We have investigations under the act, and they can be broadened into systemic investigations. This tends to be inquiries into a particular set of facts around a particular individual or a series of individuals, looking maybe at patterns and practices, but always related to a specific event.
An audit is I think what we usually understand by its name. It's a general sampling, according to the best scientific principles of representivity, into the practices and the observances of personal information protection in an organization.
We do both investigations, mostly because people complain to us about something. Sometimes we initiate our own investigations, like the Google Wi-Fi one.
What I've announced is that I thought the best tool for Veterans Affairs, given what we were learning, was to do an audit. So that would be a department-wide audit, but only on personal information protection measures.