Discription

One of the many challenging and formidable risk management issues faced by organizations today is protecting the privacy of customers' and employees' personal information. As presented in The IIA’s Practice Advisory 2130.A1-2: Evaluating an Organization’s Privacy Framework, the internal audit activity can contribute to good governance and risk management by assessing the adequacy of management’s identification of risks related to its privacy objectives and the adequacy of the controls established to mitigate those risks to an acceptable level. The following describes some of the benefits of undergoing a privacy audit. Privacy audit benefits: Facilitates compliance with laws and regulations. Measures and helps improve compliance with the organization’s data protection system. Identifies potential inconsistencies between policies and practices. Increases the level of data protection awareness among management and staff. Provides information for a data protection system review. Provides assurance over reputational risks. Improves procedures for responding to privacy complaints. This Practice Guide complements and expands on Practice Advisory 2130.A1-2. The Guide provides the chief audit executive (CAE) and internal auditors with insight into privacy risks that the organization should address when it collects, uses, retains, discloses, and disposes of personal information. This Guide provides an overview of key privacy frameworks to help readers understand the basic concepts and find the right resources for more guidance regarding expectations and what works well in a variety of environments. It also provides direction on how internal auditors can complete privacy assessments.