The Institute of Internal Auditors has released a new report to assist internal auditors in assessing their current level of preparedness regarding privacy and data protection issues.
The first guide in a three-part series, “Privacy and Data Protection — Internal Audit’s Role in Establishing a Resilient Framework,” offers guidance on deploying a specific privacy and data protection framework that gives structure and direction to the development of an effective data privacy program.
The report, issued by the IIA’s Internal Audit Foundation and developed along with accounting and consulting firm Crowe, is intended to help internal auditors understand specific risks and threats and to help them ensure that relevant controls are developed, implemented, and operated effectively. The framework, audit plan, and implementation discussions in the later sections of the report are designed to provide a foundation on how internal audit departments can build their own structures.
“Developing and implementing a privacy and data protection program—and then auditing compliance and effectiveness—initially can seem like an overwhelmingly complex and intricate process. Like all complex initiatives, however, the effort becomes more manageable when it is broken down into steps,” the report’s authors write.
The Urgency of Now
Today’s rapidly evolving regulatory environment, coupled with continued advances in data technology and growing awareness of privacy and data protection issues, poses specific issues for internal auditors. The urgency of these issues is reflected in concerns expressed in recent surveys of the internal audit profession in both the United States and Europe. As jurisdictions around the world continue to release new regulations governing how organizations can collect and use people’s data, the urgency only intensifies.
As stated, the framework and implementation methodology outlined in this report represent one approach that has been successful in helping organizations develop and execute relevant controls for managing and mitigating data privacy-related risks. However, as both the technological and regulatory environments continue to evolve, organizations in general — and internal audit departments in particular — will need to be able to adapt quickly to changes in stakeholder expectations.
The report can be downloaded from the IIA’s website.