
AUDITING PRIVACY RISKS

HERIOT PRENTICE, CFIIA, CMIIA, CRMA, QICA


DIRECTOR, COMPLIANCE AND AUDIT GROUP
VACO

May 8, 2013
Practice Guide
Auditing Privacy Risks

What This Guide Covers
Privacy Principles and Frameworks
Privacy Business, Nonprofits and Government
Auditing Privacy
Top 12 Privacy Questions CAEs Should Ask
What This Guide Covers
A broad variety of privacy contexts and meanings:
Privacy is the protection of personal data and is considered a fundamental human right (OECD Guidelines, 1980).
Privacy is defined as the rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information (AICPA Privacy Task Force, 2005).
Personal Information / Sensitive Information / Anonymized Information
Poll #1

Do you have a designated individual assigned responsibility for Privacy in your organization?
a) Yes, a Privacy Officer
b) Yes, the CIO or CFO
c) Yes, in Internal Audit
d) Yes, in another position
e) No one is designated
f) Not applicable

Global Privacy Laws
Privacy Principles and Frameworks
Privacy Principles
Collection and use limitation
Data quality
Security safeguards
Transparency
Individual access
Accountability
Frameworks
Nonbinding
Legally Binding
Privacy - Business, Nonprofits, and Government

Privacy Impacts
Organizations, Stakeholders, Individuals
Threats to Organizations
Litigation, negative publicity, financial losses/extra cost,
operational disruptions, market failure
Threats to Stakeholders
Litigation, shareholder value, reduced profitability
Threats to Individuals
Externalized cost, surveillance, identity theft, spam, civil
rights constraints
Auditing Privacy
Activity Planning
Data prioritization and classification
Assess risk
Legal/organizational, application,
business process risk
Engagement Preparation
Understand personal data processing
Identify threats
Identify controls and countermeasures
Prioritize
Auditing Privacy
Performing the Assessment
Assessing privacy management
Test work methodologies
Vulnerability assessments, penetration testing
Physical control tests
Social engineering tests
Communicating and Monitoring Results
Privacy and Audit Management
Planning, confidentiality, staff management
Privacy Controls - Using COSO's ERM

Internal Environment: Including privacy code, privacy policies, and organizational privacy culture, all of which have to be aligned with applicable laws and regulations.

Objective Setting: Establishing an organizational mission and vision from which privacy objectives and privacy policy can be derived, directly or indirectly.

Event Identification: Identifying potential internal and external privacy threats is mainly part of periodic and ongoing operational and information technology (IT) risk assessment.

Risk Assessment: Depending on an organization's field, privacy may be a more or less important aspect of operational and IT risk assessment. Hence, inherent and residual privacy exposures need to be well understood by operational management and staff as well as IT functio

Risk Response: Privacy-enabled business processes, such as collection limitation, data security, and data management measures, manage privacy-related risk.

Control Activities: Organizational policies, procedures, and structures that ensure that risk responses are carried out; these encompass elements like data security, access controls, integrity and contingency controls, privacy reviews, a privacy ombudsman, and many more.

Information and Communication: Relevant information needs to be delivered in a timely manner to allow effective control; instruments include observing privacy metrics and reporting on issues and their mitigation.

Monitoring: The privacy risk management system requires monitoring and adaptation as needed. An organization may appoint a privacy commissioner, maintain a data register, evaluate requests to access personal information records, and conduct privacy audits.
Poll #2

What is the internal auditor's role when auditing privacy?
a) Management oversight
b) Reviewing policies and internal controls
c) Systems that process personal information
d) None of the above

Top 12 Privacy Questions CAEs Should Ask

1. Does the organization have a governing body in place to address the acceptable level of privacy risk it will take?

2. What level of privacy risk is management prepared to accept?

3. What privacy laws and regulations currently impact the organization or may likely be required in the near future?

4. What type of personal information does the organization collect, who defines what is personal or private, and are the definitions consistent and appropriate?

5. Does the organization have privacy policies and procedures with respect to collection, use, retention, destruction, and disclosure of personal information?

6. Does the organization have responsibility and accountability assigned for managing a privacy program?

7. Does the organization know where all personal information is stored and who has access?

8. How is personal information protected at various levels: databases, networks, system platforms, application layers, and business process/functional levels?

9. Is any personal information collected by the organization disclosed to or processed by third parties?

10. Do employees receive privacy awareness training and have guidance on their specific responsibilities in handling privacy requirements, issues, and concerns?

11. Does the organization have and provide adequate resources to develop, implement, and maintain an effective privacy program?

12. Does the organization complete a periodic assessment to ensure that privacy policies and procedures are being followed and meet new or current requirements?
Poll #3

Has your organization undertaken a Privacy Audit?
a) Yes, and issued a formal report in accordance
with Standard 2400
b) Yes, but not following Standard 2400
c) No, but one is planned for the future
d) No, we do not consider this a significant risk
e) No, we do not have the skill set to undertake
this review
f) Not applicable

Internal Auditing's Role
Internal Auditing Can
Evaluate that framework
Identify significant risks
Make appropriate recommendations
Auditor Independence May Be Impaired
Poll #4

Can internal auditors assist in the development of a privacy program?
a) Yes, they can be fully involved
b) Yes, in an advisory role where their
independence and objectivity is not impaired
c) Yes, but if so they cannot audit that area for a
12-month period
d) No, they should not undertake this type of work

A Privacy Maturity Model

Optimizing
Continual improvement of privacy practices and controls, with:
Changes systematically scrutinized for privacy impact.
Dedicated resources allocated to achieve privacy objectives.
A high level of cross-functional integration and teamwork to meet privacy objectives.
Managed
A consistently effective level of managing privacy, privacy requirements, and considerations is reflected in the organization, with:
Early consideration of privacy in systems and process development.
Privacy integrated in functions and performance objectives.
Monitoring on an organizational and functional level.
Periodic risk-based reviews.
Defined
The privacy policy and organization are in place, with:
Risk assessments performed.
Priorities established and resources allocated accordingly.
Activities to coordinate and deploy effective privacy controls.
Repeatable
The privacy policy is defined, with:
Some senior management commitment.
General awareness and commitment.
Specific plans in high-risk areas.
Initial
Activities are ad hoc.
Practice Guide Series

For information on the Practice Guides, visit the IIA web site (link is available in Resources):
https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/pages/practice-guides.aspx
Q&A
