Building a program? Better get your internal audit game right

Security | Compliance and Certification

Originally published at www.iapp.org

In the wake of several major data security breaches and increasing regulatory pressure on companies to protect confidential information, building an effective privacy program is crucial. Privacy practices are rapidly developing in all sectors and industries, and while non-compliance with the numerous industry, state, federal, and international regulations can cut heavily into profit margins, the effects of a data security breach can kill relationships with customers, vendors, and even stakeholders. According to the Federal Trade Commission, an effective privacy program “addresses the privacy risks related to the development and management of new and existing products and services for consumers; and protects the privacy and confidentiality of personal information.”

When faced with the constant metamorphosis of technology and information use in the global business environment, it can be challenging for a business to correctly identify its unique privacy risks and the sufficiency of any safeguards in place to manage those risks. For this reason, a well-developed internal audit function is essential.

When building a privacy program, an organization may look to its internal audit function first to assist in analyzing its privacy needs. An internal auditor that is well versed in risk management and the protection of data can aid in conducting privacy impact self-assessments (PIAs) to help identify key areas of privacy risk throughout the development life cycle of business initiatives, products and services, and technology. Further, conducting PIAs with the internal audit function aids businesses in better identifying gaps in existing privacy practices, and connecting applicable laws and regulations to the gaps in compliance activities related to those privacy risks. Once those areas of risk are identified, the internal auditor is the best tool an organization can use to assess privacy risk areas and any existing safeguards in place to control privacy-related risks.

An assessment of the risks should include an assessment of the management, notice, choice and consent, collection, use, retention and disposal, access, disclosure to third parties, quality, monitoring, and enforcement of existing privacy practices within the organization. It can be challenging for companies to perform these assessments without impairing the independence of the audit process. A well-developed internal audit function will be trained with the necessary skills and expertise to perform more thorough and objective assessments, which is critical to the design and build of a quality privacy framework.

When the needs of an organization to meet its privacy commitments are accurately identified, it can begin designing the appropriate controls and procedures to be implemented under its privacy program. The organization may choose to consult the internal audit function for guidance on the impact of proposed privacy controls, including those controls related to physical and network infrastructure, data encryption, and training and education. Because of its independent position within the organization, the internal audit function is best suited to aid in crossing information barriers that may inhibit the design of an effective privacy framework. The internal auditor can pull together essential privacy considerations, including:

  • Existing privacy procedures and practices with internal and external users;
  • A multi-faceted layer of applicable laws and regulations in all jurisdictions in which the organization conducts business;
  • Liaisons with information technology specialists both internal and external to the organization;
  • Liaisons with human resources for adequate training and education of the organization’s users; and
  • Organizational consequences of non-compliance or a data security breach.

To have an effective privacy program, companies cannot just design and implement privacy controls; they must also gain assurance that those controls and procedures are sufficiently managing privacy risks and are functioning as intended in continuously evolving technology and risk environments. While an organization may find insight working with its internal audit function to develop the appropriate tests for sufficiency, only the internal audit function has the necessary skills, experience, and organizational relationships to independently assess the effectiveness of privacy controls, call for actions to strengthen and improve controls, and evaluate the sufficiency of follow-up mechanisms in place to enhance privacy controls and mitigate weaknesses in the privacy program.

For companies building or improving a privacy program, navigating the sea of technology and regulation can be tricky, but assessing and designing an effective privacy framework can be trickier. The internal auditor can be a crucial figure in aiding the business in accurately identifying privacy risks, developing privacy controls, and monitoring those controls to gain assurance that they remain sufficient over time. Without the independence, skills and expertise, and cross-border abilities of a well-developed internal audit function, an organization may find itself struggling to provide the necessary substance to back its privacy policy and meet the privacy needs of its customers, vendors, and stakeholders.