The full list of the Top Ten was:
- Information Security Management
- Privacy Management
- Secure Data File Storage, Transmission and Exchange (Formerly known as Securing and Controlling
- Business Process Improvement, Work Flow and Process Exception Alerts
- Mobile and Remote Computing
- Training and Competency
- Identity and Access Management
- Improved Application and Data Integration
- Document, Forms, Content and Knowledge Management
- Electronic Data Retention Strategy
This is true even though an Ernst & Young survey from last summer suggests that IT executives and chief audit executives still haven't become wise to the risk. Indeed, according to the survey, "Sixty-five per cent of internal audit chiefs do not recognise data privacy and IT fraud as a serious threat to their business."
Nevertheless, a lack of awareness of the risk doesn't change the nature of the risk. So it was with this in mind that I went hunting for some good intel on auditing this risk for the benefit of my readers.
And I found a terrific source.
The American Accounting Association (AAA) held a conference in Anaheim, California last year, and I found the content of one of its presentations a nicely encapsulated primer for auditors on how to approach risk assessing and auditing privacy.
I was particularly pleased with the slide that compares the various international standards on the subject. And if the E&Y survey reflects your organization's awareness of the risk, the opening section presents a very compelling case for getting a bit more motivated about the subject.
Enjoy.
-- Prescott Coleman, CIA, CISA
2 comments:
Have had the opportunity to meet and network (no pun intended) a bit the last several Novembers with Marilyn at the Rutgers continuous auditing symposium. She's a huge proponent of GAP-P, as I guess it's being called. The slides of breaches at companies, fed level, state & local level, NFPs, etc. astonish me each time I see them. I agree privacy is a big risk with not nearly enough management or audit attention... that is, until a breach occurs & everyone is suddenly attentive... for a short while... and then the norm returns.
Too true. Anything you can share from the Rutgers symposium?