Tuesday, March 3, 2009

Privacy Auditing

Between 2008 and 2009, Privacy Management moved up two spots to #2 on the AICPA's annual review of Top Technology Initiatives.

The full list of the Top Ten was:

  1. Information Security Management
  2. Privacy Management
  3. Secure Data File Storage, Transmission and Exchange (Formerly known as Securing and Controlling
  4. Business Process Improvement, Work Flow and Process Exception Alerts
  5. Mobile and Remote Computing
  6. Training and Competency
  7. Identity and Access Management
  8. Improved Application and Data Integration
  9. Document, Forms, Content and Knowledge Management
  10. Electronic Data Retention Strategy

This is true even while an Ernst & Young survey from last summer suggests that IT executives and chief audit executives still haven't become wise to the risk. Indeed, according to the survey, "Sixty-five per cent internal audit chiefs do not recognise data privacy and IT fraud as a serious threat to their business."

Nevertheless, a lack of awareness of the risk doesn't change the nature of the risk. So it was with this in mind that I went hunting for some good intel on auditing this risk for the benefit of my readers.

And I found a terrific source.

The American Association of Accountants (AAA) held a conference in Anaheim, California last year, and I found the content of their presentation a nicely encapsulated primer on how auditors can approach risk assessing and auditing privacy.

I was particularly pleased with the slide that compares the various international standards on the subject. And if the E&Y survey reflects your organization's awareness of the risk, the opening section presents a very compelling case for getting a bit more motivated about the subject.

Enjoy.
-- Prescott Coleman, CIA, CISA

2 comments:

toomuchcountry said...

Have had the opportunity to meet and network (no pun intended) a bit the last several Novembers with Marilyn at the Rutgers continuous auditing symposium. She's a huge proponent of GAPP, as I guess it's being called. The slides of breaches at companies, fed level, state & local level, NFPs, etc. astonish me each time I see them. I agree privacy is a big risk with not near enough management or audit attention... that is, until a breach occurs & everyone is suddenly attentive... for a short while... and then the norm returns.

Prescott Coleman, CIA, CISA said...

Too true. Anything you can share from the Rutgers symposium?