TIAPS Module 1 Audit and Assurance workbook
C.3.4 Data Privacy

There are strict requirements regarding data privacy. Although laws and regulations vary and continue to evolve, when someone provides an organization with personal data they generally have a right to:

• Know the purpose for collecting the data.
• Know what personal information an organization has.
• Control what information is collected and how it is used, including who has access to it.
• Request to change and delete any personal information held at any time for any reason.

Organizations can find themselves operating outside of these requirements due to inadequate controls, such as:

• The processes used for data collection are poorly designed and maintained, and as a result the organization is collecting unnecessary, incomplete, or inaccurate information, or does not gain appropriate permission from the owner of personal data for its usage and storage.
• The organization allows data to be corrupted, stolen, or leaked, or shares it – contrary to the agreement with the data owner – with a third party that misuses it.
• Data is stored beyond a permissible or useful period when it should be deleted.

Organizations must maintain awareness of internal and external requirements for data privacy, keep staff informed, and ensure policies and processes are regularly reviewed and kept up to date.

70
C.3: Reflection

Fraud:
• How are suspected frauds handled in your organization?
• Do internal auditors receive sufficient training?
• Are internal auditors involved in awareness raising about fraud risk?

IT:
• How does your internal audit function ensure it has the skills and expertise needed to audit IT risks and controls?
• To what extent is automated controls testing utilized?
• Who in your organization takes the lead on managing IT risks?
• How does internal audit collaborate with and support those responsible for IT risk management?

Cybersecurity:
• How does your internal audit function ensure it has the skills and expertise needed to audit cybersecurity risks and controls?
• Who in your organization takes the lead on managing cybersecurity risks?
• How does internal audit collaborate with and support those responsible for cybersecurity risk management?

Data Privacy:
• Who in your organization takes the lead on managing data privacy risks?
• How does internal audit collaborate with and support those responsible for data privacy risk management?

71