The Institute of Internal Auditors (IIA) Privacy Policy

Introduction

The Institute of Internal Auditors, Inc. (IIA or The IIA) is a professional membership association for people who work in the field of Internal Auditing (IA), risk management, and related fields.  The IIA values the privacy of its members, affiliates, and visitors to its websites and is strongly committed to each visitor's right to privacy.  This privacy policy has been developed as a codification of the IIA's commitment in this area. 

The privacy policy explains the IIA's information gathering and handling practices.  If you have any questions regarding the IIA's privacy policy or do not feel that your concerns have been otherwise addressed, please contact the data protection officer by sending an email to privacy@theiia.org.  The IIA understands that you are aware of and care about your own personal privacy interests, and the IIA takes that seriously.  This Privacy Policy describes the IIA’s policies and practices regarding its collection and use of your personal data, and sets forth your privacy rights.  We recognize that information privacy is an ongoing responsibility, and so we will from time to time update this Privacy Notice as we undertake new personal data practices, adopt new privacy policies, and/or address changing privacy laws/regulations. 

This policy guides how the IIA stores and uses personal information that is collected by the IIA or provided to the IIA, whether through our websites or by other methods such as an application, enrollment, registration, transmission via Group Membership, Chapters or Affiliates, or other means.  This policy covers all of the IIA's websites, however, this policy does not cover Affiliate or Chapter websites whether or not linked to the IIA's sites.  We do not knowingly attempt to solicit or receive information from minors. 

Data Protection Officer

The IIA is headquartered in Lake Mary, Florida, in the United States.  The IIA has appointed an internal data protection officer for you to contact if you have any questions or concerns about the IIA’s personal data policies or practices.  If you would like to exercise your privacy rights, please direct your query to the IIA’s data protection officer.  The IIA’s data protection officer’s name and contact information is as follows:

Sean Jordan.
Sr. Director, General Counsel, Governance, Compliance & Risk
The Institute of Internal Auditors, Inc. - Global Headquarters
Lake Mary, FL 32746
Office Phone: +1-407-937-1401
Email: privacy@theiia.org

How the IIA Collects and Uses (Processes) Your Personal Information

The IIA collects personal information about its members and other customers.  With some exceptions, this information is limited to the kinds of information that can be found on a business card: first name, last name, job title, employer name, address, primary email, and phone number.  The IIA uses this information to provide members and customers with goods and services, including membership services, privacy and data protection content, certification opportunities, training, and the like.  The IIA does not provide personally identifiable information (PII) to third-parties without obtaining your consent. 

All individual IIA members and customers are entered into the global membership database and are assigned a unique account number (i.e., global account number-GAN).  Organizations may purchase a bundle of discounted individual memberships (group membership) with The IIA. A GAN specific to the group membership will be created. When members or customers log on to the website, they will be asked to enter their email address and to create a unique password to authenticate their IIA account.  GAN numbers are delivered to members and customers together with basic information about IIA benefits and services either directly from global IIA or via their IIA Affiliates.

  1. Personal information you give to us:

    1. Membership
      When you become an IIA North American, International Chapter, Virtual, or Global Affiliate member, we collect information about you including your (1) given name and surname, (2) mailing address (i.e., address, city, state/province, zip code, and country), (3) employment information (i.e., type of organization and industry), (4) country of residence, and (5) your primary email address.  The IIA requests members to provide optional information in their membership profile including an alternative email address, a billing address (i.e., address, city, state/province, zip code, and country), and a home, business, and/or mobile phone number.  Your organization may sponsor or purchase membership on your behalf. In order to assign a membership to a member of the organization’s group, the organization must provide (1) given name and surname and (2) email address. Once you receive the sponsored membership and sign in, the same information listed above will be collected in your MyIIA profile.

When you become an IIA member via a Global Affiliate, the IIA Affiliate provides the IIA with your (1) given name and surname, (2) industry code, (4) country of residence, and (5) your primary email address.  The IIA requests members to provide optional information in their membership profile including an alternative email address, a billing address, and a home, business, and/or mobile phone number.  The IIA Affiliate who is a separate legal entity has responsibility for policies and practices regarding its collection and use of your personal data.

The IIA processes your personal information for membership administration, to deliver member benefits to you, and to inform you of IIA events, content, and other benefits or opportunities associated with your IIA membership.  The IIA may also use this information to help The IIA understand our members’ needs and interests to better tailor our products and services to meet stakeholder needs.

Members often participate in North American or International Chapter meetings.  These meetings are organized by Chapter volunteers and take place at various locations.  The IIA provides an event management application, Aventritm, where registration information from IIA members and their guests are processed at the Chapter level, with the IIA having access to this data.

The IIA relies on fulfillment of a contract as the lawful basis (e.g., GDPR Article 6 and Bill 64-National Assembly of Quebec) for processing members’ personal information.

    1. In-Person and/or Virtual Conferences, Seminars, Webinars, Symposiums, and On-site Events
      The IIA hosts many in-person and virtual learning events throughout the year.  These include conferences like the General Audit Management Conference, for example.  If you purchase and register for one of our events and you are a member, we will access the information in your member profile to provide you with information and services associated with the event.  You may be asked to provide more information when signing up for an event than is found in your IIA profile (e.g., whether it’s your first IIA event, your meal preferences, and information about your title and industry).

If you are not a member, you must create an IIA account to purchase and register for an event or procure other services and products from the IIA.  The following information is required for IIA account setup: (1) given name and surname; (2) billing address, (3) mailing address, (4) country of residence, and (5) your primary email address.

Before or after an IIA event, you may be asked to update your IIA profile; this is optional, but the IIA has found that the information provided in conjunction with event attendance is often more accurate and up-to-date than information provided at membership registration/authentication.  Members and customers may edit their account profile at any time to change, add, or remove optional personal information.  For virtual events, the IIA provides PII to the IIA virtual platform contractors so that you are provisioned to have access to the virtual event.  You may be requested to voluntarily provide additional information at provisioning which is provided to The IIA by the contractor.

Source and Use of Event Registration PII

The IIA uses the information provided by event attendees to provide them with event services, including (1) badge printing, (2) tracking of Continuing Professional Education (CPE) credits, (3) tailoring of event demographics, and (4) other related purposes connected with the event.  Each customer’s event transaction record is captured and stored in the IIA Customer Relationship Management database.  The IIA keeps a record of your participation in IIA events as an attendee or presenter.  This information may be used to provide you with membership and certification services (e.g., such as keeping track of your CPE credits, or to tell you about other events and publications).  It may also be used to help the IIA understand our customers’ needs and interests to better tailor and align our products and services to meet stakeholder needs.

Event Presenters

If you are a presenter at one of the IIA events, the IIA will collect information about you including your name, employer and contact information, bio, and photograph, and we may also collect information provided by event attendees who evaluated your performance as a presenter.  The IIA may also make and store a recording of your voice and likeness in certain instances.  The IIA relies on a legitimate interest basis for collecting, storing, and processing this information.

Conference App

In association with attending one or more of our conferences, you will have the option to download the “IIA Conference App” to help you navigate the conference and plan your schedule.  The IIA has engaged a cloud service provider, TripBuilder Media, to host the IIA Conference App.  The IIA Conference App allows conference attendees to view the event program, including any last-minute updates to sessions, speaker biographies, and venue navigation.  There will no longer be a printed program for most of the IIA events.  In order to access the IIA App, conference attendees must download the app on their mobile device or access the program on TripBuilder Media’s event-specific webpage, entering a unique event ID and Password which the IIA provides by email.  The IIA shares with TripBuilder Media event registrants’ first and last name, email address, and mobile phone (if provided) to allow event attendees to be authenticated when they access the web-based event app, and the customization features of the mobile app.  More information about TripBuilder Media’s privacy practices is available in its global privacy notice.

Sponsored Learning Events and Event Exhibitors

Some of our events are sponsored.  The IIA provides an attendee list to sponsors, co-sponsors and/or exhibitors of our events. The IIA may also allow sponsors, co-sponsors and/or exhibitors to send you material by mail once per sponsored event, in which case The IIA engages a third-party mailing house and does not share your mailing address directly with the sponsor/exhibitor.  If you do not wish to have your information included in an attendee list or to receive information from sponsors, co-sponsors and/or exhibitors, you can express your preferences when you register for events or you may contact The IIA directly at Customer.Relations@theiia.org or privacy@theiia.org.  Sharing your personal information with a sponsor, co-sponsor, and/or exhibitor for example may allow you to receive content for free, industry or subject matter information, and/or service information.  The IIA does give attendees a choice not to receive marketing messages from sponsors or from the IIA.

Exhibitors at the IIA events may wish to scan your badge so they can contact you with more information.  The IIA contracts with various vendors to provide badge-scanning services to exhibitors who request it.  By allowing an exhibitor to scan your badge, you are consenting to have the authorized vendor to provide the exhibitor with your contact information, and thereafter you may be contacted by the exhibitor post-event.  If you do not wish the exhibitor to contact you, please communicate this directly with the exhibitor at the event or thereafter. 

Co-sponsored Web Conferences

The IIA offers several web conferences throughout the year.  Many of them are free to the IIA members, while non-members are charged a fee.  The IIA also offers web conferences that are co-sponsored by the IIA and its corporate partners and these conferences are often free to everyone because of the co-sponsor’s underwriting.  This means that when you register for a co-sponsored web conference, you will be providing your registration information to both The IIA and the applicable co-sponsor.  As noted previously in this Policy, you are provided opt-in and opt-out choices regarding the use of your PII.  All the IIA web conference co-sponsors must agree to follow applicable privacy and data protection laws.

On-Demand Learning

The IIA contracts with Docebo to administer the IIA OnDemand learning platform through Docebo’s Learning Management System.  If you are a member, your given name and surname, primary email, and GAN are sent to Docebo to provision a purchased OnDemand product.  If not a member, once you create an account and purchase an OnDemand Learning product, name and surname, primary email, and GAN are sent to Docebo to provision a purchased OnDemand product.  Docebo’s use of your PII is governed through the contract agreement with Docebo.

    1. Publications & Newsletters
      The IIA offers a great deal of content for our members and non-members.  In addition to producing original content, the IIA also subscribes to news feeds and blogs produced by others, which we often link to from our website.  This means you may find yourself on the IIA website or reading an email from the IIA publications team and we will offer you a link to another organization’s website where you will find content on internal audit, risk management, data privacy, fraud, cybersecurity, and other subjects that we deem potentially relevant and useful to you.  At these times, you will be leaving the IIA website.  The IIA is not responsible or liable for content provided by these third-party websites or personal information they may happen to gather from you.

You may wish to subscribe to the IIA publications without becoming a member of the IIA.  For example, many people sign up to receive SmartBriefs even though they are not The IIA members.  To receive the IIA publications/newsletters by email, you will need to create a “new user account,” which requires: (1) given name and surname; (2) country of residence, and (3) your primary email address.  The purpose of processing this data is to have the necessary information to deliver the IIA publications by email.  The IIA is the data controller of this information, and the processing may be managed by third-parties which are deemed “Processors.”  The IIA does not share this information with any third-party other than to store the information in our cloud-hosted databases. We rely on a contract basis to process your personal information for purposes of fulfilling your request to receive our publications.  You may at your own option choose to subscribe to the IIA news and updates that may be considered direct marketing.

The IIA from time to time sends research surveys to subscribers of the IIA.  By subscribing, you agree to receive these survey requests occasionally.  You are under no obligation to take the surveys.

The IIA uses third-party email service providers to manage our subscriptions.  Services like this are necessary because email hosts like the IIA providers are able to send bulk emails, manage subscribe/unsubscribe features, keep track of open rates and invalid email addresses, and related functions.  When you click on a hyperlink in the email, the URL will include a tracking code.  If (and only if) you have accepted a provider’s cookie through the IIA cookie tool, then that information will be recorded in the IIA account and associated with you.  The IIA uses this information to better understand what information is of interest to its subscribers so it can produce more of that information for them.  The provider does not use or sell this information.

You may manage your IIA subscriptions by subscribing or unsubscribing at any time.  Please note that if you have set your browser to block cookies, this may have an impact on your ability to unsubscribe.  If you have any difficulties managing your email or other communication preferences with The IIA, please contact us at Customer.Relations@theiia.org or privacy@theiia.org.

The IIA uses Google Analytics to track how often people gain access to or read our content.  Provided you have opted-in to analytics cookies, we use this information taken together to understand what content our members find useful or interesting, so we can produce the most valuable content to meet customer needs.

The IIA uses the OneTrust, Privacy, Security, and Governance, application to manage consent Cookie preferences.  Users have the option to opt-in or opt-out of Targeting Cookies, Functional Cookies, and Performance Cookies.  “Strictly Necessary Cookies” are designated as “Always Active.” 

    1. Third-Party Training
      If you participate in IIA training, you may purchase the training product and register directly through the IIA via the IIA’s event management application, Aventritm, which requires membership or account setup.  You may, alternatively, sign up for training – or be signed up for training – by or through a third-party such as one of our training partners, or your own employer IIA group administrator via the MyIIA Business-to-Business Portal.  We may also use independent contractors to conduct the training and third-parties to provide the training venue.  Your personal information will be stored in our database (hosted by a cloud service provider) and may be shared with our training partners, trainers, and/or the venue hosting the event (to verify your identity when you arrive).  The IIA training partners, trainers, and data transfer hosts have agreed not to share your information with others and not to use your personal information other than to provide you with The IIA products and services, unless “Express Consent” has been obtained.  The IIA relies on fulfillment of a contract to process personal data associated with providing training services.
    2. Certification
      When you sign up to take one of the IIA certification exams, we will collect data to establish your Certification Profile.  When you apply to the Certification Program, the IIA initially collects the following information to create a Candidate Profile: (1) given name and surname; (2) billing address (i.e., address, city, state/province, zip code, and country); (3) mailing address (i.e., address, city, state/province, zip code, and country); (4) preferred language; (5) country of residence; and (5) primary email address.  The IIA requests Certification candidates to provide optional information in their Candidate Profile including (a) an alternative email address, (b) a home, business, and/or mobile phone number, and (c) job code, type of organization, industry code, and industry code group. 

Exam application review and approval also requires that additional PII be obtained (See Appendix for the type of PII data accepted for the exam application review and approval process).  This information is processed to approve the certification candidate for testing and to administer the exam testing process.  The IIA will also collect and store information you provide about your need for special accommodations.  The IIA shares your personal information as necessary with our computer-based exam hosting service, Pearson VUE.  The computer-based exam hosting service may also share with us information you provide to them to verify your identity in taking the exam.

Application Certifications integrations with Pearson Vue enable exam authorizations, scheduling, and exam results communications.  Once Certifications approves a candidate’s exam application, an exam authorization code is sent to Pearson Vue with the candidate demographic information, including:

      • Candidate ID-GAN.
      • Candidate Name, including first, middle, and last name.
      • Primary Address, including local business or residential address, city, state/province, postal code, and country.
      • Phone Numbers.
      • Country Code.

An audit trail of each candidate’s activity (e.g., scheduled date of exam, no show, rescheduling) is maintained in the Pearson Vue system and submitted to the IIA.  The IIA receives high level exam results (i.e., Pass or Fail) for Certifications’ candidates and the results are synced to CRM using the GAN.  Pearson Vue provides a flat file of exam results which is loaded to Mountain Measurement for psychometrics.  The IIA does not store exam scores.

Pearson VUE uses third-party testing centers in a variety of locations throughout the world to administer the IIA Certification Exams.  These testing centers collect personally identifying information from anyone who arrives at the center to take any exam.  This information may include your name, your photograph, a government-issued identification, and the like.  The testing centers use this information to verify your identity and eliminate examination by proxy (someone else taking your exam).  

The IIA has engaged Pearson VUE to provide the online test proctoring program for test candidates electing to take exams online through its OnVUE application. This process requires taking the exam in a location in which no other people are present during the exam and also requires the disclosure of certain personal information to Pearson VUE.  Specifically, Pearson VUE will collect test candidates’ photographs and photo identifications and use artificial intelligence to confirm that they are the same person for the purpose of preventing exam fraud.  In addition, test candidates must take pictures/scan the environment for the proctor to demonstrate that they do not have materials at hand that could assist them in answering the questions (e.g. cheating).  Each candidate’s testing experience is recorded as well, and Pearson VUE collects a phone number in case the candidates’ online connection is disrupted.

The IIA will collect your exam results and, in conjunction with maintaining your certification(s), your record of participation in continuing privacy education.  Only authorized employees within the IIA have access to your certification exam results and personal information pertaining to any special accommodations you may request.  Information submitted to support special accommodation requests are maintained for no more than one year after submission.  The IIA relies upon a contract fulfillment basis to process personal data associated with providing certification services.

    1. Opt-In and Opt-Out Processing and Data Privacy Rights
      Opt-In and Opt-Out
      At any time you can update your communication opt-in and opt-out preferences on-line in your IIA account profile.  If you correspond with The IIA by email, the postal service, or other form of communication, we may retain such correspondence and the information contained in it and use it to respond to your inquiry; to notify you of The IIA conferences, publications, or other services; or to keep a record of your complaint, accommodation request, or similar concern or request.  Members in North America are entered into the global membership database and given the choice to opt-out of receiving communications from The IIA or their chapter. To opt out, please complete the appropriate mailing and email option fields on the Member Profile form on The IIA's website, or send your request via email to: CustomerRelations@theiia.org.

Members reported via their IIA Affiliate are entered in the global membership database and given the choice to opt-in to receiving communications and additional services from global IIA. IIA Institute members will not be contacted by global IIA unless they opt-in either by instructing their IIA Institute or by logging into their profile on the global IIA website and selecting to receive optional services and communications.

However, if you opt-in and choose to provide The IIA with personally identifiable information by purchasing a product, registering for an event, or requesting other services, The IIA may use that information to provide you with the purchased products or services, for billing purposes, to send immediately relevant information to you, and for other purposes related to the reason you provided the information even if you opt out of the use of your information by the means detailed in this privacy policy.

    1. Other Purposes for processing your data
      As explained above, the IIA processes your data to provide you with the goods or services you have requested or purchased from us, including membership services, certification product services, in-person and virtual learning events, and IIA Bookstore publications and content.  The IIA also uses this information to refine our goods and services to better tailor and align them to your needs and to communicate with you about other services the IIA offers that may assist you in your career or otherwise help you do your job as a privacy professional.  Most of the time, the IIA needs to process your personal data to fulfill an order for goods or services – including membership, certification, IIA Bookstore, and learning services and products.  Sometimes the IIA has a legitimate interest in processing data to better understand the needs, concerns, and interests of the IIA members, customers, and the internal audit and corresponding professions.  For the processing of PII, the IIA must obtain and rely upon your consent, in which case we will keep a record of it and honor your choices.

 

    1. Payment card information
      You may choose to purchase goods or services from the IIA using a payment card.  Payment card information is entered directly into the IIA third-party NopCommerce Ecommerce system PCI/DSS-compliant payment processing service to which The IIA subscribes.  The IIA does not, itself, process or store the card information.  Occasionally, members or customers ask The IIA Customer Service employees to, on their behalf, enter payment card information into the PCI/DSS-compliant payment processing service to which The IIA subscribes.  We prohibit the submission of credit card information via email.  When Customer Services receives payment card information telephonically from customers or members, the payment information is electronically entered into the NopCommerce Ecommerce system and no written record is established.  The IIA does not store the credit card information.  The transaction identifier would only include the last four digits of the credit card number.
  1. Personal information we get from third parties or provide to third-parties

    From time to time, the IIA receives personal information about individuals from third-parties.  This may happen, for example, if your employer is a corporate member of the IIA and signs you up for training, certification, or membership via the MyIIA Business-to-Business Portal.  One of our third-party training partners may also share your personal information with the IIA when you sign up for training through that training partner [e.g., ISACA (Information Systems Audit and Control Association) and the IIA co-sponsor the Governance, Risk, and Controls Conference in which ISACA executes the registration process for attendees].  The IIA may also collect your personal data from a third-party website (e.g. LinkedIn) if you fill out a form on that site requesting content from or registering for an event with The IIA.  You may always update your profile data with the IIA via your IIA account, or contact the IIA at Customer.Relations@theiia.org.

If you voluntarily provide the IIA with personally identifiable information, the IIA may share personal information with companies, organizations or individuals outside of The IIA when we have your consent to do so. The IIA requires opt-in consent for the sharing of any sensitive personal information. The IIA may release information on a selective basis to outside organizations whose products and services are of perceived benefit. These organizations include, but are not limited to:

    • BrightKey, which is the IIA's distribution/fulfillment house in Annapolis Junction, Md., for purchase of educational products.
    • Various companies that authenticate credit cards on behalf of the IIA if you provide a credit card for the purchase of products or services.
    • If you register as a certification candidate, to the examination site. Registrant's information may be released to providers of CIA exam preparation products, who subsequently may send you information concerning their products and services.
    • IIA Affiliates or chapters, which may solicit you for local participation or membership. In the case of IIA members, the IIA Affiliate or chapter may publish your name in a directory or use your data to mail or email local materials, unless you contact the Affiliate or chapter and opt-out of such disclosure.
    • For some North American members, the IIA may provide mailing information to other organizations whose products and services are of perceived benefit. If you do not want the IIA to provide your personally identifiable information to third parties other than IIA chapters or as noted above, please see the "Opting Out" section of this policy.
  1. What happens if you don’t give us your data

You can enjoy many of The IIA services without giving us your personal data because a great deal of information on our website is available even to those who are not IIA’s members.  You can also enjoy subscriptions to select publications without becoming an IIA member, but you will need to create a “new user account,” which requires: (1) given name and surname; (2) country of residence, and (3) your primary email address.  Some personal information is necessary so that The IIA can supply you with the services you have purchased or requested, or services your organization purchased or requested on your behalf, and to authenticate you so that we know it is you and not someone else.  You may manage your IIA subscriptions and you may opt-in or opt-out of receiving marketing communication at any time by contacting Customer.Relations@theiia.org or updating your IIA profile online.

 

Use of The IIA’s Website

As is true of most other websites, The IIA website collects certain information automatically and stores it in log files.  The information may include internet protocol (IP) addresses, the region or general location where your computer or device is accessing the internet, browser type, operating system and other usage information about the use of the IIA website, including a history of the pages you view.  The IIA uses this information to help us design our site to better suit our users’ needs.  The IIA may also use your IP address to help diagnose problems with our server and to administer our website, analyze trends, track visitor movements, and gather broad demographic information that assists us in identifying visitor preferences.

The IIA has a legitimate interest in understanding how members, customers and potential customers use its website.  This assists the IIA with (1) providing more relevant products and services, (2) communicating value to our sponsors and corporate members, and (3) providing appropriate staffing to meet member and customer needs.  By using the IIA's websites, you signify your acceptance of our privacy policy.  If you, as a visitor choose to log-in as a customer via account set-up and register for courses or events, purchase products, apply for membership or certification, or otherwise submit personally identifiable information, you are consenting to the IIA's use of such data in accordance with its privacy policy.

  • Cookies and web beacons
    The IIA makes available a comprehensive Cookie Notice that describes the cookies used on the IIA website and provides information on how users can accept or reject them.  To view the notice, just click on “do not accept all cookies” in the website Cookie Opt-in message.  Specifically, the IIA uses the OneTrust (Privacy, Security, and Governance) application to manage Cookie consent preferences.  Users have the option to opt-in or opt-out of Targeting Cookies, Functional Cookies, and Performance Cookies.  “Strictly Necessary Cookies” are designated as “Always Active.”
  • Do not track
    The IIA tracks users when they cross from our primary public website www.theiia.org to our https://www.theiia.org/en portion of the site by logging in with their username and password, as well as when visitors to our website enter through a marketing landing page.  The IIA also keeps a record of third-party websites accessed when a user is on the IIA site and clicks on a hyperlink.  But the IIA does not track users to subsequent sites and does not serve targeted advertising to them. The IIA does not, therefore, respond to Do Not Track (DNT) signals.

When and How the IIA Shares Personal Information

Information about your IIA membership, purchases, and certifications is maintained in association with your account profile.  The personal information the IIA collects from you is stored in one or more databases on servers located in the United States. Third-parties hosting your personal information do not use or have access to your personal information for any purpose other than providing the means for storage and retrieval.  On occasion, the IIA engages third-parties to mail information to you, including items like books you may have purchased, certification certificates, or material from an event sponsor.

We do not otherwise reveal your personal data to non-IIA persons or businesses for their independent use unless:

  • You request or authorize it.
  • It’s in connection with IIA-hosted and IIA co-sponsored conferences as described above.
  • The information is provided to comply with the law (for example, to comply with a search warrant, subpoena, or court order), enforce an agreement we have with you, or to protect our rights, property or safety, or the rights, property or safety, of the IIA’s employees or others.
  • The information is provided to our agents, vendors or service providers who perform processing on our behalf.
  • To address emergencies or acts of God.
  • To address disputes, claims, or to persons demonstrating legal authority to act on your behalf.
  • Through the IIA Certification Directory as described below.

We may also gather aggregated data about our members and Site visitors and disclose the results of such aggregated (but not personally identifiable) information to our partners, service providers, advertisers, and/or other third-parties for marketing or promotional purposes.

The IIA website uses interfaces with social media sites such as Facebook, LinkedIn, Twitter and others.  If you choose to "like" or share information from The IIA website through these services, you should review the privacy policy of that service.  If you are a member of a social media site, the interfaces may allow the social media site to connect your site visit to your personal data.

  • Certification Directory

    The IIA makes member information available through the IIA Certification Directory to other IIA members using this Site. Members are invited to opt-in to having their information shared in the Member Directory.

Transferring Personal Data to the U.S.

The IIA has its headquarters in the United States.  Information we collect about you will be processed in the United States.  By using the IIA services, you acknowledge that your personal information will be processed in the United States.  The United States has not sought nor received a finding of “adequacy” from the European Union under Article 45 of the GDPR.  Pursuant to Article 46 of the GDPR, the IIA is providing for appropriate safeguards by entering binding, standard data protection clauses, enforceable by data subjects in the EEA and the UK.  These clauses have been enhanced based on the guidance of the European Data Protection Board and will be updated when the new draft model clauses are approved.

Depending on the circumstance, the IIA also collects and transfers to the U.S. personal data with consent or to perform a contract with you.  The IIA endeavors to apply suitable safeguards to protect the privacy and security of your personal data and to use it only consistent with your relationship with the IIA and the practices described in this Privacy Policy.  The IIA also enters into data processing agreements and model clauses with its vendors whenever feasible and appropriate.

For more information or if you have any questions, please contact us at privacy@theiia.org.

Individual Data Privacy Rights

The European Union’s General Data Protection Regulation and other countries’ privacy laws provide certain rights for data subjects.  An example, in English, is available on the website of the country of Ireland (https://www.dataprotection.ie/en/organisations) where data privacy rights are clearly delineated.

This Privacy Policy is intended to provide you with information about what personal data the IIA collects about you and how it is used.  If you have any questions, please contact us at privacy@theiia.org. 

Rights of Access, Rectification, Portability, and Erasure

If you wish to confirm that The IIA is processing your personal data, or to have access to the personal data The IIA may have about you, please contact The IIA at privacy@theiia.org.  You may also request information about the purpose of the processing; the categories of personal data concerned; who else outside the IIA might have received the data from the IIA, what the source of the information was, if you didn’t provide it directly to the IIA, and how long it will be stored.  You have a right to:

  • Correct (rectify) the record of your personal data maintained by the IIA if it is inaccurate.
  • Request that the IIA erase your PII or cease processing it, subject to certain exceptions.
  • Request that the IIA cease using your data for direct marketing purposes.

In many countries, you have a right to lodge a complaint with the appropriate data protection authority if you have concerns about how The IIA processes your personal data.  When technically feasible, the IIA will—at your request—provide your personal data to you or transmit it directly to another controller.  Reasonable access to your personal data will be provided at no cost to the IIA members, conference attendees and others upon request made to the IIA at privacy@theiia.org.  If access cannot be provided within a reasonable period, the IIA will provide you with a date when the information will be provided.  If for some reason access is denied, the IIA will provide an explanation as to why access has been denied.

For questions or complaints concerning the processing of your personal data, you can email The IIA data protection officer at privacy@theiia.org. 

Security of Your Personal Information

To help protect the privacy of data and personally identifiable information you transmit through use of the IIA websites and applications, the IIA maintains physical, technical and administrative safeguards.  The IIA updates and tests our security technology on an on-going basis.  The IIA restricts access to your personal data to those employees who need to know that information to provide benefits or services to you.  In addition, we train our employees about the importance of confidentiality and maintaining the privacy and security of your information.  The IIA commits to taking appropriate disciplinary measures to enforce our employees' privacy responsibilities.

Data Storage and Retention

Your personal data is stored by the IIA on its servers, and on the servers of the cloud-based database management services the IIA engages, located in the United States.  The IIA retains data for the duration of the customer’s or member’s business relationship with the IIA and for a period of time thereafter to allow members to recover accounts if they decide to renew, to analyze the data for the IIA’s own operations, and for historical and archiving purposes associated with the IIA history as a membership association.  For more information on where and how long your personal data is stored, and for more information on your rights of erasure and portability, please contact the IIA data protection officer at privacy@theiia.org.

Disclosure of Information for Legal Reasons

The IIA will share personal information with companies, organizations or individuals outside of the IIA if the IIA has a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:

  • Meet any applicable law, regulation, legal process or enforceable governmental request.
  • Enforce applicable Terms of Service, including investigation of potential violations.
  • Detect, prevent, or otherwise address fraud, security or technical issues.
  • Protect against harm to the rights, property or safety of the IIA, our members or the public as required or permitted by law.

There are other instances in which the IIA may divulge your personal information.  The IIA may provide your personal information if, in the IIA's good-faith judgment, doing so is necessary to comply with laws or regulations of a governmental or regulatory body or in response to a valid subpoena, warrant or order, or to protect the rights of the IIA or others.

Questions, Concerns or Complaints

If you have questions, concerns, complaints, or would like to exercise your rights, please contact the IIA’s data protection officer at privacy@theiia.org.

Appendix A – PII That May Be Submitted to Process Certification Program Application

Type of PII – Acceptable Documents
Proof of Identification (ID)
  • Government-issued driver’s license
  • U.S. Dept. of State driver’s license
  • U.S. learner’s permit (Plastic card only with photo and signature)
  • National/State/Country ID Card
  • Passport
  • Passport card
  • Military ID
  • Military ID for spouses and dependents
  • Alien Registration Card (green card, permanent resident visa)
  • Government-issued local language ID (Plastic card only w/photo & signature)
Proof of Education
  • Copy of degree
  • Official transcript
  • Letter from university or institution
  • Letter from evaluation service
Felony Conviction
  • Letter of motivation addressed to the PCB
  • Certificate of disposition or disposition letter from the court
  • The IIA requires that certification candidates demonstrate strong ethical standing, and individuals with felony convictions are not eligible to participate.  However, The IIA also provides all candidates the opportunity to appeal any established PCB policy.  To appeal the felony restriction, candidates must submit a letter of motivation and document the restitution or actions they have taken to rehabilitate themselves.
Accommodation Request
  • Completed accommodation request form
  • Signed letter/note from doctor
  • The IIA must meet global requirements for individuals with special needs or disabilities.  Individuals requesting test accommodations must provide documentation from their physician detailing their specific needs. 
CPE Documentation
  • Certificate of completion or participation
  • Letter from sponsor
  • Other written attestation of completion or participation
Student Application
  • Transcript from University or Institution:
      • Must be an official transcript from an accredited education institution
      • Must confirm that the student was enrolled full-time
      • Undergraduate students must be enrolled a minimum of 12 semester hours or equivalent
      • Graduate students must be enrolled a minimum of 9 semester hours or equivalent