GTAG-5 presentation (PPT, 285KB)
Global Technology Audit Guide (GTAG) series
Guide to the Assessment of IT Risk (GAIT) series
IT Audit Guidance main page
Guide 5: Managing and Auditing Privacy Risks
Download (members only): English (PDF 752KB); Spanish (670KB); French (640KB)
Purchase from The IIA Research Foundation Bookstore
Managing and Auditing Privacy Risks is intended to provide the chief audit executive (CAE), internal auditors, and management with insight into the privacy risks that the organization should address when it collects, uses, retains, or discloses personal information. The guide gives an overview of key privacy frameworks, which help readers understand the basic concepts and find the right sources for further guidance on expectations and on what works well in a variety of environments. It also covers in detail how internal auditors complete privacy assessments.
1. Executive Summary
2. Introduction
2.1 What is Privacy?
2.2 Privacy Risk Management
3. Privacy Principles and Frameworks
3.1 Privacy Principles
3.2 Privacy Frameworks
4. Privacy and Business
4.1 Privacy Impacts
4.2 Privacy Risk Model
4.3 Sector and Industry Issues
4.4 Privacy Control Framework
4.5 Determining Good and Bad Performers
5. Auditing Privacy
5.1 Internal Auditing's Role in the Privacy Framework
5.2 Activity Planning
5.3 Prioritizing and Classifying Data
5.4 Assessing Risk
5.5 Preparing the Engagement
5.6 Performing the Assessment
5.7 Communicating and Monitoring Results
5.8 Privacy and Audit Management
6. Top 10 Privacy Questions CAEs Should Ask
7. Appendix
7.1 The IIA's Professional Practices Framework
7.2 Other Auditing Standards and Methodology
7.3 Selected Monographs
7.4 Global and Regional Governmental Resources
7.5 Regional and National Resources
7.6 Professional and Nonprofit Organizations
7.7 More Internet Resources
7.8 Glossary of Terms
7.9 Glossary of Acronyms
7.10 Authors, Contributors, and Reviewers
Authors
Ulrich Hahn, Ph.D., Switzerland/Germany
Ken Askelson, JCPenney, USA
Robert Stiles, Texas Guaranteed (TG), USA
Questions about this guide for the authors? E-mail guidance@theiia.org.