New Developments

In New Developments, internal auditors will find information about the most recent IT and audit research reports and survey results; new IT, security, and privacy legislation; and other news items of importance to auditors.

Guide Provides Data Security Audit Steps

The IT Compliance Institute (ITCi), an IT education, research, and analysis services organization, recently released Privacy and Data Protection, the next checklist in its IT Audit Checklist Series, to help IT, compliance, audit, and business managers develop internal audits of their regulatory, legal, and contractual requirements. The checklist also provides information to help readers prepare for audits of high-level data security and privacy processes and resources, assess the robustness of privacy controls, support privacy policies and procedures, and ensure the ongoing improvement of privacy practices.

As the guide explains, multiple privacy laws already exist around the world and more are currently under consideration, making the privacy compliance landscape more complex than in previous years. However, many, if not all, of these laws include the following four basic types of requirements: what data may be collected and under what conditions; how data may be stored, managed, used, repurposed, and transferred; how data is protected from unintended and unauthorized exposure; and how individuals should be informed about, and able to limit, all of the above.

Consequently, audits of an organization's data privacy and protection initiatives need to document whether management's direction on the protection and handling of private information is actually followed as set out in written practices and procedures. This aspect of the audit is important because, as the report notes, any inconsistencies "with written privacy and security policies could result in increased exposure if a breach does occur."

To help organizations assess the robustness of privacy and security controls, the checklist details the steps those responsible for the organization's data security and privacy initiatives (i.e., the board of directors, executive and business managers, privacy and information security officers, and internal auditors) should take during the audit's planning, testing, and reporting phases. For instance, prior to the audit, managers should meet with the audit team to review the audit program and define the necessary resources, collect documents in preparation for the audit, and provide feedback on the internal audit's draft plan. Steps to be taken during the audit include:

  • Evaluating information on privacy and data protection processes and procedures.
  • Assessing the quality of information generated by privacy and data protection programs; the ease, reliability, and timeliness of access to such information by key decision makers; and the operational consistency in generating the information.
  • Reviewing the organization's privacy and data protection performance metrics, as well as determining whether privacy and data protection controls are sufficiently preventive and detective.
  • Defining tests to confirm the operational effectiveness of privacy and data protection efforts.
  • Identifying and recommending opportunities for improvement of privacy and data protection activities.
  • Completing an exit meeting with managers to discuss audit findings and recommendations as well as management's response to the audit.

Finally, the checklist discusses the types of controls to be examined during the audit (i.e., management, operational, and technical controls) and provides an appendix that lists different privacy and data protection resources.

To read or download the complete checklist, visit the ITCi Web site (PDF, 693 KB).