Interested in this topic? Visit the links below for more resources:
Visit The IIA's website or YouTube channel for related topics and more.
00:00:02 The IIA
The Institute of Internal Auditors presents All Things Internal Audit Tech.
00:00:07 The IIA
Charles King sits down with Kavin Anburaj from Meta to explore how privacy intersects with internal auditing.
00:00:15 The IIA
They discuss why auditors should care about privacy, key data risks, and global regulations, and they provide practical steps for auditing privacy programs.
00:00:27 The IIA
From core privacy principles like transparency, consent, and data minimization, to lessons learned in cross-functional collaboration, this episode provides auditors with a roadmap for tackling privacy audits in an AI-driven world.
00:00:44 Charles King
I'm really excited to have this discussion today.
00:00:47 Charles King
You know, we've been working together for, I guess, coming up on five years now.
00:00:52 Charles King
in different capacities and privacy, especially at Meta, but I think privacy in general is just such a fascinating topic and it's getting so much more attention even more in the age of AI.
00:01:07 Charles King
So while Meta may have somewhat unique privacy concerns relative to other companies, I think privacy is something that really impacts every organization in the world.
00:01:18 Charles King
And as auditors, we really need to be focused on
00:01:22 Charles King
understanding how our organizations are dealing with personal data.
00:01:27 Charles King
But I wonder, just from your perspective and being a leader in privacy and in internal audit, why do you think internal auditors should care about privacy?
00:01:38 Charles King
Why should this be a focus on our risk assessments and internal audit plans?
00:01:43 Charles King
A.
00:01:44 Kavin Anburaj
Lot of people think that privacy risks are very regulatory and very legal based, but the truth is privacy is
00:01:52 Speaker 3
almost anonymous with like data risks.
00:01:54 Speaker 3
So you need to understand what data your organization is collecting, what sector you belong to, and start with that for you to then figure out how to start doing a privacy audit.
00:02:04 Charles King
So this idea of what data impacts privacy.
00:02:09 Charles King
So help us think through that.
00:02:11 Charles King
I think there's things that would be obvious to anyone around maybe customer data or employee data, but can you help me think through
00:02:20 Charles King
What should I be looking for or thinking about when I consider what data has privacy implications?
00:02:29 Speaker 3
Most people would start off with like a checklist, but laws, regulations, and even customer expectations for organizations are evolving by the day.
00:02:39 Speaker 3
And so if you had to start thinking about what data actually matters,
00:02:44 Speaker 3
Again, depending on your business, it could be customer data.
00:02:49 Speaker 3
If you are making up examples here, but like if you're in the retail space, what customer data that you have, what user data or PII associated to the customers do you have is the number one place that I would look for.
00:03:00 Speaker 3
Social media companies, we have what we call user data.
00:03:04 Speaker 3
So information that users present within our platforms is another big bunch of data.
00:03:10 Speaker 3
But for most other companies,
00:03:13 Speaker 3
Even employee data can be subject to any kind of privacy laws and rules.
00:03:18 Speaker 3
And so employee data is something that I would say everybody needs to look at.
00:03:22 Speaker 3
Vendor data, so any third-party vendors that work with you within the company would also be subject to this.
00:03:31 Speaker 3
And
00:03:32 Speaker 3
anything which can be attributable to a human, a user, whether it is provided in a structured manner or it is provided in an unstructured manner.
00:03:43 Speaker 3
And an example of that would be, let's say it's a customer complaint, an e-mail, a portal where you have an external party interacting with your organization in any way.
00:03:54 Speaker 3
If that's a mechanism for you to collect details about a user in any form, then that would also be subject to a lot of these.
00:04:02 Speaker 3
laws and regulations.
00:04:04 Speaker 3
So that, I would say, anything that's attributable to a person would all be a part of user data.
00:04:12 Charles King
Right.
00:04:12 Charles King
So my name, my address, my gender, any of those might be protected data.
00:04:20 Charles King
But what we might not always think about is that when I send an e-mail to a customer service representative,
00:04:26 Charles King
and I imply my address or my gender or some other personally identifiable characteristic, even though it's not in tabular data that sits in maybe a CRM system, that's still privacy data that tells something about me.
00:04:43 Charles King
And if that was, you know, some unauthorized party got access to it, that could trigger
00:04:48 Charles King
your privacy requirements under the law or under your privacy policy that you communicate to your customers about how you're going to deal with their data.
00:04:57 Charles King
That's really fascinating.
00:04:59 Charles King
Maybe let's think a little bit about what some of those obligations are.
00:05:03 Charles King
Obviously, Meta is a bit of a special case, but there are privacy laws all around the world that apply to everyone, not just social media companies.
00:05:12 Charles King
So what are some of the big ones that we should be thinking about for organizations that are in countries that have these privacy laws?
00:05:21 Speaker 3
Even though there are evolving laws across the globe, the one thing that is very evident is
00:05:29 Speaker 3
All of these laws are based off of basic privacy principles.
00:05:33 Speaker 3
Each country may interpret it differently.
00:05:35 Speaker 3
Each country may have their own special requirements or a special sauce that they add to it.
00:05:39 Speaker 3
But at the end of the day, they are all baked off of basic privacy principles.
00:05:45 Speaker 3
I'm going to state a few of them with some examples, but not everything is going to apply for every single organization out there.
00:05:52 Speaker 3
But here's my take on it.
00:05:54 Speaker 3
I think it all starts with transparency and consent.
00:05:57 Speaker 3
Every organization needs to make it extremely clear and transparent to the users what data is going to be collected about them and what they are going to be doing with that data.
00:06:08 Speaker 3
It's that disclosure that I would say is one of the key things that need to happen.
00:06:13 Speaker 3
The second thing is consent.
00:06:15 Speaker 3
And consent here could be the terms of service that a user agrees to, the checkmark that we put in every time we download an app.
00:06:23 Speaker 3
That could be considered consent, or in some countries, like I said, some countries add their special sauce.
00:06:28 Speaker 3
One of it is they would say, I need explicit consent.
00:06:31 Speaker 3
So someone needs to go in and say, I authorize this data to be used for this particular purpose.
00:06:36 Speaker 3
So that could be explicit consent.
00:06:38 Speaker 3
So transparency and consent are one of the key principles of anything related to privacy that a lot of laws base
00:06:45 Speaker 3
their regulations off of.
00:06:47 Speaker 3
The second one is purpose limitation, which is a very hard area to audit, to be honest, but that's another key principle that we need to keep in mind is, this data that I'm collecting about the user, am I only going to be using it for the purpose that I am ultimately stating it to be used for?
00:07:06 Charles King
So this could, outside of the media or technology context, if I were, say, a store,
00:07:15 Charles King
a retailer, and I have information about my customers that maybe I get through the point of sale or through my loyalty program, I can't then come up with a novel idea for how to use their data, maybe to target them with ads through the e-mail address that I have on file or other things, unless I've told them in advance that I'm going to use their data for that purpose.
00:07:42 Charles King
Is that the idea?
00:07:43 Charles King
Okay.
00:07:44 Speaker 3
Exactly.
00:07:45 Speaker 3
That is what purpose limitation is.
00:07:48 Speaker 3
Data minimization is another privacy principle.
00:07:51 Speaker 3
I'm starting to see like a lot of organizations also get into the principle.
00:07:55 Speaker 3
It is collecting only the data that is truly required for you to do your business.
00:08:01 Speaker 3
Just personally, every time I wear to like orders, like a shirt off of a website, the size, the address, all of that makes sense.
00:08:08 Speaker 3
And then given my age, sometimes when I have to put in what my date of birth is, I'm like, I understand the month and the date, but why do you need to know which year I was born in?
00:08:18 Speaker 3
Because it automatically buckets me into a certain age group, right?
00:08:22 Speaker 3
And yes, personally, it affects me too.
00:08:24 Speaker 3
Data minimization is something that you need to keep in mind.
00:08:27 Speaker 3
Am I only collecting the data that is required for me to perform this service for this individual?
00:08:32 Speaker 3
Another interesting area which
00:08:35 Speaker 3
it may apply to a lot of industries and may not, is the storage limitations and retention limitations.
00:08:41 Speaker 3
This is where we need to make sure the data is there with that organization only for the amount of time that it's required.
00:08:48 Speaker 3
So orders that I might have placed 10 years ago, the company needs to have policies, internal policies, which state that all data needs to be purged on a regular basis.
00:08:58 Speaker 3
And that is going to be organizational dependent.
00:09:00 Speaker 3
However, in some instances, from a payments perspective, for fraud detection reasons, companies are going to be required to keep their data for much longer.
00:09:10 Speaker 3
So depending on the rules of the country, all payments history needs to be maintained for five years or seven years or 10 years.
00:09:18 Speaker 3
And those laws will override any internal policies that an organization may have.
00:09:23 Speaker 3
So data limitations, data retention is another principle that a lot of these laws are based off of.
00:09:28 Speaker 3
I know it's a lot, but those are some of the key areas that exist in addition to obviously natural.
00:09:34 Speaker 3
data security requirements that we are going to have and good governance policies that every organization needs to have.
00:09:40 Charles King
Right.
00:09:41 Charles King
And additionally, some of the laws require that customers be able to ask the organization to delete their data, right?
00:09:49 Charles King
And that has all kinds of far-reaching implications because sometimes your data is in many different places and it can create, you know, all of these questions about data lineage and
00:10:01 Charles King
As the marketing team, maybe where my data is, but you got that data from the sales team or from somebody in supply chain.
00:10:10 Charles King
And so is it there too?
00:10:12 Charles King
And where are all of the different places we have to delete it if that is in fact an obligation that you have?
00:10:19 Speaker 3
Yes, I think you hit on a very, very important point.
00:10:25 Speaker 3
As I was mentioning earlier, a lot of people think privacy is very focused on what regulatory requirements are, but as I said, it's evolving where user rights are also high up on the reason as to why we need to have good privacy audits that occur.
00:10:43 Speaker 3
From a user rights perspective, to your point,
00:10:46 Speaker 3
At any given time, any data that we collect about a user is still actually the user's data, which means that they have right to access it, they have rights to delete it, they have the right to be forgotten effectively.
00:10:58 Speaker 3
And so it's extremely important for any organization to understand at what point does the data come into the organization, which is obvious.
00:11:07 Speaker 3
But then the second piece is where else is that data going to flow?
00:11:11 Speaker 3
Where else am I saving that data so that I can have that traceability of data across the different systems?
00:11:18 Speaker 3
And that is going to be required because if a user
00:11:21 Speaker 3
where to come in and say, hey, can I have a list of all the points or all the data that you have about me?
00:11:28 Speaker 3
Then we as an organization should be able to demonstrate that here is all the data that I have about you.
00:11:35 Speaker 3
And knowing that traceability and knowing that lifecycle is the only way for us to be able to pull that list.
00:11:42 Speaker 3
And in case the user decides to delete it,
00:11:45 Speaker 3
then we need to know all the points where it is sitting so that our systems can efficiently do that.
00:11:50 Speaker 3
And if this were to happen at scale, forget Meta as an organization, but pretty much any company at all, it's important for us to know what those different points are so that the deletion can happen accurately.
00:12:03 Speaker 3
We are representing the data to the user accurately.
00:12:06 Speaker 3
And lastly,
00:12:09 Speaker 3
Obviously, having a lot of data also puts every organization at risk.
00:12:13 Speaker 3
I think that is just pretty clear with breaches that have occurred across the industries.
00:12:18 Speaker 3
And so knowing where your data resides has got more than one purpose, not just from a regulatory perspective, but helps us be transparent to the users.
00:12:27 Speaker 3
And lastly, helps our organizations be safe.
00:12:31 Charles King
Right.
00:12:31 Charles King
And that's an area a lot of organizations struggle with, even though there have been
00:12:36 Charles King
major advances in tooling that can help with managing data lineage and understanding sort of data management and data governance in general, it's still really challenging.
00:12:46 Charles King
There are so many systems and so many different ways that organizations use data.
00:12:51 Charles King
It's often hard to find one reliable data lineage or data management solution that will tell you where all of your data is.
00:13:02 Charles King
So that poses challenges for auditors, but I'd like to talk a little bit about how we go about auditing privacy, but maybe before we do that, let's think about the different kinds of audits or audit objectives we might accomplish through privacy audits.
00:13:20 Charles King
Can you maybe think through what are some of the triggers for audits or the types of audits or focal points of the audits that you do to think through
00:13:29 Charles King
the different ways we might go about building an audit program.
00:13:35 Speaker 3
Yeah, when we originally had to get started with building out the audit program, these were some of the questions that we had to ask ourselves as well.
00:13:46 Speaker 3
As you must have probably understood by now, I'm an extremely data-driven person.
00:13:50 Speaker 3
And so
00:13:52 Speaker 3
didn't naturally translate into the only type of audits that we've ever done.
00:13:55 Speaker 3
But taking a step back, you always look at what sector your organization belongs to.
00:14:01 Speaker 3
And understanding what sector they belong to will automatically give you an understanding as to what regulations apply to your industry.
00:14:09 Speaker 3
So that will give you an entire scope of audits that you can perhaps do from a regulatory angle.
00:14:14 Speaker 3
If your organization belongs to California, and if you want to do something related in the privacy space, then CCPA, CPRA,
00:14:21 Speaker 3
laws will apply.
00:14:22 Speaker 3
So understanding what your regulatory environment is and what your organization is going to be subject to is the first bucket of questions you need to answer and the first tranche of audit plan that you will start obtaining.
00:14:35 Speaker 3
The second, if you move out of the legal and the regulatory space, is having a very operational lens to it or a compliance lens to it.
00:14:45 Speaker 3
chances are your internal audit is hopefully not the first party that's going to be looking at what risks exist in the privacy space.
00:14:54 Speaker 3
There should definitely be like risk assessments either performed by the legal teams, or if you have a compliance organization, information security organization, which could also be looking at privacy as a space.
00:15:04 Speaker 3
So understanding what has either second line or the first line, depending on how you differentiated within every organization, what work has been done by them, and is that something that you can leverage?
00:15:17 Speaker 3
And if it's mature enough, is that something that you can audit?
00:15:20 Speaker 3
Is a whole tranche of audits that you can think about from a privacy angle.
00:15:25 Speaker 3
And then the third is
00:15:27 Speaker 3
Internal auditors can jump straight into the business itself.
00:15:30 Speaker 3
So the privacy principles that I alluded to earlier, you can literally pick one, two, or all of them and try and do an audit with your business partners directly.
00:15:41 Speaker 3
So this could be starting with your sales or your marketing organizations to understand what disclosures or what do we state about our products.
00:15:49 Speaker 3
And then checking back into the systems to say, is everything that we are stating, is that accurately being performed?
00:15:55 Speaker 3
So you can look at it either at a
00:15:57 Speaker 3
regulatory lens.
00:15:58 Speaker 3
You look at it from an operational compliance, what has the organization done so far lens.
00:16:04 Speaker 3
Or third, you focus on the business directly and try and see if any of the privacy principles can be applied and if it can be audited through the systems through and through.
00:16:15 Speaker 3
So those are three different mechanisms that I would say an organization can think about it.
00:16:19 Speaker 3
And maybe that's a part of your rotation plan.
00:16:21 Speaker 3
Like you do regulatory one year
00:16:23 Speaker 3
but you're more interested in how data actually flows.
00:16:27 Speaker 3
And so you do the third type of audit.
00:16:30 Speaker 3
So that is how I would suggest if you had to start off.
00:16:34 Charles King
Right, so a regulatory focused audit would be taking the requirements of, you mentioned CCPA or GDPR or any one of the many different state specific privacy regulations that exist in the US.
00:16:48 Charles King
understand what your obligations are under that law, and then try to go audit against those regulations.
00:16:53 Charles King
That might be step number one, or at least an option.
00:16:58 Charles King
Another option is to look at second line functions, like legal or maybe depending on how you're structured, maybe part of the CISO organization, or if you have a chief privacy officer, and then how are they overseeing privacy?
00:17:13 Charles King
And it's almost like a governance audit.
00:17:15 Charles King
And then the third one, if I understood you correctly, is looking at the actual, call it the first line that is presumably collecting this data, storing and using the data.
00:17:29 Charles King
And then, there are different ways that you might audit against that, but taking some of the privacy principles we talked about before and seeing about purpose limitation in the first line or how they're dealing with transparency in the first line and
00:17:45 Charles King
communicating to their customers how that data is being used and what their policies are around data.
00:17:52 Charles King
So you talked before about how you were a traditional auditor, I guess, and then got into the privacy space as a specialization.
00:18:01 Charles King
What did you learn in the beginning that would help people that are just, that are new to auditing privacy to get up to speed a little bit faster?
00:18:10 Speaker 3
I'm glad that you asked this question.
00:18:12 Speaker 3
because I did wish that I had someone explain to me what the differences would be or what I could have done a little better upfront.
00:18:21 Speaker 3
But hopefully this helps some people.
00:18:24 Speaker 3
One is the amount of cross-collaboration that is required for a privacy audit.
00:18:32 Speaker 3
In the traditional audit space, when I have done an audit in a particular sector, either I'm working with engineering teams or I'm working with business teams.
00:18:41 Speaker 3
And I'm not saying that it gets limited to just that org that I am currently auditing, but in the privacy space, as you're aware, data never stays within one organization alone.
00:18:53 Speaker 3
And couple that with evolving regulations, there is constant flux in what you're supposed to do, and there's constant flux in how data is ultimately managed within as well.
00:19:06 Speaker 3
And so combining these two is where the complexity
00:19:10 Speaker 3
gets a little harder to manage.
00:19:12 Speaker 3
So biggest lesson learned is understanding who your cross-functional partners are and starting to set up expectations with them.
00:19:19 Speaker 3
And for us, or for any privacy audit for the matter, you start off with legal or with the organization that is responsible for translating what regulatory requirements are required for your organization and converting them into policy.
00:19:35 Speaker 3
So you work a lot with legal policy
00:19:38 Speaker 3
teams to make sure that the law has been interpreted and that we have policies that we can audit against.
00:19:44 Speaker 3
So that would be a lesson learned.
00:19:47 Speaker 3
And you don't just start off with the organization that you are just automatically auditing.
00:19:51 Speaker 3
So
00:19:53 Speaker 3
I would suggest starting off there.
00:19:55 Speaker 3
The second piece is, like I said, hopefully internal audit is not the first team that's looking at things from a privacy perspective.
00:20:02 Speaker 3
So talk to your second lines to see what work has already been done.
00:20:06 Speaker 3
Has there been risk assessments that have been performed in this particular space?
00:20:10 Speaker 3
And getting that information will help ground you before you start doing an audit.
00:20:16 Speaker 3
So that is another big lesson that I've learned, because sometimes, obviously, when we are reporting these things out to the board or to senior management, it is important for us to be able to speak the same language.
00:20:28 Speaker 3
And the question naturally is going to arise, like a third line and the second line working together, and do they have similar principles that we are auditing against?
00:20:36 Speaker 3
So align with legal, align with second line in these spaces.
00:20:41 Speaker 3
The third thing that I have understood is, which I'm pretty sure any internal auditor would empathize with, is it's not like you walk into an audit and then someone gives you a data map and says, this is where all the data is.
00:20:53 Speaker 3
This is where the data storage is.
00:20:55 Speaker 3
These are the controls that we have.
00:20:57 Speaker 3
So it's hard enough to do it in one space.
00:21:00 Speaker 3
It gets harder when there are multiple business units that are involved.
00:21:03 Speaker 3
So talking to someone
00:21:06 Speaker 3
who has that knowledge upfront and getting or trying to piece this together initially would really be beneficial before you start identifying controls.
00:21:18 Speaker 3
So those are like 3 big buckets that I would say would be helpful.
00:21:22 Charles King
Yeah, and I think this is probably fairly obvious for people that are in regulated industries or have parts of their business that are subject to some kind of third-party scrutiny.
00:21:35 Charles King
But you have to be very careful with the language you use in these reports as well.
00:21:41 Charles King
I think sometimes when we do the traditional plain vanilla business process audits, I don't think we ever want to be sloppy with our language, but sometimes if it's a little bit imprecise or we don't choose our words very carefully, if it's a procurement audit or something like that, it's not that big a deal.
00:22:00 Charles King
But in the privacy
00:22:02 Charles King
realm and in other regulatory realms, being inartful in the way you write your findings or observations, that can have some downstream implications because it's possible that other people will see your internal audit report and potentially misconstrue it, right?
00:22:20 Charles King
So whether that's a regulator or it's part of a lawsuit or, you know, anyone, any third party that may be interested in how you're complying with privacy laws or privacy obligations,
00:22:32 Charles King
your internal audit reports are absolutely going to be part of that.
00:22:36 Speaker 3
Yeah, I think you're absolutely right.
00:22:39 Speaker 3
When I was also mentioning working with legal or with functions which are interpreting law in some ways, it's also important when the results are out to work with them closely to make sure that us, like an internal audit team,
00:22:56 Speaker 3
stating something in the context of 1 jurisdiction does not have a completely different interpretation or a different meaning in a different jurisdiction, which could naturally happen if you are working anywhere in the global space and your business is conducted outside of just one country.
00:23:12 Speaker 3
And that's where their expertise in making sure that
00:23:18 Speaker 3
either adding clauses to say, this is in this particular jurisdiction, only getting the words right is of utmost important when doing a privacy-related audit.
00:23:28 Charles King
Yeah.
00:23:29 Charles King
Well, if auditors want to learn more about privacy, what resources would you recommend they go to
00:23:39 Charles King
to prepare for a privacy auditor to think about including privacy implications into their risk assessment or into their audit plan in some way.
00:23:51 Speaker 3
Yes.
00:23:52 Speaker 3
For me, to be honest, I think IAPP actually was a very helpful resource location where I went to understand a lot of these in more detail.
00:24:05 Speaker 3
Again, I would say it really depends on the country that you are in as well or where your organization is doing business.
00:24:11 Speaker 3
And it's important for you to understand what your sector is and look for it.
00:24:16 Speaker 3
For example, within the healthcare space, what are some of the regulatory requirements?
00:24:21 Speaker 3
what regulatory requirements will apply to your particular organization is something that you need to be aware of and do research more into that sector itself in addition to general basic privacy principles and laws and regulations can be looked up.
00:24:36 Speaker 3
And IAPP would be a really good source for it.
00:24:39 Charles King
Yeah, IAPP is a great place.
00:24:42 Charles King
That's where I started my journey.
00:24:44 Charles King
I'm really happy to
00:24:46 Charles King
I really enjoyed getting my privacy certification.
00:24:50 Charles King
And I think if you're an organization that has serious privacy concerns, I think it's worth, if not getting the certification yourself, just making sure that you have access to some people that have some proper privacy training after they get their CIA, of course, but then after that.
00:25:06 Charles King
That's exactly.
00:25:09 Speaker 3
Actually, that is.
00:25:11 Speaker 3
Really true, Charles, which I truly believe in, is if your internal audit basics are good and you have your CIA or IAA to support that, in addition to you understanding your business quite well, you understanding how data management works in general,
00:25:33 Speaker 3
I think a combination of that, in addition to anything else in the privacy space that you do, I feel like will make you a very well-rounded privacy auditor.
00:25:42 Charles King
Excellent.
00:25:43 Charles King
Well, Kavin, this has been a great discussion.
00:25:45 Charles King
I really appreciate you coming on this week and sharing what you've learned about privacy with everyone.
00:25:50 Charles King
I know it's an exciting area.
00:25:52 Charles King
I think it's only going to be more and more relevant to every organization as we see more regulation, as we see technologies like AI,
00:26:03 Charles King
come to the fore.
00:26:04 Charles King
It's an important area, and I think it's an overlooked area by many auditors.
00:26:08 Charles King
So I'm really glad we were able to have this discussion today.
00:26:11 Charles King
Thanks for coming on the show.
00:26:13 Speaker 3
Thank you so much, Charles, for this opportunity.
00:26:15 Speaker 3
And yeah, the last bit that you just mentioned, I wanted to reiterate, with AI becoming such an important topic across all organizations, the data traceability, lineage, and privacy implications are going to be so much more higher for every organization out there.
00:26:31 Speaker 3
So
00:26:33 Speaker 3
Privacy audits are not going to be done in a silo.
00:26:35 Speaker 3
I feel like anything that we are going to be doing in the AI space is going to have privacy components.
00:26:40 Speaker 3
So it is time that every organization adapts and embraces the privacy audit lifestyle too.
00:26:46 Charles King
Well said.
00:26:47 Speaker 3
Thank you so much again.
00:26:49 The IIA
Banking on big changes will spark your next audit breakthrough at the 2025 Financial Services Exchange.
00:26:57 The IIA
November 3rd to the 4th in Washington, D.C.
00:27:01 The IIA
or virtually.
00:27:02 The IIA
Gain fresh insights, network with peers, and earn up to 13 CPEs.
00:27:09 The IIA
Head to theiia.org to reserve your spot now.
00:27:14 The IIA
If you like this podcast, please subscribe and rate us.
00:27:18 The IIA
You can subscribe wherever you get your podcasts.
00:27:21 The IIA
You can also catch other episodes on YouTube or at theiia.org.
00:27:27 The IIA
That's THEIIA dot ORG.
