00:00:03 The IIA
Hello, welcome to Getting Started With, where our job is to make your job easier.
00:00:08 The IIA
On this episode, we're getting started with the data privacy basics for internal auditors.
00:00:14 The IIA
By the end of this video, you'll understand what data privacy means for internal auditors, specifically your professional responsibilities under the Global Internal Audit Standards, how to spot privacy risk in any audit,
00:00:27 The IIA
what internal auditors look for when assessing privacy, and how to work effectively with privacy professionals in your organization.
00:00:34 The IIA
So, let's get started.
00:00:37 The IIA
Here's something a lot of new auditors don't realize right away.
00:00:40 The IIA
You don't have to be assigned a dedicated privacy audit to encounter data privacy risk.
00:00:46 The IIA
It shows up in HR audits, finance audits, vendor reviews, operational audits, and more.
00:00:53 The IIA
Anytime an organization collects, stores, or shares information about people, there's a privacy dimension to consider.
00:01:00 The IIA
And as an internal auditor, that means privacy is always part of your job, whether it's front and center or not.
00:01:08 The IIA
Before we talk about what you evaluate in others, let's talk about your own professional responsibility.
00:01:14 The IIA
Standard 5.2 of the Global Internal Audit Standards, Protection of Information, states that internal auditors must understand and abide by the laws, regulations, policies, and procedures related to confidentiality, information privacy, and information security.
00:01:31 The IIA
That's not about auditing someone else's privacy program.
00:01:34 The IIA
That's about you, personally.
00:01:37 The IIA
As an internal auditor, you have access to a lot of sensitive information.
00:01:41 The IIA
Standard 5.2 makes clear that protecting it is part of your professional obligation from day one.
00:01:48 The IIA
So what exactly is data privacy?
00:01:50 The IIA
Our first term to learn, data privacy, is the right of individuals to control how their personal information is collected, used, stored, and shared.
00:02:00 The IIA
In plain terms, organizations don't own the personal data they collect.
00:02:06 The IIA
The individuals it belongs to do.
00:02:09 The IIA
That's the mindset shift that drives everything else in this episode.
00:02:13 The IIA
When an organization collects someone's name, e-mail address, health information, or financial records, they're being entrusted with something that belongs to that person.
00:02:22 The IIA
An internal audit's job is to help make sure that trust is honored.
00:02:28 The IIA
Here's the insight that changes how you approach every audit.
00:02:31 The IIA
Privacy risk is not just an IT problem.
00:02:34 The IIA
Privacy risk is a collective responsibility that lives across every part of the organization.
00:02:40 The IIA
HR collects employee records, finance processes payment information.
00:02:45 The IIA
Marketing collects customer data.
00:02:48 The IIA
Operations may handle patient or client details.
00:02:51 The IIA
Every department that touches personal information is part of the privacy picture.
00:02:56 The IIA
And that means, as an internal auditor, you should be thinking about privacy implications in every engagement you work on, not just the ones labeled as privacy audits.
00:03:06 The IIA
To spot privacy risk in an audit, you need to know what you're looking for.
00:03:11 The IIA
That brings us to our next term to learn, personal data.
00:03:15 The IIA
Personal data is any information that can be used to identify an individual, directly or indirectly.
00:03:21 The IIA
That includes obvious things like names and e-mail addresses,
00:03:25 The IIA
but also less obvious things like device IDs, location data, or combinations of details that together point to one specific person.
00:03:35 The IIA
In plain terms, if it can be traced back to a specific person, it counts.
00:03:40 The IIA
During any audit, when you see data being collected, stored, or shared, train yourself to ask, is this personal data?
00:03:48 The IIA
Because if it is, privacy controls should be in place.
00:03:52 The IIA
Let's look at how this plays out in real life.
00:03:55 The IIA
Imagine a new auditor named Jordan who is assigned to an operational audit of the HR department.
00:04:00 The IIA
Jordan's objective is to review the employee onboarding process, not a privacy audit.
00:04:06 The IIA
But during the walkthrough, Jordan notices that the team is collecting a significant amount of personal information from new hires, including information that doesn't seem directly related to onboarding.
00:04:17 The IIA
Jordan asks, why is this data being collected?
00:04:20 The IIA
How is it being protected, and how long is it being kept?
00:04:23 The IIA
It turns out there's no documented policy for retention or access.
00:04:27 The IIA
That's a privacy finding.
00:04:29 The IIA
And Jordan found it not by doing a dedicated privacy audit, but by staying alert during a routine engagement.
00:04:36 The IIA
That's the mindset every internal auditor should develop.
00:04:40 The IIA
Here's a pro tip.
00:04:41 The IIA
When you encounter personal data during any audit, ask three questions.
00:04:45 The IIA
Why is this being collected?
00:04:47 The IIA
Who has access to it?
00:04:49 The IIA
And how long is it being kept?
00:04:51 The IIA
If there are no clear answers to any of these three questions, that's a signal to dig deeper.
00:04:57 The IIA
These questions work in almost any context, whether you're auditing HR, finance, marketing, or operations.
00:05:05 The IIA
They're a simple, practical way to build privacy awareness into every engagement without needing to be a privacy expert.
00:05:12 The IIA
So what does it look like when internal audit evaluates privacy?
00:05:16 The IIA
There are five questions worth building into your thinking for any engagement where personal data is involved.
00:05:22 The IIA
Does a privacy policy exist and is it followed?
00:05:26 The IIA
Is personal data collected for a clear, stated purpose?
00:05:30 The IIA
Is access to personal data limited to the people who genuinely need it?
00:05:35 The IIA
Are third parties who handle personal data properly managed and contractually required to protect it?
00:05:41 The IIA
And can the organization respond effectively if a data breach occurs?
00:05:46 The IIA
These aren't just questions for a dedicated privacy engagement.
00:05:50 The IIA
They're questions worth asking in any audit where you encounter personal data.
00:05:55 The IIA
That last question brings us to another term to learn, a data breach.
00:05:59 The IIA
A data breach is any incident in which personal data is accessed, disclosed, altered, or lost without authorization.
00:06:07 The IIA
In plain terms, it doesn't have to be a cyber attack.
00:06:10 The IIA
A misdirected e-mail or an unlocked laptop can qualify.
00:06:14 The IIA
When you're reviewing whether an organization is prepared for a breach, you're looking for things like an incident response plan, clear ownership of the response process, and evidence that the plan has been tested.
00:06:27 The IIA
If none of those exist, that's a finding worth noting.
00:06:31 The IIA
Internal auditors and privacy professionals need each other.
00:06:35 The IIA
The privacy office owns the privacy program.
00:06:38 The IIA
Internal audit provides independent assurance that the program is working.
00:06:43 The IIA
Those are different roles, and they're both necessary.
00:06:46 The IIA
In practice, that means when you're planning an engagement with privacy implications, it's worth connecting with your organization's privacy office early.
00:06:55 The IIA
They can help you understand what types of data are involved, what regulations apply, and where the known gaps are.
00:07:02 The IIA
And when you find something during an audit, they're the right people to loop in.
00:07:07 The IIA
If internal audit and privacy professionals aren't talking, neither function is as effective as it could be.
00:07:14 The IIA
You'll also encounter two more terms in privacy work, especially when reviewing third-party relationships.
00:07:20 The IIA
The first term to learn, data controller, is the organization that determines why and how personal data is processed.
00:07:28 The IIA
And the second term to learn, data processor, is a third party that handles data on behalf of the controller.
00:07:35 The IIA
In plain terms, the data controller is responsible and the data processor is accountable to them.
00:07:40 The IIA
Both matter to internal audit.
00:07:43 The IIA
Even if a vendor is handling the data, your organization remains responsible for what happens to it.
00:07:49 The IIA
That's an important principle to keep in mind when you're reviewing vendor contracts or third-party risk.
00:07:55 The IIA
If you haven't seen our episode on third-party risk yet, that one connects directly to this topic.
00:08:01 The IIA
Before we wrap up, here are some common mistakes to watch out for.
00:08:05 The IIA
First, assuming privacy only matters in dedicated privacy audits.
00:08:09 The IIA
As Jordan's example showed, it can surface anywhere.
00:08:13 The IIA
Second, treating privacy as an IT issue only.
00:08:17 The IIA
It lives in every department.
00:08:19 The IIA
Third, not asking who has access to the personal data during a walkthrough.
00:08:24 The IIA
Access controls are one of the most common gaps.
00:08:28 The IIA
Fourth, forgetting that third-party risk extends to personal data.
00:08:33 The IIA
Vendors who handle your organization's data need to protect it just as carefully as you do.
00:08:39 The IIA
And fifth, skipping the privacy office when planning an engagement with privacy implications.
00:08:44 The IIA
They're a resource, not a rival.
00:08:47 The IIA
Keeping these in mind will make you a sharper and more well-rounded auditor from early on in your career.
00:08:53 The IIA
Seeking training, certifications, mentorship, and challenging assignments can accelerate your growth.
00:08:59 The IIA
Avoiding these common mistakes can help you stay on track as you work toward the next step in your internal audit career.
00:09:07 The IIA
Thanks for watching Getting Started with Data Privacy Basics for Internal Auditors.
00:09:12 The IIA
Next, be sure to check out our episodes on third-party risk and data analytics to see how privacy connects to vendor oversight and how auditors work with data.
00:09:22 The IIA
You can find these episodes and other helpful resources, including tools, podcasts, and training at the links below.