Skip to Content

Auditing Privacy Risks, 2nd Edition

Recommended The IIA Jul 15, 2012

Recommended Guidance 

PG-Auditing-Privacy-Risks-Cover.jpgOne of the many challenging and formidable risk management issues faced by organizations today is protecting the privacy of personal information about customers, employees, and business partners. As consumers, we are concerned with how businesses and organizations use and protect this information. As business owners or management we want to: meet the needs and expectations of our customers, business partners, and employees; keep commitments pursuant to contractual agreements; and comply with applicable data privacy and security laws and regulations.

Privacy is a global issue. Many countries have adopted privacy legislation governing the use of personal information, as well as the export of this information across borders. For businesses to operate effectively in this environment, they need to understand and comply with these privacy laws. Examples of influential privacy legislation include Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), the European Union’s (EU’s) Directive on Data Privacy, and privacy acts from Australia, Japan, and New Zealand. Industry sector privacy legislation from the United States includes the Gramm-Leach Bliley Act (GLBA) for the financial services industry and the Health Insurance Portability and Accountability Act (HIPAA) for the health care industry.

Despite all these laws, media headlines have demonstrated that the privacy and protection of personal information is not absolute. There are countless news stories relating to security breaches that involve the loss or disclosure of personal information. This could be partially due to the fact that a greater number of organizations are outsourcing business processes and applications that contain personal information in addition to using newer technologies that can increase their privacy risk profile. 

Various stakeholders such as boards, audit committees or other oversight groups want assurance around the organization’s processes that protect private information. This Practice Guide, which replaces The IIA’s Global Technology Audit Guide (GTAG) “Managing and Auditing Privacy Risks” published in June 2006, provides practitioners with a foundation for meeting the complex and varied expectations that accompany privacy issues.


The Institute of Internal Auditors