Disclaimer: The views and lessons here are mine alone and do not represent my employer, the LEGO Group, or previous coursework taught at Cleveland State University School of Law.
Throughout Operationalizing Data Protection & Privacy, I've written several times about the need for demonstrable and defensible compliance. Whether it's for a regulator inquiring about the process for responding to individual rights requests or a third-party partner requesting assurances that any data shared will be properly protected, DP&P leaders, as a risk and compliance function, need to be able to produce relevant information and documentation that supports their program's overall compliance posture.
If you've developed and matured your various program components properly, some of this is straightforward. Records of processing activities, DSAR logs, current and past policies, and historical training records should all be easily shareable, but proving the protection of personal data in the systems, business processes, and data repositories where it's collected, processed, and stored can be a lot more challenging.
Particularly in organizations with hundreds, or even thousands, of systems and processes, ensuring that each one has implemented adequate technical and organizational controls is a difficult task. Organizations often struggle with how to manage this responsibility, with some preferring strict central management and others using a more distributed model. Regardless of how an organization manages its internal controls, though, the DP&P office needs to advocate for a thoughtful information technology audit strategy for validating them, especially where personal data is processed.
- IT audits have been a part of organizations for nearly half a century. As companies grew reliant on information technology in the seventies and eighties, IT audits became an important component of proper corporate governance and information management. IT auditors have been validating and documenting the effectiveness of system and process controls for decades, providing assurance to executives and audit committees that their organization's information is processed properly and protected.
- Audits support a key corporate governance principle: trust but verify. Most organizations develop or adopt standards or one or more control frameworks for managing and protecting their systems and data (including personal data). In some circumstances a senior executive such as a CIO, CDO, or CISO will oversee compliance with the company's technical and organizational controls and trust (or maybe hope) that everyone will comply. In reality, though, employees are balancing multiple priorities, and compliance activities and control testing can easily end up in a backlog. An IT audit team can act as a mirror to the organization, providing an honest assessment of the current state by verifying controls and identifying gaps, allowing the organization to reach a more confident level of compliance.
- Most large companies have an internal audit team, which typically reports to a senior leader like the CFO with a dotted line to an audit committee of the board of directors. Just like DP&P offices, though, companies may have their own culture and practice around system assurance and decide to assign IT audit responsibilities to information security or an IT compliance function. The reporting structure matters less than the IT audit team maintaining a reasonable level of independence in its scope, methodology, and opinions.
- Usually led by a head of internal audit, the IT audit team will develop an audit strategy and annual schedule that addresses the organization's identified risks and compliance requirements, including the performance of regular system-level audits. In US publicly traded companies, this may include performing SOX audits or other general IT control audits for financial systems and ERPs, but there will usually be an opportunity to audit other key areas of the business, including systems or processes impacting personal data.
- Unfortunately, companies can't audit everything and will need to be strategic in their resource allocation and audit schedule. While IT audits of financial systems are important for assuring accurate financial reporting, as DP&P leaders we should be lobbying for the internal IT audit team to develop an audit plan that also adequately addresses the high-risk personal data processing activities within the organization. Ideally this would include several DP&P-focused audits per year, but with budgets strained and resources limited, the scope and number of any DP&P-focused audits will need to be agreed upon by the relevant stakeholders.
- For example, DP&P teams know that a significant amount of employee personal data will be processed in an HRMS, with numerous vital processes such as employee onboarding, performance management, and offboarding being supported by most HRMSs. It would be reasonable, then, to ask the IT audit function to perform annual IT audits on the HRMS, which would provide assurance to the DP&P office that employee personal data is adequately protected. As time and resources allow, similar audits can then be performed for other high-risk systems that process personal data, such as a CRM or an e-commerce platform.
- IT audit functions have adapted and evolved with changes in information systems and processing preferences, particularly in the current era of cloud computing and distributed processing. While general IT control audits are still important, IT auditors also need to understand how information flows throughout a business process where data is available nearly everywhere in real time, and to leverage or adapt an appropriate control framework for validating data protection.
- An IT audit alone doesn't guarantee adequate controls and protection of personal data. It's simply an assessment at a point in time, and DP&P leaders must review the scope and methodology of any audit to understand whether it's effective and being properly conducted. There are several published control frameworks that can assist here, including those from ISO, NIST, SANS, and PCI-DSS, and while not all controls will be applicable in every IT audit, a skilled IT auditor can usually identify the critical controls that will provide a reasonable level of assurance for the organization.
- A properly conducted IT audit requires a significant investment by the organization. The auditor should be properly credentialed with a Certified Information Systems Auditor (CISA) certification or have years of experience in how to properly conduct an audit. Each audit can take 100-200 hours (or even more) depending on the scope and audit methodology, and major systems or processes can easily exceed this by requiring multiple auditors and significant time from the system or process owners.
- Throughout an IT audit the auditor should be systematically documenting their findings in an audit system. As the auditor tests a control and requests documentation from the system or process owners, they will want to keep a detailed record of what's being tested and how a control is determined to be effective or deficient. Audit records can also be helpful if the organization is ever challenged on its corporate governance and compliance program.
- Once an IT audit is complete, there will usually be a comprehensive report written by the audit team documenting the audit's findings. This should include an executive summary as well as all the issues and gaps identified, sorted by risk level. In some reports, recommendations on how to address each issue or gap will also be included.
- After the audit report is disseminated to relevant stakeholders, there needs to be an agreement on how to remediate any critical issues or gaps and on the deadline for completing the work. Some audit teams will support and track this process, but the real work needs to be done by the teams that own the systems or processes that were the subject of the audit. Depending on the findings, DP&P leaders may need to use some political capital to get remediation work prioritized by executive leaders in order to maintain a proper DP&P compliance posture.
- Even when a company has a mature and strong internal audit program, there may be reasons to engage external auditors. External auditors bring a level of independence that internal teams cannot, and they can also perform certified audits that may be necessary for certain parts of the business, such as for PCI-DSS or ISO 27001. External auditors can also supplement the internal audit team to increase its capabilities, but that usually comes at a high cost, and someone internally still needs to oversee the performance of any external audit.
- While general IT control audits are valuable for assuring that day-to-day personal data processing activities maintain an appropriate level of protection, you can also seek to perform audits that assess the overall DP&P program, such as auditing against the NIST Privacy Framework released in 2020. Even if a full program review isn't necessary or possible, DP&P leaders should welcome audits of specific DP&P program components, such as a review of the process for DSARs or consent management.
- If the IT audit team is limited in its scope or resources by other factors and can't prioritize DP&P-related audits, the DP&P office can look to build audit capabilities within its own team. DPO functions already have some audit responsibilities under GDPR, and while not ideal, in some circumstances DP&P leaders can oversee a more robust IT audit program focused on the processing of personal data than an internal audit team can. While you likely can't claim independence in the audit process, you can use the findings to mature and improve DP&P throughout the organization.
- Lastly, there's a cynical view held by some that audits create unnecessary risk for an organization by proactively identifying issues. It comes from a school of thought that it's better not to know and to plead ignorance if an otherwise identifiable issue impacts the business. It's true that audits are expensive and can create additional risk if they identify high-risk issues and the company fails to take reasonable measures to mitigate them, but DP&P leaders should still continue to advocate for a robust audit program to assure that personal data is processed properly and adequately protected.
Partner at Cadence Privacy Consulting (5 months ago): Great detail in this piece, Aaron. I hope more companies continue actively engaging in this space to incorporate DP&P into their existing audit cycle. It is amazing how many opportunities and improvements we are able to uncover along the way when they do, even in a space like IT that feels like it is already heavily assessed. Looking forward to reading more of your work!
Data Protection & Privacy | GDPR | PDPL @ Deloitte (6 months ago): I was waiting already :) Thanks
Fractional DPO Services | Privacy-Ops Support | GDPR Consultancy | EU/UK Representation | DSAR Response | DSPT | AIA & AI Explainability (6 months ago): These are awesome Aaron, keep 'em coming.