STUDY UNIT FOUR


INTERNAL AUDIT ROLES II

4.1 Risk Management ............ 1
4.2 Information Reliability, Integrity, and Privacy ............ 9
4.3 Summary ............ 13

This study unit is the second of two that address the nature of work of internal auditors. Their work
is defined in the pronouncements of The IIA. These pronouncements elaborate on the description of
the services performed by the internal audit activity provided in the Definition of Internal Auditing,
which stresses the improvement of governance, risk management, and control processes. However, the
internal auditors’ work regarding control is such a vital part of their responsibilities that it is treated
separately in Study Units 5 and 6.

Core Concepts
■ The risk management process identifies, assesses, manages, and controls potential risk
exposures.
■ Senior management and the board determine the role of the IAA in risk management.
■ Information reliability and integrity is a management responsibility.
■ The IAA periodically assesses information reliability and integrity practices and makes
recommendations.
■ The IAA evaluates compliance with laws and regulations concerning privacy.

4.1 RISK MANAGEMENT


Risk management is “a process to identify, assess, manage, and control potential events or situations
to provide reasonable assurance regarding the achievement of the organization’s objectives”
(Glossary). It is a fundamental element of the Definition of Internal Auditing. This subject is covered in
one General Performance Standard, one Specific Performance Standard, one Interpretation, two
Assurance Implementation Standards, three Consulting Implementation Standards, a Position Paper,
and one Practice Advisory.

2100 – Nature of Work


The internal audit activity must evaluate and contribute to the improvement of governance, risk
management, and control processes using a systematic and disciplined approach.

2120 – Risk Management


The internal audit activity must evaluate the effectiveness and contribute to the improvement of
risk management processes.

Copyright © 2009 Gleim Publications, Inc. and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com
2 SU 4: Internal Audit Roles II

Interpretation:
Determining whether risk management processes are effective is a judgment resulting from
the internal auditor’s assessment that:
a. Organizational objectives support and align with the organization’s mission.
b. Significant risks are identified and assessed.
c. Appropriate risk responses are selected that align risks with the organization’s risk
appetite.
d. Relevant risk information is captured and communicated in a timely manner across
the organization, enabling staff, management, and the board to carry out their
responsibilities.
Risk management processes are monitored through ongoing management activities,
separate evaluations, or both.

Practice Advisory 2120-1: Assessing the Adequacy of Risk Management


1. Risk management is a key responsibility of senior management and the board. To
achieve its business objectives, management ensures that sound risk management
processes (RMPs) are in place and functioning. Boards have an oversight role to
determine that appropriate RMPs are in place, adequate, and effective. In this role,
they may direct the internal audit activity to assist them by examining, evaluating,
reporting, or recommending improvements in the adequacy and effectiveness of RMPs.
2. Management and the board are responsible for their organization’s risk management
and control processes. However, internal auditors acting in a consulting role can
assist the organization in identifying, evaluating, and implementing risk management
methodologies and controls to address those risks.
3. If the organization does not have formal RMPs, the chief audit executive (CAE)
formally discusses with management and the board their obligations with regard to
RMPs. These include understanding, managing, and monitoring risks within the
organization. They also include becoming satisfied that processes operating within the
organization, even if informal, provide the appropriate level of insight into the key risks
and how they are being managed and monitored.
4. The CAE is to obtain an understanding of senior management’s and the board’s
expectations of the internal audit activity in the organization’s RMP. This
understanding is then codified in the charters of the internal audit activity and the
board. Internal auditing’s responsibilities are to be coordinated between all groups and
individuals within the organization’s RMP. The internal audit activity’s role in the RMP
of an organization can change over time and may encompass:
● No role.
● Auditing the risk management process as part of the internal audit plan.
● Active, continuous support and involvement in the risk management process such
as participation on oversight committees, monitoring activities, and status
reporting.
● Managing and coordinating the risk management process.
5. Ultimately, it is the role of senior management and the board to determine the role of
internal auditing in the risk management process. Their view on internal auditing’s role
is likely to be determined by factors such as the culture of the organization, ability of
the internal audit staff, and local conditions and customs of the country. However,
taking on management’s responsibility regarding the RMP and the potential threat to
the internal audit activity’s independence requires a full discussion and board
approval.

6. The techniques used by various organizations for their risk management practices can
vary significantly. Depending on the size and complexity of the organization’s
business activities, RMPs can be:
● Formal or informal.
● Quantitative or subjective.
● Embedded in the business units or centralized at a corporate level.
7. The organization designs processes based on its culture, management style, and
business objectives. For example, the use of derivatives or other sophisticated capital
markets products by the organization could require the use of quantitative risk
management tools. Smaller, less complex organizations could use an informal risk
committee to discuss the organization’s risk profile and to initiate periodic actions. The
internal auditor determines that the methodology chosen is sufficiently
comprehensive and appropriate for the nature of the organization’s activities.
8. Internal auditors need to obtain sufficient, appropriate evidence to determine that the
key objectives of the RMPs are being met to form an opinion on the adequacy of
RMPs. In gathering such evidence, the internal auditor might consider the following
types of engagement procedures:
● Research and review current developments, trends, industry information, and
other appropriate sources of information to determine risks and exposures
that may affect the organization and related control procedures used to
address, monitor, and reassess those risks.
● Review corporate policies and minutes of board meetings to determine the
organization’s business strategies, risk management philosophy and
methodology, appetite for risk, and acceptance of risks.
● Review previous risk evaluation reports by management, internal auditors,
external auditors, and any other sources that may have issued such reports.
● Conduct interviews with line and senior management to determine business
unit objectives, related risks, and management’s risk mitigation and control
monitoring activities.
● Assimilate information to independently evaluate the effectiveness of risk
mitigation, monitoring, and communication of risks and associated control
activities.
● Assess the appropriateness of reporting lines for risk monitoring activities.
● Review the adequacy and timeliness of reporting on risk management results.
● Review the completeness of management’s risk analysis, actions taken to
remedy issues raised by RMPs, and suggest improvements.
● Determine the effectiveness of management’s self-assessment processes
through observations, direct tests of control and monitoring procedures, testing
the accuracy of information used in monitoring activities, and other appropriate
techniques.
● Review risk-related issues that may indicate weakness in risk management
practices and, as appropriate, discuss with senior management and the board.
If the auditor believes that management has accepted a level of risk that is
inconsistent with the organization’s risk management strategy and policies, or
that is deemed unacceptable to the organization, the auditor should refer to
Standard 2600 and any related guidance for additional direction.

PA Summary
● Risk management is the responsibility of senior management and the board.
Management ensures that sound RMPs are in place and functioning. Boards
determine that RMPs are in place, adequate, and effective. The IAA may be directed
to examine, evaluate, report, or recommend improvements. It also plays a consulting
role in identifying, evaluating, and implementing risk management methods and
controls.
● If the organization has no formal RMPs, the CAE has formal discussions with
management and the board about their obligations for understanding, managing, and
monitoring risks.
● The CAE must understand management’s and the board’s expectations of the IAA in
risk management. The understanding is codified in the charters of the IAA and the
board.
● Senior management and the board determine the IAA’s role in risk management based
on factors such as (1) organizational culture, (2) abilities of the IAA staff, and (3) local
conditions and customs. That role may range from no role, to auditing the process as
part of the audit plan, to active, continuous support and involvement in the process, to
managing and coordinating the process. But assuming management responsibilities
and the threat to IAA independence must be fully discussed and board-approved.
● RMPs may be formal or informal, quantitative or subjective, or embedded in business
units or centralized. Processes are designed to fit the organization’s culture,
management style, and objectives. The IAA determines that the methods chosen
are comprehensive and appropriate for the organization.
● Sufficient, appropriate evidence needs to be obtained regarding attainment of the key
objectives to form an opinion on the adequacy of the RMPs. The internal auditor might
consider the following:
1) Current developments, trends, and industry information to determine risks
and exposures and related controls.
2) Corporate policies and minutes of board meetings to determine strategies,
philosophy, methods, appetite for risk, and acceptance of risks.
3) Previous risk evaluation reports by management, auditors, and others.
4) Interviews with line and senior management to determine objectives, related
risks, and risk mitigation and control monitoring activities.
5) Information to independently evaluate the effectiveness of risk mitigation,
monitoring, and communication of risks and controls.
6) Assessment of the appropriateness of reporting lines.
7) Review of the adequacy and timeliness of reporting on results.
8) Review of the completeness of management’s risk analysis and actions taken
to remedy problems.
9) Suggesting improvements.
10) Determining the effectiveness of management’s self-assessment processes,
e.g., through observation, direct tests of control and monitoring procedures, and
testing information used in monitoring.
11) Reviewing risk-related indications of weakness in RMPs and, as appropriate,
discussing them with management and the board. (Also see Standard 2600.)

2120.A1 – The internal audit activity must evaluate risk exposures relating to the
organization’s governance, operations, and information systems regarding the:
● Reliability and integrity of financial and operational information;
● Effectiveness and efficiency of operations;
● Safeguarding of assets; and
● Compliance with laws, regulations, and contracts.
2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud
and how the organization manages fraud risk.
2120.C1 – During consulting engagements, internal auditors must address risk consistent
with the engagement’s objectives and be alert to the existence of other significant risks.
2120.C2 – Internal auditors must incorporate knowledge of risks gained from consulting
engagements into their evaluation of the organization’s risk management processes.
2120.C3 – When assisting management in establishing or improving risk management
processes, internal auditors must refrain from assuming any management responsibility by
actually managing risks.

1. Position Paper, The Role of Internal Auditing in Enterprise-wide Risk Management


Definition
a. Enterprise-wide risk management (ERM) is a structured, consistent, and continuous
process across the whole organization for identifying, assessing, deciding on
responses to, and reporting on opportunities and threats that affect the achievement
of its objectives.
b. The board has overall responsibility for ensuring that risks are managed. In practice,
the board delegates the operation of the risk management framework (RMF) to
management.
1) Everyone in the organization plays a role in successful ERM, but the primary
responsibility for identifying risks and managing them lies with management.
2) A separate function may coordinate and manage these activities and apply
special skills and knowledge.
Activities
c. The following are possible ERM activities:
1) Defining and communicating organizational objectives
2) Determining the risk appetite
3) Establishing an appropriate internal environment, including an RMF
4) Identifying potential threats
5) Assessing risk (determining impact and likelihood)
6) Selecting and implementing risk responses
7) Undertaking control and other response activities
8) Communicating information on risks consistently and at all levels
9) Centrally monitoring and coordinating RMPs and outcomes
10) Providing assurance on the effectiveness of risk management

Assurance
d. Assurance is needed about the effectiveness of RMPs and the management of key
risks to an acceptable level. Such assurance comes primarily from management.
1) Objective assurance also is provided by the IAA, external auditors, and
independent specialists. The IAA usually provides assurance about
a) The design and effectiveness of RMPs
b) Management of key risks, including the effectiveness of response activities
c) Risk assessment
d) Reporting risk and control status
2) The IAA provides value to the organization primarily through giving objective
assurance that (a) key risks are properly managed and (b) the risk
management and control framework is effective.
e. The IAA also may provide consulting services, depending on the availability of other
resources and the organization’s risk maturity (the extent to which a robust risk
management approach has been applied).
1) As risk maturity increases, or if the organization has a risk management
specialist or function, the IAA’s consulting role tends to diminish.
2) The IAA may provide ERM consulting services if it does not actually manage
risks.
IAA Roles
f. With regard to ERM, the IAA has certain core roles and may play certain other
legitimate roles.
1) Core assurance roles
a) Giving assurance on risk management processes
b) Giving assurance that risks are correctly evaluated
c) Evaluating risk management processes
d) Evaluating the reporting of key risks
e) Reviewing the management of key risks
2) Legitimate consulting roles
a) Facilitating identification and evaluation of risks
b) Coaching management in responding to risks
c) Coordinating ERM activities
d) Consolidating the reporting on risks
e) Maintaining and developing the ERM framework
f) Championing establishment of ERM
g) Developing a risk management strategy for board approval
3) Roles not to undertake
a) Setting the risk appetite.
b) Imposing risk management processes.
c) Managing assurance on risks.
d) Making decisions on risk responses.
e) Implementing risk responses on management’s behalf.

f) Accountability for risk management. Thus, an internal auditor must not
also be the organization’s chief risk officer (CRO). An organization
needs to appoint a CRO who is not part of the internal audit function.
i) A CRO is a member of management assigned primary responsibility
for ERM processes. The CRO is most effective when supported by
a specific team with the necessary expertise and experience related
to organization-wide risk.
2. Practice Guide, Business Continuity Management
a. BCM is a risk management approach based on business value. It matches
(1) business continuity capabilities and (2) likely risks.
b. The objective of BCM is to restore critical processes and to minimize financial and
other effects of a disaster or business disruption.
c. BCM is the third component of an emergency management program (EMP). Its time frame
is measured in hours and days if not weeks. The EMP also includes
1) Emergency response, the goal of which is lifesaving, safety, and initial efforts to
limit the effects of a disaster to asset damage. Its time frame is measured in
hours if not minutes.
2) Crisis management, the focus of which is managing communications and
senior management activities. Its time frame is measured in hours or days.
Elements
d. The following are elements of BCM:
1) Management support. Management must demonstrate support for properly
preparing, maintaining, and practicing a business continuity plan (BCP) by
assigning adequate resources, people, and budgeted funds.
2) Risk assessment and mitigation. Potential risks due to threats (e.g., fires,
terrorism, weather events, and disease outbreaks) must be identified, and the
probability and potential effects on the business must be determined. This
must be done at the site and on the division level to ensure the risks of all
credible events are understood and appropriately managed.
a) The entity must (1) define disruptive (credible) events, (2) assess their
effects, and (3) develop risk mitigation strategies.
3) Business impact analysis (BIA). The BIA identifies business processes that
are integral to functioning in a disaster and determines how soon they should
be recovered.
a) The entity (1) identifies critical processes, (2) defines the recovery time
objective (RTO) and the recovery point objective (RPO) for processes
and resources, and (3) identifies the other parties (e.g., vendors and other
divisions of the entity) and physical resources (e.g., critical equipment and
records) needed for recovery.
i) An RTO is the duration of time and service level within which a
process must be restored.
ii) An RPO is the amount of data the entity can afford to lose.
iii) The cost of a recovery solution ordinarily increases as the RTO or
RPO decreases.

4) Business recovery and continuity strategy. This strategy addresses the
actual steps, people, and resources required to recover a critical business
process.
a) The entity plans for
i) Alternative staffing (e.g., staff remaining at the site, staff at another
site, or staff of another entity),
ii) Alternative sourcing (e.g., use of nonstandard products and
services, use of diverse suppliers, outsourcing to entities that
provide standard services, or reciprocal agreements with
competitors),
iii) Alternative work spaces (e.g., another entity facility, remote access
with proper security, or a commercial recovery site), and
iv) The return to normal operations (e.g., entry of manually processed
data, resolution of regulatory and financial exceptions, return of
borrowed equipment, and replenishment of products and supplies).
5) Awareness and training. Education and awareness of the BCM program and
BC plans are critical to the execution of the plan.
6) Exercises. Employees should participate in regularly scheduled practice drills of
the BCM program and BC plans.
7) Maintenance. The BCM capabilities and documentation must be maintained to
ensure that they remain effective and aligned with business priorities.
Crisis Management (CM)
e. CM planning addresses how the entity informs its stakeholders (including the public)
about the crisis and the steps taken to restore business processes.
1) CM responses to the reality and perception of crises are documented in a plan.
2) CM also uses metrics to determine what constitutes a crisis and requires
needed responses.
Disaster Recovery Plan (DRP)
f. Disaster recovery of IT provides support for regaining access to data (e.g., hardware,
software, and records), communications, work areas, and other business processes.
1) Thus, a DRP that is established and tested must be developed in connection
with the BCP. It should describe IT recovery strategies, including details about
procedures, vendors, and systems.
a) Detailed procedures must be updated when systems and businesses
change.
b) The following are examples of items addressed by the DRP:
i) Data center
ii) Applications and data needed
iii) Servers and other hardware
iv) Communications
v) Network connections
vi) IT infrastructure (e.g., logon services and software distribution)
vii) Remote access services
viii) Process control systems
ix) File rooms
x) Document management systems

2) The following are considerations for choosing DRP strategies:
a) The DRP should be based on the BIA.
b) The recovery abilities of critical service providers must be assessed.
c) The recovery of IT components often must be combined to recover a
system.
d) Service providers (internal and external) must furnish recovery
information, such as (1) their responsibilities, (2) limitations, (3) recovery
activities, (4) communication methods, (5) strategy, (6) RPOs, (7) RTOs,
(8) costs, (9) testing frequency, (10) scope of effort, and (11) third-party
contracts.
e) Strategies for components may be developed independently. The
objective is the best, most cost-effective solution that (1) allows user
access and (2) permits components to work together, regardless of where
systems are recovered.
f) Security and compliance standards must be considered.
3) The following are recovery solutions and sites for which a recovery plan
exists:
a) Hot. Resources are available at the site(s) and data are synchronized in
real time to permit recovery immediately or within hours.
b) Warm. Resources are available at the site(s) but may need to be
configured to support the production system. Some data may need to be
restored. Typical recovery time is two days to two weeks.
c) Cold. Site(s) have been identified with space and base infrastructure.
Resources are not available at the site(s). Data likely need to be
restored. Typical recovery time is two weeks to a month.
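The DRP considerations above say the plan must be based on the BIA and that cost rises as RTO or RPO fall. The following is an added example, not code from the Gleim text or from The IIA, of the check an auditor would perform when comparing a BIA with the DRP: every critical process must have a recovery strategy, the chosen site tier must be able to restore the process within its RTO, and the backup interval must not exceed its RPO. The process names, RTO/RPO values and backup intervals are constructed sample data; the site recovery times use the worst case of each range on the page, with the hot-site ceiling of four hours being an assumed reading of "within hours".

```python
"""Added example (not from the Gleim text or The IIA): checking a DRP
against the BIA it should be based on.

Assumptions: process names, RTO/RPO values and backup intervals below are
constructed sample data. Site recovery times come from the page's
hot/warm/cold descriptions, using the worst case of each range so that the
check is conservative: hot = 4 hours (an assumed reading of "within hours"),
warm = two weeks, cold = one month.
"""
from dataclasses import dataclass

HOUR = 1
DAY = 24 * HOUR

# Worst-case recovery time for each recovery solution named on the page.
SITE_WORST_CASE_RTO_HOURS = {
    "hot": 4 * HOUR,      # "immediately or within hours" (assumed 4 h ceiling)
    "warm": 14 * DAY,     # "two days to two weeks"
    "cold": 30 * DAY,     # "two weeks to a month"
}
# Cost rises as the achievable RTO/RPO falls; lowest rank = cheapest tier.
SITE_COST_RANK = {"cold": 1, "warm": 2, "hot": 3}


@dataclass(frozen=True)
class CriticalProcess:
    """One BIA entry: a critical process and its recovery objectives."""
    name: str
    rto_hours: float   # recovery time objective
    rpo_hours: float   # recovery point objective: tolerable data loss


@dataclass(frozen=True)
class RecoveryStrategy:
    """The DRP's answer for one process: site tier and backup cadence."""
    site: str                     # "hot", "warm" or "cold"
    backup_interval_hours: float  # time between data copies to the site


def cheapest_site_meeting_rto(rto_hours):
    """Lowest-cost tier whose worst-case recovery fits the RTO, or None if
    even a hot site cannot (the BIA demands more than these tiers offer)."""
    for site in sorted(SITE_COST_RANK, key=SITE_COST_RANK.get):
        if SITE_WORST_CASE_RTO_HOURS[site] <= rto_hours:
            return site
    return None


def evaluate_strategy(process, strategy):
    """Return the issue codes for one process ("RTO", "RPO"); empty = OK."""
    issues = []
    if SITE_WORST_CASE_RTO_HOURS[strategy.site] > process.rto_hours:
        issues.append("RTO")   # site cannot restore the process in time
    # Data loss after a disaster is at least the time since the last copy,
    # so a backup interval longer than the RPO can never meet the RPO.
    if strategy.backup_interval_hours > process.rpo_hours:
        issues.append("RPO")
    return issues


def audit_drp(bia, drp):
    """Compare every BIA process with the DRP. A process the DRP does not
    cover at all is reported as "NO_STRATEGY" (the DRP must be based on the BIA)."""
    report = {}
    for process in bia:
        strategy = drp.get(process.name)
        if strategy is None:
            report[process.name] = ["NO_STRATEGY"]
        else:
            report[process.name] = evaluate_strategy(process, strategy)
    return report


# Constructed sample BIA and DRP (not real organizations or figures).
SAMPLE_BIA = [
    CriticalProcess("order_entry", rto_hours=8 * HOUR, rpo_hours=1 * HOUR),
    CriticalProcess("payroll", rto_hours=2 * DAY, rpo_hours=1 * DAY),
    CriticalProcess("archive_reporting", rto_hours=30 * DAY, rpo_hours=7 * DAY),
    CriticalProcess("trading", rto_hours=1 * HOUR, rpo_hours=0),
]
SAMPLE_DRP = {
    "order_entry": RecoveryStrategy("hot", backup_interval_hours=4 * HOUR),
    "payroll": RecoveryStrategy("warm", backup_interval_hours=1 * DAY),
    "archive_reporting": RecoveryStrategy("cold", backup_interval_hours=7 * DAY),
    # "trading" is deliberately absent from the DRP to show the gap finding
}

if __name__ == "__main__":
    for name, issues in audit_drp(SAMPLE_BIA, SAMPLE_DRP).items():
        print(f"{name}: {issues or 'meets BIA objectives'}")
```

Running the sample shows the three kinds of finding an auditor would raise: a hot site whose backups are too infrequent for the RPO, a warm site too slow for a two-day RTO, and a critical process the DRP does not cover at all. The cheapest-tier helper supports the page's point that the most cost-effective solution is the lowest tier that still meets the BIA, and it returns None when no tier on the page can meet an RTO, which signals that a different solution (or a revised objective) is needed.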

4.2 INFORMATION RELIABILITY, INTEGRITY, AND PRIVACY


This subunit covers the related topics of information reliability and integrity and privacy. They are
addressed in two Assurance Implementation Standards and two Practice Advisories.
NOTE: Physical security, such as safeguards against environmental risks and unauthorized access
to computer terminals, remains an internal auditing concern even though software controls now provide
most protection for information.

2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of
controls in responding to the risks within the organization’s governance, operations, and
information systems regarding the:
● Reliability and integrity of financial and operational information;
● Effectiveness and efficiency of operations;
● Safeguarding of assets; and
● Compliance with laws, regulations, and contracts.

Practice Advisory 2130.A1-1: Information Reliability and Integrity


1. Internal auditors determine whether senior management and the board have a clear
understanding that information reliability and integrity is a management
responsibility. This responsibility includes all critical information of the
organization, regardless of how the information is stored. Information reliability and
integrity includes accuracy, completeness, and security.
2. The chief audit executive (CAE) determines whether the internal audit activity
possesses, or has access to, competent auditing resources to evaluate information
reliability and integrity and associated risk exposures. These risk exposures may be
internal or external, including those relating to the organization’s relationships with
outside entities.
3. The CAE determines whether information reliability and integrity breaches and
conditions that might represent a threat to the organization will promptly be made
known to senior management, the board, and the internal audit activity.
4. Internal auditors assess the effectiveness of preventive, detective, and mitigation
measures against past attacks, as appropriate, and future attempts or incidents
deemed likely to occur. Internal auditors determine whether the board has been
appropriately informed of threats, incidents, vulnerabilities exploited, and corrective
measures.
5. Internal auditors periodically assess the organization’s information reliability and
integrity practices and recommend, as appropriate, enhancements to, or
implementation of, new controls and safeguards. Such assessments can either be
conducted as separate stand-alone engagements or integrated into other audits or
engagements conducted as part of the internal audit plan. The nature of the
engagement will determine the most appropriate reporting process to senior
management and the board.

PA Summary
● Information reliability and integrity is a management responsibility for all critical
information regardless of its form.
● The CAE determines whether the IAA has competent audit resources for evaluating
internal and external risks to information reliability and integrity.
● The CAE determines whether senior management, the board, and the IAA will be
promptly notified about breaches and conditions that might represent a threat.
● Internal auditors assess the effectiveness of preventive, detective, and mitigative
measures against past and future attacks. They also determine whether the board
has been appropriately informed.
● Internal auditors periodically assess reliability and integrity practices and recommend
new or improved controls. Such assessments can be made as separate
engagements or as multiple engagements integrated with other elements of the
audit plan.

1. Another aspect of internal auditing’s role regarding information reliability and integrity is to
evaluate compliance with laws and regulations concerning privacy. Thus, internal auditors
assess the adequacy of the identification of risks and the controls that mitigate those risks.

Practice Advisory 2130.A1-2: Evaluating an Organization’s Privacy Framework


1. The failure to protect personal information with appropriate controls can have
significant consequences for an organization. The failure could damage the reputation
of individuals or the organization, and expose an organization to risks that include legal
liability and diminished consumer or employee trust.
2. Privacy definitions vary widely depending upon the culture, political environment, and
legislative framework of the countries in which the organization operates. Risks
associated with the privacy of information encompass personal privacy (physical and
psychological); privacy of space (freedom from surveillance); privacy of
communication (freedom from monitoring); and privacy of information (collection,
use, and disclosure of personal information by others). Personal information
generally refers to information associated with a specific individual, or that has
identifying characteristics that, when combined with other information, can then be
associated with a specific individual. It can include any factual or subjective
information – recorded or not – in any form of media. Personal information could
include:
● Name, address, identification numbers, family relationships;
● Employee files, evaluations, comments, social status, or disciplinary actions;
● Credit records, income, financial status, or
● Medical status.
3. Effective control over the protection of personal information is an essential component of
the governance, risk management, and control processes of an organization. The
board is ultimately accountable for identifying the principal risks to the organization
and implementing appropriate control processes to mitigate those risks. This
includes establishing the necessary privacy framework for the organization and
monitoring its implementation.
4. The internal audit activity can contribute to good governance and risk management by
assessing the adequacy of management’s identification of risks related to its
privacy objectives and the adequacy of the controls established to mitigate those
risks to an acceptable level. The internal auditors are well positioned to evaluate the
privacy framework in their organization and identify the significant risks and make
appropriate recommendations for mitigation.
5. The internal audit activity identifies (1) the types and appropriateness of information
gathered by the organization that is deemed personal or private, (2) the collection
methodology used, and (3) whether the organization’s use of that information is in
accordance with its intended use and applicable legislation.
6. Given the highly technical and legal nature of privacy issues, the internal audit
activity needs appropriate knowledge and competence to conduct an assessment of
the risks and controls of the organization’s privacy framework.

7. In conducting such an evaluation of the management of the organization’s privacy
framework, the internal auditor:
● Considers the laws, regulations, and policies relating to privacy in the
jurisdictions where the organization operates;
● Confers with in-house legal counsel to determine the exact nature of laws,
regulations, and other standards and practices applicable to the organization and
the country/countries in which it operates;
● Confers with information technology specialists to determine that information
security and data protection controls are in place and regularly reviewed and
assessed for appropriateness;
● Considers the level or maturity of the organization’s privacy practices.
Depending upon the level, the internal auditor may have differing roles. The
auditor may facilitate the development and implementation of the privacy
program; evaluate management’s privacy risk assessment to determine the
needs and risk exposures of the organization; or provide assurance on the
effectiveness of the privacy policies, practices, and controls across the
organization. If the internal auditor assumes any responsibility for developing
and implementing a privacy program, the internal auditor’s independence will
be impaired.

PA Summary
● Protection of personal information prevents such adverse consequences as legal
liability and loss of reputation.
● Privacy definitions vary: (1) personal privacy (physical and psychological); (2) privacy
of space (freedom from surveillance); (3) privacy of communication (freedom from
monitoring); and (4) privacy of information (collection, use, and disclosure of personal
information by others).
1) Personal information is any information that can be associated with a specific
individual or that might be combined with other information to do so.
● The board is ultimately accountable for managing privacy risk, e.g., by establishing
and monitoring a privacy framework. The IAA assesses the adequacy of
(1) management’s risk identification and (2) the controls that mitigate those risks.
● The IAA evaluates the privacy framework, identifies significant risks, and makes
recommendations. The IAA also considers (1) laws, regulations, and practices in
relevant jurisdictions; (2) the advice of legal counsel; and (3) the security efforts of IT
specialists.
● Depending on the level or maturity of the organization’s privacy practices, the role of
the internal auditor may be to (1) facilitate the development and implementation of the
privacy program, (2) evaluate management’s privacy risk assessment, or (3) perform
an assurance service regarding the effectiveness of the privacy framework. However,
assumption of responsibility may impair independence.
● The internal auditor identifies (1) personal information gathered, (2) collection
methods, and (3) whether use of the information is in accordance with its intended
use and applicable law.
● Given the difficulty of the technical and legal issues, the IAA needs the knowledge and
capacity to assess the risks and controls of the privacy framework.


4.3 SUMMARY
1. Risk management is a key responsibility of senior management. Boards ensure that
processes are in place, adequate, and effective. The IAA may be directed to examine,
evaluate, report, and recommend improvements. It also plays a consulting role.
2. The IAA must evaluate the effectiveness and contribute to the improvement of risk
management processes.
3. To form an opinion on the adequacy of the RMPs, the IAA must determine that the key
objectives of the RMPs are being met.
4. Enterprise-wide risk management (ERM) is a structured, consistent, and continuous process
across the whole organization for identifying, assessing, deciding on responses to, and
reporting on opportunities and threats that affect the achievement of its objectives.
5. Business continuity management (BCM) is a risk management approach, based on business
value, to matching (a) business continuity capabilities with (b) likely risks. The objective of
BCM is to restore critical processes and to minimize financial and other effects of a disaster
or business disruption.
6. Information reliability and integrity is a management responsibility for all critical information.
The CAE determines whether the IAA has competent audit resources for evaluating internal
and external risks to information reliability and integrity.
7. The board is ultimately accountable for managing privacy risks, e.g., by establishing and
monitoring a privacy framework. The IAA evaluates the framework, identifies risks, and
makes recommendations.
