Security and privacy are typically regarded as key risks from an internal audit perspective. However, out of the disruption of the pandemic emerged a new understanding of the interwoven nature of privacy, security, and trust. When sensitive and confidential data protected by an organization is compromised — such as during a ransomware attack or phishing attack — trust in the organization can quickly erode, resulting in subsequent fallout including reputational damage and financial loss. The likelihood of these security incidents has been amplified by the sheer number of organizations that are investing or are planning to invest in digital transformation. While digital transformation itself can mean different things to different companies, it inevitably points to an exponential increase in data generation and big data.
In the face of escalating data privacy concerns, internal auditors are grappling with new ethical dilemmas that require careful navigation. As more businesses across all sectors continue to invest in new technologies, internal auditors must take a closer look — from a privacy, security, and trust perspective — at the guardrails that exist to protect and manage confidential and private information related to employees, customers, and third parties.
This article will explore the characteristics of big data as well as ethical considerations for internal auditors in this vulnerable digital ecosystem.
Big Data and Privacy Laws and Regulations
Big data is commonly associated with a large volume of data that has a high degree of variety. Because it largely consists of personally identifiable information about employees, customers, and/or vendors, big data is one of the most strategic organizational assets, as it allows the business to evolve, innovate, and grow. Some of the highly sensitive personal information big data may contain includes:
- Age, name, ID numbers (including social insurance or health number), income, or ethnic origin
- Opinions, evaluations, comments, social status, or disciplinary actions
- Employee files, credit records, or intentions (e.g., to acquire goods or services, or change jobs)
- Personal health information
As digital transformation produces more big data, it naturally creates more security and privacy risk. Some of this risk can be effectively mitigated if organizations are knowledgeable about, and implement, the existing data privacy laws and regulations that protect employees, consumers, and vendors. However, these laws and regulations are complicated by differences across states, regions, nations, and even industries. For example, while there is no overarching data privacy law in the U.S., there are federal and state data protection laws that apply to specific sectors and groups, including financial services, health care, education, and minors. To make things even more complicated, a business that operates in one territory but has international customers may be subject to the privacy laws and regulations that protect the citizens of those other countries. Below is a small snapshot of the variety of data privacy-related regulations a business may come across:
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
- California Online Privacy Protection Act (CalOPPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- The California Privacy Rights Act (CPRA)
- The European Union’s General Data Protection Regulation (GDPR)
Ethical Considerations for Internal Auditors in the Age of Big Data
This growing patchwork of geography- and industry-specific data privacy laws and regulations means that every business must perform its due diligence when determining the data privacy and security requirements applicable to its operations. Given this complex environment, internal auditors must also step up their attentiveness on the job any time they interact with or handle big data.
Balancing the need for effective internal audits with respect for individuals’ privacy rights poses challenges that require thoughtful analysis and decision-making by internal auditors. The following are some ethical considerations for internal auditors regarding data privacy and big data:
1. Data risks during internal audits and investigations.
Internal auditors may inadvertently create a privacy incident while transferring or transmitting data during an internal audit or investigation. This is why it is necessary to have a solid grasp not only of your organization’s compliance requirements, but also of the data privacy requirements specific to the states, regions, and countries where your business operates.
Developing a strong understanding of the relevant local, national, and international data privacy laws and regulations — and having the foresight to consult with the local privacy office or legal counsel — can help mitigate potential privacy risks or breaches while carrying out internal audit or investigation procedures.
2. Increased workplace monitoring and employee confidentiality.
As organizations proactively try to detect potential misconduct at an early stage (or deter it altogether), workplace monitoring has increased. However, employers must carefully balance protecting the organization from misconduct with heightened sensitivity around data privacy and confidentiality.
While employers have legitimate requirements for collecting personal information about their employees, at a minimum, they should notify their employees regarding what personal information will be collected, how it will be used, how long it will be retained, and to whom it will be disclosed.
3. Collecting too much data during investigations.
Data collected during internal investigations tends to fall between two extremes: too much or the bare minimum. While the minimum is often finding just enough credible evidence of misconduct, the maximum can entail an exhaustive and intrusive review of employees’ activities and communications, which may wind up creating additional privacy risk exposure for the investigating team and the business.
When undertaking investigations, internal auditors should exercise caution to avoid collecting excessive or disproportionate amounts of personal data. Internal auditors must also ensure they are collecting data in accordance with company policies, as well as all applicable data privacy laws and regulations.
4. Confidentiality with AI, RPA, and Machine Learning.
As the business case for leveraging new technologies like AI, RPA, and machine learning becomes increasingly accepted, internal audit professionals should take care to fully vet solutions with the appropriate decision-makers before they are implemented and integrated into the business.
Technologies that are designed to quickly process, interpret, or manipulate confidential data can introduce additional data privacy risk if oversight is insufficient or ineffective. Now is the time to ask: how is internal audit assessing management’s responsiveness to these areas? Some good practices for internal audit to consider include:
- Coordinating and engaging with their privacy, legal, IT, and HR teams at the early stages as management develops business cases for new technologies.
- Conducting formal risk assessments on these technologies, specifically considering privacy risk through an HR and legal lens.
- Ensuring their organization has established strong policies and procedures governing the development and implementation of new technologies, expressly considering data privacy laws and regulations.
5. Auditing Data.
When collecting data as part of internal audit procedures, it is important to consider the data collection process itself. Doing so adds a further layer of protection around meeting data privacy standards during the internal audit process. Some important questions internal auditors can ask about the data being collected include:
- What media are being investigated?
- Real-time or stored communications?
- What audit techniques are being used?
- Did the employer policies provide notice and advance warning to employees?
- Was employee consent obtained? Reasonable purposes? Reasonable scope?
- Are there minimization procedures and good controls on access, use, and disposal?
- Is the employee outside the United States, in Europe or Canada?
Digital Transformation Is Not on Its Way: It Has Already Arrived
The time for internal auditors to consider their company’s policies and procedures from a privacy perspective is now. By considering the ethical implications of big data as they perform their day-to-day audit duties, internal auditors can become champions of security and trust in the organization. In doing so, internal auditors can help contribute to the development of robust privacy programs that not only meet data privacy requirements, but also align with ethical principles and foster a culture of trust and transparency.
David Helberg, CIA, CRMA, is the Director of Internal Audit & Corporate Ethics & Privacy Officer (Chief Internal Audit Services) at a Canadian-based mining company, Cameco Corporation. He is a member of The Institute of Internal Auditors North America Board and Canada Advisory Committee. Connect with David on LinkedIn.