Confidentiality is generally described as a set of rules or an agreement that limits access to, or places restrictions on, certain types of information. The same is true of confidentiality as one of the Trust Service Principles defined by the AICPA. In the fourth installment of our TSP Blog series, we review the importance of confidentiality as it relates to service organizations.
The AICPA defines confidentiality as “information designated as confidential is protected as committed or agreed”. Which information is confidential is defined by the individual service organization, as there is no widely recognized definition to reference. Most service organizations deem information confidential when they wish to ensure that only the individuals necessary to a transaction have access to it. The organization responsible for processing the information or data must describe its policies, procedures, and control practices related to the protection of confidential information. An example of confidential information is the transaction detail typically seen in ecommerce purchases.
Protecting confidential data is essential to almost every business. Most business-to-consumer organizations collect information such as names, addresses, phone numbers, and email addresses. eCommerce businesses also collect billing and credit card information from customers. Many eCommerce businesses have begun to add HTTPS protection to their websites to help protect confidential information while it is in transit between the customer's browser and the site.
The service organization that protects confidential information has several tasks to complete before and during the audit process. The organization is responsible for documenting and reviewing its policies related to protecting confidential data. Confidentiality policies should also be updated regularly based on risk assessment. For example, whenever an employee leaves your organization, the list of users authorized to access confidential data should be updated. Policies should also cover sharing confidential information with authorized third-party vendors, along with assigning responsibilities.
There are several steps your organization can take before engaging an auditor to ensure the process runs smoothly. Along with updating your procedures, your organization should invest in training for employees with authorized access to confidential information. Protective tools, such as data encryption, firewalls, and antivirus software, should also be in place to protect vital information from threats. Protection from environmental threats, such as floods, fires, power failure, and excessive heat, should also be documented and evaluated periodically.
The auditor conducting the audit has tasks of their own as well. The auditor’s primary task is to evaluate the written policies and procedures related to the protection of confidential information. Depending on the audit you select, the auditor may also provide additional insight into your policies and procedures.
The team at Auditwerx has worked with many different businesses over the years. Our experience conducting over 200 audits per year has helped us develop a customized audit checklist for our customers to reference before, during, and after their audit. We understand the difficulties of navigating the audit process and are here to help. Call us at 866.446.4038 to speak with our team of certified professional accountants today, or contact us here.