Appendix C: CPA/CA Practitioner Services Using Generally Accepted Privacy Principles

Privacy Advisory Engagements

Privacy Attestation /Assurance Engagements

Privacy Examination/Audit Engagements

Privacy Review Engagements

Agreed-Upon (Specified Auditing) Procedures Engagements

Relationship between Generally Accepted Privacy Principles and the Trust Services Principles and Criteria

Online Privacy Engagements

 

This appendix provides a high-level overview of the services that CPAs and CAs in public practice (practitioners) can provide using Generally Accepted Privacy Principles. Detailed guidance in "Understanding and Implementing Privacy Services—A CPA's Resource" has been developed by the task force and is available from both the AICPA and CICA (see www.aicpa.org/privacy and www.cica.ca). This detailed guidance is viewed as an essential resource for practitioners who intend to provide any of the services discussed in this appendix.

 

Privacy Advisory Engagements

 

Practitioners can provide a variety of advisory services to their clients, which include strategic, diagnostic, implementation, and sustaining/managing services using the Generally Accepted Privacy Principles criteria. These services could include, for example, advising clients on system weaknesses, assessing risk, and recommending a course of action using the Generally Accepted Privacy Principles criteria as a benchmark.

 

Practitioners in the United States providing such advisory services follow Statement on Standards for Consulting Services, Consulting Services: Definition and Standards (AICPA, Professional Standards, vol. 2, CS sec. 100). Canadian practitioners are expected to meet the standards set out in Sections 5000–5900 of the CICA Handbook.

 


 

Privacy Attestation /Assurance Engagements

 

Privacy attestation/assurance engagements include services in which a practitioner is engaged to:

 

· Issue an opinion (examination/audit),

· Conduct a review, or

· In the United States, conduct agreed-upon procedures

 

on a defined privacy-related subject matter or an assertion thereon.

 


 

Privacy Examination/Audit Engagements

 

Relevant U.S. standards for attestation engagements are contained in the Statements on Standards for Attestation Services. Relevant Canadian standards for assurance engagements are contained in Section 5025 of the CICA Handbook. Privacy attestation/assurance engagements are defined within the context of these standards. A practitioner is expected to be aware of the requirements established by the relevant professional standards.

 

In an examination/audit engagement, the practitioner provides a high, though not absolute, level of assurance on a subject matter or assertion. With that objective, the practitioner develops examination/audit procedures that, in the practitioner's professional judgment, reduce the risk that the practitioner will reach an inappropriate conclusion to a low level. Illustrative privacy examination/audit reports are included in Appendix D.

 

The following key concepts apply to privacy assurance engagements.1

 

· A privacy assurance report ordinarily covers all 10 principles. All of their relevant criteria need to be met during the period covered by the report to issue an unqualified report.2, 3

· The work should be performed at the highest level of assurance, that is, the "examination" or equivalent level.

· The scope of the engagement can cover (1) either all personal information or only certain identified types of personal information, such as customer information or employee information, and (2) all business segments and locations for the entire entity or only certain identified segments of the business (retail operations, but not manufacturing operations, or only operations originating on the entity's Web site) or geographic locations (such as only Canadian operations). In addition:

 

  o The scope of the engagement generally should be consistent with the description of the entities and activities covered in the privacy notice (see Criterion 2.2.2). The scope often could be narrower, but ordinarily not broader, than that covered by the related privacy notice.

  o The scope of the engagement should cover all of the activities in the "information cycle" for the relevant personal information. These should include collection, use, retention, disclosure, and destruction, de-identification, or anonymization. Defining a segment that does not include this entire cycle could be misleading to the user of the practitioner's report.

  o If the identified personal information included in the scope of the examination is commingled with other information not in the scope of the engagement, the privacy assurance engagement needs to cover controls over all of the information from the point of commingling forward.

  o The practitioner's report should ordinarily cover a period of time (not less than two months); however, the practitioner's initial report can be a point-in-time report.

 


 

Privacy Review Engagements

 

Under professional standards, a review engagement is a form of an attestation/assurance engagement. However, the term "privacy review" is often misused to mean a privacy audit or certain types of privacy advisory engagements, such as a privacy diagnostic engagement. Because review engagements, as defined in professional standards, are susceptible to misunderstanding by third-party users, the Privacy Task Force does not recommend their use.

 


 

Agreed-Upon (Specified Auditing) Procedures Engagements

 

In an agreed-upon/specified procedures engagement, the practitioner performs specified procedures, agreed to by the parties4, and reports his or her findings. The practitioner does not perform an audit or review of an assertion or subject matter or express an opinion or negative assurance about the assertion or subject matter.5 In this type of engagement, the practitioner's report is in the form of a description of procedures and findings. Generally Accepted Privacy Principles may be used in such engagements. This type of work would not lead to an assurance report, but rather to a report presenting the agreed-upon/specified procedures and the corresponding findings. Agreed-upon/specified procedures could be undertaken relative to a subset of an entity's system with reference to a subset of the Generally Accepted Privacy Principles. For example, an entity may request that a practitioner complete agreed-upon/specified procedures using a sub-set of Generally Accepted Privacy Principles and report the findings. In Canada, specified procedures engagements are permitted, although they are not considered to be assurance engagements under CICA Handbook Section 5025.

 

Because users' needs may vary widely, the nature, timing, and extent of the agreed-upon/specified procedures may vary as well. Consequently, the parties to the report (agreed to/specified users and the client) assume responsibility for the sufficiency of the procedures since they best understand their own needs. The use of such a report is restricted to the specified parties who agreed upon the procedures.

 


 

Relationship between Generally Accepted Privacy Principles and the Trust Services Principles and Criteria

 

Generally Accepted Privacy Principles are part of the AICPA/CICA Trust Services Principles and Criteria, a set of professional assurance and advisory services based on a common framework (i.e., a core set of principles and criteria). The Trust Services Principles and Criteria were developed by volunteer task forces under the auspices of the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). The AICPA and the CICA are referred to in this document as "the Institutes." The other Trust Services Principles and Criteria are:

 

· Security—The system is protected against unauthorized access (both physical and logical).

· Availability—The system is available for operation and use as committed or agreed.

· Processing Integrity—System processing is complete, accurate, timely, and authorized.

· Confidentiality—Information designated as confidential is protected as committed or agreed.

 

These are discussed more fully on the WebTrust Web site. Additional information about Trust Services is set out in the Guide, "Understanding and Implementing Trust Services," which is available from the AICPA and CICA.

 


 

Online Privacy Engagements

 

When the privacy engagement relates to an online segment, an entity may choose to display a WebTrust Online Privacy seal. For these engagements:

 

· The scope of the engagement needs to include, but is not limited to, an online business segment of the entity. Use of the WebTrust seal is only permitted in circumstances where the online business segment is included in the scope of the practitioner's examination.

 

· WebTrust seals are trademarked and service-marked graphic images and their use is subject to the Trust Services license agreement. The Trust Services license agreement and the guidance established for the Trust Services program permit the images to be displayed on a client's Web site or electronically, subject to certain requirements:

 

  o The practitioner must be licensed under the Trust Services license agreement.

  o The entity must have received a report from the practitioner that does not include a qualification or scope limitation.

  o The entity must agree to certain conditions governing the use of the WebTrust seal (generally included in the practitioner's engagement letter).

  o The seal must be issued using the AICPA/CICA processes and be listed on the Institutes' server.

  o Fees as established by the Trust Services license agreement for the use of the seal must be paid to the Institutes.

 

When the WebTrust seal is used, the task force recommends that the practitioner's report include language such as the following: "The WebTrust Online Privacy seal constitutes a symbolic representation of the contents of the independent auditor's report and it is not intended, nor should it be construed, to update that report or provide any additional assurance."

 


1. Chapter 10 of the AICPA Guide "Understanding and Implementing Privacy Services—A CPA's Resource" and Chapters 10 and 11 of the CICA Guide "Solutions for Today's Privacy Issues" include guidance on performing privacy assurance engagements.

2. See Appendix D, "Illustrative Privacy Examination/Audit Reports."

3. In certain circumstances (such as a report on a third-party service provider), special purpose privacy reports covering some of the 10 Principles could be issued. The Privacy Task Force recommends that such reports contain language that indicates that the privacy principles not covered are essential for overall assurance of privacy and be "restricted use" reports.

4. The specified users of the report and the practitioner agree upon the procedures to be performed by the practitioner.

5. In the U.S., agreed-upon procedures engagements are performed under SSAE No. 10, Chapter 2, Agreed-Upon Procedures Engagements. In Canada there are no general standards for agreed-upon procedures/specified procedures. A practitioner could, however, look to the guidance provided by CICA Handbook Section 9100, which contains standards for performing Specified Procedures on Financial Information Other Than Financial Statements. In specified auditing procedures engagements, the practitioner is engaged to report to specific users the results of applying specified procedures. In applying such procedures, the practitioner does not express a conclusion concerning the subject matter because he or she does not necessarily perform all of the procedures that, in the practitioner's judgment, would be necessary to provide a high level of assurance. Rather, the practitioner's report sets out the factual results of the procedures applied, including any exceptions found.

Copyright © 2006 by the American Institute of Certified Public Accountants, Inc., New York, New York.