
Appendix D: Illustrative Privacy Examination/Audit Reports

The following appendix includes examples of examination/audit reports under professional reporting standards:

 

Under AICPA Attestation Standards

  • Illustration 1—Reporting Directly on the Subject Matter
  • Illustration 2—Reporting on Management's Assertion
  • Illustrative Management Assertion

Under CICA Assurance Standards

  • Illustration 3—Reporting Directly on the Subject Matter
  • Illustration 4—Reporting on Management's Assertion
  • Illustrative Management Assertion

Illustration 1—Reporting Directly on the Subject Matter Under AICPA Attestation Standards

Independent Practitioner's Privacy Report

 

To the Management of ABC Company, Inc.:

 

We have examined (1) the effectiveness of ABC Company, Inc.'s (ABC Company) controls over the personal information collected in its _______ [description of the entities and activities covered, for example "the mail-order catalog-sales operations"] business (the Business) to provide reasonable assurance that the personal information was collected, used, retained, and disclosed in conformity with its commitments in its privacy notice and with criteria set forth in Generally Accepted Privacy Principles, issued by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants, and (2) ABC Company's compliance with its commitments in its privacy notice related to the Business during the period Xxxx xx, 2006 through Yyyy yy, 2006. ABC Company's management is responsible for maintaining the effectiveness of these controls and for compliance with its commitments in its privacy notice. Our responsibility is to express an opinion based on our examination.

 

Our examination was conducted in accordance with attestation standards established by the AICPA and, accordingly, included (1) obtaining an understanding of ABC Company's controls over the privacy of personal information, (2) testing and evaluating the operating effectiveness of the controls, (3) testing compliance with ABC Company's commitments in its privacy notice, and (4) performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.

 

In our opinion, during the period Xxxx xx, 2006 through Yyyy yy, 2006, ABC Company, in all material respects (1) maintained effective controls over privacy of personal information collected in the Business to provide reasonable assurance that the personal information was collected, used, retained, and disclosed in conformity with its commitments in its privacy notice and with criteria set forth in Generally Accepted Privacy Principles; and (2) complied with its commitments in its privacy notice.

 

Because of inherent limitations in controls, error or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that the validity of such conclusions may be altered because of changes made to the system or controls, the failure to make needed changes to the system or controls, or a deterioration in the degree of effectiveness of the controls.

 

[Name of CPA firm]

Certified Public Accountants

[City, State]

[Date]

 


 

Illustration 2—Reporting on Management's Assertion Under AICPA Attestation Standards


Independent Practitioner's Privacy Report

 

To the Management of ABC Company, Inc.:

 

We have examined ABC Company, Inc.'s (ABC Company) management assertion that, during the period Xxxx xx, 2006 through Yyyy yy, 2006, it:

 

  • Maintained effective controls over the privacy of personal information collected in its ______________ [description of the entities and activities covered, for example "the mail-order catalog-sales operations"] business (the Business) to provide reasonable assurance that the personal information was collected, used, retained, and disclosed in conformity with its commitments in its privacy notice related to the Business and with criteria set forth in Generally Accepted Privacy Principles, issued by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants, and
  • Complied with its commitments in its privacy notice.

 

This assertion is the responsibility of ABC Company's management. Our responsibility is to express an opinion based on our examination.

 

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included (1) obtaining an understanding of ABC Company's controls over the privacy of personal information, (2) testing and evaluating the operating effectiveness of the controls, (3) testing compliance with ABC Company's commitments in its privacy notice, and (4) performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.

 

In our opinion, ABC Company's management assertion that, during the period Xxxx xx, 2006 through Yyyy yy, 2006, ABC Company:

 

  • Maintained effective controls over privacy of personal information collected in the Business to provide reasonable assurance that the personal information was collected, used, retained and disclosed in conformity with its commitments in its privacy notice and with criteria set forth in Generally Accepted Privacy Principles; and
  • Complied with its commitments in its privacy notice,

 

is, in all material respects, fairly stated.

 

OR

 

In our opinion, ABC Company's management assertion referred to above is fairly stated, in all material respects, in conformity with ABC Company's privacy notice and with criteria set forth in Generally Accepted Privacy Principles.

 

Because of inherent limitations in controls, error or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that the validity of such conclusions may be altered because of changes made to the system or controls, the failure to make needed changes to the system or controls, or a deterioration in the degree of effectiveness of the controls.

 

[Name of CPA firm]

Certified Public Accountants

[City, State]

[Date]

 


 

Illustrative Management Assertion

 

During the period Xxxx xx, 2006 through Yyyy yy, 2006, ABC Company, in all material respects:

 

  • Maintained effective controls over the privacy of personal information collected in our _________ [description of the entities and activities covered, for example "the mail-order catalog-sales operations"] business (the Business) to provide reasonable assurance that the personal information was collected, used, retained and disclosed in conformity with our commitments in our privacy notice related to the Business and with criteria set forth in Generally Accepted Privacy Principles, issued by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants, and
  • Complied with our commitments in our privacy notice.

 


 

Illustration 3—Reporting Directly on the Subject Matter Under CICA Assurance Standards

 

Auditor's Privacy Report

 

To the Management of ABC Company, Ltd.:

 

We have audited (1) the effectiveness of ABC Company, Inc.'s (ABC Company) controls over the personal information collected in its _______ [description of the entities and activities covered, for example "the mail-order catalog-sales operations"] business (the Business) to provide reasonable assurance that the personal information was collected, used, retained, and disclosed in conformity with its commitments in its privacy notice and with criteria set forth in Generally Accepted Privacy Principles, issued by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants (CICA), and (2) ABC Company's compliance with its commitments in its privacy notice related to the Business during the period Xxxx xx, 2006 through Yyyy yy, 2006. ABC Company's management is responsible for maintaining the effectiveness of these controls and for compliance with its commitments in its privacy notice. Our responsibility is to express an opinion based on our audit.

 

Our audit was conducted in accordance with standards for assurance engagements established by the CICA. Those standards require that we plan and perform our audit to obtain reasonable assurance as a basis for our opinion. Our audit included (1) obtaining an understanding of ABC Company's controls over the privacy of personal information, (2) testing and evaluating the operating effectiveness of the controls, (3) testing compliance with ABC Company's commitments in its privacy notice, and (4) performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion.

 

In our opinion, during the period Xxxx xx, 2006 through Yyyy yy, 2006, ABC Company, in all material respects (1) maintained effective controls over privacy of personal information collected in the Business to provide reasonable assurance that the personal information was collected, used, retained, and disclosed in conformity with its commitments in its privacy notice and with criteria set forth in the Generally Accepted Privacy Principles; and (2) complied with its commitments in its privacy notice.

 

Because of inherent limitations in controls, error or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that the validity of such conclusions may be altered because of changes made to the system or controls, the failure to make needed changes to the system or controls, or a deterioration in the degree of effectiveness of the controls.

 

[Name of CA firm]

[City, Province]

Chartered Accountants

[Date]

 


 

Illustration 4—Reporting on Management's Assertion Under CICA Assurance Standards

 

Auditor's Privacy Report

 

To the Management of ABC Company, Ltd.:

 

We have audited ABC Company, Inc.'s (ABC Company) management assertion that, during the period Xxxx xx, 2006 through Yyyy yy, 2006, it:

  • Maintained effective controls over the privacy of personal information collected in its ______________ [description of the entities and activities covered, for example "the mail-order catalog-sales operations"] business (the Business) to provide reasonable assurance that the personal information was collected, used, retained, and disclosed in conformity with its commitments in its privacy notice related to the Business and with criteria set forth in Generally Accepted Privacy Principles, issued by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants (CICA), and
  • Complied with its commitments in its privacy notice.

 

This assertion is the responsibility of management. Our responsibility is to express an opinion based on our audit.

 

Our audit was conducted in accordance with standards for assurance engagements established by the CICA. Those standards require that we plan and perform our audit to obtain reasonable assurance as a basis for our opinion. Our audit included (1) obtaining an understanding of ABC Company's controls over the privacy of personal information, (2) testing and evaluating the operating effectiveness of the controls, (3) testing compliance with ABC Company's commitments in its privacy notice and (4) performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion.

 

In our opinion, ABC Company's management assertion that, during the period Xxxx xx, 2006 through Yyyy yy, 2006, ABC Company:

 

  • Maintained effective controls over privacy of personal information collected in the Business to provide reasonable assurance that the personal information was collected, used, retained and disclosed in conformity with its commitments in its privacy notice and with criteria set forth in Generally Accepted Privacy Principles; and
  • Complied with its commitments in its privacy notice,

 

is, in all material respects, fairly stated.

 

OR

 

In our opinion, ABC Company management's assertion referred to above is fairly stated, in all material respects, in conformity with ABC Company's privacy notice and with criteria set forth in Generally Accepted Privacy Principles.

 

Because of inherent limitations in controls, error or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that the validity of such conclusions may be altered because of changes made to the system or controls, the failure to make needed changes to the system or controls, or a deterioration in the degree of effectiveness of the controls.

 

[Name of CA firm]

[City, Province]

Chartered Accountants

[Date]

 


 

Illustrative Management Assertion

 

During the period Xxxx xx, 2006 through Yyyy yy, 2006, ABC Company, in all material respects:

 

  • Maintained effective controls over the privacy of personal information collected in our _________ business [description of the entities and activities covered, for example "the mail-order catalog-sales operations"] (the Business) to provide reasonable assurance that the personal information was collected, used, retained and disclosed in accordance with our commitments in the privacy notice related to the Business and with the criteria set forth in Generally Accepted Privacy Principles, issued by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants, and
  • Complied with our commitments in our privacy notice.


Copyright © 2006 by the American Institute of Certified Public Accountants, Inc., New York, New York. All rights reserved.