Auditing Section Research Summaries Space

A Database of Auditing Research - Building Bridges with Practice


    Privacy Auditing Standards
    research summary posted June 15, 2016 by Jennifer M Mueller-Phillips, tagged 01.0 Standard Setting, 01.02 Changes in Audit Standards
    Practical Implications:

    This paper plays the vital role of beginning the conversation on privacy audit standards. From this starting point, further research can examine the effectiveness of privacy audits, problems with privacy audits, differences in effectiveness between audit providers, whether more extensive regulation tends to increase or decrease the use of international best practice in privacy audits, the causes and effects of privacy breaches studied with other research methodologies, and the effect of privacy audit fees on privacy audits, to name only a few topics.


    Toy, A. and D.C. Hay. 2015. Privacy Auditing Standards. Auditing: A Journal of Practice and Theory 34(3): 181-199.

    Keywords: privacy audits, information privacy, data protection, international comparability, assurance services
    Purpose of the Study:

    Privacy of personal information has been an issue of rising importance in the 21st century, especially after the revelations by Edward Snowden regarding the collection of certain data about the telephone and Internet activities of ordinary citizens. Regulators have also imposed fines for privacy violations, which has led to privacy audits being increasingly adopted as a response to privacy problems. This paper examines the extent to which the standards used in privacy audits conducted by various privacy auditors have converged. The authors' position is that generally accepted criteria would improve the usefulness of privacy audits: users could assess the relevance of a privacy audit to entities operating across different countries and compare it with privacy audits performed in other countries. If consistent standards are not developed, it falls on the user to adjust his or her understanding of the findings in an audit report to account for the technical differences between the standards used in different privacy audit reports. Within this paper, the authors propose a set of fundamental principles for information privacy that could serve as suitable criteria for privacy audits.

    Design/Method/Approach:

    To illustrate the need for consistency among privacy audits, the authors assess 30 privacy auditing reports from five countries, examining their consistency with one another and with the fundamental principles the authors propose.

    • The authors find that of the 30 audit reports analyzed, two applied four of the suitable fundamental privacy principles.
    • Sixteen of the audit reports did not apply any of the fundamental privacy principles. This may have legitimate causes: the scope of these audits is often set by the legal mandate under which a particular country requires a privacy audit to be conducted.
    • The fundamental principles of Legitimacy and Respect for Context were not used as criteria in any of the audit reports.
    • Although some standards embody aspects of the fundamental principle of Respect for Context, the broad definition of this principle as a fundamental principle is not captured in its entirety by the national legislation in any of the countries from which audit reports were sourced.
    • Overall, there is significant divergence between the standards used by different privacy audits.