Personally Identifiable Information PII Audit/Assurance Program

The Personally Identifiable Information (PII) audit/assurance review will:

• Provide management with an assessment of PII policies and procedures and their operating effectiveness.
• Identify internal control and regulatory deficiencies that could affect the organizations.
• Identify information security control concerns that could affect the reliability, accuracy and security of enterprise data due to weaknesses in network or mobile computing controls.

Because PII is typically stored in a myriad of locations, electronic and hard copy, this review will focus on:

• Policies and procedures to protect PII and other private data in any of its forms and storage locations, including the deployment and effectiveness of an organization-wide data classification scheme
• Policies and procedures relating to action needed after a breach of PII confidentiality
• Training and awareness of employees in the handling and processing of PII and data privacy

Due to the wide range of definitions of what exactly comprises PII, each organization is responsible for determining what defines PII in its jurisdiction and which statutes, industry standards, etc., are in scope for compliance.

IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the Certified Information Systems Auditor (CISA) designation and/or necessary subject matter expertise to adequately review the work performed.