Why I Hate Being An Internal Auditor… October 16, 2011

Posted by Audit Monkey in The Joy & Pain of Internal Audit, The State of the British Nation.

For the past couple of months I’ve been quite comfortable in my own skin being an Internal Auditor. At some point this was likely to end but I wasn’t quite sure when, or what was likely to precipitate the mood change. Well, the change happened last week and the three words that changed the mood were ‘Data Protection Act’.

For those not in the know, the Data Protection Act 1998 is a piece of legislation on the Statute Book in England & Wales which basically states that data must only be used for the specific purposes for which it was collected, that it shouldn’t be passed to third parties without the consent of the person to whom it relates (think third-party marketing from credit card applications), and that personal information should not be kept longer than necessary.

So why have I got the beef? I was in a meeting last week with a bunch of Internal Auditors and someone suggested that we audit ‘Data Protection’. Oh please. Everyone knows it’s a flaming hornet’s nest. Why? Because in certain industry sectors it’s subjective what should and shouldn’t be retained, no-one wants to be on the hook for binning the wrong things and no-one’s really that interested. It’s a real low-priority item except for the Compliance monkeys.

Based on my experience, if you go and see a firm’s Legal Department, they will flash you the Data Protection Policy, which will include the usual provisos about not leaving customer data on a train, car or plane, etc., and there will be a bland comment and nod towards retention periods. But do the in-house solicitors want to start unpicking customer records, laying down the law (no pun intended) on specific periods for the retention of records? The answer is, no. Why? Because, one, it’s a dreadfully dull subject; second, they don’t want to become that embroiled in operational matters; and third, there are bigger corporate fish to fry and legal matters to pursue.

Now, you wanna go and audit it? Oh, foxtrot oscar, foxtrot oscar. You will piss off the firm, piss off Legal, piss off Operational and everyone else into the bargain, and have sod all to show for it. Audit will look completely misaligned to the business and its ‘risks’ (if you were really that bothered…) and look like a right bunch of numpties. If no-one else wants to unpick the DPA mess, I don’t see why I should…


1. www.facebook.com - February 3, 2014

Good Why I Hate Being An Internal Auditor… | Auditmonkey’s Blog
It’s hard to find well-informed people in this particular subject,
however, you seem like you know what you’re talking about!

ITauditSecurity - February 6, 2014

I don’t remember seeing this post the first time around. Not sure how I missed it. But now that someone else commented on it, it came up on my radar….

Well, this reminds me of 2 former companies where I raised the PCI question. Everyone said, no, we don’t take credit cards, so that doesn’t apply to us. Of course, I looked anyway, and found that we were indeed subject to PCI and needed to come into compliance right away.

Was I a hero because now we could address a risk that we didn’t know we had? No, I was a nosy guy who should not have rolled away that rock. It was all my fault, not management’s, who are responsible for the risk of their operations.

Also, I’ll never forget the time we put a data loss protection unit on the outgoing internet connection during a pilot just to see if we had any problems. The first guy caught was the head of the legal department. So much for happy hunting!

2. Audit Monkey - May 4, 2014

But PCI and Data Protection in the context of the DPA are completely different. Data loss is an altogether different topic as well.
