Data Protection

Since the onset of the Covid-19 pandemic, many auditors and their clients have been working remotely, resulting in much more client data being exchanged on technological platforms. Not all platforms are secure, which creates a greater threat of data security breaches. The damage caused by data breaches is unpredictable and audit firms may incur considerable losses in this regard. Audit firms should, therefore, take all the necessary steps to protect the data they process, including personal information processed, in terms of the Protection of Personal Information Act, 2013.

Professional requirements

The International Standard on Quality Control 1 (ISQC 1) requires audit firms to establish policies and procedures that are designed to maintain the confidentiality, safe custody, integrity, accessibility and retrievability of engagement documentation.

Similarly, the International Standard on Quality Management 1 (ISQM 1) requires that engagement documentation be appropriately maintained and retained, which may involve the use of IT applications. The integrity of engagement documentation may be compromised, if it is altered, supplemented, or deleted without authorisation, or if it is permanently lost or damaged.

The IRBA Code requires auditors to respect the confidentiality of information acquired because of professional and business relationships.

The Protection of Personal Information Act, 2013, requires responsible parties to have the necessary security measures in place to ensure the integrity and confidentiality of personal information, and to report any security compromises.

Threats to data security

Possible threats to the protection and retention of client data include:
• Outdated software, leading to increased vulnerability to data breaches, or system failures resulting in data losses
• Data breaches caused by employees using personal devices for business purposes, where personal devices may lack the security features required
• Use of unauthorised software and applications with weak security features
• Weak passwords and using the same password for multiple access points, making it easier for attackers to gain access to data
• Not properly formatting decommissioned IT assets that are resold or reused, leading to unauthorised access to confidential client data
• Employees leaving the firm while still having access to confidential client data, leading to unauthorised access or permanent data loss
• Exchanging sensitive data with clients by email, thereby exposing the audit firm to malware attacks, such as ransomware attacks to steal data in transit
• Using cloud-based computing and remote access of data without using encrypted connections, thereby increasing the risk of data security breaches
• Intentional or unintentional destruction of physical data storage facilities, resulting in data losses.

Mitigating the threats

Audit firms should establish quality objectives that take into account recognised frameworks in developing policies and procedures on data protection and retention, and consider strategic documentation and operational elements when doing so. Key questions to take into consideration when processing client data (including personal information) are:
• Do engagement letters, terms and conditions, and other contracting documents contain the relevant clauses regarding data protection and security?
• Are the tools and technology used for the processing of data secure, and compliant with the standards and legislation?
• Can the processes and controls that are in place be demonstrated to regulators, authorities and clients?
• Are there adequate policies and procedures in place to ensure the protection of data from the point of collection to destruction?
• Are the processes, controls, and procedures frequently reviewed and tested?
• Has training been provided to all employees regarding the protection and retention of client data?
• Is there a response plan, if a data breach should occur?
• Are third parties/service providers aware of data protection controls and do they have sufficient controls?
• Are there adequate resources engaged by the firm to proactively monitor, and maintain data security processes and controls?

In summary

Audit firms need to ensure that they have sound policies and procedures in place for data protection and retention. LEAF can assist firms by reviewing policies, providing practical advice and training staff on the new requirements.

References

1. IAASB: International Standard on Quality Control 1 (ISQC 1), Quality control for firms that perform audits and reviews of financial statements, and other assurance and related services engagements
2. IAASB: International Standard on Quality Management 1 (ISQM 1), Quality management for firms that perform audits or reviews of financial statements, or other assurance or related services engagements
3. IRBA Code of Professional Conduct for Registered Auditors (Revised November 2018)
4. IRBA Staff Audit Practice Alert 6: Protection and Retention of Client Data, September 2021s
5. Protection of Personal Information Act, 2013