
GTAG — Appendix D — Compliance Frameworks — 15

complete, and relevant personal information for the purposes identified in the notice.

Monitoring and enforcement – The organization monitors compliance with its privacy policies and procedures and has processes to address privacy-related complaints and disputes.

15.8.5 Confidentiality Principle – Information designated as “confidential” is protected as committed or agreed.

The confidentiality principle focuses on information designated “confidential.” There is no widely recognized definition of confidential information, unlike personally identifiable information, which many countries currently are defining through regulation. In the course of communicating and transacting business, partners often exchange information they require to be maintained on a confidential basis. In most instances, the respective parties wish to ensure that the information they provide is available only to those individuals who need access to complete the transaction or resolve any questions that arise. To enhance business partner confidence, it is important to inform the partner about the organization’s confidentiality practices, including those for providing authorized access to, use of, and sharing of information designated as confidential.

Information that may be subject to confidentiality includes:

• Transaction details.
• Engineering drawings.
• Business plans.
• Banking information about businesses.
• Inventory availability.
• Bid or ask prices.
• Price lists.
• Legal documents.
• Client and customer lists.
• Revenue by client and industry.

Unlike personal information, there are no defined rights for accessing confidential information to ensure its accuracy and completeness. Interpretations of what is considered confidential information can vary significantly from business to business and are driven by contractual arrangements in most cases. As a result, those engaged in business relationships need to understand what information will be maintained on a confidential basis and what, if any, rights of access or other expectations an organization might have for updating that information to ensure its accuracy and completeness.

Information that is provided to another party is susceptible to unauthorized access during transmission and while it is stored on the other party’s computer systems. For example, an unauthorized party may intercept business partner profile information and transaction and settlement instructions while they are being transmitted. Controls such as encryption can be used to protect the confidentiality of this information during transmission, while firewalls and rigorous access controls can help protect the information while it is stored on computer systems.

15.8.6 Certification Authority (CA) Principle

The certification authority discloses its key and certificate life cycle-management business and information privacy practices and provides its services in accordance with these practices. This includes the concepts of CA business-practice disclosures, service integrity, and environmental controls.

The COSO Internal Control – Integrated Framework is recognized as a formal model for the purpose of Sarbanes-Oxley attestation by the SEC and provides a hierarchical categorization of controls. In addition, the audit standard from the PCAOB states:

“Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the standard are based on the COSO framework. Other suitable frameworks have been published in other countries and likely will be published in the future. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO’s general themes.”

The COSO model was refined and enhanced during 2004 through development of the COSO Enterprise Risk Management – Integrated Framework (http://www.coso.org). This appendix describes the earlier framework, which is the version referenced for regulatory compliance. Nonetheless, the CAE should investigate the Enterprise Risk Management – Integrated Framework.

16.1 COSO Definition of Internal Control

COSO defines internal control (http://www.coso.org/) as “a process, effected by an organization’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations.”

These distinct, but overlapping, categories address different needs, so each requires a directed focus. The first category addresses an entity’s basic business objectives, including performance and profitability goals and safeguarding of resources, which are impacted greatly by the use of IT. The second category relates to the preparation of reliable published financial statements, including interim and condensed financial statements, as well as earnings releases and other selected publicly reported financial data derived from such statements. IT systems frequently produce such reports, and the controls over these systems play a major part in the level of internal control.

The third category deals with complying with those laws and regulations to which the entity is subject.

Internal control systems operate at different levels of effectiveness. Internal control can be judged effective in each of the three categories if the board of directors and management have reasonable assurance that:

• They understand the extent to which the entity’s operations objectives are being achieved.

• Published financial statements are being prepared reliably.

• There is compliance with applicable laws and regulations.

Although internal control is a process, its effectiveness is a state or condition of the process at one or more points in time.

16.2 COSO Internal Control — Integrated Framework

Internal control consists of five interrelated components that are derived from the way management runs a business and are integrated with the management process. Although the components apply to all entities, small and mid-size organizations may implement them differently than large enterprises. A small organization’s controls may be less formal and less structured, yet it can still have effective internal control. The components are:

16.2.1 Control Environment

The control environment sets the tone for an organization, influencing the control consciousness of its people, establishing the foundation for all other components of internal control, and providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity’s people; management’s philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors.

16.2.2 Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives that are linked at different levels and are consistent internally. Risk assessment identifies and analyzes the relevant risks to achieving these objectives and forms a basis for determining how the risks should be managed. Because economic, industry, regulatory, and operating conditions will continue to change, organizations need mechanisms to identify and deal with the special risks associated with change.

16.2.3 Control Activities

Control activities are the policies and procedures that help ensure management directives are carried out and that necessary actions are taken to address risks to achieving these objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

16.2.4 Information and Communication

Pertinent information must be identified, captured, and communicated in a form and time frame that enables people to perform their responsibilities. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and