Nymity News

Interview with CICA

December 2003

Terry McQuay, Nymity President, recently had an opportunity to interview Bryan Walker, who is responsible for the privacy initiatives at the Canadian Institute of Chartered Accountants (CICA). The CICA, together with the CA institutes/ordre, represents approximately 68,000 Chartered Accountants and 8,000 students in Canada and Bermuda. The CICA conducts research into current business issues and sets accounting, auditing and assurance standards for business, not-for-profit organizations and government. It issues guidance on control and governance, publishes professional literature, develops continuing education programs and represents the CA profession nationally and internationally. (www.cica.ca)

Nymity: What is your role at the CICA?

Walker: I am a Principal in the new services group. I have responsibility for the privacy initiatives launched by the CICA in cooperation with the American Institute of Certified Public Accountants (AICPA). I also have responsibility for the WebTrust™ and SysTrust™ programs, which also have been developed with the AICPA.


Nymity: What privacy services do your member CAs provide?

Walker: In the public interest, the CICA has launched a comprehensive privacy initiative that includes raising awareness of privacy issues, providing guidance on privacy control systems and delivering value-added privacy services. Chartered accountants can provide a range of services with respect to privacy, from advisory to full audits. In all cases, the core tool for providing these services is the AICPA/CICA Privacy Principle, Components and Criteria Framework ("The AICPA/CICA Privacy Framework").

 

Nymity: Why do you consider CAs uniquely well qualified to offer privacy services?

Walker: In many instances, a key element for an enterprise is to ensure that its systems, including its policies and procedures, are appropriate and are operating effectively. Much like a system of internal control for financial information, there should be a system of controls to ensure that the entity's privacy policies are appropriate and are met. Our traditional expertise includes advising on appropriate controls to meet identified objectives and, when appropriate, evaluating those controls to ensure that they are operating effectively. This expertise, coupled with the AICPA/CICA Privacy Framework, makes us well positioned to help organizations meet their privacy requirements.


Nymity: What does independent verification mean? What does it entail?

Walker: First, let me say that our services are not all predicated on providing "independent verification". In fact, in many cases clients often only want our assistance to ensure that their systems are "privacy compliant". But to answer your question, independent verification means the same as audit. A member will express an objective opinion as to whether the entity has met the assertions made by management, for example, that it meets the privacy principles and criteria of the AICPA/CICA Privacy Framework.


Nymity: How many of your member CAs provide privacy services?

Walker: It is difficult to say since we do not have a reporting mechanism to determine the exact number. We are aware that the major accounting firms are providing privacy services to their clients and there are several small firms who are taking a leading position on the topic of privacy.


Nymity: How can I find a CA that is a privacy expert?
Walker: I suggest that an organization talk with its auditor to determine his or her experience with the CICA's privacy initiative.


Nymity: How does an organization decide when to use a privacy consultant, CA, or privacy lawyer?

Walker: In many cases, if not most, it is not a case of one or the other. Each has expertise that is relevant to solving the organization's privacy concerns. For example, we recommend that organizations use privacy lawyers to ensure that their privacy policies are appropriate for regulatory purposes. Privacy experts can also be used to provide insights into specific issues facing the organization. The CA can provide additional objective advice as well as ensure that the decisions made are appropriately followed by the entity by conducting an audit of the systems. In addition, the CA can apply the AICPA/CICA Privacy Framework to the organization's systems to provide an objective evaluation of those systems with respect to its privacy responsibilities.


Nymity: Will privacy examinations become part of a CA's responsibility to a client or employer?

Walker: No, privacy examinations are not, nor are they likely to become, a core part of an audit. It is a specialized area outside of the financial statements or financial information responsibilities.


Nymity: Do CAs audit organizations' privacy practices?

Walker: Yes, independent examination is a synonym for an audit. Audits of this type must be based on suitable criteria that provide a basis on which the auditor can form an opinion. The AICPA/CICA Framework provides that basis.


Nymity: Please introduce the CAs' privacy program called the WebTrust Seal of Assurance.

Walker: For approximately four years, CAs in Canada, CPAs in the United States and accountants world-wide have been able to provide WebTrust services. The WebTrust Program is a comprehensive e-business solution that provides companies with a series of e-business "best practices" designed to build trust and confidence in e-commerce. The WebTrust Program includes standards that cover Privacy, Security, Availability, Processing Integrity, and Confidentiality. Based on a successful audit to ensure that an organization has met the standards laid down for one or all of these areas, the organization is permitted to display the WebTrust mark, which is backed by the auditor's opinion. (www.cica.ca/webtrust)


Nymity: The Assurance Services Executive Committee (ASEC) of the American Institute of Certified Public Accountants (AICPA) and the Assurance Services Development Board (ASDB) of the Canadian Institute of Chartered Accountants have created a Privacy Framework. Please introduce the two Assurance Services organizations and describe their privacy mandate.

Walker: The AICPA and CICA both recognized that a CA's (or CPA's) skill and expertise often go beyond financial statements and financial information. Accordingly, a process was established at each institute that would allow the development of appropriate tools that would enable CAs and CPAs to meet a demand and would also broaden the range of services offered. To ensure that the tools, primarily the standards used as a basis for the services, were developed appropriately, the Canadian Institute of Chartered Accountants established the Assurance Services Development Board (ASDB). In the United States, the AICPA established the Assurance Services Executive Committee (ASEC). These two bodies were granted authority to issue standards for the profession in these new areas.


Nymity: Please provide us with an overview of the Privacy Framework, how it is used by a CA, and how an organization can benefit from the Framework.

Walker: The Framework incorporates concepts from significant domestic and international privacy laws, regulations, and guidelines.

The Framework contains 10 privacy components and related criteria that are essential to the proper protection and management of personal information. These privacy components and criteria are based on internationally known fair information practices included in many privacy laws and regulations of various jurisdictions around the world and recognized good privacy practices. The following are the 10 privacy components:

  1. Management. The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
  2. Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
  3. Choice and Consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
  4. Collection. The entity collects personal information only for the purposes identified in the notice.
  5. Use and Retention. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes.
  6. Access. The entity provides individuals with access to their personal information for review and update.
  7. Disclosure to Third Parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
  8. Security. The entity protects personal information against unauthorized access (both physical and logical).
  9. Quality. The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
  10. Monitoring and Enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.


For each of the 10 privacy components, there are relevant, objective, complete, and measurable criteria for evaluating an entity's privacy policies, communications, and procedures and controls.


Nymity: What has been the response to the Privacy Framework with CAs, Canadian private sector organizations, and the Commissioners' offices?

Walker: Strong is the word that comes to mind. Our first exposure to the markets was an introductory CD, called Solutions for Today's Privacy Issues. Included in this CD are two documents: 20 Questions Directors Should Ask about Privacy and 20 Questions Small Businesses Should Ask about Privacy. So far over 2000 of these CDs have been distributed. We have produced a number of other publications which seem to have attracted attention. (For a list and access to the documents, you can go to www.cica.ca/privacy.)

We have had very positive feedback from several of the privacy commissioners' offices, and in particular from the Ontario Privacy Commissioner's office. We hope to work with them in the future to promote the concepts of privacy. As more organizations become aware that the AICPA/CICA Privacy Framework exists, we are confident that it will become a key tool for organizations to use to build, evaluate and validate their privacy regimes.


Nymity: When do you expect the final Privacy Framework document to be completed?

Walker: The final AICPA/CICA Privacy Framework is finished. It is being translated and should be available by the middle of December.


Nymity: What makes the Privacy Framework different from complying with the 10 fair information practices?

Walker: As the outline above explains, the AICPA/CICA Privacy Framework is based on the 10 fair information practices. This Framework, however, converts or translates these broad requirements into specific criteria that are objective and measurable. By using these criteria, the organization can determine with reasonable assurance that the 10 fair information practices are being met.


Nymity: Will CAs certify an organization as compliant with privacy legislation or the framework?

Walker: The purpose of an audit is to express an opinion on whether an organization has met the criteria established by the AICPA/CICA Privacy Framework. Whether an organization is compliant with any specific privacy legislation is not within our expertise.


Nymity: Do you have any specific programs for employee privacy?

Walker: While there are no separate programs for employee privacy, the criteria in the AICPA/CICA Privacy Framework include specific references to employee privacy. Of course, these would only be applicable in situations where an organization has established or is required to establish employee privacy policies.


Nymity: In closing, what recommendations do you have for organizations that have not completed their compliance programs?

Walker: The answer is simple. Establish your policies, undergo an evaluation to establish where your organization is deficient, evaluate your systems to identify those that need to be changed, and get on with it as soon as possible.