Which of the following would not be an appropriate step for an internal auditor to perform during an assessment of compliance with an organization's privacy policy?
The internal auditor's role during an assessment of compliance with an organization's privacy policy focuses on evaluating the organization's internal controls and practices. Evaluating the government's security measures related to confidential information received from the organization would fall outside the scope of the internal auditor's responsibilities, as it pertains to an external entity's practices. The other options provided involve steps that are within the realm of the internal auditor's duties, such as determining access to databases, evaluating the privacy policy, and analyzing access to confidential information.
For answer A, IA can determine who can access the database?
I think the word (determine) here means (gets to know).