Exam IIA-CIA-Part2
Question 288

An internal auditor is conducting an initial risk assessment of an audit area and wants to assess management's compliance with privacy laws for safeguarding customer information stored on the organization's servers. Which course of action is appropriate for this phase of the engagement?

Correct Answer: B

At the initial risk assessment phase of an audit focused on compliance with privacy laws, it would be appropriate to obtain the most current approved copies of the organization's privacy policy. This provides the auditor with a baseline understanding of the organization's stated policies and procedures regarding privacy and customer data protection. It allows the auditor to compare these policies against relevant privacy laws and regulations to identify any discrepancies or areas of potential noncompliance. Engaging a specialist or consulting legal counsel may be actions taken in later stages if more detailed, specialized knowledge or interpretation is required.

Discussion
8aaab27
Option: B

B makes sense for “initial assessment”