Question 643 - CISA discussion

Which of the following is MOST important to determine when conducting an audit of an organization's data privacy practices?

A. Whether a disciplinary process is established for data privacy violations
B. Whether strong encryption algorithms are deployed for personal data protection
C. Whether privacy technologies are implemented for personal data protection
D. Whether the systems inventory containing personal data is maintained

Suggested answer: D

Explanation:

Answer D is correct because the most important thing to determine when conducting an audit of an organization's data privacy practices is whether the systems inventory containing personal data is maintained. A systems inventory is a list of all the systems, applications, databases, and devices that store, process, or transmit personal data within the organization. Maintaining a systems inventory is essential for data privacy because it helps the organization to identify, classify, and protect the personal data it holds, as well as to comply with the relevant privacy laws and regulations. A systems inventory also enables the organization to perform data protection impact assessments (DPIAs), issue data breach notifications, respond to data subject access requests, and apply data retention and disposal policies.

The other options are not as important as option D. Whether a disciplinary process is established for data privacy violations (option A) is a policy issue that may deter or sanction the employees who violate the data privacy rules, but it does not directly affect the data privacy practices of the organization. Whether strong encryption algorithms are deployed for personal data protection (option B) is a technical issue that may enhance the security and confidentiality of the personal data, but it does not address the other aspects of data privacy, such as accuracy, consent, and purpose limitation. Whether privacy technologies are implemented for personal data protection (option C) is also a technical issue that may support the data privacy practices of the organization, but it does not guarantee that the organization follows the best practices or complies with the applicable laws and regulations.

IS Audit Basics: Auditing Data Privacy

Best Practices for Privacy Audits

ISACA Produces New Audit and Assurance Programs for Data Privacy and Mobile Computing

asked 18/09/2024
Everardo Gonzalez