The following post is intended to explain some of the IT audit standards, control processes and associated laws and regulations currently used in Canada. A 2012 study showed that only 16% of Canadian businesses were unaware of privacy or security-related standards, so we could say that Canadian IT companies have moderate to high awareness of the compliance standards.
Note: This article is a work in progress.
IT Audit Standards used in Canada
These are some of the standards used to ensure the security of private and other sensitive information.
- PCI DSS (The Payment Card Industry Data Security Standard) is a security standard created by the credit card brands to ensure secure handling of credit card related information. Initially, the credit card companies such as Visa, Mastercard and American Express each produced their own security standards: Mastercard created SDP and Visa used CISP. However, in 2005 all major credit card brands unified under a single PCI DSS framework, a set of security compliance standards used for auditing and certifying those IT organizations that receive, transmit, store or in any way process and communicate credit card information. While PCI compliance is the golden rule in Canada, it needs to be stated that “PCI compliance is a minimum standard, and most companies regularly do much more than required by PCI.” (Cheney, 2010).
- ISACA, formerly the Information Systems Audit and Control Association, is the gold standard for IT Audit in the world. The organization has existed since 1969 and currently has 140,000 members in 180 countries worldwide. ISACA is well known among IT Auditors here in Canada, especially through its local ISACA Chapters, which do their best to raise awareness of IT governance, control and security, as well as professional development in this specific area of IT. “Control Association (ISACA) is a tool for IT governance” (Kang, Lee and Kim, 2010). In Canada, ISACA has chapters in Alberta (Calgary & Edmonton), Atlantic Provinces, British Columbia (Vancouver & Victoria), Manitoba (Winnipeg), Quebec (Montreal & Quebec City), Saskatchewan (Regina) and Ontario (Ottawa & Toronto). I want to note here that the Toronto chapter was established in 1977 and is just celebrating its 40th anniversary. According to ISACA’s website, the Toronto Chapter “is one of the most active ISACA chapters serving IT Governance, Risk, Audit, and Security professionals. It has over 2,500 members and is the largest chapter in Canada and the 5th largest in the world.” (Isaca.org, 2017). As far as ISACA certification goes, the University of Toronto School of Continuing Studies Strategic Education collaborates with the ISACA Toronto Chapter to support the development of two professional development certificate programs that are broadly aligned to the domains of CGEIT and CISM: SMEIT (Strategic Management of Enterprise IT) and Cyber Security Management.
There are numerous mentions of ISACA in published papers, some of them going back to 2004, such as the paper titled ‘The evolution of IT auditing and internal control standards in financial statement audits’, where the authors mentioned that “ISACA is considering to address future standards, guidelines, and procedures, such as business‐to‐business e‐commerce reviews, business intelligence, business process re‐engineering, capacity review, communication scenarios, computer forensics, customer relationship management, data mining” (Yang and Guan, 2004). Fast forward to 2017, and business intelligence and data mining are without a doubt tools and areas of computing that almost every business is leveraging today. That said, it’s good to see that the ISACA community is known to look ahead, and I would highly recommend that all IT Auditors located in Canada explore ISACA membership benefits as well as consider the Cyber Security and Strategic Management certificates currently offered through ISACA’s collaboration with the University of Toronto.
- PIPEDA (Personal Information Protection and Electronic Documents Act) was established in 2004, and it is a privacy standard mandated by Canada’s federal government. PIPEDA sets the ground rules for collecting personal information in a Canadian corporate environment and “regulates the collection, use, and disclosure of personal information” (Austin, 2006).
- ISO 27001 is a globally recognized management framework, also used in Canada, to assure the security and preservation of business-critical information.
- Service organization report standards such as SOC 1, SOC 2 and SOC 3, and internal control standards such as the Sarbanes-Oxley Act (SOX).
IT Auditor Requirements and Roles
An IT Auditor needs to be able to interpret the local compliance laws and translate that knowledge into a compliance plan with logical timelines: a plan that is achievable, yet ensures company-wide compliance readiness and continuous compliance with regulations. IT Auditors also partake in various activities, such as monitoring the compliance level, participating in improvement activities, facilitating gap assessment workshops, or collaborating with third-party companies (or inspecting authorities) that perform external compliance audits. In my experience, the goal for an IT auditor is to efficiently transfer the knowledge of the compliance laws to all IT groups, and to be the champion of change within all departments of the organization. Since the rules and regulations vary between Canada and the United States, one of the most critical roles of an ITC (IT Compliance) Auditor operating in Canada is to understand the Canada-specific compliance requirements (such as PIPEDA).
As I cannot cover the certification process of all compliance standards, I’ll illustrate the ISO 27001 6-step certification process (Figure 1), because it is most similar to other Audit and Certification processes.
Figure 1 – ISO 27001 Certification Process (2017)
IT Control and Audit Process in Canada vs. United States
Canada’s IT Control and Audit process is nearly the same as in the United States. One of the most notable differences is in the area of Canadian privacy laws, where the privacy of collected information is governed by PIPEDA, instead of HIPAA (Health Insurance Portability and Accountability Act) used in the USA.
Cheney, J. S. (2010). Heartland Payment Systems: lessons learned from a data breach.
Austin, L. M. (2006). Is Consent the Foundation of Fair Information Practices? Canada’s Experience Under PIPEDA. University of Toronto Law Journal, 56(2), 181-215.
ISO 27001 (2017). Cambridge Risk – ISO 27001. [online] Available at: http://www.cambridge-risk.com/overview-of-bcm/our-services/iso-27001/ [Accessed 18 Nov. 2017].