Certified Internal Auditor (CIA) Part 3: Business Knowledge for Internal Auditing — Question 246
An internal auditor conducts a preliminary privacy and data protection risk assessment. Which of the following is the most essential question to start the assessment?
Answer options
- A. How does the cybersecurity unit investigate instances of data leakage or allegations?
- B. What are potential fines applicable to the organization for data protection breaches?
- C. What type of private data is collected and maintained by the organization?
- D. In what instances is data pseudonymization applied in the organization?
Correct answer: C
Explanation
The most critical question to begin the assessment is about the type of private data collected and maintained by the organization, as understanding the data types is fundamental to evaluating privacy risks. While the other options address important aspects of data protection, they do not provide the foundational knowledge needed to assess privacy and data protection risks effectively.