Addressing emerging risks in transborder cloud computing and the protection of personal information : the role of internal auditors

Abstract

There is general consensus amongst researchers that most South African companies are not yet ready to comply with the Protection of Personal Information Act No. 4 of 2013 (the POPI Act) as they lack the necessary skills, knowledge and understanding to effect such compliance. Whilst the flow of personal information to trans border clouds is lawful according to section 72 of the POPI Act, and cloud services offer benefits such as cost savings and agility, it has been determined that companies are yet to take cognisance of the fact that there are risks associated with such transfers. Five preeminent emerging risks associated with cloud data storage include data location, security, privacy, legal compliance and the cloud service providers themselves. Because of their role as assurance providers, with knowledge about organisational strategy, processes and operations, internal auditors are found to be uniquely positioned within companies to assist effectively with risk management as required by The Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing and the corporate governance standards presented in King III. Internal auditors have been shown to be able to assist in mitigating each of the five emerging risks through their effective auditing of contracts, policies, procedures and controls, which ultimately results in effective advice and assurance for boards, management and stakeholders.