Protecting a new Achilles heel: the role of auditors within the practice of data protection

Abstract

Purpose Privacy concerns and data security are changing the risks for businesses and organisations. This indicates that the accountability of all governance participants changes. This paper aims to investigate the role of external auditors within data protection practices and how their role is evolving due to the current digital ecosystem. Design/methodology/approach By surveying the literature, the authors embrace a practice-oriented perspective to explain how data protection practices emerge, exist and occur and examine the auditors’ position within data protection. Findings Auditors need to align their tasks to the purpose of data protection practices. Accordingly, in accessing and using data, auditors are required to engage moral judgements and follow ethical principles that go beyond their legal responsibility. Simultaneously, their accountability extends to data protection ends for instilling confidence that security risks are properly managed. Due to the changing technological conditions under, which auditors operate, the traditional auditors’ task of hearing and verifying extend to new phenomena that create risks for businesses. Thus, within data protection practices, auditors have the accountability to keep interested parties informed about data security and privacy risks, continue to transmit signals to users and instill confidence in businesses. Research limitations/implications The normative level of the study is a research limitation, which calls for future empirical research on how Big Data and data protection is reshaping accounting and auditing practices. Practical implications This paper provides auditing standard setters and practitioners with insights into the redefinitions of auditing practices in the era of Big Data. Social implications Recent privacy concerns at Facebook have sent warning signals across the world about the risks posed by in Big Data systems in terms of privacy, to those charged with governance of organisations. Auditors need to understand these privacy issues to better serve their clients. Originality/value This paper contributes to triggering discussions and future research on data protection and privacy in accounting and auditing research, which is an emerging, yet unresearched topic.