Dun & Bradstreet (Australia) Pty. Ltd

Similar documents
Can the public sector deliver a zero tolerance approach to corruption risk?

James Cottrill Member of Russell Bedford International

REGISTERED CANDIDATE AUDITOR (RCA) TECHNICAL COMPETENCE REQUIREMENTS

Audit and Review Guidelines: Electricity and Gas Licences

AUDIT GUIDELINES: ELECTRICITY, GAS AND WATER LICENSING: AUDIT TEMPLATE FOR SMALLER ORGANISATIONS

IAASB Main Agenda (December 2004) Page Agenda Item

Commonwealth Bank of Australia

Continuing Professional Development (CPD) Requirements for New Zealand Licensed Auditors

Student RPL/RCC Information Kit

International Standard on Auditing (UK) 220 (Revised June 2016)

2016/17 Report to the Minister for Energy on the Economic Regulation Authority s compliance

Bluewaters Power 1 Pty Ltd

Glasgow Caledonian University Internal Audit Annual Report for the year ended 31 July 2008

Auditing Standard ASA 210 Agreeing the Terms of Audit Engagements

Review of agreed-upon procedures engagements questionnaire

Returned & Services League of Australia (Queensland Branch) State Congress Governance Presentation

CPA REVIEW SCHOOL OF THE PHILIPPINES M a n i l a. AUDITING THEORY Risk Assessment and Response to Assessed Risks

Terms of Audit Engagements

For personal use only

Grant Thornton s annual report on the HCPC s governance, risk management and internal control systems is attached.

AUSTRALIAN GAAS 2007 AUDITING STANDARDS CHECKLISTS

APES 305 TERMS OF ENGAGEMENT

Risk culture. Building great organisations and growing your foundation for success CAPABILITY STATEMENT 2016

1. OBJECTIVE 1.1 This Charter outlines the roles and responsibilities of the Board.

INTERNATIONAL STANDARD ON AUDITING 260 COMMUNICATION WITH THOSE CHARGED WITH GOVERNANCE CONTENTS

STANDARD ON INTERNAL AUDIT (SIA) 7 QUALITY ASSURANCE IN INTERNAL AUDIT *

Staffordshire Police. Data Protection Audit Report. Executive Summary

Parliamentary and Health Ombudsman. Data protection audit report

Auditor regulation and oversight plan June For the three years ending 30 June 2018

IAASB CAG Public Session (March 2018) CONFORMING AND CONSEQUENTIAL AMENDMENTS ARISING FROM DRAFT PROPOSED ISA 540 (REVISED) 1

Terms of Engagement 105. Source: SAS No Effective for audits of financial statements for periods ending on or after December 15, 2012.

National Grid Electricity Transmission plc Balancing Mechanism Review

Quality Control Systems and Engagement Files Monitoring and Inspections the Protocol

Independent Assurance Practitioner s Report on the pro forma 25 October 2015 balance sheet to satisfy ASX listing requirements

GUIDANCE NOTE FOR DEPOSIT TAKERS (Class 1(1) and Class 1(2))

Invitation to Tender. External Audit Services. July 2015

Alinta Sales Pty Ltd

Information Collection & Privacy Policy

NATIONAL AUSTRALIA BANK LIMITED ACN BOARD RISK COMMITTEE CHARTER

Glasgow Caledonian University. Internal Audit Annual Report 2013/2014

The Audit Plan for London Borough of Barnet

Board committees. Role of the board

Chelsea & Westminster Hospital NHS Foundation Trust. Data protection audit report

Performance Auditing

IAASB Main Agenda (July 2007) Page Agenda Item

SRI LANKA AUDITING STANDARD 260 COMMUNICATION WITH THOSE CHARGED WITH GOVERNANCE CONTENTS

Review of Compliance. Review completed 30 June 2015 Unclassified summary released October 2015

Securing the Future - RSL (Queensland Branch) Governance Model Final Report December 2017

CLIENT ALERT: INTERNAL CONTROL OVER FINANCIAL REPORTING

The General Data Protection Regulation (GDPR)

Guidance Note: Corporate Governance - Audit Committee. March Ce document est aussi disponible en français.

Annexure B Section 22

Guidance Note: Corporate Governance - Audit Committee. January Ce document est aussi disponible en français.

Comments to be received by 30 June 2005

Clime Capital Limited CORPORATE GOVERNANCE STATEMENT. This statement has been approved by the board of directors and is current as at 15 August 2018.

Online Store Application Form

Loch Lomond and The Trossachs. National Park Authority. Review of Internal Controls 2015/16. Prepared for Loch Lomond and The Trossachs.

Introduction. Key points of the recent ODPC guidance, and the Article 29 working group guidance

INTERNATIONAL STANDARD ON AUDITING 210 TERMS OF AUDIT ENGAGEMENTS CONTENTS

EXPLANATORY GUIDE Au6 Applying PES 3 Proportionately with the Nature and Size of a Firm Issued February 2013

Standard on Quality Control (SQC) 1. Presentation to the ICAI January 18, 2014

For personal use only

Audit committee charter

AUSTRALIAN ETHICAL GOVERNANCE FRAMEWORK. Version 3.0

International Standard on Auditing (UK) 600 (Revised June 2016)

IMB Financial Planning CPD and Training Policy

ISQC1 - Quality controls for audit firms

Detailed competency map

attending quarterly formal liaison meetings with ASIC and undertaking separate interaction on specific issues.

Standard on Assurance Engagements ASAE 3500 Performance Engagements

Joint Audit Plan for Devon and Cornwall Police and Crime Commissioner and Chief Constable

Commonwealth Bank of Australia

General Data Protection Regulation ( GDPR ) National Care Forum How Boards Manage GDPR Compliance & Risks. By Meena Lekhi, Associate

Invitation to Tender. Development Legal Services. August 2015

Annual Regulatory Compliance and Quality Report. Grant Thornton UK LLP June 2015 Audit 2014/15

INVITATION TO TENDER (ITT) TENDER RETURN DATE AND TIME (DEADLINE): 12 APRIL pm

Financial Reporting Council BDO LLP AUDIT QUALITY INSPECTION

Our mission is to promote transparency and integrity in business. We monitor the quality of UK Public Interest Entity audits. We have responsibility f

INTERNATIONAL STANDARD ON AUDITING (NEW ZEALAND) 210

1. Membership of the Committee

Audit & Risk Committee Charter

INTERNATIONAL STANDARD ON ASSURANCE ENGAGEMENTS (NEW ZEALAND) 3402

Electricity Networks Corporation (t/a Western Power)

Independent auditor's report

Benchmarking of audit regime against audit best practices

United Lincolnshire Hospitals NHS Trust. Governance Statement 2015/16. Scope of responsibility. The governance framework of the organisation

Internal Audit Charter

City and County of San Francisco Municipal Transportation Agency (MTA)

The Contribution of NSW Community Service Organisations

Audit and Risk Management Committee Charter

Assistance Options to New Applicants and Sponsors in connection with Internal Controls over Financial Reporting

Memo. Date: October 2018 INTRODUCTION

Wesfarmers Kleenheat Gas Pty Ltd. Gas Trading Licence (GTL10) 2016 Performance Audit (Independent Assurance) January 2017 report

IAASB Main Agenda (September 2004) Page Agenda Item PROPOSED REVISED INTERNATIONAL STANDARD ON AUDITING 540

Case Report from Audit Firm Inspection Results

Alinta Energy Transmission (Roy Hill) Pty Ltd

The implications of the EU General Data Protection Regulation 2016 for ICT Disposal

ACC 269 Auditing and Assurance Services

Agreeing the Terms of Audit Engagements

Sharing experiences on audit quality. A selection of ideas and initiatives intended to assist the promotion of consistent audit quality in Australia

Transcription:

Dun & Bradstreet (Australia) Pty. Ltd Independent review of compliance with Part IIIA of the Privacy Act 1988, the Privacy Regulations 2013 and the Privacy (Credit Reporting) Code 2014 External Report 30 June 2017 kpmg.com.au

Inherent Limitations As set out in our Engagement Letter dated 29 May 2017 ( Engagement Letter ), KPMG has undertaken an independent review of compliance with Part IIIA of the Privacy Act 1988, the Privacy Regulations 2013 and the Privacy (Credit Reporting) Code 2014 (collectively the Privacy Requirements ), for Dun and Bradstreet (Australia) Pty. Ltd (D&B), as required in accordance with paragraph 24.2 of the Privacy (Credit Reporting) Code 2014, ( the Engagement ). The services provided in connection with the Engagement comprise an advisory engagement, which is not subject to assurance or other standards issued by the Australian Auditing and Assurance Standards Board and consequently no opinions or conclusions intended to convey such assurance have been expressed. As part of the Engagement we have delivered an External Report to D&B, providing a summary of the findings set out in our Internal Report dated 30 June 2017. This document is the External Report ( this Report ) and contains our key findings. Our detailed findings for management purposes are contained in our Internal Report dated 30 June 2017. No warranty of completeness accuracy or liability is given in relation to the statements and representations made by, and the information and documentation provided by D&B or D&B management and personnel consulted as part of the process. The information and conclusions set out in this Report have been extracted from our Internal Report dated 30 June 2017. KPMG has not, and is not obliged, to undertake any procedures in relation to, or update this Report for events occurring subsequent to 30 June 2017 that may be relevant to this Report. Due to the inherent limitations of any internal control structure, it is possible that fraud, error or non-compliance with laws and regulations may occur and not be detected. Further, the internal control structure, within which the control procedures that have been subject to the procedures we have performed, has not been reviewed in its entirety, and therefore, no opinion or view is expressed as to the effectiveness of the greater internal control structure. The procedures performed were not designed to detect all weaknesses in control procedures as they were not performed continuously throughout the period and the tests performed on the control procedures were performed on a sample basis. Any projection of the evaluation of control procedures to future periods are subject to the risk that the procedures may become inadequate because of changes in conditions, or that the degree of compliance with them may deteriorate. The observations contained within this Report have been formed on the above basis. Third Party Reliance This Report has been prepared solely for the purpose set out in Section 2 and for D&B s information, and is not to be used for any other purpose or distributed to any other party without KPMG s prior written consent. This Report has been prepared at the request of D&B in accordance with the terms of KPMG s Engagement Letter dated 29 May 2017. Other than our responsibility to D&B, neither KPMG nor any member or employee of KPMG undertakes responsibility arising in any way from reliance placed by a third party on this Report. Any reliance placed is that party s sole responsibility. In that regard, we consent to this Report being released to the OAIC on the basis set out in our Engagement Letter. We disclaim any assumption of responsibility by KPMG to any person other than D&B, or for any use of this Report for any purpose other than that for which it was prepared. The definitive version of this Report is the one bearing our original signature and D&B management is responsible for any errors or in accuracies appearing in any reproduction in any form or medium.

Contents 1. Introduction 1 2. Background 1 3. Scope and Approach 1 4. Overall Conclusion 2 i

1. Introduction As set out in our Engagement Letter dated 29 May 2017 ( Engagement Letter ), KPMG has undertaken an independent review of compliance with Part IIIA of the Privacy Act 1988, the Privacy Regulations 2013 and the Privacy (Credit Reporting) Code 2014 (collectively the Privacy Requirements ), for Dun and Bradstreet (Australia) Pty. Ltd (D&B), as required in accordance with paragraph 24.2 of the Privacy (Credit Reporting) Code 2014, ( the Engagement ). As part of the Engagement we have delivered an External Report to D&B, providing a summary of the findings set out in our Internal Report dated 30 June 2017. This document is the External Report ( this Report ) and contains our key findings. Our detailed findings for management purposes are contained in our Internal Report dated 30 June 2017. 2. Background In accordance with paragraph 24.2 of the Privacy (Credit Reporting) Code 2014 (Version 1.2) ( CR Code ), every 3 years (or more frequently, if the Commissioner requests) a Credit Reporting Body ( CRB ) must commission an independent review of its operations and processes to assess compliance by the CRB with its obligations with the Privacy Requirements. In addition, the CRB must consult with the Commissioner as to the choice of reviewer and scope of the review. This Report and the CRB s response to this Report must be provided to the Commissioner and made publicly available. D&B engaged KPMG to undertake the independent review of the design and operating effectiveness of its Privacy Framework for compliance with the Privacy Requirements. This review is necessarily a point in time review focusing on the Privacy Framework of the D&B credit reporting business entity. This Report, for completeness, recognises through management comments and our observations, the ongoing changes and improvements the business is making in order to ensure ongoing compliance with their obligations. 3. Scope and Approach The scope of the Engagement is agreed as follows: Perform a Governance, Policy and Process assessment to gain an understanding of the Privacy Framework implemented by D&B to comply with the Privacy Requirements. Review and testing of process controls against the Privacy Framework. Prepare a final report to present findings and observations in accordance with the obligations under the Privacy Requirements (collectively, Scope). 1

In light of the Scope, a summary of the approach is as follows: We reviewed copies of documents provided by D&B and made further enquiries of D&B management and personnel as required. We conducted interviews with members of D&B management and personnel in order to understand the level of awareness and how D&B s Privacy Framework is applied in practice. We undertook on-site walk throughs of key processes and controls and areas identified by management for continuous improvement and action. Our observations set out in this Report should be considered in this context. 4. Overall Conclusion We acknowledge the cooperation that has been provided by D&B in our preparation for this report and throughout the course of our review. Based on the work performed during the Engagement, we make the following observations: We consider that the relevant D&B management and personnel have a strong understanding of D&B s Privacy activities, designed to manage D&B s compliance with the Privacy Requirements. There is a strong appetite within D&B management to be compliant with the obligations of CRBs, with the Privacy Requirements and a recognition of the importance of individual responsibilities in applying D&B s Privacy Framework as designed. We have evidenced a strong tone from the top regarding the importance of applying D&B s Privacy Framework effectively and managing D&B s ongoing Privacy compliance obligations. We recognise that D&B has been proactive in engaging in initiatives to strengthen their Privacy Framework. We consider that appropriately qualified and experienced people have been appointed into the key roles within D&B s Privacy Framework. These individuals have displayed the right mindset, level of influence and desire to apply D&B s Privacy Framework. Whilst we observed there is a key person risk associated with several key roles in D&B s Privacy Framework, we note management s awareness of this risk and the appropriate focus on the documentation of policies and procedures in this regard. We observed that certain processes and controls supporting D&B s monitoring of Privacy compliance activities are impacted by their manual nature. We observed that the limited operationalisation of certain reporting and storage (outside D&B's primary consumer credit bureau database) procedures impacts D&B s ability to identify, assess and manage Privacy obligations. 2

We raised a number of findings during the course of the Engagement and provided associated recommendations in our Internal Report. Whilst we acknowledge D&B s ongoing journey to strengthen their Privacy Framework, we consider that by implementing these recommendations, D&B will further enhance their ability to comply with obligations under the Privacy Requirements. Given the reliance on third parties to originate credit reporting information, particularly as it relates to Privacy obligations, it is expected that CRBs may be prone to instances of noncompliance. An effectively governed CRB is therefore not expected to be a business that always avoids compliance issues, but rather a business that supports and actively promotes compliant outcomes and behaviours and responds to breaches or other compliance issues promptly and appropriately, including relevant remediation activity as required. 3

kpmg.com.au kpmg.com.au/app 4

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback