Frequently asked questions about FAR, surveys and data
Confidentiality
How anonymous is the survey?
An essential element of the research data processing process is to ensure that the data is de-personalized, transformed, and that data cannot be identified with the auditor, the audited client, the audit firm, or its personnel. The FAR processes are based on the principles of privacy by design and privacy by default.
Who within the firm will be able to see my answers? Why?
Nobody of your firm will be able to see your responses, nor will they know your identity.
Only the research team involved will be able to analyze the anonymized data on an aggregated level. This is important as to get as honest answers as possible and to create a safe environment to speak about your experiences. All data (after anonymization and transformation) are only available in FAR’s secure information environment, so the research team does not have direct access to the data on their local computer, but only in the separated and secured research environment.
What guarantee do I have that the information provided by me will not be seen by others within my company? Or will not be made available to others?
Good question, you must be an auditor, good job! Please refer to our ISAE 3000 type II assurance report which is audited by BDO and is available at your FAR Liaison: ISAE 3000 type II report.
Will the researchers be able to trace back my answers to me? / Can my answers be traced back to me?
No, the researchers will only get access to anonymized and transformed information. Researchers will only be able to analyze the anonymized data on an aggregated level. The researchers do not have any interest in identifying you, they are only interested in the outcome to the research question. Furthermore, all personnel involved at CentERdata, FAR and the research team is under a strict non-disclosure agreement. All data (after anonymization and transformation) are only available in FAR’s secure information environment, so the research team does not have direct access to the data on their local computer.
Who will have access to the answers I will provide?
The research team gets access to the anonymized answers you provide after CentERdata and FAR performed a confidentiality check to safeguard that the data does not hold identifying information. All identifying information is removed / replaced before any data is provided to the research team. This check on identifying information is performed by designated central key personnel of CentERdata and FAR. No personal information whatsoever will be provided. All data (after anonymization and transformation) are only available in FAR’s secure information environment, so the research team does not have direct access to the data on their local computer.
What guarantee do I have that only FAR employees and researchers connected to FAR will be able to use the data from this survey?
The data are in FAR’s separated secured research environment. This environment has strict data access policies, all personnel involved have signed NDA’s, CentERdata personnel all have certificates of good conduct (VOG’s) and access rights are reviewed quarterly by FAR’s management. The research the environment has been subject of several voluntary pen-tests and part of the research infrastructure is subjected to a voluntary pen-test every year. Please refer to our ISAE 3000 type II assurance report which is audited by BDO and is available at your FAR Liaison if you should have further questions.
What type of analysis/analyses will be performed based on the answers I provide in the survey? / How will my answers be used?
This depends on the research question of the project. For the most part data will be analyzed on an aggregated level such as an audit team, office, firm, or profession as a whole. Researchers will only receive Unique Anonymized IDs to safeguard your full anonymity through FAR’s trusted service provider CentERdata.
I have received a personal reminder e-mail, does this mean my personal information is known to the researchers?
No. There is a strict segregation of duties between the research team, the audit firm, FAR and CentERdata. CentERdata is the intermediate party to ensure data confidentiality, so only CentERdata has the e-mail address for the purpose of distributing the survey only. Not even the FAR team has your e-mail address. FAR and the research team will only have access to fully anonymized respondents’ IDs that cannot be traced back to any individual. Nor will anybody else but the researchers and designated FAR staff be able to see any responses or research data.
How will personal information be kept confidential?
By anonymization: The anonymization of the CentERdata Anonymization Tool results in a non-traceable hash key for every entered variable. Furthermore, all data is reviewed by FAR and CentERdata on confidentiality before any data is placed on the research environment where the research team can access the data. FAR has European Privacy Guideline (GDPR) guided DPA’s in place with all relevant parties in the data processing process.
Who is funding this survey?
All FAR research projects are co-funded by academic institutions (universities) and the affiliated audit firms. FAR, CentERdata, the researchers and the affiliated audit firms in their collaboration with FAR comply with the Dutch scientific code of conduct (VSNU).
In addition to that, FAR received generous financial support from Stichting Accountantsfonds (donor).
For a list of affiliated audit firms and donors refer to: https://foundationforauditingresearch.org/en/governance-and-organization/affiliated-firms-and-donors/
Data security
What assurance do I have that the data is stored safely?
Good question, you must be an auditor, good job! Please refer to our ISAE 3000 type II assurance report which is audited by BDO and is available at your FAR Liaison.
How will my information be protected? / How do I know my information is safe?
All parties involved entered into Data Processing Agreements. In this agreement we agreed to treat all data in line with data protection laws and regulations, e.g., for safeguarding a legitimate and correct processing of personal data (i.e. data privacy). Key for these measures is that all data processing will be conform ISO 27001 and all data processing, except for the research results, will take place on secured CentERdata virtual servers at the Dutch ISO 9001 and ISO 27001 certified cloud service provider. All virtual servers involved will be solely used for FAR purposes and will only be accessible by authorized FAR approved CentERdata personnel.
We have several (internal) controls in place to ensure data protection. One of those is that we subject a part of the research environment to an ethical hack (pen-test) to discover vulnerabilities yearly. For further information, please refer to: Please refer to our ISAE 3000 type II assurance report which is audited by BDO and is available at your FAR Liaison.
What assurance do I have that the anonymization procedure regarding my personal information is performed correctly?
We love assurance too! For that reason, we performed several tests of the CentERdata Anonymization Tool together with affiliated audit firms and external (data security) experts.
Furthermore, we review the data on identifying information before the researchers team get access to this on the secured sever environment, from which they cannot download or copy the data. In addition to that we subject a part of the research environment to an ethical hack at least once a year. To provide you and the affiliated audit firms with assurance that we comply with these procedures, we prepared an ISAE 3000 type II assurance report audit, which is audited by BDO and is available at your FAR Liaison.
Practical information
I was not involved in the (audit) engagement the survey is referring to.
When this is the case, please contact the CentERdata contact mentioned in the invitation/reminder e-mail and ask to be removed from the mailing list for this project due to this reason.
I cannot find my login credentials to the secured survey environment. Can you help me?
Please contact the CentERdata employee mentioned in the invitation/reminder e-mail, he/she will provide you with new credentials.
Can I save an active survey to complete it later?
Yes, the survey system automatically saves your progress.
How personal is my personal invitation link to the survey?
It is important that only you use the link in the invitation. These links should thus not be shared as to secure personal confidentiality and ensure that the right people fill in the right survey
Who can I contact if I have questions that are not addressed in this Q&A?
Our general e-mail address is: info@foundationforauditingresearch.org