That is despite ranking information security as the top concern in the survey of more than 80 CIOs and internal auditors at large businesses in the UK, Ireland and Sweden.
Erol Mustafa, head of IT internal audit services at Ernst and Young, said the gap was probably due to the fact that privacy is a much broader issue than IT security.
He said privacy was made up of many different parts such as appropriate policies, training, and awareness that did not normally fall under the CIO.
Mustafa said internal auditors had a role to play in working with IT to ensure data privacy was properly addressed by including it in overall risk management strategies.
He said companies also had to pay attention to data privacy requirements when negotiating outsourcing deals because they often failed to meet standards.