To an internal auditor, just the term big data can elicit a sinking feeling. The challenges associated with the volume, complexity, and variety of big data can be overwhelming. The good news is, with a solid action plan, internal auditors can do more than just mitigate the risks associated with big data. Internal audit also can help exploit big data to identify and mitigate existing risks.
Big data is the collection of data sets that are so large and complex that they are difficult to process using conventional database tools. Big data comes in two flavors: structured data (e.g., data in spreadsheets and databases) and unstructured data (e.g., social media posts, emails, audio, video, and GPS data). And, of course, big data can have multiple sources. Typically, working with big data requires new technologies to identify usable business insights, trends, and correlations — often in real time.
Businesses are using big data not only to boost performance, but also to reduce risks and prevent loss. From a risk management perspective, companies can identify risks and create value by using big data in three areas: business opportunities and risks, IT governance, and internal audit opportunities and risks.
First, business opportunities result from the fact that companies have valuable data but often don’t know how to use it to gain actionable insights. Rules creation and testing, personalization of product offerings, using social media to spot consumer trends, and the ability to make data-driven business decisions all represent significant big data opportunities.
But these opportunities come with risk. For example, how does a company store personally identifiable information, and who owns it? How does it address regulatory issues and privacy breaches? What about increased exposure to reputation risk? And how should data retention, such as timing of disposals, be managed?
Big data considerations in the area of IT governance tend to focus on data-center management, specifically capacity planning and monitoring because of the massive replication of data at the software level and the need to measure performance. Of course, IT security is a tremendous concern, as are access control, penetration testing, and the quality of systems testing and processes.
Finally, internal audit opportunities and risks are centered around the security and compliance related to big data implementation, with issues such as ownership of data, authority to access, and secure access as priorities. Also, auditors exploit big data in the areas of continuous controls monitoring, access to nontraditional data sets, and regulatory compliance.
An organization’s plan for addressing these three areas will vary according to its industry, goals, and challenges. However, there is a high-level, phased-action-plan approach any enterprise can customize:
- Phase 1: Identify where data resides in the organization and the roles and responsibilities related to it.
- Phase 2: Define goals and priorities.
- Phase 3: Assess critical data issues.
- Phase 4: Identify key risk indicators (KRIs).
- Phase 5: Identify opportunities to add value.
By applying these phases to each of the three identified areas, internal auditors and risk management professionals can identify and mitigate big data risks and seize any opportunities.
An action plan for addressing IT governance, for example, should focus on the implementation team’s responsibilities in phase 1, including security, capacity planning, code writing, pinpointing the owner of specifications, and identifying internal audit’s role in the project. Phase 2 priorities should include improving system performance and test processes to reduce spurious output. Assessing available data and performing various types of testing of data sets are crucial in phase 3. In phase 4, the KRIs should be identified by addressing trending information on usage and service quality, completeness and accuracy of data, and disaster recovery capabilities. Finally, the focus in phase 5 should be on speed, indexing, and assessing storage and cloud options (private versus internal storage or public versus hybrid cloud) to create efficiencies.
The five phases often overlap and might not occur in sequence. In addition, both risk management professionals and senior management have specific tasks they must accomplish during each phase to make the plan work.
The bottom line: Auditors, risk managers, and compliance officers must work with senior management to understand and embrace big data to help identify and mitigate risks. Plus, they should take advantage of the opportunities big data offers to improve their own effectiveness. By covering risks and opportunities, they can help organizations analyze and understand big data’s potential from both a compliance perspective and a strategic and operational improvement stance.