There are few, if any, areas of the organization that are bigger, broader, or represent more opportunity — and risk — than those related to data. Internal audit’s enterprisewide knowledge and process and risk focus are ideally suited to help elevate the organization’s data governance programs, which in many cases range from insufficient to ad hoc.
Internal audit maintains a twofold relationship with data governance. First, internal audit is a data governance stakeholder. The efficacy of the function’s assurance-related work hinges on its ability to access data, identify who uses and oversees it, distinguish its value, trust its quality, and understand how data is managed throughout its life cycle.
Second, internal audit possesses the expertise and organizational knowledge needed to promote the broader strategic value of data governance. Its point of view extends beyond whether access to data is being appropriately restricted and controlled to also examining whether the business is extracting the maximum value from its data assets. In many cases, audit teams have actively contributed to these multistakeholder improvement efforts.
Every Audit Is a Data Audit
By almost any measure, the volume of data being created, stored, and processed is rising dramatically. This creates both upside opportunity and downside danger. The need for focused attention and improvement is increasing.
Cyber breach, confidentiality and privacy, and data governance rank among the top technology risks for organizations in 2021, according to a global ISACA/Protiviti survey, IT Audit’s Perspectives on the Top Technology Risks for 2021. Each of these areas is tied directly to the organization’s data. Respondents from IT audit teams within more digitally mature organizations rate data governance as an even higher improvement priority, according to the survey of more than 7,400 IT audit and risk leaders and professionals conducted in late 2020.
In light of these findings and the importance of data governance in the organization’s broader strategy, internal audit should embrace the concept that every audit it conducts essentially is a data audit. If internal audit is not looking at data as part of its projects and engagements, it is a lost opportunity as well as a potential overlooked risk area. Among the questions auditors should ask during each engagement are:
- What data is being used to support business activities?
- What data is created, processed, transmitted, and stored?
- In which systems is data stored?
- How is data being secured?
- How is data being used to support reporting, and is the quality, availability, and accessibility sufficient?
Addressing these areas can be difficult because of the enterprisewide reach of data governance requirements, widespread uncertainties concerning data ownership and use, and changing regulatory requirements related to data security and privacy. Ongoing digital transformation in the organization and the sharing of data with third-party partners provide further complications.
Despite these complexities, the internal audit function should help the organization formalize and advance its data governance program, in part to make the audit function more data-enabled. This requires auditors to consider the current state of data governance, frameworks, and structures that underpin effective programs, and take tangible steps to help strengthen the capability.
The makeshift state of data governance in many organizations belies its straightforward purpose and foundational influence on other important capabilities, including:
Data governance encompasses an extensive collection of enabling components and relationships. That universe is rapidly expanding as digitalization efforts have intensified amid the work-from-home shift spurred by COVID-19.
Many organizations have not established and maintained data governance programs at the necessary level of maturity, nor have they consistently viewed data as an asset with revenue-generating potential. There remain significant variations in how data governance is structured organizationally — from core and dedicated data governance functions, to hybrid models with key stakeholder support from groups like information security, to fully federated. In far too many organizations, however, ownership of data is fragmented or ill-defined.
From an internal perspective, there often are data governance triggers pertaining to data quality and its impact on operations and strategy that require attention. Likewise, existing data governance policies and processes tend to be re-examined in reaction to one or more common external triggers.
A Data Breach
Cybersecurity lapses often spark important questions concerning the data that was breached, how it is used, its value to the organization, and responsibility for the data’s oversight. These are among the areas a data governance program should address and monitor.
New Data Security and Privacy Requirements
New regulatory compliance mandates in some countries also focus attention on the need for strong data governance. The European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act give consumers the right to request a copy of their personal data being used by a company. Many organizations fulfill these requests ad hoc, scrambling to identify and organize the requestor’s personal data in a reactive manner. Instead, they should develop a more efficient “push-button” approach based on the clarity and visibility a formal data governance structure delivers.
In addition, there is increased focus and regulatory attention to effectively applying record management practices of retention and disposal as organizations move away from practices of over-retention because of a fear or risk of losing data. Organizations need strong data governance capabilities to mandate the collection of key metadata and data lineage documentation. Without them, it becomes challenging to establish systematic solutions to demonstrate to regulators how the business is applying retention periods to data based on an established policy or standard.
A New Vendor
As the use of cloud technologies increases and organizations broaden their network of business and technology partners, organizations share more sensitive data with third parties. These organizations want to know how their vendors are protecting their data and routinely require third parties that access organizational data to complete detailed questionnaires. They also expect vendors to agree to audit and attestation processes and reporting to provide assurance related to their risk management practices and data security and privacy controls. Mature data governance programs can help increase the effectiveness of third-party risk management activities — an area of growing interest to internal audit, boards, and executive management — on both sides of these relationships.
When data governance policies and processes are created in response to these and other discrete triggers, the resulting process tends to be reactive in nature and address specific and relatively narrow needs. For example, many GDPR-related data governance responses address GDPR-specific data privacy issues. However, they may not address requirements pertaining to data quality and IT infrastructure relevant to data source lineage and analyzing big data.
This “thin-slicing” pitfall represents both a risk and an opportunity for internal audit. The risk resides in internal audit’s assurance role: Insufficient organizational data governance raises troubling questions about the availability and reliability of data that auditors use to conduct their work. This is a growing concern, as many audit functions are looking to tap into more data sources and use advanced analytics, RPA, and other technologies to perform audits.
As more boards and leadership teams call for innovative audit approaches, internal auditors need a better understanding of where their organization’s data resides, how its quality is managed, how it generates value, and how it is protected. Moreover, there is an opportunity for internal audit to provide advice to management on establishing a proactive, enterprisewide data governance program to create long-term benefits for the organization.
Start With Structure
More internal audit functions are tasked with evaluating their organization’s current state of data governance and determining whether it is worthwhile to implement a more structured approach. In most of these cases, that assessment concludes with a resounding “yes.”
Implementing an enterprisewide data governance program in any mid-sized to large organization requires a comprehensive and multiyear initiative. That journey should begin by defining the data governance capability’s scope and structure.
Organizations often use an existing data governance framework, such as those developed and maintained by DAMA International and the Data Governance Institute (DGI). A viable framework describes what data governance means to the organization, what data will be governed, the areas of business that data governance will apply to, who will have governance responsibilities, and how governance will be enforced.
The DAMA-DMBOK 2.0 model is based on the organization’s Data Management Body of Knowledge (DMBOK). It places data governance at the core of an overarching data management model that also supports:
- Data architecture management.
- Data modeling and design.
- Data storage and operations management.
- Data security management.
- Reference and master data management.
- Data warehousing and business intelligence management.
- Document and content management.
- Metadata management.
- Data integration and interoperability management.
- Data quality management.
According to DAMA, the primary enabling components of core data governance include organization, strategy, technology, communication, management and monitoring, and policies, procedures, and standards.
The DGI emphasizes an overarching principle that “business needs drive information needs, which drive technology strategies and approaches.” The DGI Data Governance Framework contains 10 enabling components organized into three categories:
Existing data governance frameworks often serve as starting points. Because data governance is a large and varied subject that covers both technical and business process control areas, the specific structure and design of a program is normally tailored to address each organization’s unique characteristics and needs.
Four Steps to Strong Governance
Selecting the right framework for the organization is just the first step the business must take. Data governance initiatives require a sizeable budget as well as sustained commitment and coordination across the enterprise.
The data governance team must coordinate with stakeholders within IT and the business who have access to or oversight of data, systems, applications, and databases that may reside across multiple geographies. Plus, data ownership and stewardship responsibilities often are uncertain or not formally outlined, which complicates access to data, as well as executing necessary improvements.
To get data governance initiatives prioritized by the organization, internal audit should:
- Enlist business partners from within the organization. The sprawling scope of data governance improvement initiatives should encourage audit functions — especially those that are resource-challenged — to seek support from business partners. Enlist these partners in the effort while detailing internal audit’s advisory role, risk and controls focus, and process expertise.
- Expand beyond a checklist mentality – and a “protection only” approach. Internal audit’s knowledge of the organization’s reporting, monitoring, and decision-making mechanisms, and how they generate value, can help data governance project teams prioritize potential improvement activities. The broad, multifaceted nature of data governance will require internal audit to avoid a checklist approach and instead apply risk- and opportunity-based judgments and analyses. Internal auditors should keep in mind that data assets not only require protection, but also consideration for the value that they offer to the organization. These analyses resemble the considerations of risk appetite internal auditors routinely perform.
- Start with the end in mind. Many decisions about data governance structures and processes begin with a clear understanding of the end result. Auditors routinely ask questions such as: What do we want our data to do for us? What story do we want our data to tell us? Where and how should our data be stored? Answers to those broad, high-level questions serve as a starting point that sparks more focused questions such as: Do we have tools and processes to support those objectives? Does our existing data let us answer the questions we’re asking?
- Identify where data governance is needed most. Internal audit can underscore the need for improved data governance by pointing to its value in driving the success of specific activities, such as new system implementations or a new vendor relationship. In system implementations, data governance policies and processes should govern how metadata is tracked, how data quality is ensured, how data conversion and migration are managed, and more. The considerations associated with bringing on new vendors include: What data will vendors require access to? What data will they process on the organization’s behalf? What are their data governance practices? Each of these considerations has its foundation in data governance principles.
Taking on the Challenge
Although there are many other steps internal audit functions involved with data governance will need to consider, perhaps the most important step is overcoming the reluctance to take on such a sizeable endeavor. Data governance initiatives can deliver the dual benefits of bolstering organizational value and advancing internal audit’s credentials as a strategic contributor to the business. Internal auditors need to sharpen their big data, business intelligence, and data analytics skills to keep pace with their stakeholders’ data-driven approaches while conducting more efficient audits that provide deeper insights.