With new territory comes new ethical issues. Rapid developments in technology have provided organizations with more data than ever before, but that data has come at a cost. Management and internal audit must work together to define the ethical issues involved in handling data, or risk heavy fines for noncompliance with stringent data privacy regulations that will soon affect organizations in Europe (Piper, 2017).
The increase in cybercrimes and data thefts has eroded customers’ faith in data and left businesses to determine how much time and resources they should invest in securing data from being stolen (EYGM, 2017). To compound the complexity of the problem, there are growing concerns regarding privacy rights as they relate to how data is collected, used, and retained. The use of data is not always clear upon collection, which creates an enormous challenge of explaining to data subjects how their data is to be used. Moreover, data subjects may not always know to what they are giving consent. Although a compliance-based approach may fail to address this ethically sensitive area, internal audit can help organizations navigate the challenge of ethically handling data (Piper, 2017).
Management’s responsibility is to identify, assess, and address emerging risks (Marks, 2016), but internal audit can add value to this process by understanding the organization’s data privacy risks and controls and by supporting the effectiveness of those controls through a risk-based approach (Piper, 2017). Questions to ask include: “How does a company store personally identifiable information, and who owns it? How does it [the company] address regulatory issues and privacy breaches?” (Blanchard, 2015). What are the risks of data being used in a way that deviates from its intended use? Internal audit must think beyond IT application and general controls to help management protect data access and use.
Internal audit can also suggest ways to mitigate identified risks and build trust, such as establishing formal requirements for addressing privacy obligations. According to EY, “fifty-four percent of organizations have no formalized requirements for addressing privacy obligations while using big data.” Along with privacy obligations, internal audit may suggest minimizing or de-identifying personal information (EYGM, 2017). It is important for internal audit to connect these suggestions to specific business objectives when educating management through its audits (Piper, 2017).
Data cannot be ignored; virtually every business is driven by data. The threats that data presents to organizations are unparalleled, but internal audit may be the key to helping organizations answer the question, “What does data mean to the success of our company both today and tomorrow?” (Piper, 2017).
Blanchard, Rob. (2015). “Big Data Risk and Opportunity.” The Institute of Internal Auditors. Retrieved from iaonline.theiia.org/2015/big-data-risk-and-opportunity.
EYGM. (2017). “Big Data: the Growing Trust Deficit.” Cybersecurity, EYGM. Retrieved from advisory.ey.com/cybersecurity/big-data.
Marks, Norman. (2016). “Internal Audit and the Internet of Things.” The Institute of Internal Auditors. Retrieved from iaonline.theiia.org/blogs/marks/2016/pages/internal-audit-and-the-internet-of-things.aspx.
Piper, Arthur. (2017). “In Safe Hands.” The Institute of Internal Auditors. Retrieved from iaonline.theiia.org/2017/Pages/In-Safe-Hands.aspx.