As organizations continue to collect customer and employee data, chief audit executives (CAEs) are increasingly concerned about how to govern and protect it, according to Gartner’s latest annual Audit Plan Hot Spots Report.
Data governance has risen to the top spot of CAEs’ audit concerns, up from second place in last year’s report, replacing cybersecurity preparedness.
Increased regulatory scrutiny has positioned governance risks, along with related data management challenges such as third-party ecosystems, cyber vulnerabilities, and data privacy, as major concerns for audit departments.
“Despite the strategic importance of data, organizations have been slow to adopt data governance frameworks, putting them at risk of large fines, poor strategic decision-making, and misallocation of critical resources,” said Malcolm Murray, a vice president in Gartner’s audit practice. “Data management failures have drawn regulator and public scrutiny, leading to increased regulatory burdens and pressure on organizations and their use of data.”
Nearly 80% of executives agreed that companies will lose competitive advantage if they don’t effectively utilize data, and 49% said data can be used to decrease expenses and create new avenues for innovation. More than half of organizations, however, lack a formal data governance framework and a dedicated budget.
As CAEs audit their organizations' data management practices, audit teams should pay special attention to security controls around data assets, data migration plans, and backups for critical data assets, Gartner said.
To ensure compliance with regulations such as Europe’s GDPR, organizations should also review their controls and rules around collection and retention, and ensure deletion policies exist, the research and consulting firm added.
Gartner recommended that internal audit departments take the following steps in 2020:
Assess data minimization policies: Review the controls and rules in place around data collection and retention. Ensure policies on data deletion exist and determine whether over-retention is an issue for the organization.
Review security controls around data assets: Work with the IT department to review and evaluate whether sufficient security controls exist for various data assets. Determine if organizational functions have visibility and control around which data is stored and retained.
Participate in relevant working groups and committees: Stay abreast of current governance efforts through involvement in the organization’s data governance working groups or committees and provide advisory input when frameworks are being built.
Review data migration plans: Work with the business and IT to examine the timeline and budget allocated for data migration projects. Assess the projects’ possible shortcomings and ensure that fail-safes, such as data inventories and backups, are in place to address them.
Assess the existence of backups: Evaluate whether sufficient backups exist for critical data assets involved in upcoming data migration projects. Evaluate how prepared the relevant organizational functions are to deal with the possibility of data loss, for example through backup and disaster recovery procedures.