7. Data Governance (▼6)

2021 Hot Topics for IT Internal Audit in Financial Services

October 2020

Why is it important?

Data should be seen by organisations as a key differentiator in maintaining competitive advantage, providing distinctive, customer-centric services and increasing the efficiency of their operations. Many organisations, however, continue to struggle, not only to effectively capitalise on their data, but to protect it.

Data protection, data privacy and data governance remain topics of continuous attention and focus for senior management and Internal Audit teams alike. In another year dominated by data breaches and regulatory fines, it comes as no surprise that this is again amongst the hot topics and a planning priority for 2021. Data management failures and breaches have drawn significant regulator and public scrutiny, resulting in increased regulation and in pressure from boards on management to improve their data governance procedures, policies and related data protection safeguards.

What’s new?

The significant increase in remote working amongst employees during the pandemic has heightened the information security risks that organisations are facing. More specifically, data loss and data protection risks are particularly elevated, compounded by the increase in fraudulent activity by malicious actors over the past few months. This area will continue to be a major focus as organisations move into the next, post-crisis phase. Organisations recognise the strong connection between protecting and safeguarding data and their broader resilience, data breach and incident response capabilities. Businesses are seeking to develop effective data breach response programmes that enable them to weather a breach or crisis if and when it occurs. Such initiatives encompass processes to ensure the business engages effectively with customers, the public and the media while the crisis is being resolved.

What should Internal Audit be doing?

Some of the areas of focus for internal audit are:

  • Data governance: Despite the strategic importance of data, many firms have been slow to implement data governance and accountability frameworks, which would enable a better coordinated and more effective approach to the use of data. This, in turn, increases the risk of regulatory fines or of poor decision making that leads to the misallocation of critical resources or missed business opportunities, for instance in leveraging the data capabilities of new digital technologies.
  • Data privacy and regulation: Internal Audit should assess the data privacy policies, framework and controls implemented to comply with the General Data Protection Regulation (GDPR) and with broader data privacy objectives. From complying with existing regulations to preparing for new requirements on a global or multi-region scale, organisations should have established processes to deal with the complex matrix of relevant regulatory requirements.
  • Data security: Data auditors should coordinate with information security / cyber audit SMEs and focus on technical data protection controls, including Data Leakage Prevention solutions and other security controls that prevent data breaches. The level of manual processing or legacy functionality within key business applications should form a key component of any Internal Audit opinion on key application systems, as these are often the trigger points for data leakage within many financial services organisations.
  • Data breach response: Internal Audit should challenge management on their customer data breach readiness procedures. Breaches will continue to occur, and it is a case of “when rather than if”. Organisations that have experienced such events recognise that they are hugely complex on many levels: technically, strategically and operationally. Internal Audit should review these areas, focusing on clear accountabilities, cross-functional collaboration, and readiness to respond on a timely basis in order to contain the issue while providing high levels of customer service to help safeguard reputation.