Survey: Data use, security among top audit risk areas
By Maria L. Murphy
The top three risk areas for internal audit teams and chief audit executives heading into 2020 are data governance, third-party ecosystems, and cyber vulnerabilities, according to a recent report by research and advisory firm Gartner.
Gartner’s annual “Audit Hot Spots” report is based on interviews and surveys of its global network of clients and identifies the most significant risks facing executives, boards, and audit committees in the year ahead. The report lists the 2020 top risks, compares them to the 2019 report, and includes key risk indicators and questions management should ask for each. It also includes an evaluation of the survey respondents’ confidence in the audit department’s ability to provide assurance over each risk, and their plans to cover the risk in their audit activities in the next 12-18 months.
Top risk area: Data governance
Businesses continue to generate and retain enormous amounts of data. Data is essential for strategic decision-making, but it must be managed and protected to avoid ever-increasing risks.
Those surveyed recognize the need for effective utilization of data for competitive advantage, driving innovation, allocation of resources, and expense reduction. But more than half of their organizations do not have a formal data governance framework and a dedicated budget for data management.
A formal data governance framework should include how data is collected, used, and managed, including security controls, backup, retention, and data migration plans. Controls over retaining data should also include deletion policies. The report identifies the high cost and potential risks of “data overretention,” which includes keeping unnecessary data that is not business-critical, or that is not utilized and may contain sensitive content that is not adequately protected.
Data migration is a significant issue for organizations, and it includes upgrades of systems, moving data to the cloud, and changing systems after mergers and acquisitions. Data migrations can be complex and, without proper planning, can lead to data loss, quality issues, inability to function, and missed business opportunities. The report, however, identifies that most organizations do not properly prepare for data migrations, and up to 75 percent of new systems fail to meet expectations.
An effective data governance framework needs to address what processes are in place to maintain compliance with existing data protection regulations and to prepare for the growing number of new regulations. There has been increasing regulatory and public pressure relating to data privacy, and new requirements are being imposed because of recent failures in data management and data breaches.
The report recommends that executives and auditors participate in working groups and committees to keep current on emerging governance issues and provide advice to their organization on the design and maintenance of data governance frameworks over time.
No. 2 risk: Third-party ecosystems
Organizations increasingly depend on multiple outside parties in running their businesses, and these parties are given access to sensitive assets and important business data to perform outsourced functions. Sixty percent of the organizations surveyed work with over 1,000 third parties, and third parties may use fourth and fifth parties that can increase the risks. The report refers to this as “deeper entanglement of third parties.”
Using outside vendors creates many data security and compliance challenges. Nonpublic data accessed by third parties can create potential damage if released, and critical business processes can be disrupted if the third party’s services are not available.
The processes and strategies for managing and monitoring outside vendors have not kept up with the level of use. Of the executives surveyed, only 28 percent said they continually monitor third parties, and only 53 percent said they have a strategy for risk mitigation in this area.
Failures and incidents at third parties are costly and can include business delays, financial losses, regulatory fines, and reputational damage to the organization. Consumers and regulators at the state, national, and international level are holding organizations accountable and extending the liability to them for issues that arise from the outside parties’ handling and lack of protection of company data. Examples included in the report are data breaches, privacy issues, human rights violations, and child labor in supply chains.
The report calls for a continuous and integrated approach in order to monitor and mitigate third-party ecosystem risk. It recommends reviewing the existing governance process for all relationships and identifying any gaps or conflicts, along with assessing how risks will be monitored and addressed over time as conditions change.
There should be a review of the third parties’ contractual obligations to communicate changes that could affect their risk profile, like changes in their ownership or operations, along with how they must report failures or breaches to the organization. Third-party contracts should include right-to-audit provisions, and companies should prioritize audits of any third parties that present the perceived highest risks because of the confidential data involved or how vital their services are to the organization.
No. 3 risk: Cyber-vulnerabilities
There has been an increase in the number of cyber-attacks, and the scale of the attacks and the sophistication of the cyber-criminals are also changing. Cyber-attacks can result in data breaches, loss of intellectual property, and consumer and regulatory financial and reputational exposures.
The report attributes much of organizations’ vulnerability to cyber-attacks to human error and negligent employee behaviors (for example, phishing e-mails, logging on to unsecured networks, use of social media, remote access to networks, and leaving devices unattended).
In addition, increased connection of devices and assets to the internet makes organizations more susceptible to cyber-attacks. Connection of Internet of Things (IoT) devices, smart buildings, and other emerging technologies presents new challenges.
Those surveyed admit that they have insufficient cyber-skills and budgets, along with inadequate security measures to protect themselves from even common cyber-attacks. Many organizations also do not perform cyber-risk assessments and do not have processes in place to detect or respond to potential cyber-risks.
To reduce cyber-exposure, companies should review the policies and procedures over system access and user rights, including changes and terminations. They should also train their employees on cyber-security awareness, how to mitigate risks, and what to do if there is a theft or data is compromised.
The IT department should evaluate the overall security measures over critical servers and assets connected to the network, including how unusual activities in the network would be detected. The organization should have a cyber-physical attack response plan that includes all relevant departments and addresses both system backups and building/employee safety concerns.
These top risk areas, along with other hot spots and themes covered in Gartner’s report, provide information that audit departments can use to assess key risks, discuss them with management during audit scoping, benchmark their audit plan coverage, and educate their audit committees on risk trends overall.