As organizations continue to collect customer and employee data, chief audit executives are becoming increasingly concerned about how their organizations govern and protect it, according to a new report from research and advisory firm Gartner.
According to Gartner’s annual Audit Plan Hot Spots Report, data governance has risen to the top spot of chief audit executives’ (CAEs) internal audit concerns, up from second in last year’s report, replacing cybersecurity preparedness. Increased regulatory scrutiny has made governance risks, along with related data management challenges such as third-party ecosystems, cyber vulnerabilities, and data privacy, major concerns for internal audit departments.
“Despite the strategic importance of data, organizations have been slow to adopt data governance frameworks, putting them at risk of large fines, of poor strategic decision making, and of misallocation of critical resources,” said Malcolm Murray, vice president for the Gartner internal audit practice. “Data management failures have drawn regulator and public scrutiny, leading to increased regulatory burdens and pressure on organizations and their use of data.”
Gartner conducted interviews and surveys from across its global network of client organizations to identify the biggest risks that boards, audit committees, and executives face in 2020. The top three risks internal audit executives must prepare for in 2020 include:
- Data governance: Nearly 80 percent of executives agree companies will lose competitive advantage if they do not effectively leverage data, and 49 percent say data can be used to decrease expenses and create new avenues for innovation. More than half of organizations, however, lack a formal data governance framework and a dedicated budget.
As CAEs audit their data management practices, audit teams should pay special attention to security controls around data assets, data migration plans and backups for critical data assets. To ensure compliance with regulations such as Europe’s GDPR, organizations should also review their controls and rules around collection and retention, and ensure deletion policies exist.
- Third-party ecosystems: Fifty-three percent of senior leaders report an increased dependence on third parties, and in some cases, fourth and fifth parties. Despite the vast access these outside parties have to important business data, organizations are generally in a poor position to manage them. Only 53 percent of businesses have a strategy to mitigate the risks, and just 28 percent of organizations continually monitor third parties.
Continuous monitoring and right-to-audit contract provisions can help ensure that third parties adhere to an organization’s protocols around data use and behavior. An organization must also account for contractual reporting requirements if any third parties experience a breach that compromises its data.
- Cyber vulnerabilities: Cyber-criminals are now operating highly sophisticated organizations with a variety of low-cost, readily available hacking tools. A lack of relevant skills and low cybersecurity budgets mean that organizations are falling behind in their attempts to counter the growing number of cyberattacks. Without an increase in resources, organizations will continue to be unable to mitigate the threat of cyberattacks, leading to potential data breaches, loss of intellectual property, and regulatory exposure.
At a minimum, organizations should have foundational security measures in place, such as privileged access controls on sensitive assets and mature vulnerability identification. It is also important to evaluate not only employee cybersecurity training and access management policies, but also the organization’s overall network security mechanisms and operational technology assets. Finally, organizations should ensure their response plan for cyber-physical attacks (which target the control of an organization’s physical infrastructure) addresses all of its vulnerabilities in the event of an incident.
Risk Management Strategies
Organizations can take numerous steps to address the above risks and to prepare for the challenges of 2020 and beyond, but all begin with assessing the adequacy of risk management strategies and ensuring these strategies are adaptable.
“Risk management is critical to identifying, mitigating, and responding to potential disruptions,” said Leslee McKnight, research director in Gartner’s internal audit practice. “Organizations that do not continuously work on strengthening their risk management and resiliency practices hinder their abilities to recover and rebound from inevitable business disruptions.”
CAEs are also watching risks around increased organizational complexity, digital business transformation, and geopolitical and regulatory volatility. Rounding out the top 10 “hot spots” for 2020 are data privacy, risk culture and decision-making, project management, IT governance, regulatory developments, organizational resilience, and supply chains.
Gartner creates its annual Audit Plan Hot Spots report by combining input from interviews and surveys from across its global network of client organizations and experts.