Leveraging Internal Audit for Effective Data Governance

Internal auditors are uniquely qualified to protect organizations’ data. Here’s why you should involve them in your data governance strategy. By Pedro Diaz de Leon, CPA, CIA, CFE | Digital Exclusive – 2023

Unlike other finance professionals, internal auditors are commonly uniquely suited to help ensure that the population of data within an organization is secure, private, accurate, available, and usable. This is because internal auditors have access to a variety of systems, applications, and types of data—all key in effectively implementing a data governance strategy.

Although more technical members of the team will be critical in implementing data management processes, such as integration, architecture, planning, and database configuration, internal auditors can assist in establishing a good foundation for data governance and set the groundwork to collect and use data. Establishing a good foundation is the first step in effective data governance.

Here are six ways for your organization to leverage internal audit for effective data governance.

1. Data Governance Foundation: Internal audit can identify the lapses in data controls and processes that should be in place to validate data quality and how accurately and completely the data is managed. Their findings should be addressed as part of the data governance framework and the associated policies and procedures that guide the overall governance program.

Notably, data ownership can be defined by internal audit so that the role has the necessary components as expected by a regulator. Determining the right individuals to manage and own the data will establish the foundation for creating effective policies for data classification, retention, and management—all foundational to a data governance program.

2. Data Understanding: Internal audit can play a key role in understanding the data by providing insight into what dimensions are needed to define the elements to meet regulatory expectations. It’s crucial to capture data that’s relevant to the investigation process, like identifying the specific data points required to meet the organization's objectives, as well as the usage, definition, and classification of data. Because of this process, a central data dictionary can be established and leveraged across the organization to drive more consistent data usage. The data classification is part of the effort to ensure appropriate care is taken based on any data sensitivity (e.g., personally identifiable information).

3. Data Architecture: The architecture used by an organization will dictate the constraints of its data usage. Many have legacy systems that require specialized resources to manage the data and associated capture and use. For internal audit, identifying data usage needs can help define the architecture requirements. These requirements will be based on risk and ability to meet regulatory expectations. With these requirements, the technical teams can construct an architectural pattern that mitigates the auditor’s findings. Part of the approach will be to develop a data standardization method as part of the supporting construct to ensure that the organization’s data is clean and high quality.

4. Data Quality and Cleansing: Once a data architecture has been determined and data has been standardized, internal audit can assist in developing a data quality model that’s in accordance with Control Objectives for Information Technologies to ensure that data meets established data quality criteria. Because internal auditors are experts on the data used for the reporting, their assessments can provide insights into the overall quality of the data (i.e., accuracy, completeness, and availability).

Notably, the quality of the data needs to be consistently monitored and managed through a governance framework. The data owners and the guiding policies and procedures can be developed and enforced through the governance framework. The experience and regulatory knowledge of the internal auditor can be leveraged to develop the needed rules and guiding policies and principles to help validate that they’re aligned to regulatory expectations.

5. Data Democratization: Effective data governance ensures that all permitted users in the organization have access to standardized, clean, and high-quality data. Internal audit can help management achieve this goal by assisting with the implementation of strong end-user access controls, providing assurance that data is secured and private, and recommending input controls that create high-quality data.

With the quality managed and the architecture deployed to facilitate broad access, users will develop trust in the data with the convenience of accessing and using the data. By providing universal access to a trusted data source, the end-user community will grow and unleash the value of the data in the form of creative and insightful analysis with the assistance of artificial intelligence.

6. Data Analytics: The implementation of data visualization tools can deliver analytical solutions based on the critical needs of the organization. Internal audit can help determine key metrics and outputs used in data visualizations and help users create reports and outputs that enable better decision-making.

Refining the Data Governance Program

Once the organization has established a data governance framework, internal audit can continue to assist in the following ways:

• Identifying and assessing data risks, such as loss, breaches, and corruption.
• Developing and implementing effective data governance policies and procedures.
• Monitoring compliance with data governance policies and procedures.
• Reporting on the effectiveness of data governance, including providing recommendations for improvement and highlighting at-risk areas for the organization.

Benefits of Internal Audit’s Involvement

Of course, there are many benefits to having internal audit involved in your data governance strategy. They include:

• Increased Assurance: Internal audit can assure management and the board that their data governance is effective. Through the auditor’s analytical assessment, they can assess the business processes to identify data anomalies in the process itself. This is particularly relevant when reviewing transaction logs, which can help reduce the risk of data inaccuracies, loss, and other related incidents.
• Improved Efficiency: Internal audit can help with data management efficiency by identifying and eliminating unnecessary processes and procedures. This can free up resources that can be used to improve the quality of data and the speed of data access.
• Reduced Costs: Internal audit can help to reduce the costs of data management by identifying and eliminating unnecessary data storage and processing costs. This can also free up resources that can be used to improve the quality of data and the speed of data access.
• Increased Compliance: Internal audit can help ensure that the organization complies with data-related regulations, which can help protect the organization from receiving fines and penalties.

As you can see, it’s in your organization’s best interest to involve internal audit in your data governance strategy. Doing so protects your data’s value, power performance, and resilience.

---

Pedro Diaz de Leon, CPA, CIA, CFE, is the director of risk and accounting advisory services at Cherry Bekaert. This article also features contributions from Cherry Bekaert’s Managing Director Al Swan, MBA.

 

Related Content:

• Tech-Driven Audit Approach: What You Need to Know: By allowing technology to shape your audit methodology, you can give clients the insights, analysis, and recommendations they’re looking for.
• Best Practices for Performing a Quality Audit: Here's how to ensure your audit engagements are efficient (e.g., on budget) and effective (e.g., have no deficiencies).