As organisations continue to collect customer and employee data, chief audit executives (CAEs) are increasingly concerned about how to govern and protect it, noted Gartner.
The analyst’s annual Audit Plan Hot Spots Report revealed that data governance has risen to the top spot of CAEs’ audit concerns, up from second place in last year’s report, replacing cybersecurity preparedness. Increased regulatory scrutiny has pushed governance risks, along with related data management challenges such as third-party ecosystems, cyber vulnerabilities and data privacy, as major concerns for audit departments.
“Despite the strategic importance of data, organisations have been slow to adopt data governance frameworks, putting them at risk of large fines, of poor strategic decision making and of misallocation of critical resources,” said Malcolm Murray, vice president for the Gartner Audit practice.
He commented that data management failures have drawn regulatory and public scrutiny, leading to increased regulatory burdens and pressure on organisations and their use of data.
The top three risks audit executives must prepare for in 2020 include:
Data governance: Nearly 80% of executives agree companies will lose competitive advantage if they do not effectively utilize data, and 49% say data can be used to decrease expenses and create new avenues for innovation. More than half of organisations, however, lack a formal data governance framework and a dedicated budget.
As CAEs audit their data management practices, audit teams should pay special attention to security controls around data assets, data migration plans and backups for critical data assets. To ensure compliance with regulations such as Europe’s GDPR, organisations should also review their controls and rules around collection and retention, and ensure deletion policies exist.
Third-party ecosystems: Fifty-three percent of senior leaders report an increased dependence on third parties, and in some cases, fourth and fifth parties. Despite the vast access these outside parties have to important business data, organisations are generally in a poor position to manage them. Only 53% of businesses have a strategy to mitigate the risks, and just 28% of organisations continually monitor third parties.
Continuous monitoring and right-to-audit contract provisions can help ensure that third parties adhere to an organisation’s protocols around data use and behaviour. An organisation must also account for contractual reporting requirements if any third parties experience a breach that compromises its data.
Cyber vulnerabilities: Cybercriminals are now operating highly sophisticated organisations with a variety of low-cost, readily available hacking tools. A lack of relevant skills and low cybersecurity budgets means that organisations are falling behind in their attempts to counter the growing number of cyberattacks.
Without an increase in resources, organisations will continue to be unable to mitigate the threat of cyberattacks, leading to potential data breaches, loss of intellectual property and regulatory exposure.
At a minimum, organisations should have foundational security measures in place, such as privileged access controls on sensitive assets and mature vulnerability identification. It is also important to evaluate not only employee cybersecurity training and access management policies, but also the organisation’s overall network security mechanisms and operational technology assets.
Finally, organisations should ensure their response plan for cyber-physical attacks (which target the control of an organisation’s physical infrastructure) addresses all of its vulnerabilities in the event of an incident.
While there are numerous steps an organisation can take to addressing the above risks and more, to prepare for the challenges of 2020 and beyond, all begin with assessing the adequacy of risk management strategies and ensuring these strategies are adaptable.
“Risk management is critical to identifying, mitigating and responding to potential disruptions,” said Leslee McKnight, research director in Gartner’s Audit Practice. “Organisations that do not continuously work on strengthening their risk management and resiliency practices hinder their abilities to recover and rebound from inevitable business disruptions.”
CAEs are also watching risks around increased organisational complexity, digital business transformation, and geopolitical and regulatory volatility. Rounding out the top 10 “hot spots” for 2020 are data privacy, risk culture and decision-making, project management, IT governance, regulatory developments, organisational resilience and supply chain.
