What is data auditing: Unlocking the value of data through data risk management

Data gathering

The first step to realizing value from information is collecting the right data. Data gathering takes many forms in different settings. In most organizations, the most relevant and accessible data is the transactional information they possess from interacting with their customers, data about the products they make or sell, and employee data. With data risk management, the objective is to ensure the data is captured completely and classified accurately so that the insights gained later are based on the right data. The most common controls for data collection include:

• Data classification to a consistent data taxonomy (such as HR Data, Product Data, or Customer Data, as well as labeling the data based on confidentiality levels)
• Ensuring data privacy, obtaining consent, and anonymizing data based on applicable regulations
• Validating the data's accuracy and completeness 

Data storage

Data storage includes the protection, retention, and destruction of data. Data storage is complex, encompassing IT security practices for encrypting data, creating backup data, and preventing cybersecurity breaches. Companies should also establish retention policies and guidelines for removing and destroying data at set intervals. Data risk management related to storage practices covers many risks and controls. The most common controls to include in a data audit are:

• Access controls to stored data, including third-party access
• Use of current encryption best practices
• Frequent data backup, monitoring for failures, offsite storage, and recoverability for backup files
• Use of firewalls, VPN, and other network penetration controls
• Physical security controls over storage areas and devices

Data usage

Data analytics adds value to the business when used to examine data and apply statistical methods to identify patterns and correlations leaders can use to draw conclusions and anticipate future events and trends specific to each business function's needs. To make the output more meaningful, data visualization can be used to present the data using visual elements. During data risk management, the controls for data usage can include:

• Ensuring the data is appropriately cleaned and normalized before analysis
• Processes exist to request new visualizations and changes
• Verifying business critical reports and analysis are complete and accurate
• AI, algorithms, and models used for predictive analytics are understood, documented, and tested

Achieving Internal Audit's mission with data auditing

The mission for internal audit is "to enhance and protect organizational value," and auditing data, the organization's most valuable asset, is a key activity audit teams can perform to reach that mission. Through solid data risk management, organizations can ensure their data assets are gathered, stored, and used in a manner that allows them to make critical, data-driven business decisions with confidence.