Big data represents both a growing risk and a growing resource for internal auditors, prompting the Institute of Internal Auditors to offer some new guidance meant to help auditors address it and leverage it.
The IIA’s nearly 50-page paper provides an overview of big data for the benefit of internal auditors who may be tasked both with using it and assessing risks associated with it. The paper covers the value of big data, the components, strategies, implementation considerations, data governance, consumption, and reporting, not to mention the associated risks. The guide explains what the IIA regards as internal auditors’ roles and responsibilities when performing any kind of advisory or assurance procedures related to big data.
That begins with considering the role of big data within the organization as part of the risk assessment and audit planning processes, the guidance says. Auditors typically plan to address big data risk in the context of multiple audits where it arises rather than a single audit looking at all big data risks. Auditors should plan to look at process and technology controls and should focus on how the data is being both consumed and acted upon within the organization.
The risks associated with big data that deserve internal audit scrutiny are numerous and complex, the IIA says. They include poor data quality, inadequate technology, insufficient security, and immature data governance practices. The company’s chief information officer should become the auditor’s go-to expert in understanding the risks associated with collecting, storing, analyzing, and securing big data.
The IIA says auditors must verify that the objectives of a big data program are aligned with the company’s business strategy, performing tests to show that the big data program provides value and is appropriately supported by leadership in the company. It is up to internal auditors to check the confidentiality, integrity, availability, and performance of big data systems, ensuring they align with management’s business requirements and needs. Auditors also need to check the quality, security, and privacy of the data used for analysis, not to mention the analytical outputs.
The IIA guidance also gives internal auditors a little advice on using the data as an audit tool, beyond auditing the data or the big data effort itself. The company may have already acquired, consolidated, and integrated the data, enabling internal audit to realize efficiencies, the paper says.