Suggested Reading:

Baker Tilly Singapore Internal Audit Adding Value 2.0 Salient Point Web Banner Agg

Internal Audit’s value lies in helping organisations manage risks effectively. Ironically, how does one then prove and quantify the benefits from risk events that have been averted? Just as the modern-day auditor has to be multi-faceted in his/her training and competencies, so does the value of internal audit. This article discusses the different intrinsic values found in internal audit.

Internal Audit: Adding Value 2.0
Thursday, April 30, 2020

Data and its Risks

 

By: Nicodemus Tan, Partner, Governance & Risk, CIA, CRMA, CFSA, CA Baker Tilly Singapore_LinkedIn_Partner_Adrian Cheow_Deal Advisory

 

Data has often been touted as the new gold that all companies should be panning for. Without accurate or sufficient data, any decisions made by senior management may not have been any better than tossing a coin.

 

Data as Competitive Advantage

Recognising that data is capital, many organisations today are incentivised to collecting and correctly interpreting a vast amount of data to make better decisions across all levels, with the key objective of gaining significant competitive advantage over their competitors. However, with great data comes great risks. Other than data corruption or data compliance risks, there are many lesser-known data risks.

 

Types of Data Risks

A pernicious data risk occurs with vendor lock-ins where vendors severely limit the company’s ability to access or transfer data upon changing vendors. Companies may want to work only with reputable vendors within a trusted jurisdiction or host key data internally and/ or obtain periodic backups from the vendors.


Another lesser known risk of data remanence relates to residual data that remains in the system even after deletion and scrubbing. Common techniques such as over-writing or degaussing do not work for data remanence in cloud computing or third-party backup systems. To minimise the risk of data remanence in the system, adequate data encryption may be required.


Recent developments in data privacy laws also meant that many companies have embarked on initiatives to manage private data in a compliant manner. However, the existence of “dark” data which is data which the company has collected but did not use or may not even be aware of consumes unnecessary resources, slows down processing and leaves the company vulnerable to possible security, storage and compliance issues.

 

Data Risk Management Framework

Companies should do a health check of their current data risk management framework:

  • Do you have an inventory of your data? i.e. the types of data being captured, points of capture, how it is captured, where it is housed and what it is used for.

 

  • Have you identified the relevant risks to key groups of data? Classify what are the risk events that may occur, and what are the legal and regulatory requirements applicable to the data.

 

  • Have you analysed the risks? Evaluate how probably is the risk event and identify the type and quantum of damages should such a risk event happens.

 

  • Have the risks been treated to an acceptable level? Select suitable cost beneficial countermeasures and assess if residual risks are within acceptable levels.

 

  • Is there a mechanism to monitor and review the risks? Appoint risk owner(s) who will be responsible for monitoring key risk indicators and updating the data risk register on material changes or breaches in risk management.

 

  • When was the framework last reviewed? This should be performed at least annually.​

Role of Internal Audit

A good internal audit function should be reviewing the data management framework holistically in accordance with standards such as the International Professional Practices Framework promulgated by The Institute of Internal Auditors.

It should review controls over lesser known risks in its process audits and conducts reviews of data security that goes beyond rudimentary reviews of access rights and data backup controls. Key aspects include the cybersecurity framework, phishing awareness programmes, training programmes for employees, and the timely patching of software.

The internal audit team should also analyse the company’s data to identify trends and patterns essential to understanding and managing risks. These could include assessment of relevancy of data maintained (e.g. number of times certain data was accessed in a period) to identify dark data or compute the total value lost at recovery
time actual vs recovery time objective.

If you wish to have a chat about your current data risks or coverage by your internal audit function, you can reach out to our Partners, Lim Weiwei at wwlim@bakertilly.sg or Nicodemus Tan at nicodemus.tan@bakertilly.sg.

 

Download The Salient Point - Data and its Risks:

Baker Tilly Singapore_The Salient Point_Data and its Risks

 

Get in touch with the author(s):

Baker Tilly Singapore_Nicodemus Tan

Nicodemus Tan
Partner
Governance and Risk
  |  Email

 

>> Back to The Salient Point>> Main Page

 

DISCLAIMER: All opinions, conclusions, or recommendations in this article are reasonably held by Baker Tilly at the time of compilation but are subject to change without notice to you. Whilst every effort has been made to ensure the accuracy of the contents in this article, the information in this article is not designed to address any particular circumstance, individual or entity. Users should not act upon it without seeking professional advice relevant to the particular situation. We will not accept liability for any loss or damage suffered by any person directly or indirectly through reliance upon the information contained in this article.

Data Data Risk Management Framework Internal Audit

Cookie Disclaimer

Agree