Data has often been touted as the new gold that all companies should be panning for. Without accurate or sufficient data, any decisions made by senior management may not have been any better than tossing a coin.
Data as Competitive Advantage
Recognising that data is capital, many organisations today are incentivised to collect and correctly interpret vast amounts of data to make better decisions at all levels, with the key objective of gaining a significant competitive advantage over their competitors. However, with great data comes great risk. Beyond data corruption and data compliance risks, there are many lesser-known data risks.
Types of Data Risks
A pernicious data risk arises with vendor lock-in, where vendors severely limit the company’s ability to access or transfer its data when changing vendors. Companies may want to work only with reputable vendors within a trusted jurisdiction, host key data internally and/or obtain periodic backups from the vendors.
Another lesser-known risk, data remanence, relates to residual data that remains in a system even after deletion and scrubbing. Common techniques such as overwriting or degaussing do not address data remanence in cloud computing or third-party backup systems, because the company does not control the underlying media. To minimise the risk of data remanence in such systems, adequate data encryption may be required.
Recent developments in data privacy laws also mean that many companies have embarked on initiatives to manage private data in a compliant manner. However, “dark” data, meaning data the company has collected but does not use or may not even be aware of, consumes unnecessary resources, slows down processing and leaves the company exposed to security, storage and compliance issues.
Data Risk Management Framework
Companies should do a health check of their current data risk management framework:
- Do you have an inventory of your data, i.e. the types of data being captured, the points of capture, how it is captured, where it is housed and what it is used for?
- Have you identified the relevant risks to key groups of data? Classify the risk events that may occur, and the legal and regulatory requirements applicable to the data.
- Have you analysed the risks? Evaluate how probable each risk event is, and identify the type and quantum of damages should such a risk event happen.
- Have the risks been treated to an acceptable level? Select suitable cost beneficial countermeasures and assess if residual risks are within acceptable levels.
- Is there a mechanism to monitor and review the risks? Appoint risk owner(s) who will be responsible for monitoring key risk indicators and updating the data risk register on material changes or breaches in risk management.
- When was the framework last reviewed? This should be performed at least annually.
Role of Internal Audit
A good internal audit function should be reviewing the data management framework holistically in accordance with standards such as the International Professional Practices Framework promulgated by The Institute of Internal Auditors.
It should review controls over lesser-known risks in its process audits and conduct reviews of data security that go beyond rudimentary reviews of access rights and data backup controls. Key aspects include the cybersecurity framework, phishing awareness programmes, training programmes for employees, and the timely patching of software.
The internal audit team should also analyse the company’s data to identify trends and patterns essential to understanding and managing risks. These could include assessing the relevancy of data maintained (e.g. the number of times certain data was accessed in a period) to identify dark data, or computing the total value lost when the actual recovery time exceeds the recovery time objective.
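The two analyses described above, as an added illustration that is not part of the original article or Baker Tilly's own tooling: a small Python script that counts accesses per inventoried dataset over a review period to flag candidate dark data (and datasets seen in the log but absent from the inventory, which is itself a dark-data signal), and a helper that quantifies the value lost for the hours by which actual recovery time overran the recovery time objective. The log format, dataset names, inventory and monetary figures are all constructed for the example.

```python
# Added example (not from the article): access-frequency analysis over
# constructed access-log data to flag candidate dark data, plus a helper
# that quantifies value lost when recovery time actual (RTA) overruns the
# recovery time objective (RTO). All names and figures are constructed.
from collections import Counter
from datetime import datetime, timedelta

# Constructed data inventory: dataset name -> owning function (not real systems).
INVENTORY = {
    "crm_contacts": "Sales",
    "legacy_survey_2015": "Marketing",
    "payroll_master": "HR",
    "iot_sensor_dump": "Operations",
}

# Constructed access log: "<ISO timestamp> <user> <dataset> <action>" per line.
# "shadow_export" is deliberately absent from INVENTORY.
ACCESS_LOG = """\
2024-03-01T09:12:03 alice crm_contacts read
2024-03-02T10:00:41 bob crm_contacts write
2024-03-03T14:22:10 carol payroll_master read
2024-03-10T12:00:00 frank shadow_export read
2024-03-15T08:05:59 alice crm_contacts read
2024-03-20T16:45:00 dave payroll_master read
2023-11-11T11:11:11 erin legacy_survey_2015 read
"""


def parse_access_log(text):
    """Parse log lines into (timestamp, user, dataset, action) tuples.
    Malformed lines are skipped so one bad record does not abort the review."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        records.append((ts, parts[1], parts[2], parts[3]))
    return records


def access_counts(records, period_start, period_end):
    """Count accesses per dataset within the half-open window [start, end)."""
    counts = Counter()
    for ts, _user, dataset, _action in records:
        if period_start <= ts < period_end:
            counts[dataset] += 1
    return counts


def find_dark_data(inventory, records, period_start, period_end, min_accesses=1):
    """Return (dark, unknown): inventoried datasets accessed fewer than
    min_accesses times in the period, and datasets present in the log but
    missing from the inventory (held but never catalogued)."""
    counts = access_counts(records, period_start, period_end)
    dark = sorted(d for d in inventory if counts.get(d, 0) < min_accesses)
    unknown = sorted({d for _, _, d, _ in records if d not in inventory})
    return dark, unknown


def recovery_value_lost(rto_hours, rta_hours, value_per_hour):
    """Value lost for the hours RTA overran RTO; zero when recovery met the
    objective (an early recovery never yields a negative loss)."""
    overrun = max(0.0, rta_hours - rto_hours)
    return overrun * value_per_hour


def audit_report(period_start=datetime(2024, 3, 1), days=31):
    """Run the dark-data check over the constructed log for one review period."""
    records = parse_access_log(ACCESS_LOG)
    return find_dark_data(INVENTORY, records, period_start,
                          period_start + timedelta(days=days))


if __name__ == "__main__":
    dark, unknown = audit_report()
    print("candidate dark data (no access in period):", dark)
    print("uncatalogued datasets seen in log:", unknown)
    # Constructed figures: RTO 4h, RTA 10h, 2,500 per hour of outage.
    print("value lost from RTO overrun:", recovery_value_lost(4, 10, 2500.0))
```

The inventory check in `find_dark_data` deliberately runs in both directions: a catalogued dataset nobody touched in the period is a retention and storage question for its owner, while a dataset that appears in access logs but not in the inventory is a gap in the inventory itself, which the framework checklist above treats as the first control.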
If you wish to have a chat about your current data risks or coverage by your internal audit function, you can reach out to our Partners, Lim Weiwei at wwlim@bakertilly.sg or Nicodemus Tan at nicodemus.tan@bakertilly.sg.
DISCLAIMER: All opinions, conclusions, or recommendations in this article are reasonably held by Baker Tilly at the time of compilation but are subject to change without notice to you. Whilst every effort has been made to ensure the accuracy of the contents in this article, the information in this article is not designed to address any particular circumstance, individual or entity. Users should not act upon it without seeking professional advice relevant to the particular situation. We will not accept liability for any loss or damage suffered by any person directly or indirectly through reliance upon the information contained in this article.