Big data is a popular term used to describe the exponential growth and availability of data created by people, applications, and smart machines. Big data is evolving rapidly and will continue to present risks and opportunities for organizations and internal auditors for the foreseeable future.
This paper is a guide for internal auditors performing assurance or advisory procedures related to big data efforts.
Data Analytics is closely linked with Big Data.
However, Data Analytics is a problem-solving process that extracts insights, and it can be historical, real-time, or predictive.
Data Analytics (DA) can be risk-focused (i.e., controls around effectiveness, detection of fraud, waste, and policy/regulatory non-compliance) or performance-focused (i.e., increased sales, decreased costs, improved profitability).
With knowledge of big data, internal auditors can offer advisory services that forecast trends, model options, and predict outcomes to increase the organization's customer base and improve customer loyalty. For example, an internal auditor can advise the organization on how to provide more personalized services and tailored products, using transactional history and demographic data to determine the right pricing and financial strategies for an individual.
Internal auditors working with big data should engage with the organization’s Chief Information Officer (CIO) and Chief Data Officer (CDO) to better understand the risks in terms of data collection, storage, analysis, security, and privacy.
For big data programs to be successful, a clear business case must be articulated in alignment with the organization’s strategy. The big data program should have defined objectives, success criteria, and executive-level business sponsorship. The business case should also include a cost-benefit analysis of deploying such a significant program versus leveraging existing tools and technologies within the enterprise.
Key Risks and Control Activities in Auditing Big
Risks related to big data can arise from many factors, both internal and external to the organization. The following categories represent the primary risk areas:
Lack of appropriate management support, funding, and/or governance over the big data program can expose the organization to undue risk or failure to meet strategic goals.
- Executive management should develop a big data strategy that provides solutions across the organization.
- Prior to approving the business case, management should conduct a proof of concept to validate that the system designs align with strategic goals.
- Roles and responsibilities should be clear and well defined.
- The organization should provide the necessary resources to deploy and maintain the big data strategy.
- Third-party vendor management best practices should be used to manage big data suppliers.
(b) Technology availability and performance
Ineffective technology solutions and/or configurations may result in a negative customer experience, reduced system availability, and/or degraded performance.
- IT general controls should be assessed
- Big data systems should be part of the change management strategy.
- Big data systems should be included in the patch
- Big data systems should be procured, built, and/or configured in alignment with the complexity and demands documented in the business case.
- Systems and support tools should be configured to provide automatic notifications to support personnel.
- Reporting tools should be configured to be flexible, intuitive, and easy to use, and training aids should be provided.
- Big data systems should be configured to allow flexibility and scalability without sacrificing performance.
(c) Security and privacy
Ineffective information security standards and configurations may result in unauthorized access to, and theft of, data, inappropriate modifications of data, and regulatory compliance violations.
- Information security management should be part of the big data strategy.
- Data security management should be part of the big data strategy.
- Data privacy should be part of the big data strategy.
(d) Data quality, management, and reporting
Data quality issues and/or inaccurate reporting may lead to inaccurate management reporting and flawed decision making.
- Policies and procedures should be established to ensure data quality.
- Policies and procedures should be established to ensure that data obtained from third parties complies with data quality standards.
- Policies and procedures should be established to ensure reporting accuracy.
- Access to reports should be granted based on business needs.