The excitement of the Olympics is undeniable. The efforts of host countries to impress and the opportunity to watch elite athletes display the results of years of hard work and dedication create memories for the most dedicated sports fans, as well as those who only occasionally watch athletic competitions. Some of the most memorable Olympic moments are those when there is a close finish—that event where it is difficult, if not impossible, for spectators to determine the actual winner. But with the introduction of electronic timekeeping in general, and the photo-finish camera in particular in 1948, Olympic officials are armed with the technology to determine the winner for even the closest of races.
Annually, Protiviti and ISACA survey IT audit and risk executives and professionals to identify and analyze top technology risks. Using a scale of 1 to 10 (with 1 indicating low significance and 10 indicating high significance), respondents were asked to rank their levels of concern. The most recent “IT Audit Perspectives on Today’s Technology Risks” survey from Protiviti and ISACA rendered the following results:
While photo-finish technology from the Olympics is not required to analyze the survey results, the top technology risks were actually very close. In fact, seven of the 10 risks all ranked at No. 7 or above. Bumping the detailed results to a higher-level summary, the key survey takeaways were cybersecurity-related breaches and related risk issues; data governance and data integrity; and regulatory compliance burdens and risks. Given the visibility of cybersecurity issues through news updates on high-profile breaches, attention to compliance matters and even data governance due to upcoming requirements or changes to existing requirements, I do not think that their placements as key takeaways are unexpected. While data integrity is associated with data governance and also connected with cybersecurity and compliance, it just does not seem to receive the same level of attention. This is unfortunate because data integrity (i.e., data being complete, consistent and accurate) is crucial to the decisions that enterprises make in the course of routine business.
Looking at the food and pharmaceutical industries, areas where data integrity does appear to have some visibility, efforts to heighten awareness of the impacts of data integrity on business decisions (and ultimately health and well-being) are being made. The Pharmaceutical Inspection Co-operation Scheme (PIC/S) is an organization that collaborates with 54 participating organizations to harmonize pharmaceutical safety standards to facilitate better decision making. Some of the participating organizations include the Federal Ministry of Health (Germany), the National Agency for Drug and Food Control (Indonesia), the Federal Commission for the Protection Against Sanitary Risks (Mexico), and the South African Health Products Regulatory Authority (South Africa). The US Food and Drug Administration (FDA) is also a participating organization of PIC/S.
In its role partnering with US companies and global companies that import to the US, the FDA saw data integrity-related warning letters increase from four in 2008 to a high of 56 in 2017, with a decrease in the following year to 42. If these trends of just one PIC/S participating organization are an indicator, data integrity challenges are widespread and in need of attention.
As IT auditors address data integrity, there are a few key considerations:
- Assessing the Data Lifecycle: It is important that the entire lifecycle (i.e., the sequence of steps data go through, beginning with collection/generation and ending with archiving or deleting it at the end of its useful life) is assessed.
- Managing Level of Effort: Additionally, it may be helpful to align the level of audit effort with commensurate data integrity severities. As a guideline, issues with original data and data manipulation have been identified as the leading causes of data integrity challenges, at 29.5% and 25.9% respectively. These areas are followed by system controls, data destruction and other data lifecycle components that reported issues at much lower percentages.
- Leveraging Other Data Initiatives: In looking at data integrity, there may be opportunities to rely on work performed in other areas. In Guy Pearce’s ISACA Journal article “Data Auditing: Building Trust in Artificial Intelligence,” he opined that as enterprises adopted artificial intelligence (AI) and machine learning (ML), confidence in the underlying data may have delayed embracing AI and ML. To mitigate that, his article provides guidance on inputs, data flows and other elements of assessing risk and performing a data audit from an AI and ML perspective. However, some of the guidance in that article may be useful to IT auditors’ specific evaluations of data integrity.
In reflecting on the outcome of the most recent “IT Audit Perspectives on Today’s Technology Risks” survey, unlike the Olympics, there is no technology risk that can be declared the “winner.” The importance of all the risks identified is indicated in how closely the risks were ranked. In mapping a plan to address these risks, it may be helpful to look at how the risks interrelate, particularly for those audit functions that are smaller or short-staffed. That streamlining should, however, retain awareness of risks that may need a more individual and focused review.
As in the case of data integrity, especially in specific areas such as data origin and data manipulation, some top risks may warrant a little more attention than they sometimes receive.