Gartner conducted interviews and surveys of Chief Audit Executives (CAEs) from across its global network of client organisations to identify the biggest risks facing boards, audit committees and executives in 2020.
Data governance came in as CAEs’ number one audit concern, followed by cybersecurity preparedness. This is in part due to regulatory scrutiny along with related data management challenges such as third-party ecosystems, cyber vulnerabilities and data privacy.
Despite acknowledging the strategic importance of data, GRC’s own observations are that organisations have been slow to adopt data governance frameworks. This incurs the risk of privacy and data-quality breaches, regulatory fines and loss of public trust.
The top three risks for CAEs for 2020
Data governance: Nearly 80% of executives agree their organisations will lose competitive advantage if they do not effectively utilise data. 49% say data can be used to decrease expenses and create new avenues for innovation. More than half the surveyed organisations, however, lack a formal data governance framework and a dedicated budget.
Internal and external auditors should pay special attention to security controls around data assets, data quality controls, data migration plans and backups for critical data assets. They should also review data privacy controls and ensure privacy impact assessments are conducted and issues are actioned. A concept of “privacy by design” should be applied for all projects.
Organisations should have privacy breach identification and response plans in place and these should be regularly tested and continually improved.
Supply chain: Fifty-three percent of senior leaders report an increased dependence on third parties, and in some cases, fourth and fifth parties. Despite the vast access these outside parties have to important business data, the surveyed organisations are generally in a poor position to manage them.
Only 53% of businesses have a strategy to mitigate the risks, and just 28% of organisations continually monitor third parties.
Continuous monitoring and right-to-audit contract provisions can help ensure that third parties adhere to an organisation’s protocols around data use and behaviour. Organisations should also include contractual reporting requirements so that any third party that experiences a breach compromising the organisation’s data is obliged to report it.
Cyber security: A lack of relevant skills and low cybersecurity budgets mean that organisations are falling behind in their attempts to counter the growing number of cyberattacks.
Without an increase in resources, organisations will continue to be unable to mitigate the threat of cyberattacks, leading to potential data breaches, loss of intellectual property and regulatory exposure.
At a minimum, organisations should have foundational security measures in place. This includes ongoing vulnerability management and staff awareness training. A discipline of “security by design” should be adopted whereby security is embedded throughout project management phases and the systems development lifecycle.
Finally, organisations should ensure their cyber incident identification and response plan is regularly tested and improved.