Data Governance practitioners must incorporate all aspects that bind data to the organization. Internal audit, referred to as the third line of defense against risk, should actually be top of mind for implementing effective governance programs.
The “Three Lines of Defense” model is an industry-recognized approach to enterprise risk management. The ultimate goal is to protect the organization through early detection and mitigation of risk. The three lines are defined as:
- First Line of Defense: Management and Operational Processes
- Second Line of Defense: Risk Management and Compliance
- Third Line of Defense: Internal Audit
In prior blog posts, we have focused on the data risk management implications for the first and second lines of defense. In this blog post, we shed light on the third line of defense, being the (overlooked) value of internal audit.
Corporate boards and their executives manage organizational risk through processes and internal controls. Often missed, however, is the risk from data hidden within the organization’s data centers and countless spreadsheets.
Engaging internal audit on day one of a new governance or data warehouse project has become standard practice at my company. This idea was not always popular among some of our project sponsors. However, we found that the audit staff had extensive knowledge of the client’s risk appetite and areas of vulnerability. They also had the authority and influence to help define the required governance controls.
Governance implementations should always empower this third line of defense with knowledge of the source and use of data across the organization. The job of internal audit is to make certain that all risks have been identified. Internal audit reports to the board of directors who in turn have the responsibility to protect the organization. A clear mandate is to catch any issues before they are detected by the fourth line of defense, being the external auditor, or even worse, the regulators.
In working with internal auditors, we have seen significant gaps in coverage despite the use of sophisticated Data Governance software applications. So much of governance technology today focuses on data lineage and business glossaries. While an important component, this falls short of enabling a broader view of the organization. Technology should help you answer the following questions:
- What department has ownership accountability for specific data?
- Who is the true subject matter expert for specific data?
- What departments consume what data?
- What is the current state of the data quality?
- Which systems or departments are generating the most data errors?
- Where is the confidential and PII data stored?
- Who has access to restricted or confidential data?
It has been estimated that data analysts and data scientists spend as much as 20% of their time having to collect and validate data. We call it a “waste tax,” and totally unnecessary with effective Data Governance.
For internal audit, the challenge is actually greater. Not only are they responsible for identifying data sources and quality, but they also have to piece together the relationship of data back to each business process. Giving equal weight to internal audit can only strengthen Data Governance in its role to protect your organization’s reputation.
Want to learn more about the relationship between risk and all lines of defense? Join me this June at DGIQ for my presentation called “Don’t Be Blindsided by Data Risk.”