Whitepaper

Auditing Data Risk Management
January 2023

Level 5, 580 George Street, Sydney NSW 2000 | PO Box A2311, Sydney South NSW 1235
T +61 2 9267 9155 F +61 2 9264 9240 E enquiry@iia.org.au www.iia.org.au
© 2023 - The Institute of Internal Auditors - Australia
Contents

Background
- Purpose
- Definition
- Background
Discussion
- Issue
- History
- Data Management Policy and Framework
- Data Governance
- Data Partitioning and Stewardship
- Data Quality
- Data Criticality and Prioritisation
- Data Classification and Security
- Data Privacy
- Data Issues
Conclusion
- Summary
- Conclusion
Bibliography and References
Purpose of White Papers
Author’s Biography
About the Institute of Internal Auditors–Australia
Copyright
Disclaimer

Background

Purpose

Compared to other more established risk classes, data-related risk is a relatively new area of focus in which most organisations are still maturing their risk management approach. Due to increased digitisation of processes and reliance on data for decision-making and reporting, internal audit functions need to incorporate data risk management into their internal audit plans if they have not already done so. The challenge is to take a systematic and efficient approach to auditing management of data-related risk. This White Paper provides an overview of data-related risk management and discusses the key areas that should be covered when auditing it.

Background

Organisations are spending increasing amounts of time and effort unlocking powerful insights from their data. This is crucial for decision-making. In order to ensure data being analysed is accurate and fit-for-purpose across its end-to-end lifecycle, it is imperative to ensure data across the organisation is well-managed and well-governed.

There are two parallel aspects of data-related risk. We will use the term ‘data risk’ to cover both these aspects:

› Data must be fit-for-purpose and this implies the ‘purpose’ must be understood and ‘fitness’ defined. Some decisions require high accuracy, reliable data and others may accommodate some inherent uncertainty. This aspect may be regarded as ‘data quality’. Data collected for one purpose will not necessarily be suitable for a different purpose.

› The processes by which information is collected and stored must be appropriate for the data quality being sought. Higher quality data is likely to have higher cost than lower quality data. It is counter-productive to spend more on the collection and storage of data than the end benefit to the organisation.

Having proper data risk management in place and sufficient staff with data risk management expertise has often been an after-thought for organisations, with many now playing catch-up. It is important for internal audit to ensure the business has effective data risk management processes and procedures in place. Poor management of data can lead to poor outcomes for the organisation.

Discussion

Issue

Data risk management is an emerging risk area requiring internal audit coverage to minimise the risk of unintended exposure of sensitive data, flawed decision-making, and inaccurate management and regulatory reporting. Regulators have increased their scrutiny of data risk management over past years and recent cyber-attacks where sensitive information for millions of customers were exposed have increased government sensitivity to these issues. This reinforces the need for organisations to have robust data management processes.


History

Good governance of data and the management of data risk are closely related.

For more established organisations, data has historically been managed in siloes partitioned by systems and business areas. Data was not consistently managed across these siloes and enterprise-wide data standards were not developed. The challenge for enterprise data teams has been to fix historical data management issues and to make sure data created going forward is properly governed.

The well-established international standard on information technology governance ISO/IEC 38500:2015 ‘Information technology – Governance of IT for the organisation’ sets out a series of principles that have been adapted for data in ISO/IEC 38505-1:2017 ‘Information technology – Governance of IT – Governance of data – Part 1: Application of ISO/IEC 38500 to the governance of data’.

Data Management Policy and Framework

The best starting point for the internal auditor is to review the data management policy and framework in place, if there is one. There is no ‘one size fits all’ approach for how an organisation approaches data management – in some organisations there may be an overarching framework supported by multiple policies or there may be a single comprehensive policy. The best approach is dictated by the size of the organisation, the volume, variety and complexity of data and regulation.

Data Governance

In a centralised model, a central data management office reporting to a chief data officer or an equivalent senior officer will own the policy and framework. As ‘data’ can mean different things to different people, the internal auditor should check whether there is a definition of what ‘data’ actually means for the organisation, including whether it covers both digital and non-digital records (such as hardcopy documents).

Roles and responsibilities for various teams should be defined including critical staff such as chief data officer, data risk management support staff, and ‘data owners’ or ‘data stewards’[1]. Data steward will often be a part-time role incorporated into another job role – it may also be a full-time position, depending on the organisation.

Senior management may opt to oversee data governance through a dedicated committee in which members include senior data management staff across the organisation including the chief data officer and data stewards. If a dedicated committee does not exist, data governance can be included as a standing item in another relevant committee such as technology committee or risk committee. Topics for discussion may include:

› Major data initiatives across the organisation.

› Metrics defining the current state of data risk management and future targets.

› Significant data-related issues.

› Major changes to the data management policy and framework.

› Major changes to senior data governance roles and responsibilities.

Data Partitioning and Stewardship

To facilitate enterprise-wide data risk management, data across the organisation may be divided in some manner. This process establishes a direct link between the business and the data. For example, in organisations providing products to customers with the aid of suppliers, data can be divided into the main business areas such as:

› Customers.

› Products.

› Transactions.

› Suppliers, business partners, etc.

Each data area will have a data steward accountable for it. If the data steward is a senior member of staff, they may be supported by delegates such as direct reports, risk professionals or specialist data governance staff who perform day-to-day management of data and periodically provide updates to the data steward.

Data stewards should receive sufficient training to ensure they understand their responsibilities and they should dedicate sufficient time and effort to execute their responsibilities. There should be a periodic assessment performed by data stewards that assesses the current state of data within their remit including data quality, known issues and progress of any data remediation projects.

In some organisations, a central team may have responsibility for data across the organisation. Irrespective of what data partitioning and stewardship structure is used, there should be clarity around the structure used and on roles and responsibilities.

[1] As all data is actually owned by an organisation, we will refer to the individual with responsibility for making decisions about retention, access and use of data as a ‘data steward’.


Data Quality

The definition of quality is driven by intended use of the data. Poor data quality is a common weakness across organisations, highlighting the need for a systematic approach to measuring data quality and providing visibility across the organisation. Data quality issues commonly arise when data collected for one purpose is adapted for a different business purpose.

For organisations regulated by the Australian Prudential Regulation Authority (APRA), Prudential Practice Guide CPG-235 ‘Managing Data Risk’ defines six main dimensions of data quality:

› Accuracy.

› Completeness.

› Consistency.

› Timeliness.

› Availability.

› Fitness for use.

For organisations not regulated by APRA, CPG-235 is still a useful reference for managing data quality. It is important to know the uncertainty in each of these dimensions. Data must be tolerably accurate for the purpose to which it is put, but it is possible to spend too much on data accuracy for the desired outcome. On the other hand, if the use of data is to be upscaled it will be important to know it is sufficiently accurate for the new purpose.

A robust data quality approach at a minimum involves periodic execution of data quality rules over an organisation’s critical data. Data quality results should be communicated via reports or dashboards to relevant staff such as data stewards who can take action if data quality is not at an acceptable level.

In organisations where data quality is not consistently measured, management should be asked how they gain comfort over the organisation’s data quality and what their approach is to identifying data quality issues, which can then be subject to remediation.

Data Criticality and Prioritisation

Due to the high volume, variety and complexity of data produced in today’s business environment, it is important to identify data critical to the organisation and ensure the quality of this data is subject to strong controls and clear oversight. Criteria for determining what data is critical will vary from organisation to organisation, but include factors such as:

› Data used in decision-making such as performance measures (KPIs), insights and reports presented to senior management and the board of directors.

› Data supporting financial statements.

› Data provided externally, for example from customers, government and regulators.

Assuming the concept of critical data exists, there should be a catalogue capturing data element names and data element definitions. For example, customer critical data may be customer name, address and date of birth. Due to the dynamic nature of management reporting and regulatory obligations, it is important to check whether there is a periodic process (such as 6 months or 12 months) to reassess whether the current list of critical data is complete and accurate.

If critical data has not been defined, management should be questioned about this and asked whether there have been adverse outcomes identified due to a lack of critical data identification.

Data Classification and Security

Data should be classified according to how sensitive it is. At a minimum, data should be classified as being sensitive and non-sensitive. For example, personally identifiable information (PII) of individuals is very sensitive information and may be subject to legislated protection. In most organisations, additional classifications will be required.

Sensitivity criteria can be based on potential adverse outcomes associated with disclosure of data. For example, if customer PII data is unintentionally disclosed through a cyber-attack, adverse outcomes include:

› Privacy breach and associated penalties and fines.

› Increased likelihood of identity fraud for the compromised customers.

› Losing customers to competitors.

› Reputational damage if reported in the media.

Data classification determines the appropriate storage, access and transfer mechanisms for data. These processes are referred to as data security. Access to any data should be restricted to staff requiring access for legitimate reasons; however, general access may be a cost-effective solution for non-sensitive data. The storage and transfer of some data may have special provisions driven by law or by sensitivity, in which case strong encryption might be appropriate.

As data classification and data security requirements are a relatively new concept for most organisations, general awareness across the organisation outside data management and IT staff may be limited.
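The Data Quality and Data Criticality sections above describe periodic execution of data quality rules over a catalogue of critical data elements, with results reported to the responsible data stewards. The following is an added example of that mechanism, not code from the White Paper or from IIA-Australia: it assumes a critical data catalogue that records each element's definition and steward, tags each rule with the CPG 235 dimension it measures, and treats a 95% pass rate as the acceptable level. The catalogue, rules, threshold and sample records are all constructed for illustration.

```python
"""Periodic data quality rules over a critical data catalogue (added example)."""
from collections import defaultdict
from datetime import date
import re

# Constructed critical data catalogue: element -> (definition, accountable steward).
CATALOGUE = {
    "customer_name": ("Legal name of the customer", "Customer steward"),
    "customer_dob": ("Date of birth, ISO 8601", "Customer steward"),
    "address_postcode": ("Four-digit Australian postcode", "Customer steward"),
    "txn_amount": ("Transaction amount in AUD", "Transactions steward"),
    "txn_posted_date": ("Date the transaction was posted", "Transactions steward"),
}

# Constructed extract as at the reporting date; record 3 carries several defects.
REPORTING_DATE = date(2023, 1, 31)
RECORDS = [
    {"customer_name": "A Example", "customer_dob": "1980-02-14", "address_postcode": "2000",
     "txn_amount": 120.50, "txn_posted_date": "2023-01-30"},
    {"customer_name": "", "customer_dob": "1975-11-02", "address_postcode": "2000",
     "txn_amount": 45.00, "txn_posted_date": "2023-01-15"},
    {"customer_name": "C Example", "customer_dob": "2030-05-05", "address_postcode": "ABCD",
     "txn_amount": 10.00, "txn_posted_date": "2022-11-01"},
    {"customer_name": "D Example", "customer_dob": "1990-07-21", "address_postcode": "300",
     "txn_amount": 999.99, "txn_posted_date": "2023-01-31"},
]


def is_iso_date(value):
    """True when the value parses as an ISO 8601 calendar date."""
    try:
        date.fromisoformat(value)
        return True
    except (TypeError, ValueError):
        return False


# Each rule: (rule id, CPG 235 dimension, data element, predicate that is True when a record passes).
RULES = [
    ("DQ001", "Completeness", "customer_name",
     lambda r: bool(r["customer_name"].strip())),
    ("DQ002", "Accuracy", "customer_dob",
     lambda r: is_iso_date(r["customer_dob"]) and date.fromisoformat(r["customer_dob"]) <= REPORTING_DATE),
    ("DQ003", "Consistency", "address_postcode",
     lambda r: re.fullmatch(r"\d{4}", r["address_postcode"]) is not None),
    ("DQ004", "Accuracy", "txn_amount",
     lambda r: r["txn_amount"] > 0),
    ("DQ005", "Timeliness", "txn_posted_date",
     lambda r: is_iso_date(r["txn_posted_date"])
     and (REPORTING_DATE - date.fromisoformat(r["txn_posted_date"])).days <= 31),
]


def run_rules(records, rules=RULES, threshold=0.95):
    """Evaluate every rule over the extract; return pass rate and tolerance flag per rule."""
    results = []
    for rule_id, dimension, element, check in rules:
        passed = sum(1 for r in records if check(r))
        rate = passed / len(records) if records else 0.0
        results.append({
            "rule": rule_id, "dimension": dimension, "element": element,
            "steward": CATALOGUE[element][1],
            "pass_rate": round(rate, 3), "acceptable": rate >= threshold,
        })
    return results


def steward_dashboard(results):
    """Group rules below the acceptable level by data steward, so each sees what needs action."""
    board = defaultdict(list)
    for res in results:
        if not res["acceptable"]:
            board[res["steward"]].append(
                (res["rule"], res["dimension"], res["element"], res["pass_rate"]))
    return dict(board)


if __name__ == "__main__":
    for steward, items in steward_dashboard(run_rules(RECORDS)).items():
        print(steward)
        for rule, dimension, element, rate in items:
            print(f"  {rule} {dimension:<13} {element:<17} pass rate {rate:.1%}")
```

On the constructed extract DQ004 is the only rule at an acceptable level; the remaining four land on the stewards' dashboard, which is the visibility the section asks for. Availability and fitness for use are not scored here because they are judged against the intended use and service levels rather than against individual records.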

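The Data Classification and Security section says that classification determines the appropriate storage, access and transfer mechanisms, that access should be restricted to staff with a legitimate reason, and that general access may be acceptable only for non-sensitive data. The following is an added example of an audit test over those expectations, not code from the White Paper or from IIA-Australia: it assumes a register of data elements with a classification, a policy table stating the minimum control per classification level, and constructed access-grant, storage and transfer records. The classification names, the policy table and the records are all assumptions chosen for illustration.

```python
"""Audit test: do access, storage and transfer controls match data classification? (added example)"""

# Assumed classification scheme, ordered from least to most sensitive.
CLASSIFICATIONS = {"non-sensitive": 0, "sensitive": 1, "highly sensitive": 2}

# Constructed register of data elements and their classification.
ELEMENTS = {
    "product_catalogue": "non-sensitive",
    "customer_name": "sensitive",
    "customer_dob": "sensitive",
    "customer_id_document": "highly sensitive",  # identity document number (constructed)
}

# Assumed minimum control expectations per classification level.
POLICY = {
    0: {"allow_general_access": True,  "encrypt_in_transit": False, "encrypt_at_rest": False},
    1: {"allow_general_access": False, "encrypt_in_transit": True,  "encrypt_at_rest": False},
    2: {"allow_general_access": False, "encrypt_in_transit": True,  "encrypt_at_rest": True},
}

# Constructed access-grant records: principal "ALL_STAFF" means general access.
ACCESS_GRANTS = [
    {"element": "product_catalogue", "principal": "ALL_STAFF", "reason": ""},
    {"element": "customer_name", "principal": "ALL_STAFF", "reason": ""},
    {"element": "customer_name", "principal": "contact-centre", "reason": "customer service"},
    {"element": "customer_id_document", "principal": "onboarding-team", "reason": ""},
]

# Constructed records of where elements are stored and how they leave the organisation.
STORES = [
    {"element": "customer_id_document", "system": "onboarding-db", "encrypted_at_rest": False},
    {"element": "customer_dob", "system": "crm", "encrypted_at_rest": False},
]
TRANSFERS = [
    {"element": "customer_dob", "destination": "mailhouse", "encrypted_in_transit": False},
    {"element": "product_catalogue", "destination": "website", "encrypted_in_transit": False},
]


def level(element):
    """Numeric sensitivity level of a registered data element."""
    return CLASSIFICATIONS[ELEMENTS[element]]


def review_access(grants):
    """Flag general access to sensitive data, and sensitive-data access with no recorded reason."""
    findings = []
    for g in grants:
        lvl = level(g["element"])
        if g["principal"] == "ALL_STAFF" and not POLICY[lvl]["allow_general_access"]:
            findings.append((g["element"], g["principal"], "general access to sensitive data"))
        elif lvl > 0 and not g["reason"].strip():
            findings.append((g["element"], g["principal"], "no recorded reason for access"))
    return findings


def review_storage_and_transfer(stores, transfers):
    """Flag stores and transfers that lack the encryption the classification requires."""
    findings = []
    for s in stores:
        if POLICY[level(s["element"])]["encrypt_at_rest"] and not s["encrypted_at_rest"]:
            findings.append((s["element"], s["system"], "not encrypted at rest"))
    for t in transfers:
        if POLICY[level(t["element"])]["encrypt_in_transit"] and not t["encrypted_in_transit"]:
            findings.append((t["element"], t["destination"], "not encrypted in transit"))
    return findings


if __name__ == "__main__":
    for finding in review_access(ACCESS_GRANTS) + review_storage_and_transfer(STORES, TRANSFERS):
        print(*finding, sep=" | ")
```

The test is deliberately driven by the register: an element that is missing from the register cannot be assessed at all, which is itself a finding worth raising, since unclassified data has no control expectation to test against.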

Data Privacy

PII is subject to provisions of the Australian Government ‘Privacy Act’. Other jurisdictions have extra-territorial provisions in their privacy laws that might be applicable to Australian organisations. Data privacy breaches have increased in past years and have received widespread media attention through several high-profile incidents.

The Office of the Australian Information Commissioner (OAIC) is the national regulator for privacy. The OAIC regulates the ‘Privacy Act’ which covers how personal information is handled by organisations. If personal information is compromised through inappropriate access, insufficient data storage controls, or inadequate data transmission controls, a data breach may have occurred. The OAIC administers the Notifiable Data Breaches scheme which requires organisations to:

› Notify individuals if a data breach is likely to cause them serious harm.

› Report serious breaches to the OAIC.

Refer to the OAIC website for more information on data privacy.

Data Issues

Most organisations have data-related issues, whether they relate to data completeness, accuracy, quality, security, privacy or some other data deficiency. What differs across organisations is how these data-related issues are identified, made visible to appropriate staff and remediated.

One approach is to use a risk management system to capture data-related issues and ensure there is an easy way to distinguish data-related issues from other issues. Sifting through free-text fields is not an ideal approach for identifying data-related issues due to the high potential for inconsistent descriptions of data-related issues. A more robust approach is the ability to tag data issues through a drop-down box or list. If data issue tagging is available, it is possible to capture metrics on how well the organisation is tagging data issues, identifying trends over time, and whether particular business areas and systems have a higher proportion of data-related issues.

If a risk management system does not provide the ability to tag data issues, management should be questioned about how data-related issues are captured and actioned. Even if there is no robust approach, there may be widespread awareness of data-related issues, with staff having reduced ability to formally raise and therefore remediate such issues.

Conclusion

Summary

Organisations are starting to incorporate data risk management into their internal audit plans. This White Paper covers several areas that should be reviewed when auditing data risk management:

› Data management policy and framework.

› Data governance.

› Data partitioning and stewardship.

› Data quality.

› Data criticality and prioritisation.

› Data classification and security.

› Data privacy.

› Data issues.

Based on the size, complexity and nature of data management risks across an organisation, the areas discussed in this White Paper could be covered in multiple audits rather than a single enterprise-wide audit. Auditing data risk management could be a specific scope area in different audits.

Conclusion

Data risk is an emerging area for organisations. Having strong data risk management in place reduces the risk of flawed decision-making, adverse reputational impact from data-related issues, and regulatory scrutiny and fines. The areas covered in this White Paper should be used as a reference when auditing data risk management at your organisation.
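The Data Issues section describes capturing data-related issues in a risk management system with a tag (a drop-down value) rather than relying on free text, and then measuring how well issues are tagged, how data issues trend over time, and which business areas carry a higher proportion of them. The following is an added example of those metrics over an issue register export, not code from the White Paper or from IIA-Australia: the register layout, the tag values, the quarter format and the keyword heuristic are assumptions, and the issue records are constructed. The keyword scan is used only to estimate how many untagged issues look data-related (a tagging-quality check), which is consistent with the section's point that free text is too inconsistent to be the primary mechanism.

```python
"""Tagging coverage, trend and business-area share for data-related issues (added example)."""
from collections import Counter, defaultdict
import re

# Constructed issue register export. "tag" is the drop-down category; "" means left untagged.
ISSUES = [
    {"id": "ISS-001", "area": "Customers", "raised": "2022-Q1", "tag": "Data",
     "description": "Duplicate customer records in CRM"},
    {"id": "ISS-002", "area": "Customers", "raised": "2022-Q2", "tag": "",
     "description": "Date of birth missing for 4% of accounts"},
    {"id": "ISS-003", "area": "Products", "raised": "2022-Q2", "tag": "Process",
     "description": "Approval step skipped for new products"},
    {"id": "ISS-004", "area": "Transactions", "raised": "2022-Q3", "tag": "Data",
     "description": "Posting date inconsistent between ledger and warehouse"},
    {"id": "ISS-005", "area": "Transactions", "raised": "2022-Q3", "tag": "",
     "description": "Printer in branch office out of service"},
    {"id": "ISS-006", "area": "Suppliers", "raised": "2022-Q4", "tag": "Data",
     "description": "Supplier ABN field contains free text"},
    {"id": "ISS-007", "area": "Customers", "raised": "2022-Q4", "tag": "Data",
     "description": "Address data quality below threshold"},
    {"id": "ISS-008", "area": "Products", "raised": "2022-Q4", "tag": "",
     "description": "Reconciliation break: product codes incomplete"},
]

# Assumed keyword heuristic, used only to find untagged issues that read as data-related.
DATA_KEYWORDS = re.compile(
    r"\b(data|record|field|missing|incomplete|inconsistent|duplicate|quality)\b", re.I)


def tagging_coverage(issues):
    """Share of issues carrying any tag, plus untagged issues whose text suggests a data issue."""
    tagged = [i for i in issues if i["tag"]]
    suspects = [i["id"] for i in issues
                if not i["tag"] and DATA_KEYWORDS.search(i["description"])]
    return {"coverage": round(len(tagged) / len(issues), 3), "untagged_likely_data": suspects}


def data_issue_share_by_area(issues):
    """Proportion of each business area's issues that are tagged as data-related."""
    total = Counter(i["area"] for i in issues)
    data = Counter(i["area"] for i in issues if i["tag"] == "Data")
    return {area: round(data[area] / total[area], 2) for area in sorted(total)}


def data_issue_trend(issues):
    """Count of data-tagged issues raised per quarter, in chronological order."""
    by_quarter = defaultdict(int)
    for i in issues:
        if i["tag"] == "Data":
            by_quarter[i["raised"]] += 1
    return dict(sorted(by_quarter.items()))


if __name__ == "__main__":
    print("coverage:", tagging_coverage(ISSUES))
    print("share by area:", data_issue_share_by_area(ISSUES))
    print("trend:", data_issue_trend(ISSUES))
```

Two of the three untagged issues in the constructed register read as data issues, so the trend and area figures understate the true position; that gap between tagged and likely data issues is the measure of tagging quality the section has in mind.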


Bibliography and References

Australian Prudential Regulation Authority, 2013. Prudential Practice Guide: CPG 235 – Managing Data Risk. [Online] Available at: https://www.apra.gov.au/sites/default/files/Prudential-Practice-Guide-CPG-235-Managing-Data-Risk_1.pdf

Institute of Internal Auditors, 2012. Practice Guide: Auditing Privacy Risks, 2nd Edition. [Online] Available at: https://global.theiia.org/standards-guidance/Member%20Documents/PG%20Auditing%20Privacy%20Risks.pdf

International Organization for Standardization & International Electrotechnical Commission, 2016. AS ISO/IEC 38500 Information technology – Governance of IT for the organization. Sydney: Standards Australia.

International Organization for Standardization & International Electrotechnical Commission, 2017. ISO/IEC 38505-1 Information technology – Governance of IT – Governance of data – Part 1: Application of ISO/IEC 38500 to the governance of data. Geneva: ISO/IEC.

Office of the Australian Information Commissioner, 2014. Privacy fact sheet 17: Australian Privacy Principles. [Online] Available at: http://www.oaic.gov.au/privacy/privacy-resources/privacy-fact-sheets/other/privacy-fact-sheet-17-australian-privacy-principles [Accessed 20 Jul].

Office of the Australian Information Commissioner, n.d. Australian Privacy Principles. [Online] Available at: https://www.oaic.gov.au/privacy/australian-privacy-principles

Selmier, W. T. & Frasher, M., 2003. Differing views of privacy rights in the EU and U.S., and the resulting challenges to international banking: An interview with Joseph Cannataci. Business Horizons, Volume 56, pp. 779-786.

Purpose of White Papers

A White Paper is a report authored and peer reviewed by experienced practitioners to provide guidance on a particular subject related to governance, risk management or control. It seeks to inform readers about an issue and present ideas and options on how it might be managed. It does not necessarily represent the position or philosophy of the Institute of Internal Auditors-Global and the Institute of Internal Auditors–Australia.

Author’s Biography

This White Paper was written by:

Tariq Islam BEng (First Class Honours), BMaths & Computer Science, DCAM

Tariq has 17 years of experience across financial services, professional services and defence, including 10 years of internal audit experience at the Commonwealth Bank of Australia (CBA), Westpac and PwC. In 2022, Tariq founded RapidLynx Consulting to provide data analytics and data management consulting services to organisations in the Asia Pacific region. Prior to founding RapidLynx Consulting, Tariq was Executive Manager Analytics in CBA Group Audit & Assurance.

Before joining CBA, Tariq worked for five years in Group Audit at Westpac and primarily focused on data analytics. He also gained considerable experience in data risk management, led several end-to-end data risk management reviews and authored quarterly data risk management messages for multiple board committees at Westpac. In 2020, he was accredited in the Data Management Capability Assessment Model (DCAM) V2 issued by the EDM Council.

This White Paper was edited by:

Michael Parkinson BSc (Hons), Grad Dip Computing, PFIIA, CIA, CISA, CRMA, CRISC

About the Institute of Internal Auditors–Australia

The Institute of Internal Auditors (IIA) is the global professional association for Internal Auditors, with global headquarters in the USA and affiliated Institutes and Chapters throughout the world including Australia.

As the chief advocate of the Internal Audit profession, the IIA serves as the profession’s international standard-setter, sole provider of globally accepted internal auditing certifications, and principal researcher and educator.

The IIA sets the bar for Internal Audit integrity and professionalism around the world with its ‘International Professional Practices Framework’ (IPPF), a collection of guidance that includes the ‘International Standards for the Professional Practice of Internal Auditing’ and the ‘Code of Ethics’.

The IIA-Australia ensures its members and the profession are well-represented with decision-makers and influencers, and is extensively represented on a number of global committees and prominent working groups in Australia and internationally.

The IIA was established in 1941 and now has more than 200,000 members from 190 countries with hundreds of local area Chapters. Generally, members work in internal auditing, risk management, governance, internal control, information technology audit, education, and security.

Copyright
This White Paper contains a variety of copyright material.
Some of this is the intellectual property of the author, some
is owned by the Institute of Internal Auditors-Global or the
Institute of Internal Auditors-Australia. Some material is owned
by others which is shown through attribution and referencing.
Some material is in the public domain. Except for material,
which is unambiguously and unarguably in the public domain,
only material owned by the Institute of Internal Auditors-
Global and the Institute of Internal Auditors-Australia, and so
indicated, may be copied, provided that textual and graphical
content are not altered, and the source is acknowledged. The
Institute of Internal Auditors-Australia reserves the right to
revoke that permission at any time. Permission is not given for
any commercial use or sale of the material.

Disclaimer
Whilst the Institute of Internal Auditors-Australia has
attempted to ensure the information in this White Paper is
as accurate as possible, the information is for personal and
educational use only, and is provided in good faith without
any express or implied warranty. There is no guarantee given
to the accuracy or currency of information contained in this
White Paper. The Institute of Internal Auditors-Australia does
not accept responsibility for any loss or damage occasioned
by use of the information contained in this White Paper.
