Top concerns for audit executives? Cyber risks and data governance

As organizations continue to collect customer and employee data, chief audit executives (CAEs) are increasingly concerned about how to govern and protect it.

Gartner conducted interviews and surveys from across its global network of client organizations to identify the biggest risks facing boards, audit committees and executives in 2020.

Data governance has risen to the top spot of CAEs’ audit concerns, up from second place in last year’s report, replacing cybersecurity preparedness.

Increased regulatory scrutiny has pushed governance risks, along with related data management challenges such as third-party ecosystems, cyber vulnerabilities and data privacy, as major concerns for audit departments.

“Despite the strategic importance of data, organizations have been slow to adopt data governance frameworks, putting them at risk of large fines, of poor strategic decision making and of misallocation of critical resources,” said Malcolm Murray, vice president for the Gartner Audit practice.

“Data management failures have drawn regulator and public scrutiny, leading to increased regulatory burdens and pressure on organizations and their use of data.”

The top three risks for audit executives in 2020

Data governance: Nearly 80% of executives agree companies will lose competitive advantage if they do not effectively utilize data, and 49% say data can be used to decrease expenses and create new avenues for innovation. More than half of organizations, however, lack a formal data governance framework and a dedicated budget.

As CAEs audit their data management practices, audit teams should pay special attention to security controls around data assets, data migration plans and backups for critical data assets.

To ensure compliance with regulations such as Europe’s GDPR, organizations should also review their controls and rules around collection and retention, and ensure deletion policies exist.

Third-party ecosystems: Fifty-three percent of senior leaders report an increased dependence on third parties, and in some cases, fourth and fifth parties. Despite the vast access these outside parties have to important business data, organizations are generally in a poor position to manage them.

Only 53% of businesses have a strategy to mitigate the risks, and just 28% of organizations continually monitor third parties.

Continuous monitoring and right-to-audit contract provisions can help ensure that third parties adhere to an organization’s protocols around data use and behavior. An organization must also account for contractual reporting requirements if any third parties experience a breach that compromises its data.

Cyber vulnerabilities: Cybercriminals are now operating highly sophisticated organizations with a variety of low-cost, readily available hacking tools. A lack of relevant skills and low cybersecurity budgets means that organizations are falling behind in their attempts to counter the growing number of cyberattacks.

Without an increase in resources, organizations will continue to be unable to mitigate the threat of cyberattacks, leading to potential data breaches, loss of intellectual property and regulatory exposure.

At a minimum, organizations should have foundational security measures in place, such as privileged access controls on sensitive assets and mature vulnerability identification.

It is also important to evaluate not only employee cybersecurity training and access management policies, but also the organization’s overall network security mechanisms and operational technology assets.

Finally, organizations should ensure their response plan for cyber-physical attacks (which target the control of an organization’s physical infrastructure) addresses all of its vulnerabilities in the event of an incident.

While there are numerous steps an organization can take to addressing the above risks and more, to prepare for the challenges of 2020 and beyond, all begin with assessing the adequacy of risk management strategies and ensuring these strategies are adaptable.

“Risk management is critical to identifying, mitigating and responding to potential disruptions,” said Leslee McKnight, research director in Gartner’s Audit Practice. “Organizations that do not continuously work on strengthening their risk management and resiliency practices hinder their abilities to recover and rebound from inevitable business disruptions.”

CAEs are also watching risks around increased organizational complexity, digital business transformation, and geopolitical and regulatory volatility. Rounding out the top 10 “hot spots” for 2020 are data privacy, risk culture and decision-making, project management, IT governance, regulatory developments, organizational resilience and supply chain.