​Facebook Data Exposure Offers Critical Lesson for Internal Auditors

Facebook, once the social media darling that could do no wrong in the eyes of users and investors, was hit with another setback recently. Researchers at a cybersecurity firm discovered Facebook user information readily available on cloud computing servers run by Amazon.com.

The revelation comes about a year after Facebook was pilloried for the Cambridge Analytica scandal, where an app developer shared data on millions of Facebook users with a political consulting firm. Despite assurances from Facebook CEO Mark Zuckerberg that the company would do more to protect user data, lapses such as the one involving Amazon continue to come to light.

From an internal audit perspective, Facebook's woes offer a clear and compelling lesson: Data, once viewed solely as an asset to be leveraged, now must be viewed as a potential liability or risk, as well. Demand is growing for greater protection of data, or more precisely, protecting the personally identifiable information that makes such information a treasure trove for marketers, retailers, political campaigns, and others who want to influence what the public thinks and does.

More governments are considering legislation requiring data aggregators to protect data and ensure privacy. A recent survey from the IBM Institute of Business Value makes it clear that the public also is demanding accountability.

Three quarters of respondents to the IBM survey said they don't trust companies with their data. Additionally, 87 percent said governments should regulate companies that manage personal data, and 40 percent said C-level executives should be fined or imprisoned for failing to do so (see"The Consumer's Data Anxiety").

In short, data has taken on a Dr. Jekyll and Mr. Hyde persona. Mining and analyzing data is a fundamental step in strategic business decisions. It helps businesses and organizations build models based on historical information to predict future behavior. But poor data management and a failure to understand what it tells us is a risk. That risk becomes more distinct and complex when failing to protect data damages the organization's reputation. Indeed, 70 percent of chief audit executives responding to The IIA's 2019 Pulse of Internal Audit survey listed reputational damage from a data breach as their biggest cybersecurity concern.

Internal auditors must cultivate and maintain a keen understanding of how their organizations collect, manage, protect, use, and share data. They also must have a handle on past and current practices on data usage and storage. To be sure, the list of areas where internal audit can provide assurance on data is significant.

Compliance. New data-protection regulations — from the Global Data Protection Regulation in Europe to the new California Consumer Privacy Act set to go into effect next year — are quickly creating a complex web of compliance risks related to data protection. Internal audit must stay abreast of these regulations, as well as any potential new regulations, and provide insight and foresight on steps that organizations must take to comply.

Operational. Policies and processes addressing how data is collected, managed, and protected offer many opportunities to provide assurance. One key area relating to data protection is how it is shared internally and externally. For many organizations, policies and processes designed to protect data are secondary to those designed to monetize it, which heightens the risk of data breaches.

Strategic. Boards and C-suites make strategic business decisions based on many factors, including data analytics. Internal audit must provide assurance on the accuracy of the data and on the analysis process itself.

Culture. This is one of more the challenging and least obvious aspects of data risk. Internal audit must understand how an organization's approach to and decisions made about data influence day-to-day operations. What's more, auditors need to grasp the organization's capacity to adapt to changing data needs. Culture is often defined as "how we do things around here." If "how we do things" disregards the need to protect data, then we have a cultural problem, too.
A 2018 Gartner survey found more than 87 percent of organizations are classified as having low business intelligence and analytics maturity. This not only creates obstacles for organizations that want to increase the value of their data assets and exploit emerging analytics technologies, it also suggests there is little understanding of the legal and ethical implications of data usage.

Clearly, there is much internal audit can offer relating to data. CAEs should speak candidly to boards and executive management on the value of assurance in each of the areas outlined here and be prepared to provide that assurance when the opportunity arises.

As always, I look forward to your comments.