The digital transformation process leads to the generation of considerable amounts of data. As such organizations need to be sure that this data is being put to appropriate use, in terms of analytics, and that any cybersecurity vulnerabilities are addressed. This leads companies to seek external services to provide an audit of their information management systems.
According to CBE Global, the primary risk that such audits identify is around “data privacy”, and addressing this risk requires the greatest amount of audit time and resources. Breaking this risk down further, the Internet of Things is found to be the area of greatest vulnerability for companies. The core risk is here is that hackers could use connected devices to obtain or override control of hitherto unreachable aspects of the business.
The key areas of digital activity that need to be focused on are, according to business analyst Peter Young, cybersecurity; information governance; data privacy; mobile technologies; system vulnerability; and vendors. Drawing some examples from these main areas, cycbersecurity extends to a review of data loss. This includes the need for an audit to assess whether the organization has controls in place to detect data leakage and the extent it can monitor the transfer of sensitive information outside of the organization’s network. How the organization deals with an incident of data loss, in terms of preparedness and risk assessment also need to be assessed. A further area of cybersecurity is with the identification of employees deemed to be a risk of becoming so-termed ‘malicious insiders’.
With information governance, a digital audit should determine whether information is appropriately classified, inventoried and mapped. Extending this review to data privacy, a digital audit should assess that any data collected by the organization that is considered redundant is destroyed.
With mobile devices, the digital audit should assess security, especially of devices used by employees off-premises. This will include a ‘hygiene check’ of passwords, software updates, and security strength. The type and sensitivity of information that can be accessed remotely should also be evaluated. Internal systems need to be reviewed too, especially in assessing whether legacy systems are able to meet current information security protocols. It is good practice to also assess whether vendors that the organization deals with also have good security systems in place, for flaws here could affect the organization too.
These examples illustrate why digital systems require a periodic audit and why many organization are turning to outside specialist companies to provide and appropriate level of insight. Such practices also help with driving further change for once an organization has had an audit and visualization of its information management systems completed it can better review how to plan and develop its digital activities going forwards.
As well as receiving audits around digitialization, companies can also harness digital technology to make their own internal and external audit processes more efficient. Ways to do this are outlined in a companion Digital Journal article “Auditing process is going digital.”
