
Inside Internal Controls

News and discussion on implementing risk management


Scratching the surface on Facebook and its problems


Richard Chambers, President and CEO of the IIA, has shared a short piece that scratches the surface (IMHO) when it comes to the issues faced by Facebook and similar organizations. I am talking about organizations that want either to use or sell data.

“Facebook Data Exposure Offers Critical Lesson for Internal Auditors” makes some good points, including:

  • From an internal audit perspective, Facebook’s woes offer a clear and compelling lesson: Data, once viewed solely as an asset to be leveraged, now must be viewed as a potential liability or risk, as well.
  • Mining and analyzing data is a fundamental step in strategic business decisions. It helps businesses and organizations build models based on historical information to predict future behavior. But poor data management and a failure to understand what it tells us is a risk.
  • Internal auditors must cultivate and maintain a keen understanding of how their organizations collect, manage, protect, use, and share data. They also must have a handle on past and current practices on data usage and storage.
  • CAEs should speak candidly to boards and executive management on the value of assurance.

It is tempting to focus exclusively on the down (or dark) side of the story. But as Richard says, the use and even commercialization of data is a huge opportunity as well.

I suggest that organizations and their internal audit teams seek assurance regarding:

  • Compliance with applicable laws and regulations in every location. Initiatives and resources should be allocated based on an understanding of relative risk to the organization and its objectives.
  • Compliance with the expectations of the community, governments, and (especially) customers. Again, prioritization of effort should be risk-based.
  • The safety of information, not only within the organization’s internal systems but also when it is in the “cloud” or with a vendor/customer/partner.
  • Whether optimal benefit is being obtained from the data. Consider the internal use of available data to inform and drive business decisions as well as the opportunity to market information. With respect to the marketing of the information, consider the whole sales cycle and the need for assurance that buyers will comply not only with the terms of the contract but with applicable laws, regulations, and societal expectations.
  • The integrity of the data: completeness, accuracy, currency, and timeliness.
  • The validity of the strategic model for using and leveraging the model.

While the focus right now is on the dark side, many organizations can leverage their data far more than they do today.

Internal audit can point out opportunities as well as potential problems.

I welcome your thoughts.


Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions.