The first goal when auditing information systems is typically to identify whether policies exist and are enforced around responsible management of data. Audit controls, change tracking, security, access, integrity constraints, etc., can all be verified or recommended. These are prudent practices for managing risks and corporate liabilities, and it is essential for an organization to maintain its customers’ trust. They also make an audit look like an expense with no immediate business advantage. Like paying for car insurance, it’s a cost we’d really rather not have. Focusing exclusively on questions of governance and control can fail to recognize that there is more opportunity in an information audit than simply implementing new rules.
Some years ago I sat in on a meeting to discuss information sharing. One manager stated quite definitively that there was no way they were going to share a report because of “FOIPOP” laws. This was a reference to the Freedom of Information/Protection of Privacy legislation current in British Columbia at the time. Their staunch protection of their customer was comforting; however, for the scenario being discussed there was in fact no compliance issue. More surprisingly, their vague reference to “FOIPOP” proved sufficient to silence the other party.
Since that time our familiarity with, and adoption of, good practices for managing information have greatly matured. Yet we still find organizations and users that don’t entirely understand their responsibilities and their rights with regard to their data assets. We need to focus on the themes of accountability and ownership, and on how they apply both between the organization and its client base and between staff and their organization’s objectives.
The immediate and most familiar requirement for an Information Audit is to ensure Accountability in the collection and usage of information. This is ultimately a question of whether the organization is managing its information with respect to its obligations to its customers. Is the information being gathered and retained for reasonable purposes? Is it being stored with diligence to security and access policies? Is the organization holding itself accountable for how that information is used so that the rights of its customers are maintained? Does it have any exposed liabilities or risks? There may be market or government legislation that mandates how information can be collected, stored and used. There are almost always internal policies and procedures that need to be defined, communicated and enforced. And there generally need to be technical implementations for ensuring compliance and governance, which IT will often be responsible for. Ensuring organizational accountability is the first priority to assess.
What shouldn’t be lost, however, is the accountability for supporting and enabling the organization’s success. Users and departments have an accountability to enable each other, and excessive zeal around protecting data can obstruct it. Sharing data isn’t a bad thing. In the spirit of “Systems Thinking”, a good audit will also identify where policies and safeguards are unnecessary or could be streamlined to benefit the business. The cumulative corporate data an organization collects is an immensely valuable asset that, leveraged appropriately, can empower the business. Navigating silos and diplomatically handling internal politics is part and parcel of making sound recommendations in a complete information audit.
The second area of focus is Ownership. This captures the responsibilities individuals and departments have around the data they collect and their role as the stewards of that data. It means ensuring they understand their responsibilities for collecting good clean data, correcting errors, and understanding how dependent downstream systems are on data quality. Aligning against business objectives can help clarify whether the right information is being collected and retained. Ownership includes a look at how other parties are supported, how usage policies are communicated, and who ultimately decides how data will be shared or transformed within the organization.
This sense of ownership should not, however, lead directly to silos of information. Part of the mandate of being a data owner is to ensure all users understand both their responsibilities and their rights with the data in a system. Users are empowered when they understand the reason behind a policy and can access the necessary resources and experts to be able to apply appropriate judgment on how data is shared or managed. In your own organization, do you find the hurdles to working with your organization’s data are reasonable or excessive? Ensuring corporate data is being shared appropriately and efficiently between separate departments is a critical deliverable of a good information audit.
Data is one of the most valuable assets an organization has. Business users have serious responsibilities around its collection, storage and usage that need to be very carefully understood and respected. The risks and liabilities are considerable. The caveat remains, however, that an information audit should focus not only on mitigating risks but also on ensuring data is being effectively leveraged. There is just as much value in recognizing when a constraint is not necessary as there is in confirming one exists.
When you assess an information system you need to go beyond the technical details and consider your data landscape more holistically. By understanding the business, by reviewing the external and internal policies and procedures, and by engaging with business users at all levels, you will be able to deliver an assessment that will help you manage your risks and ensure you are maximizing your opportunities.
An information audit is not a police action. This is an opportunity to ensure your organization is leveraging its data assets respectfully and effectively.