Why You Need a Data Audit Team

Data Leverage Book
Ward & Ward

Every so often, we like to include an excerpt from our book Data Leverage to give you an idea of what we recommend to clients.

Today, we want to touch on a topic that gets far less attention than it deserves – the importance of a data audit team. When we suggest to people we meet that they should deploy a data audit team, we typically get one of two responses: the immediate “no we can’t do that” and (far more common) the head-tilting what-are-you-talking-about look.

Yeah that one

So, to help illustrate our point, here’s an excerpt from Data Leverage that explains why a data audit team makes sense for your business, regardless of size, industry, or maturity.

It fascinates us how few data audit teams we run into, regardless of company size or data asset library depth. Everyone is accustomed to financial audits; the very same principles can be put to work for your data strategy to monitor intrinsic and extrinsic data usage. Data audit teams systematically review and document the usage, access, and financial linkage of data throughout an organization. They are a hybrid between accountants and data geeks (like us).

Create this team, or hire a data audit lead to create it, and you will immediately increase data protection focus around the organization. Typically, a data audit team will begin with a review of systems and access logs to identify who is using what. You will be shocked at how much data is accessible by people within your organization that should not have access to it. If you don’t already have a team reviewing all of your log files to track users and access points, then your data audit team will start with that. This is also the first moment where your new data audit team will make some enemies. Usually some manager “who has always had access before” will be upset that the audit turned up their access and usage. Be prepared for this type of response, it’s a sign that you’ve caught something problematic.

“Yes…of course…check my browser history.”

Once the data audit team has used log files to document and then restrict access to data, it continues with an interview process within each division. The goal of internal interviews is to work with the rank-and-file employees to find out what they use data for, whether their use and access is necessary, and how you can better protect the information. Many companies restrict their audit interviews to managers, but this can be counterproductive. When you consider that every newsletter signup, Twitter account, purchase, customer service complaint, and website hit affects several different employees at your company, you realize that those are the people closest to the data and they often have the best understanding of how it is (or is not) used.

Interviews reveal the social hierarchy of data access at your business. There are  engineers that have access to every transaction at your company, although they aren’t in sales or accounting. They can see all the transactions including the financial terms because they built the database in which this data often resides. Even if it is encrypted in storage, these employees typically have also built (and have the keys for) the encryption module. This isn’t necessarily a problem, but it illustrates the types of insight you might get from interviewing an employee who is boastful about the access they have, or, instead, from another employee lamenting how little access they have.

“Our permissioning standards are too strict!”

Once the access logs and interviews are all buttoned up, the data audit team will flip around their green visors and determine the financial metrics. This is our favorite part of the process because it so closely aligns with step 2 of the DataSmart Method, Value. The data audit team will connect access and loss or misappropriation of data to potential financial impacts. For example, one company we worked with had hundreds of salespeople that could provide “free trial” access to a dataset for a period of 30 days. For some datasets, this generates a lead, helps demonstrate value, and engages prospective customers. The data audit team at this company discovered that there was no process tracking the number of times that a customer received a free trial nor how many times the free trial period was extended for an additional 30 days. They tabulated thousands of these additional “months” of access over a period of only one year. At a cost of around $500 per month, these accounts misused data with a value of more than $1 million in one year. Data teams always pay for themselves by revealing such activities.

This was more an example of poor sales training than malfeasance. Many times, the data audit team will help with issues in identifying and valuing data, which then leads to better data governance. However, the data audit team also improves the overall corporate culture and attitude towards data security in general. From the day you announce the arrival of a data audit team empowered to review access and usage of all company data assets, you will see employees and practices change. Rats will jump ship and reckless drivers will suddenly position their hands at 10 and 2.

Did someone say “rats” and “driver?”

Ultimately, the purpose of the data audit team is to safeguard the integrity of your datasets and of your systems while you find ways to create value with new uses for those datasets.  A data partnership depends on the quality of your data, which means your role in the partnership depends on your ability to understand, and vouch for, your data.  Your ability to do so will be much impaired without a data audit team supporting your efforts.

Excerpt from:

Data Leverage: Unlocking the Surprising Growth Potential of Data Partnerships available from Amazon and Audible.

Leave a Reply