Page 446 - ITGC_Audit Guides

Appendix C. Planning a Big Data Audit Engagement






                   In order to successfully audit or provide advisory services on big data programs, internal auditors
                   must have an understanding of the related risks and challenges (see Standard 2200 – Engagement
                   Planning and 2201 – Planning Considerations). The severity of risk will vary by organization and will
                   depend on the strategic intent and operational deployment of these initiatives (see Standard 2210
                   – Engagement Objectives and Standard 2220 – Engagement Scope). The following sections provide
                   additional detail on key risk areas, as well as example risk and control considerations for use in
                   building an audit work program for big data (see Standard 2240 – Engagement Work Program).

                   Big Data Risks and Challenges


                   The potential benefits of implementing a big data program come with significant risks and
                   challenges. Internal audit must help ensure the organization’s risks are identified, understood, and
                   appropriately addressed. By managing big data risks to acceptable levels, management increases
                   the likelihood of achieving planned business objectives and realizing the potential benefits of the
                   big data program.

                   As described above, the primary risk areas impacting big data are:

                   •   Program governance.

                   •   Technology availability and performance risks.
                   •   Security and privacy.
                   •   Data quality, management, and reporting.


                   Big data programs and environments should also be subject to IT general controls. (See “GTAG:
                   Information Technology Risk and Controls, 2nd Edition” for additional information regarding risks
                   and challenges related to IT general controls.)

                   Engagement Planning

                   Standard 2200 – Engagement Planning states that for each engagement, internal auditors must
                   develop and document a plan, which must include the engagement’s objectives, scope, timing,
                   and resource allocations. One of the most important things internal audit needs to determine
                   when planning the engagement is whether the organization has a unified and cohesive governance
                   structure in place, including policies and procedures, from which clear and consistent guidance
                   can be distributed across the organization. A strong governance model will provide the necessary




                   27 — theiia.org