A
ND THE IMPLICATIONS FOR INTERNAL AUDIT
Candidate: Jack Mills MSc - (ID6020417)Amsterdam, 2015-09-04 Coach: Jan Groenewold
University of Amsterdam - Amsterdam Business School Executive Internal Auditing Program
This research explores the impact big data has on the organizational risk landscape, the implications this has for internal audit. By means of in-depth interviews with industry experts the risks involved with adopting big data technologies and its implications are investigated. The results show big data has a high impact on the organization’s business processes, procedures, IT infrastructure, skills and staffing. This research identifies the top 50 risks involved with big data and finds that 29 of 50 are operational risks, a further 11 are strategic and that 3 of the top 10 risks are compliance related. Finally, the implications for internal audit function include critical updates to its operating model in the areas of strategy development; risk assessment; planning and scoping; audit execution; audit reporting; staffing and planning activities.
THE IMPACT OF BIG DATA ON
This research represents the final stage of my professional education in the Executive Internal Audit Program at the Amsterdam Business School. I have enjoyed the two years in this program immensely and the thing I am most grateful for is the value the program places on practical contributions to business. Even the discussions at the Maas Coffee machines during breaks were a lab of innovation for the field of internal audit. Similarly this research seeks to balance academic rigor with practical value for any business function involved with big data.
My heartfelt thanks go to my family, friends & sweet girlfriend for supporting me during the late nights and absent weekends spent in the library over the course of the program – Guys, I’m coming home! Special thanks go out to Jamila for being a wonderful study buddy. My thanks also go out to my coach – Jan Groenewold, who, through his enthusiasm and no bullshit straight talk, helped me immensely in writing this thesis.
Finally to the reader of this research, I sincerely hope you enjoy the fruits of my labor. The findings have been copyrighted in the UK and the Netherlands, however I encourage you to reflect on the application of big data within your own organization and to reflect on the key take-aways that could help you manage the oncoming wave that is the big data revolution.
Jack Mills | 2015-09-04 | Amsterdam
There is a lot of research into the added value of big data and the opportunities it represents. The risks involved with big data however are largely unexplored. It is the ambition of this research paper to explore the risks behind the opportunity that big data presents.
Research Objective: The objectives of this research is to explore the impact of big data adoption on the risk landscape of the organization and to understand what implications the adoption of big data. Research Questions: The research is structured around two research questions:
1. How does the implementation of big data impact an organization’s risk landscape? 2. How should internal audit (IA) respond to the implementation of big data?
To explore these research questions, in-depth interviews are performed with 11 professionals from 9 different industries all of whom have been involved with the implementation or adoption of big data technologies.
Using a probing, exploratory interview method, a list of top risks and top implications involved with big data implementation were obtained from the interviewees. The top 50 risks were further rated high, medium or low based on a series of five risk validation sessions in which a total of 21 risk professionals voted on risk ratings for each of the 50 risks presented.
Research question 1 Results:
From the top 50 risks of adopting big data, 29 are operational in nature, a further 11 are strategic. Compliance and reporting risks are less prevalent. Big data’s greatest area of impact is on, firstly, business processes and procedures, and secondly, on the IT architecture itself. The top 10 risks cover the following areas: the risk of data loss, lack of alignment between big data objectives and business objectives; lack of buy-in from key stakeholders; non-compliance with local or EU regulation; adopting IT solutions that cannot handle the complexity of big data, lack of feedback loops between end-users and IT developers, and lack of consideration for end-user requirements. Research question 2 Results:
Based on the impact big data has on the risk landscape and the list of risks involved with adopting big data the research outlines the key implications for internal audit. Big data adoption has implications for all core delivery methods and most support activities of the internal audit function. The most important implications for internal audit are: Updating the IA strategy to better meet a data-driven environment, the content of audit reports should be adapted to remove redundancies created by big data, the recruitment and training policies of the IA department should be updated to handle IT related issues, and finally IA should use big data to enhance risk assessments, audit planning & scoping, audit execution, the form of audit reporting, and monitoring activities.
Foreword ... I Executive Summary ... II Table of Contents ... III
Chapter 1 – Introduction ... 1
1.1 Research Motivation & Contributions ... 1
1.1.1 Theoretical Contributions for Science ... 1
1.1.2 Practical Contributions for Internal Audit (IA) ... 1
1.2 Research Objectives ... 2
1.3 Research Questions ... 2
1.4 Methodology ... 2
1.4.1 Definition of Information Needed ... 3
1.4.2 Interviewee Identification & Selection ... 3
1.4.3 Interview Method ... 3
1.4.4 Transcription of Interview Responses ... 4
1.4.5 Analysis of Results ... 4
1.5 Scoping, Limitations & Assumptions ... 4
1.6 Reading Guide ... 5
Chapter 2 – Literature Review ... 6
2.1 What is big data? ... 6
2.2 What is the Organizational Risk Landscape? ... 9
2.3 The Internal Audit Operating Model ... 11
2.4 Theoretical Research Model ... 12
Chapter 3 – The Risks of Adopting Big Data ... 13
3.1 Theoretical findings on the risks of adopting big data ... 13
3.1.1 Impact of big data adoption on regulators ... 13
3.1.2 Impact of big data adoption on governance & organizational structure ... 13
3.1.3 Impact of big data adoption on strategy & executive management ... 13
3.1.4 Impact of big data adoption on information technology & infrastructure ... 14
3.1.5 Impact of big data adoption on resources & assets ... 14
3.1.6 Impact of big data adoption on business processes & procedures ... 15
3.2 Interview findings on the risks of adopting big data ... 17
3.2.1 Impact of big data adoption on customers ... 17
3.2.2 Impact of big data adoption on suppliers ... 17
3.2.3 Impact of big data adoption on governance & organizational structure ... 18
3.2.4 Impact on of big data adoption strategy & executive management ... 18
3.2.5 Impact of big data adoption on information technology & infrastructure ... 19
3.2.6 Impact of big data adoption on skills & staff ... 20
3.2.7 Impact of big data adoption on resources & assets ... 20
3.2.8 Impact of big data adoption on business processes and procedures ... 20
3.2.9 Impact of big data adoption on culture & shared values ... 22
3.3 Top risks from adopting big data ... 22
Chapter 4 – The Implications of Big Data for IA ... 24
4.1 Interview findings on the implications of big data for IA ... 24
4.1.1 Implications of big data adoption for IA strategy & governance ... 24
4.1.2 Implications of big data adoption for IA risk assessments ... 25
4.1.3 Implications of big data adoption for audit planning ... 25
4.1.4 Implications of big data adoption for audit execution ... 27
4.1.5 Implications of big data adoption for audit reporting ... 28
4.1.6 Implications of big data adoption for IA monitoring activities ... 28
4.1.7 Implications of big data adoption for IA core support processes ... 28
4.2 Top implications of adopting big data for IA ... 29
Chapter 5 – Contributions & Conclusions ... 30
5.1 Contributions to Academia and Business ... 30
5.2 Conclusion ... 31
5.3 Suggested Future Research ... 31
References ... 32
Appendix ... 35
Item 1: Interview template ... 35
Item 2: Risk Validation Session Participants... 36
Item 3: Risk Validation Session Survey Screenshot ... 37
“There were 11 exabytes of
information created between the
dawn of civilization through 2004,
that much information is now
created every 2 days.”
~ Eric Schmidt (Chairman & CEO Google, 2015)¹
1.1
R
ESEARCH
M
OTIVATION
&
C
ONTRIBUTIONS
The volume of data being created and stored both inside and outside the business world is greater than ever, Moore’s law predicts that computing power doubles approximately every two years (Moore, Gordon E., 1965). Innovation in computing has resulted in cheaper and greater amounts of data and data processing power than ever before, this is changing the way businesses create and manage data. Being able to create value from this data demands innovation too.
Early adopters of Big Data analytics have outperformed their peers in a variety of ways. A Bain & Co. (2013) study found that organizations with leading practices in big data analytics are:
• Twice as likely to be in the top quartile of financial performance within their industries. • Five times as likely to make decisions faster than market peers.
• Three times as likely to effectively execute decisions as intended. • Twice as likely to use data very frequently when making decisions.
On the other side of the coin however the implementation of big data can have unforeseen consequences for the business, there are risks involved with big data. If management fails to identify and mitigate these risks, the adoption of big data will fail to add value and potentially harm the organization.
Research motivation: It is the ambition of this research paper to explore the risks behind the opportunity that big data presents.
In this research, the impact of implementing big data on the risk landscape of a business is explored. Big data represents information assets characterized by such a high volume, velocity, variety, [and veracity] to require specific technological and analytical methods for its transformation into Value. (De Mauro, et al. 2015). Big data covers the datasets, tools, processes and procedures enabling an organization to create, manipulate, and manage very large data sets. The risk landscape of an organization is defined here as the entirety of the risks that potentially prevent the organization from accomplishing its objectives.
1.1.1 Theoretical Contributions for Science
The opportunities and theoretical applications of big data have been widely researched and discussed in academic literature. The downside, or risks involved with adopting big data, however, has been sparsely researched. This research will contribute to a greater understanding of the risks associated with big data. This will provide future researchers a more balanced view on big data and provide a firmer basis upon which to conduct research into the true costs and benefits of adopting big data technologies.
1.1.2 Practical Contributions for Internal Audit (IA)
For management, the findings of this research help to reduce the level of uncertainty around the decision to implement big data by providing an overview of the risks involved. Given these insights, management or business intelligence departments can use the findings to take mitigating actions designed to minimize risk exposure during and after implementation of big data technology.
In addition to providing insights into the impact of big data on the organizational risk landscape, the research also provides insights into the implications of big data adoption for the internal audit function. Specifically implications relating to each block of the internal audit value chain are discussed.
Research Question 1: How does the implementation of big data impact an organization’s risk landscape?
Research Question 2: How should internal audit respond to the implementation of big data?
1.2
R
ESEARCH
O
BJECTIVE
The goal of this research is to create greater understanding of the impact of big data on the risk landscape of an organization and what the implications of this are for internal audit. Specifically the following objective is defined: To explore the impact of big data adoption on the risk landscape of the organization and to understand what implications the adoption of big data has for the internal audit function.
1.3
R
ESEARCH
Q
UESTIONS
In order to accomplish this research objective the following research questions are defined:
For this research question the aim is to catalogue the top risks involved with implementing big data. Each risk will then be rated high, medium, or low risk and categorized by the four COSO objectives, which are:
1. Strategic: High-level risks threatening accomplishment of the organization’s mission. 2. Operational: Risk of ineffective or inefficient use of organizational resources.
3. Reporting: Risk of misstatements in (financial) reporting.
4. Compliance: Risk of non-compliance with applicable laws and regulations.
The primary aim of this research question is to understand the implications big data adoption has for the internal audit function and to prescribe actions that internal audit should take in response.
1.4
M
ETHODOLOGY
In order to research these questions a qualitative, exploratory, interview-based method was selected. Due to the behavioral and interpretive nature of risks and the exploratory nature of the topic of big data, the qualitative method is preferred. As big data practices are often confidential it was opted to perform one-to-one interviews as the primary research method. The complete research method is outlined in figure 1.
1.4.1 Definition of Information Needed
The information needed for this research can be categorized into the following buckets: • Biographical company-related information
• Big data implementation plans and ambitions
• Big data impact on the business and potential risk areas
• The role of internal audit with regards to big data implementation
The detailed list of questions and probing areas is outlined in the interview template (reference appendix item 1).
1.4.2 Interviewee Identification & Selection
Interviewees were targeted based on the following requirements:
• [AND] The employer has implemented, or plans to implement, big data technologies. • [OR] The interviewee is directly or indirectly involved with the implementation. • [OR] The interviewee is directly or indirectly involved with internal audit.
Based on these selection criteria interviewees were identified with the assistance of EY Advisory and the University of Amsterdam, who together had a sufficiently large network to identify 11 respondents. Interviewees were initially approached via email and interviewed in a follow-up one-to-one interview. For privacy reasons the names of the interviewees and specific details of their big data strategies are not stated here. The wide variety in sectors of the selected companies increases the robustness of the findings and also their applicability across sectors. Figure 2 gives an indication of the diversity of the interviewees in terms of sector and company profile:
# Company Profile Sector Title of Interviewee
1 International Bank Financial Services Manager Data Innovation & Analytics 2 Fashion Retailer Retail Consumer Goods Manager Advisory Services
3 Consultancy firm Professional Services Director Advisory Services 4 IT Manufacturer Information Technology Senior Consultant
5 Train service provider Public Manager IT Business Intelligence
6 Train service provider Public Head Customer Insight
7 Biotechnology firm Life Sciences Manager Advisory Services 8 Mining Equipment Manufacturer Industrial Products Senior Data Analyst 9 Oil & Gas Producer Oil & Gas Manager Advisory Services 10 Insurance provider Financial Services Senior Audit Manager 11 Telecommunications provider Telecommunications Senior Manager Figure 2: Interviewee details
1.4.3 Interview Method
Semi-structured qualitative interviews were conducted in a one-to-one meeting. Due to the infant nature of big data in the business world the interviews were intentionally semi-structured to allow for enough structure for the interview results to be reliably compared but with enough open questions to allow probing and follow-up questions on previously unidentified risk areas.
The interview template (appendix item 1) contains a combination of standardized open-ended questions and the guide approach to interviewing to ensure the same general areas of information are collected from each interviewee while still allowing a degree of adaptability in obtaining the required information. The interviews were performed by Jack Mills (Research Lead) and Maarten Bellekom (Research Intern) over the course of 2014/2015.
In order to avoid bias and develop openness from the interviewees, all the interviews were conducted with complete anonymity for the both the interviewee and their employer. This was necessary as big data practices are commonly perceived as a key source of competitive advantage and in some cases as intellectual property. For this reason the interviews were recorded by hand and later digitalized in the format presented in the appendix (item 1).
1.4.4 Transcription of Interview Responses
In order to reliably compare and analyze the information collected during the interviews, the interview notes were transcribed using recursive abstraction in which the information provided is categorized into predefined groups of information, the groups of information consist of: firstly, risks for each of the risk landscape areas outlined in figure 5 and secondly, the implications of big data for each of the primary internal audit functions outlined in figure 6. The interview questions used to collect these groups of information can be seen in appendix item 1.
1.4.5 Analysis of Results
Literature review
The information received from the interviewees regarding risks and implications for internal audit could not in all cases be backed up by an explanation or a root cause by the interviewee due to lack of theoretical knowledge on the topic. In order to accurately classify and understand the risks identified by the interviewees a supplementary literature review was performed. The end result for each research question is a set of findings that are backed by both real world experience from the interviewees and a theoretical basis from existing literature.
Risk validation sessions
The end result of research question 1 is a list of risks involved with adopting big data. In order to rate these risks, validation sessions were held with 21 participants (see appendix item 2) in which each risk was ranked high, medium or low (H/M/L) based on a voting system. The metric of H/M/L was selected for its simplicity and practicality and takes both probability and impact into consideration.
In order to avoid judgment bias, none of the interviewees were selected to participate in the validation sessions. The 21 participants were all professional risk consultants trained in risk assessment and were selected based on their range of industry experiences. The names of participants are anonymous but appendix item 2 shows the participants’ level of seniority and primary field of specialization.
Five validation sessions took place with one to eight participants in each. Each validation session consisted of three stages: 1st an introduction to the research topic and explanation of big data were given in order for the participants to be knowledgeable enough about big data to give an accurate risk rating; 2nd procedural instructions for voting were given. The participants were allowed to ask questions to ensure full understanding of the risks and were instructed to base their rating on their own professional judgment and industry background; 3rd Voting of H/M/L risk ratings per risk were collected using a live survey in which results were captured in real time. For screenshots of the survey tool and validation sessions reference appendix item 3.
1.5
S
COPING
,
L
IMITATIONS
&
A
SSUMPTIONS
In executing the research methodology there are a number of limitations the reader should take into consideration.
the implications of big data for internal audit are a largely unexplored academic field. To compensate for this limitation the research uses inductive reasoning to infer insights from literature in related topics such as big data applications, IT risk landscapes, and the mandate of internal audit. Secondly, access to respondents actively involved with big data projects is limited. This is partly because the total number of companies involved in big data to start with is limited and also because those companies that are involved with big data in its early stages typically don’t publicize this information immediately. To overcome this limitation the research has used the following methods:
• To extract the most information possible from the respondents that are engaged with big data in-depth interviews were performed using a probing technique to extract relevant information from unanticipated areas. The following probing techniques were used (Easterby-Smith, et al.1991):
o Explanatory probing: use to get a clearer understanding by asking for examples and explanations to statements made.
o Drawing out: By repeating or re-phrasing questions to obtain more examples or information
o Giving ideas of suggestions that are designed to trigger the interviewee to provide more information.
o Mirroring and reflecting: Rephrasing the interviewees own words back to them in order trigger the interviewee to go deeper into their explanations.
• Indirectly linked parties – such as consultants that have worked on big data projects and internal auditors who are knowledgeable about the topic without having directly been involved – were interviewed.
Finally, it is recognized that big data, as a technological development, has an impact extending beyond the borders of the organization, it has an impact on macroeconomic risk factors as well. The scope of this research, however, is limited to the impact of big data to the organization and its immediate environment. Macro environmental risks will therefore not be taken into consideration beyond their direct impact on the organization and the micro environment.
1.6
R
EADING
G
UIDE
This research paper is structured around the research questions presented in chapter 1. In chapter 2, a literature review is presented in which the underlying constructs of big data, big data analytics, risk landscapes and the operating mode of internal audit are explored. The literature review draws on both academic and business sources to provide a complete picture of the research conducted to date.
Chapter 3 describes the detailed findings of research question 1. The chapter starts with a literature review describing academic and business research relevant to the research question, followed by the findings from the interviews. Chapter 3 is concluded with a summary of the top risks involved with big data implementation.
Chapter 4 provides the findings related to research question 2. First the assumptions underlying the research are presented, then the findings from the interviews are presented for each component of the internal audit operating model.
Chapter 5 outlines the implications and contributions this research makes towards academia, internal audit and the business world and summarizes the conclusions of the overall research objective. Finally, a list of references and an appendix is provided.
In this section we explore the theoretical underpinnings of the research questions. This forms a basis from which to draw conclusions from the research. Here we explore the existing literature behind: big data, its impact on the business environment and risk landscapes, and the mandate of internal audit in relation to the organizational risk landscape. The purpose of this chapter is to provide the reader with sufficient understanding of these topics to be able to understand the findings presented in chapter 3 & 4. The literature review is summarized in the form of three theoretical models, firstly a model representing the Big Data Infrastructure (figure 4), secondly a model representing the organizational risk landscape (figure 5) and finally a model representing the typical functions of internal audit (figure 6). These three model are combined into an overall theoretical model used to structure the presentation of the research findings in chapter 3 & 4.
2.1
W
HAT IS BIG DATA
?
Big data is defined as a set of data so large and complex that traditional data analysis solutions (hardware and software) are unable to effectively process it. Big data sets have four defining features compared with traditional data sets; these are outlined in the 4V’s model (Laney, Douglas): Volume: Over the last 30 years, digital storage space (in gigabytes) per unit cost ($) has doubled roughly every 14 months (Komorowski, 2009).
Figure 3: Drop in storage space cost from 1980 to 2009 (Komorowski, 2009).
As server space becomes cheaper the incremental cost to capture and store data drops. At the same time the ability for businesses to glean insight from data has increased (McAfee, Brynjolfsson, 2012). The result is that more data is being collected and stored today than at any point in history. An estimated 2.5 exabytes (2.5 billion gigabytes) of data is created every day, and this number doubles about every 40 months (McAfee, Brynjolfsson, 2012). Big data sets are larger in volume than traditional data sets.
Velocity: The speed at which big data sets are being collected and stored is also on the rise. It is estimated that 90% of the world’s data has been collected in the last 2 years (IBM, Global CMO study). Traditional forms for data analytics are based primarily on historical data records: the rate at which big data sets are now being collected allows companies to perform data analytics in real time (McAfee, Brynjolfsson, 2012).
Variety: Next to volume and velocity, big data sets are also characterized by an increase in the variety of data collected. The number of types of device collecting and storing data is more diverse than ever before, from e-retailers, to social media, to smart phones, to traffic signals, to satellites, to ERP systems. Big data is most often a combination of structured and unstructured data made up of demographics, point-of-sale, messaging, status updates, GPS signals, tweets, financial, network usage. The variety of data collected and stored is greater than with traditional data sets (McAfee, Brynjolfsson, 2012).
Veracity: The 3V’s model was recently updated to the 4V’s model in order to include “veracity” as a key distinguishing feature of big data. Veracity refers to the correctness or accuracy of the data collected. Sathi (2012) states: “Unlike carefully governed internal data, most Big Data comes partly from sources outside [the organization] and therefore suffers from significant correctness or accuracy problems”. Sathi (2012) further states: “Veracity represents both the credibility of the data source as well as the suitability of the data for the target audience”. The veracity of big data must be taken into consideration when interpreting and using big data insights.
The 4V’s model demonstrates how big data sets are different from traditional data sets and is graphically represented by the ‘Big Data’ layer at the bottom of figure 4. The analysis of traditional data sets to produce actionable business insights is referred to as “business intelligence” (BI). In order to analyze big data sets, new forms of data analytics have been developed; these are referred to as “big data analytics”. Both business intelligence and big data analytics aim to support management decision making, but do so with a different set of tools.
Business intelligence primarily uses descriptive statistics with traditional data sets with high information density to provide historical, current, and predictive views of business operations (Rud, Olivia, 2009). Big data analytics, on the other hand, uses inductive statistics and techniques from nonlinear system identification to infer laws (regressions, nonlinear relationships, and causal effects) from big data sets (Billings, 2013). The aim of big data analytics is to reveal relationships and dependencies, and to perform predictions of outcomes and behaviors in real time (Billings, 2013).
Big Data Analytics
Data analytics is the process of inspecting, cleaning, integrating, transforming, and modeling data with the goal of discovering useful information, producing actionable insights, and supporting business decision-making (Judd, Charles and, McCleland, Gary, 1989). The unique nature of big data (as described by the 4V’s above) means that traditional forms of data analytics (using a data warehouse, MS Excel, or ACL, for example) are not capable of processing it. In a typical ‘traditional’ system architecture (i.e. legacy systems), there is a set of components for ingesting data, a set of components for storing the data, and a set of components for analyzing the data to produce actionable business insights. Since all the data must be routed via a storage medium using a data warehouse, the storage, organization, and retrieval of data creates a bottleneck when dealing with big data (Arvind Sathi, 2012).
Analyzing big data requires new forms of hardware, software, and analytical techniques to uncover actionable insights for operational use and business decision making. The components required to process big data are graphically represented in figure 4; these components are explained below.
Figure 4: Big Data Infrastructure Model Hardware required for Big Data
As represented by the MPP Platform Layer in figure 4, the most common approach to tackling the data tsunami associated with big data is to use Massively Parallel Processing (MPP) Platforms – a form of massively parallel computing with the aim of enabling scalability in processing mass amounts of data. The underlying principle of MPP is a distribution of workload across many processors as well as storage and transportation of underlying data across a set of parallel storage units and streams. When dealing with high volumes and velocity of data, the end-to-end system architecture should eliminate all bottlenecks. All data analytical processes, starting with data ingestion, data storage, analytics, and its use, must meet the velocity and volume requirements of the enterprise.
Ideally any architecture designed for big data processing should meet the following design requirements (Arvind Sathi, 2012):
• The data integration process (process of merging datasets from multiple sources into meaningful information or datasets) should be fully scalable without concern for data volumes or time constraints.
• Leverages database partitioning schemes for optimal load performance. • Uses a single configuration file to add processors and hardware.
• Requires no hand-coding of programs to enable more processors to be added to the network.
• Supports MPP platforms and other forms of big data processing configurations. Software required for Big Data
The software required for processing big data can be clustered into two main groups: integration engines and user applications, represented in figure 4 as the integration engine and user application layers, respectively.
Integration engines are designed for performing ‘data integration’, defined by Maurizio & Lenzerini (2002) as the process of combining data residing in different sources and providing users with a unified view of this data. In the case of big data this involves combining massive amounts of data from highly varied sources (including both structured and unstructured data) into manageable clustered data. Apache Hadoop, for example, splits input data (from varied sources) into large blocks and distributes them amongst multiple physical storage components (nodes) in a cluster. To process this data, Hadoop’s MapReduce functionality transfers processing requests (packaged code) for nodes to process in parallel, based on the data each node contains. By utilizing the processing power of multiple nodes simultaneously, massive amounts of data can be processed in parallel; this is the core requirement of a big data integration engine. The input to an integration engine is unstructured data from varied sources, the output of an integration engine is a filtered, sorted (mapped) and summarized (reduced) data set, ready for use in big data analytics.
User applications are any software applications designed to transform or model big data with the goal of discovering useful information. There are currently thousands of user applications capable of transforming and modeling various forms of big data available on the market. User applications are generally designed for analytics with a specific user-group in mind across all three lines of defense; the output of user applications are actionable business insights (reference the ‘business insight’ layer in figure 4).
2.2
W
HAT IS THE
O
RGANIZATIONAL
R
ISK
L
ANDSCAPE
?
A risk is defined as the possibility that an event will occur, which will negatively impact an organization's achievement of objectives (The Professional Practices Framework 2004). Key defining characteristics of a risk are: a) a risk must be an event in the future, b) its occurrence must be uncertain (i.e. the probability of occurrence must be less than p=1), and c) the occurrence of the event must have a negative impact on the attainment of organizational objectives.
The IIA recognizes four categories of risks which are linked to business objectives:
• Strategic Risks – high-level risks threatening accomplishment of the organization’s mission. • Operational Risks – ineffective or inefficient use of organizational resources.
• Reporting Risks – risk of misstatements in (financial) reporting.
A risk can either be the realization of a threat or the non-realization of an opportunity. The risk landscape (synonymous with risk universe, risk register or risk map) of an organization is defined here as the entire population of risks, and the interdependencies between risks, that negatively impact the organization in accomplishing its objectives. The risk landscape is visualized in figure 5.
Figure 5: Risk Landscape Model
The risk landscape is shaped by threats and opportunities occurring in the business environment. The business environment consists of the macro, micro and internal environment (Osterwalder, Pigneur, 2010). The macro environment in figure 5 is based on one of the most commonly used models for mapping the business environment, the PESTLE Model (Collins, 2010), an extension of the classical PEST model. The micro environment layer is based on an adaptation of Porter’s five forces model (Porter, 1979). Finally, the internal business environment is based on the McKinsey 7S model, commonly used as an organizational analysis tool to assess and monitor changes in the internal environment of an organization (Waterman et al., 1980). The scope of this research is exclusively the impact of big data on the micro and internal environments of the risk landscape. This is because the mandate of both 2nd and 3rd line functions, the target audience of this research, rarely extends beyond the borders of the enterprise and its immediate environment. The focus is on the impact of big data on the organization, not on society at large. For this reason, the impact on the macro environmental factors is excluded from focus.
2.3
T
HE
I
NTERNAL
A
UDIT
O
PERATING
M
ODEL
In order to structure the findings of research question 2 – The implications of big data adoption for
internal audit – we used an operating model for the internal audit as a theoretical base (see figure
6). The model is based on a combination of EY’s standard internal audit analytics framework and Groenewold’s (2014) internal audit methodology.
Figure 6: Internal Audit Operating Model
The model shows the structural activities and processes required for an internal audit department to effectively fulfil its mandate. The model contains firstly, the strategy and governance of the IA department, secondly the core delivery methodology – this is the core value stream of the internal audit function – thirdly, the core support processes which are required for the primary value stream to operate, and finally the measuring of impact. Given that the intended audience of this research is internal audit professionals, no further detail will be provided into the standard internal audit operating model.
2.4
T
HEORETICAL
R
ESEARCH
M
ODEL
In summary of the literature review, the above models for big data; the risk landscape and internal audit can be plotted into one unified theoretical model showing the relationship between existing theory and the research questions, see figure 7 below.
Figure 7: Theoretical research model.
Figure 7 provides a bridge between theory and practice for this research. In this model, research question 1 is represented as the impact of big data on the risk landscape and research question 2 is represented as the implications of big data adoption for the internal audit department.
This research model is used to structure the research and resulting findings as presented in chapters 3 and 4.
In this chapter the findings related to research question 1 (RQ1) are presented. RQ2 relates to the impact of big data of the organizational risk landscape. Firstly, a literature review is performed in which existing theoretical findings relating to the research question are presented. Secondly, the findings from the in-depth interviews are presented. Finally, the end result of the theory and interviews is summarized in the form of a risk register used as input for the risk validation sessions.
3.1
T
HEORETICAL FINDINGS ON THE RISKS OF ADOPTING BIG DATA
Current academic literature on the relationship between big data and the organization risk landscape is limited. However, using inductive reasoning we can use existing literature on the impact of big data on the organizational environment to infer the impact this will have on the risk landscape. The resulting risk exposures are described below and categorized by the risk areas defined in the risk landscape model. The individual risks identified are listed under each section.
3.1.1 Impact of big data adoption on regulators
The rise in the use – and more notably the abuse – of big data for personal gain is leading to increasing regulatory pressure for firms to manage their data securely, privately, and with discretion. To name just a few of the regulations that have arisen or been adapted to deal with the rise of big data: Dodd-Frank, Basel III, FATCA, and Solvency II (Patterson, 2013).
3.1.2 Impact of big data adoption on governance & organizational structure
Big data adoption has been found to positively impact overall business performance. On behalf of the MIT business center, McAfee & Brynjolfsson (2012) conducted structured interviews with 330 public companies regarding their organizational and technology management practices. The primary finding from this study is: the more data-driven the company was, the better the financial & operational performance. They found that the top third most data-driven companies (in terms of management decision making) were on average 5% more productive and 6% more profitable than their competitors (McAfee, Brynjolfsson, 2012).
As the above research highlights, the adoption of big data empowers management and shareholders alike by providing real-time feedback about the impact of executive decision-making and improved predictions about future business performance. Because of this, the classical information asymmetry between executives and business owners is shrinking. The long-term impact of greater information symmetry is yet unknown, but it has the potential for structural shifts in governance models and organizational structure (Toub, 2012).
3.1.3 Impact of big data adoption on strategy & executive management
Big data applications for management are designed to provide a range of real-time management information including dashboards and News Briefs providing critical intelligence for senior executives to support strategic making. The relationship between data-driven decision-making and performance has been found to be robust even when adjusting for variances in labor, capital, purchase services, and other forms of IT investment (McAfee, Brynjolfsson, 2012). At the heart of the added value of big data is its ability to provide insights that improve the quality of management decision-making. This is an opportunity that management cannot afford to miss. According to an IBM survey of 1144 business and IT professionals, executives are primarily using big data to aid management decision-making in the following ways (Turner et al, 2013): 91% - Queries & Reporting; 77% - Data Mining; 71% - Data Visualization; 67% - Predictive Modelling; 65% - Decision Optimization.
3.1.4 Impact of big data adoption on information technology & infrastructure
As discussed above the adoption of big data requires unique hardware and software components. The implementation of new system architecture comes with its own set of organization risks. As outlined by COBIT and ITIL (IT service delivery models) the following risk areas are inherent to the adoption of a new system architecture: strategic alignment; information integrity; planning & organizational risks; acquisition & implementation risks; delivery & support risks; monitoring risks; supplier service level performance; architecture availability; system availability; system configuration; knowledge leakage; user adoption; system functional operation (Katsikas, et al., 1996; Esteves, Alves, 2013).
Traditionally, monitoring of infrastructure and network usage has been a costly process involving primarily manual data collection. Infrastructure and networks may include road and rail networks, power and utilities infrastructure, telecommunication networks and even internal system architecture. Big data has opened a myriad of new ways for networks and infrastructure to self-report on usage and for companies to collect data about usage and issues arising on the network. Public transport companies, for example, can now adapt their schedules in real time based on congestion or network issues. Infrastructure investment decisions can be made based on more accurate data. Network users themselves can use apps to self-report issues on networks including telecom coverage and road disruptions. This information can be passed directly to the network operators that can potentially respond to these issues in real time. Another important application in this field is public safety: police forces from the New York Police Department to the Nederlandse Politie are using big data for crime prevention. This change in network and infrastructure usage provides opportunities for organizations but also threats to their status quo and to the security of their operations (Arvind Sathi,2012).
3.1.5 Impact of big data adoption on resources & assets
As more complex data and information are used to support marketing campaigns, in-depth business intelligence capabilities and reporting processes, for enhanced operational and financial risk management and monitoring, decision making will more often become the product of many data manipulations, aggregations, complex modeling algorithms, and the calculations of multiple data elements. As these data elements become more uniquely manipulated in complex algorithmic processes it will become more difficult for management and auditors alike to quickly disaggregate the information back into original source data formats. The increased use of big data compromises the integrity of the data itself. This demands greater levels of data protection controls to secure information assets (Patterson, 2013).
Currently, financial reporting standards tend to prohibit the registration of information as an asset on the balance sheet except for during mergers and acquisitions in which information capture may play a key role. When information assets are omitted from the balance sheet they are often treated as having zero value. This has resulted in organizations lacking the tools and techniques to accurately or completely value their information assets and to track changes in their value over time. With the adoption of big data, the value of information assets rises and with it the importance of information availability and security increases, the business becomes more reliant on information systems for decision making, and operational activities (Tallon, 2013).
Figure 8: The information life-cycle curve
Figure 9: Big Data Cost Simulation
Typically, the value of a unit of data or information rises and falls over its useful life. The typical value of an information asset over time is displayed in figure 8. Management will need to continually assess whether to retain data they assess to be valuable in the future, balancing the opportunity cost of not keeping the data against its retention costs. When the opportunity cost falls below the expected costs of retention, it might signal the need to begin removing or destroying data or to consider less expensive long-term storage technology.
On the other side of the equation, the cost of information storage, protection and provision becomes more significant with big data adoption. Research by Tallon (2013) suggests a typical 125% increase in big data costs over five years (reference figure 9).
Without a clear understanding of the value and cost of information within the organization, companies cannot efficiently manage their data storage and processing activities. Undervalued data is at risk of loss or corruption and overvalued information will cost the organization storage and data security premiums unnecessarily (Tallon, 2013).
3.1.6 Impact of big data adoption on business processes & procedures
Impact on fraud detection:
According to a recently published study by the Professional Services company KPMG, one of the major issues which both commercial and law enforcement organizations face when combating fraud is the sheer amount of data generated by everyday business operations. This can make it easy for fraudsters to hide activity from traditional fraud investigation techniques. By using big data analytics technology to combat fraud businesses can identify fraud risk earlier and easily uncover trends and patterns in large amounts of data, both structured and unstructured, and thus not only solve investigations but also prevent crime (Hipgrave, 2013).
Impact on customer services:
The adoption of big data enables the automated search and display of consumer feedback expressed publicly on social media and internally via customer complaint/feedback channels. KLM, for example, commits to responding to every Facebook and Twitter message in which it is tagged within a matter of minutes (reference figure 10). As well as direct customer contact, as in the example of KLM, big data can provide higher level social barometer dashboards in which customer feedback is typically summarized in the form of “positive” or “negative” sentiment. Adopting big data into the customer services realm allows marketers to have real-time feedback on the customer experience. Gatorade (a sports drink product), for example, has used big data to set up a social media command center including features such as:
• Social listening framework and protocols. • Social listening software.
• Data Integration software (“Mashup”). • Data Visualizations and dashboards.
From the command center the organization is able to tailor a customized and timely response to any issues arising (Arvind Sathi, 2012).
Impact on strategic marketing:
Big data has provided companies with several opportunities to use sensors to collect data on customer-facing processes such as points of sale and click streams in the use of a website. Sensor data also gives companies an opportunity to establish behavioral patterns using analytics. Traditionally, customer segmentations are demographic in nature and use hard customer related data such as location, age, and gender to establish market segmentations. Using big data, marketers can define micro-segments and specific niche markets based on analytics-driven parameters. For example, marketers can now differentiate innovators and early adopters from late adopters in their willingness to purchase new electronic gadgets (Arvind Sathi, 2012).
Big data further enables the concept of one-to-one marketing based on the ‘share of customer’ principle as opposed to ‘market share’. The goal of the one-to-one marketer is to sell to one customer at a time as many products as possible over the lifetime of that customer’s patronage. One-to-one marketers develop a customer and try to find products for that customer. In B2B environments this is more common. With the rise of big data this is now possible in B2C markets as well (Rogers & Peppers, 1996).
Big data also enables the marketing concept of Next Best Action (NBA), which recommends an activity to marketers based on the customer’s latest experience with the product or service. An NBA could include an up-sell or cross-sell opportunity based on current product ownership, usage level, and behavioral profile. An NBA could be offered any time the sales organization has the opportunity to connect with the customer via a touch point. NBA is far more effective in sales conversion compared with standard rules that repeatedly offer the same product across a customer interaction channel. An example of big data enabled NBA is amazon.com, an online retailer, who will recommend purchases to customers based on prior purchasing behavior (Arvind Sathi, 2012). Impact on sales processes:
Sales teams can utilize real-time buyer behavior to tailor sales offers and deals to a defined set of buyers at the right place, right time, and for the right price.
Figure 10: KLM’s expected social media response time.
Impact on asset management:
Enable Asset Managers to track key assets – brands, products, markets, supply chain – for an array of operational and strategic risks. Results can be displayed in a live, interactive dashboard that reflects the digital risk footprint of their business.
Impact on finance:
Can be used, for example, to reduce financial risks by acquiring real-time
visibility into transactions and complying with current and future regulations; it can be used to improve working capital by providing real-time information on outgoing and incoming cash transactions; planning, budgeting and forecasting using data; providing financial analytics and dashboards; aligning and controlling financial and accounting data; financial planning and analysis; portfolio risk.
Impact on procurement:
Procurement departments can use big data applications to access real-time information about suppliers and their existing supplier usage to obtain better prices, better quality products, with better payment terms and to tailor their purchasing strategy to better meet the organization’s procurement requirements.
Impact on business controlling:
Enables controllers to rapidly create data visualizations and dashboards through simple mouse clicks. This enables detailed data visualizations to discover patterns and trends in business data. These applications provide business insights, for example through the use of regression models for predicting profit and expenses, or classification models to identify fraud.
Impact on risk management:
Risk management may use big data for text-analytics and search engine functionality to review mass amounts of publicly available unstructured data in multiple languages, and in real time to provide precise risk identification via clear visualizations and dashboards that enable smarter operational risk management practices.
3.2
I
NTERVIEW FINDINGS ON THE RISKS OF ADOPTING BIG DATA
In this section the findings from the in-depth interviews relating to research question 1 are presented. The findings are categorized around the components in the risk landscape model. All of the below information is based on the direct experience of the interviewees and has been re-written to remove company specific terminology and industry jargon.
3.2.1 Impact of big data adoption on customers
In cases where big data adoption involves the use of personal data of (potential) consumers, partners, or even suppliers, the organization exposes itself to the risk of reputation damage through the perceived misuse of personal information. Even in cases where personal data is used lawfully there is the risk of consumer backlash if the organization fails to communicate its commitment to data privacy. Furthermore, the use of personal data increases the organization’s exposure to data breaches and information theft, again resulting in potential reputation damage and negative consumer sentiment.
3.2.2 Impact of big data adoption on suppliers
Outsourcing big data production activities to third party providers creates challenges around the safeguarding of information assets. Through outsourcing, the organization no longer has control over a valuable asset: its own data and information. The challenge is to put sufficient service-level
agreements in place and to monitor third party control performance around data management and information security.
3.2.3 Impact of big data adoption on governance & organizational structure
To keep up with the increased use of personal data and increase in value of information assets, the organization must acquire personnel with the knowledge and expertise in the field of data privacy and information security. This may call for the introduction of a data privacy officer and information security officer responsible for advising all functions involved with the collection or processing of sensitive and valuable information.
The introduction of big data changes the flow of information from operations to management. Big data insights can often be generated in real time and are typically visualized more meaningfully than traditional forms of reporting. Big data has increased the use of Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) are a replacement of traditional control activities. Providing management with a real-time dashboard of operational effectiveness shortens reporting lines. This allows a single manager to oversee a larger area of the business and handle more direct reports than ever before.
Impact on internal control frameworks
The increase in use of KRIs and KPIs may replace the use of traditional manual controls with automated indicators. This provides the opportunity for continuous controls monitoring, but also brings with it increased complexity in the control environment. Control activities in the 1st line of defense will increase in complexity and automation. This provides a challenge for the 2nd line of defense, who must adapt their practices around risk assessment, control design, and management of IT general controls (ITGCs). The 3rd line of defense (internal audit) will also need to adapt its practices and methodology to cope with these changes in the control environment and to ensure that KRIs and KPIs are designed and operating effectively. The implications for internal audit are described in detail in research question 2 (chapter 4).
3.2.4 Impact on of big data adoption strategy & executive management
Impact on big data strategy development:
Before adopting big data technologies, management should play an active role in the development of a big data strategy and guidelines for implementation, production, and consumption of big data insights. The following areas require management input:
• Decision-making with regards to the implementation and also future upgrades to big data capabilities should be based on accurate information on current regulations, costs analysis, and information asset valuation estimates. Management must ensure it has sufficient knowledge and expertise involved in the big data decision-making process.
• Guidance for Enterprise Architecture regarding future scale-up and continuous improvement plans for the system.
• Clear roles and responsibilities around the defining, producing and consumption of big data analytics. Lack of communication between these activities can lead to the production of analytics that are not fit for purpose.
• Requirements for segregation of duties between testing environments and production environments as well between functions managing the big data production activities and the big data insights user base.
Impact on management style & decision making:
to logistics, to sales, to marketing spend, to strategic initiative, to system usage and availability. This development means that traditional management styles involving experience and intuition are no longer feasible. As big data is adopted, fact-based data-driven decision-making will take over old-school management styles, thus changing the process of management decision-making itself. Impact on monitoring & performance assessment:
Through big data, KRIs and KPIs will play a bigger role compared with classical automated and manual controls. Currently, the internal control framework is primarily designed for risk mitigation and operational excellence. As more controls become automated and continuous controls monitoring becomes the norm, the whole internal control framework becomes a key governance system for management decision-making. Management can use KRIs and KPIs as key levers of management control, and they can be used to support management decision-making.
For example, using big data technologies, customer satisfaction metrics are linked with operational data to generate meaningful insights on how to improve customer satisfaction, and allows the customer insights team to continuously monitor customer satisfaction. Drops in customer satisfaction will indicate to management an immediate operational failure.
3.2.5 Impact of big data adoption on information technology & infrastructure
The implementation of new IT infrastructure brings a myriad of challenges with it. The most significant relating to big data technologies include the following:
• Adoption of big data leads to increased vulnerability to server damage, power outages, force majeure, backup and recovery failures. This calls for increased measures to safeguard data security and system stability.
• Increased data inputs and complexity of the IT architecture increases the potential for hacks and data theft. IT security must handle up to 10,000 hack attempts per day. This demands increased attention for controls on the outer perimeter.
• To ensure data privacy, segregation of duties between those with access to the source systems and those that use the outputs of big data analytics must exist. To depersonalize data before use, for example, companies are required to aggregate and sanitized before it is accessible to the operating units of the company.
Impact on enterprise architecture
The enterprise architecture department is typically responsible for hardware management and information resource management based on DAMA principles (the equivalent of COBIT for information resources). Enterprise architecture practices are centered on treating data and information as a key enterprise resource.
Upon adoption of big data, enterprise architecture must ensure alignment between the big data implementation and the overarching business objectives to ensure the system is fit for purpose. This involves assessing the following elements:
• The nature of the data variety, veracity, volume, and velocity to ensure the big data system can handle current and future data characteristics.
• The intended uses of big data analytics and requirements from the user base.
• The current nature of the IT landscape, for example the degree of system fragmentation or other elements impacting the effectiveness of big data technologies.
For example, one of the key requirements for the big data user base is that data is traceable to its source as a safeguard to data veracity. Enterprise architecture must design the system to meet this requirement.
Additionally, enterprise architecture should ensure the organization has the ability to scale up and apply continuous improvement to the big data systems. This involves ensuring sufficient access to coding and to version updates for critical end-user computing applications.
3.2.6 Impact of big data adoption on skills & staff
To effectively manage big data and obtain value from its analytical outputs the organization must acquire and develop new skills and expertise. Human resources (HR) must firstly acquire sufficient personnel with analytical capabilities that can use the outputs of big data. Secondly HR should deploy sufficient training programs around the production and use of big data to ensure that production teams and the user base are making effective use of analytics.
The acquisition and development of analytical skills is also critical for the organization to identify and resolve hardware and software issues or errors that may arise. This is particularly relevant for the IT department: through resource planning IT must ensure they have sufficient capacity to handle bugs, errors, issues and to uphold monitoring activities.
2nd and 3rd line of defense functions must also acquire or develop the skills to adapt to a changing control environment. This will involve at a minimum skills in the following areas: information security; data privacy; data analytics; and lean-six sigma or equivalent.
3.2.7 Impact of big data adoption on resources & assets
The use of big data increases the value of information as a critical asset. The largest areas of impact this has on the risk landscape are as follows:
• Outsourcing of big data production activities requires the sharing of assets with third parties, which also means the storage and controls required to protect those assets exist outside the organizations control framework.
• Big data involves the integration of information assets from a large number of sources. One organization, for example, combines up to 500 variables in a single data warehouse. In doing so the value of information assets becomes greater the sum of information assets prior to implementation.
• Adoption of big data commonly involves obtaining and ultimately relying on external sources of information. In one example, up to 10% of information used for management decision-making is from external sources. This reliance makes the organization operationally and managerially dependent on suppliers of external information.
3.2.8 Impact of big data adoption on business processes and procedures
Impact on data privacy and information security:
Adopting big data creates unique challenges that data privacy and information security practices must overcome, including the following:
• Increased complexity of the IT landscape results in greater risk of malware, fraud, cyber-attacks, data leakage, and data loss.
• Increased value of information assets results in greater risk of data theft.
• Increased operational and managerial reliance on information and analytical capabilities. • Increased complexity of the internal control framework and operational processes creates
Impact on IT support:
In response to adopting big data the IT department must adapt and update its policies, procedures and auxiliary systems that can detect and resolve big data related issues. IT must implement sufficient monitoring activities around usage and issues in the big data system to ensure timely resolution of bugs and errors in order to prevent downtime and safeguard information availability for the user base.
Impact on the legal team:
As big data technologies continue to develop, so too do changes in international and domestic regulation relating to big data, primarily around data privacy. The legal team needs to put sufficient monitoring processes in place to detect changes in regulation with implications for the organization’s current big data practices. This also requires that the legal teams have sufficient knowledge of big data practices and information security protocols to accurately and timely interpret the implications of changes to legislations in this area.
Impact on marketing:
The marketing department is often one of the primary users of big data technologies. It can be used to define customer segments and to tailor product placement, pricing and communication strategies for these segments.
Marketing is also a key provider of management reports and knowledge regarding shifts in customer behavior and sales figures. Big data allows marketing to deliver improved return on investment (ROI) from advertising campaigns and to track return on investment on advertising. Another use is to track customer satisfaction and to deliver reports on customer satisfaction to management. In one case, big data has enabled marketing to track ROI on marketing spending with 80% accuracy. Impact on business intelligence & external reporting functions:
The aim of Business Intelligence (BI) is to provide meaningful insights to the right people are the right time. BI also often has legal obligations to generate reports for external regulators such as solvency reports or prediction models for De Nederlandse Bank (DNB). Big data is a key enabler for the BI function, but also a source of risk. The challenge for BI is to ensure its reports remain reliable, accurate and provided timely to the user base.
Changes in the IT landscape have far reaching implications for the working of end-user-computing applications and documents. Both the data inputs and the computations themselves can become compromised in a new data environment. It can be time-consuming for BI to identify the full chain of domino effects these have on end-user-computing and the corresponding reliability of management reports. Changes in the IT landscape also make reporting functions more vulnerable to errors in version management and access control, which again may leads to errors in reporting.
Impact on customer services:
Big data is also changing the way customer services (CS) operates. The opportunity for CS is to use big data for gathering insights into their customers and eventually delivering better service levels. Customer service centers can, for example, use big data to scan multiple media platforms to detect potential risk events, reputation damage and large catastrophes; this allows them to perform damage control in a timely manner.
