For the past 20 years, digital technologies have dramatically reshaped the way organisations engage internally and externally with their stakeholders, creating a completely new digital eco-system in need of its own governance and dedicated management. Many indicators show that the growth in the use of digital media for sales and communication is set to accelerate in the next five years, evidenced by the forecast 45% increase in the speed of global interconnection bandwidth from 2019 to 2023.
The global pandemic has demonstrated how effective digital strategy and platforms can provide both strong business development and business continuity, but also how reliant organisations have become on a safe and efficient digital infrastructure. A key part of the robustness of this infrastructure is how well it is governed.
An organisation’s digital presence provides an overlay that intersects all the traditional functions and activities of the entity: marketing, sales, finance, HR, operations, business strategy, information technology, etc. As a result, digital activities should be thought of as a centralised domain of expertise, rather than an add-on to existing functions. Larger organisations might be able to create a dedicated Chief Digital Officer (CDO) position to coordinate all digital activities, while smaller organisations might have to rely on coordination through the existing management structure. Whatever the chosen organisational structure to manage digital efforts, having a digital governance framework will establish clear decision-making responsibility and accountability for digital content management. Digital governance covers how the core data of the organisation is structured and managed, as well as the channels of communication and sharing of this data via external websites, social media, intranet, etc. The governance framework is typically implemented through digital policies, data standards, and data classification rules. A governance framework will typically be more effective if it is built on a strong digital culture, i.e. the knowledge, beliefs, perceptions, attitudes, assumptions, norms and values of the organisation’s stakeholders and how they manifest in people’s behaviour with the underlying information technologies.
In the pre-digital era, corporate strategy typically came first, and the technology infrastructure was designed to support it. IT was complementary to the business but mostly a separate domain of expertise. In a world dominated by digital, the business strategy needs to be deeply integrated from the start with data and technology capabilities. Organisations that lack a robust digital foundation will struggle with the accelerating changes in our digital age.
In this context, digital governance serves two main purposes. First, it ensures that companies are performing digital activities in an ethical manner and abide by all laws and regulations (such as data privacy). Second, it enables an organisation to optimise business development and business resiliency through digital channels.
Inadequate digital governance puts organisations at risk through missed business opportunities (inability to reach customers, weak message), direct operational losses (cyber-attacks) and potential long-term reputational impact (defamation, intellectual property, inappropriate language, etc.). These vulnerabilities can be amplified by the internal fragmentation of the different elements of the digital footprint and the lack of internal communication between corporate functions or between parts of the organisation.
For example:
In most organisations (except the smallest ones or those with an extremely limited business model) no single individual or even single function has the knowledge or perspective to dictate or control the full digital eco-system of that organisation. The complexity and scale of any organisation’s digital eco-system will continue to increase. A robust governance framework must reflect this complexity and consider not only the existing state but the emerging properties of new technologies and ways of exchanging data. For example, the policies for use of digital media should be updated more often than most other policies and clearly identify not only who is accountable, but also who should be consulted and provide input in the decision-making process.
As an example, the design and maintenance of an organisation’s websites is a clear illustration of the necessary sharing of responsibilities to ensure an efficient, secure, and effective presence online as shown on the diagram below:
Internal audit has a major role to play in raising awareness and providing insights on the dimensions of digital culture and management across the organisation. Given the fragmentation of digital controls, internal audit can provide assurance that the governance is holistic and appropriate for a modern digital eco-system.
For most organisations, the digital governance framework will have been initially developed by trial and error without an overall plan. As a result, it will show areas of strengths and areas of weaknesses. For example, the digital vision and strategy might be clear and well understood but the supporting team structure and data standards might be lacking.
Internal audit can assess how well the organisation is doing by performing audits of the various elements of the digital framework. But the greatest value will be obtained by performing a digital governance maturity assessment that cuts across all the relevant dimensions of the framework: customer experience, business development, data management, inventory and classification, marketing, branding and use of social media, legal function involvement, cyber-security posture, technological advancement (including the use of machine learning and artificial intelligence).
The table below illustrates at a high-level the type of maturity classification that can be used as a starting point:
Maturity level | Key characteristics
Level 5: Innovative |
Level 4: Sustained |
Level 3: Standardised |
Level 2: Managed |
Level 1: Initial |
Depending on the maturity of an organisation, internal audit might undertake different roles such as advisory, assurance and/or compliance activities. If the organisation has reached a sufficient level of maturity in its digital governance framework, internal audit can best contribute actively to its improvement by performing an annual digital governance audit engagement until maturity is at a level appropriate to the organisation’s risk appetite and needs. In addition, research on best practices across other sectors of activity, or benchmarking against similar organisations, can very often elevate our discussions with management and the board.
In the next section, we focus on the key risks and controls that could be included in such an audit review or inform advisory engagements and generally build internal audit knowledge.
The following table highlights some of the key risks resulting from inadequate digital governance.
Business and operational risk |
Cyber risks |
Reputational, legal, and regulatory risk |
By mapping these digital risks to their own organisation’s environment, internal auditors can design a testing programme of the key elements for a robust digital governance framework. These elements cover the whole structure starting with the high-level tone from the top to the policies for the management of information shared on social media and data protection. A robust digital management culture and the right governance arrangements are the keystones for operational excellence in the 21st century.
The table below illustrates the types of questions that internal auditors can ask to assess the status of the organisation’s digital governance:
Key areas | Questions for internal audit
Board and executive management oversight | Does the board (including sub-committees such as the audit/risk committee) have access to the required technical expertise (either directly through board members or externally through advisers and training) to understand and challenge the digital governance framework given the rapidly changing business environment? Does the board understand the key risks to the digital eco-system of the organisation (technological and other)? Are the risks to the digital eco-system part of an integrated risk management approach rather than a risk-by-risk analysis? Has the board reviewed/approved the set of digital governance policies? Is the board presented with regular updates on the key projects in the improvement of the digital governance framework, particularly regarding compliance with regulatory obligations? Is the board using the organisation’s data classification for its own communication? Does the board actively support the strong messages of awareness and individual responsibility of all stakeholders regarding the protection of the organisation’s data? Has executive management (IT and non-IT) agreed on a clear digital governance framework and on appropriate policies?
Executive/Senior Management | Are non-technical executives involved in cyber and digital strategy discussions? Is the digital governance framework aligned with the enterprise risk management framework? Does executive management actively promote awareness of the organisation’s data classification scheme by tagging its own communication? Is there a senior enough executive in charge of digital governance across the organisation (ideally separate from the CISO responsibility; it does not require an IT specialism)? Has senior management put in place appropriate incentives (or disincentives) to support the behaviours implied by a strong digital governance culture? Has senior management endorsed clear and practical policies on the implementation of new digital tools and the use and protection of data, in particular: data theft/loss, code of conduct, use of personal devices and use of social media? Is senior management promoting regular training and testing of the digital governance framework (social engineering or phishing tests)? Is executive management included in cyber-testing (in particular internal phishing exercises)? Does management systematically share the lessons learned from data breaches with all employees? Does the risk function track external best practices in data management behaviours and promote them across the organisation? Does management encourage a “speak up” mentality to report data loss incidents internally? Is internal audit involved in data strategy discussions and project updates?
IT function | Is the IT function focused on delivering the tools to influence behaviours for secure management of data (sandboxes for email attachments, automated reminders for external emails, anti-virus, reporting of suspicious emails, password changes, regular back-ups…)? Does the IT function have clearly defined responsibilities over digital governance, inventory management, and data classification processes? Does the IT function consider all the regulatory and legal requirements and restrictions on data before moving applications to the cloud? Does the IT function collaborate with the business to allocate the right resources to the development and maintenance of the digital eco-system? Does the IT function consider all the dimensions of deploying machine learning and artificial intelligence applications (legal, technical, business...)?
Organisation stakeholders (employees, contractors, suppliers) | Are all stakeholders regularly trained and tested on data management and protection? Are the risks of digital (including data protection awareness) included in the induction programme for new joiners at all levels?
Internal audit can have a proactive and enabling role in the assessment of the digital governance framework and its promotion across the organisation. However, this can only be achieved if internal audit has established working relationships with key stakeholders and decision makers who are shaping the digital eco-system of the organisation. Internal auditors must also demonstrate sufficient knowledge of the dynamic interactions between all the key building blocks of the digital eco-system of the organisation: technology, legal and regulatory, marketing and branding, culture, and business strategy. Developing a systematic approach and thorough analysis, based on the key questions in the table above, could be the first step to a value-added, insightful integrated digital governance maturity audit assurance engagement.