NACD - National Association of Corporate Directors
Director Advisory

Confronting Data and Analytics in the Boardroom

by Jose R. Rodriguez

As the size and variety of data sets that companies collect proliferate, board oversight of the risks and opportunities associated with the company’s use of that data becomes more critical—and more challenging. Beyond the technical hurdles posed by this explosive growth in data—how it is collected, analyzed, stored, and secured—boards need to understand the company’s data strategy to help ensure that the company is getting the appropriate insights while taking the necessary precautions to protect itself, its employees, customers, and others.

Audit committees—given their focus on compliance and often data privacy—can be a catalyst for bringing the data and analytics (D&A) conversation into the boardroom to help ensure that the company has appropriate controls and processes, organizational structure, and talent in place. Indeed, understanding the fundamental elements of the company’s approach to D&A is essential to addressing the opportunities and risks associated with rapidly advancing data-driven technologies, from artificial intelligence and cognitive computing to the Internet of Things and robotics.

Here are key questions that the audit committee and the full board should ask.

■ What data is collected, how is it processed, how is it used for business purposes, how do risks escalate when it is used, and what controls are in place?

■ What are the goals of the company’s data strategy? How can the use of D&A help drive the operations and strategy?

■ Do we have a data ethics policy to protect the brand’s reputation and reduce legal risks?

■ How are the quality and integrity of the data assessed?

■ How do we ensure proper data security and protection? What other risks does D&A pose?

■ Do our data retention policies comply with the European Union’s General Data Protection Regulation (GDPR)?

■ Does the company’s use of customer data align with customer understanding and privacy expectations?

■ Who in management is accountable for decisions about data and the use of advanced analytics and the associated risks?

The accelerating use of digital technologies such as artificial intelligence, mobile devices, and cloud computing is impacting internal auditors, helping to improve performance—e.g., supporting deeper analysis of procurement decisions—while also creating demands for new and improved internal controls and risk management.

Likewise, for external auditors, D&A is enabling the evaluation of larger volumes of data and more granular analysis, which can help pinpoint anomalies and exceptions, and help auditors better understand where the risks lie within an organization.

Audit committees should understand how the finance function, internal audit, operations, controllership, external auditor, and others are using D&A today—and how they expect to do so in the next one, three, and five years. Key questions to consider include:

■ How will management govern and manage this transformation in terms of cost, quality, talent, and controls?

■ What resources and technologies does the external auditor have available? During our recent Audit Committee Institute Quarterly Webcast, 45 percent of directors and C-level executives surveyed cited auditor skills and resources as the greatest challenge to integrating data and analytics into the audit (see chart at left).

■ How can the company’s information technology organization work with the external auditor to streamline the data capture process? And how can the company give external auditors access to its data while still maintaining data security?

Recent headlines demonstrate that as corporate use of data and analytics grows exponentially, scrutiny of companies’ oversight practices will intensify—as evidenced by the GDPR. The advancement of D&A offers both opportunities and challenges—and, of course, the potential for a data breach. Audit committees can help the board consider whether the company has the appropriate systems, skills, controls, and processes in place to manage the changes needed to implement its D&A strategy.