This blog is part of our ongoing SOC Insight series. Each piece focuses on a different area of SOC reporting and aims to answer the questions that are important to your business. Read more to learn why SOC reporting is about much more than checking a compliance box.
Most companies have data platforms that support business intelligence and reporting. Many large companies are looking to rationalize disparate systems to create central data platforms that contain a single source of truth. For that truth to be considered reliable, companies need controls that cover not only the movement of data between systems but also the continuous monitoring necessary to secure the ongoing quality (completeness, accuracy, validity and consistency) of the underlying data.
For large organizations, or at least those with many systems, demonstrating that their data is trustworthy can be an onerous task. Data lineage—that is, tracing a data element from its source system to target systems—continues to be a challenge. As clients provide their customers direct access to data and the ability to create reports, assurance over data management controls becomes critical.
Heightened regulatory demands are also behind the need for, and increased cost of, validating data. But other affected stakeholders—such as customers, business partners and end users—are increasing their demands around the completeness and accuracy of financial and regulatory reports, which has further increased costs to companies as they work to validate data on an ongoing basis. Furthermore, regulations such as BCBS 239 and the General Data Protection Regulation (GDPR) are shining a spotlight on data management weaknesses within organizations. The ramifications of non-compliance can be sizable if fines and matters requiring attention (MRA) are imposed.
So why does all of this matter? A company’s ability to understand its customers, market opportunities and cost reduction opportunities is directly related to its ability to analyze data across the enterprise and make business decisions. Knowing what and where information is contained allows companies to reduce duplication and implement appropriate controls to protect that information from unauthorized use. Furthermore, being able to readily report on effective data management controls can be a differentiator among peers.
But where and how do you start? Any assessment of data quality should start with a health check or readiness assessment in preparation for attestation reporting on the controls. Companies can begin by reviewing the current data management framework to assess the adequacy of its documentation, data quality controls, data definitions and mapping to systems as well as the roles and responsibilities of its data owners, custodians and stewards. Performing an assessment of controls can help identify critical areas for remediation and support the development of a road map on which the organization should focus.
Attestation reporting can effectively provide independent assurance over data management controls to both customers and regulators while also providing management with assurance that the controls in place are designed and operating effectively.
There is also a financial incentive to obtain independent assurance over the effectiveness of a company’s controls. According to Gartner's October 2018 report on overcoming data quality challenges, nearly 60 percent of organizations do not measure the financial cost of poor-quality data. This is because many organizations do not have a formal data governance program in place and investment in data management tools is often temporary and not sustainable. In addition, the demands of testing controls under an attestation report can help identify specific control deficiencies that, when remediated, can help organizations reduce costs.
Having a single source of truth for data can also help companies meet other reporting requests such as those related to environmental, social and governance (ESG) reporting. Indeed, these kinds of reports consist of many different types of data, not all of which are currently well controlled. By having a good data management system and supporting data governance in place, organizations can feel confident that their ESG disclosures will meet investor expectations, giving investors the accurate information they need to make investment process decisions.
Companies need data management owners who understand their stakeholders’ needs, particularly the needs of third parties that require assurance over data controls. This will allow for good data governance as gaps in controls can be identified and remediated on an ongoing basis. As the race to derive data-driven insights accelerates, companies with good data hygiene will rapidly find themselves outdistancing their peers in all areas of growth.
All these steps are important; however, it’s not enough for companies to say they’ve completed these checks. Organizations that want to provide transparency into their data management controls and build trust with customers, regulators and other stakeholders can easily communicate the effectiveness of those controls through an attestation report.