In-Depth

Data Auditing's Role in Governance and Risk Management

Corporate governance, risk management, and compliance are challenges that will determine your company’s future. Here's how data auditing can help.

• By Murray S Mazer
• 09/13/2005

Corporate governance, risk management, and compliance are challenges that will determine your company’s future. How do you insure that the company is governed effectively, with strong controls that create accountability at all levels of the company? How do you identify and mitigate risks with serious consequences, whether fraud, loss of brand loyalty, or shareholder lawsuits? What compliance requirements must you meet?

Data is one of a company’s most valuable assets, so data integrity is at the heart of solutions to each of these challenges. Data auditing is a primary means for protecting corporate data assets against potential risk and loss. It provides an unimpeachable record of corporate data use, allowing enterprises to validate compliance and implement key practices to insure that the company operates at the very highest levels of ethics and compliance. Data auditing is key to identifying potential legal threats, because it provides a transparent view of the evolution of information upon which corporate financial reports and other corporate legal documents rely.

Data Auditing and Good Governance

Informed decision making in corporations depends on information integrity. For corporate leaders to make good decisions, information must be accurate and trusted. A company without a means to audit data access can base decisions on erroneous information, implement weak governance procedures, and experience business and legal problems.

How do independent audit solutions contribute to good governance? Governance is largely about controls, that is, the policies, procedures, and safeguards the organization uses to assure corporate objectives are being met and exceptional activity is quickly identified and managed. Critically, the organization must have strong controls around the use of its data. A data auditing solution can provide confidence that the organization’s internal corporate policies and processes are effective and help ensure that individuals and divisions within the enterprise are operating within the same set of corporate guidelines. With the independent controls that a data auditing solution offers, corporations have the necessary information to prove that their data is accurate and that only authorized changes have been made.

In addition, the automation of a comprehensive data auditing solution offers several benefits:

• It increases the degree of trust associated with the controls and their validation, since humans are taken further out of the process.
• The organization experiences operational efficiencies associated with having fewer people engaged with the gathering, analysis, and reporting of control information.
• The cost of an external audit can be lower because automated controls generally need less testing than do human controls.

Finally, information from audit records can be used to respond quickly and effectively to regulators and governance stakeholders. Without the benefit of an audit solution, it can be extremely difficult, or even impossible, to answer the questions posed by these interrogators.

Risk Management: The New Corporate Agenda

An effective risk management oversight program identifies and manages risks that potentially threaten a company, such as fraud, failed audits, lost customers, damage to brand and reputation, and increased capital costs. Executives now insist that their management team develops a risk profile for the company and review it frequently, increasingly involving internal auditors and the board of director's audit committee as an integral part of this effort.

Although many think that hackers or breached firewalls are the major threat to data integrity, access to corporate databases by unauthorized employees and errors made by internal users are consistently shown to be the biggest threat. To combat this internal threat, an enterprise data auditing solution provides a trusted audit trail that safeguards the back doors to corporate data by auditing direct database access by internal users, including privileged IT users. With ever more sensitive corporate data being captured and maintained electronically, data auditing is the only means to detect inappropriate changes in corporate information or learn of unauthorized access that could create legal problems.

For a sound risk-management process, organizations should use data auditing to:

• capture key types of data activity, including data modifications, database structure, and data views
• detect and analyze breaches in user and application behavior, intentional or accidental
• offer alerting of key database events and rapidly respond to violations and vulnerabilities
• perform forensic analysis for detecting fraud, outsider intrusion, and employee misbehavior
• comply with government regulations regarding the security and privacy of data

200X: The Years of Compliance

Today’s regulations place strict requirements on enterprises to audit access to corporate information and produce reports detailing who has changed (or even seen) that information. Data auditing is the core of any compliance solution because the collected activity information enables the organization to have a complete record of access to those databases, letting them produce reports that are necessary to ensure compliance with regulations or satisfy their own internal audit needs.

Because an effective data auditing solution provides such a granular level of detail on data access, enterprises can be confident they have collected the information necessary to meet compliance requirements and provide an evidentiary trail when needed.

Approaches to Data Auditing

A complete data auditing solution must do more than just gather information on events that occur at the database. It must be able to consolidate the collected information, prevent tampering, be easily deployed, offer alerts, support archiving and reporting, and fit into business processes, among other requirements.

The most crucial element is still the means for capturing the activity information. In the past, organizations generally considered two approaches to data auditing, but these create potential risks or increase the costs of implementing compliance. Application modifications change the source code of every application that might be used to access the data of interest. This approach can substantially increase the implementation cost of compliance auditing and reduce confidence in the audit trail, creating security vulnerability or risk because of the inability to capture direct access to the data and changes to permissions and schema.

Trigger-based collection at the database is another approach to capture data modifications. These triggers are special-purpose application logic embedded in the database to execute whenever a data-changing operation is invoked. IT departments' main concern about triggers is the substantial runtime performance overhead. In addition, triggers cannot capture data views or changes to schema and permissions, and they are difficult to write and maintain.

A Preferred Data Auditing Approach

Because of the high threat associated with privileged users, it is essential to capture activity information at the database itself. A preferred way to do this without the pain of triggers is through audit agents, which are associated with each database server containing important data. These audit agents harvest information about data-related activity, and because they operate at the database server, they capture all relevant data activity and all direct access, regardless of the application used. Applications need not be modified to accommodate this approach.

Conclusion

Data auditing delivers the records that enterprises need to insure good governance, enable better corporate decisions, protect against business and legal risk, and comply with government regulations. The ideal solutions for auditing data activity offer effective data capture capability. The best approaches minimize performance overhead while consolidating a complete audit of data access across multiple servers and providing active monitoring and alerting. Prudent organizations are implementing data auditing solutions to meet today’s demanding governance and compliance requirements.