IS Audit in Practice: Data Integrity On Demand—Applying Lessons Learned From Election Processes to Data Integrity for Business Innovation

Author: Cindy Baxter, CISA, ITIL Foundation
Date Published: 1 March 2023

As a risk manager or audit professional, how does one assess data integrity for new and innovative business when time is of the essence? Emerging technologies, unplanned outcomes, and new regulatory decisions all can create shocks to the organization. The increasing use of artificial intelligence (AI) and social media challenges the auditor’s ability to evaluate data accuracy on a timely basis. The on-demand nature of social media requires real-time fact checking and constant evaluation to avoid undue influence. Expectations for quick conclusions from managers to stakeholders to clients put careful review of data under an immediate microscope, yet care in determining data accuracy while still making time for collaboration with the data providers is the only way to create digital trust. AI can also create incomplete or biased data that challenge the delivery of timely audit results unless monitoring practices have been established ahead of a project or audit event.

Yet technology adoption can generate a necessary competitive edge, and organizations that do something different as quickly as possible can gain market presence and improve their financial outlooks. Timely risk prioritization, careful audit plan scoping, early detection, and communication of issues with recommendations that can be executed on demand are key for successful governance and controls management even when deadlines loom. There are lessons to be learned from perhaps a most unlikely source: the democratic election process.

Case Study of Two Democracies

After several years of dramatic elections in countries around the world, 2022 and 2023 are harbingers of a renewed focus on integrity. Voters and governments have assessed the threats of misinformation and disinformation, demanding news media coverage that is reliable and information they can trust. Politics and the transition of power have been hot topics for centuries, if not millennia. What changed is the impact of technology and the highly publicized drama of events over the past decade. In two use cases regarding India and the United States, election process concerns resulted in action aimed at rebuilding trust through targeted scrutiny, controls, and reliable, testable election processes.

The United States
US midterm elections involved 50 different state election processes with varying technologies supporting the tabulation of results. US media polls predicted a shift of power, the specter of fraud was raised before election day had even arrived, and the public braced for turmoil that never occurred on election day or in the runoff elections afterward. Expectations were set early for close races that would take several days or even weeks to finalize. From a media perspective, the Associated Press did not call final results until the polls had closed in each jurisdiction to avoid voters being swayed by election reporting before they had a chance to cast ballots. Election process enhancements included video monitoring of polling locations with streaming available to the public, on-site ballot validations, a return to paper vs. paperless ballots, hiring of cybersecurity staff, and the decommissioning of old voting machines.¹

India
India’s Election Commission hosted the second annual Election Integrity Conference in January 2023, with a number of countries in attendance, including Armenia, Croatia, Indonesia and the Philippines. India has embraced technology, but has been cognizant of the increasing public concern for verifiably trustworthy elections. Given the challenges of different voting systems in different states and a geographically dispersed population, technology is viewed as advantageous, specifically to increase voter participation and accessibility, to simplify election processes and improve error detection, and to provide more timely results. Despite the advantages, there is consensus within the Election Commission that the risk associated with technology adoption must be closely managed to avoid tampering, misinformation and undue influence. After the second successful annual conference, where collaboration and transparency were viewed as critical framework components for increasing success in election and voting governance, the consortium has moved forward to work on the key topics of technology use for improved election administration, technology to accelerate a more inclusive voting process, and preservation of technology as an election process enabler through monitoring and validation of data.²

What Went Right?

Several factors contributed to trust in election outcomes in these two countries, including:

  • The lesson regarding the need to safeguard voting integrity was learned and acted upon. Politics in 2016 and 2018 taught the world to expect the unexpected. Best practices to assess risk, enable accurate technical monitoring, and investigate questionable information were added to the 2022 election processes and widely communicated to the voting public for their awareness.
  • Short time frames and on-demand information meant timely risk assessment and prioritization. Election process updates were focused on understanding where the biggest gaps in accuracy might be, and frameworks were created and made publicly available. The use case on India’s Election Commission demonstrates collective action and shared best practices. The US Cybersecurity and Infrastructure Security Agency (CISA) is another example of proactive planning efforts where tool kits were created and updated for use by election officials to assess the risk of tampering and nation-state intervention.³
  • Who obtained election data, and how, and what was done to guarantee election data accuracy had to be transparent throughout the process. In the United States, modifications to the process based on claims of fraud introduced collaboration with social media platforms and publicly available audits of election balloting machines.
  • Open communication brought acceptance of election results. Digital trust was a high bar to reach after controversial election results in previous years. Proof of results shared frequently with the public and accompanied by irrefutable evidence of accuracy earned the voting public’s trust and acceptance of the outcomes.

The Keys to Integrity and Digital Trust

The election stories are all relevant to managing emerging business innovations and unexpected events, as several points highlight:

  • Predictability is considered synonymous with low risk. Planning an audit review while a project is in the early stages is essential. Outlining what-if scenarios for the unexpected lends a sense of predictability.
  • Knowledge and awareness are the hallmarks of a sense of control. Transparency keeps people informed at a level of detail that is applicable to what they need to know. It fights against misinformation and rumors.
  • Need is a critical driver. With accurate information and clear communication regarding the outcome’s importance, people—whether they are voters, project participants or end users—will show up to participate when it is a priority for them.

Telling the Story

To drive home these three points, risk and audit professionals need to tell the story in a compelling way. If best practices include risk prioritization, assessment of controls, and data validation, then telling the story is the way to stay on track with continuous improvement and high levels of constituent and stakeholder involvement. As with elections, innovative business changes or reactions to unexpected business events have minimal chance for success if users are not engaged. As with elections, risk and audit professionals need to contribute to the story by involving others early in the process in an open and collaborative way. Auditors and risk managers must understand what is relevant to each audience so the plot keeps people engaged. What are the key chapters to building a compelling story? There are a number worth considering:

  • Understand the scope of the emerging project/innovation. Use the scope to identify key process owners, business users, designers and business advisors.
  • Examine and confirm potential risk factors based on the risk management best practices of examining the impacts of financial, reputational, regulatory and client risk. Obtain information from the appropriate audience and gain buy-in from all impacted. If feedback that affects the scope of work is provided, modify the risk factor priorities based on the feedback received.
  • Create an audit plan and seek audience feedback and confirmation of the plan. Expect stakeholder commitment to continuously improve based on including the feedback in the scope of work.
  • Identify milestones that align with the timing requirements of the project and adjust as project milestones change. Innovations carry a high risk of rework and subsequent disillusionment when expectations are not managed throughout the project. Auditors play an important role in identifying and collaborating on recommendations “just in time,” not after it is too late to derive a benefit from the insights the audit team provides.
  • Communicate widely, with information that is audience relevant. Relevance can be determined with the aid of a responsible, accountable, consulted and informed (RACI) chart and with an understanding of who will be affected if the issue persists. Audience-relevant information often implies that more than one group needs to see the results from their perspective. Successful audit teams prepare more than one view of the data tailored to those receiving the presentation and based on what the audience must do to accept and/or enact the recommendations.
  • Provide doable recommendations that enable the outcome. It is important to be seen not as an obstacle to innovation, but as a knowledgeable resource willing to work side-by-side with others for a positive conclusion.

Election history shows that predicting outcomes and anticipating the unexpected is not possible, even with the best use of knowledge and technology. Winning the battle over the unknown requires digital trust, and digital trust is built on the tried-and-true practices of a clear risk and control framework, timely assessment, and open communication.

Endnotes

1 Cassidy, C. A.; “Explainer: Voting Systems Reliable, Despite Conspiracies,” Associated Press News, 4 October 2022, https://apnews.com/article/2022-midterm-elections-technology-voting-donald-trump-campaigns-46c9cf208687636b8eaa1864c35ab300
2 Staff, “Cyber-Attacks and Information Influence Operations Are a Threat to Electoral Integrity: Election Commissioner,” ANI, 24 January 2023, https://aninews.in/news/national/general-news/cyber-attacks-and-information-influence-operations-are-a-threat-to-electoral-integrity-election-commissioner20230124195644/
3 Cybersecurity and Infrastructure Security Agency (CISA), “Cybersecurity Toolkit to Protect Elections,” USA, https://www.cisa.gov/cybersecurity-toolkit-and-resources-protect-elections

CINDY BAXTER | CISA, ITIL FOUNDATION

Is director at What's the Risk, LLC. Her practice focuses on integrated risk control and process assessments for cybersecurity, privacy and business continuity/disaster recovery. She views risk management and control assessment as opportunities to learn the nuts and bolts of a business and help her clients worry less because gaps have been uncovered and a stronger operating model can be built. Baxter draws upon her experience in banking, insurance, healthcare and technology after holding compliance and management roles at State Street Corporation, American International Group (AIG), Johnson & Johnson and AT&T. When she is not doing risk and audit work, she enjoys volunteering on climate and environmental issues that impact her community.