Dissociative Disorder: Compliance and Data Quality

Are you sweating the auditors? How about that “make or break” business decision? Better double check your data quality: your corporate future and compliance could depend on it.

By Cass Brewer

If you ever happen to find yourself sitting across from an auditor in one of the less appealing conference rooms of your estimable corporation, the hum of the fluorescent lights playing harmony to your own measured breath as you anticipate the next query on some tick in the myriad reports strewn before you, there will come a moment when the lottery-ball maelstrom of your own mental processing kicks out a thought as unwelcome and jarring as the candy-green scrawl on that white board across the room that maybe, just maybe, your data is wrong.

The unassailable logic of business analyses and the cool numeric representation of operational outputs reflect a deep etymology of data interpretation, integration, acquisition, and collection that can ultimately be traced back to…what? Distracted data-entry workers? Purchased lists of opaque origin? Inconsistent semantics? Incomplete and outdated record sets?

Managers and auditors generally assume that data underlying reports is reliable and that the data management decisions behind reports are sound and logical. Such assumptions are seldom explicitly supported, quantified, or explored, however. In fact, a 2006 data quality survey¹ by The Data Warehousing Institute paints a vivid picture of cognitive dissonance and denial when it comes to the reality of data and the reports that businesses produce:

  1. Data managers and database administrators believe data quality is worse than most people think (almost 50 percent)
  2. Many workers suspect data quality has directly contributed to compliance problems (about 40 percent)
  3. Suspect data quality is nothing new, but dedicated data governance is rare (8 percent)

While business managers and auditors might question data-warehouse design, data-query structures, and reporting results, such critiques seldom delve into data quality.

Meanwhile, if the IT managers and line workers who actually see raw data—missing fields, unreconciled duplicates, garbage entries and all—register alarm, it is so far displaced from compliance and reporting processes that it becomes SEP (somebody else’s problem).

Does the data quality disconnect matter, in terms of compliance? Emphatically yes! And no—or at least not yet. In reality, the answer largely depends on your corporate culture. If your company follows the letter-of-the-law-and-least-possible-investment strain of compliance theory, the short answer is that regulators and most auditors won’t question the data quality underlying your reports to any technical degree. On the other hand, if you’re in the good-governance-and-get-it-right camp, good data quality is an indispensable precursor to data integration and reporting and the foundation of all higher-level compliance, risk management, and governance efforts.

Data quality, per se, is generally too granular for auditor interest, and most regulatory texts are fairly mum on the matter. US regulations from Sarbanes-Oxley (SOX), the Bank Secrecy Act, and HIPAA indicate the need for strong data management and control, but they don’t drill down to means and models. CobiT,² IT’s risk management bible, has only a single reference to data quality amidst extensive data management recommendations, citing it under the lowest level “0” section of its data management maturity model. And even homeland security requirements, which demand data mining, data matching, and integration, have noodles to say about the data quality factors that influence the success of such initiatives.

Still, reading between the lines, data quality processes and goals are inferred by regulations and implied by governance standards as a pillar of data integrity requirements. CobiT’s pert placement of data quality at level 0 in its maturity model essentially says that, without data quality, you’re nowhere—whatever your other data management controls. SOX requires CEO and CFO attestation to the accuracy of financial reporting, for which they must have confidence in the underlying data quality. And the US Department of the Treasury, which enforces customer identification requirements under OFAC and USAPA, doesn’t monitor how you match names to its specially designated nationals (SDN) list, but insists you have the data integrity to do so with some accuracy. Finally, regulators and auditors do perk up when they see suspect reports, and IT-savvy auditors know that garbage reports betray garbage data.

What does this all mean, in practical terms? Short answer: be ready. The day is coming when data quality is a line item on auditing checklists. The dissociation of auditing-by-report and underlying data quality must be addressed through measurement and assurance of data quality management. Like most business users, auditors don’t distinguish business processes from the information systems that support them, a fallacy that is bound to bear out in the sorts of corporate scandals that ultimately lead to revised auditing standards and guidelines.

Prior to the first SOX deadlines, many media reports and analysts observed that corporations with strong internal control environments when the act was passed spent considerably less on compliance than companies with weaker controls—and those costs were generally reported in hard numbers that excluded opportunity costs and more abstract business losses incurred by the mad scramble to comply.

Consider again the TDWI report findings: respondents know data is hindering compliance and suspect data is worse than anyone thinks, but most companies don’t have dedicated data governance functions. As companies calculate the ROI of data quality, the cost of reactive compliance should be high on the list.

Notes
¹ “Global Data Management Survey 2004,” PricewaterhouseCoopers, November 2004
² “Control Objectives for Information and related Technology (CobiT),” ISACA

Cass Brewer is founder and steward of the Truth to Power community.