Matt Hall, an Entrepreneurs' Organization (EO) member in Seattle, is CEO of Bocada, a comprehensive backup reporting platform for enterprise environments that streamlines storage oversight and compliance audits. Because Matt is an entrepreneur in the backup reporting space, we asked him about the importance of independent audit tools. Here's what he shared.
Entrepreneurs are known for unbridled optimism, strong execution and relying on instinct to grow companies. Because these dynamic qualities compel us to pursue topline performance at a rapid pace, we sometimes fall short of kicking the proverbial tires to ensure that the information we're using to make decisions and build confidence is, in fact, valid.
It's the ultimate irony: We live in a data-driven world, yet often fail to audit our own data--until it's too late.
Alarmingly, this is a universal issue, even in the enterprise data backup and protection industry, where validating the fact that data has been successfully backed up and can be recovered is at our core. Why does this continue to present challenges? Because the concept of "independent" verification is often compromised.
It seems obvious, yet it is only discussed when something goes seriously wrong.
When data validation goes wrong
Consider recent controversies: the Boeing 737 MAX certification process, Volkswagen diesel emissions, and asset-backed security ratings pre-2008. All three situations stemmed from violating the fundamental pillar of independent data verification.
Objective, independent verification applies to certifications and audits in every discipline. The best-known example of mandated audit independence is the Sarbanes-Oxley Act (SOX) of 2002, which is financial oversight legislation that resulted from high-profile accounting scandals including Enron, WorldCom, Tyco and Arthur Andersen.
SOX prohibits financial auditors from being part of the same firm that performs the operational accounting. The goal: Eliminate conflicts of interest.
Audits improve confidence and job performance
Why do businesses perform audits anyway? Why do they matter? We like to think of it as "trust but verify." The intention of an audit is not to discover weaknesses or fraud--though those may certainly be found. Rather, an audit corroborates and adds credibility to self-reported performance. It also serves the purpose of aligning behaviors with desired performance.
When operators or administrators know their work will be independently audited, they take greater care to ensure accurate self-reporting. Successful audits increase everyone's confidence in reported results and reduce the risk that reported results are flawed.
Objectivity is key
If audits validate and build confidence, why is independence such a big deal?
Because the foundation of independent auditing is objectivity. If an auditor has any incentive beyond successfully completing the audit itself, they cannot provide an unbiased evaluation. Said another way, an audit will not convey confidence if the auditor or tools are subjective rather than independent.
Consider the Volkswagen diesel fuel scandal. The company had an overall goal of opening more markets and accelerating diesel car sales. As a result, internal teams were incented to certify that vehicles would pass each country's emissions guidelines, not to actually test whether they met emissions standards. The company's overall goal compromised an internal team's objectivity, all because the two parties were not independent. Three years later, Volkswagen is still plagued with lawsuits and loss of credibility from its manipulated test results.
Why audit your enterprise data?
The case for independent audits hits home just as much in the enterprise data protection space. Your organization can rely on an internal team to confirm, "Yes, all company data is backed up." Or, you can implement independent systems and processes to verify that fact. Which sounds more reassuring?
In my organization, we've found significant data protection blind spots in Fortune 500 companies. Data they thought was being successfully backed up and protected actually went unprotected for weeks and in some cases months.
Imagine if this were the situation at your bank in the moment of a cyber attack. Your bank's failure to successfully monitor its backup activities could mean the difference between an outage measured in hours (as they scramble to restore information) and a complete catastrophe.
Technology makes validation convenient--and automatic
Why wait for labor-intensive, annual audits when solutions exist for rapid check-ins to isolate potential risks and fix them before they spiral out of control?
There is a growing category of companies offering governance, risk and compliance technologies to simplify what can otherwise be complex, cumbersome validation processes. Best practices revolve around selecting companies, processes and tools that are truly neutral and independent, and then selecting options that allow for automation of the oversight.
Whether you're an entrepreneur looking to validate your sales funnel or a Fortune 500 chief technology officer, tools are available to reduce the risk of human error, reduce labor costs and ensure that you have a complete grasp on your organization's performance.
It may be tempting to prioritize other activities. Don't. Skipping the "trust but verify" step can lead to a ripple effect of poor decision-making that puts your business in harm's way, leaving customers wondering about your trustworthiness.