Auditing is a cornerstone of effective public sector governance. Internal and external auditors help public sector organisations strengthen accountability and integrity, improve services, and build trust among citizens and stakeholders. In doing so, organisations rely on auditors to provide unbiased and objective assessments of governance responsibilities.

By focusing on the value of data, auditors can help shape a data-driven approach with integrity[1] and accountability at its heart – and the emergence of frameworks for data ethics highly facilitate this. In honing their assessment of data practices in the public sector, auditors can contribute to an environment where, the use of data is more likely to promote trust, despite challenges posed by technological advances. Such a culture within public sector organisations would indeed be highly beneficial to society in the long-run.

Assessment criteria are key

Due to the increasing use of data in the public sector, the criteria to assess its ethical use have evolved. Auditors should not only assess data quality, but also pay attention to the purpose of data, its use, proportionality and legitimacy. Furthermore, auditors should take into account the way data are processed and whether its use is in compliance with standards and best practices. To enable this, auditors need more targeted assessment frameworks.

Examples of criteria that help auditors to assess data ethics include the recent publication of the revised UK Data Ethics Framework (Figure 1) and the draft U.S Data Ethics Framework. Similarly, instruments such as the General Data Protection Regulation (GDPR) in the European Union have put forward issues that are core to good data governance (e.g. data minimisation, data portability), and the UK Information Commissioner’s Office (ICO) describes how auditors can assess the risks to rights and freedoms that Artificial Intelligence (AI) can pose, and the appropriate measures they can implement to mitigate them[2].

In addition to existing tools, the Good Practice Principles (GPPs), developed by the OECD Thematic Group on Data-driven Public Sector as a means to build a common understanding for the ethical use of data by public sector officials, could also inform and help auditors set priorities and evaluation criteria when tackling issues of data governance.

As the copy, storage and use of citizens’ data could be misused or hacked, the GPPs list principles for public servants to follow as a standardised practice when processing citizens’ data, to ensure its ethical use. This tool could therefore help auditors assess compliance with the principles on the use of data as a complementary resource to national ethical frameworks, which are country-specific and serve as a national reference point for ethical considerations.

As the roles of external and internal auditors are complementary, they both contribute to effective governance and accountability in the public sector. While external auditors could use the GPPs along with national ethical frameworks as guidelines to assess an organisation’s compliance with ethical standards as mentioned previously, including specific regulations and laws on the use of data. Internal auditors could analyse and suggest improvements to internal controls based on the GPPs, in conjunction with national frameworks for data governance.

…But we need more

Despite increasing awareness around this issue, evidence shows that there are limited criteria for auditing ethical frameworks relating to data governance. For instance, the Institute of Internal Auditors (IIA) have International Standards for the Professional Practice of Internal Auditing[3] that are complemented by an implementation guide to help auditors apply standards, but they do not identify processes or procedures relating to auditing data governance or ethics. As we continue to develop a deeper understanding of the ethical implications of how data are used, particularly in the public sector, there is a need to develop targeted tools and criteria for auditors to enable them to audit ethical frameworks and the use of data, and to establish standardised practices in this area.

Auditors must also be equipped with the right skills and training to effectively assess the ethical use of data or technologies. For example, adaptability skills are a vital part of working in a changing working environment. Moreover, an understanding of the basic principles of AI can help auditors, especially internal auditors to better identify and advise on the risks and opportunities for using AI.

[1] For more information see: https://www.oecd.org/gov/ethics/recommendation-public-integrity/

[2] For more information, please see: https://ico.org.uk/media/2617219/guidance-on-the-ai-auditing-framework-draft-for-consultation.pdf

[3] For more information, please see: https://na.theiia.org/periodicals/Public%20Documents/GPI-Artificial-Intelligence-Part-II.pdf

The views in this article are the author’s only, and do not necessarily represent the views of the OECD or its member countries.