Data Quality and Governance Guide
Good reporting depends on good operational data. This guide explains what administrators should check so dashboards, KPIs, risk scores, assessment results, and management reports remain reliable.
1. Purpose
Data quality is not only a reporting concern. Poor data can cause incorrect risk prioritization, weak audit evidence, missed approvals, overdue remediation, and misleading compliance scores.
Administrators should use this guide when:
- setting up a new tenant or department
- reviewing monthly GRC health
- preparing executive reports
- preparing audit evidence
- investigating KPI changes
- cleaning stale or incomplete records
2. Required Fields by Module
| Module | Required Data Quality Checks |
|---|---|
| Compliance and Assessments | Framework, assessment owner, scope, start date, due date, control response, compliance status, evidence or explanation, reviewer when required. |
| Risk Management | Risk title, category, owner, inherent likelihood, inherent impact, residual likelihood, residual impact, treatment decision, review date, linked asset/vendor/control where relevant. |
| Policies | Policy owner, version, status, approver, effective date, review date, target audience, acknowledgement requirement, attachments where needed. |
| Policy Exceptions | Requestor, policy, business justification, risk impact, approver, expiry date, compensating control, status. |
| Audit Management | Audit name, scope, auditor, auditee, planned dates, findings, severity, due dates, evidence, closure decision. |
| Issues and Actions | Title, owner, priority, due date, source, status, remediation notes, closure evidence. |
| Assets | Asset name, type, owner, criticality, status, department, linked risks where relevant. |
| Vendors | Vendor name, owner, criticality, status, service description, assessment status, risk rating, renewal/review date. |
| Incidents | Incident title, owner, severity, status, detection date, response actions, closure evidence. |
| Awareness | Campaign name, audience, due date, assigned users, completion status. |
| Reports and KPIs | KPI owner, target, thresholds, frequency, understanding of the source module, review date. |
3. What Breaks Reports and KPIs
| Problem | Impact |
|---|---|
| Missing owners | Tasks and escalations cannot be assigned correctly. |
| Missing due dates | Overdue reporting becomes incomplete. |
| Incorrect status | Dashboards may show open work as closed, or closed work as still active. |
| Stale risk scores | High and critical risk reports become misleading. |
| Controls marked compliant without evidence | Compliance reporting becomes weak for audit and management review. |
| Policies published without correct audience | Acknowledgement rates may be inaccurate. |
| Exceptions without expiry date | Expiring exception alerts cannot work correctly. |
| Vendors without criticality | Third-party risk reporting underestimates exposure. |
| Assets without owners | Risk linkage and accountability become unclear. |
| Duplicate records | Counts in reports and KPIs become inflated. |
4. Owner Assignment Rules
Every operational record should have one accountable owner.
Recommended ownership model:
| Record Type | Recommended Owner |
|---|---|
| Assessment | Compliance manager or assigned assessment lead. |
| Control response | Control owner. |
| Risk | Business risk owner, not only the GRC team. |
| Treatment action | Action owner responsible for remediation. |
| Policy | Policy owner from the accountable business function. |
| Exception | Requesting business owner with approval by authorized approver. |
| Audit finding | Finding owner responsible for remediation. |
| Issue | Person accountable for closure. |
| Asset | Business or technical asset owner. |
| Vendor | Vendor relationship owner. |
Avoid assigning everything to a single administrator. That makes reporting look complete but weakens accountability.
5. Review-Date Discipline
Review dates keep records active and current.
| Record | Review Rule |
|---|---|
| Risks | Review high and critical risks more frequently than medium or low risks. |
| Policies | Set a review date before publication and review before expiry or major change. |
| Exceptions | Always set an expiry date and review before renewal. |
| Vendors | Review critical vendors at least annually or when service/risk changes. |
| Assets | Review criticality and ownership when business use changes. |
| Assessments | Close or formally extend assessments that pass their due date. |
| KPIs | Review thresholds when risk appetite or reporting expectations change. |
If a record has no review date, it will eventually become stale even if it was correct when created.
6. Naming Conventions
Use names that are clear in exports and reports.
Recommended pattern:
| Area | Naming Guidance |
|---|---|
| Assessments | Include framework, scope, and period. Example: “ISO 27001 Internal Assessment - Finance - 2026”. |
| Risks | Use a business risk statement. Example: “Unauthorized access to customer records due to weak access review”. |
| Policies | Use official document title and version. |
| Exceptions | Include policy/control and business area. |
| Audit Findings | Describe the control gap, not only the symptom. |
| Issues | Start with the required action. |
| Vendors | Use legal or contracted vendor name consistently. |
| Assets | Use recognizable business or technical asset name. |
| Reports | Include audience, topic, and frequency if scheduled. |
Avoid vague names such as “Risk 1”, “Test”, “Policy Update”, or “Follow-up”.
7. Evidence Quality Rules
Evidence should prove the statement made in the platform.
High-quality evidence:
- is current for the assessment or review period
- clearly relates to the control, risk, finding, or issue
- shows who approved or performed the activity when relevant
- includes date, source, and enough context
- is not a screenshot without explanation when a stronger document is available
- does not include unnecessary sensitive information
Weak evidence examples:
- outdated screenshots
- generic documents not linked to the control
- evidence with no date
- policy drafts used as proof of approved policy
- closure notes without supporting proof
- files uploaded to the wrong record
8. Monthly Data Quality Review
Administrators should run this review before management reporting.
- Review overdue assessments, issues, findings, policy reviews, vendor reviews, and risk reviews.
- Check records with missing owners.
- Check critical risks without treatment or review date.
- Check controls marked compliant without evidence.
- Check exceptions expiring within 30 days.
- Check policies pending approval or pending acknowledgement.
- Check vendors and assets without criticality.
- Review KPI values that changed significantly.
- Correct source records before exporting reports.
- Document unresolved data quality limitations in the report commentary.
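As an added illustration (not part of this guide or of any product's own code), the following Python runs the section 8 checks for missing owners, incomplete critical risks, compliant controls without evidence, exceptions expiring within 30 days, and duplicate or vague names (section 6) over a small constructed export; the field names and sample records are assumptions.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample records standing in for a module export (assumed field names, not real data).
RISKS = [
    {"id": "R-1", "title": "Unauthorized access to customer records due to weak access review",
     "owner": "A. Khan", "rating": "critical", "treatment": "mitigate", "review_date": date(2026, 6, 1)},
    {"id": "R-2", "title": "Risk 1", "owner": "", "rating": "critical", "treatment": "", "review_date": None},
    {"id": "R-3", "title": "Risk 1", "owner": "B. Osei", "rating": "low", "treatment": "accept",
     "review_date": date(2026, 9, 1)},
]
CONTROLS = [
    {"id": "C-1", "owner": "C. Diaz", "status": "compliant", "evidence": ["access-review-2026Q1.pdf"]},
    {"id": "C-2", "owner": "C. Diaz", "status": "compliant", "evidence": []},
]
EXCEPTIONS = [
    {"id": "E-1", "owner": "D. Lee", "expiry": date(2026, 4, 20), "status": "approved"},
    {"id": "E-2", "owner": "D. Lee", "expiry": date(2026, 12, 31), "status": "approved"},
]
VAGUE_NAMES = {"risk 1", "test", "policy update", "follow-up"}  # the section 6 examples

def missing_owners(records):
    # Section 3: records without an owner cannot have tasks or escalations assigned.
    return [r["id"] for r in records if not (r.get("owner") or "").strip()]
def critical_risks_incomplete(risks):
    # Section 9 trigger: a high/critical risk with no treatment decision or no review date.
    return [r["id"] for r in risks
            if r["rating"] in ("high", "critical") and (not r["treatment"] or r["review_date"] is None)]
def compliant_without_evidence(controls):
    return [c["id"] for c in controls if c["status"] == "compliant" and not c["evidence"]]
def expiring_exceptions(exceptions, today, window_days=30):
    # Approved exceptions expiring within the window; already-expired ones are reported as well.
    cutoff = today + timedelta(days=window_days)
    return [e["id"] for e in exceptions if e["status"] == "approved" and e["expiry"] <= cutoff]
def duplicate_titles(records):
    # Section 3: duplicates inflate counts; compare titles case- and whitespace-insensitively.
    counts = Counter(r["title"].strip().lower() for r in records)
    return sorted(t for t, n in counts.items() if n > 1)
def vague_names(records):
    return [r["id"] for r in records if r["title"].strip().lower() in VAGUE_NAMES]
def monthly_review(today_iso, risks=RISKS, controls=CONTROLS, exceptions=EXCEPTIONS):
    # Runs every check as of today_iso ("YYYY-MM-DD") and returns one id list per check.
    today = date.fromisoformat(today_iso)
    return {"missing_owners": missing_owners(risks + controls + exceptions),
            "critical_risks_incomplete": critical_risks_incomplete(risks),
            "compliant_without_evidence": compliant_without_evidence(controls),
            "expiring_exceptions": expiring_exceptions(exceptions, today),
            "duplicate_titles": duplicate_titles(risks),
            "vague_names": vague_names(risks)}
```

Each non-empty list is a source record to correct before the report is exported, and anything left unresolved goes into the report commentary.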
9. Escalation Rules
Escalate when:
- a critical risk has no owner, treatment, or review date
- an overdue finding affects a high-risk control
- a policy exception is close to expiry without decision
- a compliance assessment is blocked by missing evidence
- a vendor has high criticality but no recent assessment
- report values are disputed and source records are incomplete
- the same owner repeatedly misses due dates
Escalation should include the record, owner, due date, business impact, and requested decision.
10. Administrator Checklist
- Confirm every active record has an owner.
- Confirm due dates are realistic and maintained.
- Confirm statuses match actual work progress.
- Confirm high-impact records have evidence.
- Confirm stale records are reviewed, closed, or updated.
- Confirm dashboards and reports are interpreted against the underlying source data.
- Confirm recurring data quality issues are addressed through ownership and process, not manual report edits.