Chief audit executives are not so confident about the accuracy of the data their companies rely on to make decisions.

A survey by the Institute of Internal Auditors found that fewer than one out of three audit chiefs are confident about the strategic decisions they make based on data analytics. Only 29 percent of chief audit executives polled by the IIA’s Audit Executive Center said they are very or extremely confident in decisions made based on the data their organizations collect and analyze. Nearly as many, 23 percent, hold the opposite view, describing themselves as “slightly or not at all confident” about data-driven decisions, according to the 2016 North American Pulse of Internal Audit. The remaining 48 percent of those surveyed indicated they had only moderate confidence in such decisions.

The data used to make such decisions is oftentimes not even reviewed by internal audit. The survey, which questioned 486 North American chief audit executives, directors and senior managers, found nearly half of internal audit functions, 47 percent, have little or no involvement in evaluating the quality of data used by their organizations.

“The power of data to inform decisions comes with the potential to misdirect organizations,” the report warns. “Problems can arise from data collection, data analysis, and decisions made from the data.”

Some potential pitfalls cited by the report include legal and ethical concerns on data collection, such as privacy. Internal audit needs to confirm the data’s appropriateness, accuracy and completeness. There should be proper, unbiased evaluation of the data once it has been collected in order to understand, for example, the difference between correlation and causation. Otherwise the conclusions from the data may be based not on what the data itself proves, but instead on what someone wants it to prove.

The report urges chief audit executives to inform themselves better about the nature and extent of the data used by the organization. They should also assess the risks associated with data collection and usage, and address those risks with management and audit committees. Audit executives should add elements to the audit plan to ensure such risks are being addressed, and ensure internal audit has the skills to properly engage and evaluate such risks.