Data Warehouse Management Final Audit Report Report Nr. 8/13 November 12, 2013

Transcription

1 Data Warehouse Management Final Audit Report Report Nr. 8/13 November 12, 2013 Distribution: To: Acting President & CEO Senior Vice President & Chief Financial Officer Senior Vice President, Business Solutions & Innovation Vice President & Corporate Controller Director, Market Risk Management Director, Business Intelligence Centre Manager, Operations Control Manager, Application Infrastructure Portfolio Delivery Manager, BSD Solution Services CC: Senior Vice President, Corporate Affairs & Secretary Senior Vice President, Human Resources & Communications Senior Vice President, Business Development Senior Vice President, Financing Senior Vice President, Insurance Vice President, Risk Management Office Vice President, Business Intelligence & Innovation Vice President and Chief Information Officer Chief BSD Advisor Director, Planning & External Relations Principal, Office of the Auditor General Director, Office of the Auditor General Audit Team: Adam Stratas Lawrence Di Stefano Allison Lowe Vice President Internal Audit Monica Ryan

2 Table of Contents Introduction... 3 Audit Objectives & Scope... 3 Internal Audit Opinion... 3 Audit Findings & Recommendations... 4 Conclusion... 5 Data Warehouse Management Audit November 12,

3 Introduction In accordance with our 2013 Audit Plan, EDC Internal Audit (IA) performed an audit of EDC s Data Warehouse management process. EDC's Data Warehouse is the source for EDC s customer, risk, financial, and operational information. For example, it provides information for the reporting of risk exposures by country, industry and obligor and information on loan assets and liabilities. The Data Warehouse is comprised of data marts which receive information from source systems or via manual uploads. Users extract data from the data marts for analytical and reporting purposes. Audit Objectives & Scope The objectives of this audit were to evaluate the design and operating effectiveness of controls within the Data Warehouse management process. This included an examination of controls in place to ensure: Changes to the data marts are authorized, tested and include the identification of roll-back plans; All changes are verified by the Operations Control group to ensure they have been approved in accordance with standards; Reconciliations to independent source data are performed where required; and Manual data uploads to data marts are approved. The scope of the audit included seven data marts that are used for significant reporting and/or decision making including Credit Exposure, Corporate Results, Loans Provisioning, Asset Liability Management, CAS, ACBS and Market Risk Management. Internal Audit Opinion In our opinion, the data warehouse management process is Well Controlled 1. In our detailed testing we were able to obtain assurance that the risks inherent in the change management process were being mitigated. Reconciliations to independent source data are performed for data marts where required or compensating controls exist. We also found that the appropriate approvals are in place from the Project Sponsor for all new manual data feeds. Some moderate 2 findings were identified and are described in the following section. 1 Our standard audit opinions are as follows: - Strong Controls: Key controls are effectively designed and operating as intended. Best in class internal controls exist. Objectives of the audited process are most likely to be achieved. - Well Controlled: Key controls are effectively designed and operating as intended. Objectives of the audited process are likely to be achieved. - Opportunities Exist to Improve Controls: One or more key controls do not exist, are not designed properly or are not operating as intended. Objectives of the process may not be achieved. The financial and/or reputation impact to the audited process is more than inconsequential. Timely action is required. - Not Controlled: Multiple key controls do not exist, are not designed properly or are not operating as intended. Objectives of the process are unlikely to be achieved. The financial and/or reputation impact to the audited process is material. Action must follow immediately. 2 The ratings of our audit findings are as follows: - Major: a key control does not exist, is poorly designed or is not operating as intended and the financial and/or reputation risk is more than inconsequential. The process objective to which the control relates is unlikely to be achieved. Corrective action is needed to ensure controls are cost effective and/or process objectives are achieved. - Moderate: a key control does not exist, is poorly designed or is not operating as intended and the financial and/or reputation risk to the process is more than inconsequential. However, a compensating control exists. Corrective action is needed to avoid sole reliance on compensating controls and/or ensure controls are cost effective. - Minor: a weakness in the design and/or operation of a non-key process control. Ability to achieve process objectives is unlikely to be impacted. Corrective action is suggested to ensure controls are cost effective. Data Warehouse Management Audit November 12,

4 Audit Findings & Recommendations 1. Data Warehouse Change Management Process Effective change management controls are important to ensure the on-going reliability and accuracy of the information in the data marts. The responsibility for change management for the data marts is shared amongst the data mart owner, the Technology group and the Operations Control (OC) group. Data mart owners are responsible for initiating changes, conducting user acceptance testing and approving changes while the Technology group is responsible for production of the requested changes. The OC is responsible for verifying all changes to ensure they have been approved in accordance with standards prior to deployment. Given the significance of data marts to reporting and decision making at EDC, we looked at controls to ensure proper testing prior to releasing into production and proper approval of changes. Overall, we found that the data warehouse change management process is being executed in a manner consistent with the change management controls and were able to confirm that key controls were operating. In most cases however, evidence supporting the change had not been stored in the Remedy system which is the repository for the official corporate record. Through substantive testing we were eventually able to find the evidence to support the changes. We recommend that the results of testing be documented according to standard form, contain testing evidence and be uploaded in Remedy to ensure the integrity of the official corporate record. We also recommend that deployment plans, including the roll-back plan section be clearly documented to ensure the involved parties understand the steps to follow in the event there is a fatal flaw with deployment. Rating of Audit Finding - Moderate Action Owner Portfolio Delivery Manager, BSD Solution Services, Manager, Application Infrastructure, Manager, Operations Control Due Dates - All actions to be implemented by Q Reconciliation of Data Marts to Source Data Data marts are refreshed daily with information from the relevant source business applications through an automated interface. However, limitations within some of these business applications have created a need to make changes directly to the data marts through manual updates and/or the application of business rules to information in the data mart. Making changes directly to a data mart creates a risk that its contents may no longer be consistent with information contained within source business applications. Accordingly, our audit included an examination of the controls in place to reconcile data marts to source business applications. A number of data rules are applied to the information in the ALMS data mart and while reasonability tests are performed, there is no process in place to periodically reconcile key values to source applications. Business rules are also applied to information within the CEDM. While a partial reconciliation is being performed, exposures sourced from FIRM are not reconciled to the CEDM. Data Warehouse Management Audit November 12,

5 We recommend that procedures be established to periodically reconcile the ALMS data mart to source systems. We also recommend that procedures be established to periodically reconcile FIRM data to the CEDM. Rating of Audit Finding Moderate Action Owner Director, MRM and Director, BIC Due Dates - All actions to be implemented by Q Conclusion The audit findings and recommendations have been communicated to and agreed by management, who has developed action plans that are scheduled for implementation no later than Q We would like to thank management for their support throughout the audit. Data Warehouse Management Audit November 12,