Data Warehouse Management Final Audit Report Report Nr. 8/13 November 12, 2013




Distribution

To:
- Acting President & CEO
- Senior Vice President & Chief Financial Officer
- Senior Vice President, Business Solutions & Innovation
- Vice President & Corporate Controller
- Director, Market Risk Management
- Director, Business Intelligence Centre
- Manager, Operations Control
- Manager, Application Infrastructure
- Portfolio Delivery Manager, BSD Solution Services

CC:
- Senior Vice President, Corporate Affairs & Secretary
- Senior Vice President, Human Resources & Communications
- Senior Vice President, Business Development
- Senior Vice President, Financing
- Senior Vice President, Insurance
- Vice President, Risk Management Office
- Vice President, Business Intelligence & Innovation
- Vice President and Chief Information Officer
- Chief BSD Advisor
- Director, Planning & External Relations
- Principal, Office of the Auditor General
- Director, Office of the Auditor General

Audit Team:
- Adam Stratas
- Lawrence Di Stefano
- Allison Lowe

Vice President Internal Audit: Monica Ryan

Table of Contents

- Introduction
- Audit Objectives & Scope
- Internal Audit Opinion
- Audit Findings & Recommendations
- Conclusion

Data Warehouse Management Audit November 12, 2013

Introduction

In accordance with our 2013 Audit Plan, EDC Internal Audit (IA) performed an audit of EDC's Data Warehouse management process. EDC's Data Warehouse is the source for EDC's customer, risk, financial, and operational information. For example, it provides information for the reporting of risk exposures by country, industry and obligor and information on loan assets and liabilities. The Data Warehouse is comprised of data marts which receive information from source systems or via manual uploads. Users extract data from the data marts for analytical and reporting purposes.

Audit Objectives & Scope

The objectives of this audit were to evaluate the design and operating effectiveness of controls within the Data Warehouse management process. This included an examination of controls in place to ensure:

- Changes to the data marts are authorized, tested and include the identification of roll-back plans;
- All changes are verified by the Operations Control group to ensure they have been approved in accordance with standards;
- Reconciliations to independent source data are performed where required; and
- Manual data uploads to data marts are approved.

The scope of the audit included seven data marts that are used for significant reporting and/or decision making including Credit Exposure, Corporate Results, Loans Provisioning, Asset Liability Management, CAS, ACBS and Market Risk Management.

Internal Audit Opinion

In our opinion, the data warehouse management process is Well Controlled [1]. In our detailed testing we were able to obtain assurance that the risks inherent in the change management process were being mitigated. Reconciliations to independent source data are performed for data marts where required or compensating controls exist. We also found that the appropriate approvals are in place from the Project Sponsor for all new manual data feeds. Some moderate [2] findings were identified and are described in the following section.

[1] Our standard audit opinions are as follows:

- Strong Controls: Key controls are effectively designed and operating as intended. Best in class internal controls exist. Objectives of the audited process are most likely to be achieved.
- Well Controlled: Key controls are effectively designed and operating as intended. Objectives of the audited process are likely to be achieved.
- Opportunities Exist to Improve Controls: One or more key controls do not exist, are not designed properly or are not operating as intended. Objectives of the process may not be achieved. The financial and/or reputation impact to the audited process is more than inconsequential. Timely action is required.
- Not Controlled: Multiple key controls do not exist, are not designed properly or are not operating as intended. Objectives of the process are unlikely to be achieved. The financial and/or reputation impact to the audited process is material. Action must follow immediately.

[2] The ratings of our audit findings are as follows:

- Major: a key control does not exist, is poorly designed or is not operating as intended and the financial and/or reputation risk is more than inconsequential. The process objective to which the control relates is unlikely to be achieved. Corrective action is needed to ensure controls are cost effective and/or process objectives are achieved.
- Moderate: a key control does not exist, is poorly designed or is not operating as intended and the financial and/or reputation risk to the process is more than inconsequential. However, a compensating control exists. Corrective action is needed to avoid sole reliance on compensating controls and/or ensure controls are cost effective.
- Minor: a weakness in the design and/or operation of a non-key process control. Ability to achieve process objectives is unlikely to be impacted. Corrective action is suggested to ensure controls are cost effective.

Audit Findings & Recommendations

1. Data Warehouse Change Management Process

Effective change management controls are important to ensure the on-going reliability and accuracy of the information in the data marts. The responsibility for change management for the data marts is shared amongst the data mart owner, the Technology group and the Operations Control (OC) group. Data mart owners are responsible for initiating changes, conducting user acceptance testing and approving changes while the Technology group is responsible for production of the requested changes. The OC is responsible for verifying all changes to ensure they have been approved in accordance with standards prior to deployment.

Given the significance of data marts to reporting and decision making at EDC, we looked at controls to ensure proper testing prior to releasing into production and proper approval of changes. Overall, we found that the data warehouse change management process is being executed in a manner consistent with the change management controls and were able to confirm that key controls were operating. In most cases however, evidence supporting the change had not been stored in the Remedy system which is the repository for the official corporate record. Through substantive testing we were eventually able to find the evidence to support the changes.

We recommend that the results of testing be documented according to standard form, contain testing evidence and be uploaded in Remedy to ensure the integrity of the official corporate record. We also recommend that deployment plans, including the roll-back plan section be clearly documented to ensure the involved parties understand the steps to follow in the event there is a fatal flaw with deployment.

Rating of Audit Finding - Moderate
Action Owner - Portfolio Delivery Manager, BSD Solution Services; Manager, Application Infrastructure; Manager, Operations Control
Due Dates - All actions to be implemented by Q1 2014

2. Reconciliation of Data Marts to Source Data

Data marts are refreshed daily with information from the relevant source business applications through an automated interface. However, limitations within some of these business applications have created a need to make changes directly to the data marts through manual updates and/or the application of business rules to information in the data mart. Making changes directly to a data mart creates a risk that its contents may no longer be consistent with information contained within source business applications. Accordingly, our audit included an examination of the controls in place to reconcile data marts to source business applications.

A number of data rules are applied to the information in the ALMS data mart and while reasonability tests are performed, there is no process in place to periodically reconcile key values to source applications. Business rules are also applied to information within the CEDM. While a partial reconciliation is being performed, exposures sourced from FIRM are not reconciled to the CEDM.

We recommend that procedures be established to periodically reconcile the ALMS data mart to source systems. We also recommend that procedures be established to periodically reconcile FIRM data to the CEDM.

Rating of Audit Finding - Moderate
Action Owner - Director, MRM and Director, BIC
Due Dates - All actions to be implemented by Q2 2014

Conclusion

The audit findings and recommendations have been communicated to and agreed by management, who has developed action plans that are scheduled for implementation no later than Q2 2014. We would like to thank management for their support throughout the audit.