Company Information Management (CIM) Audit Report Report # 2/15 March 11, 2015



Similar documents
Trade Finance Obligations (TFO) Credit Granting, Underwriting and Monitoring Final Audit Report Report Nr. 19/13 May 1, 2014

Payroll Process Final Audit Report Report Nr. 13/12 August 30, 2012

Financial Statement Closing Process Audit Report Report Nr. 3/14 August 26, 2014

Data Warehouse Management Final Audit Report Report Nr. 8/13 November 12, 2013

Reporting on Control Procedures at Outsourcing Entities

CHARTER THE AUDIT COMMITTEE POLARIS MINERALS CORPORATION

Charter of the Audit Committee of the Board of Directors

APPENDIX A NCUA S CAMEL RATING SYSTEM (CAMEL) 1

AUDIT OF SBA S SYSTEM AUDIT REPORT NUMBER 4-42 SEPTEMBER 10, 2004

GOVERNANCE AND MANAGEMENT OF CITY COMPUTER SOFTWARE NEEDS IMPROVEMENT. January 7, 2011

CORPORATE GOVERNANCE GUIDELINES

SOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT ACCOUNTING SYSTEM AND GENERAL LEDGER

FORGAME HOLDINGS LIMITED 雲 遊 控 股 有 限 公 司. (Incorporated in the Cayman Islands with limited liability) (Stock Code: 00484) Terms of Reference for the

Internal Audit. Audit of HRIS: A Human Resources Management Enabler

FINANCIAL MANAGEMENT POLICIES AND PROCEDURES

Computer Security Roles and Responsibilities and Training Should Remain Part of the Computer Security Material Weakness.

Department of Homeland Security Office of Inspector General. Audit of Application Controls for FEMA's Individual Assistance Payment Application

UIL HOLDINGS CORPORATION CORPORATE GOVERNANCE GUIDELINES. Amended March 24, 2015

EXHIBIT A THE TIMKEN COMPANY BOARD OF DIRECTORS GENERAL POLICIES AND PROCEDURES

Enterprise Risk Management. Breaking Down the Barriers at Emory

Enterprise Risk Management Panel Discussion

Corporate Governance Principles. February 23, 2015

Hunter Hall International Limited

Corporate Governance Guidelines. Apartment Investment and Management Company. Adopted as of March 8, 2004 (last updated July 2010)

COHERENT, INC. Board of Directors. Governance Guidelines


BOARD OF DIRECTORS MANDATE

HEALTH SERVICE EXECUTIVE NATIONAL FINANCIAL REGULATION INTRODUCTION TO NATIONAL FINANCIAL REGULATIONS NFR - 00

ISACA PROFESSIONAL RESOURCES

Audit Phases. Phase 1: Planning and Risk Identification

FIRST REPUBLIC BANK DIRECTORS ENTERPRISE RISK MANAGEMENT COMMITTEE CHARTER

How To Set Up A Committee To Check On Cit

INSPECTOR GENERAL. Availability of Critical Applications. Audit Report. September 25, Report Number IT-AR OFFICE OF

MANDATE OF THE BOARD OF DIRECTORS STINGRAY DIGITAL GROUP INC.

Nexteer Automotive Group Limited

Best Practices Report

Introduction. Board Structure and Composition CORPORATE GOVERNANCE GUIDELINES

CORPORATE GOVERNANCE GUIDELINES AND PRINCIPLES OF PBF ENERGY INC.

PROCEDURE. The permission rights assigned to allow data custodians to view, copy, enter, download, update or query data.

NASA Financial Management

Disclosure and Communication Policy 1

Exponent, Inc. Charter of the Audit Committee of the Board of Directors (as amended through December 10, 2015)

EXECUTIVE SUMMARY Audit of vendor database management in UNOG

AUDIT REPORT. Federal Energy Regulatory Commission s Unclassified Cybersecurity Program 2015

MEMORANDUM FOR COMMANDER, U.S. AIR FORCE SYSTEMS COMMAND REGIONAL HOSPITAL EGLIN, EGLIN AIR FORCE BASE, FLORIDA

Effective Internal Audit in the Financial Services Sector

Consultation Questions

ORGANOVO HOLDINGS, INC. CORPORATE GOVERNANCE GUIDELINES

REPORT 2016/057 INTERNAL AUDIT DIVISION

A Guide to Corporate Governance for QFC Authorised Firms

AUDIT REPORT. The Department of Energy's Implementation of Voice over Internet Protocol Telecommunications Networks

POL ENTERPRISE RISK MANAGEMENT SC51. Executive Services Department BUSINESS UNIT: Executive Support Services SERVICE UNIT:

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

Corporate Governance DIRECTORS SECURITIES TRANSACTIONS BOARD OF DIRECTORS

SunTrust Banks, Inc. Audit Committee of the Board of Directors Charter

中 國 通 信 服 務 股 份 有 限 公 司

BAHRAIN TELECOMMUNICATIONS COMPANY B.S.C. AUDIT COMMITTEE CHARTER

CITY UNIVERSITY OF NEW YORK EMPLOYEE ACCESS TO THE STUDENT INFORMATION MANAGEMENT SYSTEM AT SELECTED CAMPUSES. Report 2007-S-23

Auditor's Objective in an Audit of Internal Control Over Financial Reporting

European Common Audit Inspection Methodology. Tone at the Top work programme Expected inspection procedures

Advisory Services Oracle Alliance Case Study

Board Risk & Compliance Committee Charter

Chelsea Mulvey, Manager of Compliance The REALTORS Association of the Palm Beaches One Harvard Circle West Palm Beach, Florida 33409

Appendix A - Charter of the Academic and Student Affairs Committee

GARMIN LTD. CORPORATE GOVERNANCE GUIDELINES

TITLE III INFORMATION SECURITY

Financial services mis-selling: regulation and redress

August 2008 Report No

Lee & Man Paper Manufacturing Limited (Incorporated in the Cayman Islands with limited liability) (Stock Code: 2314)

Auditor General s Office. Governance and Management of City Computer Software Needs Improvement

TERMS OF REFERENCE BOARD OF DIRECTORS

Information Security Policies. Version 6.1

SPIN MASTER CORP. CHARTER OF THE AUDIT COMMITTEE

Transcription:

Distribution: Company Information Management (CIM) Audit Report Report # 2/15 March 11, 2015 To: President & CEO Senior Vice President & Chief Financial Officer Senior Vice President, Business Solutions & Innovation Vice President, Business Intelligence & Innovation Vice President & Corporate Controller Director, Information Management Business Change Lead, Data Governance Office CC: Senior Vice President, Business Development Senior Vice President, Corporate Affairs & Secretary Senior Vice President & Chief Risk Officer Senior Vice President, Financing and Investments Senior Vice President, Human Resources & Communications Senior Vice President, Insurance Acting Senior Vice President, Insurance Vice President & Chief Information Officer Vice President, Enterprise Portfolio Management Office Director, Strategic Planning & Government Relations Principal, Office of the Auditor General Director, Office of the Auditor General Audit Team: Steve Hu Lawrence Di Stefano Vice President, Internal Audit Monica Ryan.

Table of Contents Introduction... 3 Audit Objectives & Scope... 3 Internal Audit Opinion... 3 Audit Findings & Action Plans... 4 Conclusion... 5 2

Introduction In accordance with our 2014 Audit Plan, EDC Internal Audit performed an audit of the Company Information Management (CIM) project. The first releases of CIM have been foundational, focused on the institutionalization of company data governance at EDC and the implementation of an IT infrastructure to support company data governance. The institutionalization of company data governance has included the establishment of a data governance office (DGO), a centralized CIM team that sets the control standards, processes, and tools for maintaining and monitoring the integrity of company data, and a network of business stewards across EDC responsible for ensuring the on-going integrity of company data. An application called Universal Company Master (UCM) has been implemented to enable company data governance and will also enable the decommissioning of the Company Index (CI). Company data is currently limited to company name and company headquarter address. The intention is to extend company data governance beyond these two data elements through future releases of UCM and the related projects. Audit Objectives & Scope The objective of the audit was to evaluate the controls in place to maintain the integrity of company name and address. Specifically, this included an evaluation of the preventative controls that limit the number of users that can add/change/delete company data and segregate the ability to initiate, approve and record an addition, change or deletion. We also reviewed the monitoring or detective controls in place to identify and follow up on potential data quality exceptions such as duplicate records. Internal Audit Opinion In our opinion, Opportunities Exist to Improve Controls 1 surrounding company data. Sound control standards have been implemented with respect to the deletion of company records. However until CI is decommissioned, it is not feasible to implement preventative control standards for new additions or changes to existing records. During this interim period, reliance is on the Business Stewards to execute detective controls to identify and follow up on data quality exceptions on a timely basis. Business Stewards have been nominated, their roles and responsibilities have been defined, and tools commensurate with these roles and responsibilities have been designed. However, a company data governance policy has not yet been issued which would formalize roles and responsibilities, control standards, and convey both as a corporate priority. In the absence of this policy, most of the effort for maintaining the integrity of company data is falling to the CIM team. The CIM team has appropriately triaged their efforts to their capacity, however it is not scalable. In addition, although the configuration of 1 Our standard audit opinions are as follows: - Strong Controls: Key controls are effectively designed and operating as intended. Best in class internal controls exist. Objectives of the audited process are most likely to be achieved. - Well Controlled: Key controls are effectively designed and operating as intended. Objectives of the audited process are likely to be achieved. - Opportunities Exist to Improve Controls: One or more key controls do not exist, are not designed properly or are not operating as intended. Objectives of the process may not be achieved. The financial and/or reputation impact to the audited process is more than inconsequential. Timely action is required. - Not Controlled: Multiple key controls do not exist, are not designed properly or are not operating as intended. Objectives of the process are unlikely to be achieved. The financial and/or reputation impact to the audited process is material. Action must follow immediately. 3

UCM includes a sound control to identify potential duplicates, a transaction trail of the resolution of duplicates is not yet available. As a result, we were unable to confirm whether potential duplicate records are being addressed. Management has identified effective action plans for resolving these matters and are included in Appendix A. Audit Findings & Action Plans 1. Data Governance Framework The standard controls for master data include a combination of both preventative and detective controls. This includes: user access controls that limit the number of people who can add, delete or change master data (preventative); formal change controls that segregate the ability to initiate, approve and record a change (preventative), and timely exception reporting and resolution process to address any errors (detective). We found that sound control standards have been implemented with respect to the deletion of company records. However, until CI is decommissioned, it is not feasible to implement preventative control standards for new additions or changes to existing records. During this interim period, reliance is on the Business Stewards to execute detective controls to identify and follow up on data quality exceptions on a timely basis. Business Stewards have been nominated, their roles and responsibilities have been defined, and tools commensurate with these roles and responsibilities have been designed. However, a company data governance policy has not yet been issued which would formalize roles and responsibilities, control standards, and convey both as a corporate priority. In the absence of this policy, most of the effort for maintaining the integrity of company data is falling to the CIM team. The CIM team has appropriately triaged their efforts to their capacity, however it is not scalable. Management has agreed to issue a company data governance policy. In addition, a detailed review of the roles and responsibilities relating to Business Stewards will be performed in order to assess appropriate workloads and assign sufficient resources. Rating of Audit Finding - Major 2 Action Owner VP, Business Intelligence & Innovation Due Date Q4, 2015 2 The ratings of our audit findings are as follows: Major: a key control does not exist, is poorly designed or is not operating as intended and the financial and/or reputation risk is more than inconsequential. The process objective to which the control relates is unlikely to be achieved. Corrective action is needed to ensure controls are cost effective and/or process objectives are achieved. Moderate: a key control does not exist, is poorly designed or is not operating as intended and the financial and/or reputation risk to the process is more than inconsequential. However, a compensating control exists. Corrective action is needed to avoid sole reliance on compensating controls and/or ensure controls are cost-effective. Minor: a weakness in the design and/or operation of a non-key process control. Ability to achieve process objectives is unlikely to be impacted. Corrective action is suggested to ensure controls are cost-effective. 4

2. UCM Transaction Trails The configuration of UCM includes a sound control to identify potential duplicates through a matching routine. However, we found that a transaction trail of the resolution of duplicates cannot yet be generated from UCM. As a result, we were unable to confirm whether potential duplicate records are being addressed. Management has agreed to maintain a UCM based, or other satisfactory, transaction trail for the resolution of potential duplicate records placed into suspense as a result of the UCM matching routine. Rating of Audit Finding Moderate Action Owner VP, Business Intelligence & Innovation Due Date Q1, 2016 Conclusion The audit findings and action plans have been communicated to and agreed by management, who has developed action plans that are scheduled for implementation no later than Q1, 2016. We would like to thank management for their support throughout the audit. 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information