PRESENTATION TO IIA SEATTLE CHAPTER Data January 2019

Protiviti Perspective provided by Nikhil K., New Delhi

Internal Audit, Risk, Business & Technology Consulting

PRESENTER

Roy Taylor, MBA, CISA – Associate Director, Protiviti San Francisco
• 20 years in data / analytics space
• Past experience as Director and Program Manager for Data Warehouse and Analytics with Fortune 500 companies
• Conducted numerous Data Governance audits and assessments
• Advises clients on establishing data governance programs

© 2018 Protiviti – Confidential. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.

ABOUT PROTIVITI

Protiviti helps companies around the globe identify, measure, and navigate the risks they face, within their industries and throughout their systems and processes, using proven value-added solutions:

Data Management and Advanced Analytics
• Data Governance, Warehousing and Business Intelligence
• Predictive Modeling and Advanced Analytics
• Model Risk Management

Restructuring and Litigation Services
• Corporate Restructuring and Recovery
• Litigation Consulting

Risk and Compliance
• Credit Risk
• Enterprise Risk Management (ERM)
• Market and Commodity Risk
• Model Risk and Capital Management
• Operational Risk
• Anti-Money Laundering
• Regulatory Compliance
• Security and Privacy
  ― and Privacy Management
  ― Incident Response & Forensics Services
  ― Digital Identity & Access Management
  ― Technical Security Assessment
  ― Security Program & Strategy Services
  ― Cybersecurity Intelligence Response Center (CIRC)

Business Performance Improvement
• Capital Projects and Contracts
• Customer Engagement
• Finance Optimization Services
• Performance and Information Management
• Revenue Enhancement
• Supply Chain
• Strategy Communications and Change Enablement

Technology Consulting
• Protiviti Software Services
  ― Risk Technologies
  ― Custom Developed Software
  ― Enterprise Content Management
• Enterprise Resource Planning
• Technology, Strategy and Operations
  ― IT Governance & Risk Management
  ― IT Operations Improvement
  ― Program, Portfolio & (3PM)
  ― IT Strategy & Architecture

Internal Audit and Financial Advisory
• Data Mining and Analytics
• Financial Remediation and Reporting Compliance
• Financial Investigations
• Internal Audit
• Fraud Risk Management
• Internal Audit Quality Assurance Reviews
• International Financial Reporting Standards (IFRS)
• IT Audit Services
• SOX and Financial Reporting Controls Compliance
• Public Company Transformation

Transaction Services
• Due Diligence
• M&A Integration and Divestiture
• Private Equity Services

TOPICS TO BE COVERED TODAY

1. Why Implement Data Governance?

2. What Frameworks can be used to Develop and/or Audit a Data Governance Program?

3. What are the Core Components of a Data Governance Program?

4. Review some Examples of Scoping and Approach for Data Governance Audits

TOPICS TO BE COVERED TODAY

1. Why Implement Data Governance?

WHY IMPLEMENT DATA GOVERNANCE?

Business Need / Data Governance Helps With …
• To comply with data security and privacy regulations: Policies for data security, sharing of data, identifying where private or sensitive data lives
• To make sure we can rely on our data being available: Policies and process for database backups, database configurations, database monitoring, capacity and performance management, applying security patches
• To make sure we can easily integrate data – new systems, acquisitions: Development of a flexible data architecture that allows new data sources to be quickly integrated
• To ensure that our regulatory reporting is correct: Definition of systems of record, data flows through systems, business rules applied to data, quality control checks
• To standardize our reporting: Agreement on common data definitions and business rules
• To improve data quality: Creation of data quality scorecards, definition of ‘fit for use’, pushing data quality to the ‘front-line’
• To get a better understanding of our Customers or Vendors: Improving completeness and accuracy of customer / vendor records
• To make sure data issues are prioritized and addressed: Establishing data ownership and accountability for providing data to the organization
• To become a data-driven organization: Prioritizing and funding data projects

WHY IMPLEMENT DATA GOVERNANCE?

Many organizations are proactively focusing on Data Governance and creating teams that explicitly manage data across the enterprise. This provides for better control over data assets, reduces the costs of , improves the quality and consistency of data, and drives business value.

REACTIVE
• Everything is an emergency
• Different rules depending on who you talk to
• Recurring issues with quality, timeliness and consistency
• Lack of accountability

PROACTIVE
• Clear processes and procedures for managing data
• Clear communication of priorities
• Clear management and resolution of data issues
• Confidence in the reliability of data
• Clear ownership of data
• Clearly documented and controlled policies and procedures

WHY IMPLEMENT DATA GOVERNANCE?

• Risk Management & Regulatory Reporting: Address regulators’ increased focus on data quality and control procedures and on the availability of accurate, timely, and reliable information for reporting.
• Regulatory Compliance: Establish the rigorous data standards, policies, and processes that are required by regulators, and ensure accountability for and auditability of data.
• Data Privacy & Protection: Enable the identification of all instances of employee and customer data and who has access to sensitive data.
• Improved Operational Effectiveness: Reduce the fragmentation within key business processes and the need for manually intensive activities and error-prone data integration processes.
• Cost Savings & Avoidance: Lower costs by increasing operational efficiency with business process automation and by eliminating redundancy.
• Improved Analytics & Decision Making: Instill greater confidence in reporting and analytics by improving the quality and consistency of data.
• Revenue Growth: Develop a broad and deep understanding of existing customers to better target campaigns and offers based on a specific customer's needs.
• Partnering & Outsourcing: Enable data to be efficiently and accurately deployed for external use.
• Enhanced Customer Service: Increase responsiveness by closing the gap between insights and action.
• Mergers & Acquisitions: Establish more efficient processes for migrating and consolidating data after a merger or acquisition.

WHY IMPLEMENT DATA GOVERNANCE?

As data is an enterprise asset, organizations must take an enterprise approach to Data Governance that defines the Roles and Responsibilities, Policies and Processes to control the management of data as a business asset.

❑ Organizations have historically focused on Compliance and Protecting Data; however, there is a growing trend to use Data Governance to realize additional business value from data.
❑ Data Governance is not just an IT responsibility. Business functions should play a large role in defining policies for data management.
❑ Data Governance tends not to focus on cyber security or risks of data breaches, as these are usually covered elsewhere.

TOPICS TO BE COVERED TODAY

2. What Frameworks can be used to Develop and/or Audit a Data Governance Program?

Three frameworks we see most often are –

FRAMEWORKS

Data Management Association (DAMA) – DM Book of Knowledge (DMBOK)
https://dama.org
https://dama-ps.org (local chapter)

• Broad reference model
• 8 core areas
• Industry neutral

• Industry and enterprise licenses
• Individual ~ $79
• https://technicspub.com/dmbok/

FRAMEWORKS

Data Management Association (DAMA)
https://dama-ps.org (local chapter)

FRAMEWORKS

Enterprise Data Management Council (EDM) – Data Management Capability Assessment Model (DCAM)
https://edmcouncil.org

• EDM Council founded by Financial Services organizations and vendors

• Oriented to Financial Services regulations and creation of regulatory reports

• Company membership $10,000 - $15,000
• No individual membership

• Limited activity on West coast

FRAMEWORKS

CMMI Institute (ISACA) – Data Management Maturity (DMM)
https://cmmiinstitute.com/data-management-maturity

• Relatively new

• Industry neutral

• Linked to COBIT

• Individual license $100

TOPICS TO BE COVERED TODAY

3. What are the Core Components of a Data Governance Program?

FRAMEWORKS – COMMON ATTRIBUTES

Policies, Processes & Standards
• Policies & Rules
• Processes
• Controls
• Data Standards & Definitions
• Metadata, Taxonomy, Cataloging, and Classification

Measurement & Monitoring
• Statistics and Analysis
• Tracking of progress
• Monitoring of issues
• Continuous Improvement
• Score-carding

Organization
• Operating Model
• Decision Makers & Escalation Points
• Data Governance Organization Members
• Roles and Responsibilities
• Data Ownership & Accountability

Technology
• Data Quality & Lineage Tools
• Data Mastering & Sharing
• Data Architecture & Security
• Stewardship Workflows
• Business Glossary & Metadata Repository

Strategy
• Vision & Mission
• Objectives & Goals
• Alignment with Corporate Objectives
• Alignment with Business Strategy
• Guiding Principles

Communication
• Communication Plan
• Mass Communication
• Individual Updates
• Mechanisms
• Training

Change Management
• Business Impact & Readiness
• IT Operations & readiness
• Training Strategy
• Training & Awareness
• Stakeholder management & Communication
• Defining Ownership & Accountability

(All of the above surround the central Data Governance function.)

DATA GOVERNANCE STRATEGY

The organization should have a defined organizational model for the Data Governance function. The model could take various forms including –
− A formal (centralized) organization led by a Chief Data Officer (CDO)
− A de-centralized model whereby responsibilities are absorbed into existing functions

Key aspects of the model should include –
• A Data Governance Charter – defining the scope of authority for the DG function
• Defined roles and responsibilities for both IT and Business resources
• A funding model – either its own funding or a ‘tax’ on projects
• A mechanism to develop and approve DG processes, including:
  − Prioritize data management initiatives, and ensure these are aligned with business priorities
  − Review and approve data management policies
  − Review and approve the data management architecture
  − Monitor compliance with data management policies
  − Monitor compliance with regulatory requirements
• A communication plan to promote data management standards and policies

DATA STEWARDS

The roles and responsibilities of Business Data Stewards can be split among three major involvement areas:

Overall Business Alignment and Representation
• Act as a Data Governance champion for a particular business area or function, such as ‘New Accounts’ or ‘Customer Service’
• Responsible for understanding all established Data Governance policies, standards, and procedures, and confirming business users’ understanding and adherence to these policies.
• Provide a clear line of communication to the Enterprise Data Governance function for the alerting and escalating of issues.
• Work to identify and define important business terms, and provide input for business requirements that affect data quality standards and overall usage

Data Life-Cycle Management
• Help establish priorities within business functions and continuously review requirements as part of new work requests or established work streams
• Define the data, manage metadata, and communicate new business data definitions and approved data usage standards to Enterprise Data Governance
• Take ownership and responsibility of metrics and monitoring overall compliance of data conforming to the established measures
• Make recommendations on how data quality can be improved and protected as a result of any root cause analysis following any conflict resolution that has been escalated.
• Understand and assess any enterprise impacts to data change by participating in stewardship committees organized around new data and project initiatives

Data Quality and Risks
• Establish acceptable levels of data quality that can be measured
• Understand all data use cases for critical data elements and be included in actions or decisions for new planned data usage scenarios.
• Define improvement opportunities as a result of reviewing data quality metrics and analysis of root causes for any data falling below acceptable levels
• Support new business cases for improvement projects for improving data quality

DATA GOVERNANCE STRATEGY – KEY RISKS

• Data Stewardship: Defined data stewardship roles and responsibilities do not exist, resulting in a lack of accountability and coordination across the organization as well as poorly defined and controlled data.
• Data Governance and Stewardship Organizations: Appropriate data governance roles and responsibilities do not exist to support the strategic alignment between the data management function and the business as a whole.
• Data Strategy: A formal data strategy has not been defined, resulting in an ineffective data management program that does not align with business strategy or support the achievement of business objectives.
• Data Policies, Standards and Procedures: Data policies, standards and procedures are not formally defined or communicated to the organization, resulting in ad-hoc, inconsistently applied data management practices which negatively impact data definition, data collection, data maintenance, data use, and data security processes.
• Data Architecture: A defined enterprise data model does not exist, does not take into account business requirements, or is not approved, resulting in data architecture that is not suitable to meet the needs of the organization.
• Regulatory Compliance: Non-compliance incidents are not identified or corrected, adversely impacting the organization’s performance and reputation.
• Issue Management: Data related issues are not identified and resolved in a timely manner, resulting in poor data quality, regulatory non-compliance, or reliance on incorrect information to make business decisions.
• Project Management: Data management projects are not appropriately managed, resulting in a lack of project prioritization, potential misallocation of funds, and sub-optimal decision making.
• Data Management Services: Organizational data management service expectations are not formally defined in a service level agreement, resulting in the organization’s data needs not being met.
• Communication and Promotion: Stakeholders are unaware of data management responsibilities, resulting in noncompliance with organizational data standards and external regulations.

DATA ARCHITECTURE

The organization should have a documented data architecture strategy that includes –
• The principles and design patterns to be used for data management
  − How data will be shared and integrated between systems
    • Will each system have its own physical copy of data?
    • How will data be shared and synchronized across systems (to maintain data integrity)?
  − Standards for development
• What platforms and technologies will be used to manage data?
• What are the core data subject areas and how are these related? e.g.
  • Customers
  • Vendors
  • Sales
  • Inventory
  − And defines these data concepts, e.g. how do we define a customer?

DATA ARCHITECTURE – KEY RISKS

• Understanding Enterprise Information Needs: Enterprise information needs are not understood, resulting in inadequate information for business functions, inconsistency between information requirements and application development, and inefficient planning of IT-enabled investment programs.
• Develop and Maintain the Enterprise Data Model:
  − Enterprise Data model is not consistent with IT plans, rigidity of models, security/cost-effectiveness issues and non-upgrading of models.
  − Without business involvement and design reviews, data models will be inaccurate and inconsistent and will not support business needs.
  − Without change management controls, data models will not accurately reflect changing business requirements.
• Define and Maintain the Database Technology Architecture: Without defining and maintaining database architecture, data standards for all data systems and integration are not possible.
• Define and Maintain the Data Integration Architecture: Data Management is inconsistent and criteria are not well-defined, leading to distorted information, unreliable external reports and data integrity errors and incidents.
• Understand Data Technology Requirements: Data technology requirements are not understood, resulting in the implementation of suboptimal solutions to business problems.

DATABASE MANAGEMENT

Database management is the set of activities designed to ensure the integrity of the database, manage the availability of data and optimize performance of the database environments. This is typically achieved by:

• Conducting performance monitoring, error reporting and performance tuning
• Implementing backup and recovery mechanisms
• Implementing redundancy and failover in the database environment (e.g. through clustering)
• Implementing an archiving mechanism
• Implementing a controlled process for changes to the database environment
• Applying upgrades and patches to maintain the database environment at a supported level
• Tracking issues and reporting/tracking issues logged with vendors
• Maintaining an inventory and tracking usage of technology licenses

❑ Review of this area may already be covered as part of other IT audits.

DATABASE MANAGEMENT – KEY RISKS

• Implement and Control Database Environments: The organization may not have the database systems it needs to effectively support the current and future information requirements of the business in an efficient, cost-effective and well-controlled fashion.
• Backup and Recover Data: Data availability is compromised by a lack of adequate backup and restoration procedures and technologies.
• Set Database Performance Service Levels: Database performance expectations are not formally defined in a service level agreement, resulting in a lack of data availability and application performance.
• Monitor and Tune Database Performance: Database performance issues are not identified and addressed, resulting in data not being available to the business.
• Archive, Retain and Purge Data: A data retention plan is not formally defined and followed, resulting in data that is unavailable to address operational and compliance needs, or performance issues arising from data being retained beyond its useful life.
• Inventory and Track Data Technology Licenses: The organization is not in compliance with licensing agreements, resulting in fines and reputational damage.

DATA SECURITY MANAGEMENT

Effective data security policies and procedures ensure that the right people can use and update data in the right way, by complying with the regulatory, privacy and confidentiality needs of all stakeholders. This is typically achieved by:

• Defining a data security policy based on regulatory and internal requirements
• Defining standards such as data encryption, data transmission, remote access and password standards
• Classifying information confidentiality
• Defining a process to request, track and approve initial authorizations and subsequent changes
• Establishing a mechanism to grant access to databases (such as group memberships)
• Monitoring user authentication and access behavior

Review of this area may already be covered as part of other IT or SOX Audits; however, validate if the following are covered –
❑ Approvals for access by Database Administrators (DBA)
❑ Monitoring of changes to data made by DBAs. All changes are logged, but DBAs have privileges to delete / manipulate the logs!
❑ Analytics environments – access is often given to all data
❑ Data in staging and test environments (if this is copied from production)
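The DBA point above is the one logging alone does not close: an administrator who can delete or rewrite the audit trail can also hide a change. The Python below is an added example, not from the Protiviti deck, of one mitigation an auditor can test for: each log entry is hash-chained to the one before it, and the final hash is anchored in a store the DBA cannot write to (a variable here stands in for a separate log platform or write-once storage, which is an assumption of the example). Deleting, modifying or truncating entries then breaks verification. The events, user names and table names are constructed for the example.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64   # stands in for the hash of the entry before the first one


def entry_hash(prev_hash, event):
    """Hash of one entry: SHA-256 over the previous hash and the canonical JSON of the event."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append(chain, event):
    """Append an event, linking it to the current head of the chain; returns the new head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": event, "prev": prev, "hash": entry_hash(prev, event)})
    return chain[-1]["hash"]


def verify_chain(chain, anchored_head):
    """Recompute every link and compare the final hash to the externally anchored value."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return False, f"link broken at index {i}"
        if entry_hash(prev, entry["event"]) != entry["hash"]:
            return False, f"entry modified at index {i}"
        prev = entry["hash"]
    if prev != anchored_head:
        return False, "head differs from anchored value: entries removed or appended"
    return True, "ok"


def privileged_changes(chain, privileged_users):
    """Detection view: data-changing statements executed by privileged (DBA) accounts."""
    return [e["event"] for e in chain
            if e["event"]["user"] in privileged_users
            and e["event"]["action"] in ("INSERT", "UPDATE", "DELETE")]


# Constructed sample of database change events (users, tables and timestamps are made up).
EVENTS = [
    {"ts": "2019-01-07T09:12:00Z", "user": "app_svc", "action": "INSERT", "table": "customer", "rows": 1},
    {"ts": "2019-01-07T09:40:00Z", "user": "dba01", "action": "UPDATE", "table": "customer", "rows": 1},
    {"ts": "2019-01-07T10:05:00Z", "user": "dba01", "action": "DELETE", "table": "audit_log", "rows": 250},
    {"ts": "2019-01-07T10:30:00Z", "user": "app_svc", "action": "SELECT", "table": "customer", "rows": 40},
]


def build_and_anchor(events=EVENTS):
    """Build the chain; the returned head is what would be written to the tamper-resistant store."""
    chain = []
    head = GENESIS
    for ev in events:
        head = append(chain, ev)
    return chain, head


def check_deleted_entry():
    chain, head = build_and_anchor()
    tampered = [chain[0]] + chain[2:]          # an entry in the middle was removed
    return verify_chain(tampered, head)


def check_modified_entry():
    chain, head = build_and_anchor()
    tampered = copy.deepcopy(chain)
    tampered[2]["event"]["rows"] = 0            # the row count of the DELETE was rewritten
    return verify_chain(tampered, head)


def check_truncated_log():
    chain, head = build_and_anchor()
    return verify_chain(chain[:3], head)        # last entry dropped; links still consistent


if __name__ == "__main__":
    chain, head = build_and_anchor()
    print("intact:", verify_chain(chain, head))
    print("deleted:", check_deleted_entry())
    print("modified:", check_modified_entry())
    print("truncated:", check_truncated_log())
    print("privileged changes:", privileged_changes(chain, {"dba01"}))
```

On review, the exported log is run through verify_chain against the anchored head; privileged_changes then lists the DBA-originated data changes that the slide says should be monitored. The truncation case only fails because the head was anchored outside the database, which is the control an auditor should look for.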

DATA SECURITY MANAGEMENT – KEY RISKS

• Understand Data Security Needs and Regulatory Requirements: Data security needs and requirements do not map to the company’s short term or long term goals or address regulatory requirements. This may lead to compliance, reputational or financial impact.
• Define Data Security Policy: Absence of a data security policy may lead to employees being unaware of privacy policies and procedures, which may lead to exposure of sensitive data.
• Define Data Security Standards: Data Security standards are not aligned with local or national privacy laws and the company’s policies, which may lead to compliance and financial impacts.
• Define Data Security Controls and Procedures: Security controls and procedures do not address company policies or compliance obligations, which may lead to financial and compliance related impacts.
• Manage Users, Passwords and Group Memberships: Inappropriate user management procedures may lead to unauthorized access to functions and individuals, which may lead to financial, compliance related impacts.
• Manage Data Access Views and Permissions: Access to sensitive data is not appropriately managed, resulting in the exposure of sensitive information to unauthorized parties that may lead to financial and compliance related impacts.
• Monitor User Authentication and Access Behavior: Inappropriate access and misuse of information assets goes undetected, resulting in negative compliance, reputational, and financial impacts.
• Classify Information Confidentiality: Information is not adequately classified, resulting in inappropriate access to confidential information that may lead to financial or compliance related impacts.
• Audit Data Security: Improvements and/or vulnerabilities are not identified, resulting in process weaknesses and business requirements not being met. This may lead to financial or compliance related impacts.

DATA QUALITY MANAGEMENT

Data Quality Management is a critical process that involves more than just correcting data. Pro-active DQM involves defining data quality metrics and a cycle of continuous monitoring and improvement. This is typically achieved by:

• Defining responsibility for data quality with Data Stewards
• Defining measurement of data quality (fit for use)
• Profiling data and establishing a data quality baseline
• Defining a process to prioritize and correct data quality defects
• Publishing data quality scorecards
• Training / feedback to the front-line to drive data quality improvements

❑ Data Owners are ‘service-providers’ who are responsible for providing data to the organization; as such they need to understand the users of data and their data quality requirements
❑ Data corrections should be made in the source system and not ‘fixed’ downstream
❑ Improvements in data quality require establishing a shared culture where all levels of the organization understand the downstream impacts of poor data quality

DATA QUALITY MEASUREMENT

Not all data needs to be 100% correct. Requirements for data quality should be defined within the context of “fit for use”. Data quality can be measured against a number of dimensions; not all dimensions will apply to each data element.

Accuracy: The degree that data correctly represents the “real life” entities. Usually measured by comparison to a known correct value, or against dynamically computed values.

Completeness: The degree to which a data record contains all required values.

Consistency: The degree to which the same data values exist across different data records or databases (also known as referential integrity).

Currency: The degree to which data is up to date.

Precision: The degree to which a data value has the correct level of detail.

Reasonableness: A measure of the consistency expectations of the data.

Timeliness: A measure of the availability of data based on service levels.

Uniqueness: The degree to which data elements that should only exist once within a dataset have not been duplicated.

Validity: Refers to whether a data value conforms to its data type, format pattern or lies within a known valid range of values.
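To make the dimensions above concrete for a scorecard, the following Python is an added example (not part of the Protiviti deck): it scores a constructed five-record customer extract on completeness, validity, consistency (referential integrity against a reference table), currency and uniqueness, compares each score with a “fit for use” threshold, and lists per-record defects for the steward. The thresholds, the 365-day currency window, the measurement date and the reference country table are all assumptions made for the example.

```python
import re
from datetime import date

# Reference data: the valid value domain for country codes (constructed for this example).
COUNTRY_CODES = {"US", "CA", "GB", "DE"}

# Constructed customer extract; every value below is made up for the example.
CUSTOMERS = [
    {"id": 1, "name": "Ada Example", "email": "ada@example.com", "country": "US", "updated": "2018-11-02"},
    {"id": 2, "name": "Bo Sample", "email": "bo@example", "country": "CA", "updated": "2018-12-15"},
    {"id": 3, "name": "", "email": "cy@example.com", "country": "XX", "updated": "2016-01-20"},
    {"id": 1, "name": "Ada Example", "email": "ada@example.com", "country": "US", "updated": "2018-11-02"},
    {"id": 4, "name": "Di Test", "email": None, "country": "DE", "updated": "2018-09-30"},
]

REQUIRED = ("id", "name", "email", "country", "updated")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
AS_OF = date(2019, 1, 1)    # measurement date (assumed)
MAX_AGE_DAYS = 365          # currency expectation (assumed)

# "Fit for use" thresholds per dimension; assumed here, agreed with the data owner in practice.
THRESHOLDS = {"completeness": 0.95, "validity": 0.95, "consistency": 0.99,
              "currency": 0.80, "uniqueness": 1.0}


def is_complete(rec):
    """Completeness: every required field is present and non-empty."""
    return all(rec.get(f) not in (None, "") for f in REQUIRED)


def is_valid(rec):
    """Validity: email matches the format pattern and the update date parses."""
    email = rec.get("email")
    if not isinstance(email, str) or EMAIL_RE.match(email) is None:
        return False
    try:
        date.fromisoformat(rec.get("updated") or "")
    except ValueError:
        return False
    return True


def is_consistent(rec):
    """Consistency (referential integrity): the country code exists in the reference table."""
    return rec.get("country") in COUNTRY_CODES


def is_current(rec, as_of=AS_OF):
    """Currency: the record was updated within MAX_AGE_DAYS of the measurement date."""
    try:
        age = (as_of - date.fromisoformat(rec.get("updated") or "")).days
    except ValueError:
        return False
    return 0 <= age <= MAX_AGE_DAYS


def uniqueness(records, key="id"):
    """Uniqueness: share of records whose key has not already appeared in the dataset."""
    seen, dupes = set(), 0
    for r in records:
        if r[key] in seen:
            dupes += 1
        seen.add(r[key])
    return 1 - dupes / len(records) if records else 1.0


def scorecard(records):
    """Score each dimension as the fraction of records passing its check."""
    n = len(records)
    return {
        "completeness": sum(is_complete(r) for r in records) / n,
        "validity": sum(is_valid(r) for r in records) / n,
        "consistency": sum(is_consistent(r) for r in records) / n,
        "currency": sum(is_current(r) for r in records) / n,
        "uniqueness": uniqueness(records),
    }


def fit_for_use(scores, thresholds=THRESHOLDS):
    """Compare each dimension with its threshold; False marks a dimension to prioritize."""
    return {dim: scores[dim] >= t for dim, t in thresholds.items()}


def defects(records):
    """Per-record failures, so the steward can route corrections to the source system."""
    checks = {"completeness": is_complete, "validity": is_valid,
              "consistency": is_consistent, "currency": is_current}
    out = []
    for idx, r in enumerate(records):
        failed = [name for name, check in checks.items() if not check(r)]
        if failed:
            out.append((idx, r["id"], failed))
    return out


if __name__ == "__main__":
    scores = scorecard(CUSTOMERS)
    verdict = fit_for_use(scores)
    for dim, value in scores.items():
        print(f"{dim:13s} {value:.2f}  {'OK' if verdict[dim] else 'BELOW THRESHOLD'}")
    for idx, rec_id, failed in defects(CUSTOMERS):
        print(f"record {idx} (id={rec_id}): {', '.join(failed)}")
```

Accuracy, precision, reasonableness and timeliness are left out because they need a known-correct comparison value or a service-level definition that a standalone extract does not carry; the same scorecard structure accepts them once those inputs exist.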

DATA QUALITY – KEY RISKS

• Develop and Promote Quality Awareness: Necessary stake-holders in the organization are not made aware of data quality needs and in turn do not buy-in to or support the organization’s Data Quality Management program.
• Define Data Quality Requirements, Metrics and Business Rules: Data quality requirements, metrics, and business rules are not well defined, resulting in the collection of data that does not align with business objectives and requirements or is unsuitable for use in the business processes for which the data was collected.
• Set and Evaluate Data Quality Service Levels: Organizational data quality expectations are not formally defined in a service level agreement, resulting in inadequate data quality issue identification and remediation.
• Continuously Measure and Monitor Data Quality: Data quality is not consistently measured and monitored, resulting in the use of data that does not meet established business requirements and is not fit for use.
• Manage Data Quality Issues: A mechanism for recording and tracking data quality incidents does not exist, resulting in ineffective processes to research and resolve data quality incidents.
• Clean and Correct Data Quality Defects: A process does not exist to correct acute data quality issues and their corresponding root causes, resulting in reoccurring data quality issues and the use of poor quality data.
• Design and Implement Operational DQM Procedures: A consistent operational approach to data quality management does not exist or is not formally defined, resulting in unrepeatable data quality management processes.
• Monitor Operational DQM Procedures and Performance: Operational data quality management processes are not monitored and measured, resulting in suboptimal performance of data quality management processes.

REFERENCE AND MASTER DATA MANAGEMENT

Master Data Management refers to the process of establishing an authoritative source for business entities such as customers, products or vendors (also known as a golden record or system of record). Reference Data Management refers to the definition of valid data values (or codes). Once defined, both master and reference data are made available for shared use across the organization. This is typically achieved by:

• Identifying data sources and contributors (lineage)
• Developing a data integration architecture
• Implementing a process to define and maintain match rules to identify identical entities, and standards to determine whether to merge or link records
• Defining a process to manage and maintain hierarchies and affiliations
• Publishing and distributing reference and master data
• Defining a process to manage changes to reference and master data

❑ As reference and master data are shared across the organization, it can be challenging to determine which individuals are accountable. Program steering committees and data governance councils must make decisions collaboratively.
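The list above mentions match rules to identify identical entities and standards for deciding whether to merge or link records. The following is an added example, not from the presentation, of what those rules look like when written down: deterministic match keys (normalised e-mail, last ten phone digits, surname), a two-tier decision (identity match merges into one golden record, a probable match is only linked), union-find clustering of the merges, and survivorship by source priority with the contributing source ids retained for lineage. The normalisation rules, the source priority and the sample records are assumptions constructed for the example.

```python
"""Added example: match rules and golden-record survivorship for customer
master data. The normalisation rules, merge/link decision, source priority
and sample records are assumptions made for this example, not the
presentation's content."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: one customer as seen by three source systems, plus
# a different customer who shares the surname and the area code.
SOURCE_RECORDS: List[Dict[str, str]] = [
    {"source": "crm", "id": "17", "name": "Ann  O'Neil", "email": "Ann.ONeil@Example.com", "phone": "(206) 555-0100"},
    {"source": "billing", "id": "B-88", "name": "O'Neil, Ann", "email": "ann.oneil@example.com", "phone": "206-555-0100"},
    {"source": "web", "id": "u42", "name": "A. O'Neil", "email": "", "phone": "2065550100"},
    {"source": "crm", "id": "18", "name": "Bob O'Neil", "email": "bob.oneil@example.com", "phone": "206-555-0199"},
]

# Assumed survivorship order: when sources disagree, the earlier one wins.
SOURCE_PRIORITY = ["crm", "billing", "web"]


def email_key(r: Dict[str, str]) -> str:
    return r["email"].strip().lower()


def phone_key(r: Dict[str, str]) -> str:
    digits = re.sub(r"\D", "", r["phone"])
    return digits[-10:] if len(digits) >= 10 else ""


def surname_key(r: Dict[str, str]) -> str:
    # "Surname, Given" when a comma is present, otherwise "Given Surname".
    name = r["name"].lower()
    part = name.split(",")[0] if "," in name else name.split()[-1]
    return re.sub(r"[^a-z]", "", part)


def match(a: Dict[str, str], b: Dict[str, str]) -> str:
    """'merge' for an identity match, 'link' for a probable match that is
    cross-referenced but kept as a separate record, otherwise 'none'."""
    if email_key(a) and email_key(a) == email_key(b):
        return "merge"
    if phone_key(a) and phone_key(a) == phone_key(b) and surname_key(a) == surname_key(b):
        return "link"
    return "none"


def survivorship(members: List[Dict[str, str]]) -> Dict[str, object]:
    """One golden record: first non-empty value by source priority, with
    the contributing source ids kept so the merge can be traced back."""
    ordered = sorted(members, key=lambda r: SOURCE_PRIORITY.index(r["source"]))
    golden: Dict[str, object] = {"sources": [f"{r['source']}:{r['id']}" for r in ordered]}
    attrs = (("name", lambda r: " ".join(r["name"].split())), ("email", email_key), ("phone", phone_key))
    for attr, key in attrs:
        golden[attr] = next((key(r) for r in ordered if key(r)), "")
    return golden


def build_golden_records(records: List[Dict[str, str]]) -> Tuple[List[Dict[str, object]], Set[tuple]]:
    """Cluster 'merge' matches with union-find, then express 'link'
    matches as pairs of golden ids."""
    parent = list(range(len(records)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    links: List[Tuple[int, int]] = []
    for i in range(len(records)):
        for j in range(i + 1, len(records)):
            decision = match(records[i], records[j])
            if decision == "merge":
                parent[find(j)] = find(i)
            elif decision == "link":
                links.append((i, j))

    clusters: Dict[int, List[int]] = {}
    for i in range(len(records)):
        clusters.setdefault(find(i), []).append(i)
    golden_id = {root: f"G{n}" for n, root in enumerate(clusters, 1)}
    goldens = []
    for root, members in clusters.items():
        g = survivorship([records[m] for m in members])
        g["golden_id"] = golden_id[root]
        goldens.append(g)
    link_pairs = {tuple(sorted((golden_id[find(i)], golden_id[find(j)])))
                  for i, j in links if find(i) != find(j)}
    return goldens, link_pairs


if __name__ == "__main__":
    goldens, link_pairs = build_golden_records(SOURCE_RECORDS)
    for g in goldens:
        print(g)
    print("linked:", sorted(link_pairs))
```

The CRM and billing records share a normalised e-mail and collapse into one golden record; the web record has no e-mail, so a phone and surname agreement only links it, and the auditor can see why. The merge threshold is the control worth reviewing: a rule that merged on phone and surname alone would have folded two real people into one record in a sample with a shared household phone.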

REFERENCE AND MASTER DATA – KEY RISKS

Understand Reference and Master Data Needs
• Reference and Master Data integration needs are not understood, resulting in inconsistent, duplicate, or low quality data being used across the organization.

Identify Master and Reference Data Sources and Contributors
• Upstream data sources and downstream data needs are not considered, resulting in duplicate or inconsistent data being used.

Define and Maintain the Data Integration Architecture
• Local reference and master data management occurs in application silos, resulting in redundant and inconsistent data.

Define and Maintain Match Rules
• Data matching rules are not appropriately defined, resulting in incorrect and inconsistent data.

Establish Golden Records
• Half-hearted maintenance of reference data degrades the quality of business data and results in misleading reports. Since each reference data set is a value domain with distinct values, there is a high risk of being unable to maintain those values.

Define and Maintain Hierarchies and Affiliations
• Important hierarchy and affiliation data may be overlooked if proper vocabularies and their associated data sets are not properly established and maintained between master data records. This may also lead to unauthorized vendors having access to data that they should otherwise not have access to.

Replicate and Distribute Reference and Master Data
• Data is not properly replicated, resulting in the degradation of referential integrity.

Manage Changes to Reference and Master Data
• Unauthorized or incorrect changes are made to reference and master data.

DATA WAREHOUSE AND BUSINESS INTELLIGENCE

A Data Warehouse consists of the technical architecture and the set of processes to extract, cleanse, transform and store data from a variety of data sources to provide an integrated decision support database. Business Intelligence refers to the tools and processes used to query and access data and provide reporting and analytics to support decision making. Implementation of the DW/BI environment is typically achieved by:

• Developing an overall BI/DW strategy and roadmap based on business intelligence needs (avoiding multiple versions of the truth and shadow IT systems)
• Defining a process for demand management and prioritization of business intelligence needs
• Selecting and implementing DW and BI tools and technologies
• Developing standards for data warehouse development, including processes to extract, cleanse, transform and load data into the data warehouse
• Standardizing reports and preventing report proliferation
• Developing guidelines for the ‘fair use’ of data

❑ Traditional DW and BI environments are usually well governed; however, emerging analytics environments used for ‘big data’ (also known as data lakes) are often loosely managed
❑ Business areas may develop their own reporting environments that are not subject to IT Governance for change controls, backups, etc.

BI AND DW – KEY RISKS

Understand Business Intelligence Needs
• Lack of a BI strategy restricts the company from developing an appropriate framework, methodology, processes, governance, systems, and technology to deliver value that aligns with the business objectives and priorities.

Define and Maintain the DW/BI Architecture
• The Data Warehousing and Business Intelligence Management architecture is not sufficient to meet the business’s Business Intelligence needs.

Implement BI Tools and User Interfaces
• Business Intelligence tools are not sufficient to provide the reporting functionality required by the business.

Process Data for Business Intelligence
• Data is not properly processed, resulting in inefficient storage of data and data that is not fit for business intelligence use.

Monitor and Tune Data Warehouse Processes
• Inefficiencies and errors are not identified, resulting in sub-optimal Business Intelligence performance and data quality.

Monitor and Tune BI Activity and Performance
• BI performance is not effectively monitored, resulting in DW-BIM activities that do not meet the needs of end users.

Unreasonable Use of Data for Business Purposes
• Lack of ‘data contracts’ may result in use of data that attracts negative publicity and results in reputational risk.

Reporting Requirements are Not Addressed when Implementing New Systems
• Projects do not adequately address reporting needs or leave these to ‘business users’ to develop themselves, resulting in inadequate reporting and/or reliance on manual spreadsheet-based solutions.

METADATA MANAGEMENT

Metadata management is the set of processes to ensure the capture, storage and use of ‘data about the data’ including business rules, data definitions, lineage and data flows. Metadata is often categorized as business, technical, operational or data-stewardship metadata. Establishing Metadata Management is typically achieved by:

• Business Metadata
  • Defining agreed-upon terminology and business rules for data elements
  • Defining data classifications
  • Publishing business metadata

• Technical Metadata
  • Capturing the flow of data through systems (data lineage)
  • Capturing database metadata (field types and sizes)

• Acquiring Tools to support management of metadata

❑ Data stewards take the lead in defining business metadata but need to facilitate discussions across the enterprise.
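The two metadata categories above, business classifications and technical lineage, are only useful together: lineage tells you what a change to a source column touches (the impact analysis the key-risks table refers to), and propagating classifications down that lineage catches the report column that was labelled “internal” although it carries a confidential field unchanged. The following is an added example, not from the presentation, that does both over a small constructed lineage graph. The systems, columns, classification levels and the one steward-approved downgrade are assumptions made for the example.

```python
"""Added example: column-level lineage with impact analysis and
classification propagation. Systems, columns, classification levels and
the approved downgrade are constructed for this example and are not
taken from the presentation."""
from collections import defaultdict, deque
from typing import Dict, List, Optional, Set, Tuple

# Constructed technical metadata: (upstream column, downstream column, job).
LINEAGE: List[Tuple[str, str, str]] = [
    ("crm.customer.ssn", "dw.dim_customer.ssn_hash", "etl_customer"),
    ("crm.customer.email", "dw.dim_customer.email", "etl_customer"),
    ("crm.customer.dob", "dw.dim_customer.age_band", "etl_customer"),
    ("dw.dim_customer.email", "bi.rpt_marketing.email", "rpt_marketing"),
    ("dw.dim_customer.age_band", "bi.rpt_marketing.age_band", "rpt_marketing"),
    ("dw.dim_customer.ssn_hash", "bi.rpt_fraud.ssn_hash", "rpt_fraud"),
]

# Constructed business metadata: classifications recorded by data stewards.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
CLASSIFICATION: Dict[str, str] = {
    "crm.customer.ssn": "restricted",
    "crm.customer.email": "confidential",
    "crm.customer.dob": "confidential",
    "dw.dim_customer.ssn_hash": "restricted",
    "dw.dim_customer.email": "confidential",
    "dw.dim_customer.age_band": "internal",
    "bi.rpt_marketing.email": "internal",  # too low: the confidential e-mail passes through unchanged
    "bi.rpt_marketing.age_band": "internal",
    # bi.rpt_fraud.ssn_hash has no classification recorded at all
}
# Derived columns a steward has explicitly signed off as less sensitive
# than their inputs (here: date of birth reduced to a coarse age band).
APPROVED_DOWNGRADES: Set[str] = {"dw.dim_customer.age_band"}


def build_index(lineage):
    down: Dict[str, List[str]] = defaultdict(list)
    up: Dict[str, List[str]] = defaultdict(list)
    for src, dst, _job in lineage:
        down[src].append(dst)
        up[dst].append(src)
    return down, up


def impact(column: str, lineage) -> Set[str]:
    """Every column downstream of `column`: what a change to it would touch."""
    down, _ = build_index(lineage)
    seen: Set[str] = set()
    queue = deque([column])
    while queue:
        for nxt in down.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def effective_classification(column: str, lineage, declared, approved_downgrades) -> str:
    """Highest level among the column's own label and everything upstream,
    unless a steward has approved the column as a downgrade point."""
    _, up = build_index(lineage)
    memo: Dict[str, int] = {}

    def level(c: str) -> int:
        if c not in memo:
            own = LEVELS.get(declared.get(c, ""), 0)
            if c in approved_downgrades:
                memo[c] = own
            else:
                memo[c] = max([own] + [level(p) for p in up.get(c, ())])
        return memo[c]

    name_of = {v: k for k, v in LEVELS.items()}
    return name_of[level(column)]


def audit_classifications(lineage, declared, approved_downgrades) -> List[Tuple[str, Optional[str], str]]:
    """Columns that are unclassified or labelled below their effective level:
    the candidates for disclosure to users cleared only for the lower level."""
    columns = {c for src, dst, _ in lineage for c in (src, dst)}
    findings = []
    for c in sorted(columns):
        eff = effective_classification(c, lineage, declared, approved_downgrades)
        own = declared.get(c)
        if own is None or LEVELS[own] < LEVELS[eff]:
            findings.append((c, own, eff))
    return findings


if __name__ == "__main__":
    print("impact of crm.customer.email:", sorted(impact("crm.customer.email", LINEAGE)))
    for col, own, eff in audit_classifications(LINEAGE, CLASSIFICATION, APPROVED_DOWNGRADES):
        print(f"{col}: declared={own or 'none'} effective={eff}")
```

The approved-downgrade set is the part stewards have to own: without it every derived column inherits the sensitivity of its rawest input and genuinely de-identified data gets over-classified; with it, each exception is a recorded decision that an auditor can ask for.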

METADATA MANAGEMENT – KEY RISKS

Understand Metadata Requirements
• Lack of understanding, no well-defined scope, lack of education for users, no clear delineation between business and technical users, no data governance organization, lack of confidence among business users, lack of flow for technical users.

Define the Metadata Architecture
• Information can be extracted from very limited sources, the architecture design does not support the needs of the organization or semantic integration, manual updates are not supported, and there is no single access point.

Develop and Maintain Metadata Standards
• Incorrect identification of standards; relevant rules are not specified and metadata elements are not grouped under the correct schemes.

Implement a Managed Metadata Environment
• No pilot is conducted to evaluate the environment, scope and strategy have not been defined appropriately, and required integrations are not in place.

Create and Maintain Metadata
• Metadata is not appropriately maintained, resulting in low quality, inconsistent metadata that cannot be relied upon.

Integrate Metadata
• Metadata is not integrated effectively, resulting in inconsistent, low quality metadata.

Manage Metadata Repositories
• Metadata repositories are not appropriately managed, resulting in data quality and availability issues.

Distribute and Deliver Metadata
• Metadata is not effectively distributed and delivered, resulting in unavailable information or data disclosure to unauthorized users.

Query, Report and Analyze Metadata
• The benefits of impact analysis and the implied productivity improvements are missed; data security risks.

TOPICS TO BE COVERED TODAY

4. Review some Examples of Scoping for Data Governance Audits

DATA GOVERNANCE AUDIT

• Refer to previous slides for key risks

• Does your organization have a defined Data Governance function?

• If so, review the charter and compare to a reference framework

• If not, you can likely find pockets of ‘grass-roots’ activities

• For your first DG Audit you might conduct a broad risk assessment and identify areas for further investigation

CREATION OF REGULATORY REPORTS
Scope: End-to-end audit of the process to create regulatory reports

Data Governance Strategy
• Who owns the overall process? Is the process documented?
• Are roles and responsibilities in each step of the process defined?
• Are the appropriate data owners and subject matter experts involved?
• Is adequate funding provided to develop a robust solution?

Data Architecture
• What data sources should be used? Who decided this?
• Do we have all the required data? What data gaps exist?
• Are any non-standard technologies used within the process?
• Does the development process follow established IT standards (e.g. change controls)?

Database Management
• Is the infrastructure reliable? Are database versions up to date?
• Can data be recovered (backups)?
• Are service-level agreements in place for key infrastructure components?

Data Security
• Who has access to change / manipulate the data? How is this controlled?

Data Quality
• Is data quality measured? Is the data fit for use?
• How are data defects identified? How are data defects corrected?
• Are we using any 3rd party data? How is this validated?
• How is data quality controlled in manual steps (Excel)?

Reference and Master Data
• How is data from different sources standardized?
• Are key data elements identified and defined?

DW / BI
• How are business rules defined and documented?
• How are reports validated / reconciled? Who signs off on reports?

Metadata Management
• How does data flow through systems (data lineage)? Is this documented?
• Are all data definitions and business rules documented?
• Are our data definitions consistent with regulatory requirements?

IT DATA MANAGEMENT AUDIT
Scope: Audit of IT Data Management and Database Operations

Data Governance Strategy
• Are roles and responsibilities defined for data management functions?
• Are policies defined for data management functions such as patch management, capacity planning, performance monitoring, and backups?

Data Architecture
• Are standard technologies and configurations defined and documented?

Database Management
• Are standard operating processes defined for data management functions such as patch management, capacity planning, performance monitoring, and backups?
• Are database performance issues detected via pro-active monitoring? How are issues prioritized and assigned for resolution?
• Are service levels established for database availability?
• Are data models consistent in naming standards and field types?

Data Security
• How is access granted for database administrators?
• Have default passwords been disabled or changed?
• How are DBA activities monitored?
• Are database security patches current?

Data Quality

Reference and Master Data

DW / BI

Metadata Management
• Is technical metadata documented? Are data models documented?
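The Data Security questions in the two audit scopes above (who can change the data and how that is controlled; how DBA access is granted; whether default administrative accounts are locked down) can be answered partly from artefacts collected offline rather than only from interviews. The following is an added example, not from the presentation, worked for PostgreSQL: it parses a pg_hba.conf as the auditor would collect it, flags rules that grant access without authentication, over a weak method, from any address, or without TLS, and then cross-checks the login-capable superusers from pg_roles against an approval list and against those rules. The pg_hba.conf text and the role rows are constructed samples, the approved-DBA list stands in for the organisation’s access-approval records, and the parser ignores group (`+`) and comma-separated user lists.

```python
"""Added example: offline checks for the database security audit questions,
worked for PostgreSQL. The pg_hba.conf text and role rows are constructed
samples; the approved-DBA list is an assumption standing in for the
organisation's access-approval records."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed pg_hba.conf as an auditor might collect it from the server.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE   USER       ADDRESS              METHOD
local   all        all                             peer
host    all        all        127.0.0.1/32         scram-sha-256
host    reporting  reporting  10.0.0.0 255.0.0.0   md5
host    all        all        0.0.0.0/0            trust
host    all        postgres   0.0.0.0/0            md5
hostssl all        all        ::/0                 scram-sha-256
"""
# Constructed rows in the shape returned by
#   SELECT rolname, rolsuper, rolcanlogin, rolvaliduntil FROM pg_roles;
SAMPLE_ROLES = [
    {"rolname": "postgres", "rolsuper": True, "rolcanlogin": True, "rolvaliduntil": None},
    {"rolname": "dba_alice", "rolsuper": True, "rolcanlogin": True, "rolvaliduntil": "2019-06-30"},
    {"rolname": "etl_svc", "rolsuper": True, "rolcanlogin": True, "rolvaliduntil": None},
    {"rolname": "reporting", "rolsuper": False, "rolcanlogin": True, "rolvaliduntil": None},
    {"rolname": "pg_monitor", "rolsuper": False, "rolcanlogin": False, "rolvaliduntil": None},
]
APPROVED_DBAS = {"dba_alice"}  # assumption: roles with a documented access approval
ANY_ADDRESS = {"0.0.0.0/0", "::/0", "all"}
LOOPBACK = {"127.0.0.1/32", "::1/128", None}


@dataclass
class HbaRule:
    line: int
    conn_type: str
    database: str
    user: str
    address: Optional[str]  # None for Unix-socket ('local') rules
    method: str


@dataclass
class Finding:
    where: str
    code: str
    detail: str


def parse_pg_hba(text: str) -> List[HbaRule]:
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":
            rules.append(HbaRule(n, fields[0], fields[1], fields[2], None, fields[3]))
            continue
        # Address is either CIDR or an address followed by a separate netmask.
        if len(fields) >= 6 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", fields[4]):
            address, method = f"{fields[3]} {fields[4]}", fields[5]
        else:
            address, method = fields[3], fields[4]
        rules.append(HbaRule(n, fields[0], fields[1], fields[2], address, method))
    return rules


def audit_hba(rules: List[HbaRule]) -> List[Finding]:
    out = []
    for r in rules:
        where = f"pg_hba.conf:{r.line}"
        if r.method == "trust":
            out.append(Finding(where, "NO_AUTH", f"{r.user} on {r.database} needs no credentials"))
        elif r.method == "password" and r.conn_type != "hostssl":
            out.append(Finding(where, "CLEARTEXT_PASSWORD", "password sent unencrypted"))
        elif r.method == "md5":
            out.append(Finding(where, "WEAK_METHOD", "md5 is weaker than scram-sha-256"))
        if r.address in ANY_ADDRESS:
            out.append(Finding(where, "ANY_ADDRESS", f"{r.user} may connect from anywhere"))
        if r.conn_type == "host" and r.address not in LOOPBACK:
            out.append(Finding(where, "NO_TLS", f"unencrypted connections allowed from {r.address}"))
    return out


def audit_roles(roles, rules: List[HbaRule], approved) -> List[Finding]:
    """Login-capable superusers are the DBA population: each must be approved,
    should have an expiry, and should not be reachable from any address."""
    out = []
    for role in roles:
        if not (role["rolsuper"] and role["rolcanlogin"]):
            continue
        name = role["rolname"]
        where = f"role:{name}"
        if name not in approved:
            out.append(Finding(where, "UNAPPROVED_SUPERUSER", "no access approval on file"))
        if role["rolvaliduntil"] is None:
            out.append(Finding(where, "NO_EXPIRY", "password never expires"))
        if any(r.user in ("all", name) and r.address in ANY_ADDRESS for r in rules):
            out.append(Finding(where, "REMOTE_SUPERUSER", "superuser reachable from any address"))
    return out


if __name__ == "__main__":
    hba = parse_pg_hba(SAMPLE_PG_HBA)
    for f in audit_hba(hba) + audit_roles(SAMPLE_ROLES, hba, APPROVED_DBAS):
        print(f"{f.where:18} {f.code:22} {f.detail}")
```

The trust rule on the sample’s fifth line is the kind of finding these questions are meant to surface: it makes every later rule irrelevant for anyone who can reach the port, so the answer to “how is this controlled?” is “it is not”, whatever the access-approval paperwork says. The role cross-check is what turns a list of superusers into an audit result: a service account with superuser and no expiry, not on the approval list, is a finding even before looking at activity monitoring.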

TOPICS WE COVERED TODAY

1. Why Implement Data Governance?

2. What Frameworks can be used to Develop and/or Audit a Data Governance Program?

3. What are the Core Components of a Data Governance Program?

4. Review some Examples of Scoping and Approach for Data Governance Audits

Questions?

Thank You!!!!
