The Greatest Risk Regulatory Compliance Solutions. Introduction to Automation Validation for Public Companies Concerning their Sarbanes-Oxley Regulatory Compliance Initiatives. Presents: The key issues in achieving your goal of SOX Regulatory Compliance.
The Greatest Risk Regulatory Compliance Solutions
Introduction to Automation Validation for Public Companies Concerning their Sarbanes-Oxley Regulatory Compliance Initiatives
Presents: The key issues in achieving your goal of SOX Regulatory Compliance
Your Greatest Risk Toward Regulatory Compliance
Congressional Challenges
• As an understandable reaction to financial fraud and corporate scandals, Congress has mandated new regulations for which compliance is technically challenging and perhaps not even feasible in the real world of IT. This is not the first time they did this…
Congressional Challenges
• Congress once mandated to the Department of Education “KNOW YOUR CUSTOMER” so that students who cheat the government would not get any further financial assistance. A great idea to save money and catch cheaters!
• The project was to combine 12 loan and grant systems to accomplish this worthy goal. The price was 2.2 billion dollars and the contract was issued to CSC.
• The GAO sensed the project was not technically possible.
• Analyzing source code and data proved it (with the same tools Xactis uses today).
• The taxpayers saved most of the money and a scandal was averted.
• Xactis tools were acknowledged in the US Congressional Record as the technology employed to validate these Information Systems – the basis of the auditors’ findings.
Congressional Challenges
Therefore Compliance is really:
• An elusive goal – not a destination
• A risk to be managed – not solved
• A highly evolving scenario – with changes that affect your professional operations and personal security, as they relate to Sarbanes-Oxley Section 404
The Greatest Risk We Face – Automation Validation
• Reviewers and auditors have traditionally relied on bank statements, interviews and documentation reviews to assess regulatory related risks and to assist management in becoming compliant with regulations.
• Sample testing is the common technique used to partially validate automated processes and rules embedded in the IT systems.
• As the roles and complexity of enterprise information systems have grown, a new need is emerging for online controls and business intelligence systems.
• But only the most knowledgeable companies and IT Governors know that in-depth system analysis is required to validate these automated processes, rules and data – as they pertain to new regulations that require more integrated and more accurate information about their controls under Section 404, AML, etc.
The Greatest Risk We Face – Automation Validation
• Managers, Compliance Officers and IT providers are scrambling to package tools and services to help their customers reach compliance – but, no matter which controls are chosen, the risk of the initiative will depend on:
• Compliance Initiative support and budget
• Compliance Officers that are well-trained and given authority over autonomous entities within the organization
• Effective analysis of Information Systems used in Financial Reporting:
  • Financial applications and business intelligence
  • Programs and data
• Effective monitoring for insider misconduct
• Effective reporting to management and regulators
• Diligence and Enhanced Due Diligence
• Compliance Information Integration
• Data Management Skills – including data quality to facilitate meaningful integration
• Documentation of policies, procedures and personnel
• Documentation of automated systems
• Audit / Review – Validating the Adequacy and Effectiveness of Controls with all of the above information
Mitigating Risks Through Automation Validation
The Purpose of Audit is to Validate the Adequacy and Effectiveness of Controls!
• (Let’s remove the policies and procedures from the discussion to focus on the greatest risk)
• No matter what compliance related automation we select, validating that the automated system was well-planned, well-purchased, well-installed, optimally configured and that it is working effectively must be done with a different set of tools and methods – before the regulators catch infractions and audit.
Mitigating Risks Through Automation Validation
The audit process must:
• Be viewed with prestige and in a positive way
• Bring together all aspects of the company to do what is nearly impossible – team building
• Analyze all controls
• Document rules and processes in the automation
• Document the data lineage from reports
• Have access to and check historical data to see what the people and automated systems are catching and what they are missing
• Effectively and proactively handle external audits to minimize penalties for infractions
Information Validation Methodology
• Step One: Identify Critical Information End-items
• Step Two: Trace Data Lineage Back to Origins
• Step Three: Determine the Meaning and Validate the Quality of the Original Data
• Step Four: Validate Application Processes, Business Rules and Related Controls and Verify Automation Security
• Step Five: Follow Data Lineage Forward to Validate Mappings, Transformations and Data Quality
• Step Six: Verify Security at Data Consumption Points
[Diagram, repeated across the following slides: data flows from Data Origination Points (Website, EAI, EDI messages, “Green Screen”) through ETL into Applications (code and data), on through ETL and queries into Data Stores and Warehouses, then into Data Marts, and finally into Management Reports.]
Step One: Identify Critical Information End-items
Step Two: Trace Data Lineage Back to Origins – via Data Marts, via Data Stores and Warehouses, and via Source Applications, until the Origins Are Reached
Step Three: Determine Meaning & Validate the Quality of Original Data
Step Four: Validate Application Processes, with Related Business Rules and Controls
Step Five: Validate Mappings, Transformations & Data Quality – via Data Warehouses and via Data Marts, until Critical Information End-items Are Validated
Step Six: Validate End-to-end System Security
[Diagram: Authorized versus Unauthorized access paths at the consumption points.]
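The six steps above read as a procedure, so here is a worked example of them on a small constructed lineage: one report figure traced back through a data mart and a warehouse to an orders feed, with each hop recomputed from its documented business rule and compared with the value actually stored, and a final authorization check at the consumption point. This is an added illustration, not code or tooling from the presentation or from Xactis; the node names, the rules, the sample orders, the stored values (one of which is deliberately wrong) and the access log are all constructed here.

```python
"""Constructed walk-through of the six-step information validation methodology."""

# Steps 1-2: lineage graph. Each consumer lists its producer and the documented
# rule that turns the producer's data into the consumer's (assumed names).
LINEAGE = {
    "report:total_revenue_usd": [("mart:revenue_usd", "sum_regions")],
    "mart:revenue_usd": [("warehouse:revenue_by_region", "fx_to_usd")],
    "warehouse:revenue_by_region": [("origin:orders", "shipped_revenue_by_region")],
    "origin:orders": [],  # origination point: nothing upstream
}

# Constructed origin data and reference tables.
ORDERS = [
    {"id": 1, "region": "EU", "qty": 2, "unit_price": 50.0, "status": "shipped"},
    {"id": 2, "region": "EU", "qty": 1, "unit_price": 20.0, "status": "cancelled"},
    {"id": 3, "region": "US", "qty": 3, "unit_price": 10.0, "status": "shipped"},
    {"id": 4, "region": "US", "qty": 1, "unit_price": 40.0, "status": "shipped"},
]
ORIGINS = {"origin:orders": ORDERS}
REGION_CCY = {"EU": "EUR", "US": "USD"}
FX_TO_USD = {"EUR": 1.10, "USD": 1.0}

# Values currently held downstream (constructed). The warehouse counted the
# cancelled EU order, and the error propagated into the mart and the report.
STORED = {
    "warehouse:revenue_by_region": {"EU": 120.0, "US": 70.0},
    "mart:revenue_usd": {"EU": 132.0, "US": 70.0},
    "report:total_revenue_usd": 202.0,
}


def shipped_revenue_by_region(orders):
    """Documented rule: only shipped orders contribute qty * unit_price."""
    out = {}
    for o in orders:
        if o["status"] == "shipped":
            out[o["region"]] = out.get(o["region"], 0.0) + o["qty"] * o["unit_price"]
    return out


def fx_to_usd(by_region):
    """Documented rule: convert each region's figure at the region's currency rate."""
    return {r: round(v * FX_TO_USD[REGION_CCY[r]], 2) for r, v in by_region.items()}


def sum_regions(by_region):
    return round(sum(by_region.values()), 2)


RULES = {f.__name__: f for f in (shipped_revenue_by_region, fx_to_usd, sum_regions)}


def trace_lineage(end_item):
    """Step 2: walk back from the end-item to its origin.
    Returns (origin, hops) with hops as (producer, rule, consumer) in
    origin-to-end-item order, ready for the forward pass in step 5."""
    hops, node = [], end_item
    while LINEAGE[node]:
        producer, rule = LINEAGE[node][0]  # lineage is linear in this sample
        hops.append((producer, rule, node))
        node = producer
    return node, list(reversed(hops))


def validate_origin_quality(orders):
    """Step 3: basic quality checks on the original data; returns problems found."""
    problems = []
    ids = [o["id"] for o in orders]
    if len(ids) != len(set(ids)):
        problems.append("duplicate order ids")
    for o in orders:
        if o["qty"] <= 0 or o["unit_price"] < 0:
            problems.append(f"order {o['id']}: non-positive qty or negative price")
        if o["region"] not in REGION_CCY:
            problems.append(f"order {o['id']}: unknown region {o['region']}")
    return problems


def validate_forward(end_item):
    """Steps 4-5: recompute every hop from the origin using the documented rules
    and compare with what is stored. Returns (node, rule, expected, stored) for
    each mismatch; the first entry is the hop where the error was introduced."""
    origin, hops = trace_lineage(end_item)
    value, findings = ORIGINS[origin], []
    for _producer, rule, consumer in hops:
        value = RULES[rule](value)  # expected value, derived from the origin
        if value != STORED[consumer]:
            findings.append((consumer, rule, value, STORED[consumer]))
    return findings


# Step 6: who may read the end-item, and who actually did (constructed log).
REPORT_ACL = {"report:total_revenue_usd": {"cfo", "controller", "auditor"}}
ACCESS_LOG = [
    {"user": "alice", "role": "controller", "item": "report:total_revenue_usd"},
    {"user": "bob", "role": "developer", "item": "report:total_revenue_usd"},
]


def unauthorized_reads(log):
    """Return log entries whose role is not permitted for the item read."""
    return [e for e in log if e["role"] not in REPORT_ACL.get(e["item"], set())]


if __name__ == "__main__":
    print("quality problems:", validate_origin_quality(ORDERS))
    for node, rule, expected, stored in validate_forward("report:total_revenue_usd"):
        print(f"{node}: rule {rule} expects {expected}, stored {stored}")
    print("unauthorized reads:", unauthorized_reads(ACCESS_LOG))
```

Because the forward pass recomputes each hop from the origin rather than from the previous stored value, every downstream node shows a discrepancy, and the first one in lineage order (the warehouse, rule `shipped_revenue_by_region`) is the hop an auditor would investigate first; sampling the report alone would not locate it.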
Rules Are Then Compiled Into a Library With an Index
[Rule library index table not captured in this extraction.]
Note: Which rule would you investigate? How quickly could Auditors review rules with this information?
Xactis Services Offerings
Risk Assessment of the current compliance Initiatives
• Review Report from a Certified Auditor
• Risk Mitigation Plan
Compliance Consulting:
• Strategic Planning
• Implementing and Enhancing Controls
Audit Preparedness Program
Compliance Information Integration
Compliance Assurance Methodology: From Risk Assessment, Through Compliance Consulting, To Audit Preparedness
• Policies, Procedures, Personnel, Automation & Data Integration Assistance (AML, Basel II, Sarbanes-Oxley, Gramm-Leach-Bliley, etc.)
• Analyze the Controls incl. Policies, Procedures, Personnel & Focus on Automation Validation
• Customer Knowledge (CIP/KYC) & Privacy
• Validate & Optimize Controls
• Select or Support the Products
• Implement Solutions & Integrate Data
• Focusing on Exactly What the Regulator Will Be Checking
• Suspicious Activity Monitoring, Insider Misconduct & Intruder Detecting / Reporting
• Certified Auditor’s Review Report of Compliance Risks using Software & Database Tools
• Apply Global Perspective & Experiences
• Audit Report Preparations & Documentation
• Compliance Training
• Risk Mitigation Plan & Presentation
• Employee & Customer Awareness
• Compliance Officer(s) Advanced Training
• Audit Meeting Assistance
Tools & Methods Summary
For Automation Discovery & Compliance Validation:
• Imperative Profiler™ (for data profiling)
• Imperative Fusion™ (for semantic interoperability)
• AutoReArchbench™ Source Code Analysis Toolset
• BRP Library – Business Rule Packet Repository
• Management & Audit Support Processes
For Compliance Remediation:
• Data Quality and Integrity Approach
• Network and Systems Discovery, Analysis, and Mapping
Xactis Corporation
180 Old Short Hills Road, Short Hills, NJ 07078
Alan Kaplan, President / CTO
973-868-6974 Direct
akaplan@xactiscorp.com
www.xactiscorp.com
Summary – Your Greatest Risk Toward Compliance
• Reviewers and auditors have traditionally relied on interviews and documentation reviews to assess regulatory related risks and to assist management in becoming compliant.
• Sample testing is the common technique used to partially validate automated processes and rules embedded in the IT systems.
• As the roles and complexity of enterprise information systems have grown, a new need is emerging for in-depth system analysis to validate these automated processes, rules and data as they pertain to new regulations that require more integrated and more accurate information.
• IT providers are scrambling to package tools and services to help their customers reach compliance – but, no matter which applications and approaches are chosen, the success or failure of the initiative will depend on data quality and integration.
• The Catch-22 phenomenon is real – you are in fact damned if you do and damned if you don’t. The more you do… the more the regulators expect. The solution is to also bring in an independent 3rd party to validate the entire Regulatory Compliance Initiative.