
Page 1: PRESENTATION TO IIA SEATTLE CHAPTER · As data is an enterprise asset, organizations must take an enterprise-approach to Data Governance that defines the Roles and Responsibilities,

Internal Audit, Risk, Business & Technology Consulting

Protiviti Perspective provided by Nikhil K., New Delhi

PRESENTATION TO IIA SEATTLE CHAPTER

Data Governance

January 2019


© 2018 Protiviti – Confidential. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.

PRESENTER

Roy Taylor, MBA, CISA

Associate Director, Protiviti

San Francisco

• 20 years in data / analytics space

• Past experience as Director and Program Manager for Data Warehouse and Analytics with Fortune 500 companies

• Conducted numerous Data Governance audits and assessments

• Advises clients on establishing data governance programs


ABOUT PROTIVITI

Protiviti helps companies around the globe identify, measure, and navigate the risks they face, within their industries and throughout their systems and processes, using proven value-added solutions:

Data Management and Advanced Analytics

• Model Risk Management

• Data Governance, Warehousing and Business Intelligence

• Predictive Modeling and Advanced Analytics

Technology Consulting

• Security and Privacy

― Data Security and Privacy Management

― Incident Response & Forensics Services

― Digital Identity & Access Management

― Technical Security Assessment

― Security Program & Strategy Services

― Cybersecurity Intelligence Response Center (CIRC)

• Protiviti Software Services

― Risk Technologies

― Custom Developed Software

― Enterprise Content Management

• Enterprise Resource Planning

• Technology, Strategy and Operations

― IT Governance & Risk Management

― IT Operations Improvement

― Program, Portfolio & Project Management (3PM)

― IT Strategy & Architecture

Restructuring and Litigation Services

• Corporate Restructuring and Recovery

• Litigation Consulting

Risk and Compliance

• Credit Risk

• Customer Engagement

• Enterprise Risk Management (ERM)

• Market and Commodity Risk

• Model Risk and Capital Management

• Operational Risk

• Strategy Communications and Change Enablement

• Anti-Money Laundering

• Regulatory Compliance

Business Performance Improvement

• Capital Projects and Contracts

• Finance Optimization Services

• Performance and Information Management

• Revenue Enhancement

• Supply Chain

Internal Audit and Financial Advisory

• Data Mining and Analytics

• Financial Remediation and Reporting Compliance

• Financial Investigations

• Internal Audit

• Fraud Risk Management

• Internal Audit Quality Assurance Reviews

• International Financial Reporting Standards (IFRS)

• IT Audit Services

• SOX and Financial Reporting Controls Compliance

Transaction Services

• Due Diligence

• M&A Integration and Divestiture

• Private Equity Services

• Public Company Transformation


TOPICS TO BE COVERED TODAY

1. Why Implement Data Governance?

2. What Frameworks can be used to Develop and/or Audit a Data Governance Program?

3. What are the Core Components of a Data Governance Program?

4. Review some Examples of Scoping and Approach for Data Governance Audits


TOPICS TO BE COVERED TODAY

1. Why Implement Data Governance?


WHY IMPLEMENT DATA GOVERNANCE?

Business Need / Data Governance Helps With …

• To comply with data security and privacy regulations: Policies for data security, sharing of data, identifying where private or sensitive data lives

• To make sure we can rely on our data being available: Policies and process for database backups, database configurations, database monitoring, capacity and performance management, applying security patches

• To make sure we can easily integrate data – new systems, acquisitions: Development of a flexible data architecture that allows new data sources to be quickly integrated

• To ensure that our regulatory reporting is correct: Definition of systems of record, data flows through systems, business rules applied to data, quality control checks

• To standardize our reporting: Agreement on common data definitions and business rules

• To improve data quality: Creation of data quality scorecards, definition of ‘fit for use’, pushing data quality to the ‘front-line’

• To get a better understanding of our Customers or Vendors: Improving completeness and accuracy of customer / vendor records

• To make sure data issues are prioritized and addressed: Establishing data ownership and accountability for providing data to the organization

• To become a data-driven organization: Prioritizing and funding data projects


WHY IMPLEMENT DATA GOVERNANCE?

Many organizations are proactively focusing on Data Governance and creating teams that explicitly manage data across the enterprise. This provides for better control over data assets, reduces the costs of data management, improves the quality and consistency of data, and drives business value.

PROACTIVE

• Clear processes and procedures for managing data

• Clear communication of priorities

• Clear management and resolution of data issues

• Confidence in the reliability of data

• Clear ownership of data

• Clearly documented and controlled policies and procedures

REACTIVE

• Everything is an emergency

• Different rules depending on who you talk to

• Recurring issues with quality, timeliness and consistency

• Lack of accountability


WHY IMPLEMENT DATA GOVERNANCE?

Risk Management & Regulatory Reporting: Address regulators’ increased focus on data quality and control procedures and on the availability of accurate, timely, and reliable information for reporting.

Data Privacy & Protection: Enable the identification of all instances of employee and customer data and who has access to sensitive data.

Cost Savings & Avoidance: Lower costs by increasing operational efficiency with business process automation and by eliminating redundancy.

Revenue Growth: Develop a broad and deep understanding of existing customers to better target campaigns and offers based on a specific customer's needs.

Enhanced Customer Service: Increase responsiveness by closing the gap between insights and action.

Regulatory Compliance: Establish the rigorous data standards, policies, and processes that are required by regulators, and ensure accountability for and auditability of data.

Improved Operational Effectiveness: Reduce the fragmentation within key business processes and the need for manually intensive activities and error-prone data integration processes.

Improved Analytics & Decision Making: Instill greater confidence in reporting and analytics by improving the quality and consistency of data.

Partnering & Outsourcing: Enable data to be efficiently and accurately deployed for external use.

Mergers & Acquisitions: Establish more efficient processes for migrating and consolidating data after a merger or acquisition.


WHY IMPLEMENT DATA GOVERNANCE?

As data is an enterprise asset, organizations must take an enterprise approach to Data Governance that defines the Roles and Responsibilities, Policies and Processes to control the management of data as a business asset.

❑ Organizations have historically focused on Compliance and Protecting Data; however, there is a growing trend to use Data Governance to realize additional business value from data.

❑ Data Governance is not just an IT responsibility. Business functions should play a large role in defining policies for data management.

❑ Data Governance tends not to focus on cyber security or risks of data breaches, as these are usually covered elsewhere.


TOPICS TO BE COVERED TODAY

2. What Frameworks can be used to Develop and/or Audit a Data Governance Program?

Three frameworks we see most often are –


FRAMEWORKS

Data Management Association (DAMA)

DM Book of Knowledge (DMBOK)

https://dama.org

https://dama-ps.org (local chapter)

• Broad reference model

• 8 core areas

• Industry neutral

• Industry and enterprise licenses

• Individual ~ $79

• https://technicspub.com/dmbok/


FRAMEWORKS

Data Management Association (DAMA)

https://dama-ps.org (local chapter)


FRAMEWORKS

Enterprise Data Management Council (EDM)

Data Management Capability Assessment Model (DCAM)

https://edmcouncil.org

• EDM Council founded by Financial Services organizations and vendors

• Oriented to Financial Services regulations and creation of regulatory reports

• Company membership $10,000 - $15,000

• No individual membership

• Limited activity on West coast


FRAMEWORKS

CMMI Institute (ISACA)

Data Management Maturity (DMM)

https://cmmiinstitute.com/data-management-maturity

• Relatively new

• Industry neutral

• Linked to COBIT

• Individual license $100


TOPICS TO BE COVERED TODAY

3. What are the Core Components of a Data Governance Program?


FRAMEWORKS – COMMON ATTRIBUTES

• Business Impact & Readiness

• IT Operations & Readiness

• Training & Awareness

• Stakeholder Management & Communication

• Defining Ownership & Accountability

• Change Management

Data Governance

Strategy

• Vision & Mission

• Objectives & Goals

• Alignment with Corporate Objectives

• Alignment with Business Strategy

• Guiding Principles

Organization

• Operating Model

• Decision Makers & Escalation Points

• Data Governance Organization Members

• Roles and Responsibilities

• Data Ownership & Accountability

Policies, Processes & Standards

• Policies & Rules

• Processes

• Controls

• Data Standards & Definitions

• Metadata, Taxonomy, Cataloging, and Classification

Measurement & Monitoring

• Statistics and Analysis

• Tracking of progress

• Monitoring of issues

• Continuous Improvement

• Scorecarding

Technology

• Data Quality & Lineage Tools

• Data Mastering & Sharing

• Data Architecture & Security

• Stewardship Workflows

• Business Glossary & Metadata Repository

Communication

• Communication Plan

• Mass Communication

• Individual Updates

• Mechanisms

• Training Strategy


DATA GOVERNANCE STRATEGY

The organization should have a defined organizational model for the Data Governance function. The model could take various forms including –

− A formal (centralized) organization led by a Chief Data Officer (CDO)

− A de-centralized model whereby responsibilities are absorbed into existing functions

Key aspects of the model should include –

• A Data Governance Charter – defining the scope of authority for the DG function

• Defined roles and responsibilities for both IT and Business resources

• A funding model – either its own funding or a ‘tax’ on projects

• A mechanism to develop and approve DG processes, including:

  − Prioritize data management initiatives, and ensure these are aligned with business priorities

  − Review and approve data management policies

  − Review and approve the data management architecture

  − Monitor compliance with data management policies

  − Monitor compliance with regulatory requirements

• A communication plan to promote data management standards and policies


DATA STEWARDS

The roles and responsibilities of Business Data Stewards can be split among three major involvement areas:

Overall Business Alignment and Representation

• Act as a Data Governance champion for a particular business area or function, such as ‘New Accounts’ or ‘Customer Service’

• Responsible for understanding all established Data Governance policies, standards, and procedures, and confirming business users’ understanding of and adherence to these policies.

• Provide a clear line of communication to the Enterprise Data Governance function for alerting and escalating issues.

• Work to identify and define important business terms, and provide input for business requirements that affect data quality standards and overall usage

Data Life-Cycle Management

• Help establish priorities within business functions and continuously review requirements as part of new work requests or established work streams

• Define the data, manage metadata, and communicate new business data definitions and approved data usage standards to Enterprise Data Governance

• Take ownership and responsibility for metrics and for monitoring overall compliance of data with the established measures

• Make recommendations on how data quality can be improved and protected as a result of any root cause analysis following any conflict resolution that has been escalated.

• Understand and assess any enterprise impacts of data changes by participating in stewardship committees organized around new data and project initiatives

Data Quality and Risks

• Establish acceptable levels of data quality that can be measured

• Understand all data use cases for critical data elements and be included in actions or decisions for new planned data usage scenarios.

• Define improvement opportunities as a result of reviewing data quality metrics and analysis of root causes for any data falling below acceptable levels

• Support new business cases for improvement projects for improving data quality


DATA GOVERNANCE STRATEGY – KEY RISKS

Data Stewardship

• Defined data stewardship roles and responsibilities do not exist, resulting in a lack of accountability and coordination across the organization as well as poorly defined and controlled data.

Data Governance and Stewardship Organizations

• Appropriate data governance roles and responsibilities do not exist to support the strategic alignment between the data management function and the business as a whole.

Data Strategy

• A formal data strategy has not been defined, resulting in an ineffective data management program that does not align with business strategy or support the achievement of business objectives.

Data Policies, Standards and Procedures

• Data policies, standards and procedures are not formally defined or communicated to the organization, resulting in ad-hoc, inconsistently applied data management practices which negatively impact data definition, data collection, data maintenance, data use, and data security processes.

Data Architecture

• A defined enterprise data model does not exist, does not take into account business requirements, or is not approved, resulting in data architecture that is not suitable to meet the needs of the organization.

Regulatory Compliance

• Non-compliance incidents not identified or corrected, adversely impacting the organization’s performance and reputation.

Issue Management

• Data related issues are not identified and resolved in a timely manner, resulting in poor data quality, regulatory non-compliance, or reliance on incorrect information to make business decisions.

Project Management

• Data management projects are not appropriately managed, resulting in a lack of project prioritization, potential misallocation of funds, and sub-optimal decision making.

Data Management Services

• Organizational data management service expectations are not formally defined in a service level agreement, resulting in the organization’s data needs not being met.

Communication and Promotion

• Stakeholders are unaware of data management responsibilities, resulting in noncompliance with organizational data standards and external regulations.


DATA ARCHITECTURE

The organization should have a documented data architecture strategy that includes -

• The principles and design patterns to be used for data management

  − How data will be shared and integrated between systems

    • Will each system have its own physical copy of data?

    • How will data be shared and synchronized across systems (to maintain data integrity)?

  − Standards for development

    • What platforms and technologies will be used to manage data?

• What are the core data subject areas and how are these related? e.g.

    • Customers

    • Vendors

    • Sales

    • Inventory

  − And defines these data concepts, e.g. how do we define a customer?


DATA ARCHITECTURE – KEY RISKS

Understanding Enterprise Information Needs

• Enterprise information needs are not understood, resulting in inadequate information for business functions, inconsistency between information requirements and application development, and inefficient planning of IT-enabled investment programs.

Develop and Maintain the Enterprise Data Model

• The enterprise data model is not consistent with IT plans, models are rigid, security and cost-effectiveness issues arise, and models are not upgraded.

• Without business involvement and design reviews, data models will be inaccurate and inconsistent and will not support business needs

• Without change management controls, data models will not accurately reflect changing business requirements

Define and Maintain the Database Technology Architecture

• Without defining and maintaining database architecture, data standards for all data systems and integration are not possible.

Define and Maintain the Data Integration Architecture

• Data Management is inconsistent and criteria are not well-defined, leading to distorted information, unreliable external reports and data integrity errors and incidents.

Understand Data Technology Requirements

• Data technology requirements are not understood, resulting in the implementation of suboptimal solutions to business problems.


DATABASE MANAGEMENT

Database management is the set of activities designed to ensure the integrity of the database, manage the availability of data and optimize performance of the database environments. This is typically achieved by:

• Conducting performance monitoring, error reporting and performance tuning

• Implementing backup and recovery mechanisms

• Implementing redundancy and failover in the database environment (e.g. through clustering)

• Implementing an archiving mechanism

• Implementing a controlled process for changes to the database environment

• Applying upgrades and patches to maintain the database environment at a supported level

• Tracking issues and reporting/tracking issues logged with vendors

• Maintaining an inventory and tracking usage of technology licenses

❑ Review of this area may already be covered as part of other IT audits.


DATABASE MANAGEMENT – KEY RISKS

Implement and Control Database Environments

• The organization may not have the database systems it needs to effectively support the current and future information requirements of the business in an efficient, cost-effective and well-controlled fashion

Backup and Recover Data

• Data availability is compromised by a lack of adequate backup and restoration procedures and technologies.

Set Database Performance Service Levels

• Database performance expectations are not formally defined in a service level agreement, resulting in a lack of data availability and application performance

Monitor and Tune Database Performance

• Database performance issues are not identified and addressed, resulting in data not being available to the business.

Archive, Retain and Purge Data

• A data retention plan is not formally defined and followed, resulting in data that is unavailable to address operational and compliance needs or performance issues arising from data being retained beyond its useful life.

Inventory and Track Data Technology Licenses

• The organization is not in compliance with licensing agreements, resulting in fines and reputational damage.


DATA SECURITY MANAGEMENT

Effective data security policies and procedures ensure that the right

people can use and update data in the right way, by complying with the

regulatory, privacy and confidentiality needs of all stakeholders. This is

typically achieved by:

24

• Defining a data security policy based on regulatory and internal requirements

• Defining standards such as data encryption, data transmission, remote access and password standards

• Classifying information confidentiality

• Defining a process to request, track and approve initial authorizations and subsequent changes

• Establishing a mechanism to grant access to databases (such as group memberships)

• Monitoring user authentication and access behavior

Review of this area may already be covered as part of other IT or SOX audits; however, validate whether the following are covered:
❑ Approvals for access by Database Administrators (DBA)
❑ Monitoring of changes to data made by DBAs. All changes are logged, but DBAs have privileges to delete / manipulate the logs!
❑ Analytics environments – access is often given to all data
❑ Data in staging and test environments (if this is copied from production)
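One mitigation for the DBA log-manipulation caveat above is a tamper-evident audit trail whose integrity does not depend on the DBA's privileges. This is an added example, not code from the presentation: the DBA action records, the HMAC key and the collector-held anchor digest are all constructed assumptions.

```python
"""Tamper-evident audit trail for DBA data changes (added example).

Each entry's digest covers the previous entry's digest, so deleting or
editing a record in the middle of the trail invalidates every digest after
it. The HMAC key is held by the log collector, not inside the DBMS, so an
account that can rewrite the audit table cannot recompute valid digests.
"""
import hashlib
import hmac
import json

# Constructed demo key. In practice the collector/SIEM holds it, not the DBA.
CHAIN_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64  # 'previous digest' for the first entry

# Constructed sample of DBA actions as the database would report them.
DBA_ACTIONS = [
    {"ts": "2019-01-15T09:02:11Z", "user": "dba_alice", "table": "customer",
     "op": "UPDATE", "rows": 1},
    {"ts": "2019-01-15T09:05:47Z", "user": "dba_alice", "table": "payroll",
     "op": "UPDATE", "rows": 40},
    {"ts": "2019-01-15T09:06:02Z", "user": "dba_alice", "table": "payroll",
     "op": "DELETE", "rows": 40},
]


def entry_digest(prev_digest, body):
    """HMAC-SHA256 over the previous digest and the canonical JSON of the body."""
    payload = prev_digest.encode() + json.dumps(body, sort_keys=True).encode()
    return hmac.new(CHAIN_KEY, payload, hashlib.sha256).hexdigest()


def append_entry(chain, body):
    """Link a new change record to the last digest in the chain."""
    prev = chain[-1]["digest"] if chain else GENESIS
    record = dict(body)
    record["prev"] = prev
    record["digest"] = entry_digest(prev, body)
    chain.append(record)
    return record


def verify_chain(chain, anchor=None):
    """Return (ok, index) where index is the first entry that fails to verify.

    Dropping the *last* entry leaves a valid shorter chain, so the collector
    also keeps the most recent digest it received ('anchor'); a mismatch there
    is reported at index len(chain). index is -1 when everything checks out.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k not in ("prev", "digest")}
        expected = entry_digest(prev, body)
        if rec["prev"] != prev or not hmac.compare_digest(rec["digest"], expected):
            return False, i
        prev = rec["digest"]
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return False, len(chain)
    return True, -1


def demo_chain():
    """Build a fresh chain from the constructed DBA actions."""
    chain = []
    for action in DBA_ACTIONS:
        append_entry(chain, action)
    return chain


if __name__ == "__main__":
    chain = demo_chain()
    anchor = chain[-1]["digest"]
    print("intact:", verify_chain(chain, anchor))           # (True, -1)
    del chain[1]                                            # DBA removes the payroll update
    print("after deleting entry 1:", verify_chain(chain))   # (False, 1)
    print("last entry dropped:", verify_chain(demo_chain()[:-1], anchor))  # (False, 2)
```

The audit question then becomes whether the collector's anchor and key live outside the DBA's reach, not whether the DBA can edit the table.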


DATA SECURITY MANAGEMENT – KEY RISKS


Understand Data Security Needs and Regulatory Requirements
• Data security needs and requirements do not map to the company’s short-term or long-term goals or address regulatory requirements. This may lead to compliance, reputational or financial impact.

Define Data Security Policy
• Absence of a data security policy may lead to employees being unaware of privacy policies and procedures, which may lead to exposure of sensitive data.

Define Data Security Standards
• Data security standards are not aligned with local or national privacy laws and the company’s policies, which may lead to compliance and financial impacts.

Define Data Security Controls and Procedures
• Security controls and procedures do not address company policies or compliance obligations, which may lead to financial and compliance-related impacts.

Manage Users, Passwords and Group Memberships
• Inappropriate user management procedures may lead to unauthorized access to functions and individuals, which may lead to financial and compliance-related impacts.

Manage Data Access Views and Permissions
• Access to sensitive data is not appropriately managed, resulting in the exposure of sensitive information to unauthorized parties, which may lead to financial and compliance-related impacts.

Monitor User Authentication and Access Behavior
• Inappropriate access and misuse of information assets go undetected, resulting in negative compliance, reputational and financial impacts.

Classify Information Confidentiality
• Information is not adequately classified, resulting in inappropriate access to confidential information that may lead to financial or compliance-related impacts.

Audit Data Security
• Improvements and/or vulnerabilities are not identified, resulting in process weaknesses and business requirements not being met. This may lead to financial or compliance-related impacts.


DATA QUALITY MANAGEMENT

Data Quality Management is a critical process that involves more than just correcting data. Pro-active DQM involves defining data quality metrics and a cycle of continuous monitoring and improvement. This is typically achieved by:


• Defining responsibility for data quality with Data Stewards

• Defining measurement of data quality (fit for use)

• Profiling data and establishing a data quality baseline

• Defining a process to prioritize and correct data quality defects

• Publishing data quality scorecards

• Training / feedback to the front-line to drive data quality improvements

❑ Data Owners are ‘service providers’ who are responsible for providing data to the organization; as such, they need to understand the users of the data and their data quality requirements

❑ Data corrections should be made in the source system and not ‘fixed’ downstream

❑ Improvements in data quality require establishing a shared culture where all levels of the organization understand the downstream impacts of poor data quality


DATA QUALITY MEASUREMENT


Not all data needs to be 100% correct. Requirements for data quality should be defined within the context of “fit for use”. Data quality can be measured against a number of dimensions; not all dimensions will apply to each data element.

Accuracy: The degree to which data correctly represents the “real life” entities. Usually measured by comparison to a known correct value, or against dynamically computed values.

Completeness: The degree to which a data record contains all required values.

Consistency: The degree to which the same data values exist across different data records or databases (also known as referential integrity).

Currency: The degree to which data is up to date.

Precision: The degree to which a data value has the correct level of detail.

Reasonableness: A measure of the consistency expectations of the data.

Timeliness: A measure of the availability of data based on service levels.

Uniqueness: The degree to which data elements that should only exist once within a dataset have not been duplicated.

Validity: Whether a data value conforms to its data type or format pattern, or lies within a known valid range of values.
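The dimensions above, scored over constructed customer records against per-dimension ‘fit for use’ thresholds rather than a blanket 100%. This is an added example, not from the presentation; the records, the reference code list, the e-mail pattern, the as-of date and the thresholds are all assumptions.

```python
"""Data quality scorecard for the dimensions on this slide (added example).

Constructed customer records are scored per dimension and compared with
'fit for use' thresholds. Accuracy is omitted: it needs a known-correct
reference value per record, which the sample does not carry.
"""
import re
from datetime import date

# Constructed sample: customer records feeding a report, as of 2019-01-15.
CUSTOMERS = [
    {"id": "C001", "email": "ann@example.com", "country": "US", "updated": "2018-12-20"},
    {"id": "C002", "email": "bob@example",     "country": "CA", "updated": "2018-11-02"},
    {"id": "C003", "email": "",                "country": "US", "updated": "2017-03-15"},
    {"id": "C001", "email": "ann@example.com", "country": "UK", "updated": "2018-12-21"},
    {"id": "C004", "email": "dan@example.org", "country": "ZZ", "updated": "2019-01-10"},
]
COUNTRY_CODES = {"US", "CA", "GB"}   # constructed reference data (valid code list)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
AS_OF = date(2019, 1, 15)
MAX_AGE_DAYS = 365
# 'Fit for use' thresholds: a key must be perfectly unique, currency need not be.
THRESHOLDS = {"completeness": 0.90, "validity": 0.90, "uniqueness": 1.00,
              "currency": 0.60, "consistency": 0.90}


def _ratio(good, total):
    """Share of good values; an empty population has nothing wrong with it."""
    return good / total if total else 1.0


def completeness(rows, required=("id", "email", "country")):
    """Share of required fields that are populated."""
    values = [row.get(f, "") for row in rows for f in required]
    return _ratio(sum(1 for v in values if v not in ("", None)), len(values))


def validity(rows):
    """Share of populated e-mails that conform to the expected format."""
    populated = [row["email"] for row in rows if row["email"]]
    return _ratio(sum(1 for e in populated if EMAIL_RE.match(e)), len(populated))


def uniqueness(rows, key="id"):
    """Share of rows whose key is not duplicated (1.0 means no duplicates)."""
    ids = [row[key] for row in rows]
    return _ratio(len(set(ids)), len(ids))


def currency(rows, as_of=AS_OF):
    """Share of rows updated within MAX_AGE_DAYS of the as-of date."""
    ages = [(as_of - date.fromisoformat(row["updated"])).days for row in rows]
    return _ratio(sum(1 for a in ages if a <= MAX_AGE_DAYS), len(ages))


def consistency(rows, codes=COUNTRY_CODES):
    """Referential integrity: share of country codes found in the reference list."""
    return _ratio(sum(1 for row in rows if row["country"] in codes), len(rows))


def scorecard(rows, thresholds=THRESHOLDS, as_of=AS_OF):
    """Map each dimension to (score rounded to 3 places, meets threshold?)."""
    scores = {
        "completeness": completeness(rows),
        "validity": validity(rows),
        "uniqueness": uniqueness(rows),
        "currency": currency(rows, as_of),
        "consistency": consistency(rows),
    }
    return {d: (round(s, 3), s >= thresholds[d]) for d, s in scores.items()}


def failing_dimensions(rows, thresholds=THRESHOLDS, as_of=AS_OF):
    """Dimensions a data steward should prioritise for correction at the source."""
    return sorted(d for d, (_, ok) in scorecard(rows, thresholds, as_of).items() if not ok)


if __name__ == "__main__":
    for dim, (score, ok) in scorecard(CUSTOMERS).items():
        print(f"{dim:13s} {score:.3f} {'OK' if ok else 'BELOW THRESHOLD'}")
    print("prioritise:", failing_dimensions(CUSTOMERS))  # ['consistency', 'uniqueness', 'validity']
```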


DATA QUALITY – KEY RISKS


Develop and Promote Quality Awareness
• Necessary stakeholders in the organization are not made aware of data quality needs and in turn do not buy in to or support the organization’s Data Quality Management program.

Define Data Quality Requirements, Metrics and Business Rules
• Data quality requirements, metrics and business rules are not well defined, resulting in the collection of data that does not align with business objectives and requirements or is unsuitable for use in the business processes for which the data was collected.

Set and Evaluate Data Quality Service Levels
• Organizational data quality expectations are not formally defined in a service level agreement, resulting in inadequate data quality issue identification and remediation.

Continuously Measure and Monitor Data Quality
• Data quality is not consistently measured and monitored, resulting in the use of data that does not meet established business requirements and is not fit for use.

Manage Data Quality Issues
• A mechanism for recording and tracking data quality incidents does not exist, resulting in ineffective processes to research and resolve data quality incidents.

Clean and Correct Data Quality Defects
• A process does not exist to correct acute data quality issues and their corresponding root causes, resulting in recurring data quality issues and the use of poor quality data.

Design and Implement Operational DQM Procedures
• A consistent operational approach to data quality management does not exist or is not formally defined, resulting in unrepeatable data quality management processes.

Monitor Operational DQM Procedures and Performance
• Operational data quality management processes are not monitored and measured, resulting in suboptimal performance of data quality management processes.


REFERENCE AND MASTER DATA MANAGEMENT

Master Data Management refers to the process of establishing an authoritative source for business entities such as customers, products or vendors (also known as a golden record or system of record). Reference Data Management refers to the definition of valid data values (or codes). Once defined, both master and reference data are made available for shared use across the organization. This is typically achieved by:


• Identifying data sources and contributors (lineage)

• Developing a data integration architecture

• Implementing a process to define and maintain match rules to identify identical entities and standards to determine whether to merge or link records

• Defining a process to manage and maintain hierarchies and affiliations

• Publishing and distributing reference and master data

• Defining a process to manage changes to reference and master data

❑ As reference and master data are shared across the organization, it can be challenging to determine which individuals are accountable. Program steering committees and data governance councils must make decisions collaboratively.


REFERENCE AND MASTER DATA – KEY RISKS


Understand Reference and Master Data Needs
• Reference and master data integration needs are not understood, resulting in inconsistent, duplicate or low quality data being used across the organization.

Identify Master and Reference Data Sources and Contributors
• Upstream data sources and downstream data needs are not considered, resulting in duplicate or inconsistent data being used.

Define and Maintain the Data Integration Architecture
• Local reference and master data management occurs in application silos, resulting in redundant and inconsistent data.

Define and Maintain Match Rules
• Data matching rules are not appropriately defined, resulting in incorrect and inconsistent data.

Establish Golden Records
• Half-hearted maintenance of reference data degrades the quality of business data and results in misleading reports. Since each reference data set is a value domain with its own distinct values, there is a high risk of being unable to maintain those values.

Define and Maintain Hierarchies and Affiliations
• Important hierarchy and affiliation data may be overlooked if proper vocabularies and their associated data sets are not properly established and maintained between master data records. This may also lead to unauthorized vendors having access to data that they should otherwise not have access to.

Replicate and Distribute Reference and Master Data
• Data is not properly replicated, resulting in the degradation of referential integrity.

Manage Changes to Reference and Master Data
• Unauthorized or incorrect changes are made to reference and master data.


DATA WAREHOUSE AND BUSINESS INTELLIGENCE

A Data Warehouse consists of the technical architecture and the set of processes to extract, cleanse, transform and store data from a variety of data sources to provide an integrated decision support database. Business Intelligence refers to the tools and processes used to query and access data and provide reporting and analytics to support decision making. Implementation of the DW/BI environment is typically achieved by:


• Developing an overall BI/DW strategy and roadmap based on business intelligence needs (avoiding multiple versions of the truth and shadow IT systems)

• Defining a process for demand management and prioritization of business intelligence needs

• Selecting and implementing DW and BI tools and technologies

• Developing standards for data warehouse development, including processes to extract, cleanse, transform and load data into the data warehouse.

• Standardization of reports, and preventing report proliferation

• Developing guidelines for the ‘fair use’ of data

❑ Traditional DW and BI environments are usually well governed; however, emerging analytics environments used for ‘big data’ (also known as data lakes) are often loosely managed

❑ Business areas may develop their own reporting environments that are not subject to IT Governance for change controls, backups etc.


BI AND DW – KEY RISKS


Understand Business Intelligence Needs
• Lack of a BI strategy restricts the company from developing an appropriate framework, methodology, processes, governance, systems and technology to deliver value that aligns with the business objectives and priorities.

Define and Maintain the DW/BI Architecture
• The Data Warehousing and Business Intelligence Management architecture is not sufficient to meet the business’s Business Intelligence needs.

Implement BI Tools and User Interfaces
• Business Intelligence tools are not sufficient to provide the reporting functionality required by the business.

Process Data for Business Intelligence
• Data is not properly processed, resulting in inefficient storage of data and data that is not fit for business intelligence use.

Monitor and Tune Data Warehouse Processes
• Inefficiencies and errors are not identified, resulting in sub-optimal Business Intelligence performance and data quality.

Monitor and Tune BI Activity and Performance
• BI performance is not effectively monitored, resulting in DW-BIM activities that do not meet the needs of end-users.

Unreasonable Use of Data for Business Purposes
• Lack of ‘data contracts’ may result in use of data that attracts negative publicity and results in reputational risk.

Reporting Requirements are Not Addressed when Implementing New Systems
• Projects do not adequately address reporting needs or leave these to ‘business users’ to develop themselves, resulting in inadequate reporting and/or reliance on manual spreadsheet-based solutions.


METADATA MANAGEMENT

Metadata management is the set of processes to ensure the capture, storage and use of ‘data about the data’, including business rules, data definitions, lineage and data flows. Metadata is often categorized as business, technical, operational or data-stewardship metadata. Establishing Metadata Management is typically achieved by:


• Business Metadata
  • Defining agreed-upon terminology and business rules for data elements
  • Defining data classifications
  • Publishing business metadata

• Technical Metadata
  • Capturing flow of data through systems (data lineage)
  • Capturing database metadata (field types and sizes)

• Acquiring tools to support management of metadata

❑ Data stewards take the lead in defining business metadata but need to facilitate discussions across the enterprise.


METADATA MANAGEMENT – KEY RISKS


Understand Metadata Requirements
• Lack of understanding, no well-defined scope, lack of education for users, no clear delineation between business and technical users, no data governance organization, lack of confidence among business users, lack of flow for technical users.

Define the Metadata Architecture
• Information can be extracted from very limited sources; the architecture design doesn’t support the needs of the organization; semantic integration and manual updates are not supported; lack of a single access point.

Develop and Maintain Metadata Standards
• Incorrect identification of standards, relevant rules are not specified and metadata elements are not grouped under the correct schemes.

Implement a Managed Metadata Environment
• No pilot conducted to evaluate the environment, scope and strategy haven’t been defined appropriately and required integrations are not in place.

Create and Maintain Metadata
• Metadata is not appropriately maintained, resulting in low quality, inconsistent metadata that cannot be relied upon.

Integrate Metadata
• Metadata is not integrated effectively, resulting in inconsistent, low quality metadata.

Manage Metadata Repositories
• Metadata repositories are not appropriately managed, resulting in data quality and availability issues.

Distribute and Deliver Metadata
• Metadata is not effectively distributed and delivered, resulting in unavailable information or data disclosure to unauthorized users.

Query, Report and Analyze Metadata
• Missing benefits of impact analysis and the implied productivity improvements; data security risks.


TOPICS TO BE COVERED TODAY

4. Review some Examples of Scoping for Data Governance Audits


DATA GOVERNANCE AUDIT


• Refer to previous slides for key risks

• Does your organization have a defined Data Governance function?
  • If so, review the charter and compare to a reference framework
  • If not, you can likely find pockets of ‘grass-roots’ activities

• For your first DG Audit you might conduct a broad risk assessment and identify areas for further investigation


CREATION OF REGULATORY REPORTS

Scope: End-to-end audit of the process to create regulatory reports

Data Governance Strategy
Who owns the overall process? Is the process documented?
Are roles and responsibilities in each step of the process defined?
Are the appropriate data owners and subject matter experts involved?
Is adequate funding provided to develop a robust solution?

Data Architecture
What data sources should be used? Who decided this?
Do we have all the required data? What data gaps exist?
Are any non-standard technologies used within the process?
Does the development process follow established IT standards (e.g. change controls)?

Database Management
Is the infrastructure reliable? Are database versions up to date?
Can data be recovered (backups)?
Are service-level agreements in place for key infrastructure components?

Data Security
Who has access to change / manipulate the data? How is this controlled?

Data Quality
Is data quality measured? Is the data fit for use?
How are data defects identified? How are data defects corrected?
Are we using any 3rd party data? How is this validated?
How is data quality controlled in manual steps (Excel)?

Reference and Master Data
How is data from different sources standardized?

DW / BI
Are key data elements identified and defined?
How are business rules defined and documented?
How are reports validated / reconciled? Who signs off on reports?

Metadata Management
How does data flow through systems (data lineage)? Is this documented?
Are all data definitions and business rules documented?
Are our data definitions consistent with regulatory requirements?


IT DATA MANAGEMENT AUDIT

Scope: Audit of IT Data Management and Database Operations

Data Governance Strategy
Are roles and responsibilities defined for data management functions?
Are policies defined for data management functions such as patch management, capacity planning, performance monitoring, and backups?

Data Architecture
Are standard technologies and configurations defined and documented?

Database Management
Are standard operating processes defined for data management functions such as patch management, capacity planning, performance monitoring, and backups?
Are database performance issues detected via pro-active monitoring?
How are issues prioritized and assigned for resolution?
Are service levels established for database availability?
Are data models consistent in naming standards and field types?

Data Security
How is access granted for database administrators?
Have default passwords been disabled or changed?
How are DBA activities monitored?
Are database security patches current?

Data Quality
(no questions listed for this scope)

Reference and Master Data
(no questions listed for this scope)

DW / BI
(no questions listed for this scope)

Metadata Management
Is technical metadata documented?
Are data models documented?


TOPICS WE COVERED TODAY


1. Why Implement Data Governance?
2. What Frameworks can be used to Develop and/or Audit a Data Governance Program?
3. What are the Core Components of a Data Governance Program?
4. Review some Examples of Scoping and Approach for Data Governance Audits

Questions?


Thank You!!!!
