The Importance of Data Lineage for AML System

By Vishal Ranjane, Managing Director
Risk and Compliance

Financial organizations have long embraced the advantages that information technology offers, and many are looking forward to larger digitalization initiatives to gain market advantage. Customers appreciate the convenience of digital offerings, while firms enjoy the reduction in operating costs that information technology enables. Of course, in the multifaceted, highly regulated environment in which financial institutions operate, mastering the complexity of this digital future is both rewarding and risky.

In any financial firm’s application landscape, data flows from system to system. In an ideal world, key data gathered at the front end (customer-facing systems) makes it to the back-end systems without hitches. In reality, in the application architecture of almost any financial institution, systems are sometimes imperfectly integrated, often as a result of multiple acquisitions, and data does not always make the journey from system to system without some amount of attrition or change. However, banks and other financial institutions that handle customer data must be able to demonstrate that the information which originates upstream, in customer-facing systems, is the same information found in the bank’s risk and compliance systems downstream. This is where data lineage becomes important.

Data lineage tells the complete story of how data within an organization was produced, consumed, and manipulated by the organization’s applications. It traces the data’s movement through systems.

Once, it was sufficient to demonstrate to regulators that the right policies were in place, that the right procedures were followed, and the right reports were generated and reviewed to protect against threats like fraud and money laundering. Now, financial institutions must be able to demonstrate to regulators that they are using complete and accurate data to monitor for these activities.

Asserting data legitimacy

An organization asserts de facto data legitimacy when it relies on the integrity of its data for key reporting or decision-making activities, such as those involved with risk and compliance solutions. It is imperative that data from upstream systems of record or points of capture arrives in these downstream risk and compliance systems in a manner that does not materially alter or obscure the content received from the system of record or point of capture.

De facto data legitimacy claims are an area of focus for regulatory authorities, which require that these claims be documented and proven. The recent Part 504 regulation by the State of New York Department of Financial Services emphasizes the importance of data lineage in an AML context, stating that a covered institution must not only identify all data sources that contain data relevant to its transaction monitoring and watchlist filtering programs, but also must ensure that these programs include the validation of the integrity, accuracy, and quality of the data to ensure that an accurate and complete set of data flows into these programs. In addition, the regulation specifically notes data mapping as a key component of end-to-end pre- and post-implementation testing of transaction monitoring and watchlist filtering programs.

Going back to the firm’s application landscape, upstream data – data entered initially by the customer, for example – may not survive the journey downstream, and facts about the transaction may be lost with each hop from system to system. Can an auditor know if a particular transaction was made with a teller, a wire, or via an ATM, for example? Was a deposit made by check or cash?

Data lineage documentation can be done using a variety of tools ranging from simple to sophisticated. In smaller, less complex systems, simple spreadsheets and diagramming tools may suffice, while large financial institutions may deploy vendor toolsets to automate tedious and error-prone capture and documentation activities.

Data lineage as part of data governance

Establishing the data lineage should, of course, be more than just an exercise in documenting what’s already in place. Performing this level of analysis and uncovering previously unknown silent errors or gaps in the data being used to manage AML risks and generate reports should lead to increased accuracy and confidence in the reports and management information presented to senior management, internal audit and regulators. An additional benefit is getting better insights into customer behavior – a value for any business.

Having a sustainable data lineage initiative is only the start. To be sustainable over the long run, such an initiative needs to be part of a larger data governance program that is firm-wide and involves all departments and functions. Data governance efforts are viewed well by regulators, who increasingly put pressure on financial institutions to formally document business processes, data controls, source-to-target mapping, and defend all activities around data management. A Protiviti white paper, “AML and Data Governance: How Well Do You KYD?,” provides more information and may be of relevance to your company.

Benjamin Kelly of Protiviti’s Regulatory Risk and Compliance practice contributed to this content.

From Analog to Analytics: 2017 a Turning Point for Internal Audit

By Barbi Goldstein, Managing Director
Internal Audit and Financial Advisory

With increasing demands for broader, more accurate and more efficient risk assurance, internal audit departments have officially entered the age of analytics. According to Protiviti’s 2017 Internal Audit Capabilities and Needs Survey, two-thirds of internal audit functions have begun using data analytics on at least a limited basis, with two-thirds of the remaining respondents indicating that they plan to begin using analytics within two years.

Respondents at organizations of all sizes reported that they have begun the transformation from labor-intensive manual processes to reliance on technology for things like sample selection and testing procedures. Most organizations are still early in the process. Only 16 percent said that they have a person dedicated full time to analytics, and only three percent indicated that they considered their audit analytics to be optimized.

I recently had the opportunity to review the survey results for participants in an April 12 webinar (available for streaming at the link). If you are interested in learning more about the survey results, I urge you to check it out. In the meantime, here are some action items for internal audit derived from the survey:

Recognize that the demand for data analytics is growing across all organizations and industries.

Internal audit organizations are under growing pressure to increase audit efficiency and coverage. Regulators across a wide array of industries are pushing for more use of data and quantitative inputs into the audit process, and auditors are finding that implementation of analytics allows them to provide broader assurance in less time than it would typically take to perform manual testing on a representative sample.

Seek opportunities to expand the internal audit function’s knowledge of sophisticated data analytics capabilities.

From peer-to-peer networking to engagement with industry groups and continuing education, it is critical for auditors to become familiar with the ways in which tools and techniques are being used across their industry.

Do not let budget and resource constraints and business-as-usual workloads limit internal audit’s ability to optimize data analytics efforts.

Look for practical applications you can showcase to gain buy-in from other auditors within your internal audit function. Understanding what peers are doing can also accelerate your organization’s analytic maturity.

Assign analytics champions to lead the effort.

Where a dedicated analytics function doesn’t exist, experience has shown that organizations that employ a champion network within their audit function benefit from broader analytics usage, more sophisticated techniques and greater adoption of analytics in the audit department. The ideal candidate for a data champion is someone with aptitude and interest in data analytics, and a person of influence whom others will follow.

Explore avenues to expand internal audit’s access to quality data.

Engage with stakeholders, such as IT and data governance, to understand how to gain access to data while following all applicable organizational policies and procedures.

Identify new data sources — both internal and external.

Internal auditors, because of their broad industry knowledge, risk focus and access to data and systems throughout the organization, are uniquely positioned to find and mine new data sources to analyze for risk assurance.

Increase use and reach of data-based continuous auditing and monitoring.

Once data sources have been identified, it is important for internal auditors to apply continuous auditing and monitoring tools to have a timely and accurate view of the state of risk in the organization. Visualization tools, such as dashboards, are useful for enabling real-time access to key risk indicators.

Use real-time risk snapshots to help focus audit efforts.

Related to the previous point, problem areas discovered through visualization tools, such as Tableau, can be flagged for additional research/root cause analysis.

Seek ways to increase stakeholder input when building/implementing data analytic capabilities.

Business owners understand and monitor the key risks in their business, as does risk management in its second-line role. It is important for internal audit to build relationships and work closely with the first and second lines of defense to continue to enhance their understanding of risk indicators in the business.

Implement steps to measure success of data analytics efforts.

Internal audit groups that can demonstrate tangible value will build a better business case for increased budgets and resources dedicated to data analysis. Metrics, such as logging requests for analytics in the audit process and number of audits that leverage analytics, are a good way to demonstrate the value of using analytics.

The overarching theme that emerged from this year’s survey results is that data analytics has reached a tipping point. Internal audit functions that lead by embracing analytics and continuous monitoring will grow in value and stature with their stakeholders, regulators and peers. Those that fail to adapt will struggle to keep up with the rate of change and the state of risk at their organizations.

The Role of the Business in Ensuring a Successful ERP Implementation

By Ronan O’Shea, Managing Director
Global ERP Solutions Practice Leader

As organizations implement new enterprise resource planning (ERP) systems as part of digitization, process improvement and platform modernization, it is becoming increasingly critical not just for IT, but also for the business units themselves, to understand their central role in the overall success of these initiatives. The implementation of an enterprise system, or any other major IT system, should never be viewed as just an IT project because, ultimately, it is a business project with business objectives.

Even when a project is supported by a strong system integrator, it is critical for business stakeholders to assume responsibility for key activities before, during and after the implementation. Failure to do so can lead to project delays, budget overruns, business disruption and low user adoption, among other things.

There are seven key responsibilities that businesses need to understand and accept in any successful system implementation. They are:

Program Management and Governance – Although most system integration firms provide project management capabilities, common gaps include oversight of internal business and IT resources, management of other vendors, and engagement with company leadership. Proper oversight requires a more robust approach, from the establishment of a project management office (PMO) structure and assignment of roles, to the establishment of a comprehensive program-wide plan and a “single source of truth” for program status.

Business Process Readiness and Solution Design – Systems integrators are usually technical experts, not business process experts. Businesses should define the vision and operational expectations of a new system with regard to each business process. Specifically, the business must ensure that the technical solution the system integrator proposes will satisfy the business process vision and future-state goals. To meet operational expectations, the business should design process models for the end-to-end future state of each business process that the new system will impact. This will help system integrators focus on blueprinting rather than designing future processes, which typically is not their core expertise.

Organizational Change Enablement – As the solution design is established, the organizational impact of system and process changes must be determined to ensure that the anticipated benefits are realized. Training alone is not sufficient. Ultimately, the goal is a change enablement plan that will raise awareness with key stakeholders, obtain their buy-in and ensure their commitment to support the changes and the performance improvement objectives of the initiative.

User Acceptance Testing (UAT) – The final and most important phase of system testing, UAT, is designed to ensure that the system does what it was designed to do and that it meets user expectations. UAT must go beyond prior functional and technical testing phases. UAT scenarios should cover all business processes end-to-end, include all critical real-life data variations and be validated by process owners.

Data Conversion – This critical aspect is often overlooked by the business, but it is one of the most critical implementation processes, and a common source of project delays. No two systems are alike, and data from one system will rarely map cleanly or directly onto a new system. Data quality issues in legacy systems can also cause delays. Realistic data is critical to UAT. The business, supported by IT, typically owns data conversion design, mapping, enrichment, validation and cleansing. Start the data conversion process early.

Data Governance – To ensure that master data and transactional data are employed appropriately and consistently throughout the organization from go-live forward, the business should develop a comprehensive data governance program that includes a framework of organizational roles, a “data dictionary,” defined metrics and documented policies.

Business Intelligence (BI) and Reporting – BI and reporting should not be left as an afterthought, with the presumption that they can be addressed after go-live. For most users, the primary benefit of an enterprise system is ease and accuracy of reporting. Ensure that the BI and reporting requirements are fully incorporated into the design phase of the implementation and tracked throughout. The ease and flexibility of reporting is highly dependent on the quality of the architecture and design. The efficiency and integrity of the business process is dependent on the availability of information at the right time and place.

Enterprise systems can bring remarkable efficiencies and return on investment, or be massive failures – and the business, not the integrator or IT, is ultimately responsible for the outcome. For a more in-depth analysis of these and other implementation challenges, download our recently published white paper, Understanding the Responsibilities of the Business During an ERP System Implementation.

Digital Transformation, Data Governance, and Internal Audit

By Ari Sagett, Managing Director
Internal Audit and Financial Advisory

Digital advances, such as big data analytics, mobility and smart connected devices, are radically changing not just business processes, but entire operations. Companies across industries are racing to migrate analog approaches to customer interactions, products, services and operating models to an automated, always-on, real-time and information-rich marketplace. For internal audit, this means that IT risk is no longer limited to the traditional audit focus areas, but now spans the breadth of a firm’s operations (including areas that may not have been featured prominently in internal audit’s annual audit plan). And as companies store and process higher volumes of data in support of these automated routines, data governance remains critical.

Accordingly, internal audit departments need to consider the elevated risks this wave of digitization and automation may bring to day-to-day enterprise operations. Take customer service, for example. If routines are automated and customer service representatives now have lots of personally identifiable information on customers stored on workstations and network servers, then the risk profile of that department is elevated, and internal audit should evaluate controls to ensure that these potentially lower priority business functions are being considered and addressed in the context of technology risk.

We explored these challenges in our September 14th webinar, Digitization: What Does This Mean for Internal Audit. A recorded version is available on our website. More than 1,000 practitioners logged in for the live broadcast, which isn’t surprising considering that technology and data concerns topped the list of internal audit priorities in our 2016 Internal Audit Capabilities and Needs Survey.

Big data has also given rise to new, or emerging, risks. Cybercriminals are working both inside and outside of companies to capitalize on the massive and growing universe of valuable personal and private information. Regulators are promulgating policy and guidelines governing the security and privacy of the expanding universe of valuable and sensitive data. New technology-driven competitors are changing the competitive landscape. And older companies are trying to become more agile and innovative, replacing in-house data centers with cloud infrastructure.

As organizations embark on the digital transformation journey, it is incumbent upon the internal audit function to work with operational managers, risk managers, senior executives and the board to provide assurance that organizations continue to have the right controls, data governance, and compliance practices in place. In some cases, the internal audit function may serve a valuable role in educating stakeholders about the nuances of digitization and the associated risks.

Of course, all of these new responsibilities are over and above the traditional core functions, which cannot be neglected. Chief audit executives should ask themselves the following questions:

  • Does the current internal audit plan consider digitization risks?
  • Does IT leadership have a solid understanding of potential control impacts associated with digitization?
  • Does the audit team understand digitization?
  • Do our auditors have the right skills to effectively evaluate digitization risks and controls?
  • Does the internal audit function understand the impacts that digitization may have on data privacy, cybersecurity and other regulatory compliance obligations?

There is no doubt that by embracing digitization, organizations can maximize opportunities and drive competitive advantage. By providing assurance over the organizational risks posed by digitization, the internal audit department can give senior management and the board the information and confidence they need to embrace the digital future.

Is your internal audit team ready for the digital transformation?

Data Analytics in Internal Audit: An Imperative That Can’t Wait

May is International Internal Audit Awareness Month. We are celebrating with a series of blog posts focused on internal audit topics and the daily challenges and future of the internal audit profession.

By Kyle Furtis, Managing Director
Internal Audit and Financial Advisory practice

Data analytics is a hot topic for internal audit departments. In our most recent Internal Audit Capabilities and Needs survey, data analytics figured among the top ten priorities for internal audit professionals, and CAEs ranked big data and business intelligence their number one priority. When we concluded that internal audit has arrived at a tipping point, it’s fair to say that data analytics is one of the items sure to cause the precipitous changes in how we, as internal auditors, do our work.

The profession is aware that businesses are now more data-driven than ever before, and that not utilizing this data can be detrimental to the proper evaluation of risks and controls and, more importantly, meeting stakeholder expectations. Even so, many internal audit departments are still struggling to come up with a formal methodology for integrating data analytics into their work. A formal data analytics program has a mission and a purpose. It also specifies how data is to be identified, acquired and analyzed to determine potential breakdowns of selected controls. But how do you begin?

One recommendation, based on observing successful data analytics programs within internal audit, is to start in areas where you’re comfortable with the data – whether it’s account reconciliations, journal entries, payables, fixed assets, payroll, human resources or threshold/limit controls. It’s easy to test data based on information you’re comfortable with. Just start in an area where enhanced visibility into the underlying data can add value to internal audit findings.

An interesting example of how to begin came from one internal audit shop I worked with. One of the required steps in each audit was for auditors to explain why they didn’t analyze data when performing testing of internal controls. The auditor’s manager and the director of internal audit were also required to sign off on the explanation. The idea was that inserting that step into the audit program forces auditors to think about data in advance of the audit, knowing that they have to answer that question. They couldn’t just give a flip answer, such as “We didn’t have the time,” or “This type of audit is not conducive to data analysis.” It really forces the internal audit staff to think about the risks, the data behind the risks, and whether some data analysis is appropriate.

For those already thinking ahead in this manner, I suggest below a high-level road map that outlines what data analytics may look like in a few years, and how to get there:

  • In Year 1, define your objectives for data analytics and set the basics: Train staff, identify tools, access and normalize data. You may need to prove the value of data analytics through strategies such as pilot and proof-of-concept programs.
  • In Year 2, identify opportunities to fully embed data analytics in internal audit. Define the data-access model, establish key performance indicators (KPIs), and integrate ad hoc analysis.
  • In Year 3 (and perhaps beyond), fully embed data analytics, broadening its use within the organization, and move toward data governance.
  • Next, engage in continuous analytics, fully integrating the analytics program and establishing standard reporting practices. Enable access to analytics reports throughout the enterprise and increase the level of data governance.
  • Finally, introduce predictive analytics. This would be a new frontier for internal auditors, as predictive analytics is not 100 percent accurate, and, as auditors, we’re used to high precision and accuracy when we analyze data – but it will yield interesting results that you can use for discussion.

Incorporating data analytics into internal audit won’t happen overnight. It’s a multistage process, with components introduced over the course of several years. As with everything, the most important step is the first one – so get started on defining your objectives now. By following the road map outlined here, the benefits of more efficient and effective audits will not be too far down the road.

PreView: Checking the Rearview Mirror and Looking Ahead

In risk management, like driving, the safest way forward is to keep your eyes on the road ahead. Every now and again, however, it’s a good idea to check your mirrors. That’s the premise behind the latest issue of PreView, Protiviti’s ongoing series on emerging risks. In our first ever “look-back” edition, we revisit some of the risks we’ve highlighted since we initiated the series in early 2014. We often advise our clients to do a look back on their risk assessments, so it is appropriate for us to take our own medicine. Risks evolve, and checking to see whether we were on track with our predictions is worth the time and effort.

A little background: PreView is a “big picture” publication that focuses on macro-level emerging risks, classified according to the World Economic Forum’s five global risk categories – economic, technological, environmental, societal and geopolitical. Protiviti’s Risk and Compliance Solutions team scans the risk landscape and selects risks they believe have the potential to fundamentally change the profile portrayed in those risk categories.

The risks we revisited in the latest issue include municipal financial instability, Big Data, mobile banking and social media lending. Here, in short, is how these risks have evolved:

Municipal Financial Instability – In December 2014, we warned of municipal instability stemming from a decline in investor appetite for municipal bonds following a wave of defaults. We also warned of a pending debt crisis in Puerto Rico.

Update: Puerto Rico has defaulted on its debt in a case that is currently before the U.S. Supreme Court. At issue: The unprecedented possibility of a state-level debt restructuring – previous restructurings in the United States have all been at the municipal level. What to watch for: If the Supreme Court allows Puerto Rico to restructure its state debt, the bond market will turn a wary eye on the State of Illinois, which is experiencing its own financial crisis.

Big Data – In 2014, “big data” and machine-to-machine communication via the Internet of Things were all the buzz, and we cautioned against over-investing in data analytics without a clear quantification of benefits. We also called for strong data governance, security and management.

Update: Big Data and data analytics have moved from the fringe and into the mainstream due in part to the rapid expansion and dropping costs of data storage, cloud infrastructure and high-speed Internet bandwidth. Using this readily available data strategically promises to fundamentally change everything, from pizza delivery to health care. Big Data also has become the backbone of modern cybersecurity. And 79 percent of business leaders agree that companies that do not adopt Big Data will lose their competitive position and may face the possibility of extinction.

Mobile banking – In our first two issues of PreView, we noted the increasing popularity of mobile banking and suggested that successful financial institutions in the future would be those that found a way to integrate mobile banking and other banking options with traditional brick-and-mortar branch operations to allow customers to choose from multiple ways to conduct their banking.

Update: Trends have continued to show that consumers are interested in an “omni-channel” experience, where they can choose among different banking options, depending on their needs. In addition, nontraditional competitors such as PayPal, Amazon Payments and others continue to disrupt the market and threaten the relationship between the consumer and his or her bank. Cybersecurity and regulatory compliance remain key risks.

Social media lending – In January 2014, we predicted that an individual’s reputation on social media platforms, rather than their traditional credit score, could become a growing basis for lending. In addition, we anticipated that social media lending would create unique and complex fair-lending compliance issues and increase reputation risk with consumers. Lastly, we stated that social media disclosures and behavior might provide lenders with a source for validating information and a predictive profile of creditworthiness in the underwriting process.

Update: We hit two out of three right, as social media lenders in the United States entered and left the market, failing to pass the fair-lending standard. Target customers for this service today seem to be young entrepreneurs outside the United States who are shut out of traditional lending by a lack of a comprehensive credit history.

I know that this short overview doesn’t come close to doing these topics justice. For a more in-depth analysis and bibliographic links, download our Volume 3, Issue 1. In our next edition, we’ll continue to look forward: Technology-enabled disruption in financial services, natural resources sustainability and competition, political shifts and climate change effects on the economy are among the topics on our radar. We hope you stay engaged with us to navigate these risks.

Jim

To KYD or Not to KYD: It Is Hardly a Question

By Matt McGivern and Shaheen Dil, Managing Directors
Protiviti’s Data and Analytics practice

The importance of “know your customer,” or KYC, activities to any AML compliance program is well known. A much less known – but equally crucial – component of an AML program is “know your data,” or KYD, which feeds into KYC and other AML compliance modules.

To run their AML compliance programs, financial firms use a variety of software to review customers, analyze transactions to identify suspicious activities and provide analytical and research capabilities to support suspicious activity reports (SARs). Both SARs and KYC rely on the quality and accessibility of data, which requires knowledge of that data – where it resides, who uses it, what actions are performed on it, etc. While over-stretched AML departments may not want to hear that they now need to be more proficient in data management, KYD activities are needed and can drive efficiencies inside these departments through better data governance.

Due to the way they grow, financial institutions often are burdened with siloed organizational and technical infrastructure with redundant and difficult-to-integrate systems and data stores. This creates a particular challenge for AML compliance heads who have to make sense of disparate data that flows into the AML system from a variety of sources.

A recently published Protiviti point-of-view paper, AML and Data Governance: How well do you KYD?, sets out how firms can benefit from putting in place an effective data governance program to alleviate this problem. The paper covers the main challenges firms face with regard to data management in the context of an AML program and summarizes the main steps needed to create an effective data governance function as follows:

  • Institute and enforce effective master- and reference-data management programs
  • Institute enforceable enterprisewide data governance strategy and processes
  • Be proactive in assigning data ownership and monitoring of data quality
  • Create a centralized repository for metadata
  • Support big data initiatives

Financial institutions that take these steps in an effort to create better data governance will not only be better equipped with regard to their AML efforts; they are more likely to achieve good standing with regulators who look favorably on firms that demonstrate data governance efforts.

Case in point: A Protiviti team, while working on a customer repository project at one of our clients, uncovered substantial data integrity and completeness issues across core systems supporting transaction monitoring at the organization. Regulators severely criticized the bank following an AML compliance program examination – a criticism that could have been avoided if effective data governance practices had been put in place. The firm engaged Protiviti to help expedite remediation of the data issues and formulate an effective and proactive data governance resolution to avoid an enforcement action.

We highly recommend reading this paper to gain a clear understanding of how critical KYD is to the long-term success of your AML program. Regulatory scrutiny around AML compliance has intensified after a series of high-profile lapses – so making data governance a priority seems like a prudent approach for financial firms.