12 schulman - data migration rcm vdraft


Upload: stijnelisabeth

Post on 24-Aug-2014


Page 1: 12 Schulman - Data Migration RCM vDraft

Sub Process Risk Number Risk Name Control number Control Name Control Type Description Control Owner SOX In Scope

Data migration RXXX1 C01 P Adhoc Manual 0 0 N

Data migration RXXX1 C02 P Adhoc Manual 0 0 N

Data migration RXXX1 C06 P Adhoc Manual 0 0 N

Data migration RXXX2 Responsibilities are not clearly assigned within the migration team C02 P Adhoc Manual 0 0 N

Data migration RXXX2 Responsibilities are not clearly assigned within the migration team C06 P Adhoc Manual 0 0 N

Data migration RXXX3 Ownership of data is assigned to the wrong persons or departments C03 P Adhoc Manual 0 0 Y

Data migration RXXX4 C04 P Adhoc Automatic 0 0 N

Data migration RXXX5 Data contained in the source system is lost C05 P Adhoc Manual 0 0 N

Data migration RXXX5 Data contained in the source system is lost C07 P Adhoc IT dependent 0 0 Y

Data migration RXXX5 Data contained in the source system is lost C08 P Adhoc IT dependent 0 0 Y

Business Process

Control Frequency

Control Automation

Control Assertions

Project planning & Organization

The objectives and strategy of the data migration are not clear to the project team members

The migration charter adheres to the principles of the Project management methodology

The migration charter is created according to the principles of the generic Project Management Methodology.

Project planning & Organization

The objectives and strategy of the data migration are not clear to the project team members

A project charter is established and approved at the start of the migration project.

A Migration Charter is established at the start of the migration project. This charter outlines at least the following topics:
1. Aims and objectives of the data migration project
2. Scope and rationalization of any exclusions
3. Nature of migration project
4. Assign data ownership to appropriate business responsible
5. Identify tools to be used
6. Assign roles and responsibilities
7. Planning of tasks
8. Document constraints, risks and dependencies
This charter is approved by the project steering committee.

Project planning & Organization

The objectives and strategy of the data migration are not clear to the project team members

The approved Migration Charter is communicated to the project team.

After approval the Migration charter is communicated to the project team members.

Project planning & Organization

A project charter is established and approved at the start of the migration project.

A Migration Charter is established at the start of the migration project. This charter outlines at least the following topics:
1. Aims and objectives of the data migration project
2. Scope and rationalization of any exclusions
3. Nature of migration project
4. Assign data ownership to appropriate business responsible
5. Identify tools to be used
6. Assign roles and responsibilities
7. Planning of tasks
8. Document constraints, risks and dependencies
This charter is approved by the project steering committee.

Project planning & Organization

The approved Migration Charter is communicated to the project team.

After approval the Migration charter is communicated to the project team members.

Project planning & Organization

The ownership of data is assigned to the business

In the Migration Charter the ownership of data is assigned to the responsible persons of the impacted business.

Project planning & Organization

The tools used to extract, modify and upload data do not ensure the accuracy and completeness of the data.

Approved tooling is used for data migrations

The IT department selects a number of tools to be used during data migrations. These tools are tested and approved for use by IT and business management. Whenever the approved tooling kit cannot be used, the use of alternative tools is documented in the project charter and testing of the alternative tools is performed.

Project planning & Organization

Data Owners decide on the approach for source system and source data

The steering committee decides on the approach that needs to be taken towards the source system and its data:
- can the data be removed
- must the data be archived for a defined period
- must the source system continue to run for a defined period
This decision is documented in the Migration Charter.

Data Identification & Preparation

A description is made of the Source Data Model

The IT project team establishes a formal description of the data structure in the source system. This description clarifies:
- the field names used
- the size of each field
- the format of the field
- the meta-data store
- the meaning
- the relationships to other data
- the origin
- the usage of the data
- …

Data Identification & Preparation

A description is made of the Target Data Model

The IT project team establishes a formal description of the data structure in the target system. This description clarifies:
- the field names used
- the size of each field
- the format of the field
- the meta-data store
- the meaning
- the relationships to other data
- the origin
- the usage of the data
- …

Page 2: 12 Schulman - Data Migration RCM vDraft

Data migration RXXX5 Data contained in the source system is lost C09 P Adhoc Manual 0 0 Y

Data migration Go-Live RXXX5 Data contained in the source system is lost C19 P Adhoc IT dependent 0 0 Y

Data migration RXXX6 Data uploaded in the target system is incomplete C07 P Adhoc IT dependent 0 0 Y

Data migration RXXX6 Data uploaded in the target system is incomplete C08 P Adhoc IT dependent 0 0 Y

Data migration RXXX6 Data uploaded in the target system is incomplete C09 P Adhoc Manual 0 0 Y

Data migration Go-Live RXXX6 Data uploaded in the target system is incomplete C19 P Adhoc IT dependent 0 0 Y

Data migration Go-Live RXXX7 C16 P Adhoc Manual 0 0 Y

Data migration Go-Live RXXX7 C19 P Adhoc IT dependent 0 0 Y

Data migration Go-Live RXXX7 C21 P Adhoc IT dependent 0 0 Y

Data Identification & Preparation

The Steering Committee approves the Migration Strategy

A formal Migration Strategy is developed which is formally approved by the Steering Committee. The Migration Strategy specifies which data enrichment, enhancement, cleansing or clean-up activities need to be performed on the source data before uploading it to the target system.
The Migration Strategy should cover at least the following topics in relation to the data migration:
- Completeness
- Integrity
- Consistency
- Continuity
- Confidentiality

The Final Data Migration is performed according to the Approved Migration Plan and the Cut-over Plan

The final data migration and Clean-up activities are performed according to the Approved Migration Plan and Cut-over Plan. The Approved Migration Plan specifically describes the Data Adjustment (enrichment, cleansing & enhancement) and Clean-up activities that need to be performed.

Data Identification & Preparation

A description is made of the Source Data Model

The IT project team establishes a formal description of the data structure in the source system. This description clarifies:
- the field names used
- the size of each field
- the format of the field
- the meta-data store
- the meaning
- the relationships to other data
- the origin
- the usage of the data
- …

Data Identification & Preparation

A description is made of the Target Data Model

The IT project team establishes a formal description of the data structure in the target system. This description clarifies:
- the field names used
- the size of each field
- the format of the field
- the meta-data store
- the meaning
- the relationships to other data
- the origin
- the usage of the data
- …

Data Identification & Preparation

The Steering Committee approves the Migration Strategy

A formal Migration Strategy is developed which is formally approved by the Steering Committee. The Migration Strategy specifies which data enrichment, enhancement, cleansing or clean-up activities need to be performed on the source data before uploading it to the target system.
The Migration Strategy should cover at least the following topics in relation to the data migration:
- Completeness
- Integrity
- Consistency
- Continuity
- Confidentiality

The Final Data Migration is performed according to the Approved Migration Plan and the Cut-over Plan

The final data migration and Clean-up activities are performed according to the Approved Migration Plan and Cut-over Plan. The Approved Migration Plan specifically describes the Data Adjustment (enrichment, cleansing & enhancement) and Clean-up activities that need to be performed.

Data is uploaded multiple times in the target system, resulting in duplicate records

A cut-over plan is in place before the move to production.

Before the go/no-go decision is taken a cut-over plan needs to be in place which specifies on which date, at what time and by which person the migration to production will be performed.

Data is uploaded multiple times in the target system, resulting in duplicate records

The Final Data Migration is performed according to the Approved Migration Plan and the Cut-over Plan

The final data migration and Clean-up activities are performed according to the Approved Migration Plan and Cut-over Plan. The Approved Migration Plan specifically describes the Data Adjustment (enrichment, cleansing & enhancement) and Clean-up activities that need to be performed.

Data is uploaded multiple times in the target system, resulting in duplicate records

The access rights required to perform data migrations are limited to authorized individuals only.

The required access rights for performing data migrations are only given to a limited number of IT employees.

Page 3: 12 Schulman - Data Migration RCM vDraft

Data migration RXXX8 The source and target system contain records with equal information C09 P Adhoc Manual 0 0 Y

Data migration Go-Live RXXX8 The source and target system contain records with equal information C19 P Adhoc IT dependent 0 0 Y

Data migration Testing RXXX9 The source and target system contain records with conflicting information C10 P Adhoc IT dependent 0 0 Y

Data migration Testing RXXX9 The source and target system contain records with conflicting information C11 P Adhoc Manual 0 The final test plan is formally approved by the Steering Committee. 0 Y

Data migration Testing RXXX9 The source and target system contain records with conflicting information C12 D Adhoc Manual 0 0 N

Data migration Testing RXXX9 The source and target system contain records with conflicting information C13 D Adhoc Manual 0 0 Y

Data migration Testing RXXX9 The source and target system contain records with conflicting information C14 D Adhoc Manual 0 0 Y

Data migration Testing RXXX9 The source and target system contain records with conflicting information C15 D Adhoc Manual 0 0 N

Data migration Go-Live RXXX9 The source and target system contain records with conflicting information C17 P Adhoc Manual 0 0 Y

Data migration Go-Live RXXX9 The source and target system contain records with conflicting information C19 P Adhoc IT dependent 0 0 Y

Data migration Go-Live RXXX9 The source and target system contain records with conflicting information C22 P Adhoc Automatic 0 0 Y

Data Identification & Preparation

The Steering Committee approves the Migration Strategy

A formal Migration Strategy is developed which is formally approved by the Steering Committee. The Migration Strategy specifies which data enrichment, enhancement, cleansing or clean-up activities need to be performed on the source data before uploading it to the target system.
The Migration Strategy should cover at least the following topics in relation to the data migration:
- Completeness
- Integrity
- Consistency
- Continuity
- Confidentiality

The Final Data Migration is performed according to the Approved Migration Plan and the Cut-over Plan

The final data migration and Clean-up activities are performed according to the Approved Migration Plan and Cut-over Plan. The Approved Migration Plan specifically describes the Data Adjustment (enrichment, cleansing & enhancement) and Clean-up activities that need to be performed.

The Test Plan contains a number of mandatory test categories

The Test Plan outlines the test steps to be taken to assure the completeness and accuracy of the data migration. To achieve these goals, a number of comparisons are made between the data in the source and target system. During this comparison, at least the following test categories need to be performed:
- the total number of lines in the source system is compared with the total number of lines in the target system
- a manual verification is performed between the source and target system for at least 25 data lines
- a number of standard control totals are checked for equality between both systems
- the business activities traditionally performed on the data (e.g. calculation of depreciations) are performed on both systems and compared for equality
- the results of the management reporting are compared between source and target system
If the project team decides not to perform one of the mandatory test categories, the exclusion is rationalized and formally documented.
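The automatable test categories above (line counts, control totals, record comparison, and drawing the lines for manual verification) can be scripted as follows. This is an added example, not part of the original control matrix; the asset register data, field names and the `reconcile` function are constructed for illustration, and it assumes both extracts share the same columns.

```python
import csv
import hashlib
import io
import random
from collections import Counter
from decimal import Decimal

# Constructed sample extracts (not from the page): a fixed-asset register.
SOURCE_CSV = """asset_id,description,cost,acq_date
A001,Laptop,1200.00,2012-01-15
A002,Forklift,18500.50,2010-06-01
A003,Server rack,7400.00,2011-11-30
A004,Delivery van,23999.99,2013-03-12
"""

# Constructed faulty upload: A002 loaded twice, A003 cost altered, A004 missing.
TARGET_CSV = """asset_id,description,cost,acq_date
A001,Laptop,1200.00,2012-01-15
A002,Forklift,18500.50,2010-06-01
A002,Forklift,18500.50,2010-06-01
A003,Server rack,7040.00,2011-11-30
"""


def load(text):
    """Parse a CSV extract into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def row_digest(row, fields):
    """Hash the normalized field values so whole records can be compared."""
    joined = "\x1f".join(row[f].strip() for f in fields)
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()


def reconcile(source, target, key, total_fields, sample_size=25, seed=0):
    """Run the automatable test categories and return the findings."""
    if not source:
        raise ValueError("source extract is empty")
    fields = sorted(source[0].keys())
    src_by_key = {r[key]: r for r in source}
    tgt_by_key = {r[key]: r for r in target}
    tgt_counts = Counter(r[key] for r in target)

    # Control totals: Decimal avoids float rounding on monetary fields.
    totals = {}
    for f in total_fields:
        s = sum(Decimal(r[f]) for r in source)
        t = sum(Decimal(r[f]) for r in target)
        totals[f] = {"source": s, "target": t, "equal": s == t}

    # Record-level comparison on keys present in both systems.
    common = sorted(src_by_key.keys() & tgt_by_key.keys())
    mismatched = [k for k in common
                  if row_digest(src_by_key[k], fields)
                  != row_digest(tgt_by_key[k], fields)]

    # Reproducible draw of lines for the manual verification (at least 25
    # when available); the seed is recorded so the draw can be repeated.
    rng = random.Random(seed)
    sample = sorted(rng.sample(common, min(sample_size, len(common))))

    findings = {
        "source_count": len(source),
        "target_count": len(target),
        "missing_in_target": sorted(src_by_key.keys() - tgt_by_key.keys()),
        "unexpected_in_target": sorted(tgt_by_key.keys() - src_by_key.keys()),
        "duplicates_in_target": sorted(k for k, n in tgt_counts.items() if n > 1),
        "mismatched_records": mismatched,
        "control_totals": totals,
        "manual_sample": sample,
        "sample_seed": seed,
    }
    findings["passed"] = (
        findings["source_count"] == findings["target_count"]
        and not findings["missing_in_target"]
        and not findings["unexpected_in_target"]
        and not findings["duplicates_in_target"]
        and not mismatched
        and all(t["equal"] for t in totals.values())
    )
    return findings


if __name__ == "__main__":
    report = reconcile(load(SOURCE_CSV), load(TARGET_CSV), "asset_id", ["cost"])
    for name, value in report.items():
        print(f"{name}: {value}")
```

In the constructed data the line counts match (4 and 4) even though one record is missing, one is duplicated and one is altered, which is why the count comparison is only one of the mandatory categories. The comparisons of business activities and management reporting still have to be run in both systems and are not covered here.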

Approval of Test Plan before start of testing

The data migration is tested in a test environment

The full data migration is tested in a specific test environment separated from the production environment.

Testing is performed by business and IT

Testing of the data migration is performed by:
- IT employees responsible for the source and target system
- Owners of both source and target data

Testing is performed according to the Approved Test Plan

The tests are performed according to the approved test plan. Formal documentation is kept of the testing approach and the results of each test step.

Testing results are formally approved by the Steering Committee

The results of the testing are discussed during the project steering committee and where required corrective actions are decided upon. The testing results as drafted by the test executors are formally approved by the Steering Committee.

The Steering Committee gives a final approval before Go-Live

The full data migration to the production environment is only performed after a formal go/no-go decision of the steering committee. The go/no-go decision is made based on the Approved Testing Results, the Approved Migration Strategy and the Cut-over Plan. The formal go/no-go is documented in the Readiness Review document which is made available to all members of the project team.

The Final Data Migration is performed according to the Approved Migration Plan and the Cut-over Plan

The final data migration and Clean-up activities are performed according to the Approved Migration Plan and Cut-over Plan. The Approved Migration Plan specifically describes the Data Adjustment (enrichment, cleansing & enhancement) and Clean-up activities that need to be performed.

The target system performs all application controls in the case of batch upload

When automatic upload of data files is performed in the target system, the system will automatically perform all business application controls as it would perform in the case of manual input. Any records or data lines that fail these controls will be included in an error report automatically created by the system. Based on this error report the data owners will decide what to do with these faulty records/lines.

Page 4: 12 Schulman - Data Migration RCM vDraft

Data migration Validation RXXX9 The source and target system contain records with conflicting information C24 D Adhoc IT dependent 0 0 Y

Data migration Validation RXXX9 The source and target system contain records with conflicting information C25 D Adhoc Manual 0 0 Y

Data migration RXXX10 C07 P Adhoc IT dependent 0 0 Y

Data migration RXXX10 C08 P Adhoc IT dependent 0 0 Y

Data migration RXXX10 C09 P Adhoc Manual 0 0 Y

Data migration Go-Live RXXX10 C19 P Adhoc IT dependent 0 0 Y

Data migration Go-Live RXXX11 C20 P Adhoc Automatic 0 0 Y

The final data migration to the production environment is tested and validated by IT and the business according to the Approved Test Approach

After the final data migration to the production environment, the migration is tested according to the approved test plan. Formal documentation is kept of the testing approach and the results of each test step. The results of the testing are discussed during the project steering committee and where required corrective actions are decided upon.

The Validation Results are approved by the Steering Committee

The test executors develop the Draft Validation Results, which are reviewed and approved by the steering committee. Only after the approval of the Validation Results can the Migration Close phase be initiated.

Data Identification & Preparation

The format of the source data is different from the format of the target data, resulting in faulty interpretation by the target system

A description is made of the Source Data Model

The IT project team establishes a formal description of the data structure in the source system. This description clarifies:
- the field names used
- the size of each field
- the format of the field
- the meta-data store
- the meaning
- the relationships to other data
- the origin
- the usage of the data
- …

Data Identification & Preparation

The format of the source data is different from the format of the target data, resulting in faulty interpretation by the target system

A description is made of the Target Data Model

The IT project team establishes a formal description of the data structure in the target system. This description clarifies:
- the field names used
- the size of each field
- the format of the field
- the meta-data store
- the meaning
- the relationships to other data
- the origin
- the usage of the data
- …

Data Identification & Preparation

The format of the source data is different from the format of the target data, resulting in faulty interpretation by the target system

The Steering Committee approves the Migration Strategy

A formal Migration Strategy is developed which is formally approved by the Steering Committee. The Migration Strategy specifies which data enrichment, enhancement, cleansing or clean-up activities need to be performed on the source data before uploading it to the target system.
The Migration Strategy should cover at least the following topics in relation to the data migration:
- Completeness
- Integrity
- Consistency
- Continuity
- Confidentiality

The format of the source data is different from the format of the target data, resulting in faulty interpretation by the target system

The Final Data Migration is performed according to the Approved Migration Plan and the Cut-over Plan

The final data migration and Clean-up activities are performed according to the Approved Migration Plan and Cut-over Plan. The Approved Migration Plan specifically describes the Data Adjustment (enrichment, cleansing & enhancement) and Clean-up activities that need to be performed.

Tables used to store data in-between extraction and upload are not appropriately secured resulting in unauthorized use, disclosure, modification, damage or loss of data

In-between tables are stored on a drive only accessible by IT employees

After extraction from the source system, during enhancement, enrichment and cleansing activities and before migration to the target system, the data is stored on a drive only accessible by IT employees.

Page 5: 12 Schulman - Data Migration RCM vDraft

Data migration RXXX12 Data is uploaded incorrectly C10 P Adhoc IT dependent 0 0 Y

Data migration RXXX12 Data is uploaded incorrectly C11 P Adhoc Manual 0 The final test plan is formally approved by the Steering Committee. 0 Y

Data migration Testing RXXX12 Data is uploaded incorrectly C12 D Adhoc Manual 0 0 N

Data migration RXXX12 Data is uploaded incorrectly C13 D Adhoc Manual 0 0 Y

Data migration RXXX12 Data is uploaded incorrectly C14 D Adhoc Manual 0 0 Y

Data migration Testing RXXX12 Data is uploaded incorrectly C15 D Adhoc Manual 0 0 N

Data migration Go-Live RXXX12 Data is uploaded incorrectly C17 P Adhoc Manual 0 0 Y

Data migration Go-Live RXXX12 Data is uploaded incorrectly C19 P Adhoc IT dependent 0 0 Y

Data migration Go-Live RXXX12 Data is uploaded incorrectly C22 P Adhoc Automatic 0 0 Y

Data migration Validation RXXX12 Data is uploaded incorrectly C24 D Adhoc IT dependent 0 0 Y

Data migration Validation RXXX12 Data is uploaded incorrectly C25 D Adhoc Manual 0 0 Y

Testing/Validation

The Test Plan contains a number of mandatory test categories

The Test Plan outlines the test steps to be taken to assure the completeness and accuracy of the data migration. To achieve these goals, a number of comparisons are made between the data in the source and target system. During this comparison, at least the following test categories need to be performed:
- the total number of lines in the source system is compared with the total number of lines in the target system
- a manual verification is performed between the source and target system for at least 25 data lines
- a number of standard control totals are checked for equality between both systems
- the business activities traditionally performed on the data (e.g. calculation of depreciations) are performed on both systems and compared for equality
- the results of the management reporting are compared between source and target system
If the project team decides not to perform one of the mandatory test categories, the exclusion is rationalized and formally documented.

Testing/Validation

Approval of Test Plan before start of testing

The data migration is tested in a test environment

The full data migration is tested in a specific test environment separated from the production environment.

Testing/Validation

Testing is performed by business and IT

Testing of the data migration is performed by:
- IT employees responsible for the source and target system
- Owners of both source and target data

Testing/Validation

Testing is performed according to the Approved Test Plan

The tests are performed according to the approved test plan. Formal documentation is kept of the testing approach and the results of each test step.

Testing results are formally approved by the Steering Committee

The results of the testing are discussed during the project steering committee and where required corrective actions are decided upon. The testing results as drafted by the test executors are formally approved by the Steering Committee.

The Steering Committee gives a final approval before Go-Live

The full data migration to the production environment is only performed after a formal go/no-go decision of the steering committee. The go/no-go decision is made based on the Approved Testing Results, the Approved Migration Strategy and the Cut-over Plan. The formal go/no-go is documented in the Readiness Review document which is made available to all members of the project team.

The Final Data Migration is performed according to the Approved Migration Plan and the Cut-over Plan

The final data migration and Clean-up activities are performed according to the Approved Migration Plan and Cut-over Plan. The Approved Migration Plan specifically describes the Data Adjustment (enrichment, cleansing & enhancement) and Clean-up activities that need to be performed.

The target system performs all application controls in the case of batch upload

When automatic upload of data files is performed in the target system, the system will automatically perform all business application controls as it would perform in the case of manual input. Any records or data lines that fail these controls will be included in an error report automatically created by the system. Based on this error report the data owners will decide what to do with these faulty records/lines.

The final data migration to the production environment is tested and validated by IT and the business according to the Approved Test Approach

After the final data migration to the production environment, the migration is tested according to the approved test plan. Formal documentation is kept of the testing approach and the results of each test step. The results of the testing are discussed during the project steering committee and where required corrective actions are decided upon.

The Validation Results are approved by the Steering Committee

The test executors develop the Draft Validation Results, which are reviewed and approved by the steering committee. Only after the approval of the Validation Results can the Migration Close phase be initiated.

Page 6: 12 Schulman - Data Migration RCM vDraft

Data migration RXXX13 C10 P Adhoc IT dependent 0 0 Y

Data migration Testing RXXX14 Errors identified during testing are not appropriately recorded or dealt with. C15 D Adhoc Manual 0 0 N

Data migration RXXX15 Tests are not performed by users with the appropriate knowledge C13 D Adhoc Manual 0 0 Y

Data migration Testing RXXX16 C12 D Adhoc Manual 0 0 N

Data migration Go-Live RXXX16 C17 P Adhoc Manual 0 0 Y

Data migration Go-Live RXXX17 C18 P Adhoc Automatic 0 0 Y

Data migration Go-Live RXXX17 C23 P Adhoc IT dependent 0 0 Y

Data Migration Migration Close RXXX18 C26 D Adhoc Manual 0 0 Y

Testing/Validation

The testing approach does not ensure the accuracy and completeness of the data. The testing approach is not complete and does not cover all risks related to the data migration.

The Test Plan contains a number of mandatory test categories

The Test Plan outlines the test steps to be taken to assure the completeness and accuracy of the data migration. To achieve these goals, a number of comparisons are made between the data in the source and target system. During this comparison, at least the following test categories need to be performed:
- the total number of lines in the source system is compared with the total number of lines in the target system
- a manual verification is performed between the source and target system for at least 25 data lines
- a number of standard control totals are checked for equality between both systems
- the business activities traditionally performed on the data (e.g. calculation of depreciations) are performed on both systems and compared for equality
- the results of the management reporting are compared between source and target system
If the project team decides not to perform one of the mandatory test categories, the exclusion is rationalized and formally documented.

Testing results are formally approved by the Steering Committee

The results of the testing are discussed during the project steering committee and where required corrective actions are decided upon. The testing results as drafted by the test executors are formally approved by the Steering Committee.

Testing/Validation

Testing is performed by business and IT

Testing of the data migration is performed by:
- IT employees responsible for the source and target system
- Owners of both source and target data

Faults in the data migration methodology are not detected or are only detected during the final upload.

The data migration is tested in a test environment

The full data migration is tested in a specific test environment separated from the production environment.

Faults in the data migration methodology are not detected or are only detected during the final upload.

The Steering Committee gives a final approval before Go-Live

The full data migration to the production environment is only performed after a formal go/no-go decision of the steering committee. The go/no-go decision is made based on the Approved Testing Results, the Approved Migration Strategy and the Cut-over Plan. The formal go/no-go is documented in the Readiness Review document which is made available to all members of the project team.

Data in the source system is changed after the data extraction, resulting in a situation where not all required information is migrated to the target system.

A freeze period is initiated before the start of the final data migration

Before the final extraction of data is started, access to the source system is blocked for all end users, thereby ensuring that no more activities can be performed during or after the extraction. During the Freeze Period all activities in the source system are logged.

Data in the source system is changed after the data extraction, resulting in a situation where not all required information is migrated to the target system.

Activities performed during the Freeze period are only uploaded after validation by the Business Project Team

After the final data extract is moved to production, the IT project team checks the logs and captures any transactions made during the Freeze Period. These transactions are validated by the Business project team. After validation the transactions are included in the target data.

Procedures and controls are not appropriately executed, resulting in problems or issues not being detected.

The correct execution of the Migration Charter is checked at the end of the migration project

At the end of the migration project the Steering Committee checks if the Migration Charter was correctly followed and if all required documentation was collected. Only if this is the case, the Steering Committee formally signs off on the migration.

Risk Name

Responsibilities are not clearly assigned within the migration team

Ownership of data is assigned to the wrong persons or departments

Data contained in the source system is lost

Data uploaded in the target system is incomplete

The source and target system contain records with equal information

The source and target system contain records with conflicting information

Data is uploaded incorrectly

Errors identified during testing are not appropriately recorded or dealt with.

Tests are not performed by users with the appropriate knowledge

The objectives and strategy of the data migration are not clear to the project team members

The tools used to extract, modify and upload data do not ensure the accuracy and completeness of the data.

Data is uploaded multiple times in the target system, resulting in duplicate records

The format of the source data is different from the format of the target data, resulting in faulty interpretation by the target system

Tables used to store data in-between extraction and upload are not appropriately secured resulting in unauthorized use, disclosure, modification, damage or loss of data

The testing approach does not ensure the accuracy and completeness of the data. The testing approach is not complete and does not cover all risks related to the data migration.

Faults in the data migration methodology are not detected or are only detected during the final upload.

Data in the source system is changed after the data extraction, resulting in a situation where not all required information is migrated to the target system.

Procedures and controls are not appropriately executed, resulting in problems or issues not being detected.

Control Name Control Type Description Control Owner Sox in scope

C01 P Adhoc Manual N

C02 P Adhoc Manual N

C03 P Adhoc Manual Y

C04 P Adhoc Automatic N

C05 P Adhoc Manual N

C06 P Adhoc Manual N

Control Frequency

Control Automation

Control Assertions

The migration charter adheres to the principles of the Project management methodology

The migration charter is created according to the principles of the generic Project Management Methodology.

A project charter is established and approved at the start of the migration project.

A Migration charter is established at the start of the migration project. This charter outlines at least the following topics:
1. Aims and objectives of the data migration project
2. Scope and rationalization on any exclusions
3. Nature of migration project
4. Assign data ownership to appropriate business responsible
5. Identify tools to be used
6. Assign roles and responsibilities
7. Planning of tasks
8. Document constraints, risks and dependencies
This charter is approved by the project steering committee.

The ownership of data is assigned to the business

In the Migration charter the ownership of data is assigned to the impacted business responsibles.

Approved tooling is used for data migrations

The IT department selects a number of tools to be used during data migrations. These tools are tested and approved for use by IT and business management. Whenever the approved tooling kit cannot be used, the use of alternative tools is documented in the project charter and testing of the alternative tools is performed.

Data Owners decide on the approach for source system and source data

The steering committee decides on the approach that needs to be taken towards the source system and its data:
- can the data be removed
- must the data be archived for a defined period
- must the source system continue to run for a defined period
This decision is documented in the Migration Charter

The approved Migration Charter is communicated to the project team.

After approval the Migration charter is communicated to the project team members.

C07 P Adhoc IT dependent Y

C08 P Adhoc IT dependent Y

C09 P Adhoc Manual Y

A description is made of the Source Data Model

The IT project team establishes a formal description of the data structure in the source system. This description clarifies:
- the fieldnames used
- the size of each field
- the format of the field
- the meta-data store
- the meaning
- the relationships to other data
- the origin
- the usage of the data
- …

A description is made of the Target Data Model

The IT project team establishes a formal description of the data structure in the target system. This description clarifies:
- the fieldnames used
- the size of each field
- the format of the field
- the meta-data store
- the meaning
- the relationships to other data
- the origin
- the usage of the data
- …

The Steering Committee approves the Migration Strategy

A formal Migration Strategy is developed which is formally approved by the Steering Committee. The Migration Strategy specifies which data enrichment, enhancement, cleansing or clean-up activities need to be performed on the source data before uploading it to the target system. The Migration Strategy should cover at least the following topics with relation to the data migration:
- Completeness
- Integrity
- Consistency
- Continuity
- Confidentiality

C10 P Adhoc IT dependent Y

C11 P Adhoc Manual The final test plan is formally approved by the Steering Committee. Y

C12 D Adhoc Manual N

C13 D Adhoc Manual Y

C14 D Adhoc Manual Y

C15 D Adhoc Manual N

C16 P Adhoc Manual Y

The Test Plan contains a number of mandatory test categories

The Test Plan outlines the test steps to be taken to assure the completeness and accuracy of the data migration. To achieve these goals, a number of comparisons are made between the data in the source and target system. During this comparison, at least the following test categories need to be performed:
- The total number of lines in the source system is compared with the total number of lines in the target system.
- A manual verification is performed between the source and target system for at least 25 data lines.
- A number of standard control totals are checked for equality between both systems.
- The business activities traditionally performed on the data (e.g. calculation of depreciations) are performed on both systems and compared for equality.
- The results of the management reporting are compared between source and target system.
If the project team decides not to perform one of the mandatory test categories, the exclusion is rationalized and formally documented.
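
An added example, not part of the original matrix: one way the line-count, control-total and sample test categories above could be scripted in Python. The `reconcile` helper, the field names (`asset_id`, `cost`) and the data are constructed for illustration; the missing-key and duplicate-key checks go beyond the listed categories and address the "data lost" and "uploaded multiple times" risks named in the matrix.

```python
import random
from collections import Counter
from decimal import Decimal

def reconcile(source, target, key, amount, sample_size=25, seed=1):
    """Compare a source and a target extract (lists of dicts) of one table."""
    src = {r[key]: r for r in source}
    tgt = {r[key]: r for r in target}
    tgt_counts = Counter(r[key] for r in target)
    res = {
        # Test category: total number of lines in both systems.
        "row_count_equal": len(source) == len(target),
        # Test category: a control total (Decimal avoids float rounding).
        "control_total_equal": sum(r[amount] for r in source)
        == sum(r[amount] for r in target),
        # Added checks that raw counts cannot see: lost and duplicated keys.
        "missing_in_target": sorted(set(src) - set(tgt)),
        "duplicates_in_target": sorted(k for k, n in tgt_counts.items() if n > 1),
    }
    # Test category: pick the lines for the manual check (at least 25). A fixed
    # seed makes the sample reproducible for reviewers and auditors.
    common = sorted(set(src) & set(tgt))
    sample = random.Random(seed).sample(common, min(sample_size, len(common)))
    res["sample"] = sorted(sample)
    res["sample_differences"] = sorted(k for k in sample if src[k] != tgt[k])
    res["passed"] = (res["row_count_equal"] and res["control_total_equal"]
                     and not res["missing_in_target"]
                     and not res["duplicates_in_target"]
                     and not res["sample_differences"])
    return res

# Constructed sample data: 40 asset records; field names are assumptions.
SOURCE = [{"asset_id": f"A{i:03d}", "cost": Decimal(1000 + i)} for i in range(1, 41)]
TARGET = [dict(r) for r in SOURCE if r["asset_id"] != "A007"]  # A007 is lost
TARGET.append(dict(TARGET[0]))                                 # A001 loaded twice

if __name__ == "__main__":
    for name, value in reconcile(SOURCE, TARGET, "asset_id", "cost").items():
        print(f"{name}: {value}")
```

In the constructed data the line counts agree even though one record is lost and another is loaded twice, so the line count on its own would pass a faulty migration; the control total and the key checks catch it.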

Approval of Test Plan before start of testing

The data migration is tested in a test environment

The full data migration is tested in a specific test environment separated from the production environment.

Testing is performed by business and IT

Testing of the data migration is performed by:
- IT employees responsible for the source and target system
- Owners of both source and target data

Testing is performed according to the Approved Test Plan

The tests are performed according to the approved test plan. Formal documentation is kept of the testing approach and the results of each test step.

Testing results are formally approved by the Steering Committee

The results of the testing are discussed during the project steering committee and where required corrective actions are decided upon. The testing results as drafted by the test executors are formally approved by the Steering Committee.

A cut-over plan is in place before the move to production.

Before the go/no-go decision is taken a cut-over plan needs to be in place which specifies on which date, at what time and by which person the migration to production will be performed.

C17 P Adhoc Manual Y

C18 P Adhoc Automatic Y

C19 P Adhoc IT dependent Y

C20 P Adhoc Automatic Y

C21 P Adhoc IT dependent Y

C22 P Adhoc Automatic Y

C23 P Adhoc IT dependent Y

The Steering Committee gives a final approval before Go-Live

The full data migration to the production environment is only performed after a formal go/no-go decision of the steering committee. The go/no-go decision is made based on the Approved Testing Results, the Approved Migration Strategy and the Cut-over Plan. The formal go/no-go is documented in the Readiness Review document which is made available to all members of the project team.

A freeze period is initiated before the start of the final data migration

Before the final extraction of data is started, access to the source system is blocked for all end users, thereby ensuring that no more activities can be performed during or after the extraction. During the Freeze Period all activities in the source system are logged.

The Final Data Migration is performed according to the Approved Migration Plan and the Cut-over Plan

The final data migration and Clean-up activities are performed according to the Approved Migration Plan and Cut-over Plan. The Approved Migration Plan specifically describes the Data Adjustment (enrichment, cleansing & enhancement) and Clean-up activities that need to be performed.

In-between tables are stored on a drive only accessible by IT employees

After extraction from the source system, during enhancement, enrichment and cleansing activities and before migration to the target system, the data is stored on a drive only accessible by IT employees.

The access rights required to perform data migrations are limited to authorized individuals only.

The required access rights for performing data migrations are only given to a limited number of IT employees.

The target system performs all application controls in the case of batch upload

When automatic upload of data files is performed in the target system, the system will automatically perform all business application controls as it would perform in the case of manual input. Any records or data lines that fail these controls will be included in an error report automatically created by the system. Based on this error report the data owners will decide what to do with these faulty records/lines.

Activities performed during the Freeze period are only uploaded after validation by the Business Project Team

After the final data extract is moved to production, the IT project team checks the logs and captures any transactions made during the Freeze Period. These transactions are validated by the Business project team. After validation the transactions are included in the target data.

C24 D Adhoc IT dependent Y

C25 D Adhoc Manual Y

C26 D Adhoc Manual Y

The final data migration to the production environment is tested and validated by IT and the business according to the Approved Test Approach

After the final data migration to the production environment, the migration is tested according to the approved test plan. Formal documentation is kept of the testing approach and the results of each test step. The results of the testing are discussed during the project steering committee and where required corrective actions are decided upon.

The Validation Results are approved by the Steering Committee

The test executors develop the Draft Validation Results, which are reviewed and approved by the steering committee. Only after the approval of the Validation Results can the Migration Close phase be initiated.

The correct execution of the Migration Charter is checked at the end of the migration project

At the end of the migration project the Steering Committee checks if the Migration Charter was correctly followed and if all required documentation was collected. Only if this is the case, the Steering Committee formally signs off on the migration.