Case Study – IT Controls Testing Automation Steve Lambert, Director, DTCC


Page 1

Page 2

© 2018 GRC Summit All Rights Reserved.

Agenda

1. Organization Overview: Vision, Key Facts and Needs
2. GRC Program Governance, Challenges and Community
3. R3: Readiness, Roadmap and Rollout
   • DTCC IT Stars Strategy
   • GRC Program Roadmap and Rollout – IT
   • First Line of Defense and Our Roles as Risk Managers
   • PRC Framework
4. Business Value and Realized Benefits - Before and After
5. Key Learnings and Best Practices
   • DTCC Solution - Automated Control Testing
6. Audience Questions and Discussion

Page 3

DTCC

With 45 years of experience, DTCC is the premier post-trade market infrastructure for the global financial services industry. From operating facilities, data centers and offices in 16 countries, DTCC, through its subsidiaries, automates, centralizes and standardizes the processing of financial transactions, mitigating risk, increasing transparency and driving efficiency for thousands of broker/dealers, custodian banks and asset managers. Industry owned and governed, the firm simplifies the complexities of clearing, settlement, asset servicing, data management and information services across asset classes, bringing increased security and soundness to financial markets. In 2017, DTCC’s subsidiaries processed securities transactions valued at more than U.S. $1.61 quadrillion. Its depository provides custody and asset servicing for securities issues from 131 countries and territories valued at U.S. $57.4 trillion. DTCC’s Global Trade Repository maintains approximately 40 million open OTC positions per week and processes over one billion messages per month.

Website: http://www.dtcc.com
Headquarters: New York, NY
Year founded: 1973
Company type: Privately Held
Company size: 1,001-5,000 employees
Specialties: Clearing Services, Matching, Settlement & Asset Services, Wealth Management Services, Collateral Management, Derivatives Services, and Data Services

Page 4

GRC Program Vision

Short Term Vision (Less than a year)
• Rebrand MetricStream and the GRC program
• Understand business needs, technology execution and workflow automation
• Identify convergence opportunities across processes
• Audit, Risk Assessment, Issue Management and Control Testing go-live in MetricStream
• Develop change management and training strategy

Long Term Vision (More than a year)
• Converge GRC functions to a common technology platform
• Develop integrated, executive level dashboards and reporting
• Greater risk management transparency and reduced redundancy
• Build a strong risk culture
• Training implementation

To execute a Governance, Risk and Compliance program that aligns and integrates risk and compliance processes to strategic business priorities for improved risk management, enhanced reporting, and compliance with laws and regulations enabled by a common technology.

Page 5

Page 6

DTCC IT Stars Strategy

Reducing risk for the financial services industry remains our foremost priority, and DTCC IT is committed to strengthening the firm’s robust risk management program by evolving our approach to solution delivery to reflect changes in the market, regulatory and technology environments. In order to address these issues, DTCC IT will focus on building competencies in 5 key strategic capabilities, known as “STARS.”

Page 7

GRC Program Roadmap and Rollout – IT

[Roadmap timeline figure spanning FY15 to FY19 with Phase 1 and Phase 2; only the labels below survived extraction]

• IT PRC Program Governance, Management and Communications of Progress, Organizational Change
• IT PRC Initiatives: Workstreams
  • MetricStream Platform and GRC Foundation: GRC Organization Hierarchy, GRC Library
  • IT Process Risks and Controls Framework, Risk Reporting, Analytics and Governance
  • Infolet Integrations: Data feeds, GRC Intelligence Content Feeds
  • ERM
  • IT Compliance
• IT Compliance Testing: Manual IT Control Testing
• Regulation SCI Compliance
• IT Control Testing Automation
• Risk Assessment and Governance Automation
• Risk and Control Coverage: Expand coverage of Controls and Risk Assessments

Page 8

First Line of Defense and Our Roles as Risk Managers

First Line of Defense: The Business
• Identify and monitor risks and key controls
• Execute action plans to mitigate the risk
• Support control testing
• Fully understand the residual unmitigated risk the business chooses to accept
• Work with 2nd Line to define business risk metrics

Second Line of Defense: Compliance, ORM, CSO, Privacy, others
• Create standards and policies around risk management and control
• Monitor compliance with those standards and policies

Third Line of Defense: Internal Audit & External Auditors
• Performs a mix of risk assessment and control testing techniques
• Tests the design and effectiveness of the internal control framework
• Provides proactive advice on internal risk management
• Promotes a culture of proactive risk management by increasing the business’s control awareness through issue self-identification

Page 9

PRC Framework Workflow

The IT PRC Program workflow is focused on building out our capabilities across 5 areas in order to create a comprehensive “First Line of Defense” risk view of IT:

• PRC Framework
• Policies & Procedures
• Process Risk Assessment
• Management Testing
• Performance

Example for Change & Release Management:
• Enterprise Policy Repository
  § Change & Release Management Policy
  § DTCC Change & Release Management Procedures
  § Omgeo Change & Release Management Procedures
• Metrics: IT Change Quality metric

Q2 2016 IT PRC Dashboard (Draft)

[Dashboard table; the per-process cells (counts, status symbols, ratings, owner names and test dates) did not survive extraction. The recoverable structure is below.]

Column groups: Domains & Processes | Reg SCI (Y/N) | Risk Family | Process Owner(s) | Policies and Procedures (# Policies, # Procedures, Availability, Adequacy) | Controls, Reg SCI and Non-Reg SCI (IT, Non-IT, Design, Effectiveness) | # of Control Improvements | PRC Metrics (Inherent Risk, Controls, Residual Risk) | Process Owner Risk Rating (Inherent Risk, Controls, Mgmt. Testing Rating, Events / Incidents) | IT PRC Overall Rating (Design, Effectiveness) | Internal Audit Rating | Controls Testing Timeline | Total

Dates appearing in the timeline columns: 08/30/16; 3/25/16 (DTCC) and 7/29/16 (Omgeo); 4/29/16 (DTCC) and 8/19/16 (Omgeo); 06/10/16; 09/30/16; 12/30/16; several processes marked “Out of scope for 2016”.

Rows (6 domains, 36 processes; * marks processes whose risk rating is taken from the IT Risk Tolerance Dashboard):
• Governance: IT Accounting and Oversight; IT Financial Management; Legal & Regulatory Compliance; Policies, Standards & Procedures; Information & Data Management; Communications & Awareness; Quality Management; Risk Management; Program / Project Management
• Strategic Management: IT Strategy and Planning; Enterprise Architecture; Performance Management; IT Human Capital Management; Service Provider Management; Mergers, Acquisitions & Divestitures; Asset / Portfolio Management
• Security: Security Organization; Operational Security Management; Identity & Access Management; Security Incident Management; Physical Environment Security; IT Security Management
• SDLC: Requirement Development; Development Customization; Validation
• Service Delivery: Availability Management*; Capacity Management*; IT Service Continuity Management; Service Level Management
• Service Support: Change Management*; Release Management*; Configuration Management; Job Scheduling; Incident Management*; Problem Management*; Service Desk

Totals row: 33 30 169 53 42 106 0 0

Legend: * Risk rating as per current IT Risk Tolerance Dashboard. Process Owner to be identified/confirmed. Management Testing: P - Pass, F - Fail, IP - In-Progress, NS - Not Started, NA - Not applicable for 2016. Management Testing implemented as part of Reg SCI Operating Model.

Page 10

Overview of IT Process, Risks and Controls Framework

• The PRC framework defines 6 “Domains” of IT, supported by processes, sub-processes and associated risks and controls
• In alignment with Reg SCI, IT tested Regulation SCI-applicable controls as our initial scope
• Enhanced coverage beyond Regulation SCI to continue through 2018.

6 Domains | 36 Processes | 169 Sub-Processes

Page 11

Business Value and Realized Benefits

Benefits realized from Implementing the IT Compliance Module

Aspect | Before | After
# of Controls Tested per year | Scope regulated by team size and budget | No limit
Frequency of Tests | Defined for each control: Annually / 3 years | Tested multiple times a year / Monthly
Be ahead of regulatory or audit exams | Difficult to align | Scheduled as required
Effort | Manual effort from all stakeholders (weeks / days) | Hours
Sample Size | Limited and varies by control (5%-30%) | 100% in most cases
Evidence Collection and Storage | (not listed) | Standardized approach across IT
Validation Criteria | Effectiveness - Subjective interpretation of controls and the underlying evidence | Effectiveness and Adherence

Future Potential Benefits down the road

Aspect | Before | After
Issue Management | Lacked Transparency | Fully Integrated
Be ahead of regulatory or audit exams | Difficult to align | Self Service (Based on Maturity)
Integration with ERM | (not listed) | Fully Integrated
Integration with PDMS | Manual Effort | Fully Integrated

Page 12

Page 13

© 2018 GRC Summit All Rights Reserved.

Automated Control Testing - High Level Walkthrough

Step 1 – Analyst creates and assigns task for appropriate Test Plan.
Step 2 – MS7 infolet runs to create outbound .csv file for Automation Server
Step 3 – Automation Server picks up .csv file to identify controls to test
Step 4 – Automation Server conducts test for assigned controls
Step 5 – Automation Server creates outbound .csv file for MS7
Step 6 – MS7 picks up and processes inbound file and updates appropriate tasks in MS7
Step 7 – Assessor reviews results of test and provides overall rating for control

[Architecture diagram with steps 1 to 6 marked; components recoverable from the labels: IT Compliance Team; MetricStream M7 on the Cloud; Automation Server, holding the Test Cases / Test Scripts, the Control Testing Test Suite and the Run Time Env.; Evidence Sources across DTCC (SNOW, PPM, SharePoint & other Repositories)]

Page 14

Test Plan – Creation (walkthrough step 1)

Fill in the task-related details.

Page 15

Task triggering (walkthrough step 1)

As per the schedule, the task triggers and appears in My Tasks. Clicking the task opens the Assignment; at this point the Assignment’s control-test fields are blank.

Page 16

Infolet – To generate outbound file (in background) (walkthrough step 2)

The scheduled infolet runs as per its schedule and generates the outbound file in the background.

Page 17

Outbound File Generation (In Background) – Input to Automation Server (walkthrough step 2)

[Screenshots: the outbound file (sample), the MS status log, and the folder structure in SFTP]

The outbound file is generated in the designated SFTP folder with the inbound columns empty.

Page 18

Inbound File Generation (In Background After ACT Testing) – From Automation Server

[Screenshots: the inbound file (sample below), the ACT status log, and the folder structure in SFTP]

Inbound file columns: Test_Execution_ID, Test_Exec_Name, Task_Overview, Related_AOC, Frequency, Due_Date, Test_Item_Id, Test_Item_Name, ByTesting_ID, ByTesting_Item_Name, Questions, QP_Performed, QP_Response, QP_Comments, QP_Attachments, Result_Rating, Design_Effectiveness, Samples_ID, Sample_Description, Sample_Result, Sample_Comments, Sample_Attachment, Task_EvidenceAttachment, Test_Item_EvidenceAttachment, ByTesting_EvidenceAttachment

Sample rows (all three share the task fields Test_Execution_ID TEST-100147; Test_Exec_Name Non-DPA Testing-001; Task_Overview Process: Non-DPA Testing FY2018; Related_AOC Reg SCI Rules; Frequency Annually; Due_Date 04-11-18; Test_Item_Id PROC-0000001001; Test_Item_Name Change Management Process):
• Process-level row: ByTesting_ID null, Questions null, remaining columns null
• ByTesting_ID CTRL-0000001005, ByTesting_Item_Name Scope Management Control: Questions null; Result_Rating Pass; Design_Effectiveness Effective; Samples_ID S-001; Sample_Description Sample for control1; Sample_Result Pass; Sample_Comments Passed; Sample_Attachment 4.docx
• ByTesting_ID CTRL-0000001006, ByTesting_Item_Name FRS Documentation for Change Management: Questions null; Result_Rating Fail; Design_Effectiveness Effective; Samples_ID S-002; Sample_Description Sample for control1; Sample_Result Fail; Sample_Comments Failed; Sample_Attachment 5.docx

In the background, the ACT integration starts testing the controls listed in the outbound file it received and fills in the inbound columns, drawing evidence from sources across DTCC (walkthrough steps 3 to 5). The inbound file, along with its attachments, is placed in the designated folder.
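The outbound-to-inbound exchange described in the walkthrough (steps 2 to 6), as an added example that is not part of the original deck and not DTCC’s or MetricStream’s code. It reuses the column layout of the sample inbound file above; the three change records used as the evidence population, the two test scripts, the extra control ID CTRL-0000009999, the attachment names and the status-log wording are all constructed for illustration. Two points a practitioner would want from an integration like this are built in: the server refuses a file whose columns do not match the agreed layout, and a control with no registered test script is logged and left unrated rather than silently rated Pass, so the assessor in step 7 sees the gap.

```python
# Added example (not DTCC's or MetricStream's code): walkthrough steps 2 to 6
# as a file exchange between MS7 and an automation server, using the column
# layout of the sample inbound file. Evidence, scripts and names are constructed.
import csv
import io

COLUMNS = [
    "Test_Execution_ID", "Test_Exec_Name", "Task_Overview", "Related_AOC",
    "Frequency", "Due_Date", "Test_Item_Id", "Test_Item_Name",
    "ByTesting_ID", "ByTesting_Item_Name", "Questions", "QP_Performed",
    "QP_Response", "QP_Comments", "QP_Attachments", "Result_Rating",
    "Design_Effectiveness", "Samples_ID", "Sample_Description",
    "Sample_Result", "Sample_Comments", "Sample_Attachment",
    "Task_EvidenceAttachment", "Test_Item_EvidenceAttachment",
    "ByTesting_EvidenceAttachment",
]

# Constructed evidence population (stands in for SNOW / PPM / SharePoint data).
# The server tests the whole population, not a sample.
CHANGE_RECORDS = [
    {"id": "CHG-0001", "scope_approved": True, "frs_attached": True},
    {"id": "CHG-0002", "scope_approved": True, "frs_attached": False},
    {"id": "CHG-0003", "scope_approved": True, "frs_attached": True},
]

# Assumed control-to-script mapping: the predicate must hold for every record.
TEST_SCRIPTS = {
    "CTRL-0000001005": ("Change scope approved", lambda r: r["scope_approved"]),
    "CTRL-0000001006": ("FRS attached to change", lambda r: r["frs_attached"]),
}

def outbound_row(control_id: str = "", control_name: str = "") -> dict:
    """One outbound row: task fields filled by MS7, inbound columns left empty."""
    row = dict.fromkeys(COLUMNS, "")
    row.update({"Test_Execution_ID": "TEST-100147", "Frequency": "Annually",
                "Due_Date": "04-11-18", "Test_Item_Id": "PROC-0000001001",
                "Test_Item_Name": "Change Management Process",
                "ByTesting_ID": control_id, "ByTesting_Item_Name": control_name})
    return row

def to_csv(rows: list) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def build_outbound_csv() -> str:
    """Step 2: the file the MS7 infolet drops on SFTP (constructed content)."""
    return to_csv([
        outbound_row(),  # process-level row, nothing to test
        outbound_row("CTRL-0000001005", "Scope Management Control"),
        outbound_row("CTRL-0000001006", "FRS Documentation for Change Management"),
        outbound_row("CTRL-0000009999", "Control without a script (assumed)"),
    ])

def run_automation_server(outbound_csv: str, evidence: list) -> tuple:
    """Steps 3 to 5: test each assigned control; return inbound CSV and status log."""
    rows = list(csv.DictReader(io.StringIO(outbound_csv)))
    got = set(rows[0].keys()) if rows else set()
    if got != set(COLUMNS):  # refuse a file that does not match the agreed layout
        raise ValueError(f"unexpected column layout: {sorted(got ^ set(COLUMNS))}")
    log = []
    sample_no = 0
    for row in rows:
        control = row["ByTesting_ID"]
        if not control:
            continue
        script = TEST_SCRIPTS.get(control)
        if script is None:
            # Fail closed: an untested control is logged, never rated Pass.
            log.append(f"{control}: no test script registered, left for manual testing")
            continue
        description, predicate = script
        failed = [r["id"] for r in evidence if not predicate(r)]
        result = "Fail" if failed else "Pass"
        sample_no += 1
        row.update({
            "QP_Performed": "Yes", "QP_Response": description,
            "Result_Rating": result, "Sample_Result": result,
            "Samples_ID": f"S-{sample_no:03d}",
            "Sample_Description": f"100% of {len(evidence)} change records",
            "Sample_Comments": ("Exceptions: " + ", ".join(failed)) if failed else "No exceptions",
            "Sample_Attachment": f"{control}_population.csv",  # assumed name
        })
        log.append(f"{control}: {result} ({len(failed)} of {len(evidence)} records failed)")
    return to_csv(rows), log

def results_by_control(inbound_csv: str) -> dict:
    """Step 6: the ratings MS7 would load back into each control's task fields."""
    return {r["ByTesting_ID"]: r["Result_Rating"]
            for r in csv.DictReader(io.StringIO(inbound_csv)) if r["ByTesting_ID"]}

if __name__ == "__main__":
    inbound, status_log = run_automation_server(build_outbound_csv(), CHANGE_RECORDS)
    print("\n".join(status_log))
    print(results_by_control(inbound))
```

Running the script prints one status line per control and the ratings MS7 would read back: CTRL-0000001005 passes, CTRL-0000001006 fails because CHG-0002 has no FRS attached, and CTRL-0000009999 comes back with an empty rating plus a log entry. The design effectiveness and the overall process rating are deliberately left untouched; in the walkthrough those remain the assessor’s call in step 7.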

Page 19

Infolet – To process inbound file (walkthrough step 6)

The scheduled infolet starts processing the inbound file and pushes its data into the task assignment.

Page 20

Test Assignment in Application (Summary) (walkthrough step 7)

From the inbound file, data is filled in against each control, sample and task. The overall Process/Asset result rating needs to be determined by the Tester on the basis of the control test results. Note the drop-down values and color-coding as requested in Wave 1.

Page 21

Task View – Single Control Evidence Details (walkthrough step 7)

Evidence is shown as additional information. Note the drop-down values and color-coding.

Page 22

Control Testing Process and Methodology

Guiding Principles
• The IT controls testing process will use a repeatable and sustainable model
• Existing IT Control documentation needs to be maintained for changes in policies or procedures.
• DTCC Process / Control Owners are responsible for sending the Controls Testing Team the population of documents (logs, reports, emails, BRD, etc.) required to complete the control tests. (Eliminated due to Automation)
• DTCC Process / Control Owners are responsible for the accuracy and authenticity of the documents sent to the Testing Team. (Partially eliminated due to Automation)

Methodology
Review Prior PRC Controls Testing → Review & Identify DTCC Policies → Prepare Evidence Request → Identify SMEs and Collect Evidence → Prepare 1st Draft → Review 1st Draft with SMEs → Final IT Control Test Documents

Control Testing process: (Most of the steps below are already completed due to Automation)

• Test design
  1. Locate and review all relevant policies and procedures
  2. Create the test and walkthrough document
  3. Define and document all test attributes
  4. Design a test of each control
• Control effectiveness Testing
  1. Design the comprehensive test document
  2. Design the Comprehensive control check list
  3. Conduct a walkthrough with the control owners and develop a request list
  4. Design the test of control effectiveness and confirm test strategy with control owner
  5. Create evidence request list
  6. Collect, test and document the evidence
  7. Review test results with control owners
  8. Summarize the test results for management review

Page 23

IT Risk Assessment Approach as FLOD (First Line of Defense)

Inherent Risk: The level of risk before action is taken to manage it. (Product of Impact and Likelihood)
Strength of Control: Control activities are the policies and procedures that help ensure management directives are carried out. Ensure actions are taken to address risks to acceptable level.
Residual Risk: The level of risk with all the measures and controls in place.

Alignment: Process, Risk and Control (PRC) Framework & Corporate Risk Policy
Overall FLOD PRC Risk rating based on: Process owner’s ratings and IT PRC Team assessment

[Assessment flow diagram; recoverable labels: Inherent Risk → Control → Residual Risk; inputs Events and Incidents, Management Testing, Policies and Procedures; the IT Process Owner Risk Rating (Process Owner) and the IT PRC Assessment (IT PRC Team) feed the Final assessment, with an MSI Action Plan]

Page 24

Audience Questions and Discussion

Page 25

Thank You
Continue the conversation on #GRCSummit