TRANSCRIPT
Case Study – IT Controls Testing Automation
Steve Lambert, Director, DTCC
© 2018 GRC Summit All Rights Reserved.
Agenda
1. Organization Overview: Vision, Key Facts and Needs
2. GRC Program Governance, Challenges and Community
3. R3: Readiness, Roadmap and Rollout
   • DTCC IT Stars Strategy
   • GRC Program Roadmap and Rollout – IT
   • First Line of Defense and Our Roles as Risk Managers
   • PRC Framework
4. Business Value and Realized Benefits - Before and After
5. Key Learnings and Best Practices
   • DTCC Solution - Automated Control Testing
6. Audience Questions and Discussion
DTCC
With 45 years of experience, DTCC is the premier post-trade market infrastructure for the global financial services industry. From operating facilities, data centers and offices in 16 countries, DTCC, through its subsidiaries, automates, centralizes and standardizes the processing of financial transactions, mitigating risk, increasing transparency and driving efficiency for thousands of broker/dealers, custodian banks and asset managers. Industry owned and governed, the firm simplifies the complexities of clearing, settlement, asset servicing, data management and information services across asset classes, bringing increased security and soundness to financial markets. In 2017, DTCC’s subsidiaries processed securities transactions valued at more than U.S. $1.61 quadrillion. Its depository provides custody and asset servicing for securities issues from 131 countries and territories valued at U.S. $57.4 trillion. DTCC’s Global Trade Repository maintains approximately 40 million open OTC positions per week and processes over one billion messages per month.
Website: http://www.dtcc.com
Headquarters: New York, NY
Year founded: 1973
Company type: Privately Held
Company size: 1,001-5,000 employees
Specialties: Clearing Services, Matching, Settlement & Asset Services, Wealth Management Services, Collateral Management, Derivatives Services, and Data Services
GRC Program Vision

Short Term Vision (Less than a year)
• Rebrand MetricStream and the GRC program
• Understand business needs, technology execution and workflow automation
• Identify convergence opportunities across processes
• Audit, Risk Assessment, Issue Management and Control Testing go-live in MetricStream
• Develop change management and training strategy

Long Term Vision (More than a year)
• Converge GRC functions to a common technology platform
• Develop integrated, executive level dashboards and reporting
• Greater risk management transparency and reduced redundancy
• Build a strong risk culture
• Training implementation

To execute a Governance, Risk and Compliance program that aligns and integrates risk and compliance processes to strategic business priorities for improved risk management, enhanced reporting, and compliance with laws and regulations, enabled by a common technology.
DTCC IT Stars Strategy
Reducing risk for the financial services industry remains our foremost priority, and DTCC IT is committed to strengthening the firm’s robust risk management program by evolving our approach to solution delivery to reflect changes in the market, regulatory and technology environments. In order to address these issues, DTCC IT will focus on building competencies in 5 key strategic capabilities, known as “STARS.”
GRC Program Roadmap and Rollout – IT
(Roadmap figure spanning FY15, FY16, FY17, FY18 and FY19; the layout was lost in extraction. Labels recovered from the slide, grouping lost:)
Phase labels: PHASE 1, PHASE 2
IT PRC Program Governance, Management and Communications of Progress, Organizational Change
IT PRC Initiatives: Workstreams
Infolet Integrations: Data feeds, GRC Intelligence Content Feeds
MetricStream Platform and GRC Foundation: GRC Organization Hierarchy, GRC Library
IT Process Risks and Controls Framework, Risk Reporting, Analytics and Governance
ERM
IT Compliance
IT Control Testing Automation
Risk Assessment and Governance Automation
Risk and Control Coverage
IT Compliance Testing
Manual IT Control Testing
Expand coverage of Controls and Risk Assessments
Regulation SCI Compliance
First Line of Defense and Our Roles as Risk Managers

Second Line of Defense: Compliance, ORM, CSO, Privacy, others
Third Line of Defense: Internal Audit & External Auditors
First Line of Defense: The Business
• Identify and monitor risks and key controls
• Execute action plans to mitigate the risk
• Support control testing
• Fully understand the residual unmitigated risk the business chooses to accept
• Work with 2nd Line to define business risk metrics
• Create standards and policies around risk management and control
• Monitor compliance with those standards and policies
• Performs a mix of risk assessment and control testing techniques
• Tests the design and effectiveness of the internal control framework
• Provides proactive advice on internal risk management
• Promotes a culture of proactive risk management by increasing the business’s control awareness through issue self-identification
PRC Framework Workflow
The IT PRC Program workflow is focused on building out our capabilities across 5 areas in order to create a comprehensive “First Line of Defense” risk view of IT:
Policies & Procedures
Process Risk Assessment
Management Testing
Performance
PRC Framework

Enterprise Policy Repository
§ Change & Release Management Policy
§ DTCC Change & Release Management Procedures
§ Omgeo Change & Release Management Procedures
Metrics - IT Change Quality metric
Q2 2016 IT PRC Dashboard (Draft)

(Dashboard table; the slide's column layout was lost in extraction. Column headings recovered from the slide: Domains & Processes; Reg SCI (Y/N); Risk Family; Process Owner(s); Policies and Procedures (# Policies, # Procedures, Availability, Adequacy); Controls (IT, Non-IT, Design, Effectiveness); Reg SCI Controls (IT, Non-IT, Design, Effectiveness); PRC Metrics; Risk Rating (Inherent Risk, Controls, Residual Risk); Process Owner Risk Rating; Internal Audit Rating; Mgmt. Testing Rating; Events / Incidents; IT PRC Overall Rating; # of Control Improvements; Controls Testing Timeline (Non-Reg SCI / Reg SCI). Only the first four columns can be read reliably from the flattened rows and are reproduced below; the per-process counts, rating symbols and timeline dates could not be attributed to columns and are not reproduced.)

Domain | Process | Reg SCI (Y/N) | Risk Family | Process Owner(s)
Governance | IT Accounting and Oversight | N | Financial |
Governance | IT Financial Management | N | Financial |
Governance | Legal & Regulatory Compliance | Y | Legal & Regulatory Compliance | Erica Cohn
Governance | Policies, Standards & Procedures | Y | General Business Risk | Erica Cohn
Governance | Information & Data Management | Y | Info. Protection & Privacy / IT | Erica Cohn
Governance | Communications & Awareness | N | Information Technology |
Governance | Quality Management | N | Information Technology | Mayra M, Matt M, John Kolis
Governance | Risk Management | N | Processing & Operational / IT |
Governance | Program / Project Management | Y | Information Technology | Thomas Stablein
Strategic Management | IT Strategy and Planning | N | General Business Risk |
Strategic Management | Enterprise Architecture | N | Information Technology |
Strategic Management | Performance Management | N | Information Technology |
Strategic Management | IT Human Capital Management | N | Human Capital / People |
Strategic Management | Service Provider Management | N | IT Risk (Vendor) |
Strategic Management | Mergers, Acquisitions & Divestitures | N | General Business Risk |
Strategic Management | Asset / Portfolio Management | Y | IT Risk (Portfolio / ITAM) | Chris Behney
Security | Security Organization | Y | Info. Security Risk | Robert Moncini
Security | Operational Security Management | Y | Info. Security Risk | Chris Koutras
Security | Identity & Access Management | N | Info. Security Risk | Robert Moncini
Security | Security Incident Management | Y | Info. Security Risk | Robert Moncini
Security | Physical Environment Security | Y | Info. Security (Location & Space) | Steven Carey
Security | IT Security Management | Y | Info. Security Risk | Chris Koutras
SDLC | Requirement Development | Y | Information Technology | Lynn Bishop
SDLC | Development Customization | Y | Information Technology | Lynn Bishop
SDLC | Validation | Y | Information Technology (Validation) | Mayra M, Matt M, John Kolis
Service Delivery | Availability Management* | N | Processing & Operational / IT | Mark Akass
Service Delivery | Capacity Management* | Y | Processing & Operational / IT | Eldad Ganin & Matt Martinez
Service Delivery | IT Service Continuity Management | Y | Business Continuity Risk | David Lafalce
Service Delivery | Service Level Management | N | Processing & Operational / IT | Mark Akass
Service Support | Change Management* | Y | Processing & Operational / IT | Mark Akass
Service Support | Release Management* | Y | Processing & Operational / IT | Mark Akass & John Kolis
Service Support | Configuration Management | N | Processing & Operational / IT | Reves Alex
Service Support | Job Scheduling | N | Processing & Operational / IT | Michael Croucher / Norman Belo
Service Support | Incident Management* | Y | Processing & Operational / IT | Michael Croucher / Norman Belo
Service Support | Problem Management* | Y | Processing & Operational / IT | Mark Akass & Eldad Ganin
Service Support | Service Desk | N | Processing & Operational / IT | Michael Croucher

Totals row as printed on the slide (column assignment lost): 33 30 169 53 42 106 0 0
Legend: * Risk rating as per current IT Risk Tolerance Dashboard; “-” Process Owner to be identified/confirmed; Management Testing: P - Pass, F - Fail, IP - In-Progress, NS - Not Started, NA - Not applicable for 2016.
Management Testing: implemented as part of the Reg SCI Operating Model.
Controls testing timeline dates visible on the slide: 3/25/16 (DTCC) and 7/29/16 (Omgeo); 4/29/16 (DTCC) and 8/19/16 (Omgeo); 06/10/16; 08/30/16; 09/30/16; 12/30/16; several processes are marked “Out of scope for 2016”.
Overview of IT Process, Risks and Controls Framework
• The PRC framework defines 6 “Domains” of IT, supported by processes, sub-processes and associated risks and controls
• In alignment with Reg SCI, IT tested Regulation SCI-applicable controls as our initial scope
• Enhanced coverage beyond Regulation SCI to continue through 2018.
6 Domains, 36 Processes, 169 Sub-Processes
Business Value and Realized Benefits
Benefits realized from implementing the IT Compliance Module

Benefit | Before | After
# of Controls Tested per year | Scope regulated by team size and budget | No limit
Frequency of Tests | Defined for each control: Annually / 3 years | Tested multiple times a year / Monthly
Be ahead of regulatory or audit exams | Difficult to align | Scheduled as required
Effort | Manual effort from all stakeholders (weeks / days) | Hours
Sample Size | Limited and varies by control (5%-30%) | 100% in most cases
Evidence Collection and Storage | | Standardized approach across IT
Validation Criteria | Effectiveness - Subjective interpretation of controls and the underlying evidence | Effectiveness and Adherence

Future Potential Benefits down the road

Benefit | Before | After
Issue Management | Lacked Transparency | Fully Integrated
Be ahead of regulatory or audit exams | Difficult to align | Self Service (Based on Maturity)
Integration with ERM | | Fully Integrated
Integration with PDMS | Manual Effort | Fully Integrated
Automated Control Testing - High Level Walkthrough
Step 1 – Analyst creates and assigns a task for the appropriate Test Plan.
Step 2 – MS7 infolet runs to create an outbound .csv file for the Automation Server.
Step 3 – Automation Server picks up the .csv file to identify the controls to test.
Step 4 – Automation Server conducts the test for the assigned controls.
Step 5 – Automation Server creates an outbound .csv file for MS7.
Step 6 – MS7 picks up and processes the inbound file and updates the appropriate tasks in MS7.
Step 7 – Assessor reviews the results of the test and provides an overall rating for the control.
(Architecture figure; components labelled on the slide: IT Compliance Team; MetricStream M7 on the Cloud; Automation Server with Test Cases / Test Scripts, Control Testing Test Suite and Run Time Env.; Evidence Sources across DTCC: SNOW, PPM, SharePoint & other Repositories.)
Test Plan – Creation
Fill in the task-related details.
Task triggering
As per the schedule, the task triggers and shows up in My Tasks.
After clicking on the task, the Assignment opens.
The Assignment has the control test related fields blank.
Infolet - To generate outbound file (in background)
The scheduled infolet runs as per its schedule to generate the outbound file in the background.
Outbound File Generation (In Background) – Input to Automation Server
The outbound file – sample below (screenshot on slide)
MS status log (screenshot on slide)
Folder structure in SFTP (screenshot on slide)
The outbound file is generated in SFTP with the inbound columns empty; the file is generated in the designated folder.
Inbound File Generation (In Background After ACT Testing) – From Automation Server
The inbound file – sample below (screenshot on slide)
ACT status log (screenshot on slide)
Folder structure in SFTP (screenshot on slide)
Inbound file columns (header row): Test_Execution_ID, Test_Exec_Name, Task_Overview, Related_AOC, Frequency, Due_Date, Test_Item_Id, Test_Item_Name, ByTesting_ID, ByTesting_Item_Name, Questions, QP_Performed, QP_Response, QP_Comments, QP_Attachments, Result_Rating, Design_Effectiveness, Samples_ID, Sample_Description, Sample_Result, Sample_Comments, Sample_Attachment, Task_EvidenceAttachment, Test_Item_EvidenceAttachment, ByTesting_EvidenceAttachment

Sample rows (all three share Test_Execution_ID TEST-100147, Test_Exec_Name Non-DPA Testing-001, Task_Overview “Process: Non-DPA Testing FY2018”, Related_AOC “Reg SCI Rules”, Frequency Annually, Due_Date 04-11-18, Test_Item_Id PROC-0000001001, Test_Item_Name “Change Management Process”):
1. Process-level row: ByTesting_ID null, ByTesting_Item_Name null, Questions null; remaining columns empty
2. ByTesting_ID CTRL-0000001005, ByTesting_Item_Name “Scope Management Control”, Questions null, Result_Rating Pass, Design_Effectiveness Effective, Samples_ID S-001, Sample_Description “Sample for control1”, Sample_Result Pass, Sample_Comments Passed, Sample_Attachment 4.docx
3. ByTesting_ID CTRL-0000001006, ByTesting_Item_Name “FRS Documentation for Change Management”, Questions null, Result_Rating Fail, Design_Effectiveness Effective, Samples_ID S-002, Sample_Description “Sample for control1”, Sample_Result Fail, Sample_Comments Failed, Sample_Attachment 5.docx
In the background, the ACT integration starts testing the controls listed in the outbound file it received, and ACT fills in the inbound columns.
The inbound file, along with the attachments, is placed into the designated folder.
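As an added example (not code from the presentation, MetricStream or DTCC), the following Python builds an inbound file from the column names shown above, with rows constructed to mirror the slide's three records, then validates each control-level row and rolls the results up per process for the assessor's review in Step 7. The consistency checks (a rated control must carry sample evidence, and Sample_Result must agree with Result_Rating) are assumptions about what a reviewer would want flagged, not documented ACT behaviour.

```python
import csv
import io
from collections import defaultdict

# Header columns as on the slide's inbound file; the sample rows are constructed to mirror its three records.
COLUMNS = ("Test_Execution_ID Test_Exec_Name Task_Overview Related_AOC Frequency Due_Date Test_Item_Id "
           "Test_Item_Name ByTesting_ID ByTesting_Item_Name Questions QP_Performed QP_Response QP_Comments "
           "QP_Attachments Result_Rating Design_Effectiveness Samples_ID Sample_Description Sample_Result "
           "Sample_Comments Sample_Attachment Task_EvidenceAttachment Test_Item_EvidenceAttachment ByTesting_EvidenceAttachment").split()

def make_row(**fields):  # one inbound record; columns not supplied stay empty, as in the file
    return {**{c: "" for c in COLUMNS}, **fields}

COMMON = dict(Test_Execution_ID="TEST-100147", Test_Exec_Name="Non-DPA Testing-001",
              Task_Overview="Process: Non-DPA Testing FY2018", Related_AOC="Reg SCI Rules",
              Frequency="Annually", Due_Date="04-11-18", Test_Item_Id="PROC-0000001001",
              Test_Item_Name="Change Management Process")
SAMPLE_ROWS = [  # process-level row first, then one row per tested control
    make_row(**COMMON, ByTesting_ID="null", ByTesting_Item_Name="null", Questions="null"),
    make_row(**COMMON, ByTesting_ID="CTRL-0000001005", ByTesting_Item_Name="Scope Management Control",
             Result_Rating="Pass", Design_Effectiveness="Effective", Samples_ID="S-001",
             Sample_Result="Pass", Sample_Comments="Passed", Sample_Attachment="4.docx"),
    make_row(**COMMON, ByTesting_ID="CTRL-0000001006", ByTesting_Item_Name="FRS Documentation for Change Management",
             Result_Rating="Fail", Design_Effectiveness="Effective", Samples_ID="S-002",
             Sample_Result="Fail", Sample_Comments="Failed", Sample_Attachment="5.docx"),
]

def to_csv(rows):
    """Serialise records in the inbound-file layout: a header line plus one line per record."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def summarize_inbound(csv_text):
    """Check each control-level row and roll results up per process (Test_Item_Id). The overall
    process rating is not set here: per Step 7 the assessor decides it. Checks are assumptions."""
    summary = defaultdict(lambda: {"name": "", "pass": 0, "fail": 0, "problems": []})
    for r in csv.DictReader(io.StringIO(csv_text)):
        proc = summary[r["Test_Item_Id"]]
        proc["name"] = r["Test_Item_Name"]
        ctrl = r["ByTesting_ID"]
        if ctrl in ("", "null"):
            continue  # process-level row: names the process but carries no control result
        rating = r["Result_Rating"]
        if rating not in ("Pass", "Fail"):
            proc["problems"].append(f"{ctrl}: unexpected Result_Rating {rating!r}")
            continue
        if not r["Sample_Attachment"]:
            proc["problems"].append(f"{ctrl}: rated {rating} with no sample evidence attached")
        if r["Sample_Result"] != rating:
            proc["problems"].append(f"{ctrl}: Sample_Result {r['Sample_Result']!r} differs from rating")
        proc["pass" if rating == "Pass" else "fail"] += 1
    return dict(summary)
```

For the slide's sample, the process PROC-0000001001 rolls up to one passed and one failed control with no consistency problems, which is what the assessor sees before assigning the overall rating.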
Infolet - To process inbound file
The scheduled infolet starts processing the inbound file and pushes the data into the task assignment.
Test Assignment in Application (Summary)
From the inbound file, data is filled in against the control, sample and task.
The overall Process/Asset result rating needs to be determined by the tester on the basis of the control test results.
Note the drop-down values and color-coding as requested in Wave 1.
Task View – Single Control Evidence Details
Evidences as additional information
Note the drop-down values and color-coding
Control Testing Process and Methodology
Guiding Principles
• The IT controls testing process will use a repeatable and sustainable model
• Existing IT Control documentation needs to be maintained for changes in policies or procedures.
• DTCC Process / Control Owners are responsible for sending the Controls Testing Team the population of documents (logs, reports, emails, BRD, etc.) required to complete the control tests. (Eliminated due to Automation)
• DTCC Process / Control Owners are responsible for the accuracy and authenticity of the documents sent to the Testing Team. (Partially eliminated due to Automation)
Methodology
Review Prior PRC Controls Testing
Review & Identify DTCC Policies
Prepare Evidence Request
Identify SMEs and Collect Evidence
Prepare 1st Draft
Review 1st Draft with SMEs
Final IT Control Test Documents
Control Testing process: (Most of the steps below are already completed due to Automation)
• Test design
  1. Locate and review all relevant policies and procedures
  2. Create the test and walkthrough document
  3. Define and document all test attributes
  4. Design a test of each control
• Control effectiveness Testing
  1. Design the comprehensive test document
  2. Design the comprehensive control check list
  3. Conduct a walkthrough with the control owners and develop a request list
  4. Design the test of control effectiveness and confirm test strategy with control owner
  5. Create evidence request list
  6. Collect, test and document the evidence
  7. Review test results with control owners
  8. Summarize the test results for management review
IT Risk Assessment Approach as FLOD (First Line of Defense)
Inherent Risk: The level of risk before action is taken to manage it (product of Impact and Likelihood).
Strength of Control: Control activities are the policies and procedures that help ensure management directives are carried out and that actions are taken to address risks to an acceptable level.
Residual Risk: The level of risk with all the measures and controls in place.
Alignment: Process, Risk and Control (PRC) Framework & Corporate Risk Policy
Overall FLOD PRC Risk rating based on: Process owner’s ratings and IT PRC Team assessment
(Assessment flow figure; labels on the slide: Inherent Risk, Control, Residual Risk; Events and Incidents; Management Testing; Policies and Procedures; IT Process Owner Risk Rating; IT PRC Assessment; Final assessment; IT PRC Team; Process Owner; MSI Action Plan.)
Audience Questions and Discussion
Thank You
Continue the conversation on #GRCSummit