Presentation to IIA Seattle Chapter: Data Governance January 2019

The document discusses why companies should implement data governance programs. It covers topics like using frameworks to develop and audit data governance, the core components of data governance programs, and examples of scoping data governance audits. The presentation provides an overview of data governance for an audience of internal auditors.

PRESENTATION TO

IIA SEATTLE CHAPTER


Data Governance
January 2019

Protiviti Perspective provided by Nikhil K., New Delhi

Internal Audit, Risk, Business & Technology Consulting


PRESENTER

Roy Taylor, MBA, CISA


Associate Director, Protiviti
San Francisco
• 20 years in data / analytics space
• Past experience as Director and Program Manager for Data Warehouse and Analytics with Fortune 500 companies
• Conducted numerous Data Governance audits and assessments
• Advises clients on establishing data governance programs

© 2018 Protiviti – Confidential. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.

ABOUT PROTIVITI
Protiviti helps companies around the globe identify, measure, and navigate the risks they face, within their industries and throughout their systems and processes, using proven value-added solutions:

Data Management and Advanced Analytics
• Model Risk Management
• Data Governance, Warehousing and Business Intelligence
• Predictive Modeling and Advanced Analytics

Restructuring and Litigation Services
• Corporate Restructuring and Recovery
• Litigation Consulting

Risk and Compliance
• Credit Risk
• Customer Engagement
• Enterprise Risk Management (ERM)
• Market and Commodity Risk
• Model Risk and Capital Management
• Operational Risk
• Strategy Communications and Change Enablement
• Anti-Money Laundering
• Regulatory Compliance

Business Performance Improvement
• Capital Projects and Contracts
• Finance Optimization Services
• Performance and Information Management
• Revenue Enhancement
• Supply Chain

Technology Consulting
• Security and Privacy
  − Data Security and Privacy Management
  − Incident Response & Forensics Services
  − Digital Identity & Access Management
  − Technical Security Assessment
  − Security Program & Strategy Services
  − Cybersecurity Intelligence Response Center (CIRC)
• Protiviti Software Services
  − Risk Technologies
  − Custom Developed Software
  − Enterprise Content Management
• Enterprise Resource Planning
• Technology, Strategy and Operations
  − IT Governance & Risk Management
  − IT Operations Improvement
  − Program, Portfolio & Project Management (3PM)
  − IT Strategy & Architecture

Internal Audit and Financial Advisory
• Data Mining and Analytics
• Financial Remediation and Reporting Compliance
• Financial Investigations
• Internal Audit
• Fraud Risk Management
• Internal Audit Quality Assurance Reviews
• International Financial Reporting Standards (IFRS)
• IT Audit Services
• SOX and Financial Reporting Controls Compliance

Transaction Services
• Due Diligence
• M&A Integration and Divestiture
• Private Equity Services
• Public Company Transformation

TOPICS TO BE COVERED TODAY

1 Why Implement Data Governance?
2 What Frameworks can be used to Develop and/or Audit a Data Governance Program?
3 What are the Core Components of a Data Governance Program?
4 Review some Examples of Scoping and Approach for Data Governance Audits

TOPICS TO BE COVERED TODAY

1 Why Implement Data Governance?

WHY IMPLEMENT DATA GOVERNANCE?
Business Need | Data Governance Helps With …
To comply with data security and privacy regulations | Policies for data security, sharing of data, identifying where private or sensitive data lives
To make sure we can rely on our data being available | Policies and process for database backups, database configurations, database monitoring, capacity and performance management, applying security patches
To make sure we can easily integrate data – new systems, acquisitions | Development of a flexible data architecture that allows new data sources to be quickly integrated
To ensure that our regulatory reporting is correct | Definition of systems of record, data flows through systems, business rules applied to data, quality control checks
To standardize our reporting | Agreement on common data definitions and business rules
To improve data quality | Creation of data quality scorecards, definition of ‘fit for use’, pushing data quality to the ‘front-line’
To get a better understanding of our Customers or Vendors | Improving completeness and accuracy of customer / vendor records
To make sure data issues are prioritized and addressed | Establishing data ownership and accountability for providing data to the organization
To become a data-driven organization | Prioritizing and funding data projects

WHY IMPLEMENT DATA GOVERNANCE?

Many organizations are proactively focusing on Data Governance and creating teams that explicitly manage data across the enterprise. This provides for better control over data assets, reduces the costs of data management, improves the quality and consistency of data, and drives business value.

REACTIVE
• Everything is an emergency
• Different rules depending on who you talk to
• Recurring issues with quality, timeliness and consistency
• Lack of accountability

PROACTIVE
• Clear processes and procedures for managing data
• Clear communication of priorities
• Clear management and resolution of data issues
• Confidence in the reliability of data
• Clear ownership of data
• Clearly documented and controlled policies and procedures

WHY IMPLEMENT DATA GOVERNANCE?
Risk Management & Regulatory Reporting
Address regulators’ increased focus on data quality and control procedures and on the availability of accurate, timely, and reliable information for reporting.

Regulatory Compliance
Establish the rigorous data standards, policies, and processes that are required by regulators, and ensure accountability for and auditability of data.

Data Privacy & Protection
Enable the identification of all instances of employee and customer data and who has access to sensitive data.

Improved Operational Effectiveness
Reduce the fragmentation within key business processes and the need for manually intensive activities and error-prone data integration processes.

Cost Savings & Avoidance
Lower costs by increasing operational efficiency with business process automation and by eliminating redundancy.

Improved Analytics & Decision Making
Instill greater confidence in reporting and analytics by improving the quality and consistency of data.

Revenue Growth
Develop a broad and deep understanding of existing customers to better target campaigns and offers based on a specific customer's needs.

Partnering & Outsourcing
Enable data to be efficiently and accurately deployed for external use.

Enhanced Customer Service
Increase responsiveness by closing the gap between insights and action.

Mergers & Acquisitions
Establish more efficient processes for migrating and consolidating data after a merger or acquisition.

WHY IMPLEMENT DATA GOVERNANCE?

As data is an enterprise asset, organizations must take an enterprise approach to Data Governance that defines the Roles and Responsibilities, Policies and Processes to control the management of data as a business asset.

❑ Organizations have historically focused on Compliance and Protecting Data; however, there is a growing trend to use Data Governance to realize additional business value from data.
❑ Data Governance is not just an IT responsibility. Business functions should play a large role in defining policies for data management.
❑ Data Governance tends not to focus on cyber security or risks of data breaches as these are usually covered elsewhere.

TOPICS TO BE COVERED TODAY

2 What Frameworks can be used to Develop and/or Audit a Data Governance Program?

Three frameworks we see most often are –

FRAMEWORKS
Data Management Association (DAMA)
DM Book of Knowledge (DMBOK)
https://dama.org
https://dama-ps.org (local chapter)

• Broad reference model
• 8 core areas
• Industry neutral
• Industry and enterprise licenses
• Individual ~ $79
• https://technicspub.com/dmbok/

FRAMEWORKS
Enterprise Data Management Council (EDM)
Data Management Capability Assessment Model (DCAM)
https://edmcouncil.org

• EDM Council founded by Financial Services organizations and vendors
• Oriented to Financial Services regulations and creation of regulatory reports
• Company membership $10,000 - $15,000
• No individual membership
• Limited activity on West coast
FRAMEWORKS
CMMI Institute (ISACA)
Data Management Maturity (DMM)
https://cmmiinstitute.com/data-management-maturity

• Relatively new
• Industry neutral
• Linked to COBIT
• Individual license $100

TOPICS TO BE COVERED TODAY

3 What are the Core Components of a Data Governance Program?

FRAMEWORKS – COMMON ATTRIBUTES

Data Governance

Policies, Processes & Standards
• Policies & Rules
• Processes
• Controls
• Data Standards & Definitions
• Metadata, Taxonomy, Cataloging, and Classification

Measurement & Monitoring
• Statistics and Analysis
• Tracking of progress
• Monitoring of issues
• Continuous Improvement
• Score-carding

Organization
• Operating Model
• Decision Makers & Escalation Points
• Data Governance Organization Members
• Roles and Responsibilities
• Data Ownership & Accountability

Technology
• Data Quality & Lineage Tools
• Data Mastering & Sharing
• Data Architecture & Security
• Stewardship Workflows
• Business Glossary & Metadata Repository

Strategy
• Vision & Mission
• Objectives & Goals
• Alignment with Corporate Objectives
• Alignment with Business Strategy
• Guiding Principles

Communication
• Communication Plan
• Mass Communication
• Individual Updates
• Mechanisms
• Training Strategy

Change Management
• Business Impact & Readiness
• IT Operations & readiness
• Training & Awareness
• Stakeholder management & Communication
• Defining Ownership & Accountability

DATA GOVERNANCE STRATEGY
The organization should have a defined organizational model for the Data Governance function. The model could take various forms including –
− A formal (centralized) organization led by a Chief Data Officer (CDO)
− A de-centralized model whereby responsibilities are absorbed into existing functions

Key aspects of the model should include –
• A Data Governance Charter – defining the scope of authority for the DG function
• Defined roles and responsibilities for both IT and Business resources
• A funding model – either its own funding or a ‘tax’ on projects
• A mechanism to develop and approve DG processes, including:
  − Prioritize data management initiatives, and ensure these are aligned with business priorities
  − Review and approve data management policies
  − Review and approve the data management architecture
  − Monitor compliance with data management policies
  − Monitor compliance with regulatory requirements
• A communication plan to promote data management standards and policies

DATA STEWARDS
The roles and responsibilities of Business Data Stewards can be split among three major involvement areas:

Overall Business Alignment and Representation
• Act as a Data Governance champion for a particular business area or function, such as ‘New Accounts’ or ‘Customer Service’
• Responsible for understanding all established Data Governance policies, standards, and procedures, and confirm business users’ understanding and adherence to these policies.
• Provide a clear line of communication to the Enterprise Data Governance function for the alerting and escalating of issues.
• Work to identify and define important business terms, and provide input for business requirements that affect data quality standards and overall usage

Data Life-Cycle Management
• Help establish priorities within business functions and continuously review requirements as part of new work requests or established work streams
• Define the data, manage metadata, and communicate new business data definitions and approved data usage standards to Enterprise Data Governance
• Take ownership and responsibility of metrics and monitoring overall compliance of data conforming to the established measures
• Make recommendations on how data quality can be improved and protected as a result of any root cause analysis following any conflict resolution that has been escalated.
• Understand and assess any enterprise impacts to data change by participating in stewardship committees organized around new data and project initiatives

Data Quality and Risks
• Establish acceptable levels of data quality that can be measured
• Understand all data use cases for critical data elements and be included in actions or decisions for new planned data usage scenarios.
• Define improvement opportunities as a result of reviewing data quality metrics and analysis of root causes for any data falling below acceptable levels
• Support new business cases for improvement projects for improving data quality

DATA GOVERNANCE STRATEGY – KEY RISKS
Data Stewardship
• Defined data stewardship roles and responsibilities do not exist, resulting in a lack of accountability and coordination across the organization as well as poorly defined and controlled data.

Data Governance and Stewardship Organizations
• Appropriate data governance roles and responsibilities do not exist to support the strategic alignment between the data management function and the business as a whole.

Data Strategy
• A formal data strategy has not been defined, resulting in an ineffective data management program that does not align with business strategy or support the achievement of business objectives.

Data Policies, Standards and Procedures
• Data policies, standards and procedures are not formally defined or communicated to the organization, resulting in ad-hoc, inconsistently applied data management practices which negatively impact data definition, data collection, data maintenance, data use, and data security processes.

Data Architecture
• A defined enterprise data model does not exist, does not take into account business requirements, or is not approved, resulting in data architecture that is not suitable to meet the needs of the organization.

Regulatory Compliance
• Non-compliance incidents are not identified or corrected, adversely impacting the organization’s performance and reputation.

Issue Management
• Data related issues are not identified and resolved in a timely manner, resulting in poor data quality, regulatory non-compliance, or reliance on incorrect information to make business decisions.

Project Management
• Data management projects are not appropriately managed, resulting in a lack of project prioritization, potential misallocation of funds, and sub-optimal decision making.

Data Management Services
• Organizational data management service expectations are not formally defined in a service level agreement, resulting in the organization’s data needs not being met.

Communication and Promotion
• Stakeholders are unaware of data management responsibilities, resulting in noncompliance with organizational data standards and external regulations.

DATA ARCHITECTURE
The organization should have a documented data architecture strategy that includes -
• The principles and design patterns to be used for data management
  − How data will be shared and integrated between systems
    • Will each system have its own physical copy of data
    • How will data be shared and synchronized across systems (to maintain data integrity)
  − Standards for development
• What platforms and technologies will be used to manage data?
• What are the core data subject areas and how are these related? e.g.
    • Customers
    • Vendors
    • Sales
    • Inventory
  − And defines these data concepts e.g. how do we define a customer?

DATA ARCHITECTURE – KEY RISKS

Understanding Enterprise Information Needs
• Enterprise information needs are not understood, resulting in inadequate information for business functions, inconsistency between information requirements and application development, and inefficient planning of IT-enabled investment programs.

Develop and Maintain the Enterprise Data Model
• Enterprise Data model is not consistent with IT plans, rigidity of models, security-cost-effectiveness issues and non-upgradation of models.
• Without business involvement and design reviews, data models will be inaccurate and inconsistent and will not support business needs
• Without change management controls, data models will not accurately reflect changing business requirements

Define and Maintain the Database Technology Architecture
• Without defining and maintaining database architecture, data standards for all data systems and integration are not possible.

Define and Maintain the Data Integration Architecture
• Data Management is inconsistent and criteria are not well-defined leading to distorted information, unreliable external reports and data integrity errors and incidents.

Understand Data Technology Requirements
• Data technology requirements are not understood, resulting in the implementation of suboptimal solutions to business problems.

DATABASE MANAGEMENT
Database management is the set of activities designed to ensure the integrity of the database, manage the availability of data and optimize performance of the database environments. This is typically achieved by:

• Conducting performance monitoring, error reporting and performance tuning
• Implementing backup and recovery mechanisms
• Implementing redundancy and failover in the database environment (e.g. through clustering)
• Implementing an archiving mechanism
• Implementing a controlled process for changes to the database environment
• Applying upgrades and patches to maintain the database environment at a supported level
• Tracking issues and reporting/tracking issues logged with vendors
• Maintaining an inventory and tracking usage of technology licenses

❑ Review of this area may already be covered as part of other IT audits.

DATA BASE MANAGEMENT – KEY RISKS

Implement and Control Database Environments
• The organization may not have the database systems it needs to effectively support the current and future information requirements of the business in an efficient, cost-effective and well-controlled fashion

Backup and Recover Data
• Data availability is compromised by a lack of adequate backup and restoration procedures and technologies.

Set Database Performance Service Levels
• Database performance expectations are not formally defined in a service level agreement, resulting in a lack of data availability and application performance

Monitor and Tune Database Performance
• Database performance issues are not identified and addressed, resulting in data not being available to the business.

Archive, Retain and Purge Data
• A data retention plan is not formally defined and followed, resulting in data that is unavailable to address operational and compliance needs or performance issues arising from data being retained beyond its useful life.

Inventory and Track Data Technology Licenses
• The organization is not in compliance with licensing agreements, resulting in fines and reputational damage.

DATA SECURITY MANAGEMENT
Effective data security policies and procedures ensure that the right people can use and update data in the right way, by complying with the regulatory, privacy and confidentiality needs of all stakeholders. This is typically achieved by:

• Defining a data security policy based on regulatory and internal requirements
• Defining standards such as data encryption, data transmission, remote access and password standards
• Classifying information confidentiality
• Defining a process to request, track and approve initial authorizations and subsequent changes
• Establishing a mechanism to grant access to databases (such as group memberships)
• Monitoring user authentication and access behavior

Review of this area may already be covered as part of other IT or SOX Audits, however validate if the following are covered –
❑ Approvals for access by Database Administrators (DBA)
❑ Monitoring of changes to data made by DBAs. All changes are logged, but DBAs have privileges to delete / manipulate the logs!
❑ Analytics environments – access is often given to all data
❑ Data in staging and test environments (if this is copied from production)

DATA BASE MANAGEMENT – KEY RISKS
Understand Data Security Needs and Regulatory Requirements
• Data security needs and requirements do not map to the company’s short term or long term goals or address regulatory requirements. This may lead to compliance, reputational or financial impact.

Define Data Security Policy
• Absence of a data security policy may lead to employees being unaware of privacy policies and procedures which may lead to exposure of sensitive data

Define Data Security Standards
• Data Security standards are not aligned with local or national privacy laws and the company’s policies that may lead to compliance and financial impacts.

Define Data Security Controls and Procedures
• Security controls and procedures do not address company policies or compliance obligations which may lead to financial and compliance related impacts.

Manage Users, Passwords and Group Memberships
• Inappropriate user management procedures may lead to unauthorized access to functions and individuals, which may lead to financial, compliance related impacts.

Manage Data Access Views and Permissions
• Access to sensitive data is not appropriately managed, resulting in the exposure of sensitive information to unauthorized parties that may lead to financial and compliance related impacts.

Monitor User Authentication and Access Behavior
• Inappropriate access and misuse of information assets goes undetected resulting in negative compliance, reputational, and financial impacts.

Classify Information Confidentiality
• Information is not adequately classified resulting in inappropriate access to confidential information that may lead to financial or compliance related impacts.

Audit Data Security
• Improvements and/or vulnerabilities are not identified resulting in process weaknesses and business requirements not being met. This may lead to financial or compliance related impacts.

DATA QUALITY MANAGEMENT
Data Quality Management is a critical process that involves more than just correcting data. Pro-active DQM involves defining data quality metrics and a cycle of continuous monitoring and improvement. This is typically achieved by:

• Defining responsibility for data quality with Data Stewards
• Defining measurement of data quality (fit for use)
• Profiling data and establishing a data quality baseline
• Defining a process to prioritize and correct data quality defects
• Publishing data quality scorecards
• Training / feedback to the front-line to drive data quality improvements

❑ Data Owners are ‘service-providers’ who are responsible to provide data to the organization; as such, they need to understand the users of data and their data quality requirements
❑ Data corrections should be made in the source system and not ‘fixed’ downstream
❑ Improvements in data quality require establishing a shared culture where all levels of the organization understand the downstream impacts of poor data quality

DATA QUALITY MEASUREMENT
Not all data needs to be 100% correct. Requirements for data quality should be defined within the
context of “fit for use”. Data quality can be measured against a number of dimensions; not all dimensions
will apply to each data element.

Accuracy: The degree to which data correctly represents the “real life” entities. Usually measured by comparison to a known correct value, or against dynamically computed values.
Completeness: The degree to which a data record contains all required values.
Consistency: The degree to which the same data values exist across different data records or databases (also known as referential integrity).
Currency: The degree to which data is up to date.
Precision: The degree to which a data value has the correct level of detail.
Reasonableness: A measure of the consistency expectations of the data.
Timeliness: A measure of the availability of data based on service levels.
Uniqueness: The degree to which data elements that should only exist once within a dataset have not been duplicated.
Validity: Refers to whether a data value conforms to its data type, format pattern or lies within a known valid range of values.
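
A minimal profiling pass over four of the dimensions above, added here as an example and not part of the original presentation: it scores constructed records on completeness, uniqueness, validity and currency, lists the defective records, and compares each score to a fit-for-use threshold. The record layout, the country code set, the e-mail pattern and the thresholds are all assumptions.

```python
import re
from datetime import date

# Constructed sample records (illustrative only, not from the presentation).
# id should be unique; email and country must be present and well-formed.
RECORDS = [
    {"id": "C001", "email": "ana@example.com", "country": "US", "updated": date(2019, 1, 10)},
    {"id": "C002", "email": "",                "country": "US", "updated": date(2018, 12, 1)},
    {"id": "C003", "email": "bob@example",     "country": "ZZ", "updated": date(2017, 6, 30)},
    {"id": "C001", "email": "ana@example.com", "country": "US", "updated": date(2019, 1, 10)},
    {"id": "C004", "email": "li@example.org",  "country": "CA", "updated": date(2019, 1, 2)},
]

REQUIRED = ("id", "email", "country")
VALID_COUNTRIES = {"US", "CA", "GB"}   # assumed reference data (valid codes)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # assumed format rule
DIMENSIONS = ("completeness", "uniqueness", "validity", "currency")


def failed_dimensions(rec, seen_ids, as_of, max_age_days):
    """Return the set of quality dimensions that one record fails."""
    failed = set()
    if not all(rec.get(f) for f in REQUIRED):
        failed.add("completeness")          # a required value is missing
    if rec.get("id") in seen_ids:
        failed.add("uniqueness")            # key already seen in the dataset
    if not (EMAIL_RE.match(rec.get("email") or "")
            and rec.get("country") in VALID_COUNTRIES):
        failed.add("validity")              # bad format or code outside the set
    if (as_of - rec["updated"]).days > max_age_days:
        failed.add("currency")              # not refreshed recently enough
    return failed


def profile(records, as_of, max_age_days=365):
    """Score each dimension as the share of passing records; list defects."""
    seen, defects = set(), []
    fails = dict.fromkeys(DIMENSIONS, 0)
    for idx, rec in enumerate(records):
        failed = failed_dimensions(rec, seen, as_of, max_age_days)
        seen.add(rec.get("id"))
        for dim in failed:
            fails[dim] += 1
        if failed:
            defects.append((idx, sorted(failed)))
    n = len(records)
    scores = {dim: (n - fails[dim]) / n for dim in DIMENSIONS}
    return scores, defects


def below_threshold(scores, thresholds):
    """Dimensions whose score is under its fit-for-use threshold."""
    return sorted(d for d, t in thresholds.items() if scores[d] < t)


if __name__ == "__main__":
    scores, defects = profile(RECORDS, as_of=date(2019, 1, 31))
    # Assumed thresholds: only the key must be perfect for this use.
    limits = {"completeness": 0.8, "uniqueness": 1.0, "validity": 0.9, "currency": 0.75}
    print(scores, defects, below_threshold(scores, limits))
```

The defect list gives the record positions a steward would correct in the source system, and the threshold comparison is the input to a scorecard.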

DATA QUALITY – KEY RISKS

Develop and Promote Quality Awareness • Necessary stake-holders in the organization are not made aware of data quality needs and in turn do not buy-in to or support the organization’s Data Quality Management program.
Define Data Quality Requirements, Metrics and Business Rules • Data quality requirements, metrics, and business rules are not well defined, resulting in the collection of data that does not align with business objectives and requirements or is unsuitable for use in the business processes for which the data was collected.
Set and Evaluate Data Quality Service Levels • Organizational data quality expectations are not formally defined in a service level agreement, resulting in inadequate data quality issue identification and remediation.
Continuously Measure and Monitor Data Quality • Data quality is not consistently measured and monitored, resulting in the use of data that does not meet established business requirements and is not fit for use.
Manage Data Quality Issues • A mechanism for recording and tracking data quality incidents does not exist, resulting in ineffective processes to research and resolve data quality incidents.
Clean and Correct Data Quality Defects • A process does not exist to correct acute data quality issues and their corresponding root causes, resulting in reoccurring data quality issues and the use of poor quality data.
Design and Implement Operational DQM Procedures • A consistent operational approach to data quality management does not exist or is not formally defined, resulting in unrepeatable data quality management processes.
Monitor Operational DQM Procedures and Performance • Operational data quality management processes are not monitored and measured, resulting in suboptimal performance of data quality management processes.

REFERENCE AND MASTER DATA MANAGEMENT
Master Data Management refers to the process of establishing an authoritative source for
business entities such as customers, products or vendors (also known as a golden record
or system of record). Reference Data Management refers to the definition of valid data
values (or codes). Once defined, both master and reference data are made available for
shared use across the organization. This is typically achieved by:
• Identifying data sources and contributors (lineage)
• Developing a data integration architecture
• Implementing a process to define and maintain match rules to identify identical entities and standards
to determine whether to merge or link records
• Defining a process to manage and maintain hierarchies and affiliations
• Publishing and distributing reference and master data
• Defining a process to manage changes to reference and master data

❑ As reference and master data are shared across the organization, it can be challenging to determine
which individuals are accountable. Program steering committees and data governance councils must
make decisions collaboratively.

REFERENCE AND MASTER DATA – KEY RISKS

Understand Reference and Master Data Needs • Reference and Master Data integration needs are not understood, resulting in inconsistent, duplicate, or low quality data being used across the organization.
Identify Master and Reference Data Sources and Contributors • Upstream data sources and downstream data needs are not considered, resulting in duplicate or inconsistent data being used.
Define and Maintain the Data Integration Architecture • Local reference and master data management occurs in application silos, resulting in redundant and inconsistent data.
Define and Maintain Match Rules • Data matching rules are not appropriately defined, resulting in incorrect and inconsistent data.
Establish Golden Records • Half-hearted maintenance of reference data degrades quality of business data and results in misleading reports. Since each reference data set is a value domain with distinct values, there is a high risk of being unable to maintain those different values.
Define and Maintain Hierarchies and Affiliations • Important hierarchy and affiliation data may be overlooked if proper vocabularies and their associated data sets are not properly established and maintained between master data records. This may also lead to unauthorized vendors having access to data that they should otherwise not have access to.
Replicate and Distribute Reference and Master Data • Data is not properly replicated, resulting in the degradation of referential integrity.
Manage Changes to Reference and Master Data • Unauthorized or incorrect changes are made to reference and master data.

DATA WAREHOUSE AND BUSINESS INTELLIGENCE
A Data Warehouse consists of the technical architecture and the set of processes to
extract, cleanse, transform and store data from a variety of data sources to provide an
integrated decision support database. Business Intelligence refers to the tools and
processes used to query and access data and provide reporting and analytics to support
decision making. Implementation of the DW/BI environment is typically achieved by:
• Developing an overall BI/DW strategy and roadmap based on business intelligence needs (avoiding
multiple versions of the truth and shadow IT systems)
• Defining a process for demand management and prioritization of business intelligence needs
• Selecting and implementing DW and BI tools and technologies
• Developing standards for data warehouse development, including processes to extract, cleanse,
transform and load data into the data warehouse.
• Standardization of reports, and preventing report proliferation
• Developing guidelines for the ‘fair use’ of data

❑ Traditional DW and BI environments are usually well-governed; however, emerging analytics environments used for ‘big data’ (also known as data lakes) are often loosely managed
❑ Business areas may develop their own reporting environments that are not subject to IT Governance
for change controls, backups etc.

BI AND DW – KEY RISKS

Understand Business Intelligence Needs • Lack of a BI strategy restricts the company from developing an appropriate framework, methodology, processes, governance, systems, and technology to deliver value that aligns with the business objectives and priorities.
Define and Maintain the DW/BI Architecture • Data Warehousing and Business Intelligence Management architecture is not sufficient to meet the business’s Business Intelligence needs.
Implement BI Tools and User Interfaces • Business Intelligence tools are not sufficient to provide the reporting functionality required by the business.
Process Data for Business Intelligence • Data is not properly processed, resulting in inefficient storage of data and data that is not fit for business intelligence use.
Monitor and Tune Data Warehouse Processes • Inefficiencies and errors are not identified, resulting in sub-optimal Business Intelligence performance and data quality.
Monitor and Tune BI Activity and Performance • BI performance is not effectively monitored, resulting in DW-BIM activities that do not meet the needs of end-users.
Unreasonable use of Data for Business Purposes • Lack of ‘data contracts’ may result in use of data that may attract negative publicity and result in reputational risk.
Reporting Requirements are Not Addressed when Implementing New Systems • Projects do not adequately address reporting needs or leave these to ‘business users’ to develop themselves, resulting in inadequate reporting and/or reliance on manual spreadsheet-based solutions.

METADATA MANAGEMENT
Metadata management is the set of processes to ensure the capture, storage and use of
‘data about the data’ including business rules, data definitions, lineage and data flows.
Metadata is often categorized as business, technical, operational or data-stewardship
metadata. Establishing Metadata Management is typically achieved by:
• Business Metadata
    • Defining agreed upon terminology and business rules for data elements
    • Defining data classifications
    • Publishing business metadata
• Technical Metadata
    • Capturing flow of data through systems (data lineage)
    • Capturing database metadata (field types and sizes)
• Acquiring Tools to support management of metadata

❑ Data stewards take the lead in defining business metadata but need to facilitate discussions across
the enterprise.

METADATA MANAGEMENT – KEY RISKS

Understand Metadata Requirements • Lack of understanding, no well-defined scope, lack of education to users, no clear delineation for business and technical users, no data governance organization, lack of confidence among business users, lack of flow for technical users.
Define the Metadata Architecture • Information can be extracted from very limited sources, architecture design doesn’t support needs of the organization, semantic integration, manual updates are not supported, lack of a single access point.
Develop and Maintain Metadata Standards • Incorrect identification of standards, relevant rules are not specified and metadata elements are not grouped under the correct schemes.
Implement a Managed Metadata Environment • No pilot conducted to evaluate the environment, scope and strategy haven’t been defined appropriately and required integrations are not in place.
Create and Maintain Metadata • Metadata is not appropriately maintained, resulting in low quality, inconsistent metadata that cannot be relied upon.
Integrate Metadata • Metadata is not integrated effectively resulting in inconsistent, low quality metadata.
Manage Metadata Repositories • Metadata repositories are not appropriately managed resulting in data quality and availability issues.
Distribute and Deliver Metadata • Metadata is not effectively distributed and delivered, resulting in unavailable information or data disclosure to unauthorized users.
Query, Report and Analyze Metadata • Missing benefits of impact analysis and the implied productivity improvements, data security risks.

TOPICS TO BE COVERED TODAY

4. Review some Examples of Scoping for Data Governance Audits

DATA GOVERNANCE AUDIT
• Refer to previous slides for key risks

• Does your organization have a defined Data Governance function?
• If so, review the charter and compare to a reference framework
• If not, you can likely find pockets of ‘grass-roots’ activities
• For your first DG Audit you might conduct a broad risk assessment and identify areas for further investigation

CREATION OF REGULATORY REPORTS
Scope: End-to-end audit of process to create regulatory reports
Data Governance Strategy
• Who owns the overall process? Is the process documented?
• Are roles and responsibilities in each step of the process defined?
• Are the appropriate data owners and subject matter experts involved?
• Is adequate funding provided to develop a robust solution?

Data Architecture
• What data sources should be used? Who decided this?
• Do we have all the required data? What data gaps exist?
• Are any non-standard technologies used within the process?
• Does the development process follow established IT standards (e.g. change controls)?

Database Management
• Is the infrastructure reliable? Are database versions up to date?
• Can data be recovered (backups)?
• Are service-level agreements in place for key infrastructure components?

Data Security
• Who has access to change / manipulate the data? How is this controlled?

Data Quality
• Is data quality measured? Is the data fit for use?
• How are data defects identified? How are data defects corrected?
• Are we using any 3rd party data? How is this validated?
• How is data quality controlled in manual steps (Excel)?

Reference and Master Data
• How is data from different sources standardized?

DW / BI
• Are key data elements identified and defined?
• How are business rules defined and documented?
• How are reports validated / reconciled? Who signs off on reports?

Metadata Management
• How does data flow through systems (data lineage), is this documented?
• Are all data definitions and business rules documented?
• Are our data definitions consistent with regulatory requirements?
IT DATA MANAGEMENT AUDIT
Scope: Audit of IT Data Management and Database Operations
Data Governance Strategy
• Are roles and responsibilities defined for data management functions?
• Are policies defined for data management functions such as patch management, capacity planning, performance monitoring, and backups?

Data Architecture
• Are standard technologies and configurations defined and documented?

Database Management
• Are standard operating processes defined for data management functions such as patch management, capacity planning, performance monitoring, and backups?
• Are database performance issues detected via pro-active monitoring?
• How are issues prioritized and assigned for resolution?
• Are service levels established for database availability?
• Are data models consistent in naming standards and field types?

Data Security
• How is access granted for database administrators?
• Have default passwords been disabled or changed?
• How are DBA activities monitored?
• Are database security patches current?

Data Quality

Reference and Master Data

DW / BI

Metadata Management
• Is technical metadata documented?
• Are data models documented?

TOPICS WE COVERED TODAY

1. Why Implement Data Governance?
2. What Frameworks can be used to Develop and/or Audit a Data Governance Program?
3. What are the Core Components of a Data Governance Program?
4. Review some Examples of Scoping and Approach for Data Governance Audits

Questions?
Thank You!!!!
