Automated Business Controls
ISACA – Charlotte, NC, December 3, 2013
Mag Francois, CISA, CISM, CRISC, VP, Senior Audit Manager – Strategy and Operations
© 2013 Wells Fargo Bank, N.A. All rights reserved. Internal use only. Version 1.0.

Technology Changing Lives: Yesterday, Today, Tomorrow

Business Operations - Yesterday
Simple process of fee refund:
1. Customer calls and disputes a fee.
2. Agent documents it and requests a fee refund decision.
3. Manager approves the refund and a check is processed.
4. Check is mailed and delivered to the customer.

Business Operations - Today
Simple process of fee refund:
1. Customer calls and disputes a fee, or the customer disputes a fee online.
2. Agent enters it in the system, or the dispute is sent to the system in real time.
3. System #1 calculates the fee refund.
4. System #1 sends data to System #2 via batch job.
5. System #2 approves or denies the fee.
6. Customer verifies the fee refund online.

Technology Risk vs. Operational Risk
"Technology Risk is a Business Risk – specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. [...] Due to IT's importance to the overall business, IT risk should be treated like other key business risks. [...] IT-related risk is considered to be a component of operational risk, eg: Basel II requirements." – ISACA, RISK IT FRAMEWORK
"Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people or system." – WELLS FARGO

Manual vs. Automated Controls

What is a business control?
Control - A control is a required check within a business process. It ensures that the risks inherent within the process, and those posed by process design and execution, are adequately mitigated either by prevention, detection or correction.

What is a Manual Control?
Manual control - A control performed by a person without making direct use of automated systems.
EXAMPLE: The performance of a Quality Assurance review. The reviewer evaluates the process and related requirements in order to confirm that the entire process was executed correctly.

What is an Automated Control?
Automated control - A control performed by an automated system, without interference of a person.
EXAMPLE: Point of Sale credit limit check at a retail store.
Step 1. Customer swipes their credit card at the register.
Step 2. The retail Point of Sale (POS) terminal communicates with the Credit Card Issuer to verify the credit limit and the amount of available credit.
Step 3. If the transaction is within the credit limit, the system approves the transaction. If the transaction is above the credit limit, the system declines the transaction.

What is a Semi-Automated Control?
Semi-automated - A combination of both automated and manual controls is necessary to adequately mitigate the risk. Usually, the manual part is dependent on the automated part.
EXAMPLE: The security screening at an airport.
Step 1. The automated control: The screening booth creates an image and recognizes abnormalities.
Step 2. The manual control: The security agent evaluates the automated results and determines if additional screening must be performed to eliminate unknown risk related to the abnormalities.

Automated Business Controls – Value
• Accuracy
• Efficiency
• Timeliness
• Security
• Priceless

Automated Control Failures

Automated Business Controls: Scenario #1
By Leo King | Computerworld UK | Published 05:00, 29 June 11
JP Morgan systems failed to highlight suspicious Madoff trades, says £12bn lawsuit

JP Morgan Chase's advanced trading systems failed to highlight problems around transactions by fraudster Bernard Madoff before his conviction, according to a major lawsuit. The $19 billion (£11.9 billion) claim, brought by victims' trustee Irving Picard, is an expanded version of an existing court action and more than triples the original amount being sought.
It includes extra evidence, including from experts at another bank who questioned transactions with Madoff's JP Morgan Chase account.

Unusual activity in the Madoff account at JP Morgan Chase "should have triggered [its] automated account monitoring system", the lawsuit states.

JP Morgan has said that it complied with the law and was not aware of the fraud, stating the lawsuit was "meritless" and "based on distortions of both the relevant facts and the governing law".

JP Morgan Chase's transaction monitoring system "failed to issue alerts even when analyzing highly suspicious activities with respect to Madoff" and his former company Bernard L Madoff Investment Securities, the suit says.

The system "almost never issued alerts", states the lawsuit, prompting "compliance personnel" at the bank to question after Madoff's arrest why this had not happened.

In March 2008, some $1.1 billion (£687 million) in transactions took place on the account, described by the lawsuit as particularly "high".

"Remarkably, [JP Morgan Chase's] transaction monitoring system noted the unusual activity but did not consider it unusual enough to warrant an alert," it said. "No alert was analyzed in March 2008."

Automated Business Controls: Scenario #2
Walmart has said that it has resolved an issue that was causing an online frenzy among shoppers.

An apparent glitch on the company's website early this morning led to $8.85 listings for items that included computer monitors and projectors normally worth hundreds of dollars.

The country's largest retailer was selling a 24-inch high-definition Viewsonic computer monitor, an InFocus IN2124 Projector digital projectors and other products, many for $8.85. The projector is listed for $578.89 on Walmart.com and $579.99 on Newegg.com.

As customers shared the deals on social media sites like Instagram, wondering if the site was hacked, products sold out in just hours.

Customers expressed outrage on Walmart's Facebook page.
"I will gladly pay an extra dollar or 2 for something to avoid stepping foot or spending a dime in your stores," one Facebook user wrote. "Including SAMs. Membership cancelled."

From a public relations standpoint and in the interest of customer good will, a firm will sometimes take the loss, but that typically involves relatively inexpensive items, he said. "However, to be clear, it's the company's decision," Marks said.

Companies can get into trouble with authorities if they purposefully post an incorrect price to "bait" customers to shop and then "switch" them to a more expensive alternative, Marks said. "Again, this is something authorities would determine based on a pattern of behavior rather than a single incident," he explained.

Automated Business Controls: Scenario #3
Two Walmart stores in Louisiana will have to foot most of the bill after a computer glitch caused spending limits on food stamp cards to be temporarily removed on Saturday.

The Electronic Benefits Transfer system went down when a backup generator at Xerox failed during a regularly scheduled test, ABC News reports. Xerox is a vendor for the EBT program.

Police reported people checking out at stores in Mansfield and Springhill, La. using EBT cards with 8-10 full carts in some cases, and more than $700 worth of groceries. Customers reportedly flocked to the stores and jammed checkout lines.

Springhill Police Chief Will Lynd told ABC it was worse than anything he'd ever seen: "It was definitely worse than Black Friday...There was no food left on any of the shelves, and no meat left. The grocery part of Walmart was totally decimated."

But ABC reports that despite the failure at Xerox, Walmart will be forced to deal with what could be a sizable bill.

A Louisiana Department of Children and Family Services spokesman explained that the emergency procedure in Louisiana is to limit all EBT cardholders to $50 spending limits in the case of an emergency.
Retailers who choose not to limit customers are responsible for amounts spent beyond eligible benefit balances.

MSN reported both Xerox and Walmart tried to place blame for the incident on each other on Monday. Walmart pointed to Xerox's power outage as the source of the problem, while Xerox said Walmart failed to use the "documented process for retailers like Walmart to follow in response to EBT outages."

But Louisiana officials insisted that they would not be left to remedy the situation. "The outage was the result of failures by our contractor, Xerox," said Trey Williams, a spokesman for the Louisiana Department of Children and Family Services. He said any businesses that chose not to follow emergency procedures "are only being reimbursed for the (maximum) amounts on individual cards."

The error at Xerox Corp. caused the EBT system to go down in 17 states. In some states, including Maine, Maryland and Florida, retailers chose to just turn away EBT users for the duration of the problem, according to The Advocate.

Automated Business Controls: Scenario #4
Washington (CNN) -- A moment of truth approaches for President Barack Obama's signature health care reforms with Saturday's self-imposed deadline to get the website to work properly for most users.

Obama and officials in charge of HealthCare.gov say the "vast majority" of people who go to the website to sign up at the end of the month will have a much improved experience than the crashes, error messages and delays users faced when it launched October 1.

However, problems continue to plague the system, and technology experts question if the fixes being deployed by a team of government workers, outside contractors and specialists can get it functioning smoothly as soon as Saturday.

Luke Chung, president of Virginia-based software developer FMS Inc., called the administration's prediction that HealthCare.gov would work at 80% capacity on or around November 30 an impractical threshold in the software world.
"I don't know how to build something that's only 80% complete," Chung told CNN. "I don't even understand how that works."

The website woes raised questions about the viability and security of the system, and opened the reforms known as Obamacare to fresh attacks by conservative Republicans who seek to dismantle or eliminate them.

More bad news emerged Wednesday when the administration announced the website will be unable to enroll small businesses online for another year.

Automated Business Controls: Scenario #5
Up to 12 million NatWest and Royal Bank of Scotland customers are still unable to pay bills or move money after a computer glitch left their accounts frozen for the third day running.

The banks, which are part of the taxpayer-owned RBS Group, said that "technical issues" with its computers meant that payments in or out of accounts had not been made since Wednesday.

In a statement this morning, RBS Group said: "Unfortunately we are once again experiencing technical issues with our systems and account balances have not updated properly overnight. This means where money has gone into a customer's account, there may be a delay in it appearing on their balance. We can assure our customers that this problem is strictly of a technical nature and we continue to work hard to resolve this."

Around 1,000 NatWest and 218 RBS branches opened an hour early this morning to deal with customer complaints.

The glitch, which also affected online banking services, has meant that workers have been left without their wages. People are also facing fines for late payment of bills because the computer meltdown left them with insufficient funds to honor direct debit arrangements, or direct debit payments were not made.

Consumer groups have called for customers to be compensated.

Problems with the group's computers meant that people who were relying on money being paid into their accounts, such as wages, were unable to access this cash. The move left many customers helpless and angry.
Peter Hurst, a NatWest customer who could not access his money, told The Daily Telegraph: "It's all a bit Greek. What effect this will have on the economy, God only knows. You expect this in the third world but not in London, the so-called business capital of the world."

Meanwhile a customer called Kora-Lee Holmes told Twitter: "Missed my flight home from Greece because NatWest's server problems mean I can't check out of my hotel. New flights (cost) £200."

A saver called JustABC told the social networking site: "My balance is reading £0.00 available, so what have you done with my pay? Now your online service isn't working. Unacceptable."

Automated Business Controls: Scenario #6
For fifteen tense minutes on Thursday afternoon, United Airlines' fare booking engine was operating at full steam. Someone, likely a Flyertalk user, noticed that fares between Washington DC and Minneapolis were pricing at $10 and posted his finding onto the forum. Attention grew rapidly, with over 100 replies in just an hour, and the news spread to Twitter.

The glitch in the system appeared to offer $0 fares plus $5 in tax for many domestic flights, and was apparently caused by human error. Some forum readers reported finding $10 flights between Washington DC and Hawaii, while others scooped up over a dozen tickets to destinations all over the country.

And then, just as quickly as the airfares showed up, United's reservation system slammed to a halt, reporting "United.com is currently undergoing maintenance. Flight search and booking are unavailable for all flights, including MileagePlus award travel. We are working to restore these as quickly as possible."

As to whether the airline will honor the bookings, the consensus is unclear. Past errors in pricing have brought investigations from the Department of Justice after the airline rescinded the tickets, while other airlines have been more successful in canceling mistake fares.
While some argue that the airline advertised and sold the fares in good faith, others argue that a clearly erroneous fare shouldn't need to be honored. It is more than likely that United will have to weigh the costs and benefits of canceling a swath of tickets and incurring the consumer wrath versus honoring them and taking the financial hit.

Automated Business Controls: Scenario #7
Let's turn to a story to give some hope to anybody who has gotten tangled up with a credit company. Julie Miller won big in court. $18.6 million. A lot of people know this frustration. They're a key to getting a loan, a credit card, a home, a job. And one in four credit reports contains errors. This morning, a battle with Equifax, with a win for the little guy. She is the face of consumers, winning and big. There was incorrect information. 40 debt collector information. And incorrect social security and birth dates. Eight times between 2009 and 2011, Julie Miller says she contacted credit bureau Equifax, filling out paperwork, even highlighting mistakes. After all that, she claims Equifax never corrected the errors. Several times they mailed a standard form they have that requested more information. Yet, there was no change to any of the information. She says the errors cost her credit at two banks. So, she finally sued the credit bureau. An Oregon jury says she's entitled to one of the biggest settlements ever. An $18.6 million award. Experts say credit bureaus should listen up. It's almost a message to the credit bureaus: you better get this information straight because consumers have recognized how important it is. And they're doing a better job of keeping on top of this information. Equifax won't say whether it disputes Miller's claim. But told ABC News, we are very disappointed in the jury verdict and are exploring our options. The consumer did their job. However, somebody dropped the ball. That's why you're seeing such a huge punitive award. Miller hopes it's a wake-up call.
They're sending information to companies all over the world. It can affect your credit and your scores and your life.

Audit Approach: Integration of Business, Technology & DAS

Audit within Organizational Structure
• Line Of Business (LOB)
• Technology Risk Management – IT Audit
• Business Risk Management – Business Audit
• Technology Subject Matter Resources (SMR)
• Data Analysis (DAS)

Audit Programs - Technology Risk Coverage

Business Audit Programs
Department utilizes an IT system to perform a business function; however, it does not own (develop, code) and support any IT applications or IT infrastructure.
Auditor is responsible for executing the operational risk audit and considers the following:
• User Access (Business Users)
• Account Mgmt/Security Administration (Users Provisioned by RABU)
• Automated Business Controls
• End User Computing
• Changes to business rules and/or foundation data (Not code changes)
• Project Management
• Records Management
• Vendor Management
• Business Continuity and Disaster Recovery

Technology Audit Programs
Department owns (develops, codes) and supports IT applications or IT infrastructure.
Auditor is responsible for coordinating the technology-related operational risk audit and considers the following:
• CIO General Controls Processes
• Infrastructure General Controls Processes
• Account Mgmt/Security Administration
• Information Security Processes
• Governance and Technology Risk Management Processes

Technology - Application Coverage
Audit maintains a list of Top High Risk Applications and reports on overall technology coverage of higher risk applications (e.g. SOX). Each audit captures the Audit Programs covered.
High Risk Application #1
• Business Audit Programs: Automated Business Controls, Business User Access, Business Rule Change Management
• Technology Audit Programs: Change Management, Application Security, Batch Processing

Audit Process
Before beginning the evaluation process, consider including IT Audit partners in initial brainstorming and planning meetings.
1. Process • Perform walk-throughs of critical processes with your business partner.
2. Risk • Determine the high risks that impact the process.
3. Control • Identify primary and key controls that reduce the risk to an acceptable level.
4. ABCs (Automated vs. Manual) • Identify controls and differentiate between automated, manual, and combination.
5. Design • Perform a design of controls assessment in order to ensure the control mitigates the risk.
6. Effectiveness • If the design of the control is adequate, perform effectiveness testing.

Automated Business Process Audit
System #1 sends data to System #2 via batch job. Review points:
1. Business Control Review, e.g. MIS Reports
2. Technology Control Review, e.g. Batch Job Monitoring
3. Data Analysis

Design of Controls Evaluation
Evaluate if the specific automated function is designed correctly:
1. Identify the objective of the control (i.e., intended purpose).
2. Assess whether the control is designed to achieve its intended purpose/objective. For example, consider the following:
   a) How is the control performed?
   b) Who performs the control?
   c) How often is it performed?
   d) Is the control manual, automated or combination?
   e) Is it preventative, detective or corrective?
   f) How does the control prevent, detect or correct the error?
   g) Where is the control documented?
   h) How is the control monitored?
   i) What reports or systems support/enable the control?
   j) How are any exceptions handled?
   k) Can the control be circumvented? If so, how?
   l) If circumvented, would management be notified? If so, how?
   m) Does the control enable Wells Fargo compliance with rules and regulations?

Effectiveness Testing
Evaluate if the specific automated control functions effectively.
1. Develop detailed test steps to verify control effectiveness
2. Determine population and sample size
3. Select the sample
4. Execute test steps to opine on effectiveness
5. For Sample of 1, test all permutations/conditions
6. Conclude whether the control performs as designed

Automated Control Testing Options

ABC Control Effectiveness Testing
There are three broad categories of testing methods:
• Option 1 - Test using actual data in the "production" environment.
• Option 2 - Perform procedures in the "test" environment.
• Option 3 - Utilize DAS for ABC testing.

Option 1 – Testing in PROD Environment
• Data Tracing through "live" transaction (Sample of 1 *)
• Integrated Testing Facility (Sample of 1 *)
• Simulator Technique (Sample of 1 *)
• Data Analysis (100% Population)
* Sample of 1 should be considered for all "fully" automated controls, including all variants.

Option 2 – Testing in TEST Environment
Testing performed in a replica of the production environment.
• Effective if properly planned
• Representative production data exists
• Test environment must be the same as the production environment

Option 3 – Utilize DAS to Enhance Testing
• Reperformance of complex processing and calculations
• The most comprehensive approach – 100% of Population
• Discovery of data anomalies
• Replace, supplement and/or enhance ABC testing

Let's test ABC

ABC Testing – Primary Focus Areas
There are many different control automation types and, as the technology progresses, the complexity will also increase. However, there are four main types of automation that will guide the testing approach:
• Functions: Hardcoded system/app function, such as an interest rate calculation. The system function can only be altered through a code change in the production system.
• Application Configuration: Configuration that can be changed by designated users, e.g. wire transfer limits. This type of change does not require code changes in the production system.
• Interfaces: A transaction or data exchange between two applications or systems. The interface could be scheduled, such as a batch job, or ad hoc, such as an online update.
• Reports: Results of a query performed by the system that retrieves specific data and delivers it to the business for analysis of trends and errors.

Automated Function – Input Control
Control Type: Automated System Function; Preventative; Input

Automated Input Controls
• File / database matching
• Completeness check
• Data field edit/format checks
• Duplicate check
• Limit / range check

Application Configuration – Edit Control

Automated Processing Controls
• Reasonableness checks
• Dependency checks
• Mathematical accuracy checks
• Prerecorded input
• Key verification

Interfaces – Processing Controls
• Records transferred

Interfaces – Batch Job Processing Control
• Records transferred

Automated Processing Controls
• Exception handling
• File reconciliations / run-to-run balancing
• Programmed procedures
• Limits for system calculations

System Reports – Accuracy Control

System Reports – Query Evaluation
Identify the control's objective and evaluate the report query to ensure that it meets the objective.

    select account_number, external_status, status_code, misc_field,
           credit_bureau_flag, Start_Dq_Dt          -- Fields that will display on the report
    from oildm_v1.mm_daily_curr_all                 -- Database table that stores the information
    where system_nbr in ('xx11', 'xx22', 'xx33')    -- Data selection criteria: high potential for errors
      and external_status in ('AB')
      and status_code = 7
      and misc_field = ' '
    order by account_number                         -- Data sorted by account number

(Column names that contain spaces or "#" on the slide are written as underscore identifiers so the statement parses: "external status" as external_status, "status code" as status_code, "credit bureau flag" as credit_bureau_flag, and "System #" as system_nbr, an assumed name. The select list's misc_fd and the where clause's misc_field are taken to be the same column.)

Q/A and Thank You
Mag Francois
704-410-7418
Mag.Francois@wellsfargo.com
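Added example (not from the deck) for the Automated Input Controls, Interfaces – Batch Job Processing Control and Automated Processing Controls slides above: a constructed System #1 to System #2 fee refund batch is reconciled on records transferred and control total (run-to-run balancing), and each record passes completeness, format, limit/range, file matching and duplicate edits, with failures routed to an exception list. The file layout, field names, refund limit and master account list are assumptions.

```python
import re
from datetime import datetime

# Constructed sample feed (not from the deck): System #1 sends fee refund
# requests to System #2 as a pipe-delimited batch. The header (H, line 1)
# carries the declared detail record count and a control total in cents.
BATCH_FILE = """\
H|20131203|5|12750
D|10000001|20131201|FEE01|2500
D|10000002|20131201|FEE01|4000
D|10000002|20131201|FEE01|4000
D|1000000X|20131301|FEE02|
D|10000009|20131202|FEE01|250
"""

# Application configuration: a refund limit designated users may change without a code change (constructed).
REFUND_LIMIT_CENTS = 5000

# File/database matching source: accounts known to System #2 (constructed).
MASTER_ACCOUNTS = {"10000001", "10000002", "10000003"}


def parse_batch(text):
    """Split the feed into the header fields and the detail rows."""
    rows = [line.split("|") for line in text.splitlines() if line.strip()]
    return rows[0], [r for r in rows[1:] if r[0] == "D"]


def reconcile_batch(header, details):
    """Interface controls: records transferred and run-to-run balancing."""
    declared_count, declared_total = int(header[2]), int(header[3])
    received_total = sum(int(r[4]) for r in details if r[4].isdigit())
    return {
        "count_diff": len(details) - declared_count,
        "total_diff": received_total - declared_total,
        "balanced": len(details) == declared_count and received_total == declared_total,
    }


def valid_date(yyyymmdd):
    try:
        datetime.strptime(yyyymmdd, "%Y%m%d")
        return True
    except ValueError:
        return False


def validate_records(details, master_accounts, limit_cents):
    """Input edits per record; every failed check is named and the record goes to an exception list."""
    accepted, exceptions, seen = [], [], set()
    for line_no, (_, acct, date, fee_code, amount) in enumerate(details, start=2):
        reasons = []
        if not all((acct, date, fee_code, amount)):
            reasons.append("completeness: blank field")
        if not re.fullmatch(r"\d{8}", acct):
            reasons.append("format: account must be 8 digits")
        if not valid_date(date):
            reasons.append("format: date not YYYYMMDD")
        if amount.isdigit() and not 0 < int(amount) <= limit_cents:
            reasons.append(f"limit: amount outside 1..{limit_cents}")
        if acct not in master_accounts:
            reasons.append("match: account not on master file")
        key = (acct, date, fee_code, amount)
        if key in seen:
            reasons.append("duplicate: record already received")
        seen.add(key)
        if reasons:
            exceptions.append((line_no, reasons))
        else:
            accepted.append({"account": acct, "fee_code": fee_code, "cents": int(amount)})
    return accepted, exceptions
```

The control total imbalance (2,000 cents) is explained by the exception list: the record with the blank amount is the one the header counted but the total cannot include.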
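Added example (not from the deck) for the System Reports – Query Evaluation slide above, in the spirit of Option 3 (DAS reperformance over 100% of the population): the slide's report query is run against a constructed copy of the table and compared with an independent query for the control objective, exposing what the hard-coded selection criteria drop. The control objective, the column name system_nbr and the sample rows are assumptions.

```python
import sqlite3

# The report query from the Query Evaluation slide. Column names containing
# spaces or "#" are written as underscore identifiers (system_nbr for
# "System #" is an assumed name); the selection criteria and sort are kept.
REPORT_QUERY = """
SELECT account_number, external_status, status_code, misc_field,
       credit_bureau_flag, Start_Dq_Dt
FROM oildm_v1.mm_daily_curr_all
WHERE system_nbr IN ('xx11', 'xx22', 'xx33')
  AND external_status IN ('AB')
  AND status_code = 7
  AND misc_field = ' '
ORDER BY account_number
"""

# Assumed control objective (the deck does not state it): report every
# in-scope AB / status 7 account whose misc field is empty. It is reperformed
# with blank-tolerant criteria, because a literal ' ' comparison silently
# drops NULLs, empty strings and multi-space blanks.
OBJECTIVE_QUERY = """
SELECT account_number
FROM oildm_v1.mm_daily_curr_all
WHERE system_nbr IN ('xx11', 'xx22', 'xx33')
  AND external_status = 'AB'
  AND status_code = 7
  AND TRIM(COALESCE(misc_field, '')) = ''
"""

# Constructed population (not real data); column order follows the CREATE TABLE below.
SAMPLE_ROWS = [
    ("1001", "xx11", "AB", 7, " ",  "Y", "2013-11-01"),  # selected by both queries
    ("1002", "xx22", "AB", 7, "",   "N", "2013-11-02"),  # empty string: report misses it
    ("1003", "xx33", "AB", 7, None, "Y", "2013-11-03"),  # NULL: report misses it
    ("1004", "xx11", "AB", 7, "  ", "Y", "2013-11-04"),  # two spaces: report misses it
    ("1005", "xx11", "CD", 7, " ",  "Y", "2013-11-05"),  # out-of-scope external status
    ("1006", "xx44", "AB", 7, " ",  "Y", "2013-11-06"),  # system not in the hard-coded list
    ("1007", "xx11", "AB", 7, "X",  "N", "2013-11-07"),  # misc field populated
]


def load_population(rows):
    """Build an in-memory copy of the table so the report can be reperformed offline."""
    con = sqlite3.connect(":memory:")
    con.execute("ATTACH DATABASE ':memory:' AS oildm_v1")
    con.execute("""CREATE TABLE oildm_v1.mm_daily_curr_all (
        account_number, system_nbr, external_status, status_code,
        misc_field, credit_bureau_flag, Start_Dq_Dt)""")
    con.executemany("INSERT INTO oildm_v1.mm_daily_curr_all VALUES (?,?,?,?,?,?,?)", rows)
    return con


def evaluate_report_query(con):
    """Compare what the report selects with what the control objective requires."""
    reported = [r[0] for r in con.execute(REPORT_QUERY)]
    expected = sorted(r[0] for r in con.execute(OBJECTIVE_QUERY))
    return {
        "reported": reported,
        "expected": expected,
        "missed": sorted(set(expected) - set(reported)),  # objective rows the report drops
        "extra": sorted(set(reported) - set(expected)),   # report rows outside the objective
    }
```

A non-empty "missed" list is the design finding: the report's selection criteria do not meet the objective even though every row it does show is correct, which is why accuracy testing of a report must start from the objective rather than from the query.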