Continuous Auditing: IT
Architecture for Financial Institutions
November 2008
IBM Global Business Services
Context: IBM Global CEO Study 2008
Recently IBM published the CEO Study 2008, showing the main external forces impacting financial institutions.
External Forces Impacting the Bank
The forces of change impacting banks constitute a huge potential opportunity to expand markets and optimize resources, although constraints remain.
• Recent issues in the sub-prime mortgage sector confirm CEO perceptions that market forces remain a critical factor impacting banks
• Regulation and compliance continue to increase in sophistication and complexity, putting pressure on banks to adapt and expand management systems
• Attracting and retaining specialized skills remains a key issue for many banks
• Technology continues to evolve as either a key competitive differentiator or a key constraint
  o Many of the most important innovations in banking over recent years have been driven by flexible technologies
  o However, many banks experience limited ability to innovate due to inflexible legacy systems
Many banks continue to be constrained in their ability to leverage change to drive growth and shareholder value.
Source: IBM Global CEO Study 2008; n (Banking) = 128
MarketSight Category Name / Analysis Name: Hungry for Change / Q1 Frequency; 2008 Global CEO Study
Banks to Banking II | 13-Nov-08
© Copyright IBM Corporation 2008
Context: Sarbanes-Oxley Act of 2002
Since the Sarbanes-Oxley Act of 2002, regulations have been constantly increasing.
• Section 302: CEO and CFO must personally certify and sign off on financial statements.
  o Getting “Back to the Basics”… tactical near-term Sarbanes-Oxley compliance to meet reporting requirements. Focus on controls, information integrity, timely and certified reporting, and accountability. May not achieve significant operational efficiencies.
• Section 404: Requires internal controls and procedures for financial reporting. Additionally, auditors must certify internal controls and processes annually.
  o Operationalize the “Basics”… controlled, repeatable and sustainable performance improvement. Enhance compliance capabilities and reengineer for operational efficiencies. Building business value and tying financial to operational drivers. Fast Close, On Demand reporting, ERP integration, etc.
• Section 409: Companies must provide urgent disclosure of material events that may affect performance.
  o Moving Beyond Compliance… optimizing performance for competitive advantage. Integrated Performance Management (IPM) and enabling Business Intelligence infrastructure. ROI measurement, enhanced visibility, predictability and insights.
Time horizons: Immediate, Near-term, Longer-Term
Source: IBM BDW presentation 2003
Context: Sarbanes-Oxley Act of 2002
Auditing process automation is mandatory to be compliant without
increasing operational costs
[Figure: from Strategy to Implementation. Flow labels: Risk Identification; KPI, business rules, analysis dimensions; extraction parameters; IT Architecture. Method chart phases: Solution Outline, Macro Design, Micro Design, Build Cycle, Deployment.]
Case Study
Last year IBM and one of the largest financial institutions in Brazil started the definition of a new IT architecture for the continuous auditing process.
Background
• The continuous auditing process was implemented using tools such as Access and Focus (ETL tool) with a high level of manual intervention
• Main interest was in event deviation analysis only, which results in a lack of scalability
The Business Challenge
• Propose a new robust IT solution for the continuous auditing process which offers to users:
  o Scalability
  o Availability
  o Integrity and trust
  o Synergy with corporate tools
  o Use of a multi-dimensional database for risk evaluation
Some Figures
• 8 million clients
• 300 million transactions per month
• 70 million journal entries per day
• 1.3 terabytes of historical files
• Approx. 35.000 employees
The Solution
• New IT architecture based on a BI approach including dashboard implementation
Case Study
The solution was a new IT architecture based on a BI approach including dashboard implementation.
• EXTRACTION: Extraction from transactional system (use of simple filters and data volume reduction). ETL on mainframe
• INTEGRATION AND TRANSFORMATION: Data consolidation (use of business rules, data cleaning and KPI calculation). ETL on UNIX platform
• ANALYSIS: OLAP analysis (indicator versus visions). Data marts, multi-dimensional analysis
• CONTROL: Deviation follow-up. Follow-up / workflow
• PUBLICATION: Indicator monitoring. Dashboard
Summary of Section 409 of the Sarbanes-Oxley Act
Issuers are required to disclose to the public, on an urgent basis, information on material changes in their financial condition or operations. These disclosures are to be presented in terms that are easy to understand, supported by trend and qualitative information and graphic presentations as appropriate.
Case Study
The new IT architecture can help with the identification and treatment of suspect transactions.
Stages: Formulation, Implementation, Monitoring
• Risk identification: fraudulent insurance withdrawals
• Indicators, business rules, analysis dimensions
  o Indicator: number of insurance withdrawals after a customer master file update
  o Dimensions: per dealer, per month, per product
• Control algorithms (extraction parameters)
  o Parameters: master file update 90 days before the insurance withdrawal
• Follow-up on suspect transactions
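The indicator on this slide, computed over constructed sample extracts, as an added example that is not part of the original presentation. The semicolon-delimited field layout, the identifiers and the reading of the parameter as "an update within the 90 days before the withdrawal" are assumptions.

```python
import csv
import io
from collections import Counter
from datetime import date, timedelta

WINDOW_DAYS = 90  # slide parameter: master file update 90 days before the withdrawal

# Constructed sample extracts (hypothetical layout) standing in for the TXT files
# "customers master file updates" and "customers withdraw".
MASTER_UPDATES_TXT = """customer_id;update_date
C001;2008-01-10
C002;2007-06-01
C003;2008-03-05
"""
WITHDRAWALS_TXT = """customer_id;withdraw_date;dealer;product
C001;2008-02-20;D10;LIFE
C002;2008-02-21;D10;LIFE
C003;2008-03-06;D10;LIFE
C003;2008-06-03;D22;PENSION
C003;2008-06-04;D22;PENSION
C004;2008-03-09;D22;LIFE
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))

def find_deviations(updates_txt, withdrawals_txt, window_days=WINDOW_DAYS):
    """Return withdrawals preceded by a master file update within window_days."""
    updates = {}
    for r in _rows(updates_txt):
        updates.setdefault(r["customer_id"], []).append(date.fromisoformat(r["update_date"]))
    window = timedelta(days=window_days)
    deviations = []
    for w in _rows(withdrawals_txt):
        when = date.fromisoformat(w["withdraw_date"])
        # Same-day updates count: a daily extract does not give the order within a day.
        hits = [u for u in updates.get(w["customer_id"], []) if timedelta(0) <= when - u <= window]
        if hits:  # keep the triggering update so the follow-up record is self-explanatory
            deviations.append({**w, "update_date": max(hits).isoformat()})
    return deviations

def indicator(deviations):
    """Count deviations per (dealer, month, product), the slide's three dimensions."""
    return Counter((d["dealer"], d["withdraw_date"][:7], d["product"]) for d in deviations)

if __name__ == "__main__":
    print(sorted(indicator(find_deviations(MASTER_UPDATES_TXT, WITHDRAWALS_TXT)).items()))
```

The deviation records feed the follow-up step, and the per-dimension counts correspond to the risk criterion of deviations per dimension.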
Proposed Architecture
The proposed IT architecture is presented below.
[Figure: proposed architecture, scope of the audit environment.
Mainframe (high platform): primary data sources (DB2, other sources, distributed DB, corporate DW, VSAM indexed files, hierarchical databases, relational databases of the transaction systems for core products); ETL (extraction, transformation, load) into a staging area; extractions for grouped indicators, for deviations sent to follow-up (FUP) / workflow, and ad hoc; sequential TXT files (customers master file updates, customers withdraw).
Unix environment (low platform): data mart (# withdraw by dealer, month, product); relational base holding deviations and the detailed information used to compose the indicators; TXT files with ad hoc results.
Business applications: dashboard and reports (web, graphics), with risk criteria = # of deviations per dimension; FUP / workflow system.
Users: business users; audited users (e.g. branches, directorates).]