Horse to water [Diagram showing Sarbanes-Oxley data flows for finance systems] Talk about how important this is in the context of Sarbanes-Oxley: where does the data come from and where does it go? Need to consider especially the potential impact on information systems.
Talk about governance groups here.
Essentially these are the different types of governance groups/arrangements we can have (the slide is called “governance arrangements matrix” in Weill and Ross).
[Data quality is a business decision – alignment with needs of the business is necessary]
– less emphasis at the beginning of the strategy, but have monthly and quarterly reviews (as is recommended for all strategies that cannot sit on the shelf).
Describe how this process works.
The Maturity Model
0 - Nonexistent
1 - Initial/Ad Hoc
2 - Repeatable but Intuitive
3 - Defined Process
4 - Managed and Measurable
5 - Optimised
Data quality management can only work when the organisation is ready for it. A great leap forward won’t work for data management. Activities and performance indicators must be tailored for your readiness.
DS11.1 Business Requirements for Data Management: Verify that all data expected for processing are received and processed completely, accurately and in a timely manner, and all output is delivered in accordance with business requirements. Support restart and reprocessing needs.
DS11.2 Storage and Retention Arrangements: Define and implement procedures for effective and efficient data storage, retention and archiving to meet business objectives, the organisation’s security policy and regulatory requirements.
DS11.3 Media Library Management System: Define and implement procedures to maintain an inventory of stored and archived media to ensure their usability and integrity.
DS11.4 Disposal: Define and implement procedures to ensure that business requirements for protection of sensitive data and software are met when data and hardware are disposed or transferred.
DS11.5 Backup and Restoration: Define and implement procedures for backup and restoration of systems, applications, data and documentation in line with business requirements and the continuity plan.
DS11.6 Security Requirements for Data Management: Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organisation’s security policy and regulatory requirements.
- Data entry controls: Data entry requirements are clearly stated, enforced and supported by automated techniques at all levels, including database and file interfaces
- Data ownership: The responsibilities for data ownership and integrity requirements are clearly stated and accepted throughout the organisation
- Training in standards: Data accuracy and standards are clearly communicated and incorporated into the training and personnel development processes
- Data correction: Data entry standards and correction are enforced at the point of entry
- Output standards: Data input, processing and output integrity standards are formalised and enforced
- Data quarantine: Data are held in suspense until corrected
- Integrity monitoring: Effective detection methods are used to enforce data accuracy and integrity standards
- Reliable and meaningful data interfaces: Effective translation of data across platforms is implemented without loss of integrity or reliability to meet changing business demands
- Minimal keying: There is a decreased reliance on manual data input and re-keying processes
- Data access tools: Efficient and flexible solutions promote effective use of data
- Archive management: Data are archived and protected and are readily available when needed for recovery
- Data dictionary: [blah]
- Information inventory: [blah]
1. Data management strategies. Presented by: Micheal Axelsen, Director, Applied Insight Pty Ltd
3. About this presentation
5. DATA MANAGEMENT AND ACCOUNTANTS
6. Accounting compliance requirements
- The international accounting standards are strangely silent on specific issues relating to data management
- ISA315 has the most to say about computing:
  - The auditor shall obtain an understanding of the information system, including the related business processes, relevant to financial reporting, including the following areas:
    - The classes of transactions in the entity’s operations that are significant to the financial statements;
    - The procedures, within both information technology (IT) and manual systems, by which those transactions are initiated, recorded, processed, corrected as necessary, transferred to the general ledger and reported in the financial statements;
    - The related accounting records, supporting information and specific accounts in the financial statements that are used to initiate, record, process and report transactions; this includes the correction of incorrect information and how information is transferred to the general ledger. The records may be in either manual or electronic form;
    - How the information system captures events and conditions, other than transactions, that are significant to the financial statements;
    - The financial reporting process used to prepare the entity’s financial statements, including significant accounting estimates and disclosures; and
    - Controls surrounding journal entries, including non-standard journal entries used to record non-recurring, unusual transactions or adjustments.
7. Tales from the data vault
8. Definitions
- Data Quality measures the data’s fitness for the intended use in operations, decision making & planning
- Governance is a set of accountabilities, processes, and auditable and measurable controls that ensure the business is on track to achieve its objectives
- Data Governance is a set of accountabilities, processes, and auditable and measurable controls to ensure the business is on track to achieve its data quality objectives
- Data Quality Frameworks provide structure to data quality activities and allow assessment of data quality
9. Data assurance
10. The reasons why
- Compliance frameworks
- Control Objectives for IT (COBIT)
- Sarbanes-Oxley
- ASX Principles (risk, value)
- National Privacy Principles
- AS8015-2005 (and ISO/IEC 38500)
- Good IT governance is good for bottom line
- MIT research shows that companies with better than average IT governance earn at least a 20 percent higher return on assets than organizations with weaker governance (Weill/Ross 2004)
- For accountants, the most relevant and global standard to adopt is the Control Objectives for Information Technology standard, which is published by the IT Governance Institute
11. Accountants and spreadsheets
- Spreadsheets hold a great deal of the corporate data that we have
- It’s not ‘just a spreadsheet’
- The spreadsheet should have internal controls and methods of validation as well: it is still a system and needs appropriate controls, checks and balances
- Where the spreadsheet uses data from other systems, understand where that data has come from, and its security, its integrity, its effectiveness and its efficiency
12. CONCLUSION ALIGNING EFFORT AND NEED
13. Do what the business needs
14. Corporate governance and data
15. Governance groups
16. Integrating IT plans into business strategy
17. A business decision
18. CONCLUSION DATA GOVERNANCE STRATEGY
19. Improving data quality
- Creating active strategies
- It is naive to think that data quality can be improved in a ‘Great Leap Forward’ on all fronts and all at once
- To be sustainable, data quality must meet the cost/benefit test, and be important to the business
- A data governance strategy grows organisational capability by implementing a data quality ‘floor’ for all data and focussing the most resources upon the most critical data
- This creates less business risk, higher quality, and lower costs than a ‘big bang’ approach
20. Practical strategies
- Owned by the business, not ‘IT’
- Set core standards for all data, and focus resources on the development of data governance approaches for absolutely critical data first.
- Do not develop over-engineered solutions for the entire organisation’s data at first.
- Slow-burn strategies that deliver beat fast-burning failures every time
- Build the strategic rhythm of monthly & quarterly reviews
- Set quarterly deliverables in the program of works for ease of monitoring
- An active strategy is a practical strategy
21. Strategy for delivering data governance
22. THE PROGRAM OF WORKS
23. Maturity through growth
COBIT Maturity Model (Level - Description)
0 - Non-existent
1 - Ad hoc
2 - Repeatable but intuitive
3 - Defined process
4 - Managed and measurable
5 - Optimised
24. Objectives of data quality
COBIT: DS11 Manage Data (Process - Description)
DS11.1 - Business Requirements for Data Management
DS11.2 - Storage and Retention Arrangements
DS11.3 - Media Library Management System
DS11.4 - Disposal
DS11.5 - Backup and Restoration
DS11.6 - Security Requirements for Data Management
25. Improving the data quality framework
26. Invest in security according to your needs
27. DATA QUALITY POLICY FRAMEWORK
28. Data management lifecycle
29. Data quality policy framework
31. Conclusion
- More information
- www.cpaaustralia.com.au
- www.isaca.org
- www.itgi.org
- Speaking Notes
- Speaking notes for this presentation may be downloaded from www.appliedinsight.com.au
- Questions and answers
- Questions from the audience
33. References
- Gillies, C., and Broadbent, M. IT Governance: A Practical Guide for Company Directors and Business Executives. CPA Australia. 2005.
- IT Governance Institute. Board Briefing on IT Governance (Second Edition). Rolling Meadows, Illinois. 2003.
- IT Governance Institute. COBIT 4.1. Rolling Meadows, Illinois. 2007.
- Standards Australia. AS8015-2005 Corporate Governance of ICT. Standards Australia. 2005.
- Weill, P., and Ross, J. W. IT Governance: How Top Performers Manage IT Decisions Right for Superior Results. Harvard Business School Press. 2004.
34. About the speaker
- Services
- Micheal Axelsen provides business systems consulting services in the governance of information technology, and development and implementation of IT business strategy
- Position and qualifications
- Director, Applied Insight Pty Ltd
- Chair, CPA Australia IT & Management Centre of Excellence
- Member of ISACA
- Qualifications
  - Bachelor of Commerce (Hons)
  - Masters of Information Systems
  - FCPA