
8/29/2016


Have You Seen My Data? Auditing Data Governance

Holger Reusch MBA, CFE, CISA

Audit Advisor, University of Calgary

Agenda
• Data Governance – The What, Who, How, and Why
• Planning a Data Governance Audit
• Conducting a Data Governance Audit
• Recent U of C Data Governance Audits


Data Governance – The What, Who, How, and Why

Freeimages.com/pcst | Used with permission

What is Data Governance?
• The specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival, and deletion of information.
• It includes the processes, roles, standards, and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.

Source: Gartner Inc.


Why is Data Governance necessary?

BUSINESS BENEFITS
• Consistent data definition for reporting and decision making
• Clear responsibilities
• Structured data/metadata
• Analytics enablement
• Competitive advantage (fast action based on patterns & trends)

RISK MANAGEMENT
• Operational uncertainty
• Security & privacy
• Audit & compliance
• Human subjects
• Intellectual property
• Research data management
• Records retention
• Custody transfer

Source: Educause Center for Analysis and Research

Data Governance Framework

Outcomes
• Data Risk Management
• Compliance
• Value Creation

Enablers
• Organizational Structure & Awareness
• Policy
• Stewardship

Core Disciplines
• Data Quality Management
• Information Life-Cycle Management
• Information Security & Privacy

Supporting Disciplines
• Data Architecture
• Classification & Metadata
• Audit Information, Logging & Reporting

(Figure: arrows labelled "require", "enhance" and "support" connect the four groups.)

Source: IBM


Typical Data Governance Roles

Data Trustee
  Description: Senior official who plays a planning and policy-making role.
  Responsibilities: Oversee establishment of data governance and assign responsibility and accountability.

Data Steward
  Description: Director-level official who oversees an operation that collects, houses and releases data.
  Responsibilities: Implement a data governance system within their department.

Data Manager
  Description: Involved in day-to-day collection and release of data.
  Responsibilities: Departmental SME function; duties vary.

Data Expert
  Description: Involved in managing business processes and rules involving data.
  Responsibilities: Business analyst function; duties vary by department.

Data User
  Description: Accesses data in discharging duties or as a part of their role in the university.
  Responsibilities: Protect own access privileges; correctly use data.

Source: University Business Executive Roundtable

Data Quality Management: The Challenges
• Multiple Sources
• Inconsistency
• Duplication
• Ambiguity
• Repurposing
• Process Failures

Source: Knowledge Integrity Inc.


Data Quality Management Processes

Source: Knowledge Integrity Inc.

Information Life-Cycle Management

(Figure: life-cycle stages – Study Concept, Data Distribution, Data Collection, Data Processing, Data Analysis, Data Archiving, Data Discovery, Data Analysis, Repurposing.)

Source: UF Health Science Center Libraries


Information Security & Privacy Challenges
• Secure Data Retention & Disposal
• Identity Theft & Phishing
• International Travel
• Device Security: Fixed & Mobile
• Network Security
• Identity and Access Management
• Cloud Security

Selected DG/DM Frameworks

DAMA DMBOK (Data Management Body of Knowledge)
• Standard view of DM functions, terminology and best practices.
• Does not detail specific methods and techniques.

Proprietary DG Frameworks
• Various unofficial standards exist: IBM, Data Governance Institute (DGI), Stanford, …

COSO Internal Control Framework
• Apply by contextualizing Internal Control terms to DG/DM requirements

ISO 270xx – Information Security Management
• Managing the security of information assets

ISACA COBIT (Control Objectives for Information and Related Technology)
• Generic governance framework and toolset for control requirements, technical issues and risks

ISO 8000 – International Data Quality Standard
• Under development; currently covering Master Data exchange & quality


Planning a Data Governance Audit

Freeimages.com/eggo | Used with permission

Audit scope and approach need to reflect the maturity of the organization.

(Figure: Audit Scope & Approach balanced against DG Maturity.)

Sweetclipart.com | Used with permission (CC BY-NC-SA 3.0)


Data Governance Maturity

(Figure: two dimensions – Fragmented to Holistic, and IT driven to Business driven – with maturity stages Unaware (No activity), Initial (Ad hoc), Repeatable (Pilot), Defined (Project), Managed (Program), Optimized (Function).)

Use both dimensions to determine overall Data Governance maturity.

Source: Informatica

Data Governance Maturity Levels

1 Initial
• Elements of practice in the category may be present but are localized in individual departments and are for the most part performed on an ad hoc basis.

2 Managed
• Elements of practice are for the most part defined at an enterprise level but implementation is not complete.

3 Defined
• Elements in practice are defined and implemented at an enterprise level but no formal processes are established to ensure continuous improvement.

4 Quantitatively Managed
• Elements of practice are defined and implemented across the enterprise and repeatable processes and metrics are used to monitor and track progress to ensure continuous improvement.

5 Optimized
• Elements of practice are implemented, monitored and used proactively across the enterprise to reduce risk, continuously improve data governance practices and to gain a competitive advantage.

Source: IBM


Data Quality Assessment

(Figure: assessment process in five phases, starting from the Business Process under review.)

Plan
• Select process
• Assess scope
• Acquire docs
• Identify business impacts
• Assess existing DQ process
• Project Plan

Prepare
• List datasets
• Critical data elements
• Proposed measures
• Prepare DQ tools
• Review sys docs
• Review current issues
• Collate business impacts

Analyze
• Extract
• Profile
• Analyze
• Drill down
• Note findings

Synthesize
• Review anomalies
• Describe issues
• Prepare report

Review
• Present anomalies
• Verify criticality
• Prioritize issues
• Suggest action items
• Review next steps
• Develop action plan

Source: Knowledge Integrity Inc.

Use the DG Framework to define Audit Scope and Objectives

(Figure: the DG Framework – Outcomes, Core Disciplines, Enablers, Supporting Disciplines, joined by the "require", "enhance" and "support" arrows – annotated with: use Outcomes to specify objectives; use Core Disciplines to outline scope; add Enablers and Supporting Disciplines to scope if appropriate.)


Audit Scope & DG Core Disciplines

• Data Quality Management
  • Completeness
  • Accuracy
  • Appropriateness
• Information Life-Cycle Management
  • Policies
  • Control Processes
• Information Security & Privacy
  • Identity & Access Management
  • Change Management
  • Service Management
  • Asset Management
  • Business Continuity Management

Performing a Data Governance Audit

Pitfalls & Best Practices

Freeimages.com/maybeknot | Used with permission


Pitfalls

Lack of executive support
• Lack of understanding
• Not sold on DG value proposition

Boiling the ocean
• Scoping error
• Maturity mismatch

One size fits all approach
• Different parts of the organization at different levels
• Resource and skill availability

Recommendations not matching maturity level
• “Standard spam”

Best Practices (1) – Communicate vision and build business case

• Relate to organizational imperatives
• Use DG Framework objectives to illustrate benefits
• Use DG Framework to build cause-effect narratives
• Relate DG to business processes
  • Examples: On/Offboarding, Procurement, A/P

Freeimages.com/createsima | Used with permission


Best Practices (2) – Select the right people

Questions to ask:
• Appropriate DG/DM/DQ skills?
• Staffing levels appropriate?
• People engaged/motivated?

Conducting the audit engagement
• Work with management as early as possible if this is an issue

Performing Data Governance work
• Recommend changes if found deficient

Best Practices (3) – Policies, processes and tools

• Recommend policies fitting the organization
  • Organizational imperatives
  • Current & desired DG maturity
  • Change Management
    • IT Change Management
    • Organizational Change Management
• Choose tools/architecture fitting the organization
  • Select subset from framework or standard
  • Think crawl-walk-run


Best Practices (4) – Start as a project, run as a program

• Exec sponsor & support
• Project/program management
• Define milestones/KPIs to track progress
• Business value metrics for executive management
• Operational data quality metrics for data stewards

Recent U of C Data Governance Audits

University of Calgary | Used with permission


Recent Data Governance Audits

Institutional Metrics Process
• Frameworks used:
  • COSO, IBM DG, Oracle DG
• Selected Findings:
  • Inconsistent content and context of source data
  • No process for data life-cycle management
  • No data quality management process

Enterprise Data Warehouse
• Frameworks used:
  • DAMA DMBOK, IBM DG
• Selected Findings:
  • Lack of data dictionary
  • No training for Data Users
  • No DG stakeholders appointed
  • Inconsistent access management processes

Questions?

Holger Reusch MBA, CFE, CISA
Audit Advisor, University of Calgary
[email protected] | 403-210-9427