
Automated Business

Controls

© 2013 Wells Fargo Bank, N.A. All rights reserved. Internal use only. Version 1.0.

ISACA – Charlotte, NC

December 3, 2013

Mag Francois, CISA, CISM, CRISC

VP, Senior Audit Manager – Strategy and Operations

Technology Changing Lives: Yesterday, Today, Tomorrow

Business Operations - Yesterday

Simple process of fee refund

Customer calls and disputes a fee

Agent documents it and requests fee refund decision

Manager approves refund and check is processed

Check is mailed and delivered to customer

Business Operations - Today and Tomorrow

Simple process of fee refund

Customer disputes a fee online, or calls and the agent enters it in the system

Dispute is sent real-time to System #1

System #1 calculates fee refund

System #1 sends data to System #2 via batch job

System #2 approves or denies the fee

Customer verifies fee refund online

Technology Risk vs Operational Risk

"Technology Risk is a Business Risk – specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. [...] Due to IT's importance to the overall business, IT risk should be treated like other key business risks. [...] IT-related risk is considered to be a component of operational risk, e.g. Basel II requirements."

ISACA – RISK IT FRAMEWORK

"Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people or systems."

WELLS FARGO

Manual vs. Automated Controls

What is a business control?

Control - A control is a required check within a business process. It ensures that the risks inherent within the process, and those posed by process design and execution, are adequately mitigated either by prevention, detection or correction.

What is a Manual Control?

Manual control - A control performed by a person without making direct use of automated systems.

EXAMPLE: The performance of a Quality Assurance review. The reviewer evaluates the process and related requirements in order to confirm that the entire process was executed correctly.

What is an Automated Control?

Automated control - A control performed by an automated system, without intervention by a person.

EXAMPLE: Point of Sale credit limit check at a retail store.

Step 1. Customer swipes their credit card at the register.

Step 2. The retail Point of Sale (POS) terminal communicates with the Credit Card Issuer to verify the credit limit and the amount of available credit.

Step 3. If the transaction is within the credit limit, the system approves the transaction. If the transaction is above the credit limit, the system declines the transaction.

What is a semi-automated control?

Semi-automated - A combination of both automated and manual controls is necessary to adequately mitigate the risk. Usually, the manual part is dependent on the automated part.

EXAMPLE: The security screening at an airport.

Step 1. The automated control: The screening booth creates an image and recognizes abnormalities.

Step 2. The manual control: The security agent evaluates the automated results and determines if additional screening must be performed to eliminate unknown risk related to the abnormalities.

Automated Business Controls – Value


Priceless

Accuracy

Timeliness

Security

Efficiency

Automated Control Failures

Automated Business Controls: Scenario #1

JP Morgan systems failed to highlight suspicious Madoff trades, says £12bn lawsuit

JP Morgan Chase's advanced trading systems failed to highlight problems around transactions by fraudster Bernard Madoff before his conviction, according to a major lawsuit.

The $19 billion (£11.9 billion) claim, brought by victims' trustee Irving Picard, is an expanded version of an existing court action and more than triples the original amount being sought. It includes extra evidence, including from experts at another bank who questioned transactions with Madoff's JP Morgan Chase account.

Unusual activity in the Madoff account at JP Morgan Chase "should have triggered [its] automated account monitoring system", the lawsuit states. JP Morgan has said that it complied with the law and was not aware of the fraud, stating the lawsuit was "meritless" and "based on distortions of both the relevant facts and the governing law".

JP Morgan Chase's transaction monitoring system "failed to issue alerts even when analyzing highly suspicious activities with respect to Madoff" and his former company Bernard L Madoff Investment Securities, the suit says.

The system "almost never issued alerts", states the lawsuit, prompting "compliance personnel" at the bank to question after Madoff's arrest why this had not happened. In March 2008, some $1.1 billion (£687 million) in transactions took place on the account, described by the lawsuit as particularly "high".

"Remarkably, [JP Morgan Chase's] transaction monitoring system noted the unusual activity but did not consider it unusual enough to warrant an alert," it said. "No alert was analyzed in March 2008."

By Leo King | Computerworld UK | Published 05:00, 29 June 11

Automated Business Controls: Scenario #2

Walmart has said that it has resolved an issue that was causing an online frenzy among shoppers. An apparent glitch on the company's website early this morning led to $8.85 listings for items that included computer monitors and projectors normally worth hundreds of dollars. The country's largest retailer was selling a 24-inch high-definition Viewsonic computer monitor, InFocus IN2124 digital projectors and other products, many for $8.85. The projector is listed for $578.89 on Walmart.com and $579.99 on Newegg.com.

As customers shared the deals on social media sites like Instagram, wondering if the site was hacked, products sold out in just hours. Customers expressed outrage on Walmart's Facebook page. "I will gladly pay an extra dollar or 2 for something to avoid stepping foot or spending a dime in your stores," one Facebook user wrote. "Including SAMs. Membership cancelled."

From a public relations standpoint and in the interest of customer good will, a firm will sometimes take the loss, but that typically involves relatively inexpensive items, he said. "However, to be clear, it's the company's decision," Marks said. Companies can get into trouble with authorities if they purposefully post an incorrect price to "bait" customers to shop and then "switch" them to a more expensive alternative, Marks said. "Again, this is something authorities would determine based on a pattern of behavior rather than a single incident," he explained.

Automated Business Controls: Scenario #3

Two Walmart stores in Louisiana will have to foot most of the bill after a computer glitch caused spending limits on food stamp cards to be temporarily removed on Saturday.

The Electronic Benefits Transfer system went down when a backup generator at Xerox failed during a regularly scheduled test, ABC News reports. Xerox is a vendor for the EBT program.

Police reported people checking out at stores in Mansfield and Springhill, La. using EBT cards with 8-10 full carts in some cases, and more than $700 worth of groceries. Customers reportedly flocked to the stores and jammed checkout lines.

Springhill Police Chief Will Lynd told ABC it was worse than anything he'd ever seen: "It was definitely worse than Black Friday... There was no food left on any of the shelves, and no meat left. The grocery part of Walmart was totally decimated."

But ABC reports that despite the failure at Xerox, Walmart will be forced to deal with what could be a sizable bill. A Louisiana Department of Children and Family Services spokesman explained that the emergency procedure in Louisiana is to limit all EBT cardholders to $50 spending limits in the case of an emergency. Retailers who choose not to limit customers are responsible for amounts spent beyond eligible benefit balances.

MSN reported both Xerox and Walmart tried to place blame for the incident on each other on Monday. Walmart pointed to Xerox's power outage as the source of the problem, while Xerox said Walmart failed to use the "documented process for retailers like Walmart to follow in response to EBT outages."

But Louisiana officials insisted that they would not be left to remedy the situation. "The outage was the result of failures by our contractor, Xerox," said Trey Williams, a spokesman for the Louisiana Department of Children and Family Services. He said any businesses that chose not to follow emergency procedures "are only being reimbursed for the (maximum) amounts on individual cards." The error at Xerox Corp. caused the EBT system to go down in 17 states. In some states, including Maine, Maryland and Florida, retailers chose to just turn away EBT users for the duration of the problem, according to The Advocate.

Automated Business Controls: Scenario #4

Washington (CNN) -- A moment of truth approaches for President Barack Obama's signature health care reforms with Saturday's self-imposed deadline to get the website to work properly for most users.

Obama and officials in charge of HealthCare.gov say the "vast majority" of people who go to the website to sign up at the end of the month will have a much improved experience than the crashes, error messages and delays users faced when it launched October 1.

However, problems continue to plague the system, and technology experts question if the fixes being deployed by a team of government workers, outside contractors and specialists can get it functioning smoothly as soon as Saturday.

Luke Chung, president of Virginia-based software developer FMS Inc., called the administration's prediction that HealthCare.gov would work at 80% capacity on or around November 30 an impractical threshold in the software world. "I don't know how to build something that's only 80% complete," Chung told CNN. "I don't even understand how that works."

The website woes raised questions about the viability and security of the system, and opened the reforms known as Obamacare to fresh attacks by conservative Republicans who seek to dismantle or eliminate them.

More bad news emerged Wednesday when the administration announced the website will be unable to enroll small businesses online for another year.

Automated Business Controls: Scenario #5

Up to 12 million NatWest and Royal Bank of Scotland customers are still unable to pay bills or move money after a computer glitch left their accounts frozen for the third day running. The banks, which are part of the taxpayer-owned RBS Group, said that "technical issues" with its computers meant that payments in or out of accounts had not been made since Wednesday.

In a statement this morning, RBS Group said: "Unfortunately we are once again experiencing technical issues with our systems and account balances have not updated properly overnight. This means where money has gone into a customer's account, there may be a delay in it appearing on their balance. We can assure our customers that this problem is strictly of a technical nature and we continue to work hard to resolve this."

Around 1,000 NatWest and 218 RBS branches opened an hour early this morning to deal with customer complaints. The glitch, which also affected online banking services, has meant that workers have been left without their wages. People are also facing fines for late payment of bills because the computer meltdown left them with insufficient funds to honor direct debit arrangements, or direct debit payments were not made. Consumer groups have called for customers to be compensated.

Problems with the group's computers meant that people who were relying on money being paid into their accounts, such as wages, were unable to access this cash. The move left many customers helpless and angry. Peter Hurst, a NatWest customer who could not access his money, told The Daily Telegraph: "It's all a bit Greek. What effect this will have on the economy, God only knows. You expect this in the third world but not in London, the so-called business capital of the world."

Meanwhile a customer called Kora-Lee Holmes told Twitter: "Missed my flight home from Greece because NatWest's server problems mean I can't check out of my hotel. New flights (cost) £200."

A saver called JustABC told the social networking site: "My balance is reading £0.00 available, so what have you done with my pay? Now your online service isn't working. Unacceptable."

Automated Business Controls: Scenario #6

For fifteen tense minutes on Thursday afternoon, United Airlines' fare booking engine was operating at full steam. Someone, likely a Flyertalk user, noticed that fares between Washington DC and Minneapolis were pricing at $10 and posted his finding onto the forum. Attention grew rapidly, with over 100 replies in just an hour, and the news spread to Twitter.

The glitch in the system appeared to offer $0 fares plus $5 in tax for many domestic flights, and was apparently caused by human error. Some forum readers reported finding $10 flights between Washington DC and Hawaii, while others scooped up over a dozen tickets to destinations all over the country.

And then, just as quickly as the airfares showed up, United's reservation system slammed to a halt, reporting "United.com is currently undergoing maintenance. Flight search and booking are unavailable for all flights, including MileagePlus award travel. We are working to restore these as quickly as possible."

As to whether the airline will honor the bookings, the consensus is unclear. Past errors in pricing have brought investigations from the Department of Justice after the airline rescinded the tickets, while other airlines have been more successful in canceling mistake fares. While some argue that the airline advertised and sold the fares in good faith, others argue that a clearly erroneous fare shouldn't need to be honored.

It is more than likely that United will have to weigh the costs and benefits of canceling a swath of tickets and incurring the consumer wrath versus honoring them and taking the financial hit.

Automated Business Controls: Scenario #7

Let's turn to a story to give some hope to anybody who has gotten tangled up with a credit company. Julie Miller won big in court: $18.6 million.

A lot of people know this frustration. They're a key to getting a loan, a credit card, a home, a job. And one in four credit reports contains errors. This morning, a battle with Equifax, with a win for the little guy. She is the face of consumers, winning and big. There was incorrect information. 40 debt collector information. And incorrect social security and birth dates.

Eight times between 2009 and 2011, Julie Miller says she contacted credit bureau Equifax, filling out paperwork, even highlighting mistakes. After all that, she claims Equifax never corrected the errors. Several times they mailed a standard form they have that requested more information. Yet, there was no change to any of the information. She says the errors cost her credit at two banks. So, she finally sued the credit bureau.

An Oregon jury says she's entitled to one of the biggest settlements ever: an $18.6 million award. Experts say credit bureaus should listen up. It's almost a message to the credit bureaus, you better get this information straight because consumers have recognized how important it is. And they're doing a better job of keeping on top of this information.

Equifax won't say whether it disputes Miller's claim. But told ABC News, we are very disappointed in the jury verdict and are exploring our options.

The consumer did their job. However, somebody dropped the ball. That's why you're seeing such a huge punitive award.

Miller hopes it's a wake-up call. They're sending information to companies all over the world. It can affect your credit and your scores and your life.

Audit Approach: Integration of Business, Technology & DAS

Audit within Organizational Structure

Line Of Business (LOB): Technology Risk Management and Business Risk Management

Audit functions: IT Audit, Business Audit, Technology Subject Matter Resources (SMR), Data Analysis (DAS)

Audit Programs - Technology Risk Coverage

Business Audit Programs

Scope: Department utilizes an IT system to perform a business function; however, it does not own (develop, code) or support any IT applications or IT infrastructure.

Auditor is responsible for executing the operational risk audit and considers the following:

Automated Business Controls

Account Mgmt/Security Administration (Users Provisioned by RABU)

End User Computing

Changes to business rules and/or foundation data (Not code changes)

Technology Audit Programs

Scope: Department owns (develops, codes) and supports IT applications or IT infrastructure.

Auditor is responsible for coordinating the technology-related operational risk audit and considers the following:

CIO General Controls Processes

Infrastructure General Controls Processes

Information Security Processes

Governance and Technology Risk Management Processes

Records Management

Project Management

Vendor Management

Business Continuity and Disaster Recovery

User Access (Business Users)

Account Mgmt/Security Administration

Technology - Application Coverage

Audit maintains a list of Top High Risk Applications and reports on overall technology coverage of higher risk applications (e.g. SOX). Each audit captures the Audit Programs covered.

For each application on the list (e.g. High Risk Application #1), coverage is tracked by program:

Business Audit Programs: Automated Business Controls, Business User Access, Business Rule Change Management

Technology Audit Programs: Change Management, Application Security, Batch Processing

Audit Process

Before beginning the evaluation process, consider including IT Audit partners in initial brainstorming and planning meetings.

1. Process: Perform walk-throughs of critical processes with your business partner.

2. Risk: Determine the high risks that impact the process.

3. Control: Identify primary and key controls that reduce the risk to an acceptable level.

4. ABCs (Automated vs. Manual): Identify controls and differentiate between automated, manual, and combination.

5. Design: Perform a design of controls assessment in order to ensure the control mitigates the risk.

6. Effectiveness: If the design of the control is adequate, perform effectiveness testing.

Automated Business Process Audit

System #1 sends data to System #2 via batch job. The audit covers three angles:

1. Business Control Review, e.g. MIS Reports

2. Technology Control Review, e.g. Batch Job Monitoring

3. Data Analysis

Design of Controls Evaluation

Evaluate if the specific automated function is designed correctly:

1. Identify the objective of the control (i.e., intended purpose)

2. Assess whether the control is designed to achieve its intended purpose/objective. For example, consider the following:

a) How is the control performed?

b) Who performs the control?

c) How often is it performed?

d) Is the control manual, automated or combination?

e) Is it preventative, detective or corrective?

f) How does the control prevent, detect or correct the error?

g) Where is the control documented?

h) How is the control monitored?

i) What reports or systems support/enable the control?

j) How are any exceptions handled?

k) Can the control be circumvented? If so, how?

l) If circumvented, would management be notified? If so, how?

m) Does the control enable Wells Fargo compliance with rules and regulations?


Effectiveness Testing

Evaluate if the specific automated control functions effectively.

1. Develop detailed test steps to verify control effectiveness

2. Determine population and sample size

3. Select the sample

4. Execute test steps to opine on effectiveness

5. For Sample of 1, test all permutations/conditions

6. Conclude whether the control performs as designed


Automated Control Testing Options

ABC Control Effectiveness Testing

There are three broad categories of testing methods:

• Option 1 - Test using actual data in the “production” environment.

• Option 2 - Perform procedures in the “test” environment.

• Option 3 – Utilize DAS for ABC testing.


Option 1 – Testing in PROD Environment

Data Tracing through "live" transaction: Sample of 1 *

Integrated Testing Facility: Sample of 1 *

Simulator Technique: Sample of 1 *

Data Analysis: 100% Population

* Sample of 1 should be considered for all "fully" automated controls including all variants.

Option 2 – Testing in TEST Environment

Testing performed in a replica of the production environment. Effective if properly planned:

Test environment must be the same as the production environment.

Representative production data exists.

Option 3 – Utilize DAS to Enhance Testing

Re-performance of complex processing and calculations

Discovery of data anomalies

Replace, supplement and/or enhance ABC testing

The most comprehensive approach – 100% of population

Let's test ABC

ABC Testing – Primary Focus Areas

There are many different control automation types and as the technology progresses, the complexity will also be increasing. However, there are four main types of automation that will guide the testing approach:

•Automated Functions: Hardcoded system/app function, such as an interest rate calculation. The system function can only be altered through a code change in the production system.

•Application Configuration: Configuration that can be changed by designated users, e.g. wire transfer limits. This type of change does not require code changes in the production system.

•Interfaces: A transaction or data exchange between two applications or systems. The interface could be scheduled, such as a batch job, or ad hoc, such as an online update.

•Reports: Results of a query performed by the system that retrieves specific data and delivers it to the business for analysis of trends and errors.

Automated Function – Input Control

Control Type: Automated System Function; Preventative; Input

Automated Input Controls

File / database matching

Completeness check

Data field edit/format checks

Duplicate check

Limit / range check
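The five input controls listed above, implemented over a constructed fee-refund dispute batch, as an added example (not code from the deck or from Wells Fargo). The batch holds one clean record and then one record per failure condition, so it doubles as the "sample of 1 for every permutation" test described under Effectiveness Testing. The field names, the 10-digit account format, the $500 refund limit and the account master are assumptions made for the example.

```python
import re
from datetime import date
from decimal import Decimal, InvalidOperation

# Policy values assumed for this example; the deck does not state them.
REQUIRED_FIELDS = ("dispute_id", "account_number", "fee_amount", "fee_date")
ACCOUNT_FORMAT = re.compile(r"^\d{10}$")   # 10-digit account numbers
REFUND_LIMIT = Decimal("500.00")            # largest fee an agent may refund

# Constructed account master file used by the file / database matching control.
ACCOUNT_MASTER = {"1234567890", "2345678901"}

# Constructed batch: one clean record, then one record per failure condition,
# i.e. a "sample of 1" for every permutation of the control.
SAMPLE_BATCH = [
    {"dispute_id": "D1", "account_number": "1234567890", "fee_amount": "35.00", "fee_date": "2013-11-30"},
    {"dispute_id": "D1", "account_number": "1234567890", "fee_amount": "35.00", "fee_date": "2013-11-30"},  # duplicate id
    {"dispute_id": "D2", "account_number": "2345678901", "fee_amount": "12.50"},                             # no fee_date
    {"dispute_id": "D3", "account_number": "2345678901", "fee_amount": "12,50", "fee_date": "2013-11-30"},  # bad amount
    {"dispute_id": "D4", "account_number": "2345678901", "fee_amount": "900.00", "fee_date": "2013-11-30"}, # over limit
    {"dispute_id": "D5", "account_number": "12AB", "fee_amount": "20.00", "fee_date": "2013-11-30"},        # bad format
    {"dispute_id": "D6", "account_number": "9999999999", "fee_amount": "20.00", "fee_date": "2013-11-30"},  # not on master
]


def check_record(rec, account_master, seen_ids):
    """Apply the five input controls to one record and return its exceptions (empty = clean)."""
    findings = []
    # Completeness check: every required field present and non-blank.
    missing = [f for f in REQUIRED_FIELDS if not str(rec.get(f, "")).strip()]
    if missing:
        findings.append("COMPLETENESS:" + ",".join(missing))
        return findings  # the remaining checks need the missing fields
    # Data field edit / format checks.
    if not ACCOUNT_FORMAT.match(rec["account_number"]):
        findings.append("FORMAT:account_number")
    try:
        amount = Decimal(rec["fee_amount"])
    except InvalidOperation:
        findings.append("FORMAT:fee_amount")
        amount = None
    try:
        date.fromisoformat(rec["fee_date"])
    except ValueError:
        findings.append("FORMAT:fee_date")
    # Limit / range check.
    if amount is not None and not (Decimal("0.01") <= amount <= REFUND_LIMIT):
        findings.append("RANGE:fee_amount")
    # Duplicate check against ids already seen in this run.
    if rec["dispute_id"] in seen_ids:
        findings.append("DUPLICATE:dispute_id")
    # File / database matching against the account master.
    if rec["account_number"] not in account_master:
        findings.append("MATCH:account_number")
    return findings


def run_input_controls(batch, account_master=ACCOUNT_MASTER):
    """Preventative control: clean records pass; every rejected record is kept with its reasons."""
    accepted, rejected, seen = [], [], set()
    for rec in batch:
        findings = check_record(rec, account_master, seen)
        seen.add(rec.get("dispute_id"))   # a later repeat of a rejected id is still a duplicate
        if findings:
            rejected.append((rec.get("dispute_id"), findings))
        else:
            accepted.append(rec)
    return accepted, rejected
```

Two points an auditor would check here: the control records why each record was rejected rather than dropping it silently (the "how are exceptions handled" question from the design evaluation), and the duplicate check is keyed on the business identifier, so re-submitting a rejected dispute with the same id still surfaces as an exception.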

Application Configuration – Edit Control

Automated Processing Controls


Reasonableness checks

Dependency checks

Mathematical accuracy checks

Prerecorded input

Key verification

Interfaces – Processing Controls

Records transferred


Interfaces – Batch Job Processing Control

Records transferred


Automated Processing Controls

Exception handling

File reconciliations / run-to-run balancing

Programmed procedures

Limits for system calculations
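The interface and batch-processing controls above (records transferred, file reconciliation, run-to-run balancing, exception handling) applied to the System #1 to System #2 batch job from the fee refund process, as an added example that is not part of the original deck. System #1 writes a trailer with the record count, control total, closing balance and a keyed digest; System #2 recomputes all four and rejects the whole run on any mismatch. The file layout, the records and the shared key are constructed for the example. A plain hash would let anyone who can edit the file in transit recompute it, so the digest is an HMAC under a key that, by assumption, only the two systems hold.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed shared key; assumed to be held only by System #1 and System #2.
INTERFACE_KEY = b"example-interface-key-not-for-production"

# Constructed output of System #1 for one run.
RUN_RECORDS = [
    {"dispute_id": "D1", "account_number": "1234567890", "refund_amount": "35.00"},
    {"dispute_id": "D2", "account_number": "2345678901", "refund_amount": "12.50"},
    {"dispute_id": "D3", "account_number": "3456789012", "refund_amount": "100.00"},
]


def _detail_lines(records):
    return [f"D|{r['dispute_id']}|{r['account_number']}|{r['refund_amount']}" for r in records]


def _mac(detail_lines):
    """Keyed digest over the detail records: an edit without the key cannot be re-signed."""
    body = "\n".join(detail_lines).encode()
    return hmac.new(INTERFACE_KEY, body, hashlib.sha256).hexdigest()


def build_batch(run_id, opening_total, records):
    """System #1 side: header with the opening balance, detail lines, trailer with the controls."""
    details = _detail_lines(records)
    run_total = sum((Decimal(r["refund_amount"]) for r in records), Decimal("0"))
    closing = Decimal(opening_total) + run_total
    lines = [f"H|{run_id}|{opening_total}", *details,
             f"T|{len(details)}|{run_total}|{closing}|{_mac(details)}"]
    return "\n".join(lines) + "\n"


def reconcile_batch(text, expected_opening):
    """System #2 side: recompute every control from the file and compare with the trailer."""
    lines = text.rstrip("\n").split("\n")
    header, trailer = lines[0].split("|"), lines[-1].split("|")
    if header[0] != "H" or trailer[0] != "T" or len(trailer) != 5:
        return {"accepted": False, "findings": ["STRUCTURE:header or trailer missing"]}
    details = lines[1:-1]
    findings = []
    # Run-to-run balancing: this run's opening balance must equal the prior run's closing balance.
    opening = Decimal(header[2])
    if opening != Decimal(expected_opening):
        findings.append(f"RUN_TO_RUN:opening {opening} != prior closing {expected_opening}")
    count, total, closing, mac = int(trailer[1]), Decimal(trailer[2]), Decimal(trailer[3]), trailer[4]
    # Records transferred: count and control total recomputed from what actually arrived.
    if len(details) != count:
        findings.append(f"COUNT:{len(details)} records, trailer says {count}")
    actual_total = sum((Decimal(l.split("|")[3]) for l in details), Decimal("0"))
    if actual_total != total:
        findings.append(f"TOTAL:{actual_total} != trailer {total}")
    if opening + actual_total != closing:
        findings.append(f"BALANCE:{opening} + {actual_total} != closing {closing}")
    # Integrity: the detail records must match the keyed digest written by System #1.
    if not hmac.compare_digest(_mac(details), mac):
        findings.append("INTEGRITY:detail records do not match keyed digest")
    # Exception handling: a failed run is rejected whole and reported, never partially posted.
    return {"accepted": not findings, "records": len(details), "closing": opening + actual_total,
            "findings": findings}
```

Batch job monitoring on the technology side answers "did the job run"; this reconciliation is what answers "did the right records arrive unchanged", which is the business control the MIS report review relies on.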

System Reports – Accuracy Control

```sql
-- Report query as shown on the slide. Column names that appear with spaces there
-- (external status, status code, System #, credit bureau flag) are written with
-- underscores so the statement parses; the names are otherwise unchanged.
select account_number,
       external_status,
       status_code,
       misc_fd,
       credit_bureau_flag,
       start_dq_dt
from   oildm_v1.mm_daily_curr_all
where  system_no in ('xx11', 'xx22', 'xx33')   -- data selection criteria
  and  external_status in ('AB')
  and  status_code = 7
  and  misc_field = ' '                        -- note: the select list names misc_fd, the filter misc_field
order by account_number;                      -- data sorted by account number
```

Identify the control's objective and evaluate the report query to ensure that it meets the objective:

Data selection criteria (the where clause)

Fields that will display on the report (the select list)

Database table that stores the information (the from clause)

Data sorted by account number (the order by clause)

System Reports – Query Evaluation

High potential for errors
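A DAS-style re-performance of the report query above over a constructed population, added here as an example and not taken from the deck. It assumes the control objective is to list every in-scope account in external status AB with status code 7 whose misc field is blank, treats the slide's misc_fd and misc_field as the same column, writes the other column names with underscores, and uses an in-memory SQLite table as a stand-in for oildm_v1.mm_daily_curr_all. The report's filter misc_field = ' ' matches only a single-space value, so a full-population re-performance whose blank test also covers NULL and the empty string shows which accounts the report omits.

```python
import sqlite3

# Constructed population. Column names are assumed underscore forms of the slide's names.
ROWS = [
    # account_number, system_id, external_status, status_code, misc_field, credit_bureau_flag, start_dq_dt
    ("1000000001", "xx11", "AB", 7, " ",  "Y", "2013-10-01"),  # meets every predicate as written
    ("1000000002", "xx22", "AB", 7, None, "Y", "2013-10-03"),  # NULL, not ' ': report drops it
    ("1000000003", "xx33", "AB", 7, "",   "N", "2013-10-05"),  # empty string, not ' ': report drops it
    ("1000000004", "xx11", "AB", 7, "X",  "Y", "2013-10-07"),  # misc field populated: correctly excluded
    ("1000000005", "xx44", "AB", 7, " ",  "Y", "2013-10-09"),  # system out of scope
    ("1000000006", "xx11", "CD", 7, " ",  "Y", "2013-10-11"),  # wrong external status
    ("1000000007", "xx11", "AB", 3, " ",  "Y", "2013-10-13"),  # wrong status code
]

# The report query, with the slide's predicates reproduced exactly.
REPORT_SQL = """
select account_number, external_status, status_code, misc_field, credit_bureau_flag, start_dq_dt
from mm_daily_curr_all
where system_id in ('xx11', 'xx22', 'xx33')
  and external_status in ('AB')
  and status_code = 7
  and misc_field = ' '
order by account_number
"""

# Auditor's independent re-performance of the assumed objective over 100% of the population.
REPERFORM_SQL = """
select account_number
from mm_daily_curr_all
where system_id in ('xx11', 'xx22', 'xx33')
  and external_status = 'AB'
  and status_code = 7
  and coalesce(trim(misc_field), '') = ''
order by account_number
"""


def load_population(rows=ROWS):
    """Build the stand-in table in memory from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""create table mm_daily_curr_all (
        account_number text, system_id text, external_status text, status_code integer,
        misc_field text, credit_bureau_flag text, start_dq_dt text)""")
    conn.executemany("insert into mm_daily_curr_all values (?, ?, ?, ?, ?, ?, ?)", rows)
    return conn


def run_report(conn):
    """Account numbers the production report would show."""
    return [row[0] for row in conn.execute(REPORT_SQL)]


def reperform(conn):
    """Account numbers the control objective says should be shown."""
    return [row[0] for row in conn.execute(REPERFORM_SQL)]


def compare(conn):
    """Data anomalies: accounts the report omits or includes relative to the objective."""
    report, expected = set(run_report(conn)), set(reperform(conn))
    return {"omitted_by_report": sorted(expected - report),
            "extra_in_report": sorted(report - expected)}
```

The comparison is the point: the query on the slide is syntactically fine and "works", yet a business reviewer reading the report would never see the two accounts whose misc field is NULL or empty. Only re-performing the objective against the whole population, rather than re-reading the query, surfaces that gap.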

Mag Francois

704-410-7418

[email protected]

Q/A and Thank You