Deloitte.
Project Spire
Discussion document
May 2012
POL00002000
2. Our Experience
Project Blade
Deloitte led a review at a large UK corporate business to confirm the
validity and accuracy of transactional outcomes through their complex
technology and process landscape, after a small number of high
profile issues were publicly reported. Despite the number of issues
being a small percentage of total transactional activity, the accusation was that
the processing environment was systemically "flawed".
The client appointed Deloitte to perform an independent 'end to end'
review of the processing environment to report the extent and detail of
any issues identified, including:
• all key aspects of governance and control, relating to data flow
integrity, people, process and technology;
• detailed substantive testing of a large, statistically based sample of
transactions.
Our work not only gave the client confidence to make statements on
the integrity of their systems, but also identified a number of areas of
improvement at a very detailed level, leading to both compliance and
efficiency improvements in the client's business when remediated.
Sanctions reviews at large global financial institutions
Deloitte is a global leader in the provision of processing integrity
services relating to sanctions compliance and has led reviews at
several global financial institutions over the past four years.
The institutions were required to perform retrospective reviews to
confirm the integrity of processing of transactions and to determine if
payments had been made in violation of sanctions legislation.
Deloitte assisted the institutions with a global end to end review of
relevant transactions, touching on all types of error risks, whether
manual or technological at their root cause. Deloitte performed:
• detailed reviews of customer and correspondent banking
relationships to identify potential violations of US sanctions;
• mapping and visualisation of the payment systems, data flows, key
applications and hubs from source into the payment network;
• analytic interrogation of the transactional population for
characteristics of violation; and
• reporting into external legal counsel who conducted investigations,
including root cause identification and remediation.
© 2012 Deloitte LLP. Private and confidential
2. Our Thoughts on Approach
Step 1: Understand processes, data flows and key risks
Fundamental to the assessment of processing integrity is the
understanding of the dataflows, processes and key risks in the
end to end process.
We perform end-to-end walkthroughs of all key processes and
controls, including documenting the supporting data flows for
each process. We review all key matters involved in producing
the outcome under review (for example transactional dataflows
and the financial close activities in this case).
Following this, we identify any areas of potential improvement.
This initial “top down” review highlights potential areas of
weakness which we can focus on during the subsequent stages
of our review.
Step 2: Understand governance and control arrangements
Governance and key controls assessments are structured
around a “top down” review.
Using our Data Governance framework as a best practice
benchmarking tool, we perform a current state analysis of the
organisation, interviewing key personnel, examining
documentation and reviewing systems.
We then provide observations alongside any recommendations
for improvement.
Step 3: Sample to confirm data accuracy and integrity
Where reliance is placed on certain data fields, it is critical that they are
complete and accurate. Where this is not the case, any conclusions drawn from
this data may be erroneous.
Our data accuracy testing uses substantive testing techniques to verify the
accuracy of underlying data components throughout their 'data flow journey'.
This also helps to establish data "rules" within your data asset landscape, which
informs the population level data analytic work in Step 4.
Step 4: Perform population level data analytics
Data analytics provide a “bottom up” review of key data sets.
We design bespoke data analytics to identify areas of interest at a population
level, including testing the operating effectiveness of key processes and
controls. Through analytics and targeted testing we can provide a view of the
adequacy and effectiveness of the entire system from end to end and highlight
key areas of risk.
2. Our Thoughts on Approach
Our suggested approach for your requirements is outlined below. It is based upon our experience of performing similar reviews at large, multi-site
organisations and we are confident it can be refined to deliver your required outcomes efficiently and effectively.
Phase 1: Mobilisation
Key activities:
• Deloitte / POL project team mobilisation and introduction to key stakeholders
• Desktop review of prior, relevant work performed
• Perform detailed workshops to determine key system and process areas to be tested, refine testing boundaries and define characteristics that would represent 'issues' if identified
• Confirm how our review will be positioned with interviewee stakeholders
• Finalise field work plan and milestones
• Identify and obtain additional key items required for the review
• Agree data handling protocols
POL involvement:
• Allocation of a POL "point of contact"
• Attendance at workshops
• Supply of existing documentation and historic reviews
• Agree data handling protocols
• Agree detailed timetable
Deliverables:
• Detailed project plan and communication protocols
• Change order relating to any changes to original scope
• Meeting plan for future phases
• Agreed data handling plan

Phase 2: Data Flows & Key Controls Understanding
Key activities:
• For the 'in-scope' financial close policies and procedures, perform a full end-to-end walkthrough
• Implementation testing of key manual and IT controls, including automated preventative/detective controls; change management procedures; and functional security access
• For the 'in-scope' transactions, perform an end to end data flow walkthrough
• Review of incident management processes and of historical incident logs
• Review error logging and monitoring activities in key systems
POL involvement:
• Timely access to key POL staff
• Timely provision of supporting information, such as reports from systems, and existing documentation
• Validation of accuracy of initial findings
Deliverables:
• Schedule of key risks identified (including characteristics of transactional error)
• High level data flow diagram for in scope transactions and summary of financial close process
• Draft data request for phase 4

Phase 3: Governance and Controls Testing
Key activities:
• Review of existing policies and procedures around system use, training and other related governance principles
• Determine the adequacy of training for existing staff and the on-boarding process for new staff, and how this is managed
• Review the processes used to communicate policies to sub-postmasters and how changes are implemented
• Understand support available to postmasters in the financial close procedures, including complaint and whistle-blowing procedures and how frequently these are used
POL involvement:
• Timely access to key POL staff
• Timely provision of supporting information, such as reports from systems, and existing documentation
• Validation of accuracy of initial findings
Deliverables:
• Draft of key observations identified
• Finalised data request for phase 4

Phase 4: Testing of Data & Transactional Detail
Key activities:
• Work with POL to develop and finalise the scope of the substantive testing and analytics to test for existence of key risks identified in Phases 2 and 3
• Obtain full records and data needed for the agreed scope
• Execute agreed scope of tests; this may include, for example:
  – potential surveys with postmasters
  – potential processing of dummy transactions and tracing them through the systems
  – potential analytics over data previously recorded, and performing reconciliation
• Validate the output with POL
• Work with management, where required, to provide technical input and lay the foundation for next steps
POL involvement:
• Contribute to detailed tests
• Provision of required data
• Support reconciliation
• Input into validation / follow-up of analytic outputs to identify higher risk items and root causes
Deliverables:
• Draft of key observations identified
• Output for each of the tests/analytics for POL investigation and root cause analysis

Phase 5: Reporting
Key activities:
• Discuss and validate findings and produce draft report summarising key conclusions
• Close out meeting with key executive stakeholders and issue of final report
POL involvement:
• Validation and discussion of draft findings
Final deliverable:
• Executive summary providing key 'themes' from the review
• Detailed observations and recommendations
• Appendix containing key dataflow and process maps and an Excel workbook of underlying analytic schedules
3. Detailed Scoping Considerations
[Diagram: scoping considerations. Labels recovered: Locations / sites; Transaction type; General computer controls?; Timescale; Interviews?]
Deloitte
Important notice
This document has been prepared by Deloitte LLP (as defined below) for the sole purpose of providing a proposal to the parties to whom it is addressed in order that they may
evaluate the capabilities of Deloitte LLP to supply the proposed services.
The information contained in this document has been compiled by Deloitte LLP and includes material which may have been obtained from information provided by various sources
and discussions with management but has not been verified or audited. This document also contains confidential material proprietary to Deloitte LLP. Except in the general context
of evaluating our capabilities, no reliance may be placed for any purposes whatsoever on the contents of this document or on its completeness. No representation or warranty,
express or implied, is given and no responsibility or liability is or will be accepted by or on behalf of Deloitte LLP or by any of its partners, members, employees, agents or any other
person as to the accuracy, completeness or correctness of the information contained in this document or any other oral information made available and any such liability is
expressly disclaimed.
This document and its contents are confidential and may not be reproduced, redistributed or passed on, directly or indirectly, to any other person in whole or in part without our prior
written consent.
This document is not an offer and is not intended to be contractually binding. Should this proposal be acceptable to you, and following the conclusion of our internal acceptance
procedures, we would be pleased to discuss terms and conditions with you prior to our appointment.
In this document references to Deloitte are references to Deloitte LLP. Deloitte LLP is the United Kingdom member firm of Deloitte Touche Tohmatsu Limited ("DTTL"), a UK private
company limited by guarantee, whose member firms are legally separate and independent entities. Please see www.deloitte.co.uk/about for a detailed description of the legal
structure of DTTL and its member firms.
© 2012 Deloitte LLP. All rights reserved.
Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New Street Square, London EC4A
3BZ, United Kingdom.
Member of Deloitte Touche Tohmatsu Limited