Introduction
I was a Technology Risk & Compliance Auditor in Financial Services at Ernst & Young for more than 2 years and 8 months. I entered as a Junior Associate and became a Senior by the end of it. The goal of my team was to assess the IT risk profiles of financial institutions such as banks and brokerages, and to ensure that they were in compliance with regulatory requirements set by MAS, industry standards, and best practices.
Because our team was small, we were assigned around 4 to 6 engagements or projects each quarter. For engagements that involved bigger financial institutions, we would divide the workload among the team, and each of us would be responsible for a topic, scope or area of interest. For smaller financial institutions, we would often be responsible for conducting the entire assessment ourselves, with discussion and guidance from the manager and partner of the team throughout the process.
Process for IT Risk Assessment & Regulatory Compliance
We start by reading up on and understanding the profile and previous years' observations of the client. We communicate with other teams to find out whether there are any problems or areas of concern relevant to IT processes that require our attention, in addition to our own scope of work. Then we plan out the scope and objectives of the assessment and confirm them with the client during our introductory meeting.
The topics in our scope are based on the MAS regulatory documents, such as:
- MAS Technology Risk Management Notice
- MAS Cyber Hygiene Notice
- Technology Risk Management Guidelines
- Business Continuity Management Guidelines
- and MAS Advisories and Circulars that are issued from time to time.
The MAS Notices, while concise, still require us to understand a great deal about the current implementations of the financial institutions we are assessing, in order to identify any gaps and areas of improvement and ensure compliance with the notice.
Out of all these documents, the main document we base our scope on is the Technology Risk Management Guidelines. This document covers a variety of areas in technology risk management. It contains 12 distinct areas such as Technology Risk Framework, User Access Management, Change Management, Incident Management, etc. We do not audit every area in every engagement. It depends on the previous year's observations and findings, the client's setup, MAS' focus areas or requests, the requests of clients or other relevant stakeholders, and/or areas that our team thinks are relevant.
We would perform the assessment by:
- Conducting walk-through sessions and going through process demonstrations
- Having Q&A sessions with process owners, management, and any other relevant stakeholders
- Inspecting documents such as policy and procedure documents
- Analysing logs and inspecting system configurations
- Performing on-site Data Loss Prevention tests
We need to have a strong understanding of their processes and the control objective of each process. We even go through meeting minutes of relevant committees, if necessary, to understand the background or context of decisions or initiatives relevant to the assessment. Usually, there are a few rounds of requesting documents back and forth, along with in-person discussions as well as online calls, to fully understand the processes we are assessing. Then we raise the list of concerns we have with the client, and start narrowing the scope further to the findings we raised.
Data Analytics and Process Automation in Audit
Because I am a part-time Master's student at UOL-SIM, in Data Science and AI, I tried to take on as many tasks as possible that involved anything relevant to data analytics. I would also try my best to help out with my team's data analytics requests and needs whenever I had the bandwidth to do so, even if it was not within my scope of work.
One area of work I got involved in was doing a lot of data manipulation tasks and formatting data for easier analysis, or for the purpose of cross-checking different datasets such as inventory listings, incident listings, server instances, lists of vulnerabilities, etc. A method of finding issues or gaps in clients' processes, which my team's partner taught us, was to take different lists of data that were related enough to be compared against each other. Then we would find areas or items that were inconsistent, which gave us a lead for further investigation and questions to bring up with the client. I would usually be the one to find columns or data points that we could combine, consolidate, or arrange in a way that let us properly compare them, and identify issues, gaps, or anomalies that we should raise with the client. This often resulted in us discovering issues or gaps in processes that we might otherwise have missed with manual reviews.
I have also recreated formulas and processes within Excel, as we need to ensure that the calculations are correct and robust. Based on our understanding from the client's walkthroughs and the documentation provided, we would attempt to recreate their logic and processes, and see if we could arrive at the same result. I have done everything from simpler conditional filtering and data manipulation, such as recreating a Business Impact Assessment (BIA) process, to recreating complex formulas from specific areas of a client's codebase. The latter was for an engagement where I had to perform code reviews for the financial audit team and recreate the formulas in the code in an explainable and understandable way for them to validate. In most cases we use Excel, because we need to easily demonstrate the process and the steps taken in our work to many stakeholders, internally and externally. Each step of our work needs to be clear, concise, and easy to understand. This has trained me to always think of ways to break steps down into smaller chunks, in a way that is easy to demonstrate.
As for automating tasks, I have used VBA in Excel as extra-curricular work for another team. They had several large Excel files with datasets that were all related to each other. This was mostly done manually until the datasets had recently gotten too large. The task was to consolidate these datasets into one, and to identify matching transactions based on several criteria. Outliers and missing items needed to be highlighted for manual review. Because the datasets were also prone to certain typos, or inconsistency in formatting, these were also highlighted for manual review.
Another automation task I did on the job was creating a Python script to extract all the CIS Benchmark recommendation headings that were relevant to our audit. Because we did not have a paid subscription to the CIS Benchmarks, we were only able to access the PDF version of each CIS Benchmark on their site; no Excel versions were available. It would have been a painstaking process to extract all the recommendation headings manually. In this particular engagement, a client had numerous server environments, which meant they used many CIS Benchmark recommendations. They had logs on individual servers being compliant with a number of recommendations from the CIS Benchmark. Because we wanted to do a completeness check, and see whether any recommendations were missing, we had to get a complete list on our own. Hence, I used PyMuPDF (fitz), a Python library, to extract text from the PDF; then, similar to how we would web scrape, I used regex and text manipulation to extract the relevant parts of the text and structure it into an Excel sheet, ready for our team to use. This process was not perfect, as there were about 1 or 2 headings missing in each CIS Benchmark. However, it still saved us a lot of time and effort on manual data entry, and we were now able to do a completeness check against clients' logs going forward.
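As an added illustration of the dataset cross-checking approach described above (comparing related lists such as an asset inventory and a vulnerability scan export, then highlighting inconsistencies and likely typos for manual review), here is a small Python script. It is not the author's or EY's tooling; the two CSV exports, the hostnames and the finding IDs are constructed sample data, and the 0.85 similarity threshold is an assumed tuning value.

```python
"""Cross-check an asset inventory against a vulnerability scan export.

Added example of the reconciliation approach an IT auditor uses to find
gaps between related datasets. All data below is constructed sample data.
"""
import csv
import io
from difflib import SequenceMatcher

# Constructed sample exports. Note the deliberate inconsistencies: mixed case,
# stray whitespace, FQDN vs. short name, and a near-duplicate hostname.
INVENTORY_CSV = """hostname,owner,environment
APP-SRV-01,Payments,prod
app-srv-02,Payments,prod
db-srv-01 ,Core Banking,prod
web-srv-01,Channels,prod
"""

SCAN_CSV = """host,finding_id,severity
app-srv-01.bank.local,F-001,High
db-srv-01.bank.local,F-002,Critical
web-srv-1.bank.local,F-003,Medium
ftp-srv-09.bank.local,F-004,High
"""

TYPO_THRESHOLD = 0.85  # assumed: similarity above which two names are flagged as a possible typo


def normalize_host(raw):
    """Reduce a hostname to a comparable key: trim, lowercase, drop the domain suffix."""
    return raw.strip().lower().split(".")[0]


def load_column(csv_text, column):
    """Read one column from CSV text into a set of normalised host keys."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {normalize_host(row[column]) for row in reader}


def reconcile(inventory_csv, scan_csv):
    """Return the exception lists an auditor would take back to the client."""
    inventory = load_column(inventory_csv, "hostname")
    scanned = load_column(scan_csv, "host")

    unscanned = sorted(inventory - scanned)  # in inventory, never scanned
    unknown = sorted(scanned - inventory)    # scanned, but absent from inventory (unrecorded asset?)

    # For each unknown host, look for an inventory name it closely resembles so
    # the pair is highlighted for manual review instead of being raised blindly.
    possible_typos = []
    for host in unknown:
        best = max(sorted(inventory), key=lambda inv: SequenceMatcher(None, host, inv).ratio())
        if SequenceMatcher(None, host, best).ratio() >= TYPO_THRESHOLD:
            possible_typos.append((host, best))

    return {
        "unscanned": unscanned,
        "unknown_to_inventory": unknown,
        "possible_typos": possible_typos,
    }


if __name__ == "__main__":
    for label, items in reconcile(INVENTORY_CSV, SCAN_CSV).items():
        print(f"{label}: {items}")
```

Each list is a question for the client rather than a finding on its own: an unscanned production server may be a scanning-coverage gap, a host unknown to the inventory may be an asset-management gap, and a near-duplicate name is usually a data-entry error that would otherwise inflate both lists.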
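To show how the PDF-to-spreadsheet extraction and the completeness check fit together, here is an added Python example; it is not the author's script. PyMuPDF (imported as fitz) is assumed to be installed only for the extraction function, which is imported lazily so the parser and the check run on plain text. The benchmark text, the heading titles, the "rec=" log format and the log lines are all constructed to resemble the layout described, and the example also handles the failure mode mentioned in the text: headings that the PDF text layer wraps onto a second line and that a naive line-by-line regex would miss.

```python
"""Extract CIS Benchmark recommendation headings from PDF text and run a
completeness check against a client's compliance log.

Added example, not the author's script. The sample text and log are
constructed; PyMuPDF is assumed installed only for extract_pdf_text().
"""
import csv
import io
import re

# "1.2.3 Title of recommendation (Automated)" on one line.
HEADING_RE = re.compile(
    r"^(?P<id>\d+(?:\.\d+)+)\s+(?P<title>.+?)\s*\((?P<type>Automated|Manual)\)\s*$"
)
# Anything that begins with a dotted section number followed by text.
HEADING_START_RE = re.compile(r"^\d+(?:\.\d+)+\s+\S")
# Table-of-contents entries end in dot leaders and a page number; skip them.
TOC_RE = re.compile(r"\.{3,}\s*\d+\s*$")
# Constructed log format: "... rec=1.1.1 result=PASS"
LOG_REC_RE = re.compile(r"\brec=(\d+(?:\.\d+)+)")

SAMPLE_TEXT = """\
Table of Contents
1.1.1 Ensure mounting of unused filesystems is disabled (Automated) .......... 12
1 Initial Setup
1.1.1 Ensure mounting of unused filesystems is disabled (Automated)
Profile Applicability:
Level 1 - Server
1.1.2 Ensure unused network protocols are not
available (Automated)
Profile Applicability:
2.1.1 Ensure time synchronization is in use (Manual)
Page 14
"""

SAMPLE_LOG = """\
2024-01-05 host=app-srv-01 rec=1.1.1 result=PASS
2024-01-05 host=app-srv-01 rec=2.1.1 result=FAIL
2024-01-05 host=app-srv-01 rec=9.9.9 result=PASS
"""


def extract_pdf_text(path):
    """Pull the text layer of every page with PyMuPDF (assumed installed)."""
    import fitz  # PyMuPDF; imported lazily so the rest of the module works without it
    doc = fitz.open(path)
    try:
        return "\n".join(page.get_text() for page in doc)
    finally:
        doc.close()


def parse_headings(text):
    """Return unique recommendation headings as dicts with id, title and type.

    Up to two continuation lines are glued back onto a heading start before
    matching, which recovers headings the PDF text layer wrapped.
    """
    rows, seen = [], set()
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if not HEADING_START_RE.match(line) or TOC_RE.search(line):
            i += 1
            continue
        candidate, j = line, i
        while (not HEADING_RE.match(candidate) and j - i < 2 and j + 1 < len(lines)
               and not HEADING_START_RE.match(lines[j + 1])):
            j += 1
            candidate += " " + lines[j]
        match = HEADING_RE.match(candidate)
        if match and match["id"] not in seen:
            seen.add(match["id"])
            rows.append({"id": match["id"], "title": match["title"], "type": match["type"]})
            i = j + 1
        else:
            i += 1
    return rows


def completeness_check(rows, log_text):
    """Compare benchmark IDs with the IDs the client's compliance log reports on."""
    benchmark_ids = {row["id"] for row in rows}
    logged_ids = set(LOG_REC_RE.findall(log_text))
    return {
        "not_in_log": sorted(benchmark_ids - logged_ids),        # never checked by the client
        "not_in_benchmark": sorted(logged_ids - benchmark_ids),  # no such heading: typo or wrong version?
    }


def to_csv_text(rows):
    """Render the headings as CSV, which opens directly in Excel."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["id", "title", "type"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    headings = parse_headings(SAMPLE_TEXT)
    print(to_csv_text(headings))
    print(completeness_check(headings, SAMPLE_LOG))
```

Headings that still fail to parse after gluing are the ones to spot-check by hand; a quick sanity check is to compare the count of extracted IDs against the last ID in each section of the benchmark, which catches most of the "1 or 2 missing per benchmark" cases described above.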
Key Takeaways
Working at Ernst & Young has been an eye-opening experience, where I have been exposed to and involved in a variety of engagements with different financial institutions in Singapore. Being exposed to several of the industry's best practices, I have gained much more insight, not only into technology risk management, but also into broader areas of technology, how financial business processes and technology intersect, and how a smaller organization manages risk differently from a large one. Additionally, being a curious individual, I always found new areas or topics to learn and understand.
The projects I worked on have also given me the opportunity to improve my communication and interpersonal skills, as I had to regularly communicate internally and externally with clients, stakeholders, and team members. For instance, I was often involved in walkthroughs with clients, had to present our findings, insights, and recommendations to them, and had to tailor my communication to different stakeholders, from technical team members to senior management. On top of that, regular coordination with team members and stakeholders was also required to ensure that projects were completed smoothly and efficiently. It was also truly a fast-paced environment where every hour counts. There was an inside joke among my team that we often said to each other, "there's no time for work at work", because there was always something urgent and new popping up that required immediate attention, which pushed our planned work for the day into overtime. This was especially true during reporting seasons or other busy periods.