Controlling your Key Data Elements (KDEs): A Case Study

by | Jan 17, 2023 | Case Studies

Learn how to improve an organization’s ability to control its financial reporting data lineage

Data is like garbage. You’d better know what you are going to do with it before you collect it. – Mark Twain 

TL;DR

A large bank approached me to help re-design its process to identify and control financial reporting data elements it had yet to identify. With simple, repeatable strategies, documented methodologies, and clear communication, I helped identify and manage data lineage for 100+ key data elements. The client obtained a documented process to better understand and reduce its residual risk related to financial reporting.

Introduction

You cannot govern the universe of your data by ‘boiling the ocean.’ Instead, you need to strategize and define what should swim to the top of your priorities in governance rollout and execution. Shift your mindset: identify and weigh the true importance of each data element in your ecosystem. Single out the big fish in your pond so they get the proper level of care and the right order of execution.

First, we define Data Elements as the different attributes that make up a table or describe the data entity. For example, data elements for a new customer might be a unique id to identify the customer, customer name, date of birth, and phone number.

All data is not created equal, so we define financial reporting Key Data Elements (KDE), also known as Critical Data Elements (CDE), as elements that support financial reporting items or critical business functions or processes and are likely to have a direct, material financial impact if the data quality is unreliable.

Companies must identify existing controls or build new controls in the data pipeline to ensure the quality of financial reporting data.

"Nothing influences a person more than a recommendation from a trusted friend,"

Mark Zuckerberg

Scenario

A top-10 US bank needed to improve its process around identifying, mapping, and controlling KDEs pertaining to financial reporting.  If you have experience in the banking industry, you know how large and complex the data element ecosystem and inventory of models can become and how often they can change.   

 Here is an illustration of one super high-level data flow you may find in the industry: 

[Figure: Allowance Flowchart]

Data lineage can be defined as the process of understanding, recording, and visualizing data as it flows from data sources to consumption. According to Alteryx, a leader in automated data analytics:

Data lineage is the story of an organization’s data from the source, through all processes and changes, to storage or consumption. It provides a stepwise record of how data arrived at its current form, including both transformations made to the data and its journey through different business systems. 

The bank in this case did not fully understand its financial reporting data lineage, making its Internal Control over Financial Reporting (ICFR) process incomplete.

There is an inherent risk of unidentified key data elements appearing in the financial reporting data pipeline.  These data elements, if processed incorrectly, could result in material errors.  For instance, let’s assume an allowance model pulls in external economic data elements from Bloomberg. It could be possible that we are not verifying the economic data has been vetted, meets our requirements, and is accurately and reliably interfacing with our systems.

Solution

The bank had worked with me for over a year before deciding it was time to transfer me from another one of its compliance engagements to assist in this effort.  My background in Sarbanes-Oxley, risk management, and process improvement paired well with the project’s requirements.

The current process of evaluating data elements for financial reporting impacts was undefined and inconsistent.  We needed to (1) evaluate the current state and (2) establish a sustainable process to identify new or modified key data elements. After learning about the current challenges, I collaborated with the SOX and Data Governance teams to define 10 steps making up the basic framework: 

Inventory the population of data elements

This step requires coordination between many different teams depending on the size and nature of the organization. In our case, we had to speak with model developers, model governance, data governance, and credit risk management. We included all data elements used in each of the processes.

Agree on a methodology to evaluate the criticality of each data element

We needed to rank each data element using a meaningful, quantifiable scale to compare significance. One formula you can use is (S = N * I) where:

S = significance 

N = Number of business use cases for which the data elements are used 

I = Impact (0-5).  We assigned each number a dollar threshold with five being the highest.

The science isn’t perfect for several reasons I won’t get into here, but it was close enough to rank our KDEs. 

Determine the bar for what’s key vs. non-key

Similar to calculating a materiality threshold for SOX scoping, we needed to land on a ‘significance score’ output that would make a data element ‘key.’  A KDE could be defined as any data element with a significance score over X.

Enhance process documentation and system diagrams to include KDEs

We layered KDEs on flowcharts and diagrams to illustrate the data flow from source to financial statements. This helps visualize each step in the process and where we need to inquire about controls.

Identify control gaps

There should be internal controls for all instances where KDEs are created, transferred, or transformed. If not, this is considered a gap. All gaps should be compiled and evaluated to determine the next steps.

Remediate control gaps

This is no different than any other remediation effort. You can create a new control or modify an existing control. We often found reconciliation controls where we could add the KDE to cover the gap.

Report the results

Although stakeholders were updated throughout the engagement, it’s essential to summarize the results for Management, so they understand the additional efforts still needed. 

Identify future triggering events that could lead to changes in KDEs

Just as important as identifying the existing KDEs and controls – we needed to prevent repeating this comprehensive exercise in the future. Specific triggering events and systematic flags were created to notify appropriate personnel when new data elements or inputs into our analysis had been changed.

Define the process of evaluating KDEs after triggering events

This process allows management to mitigate risk much earlier by evaluating the KDEs in real time.

Finalize, approve and implement the new process

Update the policy and procedural documentation for the changes. Ensure executives are held accountable and the new process is formally approved.
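
The scoring, thresholding, and gap-identification steps above can be chained into one repeatable check. The following is an added example, not the bank's own tooling: the element names, system names, control IDs, sample data, and the threshold value used for X are all constructed assumptions.

```python
# Constructed sample inventory: (element, business use cases N, impact I on the 0-5 scale).
INVENTORY = [
    ("loan_balance", 6, 5),
    ("unemployment_rate_forecast", 3, 4),
    ("customer_phone", 2, 0),
    ("branch_code", 4, 1),
]

# Constructed lineage: each hop where an element is created, transferred or
# transformed, with the control covering that hop (None = no control identified).
LINEAGE = [
    ("loan_balance", "created", "loan_system", "REC-01"),
    ("loan_balance", "transferred", "data_warehouse", "REC-02"),
    ("loan_balance", "transformed", "allowance_model", None),
    ("unemployment_rate_forecast", "transferred", "vendor_feed", None),
    ("unemployment_rate_forecast", "transformed", "allowance_model", "MDL-07"),
    ("customer_phone", "transferred", "crm_export", None),
]

KEY_THRESHOLD = 10  # assumed value for X; the article does not state the bank's figure


def significance(n_use_cases: int, impact: int) -> int:
    """S = N * I, with I restricted to the 0-5 impact scale."""
    if n_use_cases < 0 or not 0 <= impact <= 5:
        raise ValueError(f"invalid inputs: N={n_use_cases}, I={impact}")
    return n_use_cases * impact


def key_elements(inventory, threshold=KEY_THRESHOLD):
    """Return {element: S} for elements whose score is over the threshold."""
    scores = {name: significance(n, i) for name, n, i in inventory}
    return {name: s for name, s in scores.items() if s > threshold}


def control_gaps(inventory, lineage, threshold=KEY_THRESHOLD):
    """List every KDE hop that has no control, highest significance first."""
    kdes = key_elements(inventory, threshold)
    gaps = [(kdes[element], element, action, system)
            for element, action, system, control in lineage
            if element in kdes and not control]
    return sorted(gaps, reverse=True)


if __name__ == "__main__":
    for score, element, action, system in control_gaps(INVENTORY, LINEAGE):
        print(f"GAP  S={score:>2}  {element}: {action} at {system}")
```

Non-key elements such as `customer_phone` have uncontrolled hops too, but they are left out of the gap list because they fall below the threshold; changing the threshold changes the remediation workload directly.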

Results

With the new process in place, the bank had significantly reduced its applicable residual risk ratings to be within Management’s risk appetite.  The financial reporting team and external auditors had insights into all key data elements and whether they could be relied on for financial reporting.  There was also frequent communication between the finance, data governance, and model governance teams to identify subsequent changes to KDEs. 

The redesigned and simplified data element catalog, paired with a formalized review process, has made it easier to understand current risks and impacts and identify future changes. 

Do you know your KDEs for financial reporting?

I’m interested to see how much pressure external auditors are placing on Corporate Accounting or SEC Reporting teams to understand each KDE used to populate their financial statements.  Let me know in the comments below.  
