Greg Testa, Director, Microsoft Internal Audit
Risk-Based Audit Plan Development
Agenda
• Introduction
• Microsoft Internal Audit Org
• Risk Based Audit Planning Overview (Luncheon)
• In Depth Areas (Technical Session)
  • Enterprise Risk Management
  • Risk Theme Development
  • Project Identification
  • Capacity and Load
  • Annual Cycle
• Questions
Introduction
• Microsoft – 7 Years (Internal Audit, SMSG Finance, IT Finance)
• PricewaterhouseCoopers – 6 Years (SAP, PeopleSoft)
• Honeywell – 3 Years (SAP Security & Controls Implementation)
• AIG – 2 Years (Database Design & Implementation)
Core Competencies / What We Stand For

Functional Areas: Investigation, Risk Management, Advisory, Assurance, Policy and Compliance

Core Competencies: Confidence and Influence, Process Excellence, Analytics and Problem Solving

Vision: Drive governance and compliance. Ensure MS is viewed as a compliant company.

Mission: Ensure Microsoft addresses risks. Bring a disciplined approach to mitigate risk. Enhance company operations.
Microsoft Internal Audit Group – Experience
• Broad exposure to the entire company
• End-to-end business process knowledge
• Strong operational and compliance skillset
• Proven leadership development
• An Eye Toward the Future
• Interdisciplinary Approach
Microsoft Internal Audit Group – Leadership
• Peter Klein, CFO – Microsoft
• Melvin Flowers, CVP – Internal Audit
  • Michael Ford, Audit Director
  • Lyn Cameron, FIU Director
  • Terri Schwan, Audit Director
  • Bob Tenczar, Office of ERM Director
  • Rich Nardi, Audit Director
  • Greg Testa, Practice Director
  • Marilee Byers, Audit Director
Microsoft Internal Audit Group – Structure
Reporting line: Board of Directors, Audit Committee, Microsoft Internal Audit Group.

Units:
• Business Groups, OEM
• MSIT, IEB, Skype, GFS, MSCIS
• Financial Integrity Unit
• SMSG (Field Sales)
• Corporate, Operations
• Enterprise Risk Management
• Office of Legal Compliance
• Audit Practice Management

Internal Audit Roles: Program Managers, Project Managers, Audit Leads, Audit Staff
Internal Audit Offices: Redmond, Singapore, Dublin
Teams: FIU Investigations Team, Virtual Team, Professional Practice Team
Internal Audit Group - Alignment

Audit Directors and coverage:
• Michael Ford, Audit Director – Business Groups, OEM
• Terri Schwan, Audit Director – MSIT, IEB, Skype, GFS, MSCIS
• Rich Nardi, Audit Director – SMSG
• Marilee Byers, Audit Director – Corporate, Operations

Program Management:
• Ankush Grover – SMSG Field, Segments, M&O, Services
• Lynn Chang
• David Low – TBH, Asia
• Mike Gaffney – EMEA
• Gerard Morisseau
• Dawn Liburd

Project Management:
• Bob Kaler – OSD, WWLD, WPD, MS Retail
• Meera Venkatesh – R&D, MBD, STB, OEM
• Louis Couwenberg – Infra & IT Processes, Security, GFS, Skype
• DC Chang – IT Gov, Bus Systems & IT Processes, BCM, IEB, MSCIS
• Devon Pearce – WWLP, Ops, WPG, AC
• Steven Bean – Corp Finance, HR, LCA
• CJ Long – TECA
• Erica Campos – Vendor audit
Risk-Based Audit Planning

What is Risk? Risk is defined as a particular event or circumstance that, if it were to occur, would impact achievement of a business objective.
Risk Assessment Components
• Prior Audit Results
• SOX Scope
• Investigations
• 10K/ERM
• Discussions with Management
• Internal Data
• Key Changes to the Business/New Initiatives
• External Risk Environment
Planning Process

Planning Process Overview

| Phase | Activities | Timing | Owners |
| --- | --- | --- | --- |
| Risk assessment | Informed by: ERM board & 10K risks; on-going understanding of the business; recent fraud activity | On-going | Program Mgrs |
| Risk analysis & project identification | Validate against ERM board risks, analyze gaps; calibrate assessment; identify high risks to be addressed by the audit plan; conduct management team risk discussions | March | Program Mgrs, Directors |
| Prioritization & resource allocation | Prioritize activities; allocate resources | April | Directors |
| Plan validation & presentation | Discuss with management; validate with senior executives; present to AC for approval | May | Pgm Mgrs, Directors, CAE |
Continuous Audit Planning Cycle

Steps on the cycle: Risk Assessment (on-going), Identify Projects (April), Finalize Audit Plan (May), AC Plan Review (June), AC Plan Approval, Execute Audit Plan (Jul-Dec), Risk Assessment (on-going), Mid-year Update, Execute Audit Plan (January-June). The cycle diagram also carries September and December markers.

• More efficient annual planning cycle
• Synchronized with ERM
• Responsive to changing risk environment
• 6-month project planning cycle allows for more flexibility
• 18-month view
New Business = New Risks
• Supply Chain Disruption
• Scrap Disposal Management
• HW Quality Assurance
• Factory Labour Conditions
• Patents
• Manufacturing
Key Takeaways
• Align IA Org to Business
• ERM Critical to Navigating Risks
• Risk Factors (Impact, Likelihood, and Prior Results)
• Measure Risk Variance
• Ensure Adequate Capacity
• Revisit and Reassess Risk Annually
Questions?
Enterprise Risk Management
ERM at Microsoft – Virtual Structure

Board of Directors: Audit & Finance Committee(s)

Enterprise Risk Office
• Executive Sponsor: CVP of Internal Audit
• Program Office: Sr. Director of ERM

Risk pillars:
• Strategic – SLT: CEO; Sponsor: GM, Corporate Strategy; Leader: Corp Strategy Sr. Manager
• Financial/Reporting – SLT: SVP & CFO; Sponsor: Corp VP of Finance and Administration; Leader: Director
• Operational – SLT: COO; Sponsor: CVP & CIO; Leader(s): Sr. Principal, Sr. Solutions Manager
• Legal/Compliance – SLT: SVP Legal Compliance; Sponsor: VP Deputy General Counsel; Leader: Compliance Director; Pillar Support: Compliance Program Attorney

Microsoft Confidential - Internal Use Only
Risk Categories

The quadrant chart plots Risk Level (Impact x Likelihood), Low to High on the vertical axis, against Management & Control Activity Level, Low to High on the horizontal axis:
• Improve (high risk, low control): Areas of high risk exposure with a low level of control must be a key priority for improvements in management and control activities.
• Monitor (high risk, high control): Areas of high risk exposure where controls are deemed adequate should be monitored to provide ongoing assurance of control effectiveness.
• Accept (low risk, low control): Areas of low risk exposure that also have a lower level of control may be consciously accepted by the organization.
• Optimize (low risk, high control): Areas of low risk exposure with a high level of control may generate opportunities to optimize the management and control activities.
Risk Rating Criteria: Impact

NOTE: A risk should be evaluated on the most relevant impact; it does not need to address multiple columns. Also, evaluate the inherent impact rating of a particular risk event or circumstance assuming that the controls or management activities do NOT exist, or that they fail in either design or operation and fail to mitigate the impact of the risk occurring.

Each impact rating is described across five dimensions: organizational and operational scope; reputational impact to stakeholders (i.e., customers, shareholders, employees, key partners, subscribers, 3rd parties); legal/compliance/environmental; operating income (OI); impact on value.

Critical (score 5)
• Scope: Enterprise-wide; inability to continue business operations globally
• Reputational: Permanent loss of stakeholder confidence resulting in legal action, interruption in Enterprise operations globally, and/or defection to competition
• Legal/Compliance/Environmental: Prohibited from conducting business in certain product lines, markets, or geographies
• OI: >$2.5B
• Value: Significant reduction in market capitalization, significant draw on liquidity reserve

Severe (score 4)
• Scope: 2 or more divisions; significant, ongoing interruptions to business operations within 2 or more divisions
• Reputational: Sustained losses in 2 or more stakeholder groups
• Legal/Compliance/Environmental: Severe restrictions on conducting business in certain product lines, markets, or geographies
• OI: >$1B
• Value: Substantial reduction in market capitalization, substantial draw on liquidity reserve

Serious (score 3)
• Scope: 1 or more division(s); moderate impact within 1 or more division(s)
• Reputational: Moderate loss in 1 or more stakeholder groups
• Legal/Compliance/Environmental: Significant fines or limitations on conducting business in certain product lines, markets, or geographies
• OI: >$500M
• Value: Limited reduction in market capitalization, limited draw on operating cash flow

Moderate (score 2)
• Scope: 1 division; limited impact within 1 division
• Reputational: Limited to minor/short-term loss in 1 stakeholder group
• Legal/Compliance/Environmental: Limited actions against the company with limited effects on operations
• OI: >$250M
• Value: Missed forecast(s) and/or budget(s), limited draw on operating cash flow

Mild (score 1)
• Minimal impact across all dimensions; OI: >$100M

Use the Impact Table for Inherent Impact and Residual Impact ratings; use the Likelihood Table for Inherent Likelihood and Residual Likelihood ratings.
Risk Rating Criteria: Likelihood, Control Effectiveness (CE)

NOTE: Evaluate the inherent likelihood rating of a particular risk event or circumstance in the absence of the current management activities or controls that exist to mitigate the likelihood of the risk occurring.

| Likelihood Rating | Description of Likelihood | Probability | Frequency | Score |
| --- | --- | --- | --- | --- |
| Expected | The risk event or circumstance is relatively certain to occur, or has occurred within the past year | 90-100% | Almost Yearly | 5 |
| Highly Likely | The risk event or circumstance is highly likely to occur | 70-90% | Every 2 to 3 Years | 4 |
| Likely | The risk event or circumstance is more likely to occur than not | 50-70% | Every 4 to 6 Years | 3 |
| Not Likely | The risk event or circumstance occurring is possible | 10-50% | Every 7 to 9 Years | 2 |
| Slight | The risk event or circumstance is only remotely probable | <10% | Every 10 Years and Beyond | 1 |

NOTE: Evaluate the Control Effectiveness / Management Activities Rating for a particular risk event or circumstance based on existing management activities and/or controls that exist both within defined business processes and at the entity level, not on future or planned control activities.

| CE Rating | Improvement Opportunities | Control Effectiveness (CE) / Management Activities | Additional Scoring Criteria | Score |
| --- | --- | --- | --- | --- |
| Very High | None Identified | Properly designed and operating as intended. | There are no outstanding High or Medium risk audit issues, no material weaknesses or significant deficiencies as defined by SOX or external auditors. | 5 |
| High | Limited | Properly designed and operating, no significant deficiencies. | There are no outstanding High risk audit issues, no material weaknesses or significant deficiencies as defined by SOX or external auditors. | 4 |
| Moderate | Moderate | In place, some deficiencies. | There are no outstanding High risk audit issues. There may be some significant deficiencies as defined by SOX or the external auditors. | 3 |
| Low | Significant | Limited, high level of risk remains, significant deficiencies. | There are outstanding High and/or Medium risk audit issues or significant deficiencies as defined by SOX or external auditors. | 2 |
| Very Low | Critical | Non-existent or has major deficiencies and does not operate as intended. | There are outstanding High risk audit issues or material weakness(es) as defined by SOX or external auditors. | 1 |
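The Impact, Likelihood and CE scales above, together with the Improve/Monitor/Accept/Optimize quadrant definitions, are enough to score a risk register end to end. The following Python is an added example written for this page; it is not a tool from the presentation or from Microsoft Internal Audit. It encodes the deck's 1-5 scales, computes inherent and residual exposure as Impact x Likelihood, and places each risk in a quadrant from its residual exposure and CE score. The deck does not state the cut points, so these are assumptions: residual exposure above 12.5 (the midpoint of the 0-25 axis) counts as high risk, a CE score of 3 or more counts as a high control level, a probability exactly on a band edge takes the higher band, and an OI impact below $100M (for which the table has no row) is scored 1. The sample register at the bottom is constructed for illustration.

```python
"""Risk register scoring on the presentation's Impact, Likelihood and
Control Effectiveness (CE) scales.  Added example, not the deck's own tool.

Assumptions (not stated on the slides):
  * a probability exactly on a band edge (e.g. 90%) takes the higher band;
  * an OI impact below $100M is still scored 1 (the table has no lower row);
  * quadrant cut points: residual exposure > 12.5 is "high risk",
    CE >= 3 is "high control".
"""
from dataclasses import dataclass

# (lower bound of annual probability, score, rating) from the Likelihood table
LIKELIHOOD_BANDS = [
    (0.90, 5, "Expected"),
    (0.70, 4, "Highly Likely"),
    (0.50, 3, "Likely"),
    (0.10, 2, "Not Likely"),
    (0.00, 1, "Slight"),
]

# (strict lower threshold of OI impact in USD, score, rating) from the Impact table
OI_BANDS = [
    (2_500_000_000, 5, "Critical"),
    (1_000_000_000, 4, "Severe"),
    (500_000_000, 3, "Serious"),
    (250_000_000, 2, "Moderate"),
    (100_000_000, 1, "Mild"),
]


def likelihood_score(probability: float) -> int:
    """Map an annual probability (0.0-1.0) to the 1-5 Likelihood score."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    for lower, score, _rating in LIKELIHOOD_BANDS:
        if probability >= lower:
            return score
    return 1


def oi_impact_score(oi_impact_usd: float) -> int:
    """Map an operating-income impact to the 1-5 Impact score.  The table's
    thresholds are strict ("OI >$2.5B"); below $100M is scored 1 by assumption."""
    for threshold, score, _rating in OI_BANDS:
        if oi_impact_usd > threshold:
            return score
    return 1


def exposure(impact: int, likelihood: int) -> int:
    """Risk exposure = Impact x Likelihood on the deck's 1-25 scale."""
    for name, value in (("impact", impact), ("likelihood", likelihood)):
        if value not in range(1, 6):
            raise ValueError(f"{name} must be an integer 1-5, got {value!r}")
    return impact * likelihood


def quadrant(residual_exposure: float, ce_score: int,
             exposure_cut: float = 12.5, ce_cut: int = 3) -> str:
    """Place a risk in the Improve/Monitor/Accept/Optimize quadrant.
    Cut points are assumptions; the slide only shows Low/High axes."""
    high_risk = residual_exposure > exposure_cut
    high_control = ce_score >= ce_cut
    if high_risk:
        return "Monitor" if high_control else "Improve"
    return "Optimize" if high_control else "Accept"


@dataclass
class Risk:
    name: str
    inherent_impact: int
    inherent_likelihood: int
    residual_impact: int
    residual_likelihood: int
    ce_score: int

    def inherent_exposure(self) -> int:
        return exposure(self.inherent_impact, self.inherent_likelihood)

    def residual_exposure(self) -> int:
        return exposure(self.residual_impact, self.residual_likelihood)

    def residual_quadrant(self) -> str:
        return quadrant(self.residual_exposure(), self.ce_score)


def rank_register(risks):
    """Return (name, inherent, residual, quadrant) tuples ordered so the risks
    most in need of audit attention come first: Improve, then Monitor, then
    Accept, then Optimize; within a quadrant, highest residual exposure first."""
    order = {"Improve": 0, "Monitor": 1, "Accept": 2, "Optimize": 3}
    rows = [(r.name, r.inherent_exposure(), r.residual_exposure(), r.residual_quadrant())
            for r in risks]
    return sorted(rows, key=lambda row: (order[row[3]], -row[2], -row[1]))


# Constructed sample register; the ratings are illustrative, not Microsoft's.
SAMPLE_REGISTER = [
    Risk("Security and privacy of critical data", 5, 4, 4, 4, 2),
    Risk("Business continuity management", 5, 4, 4, 4, 3),
    Risk("Software piracy", 3, 5, 3, 4, 4),
    Risk("Acquisition integration", 2, 2, 2, 2, 2),
]

if __name__ == "__main__":
    for name, inh, res, quad in rank_register(SAMPLE_REGISTER):
        print(f"{name:42s} inherent={inh:2d} residual={res:2d} -> {quad}")
```

Because the thresholds are parameters of quadrant(), a team can move the cut points once the ERM office agrees on them without touching the scoring logic; the ordering in rank_register() is what feeds the "identify high risks to be addressed by the audit plan" step.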
INHERENT Risk Profile (Representative Sample)

[Heat map: Likelihood of Occurrence on the horizontal axis (Slight 1, Not Likely 2, Likely 3, Highly Likely 4, Expected 5) against Severity of Impact on the vertical axis (Minimal 1, Low 2, Moderate 3, High 4, Critical 5). Tier 1 Risks 1 through 10 are plotted at their inherent ratings.]
RESIDUAL Risk Profile (Representative Sample)

[Scatter plot: Control Level (1.0 to 5.0, Low to High) on the horizontal axis against Risk Exposure (Impact x Likelihood, 0.0 to 25.0, Low to High) on the vertical axis, divided into the Improve, Monitor, Accept and Optimize quadrants. Tier 1 Risks 1 through 10 are plotted at their residual ratings.]
10K Risk Mapped to ERM Board Risks

| # | ERM Risk Category | 10K Risk | ERM Board-level Risk (FY10 ERM Status) |
| --- | --- | --- | --- |
| 1 | Strategic | Challenges to our business model may reduce our revenues and operating margins | Business model disruptions from competitive landscape (Monitor); Business model pricing erosion (Monitor); Rise of alternative platforms (Monitor) |
| 2 | Strategic | We face intense competition | Business model disruptions from competitive landscape (Monitor); Business model pricing erosion (Monitor); Rise of alternative platforms (Monitor) |
| 3 | Strategic | We make significant investments in new products and services that may not be profitable | Strategic investments (Monitor) |
| 4 | Strategic (Operational) | Acquisitions and joint ventures may have an adverse effect on our business | Acquisition integration (Monitor); Yahoo! Partnership (Improve) |
| 5 | Legal (Strategic, Financial, Operational) | We may not be able to adequately protect our intellectual property rights | Software piracy (Monitor) |
| 6 | Legal | We are subject to government litigation and regulatory activity that affects how we design and market our products | Regulatory scrutiny and antitrust focus (Monitor) |
| 7 | Legal | Improper disclosure of personal data could result in liability and harm our reputation | Security and privacy of critical data (Improve) |
| 8 | Legal | Third parties may claim we infringe their intellectual property rights | Not mapped |
| 9 | Legal | We operate a global business that exposes us to additional risks | Regulatory non-compliance (Monitor); Anti-corruption (Improve) |
| 10 | Legal | We have claims and lawsuits against us that may result in adverse outcomes | Not mapped |
| 11 | Operational | We may not be able to protect our source code from copying if there is an unauthorized disclosure of source code | Security and privacy of critical data (Improve) |
| 12 | Operational | Security vulnerabilities in our products could lead to reduced revenues or to liability claims | Product quality and security - software & services (Improve) |
| 13 | Operational | Our vertically-integrated hardware and software products may experience quality or supply problems | Hardware quality and compliance (Monitor) |
| 14 | Operational | Catastrophic events or geo-political conditions may disrupt our business | Business continuity management (Improve) |
| 15 | Operational | We may experience outages and disruptions of our online services if we fail to maintain an adequate operations infrastructure | Inadequate operations infrastructure (Monitor) |
| 16 | Operational | Our business depends on our ability to attract and retain talented employees | Global employee recruitment & retention (Monitor); Succession planning (Monitor) |
| 17 | Operational | Delays in product development schedules may adversely affect our revenues | Product/service launch and sustainability (Monitor) |
| 18 | Financial | Adverse economic conditions may harm our business | Financial market volatility (Monitor); Credit and collections (Monitor) |
| 19 | Financial | We may have additional tax liabilities | Financial Reporting (Monitor); Taxation of foreign earnings (Monitor) |
| 20 | Financial | If our goodwill or amortizable intangible assets become impaired we may be required to record a significant charge to earnings | Financial Reporting (Monitor) |
Risk Theme Development (Top-Down Approach)

Development of Business Risk Themes

Top-Down Risk Assessment Themes (with comments):
• Cloud (multi-themed: including internal processes, systems, operations infrastructure, Field sales motion - cannibalism) – Coverage through Order to Cash project for BIOS. Additional consideration of Cloud operations infrastructure necessary.
• End user experience - Billing, App Stores, Credit/Collections, Retail Stores (Expansion) – Order to Cash project.
• Last Mile Excellence - LMX (Product/Service Launch) – Potential coverage through joint project over Office 15 launch.
• 3rd-Party Reliance (Vendor: FTE, vendor over-reliance) – Heavy reliance on ROC vendors…
• Compliance - Regulatory, Industry Standards/Certifications, FCPA, Privacy, Trade – Partner vetting rolling out in 2012-2013, increasing number of partners. Need to consider how to cover partners?
• Consumerization of IT (Internal vs. External)
• Partnerships / JV's (includes Nokia, Yahoo, HP, other) – Minimally managed studios (looks like this is not going to be a big issue)
• Spend Management (includes Incentive Comp, Vendor mgmt - 3PP, Selection, single sourced) – Channel Incentives could be considered here; Payroll - nonstandard overpayment of incentive comp; Freight
• Global Programs (Governance over cross-enterprise risks)
• Engineering/Development Compliance (EE compliance, PAGO requirements)
• Financial Reporting (including Budgeting, Long-range planning)
• Major System Implementations - IT/Business Alignment (e.g., Project Laminar, OA 3.0, CHIP) – Should have OA 3.0 project several months after Win 8 launch. Timing for Project Laminar unknown.
• Supply-chain (IEB mfg, OEM, online SW delivery, Digital River - Retail stores) – Project over Just In Time Keys provisioning system.

Potential Themes (with comments):
• Channel Partners – Channel Incentives (implementation/execution); FCPA/Fraud risks - Partner audits? CLM - Customer Life Cycle Mgmt (Ops people are getting involved in closing renewals - how will they be compensated?)
• Revenue Processing and Recognition (Order to Cash) – Order to Cash (for Cloud); Cutoff processing; Revenue recognition; Shift from large$/small vol. to small$/large vol. business model; Payco; Windows 8 OA 3.0
Prioritization of Risk Themes

Each theme is tied to its 10K risks and to the ERM risks it touches (Strategy and IT resource alignment; Financial Reporting; Regulatory compliance / Contract compliance / Customer obligations; Models / Strategic Investments / New Business; Inadequate operations infra; Product Quality and Security (Products and Services); Security and Privacy of Critical Data; Reliability/BCM; Product / Services Launch and release), then ranked by each director (Marilee Byers, Michael Ford, Rich Nardi, Terri Schwan, Bob Tenczar, Greg Testa). The average ranking orders the themes.

| Sub Topics | 10K Risk | Rankings (Byers, Ford, Nardi, Schwan, Tenczar, Testa) | Average |
| --- | --- | --- | --- |
| Cloud (multi-themed: including systems, operations infrastructure, Field sales motion - cannibalism) | The cloud-based computing model presents execution and competitive risks; We may experience outages, data loss and disruptions of our online services if we fail to maintain an adequate operations infrastructure. | 1, 1, 3, 1, 1, 1 | 1.33 |
| Info Security, protection of consumer data, containment, control, reaction, adaptability to new mediums, social media | We may not be able to protect our source code from copying if there is an unauthorized disclosure of source code; Security vulnerabilities could lead to reduced revenue, liability claims, or competitive harm | 4, 4, 1, 7, 4, 6 | 4.33 |
| Windows 8, Windows Store, Office 15, Server 8, phone, OEM products | Delays in product development schedules may adversely affect our revenue; We make significant investments in new products and services that may not be profitable | 3, 3, 2, 13, 3, 3 | 4.50 |
Themes

| Theme | # of Hours | % of Total |
| --- | --- | --- |
| Sales and Channel Management | 19,072 | 29% |
| Cloud Implementation | 9,088 | 14% |
| Compliance & Governance | 7,616 | 12% |
| Spend Management | 7,552 | 12% |
| Statutory and Local Requirements | 7,296 | 11% |
| Product & Service Launch Readiness | 4,736 | 7% |
| Privacy & Security of Critical Data and Intellectual Property | 3,584 | 6% |
| Supply Chain | 3,328 | 5% |
| IT/Business Alignment and System Implementations | 1,920 | 3% |
| Internal process changes due to shift in business model | 512 | 1% |
| Grand Total | 64,704 | 100% |
Project Assignment

Project Assignments

Align by Risk Pillar

| Risk Pillar | Total Hours |
| --- | --- |
| Financial | 18,255 |
| Legal/compliance | 13,750 |
| Operational | 32,699 |
| Grand Total | 64,704 |

Operational pillar expanded by ERM risk (hours), with the audit projects shown under two of them:
• Acquisition integration 230
• Business continuity management 536: Anti-Malware services follow-up 128; Azure Services ISO 192; Commercial CSS 216
• Data management 616
• Facility access and security 856
• Global employee recruitment and retention 764
• Hardware quality and compliance 768
• Inadequate operations infrastructure 5,281
• Product quality and security (software & services) 2,656: Anti-Malware services follow-up 384; Azure Services ISO 192; Commercial Online Services order to cash 192; CRM Online ISO 384; Nokia SSAE16 readiness 640; Online Services Rapid Assessments 384; Online Services platform automation 480
• Product/service launch and sustainability 1,493
• Security and privacy of critical data 8,389
• Software piracy 1,015
• Spend management 8,350
• Strategy and IT resource alignment 1,744

Align by Risk Theme

| Theme | # of Hours | % of Total |
| --- | --- | --- |
| Sales and Channel Management | 19,072 | 29% |
| Cloud Implementation | 9,088 | 14% |
| Compliance & Governance | 7,616 | 12% |
| Spend Management | 7,552 | 12% |
| Statutory and Local Requirements | 7,296 | 11% |
| Product & Service Launch Readiness | 4,736 | 7% |
| Privacy & Security of Critical Data and Intellectual Property | 3,584 | 6% |
| Supply Chain | 3,328 | 5% |
| IT/Business Alignment and System Implementations | 1,920 | 3% |
| Internal process changes due to shift in business model | 512 | 1% |
| Grand Total | 64,704 | 100% |

Cloud Implementation (9,088 hours, 14%) expanded by project:
• Anti-Malware services follow-up 640 (1%)
• Azure Services consumption 640 (1%)
• Azure Services ISO 1,152 (2%)
• Cloud Services Privacy 1,152 (2%)
• Commerce platform & business operations 1,152 (2%)
• Commercial Online Services order to cash 768 (1%)
• CRM Online ISO 640 (1%)
• Online Services Rapid Assessments 768 (1%)
• Online Services platform automation 640 (1%)
• SKU, pricing & redemption token management 768 (1%)
• Windows Phone Marketplace Apollo readiness 768 (1%)
Project Level Risk
• Risks are aligned to the COSO framework (area/type/category)
• Associate risks with an auditable unit (AU)
• Significance and likelihood scores are absolute
• Residual score is calculated by discounting using the audit experience/knowledge score
• Reassess after each project
All Up Comparison of Risks YoY ('Gut-Check')

[Chart: Audit Project Hours by risk category (Financial, Compliance, Operational, Strategic, Total) for FY11 Actual, FY12 Actual and FY13 Plan.]

| Category | FY11 Actual Hours | FY11 % | FY12 Actual Hours | FY12 % | FY13 Plan Hours | FY13 % | FY12 Actual vs FY13 Plan Hours | Pts |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Financial | 26,500 | 36% | 22,600 | 30% | 23,700 | 28% | 1,100 | -2 Pts |
| Compliance | 17,300 | 24% | 15,400 | 20% | 17,900 | 21% | 2,500 | 1 Pt |
| Operational | 29,400 | 40% | 37,300 | 49% | 42,400 | 51% | 5,100 | 1 Pt |
| Strategic | - | 0% | - | 0% | - | 0% | - | 0 Pts |
| Grand Total | 73,200 | 100% | 75,300 | 100% | 84,000 | 100% | 8,700 | 12% |
Capacity

Resource Capacity

FY13 planned hours by role (every staff row totals 1,800 hours per FTE). Column headings: Program = program management; Project = audit projects; Invest = investigations; ERM; Internal.

| Role | FTE | Program | Project | Invest | ERM | Internal | Total |
| --- | --- | --- | --- | --- | --- | --- | --- |
| VP | 1 | 720 | 180 | 90 | 90 | 720 | 1,800 |
| ERM | 1 | - | - | - | 1,620 | 180 | 1,800 |
| PPM director | 1 | 180 | - | - | - | 1,620 | 1,800 |
| PPM manager | 1 | - | - | - | - | 1,800 | 1,800 |
| Admins | 2 | - | - | - | - | 3,600 | 3,600 |
| IA director | 4 | 2,880 | 2,160 | - | - | 2,160 | 7,200 |
| IA program mgr | 8 | 9,360 | 3,600 | - | - | 1,440 | 14,400 |
| IA proj/ppl mgr | 6 | 2,160 | 5,940 | - | - | 2,700 | 10,800 |
| IA proj mgr | - | - | - | - | - | - | - |
| IA lead | 15 | 1,350 | 22,950 | - | - | 2,700 | 27,000 |
| IA staff | 18 | - | 29,160 | - | - | 3,240 | 32,400 |
| RA | 4 | - | 4,680 | - | - | 2,520 | 7,200 |
| TECA manager | 1 | 540 | 630 | 180 | - | 450 | 1,800 |
| TECA staff | 1 | - | 1,350 | 180 | - | 270 | 1,800 |
| FIU director | 1 | 720 | - | 540 | - | 540 | 1,800 |
| FIU ppl mgr | 3 | 810 | - | 3,240 | - | 1,350 | 5,400 |
| FIU staff | 10 | 900 | - | 15,300 | - | 1,800 | 18,000 |
| FIU PM | - | - | - | - | - | - | - |
| Total | 77 | 19,620 | 70,650 | 19,530 | 1,710 | 27,090 | 138,600 |
| FIU Vendors | | | | 5,100 | | | 5,100 |
| IA Vendors | | 900 | 10,405 | | | | 11,305 |
| SMSG Vendors | | | 2,900 | | | | 2,900 |
| ERM Vendor | | | | | 300 | | 300 |
| PPM Vendor | | | | | | 1,250 | 1,250 |
| Vendor total | | 900 | 13,305 | 5,100 | 300 | 1,250 | 20,855 |
| Total All | | 20,520 | 83,955 | 24,630 | 2,010 | 28,340 | 159,455 |

[Chart: hours by category (Program, Audit Projects, Investigations, ERM, Internal, Total) for FY11 Actual Hours, FY12 Actual Hours and FY13 Plan Hours.]
Load Balancing

FY13 Load Balancing: planned audit project hours per month compared with the monthly capacity band (Min and Max Threshold); the chart flags each month as At Target, Over Capacity or Under Capacity.

| Month | Hours | Min Threshold | Max Threshold | Status |
| --- | --- | --- | --- | --- |
| Jul | 2,624 | 4,543 | 5,652 | Under Capacity |
| Aug | 2,752 | 4,543 | 5,652 | Under Capacity |
| Sep | 5,248 | 4,543 | 5,652 | At Target |
| Oct | 5,696 | 4,543 | 5,652 | Over Capacity |
| Nov | 7,595 | 4,543 | 5,652 | Over Capacity |
| Dec | 4,715 | 4,543 | 5,652 | At Target |
| Jan | 6,187 | 4,543 | 5,652 | Over Capacity |
| Feb | 6,592 | 4,543 | 5,652 | Over Capacity |
| Mar | 6,720 | 4,543 | 5,652 | Over Capacity |
| Apr | 6,848 | 4,543 | 5,652 | Over Capacity |
| May | 5,184 | 4,543 | 5,652 | At Target |
| Jun | 3,776 | 4,543 | 5,652 | Under Capacity |
| Grand Total | 63,937 | 54,516 | 67,824 | At Target |