GOVERNANCE RISK COMPLIANCE - STRATEGIES TO LEVERAGE FOR POSITIVE CHANGE AND COST REDUCTION AMIDST GLOBAL ECONOMIC RECOVERY. Bhavesh Bhagat, Co-Founder

Upload: isaca-new-england

Post on 05-Dec-2014


DESCRIPTION

This is the ISACANE - Metrowest Breakfast Meeting held on January 29, 2010.

TRANSCRIPT

Page 1: En Crisp Grc Audit Automation Overview And Sustainability Strategies

GOVERNANCE RISK COMPLIANCE - STRATEGIES TO LEVERAGE FOR POSITIVE CHANGE

AND COST REDUCTION AMIDST GLOBAL ECONOMIC RECOVERY.

Bhavesh Bhagat

Co Founder

Page 2

Agenda

• Part 1 - GRC 101 – Introduction to GOVERNANCE RISK & COMPLIANCE MANAGEMENT (GRC)

• Part 2 – Managing GRC

– Project Mgmt. Tips for GRC Automation and Audit Automation Rollouts

– Strategies and Approach - Succeeding in Global Recession with Managing Automation

Page 3

Why are We Here?

Page 4

SOX 302/404 (private sector) vs. OMB Circular A-123 (public sector)

SOX 302/404 required activities:

• Identify scope of disclosure controls and procedures and internal control over financial reporting

• Document business processes and controls over all major activities within an entity (beyond solely processes impacting financial reporting)

• Perform evaluation of control design and effectiveness

• Identify and track resulting issues and remediation plans

• Document changes in processes and controls; surface any associated issues

• Cascade the accountability for control evaluation and roll up the results

• Prepare internal control report

• Support external auditor attestation

OMB A-123 requirements:

• Section II: Scope

• Section IV: Standards for internal control

• Section III: Assessing

• Section IV: Identification of Deficiencies

• Section V: Management’s Assessment

Page 5

JULY 16, 2008 - GUESS WHO?

Although the company has not disclosed much detail about the problem’s causes, its SEC filing offers clues:

• “We are currently implementing an enterprise resource planning (“ERP”) system on a staged basis in our subsidiaries around the world. We implemented the ERP system in several subsidiaries in our Asia Pacific region prior to fiscal 2008. During our second quarter of 2008, we implemented the ERP system in the United States resulting in changes in our system of internal control over financial reporting. Certain controls that were previously conducted manually or through a number of different existing systems were replaced by controls that are embedded within the ERP system, resulting in an update to our internal control process and procedures, the need for testing of the system and employee training in the use of the new system. Subsequent to the U.S. implementation, we encountered issues with the U.S. ERP system which caused us to further revise our internal control process and procedures in order to correct and supplement our processing capabilities within the new system. The changes described above materially affected our system of internal control over financial reporting during our last fiscal quarter.”

Page 6

Not convinced about Governing and Managing Risk?

Page 7

Bottom Line

Public & Non-Public entities need strict, documented, and tested Internal Controls to:

1. Guard against fraud and mistakes

2. Provide assurance to shareholders, Congress and taxpayers that funds are accounted for and used wisely

3. Pass a Financial and an Internal Controls audit

4. Stay out of the news

Page 8

PART 1 GRC 101

Page 9

GRC mis-management:

• Lost Data

• Invalid Transactions

• Sensitive Data Not Protected

• Reliance on Inaccurate Data

• Inefficient Processes

RISKS are:

• Inherent • Obvious • Invisible

• Accumulative • Dynamic • GLOBAL

Page 10

Who-Why-What-Where-How’s of Control Solutions

• Where do we build controls?

• How do we balance controls, information systems, and monitoring?

• What are some control requirements?

• Who will design and review?

• Who will own and Where?

Page 11

Definitions

• Governance: the act, process, or power of governing; to control the actions or behavior of

– To define and adjust the activities of a group to achieve a set of goals

• Risk: exposure to the chance of injury or loss; a hazard or dangerous chance

– The likelihood of an event causing an adverse impact

• Compliance: the act of conforming, acquiescing, or yielding

– The degree of conformity to standards derived from governance sources

Page 12

What are we Automating?

• Governance: the act, process, or power of governing; to control actions/behavior

– To define and adjust the activities of a group to achieve a set of goals

• Risk: exposure to the chance of injury or loss; a hazard or dangerous chance

– The likelihood of an event causing an adverse impact

• Compliance: the act of conforming, acquiescing, or yielding

– The degree of conformity to standards derived from governance sources

Page 13

IT GRC linkages

Page 14

Select Framework - IT governance

[Cycle diagram: Set Objectives, Measure Performance, Compare, Provide Direction, IT Activities] Source: Forrester Research

The IT Governance Institute’s governance framework defines five governance goals:

• Strategy — focus on aligning with the business and collaborative solutions

• Risks — addressing the safeguarding of IT assets, disaster recovery, and continuity of operations

• Resources — optimizing knowledge and IT infrastructure

• Value — concentrating on optimizing expenses and providing the value of IT

• Performance — tracking project delivery and monitoring IT services

The IT Governance Institute’s governance life cycle consists of five components. These components set objectives for IT, measure performance, compare to objectives, and redirect activities where necessary and change objectives where appropriate.

Page 15

Select Framework - IT risk

[Diagram, COSO ERM components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring] Source: Forrester Research

The COSO enterprise risk management framework is geared to achieving an organization’s strategic objectives by establishing four goals:

• Strategic — high-level goals, aligned with and supporting the mission

• Operations — effective and efficient use of resources

• Reporting — reliability of reporting

• Compliance — compliance with applicable laws and regulations

The COSO enterprise risk management life cycle consists of eight interrelated components. These components set risk objectives, identify risk events, assess the likelihood and impact of events, remediate control deficiencies, and communicate risk assessment results and activities. These components are derived from the way management runs an organization and are integrated with the management processes.

Page 16

Select Framework - IT compliance

[Cycle diagram: Maintain Control Framework, Implement Controls, Test & Remediate, Analyze & Report] Source: Forrester Research

The Forrester IT compliance framework establishes four goals:

• Sustainable — transparent integration with business and IT operations

• Consistent — repeatable control testing and implementation throughout the IT environment

• Efficient — streamlined control maintenance and testing

• Authoritative — single source for IT controls and test procedures

The Forrester IT compliance life cycle consists of four components. These components establish an authoritative normalized IT control framework, integrate controls into normal IT operations, test control effectiveness, remediate control deficiencies, and report compliance results and activities.

Page 17

Understand the Team

Enterprise-GRC:

• ERM

• Audit committee

• Corporate compliance

• Other enterprise governance groups

• Executive committee

• Board

Functional-GRC:

• Line of business 1, 2, 3 … n

• IT

• HR

• Legal

• Internal audit

Source: Forrester Research

Page 18

Example Project Office Team Structure

Steering Group:

• Overall Sponsor

• Departmental Sponsors

• Project Manager

• Vendor Rep

Project Office:

• Project Manager

• Department Rep (Steering group link)

• Subject Matter Expert

• Independent Project Advisor

• IT Dept Project Lead

• Vendor Project Lead

• Design, Validation, Project Coms, Project Admin

Stakeholders: Business Units by Geography, Related Departments, Executive, Interested Parties, etc.

Page 19

GRC Business Drivers

Governance, Risk and Compliance

Financial Compliance:

• SOX mandate (Section 404 and 302)

• Segregation of Duties analysis and enforcement

• Reduce fraud and risk

• Certify the sign-off process for executives

• Identify controls for organization

• Provide auditors with complete audit trail

Trade Management:

• Enforcement is on the rise, esp. after 9/11

• Companies need to strictly adhere to changing regulations or risk costly fines

• Security initiatives requiring more internal control, record keeping and audit trails

• Additional regulations such as Anti-boycott / Anti-terrorism Regulations and Export Administration Regulations (EAR)

Environment Regulations:

• Corporations need to comply with environment laws and regulations

• Mandate of Clean Air Act

• Streamline environmental reporting

• Health care risk assessment and prevention

• Worker safety and hazardous materials need to be documented and identified
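Two of the drivers above, "record keeping and audit trails" and "provide auditors with complete audit trail", only hold up if the trail cannot be silently edited or pruned by the people it records. The following is an added example, not code from the slides or from any GRC product: a minimal hash-chained audit log with a verifier that reports where the chain breaks. Event names, users, roles and amounts are constructed sample data.

```python
"""Tamper-evident audit trail: each entry carries the SHA-256 of the previous
entry, so editing, deleting or reordering a record breaks the chain at a
detectable point. Added illustration; event data below is constructed."""
import copy
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # back-link of the first entry


def _digest(seq: int, prev: str, record: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so identical content
    # always yields the same digest regardless of dict ordering.
    payload = json.dumps({"seq": seq, "prev": prev, "record": record},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append(log: List[dict], record: dict) -> dict:
    """Append one audit record, chained to the current head of the log."""
    seq = len(log)
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": seq, "prev": prev, "record": record,
             "hash": _digest(seq, prev, record)}
    log.append(entry)
    return entry


def verify(log: List[dict]) -> Optional[int]:
    """Return the index of the first entry that fails verification, or None
    when the whole chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev:
            return i  # deletion, insertion or reorder before this point
        if entry["hash"] != _digest(i, prev, entry["record"]):
            return i  # content edited without recomputing the digest
        prev = entry["hash"]
    return None


def build_sample_log() -> List[dict]:
    """Constructed sample events (hypothetical users, roles and amounts)."""
    log: List[dict] = []
    append(log, {"event": "role_assigned", "user": "jdoe", "role": "AP_CLERK", "by": "idm"})
    append(log, {"event": "sod_override", "user": "jdoe", "rule": "AP-01", "approver": "cfo"})
    append(log, {"event": "payment_posted", "user": "jdoe", "vendor": "V100", "amount": 4900})
    append(log, {"event": "role_revoked", "user": "jdoe", "role": "AP_CLERK", "by": "idm"})
    return log


def tamper_amount(log: List[dict], index: int, amount: int, rehash: bool = False) -> List[dict]:
    """Copy of the log with one record's amount edited; with rehash=True the
    edited entry's own digest is recomputed, as a naive attacker would do."""
    forged = copy.deepcopy(log)
    forged[index]["record"]["amount"] = amount
    if rehash:
        e = forged[index]
        e["hash"] = _digest(e["seq"], e["prev"], e["record"])
    return forged


def delete_entry(log: List[dict], index: int) -> List[dict]:
    """Copy of the log with one entry removed and the rest left as they were."""
    forged = copy.deepcopy(log)
    del forged[index]
    return forged


if __name__ == "__main__":
    log = build_sample_log()
    print("intact  :", verify(log))                                     # None
    print("edited  :", verify(tamper_amount(log, 2, 49000)))            # 2
    print("rehashed:", verify(tamper_amount(log, 2, 49000, rehash=True)))  # 3
    print("deleted :", verify(delete_entry(log, 1)))                    # 1
```

verify() localises the break rather than merely flagging it: an edited record fails its own digest, a record edited and re-hashed fails at the next entry's back-link, and a deleted record fails at the sequence gap. An attacker who can rewrite every entry from the tampered one onward can recompute the whole tail, so in practice the current head hash is periodically signed or copied somewhere the log writers cannot reach (a separate system, a WORM store, the auditor's own copy).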

Page 20

GRC Solution Overview

Governance, Risk and Compliance

• Financial Compliance: Access Control, Process Control

• Trade Management: Global Trade Management (GTM)

• Environment Regulations: EH&S, Emission Mgt (xEM)

• Enterprise Risk Management

• SAP SOLUTION MANAGER

Page 21

PART 2 TOP PROJECT MGMT TIPS FOR GRC AUTOMATION AND AUDIT AUTOMATION ROLLOUTS

Page 22

GRC Implementation Lessons

• “An ounce of planning is worth a pound of execution” – do not neglect the planning phase; attention to detail always pays.

• Pilot project can validate effort/approach – revisit resource needs after completion

• Decentralized approach needs establishment of clear, required minimum standards for documentation, evaluation

• Involve independent auditors throughout project

• Embed application controls into business process approach

Page 23

Recommendations for maturing

• Establish a strong IT compliance program before attempting risk and governance.

– Automate control maintenance and testing procedures.

– Automate controls where appropriate.

– Establish a single authoritative source for IT controls.

– Monitor business, IT, and regulatory landscapes.

Page 24

Recommendations for maturing (cont.)

• Establish an IT risk management program based on compliance.

– Keep the number of risk events to a minimum.

– Tie risk events to IT operations.

– Tie risk events to business risks.

– Use both real-time and point-in-time measurements.

• Establish an IT governance program after IT compliance and IT risk management programs are operational.

Page 25

Be aware of the misconceptions about IT-GRC

• IT governance is the same as management.

• IT-GRC is a single program.

• It’s an IT issue.

• It’s a one-time project.

• It’s the only way to govern.

Page 26

Lessons from the trenches

• Integration: Integrate within and beyond IT.

• Viewpoint: View risk from the eyes of the business.

• Technology: Automate at the right time (OP+NT=EOP: old process + new technology = expensive old process).

• Process: Over-engineered solution creates resistance and is ultimately less effective.

• Approach: Start with compliance.

• Timeframe: Be patient.

Page 27

Considerations When Identifying Controls

– Focus on “Key” controls:

• How does the application support the key financial processes?

• Is the application processing data or acting as a repository?

• Who relies on the controls?

– Consider the types of errors that can occur at the application and process level and don’t ignore infrastructure

– Ask “What is My Risk?” or “What can Go Wrong?” questions

– When evaluating IT controls and related risks, consider the relevant financial statement assertions for significant accounts

Page 28

It’s a team effort

True governance, risk, and compliance does not begin and end with the IT organization. IT enables, but should not solely own GRC functionality.

• Controller or Audit Committee: person or people in charge of governance; they make strategic decisions and own the rule set.

• Role Owners: managers by functional area who own one or more roles. All design changes to roles must be approved by the role owner. For critical roles, role owners also approve assignments and perform periodic reviews.

• SOD Owners: managers by functional area, geography, or department who take ownership of mitigation controls and the approval of SOD conflicts.

• Audit Team: monitoring of the system in accordance with the rules set forth by the audit committee or controller.

• Security Team: proactive enforcement of SOD rules and critical authorization containment; periodic monitoring of the system to keep it in compliance with the rules.
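The rule set owned by the controller, the mitigation controls owned by SOD owners and the proactive enforcement expected of the security team on this slide (together with the "Segregation of Duties analysis and enforcement" driver on slide 19) can be made concrete with a small rule engine. This is an added example, not the slides' or SAP's code: the roles, business functions, rule IDs, users and the mitigation control are constructed and hypothetical. It shows a detective scan over existing assignments and the preventive check a provisioning workflow would run before a role is granted.

```python
"""Segregation-of-duties (SoD) analysis over a role model: a detective scan
of existing user-role assignments plus a preventive check run before a new
role is granted. A mitigating control approved by an SoD owner keeps a
specific conflict out of the open-findings list. Added illustration; all
role, function, rule and user names are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Roles and the business functions (transactions) each grants. Constructed.
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "AP_CLERK":     {"create_vendor", "enter_invoice"},
    "AP_MANAGER":   {"approve_invoice", "release_payment"},
    "VENDOR_ADMIN": {"create_vendor", "change_bank_details"},
    "PAYROLL":      {"run_payroll"},
    "SEC_ADMIN":    {"assign_roles"},
}


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    func_a: str
    func_b: str
    description: str


# Rule set owned by the controller/audit committee: two functions that one
# person must not hold together because the pair lets them both commit and
# conceal a fraudulent transaction. Constructed rules.
RULES: List[SodRule] = [
    SodRule("AP-01", "create_vendor", "release_payment", "Create a vendor and pay it"),
    SodRule("AP-02", "enter_invoice", "approve_invoice", "Enter and approve an invoice"),
    SodRule("AP-03", "change_bank_details", "release_payment", "Redirect and release a payment"),
    SodRule("SEC-01", "assign_roles", "release_payment", "Self-grant access and move money"),
]

# Mitigating controls approved by an SoD owner: (user, rule_id) -> control.
MITIGATIONS: Dict[Tuple[str, str], str] = {
    ("cfo", "AP-01"): "MC-17 monthly vendor-master review by internal audit",
}


@dataclass
class Finding:
    user: str
    rule_id: str
    via_roles: Tuple[str, str]  # roles supplying func_a and func_b
    mitigated_by: str = ""      # empty string means the finding is open


def functions_of(roles: Set[str]) -> Dict[str, Set[str]]:
    """Map each function the user can execute to the roles granting it."""
    out: Dict[str, Set[str]] = {}
    for role in roles:
        for func in ROLE_FUNCTIONS.get(role, ()):
            out.setdefault(func, set()).add(role)
    return out


def conflicts_for(user: str, roles: Set[str]) -> List[Finding]:
    """Detective check: every rule violated by this user's combined role set.
    A conflict inside one role is caught too (via_roles then repeats it)."""
    fmap = functions_of(roles)
    findings: List[Finding] = []
    for rule in RULES:
        if rule.func_a in fmap and rule.func_b in fmap:
            via = (min(fmap[rule.func_a]), min(fmap[rule.func_b]))
            findings.append(Finding(user, rule.rule_id, via,
                                    MITIGATIONS.get((user, rule.rule_id), "")))
    return findings


def scan(assignments: Dict[str, Set[str]]) -> Dict[str, List[Finding]]:
    """Enterprise-wide scan; returns only users with at least one conflict."""
    report: Dict[str, List[Finding]] = {}
    for user, roles in assignments.items():
        findings = conflicts_for(user, roles)
        if findings:
            report[user] = findings
    return report


def can_assign(user: str, current: Set[str], new_role: str) -> Tuple[bool, List[Finding]]:
    """Preventive check for the provisioning workflow: refuse the grant when it
    would introduce a conflict the user does not already have and that no
    approved mitigation covers. Pre-existing conflicts are left to scan()."""
    already = {f.rule_id for f in conflicts_for(user, current)}
    after = conflicts_for(user, current | {new_role})
    new_open = [f for f in after if f.rule_id not in already and not f.mitigated_by]
    return (not new_open, new_open)


# Constructed user-role assignments.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "jdoe":   {"AP_CLERK"},
    "asmith": {"AP_CLERK", "AP_MANAGER"},     # AP-01 and AP-02, both open
    "cfo":    {"VENDOR_ADMIN", "AP_MANAGER"},  # AP-01 mitigated, AP-03 open
    "root":   {"SEC_ADMIN"},
}

if __name__ == "__main__":
    for user, findings in scan(ASSIGNMENTS).items():
        for f in findings:
            status = f"mitigated by {f.mitigated_by}" if f.mitigated_by else "OPEN"
            print(f"{user}: {f.rule_id} via {f.via_roles} - {status}")
    ok, blocked = can_assign("root", {"SEC_ADMIN"}, "AP_MANAGER")
    print("grant AP_MANAGER to root:", "allowed" if ok else
          "blocked by " + ", ".join(f.rule_id for f in blocked))
```

Rules are written over business functions rather than role names, so a redesigned role is re-evaluated automatically and a role that bundles both halves of a conflict is caught on its own. A mitigation suppresses one (user, rule) pair only and still appears in the scan output, which is what lets the audit team re-test the control periodically instead of losing sight of the underlying conflict.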

Page 29

Case Studies – Common Business Drivers / Anticipated Benefits

Opportunities for benefits are expanding as security moves from traditional user access control to enablement of business controls and management notification. An increasing number of our clients are recognizing the potential and are taking advantage of these new capabilities.

Future Vision (benefit columns): Increase Assurance | Better Information | Enhance Compliance | Increase Value | Lower Cost of Operations

Initiatives, with the number of benefit columns marked on the slide (of 5; the extracted text does not preserve which columns):

• Implement role based access control driving standardization in identities (3)

• Conduct segregation of duties analysis across the Enterprise (4)

• Execute risk assessment, evaluation and mitigation as a service (3)

• Enable preventative compliance within change control processes (5)

• Implement automated controls to reduce work effort and complexity (3)

• Provide real time management information when executives need it (3)

• Improve governance through distribution of controls into the business (4)

Page 30

QUESTIONS?

How to contact us:

Bhavesh Bhagat

Co-Founder

Bhavesh on LinkedIn

www.Linkedin.Com/in/BhaveshBhagat

[email protected]

703.424.7615 ext 1000

703.728.2493 - cell

www.EnCrisp.com