EnCrisp GRC Audit Automation Overview and Sustainability Strategies
DESCRIPTION
This is the ISACANE - Metrowest Breakfast Meeting held on January 29, 2010.
TRANSCRIPT
GOVERNANCE RISK COMPLIANCE - STRATEGIES TO LEVERAGE FOR POSITIVE CHANGE
AND COST REDUCTION AMIDST GLOBAL ECONOMIC RECOVERY.
Bhavesh Bhagat
Co Founder
Agenda
• Part 1 - GRC 101 – Introduction to GOVERNANCE RISK & COMPLIANCE MANAGEMENT (GRC)
• Part 2 – Managing GRC
– Project Mgmt. Tips for GRC Automation and Audit Automation Rollouts
• Strategies and Approach - Succeeding in Global Recession with Managing Automation
Why are We Here?
Sox 302/404 - Private
302/404 Required activities:
• Identify scope of disclosure controls and procedures and internal control over financial reporting
• Document business processes and controls over all major activities within an entity (beyond solely processes impacting financial reporting)
• Perform evaluation of control design and effectiveness
• Identify and track resulting issues and remediation plans
• Document changes in processes and controls; surface any associated issues
• Cascade the accountability for control evaluation and roll up the results
• Prepare internal control report
• Support external auditor attestation
OMB Circular A123 - Public
OMB Requirement:
Section II: Scope
Section IV: Standards for internal control
Section III: Assessing
Section IV: Identification of Deficiencies
Section V: Management’s Assessment
JULY 16, 2008 - GUESS WHO?
Although Company has not disclosed much detail about the problem’s causes, the company’s SEC filing offers clues:
• “We are currently implementing an enterprise resource planning (“ERP”) system on a staged basis in our subsidiaries around the world. We implemented the ERP system in several subsidiaries in our Asia Pacific region prior to fiscal 2008. During our second quarter of 2008, we implemented the ERP system in the United States resulting in changes in our system of internal control over financial reporting. Certain controls that were previously conducted manually or through a number of different existing systems were replaced by controls that are embedded within the ERP system, resulting in an update to our internal control process and procedures, the need for testing of the system and employee training in the use of the new system. Subsequent to the U.S. implementation, we encountered issues with the U.S. ERP system which caused us to further revise our internal control process and procedures in order to correct and supplement our processing capabilities within the new system. The changes described above materially affected our system of internal control over financial reporting during our last fiscal quarter.”
Not convinced about Governing and Managing Risk?
Bottom Line
Public & Non-Public entities need strict, documented, and tested Internal Controls to:
1. Guard against fraud and mistakes
2. Provide assurance to shareholders, Congress and taxpayers that funds are accounted for and used wisely
3. Pass a Financial and an Internal Controls audit
4. Stay out of the news
PART 1 GRC 101
GRC MIS-management:
• Lost Data
• Invalid Transactions
• Sensitive Data Not Protected
• Reliance on Inaccurate Data
• Inefficient Processes
RISKS are:
• Inherent • Obvious • Invisible
• Accumulative • Dynamic • GLOBAL
Who-Why-What-Where-How’s of Control Solutions
• Where do we build controls?
• How do we balance controls, information systems, and monitoring?
• What are some control requirements?
• Who will design and review?
• Who will own and Where?
Definitions
• Governance: the act, process, or power of governing; to control the actions or behavior of
– To define and adjust the activities of a group to achieve a set of goals
• Risk: exposure to the chance of injury or loss; a hazard or dangerous chance
– The likelihood of an event causing an adverse impact
• Compliance: the act of conforming, acquiescing, or yielding
– The degree of conformity to standards derived from governance sources
What are we Automating?
• Governance: the act, process, or power of governing; to control actions/behavior
– To define and adjust the activities of a group to achieve a set of goals
• Risk: exposure to the chance of injury or loss; a hazard or dangerous chance
– The likelihood of an event causing an adverse impact
• Compliance: the act of conforming, acquiescing, or yielding
– The degree of conformity to standards derived from governance sources
IT GRC linkages
Select Framework - IT governance
(Figure: IT governance life cycle – Set Objectives, Provide Direction, IT Activities, Measure Performance, Compare. Source Forrester Research)
The IT Governance Institute’s governance framework defines five governance goals:
• Strategy — focus on aligning with the business and collaborative solutions
• Risks — addressing the safeguarding of IT assets, disaster recovery, and continuity of operations
• Resources — optimizing knowledge and IT infrastructure
• Value — concentrating on optimizing expenses and providing the value of IT
• Performance — tracking project delivery and monitoring IT services
The IT Governance Institute’s governance life cycle consists of five components. These components set objectives for IT, measure performance, compare to objectives, and redirect activities where necessary and change objectives where appropriate.
Select Framework - IT risk
(Figure: COSO ERM components – Internal Env., Objective Setting, Event Ident., Risk Assmt., Risk Response, Control Activities, Info. & Comms., Monitor. Source Forrester Research)
The COSO enterprise risk management framework is geared to achieving an organization’s strategic objectives by establishing four goals:
• Strategic — high-level goals, aligned with and supporting the mission
• Operations — effective and efficient use of resources
• Reporting — reliability of reporting
• Compliance — compliance with applicable laws and regulations
The COSO enterprise risk management life cycle consists of eight interrelated components. These components set risk objectives, identify risk events, assess the likelihood and impact of events, remediate control deficiencies, and communicate risk assessment results and activities. These components are derived from the way management runs an organization and are integrated with the management processes.
Select Framework - IT compliance
(Figure: IT compliance life cycle – Maintain Control Framework, Implement Controls, Test & Remediate, Analyze & Report. Source Forrester Research)
The Forrester IT compliance framework established four goals:
• Sustainable — transparent integration with business and IT operations
• Consistent — repeatable control testing and implementation throughout the IT environment
• Efficient — streamlined control maintenance and testing
• Authoritative — single source for IT controls and test procedures
The Forrester IT compliance life cycle consists of four components. These components establish an authoritative normalized IT control framework, integrate controls into normal IT operations, test control effectiveness, remediate control deficiencies, and report compliance results and activities.
Understand the Team
Enterprise-GRC: ERM, Audit committee, Corporate compliance, Other enterprise governance groups, …, Executive committee, Board
Functional-GRC: Line of business 1, Line of business 2, Line of business 3, …, Line of business n, IT, HR, Legal, …, Internal audit
Source Forrester Research
Example Project Office Team Structure
Steering Group: Overall Sponsor, Departmental Sponsor, Departmental Sponsor, Project Manager, Vendor Rep
Project Office: Project Manager, Department Rep (Steering group link), Subject Matter Expert, Independent Project Advisor, IT Dept Project Lead, Vendor Project Lead
Stakeholders: Business Units by Geography, Related Departments, Executive, Interested Parties, Etc
Design / Validation / Project Coms / Project Admin
GRC Business Drivers
Governance, Risk and Compliance: Financial Compliance / Trade Management / Environment Regulations
• SOX mandate (Section 404 and 302)
• Segregation of Duties analysis and enforcement
• Reduce fraud and risk
Enforcement is on the rise, esp. after 9/11
• Companies need to strictly adhere to changing regulations or risk costly fines
• Security initiatives requiring more internal control, record keeping and audit trails
• Additional regulations such as Anti-boycott / Anti-terrorism Regulations and Export Administration Regulations (EAR)
Corporations need to comply with environment laws and regulations
• Mandate of Clean Air Act
• Streamline environmental reporting
• Health care risk assessment and prevention
• Worker safety and hazardous materials need to be documented and identified
• Certify the sign-off process for executives
• Identify controls for organization
• Provide auditors with complete audit trail
GRC Solution Overview
Governance, Risk and Compliance: Financial Compliance / Trade Management / Environment Regulations
Access Control
Global Trade Management (GTM)
EH&S Emission Mgt (xEM)
Process Control
Enterprise Risk Management
SAP SOLUTION MANAGER
PART 2 TOP PROJECT MGMT TIPS FOR GRC AUTOMATION AND AUDIT AUTOMATION ROLLOUTS
GRC Implementation Lessons
• “Ounce of Planning worth a Pound of Execution” – Do not neglect the Planning phase; attention to details always pays.
• Pilot project can validate effort/approach – revisit resource needs after completion
• Decentralized approach needs establishment of clear, required minimum standards for documentation, evaluation
• Involve independent auditors throughout project
• Embed application controls into business process approach
Recommendations for maturing
• Establish a strong IT compliance program before attempting risk and governance.
– Automate control maintenance and testing procedures.
– Automate controls where appropriate.
– Establish a single authoritative source for IT controls.
– Monitor business, IT, and regulatory landscapes.
Recommendations for maturing (cont.)
• Establish an IT risk management program based on compliance.
– Keep the number of risk events to a minimum.
– Tie risk events to IT operations.
– Tie risk events to business risks.
– Use both real-time and point-in-time measurements.
• Establish an IT governance program after IT compliance and IT risk management programs are operational.
Be aware of the misconceptions about IT-GRC
• IT governance is the same as management.
• IT-GRC is a single program.
• It’s an IT issue.
• It’s a one-time project.
• It’s the only way to govern.
Lessons from the trenches
• Integration: Integrate within and beyond IT.
• Viewpoint: View risk from the eyes of the business.
• Technology: Automate at the right time (OP+NT=EOP)
• Process: Over-engineered solution creates resistance and is ultimately less effective.
• Approach: Start with compliance.
• Timeframe: Be patient.
Considerations When Identifying Controls
– Focus on “Key” controls:
• How does the application support the key financial processes?
• Is the application processing data or acting as a repository?
• Who relies on the controls?
– Consider the types of errors that can occur at the application and process level and don’t ignore infrastructure
– Ask “What is My Risk or What can Go Wrong” questions
– When evaluating IT controls and related risks, consider the relevant financial statement assertions for significant accounts
It’s a team effort
True governance, risk, and compliance does not begin and end with the IT organization. IT enables, but should not solely own GRC functionality.
• Controller or Audit Committee: Person or people in charge of governance – make strategic decisions, own the rule set.
• Role Owners: Managers by functional area who own one or more roles. All design changes to roles must be approved by the role owner. For critical roles, role owners also approve assignments and perform periodic reviews.
• SOD Owners: Managers by functional area, geography, or department who take ownership of mitigation controls and the approval of SOD conflicts.
• Audit Team: Monitoring of the system in accordance with the rules set forth by the audit committee or controller.
• Security Team: Proactive enforcement of SOD rules and critical authorization containment. Periodic monitoring of the system to keep in compliance with the rules.
Case Studies – Common Business Drivers / Anticipated Benefits
Opportunities for benefits are expanding as security moves from traditional user access control to enablement of business controls and management notification. An increasing number of our clients are recognizing the potential and are taking advantage of these new capabilities.
Future Vision benefit categories: Increase Assurance / Better Information / Enhance Compliance / Increase Value / Lower Cost of Operations
• Implement role based access control driving standardization in identities: X X X
• Conduct segregation of duties analysis across the Enterprise: X X X X
• Execute risk assessment, evaluation and mitigation as a service: X X X
• Enable preventative compliance within change control processes: X X X X X
• Implement automated controls to reduce work effort and complexity: X X X
• Provide real time management information when executives need it: X X X
• Improve governance through distribution of controls into the business: X X X X
QUESTIONS?
How to contact us:
Bhavesh Bhagat
Co-Founder
Bhavesh on LinkedIn
www.Linkedin.Com/in/BhaveshBhagat
703.424.7615 ext 1000
703.728.2493 - cell
www.EnCrisp.com