
  1. Governance, Risk, & Compliance – Protiviti Demonstration
     Presenter: Michael Mask, Associate Director, Risk Technology Solutions Group
     May 1, 2006 – New Jersey IIA Chapter Software Expo
  2. Protiviti: Who We Are
     Protiviti Offices and Resources: Atlanta, GA; Boston, MA; Chicago, IL; Cincinnati, OH; Cleveland, OH; Dallas, TX; Denver, CO; Ft. Lauderdale, FL; Houston, TX; Kansas City, MO; Los Angeles, CA; Milwaukee, WI; Minneapolis, MN; New York City, NY; Orlando, FL; Philadelphia, PA; Phoenix, AZ; Pittsburgh, PA; Salt Lake City, UT; San Francisco, CA; San Jose, CA; Seattle, WA; St. Louis, MO; Tampa, FL; Vienna, VA; Toronto, Canada; Australia; Asia; Europe; South America
     Who We Are: Protiviti is an independent risk consulting and internal audit company that offers a full spectrum of internal audit services and specific operational risk competencies, delivered by way of proven methodologies and supporting technology.
     What We Do: We provide the following services to our clients: Business Risk Technology Risk Internal Audit Business Risk Consulting Event-Related Financial Risk Governance/Sarbanes-Oxley Operational Risk Credit Risk Treasury Basel II Internal Audit Co-Sourcing Outsourcing Internal Audit Transformation Quality Assurance Reviews Risk Assessment Technology Risk Consulting Applications Business Continuity Data Mining Infrastructure Privacy Project Risk Management Security
  3. An Integrated Governance Risk Compliance Platform: Protiviti Governance Portal (PGP) Overview
  4. An Integrated Governance Risk Compliance Platform: Protiviti Governance Portal (PGP) Overview
     Diagram labels: ORGANIZATION PROCESS RISK FINANCIAL RCM LINK Risks and Controls Policies Procedures Document Group Process Maps Documentation Narratives Actual Near-Miss Loss Database External Loss Collection Risk and Control Repository Objectives Risks Tests Controls Update Periodic / Sustainable Activities Assess Validate Remediate Report Monitor
  5. The PGP Directs Individuals to Their Areas of Responsibility (PGP Overview)
     • Sarbanes-Oxley (SarbOx Portal™): Perform tests and review owned controls
     • Self-Assessment (TSA™): Conduct all aspects of a self-assessment including test validation, review, and sign-off
     • Operational Risk Management (ORM Portal™): Assess enterprise risk event categories; manage risks via dashboard reporting
     • IA Portal (TSA™): Facilitate audit activities from planning and risk assessment to electronic workpaper management
     My Portal: Tailor user experience for specified responsibilities
     • The My Portal area creates a user-specific collection of tasks, reports, summaries and owned activities
     • In much the same way that the Protiviti Governance Portal functions as an organized repository of an organization’s governance data, the My Portal tab functions as a framework for an individual’s governance data
     • Each user’s view can easily be expanded or contracted based on their user profile
     Shared Governance Activities
     • Monitor and resolve action plans through a single, on-line platform
     • Execute workflow-driven tasks across multiple governance activities
     • Measure risk and performance indicators linked to key RCMs, risks, controls, objectives, risk categories* and financial elements
     * Available in ORM Portal
  6. Foundational Frameworks (PGP Overview)
     Common Frameworks Provide Organizing Principles of an Integrated System
     • The association of business processes with organizational units provides an analytical framework supporting varying analysis including documentation, risk and control analysis and risk event assessment.
     • This analysis can be related to financial reporting to support SOX exercises or to enterprise risks to support broader risk management practices.
     Diagram labels: FINANCIAL MODEL, PROCESS MODEL, RISK EVENT MODEL, ORGANIZATION MODEL, CREATE, LINK, Information Technology MODEL, PROJECT & EVENT MODEL
  7. Common Features - Documentation (PGP Overview)
     Document management features make the PGP a powerful document management repository
     • Upload multiple files and/or URLs to documents
     • Check in/Check out feature prevents numerous users from editing the same document at the same time
     • Maintain the integrity of documents by retaining version history
     • Track changes made to Document Evaluations and Attributes in Change History
     • Maintain multiple versions of the same document, select a previous version to be the current version
  8. Common Features – Risk and Control Matrices (PGP Overview)
     The Risk Control Matrix – Tool - analyze Objective, Risk and Controls
     • Quick Reports allow users to obtain rich information and provide a high level view of RCM content
     • The RCM is a “tool within a tool”
     • It allows for sophisticated analysis of objectives, risks and controls
     • A library can be used to baseline risk and control activities
     • Discipline is rewarded when reporting
     • Review, Action Plans, Notes, Tasks, Attachments & History facilitate resolution
  9. Common Features – Action Plans (PGP Overview)
     Identify, track, and resolve action items
     • Gather and track action items in a single application providing management visibility into key issues across multiple risk management efforts
     • Assign resolution or review responsibility to individuals or user groups such as an internal control group
     • Notify users via email when action plans are created, edited or deleted
     • Capture response and resolution steps
     • Associate action plans with objectives, risks, or controls
     • Build out additional tasks around action plans to delegate responsibilities
  10. Dynamic Reports (Reporting Overview)
     Report from across control activities, risk assessments and loss events via a single application
     • Crystal-based reporting engine allows organizations to develop reports to meet their unique needs over time, without requiring modification to code
     • User Reports: Drill-down dashboards contained within My Portal that present information based on individual users’ owned organizational units
     • Quick Reports: Provide printable information while performing analysis in a given area of the system
     • Filterable Reports: Provide flexible filtering options to support specified analysis
  11. User-Defined Searches (Reporting Overview)
     Support specific reporting analysis via user-defined searches
     • The system contains over 40 searches that allow for development of user-defined search criteria across a range of topics
     • Select and sort fields to include in the report
     • Select filter criteria
     • Save search as public or private search
     • Drill directly to search results
     • Export search results to develop specific and detailed analysis using familiar tools such as Excel
  12. Project Team and Executive Dashboards (Reporting Overview)
     Provide holistic, multi-perspective views of SOX evaluations performed
     • Dashboards aggregate RCM process, objective, risk, and control evaluations by Financial Reporting Element, Process Classification, and Organizational Unit.
     • The dashboards allow users to drill into more specific information. For example, if Organization 1 displays 4 ineffectively operating controls, users can drill directly to a list of ineffectively operating controls. From the list of ineffectively operating controls, users can then drill directly to a particular control in question.
  13. SarbOx Overview
     The system allows for documentation and detailed risk and control analysis that can be aggregated via multiple perspectives: Financial Reporting, Business Process, and Organizational Hierarchies.
     Documentation may include:
     • Process Maps*
     • Policies & Procedures
     • Process Narratives
     • Key Performance Indicators
     • Job Aids
     • Checklists
     * Does not include a mapping tool.
     Common tasks performed in building these models under Protiviti’s risk-based approach are:
     • Identify “control units”
     • Identify and prioritize all financial reporting elements
     • Identify business processes that affect financial reporting
     • Perform process risk assessment
     • Link processes to related organizational units and financial reporting elements
     • Determine overall process criticality based on process risk and priority of related financial elements
     • Process criticality is a key determinant of the level of process documentation and control testing in a true risk-based approach
     Diagram labels: Organization Model; Financial Model; Process Model (PCS); Documentation; Risk and Control Matrix; Risk & Control Library; Control Testing Documentation; Controls: Evaluation of Control Operating Effectiveness; Risks: Evaluation of Control Design Effectiveness, Evaluation of Control Design & Operating Effectiveness; Objectives: Evaluation of Objective Achievement
  14. The Self Assessment Life Cycle (TSA Overview)
     • The administrator can build and re-use an assessment template to periodically publish or “deploy” an assessment. Each assessment can be uniquely named, contain key messages and have specific start and end dates for assessors and reviewers.
     • A question may be designed or “configured” to react to assessor’s feedback. Each “question-response” combination can validate behavior such as requiring answers or comments as well as generating “workflow”.
     • The primary activity is the assessor window, which allows respondents to provide feedback.
     • Action and/or Test Plans may be created based on the Question Configurations. If initiated, these serve as “to-do’s” that can be documented and tracked as they move toward conclusion.
     • The group’s primary function is to create a “domain of review”, where a set of reviewer(s) are limited to a pool of assessors. These reviews can be performed by a single individual or delegated to a maximum of 3 persons per group.
     • Review and Signoff introduce a series of “Quality Assurance” activities.
     Diagram labels: Assessment Template, Deployed Assessment, Assessment Lifecycle, Assess, Questions, Packages, Objective Groups, Risk, Assessors, Dashboards, Reports, Export, AP Review, TP Review, Group Review, Assessment Completion, Test Plan, Action Plan, Action Plans, Test Plans, Required Values, Review, Signoff, Group Review, Best Practice, Reporting, Configuration
  15. ORM Portal™ Overview - RCSA (RCSA Overview)
     The addition of a risk event model to proven RCSA technology supports high level assessment of operational risks, and allows risk owners to drill into deeper analysis as necessary.
     • Establish a Common Risk Event Model
       • Enterprise-wide Risk Categories
       • Multiple scoring models by Risk Category
       • Framework for organizing both risk assessments and loss events
     Diagram labels: Documentation; Risk and Control Matrix; Organization Model; Financial Model; Process Model (PCS); Control Testing Documentation; Controls: Evaluation of Control Operating Effectiveness; Risks: Evaluation of Control Design Effectiveness, Evaluation of Control Design & Operating Effectiveness; Objectives: Evaluation of Assertion Achievement; Risk Event Model; Risk Event Analysis; Risk Categories; Classify Risks; Rate Inherent Risk; Set Tolerances; Assess Residual Risk; Drill Deeper as Needed
  16. Internal Audit – The Protiviti Way (IA Portal Overview)
     Diagram labels: COSO ERM CHANGE OBJECTIVES Assess Risk Identify and Assess Risk ENTITY Entity Level Process/ Location/ Transaction/ Level Create Overall Internal Audit Plan Plan & Create Infrastructure Understand Analyze Activity Set Objectives and Plan Identify & Prioritize Risks Identify Controls & Evaluate Test Controls Report Monitor & Follow-up Control Self Assessment Add Value Oversight Insight Foresight Embrace IIA Standards Attribute Performance Implementation Practice Advisories
  17. The Protiviti Story
     Protiviti is a leading provider of independent internal audit and business and technology risk consulting services. Protiviti was formed in May 2002 when Robert Half International (RHI) hired more than 650 experienced and highly qualified partners and professionals formerly with Arthur Andersen LLP’s US internal audit and risk consulting practices. These practices operated separately from Andersen’s external audit and attestation services. Today, Protiviti works with over 25% of the Fortune 500 and employs over 2,200 professionals in more than 45 locations throughout North America, Latin America, Europe, Asia and Australia. The firm retains the intellectual capital used and developed by its professionals over the past decade.
     About Our Parent Company: Robert Half is a $3.3 billion public company with a $5 billion market capitalization and 330 worldwide offices. It has virtually no debt, a strong cash position and an outstanding track record in growing businesses. It is recognized as one of Forbes’ “Most Admired Companies”.
     Our Market Position…and Future: The name Protiviti represents professionalism, integrity and independence. Unlike most other risk consulting practices, Protiviti has no affiliation with an external audit firm, nor does it provide any external audit services. This offers us a key strategic advantage, as we can offer the resources, quality, capabilities and expertise of any large accounting firm without regulatory or market concerns regarding conflicts of interest.
     Protiviti combines the strengths of your Large Consultant and Boutique alternatives … without compromise
     • Boutique:
       • Responsive client service
       • Lack of SEC restrictions
       • Independent from attest & tax services
       • Better teaming with external constituents
       • Focus on core offerings
     • Major Consultancy:
       • Methodologies & tools
       • Experienced professionals
       • Depth of risk consulting services
       • Financial & management stability
       • Recognized
       • Global presence
  18. Our Commitment to Technology Enabling Solutions
     • Protiviti recognized as strong performer in governance, risk and compliance platforms by Forrester Research (The Forrester Wave™ Q1 2006)
     • Since release in March 2003, the base of clients utilizing our technologies has steadily grown
     • Our solution is battle-tested. Client feedback has infused continuous development resulting in 5 incremental versions of our SarbOx Portal™, the foundation of Protiviti’s Governance Portal
     • To meet the needs of our clients seeking to evolve their governance programs, we developed and released the Protiviti Governance Portal, an integrated governance risk compliance platform, in April 2005
     • We continue to seek and incorporate our clients’ feedback into the solution, and will continue to extend the capabilities of our framework, as reflected with the current development of an integrated Internal Audit module
     Our Vision: To be recognized as the premier global risk consulting and internal audit services company.
     Our Mission: To constantly improve how businesses manage risk. We will develop deep competencies in people which enhance their value. We will bring unparalleled expertise to clients in risk management.
     Our Core Values:
     • professional
     • productive
     • proactive
     • objectiviti
     • creativiti
     • integriti
  19. Protiviti Governance Portal: Who to Contact (Other Information)
     We would be happy to demonstrate our technology tools and discuss how Protiviti can help you create a sustainable compliance process.
     • Scott Gracyalny, Managing Director, Risk Technology Solutions, 312.476.6381, [email_address]
     • Scott Wisniewski, Director, Risk Technology Solutions, 312.476.6302, [email_address]
     • Michael Mask, Associate Director, Risk Technology Solutions, 312.476.6396, [email_address]