November 2010 article: Information is Power
Information is power — but how can we control this power?
By Greg Wallig CISA, CGEIT, and Omar Kuyateh CGFM, CDFM, CISA, CISM, CFE, PMP
Information is power, and those who control it are often the most powerful people. Information has
implications for public policy, the economy, national security and, in the case of publicly traded corporations,
market or price.
The legislative framework
The Federal Government devotes a good deal of legislative and regulatory effort to safeguarding information:
protecting the automated systems that process it, and ensuring the integrity, timeliness and reliability of the
information itself. Some of the many legislative acts that form a framework for IT or financial safeguards and
controls are:
The Chief Financial Officers Act of 1990 (CFO Act)
Clinger-Cohen Act of 1996 (Information Technology Management Reform Act)
Computer Security Act of 1987
Federal Financial Management Improvement Act of 1996 (FFMIA)
Federal Information Security Management Act of 2002 (FISMA)
Federal Managers’ Financial Integrity Act of 1982 (FMFIA)
Government Information Security Reform Act (GISRA)
Government Management Reform Act of 1994
Government Performance and Results Act of 1993 (GPRA)
Various sections of the U.S. Code and White House Office of Management and Budget guidance (e.g.,
OMB Circular A-123, Management’s Responsibility for Internal Control, and A-130, Management of Federal
Information Resources).
Management’s responsibility
Management is responsible for establishing and maintaining effective internal control and financial management
systems that meet the objectives of the legislative framework. These objectives are to:
1. Support effective and efficient operations
2. Comply with applicable laws and regulations
3. Produce reliable financial reporting
4. Safeguard assets
5. Prevent fraud, waste and abuse
A Governance, Risk and Compliance management approach
Managers, the stewards of government’s administrative, program and financial operations, can enhance their
stewardship through a governance, risk and compliance (GRC) program. GRC is a comprehensive framework of
strategy, processes, people and technology that strengthens controls and improves efficiency and effectiveness.
The framework relies on enterprise-wide risk management and governance to support the control environment,
instead of simply the traditional compliance activities. Figure 1 below depicts how governance, risk and
compliance interact with internal organizational mechanisms to achieve desired outcomes. The green boxes
emphasize that a well-defined GRC framework supports strategy, people, processes and technology. The light
blue background highlights that internal policies, risk appetite and external regulations all influence
management’s approach to GRC. The expected outcomes of a GRC program, shown in blue, include ethically
correct behavior and improved efficiency and effectiveness, especially by those charged with governance.
Figure 1: GRC framework [1]
[Figure: the core elements Governance, Risk Management and Compliance are shown as integrated, holistic and
organization-wide, supporting Strategy, Processes, People and Technology; they are shaped by internal policies,
risk appetite and external regulations; the outcomes are ethically correct behavior, improved efficiency and
improved effectiveness, with operations managed and supported through GRC.]
[1] Racz, N., E. Weippl and A. Seufert (2010): “A frame of reference for research of integrated GRC.” In: Bart De
Decker, Ingrid Schaumüller-Bichl (Eds.), Communications and Multimedia Security, 11th IFIP TC 6/TC 11
International Conference, CMS 2010 Proceedings. Berlin: Springer, pp. 106-117.
Benefits of a GRC Approach
GRC is not a replacement for internal control testing, but instead is a comprehensive framework that
incorporates all mechanisms for improving performance and managing risk, including internal controls. GRC
provides smarter governance and planning processes that can better target and enhance the effectiveness of
internal control efforts and deliver much more value than a traditional controls testing approach alone. GRC
advantages include:
GRC places greater emphasis on setting up the framework and culture needed to improve controls and
reduce risk, instead of using a traditional approach that relies excessively on repeated, detailed and costly
control testing.
GRC incorporates more meaningful risk assessments and considers a broader group of risks.
GRC targets testing activities at those controls most likely to reduce or manage risk.
GRC considers other risk mitigation activities, instead of focusing exclusively on internal control testing and
remediation. This includes more emphasis on self-assessment and monitoring, which frees internal control
program personnel to focus on areas of greatest risk.
GRC emphasizes ownership and accountability across all facets of an organization.
GRC enhances communication, allowing management to focus on the highest risk areas.
Effective communication among key operational and mission support personnel is important because it
will help the organization to effectively:
1. Conduct a high-level risk assessment,
2. Identify controls,
3. Define assessable units,
4. Develop a risk assessment plan,
5. Conduct process-level assessments, and
6. Develop assessment plans and schedules.
GRC is integrated. It organizes and supplements other efforts, rather than duplicating them.
In Conclusion
Our responsibility as financial managers requires us to safeguard and ensure the accuracy of information.
Methods used in years past to accomplish this mission are no longer adequate to address the increasing
importance and complexity of information in our organizations. New techniques, such as those embodied in
governance, risk and compliance, are a more realistic approach to addressing the risks and power associated with
information.
About the Authors
Greg Wallig is a Principal in Grant Thornton LLP’s Global Public Sector practice in Alexandria, Va. Mr. Wallig
brings a unique combination of public and private sector experience to organizations that are seeking to optimize
the control and management of their business. With a decade of program design and launch experience coupled
with six years of risk management and Sarbanes-Oxley (SOX) experience, Mr. Wallig helps clients design and
operate efficient compliance programs. To that end, Mr. Wallig has both designed and assessed control
frameworks for some of Grant Thornton’s largest clients in both an internal and external audit capacity. He is
particularly adept at working in highly complex environments with high volumes of transactional data. Mr. Wallig
leads Grant Thornton’s Public Sector Governance, Risk and Compliance practice.
Omar Kuyateh is a Senior Manager at Grant Thornton with more than 13 years’ experience providing audit,
accounting and advisory services, including 9 years working with Federal Government agencies. His experience
includes planning and executing federal audit and advisory engagements, especially in OMB Circular A-123,
Appendix A, “Review of Internal Controls over Financial Reporting.”
About Grant Thornton LLP
Grant Thornton LLP, founded in Chicago in 1924, is one of the largest accounting and management consulting
firms in the world. Grant Thornton’s Global Public Sector practice, based in Alexandria, Va., is a global
management consulting business with the mission of providing responsive and innovative financial, performance
management, human capital management and systems solutions to governments and international organizations.
We provide comprehensive, cutting-edge solutions to the most challenging business issues facing the public
sector.
Contact us
Greg Wallig, Principal
T 703.847.7611
E Greg.wallig@gt.com
Omar Kuyateh, Senior Manager
T 703.637.2908
E Omar.Kuyateh@gt.com
Or visit www.GrantThornton.com/publicsector