IT Compliance: Shifting from Cost Center to Profit Center

Proprietary & Confidential – Accretive Solutions, Inc.
How much is the changing regulatory landscape driving you to re-assess your third-
party relationships, including partnerships, suppliers, distributors, or other business?
1
The Changing Compliance Landscape
What are the biggest operational issues around managing compliance risks that you
face today?
66%
18% 17%
re-assess all to most
re-assess some re-assess none
47%
Monitoring third-parties
“Compliance Trends Survey 2013” Compliance Week and Deloitte.

IT Compliance as a Growth Accelerator
Connecting Problems with Problem Solvers
WELCOME

Webinar Features
3
Presentation Window
Use the buttons in the top-right of the
presentation window to maximize or
minimize a widget.
CPE CERTIFICATION
To qualify for CPE Credit you must
answer all of the polling questions
as well as fill out the CPE Evaluation.
Click this icon in the dock
to access the evaluation.
Q&A
If you have a question during the
presentation you may enter it here.
Resources
• Copy of Presentation
• Presenter Bios
Dock
Provides control of the on-screen
widgets.

CPE Credit
4
Two requirements:
1) Answer 4 polling questions
throughout the presentation
2) Fill out the CPE Evaluation
anytime during the presentation
Click this icon to take Evaluation

CPE Credit
5
Two requirements:

CPE Credit
6
Two requirements:

CPE Credit
7
YOUR NAME
Click this icon to print
CPE certificate

Agenda
Overview: Insights on structuring a more strategic IT Compliance
organization. Deploying an integrated framework to address multiple
compliance requirements while mitigating risks and driving efficiencies.
Lessons From the Trenches:
 Sajeev Prelis
Practice Director of IT Strategy & Compliance, Accretive Solutions
 Gary Pennington
Southwest Practice Director, SSAE-16 Professionals
 Blake Holman
Senior Vice President, Chief Information Officer, Ryan, Inc.
CPE Evaluation
8

Learning Objectives for this Webinar
 How an IT Compliance organization can be a catalyst for change
and a driver for growth
 Insights on how to positively contribute to the bottom line
 Practical examples of how an integrated framework impacts
organizations
9

Sajeev Prelis
10
Practice Director of IT Strategy
and Compliance
Accretive Solutions

Old compliance environment
 IT an Afterthought
 Nice to have
 Differentiator
 Selling point
11
Current compliance environment
 IT an Integral Part
 Must have
 Expected
 Deal breaker

Why Comply:
 Fulfills contractual obligations
 Provides a competitive advantage
 Secures a seat at the table
 Increases client confidence in internal controls
 Prevents audits/questionnaires throughout the year
 Increases investor confidence in internal controls
 Enhances internal operational control that would facilitate
controlled growth
…and, it’s the law!
12

 SSAE16 (SOC 1) - The Statement on Standards for Attestation
Engagements (SSAE) No. 16
 SOC 2 & 3 – Service Organization Control 2 & 3
 PCI DSS – Payment Card Industry Data Security Standard
 SOX – Sarbanes-Oxley 404
 HIPAA – Health Insurance Portability and Accountability Act
 ISO – International Organization for Standardization
 FCPA – Foreign Corrupt Practices Act
 FISMA – Federal Information Security Management Act
 FFIEC - The Federal Financial Institutions Examination Council
 ……….
13

Pain Points:
 Cost of multiple compliance assessments
 Direct monetary cost
 Opportunity cost of internal resource time
 Managing multiple service providers
 Hiring internal resources with skillsets to manage multiple efforts
 Maintaining multiple control lists
• Responding to multiple PBC lists
14

“Test once - comply with many” approach:
 Enable one test to cover multiple compliance initiatives
 Leverage common requirements across standards
 Aligns controls to cover multiple compliance initiatives
 Consolidates service providers
• Same team to test controls
• Retain tribal knowledge
• Deal with one point of contact
 Achieve reduction in overall assessment resources
for the environment
15
Alleviating the Compliance Burden

Benefits:
 Promotes efficiency by reducing internal resource audit support
responsibilities and frees up time to concentrate on business
needs
 Reduces compliance cost if performed by one provider
 Simplifies identification of control gaps and unmitigated risks
 Streamlines policy and procedure and control updates
16
Alleviating the Compliance Burden

Appoint internal champion who has executive support:
 Bring the different stakeholders and business units together
(IA, IT, Finance, Legal, Procurement)
 Identify geographic considerations
Reevaluate timing of reports:
 Movable vs. immovable compliance initiatives
 External stakeholder considerations
17
Implementation – Practical Considerations

Choose the service provider:
 One provider
 Multiple vendors managed internally
Take it slow, include one compliance initiative at a time.
18

Southwest Practice Director
Gary Pennington
19

SSAE 16 Professionals, LLP
 Licensed CPA firm with offices throughout the USA
 Registered with the PCAOB
 Specialized focus on SSAE 16 (SOC 1), SOC 2, & other IT
Compliance services
 Strategic alliance partner of Accretive Solutions
 Personnel comprised of former Big 4 and other large international
accounting firm personnel
20
Company Overview

Password Control
21
PCI SSAE16 / SOC2&3 ISO 27001 SOX
8.2.4 - Change passwords
at least every 90 days
8.2.3 - Passwords must be
at least seven characters
long
8.1.6/8.1.7 - Lockout
threshold and duration
8.2.3 - Passwords must
contain both alphabetic
and numeric characters
8.2.5 - History of at least
four passwords
remembered
Security Principal 3.2.5
The internal network
domain is configured to
enforce the following
password requirements:
•Maximum Password Age
•Minimum Password
Length
•Invalid Password Lockout
•Complexity
•Password History
9.4.1 – Access to information
and application system
functions shall be restricted in
accordance with the access
control policy.
9.4.2 – Where required by the
access control policy, access to
systems and applications shall
be controlled by a secure log-
in procedure.
9.4.3 – Password management
systems shall be interactive
and shall ensure quality
passwords.
Applications and
systems are configured
to comply with
password parameters as
defined in the Safe
Computing Policy.
Practical Example – Compliance Consolidation

22
9.1 - Controls to limit and
monitor physical access -
video cameras and/or access-
control mechanisms in place,
protected from tampering,
monitored/reviewed and
correlated with other entries,
and data stored for at least
three months.
9.3 - Visitors authorized,
distinguishable, badge
expiration controls.
9.4 - Visitor log
Security Principal 3.3.2
Physical access to the
onsite data center is
restricted to authorized
personnel.
11.1.1 – Security
perimeters shall be defined
and used to protect areas
that contain either
sensitive or critical
information and
information processing
facilities.
11.1.2 – Secure areas shall
be protected by
appropriate entry controls
to ensure that only
authorized personnel are
allowed access.
Physical access to the data
center is restricted to
authorized IT Operations
staff only.
Practical Example – Compliance Consolidation
Physical Access to Datacenter

23
5.1 Deploy anti-virus software on all systems
commonly affected by malicious software (particularly
personal computers and servers).
5.1.1 Ensure that anti-virus programs are capable of
detecting, removing, and protecting against all known
types of malicious software.
5.1.2 For systems considered to be not commonly
affected by malicious software, perform periodic
evaluations to identify and evaluate evolving malware
threats in order to confirm whether such systems
continue to not require anti-virus software.
5.2 Ensure that all anti-virus mechanisms are
maintained as follows:
 Are kept current
 Perform periodic scans
 Generate audit logs which are retained per PCI
DSS Requirement 10.7
5.3 Ensure that anti-virus mechanisms are actively
running and cannot be disabled or altered by users,
unless specifically authorized by management on a
case-by-case basis for a limited time period.
3.5.1 - Anti-virus software
with up to date virus
signatures are used to
protect all Company network
devices. Scans are
performed on a daily basis.
3.5.2 -Anti-virus software
security updates are applied
based on automatic update
timelines.
12.2.1 Detection,
prevention and recovery
controls to protect against
malware shall be
implemented, combined
with appropriate user
awareness.
Virus protection software at
the Network/Gateway level
is configured to scan and
filter the incoming and
outgoing network traffic
(Email, HTTP, FTP and other
messaging) for real-time
detection and quarantine of
malicious code.
Practical Example – Anti-virus Protection

Map controls:
 Identify control overlap
 Force adherence to the stricter control
 Standardize sample selection methodology
 Acquire applications that map multiple standards
 Good in theory, but not always practical
 Good starting point, but need experienced personnel to
properly execute
 Not always compatible with SSAE 16 since a standardized set of
controls has not been created by the AICPA
24

Additional potential efficiency:
Flexibility of control activities in SOC 1 and SOC 2 audits enables the
overlay of other compliance frameworks, including:
 PCI
 ISO
 HIPAA
 NIST
 Cloud Controls Matrix
25

Blake Holman
26
Senior Vice President,
Chief Information Officer

Ryan, LLC
 Global tax services firm founded in 1991
 The largest indirect tax practice in North America and the seventh
largest corporate tax practice in the United States
 Offices in 70 cities across 12 countries
 Provides a comprehensive range of state, local, federal, and
international tax advisory and consulting services, including:
• Audit defense
• Tax recovery
• Credits and Incentives
• Tax process improvement and automation
• Tax appeals
• Tax compliance
• Strategic planning
27
Company Overview

 Tax recovery work involving credit card transactions (PCI)
 Tax compliance services work (SAS70 and now SSAE16)
• Sales and Use Tax compliance services
• Property Tax compliance services
28
IT Compliance Situation

Security Questionnaires
are cumbersome
29
Challenges
Audits
Costly and time consuming
(and they can consume you, if you let them!)

 IT controls are conceptually and fundamentally the same
 Differences in controls often have to do with the level of rigor you
employ in satisfying the controls
 Poor planning results in burning lots and lots of employee and
auditor hours that can simply be avoided
 IT compliance doesn’t have to be hard
 Most security questionnaires are similar, though there are some
exceptions
30
Lessons Learned

 Line up the strictest standards and controls that you have to comply,
and set your program from those
 Decide when you want to be doing audits
 Try to get one provider to do as much of your audit work for you as
you can to gain economies of scale
• The IT Controls scale VERY well
 Work with your auditor to streamline the process
 Don’t release security information without a mutual NDA
 Save the answers to security questionnaires
 Prepare a security position document, if you can – it may help
streamline inquiries
31
Takeaways

 1 annual PCI audit
 2 annual SSAE16 audits
 PCI controls govern vast majority of the IT controls work
 Kick off in early September, fieldwork in October/November and
reports produced in December
 Result – focused audit efforts, fieldwork is done once for all three
audits, and the IT controls reporting for SSAE16 is leveraged for both
reports, enabling many other benefits, including being:
• Cost effective
• Scalable
• Improved profit margin for the firm
32
At Ryan

Moving towards a more strategic IT Compliance organization and deploying
an integrated framework to address multiple compliance requirements will:
 Drive sales / revenue by:
• Providing a competitive advantage and securing a seat at the table
• Increasing client and investor confidence in internal controls
• Enhancing internal operational control to facilitate growth
 Increase bottom line by:
• Reducing compliance costs
• Freeing up staff audit support time to concentrate on business
needs
33
Wrap Up

34
REMINDER
You must fill out the CPE Evaluation for credit.
UPCOMING WEBINARS
Latest SEC Initiatives and Impacts Relating to Accounting and Audit Practices
Techniques to avoid having financial reports flagged for investigation by the SEC
Cloud Security
Understanding key security implications of the migration of software to the cloud,
both as a seller and a user of cloud technologies.
Organizational Change Management
Locking down big hidden costs of Company Change
Thank You

IT Compliance: Shifting from Cost Center to Profit Center

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to IT Compliance: Shifting from Cost Center to Profit Center

Similar to IT Compliance: Shifting from Cost Center to Profit Center (20)

Recently uploaded

Recently uploaded (20)

IT Compliance: Shifting from Cost Center to Profit Center