En Crisp Grc Audit Automation Overview And Sustainability Strategies
This is the ISACANE - Metrowest Breakfast Meeting held on January 29, 2010.

Published in: Technology, Business

Slide 1: GOVERNANCE RISK COMPLIANCE - STRATEGIES TO LEVERAGE FOR POSITIVE CHANGE AND COST REDUCTION AMIDST GLOBAL ECONOMIC RECOVERY
Bhavesh Bhagat, Co-Founder

Slide 2: Agenda
  • Part 1 - GRC 101
    – Introduction to GOVERNANCE RISK & COMPLIANCE MANAGEMENT (GRC)
  • Part 2 – Managing GRC
    – Project Mgmt. Tips for GRC Automation and Audit Automation Rollouts
  • Strategies and Approach - Succeeding in Global Recession with Managing Automation

Slide 3: Why are We Here?

Slide 4: Sox 302/404 (Private) and OMB Circular A123 (Public)

302/404 Required activities:
  • Identify scope of disclosure controls and procedures and internal control over financial reporting
  • Document business processes and controls over all major activities within an entity (beyond solely processes impacting financial reporting)
  • Perform evaluation of control design and effectiveness
  • Identify and track resulting issues and remediation plans
  • Document changes in processes and controls; surface any associated issues
  • Cascade the accountability for control evaluation and roll up the results
  • Prepare internal control report
  • Support external auditor attestation

OMB Requirement (corresponding sections of Circular A123):
  • Section II: Scope
  • Section IV: Standards for internal control
  • Section III: Assessing
  • Section IV: Identification of Deficiencies
  • Section V: Management’s Assessment

Slide 5: JULY 16, 2008 - GUESS WHO?

Although Company has not disclosed much detail about the problem’s causes, the company’s SEC filing offers clues:
  • “We are currently implementing an enterprise resource planning (“ERP”) system on a staged basis in our subsidiaries around the world. We implemented the ERP system in several subsidiaries in our Asia Pacific region prior to fiscal 2008. During our second quarter of 2008, we implemented the ERP system in the United States resulting in changes in our system of internal control over financial reporting. Certain controls that were previously conducted manually or through a number of different existing systems were replaced by controls that are embedded within the ERP system, resulting in an update to our internal control process and procedures, the need for testing of the system and employee training in the use of the new system. Subsequent to the U.S. implementation, we encountered issues with the U.S. ERP system which caused us to further revise our internal control process and procedures in order to correct and supplement our processing capabilities within the new system. The changes described above materially affected our system of internal control over financial reporting during our last fiscal quarter.”

Slide 6: Not convinced about Governing and Managing Risk?

Slide 7: Bottom Line

Public & Non-Public entities need strict, documented, and tested Internal Controls to:
  1. Guard against fraud and mistakes
  2. Provide assurance to shareholders, Congress and taxpayers that funds are accounted for and used wisely
  3. Pass a Financial and an Internal Controls audit
  4. Stay out of the news

Slide 8: PART 1 - GRC 101

Slide 9: GRC MIS-management

Symptoms of mis-managed GRC (diagram):
  • Invalid Transactions
  • Sensitive Data Not Protected
  • Inefficient Processes
  • Lost Data
  • Reliance on Inaccurate Data

RISKS are:
  • Inherent
  • Obvious
  • Invisible
  • Accumulative
  • Dynamic
  • GLOBAL

Slide 10: Who-Why-What-Where-How’s of Control Solutions
  • Where do we build controls?
  • How do we balance controls, information systems, and monitoring?
  • What are some control requirements?
  • Who will design and review?
  • Who will own and Where?

Slide 11: Definitions
  • Governance: the act, process, or power of governing; to control the actions or behavior of
    – To define and adjust the activities of a group to achieve a set of goals
  • Risk: exposure to the chance of injury or loss; a hazard or dangerous chance
    – The likelihood of an event causing an adverse impact
  • Compliance: the act of conforming, acquiescing, or yielding
    – The degree of conformity to standards derived from governance sources

Slide 12: What are we Automating?

Diagram restating the three definitions as the objects of automation:
  • Governance: the act, process, or power of governing; to control actions/behavior
    – To define and adjust the activities of a group to achieve a set of goals
  • Risk: exposure to the chance of injury or loss; a hazard or dangerous chance
    – The likelihood of an event causing an adverse impact
  • Compliance: the act of conforming, acquiescing, or yielding
    – The degree of conformity to standards derived from governance sources

Slide 13: IT GRC linkages (diagram)

Slide 14: Select Framework - IT governance

The IT Governance Institute’s governance framework defines five governance goals:
  • Strategy — focus on aligning with the business and collaborative solutions
  • Risks — addressing the safeguarding of IT assets, disaster recovery, and continuity of operations
  • Resources — optimizing knowledge and IT infrastructure
  • Value — concentrating on optimizing expenses and providing the value of IT
  • Performance — tracking project delivery and monitoring IT services

The IT Governance Institute’s governance life cycle consists of five components. These components set objectives for IT, measure performance, compare to objectives, and redirect IT activities where necessary and change objectives where appropriate.

Life cycle diagram (G): Set Objectives → IT Activities → Measure Performance → Compare → Provide Direction

Source: Forrester Research

Slide 15: Select Framework - IT risk

The COSO enterprise risk management framework is geared to achieving an organization’s strategic objectives by establishing four goals:
  • Strategic — high-level goals, aligned with and supporting the mission
  • Operations — effective and efficient use of resources
  • Reporting — reliability of reporting
  • Compliance — compliance with applicable laws and regulations

The COSO enterprise risk management life cycle consists of eight interrelated components. These components set risk objectives, identify risk events, assess the likelihood and impact of events, remediate control deficiencies, and communicate risk assessment results and activities. These components are derived from the way management runs an organization and are integrated with the management processes.

Life cycle diagram (R): Internal Env. → Objective Setting → Event Ident. → Risk Assmt. → Risk Response → Control Activities → Info. & Comms. → Monitor

Source: Forrester Research

Slide 16: Select Framework - IT compliance

The Forrester IT compliance framework established four goals:
  • Sustainable — transparent integration with business and IT operations
  • Consistent — repeatable control testing and implementation throughout the IT environment
  • Efficient — streamlined control maintenance and testing
  • Authoritative — single source for IT controls and test procedures

The Forrester IT compliance life cycle consists of four components. These components establish an authoritative normalized IT control framework, integrate controls into normal IT operations, test control effectiveness, remediate control deficiencies, and report compliance results and activities.

Life cycle diagram (C): Maintain Control Framework → Implement Controls → Test & Remediate → Analyze & Report

Source: Forrester Research

Slide 17: Understand the Team

Organization diagram:
  • Enterprise-GRC: Board, Corporate compliance, Executive committee, Audit committee, ERM, Other enterprise governance groups, …
  • Functional-GRC: IT, HR, Legal, Internal audit, Line of business 1, Line of business 2, Line of business 3, …, Line of business n

Source: Forrester Research

Slide 18: Example Project Office Team Structure

Organization chart:
  • Steering Group: Overall Sponsor, Departmental Sponsor, Departmental Sponsor
  • Project Manager
    – IT Dept Project Lead
    – Vendor Project Lead, Vendor Rep
  • Project Office: Project Manager, Department Rep (Steering group link), Subject Matter Expert, Project Design, Project Admin, Coms, Validation, Independent Project Advisor
  • Stakeholders: Business Units by Geography, Related Departments, Executive, Interested Party’s, Etc

Slide 19: GRC Business Drivers - Governance, Risk and Compliance

Financial Compliance:
  • SOX mandate (Section 404 and 302)
  • Segregation of Duties analysis and enforcement
  • Reduce fraud and risk
  • Certify the sign-off process for executives
  • Identify controls for organization
  • Provide auditors with complete audit trail

Trade Management (enforcement is on the rise, esp. after 9/11):
  • Companies need to strictly adhere to changing regulations or risk costly fines
  • Security initiatives requiring more internal control, record keeping and audit trails
  • Additional regulations such as Anti-boycott / Anti-terrorism Regulations and Export Administration Regulations (EAR)

Environment Regulations (corporations need to comply with environment laws and regulations):
  • Mandate of Clean Air Act
  • Streamline environmental reporting
  • Health care risk assessment and prevention
  • Worker safety and hazardous materials need to be documented and identified

Slide 20: GRC Solution Overview - Governance, Risk and Compliance

Solution map (diagram):
  • Financial Compliance: Access Control, Process Control
  • Trade Management: Global Trade Management (GTM)
  • Environment Regulations: EH&S, Emission Mgt (xEM)
  • Enterprise Risk Management (spanning all three areas)
  • SAP SOLUTION MANAGER (underlying platform)

Slide 21: PART 2 - TOP PROJECT MGMT TIPS FOR GRC AUTOMATION AND AUDIT AUTOMATION ROLLOUTS

Slide 22: GRC Implementation Lessons
  • “Ounce of Planning worth a Pound of Execution” – Do not neglect Planning phase…attention to details always pays.
  • Pilot project can validate effort/approach – revisit resource needs after completion
  • Decentralized approach needs establishment of clear, required minimum standards for documentation, evaluation
  • Involve independent auditors throughout project
  • Embed application controls into business process approach

Slide 23: Recommendations for maturing
  • Establish a strong IT compliance program before attempting risk and governance.
    – Automate control maintenance and testing procedures.
    – Automate controls where appropriate.
    – Establish a single authoritative source for IT controls.
    – Monitor business, IT, and regulatory landscapes.

Slide 24: Recommendations for maturing (cont.)
  • Establish an IT risk management program based on compliance.
    – Keep the number of risk events to a minimum.
    – Tie risk events to IT operations.
    – Tie risk events to business risks.
    – Use both real-time and point-in-time measurements.
  • Establish an IT governance program after IT compliance and IT risk management programs are operational.

Slide 25: Be aware of the misconceptions about IT-GRC
  • IT governance is the same as management.
  • IT-GRC is a single program.
  • It’s an IT issue.
  • It’s a one-time project.
  • It’s the only way to govern.

Slide 26: Lessons from the trenches
  • Integration: Integrate within and beyond IT.
  • Viewpoint: View risk from the eyes of the business.
  • Technology: Automate at the right time (OP+NT=EOP)
  • Process: Over-engineered solution creates resistance and is ultimately less effective.
  • Approach: Start with compliance.
  • Timeframe: Be patient.

Slide 27: Considerations When Identifying Controls
  – Focus on “Key” controls:
    • How does the application support the key financial processes?
    • Is the application processing data or acting as a repository?
    • Who relies on the controls?
  – Consider the types of errors that can occur at the application and process level and don’t ignore infrastructure
  – Ask “What is My Risk or What can Go Wrong” questions
  – When evaluating IT controls and related risks, consider the relevant financial statement assertions for significant accounts

Slide 28: It’s a team effort

True governance, risk, and compliance does not begin and end with the IT Organization. IT enables, but should not own GRC functionality solely.

  • Controller or Audit Committee: Person or people in charge of governance – make strategic decisions, own the rule set.
  • Role Owners: Managers by functional area who own one or more roles. All design changes to roles must be approved by the role owner. For critical roles, role owners also approve assignments and perform periodic reviews.
  • SOD Owners: Managers by functional area, geography, or department who take ownership of mitigation controls and the approval of SOD conflicts.
  • Audit Team: Monitoring of the system in accordance with the rules set forth by the audit committee or controller.
  • Security Team: Proactive enforcement of SOD rules and critical authorization containment. Periodic monitoring of the system to keep in compliance with the rules.

Slide 29: Case Studies – Common Business Drivers / Anticipated Benefits

Opportunities for benefits are expanding as security moves from traditional user access control to enablement of business controls and management notification. An increasing number of our clients are recognizing the potential and are taking advantage of these new capabilities.

Table mapping initiatives (rows) to anticipated benefits (columns: Increase Assurance, Better Information, Enhance Compliance, Increase Value, Lower Cost of Operations, Future Vision); each row is marked against a subset of the columns:
  • Implement role based access control driving standardization in identities
  • Conduct segregation of duties analysis across the Enterprise
  • Execute risk assessment, evaluation and mitigation as a service
  • Enable preventative compliance within change control processes
  • Implement automated controls to reduce work effort and complexity
  • Provide real time management information when executives need it
  • Improve governance through distribution of controls into the business

Slide 30: How to contact us

Bhavesh Bhagat, Co-Founder
Bhavesh on LinkedIn: www.Linkedin.Com/in/BhaveshBhagat
QUESTIONS?
bb@encrisp.com
703.424.7615 ext 1000
703.728.2493 - cell
www.EnCrisp.com