January 2012
Mizuho Bank Internal Audit
Evaluation Quick Start Guide
For any site inquiries, please contact:
Matt McDonough, Pre-Sales Engineer
312.364.4916
matthew.mcdonough@protiviti.com
2. © 2012 Protiviti Inc. An Equal Opportunity Employer.
CONFIDENTIAL: This document is for your company's internal use only
and may not be copied nor distributed to any third party.
A definition of ERM
Proposed Solution
Protiviti's Governance Portal offers clients a flexible technology solution to balance
sound governance with business performance.
Financial Controls
Compliance
Enterprise Risk
IT Governance
Internal Audit
Shared Database with Configuration
Protiviti Governance Portal
Monitoring, Workflow and Reporting
GRC Module
A GRC system that supports risk, control management,
and incident management.
Internal Audit Module
An integrated audit management system that facilitates
risk assessment, planning, electronic work papers,
issue management and reporting.
Log On
• Access the Portal through your internet browser at:
http://grc5.protiviti.com/demosecond40/Default.aspx
• Enter your Admin ID and password
• IDs:
admin@sarboxportal.com
Password: password1
Click the Lock
symbol to log into
the Portal.
Enter Admin email
address and
password.
Ribbon
• After logging in, the
first thing you will
notice is a basic
homepage with a
welcome message
and some key
administration
activities.
• Ribbon includes a
configurable layout
that allows you to
manage navigation for
users and allows you
to expand or collapse
the particular view
you’re going to go into
without having to go
out to the homepage.
“Click”
Default GRC
Default GRC View: GRC Register
• GRC Register
contains an Entity
Hierarchy. GRC
Register is flexible
to support client
frameworks and
entities. If a client
has a basic
approach it can be
simplified. As you
expand out the
organizations, you
will notice a series
of sub-units and
sub-processes.
GRC Register: Entity Hierarchy
• Four processes with key
data:
• Chicago – Payables Process
• Chicago – Information
Security Process
• New York – Underwriting
Process
• Desk Officers – Trading
Process
• Expand out individual risk
control matrices right on
the hierarchy.
• Gives flexibility to build out
and manage your
framework right from this
page.
• Can add risks and
controls by right clicking
on “Add Risks or
Controls”.
Expanded Out View
GRC Register: Entity Hierarchy
• Filtering
capabilities: The
filtering capabilities
allow you to view
only what you want
highlighted. In this
example, Projects
with High Risks are
highlighted, and
what defines High
Risks is completely
configurable to the
client's internal
methodology.
• From the entity tree
you can begin to
scope out an audit
directly on this
page.
Filter Entities by Project
– High Risks
By clicking scope you
can begin to plan an
audit.
Projects: Schedule
• Shows all the different
projects that have been
set up in the tool.
• Can expand and
collapse projects with
details down below.
• Full staffing capability in
the tool that allows you
to look at who is
assigned/not assigned
to a particular project.
• Can search and filter
resources assigned to
project.
Workflow Management: Events
• Workflow feature in
the tool that is highly
flexible. Workflow is
driven off of two types
of activities: Events and
structured templates
that you deploy.
• Events that are
configurable by clients
allow you to build out
very specific activities
that will define or
trigger out a workflow
path. Events can be
very specific to client
methodology.
Workflow Management: Assessments
• On the Assessment link
there are a variety of
different surveys.
Surveys or
assessments can be
used to perform testing,
risk reviews,
awareness, educational
training, etc.
• Survey functionality has
been redesigned in the 4.0
version; it allows clients
to take advantage of
the latest technology,
including mobile device
support.
• E.g.: The Risk
Assessment in the tool
is just a highlight of how
you can pull data from
the risk register to send
out an email alert to
complete assessments.
Once completed, the
results automatically
feed back into the register.
Follow Risk
Assessment
hyperlink.
Analysis: GRC Dashboard
• Analysis component
contains a Dashboard
that shows 9 reports:
• Action
Assessment
Summary
• Regulatory Alert
Status
• Mitigation Plans
• Performance
Rating
• Performance
Indicators
• Key Indicators
• Information
Security
• Internal
Compliance
• Financial
Controls
All Reports have drill-down
capabilities.
Analysis: Ad Hoc (Risk and Controls)
• Search capabilities will
highlight data in a very
flexible query engine.
• Switch to filter mode
and it will allow you to
look for very specific
records.
Click Search Filter
Mode.
Risk and Controls
filtered by those
containing the word
“Cash”.
Click into Audit Management and Risk Management:
• At this point, it’s a
matter of focusing on
the most relevant
aspects for the
particular client’s
needs.
• For example, if the client
is using the tool for risk
management, it would
be appropriate to drill
into Risk
Management. Vice
versa for Internal
Audit.
Risk Management View
Audit Management
View
Risk Management View: RCM Library
• RCM Library allows
you to establish the
RCM Templates: risks,
controls, and
objectives.
All
Objectives:
Risk Management View: Analysis (Entity Ratings)
• On the Analysis
tab, you have all
the key aspects of
analytics:
Assessment
Ratings, Control
Ratings, KRIs,
KPIs, Loss Events,
and Identification of
Actions.
• Click into Entity
Ratings to illustrate how
you can start to use the
tool to assess some of
your different
metrics at an
entity level.
Click into Entity
Ratings.
Risk Management View: Reporting (Heat Map)
• On the Reporting tab,
you will have a series
of different reports that
are available.
• Heat Map Report: will
pull up an aggregated
view of all of the risks
across the system,
looking at their
residual and
inherent assessments.
You can drill into those
risks by clicking on the risk
name and looking at
the details.
Heat Map Pop-up
Risk Management View: Reporting (Risk Register Search)
• Search Builder: Risk
Register Search.
Demonstrate flexibility
by clicking on filter
mode and looking for
very specific controls
that contain text or
evaluation. Also, can
drag and drop columns
to group data to your
liking.
Apply different
Filters:
Risk Management View: Reporting (RCM Excel)
• This Excel link allows
you to demonstrate the
flexibility of the tool’s Excel
generated reports.
You can export a
search into Excel,
make a report in
Excel, and then load the
file back into the
application (and it will
continue to refresh for
you).
• The report is being
updated concurrently
with the tool.
Excel File is
constantly
updated as new
information is
entered:
Internal Controls View: Internal Controls
• Testing information
and action plans in the
Internal Controls
views.
• Main Point: Different
dashboards and
different links can be
provided for various
stakeholders.
Menu very similar to
Risk Mgmt. View:
Audit Management: Home (Dashboard)
• Audit View has its own
dashboards. Reports
have drill downs with
more details and you
have the ability to
perform updates right
in the report.
Drilldown
Capabilities:
Audit Management: Audit Planning (Audit Universe)
• In the Audit
Universe, look
at all areas
with high risks
and create a
new audit for a
high risk area.
• For clients who
prefer the
more
traditional
approach
without going
to org. tree,
they can just
click “Quick
Create”.
“Click” Quick
Create.
“Click” Scope to
add to existing
audit or create
new audit.
Audit Management: Completing Audit
• Can manage the Audit
through the scheduling
link.
• From the scheduling
view, you can push
and pull resources in
and out of the audit.
• There are 8 steps in the
audit. One of the more
common ones is an
opening/planning
meeting. User can
edit the audit by
changing the status of
the audit.
User can manually
change the status
of the audit.
Audit Management: Field Work Step
“Click” Not Started
under RCM
Development and
Completion.
“Click” Click
Here
• Once you go into the
RCM Development and
Completion, you can go
into the payables
process where the
payables risks and
controls can be viewed.
• The key thing is you can
pull in assessments that
were made by the risk
team, internal controls
team, or the business.
• The concept of having a
shared risk register that is
integrated with the rest of the
system is completely true.
Data can be
leveraged and shared.
Audit Management:
“Click” Add to
add WorkPaper
• Highlight that you
can add a new
testing work
paper, work
paper step,
and the details
around that
step.
Audit Management:
• Through the
Traditional Template
Library, you can import
payables risk control
matrix tests directly
into the RCM.
“Click”
Traditional
Template Library
“Click” Audit
Templates
“Click” Payables
Audit Management: Test Reviews
“Click”
Disbursements
• Take a look at the
Test Reviews Tab,
which shows all of the
assigned tests that
are ready for
review.
• If you click into the
test you can see
the details of the
tests performed,
look at any
attachments, and
perform the review.
Once the review is
performed, it will take it
off your queue as
action needed.
Auditor View:
• In the Auditor View,
you will see this user has
only been assigned to
an Auditor role, so the
homepage just has a
list of current audits.
• Assigned Test: In the
Assigned Test tab the
Auditor can see the
tests they have been
assigned and likewise
for Assigned Findings.
Homepage for
Auditor View:
“Click”
Assigned Tests
Tab
Compliance View:
• Compliance can mean
a couple different
things for clients:
Regulatory
Compliance, Internal
Compliance, and Case
Management. These
all have different tabs
across the top of the
portal under the
Compliance View.
• If you are going to
demonstrate
regulatory
compliance you will
need to log back in as
a different user, the
reason being we are
proxying how our
separation of forms will
be in the future.
Regulatory Compliance
Log-In: username:
john.russell@protiviti.com
Password: password1
Compliance: (John Russell Log-In)
• Regulatory Updates
Tab shows the updates
assigned to the user
from a regulatory
change perspective
which can be created
manually or through
integration with a 3rd
party content provider.
• This form is the loss
event form which is
being used for alerts.
• If you drill into an Alert,
there is information
about the Rule name,
description, what's
changing from a
regulatory perspective,
which business entities
are assigned to alert,
which classifications
the alert is linked to, which
risks the alert is linked to,
and which controls the
alert is linked to.
“Drill” into a
particular Rule for
further details.
Compliance: (John Russell Log-In)
• Regulatory Dashboard
will be looking at alerts
across the system trying
to understand which
business units they are
associated with, the
status of the alerts, and
which regulatory
themes are the alerts
associated with.
• The report has drill-down
capabilities which
will show the details of
the alert.
Drill Down
Capabilities:
Compliance: Internal Compliance
• You have the ability to
manage policy
compliance in the tool.
• You can build out an entity
hierarchy that includes
corporate policies and
within those policies you
can establish relationships
to organizations.
• You can document and
attach files into the tool
and when you mark status
for review, it will trigger
out a workflow for
individuals to perform their
reviews.
• Policy Review tab will
allow you to see all
policies that are up for
review and you will be
able to download the
documentation to your
computer; SharePoint
integration is another
option.
“Click” into create
documentation in
order to attach
documents.
Compliance: Case Management
• The tool has a case
management feature that
allows users to identify
issues/cases in the
organization. As you click
save the event will go
through a case review
process. Individuals will
be notified via email that
there is a new case, then
they can document the
case, and take that
through workflow. You can
build out projects which
leverage the audit
functionality of the tool.
• The information will be
similar to audit view but
the workplan flow will be
specific to cases. This is
customizable according to
a client’s case
management
methodology.
Enter Data in
the required
fields.
“Click”
Save.
IT Governance View: IT Hierarchy
• IT Governance View has
links to all IT Controls
and Action Plan
Summary.
• IT Hierarchy filtered to
show entities relevant to
IT area such as IT Services,
IT Applications, and IT
Organizations.
• Flexible to handle the
Service concept which is
the linking of a single
service to multiple
organizations and multiple
applications.
• As you perform
Assessments, reporting
feature allows you to
aggregate data and tells
you which services are
most impacted by the
organization. Provides
higher level view of data
by different cuts.
Aggregated
Data Reports in
the Dashboard
View.
Business User View and Issue Management View:
• Shows what a
business user might
see when they log in to
the portal. The view
that users see is
based on their role in
the organization.
• Issue Management
View is a more basic
view without the
complexities of the
entire portal.
Business
User View:
Issue
Management
View: