3. HOST
Kevin McCormack
Managing Director, Content & Programming
kevin.mccormack@ethisphere.com
303.819.9817
QUESTIONS
We welcome you to submit any questions for the presenters through the chat function you see on your screen.
RECORDING
The event recording and PowerPoint will be provided post event.
4. SPEAKING TODAY
Skadden, Arps, Slate, Meagher & Flom LLP – Cyberattacks 2014 – How to Prepare Today and Respond Tomorrow
Danny Goldberg
Founder
GOLD SRD
Terence Lee
Regional VP GRC Solutions
MetricStream, Inc.
6. Danny M. Goldberg
• Founder, GOLDSRD (www.goldsrd.com)
• Former Director of Corporate Audit/SOX at Dr Pepper Snapple Group
• Former CAE – Tyler Technologies
• Published Author (Book/Articles)
• Texas A&M University – 97/98
• Chairman of the Leadership Council of the American Lung Association – North Texas – Calendar Year 2012
• Served on the Audit Committee of the Dallas Independent School District (CY 2008)
• Current Dallas and Fort Worth IIA Programs Co-Chair
• Fort Worth IIA Board Member
• IIA North America Learning Committee Member
Certifications:
• CPA – Since 2000
• CIA – Since 2008
• CISA – Since 2008
• CGEIT – Since 2009
• CRISC – Since 2011
• CRMA – Since 2011
• CCSA – Since 2007
• CGMA – Since 2012
7. Danny M. Goldberg (cont.)
• Highly-Rated, Internationally Recognized Speaker
– One of the Top Rated Speakers, 2014 IIA All-Star Conference
– 7th Rated Speaker, 2014 ISACA ISRM Conference
– One of the Top Rated Speakers, 2014 IIA Mid-Atlantic Conference
– One of the Top Rated Speakers, 2014 IIA Gaming Conference
– 6th Highest Rated Speaker (out of 116), 2013 IIA International Conference
– 3rd and 5th Rated Sessions, 2013 IIA Central Regional Conference
– 8th Rated Speaker (out of 120), 2012 IIA International Conference
8. Danny M. Goldberg (cont.)
• Published Author
– HFTP Journal: Practice Ethics (November 2014)
– Bureau of National Affairs – Internal Audit: Fundamental Principles and Best Practices (Professional Commentator)
– College & University Auditor (March 2014 Cover) – Project Management
– Audit Report Articles (June 2013 Cover, March 2012, March 2011, June 2010 Cover) – “Critical Thoughts on Critical Thinking”
– ISACA Journal (May 2012, August 2012)
– Internal Auditor Articles (August 2007, December 2007, October 2010)
– Dallas Business Journal (January 2011) – “The Yes Man Phenomenon”
9. Agenda
• Overview of Compliance and Integration Challenges
• Top-Down Risk Based Approach (Centralized Oversight)
• Compliance as a key enterprise risk
• Key Aspects for Integrated Auditing
• Differentiation between External, Internal and Regulatory
• Differences (Sample Sizes, Substantive versus Controls)
10. Compliance Today
• Business is NOT being deregulated; standards are increasing and becoming more stringent
• Silo approach to compliance in many large organizations
– Little to no integration (competing priorities)
– Compliance is not viewed as value-add (“we have to do it”)
11. Implications of Lack of Integration
• Who owns compliance? Which line of defense?
• Limited compliance knowledge in the business/process owners
• Advanced preparation becomes a necessity
• Lack of separation between auditors (“We get audited all the time”)
12. Top-Down Approach
• Board Oversight and Support (Compliance Program)
• Management Messaging (Continuous)
– Focus on Value of Compliance
• Continuous Monitoring/Auditing
• Incentive Plans tied to Compliance
13. Compliance Program
• Compliance is Part of Management
• Considered at the Strategic/Enterprise Level
• Addressed as Part of ERM Program
• Address Root Causes when Non-Compliance is uncovered
• Consider/Identify business process interdependencies
14. Definition of Internal Audit
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.
It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
15. Key Enterprise Risks
• Focus on Value of Compliance
• A top-five risk in most/many industries
• Compliance is not optional
• Lack of Compliance
– Do Not Focus on Fines
– Unable to do Business?
– Not aligned with Company’s Strategic Objectives?
16. Messaging
How Do You Get People to Do What They Do Not Want to Do?
• Socialize Importance of Compliance
• Continuous Communication
• Training
• Embed in the Business
18. Integrated Auditing
• Starts at the Top
• Umbrella Approach to GRC?
– All functions reporting through same authority line
• Must start at the Risk Assessment Level
– Combine Audit Risks with Compliance Risks (if possible)
• Integrate Pool of Auditors
19. Types of Continuous GRC
• Data Analytics
– Continuous Monitoring
– Continuous Auditing
• Continuous Risk Assessment
• Continuous Controls Monitoring
• Data Warehousing
• Data Mining
• Fraud Detection Tool
20. Continuous Controls Monitoring
• Process performed by management to determine whether policies are operating effectively
• Uses automated tests to identify activities and transactions that fail to comply with controls
• Allows management to fix control problems in a timely manner
• Similar to continuous risk assessment – find the key controls, understand how they can be monitored through the system, etc.
21. “Who is Auditing Me Now?”
• Confusion among auditees as to who does what
• Perception is that audits happen “all the time” – there is no end
• Integration will improve that perception
• Important to delineate between internal and external
22. Differences Between Compliance and Internal Audit
• Controls testing versus Substantive testing
• Non-statistical Sampling versus Statistical Sampling
• Concluding on initial sample versus extending sample sizes
23. Benefits of Compliance Optimization
• Efficiency and Effectiveness of Compliance Process = Money
• Real-Time Information (KPIs) – pushes understanding and acceptance
• Increased Readiness to Respond to Third Parties
24. Summary
• Compliance must be viewed as a key risk (ERM)
• Integration is key to efficiency and effectiveness
• Automation (CA/CM) is key to effective response
• Can generate new revenue, etc. = Business Opportunity
40. This webcast and all future Ethisphere webcasts are available complimentary and on demand for BELA members. BELA members are also offered complimentary registration to Ethisphere’s Global Ethics Summit and other Summits around the world.
For more information on BELA contact:
Laara van Loben Sels
Senior Director, Engagement Services
laara.vanlobensels@ethisphere.com
480.397.2663
Business Ethics Leadership Alliance (BELA)