GOVERNANCE RISK COMPLIANCE
- STRATEGIES TO LEVERAGE FOR POSITIVE CHANGE AND COST REDUCTION AMIDST GLOBAL ECONOMIC RECOVERY.

Bhavesh Bhagat
Co Founder
Agenda
• Part 1 - GRC 101
  – Introduction to Governance Risk & Compliance Management (GRC)
• Part 2 – Managing GRC
  – Project Mgmt. Tips for GRC Automation and Audit Automation Rollouts
    • Strategies and Approach - Succeeding in Global Recession with Managing Automation

Why are We Here?

Sox 302/404 - Private
OMB Circular A123 - Public

302/404 required activities:
• Identify scope of disclosure controls and procedures and internal control over financial reporting
• Document business processes and controls over all major activities within an entity (beyond solely processes impacting financial reporting)
• Perform evaluation of control design and effectiveness
• Identify and track resulting issues and remediation plans
• Document changes in processes and controls; surface any associated issues
• Cascade the accountability for control evaluation and roll up the results
• Prepare internal control report
• Support external auditor attestation

OMB requirement (corresponding sections of Circular A-123):
• Section II: Scope
• Section IV: Standards for internal control
• Section III: Assessing
• Section IV: Identification of Deficiencies
• Section V: Management’s Assessment

JULY 16, 2008 - GUESS WHO?

Although the Company has not disclosed much detail about the problem’s causes, the company’s SEC filing offers clues:

• “We are currently implementing an enterprise resource planning (“ERP”) system on a staged basis in our subsidiaries around the world. We implemented the ERP system in several subsidiaries in our Asia Pacific region prior to fiscal 2008. During our second quarter of 2008, we implemented the ERP system in the United States resulting in changes in our system of internal control over financial reporting. Certain controls that were previously conducted manually or through a number of different existing systems were replaced by controls that are embedded within the ERP system, resulting in an update to our internal control process and procedures, the need for testing of the system and employee training in the use of the new system. Subsequent to the U.S. implementation, we encountered issues with the U.S. ERP system which caused us to further revise our internal control process and procedures in order to correct and supplement our processing capabilities within the new system. The changes described above materially affected our system of internal control over financial reporting during our last fiscal quarter.”

Not convinced about Governing and Managing Risk?

Bottom Line

Public & Non-Public entities need strict, documented, and tested Internal Controls to:

  1. Guard against fraud and mistakes
  2. Provide assurance to shareholders, Congress and taxpayers that funds are accounted for and used wisely
  3. Pass a Financial and an Internal Controls audit
  4. Stay out of the news

PART 1
GRC 101
GRC MIS-management

(Diagram labels:)
• Invalid Transactions
• Sensitive Data Not Protected
• Inefficient Processes
• Lost Data
• Reliance on Inaccurate Data

RISKS are:
• Inherent
• Obvious
• Invisible
• Accumulative
• Dynamic
• GLOBAL

Who-Why-What-Where-How’s of Control Solutions

• Where do we build controls?
• How do we balance controls, information systems, and monitoring?
• What are some control requirements?
• Who will design and review?
• Who will own and Where?

Definitions

• Governance: the act, process, or power of governing; to control the actions or behavior of
   – To define and adjust the activities of a group to achieve a set of goals
• Risk: exposure to the chance of injury or loss; a hazard or dangerous chance
   – The likelihood of an event causing an adverse impact
• Compliance: the act of conforming, acquiescing, or yielding
   – The degree of conformity to standards derived from governance sources

What are we Automating?

(Diagram restating the three definitions above.)
• Governance: the act, process, or power of governing; to control actions/behavior – to define and adjust the activities of a group to achieve a set of goals
• Risk: exposure to the chance of injury or loss; a hazard or dangerous chance – the likelihood of an event causing an adverse impact
• Compliance: the act of conforming, acquiescing, or yielding – the degree of conformity to standards derived from governance sources

IT GRC linkages

Select Framework - IT governance

The IT Governance Institute’s governance life cycle consists of five components. These components set objectives for IT, measure performance, compare to objectives, and redirect activities where necessary and change objectives where appropriate.

(Diagram: a cycle of Set Objectives, IT Activities, Measure Performance, Compare and Provide Direction, labelled “G”.)

The IT Governance Institute’s governance framework defines five governance goals:
• Strategy — focus on aligning with the business and collaborative solutions
• Risks — addressing the safeguarding of IT assets, disaster recovery, and continuity of operations
• Resources — optimizing knowledge and IT infrastructure
• Value — concentrating on optimizing expenses and providing the value of IT
• Performance — tracking project delivery and monitoring IT services

Source Forrester Research

Select Framework - IT risk

The COSO enterprise risk management life cycle consists of eight interrelated components. These components set risk objectives, identify risk events, assess the likelihood and impact of events, remediate control deficiencies, and communicate risk assessment results and activities. These components are derived from the way management runs an organization and are integrated with the management processes.

(Diagram: the eight components, Internal Env., Objective Setting, Event Ident., Risk Assmt., Risk Response, Control Activities, Info. & Comms. and Monitor, arranged in a cycle labelled “R”.)

The COSO enterprise risk management framework is geared to achieving an organization’s strategic objectives by establishing four goals:
• Strategic — high-level goals, aligned with and supporting the mission
• Operations — effective and efficient use of resources
• Reporting — reliability of reporting
• Compliance — compliance with applicable laws and regulations

Source Forrester Research

Select Framework - IT compliance

The Forrester IT compliance life cycle consists of four components. These components establish an authoritative normalized IT control framework, integrate controls into normal IT operations, test control effectiveness, remediate control deficiencies, and report compliance results and activities.

(Diagram: the four components, Maintain Control Framework, Implement Controls, Test & Remediate and Analyze & Report, arranged in a cycle labelled “C”.)

The Forrester IT compliance framework established four goals:
• Sustainable — transparent integration with business and IT operations
• Consistent — repeatable control testing and implementation throughout the IT environment
• Efficient — streamlined control maintenance and testing
• Authoritative — single source for IT controls and test procedures

Source Forrester Research

Understand the Team

(Diagram labels:)

Enterprise-GRC:
• Board
• Executive committee
• Audit committee
• …
• Other enterprise governance groups
• Corporate compliance
• ERM

Functional-GRC:
• IT, HR, Legal, …, Internal audit
• Line of business 1, Line of business 2, Line of business 3, …, Line of business n

Source Forrester Research

Example Project Office

Team Structure

Steering Group:
• Overall Sponsor
• Departmental Sponsor
• Departmental Sponsor
• Project Manager
• Vendor Rep

IT Dept: Project Lead
Vendor: Project Lead

Project Office:
• Project Manager
• Department Rep (Steering group link)
• Subject Matter Expert
• Project Coms
• Project Admin
• Design Validation
• Independent Project Advisor

Stakeholders: Business Units by Geography, Related Departments, Executive, Interested Parties, Etc

GRC Business Drivers

Governance, Risk and Compliance

Financial Compliance
• SOX mandate (Section 404 and 302)
• Segregation of Duties analysis and enforcement
• Reduce fraud and risk
• Certify the sign-off process for executives
• Identify controls for organization
• Provide auditors with complete audit trail

Trade Management
Enforcement is on the rise, esp. after 9/11
• Companies need to strictly adhere to changing regulations or risk costly fines
• Security initiatives requiring more internal control, record keeping and audit trails
• Additional regulations such as Anti-boycott / Anti-terrorism Regulations and Export Administration Regulations (EAR)

Environment Regulations
Corporations need to comply with environment laws and regulations
• Mandate of Clean Air Act
• Streamline environmental reporting
• Health care risk assessment and prevention
• Worker safety and hazardous materials need to be documented and identified

GRC Solution Overview

Governance, Risk and Compliance

• Financial Compliance: Access Control; Process Control
• Trade Management: Global Trade Management (GTM)
• Environment Regulations: EH&S; Emission Mgt (xEM)

Enterprise Risk Management
SAP SOLUTION MANAGER

PART 2
TOP PROJECT MGMT TIPS FOR GRC AUTOMATION AND AUDIT AUTOMATION ROLLOUTS

GRC Implementation Lessons
• “An ounce of planning is worth a pound of execution” – do not neglect the planning phase; attention to detail always pays.
• A pilot project can validate the effort and approach – revisit resource needs after completion.
• A decentralized approach needs establishment of clear, required minimum standards for documentation and evaluation.
• Involve independent auditors throughout the project.
• Embed application controls into the business process approach.

Recommendations for maturing
• Establish a strong IT compliance program before attempting risk and governance.
   – Automate control maintenance and testing procedures.
   – Automate controls where appropriate.
   – Establish a single authoritative source for IT controls.
   – Monitor business, IT, and regulatory landscapes.

Recommendations for maturing (cont.)
• Establish an IT risk management program based on compliance.
   – Keep the number of risk events to a minimum.
   – Tie risk events to IT operations.
   – Tie risk events to business risks.
   – Use both real-time and point-in-time measurements.
• Establish an IT governance program after IT compliance and IT risk management programs are operational.

Be aware of the misconceptions about IT-GRC

• IT governance is the same as management.
• IT-GRC is a single program.
• It’s an IT issue.
• It’s a one-time project.
• It’s the only way to govern.

Lessons from the trenches

• Integration: Integrate within and beyond IT.
• Viewpoint: View risk from the eyes of the business.
• Technology: Automate at the right time (OP+NT=EOP)
• Process: Over-engineered solution creates resistance and is ultimately less effective.
• Approach: Start with compliance.
• Timeframe: Be patient.

Considerations When Identifying Controls
  – Focus on “Key” controls:
      • How does the application support the key financial processes?
      • Is the application processing data or acting as a repository?
      • Who relies on the controls?
  – Consider the types of errors that can occur at the application and process level and don’t ignore infrastructure
  – Ask “What is My Risk or What can Go Wrong” questions
  – When evaluating IT controls and related risks, consider the relevant financial statement assertions for significant accounts

It’s a team effort

True governance, risk, and compliance does not begin and end with the IT organization. IT enables, but should not own GRC functionality solely.

Controller or Audit Committee: Person or people in charge of governance – make strategic decisions, own the rule set.
Role Owners: Managers by functional area who own one or more roles. All design changes to roles must be approved by the role owner. For critical roles, role owners also approve assignments and perform periodic reviews.
SOD Owners: Managers by functional area, geography, or department who take ownership of mitigation controls and the approval of SOD conflicts.
Audit Team: Monitoring of the system in accordance with the rules set forth by the audit committee or controller.
Security Team: Proactive enforcement of SOD rules and critical authorization containment. Periodic monitoring of the system to keep in compliance with the rules.

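The role split above (the controller or audit committee owns the rule set, SoD owners approve mitigating controls for specific conflicts, role owners approve role design changes, and the security team runs the periodic check) can be made concrete as a small segregation-of-duties check. The following Python is an added example, not code from this deck or from EnCrisp; every role name, user, rule id and date in it is constructed for illustration.

```python
"""Segregation-of-duties (SoD) check modelled on the role split in the slide:
the controller / audit committee owns the rule set, SoD owners approve
mitigating controls for specific conflicts, role owners approve role design
changes, and the security team runs the periodic check.  All names, rule ids
and dates below are constructed for the example."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    role_a: str
    role_b: str
    risk: str  # what could go wrong if one person holds both roles


@dataclass(frozen=True)
class Mitigation:
    rule_id: str
    user: str
    approved_by: str  # SoD owner who approved the mitigating control
    expires: date     # mitigations must be re-approved, not granted forever


# Rule set owned by the controller / audit committee (constructed).
RULES = [
    SodRule("SOD-01", "AP_VENDOR_MAINTAIN", "AP_PAYMENT_APPROVE",
            "create a fictitious vendor and approve payments to it"),
    SodRule("SOD-02", "GL_JOURNAL_POST", "GL_JOURNAL_APPROVE",
            "post and self-approve journal entries"),
]

# Role assignments as exported from the application (constructed).
ASSIGNMENTS = {
    "alice": {"AP_VENDOR_MAINTAIN", "AP_PAYMENT_APPROVE"},
    "bob":   {"AP_VENDOR_MAINTAIN"},
    "carol": {"GL_JOURNAL_POST", "GL_JOURNAL_APPROVE"},
    "dave":  {"AP_PAYMENT_APPROVE", "GL_JOURNAL_POST"},
}

# Mitigating controls approved by SoD owners (constructed); carol's has lapsed.
MITIGATIONS = [
    Mitigation("SOD-01", "alice", "sod_owner_finance", date(2025, 12, 31)),
    Mitigation("SOD-02", "carol", "sod_owner_finance", date(2024, 6, 30)),
]

# Who may approve design changes to each role (constructed).
ROLE_OWNERS = {
    "AP_VENDOR_MAINTAIN": "ap_manager",
    "AP_PAYMENT_APPROVE": "ap_manager",
    "GL_JOURNAL_POST": "gl_manager",
    "GL_JOURNAL_APPROVE": "gl_manager",
}


def find_conflicts(assignments, rules):
    """Return (user, rule_id) pairs where one user holds both roles of a rule."""
    found = []
    for user, roles in sorted(assignments.items()):
        for rule in rules:
            if rule.role_a in roles and rule.role_b in roles:
                found.append((user, rule.rule_id))
    return found


def sod_report(assignments, rules, mitigations, today):
    """Split conflicts into mitigated and unmitigated as of `today`.

    An expired mitigation is listed separately so the SoD owner can
    re-approve it; until then the conflict counts as unmitigated."""
    conflicts = find_conflicts(assignments, rules)
    active = {(m.user, m.rule_id) for m in mitigations if m.expires >= today}
    expired = {(m.user, m.rule_id) for m in mitigations if m.expires < today}
    return {
        "conflicts": conflicts,
        "mitigated": [c for c in conflicts if c in active],
        "unmitigated": [c for c in conflicts if c not in active],
        "expired_mitigations": sorted(expired & set(conflicts)),
    }


def role_change_allowed(role, approver, role_owners):
    """Role design changes are valid only when approved by that role's owner."""
    return role_owners.get(role) == approver


def demo_report():
    """Run the periodic check over the constructed data as of 2025-03-01."""
    return sod_report(ASSIGNMENTS, RULES, MITIGATIONS, date(2025, 3, 1))


if __name__ == "__main__":
    for key, rows in demo_report().items():
        print(f"{key}: {rows}")
    print("gl_manager may change GL_JOURNAL_POST:",
          role_change_allowed("GL_JOURNAL_POST", "gl_manager", ROLE_OWNERS))
```

Two design points match the slide: a mitigation is tied to one user and one rule and carries an expiry, so an SoD owner's approval is revisited rather than permanent, and the report keeps expired mitigations visible instead of silently dropping the conflict back into the unmitigated list.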
Case Studies – Common Business Drivers / Anticipated Benefits

Opportunities for benefits are expanding as security moves from traditional user access control to enablement of business controls and management notification. An increasing number of our clients are recognizing the potential and are taking advantage of these new capabilities.

Future vision, with the anticipated benefits each delivers (Increase Assurance, Better Information, Enhance Compliance, Increase Value, Lower Cost of Operations):

• Implement role based access control driving standardization in identities: Increase Assurance, Enhance Compliance, Lower Cost of Operations
• Conduct segregation of duties analysis across the Enterprise: Increase Assurance, Better Information, Enhance Compliance, Lower Cost of Operations
• Execute risk assessment, evaluation and mitigation as a service: Increase Assurance, Enhance Compliance, Lower Cost of Operations
• Enable preventative compliance within change control processes: Increase Assurance, Better Information, Enhance Compliance, Increase Value, Lower Cost of Operations
• Implement automated controls to reduce work effort and complexity: Better Information, Enhance Compliance, Lower Cost of Operations
• Provide real time management information when executives need it: Better Information, Enhance Compliance, Increase Value
• Improve governance through distribution of controls into the business: Better Information, Enhance Compliance, Increase Value, Lower Cost of Operations

How to contact us:

Bhavesh Bhagat
Co-Founder

Bhavesh on LinkedIn: www.Linkedin.Com/in/BhaveshBhagat

QUESTIONS?

bb@encrisp.com
703.424.7615 ext 1000
703.728.2493 - cell
www.EnCrisp.com
Finance Internal_Controls presentation pptbm6tkbry4q
 

Similaire à En Crisp Grc Audit Automation Overview And Sustainability Strategies (20)

Management Theory & Practice(Robbins, S. Coulter M.)
Management Theory & Practice(Robbins, S. Coulter M.)Management Theory & Practice(Robbins, S. Coulter M.)
Management Theory & Practice(Robbins, S. Coulter M.)
 
Sym Sure Loan Portfolio
Sym Sure Loan PortfolioSym Sure Loan Portfolio
Sym Sure Loan Portfolio
 
chapter2-190516054412.pdf
chapter2-190516054412.pdfchapter2-190516054412.pdf
chapter2-190516054412.pdf
 
Conducting an Information Systems Audit
Conducting an Information Systems Audit Conducting an Information Systems Audit
Conducting an Information Systems Audit
 
UNCCInternalControls.pptx
UNCCInternalControls.pptxUNCCInternalControls.pptx
UNCCInternalControls.pptx
 
3. financial controllership
3. financial controllership3. financial controllership
3. financial controllership
 
Chapterhjhlzuoollkkklhkoksfghjyrec-7.pptx
Chapterhjhlzuoollkkklhkoksfghjyrec-7.pptxChapterhjhlzuoollkkklhkoksfghjyrec-7.pptx
Chapterhjhlzuoollkkklhkoksfghjyrec-7.pptx
 
Internal Control for Cooperatives
Internal Control for CooperativesInternal Control for Cooperatives
Internal Control for Cooperatives
 
Internal Financial Controls
Internal Financial ControlsInternal Financial Controls
Internal Financial Controls
 
Business Continuity Management
Business Continuity ManagementBusiness Continuity Management
Business Continuity Management
 
Operational risks
Operational risksOperational risks
Operational risks
 
P762 web
P762 webP762 web
P762 web
 
Compliance
ComplianceCompliance
Compliance
 
Internal auditor training
Internal auditor trainingInternal auditor training
Internal auditor training
 
P762
P762P762
P762
 
Managerial control
Managerial controlManagerial control
Managerial control
 
FIN-Internal_Controls_Primer_Presentation.ppt
FIN-Internal_Controls_Primer_Presentation.pptFIN-Internal_Controls_Primer_Presentation.ppt
FIN-Internal_Controls_Primer_Presentation.ppt
 
FIN-Internal_Controls_Primer_Presentation.ppt
FIN-Internal_Controls_Primer_Presentation.pptFIN-Internal_Controls_Primer_Presentation.ppt
FIN-Internal_Controls_Primer_Presentation.ppt
 
FIN-Internal_Controls_Primer_Presentation.ppt
FIN-Internal_Controls_Primer_Presentation.pptFIN-Internal_Controls_Primer_Presentation.ppt
FIN-Internal_Controls_Primer_Presentation.ppt
 
Finance Internal_Controls presentation ppt
Finance Internal_Controls presentation pptFinance Internal_Controls presentation ppt
Finance Internal_Controls presentation ppt
 

Dernier

Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 

Dernier (20)

Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 

En Crisp Grc Audit Automation Overview And Sustainability Strategies

  • 5. JULY 16, 2008 - GUESS WHO?
    Although Company has not disclosed much detail about the problem’s causes, the company’s SEC filing offers clues:
    • “We are currently implementing an enterprise resource planning (“ERP”) system on a staged basis in our subsidiaries around the world. We implemented the ERP system in several subsidiaries in our Asia Pacific region prior to fiscal 2008. During our second quarter of 2008, we implemented the ERP system in the United States resulting in changes in our system of internal control over financial reporting. Certain controls that were previously conducted manually or through a number of different existing systems were replaced by controls that are embedded within the ERP system, resulting in an update to our internal control process and procedures, the need for testing of the system and employee training in the use of the new system. Subsequent to the U.S. implementation, we encountered issues with the U.S. ERP system which caused us to further revise our internal control process and procedures in order to correct and supplement our processing capabilities within the new system. The changes described above materially affected our system of internal control over financial reporting during our last fiscal quarter.”

  • 6. Not convinced about Governing and Managing Risk?

  • 7. Bottom Line
    Public & Non-Public entities need strict, documented, and tested Internal Controls to:
    1. Guard against fraud and mistakes
    2. Provide assurance to shareholders, Congress and taxpayers that funds are accounted for and used wisely
    3. Pass a Financial and an Internal Controls audit
    4. Stay out of the news

  • 9. GRC MIS-management
    RISKS are: • Inherent • Obvious • Invisible • Accumulative • Dynamic • GLOBAL
    Risk areas: Invalid Transactions; Sensitive Data Not Protected; Inefficient Processes; Lost Data; Reliance on Inaccurate Data

  • 10. Who-Why-What-Where-How’s of Control Solutions
    • Where do we build controls?
    • How do we balance controls, information systems, and monitoring?
    • What are some control requirements?
    • Who will design and review?
    • Who will own, and where?

  • 11. Definitions
    • Governance: the act, process, or power of governing; to control the actions or behavior of
      – To define and adjust the activities of a group to achieve a set of goals
    • Risk: exposure to the chance of injury or loss; a hazard or dangerous chance
      – The likelihood of an event causing an adverse impact
    • Compliance: the act of conforming, acquiescing, or yielding
      – The degree of conformity to standards derived from governance sources

  • 12. What are we Automating?
    • Governance: the act, process, or power of governing; to control actions/behavior – to define and adjust the activities of a group to achieve a set of goals
    • Risk: exposure to the chance of injury or loss; a hazard or dangerous chance – the likelihood of an event causing an adverse impact
    • Compliance: the act of conforming, acquiescing, or yielding – the degree of conformity to standards derived from governance sources

  • 14. Select Framework - IT governance
    The IT Governance Institute’s governance framework defines five governance goals:
    • Strategy — focus on aligning with the business and collaborative solutions
    • Risks — addressing the safeguarding of IT assets, disaster recovery, and continuity of operations
    • Resources — optimizing knowledge and IT infrastructure
    • Value — concentrating on optimizing expenses and providing the value of IT
    • Performance — tracking project delivery and monitoring IT services
    The IT Governance Institute’s governance life cycle consists of five components (Set Objectives → IT Activities → Measure Performance → Compare → Provide Direction). These components set objectives for IT, measure performance, compare to objectives, and redirect activities where necessary and change objectives where appropriate.
    Source: Forrester Research

  • 15. Select Framework - IT risk
    The COSO enterprise risk management framework is geared to achieving an organization’s strategic objectives by establishing four goals:
    • Strategic — high-level goals, aligned with and supporting the mission
    • Operations — effective and efficient use of resources
    • Reporting — reliability of reporting
    • Compliance — compliance with applicable laws and regulations
    The COSO enterprise risk management life cycle consists of eight interrelated components (Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring). These components set risk objectives, identify risk events, assess the likelihood and impact of events, remediate control deficiencies, and communicate risk assessment results and activities. These components are derived from the way management runs an organization and are integrated with the management processes.
    Source: Forrester Research

  • 16. Select Framework - IT compliance
    The Forrester IT compliance framework established four goals:
    • Sustainable — transparent integration with business and IT operations
    • Consistent — repeatable control testing and implementation throughout the IT environment
    • Efficient — streamlined control maintenance and testing
    • Authoritative — single source for IT controls and test procedures
    The Forrester IT compliance life cycle consists of four components (Maintain Control Framework → Implement Controls → Test & Remediate → Analyze & Report). These components establish an authoritative normalized IT control framework, integrate controls into normal IT operations, test control effectiveness, remediate control deficiencies, and report compliance results and activities.
    Source: Forrester Research

  • 17. Understand the Team
    Enterprise-GRC: Board, Executive committee, Audit committee, Corporate compliance, ERM, Other enterprise governance groups, …
    Functional-GRC: IT, HR, Legal, Internal audit, …; Line of business 1, Line of business 2, Line of business 3, … Line of business n
    Source: Forrester Research

  • 18. Example Project Office Team Structure
    • Steering Group: Overall Sponsor, Departmental Sponsor, Departmental Sponsor, Project Manager
    • IT Dept: Project Lead
    • Vendor: Vendor Rep, Project Lead
    • Project Office: Project Manager, Department Rep (Steering group link), Subject Matter Expert, Project Admin, Project Design, Coms, Validation
    • Independent Project Advisor
    • Stakeholders: Business Units by Geography, Related Departments, Executive, Interested Parties, etc.

  • 19. GRC Business Drivers (Governance, Risk and Compliance)
    Financial Compliance:
    • SOX mandate (Section 404 and 302)
    • Segregation of Duties analysis and enforcement
    • Reduce fraud and risk
    • Certify the sign-off process for executives
    • Identify controls for organization
    • Provide auditors with complete audit trail
    Trade Management (enforcement is on the rise, esp. after 9/11):
    • Companies need to strictly adhere to changing regulations or risk costly fines
    • Security initiatives requiring more internal control, record keeping and audit trails
    • Additional regulations such as Anti-boycott / Anti-terrorism Regulations and Export Administration Regulations (EAR)
    Environment Regulations (corporations need to comply with environment laws and regulations):
    • Mandate of Clean Air Act
    • Streamline environmental reporting
    • Health care risk assessment and prevention
    • Worker safety and hazardous materials need to be documented and identified

  • 20. GRC Solution Overview (Governance, Risk and Compliance)
    • Financial Compliance: Access Control, Process Control
    • Trade Management: Global Trade Management (GTM)
    • Environment Regulations: EH&S, Emission Mgt (xEM)
    • Enterprise Risk Management
    • SAP SOLUTION MANAGER

  • 21. PART 2 – TOP PROJECT MGMT TIPS FOR GRC AUTOMATION AND AUDIT AUTOMATION ROLLOUTS

  • 22. GRC Implementation Lessons
    • “Ounce of Planning worth a Pound of Execution”
      – Do not neglect the Planning phase; attention to detail always pays.
    • Pilot project can validate effort/approach
      – Revisit resource needs after completion
    • Decentralized approach needs establishment of clear, required minimum standards for documentation and evaluation
    • Involve independent auditors throughout the project
    • Embed application controls into the business process approach

  • 23. Recommendations for maturing
    • Establish a strong IT compliance program before attempting risk and governance.
      – Automate control maintenance and testing procedures.
      – Automate controls where appropriate.
      – Establish a single authoritative source for IT controls.
      – Monitor business, IT, and regulatory landscapes.

  • 24. Recommendations for maturing (cont.)
    • Establish an IT risk management program based on compliance.
      – Keep the number of risk events to a minimum.
      – Tie risk events to IT operations.
      – Tie risk events to business risks.
      – Use both real-time and point-in-time measurements.
    • Establish an IT governance program after IT compliance and IT risk management programs are operational.

  • 25. Be aware of the misconceptions about IT-GRC
    • IT governance is the same as management.
    • IT-GRC is a single program.
    • It’s an IT issue.
    • It’s a one-time project.
    • It’s the only way to govern.

  • 26. Lessons from the trenches
    • Integration: Integrate within and beyond IT.
    • Viewpoint: View risk from the eyes of the business.
    • Technology: Automate at the right time (OP+NT=EOP).
    • Process: An over-engineered solution creates resistance and is ultimately less effective.
    • Approach: Start with compliance.
    • Timeframe: Be patient.

  • 27. Considerations When Identifying Controls
    – Focus on “Key” controls:
      • How does the application support the key financial processes?
      • Is the application processing data or acting as a repository?
      • Who relies on the controls?
    – Consider the types of errors that can occur at the application and process level, and don’t ignore infrastructure
    – Ask “What is My Risk?” or “What can Go Wrong?” questions
    – When evaluating IT controls and related risks, consider the relevant financial statement assertions for significant accounts

  • 28. It’s a team effort
    True governance, risk, and compliance does not begin and end with the IT Organization. IT enables, but should not solely own GRC functionality.
    • Controller or Audit Committee: Person or people in charge of governance – make strategic decisions, own the rule set.
    • Role Owners: Managers by functional area who own one or more roles. All design changes to roles must be approved by the role owner. For critical roles, role owners also approve assignments and perform periodic reviews.
    • SOD Owners: Managers by functional area, geography, or department who take ownership of mitigation controls and the approval of SOD conflicts.
    • Audit Team: Monitoring of the system in accordance with the rules set forth by the audit committee or controller.
    • Security Team: Proactive enforcement of SOD rules and critical authorization containment. Periodic monitoring of the system to keep in compliance with the rules.

  • 29. Case Studies – Common Business Drivers / Anticipated Benefits
    Opportunities for benefits are expanding as security moves from traditional user access control to enablement of business controls and management notification. An increasing number of our clients are recognizing the potential and are taking advantage of these new capabilities.
    Benefit columns: Increase Assurance | Better Information | Enhance Compliance | Increase Value | Lower Cost of Operations | Future Vision
    Initiatives (each marked against a subset of the benefit columns in the original matrix; the column positions of the marks do not survive the transcript):
    • Implement role based access control driving standardization in identities
    • Conduct segregation of duties analysis across the Enterprise
    • Execute risk assessment, evaluation and mitigation as a service
    • Enable preventative compliance within change control processes
    • Implement automated controls to reduce work effort and complexity
    • Provide real time management information when executives need it
    • Improve governance through distribution of controls into the business
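The segregation-of-duties analysis that slides 19, 28 and 29 describe (a rule set owned by the controller or audit committee, roles owned by role owners, SOD owners approving mitigating controls, and preventive enforcement inside change control), as an added Python example that is not part of the deck or of any vendor product; every rule, role, user and control id in it is constructed sample data.

```python
"""SOD analysis: rule set, role-to-function mapping, user assignments and
SOD-owner mitigations, as the "It's a team effort" slide lays them out.
Added example; all rules, roles, users and control ids are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed rule set (owned by controller/audit committee): function pairs
# that one person must not hold together.
SOD_RULES: Dict[str, Tuple[str, str]] = {
    "SOD-01": ("create_vendor", "approve_payment"),
    "SOD-02": ("create_purchase_order", "receive_goods"),
    "SOD-03": ("maintain_roles", "approve_payment"),
}
# Constructed role -> functions; design changes here need role-owner approval.
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "BUYER": {"create_purchase_order"},
    "WAREHOUSE": {"receive_goods"},
    "SEC_ADMIN": {"maintain_roles"},
}
# Constructed user -> roles assignments.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK", "AP_MANAGER"},   # SOD-01, no mitigation
    "bob": {"BUYER", "WAREHOUSE"},         # SOD-02, mitigated below
    "carol": {"SEC_ADMIN", "AP_MANAGER"},  # SOD-03, no mitigation
    "dave": {"BUYER"},
}
# Mitigating controls an SOD owner has approved, keyed by (user, rule id).
MITIGATIONS: Dict[Tuple[str, str], str] = {
    ("bob", "SOD-02"): "MC-07 monthly three-way-match review by controller",
}


@dataclass(frozen=True)
class Conflict:
    user: str
    rule: str
    functions: Tuple[str, str]
    via_roles: Tuple[Tuple[str, ...], Tuple[str, ...]]  # roles granting each side
    mitigated_by: Optional[str]


def effective_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Map each function the user holds to the (sorted) roles that grant it."""
    grants: Dict[str, List[str]] = {}
    for role in sorted(user_roles.get(user, ())):
        for fn in role_functions.get(role, ()):
            grants.setdefault(fn, []).append(role)
    return grants


def analyze(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS,
            rules=SOD_RULES, mitigations=MITIGATIONS) -> List[Conflict]:
    """Detective control: every user whose combined roles violate a rule."""
    findings = []
    for user in sorted(user_roles):
        grants = effective_functions(user, user_roles, role_functions)
        for rule_id, (fn_a, fn_b) in rules.items():
            if fn_a in grants and fn_b in grants:
                findings.append(Conflict(user, rule_id, (fn_a, fn_b),
                                         (tuple(grants[fn_a]), tuple(grants[fn_b])),
                                         mitigations.get((user, rule_id))))
    return findings


def unmitigated(findings: List[Conflict]) -> List[Conflict]:
    """Conflicts with no approved mitigating control: the audit exceptions."""
    return [c for c in findings if c.mitigated_by is None]


def role_conflicts(role_functions=ROLE_FUNCTIONS, rules=SOD_RULES):
    """Design-time check: a single role that bundles both sides of a rule."""
    return [(role, rule_id) for role, fns in sorted(role_functions.items())
            for rule_id, (fn_a, fn_b) in rules.items() if fn_a in fns and fn_b in fns]


def assignment_conflicts(user, new_role, user_roles=USER_ROLES,
                         role_functions=ROLE_FUNCTIONS, rules=SOD_RULES):
    """Preventive check for change control: rule violations that granting
    new_role to user would introduce (pre-existing ones are not re-reported)."""
    trial = {u: set(r) for u, r in user_roles.items()}
    trial[user] = trial.get(user, set()) | {new_role}
    before = {c.rule for c in analyze(user_roles, role_functions, rules, {}) if c.user == user}
    return [c for c in analyze(trial, role_functions, rules, {})
            if c.user == user and c.rule not in before]


if __name__ == "__main__":
    for c in analyze():
        print(c.user, c.rule, c.functions, c.via_roles, c.mitigated_by or "OPEN")
```

Running it reports alice and carol as open exceptions and bob as mitigated, while assignment_conflicts lets a change-control step refuse a role grant before it creates a new conflict.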
  • 30. How to contact us:
    Bhavesh Bhagat, Co-Founder
    Bhavesh on LinkedIn: www.Linkedin.Com/in/BhaveshBhagat
    QUESTIONS?
    bb@encrisp.com
    703.424.7615 ext 1000
    703.728.2493 - cell
    www.EnCrisp.com