EnCrisp GRC Audit Automation Overview and Sustainability Strategies
1. GOVERNANCE RISK COMPLIANCE - STRATEGIES TO LEVERAGE FOR POSITIVE CHANGE AND COST REDUCTION AMIDST GLOBAL ECONOMIC RECOVERY.
Bhavesh Bhagat
Co-Founder
2. Agenda
• Part 1 - GRC 101
– Introduction to GOVERNANCE RISK & COMPLIANCE MANAGEMENT (GRC)
• Part 2 – Managing GRC
– Project Mgmt. Tips for GRC Automation and Audit Automation Rollouts
• Strategies and Approach - Succeeding in Global Recession with Managing Automation
4. SOX 302/404 (Private) and OMB Circular A-123 (Public)
302/404 Required activities:
• Identify scope of disclosure controls and procedures and internal control over financial reporting
• Document business processes and controls over all major activities within an entity (beyond solely processes impacting financial reporting)
• Perform evaluation of control design and effectiveness
• Identify and track resulting issues and remediation plans
• Document changes in processes and controls; surface any associated issues
• Cascade the accountability for control evaluation and roll up the results
• Prepare internal control report
• Support external auditor attestation
OMB Requirement (corresponding sections of Circular A-123):
• Section II: Scope
• Section IV: Standards for internal control
• Section III: Assessing
• Section IV: Identification of Deficiencies
• Section V: Management’s Assessment
5. JULY 16, 2008 - GUESS WHO?
Although the company has not disclosed much detail about the problem’s causes, its SEC filing offers clues:
• “We are currently implementing an enterprise resource planning (“ERP”) system
on a staged basis in our subsidiaries around the world. We implemented the ERP
system in several subsidiaries in our Asia Pacific region prior to fiscal 2008.
During our second quarter of 2008, we implemented the ERP system in the
United States resulting in changes in our system of internal control over
financial reporting. Certain controls that were previously conducted manually or
through a number of different existing systems were replaced by controls that
are embedded within the ERP system, resulting in an update to our internal
control process and procedures, the need for testing of the system and
employee training in the use of the new system. Subsequent to the U.S.
implementation, we encountered issues with the U.S. ERP system which caused
us to further revise our internal control process and procedures in order to
correct and supplement our processing capabilities within the new system. The
changes described above materially affected our system of internal control
over financial reporting during our last fiscal quarter.
7. Bottom Line
Public & Non-Public entities need strict, documented, and tested Internal Controls to:
1. Guard against fraud and mistakes
2. Provide assurance to shareholders, Congress and taxpayers that funds are accounted for and used wisely
3. Pass a Financial and an Internal Controls audit
4. Stay out of the news
9. GRC MIS-management
• Invalid Transactions
• Sensitive Data Not Protected
• Inefficient Processes
• Lost Data
• Reliance on Inaccurate Data
RISKS are:
• Inherent
• Obvious
• Invisible
• Accumulative
• Dynamic
• GLOBAL
10. Who-Why-What-Where-How’s of Control Solutions
• Where do we build controls?
• How do we balance controls, information systems, and monitoring?
• What are some control requirements?
• Who will design and review?
• Who will own, and where?
11. Definitions
• Governance: the act, process, or power of governing; to control the actions or behavior of
– To define and adjust the activities of a group to achieve a set of goals
• Risk: exposure to the chance of injury or loss; a hazard or dangerous chance
– The likelihood of an event causing an adverse impact
• Compliance: the act of conforming, acquiescing, or yielding
– The degree of conformity to standards derived from governance sources
12. What are we Automating?
• Governance: the act, process, or power of governing; to control actions/behavior
– To define and adjust the activities of a group to achieve a set of goals
• Risk: exposure to the chance of injury or loss; a hazard or dangerous chance
– The likelihood of an event causing an adverse impact
• Compliance: the act of conforming, acquiescing, or yielding
– The degree of conformity to standards derived from governance sources
14. Select Framework - IT governance
The IT Governance Institute’s governance life cycle consists of five components. These components set objectives for IT, measure performance, compare to objectives, and redirect activities where necessary and change objectives where appropriate.
Life cycle (diagram): Set Objectives → IT Activities → Measure Performance → Compare → Provide Direction
The IT Governance Institute’s governance framework defines five governance goals:
• Strategy — focus on aligning with the business and collaborative solutions
• Risks — addressing the safeguarding of IT assets, disaster recovery, and continuity of operations
• Resources — optimizing knowledge and IT infrastructure
• Value — concentrating on optimizing expenses and providing the value of IT
• Performance — tracking project delivery and monitoring IT services
Source: Forrester Research
15. Select Framework - IT risk
The COSO enterprise risk management life cycle consists of eight interrelated components. These components set risk objectives, identify risk events, assess the likelihood and impact of events, remediate control deficiencies, and communicate risk assessment results and activities. These components are derived from the way management runs an organization and are integrated with the management processes.
Life cycle (diagram): Internal Env. → Objective Setting → Event Ident. → Risk Assmt. → Risk Response → Control Activities → Info. & Comms. → Monitor
The COSO enterprise risk management framework is geared to achieving an organization’s strategic objectives by establishing four goals:
• Strategic — high-level goals, aligned with and supporting the mission
• Operations — effective and efficient use of resources
• Reporting — reliability of reporting
• Compliance — compliance with applicable laws and regulations
Source: Forrester Research
16. Select Framework - IT compliance
The Forrester IT compliance life cycle consists of four components. These components establish an authoritative normalized IT control framework, integrate controls into normal IT operations, test control effectiveness, remediate control deficiencies, and report compliance results and activities.
Life cycle (diagram): Maintain Control Framework → Implement Controls → Test & Remediate → Analyze & Report
The Forrester IT compliance framework established four goals:
• Sustainable — transparent integration with business and IT operations
• Consistent — repeatable control testing and implementation throughout the IT environment
• Efficient — streamlined control maintenance and testing
• Authoritative — single source for IT controls and test procedures
Source: Forrester Research
17. Understand the Team
Enterprise-GRC: Board; Corporate compliance; Executive committee; Audit committee; ERM; Other enterprise governance groups; …
Functional-GRC: IT; HR; Legal; Internal audit; …; Line of business 1; Line of business 2; Line of business 3; …; Line of business n
Source: Forrester Research
18. Example Project Office Team Structure
Steering Group: Overall Sponsor; Departmental Sponsor; Departmental Sponsor; Project Manager; IT Dept; Vendor Rep
Project Leads: IT Dept Project Lead; Vendor Project Lead
Project Office: Project Manager; Department Rep (Steering group link); Subject Matter Expert; Project Coms; Project Admin; Design Validation
Independent Project Advisor
Stakeholders: Business Units by Geography; Related Departments; Executive; Interested Parties; Etc.
19. GRC Business Drivers
Governance, Risk and Compliance
Financial Compliance:
• SOX mandate (Section 404 and 302)
• Segregation of Duties analysis and enforcement
• Reduce fraud and risk
• Certify the sign-off process for executives
• Identify controls for organization
• Provide auditors with complete audit trail
Trade Management: Enforcement is on the rise, esp. after 9/11
• Companies need to strictly adhere to changing regulations or risk costly fines
• Security initiatives requiring more internal control, record keeping and audit trails
• Additional regulations such as Anti-boycott / Anti-terrorism Regulations and Export Administration Regulations (EAR)
Environment Regulations: Corporations need to comply with environment laws and regulations
• Mandate of Clean Air Act
• Streamline environmental reporting
• Health care risk assessment and prevention
• Worker safety and hazardous materials need to be documented and identified
20. GRC Solution Overview
Governance, Risk and Compliance
Financial Compliance: Access Control; Process Control; Enterprise Risk Management
Trade Management: Global Trade Management (GTM)
Environment Regulations: EH&S; Emission Mgt (xEM)
SAP SOLUTION MANAGER
21. PART 2
TOP PROJECT MGMT TIPS FOR
GRC AUTOMATION AND AUDIT
AUTOMATION ROLLOUTS
22. GRC Implementation Lessons
• “An ounce of planning is worth a pound of execution” – do not neglect the planning phase; attention to detail always pays.
• A pilot project can validate effort/approach – revisit resource needs after completion
• A decentralized approach needs establishment of clear, required minimum standards for documentation and evaluation
• Involve independent auditors throughout the project
• Embed application controls into the business process approach
23. Recommendations for maturing
• Establish a strong IT compliance program before attempting risk and governance.
– Automate control maintenance and testing procedures.
– Automate controls where appropriate.
– Establish a single authoritative source for IT controls.
– Monitor business, IT, and regulatory landscapes.
24. Recommendations for maturing (cont.)
• Establish an IT risk management program based on compliance.
– Keep the number of risk events to a minimum.
– Tie risk events to IT operations.
– Tie risk events to business risks.
– Use both real-time and point-in-time measurements.
• Establish an IT governance program after IT compliance and IT risk management programs are operational.
25. Be aware of the misconceptions about IT-GRC
• IT governance is the same as management.
• IT-GRC is a single program.
• It’s an IT issue.
• It’s a one-time project.
• It’s the only way to govern.
26. Lessons from the trenches
• Integration: Integrate within and beyond IT.
• Viewpoint: View risk from the eyes of the business.
• Technology: Automate at the right time (OP+NT=EOP).
• Process: An over-engineered solution creates resistance and is ultimately less effective.
• Approach: Start with compliance.
• Timeframe: Be patient.
27. Considerations When Identifying Controls
– Focus on “Key” controls:
• How does the application support the key financial processes?
• Is the application processing data or acting as a repository?
• Who relies on the controls?
– Consider the types of errors that can occur at the application and process level, and don’t ignore infrastructure
– Ask “What is my risk?” or “What can go wrong?” questions
– When evaluating IT controls and related risks, consider the relevant financial statement assertions for significant accounts
28. It’s a team effort
True governance, risk, and compliance does not begin and end with the IT organization. IT enables, but should not solely own GRC functionality.
Controller or Audit Committee: Person or people in charge of governance – make strategic decisions, own the rule set.
Role Owners: Managers by functional area who own one or more roles. All design changes to roles must be approved by the role owner. For critical roles, role owners also approve assignments and perform periodic reviews.
SOD Owners: Managers by functional area, geography, or department who take ownership of mitigation controls and the approval of SOD conflicts.
Audit Team: Monitoring of the system in accordance with the rules set forth by the audit committee or controller.
Security Team: Proactive enforcement of SOD rules and critical authorization containment. Periodic monitoring of the system to keep in compliance with the rules.
29. Case Studies – Common Business Drivers / Anticipated Benefits
Opportunities for benefits are expanding as security moves from traditional user access control to enablement of business controls and management notification. An increasing number of our clients are recognizing the potential and are taking advantage of these new capabilities.
Benefit categories: Increase Assurance; Better Information; Enhance Compliance; Increase Value; Lower Cost of Operations
Future Vision (each X marks one of the five benefit categories credited to the item):
• Implement role based access control driving standardization in identities [X X X]
• Conduct segregation of duties analysis across the Enterprise [X X X X]
• Execute risk assessment, evaluation and mitigation as a service [X X X]
• Enable preventative compliance within change control processes [X X X X X]
• Implement automated controls to reduce work effort and complexity [X X X]
• Provide real time management information when executives need it [X X X]
• Improve governance through distribution of controls into the business [X X X X]
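The ownership model on the team-effort slide (a rule set owned by the controller or audit committee, role owners approving design changes and critical-role assignments, SOD owners approving mitigated conflicts, a security team enforcing proactively and an audit team monitoring) and the “Conduct segregation of duties analysis across the Enterprise” row above are what an SoD engine automates. The Python below is an added example written for this page; it is not code from the deck, from EnCrisp, or from any GRC product. The rule identifiers, roles, users, business-function names and the mitigation reference CTRL-17 are constructed sample data.

```python
"""Segregation-of-duties (SoD) analysis over role assignments.

Constructed example, not code from the deck or from any GRC product. The
rule set, roles, users and mitigations below are made-up sample data.
"""
from itertools import chain

# Rule set: owned by the controller / audit committee. Each rule names two
# business functions that one person must not be able to perform alone.
SOD_RULES = {
    "SOD-01": ("create_vendor", "pay_vendor"),
    "SOD-02": ("create_journal", "post_journal"),
    "SOD-03": ("maintain_roles", "assign_roles"),
}

# Role definitions: each role grants a set of functions. Critical roles need
# role-owner approval for every assignment.
ROLES = {
    "AP_CLERK":      {"create_vendor"},
    "AP_PAYMENTS":   {"pay_vendor"},
    "GL_ACCOUNTANT": {"create_journal", "post_journal"},  # conflict inside one role
    "SEC_ADMIN":     {"maintain_roles", "assign_roles"},
}
CRITICAL_ROLES = {"SEC_ADMIN"}

# User-to-role assignments (constructed).
ASSIGNMENTS = {
    "alice": {"AP_CLERK", "AP_PAYMENTS"},
    "bob":   {"GL_ACCOUNTANT"},
    "carol": {"AP_CLERK"},
}

# Mitigating controls approved by an SOD owner for a specific user and rule.
MITIGATIONS = {
    ("bob", "SOD-02"): "Monthly journal review by controller (CTRL-17)",
}


def effective_functions(user, assignments=ASSIGNMENTS, roles=ROLES):
    """Union of all functions granted by the user's roles."""
    return set(chain.from_iterable(roles[r] for r in assignments.get(user, ())))


def find_conflicts(assignments=ASSIGNMENTS, roles=ROLES, rules=SOD_RULES):
    """Detective check: sorted (user, rule_id) pairs where one user holds both
    sides of a rule, whether through two roles or a single badly designed role."""
    hits = []
    for user in assignments:
        funcs = effective_functions(user, assignments, roles)
        for rule_id, (f1, f2) in rules.items():
            if f1 in funcs and f2 in funcs:
                hits.append((user, rule_id))
    return sorted(hits)


def unmitigated(conflicts, mitigations=MITIGATIONS):
    """Conflicts with no approved mitigating control: these go to remediation."""
    return [c for c in conflicts if c not in mitigations]


def check_assignment(user, role, assignments=ASSIGNMENTS, roles=ROLES,
                     rules=SOD_RULES, critical=CRITICAL_ROLES):
    """Preventive check run before a role is granted.

    Returns (new_conflict_rule_ids, needs_role_owner_approval). The caller
    blocks the grant until every new conflict carries an approved mitigation
    and, for a critical role, until the role owner has signed off.
    """
    proposed = dict(assignments)
    proposed[user] = set(assignments.get(user, set())) | {role}
    before = {r for u, r in find_conflicts(assignments, roles, rules) if u == user}
    after = {r for u, r in find_conflicts(proposed, roles, rules) if u == user}
    return sorted(after - before), role in critical


if __name__ == "__main__":
    conflicts = find_conflicts()
    print("conflicts:", conflicts)
    print("unmitigated:", unmitigated(conflicts))
    print("carol + AP_PAYMENTS:", check_assignment("carol", "AP_PAYMENTS"))
    print("carol + SEC_ADMIN:", check_assignment("carol", "SEC_ADMIN"))
```

The two entry points map onto the two teams on the slide: `find_conflicts` plus `unmitigated` is the periodic monitoring run that the audit and security teams report on, while `check_assignment` is the proactive enforcement hook that runs before a grant is made, so a conflict is either mitigated by an SOD owner or never created.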
30. How to contact us:
Bhavesh Bhagat
Co-Founder
Bhavesh on LinkedIn
www.Linkedin.Com/in/BhaveshBhagat
QUESTIONS?
bb@encrisp.com
703.424.7615 ext 1000
703.728.2493 - cell
www.EnCrisp.com