Few would disagree that financial services is one

Size: px
Start display at page:

Download "Few would disagree that financial services is one"

Transcription

1 Enterprise Risk Management and Controls-Monitoring Automation Can Reduce Compliance Costs By Mark Nelson and James Ambrosini A framework to reduce risk and compliance costs. Few would disagree that financial services is one of the most heavily regulated and risk-conscious industries. Banks and other financial institutions must continually enhance their risk management strategies to keep up with the changing landscape brought about by new technologies, financial products and global strategies. A decade ago, most financial services firms risk management activities were limited to market and credit risk in an attempt to minimize financial loss caused by market fluctuations or poor lending. Today, with a plethora of new regulations and customer demands, d banks must account for other multidimensional facets of fri risk, including those related to privacy, information on technology, og reputation and operations. How does a company sift through the details and focus on the risks most important to oit?fo For that purpose, banks should use an enterprise risk management (ERM) approach along with a controls automation solution. What Is ERM? First, let us explain what ERM is not. It is not a tool; it is not a onetime project; and, most of all, it is not an end state. ERM is a framework supported by various tools and methods that helps organizations answer questions such as, What are my biggest risks? and How do I manage these risks to get them to a level suitable for my business? The Committee of Sponsoring Organizations of the Treadway Commission (COSO) gives the following definition of ERM 1 : Enterprise risk management is a process, effected by an entity s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. COSO elaborates on this definition by stating that ERM is a process with the following characteristics: Ongoing and flowing through an entity Effected by people at every level of an organization Applied in strategy setting Applied across the enterprise, at every level and unit, and includes taking an entity-level, portfolio view of risk Able to provide reasonable assurance to an entity s management and board of directors Designed nedto identify potential events that, if they ont s automation so ution. De occur, will affect the entity and to manage risk within its risk appetite Geared to achievement of objectives in one or more separate but overlapping categories ERM Components According to the COSO framework, 2 which is becoming a de facto standard in ERM frameworks, ERM consists of eight interrelated components: Internal environment. The internal environment encompasses the tone at the top or controls con- Mark Nelson is Managing Director at Protiviti, New York, New York. Contact him at James Ambrosini is Associate Director at Protiviti, New York, New York. Contact him at FEBRUARY MARCH 2007 BANK ACCOUNTING & FINANCE 25

2 sciousness and sets the basis for how risk is viewed and addressed by an entity s people, ethical values and the environment in which they operate. Objective setting. Objectives must exist before management can identify potential events affecting their achievement. Further, these are aligned with the organization s risk tolerance. Event identification. Internal and external events that could affect the achievement of an entity s objectives must be identified and reported to management. Risk assessment. Risks are analyzed, and their likelihood and impact are evaluated, to determine how they should be managed. Risks are assessed on an inherent and a residual basis (that is, before and after considering any threat mitigation efforts or controls). Risk response. Management determines how to handle the risks (accept, avoid, reduce or share them) and develops a set of actions to align risks with the entity s risk tolerances. Control activities. Policies and procedures are established and implemented to help ensure the risk responses are applied effectively. Information and communication. Relevant information on is identified, captured and communicated din a form and time frame that enable people e to carry out their responsibilities. Effective communication mu also occurs in a broader sense, flowing down, across and up the entity. Monitoring. The entirety of ERM is monitored and modifications are made as necessary. Monitoring ing is accomplished through ongoing management ent activities, separate evaluations or both. Organizations usually perform well in most of these categories, at one time or another. The key is to integrate them holistically across the enterprise, specifically among their strategic, operational, financial reporting and compliance-related functions. It is important to note that not all of these components will apply equally in all institutions due to variations in size. For example, smaller banks or financial institutions have a significantly different risk landscape than larger ones. Thus, these principles of ERM should be applied and tailored for a custom fit. In addition, there is no single aspect of ERM that is more important than another. There is one key element where companies continually struggle: monitoring. Monitoring is the glue that holds the ERM framework together. In an information-rich society, where we continually monitor data such as market swings, expenses and financial information, etc., the importance of monitoring should come as no surprise. Without effective monitoring, all the best-laid ERM plans are for naught because the quality, amount and speed of required information will be compromised. Technology to Monitor Controls and Reduce Compliance Costs The Sarbanes-Oxley Act of 2002 ( SOX ) provides a good example to illustrate how companies can make better use of compliance and controls-related information. Each year, organizations have spent millions of dollars and tens of thousands of hours to complete the documentation, testing and reporting required by SOX. In retrospect, many organizations faced two very common issues: 1. Documenting Too Many Controls When SOX compliance was in its infancy, no one was certain how many documented controls were too few, too many or the right amount. Preferring to err on the side of caution, most companies documented every control they could find. 2. Documenting Mostly Manual a Controls SOX teams often lacked application experts with a detailed understanding of the embedded system-based controls (often called configurable controls). Therefore, they mostly documented manual controls. The effect of these errors is that companies performed very extensive and largely manual testing. These testing projects occur quarterly and annually for the 302 and 404 certifications required of SOX. Often, this costly work is not adding value or improving the internal control environment. Most companies seasoned in SOX compliance are beginning to change their approaches. Rather than approach SOX compliance as a project, they see the advantages of treating it as an ongoing process. Taking a process-based approach to SOX compliance helps companies maintain strong internal control over financial reporting and saves money in the 26 BANK ACCOUNTING & FINANCE FEBRUARY MARCH 2007

3 long term. To accomplish this, the proper use of technological tools is key in creating an effective and sustainable transition from project to process. Automating and Optimizing Controls Technology plays a significant role in moving SOX compliance and ERM in general from a project to an ongoing, sustainable process. Manual controls are more prone to failure than automated controls. They are detective rather than preventive, identifying problems only after they have occurred, and they are ad hoc, meaning only a portion of all transactions is evaluated and tested. Optimized automated controls are system based, preventive and managed. These features allow companies to engage in more self-assessment, entitylevel and process-level monitoring and automated testing. In addition, automated testing more accurately covers a larger universe than manual testing. A manual control test is based on a selected sample size of typically 10 to 30 transactions; automated controls ols testing is performed on the full universe of transactions. ti Because of this larger number of transactions, ns, there is inherently ntly greater assurance provided by automated te controls testing. The role of technology in regulatory ry compliance can nbe ebro broken down into two parallel tracks: (1) automation of the internal control environment and (2) automation of the compliance process. By automating the control environment and compliance process, companies are able to test and review controls throughout the year, providing the documentation and reporting materials needed to more easily comply with quarterly and annual reporting requirements. In many instances, companies do not need to purchase expensive new technology tools. Many companies can make significant advances by making better use of the applications and tools they already have. The result is improved sustainability, lower costs and greater value to the internal control environment and compliance process. Enterprise Resource Planning (ERP) companies and other technology vendors recognize the benefits they can provide to the control environment and compliance process. As a result, they have been improving their products in an evolutionary way. Continuous Controls Monitoring to Support ERM The highest levels of compliance technology provide continuous control monitoring and improvement and support ERM (Exhibit 1). With continuous control monitoring, companies achieve preemptive segregation of duties ( SOD ), conflict analysis, real-time transaction exception monitoring and master data and configuration change alerts. These features keep management on top of and, often, ahead of changes to their control environment. They can immediately detect problems or often anticipate and avoid them. With ERM, companies have the ability to integrate compliance frameworks, tools and data. They gain the benefits of proactive risk identification and evaluation. Employees gain portal access to individual risk management information. To achieve sustained value from application controls, organizations must first attain a high level of process maturity. Process maturity implies a high degree of control automation, control reliability and preventive versus detective controls. This entails properly configuring controls for the control universe, assessing existing controls, identifying gaps and opportunities and implementing necessary control and process changes. SOD issues must also be addressed, including the design and acquisition of rule sets, assessment of existing roles and assignments, nts identification ication and mitigation of potential tial gaps, redesign of roles where necessary and reprovisioning user access rights. Once the process maturity is achieved, SOX compliance costs become more predictable. They are also lower than the expected costs of a manually driven project approach. This decrease in cost occurs because most of the controls testing, monitoring and documentation are automated and woven into business processes. The move from manual processes to control automation requires an investment in people, tools and time. Once automated controls and SOD are in place, however, organizations can actively maintain the environment. It is this active maintenance that ensures compliance becomes an ongoing process rather than a stand-alone project. FEBRUARY MARCH 2007 BANK ACCOUNTING & FINANCE 27

4 Active Maintenance Is Essential Active maintenance is critical. Without active maintenance, companies with a strong automated control environment can eventually fall back into the project mode of compliance. This happens over time as a result of employee turnover, poor change management and other factors that decrease the effectiveness of the control environment. Eventually, the organization reaches a point where it must engage in another expensive project to bring the control environment back to a high level of effectiveness. Along with active maintenance, continuous monitoring and automated testing enable organizations Exhibit 1. Development of Compliance Technology Sophistication of Compliance Technology High Low Enterprise Risk Management Enterprise Risk Management Continuous Control Monitoring & and Improvement Control& and Assessment en Automation Autom Autom ation of of Certification Process Document Inte Interna l Controls Time to Implement The basic level of technology enables the documentation of internal controls. The next level builds on that to automate the compliance process, providing features such as control owner updates, quarterly certifications, control self-assessment and routine risk assessment. Control and assessment automation enables organizations to move from manual to systemic and from detective to preventive controls. Automation at this level also provides improved system-enforced SOD, automated assessment of SOD transaction analysis and configurable control testing. Continuous controls monitoring allows real-time and proactive monitoring of an organization s transactions and application controls. With ERM, companies tailor their monitoring initiatives to specific areas of risk and integrate various tools and frameworks. to stay on top of employee turnover, quickly address SOD issues and address changes in the environment to keep the technological tools current. Continuous controls monitoring is a rapidly growing market with solutions from ERP leaders SAP and Oracle, as well as niche vendors Applimation, Approva and Logical Apps. For example, a midsize bank in the Southeast selected Oracle s Internal Controls Manager (ICM) software to automate its SOD processes. Previously, the bank was using internally developed scripts to test for security violations only when the auditors were working onsite. With the implementation of Oracle s solution, it added a level of continuous automation to check and prevent SOD violations when changes to new or existing users are performed. Automated tools are key to helping organizations ensure active maintenance of their control environment so that controls are operating for the entire period, not just at testing time. A story about a Protiviti SOX client illustrates the effectiveness of these tools. Company A had been through nearly two years of SOX compliance when Protiviti was asked to evaluate its compliance program and look for improvement opportunities. ortu ies Through h an assessment ssm of the company s high-risk control areas, we identified four categories of issues: 1. Forty controls matched to the automated assessment and tested without exception. The potential for improvement here resided in the ability to replace manual testing with automated testing. 2. Sixty-nine controls matched but tested with exception. This means that Company A was improperly relying on these 69 controls. Potential for 28 BANK ACCOUNTING & FINANCE FEBRUARY MARCH 2007

5 improvement included enhancing security and configurable controls and automating testing to achieve efficient and replicable results. 3. Ninety-eight controls were turned on but were not mentioned in the control documentation. As a result, the company was missing opportunities to place more reliance on these controls and reduce manual testing. 4. One hundred and forty-five controls that could have been implemented were not. They were not identified in the documentation and tested with exception. At the completion of the analysis, there were: one hundred and nine already identified application controls that could be tested more efficiently, including the 69 that tested with exception; two hundred and forty-three application controls that could be used to replace manual controls; and two hundred and fourteen potential security/ configuration issues. Based on these findings, it s likely that the company s prior-year testing and conclusions may have been wrong due to the inherent limitations of manual testing of sophisticated applications. This example is typical of most organizations, an overreliance on manual al control of activities. Af further argument for using automated tools to transition tion from mp project to process is the stance of the external audit firms. They appear pe to be preparing to deploy sophisticated stic application ation analysis alysis tools for future audits and Section 404 assessments. By automating controls where possible and shifting the focus away from detailed application plicat testing and on to the tools and rule sets used to monitor the applications, time and effort can be saved, with the reliability of results greatly enhanced. The need for active maintenance cannot be overemphasized. Without a process to maintain and monitor the control environment, it will weaken over time, forcing companies to spend significant resources to bring it back up to a high level of efficiency. Maintenance ensures SOX compliance remains a process that can be predictably and reliably managed. Which Controls to Automate? Moving a control structure and the associated testing toward a reliance on automated controls takes time. It will require input from a variety of internal business constituents and at least some technology investments. In this regard, organizations should begin by examining the sources of evidence supporting management s conclusion as to the operating effectiveness of internal control over financial reporting. This examination ordinarily should drive efforts to start rebalancing the automated controls portfolio (Exhibit 2). The effort begins with a fresh look at the organization s current key controls, with an eye toward several factors. We have found control automation efforts to be most successful in yielding value-added benefits when they are: applied through an integrated solution (for example, ERP) because the improvements have a multiplier effect across common processes; used to replace manual controls that are particularly expensive to operate and test; used in risk areas that have the most impact on reports and performance if the controls fail; employed in areas of heightened external audit sensitivity, such as SOD, and areas of concern to the audit firms; directed toward current practices that are more prone to error and breakdowns; and operated in association with procedures that are repetitive and require little judgment or human intervention. Applying the factors above to manual or poorly automated controls can help rank management s options for automating or optimizing controls. Prerequisites to relying on automated controls include sound program and configuration change management controls, as well as strong security controls. If either of these general controls is weak, automated a controls ols are vulnerable to circumvention by management men and other personnel. In addition, the compliance team would be unable to prove conclusively that the automated controls remained intact through year-end. It should be noted that automation is not appropriate for all situations. As always, there should be an evaluation of the holistic cost of change against the value of future savings and increased quality and effectiveness of the internal controls structure. Where Should Financial Institutions Focus? We believe there are several key areas where financial institutions should apply their ERM and controlsmonitoring activities. This is based on our experience FEBRUARY MARCH 2007 BANK ACCOUNTING & FINANCE 29

6 within this industry, as well as discussions with our banking clients and regulators: Operational risk. Most financial institutions are quite familiar with this risk dimension because this is a frequent hot spot of regulators and SOX auditors. Financial institutions should use a risk-based approach to implementing and testing internal controls. For example, we have seen increased scrutiny over loan processing and wire transfer functions, so it would make sense for organizations to consider strengthening and automating controls in these areas. Information security. The advent of the Web and e-banking has enabled customers to conduct their banking activities from their home computer and manage their own accounts. While this has been a significant benefit to both banks and customers, the downside is that critical data could become compromised. It is no longer enough to merely have strong passwords and encrypt transactions. Financial institutions must be proactive and employ the latest tools and techniques to thwart the would-be information assailants. Customers expect a certain level of security and privacy; compromising this could severely damage a company s reputation. Credit risk. It is not uncommon for financial institutions to monitor credit risk at the transaction level rather than have a broad picture of the total portfolio risk, which requires more sophisticated tools and processes. In addition, geographic diversity of lending may be beneficial, but it also requires more real-time information about emerging conditions in those markets. Exhibit 2. Rebalancing the Automated Controls Portfolio Controls That Are Not Optimized Manual Detective Ad hoc Automated Controls Manual Controls Automated Automated Controls Controls Manual Controls Optimized Controls System-based Preventive Managed Sustainability Optimizing controls through continuous controls monitoring reduces the need for large amounts of manual testing. As a result, an organization s overall compliance cost is reduced and its controls sustainability is increased. Using Technology to Minimize Risk In today s complex financial services arena, all organizations need, and are required to have, sound risk management techniques. An ERM approach coupled with the efficient use of technology and monitoring could aid financial institutions in achieving their goals while minimizing risk. The exact process by ywhich h these initiatives are addressed ed should differ with an organization s size, risk appetite and overall goals. Endnotes 1 Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management Integrated Framework, Executive Summary, Id. This article is reprinted with the publisher s permission from Bank Accounting & Finance, a bimonthly journal published by CCH, a Wolters Kluwer business. Copying or distribution without the publisher s permission is prohibited. To subscribe to Bank Accounting & Finance or other CCH Journals please call or visit All views expressed in the articles and columns are those of the author and not necessarily those of CCH or any other person. 30 BANK ACCOUNTING & FINANCE FEBRUARY MARCH 2007

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices IT audit updates Current hot topics and key considerations Contents IT risk assessment leading practices IT risks to consider in your audit plan IT SOX considerations and risks COSO 2013 and IT considerations

More information

Application Control Effectiveness for SAP. December 2007

Application Control Effectiveness for SAP. December 2007 Application Control Effectiveness for SAP December 2007 Meeting Objectives Application Control Effectiveness Compliance at a glance Trends and challenges Technology issues Application Control Business

More information

COSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE

COSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE COSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE COMMITTEE OF SPONSORING ORGANIZATIONS (COSO) 2013 The Committee of Sponsoring Organizations (COSO) Internal Controls Integrated Framework,

More information

A Risk-Based Audit Strategy November 2006 Internal Audit Department

A Risk-Based Audit Strategy November 2006 Internal Audit Department Mental Health Mental Retardation Authority of Harris County ENTERPRISE RISK MANAGEMENT A Framework For Assessing, Evaluating And Measuring Our Agency s Risk A Risk-Based Audit Strategy November 2006 Internal

More information

Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Frequently Asked Questions

Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Frequently Asked Questions Guide to the Sarbanes-Oxley Act: IT Risks and Controls Frequently Asked Questions Table of Contents Page No. Introduction.......................................................................1 Overall

More information

Sarbanes-Oxley Control Transformation Through Automation

Sarbanes-Oxley Control Transformation Through Automation Sarbanes-Oxley Control Transformation Through Automation An Executive White Paper By BLUE LANCE, Inc. Where have we been? Where are we going? BLUE LANCE INC. www.bluelance.com 713.255.4800 info@bluelance.com

More information

Enterprise Risk Management Process Improvement. Secure Banking Solutions, LLC

Enterprise Risk Management Process Improvement. Secure Banking Solutions, LLC Enterprise Risk Management Process Improvement 2 Contact Information Contact Information Chad Knutson Senior Information Security Consultant CISSP, CISA, CRISC Phone: 605-480-3366 chad.knutson@protectmybank.com

More information

CA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes.

CA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes. TECHNOLOGY BRIEF: REDUCING COST AND COMPLEXITY WITH GLOBAL GOVERNANCE CONTROLS CA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes. Table of Contents Executive

More information

Mapping COBIT 5 with IT Governance, Risk and Compliance at Ecopetrol S.A. By Alberto León Lozano, CISA, CGEIT, CIA, CRMA

Mapping COBIT 5 with IT Governance, Risk and Compliance at Ecopetrol S.A. By Alberto León Lozano, CISA, CGEIT, CIA, CRMA Volume 3, July 2014 Come join the discussion! Alberto León Lozano will respond to questions in the discussion area of the COBIT 5 Use It Effectively topic beginning 21 July 2014. Mapping COBIT 5 with IT

More information

Enterprise Risk Management

Enterprise Risk Management Cayman Islands Society of Professional Accountants Enterprise Risk Management March 19, 2015 Dr. Sandra B. Richtermeyer, CPA, CMA What is Risk Management? Risk management is a process, effected by an entity's

More information

ENTERPRISE RISK MANAGEMENT POLICY

ENTERPRISE RISK MANAGEMENT POLICY ENTERPRISE RISK MANAGEMENT POLICY TITLE OF POLICY POLICY OWNER POLICY CHAMPION DOCUMENT HISTORY: Policy Title Status Enterprise Risk Management Policy (current, revised, no change, redundant) Approving

More information

Enterprise Risk Management Integrated Framework. Executive Summary

Enterprise Risk Management Integrated Framework. Executive Summary Enterprise Risk Management Integrated Framework Executive Summary September 2004 Copyright 2004 by the Committee of Sponsoring Organizations of the Treadway Commission. All rights reserved. You are hereby

More information

1. FPO. Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Second Edition

1. FPO. Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Second Edition 1. FPO Guide to the Sarbanes-Oxley Act: IT Risks and Controls Second Edition Table of Contents Introduction... 1 Overall IT Risk and Control Approach and Considerations When Complying with Sarbanes-Oxley...

More information

Guide to Internal Control Over Financial Reporting

Guide to Internal Control Over Financial Reporting Guide to Internal Control Over Financial Reporting The Center for Audit Quality prepared this Guide to provide an overview for the general public of internal control over financial reporting ( ICFR ).

More information

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL Evaluation and Inspection Services Memorandum May 5, 2009 TO: FROM: SUBJECT: James Manning Acting Chief Operating Officer Federal Student

More information

Sarbanes-Oxley (SOX) The Migration from Project to Process. Practical Actions for Getting Started. Jim DeLoach, Managing Director.

Sarbanes-Oxley (SOX) The Migration from Project to Process. Practical Actions for Getting Started. Jim DeLoach, Managing Director. Sarbanes-Oxley (SOX) The Migration from Project to Process Practical Actions for Getting Started Jim DeLoach, Managing Director November 7, 2006 The Results So Far? Source: AuditAnalytics.com May 2006

More information

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK By James Christiansen, VP, Information Management Executive Summary The Common Story of a Third-Party Data Breach It begins with a story in the newspaper.

More information

Internal Audit Practice Guide

Internal Audit Practice Guide Internal Audit Practice Guide Continuous Auditing Office of the Comptroller General, Internal Audit Sector May 2010 Table of Contents Purpose...1 Background...1 Definitions...2 Continuous Auditing Professional

More information

GUIDE TO THE SARBANES-OXLEY ACT: MANAGING APPLICATION RISKS AND CONTROLS. Frequently Asked Questions

GUIDE TO THE SARBANES-OXLEY ACT: MANAGING APPLICATION RISKS AND CONTROLS. Frequently Asked Questions GUIDE TO THE SARBANES-OXLEY ACT: MANAGING APPLICATION RISKS AND CONTROLS Frequently Asked Questions Table of Contents Page No. Introduction 1 Section 1: Looking Forward 3 Section 2: General Application

More information

Designing an Operational Risk Program for a Community Bank Stephan Salvador Managing Director, Risk Management Consulting

Designing an Operational Risk Program for a Community Bank Stephan Salvador Managing Director, Risk Management Consulting Consulting and Professional Services Designing an Operational Risk Program for a Community Bank Stephan Salvador Managing Director, Risk Management Consulting Designing an Operational Risk Program for

More information

AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING THAT IS INTEGRATED WITH AN AUDIT OF FINANCIAL STATEMENTS:

AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING THAT IS INTEGRATED WITH AN AUDIT OF FINANCIAL STATEMENTS: 1666 K Street, NW Washington, D.C. 20006 Telephone: (202) 207-9100 Facsimile: (202) 862-8430 www.pcaobus.org STAFF VIEWS AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING THAT IS INTEGRATED WITH AN

More information

THE ROLE OF FINANCE AND ACCOUNTING IN ENTERPRISE RISK MANAGEMENT

THE ROLE OF FINANCE AND ACCOUNTING IN ENTERPRISE RISK MANAGEMENT THE ROLE OF FINANCE AND ACCOUNTING IN ENTERPRISE RISK MANAGEMENT Let me begin by thanking Baruch College for giving me the opportunity to present this year s prestigious Emanuel Saxe Lecture in Accounting.

More information

Evolving from Financial Compliance to Next Generation GRC. Gary Prince Principal Solution Specialist - GRC

Evolving from Financial Compliance to Next Generation GRC. Gary Prince Principal Solution Specialist - GRC Evolving from Financial Compliance to Next Generation GRC Gary Prince Principal Solution Specialist - GRC Agenda Business Challenges Oracle s Leadership in Governance, Risk and Compliance Solution Overview

More information

IT Audit Perspective on Continuous Auditing/ Continuous Monitoring KPMG LLP

IT Audit Perspective on Continuous Auditing/ Continuous Monitoring KPMG LLP IT Audit Perspective on Continuous Auditing/ Continuous Monitoring KPMG LLP IT Audit Perspective on Continuous Auditing/Continuous Monitoring INTRODUCTION New demands from the board, senior organizational

More information

Sarbanes-Oxley: Beyond. Using compliance requirements to boost business performance. An RIS White Paper Sponsored by:

Sarbanes-Oxley: Beyond. Using compliance requirements to boost business performance. An RIS White Paper Sponsored by: Beyond Sarbanes-Oxley: Using compliance requirements to boost business performance The business regulatory environment in the United States has changed. Public companies have new obligations to report

More information

S24 - Governance, Risk, and Compliance (GRC) Automation Siamak Razmazma

S24 - Governance, Risk, and Compliance (GRC) Automation Siamak Razmazma S24 - Governance, Risk, and Compliance (GRC) Automation Siamak Razmazma Governance, Risk, Compliance (GRC) Automation Siamak Razmazma Siamak.razmazma@protiviti.com September 2009 Agenda Introduction to

More information

Risk Assessment & Enterprise Risk Management

Risk Assessment & Enterprise Risk Management Risk Assessment & Enterprise Risk 1 Healthcare Corporate Governance Today s environment requires building a culture of risk awareness and management of risk across the organization, while formulating less

More information

Internal Control over Financial Reporting Guidance for Smaller Public Companies

Internal Control over Financial Reporting Guidance for Smaller Public Companies Internal Control over Financial Reporting Guidance for Smaller Public Companies Frequently Asked Questions Internal Control over Financial Reporting Guidance for Smaller Public Companies Frequently Asked

More information

Compared to other industries, banks do quite

Compared to other industries, banks do quite A Framework for Governance, Risk Management and Compliance By Tom Grubb and Tom Burke Compliance and operational improvements are complementary and should happen in tandem. Compared to other industries,

More information

Get More Out of Your Risk Assessment. Austin Chapter of the IIA

Get More Out of Your Risk Assessment. Austin Chapter of the IIA Get More Out of Your Risk Assessment Austin Chapter of the IIA Speakers Alyssa G. Martin, CPA Dallas Executive Partner, Advisory Services 25 years of public accounting experience, with a practice emphasis

More information

Cyber-Security Risk Management Framework (CSRM)

Cyber-Security Risk Management Framework (CSRM) ABSTRACT The Security-Centric, Cyber-Security Risk Management (CSRM) framework expands on both the Internal Control Framework as well as Enterprise Risk Management Framework and proposes an effective Integrated

More information

Agile Technology Controls for Startups a Contradiction in Terms or a Real Opportunity?

Agile Technology Controls for Startups a Contradiction in Terms or a Real Opportunity? Agile Technology Controls for Startups a Contradiction in Terms or a Real Opportunity? Implementing Dynamic, Flexible and Continuously Optimized IT General Controls POWERFUL INSIGHTS Issue It s not a secret

More information

Fraud Risk Management

Fraud Risk Management Fraud Risk Management Overview Discussion Questions 1) Does your organization follow a specific risk management model? If so, which one? Do you think this model adequately addresses the risks your organization

More information

Building an Audit Trail in an Oracle EBS Environment. Presented by: Jeffrey T. Hare, CPA CISA CIA

Building an Audit Trail in an Oracle EBS Environment. Presented by: Jeffrey T. Hare, CPA CISA CIA Building an Audit Trail in an Oracle EBS Environment Presented by: Jeffrey T. Hare, CPA CISA CIA Webinar Logistics Hide and unhide the Webinar control panel by clicking on the arrow icon on the top right

More information

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER Introduction A decade or more ago, logs of events recorded by firewalls, intrusion detection systems and other network devices were

More information

C o m m i t t e e o f S p o n s o r i n g O r g a n i z a t i o n s o f t h e T r e a d w a y C o m m i s s i o n

C o m m i t t e e o f S p o n s o r i n g O r g a n i z a t i o n s o f t h e T r e a d w a y C o m m i s s i o n C o m m i t t e e o f S p o n s o r i n g O r g a n i z a t i o n s o f t h e T r e a d w a y C o m m i s s i o n T h o u g h t L e a d e r s h i p i n E R M E m b r a c i n g E n t e r p r i s e R i s

More information

Pursuing Compliance with the FFIEC Guidance Risk Assessment 101 KPMG RISK ADVISORY SERVICES

Pursuing Compliance with the FFIEC Guidance Risk Assessment 101 KPMG RISK ADVISORY SERVICES Pursuing Compliance with the FFIEC Guidance Risk Assessment 101 KPMG RISK ADVISORY SERVICES Contents PART I An Increasing Threat: Identity Theft The FFIEC Response Risk Assessment Fundamentals The FFIEC

More information

Minimize Access Risk and Prevent Fraud With SAP Access Control

Minimize Access Risk and Prevent Fraud With SAP Access Control SAP Solution in Detail SAP Solutions for Governance, Risk, and Compliance SAP Access Control Minimize Access Risk and Prevent Fraud With SAP Access Control Table of Contents 3 Quick Facts 4 The Access

More information

IFAD Policy on Enterprise Risk Management

IFAD Policy on Enterprise Risk Management Document: EB 2008/94/R.4 Agenda: 5 Date: 6 August 2008 Distribution: Public Original: English E IFAD Policy on Enterprise Risk Management Executive Board Ninety-fourth Session Rome, 10-11 September 2008

More information

ENTERPRISE RISK MANAGEMENT FOR BANKS

ENTERPRISE RISK MANAGEMENT FOR BANKS ENTERPRISE RISK MANAGEMENT FOR BANKS Seshagiri Rao Vaidyula, Senior Manager, Governance, Risk and Compliance Jayaprakash Kavala, Consultant, Banking and Financial Services 1 www.wipro.com/industryresearch

More information

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK ACCOUNTABLE SIGNATURE AUTHORISED for implementation SIGNATURE On behalf of Chief Executive Officer SAHRA Council Date Date

More information

Developing an Effective Enterprise Risk Management Program

Developing an Effective Enterprise Risk Management Program Developing an Effective Enterprise Risk Management Program Jay Brietz, CPA and CIA Senior Manager This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

[RELEASE NOS. 33-8810; 34-55929; FR-77; File No. S7-24-06]

[RELEASE NOS. 33-8810; 34-55929; FR-77; File No. S7-24-06] SECURITIES AND EXCHANGE COMMISSION 17 CFR PART 241 [RELEASE NOS. 33-8810; 34-55929; FR-77; File No. S7-24-06] Commission Guidance Regarding Management s Report on Internal Control Over Financial Reporting

More information

The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework

The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework Dorothy Gjerdrum, ARM-P, Chair of the ISO 31000 US TAG and Executive Director,

More information

Sample Financial institution Risk Management Policy 2011

Sample Financial institution Risk Management Policy 2011 Sample Financial institution Risk Management Policy 2011 1 Contents Risk Management Program...2 Internal Control and Risk Management Diagram... 2 General Control Environment... 2 Specific Internal Control

More information

Matthew E. Breecher Breecher & Company PC November 12, 2008

Matthew E. Breecher Breecher & Company PC November 12, 2008 Applying COSO s Enterprise Risk Management Integrated Framework Matthew E. Breecher Breecher & Company PC November 12, 2008 The basic outline for this presentation was provided by: Objectives for the session:

More information

Impact of New Internal Control Frameworks

Impact of New Internal Control Frameworks Impact of New Internal Control Frameworks Webcast: Tuesday, February 25, 2014 CPE Credit: 1 0 With You Today Bob Jacobson Principal, Risk Advisory Services Consulting Leader West Region Bob.Jacobson@mcgladrey.com

More information

Guidance on Conflicts of Interest for Investment Advisers

Guidance on Conflicts of Interest for Investment Advisers Guidance on Conflicts of Interest for Investment Advisers By Joshua Horn and Amit Shah I. Introduction Conflicts of interest arise in any fiduciary relationship, and perhaps no more so than in the financial

More information

IT risk management discussion 2013 PIAA Leadership Camp May 15, 2013

IT risk management discussion 2013 PIAA Leadership Camp May 15, 2013 IT risk management discussion 2013 PIAA Leadership Camp May 15, 2013 Debbie Lew Agenda Review what is IT governance Review what is IT risk management A discussion of key IT risks to be aware of Page 2

More information

MISSION VALUES. The guide has been printed by:

MISSION VALUES. The guide has been printed by: www.cudgc.sk.ca MISSION We instill public confidence in Saskatchewan credit unions by guaranteeing deposits. As the primary prudential and solvency regulator, we promote responsible governance by credit

More information

Fraud Prevention and Detection in a Manufacturing Environment

Fraud Prevention and Detection in a Manufacturing Environment Fraud Prevention and Detection in a Manufacturing Environment Introduction The Association of Certified Fraud Examiners (ACFE) estimated in its 2008 Report to the Nation on Occupational Fraud and Abuse

More information

March 12th, 2009 Chapter Meeting - HIPAA, SOX, PCI, GLBA Presented by LogiSolve

March 12th, 2009 Chapter Meeting - HIPAA, SOX, PCI, GLBA Presented by LogiSolve March 12th, 2009 Chapter Meeting - HIPAA, SOX, PCI, GLBA Presented by LogiSolve HIPAA, SOX, PCI, GLBA...In today's corporate environment, businesses are facing increasing regulation affecting the corporation

More information

RISK MANAGEMENT IN A FOR-

RISK MANAGEMENT IN A FOR- RISK MANAGEMENT IN A FOR- PROFIT ORGANISATION 1 OBJECTIVES Explain the risk management framework The underlying process and cycle, and resources and people involved The framework can be applied in for

More information

Enterprise Risk Management in Colleges and Universities

Enterprise Risk Management in Colleges and Universities Enterprise Risk Management in Colleges and Universities Cherry Bekaert & Holland, L.L.P. Neal Beggan, CISA, CRISC Shane Hester, CPA, CISA Cherry, Bekaert & Holland, L.L.P. The Firm of Choice. 1 Cherry,

More information

fs viewpoint www.pwc.com/fsi

fs viewpoint www.pwc.com/fsi fs viewpoint www.pwc.com/fsi June 2013 02 11 16 21 24 Point of view Competitive intelligence A framework for response How PwC can help Appendix It takes two to tango: Managing technology risk is now a

More information

Harness Enterprise Risks With Oracle Governance, Risk and Compliance

Harness Enterprise Risks With Oracle Governance, Risk and Compliance Hardware and Software Engineered to Work Together Harness Enterprise Risks With Oracle Governance, Risk and Compliance Is the plethora of financial, operational and regulatory policies and mandates overwhelming

More information

www.pwc.com Advisory Services Oracle Alliance Case Study

www.pwc.com Advisory Services Oracle Alliance Case Study www.pwc.com Advisory Services Oracle Alliance Case Study A global software company turns a Sarbanes-Oxley challenge into an opportunity for cost reduction and performance improvement Client s challenge

More information

Continuous Controls Monitoring. Virginia ISACA January Meeting 19 January 2010

Continuous Controls Monitoring. Virginia ISACA January Meeting 19 January 2010 Continuous Controls Monitoring Virginia ISACA January Meeting 19 January 2010 Today s Agenda What We Are Hearing About Risk Internal Controls Continuous Control Monitoring What is CCM? Framework EY Point

More information

Moving Internal Audit Back into Balance

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance A Post-Sarbanes-Oxley Survey Fourth Edition Table of Contents Introduction... 1 Executive Summary... 2 Overview of Rebalancing Initiatives... 4 Current Status of

More information

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER Introduction A decade or more ago, logs of events recorded by firewalls, intrusion detection systems and other network devices were

More information

COSO Internal Control Integrated Framework (2013)

COSO Internal Control Integrated Framework (2013) COSO Internal Control Integrated Framework (2013) The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its updated Internal Control Integrated Framework (2013 Framework)

More information

Your asset is your business. The more challenging the economy, the more valuable the asset becomes. Decisions are magnified. Risk is amplified.

Your asset is your business. The more challenging the economy, the more valuable the asset becomes. Decisions are magnified. Risk is amplified. Asset management Your asset is your business. The more challenging the economy, the more valuable the asset becomes. Decisions are magnified. Risk is amplified. Data is about more than numbers. It tells

More information

University Audit and Compliance. Internal Controls Enterprise-Wide Risk Assessment

University Audit and Compliance. Internal Controls Enterprise-Wide Risk Assessment Internal Controls Enterprise-Wide Risk Assessment Balancing Risk and Controls In order to achieve goals and objectives, management needs to effectively balance risks and controls. Control procedures need

More information

COSO s 2013 Internal Control Framework in Depth: Implementing the Enhanced Guidance for Internal Control over External Financial Reporting

COSO s 2013 Internal Control Framework in Depth: Implementing the Enhanced Guidance for Internal Control over External Financial Reporting in Depth: Implementing the Enhanced Guidance for Internal Control over External Financial Reporting Table of Contents EXECUTIVE SUMMARY... 3 BACKGROUND... 3 SIGNIFICANT CHANGES AFFECTING INTERNAL CONTROL

More information

Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire. P3M3 Project Management Self-Assessment

Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire. P3M3 Project Management Self-Assessment Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire P3M3 Project Management Self-Assessment Contents Introduction 3 User Guidance 4 P3M3 Self-Assessment Questionnaire

More information

Surviving an Identity Audit

Surviving an Identity Audit What small and midsize organizations need to know about the identity portion of an IT compliance audit Whitepaper Contents Executive Overview.......................................... 2 Introduction..............................................

More information

Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement Understanding the Entity and Its Environment 1667 AU Section 314 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (Supersedes SAS No. 55.) Source: SAS No. 109.

More information

IMPROVING AUDIT READINESS BY MANAGING YOUR DYNAMICS ERP

IMPROVING AUDIT READINESS BY MANAGING YOUR DYNAMICS ERP IMPROVING AUDIT READINESS BY MANAGING YOUR DYNAMICS ERP Building Sustainable Control Accountability Contents 1 EXECUTIVE SUMMARY... 1 2 MANAGING YOUR DYNAMICS ERP SYSTEM: AUDIT READINESS... 1 2.1 Common

More information

Audit of the Test of Design of Entity-Level Controls

Audit of the Test of Design of Entity-Level Controls Audit of the Test of Design of Entity-Level Controls Canadian Grain Commission Audit & Evaluation Services Final Report March 2012 Canadian Grain Commission 0 Entity Level Controls 2011 Table of Contents

More information

IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE

IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE ABSTRACT Changing regulatory requirements, increased attack surfaces and a need to more efficiently deliver access to the business

More information

The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only January 2012

The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only January 2012 The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only Agenda Introduction Basic program components Recent trends in higher education risk management Why

More information

ENTERPRISE RISK MANAGEMENT FRAMEWORK WHAT IS ERM? JOIN. ENGAGE. LEAD.

ENTERPRISE RISK MANAGEMENT FRAMEWORK WHAT IS ERM? JOIN. ENGAGE. LEAD. ENTERPRISE RISK MANAGEMENT FRAMEWORK WHAT IS ERM? JOIN. ENGAGE. LEAD. Enterprise Risk Credit Risk Market Risk Operational Risk Regulatory Compliance Securities Lending INCREASED FOCUS ON ERM Although the

More information

Formulate A Database Security Strategy To Ensure Investments Will Actually Prevent Data Breaches And Satisfy Regulatory Requirements

Formulate A Database Security Strategy To Ensure Investments Will Actually Prevent Data Breaches And Satisfy Regulatory Requirements A Forrester Consulting Thought Leadership Paper Commissioned By Oracle Formulate A Database Security Strategy To Ensure Investments Will Actually Prevent Data Breaches And Satisfy Regulatory Requirements

More information

Enterprise risk management: A pragmatic, four-phase implementation plan

Enterprise risk management: A pragmatic, four-phase implementation plan Enterprise risk management: A pragmatic, four-phase implementation plan Prepared by: John Brackett, Managing Director, Risk Advisory Services, RSM McGladrey, Inc. 704.442.3820, john.brackett@mcgladrey.com

More information

The Future of Investment Compliance for Asset Owners: The Next Great Transformation

The Future of Investment Compliance for Asset Owners: The Next Great Transformation The Future of Investment Compliance for Asset Owners: The Next Great Transformation By: State Street Global Services Performance Services December 2014 STATE STREET CORPORATION 1 Contents Introduction

More information

CRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data

CRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data CRISC Glossary Term Access control Access rights Application controls Asset Authentication The processes, rules and deployment mechanisms that control access to information systems, resources and physical

More information

DEVELOPING AN EFFECTIVE INTERNAL AUDIT TECHNOLOGY STRATEGY

DEVELOPING AN EFFECTIVE INTERNAL AUDIT TECHNOLOGY STRATEGY DEVELOPING AN EFFECTIVE INTERNAL AUDIT TECHNOLOGY STRATEGY SEPTEMBER 2012 DISCLAIMER Copyright 2012 by The Institute of Internal Auditors (IIA) located at 247 Maitland Ave., Altamonte Springs, Fla., 32701,

More information

Administrative Guidelines on the Internal Control Framework and Internal Audit Standards

Administrative Guidelines on the Internal Control Framework and Internal Audit Standards Administrative Guidelines on the Internal Control Framework and Internal Audit Standards GCF/B.09/18 18 February 2015 Meeting of the Board 24 26 March 2015 Songdo, Republic of Korea Agenda item 24 Page

More information

Information Security and Governance in ERP Implementation (JD Edwards)

Information Security and Governance in ERP Implementation (JD Edwards) Information Security and Governance in ERP Implementation (JD Edwards) Table of Contents Information Security... 2 Information Security in ERP Environment... 3 J D Edwards Security and Governance Features...

More information

Uncheck Yourself. by Karen Scarfone. Build a Security-First Approach to Avoid Checkbox Compliance. Principal Consultant Scarfone Cybersecurity

Uncheck Yourself. by Karen Scarfone. Build a Security-First Approach to Avoid Checkbox Compliance. Principal Consultant Scarfone Cybersecurity Uncheck Yourself Build a Security-First Approach to Avoid Checkbox Compliance by Karen Scarfone Principal Consultant Scarfone Cybersecurity Sponsored by www.firehost.com (US) +1 844 682 2859 (UK) +44 800

More information

Enterprise-Wide Risk Assessment

Enterprise-Wide Risk Assessment Enterprise-Wide Risk Assessment Agenda 1. Definition of risk. 2. Risk drivers in higher education today. 3. Implementing an enterprise-wide risk management (ERM) program to effectively assess, manage,

More information

W H I T E P A P E R S A P E R P L i f e - C y c l e M a n a g e m e n t O v e r c o m i n g t h e D o w n s i d e o f U p g r a d i n g

W H I T E P A P E R S A P E R P L i f e - C y c l e M a n a g e m e n t O v e r c o m i n g t h e D o w n s i d e o f U p g r a d i n g W H I T E P A P E R S A P E R P L i f e - C y c l e M a n a g e m e n t O v e r c o m i n g t h e D o w n s i d e o f U p g r a d i n g Sponsored by: Panaya Dan Yachin September 2009 I D C O P I N I O

More information

Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE

Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE March 2012 Table of Contents Executive Summary... 1 Introduction... 1 Risk Management and Assurance (Assurance Services)... 1 Assurance Framework...

More information

Using Assurance Models in IT Audit Engagements

Using Assurance Models in IT Audit Engagements Using Assurance Models in IT Audit Engagements Adrian Baldwin, Yolanta Beres, Simon Shiu Trusted Systems Laboratory HP Laboratories Bristol HPL-2006-148R1 January 29, 2008* audit, assurance, compliance,

More information

OVERVIEW. With just 10,000 customers in your database, the cost of a data breach averages more than $2 million.

OVERVIEW. With just 10,000 customers in your database, the cost of a data breach averages more than $2 million. Security PLAYBOOK OVERVIEW Today, security threats to retail organizations leave little margin for error. Retailers face increasingly complex security challenges persistent threats that can undermine the

More information

Data Analysis: The Cornerstone of Effective Internal Auditing. A CaseWare Analytics Research Report

Data Analysis: The Cornerstone of Effective Internal Auditing. A CaseWare Analytics Research Report Data Analysis: The Cornerstone of Effective Internal Auditing A CaseWare Analytics Research Report Contents Why Data Analysis Step 1: Foundation - Fix Any Cracks First Step 2: Risk - Where to Look Step

More information

Enterprise Risk Management

Enterprise Risk Management Enterprise Risk Management Topic Gateway Series No. 49 1 Prepared by Jasmin Harvey and Technical Information Service July 2008 About Topic Gateways Topic Gateways are intended as a refresher or introduction

More information

AUDIT OF READINESS FOR THE IMPLEMENTATION OF THE POLICY ON INTERNAL CONTROL

AUDIT OF READINESS FOR THE IMPLEMENTATION OF THE POLICY ON INTERNAL CONTROL AUDIT OF READINESS FOR THE IMPLEMENTATION OF THE POLICY ON INTERNAL CONTROL AUDIT REPORT JUNE 2010 TABLE OF CONTENTS EXCUTIVE SUMMARY... 3 1 INTRODUCTION... 5 1.1 AUDIT OBJECTIVE. 5 1.2 SCOPE...5 1.3 SUMMARY

More information

Continuous Controls Monitoring ISACA, Houston Chapter. August 17, 2006

Continuous Controls Monitoring ISACA, Houston Chapter. August 17, 2006 Continuous Controls Monitoring ISACA, Houston Chapter August 17, 2006 Purpose of Discussion Understand impact of Continuous Controls Monitoring (CCM) on the Information Systems Audit community To perform

More information

STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES. ENTERPRISE RISK MANAGEMENT Framework

STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES. ENTERPRISE RISK MANAGEMENT Framework STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES ENTERPRISE RISK MANAGEMENT Framework September 2011 Notice This document is intended as a reference tool to assist Ontario credit unions to develop an

More information

1. Corporate Governance Corporate governance is discussed in the French-language document de référence in section 1.2. Gouvernement d entreprise.

1. Corporate Governance Corporate governance is discussed in the French-language document de référence in section 1.2. Gouvernement d entreprise. Report of the Chairman of the Board of Directors as presented in the French-language document de référence (Section L. 225-37 of the French Commercial Code) In preparing this report, the Chairman consulted

More information

GSK Vaccines: Easing Compliance with SAP Process Control

GSK Vaccines: Easing Compliance with SAP Process Control 2014 SAP AG or an SAP affiliate company. All rights reserved. GSK Vaccines: Easing Compliance with SAP Process Control GlaxoSmithKline Vaccines Industry Life sciences pharmaceuticals Products and Services

More information

Best Practices Report

Best Practices Report Overview As an IT leader within your organization, you face new challenges every day from managing user requirements and operational needs to the burden of IT Compliance. Developing a strong IT general

More information

XBRL & GRC Future opportunities?

XBRL & GRC Future opportunities? XBRL & GRC Future opportunities? Suzanne Janse Deloitte NL Paul Hulst Deloitte / Said Tabet EMC Presenters Suzanne Janse Deloitte Netherlands Director ERP (SAP, Oracle) Risk Management GRC software Paul

More information

Public Sector Pension Investment Board

Public Sector Pension Investment Board Public Sector Pension Investment Board Office of the Auditor General of Canada Bureau du vérificateur général du Canada Ce document est également publié en français. Her Majesty the Queen in Right of Canada,

More information

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services Managing Vulnerabilities for PCI Compliance White Paper Christopher S. Harper Managing Director, Agio Security Services PCI STRATEGY Settling on a PCI vulnerability management strategy is sometimes a difficult

More information

BEST PRACTICES IN CYBER SUPPLY CHAIN RISK MANAGEMENT

BEST PRACTICES IN CYBER SUPPLY CHAIN RISK MANAGEMENT BEST PRACTICES IN CYBER SUPPLY CHAIN RISK MANAGEMENT Communications Company One Company s Supply Chain Transformation Journey INTERVIEWS Senior Manager Supply Chain Operations Strategy Manager Procurement

More information

AD Management Survey: Reveals Security as Key Challenge

AD Management Survey: Reveals Security as Key Challenge Contents How This Paper Is Organized... 1 Survey Respondent Demographics... 2 AD Management Survey: Reveals Security as Key Challenge White Paper August 2009 Survey Results and Observations... 3 Active

More information

2010 Sarbanes-Oxley Compliance Survey. Where U.S.-Listed Companies Stand: Reviewing Cost, Time, Effort and Processes

2010 Sarbanes-Oxley Compliance Survey. Where U.S.-Listed Companies Stand: Reviewing Cost, Time, Effort and Processes 2010 Sarbanes-Oxley Compliance Survey Where U.S.-Listed Companies Stand: Reviewing Cost, Time, Effort and Processes Table of Contents Introduction... 1 Executive Summary... 2 I. Current State of Sarbanes-Oxley

More information

Leveraging a Maturity Model to Achieve Proactive Compliance

Leveraging a Maturity Model to Achieve Proactive Compliance Leveraging a Maturity Model to Achieve Proactive Compliance White Paper: Proactive Compliance Leveraging a Maturity Model to Achieve Proactive Compliance Contents Introduction............................................................................................

More information