Enterprise Risk Management and Controls-Monitoring Automation Can Reduce Compliance Costs

By Mark Nelson and James Ambrosini

A framework to reduce risk and compliance costs.

Few would disagree that financial services is one of the most heavily regulated and risk-conscious industries. Banks and other financial institutions must continually enhance their risk management strategies to keep up with the changing landscape brought about by new technologies, financial products and global strategies. A decade ago, most financial services firms' risk management activities were limited to market and credit risk, in an attempt to minimize financial loss caused by market fluctuations or poor lending. Today, with a plethora of new regulations and customer demands, banks must account for other multidimensional facets of risk, including those related to privacy, information technology, reputation and operations. How does a company sift through the details and focus on the risks most important to it? For that purpose, banks should use an enterprise risk management (ERM) approach along with a controls automation solution.

What Is ERM?

First, let us explain what ERM is not. It is not a tool; it is not a one-time project; and, most of all, it is not an end state. ERM is a framework supported by various tools and methods that helps organizations answer questions such as "What are my biggest risks?" and "How do I manage these risks to get them to a level suitable for my business?" The Committee of Sponsoring Organizations of the Treadway Commission (COSO) gives the following definition of ERM [1]:

Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
COSO elaborates on this definition by stating that ERM is a process with the following characteristics:

- Ongoing and flowing through an entity
- Effected by people at every level of an organization
- Applied in strategy setting
- Applied across the enterprise, at every level and unit, and includes taking an entity-level, portfolio view of risk
- Able to provide reasonable assurance to an entity's management and board of directors
- Designed to identify potential events that, if they occur, will affect the entity, and to manage risk within its risk appetite
- Geared to achievement of objectives in one or more separate but overlapping categories

Mark Nelson is Managing Director at Protiviti, New York, New York. Contact him at mark.nelson@protiviti.com. James Ambrosini is Associate Director at Protiviti, New York, New York. Contact him at james.ambrosini@protiviti.com.

FEBRUARY MARCH 2007 BANK ACCOUNTING & FINANCE 25

ERM Components

According to the COSO framework [2], which is becoming a de facto standard in ERM frameworks, ERM consists of eight interrelated components:

Internal environment. The internal environment encompasses the tone at the top, or controls consciousness, and sets the basis for how risk is viewed and addressed by an entity's people, ethical values and the environment in which they operate.

Objective setting. Objectives must exist before management can identify potential events affecting their achievement. Further, these are aligned with the organization's risk tolerance.

Event identification. Internal and external events that could affect the achievement of an entity's objectives must be identified and reported to management.

Risk assessment. Risks are analyzed, and their likelihood and impact are evaluated, to determine how they should be managed. Risks are assessed on an inherent and a residual basis (that is, before and after considering any threat mitigation efforts or controls).

Risk response. Management determines how to handle the risks (accept, avoid, reduce or share them) and develops a set of actions to align risks with the entity's risk tolerances.

Control activities. Policies and procedures are established and implemented to help ensure the risk responses are applied effectively.

Information and communication. Relevant information is identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity.

Monitoring. The entirety of ERM is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations or both.

Organizations usually perform well in most of these categories, at one time or another. The key is to integrate them holistically across the enterprise, specifically among their strategic, operational, financial reporting and compliance-related functions. It is important to note that not all of these components will apply equally in all institutions due to variations in size.
For example, smaller banks or financial institutions have a significantly different risk landscape than larger ones. Thus, these principles of ERM should be applied and tailored for a custom fit. In addition, there is no single aspect of ERM that is more important than another. There is, however, one key element where companies continually struggle: monitoring. Monitoring is the glue that holds the ERM framework together. In an information-rich society, where we continually monitor data such as market swings, expenses and financial information, the importance of monitoring should come as no surprise. Without effective monitoring, all the best-laid ERM plans are for naught, because the quality, amount and speed of required information will be compromised.

Technology to Monitor Controls and Reduce Compliance Costs

The Sarbanes-Oxley Act of 2002 ("SOX") provides a good example to illustrate how companies can make better use of compliance and controls-related information. Each year, organizations have spent millions of dollars and tens of thousands of hours to complete the documentation, testing and reporting required by SOX. In retrospect, many organizations faced two very common issues:

1. Documenting Too Many Controls. When SOX compliance was in its infancy, no one was certain how many documented controls were too few, too many or the right amount. Preferring to err on the side of caution, most companies documented every control they could find.

2. Documenting Mostly Manual Controls. SOX teams often lacked application experts with a detailed understanding of the embedded system-based controls (often called configurable controls). Therefore, they mostly documented manual controls.

The effect of these errors is that companies performed very extensive and largely manual testing. These testing projects occur quarterly and annually for the Section 302 and 404 certifications required by SOX. Often, this costly work is not adding value or improving the internal control environment.
Most companies seasoned in SOX compliance are beginning to change their approaches. Rather than approach SOX compliance as a project, they see the advantages of treating it as an ongoing process. Taking a process-based approach to SOX compliance helps companies maintain strong internal control over financial reporting and saves money in the long term. To accomplish this, the proper use of technological tools is key in creating an effective and sustainable transition from project to process.

Automating and Optimizing Controls

Technology plays a significant role in moving SOX compliance, and ERM in general, from a project to an ongoing, sustainable process. Manual controls are more prone to failure than automated controls. They are detective rather than preventive, identifying problems only after they have occurred, and they are ad hoc, meaning only a portion of all transactions is evaluated and tested. Optimized automated controls are system-based, preventive and managed. These features allow companies to engage in more self-assessment, entity-level and process-level monitoring and automated testing. In addition, automated testing more accurately covers a larger universe than manual testing. A manual control test is based on a selected sample of typically 10 to 30 transactions; automated controls testing is performed on the full universe of transactions. Because of this larger number of transactions, there is inherently greater assurance provided by automated controls testing.

The role of technology in regulatory compliance can be broken down into two parallel tracks: (1) automation of the internal control environment and (2) automation of the compliance process. By automating the control environment and compliance process, companies are able to test and review controls throughout the year, providing the documentation and reporting materials needed to more easily comply with quarterly and annual reporting requirements. In many instances, companies do not need to purchase expensive new technology tools. Many companies can make significant advances by making better use of the applications and tools they already have. The result is improved sustainability, lower costs and greater value to the internal control environment and compliance process.
Enterprise Resource Planning (ERP) companies and other technology vendors recognize the benefits they can provide to the control environment and compliance process. As a result, they have been improving their products in an evolutionary way.

Continuous Controls Monitoring to Support ERM

The highest levels of compliance technology provide continuous control monitoring and improvement and support ERM (Exhibit 1). With continuous control monitoring, companies achieve preemptive segregation of duties ("SOD"), conflict analysis, real-time transaction exception monitoring, and master data and configuration change alerts. These features keep management on top of and, often, ahead of changes to their control environment. They can immediately detect problems or, often, anticipate and avoid them. With ERM, companies have the ability to integrate compliance frameworks, tools and data. They gain the benefits of proactive risk identification and evaluation. Employees gain portal access to individual risk management information.

To achieve sustained value from application controls, organizations must first attain a high level of process maturity. Process maturity implies a high degree of control automation, control reliability and preventive versus detective controls. This entails properly configuring controls for the control universe, assessing existing controls, identifying gaps and opportunities and implementing necessary control and process changes. SOD issues must also be addressed, including the design and acquisition of rule sets, assessment of existing roles and assignments, identification and mitigation of potential gaps, redesign of roles where necessary and reprovisioning of user access rights. Once process maturity is achieved, SOX compliance costs become more predictable. They are also lower than the expected costs of a manually driven project approach.
This decrease in cost occurs because most of the controls testing, monitoring and documentation are automated and woven into business processes. The move from manual processes to control automation requires an investment in people, tools and time. Once automated controls and SOD are in place, however, organizations can actively maintain the environment. It is this active maintenance that ensures compliance becomes an ongoing process rather than a stand-alone project.
Active Maintenance Is Essential

Active maintenance is critical. Without active maintenance, companies with a strong automated control environment can eventually fall back into the project mode of compliance. This happens over time as a result of employee turnover, poor change management and other factors that decrease the effectiveness of the control environment. Eventually, the organization reaches a point where it must engage in another expensive project to bring the control environment back to a high level of effectiveness. Along with active maintenance, continuous monitoring and automated testing enable organizations to stay on top of employee turnover, quickly address SOD issues and address changes in the environment to keep the technological tools current.

[Exhibit 1. Development of Compliance Technology. Chart of sophistication of compliance technology (low to high) against time to implement, with five ascending levels: Document Internal Controls; Automation of Certification Process; Control and Assessment Automation; Continuous Control Monitoring and Improvement; Enterprise Risk Management.]

The basic level of technology enables the documentation of internal controls. The next level builds on that to automate the compliance process, providing features such as control owner updates, quarterly certifications, control self-assessment and routine risk assessment. Control and assessment automation enables organizations to move from manual to systemic and from detective to preventive controls. Automation at this level also provides improved system-enforced SOD, automated assessment of SOD transaction analysis and configurable control testing. Continuous controls monitoring allows real-time and proactive monitoring of an organization's transactions and application controls. With ERM, companies tailor their monitoring initiatives to specific areas of risk and integrate various tools and frameworks.
Continuous controls monitoring is a rapidly growing market, with solutions from ERP leaders SAP and Oracle as well as niche vendors Applimation, Approva and Logical Apps. For example, a midsize bank in the Southeast selected Oracle's Internal Controls Manager (ICM) software to automate its SOD processes. Previously, the bank was using internally developed scripts to test for security violations only when the auditors were working onsite. With the implementation of Oracle's solution, it added a level of continuous automation to check for and prevent SOD violations when changes to new or existing users are performed.

Automated tools are key to helping organizations ensure active maintenance of their control environment so that controls are operating for the entire period, not just at testing time. A story about a Protiviti SOX client illustrates the effectiveness of these tools. Company A had been through nearly two years of SOX compliance when Protiviti was asked to evaluate its compliance program and look for improvement opportunities. Through an assessment of the company's high-risk control areas, we identified four categories of issues:

1. Forty controls matched to the automated assessment and tested without exception. The potential for improvement here resided in the ability to replace manual testing with automated testing.

2. Sixty-nine controls matched but tested with exception. This means that Company A was improperly relying on these 69 controls. Potential for improvement included enhancing security and configurable controls and automating testing to achieve efficient and replicable results.

3. Ninety-eight controls were turned on but were not mentioned in the control documentation. As a result, the company was missing opportunities to place more reliance on these controls and reduce manual testing.

4. One hundred and forty-five controls that could have been implemented were not. They were not identified in the documentation and tested with exception.

At the completion of the analysis, there were: one hundred and nine already identified application controls that could be tested more efficiently, including the 69 that tested with exception; two hundred and forty-three application controls that could be used to replace manual controls; and two hundred and fourteen potential security/configuration issues. Based on these findings, it's likely that the company's prior-year testing and conclusions may have been wrong due to the inherent limitations of manual testing of sophisticated applications. This example is typical of most organizations: an overreliance on manual control activities.

A further argument for using automated tools to transition from project to process is the stance of the external audit firms. They appear to be preparing to deploy sophisticated application analysis tools for future audits and Section 404 assessments. By automating controls where possible and shifting the focus away from detailed application testing and on to the tools and rule sets used to monitor the applications, time and effort can be saved, with the reliability of results greatly enhanced.

The need for active maintenance cannot be overemphasized. Without a process to maintain and monitor the control environment, it will weaken over time, forcing companies to spend significant resources to bring it back up to a high level of efficiency.
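The SOD mechanics described in the preceding sections (a rule set of conflicting business functions, an assessment of existing role assignments against it, and a preventive check at the moment a user is added or changed, as in the ICM example above) can be shown end to end in a short script. The following is an added example written for this edition; it is not code from the article, from Protiviti or from any vendor product. The rule set, the role-to-function mapping, the users and the compensating-control reference "CC-17" are all constructed placeholders.

```python
"""Added example: a rule-set-driven segregation-of-duties (SOD) monitor.

Everything here is constructed for illustration (rule set, roles, users and
the compensating-control reference "CC-17"); it is not a vendor rule set.
It shows the two modes the article contrasts: a detective scan of the full
population of users, and a preventive check run at provisioning time.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Pairs of business functions one person should not hold together (constructed).
SOD_RULES: Dict[Tuple[str, str], str] = {
    ("create_vendor", "approve_payment"): "fictitious vendor / payment fraud",
    ("initiate_wire", "approve_wire"): "unapproved wire transfer",
    ("maintain_user_access", "post_journal_entry"): "self-granted ledger access",
    ("enter_loan", "approve_loan"): "unauthorized loan origination",
}

# Application role -> business functions it grants (constructed).
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "WIRE_OPERATOR": {"initiate_wire"},
    "WIRE_APPROVER": {"approve_wire"},
    "SECURITY_ADMIN": {"maintain_user_access"},
    "GL_ACCOUNTANT": {"post_journal_entry"},
    "LOAN_OFFICER": {"enter_loan"},
    "CREDIT_COMMITTEE": {"approve_loan"},
}

# Constructed user-to-role assignments: alice and carol each hold a conflict.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK", "AP_MANAGER"},
    "bob": {"WIRE_OPERATOR"},
    "carol": {"SECURITY_ADMIN", "GL_ACCOUNTANT"},
    "dave": {"LOAN_OFFICER"},
}

# Documented compensating controls keyed by (user, function, function).
# "CC-17" is a constructed control identifier, not a real one.
MITIGATIONS: Dict[Tuple[str, str, str], str] = {
    ("alice", "create_vendor", "approve_payment"): "CC-17 monthly vendor-master review",
}


@dataclass
class Finding:
    user: str
    functions: Tuple[str, str]          # the conflicting pair, in rule order
    risk: str
    mitigated_by: Optional[str] = None  # compensating control, if documented


def effective_functions(roles: Set[str]) -> Set[str]:
    """Union of the business functions granted by all of a user's roles."""
    funcs: Set[str] = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def conflicts_for(user: str, roles: Set[str],
                  mitigations: Optional[Dict] = None) -> List[Finding]:
    """Every SOD rule that the user's combined access violates."""
    mitigations = mitigations or {}
    funcs = effective_functions(roles)
    return [Finding(user, (a, b), risk, mitigations.get((user, a, b)))
            for (a, b), risk in SOD_RULES.items() if a in funcs and b in funcs]


def scan_population(assignments: Dict[str, Set[str]],
                    mitigations: Optional[Dict] = None) -> Dict[str, List[Finding]]:
    """Detective control: evaluate every user (the full universe, not a sample)
    and split findings into open violations and mitigated conflicts."""
    findings: List[Finding] = []
    for user, roles in assignments.items():
        findings.extend(conflicts_for(user, roles, mitigations))
    return {"open": [f for f in findings if f.mitigated_by is None],
            "mitigated": [f for f in findings if f.mitigated_by is not None]}


def check_provisioning_change(user: str, current_roles: Set[str], roles_to_add: Set[str],
                              mitigations: Optional[Dict] = None) -> Tuple[bool, List[Finding]]:
    """Preventive control: decide before a role change is committed.

    Returns (allowed, new_findings): conflicts the change would introduce that
    no documented compensating control covers. Pre-existing conflicts are left
    to the detective scan rather than re-reported here."""
    before = {f.functions for f in conflicts_for(user, current_roles, mitigations)}
    after = conflicts_for(user, set(current_roles) | set(roles_to_add), mitigations)
    new = [f for f in after if f.functions not in before and f.mitigated_by is None]
    return (not new, new)


if __name__ == "__main__":
    report = scan_population(ASSIGNMENTS, MITIGATIONS)
    for f in report["open"]:
        print(f"VIOLATION  {f.user}: {f.functions[0]} + {f.functions[1]} ({f.risk})")
    for f in report["mitigated"]:
        print(f"MITIGATED  {f.user}: {f.functions[0]} + {f.functions[1]} via {f.mitigated_by}")
    allowed, new = check_provisioning_change("bob", ASSIGNMENTS["bob"], {"WIRE_APPROVER"}, MITIGATIONS)
    print("add WIRE_APPROVER to bob:", "allowed" if allowed else "blocked", [f.risk for f in new])
```

Run as a script, the population scan reports carol's open conflict (user-access administration combined with journal posting), reports alice's conflict as mitigated by the documented compensating control, and the provisioning check blocks adding WIRE_APPROVER to bob because it would pair wire initiation with wire approval. The assurance point the article makes follows from scan_population evaluating every user rather than a 10-to-30 item sample; what an auditor then reviews is the rule set and the mitigation register, which is the shift of focus toward "the tools and rule sets used to monitor the applications" that the article describes.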
Maintenance ensures SOX compliance remains a process that can be predictably and reliably managed.

Which Controls to Automate?

Moving a control structure and the associated testing toward a reliance on automated controls takes time. It will require input from a variety of internal business constituents and at least some technology investments. In this regard, organizations should begin by examining the sources of evidence supporting management's conclusion as to the operating effectiveness of internal control over financial reporting. This examination ordinarily should drive efforts to start rebalancing the automated controls portfolio (Exhibit 2). The effort begins with a fresh look at the organization's current key controls, with an eye toward several factors. We have found control automation efforts to be most successful in yielding value-added benefits when they are:

- applied through an integrated solution (for example, ERP), because the improvements have a multiplier effect across common processes;
- used to replace manual controls that are particularly expensive to operate and test;
- used in risk areas that have the most impact on reports and performance if the controls fail;
- employed in areas of heightened external audit sensitivity, such as SOD, and areas of concern to the audit firms;
- directed toward current practices that are more prone to error and breakdowns; and
- operated in association with procedures that are repetitive and require little judgment or human intervention.

Applying the factors above to manual or poorly automated controls can help rank management's options for automating or optimizing controls. Prerequisites to relying on automated controls include sound program and configuration change management controls, as well as strong security controls. If either of these general controls is weak, automated controls are vulnerable to circumvention by management and other personnel.
In addition, the compliance team would be unable to prove conclusively that the automated controls remained intact through year-end. It should be noted that automation is not appropriate for all situations. As always, there should be an evaluation of the holistic cost of change against the value of future savings and increased quality and effectiveness of the internal controls structure.

Where Should Financial Institutions Focus?

We believe there are several key areas where financial institutions should apply their ERM and controls-monitoring activities. This is based on our experience within this industry, as well as discussions with our banking clients and regulators:

Operational risk. Most financial institutions are quite familiar with this risk dimension because it is a frequent hot spot of regulators and SOX auditors. Financial institutions should use a risk-based approach to implementing and testing internal controls. For example, we have seen increased scrutiny over loan processing and wire transfer functions, so it would make sense for organizations to consider strengthening and automating controls in these areas.

Information security. The advent of the Web and e-banking has enabled customers to conduct their banking activities from their home computers and manage their own accounts. While this has been a significant benefit to both banks and customers, the downside is that critical data could become compromised. It is no longer enough to merely have strong passwords and encrypt transactions. Financial institutions must be proactive and employ the latest tools and techniques to thwart would-be information assailants. Customers expect a certain level of security and privacy; compromising this could severely damage a company's reputation.

Credit risk. It is not uncommon for financial institutions to monitor credit risk at the transaction level rather than have a broad picture of the total portfolio risk, which requires more sophisticated tools and processes. In addition, geographic diversity of lending may be beneficial, but it also requires more real-time information about emerging conditions in those markets.

[Exhibit 2. Rebalancing the Automated Controls Portfolio. Chart showing the control mix shifting from a portfolio dominated by controls that are not optimized (manual, detective, ad hoc) to one dominated by optimized controls (system-based, preventive, managed), with sustainability increasing as automated controls replace manual controls.]

Optimizing controls through continuous controls monitoring reduces the need for large amounts of manual testing.
As a result, an organization's overall compliance cost is reduced and its controls sustainability is increased.

Using Technology to Minimize Risk

In today's complex financial services arena, all organizations need, and are required to have, sound risk management techniques. An ERM approach coupled with the efficient use of technology and monitoring could aid financial institutions in achieving their goals while minimizing risk. The exact process by which these initiatives are addressed should differ with an organization's size, risk appetite and overall goals.

Endnotes

1. Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management Integrated Framework, Executive Summary.
2. Id.

This article is reprinted with the publisher's permission from Bank Accounting & Finance, a bimonthly journal published by CCH, a Wolters Kluwer business. Copying or distribution without the publisher's permission is prohibited. To subscribe to Bank Accounting & Finance or other CCH Journals, please call or visit. All views expressed in the articles and columns are those of the author and not necessarily those of CCH or any other person.
Developing an Effective Enterprise Risk Management Program Jay Brietz, CPA and CIA Senior Manager This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record
More informationPursuing Compliance with the FFIEC Guidance Risk Assessment 101 KPMG RISK ADVISORY SERVICES
Pursuing Compliance with the FFIEC Guidance Risk Assessment 101 KPMG RISK ADVISORY SERVICES Contents PART I An Increasing Threat: Identity Theft The FFIEC Response Risk Assessment Fundamentals The FFIEC
More informationSample Financial institution Risk Management Policy 2011
Sample Financial institution Risk Management Policy 2011 1 Contents Risk Management Program...2 Internal Control and Risk Management Diagram... 2 General Control Environment... 2 Specific Internal Control
More informationCyber-Security Risk Management Framework (CSRM)
ABSTRACT The Security-Centric, Cyber-Security Risk Management (CSRM) framework expands on both the Internal Control Framework as well as Enterprise Risk Management Framework and proposes an effective Integrated
More informationThe New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework
The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework Dorothy Gjerdrum, ARM-P, Chair of the ISO 31000 US TAG and Executive Director,
More informationFraud Prevention and Detection in a Manufacturing Environment
Fraud Prevention and Detection in a Manufacturing Environment Introduction The Association of Certified Fraud Examiners (ACFE) estimated in its 2008 Report to the Nation on Occupational Fraud and Abuse
More informationMarch 12th, 2009 Chapter Meeting - HIPAA, SOX, PCI, GLBA Presented by LogiSolve
March 12th, 2009 Chapter Meeting - HIPAA, SOX, PCI, GLBA Presented by LogiSolve HIPAA, SOX, PCI, GLBA...In today's corporate environment, businesses are facing increasing regulation affecting the corporation
More informationBuilding an Audit Trail in an Oracle EBS Environment. Presented by: Jeffrey T. Hare, CPA CISA CIA
Building an Audit Trail in an Oracle EBS Environment Presented by: Jeffrey T. Hare, CPA CISA CIA Webinar Logistics Hide and unhide the Webinar control panel by clicking on the arrow icon on the top right
More informationRISK MANAGEMENT IN A FOR-
RISK MANAGEMENT IN A FOR- PROFIT ORGANISATION 1 OBJECTIVES Explain the risk management framework The underlying process and cycle, and resources and people involved The framework can be applied in for
More informationEnterprise Risk Management in Colleges and Universities
Enterprise Risk Management in Colleges and Universities Cherry Bekaert & Holland, L.L.P. Neal Beggan, CISA, CRISC Shane Hester, CPA, CISA Cherry, Bekaert & Holland, L.L.P. The Firm of Choice. 1 Cherry,
More informationfs viewpoint www.pwc.com/fsi
fs viewpoint www.pwc.com/fsi June 2013 02 11 16 21 24 Point of view Competitive intelligence A framework for response How PwC can help Appendix It takes two to tango: Managing technology risk is now a
More informationIFAD Policy on Enterprise Risk Management
Document: EB 2008/94/R.4 Agenda: 5 Date: 6 August 2008 Distribution: Public Original: English E IFAD Policy on Enterprise Risk Management Executive Board Ninety-fourth Session Rome, 10-11 September 2008
More informationMoving Internal Audit Back into Balance
Moving Internal Audit Back into Balance A Post-Sarbanes-Oxley Survey Fourth Edition Table of Contents Introduction... 1 Executive Summary... 2 Overview of Rebalancing Initiatives... 4 Current Status of
More informationENTERPRISE RISK MANAGEMENT FOR BANKS
ENTERPRISE RISK MANAGEMENT FOR BANKS Seshagiri Rao Vaidyula, Senior Manager, Governance, Risk and Compliance Jayaprakash Kavala, Consultant, Banking and Financial Services 1 www.wipro.com/industryresearch
More informationTripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER
Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER Introduction A decade or more ago, logs of events recorded by firewalls, intrusion detection systems and other network devices were
More informationImpact of New Internal Control Frameworks
Impact of New Internal Control Frameworks Webcast: Tuesday, February 25, 2014 CPE Credit: 1 0 With You Today Bob Jacobson Principal, Risk Advisory Services Consulting Leader West Region Bob.Jacobson@mcgladrey.com
More informationProcurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire. P3M3 Project Management Self-Assessment
Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire P3M3 Project Management Self-Assessment Contents Introduction 3 User Guidance 4 P3M3 Self-Assessment Questionnaire
More informationYour asset is your business. The more challenging the economy, the more valuable the asset becomes. Decisions are magnified. Risk is amplified.
Asset management Your asset is your business. The more challenging the economy, the more valuable the asset becomes. Decisions are magnified. Risk is amplified. Data is about more than numbers. It tells
More informationMISSION VALUES. The guide has been printed by:
www.cudgc.sk.ca MISSION We instill public confidence in Saskatchewan credit unions by guaranteeing deposits. As the primary prudential and solvency regulator, we promote responsible governance by credit
More informationCOSO s 2013 Internal Control Framework in Depth: Implementing the Enhanced Guidance for Internal Control over External Financial Reporting
in Depth: Implementing the Enhanced Guidance for Internal Control over External Financial Reporting Table of Contents EXECUTIVE SUMMARY... 3 BACKGROUND... 3 SIGNIFICANT CHANGES AFFECTING INTERNAL CONTROL
More informationIT risk management discussion 2013 PIAA Leadership Camp May 15, 2013
IT risk management discussion 2013 PIAA Leadership Camp May 15, 2013 Debbie Lew Agenda Review what is IT governance Review what is IT risk management A discussion of key IT risks to be aware of Page 2
More informationMinimize Access Risk and Prevent Fraud With SAP Access Control
SAP Solution in Detail SAP Solutions for Governance, Risk, and Compliance SAP Access Control Minimize Access Risk and Prevent Fraud With SAP Access Control Table of Contents 3 Quick Facts 4 The Access
More informationBEST PRACTICES IN CYBER SUPPLY CHAIN RISK MANAGEMENT
BEST PRACTICES IN CYBER SUPPLY CHAIN RISK MANAGEMENT Communications Company One Company s Supply Chain Transformation Journey INTERVIEWS Senior Manager Supply Chain Operations Strategy Manager Procurement
More informationContinuous Controls Monitoring. Virginia ISACA January Meeting 19 January 2010
Continuous Controls Monitoring Virginia ISACA January Meeting 19 January 2010 Today s Agenda What We Are Hearing About Risk Internal Controls Continuous Control Monitoring What is CCM? Framework EY Point
More informationHarness Enterprise Risks With Oracle Governance, Risk and Compliance
Hardware and Software Engineered to Work Together Harness Enterprise Risks With Oracle Governance, Risk and Compliance Is the plethora of financial, operational and regulatory policies and mandates overwhelming
More informationThe College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only January 2012
The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only Agenda Introduction Basic program components Recent trends in higher education risk management Why
More informationwww.pwc.com Advisory Services Oracle Alliance Case Study
www.pwc.com Advisory Services Oracle Alliance Case Study A global software company turns a Sarbanes-Oxley challenge into an opportunity for cost reduction and performance improvement Client s challenge
More informationCRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data
CRISC Glossary Term Access control Access rights Application controls Asset Authentication The processes, rules and deployment mechanisms that control access to information systems, resources and physical
More informationCOSO Internal Control Integrated Framework (2013)
COSO Internal Control Integrated Framework (2013) The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its updated Internal Control Integrated Framework (2013 Framework)
More informationENTERPRISE RISK MANAGEMENT FRAMEWORK WHAT IS ERM? JOIN. ENGAGE. LEAD.
ENTERPRISE RISK MANAGEMENT FRAMEWORK WHAT IS ERM? JOIN. ENGAGE. LEAD. Enterprise Risk Credit Risk Market Risk Operational Risk Regulatory Compliance Securities Lending INCREASED FOCUS ON ERM Although the
More informationEnterprise-Wide Risk Assessment
Enterprise-Wide Risk Assessment Agenda 1. Definition of risk. 2. Risk drivers in higher education today. 3. Implementing an enterprise-wide risk management (ERM) program to effectively assess, manage,
More informationUncheck Yourself. by Karen Scarfone. Build a Security-First Approach to Avoid Checkbox Compliance. Principal Consultant Scarfone Cybersecurity
Uncheck Yourself Build a Security-First Approach to Avoid Checkbox Compliance by Karen Scarfone Principal Consultant Scarfone Cybersecurity Sponsored by www.firehost.com (US) +1 844 682 2859 (UK) +44 800
More informationW H I T E P A P E R S A P E R P L i f e - C y c l e M a n a g e m e n t O v e r c o m i n g t h e D o w n s i d e o f U p g r a d i n g
W H I T E P A P E R S A P E R P L i f e - C y c l e M a n a g e m e n t O v e r c o m i n g t h e D o w n s i d e o f U p g r a d i n g Sponsored by: Panaya Dan Yachin September 2009 I D C O P I N I O
More informationTop 10 Trends In Business Intelligence for 2007
W H I T E P A P E R Top 10 Trends In Business Intelligence for 2007 HP s New Information Management Practice Table of contents Trend #1: BI Governance: Ensuring the Effectiveness of Programs and Investments
More informationUnderstanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
Understanding the Entity and Its Environment 1667 AU Section 314 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (Supersedes SAS No. 55.) Source: SAS No. 109.
More informationInformation Security and Governance in ERP Implementation (JD Edwards)
Information Security and Governance in ERP Implementation (JD Edwards) Table of Contents Information Security... 2 Information Security in ERP Environment... 3 J D Edwards Security and Governance Features...
More informationSurviving an Identity Audit
What small and midsize organizations need to know about the identity portion of an IT compliance audit Whitepaper Contents Executive Overview.......................................... 2 Introduction..............................................
More informationGuidance on Conflicts of Interest for Investment Advisers
Guidance on Conflicts of Interest for Investment Advisers By Joshua Horn and Amit Shah I. Introduction Conflicts of interest arise in any fiduciary relationship, and perhaps no more so than in the financial
More informationSTANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES. ENTERPRISE RISK MANAGEMENT Framework
STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES ENTERPRISE RISK MANAGEMENT Framework September 2011 Notice This document is intended as a reference tool to assist Ontario credit unions to develop an
More informationAudit of the Test of Design of Entity-Level Controls
Audit of the Test of Design of Entity-Level Controls Canadian Grain Commission Audit & Evaluation Services Final Report March 2012 Canadian Grain Commission 0 Entity Level Controls 2011 Table of Contents
More informationIMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE
IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE ABSTRACT Changing regulatory requirements, increased attack surfaces and a need to more efficiently deliver access to the business
More informationLeveraging a Maturity Model to Achieve Proactive Compliance
Leveraging a Maturity Model to Achieve Proactive Compliance White Paper: Proactive Compliance Leveraging a Maturity Model to Achieve Proactive Compliance Contents Introduction............................................................................................
More informationIMPROVING AUDIT READINESS BY MANAGING YOUR DYNAMICS ERP
IMPROVING AUDIT READINESS BY MANAGING YOUR DYNAMICS ERP Building Sustainable Control Accountability Contents 1 EXECUTIVE SUMMARY... 1 2 MANAGING YOUR DYNAMICS ERP SYSTEM: AUDIT READINESS... 1 2.1 Common
More informationManaging Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services
Managing Vulnerabilities for PCI Compliance White Paper Christopher S. Harper Managing Director, Agio Security Services PCI STRATEGY Settling on a PCI vulnerability management strategy is sometimes a difficult
More informationImplementing COBIT based Process Assessment Model for Evaluating IT Controls
Implementing COBIT based Process Assessment Model for Evaluating IT Controls By János Ivanyos, Memolux Ltd. (H) Introduction New generations of governance models referring to either IT or Internal Control
More informationUniversity Audit and Compliance. Internal Controls Enterprise-Wide Risk Assessment
Internal Controls Enterprise-Wide Risk Assessment Balancing Risk and Controls In order to achieve goals and objectives, management needs to effectively balance risks and controls. Control procedures need
More informationInternal Auditing Guidelines
Internal Auditing Guidelines Recommendations on Internal Auditing for Lottery Operators Issued by the WLA Security and Risk Management Committee V1.0, March 2007 The WLA Internal Auditing Guidelines may
More informationEnterprise risk management: A pragmatic, four-phase implementation plan
Enterprise risk management: A pragmatic, four-phase implementation plan Prepared by: John Brackett, Managing Director, Risk Advisory Services, RSM McGladrey, Inc. 704.442.3820, john.brackett@mcgladrey.com
More informationFormulate A Database Security Strategy To Ensure Investments Will Actually Prevent Data Breaches And Satisfy Regulatory Requirements
A Forrester Consulting Thought Leadership Paper Commissioned By Oracle Formulate A Database Security Strategy To Ensure Investments Will Actually Prevent Data Breaches And Satisfy Regulatory Requirements
More informationSimply Sophisticated. Information Security and Compliance
Simply Sophisticated Information Security and Compliance Simple Sophistication Welcome to Your New Strategic Advantage As technology evolves at an accelerating rate, risk-based information security concerns
More informationDEVELOPING AN EFFECTIVE INTERNAL AUDIT TECHNOLOGY STRATEGY
DEVELOPING AN EFFECTIVE INTERNAL AUDIT TECHNOLOGY STRATEGY SEPTEMBER 2012 DISCLAIMER Copyright 2012 by The Institute of Internal Auditors (IIA) located at 247 Maitland Ave., Altamonte Springs, Fla., 32701,
More informationTransmittal Letter... 1. Objectives and Scope... 2. Approach... 3-7. Financial System... 8. Permitting Application... 9
Internal Audit Committee of Information Technology Risk Assessment Public Report Prepared By: Internal Auditors of Brevard County September 30, 2009 Table of Contents Transmittal Letter... 1 Objectives
More informationSarbanes-Oxley Section 404: Management s Assessment Process
Sarbanes-Oxley Section 404: Management s Assessment Process Frequently Asked Questions ADVISORY Contents 1 Introduction 2 Providing a Road Map for Management 3 Questions and Answers 3 Section I. Planning
More informationIntroduction to Enterprise Risk Management at UVM DRAFT
Introduction to Enterprise Management at UVM 1 Enterprise What is Enterprise Management? Enterprise risk management is a structured, consistent, and continuous process across the whole organization for
More informationAdministrative Guidelines on the Internal Control Framework and Internal Audit Standards
Administrative Guidelines on the Internal Control Framework and Internal Audit Standards GCF/B.09/18 18 February 2015 Meeting of the Board 24 26 March 2015 Songdo, Republic of Korea Agenda item 24 Page
More informationAUDIT OF READINESS FOR THE IMPLEMENTATION OF THE POLICY ON INTERNAL CONTROL
AUDIT OF READINESS FOR THE IMPLEMENTATION OF THE POLICY ON INTERNAL CONTROL AUDIT REPORT JUNE 2010 TABLE OF CONTENTS EXCUTIVE SUMMARY... 3 1 INTRODUCTION... 5 1.1 AUDIT OBJECTIVE. 5 1.2 SCOPE...5 1.3 SUMMARY
More informationWhite Paper. Imperva Data Security and Compliance Lifecycle
White Paper Today s highly regulated business environment is forcing corporations to comply with a multitude of different regulatory mandates, including data governance, data protection and industry regulations.
More informationPractice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE
Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE March 2012 Table of Contents Executive Summary... 1 Introduction... 1 Risk Management and Assurance (Assurance Services)... 1 Assurance Framework...
More informationOVERVIEW. With just 10,000 customers in your database, the cost of a data breach averages more than $2 million.
Security PLAYBOOK OVERVIEW Today, security threats to retail organizations leave little margin for error. Retailers face increasingly complex security challenges persistent threats that can undermine the
More informationUsing Assurance Models in IT Audit Engagements
Using Assurance Models in IT Audit Engagements Adrian Baldwin, Yolanta Beres, Simon Shiu Trusted Systems Laboratory HP Laboratories Bristol HPL-2006-148R1 January 29, 2008* audit, assurance, compliance,
More informationSuccessfully identifying, assessing and managing risks for stakeholders
Introduction Names like Enron, Worldcom, Barings Bank and Menu Foods are household names but unfortunately as examples of what can go wrong. With these recent high profile business failures, people have
More informationRSA ARCHER OPERATIONAL RISK MANAGEMENT
RSA ARCHER OPERATIONAL RISK MANAGEMENT 87% of organizations surveyed have seen the volume and complexity of risks increase over the past five years. Another 20% of these organizations have seen the volume
More informationContinuous Controls Monitoring ISACA, Houston Chapter. August 17, 2006
Continuous Controls Monitoring ISACA, Houston Chapter August 17, 2006 Purpose of Discussion Understand impact of Continuous Controls Monitoring (CCM) on the Information Systems Audit community To perform
More information