IT GOVERNANCE
GSI 615
Carmen R. Cintrón Ferrer, 2014
IT Governance: Scope
- Governance
- Risk Management
- Compliance
- IT Resources Management
- IT Governance
- IT Leadership and Innovation
- Governance and Ethics
Compliance
What is compliance?
Compliance is a desired outcome with regard to:
- Laws and regulations
- Internal policies and procedures
- Commitments to stakeholders
- Mission
- Reliability and assurance of information
It is achieved through a managed investment of time and resources, by inserting into day-to-day processes:
- Controls
- Legal and tactical activities
- Metrics
Compliance
Compliance definition (Video): conformance to established or generally accepted regulations, standards and/or legislation.
Compliance components:
- Awareness of boundaries
- Structural support for accountability
- Culture and consistency
- Automated processes and controls to avoid gaps and prevent failure
- Metrics that enable compliance
- Technology integration to alert on, or prevent, possible non-compliance
Compliance with Laws and Regulations
Which laws and regulations? Those which the entity is subject to.
Challenges:
- Lacking in harmony
- Complex and decentralized
- Dependent on manual controls
Implement via:
- Policies and procedures
- Technology inserted to support compliance
- Reliance upon ethical behavior and transparency
Comply with what?
- National and international laws and regulations
- Standards and best practices
- Governmental regulatory agencies' rules
- Codes of ethics
- Organizational policies, procedures and guidelines
- Business code of ethics
- Professional code of conduct
Regulatory compliance areas (sample list)
Financial transactions and records:
- Gramm-Leach-Bliley Privacy Act (GLBA)
- Payment Card Industry Standards (PCI)
- Basel I & II
- Sarbanes-Oxley Act (SOX)
Health transactions and records:
- Health Insurance Portability & Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health (HITECH) Act
Intellectual property:
- Digital Millennium Copyright Act (DMCA)
Personal data privacy:
- Family Educational Rights and Privacy Act (FERPA, Buckley Amendment)
- Electronic Communications Privacy Act (ECPA)
- The Lisbon Treaty: data protection framework as a fundamental human right
National security, information security and telecommunications:
- Federal Information Security Management Act (FISMA)
- Computer Fraud and Abuse Act
- USA PATRIOT Act
What, Who, When?
What?
- Determine the level of compliance required
- Identify responsible parties (roles and responsibilities)
- Adopt (or modify) policies and procedures
- Communicate, train and monitor
Who?
- The organization as a whole
- Board, officers, senior and line management, and staff
- Compliance Officer, Internal Auditor and Legal Counsel
When?
- Continuous compliance process
- By request of a regulatory agency, contractual agreement and/or lawsuit
Responsibility
Dimensions of responsibility:
- Strict (directly responsible)
- Indirect and vicarious
- Fiduciary
- Negligent acts or absence of action
Standard of Due Care:
- States the measures that should be in place to mitigate or reduce responsibility
- Requires acting as expected (within the legal/regulatory framework)
- Reference standards: SOX standards, ISO 17799
Compliance Exercise 1
- Choose a regulation from the Personal Data Protection list.
- Determine the dimension of responsibility for: the Board; Officers and Managers; IT Management and Staff; Staff.
- What would the Standard of Due Care be if there is a:
  - breach of security in which client data is exposed?
  - scenario of industrial espionage?
  - major fraud involving securities transactions (SEC)?
  - case of unethical behavior by an officer, manager or staff employee?
Compliance Laws and Regulations: Personal Data and Privacy Protection (limited listing)
- Electronic Communications Privacy Act, PL 99-508 (1986)
- Children's Online Privacy Protection Act, PL 105-277 (1998)
- Health Insurance Portability & Accountability Act, PL 104-191 (1996)
- Health Information Technology for Economic and Clinical Health (HITECH) Act, PL 111-5 (2009)
- Family Educational Rights and Privacy Act (Buckley Amendment) (1974)
- Sarbanes-Oxley Act, PL 107-204 (2002)
- Gramm-Leach-Bliley Financial Privacy Act (GLB), PL 106-102 (1999)
- Digital Millennium Copyright Act (DMCA), PL 105-304 (1998)
- Controlling the Assault of Non-Solicited Pornography & Marketing Act, PL 108-187 (2003)
- Electronic Signatures in Global & National Commerce Act, PL 106-229 (2000)
- Communications Assistance for Law Enforcement Act, PL 103-414 (1994)
- Real ID Act, PL 109-13 (2005)
- The Lisbon Treaty significantly affects the data protection framework: it establishes that personal data protection is a fundamental human right (http://europa.eu/lisbon.treaty)
- Federal Information Security Management Act (FISMA), PL 107-347 (2002)
- Computer Fraud and Abuse Act
- Cyber Security Enhancement Act, PL 107-296 (2002)
- Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act, PL 107-56 (2001)
- Cyber stalking, cyber harassment & cyber bullying laws (http://www.ncsl.org/default.aspx?tabid=13495)
- Electronic Freedom of Information Act, PL 104-231 (1996)
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
Compliance Exercise 1(a): Dimension of Responsibility
Fill in the matrix for the chosen regulation.

Party                     | Strict/Direct | Indirect/Vicarious | Fiduciary | Negligent actions
--------------------------|---------------|--------------------|-----------|------------------
Board of Directors        |               |                    |           |
Officers                  |               |                    |           |
Managers                  |               |                    |           |
IT Management & Staff     |               |                    |           |
Other Staff               |               |                    |           |
Compliance Exercise 1(b): Expected Standard of Due Care
Fill in the matrix for each scenario.

Party                     | Client data exposed | Industrial espionage | SEC fraud | Unethical behaviour
--------------------------|---------------------|----------------------|-----------|--------------------
Board of Directors        |                     |                      |           |
Officers                  |                     |                      |           |
Managers                  |                     |                      |           |
IT Management & Staff     |                     |                      |           |
Other Staff               |                     |                      |           |
Compliance Management
- Identify regulatory requirements
- Select compliance frameworks
- Document business processes and controls:
  - Implement or update processes and controls
  - Determine control gaps
  - Address and close the gap(s)
- Monitor control status and effectiveness:
  - Identify and remediate issues
  - Review and update the control environment
  - Certify effectiveness
- Communicate results of the analysis to key stakeholders:
  - Train for compliance
  - Generate evidence to support audit requirements
  - Assess the impact of events on controls
Compliance Management Process (cycle)
Regulatory Requirements -> Compliance Framework -> Business Processes -> Monitor Controls -> Communicate & Train
Compliance Management Issues
- No compliance oversight function and/or very low confidence level in risk management
- Lack of compliance awareness and education
- Outdated policies and procedures
- Informal procedures and practices
- Policies, procedures, strategic plans, budget and resource allocation/management that are unknown, poorly communicated or not understood
- Inconsistent application of policies and practices among different areas/departments
- Ineffective or inefficient controls
- Personal accountability that is unenforceable or wrongly placed
Environment for Compliance
- Establish an incentive and reward system based on excellence and hard work.
- Develop an ethical environment that can foster and sustain responsible decisions.
- Build a system of ethical practice throughout the compliance program and the organization.
- Assign the resources and communicate a clear message.
- Drive the cultural change: compliance is the right thing to do.
Source: Michael Volkov, Creating a Culture of Ethics and Compliance
SOX Compliance
Sec. 302 - Faulty financial reporting (data safeguards):
- Prevent data tampering
- Accurate reporting and timelines
- Track data access
- Operational safeguards
- Safeguard effectiveness
- Security breach detection
Sec. 404 - Disclosure and transparency (data security):
- Disclose security safeguards
- Disclose security breaches
- Disclose failure of safeguards
SOX Compliance Frameworks
- COBIT 5 (www.isaca.org/cobit5)
- ISO 27000 (http://www.oanc.ir/iso27k.pdf)
- COSO (http://www.coso.org)
- SANS approach: An Overview of SOX; A Compliance Primer; SOX IT Compliance Audit
Some IT support solutions: Computron, CorreLog, Oracle
SOX Compliance References
- Computron, Sarbanes-Oxley Compliance: A Checklist for Evaluating Internal Controls
- CorreLog, Sarbanes-Oxley (SOX) Compliance Checklist
- Deloitte, Taking Control: A Guide to Compliance with Section 404 of the Sarbanes-Oxley Act of 2002
- Ernst & Young, The Sarbanes-Oxley Act at 10: Enhancing the Reliability of Financial Reporting and Audit Quality
- KPMG, Sarbanes-Oxley Section 404: Summary of Key Points from Submissions to the SEC
- J. Stephen McNally, CPA, The 2013 COSO Framework & SOX Compliance: One Approach to Effective Transition
- Protiviti, Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements, FAQs Regarding Section 404
- Splunk, SOX Compliance
COSO 2013 (Committee of Sponsoring Organizations of the Treadway Commission)
The 2013 update considers changes in business and operating environments. Environment changes that have driven the framework updates:
- Expectations for governance oversight
- Globalization of markets and operations
- Changes and greater complexity in business
- Demands and complexities in laws, rules, regulations and standards
- Expectations for competencies and accountabilities
- Use of, and reliance on, evolving technologies
- Expectations relating to preventing and detecting fraud
[Figure: COSO Cube (2013 Edition)]
COSO 2013 Updated Model: five components and seventeen principles
Control Environment:
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment:
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities:
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication:
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities:
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
COSO - Example of how controls affect principles
Component: Control Environment
Principle (1): The organization demonstrates a commitment to integrity and ethical values.
Controls embedded in other components may affect this principle:
- Human Resources reviews employee confirmations to assess whether standards of conduct are understood and adhered to by staff across the entity (component: Control Environment)
- Management obtains and reviews the data and information underlying potential deviations captured in the whistleblower hotline to assess the quality of the information (component: Information & Communication)
- Internal Audit separately evaluates the Control Environment, considering employee behaviors and whistleblower hotline results, and reports thereon (component: Monitoring Activities)
GR&C Wrap-up
GRC or ECRG
- Governance, Risk and Compliance (Video)
- Why a GRC Framework? (Video)
- GRC: The Power to Decide (Video)
- Ethics, Compliance, Risk Management & Governance: should it be GRC or ECRG? (Why / why not?)
- What does the ethical component introduce?
- How can ethical governance become the axis?
Ethics and Compliance or Compliance and Ethics
- Society of Corporate Compliance and Ethics, Sally March, Compliance in Europe
- Alstom, Ethics and Compliance: "clean business is great business"
- Lilly, Ethics and Compliance Program
- Ethics & Compliance Officer Association, Standards of Conduct for Ethics and Compliance Professionals
- Education Portal, Corporate Social Responsibility
- Dilbert on Ethics for e-cpe
- DigiPharm, The relationship between compliance and ethics
- Funny FCPA trainings
- Click4Compliance, Global Anti-corruption laws
Governance Cases: Teamwork Exercise
Cases in Governance: Enron
- Lee Ann Obringer, HowStuffWorks - http://money.howstuffworks.com/cooking-books7.htm
- Robert Jon Petersen, Sophia.org - http://www.sophia.org/tutorials/enron-case-study
- The Economist - http://www.economist.com/node/940091
- The FBI, Crime in the Suites: A Look Back at the Enron Case - http://www.fbi.gov/news/stories/2006/december
- Leigh Tesfatsion, Iowa State University - http://www2.econ.iastate.edu/classes/econ353/tesfatsion/enron.pdf
Cases in Governance: Tyco International
- Lee Ann Obringer, HowStuffWorks - http://money.howstuffworks.com/cooking-books10.htm
- Tyco Fraud InfoCenter - http://www.tycofraudinfocenter.com/information.php
- Daniels Fund Ethics Initiative, University of New Mexico - http://danielsethics.mgt.unm.edu/pdf/tyco%20case.pdf
- Law Teacher, Unethical Issues or Legal Issues in Tyco International - http://www.lawteacher.net/companylaw/essays//unethical-issues-or-legal-issues-in-tyco-international-companylaw-essay.php
- Study Mode - http://www.studymode.com/essays/tyco-international-Case-Study-1022395.html
Cases in Governance: WorldCom
- Lee Ann Obringer, HowStuffWorks - http://money.howstuffworks.com/cooking-books9.htm
- Romar et al., Santa Clara University, WorldCom Case Study - http://www.prmia.org/sites/default/files/references/worldcom_Case_Study_April_2009.pdf and http://www.scu.edu/ethics/dialogue/candc/cases/worldcomupdate.html
- Kristin A. Kennedy, An Analysis of Fraud, University of New Hampshire - http://scholars.unh.edu/cgi/viewcontent.cgi?article=1099&context=honors
Cases in Governance: Adelphia
- The Adelphia Case Scandal - https://www.google.com.pr/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&cad=rja&ved=0CDQQFjAC&url=http%3A%2F%2Fwww.aicpa.org%2FInterestareas%2faccountingeducation%2fresources%2fdownloadabledocuments%2fadelphia.ppt&ei=8i_wuthdmzg8kqfjuidycg&usg=afqjcnehptlobmqe4mmgbg0luops6tikxq
- CNN Money, The Adelphia Story - http://money.cnn.com/magazines/fortune/fortune_archive/2002/08/12/327011/
- C.P. Carter et al., The Adelphia Fraud, American Accounting Association - http://aaahq.org/fia/attachments/fianewsletter-v2n3.pdf
- Adelphia Communications Case Study - http://www.docstoc.com/docs/23287542/adelphia-communications-a-Case-Study
Cases in Governance: Peregrine Systems
- FBI, Peregrine Systems Indictment - http://www.fbi.gov/news/pressrel/press-releases/executives-andauditor-of-peregrine-systems-inc.-indicted-on-securities-fraud-charges
- http://en.wikipedia.org/wiki/peregrine_systems