TECHNOLOGY SOLUTIONS FOR THE INTERNAL AUDITOR (BUY VS BUILD)
APRIL 17, 2015

LEVERAGING TECHNOLOGY FOR AUDIT
[Chart: Utilizing Software to Administrate Audit Process (Yes / No)]
[Chart: Tools Leveraged (MS Excel, Internally Developed, Teammate, Auto Audit, Protiviti Portal, Others)]
Among the 65% utilizing technology, roughly 50% opt to build or leverage existing technology (e.g., Excel), while 50% opt to buy an off-the-shelf platform.
Source: Protiviti's 2012 IA Capabilities and Needs Survey, including more than 800 respondents.
2015 Protiviti Inc. CONFIDENTIAL

AUDIT TECHNOLOGY USE-CASES
[Chart: Work Papers, Audit Planning, Reporting, Tracking findings through Remediation, Knowledge Sharing]
Organizations cite electronic work-papers, audit planning, and automated reporting as key use-cases employed through technology.
Source: E&Y Global IA Survey 2007

OUR GRC TECHNOLOGY POINT OF VIEW
Establish Strong Business Processes
- Obtain project sponsorship
- Define business objectives & requirements
- Identify relevant resources required to make the most of the investment.
Enabling Technology
Make the Right Technology Choice(s)
- Buy: Purchase off-the-shelf
- Build: Leverage elements of your existing infrastructure to build custom solution
- Best-of-Breed: Integrate multiple systems
Implement Effectively
- Establish a measurable scorecard to track success.

GRC TECHNOLOGY EXPERIENCE
Strategic group within Protiviti that:
- Specializes in software development and technology integration
- Maintains operations in the U.S. and India
- Provides 24 X 5 Customer Support
- Responsible for the Governance Portal
  - Released in 2003
  - More than 450 implementations
  - 200 GRC customers
We are Recognized by the Analysts
- Named as a Strong Performer in The Forrester Wave: Governance, Risk, and Compliance Platforms, Q1 2014 by Forrester Research, Inc.
- Positioned as a Challenger by Gartner Inc. in the September 2013 Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms
The Governance Portal is a Governance Risk and Compliance (GRC) software platform that integrates content and commonly accepted and proprietary frameworks with world-class consulting expertise that provides you with the visibility and insight needed to manage and mitigate your critical risk and compliance issues today and in the future.

GRC SHAREPOINT EXPERIENCE
Highly Trained, Expert Staff
- 14-time Microsoft Gold certified partner, 100+ SharePoint Experts on staff including top-certified SharePoint MVPs
- 100% of Protiviti SharePoint consultants hold SharePoint certifications, many hold multiple, advanced certs (PMP, MCTS, MCP/T, MCSD)
- Protiviti SharePoint employees spoke at every major SharePoint industry conference in 2013
100s of Satisfied SharePoint Customers
- Over 300 unique SharePoint project, support, and training customers in 2013, including development of GRC business applications.
- 90% of all first-time clients return for a second engagement within 12 months.
- 2013 average SharePoint On Call Satisfaction rating is 4.68 (out of 5)
Deep Microsoft Relationship
- Ability to leverage Software Assurance (SA) Benefits and to help navigate the Microsoft volume license discounts program.
- Direct access to Microsoft SharePoint product team personnel
"Every commercial product we reviewed required customization and implementation services in addition to the product license. If we are going to go down that path, why not do it on a platform that we already own?"
Paraphrased from two separate companies: Financial Services Company, Hospitality Industry Company

GRC TECHNOLOGY IMPLEMENTATION APPROACH
Project Management
- Objectives & Requirements Definition
- Buy vs Build
- Build:
  - Identify Platform & Schedule Resources
  - Develop Roadmap for Implementation
- Buy:
  - Develop and issue RFI
  - Develop and issue RFP
  - Proposal Review
  - Demonstrations
  - Final Analysis & Selection

PROJECT MANAGEMENT
Project Management: Define | B/B | Resource | Roadmap | RFI | RFP | Review | Demo | Analysis
- Establish Steering Committee & Project Team
- Confirm scope, approach, deliverables, and time schedule.
- Recognize potential schedule conflicts
- Monitor through defined checkpoints.

OBJECTIVES & REQUIREMENTS
- Establish business objectives
- Define requirement structure
- Seek input across teams and levels
- Consider long-term vs near-term goals
- Solicit awareness demonstrations

BUY VS BUILD DECISION
GRC Program Goal / Value / Buy / Build
- Embedded, integrated enterprise GRC: Alignment of strategies and operations to achieve business goals; Support of evolving requirements
- Single, or Synergistic Departmental GRC Program Implementation: Increased departmental efficiency; Reduction of operational losses and incidents
- Project or Initiative Focused: Compliance with regulatory filings or public reporting; Agile, time sensitive approach without large capital acquisition
Buy
- IT Model: SaaS (Low IT involvement); Off-the-shelf software; Prefer to license
- Program Qualities: Single or synergistic departmental efficiency; Mature, known requirements
Build
- IT Model: On-Premise (IT involvement); Customizable platform; Prefer to own IP
- Program Qualities: Embedded, integrated enterprise GRC; Evolving, agile requirements; Project or initiative focused

BUY: DEVELOP & ISSUE RFI / RFP
- Review analyst reports, colleagues, conferences, IA events.
- Synthesize your requirements
- Identify long-list of vendors for RFI.
- Identify short-list for RFP.

BUY: PROPOSAL REVIEW
Sample Scorecard
Category | # | Requirement / Questions | Vendor 1 | Vendor 2 | Vendor 3 | Vendor 4
Risk Assessment | 1 | Configurable risk assessment with 5x5 scoring against risk categories per entity. | 8 | 6 | 4 | 9
Audit Execution | 2 | Multi-stage workpaper workflow including varied level of review by workpaper type. | 7 | 5 | 2 | 9
Reporting | 3 | Automated Audit Report, exportable to Word for offline viewing. | 5 | 4 | 8 | 9
Summary Analysis | | | 20 | 15 | 14 | 27
- Establish weighted scorecard: core vs value-add requirements.
- Recognize first reaction vs functional alignment
- Document individual & aggregated scores
- Identify gaps in information or items for demonstration

BUY: DEMONSTRATIONS
Demonstration Flow Example
Risk Assessment
1. Risk categorization
2. Assessment criteria
3. Ranking significant risk
4. Annual audit planning
Audit Execution
1. Resource allocation
2. Workpaper assignment
3. Manager review
4. Workflow and alerts
Remediation
1. Issue identification
2. Action plan assignment
3. Business user updates
4. Audit review
Reports & Other
1. Automated audit report
2. Report configuration options
3. Security and administration
4. Data migration
- Focus on critical & complex requirements
- Consider narrative driven use-cases vs step-by-step
- Leverage live data
- Recognize marketing vs reality (understand effort involved)
- Update scorecard

BUY: FINAL ANALYSIS & SELECTION
- Review scorecards
- Consider follow-up demonstrations
- Consider Proof-of-Concept
- Perform Fit analysis

BUILD: PLATFORM & RESOURCE
- Inventory relevant elements of infrastructure & 3rd party tools.
- Identify internal and external capabilities

ROADMAP FOR IMPLEMENTATION
[Diagram labels: Audit Planning, Scope & Design, Configuration, User Acceptance, Training, Pilot & Go-Live, Audit Execution, Issue Tracking, Audit Close & Reporting]
- Establish logical, definable configuration topics
- Define configuration topic leads and support resources
- Prioritize focus areas and establish timeline with milestones

QUESTIONS