Optimizing Compliance Programs in Organizations: A Top Down Approach
HOST
Kevin McCormack
Managing Director, Content & Programming
303.819.9817
QUESTIONS
We welcome you to submit any questions for the presenters through the chat function you see on your screen.
RECORDING
The event recording and PowerPoint will be provided post event.
SPEAKING TODAY
Danny Goldberg, Founder, GOLD SRD
Terence Lee, Regional VP GRC Solutions, MetricStream, Inc.
Danny M. Goldberg
• Founder, GOLDSRD (www.goldsrd.com)
• Former Director of Corporate Audit/SOX at Dr Pepper Snapple Group
• Former CAE - Tyler Technologies
• Published Author (Book/Articles)
• Texas A&M University – 97/98
• Chairman of the Leadership Council of the American Lung Association - North Texas –Calendar Year 2012
• Served on the Audit Committee of the Dallas Independent School District (CY 2008)
• Current Dallas and Fort Worth IIA Programs Co-Chair
• Fort Worth IIA Board Member
• IIA North America Learning Committee Member
Certifications:
• CPA – Since 2000
• CIA – Since 2008
• CISA – Since 2008
• CGEIT - Since 2009
• CRISC - Since 2011
• CRMA – Since 2011
• CCSA – Since 2007
• CGMA – Since 2012
Danny M. Goldberg (cont.)
• Highly-Rated, Internationally Recognized Speaker
– One of the Top Rated Speakers, 2014 IIA All-Star Conference
– 7th Rated Speaker, 2014 ISACA ISRM Conference
– One of the Top Rated Speakers, 2014 IIA Mid-Atlantic Conference
– One of the Top Rated Speakers, 2014 IIA Gaming Conference
– 6th Highest Rated Speaker (out of 116), 2013 IIA International Conference
– 3rd and 5th Rated Sessions, 2013 IIA Central Regional Conference
– 8th Rated Speaker (out of 120), 2012 IIA International Conference
Danny M. Goldberg (cont.)
• Published Author
– HFTP Journal: Practice Ethics (November 2014)
– Bureau of National Affairs - Internal Audit: Fundamental Principles and Best Practices (Professional Commentator)
– College & University Auditor (March 2014 Cover) – Project Management
– Audit Report Articles (June 2013 Cover, March 2012, March 2011, June 2010 Cover) – “Critical Thoughts on Critical Thinking”
– ISACA Journal (May 2012, August 2012)
– Internal Auditor Articles (August 2007, December 2007, October 2010)
– Dallas Business Journal (January 2011) – “The Yes Man Phenomenon”
Agenda
• Overview of Compliance and Integration Challenges
• Top-Down Risk Based Approach (Centralized Oversight)
• Compliance as a key enterprise risk
• Key Aspects for Integrated Auditing
• Differentiation between External, Internal and Regulatory
• Differences (Sample Sizes, Substantive versus Controls)
Compliance Today
• Business is NOT being deregulated; standards are increasing and becoming more stringent
• Silo approach to compliance in many large organizations
– Little to no integration (competing priorities)
– Compliance is not viewed as value-add (“we have to do it”)
Implications of Lack of Integration
• Who owns compliance? Which line of defense?
• Limited compliance knowledge in the business/process owners
• Advanced preparation becomes a necessity
• Lack of separation between auditors (“We get audited all the time”)
Top-Down Approach
• Board Oversight and Support (Compliance Program)
• Management Messaging (Continuous)
– Focus on Value of Compliance
• Continuous Monitoring/Auditing
• Incentive Plans tied to Compliance
Compliance Program
• Compliance is Part of Management
• Considered at the Strategic/Enterprise Level
• Addressed as Part of ERM Program
• Address Root Causes when Non-Compliance is uncovered
• Consider/Identify business process interdependencies
Definition of Internal Audit
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Key Enterprise Risks
• Focus on Value of Compliance
• A top-five risk in many industries
• Compliance is not optional
• Lack of Compliance
– Do Not Focus on Fines
– Unable to do Business?
– Not aligned with Company’s Strategic Objectives?
Messaging
How Do You Get People to Do What They Do Not Want to Do?
• Socialize Importance of Compliance
• Continuous Communication
• Training
• Embed in the Business
Integrated Auditing
• Starts at the Top
• Umbrella Approach to GRC?
– All functions reporting through same authority line
• Must start at the Risk Assessment Level
– Combine Audit Risks with Compliance Risks (if possible)
• Integrate Pool of Auditors
Types of Continuous GRC
• Data Analytics
– Continuous Monitoring
– Continuous Auditing
• Continuous Risk Assessment
• Continuous Controls Monitoring
• Data Warehousing
• Data Mining
• Fraud Detection Tools
Continuous Controls Monitoring
• Process performed by management to determine whether policies and controls are operating effectively
• Uses automated tests to identify activities and transactions that fail to comply with controls
• Allows management to fix control problems in a timely manner
• Similar to continuous risk assessment – find the key controls, understand how they can be monitored through the system, etc.
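What an automated control test over a transaction feed looks like in practice, as an added example (not code from the webinar, the speakers or MetricStream): the control identifiers, the approval threshold, the approved-vendor and blocked-party lists and the five sample transactions are all constructed for illustration. Each control is a small function that returns an exception message when a transaction fails it; running every control over every transaction produces the exception list that continuous monitoring hands to management, and the per-control exception rate is the KPI a dashboard would show.

```python
"""Continuous controls monitoring over a transaction feed.

Added example, not code from the webinar or from MetricStream. Control IDs,
threshold, vendor lists and the sample transactions are constructed; a real
deployment would read them from the control library, vendor master and ERP.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    vendor: str
    amount: float
    prepared_by: str
    approved_by: Optional[str]   # None when no approval was recorded
    approved_at: Optional[str]   # ISO-8601 timestamp, or None
    posted_at: str               # ISO-8601 timestamp


# Hypothetical control parameters (assumed company policy, not from the page)
APPROVAL_THRESHOLD = 10_000.00
APPROVED_VENDORS = {"ACME Supplies", "Northwind Traders"}
BLOCKED_PARTIES = {"Blocked Trading Co"}   # stand-in for a sanctions screening list


# Each control test returns None on pass, or a short exception message on fail.
def sod_preparer_not_approver(t: Transaction) -> Optional[str]:
    """Segregation of duties: the preparer may not approve their own transaction."""
    if t.approved_by is not None and t.approved_by == t.prepared_by:
        return f"{t.prepared_by} prepared and approved the same transaction"
    return None


def approval_required_above_threshold(t: Transaction) -> Optional[str]:
    """Amounts at or above the threshold must carry a recorded approval."""
    if t.amount >= APPROVAL_THRESHOLD and t.approved_by is None:
        return f"amount {t.amount:.2f} >= {APPROVAL_THRESHOLD:.2f} with no approval"
    return None


def vendor_on_approved_master(t: Transaction) -> Optional[str]:
    """Payments may only go to vendors in the approved vendor master."""
    if t.vendor not in APPROVED_VENDORS:
        return f"vendor '{t.vendor}' not in approved vendor master"
    return None


def counterparty_not_blocked(t: Transaction) -> Optional[str]:
    """Counterparty must not appear on the blocked-party list."""
    if t.vendor in BLOCKED_PARTIES:
        return f"vendor '{t.vendor}' is on the blocked-party list"
    return None


def approval_precedes_posting(t: Transaction) -> Optional[str]:
    """An approval recorded after posting means the control ran too late."""
    if t.approved_at is not None and datetime.fromisoformat(t.approved_at) > datetime.fromisoformat(t.posted_at):
        return f"approved at {t.approved_at} after posting at {t.posted_at}"
    return None


CONTROL_TESTS: Dict[str, Callable[[Transaction], Optional[str]]] = {
    "C01-SOD": sod_preparer_not_approver,
    "C02-APPROVAL": approval_required_above_threshold,
    "C03-VENDOR": vendor_on_approved_master,
    "C04-BLOCKED": counterparty_not_blocked,
    "C05-TIMING": approval_precedes_posting,
}


def run_controls(transactions: List[Transaction]) -> List[Dict[str, str]]:
    """Run every automated control test over every transaction; return the exceptions."""
    exceptions = []
    for t in transactions:
        for control_id, test in CONTROL_TESTS.items():
            message = test(t)
            if message is not None:
                exceptions.append({"control": control_id, "txn_id": t.txn_id, "message": message})
    return exceptions


def summarize(exceptions: List[Dict[str, str]], population: int) -> Dict[str, Dict[str, float]]:
    """Per-control exception count and rate: the KPI a compliance dashboard would show."""
    summary = {cid: {"exceptions": 0, "rate": 0.0} for cid in CONTROL_TESTS}
    for e in exceptions:
        summary[e["control"]]["exceptions"] += 1
    for cid in summary:
        summary[cid]["rate"] = summary[cid]["exceptions"] / population if population else 0.0
    return summary


# Constructed sample feed (not real data)
SAMPLE_TRANSACTIONS = [
    Transaction("T1", "ACME Supplies", 2_500.00, "alice", "bob", "2015-03-02T09:00:00", "2015-03-02T10:00:00"),
    Transaction("T2", "ACME Supplies", 15_000.00, "alice", "alice", "2015-03-02T11:00:00", "2015-03-02T11:30:00"),
    Transaction("T3", "Northwind Traders", 12_000.00, "carol", None, None, "2015-03-03T08:00:00"),
    Transaction("T4", "Blocked Trading Co", 800.00, "dave", "erin", "2015-03-03T09:00:00", "2015-03-03T09:30:00"),
    Transaction("T5", "ACME Supplies", 20_000.00, "frank", "grace", "2015-03-04T15:00:00", "2015-03-04T14:00:00"),
]

if __name__ == "__main__":
    found = run_controls(SAMPLE_TRANSACTIONS)
    for e in found:
        print(f"{e['control']} {e['txn_id']}: {e['message']}")
    for cid, s in summarize(found, len(SAMPLE_TRANSACTIONS)).items():
        print(f"{cid}: {s['exceptions']} exception(s), rate {s['rate']:.0%}")
```

Running the block lists the exceptions in the constructed feed: a self-approved payment, an unapproved amount over the threshold, a payment to a vendor that is both off the master and on the blocked list, and an approval recorded after posting. The design point is that each test returns a structured exception instead of raising: monitoring has to run over the whole population and report counts, and a single failure that halted the run would hide the rest.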
“Who is Auditing Me Now?”
• Confusion with Auditees as to who does what
• Perception is that audits happen “all the time” – there is no end
• Integration will assist perception
• Important to delineate between internal and external
Differences Between Compliance and Internal Audit
• Controls testing versus Substantive testing
• Non-statistical Sampling versus Statistical Sampling
• Concluding on initial sample versus extending sample sizes
Benefits of Compliance Optimization
• Efficiency and Effectiveness of Compliance Process = Money
• Real-Time Information (KPI’s) – pushes understanding and acceptance
• Increased Readiness to Respond to Third-Parties
Summary
• Compliance must be viewed as a key risk (ERM)
• Integration is key to efficiency and effectiveness
• Automation (CA/CM) is key to effective response
• Can generate new revenue, etc. = Business Opportunity
© 2015 MetricStream, Inc. All Rights Reserved.
Optimizing Compliance Programs in Organizations: A Top-Down Approach
Terence Lee, Regional Vice President | GRC Solutions
Agenda
• Challenges faced by the Business today
• Facing the Compliance Challenge
• Compliance as a Management Function
• Benefits of an Effective Compliance Program
• Q & A
Challenges
• Addressing changing regulations and mandates.
• Management of regulatory changes in silos.
• Management of policies related to governance, risk, compliance, ethics, and business conduct.
• Lack of systematized operational testing.
• Disconnect between BPM (business process management) and issue-tracking tools.
Facing the Compliance Challenge: Managing Compliance
Facing The Compliance Challenge
• Standardize Internal Controls
– Create a central repository for all types of the company’s control systems, including those for operational efficiency, regulatory compliance, and financial reporting.
– Link controls to related GRC content (regulations, processes, risks etc.) to get the bigger picture.
• Use Business Process Management tools
– Provide a framework for managing complex processes, ensuring that changes can be made in line with regulations.
• Implement Standard Documentation
– Have an integrated document repository to store documents pertaining to processes and controls across all subsidiaries.
• Simplify Change Management
– Enable sharing of documented risks and controls across processes.
– Rationalize and reduce documented controls.
Facing The Compliance Challenge (cont.)
• Enable Operational Testing
– Test internal controls in a consistent manner across all operations within the company and over time.
– Export report data into spreadsheets to simplify the overall operational testing process.
• Automate Issue Management
– Provide complete visibility into the entire lifecycle of issues – from identification through root cause analysis to remediation.
• Enhance Reporting Capabilities
– Build executive dashboards which provide enterprise-wide visibility into the internal controls and processes.
– Build reports and scorecards for status tracking.
– Provide statistics and data by a variety of parameters such as business units, processes, and divisions.
Compliance Management Approach (diagram; only the element labels are recoverable)
• Inputs and stages: Rules & Regulations; Translate Rules Into Policies & Procedures; Policies & Procedures; Construct Compliance Strategies (Risk / Cost of Compliance); Document Mgmt.; Compliance Reporting & Dashboards
• Controls: Self-Testing; 3rd Party Testing; Training & Certification; Notifications & Alerts; Attestation
• Examples: G&A; T&E; HR; FCPA, OFAC, AML; Corporate Ethics; Financial Processes; Adherence to Rules & Laws; SEC Rules & Regs.; Financial Controls; Independence; Non-Key Controls; Code of Conduct; OFAC, FERC/NERC
• Build a control structure that matches company risks
A Typical Compliance Management Workflow: Planning, Organizing, Operating, Controlling
Single Platform for Multiple Compliance Programs (diagram; only the element lists are recoverable)
• Area of Compliance: SEC, NASD, PCI, ISO, SOX, …
• References: Regulation 1, Regulation 2, Standard 1, Standard 2, …
• Policies/Documents: Policy 1, Procedure 1, Work Instruction 1, …
• Functions/Standards: IT, Function 1, …
• Processes: Process 1, Process 2, Process 3, …
• Risks: Risk 1, Risk 2, Risk 3, …
• Controls: Control 1, Control 2, Control 3, …
• Control Tests: Control Test 1, Control Test 2, Control Test 3, …
• Risk Assessments: Risk-Based, Requirement-Based, Business Unit-Based
• Issues: Action Plan, Implement, Monitor
Benefits
• Reduced Cost, Time, and Effort
– Automated information flows, assessments and testing, and remediation assignments will reduce overall compliance costs.
• Increased Efficiency and Collaboration
– Groups will be able to carry out team activities productively within the collaborative environment.
– The business will understand, control and manage business processes within strict tolerances.
• Streamlined Change Control
– Integrated document management with change control capabilities will keep documentation and processes in sync, significantly reducing the rework of documentation for ongoing compliance.
• Enhanced Transparency and Visibility
– The risk of non-compliance will fall, giving executives assurance of higher customer and investor confidence.
• Improved Reporting Capabilities
– Enterprise-wide visibility into the financial controls management and compliance process will improve and will highlight issues that need to be addressed.
About MetricStream
Vision: Integrated Governance, Risk and Compliance for Better Business Performance
Organization
• Over 1,700 employees
• Headquarters in Palo Alto, California with offices worldwide
• Over 350 enterprise customers
• Privately held – backed by leading global VCs, including Goldman Sachs
Solutions
• Enterprise Risk Management
• Operational Risk Management
• Vendor Risk Management
• Audit Management
• Third Party Management
• EHS & Sustainability
• Compliance Management
• SOX Compliance
• IT-GRC
• Quality Management
Differentiators
• Technology - GRC Platform – 9 Patents
• Breadth of Solutions – Single Vendor for all GRC needs
• Cross-industry Best Practices and Domain Knowledge
• ComplianceOnline.com - Largest Compliance Portal on the Web
• GRCIntelligence.com - One stop solution for curated intelligence
This webcast and all future Ethisphere webcasts are available complimentary and on demand for BELA members. BELA members are also offered complimentary registration to Ethisphere’s Global Ethics Summit and other Summits around the world.
For more information on BELA contact:
Laara van Loben Sels
Senior Director, Engagement Services
480.397.2663
Business Ethics Leadership Alliance (BELA)