Presentation - Sunera - Overview (150513)
Overview: An Introduction to Sunera, May 2015
Table of Contents
• Introduction
• Service Offerings
• Industry Experience
• Contact Information
Introduction

Practice Leadership

Brian T. Campbell, Partner
Brian is a Partner in Sunera’s Northeast practice, managing internal and IT audit engagements. He has over 13 years of experience in internal audit, business and IT consulting, risk assessments, and regulatory compliance services.
Prior to joining Sunera, Brian was an Associate Director in Protiviti's Internal Audit & Financial Controls (IAFC) practice out of their New York Metro offices. He was a Project Manager (PM) and served as a subject matter expert (SME) across several of Protiviti's Internal Audit and Business Risk Consulting solutions. In addition, Brian was also an IT Auditor in PricewaterhouseCoopers’ Global Risk Management Solutions (GRMS) / System Process Assurance (SPA) practice.
Brian received his Bachelor of Science in Accounting and Management Information Systems from the University of Delaware. He is a Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), and Project Management Professional (PMP).

Raymond Paolantonio, Partner
Ray is a Partner with Sunera and directs the Firm’s Northeast practice. Ray has more than 20 years of diversified experience as an accomplished internal audit and risk management executive with proven skills in both the corporate and professional services marketplace. He is experienced with Fortune 500 companies in the media, entertainment, advertising, retail, and professional services sectors. Ray’s prime expertise is creating and delivering diverse risk management services relating to internal audit, process improvement, Sarbanes-Oxley compliance, and information technology.
Ray is an active CPA in New York and has been a seminar presenter on topics relating to internal audit and Sarbanes-Oxley. Prior to joining Sunera, Ray held executive positions in professional service firms, including being an original member of Ernst & Young’s business risk practice, and was Vice President of Internal Audit for Viacom Inc.
Company History
Sunera LLC, a privately held limited liability company, is a leading provider of risk-based consulting services. Sunera was founded in 2005 on the belief that risk-based consulting should be pragmatic, cost-effective, and designed around client needs. Sunera is supported by private equity, and led by a Board of Directors and CEO. Our Partners direct our national practices and offices, while our Directors and managers lead our teams of consultants in client engagements.
Core Services
The majority of our projects are internal audit, regulatory and compliance, and information security focused. The high percentage of annual recurring engagements we experience demonstrates that our clients recognize the value Sunera provides versus other service providers or internal options.
Internal Audit
• Full-Outsourcing / Co-Sourcing
• Regulatory & Compliance Support
• Process Improvement Reviews
• Technology Audits

Information Security
• Vulnerability Assessments
• Penetration Testing
• Social Engineering
• Regulatory & Compliance (e.g., PCI)

Financial Advisory
• Interim CFO/Controller
• Audit Preparation and Facilitation
• SEC Reporting Assistance
• Business Process Redesign

IT Advisory
• Software Selection
• ERP/GRC Consulting
• Data Analytics (e.g., ACL, Arbutus)
• Data Privacy
Offices and Accolades
• Over 220 consulting professionals
• Served over 1,000 clients
• Completed over 3,500 engagements
• Founded by former Big-4 risk partners and professionals
• Certified integration partner for leading continuous controls monitoring solutions, including ACL and Arbutus
Certifications & Credentials
Our ability to deliver the quality and expertise our clients expect is based on the depth, skills, and experience of our team. We are a multidisciplinary team of certified practitioners, including:
• Certified Public Accountants (CPA)
• Certified Internal Auditors (CIA)
• Certified Information Systems Auditors (CISA)
• Certified in Risk and Information Systems Control (CRISC)
• Certified Financial Analysts (CFA)
• Certified Fraud Examiners (CFE)
• Certified Information Systems Security Professionals (CISSP)
• Certified Information Security Managers (CISM)
• Project Management Professionals (PMP)
• Microsoft Certified Systems Engineers (MCSE)
Service Offerings

Internal Audit Services
Internal Audit
• Outsourcing and Co-sourcing
• Enterprise Risk Assessment
• Audit Planning
• Operational and Business Process Audit
• Store, Branch, and Franchise Audit
• Contract Compliance Audit
• Fraud and Forensic Audit
• Quality/Peer Review

IT Audit
• IT Risk and Governance (CobiT) Review
• ERP Controls Optimization, Design, & Testing
• ERP Security and SoD Assessment
• ERP Pre- & Post-Integration Review
• SOX ITGCs and Application Controls Testing
• Information Security & Data Privacy Assessment
• Data Integrity Analysis

Continuous Monitoring
• Data Analytics
• Continuous Controls Auditing
• ACL and Arbutus
• ACL GRC
• SAP Direct Link
• SAP GRC Integration
• SAP Process Controls & SoD Rule Configuration

Benefits
• Enhance Internal Audit’s profile and impact on the organization
• Increase audit efficiencies and risk coverage
• Overcome resource capacity and skills constraints
Information Security Services

Security Assessments
• Security Program Definition
• Security Awareness Training and Education
• Internal and External Vulnerability Assessments
• Penetration Testing
• Web Application Security Assessment
• Wireless Security Assessment
• Secure Source Code Review
• BC and DR Planning, Testing, and Implementation

PCI
• Annual On-site Audit
• Gap Analysis/Compliance Roadmap
• Penetration Testing
• Quarterly External Scanning (ASV)
• Remediation Assistance
• PCI Awareness and Training Program

Infrastructure
• Secure Architecture Design
• Firewall Design and Deployment
• Intrusion Detection/Prevention System Design
• Web Application Infrastructure Design/Deployment
• System Hardening
• Identity Management Deployment
• Logging Solutions Deployment
• Wireless Design and Deployment

Benefits
• Prevent business disruptions, loss of data, and disclosure of sensitive information resulting from a security breach
• Avoid scrutiny from customers, business partners, the Board, and regulators
Data Privacy

Privacy Services
• Privacy risk assessments
• Privacy Office program development & augmentation
• Information inventories & data classification models
• Third-party U.S. Safe Harbor evaluations
• Independent validation audits of Corrective Action Plans
• Vendor management program development & oversight
• Policy and procedure development

HIPAA Compliance
• Co-sourcing and outsourcing HIPAA compliance office functions
• HIPAA compliance assessments for Privacy and Security Rule requirements
• HIPAA compliance office services
• Risk analysis satisfying the Security Rule and the Meaningful Use Core Objective
• Use and disclosure considerations
• HIPAA awareness training program development

Incident Response Management
• Enterprise incident response program development
• Maturity assessment of incident response program
• Performance of scenario-based exercises
• Project management assistance for real-world events
• Post-mortem evaluations

Benefits
• Ensure compliance with federal, state, and industry standards
• Provide visibility into effectiveness of privacy practices
• Develop programs to mitigate privacy risks
• Independent assessment of privacy-related policies and procedures
Compliance Services

Regulatory Compliance
• Financial Reporting Regulations (Sarbanes-Oxley § 404, C-SOX, J-SOX, Model Audit Rule)
• Financial Services Regulations (GLBA, FDICIA, Basel II, Patriot Act, & Anti-Money Laundering)
• IT Standards (PCI, CobiT, ISO 27001, SOC, NERC)
• Data Privacy (HIPAA/HITECH, US Safe Harbor, EU Directive 95/46/EC, Massachusetts 201 CMR 17, PIPEDA)

Sarbanes-Oxley
• Risk Assessment, Scoping, & Materiality Assistance
• Entity & Activity-Level Controls Testing
• Business Process and IT Controls Testing
• Controls Remediation Assistance
• Self-Assessment Program Assistance
• Project Management & Quality Assurance
• ICFR Sustainment & Rationalization

Data Privacy
• Data Privacy Assessment
• Corporate Data Privacy Program Development
• Privacy Policy Development
• Data Breach Notification Procedures
• Data Privacy Awareness Training
• US Safe Harbor & EU DPA Registrations
• Massachusetts 201 CMR 17 Privacy Law
• Cross-Border Data Transfers

Benefits
• Free up management to focus on strategic objectives
• Avoid scrutiny from the Board and Regulators
• Minimize compliance costs and project delays
Financial Advisory Services

Finance & Accounting
• Interim CFO/CRO/Controller
• Audit Preparation/Coordination/Facilitation
• Preparation and Drafting of Financial Statements
• SEC Reporting and Filing Assistance
• Implementation of Accounting Standards (IFRS)
• Accounting Policy Development & Implementation
• Contract Review and Analysis
• Financial Accounting, Reporting, & Close Process

Acquisition Support
• Accounting for New Acquisitions (Opening Balance Sheet or Purchase Accounting)
• Financial, IT, and Operational Due Diligence
• Integration Support and Oversight
• Transaction Modeling and Evaluation
• Accounting Function Assessment
• Valuation of Acquired Assets and Liabilities
• Review and Assessment of Valuation Reports

Business Process Improvement
• Quality and Efficiency Process Analysis Including Baseline of Current State
• Develop Roadmaps and Detailed Plans for Process Enhancements
• Independent Selection of Technology Solutions
• Program and Project Management of Improvement Initiatives, Including Oversight of Technology Implementations

Benefits
• Technical accounting expertise when you need it
• Improve reliability/timeliness of financial reporting
• Overcome resource and skills constraints
• Achieve anticipated operational synergies and cost savings
• Improve operating margins resulting from realignment of process with corporate objectives
• Reduction of manual efforts, errors, and re-work
IT Advisory Services

Software Selection
• ROI Review and Validation
• Business Requirements Discovery and Documentation
• RFP Development
• Vendor and Solution Identification
• Demonstration Script Development
• Contract Considerations and Negotiation Assistance

Project IV&V
• Implementation of Program and Project Best Practices (IEEE, SEI, & PMI)
• Project Plan Evaluation and Critique
• Independent “in-flight” Progress Reviews
• Post Implementation Control Evaluation
• System Stabilization and Optimization

IT Governance
• IT Risk and Governance Assessment
• IT Strategic, Technology, Organization Assessment
• Application Strategy and Planning
• IT Policy and Procedure Development
• ROI/Cost Analysis
• Performance Measurement
• Technology Resource Evaluations
• Software License Compliance

Benefits
• Deliver high-value projects on time and on budget
• Increase ROI for system implementations
• Improve performance of the IT organization, reduce costs, and achieve returns from IT investments
SAP Security Services

SoD Remediation
• Role and User SoD Analysis
• Custom Authorization, Compensating Control Mapping, Role Redesign Options, User Access Changes, and Remediation Action Plan
• Security Outsourcing
• User and Role Admin, GRC Rule Set Maintenance, SoD Reporting & Analysis, User Access Troubleshooting, and Role Maintenance

Elements of SAP Assessment
• Role and User Permissions
• Use of Custom Authorizations
• Tcode Usage vs. Design
• Effectiveness of Security Team
• User Provisioning
• Manual Authorizations
• Naming Conventions
• Use of Automated Security Testing Tools

SAP Security Role Design
• SoD-free Simple and Master Roles
• Task-based Roles for SoD-Related Tcodes
• Broad Roles for Display & Reporting Tcodes
• Works with either Derived Roles or Organizational “Enabler” Roles

Benefits
• Pre-designed SoD-free roles that meet at least 90% of an organization’s security requirements
• Templates are used to fast-track information and requirements gathering
Oracle ERP Services

SoD Conflict Remediation
• User & responsibility conflict assessment
• Remediation workshops
• User access changes & remediation action plan
• Mitigating control mapping
• Role redesign and optimization
• Execution of security changes
• Execution of rule set changes
• Training for sustainable remediation approach

Oracle Security Assessment
• Overall security design assessment
• Effectiveness of security approach
• Sensitive responsibility usage
• AZN (process tab) analysis
• User provisioning assessment
• Effectiveness of use of automated security tools
• Identification of areas for improvement within the security process

Oracle Analytics
• Leverage ACL/Arbutus and Tableau to analyze and display transactional/master data
• Identify opportunities to improve the use of Oracle within specific business functions
• Improve the quality of data processed within Oracle
• Optimize controls across a business process
• Benchmark Oracle use across your organizations/sets of books

Benefits
• Accelerators are used to expedite requirements gathering, design, build, test, and deploy phases
• Security role templates that meet a high percentage of an organization’s security requirements
• Sustainable and flexible security environment that meets the short- and long-term needs of the organization
• Enhanced security and control environment
Data Analytics Services

Data Analytics
• ACL/Arbutus Scripting
• Continuous Controls Monitoring
• Corporate Training
• CPE Courses Around the Country
• CCM Planning & Program Development
• Fraud Program
• Arbutus Implementation & Consulting
• Predictive Analytics

ACL & Arbutus
• Purchase licenses directly from Sunera
• Bundle with implementation and consulting where needed
• Assistance with implementation and setup
• Arbutus Software's only North American Distributor
• ACL Software’s only North American reseller

Example Projects
• Duplicate Payments
• Fixed Assets Accuracy
• Non-Routine Journal Entry Identification
• Phantom Employees and Vendors
• Segregation of Duties Testing
• Fraud Identification
• AX Implementation
• Reconciliation and Reporting

Benefits
• Find fraud and abuse
• Reduce waste and inefficiency
• Improve preventive and detective controls
• Automate testing
• Improve business processes
• Make informed decisions based on results
Technology Training Services

Data Analytics
• ACL/Arbutus Scripting
• Continuous Controls Monitoring
• Corporate Training
• CPE Courses Around the Country
• CCM Planning & Program Development
• Fraud Program
• Arbutus Implementation & Consulting
• Predictive Analytics

Cyber Security
• Penetration Testing Training
• Network Security
• Mobile Security (Android and iPhone)
• Malware Analysis
• Reverse Engineering
• Ethical Hacking
• Network Threat Analysis

Operating Systems
• Understanding Operating Systems
• Operating System Intrusion Analysis
• Windows Kernel Internals and Programming

Benefits
• Improve performance of internal security team
• Improve efficiency of internal audit process by leveraging advanced data analytics
• Develop in-house skills and provide employees with career advancement opportunities
Industry Experience

Financial Services Experience

Recent Projects
Internal Audit Co-Source
• Enterprise Risk Management
• Operational Audits
• Sarbanes-Oxley Compliance
IT Audit Co-Source
• IT Risk Assessment
• Application Security & Control Review
Information Security & Data Privacy
• Data Privacy Program Development
• Internal, External, & Wireless Vulnerability Assessments
• Penetration Testing
• Mobile Application Code Review
Technical Accounting Advisory/Support
Disaster Recovery Planning
• Sunera has worked with clients across the financial services industry, including some of the nation’s leading banks, credit unions, private equity firms, financial advisors, broker-dealers, property insurers, life insurance providers, and accounting firms.
• We provide information security services to several of the top 10 banks in the U.S.
• We are a trusted advisor to leading credit card, insurance, and investment firms.
• We provide a number of services designed to address the unique challenges faced by financial services organizations. These services include regulatory compliance, enterprise risk management, data privacy and security, and fraud risk assessments.
Healthcare Experience

Recent Projects
Information Security & Data Privacy
• HIPAA/HITECH Compliance
• PCI Compliance (QSA/ASV)
• Internal and External Vulnerability Assessments
Internal Audit Co-Source
• Enterprise Risk Assessment
• Operational Audits
• Data Analytics (ACL/Arbutus)
• Quality Assurance Review
• Sarbanes-Oxley Compliance
IT Audit Co-Source
• IT Risk Assessment
Technical Accounting Advisory/Support
• Interim Controller
• Process Improvement
• Sunera has worked with clients across the healthcare industry, including some of the nation’s leading hospitals, pharmaceutical manufacturers, biotechnology firms, research organizations, and medical suppliers.
• We are a trusted advisor to some of the nation’s leading medical research centers, online and brick-and-mortar pharmacies, hospital systems, and pharmaceutical developers.
• We provide a number of services designed to address the unique challenges faced by healthcare organizations. These services include IT audits, data analytics, business continuity and disaster recovery planning, HIPAA/HITECH gap analyses, and information security and privacy services.
Media & Publishing Experience

Recent Projects
Internal Audit / IT Audit Co-Source
• Operational Audits
• Data Analytics (ACL, Arbutus)
• IT Risk Assessment
• Application Security/Control Review
Information Security & Data Privacy
• HIPAA & Data Privacy Compliance
• PCI Compliance (QSA/ASV)
• Internal & External Vulnerability Assessments
• Penetration Testing
IT Advisory
• IT Project Management
• Process Improvement
• Disaster Recovery Planning
• Conducted a number of large internal audit projects for media and publishing clients based in the Northeast.
• Conducted audits of newspaper, broadcast, and internet divisions for a major media company.
• Assisted one of the largest Canadian media companies, which owned print, digital, and broadcast outlets.
• Performed business process and information systems reviews at a major publishing company.
• Sunera’s leadership team has been a frequent presenter at the News Media Internal Audit (NMIA) group.
Technology Experience

Recent Projects
Information Security & Data Privacy
• HIPAA/HITECH Compliance
• PCI Compliance (QSA/ASV)
• Internal and External Vulnerability Assessments
• Mobile Application Code Review
Internal Audit Co-Source
• Enterprise Risk Assessment
• Operational Audits
• Data Analytics (ACL/Arbutus)
• Sarbanes-Oxley Compliance
IT Audit Co-Source
• IT Risk Assessment
• ITGC Testing and Remediation
• SSAE 16 SOC 1 & 2 Readiness
Technical Accounting Advisory/Support
• Sunera has worked with clients across the technology industry, including some of the world’s leading cloud software providers, mobile device developers, web-hosting companies, and telecommunications firms.
• We have also worked with social media, advertising, web development, and mobile application software providers.
• We work with the nation’s largest tech companies, including a leading Internet search provider.
• Our services address the unique challenges faced by technology organizations. These services include vulnerability assessments, data analytics, ERP security, PCI compliance, and application code reviews.
Hospitality Experience

Recent Projects
IT Audit Co-Source
• IT Risk Assessment
• Application Review
• SoD Analysis
Information Security & Data Privacy
• PCI Compliance (QSA/ASV)
• Internal, Wireless, and Store Vulnerability Assessments
• Penetration Testing
• PII Risk Assessment
Internal Audit Co-Source
• Operational Audits
• Franchise Audits
• Data Analytics (ACL/Arbutus)
• Quality Assurance Review
SAP GRC Integration
• Sunera has worked with clients across the hospitality industry, including some of the world’s leading hotel chains, cruise lines, restaurants, and airlines.
• We work with clients in the fast food, fast casual, casual dining, and fine dining sectors.
• We serve as the co-sourced internal audit provider for several of the nation’s largest cruise lines.
• Sunera provides a number of services designed to address the unique challenges faced by hospitality companies. These services include franchise audits, gift card accounting, PCI compliance, merchandising system implementations, and POS system security assessments.
Retail Experience

Recent Projects
IT Audit Co-Source
• IT Risk Assessment
• Application Review
Information Security & Data Privacy
• PCI Compliance (QSA/ASV)
• Internal, External, and Store Vulnerability Assessments
• Penetration Testing
• PII Risk Assessment
• Network Integration
• Incident Response Training
IT Advisory
• Strategic IT Assessment
• Merchandising System Implementation
Internal Audit Co-Source
• Data Analytics (ACL/Arbutus)
• Sarbanes-Oxley Compliance
• Sunera has worked with clients across the retail industry, including some of the world’s leading department stores, supermarkets, specialty retailers, online retailers, and fashion brands.
• We have worked with one of the world’s largest big-box retailers.
• We serve as a co-sourced audit provider for several of the nation’s leading restaurant and fast food chains.
• We provide a number of services designed to address the unique challenges faced by retailers. These services include franchise audits, gift card accounting, PCI compliance, merchandising system implementations, and POS system security assessments.
Manufacturing Experience

Recent Projects
Information Security
• Safe Harbor Program Development
• Internal, External, & Wireless Vulnerability Assessments
• Penetration Testing
• Data Privacy Policies/Procedures
Internal Audit Co-Source
• Enterprise Risk Assessment
• Operational Audits
• Data Analytics (ACL, Arbutus)
• Sarbanes-Oxley Compliance
• Fraud Risk & Forensic Analysis
IT Audit Co-Source
• IT Risk Assessment
• Application Security/Control Review
SAP Security and Controls
• Sunera has worked with clients across the manufacturing industry, including some of the nation’s leading automobile, technology, household goods, construction, cosmetics, agricultural, and industrial manufacturers.
• Our clients include the nation’s largest door manufacturer, top international automakers, and leading consumer products manufacturers.
• We provide a number of services designed to address the unique challenges faced by manufacturers. These services include SAP pre- and post-implementation reviews, SOX compliance, data analytics, SoD audits, accounting advisory, operational audits, and IT risk assessments.
Government Experience

Recent Projects
Internal Audit Co-Source
• Operational Audits
• Data Analytics (ACL, Arbutus)
IT Audit Co-Source
• IT Risk Assessment
• Application Security/Control Review
Information Security & Data Privacy
• HIPAA & Data Privacy Compliance
• PCI Compliance (QSA/ASV)
• Internal & External Vulnerability Assessments
• Penetration Testing
IT Advisory
• IT Project Management
• Process Improvement
Disaster Recovery Planning
• Sunera has worked with clients in various government sectors at the local, state, and federal levels, including school boards, airport and transportation organizations, and law enforcement agencies.
• We also frequently work with government contractors in the defense and research sectors and understand the unique requirements in that industry.
• We provide a number of services designed to address the unique challenges faced by government organizations. These services include operational audits, data analytics, data privacy compliance, business process reviews, IT risk assessments, and security and privacy services.
Energy Experience

Recent Projects
NERC/FERC CIP Assistance
Internal Audit Co-Source
• Enterprise Risk Assessment
• Operational Audits
• Data Analytics (ACL-CCM)
• Quality Assurance Review
• Sarbanes-Oxley Compliance
Information Security & Data Privacy
• Internal & External Vulnerability Assessments
• Penetration Testing
• Data Privacy Program Development
IT Audit Co-Source
• IT Risk Assessment
• Segregation of Duties Analysis
SAP GRC Integration
Business Continuity Planning
• Sunera has worked with clients across the energy and utilities industry, including some of the nation’s leading gas storage, utilities, oil & gas exploration, and oil refining corporations.
• We provide a number of services designed to address the unique challenges faced by energy organizations. These services include NERC/FERC, SOX compliance, data analytics, vulnerability assessments, fraud risk assessments, business continuity planning, operational audits, and PCI compliance.
• We have developed long-term, trusted relationships with many of our clients in the energy and utilities industry.
Contact Information

Brian T. Campbell, Partner
[email protected]
917.623.5679

NEW YORK OFFICE
31 Penn Plaza, 132 West 31st Street, New York, NY 10001

Ray Paolantonio, Partner
[email protected]
732.580.7940

BOSTON OFFICE
7 Wells Avenue, Newton Centre, MA 02459