Transcript of PwC Integrated Compliance - ISACA
PwC
Integrated Compliance
Driving ROI with Compliance
Presenters: JJ Marais, Managing Director, Risk Assurance; Chetan Trivedi, Manager, Risk Assurance
Copyright: © 2013 PwC. All rights reserved.
Definition: PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.
Disclaimer: This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
Description: PwC helps organisations and individuals create the value they're looking for. We're a network of firms in 157 countries with more than 184,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com
Integrated Compliance Defined
Provide value and cost savings to our clients by:
• developing an entity-wide sustainable compliance program
- which leverages a single set of integrated controls that satisfies regulatory, financial, and operational requirements,
◦ eliminates redundancy in controls execution and testing and
› reduces compliance risk
Complex and Evolving Compliance Landscape
Diagram: the organization sits among three overlapping sets of demands.
• Organizational Requirements: Operational Objectives, Strategic Initiatives, Customer, Vendor
• Regulatory Agencies and Regulatory Requirements: GLBA, NERC, SEC, FDA, FERC, OSHA, FISMA, SOX, HIPAA, FCPA
• Best Practice and Frameworks: COBIT, ISO, COSO, PCI, SSAE 16, NIST
The Common Response?
• Response to regulatory and best practice guidance is often tactical and remedial rather than strategic
• Each executive independently identifies and addresses their piece of the compliance puzzle
The Result?
This structure results in…
• Managed in silos
• Duplicate and uncoordinated efforts resulting in redundant costs
• Fractured and potentially conflicting reporting
• Increased risk of non-compliance
• Uncoordinated efforts to address new compliance requirements
• Increased risk of audits and audit findings
• Unclear roles and responsibilities
• Inconsistent and isolated technology
Diagram: compliance topics owned separately by the Compliance, Risk Management, Finance, Legal and IT functions. The same topics (Info Security, Privacy, PCI, Vendor, Consumer Protection, AML, FCPA, OSHA, Basel/SII, FDA, SEC, SOX, FSG) recur in several silos, and each silo is assessed separately by Internal Audit & Compliance Assessors.
Where to Start
Organizations often have one or both of the following needs:
• Bottom Up - Control Landscape: Increase the efficiency and effectiveness of control processes and activities
• Top Down - Compliance Sustainability: Improve the sustainability of the compliance program
Potential areas of focus could include a combination of the following:
Compliance Sustainability:
• Sustainability Program
• Compliance Coordination and Management
• Compliance Change Management
• Comprehensive Reporting
• Policies and Procedures
• Training and Awareness
Control Landscape:
• Controls Optimization
• Controls Rationalization
• Gap and Remediation Analysis
• Cost of Controls Analysis
• Testing Procedures
• Project Management
Supporting GRC Technology underpins both areas.
Controls Optimization, Testing and Reporting
Diagram: an Optimized Control Framework covering Change Management, Information Security, Data Classification/Privacy and Credit Card Processing is mapped to FISMA, SSAE 16, HIPAA/HITECH and PCI. The aim is to rationalize the cost of controls and testing: test once, apply to many.
Compliance Sustainability
More than controls optimization… Integrated Compliance leverages people, process and technology to create a compliance structure that ensures an efficient, effective and sustainable compliance program.
Diagram: sustainability rests on People, Structure, Process, Technology and Strategy around the Optimized Control Framework, which covers Change Management, Information Security, Data Classification/Privacy, Telecommunication and Credit Card Processing and maps to FISMA, HIPAA/HITECH, SSAE 16, PCI, GLBA and TIA 942-2. Ongoing updates and additional regulation feed into the same framework.
Technology Enables Compliance
Diagram: three technology layers support Integrated Compliance.
• Foundational Components: form the basic reference data and standards/methodologies used by all participants in the process (Common Language, Common Organizational View, Consistent Methodology)
• Core Compliance Principles: Centralized control framework; Communications and Training; Roles and responsibilities; Testing approach and results; Reporting
• Analysis & Reporting: metrics-based information enabling effective management response (Data Aggregation, Data Analysis, Data Presentation)
Roles and Responsibilities for Integrated Compliance
Effective organizations implement three distinct lines of defense into their Integrated Compliance programs.
Clarity of Roles and Responsibilities Structured into "Three Lines of Defense"
Diagram: the Board / Audit Committee and Senior Management sit above the three lines.
• 1st Line of Defense: Management Controls; Internal Control Measures
• 2nd Line of Defense: Financial Control, Security, Risk Management, Quality, Compliance, Inspection
• 3rd Line of Defense: Internal Audit
• Alongside the 3rd line: Regulator, External Auditor
Roles & Responsibilities: 1st Line of Defense (Management Controls, Internal Control Measures)
Operational management has ownership, responsibility and accountability for assessing, controlling and mitigating risks.
• Converts strategy into operational objectives
• Manages the day to day operation of the organization
• Oversees the risk management efforts of the operations
• Assigns procedural and operational responsibilities
• Assigns responsibility for the controls to service line members
Diagram highlights Senior Management and the 1st Line of Defense.
Roles & Responsibilities: 2nd Line of Defense (Financial Control, Security, Risk Management, Quality, Compliance, Inspection)
Risk Management and Compliance facilitates and monitors practices by operational management and assists in reporting information up and down the organization.
• Provides positive Tone at the Top
• Establishes compliance and risk management policies, roles and responsibilities and implementation goals
• Establishes the integrated control and risk framework (common language)
• Promotes compliance and risk management competence
• Facilitates the development of the risk and control monitoring and reporting process
• Reports to senior management and the board on progress and recommended actions
Diagram highlights Senior Management and the 2nd Line of Defense.
Roles & Responsibilities: 3rd Line of Defense (Internal Audit, with Regulator and External Auditor alongside)
Internal Audit provides assurance to the board and senior management on the effectiveness of compliance and risk management.
• Provides objective assurance to the board and senior management
• Serves as an in-house consultant to the second and first lines of defense
• Provides the connection with the external auditor and regulator
• Coordinates the internal audit plan with the inspection activities performed by the first and second lines of defense
Diagram highlights the Board / Audit Committee and the 3rd Line of Defense.
Benefits of Integrated Compliance
Shorter Term Benefits:
• Greater awareness and understanding of responsibilities for control performers
• Significant reduction of compliance costs resulting from centralized governance structure and elimination of duplicate audit/compliance activities
• Greater transparency and visibility into the aggregated risk and controls and broader business posture
• Increased sustainability leveraging a common technology platform
• Reallocation of internal resources to core revenue and operational activities as a result of reduction in controls
• Reduction of compliance risk due to greater coordination, awareness and visibility
Longer Term Benefits:
• Leverage the compliance program to drive strategic initiatives and operational objectives
• Improved executive and Board reporting leveraging advanced dashboards and real-time reporting
• Reduce the organizational impact of new regulations through established compliance change management practices
• Streamline audit preparation, design evaluation and execution
• Gain a competitive advantage and first mover status by implementing an agile compliance framework, which facilitates the addition of standards in demand by customers
Efficient, Agile, Sustainable, Strategic, Coordinated
Integrated Compliance: Assess Phase
Assess and Rationalization: Understand the current program structure and compliance requirements and perform a controls rationalization
Activities:
Task 1 – Determine the current compliance structure and requirements:
• Gather the current program structure, strategies, processes and controls
• Understand the detailed compliance requirements and control objectives
Task 2 – Map and rationalize the program structure and control frameworks:
• Create and/or validate the compliance register
• Establish compliance frameworks to be rationalized
• Rationalize the current controls to arrive at a common control framework
• Map the current governance structure
Deliverables:
• Summary of the current compliance structure
• Map of the compliance requirements via the compliance register
• Documented set of rationalized controls
Diagram: the six-step roadmap, underpinned throughout by Organizational Change Management: Assess Phase (1. Assess Current State, 2. Controls Rationalization), Remediate Phase (3. Gap Analysis, 4. Remediation), Implement Phase (5. Implement and Execute, 6. Sustain).
Integrated Compliance: Remediate Phase
Gap and Remediation: Identify risks, gaps and remediation solutions in both the program structure and control requirements
Activities:
Task 3 – Perform a gap analysis to identify gaps in program structure and in the rationalized set of controls:
• Evaluate existing compliance governance structure against the desired level of maturity and leading practices, including the use of GRC technology
• Identify control objectives and activities defined in the common control framework that are not addressed, or are duplicated, in the existing control environment
Task 4 – Work collaboratively to identify appropriate remediation actions for the identified redundancies and gaps:
• Provide leading practices for management's consideration and recommended remediation procedures
• Document decisions and action points in a remediation roadmap
Deliverables:
• Program and control gap analysis including leading practices
• Detailed remediation roadmap documenting current state, future state and recommendations on remediation procedures to arrive at future state
Integrated Compliance: Implement Phase
Implement and Test: Implement the program and control structure and assess the post-implementation compliance posture
Activities:
Task 5 – Assist in the implementation and execution of the compliance program:
• Provide leading practice guidance on the implementation of an integrated compliance program
• Work collaboratively to assist in the implementation of the new program structure and optimized control framework
• Assess the operating effectiveness of remediation activity over control management and rationalization
• Assist in the integrated compliance program implementation
• Assist in the implementation of the GRC technology solution
Task 6 – Create a sustainable compliance model:
• Assess and provide a remediation plan to create a change management process with supporting GRC technology
• Implement change management procedures including updates to policies/procedures and training
Deliverables:
• Leading practices for integrated compliance implementation
• Recommendations for program and control rationalization remediation activity
• Sustainability roadmap including change management procedures and training activities
Thank You
Contact Information:
Scott Peyton, Integrated Compliance Practice Leader, (702) 931-7765
JJ Marais, Managing Director, Risk Assurance, (602) 364-8232
Chetan Trivedi, Manager, Risk Assurance, (602) 364-8168