Efficient Support for Internal Control Systems via a GRC Software Platform

Size: px

Start display at page:

Download "Efficient Support for Internal Control Systems via a GRC Software Platform"

Grant Green
6 years ago
Views:

1 Expert Paper Platform Expert Paper A blueprint for success in an increasingly regulated business environment Efficient Support for Internal Control Systems via a GRC Software Platform

Efficient Support for Internal Control Systems via a GRC Software Platform A blueprint for success in an increasingly regulated business environment Governance, Risk & Compliance Management (GRC) is

2 Efficient Support for Internal Control Systems via a GRC Software Platform A blueprint for success in an increasingly regulated business environment Governance, Risk & Compliance Management (GRC) is about meeting the require ments of all relevant groups that have an interest in the organization. These requirements may be internal or external, mandatory or voluntary, current or future. It involves reliably identifying relevant processes, describing, allocating, and assessing specific risks, embedding an appropriate internal control system into business workflows, and monitoring the effectiveness of the controls. In particular, the increasing number of external regulations is imposing ever greater constraints on corporate autonomy. Process-oriented software solutions like Solution for Governance, Risk & Compliance Management enable businesses to introduce and operate an enterprise-wide GRC management system. Find out: why process-oriented software solutions, such as Solution for Governance, Risk & Compliance Management, enable the introduction and operation of a company-wide compliance management system. how companies benefit from reusability of process documentation. which optimization approaches exist for compliance management and why this is a facet of business process management. what process-oriented compliance management means in the context of a legally safe organization. About the author: Martin Kling is solution manager for Solution for Governance, Risk & Compliance (GRC) at IDS Scheer AG, Munich. 1. Increasing external complexity leads to growing internal complexity Today s businesses face ever tougher demands on their internal control systems. On average, a company now has to comply with the provisions of more than a hundred different laws and regulations. At the same time, the burden of proof that legislation and standards have been properly implemented and observed is becoming increasingly stringent, with Section 404 of the Sarbanes Oxley Acts (SOX) being a particularly potent example. In the European Union too, introduction of the 8th EU Directive (audit regulation) requires higher standards from internal control systems, i.e., there are tougher rules regarding the accuracy of published company accounts. Meeting legal requirements is of fundamental importance to the companies involved, since non-compliance not only harms the corporate image, but in some cases it has drastic consequences, such as fines and personal liability of executives (private assets). Further down the line, criminal prosecution is also a possibility. Contact: arisproductmarketing@ids-scheer.com 2

3 Increasingly complex requirements mean an exponential increase in the effort that companies need to expend. Something like a dozen sets of different requirements already impact a typical business process, making it difficult to keep track of audit activity and mitigating action. Greater complexity also means greater risk for companies: instances of non-compliance are more likely and can lead to serious financial consequences in the form of fines or loss of image. In order to have a proper legal defense, organizations need to be able to regularly demonstrate that non-compliance is not due to organizational failure. This exonerates management and employees and prevents possible reputational damage. Today, companies need to deal with two main areas when designing their internal control systems: 1. Reducing complexity 2. Ensuring efficient handling of all (non-value adding) tasks associated with compliance and demonstrating compliance. Fig. 1: Examples of current and future regulatory requirements, as identified by Gartner 2. Process-driven compliance is replacing project-driven compliance The efficiency of internal control systems and the compliance processes that build on them is frequently jeopardized by the fact that new requirements are introduced and implemented on a project basis. Over time, responsibility is passed to the organizational unit that seems best suited, leading to the creation of disparate, disconnected line functions. This decentralized approach also leads to silo-style IT solutions being adopted, often due to time constraints, which are incompatible and impossible to analyze. These twin mechanisms generate additional internal complexity. Efficiency can be boosted significantly by applying a holistic, consistent method, harmonizing test activity, and sharing test results. Achieving the key objectives of reduced complexity and greater efficiency requires the introduction of a central platform to support an internal control system where business processes form the common basis for all controls needed to comply with the various laws and regulations. 3. Greater efficiency thanks to a holistic, process-oriented GRC platform A GRC platform solution needs to be consistent, efficient, and long-term, and to build on a uniform set of data. In addition, it is important to have a standard connector for the wide range of different rules, regulations, and requirements. An organization s business processes are almost uniquely suited to this role. The reasons are two-fold. Firstly, business processes typically need to be documented in order to meet compliance requirements. Secondly, compliance implementation has a direct impact on corporate workflows. To take just one example, most requirements set forth in the Sarbanes Oxley Act give rise to direct controls within a company s financial processes. Careful attention must be paid to designing these controls such that process efficiency is not undermined, always taking account of the process context. A further advantage of a process-based approach is that comprehensive process documentation provides a common language across all the departments affected that embraces their different views: business view, IT view, process view, and organization view. A GRC platform creates efficiency by providing the best possible support for all workflows associated with the internal control system and compliance, which from the corporate perspective are essentially non-value adding. This mainly covers processes for documenting, updating, and communicating company rules, procedural instructions, and controls, risk analysis and evaluation processes, documentation of test activity, internal management assessment and testing processes, plus support for problem tracking and root cause analysis. Furthermore, it must be possible to incorporate insights and progress from all these processes into reports for different management audiences in a simple, effective manner. A survey by research company AMR Research of over 200 companies revealed that they anticipate huge sums being spent to meet all the necessary compliance requirements. In addition to SOX costs, AMR Research estimates that US$ 75 billion will be needed by 2009 to cover compliance activity. 3

To minimize these costs, a GRC platform must support six typical optimization strategies, all of which are closely associated with process management: Right-sizing: Reducing the number of controls,

4 To minimize these costs, a GRC platform must support six typical optimization strategies, all of which are closely associated with process management: Right-sizing: Reducing the number of controls, while simultaneously increasing efficiency by achieving a balanced distribution of controls across the corporate, IT, and process control levels. Integrating risk management and compliance management Providing support for self-assessment Standardizing processes Centralizing controls Repositioning and automating controls Introducing an internal control maturity model Solution for Governance, Risk & Compli - ance Manage ment supports precisely these sustained, holistic, and process-based methods, from strategic analysis and definition to designing controls and tests, implementation, monitoring the effectiveness of controls / actions by way of scalable, efficient workflows, enterprisewide monitoring of process performance and efficiency, testing that allows a prompt response to deviations, and continuous optimization of the established system. Effectiveness of control Unreliable 4. Modeling and documenting the elements in an internal control system (ICS) The first main task is to define and document an internal control system. This includes identifying the rules, regulations, and laws that apply to the company, or with which it feels obligated to comply, defining the specific associated requirements to be met by the company, and drawing up corresponding corporate guidelines. As part of this task, the specific risks resulting from the requirements must be documented, assigned to the relevant corporate processes, analyzed, and appropriate risk mitigation action/controls defined. The defined external and internal regulations, the requirements derived from them, and the risks are incorporated into the business processes using modeling tools. The necessary reference structures, such as balance sheet items and income statement accounts, risk trees, and IT application overviews, are generated. If this data is already available thanks to previous projects, it can be reused via a wide range of interfaces. The standard conventions enable flexible adaptation to the corporate environment and objective of the internal control system (e.g., SOX). Informal Standardized Monitored Stage of maturity Unreliable Informal Standardized Monitored Unpredictable Activities and controls Control activities are Standardized controls environment where are designed and in designed, in place, with periodic testing control activities are place, but not documented and with reporting to not designed or in adequately communicated management place documented Fig. 2: Control effectiveness as a function of maturity Optimized Optimized Integrated internal framework with realtime monitoring by management with continuous improvement Fig. 3: Risks and controls are integrated directly into the business processes using Business Architect As activities that do not directly add value, controls must be kept to a minimum, which means that companies can view in te grated GRC management as an opportunity to ensure the efficiency and effectiveness of processes and the implemented controls. To meet compliance requirements, standardized controls are the minimum configuration required. However, their fitness for purpose cannot be guaranteed without regular monitoring of effectiveness and design. 4

As a result, external regulations increasingly require concrete evidence that regular tests are being performed to ensure that the defined internal control system is functioning properly.

5 As a result, external regulations increasingly require concrete evidence that regular tests are being performed to ensure that the defined internal control system is functioning properly. These control tests are defined in using the same procedure, the relationships being conveniently combined for the control system manager in separate diagrams for each risk or control. Modeling the relevant meta information of an internal control system in and linking it with internal regulations and other applicable documents produces a unique central repository, which can be used as a Process Management Risk & Control Management Assessment & Test Planning Business Architect Business Publisher Used for Used for - Identification - Documentation - Design - Publication - Optimization - Release Cycle Assessment, Testing Issue & Deficiency Management basis for all other functionalities needed for GRC management. This uniform repository is essential for transparent, consistent presentation and analysis. It is used in tandem with the GRC platform to publish information on the intranet and trigger the relevant workflows (testing, review, sign-off, etc.). 5 Introduction of Release Cycle Management (structured version management) Like all documents of a regulatory nature, processes, internal regulations, and procedural instructions require an official, verifiable document control system. To demonstrate the validity of a specific process or control at any given time for audit purposes, all relevant process models and risk control models are subjected to a defined release process. Prior to Webbased publication of the new or modified process on the intranet, it must be tested and released by defined departments and process owners. Release is carried out quickly and easily via a Web interface that lists the individual process and risk control models for each owner. Risk & Compliance Manager then uses this release database to set up the workflows for internal assessment, risk evaluation, and, if necessary, deficiency management. 6. Internal assessment process including issue and deficiency management Fig. 5: Role-based access to Risk & Compliance Manager Sign Off, Status Documentation Reporting, Monitoring, Analysis Risk & Compliance Manager Process Performance Manager Used for Used for - Execution of Testing - Analysis of Results - Remediation of Issues - Compliance Process Dashboard - Status Reporting - Analysis of Compliance Processes - Audit Trail Repository Fig. 4: The central repository supports the processes that build on it by providing a consistent set of data Many laws and guidelines stipulate that the internal control system itself must be testable. This requires complete, audit-proof documentation of controls and their monitoring, as well as the definition of processes and responsibilities to remedy deficiencies and of document/test period sign-off. It must also be possible to extract the test data at specific times on a target group basis for external or internal auditors or for management. Using the internal control system defined in the repository, Risk & Compliance Manager provides support for a comprehensive, audit-proof assess ment process. Specific test cases are generated from the control tests and sent to the defined testers (auditors) by . So that the test can be performed efficiently, all the related information, such as the associated risks and controls and underlying business process, is included in a convenient overview. 5

The tester documents his or her test activities, including any confirmation of compliance, in Risk & Compliance Manager and assesses the design or effectiveness of each control.

6 The tester documents his or her test activities, including any confirmation of compliance, in Risk & Compliance Manager and assesses the design or effectiveness of each control. The test case is then sent to a reviewer before final completion and documentation. This workflow can be flexibly adapted to suit the company s specific requirements. To ensure a clear audit trail, each version of a test case is saved, including the associated risks and controls, and is permanently accessible to allow analysis of a particular activity. If a test case is closed with the verdict not effective, a deficiency is automatically generated so that action can be taken to address the problem. In a separate Risk & Compliance Manager module, im pact and probability are assessed and compensating controls and actions defined to ensure that the control is effective. After taking these steps and conducting a new, successful test, the deficiency is closed. Thanks to a single set of data, users can access the up-to-date, overall status of all test cases, controls, and deficiencies at any time. In the Evaluation module, it is also possible to drill down to the lowest level of a hierarchy. Here, the standard hierarchies are the organization concerned, processes, balance sheet items, and tester hierarchy. 7. Demonstrating compliance to external auditors Fig. 6: Risk & Compliance Manager always provides an up-to-date picture of the overall situation As well as being met internally, it is particularly important that compliance requirements can be verified or certified by external evaluation or an external audit. To achieve this, all compliance-relevant activities, including tracking the change history of all information, must be seamlessly documented. An end-to-end, IT-supported solution, such as Solution for GRC, enables compliance requirements to be fulfilled quickly, with minimal effort, and in an audit-proof manner. Risk & Compliance Manager can be used to verify every user, action, and result, along with the time and date. The extensive reporting functions in Risk & Compliance Manager also support documentation of compliance activities for external audit. By aggregating and filtering data, a document can be created at the push of a button that allows external tests for the relevant regulations. Here too, results can be filtered so that internal activities can be reused for multiple regulatory regimes and external audit. Furthermore, Risk & Compliance Manager provides the option of giving external auditors read-only access to results, thus fully supporting a test performed within the system itself. Companies operating a GRC platform have discovered that external auditors welcome having their own activity integrated into such a rigorous system. This has the effect of reducing unpleasant surprises on both sides at the end of the fiscal year. 8. Analysis and evaluation options within the internal control system To monitor the effectiveness of the established compliance activities as well as the status of processes and organizational units affected by these tests and controls, key performance indicators (KPIs) are needed, along with fast data extraction and presentation in an easy-to-understand format. Compliance Process Dashboard provides a quick overview of current activity status. Users can configure the display layout to suit their needs. Options include multidimensional results analysis (e.g., time series, regional/national comparisons, etc.). 6

Compliance Process Performance Manager can be deployed for in-depth analysis of the aggregated results. Benefits include the ability to drill down to the individual process or test instance.

7 Compliance Process Performance Manager can be deployed for in-depth analysis of the aggregated results. Benefits include the ability to drill down to the individual process or test instance. Finally, an internal control maturity model is required. All controls are categorized as follows: Unreliable Informal Standardized Monitored Optimized Using this model, company managers and internal and external auditors can assess the suitability of the internal control system at any time and strategically manage its continuing development. It is vital that companies adopt a centralized approach to GRC and organize it efficiently only then can the various initiatives be combined in a consolidated GRC management system, thereby leveraging the synergies between human resources, data, IT, and existing knowledge. The result is greater process discipline, improved risk management (integrated into the GRC strategy), and a raised awareness of GRC as an ongoing business requirement. 9. Summary Fig. 7: Compliance Process Dashboard enables a wide range of views of the available data Internal control systems are expected to deliver ever-higher levels of effectiveness. Similarly, companies increasingly need to demonstrate what action they have taken. The effectiveness, and especially the efficiency, of internal control systems and the compliance processes that build on them have not kept pace with these more stringent requirements. Sustained improvements in efficiency can only be achieved by deploying a holistic, consistent method and implementing a central platform to support an internal control system where business processes form the common basis for all controls needed to comply with the various laws and regulations. Solution for GRC is a flexible platform that is not tied to a particular system or content focus and that efficiently supports internal control system processes. It renders complex relationships transparent via database-supported modeling of risks and controls in the individual business processes and allows easy publication of the company s defined internal regulations. By efficiently enabling internal management assessment, test activity effort is reduced and the quality of test results improved. Thus managers are free to focus on the more important events within the organization. The seamless audit trail, which documents all activities, and transparent test results boost trust in the internal control system and allow test activity by external auditors to be reduced. Having a uniform set of data for internal and external testing prevents duplication of work and means that agreement on the assessment of deficiencies can be reached at an early stage. Organizations that implement a uniform, flexible GRC platform see a significant reduction in costs, while benefiting from an improvement in their control system along with optimization and harmonization of their business processes. They are also equipped for the future, since new areas of compliance can be incorporated into a consistent system. At the same time, increased automation of controls and test activities delivers further efficiency savings. 7

8 Platform Expert Paper IDS Scheer AG Headquarters Altenkesseler Str Saarbruecken Phone: Fax: Copyright IDS Scheer AG, Saarbruecken, All rights reserved. The contents of this document are subject to copyright. Any changes, modifications, additions or amendments require prior written consent from IDS Scheer AG, Saarbruecken. Reproduction in any form is only permitted on the condition that the copyright notice remains on the actual document. Publication or translation in any form requires prior written consent from IDS Scheer AG, Saarbruecken., IDS, ProcessWorld, PPM, with Platform symbol and Y symbol are trademarks or registered trademarks of IDS Scheer AG in Germany and in many other countries worldwide. SAP NetWeaver is a trademark of SAP AG, Walldorf. All other trademarks are the property of their respective owners. ID-Number: EP-GRC-0108-E

Expert Paper. From Business Process Design to Enterprise Architecture. Expert Paper - May Business Process Excellence

Expert Paper. From Business Process Design to Enterprise Architecture. Expert Paper - May Business Process Excellence Expert Paper Expert Paper - May 2006 From Business Process Design to Enterprise Architecture Business Process Excellence From Business Process Design to Enterprise Architecture Corporate growth typically