GRC and Good Day!
ROBERT HIRTH, CHAIRMAN, COSO

What You Might Hear…
• View of the GRC function as a whole.
• How has the GRC function changed over the past few years and what awaits in the future?
• Where are the future opportunities and challenges for the internal auditors, risk managers and compliance officers?

If You Believe… COSO is a “US Thing”
Then, You Also Must Believe… All Swedes are Blond

Three Roles…
• Chairman, COSO
• Member, PCAOB Standing Advisory Group (SAG)
• Chairman, IIA IPPF Re-look Task Force

The COSO Agenda
Since their inception, the COSO frameworks (COSO’s Enterprise Risk Management – Integrated Framework and Internal Control – Integrated Framework) have both intended to provide guidance for management on how to implement and evaluate effective enterprise risk management (ERM) and internal control. When applied effectively, the frameworks’ concepts contribute to the end result of improving organizational performance and governance.

Let’s Get on the Same Page…

What is GRC?
“An integrated approach used by corporations to act in accordance with the guidelines set for each category. Governance, risk management and compliance (GRC) is not a single activity, but rather a firm-wide approach to achieving high standards in all three overlapping categories.”
Source: Investopedia

GRC processes are extensive, ranging from the activities of the board and executive management, through strategy setting, performance management, risk management and financial reporting, and including internal controls and IT security. OCEG’s list of functions and processes that are typically included in GRC makes this very clear:
• Governance
• Strategy and business performance management
• Risk management
• Compliance
• Internal control
• Corporate security
• Legal
• IT
• Business ethics
• Sustainability and corporate social responsibility
• Quality management
• Human capital and culture
• Audit and assurance
• Finance

More…
• GRC is a discipline that aims to synchronize information and activity across governance, risk management and compliance in order to create efficiency, enable more effective information sharing and reporting and avoid wasteful overlaps. While interpreted differently in various organizations, GRC typically encompasses activities such as corporate governance, enterprise risk management (ERM) and corporate compliance with applicable laws and regulations.

And…
• Organizations reach a size where coordinated control over governance, risk management and compliance (GRC) activities is required to operate effectively. Each of these three disciplines creates information of value to the other two. Each of the three GRC disciplines touches and impacts the same technologies, people, processes and information in any organization.

From OCEG…
• OCEG defines GRC as a “system of people, processes, and technology that enables an organization to:
• Understand and prioritize stakeholder expectations.
• Set business objectives that are congruent with values and risks.
• Achieve objectives while optimizing risk profile and protecting value.
• Operate within legal, contractual, internal, social, and ethical boundaries.
• Provide relevant, reliable, and timely information to appropriate stakeholders.
• Enable the measurement of the performance and effectiveness of the system.”

GRC Sources…
• King III
• UK Corporate Governance Code
• COSO
• IIA Standards
• OCEG
• RIMS
• ISO
• Malaysia, Singapore
• Australia
• Japan
• Consulting firms
• Many Others

King III - New Requirements
• The need for an annual integrated report that focuses on the impact of the organization in the economic, environmental and social spheres
• A statement by the audit committee to the board and shareholders on the effectiveness of internal financial controls to be included in the integrated report
• The consideration of the strategic role of IT and its importance from a governance perspective
• The positioning of internal audit as a strategic function that conducts a risk-based internal audit and provides a written assessment of the company’s system of internal control, including internal financial controls
• The governance of risk through formal risk management processes.

Key Principles of King III
• Good governance is essentially about effective leadership. Leaders need to define strategy, provide direction and establish the ethics and values that will influence and guide practices and behavior with regard to sustainability performance.
• Sustainability is now the primary moral and economic imperative and it is one of the most important sources of both opportunities and risks for businesses. Nature, society, and business are interconnected in complex ways that need to be understood by decision makers. Incremental changes towards sustainability are not sufficient – we need a fundamental shift in the way companies and directors act and organize themselves.

King III Principles, Cont’d
• Innovation, fairness, and collaboration are key aspects of any transition to sustainability – innovation provides new ways of doing things, including profitable responses to sustainability.
Fairness is vital because social injustice is unsustainable and collaboration is often a prerequisite for large-scale change.
• Social transformation and redress is important and needs to be integrated within the broader transition to sustainability. Integrating sustainability and social transformation in a strategic and coherent manner will give rise to greater opportunities, efficiencies, and benefits, for both the company and society.

Governance and the Code (UK)
1. The purpose of corporate governance is to facilitate effective, entrepreneurial and prudent management that can deliver the long-term success of the company.
2. The first version of the UK Corporate Governance Code (the Code) was produced in 1992 by the Cadbury Committee. Its paragraph 2.5 is still the classic definition of the context of the Code:

Corporate governance is the system by which companies are directed and controlled. Boards of directors are responsible for the governance of their companies. The shareholders’ role in governance is to appoint the directors and the auditors and to satisfy themselves that an appropriate governance structure is in place. The responsibilities of the board include setting the company’s strategic aims, providing the leadership to put them into effect, supervising the management of the business and reporting to shareholders on their stewardship. The board’s actions are subject to laws, regulations and the shareholders in general meeting.

3. Corporate governance is therefore about what the board of a company does and how it sets the values of the company. It is to be distinguished from the day-to-day operational management of the company by full-time executives.
4. The Code is a guide to a number of key components of effective board practice. It is based on the underlying principles of all good governance: accountability, transparency, probity and focus on the sustainable success of an entity over the longer term.
5. The Code has been enduring, but it is not immutable. Its fitness for purpose in a permanently changing economic and social business environment requires its evaluation at appropriate intervals.
6. The new Code applies to accounting periods beginning on or after 1 October 2014 and applies to all companies with a Premium listing of equity shares regardless of whether they are incorporated in the UK or elsewhere.

GRC Management Platforms…
• Enterprise GRC Platforms with IT GRC Capabilities and Clients: Agiliance, Aruvio, Bwise, CURA, DoubleCheck, IBM Open Pages, LockPath, LogicManager, MEGA, MetricStream, Modulo, ProcessUnity, ProcessGene, Protiviti
• Pure Play IT GRC: Allgress, Blackthorn, Brinqa, C2C Smart Compliance, Citicus, Commugen, Continuity Logic, Maclear GRC, MetaCompliance, RiskWatch, ServiceNow, TraceSecurity, TRUSTe, UCF, XACGTA (note some of these players have unique focuses and may not fit perfectly into the platform definition)
• And More… Resolver, RSA Archer, Rsam, SAI Global, SAP, Thomson Reuters, Wolters Kluwer, Wynyard Group, Xactium

What’s New…
• The 3rd Party Management segment of the GRC market is the hottest and fastest growing segment. This is the segment that looks at solutions (and content such as databases) to help govern, manage risk and compliance, and the overall lifecycle of 3rd party relationships. Relationships span areas of suppliers, vendors, outsourcers, service providers, contractors, consultants, agents, temporary workers and more.
COSO and GRC…

Mission
COSO’s Mission is “To provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.”

COSO’s Fundamental Principle
Good risk management and internal control are necessary for long term success of all organizations.

COSO is more than Internal Control…
• Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
• Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

COSO Releases New Thought Leadership Paper Demonstrating How Frameworks Improve Organizational Performance and Governance
ALTAMONTE SPRINGS, Fla., Feb. 10, 2014: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) announced today the release of a new thought paper, Improving Organizational Performance and Governance: How the COSO Frameworks Can Help, developed to illustrate how the enterprise risk management (ERM) and internal control frameworks can contribute to enhancing organizational performance and governance for sustainable success.
http://www.coso.org/

Management and Governance Processes
Governance: Starts with the organization’s vision and mission and consists of the oversight from the board across the enterprise’s planning and operations.
Strategy Setting: Is the process by which management articulates a high level plan for achieving goals consistent with mission.
[Diagram of the management cycle: Business Planning, Execution, Monitoring, Adapting, annotated with the Plan, Do, Study, Act steps]

Relating Frameworks and Business Model
[Diagram]
• Internal Control – Integrated Framework: Deals with alternate risk reduction
• Enterprise Risk Management – Integrated Framework: Focuses on Strategic Objectives; deals with alternate risk responses (risk avoidance, acceptance, sharing, and reduction)
• Contextual Business Model

Update articulates principles of effective internal control
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Compliance “Concepts”
• Laws, rules, standards and regulations establish minimum standards of conduct
• Compliance objectives are established
• Management considers acceptable level of variation
• Many laws and regulations depend on external factors, geography and industry - and at times, size

The Challenge and The Opportunity

“That fact of life for compliance executives means that for them to succeed, they should master the art of working with and leveraging resources in other functions (legal, IT, HR, and internal audit) to achieve compliance goals, and they should continuously communicate to management and the board that a strong compliance function is a valuable strategic asset that not only focuses on risk avoidance, but also looks to find ways to gain strategic advantage from intelligently managing risk.”
Source: Compliance Trends 2013, Deloitte and Compliance Week

Battling Your GRC Demons: Solving The Top 5 Concerns of Compliance Professionals
• Making Compliance a Concern for Leadership and Securing a Seat at the Table
• Employee Engagement - Keeping Ethics Top of Mind
• Driving a “Speak-up” Culture and Overcoming a “Speak-not” Culture
• Managing Potential Risk of Doing Business with Your Partners and Vendors - Third-Party Risk
• Globalizing and Socializing Compliance - Dealing with a Wide-open World
Source: The Network, Integrated GRC Solutions

Protiviti’s Future Auditor…
• Positioned to be objective
• Vested with a direct reporting line to the board
• Establishes relevance by understanding the organization’s business objectives and strategy and identifying related risks
• Creates value by making recommendations to strengthen the effectiveness of governance, risk management and internal control processes
• Uses a lines-of-defense perspective to ensure that risk management and internal control are effective
• Articulates the value a risk-based audit plan contributes to the organization, providing an assurance perspective the board and executive management can understand
• Maximizes use of technology to achieve efficiencies and maximize coverage
• Possesses escalation authority and proactively exercises that authority

Ways to Add Value…
1. Think more strategically when analyzing risk and framing audit plans
2. Provide early warning on emerging risk
3. Broaden the focus on operations, compliance and nonfinancial reporting issues
4. Strengthen the lines of defense that make risk management work
5. Improve information for decision-making across the organization
6. Watch for signs of a deteriorating risk culture

Adding Value, cont’d
7. Expand the emphasis on assurance through effective communication with management and the board
8. Collaborate more effectively with other independent functions on managing risk and compliance
9. Leverage technology-enabled auditing
10. Improve the control structure, including the use of automated controls
11. Advise on improving and streamlining compliance management
12. Remain vigilant with respect to fraud

The Challenge…
[Diagram with the labels Governance, Audit, Risk, Compliance, Other]

The Opportunity…

The Goal?
“We could not function without our GRC program. Our team pulls it all together. They coordinate, consolidate and know their stuff. They challenge us AND they help us. As a result, we have become a better employer and a more effective and successful organization. We know, communicate and meet our objectives more of the time, know how to measure, change course when needed and realize this is a journey that may never be finished.”

Practical Advice
• START THE DISCUSSION!
• “Head North”
• “Find” GRC in your organization
• Learn more from others and outside sources
• Determine if it’s worth the effort
• Leverage activity of others
• Consider how to leverage technology
• Define value and measure it

Proposed Enhancements to The Institute of Internal Auditors International Professional Practices Framework (IPPF), August 4, 2014
NOTICE: Comment Period ends November 3, 2014.

Thank You!

Extra slides for reference

Principle 2 - Points of Focus
• Establishes oversight responsibilities
• Applies relevant expertise
• Operates independently
• Provides oversight to the system of internal control

Principle 3 - Points of Focus
• Considers all structures of the entity
• Establishes reporting lines
• Defines, assigns and limits authorities and responsibilities

Principle 7 - Points of Focus
• Includes entity, subsidiary, division, operating unit and functional levels
• Analyzes internal and external factors
• Involves appropriate levels of management
• Estimates significance of risks identified
• Determines how to respond to risks

Six Attributes of Contextual Business Model
1. Governance
• Providing oversight / authoritative direction / control
• Allocating power among the board, management and shareholders*
• The board ensures accountability, fairness and transparency in the organization’s relationships with its various stakeholders
* Governance, Risk Management and Compliance, Richard M. Steinberg, John Wiley & Sons, Inc., page 2

2. Strategy Setting
• Providing a high level plan for what the organization seeks to achieve over the planning horizon
• Presented in the form of overall goals, initiatives and tactics
• Articulates what the organization seeks to achieve through its:
  – Overall direction
  – Environmental scan
  – Differentiating capabilities
  – Infrastructure needed to deliver the differentiating capabilities

3. Business Planning
• Initiates the management cycle for delivering the strategy
• Links strategic planning, risk mitigation, budgeting, forecasting, and resource allocation
• Breaks down corporate strategy into achievable plans, with financial and operational targets to establish accountability for results
• Aligns business objectives, key metrics, plans and budgets across the organization down to the level of greatest achievability and accountability

Management & Governance: ERM Components – Business Model
[Diagram mapping ERM components onto the business model: Governance, Strategy Setting, Business Planning, Execution, Monitoring, Adapting]

Management & Governance: Internal Control Components – Business Model
[Diagram mapping internal control components onto the same business model: Governance, Strategy Setting, Business Planning, Execution, Monitoring, Adapting]

Update considers changes in business and operating environments…
Environmental changes...
…have driven Framework updates:
• Expectations for governance oversight
• Globalization of markets and operations
• Changes and greater complexity in business
• Demands and complexities in laws, rules, regulations, and standards
• Expectations for competencies and accountabilities
• Use of, and reliance on, evolving technologies
• Expectations relating to preventing and detecting fraud

COSO Cube (2013 Edition)
[Figure: the COSO Cube, 2013 Edition]

Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into place.

Principle 11 - Points of Focus
• Determines dependency between the use of technology in business processes and technology general controls
• Establishes relevant:
  – technology infrastructure control activities
  – security management process control activities
  – technology acquisition, development and maintenance control activities

Outsourcing Alternative (page 23)
“…While in principle, the same considerations apply whether controls are performed internally or by an outsourced service provider, outsourcing presents unique risks and often requires selecting and developing additional controls over the completeness, accuracy, validity of information submitted to and received from the outsourced service provider.”

Information & Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Principle 13 - Points of Focus
• Identifies information requirements
• Captures internal and external sources of data
• Processes relevant data into information
• Maintains quality throughout processing
• Considers costs and benefits

Why Two?
Internal Control – Integrated Framework and Enterprise Risk Management – Integrated Framework

All Organizations are Unique…
• Different maturity levels
• No ERM but need controls
• Have to report on controls and need a framework
• Are starting ERM, controls are mature
• ERM and internal control are closely linked
• ERM is a separate activity
• Have to report on ERM and need a framework
• And other distinctions…
ALL CAN USE COSO MATERIALS FOR ADDING VALUE

Update on Transition to COSO 2013…

A Specific-Purpose Perspective
THE SARBANES-OXLEY ACT OF 2002

Getting COSO Publications
The updated Framework and related illustrative documents are available in 3 layouts:
1. E-book – This layout is ideally suited for those wanting access in electronic format for tablet use. An e-book reader from the AICPA is required to view this layout. Printing is restricted in this layout.
• Purchase through www.cpa2biz.com
2. Paper-bound – This layout is ideally suited for those wanting a hard copy.
• Purchase through www.cpa2biz.com
3. PDF – This layout is ideally suited for organizations interested in licensing multiple copies.
• Contact the AICPA at [email protected]