COSO Compliance's Impact on the Tech Sector

Transcription

COSO Compliance's Impact on the Tech Sector
August 21, 2013
Thank You Sponsors
MODERATOR
Scott McKay
Partner & Practice Leader – Risk Advisory Services
- Certifications – CPA, CFE, CIA, CCSA
- Past Roles
  - Cree – Corporate Controller and Director Corporate Audit
  - McGladrey – Audit and Risk Advisory Manager, focusing on large public and private clients in the manufacturing, distribution, construction and gaming industries, along with some government and university experience.
- Speaking Engagements
  - AICPA Internal Control Task Force
  - AICPA Business and Industry Conference – Risk Management and Internal Control Advisory Panel
  - AICPA National CFO Conference – 2010 in Los Angeles
  - AICPA Corporate Directors Conference – 2010 in New York
  - Institute of Internal Auditors (IIA) Raleigh Chapter – Chief Audit Executive Roundtables
  - North Carolina State University (NCSU) – ERM Post Graduate Lecturer
Risk Management vs. Compliance

Rule Book Approach – Risk management and control maturity are often driven by regulatory compliance. However, being reactive to regulation provides the wrong motive to manage risk and leads to what we call "over-control" and wasted resources: people don't "buy in" and it's not sustainable.

Wake up Morning! – Long-term success is predicated on behavior change. Time spent helping people clearly see the risks to achieving objectives leads to better-designed controls, management "buy in" and sustainable processes. When risk management makes sense, one of the de facto byproducts is regulatory compliance.
Cherry Bekaert's Definition of Risk
Probability of missing opportunities and objectives or committing errors due to:
- Unseen Risk
- Unmanaged Risk
- Failed Controls
Growth, Risk, & Constraints
- Growth – the problem we all want to have, but it puts stress on most organizations' systems of internal controls.
- #1 Risk Management Strategy – Controls
- Theory of Constraints….
- Insight – COSO is the emerging criteria that can be either a burden or an opportunity in enabling the Organization's growth.
COSO ~ What It Is…and Is Not
- COSO is not a regulation, mandate or compliance standard.
- COSO is the underlying criteria used by many to meet regulatory requirements and internal control standards (e.g. SOX, JSOX, ISOX, and SOC Reports).
- 1985-1992: Framework focused on fraudulent financial reporting.
- 2002: Advent of SOX ~ COSO results in de facto standard criteria.
COSO 2013 Highlights
Significant Increased Focus on Technology
- COSO "Principles" (17)
  - Specifies suitable objectives
  - Identifies and analyzes risk
  - Assesses fraud risk
  - Identifies and analyzes significant change
  - Selects and develops general controls over technology
- Expanded Relationships and Globalization
- Transition period up to December 2014
WHY SHOULD I CARE?
- Dealing with the public sector, public companies or considering going public?
- Meeting regulatory requirements (e.g. SOX) and still using a "check-the-box" approach?
- Consider doing a gap assessment against the 17 COSO Principles.
- If you are providing or receiving hosted services or SaaS solutions.
- If you are a mid-sized or smaller private technology company with fewer than 150 FTEs.
Panelist Introductions
PANELIST
Rick Chilton
Director & CISO
Blue Cross and Blue Shield of North Carolina
- North Carolina's largest health insurer
- 3.7 million members
- 26,000 in-network providers
- 4,000 employees
- $5.7 billion revenue (2012)
- Founded in 1933
Rick Chilton – CISO
- 20 years of technology experience
- Certified in Risk and Information Systems Control (CRISC)
- Certified Information Systems Security Professional (CISSP)
- Vulnerability assessment, risk mitigation, security engineering, security architecture, and compliance.
PANELIST
Matt Cleaver
Sr. Director of Financial Planning
Matt Cleaver, CPA
- Senior Director Financial Planning and Analysis at Extreme Networks
- 14 Years Experience in Internal and External Audit and Corporate Finance across many industries including Bio Tech, Hi-Tech Manufacturing and Financial Services
© 2012 Extreme Networks, Inc. All rights reserved.
Extreme Networks - Leading Technology Innovator
- Global, publicly traded company headquartered in San Jose, CA
- Market leader in Ethernet Networking: >30M ports shipped
- Focused on campus, data center, and mobile carrier markets
- Largest office located in Morrisville, NC

Innovation timeline, 1996 to 2013 (milestones from the slide graphic, order as extracted):
- Price/Performance Leadership
- Pioneer PacketRing Technology
- First On-Switch Programmability
- First to Market with 40G
- First Cost Effective Cloud Scale 100G
- Pioneer Layer 2/3 Ethernet Switching
- Pioneer Ethernet Quality of Service
- Modular OS: ExtremeXOS®
- First Virtualization-Aware Network
Highest-Density, Lowest Latency, Lowest Power
Data Center Cost Savings
Solution Benefits: High Density and Price/Performance

Customer examples:
- (US) National Center for Supercomputing Applications
- Academia Sinica research institution (Taiwan)

Challenge: Density, performance, High Availability
Solution: BlackDiamond X8
Benefits: "Only switch that had adequate port density for this many high-speed connections with oversubscription"

Challenge: Reliable network for High Performance Computing
Solution: BlackDiamond 8810
Benefits: "Accomplishes both our price-performance requirements and our investment protection goals"
© 2013 Extreme Networks, Inc. All rights reserved.
PANELIST
Greg Wehn
Risk & Assurance Manager
Greg Wehn
Risk & Security Manager
Administration, Security, and Risk Manager – Compliance Implementation Services
- ~$35M in revenue as an outsourcing and professional services company for the pharmaceutical industry.
- Industry leader in government programs and pricing outsourcing.
- First outsourced firm to achieve SSAE16 SOC1.
Financial and IT Audit Senior – Various Firms
- 8 years of Big 4 and Top Regional Firm experience. Specialized in the healthcare and financial industries as well as SAS70 engagements.
- Served large public and private clients in manufacturing, financial services, government, and higher education.
Affiliations
- Pittsburgh Technology Council – SMB Compliance Roundtable Sponsor
- Pittsburgh Technology Council – SSAE 16 and AS5 Update
- Member – ISACA RTP Chapter
Managed Services
Managed IT Services – a la carte or bundled based on client needs:
- Managed Security Services (my role oversees this portion of the contracts)
- End User Services
- Managed Data Center
- Desktop Managed Services
- Service/Help Desk and Call Centers
- Technical and Maintenance Services
Managed Security Services
- Enterprise Access Controls – Enterprise Logical Access Execution
- Cyber Security Management
- Network Security and Monitoring
- Audit and compliance support services
Discussion
Does this apply to you or your company? Do you:
- Provide audited or reviewed financial statements?
- Use cloud-based or outsourced service vendors to support your organization?
- Provide hosted or SaaS solutions to your customers?
Discussion
Talk about your company's risk management strategy and the compliance framework (COSO, COBIT, ISO, etc.) you utilize.
Discussion
Do you feel that regulation tends to drive control maturity, or more of a business risk approach?
Discussion
When considering a vendor for hosted solutions or SaaS services, what assurances or reporting do you require?
Discussion
When offering cloud-based services to your customers, risks like Business Interruption, Information Security and Information Management Risk are considered. How do you prioritize these based on your customers, and how are the frameworks helping you manage that risk?
Discussion
As a look ahead, do you think we need to increase or decrease the standards over technology services and solutions?
Tech Demo
Hard Drive Destruction Demo
Securely dispose of 5 HDs for FREE!
THANK YOU
nctechnology.org
PLEASE RECYCLE YOUR NAME BADGES