Governance, Risk & Compliance (GRC) – Vendor Landscape and Implementation Considerations
Sean Winekauf – Director
Enterprise Risk Management & Governance, Risk & Compliance, KPMG
04/07/15
© 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
Agenda
• What is GRC?
• GRC Marketplace today
• GRC Software Vendors
• Why GRC?
• Areas of Organizations that benefit from integrated GRC
• Tangible and intangible benefits
• Roles of technology
• Technology selection – do's and don'ts
• Closer look at Internal Audit
• Lessons learned
• How KPMG is helping clients
• Q&A
What is GRC?
KPMG's Definition: "An approach to align the organization's governance, risk and compliance processes to its strategy, allowing for convergence and transparency of information to drive performance and resilience in a dynamic economic business environment."
What is going on in the GRC Software Market?
• Jamie Dimon, Chairman and CEO, J.P. Morgan Chase & Co., 2014 Annual Letter to Shareholders: "$2B+ in additional expenses in our overall control effort will have been made since 2012 through the end of 2014"
• 54% of compliance officers at public companies expect a spending increase in compliance and ethics in 2014 (Source: Thomson Reuters)
Software GRC Market Outlook (Source: IDC)
GRC Market Size ($B): 2010 $19.4; 2011 $23.0; 2012 $27.8; 2013 $32.1; 2014 $34.5 (CAGR ~16%)
Software GRC Growth (Source: Competitive Enterprise Institute, Thomson Reuters)
• GRC market growth will accelerate as regulations and technology environments grow more complex
• The software GRC market is expected to grow from $19.3B (2010) to ~$34.5B (2014)
Current GRC Spend – Survey results
2013 Compliance Executive Survey Results: 800 compliance practitioners, including heads of compliance and chief executives, were surveyed. Expectations for the next 12 months (Less than Today / Same as Today / More than Today):
• Regulatory focus on managing regulatory risk: 2% / 18% / 80% – 80% of compliance professionals expect it to be more than today
• Compliance team budget: 6% / 27% / 67% – 67% of compliance professionals expect it to be more than today
• Cost of senior compliance staff: 3% / 30% / 67% – 67% of compliance professionals expect it to be more than today
Annual Cost of Federal Regulation: the estimated compliance and economic cost burden of federal regulation and oversight in 2012 was $1.8T
Source: Competitive Enterprise Institute, Thomson Reuters.
GRC – What we are seeing in the Marketplace today
• Increased regulations and a more rigorous compliance environment
• Siloed approaches in responding to these requirements, leading to duplication of functions and multi-layered Governance, Risk and Compliance processes
• Board executives and senior management struggling to see the value generated by these activities; they view them as a cost of doing business rather than an investment to improve corporate performance
Company Characteristics:
– Relatively large in terms of employees or revenues
– Multiple divisions/SBUs
– Present in highly-regulated industries or markets
– Have acquired or are in the process of acquiring businesses within or across regions
– Present in several regions/countries and therefore need to comply with regulations across all the regions
– Do not have a clear owner for GRC across the firm
GRC Software Vendors
Forrester Wave 2014 (vendor positioning chart not reproduced in this transcript)
Why GRC?
• Consolidated and real-time reporting of cross-functional risks and issues
• Single view of controls across the organization
• Increased accountability for risks, controls, and issues
• Automation of control testing workflow
• Automation of 302 certification (SOX Section 302)
What drives Corporate Directions in Governance, Risk and Compliance?
(Diagram: current state)
• Business Units: BU, BU, BU, BU, BU, BU
• Oversight functions: Risk Management, Internal Audit, Finance and Treasury Department, Legal Department, Human Resources, Compliance
• Stakeholders – Internal: Board/Committees, Executive / Senior Management; External: Shareholder, Auditor, Regulator, Rating Agencies
• Flow: Business and risk management information → Data capture and analysis → Reporting & Disclosure process (inefficiencies at each step)
Increasing regulatory requirements have resulted in complex business and risk management processes
Why GRC? >> What does a GRC enabled Organization look like?
Desired State (diagram)
• Dimensions: Legal Entities, Geographical Regions, Technology
• Business functions: Audit, Product Development, IT, Legal and Regulatory, Human Resources, Shared Services and Support, Finance, Operations, Sales and Marketing
• Assurance layers: Business and Controls, ERM, Compliance, Internal Audit, Other Assurance Groups
• eGRC Foundation Transformation
• Business and Risk Management Information flows to stakeholders – Internal: Board/Committees, Executive/Senior Management; External: Stakeholders, Auditor, Regulator, Rating Agency
• Outputs: Control Reports, ERM Reports, Compliance Reports, Audit Reports, Issue Management Reports (Open Issues, Past Due Issues, Closed Issues), Quarterly Deficiency, SOX Reporting, Quarterly Assessment, Firm CRMP, Audit Plan, Audit Committee, External Audit Report
What areas of an Organization can benefit from an integrated GRC program?
SOX
• Control Testing (test of design, test of operating effectiveness)
• Control test scheduling
• Link controls to risks, control objective, assertion
• 302 certification survey
• Testing documentation storage
• Deficiency Management
Internal Audit
• Annual Audit Planning
• Audit Planning & Risk Assessment
• Audit Resource & Scheduling Management
• Audit fieldwork execution (Controls Test of Design, Test of Operating Effectiveness)
• Audit Reporting
• Audit Finding Remediation Management
Compliance
• Compliance Test Scheduling
• Compliance Risk Assessment
• Control testing (test of design, test of operating effectiveness)
• Management of policies
• Exception / Issue Management
Risk / ERM
• Risk Assessment
• Risk Scoring
• Risk Reporting and Dashboards
• Storage of risk data
Benefits of an Enterprise GRC Program
Across the marketplace, we see Enterprise GRC initiatives enable companies to manage risk and compliance activities more effectively and in an aligned manner. Establishing a common language and converging multiple, independent risk and compliance initiatives into an integrated approach can result in many intangible and tangible benefits. We have highlighted some benefits below:
Benefits:
• Potential reduction in overall risk and compliance management effort due to integrated eGRC activities
– Dashboarding providing executives their risk profile across value chain and risk category
• Improved gap detection and mitigation through automation of remediation plans and deficiency analysis
• Efficiencies as a result of automation of eGRC activities
– Scoping at the account level, creating a linkage between account and control
– Testing workflow
– 302 certification automation
• Business process controls optimization due to integration and automation
• Increased accountability, helping embed risk management into BAU activities instead of making it a check-the-box exercise
eGRC Convergence – benefit areas: Improved Gap Detection and Mitigation; Reduced Risk Assessment Effort; Reduced Compliance Effort; Optimized Business Processes; Automated Security Controls Monitoring; Rationalized IT Systems and Support; Improved Reporting; Reduced Risk of Penalties and Fines Due to Noncompliance; Reduced Operating Risk
How does Technology enable an integrated GRC program?
Scope of GRC solution sets (GRC Technology):
• Regulatory & Legal Insight: Regulatory News and Analysis, Legal and Business Research
• Internal Assurance: Internal Audit, Risk Management, Internal Controls, Policy Management
• Corporate Governance: Regulatory Disclosure, ICFR Certification, Board Management
Solution types: Business Law Solutions; Board Solutions; Disclosure Solutions; Due Diligence Solutions; Regulatory Intelligence Solutions; Training Solutions; Screening Solutions; Policy Management Solutions; Internal Audit Solutions; Risk Management Solutions; Internal Controls Solutions; Enterprise GRC Solutions
• Move away from those old spreadsheets
• Have the necessary information pushed to you
• Technology facilitates dynamic GRC connections
• Empower the broader GRC community with proactive insight
What to look for when selecting a GRC tool
• Allow sufficient time for the process
• Look to the future as well as the past
• Understand the business needs and relevant requirements before judging the quality of competing package solutions
• Consider the relative priorities and importance of the different aspects, in particular which ones are critical to the success of the chosen solution
• Avoid selecting individual departmental solutions
• Narrow down the number of suppliers to evaluate in detail
• Put the organization's needs and requirements in writing so that the package supplier is obliged to state (in writing) whether and how the package can meet those needs
• Seek independent views from users of the packaged solutions
• Balance the size of the solution with the size of the problem, i.e. accept minor shortcomings if the organization can achieve better overall business benefits
• Bear in mind that the supplier is potentially going to be a permanent partner in the business solution
Cautions and pitfalls of GRC tool selection process
• Window shopping: selecting a package based on recommendation or looks alone
• Sending large Requests for Proposal to every possible supplier – instead use simple, key criteria to identify the most probable candidates
• Classing everything as 'mandatory'
• Just asking the salesman if the requirements can be met
• Letting different team members follow different packages – there will be inconsistencies
• Relying upon the supplier to identify references
• Just going to the supplier's standard demonstration
• Automatically taking the highest scoring solution
Audit Lifecycle: Key Internal Audit Areas
KPMG views these as key areas across industries in the Internal Audit Lifecycle:
• Audit Universe
• Resource Management
• Time Management
• Board Reporting and Quality Metrics
Inputs to the lifecycle: External Audit, Regulations, Internal policies, Internal Assurance functions
Setting your Internal Audit Foundation Using GRC Concepts
Risk Profile
• Perform a Risk Assessment that aligns with ERM and the Company's strategic objectives (ensure it is in line with the 1st and 2nd lines of defense)
• Consider building out a Continuous Risk Assessment Program to gain efficiencies and increase scope of coverage
• Use a single Risk Taxonomy throughout the Company
• Position Internal Audit to focus on the riskiest areas and add the greatest amount of value to the Company
Governance, Infrastructure and Organization
• Develop an Internal Audit Methodology and Audit Approach (e.g. end-to-end process reviews) tailored to the needs of the Company
• Determine a governance structure and set up lines of communication to Senior Leadership and the Audit Committee, including escalation procedures
• Consider efficient audit techniques (e.g. Data Analytics and KPIs)
• Consider use of technology to automate and streamline the audit process (e.g. GRC systems)
Culture
• Develop Internal Audit's mandate to meet stakeholder expectations and position IA as a value-added function
• Set and communicate expectations (e.g. timelines and responsibilities) with Management early in the process
• Maintain lines of communication throughout the life cycle of the audit process to keep Management engaged and aware of progress
Enterprise Assurance
• Understand and leverage monitoring/testing/assurance activities within the 1st and 2nd lines of defense
• Align testing efforts with the 2nd line of defense to avoid duplicate efforts and gain efficiencies
• Integrate reporting with the 2nd line of defense to Senior Leadership, Board of Directors and Audit Committee
• Develop an Issue Resolution Tracking process to ensure findings are remediated in a timely manner
GRC, Internal Audit and Enterprise Assurance
GRC Foundational Elements: Stakeholder Requirements; Risk Definition and Taxonomy; Risk Identification; Risk Appetite and Tolerance; Linkage to Strategic Objectives; Risk Assessment and Prioritization
Risk-based Internal Audit Methodology:
• Risk Assessment & Internal Audit Plan – Risk Assessment, Risk Evaluation, Risk Qualification & Measurement, Top Risk Selection, Input/Refresh IA Plan
• Continuous Risk Assessment – Prioritization Criteria review for CRA, Data Collection, Data Transfer, Automated Analysis, Advanced Analytics, Gather and Analyze Information, Detailed Risk Review / SAR Comparison, KPI / KRI Metric Analysis and Selection, Evaluate, Interpret and Report results, Value Add Insights, Updates, Reporting
Key questions:
• What should we focus our audit efforts on? – Risk Assessment & Internal Audit Plan
• How do we keep risk information current? – Continuous Risk Assessment
• What approach or techniques should we use to audit? – Value Added Specialists & end-to-end process reviews; Performance Audits; Data analytics, continuous auditing & monitoring
• How do I enable efficient workflow, data storage and real-time reporting? – Implement GRC technology to enable Risk Assessment, Audit workflow, data repository and reporting
• Understanding of and alignment with other assurance efforts – SOX, Compliance, Quality, Safety, Environmental Groups; Review Assurance Mapping
Internal Audit Point Solutions
Some key questions to consider when selecting an Internal Audit tool:
• Business Process Adaptation: Does the tool support YOUR business processes? What level of configuration and customization is going to be required?
• Flexibility: How flexible is the tool to meet your needs? Conversely, how flexible are your processes to adapt to tool limitations?
• The Vision: Does your long-term vision look at process efficiencies, integration, cost effectiveness and a horizontal view of risk across the Organization?
• Time to Implement: What is driving the timeline for implementation? Strategic initiatives, regulatory requirements, expired licenses for current tools?
• Cost: What are the budget constraints, given the short-term and long-term vision for implementation of the tool?
Key Point (GRC): Consider an Internal Audit software tool that allows for integration with the technology that supports other risk and compliance functions within your organization, to support a long-term vision of a horizontal view of risk across your Organization
Internal Audit Tools - Key Considerations and Benefits
Function | Key Considerations for Internal Audit Technology | Benefits
Enterprise Wide Foundational Elements / Core Data | Support of common structure and language for: Organizational Structure, Process Hierarchy, Risk Hierarchy, Control Hierarchy, Issue Classifications | Horizontal view of risks and issues across the organization empowers Management to make informed decisions
Audit Universe and Risk Assessment | Ability to capture and standardize criteria for risk assessments, audit planning (annual, audits and special projects) and creation of key documentation | Effective risk assessment process and set-up of audit universe
Audit Planning | Supports individual audit risk assessment, planning tools (identification of risks and controls), definition of scope/objective of audit, meetings and capturing planning approvals | Aligns schedule, anticipated scope, and risk assessment
Audit Execution | Assignment of audit procedures, testing and documentation of controls, walkthroughs, storage of testing evidence, review/approval process and issue identification | Streamlines and organizes the audit process; provides a clear picture of the review status
Audit Reporting | Generate status reports (including graphical representation) on a variety of topics/criteria | Ability to create a valid depiction of the audit status
Issue Management & Remediation | Tracking of issues and action plans through to resolution, ownership of issues, status of issue remediation activities, and retesting by internal audit | Used to track, schedule testing, and evaluate overall company status in regards to open/closed findings
Board Reporting & Quality Metrics | Annual Audit Plan Status, Tracking of Audit open Issues, IA Performance Scorecard | Ability to provide snapshot reports as to the progress and effectiveness of the Internal Audit Group
Resourcing Management | Management of resources within the IA group, allocating resources to projects/audits based on other projects/audits, time off/conflicts, skills, and certifications | Capability to ensure the utilization and capabilities of auditors are being met
Time Management | Tracking of time and expenses for each audit or special project | Provides a snapshot of the overall budget
Internal Audit Technology – What should you be looking for?
Recommended Internal Audit Technology Capabilities, by Internal Audit Lifecycle stage (cross-cutting: Security, Search Functions, Audit Trail, System Integration)
Planning & Scoping
• Support of audit charter, vision and strategies
• Develop or adopt a risk framework (COSO)
• Capturing and assessment of the most significant risks to achieving the objectives and opportunities
• Systematic and structured way of aligning an organization's approach to risk with its strategy
• Identification of future growth opportunities and strategic objectives for the business context (e.g. facilitated sessions or surveys)
• Standard checklists for planning, post-audit and other standard activities
• Attach pre-defined templates, copy prior audits
• Link to historical data to understand entity, environment, previous audits
Audit Universe & Risk Assessment
• Configuration of risk assessment factors, weights, risk scores
• Assess material risk, link to SOX, materiality thresholds, account balance info from G/L
• Assign the "scope" of each business process, risk, and control to identify whether applicable to Audit, Compliance, ERM, IT etc.
• Capture of attributes – dates, stakeholders, assertions, fraud scenarios, inherent/residual risk etc.
• Change a risk assessment, as well as show changes year over year
• Capture, develop and maintain risk register, risk and controls matrix
• Ability to capture and link org, processes, risks
Execution & Fieldwork
• Capture test scripts, test results
• Attach evidence and supporting documents; work paper repository
• Process, risk, control, issue, owners, date info
• Creation of issues from failed tests
• Automated alerts for items in tasks, outstanding due dates and reporting
• Workflow management for each audit-related "document", including audit, audit program, checklists, audit process, audit risks, audit controls, and audit work papers
Issue Mgmt. & Reporting
• Hyperlinks within reports to forms, enabling users to edit information in real time
• Automated out-of-the-box reports (e.g. SAD, Audit Committee)
• Creation of a risk summary report that describes key risks, how they are being managed and monitored, remediation of key issues, and accountability
• Report on KPIs and KRIs
• Document and link issues and attributes (e.g. process, control, owner, dates)
• Drill-down reports for metrics (e.g. open issues, completed audits, outstanding tasks)
• Provide business areas with a comprehensive view of all of their issues reported by Internal Audit
• Export to PDF, XLS etc.
Resource Mgmt.
• Retention and reporting of characteristics of audit personnel such as job classification, certifications, background information, special skill sets, and training completed and planned
• Link to official repository of contractor information
• Store charge rates
Time Management
• Staff time tracking capability, including audit and non-audit hours – charge time by day and task
• Define & maintain time tracking codes
• Track time and expenses against contingent worker contract
• Close out time periods to prevent auditors from charging additional time, while allowing the administrator to re-open a period
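Several capabilities in the lists above (configurable risk-assessment factors and weights, a risk register and risk-and-controls matrix, issues created from failed tests, and open/past-due/closed issue reporting) and the many-to-many process/risk/control model mentioned in the vendor section are easier to reason about as a concrete data model. The Python below is an added example written for this page, not code from KPMG or from any of the vendors discussed. Every name, rating, owner, date and the 30-day remediation window is a constructed assumption; the scoring formula (weighted sum of factor ratings) is one common choice, not the deck's prescribed method.

```python
"""Added example: a miniature internal-audit GRC data model (constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

REPORT_DATE = date(2015, 4, 7)  # assumed "as of" date for the issue report

@dataclass
class Risk:
    risk_id: str
    process: str
    factors: Dict[str, int]   # factor name -> rating on an assumed 1..5 scale

@dataclass
class Control:
    control_id: str
    owner: str
    risk_ids: List[str]       # many-to-many: one control may mitigate several risks

@dataclass
class Issue:
    control_id: str
    opened: date
    due: date
    closed: Optional[date] = None

class RiskRegister:
    """Risk register and risk-and-controls matrix with test-driven issue tracking."""

    def __init__(self, weights: Dict[str, float], remediation_days: int = 30):
        self.weights = weights                    # configurable factor weights
        self.remediation_days = remediation_days  # assumed SLA for fixing a failed control
        self.risks: Dict[str, Risk] = {}
        self.controls: Dict[str, Control] = {}
        self.issues: Dict[str, Issue] = {}

    def add_control(self, control: Control) -> None:
        unknown = [r for r in control.risk_ids if r not in self.risks]
        if unknown:  # refuse dangling links so the matrix stays referentially consistent
            raise ValueError(f"control {control.control_id} maps to unknown risks {unknown}")
        self.controls[control.control_id] = control

    def risk_score(self, risk_id: str) -> float:
        """Weighted inherent risk score: sum(weight * rating) over the configured factors."""
        risk = self.risks[risk_id]
        missing = sorted(set(risk.factors) - set(self.weights))
        if missing:
            raise ValueError(f"no weight configured for factors {missing}")
        return round(sum(self.weights[f] * r for f, r in risk.factors.items()), 2)

    def top_risks(self, n: int) -> List[str]:
        """Risk ids by score, highest first: where the audit plan should focus."""
        return sorted(self.risks, key=self.risk_score, reverse=True)[:n]

    def controls_for(self, risk_id: str) -> List[str]:
        return sorted(c.control_id for c in self.controls.values() if risk_id in c.risk_ids)

    def record_test(self, control_id: str, tested_on: date, passed: bool) -> Optional[str]:
        """Record a control test; a failure opens an issue with an assumed remediation SLA."""
        if passed:
            return None
        issue_id = f"I-{len(self.issues) + 1}"
        self.issues[issue_id] = Issue(control_id, tested_on,
                                      tested_on + timedelta(days=self.remediation_days))
        return issue_id

    def close_issue(self, issue_id: str, closed_on: date) -> None:
        self.issues[issue_id].closed = closed_on

    def issue_status(self, as_of: date = REPORT_DATE) -> Dict[str, int]:
        """Issue-management report counts; the three categories are mutually exclusive."""
        counts = {"open": 0, "past_due": 0, "closed": 0}
        for issue in self.issues.values():
            if issue.closed is not None and issue.closed <= as_of:
                counts["closed"] += 1
            elif issue.due < as_of:
                counts["past_due"] += 1
            else:
                counts["open"] += 1
        return counts

    def risks_with_open_issues(self, as_of: date = REPORT_DATE) -> List[str]:
        """Drill-down: risks whose mitigating controls have an unremediated failure."""
        hit = set()
        for issue in self.issues.values():
            if issue.closed is None or issue.closed > as_of:
                hit.update(self.controls[issue.control_id].risk_ids)
        return sorted(hit)

def build_sample_register() -> RiskRegister:
    """Constructed sample data: ratings, owners and dates are invented for illustration."""
    reg = RiskRegister(weights={"likelihood": 0.4, "impact": 0.4, "velocity": 0.2})
    reg.risks["R1"] = Risk("R1", "Accounts Payable", {"likelihood": 3, "impact": 5, "velocity": 4})  # 4.0
    reg.risks["R2"] = Risk("R2", "IT", {"likelihood": 4, "impact": 4, "velocity": 2})                # 3.6
    reg.risks["R3"] = Risk("R3", "Order to Cash", {"likelihood": 2, "impact": 3, "velocity": 1})     # 2.2
    reg.add_control(Control("C1", "AP Manager", ["R1"]))              # dual approval of payments
    reg.add_control(Control("C2", "IT Security Lead", ["R1", "R2"]))  # privileged access review
    reg.add_control(Control("C3", "Controller", ["R3"]))              # revenue cut-off reconciliation
    reg.record_test("C1", date(2015, 2, 10), passed=True)
    reg.record_test("C2", date(2015, 2, 15), passed=False)            # I-1, due 2015-03-17
    fixed = reg.record_test("C3", date(2015, 3, 20), passed=False)    # I-2, due 2015-04-19
    reg.close_issue(fixed, date(2015, 4, 1))
    reg.record_test("C1", date(2015, 4, 1), passed=False)             # I-3, due 2015-05-01
    return reg
```

Calling `build_sample_register()` and then `issue_status()` as of 2015-04-07 yields one open issue (I-3), one past-due issue (I-1) and one closed issue (I-2), and `risks_with_open_issues()` shows that R1 and R2 both still depend on a failed control, because C2 is mapped to both. The two `ValueError` checks are the kind of referential-integrity guard a real tool should enforce: a control that points at a risk not in the register, or a risk rated on a factor with no configured weight, would otherwise silently distort the scores that drive the audit plan.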
Vendor Landscape: Internal Audit Solutions – Key Differentiators & Highlights
[RSA Archer]
■ RSA's GRC & IA content includes pre-mapped policies, control standards, procedures, authoritative sources and assessment questions
■ Audit Management enables the identification and risk assessment of the audit universe. Work papers with configurable workflow are generated by the solution to allow audit staff to document the results of procedures associated with an audit project. Has email notifications and alerts
[MetricStream]
■ Built-in remediation workflows, time tracking, email-based notifications and alerts, risk assessment methodologies, and offline functionality for conducting internal audits at remote field sites
■ Structured process for managing audit work papers and documentation, including supporting evidence, findings, analysis, and results for each audit program. The tool provides approval workflow, check-in/check-out features, version control, document preparation workflows, comments, work paper organization, and search capabilities
■ Record qualitative or quantitative findings along with detailed observations and recommendations in predefined formats
■ Graphical executive dashboards and flexible reports with drill-down capability provide statistics on a variety of parameters such as audited entities, audit schedule and calendar, finding reports, and corrective and remediation actions triggered
[Nasdaq BWise]
■ Ability to capture and store audit data and results in logical folders, which are automatically created based on the audit work program/work papers
■ Offers a flexible data model, providing a way of relating elements of the audit framework in many-to-many relations between elements such as processes, risks, controls, control objectives, etc.
■ Automatically create multi-year audit plans based on audit rating, risk rating and cyclical audit frequency
■ Audit Analytics assisting in reducing data collection efforts with both standard and ad hoc analysis
■ Findings and Recommendations with configurable workflows to review and monitor on a one-time basis
■ Basic scheduling functionality
[Thomson Reuters]
■ Centralized data capture, risk assessment, reporting and documentation, similar to a SharePoint folder structure
■ Ability to share risks and risk assessments, audit findings, key risk areas and recommendations across the internal audit department and provide quantifiable evidence of compliance through real-time dashboards and reports. Workflow, notifications and resource scheduling are also key features
■ Flexible deployment options - on-premise perpetual license, on-demand or hosted perpetual license options mean that Accelus Audit Manager will fit into your current audit and risk processes, providing maximum benefit with minimum disruption
[IBM OpenPages]
■ Supports top-down and bottom-up approaches to risk assessment and creation of multi-year audit plans
■ Maintains a centralized library of electronic work papers, and automates work paper review and approval
■ Manages auditor time and expenses to avoid versioning conflicts and promote consistency
■ Integrated with financial controls management, IT risk and compliance management, general regulatory compliance efforts, and operational risk management programs
Internal Audit Technology Implementation Success Factor: Interlinked with Other Assurance Areas – A long term vision
Better practices across industries show that the success of Internal Audit tool implementations is greatly increased when the tool is implemented in such a way that it can interlink with the technology used by other assurance areas, giving Management a view of risk and issues across the Organization.
Management's View draws on: Internal Audit; SOX/Internal Controls; Other Assurance Areas (ERM, Compliance, Policy Mgmt., etc.)
Internal Audit Technology – Key Consideration Areas
• Time to Implement
• Flexibility, Configurability, & Customization
• Maturity & Sophistication of Modules & Capabilities supporting in-scope areas
• Client Specific Requirements & why they selected it
Lessons Learned in GRC Technology Implementations
• Include all relevant stakeholders at the start of the project
• Define and agree upon the functional and business requirements
• Establish a clear project plan inclusive of change and risk management
• Develop a deployment plan
• Establish a clear change management plan
• Perform System Testing and User Acceptance Testing
• Develop and provide training tailored to the end user
• Don't let a tool drive the process
Enterprise Governance, Risk and Compliance (GRC) Considerations
Enterprise GRC Considerations – Components:
1. Strategy: GRC Vision; Guiding Principles; Executive Buy-in; Functional Commitment; Roadmap
2. Convergence & Foundational Elements: Foundational Elements; Future State Process Flows; Convergence Opportunities, Alignment of Shared Functionality, and Integration Points with GRC Tool; High-level Business, Functional, and Technical Requirements Definition
3. Program Management: Project Governance; Project Plan, Timeline and Budget; Project Risks/Issue Tracking; Project Resource Management
4. People & Change: Stakeholder Analysis; Roles and Responsibilities; Communication Plan; Learning, Development and Training; Adoption Plan/Roll-out
5. Business Requirements & Reporting: GRC Business requirements design & documentation; Fit-Gap Analysis; Process, Risk, Transactional level dashboards & reporting; Link between Business Requirements and Business Process Design
6. Technology Enablement: Requirements to System Mapping / Proof of Concept; Data Conversion; Testing Strategy, Performance and User Acceptance Testing
KPMG vs. GRC Technology Vendor – Division of Roles and Responsibilities
GRC Technology Vendor
Strategy
• Participate, as needed, in Steering Committee meetings
• Participate in meetings to determine duration and staging of user groups for strategic GRC roadmap/GRC Journey
Convergence & Foundational Elements
• Assist with defining the baseline set of taxonomies/values required to set up the tool (such as organizational structure, process list, and risk categories)
• Assist with gaining agreement for common definitions of terms and ratings criteria to be shared by users
• Review/document future state process flows for use as a starting point for business requirements
• Identify and map GRC Technology Vendor tool integration points in future state processes
• Identify gaps and facilitate discussions for process changes required due to tool capability/functionality
• Provide list of configuration options to be defined for initial product setup
• Create a sandbox environment to facilitate workshop sessions and design decisions
• Assist with facilitation of targeted demonstrations (walkthrough of technology and future state process)
Program Management
• Provide project plan for activities assigned for GRC Technology Vendor to lead (i.e. tool installation, configuration, unit/functional testing, etc.)
• Participate in project status meetings
• Provide project status updates, per agreed-upon project plan, to PMO
KPMG
Strategy
• Assist with the development of a GRC Strategy, mission statement, guiding principles, and success criteria
• Assist with the identification of current and potential future stakeholders and assess potential future usage for an enterprise-wide solution
• Provide support in forming GRC Steering Committee and establishing roles and responsibilities for the initiative
• Participate in and help facilitate, as needed, GRC Steering Committee meetings
• Provide guidance with obtaining executive buy-in
• Perform maturity assessment for each stakeholder group and oversight/assurance activity to serve as input to roadmap
• Assist with the development of strategic and tactical roadmap for GRC Journey
• Assist with creation of support model and governance board to provide direction on changes to the tool both during and after the project
Convergence & Foundational Elements
• Assist with creation of support model and governance board to provide direction on changes to the tool during the project
Program Management
• Develop integrated GRC project plan, incorporating each workstream and GRC Technology Vendor timelines
• Facilitate/participate in project status meetings
• Provide detailed project plan, budget, risk and scope tracking
KPMG vs. GRC Technology Vendor – Division of Roles and Responsibilities (continued)
People & Change
GRC Technology Vendor
• Provide super user training guides, screen shots and hold initial standard tool functionality training
• Provide standard ‘out-of-the-box’ training guides
KPMG
• Create a training strategy and rollout plan by user group and level (i.e. admin, super user, lite user)
• Develop and train UAT testers
• Create user group specific training guides, presentations, and quick reference guides using client-specific GRC Technology Vendor screen shots to enable the business process
• Coordinate and instruct training sessions specific to client’s usage of GRC Technology Vendor
Business Requirements & Reporting
GRC Technology Vendor
• Provide attributes/criteria to consider for process mapping
• Provide detailed advice on tool capabilities based on client contract
• Participate in business requirements work sessions, including navigating dedicated client sandbox to determine field attributes and approval workflows
• Document business requirements in the Gap document to record areas of the tool that require configuration (such as mandatory fields, pick list values, etc.)
KPMG
• Help facilitate sessions with client and GRC Technology Vendor to identify business/functional requirements
• Review/document detailed future use and functional requirement documents
• Assist in reviewing/documenting business requirements and Gap document
• Determine user access rights, user groups, and user profiles
• Facilitate sessions to document landing page views and reporting requirements, including quick reports to view daily and those processed nightly in batch
• Develop mock reports and requirements for integrated reporting needs
Technology Enablement
GRC Technology Vendor
• Perform technical installation
• Provide on-site support to UAT testers for timely root cause analysis and resolution of defects
• Assist IT with system integration and interfaces with other systems
• Perform any configuration changes, software updates, or technical modifications to the software
• Provide on-going technical support
KPMG
• Develop testing strategy for System Integration Test (SIT), User Acceptance Testing (UAT), and regression testing
• Assist with the creation of detailed test cases and scripts to ensure business requirements, functional requirements, and technical requirements are being met
• Perform UAT testing, including detailed defect tracking and validation with GRC Technology Vendor
Q&A – Open Discussion
The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.
Contact Info
Sean Winekauf - Director, ERM & [email protected]: 402-672-0126