How a Centralized Audit Management System Transformed Our Team
September 19, 2016
Rose-Ann Mondy, Director – HSNi Assurance & Risk Advisory
Cathy Miyagi, Senior Specialist – ACL Customer Success Organization: Data-Driven GRC Adoption
This presentation may contain forward-looking statements relating to the future performance and financial condition of HSNi, its operating segments and its consolidated subsidiaries. Forward-looking statements are based on management's current expectations and assumptions which may not prove to be accurate. Forward-looking statements are not guarantees of performance or historical facts and there are a number of known and unknown risks, uncertainties, contingencies and other factors (many of which are outside our control) that could cause actual results to differ materially from those expressed or implied by such forward-looking statements. Factors that could cause or contribute to such differences include but are not limited to: our ability to attract new and retain existing customers in a cost-effective manner; our exposure to intense competition and our ability to effectively compete for customers; changes in political, business and economic conditions, particularly those that affect consumer confidence, consumer spending or digital sales growth; changes in our relationships with pay television operators, vendors, manufacturers and other third parties; failure to attract and retain television viewers and secure a suitable programming tier of carriage and channel placement for the HSN television network programming; changes in shipping and handling costs, particularly if we are unable to offset them; any technological or regulatory developments that could negatively impact the way we do business, including regulations regarding state and local sales and use taxes; risks associated with possible systems failures and/or security breaches, including any breach that results in the theft, transfer or unauthorized access or disclosure of customer, employee or company information, or the failure to comply with various laws applicable to HSNi in the event of such a breach; any material change in HSNi's business prospects and/or strategy, including whether HSNi's 
initiatives and investments will be effective; our ability to offer new or innovative products and services through various platforms in a cost effective manner and consumer acceptance of these products and services; risks associated with acquisitions including the ability to successfully integrate new businesses and achieve expected benefits and results; risks associated with litigation, audits, claims and assessments; and the loss of any key member of our senior management team. More information about potential factors that could affect HSNi's business and financial results is included in our filings with the U.S. Securities and Exchange Commission. Other unknown or unpredictable factors that could also adversely affect HSNi's business, financial condition and results of operations may arise from time to time. In light of these risks and uncertainties, any forward-looking statements may not prove to be accurate. All written or oral forward-looking statements that are made or attributable to us are expressly qualified in their entirety by this cautionary notice. Accordingly, you should not place undue reliance on any forward-looking statements, which only reflect the views of HSNi management as of the date of this press release. Such statements speak only to the date such statements are made and HSNi does not undertake to update any forward-looking statements. Historical results should not be considered as an indication of future performance.
SAFE HARBOR STATEMENT
HSN, Inc. (Nasdaq: HSNI) is a $4 billion interactive multi-channel retailer with strong direct-to-consumer expertise and operates two business segments, HSN and Cornerstone.
HSNi became a stand-alone company in May 2008
HSN Compliance department converted to HSNi Assurance & Risk Advisory - ARA (F/K/A: Internal Audit)
ARA retained legacy system (OpenPages) until 2014
ARA started out as a 2 person department and over the years has grown to:
> 4 Audit Professionals
> 1 Business Continuity Manager
> 2 Para-professionals
> RSM for IT & Non-IT Support
The Story
What Were We Looking For
Should We Renew?
We needed a tool that will improve our productivity:
• A tool that can generate useful reports
• Capture key IA elements (e.g. Control #, Owner, method, frequency, COSO element, application name, etc.)
• Contains industry accepted frameworks (e.g. risk control matrices, COSO, ISO, etc.)
• Workflow capabilities
• Cloud computing
• Ability to grant restricted access
• Streamline navigation
Timeline
Q2 2014
• Wrote business case
• Research and assess tools
• Obtain support from VP of Assurance & Risk Advisory (ARA)
Q3 2014
• ACL Connections - Dallas, Texas
• Championed tool to ARA team
• Partnered with ACL: CSO, Pre-Sales and Product Management teams
• Introduce tool to internal & external partners
Q4 2014
• ACL GRC demonstration with HSNi specific data and methodologies
• Developed implementation plan
• Drafted MSA and SOW
Q1 2015
• Signed MSA and SOW
• Engaged ACL CSO DDGRC Adoption team (formerly Professional Services)
• ACL migrated data from OpenPages
• Trained ARA, External Auditors and other Partners – Went Live!
Critical Factors:
Others:
• Engagement team
• Data conversion
• Customer service
• Long term growth
• Performed a three-year expense analysis
Decision Criteria
Key Functionalities & Features
Regular Product Updates
Continuous Improvement
User Groups, ACL Academy, etc.
Work paper management, Cloud Computing
Fundamentals
Templates: SOX, SSAE 16, T&E, Purchase Cards
You are not a number – they’ve got your back!
Support
Various ACL support teams
HSNi Assurance & Risk Advisory
“The world hates change, yet it is the only thing that has brought progress.”
- Charles Kettering (a very important guy)
■ Support from Senior Management
■ HSNi ARA
> Data conversion & mapping
> Timing of conversion
> Training
> Reporting
> Ongoing assistance
■ External Auditors
> Availability of data
> Capture key elements
> Data conversion
■ Consultants
> Training and Accessibility
■ Data conversion
> ACL built template to migrate data
Getting The Green Light
Leadership Style
• If you don’t believe it, don’t try to sell it
• Listen
• Be honest – don’t oversell and under deliver
• Take a partner along
• Ask for help when you need it – you don’t have to have all the answers
• Lay the foundation, but everyone builds
• Have some skin in the game!
Why ACL DDGRC Adoption Frameworks?
• Clear transformational paths to customer value-based outcomes
• Long-term scalable strategies
• Clear methodologies, phases and milestones
• To accelerate adoption of ACL technology by existing ACL GRC and analytic customers
“Data-Driven” GRC
ACL DDGRC Audit Management Adoption Methodology
Change Management
Efficient Audit workflows
Continuous controls monitoring
One version of the truth
Increase visibility of Audit program
Align audit plan with enterprise risks
Value-Based Outcomes
OPTIMIZATION
Integrating data analytics into controls testing
Adopting continuous monitoring via usage of questionnaires and assigning records for review to the business
Usage of report templates or create custom reports in Reports Manager
OPERATIONALIZATION
Enable users to use ACL GRC functionality for audit
> Project Manager
> Results Manager
> Reports Manager
Document audit workflow in Project Manager with usage of collaborative functionalities like client requests, to-do’s, and action items.
The Customer Adoption Journey
CUSTOMER SUCCESS ORGANIZATION (CSO)
ANALYTICS Adoption
DD GRC Adoption
Specialists
Agents
Customer Intensity Agency (CIA)
Adoption Managers
Adoption Specialists
PROJECT MANAGER
> Operational audits
> SOX
RESULTS MANAGER
> Data gathering
> Questionnaires
REPORTS MANAGER
> Weekly status reports
Achievable & Measurable Successes
Results Manager
A B C
A Used to gather information before onsite meetings were held
Success rate - High
B Used to execute questionnaire to eleven members of Senior Management covering 94 topics
Success rate - Low
C Templates provided by ACL
Build out Enterprise Risk Management
Risk Manager Coming Soon - New COSO ERM Framework – Q2/Q3 2017
Incorporate data analytics “Data-Driven GRC”
Enhancements to address Enterprise Risk Management
ACL Product Roadmap
• Multiple risk profiles
• Up to 10 risk scoring factors
• 5 configurable risk attributes
• Roll up of Risk Assurance scores
• Linking enterprise risks to control objectives
• Nested entity tags (linked with Projects)
Key Takeaways
Implementing a Centralized Audit System:
• Solicit input and listen
• Make a list of your “Must Haves”
• What does success look like to you?
• How do you measure value?
• Buying a product vs. buying a solution
• Have fun