
Page 1

The journey from mainstream to value-add

Internal Audit and GRC at NetApp

NetApp Confidential - Limited Use Only

Page 2

The Internal Audit Journey at NetApp:

From mainstream to value-add service:
– What does Value from Internal Audit and GRC look like to tech industry stakeholders?
– How to sell it?
– How to deliver on the promise?
– What does the future look like? (the promise of Big Data)

Page 3

NetApp – The Basics

Maker of storage devices and software

Fortune 500 company

Forbes “Great Places to Work” list

$6.5B in revenue, 12,000 people

Broader ecosystem includes:
– Channel partners – 80% of our sales
– Contract manufacturers – 100% of our product
– Outsource a lot of other things – software and hardware development, shared services, facilities, etc.

Page 4

NetApp Internal Audit – The Basics

Report to CFO and the Audit Committee

3 lines of service:
– Internal Audit
– Investigations & Compliance
– License Services

16 staff:
– 3 in Bangalore
– 13 in Sunnyvale
– 3-4 contractor FTEs

Page 5

NetApp Internal Audit – The Basics

Role is defined by Charter:

The mission of the Internal Audit Department is to… [blah blah blah] …provide independent and objective audit and consulting services… [blah blah blah] …compliance with legal and regulatory requirements… [blah blah blah] …to add value through operational improvement… [blah blah blah] …evaluate and improve the effectiveness of risk management, internal control, and corporate governance processes.

What it is NOT – Sarbanes-Oxley (woo-hoo!)

Page 6

Instapoll #1 – IA’s role in SOX

Does your Internal Audit function manage the SOX program?
– Yes
– No, but IA does testing to support the program
– No
– Don’t know

Page 7

What do we actually do?

Activity Area                  FY12   FY14   FY16   Where we are now

Internal Audit
  Point-in-time Projects        70%    45%    35%   10–12 projects per year
  Continuous Auditing            0%    25%    30%   Analytics-based audit
  Other Audit Projects           5%     5%    10%   Requests, Issues Tracking, “Fix” Assistance
  SOX Support                   10%     0%     0%   Done!

Investigations & Compliance
  Investigations                10%    15%    15%   Mostly revenue/channel related
  Compliance Programs            5%    10%    10%   15–20 partners a year, plus analytics

License Services Group
  Leakage Recovery               0%    65%    80%   Sales-Assist Approach
  Tools Development              0%    25%    15%   Current program tools, future state design
  Inbound Audit Defense          0%     5%     5%   Helping to keep Oracle, IBM, SAP at bay

Page 8

What we used to do, and why we don’t do it any more

Country Audits – great for air miles, but:
– Low coverage
– High cost
– Point-in-time
– Boring and repetitive

Financial scope audits
– Finance is the best run function in the company from a risk and controls POV
– It gets audited twice over already – SOX and External Audit

Page 9

What do we do now?

Operational audits mostly, comprising:
– As-is Assessment
– Benchmarking and Maturity Analysis
– To-Be State and Roadmap
– FIX – our mantra is “2/3 audit, 1/3 fix”

Thinking hard about:
– “Audit Forward” – Can we audit for readiness for desired state?
– Integrated Assurance – Whose work can we borrow to build a bigger, better picture of risk and control?

Page 10

What we do now – some examples:

Go – No Go on major systems implementations

Contract Manufacturers – Are they ready for the next tsunami, earthquake, flood?

Talent Management – Is compensation set fairly, and how do we keep it so?

Quality – How can we shift our culture to improve product quality?

Product security – How do we develop our products to keep our customers’ environments safe?

Page 11

How did we sell it?

Not difficult to sell – which would you buy?

We sold it as a package deal:
– Value-add audit projects plus
– Analytics to replace traditional audit

Not as hard as you think to deliver on the promise – but you will need to co-source

Page 12

The Promise of Big Data: Continuous Audit Program

Traditional audit:
– A typical audit gives a snapshot of current performance
– We might get to an area every 3 or 4 years

Continuous audit and monitoring – GRC Heaven:
– Analyze data to understand how processes are working all the time
– Use metrics, triggers, performance indicators to tell us when things have gone wrong, or when they are about to go wrong
– Build tools to share information with process owners in real time
– Give these tools to the process owners

Page 13

NetApp iCAT Snapshot

Page 14

We’re On A Journey

Evolve from a compliance focus to a broader service by:

– Innovation
  License Services Group, iCAT continuous audit program

– Growth
  New approaches and techniques
  Working better with other functions – ERM, SOX, SAS, ICO, IT

– Contribution to Customer Success
  Focus on helping, not just assessing – “2/3 Audit, 1/3 Fix”
  Audit Forward – “Where do we need to be in the future?”
  Stay a step ahead of NetApp’s maturity

Page 15

GRC at NetApp

Page 16

Typical Tech Approach to GRC at NetApp:

A lot of the components are in place:
– ERM, CCO, Privacy Officer, Security Council, Investigations Teams, SOX, IA, IT Governance, other compliance functions, etc.

Coordination on an as-needed basis:
– Driven by external or internal demand

No common platform:
– Variety of tools in play

Page 17

What I Wish For: Principles-Based Approach to GRC at NetApp

Activity Categories                     Purpose
Objective Setting                       Providing clear definition of GRC purposes and goals
Risk Appetite and Tolerance             Defining an organization’s receptivity to taking risk and how much
Structure, Roles and Responsibilities   Optimizing the organization design to support and sustain GRC activities
Policies and Procedures                 Setting policy and procedure for common understanding and execution
Communication and Training              Delivering consistent understanding across the organization
Risk and Controls Assessment            Harmonizing and aligning assessment of risks; optimizing internal controls
Monitoring and Testing                  Monitoring GRC activities to facilitate continuous improvement
Incident Response                       Providing effective incident response and follow-up
Reporting (Internal and External)       Sharing performance feedback, improvement opportunities, meeting external requirements

Page 18

The Marriage of GRC and Data

Principles-Based Approach to GRC at NetApp: a matrix of the activity categories (rows) against each compliance area (columns).

Compliance areas (columns): Privacy, Global Trade, HR, EHS, Channel, SEC, ROHS/WEEE, Etc.

Activity Categories (rows):
– Objective Setting
– Risk Appetite and Tolerance
– Structure, Roles and Responsibilities
– Policies and Procedures
– Communication and Training
– Risk and Controls Assessment
– Monitoring and Testing
– Incident Response
– Reporting (Internal and External)

Page 19

But It Is Complicated – GRC Stakeholders Are Everywhere

A matrix of the activity categories (rows) against each stakeholder group (columns).

Stakeholders (columns): BoD, Execs, BPOs, ERM, OGC, SOX, IA, Compliance functions, IT

Activity Categories (rows):
– Objective Setting
– Risk Appetite and Tolerance
– Structure, Roles and Responsibilities
– Policies and Procedures
– Communication and Training
– Risk and Controls Assessment
– Monitoring
– Testing
– Incident Response
– Reporting (Internal and External)

Page 20

How To Move Forward?

A good crisis always helps!

Being Regulated trumps ROI

In our case, the ERM program might be our best shot at a vehicle for GRC

Page 21

Instapoll #2 – Correlation between GRC and Regulated Industries

Part 1: My company has a GRC program called GRC or equivalent
– Yes
– No
– Don’t Know

Part 2: My company is in a regulated industry
– Yes
– No

Page 22

GRC Tools At NetApp – a.k.a. Show Me the ROI

Currently siloed to each stakeholder – a combination of MS Office, SharePoint and off-the-shelf apps

ERM, SOX, IA and the Compliance Office explored implementing a common tool in 2011

Although all agreed on the merits for supporting activities and sharing information and resources, it did not move forward because ROI could not be proven for all stakeholders

Page 23

My Wish List For The Future:

A crisp ROI for GRC
– Which will drive

A crisp ROI for a common platform
– Which will drive

Effective, efficient resource allocation
– And ultimately Nirvana for an Internal Auditor

Provide a view on the entire risk universe at NetApp
