The journey from mainstream to value-add
Internal Audit and GRC at NetApp
NetApp Confidential - Limited Use Only
The Internal Audit Journey at NetApp:
From mainstream to value-add service:
– What does value from Internal Audit and GRC look like to tech industry stakeholders?
– How to sell it?
– How to deliver on the promise?
– What does the future look like? (the promise of Big Data)
NetApp – The Basics
Maker of storage devices and software
Fortune 500 company
Forbes “Great Places to Work” list
$6.5B in revenue, 12,000 people
Broader ecosystem includes:
– Channel partners – 80% of our sales
– Contract manufacturers – 100% of our product
– Outsourcing of a lot of other things – software and hardware development, shared services, facilities, etc.
NetApp Internal Audit - The Basics
Report to CFO and the Audit Committee
3 lines of service:
– Internal Audit
– Investigations & Compliance
– License Services
16 staff:
– 3 in Bangalore
– 13 in Sunnyvale
– 3–4 contractor FTEs
NetApp Internal Audit - The Basics
Role is defined by Charter:
The mission of the Internal Audit Department is to… [blah blah blah] …provide independent and objective audit and consulting services… [blah blah blah] …compliance with legal and regulatory requirements… [blah blah blah] …to add value through operational improvement… [blah blah blah] …evaluate and improve the effectiveness of risk management, internal control, and corporate governance processes.
What it is NOT – Sarbanes-Oxley (woo-hoo!)
Instapoll #1 – IA’s role in SOX
Does your Internal Audit function manage the SOX program?
– Yes
– No, but IA does testing to support the program
– No
– Don’t know
What do we actually do?
Share of effort by activity area, FY12 / FY14 / FY16, and where we are now:

Internal Audit
  Point-in-time Projects      70%   45%   35%   10–12 projects per year
  Continuous Auditing          0%   25%   30%   Analytics-based audit
  Other Audit Projects         5%    5%   10%   Requests, issues tracking, “fix” assistance
  SOX Support                 10%    0%    0%   Done!

Investigations & Compliance
  Investigations              10%   15%   15%   Mostly revenue/channel related
  Compliance Programs          5%   10%   10%   15–20 partners a year, plus analytics

License Services Group
  Leakage Recovery             0%   65%   80%   Sales-assist approach
  Tools Development            0%   25%   15%   Current program tools, future state design
  Inbound Audit Defense        0%    5%    5%   Helping to keep Oracle, IBM, SAP at bay
What we used to do, and why we don’t do it any more
Country audits – great for air miles, but:
– Low coverage
– High cost
– Point-in-time
– Boring and repetitive
Financial scope audits:
– Finance is the best-run function in the company from a risk and controls point of view
– It gets audited twice over already – SOX and External Audit
What do we do now?
Operational audits mostly, comprising:
– As-is Assessment
– Benchmarking and Maturity Analysis
– To-Be State and Roadmap
– FIX – our mantra is “2/3 audit, 1/3 fix”
Thinking hard about:
– “Audit Forward” – Can we audit for readiness for the desired state?
– Integrated Assurance – Whose work can we borrow to build a bigger, better picture of risk and control?
What we do now – some examples:
– Go / No-Go on major systems implementations
– Contract Manufacturers – Are they ready for the next tsunami, earthquake, flood?
– Talent Management – Is compensation set fairly, and how do we keep it so?
– Quality – How can we shift our culture to improve product quality?
– Product security – How do we develop our products to keep our customers’ environments safe?
How did we sell it?
Not difficult to sell – which would you buy?
We sold it as a package deal:
– Value-add audit projects, plus
– Analytics to replace traditional audit
Not as hard as you think to deliver on the promise – but you will need to co-source
The Promise of Big Data: Continuous Audit Program
Traditional audit:
– A typical audit gives a snapshot of current performance
– We might get to an area every 3 or 4 years
Continuous audit and monitoring – GRC Heaven:
– Analyze data to understand how processes are working all the time
– Use metrics, triggers, performance indicators to tell us when things have gone wrong, or when they are about to go wrong
– Build tools to share information with process owners in real time
– Give these tools to the process owners
NetApp iCAT Snapshot
We’re On A Journey
Evolve from a compliance focus to a broader service by:
– Innovation
  License Services Group, iCAT continuous audit program
– Growth
  New approaches and techniques
  Working better with other functions – ERM, SOX, SAS, ICO, IT
– Contribution to Customer Success
  Focus on helping, not just assessing – “2/3 Audit, 1/3 Fix”
  Audit Forward – “Where do we need to be in the future?”
  Stay a step ahead of NetApp’s maturity
GRC at NetApp
Typical Tech Approach to GRC at NetApp:
A lot of the components are in place:
– ERM, CCO, Privacy Officer, Security Council, Investigations Teams, SOX, IA, IT Governance, other compliance functions, etc.
Coordination on an as-needed basis:
– Driven by external or internal demand
No common platform:
– Variety of tools in play
What I Wish For:
Principles-Based Approach to GRC at NetApp

Activity Category                      Purpose
Objective Setting                      Providing clear definition of GRC purposes and goals
Risk Appetite and Tolerance            Defining an organization’s receptivity to taking risk, and how much
Structure, Roles and Responsibilities  Optimizing the organization design to support and sustain GRC activities
Policies and Procedures                Setting policy and procedure for common understanding and execution
Communication and Training             Delivering consistent understanding across the organization
Risk and Controls Assessment           Harmonizing and aligning assessment of risks; optimizing internal controls
Monitoring and Testing                 Monitoring GRC activities to facilitate continuous improvement
Incident Response                      Providing effective incident response and follow-up
Reporting (Internal and External)      Sharing performance feedback and improvement opportunities; meeting external requirements
The Marriage of GRC and Data
Principles-Based Approach to GRC at NetApp: a matrix of the activity categories (rows) against the compliance domains they apply to (columns).

Columns (compliance domains): Privacy; Global Trade; HR; EHS; Channel; SEC; ROHS, WEEE; etc.

Rows (activity categories):
– Objective Setting
– Risk Appetite and Tolerance
– Structure, Roles and Responsibilities
– Policies and Procedures
– Communication and Training
– Risk and Controls Assessment
– Monitoring and Testing
– Incident Response
– Reporting (Internal and External)
But It Is Complicated – GRC Stakeholders Are Everywhere
The same activity categories (rows), mapped against the stakeholders involved in each (columns).

Columns (stakeholders): BoD; Execs; BPOs; ERM; OGC; SOX; IA; Compliance functions; IT.

Rows (activity categories):
– Objective Setting
– Risk Appetite and Tolerance
– Structure, Roles and Responsibilities
– Policies and Procedures
– Communication and Training
– Risk and Controls Assessment
– Monitoring
– Testing
– Incident Response
– Reporting (Internal and External)
How To Move Forward?
A good crisis always helps!
Being regulated trumps ROI
In our case, the ERM program might be our best shot at a vehicle for GRC
Instapoll #2 – Correlation between GRC and Regulated Industries
Part 1: My company has a GRC program called GRC or equivalent
– Yes
– No
– Don’t Know
Part 2: My company is in a regulated industry
– Yes
– No
GRC Tools At NetApp – a.k.a. Show Me the ROI
Currently siloed to each stakeholder – a combination of MS Office, SharePoint and off-the-shelf apps
ERM, SOX, IA and the Compliance Office explored implementing a common tool in 2011
Although all agreed on the merits for supporting activities and sharing information and resources, it did not move forward, as ROI could not be proven for all stakeholders
My Wish List For The Future:
A crisp ROI for GRC
– Which will drive
A crisp ROI for a common platform
– Which will drive
Effective, efficient resource allocation
– And ultimately Nirvana for an Internal Auditor:
Provide a view on the entire risk universe at NetApp