DoubleCheck Feb ’12 Newsletter: “Risk Management Lessons from the Costa Concordia?”

While being inundated with news about the Costa Concordia disaster, I got to wondering about their ERM (Enterprise Risk Management) processes, and quickly tumbled to the conclusion that no matter what their processes were on paper, they were clearly unsatisfactory in practice.

First, let me state clearly that I have no more information on this disaster than what has been made public to date. Many other official investigations and reports will be coming out for some time regarding what happened and why. However, I don’t expect them to view this matter from the perspective of Enterprise Risk Management (ERM).

To that end, I will attempt to put this occurrence into the context of known risks, controls intended to mitigate the risks, the testing of those controls and the escalating notifications necessary if those controls fail or are bypassed. There is always the Inherent Risk of a ship running aground; but with the proper ERM processes and controls in place, I don’t believe that should ever be the level of Residual Risk.

To set a point of reference for this analysis, I am defining ERM as a set of processes that allow MANAGEMENT to scope key risks (a ship going aground, for example) and put a series of “detect” controls, “prevent” controls and “mitigating” controls in place to reduce the impact of a Risk Event from the likely high value of the Inherent risk to a Residual risk value as close to zero as possible given the laws of diminishing returns on investment.

As a point of reference, when a plane veers off its assigned route, the standard ERM process in that industry has a number of “detect controls” in place: a co-pilot who can question the pilot about the change (direction or altitude), an independent air traffic controller who is tasked with monitoring the location of the aircraft and questioning the pilot if anomalies are observed, and usually automated alarms on the plane that are triggered under certain adverse circumstances.

What ERM processes were in place on the Costa Concordia? We know there was a 2nd officer; why did he allow the Captain to make unauthorized changes to the route without questioning his actions (Detect and Prevent Control)? Was no one on shore (Port authorities) aware of the change of course of the ship? Was no one at Costa Cruises headquarters monitoring the route of the ship real-time via GPS? I don’t know the answers to these questions, but I will bet the lawyers for the passengers and victims will be asking those questions later.

Once the ship went aground, why weren’t there sufficient “mitigating controls” in place and working? The lack of leadership and correct information from management to the crew (“oh, it was just a loss of electricity”) that would have mitigated the confusion and counter-productive direction given to the passengers (e.g., “go back to your cabins and await our instructions”), and the lack of automated alarms THAT SOUND AT HEADQUARTERS, not just on the ship, when the hull is breached, are just a few of the breakdowns in a proper ERM process.

Even if it is determined that the primary fault lies with the actions of the Captain, the company is responsible for not having the proper ERM processes and controls in place to detect, prevent or at least mitigate the improper actions of a single individual. This is a basic tenet of any working ERM system, whether it is to mitigate the losses incurred by a single rogue trader at a large financial institution or a ship’s Captain responsible for the safety of thousands of passengers.

Whenever an event like this occurs, it always makes me ask myself the basic questions: Does my ERM program truly identify the key risks? Do I have good Key Risk Indicators in place? Do I have appropriate Risk Mitigation plans in place? Have I audited or otherwise checked those plans to assure they are in fact complete and operational? Can I demonstrate this?

As we have seen far too often, complacency in ERM has serious consequences.

Best regards,

Paul Fine
Director of Marketing & Business Development
DoubleCheck LLC
Atlanta, GA USA
Phone: 770-565-8616
Mobile: 678-360-2851
www.doublechecksoftware.com
www.doublechecksoftware.com/news/newsletters/

DoubleCheck™ January ’12 Newsletter: CAE Exit Interview Headline: “It wasn’t broke, so I didn’t fix it”

Chief Audit Executives (CAE) have a difficult task.  They are oftentimes placed in the unenviable position of having to be a “slave to two masters”.  That is, they have a direct reporting relationship to the Audit Committee, but also an operational/dotted line reporting relationship to the CFO.  Strategic guidance may come from the Audit Committee (AC), but the Audit Department budget at some point goes through the CFO (if not officially, certainly unofficially).

So, the CAE must carefully balance the positioning of the department (and of him/herself) as being proactive in the utilization of available resources, adding strategic as well as tactical value to the organization and picking funding battles very carefully.  There is no single answer to how best to deal with these potential conflicts, because the responsibilities of a CAE vary greatly by company.

Some may also have Compliance (e.g., SOX) under their domain; others might have ERM.  Some have all three areas to manage, which can get complicated if not all areas report into the AC (e.g., SOX will often stay ultimately within the Business Owners’ responsibilities).  In fact, some CAEs have told me their department spends 50% of its time on SOX-related matters, leaving few resources for the more value-added operational audit and risk-scoping activity that could enhance their standing within the company.

With finite resources (staff, time, money, political capital), a CAE may find themselves having to use a “triage” approach to the allocation of those resources.  What some have fallen back on is the “if it ain’t broke, don’t fix it” approach.  This status quo approach can leave an audit department behind current “best practices” and prove inefficient over time.  World class organizations pursue a philosophy of cannibalization.  Said another way, if you don’t “eat your own lunch”, your competition will eat it for you.

The application of this philosophy means that you don’t just look to place resources against things that aren’t working; you also put resources against products/processes/policies that are working, but not working as well as they could be.  Your ROI comes from freeing up resources to accomplish other goals that might be of more value than the “check the box” approach of an older audit/testing process.

Think of this as an analogy to how you might be scoping and testing the difference between the Inherent Likelihood of a Risk event occurring and the Residual Likelihood of that Risk event occurring after the proper Controls are in place.  In this analogy, investing in new processes, systems and products to ensure a Risk event doesn’t occur in the Audit Dept (lack of document version control using Excel, broken audit trail of activities, incomplete reports due to multiple data sources, etc.) becomes the “Control” to prevent and mitigate the Risk.  If you would be reporting a Material Deficiency to the Business Owners if they didn’t have the proper Controls in place, why should your department be exempt from the same level of oversight and scrutiny?  Beware the old homily:  “Do as I say, not as I do!”

This “new Controls environment” may involve investments to increase or upgrade staff, find more efficient ways of doing audits/testing (CSA, Peer Testing, Co-sourcing, etc.) or automating manual procedures.  The use of automation is particularly useful and “value-added” if the CAE is trying to expand the scope of their department, or is responsible for multiple areas (e.g., ICFR, ERM, etc.).  Having all of your data residing within a single electronic repository, with the ability to associate findings across audits as well as tests, can be invaluable when reporting Enterprise-level findings to the AC (and having a complete audit trail to support the accuracy of those findings to the External Auditors, reducing the cost of duplicate testing by them).

A CAE whose primary defense for why they aren’t constantly trying to improve their department, enhance productivity of their Team and improve their ability to inform Management on the state of the organization is:

“It wasn’t broke, so I didn’t invest money to fix it”…

may find that time-worn phrase headlining their exit interview summary.  After all, in the world of the CAE, when something does finally break, the AC’s first step in remediation is often a decision to get a new CAE.  You have to stay ahead of the game if you want to stay in the game.

I wish you all a Happy New Year.

Paul Fine
Director of Marketing & Business Development
Atlanta, GA
Phone:  770-565-8616
Mobile:  678-360-2851
www.doublechecksoftware.com
www.doublechecksoftware.com/news/newsletters/

Monthly Newsletter, Dec ’11: “The 12 Days of Audit”

“The Twelve Days of Audit”

1.  On the first day of the audit, my Audit Manager gave to me…
One bus ticket to Pigeon Forge, Tennessee

2.  On the second day of the audit, my Audit Manager gave to me…
Two Audit interns…
And one bus ticket to Pigeon Forge, Tennessee

3.  On the third day of the audit, my Audit Manager gave to me…
Three hours to do the preliminary survey…
Two Audit interns
And one bus ticket to Pigeon Forge, Tennessee

4.  On the fourth day of the audit, my Audit Manager gave to me…
Four page Planning Memo…
Three hours to do the preliminary survey
Two Audit interns
And one bus ticket to Pigeon Forge, Tennessee

5.  On the fifth day of the audit, my Audit Manager gave to me…
Five global processes to audit…
Four page Planning Memo
Three hours to do the preliminary survey
Two Audit interns
And one bus ticket to Pigeon Forge, Tennessee

6.  On the sixth day of the audit, my Audit Manager gave to me…
Six key controls to test per process…
Five global processes to audit
Four page Planning Memo
Three hours to do the preliminary survey
Two Audit interns
And one bus ticket to Pigeon Forge, Tennessee

7.  On the seventh day of the audit, my Audit Manager gave to me…
Seven regional Controllers to train on peer testing…
Six key controls to test per process
Five global processes to audit
Four page Planning Memo
Three hours to do the preliminary survey
Two Audit interns
And one bus ticket to Pigeon Forge, Tennessee

8.  On the eighth day of the audit, my Audit Manager gave to me…
Eight supporting spreadsheets to reconcile…
Seven regional Controllers to train on peer testing
Six key controls to test per process
Five global processes to audit
Four page Planning Memo
Three hours to do the preliminary survey
Two Audit interns
And one bus ticket to Pigeon Forge, Tennessee

9.  On the ninth day of the audit, my Audit Manager gave to me…
Nine remediation test runs…
Eight supporting spreadsheets to reconcile
Seven regional Controllers to train on peer testing
Six key controls to test per process
Five global processes to audit
Four page Planning Memo
Three hours to do the preliminary survey
Two Audit interns
And one bus ticket to Pigeon Forge, Tennessee

10.  On the tenth day of the audit, my Audit Manager gave to me…
Ten hour post-audit conference…
Nine remediation test runs
Eight supporting spreadsheets to reconcile
Seven regional Controllers to train on peer testing
Six key controls to test per process
Five global processes to audit
Four page Planning Memo
Three hours to do the preliminary survey
Two Audit interns
And one bus ticket to Pigeon Forge, Tennessee

11.  On the eleventh day of the audit, my Audit Manager gave to me…
Eleven notations in the Comment Log…
Ten hour post-audit conference
Nine remediation test runs
Eight supporting spreadsheets to reconcile
Seven regional Controllers to train on peer testing
Six key controls to test per process
Five global processes to audit
Four page Planning Memo
Three hours to do the preliminary survey
Two Audit interns
And one bus ticket to Pigeon Forge, Tennessee

12.  On the twelfth day of the audit, my Audit Manager gave to me…
Twelve hours to get to my next audit site…
Eleven notations in the Comment Log
Ten hour post-audit conference
Nine remediation test runs
Eight supporting spreadsheets to reconcile
Seven regional Controllers to train on peer testing
Six key controls to test per process
Five global processes to audit
Four page Planning Memo
Three hours to do the preliminary survey
Two Audit interns
And one bus ticket to Pigeon Forge, Tennesseeeeeeee

I would love to hear how many of these “Days of Audit” resonate with you.  Happy Holidays to one and all.  See you next year…

Paul Fine
Director of Marketing & Business Development
DoubleCheck LLC
Pfine@doublechecksoftware.com
770-565-8616
Atlanta, GA

Nov ’11 Newsletter: “An Audit or a Root Canal…what’s your pleasure?”

Since I just finished having a root canal 3 hours ago, this question isn’t as crazy as it may initially seem.  Sitting in an endodontist’s (specialty dentist) chair for nearly two hours, shot full of Novocaine (a great discovery, by the way), my mind tended to wander.  I prefer the subject of my DoubleCheck™ Monthly Newsletters to be topical, and I realized this personal experience offered an interesting opportunity to consider the similarities between the two experiences from the perspectives of the patient (auditee) and the specialist dentist (auditor).  We’ll start with the experience I know best:

THE PATIENT:

1.  Anticipation:  Both audits and root canals tend to be procedures that are planned and scheduled, but all “patients” should remember that an ounce of prevention is worth a pound of cure (and usually less painful).  Neither is an event we wish to experience, but we know trying to avoid it will only lead to more dire consequences later.  But your mind does tend to imagine the worst as you wait for the appointed day.

2.  Expectation:  Neither a root canal patient nor an auditee expects anything good to come from their experience.  The goal is to avoid anything bad that might result from it.  We don’t want to suffer any pain, repeat procedures, denied insurance coverage (e.g., your boss doesn’t protect you) or other ill effects.  We just want it to be over with and forgotten by everyone.

3.  Experience:  As you go through the actual experience (root canal or audit), you begin to realize that much of the anticipation and expectation was all in your head, rather than based on facts.  You have heard the horror stories from other people; maybe had a bad experience previously (as I had).  But once you relax and let the experts do their job, you will typically find the experience painless and uneventful.  Of course, both events go even more smoothly if the professionals involved have a good set of current generation tools at their disposal.

4.  Aftermath:  In my case, the Novocaine has now worn off and I have no residual pain or discomfort.  The same is true for most auditees (except their numbness might be derived from other sources).  If you follow directions, answer the experts’ questions, relax in the chair and recognize their goal is not to cause you pain, you should come out just fine.

THE DENTIST:

1.  Anticipation:  Dentists (and auditors) do this all day, every day.  There is no sense of anticipation or excitement; they are just doing their job.  But most (the good ones) recognize the concerns and sometimes dread that the patient (auditee) has for this process.  They try to take this emotional component of the process into account, realizing that their job will go smoother and faster if the person they are working with is inclined to be cooperative.

2.  Expectation:  A dentist expects to find a tooth needing a nerve removed to avoid chronic inflammation and infection.  An auditor expects to find NOTHING that requires removal (material deficiency) or is causing chronic inflammation (non-operating Key Controls).  In this matter, their expectations do diverge.  However, both types of professionals are trained to recognize and deal with any exigent circumstances uncovered during their planned activities.  So, let them do their job.

3.  Experience:  For both the dentist and the auditor, the actual experience usually goes according to the general plan.  However, there is always something they discover during their routine activities that requires some adjustment, extra effort or re-consideration.  If they don’t make a big deal about the new information, the patient/auditee will usually not even realize that something is different or even amiss.  After all, the dentist/auditor is the person who knows what the plan was, not the patient/auditee, right?

4.  Aftermath:  When the procedure is completed, the specialty dentist gives the patient near-term instructions (pain meds, etc.), provides before/after X-rays for the patient’s regular dentist and goes on to the next patient.  Similarly, an auditor provides the auditee near-term instructions (e.g., we are going to re-test some Key Controls), notifies Audit Management and Process Owners of any key findings, then goes on to the next audit.  For both, it is all in a day’s work.

So, what are the lessons we can learn from my personal experiences today?

1.  Letting a problem fester without correction can lead to a more acute problem requiring more drastic measures.  This is usually more costly and generally avoidable.

2.  Don’t imagine the worst outcome; you might make it a self-fulfilling prophecy.

3.  Trained professionals are usually working with your best interests at heart; there is no upside for them to do otherwise.  Help them help you.

4.  Don’t minimize the angst and emotions the patient/auditee may be feeling; numbers aren’t always the only things that need counting.

I hope to offer a different (and less personal) perspective for our December Newsletter.  In the meantime, we at DoubleCheck™ wish all our clients and friends in the U.S. and Canada who have served their country a well-deserved Veterans Day/Remembrance Day this Friday, 11/11/11.

Best regards,

Paul Fine

Director of Marketing & Business Development
DoubleCheck LLC
pfine@doublechecksoftware.com
770-565-8616 (office)
678-360-2851 (cell)
Atlanta, GA USA
www.doublechecksoftware.com

GRC & Audit Software Reviews: How to perform Apples to Apples vs. Apples to Oranges Comparisons…

“Due diligence” is the mantra of any executive considering the acquisition of a new software tool, especially one with broad-reaching scalability and impact within an organization; a key attribute of a GRC & Audit platform.

The challenge in making an optimum selection has two key elements:

1.  Most decision-makers (CAE, CAO, CCO, etc.) may have only acquired this type of product once or twice before in their career (or maybe not at all).

2.  There are a plethora of vendors who claim to offer one or more functional pieces of a GRC & Audit platform, with their features and services changing regularly.

I could recommend that every prospective purchaser go through a formal and lengthy RFP process, but that can be overkill for small to midsize (or even large) firms.  It takes up way too many internal resources and time, both to pull together and then to evaluate.  Yes, there are vendors who offer to provide you a “template” RFP, but what are the odds that template is going to be both objective and a good fit for your particular framework and requirements?

I would prefer to recommend that you first pull together your key requirements, both in the short term (I just want to automate the SOX testing area now) and long term (need a platform expandable and scalable to Audit, Risk, Contract Mgmt, etc.).  You can’t select a software tool to solve a problem you haven’t yet defined. 

Once that is done, you now face the “apples to apples” vs. “apples to oranges” dilemma.  How do you make sure you are comparing accurately all that you are getting for the different prices the vendors are quoting?  The devil is in the details, as many of you who have faced “buyer’s remorse” learned the hard way.  Here are a few key areas I recommend you get clear definitions for:

1.  User licenses: 

How do they define a “User”?  Do they differentiate between Full/Power Users and Casual/Limited Users?  What do the different types cost, and what can they do or see?  Do Assessment Takers need a license, or can they respond to surveys/assessments/questionnaires/certifications for no charge?

2.  Implementation:

Your success and staff adoption of a new software platform will be as dependent upon the ease and completeness of the implementation as it will be upon the actual product features.  Don’t let a salesman deflect the question by saying “90% of our customers only need our standard implementation package”.  Find out what this includes, and what it costs to “have fries with that”; e.g., customized configuration (vs. standard COSO template), automated importation of your data (vs. you doing it manually), standard AND custom reports at no extra charge, U.S.-based Help Desk/Tech Support, etc.

3.  Training:

If you haven’t been sufficiently trained on how to use the software, you won’t use it; simple as that.  How much training is the vendor including in the quote?  Four hours of online training is not the same as five days of onsite training, no matter what you call it.  Will the training be conducted on your own data, after the implementation, or on generic “static” data they have in a general training manual?  If onsite training, is it at your facility, or do you and your staff have to travel to the vendor’s location at your company’s expense?

4.  Product Features:

This is basic, but sometimes forgotten.  If the vendor says they have a feature important to you, have them show it to you.  Different products accomplish certain functions in different ways.  You want to be sure you are comparing key aspects of those functions such as being user-friendly and re-configurable (without IT or Vendor support).

5.  References:

I can’t emphasize this enough.  Talk to others who have done what you plan to do.  Get applicable and relevant references from the vendors, either by asking directly or by going to their web site or press release site to see who their clients are.  Then, call them.  If the vendor hasn’t made their current clients “raving fans”, what are the chances they will make one of you?

If you hold all the vendors you are considering to this same set of standards, you will have a much better chance of comparing “apples to apples” vs. “apples to oranges”.  And isn’t that what “due diligence” is all about?

Best regards,

Paul Fine
Director of Marketing & Business Development
DoubleCheck LLC
770-565-8616
pfine@doublechecksoftware.com
www.doublechecksoftware.com

GRC Spreadsheets: An Oxymoron?

Are you still managing your GRC elements just with spreadsheets?  A number of analysts have noted that spreadsheets are still the leading “tool” for managing the various elements of governance, risk, compliance (GRC) and audit.

Yet, if you start from the premise that a GRC culture is meant to create an organizational environment where all key risks and related governance elements are not only identified and assigned from an accountability standpoint, but KNOWN by key Corporate management (versus siloed information), then the question has to be asked:

“Is a collection of spreadsheets the best tool set to meet the GRC objective?”

I spoke with a VP-Internal Audit a few months ago whom I have known for five years.  He was struggling to work through a spreadsheet that had literally a thousand rows and dozens of columns.  The lack of ease in identifying the key data cells and ensuring they were updated correctly and linked to appropriate sub-forms and workpapers was both time-consuming and carried an inherently high risk of data corruption.

Similarly, we recently demo’d our GRC & Audit solution for a few companies that spent a week every month trying to export data from multiple spreadsheets into a template report format delivered to the Board within a PowerPoint document.  Were spreadsheets the most efficient tool to use for the collection and dissemination of important information to Senior Management on a regular basis?  They were starting to think “maybe not”.

I sometimes hear from GRC executives (e.g., Audit, ERM, Compliance, Policy, etc.) that they already have an automated solution to “share” documents, which they consider consistent with the GRC goal of “breaking down silos”.  This is not the same as having a single electronic repository of DATA.  DATA is not the same thing as DOCUMENTS.  If the data is available in its simplest form (data points), and is housed in an architecture that allows for relational linkage and reporting, then you can truly share information.

Importantly, you can then re-configure the various data elements to create a report that is specific to the needs of each individual user, or user group, rather than just sharing a general spreadsheet that then has to be interpreted or re-formatted by the user.  And if you can do this without requiring IT to help you, it becomes even more convenient.

Understand, I have nothing against the use of spreadsheets per se.  I use them myself on a daily basis.  But they are just one tool, like many others in your toolbox.  If the task is relatively simple and doesn’t require multiple human touchpoints (remember the need for Version Control), then spreadsheets might be sufficient. 

But if your objective is to make all key data available to the appropriate people (with varying levels of security access), keep a complete audit trail of any changes to the data, manage the data and tasks/issues via an automated workflow (with notifications) and have the ability to run and share reports on both a scheduled and ad hoc basis without requiring IT support, then you may want to consider a more robust automated GRC & Audit solution. 

If you now think you may want to look at alternatives to simply a spreadsheet environment, give me a call.  DoubleCheck™ would be happy to import representative samples of your spreadsheets to show you what you can do to meet your GRC & Audit objectives, and how easily you can do it, within our environment.

Best regards,

Paul Fine
Director of Marketing & Business Development
DoubleCheck LLC
pfine@doublechecksoftware.com
770-565-8616

“SOX audits vs. Operational Audits: What is the right balance for your IA department?”

This is a question that has no right or wrong answer, but is one that every Chief Audit Executive (CAE) needs to consider.  Even private firms that aren’t required to comply with SOX are likely still tasked with testing some Controls to ensure internal control over financial reporting (ICFR) within the organization, or have some other type of compliance audit to perform (HIPAA, PCI, Fraud, MAR, etc.).

So, how do you fulfill this role for testing and reporting on regulatory compliance (SOX), while finding the time and resources to perform your larger role of adding value to your department through oversight of the company’s general activities?  To address this issue, let’s start with making sure we are working from a common framework.  A standard definition (Farlex Financial Dictionary) of an Operational (sometimes called Management) Audit is as follows:

“A measurement and report of the effectiveness and results of certain business procedures. Management audits are usually performed internally, and check to see that procedures have their intended effect. Unlike a compliance audit (e.g., SOX), which simply ensures that procedures are being followed, management audits challenge the assumptions and objectives of procedures, with an eye toward improving efficiency. A management audit may recommend changes in procedures resulting from observed inefficiencies in existing procedures.”

This can include audits of facilities, processes, staff behavior, etc.  I believe the majority of you would agree that it should always include Objectives and Risks associated with the entity areas being audited.  We also recognize that there is oftentimes some overlap with SOX Controls, so that a SOX test can satisfy part of an Operational Audit, or vice versa.

However, how do you split your workload for those areas that don’t overlap?  Some of you have told me that the majority of your auditors’ time is spent doing SOX testing, not “true” auditing.  The perceived downside of that mix is that it becomes difficult for the CAE to demonstrate the strategic value of his/her Audit department, because they are performing what many CFO/CEOs think of as a “commodity” function.  After all, SOX has been around for 8 years or so; how much creativity is involved in the activities to demonstrate ICFR (their opinion, not mine)?

The majority of the CAEs I talk to (particularly those who are relatively new in their assignment) tell me one of their organizational objectives is to reduce the SOX workload to allow for more Operational audits.  Many tell me that over 50% of their department’s man-hours are spent on SOX-related activities, with their goal to get it down to less than 33%.

One reason they are willing to speak with me about GRC & Audit automation software is so that they can achieve this goal without adding headcount (either internally or through co-sourcing).  As I discussed in last month’s newsletter, automation also offers the option of self-assessments vs. direct testing as a time and money-saving process.  This also releases auditors to perform more Operational audit activities vs. SOX Compliance.  This assessment “engine” also can be used for Risk Assessments to better focus the Operational audits on areas other than SOX Key Controls.

On a related note, as more Audit Committees and Boards of Directors take up the issue of Enterprise Risk Management (ERM), it is frequently falling to the CAE (if no CRO exists in the organization) to pick up the gauntlet for this responsibility.  That puts one more item on their plate without an increase in headcount.  The only way to accomplish that goal is to be more efficient and productive in managing the existing key responsibilities (e.g., SOX testing), thus freeing up time for more risk-based Operational audits.  What the right balance is for your organization is up to you, but I’m pretty sure achieving that desired balance will be easier with automation than without.  I’d love to hear from you regarding your point of view on the matter.

Best regards, 

Paul Fine

Director of Marketing & Business Development
DoubleCheck LLC
770-565-8616 (office)
678-360-2851 (cell)
Atlanta, GA
pfine@doublechecksoftware.com

DoubleCheck™ Announces Availability of Preconfigured Compliance Solutions

July 25, 2011 | Morris Plains, NJ: DoubleCheck™ LLC, a leading provider of enterprise GRC & Audit solutions, today announced the availability of a suite of preconfigured solutions for PCI and CobIT assessments.

“These capabilities enrich the power of our current solution,” said Tim Ihde, Chief Technical Officer, DoubleCheck. “As part of an integrated suite, these preconfigured assessments make it easy and efficient for companies to implement and maintain standards based compliance programs.”

The CobIT framework supports effective management of an IT organization, with focus on balancing technical, operational and business requirements. The DoubleCheck CobIT Solution provides an easy means of performing a CobIT assessment, built around a structured set of assessments, a clear scoring methodology, excellent document management and easy to interpret reports.

The PCI (Payment Card Industry) Data Security Standards (DSS) are designed to identify and minimize technical and process vulnerabilities that present risks to sensitive cardholder data. The DoubleCheck PCI Solution takes the PCI requirements and turns them into an easy-to-use self-assessment, with a scoring methodology that provides insight about both compliance and areas of potential concern. Additionally, the assessment process is easy to customize based on the specific needs or structure of your organization.

This content and associated assessments, management and reporting functions may be used on a standalone basis or integrated with a broader GRC & Audit solution. When implemented as part of a broader GRC & Audit solution, both the CobIT and PCI assessments can be linked with other compliance, audit and risk management initiatives, communicating key issues and sharing results across programs.

“We are very pleased to add these capabilities to our solution suite,” said Joseph Cincotta, President and CEO of DoubleCheck. “These capabilities will make it easier for our clients to execute PCI and CobIT compliance programs and keep those programs current as the standards evolve. When combined with our well-established and rich capabilities and our exceptional customer service, we have once again raised the bar for GRC & Audit solutions.”

About DoubleCheck™ LLC: DoubleCheck™ LLC is a leading enterprise-level GRC & Audit solutions software company. The DoubleCheck product portfolio includes solutions for Compliance, Corporate Governance, Risk Management and Audit Management. A leading research firm, Gartner, has identified DoubleCheck as a vendor that can provide all four elements of a complete Enterprise GRC solution: Audit Management, Compliance Management, Risk Management and Policy Management. DoubleCheck™ is ideally suited to provide the solutions, tools, information, reporting systems and exceptional customer support essential to ensure productive, efficient and well-organized Governance, Risk, Compliance and Audit Management business processes.

For more information about DoubleCheck LLC, please contact:

Mr. Paul Fine
Director of Marketing & Business Development

DoubleCheck LLC

770-565-8616

pfine@doublechecksoftware.com
www.doublechecksoftware.com

Control Tests vs. Self-Assessments: What is the Right Balance?

This question arises frequently in my conversations with senior Audit and Compliance executives, particularly in the context of SOX compliance. The answer for each organization depends upon a myriad of factors, including organizational structure, geographic dispersion, staffing levels and management philosophy (centralized vs. decentralized). I want to devote this month’s newsletter to discussing the pros and cons of each approach, recognizing that success means identifying and fixing issues and, ultimately, providing appropriate assurance that the firm is in compliance while minimizing the time and money spent.

Testing:

In its simplest form, testing is done to confirm that Controls are functioning properly. As Ronald Reagan once said, “trust, but verify”. This is at the heart of SOX Compliance: ensuring and certifying that the organization has sufficient “Internal Controls over Financial Reporting”.

However, the SOX regulations don’t dictate how to meet that standard. Direct testing of key controls by independent parties is generally the most reliable (and usually the most expensive) way to confirm that a control is performing properly. And while other organizations provide frameworks and guidance (COSO, COBIT, etc.), there is great latitude in the actual way to test.

Companies implement testing programs in different ways. For example, some large firms have a separate IC staff, removed from IA. Others have Internal Auditors do the SOX testing, with the actual responsibility for SOX compliance remaining with the Business Owners (generally within the Controller’s group). I’m sure there are other combinations and permutations of these options, but they all still end up doing “testing”.

Geographically dispersed organizations (global footprint) will often use the concept of “Peer testing” to augment lower staffing levels and reduce travel costs. Here, trained staff conduct tests of Controls outside their area of responsibility (and outside their normal work duties). This might be Controller A testing controls in Controller B’s business unit, B testing C’s, etc.

Another approach, with additional costs, is to co-source the testing to a 3rd party accounting/advisory firm with a local presence overseas.  This method is also employed by some firms for non-financial controls testing (e.g., IT Controls, PCI, etc.) regardless of the location.

For any of these methods of testing, you want a system, like that offered by DoubleCheck™, that provides the capability for designing, scheduling and managing the tests. It should also include the ability to execute specific test plans, collect and archive appropriate evidence, and share the findings, as appropriate, with management for review. The chosen system should also enhance your capability to follow up after audits and to confirm that agreed-to management actions have been executed. Finally, not every tester will always be within range of an Internet connection, so be sure that whatever system you use allows for off-line testing with later sync-up capability.

Self-Assessments:

Self-Assessments are the other means many firms use to confirm that Controls are performing to expectations. This method requires that the organization trust the Control Owners to police themselves, principally by responding to a set of specific questions designed to determine compliance based on the subject-matter knowledge of the control owners.

By their very nature, self-assessments can carry more potential risk than direct testing. You are asking a person to report a deficiency that they might be blamed for. It also requires an organizational culture that pushes tasks down the chain of command and encourages delegation and personal responsibility.

That said, some of that risk can be mitigated by requesting supporting documentation for the responses or by doing random testing of some of the Controls after the self-assessment response is received. Once again, “trust, but verify”.

The key advantage of self-assessments vs. direct testing is savings in cost and time. If you have a system like the DoubleCheck™ GRC & Audit Platform, you have unlimited FREE licenses for self-assessment respondents. This can add up to substantial savings in staff, lost productivity (when Peer testing diverts time from normal duties), travel costs and User license fees. Self-assessments can also be very costly in man-hours if you try to do them just with Word/Excel, using manually generated email notifications and manual response integration and analysis processes.

One key feature that DoubleCheck™ offers when doing assessments is the ability to perform what are called “Branching Assessments”. Often when executing a self-assessment, depending on the answer, you may want to ask follow-up questions. For example, if (and only if) a respondent answers “No” to a question for which the preferred answer is “Yes” (e.g., “Is this Control still working?”), the system can ask any number of follow-up questions to help the assessment manager understand that “No” answer. It can even require an answer in the “Comment” field of the Assessment before the system will allow the response to be submitted.
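As an added illustration (not DoubleCheck’s code) of the branching logic just described and of the “trust, but verify” follow-up testing mentioned under Self-Assessments, the Python sketch below runs a constructed two-control assessment: the control IDs, question wording, follow-up questions and the random-sampling rule are all assumptions made for this example.

```python
import random

# Constructed sample assessment (not a real DoubleCheck definition): each control
# question carries its preferred answer and the follow-up questions that are
# asked only when the respondent deviates from that preferred answer.
ASSESSMENT = {
    "CTL-001": {
        "question": "Is this Control still working?",
        "preferred": "Yes",
        "follow_ups": ["When did the control last operate as designed?",
                       "What compensating control is in place?"],
    },
    "CTL-002": {
        "question": "Was the monthly reconciliation reviewed by a second person?",
        "preferred": "Yes",
        "follow_ups": ["Who performed the reconciliation without review?"],
    },
}

class SubmissionError(ValueError):
    """Raised when the branching rules reject a response as incomplete."""

def evaluate_response(control_id, answer, comment="", follow_up_answers=None):
    """Apply the branching rules to one self-assessment response.

    A preferred answer is accepted as-is. A deviating answer is accepted only
    when every follow-up question is answered and a comment is supplied.
    """
    spec = ASSESSMENT[control_id]
    if answer == spec["preferred"]:
        return {"control": control_id, "flagged": False, "follow_ups": {}}
    follow_up_answers = follow_up_answers or {}
    missing = [q for q in spec["follow_ups"] if not follow_up_answers.get(q)]
    if missing:
        raise SubmissionError(f"{control_id}: unanswered follow-ups: {missing}")
    if not comment.strip():
        raise SubmissionError(f"{control_id}: comment required for '{answer}'")
    return {"control": control_id, "flagged": True,
            "follow_ups": dict(follow_up_answers), "comment": comment}

def select_for_verification(results, sample_size, seed=0):
    """'Trust, but verify': every flagged control is sent for direct testing,
    plus a random sample of the controls that self-reported as working."""
    flagged = [r["control"] for r in results if r["flagged"]]
    passed = [r["control"] for r in results if not r["flagged"]]
    rng = random.Random(seed)  # fixed seed so the selection is reproducible
    sample = rng.sample(passed, min(sample_size, len(passed)))
    return sorted(set(flagged) | set(sample))
```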

Many organizations use Self-Assessments to supplement direct testing; others use them for virtually all their SOX Compliance work. For either approach, you benefit from relying on a platform like ours that provides the capability for designing, scheduling, managing and scoring individual assessments. Assessments can also be integrated with other risk and compliance data. Issues or concerns can be forwarded immediately, as needed, or as scheduled, to appropriate individuals for awareness or action. The DoubleCheck™ Assessment Center also ensures that all respondents do in fact respond, or the system will follow up automatically and escalate as appropriate.

So, what is the correct balance between testing and self-assessments of SOX Controls? That answer will vary company by company, but now you have some of the factors to consider when making that decision.

Best regards,

Paul Fine
Director of Marketing & Business Development

DoubleCheck LLC

770-565-8616

pfine@doublechecksoftware.com
www.doublechecksoftware.com

IT GRC vs. Financial GRC: Which is the Locomotive and which is the Caboose?

I know this seems like a trick question. After all, the “best practices” definition of GRC tells us that there should be no separation between IT GRC and Finance GRC.

And yet, I speak nearly every day with companies that have one of those two departments in charge of a GRC project, with the other department “going along for the ride”. While management purists would like us to believe that every project can be led by a committee of peers with equal votes, the reality we all know says someone has to lead and someone has to follow.

Continuing my headline metaphor, which function is the locomotive and which is the caboose will greatly influence what content and structure will be in the train cars between them (and whether the train will get them where they want to go).

Even key GRC analysts have now published findings that tell us over 80% of GRC engagements are in fact not Enterprise GRC engagements but rather tactical engagements to resolve key problems. For IT GRC, it might be PCI, SoD/Access, Data Privacy, etc. For Financial GRC, it is the usual suspects of SOX, Audit, etc.

However, in most cases, there is sufficient awareness of the concept of GRC at the decision-making/budget sign-off level of the company that the lead department with the budget has to at least appear to include the other side of the floor in the evaluation. Since IT and Finance oftentimes come at this issue from a different point of reference, the “best of class” solution for one may not in fact be the best solution for the overall company.

What you can be left with is exactly what the concept of GRC, from a technology solution standpoint, was supposed to prevent: niche software solutions suited to one problem or department, but not scalable to others in the organization. The irony of this is that eventually you can wind up with a myriad of individual software tools that IT now has to devote resources to manage and integrate in order to provide the necessary information and reports to Senior Management.

So what is the solution to this dilemma? There are two primary approaches that GRC software vendors take to this issue: an integrated platform or a modular platform. An integrated approach includes all components and solution capabilities in a single platform. The modular approach breaks those functions and capabilities into sub-components that you can purchase individually on an as-needed basis.

Here at DoubleCheck™ we believe a platform where all components (governance, risk, compliance, audit) are architecturally integrated into a single system is the approach most consistent with a GRC philosophy. A modular approach can leave you needing an element from another module on an ad-hoc basis before you can gain management support for additional expenditures. It can create artificial silos (due to missing features) that negate the intended benefits of a GRC tool.

You can also find yourself in a situation where you think you know what the cost of the system will be, yet see that cost grow rapidly as the realization hits that more modules are needed, with accompanying professional services fees to integrate and train on the new modules.

So, regardless of whether IT or Finance is leading the GRC project, considering an integrated software platform may be the best way to satisfy both groups and avoid a locomotive vs. caboose scenario.

Best regards,

Paul Fine
Director of Marketing & Business Development
DoubleCheck LLC
770-565-8616 (office)
678-360-2851 (cell)
Atlanta, GA
pfine@doublechecksoftware.com
www.doublechecksoftware.com
