Governance, Risk, and Compliance Handbook for Oracle Applications: Written by industry experts with more than 30 years combined experience, this handbook covers all the major aspects of Governance, Risk, and Compliance management in your organization with this book and ebook.

The www.businessdictionary.com has a great definition of governance:

Traditionally defined as the ways in which a firm safeguards the interests of its financiers (investors, lenders, and creditors). The modern definition calls it the framework of rules and practices by which the board of directors ensure accountability, fairness, and transparency in the firm's relationship with all the stakeholders (financiers, customers, management, employees, government, and the community). This framework consists of (1) explicit and implicit contracts between the firm and the stakeholders for distribution of responsibilities, rights, and rewards; (2) procedures for reconciling the sometimes conflicting interests of stakeholders in accordance with their duties, privileges, and roles; and (3) procedures for proper supervision, control, and information-flows to serve as a system of checks-and-balances. It is also called corporation governance.

I really like this definition, partly because it lets you know where the real accountability for Governance lies in the enterprise, but mostly because it is pretty much undefined in most of the frameworks that have had influence on the GRC market.

Probability of loss inherent in a firm's operations and environment (such as competition and adverse economic conditions) that may impair its ability to provide returns on investment. The leading framework in risk management was published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. COSO ERM extends the definition from not meeting a financial objective to not meeting any of the enterprise's objectives. It makes it pretty clear that the body that is responsible for signing off on the corporate strategy should also ensure that there is a process to identify the risks of not meeting the goals.

Certification or confirmation that the doer of an action such as the writer of an audit report, or the manufacturer or supplier of a product, meets the requirements of accepted practices, legislation, prescribed rules and regulations, specified standards, or the terms of a contract.

This tool is used to express and communicate the mission of the enterprise.

This tool is used to measure the degree to which the strategy that has been communicated is actually executing.

This tool is used to convert the mission of the enterprise into financial goals, forecasts that can be discussed with investors through the management )discussion, and analysis.

This set of tools is used to report to investors the progress toward the goals expressed in the financial plan.

This tool is used to ensure delivery of ethics and policy education and confirm their understanding.

This tool is used to discover and document risks to the mission of the enterprise, and to ensure that management has well-designed and effective operating controls to mitigate those risks. Such tools cover the following:

Sub Certification applications are used to allow management to confirm the controls within processes that they are responsible for. Such tools include Hyperion Close Process Manager.

These applications are used to provide the pivot point for the risk analysis and management accountability. Largely, these are the processes within the applications themselves. The process may be orchestrated through Oracle Workflow as in the case of purchase order approval or journal approval.

These applications are used to provide evidence store for unstructured information. They also provide a store for standard working papers and completed working papers that have been part of the testing activity.

These applications are used to provide authentication of users, accountability for their actions in the system, and authorization to information assets required to do their jobs.

In order to ensure that we keep ourselves grounded in real problems, we have written the book as a journal of a fictional company establishing its governance processes. We will introduce managers and directors responsible for various aspects of the governance, risk, and compliance problem and where that problem is exposed and how it is addressed in the technology and business applications.

In the previous figure, we have seen the key roles that are directly engaged in the governance, risk management, and compliance activities in a typical organizational chart.

Their IT infrastructure is comprised of Sun Hardware and are running Oracle database, middleware, and business applications. We do have one of the subsidiaries of InFission running JD Edwards just to allow us to illustrate GRC working in a heterogeneous applications environment.

It is worth examining what function is responsible for what activity and what part of the Oracle footprint each is most interested in.

In the Risk Assessment phase, you will be cataloging the risks to the objectives of the business and asking questions such as "What can go wrong?". There are many methodologies, tools, and focuses for this. One methodology is to review the financial statements by subsidiary and highlight the lines that are material and then start to investigate the risks to which that line is exposed. For example, if a subsidiary constitutes less than five percent of the revenue of the enterprise, its revenue line may not be material. For one of the subsidiaries, the revenue line may be subject to risks of mistatement. For example, if revenue is claimed when customers have vouchers outstanding. Other methodologies include facilitated workshop methods and survey methods.

In the Audit Planning phase, you will create a set of audit engagements, each with a defined scope and projected timeframe. Scope may be defined in terms of process, business units, and subsidiaries. The scope sets a boundary around the set of risks and controls that will be tested. An engagement itself is a project that has an engagement manager and a set of auditors assigned. The audit and its scope is generally authorized through an engagement letter addressed to the management and authorized from the Chief Audit Executive or audit committee. It may well include a records request for access to records that are within the scope of the audit.

As you kick off the program, you will probably establish a program office. The controls will need to be cataloged, but they are generally organized by processes, and the processes and procedures themselves may be controls in and of themselves. The testing phase will be performed within the legal entities and business units of the enterprise, so the enterprise structure needs to be documented.

The testing phase will include a risk assessment to prompt the management to think about the risks to the mission of the enterprise. When the risks have been cataloged, the scope of the audit and the audit plan can be set. The scope may be set in terms of the processes, business units, or individual controls. The audit plan is broken down into individual engagement projects that have their own scope, where controls are tested and the results reported back to the Chief Audit Executive. Management may also be testing controls themselves and providing self assessments of the effectiveness of those controls.

The reporting phase brings together management testing and the results of audit operations to be able to arm management and the directors with the information they need to certify the financial statements.

The Chief Audit Executive will need to keep the audit committee apprised of the findings in the audit engagements.

We should always remember that the end goal is that we can prove to the investors that management and directors have worked with due diligence to govern the company, assess risks to the enterprise and its mission, and comply with applicable laws and regulations.

We should look at an example of a process, a risk, a control, and a test:

In this example, a subsidiary of Infission runs the U.S. Operations. Part of the results for the subsidiary is the revenue line. The receivables management process has a material impact on what is reported as revenue. There is an inherent risk that we may apply improper revenue recognition policies. For example, we may recognize revenue, even though we have written into the contract that the customer has right of return if the product does not perform as specified, within 90 days. The control may be that every contract with revenue over 100,000 dollars is reviewed by the Revenue Recognition Team. That control may be tested by generating a report of all contracts over 100,000 and testing for revenue recognition approval.