This is a book about governance, risk management, and compliance management of a large modern enterprise and how the IT infrastructure, in particular the Oracle IT Infrastructure, can assist in that governance. The IT infrastructure both presents a risk and also provides the infrastructure to mitigate and manage that risk. The IT infrastructure must be shown to be in compliance with policies, laws, and regulations, and assists in establishing and confirming that compliance. We have written this book from the perspective of big GRC. There have been many solutions springing up around fashionable pieces of the compliance problem. At the start of the Sarbanes gold rush, it was document management. For a while that was the management of the close process. Then for a very long time it was segregation of duties. These are all important components. We have tried our best to take the perspective of those who are responsible for the stewardship of the company, and see the GRC problem from their perspective. We have written at length about governance To this end, our book is aimed at risk assurance professionals, executives, directors, and those who advise them. It is not an implementation manual for the GRC products, although we hope you can get the best out of the GRC products after reading this book. In this book, we have discussed many applications and technology products that are not in the GRC product family. Again, we are not attempting to write an implementation guide for those products. We can hopefully show you how those products participate and assist in the governance process, how they introduce or mitigate risk, and how they can be brought into compliance with best practice as well as applicable laws and regulations.
We have written this book with a section dedicated to each of the following three blocks:
Governance: Here we discuss the strategic management of the enterprise, setting the plans for the managers, making disclosures to investors, and ensuring that the board knows that the enterprise is meeting its goals and staying within its policies.
Risk management: Here we discuss the audit disciplines. This is where we work out what can go wrong, document what we have to do to prevent it from going wrong, and check that what we think prevents it from going wrong actually works. We move through the various sub disciplines within the audit profession and show what tools are best suited from within the Oracle family to assist.
Compliance management: Here we map the tools and facilities that we have discovered in the first two sections for frameworks and legislations. We will give this from an industry and geography agnostic viewpoint and then drill in to some specific industries and countries.
We neither stay in the narrow definition of the GRC applications, nor limit ourselves to the business applications but take you to the most appropriate places in the full Oracle footprint. For example, some of the configuration management and change control problems are addressed within the GRC applications and some of them are addressed within Enterprise Manager.
This means that the book is not organized by product. It is organized by the governance and risk assurance processes. A given product may be represented in multiple places in the book and a given process may contain multiple product references.
Before we go much further, we should lay down some basic definitions of these three key terms.
The www.businessdictionary.com has a great definition of governance:
Traditionally defined as the ways in which a firm safeguards the interests of its financiers (investors, lenders, and creditors). The modern definition calls it the framework of rules and practices by which the board of directors ensure accountability, fairness, and transparency in the firm's relationship with all the stakeholders (financiers, customers, management, employees, government, and the community). This framework consists of (1) explicit and implicit contracts between the firm and the stakeholders for distribution of responsibilities, rights, and rewards; (2) procedures for reconciling the sometimes conflicting interests of stakeholders in accordance with their duties, privileges, and roles; and (3) procedures for proper supervision, control, and information-flows to serve as a system of checks-and-balances. It is also called corporation governance.
I really like this definition, partly because it lets you know where the real accountability for Governance lies in the enterprise, but mostly because it is pretty much undefined in most of the frameworks that have had influence on the GRC market.
Probability of loss inherent in a firm's operations and environment (such as competition and adverse economic conditions) that may impair its ability to provide returns on investment. The leading framework in risk management was published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. COSO ERM extends the definition from not meeting a financial objective to not meeting any of the enterprise's objectives. It makes it pretty clear that the body that is responsible for signing off on the corporate strategy should also ensure that there is a process to identify the risks of not meeting the goals.
The following figure gives an overview of the major functional areas of the governance, risk, and compliance problems and the Oracle Component that best addresses that problem:
When you consider who is involved in the governance, risk, and compliance process, you start to appreciate the tools that you need to complete the footprint.
This tool is used to measure the degree to which the strategy that has been communicated is actually executing.
This tool is used to convert the mission of the enterprise into financial goals, forecasts that can be discussed with investors through the management )discussion, and analysis.
This set of tools is used to report to investors the progress toward the goals expressed in the financial plan.
This tool is used to ensure delivery of ethics and policy education and confirm their understanding.
This tool is used to discover and document risks to the mission of the enterprise, and to ensure that management has well-designed and effective operating controls to mitigate those risks. Such tools cover the following:
Access Controls Governor: To ensure that appropriate access is granted to systems.
Transaction Controls Governor: To ensure that transaction policies are followed and fraudulent transactions found.
Configuration Controls Governor: To ensure that recommended settings of the applications that themselves constitute great automated controls are appropriately configured and that changes are authorized and recorded.
Preventive Controls Governor: To extend the controls footprint of the delivered application.
Oracle Enterprise Manager: Enterprise Manager also has great capabilities to extract configuration settings and measure them against baseline. The settings that are tracked within EM by default tend to be deeper technical settings.
GRC Manager: To provide self assessment, testing operations, and to aggregate the results of the documentation and testing phases of the governance program for managers of the risk assurance activity.
GRC Intelligence: To provide the most potent and important information to the executive suite and directors on the residual risk to the enterprise.
Sub Certification applications are used to allow management to confirm the controls within processes that they are responsible for. Such tools include Hyperion Close Process Manager.
These applications are used to provide the pivot point for the risk analysis and management accountability. Largely, these are the processes within the applications themselves. The process may be orchestrated through Oracle Workflow as in the case of purchase order approval or journal approval.
These applications are used to provide evidence store for unstructured information. They also provide a store for standard working papers and completed working papers that have been part of the testing activity.
These applications are used to provide authentication of users, accountability for their actions in the system, and authorization to information assets required to do their jobs.
In order to ensure that we keep ourselves grounded in real problems, we have written the book as a journal of a fictional company establishing its governance processes. We will introduce managers and directors responsible for various aspects of the governance, risk, and compliance problem and where that problem is exposed and how it is addressed in the technology and business applications.
In the previous figure, we have seen the key roles that are directly engaged in the governance, risk management, and compliance activities in a typical organizational chart.
Their IT infrastructure is comprised of Sun Hardware and are running Oracle database, middleware, and business applications. We do have one of the subsidiaries of InFission running JD Edwards just to allow us to illustrate GRC working in a heterogeneous applications environment.
It is worth examining what function is responsible for what activity and what part of the Oracle footprint each is most interested in.
The audit committee of the board of directors must have at least three members. One member must have accounting or financial management expertise and all other members must be financially literate. All members must be independent.
The Audit Committee is charged with the oversight of the Financial Reporting process, including review of quarterly and annual financial statements on behalf of the investors and to discuss annual financial statement with management and auditors.
They need to review Management Discussion and Analysis (MD&A) with management and auditors. This is where management gives guidance on where the business is going. Such guidance is also given in Earnings Announcements, press releases, and guidance provided to rating agencies.
They need to monitor the system of internal control and compliance with legal and regulatory requirements. In order to do this, they need to monitor the system of risk assessment and risk management. This may be synonymous with overseeing the internal audit function, but in recent years many enterprises have set up a separate risk management program office reporting it to the management. This oversight means that the audit plan and the scope of the audits are signed off by the audit committee.
In order to ensure that the tone at the top is appropriate, received, and understood the audit committee is generally responsible for an ethics program, and responsible to manage whistle-blower complaints.
The CEO and CFO of the company are responsible for signing the Sarbanes-Oxley Section 302 Certifications.
These certifications, referred to by the Securities and Exchange Commission as "Rule 13a-14(a)/15d-14a Certifications", must be signed separately by the CEO and the CFO, and filed as an exhibit to quarterly reports on Form 10-Q or 10-Q(SB) and to annual reports on Form 10-K or Form 10-KSB, as Exhibit 31, or, for foreign private issuers, as an exhibit to Form 20-F. The SEC has specified the form and wording of these certifications, which cannot be changed.
Briefly, the Signing Officer certifies that he has reviewed the report, that he believes that it does not contain any misleading misstatement or omission, and that it fairly presents the company's financial position and results of operations. The officer also certifies his responsibility for the company's disclosure controls and procedures and internal controls over financial reporting and as to their effectiveness.
The Chief Audit Executive is a part of the company but generally has reporting relationships to the Audit Committee of the board of directors.
The duties of the Chief Audit Executive include:
Status, strategy, and organization of the Internal Audit Department
Management/supervision of the internal audit activity
Ensuring the timely completion of internal auditing engagements
Ensuring that reports on internal auditing engagements are provided to the audit committee with minimum delay
Providing an annual holistic opinion on the effectiveness and adequacy of risk management, control, and governance processes
As well as being one of the signing officers, the CFO obviously heads the departments that are involved in processing of transactions that most directly affect the subledgers and general ledger, the preparation of financial statements, and financial planning and analysis.
In addition to Sarbanes-Oxley (SOX), CIOs and CSOs must understand and achieve compliance with the Health Insurance Portability and Accountability Act (HIPAA) the Payment Card Industry Data Security Standard (PCI DSS) for organizations processing credit card transactions, and the Federal Information Security Management Act (FISMA) for federal agencies as well as many other global, national, and industry-wide regulations and mandates.
IT governance includes writing IT policies that define who within an organization is responsible for key decisions with regards to IT adoption and usage, who is held accountable for such decisions, and how results are monitored and measured. Implementing IT governance strategies includes assigning committees to steer technology adoption, architectural reviews, and project analysis. Governance is about processes, which should support consistent and transparent methods for managing your information technology acquisitions and usage.
The CIO is also responsible for IT risk management. Risk management requires adapting to constantly changing business requirements and monitoring what technologies are deployed within the organization Risk management encompasses surviving a constantly changing threat landscape by tightening and optimizing an organization's information security, both perimeter and internal, while improving business agility and efficiency.
The CIO is also responsible for IT compliance approaches, governance by designing, assessing, and implementing controls. These controls must map back to the various industry requirements and best practices that ultimately determine success or failure during an IT audit.
Many of the controls in the business are part of the processes and procedures operating in the Business Units themselves. For example, your revenue line might be unreliable due to side contracts that are made by your salespeople. Management in the business is responsible for the design of the controls and certifying their effectiveness.
The following figure explains the Audit and Compliance process starting with the establishment of the program office and ending with certified financial statements:
While there are many processes that support and feed into the audit processes process, it is important to realize who the players are at the end of top level process. The process has to make evident to investors and regulators that risks are managed. Once an Audit and Compliance process is established, it goes through a risk assessment, audit planning, documentation phase, a testing phase, and a reporting phase, before the results are combined with the financial disclosures and signed by the management.
In the Risk Assessment phase, you will be cataloging the risks to the objectives of the business and asking questions such as "What can go wrong?". There are many methodologies, tools, and focuses for this. One methodology is to review the financial statements by subsidiary and highlight the lines that are material and then start to investigate the risks to which that line is exposed. For example, if a subsidiary constitutes less than five percent of the revenue of the enterprise, its revenue line may not be material. For one of the subsidiaries, the revenue line may be subject to risks of mistatement. For example, if revenue is claimed when customers have vouchers outstanding. Other methodologies include facilitated workshop methods and survey methods.
In the Audit Planning phase, you will create a set of audit engagements, each with a defined scope and projected timeframe. Scope may be defined in terms of process, business units, and subsidiaries. The scope sets a boundary around the set of risks and controls that will be tested. An engagement itself is a project that has an engagement manager and a set of auditors assigned. The audit and its scope is generally authorized through an engagement letter addressed to the management and authorized from the Chief Audit Executive or audit committee. It may well include a records request for access to records that are within the scope of the audit.
As you kick off the program, you will probably establish a program office. The controls will need to be cataloged, but they are generally organized by processes, and the processes and procedures themselves may be controls in and of themselves. The testing phase will be performed within the legal entities and business units of the enterprise, so the enterprise structure needs to be documented.
The testing phase will include a risk assessment to prompt the management to think about the risks to the mission of the enterprise. When the risks have been cataloged, the scope of the audit and the audit plan can be set. The scope may be set in terms of the processes, business units, or individual controls. The audit plan is broken down into individual engagement projects that have their own scope, where controls are tested and the results reported back to the Chief Audit Executive. Management may also be testing controls themselves and providing self assessments of the effectiveness of those controls.
The reporting phase brings together management testing and the results of audit operations to be able to arm management and the directors with the information they need to certify the financial statements.
The Chief Audit Executive will need to keep the audit committee apprised of the findings in the audit engagements.
We should always remember that the end goal is that we can prove to the investors that management and directors have worked with due diligence to govern the company, assess risks to the enterprise and its mission, and comply with applicable laws and regulations.
We should look at an example of a process, a risk, a control, and a test:
In this example, a subsidiary of Infission runs the U.S. Operations. Part of the results for the subsidiary is the revenue line. The receivables management process has a material impact on what is reported as revenue. There is an inherent risk that we may apply improper revenue recognition policies. For example, we may recognize revenue, even though we have written into the contract that the customer has right of return if the product does not perform as specified, within 90 days. The control may be that every contract with revenue over 100,000 dollars is reviewed by the Revenue Recognition Team. That control may be tested by generating a report of all contracts over 100,000 and testing for revenue recognition approval.
The governance process itself can start small in a fairly ad hoc manner and can mature to where the governance processes are truly optimized. The IT Policy Compliance Group, an industry and advisory consortium adapted the Capability Maturity Model first published by The Carnegie Mellon Software Engineering Institute to the GRC Domain. It has provided a way for companies to measure where they are on the spectrum, and give themselves a sense of how far they have to go and the costs and benefits in getting there.
The following figure shows the levels in the Capability Maturity Model and the process characteristics at each of the levels:
We will be revisiting the Capability Maturity Model to see how different pieces of our GRC solution help move us along the spectrum towards optimizing our controls footprint, minimizing the costs, maximizing the repeatability, and ensuring we have measurable results that can be expressed in terms of business value. The IT Policy Compliance Group provides standardized assessments to help companies measure where they are.
In this chapter, we have introduced the GRC Concepts and explained the breadth of tools that Oracle has, to address the GRC problems. We have introduced the fictional company with whom we will be taking the governance, risk, and compliance journey. We have also introduced the key roles that have a stake in the governance, risk, and compliance process and explained what that stake is. We have shown the overall risk management and compliance process at a very high level to see how the information comes together for the signing officers to certify to the investors in the enterprise that the risks are managed and the controls are effective. We have illustrated how a sample process, risk, and control are related to a financial statement line for a subsidiary within the enterprise and explained how the process can move from an ad hoc manual process to a repeatable, automated, and optimized solution over time.
In the next chapter we will introduce the Governance theme with Corporate Governance. We will take a look at key strategic issues that Infission faces as an enterprise and also how to craft and communicate the strategic intent of Infission.
