
May 1, 2006 – New Jersey IIA Chapter Software Expo

May 1, 2006 – New Jersey IIA Chapter Software Expo. Governance, Risk, & Compliance – Protiviti Demonstration. Presenter: Michael Mask, Associate Director, Risk Technology Solutions Group. Protiviti: Who We Are. Protiviti Offices and Resources: Atlanta, GA Boston, MA Chicago, IL


Presentation Transcript


  1. May 1, 2006 – New Jersey IIA Chapter Software Expo • Governance, Risk, & Compliance – Protiviti Demonstration • Presenter: Michael Mask • Associate Director • Risk Technology Solutions Group

  2. Protiviti: Who We Are • Protiviti Offices and Resources: Atlanta, GA; Boston, MA; Chicago, IL; Cincinnati, OH; Cleveland, OH; Dallas, TX; Denver, CO; Ft. Lauderdale, FL; Houston, TX; Kansas City, MO; Los Angeles, CA; Milwaukee, WI; Minneapolis, MN; New York City, NY; Orlando, FL; Philadelphia, PA; Phoenix, AZ; Pittsburgh, PA; Salt Lake City, UT; San Francisco, CA; San Jose, CA; Seattle, WA; St. Louis, MO; Tampa, FL; Vienna, VA; Toronto, Canada; Australia; Asia; Europe; South America • Who We Are: Protiviti is an independent risk consulting and internal audit company that offers a full spectrum of internal audit services and specific operational risk competencies, delivered by way of proven methodologies and supporting technology. • What We Do: We provide the following services to our clients: Business Risk Technology Risk Internal Audit Internal Audit Co-Sourcing Outsourcing Internal Audit Transformation Quality Assurance Reviews Risk Assessment Business Risk Consulting Event-Related Financial Risk Governance/Sarbanes-Oxley Operational Risk Credit Risk Treasury Basel II Technology Risk Consulting Applications Business Continuity Data Mining Infrastructure Privacy Project Risk Management Security

  3. An Integrated Governance Risk Compliance Platform Protiviti Governance Portal (PGP) Overview

  4. An Integrated Governance Risk Compliance Platform • Protiviti Governance Portal (PGP) Overview • [Diagram: Risk and Control Repository; Periodic / Sustainable Activities]

  5. The PGP Directs Individuals to Their Areas of Responsibility • PGP Overview • My Portal: Tailor user experience for specified responsibilities • Shared Governance Activities • Monitor and resolve action plans through a single, on-line platform • Execute workflow-driven tasks across multiple governance activities • Measure risk and performance indicators linked to key RCMs, risks, controls, objectives, risk categories* and financial elements • The My Portal area creates a user-specific collection of tasks, reports, summaries and owned activities • In much the same way that the Protiviti Governance Portal functions as an organized repository of an organization’s governance data, the My Portal tab functions as a framework for an individual’s governance data • Each user’s view can easily be expanded or contracted based on their user profile • Sarbanes-Oxley (SarbOx Portal™) • Perform tests and review owned controls • Operational Risk Management (ORM Portal™) • Assess enterprise risk event categories • Manage risks via dashboard reporting • Self-Assessment (TSA™) - Conduct all aspects of a self-assessment including test validation, review, and sign-off • IA Portal (TSA™) - Facilitate audit activities from planning and risk assessment to electronic workpaper management • * Available in ORM Portal

  6. Foundational Frameworks • PGP Overview • Common Frameworks Provide Organizing Principles of an Integrated System • The association of business processes with organizational units provides an analytical framework supporting varying analysis including documentation, risk and control analysis and risk event assessment. • This analysis can be related to financial reporting to support SOX exercises or to enterprise risks to support broader risk management practices. • [Diagram labels: CREATE; LINK; Risk Event Model; Financial Model; Process Model; Organization Model; Information Technology Model; Project & Event Model]

  7. Common Features - Documentation PGP Overview Document management features make the PGP a powerful document management repository • Upload multiple files and/or URLs to documents • Check in/Check out feature prevents numerous users from editing the same document at the same time • Maintain the integrity of documents by retaining version history • Track changes made to Document Evaluations and Attributes in Change History • Maintain multiple versions of the same document, select a previous version to be the current version

  8. Common Features – Risk and Control Matrices PGP Overview The Risk Control Matrix – Tool - analyze Objective, Risk and Controls • Quick Reports allow users to obtain rich information and provide a high level view of RCM content • The RCM is a “tool within a tool” • It allows for sophisticated analysis of objectives, risks and controls • A library can be used to baseline risk and control activities • Discipline is rewarded when reporting • Review, Action Plans, Notes, Tasks, Attachments & History facilitate resolution

  9. Common Features – Action Plans PGP Overview Identify, track, and resolve action items • Gather and track action items in a single application providing management visibility into key issues across multiple risk management efforts • Assign resolution or review responsibility to individuals or user groups such as an internal control group • Notify users via email when action plans are created, edited or deleted • Capture response and resolution steps • Associate action plans with objectives, risks, or controls • Build out additional tasks around action plans to delegate responsibilities

  10. Dynamic Reports Reporting Overview Report from across control activities, risk assessments and loss events via a single application • Crystal-based reporting engine allows organizations to develop reports to meet their unique needs over time, without requiring modification to code • User Reports: Drill-down dashboards contained within My Portal that present information based on individual users’ owned organizational units • Quick Reports: Provide printable information while performing analysis in a given area of the system • Filterable Reports: Provide flexible filtering options to support specified analysis

  11. User-Defined Searches Reporting Overview Support specific reporting analysis via user-defined searches • The system contains over 40 searches that allow for development of user-defined search criteria across a range of topics • Select and sort fields to include in the report • Select filter criteria • Save search as public or private search • Drill directly to search results • Export search results to develop specific and detailed analysis using familiar tools such as Excel

  12. Project Team and Executive Dashboards Reporting Overview Provide holistic, multi-perspective views of SOX evaluations performed • Dashboards aggregate RCM process, objective, risk, and control evaluations by Financial Reporting Element, Process Classification, and Organizational Unit. • The dashboards allow users to drill into more specific information. For example, if Organization 1 displays 4 ineffectively operating controls, users can drill directly to a list of ineffectively operating controls. From the list of ineffectively operating controls, users can then drill directly to a particular control in question.

  13. SarbOx Overview • Organization Model • The system allows for documentation and detailed risk and control analysis that can be aggregated via multiple perspectives: Financial Reporting, Business Process, and Organizational Hierarchies. • Documentation • Financial Model • Process Model (PCS) • Risk and Control Matrix • Common tasks performed in building these models under Protiviti’s risk-based approach are: • Identify “control units” • Identify and prioritize all financial reporting elements • Identify business processes that affect financial reporting • Perform process risk assessment • Link processes to related organizational units and financial reporting elements • Determine overall process criticality based on process risk and priority of related financial elements • Process criticality is a key determinant of the level of process documentation and control testing in a true risk-based approach • Documentation may include: • Process Maps* • Policies & Procedures • Process Narratives • Key Performance Indicators • Job Aids • Checklists • * Does not include a mapping tool. Risk & Control Library Objectives Evaluation of Objective Achievement Risks Evaluation of Control Design Effectiveness Evaluation of Control Design & Operating Effectiveness Controls Evaluation of Control Operating Effectiveness Control Testing Documentation

  14. The Self Assessment Life Cycle TSA Overview Assessment Template Deployed Assessment Reporting Assessment Lifecycle Groups Packages Dashboards Reports Export Questions Assessors Assess Review Signoff Assessment Completion Group Review Risk Objective AP Review TP Review Best Practice Group Review Configuration The group’s primary function is to create a “domain of review”, where a set of reviewer(s) are limited to a pool of assessors. These reviews can be performed by a single individual or delegated to a maximum of 3 persons per group. Action Plan Test Plans Action Plans Test Plan Required Values A question may be designed or “configured” to react to assessor’s feedback. Each “question-response” combination can validate behavior such as requiring answers or comments as well as generating “workflow”. The administrator can build and re-use an assessment template to periodically publish or “deploy” an assessment. Each assessment can be uniquely named, contain key messages and have specific start and end dates for assessors and reviewers. The primary activity is the assessor window, which allows respondents to provide feedback. Action and/or Test Plans may be created based on the Question Configurations. If initiated, these serve as “to-do’s” that can be documented and tracked as they move toward conclusion. Review and Signoff introduce a series of “Quality Assurance” activities.

  15. Organization Model The addition of a risk event model to proven RCSA technology supports high level assessment of operational risks, and allows risk owners to drill into deeper analysis as necessary. Documentation Risk and Control Matrix Risk Event Analysis Financial Model Process Model (PCS) Objectives Evaluation of Assertion Achievement Risk Categories Classify Risks Rate Inherent Risk Set Tolerances Assess Residual Risk Drill Deeper as Needed Risk Event Model Risks Evaluation of Control Design Effectiveness Evaluation of Control Design & Operating Effectiveness Establish a Common Risk Event Model • Enterprise-wide Risk Categories • Multiple scoring models by Risk Category • Framework for organizing both risk assessments and loss events Controls Evaluation of Control Operating Effectiveness Control Testing Documentation ORM Portal™ Overview - RCSA RCSA Overview

  16. Internal Audit – The Protiviti Way • IA Portal Overview • [Diagram referencing IIA Standards and COSO ERM; labelled stages include Set Objectives and Plan, Identify & Prioritize Risks, Identify Controls & Evaluate, Test Controls, Report, Monitor & Follow-up]

  17. The Protiviti Story • Boutique: • Responsive client service • Lack of SEC restrictions • Independent from attest & tax services • Better teaming with external constituents • Focus on core offerings • Major Consultancy: • Methodologies & tools • Experienced professionals • Depth of risk consulting services • Financial & management stability • Recognized • Global presence • Protiviti combines the strengths of your Large Consultant and Boutique alternatives ... without compromise • Protiviti is a leading provider of independent internal audit and business and technology risk consulting services. Protiviti was formed in May 2002 when Robert Half International (RHI) hired more than 650 experienced and highly qualified partners and professionals formerly with Arthur Andersen LLP’s US internal audit and risk consulting practices. These practices operated separately from Andersen’s external audit and attestation services. Today, Protiviti works with over 25% of the Fortune 500 and employs over 2,200 professionals in more than 45 locations throughout North America, Latin America, Europe, Asia and Australia. The firm retains the intellectual capital used and developed by its professionals over the past decade. • Our Market Position…and Future: The name Protiviti represents professionalism, integrity and independence. Unlike most other risk consulting practices, Protiviti has no affiliation with an external audit firm, nor does it provide any external audit services. This offers us a key strategic advantage, as we can offer the resources, quality, capabilities and expertise of any large accounting firm without regulatory or market concerns regarding conflicts of interest. • About Our Parent Company: Robert Half is a $3.3 billion public company with a $5 billion market capitalization and 330 worldwide offices. It has virtually no debt, a strong cash position and an outstanding track record in growing businesses. It is recognized as one of Forbes’ “Most Admired Companies”.

  18. Our Commitment to Technology Enabling Solutions • Our Vision: • To be recognized as the premier global risk consulting and internal audit services company. • Our Mission: • To constantly improve how businesses manage risk. We will develop deep competencies in people which enhance their value. We will bring unparalleled expertise to clients in risk management. • Our Core Values: • professional • productive • proactive • objectiviti • creativiti • integriti • Protiviti recognized as strong performer in governance, risk and compliance platforms by Forrester Research (The Forrester Wave™ Q1 2006) • Since release in March 2003, the base of clients utilizing our technologies has steadily grown • Our solution is battle-tested. Client feedback has infused continuous development resulting in 5 incremental versions of our SarbOx Portal™, the foundation of Protiviti’s Governance Portal • To meet the needs of our clients seeking to evolve their governance programs, we developed and released the Protiviti Governance Portal, an integrated governance risk compliance platform, in April 2005 • We continue to seek and incorporate our clients’ feedback into the solution, and will continue to extend the capabilities of our framework, as reflected with the current development of an integrated Internal Audit module

  19. Protiviti Governance Portal: Who to Contact • Other Information • We would be happy to demonstrate our technology tools and discuss how Protiviti can help you create a sustainable compliance process. • Scott Gracyalny, Managing Director, Risk Technology Solutions, 312.476.6381, Scott.Gracyalny@protiviti.com • Scott Wisniewski, Director, Risk Technology Solutions, 312.476.6302, Scott.Wisniewski@protiviti.com • Michael Mask, Associate Director, Risk Technology Solutions, 312.476.6396, Michael.Mask@protiviti.com
