
János Ivanyos Memolux Ltd. ivanyos@memolux.hu



1. Applying COSO/COBIT SPICE based infrastructure and ECQA certificates to create trust and transparency in European industry
BPM GOSPEL (LLP-LDV-TOI-2010-HU-001)
This project has been funded with support from the European Commission. This publication reflects the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein.
János Ivanyos, Memolux Ltd., ivanyos@memolux.hu
Dr. József Roóz, Budapest Business School, rooz.jozsef@bgf.hu

2. Topics
• Trust and Effective Governance
• "Governance" SPICE Roadmap (2005-2012)
• COBIT/COSO Process Assessment Model
• Governance Capability: Mapping COSO Objectives to ISO/IEC 15504 Capability Levels
• Linking Governance to Sustainable Value Creation
• Governance Model for Trusted Businesses
• Multi-layer business assurance technology
• ECQA for Trusted Businesses

3. Why Does Industry Need Trust?
Turbulent economic environment
• Financial crisis and economic downturn
• Global impact on local and sectoral markets
• General cost cutting leads to a decline in available (in-house and/or outsourced) competency levels
Stakeholders' expectations
• Predictable business benefits (more explicit tolerance levels)
• Conservative risk-taking (redefinition of risk appetites)
• Higher management accountability (with balanced compensation)
• No governance scandals or regulatory non-compliance issues jeopardizing reputation
• Cost-effective controls (fewer duplicates or overlaps)
Sector specific
• More interdependencies among business partners
• Faster reaction to market needs
• Supply chain management requires long-term credibility

4. Why Trust Needs Effective Governance
Less isolated risk and compliance management programs
• More responsibility at the "Chief Executive" level of management
• Links between strategic business objectives and management control processes
• Integrated assessment/audit approaches
Transparency
• Applying business objectives to managing and supervising compliance programs
• Presenting excellence in an understandable way (format)
• Using competent and qualified human resources
• Assuring accuracy by harmonizing time horizons with business objectives
Coverage
• Defining the boundary conditions of business operation
• Leveraging business opportunities (sustainability)
• Addressing the sector-specific technical/regulatory (control) requirements of the core business activities

5. Validation of Governance SPICE
(Diagram; labels: Competencies, Governance, Risk and Controls, SPICE Audit, EU Certification & Qualification, TRUST for Industry)

6. "Governance" SPICE Roadmap (2005-2012)
Refers to Governance, Risk and Controls (OECD Principles, Regulations, Audit Standards), based on different concepts (IA-Manager, 2005-2007):
• Recognized Control Frameworks (COSO and COBIT)
• Risk Tolerance and Risk Appetite (COSO ERM)
• Performance Measurement (COBIT)
• Process Capability Assessment (ISO/IEC 15504-2)
• Evaluating Process-related Risk (ISO/IEC 15504-4)
• Organizational Maturity (ISO/IEC TR 15504-7)
by using a multilingual ontology (MONTIFIC, 2008-2010):
• Terminology database
• Ontology model
to leverage sustainable value creation (GOSPEL, 2010-2012):
• Governance Model for Trusted Businesses
• Multi-layer business assurance technology

7. Using COSO & COBIT Process Assessment Models
(Diagram; labels: Measurement Framework, Corporate view, Risk Tolerance, Risk Appetite, Instance view, Supervision & Management, Business Process Models, GOVERNANCE SPICE)

8. COBIT processes
Plan and Organise (PO)
• PO1 Define a Strategic IT Plan
• PO2 Define the Information Architecture
• PO3 Determine Technological Direction
• PO4 Define the IT Processes, Organisation and Relationships
• PO5 Manage the IT Investment
• PO6 Communicate Management Aims and Direction
• PO7 Manage IT Human Resources
• PO8 Manage Quality
• PO9 Assess and Manage IT Risks
• PO10 Manage Projects
Acquire and Implement (AI)
• AI1 Identify Automated Solutions
• AI2 Acquire and Maintain Application Software
• AI3 Acquire and Maintain Technology Infrastructure
• AI4 Enable Operation and Use
• AI5 Procure IT Resources
• AI6 Manage Changes
• AI7 Install and Accredit Solutions and Changes
Deliver and Support (DS)
• DS1 Define and Manage Service Levels
• DS2 Manage Third-party Services
• DS3 Manage Performance and Capacity
• DS4 Ensure Continuous Service
• DS5 Ensure Systems Security
• DS6 Identify and Allocate Costs
• DS7 Educate and Train Users
• DS8 Manage Service Desk and Incidents
• DS9 Manage the Configuration
• DS10 Manage Problems
• DS11 Manage Data
• DS12 Manage the Physical Environment
• DS13 Manage Operations
Monitor and Evaluate (ME)
• ME1 Monitor and Evaluate IT Performance
• ME2 Monitor and Evaluate Internal Control
• ME3 Ensure Compliance With External Requirements
• ME4 Provide IT Governance

COSO processes
Control Environment (CE)
• Integrity and Ethical Values (IEV)
• Oversight Board (OB)
• Management's Philosophy and Operating Style (MPO)
• Organizational Structure (OS)
• Financial Reporting Competencies (FRC)
• Authority and Responsibility (AR)
• Human Resources (HR)
Risk Assessment (RA)
• Financial Reporting Objectives (FRO)
• Financial Reporting Risks (FRR)
• Fraud Risk (FR)
Control Activities (CA)
• Integration with Risk Assessment (IRA)
• Selection and Development of Control Activities (SD)
• Policies and Procedures (PD)
• Information Technology (IT)
Information and Communication (IC)
• Financial Reporting Information (FRI)
• Internal Control Information (ICI)
• Internal Communication (IC)
• External Communication (EC)
Monitoring (MO)
• Ongoing and Separate Evaluations (OSE)
• Reporting Deficiencies (RD)

9. Linking Governance to Sustainable Value Creation
(Diagram)

10. Why is a new model needed?
The well-established and recognized control frameworks and process reference models, such as COSO and COBIT, could be used for effective and efficient enterprise governance, if only management had established its own governance-related objectives. Unfortunately, the structures of control frameworks and reference models are not easily interpreted by enterprise management when setting governance objectives specific to their business. Furthermore, the external and internal audit standards and literature are also not really supportive in these terms.

11. Governance Model for Trusted Businesses
The new Model
• keeps both the enterprise management and the audit assurance logic in mind, by presenting governance processes in line with the objectives relevant to enterprise management, together with an exact mapping to the processes of the control frameworks (reference models) accepted and used by auditors for compliance attestation;
• provides descriptions and application practices of governance processes for management assertions and audit reports, giving assurance of trusted and sustainable business operation.

12. Governance Model for Trusted Businesses: Setting Governance Objectives
Supporting Business Sustainability (leveraging opportunities)
• Competitiveness
• Exploitability
• Satisfaction
Supporting the Organization's Internal Control System
• Risk Awareness
• Accountability
• Competency
• Accuracy
• Process Integrity
• Data Protection
• Commitment
• Control Efficiency

13. Determining the Application Process for a Governance Objective (Accuracy)
(Diagram)

14. BPM GOSPEL: Multi-layer business assurance technology
Concept of four layers in BPM GOSPEL:
• Transaction Processing (e.g. payroll system)
• Workflow/Control Management Tool
• Compliance/Audit Management: Stages "Governance" Edition (Method Park AG)
• Certification: Capability Advisor (ISCN)

15. ECQA Job-roles related to Governance SPICE
Internal Financial Control Assessor (IFCA)
• Skill Card based on the COSO PRM
• 800+ exams (Europe-wide)
• Pool of ca. 600 multiple-choice questions
Governance SPICE Assessor
• Skill Card developed (3 units covering GRC, Process Assessment and Governance Capability)
• Training materials for IFCA trainers integrated with IFCA Moodle courses (training.ia-manager.org)
• Possible extension with the new Governance Model for Trusted Businesses
• Evidence-based testing is planned for 2012

16. ECQA for Trusted Businesses
Current status
• Qualification of Governance SPICE related job-roles, exam and training bodies
• Certification for trainers and trainees
• Promotion via the ECQA portal and events
For the future
• ECQA cannot provide certificates for assessed (trusted business) companies.
• However, by referring to the international background, ECQA certified Governance SPICE Assessors may feed a joint pool on a "Trusted Business Partners" portal, promoting their local activities and providing a Europe-wide presence for their clients.
• Suggestion: www.trustedbusinesspartners.eu
• Also applicable to other ECQA job-roles.

17. More information: www.ia-manager.org
Contact: trusted@content.hu
Thank you for your attention!
