The Importance of Governance in a Regulatory World

Dwayne Jorgensen, CIA, CFE
Consultant, Governance Services
Spirit Consulting Services
Agenda

 Introduction/Sarbanes-Oxley
 Brief history
 Human nature and the need for governance
 COSO overview
 Your role
 Spirit or Letter of the Law?
 A Risk-based approach…
 Q&A
The Cost of Poor Governance:
Sarbanes – Oxley in a Nutshell
   The Act was signed into law on July 30, 2002 and includes eleven
   titled sections:
           Title I      Public Company Accounting Oversight Board
           Title II     Auditor Independence
           Title III    Corporate Responsibility
           Title IV      Enhanced Financial Disclosures
           Title V      Analyst Conflicts of Interest
           Title VI     Commission Resources and Authority
           Title VII    Studies and Reports
           Title VIII   Corporate and Criminal Fraud Accountability
           Title IX     White Collar Crime Penalty Enhancements
           Title X      Corporate Tax Returns
           Title XI     Corporate Fraud and Accountability
Brief History

 Thanks to Enron and the “.com implosion,”
 Governance became an issue
 COSO’s Framework of Internal Control was
 published in 1992, but did not prevent the
 need for the Sarbanes-Oxley Act… Why?
 COSO was left “voluntary,” and therefore was
 essentially ignored for ten years by the
 business world, until made mandatory by the
 Sarbanes-Oxley Act.
Human Nature -The Need For Governance

 Maslow's Hierarchy of needs
  – “Self-Awareness” is a desired, not required state.
 Behavior styles and business management
  – Governance tends to be viewed as “overhead,” and has
    historically been minimized on a “cost/benefit” basis.
 Why is governance important?
  – Curiosity, greed, self-rationalization and pride, the key elements
    of control breakdowns in historical business cases.
Human Nature - The Need For Governance

 The Competency Square (a 2 x 2 of awareness versus ability):

   Unconsciously incompetent   |   Unconsciously competent
   Consciously incompetent     |   Consciously competent
COSO - Overview

•   COSO Definition of Internal Control
    – Internal control is a process, effected by an
      entity’s board of directors, management and
      other personnel, designed to provide reasonable
      assurance regarding the achievement of
      objectives in the following categories:
         • Effectiveness and efficiency of operations
         • Reliability of financial reporting
         • Compliance with applicable laws and regulations
•   Key Concepts
    – Internal control is a process. It is a means to an
      end, not an end in itself.
    – Internal control is effected by people. It’s not
      merely policy manuals and forms, but people at
      every level of an organization.
    – Internal control can be expected to provide only
      reasonable assurance, not absolute assurance, to
      an entity’s management and board.
    – Internal control is geared to the achievement of
      objectives in one or more separate but
      overlapping categories.
COSO - Overview

Risks
  Evaluated by:
  – Severity
  – Likelihood
  Types of risks:
  – Inherent risks
  – Managed risks
  – Residual risks
COSO – Overview

 Dwayne’s “Hierarchy of Internal Control Needs”
 (first published 1990), shown as a pyramid from top to base:

   Control Self-Assessment   (proactive)
   Consulting                (proactive)
   Operational               (reactive)
   Compliance                (reactive)
COSO – Overview

 Hierarchy of internal control needs – revised (2004)
 – New foundational layers added beneath Compliance:

   CSA                       (proactive)
   Consulting                (proactive)
   Operational               (reactive)
   Compliance                (reactive)
   Objectivity               (new foundational layer)
   Independence              (new foundational layer)
Your Role as “Teacher”

 Who is responsible for implementing the Internal
 Control Framework?
  – Management
 Who should be responsible for overall Governance?
  – Not your external auditors
 What is the preferred solution?
  – Senior management and internal auditors as teachers of Internal
    Control
Your Role as “Teacher”

  Internal control expertise can provide assistance in every
  layer of the cube:

   Reactive:   Compliance, Operational
   Proactive:  Consulting, CSA
Your Role as “Counselor”


     Why should management, internal and
     external auditors communicate?
     – Ensures company assessments,
       documentation, testing and reporting are
       correct
     – Lightens attestation load for external auditor
       (SAS 65)
Governance: Spirit or Letter of the Law?


   Sarbanes-Oxley: The “end” or “means?”
   – Act originally thought limited in life, now basis for many global
     governance initiatives
   Positive/negative effects of the intent for creating the
   ideal control environment
   – Too much focus on “letter of the law” (reporting requirements)
     than “spirit” (corporate governance)
   Ongoing debate over role of External Auditor
   – Act was direct result of audit firms acting as consultants, yet lines
     are still blurred on using external auditors for consulting needs.
   – “4 – 3 – 2”
Spirit or Letter of the Law?

   4-3-2: Section 404
   – Can external auditors “independently” test and opine
     on management’s report on internal controls if they
     played any role in preparing the document?
Spirit or Letter of the Law?

   4-3-2: Section 302
   – Is management comfortable with this decision in light of
     pending guidance on disclosure protocols, and the
     subsequent potential harm if something was deemed
     “inappropriate” about the external auditor’s role at a later
     date?
Spirit or Letter of the Law?

   4-3-2: Section 201
   – Since this assistance of operating management in
     preparing their assertion falls outside the scope of
     actual external audit work, does it require audit
     committee approval, and is management therefore
     comfortable asking for it?
In the true “spirit” of the Act…

 Independent Internal Audit (IA) function
 Board-approved charters
 Risk assessments – management & IA
  – Key Controls Determined by management assessments
  – Audit plans developed based on output of assessments
 Testing and reports of effectiveness by IA
  – Correction of deficiencies by management
 Management/IA as “teachers of internal control”
 Management/IA as part of continuous improvement
 process
In the true “spirit” of the Act…


 Thought-leading organizations were doing most, if not all, of the
 previous prior to the Act, and were not even necessarily publicly
 traded!
COSO – ERM Framework



      Have You
     Started Yet?
Enterprise Risk Framework

  The ERM cube has three dimensions:
  – Four objective categories – strive to achieve
  – Eight components – needed to achieve
  – Entity and organizational units
Enterprise Risk Framework

 Is a process: it is a means to an end, not an end in itself.
 Is effected by people: it is not merely policies, surveys and forms,
 but involves people at every level of an organization.
 Is applied in strategy setting.
 Is applied across an enterprise, at every level and unit, and includes
 taking an entity-level portfolio view of risks.
Enterprise Risk Framework

 Is designed to identify events potentially affecting the entity and
 manage risk within its risk appetite.
 Provides reasonable assurance to an entity’s management and board.
 Is geared to the achievement of objectives in one or more separate
 but overlapping categories.
The Compliance Iceberg

 What You Know (above the waterline):
   Sarbanes-Oxley Act Compliance Requirements: Sections 404, 302, 301, 409

 What You Might Not Know (below the waterline):
   Industry Compliance Standards:
     Cerner Regulations (FDIC 1A, etc.)
     Public Co. Reg. (NYSE, NASDAQ, etc.)
     Lending Covenants
   Company-Specific Standards:
     Mission Statements
     Policies
     Procedures
     Tasks
     Unique Control Events

 © 2004 CTG
Who’s Watching the Store?

                                                                         Frequency
  Role               Responsibility                                  COSO          SOX 302    SOX 404

  Management         Owner of internal controls and ongoing          Ongoing       Quarterly  Annually
                     monitoring

  Internal auditors  Validators independent of management, but       Periodically  Quarterly  Annually
                     part of company

  External auditors  Validators independent of company               Annually      Quarterly  Annually
Cost of SOX Implementation: 2005

 2005 SOX Expenditure by US firms: $6 Billion
  – Internal expenses: $2 Billion
  – Hardware/Software: $2 Billion
  – Consulting:        $2 Billion

 Source: Gartner
Cost of SOX Implementation: Ongoing?
A study from Foley & Lardner LLP shows that while the total cost of SOX compliance dipped in
2006, spending on so-called out-of-pocket costs rose by double-digit percentages.
According to the Chicago-based law firm's study, public companies with more than $1 billion in
annual revenue spent an average $10 million on costs such as board compensation and audit and
legal fees in 2006. That's a 12% increase over spending in 2005. At public companies with revenue
under $1 billion, the increase was 13%.
External audit fees claimed the biggest chunk of money, accounting for more than 47% of the out-of-
pocket spending on compliance by the smaller public companies. At companies with more than $1
billion in revenue, a whopping 60% of the money goes to external audit fees.
"Some experts predicted that external audit fees would decrease after the initial implementation of
Section 404 audits, as external auditors became more familiar with their clients' accounting controls
and, therefore, more efficient in conducting their audits," said Thomas E. Hartman, a partner at
Foley & Lardner and director of the report. "Our study results do not support this prediction. Indeed,
external audit fees have been the only cost our study has shown to increase every year since the
Sarbanes-Oxley Act was passed."
Meanwhile, all the manpower and money that companies have invested internally on SOX
compliance is beginning to pay off. According to the Foley study, most of that dip in total SOX
spending in 2006 was due to efficiency improvements in internal financial reporting -- and thus a
gain in productivity.
IT departments shouldered a big part of the internal work done in preparation for SOX -- cleaning up
and documenting processes. Can CIOs give themselves a pat on the back?
"CIOs will be able to pat themselves on the back when they sit down and help the rest of the
business automate the internal controls as much as they can, and help get down the external audit
fees, which are out of control," said analyst French Caldwell, who covers compliance at consultancy
Gartner Inc. in Stamford, Conn. "It's not over yet. Don't even stop to catch your breath."
Caldwell said the Foley findings are consistent with other research. During the last three years,
companies have seen about a 35% reduction in overall SOX compliance costs, almost all of which
have come from savings on internal labor and on fees paid to consultants.
But a reduction in internal labor costs or one-time consultants doesn't equate with "any great
efficiencies," he said, precisely because the external auditing fees have hardly budged -- indeed
they're "out of control."
"That indicates to me that there is just as much to audit. That indicates to me that many companies
haven't really rationalized the controls. They haven't automated a lot of the controls," Caldwell said.
Nor have companies yet heeded the advice this spring from the Securities and Exchange
Commission (SEC) to take a more risk-based approach to SOX compliance.

Source: Linda Tucci, 16 Aug 2007, SearchCIO.com
So What’s a Corporation to Do?

 Continuous monitoring (CM) offers the only
 practical, cost-effective solution.
  – Build a system that provides a perpetual inventory
    of governance
  – Leverage IT to maximize automation and reduce
    staffing loads
Proposed CM Solution Pyramid

 Oversight Component
   “Tone at the top”: executive buy-in, “spirit” vs. “letter”

 Planning Component
   SOX methodology: assess, document, test, report

 Co-sourcing component?
   Independent IT test services

 Software Component
   Various vendor process automation products
   Ex.: Documentum®, Movaris OneClose®, ACL CCM®

 Hardware/Data Integrity Component
   EMC: Centera®, Proofspace encryption, record management automation
Sarbanes-Oxley’s Impact on the COSO Cube

 SOX sections laid over the cube: Section 404, Section 302, Section 409

 COSO component                IT Components
 Monitoring                    Server logs, database logs, firewall logs, intrusion
                               detection, incident response, awareness training
 Information & Communication   IT policies, standards & procedures; email, scorecards,
                               dashboards, project control, help desk
 Control Activities            Firewalls, security, DRP, business continuity, SDLC,
                               change control, operations
 Risk Assessment               IT risk management, IT risk assessments, business
                               impact analysis
 Control Environment           “Tone at the top”, IT governance, regulatory compliance
CM Solution Requirements

 Tool or process needed (examples only), by COSO component. Resources
 needed across all five layers: Technology (HW/SW) and People (staff, mgmt.).

   Monitoring                    One Close®
   Information & Communication   Documentum®
   Control Activities            ACL CCM / One Close®
   Risk Assessment               One Close®
   Control Environment           Organizational Consulting
Key Recommendation

 Validate methodology through execution on a
 pilot process (assess, document, and test)
 Remediate consistently and constantly
 Work with external auditor to ensure
 approach is satisfactory via a full trial on a
 key process before rollout
Internal Control Maturity Model


     Stages: Initial -> Repeatable -> Defined -> Managed -> Optimizing

     Initial         Control structure is not defined. Control occurs incidentally.

     Repeatable      Control structure is not defined, but control processes may occur
                     based on past success and management oversight.

     Defined         Control structure is documented, standardized and integrated into
                     control processes for the organization.

     Managed         The control process is regularly assessed and tested. Detailed
                     measures of the control process are collected and reported.

     Optimizing      Continuous process improvement is enabled by quantitative
                     feedback from the control process.


     Predictability, effectiveness and efficiency of an organization's
     internal controls improve as the organization moves through these five stages.
COSO-Driven Methodology: Assess

  ASSESS -> DOCUMENT -> TEST -> REPORT, with Remediate feeding back into the cycle
  Ongoing coordination between management, external auditor, and consultant

  Step                      Process
  Form team                 Define overall SO requirements
                            Identify and form team
                            Partner with external audit firm
  Perform risk assessment   Confirm audit universe
                            Define risk weighting
                            Conduct assessment
  Confirm results           Analyze assessment results
                            Confirm risk rankings
                            Map to knowledge base of mitigating practices
  Develop work plan         Present findings to management
                            Develop plan for documentation phase
                            Review plan with external auditor, management

  Outcomes: Management support; Internal champion; Trained team;
  Consensus on objectives; Risk-ranked universe; The plan
COSO-Driven Methodology: Document

  ASSESS -> DOCUMENT -> TEST -> REPORT, with Remediate feeding back into the cycle
  Ongoing coordination between management, external auditor, and consultant

  Step                        Process
  COSO alignment              Define target maturity level by process
                              Assess COSO maturity by process
                              Identify where improvements are needed
  Document control activities Define control objectives
                              Determine tool approach
                              Map assessment to objectives and identify gaps
  Improve controls            Develop plan to address gaps with control changes
                              Assess and implement changes in controls
                              Test new processes and train users
  Define monitoring process   Confirm the role of the internal audit department
                              Assess current monitoring environment
                              Implement monitoring process

  Outcomes: COSO maturity ranking; Consensus on end state; Improved controls
  environment; Ongoing monitoring; Documented controls
COSO-Driven Methodology: Test

  ASSESS -> DOCUMENT -> TEST -> REPORT, with Remediate feeding back into the cycle
  Ongoing coordination between management, external auditor, and consultant

  Step                               Process
  Management controls monitoring     Educate management on controls
                                     Develop framework for management monitoring
                                     Facilitate management monitoring of controls
  Independent internal audit testing Develop framework for independent monitoring
                                     Facilitate independent monitoring of controls
  Material weakness plan             Identify weaknesses from management test
                                     Develop action plan for weaknesses
                                     Reiterate if necessary
  Ongoing report process             Implement process for ongoing quarterly reports
                                     Define process for development of IC report
                                     Partner with external auditor on report requirements

  Outcomes: Management control monitoring; Independent monitoring;
  Management reporting process; Ongoing reporting
COSO-Driven Methodology: Report

  ASSESS -> DOCUMENT -> TEST -> REPORT, with Remediate feeding back into the cycle
  Ongoing coordination between management, external auditor, and consultant

  Step                        Process
  Management report           Management reports on role in controls
                              Management reports on testing process
                              Management delivers final controls report
  External audit              External audit commences
  External control testing    External auditor tests controls per requirements
                              External auditor reviews management report
                              External auditor issues final report
  External auditor assertion  External auditor issues final assertion

  Outcomes: Management report; External audit report; External assertion
Benefits/ROI

 ROIs are easily calculated, by the determination of
 FTE reduction due to PCAOB’s Standard II regarding
 the testing of automated controls once, versus
 reiterative testing necessary for manual controls.
 Secondary benefit, especially in the ability to store
 the results of continuous monitoring in an
 authenticated, digital format, should have a
 significant impact on future third-party litigation
 revolving around alleged misconduct by
 management, in proving the validity of the
 effectiveness of key control activities.
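The continuous-monitoring idea from the “So What’s a Corporation to Do?” slide (a perpetual, automated inventory of governance) and the ROI slide’s point about keeping monitoring results in an authenticated digital format can both be shown with one automated key control. The Python below is an added example written for this page, not code from the presentation or from any vendor product it names. The purchase-order approval rule, the approver limits, the sample purchase orders and the signing key are all constructed for illustration; chaining HMAC tags over the results log is one straightforward way to make it tamper-evident, so that a later reviewer can tell whether a recorded test result was altered after the fact.

```python
"""Continuous monitoring of one automated key control with tamper-evident results.

Added example; the control rule, approver limits, purchase orders and key are
constructed assumptions, not figures from the presentation."""
import hashlib
import hmac
import json

APPROVAL_THRESHOLD = 10_000                     # assumed policy: POs above this need approval
APPROVER_LIMITS = {"cfo": 500_000, "controller": 50_000}   # assumed per-approver limits


def evaluate_purchase_order(po):
    """Automated test of the approval control for one PO.

    Returns a list of exception codes; an empty list means the control operated."""
    exceptions = []
    if po["amount"] > APPROVAL_THRESHOLD:
        approver = po.get("approver")
        if approver is None:
            exceptions.append("NO_APPROVAL")
        else:
            if approver == po["requester"]:
                exceptions.append("SELF_APPROVAL")        # segregation-of-duties failure
            limit = APPROVER_LIMITS.get(approver)
            if limit is None:
                exceptions.append("UNKNOWN_APPROVER")
            elif po["amount"] > limit:
                exceptions.append("OVER_LIMIT")
    return exceptions


class MonitoringLog:
    """Append-only results log. Each entry's HMAC covers its own content and the
    previous entry's tag, so editing or dropping any entry breaks verification."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _tag(self, payload: dict, prev_tag: str) -> str:
        body = json.dumps(payload, sort_keys=True).encode() + prev_tag.encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def append(self, po_id, exceptions):
        prev = self.entries[-1]["tag"] if self.entries else "genesis"
        payload = {"seq": len(self.entries), "po_id": po_id, "exceptions": exceptions}
        self.entries.append({"payload": payload, "tag": self._tag(payload, prev)})

    def verify(self) -> bool:
        """Recompute every tag from the genesis value; False on any alteration."""
        prev = "genesis"
        for i, entry in enumerate(self.entries):
            if entry["payload"]["seq"] != i or self._tag(entry["payload"], prev) != entry["tag"]:
                return False
            prev = entry["tag"]
        return True

    def findings(self):
        """po_id -> exception codes for every PO where the control did not operate."""
        return {e["payload"]["po_id"]: e["payload"]["exceptions"]
                for e in self.entries if e["payload"]["exceptions"]}


def run_monitoring(purchase_orders, key: bytes) -> MonitoringLog:
    """One monitoring cycle: test every PO and record each result in the chained log."""
    log = MonitoringLog(key)
    for po in purchase_orders:
        log.append(po["po_id"], evaluate_purchase_order(po))
    return log


# Constructed sample input: five purchase orders from one monitoring period.
SAMPLE_POS = [
    {"po_id": "PO-1", "amount": 4_000,  "requester": "alice",      "approver": None},
    {"po_id": "PO-2", "amount": 25_000, "requester": "bob",        "approver": "controller"},
    {"po_id": "PO-3", "amount": 75_000, "requester": "carol",      "approver": "controller"},
    {"po_id": "PO-4", "amount": 12_000, "requester": "controller", "approver": "controller"},
    {"po_id": "PO-5", "amount": 30_000, "requester": "dave",       "approver": None},
]
DEMO_KEY = b"constructed-demo-key-not-for-real-use"

if __name__ == "__main__":
    log = run_monitoring(SAMPLE_POS, DEMO_KEY)
    print("log verifies:", log.verify())
    for po_id, codes in log.findings().items():
        print(po_id, codes)
```

The point of the chained tags is the ROI slide’s secondary benefit: a result recorded in period 1 cannot be quietly rewritten in period 4 without `verify()` failing, which is what makes the stored evidence usable later. In practice the HMAC key would be held by the monitoring function, not by the process owners whose controls are being tested.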
Illustrative Assessment Work Plan

 Ten-week plan (Week Number 1 through 10; Weeks Remaining 10 down to 1)

 #   Task Description:
 1   Initial planning and information gathering
 2   Conduct initial interviews
 3   Review Engagement Letter
 4   Finalize interview list
 5   Finalize specialists required
 6   Prepare letter for interviewees to overview project/team
 7   Prepare interview objectives and general questions
 8   Finalize workplan
 9   Develop overview of client business/industry
 10  Finalize tailored questions by functional interview
 11  Draft format for deliverables
 12  Schedule interviews (approx. 25-35 interviews)
 13  Perform interviews (approx. 25-35 interviews @ approx. 1.5 hrs each)
     Interviews led by IA with client internal audit personnel involvement
 14  Document results of interviews / confirm with interviewees
 15  Develop risk ranking
 16  Develop audit plan
 17  Determine resource needs to execute audit plan
 18  Obtain client management consensus on risk profile
 19  Finalize and present deliverables
Control Assessment Structure

General Controls

Control Capabilities:
a) Authorization
b) Processing and Recording
c) Safeguarding
d) Reporting
e) Compliance
f) Risk Management
g) Resource Availability

COSO Control Components:
a) Control Environment
b) Risk Assessment
c) Control Activities
d) Information & Communication
e) Monitoring

Risk factor examples (Control Capability / COSO Control Component / Risk Factor),
each with three descriptive levels from lowest to highest risk:

Authorization / Control Environment / Delegation of Authority
 – Authority and approval levels are not delegated to the lowest levels.
 – Authority is delegated to the front lines; however, executive management is involved.
 – Authority is delegated to the front lines and decision making resides at that level.

Processing and Recording / Control Environment / Skill sets
 – Employees possess the knowledge and skills necessary to effectively execute their job.
 – Employees possess some of the skills required to effectively execute their job.
 – Employees generally do not have the knowledge or skills to effectively execute their job.

Processing and Recording / Control Environment / Volume of transactions
 – Low volume of transactions and minimal interventions and hand-offs.
 – Average volume of transactions and considerable number of manual interventions.
 – High volume of automated and manual transactions and hand-offs.

Risk Management / Control Environment / Organization Structure
 – Operations are highly centralized with effective communication systems.
 – Operations are fairly decentralized with fairly effective communication systems.
 – Operations are very decentralized with ineffective communication systems.
Framework for Risk Assessment

 Identify
  – What are the risks?
 Measure
  – What is the relative degree of risk? (Determined by
    Severity and Likelihood.)
 Prioritize
  – Which risks are most important?
Risk Assessment: The Big Picture

 Internal and external risks faced by all organizations.
 Requires linked and consistent management
 objectives.
 Identified/analyzed to manage and achieve objectives.
 A system to address organization impact of external
 and internal condition changes.


 IIA Definition: “… a systematic process for assessing and integrating
 professional judgments about probable adverse conditions and/or events.
 … organize and integrate professional judgments for development of the
 audit work schedule.”
Enterprise Risk Assessment

  Driven by enterprise strategies and overall
  goals.
  Risk rank audit universe, applying the same
  risk factors to all audit entities.
  Top-down focus begins at the enterprise level.
  Bottom-up begins at the entity level.
  •   Approach dependent on management’s objectives and
      other initiatives in place.
Enterprise Risk Assessment Defined

• Enterprise Risk – Potential exposures which could significantly impact or impede an enterprise's ability to succeed in accomplishing its overall financial and operational goals and objectives.
• Risks can be categorized as follows:
  – Strategic – relating to high-level goals, aligned with and supporting the entity's mission/vision.
  – Operations – relating to effectiveness and efficiency of the entity's operations, including performance and profitability goals.
  – Reporting – relating to the effectiveness of the entity's reporting.
  – Compliance – relating to the entity's compliance with applicable laws and regulations.
Ways To Look At Risk

• Quantitative
  • Assign a value to each control risk and multiply it by the probability that the threat occurs.
  • The higher the resulting value, the greater the risk.

• Qualitative
  • High, medium, low, or adequate/inadequate.
Approaching Risk Assessment

• Solicit executive management's enterprise strategies, goals, objectives and concerns.
• If applicable, obtain the external auditor's perspective of the company.
• Also consider insurers, outside counsel, and other third-party service providers.
• Capture organization, products, processes, functions, locations, systems, support areas, etc. relevant to auditable entities.
• Develop a model using risk factors, weightings and scoring criteria.
• The objective is a risk-ranked audit universe.
An Enterprise Risk Assessment Tool

• Provides analyses regarding risk exposures at an audit universe (enterprise) level.
• No pre-defined database of standard questionnaires, risk factors and set risk weightings.
• Information is compiled by experienced professionals.
• The information and analyses are only as good as the information compiled.
Types of Risk Factors

Assets at risk
• Cash
• Inventory
• Intellectual property

Operational
• Procurement
• Production
• Material Handling
• Sales
• Service
• Human Resources
• Planning
• Legal
• Environmental

Systems
• Information quality
• Security
• Disaster planning
• Equipment/software

Financial
• Data accuracy
• Available information
• Completeness of data
• A/R, A/P, Cash flow, etc.
Risk Weighting and Scoring

• Weight risks based on customized criteria.
  • Relative importance of each individual risk factor.
  • Risk factor impact on business units, based on likelihood of occurrence and severity of impact.
  • Facilitate with management and process owners.

• Risk weighting results are reviewed by management and the process owners.
  • A risk score is assessed for each risk factor.
  • Scores are summed for a total risk score.
  • Supports a risk-ranked audit universe.
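As an added example (not code from the deck), the weighting and scoring procedure above, together with the quantitative and qualitative views from the "Ways To Look At Risk" slide, worked in Python: each risk factor carries a weight agreed with management, each scorer rates likelihood and severity per auditable entity, exposures from several scorers of one entity are averaged, weighted factor scores are summed, and the audit universe is ranked by total score. All entity names, factors, weights and ratings are constructed sample data.

```python
"""Risk-ranked audit universe from weighted risk-factor scores.

Added illustration of the deck's procedure; every entity, factor, weight
and rating below is constructed sample data, not a real assessment.
"""
from dataclasses import dataclass, field
from statistics import mean

# Qualitative ratings ("high, medium, low") mapped onto the same 1..5 scale
# used for quantitative scores so both styles can be mixed in one model.
QUALITATIVE = {"low": 1, "medium": 3, "high": 5}


def to_score(value) -> int:
    """Accept a 1..5 integer or a low/medium/high label; reject anything else."""
    if isinstance(value, str):
        try:
            return QUALITATIVE[value.lower()]
        except KeyError:
            raise ValueError(f"unknown qualitative rating: {value!r}") from None
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"score must be an integer 1..5, got {value!r}")
    return value


@dataclass
class RiskFactor:
    name: str
    weight: float          # relative importance of this factor, set with management


@dataclass
class FactorRating:
    """One scorer's view of one factor for one entity."""
    likelihood: object     # 1..5 or "low"/"medium"/"high"
    severity: object       # 1..5 or "low"/"medium"/"high"

    def exposure(self) -> int:
        # Quantitative view: value of the risk times probability of the threat.
        return to_score(self.likelihood) * to_score(self.severity)


@dataclass
class AuditableEntity:
    name: str
    # factor name -> list of ratings (several people may score one entity)
    ratings: dict = field(default_factory=dict)


def factor_score(entity, factor):
    """Weighted exposure for one factor; multiple scorers are averaged.

    A factor nobody scored is a gap in the assessment, so fail loudly rather
    than silently treating it as zero risk.
    """
    ratings = entity.ratings.get(factor.name)
    if not ratings:
        raise ValueError(f"{entity.name}: no rating for factor {factor.name!r}")
    return factor.weight * mean(r.exposure() for r in ratings)


def total_risk_score(entity, factors):
    """Sum of weighted factor scores, as the deck's 'total risk score'."""
    return sum(factor_score(entity, f) for f in factors)


def rank_audit_universe(entities, factors):
    """Return (entity name, total score) pairs, highest risk first."""
    scored = [(e.name, round(total_risk_score(e, factors), 2)) for e in entities]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# ---- constructed sample assessment (hypothetical names and values) ----
FACTORS = [
    RiskFactor("Data accuracy", 3.0),
    RiskFactor("Security", 2.0),
    RiskFactor("Disaster planning", 1.0),
]

UNIVERSE = [
    AuditableEntity("Payroll", {
        "Data accuracy": [FactorRating(4, 5), FactorRating(2, 5)],   # two scorers
        "Security": [FactorRating("medium", "high")],
        "Disaster planning": [FactorRating("low", "medium")],
    }),
    AuditableEntity("Marketing website", {
        "Data accuracy": [FactorRating(2, 2)],
        "Security": [FactorRating("high", "medium")],
        "Disaster planning": [FactorRating(3, 1)],
    }),
]

if __name__ == "__main__":
    for name, score in rank_audit_universe(UNIVERSE, FACTORS):
        print(f"{score:7.2f}  {name}")
```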
Risk-based Approach: Examples

Functional Risk
  Business Processes
  • Alignment
  • Business Continuity
  • Compliance
  • Contracting
  • Empowerment
  • Environmental
  • Fraud
  • Health and Safety
  • Illegal Activities
  • Management Information
  • Obsolescence/Shrinkage
  • Product/Service Quality
  • Relevance
  • Unauthorized Use
  Technology
  • Availability
  • Access
  • Functionality
  • Integrity
  • Usability

Financial Reporting
  • Financial Assessment
  • Evaluation
  • Financial Statement Falsification
  • Regulatory Reporting
  • Taxation
Finance
  • Collateral
  • Counterparty
  • Credit
  • Currency
  • Derivatives
  • Interest Rate
  • Liquidity
  • Reinvestment
  • Settlement

Conversion Risk
  • Authority
  • Bench Strength
  • Budgeting & Planning
  • Capacity
  • Commodity
  • Communication
  • Cycle Time
  • Efficiency
  • Human Resources
  • Organization Structures
  • Performance Metrics
  • Pricing
  • Resource Allocation
  • Supplier
  • Technology Selection
  • Technology Deployment

Strategic Risk
  • Capital Availability
  • Competition
  • Financial Markets
  • Flexibility
  • Industry
  • Leadership
  • Legal
  • Regulatory
  • Product Life Cycle
  • Product Development
  • Reputation
  • Trademark Erosion
  • Sovereign
  • Strategic Assumptions
  • Valuation
Risk-based Approach: Process

Inputs: Executive Management Input, Company Strategies

1. Risk Factor Model Development
   • Executive Management Input and Buy-in
   • Extract Risk Factors from Strategies
   • Identify & Define Risk Factors to be Used
   • Define Related Scoring Criteria for Each Risk Factor
   • Weight the Risk Factors

2. Audit Universe Development
   • Input Obtained from Many Sources
   • Organizational Charts, Internal Management Reports, Company Directory, Annual Report, General Ledger, Location Listings, Major Projects or Contracts, Information Systems, etc.
   • Cost Centers, Profit Centers, Investment Centers, Locations, Functions, Processes, etc.

3. Risk Exposure Scoring
   • Scoring Occurs from Interviews with Senior Management Responsible for the Auditable Entities
   • One Person may be Responsible for Scoring Multiple Entities
   • Many Persons may be Responsible for Scoring One Entity

4. Audit Plan Development
   • Compute Risk-Ranked Audit Universe from Completion of the ERA Model
   • Develop Audit Plan Based on Risk-Ranking and Available Resources
   • Obtain Executive Management Approval
   • Execute Audit Plan
   • Reassess Risk Exposures
Risk-based Approach Re-cap

• Risk-based approach
• Defined model of enterprise risk factors
• Customized to fit our client's needs
• Efficient direction of audit resources
• Supported by an electronic tool that provides for data analysis
• Provides sufficient information to build an audit plan
• Performed by experienced professionals
• Cost-effective solution to improve enterprise risk management initiatives
Questions?
Dwayne Jorgensen, CIA, CFE
Consultant, Governance
Spirit Consulting Services

Dwayne Jorgensen, CIA, CFE, is a recognized expert in governance, risk and controls. Mr. Jorgensen created the Sarbanes-Oxley Services & IT Governance global practice for CTG, a 39-year-old IT staffing solutions firm. He is respected for his ability to assess a client's current state of compliance with Sarbanes-Oxley (SOX) and then guide them in meeting their compliance goals, especially those related to Sections 302, 404, and 409 of the act. In addition, Mr. Jorgensen has developed a "continuous monitoring" solution for corporate governance and speaks on the role of IT in that endeavor. Mr. Jorgensen is an expert in COSO, risks and controls, specifically as these areas pertain to the impact of SOX on corporate governance. He has over 20 years' experience in internal audit, system controls, practice development, capital acquisitions, and risk management.

Before CTG, Mr. Jorgensen was North American Practice Director of internal audit services for Jefferson Wells International. He oversaw the growth and development of the firm's internal audit service line in the United States and Canada post-Sarbanes-Oxley, especially in the areas of 301, 302, and 404 compliance. He also directed the business process outsourcing practice for the Atlanta office of Arthur Andersen, LLP, and was elected a principal of the firm. He was a senior manager for Coopers & Lybrand, LLP, and director of internal audit and secretary of the audit committee for Flagler System, Inc. Mr. Jorgensen is a member of the Institute of Internal Auditors and the Association of Certified Fraud Examiners, and has a Bachelor of Arts degree in pre-law with a major in accounting and finance from the University of Illinois-Urbana.
Dwayne Jorgensen, CIA, CFE
Consultant, Governance
Spirit Consulting Services – Referrals


"I had the opportunity to work with Dwayne during an extremely critical period as our company attempted to address Sarbanes-Oxley concerns. Dwayne and his team were simply the best of the best. I highly recommend Dwayne and would welcome the opportunity to work with him again."
April 1, 2008. Top qualities: Great Results, Expert, High Integrity.
Mike Pulaski, hired Dwayne as a Business Consultant in 2004, and hired Dwayne more than once.

"Dwayne was directly responsible for developing Jefferson Wells' approach to provision of Sarbanes-Oxley services just after the act was passed by Congress. He was on the leading edge of the service. His leadership was instrumental in the subsequent success the company enjoyed."
January 7, 2008. Bob McDonald, Director Construction Services, Jefferson Wells International, worked indirectly for Dwayne at Jefferson Wells International.

"Dwayne took a leading role in developing the regulatory compliance practice in the UK operation. I found Dwayne to be very commercially focused and felt his strengths were in developing a lasting relationship with the client."
January 8, 2008. Martyn Smith, Senior Consultant, CTG (UK) Ltd, worked with Dwayne at CTG.

"Dwayne was the key provider in the delivery of an excellent Sarbanes-Oxley assessment audit of our business processes and provided specific and creative recommendations for implementation of corrective actions."
January 4, 2008. Top qualities: Personable, Good Value, On Time.
John Ponzo, hired Dwayne as an IT Consultant in 2004.

"I encountered few people in the three years I was selling SOX and GRC applications that truly understood the intertwined nature of a control environment and technology. Dwayne understood the pros, the cons and the yet-to-be-challenged status quo. Dwayne knew early that complex control issues could be tackled efficiently using technology and at a reduced overall cost. Simply put, Dwayne 'gets it'!"
January 28, 2008. Brian Tietje, Senior Sales Consultant, Movaris, was with another company when working with Dwayne at CTG.
Contact Information

Dwayne E. Jorgensen, CIA, CFE
     Consultant
     Spirit Consulting Services
     1851 Baltusrol Trail
     Duluth, GA 30097
     Office: 678/957-0838
     Mobile: 770/789-7581
     E-mail: dej@spiritconsultingservices.com
Thank You!

 
Types of Cyberattacks - ASG I.T. Consulting.pdf
Types of Cyberattacks - ASG I.T. Consulting.pdfTypes of Cyberattacks - ASG I.T. Consulting.pdf
Types of Cyberattacks - ASG I.T. Consulting.pdfASGITConsulting
 
WSMM Media and Entertainment Feb_March_Final.pdf
WSMM Media and Entertainment Feb_March_Final.pdfWSMM Media and Entertainment Feb_March_Final.pdf
WSMM Media and Entertainment Feb_March_Final.pdfJamesConcepcion7
 
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxThe-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxmbikashkanyari
 
20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdf20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdfChris Skinner
 
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdftrending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdfMintel Group
 
Interoperability and ecosystems: Assembling the industrial metaverse
Interoperability and ecosystems:  Assembling the industrial metaverseInteroperability and ecosystems:  Assembling the industrial metaverse
Interoperability and ecosystems: Assembling the industrial metaverseSiemens
 
Jewish Resources in the Family Resource Centre
Jewish Resources in the Family Resource CentreJewish Resources in the Family Resource Centre
Jewish Resources in the Family Resource CentreNZSG
 
Introducing the Analogic framework for business planning applications
Introducing the Analogic framework for business planning applicationsIntroducing the Analogic framework for business planning applications
Introducing the Analogic framework for business planning applicationsKnowledgeSeed
 
14680-51-4.pdf Good quality CAS Good quality CAS
14680-51-4.pdf  Good  quality CAS Good  quality CAS14680-51-4.pdf  Good  quality CAS Good  quality CAS
14680-51-4.pdf Good quality CAS Good quality CAScathy664059
 

Recently uploaded (20)

Guide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFGuide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDF
 
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
 
Welding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsWelding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan Dynamics
 
Effective Strategies for Maximizing Your Profit When Selling Gold Jewelry
Effective Strategies for Maximizing Your Profit When Selling Gold JewelryEffective Strategies for Maximizing Your Profit When Selling Gold Jewelry
Effective Strategies for Maximizing Your Profit When Selling Gold Jewelry
 
Strategic Project Finance Essentials: A Project Manager’s Guide to Financial ...
Strategic Project Finance Essentials: A Project Manager’s Guide to Financial ...Strategic Project Finance Essentials: A Project Manager’s Guide to Financial ...
Strategic Project Finance Essentials: A Project Manager’s Guide to Financial ...
 
Appkodes Tinder Clone Script with Customisable Solutions.pptx
Appkodes Tinder Clone Script with Customisable Solutions.pptxAppkodes Tinder Clone Script with Customisable Solutions.pptx
Appkodes Tinder Clone Script with Customisable Solutions.pptx
 
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptxThe Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
 
digital marketing , introduction of digital marketing
digital marketing , introduction of digital marketingdigital marketing , introduction of digital marketing
digital marketing , introduction of digital marketing
 
Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...
 
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
 
1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf
 
Types of Cyberattacks - ASG I.T. Consulting.pdf
Types of Cyberattacks - ASG I.T. Consulting.pdfTypes of Cyberattacks - ASG I.T. Consulting.pdf
Types of Cyberattacks - ASG I.T. Consulting.pdf
 
WSMM Media and Entertainment Feb_March_Final.pdf
WSMM Media and Entertainment Feb_March_Final.pdfWSMM Media and Entertainment Feb_March_Final.pdf
WSMM Media and Entertainment Feb_March_Final.pdf
 
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxThe-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
 
20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdf20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdf
 
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdftrending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
 
Interoperability and ecosystems: Assembling the industrial metaverse
Interoperability and ecosystems:  Assembling the industrial metaverseInteroperability and ecosystems:  Assembling the industrial metaverse
Interoperability and ecosystems: Assembling the industrial metaverse
 
Jewish Resources in the Family Resource Centre
Jewish Resources in the Family Resource CentreJewish Resources in the Family Resource Centre
Jewish Resources in the Family Resource Centre
 
Introducing the Analogic framework for business planning applications
Introducing the Analogic framework for business planning applicationsIntroducing the Analogic framework for business planning applications
Introducing the Analogic framework for business planning applications
 
14680-51-4.pdf Good quality CAS Good quality CAS
14680-51-4.pdf  Good  quality CAS Good  quality CAS14680-51-4.pdf  Good  quality CAS Good  quality CAS
14680-51-4.pdf Good quality CAS Good quality CAS
 

The Importance of Governance in a Regulatory World

  • 1. The Importance of Governance In a Regulatory World
    Dwayne Jorgensen, CIA, CFE
    Consultant, Governance Services, Spirit Consulting Services
  • 2. Agenda
    – Introduction/Sarbanes-Oxley
    – Brief history
    – Human nature and the need for governance
    – COSO overview
    – Your role
    – Spirit or Letter of the Law?
    – A Risk-based approach…
    – Q&A
  • 3. The Cost of Poor Governance: Sarbanes – Oxley in a Nutshell
    The Act was signed into law on July 30, 2002 and includes eleven titled sections:
    – Title I: Public Company Accounting Oversight Board
    – Title II: Auditor Independence
    – Title III: Corporate Responsibility
    – Title IV: Enhanced Financial Disclosures
    – Title V: Analyst Conflicts of Interest
    – Title VI: Commission Resources and Authority
    – Title VII: Studies and Reports
    – Title VIII: Corporate and Criminal Fraud Accountability
    – Title IX: White Collar Crime Penalty Enhancements
    – Title X: Corporate Tax Returns
    – Title XI: Corporate Fraud and Accountability
  • 4. Brief History
    – Thanks to Enron and the “.com implosion,” Governance became an issue
    – COSO’s Framework of Internal Control was published in 1992, but did not prevent the need for the Sarbanes-Oxley Act… Why?
    – COSO was left “voluntary,” and therefore was essentially ignored for ten years by the business world, until made mandatory by the Sarbanes-Oxley Act.
  • 5. Human Nature – The Need For Governance
    – Maslow's Hierarchy of needs: “Self-Awareness” is a desired, not required state.
    – Behavior styles and business management: Governance tends to be viewed as “overhead,” and has historically been minimized on a “cost/benefit” basis.
    – Why is governance important? Curiosity, greed, self-rationalization and pride, the key elements of control breakdowns in historical business cases.
  • 6. Human Nature – The Need For Governance
    The Competency Square (four quadrants): Unconsciously incompetent; Consciously incompetent; Consciously competent; Unconsciously competent
  • 7. Human Nature – The Need For Governance
    (Competency square diagram, continued: unconsciously/consciously incompetent, consciously/unconsciously competent)
  • 8. Human Nature – The Need For Governance
    (Competency square diagram, continued: unconsciously/consciously incompetent, consciously/unconsciously competent)
  • 9. COSO - Overview
    COSO Definition of Internal Control
    – Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
      • Effectiveness and efficiency of operations
      • Reliability of financial reporting
      • Compliance with applicable laws and regulations
    Key Concepts
    – Internal control is a process. It is a means to an end, not an end in itself.
    – Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
    – Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
    – Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
  • 10. COSO - Overview
    Risks evaluated by:
    – Severity
    – Likelihood
    Types of risks:
    – Inherent risks
    – Managed risks
    – Residual risks
  • 11. COSO – Overview
    Dwayne’s “Hierarchy of Internal control needs” (first published 1990), top to bottom: Control Self-Assessment; Proactive Consulting; Reactive Operational; Compliance
  • 12. COSO – Overview
    Hierarchy of internal control needs – revised (2004) – new foundational layers added beneath the original four (CSA; Proactive Consulting; Reactive Operational; Compliance): Objectivity; Independence
  • 13. Your Role as “Teacher”
    – Who is responsible for implementing the Internal Control Framework? Management
    – Who should be responsible for overall Governance? Not your external auditors
    – What is the preferred solution? Senior management and internal auditors as teachers of Internal Control
  • 14. Your Role as “Teacher”
    Internal control expertise can provide assistance in every layer of the cube: Compliance; Reactive Operational; Proactive Consulting; CSA
  • 15. Your Role as “Counselor”
    Why should management, internal and external auditors communicate?
    – Ensures company assessments, documentation, testing and reporting are correct
    – Lightens attestation load for external auditor (SAS 65)
  • 16. Governance: Spirit or Letter of the Law?
    Sarbanes-Oxley: The “end” or “means?”
    – Act originally thought limited in life, now basis for many global governance initiatives
    Positive/negative effects of the intent for creating the ideal control environment
    – Too much focus on “letter of the law” (reporting requirements) than “spirit” (corporate governance)
    Ongoing debate over role of External Auditor
    – Act was direct result of audit firms acting as consultants, yet lines are still blurred on using external auditors for consulting needs.
    – “4 – 3 – 2”
  • 17. Spirit or Letter of the Law? 4-3-2
    Section 404 – Can external auditors “independently” test and opine on management’s report on internal controls if they played any role in preparing the document?
  • 18. Spirit or Letter of the Law? 4-3-2
    Section 302 – Is management comfortable with this decision in light of pending guidance on disclosure protocols, and the subsequent potential harm if something was deemed “inappropriate” about the external auditor’s role at a later date?
  • 19. Spirit or Letter of the Law? 4-3-2
    Section 201 – Since this assistance of operating management in preparing their assertion falls outside the scope of actual external audit work, does it require audit committee approval, and is management therefore comfortable asking for it?
  • 20. In the true “spirit” of the Act…
    – Independent Internal Audit (IA) function
    – Board-approved charters
    – Risk assessments – management & IA
      • Key Controls determined by management assessments
      • Audit plans developed based on output of assessments
    – Testing and reports of effectiveness by IA
      • Correction of deficiencies by management
    – Management/IA as “teachers of internal control”
    – Management/IA as part of continuous improvement process
  • 21. In the true “spirit” of the Act…
    Thought-leading organizations were doing most, if not all, of the previous prior to the Act, and were not even necessarily publicly traded!
  • 22. COSO – ERM Framework
    Have You Started Yet?
  • 23. Enterprise Risk Framework
    (ERM cube axes) Four objective categories – Strive to achieve; Eight components – Needed to achieve; Entity and organizational units
  • 24. Enterprise Risk Framework
    – Is a process – is a means to an end, not an end in itself.
    – Is effected by people – is not merely policies, surveys and forms, but involves people at every level of an organization.
    – Is applied in strategy setting.
    – Is applied across an enterprise, at every level and unit, and includes taking an entity-level portfolio view of risks.
    (ERM cube axes: four objective categories; eight components; entity and organizational units)
  • 25. Enterprise Risk Framework
    – Is designed to identify events potentially affecting the entity and manage risk within its risk appetite.
    – Provides reasonable assurance to an entity’s management and board.
    – Is geared to the achievement of objectives in one or more separate but overlapping categories.
    (ERM cube axes: four objective categories; eight components; entity and organizational units)
  • 26. The Compliance Iceberg
    What You Know (above the waterline): Sarbanes-Oxley Act compliance requirements – Sections 404, 302, 301, 409
    What You Might Not Know (below the waterline):
    – Industry compliance standards: Cerner Regulations (FDIC 1A, etc.); Public Co. Reg. (NYSE, NASDAQ, etc.); Lending Covenants
    – Company-specific standards: Mission Statements; Policies; Procedures; Tasks; Unique Control Events
    © 2004 CTG
  • 27. Who’s Watching the Store?
    Role              | Responsibility                                            | Frequency: COSO | SOX 302   | SOX 404
    Management        | Owner of internal controls and ongoing monitoring         | Ongoing         | Quarterly | Annually
    Internal auditors | Validators independent of management, but part of company | Periodically    | Quarterly | Annually
    External auditors | Validators independent of company                         | Annually        | Quarterly | Annually
  • 28. Cost of SOX Implementation: 2005
    2005 SOX expenditure by US firms: $6 Billion
    – Internal expenses: $2 Billion
    – Hardware/Software: $2 Billion
    – Consulting: $2 Billion
    Source: Gartner
  • 29. Cost of SOX Implementation: Ongoing?
    A study from Foley & Lardner LLP shows that while the total cost of SOX compliance dipped in 2006, spending on so-called out-of-pocket costs rose by double-digit percentages. According to the Chicago-based law firm's study, public companies with more than $1 billion in annual revenue spent an average $10 million on costs such as board compensation and audit and legal fees in 2006. That's a 12% increase over spending in 2005. At public companies with revenue under $1 billion, the increase was 13%.
    External audit fees claimed the biggest chunk of money, accounting for more than 47% of the out-of-pocket spending on compliance by the smaller public companies. At companies with more than $1 billion in revenue, a whopping 60% of the money goes to external audit fees.
    "Some experts predicted that external audit fees would decrease after the initial implementation of Section 404 audits, as external auditors became more familiar with their clients' accounting controls and, therefore, more efficient in conducting their audits," said Thomas E. Hartman, a partner at Foley & Lardner and director of the report. "Our study results do not support this prediction. Indeed, external audit fees have been the only cost our study has shown to increase every year since the Sarbanes-Oxley Act was passed."
    Meanwhile, all the manpower and money that companies have invested internally on SOX compliance is beginning to pay off. According to the Foley study, most of that dip in total SOX spending in 2006 was due to efficiency improvements in internal financial reporting -- and thus a gain in productivity. IT departments shouldered a big part of the internal work done in preparation for SOX -- cleaning up and documenting processes. Can CIOs give themselves a pat on the back?
    "CIOs will be able to pat themselves on the back when they sit down and help the rest of the business automate the internal controls as much as they can, and help get down the external audit fees, which are out of control," said analyst French Caldwell, who covers compliance at consultancy Gartner Inc. in Stamford, Conn. "It's not over yet. Don't even stop to catch your breath."
    Caldwell said the Foley findings are consistent with other research. During the last three years, companies have seen about a 35% reduction in overall SOX compliance costs, almost all of which have come from savings on internal labor and on fees paid to consultants. But a reduction in internal labor costs or one-time consultants doesn't equate with "any great efficiencies," he said, precisely because the external auditing fees have hardly budged -- indeed they're "out of control."
    "That indicates to me that there is just as much to audit. That indicates to me that many companies haven't really rationalized the controls. They haven't automated a lot of the controls," Caldwell said. Nor have companies yet heeded the advice this spring from the Securities and Exchange Commission (SEC) to take a more risk-based approach to SOX compliance.
    Source: Linda Tucci, 16 Aug 2007, SearchCIO.com
  • 30. So What’s a Corporation to Do?
    Continuous monitoring (CM) offers the only practical, cost-effective solution.
    – Build a system that provides a perpetual inventory of governance
    – Leverage IT to maximize automation and reduce staffing loads
  • 31. Proposed CM Solution Pyramid (top to bottom)
    – Oversight Component – “Tone at the top”: Executive buy-in, “spirit” vs. “letter”
    – Planning Component – SOX methodology: Assess, document, test, report
    – Co-sourcing component? – Independent IT test services
    – Software Component – Various vendor process automation products, e.g. Documentum®, Movaris OneClose®, ACL CCM®
    – Hardware/Data Integrity Component – EMC Centera®, Proofspace encryption, record management automation
  • 32. Sarbanes-Oxley’s Impact on the COSO Cube
    Sections 404, 302 and 409 mapped against the COSO components and their IT components:
    – Monitoring: Server Logs, Database Logs, Firewall Logs, Intrusion Detection, Incident Response, Awareness Training
    – Information & Communication: IT Policies, Standards & Procedures; Email, Scorecards, Dashboards, Project Control, Help Desk
    – Control Activities: Firewalls, Security, DRP, Business Continuity, SDLC, Change Control, Operations
    – Risk Assessment: IT Risk Management, IT Risk Assessments, Business Impact Analysis
    – Control Environment: “Tone at the top”, IT Governance, Regulatory Compliance
  • 33. CM Solution Requirements
    Tool or process needed (examples only), by COSO component:
    – Monitoring: One Close®
    – Information & Communication: Documentum®
    – Control Activities: ACL CCM / One Close®
    – Risk Assessment: One Close®
    – Control Environment: Organizational Consulting
    Resources needed: Technology (HW/SW); People (staff, mgmt.)
  • 34. Key Recommendation
    – Validate methodology through execution on a pilot process (assess, document, and test)
    – Remediate consistently and constantly
    – Work with external auditor to ensure approach is satisfactory via a full trial on a key process before rollout
  • 35. Internal Control Maturity Model
    Five stages: Initial, Repeatable, Defined, Managed, Optimizing
    – Initial: Control structure is not defined. Control occurs incidentally.
    – Repeatable: Control structure is not defined, but control processes may occur based on past success and management oversight.
    – Defined: Control structure is documented, standardized and integrated into control processes for the organization.
    – Managed: The control process is regularly assessed and tested. Detailed measures of the control process are collected and reported.
    – Optimizing: Continuous process improvement is enabled by quantitative feedback from the control process.
    Predictability, effectiveness and efficiency of an organization's internal controls improve as the organization moves through these five stages.
  • 36. COSO-Driven Methodology: Assess
    Phases: ASSESS (this slide) – DOCUMENT – TEST – REPORT – Remediate. Ongoing coordination between management, external auditor, and consultant.
    Process:
    – Form team: Define overall SO requirements; Identify and form team; Partner with external audit firm
    – Perform risk assessment: Confirm audit universe; Define risk weighting; Conduct assessment
    – Confirm results: Analyze assessment results; Confirm risk rankings; Map to knowledge base of mitigating practices; Present findings to management
    – Develop work plan: Develop plan for documentation phase; Review plan with external auditor, management
    Outcomes: Management support; Internal champion; Trained team; Consensus on objectives; Risk-ranked universe; The plan
  • 37. COSO-Driven Methodology: Document
    Phases: ASSESS – DOCUMENT (this slide) – TEST – REPORT – Remediate. Ongoing coordination between management, external auditor, and consultant.
    Process:
    – COSO alignment: Define target maturity level by process; Assess COSO maturity by process; Identify where improvements are needed
    – Document control activities: Define control objectives; Determine tool approach; Map assessment to objectives and identify gaps; Develop plan to address gaps with control changes
    – Improve controls: Assess and implement changes in controls; Test new processes and train users
    – Define monitoring process: Confirm the role of the internal audit department; Assess current monitoring environment; Implement monitoring process
    Outcomes: COSO maturity ranking; Consensus on end state; Improved controls environment; Ongoing monitoring; Documented controls
  • 38. COSO-Driven Methodology: Test
    Phases: ASSESS – DOCUMENT – TEST (this slide) – REPORT – Remediate. Ongoing coordination between management, external auditor, and consultant.
    Process:
    – Management monitoring controls: Educate management on controls; Develop framework for management monitoring; Facilitate management monitoring of controls
    – Independent internal audit: Develop framework for independent monitoring; Facilitate independent monitoring of controls
    – Testing: Identify weaknesses from management test
    – Material weakness plan: Develop action plan for weaknesses; Reiterate if necessary
    – Ongoing report process: Implement process for ongoing quarterly reports; Define process for development of IC report; Partner with external auditor on report requirements
    Outcomes: Management control monitoring; Independent monitoring; Management reporting process; Ongoing reporting
  • 39. COSO-Driven Methodology: Report
    Phases: ASSESS – DOCUMENT – TEST – REPORT (this slide) – Remediate. Ongoing coordination between management, external auditor, and consultant.
    Process:
    – Management report: Management reports on role in controls; Management reports on testing process; Management delivers final controls report
    – External audit: External audit commences; External auditor tests controls per requirements; External auditor reviews management report
    – External assertion: External auditor issues final report; External auditor issues final assertion
    Outcomes: Management report; External audit report; External assertion; External control testing
  • 40. Benefits/ROI
    – ROIs are easily calculated, by the determination of FTE reduction due to PCAOB’s Standard II regarding the testing of automated controls once, versus reiterative testing necessary for manual controls.
    – Secondary benefit, especially in the ability to store the results of continuous monitoring in an authenticated, digital format, should have a significant impact on future third-party litigation revolving around alleged misconduct by management, in proving the validity of the effectiveness of key control activities.
  • 41. Illustrative Assessment Work Plan
    Week Number: 1 2 3 4 5 6 7 8 9 10 (Weeks Remaining: 10 9 8 7 6 5 4 3 2 1)
    Task descriptions:
    1. Initial planning and information gathering
    2. Conduct initial interviews
    3. Review Engagement Letter
    4. Finalize interview list
    5. Finalize specialists required
    6. Prepare letter for interviewees to overview project/team
    7. Prepare interview objectives and general questions
    8. Finalize workplan
    9. Develop overview of client business/industry
    10. Finalize tailored questions by functional interview
    11. Draft format for deliverables
    12. Schedule interviews (approx. 25-35 interviews)
    13. Perform interviews (approx. 25-35 interviews @ approx. 1.5 hrs each); interviews led by IA with client internal audit personnel involvement
    14. Document results of interviews / confirm with interviewees
    15. Develop risk ranking
    16. Develop audit plan
    17. Determine resource needs to execute audit plan
    18. Obtain client management consensus on risk profile
    19. Finalize and present deliverables
  • 42. Control Assessment Structure
    General Controls (Control Capabilities): a) Authorization; b) Processing and Recording; c) Safeguarding; d) Reporting; e) Compliance; f) Risk Management; g) Resource Availability
    COSO Control Components: a) Control Environment; b) Risk Assessment; c) Control Activities; d) Information & Communication; e) Monitoring
    Control Capability | COSO Component | Risk Factor | Assessment levels
    – Authorization | Control Environment | Delegation of Authority | Authority and approval levels are not delegated to the lowest levels. / Authority is delegated to the front lines, however executive management is involved. / Authority is delegated to the front lines and decision making resides at that level.
    – Processing and Recording | Control Environment | Skill sets | Employees possess the knowledge and skills necessary to effectively execute their job. / Employees possess some of the skills required to effectively execute their job. / Employees generally do not have the knowledge or skills to effectively execute their job.
    – Processing and Recording | Control Environment | Volume of transactions | Low volume of transactions and minimal interventions and hand-offs. / Average volume of transactions and considerable number of manual interventions. / High volume of automated and manual transactions and hand-offs.
    – Risk Management | Control Environment | Organization Structure | Operations are highly centralized with effective communication systems. / Operations are fairly decentralized with fairly effective communication systems. / Operations are very decentralized with ineffective communication systems.
  • 43. Framework for Risk Assessment Identify – What are the risks? Measure – What is the relative degree of risk? (Determined by Severity and Likelihood.) Prioritize – Which risks are most important?
  • 44. Risk Assessment: The Big Picture Internal and external risks faced by all organizations. Requires linked and consistent management objectives. Identified/analyzed to manage and achieve objectives. A system to address organization impact of external and internal condition changes. IIA Definition-“… a systematic process for assessing and integrating professional judgments about probable adverse conditions and/or events. …organize and integrate professional judgments for development of the audit work schedule.”
  • 45. Enterprise Risk Assessment Driven by enterprise strategies and overall goals. Risk rank audit universe, applying the same risk factors to all audit entities. Top-down focus begins at the enterprise level. Bottoms-up begins at the entity level. • Approach dependent on management’s objectives and other initiatives in place.
  • 46. Enterprise Risk Assessment Defined Enterprise Risk – Potential exposures which could significantly impact or impede an enterprise’s ability to succeed in accomplishing its overall financial and operational goals and objectives. Risks can be categorized as follows: – Strategic – relating to high-level goals, aligned with and supporting the entity’s mission/vision. – Operations – relating to effectiveness and efficiency of the entity’s operations, including performance and profitability goals. – Reporting – relating to the effectiveness of the entity’s reporting. – Compliance – relating to the entity’s compliance with applicable laws and regulations.
  • 47. Ways To Look At Risk Quantitative • Assign a value to each control risk times a probability of the threat of the risk • Higher value/greater risk Qualitative • High, medium, low or adequate/inadequate
  • 48. Approaching Risk Assessment
  – Solicit executive management’s enterprise strategies, goals, objectives and concerns.
  – If applicable, obtain the external auditor’s perspective of the company. Also consider insurers, outside counsel and other third-party service providers.
  – Capture the organization, products, processes, functions, locations, systems, support areas, etc. relevant to auditable entities.
  – Develop a model using risk factors, weightings and scoring criteria. The objective is a risk-ranked audit universe.
  • 49. An Enterprise Risk Assessment Tool
  – Provides analyses regarding risk exposures at an audit universe (enterprise) level.
  – No pre-defined database of standard questionnaires, risk factors and set risk weightings.
  – Information is compiled by experienced professionals.
  – The information and analyses are only as good as the information compiled.
  • 50. Types of Risk Factors
  – Assets at risk: Cash; Inventory; Intellectual property; Equipment/software.
  – Systems: Information quality; Security; Disaster planning.
  – Operational: Procurement; Production; Material Handling; Sales; Service; Human Resources; Planning; Legal; Environmental.
  – Financial: Data accuracy; Available information; Completeness of data; A/R, A/P, Cash flow, etc.
  • 51. Risk Weighting and Scoring. Weigh risks based on customized criteria:
  – Relative importance of the individual risk factor.
  – Risk factor impact on business units, based on likelihood of occurrence and severity of impact.
  – Facilitate with management and process owners; risk weighting results are reviewed by management and the process owners.
  – A risk score is assessed for each risk factor; the scores are summed for a total risk score, which supports a risk-ranked audit universe.
  • 52. Risk-based Approach: Examples. Risk categories: Functional Risk, Conversion Risk, Strategic Risk. Example risk areas: Business Processes, Authority, Alignment, Bench Strength, Capital Availability, Business Continuity, Budgeting & Planning, Competition, Financial Reporting, Financial Markets, Compliance, Financial Assessment, Capacity, Contracting, Commodity, Flexibility, Evaluation, Industry, Empowerment, Financial Statement, Communication, Environmental, Cycle Time, Leadership, Falsification, Legal, Fraud, Regulatory Reporting, Efficiency, Health and Safety, Human Resources, Regulatory, Taxation, Product Life Cycle, Illegal Activities, Organization Structures, Management Information, Performance Metrics, Product Development, Obsolescence/Shrinkage, Pricing, Reputation, Product/Service Quality, Finance, Resource Allocation, Trademark Erosion, Relevance, Collateral, Supplier, Sovereign, Unauthorized Use, Counterparty, Technology Selection, Strategic Assumptions, Credit, Technology Deployment, Valuation, Currency, Technology, Derivatives, Availability, Interest Rate, Access, Liquidity, Functionality, Reinvestment, Integrity, Settlement, Usability.
  • 53. Risk-based Approach: Process (five stages)
  – Executive Management Input: executive management input and buy-in.
  – Company Strategies / Risk Factor Model Development: extract risk factors from strategies; identify and define the risk factors to be used; define related scoring criteria for each risk factor; weight the risk factors.
  – Audit Universe Development: input obtained from many sources (organizational charts, internal management reports, company directory, annual report, general ledger, location listings, major projects or contracts, information systems, etc.); auditable entities such as cost centers, profit centers, investment centers, locations, functions, processes, etc.
  – Risk Exposure Scoring: scoring occurs from interviews with the senior management responsible for the auditable entities; one person may be responsible for scoring multiple entities; many persons may be responsible for scoring one entity.
  – Audit Plan Development: compute the risk-ranked audit universe from completion of the ERA model; develop the audit plan based on risk ranking and available resources; obtain executive management approval; execute the audit plan; reassess risk exposures.
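The scoring model described on slides 47, 51 and 53 (weighted risk factors, a score per factor for each auditable entity, scores summed and the universe risk-ranked), worked as an added example; this is not the presentation's own electronic tool, and the factor names, weights, entities and scores are constructed sample data:

```python
"""Risk-ranked audit universe scoring, an added example (not the presentation's tool).
Each risk factor has a weight (relative importance); each auditable entity is scored on
every factor on a 1..3 scale (low/medium/high, like the three capability levels on the
control assessment slide); weighted scores are summed and the entities are ranked."""
from dataclasses import dataclass

SCALE = {1: "low", 2: "medium", 3: "high"}  # qualitative reading of one factor score

@dataclass(frozen=True)
class RiskFactor:
    name: str
    weight: float  # relative importance, facilitated with management and process owners

def entity_risk_score(scores: dict, factors: list) -> float:
    """Weighted sum of one entity's factor scores; rejects incomplete or off-scale input."""
    missing = [f.name for f in factors if f.name not in scores]
    if missing:
        raise ValueError(f"unscored risk factors: {missing}")
    for name, s in scores.items():
        if s not in SCALE:
            raise ValueError(f"{name!r}: score {s} is not on the {sorted(SCALE)} scale")
    return sum(f.weight * scores[f.name] for f in factors)

def risk_band(total: float, factors: list) -> str:
    """Qualitative band from the entity's share of the maximum possible weighted score."""
    ratio = total / (max(SCALE) * sum(f.weight for f in factors))
    return "high" if ratio >= 0.75 else "medium" if ratio >= 0.5 else "low"

def rank_audit_universe(universe: dict, factors: list) -> list:
    """Return (entity, total score, band) rows sorted from highest to lowest risk."""
    rows = []
    for entity, scores in universe.items():
        total = entity_risk_score(scores, factors)
        rows.append((entity, total, risk_band(total, factors)))
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample: four risk factors from the control assessment slide, three entities.
FACTORS = [RiskFactor("Delegation of authority", 2.0), RiskFactor("Skill sets", 1.5),
           RiskFactor("Volume of transactions", 1.0), RiskFactor("Organization structure", 1.5)]
UNIVERSE = {  # factor name -> 1..3 score, as gathered from senior management interviews
    "Accounts payable": {"Delegation of authority": 3, "Skill sets": 2,
                         "Volume of transactions": 3, "Organization structure": 2},
    "Payroll": {"Delegation of authority": 1, "Skill sets": 1,
                "Volume of transactions": 2, "Organization structure": 1},
    "Treasury": {"Delegation of authority": 2, "Skill sets": 3,
                 "Volume of transactions": 1, "Organization structure": 3},
}

if __name__ == "__main__":
    for entity, total, band in rank_audit_universe(UNIVERSE, FACTORS):
        print(f"{entity:<18} {total:5.1f}  {band}")
```

The validation in entity_risk_score is the check the slides' "information as good as the information compiled" point implies: an entity with an unscored or off-scale factor is rejected rather than silently ranked low.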
  • 54. Risk-based Approach Re-cap
  – Defined model of enterprise risk factors.
  – Customized to fit our client’s needs.
  – Efficient direction of audit resources.
  – Supported by an electronic tool that provides for data analysis.
  – Provides sufficient information to build an audit plan.
  – Performed by experienced professionals.
  – Cost-effective solution to improve enterprise risk management initiatives.
  • 56. Dwayne Jorgensen, CIA, CFE, Consultant, Governance, Spirit Consulting Services. Dwayne Jorgensen, CIA, CFE, is a recognized expert in governance, risk and controls. Mr. Jorgensen created the Sarbanes-Oxley Services & IT Governance global practice for CTG, a 39-year-old IT staffing solutions firm. He is respected for his ability to assess a client’s current state of compliance with Sarbanes-Oxley (SOX) and then guide them in meeting their compliance goals, especially those related to Sections 302, 404, and 409 of the act. In addition, Mr. Jorgensen has developed a “continuous monitoring” solution for corporate governance and speaks on the role of IT in that endeavor. Mr. Jorgensen is an expert in COSO, risks and controls, specifically as these areas pertain to the impact of SOX on corporate governance. He has over 20 years’ experience in internal audit, system controls, practice development, capital acquisitions, and risk management. Before CTG, Mr. Jorgensen was North American Practice Director of internal audit services for Jefferson Wells International. He oversaw the growth and development of the firm’s internal audit service line in the United States and Canada post-Sarbanes-Oxley, especially in the areas of 301, 302, and 404 compliance. He also directed the business process outsourcing practice for the Atlanta office of Arthur Andersen, LLP, and was elected a principal of the firm. He was a senior manager for Coopers & Lybrand, LLP, and director of internal audit and secretary of the audit committee for Flagler System, Inc. Mr. Jorgensen is a member of the Institute of Internal Auditors and the Association of Certified Fraud Examiners, and has a Bachelor of Arts degree in pre-law with a major in accounting and finance from the University of Illinois-Urbana.
  • 57. Dwayne Jorgensen, CIA, CFE, Consultant, Governance, Spirit Consulting Services – Referrals
  – “I had the opportunity to work with Dwayne during an extremely critical period as our company attempted to address Sarbanes-Oxley concerns. Dwayne and his team were simply the best of the best. I highly recommend Dwayne and would welcome the opportunity to work with him again.” April 1, 2008. Top qualities: Great Results, Expert, High Integrity. Mike Pulaski - hired Dwayne as a Business Consultant in 2004, and hired Dwayne more than once.
  – “Dwayne was directly responsible for developing Jefferson Wells’ approach to provision of Sarbanes-Oxley services just after the act was passed by Congress. He was on the leading edge of the service. His leadership was instrumental in the subsequent success the company enjoyed.” January 7, 2008. Bob McDonald, Director Construction Services, Jefferson Wells International - worked indirectly for Dwayne at Jefferson Wells International.
  – “Dwayne took a leading role in developing the regulatory compliance practice in the UK operation. I found Dwayne to be very commercially focused and felt his strengths were in developing a lasting relationship with the client.” January 8, 2008. Martyn Smith, Senior Consultant, CTG (UK) Ltd - worked with Dwayne at CTG.
  – “Dwayne was the key provider in the delivery of an excellent Sarbanes-Oxley assessment audit of our business processes and provided specific and creative recommendations for implementation of corrective actions.” January 4, 2008. Top qualities: Personable, Good Value, On Time. John Ponzo - hired Dwayne as an IT Consultant in 2004.
  – “I encountered few people in the three years I was selling SOX and GRC applications that truly understood the intertwined nature of a control environment and technology. Dwayne understood the pros, the cons and the yet-to-be-challenged status quo. Dwayne knew early that complex control issues could be tackled efficiently using technology and at a reduced overall cost. Simply put, Dwayne "gets it"!” January 28, 2008. Brian Tietje, Senior Sales Consultant, Movaris - was with another company when working with Dwayne at CTG.
  • 58. Contact Information Dwayne E. Jorgensen, CIA, CFE Consultant Spirit Consulting Services 1851 Baltusrol Trail Duluth, GA 30097 Office: 678/957-0838 Mobile: 770/789-7581 E-mail: dej@spiritconsultingservices.com