Date posted: 28-Dec-2015
GRC-XML Program Working Session: GRC-XML Risk and Control Taxonomy, GRC-XML Prototype
XBRL International Conference, Paris, France, June 25th, 2009, 14:30 – 15:00

Your Speakers
Said Tabet, Technical Director, [email protected]
Eric E. Cohen, Executive Member, OCEG GRC-XML Working Group, [email protected]
OCEG GRC-XML Program: Agenda
• Overview of the GRC-XML Program and its architecture
• Demonstration of disparate systems sharing standardized GRC data, illustrating the use of the GRC-XML taxonomy of Risks and Controls, the foundation of future GRC-XML deliverables
• Next steps
◦ For OCEG
◦ For those interested in the work
OCEG GRC-XML Program: Overview
• Today’s business environment is highly volatile
• In response, there is increasing attention to GRC policies and procedures
• Today’s GRC architecture is predominantly silo-based, making sharing data difficult and error-prone
• A common language to represent an organization's risks, controls, policies, procedures and tests of controls can facilitate discussion, comparison and interchange
• We are driving the development of GRC-XML to address this problem
• OCEG is currently a provisional jurisdiction of XBRL
• GRC-XML
◦ Is XBRL
◦ Leverages XBRL's external reporting taxonomies
◦ Is highly integrated with XBRL's Global Ledger Framework
• We hope GRC-XML will enable highly efficient and agile Risk and Control Monitoring systems in a format that is application-neutral and easy to integrate
OCEG GRC-XML Program: Work Groups (diagram)
Work groups shown: Risk and Control Taxonomy; Fujitsu’s ERM XBRL Program; Taxonomy/Messaging Standards Area; Related Council Member Targets; Identified Taxonomy “Quick Wins”; Orgs With An Invested Interest
GRC-XML Taxonomy: The Business Case
• A common language of risk and control is a prerequisite for effective management of audit, risk, and compliance processes
• Most organizations currently struggle with a common language of risk and control between their internal GRC silos
• There is no standard risk and control language for multiple information systems to communicate or pass information
GRC-XML Taxonomy: Assumptions
• Risk and control taxonomies, from a business process view, function very similarly to a chart of accounts
• Standard risk and control models exist and are used by many organizations (COSO, COBIT), yet there is no common language for systems to communicate about these taxonomies
• XBRL is a functional technology for enabling systems to communicate business and financial reporting information
• XBRL can be effectively leveraged to enable information systems to communicate Risk, Control and Test of Control information
GRC-XML Taxonomy: Requirements
• Define a standard XBRL Taxonomy for Controls and Risks
• Define an XBRL for GRC integration specification (leveraging the XBRL Global Ledger Framework, XBRL GL) that will enable the mapping and delivery of a payload of information
◦ Leverage XBRL for external reporting
◦ Use XBRL GL for evidence and other payload
GRC-XML Model (very simplified) (diagram)
Entities shown: Business Process; Risk; Internal Control; Test of Control; Procedure/Task; Financial Risk; Operational Risk; Other Risk; COSO; Internal Policy; Regulations
COSO Framework Overview
GRC-XML Taxonomy: The Extended COSO Taxonomy
DTS (Discoverable Taxonomy Set) of the COSO IC taxonomy (diagram)
Layers shown: COSO Layer; Fujitsu Risk/Control Layer; Fujitsu Evaluation Layer
Schema files shown: coso.xsd, coso-act.xsd, coso-cta.xsd, coso-rsk.xsd, coso-obj.xsd, fujitsu-rcm.xsd, fujitsu-rsk.xsd, fujitsu-cta.xsd, fujitsu-rol.xsd
Instance document shown: FY2008evaluation.xml
- COSO Template consists of 25 components (sample: INBOUND)
- Risk Evaluation for Organizations
- Testing for Control Activities
- Related Organizations
- Relation among activity, objectives, risks and control activities
- Viewer (Presentation)
Copyright Fujitsu Research Institute 2009
25 activities defined in the COSO Evaluation Tool:
1. INBOUND
2. OPERATIONS
3. OUTBOUND
4. MARKETING AND SALES
5. SERVICE
6. PROCUREMENT
7. TECHNOLOGY DEVELOPMENT
8. HUMAN RESOURCES
9. MANAGE THE ENTERPRISE
10. MANAGE EXTERNAL RELATIONS
11. PROVIDE ADMINISTRATIVE SERVICES
12. MANAGE INFORMATION TECHNOLOGY
13. MANAGE RISKS
14. MANAGE LEGAL AFFAIRS
15. PLAN
16. PROCESS ACCOUNTS PAYABLE
17. PROCESS ACCOUNTS RECEIVABLE
18. PROCESS FUNDS
19. PROCESS FIXED ASSETS
20. ANALYZE AND RECONCILE
21. PROCESS BENEFITS AND RETIREE INFORMATION
22. PROCESS PAYROLL
23. PROCESS TAX COMPLIANCE
24. PROCESS PRODUCT COSTS
25. PROVIDE FINANCIAL AND MANAGEMENT REPORTING
GRC-XML Taxonomy: The COSO Taxonomy (Cont’d)
Extended Risk and Control in Fujitsu-RCM taxonomy
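How a DTS is discovered from an instance document's entry point, as an added example (not code from the OCEG or Fujitsu prototype): the schemas below are constructed in-memory stand-ins that reuse the file names on the slide, the import relations and layering between them are assumed, and any reference that leaves the local file set (a remote URL or a path escaping the base directory) is reported rather than fetched.

```python
import posixpath
import xml.etree.ElementTree as ET

XS = "http://www.w3.org/2001/XMLSchema"
LINK = "http://www.xbrl.org/2003/linkbase"
XLINK = "http://www.w3.org/1999/xlink"

def _schema(imports):
    # Constructed stand-in schema: only its xs:import references matter here.
    body = "".join(f'<xs:import schemaLocation="{loc}"/>' for loc in imports)
    return f'<xs:schema xmlns:xs="{XS}">{body}</xs:schema>'

# Constructed in-memory file set. File names are those on the slide; the layering
# (evaluation instance -> Fujitsu layer -> COSO layer) is assumed. fujitsu-rsk.xsd
# imports its importer (a cycle) and fujitsu-rol.xsd carries a remote reference,
# so both edge cases are exercised.
FILES = {
    "FY2008evaluation.xml": (
        f'<xbrl xmlns:link="{LINK}" xmlns:xlink="{XLINK}">'
        '<link:schemaRef xlink:type="simple" xlink:href="fujitsu-rcm.xsd"/></xbrl>'
    ),
    "fujitsu-rcm.xsd": _schema(["fujitsu-rsk.xsd", "fujitsu-cta.xsd", "fujitsu-rol.xsd", "coso.xsd"]),
    "fujitsu-rsk.xsd": _schema(["coso-rsk.xsd", "fujitsu-rcm.xsd"]),
    "fujitsu-cta.xsd": _schema(["coso-cta.xsd"]),
    "fujitsu-rol.xsd": _schema(["https://example.org/remote.xsd"]),
    "coso.xsd": _schema(["coso-act.xsd", "coso-cta.xsd", "coso-rsk.xsd", "coso-obj.xsd"]),
    "coso-act.xsd": _schema([]), "coso-cta.xsd": _schema([]),
    "coso-rsk.xsd": _schema([]), "coso-obj.xsd": _schema([]),
}

def discover_dts(instance, files=FILES):
    """Follow link:schemaRef, then xs:import transitively, from an instance.
    Returns (sorted schema names in the DTS, references that were refused).
    Only relative references to files in the local set are followed; remote
    URLs and paths that escape the base directory are reported, not fetched."""
    root = ET.fromstring(files[instance])
    queue = [r.get(f"{{{XLINK}}}href") for r in root.iter(f"{{{LINK}}}schemaRef")]
    seen, refused = set(), []
    while queue:
        ref = queue.pop()
        if "://" in ref or posixpath.normpath(ref).startswith("..") or ref not in files:
            refused.append(ref)
            continue
        if ref in seen:
            continue  # already discovered: this is what terminates the import cycle
        seen.add(ref)
        schema = ET.fromstring(files[ref])
        queue.extend(i.get("schemaLocation") for i in schema.iter(f"{{{XS}}}import"))
    return sorted(seen), refused
```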
GRC-XML Taxonomy: The Viewer
Values in the instance document FY2008evaluation.xml, in dimensional view.
GRC-XML Taxonomy: The Viewer (Cont’d)
OCEG GRC-XML Program: The Prototype, GRC-XML at Work
GRC-XML Taxonomy: Prototype Architecture (diagram)
Components shown:
- ERP Financial Application: GL, AP, AR, FA, etc.
- Controls Testing & Monitoring: Automated Control Tests (Transactions, Configurations, User access); Manual Control Tests (Surveys, Sampling)
- GRC XML (the shared data format between the systems)
- Risk & Controls Repository: Risk models; Controls documentation; Organization / Process; Test Procedures; Test Results
Demonstration
OCEG GRC-XML Program: Next Steps (diagram)
Target areas shown (five): Risk and Control Taxonomy; Strategy and Measurement; Corporate Disclosure; Issue and Incident Management; Legal Requirements
Also shown: Taxonomy/Messaging Standards Area; Related Council Member Targets; Orgs With An Invested Interest
Call to Action: Come Join Us!
• If this project is of interest to you and your organization, or if you have specific skills, knowledge and expertise you can provide, please contact OCEG
• Join OCEG and take part
• If you can’t join but you have expertise or intellectual property to contribute, please contact OCEG
• Said Tabet: [email protected]