GRC-XML Program Working Session: GRC-XML Risk and Control Taxonomy GRC-XML Prototype XBRL International Conference, Paris France June 25th, 2009 14:30 – 15:00
Page 1 (title slide)

GRC-XML Program Working Session:
GRC-XML Risk and Control Taxonomy
GRC-XML Prototype
XBRL International Conference, Paris, France
June 25th, 2009, 14:30 – 15:00

Page 2: Your Speakers

Said Tabet, Technical Director, [email protected]

Eric E. Cohen, Executive Member, OCEG GRC-XML Working Group, [email protected]

Page 3: Agenda (OCEG GRC-XML Program)

• Overview of the GRC-XML Program and its architecture

• Demonstration of disparate systems sharing standardized GRC data, to illustrate the use of the GRC-XML taxonomy of Risks and Controls, the foundation of the future GRC-XML deliverables

• Next steps
◦ For OCEG
◦ For those interested in the work

Page 4: Overview (OCEG GRC-XML Program)

• Today's business environment is highly volatile

• In response, there is increasing attention to GRC policies and procedures

• Today's GRC architecture is predominantly silo-based, making sharing data difficult and error-prone

• A common language to represent an organization's risks, controls, policies, procedures and tests of controls can facilitate discussion, comparison and interchange

• We are driving the development of GRC-XML to address this problem

• OCEG is currently a provisional jurisdiction of XBRL

• GRC-XML
◦ Is XBRL
◦ Leverages XBRL's external reporting taxonomies
◦ Is highly integrated with XBRL's Global Ledger Framework

• We hope GRC-XML will enable highly efficient and agile Risk and Control Monitoring systems in a format that is application-neutral and easy to integrate

Page 5: OCEG GRC-XML Program (diagram)

[Diagram: Work Groups. Labels recoverable from the slide: Orgs With An Invested Interest; 1 Work Group: Risk and Control Taxonomy; Fujitsu's ERM XBRL Program; Taxonomy / Messaging Standards Area; Related Council Member Targets; Identified Taxonomy "Quick Wins"]

Page 6: GRC-XML Taxonomy: The Business Case

•A common language of risk and control is a prerequisite for effective management of audit, risk, and compliance processes

•Most organizations currently struggle with a common language of risk and control between their internal GRC silos

•There is no standard risk and control language for multiple information systems to communicate or pass information

Page 7: GRC-XML Taxonomy: Assumptions

• Risk and control taxonomies, from a business process view, function very similarly to a chart of accounts

• Standard risk and control models exist and are utilized by many organizations (COSO, COBIT), yet there is no common language for systems to communicate on these taxonomies

• XBRL is a functional technology for enabling systems to communicate business and financial reporting information

• XBRL can be effectively leveraged to enable information systems to communicate Risk, Control and Test of Control information

Page 8: GRC-XML Taxonomy: Requirements

• Define a standard XBRL Taxonomy for Controls and Risks

• Define an XBRL for GRC integration specification (leveraging the XBRL Global Ledger Framework, XBRL GL) that will enable the mapping and delivery of a payload of information
◦ Leverage XBRL for external reporting
◦ Use XBRL GL for evidence and other payload

Page 9: GRC-XML Model (very simplified)

[Diagram of the simplified GRC-XML model. Nodes: Business Process; Risk; Internal Control; Test of Control; Procedure / Task; Financial Risk; Operational Risk; Other Risk; COSO; Internal Policy; Regulations]

Page 10: COSO Framework Overview

[Figure: COSO framework diagram; image not reproduced in the transcript]

Page 11: GRC-XML Taxonomy: The Extended COSO Taxonomy

DTS (Discoverable Taxonomy Set) of the COSO IC taxonomy (diagram; Copyright Fujitsu Research Institute 2009)

Layers: COSO Layer; Fujitsu Risk/Control Layer; Fujitsu Evaluation Layer

Schemas in the DTS: coso.xsd, coso-obj.xsd, coso-act.xsd, coso-cta.xsd, coso-rsk.xsd, fujitsu-rsk.xsd, fujitsu-cta.xsd, fujitsu-rol.xsd, fujitsu-rcm.xsd

Instance: FY2008evaluation.xml

- COSO Template consists of 25 components (sample: INBOUND)
- Risk Evaluation for Organizations
- Testing for Control Activities
- Related Organizations
- Relation among activity, objectives, risks and control activities
- Viewer (Presentation)

Page 12: GRC-XML Taxonomy: The COSO Taxonomy (Cont'd)

25 activities defined in the COSO Evaluation Tool (Copyright Fujitsu Research Institute 2009):

1. INBOUND
2. OPERATIONS
3. OUTBOUND
4. MARKETING AND SALES
5. SERVICE
6. PROCUREMENT
7. TECHNOLOGY DEVELOPMENT
8. HUMAN RESOURCES
9. MANAGE THE ENTERPRISE
10. MANAGE EXTERNAL RELATIONS
11. PROVIDE ADMINISTRATIVE SERVICES
12. MANAGE INFORMATION TECHNOLOGY
13. MANAGE RISKS
14. MANAGE LEGAL AFFAIRS
15. PLAN
16. PROCESS ACCOUNTS PAYABLE
17. PROCESS ACCOUNTS RECEIVABLE
18. PROCESS FUNDS
19. PROCESS FIXED ASSETS
20. ANALYZE AND RECONCILE
21. PROCESS BENEFITS AND RETIREE INFORMATION
22. PROCESS PAYROLL
23. PROCESS TAX COMPLIANCE
24. PROCESS PRODUCT COSTS
25. PROVIDE FINANCIAL AND MANAGEMENT REPORTING

Page 13: GRC-XML Taxonomy: The Viewer

[Screenshot: Extended Risk and Control in the Fujitsu-RCM taxonomy]

Page 14: GRC-XML Taxonomy: The Viewer (Cont'd)

[Screenshot: values in the instance document FY2008evaluation.xml in dimensional view]
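The "dimensional view" shown on the previous two slides is what an XBRL Dimensions 1.0 instance looks like once each fact's contextRef is resolved to its explicit dimension members (activity, risk, and so on). The following is an added example, not code from the OCEG or Fujitsu prototype: it embeds a small constructed instance and resolves it into rows. The xbrli:, xbrldi: and link: namespaces and the explicitMember mechanism are the standard XBRL ones; the grc: taxonomy namespace, the ActivityAxis/RiskAxis dimensions, the member names, and the ControlTestResult concept are assumptions made for the example, since the Fujitsu-RCM and COSO schemas are not reproduced on this page. The third fact deliberately references a context that does not exist, the kind of defect a viewer has to surface rather than silently drop.

```python
"""Resolve a (hypothetical) GRC-XML instance into a dimensional view.

Added example; not the OCEG/Fujitsu prototype code. Everything in the
grc: namespace is an assumption for illustration.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

XBRLI = "http://www.xbrl.org/2003/instance"      # XBRL 2.1 instance namespace
XBRLDI = "http://xbrl.org/2006/xbrldi"           # XBRL Dimensions 1.0 instance namespace
LINK = "http://www.xbrl.org/2003/linkbase"
XLINK = "http://www.w3.org/1999/xlink"
GRC = "http://example.org/grc-xml/hypothetical"  # assumed taxonomy namespace

# Constructed sample instance: two resolvable facts plus one dangling contextRef.
SAMPLE_INSTANCE = f"""<xbrli:xbrl xmlns:xbrli="{XBRLI}" xmlns:xbrldi="{XBRLDI}"
    xmlns:link="{LINK}" xmlns:xlink="{XLINK}" xmlns:grc="{GRC}">
  <link:schemaRef xlink:type="simple" xlink:href="fujitsu-rcm.xsd"/>
  <xbrli:context id="c_inbound">
    <xbrli:entity>
      <xbrli:identifier scheme="http://example.org/entities">ACME</xbrli:identifier>
      <xbrli:segment>
        <xbrldi:explicitMember dimension="grc:ActivityAxis">grc:InboundMember</xbrldi:explicitMember>
        <xbrldi:explicitMember dimension="grc:RiskAxis">grc:ReceiptNotRecordedMember</xbrldi:explicitMember>
      </xbrli:segment>
    </xbrli:entity>
    <xbrli:period><xbrli:startDate>2008-04-01</xbrli:startDate><xbrli:endDate>2009-03-31</xbrli:endDate></xbrli:period>
  </xbrli:context>
  <xbrli:context id="c_operations">
    <xbrli:entity>
      <xbrli:identifier scheme="http://example.org/entities">ACME</xbrli:identifier>
      <xbrli:segment>
        <xbrldi:explicitMember dimension="grc:ActivityAxis">grc:OperationsMember</xbrldi:explicitMember>
        <xbrldi:explicitMember dimension="grc:RiskAxis">grc:UnauthorizedChangeMember</xbrldi:explicitMember>
      </xbrli:segment>
    </xbrli:entity>
    <xbrli:period><xbrli:startDate>2008-04-01</xbrli:startDate><xbrli:endDate>2009-03-31</xbrli:endDate></xbrli:period>
  </xbrli:context>
  <grc:ControlTestResult contextRef="c_inbound">Effective</grc:ControlTestResult>
  <grc:ControlTestResult contextRef="c_operations">Deficient</grc:ControlTestResult>
  <grc:ControlTestResult contextRef="c_missing">Effective</grc:ControlTestResult>
</xbrli:xbrl>
"""


def _namespace(tag):
    """Namespace URI of an ElementTree tag of the form '{uri}local'."""
    return tag[1:tag.index("}")] if tag.startswith("{") else ""


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def load_contexts(root):
    """Map each xbrli:context id to its {dimension QName: member QName} dict."""
    contexts = {}
    for ctx in root.findall(f"{{{XBRLI}}}context"):
        dims = {}
        # explicitMember may sit in xbrli:segment or xbrli:scenario; iter() finds both.
        for member in ctx.iter(f"{{{XBRLDI}}}explicitMember"):
            dims[member.get("dimension")] = (member.text or "").strip()
        contexts[ctx.get("id")] = dims
    return contexts


def dimensional_view(xml_text):
    """Return (rows, errors): one row per fact with its dimension members resolved.

    A fact whose contextRef does not name a context in the instance is reported
    in `errors` instead of being dropped silently.
    """
    root = ET.fromstring(xml_text)
    contexts = load_contexts(root)
    rows, errors = [], []
    for el in root:
        # Contexts, units and schemaRef are infrastructure, not facts.
        if _namespace(el.tag) in (XBRLI, LINK):
            continue
        ref = el.get("contextRef")
        if ref not in contexts:
            errors.append(f"{_local(el.tag)}: unknown contextRef {ref!r}")
            continue
        rows.append({"concept": _local(el.tag), "value": (el.text or "").strip(), **contexts[ref]})
    return rows, errors


def by_axis(rows, axis):
    """Pivot the rows along one dimension: {member: [fact values]}."""
    table = defaultdict(list)
    for row in rows:
        table[row.get(axis, "(no member)")].append(row["value"])
    return dict(table)


if __name__ == "__main__":
    rows, errors = dimensional_view(SAMPLE_INSTANCE)
    for row in rows:
        print(row)
    print("by activity:", by_axis(rows, "grc:ActivityAxis"))
    print("errors:", errors)
```

An instance received from another organization is untrusted input; for those, parse with defusedxml rather than xml.etree, and validate the instance against the DTS before acting on its facts, since the referential check above only covers contextRef.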

Page 15: The Prototype: GRC-XML at work (OCEG GRC-XML Program)

Page 16: GRC-XML Taxonomy: Prototype Architecture

[Diagram. Components: ERP Financial Application (GL, AP, AR, FA, etc.); Controls Testing & Monitoring (Automated Control Tests: Transactions, Configurations, User access; Manual Control Tests: Surveys, Sampling); Risk & Controls Repository (Risk models, Controls documentation, Organization / Process, Test Procedures, Test Results). The components exchange data as GRC XML.]

Page 17: Demonstration

Page 18: Next Steps (OCEG GRC-XML Program)

Page 19: OCEG GRC-XML Program (diagram)

[Diagram: five Target areas. Labels recoverable from the slide: Orgs With An Invested Interest; Risk and Control Taxonomy; Strategy and Measurement; Corporate Disclosure; Issue and Incident Management; Legal Requirements; Taxonomy / Messaging Standards Area; Related Council Member Targets]

Page 20: Call to Action: Come Join Us!

• If this project is of interest to you and your organization, or if you have specific skills, knowledge and expertise you can provide, please contact OCEG

• Join OCEG and take part

• If you can't join but you have expertise or intellectual property to contribute, please contact OCEG

• Said Tabet
◦ [email protected]
