Optimizing Compliance Programs in Organizations: A Top Down Approach

Date post: 17-Aug-2015
Upload: ethisphere

GOOD. SMART. BUSINESS. PROFIT.™

Optimizing Compliance Programs in Organizations: A Top-Down Approach

March 19, 2015

HOST

Kevin McCormack

Managing Director, Content & Programming

[email protected]

303.819.9817

QUESTIONS

We welcome you to submit any questions for the presenters through the chat function you see on your screen.

RECORDING

The event recording and PowerPoint will be provided post event.


SPEAKING TODAY

Danny Goldberg, Founder, GOLD SRD

Terence Lee, Regional VP GRC Solutions, MetricStream, Inc.

INTRODUCTION

Danny M. Goldberg

• Founder, GOLDSRD (www.goldsrd.com)

• Former Director of Corporate Audit/SOX at Dr Pepper Snapple Group

• Former CAE - Tyler Technologies

• Published Author (Book/Articles)

• Texas A&M University – 97/98

• Chairman of the Leadership Council of the American Lung Association - North Texas –Calendar Year 2012

• Served on the Audit Committee of the Dallas Independent School District (CY 2008)

• Current Dallas and Fort Worth IIA Programs Co-Chair

• Fort Worth IIA Board Member

• IIA North America Learning Committee Member

Certifications:

• CPA – Since 2000

• CIA – Since 2008

• CISA – Since 2008

• CGEIT - Since 2009

• CRISC - Since 2011

• CRMA – Since 2011

• CCSA – Since 2007

• CGMA – Since 2012


Danny M. Goldberg (cont.)

• Highly-Rated, Internationally Recognized Speaker

– One of the Top Rated Speakers, 2014 IIA All-Star Conference

– 7th Rated Speaker, 2014 ISACA ISRM Conference

– One of the Top Rated Speakers, 2014 IIA Mid-Atlantic Conference

– One of the Top Rated Speakers, 2014 IIA Gaming Conference

– 6th Highest Rated Speaker (out of 116), 2013 IIA International Conference

– 3rd and 5th Rated Sessions, 2013 IIA Central Regional Conference

– 8th Rated Speaker (out of 120), 2012 IIA International Conference

Danny M. Goldberg (cont.)

• Published Author

– HFTP Journal: Practice Ethics (November 2014)

– Bureau of National Affairs - Internal Audit: Fundamental Principles and Best Practices (Professional Commentator)

– College & University Auditor (March 2014 Cover) – Project Management

– Audit Report Articles (June 2013 Cover, March 2012, March 2011, June 2010 Cover) – “Critical Thoughts on Critical Thinking”

– ISACA Journal (May 2012, August 2012)

– Internal Auditor Articles (August 2007, December 2007, October 2010)

– Dallas Business Journal (January 2011) – “The Yes Man Phenomenon”

Agenda

• Overview of Compliance and Integration Challenges

• Top-Down Risk Based Approach (Centralized Oversight)

• Compliance as a key enterprise risk

• Key Aspects for Integrated Auditing

• Differentiation between External, Internal and Regulatory

• Differences (Sample Sizes, Substantive versus Controls)

Compliance Today

• Business is NOT being deregulated; standards are increasing and becoming more stringent

• Silo approach to compliance in many large organizations

– Little to no integration (competing priorities)

– Compliance is not viewed as value-add (“we have to do it”)

Implications of Lack of Integration

• Who owns compliance? Which line of defense?

• Limited compliance knowledge in the business/process owners

• Advanced preparation becomes a necessity

• Lack of separation between auditors (“We get audited all the time”)

Top-Down Approach

• Board Oversight and Support (Compliance Program)

• Management Messaging (Continuous)

– Focus on Value of Compliance

• Continuous Monitoring/Auditing

• Incentive Plans tied to Compliance

Compliance Program

• Compliance is Part of Management

• Considered at the Strategic/Enterprise Level

• Addressed as Part of ERM Program

• Address Root Causes when Non-Compliance is uncovered

• Consider/Identify business process interdependencies

Definition of Internal Audit

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.

It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Key Enterprise Risks

• Focus on Value of Compliance

• Top Five risk in most/many industries

• Compliance is not optional

• Lack of Compliance

– Do Not Focus on Fines

– Unable to do Business?

– Not aligned with Company’s Strategic Objectives?

Messaging

How Do You Get People to Do What They Do Not Want to Do?

• Socialize Importance of Compliance

• Continuous Communication

• Training

• Embed in the Business

Integrated Audit – Natural Similarities

[Diagram: overlapping functions labelled “Integrated Audit”]

Integrated Auditing

• Starts at the Top

• Umbrella Approach to GRC?

– All functions reporting through same authority line

• Must start at the Risk Assessment Level

– Combine Audit Risks with Compliance Risks (if possible)

• Integrate Pool of Auditors

Types of Continuous GRC

• Data Analytics

– Continuous Monitoring

– Continuous Auditing

• Continuous Risk Assessment

• Continuous Controls Monitoring

• Data Warehousing

• Data Mining

• Fraud Detection Tool


Continuous Controls Monitoring

• Process performed by management to determine whether policies are operating effectively

• Uses automated tests to identify activities and transactions that fail to comply with controls

• Allows management to fix control problems timely

• Similar to continuous risk assessment – find the key controls, understand how they can be monitored through the system, etc.

“Who is Auditing Me Now?”

• Confusion with Auditees as to who does what

• Perception is that audits happen “all the time” – there is no end

• Integration will assist perception

• Important to delineate between internal and external

Differences Between Compliance and Internal Audit

• Controls testing versus Substantive testing

• Non-statistical Sampling versus Statistical Sampling

• Concluding on initial sample versus extending sample sizes

Benefits of Compliance Optimization

• Efficiency and Effectiveness of Compliance Process = Money

• Real-Time Information (KPI’s) – pushes understanding and acceptance

• Increased Readiness to Respond to Third-Parties

Summary

• Compliance must be viewed as a key risk (ERM)

• Integration is key to efficiency and effectiveness

• Automation (CA/CM) is key to effective response

• Can generate new revenue, etc. = Business Opportunity

© 2015 MetricStream, Inc. All Rights Reserved.

Optimizing Compliance Programs in Organizations: A Top-Down Approach

Terence Lee, Regional Vice President | GRC Solutions

[email protected]

Agenda

• Challenges faced by the Business today

• Facing the Compliance Challenge

• Compliance as a Management Function

• Benefits of an Effective Compliance Program

• Q & A


Challenges faced by the Business today


Challenges

• Addressing changing regulations and mandates.

• Management of Regulatory Changes in silos.

• Management of policies related to Governance, risk, compliance, ethics, and business conduct.

• Lack of systematized operational testing.

• Disconnect with BPM and Issue Tracking tools.


Facing the Compliance Challenge

Managing the Compliances

Facing The Compliance Challenge

• Standardize Internal Controls

– Create a central repository for all types of company’s control systems, including those for operational efficiency, regulatory compliance, and financial reporting.

– Have control linkages to related GRC content (regulations, processes, risks etc.) to get a bigger picture.

• Use Business Process Management tools

– Provide a framework for managing complex processes, ensuring that changes can be made in line with regulations.

• Implement Standard Documentation

– Have an integrated document repository to store documents pertaining to processes and controls across all subsidiaries.

• Simplify Change Management

– Enable sharing of documented risks and controls across processes.

– Rationalize and reduce documented controls


Facing The Compliance Challenge (contd.)

• Enable Operational Testing

– Test internal controls in a consistent manner across all operations within the company and over time.

– Export report data into spreadsheets to simplify the overall operational testing process.

• Automate Issue Management

– Provide complete visibility into the entire lifecycle of issues – from identification through root cause analysis to remediation.

• Enhance Reporting Capabilities

– Build executive dashboards which provide enterprise-wide visibility into the internal controls and processes.

– Build reports and scorecards for status tracking.

– Provide statistics and data by a variety of parameters such as business units, processes, and divisions.

Compliance Management Approach

[Diagram: Compliance Management Approach. Labels as they appear on the slide: Document Mgmt.; Translate Rules Into Policies & Procedures; Policies & Procedures; Rules & Regulations; Construct Compliance Strategies; Risk / Cost of Compliance; Compliance Reporting & Dashboards. Examples: G&A, T&E, HR, FCPA, OFAC, AML, Corporate Ethics, Financial Processes, Adherence to Rules & Laws, SEC Rules & Regs., Financial Controls, Independence, Non-Key Controls, Code of Conduct, OFAC, FERC/NERC. Activities: Controls Self-Testing, 3rd Party Testing, Training & Certification, Notifications & Alerts, Attestation. Caption: Build a control structure that matches company risks.]

A Typical Compliance Management Workflow

[Diagram: Planning → Organizing → Operating → Controlling]

Single Platform for Multiple Compliance Programs

[Diagram of linked entity groups, reconstructed as lists:]

Risks: Risk 1, Risk 2, Risk 3

Controls: Control 1, Control 2, Control 3

Functions/Standards: IT, Function 1

Processes: Process 1, Process 2, Process 3

Control Tests: Control Test 1, Control Test 2, Control Test 3

Risk Assessments: Risk-Based, Requirement-Based, Business Unit-Based

Issues: Action Plan, Implement, Monitor

Area of Compliance: SEC, NASD, PCI, ISO, SOX

References: Regulation 1, Regulation 2, Standard 1, Standard 2

Policies/Documents: Policy 1, Procedure 1, Work Instruction 1

Benefits of an Effective Compliance Program


Benefits

• Reduced Cost, Time, and Effort

– Automated information flows, assessments and testing, and remediation assignments will reduce overall compliance costs.

• Increased Efficiency and Collaboration

– Groups will be able to carry out team activities in a productive manner within the collaborative environment.

– Business will understand, control and manage business processes within strict tolerances.

• Streamlined Change Control

– Integrated document management with change control capabilities will keep documentation and processes in sync. This will significantly reduce the amount of redo of documentation for ongoing compliance.

• Enhanced Transparency and Visibility

– Risk of non-compliance will reduce, assuring the executives of higher customer and investor confidence.

• Improved Reporting Capabilities

– Enterprise-wide visibility into the financial controls management and compliance process will improve and also highlight issues that need to be addressed.


About MetricStream

Vision: Integrated Governance, Risk and Compliance for Better Business Performance

Organization

• Over 1,700 employees

• Headquarters in Palo Alto, California with offices worldwide

• Over 350 enterprise customers

• Privately held – backed by leading global VCs, including Goldman Sachs

Solutions

• Enterprise Risk Management

• Operational Risk Management

• Vendor Risk Management

• Audit Management

• Third Party Management

• EHS & Sustainability

• Compliance Management

• SOX Compliance

• IT-GRC

• Quality Management

Partners

[Partner logos not reproduced in the transcript]

Differentiators

• Technology - GRC Platform – 9 Patents

• Breadth of Solutions – Single Vendor for all GRC needs

• Cross-industry Best Practices and Domain Knowledge

• ComplianceOnline.com - Largest Compliance Portal on the Web

• GRCIntelligence.com - One stop solution for curated intelligence

Q&A

Business Ethics Leadership Alliance (BELA)

This webcast and all future Ethisphere webcasts are available complimentary and on demand for BELA members. BELA members are also offered complimentary registration to Ethisphere’s Global Ethics Summit and other Summits around the world.

For more information on BELA contact:

Laara van Loben Sels

Senior Director, Engagement Services

[email protected]

480.397.2663

THANK YOU
