Protiviti CAE Roundtable Series High Value Internal Audits October 10, 2008
Page 1: Protiviti CAE Roundtable Series - KnowledgeLeader · Protiviti CAE Roundtable Series High Value Internal Audits October 10, 2008

Protiviti CAE Roundtable Series

High Value Internal Audits

October 10, 2008

Page 2

© 2008 Protiviti Inc. This document is for your company’s internal use only and may not be distributed to any third party.

Universal Characteristics of Successful Internal Audit Programs:

• The mission of the IA function is defined by adding value

• Supports corporate governance initiatives

• Provides continuous auditing services - not a rigid plan

• Responds to increasing complexity of organizational risks by delivering enterprise-wide value and recognizing strategic impact to their businesses

• Grooms and retains first-rate professionals in the IA function who will continue their careers in key positions throughout the entire organization

• Embraces the need to keep pace with regulatory changes, advancing technology, and monitoring the wide array of risks – internally and externally

Internal Audit Expectations are Rising….

The expectation for Internal Audit to add more value is becoming more pervasive!

Page 3

So How Can We Add Value?

Internal Audit Services

• Internal Audit Quality Assessment Review

• Internal Audit Transformation

Continuity

• Business Continuity Management

• Disaster Recovery Planning

• Crisis Management/Pandemic Audits

Governance and Management

• Enterprise Risk Management

• Overall GRC - Governance Review

• IT Governance Review

• IT Alignment with Business Strategy

• Project and Portfolio Management

• Due Diligence Process

IT Processes and Operations

• IT Infrastructure Library Benchmarking Audit

• IT Asset Management

• IT Service Management

• Technology Change Management

IT Security and Privacy

• Identity Management

• Database Security Audit

• Data Privacy Review

• Payment Card Industry (PCI) Audit

• Vulnerability Assessment

Information Management

• Business Intelligence Diagnostic

• Intellectual Property Audit

• Records Management

Technology Infrastructure, Technology Components and Configurations

• Technology Architecture Evaluations

• Database Audits

• Network Audit

IT Risk Assessment and Planning

• IT Audit Scoping and Risk Assessment

• CobiT Implementation Assistance

Application Security, Controls and Configuration

• ERP Security Assessment

• Pre/Post-Implementation Review

• Automated Business Process Control Review

Financial Leakage / Asset Protection

• Spend Risk Assessment

• Royalty Audit

• Loss Prevention

• Revenue Risk Review

• Credit Risk Review

Litigation, Investigative, Regulatory

• E-Discovery

• Anti-Fraud Assessment of Programs/Controls

• Regulatory (various)

Business Operations Improvement

• Supply Chain Assessment

• Global Sourcing

• Capital Projects & Construction

• SOX Controls Rationalization

“High Value Audits”

Page 4

So How Can We Add Value?

Page 5

What Is The Total Cost of Ownership?

Most organizations spend 20% to 70% of their revenues procuring third-party goods and services. When searching for cost savings, the focus is often on Unit Cost while other cost drivers are ignored.

Spend Risk Audits allow Internal Audit to look at all aspects of the expenditure process and identify the risks and cost drivers affecting the organization.

Total Cost of Ownership diagram labels: Unit Cost, Price, Specifications, Usage Costs, Ownership Costs, Obsolescence Costs, Inventory Costs, Administrative & Process Costs, Processing Costs, Working Capital Impact, Total Cost; Perceived Opportunities versus Effective Opportunities.

Cost drivers called out on the diagram:

• Volume leverage

• Rebate management

• Performance, incentive structure

• Gain sharing

• Guaranteed reductions

• Product design

• Product specifications

• Standardization

• Extended life products

• End product cost

• Recycle

• Transportation

• Scrap

• Mix shifting

• Elimination

• Consolidated invoicing

• eProcurement

• PO processing

• Receiving

• Payment Errors

• Stockless inventory

• Performance reporting

• Payables

• Quality

• Payment Terms

Page 6

Supply Chain Risks ... and Opportunities

Risks

• Business Interruption due to Supply Concerns

• Duplicate Payments

• Inefficient Working Capital Management

• Fraudulent Payments

• Reputation Risks from Poor Quality Products or Vendor Selection

• High Processing Costs / Headcount

• Non-Optimized Sourcing Decisions

Opportunities

• Develop Supply Chain Contingency Plans

• Recover Dollars Lost through Financial Leakage

• Better Manage Cash through Discount Use and Payment Term Extensions

• Identify and Prevent Fraud

• Analyze Vendor Usage to Reduce Risk and Save Dollars through Strategic Sourcing

• Identify Process Bottlenecks and Inefficiencies

Page 7

Spend Risk Audit – Establish Scope

Internal Audit can align itself with the organization by assisting with the evaluation of the Cost Drivers and the Risk Environment in which it operates. A Spend Risk Audit can be constructed as a general assessment or focused specifically on one component. To help establish the focus, scoping questions can assist in assessing the risk profile of your organization.

Supply Chain Risk

• Does a Contingency Plan exist for your sole sourcing arrangements?

• Could an environmental event interrupt your supplies?

• Do Geo-Political Risks exist in your Supplier Base?

Strategic Sourcing

• Are centralized spend decisions being made for all Departments and Locations?

• Does a centralized contract database exist to take advantage of purchasing actions?

• How are product specifications established and monitored?

Working Capital

• Has your organization established a policy on preferred payment terms?

• Is workflow installed to ensure payment timing can be dictated by the business?

• Are ERP System controls established to ensure compliance?

Financial Leakage

• Has your organization experienced a system conversion / merger in the last 3 years?

• Has AP or Purchasing had a high amount of turnover?

• When was the last time a financial leakage audit occurred?

Forensic Review

• Have you experienced or suspected a fraud event?

• Is your organization concerned about FCPA compliance?

• Is there a corporate policy regarding related party vendors?

Page 8

Spend Risk Audit - Approach

Internal Data

• Vendor Master File

• Employee Master File

• Invoices and Invoice Line Items

• Purchase Orders Table

• Payment Table

• Contract Database

• T&E Expenses

Questions to Ask

What data is captured and where?

What support do you have from IT? What data analysis capabilities do you have within your Department?

External Data

• Supplier Billing Data

• Credit Card Providers (PCard, T & E, etc.)

• Payment Receipt Data

• Government Databases (Social Security Administration, OFAC Database)

Questions to Ask

What data format should be provided by the Supplier?

What is the time period in scope?

Page 9

Spend Risk Audit - Tools

Benchmarking Tools and Data Analysis Tools (products shown): Assure Controls™ for SAP R/3, Assure Security™ for SAP R/3, Assure Integrity™ for SAP R/3

Data Analysis and Benchmarking are critical elements when designing a Spend Audit.

• Benchmarking services allow for the comparison against other organizations in the same industry

• Data analysis tools allow for the audit of 100% of the spend data and an “Anomaly Focused” approach to the audit.
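Added example (not Protiviti's code, nor any of the tools named above): the anomaly-focused, whole-population analysis that the Approach and Tools slides describe, written in Python over a constructed vendor master, employee master and payment table. The record layout, the normalization rules and the 5% cost-of-capital rate are assumptions.

```python
"""Anomaly-focused spend audit over a full payment population (added example).

Constructed data; the record layout is an assumption, not a real ERP schema.
Tests map to the deck's scoping themes: duplicate payments (Financial Leakage),
early payments (Working Capital), vendor/employee address matches (Forensic Review)."""
import re
from collections import defaultdict
from datetime import date

# Spelling variants collapsed before comparison; extend for your own data.
ABBREVIATIONS = {"street": "st", "road": "rd", "avenue": "ave",
                 "company": "co", "incorporated": "inc"}

# Constructed sample records (the Internal Data sources on the Approach slide).
VENDOR_MASTER = [
    {"vendor_id": "V100", "name": "Acme Supply Co.", "tax_id": "12-3456789", "address": "1 Main St"},
    {"vendor_id": "V101", "name": "ACME SUPPLY COMPANY", "tax_id": "12-3456789", "address": "1 Main Street"},
    {"vendor_id": "V102", "name": "Northwind Contracting", "tax_id": "98-7654321", "address": "9 Elm Rd"},
]
EMPLOYEE_MASTER = [
    {"emp_id": "E1", "name": "Jane Doe", "address": "9 Elm Rd", "dept": "Purchasing"},
    {"emp_id": "E2", "name": "Sam Lee", "address": "44 Oak Ave", "dept": "Finance"},
]
PAYMENTS = [  # one row per disbursement; 'paid' is the cheque/ACH date
    {"pay_id": "P1", "vendor_id": "V100", "invoice_no": "INV-0001", "amount": 12500.00,
     "paid": date(2008, 3, 3), "due": date(2008, 3, 30)},
    {"pay_id": "P2", "vendor_id": "V101", "invoice_no": "inv 0001", "amount": 12500.00,
     "paid": date(2008, 3, 17), "due": date(2008, 3, 30)},
    {"pay_id": "P3", "vendor_id": "V102", "invoice_no": "NC-77", "amount": 48000.00,
     "paid": date(2008, 4, 30), "due": date(2008, 4, 30)},
    {"pay_id": "P4", "vendor_id": "V100", "invoice_no": "INV-0002", "amount": 300.00,
     "paid": date(2008, 5, 2), "due": date(2008, 5, 1)},
]


def normalize(text):
    """Lower-case, strip punctuation and spacing, expand abbreviations, so that
    'INV-0001' == 'inv 0001' and '1 Main Street' == '1 Main St'."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return "".join(ABBREVIATIONS.get(w, w) for w in words)

def duplicate_vendor_records(vendors):
    """Same tax ID under more than one vendor number: the usual root cause of
    duplicate payments, because AP duplicate checks run per vendor number."""
    by_tax = defaultdict(list)
    for v in vendors:
        by_tax[v["tax_id"]].append(v["vendor_id"])
    return [sorted(ids) for ids in by_tax.values() if len(ids) > 1]

def duplicate_payments(payments, vendors):
    """Same legal vendor (by tax ID), same normalized invoice number and amount,
    paid more than once. Keying on tax ID catches the split-master case."""
    tax_by_vendor = {v["vendor_id"]: v["tax_id"] for v in vendors}
    groups = defaultdict(list)
    for p in payments:
        key = (tax_by_vendor.get(p["vendor_id"], p["vendor_id"]),
               normalize(p["invoice_no"]), round(p["amount"], 2))
        groups[key].append(p["pay_id"])
    return [sorted(ids) for ids in groups.values() if len(ids) > 1]

def early_payments(payments):
    """Disbursements released before the due date, as (pay_id, days_early, amount).
    Paying on the due date is not early; late payments are a separate test."""
    return [(p["pay_id"], (p["due"] - p["paid"]).days, p["amount"])
            for p in payments if p["paid"] < p["due"]]

def cost_of_capital(early, annual_rate):
    """Simple-interest value of cash handed over early: the figure behind a
    'cost of capital savings' finding. The rate is an input, not a constant."""
    return round(sum(amount * annual_rate * days / 365 for _, days, amount in early), 2)

def related_party_vendors(vendors, employees):
    """Vendor records sharing a normalized address with an employee. An indicator
    for follow-up, not proof; the department shows whether the employee is
    placed to influence awards (a Purchasing or AP match is the concern)."""
    by_addr = defaultdict(list)
    for e in employees:
        by_addr[normalize(e["address"])].append(e)
    return [{"vendor_id": v["vendor_id"], "emp_id": e["emp_id"], "dept": e["dept"]}
            for v in vendors for e in by_addr.get(normalize(v["address"]), [])]

def run_spend_audit(payments, vendors, employees, annual_rate=0.05):
    """Run every test over the whole population (no sampling) and return findings."""
    early = early_payments(payments)
    return {
        "duplicate_vendor_records": duplicate_vendor_records(vendors),
        "duplicate_payments": duplicate_payments(payments, vendors),
        "early_payments": early,
        "cost_of_capital_foregone": cost_of_capital(early, annual_rate),
        "related_party_vendors": related_party_vendors(vendors, employees),
    }

if __name__ == "__main__":
    for test, finding in run_spend_audit(PAYMENTS, VENDOR_MASTER, EMPLOYEE_MASTER).items():
        print(f"{test}: {finding}")
```

On the constructed data the same supplier under two vendor numbers is paid twice for one invoice, two payments leave early, and one vendor shares an address with a Purchasing employee; each is a lead for follow-up, not a conclusion.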

Page 10

Spend Risk Audit - Benefits

Supply Chain Risk: A large Manufacturer developed an inventory contingency plan to maintain production in response to sole sourcing disruption.

Strategic Sourcing: A National Retailer performed an audit that revealed their SGA Spend was significantly higher than their competition. The resulting sourcing initiative produced a 3% reduction in SGA Costs.

Working Capital: A School District identified nearly $400K in Annual Cost of Capital Savings by enabling controls to prevent payments prior to due dates.

Financial Leakage: A large Pharmaceutical Firm outsourced Accounts Payable to India, resulting in $12M in duplicate payments during Year 1.

Forensic Review: A Development Company identified a Purchasing Employee who was using her position to assist her husband’s contracting business. Hundreds of thousands of dollars of work was awarded to his firm during her tenure.

Page 11

Roundtable Discussion Questions

• What experience does your IA function have in conducting a Spend Risk Audit? What was the value? What were some of the lessons learned?

• Is data a roadblock when scoping your audit – both in terms of getting IT Support and having the analysis skills to interpret the data provided?

• Have the recent economic events affected your organization’s focus on costs? Has internal audit been asked to respond to this change in focus?

Page 12

So How Can We Add Value?

Page 13

"It takes twenty years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently."

- Warren Buffett

Information Risks

It is easy to see the increasing compliance and regulatory risks associated with the protection of confidential information, especially personal information.

The true risks, however, are core to every organization’s fundamental business:

• Reputation Risk

• Compliance & Regulatory Risk

• Financial Risk

Page 14

The Risk Continues to Grow

More than 100 million personally-identifiable, customer records have been breached in the US over the past two years. Most of these breaches occurred at companies that are household names. As a result, boards and top executives are demanding reports from their IT and security staff on the effectiveness of security controls within their organizations.

Forrester: September 2007

Throughout hundreds of investigations over the last four years, one theme emerges as perhaps the most consistent and widespread trend of our entire caseload. Nine out of 10 data breaches involved one of the following:

• A system unknown to the organization (or business group affected)

• A system storing data that the organization did not know existed on that system

• A system that had unknown network connections or accessibility

• A system that had unknown accounts or privileges

We refer to these recurring situations as “unknown unknowns” and they appear to be the Achilles heel in the data protection efforts of every organization—regardless of industry, size, location, or overall security posture.

Source: Verizon 2008 Data Breach Investigation Report

Page 15

Key Audit Elements – Types of Data

Information Loss Prevention

Confidential Information:

Business Data - confidential or sensitive business-related data that does not relate to individuals (e.g., pricing information, trade secrets, financials, M&A or other strategic plans, etc.);

Personal Data - any data, which is not publicly available, that can uniquely identify a specific individual (customer, employee, etc.); and

Intellectual Property - any intangible asset that consists of human knowledge and ideas, of which the ownership or right to use is legally protected by the company (e.g., copyright, patent, trademark, etc.)

Data states:

• In Motion: Where is it going?

• At Rest: Where is it stored?

• In Use: How is it used, and by whom?

Page 16

Key Audit Elements – Regulatory Requirements

US Federal:

HIPAA, GLBA, COPPA, Do Not Call

Canada:

PIPEDA

California:

SB1, SB1386

Argentina:

Personal Data Protection Law, Confidentiality of Information Law

European Union:

EU Data Protection Directive and Member States Data Protection Laws, Safe Harbor Principles

South Africa:

Electronic Communications and Transactions Act

Australia:

Federal Privacy Amendment Bill

Hong Kong:

Personal Data Privacy Ordinance

Japan:

Guidelines for the Protection of Computer Processed Personal Data

UK:

Data Protection Act

Brazil:

Article 5 of the 1988 Constitution

Page 17

Key Audit Elements – Information Lifecycle

Confidential information audits are designed to help identify confidential information on your network, determine if adequate controls are in place, identify potential root cause issues and provide recommendations for protecting this information.

Information Lifecycle (diagram): Collection, Sharing, Usage, Retention & Storage, Disposal, surrounded by Policy & Awareness.

IA can perform audits to evaluate compliance to defined policies and standards, including leading industry practices across:

• Business Units

• Departments

• Geographies

Page 18

Key Audit Elements – Vendor Management Aspects

Headline News: “Theft Of Gap Laptop Puts 800,000 Job Applicants At Risk”

Source: Information Week, Final Edition, October 2007

What really happened – “The laptop was stolen from one of the retailer's third-party vendors that manages information on job applicants.”

Common Vendor Issues

• Companies do not know which third parties have access to, or are provided, confidential information

• Contract language is not put in place to address data protection concerns

• Companies do not assess or enforce data protection controls that third parties should have in place

Page 19

Audit Tools – Data Leakage Assessments

Your company’s network, like most, is permeable from the inside out (FTP, Email, Webmail, Message Boards, P2P Clients, IM, Chat, Blogging….)

Would you know if sensitive information were leaking out of your organization?

Would you know if at-risk material were being accessed by your employees?

To: CEO

RE: Merger – HIGHLY SENSITIVE

Please treat this information…..

Data Leakage Tools

Page 20

Audit Results

An Information Protection Audit can help answer these questions:

• Am I adequately protecting my customer’s and/or employee’s information?

• Are we meeting our regulatory requirements with regards to Data Privacy?

• Where is our biggest risk of a potential data breach?

• Am I prepared in the event that a breach occurs?

• Are our vendors adequately protecting our data?

Page 21

Roundtable Discussion Questions

• Who owns this risk area in your organization (IT, Legal, Compliance, IA, etc) and what have been the coordination and ownership challenges?

• Where does your organization stand on the maturity of policy development in these emerging areas?

• How has your IA shop prioritized the various levels of IT Security risk (mobile devices, global networks, personal data, etc.)?

• What tools have you found helpful in conducting audits?

• What skill sets have you found to be critical in conducting these reviews?

Page 22

So How Can We Add Value?

Page 23

What’s e-Discovery?

A process that organizations have to go through when faced with legal or regulatory actions.

Phases of a Lawsuit: Case Assessment and Development; Pleadings and Motions; Discovery and Trial Preparation; Trial and Judgment; Appeals and Enforcement.

Page 24

Key Takeaways

It’s a Risk that Demands a Response.

• RISK. In a changing legal landscape and regulatory climate, the cost of compliance and the harsh consequences of non-compliance are both growing exponentially.

• DEMANDS. The demands may not be avoidable, but the excessive cost, burden and duration certainly can.

• RESPONSE. Organizations are looking to transform the challenges of ad hoc projects to sustainable processes.

Page 25

What’s It About?

Getting Risk Management, Controls and Compliance Right.

• Increased risks and scrutiny

• Need for better controls and procedures

• Implementing monitoring and compliance

Understanding the issues around e-Discovery and how management is addressing them.

Page 26

Who’s Worried?

Senior Executives

“…worry about what effect their compliance systems will have on their companies' future.”

“Almost half said they are concerned that their corporations' failure to effectively archive and manage all their electronic documents could be a critical liability.”

Source: Johnson, Sarah. “Survey: IT Falls Behind on Compliance.” CFO.com: September 18, 2006.

Page 27

Compliance: What’s Out There?

Compliance drivers (diagram): Records Retention, Preservation Demand, Third Party, Document Request, Regulatory Request.

Regulations shown: Sarbanes Oxley, Patriot Act, EU Data Protection, Gramm Leach Bliley, HIPAA, FRCP, PCI, EPA, OSHA.

Source: “Out of Control eDiscovery: Attacking the Causes Not the Symptoms”: F. Wu & T. Barnett, June 2006

Page 28

Compliance: What Else is Out There?

• Health Insurance Portability Accountability Act of 1996 (HIPAA), 42 U.S.C. §1320d-2(d)(2) (Privacy rule and Security rule for health care providers and other Covered Entities)

• Medicare Considerations of Participation

• Freedom of Information Act (FOIA)

• Payment Card Industry Data Security Standard (PCI DSS)

• EU Data Protection Directive (Directive 95/46/EC)

• Universal Market Integrity Rules for Canadian Marketplaces

• Sections 6801 and 6805(b)(2) of the Gramm-Leach-Bliley Act

• Section 552 of the Freedom of Information Act, as amended by Public Law No. 104-231, 110 Stat. 2422

• Section 552(a) of The Privacy Act

• Foreign Corrupt Practices Act

• National Archives and Records Administration, 44 U.S.C. Chapter 21

• Federal Records Act, 44 U.S.C. Chapter 21

• Sarbanes-Oxley Act of 2002, Pub. L. 107-204, 116 Stat. 745 (2002)

• Clinger-Cohen Act

• Disposal of Records, 44 U.S.C. Chapter 33

• Paperwork Reduction Act, 44 U.S.C. Chapter 35

• Uniform Preservation of Business Records Act

• Administrative Procedure Act, 5 U.S.C. Chapter 5

• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act), Public Law 107-56

• Department of Defense 5015.2 Standard – data integrity and confidentiality requirement for records management applications

• Organizational Sentencing Guidelines

• Federal Rules of Evidence

• Federal Rules of Civil Procedure

• Department of Justice Corporate Prosecution Principles

• OSHA

• ERISA

• IRC

• State Records Retention Acts

• California Database Protection Act (1386)

• Electronic Signatures in Global and National Commerce Act (E-SIGN)

Page 29

FRCP: Who’s Adopting?

State and Date Enacted:

• Arizona: 1.01.08

• Connecticut: 1.01.06

• Idaho: 7.01.06

• Illinois: 1.01.06

• Indiana: 1.01.08

• Iowa: 5.01.08

• Louisiana: 6.25.07

• Maryland: 1.01.08

• Minnesota: 7.01.07

• Mississippi: 5.29.03

• Montana: 2.28.07

• Nebraska: 6.18.08

• New Hampshire: 3.01.07

• New Jersey: 9.01.06

• New York: 1.17.06

• North Carolina: 7.31.06

• Texas: 1.01.99

• Utah: 1.01.07

Currently undertaking adoption of FRCP: California, Washington, New Mexico, Kansas, North Dakota, Ohio, Tennessee, Florida, Virginia

Page 30

What’s the Problem?

Electronically Stored Information (ESI)

“…the discovery of electronically stored information is becoming more time-consuming, burdensome and costly.”

Source: “Summary of the Report of the Judicial Conference Committee on the Rules of Practice and Procedures.” Agenda E-18 (Summary), Rules, September 2005: page 23 (http://www.uscourts.gov/rules/Reports/ST09-2005.pdf)


What Can be Relevant?

Information Lifecycle: Create/Receive → Distribute → Use → Maintain (Retain) → Dispose

Includes:

• official and non-official
• physical and electronic
• active and archived
• online and offline
• onsite and offsite
• internal and external
• local and international

Sources:

• email servers and file servers
• desktops, laptops, peripherals and electronic devices
• structured data – databases, logs, records and transactions
• unstructured data – documents, emails and voicemails
• user created or system generated data

EVERYTHING.


How Much Can It Cost?

20¢ to buy 1 gigabyte of storage, $3,500 to review it.

$2.5 to $4.0 million per year per billion in sales for e-Discovery.

$1.0 million per billion in sales for Sarbanes-Oxley compliance.

Source: AIIM.org June 26, 2008.

Source: Cohasset Associates. “The Eternal Charter: Improving Corporate Governance through Compliance and Assured Records Management.” June 2005.


Where Can It Hurt?

Risks Resulting from Mishandling e-Discovery

• Monetary sanctions
• Threat of criminal penalties
• Obstruction of justice
• Adverse inference and jury instructions
• Shifting of burden of proof
• Disruption to business operations
• Negative impact to reputation


Where It Did Hurt.

Compromised Legal Position

Apple

Amkor Technology

Bristol-Myers Squibb

Boston Communications

Computer Associates

CNET Networks

Comverse Technology

Mercury Interactive

Monster Worldwide

Oracle

Qualcomm

Tenet Healthcare

United Health

Hewlett Packard

HCC Insurance

IBasis

KB Home

KLA-Tencor

Marvell Technologies

McAfee, Inc.


What are the Realities and Trends?

• Cost and Consequences
  – Legal discovery can consume over 50% of litigation budget
  – e-Discovery can devour over 50% of legal discovery budget
  – Increased frequency and amount of fines and sanctions due to mishandled preservation and production of ESI

• Current Landscape (Outsourced e-Discovery)
  – Almost $3B in 2007 growing to $5B by 2011
  – 600+ e-Discovery vendors (Tier I <$70M annual revenues each)

• Trends
  – Hyper-competition and rapid commoditization
  – Integration of maturing tools and technologies
  – Establishing in-house capabilities and capacity
  – Managing the risk exposures and expenses of e-Discovery


Where’s the Roadmap and Compass?

e-Discovery and Records Retention

• Be Prepared for Litigation and Investigations
  Evaluate key elements of a litigation readiness program in anticipation of, or response to, lawsuits, regulatory actions and other business disputes.

• Operationalize Records Retention Program
  Update records retention policy, and develop a practical plan to implement sustainable practices.

• Appropriately Dispose of Unnecessary Records
  Create a plan to dispose of records no longer needed for the proper functioning of the company, thereby driving operational efficiencies and reducing costs.


What Do We See?

Dimensions: Policies, Practices, People, Reports, Approach, Technology

• Undocumented or vague policies. Focused on paper
• Limited resources & management support
• No limits or enforcements
• No formal processes or controls
• Mostly manual processes
• Limited or no monitoring or auditing
• Few stable processes
• Reactionary, ad hoc response
• Just do it
• Reliance on key people and individual heroics
• Firefighting, crisis management
• Informal records management structure
• Coordination is challenging
• Weak accountability
• Sporadic, ad hoc
• Informal
• Incomplete
• Inconsistent
• Untimely/Inaccurate
• Rough measures
• Over-simplification
• Limited or no prioritization
• May miss key characteristics
• Spreadsheets
• Unstable
• Unscalable
• Patches and point solutions
• Ad hoc data search and retrieval


What’s Internal Audit’s Role?

Adding Value.

Dimensions: Processes, People, Reports, Policies, Approach, Technology

“Bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

Source: The IIA Research Foundation. The Professional Practices Framework. March 2007


What Are Companies Doing?

“High Value Audit”: Records Retention and e-Discovery

• Evaluate:
  – Risk profiles (“Hot Spots” and “Blind Spots”)
  – Policies related to records and ESI
  – Practices compared to policies (records retention & e-Discovery)
  – IT infrastructure (legacy, existing and planned)

• Address:
  – Litigation readiness and effectiveness
  – Ability to operationalize record retention program
  – Proper disposition of outdated and unnecessary records

• Findings and Recommendations


What’s Important?

Getting Risk Management, Controls and Compliance Right.

Dimensions: Processes, People, Reports, Policies, Approach, Technology

• Good Faith Efforts
• Reasonable Practices
• Defensible Processes
• Significant Cost Savings from Practical Solutions


Roundtable Discussion Questions

• Who owns this risk area in your organization (IT, Legal, Compliance, IA, etc.) and what have been the coordination and ownership challenges?

• Has your organization inventoried all the applicable regulations in this area?

• Has this area surfaced on your risk assessment and what level of prioritization has it taken on?

• What lessons learned or roadblocks have you encountered in auditing this area?
