
Agenda Introduction Microsoft Internal Audit Org Risk Based Audit Planning Overview (Luncheon) In Depth Areas (Technical Session) Enterprise Risk Management.


Presentation transcript:


2 Agenda
- Introduction
- Microsoft Internal Audit Org
- Risk Based Audit Planning Overview (Luncheon)
- In Depth Areas (Technical Session): Enterprise Risk Management, Risk Theme Development, Project Identification, Capacity and Load, Annual Cycle
- Questions

3 Introduction
- Microsoft – 7 Years (Internal Audit, SMSG Finance, IT Finance)
- PricewaterhouseCoopers – 6 Years (SAP, PeopleSoft)
- Honeywell – 3 Years (SAP Security & Controls Implementation)
- AIG – 2 Years (Database Design & Implementation)

4 Core Competencies
- What We Stand For
- Functional Areas
- Microsoft Internal Audit Group Experience
- An Eye Toward the Future
- Interdisciplinary Approach

5 Microsoft Internal Audit Group
- Peter Klein, CFO – Microsoft
- Melvin Flowers, CVP – Internal Audit
- Michael Ford, Audit Director
- Lyn Cameron, FIU Director
- Terri Schwan, Audit Director
- Bob Tenczar, Office of ERM Director
- Rich Nardi, Audit Director
- Greg Testa, Practice Director
- Marilee Byers, Audit Director
Related bodies on the chart: Audit Committee; Board of Directors; Office of Legal Compliance

6 Internal Audit Group - Alignment
Audit Directors: Michael Ford, Terri Schwan, Rich Nardi, Marilee Byers
- Ankush Grover: SMSG Field, Segments, M&O, Services
- Lynn Chang
- David Low
- TBH – Asia
- Mike Gaffney – EMEA
- Gerard Morisseau
- Dawn Liburd
- Bob Kaler: OSD, WWLD, WPD, MS Retail
- Meera Venkatesh: R&D, MBD, STB, OEM
- Louis Couwenberg: Infra & IT Processes, Security, GFS, Skype
- DC Chang: IT Gov, Bus Systems & IT Processes, BCM, IEB, MSCIS
- Devon Pearce: WWLP, Ops, WPG, AC
- Steven Bean: Corp Finance, HR, LCA
- CJ Long: TECA
- Erica Campos: Vendor audit


8 What is RISK?
Risk is defined as a particular event or circumstance that, if it were to occur, would impact achievement of a business objective.

9 Risk Assessment Components
- Prior Audit Results
- SOX Scope
- Investigations
- 10K/ERM
- Discussions with Management
- Internal Data
- Key Changes to the Business/New Initiatives
- External Risk Environment

10 Planning Process

11 Planning Process Overview
- Risk assessment (on-going). Informed by: ERM board & 10K risks; on-going understanding of the business; recent fraud activity.
- Risk analysis & project identification (March): validate against ERM board risks, analyze gaps; calibrate assessment; identify high risks to be addressed by audit plan.
- Prioritization & resource allocation (April): conduct management team risk discussions; prioritize activities; allocate resources.
- Plan validation & presentation (May): discuss with management; validate with senior executives; present to AC for approval.
Owners, in order of increasing involvement: Program Mgrs; Program Mgrs, Directors; Pgm Mgrs, Directors, CAE.

12 Continuous Audit Planning Cycle
Cycle markers: On-going, April, May, June, Jul-Dec, December, January - June, On-going, September
- More efficient annual planning cycle
- Synchronized with ERM
- Responsive to changing risk environment
- 6-month project planning cycle allows for more flexibility
- 18-month view

13 New Business = New Risks
- Supply Chain Disruption
- Scrap Disposal Management
- HW Quality Assurance
- Factory Labour Conditions
- Patents
- Manufacturing


15 Key Takeaways
- Align IA Org to Business
- ERM Critical to Navigating Risks
- Risk Factors (Impact, Likelihood, and Prior Results)
- Measure Risk Variance
- Ensure Adequate Capacity
- Revisit and Reassess Risk Annually

16 Questions?


18 ERM at Microsoft – Virtual Structure
Board of Directors: Audit & Finance Committee(s)
Enterprise Risk Office: Executive Sponsor: CVP of Internal Audit; Program Office: Sr. Director of ERM
Pillars:
- Operational: SLT: COO; Sponsor: CVP & CIO; Leader(s): Sr. Principal, Sr. Solutions Manager
- Financial/Reporting: SLT: SVP & CFO; Sponsor: Corp VP of Finance and Administration; Leader: Director
- Strategic: SLT: CEO; Sponsor: GM - Corporate Strategy; Leader: Corp Strategy Sr. Manager
- Legal/Compliance: SLT: SVP Legal Compliance; Sponsor: VP Deputy General Counsel; Leader: Compliance Director; Pillar Support: Compliance Program Attorney
Microsoft Confidential - Internal Use Only

19 Risk Categories
Axes: Risk Level (Impact x Likelihood), Low to High; Management & Control Activity Level, Low to High.
- Improve (high risk, low control): Areas of high risk exposure with a low level of control must be key priority for improvements in management and control activities.
- Monitor (high risk, high control): Areas of high risk exposure where controls are deemed adequate should be monitored to provide ongoing assurance of control effectiveness.
- Accept (low risk, low control): Areas of low risk exposure that also have a lower level of control may be consciously accepted by the organization.
- Optimize (low risk, high control): Areas of low risk exposure with a high level of control may generate opportunities to optimize the management and control activities.

20 Risk Rating Criteria: Impact
NOTE: A risk should be evaluated on the most relevant impact; it does not need to address multiple columns. Also, evaluate the inherent impact rating of a particular risk event or circumstance assuming that the controls or management activities do NOT exist or they fail in either design or operation and fail to mitigate the impact of the risk occurring.
Columns: Organizational and operational scope | Reputational impact to stakeholders (i.e., customers, shareholders, employees, key partners, subscribers, 3rd parties) | Legal / Compliance / Environmental | Operating Income (OI) | Impact on Value
- Critical (score 5): Enterprise-wide: inability to continue business operations globally | Permanent loss of stakeholder confidence resulting in legal action, interruption in enterprise operations globally, and/or defection to competition | Prohibited from conducting business in certain product lines, markets, or geographies | OI >$2.5B | Significant reduction in market capitalization, significant draw on liquidity reserve
- Severe (score 4): 2 or more divisions: significant, ongoing interruptions to business operations within 2 or more divisions | Sustained losses in 2 or more stakeholder groups | Severe restrictions on conducting business in certain product lines, markets, or geographies | OI >$1B | Substantial reduction in market capitalization, substantial draw on liquidity reserve
- Serious (score 3): 1 or more division(s): moderate impact within 1 or more division(s) | Moderate loss in 1 or more stakeholder groups | Significant fines or limitations on conducting business in certain product lines, markets, or geographies | OI >$500M | Limited reduction in market capitalization, limited draw on operating cash flow
- Moderate (score 2): 1 division: limited impact within 1 division | Limited to minor/short-term loss in 1 stakeholder group | Limited actions against the company with limited effects on operations | OI >$250M | Missed forecast(s) and/or budget(s), limited draw on operating cash flow
- Mild (score 1): Minimal impact | OI >$100M
Use the Impact Table for Inherent Impact & Residual Impact ratings. Use the Likelihood Table for Inherent Likelihood & Residual Likelihood ratings.

21 Risk Rating Criteria: Likelihood, Control Effectiveness (CE)
NOTE: Evaluate the inherent likelihood rating of a particular risk event or circumstance in absence of the current management activities or controls that exist to mitigate the likelihood of the risk occurring.
Likelihood rating | Description of likelihood | Probability | Frequency | Score
- Expected | The risk event or circumstance is relatively certain to occur, or has occurred within the past year | % (value missing in the transcript) | Almost yearly | 5
- Highly Likely | The risk event or circumstance is highly likely to occur | 70-90% | Every 2 to 3 years | 4
- Likely | The risk event or circumstance is more likely to occur than not | 50-70% | Every 4 to 6 years | 3
- Not Likely | The risk event or circumstance occurring is possible | 10-50% | Every 7 to 9 years | 2
- Slight | The risk event or circumstance is only remotely probable | <10% | Every 10 years and beyond | 1
NOTE: Evaluate the Control Effectiveness / Management Activities rating for a particular risk event or circumstance based on existing management activities and/or controls that exist both within defined business processes as well as at the entity level, and not on future or planned control activities.
CE rating | Improvement opportunities | Control Effectiveness (CE) / Management Activities | Additional scoring criteria | Score
- Very High | None identified | Properly designed and operating as intended. | There are no outstanding High or Medium risk audit issues, no material weaknesses or significant deficiencies as defined by SOX or external auditors. | 5
- High | Limited | Properly designed and operating, no significant deficiencies. | There are no outstanding High risk audit issues, no material weaknesses or significant deficiencies as defined by SOX or external auditors. | 4
- Moderate | | In place, some deficiencies. | There are no outstanding High risk audit issues. There may be some significant deficiencies as defined by SOX or the external auditors. | 3
- Low | Significant | Limited, high level of risk remains, significant deficiencies. | There are outstanding High and/or Medium risk audit issues or significant deficiencies as defined by SOX or external auditors. | 2
- Very Low | Critical | Non-existent or has major deficiencies and does not operate as intended. | There are outstanding High risk audit issues or material weakness(es) as defined by SOX or external auditors. |

22 INHERENT Risk Profile (Representative Sample)
Chart: Tier 1 risks (Risk 1 to Risk 10) plotted by Likelihood of Occurrence (Slight, Not Likely, Likely, Highly Likely, Expected) against Severity of Impact (Minimal, 2 Low, 3 Moderate, 4 High, 5 Critical); the plotted positions are not recoverable from the transcript.

23 RESIDUAL Risk Profile (Representative Sample)
Chart: the same Tier 1 risks (Risk 1 to Risk 10) re-plotted on a residual basis in the Risk Categories matrix (quadrants Monitor, Optimize, Improve, Accept; both axes Low to High); the plotted positions are not recoverable from the transcript.
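As an added illustration that is not part of the deck, the rating tables on slides 20 and 21 and the Improve/Monitor/Accept/Optimize matrix on slide 19 can be turned into a small scorer that places each risk in its quadrant. The cut-offs for "high" risk and "high" control, the 90% floor of the Expected likelihood band, and the sample risks' scores are assumptions, since the slides give none.

```python
from dataclasses import dataclass

# Impact score from OI exposure (slide 20); the slide rates nothing below the
# $100M 'Mild' band, so anything lower is assumed Mild (1).
OI_BANDS = [(2.5e9, 5), (1e9, 4), (500e6, 3), (250e6, 2), (100e6, 1)]
# Likelihood score from annual probability (slide 21); the 'Expected' band's
# percentage is missing in the transcript and is assumed to start at 90%.
PROB_BANDS = [(0.90, 5), (0.70, 4), (0.50, 3), (0.10, 2)]

def impact_from_oi(oi_usd: float) -> int:
    """Map an OI exposure in dollars to the 1..5 impact score."""
    for floor, score in OI_BANDS:
        if oi_usd > floor:
            return score
    return 1

def likelihood_from_probability(p: float) -> int:
    """Map a 0..1 annual probability to the 1..5 likelihood score."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    for floor, score in PROB_BANDS:
        if p >= floor:
            return score
    return 1  # 'Slight': below 10%

@dataclass(frozen=True)
class Risk:
    name: str
    impact: int      # 1..5 (slide 20), rated as if controls fail
    likelihood: int  # 1..5 (slide 21), rated without current controls
    ce: int          # 1..5 control effectiveness (slide 21)

    def inherent(self) -> int:
        """Inherent risk level = Impact x Likelihood (slide 19 axis)."""
        return self.impact * self.likelihood

def quadrant(risk: Risk, risk_high: int = 10, ce_high: int = 4) -> str:
    """Slide 19 matrix. Assumed cut-offs: inherent >= 10 counts as high risk
    exposure; CE >= 4 (High / Very High) counts as a high control level."""
    high_risk = risk.inherent() >= risk_high
    high_control = risk.ce >= ce_high
    if high_risk:
        return "Monitor" if high_control else "Improve"
    return "Optimize" if high_control else "Accept"

def profile(risks):
    # Name -> (inherent score, recommended category) for a list of risks.
    return {r.name: (r.inherent(), quadrant(r)) for r in risks}

# Constructed sample: names echo slide 24's ERM board risks; the scores are
# made up for illustration and are not the deck's ratings.
SAMPLE = [
    Risk("Security and privacy of critical data", 5, 4, 2),
    Risk("Financial market volatility", 4, 3, 4),
    Risk("Acquisition integration", 2, 3, 2),
    Risk("Succession planning", 2, 2, 5),
]
```

Running `profile(SAMPLE)` yields the inherent score and quadrant for each constructed risk; changing `risk_high` or `ce_high` shows how sensitive the Improve/Monitor split is to the chosen cut-offs.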

24 10K Risk Mapped to ERM Board Risks
Columns: # | ERM Risk Category | 10K Risk | ERM Board-level Risk (FY10 ERM Status)
1. Strategic | Challenges to our business model may reduce our revenues and operating margins | Business model disruptions from competitive landscape (Monitor); Business model pricing erosion (Monitor); Rise of alternative platforms (Monitor)
2. Strategic | We face intense competition | Business model disruptions from competitive landscape (Monitor); Business model pricing erosion (Monitor); Rise of alternative platforms (Monitor)
3. Strategic | We make significant investments in new products and services that may not be profitable | Strategic investments (Monitor)
4. Strategic (Operational) | Acquisitions and joint ventures may have an adverse effect on our business | Acquisition integration (Monitor); Yahoo! Partnership (Improve)
5. Legal (Strategic, Financial, Operational) | We may not be able to adequately protect our intellectual property rights | Software piracy (Monitor)
6. Legal | We are subject to government litigation and regulatory activity that affects how we design and market our products | Regulatory scrutiny and antitrust focus (Monitor)
7. Legal | Improper disclosure of personal data could result in liability and harm our reputation | Security and privacy of critical data (Improve)
8. Legal | Third parties may claim we infringe their intellectual property rights | Not mapped
9. Legal | We operate a global business that exposes us to additional risks | Regulatory non-compliance (Monitor); Anti-corruption (Improve)
10. Legal | We have claims and lawsuits against us that may result in adverse outcomes | Not mapped
11. Operational | We may not be able to protect our source code from copying if there is an unauthorized disclosure of source code | Security and privacy of critical data (Improve)
12. Operational | Security vulnerabilities in our products could lead to reduced revenues or to liability claims | Product quality and security - software & services (Improve)
13. Operational | Our vertically-integrated hardware and software products may experience quality or supply problems | Hardware quality and compliance (Monitor)
14. Operational | Catastrophic events or geo-political conditions may disrupt our business | Business continuity management (Improve)
15. Operational | We may experience outages and disruptions of our online services if we fail to maintain an adequate operations infrastructure | Inadequate operations infrastructure (Monitor)
16. Operational | Our business depends on our ability to attract and retain talented employees | Global employee recruitment & retention (Monitor); Succession planning (Monitor)
17. Operational | Delays in product development schedules may adversely affect our revenues | Product/service launch and sustainability (Monitor)
18. Financial | Adverse economic conditions may harm our business | Financial market volatility (Monitor); Credit and collections (Monitor)
19. Financial | We may have additional tax liabilities | Financial Reporting (Monitor); Taxation of foreign earnings (Monitor)
20. Financial | If our goodwill or amortizable intangible assets become impaired we may be required to record a significant charge to earnings | Financial Reporting (Monitor)


26 Development of Business Risk Themes 26

27 Prioritization of Risk Themes 27

28 Themes
Theme | # of Hours | % of Total
- Sales and Channel Management | 19,072 | 29%
- Cloud Implementation | 9,088 | 14%
- Compliance & Governance | 7,616 | 12%
- Spend Management | 7,552 | 12%
- Statutory and Local Requirements | 7,296 | 11%
- Product & Service Launch Readiness | 4,736 | 7%
- Privacy & Security of Critical Data and Intellectual Property | 3,584 | 6%
- Supply Chain | 3,328 | 5%
- IT/Business Alignment and System Implementations | 1,920 | 3%
- Internal process changes due to shift in business model | 512 | 1%
- Grand Total | 64,704 | 100%


30 Project Assignments
Align by Risk Pillar (Risk Pillar | Total Hours):
- Financial | 18,255
- Legal/compliance | 13,750
- Operational | 32,699
  - Acquisition integration | 230
  - Business continuity management | 536
    - Anti-Malware services follow-up | 128
    - Azure Services ISO | 192
    - Commercial CSS | 216
  - Data management | 616
  - Facility access and security | 856
  - Global employee recruitment and retention | 764
  - Hardware quality and compliance | 768
  - Inadequate operations infrastructure | 5,281
  - Product quality and security (software & services) | 2,656
    - Anti-Malware services follow-up | 384
    - Azure Services ISO | 192
    - Commercial Online Services order to cash | 192
    - CRM Online ISO | 384
    - Nokia SSAE16 readiness | 640
    - Online Services Rapid Assessments | 384
    - Online Services platform automation | 480
  - Product/service launch and sustainability | 1,493
  - Security and privacy of critical data | 8,389
  - Software piracy | 1,015
  - Spend management | 8,350
  - Strategy and IT resource alignment | 1,744
- Grand Total | 64,704
Align by Risk Theme (Theme | # of Hours | % of Total):
- Sales and Channel Management | 19,072 | 29%
- Cloud Implementation | 9,088 | 14%
  - Anti-Malware services follow-up | 640 | 1%
  - Azure Services consumption | 640 | 1%
  - Azure Services ISO | 1,152 | 2%
  - Cloud Services Privacy | 1,152 | 2%
  - Commerce platform & business operations | 1,152 | 2%
  - Commercial Online Services order to cash | 768 | 1%
  - CRM Online ISO | 640 | 1%
  - Online Services Rapid Assessments | 768 | 1%
  - Online Services platform automation | 640 | 1%
  - SKU, pricing & redemption token management | 768 | 1%
  - Windows Phone Marketplace Apollo readiness | 768 | 1%
- Compliance & Governance | 7,616 | 12%
- Spend Management | 7,552 | 12%
- Statutory and Local Requirements | 7,296 | 11%
- Product & Service Launch Readiness | 4,736 | 7%
- Privacy & Security of Critical Data and Intellectual Property | 3,584 | 6%
- Supply Chain | 3,328 | 5%
- IT/Business Alignment and System Implementations | 1,920 | 3%
- Internal process changes due to shift in business model | 512 | 1%
- Grand Total | 64,704 | 100%

31 Project Level Risk
- Risks are aligned to the COSO framework (area/type/category)
- Associate risks with an auditable unit (AU)
- Significance and likelihood scores are absolute
- Residual score is calculated by applying a discount based on the audit experience/knowledge score
- Reassess after each project

32 All Up Comparison of Risks YoY (Gut-Check)
Columns: FY11 Actual (Hours, %) | FY12 Actual (Hours, %) | FY13 Plan (Hours, %) | FY12 Actual vs FY13 Plan (Hours, Pts)
- Financial | 26,500, 36% | 22,600, 30% | 23,700, 28% | 1,100, -2 Pts
- Compliance | 17,300, 24% | 15,400, 20% | 17,900, 21% | 2,500, 1 Pt
- Operational | 29,400, 40% | 37,300, 49% | 42,400, 51% | 5,100, 1 Pt
- Strategic | -, 0%
- Grand Total | 73,200, 100% | 75,300, 100% | 84,000, 100% | 8,700, 12%


34 Resource Capacity
FY13 capacity by role. Columns: FTE | Program | Project | Invest | ERM | Internal | Total hours (several cell values are truncated in the transcript and are shown as extracted)
- VP: ,800
- ERM: , ,800
- PPM director: ,620 1,800
- PPM manager: ,800
- Admins: ,600
- IA director: 4 2,880 2, ,200
- IA program mgr: 8 9,360 3, ,440 14,400
- IA proj/ppl mgr: 6 2,160 5, ,700 10,800
- IA proj mgr
- IA lead: 15 1,350 22, ,700 27,000
- IA staff: , ,240 32,400
- RA: 4 - 4, ,520 7,200
- TECA manager: ,800
- TECA staff: 1 - 1, ,800
- FIU director: ,800
- FIU ppl mgr: , ,350 5,400
- FIU staff: , ,800 18,000
- FIU PM
- Total: 77 19,620 70,650 19,530 1,710 27, ,600
Vendors:
- FIU Vendors: 5,100
- IA Vendors: ,405 11,305
- SMSG Vendors: 2,900
- ERM Vendor: 300
- PPM Vendor: 1,250
- Vendor total: ,305 5, ,250 20,855
- Total All: 20,520 83,955 24,630 2,010 28, ,455

35 Load Balancing
Month | Hours | Min Threshold | Max Threshold
- Jul | 2,624 | 4,543 | 5,652
- Aug | 2,752 | 4,543 | 5,652
- Sep | 5,248 | 4,543 | 5,652
- Oct | 5,696 | 4,543 | 5,652
- Nov | 7,595 | 4,543 | 5,652
- Dec | 4,715 | 4,543 | 5,652
- Jan | 6,187 | 4,543 | 5,652
- Feb | 6,592 | 4,543 | 5,652
- Mar | 6,720 | 4,543 | 5,652
- Apr | 6,848 | 4,543 | 5,652
- May | 5,184 | 4,543 | 5,652
- Jun | 3,776 | 4,543 | 5,652
- Grand Total | 63,937 | 54,516 | 67,824


39 Thanks!


