#327 – Legal and Regulatory Risk: Silent and Possibly Deadly Deborah Frazer, CPA CISA CISSP Senior Director, Internal Audit PalmSource, Inc.

2 Overview Identifying legal and regulatory risks Quantifying and weighing these risks Proactively mitigating legal and regulatory risk Communicating legal and regulatory risk to the business process owners

3 Identifying Legal and Regulatory Risks COSO framework –Control environment –Information and communication –Risk assessment –Monitoring Determining where the gaps are –Inherent risk –Controls in place

4 Internal Control – Integrated Framework Familiar Cube Three objective categories Five Components Entity and organizational units

5 Control Environment Integrity and ethical values Commitment to competence Board of Directors/Audit Committee Management’s philosophy and operating style Organizational Structure Assignment of authority and responsibility Human resource policies and procedures

6 Information and Communication Information is identified, captured, processed and reported by information systems. Relevant information includes industry, economic and regulatory information obtained from external sources, as well as internally generated information. Communication is inherent in information processing. Communication also takes place in a broader sense, dealing with expectations and responsibilities of individuals and groups. Effective communication must occur down, across and up an organization and with parties external to the organization.

7 Risk Assessment Entity-wide objectives –Include broad statements of what an entity desires to achieve, and are supported by related strategic plans Activity level objectives –Flow from entity-wide objectives –Are frequently stated as goals with specific targets and deadlines Risks –Consider external and internal factors that could impact achievement of the objectives Managing Change –Economic, industry and regulatory environments change and entities' activities evolve; mechanisms are needed to identify and react to changing conditions.

8 Monitoring Ongoing monitoring occurs in the ordinary course of operations, and includes regular management and supervisory activities, and other actions personnel take in performing their duties that assess the quality of internal control system performance. The scope and frequency of separate evaluations will depend primarily on an assessment of risks, and ongoing monitoring procedures. Internal control deficiencies should be reported upstream with certain matters reported to top management and the board.

9 ERM Integrated Framework Expands the original cube Four objective categories Eight Components Entity and organizational units

10 ERM Framework Objective Setting –Strategic High level goals Aligned with mission/vision –Operations Relates to effectiveness and efficiency –Reporting Effectiveness; relates to internal and external – Compliance Applicable laws and regulations

11 Compliance Objectives Relevant laws and regulations –Examples Wage and hour laws EEOC IRS/SEC Dependent on external factors –Examples: Environmental regulation Sarbanes-Oxley Act Homeland Security/Patriot Act Tend to be similar –Across entities or industries

12 Applicable Laws and Regulations Establish minimum standards for behavior –Entities must integrate into compliance objectives Compliance records –Significantly – positively or negatively – affect an entity’s reputation in the community and marketplace Overlap of objectives –Compliance objectives can affect other categories Strategic, operational, reporting

13 Achievement of Objectives Measurable targets toward which an entity moves Will have differing degrees of importance and priority Reasonable assurance objectives are achieved –May not pertain to all objectives –Compliance objectives are largely under entity’s control –Has the ability to do what’s needed to meet them

14 Risk Appetite Expressed as the acceptable balance between: –Growth, risk and return – OR – –Risk-adjusted shareholder value-added measures Risk appetite vs strategy –Strategy may exceed entity’s risk appetite –Strategy may not embrace sufficient risk to allow entity to achieve its vision/mission Guide resource allocation

15 Risk Tolerances Acceptable levels of variation relative to the achievement of objectives Measurable Performance measures –Help ensure actual results will be within the acceptable risk tolerances –Based on relative importance of related objectives

16 Event Identification Governmental changes –Changes in overall climate Legislation –Sarbanes-Oxley Act –Patriot Act Regulation –Certain required processes and disclosures

17 Proactively Mitigating Legal and Regulatory Risk Some examples –Establish a compliance office –Establish policies and procedures for appropriate legal reviews of contracts –Ensure line recognizes primary compliance responsibilities –Review privacy policies and practices –Benchmark against government requirements and best practices

18 Mitigating Risk vs Impeding Progress Establish guidelines –What requires review –Articulate where leverage may be applied Develop tools –Checklists –Standard language Empower business partners to perform their own control self assessment

19 Communicating Legal and Regulatory Risk Use layperson’s terms –Avoid “sounding” like an attorney or compliance officer Demonstrate with examples –Likelihood – have other entities been affected –Impact – what is a worst case scenario Know your audience –Sales objectives often collide with legal risk management –What does the risk mean to the executive group

Open Discussion and Examples

Questions?

22 For More Information: Deborah Frazer, CPA, CISA, CISSP Senior Director, Internal Audit PalmSource, Inc.

Thank you!