Governance, Risk & Compliance (GRC) – Vendor Landscape and Implementation Considerations
Sean Winekauf – Director Enterprise Risk Management & Governance, Risk & Compliance, KPMG 04/07/15
Agenda
- What is GRC?
- GRC Marketplace today
- GRC Software Vendors
- Why GRC?
- Areas of Organizations that benefit from integrated GRC
- Tangible and intangible benefits
- Roles of technology
- Technology selection – do's and don'ts
- Closer look at Internal Audit
- Lessons learned
- How KPMG is helping clients
- Q&A
What is GRC?
KPMG's Definition: "An approach to align the organization's governance, risk and compliance processes to its strategy, allowing for convergence and transparency of information to drive performance and resilience in a dynamic economic business environment."
What is going on in the GRC Software Market?
Software GRC Market Outlook
- Software GRC market is expected to grow from $19.3B (2010) to ~$34.5B (2014), a CAGR of ~16% (Source: IDC).
- 54% of compliance officers at public companies expect a spending increase in compliance and ethics in 2014 (Source: Thomson Reuters).
- "$2B+ in additional expenses in our overall control effort will have been made since 2012 through the end of 2014" – Jamie Dimon, Chairman and CEO, J.P. Morgan Chase & Co., 2014 Annual Letter to Shareholders.
- GRC market growth will accelerate as regulations and technology environments grow more complex.
Source: Competitive Enterprise Institute, Thomson Reuters.
Current GRC Spend – Survey results
Annual Cost of Federal Regulation: the estimated compliance and economic cost burden of federal regulation and oversight in 2012 was $1.8T.
2013 Compliance Executive Survey Results (800 compliance practitioners, including heads of compliance and chief executives, were surveyed):
- Over the next 12 months, 67% of compliance professionals expect the compliance team budget to be more than today.
- Over the next 12 months, 80% of compliance professionals expect the regulatory focus on managing regulatory risk to be more than today.
- Over the next 12 months, 67% of compliance professionals expect the cost of senior compliance staff to be more than today.
Source: Competitive Enterprise Institute, Thomson Reuters.
GRC – What we are seeing in the Marketplace today
- Increased regulations and a more rigorous compliance environment
- Siloed approaches in responding to these requirements, leading to duplication of functions and multi-layered Governance, Risk and Compliance processes
- Board executives and senior management struggling to see the value generated by these activities, viewing them as a cost of doing business rather than an investment to improve corporate performance
Company Characteristics
- Are relatively large in terms of employees or revenues
- Have multiple divisions/SBUs
- Present in highly-regulated industries or markets
- Have acquired or are in the process of acquiring businesses within or across regions
- Are present in several regions/countries and therefore need to comply with regulations across all the regions
- Do not have a clear owner for GRC across the firm
GRC Software Vendors: Forrester Wave 2014
Why GRC?
- Increases accountability for risks, controls, and issues
- Automation of Control Testing workflow
- Single view of controls across the organization
- Consolidated and real-time reporting of cross-functional risks and issues
- Automation of Certification
What drives Corporate Directions in Governance, Risk and Compliance?
Increasing regulatory requirements have resulted in complex business and risk management processes.
[Diagram: business and risk management information flows]
- Business Units and Oversight functions: BU Risk Management, Internal Audit, Finance and Treasury Department, Legal, Human Resources, Compliance
- Stakeholders – Internal: Board/Committees, Executive/Senior Management; External: Shareholder, Auditor, Regulator, Rating Agencies
- Inefficiencies: business and risk management information process analysis, Reporting & Disclosure process, Data capture and analysis
Why GRC? >> What does a GRC enabled Organization look like?
[Diagram: Desired State of a GRC enabled organization]
- Technology: eGRC Foundation spanning Legal Entities, Geographical Regions and functions (Sales and Marketing, Operations, Finance, Shared Services and Support, Human Resources, Legal and Regulatory, IT, Product Development, Audit)
- Transformation: Business and Controls, ERM, Compliance, Internal Audit, Other Assurance Groups
- Outputs: Control Reports, ERM Reports, Compliance Reports, Audit Reports, Issue Management Reports (Quarterly Deficiency SOX Reporting, Quarterly Assessment, Firm CRMP, Audit Plan, Audit Committee, Open Issues, Past Due Issues, Closed Issues, External Audit Report)
- Business and Risk Management Information delivered to Internal stakeholders (Board/Committees, Executive/Senior Management) and External stakeholders (Auditor, Regulator, Rating Agency)
What areas of an Organization can benefit from an integrated GRC program?
SOX
- Control Testing (test of design, test of operating effectiveness)
- Control test scheduling
- Link controls to risks, control objective, assertion
- 302 certification survey
- Testing documentation storage
- Deficiency Management
Internal Audit
- Annual Audit Planning
- Audit Planning & Risk Assessment
- Audit Resource & Scheduling Management
- Audit fieldwork execution (Controls Test of Design, Test of Operating Effectiveness)
- Audit Reporting
- Audit Finding Remediation Management
Compliance
- Compliance Test Scheduling
- Compliance Risk Assessment
- Control testing (test of design, test of operating effectiveness)
- Management of policies
- Exception / Issue Management
Risk / ERM
- Risk Assessment
- Risk Scoring
- Risk Reporting and Dashboards
- Storage of risk data
Benefits of an Enterprise GRC Program
Across the marketplace, we see Enterprise GRC initiatives enable companies to more effectively manage risk and compliance activities in an aligned manner. Establishing a common language and converging multiple, independent risk and compliance initiatives into an integrated approach (eGRC Convergence) can result in many intangible and tangible benefits. We have highlighted some benefits below:
Tangible Benefits
- Improved Gap Detection and Mitigation
- Reduced Risk Assessment Effort
- Reduced Compliance Effort
- Optimized Business Processes
- Automated Security Controls Monitoring
- Rationalized IT Systems and Support
- Improved Reporting
- Reduced Risk of Penalties, Fines Due to Noncompliance
- Reduced Operating Risk
Intangible Benefits
- Potential reduction in overall risk and compliance management effort due to integrated eGRC activities
- Dashboarding providing executives their risk profile across value chain and risk category
- Improved gap detection and mitigation through automation of remediation plans and deficiency analysis
- Efficiencies as a result of automation of eGRC activities
- Scoping at the account level creating a linkage between account and control
- Testing workflow and 302 Automation
- Business process controls optimization due to integration and automation
- Increased accountability helping embed risk management into BAU activities instead of making it a check-the-box exercise
How does Technology enable an integrated GRC program?
- Move away from those old spreadsheets
- Have the necessary information be pushed to you
- Technology facilitates dynamic GRC connections
- Empower the broader GRC community with proactive insight
Scope of GRC Solution Sets (GRC Technology)
- Regulatory & Legal Insight: Regulatory News and Analysis, Legal and Business Research
- Internal Assurance: Internal Audit, Risk Management, Internal Controls, Policy Management
- Corporate Governance: Regulatory Disclosure, ICFR Certification, Board Management
- Solution types: Business Law Solutions, Board Solutions, Disclosure Solutions, Due Diligence Solutions, Regulatory Intelligence Solutions, Training Solutions, Screening Solutions, Policy Management Solutions, Internal Audit Solutions, Risk Management Solutions, Internal Controls Solutions, Enterprise GRC Solutions
What to look for when selecting a GRC tool
- Allow sufficient time for the process
- Look to the future as well as the past
- Understand the business needs and relevant requirements before judging the quality of competing package solutions
- Consider the relative priorities and importance of the different aspects, in particular which ones are critical to the success of the chosen solution
- Avoid selecting individual departmental solutions
- Narrow down the number of suppliers to evaluate in detail
- Put in writing the organization's needs and requirements so that the package supplier is obliged to state (in writing) whether and how the package can meet those needs
- Seek independent views from users of the packaged solutions
- Balance the size of the solution with the size of the problem, i.e., accept minor shortcomings if the organization can achieve better overall business benefits
- Bear in mind the supplier is potentially going to be a permanent partner in the business solution
Cautions and pitfalls of GRC tool selection process
Pitfalls to avoid:
- Window shopping, selecting a package based on recommendation or looks alone
- Sending large Requests for Proposal to every possible supplier – instead use simple, key criteria to identify the most probable candidates
- Classing everything as 'mandatory'
- Just asking the salesman if the requirements can be met
- Letting different team members follow different packages – there will be inconsistencies
- Relying upon the supplier to identify references
- Just going to the supplier's standard demonstration
- Automatically taking the highest scoring solution
Audit Lifecycle: Key Internal Audit Areas
KPMG views these as key areas across industries in the Internal Audit Lifecycle:
[Diagram: Internal Audit Lifecycle]
- Lifecycle stages: 1. Audit Planning, 2. Audit Execution, 3. Audit Reporting, 4. Issues Mgmt, 5. Remediation
- Foundational Elements: Audit Universe, Enterprise Wide View
- Inputs: Regulations, External Audit, Internal Assurance functions, Internal policies
- Supporting areas: Reporting, Issue Management, Board Reporting and Quality Metrics, Resource Management, Time Management
Setting your Internal Audit Foundation Using GRC Concepts
Risk Profile
- Perform a Risk Assessment that aligns with ERM and the Company's strategic objectives (ensure in line with 1st and 2nd lines of defense)
- Consider building out a Continuous Risk Assessment Program to gain efficiencies and increase scope of coverage
- Use a single Risk Taxonomy throughout the Company
- Position Internal Audit to focus on the riskiest areas and add the greatest amount of value to the Company
Governance, Infrastructure and Organization
- Develop an Internal Audit Methodology and Audit Approach (i.e. end-to-end process reviews) tailored to the needs of the Company
- Determine a governance structure and set up lines of communication to Senior Leadership and Audit Committee, including escalation procedures
- Consider efficient audit techniques (i.e. Data Analytics and KPIs)
- Consider use of technology to automate and streamline the Audit process (i.e. GRC systems)
Culture
- Develop Internal Audit's mandate to meet stakeholder expectations and position IA to be a value-added function
- Set and communicate expectations (i.e. timelines and responsibilities) with Management early in the process
- Maintain lines of communication throughout the life cycle of the audit process to keep Management engaged and aware of progress
Enterprise Assurance
- Understand and leverage monitoring/testing/assurance activities within the 1st and 2nd lines of defense
- Align testing efforts with the 2nd line of defense to avoid duplicate efforts and gain efficiencies
- Integrate reporting with the 2nd line of defense to Senior Leadership, Board of Directors and Audit Committee
- Develop an Issue Resolution Tracking process to ensure findings are remediated timely
GRC, Internal Audit and Enterprise Assurance
GRC Foundational Elements
- What should we focus our audit efforts on? Risk Assessment & Internal Audit Plan
- How do we keep Risk Info current? Continuous Risk Assessment
- What approach or techniques should we use to audit? Risk-based Internal Audit Methodology: Value Added Specialists & End-to-end process reviews, Performance Audits, Data analytics, continuous auditing & monitoring
- Understanding of and alignment with other assurance efforts: SOX, Compliance, Quality, Safety, Environmental Groups
- How do I enable efficient workflow, data storage and real time reporting? Implement GRC technology to enable Risk Assessment, Audit workflow, data repository and reporting
Some Key Questions to consider when selecting an Internal Audit tool
Internal Audit Point Solutions
- Business Process Adaptation: Does the tool support YOUR business processes? What level of configuration and customization is going to be required?
- Flexibility: How flexible is the tool to meet your needs? Conversely, how flexible are your processes to adapt to tool limitations?
- The Vision: Does your long term vision look at process efficiencies, integration, cost effectiveness and a horizontal view of risk across the Organization?
- Time to Implement: What is driving the timeline for implementation? Strategic initiatives, regulatory requirements, expired licenses for current tools?
- Cost: What are the budget constraints given the short term and long term vision for implementation of the tool?
GRC Key Point: Consider an Internal Audit software tool that allows for integration with technology that supports other risk and compliance functions within your organization, to support a long term vision of a horizontal view of risk across your Organization.
Internal Audit Tools - Key Considerations and Benefits
Function: Enterprise Wide Foundational Elements / Core Data
  Key Considerations: Support of common structure and language for Organizational Structure, Process Hierarchy, Risk Hierarchy, Control Hierarchy, Issue Classifications
  Benefits: Horizontal view of risks and issues across the organization empowers Management to make informed decisions
Function: Audit Universe and Risk Assessment
  Key Considerations: Ability to capture and standardize criteria for risk assessments, audit planning (annual, audits and special projects) and creation of key documentation
  Benefits: Effective risk assessment process and set up of audit universe
Function: Audit Planning
  Key Considerations: Supports individual audit risk assessment, planning tools (identification of risks and controls), definition of scope/objective of audit, meetings and capturing planning approvals
  Benefits: Aligns schedule, anticipated scope, and risk assessment
Function: Audit Execution
  Key Considerations: Assignment of audit procedures, testing and documentation of controls, walkthroughs, storage of testing evidence, review/approval process and issue identification
  Benefits: Streamlines and organizes the audit process; provides a clear picture of the review status
Function: Audit Reporting
  Key Considerations: Generate status reports (including graphical representation) on a variety of topics/criteria
  Benefits: Ability to create a valid depiction of the audit status
Function: Issue Management & Remediation
  Key Considerations: Tracking of issues and action plans through to resolution, ownership of issues, status of issue remediation activities, and retesting by internal audit
  Benefits: Used to track, schedule testing, and evaluate overall company status in regards to open/closed findings
Function: Board Reporting & Quality Metrics
  Key Considerations: Annual Audit Plan Status, Tracking of Audit open Issues, IA Performance Scorecard
  Benefits: Ability to provide snapshot reports as to the progress and effectiveness of the Internal Audit Group
Function: Resourcing Management
  Key Considerations: Management of resources within the IA group, allocating resources to projects/audits based on other projects/audits, time off/conflicts, skills, and certifications
  Benefits: Capability to ensure the utilization and capabilities of auditors are being met
Function: Time Management
  Key Considerations: Tracking of time and expenses for each audit or special project
  Benefits: Provides a snapshot of the overall budget
Internal Audit Technology – What should you be looking for?
Recommended Internal Audit Technology Capabilities across the Internal Audit Lifecycle (Planning & Scoping; Audit Universe & Risk Assessment; Execution & Fieldwork; Issues Mgmt. & Reporting; Resource Mgmt.)
Planning & Scoping
- Support of audit charter, vision and strategies
- Development or adoption of a risk framework (COSO)
- Capturing and assessment of the most significant risks to achieving the objectives and opportunities
- Systematic and structured way of aligning an organization's approach to risk with its strategy
Audit Universe & Risk Assessment
- Configuration of risk assessment factors, weights, risk scores
- Identification of future growth opportunities and strategic objectives for the business context (e.g. facilitated sessions or surveys)
- Assess material risk, link to SOX, materiality thresholds, account balance info from G/L
- Assign the "scope" of each business process, risk, and control to identify whether applicable to Audit, Compliance, ERM, IT etc.
- Capture of attributes – dates, stakeholders, assertions, fraud scenarios, inherent/residual risk etc.
- Change a risk assessment, as well as show changes year over year
- Link to historical data to understand entity, environment, previous audits
- Capture, develop and maintain risk register, risk and controls matrix
Execution & Fieldwork
- Capture test scripts, test results
- Attach evidence and supporting documents; work paper repository
- Process, risk, control, issue, owner, date info
- Creation of issues from failed tests
- Automated alerts for items in tasks, outstanding due dates and reporting
- Standard checklists for planning, post-audit and other standard activities
- Attach pre-defined templates, copy prior audits
Issues Mgmt. & Reporting
- Hyperlinks within reports to forms enabling users to edit information in real time
- Automated out-of-the-box reports (e.g. SAD, Audit Committee)
- Creation of a risk summary report that describes key risks, how they are being managed and monitored, remediation of key issues, and accountability
- Report on KPIs and KRIs
- Document and link issues and attributes (e.g. process, control, owner, dates)
- Drill-down reports for metrics (e.g. open issues, completed audits, outstanding tasks)
- Provide business areas with a comprehensive view of all of their issues reported by Internal Audit
Resource Mgmt.
- Retention and reporting of characteristics of audit personnel such as job classification, certifications, background information, special skill sets, and training completed and planned, at all levels
- Close out time periods to prevent auditors from charging additional time, while allowing the administrator to re-open a period
- Link to official repository of contractor information
- Define and maintain time tracking codes
- Track time and expenses against contingent worker contract; store charge rates
- Staff time tracking capability, including audit and non-audit hours – charge time by day and task
General
- Workflow management for each audit-related "document", including audit, audit program, checklists, audit process, audit risks, audit controls, and audit work papers
- Ability to capture and link org, processes, risks
- Export to PDF, XLS etc.
- Security, Search Functions, Audit Trail, System Integration
Vendor Landscape: Internal Audit Solutions – Key Differentiators & Highlights
Differentiator categories: Regulatory Content, Modern UI, Flexibility, Out of the box, Drag & Drop Capability
RSA Archer
- RSA's GRC & IA content includes pre-mapped policies, control standards, procedures, authoritative sources and assessment questions
- Audit Management enables the identification and risk assessment of the audit universe
- Work papers with configurable workflow are generated by the solution to allow audit staff to document the results of procedures associated with an audit project
- Has notifications and alerts
MetricStream
- Built-in remediation workflows, time tracking, -based notifications and alerts, risk assessment methodologies, and offline functionality for conducting internal audits at remote field sites
- Structured process for managing audit work papers and documentation, including supporting evidence, findings, analysis, and results for each audit program. The tool provides approval workflow, check-in/check-out features, version control, document preparation workflows, comments, powerful work paper organization, and search capabilities
- Record qualitative or quantitative findings along with detailed observations and recommendations in predefined formats
- Graphical executive dashboards and flexible reports with drill-down capability provide statistics on a variety of parameters such as audited entities, audit schedule and calendar, finding reports, and corrective and remediation actions triggered
Nasdaq BWise
- Ability to capture and store audit data and results in logical folders, which are automatically created based on the audit work program/work papers
- Offers a flexible data model, providing a way of relating elements of the audit framework in many-to-many relations between elements such as processes, risks, controls, control objectives, etc.
- Automatically create multi-year audit plans based on audit rating, risk rating and cyclical audit frequency
- Audit Analytics assisting in reducing data collection efforts with both standard and ad hoc analysis
- Findings and recommendations with configurable workflows to review and monitor on a one-time basis
- Basic scheduling functionality
Thomson Reuters
- Centralized data capture, risk assessment, reporting and documentation, similar to a SharePoint folder structure
- Ability to share risks and risk assessments, audit findings, key risk areas and recommendations across the internal audit department and provide quantifiable evidence of compliance through real-time dashboards and reports
- Workflow, notifications and resource scheduling are also key features
- Flexible deployment options – on-premise perpetual license, on-demand or hosted perpetual license options mean that Accelus Audit Manager will fit into your current audit and risk processes, providing maximum benefit with minimum disruption
IBM OpenPages
- Supports top-down and bottom-up approaches to risk assessment and creation of multiple-year audit plans
- Maintains a centralized library of electronic work papers, and automates work paper review and approval
- Manages auditor time and expenses to avoid versioning conflicts and promote consistency
- Integrated with financial controls management, IT risk and compliance management, general regulatory compliance efforts, and operational risk management programs
Internal Audit Technology Implementation Success Factor: Interlinked with Other Assurance Areas – A long term vision
[Diagram: Foundational Elements (Common Taxonomy & Reporting) shared by Internal Audit, SOX/Internal Controls and Other Assurance Areas (ERM, Compliance, Policy Mgmt. etc.), feeding Management's View]
Better practices across industries show that the success of Internal Audit tool implementations is greatly increased when they are implemented in such a way that they can interlink with technology utilized by other assurance areas – giving Management a view of risk and issues across the Organization.
Internal Audit Technology – Key Consideration Areas
- Time to Implement
- Flexibility, Configurability, & Customization
- Maturity & Sophistication of Modules & Capabilities supporting in-scope areas
- Client Specific Requirements & why they selected it
Lessons Learned in GRC Technology Implementations
- Include all relevant stakeholders at the start of the project
- Define and agree upon the functional and business requirements
- Establish a clear project plan inclusive of change and risk management
- Develop a deployment plan
- Establish a clear change management plan
- Perform System Testing and User Acceptance Testing
- Develop and provide training tailored to the end user
- Don't let a tool drive the process
Enterprise Governance, Risk and Compliance (GRC) Considerations
Enterprise GRC Considerations – Components
1. Strategy: GRC Vision, Guiding Principles, Executive Buy-in, Functional Commitment, Roadmap
2. Convergence & Foundational Elements: Foundational Elements; Future State Process Flows; Convergence Opportunities, Alignment of Shared Functionality, and Integration Points with GRC Tool; High-level Business, Functional, and Technical Requirements Definition
3. Program Management: Project Governance; Project Plan, Timeline and Budget; Project Risks/Issue Tracking; Project Resource Management
4. People & Change: Stakeholder Analysis; Roles and Responsibilities; Communication Plan; Learning, Development and Training; Adoption Plan/Roll-out
5. Business Requirements & Reporting: GRC Business requirements design & documentation; Fit-Gap Analysis; Process, Risk, Transactional level dashboards & reporting
6. Technology Enablement: Link between Business Requirements and Business Process Design; Requirements to System Mapping / Proof of Concept; Data Conversion; Testing Strategy, Performance and User Acceptance Testing
Convergence & Foundational Elements
KPMG vs. GRC Technology Vendor – Division of Roles and Responsibilities
1. Strategy
  KPMG:
  - Assist with the development of a GRC Strategy, mission statement, guiding principles, and success criteria
  - Assist with the identification of current and potential future stakeholders and assess potential future usage for an enterprise-wide solution
  - Provide support in forming the GRC Steering Committee and establishing roles and responsibilities for the initiative
  - Participate in and help facilitate, as needed, GRC Steering Committee meetings
  - Provide guidance with obtaining executive buy-in
  - Perform maturity assessment for each stakeholder group and oversight/assurance activity to serve as input to the roadmap
  - Assist with the development of a strategic and tactical roadmap for the GRC Journey
  - Assist with creation of a support model and governance board to provide direction on changes to the tool both during and after the project
  GRC Technology Vendor:
  - Participate, as needed, in Steering Committee meetings
  - Participate in meetings to determine duration and staging of user groups for the strategic GRC roadmap / GRC Journey
2. Convergence & Foundational Elements
  KPMG:
  - Assist with defining the baseline set of taxonomies/values required to set up the tool (such as organizational structure, process list, and risk categories)
  - Assist with gaining agreement on common definitions of terms and ratings criteria to be shared by users
  - Review/document future state process flows for use as a starting point for business requirements
  - Identify and map GRC Technology Vendor tool integration points in future state processes
  - Identify gaps and facilitate discussions for process changes required due to tool capability/functionality
  GRC Technology Vendor:
  - Provide list of configuration options to be defined for initial product setup
  - Create a sandbox environment to facilitate workshop sessions and design decisions
  - Assist with facilitation of targeted demonstration (walkthrough of technology and future state process)
  - Assist with creation of a support model and governance board to provide direction on changes to the tool during the project
3. Program Management
  KPMG:
  - Develop integrated GRC project plan, incorporating each workstream and GRC Technology Vendor timelines
  - Facilitate/participate in project status meetings
  - Provide detailed project plan, budget, risk and scope tracking
  GRC Technology Vendor:
  - Provide project plan for activities assigned to the GRC Technology Vendor to lead (i.e. tool installation, configuration, unit/functional testing, etc.)
  - Participate in project status meetings
  - Provide project status updates, per the agreed-upon project plan, to the PMO
Business Requirements & Reporting
KPMG vs. GRC Technology Vendor – Division of Roles and Responsibilities (continued)
4. People & Change
  KPMG:
  - Create a training strategy and rollout plan by user group and level (i.e. admin, super user, lite user)
  - Develop and train UAT testers
  - Create user-group-specific training guides, presentations, and quick reference guides using client-specific GRC Technology Vendor screen shots to enable the business process
  - Coordinate and instruct training sessions specific to the client's usage of the GRC Technology Vendor tool
  GRC Technology Vendor:
  - Provide super user training guides and screen shots, and hold initial standard tool functionality training
  - Provide standard 'out-of-the-box' training guides
5. Business Requirements & Reporting
  KPMG:
  - Help facilitate sessions with client and GRC Technology Vendor to identify business/functional requirements
  - Review/document detailed future use and functional requirement documents
  - Assist in reviewing/documenting business requirements and the Gap document
  - Determine user access rights, user groups, and user profiles
  - Facilitate sessions to document landing page views and reporting requirements, including quick reports to view daily and those processed nightly in batch
  - Develop mock reports and requirements for integrated reporting needs
  GRC Technology Vendor:
  - Provide attributes/criteria to consider for process mapping
  - Provide detailed advice on tool capabilities based on the client contract
  - Participate in business requirements work sessions, including navigating the dedicated client sandbox to determine field attributes and approval workflows
  - Document business requirements in the Gap document to record areas of the tool that require configuration (such as mandatory fields, pick list values, etc.)
6. Technology Enablement
  GRC Technology Vendor:
  - Perform technical installation
  - Provide on-site support to UAT testers for timely root cause analysis and resolution of defects
  - Assist IT with system integration and interfaces with other systems
  - Perform any configuration changes, software updates, or technical modifications to the software
  - Provide on-going technical support
  KPMG:
  - Develop testing strategy for System Integration Test (SIT), User Acceptance Testing (UAT), and regression testing
  - Assist with the creation of detailed test cases and scripts to ensure business requirements, functional requirements, and technical requirements are being met
  - Perform UAT testing, including detailed defect tracking and validation with the GRC Technology Vendor
Q&A – Open Discussion
Contact Info
Sean Winekauf - Director, ERM & GRC
swinekauf@kpmg.com
Phone:
© 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International.