Go ve rna nc e Oc to b e r 28, 2016 Auditing Spe a ke r Pro file s - - PDF document
Go ve rna nc e Oc to b e r 28, 2016 Auditing Spe a ke r Pro file s Da n Gra ve s, CPA Austin Se nio r Ma na g e r, Risk Adviso ry Se rvic e s 10 ye ars o f e xpe rie nc e in public ac c o unting with e mphasis risk manage me nt and inte
2
Pa rtne r-in-Cha rg e , I T Adviso ry Se rvic e s
18 ye ars o f e xpe rie nc e in manage me nt c o nsulting and risk adviso ry se rvic e s
Austin Se nio r Ma na g e r, Risk Adviso ry Se rvic e s
10 ye ars o f e xpe rie nc e in public ac c o unting with e mphasis risk manage me nt and inte rnal audit
3
4
5
– F
e xpe rtise , da ta mo de ling
– Insig ht: Busine ss insig ht, le ve ra g e K
PI s, b e nc hma rks, c o ntro l a nd pro c e ss e ffe c tive ne ss
– Hindsig ht: Mo nito r c o ntro l a nd c o mplia nc e , risk
drive n
6
Gove rna nc e is foc use d on providing dire c tion a nd
7
8
Asse sso r Adviso r Advo c a te Ca ta lyst
– Pro mo te a ppro pria te e thic s a nd va lue s – E
nsure e ffe c tive pe rfo rma nc e ma na g e me nt
– E
ffe c tive c o mmunic a tio n o f risk a nd c o ntro l info rma tio n
– E
ffe c tive c o o rdina ting a c tivitie s
– E
ffe c tive c o mmunic a tio n b e twe e n e xte rna l a udit, b o a rd, inte rna l a udit, a nd ma na g e me nt
9
S tandard 2130 the iia.o rg
11
GOVE RNANCE
Boa rd Role s & Ove rsig ht Stra te g y, Polic ie s a nd Proc e dure s Struc ture & Ac c ounta bility Communic a tion & Re porting Asse ssme nt & Risk Ma na g e me nt E thic s
12
13
14
15
16
17
IT GOVE RNANCE
18
Org a niza tiona l Gove rna nc e Struc ture s E xe c utive L e a de rship Support Stra te g ic & Ope ra tiona l Pla nning Se rvic e De live ry & Me a sure me nt IT Org a niza tion & Risk Ma na g e me nt
19
20
21
22
23
– I
nte rna l Co ntro l F ra me wo rk fo r the Go ve rna nc e Struc ture
– I
ndustry b e st pra c tic e s
25
– I
nte rna l Co ntro l F ra me wo rk fo r the Go ve rna nc e Struc ture
– F
ra me wo rk fo r Go ve rna nc e a nd Ma na g e me nt if E nte rprise I T
– Auditing I
T Go ve rna nc e
26
27
www.isac a.o rg/ c o bit
Sta ke holde r Ne e ds Se pa ra te Gove rna nc e & Ma na g e me nt Holistic Approa c h E nd- to- E nd E nte rprise Cove ra g e Sing le Inte g ra te d F ra me work
28
IT OPE RAT IONS IT PROJE CT S INF ORMAT ION SE CURIT Y IT GOVE RNANCE
GT AG 17 c o ve rs a spe c ts
sho uld b e in pla c e to e nsure I T suppo rts the stra te g ie s a nd o b je c tive s
I t a lso de sc rib e s e le me nts
a nd pe rfo rma nc e fra me wo rks suc h a s b a la nc e d sc o re c a rds, ma turity mo de ls, a nd q ua lity syste ms.
va lua tio n
– Re fe re nc e to c a te g o rize a nd hig hlig ht c ha ra c te ristic s o f
the ma turity sta g e o f a n o rg a niza tio n fo r e a c h o f the ke y e le me nts o f g o ve rna nc e
– Allo ws a udito rs the fle xib ility to a sse ss g o ve rna nc e ma turity
a c ro ss the c o ntinuum
– Ma na g e me nt is a ffo rde d the o ppo rtunity to unde rsta nd
the e ffo rts re q uire d o f a ll sta g e s o f ma turity
29
Go ve rna nc e is dyna mic a nd is diffe re nt fo r va rio us
g a ine d prio r to pe rfo rming a udit pro c e dure s
– Ag e o f the o rg a niza tio n/ pro g ra m – E
xte rna l sta ke ho lde r e xpe c ta tio ns
– Vo lume o f sta ke ho lde rs a ffe c te d
a ilo r a udit pro c e dure s to de te rmine a c tua l sta g e
30
T
sta g e o f ma turity fo r the o rg a niza tio n must b e e sta b lishe d a s a “b a se line ” fo r the a udit.
31
Attribute Initial Repeatable Defined Managed Optimizing
Board Roles and Oversight Are Board roles explicitly defined through committees and charters? How consistently and effectively does the Board provide oversight to the
Board does not have defined committees, a charter or bylaws and objectives have not been defined for the organization Board has defined committees and communicated objectives and requirements for the organization Board and its committees have established charters that been developed to align with the
Board and its committees are functioning at the defined state building the foundation for a strong risk governance culture Board and committees are committed to continuously improving capabilities at managed stage Strategy, Policies and Procedures Are the strategy, goals, objectives, policies, and procedures for supporting the organization's mission clearly defined? What are the key performance measures and metrics to monitor achievement of the mission? Is the strategy communicated, documented, and aligned? General understanding of strategic plan and vision. Policies and procedures are dependent on seasoned staff to carry out
performance measures for evaluating achievement of mission and objectives Informal policies and procedures exist and support strategic direction and key performance measures and metrics Strategic plan has been developed, and key performance measures and metrics are defined. Policies and procedures are refined and documented Strategic plan and goals are agreed upon and meaningful performance measures and metrics are in place. Policies and procedures are reviewed, revised, and communicated throughout the entity on a defined schedule. Performance metrics that align with the entity's mission are monitored Strategic plan and goals are understood and redefined annually. Policies are continuously evaluated
achieve the desired risk/reward
and metrics are regularly monitored and reported to management to monitor achievement of goals and
Structure and Accountability How effective is the structure of the
managing programs, hiring, training and staff development, evaluating performance, and succession planning? Are roles and responsibilities defined with adequate staffing? Limited accountability due to absence of clearly designated people charged with managing programs, evaluating performance, and overseeing specific risks Responsibilities and authorities are defined for specific individuals and roles in addition to identifying staff development needs Roles and responsibilities are clearly defined, robust management reports are utilized, key performance indicators are integrated into decision making processes, and career ladders are established Formal lines-of-defense framework is implemented, risk measures are linked to performance goals, early warning systems are in place, capital allocation techniques are effectively deployed, and staffing levels are systematically determined Organizational structure and delegation of authority is effective and improvement initiatives are established and are integrated with development and risk management plans Communication and Reporting What are types of communication used for board reporting, internal reporting, staff meetings, dashboards and public information? Informal communication and reporting guidelines exist Basic reporting structure in place; including board reporting, retaining meeting minutes and agendas, and consistent updates to staff Objectives and performance metrics are integrated into enterprise wide systems, providing dashboard reporting and performance management Formal guidelines in place for consistent and timely communication to the board, internally to staff, and the public Entity wide reporting needs are adequately serviced and the Board periodically evaluates performance management and communication effectiveness Assessment and Risk Management What processes are in place to monitor progress for meeting stated
management, and compliance? Monitoring goals, objectives, and compliance is informal. Risk management is fragmented and ad
in silos and the organization behaves reactively to events. There is no monitoring of performance metrics Basic risk management policy structures and processes are in place, including performing an annual risk assessment; performance goals are informally established; performance metrics are informally monitored Evidence of risk-sensitive and risk- aware decision making; control deficiencies drive improvement initiatives; risk measures are linked to performance goals Improved quantification, time tested models, and data analytics assist decision makers with forecasting and scenario planning analysis to identify emerging risks and anticipate potential disruptive
regularly monitored All elements of the risk management structure fully align with business environment changes; compliance and performance goals are continuously monitored and used to analyze risk trends associated with goals and objectives
Governance Maturity Model
32
Initia l Re pe a ta ble De fine d Ma na g e d Optimize d
33
silo s; fre q ue ntly no t mo nito re d
no t de fine d
nc o nsiste nt a c c o unta b ility struc ture
nfo rma l c o mmunic a tio n inte rna lly a nd e xte rna lly
c ha rte rs do no t e xist
sta nda rdize d pro c e sse s
nc o nsiste nt
thic s po lic y do e s no t e xist
34
ma na g e me nt po lic y struc ture s e sta b lishe d
a re info rma lly mo nito re d
le a de rship po sitio ns e xist
ide ntifie d
nfo rma l pe rfo rma nc e me tric s a nd g o a ls e sta b lishe d
struc ture in pla c e ; inc luding b o a rd re po rting , re ta ining me e ting minute s a nd a g e nda s, a nd c o nsiste nt upda te s to sta ff
nfo rma l po lic ie s a nd pro c e dure s e xist to suppo rt stra te g ic dire c tio n
b o a rd sub -c o mmitte e s
nfo rma l e thic s po lic y a nd g uida nc e e xists
35
re g ula rly pe rfo rme d
to pe rfo rma nc e g o a ls
re spo nsibilitie s a re c o mmunic a te d
mo nito re d a nd inte g ra te d
pe rfo rma nc e me tric s inte g ra te d into e nte rprise -wide syste ms
a nd pe rfo rma nc e ma na g e me nt
pe rfo rma nc e me tric s a re de fine d
do c ume nte d po lic ie s a nd pro c e dure s
ha ve fo rma l c ha rte rs
do c ume nte d e thic s po lic y
re po rting
36
PI s a nd da ta a na lytic s a re inte g ra te d into pe rfo rma nc e mo de ls
pla c e to ma na g e risks
pe rfo rma nc e g o a ls
PI s a re a c tive ly mo nito re d a nd e a rly wa rning syste ms a re in pla c e
b o a rd, inte rna l a nd e xte rna l c o mmunic a tio n a re in pla c e
a nd g o a ls
PI s a lig n with stra te g ic pla n
upda te d a nd ma inta ine d re g ula rly
func tio n a t De fine d sta te
a nd re po rting e thic s c o mplia nc e
a nd c o mmunic a tio ns
37
a sso c ia te d with K PI s a re c o ntinuo usly mo nito re d a nd a na lyze d
impro ve me nts a re inte g ra te d with de ve lo pme nt a nd risk ma na g e me nt pla ns
ntity-wide re po rting ne e ds a re a de q ua te ly se rvic e d
g o a ls a re re de fine d a nnua lly
PI s a re re g ula rly mo nito re d a nd re po rte d
a re c o ntinuo usly impro ving c a pa b ilitie s
thic s c o mplia nc e mo nito ring is inte g ra te d into pro c e sse s
mo nito ring
38
ittle to no da ta sha ring b e twe e n syste ms
T risk a sse ssme nt
T ro le s a nd struc ture a re no t we ll de fine d
T a c q uisitio ns a re no t sta nda rdize d
T Co sts a re no t tra c ke d within I T
me tric s o r me a sure s a re e sta b lishe d
O is vie we d a s pa rt o f I T , no t se nio r ma na g e me nt
de pe nde nt o n se a so ne d sta ff
(ste e ring c o mmitte e , c ha ng e a ppro va l b o a rd, e tc .) do no t e xist
39
no t inte g ra te d o r a uto ma te d
T risks a re info rma lly a sse sse d
a c tic a l pla ns fo r stra te g ic dire c tio n
T
b ut ha s b lurre d line s o f re spo nsibility
T c o sts a re tra c ke d b ut no t e a sily re la ta b le to ke y initia tive s o r the stra te g ic pla n
nfo rma l po lic e s a nd pro c e dure s
O is c o nside re d pa rt
b ut ha s no fo rma l de finitio n
nfo rma l I T de c isio n b o die s a re fo rme d
T g o ve rna nc e c o mmunic a tio ns
40
nte g ra te d a nd a uto ma te d da ta sha ring
a c tic a l o pe ra ting pla ns a re de fine d
me tric s a re de fine d
As a re e sta b lishe d a nd
T va lue a nd de live ra b le s a re me a sure d a g a inst the SL A a nd I T stra te g ic pla n
T stra te g ic pla n is de fine d
a re de fine d a nd a lig n with stra te g ic pla n
de fine d c ha rte rs
he ro le o f de c isio n b o die s is c o mmunic a te d a nd unde rsto o d
41
a rc hite c ture
nve nto ry o f I T infra struc ture a nd a pplic a tio ns is de fine d
a c tic a l o pe ra ting pla ns a re mo nito re d a nd re vise d, a s ne c e ssa ry
PI s a re mo nito re d a nd c o st- b e ne fit de c isio ns a re inte g ra te d into wo rkflo ws
T
a re a c tive ly tra c ke d a g a inst b udg e t
T stra te g ic pla n is c o o rdina te d a nd a lig ne d with
pla n
inte g ra te d with
pla n
inc lude d in da ily wo rkflo w
42
T risk a sse ssme nts a re c o nduc te d a nnua lly a nd inte g ra te it stra te g ic pla nning
T sta ffing me tric s a re mo nito re d to e nsure a de q ua te re so urc e s a re a va ila b le
T c o sts a re pro a c tive ly tra c ke d
T va lue is me a sure d a g a inst SL As a nd stra te g ic pla n
e c hno lo g y tre nds a re mo nito re d a nd e va lua te d fo r impa c t to the I T stra te g ic pla n
PI s a re inte g ra te d into da ily wo rkflo w
T Stra te g ic pla n is re g ula rly re vie we d a g a inst
ffe c tive c o mmunic a tio n te c hniq ue s
– Visua ls (c ha rts, g ra phs) – E
ffe c tive la ng ua g e
finding s a he a d o f time
g o ve rna nc e ma turity
pre sc riptive re c o mme nda tio ns fo r e xe c utio n to a c hie ve the g o a l ma turity sta g e
43
44
Maturity Level
Governance Maturity Assessment
Current Goal
Initial Defined Managed Optimizing Repeatable
Maturity Level
Board Oversight
Current Goal
Initial Defined Managed Optimizing Repeatable
Pre se nting b o th the Go ve rna nc e re sults a s a who le a nd the individua l e le me nts pro vide a c le a r re pre se nta tio n
Re c o g nizing the inc re me nta l a c hie ve me nts o f the sta g e o f ma turity o ffe rs the o ppo rtunity to g a in the a c c e pta nc e o f ma na g e me nt a nd the o the r a udite e s
a rly b uy-in a nd c o mmunic a tio n
ime ly c o mmunic a tio n
the impa c t o f the po litic a l e nviro nme nt
a c kno wle dg e s a c hie ve me nts a nd po rtra ys tre nds a nd c o mpa riso ns fo r impro ve me nts
45
b ria n.tho ma s@ we a ve r.c o m da nie l.g ra ve s@ we a ve r.c o m
we a ve r.c om