Payment Card Security & IT Controls Explained

Entries from September 2007

IIA South Eastern Regional Conference Day 2.1 – Effective Compliance Programs

September 28, 2007

The second day of the conference was excellent. Everyone I spoke with regarding the speakers, topics, and materials thought day 2 was the best and blew away the first day. I had the privilege to attend several sessions that focused on Corporate Governance, Audit Committee Oversight duties, Fraud Risk Assessments, and Effective Audit techniques. I was unable to attend the full day on Wednesday, Day 3, but was able to enjoy Ed Robinson’s presentation and a thorough breakdown on the Foreign Corrupt Practices Act (FCPA). I will post my notes from the conference in sections given the need to digest all that I heard prior to posting:

“Structuring an Effective / Comprehensive Compliance Program” was presented as a panel discussion that included several notables, from Ryder, OCEG, Turner, and Southern Company.

  • It was noted that SOX provided several benefits – first, attention and resources around the existing compliance program and the motivation to mature; second, SOX identified how weak many of the technology controls surrounding the financial reporting systems were.
  • A study from the OCEG was presented with several trends and statistics (available – check out this post for the OCEG and many more):
    • The status quo in organizations is the existence of silos (Finance, HR, IT) in the management of compliance and control requirements
    • Technology solutions are trending to bridge these silo gaps and create a central management approach
    • 2/3 of companies were found to be adversely affected by redundant/duplicate controls. These effects included:
      • Pain of reconciling disparate data
      • Difficulty finding the truth
    • 1/2 of all identified failures caused harm and damage to the organization (deficiencies), but these effects were short lived and the memories were quickly forgotten in the organization.
    • Only 14% of respondents had integrated their compliance programs
    • The overarching theme that resonated from the study was the need for consistency and accountability
  • Compliance departments must not become the Department of NO. (A role that IT Security once held, and in some cases still holds)
  • The existence of a Chief Risk or Compliance Officer is attributed to the FSG (Federal Sentencing Guidelines)
  • General overview of the FSG (Mainly pulled from Chapter 8):
    • Possess good policies and procedures
    • Assign a responsible party (Compliance Officer)
    • Existence and presence of a program
    • Communicate / Publish / Train on the program
    • Enforce the Standards
    • React and address problems
    • “Effective” as defined by the FSG is a program that has the ability to identify and prevent criminal activity
    • Note: The government does not care how much was spent on a safeguard, but only that it is effective – business perspectives must be considered
    • The FSG is not a compliance framework or standard for an organization, but should be incorporated to ensure that the organization is protected and that due care is taken for its personnel
  • Challenge of Ethics
    • Organizations can choose to accept fines for non-compliance if only direct costs are considered
    • Ethics are decided based upon social duties, doing the right thing, and based on the maturity of the business
  • When dealing with auditors, create a relationship and seek to understand the intent of the effort
  • Understanding the reasons information is sought allows for the organization to provide the correct information.
  • OCEG – the Red Book published in its current form has recommendations on establishing a compliance program
  • The risk faced by an organization can come from a number of areas and must be centrally owned by a core group, i.e. the Compliance group. These risks may be categorized as environmental, compliance, people, ethics, regulations, and business.
  • A simple method of gaining acceptance by business parties is to first identify the risks (see categories above), second vet these against a formal corporate compliance steering committee (vet and weigh the risks), third give business another pass, and finally compare these digested risks and ratings against any multinational rankings.
  • Benchmarking is very important to ensure a business is not over spending or falling behind in the technology innovations. Benchmarks can be gathered through OCEG and public surveys.
  • Several studies were recommended, including:
  • A common refrain by the panel was that compliance programs should promote the delivery of advanced information on compliance to satisfy the concern of management, the Board, and the Audit Committee
  • Some takeaway tips from the session:
    • Develop an Agreed-Upon Procedures process for GRC
    • Define hard metrics for a framework – consider OCEG Red Book
    • Become certified – whether by ANSI, OCEG, or others
    • A tip by the OCEG spokeswoman was that everyone should join the OCEG study survey process, because all participants get a free customized report that provides benchmarks based on each survey.

Benchmark, Benchmark, Benchmark:

  • Timely and complete statistics for comparison are not easy to locate and absorb into an organization; however, a great tip provided by the panel was to look for bad reports!
  • Bad compliance or failed audit reports that are made public in proxy filings and by government agencies contain huge amounts of information on what was done wrong – Fannie Mae (a 348-page report worthy of any good flight across the pond), Boeing, and CA.
  • Take advantage of free webinars to learn about latest interpretations of laws and requirements

The greatest theme that resonated throughout this session, one-on-one interviews and discussions I had, and those of other sessions can be summed up in the following points:

  • Seek to understand an organization’s culture – even transformational leaders must understand where the river flows before effecting change.
  • Identify areas of value from the compliance program beyond avoiding fines, and contribute to the mission of the business
  • Risk Assessments (of all risk categories) are a necessary starting point before any audit and monitoring is possible.
  • Communicate in a language that can be understood – and gain a presence with the Directors and executive management.

A huge overview, and I hope some value to anyone seeking to hone their compliance programs. There is a tremendous amount of thought leadership in this area, and I encourage anyone to contact me to discuss these points.

Best regards,

James DeLuccia IV

Categories: CoBIT · Compliance · IT Controls · Sarbanes-Oxley · State Laws · audit · auditing · conference · iia · information security · regulations · sox

COSO Releases – Guidance on Monitoring Internal Control Systems

September 20, 2007

Here is a chance for everyone to provide feedback and contributions for a COSO guidance document. It looks very good, and no doubt will become the quintessential guide surrounding this topic, as did the ERM Framework published only a few years ago. So, sharpen those pencils and provide some feedback!

“This business guidance more fully develops the monitoring component of the Internal Control – Integrated Framework to assist companies in ensuring the effectiveness of their financial, operational, and compliance-related internal controls. All interested parties are encouraged to provide feedback regarding the clarity and usefulness of this guidance. The comment period will end October 31, 2007.

News Release announcing exposure of monitoring guidance
Letter from COSO Chairman Larry Rittenberg, Ph.D.
Guidance on Monitoring Internal Control Systems DISCUSSION DOCUMENT
Online Feedback Portal with key survey questions
Microsoft Word Survey for respondents who prefer not to use Online Feedback Portal”

Happy Editing,

James DeLuccia

Categories: Compliance · IT Controls · audit · auditing

Defcon talks – Videos available online

September 14, 2007

Every year there is Hacker conference where some of the brightest minds come together and present their ideas and research. Beyond an awesome gathering of truly unique individuals, I love the sheer magnitude of intelligence and thought around security and technology. The Defcon talks have made it online and are ready for viewing. Thanks to all who made these videos!

An interesting presentation by WhiteHat Security regarding intranet hacking through browsers is available here.

Thanks to SensePost for the heads up!

Technical Alert – these presentations and articles are waist deep in technical information. This is not the standard 30,000-foot view of security.

Best,

James DeLuccia

Categories: Compliance

Article: Wharton to Offer Exclusive Training for CIOs

September 13, 2007

This is a positive theme that is occurring around the country and throughout various consulting firms. Deloitte also recently highlighted the challenges and opportunities that exist between the executive and technology branches of the organization. An interesting point highlighted by DT is that the CIO is currently not perceived as the executive over information, but instead as more of a technology manager. This focus on gears and switches will fade as the role and the requirements of the business evolve. This is consistent with the shifts seen in the CFO suite, where a greater focus is placed on strategy and less on Controller-type activities.

A recent study was released that highlights the information intelligence and satisfaction of the Executive, the Board, and the rest of the C-Suite.

The Article can be found here:

“In a partnership with Gartner, the Wharton now offers high-level CIO education with a focus on the CEO-CIO relationship.”
By John Soat, InformationWeek Bank Systems & Technology

Best,

James DeLuccia

Categories: ROI · Security · audit

Live from the IIA Regional Conference in Atlanta

September 11, 2007

This week is the IIA’s South Eastern Regional Conference in Atlanta, and it has been sold out for some time. I was lucky enough to be invited and plan to post comments and insight for each day. I can only speak on the areas that jumped out, but I hope this information will be helpful to all internal auditors and those passionate about corporate governance. The materials are available to IIA members, and right now you can join at a discount, joining over 130,000 members worldwide.

Day 1 – Monday 9/10/07

First day at the Westin, and we started with a classic big networking morning with roughly 80% in attendance for the breakfast – hosted by Accume Partners. Paul Sobel kicked off the conference after an intro from David Bilko. Paul is known for publishing an excellent text on Enterprise Risk Management (ERM) and a recent textbook. His speech was really geared towards accelerating the profession and stirring up the ranks to aim at the horizons for improvement.

Personally I would have loved to see greater emphasis on promoting the profession at the Director level in companies, and stronger emphasis on promoting the language and depth required to really provide true value to these members. This was highlighted ever so briefly in the Corporate Governance track, but not nearly enough.

The first session I sat through was with Paul Lapides on Corporate Governance and Internal Audit’s role. He presented some good points regarding the lack of focus on controls by boards, and highlighted a recent set of principles he put together this year (as a refresher to an older paper). His newly released paper is available here. An area of special interest was Paul’s comments on how to become a Director with companies, and the benefits he has received as a result.

The second session, by John Montoro of Cherry, Bekaert & Holland LLP, was very enjoyable. He presented on Performance Audit Under the New Yellow Book Standards. Now, unless you are a government-focused auditor, you have been missing this treasure. If it wasn’t for the lunch crowd I sat with today, I too would not have seen the light. The Yellow Book has some excellent information on how audits should be conducted, and a treasure trove of templates, metrics, and reference points. Someday I may dive into the value and nuggets found within the Yellow Book, but until then it is worth a read while you fly to India or across the pond to London.

This was a very enjoyable session with take away information, and was my second favorite of the day. John had passion, gave great insight, spoke at all levels on the topic, and really boiled it down to the meat and potatoes.

The final session I had the privilege to attend was with Bob Anderson of The Home Depot on Process Improvement Reviews. This was by far the fullest session and the best of the day. Granted, I am biased because I was in this session (so it must be good), and I am not objective because I didn’t sit through all the sessions. That said – Bob gave excellent information and a huge amount of takeaway material. Bob focused on the process his company uses to walk through the concerns of the company and determine the best course of action. His process included:

First, identifying the value internal audit provides, ranging across three degrees of value – Audit, Process Improvement, and Strategy. He emphasized that this transition is necessary for companies to truly gain efficiencies in the market with this mindset.

Of particular interest to the attendees was that The Home Depot has established a rotation program where employees work through different audit teams to allow for a near-perfect cross-pollination effect.

Bob recommended a near-six-sigma approach that was boiled down to five steps – Risk Assessment, Project Selection, Discovery, Execution, and Reporting:

  • Risk Assessment – classic examples here (nothing new): business process identification, identify risks, measure, prioritize, graphics
  • Project Selection – I loved how he broke this out, and it created quite a stir in the audience with questions. He places all the projects on risk maps and creates audit plans for three years out.
  • Discovery – Here he emphasized the value roadmap process, which should go beyond simple cost cutting and extend into nearly 12 specific categories
  • Execution – Here the team boils the data pulls down to pure empirical evidence. This was a great point, as in technology specifically the measurements are more subjective and opinionated than they should be in equations that imply precision. He brought forward classics like Pareto Analysis and Fishbone diagrams. An interesting point he made was how much they rely on the classics in their analysis despite having massive resources.
  • Reporting – Of course, presentation to executives and follow-up are the close-out loops.

Bob goes into a great deal of detail and specifics, and it is impossible to fully recount. I strongly recommend you purchase a copy of the slides or video, or call colleagues who went, to hear the additional value points he made.

Overall, Day 1 was very good. If you are not an IIA member and work within the bounds of corporate governance, technology controls, controls in general, or simply manage business divisions, you should consider joining. The fees are reasonable and the available information is tremendously valuable to every enterprise.

Best,

James

Categories: Compliance · IT Controls · Risk Management · Security · audit · auditing · conference · iia · regulations