ERM from a $100M, public company perspective David Wagner, Chief Financial Officer, Entrust, Inc. Presentation to NC State University College of Management: Enterprise Risk Management Round table November 18, 2005

© Copyright Entrust, Inc. 2005 CONFIDENTIAL

Enterprise Risk Management: “An Information Security CFO’s point of view”

• Introduction

• Small Company response to SOX 404

• Information Security Risks


David Wagner, CFO Entrust, Inc.

• BS Accounting, Pennsylvania State University

• MBA, Finance, Pennsylvania State University

• Raytheon Corporation - 1986-1991
• Nortel Networks - 1991-1995
• Entrust Inc., Controller - 1995-2003
• Entrust Inc., CFO - 2003-present


We are Security Specialists…

• Headquartered in Dallas (offices in Ottawa, Washington DC, London, Germany, China & Japan)

• #12 of 600+ security software companies, with approx. $100M in annual revenues

• Industry pioneer and leader, with approximately 500 employees, market leading products and over 100 patents

• Best in class service and support, and integration for leading technology vendors

• Strong financial position - $83M of cash- no debt.


Known by the Customers We Keep

• More than 1450 enterprises and global governments worldwide in over 50 countries have licensed Entrust’s products

• Entrust has prominence with industry leaders around the globe:
– 8 of the top 10 Global Telecom companies
– 7 of the top 10 Global Pharmaceutical companies
– 8 of the top 10 Global Aerospace and Defense Companies
– 7 of the top 10 Global Commercial Savings Banks
– 4 of the top 5 Global Petroleum Companies


SOX 404 at Entrust

1) Approach – a case study

2) Lessons learned about SOX 404

3) Lessons learned about Enterprise Risk


Approach – Accounts & Processes

Per PCAOB and COSO guidance; risk assessment:

– Team identified

– Significant accounts identified
– Materiality
– Inherent risk

– Significant processes identified
– Control risk

– Intersection point of all above: ‘The Matrix’

– Set priority to attack processes


The 404 Team

(Org chart.) Audit Committee; CFO; CIO; Project Manager; Corporate Controller; Finance/Accounting Staff; IT Operations; Legal; Third-Party Audit Firm; External Auditor.

Lucky / Good (two columns):
- Project Manager on staff / Strong Accounting staff (5 CA of 9 staff in 1997)
- Strong CIO with Governance Bias / Good process culture, executive support
- Audit Committee support

(Diagram.) Testing of all key controls; Attestation. Documentation / Peer Reviews / Testing of low-risk accounts & processes.


Management Assertion

What could go wrong?

What are the key controls?


Approach – Initial Findings

• Controls operating and effective but not documented
– Example: Finance Balance Sheet Review meetings.

• Second-level reviews and sign-offs
– Example: Payroll Canada; one person enters, submits, processes and reconciles. Added second-level review of key reports and authorization of any ‘one-off’ payments.
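The Payroll Canada finding is a segregation-of-duties gap, and the remediation is a detective control that can be checked mechanically. The Python below is an added example, not from the deck and not an Entrust tool: it scans a constructed list of payroll events and one-off payments and flags (a) runs where a single person performed every processing step with no review by a different person, and (b) one-off payments with no authorizer or a self-authorizer. The record shapes, step names and sample data are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Record shapes and step names below are constructed for this example;
# they are not Entrust's systems or data.
PROCESSING_STEPS = ("enter", "submit", "process", "reconcile")


@dataclass(frozen=True)
class PayrollEvent:
    run_id: str   # one payroll run
    step: str     # one of PROCESSING_STEPS, or "review" for the second-level check
    actor: str    # user who performed the step


@dataclass(frozen=True)
class OneOffPayment:
    payment_id: str
    submitted_by: str
    authorized_by: Optional[str]  # None when nobody signed off
    amount: float


def single_operator_runs(events: List[PayrollEvent]) -> List[str]:
    """Return run_ids where one person performed every processing step and no
    *different* person reviewed the run. A self-review does not satisfy the
    control: the point of the second level is an independent pair of eyes."""
    by_run: Dict[str, List[PayrollEvent]] = defaultdict(list)
    for ev in events:
        by_run[ev.run_id].append(ev)

    flagged = []
    for run_id, evs in sorted(by_run.items()):
        steps_done = {ev.step for ev in evs if ev.step in PROCESSING_STEPS}
        if steps_done != set(PROCESSING_STEPS):
            continue  # run not finished yet; nothing to conclude
        operators = {ev.actor for ev in evs if ev.step in PROCESSING_STEPS}
        independent_reviewers = {ev.actor for ev in evs if ev.step == "review"} - operators
        if len(operators) == 1 and not independent_reviewers:
            flagged.append(run_id)
    return flagged


def unauthorized_one_offs(payments: List[OneOffPayment]) -> List[str]:
    """One-off payments must be authorized by someone other than the submitter."""
    return [
        p.payment_id
        for p in payments
        if p.authorized_by is None or p.authorized_by == p.submitted_by
    ]


# Constructed sample data: three payroll runs and three one-off payments.
SAMPLE_EVENTS = [
    # 2004-02: the 'before' state, one person does everything, nobody reviews
    PayrollEvent("2004-02-CA", "enter", "alice"),
    PayrollEvent("2004-02-CA", "submit", "alice"),
    PayrollEvent("2004-02-CA", "process", "alice"),
    PayrollEvent("2004-02-CA", "reconcile", "alice"),
    # 2004-03: the 'after' state, same operator but the controller reviews key reports
    PayrollEvent("2004-03-CA", "enter", "alice"),
    PayrollEvent("2004-03-CA", "submit", "alice"),
    PayrollEvent("2004-03-CA", "process", "alice"),
    PayrollEvent("2004-03-CA", "reconcile", "alice"),
    PayrollEvent("2004-03-CA", "review", "bob"),
    # 2004-04: operator 'reviews' her own run, which the control must not accept
    PayrollEvent("2004-04-CA", "enter", "alice"),
    PayrollEvent("2004-04-CA", "submit", "alice"),
    PayrollEvent("2004-04-CA", "process", "alice"),
    PayrollEvent("2004-04-CA", "reconcile", "alice"),
    PayrollEvent("2004-04-CA", "review", "alice"),
]

SAMPLE_ONE_OFFS = [
    OneOffPayment("P-101", "alice", "bob", 1250.00),   # properly authorized
    OneOffPayment("P-102", "alice", None, 900.00),     # no sign-off at all
    OneOffPayment("P-103", "alice", "alice", 430.00),  # self-authorized
]

if __name__ == "__main__":
    print("Runs without independent review:", single_operator_runs(SAMPLE_EVENTS))
    print("One-off payments lacking authorization:", unauthorized_one_offs(SAMPLE_ONE_OFFS))
```

The check deliberately treats a reviewer who is also an operator as no reviewer at all; that is the case an auditor will ask about first, and it is the one a naive "was a review recorded?" query misses.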


Approach – Risk & Controls Repository

Use of existing portal:

- Entrust GetAccess

- Lotus Domino Database

Project Management - Status

(Chart: percent complete per phase at April, July and September.) Phases: 1 Owner Documentation; 2 First Team Review; 3 Owner Rework; 4 Second Team Review; 5 E&Y Review; 6 Test Plan; 7 Internal Testing; 8 GT Formal Review; 9 Formal Remediation; 10 Ongoing Monitoring.


Timeline - September

Entrust Sarbanes-Oxley Compliance Project, 2004 (Gantt chart, Jan–Dec; original timeline April 2004, updated July 2004 and September 2004).

Milestones:
1 Set Objectives and Team
2 Process, Risks, & Controls Documentation
3 Initial owner & team assessments
4 Ongoing Remediation of Controls
5 Formal Internal Control Test Plan & Testing
6 Interim Internal Control Enhancements/Fixes
7 Interim Review, Test & Feedback
8 Ongoing Control Monitoring
9 Final Signoff


Internal Testing Results: Individual Controls (December)

• Total 116 individual controls identified to test
– Green: Testing completed & passed
– Yellow: Testing in progress, item to be reviewed at year end, or in remediation
– Red: Testing resulted in a significant issue, or further testing not yet resolved

(Charts: Entrust Control Testing Status, October (then) vs. December (now).)


Approach – IT General Controls

• Information Security Governance Process
– Risk assessment by business unit based on ISO 17799
– Very little guidance existed for SOX IT issues before July 2004
– Compliance requirements for SOX and other legislation (SB1386, PIPEDA) incorporated in framework and process
– Unacceptable risks result in an action item (SOX example: missing documentation of a key control is itself treated as a risk)
– Focus on Finance data and applications:
• Confidentiality
• Integrity
• Availability
– Mapping of ‘COBIT for SOX’ items back to the framework to ensure coverage


Entrust 404 Project Summary

Entrust 404 Project Scope

• 42 accounts and 66 processes identified
• 41 key processes documented
• 116 key controls identified & tested in Finance
• 92 IT general controls supporting 2 key applications

Entrust 404 Project Cost

• ~20% of 2004 Finance & Accounting staff hours, plus one full-time project manager
• ~30% of 2004 IS/IT resources
• +55% additional fees for external testing (not auditor)
• +101% additional audit fees to external auditor


2 Questions on 404

1) Was it worth what we paid for?

No! $2.5 million - 2.5% of revenue

2) Did you get anything worthwhile from 404?

Yes!

- Risk-based review of the organization
- Internal controls and processes documented
- Internal control processes permeated through the organization: Operations, HR, Legal, IT
- Strengthened ownership of internal controls


Lessons Learned

• Risk based
- focus on significant accounts and processes, and then
- key controls within those accounts and processes.
• Complete documentation internally
• Do not get caught up in a software implementation, but tools are important.
• Establishing a common framework is fundamental
- Information Security Governance
- Risk-based assessment and mitigating controls
• Intellectual Property processes
• Information systems and controls are fundamental


Going Forward – 2005 and Beyond

Maintain documentation as you go.
Build control documentation into everyday processes.
Continuous monitoring and project management.
Objective: reduce costs 50%
- Moved 60% of 3rd-party testing in-house
- Continue to work with external auditor on alternatives to traditional working paper documentation
On-going risk-based focus.


Business compliance realities:

(Diagram.) Enterprises & Governments are extending outside to Customers, Suppliers and Employees: Access to Services & Information, Streamlined Business Processes, Improved Productivity & Self-Service. Alongside this sit Corporate Compliance and Regulatory Compliance: Increased Legislation, Compliance Anxiety.


Governance & Regulation / Extended Enterprise & Govt.

(Diagram.) Governance & Regulation: HIPAA, GLBA, SEC Regulations, BASEL II, Sarbanes-Oxley, EU Data Protection Act, FISMA. Extended Enterprise & Govt.: Employees, Suppliers, Customers.

Enterprise-wide policies required: Policy & Access Management

Shift from Compliance to Risk


Identity Theft

• Not cyber terrorism, but cyber crime
• Intent is to steal personal information for monetary gain
• Diverse targets across different regions and sectors
– Retailers (DSW, BJ Wholesaler’s)
– Data brokers (Choice Point, LexisNexis)
– Universities (USC, Duke, Purdue, Tufts)
– Banks (BOA, Citibank, Wachovia)
– Corporations (Motorola, Time Warner, SAIC)
– Healthcare (Kaiser, San Jose Medical Group)


Brand Impact

Customer Implications

• Cost of incident
– A Gartner study found the average identity breach costs a consumer $1,500.
• End-user loyalty and preferences
– A Nationwide Mutual Ins. study found that it takes approximately 81 hours for a consumer to repair the damage caused by identity theft
• Business relationships
– Visa severed its business relationship with CardSystems Solutions, Inc.
• Drop in stock price
– Firms that had a security breach involving credit card information suffered a stock market loss of 9.3% the first day, increasing to 14.9% over three days.
• Stagnant market growth
– Online banking stagnant at 39% of Americans over the past 12 months


Online Identity Fraud Driving Industry Mandates

Financial Institutions will be expected to achieve compliance…no later than year-end 2006

The guidance describes enhanced authentication methods that regulators expect banks to use when authenticating the identity of customers…

18% of all respondents stopped or decreased online banking in the last 12 months!


Information Security Governance

• Info security has become a fundamental business issue at the CEO and Board level
• Balance IT investments with business risk decisions and put into a framework for implementation
• Outlines accountability at various management levels, plus core elements of an information security program
• Recognized the need to treat info security as a continuous improvement process

Corporate Governance Task Force – Apr. 2004

www.cyberpartnership.org


Why Enterprise Risk Management?

• Information security
– Headlines confirm failures produce real business impact
• Regulatory compliance
– Inconsistent “best” practices being self-imposed
• Enterprise risk management
– Helps position audit findings and legal liabilities
• Search for the Holy Grail
– A single framework to provide focus and efficiency


ISG – Keys to Successful Deployment

• Identify key systems (NIST SP 800-18)
• Simple subjective risk assessment (OMB A-130 App. III)
• Risk expressed in words (threat, vulnerability, impact)
• Red - Yellow - Green ranking (FIPS PUB 199)
• Iterative process, progressive detail (GAO/AIMD-00-33)
• Transparent process with summary reporting (GAO/AIMD-98-68)
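The bullets above describe a method rather than a product, so here is an added example, not from the deck and not an Entrust tool, of the smallest register that follows them in code: each risk is stated in words (threat, vulnerability, impact), scored on confidentiality, integrity and availability with the FIPS 199 levels, collapsed to one level per system with the high-water mark that FIPS 199/200 use, coloured Red/Yellow/Green, and summarised per system so the report can be re-run after every quarterly session. The mapping of low/moderate/high to Green/Yellow/Red, the record layout and every register entry are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# FIPS 199 potential-impact levels, ordered so that the highest wins.
LEVEL_ORDER = {"low": 1, "moderate": 2, "high": 3}

# Assumed colour mapping. The slide pairs Red-Yellow-Green with FIPS 199 but
# does not spell the mapping out; low/moderate/high -> Green/Yellow/Red is an
# assumption of this example.
COLOUR = {"low": "Green", "moderate": "Yellow", "high": "Red"}


@dataclass(frozen=True)
class Risk:
    system: str           # a key system from the SP 800-18 style inventory
    threat: str           # the risk in words: who or what ...
    vulnerability: str    # ... exploits which weakness ...
    impact: str           # ... with what business consequence
    confidentiality: str  # FIPS 199 impact level: low / moderate / high
    integrity: str
    availability: str


def high_water_mark(*levels: str) -> str:
    """Highest of the given FIPS 199 levels. Rejects anything outside the
    vocabulary so a typo in a manager's spreadsheet cannot silently rank as low."""
    for lvl in levels:
        if lvl not in LEVEL_ORDER:
            raise ValueError(f"unknown FIPS 199 impact level: {lvl!r}")
    return max(levels, key=LEVEL_ORDER.__getitem__)


def security_category(risk: Risk) -> str:
    """FIPS 199 states a category as (C, impact), (I, impact), (A, impact);
    FIPS 200 collapses that to a single level via the high-water mark."""
    return high_water_mark(risk.confidentiality, risk.integrity, risk.availability)


def rank(risk: Risk) -> str:
    """Red / Yellow / Green for one register entry."""
    return COLOUR[security_category(risk)]


def risk_statement(risk: Risk) -> str:
    """The risk expressed in words, the way the slide asks managers to state it."""
    return f"{risk.system}: {risk.threat} exploits {risk.vulnerability}, causing {risk.impact}"


def summary_report(register: List[Risk]) -> Dict[str, object]:
    """Summary for transparent reporting: worst colour per system plus colour counts.
    Idempotent, so it can be re-run as entries are refined each quarter."""
    worst: Dict[str, str] = {}
    for risk in register:
        worst[risk.system] = high_water_mark(worst.get(risk.system, "low"), security_category(risk))
    by_system = {system: COLOUR[level] for system, level in worst.items()}
    return {"by_system": by_system, "counts": dict(Counter(by_system.values()))}


# Constructed sample register (illustrative entries, not Entrust's assessment).
REGISTER = [
    Risk("Finance application", "a malicious insider",
         "one person entering, submitting, processing and reconciling payroll",
         "fraudulent or erroneous payments in the financial statements",
         "moderate", "high", "low"),
    Risk("Finance application", "a disk failure at month-end",
         "an untested restore procedure for the general ledger database",
         "a late close and a delayed filing",
         "low", "moderate", "moderate"),
    Risk("Corporate email", "a phishing campaign",
         "users who cannot tell forged mail from real mail",
         "disclosure of employee credentials",
         "moderate", "low", "low"),
    Risk("Public web site", "a defacement attempt",
         "an unpatched web server",
         "reputational harm",
         "low", "moderate", "low"),
]

if __name__ == "__main__":
    for entry in REGISTER:
        print(f"[{rank(entry):6}] {risk_statement(entry)}")
    print(summary_report(REGISTER))
```

Keeping the three objectives separate in each entry, and only collapsing them in the roll-up, is what lets the same register answer both the ISG question (where is our worst exposure?) and the SOX question (which systems carry a high integrity impact on financial data?).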


One Way Forward

• One-hour sessions quarterly with managers to review:
– Ask them what they think the risks are
– Assessment of controls/residual risk per ISO 17799 element
– Use the session to raise awareness of threats and risks
– Follow up with groups they defer to (IT, Legal, HR)
• Consolidate view across the organization
– Feedback to managers where they stand relative to others
– Share results up the management chain, request feedback
• Let the managers do the assessment
– If you can't convince them it's a risk, they won't deal with it
– They can put it into business terms better than you can
• Executive sponsorship is NOT required
– They are accountable; work with it


How did ISG help our compliance efforts?

• Almost immediate reduction in D&O insurance cost
• Framework for internal control assessment
– processes and responsibilities were already defined
– it was not a separate compliance effort – SOX control assessment fit into it
• Provided laser focus on the compliance issues
– covered all audit topics at the heart of major regulations
– still little guidance, poor audit standards, multiple regulations to check
– ISG provided us with the list of areas of concern with very little excess
• Contained our audit fees
– we experienced an over 100% increase, and they called us “best in class”
– knowing our business risks made it easy to focus on our risks & our systems, not simply “best practices”


Conclusions

• SOX 404 impacts
– changed corporate governance permanently
– need to improve cost/benefit through risk-based assessment
• Enterprise risk is increasingly important
– Provides a common framework for evaluating non-ROI projects
– Executive officers are accountable
• Information security issues moving to risk management
– Enterprises are increasingly based on information
– Higher-value assets are intangible; related business risk increasing
– Inherent conflict between ROI-focused CIOs and information risk mitigation
• Continuous improvement – quality model