Governance SPICE
6th EU Certificates (EUCert) Days, “Politehnica” University of Timişoara, Romania, 22 - 23 September 2011
Applying COSO/COBIT SPICE based infrastructure and ECQA certificates to create trust and transparency in European industry
BPM GOSPEL (LLP-LDV-TOI-2010-HU-001)
This project has been funded with support from the European Commission. This publication reflects the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein.
János Ivanyos
Memolux Ltd.
Dr. József Roóz
Budapest Business School
BPM GOSPEL - Business Process Modelling for Governance SPICE and Internal Financial Control
Topics
• Trust and Effective Governance
• ”Governance” SPICE Roadmap (2005-2012)
• COBIT/COSO Process Assessment Model
– Governance Capability - Mapping COSO Objectives with ISO/IEC 15504 Capability Levels
• Linking Governance to Sustainable Value Creation
– Governance Model for Trusted Businesses
– Multi-layer business assurance technology
• ECQA for Trusted Businesses
Why Does Industry Need Trust?
Turbulent economic environment
• Financial crisis and economic downturn
• Global impact on local/sectoral markets
• General cost cutting leads to a decline of available (in-house and/or outsourced) competency levels
Stakeholders’ expectations
• Predictable business benefits (more explicit tolerance levels)
• Conservative risk-taking (redefinition of risk appetites)
• Higher management accountability (with balanced compensation)
• No governance scandals or regulatory non-compliance issues jeopardizing reputation
• Cost effective controls (fewer duplicates or overlaps)
Sector specific
• More interdependences among business partners
• Faster reaction to market needs
• Supply chain management requires long term credibility
How Trust Depends on Effective Governance
Less isolated risk and compliance management programs
• More responsibility at the ”Chief Executive” level of management
• Set links between strategic business objectives and management control processes
• Integrated assessment/audit approaches
Transparency
• Applying business objectives for managing/supervising compliance programs
• Presenting excellence in an understandable way (format)
• Using competent and qualified human resources
• Assuring accuracy by harmonizing time horizons with business objectives
Coverage
• Defining the business operation boundary conditions
• Leveraging the business opportunities (sustainability)
• Addressing the sector-specific technical/regulatory (control) requirements of the core business activities
Validation of Governance SPICE Competencies
(Figure: Governance, Risk and Controls; SPICE; Audit; EU Certification & Qualification; together building TRUST for Industry.)
”Governance” SPICE Roadmap (2005-2012)
Refers to
• Governance, Risk and Controls (OECD Principles, Regulations, Audit Standards) based on different concepts (IA-Manager 2005-2007)
• Recognized Control Frameworks (COSO & COBIT)
• Risk Tolerance and Risk Appetite (COSO ERM)
• Performance Measurement (COBIT)
• Process Capability Assessment (ISO/IEC 15504-2)
• Evaluating Process-related Risk (ISO/IEC 15504-4)
• Organizational Maturity (ISO/IEC TR 15504-7)
by using a multilingual ontology (MONTIFIC 2008-2010)
• Terminology database
• Ontology model
to leverage sustainable value creation (GOSPEL 2010-2012)
• Governance Model for Trusted Businesses
• Multi-layer business assurance technology
COSO Objective Categories mapped to COBIT Performance Drivers
• Strategic (high-level goals, aligned with and supporting the entity’s mission): Strategic goals driven by the outcome measures of Established IT processes
• Operations (effective and efficient use of the entity’s resources): Effective and efficient business operation driven by the outcome measures of Managed IT processes
• Reporting (reliability of reporting): Reliable IT operation driven by the outcome measures of Performed IT processes
• Compliance (compliance with applicable laws and regulations): IT goals driven by the outcome measures of IT activities
Using COSO & COBIT Process Assessment Models
(Figure: Governance SPICE measurement framework. Elements: COSO 20 control processes; COBIT 34 ITGC processes; Financial Reporting Activities; Business Processes; Business Process Models; Risk Tolerance; Risk Appetite; Supervision & Management.)
Evidence Focusing on Objective Categories
COSO Objectives for Trusted Businesses
Evidence type and the goals it supports:
• Assessments: Effectiveness goals
• Metrics: Efficiency goals
• Policies: Standardization goals
• Procedures: Deployment goals
• Workprograms: Management goals
• Workproducts: Documentation goals
• Activities: Process goals
The evidence is mapped against the COSO objective categories (Strategic, Operations, Reporting, Compliance objectives), from the organizational levels down to the operational levels.
COSO Objectives for Trusted Businesses mapped to ISO/IEC 15504 Capability Levels
• Strategic objectives (high-level goals, aligned with and supporting the entity’s mission): defined by COSO ERM and driven by Internal Control; processes consistently enacted within defined limits
• Operations objectives (effective and efficient use of the entity’s resources): based on reliable reporting, driven by Level 3 Established; defined processes used, based on a standard process
• Reporting objectives (reliability of reporting): achieved by performing compliant processes, driven by Level 2 Managed; managed processes with established, controlled and maintained work products
• Compliance objectives (compliance with applicable laws and regulations): driven by Level 1 Performed; implemented processes achieving the process purpose
COBIT processes
Plan and Organize (PO)
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organisation and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects
Acquire and Implement (AI)
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes
Deliver and Support (DS)
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations
Monitor and Evaluate (ME)
ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Compliance With External Requirements
ME4 Provide IT Governance
COSO processes
Control Environment (CE)
Integrity and Ethical Values (IEV)
Oversight Board (OB)
Management’s Philosophy and Operating Style (MPO)
Organizational Structure (OS)
Financial Reporting Competencies (FRC)
Authority and Responsibility (AR)
Human Resources (HR)
Risk Assessment (RA)
Financial Reporting Objectives (FRO)
Financial Reporting Risks (FRR)
Fraud Risk (FR)
Control Activities (CA)
Integration with Risk Assessment (IRA)
Selection and Development of Control Activities (SD)
Policies and Procedures (PD)
Information Technology (IT)
Information and Communication (IC)
Financial Reporting Information (FRI)
Internal Control Information (ICI)
Internal Communication (IC)
External Communication (EC)
Monitoring (MO)
Ongoing and Separate Evaluations (OSE)
Reporting Deficiencies (RD)
Linking Governance to Sustainable Value Creation
Why Is a New Model Needed?
• The well established and recognized control frameworks and process reference models, like COSO and COBIT, could be used for effective and efficient enterprise governance, if only management established its own governance related objectives.
• Unfortunately, the structures of control frameworks and reference models are not easily interpretable by enterprise management for setting their business-specific governance objectives.
• Furthermore, the external and internal audit standards and literature are also not really supportive in these terms.
Governance Model for Trusted Businesses
The new Model
• keeps both the enterprise management and the audit assurance logic in mind,
• presents governance processes in line with the objectives relevant for enterprise management,
• provides an exact mapping to the processes of control frameworks (reference models) accepted and used by auditors for compliance attestation, and
• provides descriptions and application practices of governance processes for management assertions and audit reports, giving assurance of trusted and sustainable business operation.
Governance Model for Trusted Businesses: Setting Governance Objectives
• Supporting Business Sustainability (leveraging opportunities)
– Competitiveness
– Exploitability
– Satisfaction
• Supporting the Organization’s Internal Control System
– Risk Awareness
– Accountability
– Competency
– Accuracy
– Process Integrity
– Data Protection
– Commitment
– Control Efficiency
Determining the Application Process for a Governance Objective (Accuracy)
Governance Objective: Accuracy / Information Reliability Ensured
Key Risk: Inconsistency in data architecture and disclosure elements
Risk Factor 1: Information architecture is inconsistent with processing requirements
– Response: Maintaining an effective information architecture and data model
– Applicable process: Define the Information Architecture (COBIT)
– Application practice: Satisfy the business requirement of being agile in responding to requirements; provide reliable, consistent information, and seamlessly integrate applications into business processes.
Risk Factor 2: Non-compliance with rules and regulations is not detected in time
– Response: Information is systematically collected and assessed to detect compliance issues, privacy problems and fraud
– Applicable process: Financial Reporting Information (COSO)
– Application practice: Pertinent information is identified, captured, used at all levels of the organisation, and distributed in a form and timeframe that supports the achievement of the organization’s financial reporting and trusted business objectives.
Risk Factor 3: Availability and quality of control information are not sufficient
– Response: Control information for automated process settings, data manipulations and calculations is maintained systematically
– Applicable process: Internal Control Information (COSO)
– Application practice: Information used to execute other control components is identified, captured, and distributed in a form and timeframe that enables personnel to carry out their internal control responsibilities.
BPM GOSPEL: Multi-layer business assurance technology
Concept of 4 layers in BPM GOSPEL:
• Transaction Processing (e.g. payroll system)
• Workflow/Control Management Tool
• Compliance/Audit Management – Stages ”Governance” Edition (Method Park AG)
• Certification – Capability Advisor (ISCN)
ECQA Job-roles related to Governance SPICE
• Internal Financial Control Assessor
– Skill Card based on the COSO PRM
– 800+ exams (Europe-wide)
– Pool of ca. 600 multiple choice questions
• Governance SPICE Assessor
– Skill Card developed (3 units covering GRC, Process Assessment and Governance Capability)
– Training materials for IFCA trainers integrated with IFCA Moodle courses (training.ia-manager.org)
– Possible extension with the new Governance Model for Trusted Businesses
– Evidence based testing is planned in 2012
ECQA for Trusted Businesses
• Current status
– Qualification of Governance SPICE related job-roles, exam and training bodies
– Certification for trainers and trainees
– Promotion by ECQA portal and events
• For the future
– ECQA cannot provide certificates for assessed (trusted business) companies.
– However, by referring to the international background, ECQA certified Governance SPICE Assessors may feed a joint pool on a ”Trusted Business Partners” portal, promoting their local activities and providing Europe-wide presence of their clients.
– Suggestion: www.trustedbusinesspartners.eu
– Also applicable for other ECQA job-roles.
More information: www.ia-manager.org
Contact: [email protected]
Thank you for your attention!