
Governance SPICE

6th EU Certificates (EUCert) Days, “Politehnica” University of Timişoara, Romania, 22 - 23 September 2011

Applying COSO/COBIT SPICE based infrastructure and ECQA certificates to create trust and transparency in European industry

BPM GOSPEL (LLP-LDV-TOI-2010-HU-001)

This project has been funded with support from the European Commission. This publication reflects the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein.

János Ivanyos

Memolux Ltd.

[email protected]

Dr. József Roóz

Budapest Business School

[email protected]


BPM GOSPEL - Business Process Modelling for Governance SPICE and Internal Financial Control

Topics


• Trust and Effective Governance
• ”Governance” SPICE Roadmap (2005-2012)
• COBIT/COSO Process Assessment Model
  – Governance Capability - Mapping COSO Objectives with ISO/IEC 15504 Capability Levels
• Linking Governance to Sustainable Value Creation
  – Governance Model for Trusted Businesses
  – Multi-layer business assurance technology
• ECQA for Trusted Businesses


Why Does Industry Need Trust?

Turbulent economic environment
• Financial crisis & economic downturn
• Global impact on local/sectoral markets
• General cost cutting leads to a decline of available (in-house and/or outsourced) competency levels

Stakeholders’ expectations
• Predictable business benefits (more explicit tolerance levels)
• Conservative risk-taking (redefinition of risk appetites)
• Higher management accountability (with balanced compensation)
• No governance scandals or regulatory non-compliance issues jeopardizing reputation
• Cost effective controls (fewer duplicates or overlaps)

Sector specific
• More interdependencies among business partners
• Faster reaction to market needs
• Supply chain management requires long-term credibility



How Does Trust Need Effective Governance?

Less isolated risk & compliance management programs
• More responsibility of the ”Chief Executive” level management
• Set links between strategic business objectives and management control processes
• Integrated assessment/audit approaches

Transparency
• Applying business objectives for managing/supervising compliance programs
• Presenting excellence in an understandable way (format)
• Using competent and qualified human resources
• Assuring accuracy by harmonizing time horizons to business objectives

Coverage
• Defining the business operation boundary conditions
• Leveraging the business opportunities (sustainability)
• Addressing the sector-specific technical/regulatory (control) requirements of the core business activities



Validation of Governance SPICE Competencies

[Figure: Governance, Risk and Controls; SPICE; Audit; EU Certification & Qualification; together yielding TRUST for Industry]


”Governance” SPICE Roadmap (2005-2012)

Refers to
• Governance, Risk and Controls (OECD Principles, Regulations, Audit Standards)

based on different concepts (IA-Manager 2005-2007)
• Recognized Control Frameworks (COSO & COBIT)
• Risk Tolerance and Risk Appetite (COSO ERM)
• Performance Measurement (COBIT)
• Process Capability Assessment (ISO/IEC 15504-2)
• Evaluating Process-related Risk (ISO/IEC 15504-4)
• Organizational Maturity (ISO/IEC TR 15504-7)

by using multilingual ontology (MONTIFIC 2008-2010)
• Terminology database
• Ontology model

to leverage sustainable value creation (GOSPEL 2010-2012)
• Governance Model for Trusted Businesses
• Multi-layer business assurance technology



COSO Objective Categories | COBIT Performance Drivers
--- | ---
Strategic: high-level goals, aligned with and supporting entity’s mission | Strategic Goals driven by the outcome measures of Established IT processes
Operations: effective and efficient use of entity’s resources | Effective and efficient business operation driven by the outcome measures of Managed IT Processes
Reporting: reliability of reporting | Reliable IT operation driven by the outcome measures of Performed IT Processes
Compliance: compliance with applicable laws and regulations | IT Goals driven by the outcome measures of IT Activities

[Figure: Governance SPICE: Using COSO & COBIT Process Assessment Models. Elements: COSO 20 Control Processes, COBIT 34 ITGC Processes, Financial Reporting Activities, Business Processes, Business Process Models, Risk Tolerance, Risk Appetite, Measurement Framework, Supervision & Management]

Evidence Focusing on Objective Categories

COSO Objectives for Trusted Businesses

Evidence | Goals | COSO objectives
--- | --- | ---
Assessments | Effectiveness goals | Strategic objectives
Metrics | Efficiency goals |
Policies | Standardization goals | Operations objectives
Procedures | Deployment goals |
Workprograms | Management goals | Reporting objectives
Workproducts | Documentation goals |
Activities | Process goals | Compliance objectives

Strategic and Operations objectives sit at organizational levels; Reporting and Compliance objectives sit at operational levels.


COSO Objectives for Trusted Businesses mapped to ISO/IEC 15504 Capability Levels

COSO objective | Definition | Driven by | ISO/IEC 15504 capability level
--- | --- | --- | ---
Strategic objectives | high-level goals, aligned with and supporting entity’s mission | processes consistently enacted within defined limits | COSO ERM defined Internal Control
Operations objectives | effective and efficient use of entity’s resources | defined processes used based on standard process | Level 3 Established
Reporting objectives | reliability of reporting | managed processes with established, controlled and maintained work products | Level 2 Managed
Compliance objectives | compliance with applicable laws and regulations | implemented processes achieving process purpose | Level 1 Performed

Vertical links between the rows (top to bottom): Operations objectives ”are based on reliable” Reporting objectives, which ”are achieved by performing” Compliance objectives.


COBIT processes

Plan and Organize (PO)
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organisation and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects

Acquire and Implement (AI)
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes

Deliver and Support (DS)
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations

Monitor and Evaluate (ME)
ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Compliance With External Requirements
ME4 Provide IT Governance

COSO processes

Control Environment (CE)
Integrity and Ethical Values (IEV)
Oversight Board (OB)
Management’s Philosophy and Operating Style (MPO)
Organizational Structure (OS)
Financial Reporting Competencies (FRC)
Authority and Responsibility (AR)
Human Resources (HR)

Risk Assessment (RA)
Financial Reporting Objectives (FRO)
Financial Reporting Risks (FRR)
Fraud Risk (FR)

Control Activities (CA)
Integration with Risk Assessment (IRA)
Selection and Development of Control Activities (SD)
Policies and Procedures (PD)
Information Technology (IT)

Information and Communication (IC)
Financial Reporting Information (FRI)
Internal Control Information (ICI)
Internal Communication (IC)
External Communication (EC)

Monitoring (MO)
Ongoing and Separate Evaluations (OSE)
Reporting Deficiencies (RD)



Linking Governance to Sustainable Value Creation



Why Is a New Model Needed?

• The well established and recognized control frameworks and process reference models – like COSO and COBIT - could be used for effective and efficient enterprise governance, if only the management established its own governance related objectives.

• Unfortunately, structures of control frameworks and reference models are not easily interpretable by enterprise management for setting their business’ specific governance objectives.

• Furthermore, the external and internal audit standards and literature are also not really supportive in these terms.



Governance Model for Trusted Businesses

The new Model

• keeps both enterprise management and audit assurance logics in mind

• by presenting governance processes in line with the objectives relevant for enterprise management,

• together with an exact mapping to processes of control frameworks (reference models) accepted and used by auditors for compliance attestation.

• Provides descriptions and application practices of governance processes for management assertions and audit reports for providing assurance of trusted and sustainable business operation.



Governance Model for Trusted Businesses: Setting Governance Objectives

• Supporting Business Sustainability (leveraging opportunities)
  – Competitiveness
  – Exploitability
  – Satisfaction
• Supporting Organization’s Internal Control System
  – Risk Awareness
  – Accountability
  – Competency
  – Accuracy
  – Process Integrity
  – Data Protection
  – Commitment
  – Control Efficiency



Determining Application Process for a Governance Objective (Accuracy)

Governance Objective: Accuracy / Information Reliability Ensured
Key Risk: Inconsistency in data architecture and disclosure elements

Risk Factors | Responses | Applicable COSO & COBIT processes | Application Practices
--- | --- | --- | ---
Information architecture is inconsistent with processing requirements | Maintaining effective information architecture and data model | Define the Information Architecture (COBIT) | Satisfy the business requirement of being agile in responding to requirements; provide reliable, consistent information, and seamlessly integrate applications into business processes.
Non-compliance with rules and regulations is not detected in time | Information is systematically collected and assessed to detect compliance issues, privacy problems and fraud | Financial Reporting Information (COSO) | Pertinent information is identified, captured, used at all levels of the organisation, and distributed in a form and timeframe that supports the achievement of the organization’s financial reporting and trusted business objectives.
Availability and quality of control information are not sufficient | Control information for automated process settings, data manipulations and calculations is maintained systematically | Internal Control Information (COSO) | Information used to execute other control components is identified, captured, and distributed in a form and timeframe that enables personnel to carry out their internal control responsibilities.


BPM GOSPEL: Multi-layer business assurance technology

Concept of 4 layers in BPM GOSPEL:
• Transaction Processing (e.g. payroll system)
• Workflow/Control Management Tool
• Compliance/Audit Management – Stages ”Governance” Edition (Method Park AG)
• Certification – Capability Advisor (ISCN)



ECQA Job-roles related to Governance SPICE

• Internal Financial Control Assessor
  – Skill Card based on the COSO PRM
  – 800+ exams (Europe-wide)
  – Pool of ca. 600 multiple choice questions
• Governance SPICE Assessor
  – Skill Card developed (3 units covering GRC, Process Assessment and Governance Capability)
  – Training materials for IFCA trainers integrated with IFCA Moodle courses (training.ia-manager.org)
  – Possible extension with the new Governance Model for Trusted Businesses
  – Evidence based testing is planned in 2012



ECQA for Trusted Businesses

• Current status
  – Qualification of Governance SPICE related job-roles, exam and training bodies
  – Certification for trainers and trainees
  – Promotion by ECQA portal and events
• For the future
  – ECQA cannot provide certificates for assessed (trusted business) companies.
  – However, by referring to the international background, ECQA certified Governance SPICE Assessors may feed a joint pool on a ”Trusted Business Partners” portal, promoting their local activities and providing Europe-wide presence of their clients.
  – Suggestion: www.trustedbusinesspartners.eu
  – Also applicable for other ECQA job-roles.



More information: www.ia-manager.org

Contact: [email protected]

Thank you for your attention!
