404 - What's Next: Trends in Governance, Risk and Compliance (September 17, 2004)
1
404 - What's Next
Trends in Governance, Risk and Compliance
September 17, 2004
PwC
2
Topics for Discussion
  • Current 404 Activities
    • Home Stretch
    • Working with Your Auditor
    • Final Report
  • What's Next: 404 Year Two
    • Clean Up
    • 302 Requirements
  • Long Term: Year Two and Beyond
    • Change Management
    • Operational Governance
    • Compliance Office Function
    • Technology
    • ERM
  • Q&A

3
Current 404 Activities
  • Home Stretch
    • Documentation Done
    • Testing Wrapping Up
    • Aggregation of Exceptions
    • Retesting Remediation Items
    • Auditor Testing
    • Reporting Findings
    • 2005 Plan

4
Current 404 Activities
  • Working with Your Auditor
    • Scoping
      • Accounts, Controls, Locations
    • Walkthroughs
    • Testing
      • Scheduling
      • Access to Documentation
    • Reliance on Management's Testing
    • Evaluation of Management Assessment Process

5
Current 404 Activities
Final Report Topical Items
  • Introduction
  • Management's Assessment
    • Context
    • Process
  • Company Level Controls
    • Control Environment
    • Risk Assessment
    • Monitoring
    • Information and Communications
    • Fraud Programs
    • Audit Committee Oversight
  • Significant Accounts and Disclosures
    • Defining Scope
    • Relevant Assertions
    • Significant Processes
    • Locations and Business Units Included
  • Documentation of Control Activities
    • Standards
    • Evidence
    • Policies
  • Testing
    • Principles and Methodology
    • Scope and Procedures
  • Results
    • Design Effectiveness
    • Operating Effectiveness
    • Company Level Controls
    • Findings

6
What's Next: 404 Year Two
  • Clean Up
    • Archive "As of" Date History
    • Remediation Plan
      • Material Weaknesses, Significant Deficiencies, Deficiencies
    • Documentation Quick Fixes

7
What's Next: 404 Year Two
  • 302 Requirements
    • Quarterly disclosure in the 302 certification of material changes in internal control over financial reporting, rather than repetition of the Section 404 annual assessment.
    • Consider additional procedures for review of Disclosure Controls and Procedures.

8
Long Term: Year Two and Beyond
  • Change Management
    • Merger Integration
    • New Systems Implementation
    • Scope Changes
    • Process Changes
    • Document Changes
    • Version Control
    • Sustainable Process

9
Insight From Recent Surveys
  • PwC / META Group Survey
  • To whom does your compliance function directly report?
    • 18% Finance (CFO)
    • 18% General Counsel
    • 14% Board of Directors
    • 14% CEO
    • 10% Business Unit Head
    • 10% Other
    • 8% Corporate/Chief Compliance Officer
    • 5% Internal Audit Department
    • 2% Compliance Committee
    • 1% Risk Management Department
  • Based on 135 interviews conducted with large companies in North America; nearly ¾ of respondents are greater than 2B in annual revenue.

No single pattern is evident.
10
Insight From Recent Surveys
  • PwC / Economist Intelligence Unit Survey
  • Which department in your organization has primary responsibility for compliance? (identify all that apply)
    • 42% Specific Compliance Department
    • 38% Legal
    • 33% Internal Audit
    • 29% Risk
    • 23% Finance
  • To what extent is compliance in your organization centralized? (identify all that apply)
    • 29% Largely centralized on a global level
    • 25% Largely centralized at a regional level
    • 19% Largely centralized at a group level
    • 16% Largely centralized at the level of the business
    • 14% Largely decentralized to local territories
    • 14% Largely decentralized to individual divisions

11
Insight From Recent Surveys
  • PwC / Economist Intelligence Unit Survey
  • What are the key barriers to achieving first-rate compliance, in your view? Please identify the top two barriers.
    • 47% Sheer complexity of the regulatory environment
    • 36% Poor integration with other functions, including risk management, sales and customer service
    • 31% Perception that compliance is not a responsibility of every member of staff
    • 26% Perception that compliance is not a strategic function
    • 23% Focus on cost cutting in the current environment
    • 16% Inadequate technological infrastructure for monitoring compliance
    • 15% Lack of direct communication between compliance and senior management
    • 10% Insufficient pool of talent in this area of the business

12
Integrated View: Governance, Risk Management and Compliance (GRC)
13
A New Vision of Compliance
  • Compliance integrated into day-to-day activities
  • Compliance as a value driver (e.g., customer service, operational efficiency, etc.)

14
Long Term: Year Two and Beyond
  • Operational Governance: Cost of Compliance, Value Measured

15
Long Term: Year Two and Beyond
  • Compliance Office Function - Elements of an Effective Compliance Framework (USFSG)

16
Long Term: Year Two and Beyond
  • Technology
    • First Generation Tools (Big 4)
    • Second Generation (Software Developers, Pre-Chasm)
    • Mature Market
    • What do I need? Document Management, Work Flow, Reporting, COSO Structure or not, Escalation and Alerts, Sub-Certifications?
    • ERM, ERP Integration, Real-Time Monitoring of Controls

17
Long Term: Year Two and Beyond
  • Elements of an Effective Enterprise Risk Management Framework (COSO - ERM)
    • Establishment of an effective internal environment
    • Objective setting
    • Event identification
    • Risk assessment
    • Risk response
    • Control activities
    • Information and communication
    • Monitoring processes

18
Remember the Goal
Integrity Driven Performance
  • Instilling a Culture of Business Integrity
  • Integrating GRC into Core Processes
  • Managing Cost and Value Through Performance Management
  • Enabling Success Through Technology
19
Key GRC Enablers and Characteristics
  • Instilling a Culture of Integrity and Ethics
    • Leaders drive and communicate consistent GRC thinking across the organization
    • Culture balances open thinking with adherence to standards
    • Integrity and GRC skills are core competencies
    • Learning supports GRC
  • Integrating Governance, Risk and Compliance into Core Business Processes
    • Single stream of operations
    • Real-time monitoring is in place and operating
    • Policies are clearly defined and in place that map the course of action
    • GRC is embedded into the control environment
  • Enabling Success Through Technology
    • Real-time environment enabling application of policy and standards at the time business is executed
    • Risk and compliance obligations are actively assessed and managed
    • Issues and incidents are identified quickly and addressed on a real-time basis
    • Accountability is built into reporting and management
    • Information is more accurate and timely
  • Managing Cost and Value Through Performance Management
    • Accountability, integrity and fiscal responsibility are embedded in management processes
    • Comprehensive performance measurement system including GRC measures is in place
    • True costs are known and spending is aligned with the organization's objectives; capital is allocated to its highest and best use

20
Attributes of a Best Practice Capability
No matter how Compliance is structured, best practice companies are successful at:
  • Communicating tone from the top, embedding compliance in day-to-day processes and creating a culture of compliance
  • Tracking new legal and regulatory developments and maintaining good relations with regulators
  • Formulating policies and procedures
  • Providing regulatory advice
  • Communicating with business lines and management
  • Managing complaints, investigations and crises
  • Providing training on compliance, legal and regulatory matters
  • Monitoring, reporting and risk management
  • Managing the annual compliance review

21
Q&A
  • Questions?