As an extension to the annual Pric
By functioning as a consultative arm to the business and helping to establish an enterprise-wide risk and control framework, internal audit has the capacity to influence the continued improvement of process-level controls as well as the macro-level control environment. Internal audit can bring the business best practices for measuring, managing and prioritizing risks while cross-pollinating effective management techniques and internal controls across the enterprise.
To learn more about Internal Audit and its evolving role in ERM, check out this white paper.
PwC surveyed the chief audit executives (CAEs) of Fortune 250 companies about trends likely to affect internal auditors over the next five years and what they expect internal audit to look like in 2012. Titled “Internal Audit 2012”, the study lists “ten imperatives” that provide the foundation for a high performance internal audit function in the years ahead including:
One of the key roadblocks to an integrated approach to IT audit is the sheer complexity of data gathering and management. In the past, it represented a tremendous amount of effort for internal audit to collect relevant information and to govern access to that information securely. A centralized technology platform for identifying, assessing and monitoring risk and controls presents a unique and unprecedented opportunity to help the business focus on making risk decisions based on management’s risk appetite and tolerances.
This common framework and process can make the business more predictable in meeting IT, financial and management objectives and can help managers anticipate major risk and control problems of the future. As a partner with IT and the business in managing risk, internal audit should be a driving factor in evaluating technological and process-based changes and evolving the organization’s risk management practices.
A recent industry survey by PTC shows that the highest cost of product compliance
Of course implementing a compliance program has its costs as well. As our recent white paper “The High Cost of Non-Compliance” authored by Rick Steinberg points out, an OCEG Benchmarking Study shows the cost of Sarbanes-Oxley compliance alone averaging:
So, while the cost of implementing a compliance program may seem high, it's clear that not putting an effective compliance program in place can be significantly more expensive.
The white paper points out several key ways companies have succeeded not only in reducing compliance costs, but also enhancing efficiency and gaining real business benefits:
To learn more, check out “The High Cost of Non-Compliance.”
With individual countries required to implement Solvency II by October 2012, insurance companies face relatively tight deadlines to comply with a more sophisticated risk-based approach to supervision throughout the EU. One of the largest changes for all firms covered by Solvency II is the ORSA requirement. “The ORSA has a two-fold nature,” according to EC documents. “It is an internal assessment process within the undertaking and is as such embedded in the strategic decisions of the undertaking. It is also a supervisory tool for the regulatory authorities, which must be informed about the results of the undertaking’s ORSA.”
ORM software can provide crucial risk self-assessment capabilities that enable organizations to document and evaluate their risk frameworks, including processes, risks, events, key risk indicators (KRIs) and controls. Executives can stay on top of organizational risk activities through dashboards and reports that highlight key risk metrics and policy compliance.
Munich-based Allianz spent much of 2008 and 2009 focused on infrastructure and Pillar I of Solvency II. The company selected OpenPages ORM (Operational Risk Management) for loss data capture, risk self-assessment and quantitative scenario analysis. The operational risk framework involves the introduction of an updated methodology, improved business processes and new IT support systems. The goal is to integrate pragmatic operational risk management techniques into core business operations and decision-making processes.
Allianz hopes that its efforts for Solvency II will form the basis of a deeper change in terms of building a risk management culture and the ability to generate good business from a risk and return perspective.
To learn how Allianz is managing Operational Risk and Solvency II, read the case study.
I just returned from the Gartner Security and Risk Summit, where IT risk and compliance was a featured topic. In a recent blog post, I mentioned that Gartner Research VP French Caldwell presented a session titled “Selecting and Applying GRC Frameworks and Standards,” in which he polled the audience on “which areas are you most likely to apply standards?” Not surprisingly, IT risk and IT security ranked highest, followed by regulatory compliance and enterprise risk. We hear every day how companies are grappling with the compliance requirements of hundreds of regulations, standards and guidelines that include thousands of overlapping controls, which makes the task of managing IT compliance an increasingly daunting one.
With this challenge in mind, the folks at Network Frontiers developed the Unified Compliance Framework (UCF), the first and largest independent initiative to map IT controls across international regulations, standards, guidelines and best practices. The UCF indexes over 400 laws, regulations, standards and guidelines into a set of integrated controls and reduces over 20,000 citations to fewer than 2,700 harmonized activities.
OpenPages partnered with Network Frontiers to integrate the UCF with the OpenPages Platform, allowing IT risk and compliance directors to identify where the greatest risk of non-compliance exists from both a business and an IT perspective and to prioritize resources accordingly. By pairing this approach with a harmonized requirements and control framework, companies are able to reduce redundancy and duplication of effort and achieve an effective and efficient testing and monitoring program.
To learn more about the OpenPages Platform and Unified Compliance Framework (UCF), download this paper.