The following figure gives an overview of the major functional areas of the governance, risk, and compliance problems and the Oracle Component that best addresses that problem:
When you consider who is involved in the governance, risk, and compliance process, you start to appreciate the tools that you need to complete the footprint.
This tool is used to measure the degree to which the strategy that has been communicated is actually executing.
This tool is used to convert the mission of the enterprise into financial goals, forecasts that can be discussed with investors through the management )discussion, and analysis.
This set of tools is used to report to investors the progress toward the goals expressed in the financial plan.
This tool is used to ensure delivery of ethics and policy education and confirm their understanding.
This tool is used to discover and document risks to the mission of the enterprise, and to ensure that management has well-designed and effective operating controls to mitigate those risks. Such tools cover the following:
Access Controls Governor: To ensure that appropriate access is granted to systems.
Transaction Controls Governor: To ensure that transaction policies are followed and fraudulent transactions found.
Configuration Controls Governor: To ensure that recommended settings of the applications that themselves constitute great automated controls are appropriately configured and that changes are authorized and recorded.
Preventive Controls Governor: To extend the controls footprint of the delivered application.
Oracle Enterprise Manager: Enterprise Manager also has great capabilities to extract configuration settings and measure them against baseline. The settings that are tracked within EM by default tend to be deeper technical settings.
GRC Manager: To provide self assessment, testing operations, and to aggregate the results of the documentation and testing phases of the governance program for managers of the risk assurance activity.
GRC Intelligence: To provide the most potent and important information to the executive suite and directors on the residual risk to the enterprise.
Sub Certification applications are used to allow management to confirm the controls within processes that they are responsible for. Such tools include Hyperion Close Process Manager.
These applications are used to provide the pivot point for the risk analysis and management accountability. Largely, these are the processes within the applications themselves. The process may be orchestrated through Oracle Workflow as in the case of purchase order approval or journal approval.
These applications are used to provide evidence store for unstructured information. They also provide a store for standard working papers and completed working papers that have been part of the testing activity.
These applications are used to provide authentication of users, accountability for their actions in the system, and authorization to information assets required to do their jobs.
In order to ensure that we keep ourselves grounded in real problems, we have written the book as a journal of a fictional company establishing its governance processes. We will introduce managers and directors responsible for various aspects of the governance, risk, and compliance problem and where that problem is exposed and how it is addressed in the technology and business applications.
In the previous figure, we have seen the key roles that are directly engaged in the governance, risk management, and compliance activities in a typical organizational chart.
Their IT infrastructure is comprised of Sun Hardware and are running Oracle database, middleware, and business applications. We do have one of the subsidiaries of InFission running JD Edwards just to allow us to illustrate GRC working in a heterogeneous applications environment.
It is worth examining what function is responsible for what activity and what part of the Oracle footprint each is most interested in.
The audit committee of the board of directors must have at least three members. One member must have accounting or financial management expertise and all other members must be financially literate. All members must be independent.
The Audit Committee is charged with the oversight of the Financial Reporting process, including review of quarterly and annual financial statements on behalf of the investors and to discuss annual financial statement with management and auditors.
They need to review Management Discussion and Analysis (MD&A) with management and auditors. This is where management gives guidance on where the business is going. Such guidance is also given in Earnings Announcements, press releases, and guidance provided to rating agencies.
They need to monitor the system of internal control and compliance with legal and regulatory requirements. In order to do this, they need to monitor the system of risk assessment and risk management. This may be synonymous with overseeing the internal audit function, but in recent years many enterprises have set up a separate risk management program office reporting it to the management. This oversight means that the audit plan and the scope of the audits are signed off by the audit committee.
In order to ensure that the tone at the top is appropriate, received, and understood the audit committee is generally responsible for an ethics program, and responsible to manage whistle-blower complaints.
The CEO and CFO of the company are responsible for signing the Sarbanes-Oxley Section 302 Certifications.
These certifications, referred to by the Securities and Exchange Commission as "Rule 13a-14(a)/15d-14a Certifications", must be signed separately by the CEO and the CFO, and filed as an exhibit to quarterly reports on Form 10-Q or 10-Q(SB) and to annual reports on Form 10-K or Form 10-KSB, as Exhibit 31, or, for foreign private issuers, as an exhibit to Form 20-F. The SEC has specified the form and wording of these certifications, which cannot be changed.
Briefly, the Signing Officer certifies that he has reviewed the report, that he believes that it does not contain any misleading misstatement or omission, and that it fairly presents the company's financial position and results of operations. The officer also certifies his responsibility for the company's disclosure controls and procedures and internal controls over financial reporting and as to their effectiveness.
The Chief Audit Executive is a part of the company but generally has reporting relationships to the Audit Committee of the board of directors.
The duties of the Chief Audit Executive include:
Status, strategy, and organization of the Internal Audit Department
Management/supervision of the internal audit activity
Ensuring the timely completion of internal auditing engagements
Ensuring that reports on internal auditing engagements are provided to the audit committee with minimum delay
Providing an annual holistic opinion on the effectiveness and adequacy of risk management, control, and governance processes
As well as being one of the signing officers, the CFO obviously heads the departments that are involved in processing of transactions that most directly affect the subledgers and general ledger, the preparation of financial statements, and financial planning and analysis.
In addition to Sarbanes-Oxley (SOX), CIOs and CSOs must understand and achieve compliance with the Health Insurance Portability and Accountability Act (HIPAA) the Payment Card Industry Data Security Standard (PCI DSS) for organizations processing credit card transactions, and the Federal Information Security Management Act (FISMA) for federal agencies as well as many other global, national, and industry-wide regulations and mandates.
IT governance includes writing IT policies that define who within an organization is responsible for key decisions with regards to IT adoption and usage, who is held accountable for such decisions, and how results are monitored and measured. Implementing IT governance strategies includes assigning committees to steer technology adoption, architectural reviews, and project analysis. Governance is about processes, which should support consistent and transparent methods for managing your information technology acquisitions and usage.
The CIO is also responsible for IT risk management. Risk management requires adapting to constantly changing business requirements and monitoring what technologies are deployed within the organization Risk management encompasses surviving a constantly changing threat landscape by tightening and optimizing an organization's information security, both perimeter and internal, while improving business agility and efficiency.
The CIO is also responsible for IT compliance approaches, governance by designing, assessing, and implementing controls. These controls must map back to the various industry requirements and best practices that ultimately determine success or failure during an IT audit.
Many of the controls in the business are part of the processes and procedures operating in the Business Units themselves. For example, your revenue line might be unreliable due to side contracts that are made by your salespeople. Management in the business is responsible for the design of the controls and certifying their effectiveness.