Corporate Governance, Internal Control, and Compliance

Transcription

1 , Internal Control, and Compliance RESPECT: We treat others as we would like to be treated ourselves. We do not tolerate abusive or disrespectful treatment. Ruthlessness, allousness, and arrogance dont t belong here. INTEGRITY: We work with customers and prospects openy, honestly, and sincerely. When we say we will do something, we will do it; when we say we cannot or will not do something, then we won t do it. COMMUNICATION: We have an obligation to communicate. Here, we take the time to talk with one another... and to listen. We believe that information is meant to move and that information moves people. EXCELLENCE: We are satisfied with nothing less than the very best in everything we do. We will continue to raise the bar for everyone. The great fun here will be for all of us to discover just how good we really can be. Christer Magnusson Kerem Kocaer OUR VALUES From Enron s 1998 Annual Report Losses in market value: USD 18,8 billion WorldCom, Tyco, Riggs Banks, Fannie Mae, ImClone, HealthSouth, Marsh & McLennan President Bush signed the corporate fraud bill, the Sarbanes-Oxley Act, on July 30, 2002 Ahold, Parmala, Skandia CEO and CFO shall personally certify the correctness in the financial reports (section 302) Demands on the certification of the underlying (IT) processes (section 404) The U.S. Securities and Exchange Commission requires companies to base their assessment on a suitable and recognized internal control framework (i.e. COSO-ERM). A challenge is to integrate COSO-ERM with other standards and frameworks, as for instance, the Service Management standard ISO 20000, the Information Security standard ISO and in-house developed frameworks (for example a Security Architecture).

2 2 CORPORATE AND IT GOVERNANCE 2 CORPORATE AND IT GOVERNANCE The primary objective report is to investigate if the framework may facilitate the integration with COSO-ERM and the other standards and frameworks, or not. (COSO-ERM) The latest developments regarding SOX and the possible consequences of these developments for, Compliance, ERM and Information Security will also be discussed. IT Delivery (ISO 20000) Information Security (ISO 27001) Security Architecture IT Governance () 2 CORPORATE AND IT GOVERNANCE 3 FRAMEWORKS AND STANDARDS Research Methodology COSO-ERM ISO ISO Sec. Arch. Model COSO-ERM ISO ISO Sec. Arch. Model COSO-ERM ISO/IEC ISO/IEC Security Architecture Model COSO-ERM 3.1 COSO-ERM Enterprise Risk Management - Integrated Framework ENTERPRISE RISK MANAGEMENT: By the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Goal: Provide direction to evaluate and enhance the effectiveness of ERM. A common language to communicate more effectively; possibility to assess the entity s ERM process against a standard, strengthen it and move towards established goals; increased understanding of ERM by legislators and regulators. Every entity exists to provide value for its stakeholders. COSO-ERM builds itself on this premise, aiming for value creation through reaching the optimal balance between growth, returns, uncertainties, risks and opportunities. ERM is a process, effected by an entity s board of directors, management and other personnel, applied in strategy setting and across enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

3 3.1 COSO-ERM 3.2 ISO/IEC The 3 dimensions: Objectives Components Entity units ISO Specification promotes the adoption of an integrated process approach to effectively deliver managed services to meet the business and customer requirements. Effective ERM : The 8 components are present and functioning Is effective in each of the 4 objectives Provides reasonable assurance to management ISO Code of practice provides best practices for service management processes within the scope of ISO ISO/IEC ISO/IEC Goal Deliver managed services to meet the business and customer requirements Improved quality, lower costs, greater flexibility, faster response Service Management Processes Service delivery processes Relationship processes Resolution processes Control processes Release processes 3.3 ISO/IEC ISO/IEC ISO/IEC 27001: IT Security techniques Information security management systems Requirements ISO/IEC 17799:2005 part 1 (ISO/IEC 27002): IT Security techniques Code of practice for information security management Goal Establish, implement, operate, monitor, review, maintain and improve a documented Information Security Management Systems (ISMS) within the context of business risks

4 3.3 ISO/IEC THE SECURITY ARCHITECTURE 133 security controls, classified under 11 security control clauses containing 39 security control categories: Security Policy (1) Organizing Information Security (2) Asset Management (2) Human Resources Security (3) Physical and Environmental Security (2) Communications and Operations Management (10) Access Control (7) Information Systems Acquisition, Development and Maintenance (6) Information Security Incident Management (2) Business Continuity Management (1) Compliance (3) Costs for security Security properties Confidentiality, Integrity, Availability Threat, weakness and vulnerability Security areas and security services Physical, Logical, Administrative IT areas Common IT, Workstations, Network applications, Local network, Connections with external network Security levels Control Objectives for Information and related Technology Created by ISACA and ITGI in 1992 A framework for IT Governance, so that: IT is aligned business IT enables the business and maximizes benefits IT resources are used responsibly IT risks are managed appropriately Main characteristics: Business-focused Process-oriented Controls-based Measurement-driven Information Criteria: Effectiveness Efficiency Confidentiality Integrity Availability Compliance Reliability COMPARISON PROTOCOL 34 processes - high level objectives 215 control objectives Information criteria IT resources Inputs, Outputs RACI Chart Goals and Metrics Maturity characteristics 1.Goal: To compare the most important aspects of the different standards and frameworks subject to integration 2.How it was created.. 3.The 14 criteria: Audience Abstraction level Objective Internal environment Risk Control activities Monitoring and improvement Documentation and reporting Budgeting and ROI External relationships Incident management Release management Control management

5 5 PROTOCOL ANALYSIS COSO-ERM ISO ISO Security Architecture Model Based on the results of the, the relation between COSO-ERM, ISO 20000, ISO and the Security Architecture Model... are analyzed in detail according to the. are identified in terms of gaps and overlaps... Audience Abstraction Level Objective

6 7 THE FACILITATOR - 7 THE FACILITATOR - The 4 options: Not using at all Using 100% Using as the architect Using as the plumber Audience Different reports for different audiences Framework, Management guideline, Audit guideline As standards like ISO and ISO do not provide a management summary, senior managers are not able to understand what they should expect from these standards without reading the whole document. can help to close this gap Management Guidelines, giving managers a tool to understand issues such as return and investment and performance of controls. By mapping ISO and ISO controls or processes to controls, senior managers can get feedback on how these standards are performing from without necessarily getting involved se standards. 7 THE FACILITATOR - 7 THE FACILITATOR - Abstraction Level is not a framework to replace the other standards, but is on the right place to become a link between them and COSO- ERM. Objectives A middle layer between COSO-ERM and the others. Translates the COSO-ERM objectives into ISO processes and controls. Directly linking the Security Architecture Model to COSO-ERM? does not cover the full scope of COSO-ERM! 7 THE FACILITATOR - 7 THE FACILITATOR - The 4 options: Not using at all Using 100% Using as the architect Using as the plumber

7 will not replace the other standards. It is a middle layer between COSO-ERM and the standards. can translate COSO-ERM objectives into more concrete controls or processes to ISO and ISO by first matching them controls. can also directly integrate COSO-ERM Security Architecture, if ISO is not implemented (even though this is recommended). is not implemented in total with all its controls; it is tailored according to the environment of the Company and the pre-existing standards and architecture. This Plumbing Approach reduces unnecessary work and is thereby cost-effective; it is only used when there is a detected gap between COSO-ERM and the standards ISO 20000, ISO and the Security Architecture. However, doesn t otherwise replace ISO The reason is that is limited to IT governance; it doesn t cover the full scope of either COSO-ERM or information security. The odds may be in favor of a change of SOX and Section 404. Business Week s guessed that, regulators are now planning to loosen the rules, probably before the end of this year is out. However, there is some resistance; it is not the same consensus in the U.S. as when SOX passed the Senate unanimously and won easy approval in the House before it was signed by President Bush into law. Critics stress high compliance costs (which totaled an estimated $15-20 billion for issuers in 2004). Supporters emphasize the changed tone at the top among public companies when it comes to financial reporting, with a higher level of engagement from audit committees, CEOs, and CFOs on compliance. They also note the significant improvements in the control environment. Lately, the sub-prime meltdown and the risk of a global credit crunch have highlighted the consequences of lack of governance and transparence in the global financial industry. This may strengthen the supporters and weaken the critics. Workshop 1) Erfarenheter (+/-) av regelverken 2) Vilka funktioner hanterar praktiskt regelverken i era resp organisationer 3) Skillnader mellan olika branscher i tillämpning och implementation 4) Skillnader mellan nationella, internationella och globala organisationer 5) För- och nackdelar med ett helhetsperspektiv på samtliga regelverk 6) Är "Top-down" (dvs börja med COSO-ERM) "rätt" väg eller är det bättre med ett "Bottom-up" perspektiv (separata implementeringar av t ex och därefter knyta säcken med ERM) 7) Skall NSD och dess medlemmar verka för ett helhetsgrepp (ERM) på risker och i så fall vad krävs för att vi skall nå dit Resultatet har vi tänkt att dokumentera och presentera på kommande årsmöte.