Why do corporations continue to fail, regardless of the increase (or decrease) in regulatory efforts? Until management adopts a "risk-centric" stance, we will continue to repeat the sins of the past...

1. The Importance of Governance In a Regulatory World Dwayne Jorgensen, CIA, CFE Consultant, Governance Services Spirit Consulting Services

7. Human Nature The Need For Governance Unconsciously incompetent Consciously incompetent Consciously competent Unconsciously competent

8. Human Nature The Need For Governance Unconsciously incompetent Consciously incompetent Consciously competent Unconsciously competent

22. COSO – ERM Framework Have You Started Yet?

26. The Compliance Iceberg Industry Compliance Standards

31. Proposed CM Solution Pyramid Hardware/Data Integrity Component EMC: Centera ® , Proofspace encryption, record management automation Software Component Various vendor process automation products: Ex.: Documentum ® , Movaris OneClose ® , ACL CCM ® Co-sourcing component? Independent IT test services Planning Component SOX methodology: Assess, document, test, report Oversight Component “ Tone at the top”: Executive buy-in, “spirit” vs. “letter”

32. Sarbanes-Oxley’s Impact on the COSO Cube IT Components Section 302 Section 409 Section 404 Risk Assessment Control Environment IT Risk Management, IT Risk Assessments, Business Impact Analysis “ Tone at the top”, IT Governance, Regulatory Compliance Firewalls, Security, DRP, Business Continuity, SDLC, Change Control, Operations IT Policies, Standards & Procedures Email, Scorecards, Dashboards, Project Control, Help Desk Server Logs, Database Logs, Firewall Logs, Intrusion Detection, Incident Response, Awareness Training Monitoring Information & Communication Control Activities

33. CM Solution Requirements One Close® Organizational Consulting ACL CCM/ One Close ® Documentum ® One Close ® Technology (HW/SW) People (staff, mgmt.) Risk Assessment Control Environment Monitoring Information & Communication Control Activities Resources needed Tool or process needed (examples only):

35. Internal Control Maturity Model Control structure is not defined. Control occurs incidentally. Control structure is not defined, but control processes may occur based on past success and management oversight. Control structure is documented, standardized and integrated into control processes for the organization. The control process is regularly assessed and tested. Detailed measures of the control process are collected and reported. Continuous process improvement is enabled by quantitative feedback from the control process. Initial Repeatable Defined Managed Optimizing Predictability, effectiveness and efficiency of an organization's internal controls improve as the organization moves through these five stages. Initial Repeatable Defined Managed Optimizing

41. Illustrative Assessment Work Plan

42. Control Assessment Structure

52. Risk-based Approach: Examples Business Processes Alignment Business Continuity Compliance Contracting Empowerment Environmental Fraud Health and Safety Illegal Activities Management Information Obsolescence/Shrinkage Product/Service Quality Relevance Unauthorized Use Technology Availability Access Functionality Integrity Usability Functional Risk Finance Collateral Counterparty Credit Currency Derivatives Interest Rate Liquidity Reinvestment Settlement Financial Reporting Financial Assessment Evaluation Financial Statement Falsification Regulatory Reporting Taxation Strategic Risk Capital Availability Competition Financial Markets Flexibility Industry Leadership Legal Regulatory Product Life Cycle Product Development Reputation Trademark Erosion Sovereign Strategic Assumptions Valuation Authority Bench Strength Budgeting & Planning Capacity Commodity Communication Cycle Time Efficiency Human Resources Organization Structures Performance Metrics Pricing Resource Allocation Supplier Technology Selection Technology Deployment Conversion Risk

55. Questions?

59. Thank You!