Agenda
• Introduction
• Microsoft Internal Audit Org
• Risk Based Audit Planning Overview (Luncheon)
• In Depth Areas (Technical Session): Enterprise Risk Management; Risk Theme Development; Project Identification; Capacity and Load; Annual Cycle
• Questions

Introduction
• Microsoft – 7 years (Internal Audit, SMSG Finance, IT Finance)
• PricewaterhouseCoopers – 6 years (SAP, PeopleSoft)
• Honeywell – 3 years (SAP Security & Controls Implementation)
• AIG – 2 years (Database Design & Implementation)

Microsoft Internal Audit Group
• Experience
• Functional Areas
• Interdisciplinary Approach
• What We Stand For
• Core Competencies
• An Eye Toward the Future

Microsoft Internal Audit Group – organization
• Board of Directors – Audit Committee
• Peter Klein – CFO, Microsoft
• Melvin Flowers – CVP, Internal Audit (with the Office of Legal Compliance)
• Michael Ford – Audit Director
• Lyn Cameron – FIU Director
• Terri Schwan – Audit Director
• Rich Nardi – Audit Director
• Marilee Byers – Audit Director
• Bob Tenczar – Office of ERM Director
• Greg Testa – Practice Director

Internal Audit Group – alignment (audit directors: Michael Ford, Marilee Byers, Terri Schwan, Rich Nardi; program managers and coverage areas as listed on the slide)
• Meera Venkatesh – R&D, MBD, STB, OEM
• DC Chang – IT Gov, Bus Systems & IT Processes, BCM, IEB, MSCIS
• Steven Bean – Corp Finance, HR, LCA
• Devon Pearce – WWLP, Ops, WPG, AC
• Louis Couwenberg – Infra & IT Processes, Security, GFS, Skype
• Erica Campos – Vendor audit
• Lynn Chang; David Low; TBH – Asia; Mike Gaffney – EMEA
• Ankush Grover – SMSG Field, Segments, M&O, Services
• Bob Kaler – OSD, WWLD, WPD, MS Retail
• CJ Long – TECA
• Gerard Morisseau; Dawn Liburd

Risk? What is RISK?
Risk is defined as a particular event or circumstance that, if it were to occur, would impact achievement of a business objective.

Risk Assessment Components
• Prior audit results
• Discussions with management
• SOX scope
• Investigations
• 10K/ERM
• Internal data
• Key changes to the business / new initiatives
• External risk environment

Planning Process Overview
• On-going – Risk assessment (Program Mgrs). Informed by: ERM board & 10K risks; on-going understanding of the business; recent fraud activity.
• March – Risk analysis & project identification (Program Mgrs, Directors): validate against ERM board risks and analyze gaps; calibrate assessment; identify high risks to be addressed by the audit plan; conduct management team risk discussions.
• April – Prioritization & resource allocation (Directors): prioritize activities; allocate resources.
• May – Plan validation & presentation (Pgm Mgrs, Directors, CAE): discuss with management; validate with senior executives; present to AC for approval.

Continuous Audit Planning Cycle (on-going, January to December)
• Risk assessment – on-going (January and December positions on the cycle)
• April – Identify projects
• May – Finalize audit plan (18-month view)
• June – AC plan approval; execute audit plan July–December
• September – Mid-year update
• December – AC plan review
Benefits: more efficient annual planning cycle; synchronized with ERM; responsive to changing risk environment; 6-month project planning cycle allows for more flexibility.

New Business = New Risks (Manufacturing)
• Supply chain disruption
• Scrap disposal management
• HW quality assurance
• Factory labour conditions
• Patents

Key Takeaways
• Align IA org to business
• ERM critical to navigating risks
• Risk factors (impact, likelihood, and prior results)
• Measure risk variance
• Ensure adequate capacity
• Revisit and reassess risk annually

Questions?

ERM at Microsoft – Virtual Structure
• Board of Directors: Audit & Finance Committee(s)
• Enterprise Risk Office – Executive Sponsor: CVP of Internal Audit; Program Office: Sr. Director of ERM
• Strategic pillar – SLT: CEO; Sponsor: GM, Corporate Strategy; Leader: Corp Strategy Sr. Manager
• Legal/Compliance pillar – SLT: SVP Legal Compliance; Sponsor: VP Deputy General Counsel; Leader: Compliance Director; Pillar Support: Compliance Program Attorney
• Financial/Reporting pillar – SLT: SVP & CFO; Sponsor: Corp VP of Finance and Administration; Leader: Director
• Operational pillar – SLT: COO; Sponsor: CVP & CIO; Leader(s): Sr. Principal, Sr. Solutions Manager
Microsoft Confidential - Internal Use Only

Risk Categories (vertical axis: Risk Level, Impact x Likelihood, low to high; horizontal axis: Management & Control Activity Level, low to high)
• Improve (high risk, low control): areas of high risk exposure with a low level of control must be a key priority for improvements in management and control activities.
• Monitor (high risk, high control): areas of high risk exposure where controls are deemed adequate should be monitored to provide ongoing assurance of control effectiveness.
• Optimize (low risk, high control): areas of low risk exposure with a high level of control may generate opportunities to optimize the management and control activities.
• Accept (low risk, low control): areas of low risk exposure that also have a lower level of control may be consciously accepted by the organization.

Risk Rating Criteria: Impact
NOTE: A risk should be evaluated on the most relevant impact; it does not need to address multiple columns. Also, evaluate the inherent impact rating of a particular risk event or circumstance assuming that the controls or management activities do NOT exist, or that they fail in either design or operation and fail to mitigate the impact of the risk occurring.
Columns: Impact Rating | Organizational and operational scope | Reputational impact to stakeholders (i.e., customers, shareholders, employees, key partners, subscribers, 3rd parties) | Legal / Compliance / Environmental | Operating Income (OI) | Impact on Value | Score
• Critical – Enterprise-wide: inability to continue business operations globally | Permanent loss of stakeholder confidence resulting in legal action, interruption in enterprise operations globally, and/or defection to competition | Prohibited from conducting business in certain product lines, markets, or geographies | OI >$2.5B | Significant reduction in market capitalization, significant draw on liquidity reserve | 5
• Severe – 2 or more divisions: significant, ongoing interruptions to business operations within 2 or more divisions | Sustained losses in 2 or more stakeholder groups | Severe restrictions on conducting business in certain product lines, markets, or geographies | OI >$1B | Substantial reduction in market capitalization, substantial draw on liquidity reserve | 4
• Serious – 1 or more division(s): moderate impact within 1 or more division(s) | Moderate loss in 1 or more stakeholder groups | Significant fines or limitations on conducting business in certain product lines, markets, or geographies | OI >$500M | Limited reduction in market capitalization, limited draw on operating cash flow | 3
• Moderate – 1 division: limited impact within 1 division | Limited to minor/short-term loss in 1 stakeholder group | Limited actions against the company with limited effects on operations | OI >$250M | Missed forecast(s) and/or budget(s), limited draw on operating cash flow | 2
• Mild – Minimal impact | – | – | OI >$100M | – | 1
Use the Impact table for inherent impact and residual impact ratings; use the Likelihood table for inherent likelihood and residual likelihood ratings.

Risk Rating Criteria: Likelihood, Control Effectiveness (CE)
NOTE: Evaluate the inherent likelihood rating of a particular risk event or circumstance in the absence of the current management activities or controls that exist to mitigate the likelihood of the risk occurring.
Columns: Likelihood Rating | Description of Likelihood | Probability | Expected Frequency | Score
• Expected – The risk event or circumstance is relatively certain to occur, or has occurred within the past year | 90–100% | Almost yearly | 5
• Highly Likely – The risk event or circumstance is highly likely to occur | 70–90% | Every 2 to 3 years | 4
• Likely – The risk event or circumstance is more likely to occur than not | 50–70% | Every 4 to 6 years | 3
• Not Likely – The risk event or circumstance occurring is possible | 10–50% | Every 7 to 9 years | 2
• Slight – The risk event or circumstance is only remotely probable | <10% | Every 10 years and beyond | 1

NOTE: Evaluate the Control Effectiveness / Management Activities rating for a particular risk event or circumstance based on existing management activities and/or controls that exist both within defined business processes and at the entity level, not on future or planned control activities.
Columns: CE Rating | Improvement Opportunities | Additional Scoring Criteria | Score
• Very High – None identified | Properly designed and operating as intended. There are no outstanding High or Medium risk audit issues, no material weaknesses or significant deficiencies as defined by SOX or external auditors. | 5
• High – Limited | Properly designed and operating, no significant deficiencies. There are no outstanding High risk audit issues, no material weaknesses or significant deficiencies as defined by SOX or external auditors. | 4
• Moderate – Moderate | In place, some deficiencies. There are no outstanding High risk audit issues. There may be some significant deficiencies as defined by SOX or the external auditors. | 3
• Low – Significant | Limited, high level of risk remains, significant deficiencies. There are outstanding High and/or Medium risk audit issues or significant deficiencies as defined by SOX or external auditors. | 2
• Very Low – Critical | Non-existent or has major deficiencies and does not operate as intended. There are outstanding High risk audit issues or material weakness(es) as defined by SOX or external auditors. | 1

INHERENT Risk Profile (representative sample)
[Chart: Tier 1 Risks 1–10 plotted inherently; x-axis Likelihood of Occurrence (1 Slight, 2 Not Likely, 3 Likely, 4 Highly Likely, 5 Expected); y-axis Severity of Impact (1 Minimal, 2 Low, 3 Moderate, 4 High, 5 Critical).]

RESIDUAL Risk Profile (representative sample)
[Chart: Tier 1 Risks 1–10 plotted residually; x-axis Control Level (1.0 Low to 5.0 High); y-axis Risk Exposure, Impact x Likelihood (0.0 Low to 25.0 High); quadrants Improve (high exposure, low control), Monitor (high exposure, high control), Optimize (low exposure, high control), Accept (low exposure, low control).]

10K Risk Mapped to ERM Board Risks (10K risk → ERM board-level risk, FY10 ERM status)
1. Strategic – Challenges to our business model may reduce our revenues and operating margins → Business model disruptions from competitive landscape (Monitor); Business model pricing erosion (Monitor); Rise of alternative platforms (Monitor)
2. Strategic – We face intense competition → Business model disruptions from competitive landscape (Monitor); Business model pricing erosion (Monitor); Rise of alternative platforms (Monitor)
3. Strategic – We make significant investments in new products and services that may not be profitable → Strategic investments (Monitor)
4. Strategic (Operational) – Acquisitions and joint ventures may have an adverse effect on our business → Acquisition integration (Monitor); Yahoo! Partnership (Improve)
5. Legal (Strategic, Financial, Operational) – We may not be able to adequately protect our intellectual property rights → Software piracy (Monitor)
6. Legal – We are subject to government litigation and regulatory activity that affects how we design and market our products → Regulatory scrutiny and antitrust focus (Monitor)
7. Legal – Improper disclosure of personal data could result in liability and harm our reputation → Security and privacy of critical data (Improve)
8. Legal – Third parties may claim we infringe their intellectual property rights → Not mapped
9. Legal – We operate a global business that exposes us to additional risks → Regulatory non-compliance; Anti-corruption
10. Legal – We have claims and lawsuits against us that may result in adverse outcomes → Not mapped
11. Operational – We may not be able to protect our source code from copying if there is an unauthorized disclosure of source code → Security and privacy of critical data (Improve)
12. Operational – Security vulnerabilities in our products could lead to reduced revenues or to liability claims → Product quality and security - software & services (Improve)
13. Operational – Our vertically-integrated hardware and software products may experience quality or supply problems → Hardware quality and compliance (Monitor)
14. Operational – Catastrophic events or geo-political conditions may disrupt our business → Business continuity management (Improve)
15. Operational – We may experience outages and disruptions of our online services if we fail to maintain an adequate operations infrastructure → Inadequate operations infrastructure (Monitor)
16. Operational – Our business depends on our ability to attract and retain talented employees → Global employee recruitment & retention (Monitor); Succession planning (Monitor)
17. Operational – Delays in product development schedules may adversely affect our revenues → Product/service launch and sustainability (Monitor)
18. Financial – Adverse economic conditions may harm our business → Financial market volatility (Monitor); Credit and collections (Monitor)
19. Financial – We may have additional tax liabilities → Financial Reporting (Monitor); Taxation of foreign earnings (Monitor)
20. Financial – If our goodwill or amortizable intangible assets become impaired we may be required to record a significant charge to earnings → Financial Reporting (Monitor)

Development of Business Risk Themes
Top-down risk assessment themes (with comments):
• Cloud (multi-themed: including internal processes, systems, operations infrastructure, field sales motion - cannibalism) – Coverage through Order to Cash project for BIOS. Additional consideration of Cloud operations infrastructure necessary.
• End user experience - Billing, App Stores, Credit/Collections, Retail Stores (expansion) – Order to Cash project.
• Last Mile Excellence - LMX (Product/Service Launch) – Potential coverage through joint project over Office 15 launch.
• 3rd-Party Reliance (Vendor: FTE, vendor over-reliance) – Heavy reliance on ROC vendors…
• Compliance - Regulatory, Industry Standards/Certifications, FCPA, Privacy, Trade – Partner vetting rolling out in 2012-2013, increasing number of partners. Need to consider how to cover partners?
• Consumerization of IT (Internal vs. External)
• Partnerships / JVs (includes Nokia, Yahoo, HP, other)
• Minimally managed studios (looks like this is not going to be a big issue)
• Spend Management (includes Incentive Comp, Vendor mgmt - 3PP, Selection, single sourced; Channel Incentives could be considered here) – Payroll nonstandard overpayment of incentive comp; Freight
• Global Programs (governance over cross-enterprise risks)
• Engineering/Development Compliance (EE compliance, PAGO requirements)
• Financial Reporting (including Budgeting, Long-range planning)
• Major System Implementations - IT/Business Alignment (e.g., Project Laminar, OA 3.0, CHIP) – Should have OA 3.0 project several months after Win 8 launch. Timing for Project Laminar unknown.
• Supply-chain (IEB mfg, OEM, online SW delivery, Digital River - Retail stores) – Project over Just In Time Keys provisioning system.
Potential themes (with comments):
• Channel Partners – Channel Incentives (implementation/execution); FCPA/Fraud risks; Partner audits?
• CLM - Customer Life Cycle Mgmt (Ops people are getting involved in closing renewals - how will they be compensated?)
• Revenue Processing and Recognition (Order to Cash) – Order to Cash (for Cloud); Cutoff processing; Revenue recognition; Shift from large$/small vol. to small$/large vol. business model; Payco; OA 3.0
• Windows 8

Prioritization of Risk Themes
[Table: rankings by Greg Testa, Bob Tenczar, Terri Schwan, Rich Nardi, Michael Ford and Marilee Byers, with an average per theme, for the themes Financial Reporting; Strategy and IT resource alignment; Inadequate operations infra; Product/Services Launch and release; Reliability/BCM; Regulatory compliance / Contract compliance / Customer obligations. The three lowest averages shown are 1.33, 4.33 and 4.50; the row-to-theme assignment did not survive extraction.]

Themes mapped to 10K risks, sub-topics and ERM risks:
• Cloud (multi-themed: including systems, operations infrastructure, field sales motion - cannibalism) – 10K risk: The cloud-based computing model presents execution and competitive risks; we may experience outages, data loss and disruptions of our online services if we fail to maintain an adequate operations infrastructure. ERM risk: Inadequate operations infrastructure.
• Security and privacy of critical data – 10K risk: We may not be able to protect our source code from copying if there is an unauthorized disclosure of source code; security vulnerabilities could lead to reduced revenue, liability claims, or competitive harm. Sub-topics: info security, protection of consumer data, containment, control, reaction, adaptability to new mediums, social media. ERM risk: Security and Privacy of Critical Data.
• Product quality and security (products and services) / business models, strategic investments, new business – 10K risk: Delays in product development schedules may adversely affect our revenue; we make significant investments in new products and services that may not be profitable. Sub-topics: Windows 8, Windows Store, Office 15, Server 8, phone, OEM products.

Themes – hours (# of hours, % of total)
• Sales and Channel Management – 19,072 (29%)
• Cloud Implementation – 9,088 (14%)
• Compliance & Governance – 7,616 (12%)
• Spend Management – 7,552 (12%)
• Statutory and Local Requirements – 7,296 (11%)
• Product & Service Launch Readiness – 4,736 (7%)
• Privacy & Security of Critical Data and Intellectual Property – 3,584 (6%)
• Supply Chain – 3,328 (5%)
• IT/Business Alignment and System Implementations – 1,920 (3%)
• Internal process changes due to shift in business model – 512 (1%)
• Grand Total – 64,704 (100%)

Project Assignments – align by risk theme (Cloud Implementation, 9,088 hours, 14%, expanded into projects)
• Anti-Malware services follow-up – 640 (1%)
• Azure Services consumption – 640 (1%)
• Azure Services ISO – 1,152 (2%)
• Cloud Services Privacy – 1,152 (2%)
• Commerce platform & business operations – 1,152 (2%)
• Commercial Online Services order to cash – 768 (1%)
• CRM Online ISO – 640 (1%)
• Online Services Rapid Assessments – 768 (1%)
• Online Services platform automation – 640 (1%)
• SKU, pricing & redemption token management – 768 (1%)
• Windows Phone Marketplace Apollo readiness – 768 (1%)
The other themes carry the hours listed above (Sales and Channel Management 19,072; Compliance & Governance 7,616; Spend Management 7,552; Statutory and Local Requirements 7,296; Product & Service Launch Readiness 4,736; Privacy & Security of Critical Data and IP 3,584; Supply Chain 3,328; IT/Business Alignment and System Implementations 1,920; Internal process changes 512; Grand Total 64,704).

Project Assignments – align by risk pillar (total hours)
• Financial – 18,255
• Legal/compliance – 13,750
• Operational – 32,699
• Grand Total – 64,704
Operational line items as listed: Acquisition integration 230; Business continuity management 536 (Anti-Malware services follow-up 128; Azure Services ISO 192; Commercial CSS 216); Data management 616; Facility access and security 856; Global employee recruitment and retention 764; Hardware quality and compliance 768; Inadequate operations infrastructure 5,281; Product quality and security (software & services) 2,656 (Anti-Malware services follow-up 384; Azure Services ISO 192; Commercial Online Services order to cash 192; CRM Online ISO 384; Nokia SSAE16 readiness 640; Online Services Rapid Assessments 384; Online Services platform automation 480); Product/service launch and sustainability 1,493; Security and privacy of critical data 8,389; Software piracy 1,015; Spend management 8,350; Strategy and IT resource alignment 1,744.

Project Level Risk
• Risks are aligned to the COSO framework (area/type/category)
• Associate risks with an auditable unit (AU)
• Significance and likelihood scores are absolute
• Residual score is calculated by discounting with the audit experience/knowledge score
• Reassess after each project

All Up Comparison of Risks YoY ('Gut-Check') – audit project hours
Columns: FY11 Actual hours (%) | FY12 Actual hours (%) | FY13 Plan hours (%) | FY12 Actual vs FY13 hours | % pts
• Financial – 26,500 (36%) | 22,600 (30%) | 23,700 (28%) | +1,100 | -2 pts
• Compliance – 17,300 (24%) | 15,400 (20%) | 17,900 (21%) | +2,500 | +1 pt
• Operational – 29,400 (40%) | 37,300 (49%) | 42,400 (51%) | +5,100 | +1 pt
• Strategic – 0% | 0% | 0% | - | 0 pts
• Grand Total – 73,200 (100%) | 75,300 (100%) | 84,000 (100%) | +8,700 (12%) | 0 pts

Resource Capacity
[Table: FTE and FY13 hours by role (VP, ERM, PPM director, PPM manager, Admins, IA director, IA program mgr, IA proj/ppl mgr, IA proj mgr, IA lead, IA staff, RA, IA Vendors, SMSG Vendors, ERM Vendor, PPM Vendor, Vendor total, TECA manager, TECA staff, FIU director, FIU ppl mgr, FIU staff, FIU PM, Total FIU, Vendors, Total All) across the columns FTE | Program | FY13 Invest | Project | ERM | Internal | Total, at 1,800 hours per FTE. Rows that survived extraction intact: TECA manager 1 FTE – 540 / 630 / 180 / - / 450 / 1,800; TECA staff 1 FTE – - / 1,350 / 180 / - / 270 / 1,800; FIU director 1 FTE – 720 / - / 540 / - / 540 / 1,800; FIU ppl mgr 3 FTE – 810 / - / 3,240 / - / 1,350 / 5,400; Total 77 FTE – 138,600 hours. Companion chart: Program, Audit Projects, Investigations, ERM and Internal hours for FY11 actual, FY12 actual and FY13 plan.]

FY13 Load Balancing (hours per month against min/max capacity thresholds)
Month | Planned hours | Min threshold | Max threshold
• Jul – 2,624 | 4,543 | 5,652 (under capacity)
• Aug – 2,752 | 4,543 | 5,652 (under capacity)
• Sep – 5,248 | 4,543 | 5,652 (at target)
• Oct – 5,696 | 4,543 | 5,652 (over capacity)
• Nov – 7,595 | 4,543 | 5,652 (over capacity)
• Dec – 4,715 | 4,543 | 5,652 (at target)
• Jan – 6,187 | 4,543 | 5,652 (over capacity)
• Feb – 6,592 | 4,543 | 5,652 (over capacity)
• Mar – 6,720 | 4,543 | 5,652 (over capacity)
• Apr – 6,848 | 4,543 | 5,652 (over capacity)
• May – 5,184 | 4,543 | 5,652 (at target)
• Jun – 3,776 | 4,543 | 5,652 (under capacity)
• Grand Total – 63,937 | 54,516 | 67,824
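The Impact, Likelihood and Control Effectiveness scales from the rating-criteria slides, applied as an added example that is not part of the deck: it scores a constructed risk register and places each risk in the Improve / Monitor / Optimize / Accept quadrant of the residual profile. The quadrant cut-offs (mid-scale) and the scoring of OI amounts at or below $100M are assumptions, since the slides show the chart lines but no numbers for them.

```python
"""Risk-rating calculator encoding the deck's Impact, Likelihood and CE scales.
Added example; not Microsoft Internal Audit code."""
from dataclasses import dataclass

# Impact score by Operating Income (OI) band (lower bound in USD), from the
# Impact table. Amounts at or below the Mild band still score 1 (assumption:
# the table has no row below "OI >$100M").
IMPACT_BANDS = [(2.5e9, 5), (1e9, 4), (500e6, 3), (250e6, 2), (100e6, 1)]

# Likelihood score by probability band, from the Likelihood table. A value on
# a band boundary (e.g. exactly 0.90) takes the higher score (assumption).
LIKELIHOOD_BANDS = [(0.90, 5), (0.70, 4), (0.50, 3), (0.10, 2), (0.0, 1)]

CE_LABELS = {5: "Very High", 4: "High", 3: "Moderate", 2: "Low", 1: "Very Low"}

# Quadrant cut-offs for the residual chart (exposure 0-25, control level 1-5).
# Mid-scale values are an assumption; the slides give no figures.
EXPOSURE_CUTOFF = 12.5
CONTROL_CUTOFF = 3.0


def impact_score(oi_usd: float) -> int:
    """Map an inherent OI impact in USD to the 1-5 impact score."""
    for lower, score in IMPACT_BANDS:
        if oi_usd > lower:
            return score
    return 1


def likelihood_score(probability: float) -> int:
    """Map an annual probability (0.0-1.0) to the 1-5 likelihood score."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    for lower, score in LIKELIHOOD_BANDS:
        if probability >= lower:
            return score
    return 1


def exposure(impact: int, likelihood: int) -> int:
    """Risk exposure = Impact x Likelihood (1-25), the residual chart's y-axis."""
    return impact * likelihood


def categorize(exp: int, ce: int) -> str:
    """Place a risk in the Improve / Monitor / Optimize / Accept quadrant."""
    strong_control = ce >= CONTROL_CUTOFF
    if exp >= EXPOSURE_CUTOFF:
        return "Monitor" if strong_control else "Improve"
    return "Optimize" if strong_control else "Accept"


@dataclass
class Risk:
    name: str
    oi_usd: float        # inherent OI impact, assuming controls fail
    probability: float   # inherent annual probability, controls absent
    ce: int              # control effectiveness score 1-5 from the CE table


def assess(register):
    """Score a register; returns {name: (exposure, CE label, quadrant)}."""
    out = {}
    for r in register:
        exp = exposure(impact_score(r.oi_usd), likelihood_score(r.probability))
        out[r.name] = (exp, CE_LABELS[r.ce], categorize(exp, r.ce))
    return out


# Constructed sample register (illustrative values, not from the slides).
SAMPLE = [
    Risk("Online services outage", 1.2e9, 0.75, 4),
    Risk("Unauthorized source code disclosure", 1.5e9, 0.72, 2),
    Risk("Vendor over-reliance", 150e6, 0.55, 4),
]

if __name__ == "__main__":
    for name, (exp, ce, quadrant) in assess(SAMPLE).items():
        print(f"{name}: exposure={exp}, CE={ce}, action={quadrant}")
```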
Thanks! gtesta@microsoft.com