IT Governance GSI 615
IT GOVERNANCE
GSI 615
Carmen R. Cintrón Ferrer © 2014
IT Governance
2
Scope
Governance
Risk Management
Compliance
IT Resources Management
IT Governance
IT Leadership and Innovation
Governance and Ethics
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
3
Compliance
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
What is compliance?
4
Compliance is a desired outcome with regard to:
Laws and regulations
Internal policies and procedures
Commitments to stakeholders – Mission
Reliability and Assurance of information
Achieved through managed investment of time and resources by inserting into day to day processes:
Controls
Legal and Tactical activities
Metrics
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
Compliance
5
Compliance definition: ( Video )
Conformance to established or generally accepted regulations, standards and/or legislation
Compliance components:
Awareness of boundaries
Structure support for accountability
Culture and consistency
Automated processes and controls to avoid gaps and prevent failure
Metrics that enable compliance
Technology integration to alert/prevent possible incompliance
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
Compliance with Laws and Regulations
6
Which Laws & Regulations
Those which the entity is subjected to follow
Challenges
Lacking in harmony
Complex & decentralized
Dependent on manual controls
Implement via:
Policies and Procedures
Insert technology to support compliance
Rely upon ethical behavior and transparency
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
7
Comply with what?
National & International Laws and Regulations
Standards and Best Practices
Governmental regulatory agencies rules
Codes of Ethics
Organizational Policies, Procedures, Guidelines
Business Code of Ethics
Professional Code of Conduct
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
Regulatory compliance areas
(sample list)
8
Financial transactions and records:
Gramm-Leach-Bliley Privacy Act (GLBA)
Payment Card Industry Standards (PCI)
Basel I & II
Sarbanes Oxley Act (SOX)
Health Transactions and records:
Health Records Insurance Portability & Accountability Act (HIPAA)
Health Information Technology for Economic and Clinical Health (HITECH) Act
Intellectual property:
Digital Millenium Copyright Act (DMCA)
Personal Data Privacy:
Family Education Rights and Privacy Act (FERPA - Buckley Amm.)
Electronic Communications Privacy Act (ECPA)
The Lisbon Treaty Data Protection framework as a fundamental human right
National Security, Information Security and Telecommunications:
Federal Information Securty Management (FISMA)
Computer Fraud and Abuse Act
USA Patriot Act
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
What, Who, When?
9
What?
Determine the level of compliance required
Identify responsible parties (Roles & Responsibilities)
Adopt (modify) Policies and Procedures
Communicate, Train and Monitor
Who?
Organization as a whole
Board, Officers, Senior and Line Management and staff
Compliance Officer, Internal Auditor and Legal Counsel
When?
Continuous compliance process
By request of Regulatory Agency, contractual agreement and/or lawsuit
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
Responsibility
10
Dimension of Responsibility
Strict (Directly responsible)
Indirect and vicarious
Fiduciary responsible
Negligent acts or absence of
Standard of Due Care:
States the measures that should be in place to mitigate or reduce the responsibility
Requires to Act as expected (within the legal/regulatory framework)
SOX Standards – ISO 17799
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
Compliance Exercise 1
11
Choose a regulation from the Personal Data Protection List
Determine dimension of responsibility for:
Board
Officers & Managers
IT Management and Staff
Staff
What would the Standard of Due Care be if there is a:
Breach of security and clients’ data is exposed?
Scenario of industrial espionage?
Major fraud involving securities transactions (SEC)?
Unethical behavior by an Officer/Manager/Staff Employee?
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
Compliance Laws and Regulations
Personal Data and Privacy Protection
(limited listing)
Electronic Communications Privacy Act
Children's Online Privacy Protection Act
Health Insurance Portability & Accountability Act
Health Information Technology for Economic and Clinical Health (HITECH) Act
Family Education Rights and Privacy Act (Buckley Amm.)
Sarbanes Oxley Act
Gramm-Leach Bliley Financial Privacy Act (GLB)
Digital Millenium Copyright Act (DMCA)
Control Assault of Non-Solicited Pornography & Marketing Act
Electronic Signatures in Global & National Commerce Act
Communications Assistance for Law Enforcement Act
Real ID Act
The Lisbon Treaty significantly affects the data protection framework. It establishes that Personal dat protection is a fundamental human right
Federal Information Securty Management (FISMA)
Computer Fraud and Abuse Act
Cyber Security Enhancement Act
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and
Obstruct Terrorism Act
Cyber stalking, Cyber Harrasment & Cyber Bullying laws
Federal Information Security Management Act
Electronic Freedom of Information Act
PL 99-508 (1986)
PL 105-277 (1998)
PL 104-191 (1996)
PL 111-5 (2009)
(1974)
PL 107-204 (2002)
PL 106-102 (1999)
PL 105-304 (1998)
PL 108-187 (2003)
PL 106-229 (2000)
PL 103-414 (1994)
PL 109-13 (2005) http://europa.eu/lisbon.treaty
PL 107-347 (2002)
PL 107-296 (2002)
PL 107-56 (2001) http://www.ncsl.org/default.aspx?tabid=13495
PL 107-347 (2002)
PL – 104-231 (1996)
Carmen R. Cintron Ferrer, 2014, Reserved Rights
Compliance Exercise 1(a)
13
Dimension of
Responsibility
Board of
Directors
Officers Managers IT Mangement &
Staff
Other Staff
Strict/Direct
Indirect/
Vicarious
Fiduciary
Negligent actions
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
Compliance Exercise 1(b)
14
Expected Standard of Due Care
Board of
Directors
Officers Managers IT Mangement &
Staff
Other Staff
Client’s Data
Exposed
Industrial
Espionage
SEC fraud
Unethical behaviour
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
Compliance Management
15
Identify Regulatory requirements
Select Compliance Frameworks
Document Business processes and controls:
Implement or update Processes & Controls
Determine Control Gaps
Address - close gap(s)
Monitor control status and effectiveness:
Identify and remediate issues
Review and update control environment
Certify effectiveness
Communicate results of analysis to key stakeholders:
Train for Compliance
Generate evidence to support audit requirements
Assess impact of events on controls
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
16
Compliance Management Process
Regulatory Requirements
Compliance Framework
Business Processes
Monitor Controls
Communicate & Train
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
Compliance Management Issues
17
No Compliance oversight function and/or very low confidence level in risk management
Lack of Compliance Awareness and Education
Outdated Policies and Procedures
Informal Procedures and Practices
Unknown and/or not well informed and understood Policies,
Procedures, Strategic Plans, Budget and Resources
Allocation-Management
Inconsistent application of policies and practices among different areas/departments
Ineffective/Inefficient controls
Personal accountability is unenforceable or wrongly placed
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
Environment for Compliance
18
Establish an incentive and reward system based on excellence and hard work.
Develop an ethical environment that can foster and sustain responsible decisions.
Build a system of ethical practice throughout the compliance program and the organization.
Assign the resources and communicate a clear message
Move the cultural change: Compliance is the right thing to do
Michael Volkov, Creating a Culture of Ethics and Compliance
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
SOX Compliance
19
Sec 302 - Faulty Financial Reporting (Data Safeguard)
Prevent data tampering
Accurate reporting and timelines
Track data access
Operational safeguards
Safeguards effectiveness
Security breaches detection
Sec 404: Disclosure and transparency (Data Security)
Disclose security safeguards
Disclose security breaches
Disclose failure of safeguards
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
Sox Compliance Frameworks
20
Cobit 5 ( www.isaca.org/cobit5 )
ISO 27000 ( http://www.oanc.ir/iso27k.pdf
)
COSO ( http://www.coso.org
)
SANS Approach:
An Overview of SOX
A Compliance Primer
SOX IT Compliance Audit
Some IT Support Solutions:
Computron
CorreLog
Oracle
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
SOX Compliance References
21
Computron, Sarbanes-Oxley Compliance: A Checklist for Evaluating
Internal Controls
Correlog, Sarbanes-Oxley (SOX) Compliance Checklist
Deloitte, Taking Control, A Guide to Compliance with Section 404 of the Sarbanes-Oxley Act of 2002
Ernst & Young, The Sarbanes-Oxley Act at 10, Enhancign the reliability of financial reporting and audit quality
KPMG, Sarbanes-Oxley Section 404: Summary of key points from submissions to the SEC
J. StephenMcNally, CPA, The 2013 COSO Framework & SOX
Compliance, One Approach to Effective Transition
Protiviti, Guide to the Sarbanes-Oxley Act: Internal Control
Reporting Requirements, FAQ’s Regarding section 404
SPLUNK, SOX Compliance
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
COSO 2013
(Committee of Sponsoring Organizations - Threadway Commission)
Update considers changes in business and operating environments
Environments changes...
Expectations for governance oversight
Globalization of markets and operations
Changes and greater complexity in business
Demands and complexities in laws, rules, regulations, and standards
Expectations for competencies and accountabilities
Use of, and reliance on, evolving technologies
Expectations relating to preventing and detecting fraud
…have driven Framework updates
COSO Cube (2013 Edition)
COSO 2013 Updated Model
Control Environment
Risk Assessment
Control Activities
Information &
Communication
Monitoring Activities
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
13. Uses relevant information
14. Communicates internally
15. Communicates externally
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
COSO - Example on how controls effect principles
Component
Control Environment
Principle (1) The organization demonstrates a commitment to integrity and ethical values.
Controls embedded in other components may effect this principle
Human Resources review employees’ confirmations to assess whether standards of conduct are understood and adhered to by staff across the entity
Control Environment
Management obtains and reviews data and information underlying potential deviations captured in whistleblower hot-line to assess quality of information
Internal Audit separately evaluates Control
Environment, considering employee behaviors and whistleblower hotline results and reports thereon
Information &
Communication
Monitoring Activities
25
GR&C Wrap-up
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
GRC or ECRG
26
Governance Risk and Compliance ( Video )
Why a GRC Framework ? ( Video )
GRC: The Power to decide ( Video )
Ethics, Compliance, Risk Management &
Governance:
Should it be GRC or ECRG? (Why/Why not?)
What does the Ethical Component introduce?
How can Ethical Governance become the axis?
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
27
Ethics and Compliance or
Compliance and Ethics
Society of Corporate Compliance and Ethics, Sally March,
Compliance in Europe
Alstom, Ethics and Compliance: "clean business is great business"
Lilly, Ethics and Compliance Program
Ethics & Compliance Officer Association, Standards of
Conduct for Ethics and Compliance Professionals
Education Portal, Corporate Social Responsibility
Dilbert on Ethics for e-CPE
DigiPharm, The relationship between compliance and ethics
Funny FCPA trainings
Click4Compliance, Global Anti-corruption laws
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
28
Governance Cases
Teamwork Exercise
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
29
Cases in Governance
Enron
Lee Ann Obringer - Stuffworks http://money.howstuffworks.com/cooking-books7.htm
Robert Jon Petersen – Sophia.org http://www.sophia.org/tutorials/enron-case-study
The Economist http://www.economist.com/node/940091
The FBI, Crime in the Suites: A look back at the
Enron Case http://www.fbi.gov/news/stories/2006/december
Leigh Tesfatsion – Iowa State University http://www2.econ.iastate.edu/classes/econ353/tesfatsion/enron.pdf
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
30
Cases in Governance
Tyco International
Lee Ann Obringer – Stuffworks http://money.howstuffworks.com/cooking-books10.htm
Tyco Fraud InfoCenter http://www.tycofraudinfocenter.com/information.php
Daniels Fund Ethics Initiative – University of New Mexico
http://danielsethics.mgt.unm.edu/pdf/Tyco%20Case.pdf
Law Teacher – Unethical issues or legal issues in Tyco
International http://www.lawteacher.net/companylaw/essays//unethical-issues-or-legal-issues-in-tyco-international-companylaw-essay.php
Study Mode http://www.studymode.com/essays/Tyco-International-
Case-Study-1022395.html
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
31
Cases in Governance
WorldCom
Lee Ann Obringer – Stuffworks http://money.howstuffworks.com/cooking-books9.htm
Romar et als – Santa Clara University – World Com
Case Study
http://www.prmia.org/sites/default/files/references/WorldCom
_Case_Study_April_2009.pdf
http://www.scu.edu/ethics/dialogue/candc/cases/worldcomupdate.html
Kristin A. Kennedy – An Analysis of Fraud … -
University of New Hampshire http://scholars.unh.edu/cgi/viewcontent.cgi?article=1099&context=honors
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
32
Cases in Governance
Adelphia
The Adelphia Case Scandal https://www.google.com.pr/url?sa=t&rct=j&q=&esrc=s&source=web&cd=
3&cad=rja&ved=0CDQQFjAC&url=http%3A%2F%2Fwww.aicpa.org%2FI nterestAreas%2FAccountingEducation%2FResources%2FDownloadableDocu ments%2Fadelphia.ppt&ei=8i_wUtHdMZG8kQfJuIDYCg&usg=AFQjCNEhp tLoBmQE4mMGBg0lUoPs6TikXQ
CNN Money – The Adelphia Story http://money.cnn.com/magazines/fortune/fortune_archive/2002/08/12/
327011/
C.P. Carter et als. – The Adelphia Fraud – American
Accounting Association, http://aaahq.org/fia/attachments/fianewsletter-v2n3.pdf
Adelphia Communications Case Study http://www.docstoc.com/docs/23287542/Adelphia-Communications-A-
Case-Study
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
33
Cases in Governance
Peregrine Systems
FBI – Peregrine Systems Indictment –
http://www.fbi.gov/news/pressrel/press-releases/executives-andauditor-of-peregrine-systems-inc.-indicted-on-securities-fraud-charges
http://en.wikipedia.org/wiki/Peregrine_Systems
Carmen R. Cintrón Ferrer, 2014, Reserved Rights
