IIA Risk Based Auditing Slides

Report
Agenda
Introduction
Microsoft Internal Audit Org
Risk Based Audit Planning Overview (Luncheon)
In Depth Areas (Technical Session)
Enterprise Risk Management
Risk Theme Development
Project Identification
Capacity and Load
Annual Cycle
Questions
Introduction




Microsoft – 7 Years (Internal Audit, SMSG Finance, IT Finance)
PricewaterhouseCoopers – 6 Years (SAP, PeopleSoft)
Honeywell – 3 Years (SAP Security & Controls Implementation)
AIG – 2 Years (Database Design & Implementation)
Microsoft Internal Audit Group
Experience
Functional Areas
Interdisciplinary Approach
What We Stand For
Core Competencies
An Eye Toward the Future
Microsoft Internal Audit Group
Peter Klein
Audit Committee
Board of Directors
CFO –
Microsoft
Melvin Flowers
Office of Legal
Compliance
CVP –
Internal Audit
Michael Ford
Lyn Cameron
Audit Director
FIU Director
Terri Schwan
Audit Director
Rich Nardi
Audit Director
Marilee Byers
Audit Director
Bob Tenczar
Office of ERM
Director
Greg Testa
Practice
Director
Internal Audit Group - Alignment
Michael Ford
Audit Director
Meera Venkatesh
R&D, MBD,
STB, OEM
Audit Director
Audit Director
Marilee Byers
Audit Director
DC Chang
IT Gov, Bus Systems & IT
Processes, BCM, IEB, MSCIS
Steven Bean
Corp Finance,
HR, LCA
Devon Pearce
WWLP, Ops, WPG,
AC
Louis Couwenberg
Infra & IT Processes,
Security, GFS, Skype
Erica Campos
Vendor audit
Lynn Chang
David Low
TBH – Asia
Mike Gaffney - EMEA
Ankush Grover
SMSG Field, Segments, M&O, Services
Terri Schwan
Rich Nardi
Bob Kaler
OSD, WWLD,
WPD, MS Retail
CJ Long
TECA
Gerard Morisseau
Dawn Liburd
Risk?
What is RISK?
Risk is defined as a particular event, or
circumstance that, if it were to occur, would
impact achievement of a business objective.
8
Risk Assessment Components
Prior Audit
Results
Discussions with
Management
SOX Scope
Investigations
10K/ERM
Internal Data
Key Changes to
the
Business/New
Initiatives
External Risk
Environment
9
Planning Process
Planning Process Overview
Ongoing
March
Program Mgrs
•
•
•
•
Informed by:
ERM board & 10K risks
On-going understanding of the business
Recent fraud activity
Program Mgrs,
Directors
•
•
•
•
Validate against ERM board risks, analyze gaps
Calibrate assessment
Identify high risks to be addressed by audit plan
Conduct management team risk discussions
Directors
• Prioritize activities
• Allocate resources
Risk assessment
Risk analysis &
project identification
April
Prioritization &
resource allocation
May
Plan validation &
presentation
Pgm Mgrs,
Directors,
CAE
• Discuss with management
• Validate with senior executives
• Present to AC for approval
Continuous Audit Planning Cycle
On-going
More efficient annual planning cycle
Synchronized with ERM
January June
Responsive to changing risk environment
Risk
Assessment
Execute Audit
Plan
Identify
Projects
April
6-month project planning cycle allows for
more flexibility
Mid-year
Update
Finalize Audit
Plan
18-month view
May
December
Risk Assessment
AC Plan
Review
On-going
June
Execute Audit
Plan
AC Plan
Approval
Jul-Dec
12
September
New Business = New Risks
•
•
•
•
•
•
Supply Chain Disruption
Scrap Disposal Management
HW Quality Assurance
Factory Labour Conditions
Patents
Manufacturing
13
14
Key Takeaways
• Align IA Org to Business
• ERM Critical to Navigating Risks
• Risk Factors (Impact, Likelihood,
and Prior Results)
• Measure Risk Variance
• Ensure Adequate Capacity
• Revisit and Reassess Risk Annually
15
Questions?
16
ERM at Microsoft – Virtual Structure
Board of Directors: Audit & Finance
Committee(s)
Enterprise Risk Office
Executive Sponsor: CVP of Internal Audit
Program Office: Sr. Director of ERM
Strategic
SLT: CEO
Sponsor: GM- Corporate Strategy
Leader: Corp Strategy Sr. Manager
Legal/Compliance
SLT: SVP Legal Compliance
Sponsor: VP Deputy General Counsel
Leader: Compliance Director
Pillar Support: Compliance Program Attorney
Financial/Reporting
SLT: SVP & CFO
Sponsor: Corp VP of Finance and
Administration
Leader: Director
Microsoft Confidential - Internal Use Only
Operational
SLT: COO
Sponsor: CVP & CIO
Leader(s): Sr. Principal, Sr. Solutions Manager
18
Risk Categories
Accept
Areas of low risk exposure that also have a lower level of
control may be consciously accepted by the organization.
(Impact x Likelihood)
Monitor
Areas of high risk exposure where controls are deemed
adequate should be monitored to provide ongoing assurance of
control effectiveness.
High
Improve
Monitor
Accept
Optimize
Risk Level
Improve
Areas of high risk exposure with a low level of control must be
key priority for improvements in management and control
activities.
Low
Optimize
Areas of low risk exposure with a high level of control may
generate opportunities to optimize the management and control
activities.
Microsoft Confidential - Internal Use Only
Low
Management & Control
Activity Level
High
19
Risk Rating Criteria: Impact
NOTE: A risk should be evaluated on the most relevant impact; it does not need to address multiple columns. Also, evaluate the inherent impact rating of a particular risk event or circumstance assuming that
the controls or management activities do NOT exist or they fail in either design or operation and fail to mitigate the impact of the risk occurring.
Description of Impact
Organizational and
operational scope
Reputational impact to stakeholders
(i.e., customers, shareholders, employees, key partners,
subscribers, 3rd Parties)
Legal/ Compliance/
Environmental
Operating
Income (OI)
Impact on Value
Critical
Enterprise-wide: Inability to
continue business
operations Globally
Permanent loss of stakeholder confidence resulting in legal
action, interruption in Enterprise operations globally, and / or
defection to competition
Prohibited from conducting
business in certain product lines,
markets, or geographies
OI >$2.5B
Significant reduction in market
capitalization, significant draw on
liquidity reserve
5
Severe
2 or more divisions:
Significant, ongoing
interruptions to business
operations within 2 or more
divisions
Sustained losses in 2 or more stakeholder groups
Severe restrictions on conducting
business in certain product lines,
markets, or geographies
Substantial reduction in market
capitalization, substantial draw on
liquidity reserve
4
Serious
1 or more division(s):
Moderate impact within 1 or
more division(s)
Moderate loss in 1 or more stakeholder groups
Significant fines or limitations on
conducting business in certain
product lines, markets, or
geographies
OI >$500M
Limited reduction in market
capitalization,
limited draw on operating cash
flow
3
Moderate
1 division:
Limited impact within 1
division
Limited to minor/short-term loss in 1 stakeholder group
Limited actions against the
company with limited effects on
operations
OI >$250M
Missed forecast(s) and/or
budget(s), limited draw on
operating cash flow
2
Impact Rating
Mild
Minimal Impact
OI >$1B
OI >$100M
Score
1
Use Impact Table for Inherent Impact & Residual Impact ratings
Use Likelihood Table for Inherent Likelihood & Residual Likelihood ratings
Microsoft Confidential - Internal Use Only
20
Risk Rating Criteria: Likelihood, Control Effectiveness (CE)
NOTE: Evaluate the inherent likelihood rating of a particular risk event or circumstance in absence of the current management activities or controls that exist to mitigate the likelihood of the risk occurring.
Likelihood Rating
Consideration
Expected
Description of Likelihood
Score
Probability
Frequency
The risk event or circumstance is relatively certain to occur, or has occurred within the
past year
90-100%
Almost Yearly
5
Highly Likely
The risk event or circumstance is highly likely to occur
70-90%
Every 2 to 3 Years
4
Likely
The risk event or circumstance is more likely to occur than not
50-70%
Every 4 to 6 Years
3
Not Likely
The risk event or circumstance occurring is possible
10-50%
Every 7 to 9 Years
2
Slight
The risk event or circumstance is only remotely probable
< 10%
Every 10 Years and Beyond
1
NOTE: Evaluate the Control Effectiveness / Management Activities Rating for a particular risk event or circumstance based on existing management activities and/or controls that exist both within defined
business processes as well as at the entity level and not on future or planned control activities.
CE Rating
Improvement
Opportunities
Very High
None Identified
High
Limited
Moderate
Control Effectiveness (CE)/ Management
Activities
Additional Scoring Criteria
Score
Properly designed and operating as intended.
There are no outstanding High or Medium risk audit issues, no material
weaknesses or significant deficiencies as defined by SOX or external auditors.
5
Properly designed and operating, no significant
deficiencies.
There are no outstanding High risk audit issues, no material weaknesses or
significant deficiencies as defined by SOX or external auditors.
4
Moderate
In place, some deficiencies.
There are no outstanding High risk audit issues. There may be some
significant deficiencies as defined by SOX or the external auditors.
3
Low
Significant
Limited, high level of risk remains, significant
deficiencies.
There are outstanding High and / or Medium risk Audit issues or significant
deficiencies as defined by SOX or external auditors.
2
Very Low
Critical
Non-existent or has major deficiencies and do not
operate as intended.
There are outstanding High risk audit issues or material weakness(es) as
defined by SOX or external auditors.
1
Microsoft Confidential - Internal Use Only
21
INHERENT Risk Profile
Representative Sample
#
Critical
5
5
Tier 1 Risks - Inherent
1
2
Risk 1
Severity of Impact
High
4
9
4
7
Risk 2
3
Risk 3
Moderate
10
3
8
6
Risk 4
Low
Risk 5
2
Risk 6
Minimal
Risk 7
1
Risk 8
1
2
3
4
5
Risk 9
Slight
Not Likely
Likely
Highly Likely
Expected
Risk 10
Likelihood of Occurrence
22
RESIDUAL Risk Profile
Representative Sample
High
#
25.0
1
Risk Exposure
(Impact x Likelihood)
Risk 1
2
20.0
Tier 1 Risks - Residual
3
Risk 2
4
5
Improve
15.0
6
7
Risk 3
Monitor
8
10
Risk 4
9
Risk 5
10.0
Risk 6
Risk 7
5.0
Risk 8
Optimize
Accept
Risk 9
Low
0.0
1.0
Low
2.0
3.0
Control Level
4.0
5.0
Risk 10
High
23
10K Risk Mapped to ERM Board Risks
ERM Risk
Category
Business model disruptions from competitive landscape
Business model pricing erosion
Rise of alternative platforms
Business model disruptions from competitive landscape
Business model pricing erosion
Rise of alternative platforms
Strategic investments
Acquisition integration
Yahoo! Partnership
FY10 ERM
Status
Monitor
Monitor
Monitor
Monitor
Monitor
Monitor
Monitor
Monitor
Improve
We may not be able to adequately protect our intellectual property rights
Software piracy
Monitor
Legal
We are subject to government litigation and regulatory activity that affects how we design and market our products
Regulatory scrutiny and antitrust focus
Monitor
7
8
Legal
Legal
Improper disclosure of personal data could result in liability and harm our reputation
Third parties may claim we infringe their intellectual property rights
Improve
9
Legal
We operate a global business that exposes us to additional risks
10
Legal
We have claims and lawsuits against us that may result in adverse outcomes
Security and privacy of critical data
Not mapped
Regulatory non-compliance
Anti-corruption
Not mapped
11
Operational
We may not be able to protect our source code from copying if there is an unauthorized disclosure of source code
Security and privacy of critical data
Improve
12
13
14
Operational
Operational
Operational
Product quality and security - software & services
Hardware quality and compliance
Business continuity management
Improve
Monitor
Improve
15
Operational
Security vulnerabilities in our products could lead to reduced revenues or to liability claims
Our vertically-integrated hardware and software products may experience quality or supply problems
Catastrophic events or geo-political conditions may disrupt our business
We may experience outages and disruptions of our online services if we fail to maintain an adequate operations
infrastructure
Inadequate operations infrastructure
Monitor
16
Operational
Our business depends on our ability to attract and retain talented employees
17
Operational
Delays in product development schedules may adversely affect our revenues
18
Financial
Adverse economic conditions may harm our business
19
Financial
We may have additional tax liabilities
Global employee recruitment & retention
Succession planning
Product/service launch and sustainability
Financial market volatility
Credit and collections
Financial Reporting
Taxation of foreign earnings
Monitor
Monitor
Monitor
Monitor
Monitor
Monitor
Monitor
20
Financial
If our goodwill or amortizable intangible assets become impaired we may be required to record a significant charge to
earnings
Financial Reporting
Monitor
10K Risk
1
Strategic
Challenges to our business model may reduce our revenues and operating margins
2
Strategic
We face intense competition
3
Strategic
Strategic
(Operational)
Legal (Strategic,
Financial,
Operational)
We make significant investments in new products and services that may not be profitable
6
4
5
Acquisitions and joint ventures may have an adverse effect on our business
ERM Board-level Risk
Monitor
Improve
Development of Business Risk Themes
Top-Down Risk Assessment Themes
Top-Down Risk Assessment Themes
Cloud (Multi-themed: including internal processes, systems, operations infrastructure,
Field sales motion - cannibalism)
Coverage through Order to Cash project for BIOS. Additional
consideration of Cloud operations infrastructure necessary.
End user experience - Billing, App Stores, Credit/Collections, Retail Stores (Expansion)
Order to Cash project.
Last Mile Excellence - LMX (Product/ Service Launch)
Potential coverage through joint project over Office 15 launch.
3rd-Party Reliance (Vendor: FTE, vendor over-reliance)
Heavy reliance on ROC vendors…
Compliance - Regulatory, Industry Standards/Certifications, FCPA, Privacy, Trade
Partner vetting rolling out in 2012-2013, increasing number of
partners. Need to consider how to cover partners?
Consumerization of IT (Internal vs. External)
Partnerships / JV's (includes Nokia, Yahoo, HP, other)
Minimally managed studios (looks like this is not going to be a big
issue)
Spend Management (includes Incentive Comp, Vendor mgmt - 3PP, Selection, single
sourced)
(Channel Incentives could be considered here), Payroll nonstandard overpayment of incentive comp; Freight
Global Programs (Governance over cross-enterprise risks)
Engineering/ Development Compliance (EE compliance, PAGO requirements)
Financial Reporting (including Budgeting, Long-range planning)
Major System Implementations - IT/Business Alignment (e.g., Project Laminar, OA 3.0 ,
CHIP )
Should have OA 3.0 project several months after Win 8 launch.
Timing for Project Laminar unknown.
Supply-chain (IEB mfg, OEM, online SW delivery, Ditigal River - Retail stores)
Project over Just In Time Keys provisioning system.
Potential Themes
Comments
Channel Partners
Channel Incentives (implementation/execution); FCPA/Fraud risks Partner audits?
CLM -Customer Life Cycle Mgmt (Ops people are getting involved
in closing renewals - how will they be compensated?)
Revenue Processing and Recognition - (Order to Cash)-
Order to Cash (for Cloud); Cutoff processing; Revenue recognition;
Shift from large$/small vol. to small$/large vol. business model;
Payco;
OA 3.0
Windows 8
26
Prioritization of Risk Themes
Greg Testa
1
1
3
1
1
1
1.33
4
4
1
7
4
6
4.33
3
3
2 13
3
3
4.50
Average
Bob Tenzar

Terri Schwan

Financial Reporting
Strategy and IT resource
alignment

Rich Nardi


Michael Ford


Marilee Byers


Inadequate operations infra

Product / Services Launch and
release

Reliability/BCM

Ranking
Regulatory compliance / Contract
compliance/Customer obligations
The cloud-based computing model
presents execution and competitive risks;
Cloud (Multi-themed: including, systems,
We may experience outages, data loss
operations infrastructure, Field sales
and disruptions of our online services if
motion - cannibalism
we fail to maintain an adequate
operations infrastructure. .
We may not be able to protect our source
Info Security, protection of consumer
code from copying if there is an
data, containment, control, reaction,
unauthorized disclosure of source code;
adaptability to new mediums, social
Security vulnerabilities could lead to
media
reduced revenue, liability claims, or
competitive harm
Delays in product development
schedules may adversely affect our
Windows 8, Windows Store, Office 15,
revenue; We make significant
Server 8, phone, OEM products
investments in new products and
services that may not be profitable
Security and Privacy of Critical
Data
10K Risk
Product Quality and Security
(Products and Services)
Sub Topics
Models/Strategic Investments/New
Business
ERM Risks

27
Themes
Themes
Sales and Channel Management
# of Hours
% of Total
19,072
29%
Cloud Implementation
9,088
14%
Compliance & Governance
7,616
12%
Spend Management
7,552
12%
Statutory and Local Requirements
7,296
11%
Product & Service Launch Readiness
4,736
7%
Privacy & Security of Critical Data and Intellectual Property
3,584
6%
Supply Chain
3,328
5%
IT/Business Alignment and System Implementations
1,920
3%
512
1%
64,704
100%
Internal process changes due to shift in business model
Grand Total
28
Project Assignments
Align by Risk Theme
Theme
Sales and Channel Management
Cloud Implementation
Anti-Malware services follow-up
Azure Services consumption
Azure Services ISO
Cloud Services Privacy
Commerce platform & business operations
Commercial Online Services order to cash
CRM Online ISO
Online Services Rapid Assessments
Online Services platform automation
SKU, pricing & redemption token management
Windows Phone Marketplace Apollo readiness
Compliance & Governance
Spend Management
Statutory and Local Requirements
Product & Service Launch Readiness
Privacy & Security of Critical Data and Intellectual Property
Supply Chain
IT/Business Alignment and System Implementations
Internal process changes due to shift in business model
Grand Total
Align by Risk Pilar
# of Hours % of Total
19,072
29%
9,088
14%
640
1%
640
1%
1,152
2%
1,152
2%
1,152
2%
768
1%
640
1%
768
1%
640
1%
768
1%
768
1%
7,616
12%
7,552
12%
7,296
11%
4,736
7%
3,584
6%
3,328
5%
1,920
3%
512
1%
64,704
100%
Risk Pilar
Financial
Legal/compliance
Operational
Acquisition integration
Business continuity management
Anti-Malware services follow-up
Azure Services ISO
Commercial CSS
Data management
Facility access and security
Global employee recruitment and retention
Hardware quality and compliance
Inadequate operations infrastructure
Product quality and security (software & services)
Anti-Malware services follow-up
Azure Services ISO
Commercial Online Services order to cash
CRM Online ISO
Nokia SSAE16 readiness
Online Services Rapid Assessments
Online Services platform automation
Product/service launch and sustainability
Security and privacy of critical data
Software piracy
Spend management
Strategy and IT resource alignment
Grand Total
Total Hours
18,255
13,750
32,699
230
536
128
192
216
616
856
764
768
5,281
2,656
384
192
192
384
640
384
480
1,493
8,389
1,015
8,350
1,744
64,704
30
Project Level Risk
• Risks are aligned to COSO framework
(area/type/category)
• Associate risks with auditable unit (AU)
• Significance and likelihood scores are
absolute
• Residual score is calculated based a
discounting using the audit
experience/knowledge score
• Reassess after each project
31
All Up Comparison of Risks YoY (‘Gut-Check’)
100,000
Audit Project Hours
80,000
60,000
40,000
20,000
Financial
Compliance
Operational
FY11 Actual
FY11 Actual
Hours
FY12 Actual
Strategic
FY13 Plan
FY12 Actual
%
Hours
Total
FY13 Plan
%
Hours
FY12 Actual vs FY13
%
Hours
% Pts
Financial
26,500
36% 22,600
30%
23,700
28%
1,100
-2 Pts
Compliance
17,300
24% 15,400
20%
17,900
21%
2,500
1 Pts
Operational
29,400
40% 37,300
49%
42,400
51%
5,100
1 Pts
Strategic
Grand Total
73,200
0%
-
100% 75,300
0%
100%
84,000
0%
100%
8,700
0 Pts
12%
32
Resource Capacity
FTE
Program
FY13
Invest
Project
ERM
Internal
Total
180,000
90
720
1,800
160,000
1,620
180
1,800
140,000
-
1,620
1,800
3,600
1,800
1,800
3,600
-
-
2,160
7,200
80,000
3,600
-
-
1,440
14,400
60,000
2,160
-
5,940
-
-
-
2,700
-
10,800
-
15
18
4
1,350
-
22,950
29,160
4,680
-
-
2,700
3,240
2,520
27,000
32,400
7,200
TECA manager
1
540
630
180
-
450
1,800
TECA staff
1
-
1,350
180
-
270
1,800
FIU director
1
720
-
540
-
540
1,800
FIU ppl mgr
3
810
-
3,240
-
1,350
5,400
FIU staff
FIU PM
10
-
900
-
-
15,300
-
-
1,800
-
18,000
-
Total
FIU Vendors
77
19,620
70,650
27,090
138,600
5,100
900
10,405
2,900
VP
1
720
180
90
ERM
1
-
-
-
PPM director
PPM manager
Admins
1
1
2
180
-
-
-
IA director
4
2,880
2,160
IA program mgr
8
9,360
IA proj/ppl mgr
IA proj mgr
6
-
IA lead
IA staff
RA
IA Vendors
SMSG Vendors
ERM Vendor
PPM Vendor
Vendor total
Total All
19,530
5,100
1,710
1,250
11,305
2,900
300
1,250
300
900
13,305
5,100
300
1,250
20,855
20,520
83,955
24,630
2,010
28,340
159,455
120,000
100,000
40,000
20,000
Program
Audit Projects Investigations
FY11 Actual Hours
ERM
FY12 Actual Hours
Internal
Total
FY13 Plan Hours
34
Load Balancing
FY13 Load Balancing
8,000
7,000
6,000
5,000
4,000
At Target
3,000
Over Capacity
2,000
Under Capacity
1,000
0
a-Jul
Row Labels
a-Jul
b-Aug
c-Sep
d-Oct
e-Nov
f-Dec
g-Jan
h-Feb
i-Mar
j-Apr
k-May
l-Jun
Grand Total
b-Aug
c-Sep
d-Oct
e-Nov
Hours
2,624
2,752
5,248
5,696
7,595
4,715
6,187
6,592
6,720
6,848
5,184
3,776
63,937
f-Dec
g-Jan
Row Labels
a-Jul
b-Aug
c-Sep
d-Oct
e-Nov
f-Dec
g-Jan
h-Feb
i-Mar
j-Apr
k-May
l-Jun
Grand Total
h-Feb
i-Mar
j-Apr
Min Threshold
k-May
l-Jun
Max Threshold
4,543
4,543
4,543
4,543
4,543
4,543
4,543
4,543
4,543
4,543
4,543
4,543
54,516
5,652
5,652
5,652
5,652
5,652
5,652
5,652
5,652
5,652
5,652
5,652
5,652
67,824
35
Continuous Audit Planning Cycle
On-going
More efficient annual planning cycle
Synchronized with ERM
January June
Responsive to changing risk environment
Risk
Assessment
Execute Audit
Plan
Identify
Projects
April
6-month project planning cycle allows for
more flexibility
Mid-year
Update
Finalize Audit
Plan
18-month view
May
December
Risk Assessment
AC Plan
Review
On-going
June
Execute Audit
Plan
AC Plan
Approval
Jul-Dec
36
September
Key Takeaways
• Align IA Org to Business
• ERM Critical to Navigating Risks
• Risk Factors (Impact, Likelihood,
and Prior Results)
• Measure Risk Variance
• Ensure Adequate Capacity
• Revisit and Reassess Risk Annually
37
Questions?
38
Thanks!
[email protected]
39

similar documents