www.ids-scheer.com

Efficient Support for Internal Control Systems via a GRC Software Platform

A blueprint for success in an increasingly regulated business environment

ARIS Expert Paper



1. Increasing external complexity leads to growing internal complexity

Today’s businesses face ever tougher demands on their internal control systems. On average, a company now has to comply with the provisions of more than a hundred different laws and regulations. At the same time, the burden of proof that legislation and standards have been properly implemented and observed is becoming increasingly stringent, with Section 404 of the Sarbanes-Oxley Act (SOX) being a particularly potent example.

In the European Union too, introduction of the 8th EU Directive (audit regulation) requires higher standards from internal control systems, i.e., there are tougher rules regarding the accuracy of published company accounts.

Meeting legal requirements is of fundamental importance to the companies involved, since non-compliance not only harms the corporate image, but in some cases has drastic consequences, such as fines and personal liability of executives (private assets). Further down the line, criminal prosecution is also a possibility.


Governance, Risk & Compliance Management (GRC) is about meeting the requirements of all relevant groups that have an interest in the organization. These requirements may be internal or external, mandatory or voluntary, current or future. It involves reliably identifying relevant processes, describing, allocating, and assessing specific risks, embedding an appropriate internal control system into business workflows, and monitoring the effectiveness of the controls. In particular, the increasing number of external regulations is imposing ever greater constraints on corporate autonomy. Process-oriented software solutions like ARIS Solution for Governance, Risk & Compliance Management enable businesses to introduce and operate an enterprise-wide GRC management system.


Find out:

• why process-oriented software solutions, such as ARIS Solution for Governance, Risk & Compliance Management, enable the introduction and operation of a company-wide compliance management system.

• how companies benefit from reusability of process documentation.

• which optimization approaches exist for compliance management and why this is a facet of business process management.

• what process-oriented compliance management means in the context of a legally safe organization.

About the author:

Martin Kling is solution manager for ARIS Solution for Governance, Risk & Compliance (GRC) at IDS Scheer AG, Munich.

Contact: [email protected]


Increasingly complex requirements mean an exponential increase in the effort that companies need to expend. Something like a dozen sets of different requirements already impact a typical business process, making it difficult to keep track of audit activity and mitigating action. Greater complexity also means greater risk for companies: instances of non-compliance are more likely and can lead to serious financial consequences in the form of fines or loss of image. In order to have a proper legal defense, organizations need to be able to regularly demonstrate that non-compliance is not due to organizational failure. This exonerates management and employees and prevents possible reputational damage.

Today, companies need to deal with two main areas when designing their internal control systems:

1. Reducing complexity

2. Ensuring efficient handling of all (non-value-adding) tasks associated with compliance and demonstrating compliance.

2. Process-driven compliance is replacing project-driven compliance

The efficiency of internal control systems and the compliance processes that build on them is frequently jeopardized by the fact that new requirements are introduced and implemented on a project basis. Over time, responsibility is passed to the organizational unit that seems best suited, leading to the creation of disparate, disconnected line functions. This decentralized approach also leads to silo-style IT solutions being adopted, often due to time constraints, which are incompatible and impossible to analyze. These twin mechanisms generate additional internal complexity. Efficiency can be boosted significantly by applying a holistic, consistent method, harmonizing test activity, and sharing test results.

Achieving the key objectives of reduced complexity and greater efficiency requires the introduction of a central platform to support an internal control system where business processes form the common basis for all controls needed to comply with the various laws and regulations.

3. Greater efficiency thanks to a holistic, process-oriented GRC platform

A GRC platform solution needs to be consistent, efficient, and long-term, and to build on a uniform set of data. In addition, it is important to have a standard connector for the wide range of different rules, regulations, and requirements. An organization’s business processes are almost uniquely suited to this role. The reasons are two-fold. Firstly, business processes typically need to be documented in order to meet compliance requirements. Secondly, compliance implementation has a direct impact on corporate workflows.

To take just one example, most requirements set forth in the Sarbanes-Oxley Act give rise to direct controls within a company’s financial processes. Careful attention must be paid to designing these controls such that process efficiency is not undermined, always taking account of the process context. A further advantage of a process-based approach is that comprehensive process documentation provides a common language across all the departments affected that embraces their different views: business view, IT view, process view, and organization view.

A GRC platform creates efficiency by providing the best possible support for all workflows associated with the internal control system and compliance, which from the corporate perspective are essentially non-value-adding. This mainly covers processes for documenting, updating, and communicating company rules, procedural instructions, and controls; risk analysis and evaluation processes; documentation of test activity; internal management assessment and testing processes; plus support for problem tracking and root cause analysis. Furthermore, it must be possible to incorporate insights and progress from all these processes into reports for different management audiences in a simple, effective manner.

A survey by research company AMR Research of over 200 companies revealed that they anticipate huge sums being spent to meet all the necessary compliance requirements. In addition to SOX costs, AMR Research estimates that US$ 75 billion will be needed by 2009 to cover compliance activity.


Fig. 1: Examples of current and future regulatory requirements, as identified by Gartner


To minimize these costs, a GRC platform must support six typical optimization strategies, all of which are closely associated with process management:

• Right-sizing: Reducing the number of controls, while simultaneously increasing efficiency by achieving a balanced distribution of controls across the corporate, IT, and process control levels.

• Integrating risk management and compliance management

• Providing support for self-assessment

• Standardizing processes

• Centralizing controls

• Repositioning and automating controls

• Introducing an internal control maturity model

ARIS Solution for Governance, Risk & Compliance Management supports precisely these sustained, holistic, and process-based methods, from strategic analysis and definition to designing controls and tests, implementation, monitoring the effectiveness of controls/actions by way of scalable, efficient workflows, enterprise-wide monitoring of process performance and efficiency, testing that allows a prompt response to deviations, and continuous optimization of the established system.

4. Modeling and documenting the elements in an internal control system (ICS)

The first main task is to define and document an internal control system. This includes identifying the rules, regulations, and laws that apply to the company, or with which it feels obligated to comply, defining the specific associated requirements to be met by the company, and drawing up corresponding corporate guidelines. As part of this task, the specific risks resulting from the requirements must be documented, assigned to the relevant corporate processes, analyzed, and appropriate risk mitigation action/controls defined.

The defined external and internal regulations, the requirements derived from them, and the risks are incorporated into the business processes using ARIS modeling tools. The necessary reference structures, such as balance sheet items and income statement accounts, risk trees, and IT application overviews, are generated. If this data is already available thanks to previous projects, it can be reused via a wide range of interfaces. The standard conventions enable flexible adaptation to the corporate environment and objective of the internal control system (e.g., SOX).

As activities that do not directly add value, controls must be kept to a minimum, which means that companies can view integrated GRC management as an opportunity to ensure the efficiency and effectiveness of processes and the implemented controls.

To meet compliance requirements, standardized controls are the minimum configuration required. However, their fitness for purpose cannot be guaranteed without regular monitoring of effectiveness and design.


Fig. 2: Control effectiveness as a function of maturity (chart: effectiveness of control plotted against stage of maturity, rising through the five stages below)

• Unreliable: Unpredictable environment where control activities are not designed or in place

• Informal: Activities and controls are designed and in place, but not adequately documented

• Standardized: Control activities are designed, in place, documented and communicated

• Monitored: Standardized controls with periodic testing with reporting to management

• Optimized: Integrated internal framework with real-time monitoring by management with continuous improvement

Fig. 3: Risks and controls are integrated directly into the business processes using ARIS Business Architect


As a result, external regulations increasingly require concrete evidence that regular tests are being performed to ensure that the defined internal control system is functioning properly. These control tests are defined in ARIS using the same procedure, the relationships being conveniently combined for the control system manager in separate diagrams for each risk or control.

Modeling the relevant meta information of an internal control system in ARIS and linking it with internal regulations and other applicable documents produces a unique central repository, which can be used as a basis for all other functionalities needed for GRC management. This uniform repository is essential for transparent, consistent presentation and analysis. It is used in tandem with the GRC platform to publish information on the intranet and trigger the relevant workflows (testing, review, sign-off, etc.).

5. Introduction of Release Cycle Management (structured version management)

Like all documents of a regulatory nature, processes, internal regulations, and procedural instructions require an official, verifiable document control system. To demonstrate the validity of a specific process or control at any given time for audit purposes, all relevant process models and risk control models are subjected to a defined release process. Prior to Web-based publication of the new or modified process on the intranet, it must be tested and released by defined departments and process owners. Release is carried out quickly and easily via a Web interface that lists the individual process and risk control models for each owner.

ARIS Risk & Compliance Manager then uses this release database to set up the workflows for internal assessment, risk evaluation, and, if necessary, deficiency management.

6. Internal assessment process including issue and deficiency management

Many laws and guidelines stipulate that the internal control system itself must be testable. This requires complete, audit-proof documentation of controls and their monitoring, as well as the definition of processes and responsibilities to remedy deficiencies and of document/test period sign-off. It must also be possible to extract the test data at specific times on a target group basis for external or internal auditors or for management.

Using the internal control system defined in the ARIS repository, ARIS Risk & Compliance Manager provides support for a comprehensive, audit-proof assessment process. Specific test cases are generated from the control tests and sent to the defined testers (auditors) by e-mail. So that the test can be performed efficiently, all the related information, such as the associated risks and controls and underlying business process, is included in a convenient overview.



Fig. 4: The central ARIS repository supports the processes that build on it by providing a consistent set of data

Fig. 5: Role-based access to ARIS Risk & Compliance Manager


The tester documents his or her test activities, including any confirmation of compliance, in ARIS Risk & Compliance Manager and assesses the design or effectiveness of each control. The test case is then sent to a reviewer before final completion and documentation. This workflow can be flexibly adapted to suit the company’s specific requirements.

To ensure a clear audit trail, each version of a test case is saved, including the associated risks and controls, and is permanently accessible to allow analysis of a particular activity.

If a test case is closed with the verdict “not effective”, a deficiency is automatically generated so that action can be taken to address the problem. In a separate ARIS Risk & Compliance Manager module, impact and probability are assessed and compensating controls and actions defined to ensure that the control is effective. After taking these steps and conducting a new, successful test, the deficiency is closed.

Thanks to a single set of data, users can access the up-to-date, overall status of all test cases, controls, and deficiencies at any time. In the Evaluation module, it is also possible to drill down to the lowest level of a hierarchy. Here, the standard hierarchies are the organization concerned, processes, balance sheet items, and tester hierarchy.

7. Demonstrating compliance to external auditors

As well as being met internally, it is particularly important that compliance requirements can be verified or certified by external evaluation or an external audit. To achieve this, all compliance-relevant activities, including tracking the change history of all information, must be seamlessly documented.

An end-to-end, IT-supported solution, such as ARIS Solution for GRC, enables compliance requirements to be fulfilled quickly, with minimal effort, and in an audit-proof manner. ARIS Risk & Compliance Manager can be used to verify every user, action, and result, along with the time and date.
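The test-case and deficiency workflow described in section 6 (tester documents a verdict, a reviewer closes the case, a “not effective” verdict automatically opens a deficiency that a later successful test closes) and the per-user, per-action, per-timestamp audit trail mentioned above, as an added Python example. This is not code from the paper or from the ARIS product: the state names, the rule that the reviewer must differ from the tester, the hash chaining of the audit log, and all identifiers (TC-1, CTRL-AP-01, the user names, the timestamps) are assumptions constructed for the example.

```python
"""Control test-case lifecycle with automatic deficiency handling and a hash-chained
audit trail. Added example: state names, the reviewer-not-tester rule and the hash
chain are assumptions of this example, not the ARIS data model."""
import hashlib
import json
from dataclasses import dataclass

OPEN, IN_REVIEW, CLOSED = "open", "in_review", "closed"   # assumed state names
EFFECTIVE, NOT_EFFECTIVE = "effective", "not effective"   # verdicts named in the paper
GENESIS = "0" * 64
FIELDS = ("seq", "user", "action", "result", "timestamp", "prev_hash")

def _digest(entry):
    # SHA-256 over the entry's fields; prev_hash ties it to the preceding entry
    return hashlib.sha256(json.dumps([entry[k] for k in FIELDS]).encode()).hexdigest()

class AuditTrail:
    """Append-only log: editing or dropping any earlier entry makes verify() fail."""
    def __init__(self):
        self.entries = []

    def record(self, user, action, result, timestamp):
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        entry = dict(seq=len(self.entries), user=user, action=action, result=result,
                     timestamp=timestamp, prev_hash=prev)
        entry["digest"] = _digest(entry)
        self.entries.append(entry)

    def verify(self):
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or e["digest"] != _digest(e):
                return False
            prev = e["digest"]
        return True

@dataclass
class Deficiency:
    control_id: str
    impact: int = 0          # assessed later in the deficiency module (0 = not yet assessed)
    probability: int = 0
    closed: bool = False

@dataclass
class TestCase:
    control_id: str
    tester: str
    reviewer: str
    state: str = OPEN
    verdict: str = ""

class ControlSystem:
    def __init__(self):
        self.trail, self.cases, self.deficiencies = AuditTrail(), {}, {}

    def open_case(self, case_id, control_id, tester, reviewer, ts):
        if tester == reviewer:   # assumed rule: nobody reviews their own test
            raise ValueError("reviewer must differ from tester")
        self.cases[case_id] = TestCase(control_id, tester, reviewer)
        self.trail.record("system", f"open {case_id}", control_id, ts)

    def document_test(self, case_id, user, verdict, ts):
        tc = self.cases[case_id]
        if user != tc.tester or tc.state != OPEN or verdict not in (EFFECTIVE, NOT_EFFECTIVE):
            raise PermissionError("only the assigned tester may document an open case")
        tc.verdict, tc.state = verdict, IN_REVIEW
        self.trail.record(user, f"test {case_id}", verdict, ts)   # every version is logged

    def review(self, case_id, user, approve, ts):
        tc = self.cases[case_id]
        if user != tc.reviewer or tc.state != IN_REVIEW:
            raise PermissionError("only the assigned reviewer may close a case in review")
        tc.state = CLOSED if approve else OPEN   # rejection sends the case back to the tester
        self.trail.record(user, f"{'close' if approve else 'reject'} {case_id}", tc.verdict, ts)
        d = self.deficiencies.get(tc.control_id)
        if approve and tc.verdict == NOT_EFFECTIVE and (d is None or d.closed):
            d = self.deficiencies[tc.control_id] = Deficiency(tc.control_id)   # auto-generated
            self.trail.record("system", f"deficiency {tc.control_id}", "opened", ts)
        elif approve and tc.verdict == EFFECTIVE and d is not None and not d.closed:
            d.closed = True   # a new, successful test closes the deficiency
            self.trail.record("system", f"deficiency {tc.control_id}", "closed", ts)
        return d

    def assess_deficiency(self, control_id, user, impact, probability, ts):
        d = self.deficiencies[control_id]
        d.impact, d.probability = impact, probability
        self.trail.record(user, f"assess {control_id}", f"impact={impact} probability={probability}", ts)

def demo():
    """Constructed walk-through: failed test, deficiency assessment, successful retest."""
    ics = ControlSystem()
    ics.open_case("TC-1", "CTRL-AP-01", "alice", "bob", "2007-01-10T09:00Z")
    ics.document_test("TC-1", "alice", NOT_EFFECTIVE, "2007-01-10T10:00Z")
    ics.review("TC-1", "bob", True, "2007-01-11T08:00Z")
    ics.assess_deficiency("CTRL-AP-01", "carol", 4, 3, "2007-01-12T08:00Z")
    ics.open_case("TC-2", "CTRL-AP-01", "alice", "bob", "2007-02-01T09:00Z")
    ics.document_test("TC-2", "alice", EFFECTIVE, "2007-02-01T10:00Z")
    ics.review("TC-2", "bob", True, "2007-02-02T08:00Z")
    return ics
```

Calling demo() runs the constructed sequence and returns the system with the deficiency closed and nine audit entries. verify() recomputes the chain, so a later edit to any earlier entry's user, action, result or timestamp is detected; that tamper-evidence, rather than the mere presence of a log, is what makes read-only auditor access to results meaningful.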

The extensive reporting functions in ARIS Risk & Compliance Manager also support documentation of compliance activities for external audit. By aggregating and filtering data, a document can be created at the push of a button that allows external tests for the relevant regulations. Here too, results can be filtered so that internal activities can be reused for multiple regulatory regimes and external audit.

Furthermore, ARIS Risk & Compliance Manager provides the option of giving external auditors read-only access to results, thus fully supporting a test performed within the system itself. Companies operating a GRC platform have discovered that external auditors welcome having their own activity integrated into such a rigorous system. This has the effect of reducing unpleasant “surprises” on both sides at the end of the fiscal year.

8. Analysis and evaluation options within the internal control system

To monitor the effectiveness of the established compliance activities as well as the status of processes and organizational units affected by these tests and controls, key performance indicators (KPIs) are needed, along with fast data extraction and presentation in an easy-to-understand format.

Compliance Process Dashboard provides a quick overview of current activity status. Users can configure the display layout to suit their needs. Options include multidimensional results analysis (e.g., time series, regional/national comparisons, etc.).


Fig. 6: ARIS Risk & Compliance Manager always provides an up-to-date picture of the overall situation


Compliance Process Performance Manager can be deployed for in-depth analysis of the aggregated results. Benefits include the ability to drill down to the individual process or test instance.

Finally, an internal control maturity model is required.

All controls are categorized as follows:

• Unreliable

• Informal

• Standardized

• Monitored

• Optimized

Using this model, company managers and internal and external auditors can assess the suitability of the internal control system at any time and strategically manage its continuing development.

It is vital that companies adopt a centralized approach to GRC and organize it efficiently – only then can the various initiatives be combined in a consolidated GRC management system, thereby leveraging the synergies between human resources, data, IT, and existing knowledge. The result is greater process discipline, improved risk management (integrated into the GRC strategy), and a raised awareness of GRC as an ongoing business requirement.

9. Summary

Internal control systems are expected to deliver ever-higher levels of effectiveness. Similarly, companies increasingly need to demonstrate what action they have taken. The effectiveness, and especially the efficiency, of internal control systems and the compliance processes that build on them have not kept pace with these more stringent requirements.

Sustained improvements in efficiency can only be achieved by deploying a holistic, consistent method and implementing a central platform to support an internal control system where business processes form the common basis for all controls needed to comply with the various laws and regulations.

ARIS Solution for GRC is a flexible platform that is not tied to a particular system or content focus and that efficiently supports internal control system processes. It renders complex relationships transparent via database-supported modeling of risks and controls in the individual business processes and allows easy publication of the company’s defined internal regulations. By efficiently enabling internal management assessment, test activity effort is reduced and the quality of test results improved. Thus managers are free to focus on the more important events within the organization.

The seamless audit trail, which documents all activities, and transparent test results boost trust in the internal control system and allow test activity by external auditors to be reduced. Having a uniform set of data for internal and external testing prevents duplication of work and means that agreement on the assessment of deficiencies can be reached at an early stage.

Organizations that implement a uniform, flexible GRC platform see a significant reduction in costs, while benefiting from an improvement in their control system – along with optimization and harmonization of their business processes. They are also equipped for the future, since new areas of compliance can be incorporated into a consistent system. At the same time, increased automation of controls and test activities delivers further efficiency savings.


Fig. 7: Compliance Process Dashboard enables a wide range of views of the available data


IDS Scheer AG

Headquarters
Altenkesseler Str. 17
66115 Saarbruecken
Phone: +49 681 210-0
Fax: +49 681 210-1000
E-mail: [email protected]

www.ids-scheer.com

© Copyright IDS Scheer AG, Saarbruecken, 2007. All rights reserved. The contents of this document are subject to copyright. Any changes, modifications, additions or amendments require prior written consent from IDS Scheer AG, Saarbruecken. Reproduction in any form is only permitted on the condition that the copyright notice remains on the actual document. Publication or translation in any form requires prior written consent from IDS Scheer AG, Saarbruecken. “ARIS”, “IDS”, “ProcessWorld”, “PPM”, ARIS with Platform symbol and Y symbol are trademarks or registered trademarks of IDS Scheer AG in Germany and in many other countries worldwide. “SAP NetWeaver” is a trademark of SAP AG, Walldorf. All other trademarks are the property of their respective owners.

ID-Number: EP-GRC-0108-E