Protiviti CAE Roundtable Series: High Value Internal Audits
October 10, 2008
© 2008 Protiviti Inc.This document is for your company’s internal use only and may not be distributed to any third party.
Universal Characteristics of Successful Internal Audit Programs:
• The mission of the IA function is defined by adding value
• Supports corporate governance initiatives
• Provides continuous auditing services - not a rigid plan
• Responds to increasing complexity of organizational risks by delivering enterprise-wide value and recognizing strategic impact to their businesses
• Grooms and retains first-rate professionals in the IA function who will continue their careers in key positions throughout the entire organization
• Embraces the need to keep pace with regulatory changes, advancing technology, and monitoring the wide array of risks – internally and externally
Internal Audit Expectations are Rising…
The expectation for Internal Audit to add more value is becoming more pervasive!
So How Can We Add Value?
Internal Audit Services
• Internal Audit Quality Assessment Review
• Internal Audit Transformation
Continuity
• Business Continuity Management
• Disaster Recovery Planning
• Crisis Management/Pandemic Audits
Governance and Management
• Enterprise Risk Management
• Overall GRC - Governance Review
• IT Governance Review
• IT Alignment with Business Strategy
• Project and Portfolio Management
• Due Diligence Process
IT Processes and Operations
• IT Infrastructure Library Benchmarking Audit
• IT Asset Management
• IT Service Management
• Technology Change Management
IT Security and Privacy
• Identity Management
• Database Security Audit
• Data Privacy Review
• Payment Card Industry (PCI) Audit
• Vulnerability Assessment
Information Management
• Business Intelligence Diagnostic
• Intellectual Property Audit
• Records Management
Technology Infrastructure, Technology Components and Configurations
• Technology Architecture Evaluations
• Database Audits
• Network Audit
IT Risk Assessment and Planning
• IT Audit Scoping and Risk Assessment
• CobiT Implementation Assistance
Application Security, Controls and Configuration
• ERP Security Assessment
• Pre/Post-Implementation Review
• Automated Business Process Control Review
Financial Leakage / Asset Protection
• Spend Risk Assessment
• Royalty Audit
• Loss Prevention
• Revenue Risk Review
• Credit Risk Review
Litigation, Investigative, Regulatory
• E-Discovery
• Anti-Fraud Assessment of Programs/Controls
• Regulatory (various)
Business Operations Improvement
• Supply Chain Assessment
• Global Sourcing
• Capital Projects & Construction
• SOX Controls Rationalization
“High Value Audits”
What Is The Total Cost of Ownership?
Most organizations spend 20% to 70% of their revenues procuring third party goods and services. When searching for cost savings, the focus is often on Unit Cost while other cost drivers are ignored. Spend Risk Audits allow Internal Audit to look at all aspects of the expenditure process and identify the risks and cost drivers affecting the organization.
(Figure: Total Cost of Ownership. Unit Cost alone represents the Perceived Opportunities; Total Cost, which adds Specifications, Ownership Costs, Obsolescence Costs, Inventory Costs, Usage Costs, Administrative & Process Costs, Processing Costs and Working Capital Impact, represents the Effective Opportunities.)
Price levers shown in the figure:
• Volume leverage
• Rebate management
• Performance, incentive structure
• Gain sharing
• Guaranteed reductions
Specification, usage and administrative & process cost drivers shown in the figure:
• Product design
• Product specifications
• Standardization
• Extended life products
• End product cost
• Recycle
• Transportation
• Scrap
• Mix shifting
• Elimination
• Consolidated invoicing
• eProcurement
• PO processing
• Receiving
• Payment Errors
• Stockless inventory
• Performance reporting
• Payables
• Quality
• Payment Terms
Supply Chain Risks and Opportunities
Risks
• Business Interruption due to Supply Concerns
• Duplicate Payments
• Inefficient Working Capital Management
• Fraudulent Payments
• Reputation Risks from Poor Quality Products or Vendor Selection
• High Processing Costs / Headcount
• Non-Optimized Sourcing Decisions
Opportunities
• Develop Supply Chain Contingency Plans
• Recover Dollars Lost through Financial Leakage
• Better Manage Cash through Discount Use and Payment Term Extensions
• Identify and Prevent Fraud
• Analyze Vendor Usage to Reduce Risk and Save Dollars through Strategic Sourcing
• Identify Process Bottlenecks and Inefficiencies
Spend Risk Audit – Establish Scope
Internal Audit can align itself with the organization by assisting with the evaluation of the Cost Drivers and the Risk Environment in which it operates. A Spend Risk Audit can be constructed as a general assessment or focused specifically on one component. To help establish the focus, scoping questions can assist in assessing the risk profile of your organization.
Supply Chain Risk
• Does a Contingency Plan exist for your sole sourcing arrangements?
• Could an environmental event interrupt your supplies?
• Do Geo-Political Risks exist in your Supplier Base?
Strategic Sourcing
• Are centralized spend decisions being made for all Departments and Locations?
• Does a centralized contract database exist to take advantage of purchasing actions?
• How are product specifications established and monitored?
Working Capital
• Has your organization established a policy on preferred payment terms?
• Is workflow installed to ensure payment timing can be dictated by the business?
• Are ERP System controls established to ensure compliance?
Financial Leakage
• Has your organization experienced a system conversion / merger in the last 3 years?
• Has AP or Purchasing a high amount of turnover?
• When was the last time a financial leakage audit occurred?
Forensic Review
• Have you experienced or suspected a fraud event?
• Is your organization concerned about FCPA compliance?
• Is there a corporate policy regarding related party vendors?
Spend Risk Audit - Approach
Internal Data
• Vendor Master File
• Employee Master File
• Invoices and Invoice Line Items
• Purchase Orders Table
• Payment Table
• Contract Database
• T&E Expenses
Questions to Ask
What data is captured and where?
What support do you have from IT? What data analysis capabilities do you have within your Department?
External Data
• Supplier Billing Data
• Credit Card Providers (PCard, T & E, etc.)
• Payment Receipt Data
• Government Databases (Social Security Administration, OFAC Database)
Questions to Ask
What data format should be provided by the Supplier?
What is the time period in scope?
Spend Risk Audit - Tools
Benchmarking Tools and Data Analysis Tools
• Assure Controls™ for SAP R/3
• Assure Security™ for SAP R/3
• Assure Integrity™ for SAP R/3
Data Analysis and Benchmarking are critical elements when designing a Spend Audit.
• Benchmarking services allow for the comparison against other organizations in the same industry
• Data analysis tools allow for the audit of 100% of the spend data and an “Anomaly Focused” approach to the audit.
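What an “Anomaly Focused” pass over 100% of the spend data looks like in practice, as an added example (not Protiviti’s tooling or the Assure products named above): it joins the vendor master, employee master and payment table listed under the Approach slide and runs four of the tests the scoping questions point at, duplicate vendor records, duplicate payments, employee/vendor matches for related-party review, and payments released well before their due date. All records are constructed sample data, and the suffix list in `normalize` and the 14-day early-payment threshold are assumptions, not standards from the deck.

```python
"""Anomaly-focused tests over constructed spend data (added example, not Protiviti's tooling)."""
from collections import defaultdict
from datetime import date
import re

# Constructed sample data standing in for the vendor master, employee master and payment table.
VENDORS = [
    {"vendor_id": "V100", "name": "Acme Supplies Inc.", "bank_acct": "11110001", "address": "12 Mill Rd"},
    {"vendor_id": "V200", "name": "Northside Contracting", "bank_acct": "22220002", "address": "8 Oak Ave"},
    {"vendor_id": "V300", "name": "ACME SUPPLIES INC", "bank_acct": "11110001", "address": "12 Mill Road"},
]
EMPLOYEES = [
    {"emp_id": "E1", "name": "J. Smith", "bank_acct": "99990009", "address": "3 Elm St"},
    {"emp_id": "E2", "name": "P. Jones", "bank_acct": "22220002", "address": "8 Oak Ave"},
]
PAYMENTS = [
    {"pay_id": 1, "vendor_id": "V100", "invoice": "INV-001", "amount": 1250.00,
     "paid": date(2008, 3, 3), "due": date(2008, 3, 30)},
    {"pay_id": 2, "vendor_id": "V300", "invoice": "inv 001", "amount": 1250.00,
     "paid": date(2008, 3, 10), "due": date(2008, 3, 30)},
    {"pay_id": 3, "vendor_id": "V200", "invoice": "INV-777", "amount": 8400.00,
     "paid": date(2008, 4, 1), "due": date(2008, 4, 1)},
    {"pay_id": 4, "vendor_id": "V100", "invoice": "INV-002", "amount": 300.00,
     "paid": date(2008, 4, 28), "due": date(2008, 4, 30)},
]


def normalize(text: str) -> str:
    """Lowercase, drop punctuation/spaces and strip common suffixes (assumed list) so
    near-duplicates such as 'INV-001' / 'inv 001' or '12 Mill Rd' / '12 Mill Road' compare equal."""
    t = re.sub(r"[^a-z0-9]", "", text.lower())
    for suffix in ("inc", "llc", "ltd", "road", "rd", "avenue", "ave", "street", "st"):
        if t.endswith(suffix):
            t = t[: -len(suffix)]
    return t


def find_duplicate_vendors(vendors=VENDORS):
    """Vendor records that share a bank account: the usual root of duplicate payments."""
    by_acct = defaultdict(list)
    for v in vendors:
        by_acct[v["bank_acct"]].append(v["vendor_id"])
    return [sorted(ids) for ids in by_acct.values() if len(ids) > 1]


def find_duplicate_payments(payments=PAYMENTS, vendors=VENDORS):
    """Payments to the same bank account with the same normalized invoice number and amount.
    Keying on the payee account instead of vendor_id catches duplicates split across vendor records."""
    acct_of = {v["vendor_id"]: v["bank_acct"] for v in vendors}
    groups = defaultdict(list)
    for p in payments:
        key = (acct_of[p["vendor_id"]], normalize(p["invoice"]), round(p["amount"], 2))
        groups[key].append(p["pay_id"])
    return [sorted(ids) for ids in groups.values() if len(ids) > 1]


def find_employee_vendor_matches(employees=EMPLOYEES, vendors=VENDORS):
    """Employee/vendor pairs sharing an address or bank account: candidates for related-party review."""
    matches = []
    for e in employees:
        for v in vendors:
            reasons = []
            if normalize(e["address"]) == normalize(v["address"]):
                reasons.append("address")
            if e["bank_acct"] == v["bank_acct"]:
                reasons.append("bank_acct")
            if reasons:
                matches.append((e["emp_id"], v["vendor_id"], tuple(reasons)))
    return matches


def find_early_payments(payments=PAYMENTS, min_days_early=14):
    """Payments released well before the due date: a working-capital leak rather than a fraud indicator."""
    return [p["pay_id"] for p in payments if (p["due"] - p["paid"]).days >= min_days_early]


if __name__ == "__main__":
    print("duplicate vendor records:", find_duplicate_vendors())
    print("duplicate payments:", find_duplicate_payments())
    print("employee/vendor matches:", find_employee_vendor_matches())
    print("early payments:", find_early_payments())
```

Each test returns the record identifiers it flags so that an auditor can pull the underlying documents; the point of keying on the payee bank account rather than the vendor number is that the duplicate-vendor problem and the duplicate-payment problem are usually the same problem seen from two tables.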
Spend Risk Audit - Benefits
Supply Chain Risk: A large Manufacturer developed an inventory contingency plan to maintain production in response to sole sourcing disruption.
Strategic Sourcing: A National Retailer performed an audit that revealed their SGA Spend was significantly higher than their competition. The resulting sourcing initiative resulted in a 3% reduction in SGA Costs.
Working Capital: A School District identified nearly $400K in Annual Cost of Capital Savings by enabling controls to prevent payments prior to due dates.
Financial Leakage: A large Pharmaceutical Firm outsourced Accounts Payable to India, resulting in $12M in duplicate payments during Year 1.
Forensic Review: A Development Company identified a Purchasing Employee who was using her position to assist her husband’s contracting business. Hundreds of thousands of dollars of work was awarded to his firm during her tenure.
Roundtable Discussion Questions
• What experience does your IA function have in conducting a Spend Risk Audit? What was the value? What were some of the lessons learned?
• Is data a roadblock when scoping your audit – both in terms of getting IT Support and having the analysis skills to interpret the data provided?
• Have the recent economic events affected your organization’s focus on costs? Has internal audit been asked to respond to this change in focus?
"It takes twenty years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently."
- Warren Buffett
Information Risks
It is easy to see the increasing compliance and regulatory risks associated with the protection of confidential information, especially personal information.
The true risks, however, are core to every organization’s fundamental business:
• Reputation Risk
• Compliance & Regulatory Risk
• Financial Risk
The Risk Continues to Grow
More than 100 million personally-identifiable, customer records have been breached in the US over the past two years. Most of these breaches occurred at companies that are household names. As a result, boards and top executives are demanding reports from their IT and security staff on the effectiveness of security controls within their organizations.
Forrester: September 2007
Throughout hundreds of investigations over the last four years, one theme emerges as perhaps the most consistent and widespread trend of our entire caseload. Nine out of 10 data breaches involved one of the following:
• A system unknown to the organization (or business group affected)
• A system storing data that the organization did not know existed on that system
• A system that had unknown network connections or accessibility
• A system that had unknown accounts or privileges
We refer to these recurring situations as “unknown unknowns” and they appear to be the Achilles heel in the data protection efforts of every organization—regardless of industry, size, location, or overall security posture.
Verizon 2008 Data Breach Investigation Report
Key Audit Elements – Types of Data
Information Loss Prevention
Confidential Information:
Business Data - confidential or sensitive business-related data that does not relate to individuals (e.g., pricing information, trade secrets, financials, M&A or other strategic plans, etc.);
Personal Data - any data, which is not publicly available, that can uniquely identify a specific individual (customer, employee, etc.); and
Intellectual Property - any intangible asset that consists of human knowledge and ideas, of which the ownership or right to use is legally protected by the company (e.g., copyright, patent, trademark, etc.)
The three states in which confidential information must be considered:
• In Motion: Where is it going?
• At Rest: Where is it stored?
• In Use: How is it used, and by whom?
Key Audit Elements – Regulatory Requirements
US Federal: HIPAA, GLBA, COPPA, Do Not Call
Canada: PIPEDA
California: SB1, SB1386
Argentina: Personal Data Protection Law, Confidentiality of Information Law
European Union: EU Data Protection Directive and Member States Data Protection Laws, Safe Harbor Principles
South Africa: Electronic Communications and Transactions Act
Australia: Federal Privacy Amendment Bill
Hong Kong: Personal Data Privacy Ordinance
Japan: Guidelines for the Protection of Computer Processed Personal Data
UK: Data Protection Act
Brazil: Article 5 of the 1988 Constitution
Key Audit Elements – Information Lifecycle
Confidential information audits are designed to help identify confidential information on your network, determine if adequate controls are in place, identify potential root cause issues and provide recommendations for protecting this information.
(Figure: the Information Lifecycle, Collection, Sharing, Usage, Retention & Storage and Disposal, surrounded by Policy & Awareness.)
IA can perform audits to evaluate compliance to defined policies and standards, including leading industry practices across:
• Business Units
• Departments
• Geographies
Key Audit Elements – Vendor Management Aspects
Headline News (Source: Information Week, Final Edition, October 2007): “Theft Of Gap Laptop Puts 800,000 Job Applicants At Risk”
What really happened – “The laptop was stolen from one of the retailer's third-party vendors that manages information on job applicants.”
Common Vendor Issues
• Companies do not know which third parties have access to, or are provided, confidential information
• Contract language is not put in place to address data protection concerns
• Companies do not assess or enforce data protection controls that third parties should have in place
Audit Tools – Data Leakage Assessments
Your company’s network, like most, is permeable from the inside out (FTP, Email, Webmail, Message Boards, P2P Clients, IM, Chat, Blogging, …).
Would you know if sensitive information were leaking out of your organization?
Would you know if at-risk material were being accessed by your employees?
(Illustration: a message “To: CEO”, “RE: Merger – HIGHLY SENSITIVE”, beginning “Please treat this information…”, passing through Data Leakage Tools on its way out.)
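The kind of check a data leakage tool performs on outbound traffic, as an added example that is not part of the original deck and not any vendor’s product: each constructed message (e-mail, webmail, FTP, IM, the channels the slide lists) is inspected only when its recipient is outside the organization, and is flagged when it carries a classification marker such as the “HIGHLY SENSITIVE” label from the slide, a Social Security Number pattern, or a Luhn-valid card number. The marker strings, the internal domain `example.com` and all five messages are assumptions constructed for the example.

```python
"""Outbound content inspection over constructed messages (added example, not a Protiviti tool)."""
import re

# Classification labels an organization might stamp on sensitive material (assumed list).
MARKERS = ("HIGHLY SENSITIVE", "CONFIDENTIAL", "INTERNAL USE ONLY")
# Assumed set of mail domains treated as inside the organization.
INTERNAL_DOMAINS = {"example.com"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 16 digits, optionally separated by spaces or dashes; Luhn check filters out random digit runs.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

# Constructed sample of outbound traffic across several channels.
MESSAGES = [
    {"id": "m1", "channel": "email", "to": "cfo@example.com",
     "text": "RE: Merger – HIGHLY SENSITIVE. Please treat this information as restricted."},
    {"id": "m2", "channel": "webmail", "to": "me@personal-mail.test",
     "text": "Fwd: Merger – HIGHLY SENSITIVE. Please treat this information as restricted."},
    {"id": "m3", "channel": "email", "to": "recruiter@staffing-vendor.test",
     "text": "Applicant file attached; SSN 123-45-6789 for the background check."},
    {"id": "m4", "channel": "ftp", "to": "upload@partner.test",
     "text": "Order batch 17, card on file 4111 1111 1111 1111."},
    {"id": "m5", "channel": "im", "to": "buddy@chat.test",
     "text": "Ticket ref 1234 5678 9012 3456, call me."},
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for a well-formed card number, false for an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_external(recipient: str) -> bool:
    """Recipient domain outside the assumed internal set means the message leaves the organization."""
    return recipient.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def inspect(message: dict) -> list:
    """Return the findings for one message; internal-to-internal traffic produces none."""
    if not is_external(message["to"]):
        return []
    text = message["text"]
    findings = [f"marker:{m}" for m in MARKERS if m in text.upper()]
    if SSN_RE.search(text):
        findings.append("ssn")
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append("card")
            break
    return findings


def inspect_all(messages=MESSAGES) -> dict:
    """Map message id to its findings for every message that produced at least one."""
    report = {}
    for m in messages:
        found = inspect(m)
        if found:
            report[m["id"]] = found
    return report


if __name__ == "__main__":
    for mid, found in inspect_all().items():
        print(mid, found)
```

The design choice worth noting is that the same marker that is harmless in m1 (addressed to the CFO) becomes a finding in m2 (forwarded to a personal webmail address): content inspection answers the slide’s question only when it is combined with where the data is going, which is why the “In Motion” state on the Types of Data slide asks exactly that.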
Audit Results
An Information Protection Audit can help answer these questions:
• Am I adequately protecting my customer’s and/or employee’s information?
• Are we meeting our regulatory requirements with regards to Data Privacy?
• Where is our biggest risk of a potential data breach?
• Am I prepared in the event that a breach occurs?
• Are our vendors adequately protecting our data?
Roundtable Discussion Questions
• Who owns this risk area in your organization (IT, Legal, Compliance, IA, etc.) and what have been the coordination and ownership challenges?
• Where does your organization stand on the maturity of policy development in these emerging areas?
• How has your IA shop prioritized the various levels of IT Security risk (mobile devices, global networks, personal data, etc.)?
• What tools have you found helpful in conducting audits?
• What skill sets have you found to be critical in conducting these reviews?
What’s e-Discovery?
A process that organizations have to go through when faced with legal or regulatory actions.
Phases of a Lawsuit: Case Assessment and Development → Pleadings and Motions → Discovery and Trial Preparation → Trial and Judgment → Appeals and Enforcement.
Key Takeaways
It’s a Risk that Demands a Response.
• RISK. In a changing legal landscape and regulatory climate, the cost of compliance and the harsh consequences of non-compliance are both growing exponentially.
• DEMANDS. The demands may not be avoidable, but the excessive cost, burden and duration certainly can.
• RESPONSE. Organizations are looking to transform the challenges of ad hoc projects to sustainable processes.
What’s It About?
Getting Risk Management, Controls and Compliance Right.
• Increased risks and scrutiny
• Need for better controls and procedures
• Implementing monitoring and compliance
Understanding the issues around e-Discovery and how management is addressing them.
Who’s Worried?
Senior Executives
“…worry about what effect their compliance systems will have on their companies' future.”
“Almost half said they are concerned that their corporations' failure to effectively archive and manage all their electronic documents could be a critical liability.”
Source: Johnson, Sarah. “Survey: IT Falls Behind on Compliance.” CFO.com: September 18, 2006.
Compliance: What’s Out There?
(Figure: the sources of compliance obligations, Records Retention, Preservation Demand and Third Party (Document Request, Regulatory Request), drawing on Sarbanes Oxley, Patriot Act, EU Data Protection, Gramm Leach Bliley, HIPAA, FRCP, PCI, EPA and OSHA.)
Source: “Out of Control eDiscovery: Attacking the Causes Not the Symptoms”: F. Wu & T. Barnett, June 2006
Compliance: What Else is Out There?
• Health Insurance Portability Accountability Act of 1996 (HIPAA), 42 U.S.C. §1320d-2(d)(2) (Privacy rule and Security rule for health care providers and other Covered Entities)
• Medicare Considerations of Participation
• Freedom of Information Act (FOIA)
• Payment Card Industry Data Security Standard (PCI DSS)
• EU Data Protection Directive (Directive 95/46/EC)
• Universal Market Integrity Rules for Canadian Marketplaces
• Sections 6801 and 6805(b)(2) of the Gramm-Leach-Bliley Act
• Section 552 of the Freedom of Information Act, as amended by Public Law No. 104-231, 110 Stat. 2422
• Section 552(a) of The Privacy Act
• Foreign Corrupt Practices Act
• National Archives and Records Administration, 44 U.S.C. Chapter 21
• Federal Records Act, 44 U.S.C. Chapter 21
• Sarbanes-Oxley Act of 2002, Pub. L. 107-204, 116 Stat. 745 (2002)
• Clinger-Cohen Act
• Disposal of Records, 44 U.S.C. Chapter 33
• Paperwork Reduction Act, 44 U.S.C. Chapter 35
• Uniform Preservation of Business Records Act
• Administrative Procedure Act, 5 U.S.C. Chapter 5
• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act), Public Law 107-56
• Department of Defense 5015.2 Standard – data integrity and confidentiality requirement for records management applications
• Organizational Sentencing Guidelines
• Federal Rules of Evidence
• Federal Rules of Civil Procedure
• Department of Justice Corporate Prosecution Principles
• OSHA
• ERISA
• IRC
• State Records Retention Acts
• California Database Protection Act (1386)
• Electronic Signatures in Global and National Commerce Act (E-SIGN)
FRCP: Who’s Adopting?
State: Date Enacted
Arizona 1.01.08
Connecticut 1.01.06
Idaho 7.01.06
Illinois 1.01.06
Indiana 1.01.08
Iowa 5.01.08
Louisiana 6.25.07
Maryland 1.01.08
Minnesota 7.01.07
Mississippi 5.29.03
Montana 2.28.07
Nebraska 6.18.08
New Hampshire 3.01.07
New Jersey 9.01.06
New York 1.17.06
North Carolina 7.31.06
Texas 1.01.99
Utah 1.01.07
Currently undertaking adoption of FRCP: California, Washington, New Mexico, Kansas, North Dakota, Ohio, Tennessee, Florida, Virginia
What’s the Problem?
Electronically Stored Information (ESI)
“…the discovery of electronically stored information is becoming more time-consuming, burdensome and costly.”
Source: “Summary of the Report of the Judicial Conference Committee on the Rules of Practice and Procedures.” Agenda E-18 (Summary), Rules, September 2005: page 23 (http://www.uscourts.gov/rules/Reports/ST09-2005.pdf)
What Can be Relevant?
Information Lifecycle
Create/Receive → Distribute → Use → Maintain (Retain) → Dispose
Includes:
• official and non-official
• physical and electronic
• active and archived
• online and offline
• onsite and offsite
• internal and external
• local and international
Sources:
• email servers and file servers
• desktops, laptops, peripherals and electronic devices
• structured data – databases, logs, records and transactions
• unstructured data – documents, emails and voicemails
• user created or system generated data
EVERYTHING.
How Much Can It Cost?
20¢ to buy 1 gigabyte of storage, $3,500 to review it.
$2.5 to $4.0 million per year per billion in sales for e-Discovery.
$1.0 million per billion in sales for Sarbanes-Oxley compliance.
Source: AIIM.org June 26, 2008.
Source: Cohasset Associates. “The Eternal Charter: Improving Corporate Governance through Compliance and Assured Records Management.” June 2005.
Where Can It Hurt?
Risks Resulting from Mishandling e-Discovery
• Monetary sanctions
• Threat of criminal penalties
• Obstruction of justice
• Adverse inference and jury instructions
• Shifting of burden of proof
• Disruption to business operations
• Negative impact to reputation
Where It Did Hurt.
Compromised Legal Position
Apple
Amkor Technology
Bristol-Myers Squibb
Boston Communications
Computer Associates
CNET Networks
Comverse Technology
Mercury Interactive
Monster Worldwide
Oracle
Qualcomm
Tenet Healthcare
United Health
Hewlett Packard
HCC Insurance
IBasis
KB Home
KLA-Tencor
Marvell Technologies
McAfee, Inc.
What are the Realities and Trends?
• Cost and Consequences
  • Legal discovery can consume over 50% of litigation budget
  • e-Discovery can devour over 50% of legal discovery budget
  • Increased frequency and amount of fines and sanctions due to mishandled preservation and production of ESI
• Current Landscape (Outsourced e-Discovery)
  • Almost $3B in 2007 growing to $5B by 2011
  • 600+ e-Discovery vendors (Tier I < $70M annual revenues each)
• Trends
  • Hyper-competition and rapid commoditization
  • Integration of maturing tools and technologies
  • Establishing in-house capabilities and capacity
  • Managing the risk exposures and expenses of e-Discovery
Where’s the Roadmap and Compass?
e-Discovery and Records Retention
• Be Prepared for Litigation and Investigations: Evaluate key elements of a litigation readiness program in anticipation of, or response to, lawsuits, regulatory actions and other business disputes.
• Operationalize Records Retention Program: Update records retention policy, and develop a practical plan to implement sustainable practices.
• Appropriately Dispose of Unnecessary Records: Create a plan to dispose of records no longer needed for the proper functioning of the company, thereby driving operational efficiencies and reducing costs.
What Do We See?
Observations across Policies, Practices, People, Reports, Approach and Technology:
Policies
• Undocumented or vague policies, focused on paper
• Limited resources & management support
• No limits or enforcements
Practices and People
• No formal processes or controls
• Mostly manual processes
• Limited or no monitoring or auditing
• Few stable processes
• Reactionary, ad hoc response
• Just do it
• Reliance on key people and individual heroics
• Firefighting, crisis management
• Informal records management structure
• Coordination is challenging
• Weak accountability
Reports
• Sporadic, ad hoc
• Informal
• Incomplete
• Inconsistent
• Untimely/Inaccurate
Approach
• Rough measures
• Over-simplification
• Limited or no prioritization
• May miss key characteristics
Technology
• Spreadsheets
• Unstable
• Unscalable
• Patches and point solutions
• Ad hoc data search and retrieval
What’s Internal Audit’s Role?
Adding Value.
(Figure: check marks against each dimension, Processes, People, Reports, Policies, Approach and Technology.)
“Bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
Source: The IIA Research Foundation. The Professional Practices Framework. March 2007
What Are Companies Doing?
“High Value Audit”: Records Retention and e-Discovery
• Evaluate:
  • Risk profiles (“Hot Spots” and “Blind Spots”)
  • Policies related to records and ESI
  • Practices compared to policies (records retention & e-Discovery)
  • IT infrastructure (legacy, existing and planned)
• Address:
  • Litigation readiness and effectiveness
  • Ability to operationalize record retention program
  • Proper disposition of outdated and unnecessary records
• Findings and Recommendations
What’s Important?
Getting Risk Management, Controls and Compliance Right.
• Good Faith Efforts
• Reasonable Practices
• Defensible Processes
• Significant Cost Savings from Practical Solutions
(Figure: check marks against each dimension, Processes, People, Reports, Policies, Approach and Technology.)
Roundtable Discussion Questions
• Who owns this risk area in your organization (IT, Legal, Compliance, IA, etc.) and what have been the coordination and ownership challenges?
• Has your organization inventoried all the applicable regulations in this area?
• Has this area surfaced on your risk assessment and what level of prioritization has it taken on?
• What lessons learned or roadblocks have you encountered in auditing this area?