Title : Compliance Management Tool
Subtitle : Meet compliance obligations, improve business processes, and enhance enterprise value
Date : June 30, 2005
Name : Bierhoff
First name : Jan Joost
Student number : 1179578
Address : Nachtwachtlaan 315
Zip code : 1058 EL
City : Amsterdam
University : Groningen University
Program : Msc Industrial Engineering and Management Science
Period : January 01, 2005 – June 30, 2005.
Supervisors : dr. T.W. de Boer
dr. ir. F.W. Melissen
Company : Deloitte Accountants B.V.
Service Line : Enterprise Risk Services
Supervisors : R.M. Amato CMA CPA CISA
drs. J. Mammen CISA
Preface
I wrote this thesis during the final period of my Master of Science in Industrial Engineering and Management Science at Groningen University. It aims to the realization of the
specification of a Compliance Management Tool, so Deloitte can respond to the need of its clients.
I really enjoyed my internship at Deloitte’s Enterprise Risk Services. It is a healthy, dynamic, relatively small, but important part of the Deloitte organization. The colleagues were very friendly, cooperative and willing to help with the realization of this thesis.
This thesis is not only the result of my internship at Deloitte, but also the end of my study at Groningen University. I am sure that the future will contain a lot of flashbacks to this fantastic, but also important period in my life. I shall miss Groningen, but for now I cannot wait to join the team of professionals of Deloitte.
Acknowledgements
This thesis has integrated ideas and hard work from many people to whom I am grateful. The reviewers and interviewees made an especially important contribution. They praised many parts, were critical of things that did not work well, and offered valuable suggestions. I would like to express my special thanks to drs. J. Mammen CISA and R.M. Amato CMA, CPA, CISA of Deloitte’s Enterprise Risk Services and dr. T.W. de Boer and dr. ir. F.W. Melissen of Groningen University, for their continuous and qualitative support and supervision during this final project.
Among my professional colleagues, I am grateful to my friends and colleagues at Deloitte’s Enterprise Risk Services – Silvia van Brummelen, Jelger Groenland, Anita Jharap, Martijn Knuiman, Patrick Koen, Jan Sneekes, Annemieke Stoffelsen, and Xiang Tjoa – for their intellectual stimulation and feedback. I also owe a special debt to K.J. Vos, the personification of Google, for providing time and resources for me to stay current on relevance literature.
Dr. H. Broekhuis, dr. C.A. Huijgen, dr. E.P. Jansen, drs. A.J. Kerkhof, drs. P.J. Lont, and drs.
A. Smeenge of Groningen University, ir. A.A.M. Vermeulen of Eindhoven University, and mr. dr. H.J. Mouthaan RA of Leiden University for topic-related discussions and provision of useful information.
Drs. P.C. van Batenburg, ir. T. de Boer RE CISA, ir. H.D.A. Braam, W.T. Eysink RA, L.M.
van Hoof RE CISA, drs. A.J.H.M. Lucassen RE, drs. E.R. Mekel RA, J.G.A van der Kaaij RE RA, ir. A. Niesen RE CISA, ing. E.J. Oud CISA, drs. D.M. Wieringa RE, drs. M. van Zwam RE CISA CPIM of Deloitte’s Enterprise Risk Services for being an interviewee during my research. I really appreciated their willingness and availability.
Furthermore, I would like to thank everybody below that cooperated for the sake of this study.
Drs. ing. F.M. Ackermann, drs. M.C.J. Bot, B.E. Brand, drs. C. de Bruijn, I. Buitelaar, A.
Demneri MBA, C.C. ten Duis, R.A.R. Hellsloten, drs. O. Helmond, drs. M. Helmus, drs. R.
Hoekman, drs. M.P. Kahlmann, drs. N. la Verge, drs. N.J. Lee CISA, drs. RGM de Leeuw, B.J. Muntinga, drs. C.B. Nguyen, G.F. Sanchez, E. Stoelhorst, M.V. van Tongeren-van Ofwegen, drs. C.B. van de Vorle, P. Veldhuizen, drs. ing. I. de Vries, drs. P. Weel, G.M.
Werlemann, and drs. T.I.A. de Windt of Deloitte’s Enterprise Risk Services.
Of course, this thesis took shape through the specific contribution of my parents, Jan Bierhoff and Liesbeth Bouwmeester and a few friends. I am grateful to Erkan Bayar, Frank Herruer, David Muller, Tjalling Maurits Baron thoe Schwartzenberg en Hohenlandsberg, and Loek van Winden for all the quick dinners, deep discussions and late-night whisky’s.
Finally, I want to acknowledge the love and contributions of my girlfriend, Geeske Smid.
Jan Joost Bierhoff
Amstelveen, 23 August 2005.
Summary
Over the past few years, cases of miserable failure in corporate governance have shocked the financial world. This created a wave of regulations, the most significant being the Sarbanes- Oxley Act of 2002. Facing increased compliance obligations, organizations are seeking a formalized approach to managing enterprise risk and compliance. At present, the companies generally accept none of the offered Compliance Management applications. Instead of just comply with the requirements, Deloitte encourage their clients to treat compliance as a catalyst to improve business processes and enhance enterprise value.
Deloitte’s Enterprise Risk Services provides professional services and advice to many of the world’s largest companies. Enterprise Risk Services has to respond to the latent need of a comprehensive Compliance Management Tool by its clients. In doing so, the aim of this research is:
the realization of the specification of a Compliance Management Tool so Deloitte can respond to the latent need of its clients.
In this thesis Compliance Management is defined as:
the process that organizes activities to meet the set of compliance requirements, which are demanded by all stakeholders, improve business processes and enhance enterprise value.
The thesis starts with the explanation of Internal Control and Risk Management, the current way Deloitte deals with risks and uncertainties. This chapter discusses the activities, tools, and methods, which Deloitte is using.
The next chapter discusses the questions about Compliance and Compliance Management; it will also deal with the history of Compliance Management. This chapter concludes:
• Compliance Management should be an ongoing process embedded in the organization with a defined strategy for dealing with future requirements.
• the scope of compliance is now defined more broad and requires a more comprehensive and structured approach to manage compliance
Assuming that organizations are dealing with several compliance requirements due to a few events and scandals, it might be necessary to look at the typical compliance requirements.
Chapter 4 will discuss these requirements and the possible enterprise value that might be possible to create. In doing so it concludes:
• In order to leverage the compliance effort, and create value, stakeholders requirements should be taken into account and where possible use compliance activities and gathered information to eliminate or reduce possible occurrence of ‘Value Killers’.
• Organization need to use technology in order to have more timely and accurate information regarding controls performance; corroborated data regarding financial reporting and the underlying controls, and overall improved oversight for management and the board.
Quality Management is used to meet a great part of organizational requirements. Chapter 5 will explain this management approach. The explanation of this management approach will consist of Total Quality Management and Six Sigma.
This thesis concludes the following:
• Quality Management, as a point of reference when implementing Compliance
Management, gives extra possibilities to create a more suitable, comprehensive, sustaining management approach, for dealing with the broad range of compliance requirements and in the mean time support improvement to business processes and the enhancement of enterprise value.
• Seven elements of Quality Management are identified to complete the list of specifications for the Compliance Management Tool.
Chapter 6 deals with the possible impact of current technology on today’s business. This chapter also shows the possible benefits of new technology. Chapter 7 will contain an example of the specification of the Compliance Management Tool.
From these chapters this thesis concludes the following:
• Information technology has evolved to a more complex system for managerial decision- making and control of the organization.
• In this chapter many opportunities of information technology have been identified. These opportunities can be of great importance to an organization faced with increasing
compliance obligations.
• New technology developments should be closely monitored, which can have a positive impact to the implementation of Compliance Management.
Table 1 is the summarization of Appendix G. The Compliance Management Tool should at least contain these 15 specifications mentioned below:
! "
#
#
# $ %
&'()
*
+ ,- *.#/ 0 1
#
# , $ %
$
$
Table 1: Specification Compliance Management Tool
Table of content
Preface ... 3
Acknowledgements... 3
Summary ... 5
Table of figures... 10
1 Introduction ... 11
1.1 Background ... 11
1.2 Problem definition... 11
1.2.1 Aim of this research ... 12
1.2.2 Research topics... 13
1.2.3 Scope ... 13
1.3 Definitions, Abbreviations, and Acronyms... 13
1.4 Overview chapters... 15
1.5 Research approach... 16
1.5.1 Planning... 17
1.5.2 Design process... 17
2 Internal Control and Risk Management... 19
2.1 Introduction ... 19
2.2 Definitions... 19
2.3 COSO ... 20
2.4 Internal Control ... 22
2.4.1 Scope and Plan the project ... 22
2.4.2 Assess and Define ... 22
2.4.3 Identify and Document Controls ... 23
2.4.4 Perform Tests and Remediate... 23
2.4.5 Monitor, Certify and Assert ... 23
2.5 Risk Management... 24
2.5.1 Identify Risks ... 24
2.5.2 Prioritize Risks ... 24
2.5.3 Analyze Root Causes ... 26
2.5.4 Develop Risk Strategies ... 26
2.5.5 Implement and Monitor... 27
2.6 Techniques and methods ... 27
2.7 RACK and Design Library... 28
2.8 Conclusions ... 29
3 Compliance Management... 30
3.1 Introduction ... 30
3.2 Definitions of Compliance Management ... 30
3.3 History of Compliance Management ... 30
3.3.1 Introduction ... 30
3.3.2 Historical facts... 31
3.4 Compliance Management in the 21st century... 32
3.5 Conclusions Compliance Management... 34
4 Compliance requirements... 35
4.1 Introduction ... 35
4.2 Stakeholder requirements... 35
4.3 How Compliance Management can create value ... 37
4.4 Information Management Requirements... 38
4.5 Conclusions of compliance requirements ... 38
5 Quality Management... 40
5.1 Introduction ... 40
5.2 Definitions of Quality Management... 40
5.2.1 Definitions of Total Quality Management ... 40
5.2.2 Definitions of Six Sigma ... 40
5.3 Six Steps to Process Improvement ... 41
5.4 Pitfalls and opportunities... 43
5.4.1 The time is right ... 43
5.4.2 The enthusiastic commitment of top management is essential ... 43
5.4.3 Develop an infrastructure ... 44
5.4.4 Invest in relevant hands-on training ... 44
5.4.5 Make all pervasive, and involve everybody... 44
5.4.6 Focus on the entire system ... 44
5.4.7 Customize to meet business needs ... 44
5.4.8 Plan to get the right data... 44
5.4.9 Keep the toolbox vital ... 44
5.5 Properties of Quality Management ... 45
5.6 Conclusions of Quality Management... 45
6 Impact of Technology... 47
6.1 Introduction ... 47
6.2 Definitions... 47
6.3 Evolution of organizational applications... 48
6.4 Benefits of Current Technology... 49
6.4.1 Communication ... 49
6.4.2 Visual technologies ... 49
6.4.3 Collaborative technologies... 50
6.4.4 Personalization ... 50
6.4.5 Security... 50
6.4.6 Content Management ... 51
6.4.7 Business Process Management... 51
6.4.8 Business Intelligence... 52
6.4.9 Enterprise Resource Planning ... 52
6.4.10 Portals... 53
6.4.11 Archiving... 53
6.5 Conclusion... 54
7 Specification Compliance Management Tool ... 55
7.1 Tier 1: Presentation ... 55
7.2 Tier 2: Web Services ... 55
7.3 Tier 3: Business Logic... 56
7.4 Tier 4: Data Services ... 57
Conclusion... 58
Recommendations ... 61
References ... 63
Appendix A: Legislative requirements... 70
Appendix B: Compliance Management Tools ... 74
Appendix C: Deloitte... 79
Appendix D: Interview techniques ... 83
Appendix E: Interview... 85
Appendix F: Methods and tools ... 86
Appendix G: Requirements Compliance Management Tool ... 90
Table of figures
Figure 1: Data Management & Information Accuracy ... 14
Figure 3: Internal control – integrated framework ... 20
Figure 4: Deloitte's 5 Phase Approach to Internal Control ... 22
Figure 5: Example of a Risk Map... 25
Figure 6: Control Map... 26
Figure 7: Example of a Sourcing Mind Map ... 26
Figure 8: Evolution of organizational applications (Daft 2004:287) ... 48
Figure 9: Compliance Management Tool architecture... 56
Figure 10: Company X and legislative requirements ... 70
Table 1: Specification Compliance Management Tool ... 6
Table 2: Planning internship... 17
Table 3: Example of a Risk Register ... 24
Table 4: Properties Compliance Management ... 35
Table 5: Stakeholder requirements (based on Daft 2003:23)... 36
Table 6: Value Killers (based on Deloitte 2005f:12)... 36
Table 7: Requirements of the Compliance Management Tool ... 39
Table 8: Process Improvement Model (Tenner 1992:110) ... 41
Table 9: Properties Quality Management... 45
Table 10: Identified elements of Quality Management... 46
Table 11: Aids in decision making (based on Turban 2001: 22)... 48
Table 12: Link between technology and Compliance Management... 54
Table 13: Specification Compliance Management Tool ... 60
Table 14: MarketScope: Compliance Management (based on Gartner 2004:6)... 74
1 Introduction 1.1 Background
Over the past few years, cases of failure in corporate governance have shocked the financial world. Enron and WorldCom are just two examples of how a few people in a position of power can cause unprecedented damage to hundreds of thousands of people, including investors, employees, and retirees. Lessons thus learned created a wave of regulations, the most significant being the Sarbanes-Oxley Act of 2002 1, the first major overhaul in this area of regulations since the Security Exchange Act of 1934 2 (Raval 2004:1).
Facing increased compliance obligations, a dynamic business and IT environment,
fragmented risk and compliance projects, and exposure to criminal liability, organizations are seeking a formalized approach to managing enterprise risk and compliance. One of the
questions most frequently asked by clients is: How do we know if we are meeting compliance requirements? (Forrester 2004a:1). This section of a Forrester article expresses clearly the issues that organizations are dealing with. Increasing demands for corporate governance force companies to review their enterprise compliance issues.
According to Gartner (2004:1), several software vendors are taking advantage of this developing search of companies to meet compliance requirements. Most vendors focus on solutions that are relevant to a particular problem that illuminates when stringent internal controls put into effect — for example, security, change management and configuration management solutions to help establish effective internal controls for IT. At present, the companies generally do not accept any of the offered Compliance Management applications (Gartner 2004:15). Most of the offerings are narrow in scope or new and unproven (Giga Research 2003:1).
1.2 Problem definition
This thesis assumes that organizations are dealing with compliance requirements. The pressure in satisfying regulators is coming from many fronts. In fact, it is not about meeting one set of requirements but a whole mixture of requirements imposed on the organization from different angles.
The scope of these requirements include mandates to protect information, provide for the privacy of individuals, safeguard against geopolitical and terrorist threats, share information with government, establish governance to verify financial integrity, and increase industry oversight. Additionally, organizations face the ongoing pressures of business integrity, protection of intellectual property, and providing a level of business practices to show due diligence protection against criminal and civil liability (Forrester 2004b:2).
1 The primary focus of the Sarbanes-Oxley Act is to assure accuracy and accountability of financial accounting and records retention of publicly traded companies in the United States.
2 The primary focus of this act is to ensure that parties who trade securities – exchanges, brokers and dealers – act in the best interests of investors.
Rodek states (2004:1) that many CEO’s 3 speak of compliance as something that happens separately from and takes away from running a sound and profitable business (in other words
“How – for example – Sarbanes-Oxley is going to suck the life out of your company.”).
Deloitte sees perspectives changing from a compliance focus (Sarbanes-Oxley as added cost of doing business) to an opportunity focus (Sarbanes-Oxley as an opportunity for
improvement); an opportunity to improve transparency, reliability, timeliness, and accuracy of financial information (Deloitte 2005a:17) and information on other business processes.
Deloitte assumes CEO’s are in need of this information, because they need evidence for all compliance issues. According to Eysink (Management Scope 2005: 8) ‘show-me-methods’
are not enough, the ‘prove-me-methods’ are demanded by the authorities.
Instead of just complying with the requirements, Deloitte encourages their clients to treat compliance as a catalyst to improve business processes and enhance enterprise value.
Collected information for compliance requirement has to be put in context for this improvement and enhancement.
Deloitte's Enterprise Risk Services practice is a global leader in helping clients manages risk and uncertainty, from the boardroom to the network. Enterprise Risk Services provides a broad array of services that allows clients around the world to better measure, manage, and control risk to enhance the reliability of systems and processes throughout the enterprise i. To continue helping the clients prepare for the compliance requirements, Deloitte is looking for tools and activities to support their practices.
According to Gartner (2004:15), there is no such tool generally accepted by the companies, but most publicly traded companies need applications that can provide, at a minimum, a clear status of internal controls at a given time, the ability to assess the causes of specific problems, and the ability to track testing and remediation.
No one seems to disagree with the statement that the costs of SOX (Sarbanes-Oxley Act) compliance will be significant and the external costs will raise substantially in the coming years. Whereas the legal needs take away the stress of justifying the outlays, it is important to see that the opportunity to make changes seized in making the most in terms of process streamlining, restructuring, improving efficiency, and enhancing productivity. Perhaps the incremental costs of additional benefits (beyond just compliance) might be marginal compared to the minimum costs of a compliance solution (Raval 2004:19).
1.2.1 Aim of this research
Deloitte’s Enterprise Risk Services provides professional services and advice to many of the world’s largest companies. Enterprise Risk Services has to respond to various request of their clients in the area of comprehensive Compliance Management software. In doing so, the aim of this research is
3 Chief Executive Officer, often also the chairman of the board, and sometimes the president. The CEO oversees the company's finances and strategic planning.
the realization of the specification of a Compliance Management Tool so Deloitte can respond to the latent need of its clients.
1.2.2 Research topics
The section background (§1.1) gives a rough sketch of subjects that will be discussed during this research. Together with the elaboration of some other subjects, this thesis tries to meet the aim of this research. The thesis discusses following subjects:
1. Internal Control and Risk Management to give an overview of current activities, tools and best practices for dealing with compliance issues.
2. Compliance Management to discuss Compliance Management and the belonging properties.
3. History of Compliance Management to show the evolution of Compliance Management and to take a look a Compliance Management during this century.
4. Compliance requirements to show the range of stakeholders and their requirements.
5. Quality Management to compare this management approach with the activities of Internal Control and Risk Management, and to compare it with the properties of Compliance Management.
6. Current Technology to show the evolution of organizational applications and the possibilities of current IT for Compliance Management.
7. Specification of a Compliance Management Tool to meet the aim of this thesis.
1.2.3 Scope
The scope of this study is as follow:
• The research period is six months.
• I wrote this thesis during the final period of my Master of Science in Industrial
Engineering and Management Science at Groningen University under authority of two supervisors of Deloitte Accountants B.V., and two supervisors of Groningen University.
• Deloitte’s Enterprise Risk Services gave the opportunity to interview several partners and senior managers. Deloitte’s professionals are familiar with issues due to financial and legislative requirements, interviewing the respondents gave extra information on this topic.
• The combination of Total Quality Management and Six Sigma in this thesis, will be called Quality Management.
• Because of the time constraint, I confined the comparison of Compliance Management to one management approach, Quality Management.
• Because of the time constraint, the synthesis of this thesis generates only one solution.
• The specification of the Compliance Management Tool is only one possible specification.
It might not be the best possible specification or an incomplete specification.
1.3 Definitions, Abbreviations, and Acronyms
Data is items about things, events, activities, and transactions that are recorded, classified, and stored but are not organized to convey any specific meaning (Turban 2001:131).
Information is organized data so that they have meaning for the recipient (Turban 2001:131).
Information is linked data with other data and converted into a useful context for specific use (Daft 2004:297).
Knowledge consists of data items and/or information organized and processed to convey understanding, experience, accumulated learning, and expertise as they apply to a current problem or activity (Turban 2001:131).
Figure 1: Data Management & Information Accuracy
Stakeholder is any group within or outside of the organization that has a stake in the organization’s performance.
Design requirements a condition or capability needed by the (external) stakeholder to solve a problem or achieve an objective.
Specification a list that specifies the requirements, design, behavior, or other characteristics of a system or a component.
Enterprise Value is a measure of what the market believes a company’s ongoing operations are worth ii.
Risk is an event or condition that affects the ability to achieve company objectives (Demneri 2005:1). In other words according to COSO 4 (2004:16) is “Risk is the possibility that an event will occur and adversely affect the achievement of objectives.”
Quality is the conformance to requirements (Crosby 1979:167).
COSO: Committee of Sponsoring Organizations of the Treadway Commission CM: Compliance Management
DMAIC: Define, Measure, Analyze, Improve, Control. Incremental process improvement using Six Sigma methodology
ERS: Enterprise Risk Services IC: Internal Control
QM: Quality Management RM: Risk Management
SEC: Security Exchange Commission TQM: Total Quality Management
6 : Six Sigma
4 Committee of Sponsoring Organizations of the Treadway Commission
1.4 Overview chapters
The thesis starts with the explanation of Internal Control and Risk Management, the current way Deloitte deals with risks and uncertainties. This chapter discusses the activities, tools, and methods, which Deloitte is using.
The next chapter discusses the questions about Compliance and Compliance Management; it will also deal with the history of Compliance Management.
Assuming that organizations are dealing with several compliance requirements due to a few events and scandals, it might be necessary to look at the typical compliance requirements.
Chapter 4 will discuss these requirements and the possible enterprise value that might be possible to create.
Quality Management is used to meet a great part of organizational requirements. Chapter 5 will explain this management approach. The explanation of this management approach will consist of Total Quality Management and Six Sigma.
Chapter 6 deals with the possible impact of current technology on today’s business. This chapter also shows the possible benefits of new technology. Chapter 7 will contain the specification of the Compliance Management Tool followed by the conclusion.
Recommendations about corresponding methods and techniques of this tool follow this chapter. It also contains recommendations concerning Compliance Management in general.
A few events described in the history of Compliance Management led to the development of several legislative requirements. Chapter 3 discusses these legislative requirements,
organizations dealt with over the past centuries. In succession, Appendix A gives an enumerative description of several legislative requirements.
As long organizations are searching for applications to meet compliance requirements several vendors are taking advantage of this tendency. Appendix B contains a summary of different applications available now. Properties, possibilities, and pitfalls of these applications might be interesting for the realization of the specification of a Compliance Management Tool.
In Appendix C, an overview of Deloitte Touche Tohmatsu, Deloitte Netherlands, and ERS and its activities will be given, this for the readers understanding of the activities of ERS.
Appendix D and E contain all information about interview techniques and interview questions.
The set of tools, techniques and methods used by Internal Control and Risk Management are discussed in Appendix F.
Appendix G is the summarization of Appendix . The Compliance Management Tool should at least contain these 15 specifications mentioned below:
1.5 Research approach
People have always designed things. One of the most basic characteristics of human beings is that they make a wide range of tools […] to suit their own purpose (Cross 1994:1).
It does not matter how the designer works, as long he or she produces that final description of the proposed artifact. When a client asks a designer for ‘a design’, that is what they want – the description. The focus of all design activities is that end-point (Cross 1994:2).
At the start of the design process, the designer is usually faced with a very poorly defined problem; yet he or she has to come up with a well-defined solution. The designer’s difficulties are therefore two-fold: understanding the problem and finding a solution (Cross 1994:8).
Design problems normally originate as some form of problem statement provided to the designer by someone else – the client or the company management. These problem statements are normally called a design ‘brief’ – can vary widely in their form and content (Cross
1994:9).
Deloitte’s Enterprise Risk Services provides professional services and advice to many of the world’s largest companies. Enterprise Risk Services has to respond to the latent need of a comprehensive Compliance Management Tool by its clients. In doing so, the aim of this research is the realization of the specification of a Compliance Management Tool.
Archer’s model of the design process includes interactions with the world outside of the design process itself, such as inputs from the client, the designer’s training and experience, other sources of information, etc. The output is, of course, the communication of a specific solution. These various inputs and outputs are shown external to the design process in the flow diagram, which also features many feedback loops. Within the design process, Archer identified six types of activity:
1. Programming: establish crucial issues; propose a course of action.
2. Data collection: collect, classify and store data.
3. Analysis: identify sub-problems;
prepare performance (or design) specification; reappraise
proposed program and estimate.
4. Synthesis: prepare outline design proposal(s).
5. Development: develop
prototype design(s); prepare and execute validation studies.
6. Communication: prepare manufacturing documentation.
This thesis will cover the first four phases partially.
Solution
Programming Experience
Data collection
Analysis
Synthesis
Development Brief
Training
Communication
Figure 2: Activities of the design process
1.5.1 Planning
The planning of this thesis is in table 2. This planning represents the time spent on programming, data collection, analysis and synthesis.
! " # $ % # & "#% # # ' # $%
( # )'
*# #
! ) ) ' ) )
Table 2: Planning internship
1.5.2 Design process
As mentioned above, this thesis will cover the first four phases, from the problem definition in the programming-phase to the specification of one possible solution in the synthesis-phase.
1.5.2.1 Programming
In this phase, the background of the problem will be explored. I did research on Deloitte, Deloitte’s ERS, the latent need of the clients of Deloitte, and on the requirements in the context of this research. Desk research and interviews are done to several legislations, laws, and requirements.
The problem definition and belonging research questions are composed by desk research and interviewing my supervisors and several other interviewees.
1.5.2.2 Data collection
Compliancy, Compliance Management, and the belonging process are new subjects. Wisker (2001:120) explains that exploratory research is commonly used when new knowledge is sought. Extensive gathering of information is done to perform a sound primary study to answer the research questions. This gathering contains:
a. literature review (January 2005 – April 2005).
b. single survey (January 2005 – February 2005).
By doing a proper literature review it is possible to answer several sub questions stated in the introduction chapter. The reasons for literature reviews are twofold. You need to read yourself into the field of study in order to gauge where your ideas fit, what can inform them, what others think and have discovered, and to define where/in what ways your area of questioning, your research and your findings could contribute to existing knowledge (Wisker 2003:127).
Articles of research institutes (Gartner, Forrester), literature from several libraries of
Groningen University, and different articles, flyers and other resources will be the sources of this literature review.
Literature review are done for several topics that are used in this thesis:
1. activities of ERS and the possible benefits/pitfalls of those activities;
2. several requirements and the possible benefits/pitfalls of those requirements;
3. quality Management, and specifically on Six Sigma and Total Quality Management;
4. impact of technology and the possible benefits/pitfalls of technology.
A single survey has been set up for gathering information of the professionals inside of ERS.
Literature (in either its paper or its electronic form) is not the only way to find about the topic area in a particular subject. Indeed, probably the quickest way to find ‘where things are at’ is to ask someone ‘in the know’ (Wisker 2003: 124).
A survey has been set up for interviewing the several persons ‘in the know’. To read more about the survey, and the points of particular interests during an interview, please look at Appendix D and E.
1.5.2.3 Analysis
The first four chapters identify the sub-problems. The conclusion of chapter 4 will finish with a table filled with several requirements of the Compliance Management Tool.
Listing of all design requirements and the reduction of these to a complete set of logically related performance specification (Cross 1994:24) is done during chapter 5, 6, and 7.
1.5.2.4 Synthesis
Chapter 7 will contain a possible solution for each individual performance specification. The building up of the complete design (Cross 1994:24) is reduced to the specification of a possible Compliance Management Tool.
The set of solutions brought up by chapter 7 is just one of the possibilities of solutions. It might not be the best set or even a incomprehensive set. It was not possible to explore more sets due to the time constraint of this internship.
i http://www.deloitte.com/dtt/section_node/0,1042,sid%253D3489,00.html
ii http://www.investorwords.com
2 Internal Control and Risk Management 2.1 Introduction
Recent business scandals have found executives testifying that they were “unaware” of dubious activities – off-the-book partnerships, improper revenue recognition, etc. – carried on by their companies. Sarbanes-Oxley aims to discourage such claims through a number of measures that will strengthen internal checks and balances and enhance accountability. Most notably, Sarbanes-Oxley focuses heavily on the critical role of “internal control.”
It makes CEO’s and CFO’s explicitly responsible for establishing, evaluating, and monitoring the effectiveness of internal control over financial reporting and disclosure (Deloitte &
Touche 2003b:3).
According to Deloitte, in the introduction of this thesis, executives should see Sarbanes-Oxley as an opportunity to improve transparency, reliability, timeliness, and accuracy of
management information, instead of an extra threat for the company’s continuity. This is the information that creates ‘situational awareness’, which is not only used to avoid new scandals and to comply with several requirements, but can also be used to improve business processes and enhance enterprise value.
To meet Sarbanes-Oxley’s obligations, organizations generally use a control framework. The most widely accepted framework is the COSO framework (§2.3) for internal controls and operational risk management. The Public Company Accounting Oversight Board, in response to the Sarbanes-Oxley Act, has promoted but not endorsed COSO as an example of a
framework to use for compliance. The adoption of a control framework simplifies
communication and validation of controls with regulators, auditors, and business partners (Forrester 2004b:10).
Section §2.4 gives an overview of the Internal Control process to illustrates how ERS is helping their clients to meet compliance obligations. Besides Internal Control, the first chapter of this thesis describes ERS as a global leader in helping clients manage risk and uncertainty.
§1.3 defines risk as an event or condition that influences the ability to achieve company objectives. In this thesis, the organization’s objective is to deal with compliance requirements of an organization. Therefore, the methods and tools used by Risk Management (§2.5) might also be useful to meet other requirements organizations are dealing with. §2.6 gives an overview of used methods and techniques to support Internal Control and Risk Management.
2.2 Definitions
Demneri (2005:1) defines Risk Management as a structured, documented way of dealing with risks across the company in order to achieve its overall objectives. According to the website of the Committee of Sponsoring Organizations of the Treadway Commission Internal Control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
1. effectiveness and efficiency of operations;
2. reliability of financial reporting;
3. compliance with applicable laws and regulations.
2.3 COSO
iThe formalized approach to internal control and risk management has resulted in the
development of several frameworks. These frameworks are used to implement internal control and risk management within organizations (Murk 2004:25). The COSO framework will be discussed to give the reader a better feeling on what can be expected of such a framework.
The Committee of Sponsoring Organizations (COSO) of the Treadway commission was originally formed in 1985 in the US to sponsor the National Commission on Fraudulent Financial Reporting. This is an independent private sector initiative, which studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions. COSO is dedicated to improve the quality of financial reporting through business ethics, effective internal controls and corporate governance.
COSO is considered the ‘de facto’ standard in the world nowadays, for the goal mentioned above. The Public Company Accounting Oversight Board (2004) refers to this as follows:
Management is required to base its assessment of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework established by a body of experts that followed due-process procedures to develop the framework. In the United States, the Committee of Sponsoring Organizations
("COSO") of the Treadway Commission has published Internal Control Integrated Framework. COSO's publication (also referred to simply as COSO) provides a suitable framework for purposes of management's assessment.
The internal-control-integrated-framework consists of five components: Monitoring, Information & Communication, Control Activities, Risk Assessment and Control
Environment. These five component are/must be designed to ensure the three internal control areas mentioned earlier. Additionally, COSO recognizes that these components can be active at different organizational levels. COSO internal-control-integrated-framework is depicted in figure 3 below. Thereupon the five components will be explained briefly to get a grip on their specific meaning and goal.
Figure 3: Internal control – integrated framework
Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors.
Risk Assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.
Control Activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
Information and Communication: Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities.
Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but also information about external events, activities and conditions necessary to informed business decision-making and external reporting. Effective
communication also must occur in a broader sense, flowing down, across and up the
organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders.
Monitoring: Internal control systems need to be monitored by a process that assesses the quality of the system's performance over time. This is accomplished through ongoing
monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.
There is synergy and linkage among these components, forming an integrated system that reacts dynamically to changing conditions. The internal control system is intertwined with the entity's operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity's infrastructure and are a part of the
essence of the enterprise. ‘Built in’ controls support quality and empowerment initiatives, avoid unnecessary costs and enable quick response to changing conditions.
There is a direct relationship between the three categories of objectives, which are what an entity strives to achieve, and components, which represent what is needed to achieve the objectives. All components are relevant to each objective category. When looking at any one category – the effectiveness and efficiency of operations, for instance – all five components must be present and functioning effectively to conclude that internal control over operations is effective.
The internal control definition – with its underlying fundamental concepts of a process, effected by people, providing reasonable assurance – together with the categorization of objectives and the components and criteria for effectiveness, and the associated discussions, constitute this internal control framework.
2.4 Internal Control
Now that the various components of internal control have been discussed, this section turns the attention to considering these components when obtaining an understanding of internal control and assessing control risk. In practice, the procedures used to gain an understanding of internal control and assess control risk vary considerably from client to client. Deloitte uses a five-phase approach for Internal Control.
Figure 4: Deloitte's 5 Phase Approach to Internal Control
2.4.1 Scope and Plan the project 1. Conduct readiness survey.
2. Understand client’s business and operations.
3. Assist in performing internal control framework (COSO) assessment.
4. Assist in performing internal control reliability model assessment.
5. Assist in performing internal control process thread scope and approach (materiality, processes, locations).
2.4.2 Assess and Define Entity Level Risk Assessment
1. Evaluate existing risk assessment process.
2. Identify entity level risk related to financial reporting (includes business process, IT, disclosures, fraud).
3. Develop on-going risk assessment process Process Level Risk Assessment
4. Perform mapping of key accounts/processes/systems 5. Define process level objectives.
6. Identify process level risks to achieving control objectives.
+ +
*
* '' **## ,,
) ))) ))))++
!
!
(
(-- ++
!
! %%
## ))
*
* ## ## )))) +
+.. --
#
#// ## + + )))) ##
2.4.3 Identify and Document Controls Control Activities Identification and Documentation
1. Document and map existing significant control activities to control objectives and process level risks to identify design deficiencies.
Forensic Audit
2. Identify scope and process owners for forensic audit.
3. Define forensic audit techniques/procedures and perform.
Process Improvement
4. Conduct analysis and determine opportunities.
5. Develop recommendations and implementation plan.
6. Execute and monitor implementation of process improvements 2.4.4 Perform Tests and Remediate
Control Activities Testing and Deficiency Remediation 1. Perform initial testing of control activities.
2. Identify and document control testing deficiencies.
3. Prioritize control design and testing deficiencies based on risk cost/benefit.
4. Develop control deficiency remediation plan.
5. Design and implement controls to address deficiencies.
Internal Audit
1. Define internal audit scope of services.
2. Perform monitoring/execution of supporting activities.
Process Improvement
1. Execute and monitor implementation of process improvements.
2.4.5 Monitor, Certify and Assert Internal Audit
1. Perform monitoring/execution of supporting activities.
Monitoring Program
1. Identify control constituencies and management organization (int./ext. audit, committees).
2. Evaluate and develop monitoring process.
3. Develop self-assessment process.
4. Develop sub-certification process.
5. Execute sub-certification, self-assessment, and monitoring processes.
6. Monitor sub-certification, self-assessment, and monitoring processes.
Certification
1. Prepare internal control and disclosure conclusions.
2. Disclosure to auditors and audit committee.
3. CEO and CFO to sign and file certification.
Assertion
1. Assess the effectiveness of controls over financial reporting.
2. Prepare sign, and file internal control assertion report.
2.5 Risk Management
In this part the ERM practice of Deloitte will be described. As a start, Deloitte defines the risk management process as follows: “A structured, documented way of dealing with risks across the company, from implicit to explicit.” (Amato and Eysink 2005). The Deloitte approach is based on five steps that make up the whole risk management process.
2.5.1 Identify Risks
The identification of risks is done through internal interviews with middle and higher management, desk research and a workshop. During this identification both the internal as well as the external environment is being considered.
The questions asked are about what management considers the most important risks to
achieve their goals in the upcoming year(s). Taking the goals and missions as a starting point, risks are events that are a potential danger for the achievements of these goals. Normally a time period for one or two years is considered. Important to remember is the fact that risk is a deviation from a goal and therefore has two sides: a down-side risk is a potential negative outcome and an upside-risk is a potential positive outcome (Groenland 2005).
. )0 . )0! ) # )
1 23%) )) 4 #
$ 2 3 $ &45
'45
1 3
6
#
3 3
7 8 3
1 2 % #)
0
3 3
1 2 %) # #
# 3 7
+
Table 3: Example of a Risk Register
2.5.2 Prioritize Risks
After the identification of a comprehensive set of risks, the risks must be prioritized. This is done during a workshop in which the top risks are identified or by using an internet
application. Prioritizing in a workshop is done by voting. During the risk assessment
workshop, senior management vote on the likelihood that a risk will occur and on the impact that the risk will have on the organization. Because the voting process is executed with the
facilitation of software, the participants can not influence each other. First the participants rank the risk on the likelihood of occurrence. This is measured on a scale from one to nine, with a one indicating a very low likelihood and nine indicating a very high likelihood.
This process is repeated for the impact a risk can have on organizational goals.
The same process of prioritizing the risks is also being executed with an internet application.
Deloitte has an in-house developed internet platform called Survey Web. With this application surveys are easily being built and put online, all in a secure environment. The same voting process can be done with this application and is anonymous. This way the respondents can not influence each other which in turn provide more objective data. An outcome of this process is a risk map where the likelihood and impact are plotted in a matrix.
*
2
#
7
$
#
9 :
2 (
$ 9
$
#
#
%
$ 1
#
%
*
#
;
Figure 5: Example of a Risk Map
During a typical risk assessment conducted by Deloitte, the existing control effectiveness in an organization is also taken into consideration. Assessing the control effectiveness is similar to the assessment of the risks. Instead of voting about the impact and likelihood of the risk, the level of control is identified. This way the residual risk is identified. When there is a risk with a high score on impact and likelihood, but there is a high level of control effectiveness, there will not be a big problem for the organization. The only action a company should take is to get assured that their controls are really effective against the risk. If a top risk is identified that has high impact/likelihood but the control effectiveness is low, action should be taken change this.
In the situation that the risk and the level of control effectiveness are low, the company should only monitor these risks to make sure the situation is not changing. Another situation is over- control. In this situation effective controls are in place, but the significance of the risk is low.
This can be an indication that the company is putting to much effort in controlling a certain type of risk and it might be wise to evaluate the control to see if control efforts can be focused on other risks.
The four possible scenarios are presented in the control effectiveness/risk significance matrix on the next page:
Figure 6: Control Map
2.5.3 Analyze Root Causes
Sourcing helps in determining action strategy and steering based on cause-and-effect analysis.
Figure 7: Example of a Sourcing Mind Map
2.5.4 Develop Risk Strategies
There are several risk strategies which can be developed. In his book Doherty (2000:5) identifies four different actions toward risk. He states that risk can be:
1. Transferred to a counter-party by purchase of an insurance policy or financial hedge.
2. Retained in either an active or passive way. Simply not insuring is retaining risk. But the firm can mimic the insurance process by self insuring with internal pricing, reserving, and loss settlement.
3. Reduced by investing in sprinklers, smoke alarms, inspections and other safety measures.
4. Avoided by not undertaken activities that are risky or by substituting less risky processes.
According to Amato and Eysink (2005), Shell uses a comparable classification of actions toward risk: Take, Treat, Transfer, Terminate.
The real foundation for the development of risk management strategies is to understand why risk is costly to the firm in the first place (Doherty, 2000). When risk is costly to the firm it will destroy income and thus will have a negative effect on shareholders value. Not only understanding the risks, but also being able to form a strategy to counter these risks, will create value for the firm.
The strategy to treat risk will result in the creation of internal controls or other actions to diminish either the likelihood or the impact for the organization. This can be done by taking actions so that the company can be assured that it will be unlikely that a risk will happen. An example is being compliant to government rules. If a company investigates their compliancy following new rules and regulations, it can judge the potential problems that can arise in the future and by doing so avoid penalty fees or worse, shutdown of operations. If a company knows it is not compliant, it can change this by restructuring and therefore diminish the likelihood of this risk drastically. Another good example on how to diminishing the impact of a potential risks is about the supply of raw materials. If a company has just one supplier to rely on for its raw materials, the dependency on this supplier is big. If this supplier stops delivering its raw materials, the company must stop its operations. By exploring the possibility to buy raw materials from other suppliers will diminish the dependency and therefore the impact of this risk.
2.5.5 Implement and Monitor
There are a few important elements to have Risk Management successfully embedded in the current management structure (Demneri 2005).
• Define a risk management policy and specific guidelines within which the Risk Management will be executed aligned with the existing business policies.
• A common risk language contributes to a common understanding and communication of risks across the organization (Funston 2003:59-63).
• Establish a structure with the purpose to define and communicate the accountabilities for managing risks in a structured manner.
• Develop a risk management process. This to identify, prioritize and act upon risks on a continuous basis and in an integrated manner with other business activities aligned with the planning and control cycle.
• Enhance management reporting with the purpose to provide management with
information on risks, “what if” scenarios and trends in risk causes as part of the regular management reporting.
• Develop supporting tools to support the execution of the process, generation of reporting and communication.
• Progress of Risk Management and its implementation has to be monitored for a clear status for internal and external responsible.
• Risk Management is an ongoing and iterative process. Trends and new risk scenario’s have to be mapped for timely intervention and anticipation.
2.6 Techniques and methods
Several techniques and methods are used during the processes of Internal Control and Risk Management. The following are techniques and methods generally used by Deloitte’s ERS.
• Update and evaluate auditor’s previous experience. The same Certified Public Accountant (CPA) firm does most audits of a company annually. Except for initial engagements, the auditor begins the audit with a great deal of information developed in
prior years about the client’s internal control. Because systems and controls usually do not change frequently, this information can be updated and carried forward to the current year’s audit (Arens 2003:284).
• Desk research and interviews are commonly used in order to come to an overview of the potential internal control deficiencies and potential risks of a company in a specific branch.
• Workshops are often used to reveal information about risks. They are frequently used within risk management to discover which uncertainties are present, how likely they are and what their impact may be (Canadian Treasury Board 2001).
• The opinions on the extent and level of risk can be collected individually or collectively by means of voting workshops.
• Survey (using SurveyWeb) or questionnaires are used as well for the identification and assessment of risks. In an attempt to make a judgment on the impact and likelihood of risks, this is a useful technique.
• Read client’s policy and system manuals. This information is read by the auditor and discussed with company personnel to ensure that it is properly interpreted and understood (Arens 2003:284).
• Checklists contain checkpoints that are common to all types of risks and hence they are helpful when identifying risks (Canadian Treasury Board 2001).
• Narrative. A narrative is a written description of a client’s internal controls. A proper narrative of an accounting system and related controls includes four characteristics:
1. the origin of every document and record in the system;
2. all processing that takes place;
3. the disposition of every document and record in the system;
4. an indication of the controls relevant to the assessment of control risk.
• Flowchart. An internal control flowchart is a symbolic, diagrammatic representation of the client’s documents and their sequential flow in the organization. An adequate
flowchart includes the same four characteristics identified for narratives (Arens 2003:285)
• Root cause analysis is a graphical analysis used to assess risks. It can help during the process of risk identification and cause and effect analysis. This can be done in different formats, one of which is the mind map, causes associated with the effect (risks) shows how causes are related (Rooney and Van den Heuvel 2004:45-53).
2.7 RACK and Design Library
The Risk and Control Knowledgebase (RACK) is a centralized repository of financial, operational and regulatory risks, control objectives and controls. RACK is a repository for industry-specific process and business cycle risk and control content, which is currently being used in connection with Deloitte’s Sarbanes-Oxley readiness engagements, typically in pre- configured spreadsheets as part of a "starter kit" for Deloitte’s clients to begin to document their controls. The RACK content is also used in connection with other advisory and consulatative services, such as in Sarbanes-Oxley related testing and remediation services.
RACK is COSO-based, and offers risk and control frameworks, as well as the ability to view either business process or business cycle views of controls.
Design library is for standardization, consistency and efficiency. Centrally defined
frameworks can easily be (re-)applied to the organization and its entities. For example it is possible to collect all your requirements in those libraries and adjust the collection if needed.
2.8 Conclusions
Activities of Risk Management and Internal Control are used to deal with risks, which might impact the ability to achieve several company objectives. Meeting the requirements of an organization can be seen as one of the company’s objective. To continue helping the clients prepare for the compliance requirements, Deloitte is looking for tools and methodologies to support their practices. Methods and tools used by Risk Management and Internal Control can be used for meeting typical requirements of an organization.
As described in the Problem definition of this thesis Deloitte wants their clients to treat compliance as a catalyst to improve business processes and enhance enterprise value instead of just comply with the requirements.
To improve business processes and enhance enterprise value, executive need information. By compliance with Sarbanes-Oxley, companies will adopt a number of measures that will strengthen internal checks and balances and enhance accountability. This will provide the executives with a lot of management information, which give them the opportunity to expand their situational awareness.
The Information and Communication component of the COSO-framework enables companies to identify, capture, and communicate the management information in a form and timeframe that enable people to carry out their responsibilities.
Many organizations are viewing the various pieces of legislation and regulation as an assault on their business, and are taking a defensive stance – looking to buy point solutions to do very minimum. According to Butler (2004a:30) this is a waste of money – and opportunity.
Compliance ‘point’ solutions will become the new data silos and will not add any value to the business. Instead of just data silos and compliance with several requirements, executives also need management information to improve business processes and enhance enterprise value.
i Koen, P. (2005) Sarbanes Oxley; The role of technical IT structure.
3 Compliance Management 3.1 Introduction
In the introduction of this thesis, the Compliance Management Tool has been introduced as a possible example for meeting comprehensive compliance requirements at a structured
approach.
The increasing emphasis of Compliance Management is to ensure that business decision- making is based on accurate information. This information can also be analyzed assess the potential risks that a business faces. Beyond that, information generated under the compliance
“umbrella” can be used as a performance-management tool (Gartner 2005c:2).
Chapter 2 assumes that executives are in need of such information to avoid new scandals and to comply with several requirements, but also give them the opportunity to improve business processes and enhance enterprise value.
Because Compliance Management is a new approach, some subjects, which are closely related to Compliance Management, will be discussed in this chapter to make the area of Compliance Management clearer.
3.2 Definitions of Compliance Management
According to the interviewees of ERS, the meaning of compliance in the context of the activities of ERS 12 is:
comply with the set of requirements (sections of a law, regulations, policies, and requests) which are stated in advance by the stakeholders (government,
shareholders, union, and other organizations) is intended to result in improved corporate accountability, but it should also become a catalyst to improve business processes and enhance enterprise value.
In this thesis Compliance Management is defined as:
the process that organizes activities to meet the set of compliance requirements, which are demanded by all stakeholders, improve business processes and enhance enterprise value.
This description of Compliance Management will be used during the rest of this research.
3.3 History of Compliance Management
3.3.1 Introduction
Among other things, stakeholders want organizations to improve corporate accountability as stated above. This expectation is a result of several events during the last centuries.
1 See Appendix A for the description of Deloitte, ERS and the corresponding activities.
2 During the interview, the main properties of a certain Compliance Management Tool have been discussed, these will be the starting point of chapter 4.
