PwC Integrated Compliance - ISACA

Integrated Compliance: Driving ROI with Compliance

Presenters: JJ Marais, Managing Director, Risk Assurance; Chetan Trivedi, Manager, Risk Assurance


Copyright: © 2013 PwC. All rights reserved.

Definition: PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.

Disclaimer: This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

Description: PwC helps organisations and individuals create the value they’re looking for. We’re a network of firms in 157 countries with more than 184,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com


Integrated Compliance Overview


Integrated Compliance Defined

Provide value and cost savings to our clients by developing an entity-wide sustainable compliance program which:

• leverages a single set of integrated controls that satisfies regulatory, financial, and operational requirements,

• eliminates redundancy in controls execution and testing, and

• reduces compliance risk.


Complex and Evolving Compliance Landscape

[Diagram: the compliance landscape an organization must reconcile. Organizational Requirements: Operational Objectives, Strategic Initiatives, Customer, Vendor. Regulatory Requirements and Regulatory Agencies: GLBA, NERC. Best Practice and Frameworks: COBIT, ISO, COSO. Further requirements and standards shown: SEC, FDA, FERC, OSHA, FISMA, SOX, HIPAA, FCPA, PCI, SSAE 16, NIST.]


The Common Response?

• Response to regulatory and best practice guidance is often tactical and remedial rather than strategic

• Each executive independently identifies and addresses their piece of the compliance puzzle


The Result?

This structure results in…

• Managed in silos

• Duplicate and uncoordinated efforts resulting in redundant costs

• Fractured and potentially conflicting reporting

• Increased risk of non-compliance

• Uncoordinated efforts to address new compliance requirements

• Increased risk of audits and audit findings

• Unclear roles and responsibilities

• Inconsistent and isolated technology

[Diagram: compliance managed in silos. Compliance, Risk Management, Finance, Legal and IT each separately address an overlapping set of requirements (Info Security, Privacy, PCI, Vendor, Consumer Protection, AML, FCPA, OSHA, Basel/SII, FDA, SEC, SOX, FSG), with Internal Audit & Compliance Assessors layered across all of them.]


Where to Start

Organizations often have one or both of the following needs:

• Bottom Up - Control Landscape: Increase the efficiency and effectiveness of control processes and activities

• Top Down - Compliance Sustainability: Improve the sustainability of the compliance program

Potential areas of focus could include a combination of the following:

Compliance Sustainability:

• Sustainability Program

• Compliance Coordination and Management

• Compliance Change Management

• Comprehensive Reporting

• Policies and Procedures

• Training and Awareness

Control Landscape:

• Controls Optimization

• Controls Rationalization

• Gap and Remediation Analysis

• Cost of Controls Analysis

• Testing Procedures

• Project Management

Both areas are underpinned by supporting GRC technology.


Controls Optimization, Testing and Reporting

[Diagram: an Optimized Control Framework whose control areas (Change Management, Information Security, Data Classification/Privacy, Credit Card Processing) each map onto several requirements at once (FISMA, SSAE 16, HIPAA/HITECH, PCI). Axis label: Rationalize Cost of Controls & Testing. Principle: Test Once, Apply To Many.]


Compliance Sustainability

[Diagram: Sustainability rests on People, Structure, Process, Technology and Strategy, wrapped around the Optimized Control Framework (Change Management, Information Security, Data Classification/Privacy, Telecommunication, Credit Card Processing) mapped to FISMA, HIPAA/HITECH, SSAE 16, PCI, GLBA and TIA 942-2, with Ongoing Updates absorbing Additional Regulation.]

More than controls optimization… Integrated Compliance leverages people, process and technology to create a compliance structure that ensures an efficient, effective and sustainable compliance program.


Technology Enables Compliance

[Diagram: technology supports Integrated Compliance at three layers.]

Foundational Components form the basic reference data and standards/methodologies used by all participants in the process: Common Language, Common Organizational View, Consistent Methodology.

Core Compliance Principles: Centralized control framework; Communications and Training; Roles and responsibilities; Testing approach and results; Reporting.

Analysis & Reporting provides metrics-based information enabling effective management response: Data Aggregation, Data Analysis, Data Presentation.


Roles and responsibilities for Integrated Compliance

Effective organizations implement three distinct lines of defense into their Integrated Compliance programs.

Clarity of Roles and Responsibilities Structured into “Three Lines of Defense”

[Diagram: the Board / Audit Committee and Senior Management sit above three lines of defense. 1st Line of Defense: Management Controls, Internal Control Measures. 2nd Line of Defense: Financial Control, Security, Risk Management, Quality, Compliance, Inspection. 3rd Line of Defense: Internal Audit. Shown outside the organization: Regulator, External Auditor.]


Roles & Responsibilities: 1st Line of Defense

[Diagram labels: Senior Management; Management Controls; Internal Control Measures.]

Operational management has ownership, responsibility and accountability for assessing, controlling and mitigating risks.

• Convert strategy into operational objectives

• Operational management of the day to day organization

• Oversees the risk management efforts of the operations

• Assigns procedural and operational responsibilities

• Assigns responsibility for the controls to service line members


Roles & Responsibilities: 2nd Line of Defense

[Diagram labels: Senior Management; Financial Control; Security; Risk Management; Quality; Compliance; Inspection.]

Risk Management and Compliance facilitates and monitors practices by operational management and assists in reporting information up and down the organization.

• Provides positive Tone at the Top

• Establishes compliance and risk management policies, roles and responsibilities and implementation goals

• Establishes the integrated control and risk framework (common language)

• Promotes compliance and risk management competence

• Facilitates the development of the risk and control monitoring and reporting process

• Reports to senior management and board on progress and recommended actions


Roles & Responsibilities: 3rd Line of Defense

[Diagram labels: Board / Audit Committee; Internal Audit; Regulator; External Auditor.]

Internal Audit provides assurance to the board and senior management on the effectiveness of compliance and risk management.

• Provides objective assurance to the board and senior management

• Serves as an in-house consultant to the second and first lines of defense

• Provides the connection with the external auditor and regulators

• Coordinates the internal audit plan with the inspection activities performed by the first and second lines of defense


Benefits of Integrated Compliance

Shorter Term Benefits:

• Greater awareness and understanding of responsibilities for control performers

• Significant reduction of compliance costs resulting from centralized governance structure and elimination of duplicate audit/compliance activities

• Greater transparency and visibility into the aggregated risk and controls and broader business posture

• Increased sustainability leveraging a common technology platform

• Reallocation of internal resources to core revenue and operational activities as a result of reduction in controls

• Reduction of compliance risk due to greater coordination, awareness and visibility

Longer Term Benefits:

• Leverage the compliance program to drive strategic initiatives and operational objectives

• Improved executive and Board reporting leveraging advanced dashboards and real-time reporting

• Reduce the organizational impact of new regulations through established compliance change management practices

• Streamline audit preparation, design evaluation and execution

• Gain a competitive advantage and first mover status by implementing an agile compliance framework, which facilitates the addition of standards in demand by customers

Efficient, Agile, Sustainable, Strategic, Coordinated


Exhibit – Detailed Integrated Compliance Methodology


Integrated Compliance: Assess Phase

Assess and Rationalization: Understand the current program structure and compliance requirements and perform a controls rationalization

[Diagram: methodology phases. Assess Phase: 1. Assess Current State, 2. Controls Rationalization. Remediate Phase: 3. Gap Analysis, 4. Remediation. Implement Phase: 5. Implement and Execute, 6. Sustain. Organizational Change Management runs across all phases.]

Activities

Task 1 – Determine the current compliance structure and requirements:

• Gather the current program structure, strategies, processes and controls

• Understand the detailed compliance requirements and control objectives

Task 2 – Map and rationalize the program structure and control frameworks:

• Create and/or validate the compliance register

• Establish compliance frameworks to be rationalized

• Rationalize the current controls to arrive at a common control framework

• Map the current governance structure

Deliverables

• Summary of the current compliance structure

• Map of the compliance requirements via the compliance register

• Documented set of rationalized controls


Integrated Compliance: Remediate Phase

Gap and Remediation: Identify risks, gaps and remediation solutions in both the program structure and control requirements

Activities

Task 3 – Perform a gap analysis to identify gaps in program structure and in the rationalized set of controls:

• Evaluate existing compliance governance structure against the desired level of maturity and leading practices, including the use of GRC technology

• Identify control objectives and activities defined in the common control framework that are not addressed, or are duplicated, in the existing control environment

Task 4 – Work collaboratively to identify appropriate remediation actions for the identified redundancies and gaps:

• Provide leading practices for management’s consideration and recommended remediation procedures

• Document decisions and action points in a remediation roadmap

Deliverables

• Program and control gap analysis including leading practices

• Detailed remediation roadmap documenting current state, future state and recommendations on remediation procedures to arrive at future state


Integrated Compliance: Implement Phase

Implement and Test: Implement the program and control structure and assess the post-implementation compliance posture

Activities

Task 5 – Assist in the implementation and execution of the compliance program:

• Provide leading practice guidance on the implementation of an integrated compliance program

• Work collaboratively to assist in the implementation of the new program structure and optimized control framework

• Assess the operating effectiveness of remediation activity over control management and rationalization

• Assist in the integrated compliance program implementation

• Assist in the implementation of the GRC technology solution

Task 6 – Create a sustainable compliance model:

• Assess and provide remediation plan to create a change management process with supporting GRC technology

• Implement change management procedures including updates to policies/procedures and training

Deliverables

• Implement leading practices for integrated compliance implementation

• Recommendations for program and control rationalization remediation activity

• Provide the sustainability roadmap including change management procedures and training activities


Q&A


Thank You

Contact Information:

Scott Peyton, Integrated Compliance Practice Leader, [email protected], (702) 931-7765

JJ Marais, Managing Director Risk Assurance, [email protected], (602) 364-8232

Chetan Trivedi, Manager, Risk Assurance, [email protected], (602) 364-8168
