6bced353867143dc9733e6abc1890f0f.ppt
- Number of slides: 20
GRC-XML Program Working Session: GRC-XML Risk and Control Taxonomy, GRC-XML Prototype
XBRL International Conference, Paris, France
June 25th, 2009, 14:30–15:00
Your Speakers
• Said Tabet, Technical Director, OCEG, stabet@oceg.org
• Eric E. Cohen, Executive Member, OCEG GRC-XML Working Group, eric.e.cohen@us.pwc.com
OCEG GRC-XML Program Agenda
• Overview of the GRC-XML Program and its architecture
• Demonstration of disparate systems sharing standardized GRC data, to illustrate the use of the GRC-XML taxonomy of Risks and Controls, the foundation of the future GRC-XML deliverables
• Next steps
◦ For OCEG
◦ For those interested in the work
OCEG GRC-XML Program Overview
• Today's business environment is highly volatile
• In response, there is increasing attention to GRC policies and procedures
• Today's GRC architecture is predominantly silo-based, which makes sharing data difficult and error-prone
• A common language in which organizations represent their risks, controls, policies, procedures and tests of controls can facilitate discussion, comparison and interchange
• We are driving the development of GRC-XML to address this problem
• OCEG is currently a provisional jurisdiction of XBRL
• GRC-XML
◦ Is XBRL
◦ Leverages XBRL's external reporting taxonomies
◦ Is highly integrated with XBRL's Global Ledger Framework
• We hope GRC-XML will enable highly efficient and agile Risk and Control Monitoring systems in a format that is application-neutral and easy to integrate
OCEG GRC-XML Program Work Groups*
Taxonomy/Messaging Standards Area | Orgs With An Invested Interest | Related Council Member Targets | Identified Taxonomy "Quick Wins"
1 Risk and Control Taxonomy | | | Fujitsu's ERM XBRL Program
GRC-XML Taxonomy: The Business Case
• A common language of risk and control is a prerequisite for effective management of audit, risk, and compliance processes
• Most organizations currently struggle with a common language of risk and control between their internal GRC silos
• There is no standard risk and control language for multiple information systems to communicate or pass information
GRC-XML Taxonomy: Assumptions
• Risk and control taxonomies, from a business process view, function very similarly to a chart of accounts
• Standard risk and control models exist and are utilized by many organizations (COSO, COBIT), yet there is no common language for systems to communicate on these taxonomies
• XBRL is a functional technology for enabling systems to communicate business and financial reporting information
• XBRL can be effectively leveraged to enable information systems to communicate Risk, Control and Test of Control information
GRC-XML Taxonomy: Requirements
• Define a standard XBRL Taxonomy for Controls and Risks
• Define an XBRL for GRC integration specification (leveraging the XBRL Global Ledger Framework, XBRL GL) that will enable the mapping and delivery of a payload of information
• Leverage XBRL for external reporting
• Use XBRL GL for evidence and other payload
GRC-XML Model (very simplified)
Diagram nodes: Business Process, Task, Procedure, COSO Internal Control, Risk, Financial Risk, Operational Risk, Other Risk, Internal Policy, Regulations, Test of Control
COSO Framework Overview
GRC-XML Taxonomy: The Extended COSO Taxonomy DTS (Discoverable Taxonomy Set)
• Instance (Fujitsu Evaluation Layer): FY 2008 evaluation.xml
• Fujitsu Risk/Control Layer of the COSO IC taxonomy: fujitsu-rcm.xsd, fujitsu-rol.xsd, fujitsu-rsk.xsd, fujitsu-cta.xsd
◦ Risk Evaluation for Organizations
◦ Testing for Control Activities
◦ Related Organizations
◦ Relation among activity, objectives, risks and control activities
• Viewer (Presentation)
• COSO Layer: coso.xsd, coso-act.xsd, coso-obj.xsd, coso-rsk.xsd, coso-cta.xsd
◦ COSO Template consists of 25 components (sample: INBOUND)
Copyright Fujitsu Research Institute 2009
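An XBRL processor discovers the DTS by following the instance's schemaRef and then every xs:import/xs:include it finds, so an untrusted instance decides which schema files get loaded. The added example below (not code from the presentation, Fujitsu or OCEG) models the layering shown on this slide with constructed stub schemas keyed by the slide's file names and walks the discovery chain while resolving only against a local allowlist; the element content of the real taxonomies is not reproduced.

```python
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"
LINK = "{http://www.xbrl.org/2003/linkbase}"
XLINK = "{http://www.w3.org/1999/xlink}"

def _schema(*imports):
    # Minimal constructed schema whose only content is its xs:import edges.
    body = "".join(f'<xs:import schemaLocation="{i}"/>' for i in imports)
    return f'<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">{body}</xs:schema>'

# Constructed stand-ins keyed by the file names on the slide; only the layering
# (Fujitsu layer imports the COSO layer) is modelled, not the real taxonomy content.
LOCAL_SCHEMAS = {
    "fujitsu-rcm.xsd": _schema("fujitsu-rol.xsd", "fujitsu-rsk.xsd", "fujitsu-cta.xsd"),
    "fujitsu-rol.xsd": _schema("coso.xsd"),
    "fujitsu-rsk.xsd": _schema("coso.xsd"),
    "fujitsu-cta.xsd": _schema("coso.xsd"),
    "coso.xsd": _schema("coso-act.xsd", "coso-obj.xsd", "coso-rsk.xsd", "coso-cta.xsd"),
    "coso-act.xsd": _schema(), "coso-obj.xsd": _schema(),
    "coso-rsk.xsd": _schema(), "coso-cta.xsd": _schema(),
}

# Constructed instance standing in for FY 2008 evaluation.xml: the schemaRef
# is the entry point from which the DTS is discovered.
INSTANCE = (
    '<xbrl xmlns="http://www.xbrl.org/2003/instance" '
    'xmlns:link="http://www.xbrl.org/2003/linkbase" '
    'xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<link:schemaRef xlink:type="simple" xlink:href="fujitsu-rcm.xsd"/></xbrl>'
)

def discover_dts(instance_xml, schemas=LOCAL_SCHEMAS):
    """Return the set of schema files reachable from the instance's schemaRef
    elements via xs:import/xs:include, resolving only against the local
    allowlist so an untrusted instance cannot trigger fetches of remote schemas."""
    root = ET.fromstring(instance_xml)
    queue = [ref.get(XLINK + "href") for ref in root.iter(LINK + "schemaRef")]
    discovered = set()
    while queue:
        name = queue.pop()
        if name in discovered:
            continue
        if name not in schemas:
            raise ValueError(f"DTS reference outside the local allowlist: {name}")
        discovered.add(name)
        schema = ET.fromstring(schemas[name])
        for tag in ("import", "include"):
            queue.extend(el.get("schemaLocation") for el in schema.iter(XS + tag))
    return discovered
```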
GRC-XML Taxonomy: The COSO Taxonomy (Cont'd)
25 activities defined in the COSO Evaluation Tool:
1/Activity: INBOUND
2/Activity: OPERATIONS
3/Activity: OUTBOUND
4/Activity: MARKETING AND SALES
5/Activity: SERVICE
6/Activity: PROCUREMENT
7/Activity: TECHNOLOGY DEVELOPMENT
8/Activity: HUMAN RESOURCES
9/Activity: MANAGE THE ENTERPRISE
10/Activity: MANAGE EXTERNAL RELATIONS
11/Activity: PROVIDE ADMINISTRATIVE SERVICES
12/Activity: MANAGE INFORMATION TECHNOLOGY
13/Activity: MANAGE RISKS
14/Activity: MANAGE LEGAL AFFAIRS
15/Activity: PLAN
16/Activity: PROCESS ACCOUNTS PAYABLE
17/Activity: PROCESS ACCOUNTS RECEIVABLE
18/Activity: PROCESS FUNDS
19/Activity: PROCESS FIXED ASSETS
20/Activity: ANALYZE AND RECONCILE
21/Activity: PROCESS BENEFITS AND RETIREE INFORMATION
22/Activity: PROCESS PAYROLL
23/Activity: PROCESS TAX COMPLIANCE
24/Activity: PROCESS PRODUCT COSTS
25/Activity: PROVIDE FINANCIAL AND MANAGEMENT REPORTING
Copyright Fujitsu Research Institute 2009
GRC-XML Taxonomy: The Viewer
Extended Risk and Control in the Fujitsu-RCM taxonomy
GRC-XML Taxonomy: The Viewer (Cont'd)
Values in the instance document (FY 2008 evaluation.xml) in dimensional view.
OCEG GRC-XML Program: The Prototype
GRC-XML at work
GRC-XML Taxonomy: Prototype Architecture
Diagram: three systems exchanging GRC XML
• Risk & Controls Repository: Risk models, Controls documentation, Organization / Process, Test Procedures, Test Results
• Controls Testing & Monitoring: Automated Control Tests (Transactions, Configurations, User access), Manual Control Tests (Surveys, Sampling)
• ERP Financial Application: GL, AP, AR, FA, etc.
Demonstration
OCEG GRC-XML Program Next Steps
OCEG GRC-XML Program Target areas*
Taxonomy/Messaging Standards Area | Orgs With An Invested Interest | Related Council Member Targets
1 Risk and Control Taxonomy
2 Legal Requirements
3 Issue and Incident Management
4 Corporate Disclosure
5 Strategy and Measurement
Call to Action: Come Join Us!
• If this project is of interest to you and your organization, or if you have specific skills, knowledge and expertise you can provide, please contact OCEG
• Join OCEG and take part
• If you can't join but you have expertise or have intellectual property to contribute, please contact OCEG
• Said Tabet
◦ stabet@oceg.org