Number of slides: 15
The Need for an Open Controls Definition and Reporting Standard
12th Continuous Auditing and Reporting Symposium, Rutgers Univ., Newark, NJ, November 3, 2006
© 2006 Approva Corporation. All rights reserved.
Agenda
• Vision of an Open Controls Framework
• Current market situation
• Why a standard for defining controls
• Proposed XML formats
  • Control Definition Language (XCDL)
  • Control Reporting Language (XCRL)
• Status and Next Steps
Introduction to the Open Controls Framework
The Open Controls Framework (OCF) is the industry’s first standards-based approach for companies and their auditors to simplify the way they design and analyze controls, report violations and audit key application and operational controls. OCF defines an open and extensible architecture, along with a standards-based approach for acquiring and normalizing controls data, writing and organizing rules to analyze controls and creating and publishing control exception reports.
[Diagram: Open Controls Framework. Control domains: Operational Controls, General IT Controls, Financial Controls, Application Controls, Process Controls, Access Controls. Key Concept 1: Standard Data Gathering and Normalization; Key Concept 2: Standard Rule Definition; Key Concept 3: Standard Testing Procedures; Key Concept 4: Standard Reporting and Publishing. Goal 1: Rapid Design & Implementation of Continuous Controls Solutions; Goal 2: Effortless Sharing of Controls, Rules, Tests & Reports. Standard 1: XCDL Controls Definition Language; Standard 2: XCRL Controls Reporting Language.]
Custom Interfaces Dominate the GRC Landscape
[Diagram: Networks, Databases, Operating Systems, Business Applications, Identity Management and Policy & Procedure sources feeding Vendors through a Control Definition API and a Controls Assessment API; Audit Reports delivered to External Audit, Internal Audit and Business Stakeholders.]
Today’s Market: A Broad Spectrum of Compliance Solutions
The Cost of Diversity in the GRC Space
• No standard currently exists to define and report upon controls within the specific domains of GRC, much less across them.
• Within many of the domains, conversion between differing formats requires substantial effort.
• Vendors are seeking to leverage complementary technologies, but rely heavily on custom APIs to integrate.
• Organizations face increased cost and difficulty in achieving sustainable compliance efforts due to the wide disparity in controls definition and reporting.
Keys to Defining a Standard for Controls Information
• Allow content and report data sharing across a broad ecosystem of vendor products, service providers, and organizational stakeholders
• Standardize documentation of common objects across domains while allowing for domain-specific definitions within the overall standard
• Enable clearly defined roles for content and technology players
  • Technology vendors can focus on expanding platforms and broadening market presence and compatibility
  • Content providers can focus on developing better domain-specific controls in a single language
• Benchmark analysis and reporting functionality and features within the market space
The Proposed Reporting and Controls Standards
XCRL (Controls Reporting Language)
XCRL is an XML-based taxonomy with which users can prepare, publish (in a variety of formats), exchange and analyze financial controls information, including financial statement linkage with corresponding controls and controls summary information. An XCRL Instance Document is a business report, such as a summary of findings for a segregation of duties audit, prepared to the XCRL specification. The meaning of each value in the Instance Document is explained by the taxonomy.
XCDL (Controls Definition Language)
XCDL is an XML-based common controls definition language with which users can trade, combine and publish controls across business processes, infrastructures, platforms and regulations. For example, controls to test Web Service controls on a Java stack for a HIPAA review, SAP purchasing configurations for Sarbanes-Oxley and Unix security settings for an internal audit review can all be documented in the same format using the same compliance-specific XML tags.
How can Standardization Impact the GRC Landscape?
[Diagram: Networks, Databases, Operating Systems, Business Applications, Identity Management and Policy & Procedure sources feeding Vendors through a standard Controls interface (Business Application API, Controls Assessment API); Reports with Embedded References delivered to External Audit, Internal Audit and Business Stakeholders.]
How can XCDL Support Multiple Domains?
Domain Independent Attributes
Many aspects of controls are universal. Attributes used to define the name, description, and type of a control are easily standardized into a uniform format. The specification’s primary focus is the definition of controls and risks independent of their assignment within a given organization.
Domain Specific Attributes
In order to effectively test controls, domain-specific tests must be defined. XCDL utilizes domain-specific taxonomies to define the recognized objects, operators, and hierarchies within a standardized XML tag set. The XCDL code tells the consuming analysis engine what is to be analyzed, but does not define how it is to be analyzed. It remains the responsibility of the consuming engine to determine how the test definition is evaluated against the target data. This preserves the readability of the language while simultaneously protecting the intellectual property of the analysis vendor.
XCDL Basic Nesting Structure
XCDL Example
<?xml version="1.0" encoding="UTF-8"?>
XCRL Example
XBRL Example
The Value and Benefit of an Open Controls Standard
1. …VALUE: A standard would end inflexible, proprietary, “hard-coded” controls solutions. With a standards-based approach, organizations can rapidly design and deploy an optimized enterprise controls solution specific to their organization and business processes.
2. …AGILITY: A standard also allows finance, business and IT, as well as auditors and their clients, to speak a common language and implement a consistent approach to managing their controls regardless of the type of control or the underlying infrastructure and business processes.
3. …RETURN: A standard will lead to a reduction in the cost of compliance by decreasing the time and expenses associated with implementing, monitoring and auditing enterprise controls.
Status and Next Steps
• Initial draft XCDL specification has been created
  • It needs further definition and input from other stakeholders
• Collect and solicit feedback to ensure broad coverage and applicability
• Need a standards organization to own and manage the development of the overall standard
  • OCEG?
• To receive a copy of the draft XCDL specification send an email request to Open.Controls.Forum@approva.net


