PowerPoint Presentation

$S:\Robert's Share\NA CACS\NACACS 05\naCACSleft.jpg$

$T:\ISACA Logos\10-7-2002 Zip Disk\NA CACS\2002 naCACS (4c).tif$

$T:\ISACA Logos\10-7-2002 Zip Disk\ISACA\ISACA centered Color.tif$

#327 – Legal and RegulatoryRisk: Silent and Possibly Deadly

Deborah Frazer, CPA CISA CISSP

Senior Director, Internal Audit

PalmSource, Inc.

$S:\Robert's Share\NA CACS\NACACS 05\naCACSright.jpg$

$T:\ISACA Logos\10-7-2002 Zip Disk\NA CACS\2002 naCACS (4c).tif$

Overview

•Identifying legal and regulatory risks

•Quantifying and weighing these risks

•Proactively mitigating legal and regulatory risk

•Communicating legal and regulatory risk to thebusiness process owners

$S:\Robert's Share\NA CACS\NACACS 05\naCACSright.jpg$

$T:\ISACA Logos\10-7-2002 Zip Disk\NA CACS\2002 naCACS (4c).tif$

Identifying Legal and RegulatoryRisks

•COSO framework

–Control environment

–Information and communication

–Risk assessment

–Monitoring

•Determining where the gaps are

–Inherent risk

–Controls in place

$S:\Robert's Share\NA CACS\NACACS 05\naCACSright.jpg$

$T:\ISACA Logos\10-7-2002 Zip Disk\NA CACS\2002 naCACS (4c).tif$

Internal Control – IntegratedFramework

•Familiar Cube

•Three objective categories

•Five Components

•Entity and organizational units

$S:\Robert's Share\NA CACS\NACACS 05\naCACSright.jpg$

$T:\ISACA Logos\10-7-2002 Zip Disk\NA CACS\2002 naCACS (4c).tif$

Control Environment

•Integrity and ethical values

•Commitment to competence

•Board of Directors/Audit Committee

•Management’s philosophy and operating style

•Organizational Structure

•Assignment of authority and responsibility

•Human resource policies and procedures

$S:\Robert's Share\NA CACS\NACACS 05\naCACSright.jpg$

$T:\ISACA Logos\10-7-2002 Zip Disk\NA CACS\2002 naCACS (4c).tif$

Information and Communication

•Information is identified, captured, processed andreported by information systems. Relevant informationincludes industry, economic and regulatory informationobtained from external sources, as well as internallygenerated information.

•Communication is inherent in information processing.Communication also takes place in a broader sense,dealing with expectations and responsibilities ofindividuals and groups. Effective communication mustoccur down, across and up an organization and withparties external to the organization.

$S:\Robert's Share\NA CACS\NACACS 05\naCACSright.jpg$

$T:\ISACA Logos\10-7-2002 Zip Disk\NA CACS\2002 naCACS (4c).tif$

Risk Assessment

•Entity-wide objectives

–Include broad statements of what an entity desires to achieve, and aresupported by related strategic plans

•Activity level objectives

–Flow from entity-wide objectives

–Are frequently stated as goals with specific targets and deadlines

•Risks

–Consider external and internal factors that could impact achievement of theobjectives

•Managing Change

–Economic, industry and regulatory environments change and entities'activities evolve; mechanisms are needed to identify and react to changingconditions.

$S:\Robert's Share\NA CACS\NACACS 05\naCACSright.jpg$

$T:\ISACA Logos\10-7-2002 Zip Disk\NA CACS\2002 naCACS (4c).tif$

Monitoring

•Ongoing monitoring occurs in the ordinary course ofoperations, and includes regular management andsupervisory activities, and other actions personnel takein performing their duties that assess the quality ofinternal control system performance.

•The scope and frequency of separate evaluations willdepend primarily on an assessment of risks, and ongoingmonitoring procedures.

•Internal control deficiencies should be reportedupstream with certain matters reported to topmanagement and the board.

$S:\Robert's Share\NA CACS\NACACS 05\naCACSright.jpg$

$T:\ISACA Logos\10-7-2002 Zip Disk\NA CACS\2002 naCACS (4c).tif$

ERM Integrated Framework

•Expands the original cube

•Four objective categories

•Eight Components

•Entity and organizationalunits

$S:\Robert's Share\NA CACS\NACACS 05\naCACSright.jpg$

$T:\ISACA Logos\10-7-2002 Zip Disk\NA CACS\2002 naCACS (4c).tif$

ERM Framework

•Objective Setting

–Strategic

•High level goals

•Aligned with mission/vision

–Operations

•Relates to effectiveness and efficiency

–Reporting

•Effectiveness; relates to internal and external

– Compliance

•Applicable laws and regulations

$S:\Robert's Share\NA CACS\NACACS 05\naCACSright.jpg$

$T:\ISACA Logos\10-7-2002 Zip Disk\NA CACS\2002 naCACS (4c).tif$

Compliance Objectives

•Relevant laws and regulations

–Examples

•Wage and hour laws

•EEOC

•IRS/SEC

•Dependent on external factors

–Examples:

•Environmental regulation

•Sarbanes-Oxley Act

•Homeland Security/Patriot Act

•Tend to be similar

–Across entities or industries

$S:\Robert's Share\NA CACS\NACACS 05\naCACSright.jpg$

$T:\ISACA Logos\10-7-2002 Zip Disk\NA CACS\2002 naCACS (4c).tif$

Applicable Laws and Regulations

•Establish minimum standards for behavior

–Entities must integrate into compliance objectives

•Compliance records

–Significantly – positively or negatively – affect anentity’s reputation in the community and marketplace

•Overlap of objectives

–Compliance objectives can affect other categories

•Strategic, operational, reporting

$S:\Robert's Share\NA CACS\NACACS 05\naCACSright.jpg$

$T:\ISACA Logos\10-7-2002 Zip Disk\NA CACS\2002 naCACS (4c).tif$

Achievement of Objectives

•Measurable targets toward which an entitymoves

•Will have differing degrees of importance andpriority

•Reasonable assurance objectives are achieved

–May not pertain to all objectives

–Compliance objectives are largely under entity’scontrol

–Has the ability to do what’s needed to meet them

$S:\Robert's Share\NA CACS\NACACS 05\naCACSright.jpg$

$T:\ISACA Logos\10-7-2002 Zip Disk\NA CACS\2002 naCACS (4c).tif$

Risk Appetite

•Expressed as the acceptable balance between:

–Growth, risk and return – OR –

–Risk-adjusted shareholder value-added measures

•Risk appetite vs strategy

–Strategy may exceed entity’s risk appetite

–Strategy may not embrace sufficient risk to allowentity to achieve its vision/mission

•Guide resource allocation

$S:\Robert's Share\NA CACS\NACACS 05\naCACSright.jpg$

$T:\ISACA Logos\10-7-2002 Zip Disk\NA CACS\2002 naCACS (4c).tif$

Risk Tolerances

•Acceptable levels of variation relative to theachievement of objectives

•Measurable

•Performance measures

–Help ensure actual results will be within theacceptable risk tolerances

–Based on relative importance of related objectives

$S:\Robert's Share\NA CACS\NACACS 05\naCACSright.jpg$

$T:\ISACA Logos\10-7-2002 Zip Disk\NA CACS\2002 naCACS (4c).tif$

Event Identification

•Governmental changes

–Changes in overall climate

•Legislation

–Sarbanes-Oxley Act

–Patriot Act

•Regulation

–Certain required processes and disclosures

$S:\Robert's Share\NA CACS\NACACS 05\naCACSright.jpg$

$T:\ISACA Logos\10-7-2002 Zip Disk\NA CACS\2002 naCACS (4c).tif$

Proactively Mitigating Legal andRegulatory Risk

•Some examples

–Establish a compliance office

–Establish policies and procedures for appropriatelegal reviews of contracts

–Ensure line recognizes primary complianceresponsibilities

–Review privacy policies and practices

–Benchmark against government requirements andbest practices

$S:\Robert's Share\NA CACS\NACACS 05\naCACSright.jpg$

$T:\ISACA Logos\10-7-2002 Zip Disk\NA CACS\2002 naCACS (4c).tif$

Mitigating Risk vs ImpedingProgress

•Establish guidelines

–What requires review

–Articulate where leverage may be applied

•Develop tools

–Checklists

–Standard language

•Empower business partners to perform their owncontrol self assessment

$S:\Robert's Share\NA CACS\NACACS 05\naCACSright.jpg$

$T:\ISACA Logos\10-7-2002 Zip Disk\NA CACS\2002 naCACS (4c).tif$

Communicating Legal andRegulatory Risk

•Use layperson’s terms

–Avoid “sounding” like an attorney or compliance officer

•Demonstrate with examples

–Likelihood – have other entities been affected

–Impact – what is a worst case scenario

•Know your audience

–Sales objectives often collide with legal risk management

–What does the risk mean to the executive group

$S:\Robert's Share\NA CACS\NACACS 05\naCACSleft.jpg$

$T:\ISACA Logos\10-7-2002 Zip Disk\NA CACS\2002 naCACS (4c).tif$

$T:\ISACA Logos\10-7-2002 Zip Disk\ISACA\ISACA centered Color.tif$

Open Discussion andExamples

$S:\Robert's Share\NA CACS\NACACS 05\naCACSleft.jpg$

$T:\ISACA Logos\10-7-2002 Zip Disk\NA CACS\2002 naCACS (4c).tif$

$T:\ISACA Logos\10-7-2002 Zip Disk\ISACA\ISACA centered Color.tif$

Questions?

$S:\Robert's Share\NA CACS\NACACS 05\naCACSright.jpg$

$T:\ISACA Logos\10-7-2002 Zip Disk\NA CACS\2002 naCACS (4c).tif$

For More Information:

Deborah Frazer, CPA, CISA, CISSP

Senior Director, Internal Audit

PalmSource, Inc.

deborah.frazer@Palmsource.com

$C:\Program Files\Common Files\Microsoft Shared\Clipart\cagcat50\MP00640_.wmf$

$S:\Robert's Share\NA CACS\NACACS 05\naCACSleft.jpg$

$T:\ISACA Logos\10-7-2002 Zip Disk\NA CACS\2002 naCACS (4c).tif$

$T:\ISACA Logos\10-7-2002 Zip Disk\ISACA\ISACA centered Color.tif$

Thank you!