Assessment Services - EnterpriseGRC Solutions, Implementing a Compliance Framework

EnterpriseGRC Solutions supplies consulting and recommendations in support of IT resource assignment and organization structure as they pertain to support of the Control Objectives for Information and Related Technology.  EnterpriseGRC Solutions guides corporations in implementing an overall framework for control and assessment.  EnterpriseGRC Solutions, Inc. guides clients to:

  • Ensure preparation to demonstrate effective internal control structure and procedure
  • Demonstrate appropriate standards for gathering evidence and reporting these findings
  • Establish a system of enterprise-wide Risk Assessment
  • Identify financial exposures along with management steps to monitor and control such exposures
  • The scope of IT auditing includes:
    • Reviewing the reliability and integrity of information and the means used to identify, measure, classify, and report such information.
    • Reviewing the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on operations and reports, and determining whether the organization is in compliance.
    • Reviewing the means of safeguarding information (backups) and verifying the existence of such backup sets.
    • Appraising the efficiency with which resources are employed.
    • Reviewing operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.

All tools and procedures supported by EnterpriseGRC Solutions International (EnterpriseGRC Solutions) facilitate meeting SEC requirements on internal control over financial reporting.  EnterpriseGRC Solutions provides consulting and products that isolate internal control deficiencies while supplying both internal assessment reporting and response in the form of written and implemented IT procedures and controls.  Three major elements work together to provide content, guidance, and criteria toward a consensus-driven strategy for a properly controlled business environment. We refer to this as our compliance framework:

  • ITIL® is the FORM: the content and concept behind IT control programs
  • Facilitated Compliance Management™ is the FUNCTION: a working data and process model of HOW we manage and capture IT control events
  • CobiT®, COSO, and other security program control programs are the MEASURE: the criteria by which we agree to define an IT environment as appropriately controlled.

New and increasing business regulations bring added context to the need for highly mature IT programs.  The main purpose of the Sarbanes-Oxley Act, for example, is to protect investors by improving the accuracy and reliability of corporate disclosures.  This legislation has made it necessary for all publicly traded companies to ensure corporate preparation to demonstrate "effective internal control structure and procedure."   EnterpriseGRC Solutions facilitates the definition of effective internal control while supplying tools and project implementation to reach this goal.  In addition, nonpublic companies are increasingly aware of SEC-driven requirements around security, data management and the demonstration of other IT controls as required by SOC 2 v. 2016 plus privacy (SSAE no. 16).

So, what is the EnterpriseGRC Solutions approach?


EnterpriseGRC Solutions works with many current and relevant organizations and standards including ISO 27002, PMBOK, NIST, CSF, ITL, ITIL® Service Support, Six Sigma Process Control, ISO 9000 and 14000, FCAPS, CMM, and TMN, to name only a few.  The goal of EnterpriseGRC Solutions is to assess the implementation of process across all areas of IT.

For broad and comprehensive IT assessment EnterpriseGRC Solutions uses CobiT®.

"CobiT® provides management and business process owners with an Information Technology (IT) governance model that helps in understanding and managing the risks associated with IT. CobiT® helps bridge the gaps between business risks, control needs and technical issues. It is a control model to meet the needs of IT governance and ensure the integrity of information and information systems."

CobiT® (Control Objectives for Information and Related Technology) does not propose to replace all standards; rather, it is used to assess whether, and to what extent, standards are in place both across the IT infrastructure and in corporate IT management.
Risk Management and IT Control

  • Sarbanes-Oxley Section 404 and CobiT®: client training and compliance review
  • Establishing guidelines and policies representing good governance
  • A prescriptive tools approach to remediate low control maturity, matching tools with areas of defined exposure to risk
  • Security assessment and risk mitigation plan


EnterpriseGRC Solutions works with all standards including ISO 9001 and 14000, ISO/IEC 27002, PMBOK, NIST, ITL, ITIL® Service Support, Six Sigma Process Control, FCAPS, CMM, and TMN, to name only a few. The goal of EnterpriseGRC Solutions is to assess the implementation of process across all areas of IT. For broad and comprehensive IT assessment our primary standard and framework is CobiT 5®.


Sarbanes-Oxley, Sections 302 and 404: Internal Controls
EnterpriseGRC Solutions helps clients to recognize appropriate industry models for their organization's needs and promotes a structure of process development that is consistent with the maturity measurements defined by CobiT®. EnterpriseGRC Solutions provides rapid process development services, basing process selection on both standards and business reality. Since the enactment of Sarbanes-Oxley, companies need to understand new risk and control requirements. IT management, financial, and audit departments all want to know how they are required to respond. Companies are required to achieve transparency, accountability, and integrity while respecting the needs of a balanced business scorecard.

While no effort to implement a standard is wasted and all frameworks provide a basis for a process, the answer to our current need for immediate and comprehensive evidence of internal controls across all systems and information technology is CobiT®. EnterpriseGRC Solutions will utilize Methodware's CobiT® Advisor 3rd Edition to provide a single comprehensive tool for internal CobiT®-based assessment.

CobiT® Training and Implementation
Our Clients receive training and project management support to accomplish the following objectives:

  • Knowledge of the CobiT® Framework and Internal Audit Process
  • Prioritized process development based on identified control deficiencies
  • Completed Maturity Matrix with rankings to allow focus on risks
  • Time-phased follow-up audit plan with assigned owners to ensure success

The methodology for achieving these objectives is a three-phase plan. Each phase involves:

  • Presentation
  • Individual and group development
  • Task assignment
  • Feedback and Follow-Up

Aligning controls to the right domain is a great way to start understanding some of CobiT®'s points of alignment and the general organization of the controls framework.

This image shows one of the many tools we use to ensure our own and our client's success.

Common Language in Controls and Application Controls

The output of any policy or process includes a list of quality measures.  Quality is measured by a set of controls or tests, each designed to provide feedback or align our actions to those policies and procedures.
A "control" over a process is characterized by the ability to:

  • Communicate repeatable intention
  • Execute as planned (implementation plan)
  • Measure (risk measurement and impact analysis)
  • Record (management reporting and KPIs)
  • Respond (thresholds)
  • Archive (defined data retention)

Controls require a visible and recognized:

  • Name
  • Owner
  • Method (automated or manual)
  • Program
  • Frequency
  • Test
  • Activity definition
  • Location
  • Test evidence
  • Information processing objective
  • Sequence ID and method of tracking