GRC-XML Program Working Session: GRC-XML Risk and Control Taxonomy GRC-XML Prototype XBRL International Conference, Paris France June 25th, 2009 14:30.

Presentation transcript:

GRC-XML Program Working Session: GRC-XML Risk and Control Taxonomy, GRC-XML Prototype
XBRL International Conference, Paris, France
June 25th, 2009, 14:30 – 15:00

Your Speakers
• Said Tabet, Technical Director, OCEG
• Eric E. Cohen, Executive Member, OCEG GRC-XML Working Group

OCEG GRC-XML Program
• Overview of the GRC XML Program and its architecture
• Demonstration of disparate systems sharing standardized GRC data to illustrate the use of the GRC XML taxonomy of Risks and Controls, the foundation of the future GRC-XML deliverables
• Next steps
  ◦ For OCEG
  ◦ For those interested in the work

OCEG GRC-XML Program
• Today’s business environment is highly volatile
• In response, there is increasing attention to GRC policies and procedures
• Today’s GRC architecture is predominantly silo-based, making sharing data difficult and error-prone
• A common language to represent their risks, controls, policies, procedures and test of controls can facilitate discussion, comparison and interchange
• We are driving the development of GRC-XML to address this problem
• OCEG is currently a provisional jurisdiction of XBRL
• GRC-XML
  ◦ Is XBRL
  ◦ Leverages XBRL's external reporting taxonomies
  ◦ Is highly integrated with XBRL's Global Ledger Framework
• We hope GRC-XML will enable highly efficient and agile Risk and Control Monitoring systems in a format that is application-neutral and easy to integrate

[Diagram: OCEG GRC-XML Program. Labels: Orgs With An Invested Interest; WorkGroups; Risk and Control Taxonomy; Fujitsu’s ERM XBRL Program; Taxonomy/Messaging Standards Area; Related Council Member Targets; Identified Taxonomy “Quick Wins”]

GRC-XML Taxonomy: The Business Case
• A common language of risk and control is a prerequisite for effective management of audit, risk, and compliance processes
• Most organizations currently struggle with a common language of risk and control between their internal GRC silos
• There is no standard risk and control language for multiple information systems to communicate or pass information

GRC-XML Taxonomy: Assumptions
• Risk and control taxonomies, from a business process view, function very similarly to a chart of accounts
• Standard risk and control models exist and are utilized by many organizations (COSO, COBIT), yet there is no common language for systems to communicate on these taxonomies
• XBRL is a functional technology for enabling systems to communicate business and financial reporting information
• XBRL can be effectively leveraged to enable information systems to communicate Risk, Control and Test of Control information

GRC-XML Taxonomy: Requirements
• Define a standard XBRL Taxonomy for Controls and Risks
• Define an XBRL for GRC integration specification (leveraging the XBRL Global Ledger Framework - XBRL GL) that will enable the mapping and delivery of a payload of information
• Leverage XBRL for external reporting
• Use XBRL GL for evidence and other payload

[Diagram: GRC-XML Model (very simplified). Elements: Business Process; Risk; Internal Control; Test of Control; Procedure; Task; Financial Risk; Operational Risk; Other Risk; COSO; Internal Policy; Regulations]

COSO Framework Overview

GRC-XML Taxonomy: The Extended COSO Taxonomy
• DTS (Discoverable Taxonomy Sets) of COSO IC taxonomy
[Diagram: taxonomy layers and files. Layers: COSO Layer; Fujitsu Evaluation Layer; Fujitsu Risk/Control Layer. Schema files: coso.xsd; coso-act.xsd; coso-obj.xsd; coso-rsk.xsd; coso-cta.xsd; fujitsu-rcm.xsd; fujitsu-rol.xsd; fujitsu-rsk.xsd; fujitsu-cta.xsd. Instance: FY2008evaluation.xml. Annotations: COSO Template consists of 25 components (sample: INBOUND); Risk Evaluation for Organizations; Testing for Control Activities; Related Organizations; Relation among activity, objectives, risks and control activities; Viewer (Presentation)]
Copyright Fujitsu Research Institute 2009

GRC-XML Taxonomy: The COSO Taxonomy (Cont’d)
• 25 activities defined in COSO Evaluation Tool:
  1. INBOUND
  2. OPERATIONS
  3. OUTBOUND
  4. MARKETING AND SALES
  5. SERVICE
  6. PROCUREMENT
  7. TECHNOLOGY DEVELOPMENT
  8. HUMAN RESOURCES
  9. MANAGE THE ENTERPRISE
  10. MANAGE EXTERNAL RELATIONS
  11. PROVIDE ADMINISTRATIVE SERVICES
  12. MANAGE INFORMATION TECHNOLOGY
  13. MANAGE RISKS
  14. MANAGE LEGAL AFFAIRS
  15. PLAN
  16. PROCESS ACCOUNTS PAYABLE
  17. PROCESS ACCOUNTS RECEIVABLE
  18. PROCESS FUNDS
  19. PROCESS FIXED ASSETS
  20. ANALYZE AND RECONCILE
  21. PROCESS BENEFITS AND RETIREE INFORMATION
  22. PROCESS PAYROLL
  23. PROCESS TAX COMPLIANCE
  24. PROCESS PRODUCT COSTS
  25. PROVIDE FINANCIAL AND MANAGEMENT REPORTING
Copyright Fujitsu Research Institute 2009

GRC-XML Taxonomy: The Viewer
[Screenshot: Extended Risk and Control in Fujitsu-RCM taxonomy]

GRC-XML Taxonomy: The Viewer (Cont’d)
[Screenshot: Values in Instance document FY2008evaluation.xml, in dimensional view]

The Prototype GRC-XML at work OCEG GRC-XML Program

[Diagram: GRC-XML Taxonomy: Prototype Architecture. Labels: ERP Financial Application (GL, AP, AR, FA, etc.); Controls Testing & Monitoring; Risk & Controls Repository; GRC XML; Automated Control Tests; Transactions; Configurations; User access; Manual Control Tests; Surveys; Sampling; Risk models; Controls documentation; Organization / Process; Test Procedures; Test Results]

Demonstration

Next Steps OCEG GRC-XML Program

[Diagram: OCEG GRC-XML Program. Labels: Orgs With An Invested Interest; Target areas; Strategy and Measurement; Corporate Disclosure; Issue and Incident Management; Legal Requirements; Risk and Control Taxonomy; Taxonomy/Messaging Standards Area; Related Council Member Targets]

Call to Action: Come Join Us!
• If this project is of interest to you and your organization, or if you have specific skills, knowledge and expertise you can provide, please contact OCEG
• Join OCEG and take part
• If you can’t join but you have expertise or have intellectual property to contribute, please contact OCEG
• Said Tabet