Compliance Frameworks, Regulations and Bodies

Categoric - Solutions for GRC, BAM and SCEM

  • Supports established frameworks - COSO, COBIT, Turnbull, GRI and OCEG etc.
  • Allows the reuse of GRC spending across the business.
  • Enhances an organization's ability to react quickly and flexibly to new governance requirements.
  • Allows joined-up management with reuse of similar processes and frameworks.
  • Facilitates "across the board" metrics.
  • Presents a flexible solution to the imposed burden and associated costs of compliance both now and in the future.
  • Offers smaller businesses a way of enjoying the benefits of automation.
  • Allows compliance with laws and regulations that are not only related to financial statements.


Similar Frameworks and Processes

For modern organisations it makes real sense to adopt a joined-up approach to Governance, Risk Management, Compliance and Corporate Ethics or Social Responsibility. Many of the processes will be similar, and the frameworks selected should reflect the evolving need for a range of "across the board" metrics.


One obvious way to demonstrably bring an organization into compliance with the various regulatory requirements is to closely align its control objectives with established standards and frameworks. For example:

  • COSO for financial reporting (Committee of Sponsoring Organizations of the Treadway Commission).
  • COBIT specifically for IT (Control Objectives for Information and Related Technology)
  • The Turnbull Report (Internal Control: Guidance for Directors on the Combined Code.)

COSO believes that the most efficient and cost-effective way to implement and assess internal control over financial reporting is to build control-consciousness throughout the culture. This potentially means a large increase in the overall audit universe.

There are two logical ways to supplement the traditional auditing methodology and Categoric supports both:
  • Self-Assessment (by empowering operations)
  • Continuous/100% Auditing

COBIT is a framework for control over IT that fits with and supports COSO.

The COBIT control framework contributes to this by making a link to the business requirements and organizing IT activities into a generally accepted process model. It helps identify the major IT resources to be leveraged and assists with defining the management control objectives to be considered.


This means that monitoring and automation will make sure that the right things are done at the right time and are in line with the set directions and policies, which will allow an organization to move towards an “optimized” ranking within the COBIT maturity model. 

As with COSO, Categoric supports this framework by providing a solution to assist with a systematic and timely reporting of performance and prompt (potentially automated) action upon deviations.

The Turnbull Report is the abbreviated name given to guidance provided by The Institute of Chartered Accountants in England and Wales to enable UK companies to implement the internal controls required by the Combined Code on Corporate Governance. The report says that the system of internal control should:

  • be embedded in the operation of the organization and form part of its culture.
  • be capable of responding quickly to evolving risks.
  • include procedures for reporting any significant control failings immediately to appropriate levels of management.


Categoric directly supports the Turnbull recommendations. Turnbull puts the emphasis on the need to design processes which monitor the continuing effectiveness of the way the company manages risk. For smaller businesses Turnbull says that, in the absence of an internal audit function, the board will need to assess whether other monitoring processes provide sufficient and objective assurance - an area ripe for continuous monitoring and auditing.

 

Compliance - not just about financial controls...

It should also be noted that the term “internal control” includes controls associated with the effectiveness and efficiency of operations and compliance with laws and regulations that are not only related to financial statements. 


Examples of compliance regulations and bodies
  • United Kingdom Regulations
    • Data Protection Act 1998
    • Freedom of Information Act 2000
    • Human Rights Act 2000
    • Regulation of Investigatory Powers Act 2000 (RIPA)
    • Regulation of Investigatory Powers Act (Communications Data) Order 2003
    • Access to Health Records Act 1990
    • Proceeds of Crime Act 2002
    • Money Laundering Regulations 2003
    • Electronic Communications Act 2000
    • Electronic Signature Regulations 2002
    • Privacy and Electronic Communications (EC Directive) Regulations 2003
    • Electronic Commerce (EC Directive) Regulations 2003
    • Companies (Audit, Investigations and Community Enterprise) Bill

  • European Regulations
    • The Basel II Agreement For International Convergence Of Capital Management And Capital Standards
    • Data Protection Directive (DPD)
    • European Electronic Signature Standardization Initiative (EESSI)
    • Markets In Financial Instruments Directive (MIFID)

  • United States Regulations
    • Financial Services Modernization Act 1999
    • Health Insurance Portability and Accountability Act 1996 (HIPAA)
    • Securities and Exchange Act 1934 17a-3/4, NASD 3010/3110
    • Department of Defense Directive No. 5015.2
    • USA Patriot Act 2001
    • Sarbanes-Oxley Act 2002 (SOX)

  • Standards and Bodies
    • British Standard ISO/IEC 17799:2000 (Information Security Management)
    • ISO 15489 (Information and Documentation - Records Management)
    • Public Records Office II (PRO II) - Records Management
    • e-Government Interoperability Framework (e-GIF)
    • e-Government Meta Data Framework (e-GMF)
    • COBIT Control Objectives For Information And Related Technologies
    • COSO Committee of Sponsoring Organizations of the Treadway Commission
    • ISF-SOGP Information Security Forum's Standard Of Good Practice
    • ISO 17799 International Standards Organization's Information Security Standard
    • ITIL Information Technology Infrastructure Library

Of all the numerous examples quoted here, surveys suggest that typically only three are currently getting senior management attention - Basel II for banks, the Data Protection Directive and Sarbanes-Oxley for US companies.


The Markets in Financial Instruments Directive (MiFID) replaces the existing Investment Services Directive (ISD) and is likely to have a profound effect on the European financial industry when it takes effect in November 2007.


Faced with this increased level of complexity and uncertainty, businesses need to have a clear idea how they can meet the imposed burden and associated costs of compliance both now and in the future.


GRC - a joined up approach

As mentioned previously, organizations will benefit from a joined-up approach to Governance, Risk Management, Compliance and Corporate Ethics or Social Responsibility. A good starting point for organizations that are unclear how a co-ordinated approach could benefit them will be to look at the work of organizations like the Global Reporting Initiative (GRI) or the Open Compliance and Ethics Group (OCEG).


Categoric have designed their GRC offering - "Accord" - with the guidance and principles from the likes of GRI and OCEG in mind, in order to directly support this unified framework approach.


For example, Accord supports the following key sections in the OCEG Foundation Guidelines:

  • PR - Prevent, Protect and Prepare
  • D - Detect, Monitor and Evaluate
  • M - Ongoing Monitoring
  • R - Respond and Improve
  • I - Information and Communication

And, of course, leveraging:

  • T - Technology - to support the programme.


With an increasing number of directives in the pipeline and an emphasis on compliance with non-financial regulations, adopting this joined-up approach undoubtedly strengthens an organization's ability to react quickly and flexibly to new governance requirements.

 
For example, in the UK the Companies Act 2006 includes metrics and KPIs around such things as:

  • environmental matters (including the impact of the company’s business on the environment) 
  • the company’s employees  
  • social and community issues, including information about any company policies on those matters and their effectiveness 
  • persons with whom the company has contractual or other arrangements which are essential to the company’s business (a.k.a. the “supply chain” amendment).


The opportunity presented therefore is to use Categoric's solutions to build a flexible GRC framework based around a pragmatic recognition that while the expenditure might be necessary (possibly even compulsory), it makes sense to reuse that investment to benefit as much of the business as possible.


Our section "Basis for a Unified Framework" examines this concept in more detail.

 
Copyright 2007 WKD Solutions Limited Incorporating Categoric Software