Deploying GRC Automation
7/19/2010
John J. Chico, CPA, MBA, CIA
Manager, Global Compliance
Johnson Controls, Inc.
Building Efficiency Group
Learning Points
• How to be sure a GRC solution is worth the effort
• What are common misconceptions about deployment strategy and mistakes often made due to poor planning
• Lessons learned after completing just one phase and relevance to later phases
Background
• Company
– Johnson Controls is a global leader in energy and operational efficiency for personal and workplace environments, achieving over $38 billion revenue in 2008. Founded in 1885, the company is headquartered in Milwaukee, Wisconsin and is ranked 58 on the Fortune 500, with 140,000 employees serving customers in over 125 countries. The company is comprised of three divisions: Automotive, Building Efficiency and Power Solutions. SAP GRC is currently being deployed in the Building Efficiency (BE) Group.
• Existing challenges
– In 2005, Johnson Controls acquired York International, a global supplier of heating, ventilating, air-conditioning and refrigeration equipment and services and combined it with existing BE operations. As with any major acquisition, a significant challenge has been standardizing processes and controls across the newly formed organization.
• Company vision
– Johnson Controls is poised for significant global growth over the next decade. The sustainability of standard processes and controls is critical to the company’s strategy.
• Why GRC
– The GRC tool enables an environment which promotes standardization and convergence, which addresses existing and future challenges. A structured framework will enable future acquisitions to easily adapt, resulting in a quick and effective integration into the BE organization.
– Overall, we feel the GRC automation allows us to creatively address our immediate and future needs and more than reflects the phrase beneath our company logo:
Challenges before GRC Automation
Operations
• GL reporting: By region except US (Line of Business)
• Matrix and hierarchical organization structures in use
Process Standardization
• Merged organizations with differing policy approach (formal vs. informal)
• Inconsistent use of shared service centers
Assessments
• Self-assessments of controls stop at process owner, not control based
• Self-assessments not accompanied by self-testing
• Internal controls documentation (spreadsheets) for “in-scope” locations only.
• Field organizations have limited visibility to control environment
Program Maturity Characteristics
Return on Investment: The Development Continuum
[Figure: development continuum. Axis: Business Value. Stages: Blissful Ignorance; Increased Awareness, Remediation; Pro-active Sophistication, Solutions; Operational Excellence. Timeline: Prior, FY2009, FY2010, FY2011, FY2012 and beyond]
• Limited visibility to controls effectiveness
– Bus. process focus
– Manual trend analyses
– Significant org structure coverage
– Negative assurance
– Reactive remediation.
• De-centralized visibility,
• Business driven solution development
• Real time risk assessment
• Risk based resource allocation re-testing, solution development
• Self-testing integrated into monthly processes
• Automated reports, remote monitoring
• Business strategies linked to org goals
• Performance vs. objectives drives strategy tuning
• Enhanced visibility to controls effectiveness
– Risk-Control focus
– Configured trend analyses
– Complete org structure coverage
– Positive confirmation
– Assign, track issues
BOS Policy
Uncontrolled copy of an online document.
Title: Project Accounting & Revenue Recognition
Number: 14 –00.001.BE H
Sponsor:
Effective Date: October 1, 2007
Owner: Controller BE Group Operations
Revision: Initial release

1. PURPOSE
The purpose of this guideline is to document the basis for proper reporting of contract status, revenue, and margin on all contracts and services related to revenue from external customers, in order to comply with the Revenue Recognition policy of Johnson Controls, Inc., as noted in the Company’s annual report, as follows:

The Company recognizes revenue from long-term systems installation contracts over the contractual period under the percentage-of-completion (POC) method of accounting. This method of accounting recognizes sales and gross profit as work is performed based on the relationship between actual costs incurred and total estimated costs at the completion. Sales and gross profit are adjusted prospectively for revisions in estimated total contract costs and contract values. Estimated losses are recorded when identified. Claims against customers are recognized as revenue upon settlement.

Revenue from extended warranties and long-term service and maintenance agreements is recognized on a straight-line basis over the respective contract term.

Where multiple products and/or services are involved in the sale of HVAC products and services in a bundled arrangement, the bundled arrangement is to be divided into separate deliverables and revenue is allocated to each deliverable based on the relative fair value of all elements or the fair value of undelivered elements, in accordance with Emerging Issues Task Force Issue No. 00-21, “Revenue Arrangements with Multiple Deliverables.”

In all other cases, the Company recognizes revenue at the time products are shipped and title passes to the customer or as services are performed.

Timely and accurate reporting of contract status, revenue, and margin provides the following information necessary to successfully manage our business:
• revenue forecasts,
• manpower requirements,
• incentive calculations, and
• financial reports

2. SCOPE
Columns: Asia | Europe | Japan | Americas | Compliance expected as written | Can be tailored to local needs | Specific Applicability / Variance / Exceptions
BEHQ: X X X X X
GWS: X X X X X
UPG: X X X X X
Systems: X X X X X
Service: X X X X X
Refrigrtn: X X X X X
Mfg: X X X X X
Navy, Snow, Other: X X X X X
Specific Applicability / Variance / Exceptions: <In this area state any exceptions or expansions to applicability described in the boxes at the left.>
Catalog of BE Controls
Columns: Entity | Division | Business Unit | Mega | Major Process | Control ID | Risk Description | Revised Risk | Control Description | Revised Control | Control Type | Control Owner | Control Frequency | Control Automation | Test Plan - Ind. | Revised Test Plan

Entity: Controls Group
Division: Controls North America
Business Unit: Systems & Services North America
Mega / Major Process: Subjective Reserves Process A) Estimates for Asset Impairment
Control ID: Estimates for Asset Impairment 1
Risk Description: Fair value declines are not properly identified, valued, and/or recorded. Assumptions for impairment estimates are incorrect. Key factors affecting the impairment estimate are not identified.
Revised Risk: No Change
Control Description: A schedule of potential impaired assets (intangibles and POAs) is reviewed and approved by SSA Accounting Management on a quarterly basis.
Revised Control: A schedule of potential impaired assets (intangibles and POAs) is reviewed and approved by Accounting Management on a quarterly basis.
Control Type: Key performance indicator
Control Owner: Rachel Hernandez-Systems and Jim Keller-Service
Control Frequency: Quarterly
Control Automation: Manual
Test Plan - Ind.: Examine the asset impairment analysis for the most recent quarter. Validate that the schedule was reviewed and approved by SSA Accounting Management. Roll forward Testing: Same as the initial testing.
Revised Test Plan: Examine the asset impairment analysis for the most recent quarter. Validate that the schedule was reviewed and approved by Accounting Management. Roll forward Testing: Same as the initial testing.

Entity: Controls Group
Division: Controls North America
Business Unit: Systems & Services North America
Mega / Major Process: Subjective Reserves Process B) Estimation of Commitments & Contingencies
Control ID: Estimation of Commitments & Contingencies 1
Risk Description: Assumptions for commitments and contingencies are incorrect.
Revised Risk: No Change
Control Description: Account reconciliations for accruals are prepared, reviewed and approved by a member of the professional staff on a periodic basis, refer to the month-end close checklist for the control frequencies for individual accounts.
Revised Control: Account reconciliations for accruals are prepared, reviewed and approved by a member of the professional staff on a periodic basis, refer to the reconciliation checklist for the control frequencies for individual accounts.
Control Type: Reconciliation
Control Owner: Rachel Hernandez-Systems and Jim Keller-Service
Control Frequency: Monthly
Control Automation: Manual
Test Plan - Ind.: Obtain 2 months of account reconciliations for accruals accounts. Examine account reconciliations to validate that they were prepared timely and appropriately approved. Sample size to be determined based on the number of accruals accounts. Note: coordinate testing with account reconciliation testing performed for the SS NA "Ledger Maintenance & Financial Reporting" Matrix.
Revised Test Plan: No Change

Entity: Controls Group
Division: Controls North America
Business Unit: Systems & Services North America
Mega / Major Process: Subjective Reserves Process B) Estimation of Commitments & Contingencies
Control ID: Estimation of Commitments & Contingencies 2
Risk Description: Calculation is based on incorrect data / key factors affecting contingency estimates are not identified.
Revised Risk: No Change
Control Description: Judgemental reserves are reviewed and approved by the SS Accounting Management for determination of judgmental reserve amounts on a quarterly basis. The AP Accrual and Late Charge Reserves are reviewed and approved by SS Accounting Management on an annual basis.
Revised Control: No Change
Control Type: Management review
Control Owner: Rachel Hernandez-Systems and Jim Keller-Service
Control Frequency: Quarterly
Control Automation: Manual
Test Plan - Ind.: Examine approval for subjective reserves for the most recent quarter. Validate that the judgemental reserve analysis was reviewed and approved by SSA Accounting Management. Scope includes the following accounts: AP accrual, guaranteed savings shortfall, late charge reserve, revenue accruals/cost deferrals, & other accruals/deferrals. Roll forward Testing: Same as the initial testing.
Revised Test Plan: No Change

Entity: Controls Group
Division: Controls North America
Business Unit: Systems & Services North America
Mega / Major Process: Subjective Reserves Process B) Estimation of Commitments & Contingencies
Control ID: Estimation of Commitments & Contingencies 3
Risk Description: Commitments / contingencies are not identified and/or recorded.
Revised Risk: No Change
Control Description: The VP of General Council for Controls-Americas distributes a report listing outstanding material legal matters, and this report is reviewed and approved by the CG Controller of Accounting Services on a quarterly basis.
Revised Control: The VP of General Counsel for Controls-Americas distributes a report listing outstanding material legal matters, and this report is reviewed and approved by the CG Controller of Accounting Services on a quarterly basis.
Control Type: Management review
Control Owner: JANE WILSON
Control Frequency: Quarterly
Control Automation: Manual
Test Plan - Ind.: Examine the legal analysis for the most recent quarter. Validate that the schedule was reviewed and approved by the Controller(s) of SSA.
Revised Test Plan: No Change

Entity: Controls Group
Division: Controls North America
Business Unit: Systems & Services North America
Mega / Major Process: Subjective Reserves Process C) Estimated Allowance for Doubtful Accounts
Control ID: Estimated Allowance for Doubtful Accounts 1
Risk Description: Bad debt calculations are improperly recorded in the system. Assumptions are incorrect. Calculation is based on incorrect aging data.
Revised Risk: No Change
Control Description: An allowance for doubtful accounts reserve analysis is reviewed and approved by the SS Accounting Management on a quarterly basis.
Revised Control: No Change
Control Type: Management review
Control Owner: Rachel Hernandez-Systems and Jim Keller-Service
Control Frequency: Quarterly
Control Automation: Manual
Test Plan - Ind.: Examine the allowance for doubtful accounts analysis for the most recent quarter. Validate that the schedule was reviewed and approved by SSA Accounting Management. Roll forward Testing: Same as the initial testing procedure.
Revised Test Plan: No Change

Entity: Controls Group
Division: Controls North America
Business Unit: Systems & Services North America
Mega / Major Process: Subjective Reserves Process D) Warranty Reserve and Expense
Control ID: Warranty Reserve and Expense 1
Risk Description: Assumptions for warranty reserves are incorrect/key factors are not identified.
Revised Risk: No Change
Control Description: A warranty reserve schedule is reviewed and approved by the SSA Controllers on a quarterly basis for determination of reserve amounts.
Revised Control: A warranty reserve schedule is reviewed and approved by the SS Accounting Management on a quarterly basis for determination of reserve amounts.
Control Type: Key performance indicator
Control Owner: Rachel Hernandez-Systems and Jim Keller-Service
Control Frequency: Quarterly
Control Automation: Manual
Test Plan - Ind.: Examine the warranty analysis for the most recent quarter. Validate that the schedule was reviewed and approved by SSA Accounting Management. Roll forward Testing: Same as the initial testing procedure.
Revised Test Plan: Examine the warranty analysis for the most recent quarter. Validate that the schedule was reviewed and approved by SS Accounting Management. Roll forward Testing: Same as the initial testing procedure.
WHAT’S IN “THE GRC”?
GRC structure allows JCI (BE) to establish standard controls and assessments of effectiveness across the entire org structure, while tracking resulting gaps and solutions.
[Diagram labels: Assessment Tools; BE Business Processes; Performance Reporting, Remote Monitoring, CRT Preparation; Policies; SOX Matrices; “THE GRC”; GAP Analysis; Assessment Results, Issues; Remediation Tracker; Region 1; Region 2; Issues; Remediation; Organization Structure]
Comparison of Survey Processes
Identify Participants
• Before GRC Automation:
– Survey Planning tool
– Locations
– Org level
• w/ GRC Automation:
– Org structure set up in tool
– All BE locations in Hyperion
– Participant target below 302 level
Ensure coverage
• Before GRC Automation:
– Participation report verified in each region
– Participation file created each qtr
• w/ GRC Automation:
– Repeatable Survey participation plan
– Participation plan file maintained in GRC
Survey completion
• Before GRC Automation:
– Indicate org
– Indicate level
– Overlapping surveys req’d
• w/ GRC Automation:
– Org structure converts to survey workflow
– Relevant controls configurable by location
Summarize Responses & Reports
• Before GRC Automation:
– Centralized
– Data consolidation
– Report formats
• w/ GRC Automation:
– Report links pre-configured data summarization routines to pre-configured report formats
GRC Automation Survey Flow
• How does the tool work for surveys?
– Control based approach to control self assessments (CSA)
• UPG North America “pilot” participation in Quarterly Control Self Assessment (CSA) using the GRC tool.
• BEGC will develop "help-desk" resource.
Sept 2009
• Lessons learned from “pilot” deployment will be documented and additional training developed to roll out to additional regions and business units.
Oct – Nov 2009
• Each region will receive training before the full roll-out of the GRC Control Self Assessment which is planned to begin in November, 2009.
Nov – Dec 2009
• GRC tool to be utilized globally for the 4th Quarter CSA process.
Phase I Plan
Phase One Lessons Learned:
• Variability of risks and controls understood prior to standardization
– Resulted in lengthy descriptions requiring several edits
• Clearer understanding of user base earlier in process
– BU input to user structure occurred too close to training and production load. Resulted in revising structure during training, delayed production load.
• Differentiate “Pilot” process objectives from regional deployments
– Created overly optimistic timeline for full simultaneous deployment at “pilot” location without back-up plan to address simpler baseline objectives.
• Logistic challenges must be better understood prior to project initiation
– Communication hurdles, bottlenecks, prioritizing ongoing responsibilities
• Team collaboration skills must be sharpened prior to project initiation
– Communication, collaboration skills, team functionality put to test
Without A Team Collaboration Plan…..
• EFFECTS:
– Jumping to conclusions
– Poor attitudes
– Miscommunication
– Silent resignation
– Anger
Which lead to………….
• Lack of project commitment
• Failure to properly assign responsibility
• Unclear project objectives
• Misunderstanding roles
• Lack of appropriate supervision
• Lack of employee engagement
• Lack of, or inadequate training
• Lack of accountability
• Poor Follow-up
Application of Lessons to next phases
• Prepare analysis of risks and controls variations to standards prior to development of regional training
• Obtain user base (regional and country level compliance) input to user structure early in deployment planning.
• Establish specific, results oriented, measurable, achievable and time bound objectives for regional deployments.
• Sharpen team collaboration skills and develop integration program (training) for new regional participants.
Task Control Listing
Control Owner Identification
Global Reach Desired
North America
Latin America
Europe
Middle East Asia
Future GRC Automation Phases
Small Regions / Pilot “Testing”
• Use CSA Pilot lessons
• Develop plan flexibility
Large Regions
• Re-assess plan
• Enhance Coordination
Integrate Add’l Functions
• Compliance Reviews
• Self-testing
• Risk assessment

• Offline testing via interactive forms
• Continuous monitoring via automated controls
• Automation of effectiveness testing
• System based scoping
• Common Master Data Structures
• Common Processes
• Enterprise wide surveys
• Common reporting
• Roll-out across regions
• Test plan Functionality
• Enhance Reporting
• New Compliance Frameworks
Best Practices
• Early involvement of users
• Sharpen team dynamics
• Anticipate user hurdles, questions, bottlenecks
• A back-up for every plan
• Have a step-by-step functionality roll-out vision
Key Learnings
• GRC solution is worth the effort if:
– Standardization critical
– Decentralized organization
• Common misconceptions and mistakes:
– Optimistic timelines without back-up
– Lack of early user involvement
– Planned focus on team dynamics
Key Learnings - continued
• Lessons learned after one phase:
– Anticipate hurdles, user objections
– Need for flexibility in deployment plan
• Return on GRC investment:
– Decentralization of control, process ownership
– Integration of controls assessment into financial processes to sustain