Deploying GRC Automation

7/19/2010

John J. Chico, CPA, MBA, CIA
Manager, Global Compliance
Johnson Controls, Inc.
Building Efficiency Group

Learning Points

• How to be sure a GRC solution is worth the effort
• What are common misconceptions about deployment strategy and mistakes often made due to poor planning
• Lessons learned after completing just one phase and relevance to later phases


Background

• Company
– Johnson Controls is a global leader in energy and operational efficiency for personal and workplace environments, achieving over $38 billion revenue in 2008. Founded in 1885, the company is headquartered in Milwaukee, Wisconsin and is ranked 58 on the Fortune 500, with 140,000 employees serving customers in over 125 countries. The company is comprised of three divisions: Automotive, Building Efficiency and Power Solutions. SAP GRC is currently being deployed in the Building Efficiency (BE) Group.

• Existing challenges
– In 2005, Johnson Controls acquired York International, a global supplier of heating, ventilating, air-conditioning and refrigeration equipment and services and combined it with existing BE operations. As with any major acquisition, a significant challenge has been standardizing processes and controls across the newly formed organization.

• Company vision
– Johnson Controls is poised for significant global growth over the next decade. The sustainability of standard processes and controls is critical to the company’s strategy.

• Why GRC
– The GRC tool enables an environment which promotes standardization and convergence, which addresses existing and future challenges. A structured framework will enable future acquisitions to easily adapt, resulting in a quick and effective integration into the BE organization.
– Overall, we feel the GRC automation allows us to creatively address our immediate and future needs and more than reflects the phrase beneath our company logo:

Challenges before GRC Automation

Operations
• GL reporting: By region except US (Line of Business)
• Matrix and hierarchical organization structures in use

Process Standardization
• Merged organizations with differing policy approach (formal vs. informal)
• Inconsistent use of shared service centers

Assessments
• Self-assessments of controls stop at process owner, not control based
• Self-assessments not accompanied by self-testing
• Risk assessment process only annually performed

Monitoring technology
• Primitive database tool requires manual trend analysis
• Internal controls documentation (spreadsheets) for “in-scope” locations only.
• Field organizations have limited visibility to control environment


Program Maturity Characteristics

[Figure: “Return on Investment: The Development Continuum”, a maturity curve plotting Business Value against time (Prior, FY2009, FY2010, FY2011, FY2012 and beyond) through four stages: Blissful Ignorance → Increased Awareness, Remediation → Pro-active Sophistication, Solutions → Operational Excellence.]

Blissful Ignorance: Limited visibility to controls effectiveness
• Bus. process focus
• Manual trend analyses
• Significant org structure coverage
• Negative assurance
• Reactive remediation

Characteristics gained along the continuum
• De-centralized visibility
• Business driven solution development
• Real time risk assessment
• Risk based resource allocation, re-testing, solution development
• Self-testing integrated into monthly processes
• Automated reports, remote monitoring
• Business strategies linked to org goals
• Performance vs. objectives drives strategy tuning

Operational Excellence: Enhanced visibility to controls effectiveness
• Risk-Control focus
• Configured trend analyses
• Complete org structure coverage
• Positive confirmation
• Assign, track issues

BOS Policy

Uncontrolled copy of an online document.

Title: Project Accounting & Revenue Recognition
Number: 14–00.001.BEH
Sponsor:    Effective Date: October 1, 2007
Owner: Controller BE Group Operations    Revision: Initial release

1. PURPOSE
The purpose of this guideline is to document the basis for proper reporting of contract status, revenue, and margin on all contracts and services related to revenue from external customers, in order to comply with the Revenue Recognition policy of Johnson Controls, Inc., as noted in the Company’s annual report, as follows:

The Company recognizes revenue from long-term systems installation contracts over the contractual period under the percentage-of-completion (POC) method of accounting. This method of accounting recognizes sales and gross profit as work is performed based on the relationship between actual costs incurred and total estimated costs at the completion. Sales and gross profit are adjusted prospectively for revisions in estimated total contract costs and contract values. Estimated losses are recorded when identified. Claims against customers are recognized as revenue upon settlement.

Revenue from extended warranties and long-term service and maintenance agreements is recognized on a straight-line basis over the respective contract term.

Where multiple products and/or services are involved in the sale of HVAC products and services in a bundled arrangement, the bundled arrangement is to be divided into separate deliverables and revenue is allocated to each deliverable based on the relative fair value of all elements or the fair value of undelivered elements, in accordance with Emerging Issues Task Force Issue No. 00-21, “Revenue Arrangements with Multiple Deliverables.”

In all other cases, the Company recognizes revenue at the time products are shipped and title passes to the customer or as services are performed.

Timely and accurate reporting of contract status, revenue, and margin provides the following information necessary to successfully manage our business:
• revenue forecasts,
• manpower requirements,
• incentive calculations, and
• financial reports

2. SCOPE
Columns: Asia | Europe | Japan | Americas | Compliance expected as written | Can be tailored to local needs | Specific Applicability / Variance / Exceptions
BEHQ: X X X X X
GWS: X X X X X
UPG: X X X X X
Systems: X X X X X
Service: X X X X X
Refrigrtn: X X X X X
Mfg: X X X X X
Navy, Snow, Other: X X X X X
<In this area state any exceptions or expansions to applicability described in the boxes at the left.>

Catalog of BE Controls

Columns: Entity | Division | Business Unit | Mega Process | Major Process | Control ID | Risk Description | Revised Risk | Control Description | Revised Control | Control Type | Control Owner | Control Frequency | Control Automation | Test Plan - Ind. | Revised Test Plan

Control: Estimates for Asset Impairment 1
Entity: Controls Group
Division: Controls North America
Business Unit: Systems & Services North America
Mega Process: Subjective Reserves
Major Process: Process A) Estimates for Asset Impairment
Risk Description: Fair value declines are not properly identified, valued, and/or recorded. Assumptions for impairment estimates are incorrect. Key factors affecting the impairment estimate are not identified.
Revised Risk: No Change
Control Description: A schedule of potential impaired assets (intangibles and POAs) is reviewed and approved by SSA Accounting Management on a quarterly basis.
Revised Control: A schedule of potential impaired assets (intangibles and POAs) is reviewed and approved by Accounting Management on a quarterly basis.
Control Type: Key performance indicator
Control Owner: Rachel Hernandez-Systems and Jim Keller-Service
Control Frequency: Quarterly
Control Automation: Manual
Test Plan - Ind.: Examine the asset impairment analysis for the most recent quarter. Validate that the schedule was reviewed and approved by SSA Accounting Management. Roll forward Testing: Same as the initial testing.
Revised Test Plan: Examine the asset impairment analysis for the most recent quarter. Validate that the schedule was reviewed and approved by Accounting Management. Roll forward Testing: Same as the initial testing.

Control: Estimation of Commitments & Contingencies 1
Entity: Controls Group
Division: Controls North America
Business Unit: Systems & Services North America
Mega Process: Subjective Reserves
Major Process: Process B) Estimation of Commitments & Contingencies
Risk Description: Assumptions for commitments and contingencies are incorrect.
Revised Risk: No Change
Control Description: Account reconciliations for accruals are prepared, reviewed and approved by a member of the professional staff on a periodic basis, refer to the month-end close check list for the control frequencies for individual accounts.
Revised Control: Account reconciliations for accruals are prepared, reviewed and approved by a member of the professional staff on a periodic basis, refer to the reconciliation check list for the control frequencies for individual accounts.
Control Type: Reconciliation
Control Owner: Rachel Hernandez-Systems and Jim Keller-Service
Control Frequency: Monthly
Control Automation: Manual
Test Plan - Ind.: Obtain 2 months of account reconciliations for accruals accounts. Examine account reconciliations to validate that they were prepared timely and appropriately approved. Sample size to be determined based on the number of accruals accounts. Note: coordinate testing with account reconciliation testing performed for the SS NA "Ledger Maintenance & Financial Reporting" Matrix.
Revised Test Plan: No Change

Control: Estimation of Commitments & Contingencies 2
Entity: Controls Group
Division: Controls North America
Business Unit: Systems & Services North America
Mega Process: Subjective Reserves
Major Process: Process B) Estimation of Commitments & Contingencies
Risk Description: Calculation is based on incorrect data / key factors affecting contingency estimates are not identified.
Revised Risk: No Change
Control Description: Judgemental reserves are reviewed and approved by the SS Accounting Management for determination of judgmental reserve amounts on a quarterly basis. The AP Accrual and Late Charge Reserves are reviewed and approved by SS Accounting Management on an annual basis.
Revised Control: No Change
Control Type: Management review
Control Owner: Rachel Hernandez-Systems and Jim Keller-Service
Control Frequency: Quarterly
Control Automation: Manual
Test Plan - Ind.: Examine approval for subjective reserves for the most recent quarter. Validate that the judgemental reserve analysis was reviewed and approved by SSA Accounting Management. Scope includes the following accounts: AP accrual, guaranteed savings shortfall, late charge reserve, revenue accruals/cost deferrals, & other accruals/deferrals. Roll forward Testing: Same as the initial testing.
Revised Test Plan: No Change

Control: Estimation of Commitments & Contingencies 3
Entity: Controls Group
Division: Controls North America
Business Unit: Systems & Services North America
Mega Process: Subjective Reserves
Major Process: Process B) Estimation of Commitments & Contingencies
Risk Description: Commitments / contingencies are not identified and/or recorded.
Revised Risk: No Change
Control Description: The VP of General Council for Controls-Americas distributes a report listing outstanding material legal matters, and this report is reviewed and approved by the CG Controller of Accounting Services on a quarterly basis.
Revised Control: The VP of General Counsel for Controls-Americas distributes a report listing outstanding material legal matters, and this report is reviewed and approved by the CG Controller of Accounting Services on a quarterly basis.
Control Type: Management review
Control Owner: JANE WILSON
Control Frequency: Quarterly
Control Automation: Manual
Test Plan - Ind.: Examine the legal analysis for the most recent quarter. Validate that the schedule was reviewed and approved by the Controller(s) of SSA.
Revised Test Plan: No Change

Control: Estimated Allowance for Doubtful Accounts 1
Entity: Controls Group
Division: Controls North America
Business Unit: Systems & Services North America
Mega Process: Subjective Reserves
Major Process: Process C) Estimated Allowance for Doubtful Accounts
Risk Description: Bad debt calculations are improperly recorded in the system. Assumptions are incorrect. Calculation is based on incorrect aging data.
Revised Risk: No Change
Control Description: An allowance for doubtful accounts reserve analysis is reviewed and approved by the SS Accounting Management on a quarterly basis.
Revised Control: No Change
Control Type: Management review
Control Owner: Rachel Hernandez-Systems and Jim Keller-Service
Control Frequency: Quarterly
Control Automation: Manual
Test Plan - Ind.: Examine the allowance for doubtful accounts analysis for the most recent quarter. Validate that the schedule was reviewed and approved by SSA Accounting Management. Roll forward Testing: Same as the initial testing procedure.
Revised Test Plan: No Change

Control: Warranty Reserve and Expense 1
Entity: Controls Group
Division: Controls North America
Business Unit: Systems & Services North America
Mega Process: Subjective Reserves
Major Process: Process D) Warranty Reserve and Expense
Risk Description: Assumptions for warranty reserves are incorrect/key factors are not identified.
Revised Risk: No Change
Control Description: A warranty reserve schedule is reviewed and approved by the SSA Controllers on a quarterly basis for determination of reserve amounts.
Revised Control: A warranty reserve schedule is reviewed and approved by the SS Accounting Management on a quarterly basis for determination of reserve amounts.
Control Type: Key performance indicator
Control Owner: Rachel Hernandez-Systems and Jim Keller-Service
Control Frequency: Quarterly
Control Automation: Manual
Test Plan - Ind.: Examine the warranty analysis for the most recent quarter. Validate that the schedule was reviewed and approved by SSA Accounting Management. Roll forward Testing: Same as the initial testing procedure.
Revised Test Plan: Examine the warranty analysis for the most recent quarter. Validate that the schedule was reviewed and approved by SS Accounting Management. Roll forward Testing: Same as the initial testing procedure.

Assessment Tools

WHAT’S IN “THE GRC”?

[Figure: inputs feeding “THE GRC”: BE Business Processes; Performance Reporting, Remote Monitoring, CRT Preparation; Policies; SOX Matrices; Organization Structure (Region 1, Region 2). Outputs: GAP Analysis; Assessment Results, Issues; Remediation Tracker (Issues, Remediation).]

GRC structure allows JCI (BE) to establish standard controls and assessments of effectiveness across the entire org structure, while tracking resulting gaps and solutions.


Comparison of Survey Processes

Identify Participants
Before GRC Automation:
• Survey Planning tool
• Locations
• Org level
With GRC Automation:
– Org structure set up in tool
– All BE locations in Hyperion
– Participant target below 302 level

Ensure coverage
Before GRC Automation:
• Participation report verified in each region
• Participation file created each qtr
With GRC Automation:
– Repeatable survey participation plan
– Participation plan file maintained in GRC

Survey completion
Before GRC Automation:
• Indicate org
• Indicate level
• Overlapping surveys req’d
With GRC Automation:
– Org structure converts to survey workflow
– Relevant controls configurable by location

Summarize Responses & Reports
Before GRC Automation:
• Centralized
• Data consolidation
• Report formats
With GRC Automation:
– Report links pre-configured data summarization routines to pre-configured report formats

GRC Automation Survey Flow

How does the tool work for surveys?
– Control based approach to control self assessments (CSA)
– Workflow Driven Process: Assess Controls / Identify Issues / Create Remediation Plans / Close Remediation / Re-Assess

[Flow diagram: Example of Accounts Payable – Invoice Entry Sub-Process, Control Self Assessment Survey]


Control Owner Rates the Effectiveness of the Control

The Control Owner can choose from one of the following ratings:

• Adequate: An effectively controlled process based on satisfactory business evaluation of the controls. (green square icon)
• Exception: An instance or a combination of instances that is less severe than a deficiency but is important enough to merit attention by those responsible for the overall operational and financial processes. (yellow triangular icon)
• Deficient: An instance or a combination of instances where there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis. (red circle icon)

Testing Process Overview

[Swim-lane flow diagram with lanes Tester, Reviewer and BE Global Compliance]

Tester:
Retrieve Test Form from e-room (“pdf” file)
• Located in one e-room folder for “Test Forms” “Available for pick-up”
• One form required for each control.
Retrieve documents to be tested
• Located in e-room folders by control #.
Perform Testing
• Record results
• Submit all test documents and test forms to reviewer.

Reviewer:
Obtain Test docs, Forms for Review
Review Completed
Completed, Reviewed Test Forms moved to “Final Forms” folder in e-room

BE Global Compliance:
Retrieve Test Form from e-room.
• Held in staging area accessible only to reviewer and BEGC
Upload Test Form to GRC
• Test Form Tracker updated
Ensure data properly loaded to GRC
• Data compared
Back-up made, Test Form Tracker updated


Perform Control Testing – Flow Diagram

[Flow diagram: Example of Testing Issues & Remediation]

Benefits
• Focus improves awareness of internal control activities
• Path to increased field ownership of control environment
• Increased visibility between regions / among similar lines of business
• Improved reliability of business processes
• Better accountability of field remediation
• Enables more timely, comprehensive risk assessments


Key Deployment Tasks

• Define Organizational Hierarchy
– Aligning with Hyperion for Fin/Ops/SOX
– Need to Determine How IT Organizations Need to Be Structured (i.e., by application platform, infrastructure)
• Identify Risks and Controls for each CSA Question
• Identify User Roles and Management Review Process (i.e., CSA Completer, CSA Reviewer, CSA Approver)
• Define Corrective Action/Remediation Workflow
• Develop End-User Training Materials and Targeted Training Sessions
• Define Reporting Requirements (i.e., Location Management, BE HQ Management, Corporate Audit/Compliance)

Original Implementation Approach

Aug – Sept 2009
• UPG North America “pilot” participation in Quarterly Control Self Assessment (CSA) using the GRC tool.
• BEGC will develop "help-desk" resource.

Sept 2009
• Lessons learned from “pilot” deployment will be documented and additional training developed to roll out to additional regions and business units.

Oct – Nov 2009
• Each region will receive training before the full roll-out of the GRC Control Self Assessment, which is planned to begin in November 2009.

Nov – Dec 2009
• GRC tool to be utilized globally for the 4th Quarter CSA process.


Phase I Plan

[Figure: Phase I project plan]

Phase One Lessons Learned:
• Variability of risks and controls understood prior to standardization
– Resulted in lengthy descriptions requiring several edits
• Clearer understanding of user base earlier in process
– BU input to user structure occurred too close to training and production load. Resulted in revising structure during training, delayed production load.
• Differentiate “Pilot” process objectives from regional deployments
– Created overly optimistic timeline for full simultaneous deployment at “pilot” location without back-up plan to address simpler baseline objectives.
• Logistic challenges must be better understood prior to project initiation
– Communication hurdles, bottlenecks, prioritizing ongoing responsibilities
• Team collaboration skills must be sharpened prior to project initiation
– Communication, collaboration skills, team functionality put to test


Without A Team Collaboration Plan…

• EFFECTS:
– Jumping to conclusions
– Poor attitudes
– Miscommunication
– Silent resignation
– Anger

Which lead to…
• Lack of project commitment
• Failure to properly assign responsibility
• Unclear project objectives
• Misunderstanding roles
• Lack of appropriate supervision
• Lack of employee engagement
• Lack of, or inadequate, training
• Lack of accountability
• Poor follow-up

Application of Lessons to Next Phases

• Prepare analysis of risks and controls variations to standards prior to development of regional training
• Obtain user base (regional and country level compliance) input to user structure early in deployment planning.
• Establish specific, results oriented, measurable, achievable and time bound objectives for regional deployments.
• Sharpen team collaboration skills and develop integration program (training) for new regional participants.


Task Control Listing

[Figure: task control listing screenshot]

Control Owner Identification

[Figure: control owner identification screenshot]


Global Reach Desired

[Map: North America, Latin America, Europe, Middle East, Asia]

Future GRC Automation Phases

Small Regions / Pilot “Testing”
• Use CSA Pilot lessons
• Develop plan flexibility

Large Regions
• Re-assess plan
• Enhance Coordination

Integrate Add’l Functions
• Compliance Reviews
• Self-testing
• Risk assessment

[Roadmap figure with tracks: Roll-out across regions; Test plan Functionality; Enhance Reporting; New Compliance Frameworks]
• Offline testing via interactive forms
• Continuous monitoring via automated controls
• Automation of effectiveness testing
• System based scoping
• Common Master Data Structures
• Common Processes
• Enterprise wide surveys
• Common reporting


Best Practices
• Early involvement of users
• Sharpen team dynamics
• Anticipate user hurdles, questions, bottlenecks
• A back-up for every plan
• Have a step-by-step functionality roll-out vision

Key Learnings

• GRC solution is worth the effort if:
– Standardization critical
– Decentralized organization
• Common misconceptions and mistakes:
– Optimistic timelines without back-up
– Lack of early user involvement
– Planned focus on team dynamics


Key Learnings - continued

• Lessons learned after one phase:
– Anticipate hurdles, user objections
– Need for flexibility in deployment plan
• Return on GRC investment:
– Decentralization of control, process ownership
– Integration of controls assessment into financial processes to sustain

Contact Information