Title: Governance, Risk,
May 1, 2006 - New Jersey IIA Chapter Software Expo
Governance, Risk, Compliance - Protiviti Demonstration
Presenter: Michael Mask, Associate Director, Risk Technology Solutions Group
Protiviti - Who We Are

Protiviti Offices and Resources: Atlanta, GA; Boston, MA; Chicago, IL; Cincinnati, OH; Cleveland, OH; Dallas, TX; Denver, CO; Ft. Lauderdale, FL; Houston, TX; Kansas City, MO; Los Angeles, CA; Milwaukee, WI; Minneapolis, MN; New York City, NY; Orlando, FL; Philadelphia, PA; Phoenix, AZ; Pittsburgh, PA; Salt Lake City, UT; San Francisco, CA; San Jose, CA; Seattle, WA; St. Louis, MO; Tampa, FL; Vienna, VA; Toronto, Canada; Australia; Asia; Europe; South America

- Who We Are
- Protiviti is an independent risk consulting and internal audit company that offers a full spectrum of internal audit services and specific operational risk competencies, delivered by way of proven methodologies and supporting technology.
- What We Do
- We provide the following services to our clients:

Business Risk Consulting: Event-Related Financial Risk; Governance/Sarbanes-Oxley; Operational Risk; Credit Risk; Treasury; Basel II
Internal Audit: Co-Sourcing; Outsourcing; Internal Audit Transformation; Quality Assurance Reviews; Risk Assessment
Technology Risk Consulting: Applications; Business Continuity; Data Mining; Infrastructure; Privacy; Project Risk Management; Security
An Integrated Governance Risk Compliance Platform
Protiviti Governance Portal (PGP) Overview
The PGP Directs Individuals to Their Areas of Responsibility
PGP Overview

My Portal - Tailor the user experience for specified responsibilities
- Shared Governance Activities
- Monitor and resolve action plans through a single, on-line platform
- Execute workflow-driven tasks across multiple governance activities
- Measure risk and performance indicators linked to key RCMs, risks, controls, objectives, risk categories and financial elements
- The My Portal area creates a user-specific collection of tasks, reports, summaries and owned activities
- In much the same way that the Protiviti Governance Portal functions as an organized repository of an organization's governance data, the My Portal tab functions as a framework for an individual's governance data
- Each user's view can easily be expanded or contracted based on their user profile
- Sarbanes-Oxley (SarbOx Portal™)
  - Perform tests and review owned controls
- Operational Risk Management (ORM Portal™)
  - Assess enterprise risk event categories
  - Manage risks via dashboard reporting
- Self-Assessment (TSA™)
  - Conduct all aspects of a self-assessment including test validation, review, and sign-off
- IA Portal (TSA™)
  - Facilitate audit activities from planning and risk assessment to electronic workpaper management
Available in ORM Portal
Foundational Frameworks
PGP Overview

Common Frameworks Provide Organizing Principles of an Integrated System
- The association of business processes with organizational units provides an analytical framework supporting varying analysis including documentation, risk and control analysis and risk event assessment.
- This analysis can be related to financial reporting to support SOX exercises or to enterprise risks to support broader risk management practices.

Diagram (Create / Link): Risk Event Model, Financial Model, Process Model, Organization Model, Information Technology Model, Project Event Model
Common Features - Documentation
PGP Overview

Document management features make the PGP a powerful document management repository
- Upload multiple files and/or URLs to documents
- Check in/Check out feature prevents numerous users from editing the same document at the same time
- Maintain the integrity of documents by retaining version history
- Track changes made to Document Evaluations and Attributes in Change History
- Maintain multiple versions of the same document; select a previous version to be the current version
Common Features - Risk and Control Matrices
PGP Overview

The Risk Control Matrix Tool - analyze Objectives, Risks and Controls
- Quick Reports allow users to obtain rich information and provide a high-level view of RCM content
- The RCM is a tool within a tool
- It allows for sophisticated analysis of objectives, risks and controls
- A library can be used to baseline risk and control activities
- Discipline is rewarded when reporting
- Review, Action Plans, Notes, Tasks, Attachments and History facilitate resolution
Common Features - Action Plans
PGP Overview

Identify, track, and resolve action items
- Gather and track action items in a single application, providing management visibility into key issues across multiple risk management efforts
- Assign resolution or review responsibility to individuals or user groups such as an internal control group
- Notify users via email when action plans are created, edited or deleted
- Capture response and resolution steps
- Associate action plans with objectives, risks, or controls
- Build out additional tasks around action plans to delegate responsibilities
Dynamic Reports
Reporting Overview

Report from across control activities, risk assessments and loss events via a single application
- Crystal-based reporting engine allows organizations to develop reports to meet their unique needs over time, without requiring modification to code
- User Reports - Drill-down dashboards contained within My Portal that present information based on individual users' owned organizational units
- Quick Reports - Provide printable information while performing analysis in a given area of the system
- Filterable Reports - Provide flexible filtering options to support specified analysis
User-Defined Searches
Reporting Overview

Support specific reporting analysis via user-defined searches
- The system contains over 40 searches that allow for development of user-defined search criteria across a range of topics
- Select and sort fields to include in the report
- Select filter criteria
- Save search as public or private search
- Drill directly to search results
- Export search results to develop specific and detailed analysis using familiar tools such as Excel
Project Team and Executive Dashboards
Reporting Overview

Provide holistic, multi-perspective views of SOX evaluations performed
- Dashboards aggregate RCM process, objective, risk, and control evaluations by Financial Reporting Element, Process Classification, and Organizational Unit.
- The dashboards allow users to drill into more specific information. For example, if Organization 1 displays 4 ineffectively operating controls, users can drill directly to a list of ineffectively operating controls. From the list of ineffectively operating controls, users can then drill directly to a particular control in question.
SarbOx Overview

The system allows for documentation and detailed risk and control analysis that can be aggregated via multiple perspectives: Financial Reporting, Business Process, and Organizational Hierarchies.

Diagram: Organization Model; Documentation; Financial Model; Process Model (PCS); Risk and Control Matrix

- Common tasks performed in building these models under Protiviti's risk-based approach are:
  - Identify control units
  - Identify and prioritize all financial reporting elements
  - Identify business processes that affect financial reporting
  - Perform process risk assessment
  - Link processes to related organizational units and financial reporting elements
  - Determine overall process criticality based on process risk and priority of related financial elements
  - Process criticality is a key determinant of the level of process documentation and control testing in a true risk-based approach
- Documentation may include:
  - Process Maps
  - Policies and Procedures
  - Process Narratives
  - Key Performance Indicators
  - Job Aids
  - Checklists
  - Does not include a mapping tool.

Diagram (Risk Control Library): Objectives - Evaluation of Objective Achievement; Risks - Evaluation of Control Design Effectiveness; Controls - Evaluation of Control Operating Effectiveness; Control Testing Documentation
The Self Assessment Life Cycle
TSA Overview

Diagram (Assessment Lifecycle): stages Assessment Template, Deployed Assessment, Reporting; elements shown: Groups, Packages, Questions, Objective, Risk, Best Practice, Configuration, Required Values, Assess, Assessors, Review, Group Review, AP Review, TP Review, Assessment Completion, Signoff, Action Plans, Test Plans, Dashboards, Reports, Export

Group Review: The group's primary function is to create a domain of review, where a set of reviewer(s) are limited to a pool of assessors. These reviews can be performed by a single individual or delegated to a maximum of 3 persons per group.

The administrator can build and re-use an assessment template to periodically publish or deploy an assessment. Each assessment can be uniquely named, contain key messages and have specific start and end dates for assessors and reviewers. The primary activity is the assessor window, which allows respondents to provide feedback. Action and/or Test Plans may be created based on the Question Configurations. If initiated, these serve as to-dos that can be documented and tracked as they move toward conclusion. Review and Signoff introduce a series of Quality Assurance activities.

A question may be designed or configured to react to assessors' feedback. Each question-response combination can validate behavior, such as requiring answers or comments, as well as generating workflow.
ORM Portal™ Overview - RCSA
RCSA Overview

Internal Audit - The Protiviti Way
IA Portal Overview
The Protiviti Story

Protiviti is a leading provider of independent internal audit and business and technology risk consulting services. Protiviti was formed in May 2002 when Robert Half International (RHI) hired more than 650 experienced and highly qualified partners and professionals formerly with Arthur Andersen LLP's US internal audit and risk consulting practices. These practices operated separately from Andersen's external audit and attestation services. Today, Protiviti works with over 25 of the Fortune 500 and employs over 2,200 professionals in more than 45 locations throughout North America, Latin America, Europe, Asia and Australia. The firm retains the intellectual capital used and developed by its professionals over the past decade.

Our Market Position and Future: The name Protiviti represents professionalism, integrity and independence. Unlike most other risk consulting practices, Protiviti has no affiliation with an external audit firm, nor does it provide any external audit services. This offers us a key strategic advantage, as we can offer the resources, quality, capabilities and expertise of any large accounting firm without regulatory or market concerns regarding conflicts of interest.

About Our Parent Company: Robert Half is a $3.3 billion public company with a $5 billion market capitalization and 330 worldwide offices. It has virtually no debt, a strong cash position and an outstanding track record in growing businesses. It is recognized as one of Forbes' Most Admired Companies.
Our Commitment to Technology Enabling Solutions

- Protiviti recognized as a strong performer in governance, risk and compliance platforms by Forrester Research (The Forrester Wave™, Q1 2006)
- Since release in March 2003, the base of clients utilizing our technologies has steadily grown
- Our solution is battle-tested. Client feedback has infused continuous development, resulting in 5 incremental versions of our SarbOx Portal™, the foundation of Protiviti's Governance Portal
- To meet the needs of our clients seeking to evolve their governance programs, we developed and released the Protiviti Governance Portal, an integrated governance risk compliance platform, in April 2005
- We continue to seek and incorporate our clients' feedback into the solution, and will continue to extend the capabilities of our framework, as reflected in the current development of an integrated Internal Audit module

- Our Vision
  - To be recognized as the premier global risk consulting and internal audit services company.
- Our Mission
  - To constantly improve how businesses manage risk. We will develop deep competencies in people which enhance their value. We will bring unparalleled expertise to clients in risk management.
- Our Core Values
  - professional
  - productive
  - proactive
  - objectiviti
  - creativiti
  - integriti
Protiviti Governance Portal - Who to Contact
Other Information

We would be happy to demonstrate our technology tools and discuss how Protiviti can help you create a sustainable compliance process.

Scott Gracyalny, Managing Director, Risk Technology Solutions, 312.476.6381, Scott.Gracyalny_at_protiviti.com
Scott Wisniewski, Director, Risk Technology Solutions, 312.476.6302, Scott.Wisniewski_at_protiviti.com
Michael Mask, Associate Director, Risk Technology Solutions, 312.476.6396, Michael.Mask_at_protiviti.com