
TECHNOLOGY BRIEF: REDUCING COST AND COMPLEXITY WITH GLOBAL GOVERNANCE CONTROLS

CA Halves The Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes.

Table of Contents

Executive Summary

SECTION 1: CHALLENGE

• Establishing the foundations for good governance and continuous compliance

• Reducing business and IT risks

• Keeping control in the balance

SECTION 2: OPPORTUNITY

• Unified governance platform simplifies global compliance

• Achieving the same result with half the number of IT controls

• Real-time view of compliance risks

SECTION 3: BENEFITS

• Reduced compliance costs and complexity

• Improved risk management increases customer confidence

SECTION 4: CONCLUSIONS

ABOUT CA

Executive Summary

Challenge

With operations in 45 countries, CA must comply with a broad range of regulations as well as its own internal controls. A renewed focus on corporate governance and risk management had resulted in CA monitoring hundreds of internal controls for Sarbanes-Oxley (SOX) and other regulations. This plethora of controls not only increased the risk of duplication but also the costs involved with risk management, compliance and auditing.

The company needed to find a way to simplify and integrate its processes while at the same time reducing exposure to risk by ensuring continuous compliance with new and existing legislation.

Opportunity

The company established a global and unified approach to compliance and governance, which is underpinned by one of its own solutions. Using CA Governance, Risk and Compliance (GRC) Manager, the company has been able to create a single repository for all its global controls, test results and risks. New legislation can be automatically mapped against existing controls and any gaps identified and displayed on a real-time management dashboard. By automating and centralizing key compliance processes, CA has been able to free up resources and reduce the number of SOX controls by more than 50 percent.

Benefits

The cost and complexity of compliance has been reduced. CA estimates it will halve the cost of testing IT controls for Sarbanes-Oxley as well as reduce its external auditing costs.

With its governance processes working more effectively, the company has also been able to:

• Increase business agility

• Free up internal resources

• React faster to new legislation

These factors are all key for mitigating risk and ensuring that CA can continue to meet its business objectives and customer expectations.

SECTION 1: CHALLENGE

Establishing the foundations for good governance and continuous compliance

Risk is a natural feature of today’s business landscape. While it can never be entirely eradicated, it can be mitigated through good corporate governance. The possibility of human error, natural disasters, financial negligence, terrorism and IT failures can all be planned for and contingency programs put in place.

Increasingly these plans are becoming mandatory rather than voluntary as governments around the world impose corporate governance controls on organizations in the form of new rules and laws.

With this legislative trend set to continue, organizations face an ever more bumpy ride on the regulatory rollercoaster — unless they take steps to simplify the compliance process and adopt a truly holistic and global approach to governance.

Reducing business and IT risks

Good governance is at the heart of CA’s operations and culture. It is essential not only for minimizing risk but also for ensuring operational efficiency and integrity — one of CA’s core values.

With CA’s clients including 99 percent of Fortune 1000® companies, the demonstration of good governance is often key to maintaining these relationships and selling more software solutions.

The need to establish — and prove — good governance has been particularly important for CA, given its deferred prosecution agreement with the US government over past accounting practices. This agreement expired in May 2007 after all the terms were met by CA.

As part of the renewed focus on governance, CA established a framework of corporate controls along with dedicated teams for enterprise risk management, Sarbanes-Oxley compliance, internal auditing and IT compliance.

With technology touching every area of CA’s business — from product development and customer support to finance and procurement — IT in particular has come under the fierce glare of the governance spotlight. Rob Zanella, Vice President of IT Compliance at CA, comments, “A lot of previously manual business processes have now become automated, which for example means we are reliant on electronic data rather than physical files that in the past could have been locked in a filing cabinet to ensure confidentiality.”

To help identify and mitigate the risks that are inherent in a more automated and digital world, CA has developed an IT risk assessment methodology, which is now embedded into IT project planning and being used to help people set up control self-assessments.

Keeping control in the balance

The desire to mitigate risk in every area of the business and ensure compliance with international regulations can lead to a highly controlled environment. Following its governance

CA’s IT controls are focused around four key areas, which are important both for regulatory compliance and good governance:

• Finance

• Privacy

• Records management

• Operations

As well as a repetition of controls, CA’s compliance, risk management and governance efforts were also managed in silos. As Zanella explains, “All compliance teams were working independently and using different IT systems. There was no way we could combine our activities, which meant we were unable to leverage the work or tests carried out by another team. This was not only inefficient but also very costly.”

This situation is by no means unique to CA. The very nature of compliance means that the goalposts are constantly moving as new regulations or internal policies are initiated. As a result, organizations’ compliance efforts often become localized and reactive, which leads to unproductive silos of operation — a model that CA wanted to move away from. “We needed to take a global approach to compliance with a common operating structure to reduce risk, cost and inefficiency,” adds Zanella.

This global approach is particularly important for enterprises of CA’s scale and geographical spread. With operations in more than 45 countries, CA must comply with a wide set of regulations — from Europe’s stringent privacy laws and SOX to the Health Insurance Portability and Accountability Act (HIPAA) and Foreign Corrupt Practices Act. The company’s regulatory compliance obligations are constantly evolving. As a result, CA wanted to be able to not only track new legislation but also reuse existing controls to maximize the efficiency of its regulatory compliance processes.

SECTION 2: OPPORTUNITY

Unified governance platform simplifies global compliance

The need for visibility of new state and national laws was one of the key drivers behind the implementation of CA’s own Governance solution: CA Governance, Risk & Compliance (GRC) Manager. Every quarter, the solution receives a direct feed from an external provider that specifies the latest rules that need to be adhered to.

CA GRC Manager, however, goes much further than just alerting organizations to recent legislation. As Zanella explains, “CA GRC Manager automatically maps new regulatory requirements to existing corporate controls and policies. This enables us to quickly identify any gap in our governance and compliance profile and embark on remediation.”

CA’s unified approach to compliance, however, means that such gaps are becoming less likely — especially when it comes to IT controls. CA GRC Manager incorporates the control objectives and regulatory mappings provided by the Unified Compliance Framework (UCF), which is based on more than 280 international and national standards and regulations, such as:

• Control Objectives for Information and related Technology (COBIT)

• Payment Card Industry (PCI) Data Security Standard

• Australia Telecommunications Act

• HIPAA

• UK Data Protection Act

Achieving the same result with half the number of IT controls

COBIT, which is published by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA), is an IT governance framework that allows organizations to bridge the gap between control requirements, technical issues and business risks.

By adopting COBIT in tandem with CA GRC Manager, CA has been able to move away from a localized approach to IT controls and create standardized and global governance processes.

This has helped to reduce the number of IT controls from 500 to 250. “Although we have halved the number of IT controls, they remain just as effective,” comments Zanella.

The company has had similar success with reducing the total number of its business controls by half. Many of these controls relate to SOX, which has been credited with costing companies millions of dollars in compliance and auditing costs. Such an overhead is not surprising given the level of testing that can be required to ensure ongoing compliance.

At present, CA conducts around 6,000 hours of testing IT controls in relation to SOX every year — this volume will eventually reduce once the company reaches a higher level of compliance maturity and completes its migration from legacy applications to a company-wide enterprise resource planning system.

Thanks to CA GRC Manager, some of this testing can now take place internally rather than relying on expensive external sources and auditors. As Zanella explains, “By using CA GRC Manager to create a single repository for all our global controls, test results and risks, we can share information and free up resources across our teams which helps increase efficiency.”

Real-time view of compliance risks

Since deploying CA GRC Manager in summer 2007, the software company has already migrated its SOX and internal operational controls to CA GRC Manager and is in the process of adding international privacy laws. As a result, CA can now see at a glance any risk that might impact compliance with SOX or internal governance policies using real-time dashboards.

Although these role-based and interactive views can be configured to meet the specific visualization and organizational needs of each company, CA GRC Manager includes a suite of pre-defined dashboards for Regulatory Controls, Performance Trends, Enterprise Risk, Control


according to their importance and resources prioritized accordingly to ensure an effective remediation.”

In the future, CA will also be using the solution to help manage this remediation process. CA GRC Manager includes rich project management capabilities to help simplify and smooth the remediation process and can be used to track progress, enhance communication and capture important information.

CA also hopes to integrate CA GRC Manager with core IT management systems. This will facilitate continuous monitoring of security and governance tools and help identify if a control has been compromised, which could help to further reduce the volume of compliance testing required in the future.

FIGURE A: AUTOMATED CONTROL MAPPING AIDS CONTINUOUS COMPLIANCE

CA GRC Manager enables organizations to respond more effectively to new legislation and reduce duplication of controls and effort. The solution automatically matches new regulatory requirements with existing controls, and enables organizations to simplify the remediation process with advanced project management capabilities.

SECTION 3: BENEFITS

Reduced compliance costs and complexity

Although CA has yet to extend the solution to its entire governance and compliance operation, the company has already reaped considerable rewards. Most notably around cost control and efficiency: two factors that can quickly spiral out of control without the unification of processes, people and technology.

These benefits stem from the simple fact that the company’s controls are now working better, and as such, are less likely to fail a test by an external auditor. Audits are a fact of life for any listed company but the cost of this process can vary considerably depending on the time involved and the number of control failures. As Zanella explains, “Every time an IT control fails a test, we have to carry out a remediation, a second a test, an exposure analysis and a financial statement analysis. All of which involve time and expense. By ensuring our controls pass the first time, we can make considerable savings and operational efficiencies.”

In the first year of using CA GRC Manager, the company estimates it will:

• Halve the cost of testing IT controls for SOX

• Significantly reduce external auditing costs for IT controls

The solution has also helped the company make better use of its compliance, governance and risk management resources. As Zanella confirms, “Prior to deploying CA GRC Manager, we had one person dedicated to migrating data from one governance system to another and a second person responsible for reporting. By deploying an automated and centralized global repository for compliance, governance and risk management, we have been able to free up these resources for more valuable work within the department.”

Improved risk management increases customer confidence

In addition to the financial and efficiency gains, CA GRC Manager and the new approach to governance has also delivered less tangible benefits. For example, the software company has been able to:

INCREASE BUSINESS AGILITY By ensuring that the company’s 14,500 employees have well-defined governance policies and controls to follow, CA is more flexible and productive. It is also easier for new members of staff to understand the company’s operating principles and to adapt to this culture more quickly.

IMPROVE CUSTOMER CONFIDENCE Good governance and compliance is often a key factor in the decision-making process for clients when buying software. They need to know their chosen provider is stable and reliable. CA can now demonstrate its best practice approach to governance, which is underpinned by its own solution and methodology.

RESPOND FASTER TO NEW LEGISLATION CA can quickly identify if it has the right controls in place to meet the demands of a new regulation. Controls developed for one law can be re-used for another — for example the privacy laws enforced by different European countries overlap some of the HIPAA requirements.

MITIGATE RISK By adopting an internationally recognized control framework, CA can ensure

All these factors are essential for ensuring the ongoing success of the company. “Risk and poor governance can stop a company from achieving its objectives — for example developing new products or improving profitability,” comments Zanella. “CA GRC Manager has helped to mitigate business risk to an acceptable level, and has provided us with a platform for enabling continuous compliance. We can now take a proactive and global approach to compliance, which will help to reduce operational costs while at the same time enabling the company to meet its business and governance objectives.”

SECTION 4: CONCLUSIONS

With companies’ operating systems and processes increasingly becoming the subject of national and international legislation, organizations need to ensure they are complying with not only their own internal governance controls but also those set down in the world’s statute books.

Establishing the necessary governance controls to ensure continuous compliance, however, can be a highly complex process resulting in duplication of effort and excessive cost. Organizations therefore need to adopt a holistic and global approach to compliance to ensure they can re-use business and IT controls and minimize the company’s exposure to risk.

By adopting a common platform for governance, compliance and risk management, organizations can not only reduce cost and complexity but also ensure a more effective response to new legislation. As a result, governance standards will be enhanced, which can have a positive impact on customer confidence, competitive advantage and business agility.

To learn more about the CA GRC Manager architecture and technical approach, visit ca.com

ABOUT CA

CA, one of the world’s largest information technology (IT) management software companies, unifies and simplifies the management of enterprise-wide IT for greater business results. Our vision, tools and expertise help customers manage risk, improve service, manage costs and align their IT investments with their business needs.
