January 2012 Mizuho Bank Internal Audit Evaluation Quick Start Guide Any site inquiries please contact: Matt McDonough, Pre-Sales Engineer 312.364.4916 [email protected]

Demo site script_1.03.ppt


Page 2: Demo site script_1.03.ppt

© 2012 Protiviti Inc. An Equal Opportunity Employer. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.

A definition of ERM

Proposed Solution

Protiviti's Governance Portal offers clients a flexible technology solution to balance sound governance with business performance.

[Diagram: Protiviti Governance Portal. Modules: Financial Controls, Compliance, Enterprise Risk, IT Governance, Internal Audit. Shared layers: Monitoring, Workflow and Reporting; Shared Database with Configuration.]

GRC Module

A GRC system that supports risk, control management, and incident management.

Internal Audit Module

An integrated audit management system that facilitates risk assessment, planning, electronic work papers, issue management and reporting.

Page 3: Demo site script_1.03.ppt

System Navigation

Page 4: Demo site script_1.03.ppt

Log On

• Access the Portal through your internet browser at:

http://grc5.protiviti.com/demosecond40/Default.aspx

• Enter your Admin ID and password

• IDs:

[email protected]

Password: password1

Click the Lock symbol to log into the Portal.

Enter Admin email address and password.

Page 5: Demo site script_1.03.ppt

Ribbon

• After logging in, the first thing you will notice is a basic homepage with a welcome message and some key administration activities.

• The Ribbon has a configurable layout that lets you manage navigation for users and expand or collapse the view you want to open without returning to the homepage.

“Click” Default GRC

Page 6: Demo site script_1.03.ppt

Default GRC View: GRC Register

• GRC Register contains an Entity Hierarchy. GRC Register is flexible to support client frameworks and entities. If a client has a basic approach it can be simplified. As you expand out the organizations, you will notice a series of sub-units and sub-processes.

Page 7: Demo site script_1.03.ppt

GRC Register: Entity Hierarchy

• Four processes with key data:

• Chicago – Payables Process

• Chicago – Information Security Process

• New York – Underwriting Process

• Desk Officers – Trading Process

• Expand out individual risk control matrices right on the hierarchy.

• Gives flexibility to build out and manage your framework right from this page.

• Can add risks and controls by right clicking on “Add Risks or Controls”.

Expanded Out View

Page 8: Demo site script_1.03.ppt

GRC Register: Entity Hierarchy

• Filtering capabilities: The filtering capabilities allow you to view only what you want highlighted. In this example, Projects with High Risks are highlighted, and what defines High Risks is completely configurable to the client's internal methodology.

• From the entity tree you can begin to scope out an audit directly on this page.

Filter Entities by Project – High Risks

By clicking scope you can begin to plan an audit.

Page 9: Demo site script_1.03.ppt

Projects: Schedule

• Shows all the different projects that have been set up in the tool.

• Can expand and collapse projects with details down below.

• Full staffing capability in the tool that allows you to look at who is assigned/not assigned to a particular project.

• Can search and filter resources assigned to project.

Page 10: Demo site script_1.03.ppt

Workflow Management: Events

• The workflow feature in the tool is highly flexible. Workflow is driven by two types of activities: events and structured templates that you deploy.

• Events, which are configurable by clients, allow you to build out very specific activities that define or trigger a workflow path. Events can be very specific to client methodology.

Page 11: Demo site script_1.03.ppt

Workflow Management: Assessments

• On the Assessment link there are a variety of different surveys. Surveys or assessments can be used to perform testing, risk reviews, awareness, educational training, etc.

• Survey functionality has been redesigned in version 4.0; it allows clients to take advantage of the latest technology, including mobile device support.

• For example: the Risk Assessment in the tool highlights how you can pull data from the risk register to send out an email alert to complete assessments. Once completed, the results automatically feed back into the register.

Follow Risk Assessment hyperlink.

Page 12: Demo site script_1.03.ppt

Analysis: GRC Dashboard

• Analysis component contains a Dashboard that shows 9 reports:

• Action Assessment Summary

• Regulatory Alert Status

• Mitigation Plans

• Performance Rating

• Performance Indicators

• Key Indicators

• Information Security

• Internal Compliance

• Financial Controls

All Reports have drill-down capabilities.

Page 13: Demo site script_1.03.ppt

Analysis: Ad Hoc (Risk and Controls)

• Search capabilities will highlight data in a very flexible query engine.

• Switch to filter mode and it will allow you to look for very specific records.

Click Search Filter Mode.

Risk and Controls filtered by those containing the word “Cash”.

Page 14: Demo site script_1.03.ppt

Click into Audit Management and Risk Management:

• At this point, it's a matter of focusing on the most relevant aspects for the particular client's needs.

• For example, if the client is using the tool for risk management, it would be appropriate to drill into Risk Management, and vice versa for Internal Audit.

Risk Management View

Audit Management View

Page 15: Demo site script_1.03.ppt

Risk Management View: RCM Library

• RCM Library allows you to establish the RCM Templates: risks, controls, and objectives.

All Objectives:

Page 16: Demo site script_1.03.ppt

Risk Management View: Analysis (Entity Ratings)

• On the Analysis tab, you have all the key aspects of analytics: Assessment Ratings, Control Ratings, KRIs, KPIs, Loss Events, and Identification of Actions.

• Click into Entity Ratings to illustrate how you can start to use the tool to assess some of your different metrics at an entity level.

Click into Entity Ratings.

Page 17: Demo site script_1.03.ppt

Risk Management View: Reporting (Heat Map)

• On the Reporting tab, you will have a series of different reports that are available.

• Heat Map Report: pulls up an aggregated view of all risks across the system, looking at their inherent and residual assessments. You can drill into those risks by clicking on the risk name and looking at the details.

Heat Map Pop-up

Page 18: Demo site script_1.03.ppt

Risk Management View: Reporting (Risk Register Search)

• Search Builder: Risk Register Search. Demonstrate flexibility by clicking on filter mode and looking for very specific controls that contain text or evaluation. Also, can drag and drop columns to group data to your liking.

Apply different Filters:

Page 19: Demo site script_1.03.ppt

Risk Management View: Reporting (RCM Excel)

• This Excel link allows you to demonstrate the flexibility of the tool's Excel-generated reports. You can export a search into Excel, make a report in Excel, and then load the file back into the application (and it will continue to refresh for you).

• The report is being updated concurrently with the tool.

Excel File is constantly updated as new information is entered:

Page 20: Demo site script_1.03.ppt

Internal Controls View: Internal Controls

• Testing information and action plans in the Internal Controls views.

• Main Point: Different dashboards and different links can be provided for various stakeholders.

Menu very similar to Risk Mgmt. View:

Page 21: Demo site script_1.03.ppt

Audit Management: Home (Dashboard)

• Audit View has its own dashboards. Reports have drill-downs with more details, and you have the ability to perform updates right in the report.

Drilldown Capabilities:

Page 22: Demo site script_1.03.ppt

Audit Management: Audit Planning (Audit Universe)

• In the Audit Universe, look at all areas with high risks and create a new audit for a high-risk area.

• For clients who prefer the more traditional approach without going to org. tree, they can just click “Quick Create”.

“Click” Quick Create.

“Click” Scope to add to existing audit or create new audit.

Page 23: Demo site script_1.03.ppt

Audit Management: Completing Audit

• Can manage the Audit through the scheduling link.

• From the scheduling view, you can push and pull resources in and out of the audit.

• There are 8 steps in the audit. One of the more common ones is an opening/planning meeting. The user can edit the audit by changing the status of the audit.

User can manually change the status of the audit.

Page 24: Demo site script_1.03.ppt

Audit Management: Field Work Step

“Click” Not Started under RCM Development and Completion.

“Click” Click Here

• Once you go into the RCM Development and Completion, you can go into the payables process where the payables risks and controls can be viewed.

• The key thing is you can pull in assessments that were made by the risk team, internal controls team, or the business.

• The concept of a shared risk register that is integrated with the rest of the system holds completely true. Data can be leveraged and shared.

Page 25: Demo site script_1.03.ppt

Audit Management:

“Click” Add to add WorkPaper

• Highlight that you can add a new testing work paper, work paper step, and the details around that step.

Page 26: Demo site script_1.03.ppt

Audit Management:

• Through the Traditional Template Library, you can import payables risk control matrix tests directly into the RCM.

“Click” Traditional Template Library

“Click” Audit Templates

“Click” Payables

Page 27: Demo site script_1.03.ppt

Audit Management: Test Reviews

“Click” Disbursements

• Take a look at the Test Reviews tab, which shows all of the assigned tests that are ready for review.

• If you click into the test you can see the details of the tests performed, look at any attachments, and perform the review. Once the review is performed, it will be taken off your queue as an action needed.

Page 28: Demo site script_1.03.ppt

Auditor View:

• In the Auditor View, you will see this user has only been assigned to an Auditor role, so the homepage just has a list of current audits.

• Assigned Test: In the Assigned Test tab the Auditor can see the tests they have been assigned and likewise for Assigned Findings.

Homepage for Auditor View:

“Click” Assigned Tests Tab

Page 29: Demo site script_1.03.ppt

Compliance View:

• Compliance can mean a couple different things for clients: Regulatory Compliance, Internal Compliance, and Case Management. These all have different tabs across the top of the portal under the Compliance View.

• If you are going to demonstrate regulatory compliance you will need to log back in as a different user; the reason is that we are proxying how our separation of forms will be in the future.

Regulatory Compliance Log-In: username: [email protected]; password: password1

Page 30: Demo site script_1.03.ppt

Compliance: (John Russell Log-In)

• Regulatory Updates Tab shows the updates assigned to the user from a regulatory change perspective which can be created manually or through integration with a 3rd party content provider.

• This form is the loss event form which is being used for alerts.

• If you drill into an Alert, there is information about the Rule name, description, what's changing from a regulatory perspective, which business entities are assigned to the alert, and which classifications, risks, and controls the alert is linked to.

“Drill” into a particular Rule for further details.

Page 31: Demo site script_1.03.ppt

Compliance: (John Russell Log-In)

• The Regulatory Dashboard looks at alerts across the system to show which business units they are associated with, the status of the alerts, and which regulatory themes the alerts are associated with.

• The report has drill-down capabilities which will show the details of the alert.

Drill Down Capabilities:

Page 32: Demo site script_1.03.ppt

Compliance: Internal Compliance

• You have the ability to manage policy compliance in the tool.

• You can build out an entity hierarchy that includes corporate policies and within those policies you can establish relationships to organizations.

• You can document and attach files into the tool and when you mark status for review, it will trigger out a workflow for individuals to perform their reviews.

• The Policy Review tab will allow you to see all policies that are up for review and you will be able to download the documentation to your computer; SharePoint integration is another option.

“Click” into create documentation in order to attach documents.

Page 33: Demo site script_1.03.ppt

Compliance: Case Management

• The tool has a case management feature that allows users to identify issues/cases in the organization. As you click save the event will go through a case review process. Individuals will be notified via email that there is a new case, then they can document the case, and take that through workflow. You can build out projects which leverage the audit functionality of the tool.

• The information will be similar to audit view but the workplan flow will be specific to cases. This is customizable according to a client’s case management methodology.

Enter Data in the required fields.

“Click” Save.

Page 34: Demo site script_1.03.ppt

IT Governance View: IT Hierarchy

• IT Governance View has links to all IT Controls and Action Plan Summary.

• IT Hierarchy is filtered to show entities relevant to the IT area, such as IT Services, IT Applications, and IT Organizations.

• Flexible to handle the Service concept, which is the linking of a single service to multiple organizations and multiple applications.

• As you perform Assessments, the reporting feature allows you to aggregate data and tells you which services are most impacted by the organization. It provides a higher-level view of data by different cuts.

Aggregated Data Reports in the Dashboard View.

Page 35: Demo site script_1.03.ppt

Business User View and Issue Management View:

• Shows what a business user might see when they log in to the portal. The view that users see is based on their role in the organization.

• Issue Management View is a more basic view without the complexities of the entire portal.

Business User View:

Issue Management View: