<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/rss2enclosuresfull.xsl" type="text/xsl" media="screen"?><?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/itemcontent.css" type="text/css" media="screen"?><rss version="2.0"><channel><title>GRC Excellence</title><link>http://grcexcellence.typepad.com/grcexcellence/</link><description>Best practices in governance, risk, and compliance.</description><language>en</language><lastBuildDate>Thu, 01 Mar 2007 17:02:06 -0600</lastBuildDate><generator>TypePad http://www.typepad.com/</generator><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/GrcExcellence" type="application/rss+xml" /><feedburner:emailServiceId xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">582541</feedburner:emailServiceId><feedburner:feedburnerHostname xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">http://www.feedburner.com</feedburner:feedburnerHostname><item><title>New Compliance Requirements for Government Contractors</title><link>http://grcexcellence.typepad.com/grcexcellence/2007/03/new_compliance_.html</link><category>Compliance</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mike Rost</dc:creator><pubDate>Thu, 01 Mar 2007 17:02:16 -0600</pubDate><guid isPermaLink="false">tag:typepad.com,2003:post-31079054</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>An excellent article on compliance for government contractors was published on 2/28/2007 in the Legal Times and posted on Law.com. The article outlines the recent activity launched by the Justice Department:</p>

<p><em>Last fall, the Justice Department launched a </em><a class="linelink" href="http://www.usdoj.gov/criminal/npftf/index.html" target="new"><em>National Procurement Fraud Task Force</em></a><em> to focus &quot;resources at all levels of government to increase criminal enforcement&quot; in areas of procurement fraud. The stepped-up attention to this area throughout the government may signal that the $3.1 billion record in federal fraud recoveries in 2006 could soon be broken. More than 50 inspectors general from across all government departments and agencies also are actively pursuing thousands of investigations.</em>&nbsp; </p>

<p><em>Perhaps to emphasize the seriousness of the effort, the Justice Department, on the day it announced the creation of the task force, also announced that Oracle Corp. had agreed to pay almost $100 million to settle False Claims Act allegations that a company it acquired had overcharged the government under its GSA Federal Supply Schedule Contract. The task force more recently announced a criminal case in which a former Defense Department contractor was sentenced to serve nine years in prison and ordered to pay a $3.6 million fine for his role in a bribery and fraud scheme flowing from contracts for the reconstruction of Iraq. </em></p>

<p>Read the full article here:&nbsp; <a href="http://www.law.com/jsp/ihc/PubArticleIHC.jsp?id=1172497094231&amp;rss=ihc">Government Contractors Must Take Early Compliance Steps</a></p>


</div>
]]></content:encoded><description>There was an excellent article on compliance for government contractors published on 2/28/2007 in the legal times and posted on Law.com. The article outlines the recent activity launched by the Justice Department Last fall, the Justice Department launched a National...</description></item><item><title>Integrated GRC Requires IT Governance</title><link>http://grcexcellence.typepad.com/grcexcellence/2007/01/post.html</link><category>IT Governance</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mike Rost</dc:creator><pubDate>Tue, 09 Jan 2007 00:58:50 -0600</pubDate><guid isPermaLink="false">tag:typepad.com,2003:post-15084428</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman">A common focus of most governance, risk, and compliance initiatives is how to establish control and oversight of IT-related processes and controls. This discipline has commonly come to be known as IT Governance.</span></p>


<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman">Similar to the implementation and sustentation of other governance, risk, and compliance initiatives, the concept of IT governance is, by definition, very abstract. IT governance is founded on the same basic principles as corporate governance. In order to effectively implement a business improvement process, it must first be defined and clarified. While many different and fragmented definitions of IT governance are being used by vendors, analysts and IT professionals, Paisley Consulting employs a comprehensive and holistic definition of IT governance:</span></p>


<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman"><em>“IT governance is the process of establishing visible, positive oversight over the management of IT, practices, assets and resources to demonstrate risks are managed and corporate objectives are supported and achieved.”</em></span></p>


<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman">Two important words in this definition are oversight and corporate objectives. Simply put, IT governance ensures the proper use of IT resources to achieve corporate goals and the discipline to provide visible, positive oversight to defined processes. There are many different ways in which IT governance may be implemented – but the heart of IT governance is a formalized process and positive, visible oversight to provide assurance to the process.</span></p>


<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman">Similar to the implementation and sustentation of other corporate governance initiatives, IT governance provides structure through the use of a best practice framework. A framework provides clarity and defensibility in the face of broad IT regulatory requirements and technological complexity and serves as a catalyst for IT governance initiatives. At the heart of a governance framework are three main components:</span></p>

<ul><li><div><span face="Times New Roman"><strong>Structure:</strong> Who makes the decisions? What structure will be created, who will take part in IT governance and what responsibilities will they assume?</span></div></li>

<li><div><span face="Times New Roman"><strong>Process:</strong> How are management’s decisions made and implemented? What are the decision-making processes for proposing investments, managing projects, complying with laws and regulations and maintaining infrastructure and assets?</span></div></li>

<li><div><span face="Times New Roman"><strong>Communication:</strong> How will the results of these processes and decisions be monitored, measured and communicated? What mechanisms will be used to communicate IT stewardship issues to the board of directors, executive management, business management, IT management, employees and shareholders?</span></div></li></ul>

<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman">While there is no universally accepted framework for managing IT, many organizations have migrated to COBIT, ITIL or ISO 17799 and 27001. COBIT, or Control Objectives for Information and related Technology, is by far the most widely adopted IT governance framework. COBIT was developed in 1996 by the Information Systems Audit and Control Association and is now issued and maintained by the IT Governance Institute as a framework for providing control mechanisms over the IT domain. Now in its fourth edition, COBIT has been extended to serve as an IT governance framework by providing maturity models, critical success factors and key performance indicators for the management of IT. Whether a company chooses COBIT or some other standard, effective IT governance is dependent on the adoption and use of a recognized framework to provide best practices.</span></p>


<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman">More information on COBIT can be found at the <a href="http://www.itgi.org/">IT Governance Institute</a>. For more information on IT Governance, please download the following whitepaper: <em><a href="http://www.paisleyconsulting.com/website/pcweb.nsf/vw_ContentByDocID/JMPN-6BFKPU?OpenDocument">Introduction to IT Governance</a></em>.</span></p></div>
]]></content:encoded><description>A common theme that is a focus of most governance, risk, and compliance initiatives is how to establish a control and oversight of IT related processes and controls. This discipline has commonly become to be known as IT Governance. Similar...</description></item><item><title>Non-Accelerated Filers Receive an Early Holiday Gift From the SEC</title><link>http://grcexcellence.typepad.com/grcexcellence/2006/12/nonaccelerated_.html</link><category>Sarbanes-Oxley</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mike Rost</dc:creator><pubDate>Mon, 18 Dec 2006 13:40:18 -0600</pubDate><guid isPermaLink="false">tag:typepad.com,2003:post-14727141</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>For those smaller firms facing Sarbanes-Oxley requirements in early 2007, the SEC has delivered an early holiday gift. On December 15, 2006 the <a href="http://www.sec.gov/news/press/2006/2006-210.htm">SEC announced</a> that it will provide another extension to the date by which non-accelerated filers have to comply with the internal control reporting requirements mandated by Section 404 of the Sarbanes-Oxley Act of 2002. The Commission is also extending the date by which a non-accelerated filer must begin to comply with the auditor attestation requirement.</p>

<p>For reference purposes, the chart below provides guidance on the newly revised time periods for compliance.</p>

<p><table id="complianceDatesChart" cellspacing="2" cellpadding="2" border="1"><tbody><tr bgcolor="#e9e9e9"><th rowspan="2"></th><th rowspan="2">Accelerated Filer Status</th><th colspan="2">Revised Compliance Dates and Final Rules Regarding the Internal Control Over Financial Reporting Requirements</th></tr>

<tr bgcolor="#e9e9e9"><th>Management's Report</th><th>Auditor's Attestation</th></tr>

<tr><td rowspan="2"><strong>U.S. Issuer</strong></td>

<td><strong>Large Accelerated Filer OR Accelerated Filer ($75MM or more)</strong></td>

<td>Already complying (Annual reports for fiscal years ending on or after November 15, 2004)</td>

<td>Already complying (Annual reports for fiscal years ending on or after November 15, 2004)</td></tr>

<tr><td><strong>Non-accelerated Filer (less than $75MM)</strong></td>

<td>Annual reports for fiscal years ending on or after December 15, 2007</td>

<td>Annual reports for fiscal years ending on or after December 15, 2008</td></tr>

<tr><td rowspan="3"><strong>Foreign Issuer</strong></td>

<td><strong>Large Accelerated Filer ($700MM or more)</strong></td>

<td>Annual reports for fiscal years ending on or after July 15, 2006</td>

<td>Annual reports for fiscal years ending on or after July 15, 2006</td></tr>

<tr><td><strong>Accelerated Filer ($75MM or more and less than $700MM)</strong></td>

<td>Annual reports for fiscal years ending on or after July 15, 2006</td>

<td>Annual reports for fiscal years ending on or after July 15, 2007</td></tr>

<tr><td><strong>Non-accelerated Filer (less than $75MM)</strong></td>

<td>Annual reports for fiscal years ending on or after December 15, 2007</td>

<td>Annual reports for fiscal years ending on or after December 15, 2008</td></tr>

<tr><td><strong>U.S. or Foreign Issuer</strong></td>

<td><strong>Newly Public Company</strong></td>

<td>Second Annual Report</td>

<td>Second Annual Report</td></tr></tbody></table></p>

<p>The SEC's decision to extend the filing period deadline is prudent in light of the many proposed changes that are on the table, both for SEC rule changes related to Sarbanes-Oxley and for the upcoming announcement this week of changes to AS 2. Although the SEC has issued another extension, it is clear from the December 13th announcement that Sarbanes-Oxley is here to stay - albeit with a renewed focus on materiality and a top-down, risk-based approach.</p>

<p>For those non-accelerated filers that have yet to invest in processes and technologies to support both the management reporting and auditor attestation requirements for Sarbanes-Oxley compliance, you can consider this one of the last extensions that you are likely to receive. The good news is that, with this renewed focus on a risk-based approach, any investments you make to address these SOX requirements should be able to be leveraged for your broader governance, risk, and compliance initiatives.</p></div>
]]></content:encoded><description>For those smaller firms facing Sarbanes-Oxley requirements in early 2007, the SEC has delivered an early holiday gift. On December 15, 2006 the SEC announced that it will provide another extension to the date for which non-accelerated filers have to...</description></item><item><title>The SEC's Pragmatic Promise - New Guideline Proposed for Section 404</title><link>http://grcexcellence.typepad.com/grcexcellence/2006/12/thesecs_pragmat.html</link><category>Sarbanes-Oxley</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mike Rost</dc:creator><pubDate>Thu, 14 Dec 2006 21:41:37 -0600</pubDate><guid isPermaLink="false">tag:typepad.com,2003:post-14674320</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>On December 13th, the Securities and Exchange Commission voted to propose for public comment interpretive guidance for management regarding their evaluations of internal control over financial reporting. The Commission also proposed amendments to Rules 13a-15 and 15d-15 that would make it clear that a company choosing to perform an evaluation of internal control in accordance with the interpretive guidance would satisfy the annual evaluation required by those rules. Although the SEC has yet to release all of the details, those released as part of the <a href="http://www.sec.gov/news/press/2006/2006-206.htm">press release</a> indicate that the SEC has taken the initiative to make some material changes yet has not made radical reforms.</p>

<p>Some of the highlights of the December 13th announcement include:</p>

<ul><li>The evaluation of internal controls will be principles based. This new approach would be guided by two principles. The first principle is that management evaluates controls based on the reasonable possibility that a material misstatement in the financial statements would not be prevented or detected. The second principle is that controls are evaluated based on the assessment of the risk associated with those controls.</li>

<li>The proposed guidance describes a risk-based approach. The risk-based approach is targeted to reduce the current problem of excessive documentation and excessive testing.</li>

<li>The new guidance will be coordinated with changes by the PCAOB to Audit Standard 2 which are planned to be announced on December 19.</li></ul>

<p>In addition to the above mentioned guidelines, the proposal addresses four specific areas including:</p>

<ul><li>Identification of risks to reliable financial reporting and the related controls that management has implemented to address those risks </li>

<li>Evaluation of the operating effectiveness of controls </li>

<li>Reporting the overall results of management's evaluation </li>

<li>Flexibility in approaches to documentation</li></ul>

<p>While it is difficult to understand the full implications of these Sarbanes-Oxley reform proposals without the full report being published and the yet-to-be published PCAOB AS2 revisions, it is encouraging to see the direction that the SEC has taken. The key messages in the press release regarding flexibility, materiality, and top-down risk disciplines should allow organizations to take a pragmatic, cost-effective, and yet meaningful approach to managing their internal controls. As with the first go-around with Sarbanes-Oxley, the true change of organizational behavior will be significantly influenced by the requirements outlined in the forthcoming revised AS2.</p></div>
]]></content:encoded><description>On December 13th, the Securities and Exchange Commission voted to propose for public comment interpretive guidance for management regarding their evaluations of internal control over financial reporting. The Commission also proposed amendments to Rules 13a-15 and 15d-15 that would make...</description></item><item><title>Sarbanes-Oxley Reform – Who is driving this debate ?</title><link>http://grcexcellence.typepad.com/grcexcellence/2006/12/sarbanesoxley_r_1.html</link><category>Sarbanes-Oxley</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mike Rost</dc:creator><pubDate>Thu, 14 Dec 2006 13:52:08 -0600</pubDate><guid isPermaLink="false">tag:typepad.com,2003:post-14668154</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman">Sarbanes-Oxley reform has been front page news for the past several months and will continue to dominate headlines in the foreseeable future. With all of the official and semi-official governing bodies issuing reports in the November/December time frame, this post will attempt to bring some clarity to the who’s and what’s of all of this Sarbanes-Oxley reform conversation.</span></p>


<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman"><strong>Who are the players in the Sarbanes-Oxley debate</strong>:</span></p>



<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman"><strong>US Congress:</strong> The US Congress passed the Sarbanes-Oxley law in 2002. <a href="http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills&docid=f:h3763enr.tst.pdf">Section 404 of the Sarbanes-Oxley Act</a> (which is only 174 words long) provided the requirement that internal controls must be audited. Section 404 is very vague, with little specific guidance on what organizations really need to do. There has been talk of Congress changing the law, but that will not be discussed until Congress is in session in early 2007.</span></p>


<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman"><strong>SEC:</strong> <a href="http://www.sec.gov/">The SEC</a> provides specific rules and guidance on what companies specifically have to do as it relates to Sarbanes-Oxley. The SEC has been reforming the rules over the past 2 years. On December 13, 2006, the SEC will propose for public comment interpretive guidance for management regarding their evaluations of internal control over financial reporting and proposed amendments to SEC rules.</span></p>


<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman"><strong>PCAOB:</strong> <a href="http://www.pcaobus.org/">The PCAOB</a> is a private-sector, non-profit corporation, created by the Sarbanes-Oxley Act, to oversee the auditors of public companies. The PCAOB sets the rules and standards for external auditors as it relates to how and what they audit for those companies subject to the Sarbanes-Oxley Act. The PCAOB has planned to issue guidance to Audit Standard 2 on December 19<sup>th</sup>, 2006.</span></p>


<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman"><strong>Committee on Capital Market Reform:</strong> The <a href="http://www.capmktsreg.org/index.html">Committee on Capital Markets Reform</a> is an independent, bipartisan committee composed of 22 corporate and financial leaders from the investor community, business, finance, law, accounting, and academia. They have no rule-setting or law-making function. This group is an influencing group, with the Secretary of the Treasury as a strong, charging leader.</span></p>


<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman"><strong>Christopher Cox</strong>: <a href="http://www.sec.gov/about/commissioner/cox.htm">Christopher Cox</a> is the 28th Chairman of the Securities and Exchange Commission. He was appointed by President Bush on June 2, 2005, and unanimously confirmed by the Senate on July 29, 2005. Christopher Cox has been aggressively pursuing reforms to SOX over the past 18 months.</span></p>


<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman"><strong>Hank Paulson:</strong> Hank is the <a href="http://en.wikipedia.org/wiki/Henry_Paulson">United States Treasury Secretary</a>. He was nominated by U.S. President George W. Bush to succeed John Snow as the Treasury Secretary on May 30, 2006. On June 28, 2006, he was confirmed by the United States Senate to serve in the position. As the former CEO of Goldman Sachs, Hank has been pressing for Sarbanes-Oxley reform with the motive of improving the competitiveness of the United States public capital markets and removing unnecessary burdens.</span></p>


<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman"><strong>The Recommendation Reports – What and When:</strong></span></p>


<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman">12/05/2006 - Committee on Capital Markets - <a href="http://www.capmktsreg.org/pdfs/11.30Committee_Interim_ReportREV2.pdf">Interim Report of the Committee on Capital Market Regulation</a></span></p>


<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><em><span style="FONT-STYLE: normal"><span face="Times New Roman">12/13/2006 - <a href="http://www.sec.gov/news/press/2006/2006-206.htm">SEC Votes to Propose Interpretive Guidance for Management to Improve Sarbanes-Oxley 404 Implementation</a>. The full report has yet to be posted.</span></span></em></p>


<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><em><span style="FONT-STYLE: normal"><span face="Times New Roman">12/19/2006 – The PCAOB will issue reforms to Audit Standard 2</span></span></em></p>


<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><em><span face="Times New Roman"><span style="FONT-STYLE: normal">For each of the above items, there will be a period of public comment and discussion prior to final rulings and conclusions. You can expect that the first three months of 2007 will be very active in the continued debate over Sarbanes-Oxley reform.</span></span></em></p>

</div>
]]></content:encoded><description>Sarbanes-Oxley reform has been front page news for the past several months and will continue to dominate headlines in the foreseeable future. With all of the official and semi-official governing bodies issuing reports in the November/December time frame this post...</description><enclosure url="http://www.capmktsreg.org/pdfs/11.30Committee_Interim_ReportREV2.pdf" length="3232367" type="application/pdf" /></item><item><title>GRC Thought Leaders Gather at OCEG IT Forum</title><link>http://grcexcellence.typepad.com/grcexcellence/2006/12/grc_thought_lea.html</link><category>GRC Basics</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mike Rost</dc:creator><pubDate>Wed, 13 Dec 2006 09:16:54 -0600</pubDate><guid isPermaLink="false">tag:typepad.com,2003:post-14639327</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman">I spent December 4th and 5th participating in the Open Compliance and Ethics Group IT Forum in San Francisco. For those of you not familiar with <a href="http://www.oceg.org/">OCEG</a>, they are a nonprofit offering comprehensive guidance, standards, benchmarks and tools for integrating governance, risk and compliance (GRC) processes. </span><span face="Times New Roman">Companies participating in the event included SAP, Axentis, Deloitte, Paisley Consulting and Oracle, among others. There was a mix of attendees representing both compliance and information technology functions in leading organizations, consultants, and plenty of GRC vendors in the audience.</span></p>


<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman">Some of the common themes discussed at the conference included:</span></p>

<ul type="disc" style="MARGIN-TOP: 0in"><li class="MsoNormal" style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo1; tab-stops: list .5in"><span face="Times New Roman">There is no one single owner of GRC</span></li>

<li class="MsoNormal" style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo1; tab-stops: list .5in"><span face="Times New Roman">There is a gap of understanding between IT professionals and those responsible for GRC including compliance, legal, risk managers, and internal audit</span></li>

<li class="MsoNormal" style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo1; tab-stops: list .5in"><span face="Times New Roman">Internal Audit plays a significant role in effectively implementing GRC</span></li>

<li class="MsoNormal" style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo1; tab-stops: list .5in"><span face="Times New Roman">GRC is the capability that assists the organization to drive to corporate objectives and to stay within boundaries</span></li>

<li class="MsoNormal" style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo1; tab-stops: list .5in"><span face="Times New Roman">Challenges to effectively implementing GRC include the volume and complexity of regulations, demanding stakeholders, and organizational fragmentation and silos</span></li></ul>

<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman">I found the most interesting part of the conference to be those panel discussions that involved the analysts and actual governance, risk, and compliance practitioners.<span style="mso-spacerun: yes"> </span>My personal favorites were the panel discussions that included the audit directors of both Microsoft and Hewlett-Packard.&nbsp; They both participated on several panels and were very vocal on how their organizations are approaching governance, risk, and compliance.&nbsp; It was very clear in listening to their comments as well as speaking to other conference attendees that internal auditors are playing a central and leading role in evangelizing the benefits of governance, risk, and compliance in their organizations.</span></p>


<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman">Another benefit of the conference was listening to Scott Mitchell discuss some of OCEG's recent publications related to <a href="http://www.complianceweek.com/index.cfm?fuseaction=article.viewArticle&amp;article_ID=2809">alignment of GRC initiatives</a> and <a href="http://www.complianceweek.com/index.cfm?fuseaction=article.viewArticle&amp;article_ID=2947">making a business case for integrated governance, risk, and compliance</a>.&nbsp; OCEG has become a regular contributor to Compliance Week and has positioned itself as a thought leader in the area of governance, risk, and compliance.</span></p>


<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman">Although a bit light on attendees, the OCEG IT Forum had some good content and was a good overall value from an attendee perspective.</span></p></div>
]]></content:encoded><description>I spent December 4 and 5th participating in the Open Compliance and Ethics Group IT Forum in San Francisco. For those of you not familiar with OCEG, they are a nonprofit offering comprehensive guidance, standards, benchmarks and tools for integrating...</description></item><item><title>News on Sarbanes-Oxley Reform - Summary Recommendations from the Committee on Capital Market Regulation</title><link>http://grcexcellence.typepad.com/grcexcellence/2006/12/sarbanesoxley_r.html</link><category>Sarbanes-Oxley</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mike Rost</dc:creator><pubDate>Fri, 01 Dec 2006 17:05:09 -0600</pubDate><guid isPermaLink="false">tag:typepad.com,2003:post-14412380</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman">The big news in governance, risk, and compliance this week centers around the publishing of the <em><a href="http://www.capmktsreg.org/research.html">Interim Report of the Committee on Capital Market Regulation</a></em> by Treasury Secretary Hank Paulson and those that he invited to be on his committee.<span style="mso-spacerun: yes">&nbsp; </span>The 152-page “Paulson Report” contains some very interesting and thought-provoking material as it relates to the competitiveness of US capital markets and the effect of Sarbanes-Oxley on those markets.</span></p>

<p><span face="Times New Roman">I applaud the aggressiveness of the committee in forming some bold conclusions, trying to support them with facts, and mixing in some self-serving, thought-provoking questions.<span style="mso-spacerun: yes">&nbsp; </span>The report reads as part essay, part fact-based GAO report, and part newspaper editorial.<span style="mso-spacerun: yes">&nbsp; </span></span><span face="Times New Roman">For those that do not want to spend the time to read through the 152 pages of the entire report, I have summarized some of the main points and recommendations as they pertain to Sarbanes-Oxley reform. As stated in the report:</span></p>


<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman"><strong>The Problem:</strong></span></p>

<ul type="disc" style="MARGIN-TOP: 0in"><li class="MsoNormal" style="MARGIN: 0in 0in 0pt; mso-list: l1 level1 lfo1; tab-stops: list .5in"><em><span face="Times New Roman">The trend in so-called “global” IPOs, i.e., IPOs done outside a company’s home country, provides evidence of a decline in the U.S. competitive position. As measured by value of IPOs, the U.S. share declined from 50 percent in 2000 to 5 percent in 2005. Measured by number of IPOs, the decline is from 37 percent in 2000 to 10 percent in 2005</span></em> </li>

<li class="MsoNormal" style="MARGIN: 0in 0in 0pt; mso-list: l1 level1 lfo1; tab-stops: list .5in"><span face="Times New Roman">Lower activity in capital markets is bad for securities firms and may jeopardize the jobs of the highly paid employees that work there and may have an impact on US GDP</span> </li>

<li class="MsoNormal" style="MARGIN: 0in 0in 0pt; mso-list: l1 level1 lfo1; tab-stops: list .5in"><span face="Times New Roman">Too much regulation is the root cause of this problem</span></li></ul>

<p class="MsoNormal" style="MARGIN: 0in 0in 0pt; mso-list: l1 level1 lfo1; tab-stops: list .5in"><span face="Times New Roman"><span face="Times New Roman"><strong>Recommendations:</strong></span></span></p>

<ul type="disc" style="MARGIN-TOP: 0in"><li><div class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman">Do not change the language of Section 404</span></div></li>

<li class="MsoNormal" style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo2; tab-stops: list .5in"><em><span face="Times New Roman">Redefine a Material Weakness:<span style="mso-spacerun: yes">&nbsp; </span>Revise the scope and materiality standards in AS2 to ensure that reviews are truly risk-based and focus on significant control weaknesses.</span></em> </li>

<li class="MsoNormal" style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo2; tab-stops: list .5in"><em><span face="Times New Roman">Development of Enhanced PCAOB and SEC Guidance:<span style="mso-spacerun: yes">&nbsp; </span></span></em><ul type="circle" style="MARGIN-TOP: 0in"><li class="MsoNormal" style="MARGIN: 0in 0in 0pt; mso-list: l0 level2 lfo2; tab-stops: list 1.0in"><em><span face="Times New Roman">Clarify and permit greater judgment as to the auditor’s role in understanding and evaluating management’s assessment process;</span></em> </li>

<li class="MsoNormal" style="MARGIN: 0in 0in 0pt; mso-list: l0 level2 lfo2; tab-stops: list 1.0in"><em><span face="Times New Roman">Confirming that auditors, in attesting to management’s assessment, are not required to perform similar assessments to those needed in issuing their own opinions;</span></em> </li>

<li class="MsoNormal" style="MARGIN: 0in 0in 0pt; mso-list: l0 level2 lfo2; tab-stops: list 1.0in"><em><span face="Times New Roman">Reinforce the appropriateness of the auditor’s use of judgment throughout the audit of internal controls over financial reporting, including in the evaluation of strong indicators of material weakness;</span></em> </li>

<li class="MsoNormal" style="MARGIN: 0in 0in 0pt; mso-list: l0 level2 lfo2; tab-stops: list 1.0in"><em><span face="Times New Roman">Clarify that the auditor attestation does not require the auditor to report separately on management’s own internal control assessment process<span style="mso-spacerun: yes">&nbsp; &nbsp;</span>incorporating the frequently-asked questions guidance into the text of </span></em></li></ul></li>

<li class="MsoNormal" style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo2; tab-stops: list .5in"><em><span face="Times New Roman">Permit Multi-Year Rotational Testing and Increased Reliance on Work of Others:<span style="mso-spacerun: yes">&nbsp; </span>Higher risk areas such as procedures for preparing the annual financial statements and related disclosures should be tested each year. For lower-risk components of financial processes and other areas, such as certain elements of the information technology environment, management and the auditor should be allowed to use a multi-year rotational testing approach.<span style="mso-spacerun: yes">&nbsp; </span>The SEC and PCAOB should also confirm that auditors may increase reliance on the work of others and give guidance to both management and auditors regarding the auditor’s maximum reliance on inputs from existing sources. </span></em></li>

<li class="MsoNormal" style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo2; tab-stops: list .5in"><em><span face="Times New Roman">Small Companies Should Either Be Subject to the Same (Revised) Section 404 Requirements as Large Companies or Congress Should Reshape 404 for Small Companies</span></em> </li>

<li class="MsoNormal" style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo2; tab-stops: list .5in"><em><span face="Times New Roman">Do Not Apply Section 404 to Foreign Companies Subject to Equivalent Home Country Requirements.</span></em> </li>

<li class="MsoNormal" style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo2; tab-stops: list .5in"><em><span face="Times New Roman">Provide for More Data Collection and Ongoing Monitoring</span></em></li></ul>

<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman">Whether or not you agree with some or all of the conclusions of this report, it is a clear indication of the political and private support and momentum behind compliance reform. With the hard-charging Hank Paulson pushing for reforms, new congressional leadership looking to make an impact, and the December 13 recommendations from the SEC, it is clear that 2007 will be a very active year for compliance reform.</span></p>


<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman">Stay tuned for further commentary and analysis on the <em>Interim Report of the Committee on Capital Market Regulation</em> in upcoming blog posts.</span></p></div>
]]></content:encoded><description>The big news in governance, risk, and compliance this week centers around the publishing of the Interim Report of the Committee on Capital Market Regulation by Treasury Secretary Hank Paulson and those that he invited to be on his committee....</description></item><item><title>Sarbanes-Oxley - Focus on the Right Reasons for Reform</title><link>http://grcexcellence.typepad.com/grcexcellence/2006/11/sarbanesoxley_f.html</link><category>Sarbanes-Oxley</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mike Rost</dc:creator><pubDate>Wed, 29 Nov 2006 07:27:14 -0600</pubDate><guid isPermaLink="false">tag:typepad.com,2003:post-14361105</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>Speaking before the U.S. Capital Markets Economic Club of New York last week, Treasury Secretary Henry Paulson issued a call for action on reducing compliance associated with the Sarbanes-Oxley Act. These comments came just weeks before the SEC and the PCAOB are to release proposals aimed at making compliance regulations more risk-based and cost efficient.&nbsp; These comments also came a week before the November 30th release of the Paulson-backed report on how to better tackle financial compliance regulations.</p>

<p>In his speech, Paulson said &quot;It seems clear that a significant portion of the time, energy and expense associated with implementing Section 404 might have been better focused on direct business matters that create jobs and reward shareholders.&nbsp; We need to implement the law in ways that better balance the benefits of the legislation with the very significant costs that it imposes, especially on small businesses.&quot;</p>

<p>While there are many arguments to be made to change the way Sarbanes-Oxley has been implemented, the premise behind much of Paulson's discontent with the Sarbanes-Oxley Act, its perceived effect on the capital market and the lack of new IPO listings, is just plain wrong. A November 13th article in Financial Week <a href="http://www.financialweek.com/apps/pbcs.dll/article?AID=/20061113/REG/61113006/1028/TOC">(<span class="cf_articlehead">SarBull!!! The truth behind America's IPO imbalance)</span></a> gives a good explanation of why there have been fewer IPO listings in the US.&nbsp; According to the article, the top reasons for IPOs not listing on US exchanges include:</p>

<ol><li><strong>Nationalism:</strong> 8 of the top 25 IPOs last year had state-owned interests.&nbsp; SOX or not, these IPOs were incented to list on the exchange of their own country. </li>

<li><strong>Suspect Companies:</strong>&nbsp; Companies such as PartyGaming (on-line gambling based in Gibraltar) and KazMunaiGas, the Kazakh energy company, would be looked at with a suspect eye by US institutional investors. </li>

<li><strong>Too Small:</strong>&nbsp; Since few U.S. investment banks will consider taking a company worth less than $100 million public on the Nasdaq, many of those smaller listings are choosing to list on the Alternative Investment Market (AIM) in London.&nbsp; </li></ol>

<p>On the eve of releasing his report, it is important to point out that Henry Paulson has not presented data to support the claim that Sarbanes-Oxley is what keeps market-accepted IPOs from listing in the US.&nbsp; While it is true that SOX has caused a lot of pain and heartache for many organizations (primarily in year 1), it has also created a market environment that has resulted in record levels on the US exchanges.&nbsp; Because US publicly traded companies have to live up to rules of oversight, assurance, and proper control environments, investors in these companies have the confidence to continue to invest.&nbsp; Since the passage of the SOX law, S&amp;P 500 earnings have grown 10% or more year over year in each of the past 18 quarters.</p>

<p>While the emotional debate on SOX - good or bad - will continue in the coming months and years, it is important to evaluate this issue by gathering the facts and examining the data.&nbsp; In the case of the IPO argument, the data shows that SOX is not the issue.</p></div>
]]></content:encoded><description>Speaking before the U.S. Capital Markets Economic Club of New York last week, Treasury Secretary Henry Paulson declared a call for action on reducing compliance associated with the Sarbanes-Oxley Act. These comments came just weeks before the SEC and the...</description></item><item><title>World-Class Companies Reduce Compliance Costs</title><link>http://grcexcellence.typepad.com/grcexcellence/2006/11/worldclass_comp.html</link><category>GRC Basics</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mike Rost</dc:creator><pubDate>Wed, 29 Nov 2006 06:37:35 -0600</pubDate><guid isPermaLink="false">tag:typepad.com,2003:post-14329075</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>Looking to cut your costs of implementing and sustaining your governance, risk, and compliance initiatives?&nbsp; According to recent research by the Hackett Group, world-class companies have figured out how.</p>

<p>According to the research conducted for their <a href="https://www.thehackettgroup.com/portal/site/apaboutus/menuitem.527aca3dda09ba5e48be431066f069a0/">2006 Finance Book of Numbers</a>, companies that they classify as world class have reduced overall finance costs and spend significantly less on compliance.&nbsp; Hackett's research identified an array of techniques that world-class finance organizations use to control compliance costs. According to the Hackett Group report, leading companies spend 55% less than their typical peers on finance controls, and report 53% lower compliance costs. One key strategy employed is complexity reduction. Leading companies have 40-60% fewer controls than typical companies in five key finance areas - general accounting, revenue cycle, cash disbursements, tax management, and treasury.</p>

<p>Also noted in this report is the fact that world-class finance organizations rely more heavily on technology than typical companies, and use it to automate transactional activities and drive down costs and staffing levels, while also improving information access. </p>

<p>I am struck by the simplicity of what this survey suggests.&nbsp; As with your personal health, the answers to solving the health of your governance, risk, and compliance programs are not that difficult to prescribe.&nbsp; When I ask my doctor how to get to a world-class weight and fitness level, his prescription is to eat right and exercise.&nbsp; The same holds true for governance, risk, and compliance.&nbsp; If you want to be world-class you must reduce complexity (take a top-down, risk-based approach) and automate processes (invest in technology).</p>

<p>Now those are easy words to come by while writing a simple blog entry and easy words to prescribe when you are not responsible for execution.&nbsp; However, having worked with many clients in improving business processes, there is something to be said for just taking the time and effort to get something started.&nbsp; An obvious place to start is to look at the number and types of internal controls that you are testing and reporting on.&nbsp; Just because you have been testing a set of controls since year 1 of SOX does not mean that you have identified the correct set of controls to evaluate in the long run.&nbsp; A simple test of materiality and risk on each of your controls should allow you to evaluate the relevance, importance, and time required to invest in those controls.</p>

<p>Stay tuned for the December 13th guidance from the SEC - risk and materiality will likely be a significant theme.</p></div>
]]></content:encoded><description>Looking to cut your costs of implementing and sustaining your governance, risk, and compliance initiatives ? According to recent research by the Hackett Group, world class companies have figured out how. As part of the research conducted for their 2006...</description></item><item><title>Risk Based Audit Universe - Internal Auditor Performance</title><link>http://grcexcellence.typepad.com/grcexcellence/2006/11/risk_based_audi.html</link><category>Internal Audit</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mike Rost</dc:creator><pubDate>Thu, 23 Nov 2006 02:00:52 -0600</pubDate><guid isPermaLink="false">tag:typepad.com,2003:post-13040948</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p class="MsoPlainText" style="MARGIN: 0in 0in 0pt"><span style="mso-bidi-font-family: &quot;Courier New&quot;"><span face="Courier New">Internal audit professionals are guided to establish a risk-based audit universe by the Institute of Internal Auditors (IIA) Professional Practices Framework and related practice advisories. Professional Practices Framework Performance Standard 2010, “Planning,” states, “The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals.”<span style="mso-spacerun: yes">&nbsp; </span>Although broad in guidance, this performance standard sets the expectation that risk-based plans are a required component of the audit process.</span></span></p>


<p class="MsoPlainText" style="MARGIN: 0in 0in 0pt"><span style="mso-bidi-font-family: &quot;Courier New&quot;"><span face="Courier New">According to recently published information, there is plenty of room for improvement related to the execution of a risk-based audit approach.<span style="mso-spacerun: yes">&nbsp; </span>A recent study published by the Financial Executives Research Foundation (FERF), Control Deficiency Reporting: Review and Analysis of Filings During 2004, analyzes the control deficiency disclosures made by 329 companies in their various SEC filings from November 1, 2003, to October 31, 2004.<span style="mso-spacerun: yes">&nbsp; </span>It analyzes more than 950 such disclosures in a number of important categories to identify trends to help users of financial statements better understand the nature of control deficiency reporting made by SEC registrants.</span></span></p>


<p class="MsoPlainText" style="MARGIN: 0in 0in 0pt"><span style="mso-bidi-font-family: &quot;Courier New&quot;"><span face="Courier New">Management and internal auditors appear to have performed poorly in detecting and reporting deficiencies. Evidence from these public disclosures suggests that only about 28 percent of companies were proactive in bringing reportable deficiencies to the attention of their audit committees or external auditors. This strongly suggests that internal auditors either used risk prioritization models that routinely scoped out high-risk areas for internal control deficiencies or did not detect or report deficiencies that were found.</span></span></p>


<p class="MsoPlainText" style="MARGIN: 0in 0in 0pt"><span style="mso-bidi-font-family: &quot;Courier New&quot;"><span face="Courier New">A different study by Glass, Lewis &amp; Co. also analyzed 2004 deficiencies and early 2005 disclosures. That study suggested:</span></span></p>

<p class="MsoPlainText" style="MARGIN: 0in 0in 0pt 0.5in; TEXT-INDENT: -0.25in; mso-list: l0 level1 lfo1; tab-stops: list .5in"><span style="FONT-FAMILY: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol"><span style="mso-list: Ignore">·<span style="FONT: 7pt &quot;Times New Roman&quot;">&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;</span></span></span><span style="mso-bidi-font-family: &quot;Courier New&quot;"><span face="Courier New">The number of companies disclosing material weaknesses (the most severe type of control problem) increased 87 percent (to 586 companies) in the first four months of 2005 over the entire year of 2004 (313 companies).</span></span></p>

<p class="MsoPlainText" style="MARGIN: 0in 0in 0pt 0.5in; TEXT-INDENT: -0.25in; mso-list: l0 level1 lfo1; tab-stops: list .5in"><span style="FONT-FAMILY: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol"><span style="mso-list: Ignore">·<span style="FONT: 7pt &quot;Times New Roman&quot;">&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;</span></span></span><span style="mso-bidi-font-family: &quot;Courier New&quot;"><span face="Courier New">Only 43 percent of companies that received a qualified opinion on internal control effectiveness had previously cautioned investors that deficiencies existed, and 94 percent had certified their internal controls as effective as recently as the quarterly filing before the annual report was issued with a qualified opinion.</span></span></p>

<p class="MsoPlainText" style="MARGIN: 0in 0in 0pt 0.5in; TEXT-INDENT: -0.25in; mso-list: l0 level1 lfo1; tab-stops: list .5in"><span style="FONT-FAMILY: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol"><span style="mso-list: Ignore">·<span style="FONT: 7pt &quot;Times New Roman&quot;">&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;</span></span></span><span style="mso-bidi-font-family: &quot;Courier New&quot;"><span face="Courier New">Internal control deficiency disclosures increased 39 percent, from 462 companies in 2004 to 642 through May 2, 2005.</span></span></p>


<p class="MsoPlainText" style="MARGIN: 0in 0in 0pt"><span style="mso-bidi-font-family: &quot;Courier New&quot;"><span face="Courier New">The trend in reported deficiencies is alarming. While individual companies and their internal auditors may fail to detect or report some internal control deficiencies in audits they conduct, the rising trend in the total number and increasing materiality of deficiencies, the number of companies reporting deficiencies, and their late and sudden disclosure suggest that the problem is a systemic one. Deficiencies are simply not being found and reported by management.</span></span></p>


<p class="MsoPlainText" style="MARGIN: 0in 0in 0pt"><span style="mso-bidi-font-family: &quot;Courier New&quot;"><span face="Courier New"><span style="mso-spacerun: yes">For further information, please download the <em><strong>&quot;Considering Risk in Audit Management&quot; </strong></em><a href="http://www.paisleyconsulting.com/website/pcweb.nsf/vw_ContentByDocID/JMPN-6BFKPU?OpenDocument"><span style="color: #990066;"><strong>whitepaper</strong></span></a><span style="color: #990066;"><strong>.</strong></span></span></span></span></p></div>
]]></content:encoded><description>Internal audit professionals are guided to establish a risk-based audit universe by the Institute of Internal Auditors (IIA) Professional Practices Framework and related practice advisories. Professional Practices Framework Performance Standard 2010, “Planning,” states, “The chief audit executive should establish risk-based...</description></item><item><title>Meet the GRC Bloggers</title><link>http://grcexcellence.typepad.com/grcexcellence/2006/11/meet_the_grc_bl.html</link><category>GRC Basics</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mike Rost</dc:creator><pubDate>Mon, 20 Nov 2006 22:30:44 -0600</pubDate><guid isPermaLink="false">tag:typepad.com,2003:post-13040632</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p class="MsoPlainText" style="MARGIN: 0in 0in 0pt"><span style="mso-bidi-font-family: 'Courier New'"><span face="Courier New"><strong>A Brief Introduction to the Authors</strong></span></span></p>


<p class="MsoPlainText" style="MARGIN: 0in 0in 0pt"><span style="mso-bidi-font-family: &quot;Courier New&quot;"><span face="Courier New">As professionals who have dedicated their careers to various components of the governance, risk and compliance industry, we are committed to sharing our thoughts, experiences and insights in this GRC blog. We hope you enjoy the content that we provide in our posts and welcome your comments and thoughts as well. By way of introduction, we have posted some brief bios describing our experience with GRC disciplines.</span></span></p>


<p class="MsoPlainText" style="MARGIN: 0in 0in 0pt"><span style="mso-bidi-font-family: &quot;Courier New&quot;"><span face="Courier New"><strong><br />Tim Leech</strong></span></span></p>

<p class="MsoPlainText" style="MARGIN: 0in 0in 0pt"><span style="mso-bidi-font-family: &quot;Courier New&quot;"><span face="Courier New">Tim J. Leech is a recognized expert in the disciplines of governance, risk, and compliance. Tim is currently Principal Consultant &amp; Chief Methodology Officer with Paisley Consulting. From 1991 to 2004 Tim was CEO and founder of CARD®decisions, a global pioneer in the ERM and CRSA areas. Paisley Consulting acquired CARD®decisions in June of 2004. Other positions he has held include Managing Director of a subsidiary of the Hambros Bank, Director Control &amp; Risk Management Services with Coopers &amp; Lybrand Consulting, and a range of comptrollership and internal audit roles with Gulf Canada. Tim was elected Fellow of the Institute of Chartered Accountants Ontario in 1997 in recognition of distinguished service to the auditing profession.</span></span></p>


<p class="MsoPlainText" style="MARGIN: 0in 0in 0pt"><span style="mso-bidi-font-family: &quot;Courier New&quot;"><span face="Courier New">Tim is a frequent contributor to Compliance Week and other industry publications and is a frequent speaker at industry conferences and roundtables. Tim has provided training for public and private sector staff located in Canada, the U.S., the EU, Australia, South America, Africa and the Middle and Far East. Leech has received worldwide recognition as a pioneer and thought leader in the fields of enterprise risk and assurance.</span></span></p>


<p class="MsoPlainText" style="MARGIN: 0in 0in 0pt"><span style="mso-bidi-font-family: &quot;Courier New&quot;"><span face="Courier New"><strong>Bruce McCuaig</strong></span></span></p>

<p class="MsoPlainText" style="MARGIN: 0in 0in 0pt"><span style="mso-bidi-font-family: &quot;Courier New&quot;"><span face="Courier New">Bruce McCuaig is Principal Consultant, Collaborative Assurance and Risk Design with Paisley Consulting. Prior to joining Paisley, Bruce held senior executive positions with Gulf Canada in Calgary and Toronto and Gulf Oil Corporation in Houston, Texas. While CAE of Gulf Canada Resources, Bruce implemented the original work team self-assessment concept, including development of officer and board level presentations outlining the benefits of this new control-model-based approach.</span></span></p>


<p class="MsoPlainText" style="MARGIN: 0in 0in 0pt"><span style="mso-bidi-font-family: &quot;Courier New&quot;"><span face="Courier New">Bruce’s practice involves consulting, training and strategic implementation assistance related to Sarbanes-Oxley (and related Canadian legislation), Basel II Operational Risk assessments, Enterprise Risk Management and governance initiatives, and Control and Risk Self-Assessment training and implementation support. Bruce's work experience includes extensive audit and financial management in the oil and gas industry, both upstream and downstream, as well as exposure to the mining and banking sectors. Bruce has worked with clients around the world training and overseeing complex, innovative Enterprise Risk &amp; Assurance Management (“ERAM”), Control &amp; Risk Self Assessment (“CRSA”), and Collaborative Assurance &amp; Risk Design (“CARD®”) implementation initiatives in public and private sector clients ranging in size from individual departments to some of the world’s largest multi-national corporations.</span></span></p>


<p class="MsoPlainText" style="MARGIN: 0in 0in 0pt"><span style="mso-bidi-font-family: &quot;Courier New&quot;"><span face="Courier New"><strong>Mike Rost</strong></span></span></p>

<p class="MsoPlainText" style="MARGIN: 0in 0in 0pt"><span style="mso-bidi-font-family: &quot;Courier New&quot;"><span face="Courier New">Mike Rost is a veteran of both corporate finance and the financial software applications industry. Mike has more than 16 years of experience marketing and managing financial software applications and supporting accounting and finance business processes. He joined Paisley from Xiotech, a storage area network provider, where he led the marketing and product management efforts in the startup of a new compliance software division. Previously, Mike held several management positions in a 7-year career at Lawson Software, a leading supplier of financial, human resources, supply chain, and business intelligence applications. Prior to joining Lawson, Mike spent 7 years in a variety of accounting and financial management positions with Pillsbury and Rollerblade Inc. Mike is currently Vice President, Marketing for Paisley Consulting.</span></span></p>


<p class="MsoPlainText" style="MARGIN: 0in 0in 0pt"><span style="mso-bidi-font-family: &quot;Courier New&quot;"><span face="Courier New">Mike provides a unique GRC perspective with his experience in transitioning from corporate finance to software product management and marketing. Mike has worked with leading organizations in the purchase and implementation of ERP, BPM, BI, and GRC applications and has extensive contacts and experience in working with the leading providers of software applications related to GRC, including: EMC, FileNet, Hyperion, Cognos, Business Objects, Lombardi, IBM, Microsoft, Lawson, SAP, and Paisley Consulting.</span></span></p></div>
]]></content:encoded><description>A Brief Introduction to the Authors As professionals who have dedicated their careers to various components of the governance, risk and compliance industry, we are committed to sharing our thoughts, experiences and insights in this GRC blog. We hope you...</description></item><item><title>Welcome to GRC Excellence</title><link>http://grcexcellence.typepad.com/grcexcellence/2006/11/welcome_to_grc_.html</link><category>GRC Basics</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mike Rost</dc:creator><pubDate>Mon, 20 Nov 2006 22:24:17 -0600</pubDate><guid isPermaLink="false">tag:typepad.com,2003:post-13021362</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p class="MsoPlainText" style="MARGIN: 0in 0in 0pt"><a name="OLE_LINK9"></a><a name="OLE_LINK8"><span style="mso-bookmark: OLE_LINK9"><span style="mso-bidi-font-family: &quot;Courier New&quot;"><span face="Courier New"><strong>Governance.<span style="mso-spacerun: yes">&nbsp; &nbsp;</span>Risk.<span style="mso-spacerun: yes">&nbsp; &nbsp;</span>Compliance</strong></span></span></span></a></p>


<p class="MsoPlainText" style="MARGIN: 0in 0in 0pt"><span style="mso-bookmark: OLE_LINK8"><span style="mso-bookmark: OLE_LINK9"><span style="mso-bidi-font-family: &quot;Courier New&quot;"><span face="Courier New">These three words are transforming the way companies are required to operate and have led to a new category of business processes and technology solutions.</span></span></span></span></p>


<p class="MsoPlainText" style="MARGIN: 0in 0in 0pt"><span style="mso-bookmark: OLE_LINK8"><span style="mso-bookmark: OLE_LINK9"><span style="mso-bidi-font-family: &quot;Courier New&quot;"><span face="Courier New">GRC Excellence is the first blog dedicated exclusively to fostering and accelerating excellence in the field of governance, risk, and compliance. To this end, we will profile GRC industry trends, best practices, and case studies to help companies of all sizes and industries accelerate results and drive continuous improvements in the implementation and optimization of GRC disciplines. We will also provide a unique, objective, and interactive forum for governance, risk management and compliance executives to identify and share best practices on all aspects of GRC — from determining the right organizational structure and capitalizing on investments in internal audit, to implementing a top-down, risk-based approach to financial controls compliance, implementing IT governance, or getting control of your broader compliance requirements.</span></span></span></span></p>


<p class="MsoPlainText" style="MARGIN: 0in 0in 0pt"><span style="mso-bookmark: OLE_LINK8"><span style="mso-bookmark: OLE_LINK9"><span style="mso-bidi-font-family: &quot;Courier New&quot;"><span face="Courier New">We encourage your participation and feedback to ensure a lively exchange of ideas that can help your company accelerate and sustain GRC management excellence.</span></span></span></span></p>


<p class="MsoPlainText" style="MARGIN: 0in 0in 0pt"><span style="mso-bookmark: OLE_LINK8"><span style="mso-bookmark: OLE_LINK9"><span style="mso-bidi-font-family: &quot;Courier New&quot;"><span face="Courier New">Mike Rost, Tim Leech, Bruce McCuaig</span></span></span></span></p></div>
]]></content:encoded><description>Governance. Risk. Compliance These three words are transforming the way companies are required to operate and have led to a new category of business processes and technology solutions. GRC Excellence is the first blog dedicated exclusively to fostering and accelerating...</description></item></channel></rss>
