Track I: Managing Risk & Compliance I

1st European Identity Conference
07.05. - 10.05.2007, Munich

Moderator:

Governance & Compliance Trends

08.05.2007 11:00-12:00

Corporate Governance & Compliance - Current Developments and Trends in Europe


  • The European Union just recently adopted numerous directives, introducing a whole string of additional requirements for a “new” form of corporate governance. In this context, the changes to the Fourth, Seventh and Eighth EU Directives as well as the Transparency Directive are in the focus of particular interest - their provisions will intervene significantly in the corporate governance of all impacted companies.
  • The new requirements aim at further boosting the confidence of market participants in the financial statements and annual reports of European companies and at greater transparency for investors and are intended to improve the safeguards against accounting scandals in the European Union.

IT Governance - New Tasks for IT-Management


IT in business is facing new requirements driven by several forces that occur simultaneously: in particular the quest to assess the value contribution of IT, the introduction of more compliance rules, the search for better ways to align business and IT, and the need to manage security and risk.

The presentation addresses IT Governance as a comprehensive management approach within a newly understood IT-Business-Architecture.
Frameworks will be discussed with respect to their fit into this architecture and COBIT will be addressed specifically with respect to support of IT Governance.

Mastering Risk - Ernst & Young Study

08.05.2007 12:00-13:00

Mastering Risk: Results of a Recent Study on Enterprise Risk Management by Ernst & Young


  • ERM - current situation and future challenges
  • Survey Approach
  • Our Findings - a cross-stakeholder Perspective on Risk
  • ERM Leading Practice Analysis
  • The E&Y Perspective on Risk

Compliance Automation I

08.05.2007 14:00-15:00

Creating Business Value Through Compliance Automation


Compliance automation tools supply a wealth of information that can be used to create value within the enterprise. However, before organizations can access this hidden treasure they have to think long and hard about business processes and system integration. Done correctly, compliance automation can pay its own way by achieving significant ROI as well as auditability and security.

Compliance Automation II

08.05.2007 15:00-16:00

Compliance Automation - Vendor panel


The number of so-called compliance automation tools being offered in the market continues to grow, but each vendor, it seems, has a very different idea of what such a tool really is. This is confusing for users and customers. The panel will try to find a common definition and will examine the different ways various vendors address the issue.

Compliance Management

08.05.2007 16:30-17:30

A new Approach for Compliance Management


KPN’s 'fixed network' division had to prepare for a SOX compliance review from January 2007. KPN launched various parallel initiatives, including both an identity management improvement programme and a SOX compliance programme. The identity programme aimed at making sure the authorisations in the various applications were appropriate. The SOX compliance programme had the mission of demonstrating that KPN had sufficient control over authorisations in the SOX-material applications. In total, 48 applications were considered SOX-material. These applications spanned a wide range of standard packages such as SAP as well as many in-house developed applications running on a wide variety of platforms.

A team from PwC first performed a pilot analysing the authorisations in KPN's billing applications. They had to select a tool that was not tied to any particular technology solution. This criterion rules out tools such as ACE or Virsa's Compliance Calibrator, since they only handle SAP. KPN has a whole range of systems, and they preferred a single tool capable of addressing them all. For this reason, Eurekify’s Sage product was selected. NIST’s RBAC model (role based access control) was used as a unification mechanism across the various applications. The Sage ‘business process rule’ feature was used to capture business controls such as segregation of duty.

As the pilot was considered successful, the team continued and implemented SOX-based ‘business process rules’ for all 48 SOX-material applications. This was done in approximately three months. The SOX ‘business process rules’ are now executed periodically to demonstrate ongoing compliance for KPN.
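The approach described in this session, unifying per-application authorisations into one RBAC model and then evaluating segregation-of-duty rules across it, is illustrated by the following added example. It is not KPN's, PwC's or Eurekify's code and does not reflect how the Sage product works; the application names, local role names, the role mapping and the three rules are all constructed for the illustration. The point it demonstrates is the one the case study relies on: a conflict between a role in SAP and a role in an in-house billing system is only visible once both are expressed as business roles in the same model.

```python
"""Added example: toy RBAC unification plus segregation-of-duty (SoD) check.

Hypothetical data and rules; not the Sage product or KPN's configuration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed sample data: user -> local roles, per application, as a tool
# would import them from each system's own authorisation tables.
APP_ASSIGNMENTS: Dict[str, Dict[str, Set[str]]] = {
    "SAP_FI": {
        "alice": {"FI_VENDOR_MAINTAIN", "FI_PAYMENT_RELEASE"},
        "bob": {"FI_VENDOR_MAINTAIN"},
    },
    "BILLING_LEGACY": {
        "alice": {"BILL_ADJUST"},
        "carol": {"BILL_ADJUST", "BILL_APPROVE"},
        "bob": {"BILL_VIEW"},
    },
}

# Unification step: each application-local role is mapped onto a business
# role of the common RBAC model (hypothetical mapping).
ROLE_MAP: Dict[Tuple[str, str], str] = {
    ("SAP_FI", "FI_VENDOR_MAINTAIN"): "VendorMasterData",
    ("SAP_FI", "FI_PAYMENT_RELEASE"): "PaymentRelease",
    ("BILLING_LEGACY", "BILL_ADJUST"): "BillingAdjustment",
    ("BILLING_LEGACY", "BILL_APPROVE"): "BillingApproval",
    ("BILLING_LEGACY", "BILL_VIEW"): "BillingReadOnly",
}


@dataclass(frozen=True)
class SoDRule:
    """A business process rule: one user may hold at most one of these roles."""
    name: str
    conflicting_roles: FrozenSet[str]


# Constructed rules. The third one spans two applications and could not be
# detected by a tool that only sees SAP.
SOD_RULES: List[SoDRule] = [
    SoDRule("Vendor master vs payment release",
            frozenset({"VendorMasterData", "PaymentRelease"})),
    SoDRule("Billing adjust vs billing approve",
            frozenset({"BillingAdjustment", "BillingApproval"})),
    SoDRule("Billing adjust vs payment release (cross-application)",
            frozenset({"BillingAdjustment", "PaymentRelease"})),
]


def unify(app_assignments: Dict[str, Dict[str, Set[str]]],
          role_map: Dict[Tuple[str, str], str]) -> Dict[str, Set[str]]:
    """Build user -> set of business roles across all applications.

    An unmapped local role is an error rather than silently ignored: a role
    that is missing from the model is a gap in the control, not a clean result.
    """
    unified: Dict[str, Set[str]] = {}
    for app, users in app_assignments.items():
        for user, local_roles in users.items():
            for local in local_roles:
                business_role = role_map.get((app, local))
                if business_role is None:
                    raise KeyError(f"unmapped role {local!r} in application {app!r}")
                unified.setdefault(user, set()).add(business_role)
    return unified


def evaluate(unified: Dict[str, Set[str]],
             rules: List[SoDRule]) -> List[Tuple[str, str, FrozenSet[str]]]:
    """Return (rule name, user, conflicting roles held) for every violation."""
    violations = []
    for user, roles in sorted(unified.items()):
        for rule in rules:
            held = rule.conflicting_roles & roles
            if len(held) > 1:
                violations.append((rule.name, user, frozenset(held)))
    return violations


def run_periodic_check(app_assignments=APP_ASSIGNMENTS, role_map=ROLE_MAP,
                       rules=SOD_RULES):
    """The periodic run: re-import assignments, unify, evaluate, report."""
    return evaluate(unify(app_assignments, role_map), rules)


if __name__ == "__main__":
    for rule_name, user, held in run_periodic_check():
        print(f"VIOLATION [{rule_name}] user={user} roles={sorted(held)}")
```

Run periodically against freshly exported assignments, the list of violations (or its emptiness) is the evidence of ongoing control over authorisations; a non-empty list should feed a remediation workflow, and an unmapped role should stop the run rather than be skipped, since an unmodelled role is exactly the kind of gap an auditor will ask about.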



© 2012 KuppingerCole