In this example, a subsidiary of Infission runs the U.S. operations. One part of the
subsidiary's results is the revenue line, and the receivables management process has a
material impact on what is reported as revenue. There is an inherent risk that we
may apply improper revenue recognition policies. For example, we may recognize
revenue even though the contract gives the customer a right of return within 90 days
if the product does not perform as specified. The control may be that every contract
with revenue over 100,000 dollars is reviewed by the Revenue Recognition Team. That
control may be tested by generating a report of all contracts over 100,000 and checking
each one for documented Revenue Recognition Team approval.
GRC Capability Maturity Model
The governance process itself can start small, in a fairly ad hoc manner, and can
mature to the point where the governance processes are truly optimized. The IT Policy
Compliance Group, an industry and advisory consortium, adapted the Capability
Maturity Model first published by the Carnegie Mellon Software Engineering
Institute to the GRC domain. This gives companies a way to measure where they are
on the spectrum, and to get a sense of how far they have to go and the costs and
benefits of getting there.
The following figure shows the levels in the Capability Maturity Model and the
process characteristics at each of the levels:
Figure: Capability Maturity Model levels, from lowest to highest:
Level 1: Ad Hoc
Level 2: Documented and Repeatable
Level 3: Measured
Level 4: Continuously Improving
Level 5: Optimized
We will be revisiting the Capability Maturity Model to see how different pieces of
our GRC solution help move us along the spectrum towards optimizing our controls
footprint, minimizing the costs, maximizing the repeatability, and ensuring we have
measurable results that can be expressed in terms of business value. The IT Policy
Compliance Group provides standardized assessments to help companies measure
where they are.