The International Association of Risk and Compliance Professionals (IARCP) develops and maintains a compendium of risk and compliance topics. Subject matter experts review and update this body of knowledge.

• Introduction
• Regulatory Compliance and Risk Management. Definitions, roles and responsibilities
• The role of the board of directors, the supervisors, the internal and external auditors
• The new international landscape and the interaction among laws, regulations, and professional standards
• The difference between a best practice and a regulatory obligation
• Benefits of an enterprise wide compliance program
• Compliance culture: Why it is important, and how to communicate the regulatory obligations
•  
• Policies, Workplace Ethics, Risk and Compliance
• Policies, procedures and the ethical code of conduct
• Privacy and information security
• Handling confidential information
• Conflicts of interest
• Use of organizational property
• Fair dealings with customers, vendors and competitors
• Reporting ethical concerns
•  
• Governance, Risk and Compliance
• The definition of Governance, Risk and Compliance
• The need for Internal Controls
• Understand how to identify, mitigate and control risks effectively 
• Approaches to risk assessment 
• Qualitative, quantitative
• Integrating risk management into corporate governance and compliance

• Internal Controls - COSO
• The Internal Control — Integrated Framework by the COSO committee
• Using the COSO framework effectively
• The Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring
• Effectiveness and Efficiency of Operations
• Reliability of Financial Reporting
• Compliance with applicable laws and regulations
• IT Controls
• IT Controls and Sarbanes Oxley Act Relevance
• Program Development and Program Change
• Deterrent, Preventive, Detective, Corrective, Recovery, Compensating, Monitoring and Disclosure Controls
• Layers of overlapping controls
•  
• COSO Enterprise Risk Management (ERM) Framework
• Is COSO ERM needed for compliance?
• COSO AND COSO ERM
• Internal Environment
• Objective Setting
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Information and Communication
• Monitoring
• The two cubes
• Objectives: Strategic, Operations, Reporting, Compliance
• ERM – Application Techniques
• Core team preparedness
• Implementation plan
• Likelihood Risk Ranking
• Impact Risk Ranking
•  
• COBIT - the framework that focuses on IT
• Is COBIT needed for compliance?
• COSO or COBIT?
• Corporate governance or financial reporting?
• Executive Summary
• Management Guidelines
• The Framework
• The 34 high-level control objectives
• What to do with the 318 specific control objectives
• COBIT Cube
• Maturity Models
• Critical Success Factors (CSFs)
• Key Goal Indicators (KGIs)
• Key Performance Indicators (KPIs)
• How to use COBIT for Sarbanes Oxley compliance
   

• The Sarbanes Oxley Act
• The Need
• US federal legislation: Financial reporting or corporate governance?
• The Sarbanes-Oxley Act of 2002: Key Sections
• SEC, EDGAR, PCAOB, SAG
• The Act and its interpretation by SEC and PCAOB
• PCAOB Auditing Standards: What we need to know
• Management's Testing
• Management's Documentation
• Reports used to Validate SOX Compliant IT Infrastructure
• Documentation Issues
•  
• Sections 302, 404, 906: The three certifications
• Sections 302, 404, 906: Examples and case studies
• Management's Responsibilities
• Committees and Teams
• Project Team – Section 404: Reports to Steering Committee
• Steering Committee – Section 404: Reports to Certifying Officers and cooperates with Disclosure Committee
• Disclosure Committee: Reports to Certifying Officers and cooperates with Audit Committee
• Certifying Officers and Audit Committee: Report to the Board of Directors
•  
• Control Deficiency
• Deficiency in Design
• Deficiency in Operation
• Significant Deficiency
• Material Weakness
• Is it a Deficiency, or a Material Weakness?
• Reporting Weaknesses and Deficiencies
• Examples
• Case Studies
• Public Disclosure Requirements
• Real Time Disclosures on a rapid and current basis?
• Whistleblower protection
• Rulemaking process
• Companies Affected
• International companies
• Foreign Private Issuers (FPIs)
• American Depository Receipts (ADRs)
• Employees Affected
• Effective Dates
   

 

 

 

Objectives:

This course has been designed to provide IT and Information Security professionals with the knowledge and skills needed to understand and support regulatory compliance and enterprise wide risk management, and to promote best practices and international standards that align with business and regulatory requirements. The course provides with the skills needed to pass the Certified Information Systems Risk and Compliance Professional (CISRCP) exam.

 

Target Audience:

This course is intended for IT and Information Security professionals that want to understand risk and compliance and to work as risk and compliance officers, or IT managers and directors (and need to understand compliance and business risk management). They will prove that they are qualified, when they pass the Certified Information Systems Risk and Compliance Professional (CISRCP) exam.

This course is intended for employers demanding qualified IT and Information Security risk and compliance professionals.

This course is recommended for senior executives with IT and Information Security background involved in risk and compliance.

 

About the Course

 

PART A: COMPLIANCE WITH LAWS AND REGULATIONS, AND RISK MANAGEMENT

• Introduction
• Regulatory Compliance and Risk Management. Definitions, roles and responsibilities
• The role of the board of directors, the supervisors, the internal and external auditors
• The new international landscape and the interaction among laws, regulations, and professional standards
• The difference between a best practice and a regulatory obligation
• Benefits of an enterprise wide compliance program
• Compliance culture: Why it is important, and how to communicate the regulatory obligations
•  
• Policies, Workplace Ethics, Risk and Compliance
• Policies, procedures and the ethical code of conduct
• Privacy and information security
• Handling confidential information
• Conflicts of interest
• Use of organizational property
• Fair dealings with customers, vendors and competitors
• Reporting ethical concerns
•  
• Governance, Risk and Compliance
• The definition of Governance, Risk and Compliance
• The need for Internal Controls
• Understand how to identify, mitigate and control risks effectively 
• Approaches to risk assessment 
• Qualitative, quantitative
• Integrating risk management into corporate governance and compliance
•  
• IT, Information Security, business risk and compliance

 

• Internal Controls - COSO
• The Internal Control — Integrated Framework by the COSO committee
• Using the COSO framework effectively
• The Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring
• Effectiveness and Efficiency of Operations
• Reliability of Financial Reporting
• Compliance with applicable laws and regulations
• IT Controls
• IT Controls and Sarbanes Oxley Act Relevance
• Program Development and Program Change
• Deterrent, Preventive, Detective, Corrective, Recovery, Compensating, Monitoring and Disclosure Controls
• Layers of overlapping controls
•  
• COSO Enterprise Risk Management (ERM) Framework
• Is COSO ERM needed for compliance?
• COSO AND COSO ERM
• Internal Environment
• Objective Setting
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Information and Communication
• Monitoring
• The two cubes
• Objectives: Strategic, Operations, Reporting, Compliance
• ERM – Application Techniques
• Core team preparedness
• Implementation plan
• Likelihood Risk Ranking
• Impact Risk Ranking
•  
• COBIT - the framework that focuses on IT
• Is COBIT needed for compliance?
• COSO or COBIT?
• Corporate governance or financial reporting?
• Executive Summary
• Management Guidelines
• The Framework
• The 34 high-level control objectives
• What to do with the 318 specific control objectives
• COBIT Cube
• Maturity Models
• Critical Success Factors (CSFs)
• Key Goal Indicators (KGIs)
• Key Performance Indicators (KPIs)
• How to use COBIT for Sarbanes Oxley compliance
•  
• The alignment of frameworks
• COSO and COBIT
• COSO ERM and COBIT
• ITIL and COBIT
• ISO/IEC 17799:2000 and COBIT
• ISO/IEC 15408 and COBIT
•  
• Software and Spreadsheets
• Is software necessary for risk and compliance?
  Is software needed?
• When and why
• How large is your organization?
• Is it geographically dispersed?
• How many processes will you document?
• Are there enough persons for that?
• Selection process
•  
• Spreadsheets
• It is just a spreadsheet…
• Certain spreadsheets must be considered applications
• Development Lifecycle Controls
• Access Control (Create, Read, Update, Delete)
• Integrity Controls
• Change Control
• Version Control
• Documentation Controls
• Continuity Controls
• Segregation of Duties Controls
• Spreadsheets – Errors
• Spreadsheets and material weaknesses
• Third-party service providers and vendors
• Redefining outsourcing
• Key risks of outsourcing
• What is needed from vendors and service providers
• SAS 70
• Type I, II reports
• Advantages of SAS 70 Type II
• Disadvantages of SAS 70 Type II