Rose Andert and Lance Wright - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Sarbanes-Oxley and Information Technology: Linking Technology Risks and Controls to Sarbanes-Oxley Section 404 Initiatives
  • Presented by Rose Andert and Lance Wright, Protiviti

2
Approach to IT General and Application Controls Assessment
IT general controls and the underlying application controls they support are increasingly relied upon by companies in protecting the integrity of the financial information used in financial statements. External auditors and regulators continue to focus a spotlight on the topic.
Assessment phases (from the slide's flow diagram):
  • Entity-Level Controls Evaluation
    • IT Governance Activities
    • Monitoring Controls
    • IT Policies and Procedures
  • IT General Controls and Processes
    • Gain Understanding of Current Environment: Change Management, Security, Computer Operations, Backup and Recovery
    • Assess Inherent Risks
    • Review Identified System Infrastructure Controls
    • Test Identified Key System and Infrastructure Controls
    • Assess Control Gaps and Residual Risk
  • Application Level Controls
    • Edit checks
    • Three-way match
    • Transaction thresholds/limits
    • Calculations, posting, and data validation
    • Application security/logical segregation of duties
    • Review Identified Application Security Controls
    • Test Identified Key Application Security Controls
    • Assess Control Gaps and Residual Risk
  • Analyze Test Results
    • Evaluate sample results
    • Formulate interim testing conclusions
    • Document adequacy of control environment
  • Update Testing
    • Update testing documentation
    • Perform refresh testing
    • Finalize operating effectiveness assertion
    • Assess noted exceptions

3
SOX 302 and 404 Requirements
  • Section 302 Requirements
    • Certification/disclosure in quarterly/annual SEC reports by CEO and CFO
    • Disclosure of effective controls/procedures
    • Disclosure of significant deficiencies
  • Section 404 Requirements
    • Management report on internal control over financial reporting
    • Documentation of control design and effectiveness testing
    • Disclosure of any material weaknesses
    • Attestation by external auditors

4
Failure to Comply with SOX
  • Potential market implications
    • Negative press/perception
    • Lower stock price
    • Difficulties in accessing capital markets
    • Difficulties attracting qualified associates
  • Civil implications
    • Monetary penalties
    • Restrictions to public market
  • Criminal implications
    • Bernard Ebbers, CEO of WorldCom: 25 years
    • Jamie Olis, midlevel executive at Dynegy: 24 years
    • John and Tim Rigas, founders of Adelphia: 15 years
    • Andrew Fastow, CFO of Enron: 10 years

5
COSO Internal Control Framework
  • Consists of three objectives
    • Effectiveness and efficiency of operations
    • Reliability of financial reporting
    • Compliance with applicable laws and regulations
  • Consists of five elements
    • Control environment
    • Risk assessment
    • Control activities
    • Information/Communication
    • Monitoring
  • Requires an entity-level focus and an activity-level focus

6
Applying the COSO Framework
  • Section 404 applies to financial reporting
  • Review could be expanded to other objectives
  • COSO components must be assessed at both the entity and process levels
  • COBIT framework is used to augment COSO for Information Technology General Controls

Diagram: some control processes address multiple objectives (Regulatory Compliance, Financial Reporting, Operations).
7
Overall Approach to Technology
  • FOUR STEPS
    • (1) Understand the applications associated with the critical business processes related to financial-related internal controls
    • (2) Understand the key IT risks related to these applications
    • (3) Understand the IT processes which support these key applications and the IT infrastructure components that could compromise data and processing integrity
    • (4) Perform risk and control documentation for
      • Application level controls and procedures
      • IT supporting processes (Information Technology General Controls)

8
Step 1 - Determine Critical Applications for Key Business Processes
Map each critical process affecting priority financial reporting elements to the appropriate application(s).
9
Step 2 - Determine Key Risks for Critical Applications
Diagram: for a sample business process, identify its applications, complex calculations, key interfaces, and key management reports.
10
Step 3 - Document IT General Controls Supporting the Key Applications
11
Step 4 - Evaluate Risks and Controls Related to Applications and Processes
  • Once the critical IT applications and processes are identified, evaluate risks and controls for technology-related risks in two broad areas:
    • Information Technology General Controls: the IT organization and structure that supports the critical applications and data
    • Application and Data Ownership: applications and data relevant to the financial statements and disclosure
12
Information Technology General Controls
IT General Controls -- Entity Level Assessment
Typically the CIO:
  • Participates on the Section 404 Compliance Steering Committee
  • Communicates importance of internal controls within the IT organization
  • Understands and documents the IT organization's role in internal control over financial reporting
  • Determines where risks are related to the internal control areas (based on how the IT processes affect the integrity of applications and data)
  • Documents internal controls related to mitigation of the risks
  • Develops monitoring mechanisms so that control breakdowns or issues would be identified on a timely basis

13
Application and Data Owner Governance
Applications and Data Entity Level Assessment
Within the organization, ownership of the applications and data should be specified with someone in the business organization. These owners:
  • Determine the effect their applications have on the key processes and periodically update this determination and assessment
  • Work with the CIO to establish the entity-wide processes that impact the performance of applications germane to the activities of business process owners:
    • Change control processes
    • Segregation of incompatible duties
    • Business impact analysis and continuity planning
  • Develop and implement monitoring procedures which would detect control issues in the above areas

14
Risk and Control Documentation -- Sample Document that Considers Each IT Component
  • Once the assertions and risks have been identified, the mitigating controls should be identified
  • As these controls and risks are identified, consideration should be given to IT components that are relevant to concluding on the financial statement assertions:
    • Applications
    • Databases
    • Platforms
    • Networks

Sample document columns: Processes; Risks and Controls.
15
Process Evaluation Cycle
  • Identify Process
  • Document Process
  • Modify Process (if needed)
  • Identify Risks and Controls
  • Determine if Process is Adequate
  • Evaluate if Risks are Mitigated and Objectives Met
  • Evaluate Design Effectiveness of Controls
  • Test Controls
  • Evaluate Operating Effectiveness of Controls
  • Analyze Test Results
16
SOX IT Integration
  • In Summary
    • IT controls assessments should be integrated within the assessment of business process risks and controls
    • Understand the overall IT organization when planning and organizing the project and during the entity-level assessment
    • Understand the applications that affect the critical processes relating to financial reporting
    • All work focuses on financial reporting assertions, i.e., how do the IT controls relate to achievement of the assertions?
    • State the effect of the applications in the form of the additional risks at the business process level (within the context of the assertions)
    • Overall work in IT will include a review of (1) IT processes that are entity-wide in scope and (2) IT controls within applications that affect the critical business processes

17
About Protiviti
18
Global Presence
Office locations (map): Cleveland, Cincinnati, Toronto, Milwaukee, Chicago, Minneapolis, St. Louis, Kansas City, Salt Lake City, Seattle, Netherlands, London, Portland, Boston, San Francisco, New York, San Jose, Tokyo, Osaka, Philadelphia, Sacramento, Pittsburgh, Los Angeles, Baltimore, Phoenix, Washington DC, Beijing, Shenzhen, Shanghai, Richmond, Denver, Atlanta, Mexico City, Memphis, Delhi, Dallas, Caracas, Hong Kong, Bangalore, Houston, Mumbai, Ft. Lauderdale, Lima, Singapore, Tampa, Orlando, Paris, Milan, Rome, Turin
  • Australia: Adelaide, Brisbane, Sydney, Melbourne

Map legend: Protiviti; Protiviti Alliance
19
Key Service Offerings
  • Business Risk Services
    • Corporate Governance
    • Enterprise Risk Mgmt.
    • Financial Process Effectiveness
    • Spend Risk Solutions
    • Supply Chain Risk
    • Revenue Optimization
    • Contract Management
    • Event Response
    • Construction Project Risk
  • Internal Audit Services
    • Co-Sourcing
    • Full Out-Sourcing
    • IT Internal Audit
    • Quality Assurance Reviews
    • Internal Audit Transformation
    • Special Projects
  • Technology Risk Services
    • Application Controls Effectiveness
    • Security and Privacy
    • Business Continuity
    • Project Risk Management
    • Technology Change Management
    • IT Asset Management

20
What Makes Us Different?
  • Protiviti fills a unique and valuable position in the market, as depicted below. We bring a unique blend of knowledge and experience to the table which combines the focus, dedication and independence of a boutique firm with the methodologies and tools, global presence, and deep skill-sets of the Big 4.
  • Big Four
    • Recognized in the marketplace
    • Global presence
    • Methodologies and tools
    • Experienced professionals
    • Depth of risk consulting services
    • Financial management stability
  • Boutique
    • Lack of SEC restrictions
    • Responsive client service
    • Focus on core technology risk, business risk and internal audit offerings
    • Independent from attest and tax services
    • Better teaming with external auditors

21
Representative Clients (client logos shown; all logos used with client permission)
22
Risk Management Thought Leadership
With numerous published newsletters, articles, and thought pieces, we have established ourselves as a recognized thought leader in corporate governance, internal audit, enterprise risk management, and technology risk management areas.
KnowledgeLeader (SM) is a subscription-based website (www.knowledgeleader.com) that provides tools, templates and resources to help you save time, stay up-to-date, and manage business risk. The material is focused on business risk, technology risk and internal audit and is updated weekly.
23
Questions???
www.Protiviti.com
Rose Andert (rose.andert@protiviti.com), Lance Wright (lance.wright@protiviti.com)