Success with SOX

1
Success with SOX
  • Tina Slankas, PMP
  • Darryl Harvey

2
Overview
  • SOX Overview
  • Players
  • Project Methodology
  • Documentation
  • Results
  • Buy-in
  • Take-away

3
Overview - Definition of SOX
  • Sarbanes-Oxley Act of 2002 (SOX)
  • Provides for new corporate governance rules,
    regulations and standards for specified public
    companies
  • Many sections within the Sarbanes-Oxley Act
  • Focus on section 404 internal control over
    financial reporting
  • Requires involvement of management
  • Management must assess the effectiveness of the
    organization's internal control over financial
    reporting
  • Management must annually report the result of
    that assessment
  • Source: IT Control Objectives for Sarbanes-Oxley,
    IT Governance Institute

4
Overview - Why was it implemented?
  • Response to major corporate and accounting
    scandals
  • Scandals resulted in a lack of confidence in the
    financial markets
  • Most extensive reform since the Securities Act of
    1933 and the Securities Exchange Act of 1934.

5
Overview - Why does it matter?
  • Financial Statements must be certified by the CEO
    and CFO.
  • The certification must fully comply with
    provisions of the Securities Exchange Act
  • Maximum penalties for willful and knowing
    violations of this section are a fine of not more
    than $500,000 and/or imprisonment of up to 5
    years.

6
Players - Who's Who
  • Executive Management
  • Cycle Owner
  • Functional Designate
  • Finance Business Owners
  • Control Owners
  • Project Managers
  • Facilitator
  • External Auditor

7
Players - Executive Level
8
Players - Cycle Level
9
Players - Cycle Level
10
Testing Team Roles & Responsibilities
VP Auditing Services
  • Provides oversight and strategic direction to the
    Testing Validation and QA team
Testing Guidelines and Methodology Lead
  • Establishes AWS Testing Standards.
  • Provides direction and guidance to Business
    groups regarding testing. Addresses questions.
  • Reviews and determines the need to revise AWS
    Testing Standards, and verifies that any
    exceptions to standards are appropriate.
Director, Validation Testing Oversight
  • Manages validation testing teams to re-perform
    and independently perform tests of key controls
  • Directs quality assurance review of test design
    and test results
  • Resolves testing issues and develops company
    testing policy
  • Communicates test results and preliminary
    evaluation of control deficiencies.
Test Team Project Manager
  • Maintains the test team enterprise schedule
  • Validates dates with all project managers
  • Project reporting
Testing Validation Teams (Business Process,
Application Controls, GCCs)
  • Conduct procedures to independently validate
    management's testing results
  • Report results of validation testing to the
    Testing QA Team.

11
Players - PMO Strategy
A PMO has been established to drive successful
delivery. The Company must comply with the
Sarbanes-Oxley Act in FY2004 in order to remain
listed on the NYSE and facilitate the pending
acquisition. The SOX404 Program has been
established to accomplish the following:
  • Gain Section 404 approval from external auditors
  • Establish the ongoing compliance framework

The PMO is working through these major challenges:
  • Enabling current work to continue on track while
    performing due diligence on the plan
  • Establishing common processes, tools and
    standards for disparate projects and
    organizations
  • Transitioning quickly to a fully functioning PMO
    in May

The approach provides disciplined management
across projects (horizontal) to assure quality
and across the lifecycle (vertical) to assure
plan completion.

Time is critical and success is the only option!
Senior Leadership is engaged via the Steering
Committee, Senior Leadership Team (SLT) and
Functional Designates (FD) to ensure alignment
across the enterprise and provide strong
sponsorship.
12
Players - PMO Perspective
During my project there were 17 Business Cycles
which cut across the entire organization.
13
Methodology - Cycle Project Phases
The following represent the standard project
phases and key milestones, with high level
estimates for the distribution of the work effort.
14
Methodology - Scope Identification
Stage 1: Cycle Project Team maps in-scope
accounts/applications given by the PMO to the
high-level Business Processes that impact them.
  Deliverables: 2.1 Scope Summary, 2.2 Trial
  Balance Sheet, 2.3 Trial Income Statement,
  2.4 Applications in Scope, 2.5 Applications Out
  of Scope
  [Diagram: Balance Sheet accounts (Cash, PPE, ...),
  Income Statement accounts (Services, CGS, Tax) and
  Applications (Oracle, RIMS, PeopleSoft) mapped to
  In Scope Processes]
Stage 2: Process Facilitator drafts the High
Level Cycle Diagram that confirms the high-level
scope.
  Deliverables: 1.3 Key Process Roadmap (draft),
  1.11 Project Plan, 1.12 Contact List
  [Diagram: High Level Cycle Diagram]
Anticipate that less than 20% of the in-scope
processes or applications will fall into the
"not sure" category.
15
Methodology - Cycle Documentation (part 1)
Stage 3: Cycle Project Team conducts a high-level
risk assessment which serves as a starting point
for identifying potential key controls and the
detailed processes/applications which need to be
documented.
  Deliverables: 1.9 Combined Key Control Matrix
  (draft), 5.1 SAS70 Vendor Request, Position paper
  (if needed) for scope rationale, TBD COSO
  Evaluation???
  [Diagram: High Level Cycle Diagram]
  "Not sure" process questions should be resolved
  by this point.
Stage 4: Cycle Project Team reviews (or creates,
if they don't already exist) detailed
process/application diagrams that link to the
in-scope high-level Business Processes where
potential key controls exist.
  Deliverables: 1.3 Key Process Roadmap,
  1.4 Application Flow, 1.5 Transactional Flow,
  1.6 Key Process to Detailed Process Mapping,
  3.2 Detailed Process Flow, 4.3 Detailed
  Application Flow
  [Diagram: Detailed Process Diagrams and Detailed
  App Diagram. Legend: for-sure process, in-scope
  application, not-sure process, detailed process
  steps, risk area]
16
Methodology - Cycle Documentation (part 2)
Stage 5: Process Owners create the inventory of
controls for their specific process based on the
cycle-level risk areas identified.
  Deliverables: 3.3 Detailed Process Control
  Matrix, 4.4 Detailed Application Control Matrix
  [Diagram: High Level Cycle Diagram, Detailed
  Process Diagrams and Detailed App Diagram, each
  linked to its Control Matrix. Legend: for-sure
  process, in-scope application, not-sure process,
  detailed process steps, risk area, control]
Stage 6: Process Owners create the Detailed
Narrative for their specific process.
  Deliverables: 3.1 Detailed Process Narrative,
  4.1 Detailed Application Cover Sheet,
  4.2 Detailed Application Narrative
  [Diagram: Detailed Process Diagrams]
17
Methodology - Cycle Documentation (part 3)
Stage 6a: SAS70 preparation begins and occurs in
parallel for outsourced parts of the Cycle with
key controls.
  Deliverable: 5.1 SAS70 Vendor Request (if not
  previously created)
Stage 7: Process Facilitator guides Process
Owners and Application SMEs to create the
Combined Key Control Matrix, focusing on
application controls first.
  Deliverables: 1.9 Combined Key Control Matrix
  (final), 5.3 SAS70 Risk Assessment, 5.6 SAS70
  Control Objectives
  Gating Signoff:
  • Cycle Owner or FD
  • Finance Owner
  • Process Owners
  • Project Managers
  • Process Facilitator
  • PMO Process Lead
  • PMO App Control Lead
  • PMO SAS70 Lead
  [Diagram: High Level Cycle Diagram, Detailed
  Process Diagrams and Detailed App Diagram with
  their Control Matrices, rolled up into the
  Combined Key Control Matrix. Legend: for-sure
  process, in-scope application, not-sure process,
  detailed process steps, risk area, control]
Stage 8: Known gaps that can be identified while
creating the Combined Key Control Matrix are
documented.
  Deliverables: 1.9 Combined Key Control Matrix
  (updated with gaps), 1.10 Gap Remediation Plan
18
Methodology - Business Testing
Stage 9: Test plans are created for only those
items that were included in the Integrated Key
Control Matrix.
  Deliverables: 3.4 Process Test Plan, 3.5 Process
  Test Detail Sheet, 4.5 Application Test Plan,
  4.6 Application Test Detail Sheet
  Gating Signoff:
  • Process Owner
  • Test Plan Author
  • PMO Test QA SME
  [Diagram: Combined Key Control Matrix feeding
  Test Plans]
Stage 10: Within impacted work groups, test
preparation is completed (e.g., gather artifacts,
build application queries, etc.).
Stage 11: Tests are executed by someone not
responsible for that function and results are
recorded in Test Summaries.
  Deliverables: 3.4 Process Test Plan (updated with
  results), 4.5 Application Test Plan (updated with
  results)
  Gating Signoff:
  • Tester
  • Process Owner
  • PMO Test QA SME
  • Validation Test Lead
  [Diagram: Testers execute Test Plans and produce
  the Test Summary]
19
Methodology - Validation Testing
Stage 12: Audit Services performs Validation
Testing while PMO Test QA SMEs assess test
results and gaps identified.
  Deliverable: 6.1 Cycle Test Signoff
  Gating Signoff:
  • Validation Tester
  • Validation Test Lead
  • Process Owner
  • PMO Test QA SME
  • Cycle Owner or FD
  [Diagram: Validation Testers re-execute Test
  Plans against the Test Summary]
Stage 13: Key Controls that did not pass the
test are recorded on the Gap Inventory.
  Deliverable: 1.9 Combined Key Control Matrix
  (updated with gaps)
  [Diagram: Test Summary feeding the Gap Inventory]
20
Methodology - Gap Assessment
Stage 14: Gaps are prioritized and remediation
plans are created.
  Deliverable: 1.10 Gap Remediation Plan
  [Diagram: prioritized Gap Inventory feeding
  Remediation Plans]
Stage 15: Remediation work is completed, then
the Cycle Project Team iterates through testing
again (including QA and gating signoffs).
  Deliverables: 1.9 Combined Key Control Matrix,
  1.10 Gap Remediation Plan, 3.4 Process Test Plan,
  3.5 Process Test Detail Sheet, 4.5 Application
  Test Plan, 4.6 Application Test Detail Sheet
21
Methodology - Cycle Wrapup
Stage 16: Final Narratives are produced for the
Cycle and Processes.
  Deliverables: 1.7 Cycle Level Narrative,
  1.8 Process Level Narrative
Stage 17: Cycle Wrapup is conducted after all
gating checklists have been verified as
completed. The final Binder is reviewed and
approved by the Cycle Owner.
  Deliverables: 6.3 404 Readiness Checklist,
  6.4 Process Team Signoff
  Gating Signoff:
  • Cycle Owner
  • SOX404 Program Manager
  • Audit Services VP
  • IT Risk Management VP
22
Documentation
  • Binders to be delivered to External Auditor
  • QA of Binder Materials
  • Table of Contents
  • Shared Portal

23
Documentation - QA of Binder Materials
  • Independent Auditor Review
  • When - Ongoing during development
  • What - All cycle teams are meeting with the
    Independent Auditor to review documents and
    receive feedback on specific documentation and
    key control selection. These meetings will
    continue as long as cycle teams feel that it is
    necessary to continue meeting with the
    Independent Auditor.
  • PMO Quick Hit Review
  • When - Ongoing as documentation is completed
  • What - The Process and Test Teams will be
    reviewing documentation completed to date for
    each cycle that is out on the eRoom. This will
    be both a quality and completeness review. The
    Process Team will QA the business documentation
    and the Test Team will QA the test documentation.

24
Documentation - QA Binder Materials
  • External Auditor Pre-Audit Review
  • When - Pre-audit. The cycles selected for review
    will be notified via a separate communication.
  • What - External Auditor will walk through the
    documentation the cycle has created and provide
    feedback.
  • PMO Final QA Review
  • When - Once a cycle binder is complete.
  • What - The PMO will complete a final quality
    review of each of the cycle binders prior to
    hand-off to the External Auditor.

25
Documentation - Table of Contents
26
Documentation - Table of Contents
27
Documentation - Shared Portal
28
Results
  • All Cycles were documented
  • All controls were tested and validated
  • Client able to meet deadline for sale
  • External Auditor able to reach finding on
    documentation

29
Buy-In
  • Client budgeted for effort (time, resources, $)
  • Control Owners active in process
  • Financial Business Owners active in process
  • Client budgeted for 2005 (time, resources, $)
  • Same PMO
  • Dedicated Testing Resources
  • Dedicated Documentation Resources

30
Take-Aways
  • Get the right resources
    - Don't just use Auditors - YOU NEED PMs
    - What is this company's competency?
    - What is this company's SOX experience?
    - Are you going to use internal resources?
    - Success stories
  • Define your timelines
    - What documentation do you have today?
    - What documentation do you need?
    - Who will be involved?
    - What is your budget?