A Sarbanes-Oxley Roadmap to Business Continuity - PowerPoint PPT Presentation

1 / 31
About This Presentation
Title:

A Sarbanes-Oxley Roadmap to Business Continuity

Description:

... Quantitatively significant Material Weakness More than remote and Material to Financial Statements *Source: Does Your SOX 404 Work Measure Up?, ... – PowerPoint PPT presentation

Number of Views:296
Avg rating:3.0/5.0
Slides: 32
Provided by: EricS163
Category:

less

Transcript and Presenter's Notes

Title: A Sarbanes-Oxley Roadmap to Business Continuity


1
  • A Sarbanes-Oxley Roadmap to Business Continuity
  • NEDRIX Conference
  • June 23, 2004
  • Dr. Eric Schmidt
  • eschmidt_at_controlsolutions.com

2
Background
  • In July of 2002, U.S. Congress passed the
    Sarbanes -Oxley Act (SOX) mandating that all
    public companies (SEC registrants) make changes
    to the way their financial results are reported.
  • Legislation was a response to the high profile
    failures experienced in the United States during
    2001-02 and intended to be a massive
    restructuring to the regulatory system governing
    US capital markets that would improve the
    quality of financial reporting and disclosures.
  • Public Company Accounting Oversight Board (PCAOB)
    was created to oversee the activities of the
    auditing profession.

3
The Sarbanes-Oxley Act contains two Sections
(302, 404) dealing with management responsibility
for controls and one Section (409) on real-time
reporting
4
Three Sources of SOX Guidelines
Frameworks
Best Practices
Future Standards
CobiT
COSO
5
Departments Impacted by SOX
Finance 100
IT 95.7
Sales 43.5
Human Resources 39.1
Customer Service 30.4
Marketing 17.4
Other 8.7
Source The Robert Francis Group Source The Robert Francis Group
6
SOX-Driven Changes
Which of the following is the company changing to address SOX? Which of the following is the company changing to address SOX?
Audit Procedures 78.3
Reporting Procedures 52.2
Financial Systems 43.5
Re-training of Personnel 26.1
Organizational Structure 21.7
Reporting Frequency 21.7
Reporting Technologies 17.4
Source Robert Francis Group Source Robert Francis Group
7
Complexity of SOX for IT
How does SOX compare with other compliance or regulatory projects in IT in terms of complexity and impact of resources and expense? How does SOX compare with other compliance or regulatory projects in IT in terms of complexity and impact of resources and expense?
Higher 30.4
Not sure/Do Not Know 26.1
Same 17.4
Much Higher 17.4
Lower 4.3
Slightly Higher 4.3
Source Robert Francis Group Source Robert Francis Group
48 rated SOXimpact as higher
8
Does SOX Mandate an Enterprise-wide Business
Continuity Process?
  • NO
  • A BCP is not required by PCAOB (March 2004)
  • SAS70 (type 2)
  • 3rd party service providers
  • AICPA suspended BCP requirement during SOX
  • Growing number of executives influenced by
    external auditors with knowledge of business
    continuity and potential risks
  • Conclude they must have business continuity
    processes or show why they do not

9
Defining Internal Control (IC)
  • Section 404 attestation is based on two
    assessments
  • Adequate documentation of ICs
  • Sufficient evidence (testing)
  • A company must have a framework against which
    management can make assertions
  • Completeness
  • Accuracy
  • Validation (authorization)
  • Restriction

10
Whats Required for Key Controls
  • Five Ws
  • WHO performs the control?
  • WHAT is being done and WHAT could go wrong?
  • WHEN and WHERE is control being performed or
    occurring?
  • WHY is control activity performed to prevent or
    detect what?
  • What evidence is there?

11
Why are General Controls Important?
Weak General Computer Controls
Strong General Computer Controls
Automated control procedures, and manual control
procedures that use computer-generated
information, are dependent on effectiveness of
general computer controls.
12
COSO Framework
Five Components
The process to determine whether internal control
is adequately designed, executed, effective and
adaptive
The process which ensures that relevant
information is identified and communicated in a
timely manner
The policies and procedures that help ensure that
actions identified to manage risk are executed
and timely
The evaluation of internal and external factors
that impact an organizations performance
The control conscience of an organization. The
tone at the top
All five components must be in place for a
control to be effective
13
Tying It All Together
Control Environment
Application Controls
IT General Controls
Source IT Governance Institute
14
IT Control Components
IT Considerations in Control Environment
  • Systems planning
  • Governance
  • Enterprise policies
  • Operating style
  • Collaboration
  • Information Sharing
  • Code of Conduct
  • Fraud Prevention
  • Systems Security / Access
  • Change Management
  • System Development
  • Computer Operations

IT General Controls
  • Authorization
  • Configuration / account mapping
  • Exception / edit reports
  • Interface / conversion
  • System access

Application Controls
15
Roadmap to Compliance Engagement Walk-Thru
  • Tone at the Top
  • Assertions (C, A, V, R)
  • Definition of Materiality/Significance
  • Significant Accounts and Processes
  • Scope locations, cycles
  • Control framework
  • Remediation
  • Testing
  • Management certification

16
Roadmap to Compliance Phase I Tone at the Top
  • Identify all relevant documents, policies,
    procedures and communications
  • Audit Committee Charter
  • Standards of Conduct
  • Officer Code of Ethics
  • Complaint Reporting Mechanisms
  • Whistleblower Policies
  • Assess adequacy of documentation and tone
  • Internal audit monitoring and risk assessment

17
Roadmap to Compliance Phase II Entity Level
Assessment
  • ID material reporting organizations
  • ID material units within each organization
  • Materiality based on
  • Revenue / Assets
  • Subjectivity of entries / reporting
  • Extraordinary / one-time charges
  • History of issues

18
Roadmap to Compliance Phase III Process Mapping
  • Cycle reviews begin with the cycles selected
    being based on the legal entity assessment in
    Phase II.
  • Documentation of each cycle
  • Narrative of key controls
  • Process Map (Flow chart)
  • Control Matrix including all control objectives
    (Excel or software tool)
  • Documents aim to provide external audit firms
    with a complete understanding of the flow of
    transactions and controls in place.

19
Roadmap to Compliance Phase IV Overall Internal
Control Effectiveness
  • Evaluation of the overall effectiveness of
    internal controls, identification of matters for
    improvement and the establishment of monitoring
    systems.
  • Management assessment of effectiveness of
    controls.
  • Internal Audit provides a report detailing areas
    for improvement and recommendations for ensuring
    an environment of continuous monitoring to
    maintain the system of internal control and take
    corrective action in a timely manner when
    necessary.
  • External Audit Firm will commence its Attestation
    Dry Run

20
SOX Compliance Roadmap
Source www.erm.coso.org
21
Alignment with Business Continuity
  • Management involvement
  • Risk Management
  • Process and Change Management
  • IT role

22
Key Aspects of SOX Audit
  • Segregation of Duties is Key
  • IT roles separate from process owners,
    specifically those in Finance
  • Hand off from process owners requires control
    duality
  • Program Application specific
  • IT Process owner
  • Manual Automated
  • Preventative Detective
  • Change Management is Critical
  • Records and document management
  • Configuration management
  • Business process and controls changes
  • Access Restriction (Security) is Mandated

23
Program Development
  • Project management standards are defined and used
    for all aspects of system development life cycle
    (SDLC)
  • Project initiation
  • Analysis and design
  • Construction or package selection
  • Testing and quality assurance
  • Data conversion
  • Go-live
  • Documentation and training

24
Program Changes
  • Project management standards are defined and used
    for all aspects of the program change cycle
  • Specification, approval and tracking of change
    requests
  • Construction
  • Testing and quality assurance
  • Authorization of transfers to live environment
  • Including emergency fixes and access to live
    environment
  • Documentation and training

25
Situational Assessment
A recent Deloitte survey of Fortune 500 companies
indicates that a significant amount of work
remains
Source Does Your SOX 404 Work Measure Up?, IIA
webcast May 25, 2004
26
What Constitutes a Gap?
Type
Likelihood Magnitude
and/or
Inconsequential
Deficiency
Remote
and
More than Inconsequential or Quantitatively
significant
Significant Deficiency
More than remote
More than remote
and
Material to Financial Statements
Material Weakness
Source Does Your SOX 404 Work Measure Up?, IIA
webcast May 25, 2004
27
A Word on Testing
Plan carefully to avoid mixed results because
tests are not well designed
ProgramTesting
IT Management and interaction with process owners
and stakeholders
Functional and transaction based for systems key
to financial statements and reporting, plus
critical systems
Application Testing
Shared services and support systems OS,
networks, backup, etc.
Infrastructure Testing
Slowly changing systems, COTS
Benchmark Testing
28
Remediation Challenges
  • Effective Decision Governance Process
  • Complex Program Management Initiatives
  • Significant IT Environment Changes
  • Impact on Human Resources
  • Complex Re-testing, Roll-Forward Testing
    Activities
  • Overall Need for Best Practices

29
Span of Enterprise Risk Management
Operational Risk
Market Risk
Credit Risk
Operational Risk Management (ERM) Overall
compliance
Integrated solutions
Compliance
Sarbanes-Oxley
Government Regulations
HIPPA
302
Quarterly Certification by C-Level Management
SOX ComplianceRequirements Control Assurance
Patriot
Basel II
404
Control Documentation and Testing
GLBA
409
Real-time Reporting
FFIEC
NRC
30
Risk Management Business Continuity
  • Disciplines of business continuity and risk
    management often blurred
  • Use similar tools and techniques, including risk
    assessment, business continuity planning, and
    BIAs
  • Business continuity encompasses all processes
    necessary to restore business functionality
    during a time of crisis
  • Risk management incorporates a wider variety of
    functions, including positive impact, negative
    impact, and business non-stoppage
  • Inherent value of business continuity is clearer
    when we consider that not all risks can be
    managed
  • Unless risk management and business continuity
    are institutionalized into day-to-day activities,
    organizations will find themselves exposed

31
Questions?
Source John Wehr
Source John Wehr
Write a Comment
User Comments (0)
About PowerShow.com