Passive to Aggressive - PowerPoint PPT Presentation

About This Presentation
Title:

Passive to Aggressive

Description:

Serena's SOX Solution with TeamTrack. Let's Talk. How's it going? I hear it ... Serena TeamTrack helps design, implement and enforce the enterprise processes ... – PowerPoint PPT presentation

Slides: 49
Provided by: isacaed

Transcript and Presenter's Notes

Title: Passive to Aggressive


1
Passive to Aggressive
  • A New Strategy for Information Technology
  • Compliance

2
Agenda
  • First, a chat.
  • Process for SOX
  • Manual Process Examples
  • Workflow Management Process
  • Serena's SOX Solution with TeamTrack

3
Let's Talk
  • How's it going? I hear it might rain today.

4
Process for SOX
  • IT Process SOX Controls
  • Based on COBIT
  • 32 overall controls
  • 124 Detailed process considerations
  • Internal Control Testing
  • Based on COBIT
  • 32 overall controls
  • 124 detailed considerations
  • 72 pieces of walkthrough evidence

5
Types of Processes
  • Change Approval
  • Incident Management
  • Policy Review
  • Operations Daily Checklist
  • Backup Request

6
Manual Process Examples
  • How it can work, if it has to.

7
Change Approval
  • Change Approval Assumptions
  • 4 requests per week
  • 50 weeks per year
  • 200 requests annually

8
Change Approval (Non-Sequential)
  • Minimum number of email exchanges per request: 8
  • Total number of email exchanges: 1600 (8 x 200 = 1600)

9
Change Approval (Sequential)
  • Minimum number of email exchanges per request: 5
  • Total number of email exchanges: 1000 (5 x 200 = 1000)

10
Change Approval (Paper)
  • Minimum amount of documentation per request: 17 pages
  • Total amount of documentation generated by incident management process: 3400 pages

11
Incident Management
  • Assumptions
  • 5 days a week
  • 52 weeks a year
  • 260 days of incident management
  • 15 incidents a day
  • 3900 incidents a year

12
Incident Management Process (Email)
  • Minimum number of emails per request: 5
  • Total number of emails generated by incident management process: 19,500 (3900 x 5 = 19,500)

13
Incident Management Process (Basic Ticketing
System)
  • Minimum amount of correspondence per request: 3
  • Total amount of correspondence generated by incident management process: 11,100 (3900 x 3 = 11,100)

14
Incident Management Process (Paper)
  • Minimum amount of documentation per request: 1
  • Total amount of documentation generated by incident management process: 3900 (3900 x 1 = 3900)

15
Policy Review Process
  • Assumptions
  • 7 policies
  • 7 stakeholders
  • 1 annual review
  • 7 total number of reviews per year

16
Policy Review Process (Email Non-Sequential)
  • Minimum number of emails required per review: 15
  • Total number of emails required for entire review process: 105

17
Policy Review Process (Paper)
  • Minimum amount of documentation required per review: 1
  • Total number of emails required for entire review process: 7

18
Operations Daily Checklist
  • Assumptions
  • 5 days a week
  • 52 weeks a year
  • 260 days of review activities
  • 1 server
  • 5 log reviews per server
  • 1300 items
  • 260 x 5 = 1300 per server

19
Operations Daily Checklist (Email)
  • Minimum number of emails per review: 3
  • Total number of emails per year: 3900

20
Operations Daily Checklist (Paper)
  • Minimum number of pages of documentation per review: 65
  • (1300 / 20 items per page)

21
Operations Daily Checklist (Paper)
  • 6 servers: 6 x 1300 / 20 = 390 pages
  • 40 servers: 6 x 1300 / 40 = 2600 pages
  • 150 servers: 6 x 1300 / 20 = 9750 pages
  • 1500 servers: 6 x 1300 / 20 = 97,500 pages

22
Backup Request
  • Assumptions
  • 50 requests annually

23
Backup Requests (Email)
  • Minimum number of emails per request: 3
  • Total number of requests annually: 150

24
Backup Requests (Paper)
  • Minimum amount of documentation per request: 1
  • Total amount of documentation per year: 50

25
Manual Process Scorecard
  • Process | Email | Paper
  • Change Approval | 1600 | 3400
  • Incident Management | 19,500 | 3900
  • Policy Review | 105 | 7
  • Daily Checklist | 3900 | 370
  • Backup Request | 150 | 50
  • Total | 25,255 | 7727
  • Average | 5051 | 1545.4
  • 126,275 | 38,635

26
Workflow Management Process
  • Engineered efficiencies.

27
Workflow Management Overview

28
Change Approval
  • Minimum amount of documentation per request: 1 page
  • Total amount of documentation generated by incident management process: 200 records, 10 pages

29
Incident Management
  • Minimum amount of documentation per request: 1
  • Total amount of documentation generated by incident management process: 3900 records, 195 pages

30
Policy Review Process
  • Minimum amount of documentation required per review: 1
  • Total amount of documentation required for entire review process: 7

31
Daily Operations Checklist
  • Minimum number of pages of documentation per review: 260 records, 13 pages

32
Daily Operations Checklist
  • 6 servers: 1 x 260 / 20 = 13 pages
  • 40 servers: 1 x 260 / 40 = 13 pages
  • 150 servers: 1 x 260 / 20 = 13 pages
  • 1500 servers: 1 x 260 / 20 = 13 pages

33
Backup Request
  • Minimum amount of documentation per request: 1
  • Total amount of documentation per year: 50

34
Scorecard Revisited
  • Process | Email | Paper | Workflow Management
  • Change Approval | 1600 | 3400 | 10
  • Incident Mgmt | 19,500 | 3900 | 195
  • Policy Review | 105 | 7 | 7
  • Daily Checklist | 3900 | 370 | 260
  • Backup Request | 150 | 50 | 50
  • Total | 25,255 | 7727 | 522
  • Average | 5051 | 1545.4 | 104
  • 126,275 | 38,635 (70%) | 2610 (98%) (94%)

35
Internal Controls Testing
  • The relationship to IT process.

36
Internal Controls Testing
  • Total Amount of Evidence Generated
  • Email - 126,275
  • Paper - 38,635
  • TeamTrack - 2610
  • Total Amount of Evidence to Review
  • Email 31,568 artifacts collected and reviewed
  • Paper 9658 artifacts collected and reviewed
  • TeamTrack 652 artifacts collected and reviewed
    (Most are reviewed as exception reports)

37
Change Approval Testing (Paper)
  • Minimum amount of documentation per request: 17 pages
  • Total amount of documentation generated by incident management process: 3400 pages

38
Change Approval
  • Minimum amount of documentation per request: 1 page
  • Total amount of documentation generated by incident management process: 200 records, 10 pages

39
Incident Management Process Testing (Paper)
  • Minimum amount of documentation per request: 1
  • Total amount of documentation generated by incident management process: 3900 (3900 x 1 = 3900)

40
Incident Management
  • Minimum amount of documentation per request: 1
  • Total amount of documentation generated by incident management process: 3900 records, 195 pages

41
Policy Review Process Testing (Paper)
  • Minimum amount of documentation required per review: 1
  • Total number of emails required for entire review process: 7

42
Policy Review Process
  • Minimum amount of documentation required per review: 1
  • Total amount of documentation required for entire review process: 7

43
Operations Daily Checklist Testing (Paper)
  • Minimum number of pages of documentation per review: 65
  • (1300 / 20 items per page)

44
Daily Operations Checklist
  • Minimum number of pages of documentation per review: 260 records, 13 pages

45
Backup Requests Testing (Paper)
  • Minimum amount of documentation per request: 1
  • Total amount of documentation per year: 50

46
Backup Request
  • Minimum amount of documentation per request: 1
  • Total amount of documentation per year: 50

47
Workflow Management Software: The SOX Solution
  • How I solved my SOX problem.

48
Internal Controls Testing

49
Internal Controls Testing
  • Benefits
  • Reduces testing execution timeline by 50-70%
  • Allows for test reporting/dashboards
  • Centralized repository for testing data
  • Control testers' travel is minimized
  • Simple maintenance
  • Reporting can be representative of the internal/external auditors' documentation requirements

50
SOX Solution
  • 25 Information Technology Business Processes
  • Pre-configured based on COBIT
  • Configurable to any environment
  • Basic reporting and documentation included
  • Additional IT consulting services/assessments
    available
  • 1 Internal Controls Testing Process
  • Pre-configured based on COBIT
  • Configurable to any environment
  • Basic reporting and documentation included
  • Additional audit consulting services/assessments
    available

51
Workflow Management
  • Serena TeamTrack helps design, implement and
    enforce the enterprise processes that control
    change.
  • Business Benefits
  • Reduces need for meetings
  • Quick e-mail submission
  • Platform- and device-neutral accessibility
  • Workflow changes without work interruption
  • Real-time reporting and trend analysis
  • Localized, web-based interface
  • Integrated with Microsoft Outlook and Project

52
Workflow Management
  • IT Benefits
  • Quick and easy to deploy
  • Lower cost of ownership
  • No client installations
  • Database creation wizards
  • Graphical workflow editor
  • Customizable templates
  • Out-of-the-box integration
  • Support for Web services

53
Workflow Management
  • Workflow Automation and Process Enforcement
  • Out-Of-The-Box Or Build Your Own Workflows
  • Automatic Ownership
  • Skills-Based Routing
  • Field Ordering By Project, State or Transition
  • Required Fields By Transition
  • Default Field Values By Transition
  • Mass Transitions, Quick Transitions and Copy Transitions
  • File And URL Attachments
  • Record Locking
  • E-Mail Submission
  • XML E-Mail Submission
  • Customized and Preset E-Mail Item Notifications
  • Cross Database Posting
  • Archive Queries

54
Questions?

55
About the Speaker
  • Renee Murphy
  • Founder/Principal Consultant, fyoozhen Consulting
  • Technical Operations Process Expert and Auditor
  • renee_at_fyoozhen.com
  • Renee, a former Vice President of Technical
    Operations, has over fourteen years of technology
    experience in the software, financial,
    entertainment, retail, and service industries
    implementing Control Objectives for Information
    and related Technology (CObIT) standards
    framework for auditable IT controls and Technical
    Operations generally accepted practices for
    Sarbanes-Oxley (SOX) and regulatory compliance.
    Prior to joining fyoozhen Consulting, Renee's
    extensive experience includes serving as an
    external SOX auditor for the fifth largest CPA
    firm in the country and continues to provide
    internal audit services to several of fyoozhen's
    clients.
  • Her unique professional experience in both
    technology management and external audit gives her
    an unparalleled approach to controls testing and
    evidence generation.