IT Governance and SARBOX Compliance - PowerPoint PPT Presentation

About This Presentation
Title:

IT Governance and SARBOX Compliance

Description:

Alignment of IT with the enterprise and realization of the promised benefits ... Drive enterprise alignment. Direct management to deliver measurable value ... – PowerPoint PPT presentation

Number of Views:60
Avg rating:3.0/5.0
Slides: 43
Provided by: sonyelec

Transcript and Presenter's Notes

1
IT Governance and SARBOX Compliance
  • Presenter Lily Shue
  • Internet Now Technologies Ltd.

2
Objectives
  • Overview of
  • What is IT Governance?
  • Why IT Governance?
  • What are the relationships between IT Governance,
    SARBOX, COSO and CobiT

3
What is IT Governance?
  • Direct IT endeavors
  • Ensure the performance of IT addresses
  • Alignment of IT with the enterprise and
    realization of the promised benefits
  • Use of IT to enable the enterprise by exploiting
    opportunities and maximizing benefits
  • Responsible use of IT resources
  • Appropriate management of IT related risks

4
What is IT Governance?
Focus Areas of IT Governance
  • IT Resource Management
  • IT Value Delivery
  • IT Strategic Alignment
  • Risk Management
  • Stockholder Value Drivers
  • Performance Measurement
5
What is IT Governance?
  • IT Governance
  • Is part of a broad framework of Enterprise
    Governance
  • Is the responsibility of executives and board
    members, including
  • CIO, CEO and CFO
  • Should be addressed like any other strategic
    agenda item of the board

6
IT Governance Reporting Structures
  • (Org chart: one Board, one Executive, two Managers, four Team Leaders and twelve Teams, each level reporting to the one above)
7
IT Governance Responsibilities
  • The Board should
  • Drive enterprise alignment
  • Direct management to deliver measurable value
  • Manage enterprise risk
  • Support learning and growth and manage resources
  • Measure performance

8
IT Governance Responsibilities
  • Executive management should address the
    following board expectations
  • Cascade strategy, policies and goals down into
    the enterprise and align the IT organization with
    the enterprise goals
  • Provide organizational structures to support the
    implementation of IT strategies and an IT
    infrastructure to facilitate the creation and
    sharing of business information
  • Measure performance

9
IT Governance Responsibilities
  • Executive management should focus on
  • Core competencies that IT must support
  • Key IT processes that improve business value
  • IT competencies relate to planning and overseeing
    the management of IT assets, risks, projects,
    customers and vendors
  • Optimization of IT costs to obtain the right
    value from IT resources
  • Have clear external sourcing strategies

10
IT Governance Framework
  • Set Objectives
  • IT is aligned with the business
  • IT enables the business and maximizes benefits
  • IT resources are used responsibly
  • IT related risks are managed appropriately
  • IT Activities
  • Increase automation (make the business effective)
  • Decrease cost (make the enterprise efficient)
  • Manage risks (security, reliability and
    compliance)

  • (Diagram labels: Provide Direction, Compare, Measure Performance)
Source: ITGI Board Briefing on IT Governance
11
Why IT Governance?
  • Good governance of IT is critical in supporting
    and enabling enterprise goals
  • Boards expect management to
  • Deliver IT solutions of the right quality, on
    time and on budget
  • Harness and exploit IT to return business value
  • Leverage IT to increase efficiency and
    productivity while managing IT risks
  • Minimize negative impacts

12
SARBOX Requirements
13
SARBOX Requirements
14
SARBOX Requirements
15
COSO Components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring

16
COSO Components
  • Control Environment
  • Creates the foundation for
  • Effective internal control
  • Establishes the tone at the top
  • Represents the apex of the corporate governance
    structure
  • Applies throughout an organization
  • Addressed at the company level
  • IT frequently has characteristics that may
    require additional emphasis on business
    alignment, roles and responsibilities, policies
    and procedures, and technical competence

17
COSO Components
  • Risk Assessment
  • The identification and analysis by management of
    the relevant risks to achieving predetermined
    objectives, forming the basis for determining
    control activities
  • Occurs at the company level or at the activity
    level for a specific process or business unit
  • Control activities
  • Policies, procedures and practices that are put
    into place to ensure that business objectives are
    achieved and risk mitigation strategies are
    carried out
  • Two broad groupings of information system control
    activities
  • General controls
  • Application system development and maintenance
    controls

18
COSO Components
  • Information and Communication
  • COSO states that information is needed at all
    levels of an organization to run the business and
    achieve the entity's control objectives
  • Monitoring
  • COSO states that monitoring covers the
    oversight of internal control by management
    through continuous and point-in-time assessment
    processes
  • Two types of monitoring
  • Continuous monitoring
  • Separate evaluations
  • IT performance measures to evaluate whether the
    underlying control is operating effectively,
    defect identification and management, and
    security monitoring

19
General and Application Controls
  • Examples of general controls
  • Data center operation controls
  • System software controls
  • Access security controls
  • Application system development and maintenance
    controls
  • Examples of application controls
  • Balancing control activities
  • Check digits
  • Predefined data listings
  • Data reasonableness tests
  • Logic tests

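The application controls listed on this slide (balancing controls, check digits, predefined data listings, reasonableness tests and logic tests) can be shown working together on a single batch of journal-entry lines. The code below is an added example and is not part of the original presentation; the account codes, amount limit and sample batches are constructed values, and the check-digit scheme assumed is the mod-10 (Luhn) algorithm, which the slide itself does not specify.

```python
"""
Added example (not from the original presentation): application controls of the
kinds listed on slide 19 applied to a constructed batch of journal-entry lines.
Assumptions: the chart of accounts, the amount limit and the sample batches are
made up, and customer identifiers carry a mod-10 (Luhn) check digit.
"""
from dataclasses import dataclass

# Predefined data listing: the only general-ledger accounts this interface may
# post to (constructed sample chart of accounts).
VALID_ACCOUNTS = {"1000", "1200", "2000", "4000", "5000"}

# Reasonableness limit (constructed): a single line above this amount is held
# for review instead of being posted automatically.
MAX_LINE_AMOUNT = 1_000_000.00


def luhn_valid(number: str) -> bool:
    """Check-digit test: mod-10 (Luhn) validity of a numeric identifier."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class JournalLine:
    account: str
    amount: float     # always positive; the side says whether it is a debit or credit
    side: str         # "D" (debit) or "C" (credit)
    customer_id: str  # identifier carrying a Luhn check digit (assumption)


def validate_line(line: JournalLine) -> list[str]:
    """Run the per-line controls; returns the list of failures (empty = passes)."""
    failures = []
    if line.account not in VALID_ACCOUNTS:  # predefined data listing
        failures.append(f"account {line.account} not in predefined listing")
    if not luhn_valid(line.customer_id):  # check digit
        failures.append(f"customer_id {line.customer_id} fails check digit")
    if line.amount <= 0 or line.amount > MAX_LINE_AMOUNT:  # reasonableness test
        failures.append(f"amount {line.amount} outside reasonable range")
    if line.side not in ("D", "C"):  # logic test
        failures.append(f"side {line.side!r} is not D or C")
    return failures


def batch_balances(lines) -> bool:
    """Balancing control: total debits must equal total credits."""
    debits = round(sum(l.amount for l in lines if l.side == "D"), 2)
    credits = round(sum(l.amount for l in lines if l.side == "C"), 2)
    return debits == credits


def validate_batch(lines) -> dict:
    """Run every application control over a batch and return a report."""
    line_failures = {i: validate_line(l) for i, l in enumerate(lines)}
    line_failures = {i: f for i, f in line_failures.items() if f}
    balanced = batch_balances(lines)
    return {
        "line_failures": line_failures,
        "balanced": balanced,
        "accepted": not line_failures and balanced,
    }


# Constructed sample batches: one that passes every control, and one whose
# second line trips the listing, check-digit, reasonableness and logic tests
# and which therefore also fails to balance.
GOOD_BATCH = [
    JournalLine("1200", 500.00, "D", "79927398713"),
    JournalLine("4000", 500.00, "C", "79927398713"),
]

BAD_BATCH = [
    JournalLine("1200", 500.00, "D", "79927398713"),
    JournalLine("9999", 2_000_000.00, "X", "79927398710"),
]

if __name__ == "__main__":
    print(validate_batch(GOOD_BATCH))
    print(validate_batch(BAD_BATCH))
```

Each control produces a named failure rather than silently dropping the line, which is what makes the control auditable: the report is the evidence that the control operated, which is what a Section 404 assessment asks for.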
20
CobiT Control Objectives
  • Plan and organize
  • Acquire and implement
  • Deliver and Support
  • Monitor and evaluate

21
CobiT Control Objectives
  • Plan and Organize
  • Define a strategic IT plan
  • Define the information architecture
  • Determine technological direction
  • Define the IT organization and relationships
  • Manage the IT investment
  • Communicate management aims and direction
  • Manage human resources
  • Ensure compliance with external requirements
  • Assess risks
  • Manage projects
  • Manage quality

22
CobiT Control Objectives
  • Acquire and implement
  • Identify automated solutions
  • Acquire and maintain application software
  • Acquire and maintain technology infrastructure
  • Develop and maintain procedures
  • Install and accredit systems
  • Manage changes

23
CobiT Control Objectives
  • Deliver and Support
  • Define and manage service level
  • Manage performance and capacity
  • Ensure continuous service
  • Ensure system security
  • Identify and allocate costs
  • Educate and train users
  • Assist and advise customers
  • Manage the configuration
  • Manage problems and incidents
  • Manage data
  • Manage facilities
  • Manage operations

24
CobiT Control Objectives
  • Monitor and Evaluate
  • Monitor the process
  • Assess internal control adequacy
  • Obtain independent assurance
  • Provide for independent audit

25
Relationships between SARBOX and IT Governance
  • SARBOX aims to enhance corporate/IT governance
    through measures that will strengthen
  • Internal checks and balances
  • Corporate accountability
  • Establish and maintain an adequate internal
    control structure
  • Assess its effectiveness on an annual basis

26
Relationships between SARBOX and IT Governance
  • Building a strong internal control program within
    IT can help enhance overall IT governance
  • CEOs should provide organizational structures to
    support the implementation of IT strategy
  • CIOs must be business oriented and provide a
    bridge between IT and the business
  • All executives should become involved in IT
    steering or similar committees

27
Relationships between SARBOX and COSO
  • COSO is the recommended internal control
    framework to be used for evaluating the
    effectiveness of the company's internal control
    over financial reporting
  • COSO addresses the topic of IT general controls,
    but does not dictate requirements for such
    control objectives and related control activities
  • PCAOB highlights the importance of IT general
    controls but does not specify which in particular
    must be included

28
Relationships between SARBOX and COSO
  • General controls ensure financial information
    from a company's application systems can be
    relied upon
  • Application controls are embedded within software
    programs to prevent or detect unauthorized
    transactions
  • When combined with general controls, application
    controls ensure the completeness, accuracy,
    authorization and validity of processed
    transactions

29
Relationships between COSO and CobiT
  • Decisions on specific IT control objectives remain
    the responsibility of an organization's
    management and independent auditors
  • Companies should assess the nature and extent of
    IT on a case-by-case basis

30
Relationships between COSO and CobiT
  • IT management requires more examples to
  • help identify, document and evaluate IT controls
  • provide guidance on specific control objectives
    for consideration for compliance with COSO and
    ultimately SARBOX
  • A company can use CobiT (Control Objectives for
    Information and Related Technologies), the
    framework established by the IT Governance
    Institute (ITGI), to design a system of IT
    controls to comply with Section 404

31
Relationships between SARBOX and CobiT
  • CobiT
  • Is a comprehensive approach for managing risk and
    control of IT
  • Has been used by IT and control professionals as
    the initial IT controls baseline to develop a
    control objective template
  • Provides both company and activity objectives
    along with associated controls
  • Is an open framework and an IT governance model

32
Relationships between COSO and CobiT
  • COSO identifies 5 components of internal control
    that need to be in place and integrated to
    achieve financial reporting and disclosure
    objectives
  • CobiT provides 4 categories of control objectives

33
Relationships between COSO and CobiT
CobiT Objectives
  • Plan and Organize
  • Acquire and Implement
  • Deliver and Support
  • Monitor and Evaluate

(Diagram labels: Section 302, Section 404)
COSO Components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring

34
Cobit Relationship to COSO
COSO Components
  • 1 - Control Environment
  • 2 - Risk Assessment
  • 3 - Control Activities
  • 4 - Information and Communication
  • 5 - Monitoring
Source: ITGI IT Control Objectives for Sarbanes-Oxley Discussion Document
35
Cobit Relationship to COSO
36
Cobit Relationship to COSO
37
Cobit Relationship to COSO
38
Relationships between COSO and CobiT
  • Key Points
  • Ensure compliance with external requirements
  • Manage change
  • System logics and business rules from end-to-end
  • Manage data
  • Data lineage from end-to-end

39
Frequently Asked Questions by CFOs and CEOs
  • How do we assure that business rules and
    calculations for financial reporting are correct?
  • How do we assure that change management relating
    to financial reporting is appropriately
    implemented in all applications/systems?
  • How do we assure that documentation in compliance
    with Section 404 is correct?
  • How do we assure that the data flow for financial
    reporting is correct?
  • How do we ensure the environment is adequately
    controlled going forward?

40
Summary
  • SARBOX provides the impetus to develop an IT
    financial reporting control framework that links
    COSO financial reporting objectives to existing
    IT management and control framework
  • SARBOX provides the foundation for new
    Corporate/IT Governance
  • SEC final rule made specific reference to the
    recommendation of COSO
  • PCAOB directions are based on COSO
  • CobiT provides both company and activity
    objectives along with associated controls; a
    company can use the CobiT framework to design a
    system of IT controls to comply with Section 404

41
Summary
  • CIOs must now take on the challenges of
  • Enhancing their knowledge of Internal Control
  • Understanding their company's overall SARBOX
    compliance plan
  • Developing a compliance plan to specifically
    address IT controls
  • Integrating this plan into overall SARBOX
    compliance
  • IT professionals, especially those in executive
    positions, need to be well versed in internal
    control theory and practice to meet the
    requirements of the Act

42
  • Questions?