CHRIS KYRIAKAKIS, PARTNER - PowerPoint PPT Presentation
1
OPTIMIZING IT COMPLIANCE IN THE WAKE OF THE EVOLVING SOX/COSO GUIDANCE
CHRIS KYRIAKAKIS, PARTNER, FRAZIER DEETER, LLC, ATLANTA, GEORGIA
ISACA GEEK WEEK, SEPTEMBER 2008
2
Introduction
  • The SEC, PCAOB, and COSO have evolved guidance
    intended to make Section 404 audits and
    management evaluations more efficient, risk-based
    and scalable to company size and complexity.
  • This session will address:
      • Latest guidance
      • Effect on existing IT compliance/SAS70 programs
      • Steps for smaller companies to optimize their
        compliance programs

3
IT Timeline
Information Technology Timeline

Eras
  • 1960-1970: Punch card data entry
  • 1971-1980: Magnetic storage, mainframes
  • 1981-1990: Midrange computers, rise of EDI
  • 1991-2000: Client server, advent of e-commerce
  • 2001 and beyond: Ubiquitous technology, heavy
    regulations

Events
  • 1959 COBOL invented
  • 1967 ISACA founded
  • 1972 IBM Mainframe achieves 1 MIPS
  • Late 70s EDI becomes commonplace in business
  • 1985 Novell Netware
  • 1990 Windows was launched
  • 1992 SAP/R3 launched
  • 1993 Audit at a workstation concept
  • 1995 Netscape goes public
  • 1996 Y2K bug hits the press
  • 12/31/1999 Y2K is a nonevent
  • 2001 Enron bankruptcy
  • 2002 Sarbanes Oxley passed
4
IT Before SOX
Information Technology Auditing and Compliance (Pre-SOX)
  • Fast moving and dynamic
  • Focused on deep technical risks in the evolving
    dotcom arena
  • Y2K placed heavy focus on IT risk in financial
    and operational systems
  • Pervasiveness of IT was just beginning
  • Perceived as confusing

5
IT Before SOX
Information Technology Auditing and Compliance (Pre-SOX)
  • The 21st century brought renewed emphasis on the
    importance of IT controls as they relate to
    financials when corporate scandals dominated the
    headlines
  • Importance of the interaction of information
    technology with financial processes
  • Still perceived as confusing.
  • Video link: Multiply, Divide, and Confuse

6
SOX Control Frameworks
(Figure: SOX control frameworks. Source: CIO Guide to SOX,
Reymann Group Inc., Jan 2005)
7
New Guidance
Changing SOX: Redefinition, Refinement, and Reform
  • What exactly is changing?
      • Revised standard for auditors
      • New and more detailed guidance
      • Supplementary framework for assessing risk
  • What IT controls should be in scope with SOX?
  • What does the future hold?
      • Small cap companies
      • Changing regulatory environment

8
New Guidance
GAIT - Guide to the Assessment of IT General Controls
  • Scope based on risk
  • Top-down, risk-assessment methodology
  • Designed to help management assess the effect of IT
    control failures on financial applications
  • Identifies IT process risks and the objectives that
    mitigate them
  • Not a control (COSO) or a governance (CobiT)
    framework but a methodology

9
Optimizing the Compliance Program
Steps for smaller companies to implement a more
optimized compliance program
  • Begin with an IT risk assessment
      • Identify the high, medium and low risk systems
        and applications
  • Utilize an accepted methodology and framework to
    identify the key controls
  • Result: far fewer key controls and a much more
    manageable audit

10
Evolving Past SOX
Emerging Areas for IT Audit to Focus on
  • Data Mining and Analysis
  • Continuous Risk Assessment
  • Continuous Control Assessment
  • Green IT
  • Unified Communications
  • Metadata Management
  • Mash-up and Composite Applications
  • Social Software
  • Industry specific standards (e.g. BITS)

11
Resources
  • Control Objectives for Information Technology
    (CobiT): www.isaca.org/cobit
  • Information Technology Control Guidelines (ITGC):
    www.cica.ca
  • Generally Accepted IT Principles (GAIT):
    www.theiia.org/guidance/technology/gait/
  • IT Infrastructure Library (ITIL):
    www.itlibrary.org/
  • ISO/IEC 17799: www.iso-17799.com

12
  • Chris Kyriakakis, Partner
    Phone: 404.253.7500
    Email: chris.kyriakakis_at_frazierdeeter.com
  • Chris Kyriakakis joined Frazier Deeter in 2007
    and heads up the Information Technology Assurance
    and Governance Services Group. He provides his
    clients with assurance services such as SAS70s
    and Agreed Upon Procedures, as well as
    consultative services such as IT risk
    assessments, IT audit co-sourcing, and IT
    governance assessments. He brings more than 11
    years of public accounting experience to the
    assurance department with a focus on IT
    governance, risk, and controls.
  • Chris joined Frazier and Deeter from Deloitte
    Touche LLP where he had extensive experience
    preparing and assessing his clients for Sarbanes
    Oxley compliance, assessing and implementing
    Enterprise Risk Management (ERM) capabilities,
    and performing SAS70 audits. While at Deloitte
    and Touche he specialized in implementing COSO
    and CobiT amongst large and medium sized
    accelerated filers primarily in the Technology,
    Manufacturing, and Consumer Business industries.
    Chris is also a former PCAOB IS Inspector where
    he assisted in developing and writing the
    inspection guidance for Internal Controls over
    Financial Reporting (ICFR).