SarbanesOxley Compliance: Get IT Wrong and Go to Jail - PowerPoint PPT Presentation

1 / 26
About This Presentation
Title:

SarbanesOxley Compliance: Get IT Wrong and Go to Jail

Description:

Free Your Enterprise From the Sarbanes-Oxley Hype Cycle. Peak of Inflated Expectations ... Hype. Sect. 404 Compliance. Hawthorne Effect fades. ... – PowerPoint PPT presentation

Number of Views:37
Avg rating:3.0/5.0
Slides: 27
Provided by: caldwel
Category:

less

Transcript and Presenter's Notes

Title: SarbanesOxley Compliance: Get IT Wrong and Go to Jail


1
Sarbanes-Oxley ComplianceGet IT Wrong and Go
to Jail
  • French Caldwell

2
About Gartner, Inc.
  • Gartner, Inc. is the leading provider of research
    and analysis on the global IT industry. We help
    support enterprises as they drive innovation and
    growth through the use of technology. We help
    clients make informed technology and business
    decisions by providing in-depth analysis and
    actionable advice on virtually all aspects of
    technology.
  • Gartner Intelligence offers advice for IT
    professionals, technology companies and
    technology investors in the form of research
    reports, briefings or events.
  • Gartner Executive Programs offers peer networking
    services and membership programs designed
    specifically for CIOs and other senior
    executives.
  • Gartner Consulting offers customized engagements
    that allow CIOs and other business executives to
    apply our knowledge to their specific situation,
    with an emphasis on outsourcing and IT
    management.

3
Free Your Enterprise From the Sarbanes-Oxley Hype
Cycle
Vendor activity peaks
Hype
Sect. 404 Compliance
Sect. 409 Compliance
Hawthorne Effect fades. Compliance burden exceeds
operational and technology support for compliance
Hawthorne Effect kicks in
Sect. 302 Compliance
Reaching Plateau depends on effective investment
in compliance
Sarbanes-Oxley Act
Enron
Depth of Trough depends on rate of investment in
easing compliance burden
Peak of Inflated Expectations
Trough of Disillusionment
Slope of Enlightenment
Plateau of Productivity
Innovation Trigger
Maturity
4
Client Issues
  • 1. What are the priorities for Sarbanes-Oxley
    compliance, and how do they translate into
    technology?
  • 2. What is the role of IT in Sarbanes-Oxley
    compliance?
  • 3. Which vendors, systems integrators and
    consultants can help enterprises meet
    Sarbanes-Oxley requirements?
  • 4. What will happen next in the compliance and
    regulatory landscape, and how can IT meet those
    challenges?

5
Sarbanes-Oxley Act
  • Overview of the Sarbanes-Oxley Act
  • Holds the CEO and CFO personally responsible for
    restatements due to misconduct
  • Imposes new obligations and responsibilities on
    audit committees
  • Requires process control and documentation
  • Strengthens penalties for corporate fraud
  • Requires rules to address securities analyst
    conflict of interest
  • Technology Response
  • The CIO and CTO will drive risk assessments of
    enterprise applications
  • Systems to monitor compliance with codes of
    conduct will be installed
  • Business process modeling, analysis and
    management software installed
  • Will secure the confidentiality of systems and
    data leading to report generation
  • Records management policies and applications get
    increased focus

6
Section 302 C-Level Responsibility
Trouble Ahead Sure enough to sign and personally
attest to the accuracy of the annual report?
It will never be simple!
Yes or No?
Trouble Behind Executives must be sure of
processes, controls and information sources
7
Strategic Planning Assumption
  • Audit firms will capture 50 to 75 of corporate
    spending on Sarbanes-Oxley through July 2004
    (0.8 probability).
  • Action Item Decrease reliance on audit firms
    over time and build internal expertise of process
    controls, accounting and regulatory frameworks.

8
404 Process Documentation and Internal Controls
In the Boardroom
We achieved our financial objectives!
Where did THATnumber come from?
In the Engine room
?
?
?
?
?
?
?
?
9
Section 409 Real-Time Disclosure
SEC. 409. REAL TIME ISSUER DISCLOSURES. ...(l)
REAL TIME ISSUER DISCLOSURES.Each issuer
reporting under section 13(a) or 15(d) shall
disclose to the public on a rapid and current
basis such additional information concerning
material changes in the financial condition or
operations of the issuer, in plain English, which
may include trend and qualitative information and
graphic presentations, as the Commission
determines, by rule, is necessary or useful for
the protection of investors and in the public
interest.
10
Who Is Responsible for What?
What Sign accounts, ensure accuracy and
disclose anomalies Who BOD, CEO, CFO
Section 302 Ultimate responsibility
Section 204 Penultimateresponsibility
What Understand controls, test and attestWho
External auditors and audit committee
What Demonstrate compliance with
accounting standards, identify gaps and
remediateWho Auditors, CIO, chief counsel and
CGO/CCO
Section 103 Standards
What Process control, automation and
documentationWho Controller, internal auditors,
IT managers, process specialists and IT systems
Section 404Report oninternal controls
Section 409Rapid disclosure
What Operations, financial reporting and
complianceWho Records managers, accountants,
controllers, security and IT
11
Estimated Costs to Comply Millions
Fortune 1000 firms should allocate at least 2
million for SOX compliance through 2005 (0.8
probability).
12
Categories Most Likely to See SOX-Specific
Spending in 2004
Two most likely categories, 178 respondents,
normalized to 100
13
Good, Bad and Unsupportable
  • Standaloneprocess control documentation
  • Excelspreadsheet-based
  • Software toservices ratio 5050 or less (6040,
    etc.)
  • Free softwareif youbuy services!
  • Sarbanes-Oxley solution!
  • It finds whatyou need inexisting corpusof
    documents
  • Compatible with IT infrastructure
  • Connected to ERP and GL
  • Supports process definition
  • Document storage included
  • Integrated withe-mail

14
A Vendor Feeding Frenzy Think Y2K
E-Learning
Security
We have a Sarbanes-Oxley solution!
E-Mail Archiving
Audit Firms
BPM/Business Rule Engine
Enterprise Resource Planning/Financials/HR
Risk Assessment and Mangement
Document and Records Management
Legal Discovery
Sarbanes-Oxley Specialists
Business Intelligence
15
Strategic Planning Assumption
  • Companies that purchase Sarbanes-Oxley targeted
    solutions during 2004 will retire or replace
    those systems by YE05 (0.8 probability).
  • Action Item Limit the amount of data committed
    and training time devoted to Sarbanes-Oxley-specif
    ic solutions that should be regarded as stopgap
    solutions only. Assess what you have before
    purchasing additional software, and maximize
    flexibility when buying.

16
Comparative Control Methodologies
Comparison of Internal Control Concepts
COBIT
COSO
Primary Audience
management, users, information system auditors
management
IC viewed as a
set of processes including policies, procedures,
practices organizational structures
process
effective efficient operations
confidentiality, integrity availability of
information reliable financial reporting
compliance with laws regulations
effective and efficient operations reliable
financial reporting compliance with laws
regulations
IC Objectives
domains planning organization acquisition
implementation delivery support monitoring
components control environment risk-management
control activities information communication
monitoring
Components or Domains
Focus
overall entity
IT
17
Toward a Compliance Architecture
Analyze, Automate, Audit Business process
modeling, workflow and planning tools
Store Content
Manage Data
Performance Management
Response and Access
Operational store, data warehouse, metadata and
virtual
Statistical, ad hoc query, online analytical
processing, business intelligence and BAM
Web-based publishing and collaboration tools
IDM, RM and e-mail archiving
Report and Advise Reporting tools, alerts,
scorecards and dashboards
18
Strategic Planning Assumption
  • Enterprises that choose one-off solutions to each
    regulatory challenge that they face will spend 10
    times more on compliance projects than their
    counterparts that take a proactive approach (0.9
    probability).
  • Action Item Conduct all ongoing process design
    and documentation efforts according to the
    architectural principles dictated by a CPM
    strategy and supporting IT architecture.

19
Corporate Governance and Compliance Management
Milestones
When will it all come together?
1965 1985 1990 1998 2000
2002 2004 2006 2008 2010
Acronym Key CFR Code of Federal
Regulations FERC Federal Energy Regulatory
Commission IAS/IFRS International Accounting
Standards/International Financial Reporting
Standards PURPA Public Utility Regulatory
Policy Act
20
The Global Compliance Hype Cycle
Compliance requirements evolve at different rates
Key Time to Plateau
Visibility
Less than two years Two to five years Five to 10
years More than 10 years Obsolete before Plateau
As of January 2004
Trough ofDisillusionment
Slope ofEnlightenment
Plateau ofProductivity
Innovation Trigger
Peak of Inflated Expectations
Maturity
CAD3 The European Commissions Capital Adequacy
Directive CFR Code of Federal Regulations FAS
Financial Accounting Standards HIPAA Health
Insurance Portability and Accountability Act IAIS
International Association of Insurance
Supervisors
IASB International Accounting Standards
Board IAS/IFRS International Accounting
Standards/International Financial Reporting
Standards RIPA Regulation of Investigatory
Powers Act
21
Strategic Planning Assumption
  • The complexity, pace and impact of legislation
    will continually challenge businesses
    capabilities. 70 of Fortune 500 companies will
    adopt comprehensive governance or compliance
    frameworks by 2006 (0.8 probability).
  • Action Item To mitigate the regulatory burden,
    enterprises must use core technology and process
    competencies to fuse compliance and corporate
    governance management into operational processes.

22
Facing an Evolving Compliance Framework
Risk Classification
Policy and Process Evolution
  • Consumers
  • Employees
  • Trading partners/ subsidiaries
  • Shareholders
  • Regulators/ enforcers
  • Privacy
  • Financial reporting
  • CRM/PRM/HCM
  • Import/export
  • Marketing/sales
  • Workforcemanagement
  • Operations
  • Sourcing
  • Applicationdevelopment

1
4
  • CFO/CCO/ internal audit
  • Legal counsel
  • Government affairs

2
3
Risk Monitoring
Policy and Process Evaluation
23
Compliance Challenges and Best Practices
Six Challenges
Eight Best Practices
  • Multiple rule sources FDA, SEC, European Union,
    4,000-plus federal regulations
  • Long duration Life Life-Plus-Seven
  • Monitoring responsibilities Son of
    Sarbanes-Oxley, Part 11.1
  • Multiphase requirements Testing is ongoing
  • Noncompliance costs Jail time, fines and brand
    devaluation
  • Skills shortages Have you tried to hire a risk
    or compliance officer lately?
  • Establish a compliance office or officer
  • Involve all stakeholders, including regulators
  • Go enterprisewide
  • Use a content management approach
  • Use workflow to manage events and tasks
  • File electronically, if possible
  • Define clear communication channels and protocols
  • Leverage industry best practices

24
Sarbanes-Oxley Why?
Sarbanes
Oxley
Technology
Business
Public Policy
The U.S. Public Company Accounting Reform and
Investor Protection Act
25
Recommendations
  • Get involved. IT should have a seat on the
    compliance committee.
  • Establish a regulatory weather bureau.
    Globalization accelerates the pace of
    rule-making.
  • Envision a flexible strategic compliance
    architecture, even if you cannot implement it
    immediately.
  • Sarbanes-Oxley solutions do not exist and may
    be dead ends requiring rework.
  • Even point solutions can be flexible Records and
    document management, business process management,
    business rule engines and business intelligence
    systems are all candidates for inclusion in the
    overall architecture.
  • The ultimate goal is corporate performance
    management.
  • Think of Sarbanes-Oxley as a blessing in disguise.

26
The Gartner Compliance Advisory Service
  • Provides exclusive Sarbanes-Oxley initiative
    support, including comprehensive how-to
    methodologies and frameworks, project management
    tools, example case studies and targeted
    discussions with subject matter experts to
    support specific compliance initiatives
  • Exclusive research agenda targets meeting the
    unique needs of the audit or compliance committee
    inside publicly traded companies
  • Enables you to align your IT, finance and
    business units and strategize, plan, implement,
    manage and measure SOX initiatives successfully
Write a Comment
User Comments (0)
About PowerShow.com