The process is the PM's best friend - PowerPoint PPT Presentation

Slides: 19
Provided by: mikegrau

Transcript and Presenter's Notes



1
The process is the PM's best friend
  • Approaching a project in a SOX world
  • Understanding your process
  • Impacts of SOX risks and controls

2
Introduction
  • SOX audits strike fear in the hearts of the
    bravest PMs. This presentation focuses on:
  • How to approach a project
  • How to avoid the SOX surprises at the end
  • We will understand how your process feeds the SOX
    audits and how to identify the real requirements.

3
Agenda
  • 1. The mission of SOX
  • 2. Knowing your process benefits.
  • 3. Key Initiation points 
  • 4. Key Planning points
  • 5. Key Execution Points
  • 6. Key Closing Points.
  • 7. Key deliverables

4
The mission of SOX - Financial reporting
  • SOX was passed to ensure that financial
    statements are accurate for investors.
  • In order for the financial statement to be
    accurate:
  • Risks must be managed by the use of controls
  • For projects, SOX requires companies to:
  • Have a process for change
  • Ensure the process is effective

5
SOX Audit Objective
  • The SOX audit objective is to demonstrate that the
    controls are effective in reducing risks, and that
    there is no material risk to the financial statement.
  • Key point: was the process an effective
    control of the risk?
  • Ultimately, it is about the control of risks, not
    the process.

6
Under SOX Section 404
  • Each annual report of the company is required
    to contain:
  • a statement of management's responsibility for
    establishing and maintaining an adequate internal
    control structure and procedures for financial
    reporting
  • a statement identifying the framework used by
    management to evaluate the effectiveness of this
    internal control
  • an assessment by management of the effectiveness
    of the company's internal control structure and
    procedures for financial reporting.
  • Section 404 also requires the company's auditor
    to attest to, and report on, management's
    assessment of the effectiveness of the company's
    internal controls and procedures for financial
    reporting.

7
How to get around the SOX requirement
  • Quit!
  • Retire!
  • Die!

8
Roadmap For Control Development
[Diagram; layout lost in extraction. Elements: Risks, Corporate Audit Committee, Controls, Processes, Project, Evidence. Connector labels: Addresses, Defines, Maps, Demonstrates, Require, Provides.]
Note: The organization defines the process, not the law!

9
Examples of Controls (Logical Access)
  • Only Authorized Users have Privileged Access
  • All Inactive Accounts are disabled after 60 days
    and deleted after 90
  • All Users Have Expiring Passwords
  • http://redmondmag.com/features/article.asp?editorialsid550
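
The three logical-access controls on this slide, written as an automated check whose output can serve as audit evidence. This is an added example, not part of the original presentation; the account fields, the approved-privilege list and the sample records are constructed assumptions.

```python
from datetime import date

DISABLE_AFTER_DAYS = 60  # threshold stated on the slide
DELETE_AFTER_DAYS = 90   # threshold stated on the slide

# Constructed sample data (hypothetical accounts, not from the presentation).
AS_OF = date(2006, 8, 16)
AUTHORIZED_PRIVILEGED = {"dba_ops"}  # hypothetical approved list
ACCOUNTS = [
    {"user": "dba_ops", "privileged": True, "enabled": True,
     "last_login": date(2006, 8, 10), "password_expires": True},
    {"user": "jsmith", "privileged": True, "enabled": True,
     "last_login": date(2006, 8, 1), "password_expires": True},
    {"user": "temp_contractor", "privileged": False, "enabled": True,
     "last_login": date(2006, 6, 1), "password_expires": True},
    {"user": "old_intern", "privileged": False, "enabled": False,
     "last_login": date(2006, 4, 1), "password_expires": True},
    {"user": "svc_batch", "privileged": False, "enabled": True,
     "last_login": date(2006, 8, 15), "password_expires": False},
]

def audit_accounts(accounts, authorized, as_of):
    """Return (user, control, detail) findings for the three slide controls."""
    findings = []
    for a in accounts:
        idle = (as_of - a["last_login"]).days
        # Control 1: only authorized users have privileged access.
        if a["privileged"] and a["user"] not in authorized:
            findings.append((a["user"], "privileged-access",
                             "privileged but not on approved list"))
        # Control 2: disabled after 60 idle days, deleted after 90.
        if idle > DELETE_AFTER_DAYS:
            findings.append((a["user"], "inactive-delete",
                             f"idle {idle} days, account still exists"))
        elif idle > DISABLE_AFTER_DAYS and a["enabled"]:
            findings.append((a["user"], "inactive-disable",
                             f"idle {idle} days, still enabled"))
        # Control 3: all users have expiring passwords.
        if not a["password_expires"]:
            findings.append((a["user"], "password-expiry",
                             "password set to never expire"))
    return findings

if __name__ == "__main__":
    for user, control, detail in audit_accounts(ACCOUNTS, AUTHORIZED_PRIVILEGED, AS_OF):
        print(f"{AS_OF.isoformat()} {control:18} {user:16} {detail}")
```

An empty result for a given run date is itself evidence that the controls were operating; archiving each run's output gives the auditor a dated record.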

10
Knowing your process benefits.
  • Know the end goals before you start a project
  • Take your internal auditor to lunch to find out
    the common problems
  • Review a project that has been audited
  • Review and understand your processes
  • Understand key process artifacts as they relate
    to SOX.
  • SOX is an open-book test: make sure you have the
    book!

11
Key Initiation points 
  • Who is the Sponsor?
  • What is the Scope?
  • Who are the authorized approvers?
  • What is the process and process choices?
  • What are the audit deliverables?
  • What systems are impacted?

12
Key Planning points
  • Do the production systems change?
  • If there are no changes in production, the
    project is not material for SOX GCC.
  • How is it going to be tested?
  • Deliverables?

13
Key Execution Points
  • Follow the plan
  • Change control!!! Get the business involved!
  • Document deviations and deviation approvals
  • Management Oversight (Business)

14
Key Closing Points.
  • Self audit
  • Project Archives
  • Final acceptance of the project/product
  • Formal Review?
  • Have lunch with the internal auditor: has
    anything changed? Last chance for fixing.

15
Key Project deliverables
  • Formal request with approval
  • Management oversight (approvals)
  • Segregation of duties
  • Evidence
  • Documentation
  • Inspections (auditor's verification)
  • Certifications

16
Tip for Fixing projects (use with caution)
  • Certifications
  • Missing an approval or evidence?
  • Use a certification in its place
  • "I certify that I had reviewed and approved the
    business requirements during the project."
  • Certifications are after the fact: not good,
    but less bad
  • Business Approval of Process Deviations
  • If the business approved the process
    modification, the risk is approved by the
    business.

17
Summary
  • Know and follow the process
  • Be active in changing the process if possible.
    Remember: the process is not there to make your
    job easier, it is there to do the job right!
  • Be proactive
  • Planning is the key; addressing SOX issues at the
    end of the process is too late

18
Let's Keep In Touch!
  • Yahoo Group for networking
  • http://groups.yahoo.com/group/socal_networking/
  • Blog (under construction)
  • http://360.yahoo.com/mike_graupner_pm
  • Email
  • Work: mike.graupner_at_rxsol.com
  • Home: mike.graupner_at_marlai.com
  • Networking
  • Third Wednesday of the month (8/16/06)
  • Karl Strauss Brewing Company, CM901A South Coast
    Drive, Costa Mesa, CA