A Sarbanes-Oxley Roadmap to Business Continuity - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
  • A Sarbanes-Oxley Roadmap to Business Continuity
  • NEDRIX Conference
  • June 23, 2004
  • Dr. Eric Schmidt
  • eschmidt_at_controlsolutions.com

2
Background
  • In July of 2002, U.S. Congress passed the
    Sarbanes-Oxley Act (SOX) mandating that all
    public companies (SEC registrants) make changes
    to the way their financial results are reported.
  • Legislation was a response to the high profile
    failures experienced in the United States during
    2001-02 and intended to be a massive
    restructuring to the regulatory system governing
    US capital markets that would improve the
    quality of financial reporting and disclosures.
  • Public Company Accounting Oversight Board (PCAOB)
    was created to oversee the activities of the
    auditing profession.

3
The Sarbanes-Oxley Act contains two Sections
(302, 404) dealing with management responsibility
for controls and one Section (409) on real-time
reporting
4
Three Sources of SOX Guidelines
  • Frameworks (COSO, CobiT)
  • Best Practices
  • Future Standards
5
Departments Impacted by SOX (% of respondents)
  • Finance 100%
  • IT 95.7%
  • Sales 43.5%
  • Human Resources 39.1%
  • Customer Service 30.4%
  • Marketing 17.4%
  • Other 8.7%
Source: The Robert Francis Group
6
SOX-Driven Changes
Which of the following is the company changing to address SOX? (% of respondents)
  • Audit Procedures 78.3%
  • Reporting Procedures 52.2%
  • Financial Systems 43.5%
  • Re-training of Personnel 26.1%
  • Organizational Structure 21.7%
  • Reporting Frequency 21.7%
  • Reporting Technologies 17.4%
Source: Robert Francis Group
7
Complexity of SOX for IT
How does SOX compare with other compliance or regulatory projects in IT in terms of complexity and impact on resources and expense? (% of respondents)
  • Higher 30.4%
  • Not sure/Do Not Know 26.1%
  • Same 17.4%
  • Much Higher 17.4%
  • Lower 4.3%
  • Slightly Higher 4.3%
Source: Robert Francis Group
48% rated the SOX impact as higher
8
Does SOX Mandate an Enterprise-wide Business
Continuity Process?
  • NO
  • A BCP is not required by PCAOB (March 2004)
  • SAS70 (type 2)
  • 3rd party service providers
  • AICPA suspended BCP requirement during SOX
  • Growing number of executives influenced by
    external auditors with knowledge of business
    continuity and potential risks
  • Conclude they must have business continuity
    processes or show why they do not

9
Defining Internal Control (IC)
  • Section 404 attestation is based on two
    assessments
  • Adequate documentation of ICs
  • Sufficient evidence (testing)
  • A company must have a framework against which
    management can make assertions
  • Completeness
  • Accuracy
  • Validation (authorization)
  • Restriction

10
What's Required for Key Controls
  • Five Ws
  • WHO performs the control?
  • WHAT is being done and WHAT could go wrong?
  • WHEN and WHERE is control being performed or
    occurring?
  • WHY is the control activity performed (to prevent
    or detect what)?
  • What evidence is there?

11
Why are General Controls Important?
Weak General Computer Controls
Strong General Computer Controls
Automated control procedures, and manual control
procedures that use computer-generated
information, are dependent on effectiveness of
general computer controls.
12
COSO Framework
Five Components
  • Monitoring: the process to determine whether
    internal control is adequately designed, executed,
    effective and adaptive
  • Information and Communication: the process which
    ensures that relevant information is identified
    and communicated in a timely manner
  • Control Activities: the policies and procedures
    that help ensure that actions identified to manage
    risk are executed and timely
  • Risk Assessment: the evaluation of internal and
    external factors that impact an organization's
    performance
  • Control Environment: the control conscience of an
    organization; the tone at the top
All five components must be in place for a
control to be effective
13
Tying It All Together
Control Environment
Application Controls
IT General Controls
Source IT Governance Institute
14
IT Control Components
IT Considerations in Control Environment
  • Systems planning
  • Governance
  • Enterprise policies
  • Operating style
  • Collaboration
  • Information Sharing
  • Code of Conduct
  • Fraud Prevention

IT General Controls
  • Systems Security / Access
  • Change Management
  • System Development
  • Computer Operations

Application Controls
  • Authorization
  • Configuration / account mapping
  • Exception / edit reports
  • Interface / conversion
  • System access

15
Roadmap to Compliance Engagement Walk-Thru
  • Tone at the Top
  • Assertions (C, A, V, R)
  • Definition of Materiality/Significance
  • Significant Accounts and Processes
  • Scope locations, cycles
  • Control framework
  • Remediation
  • Testing
  • Management certification

16
Roadmap to Compliance Phase I Tone at the Top
  • Identify all relevant documents, policies,
    procedures and communications
  • Audit Committee Charter
  • Standards of Conduct
  • Officer Code of Ethics
  • Complaint Reporting Mechanisms
  • Whistleblower Policies
  • Assess adequacy of documentation and tone
  • Internal audit monitoring and risk assessment

17
Roadmap to Compliance Phase II Entity Level
Assessment
  • ID material reporting organizations
  • ID material units within each organization
  • Materiality based on
  • Revenue / Assets
  • Subjectivity of entries / reporting
  • Extraordinary / one-time charges
  • History of issues

18
Roadmap to Compliance Phase III Process Mapping
  • Cycle reviews begin with the cycles selected
    being based on the legal entity assessment in
    Phase II.
  • Documentation of each cycle
  • Narrative of key controls
  • Process Map (Flow chart)
  • Control Matrix including all control objectives
    (Excel or software tool)
  • Documents aim to provide external audit firms
    with a complete understanding of the flow of
    transactions and controls in place.

19
Roadmap to Compliance Phase IV Overall Internal
Control Effectiveness
  • Evaluation of the overall effectiveness of
    internal controls, identification of matters for
    improvement and the establishment of monitoring
    systems.
  • Management assessment of effectiveness of
    controls.
  • Internal Audit provides a report detailing areas
    for improvement and recommendations for ensuring
    an environment of continuous monitoring to
    maintain the system of internal control and take
    corrective action in a timely manner when
    necessary.
  • External Audit Firm will commence its Attestation
    Dry Run

20
SOX Compliance Roadmap
Source www.erm.coso.org
21
Alignment with Business Continuity
  • Management involvement
  • Risk Management
  • Process and Change Management
  • IT role

22
Key Aspects of SOX Audit
  • Segregation of Duties is Key
  • IT roles separate from process owners,
    specifically those in Finance
  • Hand off from process owners requires control
    duality
  • Program / Application specific
  • IT / Process owner
  • Manual / Automated
  • Preventative / Detective
  • Change Management is Critical
  • Records and document management
  • Configuration management
  • Business process and controls changes
  • Access Restriction (Security) is Mandated

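The segregation-of-duties and access-restriction points above translate directly into a check that can be run against role assignments. The following is an added example written for this transcript, not code from the presentation or its author: it encodes a small conflict matrix (IT duties versus Finance process-owner duties, and developer versus production migration), flags any user whose combined roles hold both sides of a conflicting pair, and checks that a change hand-off involves distinct people. All role names, duty names and user assignments are constructed for illustration.

```python
"""Segregation-of-duties (SoD) conflict check over constructed role data.

Added example, not from the presentation. It encodes the slide's point
that IT roles must be separate from process owners (Finance) and that
hand-offs need control duality, then flags users whose combined roles
collapse that separation.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import combinations

# Duty pairs that must never sit with one person (hypothetical matrix).
# Each pair is a preventive control: if one user holds both, the
# control duality the slide calls for is lost.
SOD_CONFLICTS: frozenset[frozenset[str]] = frozenset({
    frozenset({"develop_program_change", "migrate_to_production"}),
    frozenset({"approve_change_request", "migrate_to_production"}),
    frozenset({"maintain_vendor_master", "approve_payment"}),
    frozenset({"post_journal_entry", "approve_journal_entry"}),
    frozenset({"administer_finance_app_access", "post_journal_entry"}),
})

# Role -> duties it grants (constructed sample, not a real system's roles).
ROLE_DUTIES: dict[str, set[str]] = {
    "developer": {"develop_program_change"},
    "release_manager": {"migrate_to_production"},
    "change_approver": {"approve_change_request"},
    "ap_clerk": {"maintain_vendor_master"},
    "ap_manager": {"approve_payment"},
    "gl_accountant": {"post_journal_entry"},
    "controller": {"approve_journal_entry"},
    "app_security_admin": {"administer_finance_app_access"},
}

# Constructed user -> roles assignments; bob and carol are deliberate violations.
SAMPLE_ASSIGNMENTS: dict[str, list[str]] = {
    "alice": ["developer"],
    "bob": ["developer", "release_manager"],           # writes and deploys code
    "carol": ["gl_accountant", "app_security_admin"],  # IT admin also posts entries
    "dave": ["ap_manager"],
    "erin": ["change_approver"],
    "frank": ["release_manager"],
}


@dataclass(frozen=True)
class Finding:
    user: str
    duty_a: str
    duty_b: str
    via_roles: tuple[str, ...]


def duties_for(roles: list[str]) -> dict[str, set[str]]:
    """Map each duty a user holds to the roles that grant it."""
    held: dict[str, set[str]] = {}
    for role in roles:
        for duty in ROLE_DUTIES.get(role, set()):
            held.setdefault(duty, set()).add(role)
    return held


def sod_findings(assignments: dict[str, list[str]]) -> list[Finding]:
    """Return one Finding per (user, conflicting duty pair), users in sorted order."""
    findings: list[Finding] = []
    for user, roles in sorted(assignments.items()):
        held = duties_for(roles)
        for a, b in combinations(sorted(held), 2):
            if frozenset({a, b}) in SOD_CONFLICTS:
                findings.append(Finding(user, a, b, tuple(sorted(held[a] | held[b]))))
    return findings


def change_record_ok(record: dict[str, str], assignments: dict[str, list[str]]) -> bool:
    """Hand-off check for one program change (including emergency fixes).

    Developer, approver and migrator must be three different people, and
    the approver/migrator must actually hold the duty they are signing for.
    """
    dev, app, mig = (record[k] for k in ("developer", "approver", "migrator"))
    if len({dev, app, mig}) < 3:
        return False
    return ("approve_change_request" in duties_for(assignments.get(app, []))
            and "migrate_to_production" in duties_for(assignments.get(mig, [])))


if __name__ == "__main__":
    for f in sod_findings(SAMPLE_ASSIGNMENTS):
        print(f"SoD conflict: {f.user} holds {f.duty_a} and {f.duty_b} via {f.via_roles}")
    good = {"developer": "alice", "approver": "erin", "migrator": "frank"}
    bad = {"developer": "bob", "approver": "erin", "migrator": "bob"}
    print("hand-off ok:", change_record_ok(good, SAMPLE_ASSIGNMENTS))
    print("hand-off ok:", change_record_ok(bad, SAMPLE_ASSIGNMENTS))
```

The conflict matrix is the piece an auditor will ask to see documented; the finding records which roles produced the conflict so that remediation can target the role design rather than the individual user. Emergency fixes go through the same `change_record_ok` path, matching the slide's point that emergency access to the live environment is still subject to authorization.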
23
Program Development
  • Project management standards are defined and used
    for all aspects of system development life cycle
    (SDLC)
  • Project initiation
  • Analysis and design
  • Construction or package selection
  • Testing and quality assurance
  • Data conversion
  • Go-live
  • Documentation and training

24
Program Changes
  • Project management standards are defined and used
    for all aspects of the program change cycle
  • Specification, approval and tracking of change
    requests
  • Construction
  • Testing and quality assurance
  • Authorization of transfers to live environment
  • Including emergency fixes and access to live
    environment
  • Documentation and training

25
Situational Assessment
A recent Deloitte survey of Fortune 500 companies
indicates that a significant amount of work
remains
Source Does Your SOX 404 Work Measure Up?, IIA
webcast May 25, 2004
26
What Constitutes a Gap?
Type: Likelihood (and/or) Magnitude
  • Deficiency: Remote and/or Inconsequential
  • Significant Deficiency: More than remote and
    More than inconsequential or quantitatively
    significant
  • Material Weakness: More than remote and
    Material to Financial Statements
Source: Does Your SOX 404 Work Measure Up?, IIA
webcast May 25, 2004
27
A Word on Testing
Plan carefully to avoid mixed results caused by
poorly designed tests
  • Program Testing: IT management and interaction
    with process owners and stakeholders
  • Application Testing: functional and transaction
    based, for systems key to financial statements
    and reporting, plus critical systems
  • Infrastructure Testing: shared services and
    support systems (OS, networks, backup, etc.)
  • Benchmark Testing: slowly changing systems, COTS
28
Remediation Challenges
  • Effective Decision Governance Process
  • Complex Program Management Initiatives
  • Significant IT Environment Changes
  • Impact on Human Resources
  • Complex Re-testing, Roll-Forward Testing
    Activities
  • Overall Need for Best Practices

29
Span of Enterprise Risk Management
Risk types
  • Operational Risk
  • Market Risk
  • Credit Risk
Operational Risk Management (ERM): overall
compliance, integrated solutions
SOX Compliance Requirements (Control Assurance)
  • 302: Quarterly Certification by C-Level Management
  • 404: Control Documentation and Testing
  • 409: Real-time Reporting
Government Regulations
  • HIPAA
  • Patriot
  • Basel II
  • GLBA
  • FFIEC
  • NRC
30
Risk Management Business Continuity
  • Disciplines of business continuity and risk
    management often blurred
  • Use similar tools and techniques, including risk
    assessment, business continuity planning, and
    BIAs
  • Business continuity encompasses all processes
    necessary to restore business functionality
    during a time of crisis
  • Risk management incorporates a wider variety of
    functions, including positive impact, negative
    impact, and business non-stoppage
  • Inherent value of business continuity is clearer
    when we consider that not all risks can be
    managed
  • Unless risk management and business continuity
    are institutionalized into day-to-day activities,
    organizations will find themselves exposed

31
Questions?
Source: John Wehr