Agenda Sarbanes Oxley Act Where to Begin Creating the Risk Library Assessments / Audits Signing...

Post on 13-Jan-2016


Agenda

– Sarbanes Oxley Act
– Where to Begin
– Creating the Risk Library
– Assessments / Audits
– Signing Officer
– Business Process Owners
– Documenting Procedures
– Q & A

Sarbanes-Oxley Act

A Response to the Deterioration in Public Confidence

Sarbanes Oxley Act Highlights

Section 103: Your auditor must (and therefore, you should) maintain all audit-related records, including electronic ones, for seven years. Effective now.

Section 201: Firms that audit your company’s books can no longer provide you with IT-related services. Effective now.

Section 301: You must provide systems or procedures that let whistle-blowers communicate confidentially with the company’s audit committee. No effective date.

Section 302: Your CEO and CFO must sign statements verifying the completeness and accuracy of financial reports. Effective now.

Section 404: CEOs, CFOs and outside auditors must attest to the effectiveness of internal controls for financial reporting. Effective now.

Section 409: Companies must report material changes in their financial conditions “on a rapid and current basis.” The act calls it “real-time disclosure” but doesn’t define what that means. No date set.

Computerworld, April 14, 2003

You must ensure internal controls over your financial reporting.

Sections 302 and 404 of Sarbanes Oxley

The Act states…

You must be able to attest to…

The Processes affecting values in accounts,

which are exposed to Risks,

which are mitigated by Controls,

which are verified by Audit Procedures.

Internal Control Testing

Where to Start

Setting Up Internal Controls

Review and Update Procedures

-Business Process Owners

Identify and Organize Processes

-Internal Audit/Risk Assurance Partner

Identify Risks & Controls for Processes

-Internal Audit/Risk Assurance Partner

Create Risks & Controls Library

-Risk Assurance Partner

Upload Risks & Controls Library

-Risk Assurance Partner

Identify Controls within your system

-Internal Audit/Risk Assurance Partner

Link Risks to Controls

-Internal Audit/Risk Assurance Partner

Link Key Controls to Audit Procedures

-Internal Audit/Risk Assurance Partner

Link Processes to Key Accounts

-Internal Audit/Risk Assurance Partner

Risk & Control Library DEMO

Assessment / Audit DEMO

Signing Officer DEMO

Business Process Owner DEMO


ICM / Tutor

Business Process

Risks

Controls

TUTOR

Do You Want to:

– Comply with Corporate Governance regulations by having documented business policies and procedures?
– Achieve success through user acceptance of business process and technology changes?
– Reduce time spent documenting implementation decisions?
– Easily create and maintain all documentation and training material?
– Reduce training costs (development, travel, time away)?
– Regularly deploy role specific, accurate, up-to-date, procedure manuals?
– Modify Oracle eBusiness Suite online help?
– Provide employees documentation on an as needed basis; improve employee performance?
– Train employees based on their role in the organization?
– Manage change within the organization?
– Leverage documentation and training resources across the organization?

Oracle Tutor - How it works

Tutor Tools

AUTHOR

PUBLISHER

Apps Help

Printed/PDF Student & Instructor Guides

Online Help & Reference Materials

Online and Printed Desk Manuals

Owners Manuals and Reports

Content Repository

Procedure Documents (MS-Word)

Online Help

Courseware (MS-PowerPoint)

Methodology

Tutor Demo

Let’s Take a Closer Look

Customers:

Uses

– US Department of Transportation

– University of Virginia

– US Army Corps of Engineers

– San Francisco State University

Testimony

– Medela

Articles

– Motorola

– ETEC

Oracle Tutor

Mature Product

– 250+ pre-built business processes

– Arthur Andersen Study

10 – 12 man hrs to create a procedure

2 – 4 man hrs to modify an existing procedure

------------

8 man hrs time savings per process

Integration

– Update to Procedure, automatically updates all other procedures that reference it

Not just for Process Documentation

Why Oracle?

Our solution addresses all needs, not just documentation of processes or entering testing results

Uses the business processes that you create or can be modeled from the applications

Leverage your existing information and environment, especially in your GL which directly relates to your financial reporting

Uses a powerful Workflow engine to enforce controls and automate what can be automated (reminders, notifications, etc.)

Tutor offers delivered content for documentation, desk manuals, and training materials


Q & A

Audit Projects

Audit Scope

Audit Tasks

Controls that are being audited

Risks that are being audited

Findings

Certification Status

Certification tied to Financial items

Business Process Owner View


Business Process View-issues