© 2003 IBM Corporation 4-Jun-15 IBM Lotus Workplace for Business Controls and Reporting V2.1...

Nov 3, 2022 © 2003 IBM Corporation IBM Lotus Workplace for Business Controls and Reporting V2.1 Reducing the cost of sustained compliance Larry J. Kucera—WW Offerings Manager IBM Software Group
Date posted: 19-Dec-2015


IBM Lotus Workplace for Business Controls and Reporting V2.1

Reducing the cost of sustained compliance

Larry J. Kucera—WW Offerings Manager IBM Software Group


IBM – Sarbanes-Oxley View

© 2003 IBM Corporation 2 SWG Value – All Sections Apr 18, 2023

Agenda

Compliance Challenges

SOX and Financial Controls, Section 404

“Gaps” to consider for sustained compliance

IBM Framework for Sustained Compliance

Reducing TCO

Why IBM?

Market Reaction

Q&A


Compliance Challenges

Basel II

Sarbanes-Oxley Act

SEC 17a-4 / NASD 3010/3110

HIPAA

DoD 5015.2 / PRO

21CFR11

Patriot Act

Gramm Leach-Bliley Act

ACORD

OSHA

IAS

(anti money laundering)

(Brokers, records for all correspondence)

(Financial confidentiality of non public info)

(Electronic Signature records for Food and Drug)

(Certification of electronic records mgt SW products)

CFO Act


Sarbanes-Oxley Act and Financial Controls

The Sarbanes-Oxley Act was signed into law on July 30, 2002, largely in response to a number of major corporate and accounting scandals. It establishes new or enhanced standards for corporate accountability. All publicly traded companies need to comply with this legislation.

Main Sections:

• Section 302/906 Corporate Responsibility for Financial Reports (now)

• Section 404 Management Assessment of Internal Controls (11/15/04)

• Section 409 Real Time Issuer Disclosures (now)

• Section 802/103 Records Management (now)

“The environment has created significant challenges for US corporations and their management bodies, boards of directors, audit committees, auditors, and the finance organization”


Total Cost of SOX Compliance

Although first year compliance is not complete, the cost of compliance continues to grow

– Survey by Finance Executive Institute (FEI) in July 2004 indicates SOX 404 compliance costs are 62% higher than previously estimated

– FEI estimates first-year compliance costs to be $8 million or more for companies with revenue of $5 billion or greater

Source: FEI Survey July 2004


A look towards tomorrow – “gaps” to consider

Section 404 established the need to ensure that appropriate controls are in place and operating effectively.

What do we need to enable 404 compliance?….becomes…..

What do we need to enable the business and monitor its controls?

Today

• Project driven

• Inconsistent

• Document centric

• Manual controls

• Owned by “support”

Tomorrow

• “The way we do business”

• Integrated into processes

• Data centric

• Dynamic controls

• Owned by the “business”

What happens when?

• People leave

• Processes get improved

• New systems get implemented

• Businesses get sold/acquired

• Processes are outsourced


CoBIT & COSO

COSO is the control framework of choice for Sarbanes-Oxley compliance. All five layers must be considered when evaluating internal control.

COBIT is a widely accepted IT control framework (ITGI). COBIT provides four domains of IT control. COBIT controls address the five layers of COSO.

[Figure: COSO Components (Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring) shown against COBIT Components (Planning & Organization, Acquisition & Implementation, Delivery & Support, Monitoring), with Section 302 and Section 404.]

Information technology controls should consider the overall governance framework to support the quality and integrity of information

Competency in all five layers of COSO’s framework is necessary to achieve an integrated control program

Controls in IT are relevant to both the financial reporting and disclosure requirements of SOX


CoBIT – 4 domains, 34 control objectives (318 detailed control objectives)

Information & IT Systems

Planning & Organization

• Define the IT Plan
• Define the Information Architecture
• Define the Technology Direction
• Define the Organization and Relationships
• Manage the IT Investment
• Communicate Management Aims
• Manage HR
• Ensure Compliance with External Requirements
• Assess Risks
• Manage Projects
• Manage Quality

Acquisition & Implementation

• Identify Solutions
• Acquire (Develop) and Maintain Application Software
• Acquire and Maintain Technology Infrastructure
• Maintain IT Procedures
• Install and Accredit Systems
• Manage Changes

Delivery & Support

• Define Service Levels
• Manage Third Party Services
• Manage Performance and Capacity
• Ensure Continuous Service
• Ensure System Security
• Identify and Attribute Costs
• Educate and Train Users
• Assist and Advise IT Customers
• Manage the Configuration
• Manage Problems and Incidents
• Manage Facilities
• Manage Data
• Manage Operations

Monitoring

• Monitor the Process
• Assess Internal Control Adequacy
• Obtain Independent Assurance
• Provide for Independent Audit

* Items in red show overlap of CoBIT with SOX 404


IBM Approach to Addressing Sarbanes-Oxley 404

Scope:

• Define organization
• Assign owners
• Use existing corporate structure

Document:

• Document processes and sub-processes for each business unit
• For each process, define objectives and risks that jeopardize that objective
• Document the appropriate business controls to mitigate the risks

Evaluate & Report:

• Test the defined controls
• Determine effectiveness
• Mitigate ineffective controls

Improve / Transform Business Processes:

• Model areas that need improvement
• Enhance application integration
• Improve data quality


Lotus Workplace for Business Controls and Reporting

• Sarbanes Oxley Edition
• GAO / CFO Act Edition
• CoBIT Edition
• Basel II Edition
• International Accounting Standards Edition
• OSHA Edition
• Others

“Managing regulations on a one-off basis will cost 10 times more than a more proactive, framework approach” … “public companies that adopt a comprehensive compliance management architecture will spend 50% less per year than those that don't”

Additional offerings over time

IBM Approach to Sustainable Compliance


Market Analyst Recommendations

• Seek software that extends beyond SOX. Consider building a compliance technology infrastructure that goes well beyond the scope of Sarbanes-Oxley, supporting regulations such as ADA, Basel II, HIPAA, and Equal Employment Opportunity.

• Make your compliance process collaborative (Interactive Across Org.)

• Look for Compliance Apps w / Electronic Content Management

What it Means

• SOX compliance will become a Routine Part of Doing Business.

• SOX applications will more completely address all sections of SOX. The solutions will expand to encompass other SOX requirements, including whistleblower and disclosures (for example, 409 real-time disclosures and electronic document filings)


“One” IBM Product – "One" Business Solution

WebSphere Portal Server (User Interface)

Content Manager (Data Repository)

Reporting (Reporting Format)

Control Catalogs

Workplace Assessment (Scope / Document / Evaluate)

Instant Messaging (Communication)

[Diagram label: Workplace Business Controls & Reporting]


User Interface provides context

Or browse the entire corporate hierarchy and choose an item here

To work on an item, choose it from My Lists, or from Search results

All of this information relates to the highlighted detail

The current selection is always shown here, with all its properties

More ways to understand and navigate structures

More context for the current selection

Find things faster

Scrolling portlets eliminate table paging and excess page refresh


IBM Key Features

SECURITY

– Standard IBM Product & Functionality - WebSphere Portal Server

– Role-Based – Delegating Authority for Control Owners

REPORTING

– 30 standard Templates including COSO Heat maps, Linkage Maps

– Executive Dashboard views with more extensive "drill" down by role

NAVIGATION

– Easy & Flexible Navigation through Cooperative Portlets

– Ability to adjust look and feel for organization

GENERAL

– Extendable Platform (Standard Workplace Architecture- J2EE)

– Native Excel Spreadsheet Import

– Corporate Look is easy and flexible


IBM Workplace Business Controls & Reporting

Transparency

Aggregates Information on enterprise level

Provides management snapshot of compliance status

Provides understanding of the details

Consistency and Automation

Users work on appropriate tasks quickly and resume day-to-day activities

Processes are linked to corresponding financial statements

Controls are defined and can be checked with test case for validation

Efficiency and Effectiveness

Simple, consistent process flow

Sustainable process and documentation

Workflow management

Accountability

Key roles and risks are defined by process (CFO, Business Unit Owner, Process Owner, Control Owner, etc.)

Ownership is assigned to drive business accountability


Components of Total Cost of Compliance (TCOC)

Disclosure and Reporting Costs + Control Management Costs + Testing Costs = TCOC

Disclosure and Reporting Costs

• Financial Reporting Process
• Periodic Disclosure Management Process
• Real-time Disclosure Management Process

Control Management Costs

• Control Documentation
• Ongoing Control Monitoring
• Updating Control Documentation

Testing Costs

• External Auditor Testing
• Management Testing


Reducing Disclosure and Reporting Costs

Financial Reporting and Disclosure Processes generally involve …

– Workers geographically dispersed

– Multiple often non-integrated systems

– Mixture of Manual and automated activities

– Information from internal and external sources

As a result, controls and documentation are generally decentralized


Reducing Disclosure and Reporting Costs

Lotus Workplace collaboration tools address these issues by providing …

– Instant messaging capabilities

– Electronic team rooms for discussion and document sharing as well as version control

– Archiving and document management for e-mail and instant messages

– Event tracking and documentation through workflow


Reducing Control Management Costs

Control Catalogue updates to ensure consistency

Automatically create samples for simplified auditing and monitoring

Follow trends in control history to gauge momentum and progress

Create more detailed access control to ensure integrity

Customize language in the software to match your corporate parlance


Reducing Control Management Costs

Customize email notifications to meet corporate control policies and timelines

Integrate seamlessly into your corporate intranet reducing end user training

Team rooms for projects: data, plans, communications, assignments in one place

Expertise locator and Instant Messaging Shared


Reducing Control Management Costs

Enhanced import capabilities, including directly from MS Excel®

Import procedures directly to avoid duplication and ensure consistency across units

Import data with default owners


Reducing Testing Costs

Share controls across multiple processes to reduce testing overhead

Centralized testing capability to ease auditing and ensure consistency

Email alerts to simplify testing process

Configurable email alerts to focus employees on timely control activity


Why IBM?

IBM Differentiators

• Global scale and delivery capabilities: world’s largest software organization

• Integrated services; strategy through implementation and operation

• Deep industry expertise and knowledge of industry processes

• Leading-edge Solution Focus on SOX and other risk & compliance areas

• Deep technology skills

• Strategic alliances with leading technology vendors

• Premier client list and “track record” of success

• Focused investment in innovative solutions, people development, and intellectual capital

Help reduce the cost of managing risk & compliance

• Step-wise approach to addressing SOX challenges

• Start with 404 controls, expand into modelling / improvements into financial business processes

• Add 802 archiving / retention

• Move to 409 (speed 10k/10Q creation), address real-time material event reporting

• Common infrastructure that can be leveraged for multiple risk & compliance initiatives

• Consistent user experience

• Provide decision makers with the right information at the right time

• At a glance status on “readiness”

Our Qualifications


Market Response

281 Customers Awaiting IBM Demo / Proposal

38 Proposals Currently Pending

18 New Customers Since April 1 Release

8000 User Community

64% Y-T-D SMB Customers

38% Y-T-D Non-Traditional IBM Accounts

Cross-Industry / Multi-National Environment

13 Customers considering IBM for COBIT Management

8 Customers planning to use for Business Performance Management

IBM Internal Audit Usage to Manage SOX 404


Workplace Business Controls & Reporting Users

"We wanted something robust and functional that would be supported and enhanced by a legitimate vendor going forward. Having IBM as that provider gave everyone a great sense of comfort. The product is functionally rich and the pricing was competitive. A bit of a no-brainer really."

--David Sewalk, Senior Vice President, Business Solutions Development, Huntington National Bank

“The total IBM software and services solution helped Ceres Group discover internal and external deployment risks and make timely and well-informed decisions that comply with the federally regulated requirements of the Sarbanes-Oxley Act.”


IMPORTANT: Clients are responsible for ensuring their own compliance with the Sarbanes-Oxley Act. It is the client's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws, including but not limited to, the Sarbanes-Oxley Act, that may affect the client's business and any actions client may need to take to comply with such laws. IBM does not provide legal, accounting or audit advice or represent or warrant that its services or products will ensure that client is in compliance with any law.
