A Sarbanes-Oxley Roadmap to Business Continuity

Page 1: Title

Control Solutions International, Technology Advisory, Assurance & Risk Management Group

NEDRIX Conference, June 23, 2004

Dr. Eric Schmidt, [email protected]

Page 2: Background

In July of 2002, the U.S. Congress passed the Sarbanes-Oxley Act (SOX), mandating that all public companies (SEC registrants) change the way their financial results are reported.

The legislation was a response to the high-profile failures experienced in the United States during 2001-02 and was intended to be "a massive restructuring to the regulatory system governing US capital markets" that would improve the quality of financial reporting and disclosures.

The Public Company Accounting Oversight Board (PCAOB) was created to oversee the activities of the auditing profession.

Page 3

The Sarbanes-Oxley Act contains two Sections (302, 404) dealing with management responsibility for controls and one Section (409) on real-time reporting.

Diagram (reconstructed from the slide): both Sections feed the Annual Report on Form 10-K.
- Section 404, Internal Controls and Procedures for Financial Reporting: covers the financial statements (balance sheet, income statement, cash flow, notes).
- Section 302, Disclosure Controls and Procedures: covers the financial statements plus the business, properties and legal proceedings disclosures.

Page 4: Three Sources of SOX Guidelines

- Frameworks: COSO, CobiT
- Best Practices
- Future Standards

Page 5: Departments Impacted by SOX

Source: The Robert Francis Group

Department            Percentage
Finance               100%
IT                    95.7%
Sales                 43.5%
Human Resources       39.1%
Customer Service      30.4%
Marketing             17.4%
Other                 8.7%

Page 6: SOX-Driven Changes

Source: Robert Francis Group

Survey question: Which of the following is the company changing to address SOX?

Change                        Percentage
Audit Procedures              78.3%
Reporting Procedures          52.2%
Financial Systems             43.5%
Re-training of Personnel      26.1%
Organizational Structure      21.7%
Reporting Frequency           21.7%
Reporting Technologies        17.4%

Page 7: Complexity of SOX for IT

Source: Robert Francis Group

Survey question: How does SOX compare with other compliance or regulatory projects in IT in terms of complexity and impact on resources and expense?

Response                    Percentage
Higher                      30.4%
Not sure / Do Not Know      26.1%
Much Higher                 17.4%
Same                        17.4%
Slightly Higher             4.3%
Lower                       4.3%

48+% rated the SOX impact as higher.

Page 8: Does SOX Mandate an Enterprise-wide Business Continuity Process?

"NO": a BCP is not required by the PCAOB (March 2004).

- SAS 70 (Type 2) for 3rd-party service providers: the AICPA "suspended" the BCP requirement during SOX.
- A growing number of executives are influenced by external auditors with knowledge of business continuity and its potential risks.
- They conclude they must have business continuity processes or show why they do not.

Page 9: Defining Internal Control (IC)

Section 404 attestation is based on two assessments:
- Adequate documentation of ICs
- Sufficient evidence (testing)

A company must have a framework against which management can make assertions:
- C: Completeness
- A: Accuracy
- V: Validation (authorization)
- R: Restriction

Page 10: What's Required for Key Controls

Five W's:
- WHO performs the control?
- WHAT is being done, and WHAT could go wrong?
- WHEN and WHERE is the control being performed or occurring?
- WHY is the control activity performed: to prevent or detect what?

What evidence is there?

Page 11: Why are General Controls Important?

Diagram: Weak General Computer Controls versus Strong General Computer Controls.

Automated control procedures, and manual control procedures that use computer-generated information, are dependent on the effectiveness of general computer controls.

Page 12: COSO Framework: Five Components

All five components must be in place for a control to be effective.

- Control Environment: the control conscience of an organization; the "tone at the top".
- Risk Assessment: the evaluation of internal and external factors that impact an organization's performance.
- Control Activities: the policies and procedures that help ensure that actions identified to manage risk are executed and timely.
- Information and Communication: the process which ensures that relevant information is identified and communicated in a timely manner.
- Monitoring: the process to determine whether internal control is adequately designed, executed, effective and adaptive.

Page 13: Tying It All Together

Diagram (source: IT Governance Institute) with the following elements:
- Executive Management
- Control Environment
- Business Processes (Finance, Manufacturing, Logistics, etc.)
- Application Controls
- IT General Controls
- IT Services: OS / Data / Telecom / Continuity / Networks

Page 14: IT Control Components

IT Considerations in the Control Environment:
- Systems planning
- Governance
- Enterprise policies
- Operating style
- Collaboration
- Information Sharing
- Code of Conduct
- Fraud Prevention

IT General Controls:
- Systems Security / Access
- Change Management
- System Development
- Computer Operations

Application Controls:
- Authorization
- Configuration / account mapping
- Exception / edit reports
- Interface / conversion
- System access

Page 15: Roadmap to Compliance: Engagement Walk-Thru

- Tone at the Top
- Assertions (C, A, V, R)
- Definition of Materiality / Significance
- Significant Accounts and Processes
- Scope: locations, cycles
- Control framework
- Remediation
- Testing
- Management certification

Page 16: Roadmap to Compliance, Phase I: Tone at the Top

Identify all relevant documents, policies, procedures and communications:
- Audit Committee Charter
- Standards of Conduct
- Officer Code of Ethics
- Complaint Reporting Mechanisms
- Whistleblower Policies

Assess the adequacy of documentation and tone.

Internal audit monitoring and risk assessment.

Page 17: Roadmap to Compliance, Phase II: Entity Level Assessment

- Identify material reporting organizations.
- Identify material units within each organization.
- Materiality is based on:
  - Revenue / Assets
  - Subjectivity of entries / reporting
  - Extraordinary / one-time charges
  - History of issues

Figure: sample entity organization chart. Corporate is divided into an Americas Region, a Europe Region and Rest of World, each containing Distribution and Manufacturing units at locations such as South Carolina, Chicago, San Diego, Mexico and Sao Paolo (Americas); Erfurt, Milan, Budapest, Copenhagen, Prague and Marseilles (Europe); and China, Thailand, India, Japan and Australia (Rest of World).

Page 18: Roadmap to Compliance, Phase III: Process Mapping

Cycle reviews begin with the selected cycles, the selection being based on the legal entity assessment in Phase II.

Documentation of each cycle:
- Narrative of key controls
- Process Map (flow chart)
- Control Matrix including all control objectives (Excel or software tool)

The documents aim to provide external audit firms with a complete understanding of the flow of transactions and the controls in place.

Figure: sample process map for a Human Resources payroll (P/R) cycle. Swim lanes for Department, Candidate, Human Resources and Director of HR trace an open position through the Personnel Requisition Form, candidate interview, offer letter and acceptance, department approval, creation of the Employee Action Form (EAF) and input into the ADP PR system. Terminations branch on whether they are voluntary and whether proper notice was given (accrued benefits paid or not paid); annual increases are verified to be within the dollar pool and properly authorized; other P/R changes are reviewed and approved; numbered control points (02 to 05) mark where HR reviews occur.

Page 19: Roadmap to Compliance, Phase IV: Overall Internal Control Effectiveness

Evaluation of the overall effectiveness of internal controls, identification of matters for improvement and the establishment of monitoring systems.

- Management assessment of the effectiveness of controls.
- Internal Audit provides a report detailing areas for improvement and recommendations for ensuring an environment of continuous monitoring, so as to maintain the system of internal control and take corrective action in a timely manner when necessary.
- The External Audit Firm will commence its Attestation "Dry Run".

Page 20: SOX Compliance Roadmap

Figure: SOX compliance roadmap diagram. Source: www.erm.coso.org

Page 21: Alignment with Business Continuity

- Management involvement
- Risk Management
- Process and Change Management
- IT role

Page 22: Key Aspects of SOX Audit

Segregation of Duties is Key
- IT roles are separate from process owners, specifically those in Finance.
- Hand-off from process owners requires control duality:
  - Program & Application specific
  - IT & Process owner
  - Manual & Automated
  - Preventative & Detective

Change Management is Critical
- Records and document management
- Configuration management
- Business process and controls changes

Access Restriction (Security) is Mandated

Page 23: Program Development

Project management standards are defined and used for all aspects of the system development life cycle (SDLC):
- Project initiation
- Analysis and design
- Construction or package selection
- Testing and quality assurance
- Data conversion
- Go-live
- Documentation and training

Page 24: Program Changes

Project management standards are defined and used for all aspects of the program change cycle:
- Specification, approval and tracking of change requests
- Construction
- Testing and quality assurance
- Authorization of transfers to the live environment, including emergency fixes and access to the live environment
- Documentation and training

Page 25: Situational Assessment

A recent Deloitte survey of Fortune 500 companies indicates that a significant amount of work remains.*

Activity                               Percentage Complete
Documentation                          75%
Evaluation of design effectiveness     47%
Testing of operating effectiveness     21%
Remediation                            21%

*Source: Does Your SOX 404 Work Measure Up?, IIA webcast, May 25, 2004

Page 26: What Constitutes a Gap?

Gap types by likelihood and magnitude:
- Deficiency: likelihood remote and/or magnitude inconsequential.
- Significant Deficiency: likelihood more than remote, and magnitude more than inconsequential or quantitatively significant.
- Material Weakness: likelihood more than remote, and magnitude material to the financial statements.

*Source: Does Your SOX 404 Work Measure Up?, IIA webcast, May 25, 2004

Page 27: A Word on Testing

- Benchmark Testing: slowly changing systems, COTS.
- Infrastructure Testing: shared services and support systems (OS, networks, backup, etc.).
- Application Testing: functional and transaction-based testing for systems key to financial statements and reporting, plus critical systems.
- Program Testing: IT management and its interaction with process owners and stakeholders.

Plan carefully to avoid mixed results caused by tests that are not well designed.

Page 28: Remediation Challenges

- Effective Decision & Governance Process
- Complex Program Management Initiatives
- Significant IT Environment Changes
- Impact on Human Resources
- Complex Re-testing and Roll-Forward Testing Activities
- Overall Need for Best Practices

Page 29: Span of Enterprise Risk Management

Diagram elements:
- Government Regulations: Patriot Act, HIPAA, FFIEC, GLBA, NRC, Basel II
- Sarbanes-Oxley compliance requirements:
  - 302: Quarterly Certification by C-Level Management
  - 404: Control Documentation and Testing
  - 409: Real-time Reporting
- Control Assurance and Compliance
- Operational Risk Management (ERM): overall compliance, integrated solutions
- Risk categories: Credit Risk, Operational Risk, Market Risk

Page 30: Risk Management & Business Continuity

- The disciplines of business continuity and risk management are often blurred.
- They use similar tools and techniques, including risk assessment, business continuity planning, and BIAs.
- Business continuity encompasses all processes necessary to restore business functionality during a time of crisis.
- Risk management incorporates a wider variety of functions, including positive impact, negative impact, and business non-stoppage.
- The inherent value of business continuity is clearer when we consider that not all risks can be managed.
- Unless risk management and business continuity are institutionalized into day-to-day activities, organizations will find themselves exposed.

Page 31: Questions?

Source: John Wehr