Control Solutions International, Technology Advisory, Assurance & Risk Management Group
A Sarbanes-Oxley Roadmap to Business Continuity
NEDRIX Conference, June 23, 2004
Dr. Eric Schmidt ([email protected], controlsolutions.com)
In July of 2002, the U.S. Congress passed the Sarbanes-Oxley Act (SOX), mandating that all public companies (SEC registrants) change the way their financial results are reported.
The legislation was a response to the high-profile failures experienced in the United States during 2001-02 and was intended to be “a massive restructuring to the regulatory system governing US capital markets” that would improve the quality of financial reporting and disclosures.
The Public Company Accounting Oversight Board (PCAOB) was created to oversee the activities of the auditing profession.
Background
The Sarbanes-Oxley Act contains two Sections (302, 404) dealing with management responsibility for controls and one Section (409) on real-time reporting.
Diagram: Section 302 (Disclosure Controls and Procedures) covers the Annual Report on Form 10-K as a whole: Financial Statements (Balance Sheet, Income Statement, Cash Flow, Notes), Business, Properties and Legal Proceedings. Section 404 (Internal Controls and Procedures for Financial Reporting) covers the Financial Statements within the Annual Report on Form 10-K.
Three Sources of SOX Guidelines
Frameworks (CobiT, COSO)
Best Practices
Future Standards
Departments Impacted by SOX
Source: The Robert Francis Group
Finance 100%
IT 95.7%
Sales 43.5%
Human Resources 39.1%
Customer Service 30.4%
Marketing 17.4%
Other 8.7%
SOX-Driven Changes
Source: Robert Francis Group
Which of the following is the company changing to address SOX?
Audit Procedures 78.3%
Reporting Procedures 52.2%
Financial Systems 43.5%
Re-training of Personnel 26.1%
Organizational Structure 21.7%
Reporting Frequency 21.7%
Reporting Technologies 17.4%
Complexity of SOX for IT
Source: Robert Francis Group
How does SOX compare with other compliance or regulatory projects in IT in terms of complexity and impact of resources and expense?
Higher 30.4%
Not sure / Do Not Know 26.1%
Same 17.4%
Much Higher 17.4%
Slightly Higher 4.3%
Lower 4.3%
48%+ rated the SOX impact as higher
Does SOX Mandate an Enterprise-wide Business Continuity Process?
“NO”: a BCP is not required by the PCAOB (March 2004)
SAS 70 (Type 2) for 3rd-party service providers: the AICPA “suspended” the BCP requirement during SOX
Growing number of executives influenced by external auditors with knowledge of business continuity and potential risks
Conclude they must have business continuity processes or show why they do not
Section 404 attestation is based on two assessments
Adequate documentation of ICs
Sufficient evidence (testing)
A company must have a framework against which management can make assertions:
C – Completeness
A – Accuracy
V – Validation (authorization)
R – Restriction
Defining Internal Control (IC)
What’s Required for Key Controls
Five W’s:
WHO performs the control?
WHAT is being done and WHAT could go wrong?
WHEN and WHERE is the control being performed or occurring?
WHY is the control activity performed – to prevent or detect what?
What evidence is there?
Why are General Controls Important?
Diagram: contrast of weak general computer controls vs. strong general computer controls.
Automated control procedures, and manual control procedures that use computer-generated information, are dependent on the effectiveness of general computer controls.
COSO Framework – Five Components (component names are the standard COSO labels for the five definitions on the slide):
Control Environment: the control conscience of an organization; the “tone at the top”.
Risk Assessment: the evaluation of internal and external factors that impact an organization’s performance.
Control Activities: the policies and procedures that help ensure that actions identified to manage risk are executed and timely.
Information and Communication: the process which ensures that relevant information is identified and communicated in a timely manner.
Monitoring: the process to determine whether internal control is adequately designed, executed, effective and adaptive.
All five components must be in place for a control to be effective.
Tying It All Together
Diagram (layered model): Executive Management and the Control Environment at the top; Application Controls sitting over the Business Processes (Finance, Manufacturing, Logistics, etc.); IT General Controls over the IT Services layer (OS / Data / Telecom / Continuity / Networks) that supports all of the business processes.
Source: IT Governance Institute
IT Control Components
IT Considerations in Control Environment: Systems planning; Governance; Enterprise policies; Operating style
IT General Controls: Systems Security / Access; Change Management; System Development; Computer Operations
Application Controls: Authorization; Configuration / account mapping; Exception / edit reports; Interface / conversion; System access
Collaboration; Information Sharing; Code of Conduct; Fraud Prevention
Roadmap to Compliance – Engagement Walk-Thru
Tone at the Top
Assertions (C, A, V, R)
Definition of Materiality / Significance
Significant Accounts and Processes
Scope – locations, cycles
Control framework
Remediation
Testing
Management certification
Roadmap to Compliance
Phase I – Tone at the Top
Identify all relevant documents, policies, procedures and communications
Audit Committee Charter
Standards of Conduct
Officer Code of Ethics
Complaint Reporting Mechanisms
Whistleblower Policies
Assess adequacy of documentation and tone
Internal audit monitoring and risk assessment
Roadmap to Compliance
Phase II – Entity Level Assessment
ID material reporting organizations
ID material units within each organization
Materiality based on:
Revenue / Assets
Subjectivity of entries / reporting
Extraordinary / one-time charges
History of issues
Diagram: example legal-entity structure – Corporate, with an Americas Region, a Europe Region and Rest of World, each holding distribution and manufacturing sites (South Carolina, Erfurt, China, Milan, Budapest, Copenhagen, Mexico, Thailand, India, Prague, Marseilles, Japan, Australia, San Diego, Sao Paolo, Chicago).
Roadmap to Compliance
Phase III – Process Mapping
Cycle reviews begin with the cycles selected on the basis of the legal entity assessment in Phase II.
Documentation of each cycle:
Narrative of key controls
Process Map (flow chart)
Control Matrix including all control objectives (Excel or software tool)
The documents aim to provide external audit firms with a complete understanding of the flow of transactions and the controls in place.
Flowchart: Human Resources cycle process map covering an open position (Personnel Requisition Form, department approval, candidate interviewed, offer letter prepared, offer accepted, Employee Action Form (EAF) input into the ADP payroll system), termination (voluntary or not, proper notice given or not, accrued benefits paid or not paid, benefits summary provided to employee), annual increases (verified within the $ pool and properly authorized, included with the annual review, reviewed by HR and approved by the Director of HR) and other payroll changes, with numbered control points 02 to 05.
Roadmap to Compliance
Phase IV – Overall Internal Control Effectiveness
Evaluation of the overall effectiveness of internal controls, identification of matters for improvement and the establishment of monitoring systems.
Management assessment of effectiveness of controls.
Internal Audit provides a report detailing areas for improvement and recommendations for ensuring an environment of continuous monitoring to maintain the system of internal control and take corrective action in a timely manner when necessary.
External Audit Firm will commence its Attestation “Dry Run”
Source: www.erm.coso.org
SOX Compliance Roadmap
Alignment with Business Continuity
Management involvement
Risk Management
Process and Change Management
IT role
Key Aspects of a SOX Audit
Segregation of Duties is Key: IT roles separate from process owners, specifically those in Finance; hand-off from process owners requires control duality; program- and application-specific; IT and process owner; manual and automated; preventative and detective
Change Management is Critical: records and document management; configuration management; business process and controls changes
Access Restriction (Security) is Mandated
Program Development
Project management standards are defined and used for all aspects of system development life cycle (SDLC)
Project initiation
Analysis and design
Construction or package selection
Testing and quality assurance
Data conversion
Go-live
Documentation and training
Program Changes
Project management standards are defined and used for all aspects of the program change cycle
Specification, approval and tracking of change requests
Construction
Testing and quality assurance
Authorization of transfers to the live environment, including emergency fixes and access to the live environment
Documentation and training
Situational Assessment
Activity – Percentage Complete:
Documentation 75%
Evaluation of design effectiveness 47%
Testing of operating effectiveness 21%
Remediation 21%
A recent Deloitte survey of Fortune 500 companies indicates that a significant amount of work remains*
*Source: Does Your SOX 404 Work Measure Up?, IIA webcast May 25, 2004
What Constitutes a Gap?
Type / Likelihood / Magnitude:
Deficiency – remote and/or inconsequential
Significant Deficiency – more than remote, and more than inconsequential or quantitatively significant
Material Weakness – more than remote, and material to the financial statements
*Source: Does Your SOX 404 Work Measure Up?, IIA webcast May 25, 2004
A Word on Testing
Benchmark Testing: slowly changing systems, COTS
Infrastructure Testing: shared services and support systems; OS, networks, backup, etc.
Application Testing: functional and transaction-based testing for systems key to financial statements and reporting, plus critical systems
Program Testing: IT management and interaction with process owners and stakeholders
Plan carefully to avoid mixed results because tests are not well designed
Remediation Challenges
Effective Decision & Governance Process
Complex Program Management Initiatives
Significant IT Environment Changes
Impact on Human Resources
Complex Re-testing, Roll-Forward Testing Activities
Overall Need for Best Practices
Span of Enterprise Risk Management
Diagram: the span runs from SOX compliance requirements (Section 302 – quarterly certification by C-level management; Section 404 – control documentation and testing; Section 409 – real-time reporting; control assurance), through compliance with government regulations (Patriot Act, HIPAA, Basel II, FFIEC, GLBA, NRC), to Operational Risk Management (ERM): overall compliance, integrated solutions, and credit, operational and market risk.
Risk Management & Business Continuity
Disciplines of business continuity and risk management often blurred
Both use similar tools and techniques, including risk assessment, business continuity planning and BIAs
Business continuity encompasses all processes necessary to restore business functionality during a time of crisis
Risk management incorporates a wider variety of functions, including positive impact, negative impact and business non-stoppage
Inherent value of business continuity is clearer when we consider that not all risks can be managed
Unless risk management and business continuity are institutionalized into day-to-day activities, organizations will find themselves exposed
Questions?
Source: John Wehr