Sarbanes-Oxley Compliance
Using BMC CONTROL-M Solutions for Operations Management
Table of Contents

SECTION 1 Executive Summary ............................................................ 1
SECTION 2 Abstract ...................................................................... 1
SECTION 3 Sarbanes-Oxley Compliance .................................................. 2
SECTION 4 COBIT Objectives and BMC CONTROL-M ......................................... 3
> Security
> Service Level Agreements
> Monitoring and Reporting
> Workload Forecasting
> Continuity and Recovery Planning
> Backup and Restoration
> Job Scheduling
SECTION 5 BMC CONTROL-M Solutions ..................................................... 6
SECTION 6 Conclusion .................................................................... 6
Executive Summary
When corporate executives certify their company financial statements this year, in compliance with Sarbanes-Oxley financial reporting guidelines, they will do so under the possibility of fines or even imprisonment for inaccurate reporting or noncompliance. The business information relied on by CXOs, culled from multiple information management systems, will be subject to higher levels of scrutiny by auditors than ever before. Implementing the necessary controls toward Sarbanes-Oxley compliance is an evolving process that is likely shepherded by a project team run by the finance department and that includes both internal and external auditors. This team may already be using automation tools targeted toward compliance, but it is important to choose solutions that are extensible and flexible enough to adequately validate the controls and processes and to minimize the increasing costs associated with full compliance. This paper will help the operations department to communicate effectively with the compliance project team, understand its requirements, and ensure that the operations processes are in place to fully support the Sarbanes-Oxley compliance effort. BMC Software's BMC CONTROL-M solutions help you to cost-effectively automate business processes, conserve resources, and control costs as your company moves toward mandatory Sarbanes-Oxley compliance.
Abstract
The Sarbanes-Oxley Act of 2002 was enacted by the U.S. legislature to protect investors and the public from fraudulent corporate accounting practices and erroneously reported corporate financial information. The Securities and Exchange Commission (SEC) established the rules, requirements, and deadlines, and continues to administer compliance. The burden of compliance now falls largely on the IT staffs that are responsible for supporting their organizations' business and accounting processes. This white paper provides an overview of Sarbanes-Oxley requirements for IT organizations, and reviews how BMC Software's BMC CONTROL-M solutions provide the means to easily address compliance for operations management, both initially and going forward procedurally. Specifically, this paper discusses:

- The Sarbanes-Oxley Act and Section 404 directives
- Sarbanes-Oxley demands on IT operations
- The COBIT and COSO internal control frameworks
- How CONTROL-M solutions help you gain control of operations management and assist in your compliance projects
Page 1
Sarbanes-Oxley Compliance
Ideally, compliance initiatives will restore investor confidence in the stock market by making the financial state of companies transparent to investors. By enhancing corporate governance, strengthening supervision of auditors, focusing attention on internal controls, and imposing strong penalties for noncompliance, companies can prevent undetected financial fraud. Ultimately, this window into management performance should enable investors to better judge a company's true value.

Companies are investing heavily in compliance processes, much of it unbudgeted. Studies suggest that a $3 billion company could spend up to $9.5 million on initial compliance costs and up to $8 million per year on ongoing compliance measures. Current reports indicate that ongoing compliance is costing companies as much as 1.25 percent of their annual revenues. Compliance efforts can readily be compared with the Y2K technology undertaking, but with no visible end to the process.

The Sarbanes-Oxley Act itself does not standardize business practices or specify a framework for organizing processes toward compliance. However, many companies are using standardized sets of approved frameworks to enforce compliance and to describe to auditors (internal and external) how they are achieving compliance controls. These frameworks for IT governance and accounting controls are used to link Sarbanes-Oxley documentation activities with corporate IT management procedures, and are often underwritten and promoted by the auditing and accounting community to measure compliance and to highlight deviations from guidelines.

In 1985, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) [1] was formed to sponsor the National Commission on Fraudulent Financial Reporting. This independent private-sector initiative developed a framework of recommendations for public companies and their independent auditors, educational institutions, and the SEC and other regulators. The COSO framework was adopted by many organizations to standardize and improve the quality of financial reporting. To address the role of IT in compliance, the IT Governance Institute (ITGI) and the Information Systems Audit and Control Association (ISACA) subsequently created a framework called the Control Objectives for Information and Related Technologies (COBIT) guidelines. COBIT is based on the COSO recommendations, and provides an IT governance model and management guidelines for determining how effectively a company controls IT and where improvements can be made.

[1] The Treadway Commission is named for James C. Treadway, Jr., a former member of the Securities and Exchange Commission and the initial chairperson of COSO.
[Figure 1. Sarbox compliance roadmap. Recoverable figure text: axes "Business Value" and "Sarbanes-Oxley Compliance"; final step "9. Build Sustainability": coordination with auditors, internal sign-off (312, 414), independent sign-off (404), internal audit, technical testing, self-assessment, all locations and controls (annual).]
Security

CONTROL-M solutions provide extensive security facilities that enable:

- Access to the product itself
- Access to specific product functionality, by configuring which users can use certain product functions
- Control over the submission of work
- Control over what applications may be monitored and managed
- Monitoring and reporting of attempted security violations
- Forced changing of security passwords
- Audit logs containing details of all accesses, including both approved and rejected

Operations management and security teams should work together to develop, implement, document, and continually assess these functions, including staff changes, process changes, and new application deployments. Audit logs should be printed and regularly reviewed to determine the reason for violations and to ensure that any violations are not willful or intentional.

Figure 2. CONTROL-M security administration screen
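The periodic audit-log review described above is easy to make mechanical. The script below is an added example and is not BMC's or CONTROL-M's own code: the log line format, the user and job names, and the review thresholds are all constructed for illustration (CONTROL-M's real audit format is not shown on this page). It tabulates approved and rejected accesses per user, as a reviewer would, and flags repeated rejections against the same job within a short window, which are the violations that need an explanation before sign-off.

```python
"""Periodic review of a job-scheduler audit log (constructed example).

The log format below is hypothetical; it is not CONTROL-M's own format.
Each line records who attempted which action on which job, and whether
the scheduler's security facility approved or rejected the access.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines, not captured from a real system.
SAMPLE_LOG = """\
2004-03-01 02:10:04 user=opsadmin action=SUBMIT job=GL_CLOSE_DAILY result=APPROVED
2004-03-01 02:11:30 user=jdoe action=HOLD job=GL_CLOSE_DAILY result=REJECTED reason=NOT_AUTHORIZED
2004-03-01 02:11:41 user=jdoe action=HOLD job=GL_CLOSE_DAILY result=REJECTED reason=NOT_AUTHORIZED
2004-03-01 02:12:02 user=jdoe action=HOLD job=GL_CLOSE_DAILY result=REJECTED reason=NOT_AUTHORIZED
2004-03-01 03:00:15 user=auditor1 action=VIEW job=AR_AGING result=APPROVED
2004-03-01 03:05:09 user=opsadmin action=DELETE job=AR_AGING result=REJECTED reason=NOT_AUTHORIZED
2004-03-01 07:45:00 user=auditor1 action=VIEW job=GL_CLOSE_DAILY result=APPROVED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) action=(?P<action>\S+) job=(?P<job>\S+) "
    r"result=(?P<result>APPROVED|REJECTED)(?: reason=(?P<reason>\S+))?$"
)


def parse_audit_log(text):
    """Return one dict per well-formed line; malformed lines are reported, not silently dropped."""
    records, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            malformed.append((lineno, line))
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records, malformed


def summarize(records):
    """Count approved vs rejected accesses per user, as a reviewer would tabulate them."""
    summary = defaultdict(Counter)
    for rec in records:
        summary[rec["user"]][rec["result"]] += 1
    return {user: dict(counts) for user, counts in summary.items()}


def repeated_rejections(records, threshold=3, window_seconds=300):
    """Flag (user, job) pairs with at least `threshold` rejections inside a sliding window.

    A single rejection is usually a typo or a stale profile; a burst against the
    same financial job is what a reviewer needs to explain before sign-off.
    """
    by_key = defaultdict(list)
    for rec in records:
        if rec["result"] == "REJECTED":
            by_key[(rec["user"], rec["job"])].append(rec["ts"])
    flagged = []
    for key, times in by_key.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            span = (times[i + threshold - 1] - times[i]).total_seconds()
            if span <= window_seconds:
                flagged.append(key)
                break
    return flagged


def review_report(text):
    """Everything a reviewer signs off on: per-user counts, flagged bursts, unparseable lines."""
    records, malformed = parse_audit_log(text)
    return {
        "summary": summarize(records),
        "flagged": repeated_rejections(records),
        "malformed_lines": len(malformed),
    }


if __name__ == "__main__":
    report = review_report(SAMPLE_LOG)
    for user, counts in sorted(report["summary"].items()):
        print(f"{user:10} approved={counts.get('APPROVED', 0):2} rejected={counts.get('REJECTED', 0):2}")
    for user, job in report["flagged"]:
        print(f"REVIEW: {user} had repeated rejected access to {job}")
    print(f"malformed lines: {report['malformed_lines']}")
```

The count of malformed lines is reported rather than ignored because a log that a reviewer cannot fully parse is itself a finding: an auditor wants assurance that every access, approved or rejected, was recorded and examined.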
Service Level Agreements

...Manager (CONTROL-M/BIM), a unique option that enables operations teams to define business services and then monitor and manage these processes from a business perspective. This frees the operations staff to concentrate on critical individual services rather than on large groups of jobs or applications. CONTROL-M/BIM continually monitors the critical path of any given service and issues updates for the projected end time of that service. If a critical service is delayed beyond its targeted completion time, an alert is issued so that operations teams place due emphasis on returning that critical business service to its scheduled completion time. This information is vital to producing accurate financial reports. Auditors can use this information to produce daily reports that show whether services completed beyond their targeted service time.

Figure 3. Batch Impact Manager monitoring screen

Monitoring and Reporting

CONTROL-M has extensive capabilities in historical reporting and future forecasting that help operations management and external auditors validate past production runs and evaluate future runs and trends. For example, CONTROL-M enables the data center to store historical job-flow diagram networks, which graphically show all jobs run. Operations management teams can store older versions of networked applications (which directly impact a company's financial reporting applications), and use the product's playback feature to view historical information. The playback feature works similarly to a VCR or DVD player, enabling an authorized user to choose a particular network (former or existing) and replay the events by simulating the application environment at a point in time. For full benefit from this feature, operations staff and auditors should consult to decide which historical networks are the most relevant. The backup and retention of this information should then be scheduled through CONTROL-M, to enable management and auditors to review a simulation of the processes that took place on the applications in question.

When a company also uses BMC CONTROL-D solutions, daily reports can be produced from archived logs, or, as a better alternative, the reports themselves may be retained and viewed from the CONTROL-D archive. Using CONTROL-D solutions, reports can be indexed and then viewed by date, application, job, run time, and so on. Both internal and external auditors can readily view online any pertinent archived report.

Figure 4. CONTROL-M report generator screen

Figure 6. CONTROL-M archive selection screen

Figure 7. View of old network

Workload Forecasting

COBIT control objectives state that a data center must have processes in place to periodically produce workload forecasts, identify trends, and provide feedback to a capacity plan. The idea is to guarantee the availability of the resources needed to produce the company's fiscal findings in a timely manner. The BMC CONTROL-M/Forecast facility produces a number of graphical and tabular reports that show projected application processing times for future dates and various trend analyses.

Figure 9. CONTROL-M forecast trend report

Job Scheduling

COBIT guidelines suggest that companies implement an automatic scheduling process. These guidelines further stipulate paying particular attention to interdependencies, documentation, security, scheduling deviations, and backup procedures. A recent audit at one financial company strongly suggested the installation of an industry-leading and comprehensive automatic scheduler to help the company avert reporting a material weakness in its internal controls. CONTROL-M, with cross-platform scheduling, monitoring, and management facilities, fulfills all of these requirements, and is positioned by IT industry analysts as the leading scheduler.

BMC CONTROL-M Solutions

- BMC CONTROL-M Smart Plug-in for HP OpenView
- BMC CONTROL-M/Analyzer
- BMC CONTROL-M/Assist
- BMC CONTROL-M/CM for Advanced File Transfer
- BMC CONTROL-M/CM for PeopleSoft
- BMC CONTROL-M/Enterprise Manager
- BMC CONTROL-M/Links for Distributed Systems
- BMC CONTROL-M/Links for OS/390
- BMC CONTROL-M/Restart
- BMC CONTROL-M/Tape
Conclusion
As companies evolve their corporate processes toward Sarbanes-Oxley compliance, it is important to involve both the operations management team and the IT team. While targeted compliance automation tools may be used, it is imperative that companies make the best use of the features and facilities of the BMC CONTROL-M solutions already in use. When operations management teams engage with IT organizations, their efforts not only validate compliance but also ensure that costs are minimized.