
SOLUTION WHITE PAPER

Sarbanes-Oxley Compliance
Using BMC CONTROL-M Solutions for Operations Management

Table of Contents

SECTION 1
Executive Summary ........................................ 1

SECTION 2
Abstract ................................................. 1

SECTION 3
Sarbanes-Oxley Compliance ................................ 2
> Sarbanes-Oxley Section 404 ............................. 2

SECTION 4
COBIT Objectives and BMC CONTROL-M ....................... 3
> Security ............................................... 3
> Service Level Agreements ............................... 4
> Monitoring and Reporting ............................... 4
> Workload Forecasting ................................... 5
> Continuity and Recovery Planning ....................... 6
> Backup and Restoration ................................. 6
> Job Scheduling ......................................... 6

SECTION 5
BMC CONTROL-M Solutions .................................. 6

SECTION 6
Conclusion ............................................... 6

Executive Summary
When corporate executives certify their company financial statements this year, in compliance with Sarbanes-Oxley financial reporting guidelines, they will do so under the possibility of fines or even imprisonment for inaccurate reporting or noncompliance. The business information relied on by CXOs, culled from multiple information management systems, will be subject to higher levels of scrutiny by auditors than ever before. Implementing the necessary controls toward Sarbanes-Oxley compliance is an evolving process that is likely shepherded by a project team run by the finance department, and includes both internal and external auditors. This team may already be using automation tools targeted toward compliance, but it is important to choose solutions that are extensible and flexible enough to adequately validate the controls and processes and minimize the increasing costs associated with full compliance. This paper will help the operations department to communicate effectively with the compliance project team, understand their requirements, and ensure that the operations processes are in place to fully support the Sarbanes-Oxley compliance effort. BMC Software's BMC CONTROL-M solutions help you to cost-effectively automate business processes, conserve resources, and control costs as your company moves toward mandatory Sarbanes-Oxley compliance.

Abstract
The Sarbanes-Oxley Act of 2002 was enacted by the U.S. legislature to protect investors and the public from fraudulent corporate accounting practices and erroneously reported corporate financial information. The Securities and Exchange Commission (SEC) established the rules, requirements, and deadlines, and continues to administer compliance. The burden of compliance now falls largely on the IT staffs that are responsible for supporting their organizations' business and accounting processes. This white paper provides an overview of Sarbanes-Oxley requirements for IT organizations, and reviews how BMC Software's BMC CONTROL-M solutions provide the means to easily address compliance for operations management, both initially and procedurally going forward. Specifically, this paper discusses:

> The Sarbanes-Oxley Act and Section 404 directives
> Sarbanes-Oxley demands on IT operations
> The COBIT and COSO internal control frameworks
> How CONTROL-M solutions help you gain control of operations management and assist in your compliance projects

PAGE > 1

Sarbanes-Oxley Compliance
Ideally, compliance initiatives will restore investor confidence in the stock market by making the financial state of companies transparent to investors. By enhancing corporate governance, strengthening supervision of auditors, focusing attention on internal controls, and imposing strong penalties for noncompliance, companies can prevent undetected financial fraud. Ultimately, this window into management performance should enable investors to better judge a company's true value.

Companies are investing heavily in compliance processes, much of it unbudgeted. Studies suggest that a $3 billion company could spend up to $9.5 million on initial compliance costs and up to $8 million per year on ongoing compliance measures. Current reports indicate that the ongoing costs of compliance are costing companies as much as 1.25 percent of their annual revenues. Compliance efforts can readily be compared with the Y2K technology undertaking, but with no visible end to the process.

The Sarbanes-Oxley Act itself does not standardize business practices or specify a framework for organizing processes toward compliance. However, many companies are using standardized sets of approved frameworks to enforce compliance and to describe to auditors (internal and external) how they are achieving compliance controls. These frameworks for IT governance and accounting controls are used to link Sarbanes-Oxley documentation activities with corporate IT management procedures, and are often underwritten and promoted by the auditing and accounting community to measure compliance and to highlight deviations from guidelines.

In 1985, the Committee of Sponsoring Organizations of the Treadway Commission (COSO)[1] was formed to sponsor the National Commission on Fraudulent Financial Reporting. This independent private-sector initiative developed a framework of recommendations for public companies and their independent auditors, educational institutions, and the SEC and other regulators. The COSO framework was adopted by many organizations to standardize and improve the quality of financial reporting. To address the role of IT in compliance, the IT Governance Institute (ITGI) and the Information Systems Audit and Control Association (ISACA) subsequently created a framework called the Control Objectives for Information and Related Technologies (COBIT) guidelines. COBIT is based on the COSO recommendations, and provides an IT governance model and management guidelines for determining how effectively a company controls IT and where improvements can be made. For further information, visit www.itgovernance.org or www.isaca.org/cobit.htm.

[1] The Treadway Commission is named for James C. Treadway, Jr., a former member of the Securities and Exchange Commission and the initial chairperson of COSO.

Sarbanes-Oxley Section 404

Following the initial Sarbanes-Oxley compliance audits, companies will need to comply with Section 404 of the act, which directly addresses the role of IT in compliance processes. Section 404 focuses heavily on the critical role of internal control over financial reporting, reemphasizing the importance of ethical conduct and reliable information in the preparation of financial information reported to investors. Section 404 directives specify that audit reports must be accompanied by an assessment of all internal controls and processes that have been certified as Sarbanes-Oxley compliant by independent auditors. To do so, each company must:

> Establish a set of financial control processes that must be verified and certified as accurate by an external auditor
> Conduct a quarterly evaluation of all certified controls
> Incorporate an independent assessment of control processes into the company's annual financial report

Section 404 now requires management and auditors to publicly report material weaknesses in internal control over financial reporting existing at their fiscal year-end. These material weaknesses must be listed in a company's annual filings, which could adversely affect stock price and market perception. Although Section 404 does not specify how its objectives are to be met, the SEC has mandated that companies must use a recognized internal control framework such as COBIT or COSO. Using the COBIT framework, an organization can readily design a system of IT controls to comply with Section 404. Auditors need to readily understand the flow of an organization's financial transactions from initiation through to reporting. Because these transactions will be part of IT applications processing, the IT department is under constant and intense scrutiny to document the controls in place and manage these flows.

Auditors will not only be required to monitor the application flow, but will also need to be able to map and monitor the integrity of all the resources in use to support a given application. These resources will include, but not be limited to, networks, databases, servers, operating systems, and IT system management software.


Figure 1. Sarbox compliance roadmap (figure; only the step labels survive extraction): 1. Plan and Scope; 2. Perform Risk Assessment; 3. Identify Significant Accounts/Controls; 4. Document Control Design; 5. Evaluate Control Design; 6. Evaluate Operational Effectiveness; 7. Identify and Remediate Deficiencies; 8. Document Process and Results; 9. Build Sustainability.

COBIT Objectives and BMC CONTROL-M


This section reviews some of the COBIT objectives relevant to Section 404 compliance, and outlines how operations management can achieve COBIT objectives by fully exploiting the functionality of CONTROL-M solutions. CONTROL-M is an enterprise-wide batch scheduling solution that lets you monitor, manage and automate all job scheduling and link the scheduled processes and applications to business objective metrics. The COBIT objectives relevant to Section 404 compliance are:

> Security
> Service level agreements
> Monitoring and reporting
> Workload forecasting
> Continuity and recovery planning
> Backup and restoration
> Job scheduling

Security

CONTROL-M solutions provide extensive security facilities that enable:

> Access control to the product itself
> Access control to specific product functionality, by configuring which users can use certain product functions
> Control over the submission of work
> Control over what applications may be monitored and managed
> Monitoring and reporting of attempted security violations
> Forced changing of security passwords
> Audit logs containing details of all accesses, including both approved and rejected

Operations management and security teams should work together to develop, implement, document, and continually assess these functions, including staff changes, process changes, and new application deployments. Audit logs should be printed and regularly reviewed to determine the reason for violations and to ensure that any violations are not willful or intentional.

Figure 2. CONTROL-M security administration screen
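The audit-log review described above (every access retained, approved and rejected alike, and repeated rejections singled out so the reviewer can decide whether they were accidental) can be made routine with a small script. The following is an added example, not BMC code and not CONTROL-M's actual log layout: the line format, user names, job names and the threshold of three rejections are constructed assumptions for illustration.

```python
"""Audit-log review for approved and rejected accesses.

Added example (not BMC code): the line format below is a constructed,
hypothetical format chosen for illustration; a real CONTROL-M audit log
would be parsed the same way once its field layout is known.
"""
import re
from collections import Counter, defaultdict
from typing import NamedTuple

# Constructed sample log: timestamp, user, action, target, result.
SAMPLE_AUDIT_LOG = """\
2004-03-01 08:02:11 jsmith  LOGIN       console       APPROVED
2004-03-01 08:05:40 jsmith  SUBMIT      GL_CLOSE_JOB  APPROVED
2004-03-01 08:06:02 mjones  LOGIN       console       REJECTED
2004-03-01 08:06:15 mjones  LOGIN       console       REJECTED
2004-03-01 08:06:31 mjones  LOGIN       console       REJECTED
2004-03-01 09:12:00 rlee    VIEW        AP_PAYMENTS   APPROVED
2004-03-01 09:13:45 rlee    MODIFY      AP_PAYMENTS   REJECTED
2004-03-01 10:00:00 jsmith  PASSWD_CHG  self          APPROVED
this line is malformed and must be counted, not silently dropped
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<user>\S+)\s+(?P<action>\S+)\s+(?P<target>\S+)\s+"
    r"(?P<result>APPROVED|REJECTED)$"
)


class AuditEntry(NamedTuple):
    timestamp: str
    user: str
    action: str
    target: str
    result: str


def parse_audit_log(text):
    """Return (entries, malformed_count); malformed lines are counted so the
    reviewer knows the log may be incomplete rather than assuming it is clean."""
    entries, malformed = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            malformed += 1
            continue
        entries.append(AuditEntry(f"{m['date']} {m['time']}", m["user"],
                                  m["action"], m["target"], m["result"]))
    return entries, malformed


def summarize_access(entries):
    """Per-user counts of approved and rejected accesses; both are kept,
    as the paper requires of the audit log."""
    summary = defaultdict(lambda: {"APPROVED": 0, "REJECTED": 0})
    for e in entries:
        summary[e.user][e.result] += 1
    return dict(summary)


def repeated_rejections(entries, threshold=3):
    """Users whose rejected accesses reach the threshold: the cases a reviewer
    must look at to decide whether the violation was willful."""
    rejected = Counter(e.user for e in entries if e.result == "REJECTED")
    return sorted(u for u, n in rejected.items() if n >= threshold)


def review_report(text, threshold=3):
    """Printable review lines: one per user, then review flags, then a
    data-quality warning if any line could not be parsed."""
    entries, malformed = parse_audit_log(text)
    lines = [f"{user}: {c['APPROVED']} approved, {c['REJECTED']} rejected"
             for user, c in sorted(summarize_access(entries).items())]
    for user in repeated_rejections(entries, threshold):
        detail = sorted({(e.action, e.target) for e in entries
                         if e.user == user and e.result == "REJECTED"})
        lines.append(f"REVIEW: {user} had {threshold}+ rejected accesses: {detail}")
    if malformed:
        lines.append(f"WARNING: {malformed} malformed line(s) skipped")
    return lines


if __name__ == "__main__":
    print("\n".join(review_report(SAMPLE_AUDIT_LOG)))
```

The malformed-line counter matters for an auditor: a review that silently drops unparseable lines cannot claim to cover all accesses, which is exactly the claim the control has to support.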


Service Level Agreements

The CONTROL-M architecture includes BMC Batch Impact Manager (CONTROL-M/BIM), a unique option that enables operations teams to define business services and then monitor and manage these processes from a business perspective. This frees the operations staff to concentrate on critical individual services rather than large groups of jobs or applications. CONTROL-M/BIM continually monitors the critical path of any given service and issues updates for the projected end time of that service. If a critical service is delayed beyond its targeted completion time, an alert is issued to ensure that operations teams place due emphasis on returning that critical business service to its scheduled completion time. This information is vital to producing accurate financial reports. Auditors can use this information to produce daily reports that show whether services completed beyond their targeted service time.

Figure 3. Batch Impact Manager monitoring screen

Figure 4. CONTROL-M report generator screen

Monitoring and Reporting

To meet Sarbox Section 404 compliance using the COBIT framework guidelines, IT management must produce and retain extensive reports to monitor the existing job scheduling process and to project future trends. Reports must show the work scheduled each day, the actual jobs run, any exceptions encountered, and the actions taken to handle and correct those exceptions. The reports (and the logs used to produce them) should be retained and archived to ensure effective auditing and control of those applications that directly affect the company's fiscal results.

CONTROL-M has extensive capabilities in historical reporting and future forecasting that help operations management and external auditors validate past production runs and evaluate future runs and trends. For example, CONTROL-M enables the data center to store historical job-flow diagram networks, which graphically show all jobs run. Operations management teams can store older versions of networked applications (which directly impact a company's financial reporting applications), and use the product's playback feature to view historical information. The playback feature works similarly to a VCR or DVD player, enabling an authorized user to choose a particular network (former or existing) and replay the events by simulating the application environment at a point in time. For full benefit from this feature, operations staff and auditors should consult to decide which historical networks are the most relevant. The backup and retention of this information should then be scheduled through CONTROL-M, to enable management and auditors to review a simulation of the processes that took place on the applications in question.

When a company also uses BMC CONTROL-D solutions, daily reports can be produced from archived logs or, as a better alternative, the reports themselves may be retained and viewed from the CONTROL-D archive. Using CONTROL-D solutions, reports can be indexed and then viewed by date, application, job, run time, and so on. Both internal and external auditors can readily view online any pertinent archived report.

Figure 5. CONTROL-M report generator screen

Figure 6. CONTROL-M archive selection screen

Figure 7. View of old network

Workload Forecasting

COBIT control objectives state that a data center must have processes in place to periodically produce workload forecasts, identify trends, and provide feedback to a capacity plan. The idea is to guarantee the availability of the resources needed to produce the company's fiscal findings in a timely manner. The BMC CONTROL-M/Forecast facility produces a number of graphical and tabular reports that show projected application processing times for future dates and various trend analyses.

Figure 8. CONTROL-M forecast tabular report

Figure 9. CONTROL-M forecast trend report
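The service-level and monitoring requirements above (a daily record of work scheduled, jobs actually run, exceptions with the corrective action taken, and any business service that finished past its target time) reduce to a reconciliation of the schedule against the run log. The following is an added example that is not BMC code and does not reproduce CONTROL-M's or CONTROL-D's report formats: the schedule, service targets, run-log records, job names and times are all constructed assumptions for illustration.

```python
"""Daily scheduling reconciliation for audit (added example, not BMC code).

Produces the report the paper says auditors need: work scheduled, jobs
actually run, exceptions and the corrective action recorded for each, plus
any business service that ended past its target time. All record formats,
job names and times below are constructed for illustration.
"""
from datetime import datetime

# Constructed schedule for one day: job -> business service it belongs to.
SCHEDULED_JOBS = {
    "GL_EXTRACT": "MonthEndClose",
    "GL_LOAD": "MonthEndClose",
    "GL_REPORT": "MonthEndClose",
    "AP_PAYRUN": "Payables",
}

# Constructed service targets: service -> required completion time (HH:MM).
SERVICE_TARGETS = {"MonthEndClose": "06:00", "Payables": "07:30"}

# Constructed run log: (job, start, end, status, action taken on exception).
RUN_LOG = [
    ("GL_EXTRACT", "02:00", "02:40", "ENDED OK", ""),
    ("GL_LOAD", "02:41", "03:10", "ENDED NOTOK", "restarted from step 2"),
    ("GL_LOAD", "03:15", "04:05", "ENDED OK", ""),
    ("GL_REPORT", "04:06", "06:25", "ENDED OK", ""),
    # AP_PAYRUN was scheduled but never ran: it must surface as an exception.
]


def _hhmm(text):
    return datetime.strptime(text, "%H:%M").time()


def reconcile(scheduled, run_log):
    """Compare the schedule with what ran. The last run of a job decides
    whether it is still unresolved; every non-OK run is an exception that
    must carry a recorded action."""
    last_status, exceptions = {}, []
    for job, _start, _end, status, action in run_log:
        last_status[job] = status
        if status != "ENDED OK":
            exceptions.append((job, status, action or "NO ACTION RECORDED"))
    return {
        "not_run": sorted(j for j in scheduled if j not in last_status),
        "exceptions": exceptions,
        "unresolved": sorted(j for j, s in last_status.items() if s != "ENDED OK"),
        "unexpected": sorted(j for j in last_status if j not in scheduled),
    }


def late_services(scheduled, targets, run_log):
    """Services whose latest job end time is past the target:
    {service: (actual end, target)}."""
    last_end = {}
    for job, _start, end, _status, _action in run_log:
        service = scheduled.get(job)
        if service is None:
            continue
        if service not in last_end or _hhmm(end) > _hhmm(last_end[service]):
            last_end[service] = end
    return {svc: (end, targets[svc]) for svc, end in last_end.items()
            if svc in targets and _hhmm(end) > _hhmm(targets[svc])}


def build_report(scheduled, targets, run_log):
    """Lines an auditor can retain: schedule size, runs, exceptions,
    missing or unexpected jobs, and service-level misses."""
    rec = reconcile(scheduled, run_log)
    lines = [f"Scheduled: {len(scheduled)} jobs; runs logged: {len(run_log)}"]
    lines += [f"EXCEPTION: {job} {status}; action: {action}"
              for job, status, action in rec["exceptions"]]
    lines += [f"NOT RUN: {job} (service {scheduled[job]})" for job in rec["not_run"]]
    lines += [f"UNRESOLVED: {job}" for job in rec["unresolved"]]
    lines += [f"UNEXPECTED: {job} ran but was not scheduled" for job in rec["unexpected"]]
    lines += [f"LATE: {svc} ended {end}, target {target}"
              for svc, (end, target) in sorted(late_services(scheduled, targets, run_log).items())]
    return lines


if __name__ == "__main__":
    print("\n".join(build_report(SCHEDULED_JOBS, SERVICE_TARGETS, RUN_LOG)))
```

Two design points carry the audit value: a failed run whose action field is empty is reported as "NO ACTION RECORDED" rather than hidden, and a job that ran without being on the schedule is listed separately, since unscheduled work touching financial applications is itself a control deviation.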


Continuity and Recovery Planning


A good continuity plan uses well-documented and communicated procedures to ensure that, in the event of any failure, IT operations can continue to process the data vital to producing company financial statements. All CONTROL-M solutions have built-in failover processes, such as database mirroring and cluster support, enabling processing to continue even when a vital infrastructure component is missing or not functioning. These failover processes are extensively documented in various BMC Software manuals and white papers, as is the integration of proprietary failover methods from vendors such as IBM.

Backup and Restoration

Backup and restoration processes for financial and database information (including scheduling tables, logs, security profiles, reports, and job scheduling documentation) should be scheduled as routine daily tasks, using facilities such as the AFT (Advanced File Transfer) process to schedule and monitor the success of transmissions to offsite backup servers. Restoration of a vital database can be built into the CONTROL-M solutions' post-processing facilities, so that it is triggered whenever an error is detected.

Job Scheduling

COBIT guidelines suggest that companies implement an automatic scheduling process. These guidelines further stipulate paying particular attention to interdependencies, documentation, security, scheduling deviations, and backup procedures. A recent audit at one financial company strongly suggested the installation of an industry-leading and comprehensive automatic scheduler to help the company avert reporting a material weakness in its internal controls. CONTROL-M, with cross-platform scheduling, monitoring, and management facilities, fulfills all of these requirements, and is positioned by IT industry analysts as the leading scheduler.

BMC CONTROL-M Solutions

CONTROL-M solutions by BMC Software provide support for operations management needs. To learn more about CONTROL-M products, please visit www.bmc.com/products.

> BMC CONTROL-M for Distributed Systems
> BMC CONTROL-M for Microsoft Windows
> BMC CONTROL-M for OS/390 and z/OS
> BMC CONTROL-M for SAP
> BMC CONTROL-M Option for Baan
> BMC CONTROL-M Plus Module for Tivoli
> BMC CONTROL-M Smart Plug-in for HP OpenView
> BMC CONTROL-M/Analyzer
> BMC CONTROL-M/Assist
> BMC CONTROL-M/CM for Advanced File Transfer
> BMC CONTROL-M/CM for PeopleSoft
> BMC CONTROL-M/Enterprise Manager
> BMC CONTROL-M/Links for Distributed Systems
> BMC CONTROL-M/Links for OS/390
> BMC CONTROL-M/Restart
> BMC CONTROL-M/Tape

Conclusion
As companies evolve their corporate processes toward Sarbanes-Oxley compliance, it is important to involve the operations management team and the IT team. While targeted compliance automation tools may be used, it is imperative that companies make the best use of the features and facilities of the BMC CONTROL-M solutions already in use. When operations management teams engage with IT organizations, their efforts not only validate compliance but also ensure that costs are minimized.

