6_CSOE

Certified Sarbanes-Oxley Expert (CSOE)
Part 6

Sarbanes Oxley Compliance Professionals Association (SOXCPA)
The largest association of Sarbanes Oxley Professionals in the world

The Scope of the SOX Project

Software
Spreadsheets
SAS 70
Problems
Cost

Is it Relevant to Sarbanes Oxley?

• Many controls are significant to the success of the IT function, but some of them are not relevant to the Sarbanes-Oxley compliance effort
• Don't tell your suppliers that I told you that
• IT control activities need to meet specific criteria to be relevant to the Act's requirements
• Your auditors will ask every time…
• … is it directly or indirectly related to the timely production of financial reports?

Using SOX as an excuse

• Vendors consider SOX a great business opportunity
• Offensive marketing: they try to promote products based on fear of something that 'certifying officers' still do not understand


Is BCP / DRP in the scope of SOX?

• Cold Site: only a room; the equipment has to be brought in
• Warm Site: a room with some equipment; usually not all the servers are there
• Hot Site: a real, fully equipped alternate location; only your current data and your people are not there yet
• Extremely important differences in cost

Is BCP / DRP in the scope of SOX?

• YES, all these are very important…
• … but NO, a Business Continuity Plan is NOT in the scope!
• 'Management has decided against including a disaster recovery plan in the scope of their SOX initiative.'


On the one hand…
(next time choose an instructor with one hand only…)

• Sections 302, 404 & 409: safeguarding assets, backup and recovery, timely and accurate reporting, availability of information
• Section 404: establish an infrastructure to protect and preserve records and data from destruction, loss, unauthorized alteration or other misuse
• This infrastructure must ensure there is no room for unauthorized alteration of records vital to maintaining the integrity of the business processes

On the other hand

• In the event of a disaster we need to be able to restore the financial data (for SOX)
• Enough is enough
Q. (Innocent employee): But we do have and do need a good disaster recovery plan!
A. Do you really need to provide documentation (COSO, narratives, testing etc.) for that?


PCAOB Auditing Standard No. 2 (March 9, 2004)

• 'C5. Furthermore, management's plans that could potentially affect financial reporting in future periods are not controls.
• For example, a company's business continuity or contingency planning has no effect on the company's current abilities to initiate, authorize, record, process, or report financial data. Therefore, a company's business continuity or contingency planning is not part of internal control over financial reporting.'

Finally, what is in the scope?

• Data backup and off-site storage: the part of disaster recovery, business continuity and contingency planning that SOX does reach
• The courts have almost always concluded that not recovering data is to be treated as if "you're hiding something"


Testing and Documenting BCP

• Just testing is not enough! We have to successfully recover the data
• We should test the business continuity process prior to the fiscal year close…
• If you have a disaster (or a 'disaster') and you lose some critical data and you have not done all the necessary things to protect these assets, you have a big problem

Business Intelligence

• Very important issue but…
• Out of scope of Sarbanes Oxley
• BI systems turn data into intelligence
• BI tools ensure timely dissemination of data for reporting and analysis across the enterprise


Business Intelligence

• Integrate data from legacy and ERP systems to provide consolidated information on accounting transactions, budgeting and planning information, including transaction-level financial reporting that meets GAAP requirements
• Audit trail on financial documents: providing traceability and the capability to trace transactional information back to its source

Computer Forensics

• Very important issue too but…
• Out of scope of Sarbanes Oxley too
• But… if we have legal problems…
• Computer forensics methodology is a mandatory process whenever the results of a computer investigation may ultimately be presented in a legal or administrative proceeding
• Computer evidence must be properly collected, verified and handled under accepted computer forensic procedures to ensure its accuracy and admissibility in court


Computer Forensics

• If a company does not have the tools necessary to collect evidence in a manner that preserves its admissibility in court…
• When an incident is first detected, it may not be obvious that it will result in possible court action. Evidence will be destroyed before the seriousness of the incident is realized

Software

• There are many companies that use Excel spreadsheets, emails, messages, risk control matrices, simple tools and nothing more
• External auditors do not ask for any particular tool
• Cost/benefit analysis
• Selection process
• Only very large international companies really need special software
• Price range: from zero (Word, Excel, Access: you have already paid for these) to $1M


Software

Tools (I am making no specific recommendations):
• Movaris Certainty
• Certus
• OpenPages
• Documentum
• ………

Movaris Certainty – www.movaris.com


Certus Governance Suite – www.certus.com

• Certus 404 and Certus 302
• Certus Audit
• To ensure transparency and accuracy of internal controls


OpenPages - Sarbanes-Oxley Express

• Enterprise compliance management software
• "Reduces the time and resource costs associated with ongoing compliance for Sections 302 and 404"
• Document and business process management, with reporting capabilities

OpenPages - Sarbanes-Oxley Express

• Helps corporations automate significant aspects of their internal controls framework to reduce the overall cost of compliance
• Its dashboards can be used by project managers, documentation team members and internal auditors to plan, document and test the internal controls of the company, and eventually to attest to the financial statements


OpenPages - Sarbanes-Oxley Express

• Assists the project manager by starting new controls documentation "projects" and capturing information about the project (for example, project name, reporting period, start date, due date, assigned team members, etc.)
• Project plans can be developed with milestones and user task assignments

OpenPages - Sarbanes-Oxley Express

• Users can define specific attributes for each task (such as name, description, owner, assignee, business unit/location, start date, due date, percent complete, completion date, notes, preceding task, related documents, etc.)


OpenPages - Sarbanes-Oxley Express

• Controls access to project information
• The project manager has unrestricted access to all information at all times, while individual team members have a read-only view of the entire project and write access to the items assigned to them

OpenPages - Sarbanes-Oxley Express

• SOX Express enables members of the project team to document details of their internal controls by adding information about business entities, accounts, processes, risks, controls, tests and test results
• Project team members can attach related documents (e.g. policy manuals, pre-existing corporate guidelines, etc.)


OpenPages - Section 404

• Automates the planning, documentation, testing, review, approval and ongoing monitoring of a company's internal controls framework
• Provides a COSO-based internal control framework and a built-in controls library to shorten time-to-compliance and to accelerate compliance audits

OpenPages - Section 302

• Automates the survey process for financial disclosure certification…
• … in which individual process owners first provide sub-certification for their functional areas
• Sub-certifications are then "rolled up" throughout the company and approved by managers at each business level
• SOX Express then presents a final certification report in preparation for the company's Section 302 representation letter from corporate officers


Compliance Automation

• Task management
• Team members see a "My Tasks" list on the home page, with entries like "document control X" or "test control Y"
• Issues management: an issue can have multiple attributes (such as name, description, status and/or severity)
• Action plans can also be developed in the context of an issue, such as "Please update this document"

Compliance Automation

• Reports: on all accounts, all processes, all risks, all controls, ineffective controls, incomplete documentation, poor segregation of responsibilities, at-risk action items in project plans, and on issues
• Third-party reporting applications, such as those from Cognos, Hyperion and Business Objects


Software – time and money

Think about the time it requires to:
1. Purchase the software and the hardware
2. Install and configure the software to your needs
3. Train your users
4. Solve the problems

Software – time and money

Consider:
• How large is your organization?
• Is it geographically dispersed?
• How many processes will you document?
• Are there enough people for that?


Spreadsheets

• Many companies use spreadsheets for their financial reporting and operational processes
• Spreadsheet applications such as Microsoft Excel or Lotus 1-2-3
• Easy and flexible, but not always reliable

Spreadsheets

• The challenge: advanced features, formulas, macros, multiple spreadsheets linked together, minimal or no documentation
• The lack of controls over spreadsheets has led to reporting errors at a number of companies
• Complex spreadsheets must be considered applications


Controls for the Spreadsheets

• Development Lifecycle Controls –
• Remember, it is an application
• A Software Development Life Cycle is absolutely necessary to the development process of critical and complex spreadsheets (requirements, specification, design, building, testing, maintenance)

Controls for the Spreadsheets

• Access Control (Create, Read, Update, Delete) –
• Do not permit users to save them locally
• Spreadsheets must be stored on a central server (security, backups) and access must be controlled and monitored. Password protection is not really effective
• Integrity Controls –
• Lock and protect cells to prevent inadvertent or intentional changes to standing data. Lock and store (read-only) historical files


Controls for the Spreadsheets

• Change Control –
• A process for requesting changes to a spreadsheet, making the changes and then testing the changes
• Version Control –
• Only approved versions of spreadsheets must be used

Controls for the Spreadsheets

• Documentation Controls –
• Never forget the documentation (keep it up to date)
• The auditors (and you, after some days) will not understand the business objective and the specific functions of the spreadsheets
• Continuity Controls –
• Backups


Controls for the Spreadsheets

• Segregation of Duties Controls – procedures, roles, responsibilities, ownership:
• Segregate among 1. the spreadsheet developer, 2. the users and 3. the reviewer
• 1. The developer creates the spreadsheet with the formulas protected in particular cells; he keeps the password

Controls for the Spreadsheets

• 2. Users work using the spreadsheet. If they need to change the formulas, they need the developer
• 3. The manager / reviewer checks the result before posting it to the financial statements
• Danger: the same person is both the spreadsheet developer and the user, and no reviewer exists


Spreadsheets

• Identify which spreadsheets fall into the scope of SOX
• 'We are just at the stage of finding all the spreadsheets that people may be using that are not documented, but the end product is going into our financial systems'

Spreadsheets

• Spreadsheets not used in calculating account balances, journal entries, etc. should not be subject to spreadsheet controls for SOX purposes
• Patches:
• There must be a testing phase and a defined rollout strategy


Spreadsheets

1. Take inventory of the spreadsheets that have an impact on the financial statements
2. Validate data in cells that require data entry
3. Protect cells that contain formulas
4. Restrict access to the spreadsheets on the network (permissions, rights)

Spreadsheets

5. Control versions and changes

• The lack of controls over spreadsheets has been a contributing factor in financial reporting errors at a large number of companies
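As an added illustration of steps 1, 3, 4 and 5 above (example code written for this edition of the notes, not course material and not any vendor's product): the script below inventories the workbooks under a folder, classifies each one by the features that turn a spreadsheet into an "application" (macros, links to other workbooks, many formulas) and checks its hash against a manifest of approved versions, so that an unregistered or silently modified workbook stands out. It needs nothing beyond the Python standard library, because an .xlsx/.xlsm file is a zip archive of XML. The classification thresholds, the manifest format, the folder layout and the three sample workbooks are all assumptions made for the example.

```python
"""Spreadsheet inventory and integrity check for SOX scoping (added example,
not course material; needs only the Python standard library). An .xlsx/.xlsm
file is a zip of XML, so macros, formulas and links to other workbooks can
be detected without Excel. Thresholds and manifest format are assumptions."""
import hashlib
import os
import re
import tempfile
import zipfile

FORMULA_RE = re.compile(rb"<f[\s>/]")   # <f> / <f t="shared"...>, not <font>
APPLICATION_FORMULA_THRESHOLD = 50       # assumed cut-off, tune per policy


def inspect_workbook(path):
    """Describe one workbook: hash, macros, formula count, external links."""
    with open(path, "rb") as fh:
        data = fh.read()
    info = {"name": os.path.basename(path), "sha256": hashlib.sha256(data).hexdigest(),
            "macros": False, "formulas": 0, "external_links": 0}
    with zipfile.ZipFile(path) as zf:
        for member in zf.namelist():
            if member == "xl/vbaProject.bin":          # VBA project => macros
                info["macros"] = True
            elif member.startswith("xl/externalLinks/") and member.endswith(".xml"):
                info["external_links"] += 1          # link to another workbook
            elif member.startswith("xl/worksheets/") and member.endswith(".xml"):
                info["formulas"] += len(FORMULA_RE.findall(zf.read(member)))
    return info


def classify(info):
    """Assumed scoping rule: macros, cross-workbook links or many formulas make
    the workbook an 'application' (full SDLC, change control); some formulas
    make it a 'calculation' (cell protection, review); none make it 'data'."""
    if (info["macros"] or info["external_links"]
            or info["formulas"] >= APPLICATION_FORMULA_THRESHOLD):
        return "application"
    return "calculation" if info["formulas"] else "data"


def version_status(info, manifest):
    """Compare the on-disk hash with the approved-version manifest
    (assumed format: {file name: approved sha256 hex digest})."""
    approved = manifest.get(info["name"])
    if approved is None:
        return "unregistered"   # never inventoried: nobody owns it
    return "approved" if approved == info["sha256"] else "modified"


def build_inventory(directory, manifest):
    """Walk a directory tree and classify every workbook found."""
    rows = []
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            if name.lower().endswith((".xlsx", ".xlsm")):
                info = inspect_workbook(os.path.join(root, name))
                info["class"] = classify(info)
                info["status"] = version_status(info, manifest)
                rows.append(info)
    return rows


def write_sample_workbook(path, n_formulas, macros=False, external=False):
    """Write a minimal zip shaped like an .xlsx (constructed sample data,
    not a file produced by Excel)."""
    rows = "".join(f'<row r="{i}"><c r="A{i}"><f>SUM(B{i}:C{i})</f><v>0</v></c></row>'
                   for i in range(1, n_formulas + 1))
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml",
                    f"<worksheet><sheetData>{rows}</sheetData></worksheet>")
        if macros:
            zf.writestr("xl/vbaProject.bin", b"\x00")
        if external:
            zf.writestr("xl/externalLinks/externalLink1.xml", "<externalLink/>")


def demo():
    """Create three constructed workbooks, register one, and inventory them."""
    folder = tempfile.mkdtemp(prefix="sox_sheets_")
    write_sample_workbook(os.path.join(folder, "headcount_list.xlsx"), 0)
    write_sample_workbook(os.path.join(folder, "revenue_accrual.xlsx"), 12)
    write_sample_workbook(os.path.join(folder, "consolidation.xlsm"), 80,
                          macros=True, external=True)
    manifest = {
        "revenue_accrual.xlsx": inspect_workbook(          # approved as on disk
            os.path.join(folder, "revenue_accrual.xlsx"))["sha256"],
        "consolidation.xlsm": "0" * 64,                     # stale approval
    }
    return build_inventory(folder, manifest)


if __name__ == "__main__":
    for row in demo():
        print(f'{row["name"]:22} {row["class"]:12} {row["status"]:12} '
              f'formulas={row["formulas"]:3} macros={row["macros"]} links={row["external_links"]}')
```

Run against a real share, point build_inventory at the share root and keep the manifest under version control: a "modified" row is a change that bypassed change control, an "unregistered" row is a workbook that was never inventoried, and an "application" row is one that needs the full development lifecycle controls described above rather than cell protection alone.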


Spreadsheets - Errors

1. Input errors: flawed data entry, inaccurate referencing or even cut-and-paste
2. Logic errors: errors in formulas, inappropriate definition of cell ranges and referenced cells
3. Interface errors: import / export of data
4. No documentation and no testing
5. No training…

SAS 70

• Statement on Auditing Standards (SAS) No. 70
• "Reports on the Processing of Transactions by Service Organizations"
• An internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA) in 1993


SAS 70

• Explains how an external auditor should assess the internal controls of an outsourcing service provider and issue an attestation report to outside parties or to a client
• For service organizations and service providers that host or process data belonging to their customers
• They must demonstrate that they have adequate controls and safeguards

SAS 70

• SAS 70 reports are considered auditor-to-auditor communication in a uniform reporting format, not assurance for management
• Very important:
• A proper outsourcing agreement must be in place. Ask the lawyers!
• The agreement must describe the responsibilities of each party related to operations and maintenance


SAS 70

• Very important: the scope of the SAS 70 report. It may not cover the SOX requirements; it has happened many times
• You must address the issue of changes in the service organization's controls

SAS 70

• Service Auditor's Report: a formal report including the auditor's opinion is issued after the SAS 70 examination
• SAS 70 is not a pre-determined set of control objectives or control activities; auditors are required to follow the AICPA's standards
• Not a checklist audit
• SAS 70 reports are typically annual


SAS 70 – The players, the types

• 1. An entity: the user organization (that obtains the services)
• 2. The service organization
• 3. The auditor: the user auditor
• There are two types of Service Auditor's Reports: Type I and Type II
• Type I report: description of the controls at a specific point in time
• Type II report: Type I plus detailed testing of the controls over a minimum six-month period

Type I, II reports

Type I reports: the auditors will express their opinion
• 1. On the design of the controls (are they designed to achieve their objectives?)
• 2. On whether the description of these controls is fair
Type II reports: the auditors will express their opinion
• 1. The same as Type I
• 2. The same as Type I
• 3. On the operating effectiveness of the controls. The controls must operate with reasonable (never absolute, that is impossible) effectiveness and provide reasonable assurance that their specified objectives are met


SAS 70 – Who performs it?

• Certified public accountants or CPA firms
• Must be certified and adhere to specific professional standards established by the American Institute of Certified Public Accountants (AICPA)
• CPA firms employ IT and security professionals with both experience and certifications, such as the CISSP (Certified Information Systems Security Professional, www.isc2.org) or the CISA (Certified Information Systems Auditor, www.isaca.org)

SAS 70 – Steps

• Plan & scope
• Understanding the organization
• Identification of the financial reporting process and supporting systems
• Risk assessment
• General controls and application controls
• Gap analysis


SAS 70 – Steps

• Significant deficiencies, material weaknesses
• Corrective actions
• Documentation
• Test design and documentation
• Tests
• Operating effectiveness
• Self-assessments

SAS 70 and SOX

• Section 404 of SOX made SAS 70 even more important to the process of reporting on effective internal controls at service organizations
• A SAS 70 Type I is not suitable for SOX: it says nothing about the operating effectiveness of the described controls


Advantages of SAS 70 Type II

• A SAS 70 demonstrates the establishment of effective controls
• Builds trust with the service organization's user organizations (its customers)
• Without it, each customer must send its own auditors to the service organization, which means time and additional costs

Advantages of SAS 70 Type II

• The customer knows that the service organization has policies, procedures and controls that are well tested and evaluated
• Companies are looking at outsourcing as a valid way to address some SOX issues


Disadvantages of SAS 70 Type II

• SAS 70 reviews of either type are expensive
• It is not certain that you will 'pass'
• The regulators may not accept a SAS 70 when the same external audit firm audits both sides (the user organization and the service provider); see the SEC FAQ of October 6, 2004 later in this part for when reliance is and is not allowed

Disadvantages of SAS 70 Type II

• The period covered should be a six-month minimum
• A SAS 70 cannot be produced on short notice
• The use of service organizations does not reduce management's responsibility to maintain effective internal control over financial reporting


Disadvantages of SAS 70 Type II

• Timing of the audit: if the audit is performed in June and the client's fiscal year ends December 31, there is a six-month gap in the attestation of the outsourcer's internal controls
• What to do? Request that the service provider undergo SAS 70 audits on a quarterly basis!!! OR obtain a statement from the service provider (a 'bridge letter') that the controls as documented in the SAS 70 have not changed significantly since the date of the report

Disadvantages of SAS 70 Type II

• Discuss it with your external auditors
• A service provider is required to inform its clients only about failures of the SAS 70 tests (so make the service provider disclose the scope of the audit)


October 6, 2004, SEC FAQ

• Question 14
• "In many situations, a registrant relies on a third party service provider to perform certain functions where the outsourced activity affects the initiation, authorization, recording, processing or reporting of transactions in the registrant's financial statements, such as payroll.

October 6, 2004, SEC FAQ

• In assessing internal controls over financial reporting, management may rely on a Type 2 SAS 70 report performed by the auditors of the third party service providers.
• If the auditors of the third party service provider are the same as the auditors of the registrant, may management still rely on that report?"


October 6, 2004, SEC FAQ

• Answer
• "In situations where management has outsourced certain functions to third party service provider(s), management maintains a responsibility to assess the controls over the outsourced operations.
• However, management would be able to rely on the Type 2 SAS 70 report even if the auditors for both companies were the same.
• On the other hand…

October 6, 2004, SEC FAQ

• "On the other hand, if management were to engage the registrant's audit firm to also prepare the Type 2 SAS 70 report on the service organization…
• … management would not be able to rely on that report for purposes of assessing internal control over financial reporting"


October 6, 2004, SEC FAQ

• Question 19
• "Management has outsourced a significant process to a service organization and it has determined that evidence of the operating effectiveness of the controls over that process is necessary.
• In addition, the service organization is unwilling to provide either a Type 2 SAS 70 report or access to assess the controls in place at the service organization.

October 6, 2004, SEC FAQ

• Management does not have compensating controls in place within the registrant's internal control over financial reporting that allow them to determine the effectiveness of the controls over the process in an alternative manner"


October 6, 2004, SEC FAQ

• Answer
• Management's annual report on internal control over financial reporting…
• … must include a statement as to whether or not internal control over financial reporting is effective

October 6, 2004, SEC FAQ

• Management is not allowed to issue a report on internal control over financial reporting with a scope limitation
• Management must determine whether the inability to assess the controls over a particular process…
• … is significant enough to conclude in their report that internal control over financial reporting is not effective


Problem areas

• Data protection laws in Europe may make compliance with Sarbanes-Oxley actually a breach of the (UK) Data Protection Act 1998
• Companies must get consent from employees to disclose certain items of information, but they cannot be sure that the consent will be given

The European Union's Sarbanes-Oxley Act (E-SOX)

The 8th Company Law Directive


From SOX to E-SOX to J-SOX

• A flat world…
• Why?
• The business intelligence / corporate espionage risk
• The registration of the auditors
• The differences
• (Regulatory retaliation?)

July 24, 2007: 1799 firms registered with the PCAOB


The 8th Company Law Directive and the USA

• After the passage of the US Sarbanes-Oxley Act in 2002…
• … US and non-US companies…
• … listed on a US stock exchange…
• … have the difficult task of complying with the Sarbanes-Oxley Act
• After the passage of the European Union's 8th Company Law Directive…
• … European and non-European companies…
• … listed in any country of the EU…
• … have to comply with the 8th Company Law Directive

Japanese SOX (J-SOX)

• J-SOX is an unofficial term which refers to the "Financial Instruments and Exchange Law"
• Requirements similar to the Sarbanes-Oxley Act Sections 302 and 404
• The legislation was passed in June 2006


Japanese SOX (J-SOX)

• Compliance effective for fiscal years beginning on or after April 1, 2008
• For most Japanese companies their first filing of a management evaluation report on internal control would be for the fiscal year ending March 31, 2009

Cost of SOX compliance

• Companies have difficulty in assessing the cost of SOX compliance…
• … as some costs are hidden and the compliance projects have a scope beyond just compliance
• AMR Research Inc. in Boston estimates that the average company will blow through about $1 million in Sarbanes-Oxley costs per $1 billion in revenue


Cost of SOX compliance

• Other studies found that companies with revenue around $1 billion were spending around $3 million
• For companies with $250 million in revenues, the cost of year 1 compliance averaged $475k
• Very few companies with turnover over $10 billion have disclosed their costs

Cost of SOX compliance

• You fix a system: is it a SOX compliance cost, or is SOX an opportunity to solve a pre-existing problem?
• "I've never blown a budget as bad as I did with Sarbanes-Oxley"
  Amy Kwan, senior director, Sarbanes-Oxley program, Cisco Systems
• Estimate: 40,000 hours
• Actual: 130,000 hours


Problem areas

• German chemicals producer BASF estimates that the extra costs of Sarbanes-Oxley compliance are somewhere between $30m and $40m per year
• A survey conducted by Korn/Ferry during 2004 estimated that the average cost for individual companies would be around $2m. Newer estimates are about $3m

DNA!

• "Simply complying with the rules is not enough. Companies should make this approach part of their DNA.
• If companies view the new laws as opportunities — opportunities to improve internal controls, improve the performance of the board, and improve their public reporting — they will ultimately be better run, more transparent, and therefore more attractive to investors."
  William Donaldson, SEC Chairman
