SAS 70
Problems
Cost
6_CSOE
Business Intelligence
Very important issue but… out of scope of Sarbanes-Oxley.
Business intelligence integrates data from legacy and ERP systems to provide consolidated information on accounting transactions, budgeting and planning information, including transaction-level financial reporting that meets GAAP requirements.
Computer Forensics
Very important issue too but… out of scope of Sarbanes-Oxley too.
But… if we have legal problems:
Computer forensics methodology is a mandatory process whenever the results of a computer investigation may ultimately be presented in a legal or administrative proceeding.
Computer evidence must be properly collected, verified and handled under accepted computer forensic procedures to ensure its accuracy and admissibility in court.
If a company does not have the tools necessary to collect evidence in a manner that preserves its admissibility in court
Software
Many companies use Excel spreadsheets, emails, messages, risk control matrices, simple tools and nothing more.
External auditors do not ask for specific tools.
Cost/benefit analysis
Selection process
Only very large international companies really need special software.
Price range: from zero (Word, Excel, Access: you have already paid for these) to $1M.
Software
Tools (I am making no specific recommendations):
Movaris Certainty
Certus
OpenPages
Documentum
…
Movaris Certainty – www.movaris.com
OpenPages - Sarbanes-Oxley Express
Enterprise compliance management software.
Helps corporations automate significant aspects of their internal controls framework to reduce the overall cost of compliance.
Assists the project manager by starting new controls documentation “projects” and capturing information about the project (for example, project name, reporting period, start date, due date, assigned team members, etc.).
Users can define specific attributes for each task (such as name, description, owner, assignee, business unit/location, start date, due date, percent complete, completion date, notes, preceding task, related documents, etc.).
Controls access to project information.
SOX Express enables members of the project team to document details of their internal controls by adding information about business entities, accounts, processes, risks, controls, tests and test results.
Compliance Automation
Task management
Reports: of all accounts, all processes, all risks, all controls, ineffective controls, incomplete documentation, poor segregation of responsibilities, at-risk action items in project plans, and on issues.
Spreadsheets
Many companies use spreadsheets for their financial reporting and operational processes.
The challenge: advanced features, formulas, macros, multiple spreadsheets linked together, with minimal or no documentation.
Version Control – Only approved versions of spreadsheets must be used.
Continuity Controls – Backups
Spreadsheets
Identify which spreadsheets fall into the scope of SOX.
Spreadsheets not used in calculating account balances, journal entries, etc. should not be subject to spreadsheet controls for SOX purposes.
Patches: there must be a testing phase and a defined rollout strategy.
Spreadsheets
1. Take inventory of spreadsheets that have an impact on financial statements
5. Control version and changes
Spreadsheets - Errors
1. Input errors: flawed data entry, inaccurate referencing or even cut-and-paste
2. Logic errors: errors in formulas, inappropriate definition of cell ranges and referenced cells
3. Interface errors: import / export of data
4. No documentation and no testing
5. No training…
SAS 70
Statement on Auditing Standards (SAS) No. 70
Explains how an external auditor should assess the internal controls of an outsourcing service provider and issue an attestation report to outside parties or to a client.
SAS 70 reports are considered auditor-to-auditor communication in a uniform reporting format, not assurance for management.
Very important: a proper outsourcing agreement must be in place. Ask the lawyers!
The agreement must describe the responsibilities of each party related to operations and maintenance.
Very important: the scope of SAS 70 may not cover SOX requirements. It has happened many times.
Service Auditor's Report - a formal report including the auditor's opinion is issued after the SAS 70 examination.
SAS 70 is not a pre-determined set of control objectives or control activities - auditors are required to follow the AICPA's standards.
Type I, II reports
Type I reports: auditors will express their opinion
1. On the design of the controls (are they designed to achieve their objectives?)
2. On whether the description of these controls is fair
Type II reports: auditors will express their opinion
1. The same as Type I
2. The same as Type I
3. On the effectiveness of the controls. The controls must operate with reasonable (never absolute, it is impossible) effectiveness and provide reasonable assurance that they meet their specified objectives
SAS 70 – Steps
Plan & Scope
Understanding the organization
Identification - financial reporting process and supporting systems
Risk Assessment
General controls and application controls
Gap analysis
Significant deficiencies, material weakness
Corrective actions
Documentation
Test design and documentation
Tests
Operational effectiveness
Self-assessments
Problem areas
Data protection laws in Europe may make compliance with Sarbanes-Oxley actually in breach of the Data Protection Act of 1998.
Why?
The differences
(Regulatory retaliation?)
Problem areas
German chemicals producer BASF estimates that the extra costs of Sarbanes-Oxley compliance are somewhere between $30m and $40m per year.
DNA!
“Simply complying with the rules is not enough. Companies should make this approach part of their DNA.
If companies view the new laws as opportunities — opportunities to improve internal controls, improve the performance of the board, and improve their public reporting — they will ultimately be better run, more transparent, and therefore more attractive to investors.”
William Donaldson, SEC Chairman