
Marimba Product Line

Sarbanes-Oxley Act: Automate Compliance Processes Throughout System Lifecycle
Jeanne Morain

S-OX and IT Controls


Information technology plays a crucial role in supporting the integrity of financial information.
The PCAOB audit standards highlighted the importance of auditing key IT controls.
PCAOB requires transaction walkthroughs of financially significant transactions and assessment of related controls including IT controls.

Transaction Walkthroughs (PCAOB p71-82)

For each significant general ledger financial account the auditor must:
Trace transactions from origination through the company's information systems until reflected in the company's financial reports.
Include the entire process of initiating, authorizing, recording, processing, and reporting individual transactions including controls intended to address the risk of fraud.

Finance Systems Interfaces

Procurement System Flow

IT General Controls

Poor controls in any of the IT infrastructure areas will adversely affect reliability of application controls.
Physical security
Logical security (access controls)
Database security
Operating system security
Network security
Program change management

IT Application Controls

Application controls help ensure the completeness, accuracy, security of information.
Logical security (access controls)
Program change management
Input controls
Processing controls
Output controls

Control Documentation
A significant task!
Work involved depends on company's starting point on control documentation.
Many companies don't have good control documentation.
Number of impacted systems could include over 100 individual application systems.
Manually obtaining the list of impacted systems can take months.

Control Documentation
Minimum Requirements for Control Documentation
Description of the process
Control gaps
Associated risks
Control activities
Control testing & evaluation
Plans to fix the gaps

Control Framework

S-OX 404 requires management to assess controls against an established control framework.
COSO is a recommended control framework.
COBIT (Control Objectives for IT) is being used for IT control assessments.
COBIT consists of 34 specific IT control objectives.

COBIT
[Diagram: COBIT framework]
BUSINESS OBJECTIVES
INFORMATION: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability
IT RESOURCES: data, application systems, technology, facilities, people
Domains: PLANNING AND ORGANIZATION; ACQUISITION AND IMPLEMENTATION; DELIVERY AND SUPPORT; MONITORING

COBIT Control Objectives


AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Develop and Maintain Procedures
AI5 Install and Accredit Systems
AI6 Manage Changes
DS1 Define and Manage Service Levels
DS2 Manage Third-Party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service (Data Mgt)
DS5 Ensure Systems Security
DS9 Manage the Configuration
DS10 Manage Problems and Incidents
DS11 Manage Data
DS13 Manage Operations
M1 Monitor the Processes

S-OX/404 Compliance
The control evaluation, documentation and testing are major tasks involving significant allocations of resources, primarily people and software.
Implementation of systems based control software should result in process / control consistency and a reduced investment of people resources for the control evaluation efforts.

How prepared are you for an audit?

Reduce Business Impact of Compliance
Compliance Automation throughout System Lifecycle

Automate manual processes

Inventory, Software Distribution


Secure Apps, Code, Records

Patch, SSL, Code Signing


Access, Systems, Schedules
Audit Reports across Enterprise

Access, Inventory, Health


Disparate Systems
Reduce Impact

Resources, Productivity, Business


Total Cost of Compliance

Sarbanes Audit Overview

Compliance Automation
Automated Business Processes throughout Client Lifecycle

[Diagram labels: Data Center; Procurement; Provisioning; Partners/Customers Outside The Firewall; Help Desk; Call Center; Network Operations; End Users; Regulatory Controls; Inside/Outside The Firewall]

How does CCM Automate Compliance?

Control Objective
AI2 - Acquire and Maintain Application Software
AI3 Develop and Maintain Technology Infrastructure
AI4 Develop and Maintain Procedures
AI5 Install and Accredit Systems
AI6 Manage Changes

Marimba Automates By:
Centralized Infrastructure & Admin Interface:
Policy Based Targeting WHO/WHAT
Orchestration - Global TASKs
Patch Remediation - System Integrity
Deploy OS, Apps, Content Test,
Self Service - Failover, Repair, Verify
Inventory Identify, Address Risks

DS 2 Manage 3rd Party Services
DS 3 Manage Performance & Capacity
DS 4 Ensure Continuous Service (Data)

Reporting Scheduled, Email,
Software Distribution Take Action
Content Replication Failover,
Patch Remediation/Software Metering
Secure Transport SSL, Code

Compliance Automation: Marimba & Remedy


The Marimba Integration for Remedy combines Marimba automation and facility with Remedy applications (Asset/Configuration) and workflow

Remedy Solutions: Remedy Asset Management
License Management: leverage Marimba Asset Inventory & Software Usage information to validate procured vs deployed assets

Marimba Solution: Marimba Inventory Discovery
Populates Remedy asset repositories with software/hardware inventory scans providing current, accurate asset data

Remedy Solutions: Remedy Change Management
Leverage Remedy change process with Marimba policy based configuration management

Marimba Solution: Marimba Desktop/Mobile/Server Management Solution
Automatic online servicing, or taking action on software assets that are not in compliance with corporate policies

Head Start: CCM

Marimba Integration for Remedy is a jointly developed, fully documented, productized integration that features:

Leverage Vendor Forms OR Enterprise Integration Engine (EIE)-based inventory mapping from Marimba inventory scanner to Remedy asset repositories
Access Marimba consoles and administration from Remedy applications*
Automatically open Remedy trouble tickets when Marimba server is offline

Complete I-note documentation also available on Marimba-Remedy integration

* Out-of-box functionality maps to the Remedy Asset Management but is extendable to ANY Remedy form/Application such as Help Desk, Configuration Management
