Agenda
Sarbanes-Oxley Act, July 2002
Is SOX Old News?
Significant Sections of SOX
Primary Objective of SOX
Consequences of SOX
Additional Reference Sources
Framework(s) for SOX Compliance
Managing & Tracking the Compliance Process
Findings & Implications
The Future of SOX Act Compliance
Questions and Answers
Page 2
It increases the responsibility of corporate management and the auditors to personally certify the accuracy and effectiveness of financial controls and processes and the corporation's financial results.
Requirement to rotate the lead audit partner and audit review partner every five years. Audit firm partners and staff must work more closely with the client's audit committee to satisfy Sarbanes-Oxley requirements.
Initial Compliance Planning and SOX Management Plan
Initial Internal Audit Review for Compliance
Initial External Audit Review for Compliance
Annual Reviews (Section 404)
Quarterly Reviews (Section 302)
On-going Real-time Reviews
The CEO and CFO of each issuer shall prepare a statement to accompany the audit report to certify the "appropriateness of the financial statements and disclosures contained in the periodic report, and that those financial statements and disclosures fairly present, in all material respects, the operations and financial condition of the issuer." A violation of this section must be knowing and intentional to give rise to liability.
Have disclosed
Requires each annual report of an issuer to contain an "internal control report," which shall:
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
Each issuer's auditor shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this section shall be in accordance with standards for attestation engagements issued or adopted by the Board. An attestation engagement shall not be the subject of a separate engagement.
The language in the report of the Committee which accompanies the bill to explain the legislative intent states, "... the Committee does not intend that the auditor's evaluation be the subject of a separate engagement or the basis for increased charges or fees."
2005 Data Advantage Incorporated and Principle Partners, Inc. Page 8
Sec. 404 (Annual)
Management states responsibility for establishing and maintaining controls
Contains an assessment of the effectiveness
Outside auditor performs attestation of management's assessment
Alternatives:
Accept or ignore risk
Transfer risk (to insurance policies)
Reduce or mitigate risk
Measure and manage
Teach and train
Reduce Risk: take action and safeguard
Consequences of SOX
Sarbanes-Oxley requires auditors to retain for a seven-year period all relevant documents (work-papers, memos, correspondence and records [electronic and / or paper]) that contain conclusions, opinions, analyses or financial data created, sent or received in connection with the audit of a public company.
URL Resources
Summary of SOX Act: http://www.aicpa.org/info/sarbanes_oxley_summary.htm
Full Text of SOX Act is available from
CobiT: A structure of relationships and processes to direct and control the Enterprise in order to achieve the Enterprise's goals by adding value while balancing risk vs. return over IT and its processes.
(IT Governance Institute)
10 Specific Categories *
Payroll and Personnel Expenditures
Revenue
Fixed Assets
Supply Chain Management
Tax
Treasury
Benefits
Financial Close and Reporting
Information Technology, and
Entity Controls
Application Systems Implementation & Maintenance
Database Implementation and Support
Information Security:
Security Policy
System Access Control
Computer & Operations Management
System Development and Maintenance
Physical and Environmental Security
Compliance
Personnel Security
Security Organization
Asset Classification and Control
Business Continuity Management (BCM)
Control Objective Number
Control Activity Number
Control Objective and Control Activity Short Description
Control Objective and Control Activity Test Short Description
Activity Sample Collection Frequency
Activity Testing Frequency
IT Owner Responsibility
IT Competency Center Name
IT Competency Center Responsibility
Related Control Item
Example entry (control IT-AP-01):
Control Objective Number: IT-AP-01 [COBIT: AI2,6] (Objective)
Control Activity Number: AP-01-01 (Process)
Control Objective: New application systems are appropriately implemented and function consistent with management's intentions.
Control Objective Short Description: Implementation and Maintenance of Application Systems
Control Activity Test Short Description: Implementation: 5 samples of implemented projects. Maintenance: from list of SAP Transports, select 10 non-project related.
Control Activity Test Description: Implementation: Five samples of implemented projects from PMO shared drive. Maintenance: Obtain a list of transports from SAP production, select a sample of 10.
Activity Testing Frequency: Semi-Annual
IT Owner Responsibility: Application Name for Technical Responsibility; System Name for Management Responsibility
IT Competency Center Responsibility: Implementation & Maintenance Responsibility
Score Card by Competency Center (DB, NW, OP, SE, SY, VE): per-center counts with status Green; Totals: 174 control tests.
* Note: Several Controls have multiple Competency Center or area responsibilities with test components. Therefore, Control tests are greater than the number of controls.
Score Card by Control Objective Category
Columns: Control Objective Category, # Controls Tested, Tests Passed, Tests Pending, Tests Failed, Tests Not Yet Executed, Score Card Status
Categories: AP-Applic Impl & Maint, DB-Database Support, NW-Network Support, OP-Info Sys Support, SE-Info Security, SY-System Software Support, VE-Relations w/ Vendors
Rows are grouped by Director (Director B, Director C, Director D). Controls Tested per row: 30, 5, 4, 42, 8, 2, 10, 7, 2, 44, 16, 2, and 2 for Director D (OP-Info Sys Support); in every row Tests Passed equals Controls Tested and Score Card Status is Green. The Tests Pending, Tests Failed and Tests Not Yet Executed columns carry no entries.
Totals: 174 controls tested, 174 tests passed, 0 failed.
* Note: Several Controls have multiple Competency Center or area responsibilities with test components. Therefore, Control tests are greater than the number of controls.
Tools (#1 Recommendation)
Many vendors are coming to market with SOX Management and Compliance Tools.
Not a one-time project, but a new way of life for corporate America
Few organizations anticipated the effort or cost
Management wants payback from efforts
Advantages of streamlined processes & controls (align with other compliance requirements)
Reduced investments, because of initial efforts
Business processes are more rigorous and efficient
Risks are reduced
Streamlined and automated controls have been integrated into the Business Processes
SOX IT Considerations
SOX compliance would not be feasible without computerized systems. Financial systems were among the first to be automated. Many financial systems are based on 30-year-old design approaches.
Many business users are unable to distinguish the business from the system that supports it. System requirements (e.g., business rules) may be poorly understood and poorly documented.
Intentional
Fraud
Disgruntled Employees
Hackers
Terrorists
Unintentional
Poorly defined requirements
Poorly documented systems
Chaotic development process
Ineffective Change Management
Back-door access to data
Uncontrolled redundancy
Philosophical Factors: 20 Points
Organizational Factors: 20 Points
Procedural Factors: 20 Points
Conceptual Factors: 10 Points
Logical Factors: 10 Points
Physical Factors: 10 Points
Architectural Factors: 10 Points
100 Points Total
Philosophical Factors
Is Data treated as an Asset or an Expense?
Are there business initiatives to improve Data Quality?
Are there formally defined measures for Data Quality?
Does the CIO regularly report on Data Quality to the Executives?
Are Data Quality metrics included in Management Objectives?
Organizational Factors
Is there an Organization Unit that has the overall responsibility for Data Management?
Does it have a formal Charter?
Does it have an Enterprise-wide perspective?
Is it adequately resourced?
Procedural Factors
Are Logical Data Models included in the formal Systems Development Life Cycle?
Is the Logical Data Model subject to business approval?
Is the Logical Data Model updated when the design changes?
Is the Logical Data Model used to generate database source code?
Is the Logical Data Model used in the development of a test plan?
Conceptual Factors
Is there a formal Information Strategy?
Is there an Enterprise Conceptual Data Model?
Is it used to kick-start development Projects?
Are Project data models used to update the Enterprise model?
Are all Project Managers aware that the Enterprise model exists?
Logical Factors
Are Business Subject Matter Experts involved with Logical Data Models?
Are Logical Data Models used in Business Requirements?
Are Data Modeling tools and techniques standardized?
Are there formal Data Naming Standards?
Are Logical and Physical models separate, but related?
Physical Factors (10 Possible Points; question weights of 2, 4, 1 and 3 Points)
Is there a standardized set of data Domains?
Are Physical Data Models updated when the implementation changes?
Is the database used to enforce integrity?
Is the data accessed using Views?
Architectural Factors (2 Points per question)
Does all Strategic Data have a defined System of Record?
Is there an agreed Architectural Framework?
Is there a shared Metadata Repository?
Is Data Access functionality separate from business logic and presentation?
Does the Architecture cover the entire Systems Development Lifecycle?
Adding it Up
60 Points or Less: A SOX Audit is likely to reveal embarrassing flaws in your financial systems.
70 to 80 Points: Your financial systems are not as healthy as they should be.
80 to 90 Points: You are doing well at managing financial data, but there is room for improvement.
90 to 100 Points: You are likely to have a strategic advantage over your competition.
Interview Senior Management to determine their targets and expectations.
Assess what is actually going on.
Define the Gap.
Develop an Action Plan.
In Summary
SOX Compliance focuses on Roles and Responsibilities, Accountability, and Audits. It is very Process-oriented. Compliance is not cheap. Most companies have SOX Programs under way, some with multiple teams. While the SOX teams and resources are in place, there is an opportunity to review Data Management policies, practices and risks. The benefits of a small additional cost go beyond just enabling SOX Compliance.