
Sarbanes-Oxley Act Compliance

The New Data Management Challenge


Walter Moeller - 650-631-0600 WMoeller@PrinciplePartners.Com Frank Toms - 510-417-5454 FToms2@Comcast.net
2005 Data Advantage Incorporated and Principle Partners, Inc. Page 1

Agenda

Sarbanes-Oxley Act, July 2002
Is SOX Old News?
Significant Sections of SOX
Primary Objective of SOX
Consequences of SOX
Additional Reference Sources
Framework(s) for SOX Compliance
Managing & Tracking the Compliance Process
Findings & Implications
The Future of SOX Act Compliance
Questions and Answers

Sarbanes-Oxley Act, July 2002

Directed at over 8,000 publicly traded companies and their auditors.

It increases the responsibility of corporate management and the auditors to personally certify the accuracy and effectiveness of financial controls and processes and the corporation's financial results.
Requirement to rotate the lead audit partner and audit review partner every five years. Audit firm partners and staff must work more closely with the client's audit committee to satisfy Sarbanes-Oxley requirements.

Is SOX Old News?

Not an event, but a new way of life for Corporate America!

SOX Compliance Review Processes

Initial Compliance Planning and SOX Management Plan
Initial Internal Audit Review for Compliance
Initial External Audit Review for Compliance
Annual Reviews (Section 404)
Quarterly Reviews (Section 302)
On-going Real-time Reviews

Significant Sections of SOX


Section 302: Corporate Responsibility for Financial Reports

The CEO and CFO of each issuer shall prepare a statement to accompany the audit report to certify the "appropriateness of the financial statements and disclosures contained in the periodic report, and that those financial statements and disclosures fairly present, in all material respects, the operations and financial condition of the issuer." A violation of this section must be knowing and intentional to give rise to liability.

Section 302: Corporate Responsibility for Financial Reports

Sec. 302 (Quarterly)

Signing officers are responsible for:
Designing
Establishing and maintaining
Evaluating the effectiveness
Presenting conclusions

Signing officers have disclosed:
Significant deficiencies
Fraud
Significant changes



Section 404: Management Assessment of Internal Controls

Requires each annual report of an issuer to contain an "internal control report," which shall:

(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

Each issuer's auditor shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this section shall be in accordance with standards for attestation engagements issued or adopted by the Board. An attestation engagement shall not be the subject of a separate engagement.

The language in the report of the Committee which accompanies the bill to explain the legislative intent states, "... the Committee does not intend that the auditor's evaluation be the subject of a separate engagement or the basis for increased charges or fees."

Section 404: Management Assessment of Internal Controls

Sec. 404 (Annual)
Management states its responsibility for establishing and maintaining controls
Contains an assessment of the effectiveness
Outside auditor performs attestation of management's assessment

Primary Objective is to Manage Risk

Alternatives:
Accept or ignore risk
Transfer risk (to insurance policies)
Reduce or mitigate risk:
  Measure and manage
  Teach and train
  Reduce risk: take action and safeguard


Consequences of SOX

IT IS ABOUT THE DATA!

Sarbanes-Oxley requires more data management than ever before.

RECORD RETENTION IS MORE STRINGENT

Sarbanes-Oxley requires auditors to retain for a seven-year period all relevant documents (work-papers, memos, correspondence and records [electronic and / or paper]) that contain conclusions, opinions, analyses or financial data created, sent or received in connection with the audit of a public company.

ENSURE TRANSPARENCY & RELIABLE PROCESS

Aimed at improving trust and investor confidence


It Will Cost Clients More

The 321 U.S. public companies responding to a Financial Executives International survey on the costs of implementing Sarbanes-Oxley said they expected to incur an increase of 38% over current audit fees.
Source: Business Performance Management Forum, www.bpmforum.org, 2003.


Additional Reference Sources

URL Resources

Summary of SOX Act: http://www.aicpa.org/info/sarbanes_oxley_summary.htm
Full Text of SOX Act is available from The American Institute of Certified Public Accountants (AICPA): http://www.aicpa.org/sarbanes/index.asp

Examples of Approved SOX Frameworks

CobiT Framework, IT Governance Institute (Control Objectives for Information and related Technology): http://it.safemode.org/index.php?page=IT_Governance_Institute
ISO 17799, International Standards Organization 17799 security standard for IT: http://www.iso17799software.com/presentation/ and http://iso-17799.com/


Framework for SOX Compliance

CobiT: "A structure of relationships and processes to direct and control the Enterprise in order to achieve the Enterprise's goals by adding value while balancing risk vs. return over IT and its processes."
IT Governance Institute


Examples of CobiT Compliance Categories

10 Specific Categories *

Payroll and Personnel
Expenditures
Revenue
Fixed Assets
Supply Chain
Manage Tax
Treasury
Benefits
Financial Close and Reporting
Information Technology, and
Entity Controls: controls to ensure compliance of each of the categories as a Business Entity.


* CobiT Framework, IT Governance Institute.


Examples of CobiT IT Control Areas*


Application Systems Implementation & Maintenance
Database Implementation and Support
Information Security
Information Systems Operations
Network Support
Relationship with Outsourced Vendors
System Software Support
* CobiT Framework, IT Governance Institute.

ISO 17799-Security Standard for IT


ISO 17799 is "a comprehensive set of controls comprising best practices in information security".

The Contents of the Standard

The ISO 17799 standard comprises ten prime sections:

Security Policy
System Access Control
Computer & Operations Management
System Development and Maintenance
Physical and Environmental Security
Compliance
Personnel Security
Security Organization
Asset Classification and Control
Business Continuity Management (BCM)

Managing the Testing for Compliance


1. Define the Control
2. Define the Test
3. Test the Control
4. Audit the Test Results (now do 3 & 4 again!)


Data for Tracking the Audit for Compliance


Control Objective Number
Control Activity Number
Control Objective and Control Activity Short Description
Control Objective and Control Activity Test Short Description
Activity Sample Collection Frequency
Activity Testing Frequency
IT Owner Responsibility
IT Competency Center Name
IT Competency Center Responsibility
Related Control Item

Managing the Audit for Compliance

Example rows from the audit tracking sheet. Columns: Line Item #, Control Objective Number, Control Activity Number, Control Objective and Control Activity Short Description, Control Objective & Control Activity Test Short Description, Activity Sample Collection Frequency, Activity Testing Frequency, IT Owner Responsibility, IT Competency Center Name, IT Competency Center Responsibility, Related Control Item.

Line 1
  Control Objective Number: IT-AP-01
  Short Description: Objective [COBIT: AI2,6] Implementation and Maintenance of Application Systems. New application systems are appropriately implemented and function consistent with management's intentions.

Line 2
  Control Objective Number: IT-AP-01
  Control Activity Number: AP-01-01
  Short Description: Process. Implementation: 5 samples of implemented projects. Maintenance: from list of SAP Transports, select 10 non-project related.
  Test Short Description: Implementation: Five samples of implemented projects from PMO shared drive. Maintenance: Obtain a list of transports from SAP production, select a sample of 10.
  Activity Sample Collection Frequency: Weekly (Implementation), Daily (Maintenance)
  Activity Testing Frequency: Semi-Annual
  IT Owner Responsibility: Name for Technical Responsibility
  IT Competency Center Name: Application System Implementation & Maintenance
  IT Competency Center Responsibility: Name for Management Responsibility

Line 3
  Control Objective Number: IT-AP-01
  Control Activity Number: AP-01-02
  Short Description: Testing for Application Systems Implementation
  Activity Sample Collection Frequency: Weekly (Implementation), Daily (Maintenance)
  Activity Testing Frequency: Semi-Annual
  IT Owner Responsibility: Name for Technical Responsibility
  IT Competency Center Name: Application System Implementation & Maintenance
  IT Competency Center Responsibility: Name for Management Responsibility


Tracking Compliance-By Control Objective


Columns: Control Objective Category, Compliance IT Area Name, Responsibility, Number of Controls, # of Control Tests *, # Controls Tested, # Tests Passed, # of Tests Pending, # Tests Failed, Score Card Status.

Cat  Compliance IT Area Name                          Responsibility  Controls  Tests*  Tested  Passed  Pending  Failed  Status
AP   Application System Implementation & Maintenance  Director A            21      30      30      30        0       0  Green
                                                      Director C                     2       2       2        0       0  Green
DB   Database Implementation and Support              Director C            14      10      10      10        0       0  Green
                                                      Director A                     5       5       5        0       0  Green
NW   Network Support                                  Director C             7       7       7       7        0       0  Green
OP   Information Systems Operations                   Director D             7       2       2       2        0       0  Green
                                                      Director A                     4       4       4        0       0  Green
                                                      Director C                     2       2       2        0       0  Green
SE   Information Security                             Director A            43      42      42      42        0       0  Green
                                                      Director C                    44      44      44        0       0  Green
                                                      Director B                     8       8       8        0       0  Green
SY   System Software Support                          Director C            16      16      16      16        0       0  Green
VE   Relationship with Outside Vendors                Director C             2       2       2       2        0       0  Green
Totals                                                                     110     174     174     174        0       0

* Note: Several Controls have multiple Competency Center or area responsibilities with test components. Therefore, Control tests are greater than the number of controls.


Tracking Compliance By Person

Columns: IT Organizational Responsibility (Total Number of Your Control Tests), Control Objective Category, Total Tests within Your Area, # Controls Tested, Tests Passed, Tests Pending, Tests Failed, Tests Not Yet Executed, Score Card Status.

Director (total tests)  Control Objective Category   Tests  Tested  Passed  Pending  Failed  Not Yet Executed  Status
Director A (81)         AP-Applic Impl & Maint          30      30      30        0       0                 0  Green
                        DB-Database Support              5       5       5        0       0                 0  Green
                        OP-Info Sys Support              4       4       4        0       0                 0  Green
                        SE-Info Security                42      42      42        0       0                 0  Green
Director B (8)          SE-Info Security                 8       8       8        0       0                 0  Green
Director C (83)         AP-Applic Impl & Maint           2       2       2        0       0                 0  Green
                        DB-Database Support             10      10      10        0       0                 0  Green
                        NW-Network Support               7       7       7        0       0                 0  Green
                        OP-Info Sys Support              2       2       2        0       0                 0  Green
                        SE-Info Security                44      44      44        0       0                 0  Green
                        SY-System Software Support      16      16      16        0       0                 0  Green
                        VE-Relations w/ Vendors          2       2       2        0       0                 0  Green
Director D (2)          OP-Info Sys Support              2       2       2        0       0                 0  Green
Totals (174)                                           174     174     174        0       0                 0  Green

* Note: Several Controls have multiple Competency Center or area responsibilities with test components. Therefore, Control tests are greater than the number of controls.
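The tracking fields ("Data for Tracking the Audit for Compliance"), the four-step test cycle and the two scorecards ("Tracking Compliance by Control Objective" and "by Person") describe one small data model plus a rollup: a row per test component, grouped by competency-center category and by responsible director. The following Python is an added example, not a tool from the deck or its authors. It models that sheet and computes the same columns; the sample rows, the ids, the director names and the Yellow/Red scorecard rule are constructed assumptions (the slides only ever show Green), and it deliberately gives one control test components under two owners to show why control tests outnumber controls.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlTest:
    """One row of the tracking sheet: a test component of a control activity."""
    control_id: str   # Control Objective Number, e.g. IT-AP-01
    activity_id: str  # Control Activity Number, e.g. AP-01-01
    category: str     # competency-center code: AP, DB, NW, OP, SE, SY, VE
    owner: str        # IT owner responsible for executing this test
    result: str       # "passed", "failed", or "pending" (not yet executed)


# Constructed sample records (illustrative ids and owners, not the deck's data).
# IT-AP-01 has test components owned by two directors, so tests > controls.
SAMPLE_TESTS = [
    ControlTest("IT-AP-01", "AP-01-01", "AP", "Director A", "passed"),
    ControlTest("IT-AP-01", "AP-01-02", "AP", "Director A", "passed"),
    ControlTest("IT-AP-01", "AP-01-03", "AP", "Director C", "pending"),
    ControlTest("IT-AP-02", "AP-02-01", "AP", "Director A", "passed"),
    ControlTest("IT-DB-01", "DB-01-01", "DB", "Director C", "failed"),
    ControlTest("IT-DB-01", "DB-01-02", "DB", "Director C", "passed"),
    ControlTest("IT-SE-01", "SE-01-01", "SE", "Director B", "passed"),
]


def scorecard_status(tests):
    """Assumed traffic-light rule; the slides show only Green.
    Red if any test failed, Yellow if any test is still pending, else Green."""
    results = {t.result for t in tests}
    if "failed" in results:
        return "Red"
    if "pending" in results:
        return "Yellow"
    return "Green"


def rollup(tests):
    """The scorecard columns for one group of test rows."""
    passed = sum(t.result == "passed" for t in tests)
    failed = sum(t.result == "failed" for t in tests)
    pending = sum(t.result == "pending" for t in tests)
    return {
        "controls": len({t.control_id for t in tests}),  # distinct controls
        "tests": len(tests),
        "tested": passed + failed,  # executed, whatever the outcome
        "passed": passed,
        "pending": pending,
        "failed": failed,
        "status": scorecard_status(tests),
    }


def by_key(tests, key):
    groups = defaultdict(list)
    for t in tests:
        groups[key(t)].append(t)
    return {k: rollup(v) for k, v in sorted(groups.items())}


def by_category(tests):
    """Tracking Compliance by Control Objective."""
    return by_key(tests, lambda t: t.category)


def by_owner(tests):
    """Tracking Compliance by Person."""
    return by_key(tests, lambda t: t.owner)


if __name__ == "__main__":
    for title, table in (("Control Objective", by_category(SAMPLE_TESTS)),
                         ("Person", by_owner(SAMPLE_TESTS))):
        print(f"Tracking Compliance by {title}")
        for group, row in table.items():
            print(f"  {group:12}", " ".join(f"{k}={v}" for k, v in row.items()))
    print("Totals", rollup(SAMPLE_TESTS))
```

Because a control can carry several test components under different owners, "controls" is counted as distinct Control Objective Numbers within each group while "tests" counts rows, which is exactly why the deck's totals show 110 controls against 174 control tests. Re-running the rollup after each step 3/4 iteration of the test cycle is how the Pending column drains to zero.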


Tools

# 1 Recommendation

Database to manage data during the process

Many vendors coming to market with SOX Management and Compliance Tools


Findings & Implications

Not a one-time project, but a new way of life for corporate America
Few organizations anticipated the effort or cost
Management wants payback from efforts
Advantages of stream-lined processes & controls (align with other compliance requirements)

Future for SOX Activities

Reduced investments, because of initial efforts
Business processes are more rigorous and efficient
Risks are reduced
Stream-lined and automated controls have been integrated into the Business Processes

Questions & Answers?

Thanks for Attending, now here's Frank!



SOX IT Considerations

SOX compliance would not be feasible without computerized systems.
Financial systems were among the first to be automated.
Many financial systems are based on 30-year-old design approaches:
  Batch oriented
  Sequential processing
  Redundant data storage
Many business users are unable to distinguish the business from the system that supports it.
System requirements (e.g., business rules) may be poorly understood and poorly documented.

Compliance Levels of Effort


1) Do the minimum required.
2) Make a reasonable effort.
3) Embrace the opportunity. Use it to make a thorough review of policies and practices. Tighten controls and procedures. Recognize the importance of proactive Data Management. Make it part of the company's DNA.

Threats to Data Quality

Intentional
Fraud
Disgruntled Employees
Hackers
Terrorists

Unintentional
Poorly defined requirements
Poorly documented systems
Chaotic development process
Ineffective Change Management
Back-door access to data
Uncontrolled redundancy

The Data Management Audit


Philosophical Factors    20 Points
Organizational Factors   20 Points
Procedural Factors       20 Points
Conceptual Factors       10 Points
Logical Factors          10 Points
Physical Factors         10 Points
Architectural Factors    10 Points
Total                   100 Points

Philosophical Factors

20 Possible Points

Is Data treated as an Asset or an Expense? (2 points)
Are there business initiatives to improve Data Quality? (2 points)
Are there formally defined measures for Data Quality? (2 points)
Does the CIO regularly report on Data Quality to the Executives? (2 points)
Are Data Quality metrics included in Management Objectives? (2 points)

If the total is more than 8 points, double the total.

Organizational Factors

20 Possible Points

Is there an Organization Unit that has the overall responsibility for Data Management? (2 points)
Does it have a formal Charter? (1 point)
Does it have an Enterprise-wide perspective? (2 points)
Is it adequately resourced? (5 points: 3 of 5 for Skilled Personnel, 2 of 5 for Software Tools)

If the total is more than 8 points, double the total.

Procedural Factors

20 Possible Points

Are Logical Data Models included in the formal Systems Development Life Cycle? (2 points)
Is the Logical Data Model subject to business approval? (2 points)
Is the Logical Data Model updated when the design changes? (2 points)
Is the Logical Data Model used to generate database source code? (2 points)
Is the Logical Data Model used in the development of a test plan? (2 points)

If the total is more than 8 points, double the total.

Conceptual Factors

10 Possible Points

Is there a formal Information Strategy? (2 points)
Is there an Enterprise Conceptual Data Model? (2 points)
Is it used to kick-start development Projects? (2 points)
Are Project data models used to update the Enterprise model? (2 points)
Are all Project Managers aware that the Enterprise model exists? (2 points)

If the total is less than 8 points, subtract 4 from the total.

Logical Factors

10 Possible Points

Are Business Subject Matter Experts involved with Logical Data Models? (2 points)
Are Logical Data Models used in Business Requirements? (2 points)
Are Data Modeling tools and techniques standardized? (2 points)
Are there formal Data Naming Standards? (2 points)
Are Logical and Physical models separate, but related? (2 points)

If the total is less than 8 points, subtract 4 from the total.

Physical Factors

10 Possible Points

Is there a standardized set of data Domains? (2 points)
Are Physical Data Models updated when the implementation changes? (4 points)
Is the database used to enforce integrity? (1 point)
Is the data accessed using Views? (3 points)

If the total is less than 8 points, subtract 4 from the total.

Architectural Factors

10 Possible Points

Does all Strategic Data have a defined System of Record? (2 points)
Is there an agreed Architectural Framework? (2 points)
Is there a shared Metadata Repository? (2 points)
Is Data Access functionality separate from business logic and presentation? (2 points)
Does the Architecture cover the entire Systems Development Lifecycle? (2 points)

Adding it Up

60 Points or Less: A SOX Audit is likely to reveal embarrassing flaws in your financial systems.
70-80 Points: Your financial systems are not as healthy as they should be.
80-90 Points: You are doing well at managing financial data, but there is room for improvement.
90-100 Points: You are likely to have a strategic advantage over your competition.
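The seven factor slides and "Adding it Up" together define a scoring rubric: per-question points, a per-factor adjustment (double if over 8, or subtract 4 if under 8), and a rating band on the 100-point total. The following Python is an added worked example, not a tool from the deck or its authors. It encodes the questions, point values and adjustment rules as they appear on the slides and scores a constructed set of yes/no answers; three things the slides leave open are handled as labelled assumptions: a factor total that would go negative is clamped at zero, band boundaries are treated as inclusive at the lower end (80 falls in 80-90), and a total of 61-69 is reported as not rated.

```python
"""Data Management Audit scorecard (added example; questions and points follow
the slides, the answers below are constructed sample input)."""

# (factor, [(question, points), ...], adjustment rule stated on the slide)
FACTORS = [
    ("Philosophical", [
        ("Data treated as an Asset rather than an Expense", 2),
        ("Business initiatives to improve Data Quality", 2),
        ("Formally defined measures for Data Quality", 2),
        ("CIO regularly reports on Data Quality to the Executives", 2),
        ("Data Quality metrics included in Management Objectives", 2),
    ], "double_if_over_8"),
    ("Organizational", [
        ("Organization Unit with overall Data Management responsibility", 2),
        ("Formal Charter", 1),
        ("Enterprise-wide perspective", 2),
        ("Adequately resourced: Skilled Personnel", 3),
        ("Adequately resourced: Software Tools", 2),
    ], "double_if_over_8"),
    ("Procedural", [
        ("Logical Data Models included in the formal SDLC", 2),
        ("Logical Data Model subject to business approval", 2),
        ("Logical Data Model updated when the design changes", 2),
        ("Logical Data Model used to generate database source code", 2),
        ("Logical Data Model used in the development of a test plan", 2),
    ], "double_if_over_8"),
    ("Conceptual", [
        ("Formal Information Strategy", 2),
        ("Enterprise Conceptual Data Model", 2),
        ("Used to kick-start development Projects", 2),
        ("Project data models used to update the Enterprise model", 2),
        ("All Project Managers aware the Enterprise model exists", 2),
    ], "minus_4_if_under_8"),
    ("Logical", [
        ("Business Subject Matter Experts involved with Logical Data Models", 2),
        ("Logical Data Models used in Business Requirements", 2),
        ("Data Modeling tools and techniques standardized", 2),
        ("Formal Data Naming Standards", 2),
        ("Logical and Physical models separate, but related", 2),
    ], "minus_4_if_under_8"),
    ("Physical", [  # point values paired with questions in the slide's order
        ("Standardized set of data Domains", 2),
        ("Physical Data Models updated when the implementation changes", 4),
        ("Database used to enforce integrity", 1),
        ("Data accessed using Views", 3),
    ], "minus_4_if_under_8"),
    ("Architectural", [
        ("All Strategic Data has a defined System of Record", 2),
        ("Agreed Architectural Framework", 2),
        ("Shared Metadata Repository", 2),
        ("Data Access separate from business logic and presentation", 2),
        ("Architecture covers the entire Systems Development Lifecycle", 2),
    ], None),
]


def adjust(raw, rule):
    """Apply the slide's adjustment rule to a factor's raw points."""
    if rule == "double_if_over_8" and raw > 8:
        return raw * 2
    if rule == "minus_4_if_under_8" and raw < 8:
        # Clamping at 0 is an assumption; the slides do not define a negative total.
        return max(0, raw - 4)
    return raw


def score_factor(factor, answers):
    """answers: booleans in the slide's question order (True = yes)."""
    name, questions, rule = next(f for f in FACTORS if f[0] == factor)
    if len(answers) != len(questions):
        raise ValueError(f"{name}: expected {len(questions)} answers, got {len(answers)}")
    raw = sum(pts for (_, pts), yes in zip(questions, answers) if yes)
    return adjust(raw, rule)


def score_audit(answers_by_factor):
    """Adjusted score per factor plus the 100-point total."""
    scores = {name: score_factor(name, answers_by_factor[name]) for name, _, _ in FACTORS}
    scores["Total"] = sum(scores.values())
    return scores


def rating(total):
    """'Adding it Up' band; 61-69 and the shared boundaries are assumptions."""
    if total <= 60:
        return "60 or less"
    if total < 70:
        return "61-69 (not rated on the slides)"
    if total < 80:
        return "70-80"
    if total < 90:
        return "80-90"
    return "90-100"


def perfect_answers():
    """All questions answered yes: every factor at its possible maximum."""
    return {name: [True] * len(qs) for name, qs, _ in FACTORS}


if __name__ == "__main__":
    # Constructed sample: strong on the first three factors, weaker on two others.
    sample = perfect_answers()
    sample["Conceptual"] = [True, True, True, False, False]  # 6 raw -> 2 adjusted
    sample["Physical"] = [True, False, True, True]           # 6 raw -> 2 adjusted
    result = score_audit(sample)
    for name, pts in result.items():
        print(f"{name:14} {pts:3}")
    print("Rating:", rating(result["Total"]))
```

The doubling rule makes the first three factors worth 20 rather than 10 only when at least five of the ten raw points are earned, and the subtract-4 rule on the next three punishes a weak factor twice; the sample answer set scores 84 and lands in the 80-90 band for exactly that reason.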

The Data Management Audit Process

Interview Senior Management to determine their targets and expectations.
Assess what is actually going on.
Define the Gap.
Develop an Action Plan.


In Summary

SOX Compliance focuses on Roles and Responsibilities, Accountability, and Audits. It is very Process-oriented. Compliance is not cheap. Most companies have SOX Programs under way, some with multiple teams. While the SOX teams and resources are in place, there is an opportunity to review Data Management policies, practices and risks. The benefits of a small additional cost go beyond just enabling SOX Compliance.

Questions & Answers?

Good Luck with your SOX Compliance!


