Pres Schmidt (document sample shared by liwenting on docstoc, posted 1/4/2012, 31 pages)
A Sarbanes-Oxley Roadmap to Business Continuity

NEDRIX Conference
June 23, 2004

Dr. Eric Schmidt
eschmidt@controlsolutions.com

Control Solutions International
TECHNOLOGY ADVISORY, ASSURANCE & RISK MANAGEMENT GROUP

Background

• In July of 2002, U.S. Congress passed the Sarbanes-Oxley Act (SOX) mandating that all public companies (SEC registrants) make changes to the way their financial results are reported.

• Legislation was a response to the high profile failures experienced in the United States during 2001-02 and intended to be “a massive restructuring to the regulatory system governing US capital markets” that would improve the quality of financial reporting and disclosures.

• Public Company Accounting Oversight Board (PCAOB) was created to oversee the activities of the auditing profession.

The Sarbanes-Oxley Act contains two Sections (302, 404) dealing with management responsibility for controls and one Section (409) on real-time reporting.

[Diagram: Section 404 covers Internal Controls and Procedures for Financial Reporting (Financial Statements, Notes, Cash Flow, Income Statement, Balance Sheet). Section 302 covers Disclosure Controls and Procedures (Financial Statements, Business Properties, Legal Proceedings).]

Three Sources of SOX Guidelines

• Frameworks: CobiT, COSO
• Best Practices
• Future Standards

Departments Impacted by SOX

Finance           100%
IT                95.7%
Sales             43.5%
Human Resources   39.1%
Customer Service  30.4%
Marketing         17.4%
Other             8.7%

Source: The Robert Francis Group

SOX-Driven Changes

Which of the following is the company changing to address SOX?

Audit Procedures          78.3%
Reporting Procedures      52.2%
Financial Systems         43.5%
Re-training of Personnel  26.1%
Organizational Structure  21.7%
Reporting Frequency       21.7%
Reporting Technologies    17.4%

Source: Robert Francis Group

Complexity of SOX for IT

How does SOX compare with other compliance or regulatory projects in IT in terms of complexity and impact of resources and expense?

Higher                  30.4%
Not sure/Do Not Know    26.1%
Same                    17.4%
Much Higher             17.4%
Lower                   4.3%
Slightly Higher         4.3%

48+% rated SOX impact as higher

Source: Robert Francis Group

Does SOX Mandate an Enterprise-wide Business Continuity Process?

• “NO”
• A BCP is not required by PCAOB (March 2004)

• SAS70 (type 2)
  • 3rd party service providers
  • AICPA “suspended” BCP requirement during SOX

• Growing number of executives influenced by external auditors with knowledge of business continuity and potential risks
  • Conclude they must have business continuity processes or show why they do not

Defining Internal Control (IC)

• Section 404 attestation is based on two assessments
  • Adequate documentation of ICs
  • Sufficient evidence (testing)

• A company must have a framework against which management can make assertions
  • Completeness
  • Accuracy
  • Validation (authorization)
  • Restriction

What’s Required for Key Controls

Five W’s

• WHO performs the control?
• WHAT is being done and WHAT could go wrong?
• WHEN and WHERE is control being performed or occurring?
• WHY is control activity performed – to prevent or detect what?

What evidence is there?

Why are General Controls Important?

[Diagram: Weak General Computer Controls contrasted with Strong General Computer Controls.]

Automated control procedures, and manual control procedures that use computer-generated information, are dependent on effectiveness of general computer controls.

COSO Framework

Five Components

[Diagram: the five COSO components, each described on the slide as follows.]

• Control Environment: The control conscience of an organization. The “tone at the top”
• Risk Assessment: The evaluation of internal and external factors that impact an organization’s performance
• Control Activities: The policies and procedures that help ensure that actions identified to manage risk are executed and timely
• Information and Communication: The process which ensures that relevant information is identified and communicated in a timely manner
• Monitoring: The process to determine whether internal control is adequately designed, executed, effective and adaptive

All five components must be in place for a control to be effective.

Tying It All Together

[Diagram: Control Environment set by Executive Management at the top; Application Controls over the Business Processes (Manufacturing, Logistics, Finance, Etc.); IT Services (OS/Data/Telecom/Continuity/Networks) underneath, governed by IT General Controls.]

Source: IT Governance Institute

IT Control Components

Control Environment:
• Systems planning
• IT Considerations in Governance
• Enterprise policies
• Operating style
• Collaboration
• Information Sharing
• Code of Conduct
• Fraud Prevention

IT General Controls:
• Systems Security / Access
• Change Management
• System Development
• Computer Operations

Application Controls:
• Authorization
• Configuration / account mapping
• Exception / edit reports
• Interface / conversion
• System access

Roadmap to Compliance

Engagement Walk-Thru

• Tone at the Top
• Assertions (C, A, V, R)
• Definition of Materiality/Significance
• Significant Accounts and Processes
• Scope – locations, cycles
• Control framework
• Remediation
• Testing
• Management certification

Roadmap to Compliance

Phase I – Tone at the Top

• Identify all relevant documents, policies, procedures and communications
  • Audit Committee Charter
  • Standards of Conduct
  • Officer Code of Ethics
  • Complaint Reporting Mechanisms
  • Whistleblower Policies

• Assess adequacy of documentation and tone
• Internal audit monitoring and risk assessment

Roadmap to Compliance

Phase II – Entity Level Assessment

[Org chart: Corporate, split into Americas Region, Europe Region and Rest of World. Manufacturing: South Carolina, Mexico / Milan, Erfurt, Budapest / China, India, Thailand. Distribution: South Carolina, Mexico, Sao Paolo, San Diego, Chicago / Milan, Marseilles, Copenhagen, Erfurt, Prague / China, India, Thailand, Australia, Japan.]

• ID material reporting organizations
• ID material units within each organization
• Materiality based on:
  • Revenue / Assets
  • Subjectivity of entries / reporting
  • Extraordinary / one-time charges
  • History of issues

Roadmap to Compliance

Phase III – Process Mapping

[Flow chart: sample HR / payroll process map with swimlanes for Department, Human Resources, Candidate and PR/PRO. Triggers: Open Position, Personnel Termination, Annual Increases, Other P/R changes. Steps and decisions shown: Requisition Form; Department Approval; Candidate interviewed; Prepare Offer Letter; Director of HR Approve; Accept Offer; Create Employee Action Form (EAF); Input in ADP PR System; Provide Benefits summary to employee; Voluntary? (Yes/No); Proper notice given? (Yes/No); Accrued Benefits paid / not paid; Department Annual Review and Approval; Verify Increases within $ pool, properly authorized; Review by HR. Key controls are numbered 02 to 05.]

• Cycle reviews begin with the cycles selected being based on the legal entity assessment in Phase II.

• Documentation of each cycle:
  • Narrative of key controls
  • Process Map (Flow chart)
  • Control Matrix including all control objectives (Excel or software tool)

• Documents aim to provide external audit firms with a complete understanding of the flow of transactions and controls in place.

Roadmap to Compliance

Phase IV – Overall Internal Control Effectiveness

• Evaluation of the overall effectiveness of internal controls, identification of matters for improvement and the establishment of monitoring systems.

• Management assessment of effectiveness of controls.

• Internal Audit provides a report detailing areas for improvement and recommendations for ensuring an environment of continuous monitoring to maintain the system of internal control and take corrective action in a timely manner when necessary.

• External Audit Firm will commence its Attestation “Dry Run”

SOX Compliance Roadmap

[Figure not reproduced in text.]

Source: www.erm.coso.org

Alignment with Business Continuity

• Management involvement
• Risk Management
• Process and Change Management
• IT role

Key Aspects of SOX Audit

• Segregation of Duties is Key
  • IT roles separate from process owners, specifically those in Finance
  • Hand off from process owners requires control duality
    • Program & Application specific
    • IT & Process owner
    • Manual & Automated
    • Preventative & Detective

• Change Management is Critical
  • Records and document management
  • Configuration management
  • Business process and controls changes

• Access Restriction (Security) is Mandated

Program Development

Project management standards are defined and used for all aspects of system development life cycle (SDLC)

• Project initiation
• Analysis and design
• Construction or package selection
• Testing and quality assurance
• Data conversion
• Go-live
• Documentation and training

Program Changes

Project management standards are defined and used for all aspects of the program change cycle

• Specification, approval and tracking of change requests
• Construction
• Testing and quality assurance
• Authorization of transfers to live environment
  • Including emergency fixes and access to live environment
• Documentation and training
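Two of the deck's points can be checked mechanically rather than only by interview: IT roles kept separate from finance process owners (Key Aspects of SOX Audit, segregation of duties) and authorization of transfers to the live environment, emergency fixes included, kept separate from construction (Program Changes). The Python below is an added example and is not code from the presentation or from Control Solutions International; the role labels, the conflict rules, and the sample role assignments and change records are all constructed assumptions for illustration.

```python
"""Segregation-of-duties and change-approval checks (added example).

Assumed data model (not from the deck): each user holds a set of role
labels; a rule names two roles the same person must not hold; a change
record names who implemented it and who approved it.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class SodRule:
    """Two roles that the same person must not hold, and why."""
    role_a: str
    role_b: str
    rationale: str


@dataclass(frozen=True)
class SodViolation:
    user: str
    roles: FrozenSet[str]
    rationale: str


# Constructed rule set; the role labels are this example's own assumption.
SOD_RULES: List[SodRule] = [
    SodRule("developer", "prod_deploy",
            "construction is separate from authorizing the transfer to the live environment"),
    SodRule("developer", "prod_emergency_access",
            "an emergency fix still needs a second person to approve the live change"),
    SodRule("finance_process_owner", "app_admin",
            "IT administration is separate from the finance process owner"),
    SodRule("finance_process_owner", "prod_deploy",
            "finance process owners do not move code into production"),
    SodRule("vendor_master_maintain", "ap_payment_approve",
            "creating payees and approving payments are split"),
]


def find_sod_violations(assignments: Dict[str, Set[str]],
                        rules: Iterable[SodRule] = SOD_RULES) -> List[SodViolation]:
    """Return one violation per (user, rule) where the user holds both roles.

    Users are visited in sorted order so the report is deterministic.
    """
    found: List[SodViolation] = []
    for user in sorted(assignments):
        roles = assignments[user]
        for rule in rules:
            if rule.role_a in roles and rule.role_b in roles:
                found.append(SodViolation(user, frozenset({rule.role_a, rule.role_b}),
                                          rule.rationale))
    return found


def check_change_approvals(changes: Iterable[dict]) -> List[dict]:
    """Flag change records whose approver is missing or is the implementer.

    Emergency changes get no exemption: the deck lists emergency fixes and
    access to the live environment under authorization of transfers.
    """
    flagged: List[dict] = []
    for change in changes:
        approver: Optional[str] = change.get("approved_by")
        if approver is None or approver == change["implemented_by"]:
            flagged.append(change)
    return flagged


# Constructed sample input.
SAMPLE_ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"developer", "prod_deploy"},            # builds and ships her own code
    "bob": {"developer"},
    "carol": {"finance_process_owner", "app_admin"},  # owns the process and administers the app
    "dave": {"prod_deploy"},
    "erin": {"vendor_master_maintain", "ap_payment_approve"},
}

SAMPLE_CHANGES: List[dict] = [
    {"id": "CHG-1", "implemented_by": "bob", "approved_by": "dave", "emergency": False},
    {"id": "CHG-2", "implemented_by": "alice", "approved_by": "alice", "emergency": True},
    {"id": "CHG-3", "implemented_by": "bob", "approved_by": None, "emergency": True},
]

if __name__ == "__main__":
    for v in find_sod_violations(SAMPLE_ASSIGNMENTS):
        print(f"SoD violation: {v.user} holds {sorted(v.roles)} ({v.rationale})")
    for c in check_change_approvals(SAMPLE_CHANGES):
        print(f"Change {c['id']}: no independent approver (emergency={c['emergency']})")
```

On the constructed input, the role check reports alice, carol and erin, and the change check reports CHG-2 (self-approved) and CHG-3 (never approved). In practice the assignments would be exported from the directory or application role tables and the change records from the ticketing system, and the rule set would be reviewed with the process owners, since a rule that is too broad produces findings nobody acts on while one that is too narrow misses the conflicts the auditor will look for.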

Situational Assessment

A recent Deloitte survey of Fortune 500 companies indicates that a significant amount of work remains*

Activity                            Percentage Complete
Documentation                       75%
Evaluation of design effectiveness  47%
Testing of operating effectiveness  21%
Remediation                         21%

*Source: Does Your SOX 404 Work Measure Up?, IIA webcast May 25, 2004

What Constitutes a Gap?

Type                    Likelihood               Magnitude
Deficiency              Remote          and/or   Inconsequential
Significant Deficiency  More than remote  and    More than inconsequential, or quantitatively significant
Material Weakness       More than remote  and    Material to financial statements

*Source: Does Your SOX 404 Work Measure Up?, IIA webcast May 25, 2004

A Word on Testing

Plan carefully to avoid mixed results because tests are not well designed.

[Diagram: four tiers of testing.]
• Program Testing: IT management and interaction with process owners and stakeholders
• Application Testing: functional and transaction based, for systems key to financial statements and reporting, plus critical systems
• Infrastructure Testing: shared services and support systems; OS, networks, backup, etc.
• Benchmark Testing: slowly changing systems, COTS

Remediation Challenges

• Effective Decision & Governance Process
• Complex Program Management Initiatives
• Significant IT Environment Changes

• Impact on Human Resources

• Complex Re-testing, Roll-Forward Testing Activities
• Overall Need for Best Practices

Span of Enterprise Risk Management

[Diagram: Credit Risk, Operational Risk and Market Risk under Operational Risk Management (ERM); overall compliance delivered through integrated compliance solutions.]

Sarbanes-Oxley (SOX compliance requirements):
• 302 – Quarterly Certification by C-Level Management
• 404 – Control Documentation and Testing
• 409 – Real-time Reporting
• Control Assurance

Government Regulations: HIPAA, Patriot, Basel II, GLBA, FFIEC, NRC

Risk Management & Business Continuity

• Disciplines of business continuity and risk management often blurred
  • Use similar tools and techniques, including risk assessment, business continuity planning, and BIAs
  • Business continuity encompasses all processes necessary to restore business functionality during a time of crisis
  • Risk management incorporates a wider variety of functions, including positive impact, negative impact, and business non-stoppage

• Inherent value of business continuity is clearer when we consider that not all risks can be managed
  • Unless risk management and business continuity are institutionalized into day-to-day activities, organizations will find themselves exposed

Questions?

Source: John Wehr


