SOX Compliance Presentation

SOX Compliance
Don’t fight what can help you

Skye L. Rogers
- 9 years experience working in Systems & Operations in various roles.
- 4 years focusing on SOX related tasks.
- Currently working with TransCore.
- Skye is not an attorney or an auditor.

- Approaching 70 years in the transportation
- Installations and products in 46 countries around the world
- Key technologies: RFID, wireless communications, GPS, web-based information systems

[Company overview diagram: business lines shown are Operations, Track and Trace, Fleet Management, Financial Services, Compliance Services and Freight Matching]
What is SOX?
- SOX provides the foundation for new corporate governance rules, regulations & standards issued by the Securities and Exchange Commission. It covers a range of topics from criminal penalties to Corporate Board responsibilities. SOX also covers issues such as independent auditing requirements, corporate governance, internal control assessment, and enhanced financial disclosure.
- CEOs of publicly traded companies will be held accountable for the quality of the controls established which enable accurate financial reporting (including IT processes, systems & roles).
- Section 802(a) of SOX states: “Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.”
What prompted SOX?

Sarbanes-Oxley was passed in the wake of a number of notable corporate accounting scandals including Enron and
SOX on the horizon?

The primary thing to remember is that SOX is about mitigating the risk of fraud, financial transparency and process control. This will change how you do things, but that does not have to be a bad thing.
A hint on policies.
- Bear in mind that you will be held to the letter of all policies your company develops related to SOX, even if they exceed federal requirements. This is very important to remember when drafting policies.
- Policies should ensure that corporate behavior is consistent, controlled, and can be proven.
A word on Frameworks

There are many frameworks out there to assist you with SOX compliance. The key is to find a framework that works for your team, commit to it, train on it, and use it to your best possible
Examples of COBIT Controls
- Network Security – Firewalls, secure network configuration including
- Virus Protection – anti-virus and anti-spyware updated regularly
- Backups & Restore – Regularly tested
- IT Continuity – Disaster Recovery
- Files Access Privilege
- Identity Management – password strength/age and access. Who has access and is that appropriate now?
- Risk Evaluation Programs – Risk Assessment and internal auditing.
- Employee IT Security Training – Training of end users related to utilization of resources.
- Management support/buy in – Executive level oversight of projects related to IT.
- IT as part of strategic planning – The business must be supported by technologies.
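The Identity Management control above asks "who has access and is that appropriate now?" The following is an added example (not from the presentation or from TransCore) of a periodic user access review that answers that question against a written policy: it joins account data with HR status, compares held entitlements to what each job role is approved for, and flags dormant accounts and passwords older than the policy allows. The role-to-entitlement map, the 90-day thresholds and the account records are all constructed sample data.

```python
# Added example: a minimal periodic user access review for the
# "Identity Management" control. All data and policy values below are
# constructed assumptions, not TransCore's or the presenter's.
from datetime import date

# Assumed policy: entitlements each job role is approved to hold.
APPROVED_ENTITLEMENTS = {
    "ap_clerk": {"ERP_AP_ENTRY"},
    "controller": {"ERP_AP_ENTRY", "ERP_AP_APPROVE", "ERP_GL_POST"},
    "dba": {"DB_ADMIN"},
}
MAX_PASSWORD_AGE_DAYS = 90   # assumed policy value
STALE_LOGIN_DAYS = 90        # assumed policy value

# Constructed sample accounts already joined with HR status.
ACCOUNTS = [
    {"user": "jdoe", "role": "ap_clerk", "hr_status": "active",
     "entitlements": {"ERP_AP_ENTRY", "ERP_AP_APPROVE"},
     "last_login": date(2024, 5, 2), "pw_set": date(2024, 4, 1)},
    {"user": "asmith", "role": "controller", "hr_status": "terminated",
     "entitlements": {"ERP_AP_APPROVE", "ERP_GL_POST"},
     "last_login": date(2024, 1, 10), "pw_set": date(2023, 12, 1)},
    {"user": "svc_backup", "role": "dba", "hr_status": "active",
     "entitlements": {"DB_ADMIN"},
     "last_login": date(2023, 11, 20), "pw_set": date(2023, 9, 1)},
]

def review_access(accounts, approved, today):
    """Return (user, finding) pairs that an auditor would expect to see resolved."""
    findings = []
    for a in accounts:
        # Terminated staff must not retain a live account.
        if a["hr_status"] != "active":
            findings.append((a["user"], "account active but HR status is %s" % a["hr_status"]))
        # Entitlements outside the role's approved set need a documented exception.
        excess = a["entitlements"] - approved.get(a["role"], set())
        if excess:
            findings.append((a["user"], "excess entitlements: %s" % ",".join(sorted(excess))))
        # Dormant accounts are a classic source of audit findings.
        if (today - a["last_login"]).days > STALE_LOGIN_DAYS:
            findings.append((a["user"], "no login in over %d days" % STALE_LOGIN_DAYS))
        # Password age checked against the written policy.
        if (today - a["pw_set"]).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((a["user"], "password older than %d days" % MAX_PASSWORD_AGE_DAYS))
    return findings

def review_sample():
    """Run the review on the constructed data as of a fixed review date."""
    return review_access(ACCOUNTS, APPROVED_ENTITLEMENTS, date(2024, 6, 1))

if __name__ == "__main__":
    for user, finding in review_sample():
        print(user, "-", finding)
```

The list the function returns is the evidence an auditor asks for: each finding names the account and the policy clause it breaks, so the review can be signed off and re-run on a schedule.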
Change Management
(Skye’s favorite)

Standardized change control is a great place to find fast rewards in pursuit of compliance.
- Change Approval
- Change Categorization
- Change Documentation
- Change Prioritization
- Formal Request for Change Process
- A body of subject matter experts that oversee
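As an added example (not from the presentation or from TransCore), the elements listed above can be turned into a simple gate that runs before a deployment: each change record must carry a formal RFC id, a recognized category, documentation, a priority, and an approval by someone other than the requester that predates the implementation. The record fields, the category names and the three sample changes are constructed assumptions.

```python
# Added example: a change-control gate built from the slide's checklist.
# Field names, categories and the sample records are constructed assumptions.
from datetime import datetime

CATEGORIES = {"standard", "normal", "emergency"}   # assumed categorization scheme

# Constructed sample change records as an RFC system might export them.
CHANGES = [
    {"rfc": "RFC-1001", "category": "normal", "requester": "dev1", "approver": "cab",
     "description": "Rotate ERP service account password", "priority": 2,
     "approved_at": datetime(2024, 6, 3, 9, 0), "implemented_at": datetime(2024, 6, 3, 18, 0)},
    {"rfc": "RFC-1002", "category": "normal", "requester": "dev2", "approver": "dev2",
     "description": "", "priority": 3,
     "approved_at": datetime(2024, 6, 4, 8, 0), "implemented_at": datetime(2024, 6, 4, 7, 0)},
    {"rfc": "", "category": "hotfix", "requester": "dev3", "approver": None,
     "description": "Patch GL posting job", "priority": None,
     "approved_at": None, "implemented_at": datetime(2024, 6, 5, 2, 0)},
]

def check_change(c):
    """Return the control failures for one change record (empty list = passes the gate)."""
    problems = []
    if not c.get("rfc"):
        problems.append("no formal request for change (RFC id missing)")
    if c.get("category") not in CATEGORIES:
        problems.append("uncategorized or unknown category %r" % c.get("category"))
    if not c.get("description"):
        problems.append("change is not documented")
    if c.get("priority") is None:
        problems.append("change is not prioritized")
    if not c.get("approver"):
        problems.append("no approval recorded")
    elif c["approver"] == c["requester"]:
        # Segregation of duties: the person requesting a change may not approve it.
        problems.append("requester approved own change")
    if c.get("approved_at") and c.get("implemented_at") and c["implemented_at"] < c["approved_at"]:
        problems.append("implemented before approval")
    return problems

def gate(changes):
    """Map each RFC id (or '<none>') to its control failures; only clean changes may deploy."""
    return {c.get("rfc") or "<none>": check_change(c) for c in changes}

def sample_report():
    return gate(CHANGES)

if __name__ == "__main__":
    for rfc, problems in sample_report().items():
        print(rfc, "OK" if not problems else "; ".join(problems))
```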
Consistent Logging
- Change Management
- Configuration Mgmt.
- Event Management
- Incident Management
- Knowledge Mgmt.
- Problem Management
“Operationalize” information.
- Connect the internal changes needed with the strategic objectives of the company.
- Illustrate that real-time information flow enhances your organization’s ability to make decisions while making compliance easier.
- Point out the significance of new activities that may seem mundane or inconsequential. This will help actions taken by staff at every level feel more relevant and less painful.
Remember W. Edward Deming?

SOX Compliance is not a fix-it-and-forget-it endeavor. As companies and the ecosystems that support them change, new compliance quandaries will come up.
Wait, how can SOX help me?
- Perspectives on operational control, consistency, and quality take on a whole different meaning once they have a clear relationship to fiduciary
- It is amazing how different the conversation about project prioritization becomes once executive management are offered the opportunity to make decisions guiding it.
This is assuming that we have time for any.
Thank you very much for your kind