Sarbanes-Oxley Act Compliance: The New Data Management Challenge
© 2005 Data Advantage Incorporated and Principle Partners, Inc. (40 slides; uploaded 23-Jun-2015)

Page 1

Sarbanes-Oxley Act Compliance

The New Data Management Challenge

Walter Moeller - 650-631-0600 - [email protected]

Frank Toms - 510-417-5454 - [email protected]

Page 2

Agenda

Sarbanes-Oxley Act, July 2002
Is SOX Old News?
Significant Sections of SOX
Primary Objective of SOX
Consequences of SOX
Additional Reference Sources
Framework(s) for SOX Compliance
Managing & Tracking The Compliance Process
Findings & Implications
The Future of SOX Act Compliance
Questions and Answers

Frank Toms
Page 3

Sarbanes-Oxley Act, July 2002

Directed at over 8,000 publicly traded companies and their auditors.

It increases the responsibility of the corporate management and the auditors to personally certify the accuracy and effectiveness of financial controls and processes and the corporations’ financial results.

Requirement to rotate the lead audit partner and audit review partner every five years.

Audit firm partners and staff must work more closely with the client’s audit committee to satisfy Sarbanes-Oxley requirements.

Page 4

Is SOX Old News?

Not an event, but a new way of life for Corporate America!

SOX Compliance Review Processes

Initial Compliance Planning and SOX Management Plan
Initial Internal Audit Review for Compliance
Initial External Audit Review for Compliance
Annual Reviews (Section 404)
Quarterly Reviews (Section 302)
On-going Real-time Reviews

Page 5

Significant Sections of SOX

Page 6

Section 302: Corporate Responsibility for Financial Reports

The CEO and CFO of each issuer shall prepare a statement to accompany the audit report to certify the "appropriateness of the financial statements and disclosures contained in the periodic report, and that those financial statements and disclosures fairly present, in all material respects, the operations and financial condition of the issuer."

A violation of this section must be knowing and intentional to give rise to liability.

Page 7

Section 302: Corporate Responsibility for Financial Reports

Sec. 302 (Quarterly)

Signing officers are responsible for:
Designing
Establishing and maintaining
Evaluating the effectiveness
Presenting conclusions

Have disclosed:
Significant deficiencies
Fraud
Significant changes

Page 8

Section 404: Management Assessment of Internal Controls

Requires each annual report of an issuer to contain an "internal control report," which shall:

(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

(2) contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

Each issuer's auditor shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this section shall be in accordance with standards for attestation engagements issued or adopted by the Board. An attestation engagement shall not be the subject of a separate engagement.

The language in the report of the Committee which accompanies the bill to explain the legislative intent states, "--- the Committee does not intend that the auditor's evaluation be the subject of a separate engagement or the basis for increased charges or fees."

Page 9

Section 404: Management Assessment of Internal Controls

Sec. 404 (Annual)

Management states responsibility for establishing and maintaining controls
Contains an assessment of the effectiveness
Outside auditor performs attestation of management’s assessment

Page 10

Primary Objective is Manage Risk

Alternatives:
Accept or ignore risk
Transfer risk (to insurance policies)
Reduce or mitigate risk:
  Measure and manage
  Teach and train
  Reduce Risk – take action and safeguard

Page 11

Consequences of SOX

IT IS ABOUT THE DATA!

Sarbanes-Oxley requires more data management than ever before.

RECORD RETENTION IS MORE STRINGENT
Sarbanes-Oxley requires auditors to retain for a seven-year period all relevant documents (work-papers, memos, correspondence and records [electronic and / or paper]) that contain conclusions, opinions, analyses or financial data created, sent or received in connection with the audit of a public company.

ENSURE TRANSPARENCY & RELIABLE PROCESS
Aimed at improving trust and investor confidence

IT WILL COST CLIENTS MORE
The 321 U.S. public companies responding to a Financial Executives International survey on the costs of implementing Sarbanes-Oxley said they expected to incur an increase of 38% over current audit fees.

Source: Business Performance Management Forum, www.bpmforum.org, 2003.

Page 12

Additional Reference Sources (URL Resources)

Summary of SOX Act: http://www.aicpa.org/info/sarbanes_oxley_summary.htm

Full Text of SOX Act is available from The American Institute of Certified Public Accountants (AICPA): http://www.aicpa.org/sarbanes/index.asp

Example of Approved SOX Framework: CobiT® Framework, IT Governance Institute (Control Objectives for Information and related Technology): http://it.safemode.org/index.php?page=IT_Governance_Institute

ISO 17799, International Standards Organization 17799 security standard for IT: http://www.iso17799software.com/presentation/ and http://iso-17799.com/

Page 13

Framework for SOX Compliance

CobiT®

“A structure of relationships and processes to direct and control the Enterprise in order to achieve the Enterprise’s goals by adding value while balancing risk vs. return over IT and its processes.”

IT Governance Institute

Page 14

Examples of CobiT® Compliance Categories

10 Specific Categories *
Payroll and Personnel
Expenditures
Revenue
Fixed Assets
Supply Chain
Manage Tax
Treasury
Benefits
Financial Close and Reporting
Information Technology, and
Entity Controls: Controls to ensure compliance of each of the categories as a Business Entity.

* CobiT® Framework, IT Governance Institute.

Page 15

Examples of CobiT® IT Control Areas *

Application Systems Implementation & Maintenance
Database Implementation and Supports
Information Security
Information Systems Operations
Network Support
Relationship with Outsourced Vendors
System Software Support

* CobiT® Framework, IT Governance Institute.

Page 16

ISO 17799 - Security Standard for IT

ISO 17799 is "a comprehensive set of controls comprising best practices in information security".

The Contents of the Standard?
The ISO 17799 standard comprises ten prime sections:
Security Policy
System Access Control
Computer & Operations Management
System Development and Maintenance
Physical and Environmental Security
Compliance
Personnel Security
Security Organization
Asset Classification and Control
Business Continuity Management (BCM)

Page 17

Managing the Testing for Compliance

1. Define the Control

2. Define the Test

3. Test the Control

4. Audit the Test Results

(now do 3 & 4 again!)

Page 18

Data for Tracking the Audit for Compliance

Control Objective Number
Control Activity Number
Control Objective and Control Activity Short Description
Control Objective and Control Activity Test Short Description
Activity Sample Collection Frequency
Activity Testing Frequency
IT Owner Responsibility
IT Competency Center Name
IT Competency Center Responsibility
Related Control Item

Page 19

Managing the Audit for Compliance

Each line item of the tracking data carries the fields from the previous slide: Line Item #, Control Objective Number, Control Activity Number, Control Objective and Control Activity Short Description, Control Objective & Control Activity Test Short Description, Activity Sample Collection Frequency, Activity Testing Frequency, IT Owner Responsibility, IT Competency Center Name, IT Competency Center Responsibility, Related Control Item.

Line Item 1 - IT-AP-01 (Objective)
  Control Objective: New application systems are appropriately implemented and function consistent with management's intentions. [COBIT: AI2,6]

Line Item 2 - IT-AP-01 / AP-01-01
  Control Objective and Control Activity Short Description: Implementation and Maintenance of Application Systems Process
  Test Short Description: Implementation: 5 samples of implemented projects. Maintenance: from list of SAP Transports, select 10 non-project related.
  Activity Sample Collection Frequency: Weekly (Implementation), Daily (Maintenance)
  Activity Testing Frequency: Semi-Annual
  IT Owner Responsibility: Name for Technical Responsibility
  IT Competency Center Name: Application System Implementation & Maintenance
  IT Competency Center Responsibility: Name for Management Responsibility

Line Item 3 - IT-AP-01 / AP-01-02
  Control Objective and Control Activity Short Description: Testing for Application Systems Implementation
  Test Short Description: Implementation: Five samples of implemented projects from PMO shared drive. Maintenance: Obtain a list of transports from SAP production, select a sample of 10.
  Activity Sample Collection Frequency: Weekly (Implementation), Daily (Maintenance)
  Activity Testing Frequency: Semi-Annual
  IT Owner Responsibility: Name for Technical Responsibility
  IT Competency Center Name: Application System Implementation & Maintenance
  IT Competency Center Responsibility: Name for Management Responsibility

Page 20

Tracking Compliance - By Control Objective

| Control Objective Category | Compliance Area Name | Number of Controls * | IT Responsibility | Responsible for # of Control Tests | # Controls Tested | # Tests Passed | # of Tests Pending | # Tests Failed | Score Card Status |
|---|---|---|---|---|---|---|---|---|---|
| AP | Application System Implementation & Maintenance | 21 | Director A | 30 | 30 | 30 | | | Green |
| AP | Application System Implementation & Maintenance | | Director C | 2 | 2 | 2 | | | Green |
| DB | Database Implementation and Support | 14 | Director C | 10 | 10 | 10 | | | Green |
| DB | Database Implementation and Support | | Director A | 5 | 5 | 5 | | | Green |
| NW | Network Support | 7 | Director C | 7 | 7 | 7 | | | Green |
| OP | Information Systems Operations | 7 | Director D | 2 | 2 | 2 | | | Green |
| OP | Information Systems Operations | | Director A | 4 | 4 | 4 | | | Green |
| OP | Information Systems Operations | | Director C | 2 | 2 | 2 | | | Green |
| SE | Information Security | 43 | Director A | 42 | 42 | 42 | | | Green |
| SE | Information Security | | Director C | 44 | 44 | 44 | | | Green |
| SE | Information Security | | Director B | 8 | 8 | 8 | | | Green |
| SY | System Software Support | 16 | Director C | 16 | 16 | 16 | | | Green |
| VE | Relationship with Outside Vendors | 2 | Director C | 2 | 2 | 2 | | | Green |
| Totals | | 110 | | 174 | 174 | 174 | 0 | 0 | |

* Note: Several Controls have multiple Competency Center or area responsibilities with test components. Therefore, Control tests are greater than the number of controls.

Page 21

Tracking Compliance – By Person

| IT Organizational Responsibility | Total Number of Your Control Tests | Control Objective Category | Total Tests within Your Area | # Controls Tested | Tests Passed | Tests Pending | Tests Failed | Tests Not Yet Executed | Score Card Status |
|---|---|---|---|---|---|---|---|---|---|
| Director A | 81 | AP-Applic Impl & Maint | 30 | 30 | 30 | | | | Green |
| | | DB-Database Support | 5 | 5 | 5 | | | | Green |
| | | OP-Info Sys Support | 4 | 4 | 4 | | | | Green |
| | | SE-Info Security | 42 | 42 | 42 | | | | Green |
| Director B | 8 | SE-Info Security | 8 | 8 | 8 | | | | Green |
| Director C | 83 | AP-Applic Impl & Maint | 2 | 2 | 2 | | | | Green |
| | | DB-Database Support | 10 | 10 | 10 | | | | Green |
| | | NW-Network Support | 7 | 7 | 7 | | | | Green |
| | | OP-Info Sys Support | 2 | 2 | 2 | | | | Green |
| | | SE-Info Security | 44 | 44 | 44 | | | | Green |
| | | SY-System Software Support | 16 | 16 | 16 | | | | Green |
| | | VE-Relations w/ Vendors | 2 | 2 | 2 | | | | Green |
| Director D | 2 | OP-Info Sys Support | 2 | 2 | 2 | | | | Green |
| Totals | 174 | | 174 | 174 | 174 | 0 | 0 | 0 | |

* Note: Several Controls have multiple Competency Center or area responsibilities with test components. Therefore, Control tests are greater than the number of controls.
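The two tracking views on pages 20 and 21 are the same underlying records rolled up two ways: once by control objective category and once by the director responsible. The following Python is an added example, not code from the deck or from Data Advantage / Principle Partners; it loads the thirteen (category, director) lines transcribed from page 20 as constructed input and produces both score cards, including the footnote's point that test counts exceed control counts. The deck only ever shows a Green status; the Red (any failure) and Yellow (anything still open) colours, and the "not yet executed" derivation, are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class TestLine:
    """One responsibility line of the compliance tracking data: the control
    tests that one director owns within one control objective category."""
    category: str   # control objective category code, e.g. "AP"
    area: str       # compliance area name
    owner: str      # IT organizational responsibility
    tests: int      # number of control tests this owner is responsible for
    passed: int
    pending: int
    failed: int


# Number of controls per category, as listed on the "By Control Objective" slide.
CONTROLS_PER_CATEGORY: Dict[str, int] = {
    "AP": 21, "DB": 14, "NW": 7, "OP": 7, "SE": 43, "SY": 16, "VE": 2,
}

# Constructed input: the thirteen (category, director) lines from the slide.
# Every test passed, so pending and failed are zero throughout.
TRACKING_DATA: List[TestLine] = [
    TestLine("AP", "Application System Implementation & Maintenance", "Director A", 30, 30, 0, 0),
    TestLine("AP", "Application System Implementation & Maintenance", "Director C", 2, 2, 0, 0),
    TestLine("DB", "Database Implementation and Support", "Director C", 10, 10, 0, 0),
    TestLine("DB", "Database Implementation and Support", "Director A", 5, 5, 0, 0),
    TestLine("NW", "Network Support", "Director C", 7, 7, 0, 0),
    TestLine("OP", "Information Systems Operations", "Director D", 2, 2, 0, 0),
    TestLine("OP", "Information Systems Operations", "Director A", 4, 4, 0, 0),
    TestLine("OP", "Information Systems Operations", "Director C", 2, 2, 0, 0),
    TestLine("SE", "Information Security", "Director A", 42, 42, 0, 0),
    TestLine("SE", "Information Security", "Director C", 44, 44, 0, 0),
    TestLine("SE", "Information Security", "Director B", 8, 8, 0, 0),
    TestLine("SY", "System Software Support", "Director C", 16, 16, 0, 0),
    TestLine("VE", "Relationship with Outside Vendors", "Director C", 2, 2, 0, 0),
]


def scorecard_status(tests: int, passed: int, pending: int, failed: int) -> str:
    """Score card colour. Green (every test passed) is the only value the deck
    shows; Red for any failure and Yellow for anything still open are assumed."""
    if failed > 0:
        return "Red"
    if pending > 0 or passed < tests:
        return "Yellow"
    return "Green"


def _rollup(lines: Iterable[TestLine], key: Callable[[TestLine], str]) -> Dict[str, dict]:
    """Sum tests/passed/pending/failed per key, derive the not-yet-executed
    count as the remainder, and attach a status colour."""
    out: Dict[str, dict] = {}
    for line in lines:
        agg = out.setdefault(key(line), {"tests": 0, "passed": 0, "pending": 0, "failed": 0})
        agg["tests"] += line.tests
        agg["passed"] += line.passed
        agg["pending"] += line.pending
        agg["failed"] += line.failed
    for agg in out.values():
        agg["not_executed"] = agg["tests"] - agg["passed"] - agg["pending"] - agg["failed"]
        agg["status"] = scorecard_status(agg["tests"], agg["passed"], agg["pending"], agg["failed"])
    return out


def by_control_objective(lines: Iterable[TestLine] = TRACKING_DATA) -> Dict[str, dict]:
    """The page 20 view: one row per category, with the number of controls
    shown beside the (larger) number of control tests."""
    view = _rollup(lines, lambda ln: ln.category)
    for category, agg in view.items():
        agg["controls"] = CONTROLS_PER_CATEGORY[category]
    return view


def by_person(lines: Iterable[TestLine] = TRACKING_DATA) -> Dict[str, dict]:
    """The page 21 view: one row per director."""
    return _rollup(lines, lambda ln: ln.owner)


def totals(lines: Iterable[TestLine] = TRACKING_DATA) -> Dict[str, int]:
    """Grand totals. Tests exceed controls because a control with several
    competency-center responsibilities is tested once per responsibility."""
    lines = list(lines)
    controls = sum(CONTROLS_PER_CATEGORY[c] for c in {ln.category for ln in lines})
    return {
        "controls": controls,
        "tests": sum(ln.tests for ln in lines),
        "passed": sum(ln.passed for ln in lines),
        "pending": sum(ln.pending for ln in lines),
        "failed": sum(ln.failed for ln in lines),
    }


if __name__ == "__main__":
    for owner, agg in sorted(by_person().items()):
        print(f"{owner}: {agg['tests']} tests, {agg['status']}")
    print(totals())
```

Keeping the tracking data normalized (one record per category-and-owner line, as the deck's "#1 recommendation" of a database implies) means both score cards, and any future view such as per-competency-center, are derived rather than maintained by hand, so the two slides can never drift apart.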

Page 22

Tools

#1 Recommendation: a Database to manage data during the process

Many vendors coming to market with “SOX Management and Compliance Tools”

Page 23

Findings & Implications

Not a one-time project, but a new way of life for corporate America

Few organizations anticipated effort or cost

Management wants ‘payback from efforts’

Advantages of stream-lined processes & controls (Align with other compliance requirements)

Page 24

Future for SOX Activities

Reduced investments, because of initial efforts

Business processes are more rigorous and efficient

Risks are reduced

Stream-lined and automated controls have been integrated into the Business Processes

Page 25

Questions & Answers ?

Thanks for Attending, now here’s Frank!

Page 26

SOX IT Considerations

SOX compliance would not be feasible without computerized systems.

Financial systems were among the first to be automated.

Many financial systems are based on 30 year old design approaches:
Batch oriented
Sequential processing
Redundant data storage

Many business users are unable to distinguish the business from the system that supports it.

System requirements (e.g., business rules) may be poorly understood and poorly documented.

Page 27

Compliance Levels of Effort

1) Do the minimum required.
2) Make a reasonable effort.
3) Embrace the opportunity: Use it to make a thorough review of policies and practices. Tighten controls and procedures. Recognize the importance of proactive Data Management. Make it part of the company’s “DNA”.

Page 28

Threats to Data Quality

Intentional:
Fraud
Disgruntled Employees
Hackers
Terrorists

Unintentional:
Poorly defined requirements.
Poorly documented systems.
Chaotic development process.
Ineffective Change Management.
Back-door access to data.
Uncontrolled redundancy.

Page 29

The Data Management Audit

| Factor | Points |
|---|---|
| Philosophical Factors | 20 Points |
| Organizational Factors | 20 Points |
| Procedural Factors | 20 Points |
| Conceptual Factors | 10 Points |
| Logical Factors | 10 Points |
| Physical Factors | 10 Points |
| Architectural Factors | 10 Points |
| Total | 100 Points |

Page 30

Philosophical Factors

Is Data treated as an Asset or an Expense? (2 Points)
Are there business initiatives to improve Data Quality? (2 Points)
Are there formally defined measures for Data Quality? (2 Points)
Does the CIO regularly report on Data Quality to the Executives? (2 Points)
Are Data Quality metrics included in Management Objectives? (2 Points)

20 Possible Points

If the total is more than 8 points, double the total

Page 31

Organizational Factors

Is there an Organization Unit that has the overall responsibility for Data Management? (2 Points)
Does it have a formal Charter? (1 Point)
Does it have an Enterprise-wide perspective? (2 Points)
Is it adequately resourced? (5 Points: Skilled Personnel 3 of 5, Software Tools 2 of 5)

20 Possible Points

If the total is more than 8 points, double the total

Page 32

Procedural Factors

Are Logical Data Models included in the formal Systems Development Life Cycle? (2 Points)
Is the Logical Data Model subject to business approval? (2 Points)
Is the Logical Data Model updated when the design changes? (2 Points)
Is the Logical Data Model used to generate database source code? (2 Points)
Is the Logical Data Model used in the development of a test plan? (2 Points)

20 Possible Points

If the total is more than 8 points, double the total

Page 33

Conceptual Factors

Is there a formal Information Strategy? (2 Points)
Is there an Enterprise Conceptual Data Model? (2 Points)
Is it used to kick-start development Projects? (2 Points)
Are Project data models used to update the Enterprise model? (2 Points)
Are all Project Managers aware that the Enterprise model exists? (2 Points)

10 Possible Points

If the total is less than 8 points, subtract 4 from the total

Page 34

Logical Factors

Are Business Subject Matter Experts involved with Logical Data Models? (2 Points)
Are Logical Data Models used in Business Requirements? (2 Points)
Are Data Modeling tools and techniques standardized? (2 Points)
Are there formal Data Naming Standards? (2 Points)
Are Logical and Physical models separate, but related? (2 Points)

10 Possible Points

If the total is less than 8 points, subtract 4 from the total

Page 35

Physical Factors

Is there a standardized set of data Domains? (2 Points)
Are Physical Data Models updated when the implementation changes? (4 Points)
Is the database used to enforce integrity? (1 Point)
Is the data accessed using Views? (3 Points)

10 Possible Points

If the total is less than 8 points, subtract 4 from the total

Page 36

Architectural Factors

Does all Strategic Data have a defined System of Record? (2 Points)
Is there an agreed Architectural Framework? (2 Points)
Is there a shared Metadata Repository? (2 Points)
Is Data Access functionality separate from business logic and presentation? (2 Points)
Does the Architecture cover the entire Systems Development Lifecycle? (2 Points)

10 Possible Points

Page 37

Adding it Up

60 Points or Less: A SOX Audit is likely to reveal embarrassing flaws in your financial systems.
70 – 80 Points: Your financial systems are not as healthy as they should be.
80 – 90 Points: You are doing well at managing financial data, but there is room for improvement.
90 – 100 Points: You are likely to have a strategic advantage over your competition.
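The seven factor slides (pages 30 to 36) and the "Adding it Up" thresholds together define a small scoring procedure, and its adjustment rules are easy to apply inconsistently by hand. The following Python is an added example, not code from the deck or its authors; it encodes the deck's per-question points, the "double if more than 8" rule for the 20-point factors, the "subtract 4 if less than 8" rule for the 10-point factors, and the result bands. Two points are assumptions because the deck leaves them open: a score sitting on a shared band boundary (80 or 90) is given the higher band, and a score between 61 and 69, which the slide does not band, returns None instead of a guessed interpretation.

```python
from typing import Dict, List, Optional

DOUBLE_IF_OVER_8 = "double_if_over_8"      # rule for the 20-point factors
MINUS_4_IF_UNDER_8 = "minus_4_if_under_8"  # rule for the 10-point factors

# Points for a "yes" to each question, in slide order, plus the factor's
# adjustment rule and the points possible after adjustment. All numbers are
# taken from the deck; "adequately resourced" (5 points) is split into its
# Skilled Personnel (3 of 5) and Software Tools (2 of 5) parts.
FACTORS: Dict[str, dict] = {
    "Philosophical":  {"possible": 20, "rule": DOUBLE_IF_OVER_8,   "points": [2, 2, 2, 2, 2]},
    "Organizational": {"possible": 20, "rule": DOUBLE_IF_OVER_8,   "points": [2, 1, 2, 3, 2]},
    "Procedural":     {"possible": 20, "rule": DOUBLE_IF_OVER_8,   "points": [2, 2, 2, 2, 2]},
    "Conceptual":     {"possible": 10, "rule": MINUS_4_IF_UNDER_8, "points": [2, 2, 2, 2, 2]},
    "Logical":        {"possible": 10, "rule": MINUS_4_IF_UNDER_8, "points": [2, 2, 2, 2, 2]},
    "Physical":       {"possible": 10, "rule": MINUS_4_IF_UNDER_8, "points": [2, 4, 1, 3]},
    "Architectural":  {"possible": 10, "rule": None,               "points": [2, 2, 2, 2, 2]},
}


def factor_score(factor: str, answers: List[bool]) -> int:
    """Raw points for the questions answered 'yes', then the factor's
    adjustment. Applied literally, 'subtract 4' can push a weak 10-point
    factor below zero; the deck does not say to floor it, so neither does this."""
    spec = FACTORS[factor]
    if len(answers) != len(spec["points"]):
        raise ValueError(f"{factor}: expected {len(spec['points'])} answers, got {len(answers)}")
    raw = sum(pts for pts, yes in zip(spec["points"], answers) if yes)
    if spec["rule"] == DOUBLE_IF_OVER_8 and raw > 8:
        raw *= 2
    elif spec["rule"] == MINUS_4_IF_UNDER_8 and raw < 8:
        raw -= 4
    return raw


def audit_total(answers: Dict[str, List[bool]]) -> int:
    """Sum of all seven factor scores (100 points possible)."""
    missing = set(FACTORS) - set(answers)
    if missing:
        raise ValueError(f"no answers for: {sorted(missing)}")
    return sum(factor_score(name, answers[name]) for name in FACTORS)


def band(total: int) -> Optional[str]:
    """Interpretation from the 'Adding it Up' slide. Assumption: a score on a
    shared boundary (80, 90) takes the higher band; a score the slide does
    not cover (61 to 69) returns None."""
    if total >= 90:
        return "You are likely to have a strategic advantage over your competition."
    if total >= 80:
        return "You are doing well at managing financial data, but there is room for improvement."
    if total >= 70:
        return "Your financial systems are not as healthy as they should be."
    if total <= 60:
        return "A SOX Audit is likely to reveal embarrassing flaws in your financial systems."
    return None


def all_yes() -> Dict[str, List[bool]]:
    """Answer sheet with every question answered 'yes'."""
    return {name: [True] * len(spec["points"]) for name, spec in FACTORS.items()}


if __name__ == "__main__":
    sheet = all_yes()
    sheet["Conceptual"] = [True, True, True, False, False]   # 6 raw -> 2 after the rule
    total = audit_total(sheet)
    print(total, band(total))
```

The adjustment rules are deliberately non-linear: a 20-point factor is worth either at most 8 or at least 18, and a 10-point factor loses 4 once it dips below 8, so a single "no" in the wrong place moves the total by far more than its face value. Running the sheet through code makes that cliff visible before the result is presented to management.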

Page 38

The Data Management Audit Process

Interview Senior Management to determine their targets and expectations.
Assess what is actually going on.
Define the Gap.
Develop an Action Plan.

Page 39

In Summary

SOX Compliance focuses on Roles and Responsibilities, Accountability, and Audits.

It is very Process-oriented.

Compliance is not cheap.

Most companies have SOX Programs under way, some with multiple teams.

While the SOX teams and resources are in place, there is an opportunity to review Data Management policies, practices and risks.

The benefits of a small additional cost go beyond just enabling SOX Compliance.

Page 40

Questions & Answers ?

Good Luck with your SOX Compliance!