Sarbanes Oxley Compliance Data Mgmt
8/2/2019 Sarbanes Oxley Compliance Data Mgmt
2005 Data Advantage Incorporated and Principle Partners, Inc. Page 3
Sarbanes-Oxley Act, July 2002
Directed at over 8,000 publicly traded companies and their auditors.
It increases the responsibility of the corporate management and the auditors to personally certify the accuracy and effectiveness of financial controls and processes and the corporation's financial results.
Requirement to rotate the lead audit partner and audit review partner every five years.
Audit firm partners and staff must work more closely with the client's audit committee to satisfy Sarbanes-Oxley requirements.
-
Is SOX Old News?
Not an event, but a new way of life for Corporate America!
SOX Compliance Review Processes
Initial Compliance Planning and SOX Management Plan
Initial Internal Audit Review for Compliance
Initial External Audit Review for Compliance
Annual Reviews (Section 404)
Quarterly Reviews (Section 302)
On-going Real-time Reviews
-
Significant Sections of SOX
-
Section 302: Corporate Responsibility for Financial Reports
The CEO and CFO of each issuer shall prepare a statement to accompany the audit report to certify the "appropriateness of the financial statements and disclosures contained in the periodic report, and that those financial statements and disclosures fairly present, in all material respects, the operations and financial condition of the issuer."
A violation of this section must be knowing and intentional to give rise to liability.
-
Section 302: Corporate Responsibility for Financial Reports
Sec. 302 (Quarterly)
Signing officers are responsible for:
Designing
Establishing and maintaining
Evaluating the effectiveness
Presenting conclusions
Have disclosed:
Significant deficiencies
Fraud
Significant changes
-
Section 404: Management Assessment of Internal Controls
Requires each annual report of an issuer to contain an "internal control report," which shall:
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
Each issuer's auditor shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this section shall be in accordance with standards for attestation engagements issued or adopted by the Board. An attestation engagement shall not be the subject of a separate engagement.
The language in the report of the Committee which accompanies the bill to explain the legislative intent states, "--- the Committee does not intend that the auditor's evaluation be the subject of a separate engagement or the basis for increased charges or fees."
-
Section 404: Management Assessment of Internal Controls
Sec. 404 (Annual)
Management states responsibility for establishing and maintaining controls
Contains an assessment of the effectiveness
Outside auditor performs attestation of management's assessment
-
Primary Objective is to Manage Risk
Alternatives:
Accept or ignore risk
Transfer risk (to insurance policies)
Reduce or mitigate risk
Measure and manage
Teach and train
Reduce risk: take action and safeguard
-
Consequences of SOX
IT IS ABOUT THE DATA!
Sarbanes-Oxley requires more data management than ever before.
RECORD RETENTION IS MORE STRINGENT
Sarbanes-Oxley requires auditors to retain for a seven-year period all relevant documents (work-papers, memos, correspondence and records [electronic and / or paper]) that contain conclusions, opinions, analyses or financial data created, sent or received in connection with the audit of a public company.
ENSURE TRANSPARENCY & RELIABLE PROCESS
Aimed at improving trust and investor confidence
It Will Cost Clients More
The 321 U.S. public companies responding to a Financial Executives International survey on the costs of implementing Sarbanes-Oxley said they expected to incur an increase of 38% over current audit fees.
Source: Business Performance Management Forum, www.bpmforum.org, 2003.
-
Additional Reference Sources
URL Resources
Example of Approved SOX Framework
Summary of SOX Act: http://www.aicpa.org/info/sarbanes_oxley_summary.htm
Full Text of SOX Act is available from The American Institute of Certified Public Accountants (AICPA): http://www.aicpa.org/sarbanes/index.asp
CobiT Framework, IT Governance Institute (Control Objectives for Information and related Technology): http://it.safemode.org/index.php?page=IT_Governance_Institute
ISO 17799, International Standards Organization 17799 security standard for IT: http://www.iso17799software.com/presentation/ and http://iso-17799.com/
-
Framework for SOX Compliance
CobiT
A structure of relationships and processes to direct and control the Enterprise in order to achieve the Enterprise's goals by adding value while balancing risk vs. return over IT and its processes.
IT Governance Institute
-
Examples of CobiT Compliance Categories
10 Specific Categories *
Payroll and Personnel Expenditures
Revenue
Fixed Assets
Supply Chain
Manage Tax
Treasury
Benefits
Financial Close and Reporting
Information Technology, and
Entity Controls
Controls to ensure compliance of each of the categories as a Business Entity.
* CobiT Framework, IT Governance Institute.
-
Examples of CobiT IT Control Areas *
Application Systems Implementation & Maintenance
Database Implementation and Support
Information Security
Information Systems Operations
Network Support
Relationship with Outsourced Vendors
System Software Support
* CobiT Framework, IT Governance Institute.
-
ISO 17799 - Security Standard for IT
ISO 17799 is "a comprehensive set of controls comprising best practices in information security."
The Contents of the Standard
The ISO 17799 standard comprises ten prime sections:
Security Policy
System Access Control
Computer & Operations Management
System Development and Maintenance
Physical and Environmental Security
Compliance
Personnel Security
Security Organization
Asset Classification and Control
Business Continuity Management (BCM)
-
Managing the Testing for Compliance
1. Define the Control
2. Define the Test
3. Test the Control
4. Audit the Test Results
(now do 3 & 4 again!)
-
Data for Tracking the Audit for Compliance
Control Objective Number
Control Activity Number
Control Objective and Control Activity Short Description
Control Objective and Control Activity Test Short Description
Activity Sample Collection Frequency
Activity Testing Frequency
IT Owner Responsibility
IT Competency Center Name
IT Competency Center Responsibility
Related Control Item
-
Managing the Audit for Compliance
Columns: Line Item # | Control Objective Number | Control Activity Number | Control Objective and Control Activity Short Description | Control Objective & Control Activity Test Short Description | Activity Sample Collection Frequency | Activity Testing Frequency | IT Owner Responsibility | IT Competency Center Name | IT Competency Center Responsibility | Related Control Item

Line Item 1
Control Objective Number: IT-AP-01
Control Activity Number: Objective
Control Objective and Control Activity Short Description: New application systems are appropriately implemented and function consistent with management's intentions. [COBIT: AI2,6]

Line Item 2
Control Objective Number: IT-AP-01
Control Activity Number: AP-01-01
Control Objective and Control Activity Short Description: Implementation and Maintenance of Application Systems Process
Control Objective & Control Activity Test Short Description: Implementation: 5 samples of implemented projects. Maintenance: from list of SAP Transports, select 10 non-project related.
Activity Sample Collection Frequency: Weekly (Implementation), Daily (Maintenance)
Activity Testing Frequency: Semi-Annual
IT Owner Responsibility: Name for Technical Responsibility
IT Competency Center Name: Application System Implementation & Maintenance
IT Competency Center Responsibility: Name for Management Responsibility

Line Item 3
Control Objective Number: IT-AP-01
Control Activity Number: AP-01-02
Control Objective and Control Activity Short Description: Testing for Application Systems Implementation
Control Objective & Control Activity Test Short Description: Implementation: Five samples of implemented projects from PMO shared drive. Maintenance: Obtain a list of transports from SAP production, select a sample of 10.
Activity Sample Collection Frequency: Weekly (Implementation), Daily (Maintenance)
Activity Testing Frequency: Semi-Annual
IT Owner Responsibility: Name for Technical Responsibility
IT Competency Center Name: Application System Implementation & Maintenance
IT Competency Center Responsibility: Name for Management Responsibility
-
Tracking Compliance - By Control Objective
Columns: Control Objective Category | Compliance Area Name | IT Responsibility | Number of Controls * | Responsible for # of Control Tests | # Controls Tested | # Tests Passed | # of Tests Pending | # Tests Failed | Score Card Status

AP | Application System Implementation & Maintenance | Director A | 21 | 30 | 30 | 30 | | | Green
AP | Application System Implementation & Maintenance | Director C | | 2 | 2 | 2 | | | Green
DB | Database Implementation and Support | Director C | 14 | 10 | 10 | 10 | | | Green
DB | Database Implementation and Support | Director A | | 5 | 5 | 5 | | | Green
NW | Network Support | Director C | 7 | 7 | 7 | 7 | | | Green
OP | Information Systems Operations | Director D | 7 | 2 | 2 | 2 | | | Green
OP | Information Systems Operations | Director A | | 4 | 4 | 4 | | | Green
OP | Information Systems Operations | Director C | | 2 | 2 | 2 | | | Green
SE | Information Security | Director A | 43 | 42 | 42 | 42 | | | Green
SE | Information Security | Director C | | 44 | 44 | 44 | | | Green
SE | Information Security | Director B | | 8 | 8 | 8 | | | Green
SY | System Software Support | Director C | 16 | 16 | 16 | 16 | | | Green
VE | Relationship with Outside Vendors | Director C | 2 | 2 | 2 | 2 | | | Green
Totals | | | 110 | 174 | 174 | 174 | 0 | 0 |

* Note: Several Controls have multiple Competency Center or area responsibilities with test components. Therefore, Control tests are greater than the number of controls.
-
Findings & Implications
Not a one-time project, but a new way of life for corporate America
Few organizations anticipated effort or cost
Management wants payback from efforts
Advantages of stream-lined processes & controls (Align with other compliance requirements)
-
Future for SOX Activities
Reduced investments, because of initial efforts
Business processes are more rigorous and efficient
Risks are reduced
Stream-lined and automated controls have been integrated into the Business Processes
-
SOX IT Considerations
SOX compliance would not be feasible without computerized systems.
Financial systems were among the first to be automated.
Many financial systems are based on 30 year old design approaches:
Batch oriented
Sequential processing
Redundant data storage
Many business users are unable to distinguish the business from the system that supports it.
System requirements (e.g., business rules) may be poorly understood and poorly documented.
-
Compliance Levels of Effort
1) Do the minimum required.
2) Make a reasonable effort.
3) Embrace the opportunity.
Use it to make a thorough review of policies and practices.
Tighten controls and procedures.
Recognize the importance of proactive Data Management.
Make it part of the company's DNA.
-
Threats to Data Quality
Intentional
Fraud
Disgruntled Employees
Hackers
Terrorists
Unintentional
Poorly defined requirements.
Poorly documented systems.
Chaotic development process.
Ineffective Change Management.
Back-door access to data.
Uncontrolled redundancy.
-
The Data Management Audit
Philosophical Factors: 20 Points
Organizational Factors: 20 Points
Procedural Factors: 20 Points
Conceptual Factors: 10 Points
Logical Factors: 10 Points
Physical Factors: 10 Points
Architectural Factors: 10 Points
100 Points Total
-
Philosophical Factors
Is Data treated as an Asset or an Expense? (2 Points)
Are there business initiatives to improve Data Quality? (2 Points)
Are there formally defined measures for Data Quality? (2 Points)
Does the CIO regularly report on Data Quality to the Executives? (2 Points)
Are Data Quality metrics included in Management Objectives? (2 Points)
20 Possible Points
If the total is more than 8 points, double the total
-
Organizational Factors
Is there an Organization Unit that has the overall responsibility for Data Management? (2 Points)
Does it have a formal Charter? (1 Point)
Does it have an Enterprise-wide perspective? (2 Points)
Is it adequately resourced? (5 Points)
    Skilled Personnel: 3 of 5
    Software Tools: 2 of 5
20 Possible Points
If the total is more than 8 points, double the total
-
Procedural Factors
Are Logical Data Models included in the formal Systems Development Life Cycle? (2 Points)
Is the Logical Data Model subject to business approval? (2 Points)
Is the Logical Data Model updated when the design changes? (2 Points)
Is the Logical Data Model used to generate database source code? (2 Points)
Is the Logical Data Model used in the development of a test plan? (2 Points)
20 Possible Points
If the total is more than 8 points, double the total
-
Conceptual Factors
Is there a formal Information Strategy? (2 Points)
Is there an Enterprise Conceptual Data Model? (2 Points)
Is it used to kick-start development Projects? (2 Points)
Are Project data models used to update the Enterprise model? (2 Points)
Are all Project Managers aware that the Enterprise model exists? (2 Points)
10 Possible Points
If the total is less than 8 points, subtract 4 from the total
-
Logical Factors
Are Business Subject Matter Experts involved with Logical Data Models? (2 Points)
Are Logical Data Models used in Business Requirements? (2 Points)
Are Data Modeling tools and techniques standardized? (2 Points)
Are there formal Data Naming Standards? (2 Points)
Are Logical and Physical models separate, but related? (2 Points)
10 Possible Points
If the total is less than 8 points, subtract 4 from the total
-
Physical Factors
Is there a standardized set of data Domains? (2 Points)
Are Physical Data Models updated when the implementation changes? (4 Points)
Is the database used to enforce integrity? (1 Point)
Is the data accessed using Views? (3 Points)
10 Possible Points
If the total is less than 8 points, subtract 4 from the total
-
Architectural Factors
Does all Strategic Data have a defined System of Record? (2 Points)
Is there an agreed Architectural Framework? (2 Points)
Is there a shared Metadata Repository? (2 Points)
Is Data Access functionality separate from business logic and presentation? (2 Points)
Does the Architecture cover the entire Systems Development Lifecycle? (2 Points)
10 Possible Points
-
Adding it Up
60 Points or Less: A SOX Audit is likely to reveal embarrassing flaws in your financial systems.
70 - 80 Points: Your financial systems are not as healthy as they should be.
80 - 90 Points: You are doing well at managing financial data, but there is room for improvement.
90 - 100 Points: You are likely to have a strategic advantage over your competition.
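The seven factor slides and the "Adding it Up" bands describe a scoring procedure, so here it is carried through as an added Python example (this code is not from the original deck or its authors). It encodes each section's per-question points, the two section-level adjustment rules stated on the slides (a 20-point section doubles when its raw total exceeds 8; a 10-point section with a subtract rule loses 4 when below 8; the Architectural section has no rule), sums to 100 and maps the total to a band. The sample answers are constructed for a hypothetical company. Three details the deck leaves open are treated as assumptions and marked in the code: a section is never scored below zero, scores of 61 to 69 (which the deck does not assign) fall into the 70 - 80 band, and boundary scores of 80 and 90 go to the lower of the two bands that share them.

```python
# Data Management Audit scorer: an added example, not code from the original
# deck. Encodes the seven factor sections, their per-question points and the
# section-level adjustment rules from the slides, then maps the total to the
# "Adding it Up" bands.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Section:
    name: str
    points: Tuple[int, ...]   # points awarded per "yes" answer, in slide order
    possible: int             # "N Possible Points" on the slide
    rule: Optional[str]       # "double" (>8 doubles), "subtract" (<8 loses 4), or None


SECTIONS: Tuple[Section, ...] = (
    Section("Philosophical", (2, 2, 2, 2, 2), 20, "double"),
    # Organizational: Org Unit 2, Charter 1, Enterprise-wide 2,
    # Adequately resourced 5 = Skilled Personnel 3 + Software Tools 2
    Section("Organizational", (2, 1, 2, 3, 2), 20, "double"),
    Section("Procedural", (2, 2, 2, 2, 2), 20, "double"),
    Section("Conceptual", (2, 2, 2, 2, 2), 10, "subtract"),
    Section("Logical", (2, 2, 2, 2, 2), 10, "subtract"),
    # Physical: Domains 2, Models updated 4, DB enforces integrity 1, Views 3
    Section("Physical", (2, 4, 1, 3), 10, "subtract"),
    Section("Architectural", (2, 2, 2, 2, 2), 10, None),  # no adjustment rule on the slide
)


def score_section(section: Section, answers: List[bool]) -> int:
    """Raw points for the 'yes' answers, then the slide's adjustment rule."""
    if len(answers) != len(section.points):
        raise ValueError(f"{section.name}: expected {len(section.points)} answers")
    raw = sum(p for p, yes in zip(section.points, answers) if yes)
    if section.rule == "double" and raw > 8:
        return raw * 2
    if section.rule == "subtract" and raw < 8:
        return max(0, raw - 4)  # assumption: a section never scores below zero
    return raw


def score_audit(answers: Dict[str, List[bool]]) -> Tuple[int, Dict[str, int]]:
    """Total out of 100 plus the per-section contributions."""
    per_section = {s.name: score_section(s, answers[s.name]) for s in SECTIONS}
    return sum(per_section.values()), per_section


def band(total: int) -> str:
    """The 'Adding it Up' interpretation. Assumptions: 61-69, which the deck does
    not assign, fall into the 70-80 band; boundary scores 80 and 90 go to the
    lower of the two bands that share them."""
    if total <= 60:
        return "A SOX Audit is likely to reveal embarrassing flaws in your financial systems."
    if total <= 80:
        return "Your financial systems are not as healthy as they should be."
    if total <= 90:
        return "You are doing well at managing financial data, but there is room for improvement."
    return "You are likely to have a strategic advantage over your competition."


# Constructed sample answers for a hypothetical company (not from the deck).
SAMPLE_ANSWERS: Dict[str, List[bool]] = {
    "Philosophical":  [True, True, True, True, True],     # 10 > 8 -> doubled to 20
    "Organizational": [True, False, True, True, True],    # 9 > 8 -> doubled to 18
    "Procedural":     [True, True, True, False, False],   # 6, not > 8 -> stays 6
    "Conceptual":     [True, True, True, True, False],    # 8, not < 8 -> stays 8
    "Logical":        [True, True, False, False, False],  # 4 < 8 -> 0 after -4
    "Physical":       [True, True, False, True],          # 2+4+3 = 9 -> stays 9
    "Architectural":  [True, True, True, False, False],   # 6, no rule -> 6
}

if __name__ == "__main__":
    total, detail = score_audit(SAMPLE_ANSWERS)
    for name, pts in detail.items():
        print(f"{name:15s} {pts:3d}")
    print(f"Total {total}/100: {band(total)}")
```

Running the block scores the sample company at 67 out of 100. The point worth noticing is how the adjustment rules amplify answers: the Organizational section, missing only the 1-point charter question, still doubles to 18, while the Logical section with two "yes" answers collapses to 0, so the 10-point sections are where a weak data management practice shows up most sharply.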
-
The Data Management Audit Process
Interview Senior Management to determine their targets and expectations.
Assess what is actually going on.
Define the Gap.
Develop an Action Plan.
-
In Summary
SOX Compliance focuses on Roles and Responsibilities, Accountability, and Audits.
It is very Process-oriented.
Compliance is not cheap.
Most companies have SOX Programs under way, some with multiple teams.
While the SOX teams and resources are in place, there is an opportunity to review Data Management policies, practices and risks.
The benefits of a small additional cost go beyond just enabling SOX Compliance.
-
Questions & Answers?
Good Luck with your SOX Compliance!