
Page 1

Introduction of Panel Members

Sarbanes-Oxley Workshop
February 10, 2004
John Lambeth, CISSP, CISA

Page 2

Agenda

Overview of Sarbanes-Oxley Requirements and COSO Framework
Impact on Corporate IT organizations
A proposed Project Approach
Data Collection and Documentation Approach
Roles and Responsibilities
PMO Set-up and Scoping
Leveraging CPM/BI projects to meet real-time disclosure requirements
After initial compliance, what’s next…

Page 3

Objectives for today’s workshop

• Provide you with an overview of some of the key issues that CIOs need to be aware of when responding to Sarbanes-Oxley
• Create an interactive environment in today’s workshop to share tips and experiences with each other
• Create a personal checklist of items to discuss with your internal audit and business partners

Page 4

Overview of Sarbanes-Oxley Requirements

[Diagram: Sarbanes-Oxley Act, showing the overlap of Internal Controls Over Financial Reporting, Disclosure Controls and Procedures, and Internal Controls over Disclosure Requirements]

Section 302:
Quarterly Certification by CEO/CFO
Responsible for “Disclosure Control Procedures” (DCP), covering a broad range of information (financial and non-financial)
Certify to the effectiveness of DCPs based on an evaluation within 90 days
Disclose to the Audit Committee and external auditor any significant deficiencies / material weaknesses, and any fraud (material or not)

Section 404:
Annual Assertion by management
Responsible for the effectiveness of controls over reliable financial reporting, i.e., a deep view of internal control procedures and practices
Focus on both design and operational effectiveness of financial reporting controls
Controls must be documented and tested
External auditor to render an opinion (“attestation”) on management’s internal control assertion

Slide Credit: PriceWaterhouseCoopers

Page 5

Overview of Sarbanes-Oxley Requirements

[Diagram: Sarbanes-Oxley Act, showing the overlap of Internal Controls Over Financial Reporting, Disclosure Controls and Procedures, and Internal Controls over Disclosure Requirements]

Section 409:
Call for real-time disclosure of significant changes to financial position
Requires public companies to report material events in a timely manner
“Timely” yet to be defined, but may be as soon as 48 hours from the event

Impacts:
Extends the effort from controls documentation of reporting systems to real-time reporting requirements
Batch or historic reporting capabilities need to be reviewed for their ability to support an on-going CPM/BI capability

Image Credit: PriceWaterhouseCoopers

Page 6

AICPA’s Statement on Standards for Attestation Engagements, Section 501, as amended

Stronger requirement of management to document and evaluate internal controls

Required management procedures:
Material divisions and locations included in the evaluation
Identification and documentation of significant controls to cover control objectives
Evaluation and review of design effectiveness
Tests of operating effectiveness
Evaluation of control deficiencies to determine whether they are deficiencies, significant deficiencies or material weaknesses
Written assertion required
Communication of findings to auditor and audit committee

Auditor to evaluate management’s assertion as of a point in time (December 31, 2004)

Scope of work includes independent testing of controls as well as testing of management’s assessment process

Scope of controls testing includes testing over areas that generate judgments and estimates

Page 7

The COSO Framework: The Only Recognized Internal Control Framework

COSO is an integrated framework for internal control which, when implemented, can provide a baseline to establish a control structure that meets Section 302 requirements and supports 404 attestation.

While Internal Control was not defined in Sarbanes-Oxley, the COSO definition has been accepted by the US government and its agencies, incorporated in US auditing standards (AU 319), and is a generally accepted integrated framework for control infrastructure. Under the regulations for Section 404, the SEC will use AU 319 as the reference.

Internal Control is defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations

COSO identifies five components of control (control environment, risk assessment, control activities, information and communication, and monitoring) that need to be in place and integrated to ensure the achievement of each of the objectives.

Page 8

Overview of Financial Reporting: Develop and Document Activities, Policies, Inputs, and Disclosures

Financial Reporting Overview (flow: Counting -> Accounting -> Consolidation / Reporting, all under Governance)

Governance
  What is it? Audit committee charter, whistle blower program, internal audit, legal, regulatory compliance…
  Who does it? Board of Directors, Audit Committee, Senior Management

Consolidation / Reporting
  What is it? Process for compiling the financial statements and preparing financial reporting (e.g., closing processes and procedures, policies, accounting manuals, etc.)
  Who does it? CFO, Corporate Controller, Division Level CAO, Corporate Accounting department

Accounting
  What is it? Transactions that are not reflected in subsidiary or admin systems within books and records (e.g., accruals, sale of subsidiary, taxes)
  Who does it? Accounting department management (e.g., CAO, Financial Reporting Director)

Counting
  What is it? Transactions that occur in operations and are included in the subsidiary or admin systems (e.g., premium remittance, benefit payment)
  Who does it? Systems with high transaction volume that make complex calculations and are relied upon for accuracy

Credit: PriceWaterhouseCoopers

Page 9

Impact to IT and Audit staffs

Significant unplanned, and possibly unbudgeted, activity for IT
• Causes trade-offs with other existing IT projects
• Remediation effort difficult to quantify until after controls are documented and gaps noted

Impact to internal audit staffs
• Audit experience should place them in a high-profile position on the Sarbox project
• Trade-off of limited audit staff resources with on-going internal audit responsibilities
• Need a goal to re-establish ownership of ongoing Sarbox compliance with the business partner

Record keeping
• Adequate control over paper and electronic records
• Intersection of record requirements with company record retention policies

Page 10

Project Approach Overview

Phase 1 – Project and PMO Set-up and Scoping

Phase 2 – Data Collection and Documentation

Phase 3 – Gap Analysis

Phase 4 – Validation and Testing

Phase 5 – Remediation

Page 11

Phase I: Project and PMO Set-up and Scoping

Finalize project scope: divisions, financial statement components, processes
Define approach and team organization
Establish assessment criteria for process areas and IT
Implement communications strategy and issue management process
Conduct training
  Awareness: all project participants
  Process and Tools: core project team members

Page 12

404 Project Team: Roles and Responsibilities

Project Sponsor
Provide enterprise sponsorship and oversight throughout the project
Review and resolve significant issues escalated through the Steering Committee
Review results of management assessment
Estimated Level of Effort: involvement throughout the project, as needed

Steering Committee
Participate in monthly, or as needed, Committee meetings
Review and resolve issues escalated through the Project Manager
Review status on key milestones
Re-align resources as required throughout the project
Support the Project Manager in planning and risk management
Sign off on key deliverables
Estimated Level of Effort: monthly meetings and other involvement as needed

Page 13

404 Project Team: Roles and Responsibilities

Project Office
Provide day-to-day management/support to Project Team Members
Ensure team activities conform to authorized guidelines, policies and standards
Facilitate monthly Steering Committee and weekly Project Team status meetings
Present resource concerns, dependencies, issues, risks and progress to Project Managers
Monitor/escalate unresolved issues and risks for resolution
Provide monthly status reports to the Steering Committee
Communicate project tasks and objectives to Project Team Members
Monitor communication activities (internal and external)

Page 14

404 Project Team: Roles and Responsibilities

Division Team Leaders
Deliver project activities
Participate in weekly status meetings
Support Team Members and monitor Team Member task completion
Apply policies, guidelines and standards across function and division
Track definition and implementation of remediation plans for the Division

Environment Liaisons
Provide overview of the cycle and participate in Divisional Team meetings, as required
Designate process SMEs to provide detailed process and control information
Assist in the organization of the workshops around the process flow of the cycle
Assist in understanding and assessing interfaces between and among different transactions within the cycle
Oversee implementation of remediation actions to address control gaps

Page 15

404 Project Team: Roles and Responsibilities

Project Manager
Single contact for all Project Team Members
Provide direction to Project Team Members
Participate in monthly, or as needed, Disclosure Committee meetings and weekly project team meetings
Review and resolve issues escalated by the Project Office; escalate priority issues
Exercise objectivity in decision-making, resource allocation and dispute resolution
Provide guidance and support for Project Team Members in performing tasks
Ensure Project Team Members adhere to established guidelines, policies and standards
Estimated Level of Effort: full time, dedicated, through the duration of the project

Page 16

404 Project Team: Roles and Responsibilities

IT Systems Experts
Participate in main facilitated workshops to support SME understanding of automated application-level controls
Assist in understanding systems supporting major processes and determining which are considered in scope (including interfaces)
Assist in understanding Corporate systems supporting cycles and determining which are considered in scope (including interfaces)
Assist in validating IT control criteria and training Documentation Specialists
Participate in IT-specific workshops to define and document general computer controls
Oversee implementation of remediation actions and address control gaps

Page 17

Phase II: Data Collection

Inventory and review existing documentation
Conduct preliminary workshops
  Enhance education
  Develop high-level process overviews
  Tailor project tools (e.g., control matrices)
  Pre-populate control matrices
Interview, observation and/or self-assessment to complete documentation

Page 18

Workshop Overview: Participants, Objectives, Activities, Outputs

Primary Objectives:
Understand the flow of information through the transactions under discussion
Identify linkages and inter-dependencies with other transactions and processes (where does it start and stop)
Understand risks and controls in a sufficient manner to tailor control matrices for the documentation effort

Key Activities:
Validate initial scoping
Discuss and document the high-level flow of information within the process, interfaces to other processes, and supporting systems
Discuss risks and control objectives

Workshop Outputs:
Schematic diagram of the process
Tailored control matrix

Page 19

404 Project Team: Roles and Responsibilities

Documentation Specialists
Participate in specialized training sessions to obtain working knowledge of the project documentation approach and tools
Participate in facilitated workshops and working meetings for specific cycles/processes
Document detailed process and control information for the assigned area
Assess documented controls for design/existence gaps
Report risks/issues and progress to the Project Team Leader

Page 20

Phase III: Gap Analysis

Assess the current-state analysis for design gaps (per COSO control objectives and best practices)
Identify and report design gaps
Define recommendations to address gaps

Page 21

IT Control Evaluation Process

Perform gap analysis, validation/testing and remediation
Use the same reporting format for findings as the cycles/processes
Requires close coordination with the process teams, especially regarding the impact of identified gaps

Page 22

Phase IV: Validation and Testing

Identify key controls to test

Design tests of controls

Execute tests of controls

Evaluate test results

Identify and report operating effectiveness gaps

Page 23

Phase V: Remediation

Define remediation steps

Implement remediation steps

Re-test design and operating effectiveness

Page 24

Ongoing 404 Considerations

Ownership of ongoing Sarbanes-Oxley compliance
• Establish overall responsibility for on-going compliance
• Role of IT in quarterly 302 certifications
• Process for updates to controls

Supporting documentation
• Where?
• In what format?
• For how long?
• Updates to documentation, document retention

Page 25

Surveying Sarbanes-Oxley Solutions

Control documentation requirements of Sarbox have led to a variety of vendor tool offerings [1]

Sarbanes-Oxley compliance does not come packaged in any IT solution
• Compliance is achieved through effective processes; technology supports Sarbanes-Oxley compliance through more effective collaboration and record management
• Before making significant investments in “Sarbox software”, it is important to look at your company’s collaboration and document management challenges and how your technical architecture currently deals with them
• E-mail policy
• Workgroup collaboration
• BI / CPM

[1] Gartner, “Sarbanes-Oxley Vendor Evaluation Framework”

Page 26

CPM / Business Intelligence

Section 409
• Calls for real-time disclosure
• Straight-through information processing: in many cases an effective ERP solution serves as the foundation for financial reporting and analysis tools
• BI / CPM solutions
• Create an environment that fosters validity of data flowing through the enterprise
• Integrated tools for reporting and Web-based status

Credit: C. Imhoff, DM Review, Jan ’04

Page 27

CPM / Business Intelligence

BAM (Business Activity Monitoring) strategies may play a significant role in on-going real-time reporting strategies
• Visibility into critical events
• Captures events that modify the state of business processes

What is the role of Executive dashboards in your enterprise reporting strategy?
• Create a real-time flow of key financial points/trends

Data strategy
• Common data definitions
• Common data labels / tags
• Validate “official sources” of information

Page 28

Summary

Overview of Sarbanes-Oxley Requirements and COSO Framework
Sarbox has a significant, and somewhat unpredictable, impact on Corporate IT organizations
A structured project approach is the most effective way to attack the project
Examine current technical architecture components and use this information to guide selection of additional software components
Consider the role of CPM/BI projects
Create an active forum for discussion of ongoing Sarbox compliance ownership