Sarbanes-Oxley Section 404 Compliance: A Guiding Framework using iGrafx ® SOX Accelerator © 2007 Corel Corporation. All Rights Reserved.




Table of Contents

Introduction

Using iGrafx® for SOX Compliance

1. Select Priority Elements

2. Document Processes

3. Source Risks

4. Document Controls

5. Assess Design

6. Validate Operation

7. Report

Summary


Introduction

Under Section 404 of the Sarbanes-Oxley Act (SOX), public enterprises are required to produce an annual report that affirms the establishment and maintenance of an adequate internal control structure and procedures for financial reporting. The report must also contain an assessment of the effectiveness of the internal control structure and financial reporting procedures.

Complying with this mandate has proven to be more demanding than first anticipated. Many companies underestimated the scope of this effort, and are being faced with challenges when documenting, evaluating and testing internal controls, as well as meeting the human resource needs to achieve compliance. As a result, companies are adopting frameworks provided by independent consultants and vendors to aid them with these requirements.

Drawing on our experience as a recognized leader delivering business process improvement software, and utilizing the COSO framework as a basis, iGrafx has developed the iGrafx® SOX Accelerator, a pre-built model to help organizations document, manage and audit financial processes and internal controls.

This document utilizes a set of seven steps in order to demonstrate what tasks a company needs to perform to achieve compliance. Specific iGrafx applications are illustrated as we walk the reader through the following summary diagram from Protiviti® Inc. (www.protiviti.com), a leading international provider of internal audit and risk consulting services, and a highly regarded expert on Sarbanes-Oxley compliance:


Note: This diagram is reprinted with permission from Protiviti’s publication on Sarbanes-Oxley Section 404 compliance, Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements.

The following pages describe how iGrafx applications can help managers, auditors and independent advisors identify, document, and assess controls to ensure SOX compliance. This publication will show how the iGrafx SOX Accelerator can be used for documenting financial accounts, mitigating risk, aligning strategies, goals and requirements for the control model, and creating project plans for testing and measuring the effectiveness of the controls.


Text of the Protiviti diagram ("A Plain English Summary"), with the question each stage answers:

1. Select Priority Elements: Select the priority accounts and disclosures. Consider significance to financial reporting and risk of misstatement.

2. Document Processes: Document the transaction flows that materially impact the priority financial reporting elements.

3. Source Risks: Use financial reporting assertions to source “what can go wrong” within the processes. (What are the risks?)

4. Document Controls: Document entity controls (“tone at the top”). Document the controls at the source of the risk (preventive) or downstream in the process (detective and corrective). (What are the controls? Who owns the controls?)

5. Assess Design: Assess effectiveness of controls design at entity and process levels. (How is the controls design rated?)

6. Validate Operation: Test effectiveness of controls operation at entity and process levels. (How are the controls performing?)

7. Report: Conclude, disclose, report.


Using iGrafx® for SOX Compliance

iGrafx provides the modeling and reporting capabilities necessary to ensure enterprise SOX compliance. Corel® Corporation, the parent company of iGrafx, for example, uses iGrafx tools to model and report its financial processes and controls to meet its SOX requirements as a public organization.

iGrafx models include, but are not limited to, the following aspects of an organization:

• Financial accounts

• Processes and activities that affect the financial accounts

• Risks (things that could go wrong with financial processes)

• High-level strategies, goals, and requirements for the control model

• Controls (how to reduce and mitigate risk)

• Project plans describing control tests and measurements of their effectiveness

In addition, the iGrafx SOX Accelerator provides a best practice starting point for building the enterprise model. By leveraging the Accelerator while modeling Corel’s finance department, a team of two individuals completed the Corel SOX model in two months.

The journey to SOX compliance typically involves consultants and auditors to help define and configure a company-specific model. Auditors help describe the necessary periodic reports and how those reports should be formatted. Consultants assist with documenting and defining the list of risks, necessary controls, and other organizational entities.

As described earlier, Protiviti, Inc. represents the path to SOX compliance with the following stages:

1. Select Priority Elements

2. Document Processes

3. Source Risks

4. Document Controls

5. Assess Design

6. Validate Operation

7. Report

Next, we illustrate how an enterprise may use iGrafx software to implement the requirements contained in these stages described by Protiviti.


1. Select Priority Elements

Enterprise modeling for SOX begins by identifying Balance Sheet and Income Statement financial accounts.

The iGrafx® Enterprise Central™ screenshot below (Enterprise Central is a client-server solution that is the hub of the SOX Accelerator) shows some typical financial accounts. A few properties of the “Cash and Cash Equivalents” account are also displayed on the right:

2. Document Processes

After defining the organizational accounts, the SOX team of internal associates and external consultants works with process owners to document all processes and activities that affect these accounts.


The iGrafx screenshot below displays a few activities of the “Accounts Receivable” process. Some properties of the “SKU Set Up” activity are displayed on the right side:

Important associations are defined for each activity described. In the screenshot above, for example, Joe is shown as responsible and Stephen as accountable for the “SKU Set Up” activity.

Accounts affected by activities are also identified:

iGrafx Enterprise Central displays processes in both tree and diagram views. iGrafx® FlowCharter™ users draw the diagrams, or iGrafx Enterprise Central automatically generates process maps from the processes described in the tree view.


Here is an example of a generated process map of the Sales Transactions activity:

3. Source Risks

After financial processes are documented, the SOX team works with consultants to define the list of things that could go wrong with these processes and adversely impact the financial accounts. This list is modeled by the Risk Catalog shown below:


The Risk Catalog contains multiple Risk Templates that describe each risk and how it relates to high-level financial reporting assertions (goals) and controls (described later). For example, the Risk Template named “What ensures that cash and cash equivalents are recorded and complete?” is associated with the Completeness assertion (goal) below:

Within the product user interface, associations are navigated by clicking an object name (e.g. “Completeness”) and then clicking “Jump to…” as shown below:

The “Completeness” goal is one of six Financial Statement assertions:

A set of high-level requirements (control objectives) is linked to the specific controls that mitigate the documented risks:


“Segregation of Duties” is one objective that reduces risk. It is associated with multiple controls through the “Is Requirement for” property:

4. Document Controls

A SOX model may have hundreds of financial controls. Here are some typical controls:

Using iGrafx, each control is associated with its:

• Responsible party

• Risk(s) mitigated

• Processes and activities under control

• Control objective

• High-level assertion


Each control is also described by a summary and has these custom properties defined:

• Control type

• Frequency

• IT Application (Yes or No)

• Key Control (Yes or No)

• Test Required (Yes or No)

For example, for each control, the “Validation Object” property shows the risks mitigated and the “Validation Point” property shows the activities under control:

All elements of the organization’s internal control structure required for SOX compliance are now modeled. The iGrafx model describes how financial data is stored and modified, where and when it is stored, who can view it, and who can change it.

5. Assess Design

The design of the model is assessed by publishing and reporting on the model to communicate its design to key constituents. All iGrafx tools include features for publishing models to the web and to Microsoft® Office applications.

6. Validate Operation

The SOX Act also includes requirements for testing the effectiveness of key controls. The iGrafx Enterprise Central Project Plan model describes SOX tests and stores their results. For example, the “Log bank transfers” project activity describes a bank transfer monitor. This test plan activity is linked to the model object that describes the bank transfer activity:


The current value of the latest test measurement is shown in the Measurement field of the “Log bank transfers” object:

The iGrafx Enterprise Central Application Programming Interface reads the current measurement value (99.98 in the screenshot above) from an external application that measures this activity; alternatively, measurements are entered into the model manually. These values are included in the SOX report.

7. Report

Public firms include an ICR (Internal Control Report) as part of their annual report. Building this report can be a time-consuming task. Using iGrafx, an ICR is automatically generated in seconds to save time and reduce errors. A simple iGrafx wizard builds the report:


The Excel report is reviewed to confirm that the organization is in compliance. The wizard uses the model relationships to build an easy-to-read report with the following data:

• The Operating Resource column shows financial accounts

• The Control column gives the name of the control that affects those accounts

• The next two columns show the relationship to the assertions and control objective

• The Risk column shows the risks mitigated by the control

• Each control has a description

• The Validation Point column displays processes and activities where the control is in place

• The Responsible column shows ownership of a control

• Finally, the custom data values for the control are displayed

A portion of the SOX Report:
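As an added example (not iGrafx code, and not how the product stores its model), the relationships the wizard walks can be written down as a small Python model: each control's report row is derived from its links to risks, accounts, activities and an owner, and the same links give a completeness check an auditor would want before the ICR is generated. The classes, fields and sample objects are constructed; only the object names are taken from the text above.

```python
from dataclasses import dataclass
# Constructed sample model (not iGrafx data): object names come from the text
# above; the classes and fields are assumptions about how such a model is kept.

@dataclass
class Risk:
    name: str
    assertion: str      # one of the six financial statement assertions
    accounts: list      # financial accounts the risk can misstate

@dataclass
class Control:
    name: str
    objective: str                  # control objective, e.g. "Segregation of Duties"
    risks: list                     # risks mitigated (the "Validation Object" property)
    validation_points: list         # activities under control (the "Validation Point")
    responsible: "str | None"
    key_control: bool
    test_required: bool
    measurement: "float | None" = None   # latest test result, if one exists

def icr_rows(controls):
    """One report row per control, derived only from the model relationships."""
    return [{
        "Operating Resource": sorted({a for r in c.risks for a in r.accounts}),
        "Control": c.name,
        "Assertion": sorted({r.assertion for r in c.risks}),
        "Control Objective": c.objective,
        "Risk": [r.name for r in c.risks],
        "Validation Point": c.validation_points,
        "Responsible": c.responsible,
        "Custom": {"Key Control": c.key_control, "Test Required": c.test_required,
                   "Measurement": c.measurement},
    } for c in controls]

def model_gaps(controls, risks):
    """Missing relationships an auditor would expect before the ICR is signed off."""
    gaps = []
    covered = {r.name for c in controls for r in c.risks}
    for c in controls:
        if not c.responsible:
            gaps.append(f"{c.name}: no responsible party")
        if c.key_control and c.test_required and c.measurement is None:
            gaps.append(f"{c.name}: key control has no test measurement")
    gaps += [f"{r.name}: no mitigating control" for r in risks if r.name not in covered]
    return gaps

CASH_RISK = Risk("What ensures that cash and cash equivalents are recorded and complete?",
                 "Completeness", ["Cash and Cash Equivalents"])
AR_RISK = Risk("What ensures that receivables are valid?", "Existence", ["Accounts Receivable"])
CONTROLS = [
    Control("Log bank transfers", "Segregation of Duties", [CASH_RISK], ["Bank transfer"],
            "Joe", True, True, 99.98),
    # constructed as deliberately incomplete: no owner, no linked risk, no measurement
    Control("Review SKU Set Up", "Segregation of Duties", [], ["SKU Set Up"], None, True, True),
]
```

Running `model_gaps(CONTROLS, [CASH_RISK, AR_RISK])` flags the unowned, untested control and the risk no control mitigates, which is exactly what a reviewer reading the generated report would otherwise have to spot by eye.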

Using iGrafx, organizations benefit from reuse of the model whenever necessary. The enterprise maintains and updates the model as the organization changes. When it is time to create a new ICR, a single command rebuilds it for the auditor. SOX auditors appreciate this capability because it gives them confidence in the validity and reliability of the ICR.


Summary

iGrafx significantly reduces the time and expense to maintain SOX compliance. iGrafx makes it easy to document financial processes, risks and controls while improving communication, reliability, and compliance report quality. iGrafx models are simple to maintain and accessible for rapid auditing.

Using iGrafx for SOX compliance is only one benefit of the iGrafx product line. The iGrafx suite of business process improvement software allows users to document, analyze, refine and communicate processes in the pursuit of corporate goals and objectives. Whether complying with mandatory regulations such as Sarbanes-Oxley, ISO or Basel II, aligning business activities with IT, or implementing Six Sigma or Lean, iGrafx establishes and manages the process information that will ensure your success. By creating a collaborative process mapping and analysis environment, iGrafx links initiatives with the implementation environment for measurable productivity improvements.

For more information, visit the iGrafx web site at www.iGrafx.com.

© 2007 Corel Corporation. All rights reserved. Corel, iGrafx, iGrafx FlowCharter, iGrafx Process, iGrafx Process for Six Sigma, and iGrafx Enterprise Central are trademarks or registered trademarks of Corel Corporation and/or its subsidiaries in Canada, the U.S. and/or other countries. Other products and company names may be trademarks or registered trademarks of their respective companies.

Reproduction or dissemination of this publication in any form without prior written permission is forbidden. Corel disclaims all warranties as to the accuracy, completeness or adequacy of this publication. Corel shall have no liability for errors, omissions or inadequacies in the information contained herein. The opinions expressed herein are subject to change without notice.
