Sarbanes-Oxley Section 404 Compliance: A Guiding Framework using igrafx SOX Accelerator




2007 Corel Corporation. All Rights Reserved.

Table of Contents

Introduction
Using igrafx for SOX Compliance
  1. Select Priority Elements
  2. Document Processes
  3. Source Risks
  4. Document Controls
  5. Assess Design
  6. Validate Operation
  7. Report
Summary

Introduction

Under Section 404 of the Sarbanes-Oxley Act (SOX), public companies are required to include in their annual report a statement that management has established and maintains an adequate internal control structure and procedures for financial reporting. The report must also contain management's assessment of the effectiveness of that internal control structure and those financial reporting procedures.

Complying with this mandate has proven more demanding than first anticipated. Many companies underestimated the scope of the effort and are facing challenges in documenting, evaluating and testing internal controls, as well as in meeting the staffing needs of compliance. As a result, companies are adopting frameworks provided by independent consultants and vendors to help them with these requirements.

Drawing on its experience as a recognized leader in business process improvement software, and using the COSO framework as a basis, igrafx has developed the igrafx SOX Accelerator, a pre-built model that helps organizations document, manage and audit financial processes and internal controls. This document uses a set of seven steps to show what tasks a company needs to perform to achieve compliance. Specific igrafx applications are illustrated as we walk through the following summary diagram from Protiviti Inc. (www.protiviti.com), an international provider of internal audit and risk consulting services and a recognized expert on Sarbanes-Oxley compliance:

A Plain English Summary (Protiviti)

Select Priority Elements: Select the priority accounts and disclosures, considering their significance to financial reporting and the risk of misstatement.
Document Processes: Document the transaction flows that materially impact the priority financial reporting elements. (What are the risks?)
Source Risks: Use financial reporting assertions to source what can go wrong within the processes. (What are the controls? Who owns the controls?)
Document Controls: Document entity-level controls ("tone at the top") and the controls at the source of the risk (preventive) or downstream in the process (detective and corrective). (How is the control design rated?)
Assess Design: Assess the effectiveness of control design at the entity and process levels. (How are the controls performing?)
Validate Operation: Test the effectiveness of control operation at the entity and process levels.
Report: Conclude, disclose, report.

Note: This diagram is reprinted with permission from Protiviti's publication on Sarbanes-Oxley Section 404 compliance, Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements.

The following pages describe how igrafx applications help managers, auditors and independent advisors identify, document and assess controls to support SOX compliance. This publication shows how the igrafx SOX Accelerator can be used to document financial accounts, record and mitigate risks, align strategies, goals and requirements for the control model, and create project plans for testing and measuring the effectiveness of the controls.

Using igrafx for SOX Compliance

igrafx provides the modeling and reporting capabilities needed to support enterprise SOX compliance. Corel Corporation, the parent company of igrafx, uses igrafx tools to model and report its own financial processes and controls to meet its SOX requirements as a public company. igrafx models include, but are not limited to, the following aspects of an organization:

Financial accounts
Processes and activities that affect the financial accounts
Risks (things that could go wrong with financial processes)
High-level strategies, goals and requirements for the control model
Controls (how to reduce and mitigate risk)
Project plans describing control tests and measurements of their effectiveness

In addition, the igrafx SOX Accelerator provides a best-practice starting point for building the enterprise model. By leveraging the Accelerator while modeling Corel's finance department, a team of two people completed the Corel SOX model in two months.

The journey to SOX compliance typically involves consultants and auditors who help define and configure a company-specific model. Auditors describe the necessary periodic reports and how those reports should be formatted. Consultants assist with documenting and defining the list of risks, the necessary controls and other organizational entities.

As described earlier, Protiviti Inc. represents the path to SOX compliance with the following stages:

1. Select Priority Elements
2. Document Processes
3. Source Risks
4. Document Controls
5. Assess Design
6. Validate Operation
7. Report

Next, we illustrate how an enterprise may use igrafx software to implement the requirements of each stage described by Protiviti.

1. Select Priority Elements

Enterprise modeling for SOX begins by identifying the Balance Sheet and Income Statement financial accounts. The igrafx Enterprise Central screenshot (Enterprise Central is the client-server solution that is the hub of the SOX Accelerator) shows some typical financial accounts, with a few properties of the Cash and Cash Equivalents account displayed on the right.

2. Document Processes

After defining the organization's accounts, the SOX team of internal staff and external consultants works with process owners to document all processes and activities that affect these accounts.

The igrafx screenshot displays a few activities of the Accounts Receivable process, with some properties of the SKU Set Up activity shown on the right side. Important associations are defined for each activity described; in the screenshot, for example, Joe is shown as responsible and Stephen as accountable for the SKU Set Up activity. The accounts affected by each activity are also identified.

igrafx Enterprise Central displays processes in both tree and diagram views: igrafx FlowCharter users draw the diagrams, or igrafx Enterprise Central automatically generates process maps from the tree view.

Here is an example of a generated process map of the Sales Transactions activity.

3. Source Risks

After the financial processes are documented, the SOX team works with consultants to define the list of things that could go wrong with these processes and adversely affect the financial accounts. This list is modeled by the Risk Catalog.

The Risk Catalog contains multiple Risk Templates that describe each risk and how it relates to the high-level financial reporting assertions (goals) and to controls (described later). For example, the Risk Template named "What ensures that cash and cash equivalents are recorded and complete?" is associated with the Completeness assertion (goal). Within the product user interface, associations are navigated by clicking an object name (e.g. Completeness) and then clicking Jump to. The Completeness goal is one of the six financial statement assertions used in the model.

A set of high-level requirements (control objectives) is linked to the specific controls that mitigate the documented risks.

Segregation of Duties is one objective that reduces risk. It is associated with multiple controls through the Is Requirement for property.

4. Document Controls

A SOX model may have hundreds of financial controls. Using igrafx, each control is associated with its:

Responsible party
Risk(s) mitigated
Processes and activities under control
Control objective
High-level assertion

Each control is also described by a summary and has these custom properties defined:

Control type
Frequency
IT Application (Yes or No)
Key Control (Yes or No)
Test Required (Yes or No)

For each control, the Validation Object property shows the risks mitigated and the Validation Point property shows the activities under control.

All elements of the organization's internal control structure required for SOX compliance are now modeled. The igrafx model describes how financial data is stored and modified, where and when it is stored, who can view it, and who can change it.

5. Assess Design

Control design is assessed by publishing and reporting the model so that its design can be reviewed by key constituents. All igrafx tools include features for publishing models to the web and to Microsoft Office applications. Publishing communicates the design; the judgment that a control is well designed, that is, that it would prevent or detect a material misstatement if it operated as described, is still made by the reviewers (management, internal audit and the external auditor) and should be recorded against the control.

6. Validate Operation

SOX also requires that the operating effectiveness of key controls be tested. The igrafx Enterprise Central Project Plan model describes the SOX tests and stores their results. For example, the Log bank transfers project activity describes a bank transfer monitor. This test plan activity is linked to the model object that describes the bank transfer activity.

The current value of the latest test measurement is shown in the Measurement field of the Log bank transfers object. The igrafx Enterprise Central Application Programming Interface reads the current measurement value (99.98 in the screenshot) from an external application that measures this activity, or measurements are entered into the model manually. These values are included in the SOX report. A measurement such as 99.98 is only as meaningful as the test behind it: keep the test procedure, the sample and the evidence that produced the value, so that an auditor can re-perform the test rather than take the number on trust.

7. Report

Public companies include an Internal Control Report (ICR) as part of their annual report. Building this report can be a time-consuming task. Using igrafx, an ICR is generated automatically in seconds, saving time and reducing errors. A simple igrafx wizard builds the report.

The resulting Excel report is reviewed to confirm that the organization is in compliance. The wizard uses the model relationships to build an easy-to-read report with the following columns:

The Operating Resource column shows the financial accounts
The Control column gives the name of the control that affects those accounts
The next two columns show the relationship to the assertions and the control objective
The Risk column shows the risks mitigated by the control
Each control has a description
The Validation Point column displays the processes and activities where the control is in place
The Responsible column shows ownership of the control
Finally, the custom data values for the control are displayed

Using igrafx, organizations benefit from reuse of the model whenever necessary. The enterprise maintains and updates the model as the organization changes, and when it is time to create a new ICR, a single command rebuilds it for the auditor. Auditors value this because the report is derived directly from the maintained model rather than assembled by hand. The report is, however, only as reliable as the model it is generated from: changes to the model (controls added, owners changed, measurements entered) should themselves be access-controlled and logged, since the auditor will ask how the model is protected from unauthorized change.
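The control model of step 4, the measurements of step 6 and the report join of step 7 can be illustrated with a small example. The following is added here as a worked example and is not igrafx code: it holds activities, risks and controls with the same relationships and custom properties the paper describes, generates one ICR row per (control, risk) pair the way the wizard's columns are laid out, and runs the integrity checks an auditor would ask about (risks with no control, key controls not yet tested, dangling references, and a segregation-of-duties conflict). All names, accounts, risks and the 99.98 measurement are constructed for illustration; the SoD conflict pairs are an assumed rule, not something the paper specifies.

```python
"""Added example (not igrafx's code): a miniature SOX control model in plain
Python mirroring the relationships described above (activities -> accounts,
risks -> assertions, controls -> risks/activities/objectives), the ICR rows
the report wizard joins from them, and integrity checks an auditor asks
about. All names and values are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Activity:
    name: str
    responsible: str           # RACI "R", e.g. Joe
    accountable: str           # RACI "A", e.g. Stephen
    accounts: List[str]        # financial accounts the activity affects


@dataclass
class Risk:
    name: str
    assertion: str             # financial statement assertion it threatens


@dataclass
class Control:
    name: str
    description: str
    responsible: str
    objective: str             # control objective, e.g. Segregation of Duties
    risks: List[str]           # "Validation Object": risks mitigated
    activities: List[str]      # "Validation Point": activities under control
    control_type: str          # custom properties named in the paper
    frequency: str
    it_application: bool
    key_control: bool
    test_required: bool
    measurement: Optional[float] = None   # latest test result, if recorded


@dataclass
class Model:
    activities: Dict[str, Activity]
    risks: Dict[str, Risk]
    controls: Dict[str, Control]
    # Assumed SoD rule: no one person may be responsible for both activities.
    sod_conflicts: List[Tuple[str, str]] = field(default_factory=list)


def icr_rows(model: Model) -> List[dict]:
    """One report row per (control, risk) pair, joined through the model."""
    rows = []
    for c in model.controls.values():
        accounts = sorted({acct for a in c.activities if a in model.activities
                           for acct in model.activities[a].accounts})
        for rname in c.risks:
            risk = model.risks.get(rname)
            rows.append({
                "Operating Resource": ", ".join(accounts),
                "Control": c.name,
                "Assertion": risk.assertion if risk else "UNKNOWN RISK",
                "Control Objective": c.objective,
                "Risk": rname,
                "Description": c.description,
                "Validation Point": ", ".join(c.activities),
                "Responsible": c.responsible,
                "Key Control": c.key_control,
                "Test Required": c.test_required,
                "Measurement": c.measurement,
            })
    return rows


def check_model(model: Model) -> List[str]:
    """Findings: uncovered risks, dangling references, untested key controls
    and segregation-of-duties conflicts."""
    findings = []
    covered = {r for c in model.controls.values() for r in c.risks}
    findings += [f"risk without control: {r}" for r in model.risks if r not in covered]
    for c in model.controls.values():
        findings += [f"{c.name}: unknown risk {r}" for r in c.risks if r not in model.risks]
        findings += [f"{c.name}: unknown activity {a}" for a in c.activities
                     if a not in model.activities]
        if c.key_control and c.test_required and c.measurement is None:
            findings.append(f"key control not yet tested: {c.name}")
    for a, b in model.sod_conflicts:
        ra, rb = model.activities[a].responsible, model.activities[b].responsible
        if ra == rb:
            findings.append(f"SoD conflict: {ra} is responsible for both {a} and {b}")
    return findings


def sample_model() -> Model:
    """Constructed sample: a treasury process with a deliberate SoD conflict,
    an uncovered risk and a key control that has not yet been tested."""
    acts = [
        Activity("SKU Set Up", "Joe", "Stephen", ["Accounts Receivable"]),
        Activity("Initiate Bank Transfer", "Joe", "Stephen", ["Cash and Cash Equivalents"]),
        Activity("Approve Bank Transfer", "Joe", "Maria", ["Cash and Cash Equivalents"]),
    ]
    risks = [
        Risk("Bank transfers not recorded or incomplete", "Completeness"),
        Risk("Unauthorized bank transfer", "Existence/Occurrence"),
        Risk("Fictitious SKU set up", "Existence/Occurrence"),   # no control covers it
    ]
    ctrls = [
        Control("Bank transfer monitor", "Daily reconciliation of logged transfers to bank statement",
                "Stephen", "Completeness of cash records",
                ["Bank transfers not recorded or incomplete", "Unauthorized bank transfer"],
                ["Initiate Bank Transfer", "Approve Bank Transfer"],
                "Detective", "Daily", True, True, True, measurement=99.98),
        Control("Transfer approval limit", "Transfers above limit need a second approver",
                "Maria", "Segregation of Duties", ["Unauthorized bank transfer"],
                ["Approve Bank Transfer"], "Preventive", "Per transaction", True, True, True),
    ]
    return Model({a.name: a for a in acts}, {r.name: r for r in risks},
                 {c.name: c for c in ctrls},
                 sod_conflicts=[("Initiate Bank Transfer", "Approve Bank Transfer")])


if __name__ == "__main__":
    m = sample_model()
    for row in icr_rows(m):
        print(row["Operating Resource"], "|", row["Control"], "|", row["Risk"], "|", row["Measurement"])
    for finding in check_model(m):
        print("FINDING:", finding)
```

Run stand-alone, the script prints three report rows and three findings: the SKU risk has no control, the approval-limit key control has no test result yet, and Joe both initiates and approves bank transfers. The checks are the point: a report generated from the model inherits every gap the model has, so coverage and ownership checks belong in the same step as report generation.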

Summary

igrafx significantly reduces the time and expense of maintaining SOX compliance. It makes it easy to document financial processes, risks and controls while improving communication, reliability and compliance report quality. igrafx models are simple to maintain and accessible for rapid auditing.

Using igrafx for SOX compliance is only one benefit of the igrafx product line. The igrafx suite of business process improvement software allows users to document, analyze, refine and communicate processes in pursuit of corporate goals and objectives. Whether complying with mandatory regulations such as Sarbanes-Oxley, ISO or Basel II, aligning business activities with IT, or implementing Six Sigma or Lean, igrafx establishes and manages the process information on which such initiatives depend. By creating a collaborative process mapping and analysis environment, igrafx links initiatives with the implementation environment for measurable productivity improvements.

For more information, visit the igrafx web site at www.igrafx.com.

2007 Corel Corporation. All rights reserved. Corel, igrafx, igrafx FlowCharter, igrafx Process, igrafx Process for Six Sigma, and igrafx Enterprise Central are trademarks or registered trademarks of Corel Corporation and/or its subsidiaries in Canada, the U.S. and/or other countries. Other products and company names may be trademarks or registered trademarks of their respective companies. Reproduction or dissemination of this publication in any form without prior written permission is forbidden. Corel disclaims all warranties as to the accuracy, completeness or adequacy of this publication. Corel shall have no liability for errors, omissions or inadequacies in the information contained herein. The opinions expressed herein are subject to change without notice.