Using COBiT For Sarbanes Oxley. Japan, November 18th 2006. Gary A Bannister
Who Am I & What I Do? I am an accountant with 28 years' experience working in various International Control & IT roles. I am British and resident in the US. I speak 4 languages, but unfortunately not Japanese. I was involved in the implementation of the BP SOX program in 2004 & 2005 and was instrumental in the implementation of COBiT version 3 and compliance processes.
AGENDA: Some Context about Compliance; Sarbanes Oxley; Differences in Japan & Other countries; The BP Process In SOX; Using COBiT: Selection & mapping; BP Gap Analysis & Remediation Criteria; Key Learnings & Some Tips for You
Sarbanes-Oxley (SOX) Act Highlights
- Established the Public Company Accounting Oversight Board (PCAOB) and gave it broad powers to oversee the public accounting firms
- Introduced new limitations on auditors including mandatory partner rotation and limits on services
- Requires new disclosure controls that inform corporate officers of material information during the reporting period
Sarbanes Oxley: Two Key Sections. Sec 302 Financial Reporting; Sec 404 Internal Controls
SOX 404 requires management to include an internal control report in each SEC filing that:
- States the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and
- Contains an assessment, as of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures
It also requires an audit of management's report on internal controls.
SOX Effect on Other countries. SOX-style legislation is coming to Japan, Canada, South Africa & Europe. The COBiT & COSO frameworks become more important in documenting and testing the effectiveness of internal controls. Some differences: external auditors are NOT required to attest to management's attestation on internal controls in Canada.
Relationships Between IT & Business. Layers, top to bottom: Business Processes; Applications; Data/DBMS; Platforms; Networks; Physicals.
- Financial & Business Teams review manual and automated business process controls (business process layer).
- Application Manager and IT SOX perform Application General Controls and Application Security Reviews (application layer).
- Data Center Operations Manager and IT SOX evaluate supporting infrastructure for all financial applications as a part of the IT General Controls review (data, platform, network and physical layers).
An effective automated business process control requires effective operating IT controls.
Overview of ICE/DCT SOX Program
Phases: Agree Processes & Applications; Evaluate/Document; Prioritise Gaps, agree Timeline; Remediate Gaps; Monitoring/Reporting (Operate).
Finance decisions on scope: Agree in-scope processes; Identify supporting applications; Agree control framework; Agree gap prioritisation process; Agree remediation timetable; Agree Financial Control monitoring & compliance process. Output: group-wide integrated plan.
4 Workstreams (IT owns & implements the IT ones): Application Business Controls (evaluated in batches); Application General Controls; Application Security Review; IT General Controls. Scope: 100 applications & 10 data centres, plus a further 100 applications and 10 data centres.
Evaluate/Document: identified COBIT gaps ranked Tier 1 to Tier 4. Output: documented CETs & gaps.
Prioritise Gaps: filter gaps; challenge gaps; integrate with IT plans. Output: prioritised set of gaps & timeline.
Remediate Gaps: IT own, fund and deliver the plan; IT Central (data centres); IT segments & functions (applications). Output: gaps remediated by IT.
Monitoring/Reporting: process embedded across IT; repeatable annual process; staff trained; internal resource. Output: IT own the on-going process; IT progress reporting.
Why COBiT. How was CobiT chosen? Control systems considered: COBIT; ISO 17799; ITIL (Information Technology Infrastructure Library). Assessment criteria used: control needs of SOX (consistency with the general and application control needs of SOX; COBiT is more comprehensive); extent of use outside BP (the use of each system by other companies for this purpose).
Why COBIT: chart of how detailed each framework is (vertical axis, low to high) against the breadth of its IT control coverage (horizontal axis, low to high). High-detail row, reading left to right from low to high breadth: ITIL, ISO 17799, COBIT. Low-detail row: COSO, Turnbull.
CobiT v3 Overview, July 2004. The IT processes shown in red on the original slide are part of the DCT SOX Control Framework [12 control processes, 68 control activities]; the colour is not preserved here.
Planning and Organization: Define the IT Plan; Define the Information Architecture; Define the Technology Direction; Define the Organization and Relationships; Manage the IT Investment; Communicate Management Aims; Manage HR; Ensure Compliance with External Requirements; Assess Risks; Manage Projects; Manage Quality.
Acquisition and Implementation: Identify Solutions; Acquire (Develop) and Maintain Application Software; Acquire and Maintain Technology Infrastructure; Develop & Maintain Procedures; Install and Accredit Systems; Manage Changes.
Delivery and Support: Define Service Levels; Manage Third Party Services; Manage Performance and Capacity; Ensure Continuous Service; Ensure System Security; Identify and Attribute Costs; Educate and Train Users; Assist and Advise IT Customers; Manage the Configuration; Manage Problems and Incidents; Manage Data; Manage Facilities; Manage Operations.
Monitoring: Monitor the Process; Assess Internal Control Adequacy; Obtain Independent Assurance; Provide for Independent Audit.
Information and IT Systems sit at the centre of the four domains.
CobiT v4 Overview, August 2006. Amendments for Compliance Business as Usual. The IT processes shown in red on the original slide are part of the DCT Compliance Control Framework [11 control processes, 32 control activities]; the colour is not preserved here.
Planning and Organization: Define the IT Plan; Define the Information Architecture; Define the Technology Direction; Define the IT Processes, Organization and Relationships; Manage the IT Investment; Communicate Management Aims; Manage HR; Manage Quality; Assess & Manage IT Risks; Manage Projects.
Acquisition and Implementation: Identify Automated Solutions; Acquire (Develop) and Maintain Application Software; Acquire and Maintain Technology Infrastructure; Enable Operations & Use; Procure IT Resources; Manage Changes; Install and Accredit Systems.
Delivery and Support: Define Service Levels; Manage Third Party Services; Manage Performance and Capacity; Ensure Continuous Service; Ensure System Security; Identify and Allocate Costs; Educate and Train Users; Manage Service Desk & Incidents; Manage the Configuration; Manage Problems; Manage Data; Manage Physical Environment; Manage Operations.
Monitor and Evaluate: Monitor & Evaluate IT Performance; Monitor & Evaluate Internal Control; Ensure Regulatory Compliance; Provide IT Governance.
Information and IT Systems sit at the centre of the four domains.
IT Risk Analysis Criteria Filter Activity. Input: identified BP COBIT gaps.
- 1st filter: COBIT summary rank at Control Process (CP) level (COBIT gap criteria, control process level).
- 2nd filter: COBIT detailed ranking at Control Objective (CO) level (COBIT gap criteria, control objective level).
- 3rd filter: ICE financial tier rankings (Tier 1 to Tier 4).
- 4th filter: additional business info (Global vs. Local, prior audit etc., e-learning suitability).
Output: a prioritised set of Sarbanes Oxley gaps.
Key GAP Prioritization Explained. 1) COBIT summary rank at Control Process (CP) level. 2) COBIT detailed ranking at Control Objective (CO) level. Identified COBIT gaps are mapped to ICE Tier 1 to Tier 4.
Effectiveness: the degree to which the Control Objective responds to the underlying value delivery and risk mitigation requirements, irrespective of efficiency, costs and effort. [COBiT On-line]
Colour coding (the rank maps to the BP risk convention):
- Very High (VH): the COBIT High category split out for AI6 & DS5, Change Management & Ensure System Security. Maps to ICE Tier 1.
- High (H): the remaining COBIT reds. Maps to ICE Tier 2.
- Medium (M): as per COBIT. Maps to ICE Tier 3.
- Low (L): as per COBIT. Maps to ICE Tier 4.
- No Gap (N): rank 0.
Key GAP Prioritization Explained. 3) ICE financial tier rankings. 4) Additional business info.
Financial criteria map one to one with the COBIT ranking:
- Tier One: >= $100m, COBiT Very High
- Tier Two: < $100m and > $20m, COBiT High
- Tier Three: < $20m and > $1m, COBiT Medium
- Tier Four: < $1m, COBiT Low
Other criteria, example: application $ throughput:
- Very High: > $1b
- High: < $1b and > $250m
- Medium: < $250m and > $100m
- Low: < $100m
Key Learnings & Some Tips For You
- Do not use COSO alone; it is not detailed enough for IT.
- ISO 17799 is NOT ENOUGH. It does not cover well: data management; third party processes; IT delivery & support operations; audit & governance issues; software & hardware development controls; segregation of duties.
- Consult & agree your framework with your external auditors before you implement your program.
- Do not select too many COBiT control objectives and control practices. Simplify & simplify. Concentrate on key IT control deficiencies that are high or are a critical risk: change management issues; access controls & segregation of duties; some data management issues like backups & storage.
- Include your IT applications (e.g. SAP) with your business process documentation. Why? Most of your business controls are defined by your systems and applications.
Key Learnings & Tips continued
- Do not test too many applications & processes; take a risk & business impact approach.
- Look out for spreadsheets. Errors in relatively simple spreadsheets can result in potentially material misstatements in financial results. Their best feature, flexibility, is also their worst. Use the PricewaterhouseCoopers five-step process: inventory spreadsheets; evaluate use and complexity; determine the level of controls; evaluate existing controls; develop remediation.
Key Learnings & Tips continued
- Use frameworks like COSO & COBiT as benchmarks; they don't give you the answers or the specific controls, only the templates. Tailor them to your company's needs.
- Beware email, e.g. spreadsheets emailed to controllers for consolidation. Potential email security & storage issue.
- Beware use of compliance tools/software. It is still not a mature market.
- Consider how you will administer third parties & outsourced partners.
- Assign accountabilities for each business & IT process (e.g. Order to Pay for business & Change Management for IT). Note: segregation of duties is a business accountability but facilitated by IT.
Thank you
What Role Does IT Play? Infrastructure; Application Controls; Business Partner to ensure controls are operating effectively across the organization; New Applications.
Process vs. Control Control Objective: User access to network is appropriately assigned. Example of Process: Management reviews user access on a monthly basis. Example of Control: Management reviews and signs off on a report generated on a monthly basis containing user accounts and roles to ensure appropriateness and accuracy.
A New Internal Control Paradigm. PCAOB Guidance, examples of documentation: documentation that provides reasonable support for management's assessment of the effectiveness of internal control over financial reporting covers:
- The design of controls over relevant assertions related to all significant accounts and disclosures in the financial statements,
- Information about how significant transactions are initiated, recorded, processed, and reported,
- Enough information about the flow of transactions to identify where material misstatements due to error or fraud could occur,
- Controls designed to prevent or detect fraud,
- Controls over the period-end financial reporting process,
- Controls over safeguarding of assets, and
- The results of management's testing and evaluation.
Identification of Control Points Definition of a control point: 1. An action within a process where the key data changes form; 2. A handoff between individuals or programs within a process; or 3. A handoff between software applications
Control Type Categories Identifying the control types may reveal an over-reliance on a particular type of control or an absence of a key control type Policies & Procedures Authorization Controls Key Performance Indicators Management Review Detailed (Data Comparison) Reconciliation Segregation of Duties System Access Automated Exception Report
Control Categories - Definitions
Policies & Procedures: policy and procedure control documentation is often needed where adherence to standard policies and procedures is directly linked to the effectiveness of the control, especially where control procedures cross organizational or geographic boundaries. Policy and procedure related controls generally include formal written documents that have been recently updated and are both accessible to and used by the individuals executing the documented control activities.
Authorization Controls: approval of transactions executed within the authority set by senior management's general or specific policies and procedures.
Key Performance Indicators: financial and non-financial quantitative measurements that are collected by the entity, either continuously or periodically, and used by management to evaluate the extent of progress toward meeting the entity's defined objectives. For key performance indicators to be an effective control, they must have a level of precision that enables detection of errors.
Control Categories - Definitions
Management Review: a review conducted by someone other than the preparer of the transaction or journal entry, who analyses and oversees the activities performed. In many instances it will be a manager reviewing the work of a subordinate, but it is not limited to this; it may include co-workers reviewing each other's work.
Detailed: a detailed control activity consists of a comparison between two sets of data in which the individual components of the data are compared. This can be either a detailed manual control, when the comparison is performed by humans, or a detailed automated control, when it is performed by a system.
Reconciliation: a control designed to check whether two sums match and to identify the differences between them. It does not involve comparing the information in two different sets of data on an item-by-item basis.
Control Categories - Definitions
Segregation of Duties: the separating of the duties and responsibilities of authorizing transactions, recording transactions, and maintaining custody, to prevent individuals from being in a position to both perpetrate and conceal an error or irregularity.
System Access: the access rights that individual users or groups of users have within a computer information-system processing environment, as determined and defined by the configuration of the system.
Automated Exception Reports: an exception report control shows a violation of a set standard to a responsible party, who follows up and resolves the item.
General IT Controls
EXAMPLES OF GENERAL IT CONTROLS
Information Security: management of philosophy & policy; logical security over the operating system; logical security over data; security within applications; systems administration & the use of privileged accounts; physical security; network/dial-up access; external network connections.
Computer Operations: service level agreements; problem management; business continuity; network management; operational performance & data centre environment; scheduling, preparing & running batch processes; backup & recovery; upgrades to system software.
Development & Implementation: requirements definition; design & build of in-house systems or package selection; unit, system & user testing; data conversion; go-live decision; documentation & training.
Program Change Control: management of maintenance activities; specification, authorization & tracking of change requests; unit, system & user testing; authorization of transfers to the live environment; updating technical & user documentation & training.
Database Administration
Relationship Between General IT & Application Controls. General IT controls contribute to the effectiveness of application controls. General controls do not provide direct coverage of application control objectives (e.g. completeness, accuracy, validity, restricted access). When designing & relying on application controls, the strength of the underlying general controls needs to be considered.
Relationship Between General IT & Application Controls. General controls ensure that the overall IT environment is well controlled: the IT organization meets its intended purposes & there is proper management control over IT; physical & logical security is correctly implemented & maintained; new applications & changes to existing applications are properly authorized. Application controls ensure that computer applications process as intended: business processes may be enabled by one or more applications; many common applications utilize configurable controls; controls to ensure the maintenance of data quality should be considered.
Relationship Between General IT & Application Controls. Platform Security (IT) & Restricted Application-Level Access: inappropriate access to data libraries at the platform level (for example on UNIX) circumvents any good application-level access controls that limit user access to specific transactions. External Network Security (IT) & Validity Controls (Application): weak network security that allows outsiders to access the internal network (e.g. from the internet, dial-up, or third party connections) increases the likelihood that unauthorized individuals will have an opportunity to enter invalid transaction data or standing data.
Relationship Between General IT & Application Controls. Backup & Recovery (IT) & Completeness Controls (Application): if a full day's transactions are lost due to a system disk crash, all completed transactions entered that day would be lost and would have to be re-entered the next day, if possible. Development & Implementation (IT) & Accuracy Controls (Application): user acceptance testing performed by business area personnel during the system development lifecycle helps ensure that the necessary accuracy controls built into the application are working as planned prior to production rollout.
Relationship Between General IT & Application Controls. Program Change Control (IT) & Accuracy Controls (Application): inadequate change control procedures over the application program code could allow programmers to modify the manner in which the application processes a transaction. This could intentionally or unintentionally disable input and/or balancing controls within the application that would identify transaction problems.
Relationship Between General IT & Application Controls. Problem Management (IT) & Completeness Controls (Application): inadequate procedures to identify and resolve system problems could result in numerous application transactions being processed incompletely. For example, if the nightly batch processing was interrupted, good problem management procedures would be required to identify the problem, notify the proper personnel, correct the problem and restart the batch from the prior stopping point. An application control for accuracy that requires a code to be present on a database is compromised if IT controls don't limit programmers from updating the database.
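The platform-level weakness described above (access to data libraries underneath the application) is something an IT SOX reviewer can test directly. The following is an added example, not slide content and not BP's tooling: a Python audit of the mode bits and ownership of files in an application's data directory. The directory, file names and permission modes are constructed for the example so that it runs offline; the thresholds (anything writable by group or world, anything world-readable) are an assumption about what the data owner would accept.

```python
"""Added example (not from the slides or BP): audit OS-level permissions on an
application's data library. Inappropriate platform access bypasses any
application-level restriction on which transactions a user may run.
The directory tree below is constructed in a temp dir so the check runs offline."""
import os
import stat
import tempfile


def audit_data_dir(root, expected_uid=None):
    """Walk `root` and report entries whose mode bits let accounts outside the
    application's own read or modify data behind the application's back.
    Returns a sorted list of (path relative to root, finding) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)          # lstat: do not follow links
            mode = st.st_mode
            rel = os.path.relpath(path, root)
            if stat.S_ISLNK(mode):
                # A symlink inside a data library can redirect the application
                # to a file somebody else controls, so it is a finding in itself.
                findings.append((rel, "symlink"))
                continue
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            elif mode & stat.S_IROTH and not stat.S_ISDIR(mode):
                findings.append((rel, "world-readable"))
            if mode & stat.S_IWGRP:
                findings.append((rel, "group-writable"))
            if expected_uid is not None and st.st_uid != expected_uid:
                # Assumption: every file should belong to the application's
                # service account; anything else was created out of band.
                findings.append((rel, "unexpected owner"))
    return sorted(findings)


def build_demo_tree():
    """Construct a throwaway data library with one well-protected file and
    two weak ones. Constructed sample, not real data."""
    root = tempfile.mkdtemp(prefix="appdata_")
    os.chmod(root, 0o750)
    good = os.path.join(root, "gl_postings_200611.dat")    # 0640: app account and its group only
    weak = os.path.join(root, "vendor_master.dat")         # 0666: anyone on the box can edit vendors
    leaky = os.path.join(root, "payroll_extract.csv")      # 0644: anyone on the box can read payroll
    for path, mode in ((good, 0o640), (weak, 0o666), (leaky, 0o644)):
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for rel, finding in audit_data_dir(build_demo_tree()):
        print(f"{finding:16} {rel}")
```

Run against a real data library, the `expected_uid` argument should be the uid of the application's service account; the demo passes none so that it reports on permissions alone. Findings of "world-writable" on master data files are the direct analogue of the slide's point: the application's transaction-level restrictions are irrelevant if the file can be edited at the shell.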
Application Controls
Application Controls. Manual and automated controls exist to ensure that information within the business process is: complete; accurate; valid and authorized; restricted from unauthorized access. A combination of controls is needed to PREVENT, DETECT and CORRECT processing errors.
Application Control Objectives CAVIAR Completeness Accuracy Validity Restricted Access
Application Controls- Completeness All transactions are recorded, input and accepted for processing once and only once. All transactions that are input and accepted for processing are updated to the appropriate data file. Duplicates are rejected Rejected transactions are evaluated and reentered Once data is updated to a file, that data remains correct and current on the file and represents balances that exist.
Application Controls- Completeness Examples Invoice Numbering should be system assigned and sequential. Any interfaces to the General Ledger should be complete and accurate. When entering account information, all key fields are required to ensure completeness.
Application Controls - Accuracy. Key data elements are recorded and input to the system accurately through data entry design features. Changes to standing data are accurately input. All transactions input and accepted for processing update the appropriate file. All transactions affect the proper accounting period. Accuracy controls are evaluated at the data element level.
Application Controls- Accuracy Examples SSN Data field enforces entry of 9 numeric characters. Customer credit limits determine amount range Business Unit limited to using their own GL accounts Correct Zip code required in address field Sales can only be entered in proper accounting period. Foreign currency tables are updated daily.
Application Controls - Validity. Transactions are authorized. Transactions are not fictitious and they relate to the company. Changes to standing data are authorized & reviewed.
Application Controls - Validity Examples. Buyer limits force an email to the supervisor for additional approval. Customers who require non-standard prices require management approval. Only the HR manager can approve a new employee to be added, via a special user ID. A sales order will not be accepted unless the customer number is present on the Customer Master File. To achieve appropriate segregation of duties, no one user has the ability to: a) update/create a vendor in the vendor master file; b) enter new invoices; c) select invoices for payment. Rate tables are maintained only by authorized users.
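The completeness, accuracy and validity examples on the preceding slides, carried into code as an added example (not slide content and not any particular ERP's logic). The customer master, the business-unit-to-GL-account mapping, the open accounting period and the zip-code format are constructed assumptions; the checks themselves are the ones the slides list: system-assigned sequential numbering, duplicate rejection, required key fields, data-element format checks, open-period enforcement, a customer-master lookup, credit limits, and management approval of non-standard prices.

```python
"""Added example (not from the slides or any ERP): programmed application
controls for a sales order, one check per objective on the slides.
Master data, the open period and the sample orders are constructed assumptions."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed master data (assumptions for the example).
CUSTOMER_MASTER = {"C1001": {"credit_limit": 50_000.00, "price_list": "STD"}}
GL_ACCOUNTS_BY_BU = {"BU-EU": {"4000", "4010"}, "BU-US": {"4100"}}
OPEN_PERIOD = (date(2006, 11, 1), date(2006, 11, 30))   # only this period accepts postings
ZIP_RE = re.compile(r"^\d{5}(-\d{4})?$")                 # assumed US zip format


@dataclass
class SalesOrder:
    order_id: str
    customer_id: str
    business_unit: str
    gl_account: str
    amount: float
    posting_date: date
    ship_zip: str
    price_list: str = "STD"
    approved_by: Optional[str] = None   # manager approving a non-standard price


class OrderLedger:
    """Accepts each order once and only once; rejected orders are retained so
    they can be evaluated and re-entered (the completeness objective)."""

    def __init__(self) -> None:
        self._next = 1
        self.accepted: Dict[str, SalesOrder] = {}
        self.rejected: List[tuple] = []

    def assign_order_id(self) -> str:
        # System-assigned, sequential numbering (completeness example on the slide).
        oid = f"SO{self._next:06d}"
        self._next += 1
        return oid

    def validate(self, o: SalesOrder) -> List[str]:
        problems: List[str] = []
        # Completeness: all key fields present, duplicates rejected.
        for fld in ("customer_id", "business_unit", "gl_account", "ship_zip"):
            if not getattr(o, fld):
                problems.append(f"completeness: missing {fld}")
        if o.order_id in self.accepted:
            problems.append("completeness: duplicate order id")
        # Accuracy: checks at the data-element level.
        if not ZIP_RE.match(o.ship_zip or ""):
            problems.append("accuracy: invalid zip code")
        if o.gl_account not in GL_ACCOUNTS_BY_BU.get(o.business_unit, set()):
            problems.append("accuracy: GL account not owned by business unit")
        if not OPEN_PERIOD[0] <= o.posting_date <= OPEN_PERIOD[1]:
            problems.append("accuracy: posting date outside open period")
        # Validity: the transaction relates to a real customer and is authorised.
        cust = CUSTOMER_MASTER.get(o.customer_id)
        if cust is None:
            problems.append("validity: customer not on master file")
        else:
            if o.amount > cust["credit_limit"]:
                problems.append("validity: amount exceeds credit limit")
            if o.price_list != cust["price_list"] and not o.approved_by:
                problems.append("validity: non-standard price without management approval")
        return problems

    def submit(self, o: SalesOrder) -> List[str]:
        """Accept the order or park it with its problem list for re-entry."""
        problems = self.validate(o)
        if problems:
            self.rejected.append((o, problems))
        else:
            self.accepted[o.order_id] = o
        return problems


def demo() -> Dict[str, list]:
    """Push a good order (twice) and a bad one through the ledger; returns the outcomes."""
    ledger = OrderLedger()
    ok = SalesOrder(ledger.assign_order_id(), "C1001", "BU-EU", "4000", 1200.0,
                    date(2006, 11, 18), "90210")
    bad = SalesOrder(ledger.assign_order_id(), "C9999", "BU-US", "4000", 99_999.0,
                     date(2006, 12, 1), "ABCDE", price_list="SPECIAL")
    return {
        "first entry": ledger.submit(ok),
        "duplicate entry": ledger.submit(ok),     # same order keyed a second time
        "bad order": ledger.submit(bad),
        "accepted ids": list(ledger.accepted),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:16} {result}")
```

The point of keeping the rejected list is the slide's "rejected transactions are evaluated and re-entered": a control that silently drops bad input fails the completeness objective just as surely as one that accepts it.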
Application Controls Restricted Access Protect against unauthorized amendments of data. Ensure confidentiality of data. Protect physical assets such as cash and inventory from theft or misuse.
Application Controls Restricted Access Examples Periodic review of users on the system is performed to ensure users have access to those functions and data required to perform their job functions. IT personnel are granted only temporary access to production data. Sales teams have the ability to view all of their accounts and current opportunities Pending contracts are restricted from all but the legal dept. once terms are set. System controls user access by function User access forms are completed, appropriately approved & submitted to the Security Administrator
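The segregation-of-duties rule from the validity slide and the periodic user access review on this one, as an added example (not from the slides or from BP). The role catalogue, users and login dates are constructed. Two assumptions are labelled in the code: that holding any two of the three conflicting capabilities (vendor maintenance, invoice entry, payment selection) already constitutes a violation, and a 90-day dormancy threshold. The output is the user and role listing with findings that a manager reviews and signs off, i.e. the evidence for the "control" rather than the "process" in the Process vs. Control slide.

```python
"""Added example (not from the slides or any real system): a segregation-of-
duties check and a periodic user access review report.
Roles, users and logins are constructed; the conflict rule is the slide's."""
from datetime import date, timedelta
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Constructed role catalogue (assumption: what each ERP role lets a user do).
ROLE_CAPABILITIES: Dict[str, Set[str]] = {
    "AP_CLERK": {"ENTER_INVOICE"},
    "AP_SUPERVISOR": {"SELECT_FOR_PAYMENT"},
    "VENDOR_MAINT": {"MAINTAIN_VENDOR_MASTER"},
    "AP_ALL": {"ENTER_INVOICE", "SELECT_FOR_PAYMENT", "MAINTAIN_VENDOR_MASTER"},
    "READ_ONLY": {"VIEW_REPORTS"},
}
# Slide rule: no one user may maintain vendors, enter invoices and select
# invoices for payment. Assumption here: any two of the three already conflict.
CONFLICTING = {"MAINTAIN_VENDOR_MASTER", "ENTER_INVOICE", "SELECT_FOR_PAYMENT"}
DORMANT_AFTER = timedelta(days=90)   # assumed review threshold


def effective_capabilities(roles: List[str]) -> Tuple[Set[str], List[str]]:
    """Union of capabilities across a user's roles, plus any roles missing from the catalogue."""
    caps: Set[str] = set()
    unknown: List[str] = []
    for role in roles:
        if role in ROLE_CAPABILITIES:
            caps |= ROLE_CAPABILITIES[role]
        else:
            unknown.append(role)
    return caps, unknown


def sod_conflicts(caps: Set[str]) -> List[Tuple[str, str]]:
    """Every pair of conflicting capabilities the user holds at the same time."""
    return list(combinations(sorted(caps & CONFLICTING), 2))


def access_review(users: List[dict], as_of: date) -> List[Tuple[str, str, str]]:
    """Build the findings a manager signs off: (user, finding type, detail)."""
    findings: List[Tuple[str, str, str]] = []
    for u in users:
        caps, unknown = effective_capabilities(u["roles"])
        for a, b in sod_conflicts(caps):
            findings.append((u["name"], "SOD", f"{a} + {b}"))
        for role in unknown:
            # A role nobody can explain is itself a finding: its rights are unreviewable.
            findings.append((u["name"], "UNKNOWN_ROLE", role))
        if u["hr_status"] != "ACTIVE" and u["roles"]:
            findings.append((u["name"], "LEAVER_WITH_ACCESS", u["hr_status"]))
        if u["last_login"] is None or as_of - u["last_login"] > DORMANT_AFTER:
            findings.append((u["name"], "DORMANT", "no login in 90 days"))
    return sorted(findings)


# Constructed review population (sample data, not real users).
SAMPLE_USERS = [
    {"name": "alice", "roles": ["AP_CLERK", "VENDOR_MAINT"], "hr_status": "ACTIVE", "last_login": date(2006, 11, 15)},
    {"name": "bob", "roles": ["AP_ALL"], "hr_status": "ACTIVE", "last_login": date(2006, 11, 17)},
    {"name": "carol", "roles": ["READ_ONLY"], "hr_status": "TERMINATED", "last_login": date(2006, 10, 1)},
    {"name": "dave", "roles": ["AP_SUPERVISOR"], "hr_status": "ACTIVE", "last_login": date(2006, 7, 1)},
    {"name": "erin", "roles": ["GHOST_ROLE"], "hr_status": "ACTIVE", "last_login": date(2006, 11, 10)},
]
AS_OF = date(2006, 11, 18)


def review_summary(users=SAMPLE_USERS, as_of=AS_OF) -> Dict[str, int]:
    """Count findings by type; the detailed list is what actually gets signed off."""
    counts: Dict[str, int] = {}
    for _, kind, _detail in access_review(users, as_of):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for user, kind, detail in access_review(SAMPLE_USERS, AS_OF):
        print(f"{user:8} {kind:20} {detail}")
    print(review_summary())
```

Note that the conflict is computed on effective capabilities, not on role names: a user holding one wide role (AP_ALL) shows up with the same three conflicts as a user who collected the three narrow roles over time, which is the case a name-based review misses.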