A Sarbanes-Oxley Roadmap to Business Continuity

A Sarbanes-Oxley Roadmap to Business Continuity
NEDRIX Conference, June 23, 2004
Dr. Eric Schmidt, eschmidt@controlsolutions.com
Control Solutions International, Technology Advisory, Assurance & Risk Management Group

Background
In July of 2002, the U.S. Congress passed the Sarbanes-Oxley Act (SOX), mandating that all public companies (SEC registrants) make changes to the way their financial results are reported. The legislation was a response to the high-profile failures experienced in the United States during 2001-02 and was intended to be a massive restructuring of the regulatory system governing US capital markets, one that would improve the quality of financial reporting and disclosures. The Public Company Accounting Oversight Board (PCAOB) was created to oversee the activities of the auditing profession.

The Sarbanes-Oxley Act contains two Sections (302, 404) dealing with management responsibility for controls and one Section (409) on real-time reporting.
[Diagram: the contents of the Annual Report on Form 10-K (Business, Properties, Legal Proceedings, Financial Statements: Balance Sheet, Income Statement, Cash Flow, Notes) mapped to Section 302 (Disclosure Controls and Procedures) and Section 404 (Internal Controls and Procedures for Financial Reporting).]

Three Sources of SOX Guidelines
- Frameworks (the slide names COSO and CobiT)
- Best Practices
- Future Standards

Departments Impacted by SOX (Source: The Robert Francis Group)
- Finance: 100%
- IT: 95.7%
- Sales: 43.5%
- Human Resources: 39.1%
- Customer Service: 30.4%
- Marketing: 17.4%
- Other: 8.7%

SOX-Driven Changes: Which of the following is the company changing to address SOX? (Source: Robert Francis Group)
- Audit Procedures: 78.3%
- Reporting Procedures: 52.2%
- Financial Systems: 43.5%
- Re-training of Personnel: 26.1%
- Organizational Structure: 21.7%
- Reporting Frequency: 21.7%
- Reporting Technologies: 17.4%

Complexity of SOX for IT: How does SOX compare with other compliance or regulatory projects in IT in terms of complexity and impact on resources and expense? (Source: Robert Francis Group)
- Higher: 30.4%
- Not sure / do not know: 26.1%
- Same: 17.4%
- Much Higher: 17.4%
- Lower: 4.3%
- Slightly Higher: 4.3%
48+% rated SOX impact as higher.

Does SOX Mandate an Enterprise-wide Business Continuity Process? NO
- A BCP is not required by PCAOB (March 2004)
- SAS 70 (Type 2) 3rd-party service providers
- AICPA suspended the BCP requirement during SOX
- A growing number of executives are influenced by external auditors with knowledge of business continuity and potential risks
- They conclude they must have business continuity processes or show why they do not

Defining Internal Control (IC)
- Section 404 attestation is based on two assessments: adequate documentation of ICs, and sufficient evidence (testing)
- A company must have a framework against which management can make assertions: Completeness, Accuracy, Validation (authorization), Restriction

What's Required for Key Controls: the Five W's
- WHO performs the control?
- WHAT is being done, and WHAT could go wrong?
- WHEN and WHERE is the control being performed or occurring?
- WHY is the control activity performed: to prevent or detect what?
- What evidence is there?

Why are General Controls Important?
[Figure contrasting Weak General Computer Controls with Strong General Computer Controls.]
Automated control procedures, and manual control procedures that use computer-generated information, are dependent on the effectiveness of general computer controls.

COSO Framework: Five Components
- Information and Communication: the process which ensures that relevant information is identified and communicated in a timely manner
- Risk Assessment: the evaluation of internal and external factors that impact an organization's performance
- Monitoring: the process to determine whether internal control is adequately designed, executed, effective and adaptive
- Control Activities: the policies and procedures that help ensure that actions identified to manage risk are executed and timely
- Control Environment: the control conscience of an organization; the tone at the top
All five components must be in place for a control to be effective.

Tying It All Together
[Diagram (Source: IT Governance Institute) with the following labelled layers: Control Environment / Executive Management; Business Processes (Finance, Manufacturing, Logistics, etc.); Application Controls; IT General Controls; IT Services (OS / Data / Telecom / Continuity / Networks).]

IT Control Components
- IT Considerations in the Control Environment: Systems planning; Governance; Enterprise policies; Operating style; Collaboration; Information sharing; Code of conduct; Fraud prevention
- IT General Controls: Systems security / access; Change management; System development; Computer operations
- Application Controls: Authorization; Configuration / account mapping; Exception / edit reports; Interface / conversion; System access

Roadmap to Compliance
- Tone at the Top
- Engagement
- Walk-Thru
- Assertions (C, A, V, R)
- Definition of Materiality / Significance
- Significant Accounts and Processes
- Scope: locations, cycles
- Control framework
- Remediation
- Testing
- Management certification

Roadmap to Compliance Phase I: Tone at the Top
- Identify all relevant documents, policies, procedures and communications: Audit Committee Charter; Standards of Conduct; Officer Code of Ethics; Complaint Reporting Mechanisms; Whistleblower Policies
- Assess adequacy of documentation and tone
- Internal audit monitoring and risk assessment

Roadmap to Compliance Phase II: Entity Level Assessment
[Org chart: Corporate, with Americas Region, Europe Region and Rest of World; sites shown include South Carolina, Mexico, Sao Paulo, San Diego, Chicago, Milan, Erfurt, Budapest, Marseilles, Copenhagen, Prague, China, India, Thailand, Japan and Australia, split into Manufacturing and Distribution.]
- ID material reporting organizations
- ID material units within each organization
- Materiality based on: Revenue / Assets; Subjectivity of entries / reporting; Extraordinary / one-time charges; History of issues

Roadmap to Compliance Phase III: Process Mapping
[Flow chart example: Human Resources Department candidate cycle (open position and personnel requisition form, candidate interview, offer letter, benefits summary; Employee Action Form, other payroll changes and annual increases reviewed by HR, verified against the authorized pool and input in the ADP payroll system; voluntary and involuntary termination with accrued benefits paid only when proper notice is given).]
- Cycle reviews begin with the cycles selected, the selection being based on the legal entity assessment in Phase II.
- Documentation of each cycle: Narrative of key controls; Process Map (flow chart); Control Matrix including all control objectives (Excel or software tool)
- The documents aim to provide external audit firms with a complete understanding of the flow of transactions and the controls in place.

Roadmap to Compliance Phase IV: Overall Internal Control Effectiveness
- Evaluation of the overall effectiveness of internal controls, identification of matters for improvement and the establishment of monitoring systems
- Management assessment of the effectiveness of controls
- Internal Audit provides a report detailing areas for improvement and recommendations for ensuring an environment of continuous monitoring, to maintain the system of internal control and take corrective action in a timely manner when necessary
- The External Audit Firm will commence its Attestation Dry Run

[Figure: SOX Compliance Roadmap. Source: www.erm.coso.org]

Alignment with Business Continuity
- Management involvement
- Risk Management Process and Change Management
- IT role

Key Aspects of a SOX Audit
- Segregation of Duties is Key
  - IT roles separate from process owners, specifically those in Finance
  - Hand-off from process owners requires control duality: Program & Application specific; IT & Process owner; Manual & Automated; Preventative & Detective
- Change Management is Critical
  - Records and document management
  - Configuration management
  - Business process and controls changes
- Access Restriction (Security) is Mandated

Program Development
Project management standards are defined and used for all aspects of the system development life cycle (SDLC):
- Project initiation
- Analysis and design
- Construction or package selection
- Testing and quality assurance
- Data conversion
- Go-live
- Documentation and training

Program Changes
Project management standards are defined and used for all aspects of the program change cycle:
- Specification, approval and tracking of change requests
- Construction
- Testing and quality assurance
- Authorization of transfers to the live environment, including emergency fixes and access to the live environment
- Documentation and training
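As an added example (not from the presentation), the script below turns the segregation-of-duties points of the "Key Aspects of a SOX Audit" slide and the change-authorization point of the "Program Changes" slide into checks a control tester could run over an access extract and a change log: it flags users holding both an IT role and a finance process-owner role, and change records where the developer approved or transferred their own change to live, or where an emergency fix has no documented approval. The role labels, user names and change records are constructed for the illustration.

```python
"""Segregation-of-duties and change-authorization checks (constructed example)."""
from collections import defaultdict

# Assumed role labels: which entitlements count as IT roles and which count as
# finance process-owner roles. A real review would map these from the access
# extract of the systems in scope.
IT_ROLES = {"developer", "prod_deploy", "dba"}
FINANCE_OWNER_ROLES = {"ap_approver", "gl_poster", "payroll_admin"}

# Constructed access extract: (user, role) pairs.
ENTITLEMENTS = [
    ("alice", "developer"), ("alice", "prod_deploy"),
    ("bob", "ap_approver"),
    ("carol", "developer"), ("carol", "gl_poster"),   # IT role + finance owner
    ("dave", "dba"), ("dave", "payroll_admin"),       # IT role + finance owner
]

# Constructed change log: who built the change, who approved it, who moved it
# to the live environment, and whether it was raised as an emergency fix.
CHANGES = [
    {"id": "CHG-1", "developer": "alice", "approver": "bob",
     "deployer": "erin", "emergency": False},
    {"id": "CHG-2", "developer": "alice", "approver": "alice",
     "deployer": "alice", "emergency": False},
    {"id": "CHG-3", "developer": "carol", "approver": None,
     "deployer": "erin", "emergency": True},
]


def sod_conflicts(entitlements):
    """Users whose combined roles span IT and finance process ownership."""
    roles = defaultdict(set)
    for user, role in entitlements:
        roles[user].add(role)
    return sorted(u for u, r in roles.items()
                  if r & IT_ROLES and r & FINANCE_OWNER_ROLES)


def change_findings(changes):
    """Control-duality findings per change record, as (id, description)."""
    findings = []
    for c in changes:
        if c["approver"] is None:
            # Emergency fixes still need a documented authorization.
            tag = " (emergency fix)" if c["emergency"] else ""
            findings.append((c["id"], "no documented approval" + tag))
        elif c["developer"] == c["approver"]:
            findings.append((c["id"], "developer approved own change"))
        if c["developer"] == c["deployer"]:
            findings.append((c["id"], "developer transferred own change to live"))
    return findings


if __name__ == "__main__":
    print("SoD conflicts:", sod_conflicts(ENTITLEMENTS))
    for cid, text in change_findings(CHANGES):
        print(cid, text)
```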

Situational Assessment
A recent Deloitte survey of Fortune 500 companies indicates that a significant amount of work remains* (percentage complete by activity):
- Documentation: 75%
- Evaluation of design effectiveness: 47%
- Testing of operating effectiveness: 21%
- Remediation: 21%
*Source: Does Your SOX 404 Work Measure Up?, IIA webcast, May 25, 2004

What Constitutes a Gap?*
- Deficiency: likelihood Remote and/or magnitude Inconsequential
- Significant Deficiency: likelihood More than remote, and magnitude More than inconsequential or Quantitatively significant
- Material Weakness: likelihood More than remote, and magnitude Material to the financial statements
*Source: Does Your SOX 404 Work Measure Up?, IIA webcast, May 25, 2004

A Word on Testing
Plan carefully to avoid mixed results caused by tests that are not well designed.
- Program Testing: IT management and its interaction with process owners and stakeholders
- Application Testing: functional and transaction-based testing for systems key to financial statements and reporting, plus critical systems
- Infrastructure Testing: shared services and support systems (OS, networks, backup, etc.)
- Benchmark Testing: slowly changing systems, COTS

Remediation Challenges
- Effective decision and governance process
- Complex program management initiatives
- Significant IT environment changes
- Impact on human resources
- Complex re-testing and roll-forward testing activities
- Overall need for best practices

Span of Enterprise Risk Management
- Risk types: Credit Risk; Operational Risk; Market Risk
- Operational Risk Management (ERM): overall compliance; integrated solutions
- SOX Compliance Requirements (Sarbanes-Oxley): 302 Quarterly certification by C-level management; 404 Control documentation and testing, control assurance; 409 Real-time reporting
- Government Regulations: HIPAA; Patriot Act; Basel II; GLBA; FFIEC; NRC

Risk Management & Business Continuity
- The disciplines of business continuity and risk management are often blurred
- They use similar tools and techniques, including risk assessment, business continuity planning, and BIAs
- Business continuity encompasses all processes necessary to restore business functionality during a time of crisis
- Risk management incorporates a wider variety of functions, including positive impact, negative impact, and business non-stoppage
- The inherent value of business continuity is clearer when we consider that not all risks can be managed
- Unless risk management and business continuity are institutionalized into day-to-day activities, organizations will find themselves exposed

Questions? (Source: John Wehr)