SARBANES-OXLEY Playbook: A comprehensive guide for managing compliance by CIOs for CIOs
TABLE OF CONTENTS

EXECUTIVE SUMMARY ... 1-3

THE ROLE OF THE CIO ... 4-8
  Integrate with compliance organization ... 4
  Deliver shareholder value and return on investment ... 5
  Establish a strong compliance tone ... 5
  Lead and monitor ... 6
  Coordinate with auditors ... 7

ACHIEVING COMPLIANCE ... 9-19
  Understand controls ... 10
  Identify and use a framework ... 11
  Define scope ... 13
  Evaluate IT entity-level controls and their effectiveness ... 14
  Evaluate IT general controls process design effectiveness ... 15
  Test operating effectiveness ... 16
  Consider programmed and configurable controls ... 17
  Build internal control around interfaces ... 18
  Baseline functionality ... 18

SURVIVING THE AUDIT ... 20-24
  Develop audit expectations and protocols ... 20
  Meet periodically with the external audit firm, including the audit partner ... 20
  Understand auditor objectives and language ... 21
  Obtain buy-in early on scoping decisions ... 21
  Perform detailed walk-through of design effectiveness ... 22
  Understand testing strategy and approach ... 22
  Define the protocol for escalating issues ... 23
  Create management's point of view for evaluating deficiencies ... 23

WHAT'S NEW IN YEAR TWO AND BEYOND ... 25-27
  Risk identification ... 25
  Recognition and management of change ... 26
  Relationship to other aspects of SOA ... 27

ACHIEVING ROI ... 28-31
  Efficient compliance processes and activities ... 29
  IT process enhancement ... 30
  Consolidation of IT environment ... 30
  Improvements in risk management ... 31

APPENDICES ... 32-36
  Appendix A: Glossary of Terms ... 32
  Appendix B: Tool Selection ... 34
  Appendix C: Testing Guidelines ... 35
  Appendix D: List of CIOs Interviewed ... 36
EXECUTIVE SUMMARY

The CIO Executive Council, a professional organization of leading chief information officers (CIOs), was formed in 2004 to give CIOs a united voice on important technology and critical business matters, including Sarbanes-Oxley. Many CIOs continue to struggle with the resource demands and complexities of complying with the Sarbanes-Oxley Act of 2002. To ease this burden, Council members formed a Sarbanes-Oxley Task Force last summer and began developing a resource guide to help CIOs better navigate thorny compliance issues.

The CIO Executive Council has developed this CIO Playbook to provide you, the CIO, with a view of your role in complying with the Sarbanes-Oxley Act of 2002 (SOA). Today's CIO has critical responsibilities in enabling the organization not only to meet Sarbanes-Oxley requirements but to improve processes that will help the company achieve ongoing compliance.

Much of the information contained in this Playbook came directly from CIOs. Their views and insights helped establish many of the key points in this publication and ensured that we addressed relevant topics. Interviews and other forums in which CIOs discussed the impact of Sarbanes-Oxley on them and their organizations have made it clear that there is no defined and specific approach to SOA compliance. Given that many companies either just completed or are in the final stages of first-year (or Year One) compliance, leading practices to meet SOA's objectives are only now beginning to emerge. However, some of the practices and approaches being identified are enabling companies to comply efficiently and cost-effectively. We will address these in detail in this Playbook.

A key area of concern for CIOs is the cost of SOA compliance. This Playbook does not advocate an appropriate budget for this process, yet it recognizes that it is critical for the CIO to achieve and maintain SOA compliance while effectively controlling the cost.
As noted throughout this publication, it is imperative for the CIO to be involved directly in corporate compliance leadership and in the coordination of the IT organization in the compliance process as the company works to achieve and maintain SOA compliance. In addition, there are several other key themes communicated throughout the CIO Playbook.

In Year One of Sarbanes-Oxley compliance, IT was clearly an add-on and not the primary focus of the effort. To complicate matters further, external audit firms and management have not taken a consistent approach to compliance. CIOs must recognize that IT should be one of the drivers going forward. It is possible for CIOs to drive the SOA process.

The mind-set must change that Sarbanes-Oxley is about being able to pass the external audit test. It is not about the audit; rather, it is about the CIO establishing a solid environment of internal controls.

If you have not yet started your SOA effort, it is extremely helpful to begin incorporating process thinking in your Year One SOA project. CIOs should incorporate lessons learned from others.
CIOs must resist the temptation to purchase a tool to solve the SOA puzzle. This effort is not about the tool but rather about systematically implementing IT processes.

The ultimate focus for company IT leadership must be effective controls over IT processes. There must be linkage between the application processes and the business processes.

The Playbook is organized into the following categories:

  The Role of the CIO
  Achieving Compliance
  Surviving the Audit
  What's New in Year Two and Beyond
  Achieving ROI
  Appendices

Finally, the Playbook incorporates a possible timeline for SOA compliance. Each section is linked to a portion of the timeline.

[Figure: SOA compliance timeline. Year 1: Achieving Compliance, 404 Compliance "Baseline", Surviving the Audit. Year 2 and beyond: What's New in Year Two and Beyond, Achieving ROI.]

HOW THIS DOCUMENT WAS PREPARED

In November 2004, at the request of Council membership, the CIO Executive Council initiated a project to develop a Playbook for CIOs that would assist them in understanding the basics of Sarbanes-Oxley and its impact on their role and on the IT organization. The Council's Sarbanes-Oxley Task Force, co-chaired by Marc West, SVP and CIO of H&R Block, and Larry Brown, VP IS & CIO of Arch Coal, engaged Protiviti Inc. to assist in working with the membership to develop this Sarbanes-Oxley Playbook for CIOs.

To prepare this Playbook, Protiviti professionals attended several CIO Executive Council events between December 2004 and March 2005 to interact with CIOs and understand the issues they currently are facing.
Protiviti also interviewed more than a dozen CIOs and their direct reports responsible for leading their organizations' Sarbanes-Oxley projects, and attended a CIO Executive Council event where representatives from each of the Big Four public accounting firms responded to questions posed by the CIO Executive Council. In addition to this direct interaction with the CIO Executive Council, Protiviti offered the insight and expertise it has developed in part from advising hundreds of companies on complying with the requirements of Sarbanes-Oxley.

The CIO Executive Council recognizes that the requirements of complying with the Sarbanes-Oxley Act undoubtedly will change over the coming months and years. As it is the CIO Executive Council's goal to provide timely information to its members, we will periodically update this document.