SARBANES-OXLEY Playbook. A comprehensive guide for managing compliance by CIOs for CIOs

TABLE OF CONTENTS

EXECUTIVE SUMMARY (pp. 1-3)

THE ROLE OF THE CIO (pp. 4-8)
    Integrate with compliance organization (p. 4)
    Deliver shareholder value and return on investment (p. 5)
    Establish a strong compliance tone (p. 5)
    Lead and monitor (p. 6)
    Coordinate with auditors (p. 7)

ACHIEVING COMPLIANCE (pp. 9-19)
    Understand controls (p. 10)
    Identify and use a framework (p. 11)
    Define scope (p. 13)
    Evaluate IT entity-level controls and their effectiveness (p. 14)
    Evaluate IT general controls process design effectiveness (p. 15)
    Test operating effectiveness (p. 16)
    Consider programmed and configurable controls (p. 17)
    Build internal control around interfaces (p. 18)
    Baseline functionality (p. 18)

SURVIVING THE AUDIT (pp. 20-24)
    Develop audit expectations and protocols (p. 20)
    Meet periodically with the external audit firm, including the audit partner (p. 20)
    Understand auditor objectives and language (p. 21)
    Obtain buy-in early on scoping decisions (p. 21)
    Perform detailed walk-through of design effectiveness (p. 22)
    Understand testing strategy and approach (p. 22)
    Define the protocol for escalating issues (p. 23)
    Create management's point of view for evaluating deficiencies (p. 23)

WHAT'S NEW IN YEAR TWO AND BEYOND (pp. 25-27)
    Risk identification (p. 25)
    Recognition and management of change (p. 26)
    Relationship to other aspects of SOA (p. 27)

ACHIEVING ROI (pp. 28-31)
    Efficient compliance processes and activities (p. 29)
    IT process enhancement (p. 30)
    Consolidation of IT environment (p. 30)
    Improvements in risk management (p. 31)

APPENDICES (pp. 32-36)
    Appendix A: Glossary of Terms (p. 32)
    Appendix B: Tool Selection (p. 34)
    Appendix C: Testing Guidelines (p. 35)
    Appendix D: List of CIOs Interviewed (p. 36)

EXECUTIVE SUMMARY

The CIO Executive Council, a professional organization of leading chief information officers (CIOs), was formed in 2004 to give CIOs a united voice on important technology and critical business matters, including Sarbanes-Oxley. Many CIOs continue to struggle with the resource demands and complexities of complying with the Sarbanes-Oxley Act of 2002. To ease this burden, Council members formed a Sarbanes-Oxley Task Force last summer and began developing a resource guide to help CIOs better navigate thorny compliance issues.

The CIO Executive Council has developed this CIO Playbook to provide you, the CIO, with a view of your role in complying with the Sarbanes-Oxley Act of 2002 (SOA). Today's CIO has critical responsibilities in enabling the organization not only to meet Sarbanes-Oxley requirements but also to improve processes that will help the company achieve ongoing compliance.

Much of the information contained in this Playbook came directly from CIOs. Their views and insights helped establish many of the key points in this publication and ensured that we addressed relevant topics. Interviews and other forums in which CIOs discussed the impact of Sarbanes-Oxley on them and their organizations have made it clear that there is no single, defined approach to SOA compliance. Given that many companies either have just completed or are in the final stages of first-year (or Year One) compliance, leading practices for meeting SOA's objectives are only now beginning to emerge. However, some of the practices and approaches being identified are enabling companies to comply efficiently and cost-effectively. We will address these in detail in this Playbook.

A key area of concern for CIOs is the cost of SOA compliance. This Playbook does not advocate a particular budget for this process, yet it recognizes that it is critical for the CIO to achieve and maintain SOA compliance while effectively controlling the cost.
As noted throughout this publication, it is imperative for the CIO to be involved directly in corporate compliance leadership and in the coordination of the IT organization in the compliance process as the company works to achieve and maintain SOA compliance. In addition, there are several other key themes communicated throughout the CIO Playbook.

In Year One of Sarbanes-Oxley compliance, IT was clearly an add-on and not the primary focus of the effort. To complicate matters further, external audit firms and management have not taken a consistent approach to compliance. CIOs must recognize that IT should be one of the drivers going forward. It is possible for CIOs to drive the SOA process.

The mind-set that Sarbanes-Oxley is about being able to pass the external audit test must change. It is not about the audit; rather, it is about the CIO establishing a solid environment of internal controls.

If you have not yet started your SOA effort, it is extremely helpful to begin incorporating process thinking in your Year One SOA project. CIOs should incorporate lessons learned from others.

CIOs must resist the temptation to purchase a tool to solve the SOA puzzle. This effort is not about the tool but rather about systematically implementing IT processes. The ultimate focus for company IT leadership must be effective controls over IT processes. There must be linkage between the application processes and the business processes.

The Playbook is organized into the following categories:

    The Role of the CIO
    Achieving Compliance
    Surviving the Audit
    What's New in Year Two and Beyond
    Achieving ROI
    Appendices

Finally, the Playbook incorporates a possible timeline for SOA compliance. Each section is linked to a portion of the timeline.

[Timeline figure: the labels Achieving Compliance, 404 Compliance "Baseline", Surviving the Audit, What's New in Year Two and Beyond and Achieving ROI, placed along a Year 1 / Year 2 and beyond axis.]

HOW THIS DOCUMENT WAS PREPARED

In November 2004, at the request of Council membership, the CIO Executive Council initiated a project to develop a Playbook for CIOs that would assist them in understanding the basics of Sarbanes-Oxley and its impact on their role and on the IT organization. The Council's Sarbanes-Oxley Task Force, co-chaired by Marc West, SVP and CIO of H&R Block, and Larry Brown, VP IS & CIO of Arch Coal, engaged Protiviti Inc. to assist in working with the membership to develop this Sarbanes-Oxley Playbook for CIOs. To prepare this Playbook, Protiviti professionals attended several CIO Executive Council events between December 2004 and March 2005 to interact with CIOs and understand the issues they currently are facing.

Protiviti also interviewed more than a dozen CIOs and their direct reports responsible for leading their organizations' Sarbanes-Oxley projects, and attended a CIO Executive Council event where representatives from each of the Big Four public accounting firms responded to questions posed by the CIO Executive Council. In addition to this direct interaction with the CIO Executive Council, Protiviti offered the insight and expertise it has developed in part from advising hundreds of companies on complying with the requirements of Sarbanes-Oxley.

The CIO Executive Council recognizes that the requirements of complying with the Sarbanes-Oxley Act undoubtedly will change over the coming months and years. As it is the CIO Executive Council's goal to provide timely information to its members, we will periodically update this document.