How Perforce Can Help with Sarbanes-Oxley Compliance



Similar documents
Perforce. elearning Catalog

Software Configuration Management for Embedded Systems Developers

The Business Case for Perforce SCM. Software Configuration Management Delivers A Competitive Advantage

Continuous Delivery: The New Normal for Software Development

High Availability and Disaster Recovery Solutions for Perforce

Seven Steps for Choosing a Software Configuration Management System

Practical IT Governance - Using MKS's Enterprise Software Change Management Solution for Greater Auditability and Control

Perforce Helix vs. ClearCase

The Case for Better Document Collaboration. Findings from Harris Interactive Knowledge Worker Survey, Commissioned by Perforce Software

CA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes.

Driving Your Business Forward with Application Life-cycle Management (ALM)

Leveraging Sarbanes-Oxley (SOX) to Build Better Practices

One solution for all your Source Configuration Management Needs

Regulatory Compliance Needs Process Management

The Importance of IT Controls to Sarbanes-Oxley Compliance

What Should IS Majors Know About Regulatory Compliance?

Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Frequently Asked Questions

What is Sarbanes Oxley (SOX)

Centralized Secure Vault with Serena Dimensions CM

Sarbanes-Oxley Control Transformation Through Automation

Addressing SOX compliance with XaitPorter. Version 1.0 Sept. 2014

Using COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister

The Role of Governance, Risk and Compliance in a Firm

Achieving Control: The Four Critical Success Factors of Change Management. Technology Concepts & Business Considerations

White Paper Achieving SOX Compliance through Security Information Management. White Paper / SOX

Comparison: Perforce and Microsoft Team Foundation Server (TFS)

A Sarbanes-Oxley Roadmap to Business Continuity

Distributed Software Development with Perforce Perforce Consulting Guide

2007 Executive Survey Report: Insights Into Optimizing Contact Center Performance

Realizing business flexibility through integrated SOA policy management.

engage. empower. evolve. SARBANES-OXLEY COMPLIANCE

WHITEPAPER. Compliance: what it means for databases

Making Business Intelligence Easy. White Paper Spreadsheet reporting within a BI framework

1. FPO. Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Second Edition

How To Manage Log Management

Global Software Change Management for PVCS Version Manager

Critical Privacy Questions to Ask an HCM/CRM SaaS Provider

A Guide To Evaluating a Bug Tracking System

The business benefits of database source control

How Varonis Can Help With Efforts Toward Sarbanes-Oxley Compliance

Product Financial Control Solutions Spreadsheet Workbench

Compliance with Sarbanes-Oxley and Enterprise Risk Management Creates Best Practices in Remittance Processing for Treasury and Cash Management

The Impact of Sarbanes-Oxley on the Collections Process. A Decision Analytics briefing paper from Experian

Self-Service SOX Auditing With S3 Control

An introduction to the benefits of Application Lifecycle Management

The role of integrated requirements management in software delivery.

PM Planning Configuration Management

Top Ten Ways Your HRIS Data Can Unintentionally Invite A Sarbanes-Oxley Audit

This article will provide background on the Sarbanes-Oxley Act of 2002, prior to discussing the implications for business continuity practitioners.

Title: Lucent s ITSM Journey Session #: 299 Speaker: Sheila Bridge Company: Lucent Technologies, Inc.

Comply, Improve, Transform: Regulatory Compliance Management for Software Development. Jim Duggan

Reducing Sarbanes-Oxley Operational Risk. Using. A Document Management System

WHITE PAPER. Best Practices for the Use of Data Analysis in Audit. John Verver, CA, CISA, CMC

Top Ten Keys to Gaining Enterprise Configuration Visibility TM WHITEPAPER

IBM PowerSC. Security and compliance solution designed to protect virtualized datacenters. Highlights. IBM Systems and Technology Data Sheet

Reining In SharePoint

Making Compliance Work for You

DATATRAK Customer Case Study

Using TechExcel s DevSuite to Achieve FDA Software Validation Compliance For Medical Software Device Development

The Recipe for Sarbanes-Oxley Compliance using Microsoft s SharePoint 2010 platform

IT Process Conformance Measurement: A Sarbanes- Oxley Requirement

Customer Service Strategy Guide: Customer Experience for the Millennial Generation

Overcoming Active Directory Audit Log Limitations. Written by Randy Franklin Smith President Monterey Technology Group, Inc.

Best Practices Report

BUSINESS-DRIVEN, COMPLIANT IDENTITY MANAGEMENT USING SAP NetWeaver IDENTITY MANAGEMENT

An Introduction to Continuous Controls Monitoring

BMC Control-M Workload Automation

Automation can dramatically increase product quality, leading to lower field service, product support and

Sarbanes-Oxley Compliance: Section 404-Past, Present, and Future

How to Produce an Actionable IT Service Catalog

How To Integrate Legacy Management With Distributed Systems

Resource Management. Resource Management

Industry Sound Practices for Financial and Accounting Controls at Financial Institutions

Optimizing Automation of Internal Controls for GRC and General Business Process Compliance

Take control of inbound packages

Optimizing Cloud Efficiency Through Enhanced Visibility and Control. business White paper

Version 6.1 SYSPRO Wor SYSPRO W kflo kf w lo Services

How Rational Configuration and Change Management Products Support the Software Engineering Institute's Software Capability Maturity Model

Controlling and Managing Security with Performance Tools

What s New Guide: Version 5.6

Promotion Model. CVS SUITE QUICK GUIDE 2009 Build 3701 February March Hare Software Ltd

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

Agile Power Tools. Author: Damon Poole, Chief Technology Officer

Mapping COBIT 5 with IT Governance, Risk and Compliance at Ecopetrol S.A. By Alberto León Lozano, CISA, CGEIT, CIA, CRMA

Trustworthy Computing Spring 2006

Incorporate CMMI with Corporate Governance Using Enterprise Software Change Management Solutions

Section 404 of Sarbanes-Oxley is effectively the Forced Implementation of Best Practices.

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Change Management. Why Change Management? CHAPTER

Creative Shorts: The business value of Release Management

Hybrid: The Next Generation Cloud Interviews Among CIOs of the Fortune 1000 and Inc. 5000

Weighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers

As databases grow, performance drops, backup and recovery times increase, and storage and infrastructure costs rise.

Leveraging Microsoft Privileged Identity Management Features for Compliance with ISO 27001, PCI, and FedRAMP

CDOs Should Use IT Governance and Risk Compliance Management to Advance Compliance

Information Security and Governance in ERP Implementation (JD Edwards)

Task Manager. Task Management

How to use Alertsec to Enable SOX Compliance for Your Customers

Leveraging a Maturity Model to Achieve Proactive Compliance

Building Security into the Software Life Cycle

Transcription:

How Perforce Can Help with Sarbanes-Oxley Compliance C. Thomas Tyler Chief Technology Officer, The Go To Group, Inc. In collaboration with Perforce Software

Perforce and Sarbanes-Oxley The Sarbanes-Oxley Act requires accountability in the management of systems that affect financial reporting. Perforce delivers key features necessary to comply with the law, such as access control, strong accountability, and policy enforcement tools. Better still, Perforce provides an efficient infrastructure for an automation-based approach to compliance that yields enhanced productivity a nice side benefit. 02 Sarbanes-Oxley in a Nutshell The Sarbanes-Oxley Act of 2002 is legislation aimed at improving investor confidence in the American financial trading system. The Act promotes new standards for financial reporting for public companies, and sets up a policing mechanism to ensure those standards are adhered to. The big news for information technology is Section 404 of the Act, titled Management Assessment Of Internal Controls. Section 404 effectively expands the scope of financial report auditing to include internal controls. Among other things, that involves IT systems and processes that produce financial reports. The Act requires that management of public companies attest to the effectiveness of those systems, and that registered public accounting firms audit the internal controls, then append their own independent assessments of the effectiveness of those controls. To form an opinion about the effectiveness of IT systems, financial reporting auditors are more technically savvy about the management and operation of IT systems than ever before. They re asking tough questions: How can changes made to your financial reporting software be audited? What Software Configuration Management systems are in place, and are they used for all systems that significantly affect financial reports? What access controls are in place to prevent unauthorized personnel from modifying financial reporting systems? What is your change management workflow? For those in the software development world who have been involved in efforts to improve the software development process, these are familiar questions. Sarbanes- Oxley simply forces public companies to answer them, at least with regard to those systems contributing significantly to financial reporting. What You Need to Know About Sarbanes-Oxley Compliance If you work for a public company, you need to know that following established best practices for development and maintenance of certain software systems those that can significantly impact financial reporting is now required by law. Audits of financial reports go far deeper than just reviewing the financial reports. They go into the heart of IT systems that produce those reports. The law makes it clear that corporate executives are responsible for attesting to the quality of the controls that produce their financial reports, and that statements they make must be auditable. Further, auditors from public accounting firms are responsible How Perforce Can Help with Sarbanes-Oxley Compliance

for making their own independent assessments of the effectiveness of the company s controls. How do auditors determine what s effective? It turns out they have some good ideas about how to ensure that IT systems are managed effectively, because best practices have been established, have evolved, and have matured within the software world for decades. Established disciplines such as configuration management and change management have evolved to help answer the questions auditors love to ask, such as Who changed what?, When did they do it?, and Why? With Sarbanes-Oxley, you can t get away with answering those questions just once during the audit. You have to show how the systems you have in place can answer those questions at any time. This is reinforced by Section 409 of the Sarbanes-Oxley Act, titled Real Time Issuer Disclosures. Thus, there s a natural tendency for auditors to favor solutions involving extensive automation. Prior to Sarbanes-Oxley, audits focused primarily on the resulting financial reports, and rarely on internal controls surrounding the systems companies used to generate those reports. When audits of systems Established disciplines such as configuration management and change management have evolved to help answer the questions auditors love to ask, such as Who changed what?, When did they do it?, Who approved the change?, and Why? With Sarbanes-Oxley, you can t get away with answering those questions just once during the audit. did occur, the standards used to evaluate a company s systems weren t consistent. With Sarbanes-Oxley, the efforts of public auditing firms are now coordinated by the Public Company Accounting Oversight Board, or PCAOB (http://www.pcaob.org), which was charted by the law. The PCAOB is responsible for establishing and adopting standards used for auditing internal controls of public companies. The Board ensures that internal controls of all public companies are audited against a common set of standards. What are the auditors looking for from CIOs and IT managers? They re looking to make sure that systems used to produce financial reports follow industry best practices. Although the law doesn t explicitly define best practices, in practice auditors rely on established standards for measuring the maturity of various processes. For example, if your organization has been climbing the SEI scale, 1 or working toward ISO 9001 certification, you ll be able to answer some of the auditors initial questions quickly. Auditors consider a wide range of factors, such as the ability of your process to provide basic quality assurance, and the ability of your systems to assure that only authorized personnel have access, to name a few things. 03 1. The SEI scale is an informal reference to the Software Engineering Institute s Capability Maturity Model.

04 Prominent features that make Perforce particularly well suited to Sarbanes- Oxley compliance efforts Configuration management. Software Development Life Cycle (SDLC) support, including support for clear handoffs and promotions. Promotions can involve anything represented as a file: source code; documents; and runtime environment files such as libraries, executables, images, and even large files such as CD images. Access controls and the ability to assign promotion authority to groups of authorized users. Audit trails for various activities. Ability to rollback changes. Change management for runtime environments. Document management and document promotion. Change review notification. Policy enforcement triggers. Integrated enhancement, bug, and issue tracking. Workflow process management support. capability level scale, CM is one of the key process areas that your organization needs to establish. When auditors are seeking to determine the effectiveness of internal controls, their job, and your audit, will go a lot easier if you can show that you have the basics, such as CM, under control. One word of caution: be wary of scope creep in your efforts to comply with Sarbanes-Oxley. The reality of modern public companies is that everyone depends extensively on IT to support financial reporting. The intent of Sarbanes-Oxley is to ensure that the IT systems used for financial reporting have effective controls that are designed and operated in such a way that they re reliable. The focus is on just those IT systems that can materially affect your financial reporting. Sarbanes-Oxley audits typically start with an assessment of just which systems and controls should be audited. The scope of a Sarbanes-Oxley audit is limited with regards to IT: it doesn t apply to your products or services, which can also rely extensively on IT. For reasons of efficiency, you might want all such systems to follow best practices, but that s going above and beyond what s required for Sarbanes-Oxley. For example, take Configuration Management (CM) as a sample discipline. Within the software development world, CM (sometimes called SCM, for Software Configuration Management) is considered the foundation of any organized software development process. When you attempt to achieve any measure of quality for a software development process, CM infrastructure must be in place, just as surely as the computer network. For example, to climb only to Maturity Level 2 on the Software Engineering Institute s Ways Perforce Helps with Compliance Yes, Perforce can indeed help with compliance. In practice, Sarbanes- Oxley compliance projects often involve automation of internal controls. To that end, Perforce takes you much farther down the road to Sarbanes-Oxley compliance than traditional SCM systems. Perforce provides strong mechanisms to ensure compliance with established policies. Perforce s extremely efficient and robust architecture allows you to use it to manage much more than source code, extending the ability to How Perforce Can Help with Sarbanes-Oxley Compliance

Figure 1: Perforce managing runtime environments 05 1. The Development Release Area is a no humans allowed area, populated by automated build processes. Several builds are shown deposited here. 2. Selected builds were promoted to the QA Release Area. 3. Software from the QA Release Area was deployed to a runtime environment on the QAWWW301 machine. 4. The QA d software was later deployed to Production runtime servers: Web105, Web106, and Web109. 5. You can see the details of when and where changes occurred. You can use Perforce policy enforcement mechanisms to ensure certain information is provided to allow a promotion, such as QA Signoff or an authorization ID.

06 support Sarbanes-Oxley objectives. And Perforce s powerful visualization tools can allow you to verify, for example, that software in Production first went to a QA environment. Sarbanes-Oxley audits go broadly and deeply into IT systems involved in financial reporting you need to do more than simply mark off a checkbox indicating that you have a CM system in place. Auditors take a big picture view, and they re responsible for making judgments about the overall effectiveness of your processes. A truly modern software production line that takes advantage of Perforce s extensive functionality goes a long way toward giving auditors the impression that you have everything in order and that makes them less likely to feel the need to dig deeply and look for holes. Perforce is an advanced SCM system, and provides a comprehensive foundation for a modern software production line. A Perforcebased software production line takes advantage of many aspects of Perforce s functionality that help support Sarbanes- Oxley objectives. Because Perforce is particularly efficient at distribution of vast numbers of text and binary files, it s often used not only to manage source code, but also to handle distribution of files to live, runtime environments. The benefits of using an SCM system in this role are particularly apparent in light of Sarbanes-Oxley compliance, because the ability to answer Perhaps the best thing about using Perforce to support your Sarbanes-Oxley compliance efforts is that the value added by using Perforce translates into a return on investment. whodunit-type questions applies not just to the source code, but to actual updates to runtime environments, such as Production or QA. For example, Perforce can answer questions such as, Who made updates to our Production systems today, who authorized them, and when did they occur? Figure 1 illustrates selected builds being promoted to new codelines. Note the details of when and where the changes occurred, as well as who made the changes and who authorized them. SCM systems generally provide good accountability and audit trails, but their use has traditionally been relegated to source code control. Perforce is typically used for much more, due to its efficiency at managing and incrementally distributing files. By extending its scope of control, Perforce becomes the heart of a runtime-environment management system, extending its strong controls and auditing capabilities far beyond the realm of source code. Perforce also provides document management functionality. Various documents, such as standards, policies, and procedures manuals that affect financial reporting systems of a public company are within the scope of an internal controls audit. Perforce can provide a clear workflow for documents, segregating in work or proposed policy documents, for example, from approved documents. Using Perforce to manage documents provides a clear audit trail for documents as they move through that life cycle, and also provides whodunit information for those documents. How Perforce Can Help with Sarbanes-Oxley Compliance

One interesting, often unexpected benefit of Sarbanes-Oxley compliance projects is the way they lead to enhanced communication, especially within larger organizations. For example, during this author s experience with Sarbanes-Oxley compliance projects, the first sign that an audit was in progress was a series of requests for Perforce licenses from business units that had never had a reason to interact previously. Until that point, Perforce had been associated primarily with the software development business unit within the organization. It became clear that other business units had CM needs as well. What followed was a wider appreciation of the benefits of Perforce within the enterprise, as more and more systems were put into Perforce, some driven by Sarbanes-Oxley compliance, others after they learned of the process benefits of doing so, such as process automation and rollback support. Technical experts from across organizational boundaries collaborated on compliance projects. The job got done, and the new relationships resulted in collateral benefit for the organization as a whole. Perhaps the best thing about using Perforce to support your Sarbanes-Oxley compliance efforts is that the value added by using Perforce translates into a return on investment. Sarbanes-Oxley driven compliance projects have yielded unexpected benefits in terms of increased efficiency through automation using Perforce. As mentioned earlier, auditors tend to favor internal controls that feature extensive automation, and Perforce is all about providing a foundation for a highly efficient automated software production line. 07

www.perforce.com North America Perforce Software Inc. 2320 Blanding Ave Alameda, CA 94501 USA Phone: +1 510.864.7400 info@perforce.com Europe Perforce Software UK Ltd. West Forest Gate Wellington Road Wokingham Berkshire RG40 2AQ UK Phone: +44 (0) 845 345 0116 uk@perforce.com Australia Perforce Software Pty. Ltd. Level 10, 100 Walker Street North Sydney NSW 2060 AUSTRALIA Phone: +61 (0)2 8912-4600 au@perforce.com Copyright 2006 Perforce Software Inc. All rights reserved.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information