
Agenda

Sarbanes Oxley Act Compliance (SOX)
- SOX Compliance Requirements
- Control System and Sections in SOX
- Advantages and Disadvantages of SOX

Segregation of Duties (SOD)
- SOD Conflicts
- Segregation of Duties and Role Matrix
- SOD Risks and Remediation Approach
- SOD Implementation
- Advantages of SOD

Historical Perspective of SOX


The SOX Act is a United States federal law. SOX was created as a reaction to corporate scandals:
- 1960s-1980s: Quality movement (TQM, BPR, Deming, etc.)
- 1990s: Dot-com bubble, market euphoria
- 2001: Enron
- 2002: WorldCom
- 2002: Sarbanes Oxley

It is also known as the 'Public Company Accounting Reform and Investor Protection Act' and the 'Corporate and Auditing Accountability and Responsibility Act'. It is named SOX after its sponsors, U.S. Senator Paul Sarbanes and U.S. Representative (Congressman) Michael G. Oxley.

Sarbanes Oxley Act 2002


The Act was passed to prevent the corporate and accounting scandals of prominent public companies and to protect investors. SOX is designed to protect shareholders' investments from scandal and deception. It does not apply to privately held companies. The Act contains 11 titles or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on the requirements to comply. It changes how companies manage:
- Auditors
- Financial Reporting
- Executive Responsibility
- Internal Controls

SOX Compliance Requirements


The SOX Act is based on three principles:
- Integrity
- Accuracy
- Accountability

All publicly traded companies in the United States must comply with SOX. Companies initiating their Initial Public Offering (IPO) must also comply with SOX. Companies release all relevant financial data and ensure the integrity of that data; the released data must be reliable to ensure its accuracy. Finally, the Act mandates that the Chief Executive Officer (CEO) and Chief Financial Officer (CFO) verify the data and accept accountability for errors.

Control System
What is a Control System? For SOX compliance, the process of organizing and monitoring the different procedures and processes that happen in an organization, in the best interest of the company and its investors, is called a control system. Many industries follow COSO (Committee of Sponsoring Organizations) and ITGI standards for SOX compliance. The financial reporting system is heavily dependent on a well-controlled IT environment (ITGI 2004), and internal controls include information security controls. ITGI identified the security controls required by SOX in the following areas:
- Security Policy
- Security Standards
- Access and Authentication
- Network Security
- Monitoring
- Segregation of Duties
- Physical Security

Sections of SOX
The Sarbanes-Oxley Act is arranged into eleven titles or sections. As far as compliance is concerned, the most important sections are as follows:
- Section 103 - Auditing, Quality Control, and Independence Standards and Rules: requires maintenance of all audit-related records (including electronic) for 7 years.
- Section 201 - Services outside the scope of practice of auditors.
- Section 302 - Corporate Responsibility for Financial Reports: requires the CEO and CFO to certify the accuracy of corporate financial reports.
- Section 404 - Management Assessment of Internal Controls: requires the CEO, CFO and auditors to confirm the effectiveness of internal controls for financial reporting.
- Section 406 - Code of Ethics for senior financial officers.
- Section 409 - Real Time Disclosure: requires disclosure of any significant changes in the financial state of the issuer "on a rapid and current basis."
- Section 802 - Criminal Penalties for Altering Documents: requires retention and protection of audit and related documents, including electronic records.

Importance of Sections 302 and 404
Section 302 requirements: the CEO and CFO must certify the following:
- They have reviewed the financial report (quarterly or annually)
- The report fairly represents the company's financial position
- They are responsible for disclosure controls and procedures
- They have evaluated the effectiveness of controls and procedures
- They have disclosed any weaknesses or control changes to the external auditors

Section 404 requirements: internal control reports and external auditor attestation:
- Each auditor report must contain an internal control report
- The internal control report requires the external auditors to attest to management's assertions about internal controls and procedures for financial reporting

Advantages of SOX
- Helps to organize and develop controls
- Encourages re-evaluation and monitoring of current controls
- Organizes the year-end financial process effectively
- Prevents fraud
- Improves company image

Disadvantages
- Increasing the number and functions of internal controls slows and delays financial statement preparation.
- Using current employees from outside the accounting office is not acceptable because it breaks down the internal control function.
- Global problem, local hell.

Segregation of Duties (SOD)


Segregation of Duties is the separation of incompatible business duties and/or responsibilities. Segregation of Duties deals with access controls: access control ensures that no single individual has control over two or more phases of a transaction or operation. SOD controls apply to both Information Technology and the Business Units.

Segregation of Duties ensures that:
- Errors are caught, as SOD ensures a cross-check of roles/responsibilities.
- The risk of fraud is reduced, as fraud would then require collusion between two or more individuals.
- There is a clear separation of roles/responsibilities across the various functions in the organization.
- The Sarbanes-Oxley regulation specifically states the need for good SOD controls.

What will happen if SOD does not exist?


If proper SOD does not exist in an organization, then:

- Internal access controls are ineffective.
- Materials, money, financial assets and resources may be used improperly.
- The estimation of the financial condition may be wrong.
- Financial documents produced for audits and review may be incorrect.

If the company hires good people, SOD is not an issue. Where proper SOD cannot be implemented, a mitigating control should be designed to keep a check on the unresolved SOD conflict. A mitigating control may be a check on the database where the user's creation and modification transaction data is saved, or a review of the transaction logs.

404 and Segregation of Duties


To comply with section 404 of SOX, we should:

Requirements of Management:
- Identify and document processes and SOD controls across IT security and financial processes.
- When appropriate SOD cannot be implemented, design mitigating controls and document them.
- Design monitoring controls for critical processes and critical roles.
- Implement SOD and mitigating controls.
- Ensure continuous compliance by monitoring and tracking the controls.

Requirements of Auditors:
- The auditor must understand how management contemplated Segregation of Duties in its 404 compliance program.
- The auditor must test the effectiveness of the SOD controls.

SOD Components
Incompatible job functions: to maintain proper SOD, no employee should be responsible for two or more of the following four functions for a single transaction class.
- Authorization: reviewing and approving transactions
- Record Keeping: creating and maintaining departmental records
- Asset Custody: access to and/or control of physical assets
- Reconciliation: assurance that transactions are proper

Common SOD Conflicts


Common causes of SOD conflicts:
- Lack of understanding of application security
- Excessive access assigned to the user community
- Lack of management oversight and review
- Organizational structure

Information Technology organization:
- Developers with update access to production data and mitigation processes
- Security officers with system administration capabilities

Process level:
- User with the ability to add vendors and control payments
- Payroll and employee administration capabilities
- Input and review performed by the same person

Technical Conflicts
There are two types of technical conflicts:
1. Intra Conflict
- Arises from a role (e.g. user profile) being defined with excessive conflicting privileges
- The risk is created when that role is assigned to a user through a single security object
2. Extra Conflict
- Arises from multiple security roles being assigned to a user, giving conflicting privileges through multiple security objects

[Figure: Intra Conflict - User -> Security Object -> Privileges; Extra Conflict - User -> multiple Security Objects -> Privileges]

Segregation of Duties and Role Matrix


Segregation of Duties can be represented in a role matrix. A role matrix is a two-dimensional matrix: all the roles/responsibilities and functions/processes in the enterprise are identified and placed on the two axes. For each combination of role/responsibility (x axis) and function/process (y axis), a flag marks whether the two conflict or not.

Here is a sample role matrix. This role matrix has been identified for a set of six processes and a set of six responsibilities, one for each process.

[Role matrix table: X marks the existence of a conflict]

SOD Risks
SOD conflicts exist when a user is assigned multiple roles that together allow a significant amount of control over a business process.
Control ID: the unique id that identifies a mitigating control. The Control ID should carry functional team information so that the owning team can be identified.

Mitigate Control: once you accept an SOD conflict, you must mitigate the risk caused by allowing the SOD conflict to exist. To mitigate the risk, you must assign a Mitigating Control to the SOD conflict. A Mitigating Control is in place to document:
- The reason why the risk is permitted to exist
- Names of the individuals who will own and monitor the risk
- The actions that a mitigation monitor will take to effectively monitor the risk
- The frequency with which the risk will be monitored

Remediate Control: you can remediate an SOD conflict by deleting the conflicting role assignment. The other option is to remove the conflicting transaction from within the role.

Remediation approach
Risk Identification and Remediation software helps automate all SOD-related activities. It detects even the most obscure access and authorization risks across SAP and non-SAP applications, providing protection against every potential source of risk, including segregation of duties and transaction monitoring. It:
- Enables fast access and authorization control and efficient remediation
- Mitigates access and authorization risks by automating workflows
- Enables collaboration among business and technical users

Examples of functional risks


- Create a vendor and process payment to another vendor
- Change a vendor's bank account and process payment to a fraudulent bank account
- Enter an invoice and release the invoice
- Process a purchase order to a vendor
- Create or maintain a shopping cart and approve the shopping cart
- Maintain an employee and process payroll

SOD Implementation
Implementation of SOD is done in the form of a project; the steps are described below:
- Identify the objectives of the organization and survey the nature of the jobs and job profiles in the organization.
- Identify the processes that are being followed in the organization.
- Identify the current state of roles/responsibilities and authorizations in the enterprise.
- Create the role matrix: mark roles on one axis of the matrix and functions on the other axis.
- Identify whether there will be an SOD conflict if role access to a particular function is given to a single individual. Assign Yes or No and flag the position in the matrix.
- After analyzing the SOD conflicts from the role matrix, discuss them with management and make the required changes to resolve the SOD conflicts.

- At the positions in the role matrix where SOD conflicts cannot be resolved, design mitigating controls.
- According to the findings in the role matrix, generate the roles and mitigating controls within the enterprise system.
- Create a document that clearly defines the required changes in a simple and organized manner.
- Document the various roles, processes and mitigating controls for auditing and reporting.
- Inform management of, and report, the changes required.
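As an added example (not part of the original slides), the following Python sketch applies the ideas from the Technical Conflicts, Role Matrix, SOD Risks and SOD Implementation slides: it builds the role matrix from the four incompatible functions, flags intra conflicts (one role granting conflicting functions) and extra conflicts (conflicts reached through several roles assigned to one user), looks up an assigned Control ID for accepted conflicts, and remediates by deleting a role assignment. All role names, user names and the Control ID are constructed, hypothetical values.

```python
from itertools import combinations

# The four incompatible functions from the slide; one person holds at most one per transaction class.
INCOMPATIBLE = {"authorization", "record_keeping", "asset_custody", "reconciliation"}

# Constructed sample roles (hypothetical names): role -> functions it grants.
ROLES = {
    "AP_Clerk": {"record_keeping"},
    "AP_Approver": {"authorization"},
    "Treasury": {"asset_custody"},
    "Controller": {"reconciliation"},
    "Reporting_Viewer": {"read_only"},
    "AP_Super": {"record_keeping", "authorization"},  # badly built role
}
# Constructed user assignments; the Control ID carries a functional-team prefix.
USER_ROLES = {
    "alice": {"AP_Clerk", "AP_Approver"},  # conflict reached through two roles
    "bob": {"AP_Clerk", "Controller"},     # conflict accepted and mitigated
    "carol": {"AP_Approver"},
}
MITIGATIONS = {("bob", "AP_Clerk", "Controller"): "FIN-MC-001"}

def conflicts(funcs):
    """A set of functions conflicts when it holds two or more incompatible ones."""
    return len(funcs & INCOMPATIBLE) >= 2

def intra_conflicts(roles):
    """Intra conflict: one role (security object) defined with conflicting privileges."""
    return sorted(r for r, funcs in roles.items() if conflicts(funcs))

def role_matrix(roles):
    """Role matrix: 'X' on every role pair that conflicts if one person holds both."""
    names = sorted(roles)
    return {(a, b): "X" if conflicts(roles[a] | roles[b]) else ""
            for a in names for b in names if a < b}

def extra_conflicts(user_roles, roles, mitigations):
    """Extra conflict: conflicting privileges reached through several roles of one user.
    Each finding is (user, role_a, role_b, control_id); control_id is None if unmitigated."""
    matrix = role_matrix(roles)
    findings = []
    for user, assigned in user_roles.items():
        for a, b in combinations(sorted(assigned), 2):
            if matrix[(a, b)] == "X":
                findings.append((user, a, b, mitigations.get((user, a, b))))
    return findings

def remediate(user_roles, user, role):
    """Remediation option from the slide: delete the conflicting role assignment."""
    return {u: (r - {role} if u == user else set(r)) for u, r in user_roles.items()}
```

Findings with a `None` Control ID are the unresolved conflicts that either need remediation or a documented mitigating control before the 404 review.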

Advantages of SOD
- SOD helps to manage risks.
- SOD controls support frequent audits and reviews.
- SOD controls can be used to measure and resolve the risks associated with the different roles and access to functions.
- To resolve conflicts, the various roles, functions and processes executed in the enterprise are designed according to the business needs.
