Sarbanes-Oxley Act Compliance

The New Data Management Challenge
Walter Moeller - 650-631-0600 WMoeller@PrinciplePartners.Com Frank Toms - 510-417-5454 FToms2@Comcast.net
© 2005 Data Advantage Incorporated and Principle Partners, Inc.

Agenda

- Sarbanes-Oxley Act, July 2002
- Is SOX Old News?
- Significant Sections of SOX
- Primary Objective of SOX
- Consequences of SOX
- Additional Reference Sources
- Framework(s) for SOX Compliance
- Managing & Tracking the Compliance Process
- Findings & Implications
- The Future of SOX Act Compliance
- Questions and Answers

Sarbanes-Oxley Act, July 2002

- Directed at over 8,000 publicly traded companies and their auditors.
- It increases the responsibility of corporate management and the auditors to personally certify the accuracy and effectiveness of financial controls and processes and the corporation's financial results.
- Requires rotation of the lead audit partner and the audit review partner every five years.
- Audit firm partners and staff must work more closely with the client's audit committee to satisfy Sarbanes-Oxley requirements.

Is SOX Old News?

Not an event, but a new way of life for Corporate America!

SOX Compliance Review Processes
- Initial Compliance Planning and SOX Management Plan
- Initial Internal Audit Review for Compliance
- Initial External Audit Review for Compliance
- Annual Reviews (Section 404)
- Quarterly Reviews (Section 302)
- On-going Real-time Reviews

Significant Sections of SOX

Section 302: Corporate Responsibility for Financial Reports

The CEO and CFO of each issuer shall prepare a statement to accompany the audit report to certify the "appropriateness of the financial statements and disclosures contained in the periodic report, and that those financial statements and disclosures fairly present, in all material respects, the operations and financial condition of the issuer." A violation of this section must be knowing and intentional to give rise to liability.

Sec. 302 (Quarterly)
- Signing officers are responsible for:
  - Designing
  - Establishing and maintaining
  - Evaluating the effectiveness
  - Presenting conclusions
- Have disclosed:
  - Significant deficiencies
  - Fraud
  - Significant changes

Section 404: Management Assessment of Internal Controls

Requires each annual report of an issuer to contain an "internal control report," which shall: (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

Each issuer's auditor shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this section shall be in accordance with standards for attestation engagements issued or adopted by the Board. An attestation engagement shall not be the subject of a separate engagement.

The language in the report of the Committee which accompanies the bill to explain the legislative intent states, "... the Committee does not intend that the auditor's evaluation be the subject of a separate engagement or the basis for increased charges or fees."

Sec. 404 (Annual)
- Management states responsibility for establishing and maintaining controls
- Contains an assessment of the effectiveness
- Outside auditor performs attestation of management's assessment

Primary Objective is to Manage Risk

Alternatives:
- Accept or ignore risk
- Transfer risk (to insurance policies)
- Reduce or mitigate risk:
  - Measure and manage
  - Teach and train
  - Reduce risk: take action and safeguard

Consequences of SOX

- IT IS ALL ABOUT DATA! Sarbanes-Oxley requires more data management than ever before.
- RECORD RETENTION IS MORE STRINGENT. Sarbanes-Oxley requires auditors to retain for a seven-year period all relevant documents (work-papers, memos, correspondence and records [electronic and/or paper]) that contain conclusions, opinions, analyses or financial data created, sent or received in connection with the audit of a public company.
- ENSURE TRANSPARENCY & RELIABLE PROCESS. Aimed at improving trust and investor confidence.
- It Will Cost Clients More. The 321 U.S. public companies responding to a Financial Executives International survey on the costs of implementing Sarbanes-Oxley said they expected to incur an increase of 38% over current audit fees. Source: Business Performance Management Forum, www.bpmforum.org, 2003.

Additional Reference Sources

URL Resources
- Summary of SOX Act: http://www.aicpa.org/info/sarbanes_oxley_summary.htm
- Full Text of SOX Act is available from The American Institute of Certified Public Accountants (AICPA): http://www.aicpa.org/sarbanes/index.asp
- Example of Approved SOX Framework: CobiT® Framework, IT Governance Institute, Control Objectives for Information and related Technology: http://it.safemode.org/index.php?page=IT_Governance_Institute
- ISO 17799, International Standards Organization 17799 security standard for IT: http://www.iso17799software.com/presentation/ and http://iso-17799.com/

Framework for SOX Compliance: CobiT®

"A structure of relationships and processes to direct and control the Enterprise in order to achieve the Enterprise's goals by adding value while balancing risk vs. return over IT and its processes." (IT Governance Institute)

Examples of CobiT® Compliance Categories

10 Specific Categories *
- Payroll and Personnel
- Expenditures
- Revenue
- Fixed Assets
- Supply Chain
- Manage Tax
- Treasury
- Benefits
- Financial Close and Reporting
- Information Technology

and Entity Controls: controls to ensure compliance of each of the categories as a Business Entity.

* CobiT® Framework, IT Governance Institute.

Examples of CobiT® IT Control Areas *
- Application Systems Implementation & Maintenance
- Database Implementation and Support
- Information Security
- Information Systems Operations
- Network Support
- Relationship with Outsourced Vendors
- System Software Support

* CobiT® Framework, IT Governance Institute.

ISO 17799: Security Standard for IT

ISO 17799 is "a comprehensive set of controls comprising best practices in information security."

The Contents of the Standard: the ISO 17799 standard comprises ten prime sections:
- Security Policy
- Security Organization
- Asset Classification and Control
- Personnel Security
- Physical and Environmental Security
- Computer & Operations Management
- System Access Control
- System Development and Maintenance
- Business Continuity Management (BCM)
- Compliance

Managing the Testing for Compliance
1. Define the Control
2. Define the Test
3. Test the Control
4. Audit the Test Results (now do 3 & 4 again!)

Data for Tracking the Audit for Compliance
- Control Objective Number
- Control Activity Number
- Control Objective and Control Activity Short Description
- Control Objective and Control Activity Test Short Description
- Activity Sample Collection Frequency
- Activity Testing Frequency
- IT Owner Responsibility
- IT Competency Center Name
- IT Competency Center Responsibility
- Related Control Item

Managing the Audit for Compliance (example rows)

Line 1
  Control Item: IT-AP-01 (Control Objective) [COBIT: AI2.6]
  Control Objective Short Description: New application systems are appropriately implemented and function consistent with management's intentions.
  Test Short Description: Implementation: 5 samples of implemented projects. Maintenance: from the list of SAP Transports, select 10 non-project related.

Line 2
  Control Item: IT-AP-01, Control Activity Number: AP-01-01
  Control Activity Short Description: Process: Implementation and Maintenance of Application Systems
  Test Short Description: Implementation: five samples of implemented projects from the PMO shared drive. Maintenance: obtain a list of transports from SAP production and select a sample of 10.
  Activity Sample Collection Frequency: Weekly (Implementation), Daily (Maintenance)
  Activity Testing Frequency: Semi-Annual
  IT Owner Responsibility: Name for Implementation & Maintenance Responsibility
  IT Competency Center Name: Application System Technical Management
  IT Competency Center Responsibility: Name for Technical Management Responsibility

Line 3
  Control Item: IT-AP-01, Control Activity Number: AP-01-02
  Control Activity Short Description: Testing for Application Systems Implementation
  Activity Sample Collection Frequency: Weekly (Implementation), Daily (Maintenance)
  Activity Testing Frequency: Semi-Annual
  IT Owner Responsibility: Name for Implementation & Maintenance Responsibility
  IT Competency Center Name: Application System Technical Management
  IT Competency Center Responsibility: Name for Technical Management Responsibility

Therefore. Control tests are greater than the number of controls © 2005 Data Advantage Incorporated and Principle Partners.Tracking Compliance-By Control Objective Control Objective Category AP Compliance IT Area Name Responsibility Application System Implementation & Maintenance Director A Director C Database Implementation and Support Director C Director A Network Support Director C Information Systems Operations Director D Director A Director C Information Security Director A Director C Director B System Software Support Director C Relationship with Outside Vendors Director C Responsible Number of for # of Controls * Control Tests # Controls Tested # Tests Passed # of Tests Pending # Tests Failed Score Card Status 21 30 2 30 2 30 2 Green Green DB 14 10 5 7 7 7 7 Green 10 5 10 5 Green Green NW OP 7 2 4 2 43 42 44 8 42 44 8 42 44 8 Green Green Green 2 4 2 2 4 2 Green Green Green SE SY 16 16 16 16 Green VE Totals 2 Green 0 2 2 2 110 174 174 174 0 * Note: Several Controls have multiple Competency Center or area responsibilities with test components. Page 20 . Inc.

Tracking Compliance: By Person

IT Organizational Responsibility | Total Control Tests | Control Objective Category   | Tests in Area | # Tested | Passed | Pending | Failed | Not Yet Executed | Score Card Status
Director A                       | 81                  | AP Applic. Impl. & Maint.    | 30            | 30       | 30     | 0       | 0      | 0                | Green
                                 |                     | DB Database Support          | 5             | 5        | 5      | 0       | 0      | 0                | Green
                                 |                     | OP Info Sys Support          | 4             | 4        | 4      | 0       | 0      | 0                | Green
                                 |                     | SE Info Security             | 42            | 42       | 42     | 0       | 0      | 0                | Green
Director B                       | 8                   | SE Info Security             | 8             | 8        | 8      | 0       | 0      | 0                | Green
Director C                       | 83                  | AP Applic. Impl. & Maint.    | 2             | 2        | 2      | 0       | 0      | 0                | Green
                                 |                     | DB Database Support          | 10            | 10       | 10     | 0       | 0      | 0                | Green
                                 |                     | NW Network Support           | 7             | 7        | 7      | 0       | 0      | 0                | Green
                                 |                     | OP Info Sys Support          | 2             | 2        | 2      | 0       | 0      | 0                | Green
                                 |                     | SE Info Security             | 44            | 44       | 44     | 0       | 0      | 0                | Green
                                 |                     | SY System Software Support   | 16            | 16       | 16     | 0       | 0      | 0                | Green
                                 |                     | VE Relations w/ Vendors      | 2             | 2        | 2      | 0       | 0      | 0                | Green
Director D                       | 2                   | OP Info Sys Support          | 2             | 2        | 2      | 0       | 0      | 0                | Green
Totals                           | 174                 |                              | 174           | 174      | 174    | 0       | 0      | 0                |

* Note: several controls have multiple Competency Center or area responsibilities with test components; therefore the number of control tests is greater than the number of controls.

Tools
- #1 Recommendation: a database to manage data during the process
- Many vendors are coming to market with "SOX Management and Compliance Tools"
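The tracking fields and the two scorecard roll-ups above can be kept in exactly the kind of database the slide recommends. The following is an added example and not code from the original presentation: it stores the tracking fields in a SQLite table and reproduces the roll-ups by Control Objective category and by person. The IT-AP-01 / AP-01-01 / AP-01-02 rows reuse the slides' wording; the director names, the DB row, the test results and the Yellow/Red status rules are assumptions made so the roll-up has something to show.

```python
"""SOX control-test tracker: tracking fields as a SQLite table plus the
roll-ups by control objective category and by responsible director.
Added example; the sample rows and the Yellow/Red rules are assumptions."""
import sqlite3

SCHEMA = """
CREATE TABLE control_test (
    control_item      TEXT NOT NULL,   -- control objective, e.g. IT-AP-01
    activity_number   TEXT NOT NULL,   -- control activity, e.g. AP-01-01
    category          TEXT NOT NULL,   -- AP, DB, NW, OP, SE, SY or VE
    description       TEXT,
    test_description  TEXT,
    sample_frequency  TEXT,            -- Activity Sample Collection Frequency
    testing_frequency TEXT,            -- Activity Testing Frequency
    it_owner          TEXT NOT NULL,   -- IT Owner Responsibility (a director)
    competency_center TEXT,            -- IT Competency Center Name
    related_item      TEXT,            -- Related Control Item
    result            TEXT NOT NULL
        CHECK (result IN ('passed', 'failed', 'pending', 'not_executed')),
    -- one activity can have test components owned by several directors,
    -- which is why control tests outnumber controls on the scorecards
    PRIMARY KEY (control_item, activity_number, it_owner)
);
"""

FREQ = "Weekly (implementation), Daily (maintenance)"
ASTM = "Application System Technical Management"

# Constructed sample rows; owners, the DB control and results are assumed.
SAMPLE_ROWS = [
    ("IT-AP-01", "AP-01-01", "AP",
     "Process: Implementation and Maintenance of Application Systems",
     "Implementation: five implemented projects from the PMO shared drive. "
     "Maintenance: list of transports from SAP production, sample of 10.",
     FREQ, "Semi-Annual", "Director A", ASTM, None, "passed"),
    ("IT-AP-01", "AP-01-02", "AP",
     "Testing for Application Systems Implementation",
     "Same samples as AP-01-01; confirm test evidence exists for each.",
     FREQ, "Semi-Annual", "Director A", ASTM, "AP-01-01", "passed"),
    ("IT-AP-01", "AP-01-02", "AP",
     "Testing for Application Systems Implementation (network component)",
     "Firewall and routing changes for the same sampled implementations.",
     FREQ, "Semi-Annual", "Director C", "Network Support", "AP-01-01", "pending"),
    ("IT-DB-01", "DB-01-01", "DB",
     "Database changes are authorised and logged (assumed control)",
     "Sample 10 schema changes from the DBA log; match each to an approved ticket.",
     "Daily", "Quarterly", "Director C", "Database Support", None, "failed"),
]


def load(rows=SAMPLE_ROWS):
    """Create the table in memory and load the rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO control_test VALUES (?,?,?,?,?,?,?,?,?,?,?)", rows)
    return conn


def status(tests, passed, pending, failed):
    """Scorecard colour. Only Green appears on the slides; Red for any failed
    test and Yellow for anything pending or unexecuted is an assumption."""
    if failed:
        return "Red"
    if pending or passed < tests:
        return "Yellow"
    return "Green"


# The grouping column is interpolated into the SQL text, so rollup() only
# accepts two fixed column names; no caller-supplied string reaches the query.
ROLLUP = """
SELECT {col},
       COUNT(DISTINCT control_item)        AS controls,
       COUNT(*)                            AS tests,
       SUM(result IN ('passed', 'failed')) AS tested,
       SUM(result = 'passed')              AS passed,
       SUM(result = 'pending')             AS pending,
       SUM(result = 'failed')              AS failed
FROM control_test GROUP BY {col} ORDER BY {col}
"""


def rollup(conn, by):
    """'category' gives the By Control Objective view, 'it_owner' the By
    Person view. Returns {group: {controls, tests, tested, ..., status}}."""
    if by not in ("category", "it_owner"):
        raise ValueError("roll-up column must be 'category' or 'it_owner'")
    out = {}
    for key, controls, tests, tested, passed, pending, failed in conn.execute(
            ROLLUP.format(col=by)):
        out[key] = {"controls": controls, "tests": tests, "tested": tested,
                    "passed": passed, "pending": pending, "failed": failed,
                    "status": status(tests, passed, pending, failed)}
    return out


if __name__ == "__main__":
    conn = load()
    for by in ("category", "it_owner"):
        print(f"--- by {by} ---")
        for key, r in rollup(conn, by).items():
            print(f"{key:12} controls={r['controls']} tests={r['tests']} "
                  f"passed={r['passed']} pending={r['pending']} "
                  f"failed={r['failed']} {r['status']}")
```

With the sample rows, category AP rolls up to 1 control and 3 tests (Yellow, one component still pending) and Director A's own view is Green because both of his components passed; the same pending component turns Director C's scorecard Yellow and his failed DB test turns it Red. Auditors will ask for evidence per test, so in practice each row would also reference the sample list and the work-paper that records the result.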

Findings & Implications
- Not a one-time project, but a new way of life for corporate America
- Few organizations anticipated the effort or cost
- Management wants "payback from efforts"
- Advantages of stream-lined processes & controls (align with other compliance requirements)

Future for SOX Activities
- Reduced investments, because of initial efforts
- Business processes are more rigorous and efficient
- Risks are reduced
- Stream-lined and automated controls have been integrated into the Business Processes

Inc. now here’s Frank! © 2005 Data Advantage Incorporated and Principle Partners. Page 25 .Questions & Answers ? Thanks for Attending.

SOX IT Considerations
- SOX compliance would not be feasible without computerized systems.
- Financial systems were among the first to be automated.
- Many financial systems are based on 30-year-old design approaches:
  - Batch oriented
  - Sequential processing
  - Redundant data storage
- Many business users are unable to distinguish the business from the system that supports it.
- System requirements (e.g., business rules) may be poorly understood and poorly documented.

Compliance Levels of Effort
1) Do the minimum required.
2) Make a reasonable effort.
   - Tighten controls and procedures.
   - Use it to make a thorough review of policies and practices.
3) Embrace the opportunity.
   - Make it part of the company's "DNA".
   - Recognize the importance of proactive Data Management.

Threats to Data Quality
- Intentional
  - Fraud
  - Disgruntled employees
  - Hackers
  - Terrorists
- Unintentional
  - Poorly defined requirements
  - Chaotic development process
  - Ineffective Change Management
  - Poorly documented systems
  - Back-door access to data
  - Uncontrolled redundancy

The Data Management Audit
- Philosophical Factors: 20 Points
- Organizational Factors: 20 Points
- Procedural Factors: 20 Points
- Conceptual Factors: 10 Points
- Logical Factors: 10 Points
- Physical Factors: 10 Points
- Architectural Factors: 10 Points
- Total: 100 Points

Philosophical Factors (20 possible points)
- Is Data treated as an Asset or an Expense? (2 points)
- Are there business initiatives to improve Data Quality? (2 points)
- Are there formally defined measures for Data Quality? (2 points)
- Does the CIO regularly report on Data Quality to the Executives? (2 points)
- Are Data Quality metrics included in Management Objectives? (2 points)
If the total is more than 8 points, double the total.

Organizational Factors (20 possible points)
- Is there an Organization Unit that has the overall responsibility for Data Management? (2 points)
- Does it have a formal Charter? (1 point)
- Does it have an Enterprise-wide perspective? (2 points)
- Is it adequately resourced? (5 points: Skilled Personnel 3 of 5, Software Tools 2 of 5)
If the total is more than 8 points, double the total.

Procedural Factors (20 possible points)
- Are Logical Data Models included in the formal Systems Development Life Cycle? (2 points)
- Is the Logical Data Model subject to business approval? (2 points)
- Is the Logical Data Model updated when the design changes? (2 points)
- Is the Logical Data Model used to generate database source code? (2 points)
- Is the Logical Data Model used in the development of a test plan? (2 points)
If the total is more than 8 points, double the total.

Conceptual Factors (10 possible points)
- Is there a formal Information Strategy? (2 points)
- Is there an Enterprise Conceptual Data Model? (2 points)
- Is it used to kick-start development projects? (2 points)
- Are project data models used to update the Enterprise model? (2 points)
- Are all Project Managers aware that the Enterprise model exists? (2 points)
If the total is less than 8 points, subtract 4 from the total.

Logical Factors (10 possible points)
- Are Business Subject Matter Experts involved with Logical Data Models? (2 points)
- Are Logical Data Models used in Business Requirements? (2 points)
- Are Data Modeling tools and techniques standardized? (2 points)
- Are there formal Data Naming Standards? (2 points)
- Are Logical and Physical models separate, but related? (2 points)
If the total is less than 8 points, subtract 4 from the total.

Physical Factors (10 possible points)
- Is there a standardized set of data Domains? (2 points)
- Are Physical Data Models updated when the implementation changes? (4 points)
- Is the database used to enforce integrity? (1 point)
- Is the data accessed using Views? (3 points)
If the total is less than 8 points, subtract 4 from the total.

Architectural Factors (10 possible points)
- Does all Strategic Data have a defined System of Record? (2 points)
- Is there an agreed Architectural Framework? (2 points)
- Is there a shared Metadata Repository? (2 points)
- Is Data Access functionality separate from business logic and presentation? (2 points)
- Does the Architecture cover the entire Systems Development Lifecycle? (2 points)

Adding it Up
- 60 Points or Less: A SOX Audit is likely to reveal embarrassing flaws in your financial systems.
- 70 – 80 Points: Your financial systems are not as healthy as they should be.
- 80 – 90 Points: You are doing well at managing financial data, but there is room for improvement.
- 90 – 100 Points: You are likely to have a strategic advantage over your competition.
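The seven factor slides and the "Adding it Up" bands are a scoring procedure with two non-linear rules (a 20-point factor is only doubled when it scores more than 8, a 10-point factor loses 4 when it scores under 8), so the arithmetic is easy to get wrong by hand. The following scorer is an added example, not code from the original presentation. The factors, questions, point values and adjustment rules are the slides' own; the short item keys and the sample answer set are constructed. The slides leave 61 to 69 unassigned and overlap at 80 and 90, so the half-open bands in band() are an assumption of this example.

```python
"""Scorer for the Data Management Audit rubric. Added example; the item keys,
the sample answers and the exact band cut-offs are assumptions."""

# factor -> (adjustment rule from the slide, [(key, question, points), ...])
RUBRIC = {
    "Philosophical": ("double_if_over_8", [
        ("asset", "Is Data treated as an Asset rather than an Expense?", 2),
        ("initiatives", "Are there business initiatives to improve Data Quality?", 2),
        ("measures", "Are there formally defined measures for Data Quality?", 2),
        ("cio_reports", "Does the CIO regularly report on Data Quality?", 2),
        ("mbo", "Are Data Quality metrics in Management Objectives?", 2)]),
    "Organizational": ("double_if_over_8", [
        ("dm_unit", "Is there an Organization Unit responsible for Data Management?", 2),
        ("charter", "Does it have a formal Charter?", 1),
        ("enterprise_wide", "Does it have an Enterprise-wide perspective?", 2),
        ("skilled_staff", "Adequately resourced: skilled personnel?", 3),
        ("tools", "Adequately resourced: software tools?", 2)]),
    "Procedural": ("double_if_over_8", [
        ("ldm_in_sdlc", "Are Logical Data Models part of the formal SDLC?", 2),
        ("ldm_approved", "Is the LDM subject to business approval?", 2),
        ("ldm_updated", "Is the LDM updated when the design changes?", 2),
        ("ldm_generates", "Is the LDM used to generate database source code?", 2),
        ("ldm_test_plan", "Is the LDM used in developing a test plan?", 2)]),
    "Conceptual": ("subtract_4_if_under_8", [
        ("info_strategy", "Is there a formal Information Strategy?", 2),
        ("ecdm", "Is there an Enterprise Conceptual Data Model?", 2),
        ("kick_start", "Is it used to kick-start development projects?", 2),
        ("feedback", "Do project data models update the Enterprise model?", 2),
        ("pm_aware", "Are all Project Managers aware the Enterprise model exists?", 2)]),
    "Logical": ("subtract_4_if_under_8", [
        ("smes", "Are business SMEs involved with Logical Data Models?", 2),
        ("ldm_in_reqs", "Are Logical Data Models used in Business Requirements?", 2),
        ("std_tools", "Are data modeling tools and techniques standardized?", 2),
        ("naming", "Are there formal Data Naming Standards?", 2),
        ("separate", "Are Logical and Physical models separate but related?", 2)]),
    "Physical": ("subtract_4_if_under_8", [
        ("domains", "Is there a standardized set of data Domains?", 2),
        ("pdm_updated", "Are Physical Data Models updated with the implementation?", 4),
        ("db_integrity", "Is the database used to enforce integrity?", 1),
        ("views", "Is the data accessed using Views?", 3)]),
    "Architectural": ("none", [
        ("sor", "Does all Strategic Data have a defined System of Record?", 2),
        ("framework", "Is there an agreed Architectural Framework?", 2),
        ("metadata", "Is there a shared Metadata Repository?", 2),
        ("layering", "Is data access separate from business logic and presentation?", 2),
        ("sdlc_cover", "Does the Architecture cover the entire SDLC?", 2)]),
}


def score_factor(factor, yes):
    """Raw points for the items answered 'yes', then the slide's adjustment.
    A 20-point factor reaches 20 only with more than 8 raw points; a 10-point
    factor scoring under 8 loses 4, so a factor can go negative."""
    rule, items = RUBRIC[factor]
    raw = sum(points for key, _question, points in items if key in yes)
    if rule == "double_if_over_8" and raw > 8:
        return raw * 2
    if rule == "subtract_4_if_under_8" and raw < 8:
        return raw - 4
    return raw


def score(yes):
    """yes: set of item keys answered 'yes'. Returns (per-factor dict, total)."""
    per = {factor: score_factor(factor, yes) for factor in RUBRIC}
    return per, sum(per.values())


def band(total):
    """The 'Adding it Up' slide; the 61-79, 80-89 and 90+ cut-offs are assumed."""
    if total <= 60:
        return "A SOX audit is likely to reveal embarrassing flaws"
    if total < 80:
        return "Financial systems are not as healthy as they should be"
    if total < 90:
        return "Doing well, but there is room for improvement"
    return "Likely a strategic advantage over the competition"


ALL_YES = {key for _rule, items in RUBRIC.values() for key, _q, _p in items}

# Constructed answers for a hypothetical company (assumption).
SAMPLE = {"asset", "initiatives", "measures", "cio_reports", "mbo",
          "dm_unit", "charter", "enterprise_wide", "skilled_staff",
          "ldm_in_sdlc", "ldm_approved", "ldm_updated", "ldm_generates",
          "info_strategy", "ecdm", "kick_start", "feedback",
          "smes", "ldm_in_reqs", "naming",
          "domains", "pdm_updated", "views",
          "sor", "framework", "metadata", "layering"}

if __name__ == "__main__":
    per, total = score(SAMPLE)
    for factor, points in per.items():
        print(f"{factor:14} {points:3}")
    print("total", total, "->", band(total))
```

The sample answers illustrate the two rules: Organizational scores exactly 8 raw and is not doubled, while Logical scores 6 raw and drops to 2, so a company that answers "yes" to 27 of the 34 items still lands at 63 and in the second band. Answering "no" to everything gives -12 rather than 0 because three of the 10-point factors carry the subtract-4 penalty; the slides do not say to floor the total, so this scorer does not.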

The Data Management Audit Process
- Interview Senior Management to determine their targets and expectations.
- Assess what is actually going on.
- Define the Gap.
- Develop an Action Plan.

In Summary
- SOX Compliance focuses on Roles and Responsibilities, Accountability, and Audits.
- It is very process-oriented.
- Compliance is not cheap.
- Most companies have SOX Programs under way, some with multiple teams.
- While the SOX teams and resources are in place, there is an opportunity to review Data Management policies, practices and risks.
- The benefits of a small additional cost go beyond just enabling SOX Compliance.

Questions & Answers?

Good luck with your SOX Compliance!
