
© Information Systems Audit and Control Association and IT Governance Institute

Sarbanes-Oxley: A Focus on IT Controls

The Role of the IT Professional in Sarbanes-Oxley Compliance

Marios Damianides
Partner, Ernst & Young LLP
ISACA and ITGI International President
June 2004

Agenda

• About IT governance
• IT and Sarbanes-Oxley
• Implementing IT governance for compliance
• Implications for IT and IT professionals

Increasing Expectations of IT Function

Cost / Value / Risk:
• Cost efficiency
• Higher ROI
• Driving shareholder value
• Revenue generation
• Decision support
• IT governance & management
• Financial reporting
• Transparent disclosure
• Information security
• Program assurance

Internal & external stakeholders: CEO, Board of Directors, CFO, Audit Committee, COO, Shareholders, Head of IA, Regulators, Directors, Capital Markets, Business Partners, Employees, Others

Figure: expectations of the IT function rising from Important (pre-1990s) through Critical (1990s) to Urgent (post-Sarbanes-Oxley)

ITGI Research

Problems Encountered with IT in Last 12 Months (percentage of respondents)

• Inadequate view on how well IT is performing: 41%
• Operational failures of IT: 40%
• IT staffing problems: 38%
• Number of problems and incidents: 38%
• High cost of IT with low return on investment: 35%
• Lack of knowledge of critical systems: 35%
• Manageability of data: 34%
• Disconnect between IT strategy and business strategy: 28%
• Unmanaged dependencies on entities beyond direct control: 27%
• Number of errors introduced by critical systems: 24%
• None: 5%
• Other: 7%

ITGI Research

What do you hope to address through an IT governance solution/framework? (percentage of respondents)

• Alignment of IT with company strategy: 60%
• Management of risk in relation to IT operations: 56%
• Delivery of business value through IT: 52%
• Measurement of performance of IT infrastructure: 51%
• Management of IT resources against objectives: 50%
• Management of risk in relation to IT investment: 47%
• Others: 18%

Cost / Value / Risk

What Is IT Governance?

“IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.”

Board Briefing on IT Governance, 2nd Edition, IT Governance Institute, www.itgi.org

Dimensions of IT Governance

• Strategic Alignment
• Value Delivery
• Resource Management
• Risk Management
• Performance Measurement

The figure labels the dimensions with ITGI survey response rates of 34%, 34%, 50%, 39% and 49% of respondents.

Roles and Responsibilities of IT Governance

• Boards
• IT Strategy Committee
• CEOs
• Business Executives
• CIOs
• IT Steering Committee
• Technology Council
• IT Architecture Review Board

Why Now? Section 302 versus Section 404

Who
• 302: A company's management, with the participation of the principal executive and financial officers (the certifying officers)
• 404: Corporate management, executives and financial officer (“management” has not been defined by the PCAOB)

What
• 302:
  1. Certifying officers are responsible for establishing and maintaining internal control over financial reporting.
  2. Certifying officers have designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under their supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.*
  3. Any changes in the company's internal control over financial reporting that have occurred during the most recent fiscal quarter and have materially affected, or are reasonably likely to materially affect, the company's internal control over financial reporting are disclosed.
     When the reason for a change in internal control over financial reporting is the correction of a material weakness, management has a responsibility to determine whether the reason for the change and the circumstances surrounding that change are material information necessary to make the disclosure about the change not misleading.
• 404:
  1. A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company
  2. A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the company's internal control over financial reporting
  3. An assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year, including an explicit statement as to whether that internal control over financial reporting is effective
  4. A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting
  5. A written conclusion by management about the effectiveness of the company's internal control over financial reporting, included both in its report on internal control over financial reporting and in its representation letter to the auditor. The conclusion about the effectiveness of a company's internal control over financial reporting can take many forms. However, management is required to state a direct conclusion about whether the company's internal control over financial reporting is effective.
  6. Management is precluded from concluding that the company's internal control over financial reporting is effective if there are one or more material weaknesses. In addition, management is required to disclose all material weaknesses that exist as of the end of the most recent fiscal year.

When
• 302: Already in effect as of July 2002
• 404: Year-ends beginning on or after 15 November 2004**

How often
• 302: Quarterly and annual assessment
• 404: Annual assessment by management and independent auditors

* Annual for foreign private issuers
** Nonaccelerated filers (<US $75 million) can defer to 15 July 2005

The House of Internal Controls

• Executive Management and Entity-Level Controls
• People and Manual Processes / Controls
• General IT Processes / Controls
• Inherent Controls
• Configurable Controls
• Reporting Controls
• Security Controls

IT Involvement

• General controls: security, change control / maintenance, operations, development and implementation
• Summarize aggregated deficiencies (in synchronization with the overall Sarbanes effort)
• Integrate with the overall Sarbanes effort: companies have process documentation; for the full picture of the process and its controls, automated application controls should be appropriately integrated
• Document and test controls, manual and automated (in synchronization with the overall Sarbanes effort… where IT is important for the documenting and “initial testing” of automated application controls and general controls)

Implications for IT Professionals

• Develop a solid understanding of control theory: general controls and automated application controls
• Develop and incorporate an ongoing risk assessment process into IT management activities
• Develop and implement new controls for new risks identified in the risk assessment process
• Develop and maintain documentation of controls performed within the IS environment
• Continuously assess the design of controls in changing IS environments
• Learn how to test the operating effectiveness of controls within the IS environment and conduct annual tests of key controls
• Develop and maintain evidence of tests of controls

IT Must

• Enhance its knowledge of internal control
• Understand the company's Sarbanes-Oxley compliance plan
• Develop a compliance plan to specifically address IT controls
• Integrate this plan into the overall Sarbanes-Oxley compliance plan
• Perform pre-assessment of key IT controls in conjunction with key financial reporting processes
• Allow sufficient time for corrective action

IT and 404

• Understand your environment and processes: what applications/platforms/data centers support processing of significant accounts, significant processes and significant business locations/units defined by the overall Sarbanes team? What are the automated control procedures for those?
• Integrate teams
• Maintain evidence
• Understand how the audit will work in your environment

“The auditor should subject manual controls to more extensive testing than automated controls. In some circumstances, testing a single operation of an automated control may be sufficient to obtain a high level of assurance that the control operated effectively, provided that information technology general controls also are operating effectively. …” PCAOB release 2004-001

Controls Remediation

• Most organizations have a number of control deficiencies
• Deficiencies must be remedied if external audit or management deem them as “significant deficiencies” or “material weaknesses”
  o Any material weakness results in an adverse opinion on internal control!
• Deficiencies need not be remedied if
  o Risk is mitigated by other controls
  o External audit and management do not deem them as “significant”

IT Controls—A Unique Challenge

• Understanding the organization’s internal control program and financial reporting process
• Mapping IT systems to financial statements
• Identifying risks
• Designing, implementing and monitoring controls
• Documenting and testing IT controls
• Ensuring that IT controls are updated
• Monitoring IT controls

Top 10 Controls Deficiencies

#10 System documentation does not match actual process
#9 Procedures for manual processes do not exist or are not followed
#8 Custom programs, tables & interfaces unsecured
#7 Posting periods not restricted within GL application
#6 Terminated employees or departed consultants still have access
#5 Large number of users with access to “super user” transactions in production
#4 Development staff can run business transactions in production
#3 Database (e.g. Oracle) supporting Financial Applications (e.g. SAP, Oracle, Peoplesoft, JDE) not hardened
#2 Operating system (e.g. Unix) supporting Financial Applications or Portal not hardened
#1 Unidentified or unresolved segregation of duties issues
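As an added example that is not part of the original deck, the Python access review below checks a production role extract against an HR extract for three of the deficiencies listed above: terminated users still holding access (#6), development staff holding business transaction roles (#4) and segregation-of-duties conflicts (#1). The HR records, role names, department names and conflict matrix are constructed assumptions for illustration.

```python
"""Access review for deficiencies #6, #4 and #1 from the list above.
All inputs are constructed sample data, not real extracts."""
from datetime import date

REVIEW_DATE = date(2004, 6, 30)  # assumed quarter-end review date

# Constructed HR extract: status, termination date and department per user.
HR_RECORDS = {
    "asmith": {"status": "active", "term_date": None, "dept": "AP"},
    "bjones": {"status": "terminated", "term_date": date(2004, 3, 31), "dept": "AR"},
    "cdev":   {"status": "active", "term_date": None, "dept": "IT-Development"},
    "dlee":   {"status": "active", "term_date": None, "dept": "Purchasing"},
}
# Constructed production role dump: user -> roles in the financial application.
PROD_ACCESS = {
    "asmith": {"AP_INVOICE_ENTRY"},
    "bjones": {"AR_CASH_APPLY"},                           # left 2004-03-31, still enabled
    "cdev":   {"GL_JOURNAL_POST"},                         # developer posting journals
    "dlee":   {"PO_VENDOR_MAINTAIN", "AP_INVOICE_ENTRY"},  # vendor setup + invoice entry
    "ghost":  {"SUPER_USER"},                              # account with no HR record
}
# Assumed, illustrative SoD matrix: role pairs one person must not hold together.
SOD_CONFLICTS = [
    ("PO_VENDOR_MAINTAIN", "AP_INVOICE_ENTRY"),
    ("GL_JOURNAL_POST", "GL_PERIOD_CLOSE"),
]
DEV_DEPTS = {"IT-Development"}
BUSINESS_ROLE_PREFIXES = ("AP_", "AR_", "GL_", "PO_")


def review_access(hr, access, review_date=REVIEW_DATE):
    """Return (user, finding) tuples; an empty list means no exceptions."""
    findings = []
    for user, roles in sorted(access.items()):
        rec = hr.get(user)
        if rec is None:  # orphaned account: nobody in HR owns it
            findings.append((user, "no HR record for active account"))
            continue
        terminated = rec["status"] == "terminated" or (
            rec["term_date"] is not None and rec["term_date"] <= review_date)
        if terminated:  # deficiency #6
            findings.append((user, "terminated but account still active"))
        if rec["dept"] in DEV_DEPTS and any(r.startswith(BUSINESS_ROLE_PREFIXES) for r in roles):
            findings.append((user, "developer holds business transaction role"))  # #4
        for a, b in SOD_CONFLICTS:  # deficiency #1
            if a in roles and b in roles:
                findings.append((user, f"SoD conflict: {a} + {b}"))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(HR_RECORDS, PROD_ACCESS):
        print(f"{user}: {finding}")
```

Each finding is evidence for the access-review control; retaining the run date, the inputs and the output supports the "maintain evidence" point made elsewhere in the deck.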

An Implementation Road Map

Implementation Approaches

Process Model Selection Matrix (Source: Gartner Research, June 2003). Axes: level of abstraction (specific, general, holistic) against IS/IT relevance (low, moderate, high). Models placed on the matrix: TCO, ITIL, CMM, COBIT, P-CMM, Six Sigma, ISO 9000, national awards (such as Malcolm Baldrige) and scorecards.

COBIT: An IT Governance Framework

COBIT Framework product set:
• Control Objectives
• Control Practices
• Audit Guidelines
• Implementation Guide
• Management Guidelines: performance measures, critical success factors, maturity models
• Board Briefing

Practices and responsibilities by audience: Executives & Boards; Business and Technology Management; Audit, Control and Security Professionals

Questions the framework addresses: What is the IT control framework? How to assess the IT control framework? How to introduce it in the enterprise?

An open standard at www.isaca.org

To Learn More

www.itgi.org

www.isaca.org

Thank You!

Marios Damianides, Partner
Ernst & Young LLP
5 Times Square, New York, NY 10036
Phone: 212 773 5776
E-Mail: [email protected]

ISACA/ITGI International President
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: [email protected]; [email protected]
Web sites: www.isaca.org; www.itgi.org