Sarbanes Oxley Compliance Data Mgmt

8/2/2019 Sarbanes Oxley Compliance Data Mgmt

    2005 Data Advantage Incorporated and Principle Partners, Inc. Page 3

    Sarbanes-Oxley Act, July 2002

Directed at over 8,000 publicly traded companies and their auditors.

It increases the responsibility of the corporate management and the auditors to personally certify the accuracy and effectiveness of financial controls and processes and the corporation's financial results.

Requirement to rotate the lead audit partner and audit review partner every five years.

Audit firm partners and staff must work more closely with the client's audit committee to satisfy Sarbanes-Oxley requirements.

Is SOX Old News?

    Not an event, but a new way of life for Corporate America!

    SOX Compliance Review Processes

    Initial Compliance Planning and SOX Management Plan

    Initial Internal Audit Review for Compliance

    Initial External Audit Review for Compliance

Annual Reviews (Section 404)

Quarterly Reviews (Section 302)

    On-going Real-time Reviews

    Significant Sections of SOX

Section 302: Corporate Responsibility for Financial Reports

The CEO and CFO of each issuer shall prepare a statement to accompany the audit report to certify the "appropriateness of the financial statements and disclosures contained in the periodic report, and that those financial statements and disclosures fairly present, in all material respects, the operations and financial condition of the issuer."

A violation of this section must be knowing and intentional to give rise to liability.

Section 302: Corporate Responsibility for Financial Reports

Sec. 302 (Quarterly)

Signing officers are responsible for:

Designing

Establishing and maintaining

Evaluating the effectiveness

Presenting conclusions

Signing officers have disclosed:

Significant deficiencies

Fraud

Significant changes

Section 404: Management Assessment of Internal Controls

Requires each annual report of an issuer to contain an "internal control report," which shall:

(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

(2) contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

Each issuer's auditor shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this section shall be in accordance with standards for attestation engagements issued or adopted by the Board. An attestation engagement shall not be the subject of a separate engagement.

The language in the report of the Committee which accompanies the bill to explain the legislative intent states, "... the Committee does not intend that the auditor's evaluation be the subject of a separate engagement or the basis for increased charges or fees."

Section 404: Management Assessment of Internal Controls

Sec. 404 (Annual)

Management states responsibility for establishing and maintaining controls

Contains an assessment of the effectiveness

Outside auditor performs attestation of management's assessment

Primary Objective is to Manage Risk

Alternatives:

Accept or ignore risk

Transfer risk (to insurance policies)

Reduce or mitigate risk

Measure and manage

Teach and train

Reduce Risk: take action and safeguard

    Consequences of SOX

IT IS ABOUT THE DATA!

Sarbanes-Oxley requires more data management than ever before.

RECORD RETENTION IS MORE STRINGENT

Sarbanes-Oxley requires auditors to retain for a seven-year period all relevant documents (work-papers, memos, correspondence and records [electronic and / or paper]) that contain conclusions, opinions, analyses or financial data created, sent or received in connection with the audit of a public company.

ENSURE TRANSPARENCY & RELIABLE PROCESS

Aimed at improving trust and investor confidence

It Will Cost Clients More

The 321 U.S. public companies responding to a Financial Executives International survey on the costs of implementing Sarbanes-Oxley said they expected to incur an increase of 38% over current audit fees.

    Source: Business Performance Management Forum, www.bpmforum.org, 2003.

    Additional Reference Sources

URL Resources

Summary of SOX Act: http://www.aicpa.org/info/sarbanes_oxley_summary.htm

Full Text of SOX Act is available from The American Institute of Certified Public Accountants (AICPA): http://www.aicpa.org/sarbanes/index.asp

Example of Approved SOX Framework

CobiT Framework, IT Governance Institute (Control Objectives for Information and related Technology): http://it.safemode.org/index.php?page=IT_Governance_Institute

ISO 17799 (International Standards Organization 17799 security standard for IT): http://www.iso17799software.com/presentation/ and http://iso-17799.com/

    Framework for SOX Compliance

    CobiT

A structure of relationships and processes to direct and control the Enterprise in order to achieve the Enterprise's goals by adding value while balancing risk vs. return over IT and its processes.

    IT Governance Institute

    Examples of CobiT Compliance Categories

10 Specific Categories*

Payroll and Personnel Expenditures

Revenue

Fixed Assets

Supply Chain

Manage Tax

Treasury

Benefits

Financial Close and Reporting

Information Technology, and

Entity Controls (controls to ensure compliance of each of the categories as a Business Entity).

    * CobiT Framework, IT Governance Institute.

Examples of CobiT IT Control Areas*

Application Systems Implementation & Maintenance

Database Implementation and Support

Information Security

Information Systems Operations

Network Support

Relationship with Outsourced Vendors

System Software Support

* CobiT Framework, IT Governance Institute.

ISO 17799: Security Standard for IT

ISO 17799 is "a comprehensive set of controls comprising best practices in information security".

The Contents of the Standard?

The ISO 17799 standard comprises ten prime sections:

Security Policy

System Access Control

Computer & Operations Management

System Development and Maintenance

Physical and Environmental Security

Compliance

Personnel Security

Security Organization

Asset Classification and Control

Business Continuity Management (BCM)

    Managing the Testing for Compliance

    1. Define the Control

    2. Define the Test

    3. Test the Control

    4. Audit the Test Results

    (now do 3 & 4 again!)

    Data for Tracking the Audit for Compliance

Control Objective Number

Control Activity Number

Control Objective and Control Activity Short Description

Control Objective and Control Activity Test Short Description

Activity Sample Collection Frequency

Activity Testing Frequency

IT Owner Responsibility

IT Competency Center Name

IT Competency Center Responsibility

Related Control Item

Managing the Audit for Compliance

Columns of the tracking sheet: Line Item #; Control Objective Number; Control Activity Number; Control Objective and Control Activity Short Description; Control Objective & Control Activity Test Short Description; Activity Sample Collection Frequency; Activity Testing Frequency; IT Owner Responsibility; IT Competency Center Name; IT Competency Center Responsibility; Related Control Item.

Line Item 1
Control Objective Number: IT-AP-01
Control Activity Number: Objective
Short Description: New application systems are appropriately implemented and function consistent with management's intentions. [COBIT: AI2,6]

Line Item 2
Control Objective Number: IT-AP-01
Control Activity Number: AP-01-01
Short Description: Implementation and Maintenance of Application Systems Process
Test Short Description: Implementation: 5 samples of implemented projects. Maintenance: from list of SAP Transports, select 10 non-project related.
Activity Sample Collection Frequency: Weekly (Implementation); Daily (Maintenance)
Activity Testing Frequency: Semi-Annual
IT Owner Responsibility: Name for Technical Responsibility
IT Competency Center Name: Application System Implementation & Maintenance
IT Competency Center Responsibility: Name for Management Responsibility

Line Item 3
Control Objective Number: IT-AP-01
Control Activity Number: AP-01-02
Short Description: Testing for Application Systems Implementation
Test Short Description: Implementation: Five samples of implemented projects from PMO shared drive. Maintenance: Obtain a list of transports from SAP production, select a sample of 10.
Activity Sample Collection Frequency: Weekly (Implementation); Daily (Maintenance)
Activity Testing Frequency: Semi-Annual
IT Owner Responsibility: Name for Technical Responsibility
IT Competency Center Name: Application System Implementation & Maintenance
IT Competency Center Responsibility: Name for Management Responsibility

Tracking Compliance - By Control Objective

Category  Compliance Area Name                             Controls*  IT Responsibility  Tests  Tested  Passed  Pending  Failed  Status
AP        Application System Implementation & Maintenance  21         Director A         30     30      30                       Green
                                                                      Director C         2      2       2                        Green
DB        Database Implementation and Support              14         Director C         10     10      10                       Green
                                                                      Director A         5      5       5                        Green
NW        Network Support                                  7          Director C         7      7       7                        Green
OP        Information Systems Operations                   7          Director D         2      2       2                        Green
                                                                      Director A         4      4       4                        Green
                                                                      Director C         2      2       2                        Green
SE        Information Security                             43         Director A         42     42      42                       Green
                                                                      Director C         44     44      44                       Green
                                                                      Director B         8      8       8                        Green
SY        System Software Support                          16         Director C         16     16      16                       Green
VE        Relationship with Outside Vendors                2          Director C         2      2       2                        Green
Totals                                                     110                           174    174     174     0        0

* Note: Several Controls have multiple Competency Center or area responsibilities with test components. Therefore, Control tests are greater than the number of controls.

    Findings & Implications

Not a one-time project, but a new way of life for corporate America

Few organizations anticipated effort or cost

Management wants payback from efforts

Advantages of stream-lined processes & controls (align with other compliance requirements)

    Future for SOX Activities

Reduced investments, because of initial efforts

Business processes are more rigorous and efficient

Risks are reduced

Stream-lined and automated controls have been integrated into the Business Processes

    SOX IT Considerations

SOX compliance would not be feasible without computerized systems.

Financial systems were among the first to be automated.

Many financial systems are based on 30-year-old design approaches:

Batch oriented

Sequential processing

Redundant data storage

Many business users are unable to distinguish the business from the system that supports it.

System requirements (e.g., business rules) may be poorly understood and poorly documented.

    Compliance Levels of Effort

1) Do the minimum required.

2) Make a reasonable effort.

3) Embrace the opportunity.

Use it to make a thorough review of policies and practices.

Tighten controls and procedures.

Recognize the importance of proactive Data Management.

Make it part of the company's DNA.

    Threats to Data Quality

Intentional:

Fraud

Disgruntled Employees

Hackers

Terrorists

Unintentional:

Poorly defined requirements.

Poorly documented systems.

Chaotic development process.

Ineffective Change Management.

Back-door access to data.

Uncontrolled redundancy.

    The Data Management Audit

Philosophical Factors    20 Points
Organizational Factors   20 Points
Procedural Factors       20 Points
Conceptual Factors       10 Points
Logical Factors          10 Points
Physical Factors         10 Points
Architectural Factors    10 Points
Total                   100 Points

    Philosophical Factors

Is Data treated as an Asset or an Expense? (2 Points)

Are there business initiatives to improve Data Quality? (2 Points)

Are there formally defined measures for Data Quality? (2 Points)

Does the CIO regularly report on Data Quality to the Executives? (2 Points)

Are Data Quality metrics included in Management Objectives? (2 Points)

20 Possible Points

If the total is more than 8 points, double the total

    Organizational Factors

Is there an Organization Unit that has the overall responsibility for Data Management? (2 Points)

Does it have a formal Charter? (1 Point)

Does it have an Enterprise-wide perspective? (2 Points)

Is it adequately resourced? (5 Points: Skilled Personnel 3 of 5, Software Tools 2 of 5)

20 Possible Points

If the total is more than 8 points, double the total

    Procedural Factors

Are Logical Data Models included in the formal Systems Development Life Cycle? (2 Points)

Is the Logical Data Model subject to business approval? (2 Points)

Is the Logical Data Model updated when the design changes? (2 Points)

Is the Logical Data Model used to generate database source code? (2 Points)

Is the Logical Data Model used in the development of a test plan? (2 Points)

20 Possible Points

If the total is more than 8 points, double the total

    Conceptual Factors

Is there a formal Information Strategy? (2 Points)

Is there an Enterprise Conceptual Data Model? (2 Points)

Is it used to kick-start development Projects? (2 Points)

Are Project data models used to update the Enterprise model? (2 Points)

Are all Project Managers aware that the Enterprise model exists? (2 Points)

10 Possible Points

If the total is less than 8 points, subtract 4 from the total

    Logical Factors

Are Business Subject Matter Experts involved with Logical Data Models? (2 Points)

Are Logical Data Models used in Business Requirements? (2 Points)

Are Data Modeling tools and techniques standardized? (2 Points)

Are there formal Data Naming Standards? (2 Points)

Are Logical and Physical models separate, but related? (2 Points)

10 Possible Points

If the total is less than 8 points, subtract 4 from the total

    Physical Factors

Is there a standardized set of data Domains? (2 Points)

Are Physical Data Models updated when the implementation changes? (4 Points)

Is the database used to enforce integrity? (1 Point)

Is the data accessed using Views? (3 Points)

10 Possible Points

If the total is less than 8 points, subtract 4 from the total

    Architectural Factors

Does all Strategic Data have a defined System of Record? (2 Points)

Is there an agreed Architectural Framework? (2 Points)

Is there a shared Metadata Repository? (2 Points)

Is Data Access functionality separate from business logic and presentation? (2 Points)

Does the Architecture cover the entire Systems Development Lifecycle? (2 Points)

10 Possible Points

    Adding it Up

60 Points or Less

A SOX Audit is likely to reveal embarrassing flaws in your financial systems.

70-80 Points

Your financial systems are not as healthy as they should be.

80-90 Points

You are doing well at managing financial data, but there is room for improvement.

90-100 Points

You are likely to have a strategic advantage over your competition.
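The Data Management Audit scoring described on the factor slides above (seven factor groups, per-question points, the "more than 8, double" and "less than 8, subtract 4" adjustments, and the "Adding it Up" bands), written out as an added Python example; it is not part of the original slides. The short question labels are paraphrases of the slide questions, and the zero floor after subtracting 4, the treatment of the unassigned 61-69 range and the repeated 80 and 90 boundaries are assumptions, since the slides do not say.

```python
from __future__ import annotations

# (name, possible points, {question: points for a "yes"}, adjustment rule) per slide.
# The three 20-point factors carry only 10 raw points and reach 20 via the doubling rule.
FACTORS = (
    ("Philosophical", 20, {"Data treated as an Asset": 2, "Data Quality initiatives": 2,
        "Formal Data Quality measures": 2, "CIO reports on Data Quality": 2,
        "Data Quality metrics in Management Objectives": 2}, "double_if_over_8"),
    ("Organizational", 20, {"Unit responsible for Data Management": 2, "Formal Charter": 1,
        "Enterprise-wide perspective": 2, "Skilled Personnel": 3, "Software Tools": 2},
        "double_if_over_8"),
    ("Procedural", 20, {"LDM in formal SDLC": 2, "LDM business approval": 2,
        "LDM updated on design change": 2, "LDM generates database source": 2,
        "LDM used in test plan": 2}, "double_if_over_8"),
    ("Conceptual", 10, {"Formal Information Strategy": 2, "Enterprise Conceptual Model": 2,
        "Model kick-starts projects": 2, "Project models update Enterprise model": 2,
        "Project Managers aware of model": 2}, "minus_4_if_under_8"),
    ("Logical", 10, {"Business SMEs involved": 2, "LDMs in Business Requirements": 2,
        "Standardized modeling tools": 2, "Formal Data Naming Standards": 2,
        "Logical and Physical models separate": 2}, "minus_4_if_under_8"),
    ("Physical", 10, {"Standardized data Domains": 2, "PDMs updated on change": 4,
        "Database enforces integrity": 1, "Data accessed via Views": 3}, "minus_4_if_under_8"),
    ("Architectural", 10, {"System of Record for Strategic Data": 2, "Agreed Framework": 2,
        "Shared Metadata Repository": 2, "Data Access separate from logic": 2,
        "Architecture covers entire SDLC": 2}, None),
)

def score_factor(factor: tuple, yes_answers: set) -> int:
    """Sum the points of the 'yes' answers, then apply that factor's adjustment rule."""
    name, possible, questions, adjustment = factor
    unknown = set(yes_answers) - set(questions)
    if unknown:
        raise ValueError(f"{name}: unknown question(s) {sorted(unknown)}")
    raw = sum(pts for q, pts in questions.items() if q in yes_answers)
    if adjustment == "double_if_over_8" and raw > 8:
        raw *= 2
    elif adjustment == "minus_4_if_under_8" and raw < 8:
        raw = max(raw - 4, 0)  # flooring at zero is an assumption; the slide is silent
    return min(raw, possible)

def score_audit(answers: dict) -> tuple[dict, int]:
    """answers: factor name -> set of questions answered 'yes'. Returns (per factor, total)."""
    per_factor = {f[0]: score_factor(f, answers.get(f[0], set())) for f in FACTORS}
    return per_factor, sum(per_factor.values())

def interpret(total: int) -> str:
    """'Adding it Up' bands. The slide leaves 61-69 unassigned and lists 80 and 90 twice;
    here upper bounds are exclusive and 61-69 joins the 70-80 band (both assumptions)."""
    if total <= 60:
        return "A SOX Audit is likely to reveal embarrassing flaws in your financial systems."
    if total < 80:
        return "Your financial systems are not as healthy as they should be."
    if total < 90:
        return "You are doing well at managing financial data, but there is room for improvement."
    return "You are likely to have a strategic advantage over your competition."

# Constructed sample: a hypothetical company answers "no" to these questions and "yes" to the rest.
SAMPLE_NO = {"Data Quality metrics in Management Objectives", "Model kick-starts projects",
             "Project models update Enterprise model", "Formal Data Naming Standards",
             "Database enforces integrity", "Data accessed via Views"}
SAMPLE_ANSWERS = {name: set(qs) - SAMPLE_NO for name, _, qs, _ in FACTORS}

if __name__ == "__main__":
    scores, total = score_audit(SAMPLE_ANSWERS)
    print(scores, total, interpret(total))
```

Note how the same raw score of 8 is left alone by both rules, while 9 raw points in a 20-point factor become 18 and 6 raw points in a 10-point factor drop to 2; the sample company lands on exactly 70.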

    The Data Management Audit Process

Interview Senior Management to determine their targets and expectations.

Assess what is actually going on.

Define the Gap.

Develop an Action Plan.

    In Summary

SOX Compliance focuses on Roles and Responsibilities, Accountability, and Audits.

It is very Process-oriented.

Compliance is not cheap.

Most companies have SOX Programs under way, some with multiple teams.

While the SOX teams and resources are in place, there is an opportunity to review Data Management policies, practices and risks.

The benefits of a small additional cost go beyond just enabling SOX Compliance.

Questions & Answers?

    Good Luck with your SOX Compliance!