1 / 39

Sarbanes-Oxley Act Compliance

Agenda. Sarbanes-Oxley Act, July 2002 Is SOX Old News ? Significant Sections of SOX Primary Objective of SOX Consequences of SOX Additional Reference Sources Framework(s) for SOX Compliance Managing

maya
Download Presentation

Sarbanes-Oxley Act Compliance

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

    1. Sarbanes-Oxley Act Compliance

    2. Agenda Sarbanes-Oxley Act, July 2002 Is SOX Old News ? Significant Sections of SOX Primary Objective of SOX Consequences of SOX Additional Reference Sources Framework(s) for SOX Compliance Managing & Tracking The Compliance Process Findings & Implications The Future of SOX Act Compliance Questions and Answers

    3. Sarbanes-Oxley Act, July 2002 Directed at over 8,000 publicly traded companies and their auditors. It increases the responsibility of the corporate management and the auditors to personally certify the accuracy and effectiveness of financial controls and processes and the corporations’ financial results. Requirement to rotate the lead audit partner and audit review partner every five years. Audit firm partners and staff must work more closely with the client’s audit committee to satisfy Sarbanes-Oxley requirements.

    4. Is SOX Old News ? Not an event, but a new way of life for Corporate America! SOX Compliance Review Processes Initial Compliance Planning and SOX Management Plan Initial Internal Audit Review for Compliance Initial External Audit Review for Compliance Annual Reviews (Section 404) Quarterly Reviews (Section 302) On-going Real-time Reviews

    5. Significant Sections of SOX

    6. Section 302: Corporate Responsibility for Financial Reports The CEO and CFO of each issuer shall prepare a statement to accompany the audit report to certify the "appropriateness of the financial statements and disclosures contained in the periodic report, and that those financial statements and disclosures fairly present, in all material respects, the operations and financial condition of the issuer." A violation of this section must be knowing and intentional to give rise to liability.

    7. Section 302: Corporate Responsibility for Financial Reports Sec. 302 (Quarterly) Signing officers are responsible for Designing Establishing and maintaining Evaluating the effectiveness Presenting conclusions Have disclosed Significant deficiencies Fraud Significant changes

    8. Section 404: Management Assessment of Internal Controls Requires each annual report of an issuer to contain an "internal control report," which shall: (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. Each issuer's auditor shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this section shall be in accordance with standards for attestation engagements issued or adopted by the Board. An attestation engagement shall not be the subject of a separate engagement. The language in the report of the Committee which accompanies the bill to explain the legislative intent states, "--- the Committee does not intend that the auditor's evaluation be the subject of a separate engagement or the basis for increased charges or fees."

    9. Section 404: Management Assessment of Internal Controls Sec. 404 (Annual) Management states responsibility for establishing and maintaining controls Contains an assessment of the effectiveness Outside auditor performs attestation of management’s assessment

    11. Consequences of SOX IT IS THE ABOUT DATA! Sarbanes-Oxley requires more data management than ever before. RECORD RETENTION IS MORE STRINGENT Sarbanes-Oxley requires auditors to retain for a seven-year period all relevant documents (work-papers, memos, correspondence and records [electronic and / or paper]) that contain conclusions, opinions, analyses or financial data created, sent or received in connection with the audit of a public company. ENSURE TRANSPARENCY & RELIABLE PROCESS Aimed at improving trust and investor confidence

    12. Additional Reference Sources URL Resources Example of Approved SOX Framework

    13. Framework for SOX Compliance CobiT® “A structure of relationships and processes to direct and control the Enterprise in order to achieve the Enterprise’s goals by adding value while balancing risk vs. return over IT and its processes.” IT Governance Institute

    14. Examples of CobiT® Compliance Categories 10 Specific Categories * Payroll and Personnel Expenditures Revenue Fixed Assets Supply Chain Manage Tax Treasury Benefits Financial Close and Reporting Information Technology, and Entity Controls Controls to ensure compliance of each of the categories as a Business Entity.

    15. Examples of CobiT® IT Control Areas* Application Systems Implementation & Maintenance Database Implementation and Supports Information Security Information Systems Operations Network Support Relationship with Outsourced Vendors System Software Support

    16. ISO 17799-Security Standard for IT ISO17799 is "a comprehensive set of controls comprising best practices in information security” The Contents of the Standard? The ISO 17799 standard comprises ten prime sections: Security Policy  System Access Control Computer & Operations Management System Development and Maintenance Physical and Environmental Security Compliance Personnel Security Security Organization Asset Classification and Control Business Continuity Management (BCM)

    17. Managing the Testing for Compliance Define the Control Define the Test Test the Control Audit the Test Results (now do 3 & 4 again!)

    18. Data for Tracking the Audit for Compliance Control Objective Number Control Activity Number Control Objective and Control Activity Short Description Control Objective and Control Activity Test Short Description Activity Sample Collection Frequency Activity Testing Frequency IT Owner Responsibility IT Competency Center Name IT Competency Center Responsibility Related Control Item

    19. Managing the Audit for Compliance

    20. Tracking Compliance-By Control Objective

    21. Tracking Compliance – By Person

    22. Tools # 1 Recommendation Database to manage data during the process Many vendors coming to market with “SOX Management and Compliance Tools”

    23. Findings & Implications Not a one-time project, but a new way of life for corporate America Few organizations anticipated effort or cost Management wants ‘payback from efforts’ Advantages of stream-lined processes & controls (Align with other compliance requirements)

    24. Future for SOX Activities Reduced investments, because of initial efforts Business processes are more rigorous and efficient Risks are reduced Stream-lined and automated controls have been integrated into the Business Processes

    25. Questions & Answers ?

    26. SOX IT Considerations SOX compliance would not be feasible without computerized systems. Financial systems were among the first to be automated. Many financial systems are based on 30 year old design approaches Batch oriented Sequential processing Redundant data storage Many business users are unable to distinguish the business from the system that supports it. System requirements (e.g., business rules) may be poorly understood and poorly documented.

    27. Compliance Levels of Effort 1) Do the minimum required. 2) Make a reasonable effort. 3) Embrace the opportunity. Use it to make a thorough review of policies and practices. Tighten controls and procedures. Recognize the importance of proactive Data Management. Make it part of the company’s “DNA”.

    28. Threats to Data Quality Intentional Fraud Disgruntled Employees Hackers Terrorists Unintentional Poorly defined requirements. Poorly documented systems. Chaotic development process. Ineffective Change Management. Back-door access to data. Uncontrolled redundancy.

    29. The Data Management Audit Philosophical Factors Organizational Factors Procedural Factors Conceptual Factors Logical Factors Physical Factors Architectural Factors

    30. Philosophical Factors Is Data treated as an Asset or an Expense? Are there business initiatives to improve Data Quality. Are there formally defined measures for Data Quality? Does the CIO regularly report on Data Quality to the Executives? Are Data Quality metrics included in Management Objectives.

    31. Organizational Factors Is there an Organization Unit that has the overall responsibility for Data Management? Does it have a formal Charter? Does it have an Enterprise-wide perspective? Is it adequately resourced? Skilled Personnel Software Tools

    32. Procedural Factors Are Logical Data Models included in the formal Systems Development Life Cycle? Is the Logical Data Model subject to business approval? Is the Logical Data Model updated when the design changes? Is the Logical Data Model used to generate database source code? Is the Logical Data Model used in the development of a test plan?

    33. Conceptual Factors Is there a formal Information Strategy? Is there an Enterprise Conceptual Data Model? Is it used to kick-start development Projects? Are Project data models used to update the Enterprise model? Are all Project Managers aware that the Enterprise model exists?

    34. Logical Factors Are Business Subject Matter Experts involved with Logical Data Models? Are Logical Data Models used in Business Requirements? Are Data Modeling tools and techniques standardized? Are there formal Data Naming Standards? Are Logical and Physical models separate, but related?

    35. Physical Factors Is there a standardized set of data Domains? Are Physical Data Models updated when the implementation changes? Is the database used to enforce integrity? Is the data accessed using Views?

    36. Architectural Factors Does all Strategic Data have a defined System of Record? Is there an agreed Architectural Framework? Is there a shared Metadata Repository? Is Data Access functionality separate from business logic and presentation? Does the Architecture cover the entire Systems Development Lifecycle?

    37. Adding it Up 60 Points or Less A SOX Audit is likely to reveal embarrassing flaws in your financial systems. 70 – 80 Points Your financial systems are not as healthy as they should be. 80 – 90 Points You are doing well at managing financial data, but there is room for improvement. 90 – 100 Points You are likely to have a strategic advantage over your competition.

    38. The Data Management Audit Process Interview Senior Management to determine their targets and expectations. Assess what is actually going on. Define the Gap. Develop an Action Plan.

    39. In Summary SOX Compliance focuses on Roles and Responsibilities, Accountability, and Audits. It is very Process-oriented. Compliance is not cheap. Most companies have SOX Programs under way, some with multiple teams. While the SOX teams and resources are in place, there is an opportunity to review Data Management policies, practices and risks. The benefits of a small additional cost go beyond just enabling SOX Compliance.

    40. Questions & Answers ?

More Related