1 / 59

Lessons Learned from Sarbanes-Oxley: A Data Perspective

Lessons Learned from Sarbanes-Oxley: A Data Perspective. By Gwen Thomas Editor, SOX-online. Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com. Agenda. Lessons Learned from Sarbanes-Oxley: A Data Perspective. Morning Overview Introductions

kallima
Download Presentation

Lessons Learned from Sarbanes-Oxley: A Data Perspective

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Lessons Learned from Sarbanes-Oxley:A Data Perspective By Gwen Thomas Editor, SOX-online Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  2. Agenda Lessons Learned from Sarbanes-Oxley: A Data Perspective Morning • Overview • Introductions • What Do You Want? • Background • How Important is SOX? • Affect of SOX on Your Company andThe Change in Executive Mindset • The New Paradigm for Data Departments: Do it – Control it – Doc it – Prove it • Talking the Talk • The Language of Risk Management • What Risks Do You Manage?

  3. Agenda Lessons Learned from Sarbanes-Oxley: A Data Perspective Afternoon • Controls • Definitions • The Controls Hierarchy • Results of Audits • Common Control Deficiencies • Database Controls • Challenges and Opportunities • Where Are You at Risk? • How Can You Benefit From SOX?

  4. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities Introductions Gwen Thomas • Editor of www.sox-online.comand SarboxAlert www.riskcenter.com/sarboxalertdownload.php • Consultant in Data Governance and Sarbanes-Oxley issuesindependently and in partnership withsystem integrator CIBER, Inc. • Recent work: • NDCHealth • Mail-Well • ESAI • Giant Eagle • A Northeastern Blue Cross- Blue Shield • Walt Disney World • Ford International Headquarters • Coors Brewing Company Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  5. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities Introductionswww.SOX-online.com • Free • The web's largest vendor-neutral Sarbanes-Oxley information site • 2 years old • Thousands of news articles • Hundreds of pages of reference material and humor Advice columnist Ms. Sarbox Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  6. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities IntroductionsSarboxAlertwww.riskcenter.com/sarboxalertdownload.php • Bi-weekly subscription newsletter • Covers SOX-relatedissues in depth • Comes with downloadable ready-to-use Sarbanes-Oxley Project Management Templates Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  7. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities IntroductionsWho Are You, and What Do You Want? • What Companies Are Represented Here Today? • Who Are Your Auditors? • E&Y, Deloitte, KPMG, PricewaterhouseCoopers, Other, Don’t Know • Who Helped You Prepare Last Year? • E&Y, Deloitte, KPMG, PricewaterhouseCoopers, Other, Don’t Know • Do You Have to Provide SAS 70 Reports? • What Positions Do You Hold? • What Are Your Goals for Today?

  8. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities BackgroundWhy Sarbanes-Oxley? Investors and politicians got fed up by… • Fraud • Greed • Plausible deniability by executives • No way to truly gauge financial health of company • Too little transparency into processes • Lack of accountability Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  9. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities BackgroundSarbanes-Oxley FAQs • The Sarbanes-Oxley Act was passed in 2002. • Sponsors: US Senator Paul Sarbanes and US Representative Michael Oxley. • Applies to: publicly-traded companies. • Overseen by the SEC and the new Public Company Accounting Oversight Board (PCAOB) More information: www.sox-online.com/basics.htmlwww.sox-online.com/sarbanes_and_oxley.htmlwww.sox-online.com/act.htmlwww.sox-online.com/pcaob.html Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  10. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities BackgroundStated Purpose of the Act To strengthen corporate governance and restore investor confidence

  11. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities BackgroundWhat’s it REALLY About? It’s the data, stupid! SOX humor: • www.sox-online.com/sox_humor.html • www.sox-online.com/ms_sarbox.html • www.sox-online.com/sing_along_with_sarbox.html Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  12. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities How Important is SOX?If a Public Company Fails… • If they report material weaknesses and/or fail the audit: Market reaction (falling stock price) • If the CEO/CFO submits a bad certification:a fine up to $1 million and imprisonment for up to ten years. • If it was submitted “willfully”:the fine can be increased up to $5 million and the prison term can be increased up to twenty years. • If certain actions aren't taken (e.g., hotline): SEC can order delisting Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  13. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities Your Input:How Did Your Company Do? Last year, did your company • Pass your 404 audit • Fail your 404 audit • Not have a 404 audit • Don’t know Did your company report weaknesses? Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  14. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities How Important is SOX?How Bad is Market Reaction? Companies are “relieved” when their announcements result in “only” a 3% drop in their stock price. Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  15. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities How Important is SOX?How Bad is Market Reaction? How you can determine the potential cost of not passing your audit: What’s your company worth?What’s 3% of that?Examples:3% of $100 million is $3 million3% of a billion is $30 million Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  16. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities How Important is SOX?What This Means to You A high enough potential cost means… you should be able to get the attention of management if you believe your department is at risk. Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  17. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities How Important is SOX?What This Means to You Also… Using hard numbers can help justify productivity tools if they can also keep you from failing an audit. Reminder: Just because they didn’t fail you for something THIS year doesn’t mean they won’t NEXT year. Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  18. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities Affect of SOX on Your CompanyAffect on Board of Directors • Must include independent directors • More liability • They must hire and deal with auditors (execs can't any more) • New responsibilities for committees – audit committee especially • Must provide oversight of internal control system To read sections of the Act that apply to Boards:www.sox-online.com/act_sections.html Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  19. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities Affect of SOX on Your CompanyAffect on Executives • Can't control auditors • CEO and CFO must attest to data in financial reports – no more plausible deniability • CEO and CFO must attest to adequate internal controls • New executive mindset = Trickle-down affect on other executives and managers More information about key sections of the Act:www.sox-online.com/act_sections.htmlManagement Responsibilities: www.sox-online.com/as02.html Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  20. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities Affect of SOX on Your CompanyAffect on Finance Dept. • Financial data must unambiguously roll up from multiple departments and locations into single report(problem if multiple systems are in place) • Processes must be documented • Controls over processes must be documented • Much more… SOX Accounting and Auditing Center:www.sox-online.com/acc_aud.htmlAccountant jokes:www.sox-online.com/accountant_jokes.html Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  21. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities The New Paradigm for Data Departments:Affect on Data Departments • Affect on funding and time reporting • Affect on financial systems and staff that support them • Extra responsibilities – and more are coming Bottom line: Before: “Just Do It!” Now: “Do it – Control It – Document it – Prove it!” Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  22. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities Do it – Control it – Doc it – Prove itWhat Does“Just Do It” Mean? • You still have to do your jobs. • You still have to do your jobs. • You still have to do your jobs!!! But now, there’s intense interest in what the job entails, and who's doing it. Why? a corporate focus on Governance, Risk, Controls, and Security (GRCS). Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  23. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities Do it – Control it – Doc it – Prove itWhy You Should Understand GRCS(Governance, Risk, Controls, Security) • Your auditors mustissue an adverse opinion (failed audit) if your company has inadequate governance or inadequate security • Does this mean data governance?Not last year… • Does this mean security at the database level? Yes! Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  24. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities Do it – Control it – Doc it – Prove itWhy You Should Understand GRCS(Governance, Risk, Controls, Security) • SOX requires that all companies assess their risk, using a universal risk language (e.g., probability, impact of risks)and risk framework Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  25. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities GRCS:Measuring Risk Probabilityof the risk occurring Risk = ProbabilitytimesImpact Impact if the risk does occur

  26. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities GRCS:Managing Risk     Goal:Lower theProbabilityor the Impactor Both Probabilityof the risk occurring Impact if the risk does occur

  27. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities GRCS:Risk Frameworks • SOX says you must use an industry-recognized risk framework • Most commonly-used: • COSO • COBIT (supplemented with ISO 17799 and sometimes ITIL)

  28. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities GRCS:COSO Control Framework • Focuses on fiduciary controls • Has five control components: • Control Environment • Risk Assessment • Control Activities • Information and Communication • Monitoring

  29. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities GRCS:COSO-ERM Framework Enterprise Risk Management Focus same

  30. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities GRCS:COBIT Control Framework • COBIT = Control Objectives for Information and Related Technologies • Open standard published by the IT Governance Institute (ITGI) and the Information Systems Audit and Control Association (ISACA) • Addresses information quality and security requirements in seven overlapping categories: • effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information.

  31. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities GRCS:Using COBIT for SOX • SOX concentrates on “CIA” data qualities • Confidentiality • Integrity • Availability • COBIT is comprehensive – contains much more than is needed for SOX • ITGI has published guidance:IT Control Objectives for Sarbanes-Oxley • COBIT doesn’t focus enough on security to satisfy SOX: most companies use ISO 17799 standard.

  32. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities Your Input:Where Do You Fit In? • What Risks Do You Help Manage? • How? • What Tools Are You Missing to Help Do a Better Job?

  33. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities Talking the TalkOne Idea - Three Languages IT Speak A computer virus could shut down our critical network. Risk Speak Computer viruses pose a risk with a critical impact. Audit Speak The risk posed by computer viruses must be controlled.

  34. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities Talking the TalkRisk and Controls • For every identified risk, your company must choose one or more strategies • Accept it • Transfer it to someone else • Mitigate it by • Preventing it from happening • Detecting it if it does happen • Reducing its impact if it does happen • Once you pick a strategy, you design corresponding controls Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  35. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities This Afternoon • Controls • Aligning Risk and Controls • Definitions • The Controls Hierarchy • Results of Audits • Common Control Deficiencies • Database Controls • Challenges and Opportunities • Where Are You at Risk? • How Can You Benefit From SOX? For More InformationAbout Managing Risk- SarboxAlert Newsletters- SarboxAlert Project TemplatesBoth are available to you free, for a limited time

  36. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities ControlsRisk and Controls • For every identified risk, your company must choose one or more strategies • Accept it • Transfer it to someone else • Mitigate it by • Preventing it from happening • Detecting it if it does happen • Reducing its impact if it does happen • Once you pick a strategy, you design corresponding controls Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  37. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities ControlsExamples of Controls • Preventive controls: • required approval for all purchase orders over a certain dollar threshold • use of passwords to gain access to networks, systems, and data • Detective controls: • reviews • reconciliations • analyses

  38. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities Your InputYour Controls • What controls are you aware of in your environment? • To detect a problem • To correct a problem • To prevent a problem • To transfer responsibility • Other

  39. ControlsHierarchy of controls Process and application controls are only as good as supporting DB controls. Hah! ManualProcess Controls Application Controls Database Controls Operating System / Infrastructure Controls General IT & Operations Controls

  40. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities ControlsYour Importance • Data controls support most process and application controls • Does your SOX internal group know data management as well as you? • CEO/CFO attestations include your area Your work could affect the outcome of your audit, your company stock price, CEO/CFO fines, jail time Don’t screw up! Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  41. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities ControlsDatabase Controls • What we all want:To know exactly how our auditors will be judging us But that’s proprietary information! Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  42. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities ControlsDatabase Controls • What we can do:Review some published materials, then start a dialogue Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  43. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities ControlsDatabase Controls • Protivity has published great documents Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  44. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities Your InputYour Controls • What controls are you now aware of in your environment?(Consider all levels of the controls hierarchy) • To detect a problem • To correct a problem • To prevent a problem • To transfer responsibility • Other

  45. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities Controls and DocumentationWhat Needs to be Documented? • System documentation • Process flows • Risk management approaches • Controls documentation • Roles and Responsibilities • Activity logs • Other… How much & how well is up to your auditor Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  46. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities Controls and Documentation What Needs to be Proven? • Governance and stewardship records • Activity logs • Audit trails • Controls tests • Other… Only your auditor knows what it will take to prove compliance… More information:What do auditors do? www.sox-online.com/acc_aud_do.htmlAuditing Standard No. 2: www.sox-online.com/as02.html Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  47. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities Controls When Problems Occur • You should know the following definitions (see handout) • Disclosure Controls • Control Deficiencies • Significant Deficiencies • Reportable Condition • Material Weakness • Control Environment • Segregation of Duties MaterialWeakness Likelihood Significance Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  48. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities Results of Audits This ain’t pretty… Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  49. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities Results of AuditsBad News • 2004 • 582 companies disclosed material weaknesses or significant deficiencies in internal controls. Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

  50. Overview • Talking the Talk • Controls • Results of Audits • Challenges and Opportunities Results of Audits Late News: 2005 • Hundreds of companies missed filing deadline (May 10) for Annual Reports • At least 77 companies with market capitalizations of more than $100 million recently notified the SEC they would need more time to finish their quarterly reports. 44 working late on reports. 29 were restating financials. http://accounting.smartpros.com/x48279.xml Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at gwen.thomas@sox-online.com.

More Related