280 likes | 452 Views
Introduction of Panel Members. Sarbanes-Oxley Workshop February 10, 2004 John Lambeth , CISSP, CISA. Insert Worlds Image / Client Specific Image Here. Agenda. Overview of Sarbanes-Oxley Requirements and COSO Framework Impact on Corporate IT organizations A proposed Project Approach
E N D
Introduction of Panel Members Sarbanes-Oxley WorkshopFebruary 10, 2004John Lambeth, CISSP, CISA Insert Worlds Image / Client Specific Image Here
Agenda Overview of Sarbanes-Oxley Requirements and COSO Framework Impact on Corporate IT organizations A proposed Project Approach Data Collection and Documentation Approach Roles and Responsibilities PMO Set-up and Scoping Leveraging CPM/BI projects to meet real-time disclosure requirements After initial compliance, what’s next…
Objectives for today’s workshop • Provide you with an overview of some of the key issues that CIOs need to be aware of when responding to Sarbanes Oxley • Create an interactive environment in today’s workshop to share tips and experiences with each other • Create a personal checklist of items to discuss with your internal audit and business partners
Overview of Sarbanes-Oxley Requirements Sarbanes-Oxley Act • Section 302: • Quarterly Certification by CEO/CFO • Responsible for “Disclosure Control Procedures” (DCP) – a broad range of information (Financial and Non-Financial) • Certify to effectiveness of DCPs based on evaluation within 90 days • Disclose to Audit Committee and external auditor any significant deficiencies / material weakness or fraud (material or not) Section 404: • Annual Assertion by management • Responsible for effectiveness of controls over reliable Financial reporting – e.g., a deep view of internal control procedures and practices • Focus on both design and operational effectiveness of financial reporting controls • Controls must be documented and tested • External auditor to render opinion (“attestation”) on management’s internal control assertion LEGEND Internal Controls over Disclosure Requirements Disclosure Controls and Procedures Internal Controls Over Financial Reporting Slide Credit: PriceWaterhouseCoopers
Overview of Sarbanes-Oxley Requirements Sarbanes-Oxley Act • Section 409: • Call for Real-time Disclosure of significant changes to financial position • Requires public companies to report material events in a timely manner • “Timely” yet to be defined, but may be as soon as 48 hours from event. Impacts: • Extends effort from controls documentation of reporting systems to real-time reporting requirements • Batch or historic reporting capabilities need to be reviewed for ability to support on-going CPM/BI capability LEGEND Internal Controls over Disclosure Requirements Disclosure Controls and Procedures Internal Controls Over Financial Reporting Image Credit: PriceWaterhouseCoopers
AICPA’s Statement on Standards for Attestation EngagementsSection 501, as amended • Stronger requirement of management to document and evaluate internal controls • Required management procedures: • Material divisions and locations included in evaluation • Identification and documentation of significant controls to cover control objectives • Evaluation and review of design effectiveness • Tests of operating effectiveness • Evaluation of control deficiencies to determine whether they are deficiencies, significant deficiencies or material weaknesses • Written assertion required • Communications of findings to auditor and audit committee • Auditor to evaluate management’s assertion as of a point in time (December 31, 2004) • Scope of work includes independent testing of controls as well as testing of management’s assessment process • Scope of controls testing includes testing over areas that generate judgments and estimates
The COSO FrameworkThe Only Recognized Internal Control Framework • While Internal Control was not defined in the Sarbanes-Oxley, the COSO definition has been accepted by the US government and its agencies, incorporated in US auditing standards (AU 319), and is a generally accepted integrated framework for control infrastructure. Under regulations for Section 404, the SEC will use AU319 as the reference. • Internal Control is defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: • Effectiveness and efficiency of operations • Reliability of financial reporting • Compliance with applicable laws and regulations • COSO identifies five components of control that need to be in place and integrated to ensure the achievement of each of the objectives. COSO is an integrated framework for internal control which, when implemented, can provide a baseline to establish a control structure that meets Section 302 requirements and supports 404 attestation.
Financial Reporting Overview What is it? Who does it? Audit committee charter, whistleblower program, Internal audit, legal,regulatorycompliance… Board of Directors, AuditCommittee, SeniorManagement Governance Process for compiling the financial statementsand preparing financial reporting (e.g., closingprocesses and procedures, policies, accountingmanuals, etc.) CFO, Corporate Controller,DivisionLevel CAO, Corporate Accounting department Consolidation Reporting Transactions that are not reflectedin subsidiary or admin systemswithin books and records (e.g,.Accruals, sale of subsidiary, taxes) Accounting departmentmanagement (e.g., CAO, Financial Reporting Director). Accounting Transactions that occur inoperations and are includedin the subsidiary or adminsystems (e.g., premiumremittance, benefitpayment). Systems with hightransaction volume,make complexcalculations, and reliedupon for accuracy. Counting Overview of Financial ReportingDevelop and Document Activities, Polices, Inputs, and Disclosures PriceWaterhouseCoopers
Impact to IT and Audit staffs • Significant unplanned, and possibly unbudgeted activity for IT • Causes trade-offs with other existing IT projects • Remediation effort difficult to quantify until after controls are documented and gaps noted • Impact to internal audit staffs • Audit experience should place them in high-profile position on Sarbox project • Trade-off of limited audit staff resources with on-going internal audit responsibilities • Need goal to reestablish ownership of ongoing Sarbox compliance with the business partner • Record keeping • Adequate control over paper and electronic records • Intersection of record requirements with company record retention policies
Project Approach Overview • Phase 1 – Project and PMO Set-up and Scoping • Phase 2 – Data Collection and Documentation • Phase 3 – Gap Analysis • Phase 4 – Validation and Testing • Phase 5 – Remediation
Phase I: Project and PMO Set-up and Scoping • Finalize project scope – divisions, financial statement components, processes • Define approach and team organization • Establish assessment criteria for process areas and IT • Implement communications strategy and issue management process • Conduct training • Awareness: All project participants • Process and Tools: Core project team members
404 Project Team Roles and Responsibilities Project Sponsor • Provide enterprise sponsorship and oversight throughout project • Review and resolve significant issues escalated through Steering Committee • Review results of management assessment • Estimated Level of Effort: Involvement throughout project, as needed Steering Committee • Participate in monthly, or as needed, Committee Meetings • Review and resolve issues escalated through Project Manager • Review status on key milestones • Re-align resources as required throughout the project • Support Project Manager in planning and risk management • Signoff on key deliverables • Estimated Level of Effort: Monthly meetings and other involvement as needed
404 Project Team Roles and Responsibilities Project Office • Provide day-to-day management/support to Project Team Members • Ensure team activities conform to authorized guidelines, policies and standards • Facilitate monthly Steering Committee and weekly Project Team status meetings • Present resource concerns, dependencies, issues, risks and progress to Project Managers • Monitor/escalate unresolved issues and risks for resolution • Provide monthly status reports to Steering Committee • Communicate project tasks and objectives to Project Team Members • Monitor communication activities (internal and external)
404 Project Team Roles and Responsibilities Division Team Leaders • Deliver project activities • Participate in weekly status meetings • Support Team Members and monitor Team Member task completion • Apply policies, guidelines and standards across function and division • Track definition and implementation of remediation plans for Division Environment Liaisons • Provide overview of cycle and participate in Divisional Team meetings, as required • Designate process SMEs to provide detailed process and control information • Assist in the organization of the workshops around the process flow of the cycle • Assist in understanding and assessing interfaces between and among different transactions within the cycle • Oversee implementation of remediation actions to address control gaps
404 Project Team Roles and Responsibilities Project Manager • Single contact for all Project Team Members • Provide direction to Project Team Members • Participate in monthly, or as needed, Disclosure Committee meetings and weekly project team meetings • Review and resolve issues escalated by the Project Office; escalate priority issues • Exercise objectivity in decision-making, resource allocation and dispute resolution • Provide guidance and support for Project Team Members in performing tasks • Ensure Project Team Members adhere to established guidelines, policies and standards • Estimated Level of Effort: Full time dedicated, through duration of project
404 Project Team Roles and Responsibilities IT Systems Experts • Participate in main facilitated workshops to support SME understanding of automated application-level controls • Assist in understanding systems supporting major processes and determining which are considered in scope (including interfaces) • Assist in validating IT control criteria and training Documentation Specialists • Participate in IT-specific workshops to define and document general computer controls • Oversee implementation of remediation actions and address control gaps • Assist in understanding Corporate systems supporting cycles and determining which are considered in scope (including interfaces) • Participate in IT-specific workshops to define and document general computer controls • Oversee implementation of remediation actions and address control gaps
Phase II: Data Collection • Inventory and review existing documentation • Conduct preliminary workshops • Enhance education • Develop high-level process overviews • Tailor project tools (e.g., control matrices) • Pre-populate control matrices • Interview, observation and/or self assessment to complete documentation
Workshop OverviewParticipants, Objectives, Activities, Outputs • Primary Objectives: • Understand the flow of information through the transactions under discussion • Identify linkages and inter-dependencies with other transactions and processes (where does its start and stop) • Understand risks and controls in a sufficient manner to tailor control matrices for documentation effort • Key Activities: • Validate initial scoping • Discuss and document high-level flow of information within the process, interfaces to other processes, and supporting systems • Discuss risks and control objectives • Workshop Outputs: • Schematic diagram of process • Tailored control matrix
404 Project Team Roles and Responsibilities Documentation Specialists • Participate in specialized training sessions to obtain working knowledge of project documentation approach and tools • Participate in facilitated workshops and working meetings for specific cycle/processes • Document detailed process and control information for assigned area • Assess documented controls for design/existence gaps • Report risk/issues and progress to Project Team Leader
Phase III: Gap Analysis • Assess current state analysis for design gaps (per COSO control objectives and best practices) • Identify and report design gaps • Define recommendations to address gaps
IT Control Evaluation Process • Perform gap analysis, validation/testing and remediation • Close coordination with process teams • Use same reporting format for findings as cycles/processes • Will require close coordination with process teams, especially regarding the impact of identified gaps
Phase IV: Validation and Testing • Identify key controls to test • Design tests of controls • Execute tests of controls • Evaluate test results • Identify and report operating effectiveness gaps
Phase V: Remediation • Define remediation steps • Implement remediation steps • Re-test design and operating effectiveness
Ongoing 404 Considerations • Ownership of ongoing Sarbanes-Compliance • Establish overall responsibility for on-going compliance • Role of IT in quarterly 302 attestations • Process for updates to controls • Supporting documentation • Where? • In what format? • For how long? • Updates to documentation, document retention
Surveying Sarbanes - Oxley Solutions • Control documentation requirements of Sarbox have lead to a variety of vendor tool offerings • Sarbanes-Oxley compliance does not come packaged in any IT solution • Compliance is achieved by effective processes and how you leverage technology to Sarbanes-Oxley compliance through more effective collaboration and record management • Before making significant investments in “Sarbox software”, it is important to look at your company’s collaboration and document management challenges and how your technical architecture currently deals with them • E-mail policy • Workgroup collaboration • BI / CPM 1 Gartner “Sarbanes–Oxley Vendor evaluation Framework”
CRM / Business Intelligence • Section 409 • Calls for real-time disclosure • Straight-through information processing In many cases effective ERP solution serves as foundation for financial reporting and analysis tools • BI / CPM solutions • Create environment that fosters validity of data flowing through the enterprise • Integrated tools for reporting and Web-based statuses Credit: C. Imhoff DM Review Jan’04
CRM / Business Intelligence • BAM (Business Activity Monitoring) strategies may play a significant role in on-going real-time reporting strategies • Visibility into critical events • Captures events that modify the state of business processes • What is the role of Executive dashboards in your enterprise reporting strategy • Create real-time flow of key financial points/trends • Data strategy • Common data definitions • Common data labels / tags • Validate “official sources” of information
Summary • Overview of Sarbanes-Oxley Requirements and COSO Framework • Sarbox has a significant, and somewhat unpredictable impact Corporate IT organizations • A structured project approach is the most effective way to attack the project • Examine current technical architecture components and use this information to guide selection of additional software components • Consider role of CPM/BI projects • Create active forum for discussion of ongoing Sarbox compliance ownership