Introduction by Compliancy Software

This is a presentation delivered by Scott Rogers, Director of Internal Audit for PPD at the IT Compliancy Institute conference on Risk Management and Compliance on May 4, 2007 in Washington, DC. In this session, Scott is addressing how PPD solved the challenges of complying with Sarbanes-Oxley. The automation components referred to in this presentation were accomplished with the Compliancy Software solution.

Compliancy Software: Transform risk management and compliance into business value
www.compliancysoftware.com

IT COMPLIANCE CONFERENCE 2007 | Sarbanes Oxley Compliance Process Automation

Sarbanes-Oxley Compliance Process Automation
Scott Rogers, Director of Internal Audit
Pharmaceutical Product Development
Agenda
• Background
• SOX Overview and Challenges
  • The Rules
  • The Scope and Purpose
  • The End Product
  • The Challenges
• SOX and the IT Function
  • What is ITGC?
  • Using IT to Automate Controls
• Automation of the SOX Compliance Process
• Group Discussion and Questions
Background
• Scott Rogers, CPA, Director of Internal Audit
  • Responsible for the Global Sarbanes-Oxley Compliance Process
• Pharmaceutical Product Development, Inc.
  • Contract Research Organization, Phase I-IV Development Services
  • HQ in Wilmington, NC
  • $1.3B Revenue
  • $1.4B Market Cap
  • 10,000 Employees in 28 Countries
Background – The SOX Landscape
• HQ in Wilmington, NC
• 12 SOX Geographic Locations Throughout Americas
• 55 Significant Processes
• Approximately 500 Key Control Procedures
• 35 Process Owners
• 10 Internal Auditors, Globally
• Initially the documentation was completely paper based (i.e. Access, Word, Excel, etc.).
• In 2006 we transitioned to a Professional System to manage the Risk Assessment, Process Documentation, Issues Management, Certification and Testwork processes.
Mix of Controls (chart: ITGC, Entity Level, Financial)
SOX Overview
• The Rules
• The Scope and Purpose
• The End Product
• The Challenges
SOX Overview – The Rules
• PCAOB Established by Congress.
  • Established to Provide Oversight to the Public Accounting Industry.
• For Lack of Other Guidance, Management’s Compliance Program Has Been Designed to Comply with PCAOB Standards.
• Your External Auditor Has a Significant Influence on Management’s Compliance Program.
• New Rules are Coming Soon!
  • PCAOB Is Issuing a Standard for External Auditors.
  • SEC Will Issue a Standard for Management To Follow.
  • How are the New Rules Different?
SOX Overview – Scope and Purpose
• Any Process, System, Transaction or Communication that could potentially have a Significant effect on the Accuracy of the Financial Statements.
• Fraud - The Existence of Fraud Must Be Considered and Evaluated Throughout the Process.
• Entity Level Controls.
• IT General Controls.
• IT Application Controls.
• The Sole Purpose Is To Ensure That Financial Statements are Accurately Reported.
SOX Overview – The End Product
QUARTERLY
• CEO and CFO Must Personally Sign a Public Statement which states that the Internal Control Structure is Appropriately Working.
ANNUALLY
• Two Separate Audit Opinions From the External Auditor:
  • Opinion on the Design of the Internal Control Structure
  • Opinion on the Quality of Management’s Compliance Process
• Audit Opinion From Management
SOX Overview – The Challenges
• Maintaining a Real Time Risk Assessment and Understanding of the Entity Level, Financial and IT General Control Processes.
• Empowering Process Owners to Take Ownership in the Risk Assessment and Enforcement of Control Processes.
• Dealing With Change in Transactions, Human Resources, Systems and Rules.
• Tracking and Reporting Design and Operation Internal Control Issues.
• External Auditor’s Concurrent Review of the Process.
• Involvement of a Large Cross Functional Group of People, Systems and Processes.
• Audit Evidence of Control Performance and Effectiveness.
What are auditors looking for? EVIDENCE
• Verbal Inquiry, alone, generally does not constitute audit evidence.
• Verbal inquiry, alone, does NOT constitute audit evidence.
SOX and the IT Function
• What is ITGC?
• Using IT to Automate Controls.
SOX and the IT Function – What Is ITGC?
• Information Technology General Controls (“ITGC”)
• How Does ITGC Affect the Financial Statements?
  • Change Control
  • Logical Access
  • IT Infrastructure – Networks, Data Centers, Underlying Data Structures, Physical Assets
  • Segregation of Duties
• Centralization and Consistency Will Make ITGC Easier.
SOX and the IT Function – Using IT To Automate Controls
• Any IT Application’s Functionality That Helps Ensure Accuracy and Integrity of Financial Data Can Be Relied Upon as a Control.
• The Testing Frequency of Programmed Controls Can Be Significantly Less Than Manual Controls.
• Application Development Should Include Your Company’s Internal Controls Experts. They and IT Can Work to Build, Identify and Rely on Programmed Controls.
Automation of the Processes
• Risk Assessment
• Testing
• Planning and Management
• Reporting
Automation - Risk Assessment
• Management Certification Process
  • Quarterly, Management is Required to Certify That the Business and Control Processes Have Not Significantly Changed.
  • Utilized a Customized Workflow to Deliver the Data to Management.
  • Management’s Review is Scalable to Their Needs, Allowing For Many Different Levels of Review.
  • Utilized to Identify Changes and Enhance Our Understanding of the Processes.
  • Helps Drive Management to “Own” the Processes.
Automation - Risk Assessment (cont)
• Other Risk Assessment Activities
  • Status and Effectiveness of Controls is Automatically Linked to Testing and Issues Processes.
  • Automated Issues Workflows Ensure Management Knows Where They Have Remediation To Perform.
  • Change Control Provides External Auditors With a Clear and Ongoing Map From One Period to the Next.
  • Maintaining an Ongoing List of Design Issues.
Automation – Audit Testing
• Design and configuration.
  • Scheduling – Allows Creativity and Flexibility in the Nature, Timing and Frequency of Tests.
  • Change Control Over the Test Strategies.
• Utilizes Workflow to Pass the Test to the Planner, Performer, Reviewer and File Preparation Steps.
• Electronic Work Papers and Audit Evidence.
• Sample Selection Processes
  • Portals for Auditor / Management Communication and Data Transfer
  • Automatic Selection of Samples
Automation – Planning and Management
• Scheduling the Planning Related Activities and Communications.
• Scheduling the Key Communication and Reporting Dates.
• Portal For Capturing Auditor’s Time Spent on Tests.
• Maintaining the Global Scheduling, Time Analysis and Efficiency Metric Analyses.
• Portal for Capturing Auditor’s Recommendations and Design Issues Noted.
Automation - Reporting
• Comprehensive Listing of Issues with Status.
• Reporting of Delinquent Certifications.
• Reporting of Delinquent Test Areas.
• Dashboard Status Views of All Processes.
Summary
• SOX Is A Broad, Complicated and Changing Process Driving the Need For Process Automation.
• Process Automation Can Be Found In The Following:
  • Risk Assessment
  • Testing
  • Planning and Management
  • Reporting
• Develop Strong Relationships With Internal Control Experts In Your Company to Help:
  • Ensure ITGC Is Appropriately Designed.
  • Ensure Programmed Controls Are Identified and Utilized.
Questions and Discussion
Contact Information
Scott Rogers, PPD
scott.rogers@wilm.ppdi.com
910 558 6790
Please Complete Your Session Evaluation

For More Information about Compliancy Software
Please visit our website at www.compliancysoftware.com
Or Call us at 1-919-342-6212
Or Email us at info@compliancysoftware.com
Compliancy Software: Transform risk management and compliance into business value