SarbanesOxley - PowerPoint PPT Presentation

About This Presentation

Title: SarbanesOxley

Description: Provide a high-level overview of Sarbanes-Oxley and the internal control ... Show-stoppers. Material weaknesses. Significant deficiencies ... – PowerPoint PPT presentation

Slides: 26
Provided by: norca7

Transcript and Presenter's Notes

1
Sarbanes Oxley Act of 2002
Verification vs. Validation
2
Today's Objectives
  • Provide a high-level overview of Sarbanes-Oxley
    and the internal control certification
    requirements
  • Discuss the importance of information technology
    in internal control over financial reporting
  • Give an overview of the importance of the ITIL and
    CobiT IT frameworks in Sarbanes-Oxley compliance
  • Summarize the importance and impact of IT
    controls when dealing with the SEC

3
The Sarbanes-Oxley Act of 2002 was written and
enacted in response to some rather large and
public failures of corporate governance. Enron,
WorldCom, and Tyco became well-known brand names
for all the wrong reasons. Scenes of C-level
executives being arrested and perp-walked in
handcuffs became common TV news fare.
Sarbanes-Oxley was fashioned to protect
investors by requiring accuracy, reliability, and
accountability of corporate disclosures. It
requires companies to put in place controls to
inhibit and deter financial misconduct. And it
places responsibility for all this
unambiguously in the hands of the CEO.
4
Sarbanes-Oxley Act of 2002
  • What is internal control?
  • Internal control is broadly defined as a process,
    effected by an entity's board of directors,
    management and other personnel, designed to
    provide reasonable assurance regarding the
    achievement of objectives in the following
    categories:
      • Effectiveness and efficiency of operations
      • Reliability of financial reporting
      • Compliance with applicable laws and regulations

5
Sarbanes-Oxley Act of 2002
  • Internal control is now the law: the
    Sarbanes-Oxley Act of 2002 was created to restore
    investor confidence in the public markets
  • Section 404 of the Act requires management to
    establish and maintain internal control, and
    requires the independent auditors to evaluate it
  • Compliance deadline: year-ends on or after
    November 15, 2004
  • Preparing for Sarbanes-Oxley compliance is a
    significant and challenging task
  • There are many requirements, including the
    identification of significant financial statement
    accounts and the processes and systems that
    support them, and then documenting and testing
    them
6
Overview of Internal Control Certification
Requirements
  • Section 302 Certification Overview
      • CEO and CFO to make specific certifications as
        of the end of each quarterly and annual
        reporting period, including:
          • Report contains no untrue statements
          • Report is fairly presented in all material
            respects
          • Responsibility for design and maintenance of
            disclosure controls and procedures as well as
            internal controls over financial reporting
  • Section 404 Certification Overview
      • CEO and CFO to certify as of the end of every
        annual reporting period:
          • Their responsibility for establishing and
            maintaining effective internal controls over
            financial reporting
          • Their assessment of internal controls,
            accompanied by the independent auditors'
            attestation report

7
The Importance of Information Technology in
Internal Control over Financial Reporting
8
The Importance of Information Technology (IT) in
Internal Control over Financial Reporting
  • For most organizations, IT is critical to the
    financial reporting process
  • Financial and routine business applications are
    commonly used to initiate, authorize, record,
    process and report transactions
  • Relevant IT controls include:
      • Application controls - those that are embedded
        in financial and business applications
      • General computer controls - the underlying
        infrastructure components that support the
        applications
  • Statement made by the Public Company Accounting
    Oversight Board (PCAOB) on the impact of IT
    (paragraph 75):
      • The nature and characteristics of a company's
        use of information technology in its information
        system affect the company's internal control
        over financial reporting

9
CobiT IT Control Framework Overview
10
Control Objectives for Information and related
Technology (CobiT)
  • The IT Governance Institute (www.ITGI.org) has
    recently published revised guidance for IT
    professionals on how to address Sarbanes-Oxley
    from an IT perspective (April 2004):
    Sarbanes-Oxley: The importance of information
    technology in the design, implementation and
    sustainability of internal control
  • The publication is the result of a joint effort
    of industry and auditors, with leadership from
    the Big 4 (PwC, DT, EY, KPMG)
  • The ITGI is a recognized global leader in IT
    governance, control and assurance, with members in
    more than 100 countries

11
Top 5 List: 404 IT Controls Requirements
  • Security
      • Application and platform based
      • Focused on applications that may impact
        financials and supporting infrastructure
      • Requires secure operating systems, databases,
        network, firewalls and infrastructure
      • Auditors will look for excessive access, lack of
        segregation of duties and inadequate approval of
        access; they will be testing key processes to
        determine that they are effective
  • Change Control
      • Need to ensure that procedures are in place to
        control and ensure proper approval of changes to
        production
      • Technical controls must tightly limit and control
        developer access to production
  • Disaster Recovery
      • Focus will be on basic backup and recoverability
        of financial data
  • IT Governance
      • Focus will be on determining if there are clear
        policies, procedures, and communications within
        IT
      • Is there clear segregation of duties?
      • Is there the appropriate tone at the top of the
        IT organization?
  • Development and Implementation Activities
      • Proper controls need to be built in before a new
        system or system changes go into the production
        environment
      • Auditors may evaluate new financial systems;
        data conversion and testing are critical
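
Three of the auditor checks listed above under Security and Change Control, segregation of duties, approval of access, and developer access to production, can be tested mechanically against an entitlement export. The following is an added example, not part of the presentation; the conflicting-duty pairs, entitlement names and user records are constructed for illustration.

```python
"""Segregation-of-duties and developer-access check over an entitlement export.

Added example: the duty pairs, entitlement names and user records below are
constructed for illustration and do not come from the presentation.
"""
from itertools import combinations

# Pairs of entitlements one person should never hold together (constructed).
CONFLICTING_DUTIES = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"post_journal_entry", "approve_journal_entry"}),
    frozenset({"develop_code", "deploy_to_production"}),
}
# Entitlements that grant write access to the production environment.
PRODUCTION_ENTITLEMENTS = {"deploy_to_production", "prod_db_write"}

# Constructed sample export: user -> role, entitlements, manager approval on file.
SAMPLE_ACCESS = {
    "alice": {"role": "ap_clerk", "ents": {"create_vendor", "approve_payment"}, "approved": True},
    "bob": {"role": "developer", "ents": {"develop_code", "prod_db_write"}, "approved": True},
    "carol": {"role": "controller", "ents": {"approve_journal_entry"}, "approved": False},
    "dave": {"role": "gl_accountant", "ents": {"post_journal_entry"}, "approved": True},
}


def find_findings(access):
    """Return (user, finding_type, detail) tuples an auditor would flag."""
    findings = []
    for user, rec in sorted(access.items()):
        ents = rec["ents"]
        # Segregation of duties: any conflicting pair held by one user.
        for a, b in combinations(sorted(ents), 2):
            if frozenset({a, b}) in CONFLICTING_DUTIES:
                findings.append((user, "sod_conflict", f"{a}+{b}"))
        # Change control: developers must not hold production write access.
        prod = ents & PRODUCTION_ENTITLEMENTS
        if rec["role"] == "developer" and prod:
            findings.append((user, "developer_prod_access", ",".join(sorted(prod))))
        # Access approval: every entitlement set needs a documented approval.
        if not rec["approved"]:
            findings.append((user, "unapproved_access", ",".join(sorted(ents))))
    return findings


if __name__ == "__main__":
    for user, kind, detail in find_findings(SAMPLE_ACCESS):
        print(f"{user:6} {kind:22} {detail}")
```

Each finding maps to one of the evidence items the slide says auditors test for, so the output doubles as a remediation list for the access review.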

12
IT Control Readiness Roadmap
13
Sarbanes-Oxley Readiness Roadmap
  • Preparing for SOX 404 requires a structured and
    measured approach, otherwise you will find
    yourself doing too much or too little
  • The current PCAOB rules require auditors to
    attest to management's assessment process
  • As such, the readiness roadmap that many
    organizations are following demonstrates the
    assessment process through a series of steps and
    activities that align to the PCAOB rules

14
SOX Readiness Roadmap
  • 1. Plan and Scope
      • Financial reporting process
      • Supporting systems
  • 2. Perform Risk Assessment
      • Probability / impact to business
      • Size / complexity
  • 3. Identify Significant Controls
      • Application controls - over initiating,
        recording, processing and reporting
      • IT General Controls
  • 4. Document Controls
      • Policy manuals
      • Procedures
      • Narratives
      • Flowcharts
      • Configurations
      • Assessment questionnaires
  • 5. Evaluate Control Design
      • Mitigates control risk to an acceptable level
      • Understood by users
  • 6. Evaluate Operational Effectiveness
      • Internal audit
      • Technical testing
      • Self assessment
      • Inquiry
      • All locations and controls (annual)
  • 7. Identify and Remediate Deficiencies
      • Significant deficiencies
      • Material weakness
      • Remediation
  • 8. Document Process Results
      • Coordination with Auditors
      • Internal sign-off (302, 404)
      • Independent sign-off (404)
  • 9. Build Sustainability
      • Internal evaluation
      • External evaluation

Business Value (diagram axis label)

Source: Sarbanes-Oxley IT Compliance, Deloitte & Touche
15
A Readiness Roadmap: Plan and Scope
  • Understand the financial reporting process and
    identify the information systems and related
    resources that are used.
  • Key Considerations
      • In-scope vs. out-of-scope systems
      • Opportunities for improvement
      • Prevention, identification and detection of fraud
  • Key Components
      • Financial reporting processes
          • Initiating
          • Recording
          • Processing
          • Reporting
      • Classes of transactions
          • Non-routine and systematic

16
A Roadmap for Compliance: Perform Risk Assessment
  • Identify risks associated with the information
    systems and related IT resources (what could go
    wrong?)
  • Key Considerations
      • Specific risk areas
          • Data validation
          • Data conversion
          • Interfaces
          • Management reports
          • Complex or critical calculations
          • Spreadsheets
  • Key Components
      • IT risks
          • Quality and integrity failure
          • Security failure
          • Availability failure
      • Risk assessment
          • Probability of failure
          • Impact to the business

17
A Roadmap for Compliance: Identify Significant
Controls
  • Identify application and general controls
  • Key Components
      • Application controls
          • Embedded within business processes
          • Directly support financial assertions
      • General controls
          • Program development
          • Program changes
          • Program operations
          • Access control
  • Key Considerations
      • Control framework - CobiT
          • Revised April 2004
          • 12 primary control objectives at the process
            level
          • Control environment questionnaire for entity
            level

18
A Roadmap for Compliance: Document Controls
  • Document control processes to support
    management's assessment
  • Key Components
      • Process description
      • Risk assessment
      • Control objective
      • Control activity
      • Test of the control
      • Conclusions and remediation plans
  • Key Considerations
      • Include compensating controls
      • Impact on overall SOA testing program
      • Report gaps in documentation
      • Sufficient to support management assertion

19
A Roadmap for Compliance: Evaluate Control Design
  • Controls should be designed to reduce the risk of
    error to an acceptable level
  • Key Components
      • Sufficient to demonstrate:
          • Control designed to prevent or detect material
            errors
          • Conclusion that tests were appropriately
            conducted
          • Results of tests appropriately evaluated
  • Key Considerations
      • Preventive vs. detective
      • Automated vs. manual
      • People, process and technology
      • Control maturity level: controls are defined,
        managed, measured and repeatable

20
A Roadmap for Compliance: Evaluate Operational
Effectiveness
  • Test controls to ensure they are operating as
    designed and consistently over a period of time
  • Key Components
      • Application controls and general controls
      • Reliability
          • Performed by a knowledgeable person
          • Performed consistently
          • Appropriately monitored
          • Problems followed up on a timely basis
  • Key Considerations
      • Period of time vs. point in time
      • Audit evidence: inquiry alone is not enough
      • Sample sizes must be adequate given the frequency
        of control operation
      • Service organizations: SAS 70

21
A Roadmap for Compliance: Identify and Remediate
Deficiencies
  • Identify weaknesses and remediate / retest prior
    to the compliance deadline
  • Key Components
      • Impact to the financial statements
          • Is it more than inconsequential?
      • Likelihood of occurrence
          • Is there more than a remote likelihood of
            occurrence?
      • Compensating controls
  • Key Considerations
      • Isolated / manual errors vs. systematic errors
      • Period of effective operation
      • Has an impact assessment been performed to
        determine the importance to the financial
        reporting process?
      • May need to revisit control design or operation
        if deficiencies are observed

22
A Roadmap for Compliance: Document Process
Results
  • Maintain sufficient evidence to support the
    management assessment process
  • Key Components
      • Overall assessment process
      • Consider risk assessment results
      • Disclose all known control deficiencies and
        weaknesses
      • Include assessment of control design
        effectiveness
  • Key Considerations
      • Show-stoppers
          • Material weaknesses
          • Significant deficiencies

23
A Roadmap for Compliance: Build Sustainability
  • Establish a Center of Excellence model to
    support ongoing SOA compliance
  • Key Components
      • Continuous effectiveness of internal control
      • Monitoring activities
      • Change management
      • Knowledge capture and sharing
  • Key Considerations
      • Continuous improvement process
      • Rules, approaches and best practices are
        evolving; stay tuned

24
In Summary
  • Companies should ensure IT has an active role in
    Sarbanes-Oxley efforts
      • Participate on the compliance steering committee
      • Understand the financial reporting process and
        communicate the dependency on IT (applications,
        infrastructure, security, etc.)
      • Establish IT's role in ensuring adequate controls
        over the financial reporting process
      • Document IT risks and controls related to the
        financial reporting process
      • Regularly test controls and remediate significant
        weaknesses
      • Establish monitoring activities to ensure the
        effectiveness of IT controls over time

25
Questions?