Managing IT in the real world

Date post: 28-Oct-2014
Upload: mricky
Page 1: Managing IT in the real world

Managing IT in the real world

A Practical IT Approach To Sarbanes-Oxley Compliance

Page 2: Managing IT in the real world

Ecora and Sarbanes-Oxley Compliance

Agenda

• Sarbanes-Oxley -- What is It?
• Some Definitions
• Where are companies in compliance effort?
• Why should I care?
• Why a Framework?
• COSO
  – COSO IT Controls
  – IT General Controls
• Example of compliance work with a customer
• Summary

Page 3: Managing IT in the real world

Sarbanes-Oxley – What is it?

Federal law that imposes strict new financial reporting requirements for publicly traded companies.

Places burden on management to devise safeguards around the financial reporting process

Specifically identifies IT as a key component of process and audit activity

Page 4: Managing IT in the real world

Sarbanes-Oxley – Definitions

Section 302 – Quarterly and annual reporting – set up internal controls. CEO and CFO own it.

Section 404 – Management Assessment of Internal Controls
  » Annual evaluation of internal controls
  » Quarterly filing of material changes to internal controls
  » Independent audit of internal controls
  » Recognized control framework required for assessment

Page 5: Managing IT in the real world

Sarbanes-Oxley – Definitions

• PCAOB – Public Company Accounting Oversight Board – established to oversee audits…

• Auditing Standard No. 2 -- 200-page document that defines SOX auditing standards

• COSO -- Committee of Sponsoring Organizations of the Treadway Commission – Internal Control – Integrated Framework, PCAOB referenced framework

• CobIT – Control Objectives for Information and Related Technology – another well known framework

• Internal Control – A process designed….to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles…. (SEC Definition)

Page 6: Managing IT in the real world

Sarbanes-Oxley – Definitions

• Internal Control (cont.) – Internal control is not “one-size-fits-all,” and the nature and extent of controls that are necessary depend, to a great extent, on the size and complexity of the company. PCAOB Auditing Standard No. 2

• Control Deficiency – exists when design or operation of a control does not allow management or employees …to prevent or detect misstatements on a timely basis.

• Significant Deficiency – control deficiency (or combination of CDs) that adversely affects company’s ability to initiate, authorize, record, process, or report external financial data reliably

• Material Weakness – significant deficiency (or combination of SDs) that results in more than remote likelihood that a material misstatement of annual or interim financial statements will not be prevented or detected

Page 7: Managing IT in the real world

Where are companies in the process?

Two groups (source: Ernst & Young, 2004); phases are Plan, Document, Test, Report:

< $75M Market Cap – 11/15/04: 64% Testing, 34% Documentation, 2% Reporting

> $75M Market Cap – 7/15/05: 60% Testing, 34% Documentation, 3% Reporting, 3% Planning

Page 8: Managing IT in the real world

Sarbanes-Oxley – Why should I care?

SOX is changing IT

– No more IT closed “black box”

– Auditors – with technical expertise -- are now looking closely at IT

– E&Y projects that next year IT portion of SOX audit will grow from 10% to 25%.

Page 9: Managing IT in the real world

Sarbanes-Oxley – Why should I care?

IT is an integral part of the financial reporting and control process

• Management’s heavy dependency on IT

» High degree of automation in processing day to day transactions

» IT data elements are the primary source of data used in decision-making

» IT availability / integrity critical to the financial statement close and reporting processes

Page 10: Managing IT in the real world

Why a Framework?

1. SOX Mandate -- Assessment of effectiveness requires a “..suitable, recognized control framework...”
  • Must be identified in annual report
  • COSO is specifically referenced by PCAOB and forms the foundation of its Auditing Standard No. 2.

2. It makes sense
  • Provides structure
  • Identifies functional areas of focus

Page 11: Managing IT in the real world

COSO Framework

A common sense approach to implementing internal controls

The five COSO components: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring

Page 12: Managing IT in the real world

COSO IT Controls (Control Activities)

COSO identifies two broad groupings of information system control activities: Application Controls and General Controls.

Application controls – apply to business processes and are designed within applications to prevent/detect unauthorized transactions.

General controls – apply to all information systems and support secure and continuous operation. They support all other controls.

Page 13: Managing IT in the real world

IT General Controls

IT general controls are the foundation for all IT controls.

Layers of the diagram, top to bottom:
  Significant Accounts in Financial Statements: Balance Sheet, Income Statement, SCFP, Notes, Other
  Business Processes / Transaction Classes: Process 1, Process 1, Process 1
  Financial Applications: Application X, Application Y, Application Z (Application Controls)
  IT Infrastructure Services: Database, Operating System, Network (General Controls)

Adapted from IT Control Objectives for Sarbanes-Oxley by the IT Governance Institute

Page 14: Managing IT in the real world

IT General Controls

IT General Controls are IT processes and related controls that are generally applied to support the computer application level. However, they may be performed on a single platform or application.

IT general controls provide a focus for IT to identify, assess, and develop internal controls around defined areas of operation as they relate to financial controls.

Tests for controls are specific activities or processes that demonstrate and document proof that the controls are real and in place.

Remember -- the whole point of SOX is financial reporting – the objective is to provide documented proof that IT systems associated with financial reporting are locked down.

Page 15: Managing IT in the real world

IT General Controls

Layers surrounding the Financial Reporting Data, from the outside in: Network Access; System (OS) Access to System; System (OS) Access to Data; Database Access.

Your infrastructure figuratively surrounds your financial reporting data. You need controls at each level.

Page 16: Managing IT in the real world

How Ecora helps with IT General Controls

General Controls cover the IT Infrastructure Services layer: Database, Operating System, Network.

Ecora Auditor maps to IT general controls. We provide documented proof that you are complying with internal controls for IT systems that impact financial reporting.

Ecora Enterprise Auditor – Infrastructure Coverage
  Operating System: Windows, Solaris, HP-UX, AIX, Red Hat Linux, Novell
  Network: Cisco
  Database: MS-SQL, Oracle

Page 17: Managing IT in the real world

Client Example – Database Internal Controls (columns: Internal Control / Test of Internal Control / Ecora Report for Test)

Internal Control: A process exists to review and confirm access rights.
• Test: Ensure each DBA has their own account and that no generic accounts are used to bypass the audit trail of DBA activity. Ecora report: DBA Accounts
• Test: Ensure the appropriate Authentication Mode is configured. Ecora report: Authentication Mode
• Test: Ensure all logins have passwords and are not using the default password. Ecora report: Login Password
• Test: Review role memberships and permissions to ensure appropriate access and privileges to databases. Ecora report: Role Permissions & Memberships
• Test: Set file system privileges to prevent unauthorized access to database server data files, log files, and backup files. Ecora report: System Privileges
• Test: Ensure a password Verify Function exists and is valid, so that user passwords are validated and strong password criteria are required. Ecora report: Verify Function

Page 18: Managing IT in the real world

Client Example – Database Internal Controls (continued)

Internal Control: Prove adequate password validation is in place.
• Ecora reports: Password Lifetime, Password Grace Period, Password Reuse Time, Failed Login Attempts, Password Lock Time

Internal Control: Appropriate controls exist to review and manage remote network access.
• Test: Audit and review the list of linked and remote servers. Ecora report: External Servers
• Test: Identify all public database links. Review and replace them with private links as appropriate to restrict access to confidential data. Ecora report: Public Links

Page 19: Managing IT in the real world

Client Example – Database Internal Controls (continued)

Internal Control: Controls exist to ensure data is collected for tracking user activity.
• Test: Set Initialization Parameters to provide security and ensure database auditing is active. Ecora report: Initialization Parameters
• Test: Enable audit events to provide an audit trail of user activity. Ecora report: Auditing Enabled
• Test: Audit and review the DB owner for each database. Ecora report: DB Owner
• Test: Enable Archive Log Mode to allow point-in-time recovery and ensure data is not lost when recovering. Ecora report: Archive Log Mode
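On Oracle, the five reports listed under password validation on the previous slide correspond to the PASSWORD_LIFE_TIME, PASSWORD_GRACE_TIME, PASSWORD_REUSE_TIME, FAILED_LOGIN_ATTEMPTS and PASSWORD_LOCK_TIME profile limits. The following is an added example, not code from this deck or from Ecora, that resolves the limits an export of DBA_PROFILES and DBA_USERS would return (including DEFAULT inheritance from the DEFAULT profile) and flags open accounts whose effective limits miss the control's thresholds; the thresholds, profile names and sample rows are assumptions.

```python
# Added example, not code from the deck or from Ecora: evaluate the limits an
# Oracle DBA_PROFILES / DBA_USERS export returns against assumed SOX thresholds.
UNLIMITED = float("inf")
# Assumed thresholds: ("max", n) fails above n, ("min", n) fails below n. Days, except attempts.
REQUIRED = {
    "PASSWORD_LIFE_TIME": ("max", 90),
    "PASSWORD_GRACE_TIME": ("max", 7),
    "PASSWORD_REUSE_TIME": ("min", 365),  # UNLIMITED blocks reuse only if PASSWORD_REUSE_MAX is not also UNLIMITED
    "FAILED_LOGIN_ATTEMPTS": ("max", 5),
    "PASSWORD_LOCK_TIME": ("min", 1),     # UNLIMITED means manual unlock by a DBA, which passes
}

def parse_limit(raw):
    """DBA_PROFILES.LIMIT is text: a number, UNLIMITED, or DEFAULT (inherit)."""
    raw = raw.strip().upper()
    return UNLIMITED if raw == "UNLIMITED" else None if raw == "DEFAULT" else float(raw)

def effective_limits(profiles, profile):
    """Resolve a profile's limits; DEFAULT entries inherit from the DEFAULT profile."""
    resolved = {}
    for name in REQUIRED:
        value = parse_limit(profiles[profile].get(name, "DEFAULT"))
        if value is None:  # inherit; a limit absent even from DEFAULT is treated as UNLIMITED
            value = parse_limit(profiles["DEFAULT"].get(name, "UNLIMITED"))
        resolved[name] = UNLIMITED if value is None else value
    return resolved

def check_profile(profiles, profile):
    """Return the failed control tests for one profile as readable strings."""
    failures = []
    for name, value in effective_limits(profiles, profile).items():
        kind, bound = REQUIRED[name]
        if (kind == "max" and value > bound) or (kind == "min" and value < bound):
            shown = "UNLIMITED" if value == UNLIMITED else int(value)
            failures.append(f"{name}={shown} (required {kind} {bound})")
    return failures

def password_validation_report(profiles, users):
    """Map each open account (DBA_USERS rows) to its profile's failures; [] means pass."""
    return {user: check_profile(profiles, profile)
            for user, profile, status in users if status.startswith("OPEN")}

# Constructed sample of what the two views would return.
SAMPLE_PROFILES = {
    "DEFAULT": {"PASSWORD_LIFE_TIME": "180", "PASSWORD_GRACE_TIME": "7",
                "PASSWORD_REUSE_TIME": "UNLIMITED", "FAILED_LOGIN_ATTEMPTS": "10",
                "PASSWORD_LOCK_TIME": "1"},
    "FIN_APP": {"PASSWORD_LIFE_TIME": "60", "FAILED_LOGIN_ATTEMPTS": "5"},  # rest inherit
}
SAMPLE_USERS = [("FINAPP", "FIN_APP", "OPEN"), ("SCOTT", "DEFAULT", "OPEN"),
                ("OLD_DBA", "DEFAULT", "EXPIRED & LOCKED")]
```

Accounts on a custom profile can pass while the DEFAULT profile, which every account not explicitly assigned elsewhere uses, fails; the report makes that visible per account rather than per profile.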

Page 20: Managing IT in the real world

Client Example – OS Internal Controls (columns: Internal Control / Test for Internal Control / Ecora Report for Test)

Internal Control: A control process exists to review and confirm OS access rights.
• Test: Audit and review user privileges on each system. Ecora report: User Privileges
• Test: Audit and review system access permissions to sensitive files. Ecora report: NTFS Permissions
• Test: Ensure systems are configured to restrict anonymous remote access to your systems. Ecora report: Remote Access
• Test: Select a sample of terminated employees and determine whether their access has been removed. Ecora report: User Access

Page 21: Managing IT in the real world

Client Example – OS Internal Controls (continued)

Internal Control: Procedures for protection against malicious programs are in place through the use of anti-virus and other software and measures.
• Test: Ensure systems are updated with appropriate service packs and hotfixes. Ecora report: Patch Levels
• Test: Ensure anti-virus software is installed on systems. Ecora report: Computer without Anti-virus Installed

Page 22: Managing IT in the real world

Client Example – OS Internal Controls (continued)

Internal Control: Procedures exist to maintain the effectiveness of authentication and access mechanisms.
• Test: Ensure the built-in local administrator account is renamed. Ecora report: Built-in Admin Renamed
• Test: Ensure strong password and account lockout policies are implemented. Ecora report: Password Policy
• Test: Ensure all services are configured appropriately and that only required services are running, to protect the system from unauthorized access. Ecora report: Services Summary
• Test: Audit and review the list of local administrators to ensure only appropriate accounts have full admin privileges. Ecora report: Admins Group Report
• Test: If using SNMP, ensure appropriate Community String(s) are defined to prevent unauthorized users from obtaining system status information. Ecora report: SNMP

Page 23: Managing IT in the real world

Client Example – OS Internal Controls (continued)

Internal Control: IT administration ensures appropriate audit mechanisms are in place to allow detailed event tracking.
• Test: Ensure a strong audit policy is configured so that an audit trail of events (e.g. account logon events, policy change, object access, process tracking, etc.) is recorded, providing an audit trail of user activity. Ecora report: Audit Policy
• Test: Ensure event log settings are configured to retain recorded events for an appropriate time and to prevent guest access to the logs. Ecora report: Event Log
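The "User Access" test on page 20 (sample terminated employees, confirm their access is gone) is a reconciliation between an HR feed and the account export from each system. The following is an added example, not code from this deck or from Ecora, that draws a reproducible sample, matches account names across naming conventions, and reports still-enabled accounts with their days since termination and any privileged group membership; the field layout, group names, grace period and sample data are assumptions.

```python
# Added example, not code from the deck or from Ecora: reconcile an HR
# termination list against account exports from each system, the way the
# "User Access" test samples terminated employees and checks that their
# access is gone. Layout, names and the grace period are assumptions.
from datetime import date
import random

GRACE_DAYS = 1                    # assumed: access removed within one day of termination
PRIVILEGED = {"administrators", "domain admins", "dba", "sysadmin"}

def normalize(account):
    """Fold 'CORP\\JSmith', 'jsmith@corp.example' and 'jsmith' to one identity key."""
    return account.strip().lower().split("\\")[-1].split("@")[0]

def select_sample(terminations, size, seed):
    """Reproducible sample of terminated users, so an auditor can re-run the selection."""
    return random.Random(seed).sample(sorted(terminations), min(size, len(terminations)))

def stale_access(terminations, snapshots, as_of, sample=None):
    """Findings for terminated users whose accounts are still enabled on any system.
    terminations: {hr_username: termination_date}; sample: subset of hr usernames or None
    snapshots: {system_name: [(account_name, enabled, [group, ...]), ...]}"""
    term_dates = {normalize(u): d for u, d in terminations.items()
                  if sample is None or u in sample}
    findings = []
    for system, accounts in snapshots.items():
        for account, enabled, groups in accounts:
            key = normalize(account)
            if key not in term_dates or not enabled:
                continue                      # not terminated, or already disabled
            days_open = (as_of - term_dates[key]).days
            privileged = sorted(g for g in groups if g.lower() in PRIVILEGED)
            findings.append({"system": system, "account": account,
                             "days_since_termination": days_open,
                             "overdue": days_open > GRACE_DAYS,
                             "severity": "high" if privileged else "medium",
                             "privileged_groups": privileged})
    return findings

# Constructed sample data: the HR feed plus an account export from each system.
SAMPLE_TERMINATIONS = {"jsmith": date(2005, 3, 1), "mlee": date(2005, 6, 14),
                       "rgarcia": date(2005, 1, 10)}
SAMPLE_SNAPSHOTS = {
    "FINSRV01": [("CORP\\JSmith", True, ["Administrators", "Users"]),
                 ("mlee", False, ["Users"]), ("apatel", True, ["Users"])],
    "ORA-PROD": [("JSMITH", True, ["DBA"]), ("RGARCIA", True, ["CONNECT"])],
}
```

A disabled account (mlee above) is not a finding, but the same person can appear under different spellings on different systems, which is why the match is done on the normalized key rather than the raw export name.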

Page 24: Managing IT in the real world

Summary

Sarbanes-Oxley is here to stay – annual and quarterly

Internal controls defined by each company

IT will bear an increasing burden of SOX compliance

A framework can be a guide

IT general controls are the foundation of all controls

Sustainability is a requirement

Automation tools will make your job easier

Page 25: Managing IT in the real world

And now a word from our sponsor…

• Enterprise Auditor automates the collection of configuration data from the major infrastructure applications, databases, OSs, and network components and delivers audit ready reports.

• Ecora’s Enterprise Auditor forms the foundation for Sarbanes-Oxley IT internal controls. It gives you a platform for, and proof of, compliance with IT internal controls.

• Solution Express combines Enterprise Auditor and an Ecora Systems Engineer (no charge) to get your IT Sarbanes-Oxley compliance effort on a fast track.

Ecora Software, Inc. and Enterprise Auditor
