SOX & IT Governance
A New Reality
Corey Benish, CISA
Background
Certified Information Systems Auditor.
Experience in various industries including broker-dealer, private asset management, mortgage and commercial lending, manufacturing, software development, and other financial services.
Managed Sarbanes-Oxley compliance activities for both business and IT processes.
Consulted with organizations of various sizes (< $1 billion in revenue to >$10 billion in revenue) on their Sarbanes-Oxley compliance.
Agenda
Sarbanes – Oxley (SOX) Review
Outcomes of SOX
Common IT Governance Frameworks
“Typical” Compliance Approach
Key Success Factors
Question & Answer
Sarbanes – Oxley (SOX) Review
SOX Review - Intent of the Law
Strong corporate governance.
Increased accountability of executives.
Strengthen anti-fraud measures.
Protect public interest and restore investor confidence.
SOX Review - Intent of the Law
The Bottom Line…
SOX is designed to ensure public companies have controls in place over financial reporting; controls that support the assertions that are made in public disclosures of financial statements.
SOX Review - Effective Dates
The Sarbanes-Oxley Act of 2002 was enacted by Congress on July 26, 2002.
Companies were required to be compliant by various dates (based upon several factors including market capitalization, spin-off exclusions, etc.). An extension of the deadline for non-accelerated filers is currently under consideration (on or after 12/31/2007 for management assessment; on or after 12/31/2008 for auditor attestation).
Going forward, every public company will have to provide certifications quarterly and annually.
SOX Review - Key Sections
Section 302 (Certification): Officers of the company must make representations related to the disclosure of controls, procedures, internal controls and assurance from fraud.
Officers personally responsible.
Officers could be subject to criminal prosecution and fines.
Unintentionally Bad Certification: Fines up to $1 Million and up to 10 years imprisonment.
“Willfully” Bad Certification: Fines up to $5 Million and up to 20 years imprisonment.
Ultimately, SEC can order the company be de-listed.
SOX Review - Key Sections
Section 404 (Internal Controls): Management must provide an annual assessment as to the effectiveness of internal controls over financial reporting; and obtain an attestation from external auditors that management’s approach was effective and that controls are effective.
Annual reports will need to contain a report that:
States the responsibility management has been given to establish and maintain an adequate internal control structure and procedures for financial reporting.
Contains a current, point-in-time assessment of the effectiveness of that structure and procedures.
Shows that the external auditor has attested to and reported on assessments made by management.
SOX Review - Key Sections
Section 404 Annual Assessment
Management’s assessment must be based on procedures sufficient both to evaluate design and test operating effectiveness. Inquiry alone will generally not provide an adequate basis for assessment.
Management must maintain evidential matter, including documentation, to provide reasonable support for its assessment and testing of both design and operating effectiveness.
Any material weakness in internal controls over financial reporting must be disclosed by management in its filings, and management is precluded from reporting that internal controls over financial reporting are effective if a material weakness is detected.
Management must be actively involved in the assessment process; it cannot delegate assessment responsibility to the auditor.
SOX Review - Key Sections
Section 404 – A small section…
…but a bulk of the work!!
SOX Review - Groups that Oversee
Securities & Exchange Commission (SEC)
The primary overseer and regulator of the U.S. securities market. Oversees key participants in the securities world, including securities exchanges, securities brokers and dealers, investment advisors, and mutual funds.
Public Company Accounting Oversight Board (PCAOB)
“…a private-sector, non-profit corporation, created by the Sarbanes – Oxley Act of 2002, to oversee the auditors of public companies in order to protect the interests of investors and further the public interest in the preparation of informative, fair, and independent audit reports.”
PCAOB website (www.pcaobus.org)
Outcomes of SOX
SOX – Consequences & Cost
External audit fees are dramatically increasing.
Smaller companies are having difficulty acquiring audit services.
Less competition in the assurance industry (particularly internationally).
Changing relationships between external auditors and their clients.
It is estimated that Sarbanes-Oxley compliance cost firms in the U.S. approximately $6 billion a year and that this level of spending will continue for the upcoming years.
SOX – Positive Outcomes
Development of an efficient, organized approach to regulatory challenges.
Process improvements driving company performance.
IT infrastructure enhancements.
Stronger tone at the top.
Internal audit viewed as key team member.
Faster identification and remediation of exceptions.
Improved cultural awareness of controls and control activities.
Common IT Governance Frameworks
Governance - COSO
Comprehensive framework for evaluating an organization’s controls; process-oriented and controls-based.
Focuses on fiduciary controls; lends itself well to evaluating business processes for SOX.
3 objective categories: Operations, Financial Reporting, and Compliance.
5 control components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring.
More information available online (www.coso.org).
Governance - COBIT
IT framework established by IT Governance Institute (ITGI) and Information System Audit and Control Association (ISACA).
Comprehensive framework with 4 domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.
ITGI/ISACA recently issued the second edition of “IT Control Objectives for Sarbanes-Oxley”. Maps 12 (of 34) high-level objectives from COBIT to the PCAOB’s 4 categories for General Computer Controls: Program Changes, Program Development, Computer Operations, and Access to Programs and Data.
More information available at ITGI (www.itgi.org) or ISACA (www.isaca.org).
Governance - Other
While COSO and COBIT are widely utilized, there are other frameworks available that can also be leveraged in support of SOX including:
IT Infrastructure Library (ITIL) – www.itil.co.uk
International Organization for Standardization (ISO) 17799 – www.iso.org. Can be used to augment COBIT security objectives.
“Typical” Compliance Approach
Train → Scope → Document → Test → Remediate → Re-Test → Certify → Repeat
“Typical” Compliance Approach
SOX requires companies develop and align compliance approach and methodology with a generally accepted internal control framework (e.g. – COSO & COBIT).
Define materiality (e.g. - 5% of Income Before Taxes):
Deficiency = <20% of materiality.
Significant Deficiency = 20% - 99% of materiality.
Material Weakness = 100% or more of materiality.
Scope and map processes based upon materiality and other qualitative risk factors.
“Typical” Compliance Approach
Decentralized organizations often have processes spread across various business units, locations, countries, etc. If the company is U.S. based and publicly held, foreign locations can also be subject to compliance if they are material enough to be in-scope.
Training is critical to ensuring cultural acceptance of controls and consistent understanding of compliance requirements.
Define terms to create a common vocabulary.
“Typical” Compliance Approach
Utilize risk based approach. Process & control ranking (e.g. - High, Medium, Low).
Complete documentation:
Entity-level controls.
Business process controls, anti-fraud controls, outside service provider controls.
IT controls: general computing controls, application & interface controls, end-user computing controls.
Complete design assessment.
“Typical” Compliance Approach
Perform testing (operating effectiveness assessment). Use a risk based testing approach focused on high-ranked processes and primary controls.
Focus on evidence – it is the key to proving the control existed and was operating as designed. PCAOB (AS2) specifies that inquiry alone is not sufficient.
Identify potential control weaknesses resulting from design and operating effectiveness assessments.
Coordinate with external auditors for their evaluation and testing.
“Typical” Compliance Approach
Assess overall impact of potential control weaknesses and determine remediation plan, ownership, and completion dates. Control weaknesses are evaluated individually and in aggregate.
Example Evaluation Matrix (Likelihood vs. Significance)

Likelihood        | Inconsequential     | More than Inconsequential | Material
------------------|---------------------|---------------------------|-----------------------
More than Remote  | Deficiency          | Significant Deficiency    | Material Weakness
Remote            | Other Observations  | Deficiency                | Significant Deficiency
“Typical” Compliance Approach
Re-test near year-end in support of 404 opinion. High risk processes may require a full retest. Include any remediated control weaknesses in the retesting. Be aware of sampling needs when determining the roll-forward testing timing (i.e. – ensure enough days remain in the year to obtain a daily sample of 25 days).
Coordinate with external auditors for their evaluation and testing.
“Typical” Compliance Approach
Since the CEO and CFO certify to the financial statements quarterly, it is common for organizations to utilize a quarterly certification process.
The quarterly certifications roll-up to the CEO and CFO beginning with the process owners, then the process managers, then senior management and IT. Certifications can be tailored to the quarter and the audience.
Once the effort is complete for the current fiscal year, the process starts over again for the next fiscal year.
“Typical” Compliance Approach
SOX-404 Compliance Timeline (fiscal year Jan–Dec, quarters Q1–Q4; timeline figure, labels recovered below)
Planning & Oversight: ongoing planning & oversight provided by ownership group.
Risk Assessment & Scoping: initial scoping; finalize risk assessment & mapping for year-end.
Training: refresh training for process owners & process managers; training for new hires is ongoing.
Documentation: new in-scope processes & controls.
Testing: walkthroughs, testing and roll-forward; L/H risk processes, M risk processes, roll-forward.
Remediation: ongoing remediation.
Certification: Q1, Q2, Q3, Q4.
External Audit: planning; new in-scope processes & controls; L/H risk processes, M risk processes, roll-forward.
LEGEND: L = Low, M = Medium, H = High.
Key Success Factors
Additions or changes should be SOX-compliant upon implementation.
After completing your first-year filing, the requirements for accuracy of interim financial statements become much more rigorous since SOX legislation requires real-time disclosure of significant or material changes in the control environment.
This leaves companies with a limited remediation window if they should discover that an addition or change created a control weakness.
Key Success Factors
Process owners and process managers should own and maintain documentation.
Process owners and process managers should be prepared to participate in testing.
The organization should continue to identify and communicate ongoing change to the ownership group for impact assessment on process/control documentation.
Compliance Maturity
The level of sophistication with which a company manages its compliance initiatives is directly proportional to the value it derives in terms of internal control effectiveness and risk management.
(Chart: Business Value plotted against Compliance Management Maturity.)
Maturity stages along the axis: Fundamental, Foundational, Sustainable, Integrated, Perpetual.
Functions shown: Internal Audit, Strategic Planning, Risk Mgmt, Ops, Treasury, Legal.
Characteristics, from least to most mature:
•Year one compliance
•Redundant efforts
•Minimum required beyond year one
•Disclosure and change management
•Operationalize SOX compliance activities
•Risk based financials
•Integration of operational and financial risk mgmt.
•Mature governance processes
•Continuous monitoring and risk assessment
•Real time response enabled by technology
Question & Answer