Page 1: twin-spin.cs.umn.edu

SOX & IT Governance

A New Reality

Corey Benish, CISA

Page 2

Background

Certified Information Systems Auditor.

Experience in various industries including broker-dealer, private asset management, mortgage and commercial lending, manufacturing, software development, and other financial services.

Managed Sarbanes-Oxley compliance activities for both business and IT processes.

Consulted with organizations of various sizes (< $1 billion in revenue to >$10 billion in revenue) on their Sarbanes-Oxley compliance.

Page 3

Agenda

Sarbanes – Oxley (SOX) Review

Outcomes of SOX

Common IT Governance Frameworks

“Typical” Compliance Approach

Key Success Factors

Question & Answer

Page 4

Sarbanes – Oxley (SOX) Review

Page 5

SOX Review - Intent of the Law

Strong corporate governance.

Increased accountability of executives.

Strengthen anti-fraud measures.

Protect public interest and restore investor confidence.

Page 6

SOX Review - Intent of the Law

The Bottom Line…

SOX is designed to ensure public companies have controls in place over financial reporting; controls that support the assertions that are made in public disclosures of financial statements.

Page 7

SOX Review - Effective Dates

The Sarbanes-Oxley Act of 2002 was enacted by Congress on July 26, 2002.

Companies were required to be compliant by various dates (based upon several factors including market capitalization, spin-off exclusions, etc.). The SEC is currently considering extending the deadline for non-accelerated filers (on or after 12/31/2007 for management assessment; on or after 12/31/2008 for auditor attestation).

Going forward, every public company will have to provide certifications quarterly and annually.

Page 8

SOX Review - Key Sections

Section 302 (Certification): Officers of the company must make representations related to the disclosure of controls, procedures, internal controls and assurance from fraud.

Officers personally responsible.

Officers could be subject to criminal prosecution and fines.

Unintentionally Bad Certification: Fines up to $1 Million and up to 10 years imprisonment.

“Willfully” Bad Certification: Fines up to $5 Million and up to 20 years imprisonment.

Ultimately, the SEC can order the company be de-listed.

Page 9

SOX Review - Key Sections

Section 404 (Internal Controls): Management must provide an annual assessment as to the effectiveness of internal controls over financial reporting, and obtain an attestation from external auditors that management’s approach was effective and that controls are effective. Annual reports will need to contain a report that:

States the responsibility management has been given to establish and maintain an adequate internal control structure and procedures for financial reporting.

Contains a current, point-in-time assessment of the effectiveness of that structure and procedures.

The external auditor has attested to and reported on assessments made by management.

Page 10

SOX Review - Key Sections

Section 404 Annual Assessment

Management’s assessment must be based on procedures sufficient both to evaluate design and to test operating effectiveness. Inquiry alone will generally not provide an adequate basis for assessment.

Management must maintain evidential matter, including documentation, to provide reasonable support for its assessment and testing of both design and operating effectiveness.

Any material weakness in internal controls over financial reporting must be disclosed by management in its filings and management is precluded from reporting that internal controls over financial reporting are effective if a material weakness is detected.

Management must be actively involved in the assessment process; it cannot delegate assessment responsibility to the auditor.

Page 11

SOX Review - Key Sections

Section 404 – A small section…

…but a bulk of the work!!

Page 12

SOX Review - Groups that Oversee

Securities & Exchange Commission (SEC)

The primary overseer and regulator of the U.S. securities market. Oversees key participants in the securities world, including securities exchanges, securities brokers and dealers, investment advisors, and mutual funds.

Public Company Accounting Oversight Board (PCAOB)

“…a private-sector, non-profit corporation, created by the Sarbanes – Oxley Act of 2002, to oversee the auditors of public companies in order to protect the interests of investors and further the public interest in the preparation of informative, fair, and independent audit reports.”

PCAOB website (www.pcaobus.org)

Page 13

Outcomes of SOX

Page 14

SOX – Consequences & Cost

External audit fees are dramatically increasing.

Smaller companies are having difficulty acquiring audit services.

Less competition in the assurance industry (particularly internationally).

Changing relationships between external auditors and their clients.

It is estimated that Sarbanes-Oxley compliance cost firms in the U.S. approximately $6 billion a year and that this level of spending will continue for the upcoming years.

Page 15

SOX – Positive Outcomes

Development of an efficient, organized approach to regulatory challenges.

Process improvements driving company performance.

IT infrastructure enhancements.

Stronger tone at the top.

Internal audit viewed as key team member.

Faster identification and remediation of exceptions.

Improved cultural awareness of controls and control activities.

Page 16

Common IT Governance Frameworks

Page 17

Governance - COSO

Comprehensive framework for evaluating an organization’s controls; process-oriented and controls-based.

Focuses on fiduciary controls; lends itself well to evaluating business processes for SOX.

3 objective categories: Operations, Financial Reporting, and Compliance.

5 control components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring.

More information available online (www.coso.org).

Page 18

Governance - COBIT

IT framework established by the IT Governance Institute (ITGI) and the Information Systems Audit and Control Association (ISACA).

Comprehensive framework with 4 domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

ITGI/ISACA recently issued the second edition of “IT Control Objectives for Sarbanes-Oxley”. It maps 12 (of 34) high-level objectives from COBIT to the PCAOB’s 4 categories for General Computer Controls: Program Changes, Program Development, Computer Operations, and Access to Programs and Data.

More information available at ITGI (www.itgi.org) or ISACA (www.isaca.org).

Page 19

Governance - Other

While COSO and COBIT are widely utilized, there are other frameworks available that can also be leveraged in support of SOX, including:

IT Infrastructure Library (ITIL) – www.itil.co.uk

International Organization for Standardization (ISO) 17799 – www.iso.org. Can be used to augment COBIT security objectives.

Page 20

“Typical” Compliance Approach

Page 21

“Typical” Compliance Approach

Train → Scope → Document → Test → Remediate → Re-Test → Certify (Repeat)

Page 22

“Typical” Compliance Approach

SOX requires companies to develop and align their compliance approach and methodology with a generally accepted internal control framework (e.g. COSO & COBIT).

Define materiality (e.g. 5% of Income Before Taxes). Deficiency = less than 20% of materiality. Significant Deficiency = 20% - 99% of materiality. Material Weakness = 100% or more of materiality.

Scope and map processes based upon materiality and other qualitative risk factors.


Page 23

“Typical” Compliance Approach

Decentralized organizations often have processes spread across various business units, locations, countries, etc. If the company is U.S. based and publicly held, foreign locations can also be subject to compliance if they are material enough to be in-scope.

Training is critical to ensuring cultural acceptance of controls and consistent understanding of compliance requirements.

Define terms to create a common vocabulary.


Page 24

“Typical” Compliance Approach

Utilize a risk based approach. Process & control ranking (e.g. High, Medium, Low).

Complete documentation:
  Entity-level controls.
  Business process controls, anti-fraud controls, outside service provider controls.
  IT controls: general computing controls, application & interface controls, end-user computing controls.

Complete design assessment.


Page 25

“Typical” Compliance Approach

Perform testing (operating effectiveness assessment). Use a risk based testing approach focused on high-ranked processes and primary controls. Focus on evidence – it is the key to proving the control existed and was operating as designed. PCAOB (AS2) specifies that inquiry alone is not sufficient.

Identify potential control weaknesses resulting from design and operating effectiveness assessments.

Coordinate with external auditors for their evaluation and testing.


Page 26

“Typical” Compliance Approach

Assess overall impact of potential control weaknesses and determine remediation plan, ownership, and completion dates. Control weaknesses are evaluated individually and in aggregate.


Example Evaluation Matrix (rows: Likelihood; columns: Significance)

Likelihood          Inconsequential       More than Inconsequential   Material
Remote              Other Observations    Deficiency                  Significant Deficiency
More than Remote    Deficiency            Significant Deficiency      Material Weakness

Page 27

“Typical” Compliance Approach

Re-test near year-end in support of the 404 opinion. High risk processes may require a full retest. Include any remediated control weaknesses in the retesting. Be aware of sampling needs when determining the roll-forward testing timing (i.e. ensure enough days remain in the year to obtain a daily sample of 25 days).

Coordinate with external auditors for their evaluation and testing.


Page 28

“Typical” Compliance Approach

Since the CEO and CFO certify to the financial statements quarterly, it is common for organizations to utilize a quarterly certification process.

The quarterly certifications roll up to the CEO and CFO, beginning with the process owners, then the process managers, then senior management and IT. Certifications can be tailored to the quarter and the audience.

Once the effort is complete for the current fiscal year, the process starts over again for the next fiscal year.


Page 29

“Typical” Compliance Approach - SOX-404 Compliance Timeline

[Gantt-style chart of one fiscal year, Jan through Dec (Q1 through Q4), with one row per activity: Planning & Oversight, Risk Assessment & Scoping, Training, Documentation, Testing, Remediation, Certification, External Audit. Bar labels in the chart: Ongoing Planning & Oversight Provided by Ownership Group; Initial Scoping; Finalize Risk Assessment & Mapping for Year-End; Refresh Training for Process Owners & Process Managers; Training for New Hires - Ongoing; New In-Scope Processes & Controls; L/H Risk Processes, M Risk Processes, Roll-Forward; Ongoing Remediation; Planning; Walkthroughs, Testing, Roll-Forward.]

LEGEND: L = Low, M = Medium, H = High

Page 30

Key Success Factors

Page 31

Key Success Factors

Additions or changes should be SOX-compliant upon implementation.

After completing your first-year filing, the requirements for accuracy of interim financial statements become much more rigorous, since SOX legislation requires real-time disclosure of significant or material changes in the control environment.

This leaves companies with a limited remediation window if they should discover that an addition or change created a control weakness.

Page 32

Key Success Factors

Process owners and process managers should own and maintain documentation.

Process owners and process managers should be prepared to participate in testing.

The organization should continue to identify and communicate ongoing change to the ownership group for impact assessment on process/control documentation.

Page 33

Compliance Maturity

The level of sophistication with which a company manages its compliance initiatives is directly proportional to the value it derives in terms of internal control effectiveness and risk management.

[Chart: Business Value (vertical axis) against Compliance Management Maturity (horizontal axis), with the stages Fundamental, Foundational, Sustainable, Integrated and Perpetual, and the functions Internal Audit, Strategic Planning, Risk Mgmt, Ops, Treasury and Legal drawn on the chart. Characteristics listed along the curve:]

• Year one compliance
• Redundant efforts
• Minimum required beyond year one
• Disclosure and change management
• Operationalize SOX compliance activities
• Risk based financials
• Integration of operational and financial risk mgmt.
• Mature governance processes
• Continuous monitoring and risk assessment
• Real time response enabled by technology

Page 34

Question & Answer
