Introduction of Panel Members
Sarbanes-Oxley Workshop
February 10, 2004
John Lambeth, CISSP, CISA
Agenda
Overview of Sarbanes-Oxley Requirements and COSO Framework
Impact on Corporate IT organizations
A proposed Project Approach
Data Collection and Documentation Approach
Roles and Responsibilities
PMO Set-up and Scoping
Leveraging CPM/BI projects to meet real-time disclosure requirements
After initial compliance, what’s next…
Objectives for today’s workshop
• Provide you with an overview of some of the key issues that CIOs need to be aware of when responding to Sarbanes-Oxley
• Create an interactive environment in today’s workshop to share tips and experiences with each other
• Create a personal checklist of items to discuss with your internal audit and business partners
Overview of Sarbanes-Oxley Requirements
[Diagram: Sarbanes-Oxley Act; legend: Internal Controls Over Financial Reporting, Disclosure Controls and Procedures, Internal Controls over Disclosure Requirements]
Section 302:
• Quarterly certification by CEO/CFO, who are responsible for “Disclosure Control Procedures” (DCP) – a broad range of information (financial and non-financial)
• Certify to effectiveness of DCPs based on evaluation within 90 days
• Disclose to Audit Committee and external auditor any significant deficiencies / material weakness or fraud (material or not)
Section 404:
• Annual assertion by management, who are responsible for effectiveness of controls over reliable financial reporting – e.g., a deep view of internal control procedures and practices
• Focus on both design and operational effectiveness of financial reporting controls
• Controls must be documented and tested
• External auditor to render opinion (“attestation”) on management’s internal control assertion
Slide credit: PricewaterhouseCoopers
Overview of Sarbanes-Oxley Requirements
[Diagram: Sarbanes-Oxley Act; legend: Internal Controls Over Financial Reporting, Disclosure Controls and Procedures, Internal Controls over Disclosure Requirements]
Section 409:
• Calls for real-time disclosure of significant changes to financial position
• Requires public companies to report material events in a timely manner
• “Timely” is yet to be defined, but may be as soon as 48 hours from the event
Impacts:
• Extends effort from controls documentation of reporting systems to real-time reporting requirements
• Batch or historic reporting capabilities need to be reviewed for their ability to support an on-going CPM/BI capability
Image credit: PricewaterhouseCoopers
AICPA’s Statement on Standards for Attestation Engagements, Section 501, as amended
Stronger requirement of management to document and evaluate internal controls
Required management procedures:
• Material divisions and locations included in evaluation
• Identification and documentation of significant controls to cover control objectives
• Evaluation and review of design effectiveness
• Tests of operating effectiveness
• Evaluation of control deficiencies to determine whether they are deficiencies, significant deficiencies or material weaknesses
• Written assertion required
• Communication of findings to auditor and audit committee
Auditor to evaluate management’s assertion as of a point in time (December 31, 2004)
Scope of work includes independent testing of controls as well as testing of management’s assessment process
Scope of controls testing includes testing over areas that generate judgments and estimates
The COSO Framework: The Only Recognized Internal Control Framework
COSO is an integrated framework for internal control which, when implemented, can provide a baseline to establish a control structure that meets Section 302 requirements and supports 404 attestation.
While Internal Control was not defined in the Sarbanes-Oxley Act, the COSO definition has been accepted by the US government and its agencies, incorporated in US auditing standards (AU 319), and is a generally accepted integrated framework for control infrastructure. Under regulations for Section 404, the SEC will use AU 319 as the reference.
Internal Control is defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
COSO identifies five components of control that need to be in place and integrated to ensure the achievement of each of the objectives.
Overview of Financial Reporting: Develop and Document Activities, Policies, Inputs, and Disclosures
Financial Reporting Overview (layers: Governance, Consolidation/Reporting, Accounting, Counting)
Governance
What is it? Audit committee charter, whistle blower program, internal audit, legal, regulatory compliance…
Who does it? Board of Directors, Audit Committee, Senior Management
Consolidation / Reporting
What is it? Process for compiling the financial statements and preparing financial reporting (e.g., closing processes and procedures, policies, accounting manuals, etc.)
Who does it? CFO, Corporate Controller, Division Level CAO, Corporate Accounting department
Accounting
What is it? Transactions that are not reflected in subsidiary or admin systems within books and records (e.g., accruals, sale of subsidiary, taxes)
Who does it? Accounting department management (e.g., CAO, Financial Reporting Director)
Counting
What is it? Transactions that occur in operations and are included in the subsidiary or admin systems (e.g., premium remittance, benefit payment)
Who does it? Systems with high transaction volume, which make complex calculations and are relied upon for accuracy
Credit: PricewaterhouseCoopers
Impact to IT and Audit staffs
Significant unplanned, and possibly unbudgeted, activity for IT
• Causes trade-offs with other existing IT projects
• Remediation effort is difficult to quantify until after controls are documented and gaps noted
Impact to internal audit staffs
• Audit experience should place them in a high-profile position on the Sarbox project
• Trade-off of limited audit staff resources with on-going internal audit responsibilities
• Goal: reestablish ownership of ongoing Sarbox compliance with the business partner
Record keeping
• Adequate control over paper and electronic records
• Intersection of record requirements with company record retention policies
Project Approach Overview
Phase 1 – Project and PMO Set-up and Scoping
Phase 2 – Data Collection and Documentation
Phase 3 – Gap Analysis
Phase 4 – Validation and Testing
Phase 5 – Remediation
Phase I: Project and PMO Set-up and Scoping
Finalize project scope – divisions, financial statement components, processes
Define approach and team organization
Establish assessment criteria for process areas and IT
Implement communications strategy and issue management process
Conduct training:
• Awareness: all project participants
• Process and Tools: core project team members
Project Sponsor
Provide enterprise sponsorship and oversight throughout project
Review and resolve significant issues escalated through Steering Committee
Review results of management assessment
Estimated Level of Effort: Involvement throughout project, as needed
Steering Committee
Participate in monthly, or as needed, Committee Meetings
Review and resolve issues escalated through Project Manager
Review status on key milestones
Re-align resources as required throughout the project
Support Project Manager in planning and risk management
Signoff on key deliverables
Estimated Level of Effort: Monthly meetings and other involvement as needed
404 Project Team: Roles and Responsibilities
Project Office
Provide day-to-day management/support to Project Team Members
Ensure team activities conform to authorized guidelines, policies and standards
Facilitate monthly Steering Committee and weekly Project Team status meetings
Present resource concerns, dependencies, issues, risks and progress to Project Managers
Monitor/escalate unresolved issues and risks for resolution
Provide monthly status reports to Steering Committee
Communicate project tasks and objectives to Project Team Members
Monitor communication activities (internal and external)
404 Project Team: Roles and Responsibilities
Division Team Leaders
Deliver project activities
Participate in weekly status meetings
Support Team Members and monitor Team Member task completion
Apply policies, guidelines and standards across function and division
Track definition and implementation of remediation plans for Division
Environment Liaisons
Provide overview of cycle and participate in Divisional Team meetings, as required
Designate process SMEs to provide detailed process and control information
Assist in the organization of the workshops around the process flow of the cycle
Assist in understanding and assessing interfaces between and among different transactions within the cycle
Oversee implementation of remediation actions to address control gaps
404 Project Team: Roles and Responsibilities
Project Manager
Single contact for all Project Team Members
Provide direction to Project Team Members
Participate in monthly, or as needed, Disclosure Committee meetings and weekly project team meetings
Review and resolve issues escalated by the Project Office; escalate priority issues
Exercise objectivity in decision-making, resource allocation and dispute resolution
Provide guidance and support for Project Team Members in performing tasks
Ensure Project Team Members adhere to established guidelines, policies and standards
Estimated Level of Effort: Full time dedicated, through duration of project
404 Project Team: Roles and Responsibilities
IT Systems Experts
Participate in main facilitated workshops to support SME understanding of automated application-level controls
Assist in understanding systems supporting major processes and determining which are considered in scope (including interfaces)
Assist in validating IT control criteria and training Documentation Specialists
Participate in IT-specific workshops to define and document general computer controls
Oversee implementation of remediation actions and address control gaps
Assist in understanding Corporate systems supporting cycles and determining which are considered in scope (including interfaces)
404 Project Team: Roles and Responsibilities
Phase II: Data Collection
Inventory and review existing documentation
Conduct preliminary workshops:
• Enhance education
• Develop high-level process overviews
• Tailor project tools (e.g., control matrices)
• Pre-populate control matrices
Interview, observation and/or self assessment to complete documentation
Workshop Overview: Participants, Objectives, Activities, Outputs
Primary Objectives:
• Understand the flow of information through the transactions under discussion
• Identify linkages and inter-dependencies with other transactions and processes (where does it start and stop)
• Understand risks and controls in a sufficient manner to tailor control matrices for the documentation effort
Key Activities:
• Validate initial scoping
• Discuss and document high-level flow of information within the process, interfaces to other processes, and supporting systems
• Discuss risks and control objectives
Workshop Outputs:
• Schematic diagram of process
• Tailored control matrix
Documentation Specialists
Participate in specialized training sessions to obtain working knowledge of project documentation approach and tools
Participate in facilitated workshops and working meetings for specific cycle/processes
Document detailed process and control information for assigned area
Assess documented controls for design/existence gaps
Report risk/issues and progress to Project Team Leader
404 Project Team: Roles and Responsibilities
Phase III: Gap Analysis
Assess current state analysis for design gaps (per COSO control objectives and best practices)
Identify and report design gaps
Define recommendations to address gaps
IT Control Evaluation Process
Perform gap analysis, validation/testing and remediation
Close coordination with process teams
Use same reporting format for findings as cycles/processes
Will require close coordination with process teams, especially regarding the impact of identified gaps
Phase IV: Validation and Testing
Identify key controls to test
Design tests of controls
Execute tests of controls
Evaluate test results
Identify and report operating effectiveness gaps
Phase V: Remediation
Define remediation steps
Implement remediation steps
Re-test design and operating effectiveness
Ongoing 404 Considerations
Ownership of ongoing Sarbanes-Oxley compliance
• Establish overall responsibility for on-going compliance
• Role of IT in quarterly 302 attestations
• Process for updates to controls
Supporting documentation
• Where?
• In what format?
• For how long?
• Updates to documentation, document retention
Surveying Sarbanes-Oxley Solutions
Control documentation requirements of Sarbox have led to a variety of vendor tool offerings
Sarbanes-Oxley compliance does not come packaged in any IT solution
• Compliance is achieved through effective processes and through how you leverage technology for Sarbanes-Oxley compliance via more effective collaboration and records management
• Before making significant investments in “Sarbox software”, it is important to look at your company’s collaboration and document management challenges and how your technical architecture currently deals with them
• E-mail policy
• Workgroup collaboration
• BI / CPM
Source: Gartner, “Sarbanes–Oxley Vendor Evaluation Framework”
CRM / Business Intelligence
Section 409
• Calls for real-time disclosure
• Straight-through information processing
• In many cases an effective ERP solution serves as the foundation for financial reporting and analysis tools
• BI / CPM solutions
• Create environment that fosters validity of data flowing through the enterprise
• Integrated tools for reporting and Web-based statuses
Credit: C. Imhoff, DM Review, Jan ’04
CRM / Business Intelligence
BAM (Business Activity Monitoring) strategies may play a significant role in on-going real-time reporting strategies
• Visibility into critical events
• Captures events that modify the state of business processes
What is the role of executive dashboards in your enterprise reporting strategy?
• Create real-time flow of key financial points/trends
Data strategy
• Common data definitions
• Common data labels / tags
• Validate “official sources” of information
Summary
Overview of Sarbanes-Oxley Requirements and COSO Framework
Sarbox has a significant, and somewhat unpredictable, impact on Corporate IT organizations
A structured project approach is the most effective way to attack the project
Examine current technical architecture components and use this information to guide selection of additional software components
Consider role of CPM/BI projects
Create active forum for discussion of ongoing Sarbox compliance ownership