IT and Financial Compliance: Closing the Gaps in Sarbanes-Oxley

Slide 1. IT and Financial Compliance: Closing the Gaps in Sarbanes-Oxley
April 19, 2005
Steve Greenstein / Rudy Kiste

Slide 2. Closing / Explaining the Gaps in Sarbanes-Oxley

Slide 3. About BridgeMark
  • BDO Seidman, LLP’s BridgeMark practice is dedicated to Risk Consulting and Advisory Services. We leverage our more than 90-year heritage as a CPA firm, entrepreneurial spirit, full service capabilities and extraordinary responsiveness to deliver value to companies throughout our local offices and our global network.
  • BDO Seidman
    • U.S. member firm of BDO International
    • $375 million in revenue
    • Over 2,100 people in 36 offices plus over 5,000 professionals in 185 alliance firm locations
  • BDO International
    • $2.9 billion in revenue
    • 5th largest global accounting firm in the world
    • Over 22,600 people in 590 member firm offices in 100 countries

Slide 4. BridgeMark Spectrum of Services
  • Experienced in executing integrated Non-US SOX Compliance Projects
  • Compliance Services
    • Sarbanes-Oxley Readiness Service
    • Corporate Governance Assessment
    • Regulatory Risks (PATRIOT, HIPAA, SAS 70, GLB)
    • Human Resource Compliance
    • Federal and State Regulations
  • Business Process Improvement
    • Operational Performance Reviews
    • Business Process Integration
    • Financial Analysis & Modeling
    • System Implementation Support
    • Special Accounting Projects
    • Project Management Office (PMO)
  • Technology Risk & Security
    • Enterprise Security
    • System Controls and Effectiveness
    • Business Continuity Planning
    • Privacy & Data Protection
    • Vulnerability Analysis and Testing
    • Technology & Strategy Alignment
    • Change Management
  • Internal Audit – Financial, Operational and Information Technology
    • Risk Assessment
    • Internal Audit Transformation
    • Strategic Partnering & Staffing
    • Vendor, Royalty & Construction Audits
    • Fraud/Forensic Investigations
    • Establishment of Internal Audit Function
    • Information Technology Audit

Slide 5. Reporting Requirements
  • The Requirements: Key Sections 302, 404 and 409 (Appendix A) and SEC Rulemaking
  • Management’s Assertion
  • Frameworks: COSO & COSO ERM, COBIT, Basel II, ISO17799 and AS/NZS 4360:1999
  • PCAOB Auditing Standard No. 2
  • Company’s Assessment Process, Documentation and Testing

Slide 6. COBIT Components
(diagram only; no text on the slide)

Slide 7. Information Technology Compliance
  • Today’s Organizations are Concerned About:
    • Risk Management
    • Governance
    • Control
    • Assurance (and Consulting)
  • Importance of IT Compliance and integration:
    • Enhances corporate accountability.
    • IT plays a vital role in the internal control structure.
    • Systems, data and infrastructure components are critical to the financial reporting process.
    • Develop a compliance plan that specifically addresses IT controls.
    • Integrate the Sarbanes-Oxley compliance plan into the overall IT plan.

Slide 8. BridgeMark Can Add Value By:
  • Financial and IT experience in performing integrated off-shore and Non-US SOX Compliance projects.
  • Defining risk tolerances where none have been identified, based on experience, judgment, and consultation with management.
  • Reviewing critical control systems and risk management processes.
  • Performing continuous reviews and evaluation on the effectiveness of management’s risk assessments and internal controls.
  • Providing advice in the design and improvement of control systems and risk mitigation strategies.
  • Implementing a risk-based approach to planning and executing compliance processes to ensure that resources are directed at those areas most important to the organization.
  • Challenging the basis of management’s risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies.

Slide 9. Non-US BridgeMark SOX Compliance Projects
  • Examples of Financial and IT experience of off-shore and foreign location SOX Compliance Projects: UK, Scotland, Israel, Thailand, Japan, Korea, Mexico, Panama, Brazil, Argentina, Dominican Republic, France, Germany, Belgium, Italy

Slide 10. COSO Components
  • Control Environment
    • Sets “tone at the top”
    • Foundation for all other components of control
    • Integrity, ethical values, competence, authority, responsibility
  • Risk Assessment
    • Identify and analyze relevant risks to achieving the entity’s objectives
  • Control Activities
    • Policies that ensure management directives are carried out
    • Approval and authorizations, verifications, evaluations, safeguarding of assets, security and segregation of duties
  • Information and Communication
    • Relevant information identified, captured and communicated timely
    • Access to internally and externally generated information
    • Information flow allows for management action
  • Monitoring
    • Assess control system performance over time
    • Ongoing and separate evaluations
    • Management and supervisory activities

Slide 11. The COSO ERM Framework
  • Entity objectives can be viewed in the context of four categories:
  • ERM considers activities at all levels of the organization:
    • Enterprise-level
    • Division or subsidiary
    • Business unit processes
  • The eight components of the Framework are interrelated …

Slide 12. Compliance & Information Technology Governance
  • Building a strong internal control program:
    • Enhances overall IT governance.
    • Enhances the understanding and importance of IT among executives.
    • Improves business decisions with high-quality, more timely information.
    • Aligns project initiatives with business requirements.
    • Prevents loss of intellectual assets.
    • Minimizes the possibility of a system breach.
    • Gains competitive advantages through more efficient and effective operations and processing integrity.
    • Enhances risk management competencies.
    • Enhances prioritization of initiatives.

Slide 13. Relationship to Internal Control - Integrated Framework
  • A strong system of internal control is essential to effective enterprise risk management:
    • Expands and elaborates on elements of internal control as set out in COSO’s control framework.
    • Includes objective setting as a separate component. Objectives are a prerequisite for internal control.
    • Expands the control framework’s “Financial Reporting” and “Risk Assessment.”

Slide 14. Our Approach to SOX Compliance
BridgeMark’s comprehensive approach is designed to help companies meet the requirements under Section 404 of the Sarbanes-Oxley Act. Engagement Management spans four phases: Phase I, Organize and Plan Project; Phase II, Corporate-Level Control Assessment; Phase III, Process-Level Control Assessment; Phase IV, Testing, Reporting & Continuous Monitoring.
  • Phase I Deliverables:
    • Project team organizational chart
    • Project team roles and responsibility matrix
    • Preliminary significant accounts and process matrix
    • Project plan (includes project timeline, responsibilities and milestones)
  • Phase II Deliverables:
    • Documentation of general controls over key technology systems
    • Corporate-level control assessment and recommendations for improvement
    • Final significant accounts, processes and transaction stream matrix
    • Updated project plan
  • Phase III Deliverables:
    • Process maps for significant processes
    • Matrix of all key risks and related control points
    • Assessment of the design of controls and recommendations for improvement
  • Phase IV Deliverables:
    • Summary of critical findings
    • Updated control matrix reflecting procedures performed, results of such procedures and assessment of risks
    • Documentation of all detailed testing

Slide 15. Key Process Derivation & Financial Statement Coverage
  • Determine Significant Accounts at the Financial Statement Level.
  • Map General Ledger Accounts to Significant Processes.
  • Determine Material Reporting Units (PCAOB Release No. 2003-17).
  • Map Processes and Sub-processes to Material Reporting Units - significant account balances.

Slide 16. General and Application Controls

Slide 17. General and Application Controls
  • Designed to ensure financial information generated from the Company’s application systems can be relied upon via:
    • Data Center operations controls
    • Access security controls
    • Application systems development and information infrastructure implementation and maintenance controls
  • Support the functioning of application controls to help ensure accurate information processing and the integrity of the resulting information used to manage.

Slide 18. Assessing IT Controls

Slide 19. IT Audit Structure and Controls
(diagram; labels recovered from the slide:) Audit Committee Interface; Methodologies; Assessment Frequency; Risk Control Matrices; Monitoring and Techniques; Baseline Controls; Risk Response; Risk Analysis; Based on Risk; Audit Management; Governance; Roles and Responsibilities; Legislation and Regulation; Competitive Advantage; Reliability and Effectiveness; Importance of IT Controls; Information Security; Preventative, Detective, Corrective; General / Application; Governance, Management, Technical; Understanding IT Controls; Assess IT Controls

Slide 20. On-Going Compliance / Continuous Monitoring
(diagram; labels recovered from the slide:) Senior Management; External Auditor; Board of Directors; Effective Governance; BridgeMark

Slide 21. Visit us in Booth 21 and Contact Us
  • Financial / Operations / Sales
    • Steven Greenstein, Sr. Customer Relationship Director, 212.885.8074, [email_address]
    • Rudy Kiste, Engagement Manager, 212.885.8400 x:5261, [email_address]
  • Information Technology
    • David Smokler, Director, 212.885.8077, [email_address]
    • Lily Shue, Senior Manager, 201.788.2323, [email_address]

Slide 22. Sarbanes-Oxley, Some Key Provisions (Appendix A)
  • Sarbanes-Oxley Act of 2002
    • Expands reporting requirements and accountabilities – requires CEO and CFO attestations/filing of internal control reports with annual report (Sections 302 & 404).
    • External auditors will be required to attest to and report on management’s assessment in the internal controls report (Section 404).
    • Disclose to public on a “rapid and current basis” material changes to financial condition or results of operations (Section 409).
    • Empowers audit committees (Section 407).
    • Requires disclosure regarding code of ethics (Section 406).
    • Creates new oversight for external auditors, mandates audit partner rotation and establishes audit firm rotation study (Sections 203 & 303).
    • Increases civil and criminal penalties.

Slide 23. General Controls (Appendix B)
  • Administration - planning and controlling IT activities
  • Logical Security Controls - access control
  • Accounting Systems Development - application system development life cycle
  • Accounting Systems Change Management - change control and authorization
  • Packaged Software Evaluation - maintenance of software packages
  • System Software - development and maintenance of infrastructure support software
  • Data Center/Network Operations - backup, recovery and contingency planning, job scheduling, performance and monitoring

Slide 24. Application Controls (Appendix C)
  • Controls embedded within software programs to prevent or detect unauthorized transactions.
  • Controls that ensure the completeness, accuracy and validity of processing transactions.
  • Examples of application controls:
    • Balancing control activity within the system
    • Check digits
    • Predefined data listings
    • Data reasonableness tests
    • Logic tests, range limits, etc.
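The application-control types listed in Appendix C, worked into one journal-entry validator as an added example (not code from the deck or from BridgeMark). The mod-10 (Luhn) check-digit scheme, the GL account list, the amount limit, the reasonableness factor and the sample entry are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Predefined data listing: the only GL accounts a line may post to (constructed).
VALID_GL_ACCOUNTS = {"1000", "2000", "4000", "5000"}
AMOUNT_LIMIT = 50_000.00        # range limit per line (assumed policy value)
REASONABLENESS_FACTOR = 5.0     # flag a line above 5x the account's typical amount (assumed)
TYPICAL_AMOUNT = {"1000": 2_000.0, "2000": 2_000.0, "4000": 8_000.0, "5000": 3_000.0}


@dataclass
class JournalLine:
    vendor_id: str      # digits only; the last digit is a mod-10 (Luhn) check digit
    gl_account: str
    debit: float
    credit: float


def luhn_valid(number: str) -> bool:
    """Check-digit control: the whole identifier must satisfy the mod-10 (Luhn) test."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_line(line: JournalLine) -> list:
    """Per-line controls; returns the names of the controls that failed (empty = pass)."""
    failures = []
    if not luhn_valid(line.vendor_id):
        failures.append("check_digit")
    if line.gl_account not in VALID_GL_ACCOUNTS:
        failures.append("predefined_listing")
    amount = line.debit or line.credit
    if amount <= 0 or amount > AMOUNT_LIMIT:
        failures.append("range_limit")
    if line.debit and line.credit:              # logic test: one side per line, not both
        failures.append("logic_test")
    typical = TYPICAL_AMOUNT.get(line.gl_account)
    if typical and amount > REASONABLENESS_FACTOR * typical:
        failures.append("reasonableness")
    return failures


def validate_entry(lines: list) -> dict:
    """Balancing control across the entry (debits == credits) plus the per-line checks."""
    result = {"lines": [validate_line(l) for l in lines], "entry": []}
    if round(sum(l.debit for l in lines) - sum(l.credit for l in lines), 2) != 0:
        result["entry"].append("balancing")
    return result


# Constructed sample: a balanced two-line entry with valid check digits.
SAMPLE_ENTRY = [JournalLine("79927398713", "5000", 1500.0, 0.0),
                JournalLine("79927398713", "2000", 0.0, 1500.0)]

if __name__ == "__main__":
    print(validate_entry(SAMPLE_ENTRY))
```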