IT Compliance with SOX: Dan Schroeder
Transcript of "IT Compliance with SOX: Dan Schroeder"

Slide 1. Sarbanes-Oxley Act of 2002: IT Compliance Road Map
Dan Schroeder, Director, Business Process and Technology Management

Slide 2. SOA IT Controls Compliance Road Map

Slide 3. Compliance Road Map: Step 1. Scoping and Planning
- Determine where technology supports the financial reporting process:
  - Identify where systems support initiation, recording, processing, and reporting of financial information.
- PCAOB guidance as to relevant process and control activities:
  - Application / process controls over initiating, recording, processing, and reporting significant accounts and disclosures.
  - Antifraud programs and controls.
  - IT General Controls.
  - Controls over significant non-routine and nonsystematic transactions.
  - Controls over the period-end financial reporting process, including controls over the procedures used to enter transaction totals into the GL and to record adjustments.

Slide 4. Step 1 Example Deliverable: Mapping of Business Processes, Supporting Application, 3rd Parties and Process Owner

Slide 5. Compliance Road Map: Step 2. Risk Assessment
- Start with the scope determined in Step 1.
- Consider the "likelihood" of a potential risk event occurring and the "impact" of the event (i.e., materiality).
- Risk considerations:
  - Quality and integrity of information
  - Access and authorization controls
  - Availability and timeliness of information
  - Continuity and recoverability
- Service organization effect: consider the potential enterprise impact from internal and external service organizations.
- The deliverable for Step 2 is a Risk Assessment Matrix that identifies and prioritizes risks across key business processes, showing their relationships to IT General and Application Controls.

Slide 6. Risk Assessment – Example Report

Slide 7. Compliance Road Map: Step 3. Controls Definition and Documentation
- Leverage leading standards such as COSO and IT Controls for SOA to determine control requirements:
  - General Controls include operations and management, infrastructure, security, acquisition and maintenance, oversight and monitoring.
  - Application Controls include activities related to ensuring completeness, accuracy, authorization, availability, and validity of transactions.
- SOA documentation requirements are expected to represent a significant challenge for most organizations.
  - Inadequate documentation by management can represent a deficiency in internal control over financial reporting.
  - Management should discuss the proposed extent and detail of their control documentation with their external auditors early in the process to reduce the potential that documentation will be deficient.

Slide 8. PCAOB Documentation Guidelines, October 7, 2003 Briefing Paper
- "Documentation is important to effective functioning of internal control and to the auditor's internal control audit…"; this includes documentation about:
  - the design of controls;
  - how the controls are supposed to operate;
  - the objectives they are designed to achieve;
  - the necessary qualifications of the people performing the control for the control to function effectively.
- Documentation should be sufficient for the external auditor to review the design and test the effectiveness of a control.
- No one form of documentation is required, and the extent of documentation will vary depending on the size, nature and complexity of the company.

Slide 9. Potential Documentation Requirements
- Entity / General Level:
  - Strategic IT Planning
  - Policy Manuals
  - IT Security Policy
  - Business Continuity Planning / Disaster Recovery Planning
  - IT Architecture, Data Dictionary
  - System Development Life Cycle
  - Change Management
  - IT Operations Management
  - IT Organization and Responsibilities
  - Problem and Incident Management
- Process / Application Level:
  - Process descriptions / flowcharts
  - Risk and Control Matrices
  - System / application schematics
  - Access Controls
  - Data Relationships and Database designs
  - System user documentation
  - Job Descriptions

Slide 10. SOA IT Controls Compliance Road Map

Slide 11. Compliance Road Map: Step 4. Effectiveness Assessment
- Substantive testing of the operational effectiveness of the required controls. Determine if:
  - Controls are operational.
  - Controls are functioning as designed.
  - Personnel are trained and knowledgeable.
- Document and assess the level of each control weakness, from inconsequential to material weakness.
- Determining whether a weakness is significant or material requires professional judgment and the consideration of various factors such as:
  - Size of the operation
  - Complexity and diversity of activities
  - Organizational structure
  - Likelihood that the IT control weakness could result in a material misstatement of the financial records

Slide 12. Compliance Road Map: Step 5. Remediation
- Prioritized approach to resolving control weaknesses.
- Types of remediation required:
  - Documentation
  - Procedures
  - Personnel / organization changes
  - Training
  - Process / method development (e.g., BCP, SDLC)
  - System Enhancements:
    - E-Mail / records management
    - Integration
    - Validations
    - Business Intelligence / Corporate Performance Management

Slide 13. Compliance Road Map: Ongoing Monitoring and Sustainability
- Take steps to institutionalize awareness and understanding of IT control requirements:
  - Training and education
  - Organizational structure
  - Job responsibilities
  - Service Level Agreements
  - Performance measurement
  - Internal Quality Management Program
- Conduct ongoing monitoring and review of:
  - Remediation
  - Business changes
  - Ongoing compliance

Slide 14. Common IT Compliance Challenges
- Organizational: IT Controls not treated as a process
  - Management ownership and roles
  - Deployment – internally and to service providers
  - Ability to monitor / sustain
- System Development Life Cycle (SDLC) process
- Business Continuity Planning as a process
- Latency:
  - Lack of infrastructure and processes for timely disclosure and reporting
- Documentation

Slide 15. Summary of SOA Impact to IT Management
- Cultural impact: "control" mentality versus "project" mentality
- Enhances the need for enterprise-wide IT leadership and a strong IT Governance framework.
- Enhanced need for "real-time" disclosure reporting, e.g., Enterprise Performance Management.
- Enhances the need for integration.
- Increased awareness of service provider related control dependencies.
- Document management and retention.

Slide 16. Next Steps include:
- Promote understanding and awareness
- Establish an internal compliance roadmap
  - Define responsibilities and an action plan
- Synchronize with the existing Quality Management Program
- Monitor developments in standards and guidelines:
  - PCAOB Standards
  - ITGI IT Control Standards
  - SEC approval of PCAOB Audit Standard #2

Slide 17. Questions or additional information?
Dan Schroeder, Director, Business Process and Technology Management, 732.287-1000 x 278, [email_address]