IT Compliance with SOX: Dan Schroeder
    Presentation Transcript

    • Sarbanes Oxley Act of 2002 IT Compliance Road Map Dan Schroeder Director, Business Process and Technology Management
    • SOA IT Controls Compliance Road Map
    • Compliance Road Map: Step 1. Scoping and Planning
      • Determine where technology supports financial reporting process:
        • Identify where systems support the initiation, recording, processing, and reporting of financial information.
      • PCAOB Guidance as to relevant process and controls activities:
        • Application / process controls over initiating, recording, processing, and reporting significant accounts and disclosures.
        • Antifraud programs and controls.
        • IT General Controls.
        • Controls over significant non-routine and nonsystematic transactions.
        • Controls over period-end financial reporting process, including controls over procedures used to enter transaction totals into the GL and to record adjustments.
    • Step 1 Example Deliverable: Mapping of Business Processes, Supporting Applications, 3rd Parties and Process Owners
    • Compliance Road Map: Step 2. Risk Assessment
      • Start with the scope determined in Step 1.
      • Consider the “likelihood” of a potential risk event occurring and the “impact” of the event (i.e., materiality).
      • Risk considerations:
        • Quality and integrity of information
        • Access and authorization controls
        • Availability and timeliness of information
        • Continuity and recoverability.
      • Service organization effect: consider the potential enterprise impact from internal and external service organizations.
      • The deliverable for Step 2 is a Risk Assessment Matrix that identifies and prioritizes risks across key business processes, showing their relationships to IT General and Application Controls.
    • Risk Assessment – Example Report
    • Compliance Road Map: Step 3. Controls Definition and Documentation
      • Leverage leading standards such as COSO, and IT Controls for SOA to determine control requirements:
        • General Controls include operations and management, infrastructure, security, acquisition and maintenance, oversight and monitoring.
        • Application Controls include activities related to ensuring completeness, accuracy, authorization, availability, and validity of transactions.
      • SOA documentation requirements are expected to represent a significant challenge for most organizations.
        • Inadequate documentation by management can represent a deficiency in internal control over financial reporting.
        • Management should discuss the proposed extent and detail of their control documentation with their external auditors early in the process to reduce the potential that documentation will be deficient.
    • PCAOB Documentation Guidelines October 7, 2003 Briefing Paper
      • Documentation is important to effective functioning of internal control and to the auditor’s internal control audit…this includes documentation about:
        • the design of controls,
        • how the controls are supposed to operate;
        • the objectives they are designed to achieve;
        • the necessary qualifications of the people performing the control for the control to function effectively.
      • Documentation should be sufficient for the external auditor to review the design and test the effectiveness of a control.
      • No one form of documentation is required and the extent of documentation will vary depending on the size, nature and complexity of the company.
    • Potential Documentation Requirements
      • Entity / General Level:
        • Strategic IT Planning
        • Policy Manuals
        • IT Security Policy
        • Business Continuity Planning / Disaster Recovery Planning
        • IT Architecture, Data Dictionary
        • System Development Life Cycle
        • Change Management
        • IT Operations Management
        • IT Organization and Responsibilities
        • Problem and Incident Management
      • Process / Application Level:
        • Process description / flowcharts
        • Risk and Control Matrices
        • System / application schematics
        • Access Controls
        • Data Relationships and Database designs
        • System user documentation
        • Job Descriptions
    • SOA IT Controls Compliance Road Map
    • Compliance Road Map: Step 4. Effectiveness Assessment
      • Substantive testing of the operational effectiveness of the required controls. Determine whether:
        • Controls are operational.
        • Controls are functioning as designed.
        • Personnel are trained and knowledgeable.
      • Document and assess the level of each control weakness, from Inconsequential to Material Weakness.
      • Determining whether a weakness is significant or material requires professional judgment and the consideration of various factors such as:
        • Size of the operation
        • Complexity and diversity of activities
        • Organizational structure
        • Likelihood that the IT Control weakness could result in a material misstatement of the financial records
    • Compliance Road Map: Step 5. Remediation
      • Prioritized approach to resolving control weaknesses.
      • Types of remediation required:
        • Documentation
        • Procedures
        • Personnel / organization changes
        • Training
        • Process / method development (e.g., BCP, SDLC)
        • System Enhancements:
          • E-Mail / records management
          • Integration
          • Validations
          • Business Intelligence / Corporate Performance Management
    • Compliance Road Map: Ongoing Monitoring and Sustainability
      • Take steps to institutionalize awareness and understanding of IT control requirements:
        • Training and education
        • Organizational Structure
        • Job Responsibilities
        • Service Level Agreements
        • Performance Measurement
        • Internal Quality Management Program
      • Conduct ongoing monitoring and review:
        • Remediation
        • Business Changes
        • Ongoing compliance
    • Common IT Compliance Challenges
      • Organizational: IT Controls are not treated as a process
        • Management ownership and roles
        • Deployment – internally and to service providers
        • Ability to monitor / sustain
      • System Development Life Cycle (SDLC) Process
      • Business Continuity Planning as a Process
      • Latency:
        • Lack of infrastructure and processes for timely disclosure and reporting
      • Documentation
    • Summary of SOA Impact to IT Management
      • Cultural impact: “control” mentality versus “project” mentality
      • Enhances need for enterprise-wide IT leadership and strong IT Governance framework.
      • Enhanced need for “real-time” disclosure reporting; e.g., Enterprise Performance Management.
      • Enhances need for integration.
      • Increased awareness of service provider related control dependencies.
      • Document management and retention.
    • Next Steps include:
      • Promote understanding and awareness
      • Establish internal compliance roadmap
        • Define responsibilities, action plan
      • Synchronize with existing Quality Management Program
      • Monitor developments in standards and guidelines:
        • PCAOB Standards.
        • ITGI IT Control Standards.
        • SEC Approval of PCAOB Audit Standard #2
    • Questions or additional information? Dan Schroeder, Director, Business Process and Technology Management, 732.287-1000 x 278, [email_address]