Managing IT in the real world
  • In 2002 the Sarbanes-Oxley Act was signed into law. It mandates more stringent controls on financial reporting for public companies. There’s been quite a bit written about Sarbanes over the past couple of years – particularly about its impact on IT. The purpose of this presentation is to educate you on what SOX means to IT and to introduce you to Ecora, our products, and show you how Ecora products can help you achieve SOX IT compliance.
  • Lots has been written about COSO – however, it’s actually a fairly intuitive and logical approach to project management.
    • Control Environment – sets the tone of an organization, influencing the way people understand and contribute to the control process. It is the foundation for all other components of internal control, providing discipline and structure.
    • Risk Assessment – involves identification and analysis by management – not the internal auditor – of relevant risks to achieving objectives. Brings business sensibility and responsibility to the process.
    • Control Activities – policies, procedures and practices that ensure management objectives are achieved and risk mitigation strategies are carried out – this is where IT plays a central role.
    • Information and Communication – supports all other control components by communicating control responsibilities to employees and providing information in a form and timeframe that allows people to carry out their duties.
    • Monitoring – just what the name implies – consists of processes that assess the quality of internal control performance over time. It covers external oversight of internal controls by managing/mentoring other parties outside the process, or the application of independent methodologies, like customized procedures or standard checklists, by employees within a process.
  • When you dig into control activities, the COSO framework breaks information system control activities into two groups. Application Controls – these are internal to an application, such as passwords and other internal security features that protect a specific application. Then there are general controls – these are the controls that apply to all information systems. They provide continuous and ongoing protection of the infrastructure – they are the foundation for all other IT controls, and that’s where Ecora plays a strong role.
  • *SCFP – statement of change in financial position As you can see by this diagram – General controls are a foundation for all other IT controls – this makes sense because if you neglect infrastructure security and access you undermine any other control scheme you put into play.
  • Let’s recap. Sarbanes-Oxley requires creation and assessment of internal control for financial reporting. Those internal controls must be defined by the company – which by the way has some latitude in their definition – and they must be audited. Auditors ask broad questions about access. Although this is changing – today 10% of internal controls are IT. That’s expected to rise to 25% in the next two years. Ecora Enterprise Auditor collects and reports on a wide range of IT infrastructure configuration data which can be used in SOX compliance. Let’s look at some concrete examples of IT internal controls and the auditor reports that support them.
  • Another way to look at it is that we help validate the multiple layers surrounding your financial systems. Each ring or layer needs its own set of internal controls, tests, and documentation to show that you are complying with Sarbanes-Oxley.
  • I’m introducing Ecora here because I’m going to show you some concrete examples of internal controls from one of our clients. Ecora Enterprise Auditor gives you an out-of-the-box solution that reports on a significant portion of your infrastructure. We map pretty well to the COSO general control standard. We cover the major OSs, databases, and infrastructure applications. Our reporting and documentation capability can be used for a solid SOX foundation. The next series of slides show actual controls used by a recent SOX client.
  • Before we begin I’d like to make one thing clear – we are not a Sarbanes-Oxley silver bullet. None – to my knowledge – exists. Ecora Enterprise Auditor, however, can play a substantial role in defining controls – and more importantly – giving you audit-ready reports that prove you are complying with those internal controls. And as we’ll see, Internal Controls are central to Sarbanes-Oxley.
Transcript of "Managing IT in the real world"

1. A Practical IT Approach To Sarbanes-Oxley Compliance

2. Ecora and Sarbanes-Oxley Compliance
  • Agenda
    • Sarbanes-Oxley -- What is It?
    • Some Definitions
    • Where are companies in compliance effort?
    • Why should I care?
    • Why a Framework?
    • COSO
      • COSO IT Controls
      • IT General Controls
    • Example of compliance work with a customer
    • Summary

3. Sarbanes-Oxley – What is it?
  • Federal law that imposes strict new financial reporting requirements for publicly traded companies.
  • Places burden on management to devise safeguards around the financial reporting process
  • Specifically identifies IT as a key component of process and audit activity

4. Sarbanes-Oxley – Definitions
  • Section 302 – Quarterly and annual reporting – set up internal controls. CEO and CFO own it.
  • Section 404 – Management Assessment of Internal Controls
    • Annual evaluation of internal controls
    • Quarterly filing of material changes to internal controls
    • Independent audit of internal controls
    • Recognized control framework required for assessment

5. Sarbanes-Oxley – Definitions
  • PCAOB – Public Company Accounting Oversight Board – established to oversee audits…
  • Audit Standard No. 2 -- 200 page document defines SOX auditing standards
  • COSO -- Committee of Sponsoring Organizations of the Treadway Commission – Internal Control – Integrated Framework, PCAOB referenced framework
  • CobIT – Control Objectives for Information and Related Technology – another well known framework
  • Internal Control – A process designed….to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles…. (SEC Definition)

6. Sarbanes-Oxley – Definitions
  • Internal Control (cont.) – Internal control is not “one-size-fits-all,” and the nature and extent of controls that are necessary depend, to a great extent, on the size and complexity of the company. PCAOB Auditing Standard No. 2
  • Control Deficiency – exists when design or operation of a control does not allow management or employees …to prevent or detect misstatements on a timely basis.
  • Significant Deficiency – control deficiency (or combination of CDs) that adversely affects company’s ability to initiate, authorize, record, process, or report external financial data reliably
  • Material Weakness – significant deficiency (or combination of SDs) that results in more than remote likelihood that a material misstatement of annual or interim financial statements will not be prevented or detected
7. Where are companies in the process? (phases: Plan, Document, Test, Report)
  • Two Groups
  • < $75M Market Cap – 11/15/04
    • 64% Testing
    • 34% Documentation
    • 2% Reporting
  • > $75M Market Cap – 7/15/05
    • 60% Testing
    • 34% Documentation
    • 3% Reporting
    • 3% Planning
  • Ernst & Young 2004

8. Sarbanes-Oxley – Why should I care?
  • SOX is changing IT
    • No more IT closed “black box”
    • Auditors – with technical expertise -- are now looking closely at IT
    • E&Y projects that next year IT portion of SOX audit will grow from 10% to 25%.

9. Sarbanes-Oxley – Why should I care?
  • IT an integral part of the financial reporting and control process
    • Management’s heavy dependency on IT
      • High degree of automation in processing day to day transactions
      • IT data elements are the primary source of data used in decision-making
      • IT availability / integrity critical to the financial statement close and reporting processes

10. Why a Framework?
  • 1. SOX Mandate -- Assessment of effectiveness requires “..suitable, recognized control framework...”
    • Must be identified in annual report
    • COSO is specifically referenced by PCAOB and forms foundation of its Auditing Standard No. 2.
  • 2. It makes sense
    • Provides structure
    • Identifies functional areas of focus

11. COSO Framework
  • A common sense approach to implementing internal controls
  • Diagram components: Monitoring; Information and Communication; Control Activities; Risk Assessment; Control Environment

12. COSO IT Controls
  • COSO identifies two broad groupings of information system control activities.
  • Control Activities split into Application Controls and General Controls
  • Application controls – apply to business processes and designed within applications to prevent/detect unauthorized transactions.
  • General Controls – apply to all information systems, support secure and continuous operation. They support all other controls

13. IT General Controls
  • IT general controls are foundation for all IT controls
  • Diagram, adapted from IT Control Objectives for Sarbanes-Oxley by the IT Governance Institute (labels: Application Controls, General Controls), layers from top to bottom:
    • Significant Accounts in Financial Statements – Balance Sheet, Income Statement, SCFP, Notes, Other
    • Business Processes / Transaction Classes – process boxes (labelled Process 1)
    • Financial Applications – Application X, Application Y, Application Z
    • IT Infrastructure Services – Database, Operating System, Network

14. IT General Controls
  IT General Controls are IT processes and related controls that are generally applied to support the computer application level. However, they may be performed on a single platform or application. IT general controls provide a focus for IT to identify, assess, and develop internal controls around defined areas of operation as they relate to financial controls. Tests for controls are specific activities or processes that demonstrate and document proof that the controls are real and in place. Remember -- the whole point of SOX is financial reporting – the objective is to provide documented proof that IT systems associated with financial reporting are locked down.
15. IT General Controls
  • Financial Reporting Data – your infrastructure figuratively surrounds your financial reporting data. You need controls at each level.
  • Layers, from the outside in: Network Access; System (OS) Access to System; System (OS) Access to Data; Database Access

16. How Ecora helps with IT General Controls
  • Ecora Auditor maps to IT general controls. We provide documented proof that you are complying with internal controls for IT systems that impact financial reporting.
  • Ecora Enterprise Auditor infrastructure coverage (IT Infrastructure Services – Database, Operating System, Network):
    • Operating System: Windows, Solaris, HP-UX, AIX, Red Hat Linux, Novell
    • Network: Cisco
    • Database: MS-SQL, Oracle
17. Client Example – Database Internal Controls
  • Internal Control: A process exists to review and confirm access rights.
  • Ecora Report for Test – Test of Internal Control:
    • Verify Function – Ensure Verify Function exists and is valid, to ensure user passwords are validated and strong password criteria are required
    • System Privileges – Set file system privileges to prevent unauthorized access to database server data files, log files, and backup files
    • Role Permissions & Memberships – Review role memberships and permissions to ensure appropriate access and privileges to databases
    • Login Password – Ensure all logins have passwords and not the default password
    • Authentication Mode – Ensure appropriate Authentication Mode is configured
    • DBA Accounts – Ensure each DBA has own account and no generic accounts are used to bypass the audit trail of DBA activity

18. Client Example – Database Internal Controls
  • Internal Control: Appropriate controls exist to review and manage remote network access
  • Ecora Report for Test – Test of Internal Control:
    • Public Links – Identify all public database links. Review and replace with private links as appropriate to restrict access to confidential data
    • External Servers – Audit and review list of linked and remote servers
    • Password Lifetime, Password Grace Period, Password Reuse Time, Failed Login Attempts, Password Lock Time – Prove adequate password validation is in place

19. Client Example – Database Internal Controls
  • Internal Control: Controls exist to ensure data is collected for tracking user activity
  • Ecora Report for Test – Test of Internal Control:
    • Initialization Parameters – Set Initialization Parameters to provide security and ensure database auditing is active
    • DB Owner – Audit and review DB owner for each database
    • Archive Log Mode – Enable Archive Log Mode to allow point-in-time recovery, to ensure data is not lost when recovering
    • Auditing Enabled – Enable audit events to provide an audit trail of user activity
20. Client Example – OS Internal Controls
  • Internal Control: A control process exists to review and confirm OS access rights.
  • Ecora Report for Test – Test for Internal Control:
    • User Access – Select a sample of terminated employees and determine if their access has been removed
    • Remote Access – Ensure systems are configured to restrict anonymous remote access to your systems.
    • NTFS Permissions – Audit and review system access permissions to sensitive files
    • User Privileges – Audit and review user privileges on each system

21. Client Example – OS Internal Controls
  • Internal Control: Procedures for protection against malicious programs are in place through the use of anti-virus and other software and measures
  • Ecora Report for Test – Test for Internal Control:
    • Computer without Anti-virus Installed – Ensure anti-virus software is installed on systems
    • Patch Levels – Ensure systems are updated with appropriate service packs and hotfixes

22. Client Example – OS Internal Controls
  • Internal Control: Procedures exist to maintain effectiveness of authentication and access mechanisms
  • Ecora Report for Test – Test for Internal Control:
    • SNMP – If using SNMP, ensure appropriate Community String(s) are defined to prevent unauthorized users from obtaining system status information
    • Admins Group Report – Audit and review list of local administrators to ensure only appropriate accounts have full admin privileges
    • Services Summary – Ensure all services are configured appropriately and that only required services are running, to protect the system from unauthorized access
    • Password Policy – Ensure strong password and account lockout policies are implemented.
    • Built-in Admin Renamed – Ensure the built-in local administrator account is renamed

23. Client Example – OS Internal Controls
  • Internal Control: IT administration ensures appropriate audit mechanisms are in place to allow detailed event tracking
  • Ecora Report for Test – Test for Internal Control:
    • Event Log – Ensure event log settings are configured to retain recorded events for an appropriate time and prevent guest access to logs
    • Audit Policy – Ensure a strong audit policy is configured so that an audit trail of events is recorded, providing an audit trail of user activity (e.g. account logon events, policy change, object access, process tracking, etc.)
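Each OS internal control on slides 20 through 23 is a pass/fail test of a configuration setting, backed by a report that serves as the auditor's evidence. The script below is an added example, not Ecora's code and not the client's, of how such tests can be run automatically over a collected configuration snapshot: the snapshot, the host name, the account and service names, and the policy thresholds are all constructed for illustration, and the control wording follows the slides.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed snapshot of one Windows host, shaped like the export a
# configuration-collection tool might produce. Host name and values are invented.
SNAPSHOT: Dict = {
    "host": "fin-app-01",
    "event_log": {"retention_days": 7, "guest_access_restricted": False},
    "audit_policy": {"account_logon": True, "policy_change": True,
                     "object_access": False, "process_tracking": True},
    "password_policy": {"min_length": 8, "lockout_threshold": 0, "max_age_days": 90},
    "builtin_admin_name": "fin-localadm",
    "local_admins": ["fin-localadm", "svc_backup"],
    "approved_admins": ["fin-localadm", "svc_backup"],
    "running_services": ["EventLog", "W32Time", "Telnet", "Spooler"],
    "required_services": ["EventLog", "W32Time", "Spooler"],
    "antivirus_installed": True,
    "local_accounts": ["fin-localadm", "svc_backup", "jsmith", "mjones"],
    "terminated_employees": ["mjones"],   # the HR sample from slide 20 (constructed)
}

# Assumed thresholds; a real company fixes these in its own control definitions.
MIN_RETENTION_DAYS = 90
MIN_PASSWORD_LENGTH = 8
MAX_LOCKOUT_THRESHOLD = 5      # Windows treats a lockout threshold of 0 as "never lock out"
REQUIRED_AUDIT_CATEGORIES = ("account_logon", "policy_change",
                             "object_access", "process_tracking")

@dataclass
class Finding:
    control: str    # the internal control (right-hand column of the slide)
    test: str       # the report / test of internal control used as evidence
    passed: bool
    evidence: str   # the setting values an auditor would want to see

def check_terminated_access(s: Dict) -> Tuple[bool, str]:
    """User Access: every terminated employee in the sample must have no account left."""
    still_active = sorted(set(s["terminated_employees"]) & set(s["local_accounts"]))
    return not still_active, "terminated users with accounts: " + (", ".join(still_active) or "none")

def check_admins_group(s: Dict) -> Tuple[bool, str]:
    """Admins Group Report: only approved accounts hold full admin privileges."""
    extra = sorted(set(s["local_admins"]) - set(s["approved_admins"]))
    return not extra, "unapproved local admins: " + (", ".join(extra) or "none")

def check_antivirus(s: Dict) -> Tuple[bool, str]:
    """Computer without Anti-virus Installed."""
    return s["antivirus_installed"], f"antivirus_installed={s['antivirus_installed']}"

def check_password_policy(s: Dict) -> Tuple[bool, str]:
    """Password Policy: minimum length and a lockout threshold that actually locks."""
    p = s["password_policy"]
    ok = p["min_length"] >= MIN_PASSWORD_LENGTH and 0 < p["lockout_threshold"] <= MAX_LOCKOUT_THRESHOLD
    return ok, f"min_length={p['min_length']} lockout_threshold={p['lockout_threshold']}"

def check_builtin_admin_renamed(s: Dict) -> Tuple[bool, str]:
    """Built-in Admin Renamed."""
    name = s["builtin_admin_name"]
    return name.lower() != "administrator", f"built-in admin account is named {name!r}"

def check_services(s: Dict) -> Tuple[bool, str]:
    """Services Summary: nothing beyond the required services is running."""
    extra = sorted(set(s["running_services"]) - set(s["required_services"]))
    return not extra, "running but not required: " + (", ".join(extra) or "none")

def check_event_log(s: Dict) -> Tuple[bool, str]:
    """Event Log: retention long enough and no guest access to the logs."""
    log = s["event_log"]
    ok = log["retention_days"] >= MIN_RETENTION_DAYS and log["guest_access_restricted"]
    return ok, f"retention_days={log['retention_days']} guest_access_restricted={log['guest_access_restricted']}"

def check_audit_policy(s: Dict) -> Tuple[bool, str]:
    """Audit Policy: every required audit category is enabled."""
    missing = [c for c in REQUIRED_AUDIT_CATEGORIES if not s["audit_policy"].get(c)]
    return not missing, "audit categories not enabled: " + (", ".join(missing) or "none")

ACCESS = "A control process exists to review and confirm OS access rights"
MALWARE = "Procedures for protection against malicious programs are in place"
AUTH = "Procedures exist to maintain effectiveness of authentication and access mechanisms"
AUDIT = "IT administration ensures appropriate audit mechanisms are in place"

# (internal control, test/report name, check) in slide order
TESTS: List[Tuple[str, str, Callable[[Dict], Tuple[bool, str]]]] = [
    (ACCESS, "User Access", check_terminated_access),
    (ACCESS, "Admins Group Report", check_admins_group),
    (MALWARE, "Anti-virus Installed", check_antivirus),
    (AUTH, "Password Policy", check_password_policy),
    (AUTH, "Built-in Admin Renamed", check_builtin_admin_renamed),
    (AUTH, "Services Summary", check_services),
    (AUDIT, "Event Log", check_event_log),
    (AUDIT, "Audit Policy", check_audit_policy),
]

def run_tests(snapshot: Dict, tests=TESTS) -> List[Finding]:
    return [Finding(control, test, *fn(snapshot)) for control, test, fn in tests]

def failed_tests(findings: List[Finding]) -> List[str]:
    return [f.test for f in findings if not f.passed]

def render_report(findings: List[Finding], host: str) -> str:
    """Audit-ready text: one PASS/FAIL line per test, with the evidence behind it."""
    lines = [f"Internal control test results for {host}"]
    for f in findings:
        lines.append(f"[{'PASS' if f.passed else 'FAIL'}] {f.test}: {f.evidence}")
        lines.append(f"       supports control: {f.control}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_report(run_tests(SNAPSHOT), SNAPSHOT["host"]))
```

Run against the constructed snapshot, the report passes the Admins Group, Anti-virus and Built-in Admin Renamed tests and fails User Access (a terminated employee still has an account), Password Policy (lockout threshold of 0), Services Summary (Telnet running), Event Log and Audit Policy. Keeping the evidence string in every finding, pass or fail, is what makes the output usable as the documented proof slide 14 asks for; a bare pass/fail list would not show an auditor which setting was actually examined.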
24. Summary
  • Sarbanes-Oxley is here to stay – annual and quarterly
  • Internal controls defined by each company
  • IT will bear an increasing burden of SOX compliance
  • A framework can be a guide
  • IT general controls are the foundation of all controls
  • Sustainability is a requirement
  • Automation tools will make your job easier

25. And now a word from our sponsor… Ecora Software, Inc. and Enterprise Auditor
  • Enterprise Auditor automates the collection of configuration data from the major infrastructure applications, databases, OSs, and network components and delivers audit-ready reports.
  • Ecora’s Enterprise Auditor forms the foundation for Sarbanes-Oxley IT internal controls. It gives you a platform for, and proof of compliance with, IT internal controls.
  • Solution Express combines Enterprise Auditor and an Ecora Systems Engineer (no charge) to get your IT Sarbanes-Oxley compliance effort on a fast track.