The Sane Solution To Sox Costs

Role of automation in good corporate governance.

Published in: Business, Technology
  1. The Sane Solution to Sarbanes-Oxley Costs
     Dwayne E. Jorgensen, CIA, CFE
     Consultant, Sarbanes-Oxley Services & IT Governance
     PROPRIETARY CONFIDENTIAL
  2. Who’s Watching the Store?

     | Role | Responsibility | Frequency: COSO | Frequency: SOX 302 | Frequency: SOX 404 |
     |---|---|---|---|---|
     | Management | Owner of internal controls and ongoing monitoring | Ongoing | Quarterly | Annually |
     | Internal auditors | Validators independent of management, but part of company | Periodically | Quarterly | Annually |
     | External auditors | Validators independent of company | Annually | Quarterly | Annually |

  3. Cost of SOX Implementation
     • 2005 SOX expenditure by US firms: $6 Billion
       • Internal expenses: $2 Billion
       • Hardware/Software: $2 Billion
       • Consulting: $2 Billion
     • 2006, 2007, etc.: ???
     Source: Gartner
  4. So What’s a Corporation to Do?
     Continuous monitoring (CM) offers the only practical, cost-effective solution.
     • Build a system that provides a perpetual inventory of governance
     • Leverage IT to maximize automation and reduce staffing loads
  5. Proposed CM Solution Pyramid
     • Oversight Component: “Tone at the top”: Executive buy-in, “spirit” vs. “letter”
     • Planning Component: SOX methodology: Assess, document, test, report
     • Co-sourcing component? Independent IT test services
     • Software Component: Various vendor process automation products. Ex.: Documentum®, Movaris OneClose®, ACL CCM®
     • Hardware/Data Integrity Component: EMC: Centera®, Proofspace encryption, record management automation
  6. CM Solution Requirements
     [Diagram: the COSO components (Monitoring, Information & Communication, Control Activities, Risk Assessment, Control Environment) shown against the tool or process needed (examples only: One Close®, Documentum®, ACL CCM/One Close®, Organizational Consulting) and the resources needed: Technology (HW/SW) and People (staff, mgmt.)]
  7. Key Recommendation
     • Validate methodology through execution on a pilot process (assess, document, and test)
     • Remediate consistently and constantly
     • Work with external auditor to ensure approach is satisfactory via a full trial on a key process before rollout
  8. Internal Control Maturity Model
     Stages: Initial, Repeatable, Defined, Managed, Optimizing
     • Initial: Control structure is not defined. Control occurs incidentally.
     • Repeatable: Control structure is not defined, but control processes may occur based on past success and management oversight.
     • Defined: Control structure is documented, standardized and integrated into control processes for the organization.
     • Managed: The control process is regularly assessed and tested. Detailed measures of the control process are collected and reported.
     • Optimizing: Continuous process improvement is enabled by quantitative feedback from the control process.
     Predictability, effectiveness and efficiency of an organization's internal controls improve as the organization moves through these five stages.
  9. COSO-Driven Methodology: Assess
     Phases: ASSESS (current), DOCUMENT, TEST, REPORT; Remediate
     Ongoing coordination between management, external auditor, and consultant
     Steps: Form team; Perform risk assessment; Confirm results; Develop work plan
     Process:
     • Define overall SO requirements
     • Identify and form team
     • Partner with external audit firm
     • Confirm audit universe
     • Define risk weighting
     • Conduct assessment
     • Analyze assessment results
     • Confirm risk rankings
     • Map to knowledge base of mitigating practices
     • Present findings to management
     • Develop plan for documentation phase
     • Review plan with external auditor, management
     Outcomes:
     • Management support
     • Internal champion
     • Trained team
     • Consensus on objectives
     • Risk-ranked universe
     • The plan
  10. COSO-Driven Methodology: Document
     Phases: ASSESS, DOCUMENT (current), TEST, REPORT; Remediate
     Ongoing coordination between management, external auditor, and consultant
     Steps: COSO alignment; Document control activities; Improve controls; Define monitoring process
     Process:
     • Define target maturity level by process
     • Assess COSO maturity by process
     • Identify where improvements are needed
     • Define control objectives
     • Determine tool approach
     • Map assessment to objectives and identify gaps
     • Develop plan to address gaps with control changes
     • Assess and implement changes in controls
     • Test new processes and train users
     • Confirm the role of the internal audit department
     • Assess current monitoring environment
     • Implement monitoring process
     Outcomes:
     • COSO maturity ranking
     • Consensus on end state
     • Improved controls environment
     • Ongoing monitoring
     • Documented controls
  11. COSO-Driven Methodology: Test
     Phases: ASSESS, DOCUMENT, TEST (current), REPORT; Remediate
     Ongoing coordination between management, external auditor, and consultant
     Steps: Management controls monitoring; Independent internal audit testing; Material weakness plan; Ongoing report process
     Process:
     • Educate management on controls
     • Develop framework for management monitoring
     • Facilitate management monitoring of controls
     • Develop framework for independent monitoring
     • Facilitate independent monitoring of controls
     • Identify weaknesses from management test
     • Develop action plan for weaknesses
     • Reiterate if necessary
     • Implement process for ongoing quarterly reports
     • Define process for development of IC report
     • Partner with external auditor on report requirements
     Outcomes:
     • Management control monitoring
     • Independent monitoring
     • Management reporting process
     • Ongoing reporting
  12. COSO-Driven Methodology: Report
     Phases: ASSESS, DOCUMENT, TEST, REPORT (current); Remediate
     Ongoing coordination between management, external auditor, and consultant
     Steps: Management report; External audit; External control testing; External auditor assertion
     Process:
     • Management reports on role in controls
     • Management reports on testing process
     • Management delivers final controls report
     • External audit commences
     • External auditor tests controls per requirements
     • External auditor reviews management report
     • External auditor issues final report
     • External auditor issues final assertion
     Outcomes:
     • Management report
     • External audit report
     • External assertion
  13. Benefits/ROI
     • ROIs are easily calculated, by the determination of FTE reduction due to PCAOB’s Standard II regarding the testing of automated controls once, versus reiterative testing necessary for manual controls.
     • Secondary benefit, especially in the ability to store the results of continuous monitoring in an authenticated, digital format, should have a significant impact on future third-party litigation revolving around alleged misconduct by management, in proving the validity of the effectiveness of key control activities.
  14. Questions?
  15. Thank You!
  16. Contact Information
     Dwayne E. Jorgensen, CIA, CFE
     Consultant
     1851 Baltusrol Trail
     Duluth, GA 30097
     Office: 678/957-0838
     Mobile: 770/789-7581
     E-mail: ddawg1960@charter.net
