Tami FlowersKCDC - May 3, 2013
PLATINUM SPONSORSGOLD SPONSORSSILVER SPONSORS
 I worked for a company with these words in it’sname:• Federal• Home loan• Bank That meant we had to consider• Sarbanes ...
What do COBIT and SOx say?Ok, so what does that mean?Where to startWhat to do on a projectTips and lessons learned
In all, 12 IT control objectives, which align to the Public Company Accounting Oversight Board(PCAOB) Auditing Standard No...
 From the April 2004 issuance of IT Control Objectives for Sarbanes-Oxley:“The work required to meet the requirements of ...
 Some of the important areas of responsibility for IT include:• Understanding the organization’s internal control program...
Controls, not the HOW or the process, isthe focus.As long as your process can show• the controls,• that the controls are...
Feasibility InitiationReleasePlanningIterate Close Out
Feasibility Initiation/Planning Iterate Close OutPrioritization ofRequestsCOBITSOxApprovalsCOBITChange ManagementApprovals...
Use your SDLC to define your projectprocess and deliverables.Ensure those deliverables are created foreach project.Make...
One size of Agile may not be right for alltypes of projects and teams.• For large longer-term projects, daily standups,re...
 Consider adding different Service Levels, withincreasing types of deliverables, based onproject characteristics.• For in...
 Identify SOX controls up-front during the earlystages of project planning. When creating test scripts, explicitly ident...
 Stay tool-agnostic. Don’t tie yourself tospecific tools when documenting yourprocesses. Keep developmentenvironments, bu...
 Your SDLC should guide your deliverables. Keep itupdated and “fresh”. Consider updating and trainingannually. Focus on ...
Twitter: TamiLFlowersLinkedInThanks!
Upcoming SlideShare
Loading in …5
×

Agile in a highly regulated organization

292 views

Published on

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
292
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
8
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Public Company Accounting Oversight Board
  • Agile in a highly regulated organization

    1. 1. Tami FlowersKCDC - May 3, 2013
    2. 2. PLATINUM SPONSORSGOLD SPONSORSSILVER SPONSORS
    3. 3.  I worked for a company with these words in it’sname:• Federal• Home loan• Bank That meant we had to consider• Sarbanes Oxley Act (SOx)• COBIT = internal auditors, external auditors, internal riskmanagement group, examiners = 6-9 months a year of being audited or examined
    4. 4. What do COBIT and SOx say?Ok, so what does that mean?Where to startWhat to do on a projectTips and lessons learned
    5. 5. In all, 12 IT control objectives, which align to the Public Company Accounting Oversight Board(PCAOB) Auditing Standard No. 2 and Control Objectives for Information and related Technology (COBIT ®), were defined for Sarbanes-Oxley.Figure 1 provides a high-level mapping of the IT control objectives for Sarbanes-Oxley described in the IT Control Objectives for Sarbanes Oxley ,2nd edition document, IT general controls identified by the PCAOB and the COBIT 4.0 processes.
    6. 6.  From the April 2004 issuance of IT Control Objectives for Sarbanes-Oxley:“The work required to meet the requirements of the Sarbanes-Oxley Act shouldnot be regarded as a compliance process, but rather as an opportunity toestablish strong governance models designed to result in accountabilityand responsiveness to business requirements. Building a strong internalcontrol program within IT can help to:• Gain competitive advantage through more efficient and effective operations• Enhance risk management competencies and prioritization of initiatives• Enhance overall IT governance• Enhance the understanding of IT among executives• Optimize operations with an integrated approach to security, availability andprocessing integrity• Enable better business decisions by providing higher-quality, more timelyinformation• Contribute to the compliance of other regulatory requirements, such as privacy• Align project initiatives with business requirements• Prevent loss of intellectual assets and the possibility of system breach”
    7. 7.  Some of the important areas of responsibility for IT include:• Understanding the organization’s internal control program and itsfinancial reporting process• Mapping the IT environment (IT services and processes) that supportsinternal control and the financial reporting process to the financialstatements• Identifying risks related to these IT systems• Designing and implementing controls designed to mitigate the identifiedrisks and monitoring them for continued effectiveness• Documenting and testing IT and systems-based controls• Ensuring that IT controls are updated and changed as necessary tocorrespond with changes in internal control or financial reportingprocesses• Monitoring IT controls for effective operation over time• Participating in the Sarbanes-Oxley project management office
    8. 8. Controls, not the HOW or the process, isthe focus.As long as your process can show• the controls,• that the controls are implemented and testedThen the process you use to build softwareis up to you and your organization.
    9. 9. Feasibility InitiationReleasePlanningIterate Close Out
    10. 10. Feasibility Initiation/Planning Iterate Close OutPrioritization ofRequestsCOBITSOxApprovalsCOBITChange ManagementApprovalsCOBITSOxProject StatusReportingCOBITTesting &DocumentationApproachCOBITSOxTesting Documentationand Sponsor ApprovalsCOBITSoxCycle 0 TestingDocumentationCOBITSOxSecurity Review - userroles within anapplicationCOBITSOxCycle 0 Security TestingDocumentationCOBITSOxSecurity TestingDocumentationCOBITSOxInstall DocumentationSOxSecurity Review - howapplication security isdesigned/coded.COBITSOxCode StorageCOBIT
    11. 11. Use your SDLC to define your projectprocess and deliverables.Ensure those deliverables are created foreach project.Make sure they are stored where they canbe easily found when requested byauditors and examiners.
    12. 12. One size of Agile may not be right for alltypes of projects and teams.• For large longer-term projects, daily standups,release plans, iteration planning meetings,retrospectives may be required with stories andtasks located on a project board.• An infrastructure team charged with installingservers, routers, and firewalls and keeping it all upand running may have an overall plan and dailystandups with tasks as sticky notes on a Kanbanboard.
    13. 13.  Consider adding different Service Levels, withincreasing types of deliverables, based onproject characteristics.• For instance, a year long project with a larger projectteam should have far more controls and deliverablesthan a 1 week project with one developer. Don’t have an overwhelming number ofdeliverables so it takes longer to dopaperwork or document than it does to do theproject.
    14. 14.  Identify SOX controls up-front during the earlystages of project planning. When creating test scripts, explicitly identifythe SOX controls that need to be tested. After testing, explicitly document that thosecontrols were tested. This doesn’t meanprovide pages of documentation; identify whatyou are testing, test it, and document that youtested it. A test scenario can be documentedwith a simple “pass” or “fail”.
    15. 15.  Stay tool-agnostic. Don’t tie yourself tospecific tools when documenting yourprocesses. Keep developmentenvironments, bug tracking software,testing tools, etc. out of the documentation.
    16. 16.  Your SDLC should guide your deliverables. Keep itupdated and “fresh”. Consider updating and trainingannually. Focus on deliverables that prove the controls havebeen tested. Don’t overdo it on deliverables. Keep it as simple aspossible. Work to educate auditors, examiners, etc. on whatAgile means. When possible, include them early in the developmentof your process. Say what you are going to do…and do it! Then makesure it’s saved and easy to find when asked.
    17. 17. Twitter: TamiLFlowersLinkedInThanks!

    ×