2012 05 corp fin 1c


Published on

Published in: Business, Economy & Finance
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Title:  How SOX-404 Exposed The Dysfunctional Marriage Between Business And IT... And How Lawyers Can Help Description: I'm proposing to talk about the awful and almost inevitable problems that result when regulatory compliance and IT meet.  
For many, the problem was most evident during the first years of SOX-404, where 90% of the deficiencies discovered by auditors were IT related, resulting in $3 billion of needless compliance efforts.  Which is an absurd state of affairs, because SOX-404 was all about ensuring that we don't have undetected material errors in financial statements, not about IT.
n 2006, I helped lead a project at the Institute of Internal Auditors that investigated this problem, which eventually led to creating scoping guidance for the IT portions of SOX-404.  Among the root causes that we identified were the imprecision of terminology used in both the regulatory requirements, as well as between the business and its IT organization.
I'll talk about my top lessons learned in my journey attempting to modify regulatory regimes, as well the dead bodies I uncovered that became one of the primary reasons for writing "When IT Fails: A Business Novel.”>>>Gene—Great to hear from you, and hope you are well.  I think the third title and first abstract would be of the most interest to our audience.  Most are much more familiar with SOX 404 (and client complaints about it) than PCI matters, and would appreciate and understand your thoughts on SOX 404 much better.  I also told folks you might take a few questions about entrepreneurship, your novel, etc.  Gwen is also looking forward to meeting you.  Look forward to seeing you tomorrow.  TPP    
  • There are many ways to react to this: like, fear, horror, trying to become invisible… All understandable, given the circumstances…
  • [ text ] My personal goal is to prescriptively define 1) what does Dev need to do to become a reliable partner, 2) what does IT Operations need to do to become a realiable partner, and then 3) how do they work together to deliver unbelievable value to the business.Of course, the goal is more than happy coexistence. It’s to replicate the Etsy and LinkedIn stories:Increase the rate of features that we can put into production, while simultaneously maintaining the reliability, stability, security and survivability of the production environment.
  • 2012 05 corp fin 1c

    1. 1. How SOX-404 Exposed TheDysfunctional Marriage Between Business And IT... And How Lawyers Can Help Gene Kim @realgenekim genek@realgenekim.me
    2. 2. Where Did The High Performers Come From?
    3. 3. Since 1999, We’ve Benchmarked 1500+ IT Organizations Source: EMA (2009) Source: IT Process Institute (2008)
    4. 4. Visible Ops: Playbook of High Performers• The IT Process Institute has been studying high-performing organizations since 1999 – What is common to all the high performers? – What is different between them and average and low performers? – How did they become great?• Answers have been codified in the Visible Ops Methodology www.ITPI.org
    5. 5. Story of GAIT and SOX-404• Tell you a story involving IT organizations, businesses, their auditors, the auditors’ regulators – A large and complex problem – How defining two words solved it and made a difference• My top lessons learned• What I’m doing about it now
    6. 6. Problem Statement• 2001: Enron fails ($63B market cap), Arthur Andersen dissolution• 2002: WorldCom (peak $117B market cap)• Leads to Sarbanes-Oxley Act of 2002
    7. 7. “OMG. 952 IT Deficiencies?!?”
    8. 8. Holy cow!!! Enron wasn’t caused by a DBA. So, why areWhat were/are people worried about? the auditors digging here?? --gkIT controls dominate the deficiencies, significantdeficiencies, and material weaknesses identified through the S-O 404 assessment.The estimated percentage of deficiencies identified show IT controlsaccounting for the most (34 percent), followed distantly by revenue(13 percent), procure to pay (10 percent), and fixed assets (10percent).The estimated percentage of significant deficiencies identified againshows IT controls leading the way (23 percent), followed by financialreporting and close (14 percent), procure to pay (13 percent), andrevenue (12 percent).The estimated percentages of material weaknesses identified includeIT controls (27 percent), revenue (18 percent), taxes (11 percent), andfinancial reporting and close (10 percent).It is important to note that the results presented here are based on self-reporting by the companies thatparticipated in the survey. Conclusions may be affected by the differing methods companies use to report onvarious elements of Sarbanes-Oxley compliance. © 2004 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in the U.S.A. 9
    9. 9. Again, holy cow!!! If the risk isn’t inPROBLEMS & CHALLENGES IT, then auditors are not only generating efforts, but finding deficiencies that don’t matters… IT V NON - IT COMPARISON --gk 100%  Disproportionate Share:  Compliance effort.% 50% IT  Deficiencies. NON - IT  Non Finance Apps. 0% EFFORT DEFICIENCIES  Financial Statement Impact:  Indirect linkage Applications in Scope  Least likely impact 100%  Business & IT integration. % 50% 0% Fin Apps Non Fin Apps10 February 2006 Corporate Finance
    10. 10. Vision: Create Equivalence to Nine Firm Document on IT Control Exceptions GAIT takes the approach used in the nine firm document. GAIT represents the upfront scoping exercise to appropriately identify the IT controls work relevant to overall internal controls objectives www.theiia.org Chart 3: Evaluating Information Technology General Control (ITGC) Deficiencies , “A Framework for Evaluating Control Exceptions and Deficiencies” (December 20, 2004)
    11. 11. There Had To Be A Better Way
    12. 12. SOX-404 Value Network: Primary Constituencies
    13. 13. The Problem• The IT portions of SOX-404 compliance has frustrated auditors and management – Significant key controls reside inside IT and IT processes as well as in the business processes – No well-established guidance for scoping IT work results in inconsistency and the process being overly subjective – Sometimes result in overly broad scope and excessive testing costs – Significant risks to financial assertions may be left unaddressed – Suboptimal use of scarce resources www.theiia.org
    14. 14. Why Is There A Problem?• No clear guidance exists to define how IT processes and activities can invalidate financial application processing or financial assertions – COSO provides an accepted construct for defining overall internal control objectives, assertions, risks and controls, but its application to the IT environmet is ambiguous – COBIT doesn’t provide a clear mechanism to scope IT processes and controls to the achievement of specific internal control objectives (e.g., COSO objective for internal control over financial reporting)• Something else is needed… www.theiia.org
    15. 15. COSO ERM Cube v2
    16. 16. COBIT
    17. 17. Why Is There A Problem?• No clear guidance exists to define how IT processes and activities can invalidate financial application processing or financial assertions – COSO provides an accepted construct for defining overall internal control objectives, assertions, risks and controls, but its application to the IT environment is ambiguous – COBIT doesn’t provide a clear mechanism to scope IT processes and controls to the achievement of specific internal control objectives (e.g., COSO objective for internal control over financial reporting)• Something else is needed…
    18. 18. Thought Experiment• Auditors vs. Management• We can agree that there are two extremes in spectrum of financial reporting risk – eBay auction settlement business process – Grain elevators• Extremes are easy… Middle is hard…
    19. 19. Language Is Often An Obstacle• In Newton’s time, there were not concrete terms for several critical concepts: – Force, acceleration, mass, inertia• In the following slide, note how difficult it was for Newton to frame the “three laws of motion” without these concepts… www.theiia.org
    20. 20. Early Drafts Of Three Laws Of Motion • 1. If a quantity once move it will never rest unless hindered by some externall cause. • 2. A quantity will always move on in the same straight line (not changing the determination nor celerity of its motion) unless some externall cause divert it. • 3. There is exactly so much required and no more force to reduce a body to rest as there was to put it upon motion. • Axiom 100: A body once moved will always keep the same celerity, quantity and determination of its motion • Axiom 103: ...as the body (a) is to the body (b0), so must the power of efficacy vigor strength or virtue of the cause which begets the same quantity of velocity www.theiia.orgSource: Isaac Newton, James Gleick.
    21. 21. Benchmarks• Pythagorean theorem: 24 words• Archimedes Principle: 67 words• Newton’s Three Laws Of Motion: 91 words• The 10 Commandments: 179 words• GAIT Proposed Principles v3.0: 168 words• The Gettysburg Address: 286 words• The Declaration of Independence: 1,300 words• GAIT Principles v1.3: 6,856 words• GAIT Methodology v2.2: 11,348 words• The US Government regulations on the sale of cabbage: 26,911 words www.theiia.org
    22. 22. Solution: GAIT…• Released in Feb 2007, Establishes four principles that – Defines the relevance of IT infrastructure elements to financial reporting integrity – Define the three types of IT processes that can affect them: change management and systems development, operations and security – Defines an end-to-end process view of these three processes – Defines an approach to defining objectives and key controls within those three processes• Provides a methodology and thinking process that continues the top down, risk based approach started in AS2 to scope IT general controls• Provides a common context for management and auditors to support and test management’s assessment that the necessary IT controls exist and are effective – Initial target is internal control objectives for financial reporting, but should extend to operating effectiveness and complying with laws and regulations (as defined by COSO)
    23. 23. GAIT Principle #1• The only IT infrastructure elements (e.g., databases, operating systems, networks) relevant to ITGC assessment are those that support financially-significant applications and data.(“What are the relevant IT infrastructure elements?”)
    24. 24. GAIT Principle #2• The IT processes primarily relevant to ITGC assessment are those that directly impact the integrity of financially-significant applications and data: – Change management and systems development: the processes around developing, implementing, and maintaining financially significant applications and supporting IT infrastructure – Operations management: the processes around managing the integrity of production data and program execution – Security management: the processes around limiting access to information assets (“What are the relevant end-to-end IT processes?”)
    25. 25. GAIT Principle #3• Implications to the reliability of financially- significant applications and data, including controls, are based upon the achievement or failure of IT process objectives, not the design and operating effectiveness of the individual controls within those processes. (“What are the relevant objectives of those IT processes? In other words, we shouldn’t get carried away when reaching a conclusion when testing a control.”)
    26. 26. GAIT Principle #4• The basis for identifying key controls in the three IT processes is based on: – Inherent risk of not achieving the IT process objectives – IT process risk indicators (“How do we select key controls within those IT processes?”)
    27. 27. GAIT Scoping: Step By Step AS2 begins hereIdentify key financial statement captions Identify the general ledger accounts related to the key financial statement accounts (significant account) Identify key transaction processes that affect the general ledger accounts Identify and understand related business processes Identify and understand applications and modules that support financially relevant business processes Identify and understand infrastructure that supports the business processes Analyze the risks within the integrated business process (Identify risks) Identify manual & automated controls & key functionality within Evaluate overall entity level controls the process that mitigate the risks (Identify key controls) Identify IT infrastructure elements which support the Identify IT entity level elements and the demonstrated maturity of the process application (the rest of the stack) Validate IT entity level controls Evaluate the risks related to (and within) the ITGAIT Starts Here processes which manage the infrastructure & apps
    28. 28. GAIT Tools• Principles Document• Scenarios and Tutorials – Online auction settlement process (high IT) – Rebate approval process (med IT) – Option expensing process (low IT)• Ask Dr. GAIT
    29. 29. Conclusions and Lessons Learned, Continued► Improved audit comment wording helps to connect to things management cares about: • “We noted poor change control procedures and were unable to obtain comfort that all changes were authorized and tested as required” -- vs. -- • “Poor change control practices introduced the risk of unauthorized or untested changes to key data such as annual threshold amounts for toxic chemical releases. Given the level of precision applied to reviewing the final report downstream, it is unlikely management would detect such errors. Our testing disclosed numerous “break/fix” changes had been made to code or data without supervisory review and approval or notifying the users.”
    30. 30. GAIT Evolution• Elements of GAIT was incorporated into PCAOB AS-5• GAIT-R for Business Risk – To me, its the first really well thought out way of linking IT to any COSO internal control objective – Unlike ITIL, COBIT: it helps focus on what matters• The Integrated Auditing Project (“Magic Glasses”)
    31. 31. PCI Problem Definition• Success of any PCI DSS compliance initiative is very dependent on accurate definition and scoping of the Cardholder Data Environment.• There is a wide variance in practice, experience and guidance in merchant and QSA community.• These contribute to scoping errors that result in: – Overly narrow scope that jeopardizes cardholder data – Overly broad scope that adds unnecessary cost and effort for compliance – Decreased confidence in and frustration with the PCI DSS standard
    32. 32. 33
    33. 33. 34
    34. 34. 35
    35. 35. Source: Gartner RVM Model(Proctor, Smith) 36
    36. 36. 37
    37. 37. 38
    38. 38. Top A-Ha Moments• I love auditors: they have a comprehensive vocabulary that we need – otherwise, we’re stuck in Flatland• Principles based guidance is great, as long as the words are precisely defined• Auditors have seen the dead people longer than anyone• It is possible to make a difference, even in complex social scenarios• COSO Cube is simple but great
    39. 39. You are only as smart as the averageof the top 5 people you hang out with 40
    40. 40. The Prescriptive DevOps Cookbook • “DevOps Cookbook” Authors – Patrick DeBois, Mike Orzen, John Willis • Goals – Codify how to start and finish DevOps transformations – How does Development, IT Operations and Infosec become dependable partners – Describe in detail how to replicate the transformations describe in “When IT Fails: The Novel”
    41. 41. “The Goal” by Dr. Eliyahu Goldratt
    42. 42. 43
    43. 43. 44
    44. 44. Fred Pond, CIO, Columbia Sportswear• “When you finish that book, everyone on my team will need to read it, as well as my auditors, my boss, and my boss’ boss…”
    45. 45. When IT Fails: The Novel and The DevOps Cookbook • Coming in July 2012 • “In the tradition of the best MBA case studies, this book should be mandatory reading for business and IT graduates alike.” Paul Muller, VP Software Marketing, Hewlett- PackardGene Kim, Tripwire founder, • “The greatest IT management book of ourVisible Ops co-author generation.” Branden Williams, CTO Marketing, RSA
    46. 46. When IT Fails: The Novel and The DevOps Cookbook • Our mission is to positively affect the lives of 1 million IT workers by 2017 • If you would like the “Top 10 Things Infosec Needs To Know About DevOps,” sample chapters and updates on the book:Gene Kim, Tripwire founder, – Sign up at http://itrevolution.comVisible Ops co-author – Email genek@realgenekim.me – Hand me a business card
    47. 47. If you’d like the slides from today’s presentation…• Text your name, email, website and the number 59871 to +1 (858) 598-3980• Visit: http://www.instantcustomer.com/go/59871• Or, scan this QR code:48