AGILE IN A HIGHLY REGULATED ORGANIZATION
Tami Flowers
KCDC - May 15, 2014
HIGHLY REGULATED ENVIRONMENT
• I worked for a company with these words in its name:
  - Federal
  - Home Loan
  - Bank
• That meant we had to consider:
  - Sarbanes-Oxley Act (SOx)
  - COBIT
• = internal auditors, external auditors, internal risk management group, examiners
• = 6-9 months a year of being audited or examined
TODAY'S DISCUSSION
• Why did some of these regulations come about?
• What do COBIT and SOx say?
• Ok, so what does that mean?
• Where to start
• What to do on a project
• Tips and lessons learned
• Implementing new or changed regulations
REGULATION
• Our friends at Wikipedia say:
  - A regulation is a rule or law designed to control or govern conduct.
  - Regulation creates, limits, or constrains a right, creates or limits a duty, or allocates a responsibility.
MOST INDUSTRIES AND BUSINESSES HAVE REGULATIONS
ENRON
• Before its bankruptcy on December 2, 2001, Enron employed approximately 20,000 staff and was one of the world's major electricity, natural gas, communications, and pulp and paper companies, with claimed revenues of nearly $101 billion during 2000. Fortune named Enron "America's Most Innovative Company" for six consecutive years.
• At the end of 2001, it was revealed that its reported financial condition was sustained substantially by an institutionalized, systematic, and creatively planned accounting fraud.
• The scandal also brought into question the accounting practices and activities of many corporations in the United States and was a factor in the creation of the Sarbanes-Oxley Act of 2002.
• Arthur Andersen was dissolved, shareholders lost their investments, and employees lost their jobs and retirement savings.
WHAT IS SOX?
• SOx
  - Sarbanes-Oxley; named for Senator Paul Sarbanes and Rep. Michael Oxley
  - Aka "Public Company Accounting Reform and Investor Protection Act"
  - Thank you Enron, Tyco, and WorldCom
• Contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the law
• Controls, assessment of internal controls, disclosures in reports, audits, etc.
• Controls around anything that impacts what goes onto a financial statement
TYPES OF CONTROLS
• Business units
  - Any business department that impacts financial statements
  - Accounting
  - Finance
  - HR (executive compensation, etc.)
• IT
  - IT general controls
  - IT application controls
IT CONTROLS
• Our friends at Wikipedia say:
  - IT control objectives relate to the confidentiality, integrity, and availability of data and the overall management of the IT function of the business enterprise.
  - IT controls are often described in two categories: IT general controls and IT application controls.
COBIT
• Framework for IT Governance and Control
• Policy development and good practices for IT control
• "COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the enterprises' IT governance and control framework."
In all, 12 IT control objectives, which align to the Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 2 and Control Objectives for Information and related Technology (COBIT®), were defined for Sarbanes-Oxley. Figure 1 provides a high-level mapping of the IT control objectives for Sarbanes-Oxley described in the IT Control Objectives for Sarbanes-Oxley, 2nd edition document, IT general controls identified by the PCAOB and the COBIT 4.0 processes.
IT GOVERNANCE INSTITUTE
• From the April 2004 issuance of IT Control Objectives for Sarbanes-Oxley:
  "The work required to meet the requirements of the Sarbanes-Oxley Act should not be regarded as a compliance process, but rather as an opportunity to establish strong governance models designed to result in accountability and responsiveness to business requirements. Building a strong internal control program within IT can help to:
  - Gain competitive advantage through more efficient and effective operations
  - Enhance risk management competencies and prioritization of initiatives
  - Enhance overall IT governance
  - Enhance the understanding of IT among executives
  - Optimize operations with an integrated approach to security, availability and processing integrity
  - Enable better business decisions by providing higher-quality, more timely information
  - Contribute to the compliance of other regulatory requirements, such as privacy
  - Align project initiatives with business requirements
  - Prevent loss of intellectual assets and the possibility of system breach"
THINGS TO CONSIDER FROM THE IT GOVERNANCE INSTITUTE
• Some of the important areas of responsibility for IT include:
  - Understanding the organization's internal control program and its financial reporting process
  - Mapping the IT environment (IT services and processes) that supports internal control and the financial reporting process to the financial statements
  - Identifying risks related to these IT systems
  - Designing and implementing controls designed to mitigate the identified risks and monitoring them for continued effectiveness
  - Documenting and testing IT and systems-based controls
  - Ensuring that IT controls are updated and changed as necessary to correspond with changes in internal control or financial reporting processes
  - Monitoring IT controls for effective operation over time
  - Participating in the Sarbanes-Oxley project management office
WHAT DOES THIS MEAN?
• The focus is on the controls, not on the HOW or the process.
• As long as your process can show
  - the controls, and
  - that the controls are implemented and tested,
  then the process you use to build software is up to you and your organization.
PROJECT LIFECYCLE
Feasibility, Initiation, Release Planning, Iterate, Close Out
MAP CONTROLS TO PROJECT LIFECYCLE
Phases: Feasibility | Initiation/Planning | Iterate | Close Out

COBIT
  Feasibility: Prioritization of Requests
  Initiation/Planning: Project Approvals; Testing & Documentation Approach
  Iterate: Project Status Reporting; Testing Documentation and Sponsor Approvals; Security Review (least privileges in an application); Security Testing Documentation; Change Management Approvals
  Close Out: Cycle 0 Testing Documentation; Cycle 0 Security Testing Documentation; Code Storage

SOx
  Feasibility: Prioritization of Requests
  Initiation/Planning: Testing & Documentation Approach
  Iterate: Testing Documentation and Sponsor Approvals; Security Review (least privileges in an application); Security Testing Documentation; Change Management Approvals
  Close Out: Cycle 0 Testing Documentation; Cycle 0 Security Testing Documentation; Install Documentation
SAY WHAT YOU ARE GOING TO DO, AND DO IT
• Use your SDLC to define your project process and deliverables.
• Ensure those deliverables are created for each project.
• Make sure they are stored where they can be easily found when requested by auditors and examiners.
ONE SIZE MAY NOT FIT ALL
• One size of Agile may not be right for all types of projects and teams.
  - For large, longer-term projects, daily standups, release plans, iteration planning meetings, and retrospectives may be required, with stories and tasks located on a project board.
  - An infrastructure team charged with installing servers, routers, and firewalls and keeping it all up and running may have an overall plan and daily standups, with tasks as sticky notes on a Kanban board.
CONSIDER USING SERVICE LEVELS
• Consider adding different Service Levels, with increasing types of deliverables, based on project characteristics.
  - For instance, a year-long project with a larger project team should have far more controls and deliverables than a 1-week project with one developer.
• Don't have an overwhelming number of deliverables, so that it takes longer to do the paperwork or documentation than it does to do the project.
• Want to learn more? Stay for my next session!
DURING A PROJECT
• Identify SOX controls up-front during the early stages of project planning.
• When creating test scripts, explicitly identify the SOX controls that need to be tested.
• After testing, explicitly document that those controls were tested. This doesn't mean providing pages of documentation; identify what you are testing, test it, and document that you tested it. A test scenario can be documented with a simple "pass" or "fail".
KEEP IT SIMPLE!
• Stay tool-agnostic. Don't tie yourself to specific tools when documenting your processes. Keep development environments, bug tracking software, testing tools, etc. out of the documentation.
IMPLEMENTING REGULATORY CHANGES
• It's rare that you know exactly what the regulation states until right before it's supposed to be implemented.
• Use the time between learning about the regulation and knowing exactly what it states to:
  - Research what it means
  - Talk with regulators to understand its impacts, if possible
  - Identify applications that need to be changed or created to implement the regulation
  - Work with the product owner(s) to identify the highest risks and value, and prioritize the work you can up front
• Agile helps you be flexible and make adjustments once you get the final ruling, regulations, etc.
LESSONS LEARNED
• Your SDLC should guide your deliverables. Keep it updated and "fresh". Consider updating it and training your team members annually.
• Focus on deliverables that prove the controls have been tested.
• Don't overdo it on deliverables. Keep it as simple as possible.
• Work to educate auditors, examiners, etc. on what Agile means.
  - When possible, include them early in the development of your process.
• Say what you are going to do... and do it! Then make sure it's saved and easy to find when asked.
ME
• Twitter: TamiLFlowers
• LinkedIn: Tami Flowers
• Slideshare: www.slideshare.net/tamiflowers
• Thanks!
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 

Agile in a highly regulated organization 2014

  • 1. AGILE IN A HIGHLY REGULATED ORGANIZATION
    Tami Flowers, KCDC - May 15, 2014
  • 3. HIGHLY REGULATED ENVIRONMENT
    - I worked for a company with these words in its name:
      - Federal
      - Home Loan
      - Bank
    - That meant we had to consider
      - Sarbanes Oxley Act (SOx)
      - COBIT
      - = internal auditors, external auditors, internal risk management group, examiners
      - = 6-9 months a year of being audited or examined
  • 4. TODAY’S DISCUSSION
    - Why did some of these regulations come about?
    - What do COBIT and SOx say?
    - Ok, so what does that mean?
    - Where to start
    - What to do on a project
    - Tips and lessons learned
    - Implementing new or changed regulations
  • 5. REGULATION
    - Our friends at wikipedia say:
      - A regulation is a rule or law designed to control or govern conduct.
      - Regulation creates, limits, constrains a right, creates or limits a duty, or allocates a responsibility.
  • 6. MOST INDUSTRIES AND BUSINESSES HAVE REGULATIONS
  • 7. ENRON
    - Before its bankruptcy on December 2, 2001, Enron employed approximately 20,000 staff and was one of the world's major electricity, natural gas, communications, and pulp and paper companies, with claimed revenues of nearly $101 billion during 2000. Fortune named Enron "America's Most Innovative Company" for six consecutive years.
    - At the end of 2001, it was revealed that its reported financial condition was sustained substantially by an institutionalized, systematic, and creatively planned accounting fraud.
    - The scandal also brought into question the accounting practices and activities of many corporations in the United States and was a factor in the creation of the Sarbanes–Oxley Act of 2002.
    - Arthur Andersen was dissolved, shareholders lost, employees lost their jobs and retirements.
  • 8. WHAT IS SOX?
    - SOx
      - Sarbanes-Oxley; Senator Paul Sarbanes and Rep. Michael Oxley
      - Aka “Public Company Accounting Reform and Investor Protection Act”
      - Thank you Enron, Tyco, and WorldCom
    - Contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the law
    - Controls, assessment of internal controls, disclosures in reports, audits, etc.
    - Controls around anything that impacts what goes onto a financial statement
  • 9. TYPES OF CONTROLS
    - Business units
      - Any business department that impacts financial statements
      - Accounting
      - Finance
      - HR (executive compensation, etc.)
    - IT
      - IT general controls
      - IT application controls
  • 10. IT CONTROLS
    - Our friends at wikipedia say:
      - IT control objectives relate to the confidentiality, integrity, and availability of data and the overall management of the IT function of the business enterprise.
      - IT controls are often described in two categories: IT general controls and IT application controls.
  • 11. COBIT
    - Framework for IT Governance and Control
    - Policy development and good practices for IT control
    - “COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the enterprises' IT governance and control framework.”
  • 12. In all, 12 IT control objectives, which align to the Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 2 and Control Objectives for Information and related Technology (COBIT®), were defined for Sarbanes-Oxley. Figure 1 provides a high-level mapping of the IT control objectives for Sarbanes-Oxley described in the IT Control Objectives for Sarbanes-Oxley, 2nd edition document, IT general controls identified by the PCAOB and the COBIT 4.0 processes.
  • 13. IT GOVERNANCE INSTITUTE
    - From the April 2004 issuance of IT Control Objectives for Sarbanes-Oxley: “The work required to meet the requirements of the Sarbanes-Oxley Act should not be regarded as a compliance process, but rather as an opportunity to establish strong governance models designed to result in accountability and responsiveness to business requirements. Building a strong internal control program within IT can help to:
      - Gain competitive advantage through more efficient and effective operations
      - Enhance risk management competencies and prioritization of initiatives
      - Enhance overall IT governance
      - Enhance the understanding of IT among executives
      - Optimize operations with an integrated approach to security, availability and processing integrity
      - Enable better business decisions by providing higher-quality, more timely information
      - Contribute to the compliance of other regulatory requirements, such as privacy
      - Align project initiatives with business requirements
      - Prevent loss of intellectual assets and the possibility of system breach”
  • 14. THINGS TO CONSIDER FROM THE IT GOVERNANCE INSTITUTE
    - Some of the important areas of responsibility for IT include:
      - Understanding the organization’s internal control program and its financial reporting process
      - Mapping the IT environment (IT services and processes) that supports internal control and the financial reporting process to the financial statements
      - Identifying risks related to these IT systems
      - Designing and implementing controls designed to mitigate the identified risks and monitoring them for continued effectiveness
      - Documenting and testing IT and systems-based controls
      - Ensuring that IT controls are updated and changed as necessary to correspond with changes in internal control or financial reporting processes
      - Monitoring IT controls for effective operation over time
      - Participating in the Sarbanes-Oxley project management office
  • 15. WHAT DOES THIS MEAN?
    - The controls, not the HOW or the process, are the focus.
    - As long as your process can show
      - the controls,
      - that the controls are implemented and tested,
    - then the process you use to build software is up to you and your organization.
  • 17. MAP CONTROLS TO PROJECT LIFECYCLE
    Lifecycle phases: Feasibility | Initiation/Planning | Iterate | Close Out
    COBIT controls, in lifecycle order:
      Prioritization of Requests; Project Approvals; Testing & Documentation Approach; Project Status Reporting; Testing Documentation and Sponsor Approvals; Security Review - least privileges in an application; Security Testing Documentation; Change Management Approvals; Cycle 0 Testing Documentation; Cycle 0 Security Testing Documentation; Code Storage
    SOx controls, in lifecycle order:
      Prioritization of Requests; Testing & Documentation Approach; Testing Documentation and Sponsor Approvals; Security Review - least privileges in an application; Security Testing Documentation; Change Management Approvals; Cycle 0 Testing Documentation; Cycle 0 Security Testing Documentation; Install Documentation
  • 18. SAY WHAT YOU ARE GOING TO DO, AND DO IT
    - Use your SDLC to define your project process and deliverables.
    - Ensure those deliverables are created for each project.
    - Make sure they are stored where they can be easily found when requested by auditors and examiners.
  • 19. ONE SIZE MAY NOT FIT ALL
    - One size of Agile may not be right for all types of projects and teams.
    - For large longer-term projects, daily standups, release plans, iteration planning meetings, retrospectives may be required with stories and tasks located on a project board.
    - An infrastructure team charged with installing servers, routers, and firewalls and keeping it all up and running may have an overall plan and daily standups with tasks as sticky notes on a Kanban board.
  • 20. CONSIDER USING SERVICE LEVELS
    - Consider adding different Service Levels, with increasing types of deliverables, based on project characteristics.
    - For instance, a year-long project with a larger project team should have far more controls and deliverables than a 1-week project with one developer.
    - Don’t have an overwhelming number of deliverables so it takes longer to do paperwork or document than it does to do the project.
    - Want to learn more? Stay for my next session!
  • 21. DURING A PROJECT
    - Identify SOX controls up-front during the early stages of project planning.
    - When creating test scripts, explicitly identify the SOX controls that need to be tested.
    - After testing, explicitly document that those controls were tested. This doesn’t mean provide pages of documentation; identify what you are testing, test it, and document that you tested it. A test scenario can be documented with a simple “pass” or “fail”.
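As an added example (not code from the deck or from the speaker's organization), here is a small Python control-evidence harness that does what slide 21 describes: each test function is tagged with the control it gives evidence for, every run produces a dated pass/fail record per control, and any control that no test covered is reported as "untested" rather than silently missing. The control identifiers, the role/permission table and the change tickets are constructed placeholders standing in for a real application.

```python
"""Control-evidence register: tag test scripts with SOx controls, record pass/fail.

Added example; control IDs and sample data are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import json

# Constructed control identifiers (placeholders, not any organization's real list).
CONTROLS = {
    "CTRL-CM-01": "Change management approvals recorded before install",
    "CTRL-SEC-01": "Application enforces least privilege for its roles",
    "CTRL-TST-01": "Testing documentation approved by sponsor",
}


@dataclass
class Evidence:
    control_id: str
    test_name: str
    result: str      # "pass" or "fail"
    detail: str
    run_at: str      # UTC timestamp, so the record is self-dating for auditors


def control(*control_ids):
    """Decorator: tag a check with the control(s) it provides evidence for."""
    def wrap(fn):
        fn.control_ids = control_ids
        return fn
    return wrap


# Constructed sample data standing in for the application under test.
ROLE_PERMISSIONS = {
    "teller": {"view_account", "post_deposit"},
    "auditor": {"view_account", "view_ledger"},
    "admin": {"view_account", "post_deposit", "view_ledger", "manage_users"},
}
CHANGE_TICKETS = [
    {"id": "CHG-1001", "approved_by": "j.doe", "installed": True},
    {"id": "CHG-1002", "approved_by": None, "installed": False},
]


@control("CTRL-SEC-01")
def check_teller_cannot_manage_users():
    return "manage_users" not in ROLE_PERMISSIONS["teller"], "teller lacks manage_users"


@control("CTRL-SEC-01")
def check_auditor_is_read_only():
    writes = {"post_deposit", "manage_users"}
    return ROLE_PERMISSIONS["auditor"].isdisjoint(writes), "auditor has no write permissions"


@control("CTRL-CM-01")
def check_installed_changes_were_approved():
    bad = [t["id"] for t in CHANGE_TICKETS if t["installed"] and not t["approved_by"]]
    return not bad, f"unapproved installed changes: {bad}"


CHECKS = [check_teller_cannot_manage_users, check_auditor_is_read_only,
          check_installed_changes_were_approved]


def run_controls(checks=CHECKS, controls=CONTROLS):
    """Run every tagged check; return (evidence records, control IDs with no evidence)."""
    run_at = datetime.now(timezone.utc).isoformat(timespec="seconds")
    evidence = []
    for fn in checks:
        try:
            ok, detail = fn()
        except Exception as exc:  # a crashing check is a failed control, not a skipped one
            ok, detail = False, f"check raised {exc!r}"
        for cid in fn.control_ids:
            evidence.append(Evidence(cid, fn.__name__, "pass" if ok else "fail", detail, run_at))
    covered = {e.control_id for e in evidence}
    untested = sorted(c for c in controls if c not in covered)
    return evidence, untested


def evidence_report(evidence, untested):
    """JSON summary per control: one failing check fails the control; uncovered = untested."""
    by_control = {}
    for e in evidence:
        entry = by_control.setdefault(e.control_id, {"result": "pass", "tests": []})
        entry["tests"].append({"test": e.test_name, "result": e.result, "detail": e.detail})
        if e.result == "fail":
            entry["result"] = "fail"
    for cid in untested:
        by_control[cid] = {"result": "untested", "tests": []}
    return json.dumps(by_control, indent=2, sort_keys=True)


if __name__ == "__main__":
    ev, missing = run_controls()
    print(evidence_report(ev, missing))
```

The report is the deliverable to file alongside the project's other artefacts: it names the control, the check that exercised it, the outcome and the time, which is all the slide asks for. The "untested" state is the part worth keeping when adapting this to a real test suite, because a control that was identified up-front but never exercised is the gap an auditor will look for.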
  • 22. KEEP IT SIMPLE!
    - Stay tool-agnostic. Don’t tie yourself to specific tools when documenting your processes. Keep development environments, bug tracking software, testing tools, etc. out of the documentation.
  • 23. IMPLEMENTING REGULATORY CHANGES
    - It’s rare that you know exactly what the regulation states until right before it’s supposed to be implemented.
    - Use the time between learning about the regulation and knowing exactly what it states to:
      - Research what it means
      - Talk with regulators to understand its impacts, if possible
      - Identify applications that need to be changed or created to implement the regulation
      - Work with the product owner(s) to identify the highest risks and value, and prioritize the work you can do up front
    - Agile helps you stay flexible to make adjustments once you get the final ruling, regulations, etc.
  • 24. LESSONS LEARNED
    - Your SDLC should guide your deliverables. Keep it updated and “fresh”. Consider updating it and training your team members annually.
    - Focus on deliverables that prove the controls have been tested.
    - Don’t overdo it on deliverables. Keep it as simple as possible.
    - Work to educate auditors, examiners, etc. on what Agile means.
    - When possible, include them early in the development of your process.
    - Say what you are going to do…and do it! Then make sure it’s saved and easy to find when asked.
  • 25. ME
    - Twitter: TamiLFlowers
    - LinkedIn: Tami Flowers
    - Slideshare: www.slideshare.net/tamiflowers
    - Thanks!

Editor's Notes

  1. Public Company Accounting Oversight Board