Internal controls are incredibly important to business operations, but they are often seen as something abstract and separate when they should in fact be part of business as usual and of all ongoing development activities. Trying to resolve and remedy a lack of internal controls as a separate, post-event activity is not only risky – it is also expensive. Control and assurance must be based on the business risk, be in line with external rules and regulations, and be built in from the start.
Failing to meet internal control requirements can be extremely costly, not only in direct financial terms but also from a reputational perspective. In the UK, the £1.53 billion in fines recently handed to Barclays Bank, including a £284 million fine from the UK’s Financial Conduct Authority for failure to control business practices, made headline news across the world.
September 2015
Internal controls are incredibly important to business operations, but they are often seen as something abstract and separate when they should in fact be part of business as usual and of all ongoing development activities. Trying to resolve and remedy a lack of internal controls as a separate, post-event activity is not only risky – it is also expensive. Control and assurance must be based on the business risk, be in line with external rules and regulations, and be built in from the start.
In the article “Risky Business!”, published in May 2015, 3gamma outlined the effects of the cost associated with treating internal controls as discrete, separate activities. A key takeaway was that it is crucial to integrate the right level of internal control and risk assurance into all ongoing activities, both within the business and within the IT organisation.
3gamma was recently engaged in a large, complex programme to streamline financial reporting within a large, multi-national manufacturing organisation. The first phase of this programme was targeted at financial simplification, reduction of complexity in financial processes and the streamlining of General Ledger codes and reporting charts. As a part of this engagement, 3gamma was responsible for ensuring the project had a financial controls plan, which included a plan to ensure compliance with a very specific piece of financial regulation – the Sarbanes-Oxley Act. The approach taken was to operate the project in a controlled way, not to operate the project and then create evidence of control afterwards.
Based on these experiences, 3gamma has compiled a set of key recommendations on how to ensure compliance with Sarbanes-Oxley in a project setting. However, the approaches outlined in this article are not unique or limited to Sarbanes-Oxley; they can be adapted to other external and internal control frameworks as well.
Compliance: Having the right approach
Some might say that projects that fall under a regulatory audit require a large set of additional activities in order to “be compliant”, as if having compliance requirements were an additional deliverable in itself. However, your project should already be managed within a controlled framework. In most cases the regulatory aspect is an application of good practice and sensible control. Any project that has a clear assessment of risk and a clear, structured approach to delivery that takes those risks into account should only see the regulatory aspect as the provision of available evidence – not as additional activities in themselves. Understanding the audit requirements and the expected presentation of evidence up front means you should be able to operate controls seamlessly, providing the auditors with access to the documents you have already created as part of your delivery. If you are creating one document as part of your project methodology and another to evidence compliance, consider how to merge the two to achieve both objectives.
The Sarbanes-Oxley Act: Ensuring correct financial reporting across companies
The Sarbanes-Oxley (SOX) Act was introduced in 2002 in the wake of several financial scandals. Previously, corporate financial reporting and its audit relied largely on self-regulation, but the Enron and WorldCom affairs in the early 2000s led to scepticism among shareholders and the general public about the industry’s ability to self-regulate, and the US Congress was forced to act to improve the accountability and clarity of financial practices. SOX compliance is mandatory for any organisation whose securities are listed on a US stock exchange (a public company), but many other organisations also adopt SOX processes as an internal measure of financial best practice even when they are not legally required to do so.
SOX is primarily a financial governance and accountability regulation. Most of its clauses are aimed at providing clarity, preventing fraud and avoiding errors in financial practices. However, since IT supports corporate finance in such an integrated way in the modern world, it is not possible to isolate financial activities from their supporting IT systems. This is why IT controls are inevitable in a SOX context.
SOX is not limited to projects. Business-as-usual SOX controls affect things such as IT change management, user access and data retention. However, because IT projects introduce more invasive and far-reaching change, there are often more activities or controls to apply during a project phase. Consequently, project managers need to apprise themselves of SOX to keep business and IT projects on the right side of compliance.
A project’s full impact on a company’s financial processes
must be understood
A project in isolation is not “SOX compliant”, but following the guidelines below will ensure it doesn’t
put the organisation’s compliance at risk.
Any organisation within the scope of the SOX Act is obliged to have its internal control over financial reporting audited by an independent external auditor on a regular basis, and the auditor’s attestation is filed with the SEC as part of the annual report. Most organisations therefore operate an internal policy to ensure they will be successful in such an audit. Depending on the size of the organisation and the number of SOX-impacted projects taking place, an organisation may choose to bring in an external company or a specific internal function, separate from the external auditors, to fulfil what is known here as 2nd line assurance. This is a pre-audit designed to test the controls implemented at 1st line (the project), and it points out any risks before the external auditors (3rd line in this article’s terminology) arrive. Note that in the IIA’s “three lines” model the third line is the organisation’s own internal audit function and the external auditors sit outside the three lines; the labels used here describe the order in which a project is scrutinised rather than that model. Whatever it is called, 2nd line assurance is a helpful resource for any project manager.
When this is the case, this group will usually attend the project decision board and attest that the project has been delivered in a way that meets the requirements of a SOX audit. In some cases, the 2nd line assurance group may choose to ‘operate’ or test the controls, which means putting the evidence through the same rigour as an external audit. This can sometimes lead to rework, lessons or additional evidence provision. If the project has applied the agreed controls and provided the requisite evidence, it should pass easily through this stage.
Understanding the impact: Risk assessment
As a project manager, the first step is to understand whether the project impacts a financial system or a financial process. Give this significant thought, since the impact is not always obvious. For example, an SAP payroll project clearly has financial implications, but a new HR system could also have SOX implications because it interfaces with the financial systems (payroll data, for instance). The same is true of a software upgrade for an application that interfaces with financial systems. This impact assessment itself will form a key part of your SOX ‘control’. One way of doing it is to complete an impact risk assessment or regulatory impact determination (RID) report: a simple set of questions which determine whether your project has a regulatory impact. An example for SOX follows.
SOX and financial controls impact
The purpose of this questionnaire is to provide guidance to determine the system’s impact on data and record integrity in the area of financial reporting. Tick Yes or No against each question.
Questions (check impact: Yes / No)
1. Is the solution or system used to automate, calculate or approve financial transactions, including requisitions, purchase orders, cash disbursement requests, cash collection, approvals of expenditures, invoice processing/payment, or workflow routing?
2. Does the solution or system control, record or monitor the acquisition or disposal of assets?
3. Does the solution or system involve the entering of contracts?
4. Does the solution or system control, record or monitor donations or other items that impact taxes?
5. Does the solution or system collect, maintain or manipulate information for financial close reporting?
6. Does the solution or system affect sales reporting, including net sales?
7. Does the solution or system affect cost of sales or inventory?
8. Will the system or change impact the segregation of duties that is required to prevent fraud?
9. Will the system or change affect an existing or new report/transaction that is identified as part of a SOX key control?
10. Will the system or change impact the configuration of master data (e.g. customers, vendors, products) or affect the General Ledger?
11. Will the system or change be evidenced and auditable by external sources (e.g. internal auditors, SOX auditors, external financial auditors)?
12. Does the system or change interact with a previously identified SOX/FCF application?
Conclusion: document your result and rationale in the space provided.
Result: Yes (SOX/FCF impact) / No (no SOX/FCF impact)
Rationale: (record here)
Control and transparency in the project is not enough – it
must be supported by documented evidence
SOX is not in itself an activity or a set of tasks. If a project is being delivered in a controlled, transparent and methodical way, then most SOX requirements should be inherently met. The key word is evidence, and it is the collation and provision of this evidence that may require planning and tracking in your project plan. Setting up regular checkpoints to ensure you are building a portfolio of evidence is also wise, as waiting until the end is both daunting and risky. SOX requires that controls operate throughout the period under audit, so the evidence has to be produced as the project runs: going back to create the requisite documents after the event is not acceptable to an auditor, and backdated or reconstructed evidence is a finding in its own right. Most of the additional work, compared with a non-SOX project, stems from documenting and collecting evidence to prove that the project was delivered in a controlled manner against SOX principles.
A number of IT controls are relevant in a SOX context. The Act itself does not list them; they are the IT general controls (change management, access management, IT operations and development lifecycle controls) that frameworks such as COSO and COBIT define and that auditors use to assess internal control over financial reporting. Their relevance depends on the size, type and impact of the project being delivered. These requisite controls should be identified and agreed at the start of the project. Once this identification stage is completed, it is critical to consider what evidence the project will provide so that every control area can be evidenced.
Break down control categories into general controls applied
within the project
In a recent 3gamma client project, the following categories of SOX control objectives were considered based on the risk analysis:
• Project methodology: Demonstrate that the project has been delivered in a controlled manner using a defined methodology.
• Impact assessment: Demonstrate that the project has completed an impact assessment on all affected systems to ensure that any downstream systems are also assessed for SOX impact.
• Testing: Demonstrate that the project has been tested and that the testing was signed off according to a recognised test plan.
• Data migration: Demonstrate that the integrity of financial data is maintained and controlled through the project lifecycle, including how access to financial data is enforced and what processes are in place to prevent unauthorised access to, or changes of, financial data. This applies to production and non-production environments alike: a copy of the general ledger in a test environment is still financial data.
• Implementation and go-live: Demonstrate that the required approvals from both business and IT were in place before the project was put into the live environment. Also ensure that any business-as-usual SOX controls (such as change management) were applied to every system identified in the impact assessment.
The above list of control objectives is not exhaustive but provides a sound basis for ensuring compliance. Controls need to be defined based on the company’s audit policies, risk analysis and project value. For each control objective a set of controls must be identified.
The table below provides examples with illustrative project actions. None of these items should be additional tasks or activities if the project is run in a controlled way. However, structuring the project so that evidence is captured consistently, and can be referenced easily, is critical. Spending time thinking about project governance in the context of evidence provision is time well spent, as it will also lead to a better, more traceable delivery of your project. Embedding this in the project setup and delivery will significantly reduce the effort needed.
Control objective 1: Project methodology
Key control 1.0: The project plan is signed off by the project sponsor.
Why it is a key control: the project must ensure that there is an individual who has overall accountability for the plan, including the project’s impact on the organisation’s financial systems and data.
Project action: Obtain sign-off at project governance gate 1. Ensure SharePoint is used as the document repository.
Key control 1.1: The project plan is governed by change control.
Why it is a key control: unless there is change management over the plan, it cannot be made clear who is accountable, and how and when the financial data will be affected.
Project action: SharePoint version tracking is switched on and the weekly programme board reviews the plan. Any changes are captured in the programme board minutes stored on SharePoint at [location].
General control 1.0: The project plan is stored in an accessible repository (such as SharePoint).
Why it is a general control: this is best practice but not strictly governed by SOX.
Project action: Set up a clear SharePoint structure for document retention. Ensure that the project team is aware of the need to update the version on SharePoint and to avoid local versions.
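The control table above maps each control to the evidence the project will produce. What a practitioner usually wants on top of the table is a mechanical check that the mapping is complete and that the evidence has not been edited or back-filled after the governance gate. The script below is an added example written for this article, not 3gamma’s tooling or part of the original text. The control identifiers follow the table’s numbering; the document contents, hashes, capture dates, the gate date and the `check_evidence` function are all assumptions constructed for illustration.

```python
"""Control-to-evidence traceability check for a SOX-impacted project.

Added example for this article (not 3gamma's tooling). Control IDs follow the
control table's numbering; documents, hashes, dates and the gate date are
constructed for illustration.
"""
import hashlib
from datetime import date

# Controls agreed at project start, keyed by the identifiers used in the table.
# "key" marks the key controls an auditor will test: missing evidence for a key
# control is a failure, for a general control only a warning.
CONTROLS = {
    "Key control 1.0": {"key": True, "desc": "Project plan signed off by the project sponsor"},
    "Key control 1.1": {"key": True, "desc": "Project plan governed by change control"},
    "General control 1.0": {"key": False, "desc": "Project plan stored in an accessible repository"},
}

# Constructed stand-ins for the documents held in the repository (bytes instead
# of real PDF/DOCX content).
DOCUMENTS = {
    "plan_v3_signed.pdf": b"Project plan v3 - sponsor sign-off recorded 2015-04-02",
    "board_minutes_w14.docx": b"Programme board minutes, week 14 - plan change PC-07 approved",
}

# Governance gate date (assumed): all evidence for the gate must exist before it.
GATE_DATE = date(2015, 4, 10)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Evidence register: which document evidences which control, the hash recorded
# when the evidence was captured, and the capture date. Constructed for this example.
EVIDENCE = [
    {"control": "Key control 1.0", "doc": "plan_v3_signed.pdf",
     "sha256": sha256(DOCUMENTS["plan_v3_signed.pdf"]), "captured": date(2015, 4, 2)},
    {"control": "Key control 1.1", "doc": "board_minutes_w14.docx",
     "sha256": sha256(DOCUMENTS["board_minutes_w14.docx"]), "captured": date(2015, 4, 3)},
]


def check_evidence(controls, evidence, documents, gate_date):
    """Return a list of findings. FAIL = would block the gate, WARN = follow up.

    Checks: every control has evidence (coverage); every register entry points
    at an agreed control and an existing document; the document still matches
    the hash taken at capture (not edited after the event); and the evidence
    was captured before the gate rather than back-filled afterwards.
    """
    findings = []
    covered = {e["control"] for e in evidence}
    for cid, ctrl in controls.items():
        if cid not in covered:
            severity = "FAIL" if ctrl["key"] else "WARN"
            findings.append(f"{severity}: {cid} ({ctrl['desc']}) has no evidence")
    for e in evidence:
        cid, doc = e["control"], e["doc"]
        if cid not in controls:
            findings.append(f"WARN: {doc} references unknown control {cid}")
        if doc not in documents:
            findings.append(f"FAIL: {cid}: {doc} is missing from the repository")
        elif sha256(documents[doc]) != e["sha256"]:
            findings.append(f"FAIL: {cid}: {doc} has changed since it was captured")
        if e["captured"] > gate_date:
            findings.append(f"FAIL: {cid}: {doc} was captured after gate date {gate_date}")
    return findings


def gate_passable(findings):
    """The gate can proceed only if no finding is a FAIL."""
    return not any(f.startswith("FAIL") for f in findings)


if __name__ == "__main__":
    for f in check_evidence(CONTROLS, EVIDENCE, DOCUMENTS, GATE_DATE):
        print(f)
    # Simulate a document edited after capture: the recorded hash no longer matches.
    tampered = dict(DOCUMENTS, **{"plan_v3_signed.pdf": b"Project plan v3 - edited after the gate"})
    for f in check_evidence(CONTROLS, EVIDENCE, tampered, GATE_DATE):
        print(f)
```

Run against the register as constructed, the only finding is a warning that General control 1.0 has no evidence, which does not block the gate; replacing a document after capture or dating evidence after the gate produces a FAIL. The hash and the capture date are the two facts an auditor will use to decide whether evidence was produced during delivery or reconstructed afterwards, so recording both at capture time (for example in the repository’s version history) is the cheapest way to make that question answerable.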
SOX and external regulations can be a daunting prospect but
preparation and integration of controls reduces overall effort
Managing SOX compliance can be a daunting prospect for a project manager, but it is a critical dependency for go-live and a key deliverable. Receiving a “no” decision on your project go-live because you cannot provide SOX assurance will be a critical issue in your project at exactly the wrong time.
In 3gamma’s experience, when a company is required to remain Sarbanes-Oxley compliant, it is critical to approach SOX as early as possible in the project lifecycle. Every new project should be approached from a SOX perspective and perform the required impact assessment, since it is not always clear when and where SOX is applicable. If it is applicable, ensure that the project operates with a clear methodology and a plan for evidence collection and retention up front.
About the Author
Matt Williamson is a senior IT management consultant at 3gamma, with 14 years of experience from
a wide variety of leadership roles in IT programme delivery and IT service management.
ABOUT 3GAMMA
3gamma is a leading professional services firm focusing on IT management. As an independent specialist
in IT management, 3gamma provides advisory, consulting services and fact-based insights to many of the
world’s most respected companies. 3gamma operates globally from offices across the Nordics and UK.
3gamma is a knowledge firm that bases its expertise on six core capabilities:
• IT strategy and governance
• IT sourcing lifecycle
• IT legal advisory
• IT risk and assurance
• IT operational excellence
• IT project management and delivery
3gamma Insights brings leading-edge thinking at the intersection of IT and business, illuminating central
topics relevant to CIOs and decision makers.