Sox presentation 10 04



  1. The Role of CIOs in a Sarbanes-Oxley World. Dwayne E. Jorgensen, CIA, CFE, Director, Sarbanes Oxley Services, Information Security Solutions
  2. Agenda
     • Introduction/Sarbanes-Oxley
     • COSO overview
     • Your role
     • Spirit or Letter of the Law?
     • A risk-based approach…
     • What's next?
     • Q&A
  3. Sarbanes-Oxley in a Nutshell
     • The Act was signed into law on July 30, 2002 and includes eleven titled sections:
       • Title I: Public Company Accounting Oversight Board
       • Title II: Auditor Independence
       • Title III: Corporate Responsibility
       • Title IV: Enhanced Financial Disclosures
       • Title V: Analyst Conflicts of Interest
       • Title VI: Commission Resources and Authority
       • Title VII: Studies and Reports
       • Title VIII: Corporate and Criminal Fraud Accountability
       • Title IX: White Collar Crime Penalty Enhancements
       • Title X: Corporate Tax Returns
       • Title XI: Corporate Fraud and Accountability
  4. Sarbanes-Oxley: The Reality
  5. COSO - Overview
     • COSO definition of internal control: internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
       • Effectiveness and efficiency of operations
       • Reliability of financial reporting
       • Compliance with applicable laws and regulations
     • Key concepts:
       • Internal control is a process. It is a means to an end, not an end in itself.
       • Internal control is effected by people. It is not merely policy manuals and forms, but people at every level of an organization.
       • Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
       • Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
  6. COSO - Overview: Risks
     • Evaluated by: severity; likelihood
     • Types of risks: inherent risks; managed risks; residual risks
  7. Spirit or Letter of the Law?
     • Sarbanes-Oxley: the "end" or the "means"?
     • Positive/negative effects of the intent for creating the ideal control environment: "static vs. perpetual"
     • Current debate over the role of the external auditor: "4 - 3 - 2"
  8. Sarbanes-Oxley's Impact on the COSO Cube (Sections 302, 404 and 409 across the top; IT components mapped to each COSO component)
     • Monitoring: Server Logs, Database Logs, Firewall Logs, Intrusion Detection, Incident Response, Awareness Training
     • Information & Communication: IT Policies, Standards & Procedures, Email, Scorecards, Dashboards, Project Information & Control, Help Desk
     • Control Activities: Firewalls, Security, DRP, Business Continuity, SDLC, Change Control, Operations
     • Risk Assessment: IT Risk Management, IT Risk Assessments, Business Impact Analysis
     • Control Environment: "Tone at the top", IT Governance, Regulatory Compliance
  9. The Compliance Iceberg
     • What You Know: Sarbanes-Oxley Act (Sections 404, 302, 301, 409); Compliance Requirements
     • What You Might Not Know: Industry Regulations (FDICIA, etc.); Public Co. Reg. (NYSE, NASDAQ, etc.); Standards; Lending Covenants; Mission Statements; Policies; Company-Specific Procedures; Standards; Tasks; Unique Control Events
     (© 2004 CTG)
  10. Spirit or Letter of the Law? 4-3-2
     • Section 404: Can external auditors "independently" test and opine on management's report on internal controls if they played any role in preparing the document?
  11. Spirit or Letter of the Law? 4-3-2
     • Section 302: Is management comfortable with this decision in light of pending guidance on disclosure protocols, and the subsequent potential harm if something was deemed "inappropriate" about the external auditor's role at a later date?
  12. Spirit or Letter of the Law? 4-3-2
     • Section 201: Since this assistance of operating management in preparing their assertion falls outside the scope of actual external audit work, does it require audit committee approval, and is management therefore comfortable asking for it?
  13. Suggested Risk Assessment Process
  14. Internal Control Maturity Model (Initial, Repeatable, Defined, Managed, Optimizing)
     • Initial: Control structure is not defined. Control occurs incidentally.
     • Repeatable: Control structure is not defined, but control processes may occur based on past success and management oversight.
     • Defined: Control structure is documented, standardized and integrated into control processes for the organization.
     • Managed: The control process is regularly assessed and tested. Detailed measures of the control process are collected and reported.
     • Optimizing: Continuous process improvement is enabled by quantitative feedback from the control process.
     Predictability, effectiveness and efficiency of an organization's internal controls improve as the organization moves through these five stages.
  15. Key Recommendation: Pick a Pilot!
     • Work with the external auditor to pick a key process to run the entire approach through, then ensure the approach is satisfactory to the auditor, prior to commencing on the remaining processes.
  16. Recommended Approach: Assess (phases: ASSESS, DOCUMENT, TEST, REPORT)
     Process:
     • Form Team: define overall SO requirements; identify and form team; partner with external audit firm
     • Perform Risk Assessment: confirm audit universe; define risk weighting; conduct assessment; analyze assessment results
     • Confirm Results: confirm risk rankings; map to knowledge base of mitigating practices; present findings to management
     • Develop Workplan: develop plan for documentation phase; review plan with external auditor and management
     Outcomes: management support; internal champion; trained team; consensus on objectives; risk-ranked universe; the PLAN
  17. Recommended Approach: Document (phases: ASSESS, DOCUMENT, TEST, REPORT)
     Process:
     • COSO Alignment: define target maturity level by process; assess COSO maturity by process; identify where improvements are needed
     • Document Control Activities: define control objectives; determine tool approach; map assessment to objectives and identify gaps
     • Improve Controls: develop plan to address gaps with control changes; assess and implement changes in controls; test new processes and train users
     • Define Monitoring Process: confirm the role of the internal audit department; assess current monitoring environment; implement monitoring process
     Outcomes: COSO maturity ranking; consensus on end state; improved controls environment; ongoing monitoring; documented controls
  18. Recommended Approach: Test (phases: ASSESS, DOCUMENT, TEST, REPORT)
     Process:
     • Management Controls Monitoring: educate management on controls; develop framework for management monitoring; facilitate management monitoring of controls
     • Independent Internal Audit Testing: develop framework for independent monitoring; facilitate independent monitoring of controls
     • Material Weakness Plan: identify weaknesses from management test; develop action plan for weaknesses; reiterate if necessary
     • Ongoing Report Process: implement process for ongoing quarterly reports; define process for development of IC report; partner with external auditor on report requirements
     Outcomes: management control monitoring; independent monitoring; management reporting process; ongoing reporting
  19. Recommended Approach: Report (phases: ASSESS, DOCUMENT, TEST, REPORT)
     Process:
     • Management Report: management reports on role in controls; management reports on testing process; management delivers final controls report
     • External Audit: external audit commences
     • External Control Testing: external auditor tests controls per requirements; external auditor reviews management report
     • External Auditor Assertion: external auditor issues final report; external auditor issues final assertion
     Outcomes: management report; external audit report; external assertion
  20. Illustrative Assessment Workplan (ten-week Gantt chart; tasks in order)
     1. Initial planning and information gathering
     2. Conduct initial interviews
     3. Review engagement letter
     4. Finalize interview list
     5. Finalize specialists required
     6. Prepare letter for interviewees to overview project/team
     7. Prepare interview objectives and general questions
     8. Finalize workplan
     9. Develop overview of client business/industry
     10. Finalize tailored questions by functional interview
     11. Draft format for deliverables
     12. Schedule interviews (approx. 25-35 interviews)
     13. Perform interviews (approx. 25-35 interviews at approx. 1.5 hrs each); interviews led by IA with client internal audit personnel involvement
     14. Document results of interviews / confirm with interviewees
     15. Develop risk ranking
     16. Develop audit plan
     17. Determine resource needs to execute audit plan
     18. Obtain client management consensus on risk profile
     19. Finalize and present deliverables
  21. Control Assessment Structure: General Controls
     • Control Capabilities: a) Authorization; b) Processing and Recording; c) Safeguarding; d) Reporting; e) Compliance; f) Risk Management; g) Resource Availability
     • COSO Control Components: a) Control Environment; b) Risk Assessment; c) Control Activities; d) Information & Communication; e) Monitoring
     • Example risk factors, each rated on a three-level scale (Control Capability / COSO Component / Risk Factor):
       • Authorization / Control Environment / Delegation of Authority: authority and approval levels are not delegated to the lowest levels; authority is delegated to the front lines, however executive management is involved; authority is delegated to the front lines and decision making resides at that level
       • Processing and Recording / Control Environment / Skill sets: employees possess the knowledge and skills necessary to effectively execute their job; employees possess some of the skills required to effectively execute their job; employees generally do not have the knowledge or skills to effectively execute their job
       • Processing and Recording / Control Environment / Volume of transactions: low volume of transactions and minimal interventions and hand-offs; average volume of transactions and considerable number of manual interventions; high volume of automated and manual transactions and hand-offs
       • Risk Management / Control Environment / Organization Structure: operations are highly centralized with effective communication systems; operations are fairly decentralized with fairly effective communication systems; operations are very decentralized with ineffective communication systems
  22. Framework for Risk Assessment
     • Identify: what are the risks?
     • Measure: what is the relative degree of risk? (Determined by severity and likelihood.)
     • Prioritize: which risks are most important?
  23. Risk Assessment: The Big Picture
     • Internal and external risks faced by all organizations.
     • Requires linked and consistent management objectives.
     • Identified/analyzed to manage and achieve objectives.
     • A system to address organization impact of external and internal condition changes.
     IIA definition: "… a systematic process for assessing and integrating professional judgments about probable adverse conditions and/or events. … organize and integrate professional judgments for development of the audit work schedule."
  24. Enterprise Risk Assessment
     • Driven by enterprise strategies and overall goals.
     • Risk rank the audit universe, applying the same risk factors to all audit entities.
     • Top-down focus begins at the enterprise level. Bottom-up begins at the entity level.
     • Approach dependent on management's objectives and other initiatives in place.
  25. Enterprise Risk Assessment Defined
     • Enterprise risk: potential exposures which could significantly impact or impede an enterprise's ability to succeed in accomplishing its overall financial and operational goals and objectives.
     • Risks can be categorized as follows:
       • Strategic: relating to high-level goals, aligned with and supporting the entity's mission/vision.
       • Operations: relating to effectiveness and efficiency of the entity's operations, including performance and profitability goals.
       • Reporting: relating to the effectiveness of the entity's reporting.
       • Compliance: relating to the entity's compliance with applicable laws and regulations.
  26. Ways To Look At Risk
     • Quantitative: assign a value to each control risk times a probability of the threat of the risk; higher value, greater risk
     • Qualitative: high, medium, low or adequate/inadequate
  27. Approaching Risk Assessment
     • Solicit executive management's enterprise strategies, goals, objectives and concerns.
     • If applicable, obtain the external auditor's perspective of the company. Also consider insurers, outside counsel, other third-party service providers.
     • Capture organization, products, processes, functions, locations, systems, support areas, etc. relevant to auditable entities.
     • Develop a model using risk factors, weightings and scoring criteria. The objective is a risk-ranked audit universe.
  28. An Enterprise Risk Assessment Tool
     • Provides analyses regarding risk exposures at an audit universe (enterprise) level.
     • No pre-defined database of standard questionnaires, risk factors and set risk weightings.
     • Information compiled by experienced professionals.
     • Information/analyses are only as good as the information compiled.
  29. Types of Risk Factors
     • Assets at risk: Cash; Inventory; Intellectual property; Equipment/software
     • Operational: Procurement; Production; Material Handling; Sales; Service; Human Resources; Planning; Legal; Environmental
     • Systems: Information quality; Security Architecture; Contingency planning
     • Financial: Data accuracy; Available information; Completeness of data; A/R, A/P, Cash flow, etc.
  30. Risk Weighting and Scoring
     • Weigh risks based on customized criteria:
       • Relative importance of individual risk factor.
       • Risk factor impact on business units based on likelihood of occurrence and severity of impact.
       • Facilitate with management and process owners.
     • Risk weighting results reviewed by management and the process owners:
       • Risk score is assessed for each risk factor.
       • Scores summed for a total risk score.
       • Supports risk-ranked audit universe.
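The scoring model of slides 26 and 30 (a severity-times-likelihood score per factor, weighted by the factor's relative importance, summed per entity and used to rank the audit universe) is small enough to show end to end. The block below is an added example, not code from the deck or its author: the factor names come from slide 29, but the 1..5 weights, the low/medium/high scale and the three auditable entities are constructed for illustration.

```python
"""Weighted risk scoring of an audit universe (added example, not from the deck).

Factor names are taken from slide 29; the weights, the rating scale and the
three auditable entities below are constructed for illustration.
"""
from dataclasses import dataclass

# Qualitative scale (slide 26) mapped onto numbers so factor scores can be summed.
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class RiskFactor:
    name: str
    weight: int  # relative importance of the factor (slide 30); constructed range 1..5

    def __post_init__(self):
        if not 1 <= self.weight <= 5:
            raise ValueError(f"weight for {self.name!r} must be 1..5")


@dataclass
class AuditEntity:
    name: str
    # factor name -> (likelihood of occurrence, severity of impact)
    ratings: dict[str, tuple[str, str]]


def factor_score(likelihood: str, severity: str) -> int:
    """Quantitative view (slide 26): severity times likelihood, range 1..9."""
    return LEVEL[likelihood] * LEVEL[severity]


def missing_ratings(entity: AuditEntity, factors: list[RiskFactor]) -> list[str]:
    """Factors the entity was not rated on. Slide 24 applies the same factors
    to every audit entity, so any gap here is a data-collection defect."""
    return [f.name for f in factors if f.name not in entity.ratings]


def entity_score(entity: AuditEntity, factors: list[RiskFactor]) -> int:
    """Total risk score: weighted sum of the per-factor scores (slide 30)."""
    missing = missing_ratings(entity, factors)
    if missing:
        raise KeyError(f"{entity.name} has no rating for {missing}")
    return sum(f.weight * factor_score(*entity.ratings[f.name]) for f in factors)


def rank_universe(entities: list[AuditEntity], factors: list[RiskFactor]) -> list[tuple[str, int]]:
    """Risk-ranked audit universe: highest total first, entity name breaks ties."""
    scored = [(e.name, entity_score(e, factors)) for e in entities]
    return sorted(scored, key=lambda row: (-row[1], row[0]))


# Constructed sample input: three factors and three auditable entities.
FACTORS = [
    RiskFactor("Security Architecture", 4),
    RiskFactor("Data accuracy", 3),
    RiskFactor("Contingency planning", 2),
]
UNIVERSE = [
    AuditEntity("Payroll", {
        "Security Architecture": ("high", "high"),
        "Data accuracy": ("medium", "high"),
        "Contingency planning": ("low", "medium"),
    }),
    AuditEntity("Treasury", {
        "Security Architecture": ("medium", "high"),
        "Data accuracy": ("high", "high"),
        "Contingency planning": ("medium", "high"),
    }),
    AuditEntity("Cafeteria", {
        "Security Architecture": ("low", "low"),
        "Data accuracy": ("low", "low"),
        "Contingency planning": ("low", "low"),
    }),
]

if __name__ == "__main__":
    for name, score in rank_universe(UNIVERSE, FACTORS):
        print(f"{name:<10} {score:>3}")
```

Treasury outranks Payroll here even though Payroll has the single worst factor, because the weighted sum rewards being moderately exposed on every factor; that is exactly the property a reviewer of the weightings (slide 30) needs to confirm with the process owners before the ranking drives the audit plan.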
  31. Risk-based Approach: Examples (risks grouped on the slide under Functional Risk, Conversion Risk and Strategic Risk, with sub-groups Business Processes, Financial Reporting, Finance and Technology): Authority, Alignment, Capital Availability, Bench Strength, Business Continuity, Competition, Budgeting & Planning, Compliance, Capacity, Financial Markets, Financial Assessment, Contracting, Commodity, Flexibility, Evaluation, Empowerment, Communication, Industry, Financial Statement Falsification, Environmental, Cycle Time, Leadership, Fraud, Efficiency, Legal, Regulatory Reporting, Health and Safety, Human Resources, Regulatory, Taxation, Illegal Activities, Organization Structures, Product Life Cycle, Management Information, Performance Metrics, Product Development, Obsolescence/Shrinkage, Pricing, Reputation, Product/Service Quality, Resource Allocation, Trademark Erosion, Relevance, Collateral, Supplier, Sovereign, Unauthorized Use, Counterparty, Technology Selection, Strategic Assumptions, Credit, Technology Deployment, Valuation, Currency, Derivatives, Interest Rate, Liquidity, Reinvestment, Settlement, Technology (Availability, Access, Functionality, Integrity, Usability)
  32. Risk-based Approach: Process (Executive Management Input → Company Strategies Development → Risk Factor Model Development → Audit Universe Development → Risk Exposure Scoring → Audit Plan Development)
     • Executive management input, strategies and risk factor model: executive management input and buy-in; extract risk factors from strategies; identify and define risk factors to be used; define related scoring criteria for each risk factor; weight the risk factors
     • Audit universe development: input obtained from many sources (organizational charts, internal management reports, company directory, annual report, general ledger, location listings, major projects or contracts, information systems, etc.); auditable entities are cost centers, profit centers, investment centers, locations, functions, processes, etc.
     • Risk exposure scoring: scoring occurs from interviews with senior management responsible for the auditable entities; one person may be responsible for scoring multiple entities; many persons may be responsible for scoring one entity
     • Audit plan development: compute risk-ranked audit universe from completion of the ERA model; develop audit plan based on risk ranking and available resources; obtain executive management approval; execute audit plan; reassess risk exposures
  33. Risk-based Approach: Re-cap
     • Defined model of enterprise risk factors
     • Customized to fit our client's needs
     • Efficient direction of audit resources
     • Supported by an electronic tool that provides for data analysis
     • Provides sufficient information to build an audit plan
     • Performed by experienced professionals
     • Cost effective solution to improve enterprise risk management initiatives
  34. Security Architecture Risk Assessment Process
  35. Technology Evolution (diagram spanning the 70's to the 00's: Centralized, Distributed, Virtual; elements shown: Mainframes, Gateways, Super Server, High-Speed Network, Large Branch, Low-Speed Network, Small Branch, Data)
  36. Evolution of Technology Risk
     • Major trends that adversely impact risk: exponential expansion of technology; excessive focus on cost; accelerated pace of change; complexity of infrastructure; short term vision; mergers, collaborative initiatives; security impact on ROI
     • Risk drivers, by era (1970 to 200X; "risks are continually compounding"):
       • Centralized: viruses and program contamination; software piracy/licensing; unauthorized access; back-up and redundancy of data and programs; business continuity; introduction of technology dependency
       • Distributed adds: sabotage; hardware/data portability; decentralized procurement allowed unauthorized activities; authentication & authorization
       • Virtual adds: industrial espionage and introduction of value chain interdependency; users; control point/connectivity complexity; reaction time; infrastructure support
  37. Common Enterprise Security Threats (network diagram; the slide colour-codes each threat as external, internal or both)
     • Threats: inadequate password controls; information "leakage"; unnecessary services; inadequate logging and detection; improperly filtered/misconfigured web services; SLAs, "Confidentiality, Integrity, and Availability", and encryption concerns; inappropriate administrative rights and table attributes; inadequate controls over physical access to devices; excessive file and directory access; misconfigured firewalls and/or open TCP/IP and port connections; inadequate application and data integrity controls; excessive user rights; improperly configured routing; unsecured Remote Access Services (RAS); lack of effective enterprise policies and standards; excessive trust relationships; O/S misconfigured; unauthorized servers on the network; inadequate data backup and retention
     • Components depicted: Internet; DMZ/gateway servers; perimeter router; internal router; internal LAN; Windows NT workstation; Windows 98 station; Novell or Unix server; database server(s); Windows NT 4.0 or Windows 2000 servers; remote access server; dedicated circuit; dialup; branch office(s); mobile/home user; "xSP" clients
  38. SAF Life Cycle
  39. SAF Life Cycle
     • Assets: assets to be secured and controlled from inadvertent and/or intentional misuse.
     • Governance: establish policies, procedures and standards to define behavior.
     • Profile: locate and identify all assets across the infrastructure.
     • Value: determine business worth of resources.
     • Vulnerabilities: identify potential vulnerabilities and the ability to exploit them.
     • Threats: identify potential threats and the likelihood of occurrence.
     • Risk: calculate level of risk based upon exposures and countermeasures.
     • Solutions: elimination or reduction of likelihood of vulnerabilities.
     • Metrics: establish measurements to determine impact and value of security initiatives.
     • Monitoring: ensure compliance with established policies, procedures and standards.
  40. Risk Assessment Process (flow: Process Capture → Threat Assessment and Vulnerability Assessment → Risk Determination → Countermeasure Assessment → Decision Support Analysis)
  41. Risk Assessment Process: Process Capture
     • Identify critical/key mega and major processes (information, physical and functional) and their dependencies on one another.
     • Identify all of the infrastructure components that are required to support the various processes (current and future state): hardware; software; communications (network protocol, connectivity); facilities; personnel.
     • Identify the owners, maintainers and consumers for the processes and infrastructure components that have been identified.
     • Help place both a value (imputed or intrinsic) and importance on critical/key processes/assets.
  42. Risk Assessment Process: Threat Assessment
     • Identify and rank those threats that apply to the organization: environmental; man-made; external; internal; hostile (structured and unstructured); non-hostile (structured and unstructured).
     • Measure the amount of presence a threat has to the organization: physical presence a threat could have to the organization; electronic or logical presence a threat could have to the organization.
     • Measure the relative motivation and capability of a threat.
  43. Risk Assessment Process: Vulnerability Assessment
     • Identify and rank the known vulnerabilities associated with the client's specific processes/assets and infrastructure components.
     • Vulnerabilities are primarily driven by the system definition completed during process capture.
     • Determine if a vulnerability can be exploited via physical or electronic exposure to the vulnerability.
     • Measure the severity of the vulnerability by measuring: potential damage caused by exploitation; age of the vulnerability (when it was discovered); amount of information available for the vulnerability.
     • Determine the operational concerns that are impacted by the vulnerability.
  44. Risk Assessment Process: Risk Determination
     • Risk is the combination of a threat exploiting some vulnerability that could cause harm to some process/asset, based on the threat, vulnerability and asset measures previously defined.
     • Determine what threats can exploit which vulnerabilities against what processes/assets.
  45. Risk Assessment Process: Countermeasure Assessment
     • Identify applicable countermeasures by considering infrastructure-specific threats, vulnerabilities, processes/assets and components.
     • Produce a list of valid countermeasures to support the decision support analysis.
     • Countermeasure factors are based on:
       • Process/asset factors: sensitivity, criticality, perishability, recoverability, quantity, quality, economic value.
       • Threat factors: physical access, electronic access, capability, motivation.
       • Vulnerability factors: potential damage, available information.
     • Conduct risk mitigation calculations by applying countermeasures to the risk factor that each mitigates.
  46. Risk Assessment Process: Decision Support Analysis
     • Conduct cost benefit analysis:
       • Identify comparable alternative solution sets.
       • Identify the most cost efficient solution set.
       • Consider the cost benefit ratio: risk delta / cost. The highest cost benefit ratio implies the most cost effective solution.
       • Identify the solution leading to the biggest bang for the buck.
     • For a countermeasure to be considered it must mitigate at least one factor in the risk measure.
     (Figure: 3x3 matrix of Value (H/M/L) against Risk (H/M/L).)
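Slides 44 to 46 describe a calculation: rate the asset, threat and vulnerability factors, apply each candidate solution set to the factors it mitigates, and rank the sets by risk delta over cost, discarding any set that touches no factor of the risk being measured. The block below is an added example that carries that through; it is not code from the deck or its author. The factor groups are those of slide 45, but the rated levels, the countermeasures and their costs, and the product-of-group-sums risk measure are constructed for illustration (the slides give no formula for combining the three measures).

```python
"""Countermeasure cost/benefit ranking for one risk (added example, not from the deck).

Factor groups follow slide 45; the rated levels, countermeasures and costs are
constructed for illustration, as is the product-of-group-sums risk measure.
"""
from dataclasses import dataclass

LEVEL = {"L": 1, "M": 2, "H": 3}

# Countermeasure factors from slide 45, by group.
ASSET = ("sensitivity", "criticality", "perishability", "recoverability",
         "quantity", "quality", "economic_value")
THREAT = ("physical_access", "electronic_access", "capability", "motivation")
VULNERABILITY = ("potential_damage", "available_information")


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: int                 # in budget units (constructed)
    reduces: dict[str, int]   # factor -> number of levels it removes


def group_score(factors: dict[str, int], names: tuple[str, ...]) -> int:
    """Sum of the rated factors in one group; factors not rated for this risk count 0."""
    return sum(factors.get(n, 0) for n in names)


def risk_measure(factors: dict[str, int]) -> int:
    """Slide 44: the risk combines the asset, threat and vulnerability measures.
    The product below is a constructed choice, not the deck's formula."""
    return (group_score(factors, ASSET) * group_score(factors, THREAT)
            * group_score(factors, VULNERABILITY))


def apply_solution(factors: dict[str, int], solution) -> dict[str, int]:
    """Apply a solution set (one or more countermeasures); no level drops below 1 ("L")."""
    out = dict(factors)
    for cm in solution:
        for name, levels in cm.reduces.items():
            if name in out:
                out[name] = max(1, out[name] - levels)
    return out


def cost_benefit(factors: dict[str, int], solution):
    """Cost/benefit row for a solution set, or None when the slide 46 rule
    excludes it: a solution must mitigate at least one factor in this risk measure."""
    after_factors = apply_solution(factors, solution)
    if after_factors == factors:
        return None
    before, after = risk_measure(factors), risk_measure(after_factors)
    cost = sum(cm.cost for cm in solution)
    return {"solution": " + ".join(cm.name for cm in solution),
            "cost": cost, "risk_before": before, "risk_after": after,
            "ratio": (before - after) / cost}   # risk delta / cost


def rank_solutions(factors: dict[str, int], alternatives):
    """Alternatives ordered by cost/benefit ratio, best first; excluded sets dropped."""
    rows = [r for r in (cost_benefit(factors, s) for s in alternatives) if r is not None]
    return sorted(rows, key=lambda r: r["ratio"], reverse=True)


# Constructed sample: an Internet-facing order database rated on slide 45 factors.
ORDER_DB = {
    "sensitivity": LEVEL["H"], "criticality": LEVEL["H"],
    "electronic_access": LEVEL["H"], "capability": LEVEL["M"], "motivation": LEVEL["H"],
    "potential_damage": LEVEL["H"], "available_information": LEVEL["H"],
}
PATCH = Countermeasure("patch and harden DB host", 10,
                       {"available_information": 2, "potential_damage": 1})
SEGMENT = Countermeasure("segment DB behind internal firewall", 15, {"electronic_access": 2})
ENCRYPT = Countermeasure("encrypt data at rest", 8, {"sensitivity": 1})
BADGES = Countermeasure("badge readers at data centre", 4, {"physical_access": 2})
ALTERNATIVES = [(PATCH,), (SEGMENT,), (ENCRYPT,), (BADGES,), (PATCH, SEGMENT)]

if __name__ == "__main__":
    for row in rank_solutions(ORDER_DB, ALTERNATIVES):
        print(f"{row['ratio']:6.2f}  {row['risk_before']:>4} -> {row['risk_after']:>4}  "
              f"cost {row['cost']:>3}  {row['solution']}")
```

The badge-reader option drops out before any cost is considered: this risk has no physical-access exposure, so the slide 46 rule excludes it rather than letting a cheap, irrelevant control win on ratio. Patching alone ranks above patching plus segmentation because the ratio rewards risk removed per unit cost, not total risk removed; the combined set is the one to choose only if the budget allows and the residual 108 is still above the accepted level.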
  47. (Untitled layer diagram) Administration Rights, O/S User Rights, Security Level, Transaction Logs, System Logs; Authentication, Firewalls, Intrusion Detection Solutions, Physical Security, Analyzers, Sniffers
  48. IT Control Layers (layer: what it covers → IT controls)
     • Data, Processes/Procedures and Management Monitoring: manual processes and procedures that facilitate financial transactions and data, and the management monitoring that occurs around these activities → Completeness, Accuracy, Validity, Monitoring controls
     • Systems: the underlying hardware and operating systems where financial transactions and data are stored through the business applications and databases → Restricted Access, General IT Controls
     • Applications and Databases: the business applications and underlying databases that process, store, and report financial transactions and data → Completeness, Accuracy, Validity, Restricted Access, General IT Controls
     • Internal Networks: network infrastructure components that facilitate the processing of transactions to/from internal locations and organizations and provide access to internal business applications and databases → Restricted Access, General IT Controls
     • Network/Perimeter: network infrastructure components that facilitate the processing of transactions to/from external organizations and provide access to external and internal business applications and databases → Restricted Access, General IT Controls
  49. COSO - ERM Framework: What's next?
  50. Enterprise Risk Framework
     • Four objective categories: strive to achieve
     • Eight components: needed to achieve
     • Entity and organizational units
  51. Enterprise Risk Framework
     • Is a process: a means to an end, not an end in itself.
     • Is effected by people: it is not merely policies, surveys and forms, but involves people at every level of an organization.
     • Is applied in strategy setting.
     • Is applied across an enterprise, at every level and unit, and includes taking an entity-level portfolio view of risks.
  52. Enterprise Risk Framework
     • Is designed to identify events potentially affecting the entity and manage risk within its risk appetite.
     • Provides reasonable assurance to an entity's management and board.
     • Is geared to the achievement of objectives in one or more separate but overlapping categories.
  53. Questions? Contact information: Dwayne E. Jorgensen, CIA, CFE, Director, Sarbanes-Oxley Practice, Information Security Solutions, 800 Delaware Avenue, Buffalo, New York 14209. Office: 770/622-0073. Mobile: 770/789-7581. E-mail:
  54. The Role of CIOs in a Sarbanes-Oxley World. Dwayne E. Jorgensen, CIA, CFE, Director, Sarbanes Oxley Services, Information Security Solutions