© Information Systems Audit and Control Association and IT Governance Institute
Sarbanes-Oxley: A Focus on IT Controls
The Role of the IT Professional in Sarbanes-Oxley Compliance
Marios Damianides, Partner, Ernst & Young LLP; ISACA and ITGI International President
June 2004
Agenda
• About IT governance
• IT and Sarbanes-Oxley
• Implementing IT governance for compliance
• Implications for IT and IT professionals
Increasing Expectations of IT Function
[Chart: how expectations of the IT function have grown over three periods (Pre 1990's, 1990's, Post Sarbanes-Oxley), rated Important, Critical and Urgent, across the dimensions Cost, Value and Risk]
Cost, Value and Risk drivers:
• Cost Efficiency
• Higher ROI
• Driving Shareholder Value
• Revenue Generation
• Decision Support
• IT Governance & Management
• Financial Reporting
• Transparent Disclosure
• Information Security
• Program Assurance
Internal & External Stakeholders: CEO, Board of Directors, CFO, Audit Committee, COO, Shareholders, Head of IA, Regulators, Directors, Capital Markets, Business Partners, Employees, Others
ITGI Research
Problems Encountered with IT in Last 12 Months
[Chart: percentage of respondents reporting each problem, two survey series; bar values as extracted, item mapping not recoverable: 41%/40%, 38%/38%, 35%/35%, 34%/28%, 27%/24%, 5%/7%]
• Inadequate view on how well IT is performing
• Operational failures of IT
• IT staffing problems
• Number of problems and incidents
• High cost of IT with low return on investment
• Lack of knowledge of critical systems
• Manageability of data
• Disconnect between IT strategy and business strategy
• Unmanaged dependencies on entities beyond direct control
• Number of errors introduced by critical systems
• None
• Other
ITGI Research
What do you hope to address through an IT governance solution/framework?
[Chart: percentage of respondents per objective, axis 0% to 70%; bar values as extracted: 18%, 47%, 50%, 51%, 52%, 56%, 60%; grouped under Cost, Value and Risk]
• Others
• Management of risk in relation to IT investment
• Management of IT resources against objectives
• Measurement of performance of IT infrastructure
• Delivery of business value through IT
• Management of risk in relation to IT operations
• Alignment of IT with company strategy
What Is IT Governance?
“IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.”
Board Briefing on IT Governance, 2nd Edition, IT Governance Institute, www.itgi.org
Dimensions of IT Governance
[Diagram: IT Governance at the centre, surrounded by five dimensions; each dimension is annotated with the share of survey respondents citing it: 34%, 34%, 50%, 39% and 49% (dimension mapping not recoverable)]
• Strategic Alignment
• Value Delivery
• Resource Management
• Risk Management
• Performance Measurement
Roles and Responsibilities of IT Governance
• Boards
• IT Strategy Committee
• CEOs
• Business Executives
• CIOs
• IT Steering Committee
• Technology Council
• IT Architecture Review Board
Why Now? Section 302 vs. Section 404

Who
302: A company's management, with the participation of the principal executive and financial officers (the certifying officers)
404: Corporate management, executives and financial officer (“management” has not been defined by the PCAOB)

What
302:
1. Certifying officers are responsible for establishing and maintaining internal control over financial reporting.
2. Certifying officers have designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under their supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.*
3. Any changes in the company's internal control over financial reporting that have occurred during the most recent fiscal quarter and have materially affected, or are reasonably likely to materially affect, the company's internal control over financial reporting are disclosed.
Note: When the reason for a change in internal control over financial reporting is the correction of a material weakness, management has a responsibility to determine whether the reason for the change and the circumstances surrounding that change are material information necessary to make the disclosure about the change not misleading.
404:
1. A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company
2. A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the company's internal control over financial reporting
3. An assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year, including an explicit statement as to whether that internal control over financial reporting is effective
4. A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting
5. A written conclusion by management about the effectiveness of the company's internal control over financial reporting, included both in its report on internal control over financial reporting and in its representation letter to the auditor. The conclusion about the effectiveness of a company's internal control over financial reporting can take many forms. However, management is required to state a direct conclusion about whether the company's internal control over financial reporting is effective.
6. Management is precluded from concluding that the company's internal control over financial reporting is effective if there are one or more material weaknesses. In addition, management is required to disclose all material weaknesses that exist as of the end of the most recent fiscal year.

When
302: Already in effect as of July 2002
404: Year-ends beginning on or after 15 November 2004**

How Often
302: Quarterly and annual assessment
404: Annual assessment by management and independent auditors

* Annual for foreign private issuers
** Nonaccelerated filers (<US $75 million) can defer to 15 July 2005
The House of Internal Controls
[Diagram: a "house" of control layers]
• Executive Management and Entity-Level Controls
• People and Manual Processes / Controls
• General IT Processes / Controls
• Inherent Controls
• Configurable Controls
• Reporting Controls
• Security Controls
IT Involvement
General Controls:
• Security
• Change Control / Maintenance
• Operations
• Development and Implementation
Summarize Aggregated Deficiencies (in synchronization with the overall Sarbanes effort)
Integrate with the overall Sarbanes effort: companies have process documentation. For the full picture of the process and its controls, automated application controls should be appropriately integrated.
Document and Test Controls - Manual and Automated (in synchronization with the overall Sarbanes effort… where IT is important for the documenting and “initial testing” of automated application controls and general controls)
Implications for IT Professionals
• Develop solid understanding of control theory: general controls and automated application controls
• Develop and incorporate an ongoing risk assessment process into IT management activities
• Develop and implement new controls for new risks identified in the risk assessment process
• Develop and maintain documentation of controls performed within the IS environment
• Continuously assess design of controls in changing IS environments
• Learn how to test the operating effectiveness of controls within the IS environment and conduct annual tests of key controls
• Develop and maintain evidence of tests of controls
IT Must
• Enhance its knowledge of internal control
• Understand the company's Sarbanes-Oxley compliance plan
• Develop a compliance plan to specifically address IT controls
• Integrate this plan into the overall Sarbanes-Oxley compliance plan
• Perform pre-assessment of key IT controls in conjunction with key financial reporting processes
• Allow sufficient time for corrective action
IT and 404
• Understand your environment and processes: What applications/platforms/data centers support processing of significant accounts, significant processes and significant business locations/units defined by the overall Sarbanes team? What are the automated control procedures for those?
• Integrate teams
• Maintain evidence
• Understand how the audit will work in your environment
“The auditor should subject manual controls to more extensive testing than automated controls. In some circumstances, testing a single operation of an automated control may be sufficient to obtain a high level of assurance that the control operated effectively, provided that information technology general controls also are operating effectively. …” PCAOB release 2004-001
Controls Remediation
• Most organizations have a number of control deficiencies
• Deficiencies must be remedied if external audit or management deem them as “significant deficiencies” or “material weaknesses”
  o Any material weakness results in an adverse opinion on internal control!
• Deficiencies need not be remedied if risk is mitigated by other controls, and external audit and management do not deem them as “significant”
IT Controls: A Unique Challenge
• Understanding the organization’s internal control program and financial reporting process
• Mapping IT systems to financial statements
• Identifying risks
• Designing, implementing and monitoring controls
• Documenting and testing IT controls
• Ensuring that IT controls are updated
• Monitoring IT controls
Top 10 Controls Deficiencies
#10 System documentation does not match actual process
#9 Procedures for manual processes do not exist or are not followed
#8 Custom programs, tables & interfaces unsecured
#7 Posting periods not restricted within GL application
#6 Terminated employees or departed consultants still have access
#5 Large number of users with access to “super user” transactions in production
#4 Development staff can run business transactions in production
#3 Database (e.g. Oracle) supporting Financial Applications (e.g. SAP, Oracle, Peoplesoft, JDE) not hardened
#2 Operating system (e.g. Unix) supporting Financial Applications or Portal not hardened
#1 Unidentified or unresolved segregation of duties issues
Implementation Approaches
Process Model Selection Matrix
[Matrix: frameworks positioned by IS/IT Relevance (Low, Moderate, High) against Level of Abstraction (Specific, General, Holistic)]
Frameworks shown: TCO, ITIL, CMM, COBIT, P-CMM, Six Sigma, ISO 9000, National Awards (such as Malcolm Baldrige), Scorecards
Source: Gartner Research, June 2003
COBIT: An IT Governance Framework
COBIT Framework product set:
• Control Objectives
• Control Practices
• Audit Guidelines
• Implementation Guide
• Management Guidelines (performance measures, critical success factors, maturity models)
• Board Briefing
Practices and Responsibilities:
• Executives & Boards
• Business and Technology Management
• Audit, control and security professional
Questions the framework answers:
• What is the IT control framework?
• How to assess the IT control framework?
• How to introduce it in the enterprise?
An open standard at www.isaca.org
Thank You!
Marios Damianides, Partner, Ernst & Young LLP
5 Times Square, New York, NY 10036
Phone: 212 773 5776
E-Mail: [email protected]
ISACA/ITGI International President
3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: [email protected]; [email protected]
Web sites: www.isaca.org; www.itgi.org