
A Sarbanes-Oxley Roadmap to Business Continuity



Transcription of A Sarbanes-Oxley Roadmap to Business Continuity

Control Solutions International, Technology Advisory, Assurance & Risk Management Group
NEDRIX Conference, June 23, 2004
Dr. Eric Schmidt

Background

- In July of 2002, the U.S. Congress passed the Sarbanes-Oxley Act (SOX), mandating that all public companies (SEC registrants) make changes to the way their financial results are reported.
- The legislation was a response to the high-profile failures experienced in the United States during 2001-02 and was intended as a massive restructuring of the regulatory system governing US capital markets that would improve the quality of financial reporting and disclosures.
- The Public Company Accounting Oversight Board (PCAOB) was created to oversee the activities of the auditing profession.
- The Sarbanes-Oxley Act contains two Sections (302, 404) dealing with management responsibility for controls and one Section (409) on real-time reporting.

[Diagram: Financial Statements (Notes, Cash Flow, Income Statement, Balance Sheet) feed the Internal Controls and Procedures for Financial Reporting covered by Section 404; Disclosure Controls and Procedures (Financial Statements, Business, Properties, Legal Proceedings) are covered by Section 302; both are reported in the Annual Report on Form 10-K.]

Three Sources of SOX Guidelines

- Frameworks: CobiT, COSO
- Best Practices
- Future Standards

Departments Impacted by SOX

[Chart, source: The Robert Francis Group. Survey question: "Which of the following is the company changing to address SOX?" Percentage of respondents by area, including audit procedures.]

Complexity of SOX for IT

[Chart, source: The Robert Francis Group. Survey question: "How does SOX compare with other compliance or regulatory projects in IT in terms of complexity and impact on resources and expense?" Responses include "Not sure / Do not know"; 48+% rated the SOX impact as higher.]

Does SOX Mandate an Enterprise-wide Business Continuity Process?

- NO
- A BCP is not required by the PCAOB (March 2004)
- SAS 70 (Type 2): 3rd-party service providers
- The AICPA suspended the BCP requirement during SOX
- A growing number of executives are influenced by external auditors with knowledge of Business Continuity and its potential risks
- They conclude they must have Business Continuity processes or show why they do not

Defining Internal Control (IC)

- Section 404 attestation is based on two assessments:
  - Adequate documentation of ICs
  - Sufficient evidence (testing)
- A company must have a framework against which management can make assertions:
  - Completeness
  - Accuracy
  - Validation (authorization)
  - Restriction

What's Required for Key Controls: The Five W's

- WHO performs the control?
- WHAT is being done, and WHAT could go wrong?
- WHEN and WHERE is the control being performed or occurring?
- WHY is the control activity performed: to prevent or detect what?
- What evidence is there?

Why are General Controls Important?

[Diagram: Weak General Computer Controls versus Strong General Computer Controls.]

Automated control procedures, and manual control procedures that use computer-generated information, are dependent on the effectiveness of general computer controls.

COSO Framework: Five Components

- Control Environment: the control conscience of an organization; the tone at the top
- Risk Assessment: the evaluation of internal and external factors that impact an organization's performance
- Control Activities: the policies and procedures that help ensure that actions identified to manage risk are executed and timely
- Information and Communication: the process which ensures that relevant information is identified and communicated in a timely manner
- Monitoring: the process to determine whether internal control is adequately designed, executed, effective and adaptive

All five components must be in place for a control to be effective.

Tying It All Together

[Diagram, source: IT Governance Institute. Control Environment sits over Executive Management; Application Controls sit over the Business Processes (Finance, Manufacturing, Logistics, ...); IT General Controls sit over IT Services (OS, Data, Telecom, Continuity, Networks).]

IT Control Components

- IT considerations in the Control Environment: systems planning, governance, enterprise policies, operating style
- IT General Controls: systems security / access, change management, system development, computer operations
- Application Controls: authorization, configuration / account mapping, exception / edit reports, interface / conversion, system access
- Collaboration, information sharing, code of conduct, fraud prevention

Roadmap to Compliance: Engagement Walk-Thru

- Tone at the Top
- Assertions (C, A, V, R)
- Definition of Materiality / Significance
- Significant Accounts and Processes
- Scope: locations, cycles
- Control framework
- Remediation
- Testing
- Management certification

Roadmap to Compliance, Phase I: Tone at the Top

- Identify all relevant documents, policies, procedures and communications:
  - Audit Committee Charter
  - Standards of Conduct
  - Officer Code of Ethics
  - Complaint Reporting Mechanisms
  - Whistleblower Policies
- Assess the adequacy of documentation and tone
- Internal audit monitoring and risk assessment

Roadmap to Compliance, Phase II: Entity Level Assessment

- Identify material reporting organizations
- Identify material units within each organization
- Materiality based on:
  - Revenue / Assets
  - Subjectivity of entries / reporting
  - Extraordinary / one-time charges
  - History of issues

[Diagram: example legal-entity map. Corporate, with regions Americas, Europe and Rest of World; distribution and manufacturing sites including South Carolina, Erfurt, China, Milan, Budapest, Copenhagen, Mexico, Thailand, India, Prague, Marseilles, Japan, Australia, San Diego, Sao Paolo and Chicago.]

Roadmap to Compliance, Phase III: Process Mapping

- Cycle reviews begin with the cycles selected on the basis of the legal entity assessment in Phase II.
- Documentation of each cycle:
  - Narrative of key controls
  - Process Map (flow chart)
  - Control Matrix including all control objectives (Excel or software tool)
- The documents aim to provide external audit firms with a complete understanding of the flow of transactions and controls in ...

[Figure: example process map of a personnel / payroll cycle. Steps include Personnel Requisition Form, candidate interviewed, Prepare Offer Letter, Accept Offer, Department Approval, Create Employee Action Form (EAF), Input in ADP PR System, Annual Increases (verify increases within $ pool, properly authorized, included with annual review and approved), other P/R changes, Review by HR, Director of HR approval, and Termination (Voluntary? Proper notice given? Accrued benefits paid / not paid; provide benefits summary to employee), with control points 02, 03, 04 and 05 marked.]

Roadmap to Compliance, Phase IV: Overall Internal Control Effectiveness

- Evaluation of the overall effectiveness of internal controls, identification of matters for improvement and the establishment of monitoring systems.
- Management assessment of effectiveness of ...
- Audit provides a report detailing areas for improvement and recommendations for ensuring an environment of continuous monitoring to maintain the system of internal control and take corrective action in a timely manner when ...
- The Audit Firm will commence its Attestation Dry Run.

Compliance Roadmap: Alignment with Business Continuity

- Management involvement
- Risk Management
- Process and Change Management
- IT role

Key Aspects of a SOX Audit

- Segregation of Duties is key
  - IT roles separate from process owners, specifically those in Finance
  - Hand-off from process owners requires control duality:
    - Program- and application-specific
    - IT and process owner
    - Manual and automated
    - Preventative and detective
- Change Management is critical
  - Records and document management
  - Configuration management
  - Business process and controls changes
- Access Restriction (Security) is mandated

Program Development

Project management standards are defined and used for all aspects of the system development life cycle (SDLC):

- Project initiation
- Analysis and design
- Construction or package selection
- Testing and quality assurance
- Data conversion
- Go-live
- Documentation and training

Program Changes

Project management standards are defined and used for all aspects of the program change cycle:

- Specification, approval and tracking of change requests
- Construction
- Testing and quality assurance
- Authorization of transfers to the live environment, including emergency fixes and access to the live environment
- Documentation and training

Where Companies Stand

[Chart: percentage complete by activity. Activities: Situational Assessment, Remediation, Testing of operating effectiveness, Evaluation of design effectiveness, Documentation; values shown: 21%, 21%, 47%, 75%.]

A recent Deloitte survey of Fortune 500 companies indicates that a significant amount of work remains. Source: "Does Your SOX 404 Work Measure Up?", IIA webcast, May 25, 2004.

What Constitutes a Gap?

Type                    | Likelihood        | Magnitude
------------------------|-------------------|------------------------------------------------------
Deficiency              | Remote            | and/or Inconsequential
Significant Deficiency  | More than remote  | and More than inconsequential, or Quantitatively significant
Material Weakness       | More than remote  | and Material to the Financial Statements

Source: "Does Your SOX 404 Work Measure Up?", IIA webcast, May 25, 2004.

A Word on Testing

- Benchmark Testing: slowly changing systems, COTS
- Infrastructure Testing: shared services and support systems; OS, networks, backup, ...
- ... Testing: functional and transaction-based, for systems key to financial statements and reporting, plus critical systems
- Program Testing: IT management and interaction with process owners and stakeholders
- Plan carefully to avoid mixed results caused by tests that are not well designed

Remediation Challenges

- Effective decision and governance process
- Complex program management initiatives
- Significant IT environment changes
- Impact on human resources
- Complex re-testing and roll-forward testing activities
- Overall need for best practices

Span of Enterprise Risk Management

[Diagram: Compliance (Patriot Act, HIPAA, government regulations, Basel II, FFIEC, GLBA, NRC) and Sarbanes-Oxley (Sections 302 / 404 quarterly certification by C-level management, control documentation and testing, SOX compliance requirements, control assurance, Section 409 real-time reporting) feed overall compliance and integrated solutions alongside Operational Risk Management (ERM), credit risk, operational risk and market risk.]

Risk Management & Business Continuity

- The disciplines of Business Continuity and risk management are often blurred.
- They use similar tools and techniques, including risk assessment, Business Continuity planning, and BIAs.
- Business Continuity encompasses all processes necessary to restore business functionality during a time of crisis.
- Risk management incorporates a wider variety of functions, including positive impact, negative impact, and business non-stoppage.
- The inherent value of Business Continuity is clearer when we consider that not all risks can be managed.
- Unless risk management and Business Continuity are institutionalized into day-to-day activities, organizations will find themselves exposed.

Questions?
