IT and Financial Compliance: Closing the Gaps in Sarbanes-Oxley
April 19, 2005
Steve Greenstein / Rudy Kiste
Closing / Explaining the Gaps in Sarbanes-Oxley
About BridgeMark
BDO Seidman, LLP’s BridgeMark practice is dedicated to Risk Consulting and Advisory Services. We leverage our more than 90-year heritage as a CPA firm, entrepreneurial spirit, full service capabilities and extraordinary responsiveness to deliver value to companies throughout our local offices and our global network.
BDO Seidman
• U.S. member firm of BDO International
• $375 million in revenue
• Over 2,100 people in 36 offices plus over 5,000 professionals in 185 alliance firm locations
BDO International
• $2.9 billion in revenue
• 5th largest global accounting firm in the world
• Over 22,600 people in 590 member firm offices in 100 countries
BridgeMark Spectrum of Services
Internal Audit – Financial, Operational and Information Technology
• Risk Assessment
• Internal Audit Transformation
• Strategic Partnering & Staffing
• Vendor, Royalty & Construction Audits
• Fraud/Forensic Investigations
• Establishment of Internal Audit Function
• Information Technology Audit
Technology Risk & Security
• Enterprise Security
• System Controls and Effectiveness
• Business Continuity Planning
• Privacy & Data Protection
• Vulnerability Analysis and Testing
• Technology & Strategy Alignment
• Change Management
Business Process Improvement
• Operational Performance Reviews
• Business Process Integration
• Financial Analysis & Modeling
• System Implementation Support
• Special Accounting Projects
• Project Management Office (PMO)
Compliance Services
• Sarbanes-Oxley Readiness Service
• Corporate Governance Assessment
• Regulatory Risks (PATRIOT, HIPAA, SAS 70, GLB)
• Human Resource Compliance
• Federal and State Regulations
Experienced in executing integrated Non-US SOX Compliance Projects
Reporting Requirements
The Requirements: Key Sections 302, 404 and 409 (Appendix A) and SEC Rulemaking
Management’s Assertion
Frameworks: COSO & COSO ERM, COBIT, Basel II, ISO 17799 and AS/NZS 4360:1999
PCAOB Auditing Standard No. 2
Company’s Assessment Process, Documentation and Testing
COBIT Components
Information Technology Compliance
Today’s Organizations are Concerned About:
• Risk Management
• Governance
• Control
• Assurance (and Consulting)
Importance of IT Compliance and integration:
• Enhances corporate accountability.
• IT plays a vital role in the internal control structure.
• Systems, data and infrastructure components are critical to the financial reporting process.
• Develop a compliance plan that specifically addresses IT controls.
• Integrate the Sarbanes-Oxley compliance plan into the overall IT plan.
BridgeMark Can Add Value By:
• Financial and IT experience in performing integrated off-shore and Non-US SOX Compliance projects.
• Defining risk tolerances where none have been identified, based on experience, judgment, and consultation with management.
• Reviewing critical control systems and risk management processes.
• Performing continuous reviews and evaluation on the effectiveness of management's risk assessments and internal controls.
• Providing advice in the design and improvement of control systems and risk mitigation strategies.
• Implementing a risk-based approach to planning and executing compliance processes to ensure that resources are directed at those areas most important to the organization.
• Challenging the basis of management’s risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies.
Non-US BridgeMark SOX Compliance Projects
Examples of Financial and IT experience of off-shore and foreign location SOX Compliance Projects:
• UK
• Scotland
• Israel
• Thailand
• Japan
• Korea
• Mexico
• Panama
• Brazil
• Argentina
• Dominican Republic
• France
• Germany
• Belgium
• Italy
COSO Components
Monitoring
• Assess control system performance over time
• Ongoing and separate evaluations
• Management and supervisory activities
Control Activities
• Policies that ensure management directives are carried out
• Approvals and authorizations, verifications, evaluations, safeguarding of assets, security and segregation of duties
Control Environment
• Sets “tone at the top”
• Foundation for all other components of control
• Integrity, ethical values, competence, authority, responsibility
Information and Communication
• Relevant information identified, captured and communicated timely
• Access to internal and externally generated information
• Information flow allows for management action
Risk Assessment
• Identify and analyze relevant risks to achieving the entity’s objectives
The COSO ERM Framework
Entity objectives can be viewed in the context of four categories:
ERM considers activities at all levels of the organization:
• Enterprise-level
• Division or subsidiary
• Business unit processes
The eight components of the Framework are interrelated …
Compliance & Information Technology Governance
Building a strong internal control program:
• Enhances overall IT governance
• Enhances the understanding and importance of IT among executives.
• Improves business decisions with high-quality, more timely information.
• Aligns project initiatives with business requirements.
• Prevents loss of intellectual assets.
• Minimizes the possibility of a system breach.
• Gains competitive advantages through more efficient and effective operations and processing integrity.
• Enhances risk management competencies.
• Enhances prioritization of initiatives.
Relationship to Internal Control - Integrated Framework
A strong system of internal control is essential to effective enterprise risk management:
• Expands and elaborates on elements of internal control as set out in COSO’s control framework.
• Includes objective setting as a separate component. Objectives are a prerequisite for internal control.
• Expands the control framework’s “Financial Reporting” and “Risk Assessment.”
Our Approach to SOX Compliance
BridgeMark’s comprehensive approach is designed to help companies meet the requirements under Section 404 of the Sarbanes-Oxley Act.
Engagement Management
Phase I: Organize and Plan Project
Phase II: Corporate-Level Control Assessment
Phase III: Process-Level Control Assessment
Phase IV: Testing, Reporting & Continuous Monitoring
Phase I Deliverables:
Project team organizational chart
Project team roles and responsibility matrix
Preliminary significant accounts and process matrix
Project plan (includes project timeline, responsibilities and milestones)
Phase II Deliverables:
Documentation of general controls over key technology systems
Corporate-level control assessment and recommendations for improvement
Final significant accounts, processes and transaction stream matrix
Updated project plan
Phase III Deliverables:
Process maps for significant processes
Matrix of all key risks and related control points
Assessment of the design of controls and recommendations for improvement
Phase IV Deliverables:
Summary of critical findings
Updated control matrix reflecting procedures performed, results of such procedures and assessment of risks
Documentation of all detailed testing
Key Process Derivation & Financial Statement Coverage
1. Determine Significant Accounts at the Financial Statement Level.
2. Map General Ledger Accounts to Significant Processes.
3. Determine Material Reporting Units (PCAOB Release No. 2003-17).
4. Map Processes and Sub-processes to Material Reporting Units - significant account balances.
Process Rating | Process Narrative  | Risk/Control Matrix | Level of Documentation
Low            | High-level summary | Yes                 | Summary
Medium         | Summary            | Yes                 | Limited
High           | Detailed           | Yes                 | Comprehensive
General and Application Controls
• Designed to ensure financial information generated from the Company’s application systems can be relied upon via:
  • Data Center operations controls
  • Access security controls
  • Application systems development and information infrastructure implementation and maintenance controls
• Support the functioning of application controls to help ensure accurate information processing and the integrity of the resulting information used to manage.
Assessing IT Controls
Understanding IT Controls
Roles and Responsibilities
Based on Risk
Monitoring and Techniques
Assessment
Importance of Controls
IT Audit Structure and Controls
Assess IT Controls
Understanding IT Controls
• Governance, Management, Technical
• General / Application
• Preventative, Detective, Corrective
• Information Security
Importance of IT Controls
• Reliability and Effectiveness
• Competitive Advantage
• Legislation and Regulation
Roles and Responsibilities
• Governance
• Management
• Audit
Based on Risk
• Risk Analysis
• Risk Response
• Baseline Controls
Monitoring and Techniques
• Risk Control Matrices
• Frequency
Assessment
• Methodologies
• Audit Committee Interface
On-Going Compliance / Continuous Monitoring
Effective Governance
Visit us in Booth 21 and Contact Us
Financial / Operations / Sales
Steven Greenstein
Sr. Customer Relationship Director
212.885.8074
Rudy Kiste
Engagement Manager
212.885.8400 x:5261
Information Technology
David Smokler
Director
212.885.8077
Lily Shue
Senior Manager
201.788.2323
Sarbanes-Oxley, Some Key Provisions (Appendix A)
• Sarbanes-Oxley Act of 2002
• Expands reporting requirements and accountabilities – requires CEO and CFO attestations/filing of internal control reports with annual report (Sections 302 & 404).
• External auditors will be required to attest to and report on management’s assessment in the internal controls report (Section 404).
• Disclose to public on a “rapid and current basis” material changes to financial condition or results of operations (Section 409).
• Empowers audit committees (Section 407).
• Requires disclosure regarding code of ethics (Section 406).
• Creates new oversight for external auditors, mandates audit partner rotation and establishes audit firm rotation study (Sections 203 & 303).
• Increases civil and criminal penalties.
General Controls (Appendix B)
• Administration - planning and controlling IT activities
• Logical Security Controls - access control
• Accounting Systems Development - application system development life cycle
• Accounting Systems Change Management - change control and authorization
• Packaged Software Evaluation - maintenance of software packages
• System Software - development and maintenance of infrastructure support software
• Data Center/Network Operations - backup, recovery and contingency planning, job scheduling, performance and monitoring
Application Controls (Appendix C)
• Controls embedded within software programs to prevent or detect unauthorized transactions.
• Controls that ensure the completeness, accuracy and validity of processing transactions.
Examples of application controls:
• Balancing control activity within the system
• Check digits
• Predefined data listings
• Data reasonableness tests
• Logic tests, range limits, etc.
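Worked example of the application controls listed above, added here and not part of the BridgeMark deck: it applies a check-digit test (using the Luhn mod 10 scheme as one illustrative choice), a predefined account listing, a range limit, a reasonableness band and a batch balancing control to a constructed set of journal lines. The GL account list, the limits and the customer IDs are made-up sample values.

```python
from dataclasses import dataclass

VALID_GL_ACCOUNTS = {"1000", "1200", "2000", "4000", "5000"}  # predefined listing (constructed)
AMOUNT_LIMIT = 250_000.00            # range limit: larger single lines are rejected
REASONABLE_BAND = (0.01, 50_000.00)  # reasonableness test: outside = flag for review

@dataclass
class JournalLine:
    customer_id: str   # all digits; the last digit is a Luhn check digit
    gl_account: str
    amount: float

def luhn_valid(number: str) -> bool:
    """Check digit test: True when the trailing digit satisfies Luhn mod 10."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:             # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def line_exceptions(line: JournalLine) -> list[str]:
    """Apply the edit checks to one line; an empty list means it passes."""
    problems = []
    if not luhn_valid(line.customer_id):
        problems.append("check digit failure")
    if line.gl_account not in VALID_GL_ACCOUNTS:
        problems.append("account not in predefined listing")
    if line.amount <= 0 or line.amount > AMOUNT_LIMIT:
        problems.append("amount outside range limit")
    elif not REASONABLE_BAND[0] <= line.amount <= REASONABLE_BAND[1]:
        problems.append("amount fails reasonableness test")
    return problems

def batch_balances(lines: list[JournalLine], control_total: float) -> bool:
    """Balancing control: detail lines must sum to the batch control total."""
    return round(sum(l.amount for l in lines), 2) == round(control_total, 2)

# Constructed batch: one clean line, one bad check digit, one unlisted account.
SAMPLE_BATCH = [JournalLine("79927398713", "1200", 1500.00),
                JournalLine("79927398710", "1200", 1500.00),
                JournalLine("79927398713", "9999", 75_000.00)]

def review_batch(lines: list[JournalLine], control_total: float) -> dict:
    """Exception report for a batch: per-line findings plus the balancing result."""
    report = {i: p for i, l in enumerate(lines) if (p := line_exceptions(l))}
    report["batch_balanced"] = batch_balances(lines, control_total)
    return report
```

Running review_batch(SAMPLE_BATCH, 78_000.00) reports lines 1 and 2 as exceptions while confirming the batch balances, which is the separation an auditor expects between line-level edit checks and the batch control total.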