Copyright © 2005 SOA Software, Inc. All Rights Reserved. Specifications Subject to Change Without Notice.
SOX Compliance in the Age of SOA
with Hugh Taylor
Slide 2
SOA Software – Company Overview
• Headquartered in Santa Monica, California
• Provider of software products and solutions for implementing Web Services Management and Security
• Investors
– Redpoint Ventures, Mellon Ventures, Paladin Capital, Palisades Ventures
• Experienced Team
– Executives/Managers drawn from IBM, Oracle, Intel, HP, US Interactive
– Entrepreneurs with successful exits
Slide 3
SOA Software Representative Customers
A Reynolds and Reynolds Company
Slide 4
Partners and Alliances
Slide 5
About Me
• VP Marketing at SOA Software
• MBA
• Industries worked in:
– Enterprise Software
– Website development
– Printing
– Entertainment
• Author of 3 books:
– Understanding Enterprise SOA (with Eric Pulier)
– The Joy of SOX
– Hollywood Job Hunter’s Survival Guide
• Why I am telling you this:
– I know that business sometimes operates differently in reality than it does on paper
Slide 6
Session Preview
1. Why SOX is a critical, stressful and complex issue for IT professionals today
2. SOA’s impact on SOX
3. Example of SOX 404 Internal Controls being disrupted by SOA
4. Approaches to a solution
5. SOA Software and SOX
Slide 7
1. Why SOX is a critical, stressful and complex issue for IT professionals today
• A massive, costly hassle and disruption for CIOs
• A huge expense (estimated at 10%-15% of IT budgets for 2006 – Gartner)
– Viacom conducted 19,600 tests of internal controls in 2004
– Time Warner spent 350,000 person-hours on financial and IT controls in 2004
– Dow Chemical tested 30,000 internal controls
– These efforts are not projected to decrease in 2006 and beyond (Computerworld data)
• “Imagine Y2K every year” – SearchCIO.com
• “SOX affects IT more than any other department except finance. Sixty-five percent of the attendees at the session said that SOX is having a major impact on them, and 40% said that SOX was a ‘bet your job’ project that would put their jobs on the line every year.” – SearchCIO.com
• “It's rare to have something literally fall from the sky that stops all of the projects that we had on the table from an IT perspective.” – Bobby Russell, IT Manager, First American CIG
Slide 8
What is SOX, anyway?
• Sarbanes-Oxley Section 404, the major headache for CIOs, says:
…each annual report [required by the Securities Exchange Act of 1934] contain an internal control report, which shall--
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
• Translated into English, this means that CIOs are now responsible for the IT aspects of internal controls, including:
– Segregation of roles in accounting, as enforced by IT systems
– Correlation of data across systems for exception monitoring and account reconciliation
– Security of data and IT processes
– COBIT, the IT governance framework used to map IT controls onto COSO (the financial auditor’s internal control framework)
Slide 9
Internal controls
• Section 404 of Sarbanes-Oxley requires that management attest to the existence and effectiveness of internal controls. A public company’s auditor will also audit the internal controls and disclose any deficiencies (bad for the share price).
• Internal Control: a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with applicable laws and regulations
• Attainment of each internal control objective is reliant on properly functioning IT.
– Internal controls involve integration of ERP, financial systems, CRM, and more
– Internal controls rely on security of systems and control over provisioning
– IT is required to enforce segregation of roles, a key component of internal controls
Slide 10
Preventive and Detective Internal Controls
• There are two types of internal controls:
– Preventive – internal controls designed to stop fraud and errors before a transaction completes, e.g. a lock on a cash register.
– Detective – internal controls designed to detect fraud or errors after a transaction has been completed, e.g. a cash register tape.
• Q: What does this have to do with IT?
• A: Today, many preventive controls are digital (for example, passwords and user role settings that prohibit unauthorized access to financially relevant systems). Many detective controls, such as audit logs or exception monitoring software packages, are IT-based. In other cases, both types of controls rely on an interplay between manual and IT controls.
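The preventive/detective split above maps directly onto code. The following Go program is an added example written for this page; it is not SOA Software’s product and not code from the original deck, and the users, roles, order IDs and audit lines are all constructed. Approve is a preventive control: it refuses an approval by a user without the approver role, or by the order’s own creator (segregation of duties). DetectSoDViolations is the matching detective control: it replays the audit trail after the fact and flags self-approvals that reached the ledger by a path the preventive check never saw, such as a direct database edit or a batch import.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed role directory standing in for the identity and access
// management system. Users, roles and order IDs are hypothetical.
var roles = map[string][]string{
	"alice": {"po.create"},
	"bob":   {"po.approve"},
	"carol": {"po.create", "po.approve"},
}

func hasRole(user, role string) bool {
	for _, r := range roles[user] {
		if r == role {
			return true
		}
	}
	return false
}

// PurchaseOrder is a financially relevant record: once approved it feeds
// the general ledger, so who created and who approved it is audit evidence.
type PurchaseOrder struct {
	ID         string
	CreatedBy  string
	ApprovedBy string
	Amount     int
}

var (
	ErrNotAuthorized = errors.New("approver lacks the po.approve role")
	ErrSoD           = errors.New("segregation of duties: creator may not approve own order")
)

// Approve is the preventive control. It refuses the transaction before it
// takes effect if the approver lacks the role or is the same person who
// raised the order (the digital equivalent of the lock on the register).
func Approve(po *PurchaseOrder, approver string) error {
	if !hasRole(approver, "po.approve") {
		return ErrNotAuthorized
	}
	if approver == po.CreatedBy {
		return ErrSoD
	}
	po.ApprovedBy = approver
	return nil
}

// AuditEntry is one line of the purchasing system's audit trail, the
// detective control's input (the digital equivalent of the register tape).
type AuditEntry struct {
	POID, Action, User string
}

// DetectSoDViolations is the detective control. It re-examines completed
// transactions and reports every order approved by its own creator. It
// catches what Approve never saw: approvals written through a direct
// database edit, a batch import, or an integration path that bypassed it.
func DetectSoDViolations(trail []AuditEntry) []string {
	creators := map[string]string{}
	var violations []string
	for _, e := range trail {
		switch e.Action {
		case "create":
			creators[e.POID] = e.User
		case "approve":
			if creators[e.POID] == e.User {
				violations = append(violations, e.POID)
			}
		}
	}
	return violations
}

// SampleTrail is constructed audit data. PO-1002 was created and approved
// by the same user; Approve would have refused that, so it arrived by
// some other path and the detective control must surface it.
var SampleTrail = []AuditEntry{
	{"PO-1001", "create", "alice"},
	{"PO-1001", "approve", "bob"},
	{"PO-1002", "create", "carol"},
	{"PO-1002", "approve", "carol"},
	{"PO-1003", "create", "alice"},
	{"PO-1003", "approve", "carol"},
}

func main() {
	po := &PurchaseOrder{ID: "PO-2001", CreatedBy: "alice", Amount: 4200}
	fmt.Println("bob approves alice's order:", Approve(po, "bob"))
	fmt.Println("alice approves (no role):", Approve(po, "alice"))
	self := &PurchaseOrder{ID: "PO-2002", CreatedBy: "carol", Amount: 900}
	fmt.Println("carol approves own order:", Approve(self, "carol"))
	fmt.Println("detective control flags:", DetectSoDViolations(SampleTrail))
}
```

The two controls are deliberately independent: the detective scan reads only the trail, not the in-memory state of Approve, because its job is to catch whatever the preventive control did not mediate. An auditor testing this control would expect both halves, and evidence that the trail itself cannot be edited by the users it covers.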
Slide 11
Example of internal control
For example, a company might have an internal control that aims to provide assurance that cost of goods expense is stated accurately in the period in which it occurred.
Q: Why does this matter to the SOX 404 auditor?
A: If the company cannot reliably report its expenses accurately in the period, then its financial statements may not be accurate. It might over-report earnings. SOX is concerned with reliability of financial reporting.
Q: What does this have to do with IT?
A: A lot… accurate reporting of vendor expenses relies on proper governance of the systems involved in procurement
Slide 12
The COSO framework
• The COSO internal controls framework (recognized by the Public Company Accounting Oversight Board as a suitable framework for Sarbanes-Oxley 404 assessments) breaks internal controls down into sets of Control Objectives, Risks, and Control Procedures.
• In the procurement example, the Objective/Risk/Procedure set might look like this:
Control Objective: The company needs to be reasonably sure that its sourcing costs are booked into the correct accounting period.
Risk: The company faces a risk of material misstatement of financial results if sourcing costs are not booked in the correct period, for instance if there are improper cut-offs of purchase records at the end of the period.
Control Procedure: To have an effective internal control for assuring that sourcing costs are booked into the correct period, the company needs to establish proper cut-off procedures at the end of the month for all purchase orders.
• So What? Realizing the Control Procedure to mitigate the Risk and attain the Control Objective is heavily reliant on IT governance
Slide 13
Different Perspectives Make the Issue More Complex
• Auditors and CPAs – see SOX as a technical auditing issue relating to controls
– Think in terms of PCAOB rules and COSO
• Lawyers – see SOX as a matter of risk and liability related to governance
– Think in terms of caselaw precedents, such as HealthSouth, and legislative agendas
• Executives – see SOX as a stock price issue, a personal threat (i.e. go to jail) and a cost to be controlled
– Think in terms of dollars
• Developers – see SOX as a set of hoops to jump through in making applications “SOX compliant”
– May not think about it much
• Infrastructure staff and executives – see SOX as a set of hoops to jump through in making servers and networks “SOX compliant”
– May think about it in terms of COBIT, ITIL, etc.
• Security staff and executives – see SOX as another set of security type policies to be defined, enforced, and measured
– May think about it in terms of COBIT, ITIL, etc.
Slide 14
2. SOA’s Impact on SOX
• First, let’s distinguish what counts with SOA and SOX
• SOA does not have a big impact on:
– IT General Controls relating to the perimeter
– IT General Controls related to infrastructure and hardware/OS/network application change management
– Compliance in the general sense
• SOA has the potential to affect:
– Application Controls that support Internal Controls over Financial Reporting
– Section 802 of SOX (document retention and integrity)
Slide 15
SOA’s Impact on SOX
• Openness
• Machine to machine security
• Segregation of roles
• Lack of perimeter
Slide 16
3. Example of SOX disrupted by SOA
• Distribution business
• Architecture:
– Integration between General Ledger, warehouse, and customer portal
– Web access to customer portal
– Multiple platforms, tightly coupled but secure
Slide 17
Business Processes Involved
[Process diagram, swim lanes for Customer and Company]
Customer places order → Company checks customer credit → Approve?
– No: Notify bad credit → Customer fixes credit problem, resubmits order
– Yes: Write up order → In stock?
– No: Notify of stock-out
– Yes: Receive order → Ship
Slide 18
Example: BPM in Conventional IT Architecture
[Same order-to-ship process diagram as Slide 17]
Slide 19
Internal Control in the Example
Control Objective: Accurately record invoices from all authorized shipments.
Risk: Missing documents or incorrect information.
Control Practice: Invoiced amounts are properly recorded as to account, amount and period.
[Same order-to-ship process diagram as Slide 17]
Slide 20
What Can Go Wrong
• Fraud – Employees selling goods for cash “out the back door”
• Fraud – “Channel Stuffing”
• Errors – inaccurate revenue numbers can result in material misstatements of financial results
Slide 21
Same Process, Now With SOA
• Architecture:
– Web services connect all internal applications
– Web portal replaced by B2B hub for customers
Slide 22
Compliance Problems in a Poorly Governed SOA
Allowing programmatic access to separate firms creates a potential security and compliance problem.
Interdependencies between separate Web services can create a compliance problem, e.g. for internal controls related to:
– Revenue recognition
– Segregation of roles
– Inventory asset valuation
Slide 23
Increased Control Risk in a Poorly Governed SOA
• Openness
• Machine to machine security
• No perimeter
• Segregation of Roles

Control risk with SOA (the Slide 19 control, with the added SOA risk under each column):
Control Objective: Accurately record invoices from all authorized shipments.
– SOA risk: Risk of unauthorized purchases from users who are not authenticated or authorized. Also, lack of non-repudiation.
Risk: Missing documents or incorrect information.
– SOA risk: Potential for accidental or malicious modification of documents.
Control Practice: Invoiced amounts are properly recorded as to account, amount and period.
– SOA risk: If the interfaces between the applications that connect to the General Ledger are not well managed or secure, the auditor may find the control deficient.
Slide 24
This is no joke…
• Non-compliance penalties under SOX include:
– Fines
– SEC investigations
– Imprisonment for CEO or CFO
– De-listing from stock exchange
• Raise your hand if you want this to be your fault
Slide 25
4. Approaches to a Solution
• To stay SOX compliant but proceed with SOA (and its business advantages) you need:
– To be able to secure Web services effectively
– Map individual users of Web services to machine-based Web service consumers
– Service Levels
– Implement well-governed SOA Infrastructure
• Authentication
• Authorization
• Map to identity and access management systems that drive segregation of role definitions
• Provisioning of Web services
• Flexible management of Web services
• Dynamic binding of Web services to consumers
– Audit Trail
– Documented, auditable SDLC for SOA components
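An added example (not SOA Software’s product code, and not from the original deck) of the policy enforcement point that the list above calls for. It authenticates a machine consumer by an Ed25519 signature over the request, maps that consumer to the human user it is acting for, authorizes the operation against a role store, and writes every decision to an audit trail with the signature kept verbatim, which is what gives the trail its non-repudiation property. The consumer name b2b-hub, the users, the operations and the fixed key seeds are all constructed for the demonstration; real consumers would enroll keys through the gateway’s PKI rather than derive them from a constant.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Request is what a machine consumer (a hypothetical B2B hub) sends to the
// order service. OnBehalfOf is the human whose authority the machine
// exercises; the consumer signs the canonical form of all four fields.
type Request struct {
	ConsumerID, OnBehalfOf, Operation, Body string
	Signature                                []byte
}

func (r Request) canonical() []byte {
	return []byte(r.ConsumerID + "\n" + r.OnBehalfOf + "\n" + r.Operation + "\n" + r.Body)
}

// Sign is the consumer's side of the exchange.
func Sign(priv ed25519.PrivateKey, r Request) Request {
	r.Signature = ed25519.Sign(priv, r.canonical())
	return r
}

// AuditRecord keeps the signature verbatim: only the holder of the
// consumer's private key could have produced it. An HMAC shared with the
// gateway would not give this, because the gateway itself could forge it.
type AuditRecord struct {
	ConsumerID, OnBehalfOf, Operation, BodyHash, Signature, Outcome string
}

// PEP is the policy enforcement point in front of the service.
type PEP struct {
	ConsumerKeys map[string]ed25519.PublicKey // trusted machine identities
	Bindings     map[string]map[string]bool   // consumer -> users it may act for
	Permissions  map[string]map[string]bool   // user -> allowed operations (from IAM)
	AuditTrail   []AuditRecord
}

var (
	ErrUnknownConsumer = errors.New("unknown consumer")
	ErrBadSignature    = errors.New("signature does not verify")
	ErrUnboundUser     = errors.New("consumer may not act for this user")
	ErrForbidden       = errors.New("user not authorized for operation")
)

func (p *PEP) check(r Request) error {
	pub, ok := p.ConsumerKeys[r.ConsumerID]
	if !ok {
		return ErrUnknownConsumer
	}
	if !ed25519.Verify(pub, r.canonical(), r.Signature) {
		return ErrBadSignature // any change to a signed field lands here
	}
	if !p.Bindings[r.ConsumerID][r.OnBehalfOf] {
		return ErrUnboundUser
	}
	if !p.Permissions[r.OnBehalfOf][r.Operation] {
		return ErrForbidden
	}
	return nil
}

// Enforce authenticates the machine, maps it to a user, authorizes the
// operation and records the decision, allowed or denied, in the trail.
func (p *PEP) Enforce(r Request) error {
	err := p.check(r)
	outcome := "allowed"
	if err != nil {
		outcome = "denied: " + err.Error()
	}
	sum := sha256.Sum256([]byte(r.Body))
	p.AuditTrail = append(p.AuditTrail, AuditRecord{
		ConsumerID: r.ConsumerID, OnBehalfOf: r.OnBehalfOf, Operation: r.Operation,
		BodyHash: hex.EncodeToString(sum[:]), Signature: hex.EncodeToString(r.Signature),
		Outcome: outcome,
	})
	return err
}

// DemoKey derives a key pair from a constant seed so the example runs
// offline; this is a demonstration shortcut, not a provisioning method.
func DemoKey(seedByte byte) ed25519.PrivateKey {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = seedByte
	}
	return ed25519.NewKeyFromSeed(seed)
}

// NewDemoPEP trusts one consumer, b2b-hub, allowed to act for alice (who
// may create orders) and bob (who may approve them). All constructed.
func NewDemoPEP() (*PEP, ed25519.PrivateKey) {
	hub := DemoKey(1)
	return &PEP{
		ConsumerKeys: map[string]ed25519.PublicKey{"b2b-hub": hub.Public().(ed25519.PublicKey)},
		Bindings:     map[string]map[string]bool{"b2b-hub": {"alice": true, "bob": true}},
		Permissions:  map[string]map[string]bool{"alice": {"order.create": true}, "bob": {"order.approve": true}},
	}, hub
}

func main() {
	pep, hubKey := NewDemoPEP()
	r := Sign(hubKey, Request{ConsumerID: "b2b-hub", OnBehalfOf: "alice", Operation: "order.create", Body: `{"sku":"X1","qty":10}`})
	fmt.Println("valid request:", pep.Enforce(r))
	tampered := r
	tampered.Body = `{"sku":"X1","qty":1000}` // modified after signing
	fmt.Println("tampered request:", pep.Enforce(tampered))
	for _, a := range pep.AuditTrail {
		fmt.Println(a.ConsumerID, a.OnBehalfOf, a.Operation, a.Outcome)
	}
}
```

Two things a practitioner should note. First, the order of checks matters for the audit trail: the consumer identity is established before any user mapping is consulted, so a denied record always names a verified machine or says plainly that it was unknown. Second, the signed form here carries no timestamp or nonce, so an intercepted valid request could be replayed against the service; a production gateway must add one and reject duplicates, or the non-repudiation evidence proves only that the consumer signed the request once, not that it sent it this time.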
Slide 26
5. SOA Software and SOX
Slide 27
SOA Software Service Manager in SOX compliance
• Policy enforcement points
• Integration with Tivoli, eTrust, and LDAP
• Dynamic binding of service end points to consumers
• Mainframe Web services
• Continuous monitoring
• Non-repudiation
• Signatures and keys
Slide 28
Book Drawing
Slide 29
Parting Shot
• Question: Can you really have compliance without SOA?
– If you want to use proprietary technologies to achieve segregation of roles, data correlation for exception monitoring, and a COBIT-mature cycle of BPM/development/deployment and revision…
– YOU WILL BE PARALYZED
• This is the “SOX Paradox”
• Let us help you find a solution
Slide 30
Thank you!
• Email me if you want these slides and the whitepaper Managing SOX in the Age of SOA
• 310-570-4130
• Visit www.soa.com