SOX Compliance in the Age of SOA

with Hugh Taylor

Copyright © 2005 SOA Software, Inc. All Rights Reserved. Specifications Subject to Change Without Notice.


SOA Software – Company Overview

• Headquartered in Santa Monica, California
• Provider of software products and solutions for implementing Web Services Management and Security
• Investors
  – Redpoint Ventures, Mellon Ventures, Paladin Capital, Palisades Ventures
• Experienced Team
  – Executives/Managers drawn from: IBM, Oracle, Intel, HP, US Interactive
  – Entrepreneurs with successful exits


SOA Software Representative Customers

A Reynolds and Reynolds Company


Partners and Alliances


About Me

• VP Marketing at SOA Software
• MBA
• Industries worked in:
  – Enterprise Software
  – Website development
  – Printing
  – Entertainment
• Author of 3 books:
  – Understanding Enterprise SOA (with Eric Pulier)
  – The Joy of SOX
  – Hollywood Job Hunter’s Survival Guide
• Why I am telling you this:
  – I know that business sometimes operates differently in reality than it does on paper


Session Preview

1. Why SOX is a critical, stressful and complex issue for IT professionals today
2. SOA’s impact on SOX
3. Example of SOX 404 Internal Controls being disrupted by SOA
4. Approaches to a solution
5. SOA Software and SOX


1. Why SOX is a critical, stressful and complex issue for IT professionals today

• A massive, costly hassle and disruption for CIOs
• A huge expense (estimated at 10%-15% of IT budgets for 2006 – Gartner)
  – Viacom conducted 19,600 tests of internal controls in 2004
  – Time Warner spent 350,000 person-hours on financial and IT controls in 2004
  – Dow Chemical tested 30,000 internal controls
  – These efforts are not projected to decrease in 2006 and beyond (Computerworld data)
• “Imagine Y2K every year” – SearchCIO.com
• “SOX affects IT more than any other department except finance. Sixty-five percent of the attendees at the session said that SOX is having a major impact on them, and 40% said that SOX was a ‘bet your job’ project that would put their jobs on the line every year.” – SearchCIO.com
• “It's rare to have something literally fall from the sky that stops all of the projects that we had on the table from an IT perspective.” – Bobby Russell, IT Manager, First American CIG


What is SOX, anyway?

• Sarbanes-Oxley Section 404, the major headache for CIOs, says:

  …each annual report [required by the Securities Exchange Act of 1934] contain an internal control report, which shall--(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

• Translated into English, this means that CIOs are now responsible for the IT aspects of Internal Controls, including:
  – Segregation of roles in accounting, as enforced by IT systems
  – Correlation of data across systems for exception monitoring and account reconciliation
  – Security of data and IT processes
  – COBIT, the IT governance and control framework commonly used to cover the IT side of COSO (the financial auditor’s internal control framework)


Internal controls

• Section 404 of Sarbanes-Oxley requires that management attest to the existence and effectiveness of internal controls. A public company’s auditor will also audit the internal controls and disclose any deficiencies (bad for share price).
• Internal Control: a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  – Effectiveness and efficiency of operations
  – Reliability of financial reporting
  – Compliance with applicable laws and regulations
• Attainment of each internal control objective is reliant on properly functioning IT.
  – Internal controls involve integration of ERP, financial systems, CRM, and more
  – Internal controls rely on security of systems and control over provisioning
  – IT is required to enforce segregation of roles, a key component of internal controls


Preventive and Detective Internal Controls

• There are two types of internal controls:
  – Preventive – Internal Controls designed to prevent fraud and errors, e.g. a lock on a cash register.
  – Detective – Internal Controls designed to detect fraud or errors after a transaction has been completed, e.g. a cash register tape.
• Q: What does this have to do with IT?
• A: Today, many preventive controls are digital (for example, passwords and user role settings that prohibit unauthorized access to financially relevant systems). Many detective controls, such as audit logs or exception monitoring software packages, are IT-based. In other cases, both types of controls rely on an interplay between manual and IT controls.


Example of internal control

For example, a company might have an internal control that aims to provide assurance that cost of goods expense is stated accurately in the period in which it occurred.

Q: Why does this matter to the SOX 404 auditor?

A: If the company cannot reliably report its expenses accurately in the period, then its financial statements may not be accurate. It might over-report earnings. SOX is concerned with reliability of financial reporting.

Q: What does this have to do with IT?

A: A lot… accurate reporting of vendor expenses relies on proper governance of the systems involved in procurement


The COSO framework

• The COSO internal controls framework (the framework the Public Company Accounting Oversight Board points to for Sarbanes-Oxley) breaks internal controls down into pairings of Control Objectives, Risks, and Control Procedures.

• In the procurement example, the Objective/Risk/Procedure pairing might look like this:

  Control Objective: Company needs to be reasonably sure that its sourcing costs are booked into the correct accounting period.

  Risk: Company faces a risk of material misstatement of financial results if sourcing costs are not booked in the correct period. The company has risk if there are improper cut-offs of purchase records at the end of the period.

  Control Procedure: To have an effective internal control for assuring that sourcing costs are booked into the correct period, the company needs to establish proper cut-off procedures at the end of the month for all purchase orders.

• So what? Realizing the Control Procedure to mitigate the Risk and attain the Control Objective is heavily reliant on IT governance.


Different Perspectives Make the Issue More Complex

• Auditors and CPAs – see SOX as a technical auditing issue relating to controls
  – Think in terms of PCAOB rules and COSO
• Lawyers – see SOX as a matter of risk and liability related to governance
  – Think in terms of case-law precedents, such as HealthSouth, and legislative agendas
• Executives – see SOX as a stock price issue, a personal threat (i.e. go to jail) and a cost to be controlled
  – Think in terms of dollars
• Developers – see SOX as a set of hoops to jump through in making applications “SOX compliant”
  – May not think about it much
• Infrastructure staff and executives – see SOX as a set of hoops to jump through in making servers and networks “SOX compliant”
  – May think about it in terms of COBIT, ITIL, etc.
• Security staff and executives – see SOX as another set of security-type policies to be defined, enforced, and measured
  – May think about it in terms of COBIT, ITIL, etc.


2. SOA’s Impact on SOX

• First, let’s distinguish what counts with SOA and SOX
• SOA does not have a big impact on:
  – IT General Controls relating to the perimeter
  – IT General Controls related to infrastructure and hardware/OS/network application change management
  – Compliance in the general sense
• SOA has the potential to affect:
  – Application Controls that support Internal Controls over Financial Reporting
  – Section 802 of SOX (document retention and integrity)


SOA’s Impact on SOX

• Openness
• Machine to machine security
• Segregation of roles
• Lack of perimeter


3. Example of SOX disrupted by SOA

• Distribution business

• Architecture:
  – Integration between General Ledger, warehouse, and customer portal
  – Web access to customer portal
  – Multiple platforms, tightly coupled but secure


Business Processes Involved

[Flowchart, swimlanes Customer and Company: Customer places order → Check customer credit → Approve? → (no) Notify bad credit → Fix credit problem, resubmit order; (yes) Write up order → In stock? → (no) Notify of stock-out; (yes) Ship → Receive order.]


Example: BPM in Conventional IT Architecture

[Same order-to-ship flowchart as on the previous slide.]


Internal Control in the Example

Control Objective: Accurately record invoices from all authorized shipments.

Risk: Missing documents or incorrect information.

Control Practice: Invoiced amounts are properly recorded as to account, amount and period.

[Same order-to-ship flowchart as on the previous slides.]


What Can Go Wrong

• Fraud – Employees selling goods for cash “out the back door”

• Fraud – “Channel Stuffing”

• Errors – inaccurate revenue numbers can result in material misstatements of financial results


Same Process, Now With SOA

• Architecture:
  – Web services connect all internal applications
  – Web portal replaced by B2B hub for customers


Compliance Problems in a Poorly Governed SOA

Allowing programmatic access to separate firms creates a potential security and compliance problem.

Interdependencies between separate Web Services can create a compliance problem, e.g. internal controls related to:
  – Revenue recognition
  – Segregation of roles
  – Inventory asset valuation


Increased Control Risk in a Poorly Governed SOA

• Openness
• Machine to machine security
• No perimeter
• Segregation of Roles

Control risk with SOA: if the interfaces between the applications that connect to the General Ledger are not well-managed or secure, the auditor may find the control deficient.

Control Objective: Accurately record invoices from all authorized shipments.

Risk: Missing documents or incorrect information.

Control Practice: Invoiced amounts are properly recorded as to account, amount and period.

Additional risks introduced by a poorly governed SOA (callouts on the slide):
  – Risk of unauthorized purchases from users who are not authenticated or authorized; also, lack of non-repudiation.
  – Potential for accidental or malicious modification of documents.


This is no joke…

• Non-compliance penalties under SOX include:
  – Fines
  – SEC investigations
  – Imprisonment for CEO or CFO
  – De-listing from stock exchange
• Raise your hand if you want this to be your fault


4. Approaches to a Solution

• To stay SOX compliant but proceed with SOA (and its business advantages) you need:
  – To be able to secure Web services effectively
  – Map individual users of Web services to machine-based Web service consumers
  – Service Levels
  – Implement well-governed SOA Infrastructure
    • Authentication
    • Authorization
    • Map to identity and access management systems that drive segregation of role definitions
    • Provisioning of Web services
    • Flexible management of Web services
    • Dynamic binding of Web services to consumers
  – Audit Trail
  – Documented, auditable SDLC for SOA components


5. SOA Software and SOX


SOA Software Service Manager in SOX compliance

• Policy enforcement points
• Integration with Tivoli, eTrust, and LDAP
• Dynamic binding of service end points to consumers
• Mainframe Web services
• Continuous monitoring
• Non-repudiation
• Signatures and keys


Book Drawing


Parting Shot

• Question: Can you really have compliance without SOA?
  – If you want to use proprietary technologies to achieve segregation of roles, data correlation for exception monitoring, and a COBIT-mature cycle of BPM/development/deployment and revision…
  – YOU WILL BE PARALYZED
• This is the “SOX Paradox”
• Let us help you find a solution


Thank you!

• Email me if you want these slides and the whitepaper Managing SOX in the Age of SOA

[email protected]

• 310-570-4130

• Visit www.soa.com