Embed Size (px)
DESCRIPTION
Sarbanes-Oxley was passed in the wake of a number of notable corporate accounting scandals including Enron and WorldCom. And now in this training presentation, you will understand why and how this is important for us.
Citation preview
SOX Compliance DON’T FIGHT WHAT CAN HELP YOU
BY AMARNATH GUPTA
Amarnath Gupta
11 Years experience working in Systems & Operations in various roles.
4 years focusing on SOX related tasks.
Amarnath is not an attorney or an auditor.
Have delivered 300+ hours of training on various IT and IT related methodologies
What is SOX?
SOX provides the foundation for new corporate governance rules, regulations & standards issued by the Securities and Exchange Commission. It covers a range of topics from criminal penalties to Corporate Board responsibilities. SOX also covers issues such as independent auditing requirements, corporate governance, internal control assessment, and enhanced financial disclosure.
CEO’s of publicly traded companies will be held accountable for the quality of the controls established which enable accurate Financial reporting (including IT processes, systems & roles).
Penalties Section 802(a) of the SOX states: “ Whoever
knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.”
What prompted SOX?
Sarbanes-Oxley was passed in the wake of a number of notable corporate accounting scandals including Enron and WorldCom.
SOX on the horizon?
The primary thing to remember is that SOX is about mitigating the risk of fraud, financial transparency and process control. This will change how you do things but that does not have to be a bad thing.
A hint on policies.
Bear in mind that you will be held to the letter of all policies your company develops related to SOX even if they exceed federal requirements. This is very important to remember when drafting policies.
Policies should ensure that corporate behavior is consistent, controlled, and can be proven.
A word on Frameworks
There are many frameworks out there to assist you with SOX compliance. The key is to find a framework that works for your team, commit to it, train on it, and use it to your best possible advantage.
Examples of COBIT Controls
Network Security –Firewalls, secure network configuration including 802.11x
Virus Protection –anti-virus and anti-spyware updated regularly
Examples of COBIT Controls
Backups & Restore – Regularly tested procedures
IT Continuity – Disaster Recovery Procedures
Examples of COBIT Controls
Files Access Privilege Controls
Identity Management – password strength/age and access. Who has access and is that appropriate now?
Examples of COBIT Controls
Risk Evaluation Programs – Risk Assessment and internal auditing.
Employee IT Security Training – Training of end users related to utilization of resources.
Examples of COBIT Controls
Management support/buy in – Executive level oversight of projects related to IT.
IT as part of strategic planning – The business must be supported by technologies.
Change Management (Amarnath’s favorite)
Standardized change control is a great place to find fast rewards in pursuit of compliance.
Change Approval Change Categorization Change Documentation Change Prioritization Formal Request for Change Process A body of subject matter experts that
oversee change.
Consistent Logging
Change Management
Configuration Mgmt.
Event Management
Incident Management
Knowledge Mgmt.
Problem Management
“Operationalize” information
Connect the internal changes needed with the strategic objectives of the company.
Illustrate that real-time information flow enhances your organization’s ability to make decisions while making compliance easier.
Point out the significance of new activities that may seem mundane or inconsequential. This will help actions taken by staff at every level feel more relevant and less painful.
Remember W. Edward Deming?
• SOX Compliance is not a fix it and forget it endeavor.
• As companies and the ecosystems that support them change new compliance quandaries will come up.
Wait, how can SOX help me? Perspectives on operational control,
consistency, and quality take on a whole different meaning once they have a clear relationship to fiduciary responsibility.
It is amazing how different the conversation about project prioritization becomes once executive management are offered the opportunity to make decisions guiding it.
Questions? THIS IS ASSUMING THAT WE HAVE TIME FOR ANY.
