Paring SOX Down to Size: The Impact of Sarbanes-Oxley on IT Governance
Cal Braunstein, CEO and Executive Director of Research, Robert Frances Group
Copyright © 2004 by RFG. All Rights Reserved.

Robert Frances Group
Robert Frances Group provides consulting and research services to clients who are senior executives in IT and LOB management, as well as in marketing/sales management at companies that provide IT and communications services and products. RFG’s core competency is aligning business with IT. One component of RFG research focuses on analyzing the impact that compliance legislation will have on IT infrastructure investments and corporate governance.
Agenda
- What is SOX? What does it require, why, and who cares?
- State of the market
- Investments and Organization
- Building a Defensible Compliance Strategy
- Recommendations

“We did not formally build a compliance architecture. It just sort of happened.”
The Sarbanes-Oxley Act of 2002
- Increasing responsibilities and liabilities for CEOs, CFOs, independent auditors, and boards/committees
- Internal controls: adequacy, changes
- Auditors and management must report and attest to the accuracy of financial statements and disclosures
The Sarbanes-Oxley Act of 2002
- Applies to US public companies, private companies with public debt, and accounting firms
- Does not exempt foreign private firms or non-U.S. public accounting firms
- Driven by the Enron, Tyco and WorldCom fiascos
- SOX has sections covering:
  - Reporting – improves disclosure requirements
  - Roles – strengthens corporate governance
  - Conduct – expands on accountability
  - Enforcement – improves oversight
  - Penalties – broadens sanctions
  - Relationships – forces auditor independence
Why is it a Big Deal for IT?
- Lack of comprehensive documentation of existing internal controls at most firms
- No comprehensive evaluation of internal controls by the majority of firms
- SOX often has to be fit into on-going development activities
- Limited resources available
- 1 in 10 companies have made financial restatements in the past five years (U.S. GAO study)
What the Fortune 50 are Saying
- “Our controller’s department has direct responsibility for Sarbanes-Oxley implementation. We have a program team with finance devoted to this today.”
- “We are still trying to put together a plan of what should be the overall governance of all IT systems. We want to use the structure we have put in place for Sarbanes-Oxley to be used for other compliance initiatives.”
- “Our success in working through activities the first time has depended on buy-in from the CEO and CFO.”
- “The IT compliance manager and internal audit are joined at the hip and coordinate all activities together.”
Big IT Impact Anticipated
People, Processes and Systems will be Impacted
Which Provisions Apply to IT?
- 302 – Corporate responsibility for financial reporting
  - Is our financial data accurate?
  - Do we have transaction-level detail if required?
  - Do we understand all the processes involved?
- 404 – Annual management assessment of internal controls
  - How does our control structure operate?
  - Who is accountable? Is it monitored? Is it documented?
- 409 – Real-time disclosure of material changes
- 802 – Retention of relevant records for audits/reviews
Emerging IT Requirements/Impact
Definitely influence, perhaps certify…
- Anti-fraud techniques – development & operations
- Change management process
- Data integrity
- Disaster recovery practices
- Electronic records retention policy
- “Properly recorded and reported” transactions
- “Reasonable assurance” test
- Integrity of communications
- Patch management
- Process/work flows – internal & partners
- Security policies and practices
- SOX compliance built into overall security architecture
What is SOX’s impact on IT?
- Minimal
- Some impact
- Big impact
- Impacts most of development and operations
Key 404 Dates and Penalties
- For public companies with market cap > $75 million: June 15, 2004, now November 15, 2004
- For all other public companies: April 15, 2005, now July 15, 2005

Penalties:
- CEO/CFO knowingly submits a wrong certification – $1 million and up to 10 years in jail
- If the wrong certification is submitted “willfully” – up to $5 million and 20 years in jail
Spending Levels
Most Fortune 100 companies spend less than $3 million per year on IT compliance initiatives and have 3 to 6 staff across the organization dedicated to compliance, consisting of finance and IT personnel. First-year costs of complying with a specific compliance directive may be two or three times higher than in follow-on years. Most companies are working compliance into existing budgets as much as possible and as needed. They do not generally know exactly what they are spending.
IT implementation costs

Category                                  One time / Initial costs   Ongoing / Annual costs
Finance/accounting/reporting expansion    $250,000 - $500,000        $250,000 - $300,000
Process improvements                      $200,000 - $400,000        $100,000 - $200,000
System enhancements                       $250,000 - $500,000        $200,000 - $300,000
Consulting services                       $200,000 - $300,000        $100,000 - $200,000
Total added IT costs                      $900,000 - $1,700,000      $650,000 - $1,000,000

Source: PricewaterhouseCoopers LLP & RFG
Should I care?
- No, not asked to participate
- No, project belongs to another
- Yes, but not a big deal
- “Bet your job” project
- Job put on the line annually
Key Organizational Issues
The Sarbanes-Oxley Act of 2002 has brought companies to focus on a more centralized way to address governance and compliance. Centralized authority usually resides in finance or an audit group for assuring overall regulatory compliance. IT compliance is treated as an operational consideration and is usually handled by an IT compliance officer or an IT compliance committee. Companies normally have a compliance committee that consists of members from IT, finance and lines of business (LOBs). The committee facilitates constant and clear communications among the participating departments.
Organizational Structure
- Internal Audit or Controller has overall responsibility for SOX compliance for all systems and operations
- Compliance Task Force within Finance
- Overall Compliance Task Force with participants from across the organization; Audit and IT are members
- Director or VP of IT Compliance provides input and recommends action to IT operating groups
- Other bodies on the chart: Exec Steering Committee, IT Steering Committee, Applications, Programming
Which Departments Are Affected?
Building a Defensible Compliance Strategy
Three Lines of Defense:
1. “I made a mistake.”
2. “I bought a mistake.”
3. “Nobody could do it better.”
“Nobody could do it better.” (so sue us all and shut down our industry)

Collaborate & Share: If a group of leading firms collaborates to develop best practices for compliance and fails, it may serve as an informal proof of difficulty or regulatory ambiguity. It would be much more difficult to extract the maximum penalty from each of them than if any one individually came up with the same solution and failed alone.

Benefits: Peers are in the best position to develop common best practices.
Risks: In the event of non-compliance, a penalty to one participant results in a penalty to all. Minimized if sharing partners have similar reputations in one’s market.
Key Findings of Recent Research
- Companies are not focusing on technology fixes; instead on auditing, procedures and reporting.
- Most are not buying new technology to solve the problem, but may upgrade or partially replace systems to address it.
- Most drive to 90%.
- Split on whether finance understands the technology issues involved in SOX compliance, and whether IT understands the business issues.
- IT will be affected by SOX, more so than all other departments except finance.
- Most viewed SOX compliance as more resource intensive than other regulatory compliance projects.
- Confident that 404 requirements will be met.
- Almost 1 in 10 think their job is at risk if the firm is non-compliant, and 1 in 4 must certify results personally.
- Successful companies have strong support from CxO management in driving compliance activities across the organization. It was not just the role of the CIO.
Recommendations
- Establish an overall cross-functional compliance team and a dedicated sub-team managed by a director-level person. The team should be supported by C-level executives and include executives from finance, IT, legal, marketing and affected business units.
- Coordinate IT activities within the scope of an overall security and disaster recovery plan.
- Have Finance or Audit take final responsibility to ensure compliance with SOX.
- Marketing should take the lead on customer data usage decisions affecting privacy as well as the Do Not Call Registry.
- IT is one input to the whole process.
What must one do to be compliant?
- Nothing
- Test and document only
- Become process oriented + above
- Build a wall between development and operations + above
- Beef up security, change management, e-records retention, anti-fraud techniques, and patch management + above
- Audit outsourcers (development and operations) and business partners with access + above
Questions & Answers
Cal Braunstein, CEO/Executive Director of Research
Robert Frances Group, Business Advisors to IT Executives
phone: x104 (US Eastern Time)
fax:
About RFG

Business Model
- Single service model
- Focus on IT executive issues
- S.P.O.R.T. Model
- Hybrid retainer consulting model

SPORT Model
- Strategies, SLAs
- Processes, Procedures, Policies, Best Practices, and Politics
- Organizational, Operational Issues
- Resources, Regulations, ROI/ROV and Requirements
- Technology, and Ts & Cs

Unique Attributes
- Unique demand-driven research
- In-context vs. trend/futures focus
- Business reqmts. vs. product focus
- Primary research vs. packaged
- Blended client base: 85% end-users, 15% vendors
- Risk, Regulatory, and Compliance research focus since 1998
- Architecture, Infrastructure and Operations expertise
- Analysts were IT executives