We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byAlize Ellsworth
Modified about 1 year ago
© Copyright 2006 Anexinet Corp. 1 Regain Control of IT Compliance Costs through Process Improvement John Bryer Practice Director, Health Insurance Solutions Anexinet
© Copyright 2006 Anexinet Corp. 2 Agenda Sarbanes-Oxley Overview Compliance and Controls SOX for Private Companies? Common Frameworks – COBIT, COSO, ITIL Examples of Effective Controls 8 Ways That You Can Take Control
© Copyright 2006 Anexinet Corp. 3 Sarbanes-Oxley (SOX) Act of 2002 Section 404 deals with Management Assessment of Internal Controls SOX requires that Management document, control, and secure processes that have bearing on reported financial result s. No compliance “checklist” ~ each company’s risk profile is unique SOX typically involves four phases: PLAN, REMEDIATE, TEST, SUSTAIN
© Copyright 2006 Anexinet Corp. 4 Compliance and Controls Compliance - Being in accord with their Rules of some Authority In Simplest Terms - You’re on your way to compliance if an objective 3rd party (external auditor) believes that: Your Rules (Controls) are appropriate, given your organization’s unique risks Your Rules are in accord with the Authority’s rules (SOX 404) Your Rules are adhered to, as demonstrated by Evidential Matter
© Copyright 2006 Anexinet Corp. 5 “My company is private. Compliance doesn’t apply to me” Private Application Service Provider (ASP) whose service is relevant to a public company’s financial reporting ASP may need to demonstrate that systems and processes are sufficiently controlled SAS 70 Type II audit “Statement on Auditing Standards No. 70” demonstrates that ASP offers a consistent, reliable and secure operating environment
© Copyright 2006 Anexinet Corp. 6 “My company is private and I’m not an ASP. Compliance still doesn’t apply to me.” A private company’s ability to demonstrate effective control has competitive benefit and can enhance customer satisfaction and retention. When selecting (public) vendor who has relevance to your financial reporting see if they have a SAS70 Even if the service they are to provide has nothing to do with your financial reporting, it’s a way to gain insight into potential vendors
© Copyright 2006 Anexinet Corp. 7 “My company is private, I’m not an ASP, and I don’t use vendors. Compliance still doesn’t apply to me.” Even organizations that don’t need to be “compliant” need to be in control… … even Mario Andretti’s racing team: “If things seem under control, you are just not going fast enough.” – Mario Andretti All organizations have some Controls in place (SLAs, metrics, policies) Are your controls part of cohesive, business-aligned governance? If controls don’t encourage strong business alignment, you’re missing the big payoff (because that ultimately increases technology ROI)
© Copyright 2006 Anexinet Corp. 8 Even if they don’t recognize it as “compliance” all IT organizations are involved in control activities Does your IT organization engage in any of the following? We’ve just summarized the 34 high level COBIT control objectives
© Copyright 2006 Anexinet Corp. 9 Agenda Sarbanes-Oxley Overview Compliance and Controls SOX for Private Companies? Common Frameworks – COBIT, COSO, ITIL Examples of Effective Controls 8 Ways That You Can Take Control
© Copyright 2006 Anexinet Corp. 10 Common Frameworks – COSO, COBIT & ITIL Sarbanes-Oxley COSO ITIL CMM ISO Others SEC Regulation Corporate Governance IT Governance COBIT
© Copyright 2006 Anexinet Corp. 11 Key concept: internal control is a process that depends upon people at every level of the organization Control objectives are intended to provide reasonable assurance regarding: operational effectiveness and efficiency reliability of financial reporting compliance with applicable laws and regulations COSO's target audience is management at large; COBIT focuses more on IT COSO – The Committee Of Sponsoring Organizations of the Treadway Commission
© Copyright 2006 Anexinet Corp. 12 COBIT - Control OBjectives for Information and related Technology COBIT is best described as IT governance with a clear business focus that fulfills COSO requirements for the IT control environment COBIT-based IT governance focuses on the following areas: Strategic alignment of business and IT Ensuring that IT delivers the promised benefits Resource management (processes, people, apps, systems, and information) Risk management Performance measurement
© Copyright 2006 Anexinet Corp. 13 ITIL - Information Technology Infrastructure Library Focuses on IT services Often used to complement the COBIT framework Detailed comprehensive set of management procedures Customizable framework of best practices Owned by United Kingdom Government’s Office of Government Commerce Consists of 8 “sets” of documents: 1)Service Support discipline 2)Service/Help Desk discipline 3)Security Management 4)The Business Perspective 5)Planning to Implement Service Mgt 6)ICT Infrastructure Management 7)Applications Management 8)Software Asset Management
© Copyright 2006 Anexinet Corp. 14 Agenda Sarbanes-Oxley Overview Compliance and Controls SOX for Private Companies? Common Frameworks – COBIT, COSO, ITIL Examples of Effective Controls 8 Ways That You Can Take Control
© Copyright 2006 Anexinet Corp. 15 Example of Controlling a Process - “Improper account provisioning with segregation of duties” Simple scenario: A manager ask system admin for user account for new employee. The admin knows the person making the request; grants access. Approval is implied; accountability is ambiguous. Problematic from a Control perspective: Poor separation of responsibilities: REQUEST, APPROVE, IMPLEMENT Does policy permit this type of employee to have this access? Accountability is ambiguous No evidential matter for internal and external audit to test
© Copyright 2006 Anexinet Corp. 16 Example of Controlling a Process - “Improper account provisioning with segregation of duties” How to Get Control of the Process 1.Recognize that improperly controlled granting of access is a risk area. 2.Craft policy defining acceptable system access by employee position. 3.Define who can request, approve, and implement access. 4.Implement controls to ensure that the policy is being adhered to. 5.Educate all affected employees about the policy and the control. Remediated Process: Requestor documents the Request Approver documents that they approve the Request Implementation occurs Implementer documents that the Implementation occurred Auditors examine all documentation and ensure coherence with policy
© Copyright 2006 Anexinet Corp. 17 More Examples of Insufficient Separation of Duties A/R A/P Changes to code Deploy to production
© Copyright 2006 Anexinet Corp. 18 Example of Change Control While Generating Savings - “Insufficient controls for change management” Situation: Public company had 20 SOX 404-critical financial spreadsheets 80% of organizations use Excel in some form to do financial reporting Spreadsheets resided on user’s PCs and were manually maintained Risks: No versioning Prone to errors No consistent back-ups Conflicting results across spreadsheets Company wanted to address 404 risk and reduce expenses
© Copyright 2006 Anexinet Corp. 19 Example, continued… Solution: Spreadsheets moved to central servers Microsoft Visual Studio Tools for Office (VSTO) used to greatly improve control of the process VSTO provides users with a familiar Excel tool set User Interface provides an action pane to control data management Costs: Reports were run to collect information (1.5 hrs/ss) Information from the reports was entered into spreadsheet (1.5 hrs/ss) Spreadsheet calculations were run and verified (2 hrs/ss) Resolve any discrepancies (0-4 hrs/ss) Results communicated to management Total annual cost for 20 spreadsheets: $168,000
© Copyright 2006 Anexinet Corp. 20 Example, continued… Cost savings: Solution (Phase 1 of 4) Management runs reports directly Lengthiest run time reduced to 20 seconds Cost estimated to be $80,000/year Savings in Year 1: $88,000 Savings in Year 2+: $168,000 Benefits (Phase 1 of 4): Greatly reduced 404 risk Spreadsheets now being secured Spreadsheets backed up Spreadsheets maintained Data inconsistencies addressed
© Copyright 2006 Anexinet Corp. 21 Agenda Sarbanes-Oxley Overview Compliance and Controls SOX for Private Companies? Common Frameworks – COBIT, COSO, ITIL Examples of Effective Controls 8 Ways That You Can Take Control
© Copyright 2006 Anexinet Corp Ways That You Can Take Control 1) Get help and build positive relationships Essential to engage the services of an experienced SOX partner External auditors are careful to not provide SOX consulting Develop positive relationships Among company, a SOX partner and the external auditor Between IT and the business 2) Get control by giving control Require the business to play active role Alleviates uneasiness about technology cost Helps fight perceptions of IT unresponsiveness and non- alignment
© Copyright 2006 Anexinet Corp Ways That You Can Take Control The most direct way to foster IT- business alignment CIO as facilitator of discussion about discretionary IT resource expenditures Maintain business support by frequent re-evaluation of business alignment Avoid old perceptions of IT dictating Demystifies IT 3) IT Steering Committee - a good way to keep the business engaged
© Copyright 2006 Anexinet Corp Ways That You Can Take Control 4) Make sure control environment is designed correctly and that everyone is on board “Obtain management commitment.” “Assess entity-level ‘tone-at-the-top’ controls early in the process.’” Executive “tone” has huge impact on control internalization
© Copyright 2006 Anexinet Corp Ways That You Can Take Control 5) Build support across the organization Allow input from those affected by it; need their strong buy-in Controls are most effective if based on clearly understood policy Broad understanding of the need for a control reduces resistance Educate affected population to understand that controls are not arbitrary
© Copyright 2006 Anexinet Corp Ways That You Can Take Control 6) Look for ways to control cost and to reap benefit from investments Determine if external auditors will use results of 3 rd party testing: Saves on external audit expense. Advances testing of controls to earlier in the process. Raises audit concerns earlier in the process when there is still time to remediate Rely on automated tools Need a cohesive, end-to-end control infrastructure Automate request/approve/implement workflows Provide evidential matter Reduces day-to-day interruptions
© Copyright 2006 Anexinet Corp Ways That You Can Take Control 7) Get control through knowledge and understanding You can’t control what you can’t measure. Process documentation helps clarify R&R Documentation that results aids new employees, reduces dependency others Project lifecycle standardization: Helps clarify and finalize requirements earlier it the process Enables project comparisons for prioritization Yields efficient resource utilization 8) Manage and test control processes Frequent testing to ensure controls are working If evidential matter isn’t being created, the control isn’t working
© Copyright 2006 Anexinet Corp. 28 In Summary Benefits of Control: Decrease Costs Improves the efficiency of resource consumption (“Never time to do it right; always time to do it twice”) Increase Revenue Improves customer satisfaction Improves customer (and investor, and auditor) confidence. Improve Quality The process discipline will allow clarification of Requirements earlier in the development process Promotes better IT-business alignment (e.g., IT Steering Committee)
© Copyright 2006 Anexinet Corp. 29 Thank You Contact Information: John Bryer, Practice Director, Health Insurance Solutions #
PLANNING THE AUDIT Individual audits must be properly planned to ensure: Appropriate and sufficient evidence is obtained to support the auditors opinion;
Migration of Internal Control Requirements to State Governments: Are You Ready? Dr. Sridhar Ramamoorti, Partner National Corporate Governance Group Christian.
IT Security Auditing. Topics Defining IT Audit Risk Analysis Internal Controls Steps of an IT Audit Preparing to be Audited Auditing IT Applications Who.
Workshop: Governance, Risk, Compliance (GRC) & Identity Management , 09:00-12:30, Track: Workshop I Dr. Horst Walther, Kuppinger Cole + Partner.
© John Beveridge CobiT Update NSAA IT Conference Richmond, VA John W. Beveridge September 27, 2007.
Final Report – November 3, 2003 Organization of American States Management Study of the Operations of the General Secretariat Part I – Executive Summary.
Auditing 101 Bill Harrison Chief Internal Auditor October 10, 2012.
Notes accompany this presentation. Please select Notes Page view. These materials can be reproduced only with written approval from Gartner. Such approvals.
1 Are You Ready for IT Control Identification & Testing? The Institute of Internal Auditors February 10, 2004 Moderator: Xenia Ley Parker, CIA, CISA, CFSA.
Software Development QA Best Practices May 20, 2010 Suzette Hackl, CSM Senior Project Manager Skyline Technologies, Inc.
INTERNAL CONTROL BASED ON THE COSO REPORT. Objective COSO C OBI T To use COSO, the Corporate Governance model, and C OBI T, the Information Technology.
E-Sourcing Today A Perspective on the Role and Scope of e- Sourcing and the State of the e-Sourcing Marketplace.
Internal Controls 101 and ARMICS An Auditor’s Perspective Deane Hennett Director of Internal Audit, Old Dominion University.
An overview of COSOs 2013 update to the Internal Control – Integrated Framework COSO changes coming in 2014 January 7, 2014.
Insert Local Authority Transformation Strategy Workshop Insert date This document is part of the personalisation toolkit
The External Auditors Perspective and use of Internal Audit Brent Currey Live Seminar 9:00am – 4:30pm October 12, 2011 Relationships backed by performance.
© 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice The Business Case for Configuration.
Information Technology Management (ITM101) Week 02: IT Standards & Governance Matthew W. Stephan: CISM, CISSP, CGEIT, CRISC, PMP.
IP Audit "We're in an object-oriented, outsourced, and open-sourced world, and organizations are anxious to take steps to ensure that the software they.
SAS 99 – Consideration of Fraud in a Financial Statement Audit The New Fraud Standards Impact on Auditors and Financial Managers.
SharePoint Governance Questions January 2014 ©2014 SUSAN HANLEY LLC.
End the Madness - Section 508 Compliance in the Enterprise.
UMW Administrative and Professional Faculty Performance Planning and Appraisal System.
© 2007 Jupitermedia Corporation The Role of Security in IT Service Management October 31, :00pm EDT, 11:00am PDT George Spafford, Principal Consultant.
Guidelines For Site Management Approaches Floyd Homer WCPA-Caribbean & SUSTRUST.
Competence is the demonstrated ability to apply knowledge and/or skills and, where relevant, personal attributes. A certification scheme contains.
Managing IT Budgets in Uncertain Economic Times: IT Optimization.
Gainful Governance A Primer for Board Members. 2 Objectives At the end of the workshop you will know: The role, tasks & functions of a board Your role.
Compliance Technology Solutions NASACT Presentation Material Robert Garagiola – AERS National Technology Practice January 31 st, 2007.
March 2011 Created by: Margie Harvey & Dorraine Teitsch.
© 2016 SlidePlayer.com Inc. All rights reserved.