
The Greatest Risk Regulatory Compliance Solutions Introduction to Automation Validation for Public Companies Concerning their Sarbanes-Oxley Regulatory.


1 The Greatest Risk Regulatory Compliance Solutions Introduction to Automation Validation for Public Companies Concerning their Sarbanes-Oxley Regulatory Compliance Initiatives

2 Your Greatest Risk Toward Regulatory Compliance Presents: The key issues in achieving your goal of SOX Regulatory Compliance

3 Congressional Challenges As an understandable reaction to financial fraud and corporate scandals… Congress has mandated new regulations, for which compliance is technically challenging and perhaps not even feasible in the real world of IT. This is not the first time they did this…

4 Congressional Challenges Congress once mandated to the Department of Education “KNOW YOUR CUSTOMER” so that students who cheat the government would not get any further financial assistance. A great idea to save money and catch cheaters! The project was to combine 12 loan and grant systems to accomplish this worthy goal. The price was 2.2 billion dollars and the contract was issued to CSC. The GAO sensed the project was not technically possible. Analyzing source code and data proved it (with the same tools Xactis uses today). The taxpayers saved most of the money and a scandal was averted. Xactis tools were acknowledged in the US Congressional Record as the technology employed to validate these Information Systems – the basis of the auditors’ findings.

5 Congressional Challenges Therefore Compliance is really:
- An elusive goal -- not a destination
- A risk to be managed -- not solved
- A highly evolving scenario -- with changes that affect your professional operations and personal security, as they relate to Sarbanes-Oxley Section 404

6 The Greatest Risk We Face – Automation Validation Reviewers and auditors have traditionally relied on bank statements, interviews and documentation reviews to assess regulatory related risks and to assist management in becoming compliant with regulations. Sample testing is the common technique used to partially validate automated processes and rules embedded in the IT systems. As the roles and complexity of enterprise information systems have grown, a new need is emerging to have online controls and business intelligence systems. But only the most knowledgeable companies and IT Governors know that in-depth system analysis is required to validate these automated processes, rules and data -- as they pertain to new regulations that require more integrated and more accurate information about their controls under Section 404, AML, etc.

7 The Greatest Risk We Face – Automation Validation Managers, Compliance Officers and IT providers are scrambling to package tools and services to help their customers reach compliance – but, no matter which controls are chosen, the risk of the initiative will depend on:
- Compliance Initiative support and budget
- Compliance Officers that are well-trained and given authority over autonomous entities within the organization
- Effective analysis of Information Systems used in Financial Reporting:
  - Financial applications and business intelligence
  - programs and data
- Effective monitoring for insider misconduct
- Effective reporting to management and regulators
- Diligence and Enhanced Due Diligence
- Compliance Information Integration
- Data Management Skills – including data quality to facilitate meaningful integration
- Documentation of policies, procedures and personnel
- Documentation of automated systems
- Audit / Review – Validating the Adequacy and Effectiveness of Controls with all of the above information

8 Mitigating Risks Through Automation Validation The Purpose of Audit is to Validate the Adequacy and Effectiveness of Controls! (Let’s remove the policies and procedures from the discussion to focus on the greatest risk) No matter what compliance related automation we select, validating that the automated system was well-planned, well-purchased, well-installed, optimally configured and that it is working effectively must be done with a different set of tools and methods – before the regulators catch infractions and audit.

9 Mitigating Risks Through Automation Validation The audit process must:
1. Be viewed with prestige and in a positive way
2. Bring together all aspects of the company to do what is nearly impossible – team building
3. Analyze all controls
4. Document rules and processes in the automation
5. Document the data lineage from reports
6. Have access to and check historical data to see what the people and automated systems are catching and what they are missing
7. Effectively and proactively handle external audits to minimize penalties for infractions

10 Information Validation Methodology
- Step One: Identify Critical Information End-items
- Step Two: Trace Data Lineage Back to Origins
- Step Three: Determine the Meaning and Validate the Quality of the Original Data
- Step Four: Validate Application Processes, Business Rules and Related Controls and Verify Automation Security
- Step Five: Follow Data Lineage Forward to Validate Mappings, Transformations and Data Quality
- Step Six: Verify Security at Data Consumption Points

11 [Diagram: data flow from Data Origination Points (Applications, Website, EDI, “Green Screen”, Code and Data) through ETL/EAI into Data Stores and Warehouses, Data Marts, Query and Management Reports] Step One: Identify Critical Information End-items

12 [Same lineage diagram] Step Two: Trace Data Lineage Back to Origins – Via Data Marts

13 [Same lineage diagram] Step Two: Trace Data Lineage Back to Origins – Via Data Stores and Warehouses

14 [Same lineage diagram] Step Two: Trace Data Lineage Back to Origins – And Via Source Applications (Code and Data)

15 [Same lineage diagram] Step Two: Trace Data Lineage Back to Origins – Until the Origins Are Reached

16 [Same lineage diagram] Step Three: Determine Meaning & Validate the Quality of Original Data

17 [Same lineage diagram] Step Four: Validate Application Processes, With Related Business Rules and Controls

18 [Same lineage diagram] Step Five: Validate Mappings, Transformations & Data Quality – Via Data Warehouses

19 [Same lineage diagram] Step Five: Validate Mappings, Transformations and Data Quality – And Via Data Marts

20 [Same lineage diagram] Step Five: Validate Mappings, Transformations & Data Quality – Until Critical Information End-items Are Validated

21 [Diagram: authorized versus unauthorized access paths to the data] Step Six: Validate End-to-end System Security
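The six steps above amount to a graph walk over a documented lineage: start at a critical end-item, walk back to its origins, then check that every origin, hop and consumption point on that path has been validated. The following is an added example (not code from Xactis or this presentation) that does this over a constructed, hypothetical lineage; node names, validation flags and the single report are sample data.

```python
from collections import defaultdict, deque

# Constructed sample lineage (hypothetical names): edge = (upstream, downstream,
# mapping_validated).  mapping_validated records the Step Five result for that hop.
EDGES = [
    ("gl_ledger", "etl_nightly", True),
    ("ar_system", "etl_nightly", True),
    ("etl_nightly", "fin_warehouse", True),
    ("fin_warehouse", "revenue_mart", False),   # transformation never re-validated
    ("revenue_mart", "10k_revenue", True),
]
# Per-node results of Steps Three, Four and Six (constructed values).
NODES = {
    "gl_ledger":     {"kind": "origin",    "quality_ok": True},
    "ar_system":     {"kind": "origin",    "quality_ok": False},  # source never profiled
    "etl_nightly":   {"kind": "etl",       "rules_ok": True},
    "fin_warehouse": {"kind": "warehouse", "rules_ok": True},
    "revenue_mart":  {"kind": "mart",      "rules_ok": True},
    "10k_revenue":   {"kind": "report",    "access_ok": False},   # readers not authorized
}

def _upstream_index():
    up = defaultdict(list)
    for src, dst, _ in EDGES:
        up[dst].append(src)
    return up

def trace_back(end_item):
    """Step Two: every node feeding the end-item, nearest first, origins included."""
    up, seen, queue = _upstream_index(), [], deque([end_item])
    while queue:
        for src in up[queue.popleft()]:
            if src not in seen:
                seen.append(src)
                queue.append(src)
    return seen

def origins(end_item):
    """Step Two terminates when only origination points remain."""
    return sorted(n for n in trace_back(end_item) if NODES[n]["kind"] == "origin")

def audit_gaps(end_item):
    """Steps Three to Six: findings for each unvalidated node or hop on the lineage."""
    lineage = set(trace_back(end_item)) | {end_item}
    gaps = []
    for n in sorted(lineage):
        a = NODES[n]
        if a["kind"] == "origin" and not a["quality_ok"]:
            gaps.append((n, "origin data quality not validated"))
        elif a["kind"] in ("etl", "warehouse", "mart") and not a["rules_ok"]:
            gaps.append((n, "business rules/controls not validated"))
        elif a["kind"] == "report" and not a["access_ok"]:
            gaps.append((n, "consumption point lacks authorization control"))
    for src, dst, ok in EDGES:   # Step Five, walking the same lineage forward
        if src in lineage and dst in lineage and not ok:
            gaps.append((f"{src}->{dst}", "mapping/transformation not validated"))
    return gaps
```

A report with an empty `audit_gaps` result is one whose whole lineage, from origins to consumption point, has been validated; anything returned is an item the auditor still has to resolve before sample testing can be trusted.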

22 RULES ARE THEN COMPILED INTO A LIBRARY WITH AN INDEX: Note: Which rule would you investigate? How quickly could Auditors review rules with this information?

23 Xactis Services Offerings
- Risk Assessment of the current compliance Initiatives
  - Review Report from a Certified Auditor
  - Risk Mitigation Plan
- Compliance Consulting:
  - Strategic Planning
  - Implementing and Enhancing Controls
  - Audit Preparedness Program
  - Compliance Information Integration

24 Compliance Assurance Methodology – From Risk Assessment To Audit Preparedness
- Validate & Optimize Controls
  - Analyze the Controls incl. Policies, Procedures, Personnel & Focus on Automation Validation
  - Certified Auditor’s Review Report of Compliance Risks using Software & Database Tool
  - Risk Mitigation Plan & Presentation Through Compliance Consulting
- Implement Solutions & Integrate Data
  - Select or Support the Products
  - Policies, Procedures, Personnel, Automation & Data Integration Assistance (AML, BASEL II, Sarbanes-Oxley, Gramm-Leach-Bliley, etc.)
  - Customer Knowledge (CIP/KYC) & Privacy
  - Suspicious Activity Monitoring, Insider Misconduct & Intruder Detecting / Reporting
- Compliance Training
  - Employee & Customer Awareness
  - Compliance Officer(s) Advanced Training
- Audit Preparedness
  - Audit Report Preparations & Documentation
  - Audit Meeting Assistance Focusing on Exactly What the Regulator Will Be Checking
  - Apply Global Perspective & Experiences

25 Tools & Methods Summary
For Automation Discovery & Compliance Validation:
- Imperative Profiler™ (for data profiling)
- Imperative Fusion™ (for semantic interoperability)
- AutoReArchbench™ Source Code Analysis Toolset
- BRP Library - Business Rule Packet Repository
For Compliance Remediation:
- Management & Audit Support Processes
- Data Quality and Integrity Approach
- Network and Systems Discovery, Analysis, and Mapping
Xactis Corporation, 180 Old Short Hills Road, Short Hills, NJ. Alan Kaplan, President / CTO. Direct

26 Summary – Your Greatest Risk Toward Compliance Reviewers and auditors have traditionally relied on interviews and documentation reviews to assess regulatory related risks and to assist management in becoming compliant. Sample testing is the common technique used to partially validate automated processes and rules embedded in the IT systems. As the roles and complexity of enterprise information systems have grown, a new need is emerging to have in-depth system analysis to validate these automated processes, rules and data as they pertain to new regulations that require more integrated and more accurate information. IT providers are scrambling to package tools and services to help their customers reach compliance – but, no matter which applications and approaches are chosen, the success or failure of the initiative will depend on data quality and integration. The Catch-22 phenomenon is real – you are in fact damned if you do and damned if you don’t. The more you do… the more the regulators expect. The solution is to also bring in an independent 3rd party to validate the entire Regulatory Compliance Initiative.

