Sarbanes-Oxley and IT Service Management
© 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Slide 1: Sarbanes-Oxley and IT Service Management (October 2004)
Sarbanes-Oxley is the US Public Company Accounting Reform and Investor Protection Act of 2002.

Copyright © 2003 HP corporate presentation. All rights reserved.

Slide 2: Agenda
- Brief overview of the Sarbanes-Oxley Act
- Challenges posed to management, auditors, and IT directors
- Internal controls: IT control frameworks
- IT Service Management: philosophy and components
- Summary

Slide 3: What Sarbanes-Oxley mandates
Sarbanes-Oxley* mandates accountability in the financial reporting of SEC-regulated (publicly traded) companies.
*Also known as Sarbox, SOX or SOA.

Slide 4: Key Sections
- Reporting: improve disclosures
  - Section 302: management certifications
  - Section 404: evaluation of internal controls
  - Section 409: real-time issuer disclosures
- Roles: strengthen corporate governance (audit)
- Conduct: expand insider accountability (ethics)
- Enforcement: increase oversight (PCAOB)
- Penalties: broaden sanctions
- Relationships: increase auditor independence

Slide 5: Management Challenges
CFO
- Quarterly and annual sign-off on corporate financial statements
  - Internal control frameworks needed
  - On-going maintainability of SOX compliance monitoring
  - Effective interaction with the external auditor
  - Determining what is "material"
- Reduce the on-going internal and external auditing costs associated with Sarbanes-Oxley
  - Fortune 500 class companies are spending $2-$10 million
  - HP has the ability to reduce these numbers dramatically for on-going compliance
CEO
- Legal exposure and consequences of non-compliance
- Financial market consequences of non-compliance or of reported material weaknesses
- Internal and external compliance and auditing costs

Slide 6: Corporate Challenges (continued)
CIO
- Responsible for delivering the financial application services and infrastructure availability
  - The CFO and CEO need the CIO's assurances before signing off on IT controls
  - Must respond to audit requirements
  - Delivery and support of SOX IT controls
- IT budget demands due to compliance efforts
  - Can be a significant component of the IT budget
  - Leverage the work for IT benefit and company competitive advantage

Slide 7: Section 404 Internal Controls
Management assessment of internal controls. The annual report must:
1. state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
2. contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
Each issuer's auditor shall attest to, and report on, the assessment made by the management of the issuer.
Effective for fiscal years ending on or after November 15, 2004 for US-based accelerated filers (public float over $75M).

Slide 8: Internal Control Example: Application Change Management Controls
Scenario: the business makes a change to its inventory system to facilitate internal transfers between stores.
Control objective: inventory is appropriately valued.
Controls needed:
- Change management
- User access
- Data integrity of inventory values
- Availability of the inventory applications
[Diagram: the inventory process/applications with change management controls, user access controls and data integrity controls around an internal inventory transfer; inputs are the inventory value and existing goods, output is the transferred goods values.]

Slide 9: Internal Control Example: Segregation of Duties
Scenario: a user is promoted from Procurement Analyst to Accounts Payable (AP) Supervisor.
Control objective: segregation of duties between initiating and authorizing transactions.
Controls needed: user access.
Accounts payable process (diagram):
Role                        | Vendor database | Purchase orders
Procurement Analyst         | Add             | Enter
Accounts Payable Supervisor |                 | Approve
If the AP Supervisor's access privileges are not updated upon promotion, they could be able to both initiate and approve payments.
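The promotion scenario above is the classic segregation-of-duties failure: access is granted additively and the old role is never revoked. The following is an added example, not code from the HP deck or from any HP product, showing how a provisioning system can express the "initiate versus approve" rule as a toxic-combination list and enforce it both preventively (at grant time) and detectively (in a periodic access review). The role names, permission strings and rule list are assumed for illustration and mirror the slide's table; the sample users are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed role model mirroring the slide's table (assumed names).
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "procurement_analyst": {"vendor:add", "po:enter"},
    "ap_supervisor": {"po:approve", "payment:release"},
    "ap_clerk": {"invoice:enter"},
}

# Toxic combinations: no single identity may hold both permissions.
# (permission A, permission B, what the combination would let one person do)
SOD_RULES: list[tuple[str, str, str]] = [
    ("po:enter", "po:approve", "initiate and approve purchase orders"),
    ("vendor:add", "payment:release", "create a vendor and pay it"),
    ("invoice:enter", "payment:release", "enter and pay an invoice"),
]


class SodConflict(Exception):
    """Raised when a grant would create a toxic combination."""


@dataclass
class User:
    name: str
    roles: set[str] = field(default_factory=set)


def effective_permissions(user: User) -> set[str]:
    """Union of the permissions carried by every role the user holds."""
    perms: set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def sod_violations(user: User) -> list[str]:
    """Detective check: every SoD rule the user's effective access breaks."""
    perms = effective_permissions(user)
    return [why for a, b, why in SOD_RULES if a in perms and b in perms]


def grant_role(user: User, role: str) -> User:
    """Preventive check: refuse a grant that would create a toxic combination.

    The slide's failure case is a promotion done as an additive grant with
    the old role left in place; this rejects exactly that request."""
    candidate = User(user.name, user.roles | {role})
    conflicts = sod_violations(candidate)
    if conflicts:
        raise SodConflict(f"{user.name}: granting {role} would allow {conflicts}")
    user.roles.add(role)
    return user


def transfer_role(user: User, old_role: str, new_role: str) -> User:
    """Model a promotion as a transfer: revoke the old role, then grant the new.

    Revoking first means the grant is checked against the post-transfer
    entitlements, so the analyst-to-supervisor move succeeds cleanly."""
    user.roles.discard(old_role)
    return grant_role(user, new_role)


def access_review(users: list[User]) -> dict[str, list[str]]:
    """Periodic entitlement review: users whose current access breaks a rule.

    Catches conflicts that slipped past provisioning (direct database edits,
    roles whose permissions grew after the grant, and so on)."""
    return {u.name: sod_violations(u) for u in users if sod_violations(u)}


if __name__ == "__main__":
    # Constructed sample: Alice is promoted correctly, Bob's old role was kept.
    alice = transfer_role(User("alice", {"procurement_analyst"}),
                          "procurement_analyst", "ap_supervisor")
    bob = User("bob", {"procurement_analyst", "ap_supervisor"})
    print(access_review([alice, bob]))
```

The two checks are deliberately separate: the preventive gate in grant_role is what an auditor expects the provisioning workflow to enforce, while access_review is the evidence-producing control that surfaces anything the gate never saw. Evaluating rules against effective permissions rather than role names matters because role definitions change over time; a pair of roles that was safe when granted can become a conflict later.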

Slide 10: Sarbanes-Oxley Scope and Assessment Approach
The assessment works top-down through four layers, driven by materiality and risk:
- Accounts: materiality and risk
- Processes: the processes generating account balances (process, business, site)
- Applications: the applications supporting those processes
- Infrastructure: the infrastructure supporting the applications (data centers, networks, security, ERP platforms)

Slide 11: Example Financial Processes (Accounts > Processes > Applications)
Inbound: purchasing (order entry), receiving, inventory, invoicing/billing, accounts payable, settlement.
Outbound: sales, credit, order entry, inventory, shipping, invoicing/billing, accounts receivable, settlement, customer service.
Frequently built on ERP and/or financial application platforms: SAP (mySAP suite), Oracle, PeopleSoft, ...

Slide 12: User Access Controls
The right people, the right resources, the right time
- Single point of control for managing entitlements
Corporate accountability
- Log administrative and user actions
- Enforce business procedures
- Segregation of duties
Managing the identity life-cycle
- Accurate and complete identity information
- Eliminate the potential for errors, omissions and redundancies
HP OpenView Identity Management Solutions: Select Access and Select Identity
[Diagram: identity life-cycle of registration/creation, accounts and policies provisioning, maintenance/management, and termination/deletion; adapted from Burton Group's life-cycle management taxonomy, April 2004.]

Slide 13: Change Management Controls
Manage, schedule, and document all planned changes
- Includes modification of system infrastructure components: servers, ERP platforms, ...
Ensure that only authorized, tested, and documented changes are made
Focal point for auditors
- High and increasing change rates can indicate risk
- Documented and well-controlled processes are fundamental to operational risk management under Sarbanes-Oxley and similar regulations
Focal point for IT/business alignment
HP OpenView Service Desk: Change Management
[Diagram: change cycle of Request for Change, prioritize, risk assessment, authorize, plan/build/test, implement/release, review.]

Slide 14: Operations Availability Controls
Procedures, people, software, data, and infrastructure to achieve system availability objectives in accordance with established policies and standards
Monitor the system and take action to achieve compliance with system availability objectives, policies, and standards
Service-driven management
- Built on the relationships between applications, systems, network, and other components
HP OpenView IT Service Management Solutions
[Diagram: an order-processing service composed of ERP, order, credit, spreadsheet and web services components running on storage, network, server, database, security, EAI/B2Bi and application server layers, with managed services covered by SAS 70 reports.]

Slide 15: IT Operations Audit Challenge: monitoring risk and management response
The CEO, CFO and CIO must provide verifiable information to the external auditor, tracked as KPIs and KRIs.
IT control management functions:
- Change management: maintenance
- Availability: uptime, outages
- User access: security
- Integrity: data, transactions
- Document management: communication, archival and information flow
Distributed managed environment: 100+ business applications, 100+ key servers, thousands of objects.

Slide 16: IT needs to respond
Support the corporate finance and audit groups' need to ensure the integrity of the business processes (and applications) that impact financial reporting
- For Sarbox, auditors need to manage the risk associated with these business processes across the underlying application infrastructure
Provide verifiable IT controls
- Control frameworks exist that provide recommended objectives and methodologies
- Following such guidelines enables corporations to meet Section 404 internal control requirements

Slide 17: Addressing IT Controls
There are well-recognized internal and IT control frameworks used in auditing
The IT control frameworks are quite similar to the IT best-practice methodologies defined by ITIL and embodied by ITSM
- Having a verifiable IT control process is more important than use of any one specific framework
There are critical functions related to the auditing and risk management issues of Sarbanes-Oxley
- Change and configuration management, availability management, and user access management
Other governance and regulatory mandates place similar requirements on IT
- Basel II operational risk requirements on banks call for improved IT systems
- Change management and monitoring for the pharmaceutical, chemical, power, and other regulated or tightly controlled industries
- ISO 17799, HIPAA, GLBA, ...

Slide 18: Interwoven Internal and IT Control Frameworks
- COSO: The Committee of Sponsoring Organizations of the Treadway Commission
- COBIT: Control Objectives for Information and related Technology
  - IT Governance Institute
  - Information Systems Audit and Control Association
- SysTrust
  - AICPA, the American Institute of Certified Public Accountants
  - Based, in part, on COBIT control objectives
  - Similar to SAS 70
- ITIL
[Diagram: COSO, COBIT and ITIL shown as overlapping frameworks.]

Slide 19: COSO Internal Control Framework
- Recommended by the SEC and PCAOB
- Primary starting point for internal controls
- Not part of the actual Sarbanes-Oxley Act (SOA)
- Not specific to IT
- Result of 1990 bank failures
Internal control components (Deloitte definitions):
- Control environment: the foundation for all other elements of internal control, including the ethical values and competency of a company's employees
- Risk assessment: the identification and analysis of relevant risks that can hinder the achievement of business objectives
- Control activities: specific tasks to mitigate each of the risks identified above
- Information and communication: information pathways from management to employees and vice versa
- Monitoring: the evaluation and assessment of internal control
[Diagram: the COSO cube, with the five components and risk management set against the objectives of operations, financial reporting and compliance, across business units and functions.]

Slide 20: COBIT Control Objectives
Planning and Organization
- Define strategic IT plan
- Assess risks
- Manage quality
- Manage projects
Acquisition and Implementation
- Acquire and maintain technology infrastructure
- Develop and maintain procedures
- Install and accredit systems
- Manage changes
Delivery and Support
- Manage third-party services
- Manage performance and capacity
- Define and manage service levels
- Ensure continuous service
- Manage the configuration
- Ensure system security
- Manage problems and incidents
- Manage operations
Monitoring
- Monitor the processes
- Assess internal control adequacy
- Obtain independent assurance
- Provide for independent audit

Slide 21: ITIL Service Management Processes
Service Support
- Service Desk*
- Incident Management
- Problem Management
- Configuration Management
- Change Management
- Release Management
Service Delivery
- Service Level Management
- Financial Management for IT Services
- Capacity Management
- IT Service Continuity Management
- Availability Management
*Service Desk is a function, not a process.

Slide 22: HP ITSM Reference Model: People, Processes, and Technologies
- Service planning
- IT business assessment
- IT strategy and architecture planning
- Customer management
- Service build and test
- Release to production
- Availability management
- Continuity management
- Security management
- Capacity management
- Financial management
- Service level management
- Change management
- Configuration management
- Operations management
- Problem management
- Incident and service request management

Slide 23: IT Controls to Align with Business: Establish and Attest Control of Essential IT Services
COBIT control objective: Ensure systems security
ITIL processes: Security Management, Availability Management
OpenView solutions: Select Access, Select Identity, Operations
COSO components: Control Environment, Control Activities, Information and Communication, Monitoring

Slide 24: IT Controls to Align with Business: Establish and Attest Control of Essential IT Services
COBIT control objective: Ensure continuous service
ITIL processes: Incident Management, Availability Management, IT Service Continuity Management
OpenView solutions: Operations, Internet Services, Service Desk, SMART plug-ins, Performance Insight
COSO components: Control Environment, Control Activities, Monitoring

Slide 25: IT Controls to Align with Business: Establish and Attest Control of Essential IT Services
COBIT control objective: Manage changes
ITIL processes: Change Management, Release Management, Configuration Management, Problem Management
OpenView solutions: Service Desk, Radia
COSO components: Control Activities, Monitoring

Slide 26: Sarbanes-Oxley Phases
1. Phase 1: Scope, assess, define, document (where most companies are today)
   - Policies and processes
   - Common terminology
   - Common processes
   - Evaluate and remediate
2. Phase 2: Move to maintainability and repeatability
   - Automate controls for providing evidence
   - Standardize processes
   - Continue to evaluate and remediate
3. Phase 3: Use the SOX process and information for competitive advantage

Slide 27: HP OpenView ITSM Solution Components for SOX Compliance
IT Service Management: people, process, technologies
Service Desk for Change Management
- Focal point for auditors
- Documented, controlled processes fundamental to risk management
- Includes Change, Configuration and Asset Management modules
- Integrated with availability and business continuity solutions
Trustworthy Infrastructure
- Physical asset protection
- Secure
- Secure printing
- Application scanning
- Infrastructure review and implementation design
- Network, system and host security
Enterprise Reporting: compliance monitoring reports
- Executive dashboards
- Financial process reports
Service-Driven Availability Management
- SAP, PeopleSoft, Siebel and Oracle Smart Plug-Ins
- Operations: the foundation for availability management
- Internet Services (OV-IS) simulates user access to applications and monitors performance
- Service Information Portal: secure, custom presentation
Select Access and Select Identity
- Control and monitor user access to financial processes and applications
- Identity provisioning based on contextual business models
- Tamper-resistant auditing tracks all access requests, authorization decisions and administrative changes
Radia: new HP Change and Configuration Management solution
- Compliance through policy-based enforcement
- Continuous compliance provided via desired-state checks

Slide 28: Summary
- The complete Sarbanes-Oxley Act is broad and spans many disciplines and technology areas
- Robust IT controls for the systems that impact financial reporting are a core component of Sarbanes-Oxley internal controls
  - Internal and external auditors respectively need to manage and monitor risk
- IT Service Management (ITSM) closely aligns with the recognized accounting and auditing IT control frameworks
  - ITIL is recognized as an authoritative source
- ITSM solutions support the business continuity of the financial reporting infrastructure, help corporations more effectively monitor and manage their IT risks, and provide evidence of controls via reporting

Slide 29: IT Service Management and Sarbanes-Oxley compliance
[Chart: Sarbanes-Oxley effort (limited to high) plotted against IT Service Management maturity (limited to high); the more mature the ITSM practice, the less the incremental SOX effort.]