Webcast: Using ITIL to Improve Sarbanes-Oxley (SOX) Related Processes, October 2006. © 2006 Jupitermedia Corporation

Presentation transcript:

© 2006 Jupitermedia Corporation
Using ITIL to Improve Sarbanes-Oxley (SOX) Related Processes
October 31, :00pm EST, 11:00am PST
George Spafford, Principal Consultant, Pepperweed Consulting

Housekeeping
- Submitting questions to the speaker
  – Submit a question at any time by using the “Ask a question” section located on the lower left-hand side of your console.
  – Questions about presentation content will be answered during the 10 minute Q&A session at the end of the webcast.
- Technical difficulties?
  – Click on the “Help” link
  – Use the “Ask a question” interface

Main Presentation

Copyright Notices
- ITIL® is a registered trademark of the UK Office of Government Commerce
- COBIT® and IT Control Objectives for Sarbanes-Oxley® are the trademarks of the Information Security Audit and Control Organization
- Visible Ops is the copyright of the IT Process Institute
- This courseware is the property of Spafford Global Consulting, Inc.
- All other trademarks and company names are the property of their respective owners

Why Are People Really Attending?
- To learn about SOX, risk and ITIL?
- Or is it really to learn how to improve costly compliance processes and optimize the overall corporate system?
- ITIL is a means to an end and not the real objective!
- We want to maximize sustainable profits for our investors

Agenda
- The Impacts of Sarbanes-Oxley (SOX)
- Introduction to
  – Risk Management
  – Controls
  – IT Infrastructure Library (ITIL)
- Key ITIL Processes for SOX

The Intent of the Sarbanes-Oxley Act of 2002: to restore investor confidence in public companies

The Results
- Intended Results
  – Quality of filings did improve
  – Controls radically improved (against intentional malicious acts and human error)
- Unintended Results
  – Increased costs to companies (economic, accounting)
  – Flight of foreign companies to other exchanges
  – Reduced public filings
  – Some public companies even went private

Need to Optimize
- Brute force projects implemented controls
- Attention shifted to sustainable controls
- The move is now to optimization
- To optimize
  – We must recognize that compliance is a business requirement that must be factored into the design of services!
  – We must start at the beginning: what are we doing and why?
  – We must recognize the importance of risk management

Why Is Risk Management So Important?
- Limited resources and seemingly unlimited risks!
- Companies need to understand and prioritize risks in order to focus compliance efforts.

The Goal Isn’t This

This Is Our Goal!
- Hence a tension will always exist between balancing compliance and the need to attain our goal

Legal and Regulatory Compliance
- For Sarbanes-Oxley, we want to address risks to the financial reporting process.
- Regulatory compliance is best viewed as a risk that must be managed holistically along with the organization’s other risks.
- This creates tension: too many controls waste resources, yet too few risk internal control problems!
- Beware of over-optimizing localized risks.
  – Turn off the lights and lock the doors
  – Need to manage risks to the organization, not just the department
- The objective is to arrive at a balance between risks, the costs of controls and the need to attain goals for the organization as a whole.
- Our greatest risk is going out of business.

What Is a Risk?
- The probability of a negative event impacting the realization of functional area objectives and/or organizational goals
- Key words
  – Probability: there is a degree of uncertainty
  – Impact: if the event happens, there will be results
  – Organization: focus on objectives and goals
- Does a risk matter if it doesn’t impact a functional area objective or organizational goal?
- In the world of SOX, we are concerned only with risks to the integrity of financial reporting
- Other regulations pose additional risks that must be factored in and managed holistically

Risk Management and SOX
- IT must work with senior management, accounting and internal audit, not around them!
- Critical financial processes must be identified
- Identify the critical financial systems that are involved
- Identify the risks that are present to those financial systems
- Identify the controls that are present and what the residual risk score is
- Is the remaining level of risk (the residual risk) acceptable to the relevant stakeholders?
  – If not, determine how to mitigate the risk
  – If the residual risk is acceptable, then document it and continue to monitor it, but otherwise don’t do anything
- The Shewhart Cycle of Plan – Do – Check – Act applies to risk management as it spurs process evolution

Why Is IT Involved?
- Due to the critical financial systems
  – There isn’t a manual paper trail any longer
  – The data resides in IT systems
  – The logic resides in IT systems, and this includes automated control logic (if the credit score is X then do Y …)
  – The financial reports are generated, at least in part, by the systems
  – If the systems are compromised, then financial reporting is compromised, whether through fraud or through human error (statistically, human error is the most likely source of any problems that will be encountered)
  – On average, over half of the SOX 404 findings in US firms in the last two years were from Information Technology (IT)
- Accounting has hundreds of years of history and evolution of controls
- The willing adoption and improvement of formal IT controls is still nascent
- Due to the potential of revised processes and automation
  – As compliant processes are defined, automation becomes possible

Using Risk Management to Navigate
- Risk Management identifies and prioritizes threats to financial reporting
- Controls identify “what” to do but not “how”
- Best practices such as ITIL and ISO identify “how” to implement controls

Controls

Use Controls to Manage Risk
- Risks cause variation around the achievement of objectives and goals
- Some variation is always present and inevitable
- By implementing processes with adequate controls, we strive to create a reasonable assurance that we can attain our objective
- In the case of SOX, our objective is the integrity of financial reporting

Controls
- A control may be a constraint, but the two are not synonymous
  – Only able to do 100 vs
  – The real question: what was the quality yield before and after?
- A correctly designed and implemented control may actually help you go faster
  – For example, brakes on a car are a control
- All controls should benefit the entity but not necessarily the locality. One area’s productivity may be hindered in order for the overall entity to thrive
  – This is why centralized compliance, risk management, and auditing functions can be beneficial
- Controls are a systemic design requirement
- Do not simply layer controls on top of existing processes without re-engineering
- Does anyone here like cars? Think back to the 1980s and the impact of regulatory emissions requirements on engines and vehicular performance

Two Control Frameworks
- IT Control Objectives for Sarbanes-Oxley from the IT Governance Institute (ITGI), which is part of the Information Systems Audit and Control Association (ISACA)
  – The best choice if SOX is all you are worried about
  – For many organizations, there are additional regulations and other risks to be mitigated as well
  – The second draft aligns with COBIT version four
- Control Objectives for Information and related Technologies (COBIT) from ISACA
  – This is the control framework for the future
  – Its versatility allows for a multitude of uses
  – Version four is very readable and a huge improvement over version three

Don’t Try to Eliminate Risk!
[Chart: Level of Assurance vs. Level of Investment, with the 100% line never reached]
- You can spend a fortune and you will never truly hit a 100% level of assurance
- The objective is to lower risk to an acceptable level, not to eliminate it, because that is not possible!
- Work with senior management and Internal Audit to define what level of residual risk is acceptable
- There is no prize for overly controlled processes, only costs

To implement controls we need company specific processes
- We need to design and implement “controlled processes” based on the goals, functional area objectives, resources, risk appetite and constraints of the firm.

“We should work on the processes, not the outcome of the processes.” -- W. Edwards Deming

Organizational Change
[Chart: Productivity over Time during a change]
- Compliance to regulations represents design requirements
- Changes to processes and mindsets represent cultural change
- Use ITIL and other best practices to compress the curve and increase the probability of success
- Use formal project management to implement processes
- Do not forget the soft skills needed to foster the changes you need

Process Improvement
- The business will change over time
- Resources will change over time
- Risks will change over time
- … and so too must the manner in which IT chooses to manage those risks
* Adapted from ITIL Service Support graphic

Compliance Necessitates Continuous Process Improvement
- Compliance to process
- Effectiveness
- Efficiency
- Economy
- Equality
- You either follow a process or formally change it. There is no other option.

IT Infrastructure Library (ITIL)

What ITIL Represents
- ITIL is the de facto standard approach to IT Service Management
- Developed initially in the UK in the late 1980s
- A new “refresh” will be published in April 2007
- Yes, ITIL is a collection of best practices, but it is far more than that
- It is about IT delivering quality services that meet the needs of the organization
- IT services enable business processes that, in turn, enable the business to meet its goals
- It is a fundamental shift from a focus on technology to a focus on customer service and quality

The ITIL Books
1. Introduction to ITIL
2. Service Support
3. Service Delivery
4. Planning to Implement Service Management
5. Security Management
6. The Business Perspective
7. ICT Infrastructure Management
8. Application Management
9. Small-Scale Implementation
10. Software Asset Management
My stack of the first 9 books is five inches thick, weighs 15.6 pounds and cost over $1,000 USD

Service Support and Delivery Are the Core Books
- Service Support
  – Change Management
  – Configuration Management
  – Service Desk
  – Incident Management
  – Problem Management
- Service Delivery
  – Service Level Management
  – Capacity Management
  – Availability Management
  – IT Financial Management
  – IT Service Continuity Management
- IT Security

Experience Matters
- The books are great resources but don’t give the whole picture
- The books describe ideal states, and organizations must still determine how best to start, what to do, etc.
- Classes can help, but do not follow the “ITIL by Lemming Method”: sending everyone to classes without a plan
- The itSMF has Local Interest Groups (LIGs) where people can exchange ideas
- Experienced practitioners can make a tremendous difference in terms of accelerating implementation and avoiding pitfalls
  – New hires and/or consultants
- Bear in mind that this requires organizational change, and the right people must be involved with the right plan and the right resources

Important ITIL Processes for Consideration
Note: what IT and Management identify as key controls drives process adoption from a compliance perspective.

At Odds?
- Are compliance, security and good business mutually exclusive?
- No, but they don’t always overlap either
- Pick key controls judiciously
- Implement company specific processes and leverage best practices
[Diagram: overlapping circles of Operational Excellence, Compliance and Security]

Control and Release Processes: The Trinity
Quite possibly the three most important processes in terms of regulatory compliance
- Change Management: the set of standardized processes and tools used to handle change requests in order to support the business while managing risks. (Risk Management)
- Release Management: uses formal controls and processes to safeguard the production environment. Coordinates the rollout of changes. (Quality Control)
- Configuration Management: focuses on tracking and documenting configurations and then providing this information to other areas including Change and Release Management. Configuration tracks relationships to understand who is affected and assesses impact. (Logical Model of the IT World)
For more information about a central configuration, change and release function, see the ITIL Service Support volume, Annex 7A

Change Management
- This is a very key control for compliance, security and operational excellence
  – 80% of availability problems are related to human error
  – Fraud gets the majority of press coverage, but it is human error that is most likely to cause integrity/security problems
- The integrity of services can only be guaranteed if changes are controlled
  – A baselined system without change management can no longer be considered baselined!
- An objective detective control is vital
- This process has a needlessly bad reputation; it must be designed and implemented based on organizational needs, including risks
  – This is a process area where expertise can really help. The IT Process Institute’s Visible Ops methodology offers additional insight

Release Management
- This is about quality
- Defining standards for releases
- Understanding requirements, testing, gaining approval
- Project Planning is integral
- With the need to ensure that critical financial systems are properly designed, tested and approved, this process is vital

Configuration Management
- Configuration Management is about having a logical model of IT that includes relationships between configuration items
  – Services, Hardware, Software, Documentation, Data Records, People, Facilities, etc.
- If something is important enough to be in Configuration Management then it must be controlled by Change Management, and vice versa
- Configuration Management never goes in first!
  – If it goes in first, integrity/accuracy cannot be safeguarded
- Either Change Management first, or Change and Configuration Management at the same time
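The Change Management and Configuration Management slides above make two linked points: a baseline means nothing unless every change to it passes through Change Management, and an objective detective control is needed to prove that. The following Python script is an added example, not material from the webcast, Pepperweed Consulting or the IT Process Institute. It models one such detective control: each configuration item (CI) in scope for financial reporting carries a content hash as its baseline attribute (an assumption made here for simplicity; real CMDB attributes are broader), approved Requests for Change record the hash the CI is expected to have afterwards, and a reconciliation run classifies every observed CI as unchanged, authorized, unauthorized, missing or unregistered. All CI names, file contents and RFC identifiers are constructed for the illustration.

```python
"""Detective control: reconcile observed configuration state against the CMDB
baseline and the approved change records (RFCs).

Added example; not code from the webcast. CI names, contents and RFC ids are
constructed. Using a content hash as the baseline attribute is an assumption.
"""
import hashlib
from dataclasses import dataclass, field


def digest(content: str) -> str:
    """SHA-256 of a CI's content, used here as its baseline attribute."""
    return hashlib.sha256(content.encode()).hexdigest()


@dataclass
class ApprovedChange:
    """An approved RFC: which CI it touches and the hash expected afterwards."""
    rfc_id: str
    ci: str
    expected_hash: str


@dataclass
class Report:
    unchanged: list = field(default_factory=list)
    authorized: list = field(default_factory=list)    # (ci, rfc_id) pairs
    unauthorized: list = field(default_factory=list)  # changed, no matching RFC
    missing: list = field(default_factory=list)       # in baseline, not observed
    unregistered: list = field(default_factory=list)  # observed, never baselined


def reconcile(baseline: dict, observed: dict, approved: list) -> Report:
    """Classify every CI by comparing its observed hash to the baseline and RFCs."""
    report = Report()
    approved_by_ci = {(c.ci, c.expected_hash): c.rfc_id for c in approved}
    for ci, base_hash in baseline.items():
        if ci not in observed:
            report.missing.append(ci)
            continue
        now = digest(observed[ci])
        if now == base_hash:
            report.unchanged.append(ci)
        elif (ci, now) in approved_by_ci:
            report.authorized.append((ci, approved_by_ci[(ci, now)]))
        else:
            report.unauthorized.append(ci)
    for ci in observed:
        if ci not in baseline:
            report.unregistered.append(ci)
    return report


def next_baseline(baseline: dict, observed: dict, report: Report) -> dict:
    """Advance the baseline only through authorized changes. A CI that changed
    without an RFC is dropped from the baseline until Change Management has
    investigated, because it can no longer be considered baselined."""
    updated = dict(baseline)
    for ci, _rfc in report.authorized:
        updated[ci] = digest(observed[ci])
    for ci in report.unauthorized:
        updated.pop(ci)
    return updated


# --- constructed sample data: CIs of a hypothetical general-ledger service ---
BASELINE = {
    "gl-app-01:/etc/ledger/app.conf": digest("approval_threshold=10000\nposting_window=08-18\n"),
    "gl-app-01:/etc/ledger/db.conf": digest("host=gl-db-01\nuser=ledger_ro\n"),
    "gl-db-01:/etc/cron.d/nightly-close": digest("0 2 * * * ledger /opt/ledger/close.sh\n"),
}

OBSERVED = {
    # unchanged
    "gl-app-01:/etc/ledger/db.conf": "host=gl-db-01\nuser=ledger_ro\n",
    # changed under an approved RFC
    "gl-app-01:/etc/ledger/app.conf": "approval_threshold=10000\nposting_window=07-19\n",
    # changed with no RFC on record
    "gl-db-01:/etc/cron.d/nightly-close": "0 2 * * * ledger /opt/ledger/close.sh --skip-checks\n",
    # never registered as a CI, so never under Change Management
    "gl-app-01:/etc/ledger/override.conf": "approval_threshold=0\n",
}

APPROVED = [
    ApprovedChange("RFC-0042", "gl-app-01:/etc/ledger/app.conf",
                   digest("approval_threshold=10000\nposting_window=07-19\n")),
]


def run_check():
    """Run one reconciliation and return (report, advanced baseline)."""
    report = reconcile(BASELINE, OBSERVED, APPROVED)
    return report, next_baseline(BASELINE, OBSERVED, report)


if __name__ == "__main__":
    rep, new_base = run_check()
    for name in ("unchanged", "authorized", "unauthorized", "missing", "unregistered"):
        print(f"{name:13}: {getattr(rep, name)}")
```

Run stand-alone, the script reports one unchanged CI, one authorized change traceable to RFC-0042, one unauthorized change to the nightly close job, and one unregistered file that should either be brought under Configuration and Change Management or removed. The unauthorized and unregistered lists are the findings an auditor would want to see feeding Incident or Problem Management; the authorized list is the evidence that the control operated.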

An Additional Function and Processes for Consideration

Service Desk Function
- Serves as the Single Point of Contact (SPOC) for IT
- Effective interpersonal communication is a skill
- Reduces interruptions to IT staff
- Facilitates coordination of activities
- Ensures proper recording of activity
- Often overlaps with Incident Management
- From a SOX perspective, it allows for activity logs to be generated

Incident Management
- Concerned with services not operating normally, or threats to services
- Objective is speedy restoration of service
- Automated alerts should feed into Incident Management
- Allows for tracking of incidents related to critical financial systems / services

Problem Management
- Seeks to establish the root cause of incidents
- Its proactive aspect aims to prevent incidents from happening in the first place
- This makes a lot of sense from an operational excellence perspective
- It could be involved with compliance if there are concerns about availability, security, etc.

Diminishing Returns
- The power of ITIL lies in its systemic integration of process areas, not simply piecemeal adoption
- Any single process in isolation will reach a level of diminishing returns
- As Goldratt has taught us, optimizing the throughput of a system requires optimization of the system, not just one area
- Continuous improvement requires a systemic mentality of adoption and continuous refinement
- Each area both draws information from, and supplies information to, other processes and functions

In Summary
- SOX compliance must be driven by risks
- This necessitates that IT work with the business, and vice versa
- Controls are identified to reduce residual risks to a level acceptable to management
- Controlled processes must be implemented with best practices in mind
  – Compliance is a systemic requirement now and for the future
- ITIL offers not just best practices but a quality management framework for IT
- Risk Management and Continuous Process Improvement must be leveraged for optimization

Thank you for the privilege of facilitating this webcast
George Spafford
Daily News Archive and Subscription Instructions

Questions?

Thank you for attending
If you have any further questions,