1 Sarbanes Oxley & CMMI Mazars / Lamri
April 2005

2 Agenda
- What is Sarbanes Oxley?
- COSO Framework (1992 & 2004)
- What does SOX mean for IT?
- Control frameworks – what is available
- CMMI – how does it address the SOX agenda
- CMMI Based Appraisals – Giving Confidence
- Summary

3 What is Sarbanes Oxley (SOX) ?
Single most important piece of legislation affecting corporate governance, financial disclosure and the practice of public accounting since the US securities laws of the early 1930s

4 What is Sarbanes Oxley (SOX) ?
- US law passed in 2002
- OBJECTIVE – strengthen corporate governance and restore investor confidence
- WHY – response to major corporate & accounting scandals in prominent companies in the USA

5 What Does SOX Address?
- New responsibilities for boards of directors
- New responsibilities for management of public companies
- More powers for the Securities and Exchange Commission (SEC)
- Created the Public Company Accounting Oversight Board (PCAOB)
- Criminal penalties for corporate management

6 What Does SOX Address? Section 302 vs Section 404
Section 302 – Who: Management. When: July 2002. What: Management certification on the company's internal control over financial reporting. Frequency: Quarterly.
Section 404 – Who: Management and independent auditors. When: Year-ends beginning 15/11/2004**. What: Management conclusion plus auditor attestation. Frequency: Annual.

7 What Does SOX Mean for UK Companies?
- Public companies: US listed or listed parent; SEC registrants
- Private companies: entering a public market (IPO); acquisition target; "best in class" internal control framework; complex third parties / relationships with US listed companies; dispersed shareholdings

8 COSO
- Voluntary organisation (Commission on Fraudulent Financial Reporting)
- SEC final rules refer to COSO
- COSO framework – application of SOX
- Original COSO framework: Internal Control
- 2004 COSO framework: Integrated Enterprise

9 COSO & Internal Control
- The control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
= integrated system of controls

10 COSO & Integrated Framework (2004)
- Expands the 1992 framework; includes objective setting
- Entity objectives: Strategic, Operations, Reporting, Compliance

11 What Does it Mean for IT?
- IT is a key component of internal controls
- IT supports corporate reporting & compliance
- IT controls exist at company level, business process level and IT function level
- 2004 PWC survey – 46% increase in IT budget

12 What Does it Mean for IT?

13 What Does it Mean for IT? Example – Application Interfaces
- Interface can only be run once for each data set
- Values are completely & accurately transferred from source to target
- Only valid transactions are processed
- Evidence of successful processing is recorded
- In-progress run errors are notified to the operator
Difficult to evaluate – look to maturity models
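The five interface control objectives above map directly onto code. The following is an added worked example, not taken from the presentation or from Mazars/Lamri: a batch interface that posts a constructed sales extract into a ledger target. The data set fingerprint, `LedgerTarget`, `InterfaceRunner` and the sample records are all assumptions made for illustration. It refuses a second run of the same data set (run-once), reconciles count and hash totals between what the source sent and what the target acknowledges before committing (complete & accurate), rejects malformed transactions (valid only), appends an audit record for every run (evidence), and calls an operator notification hook on each rejection, mismatch or duplicate (error notification).

```python
"""Added example: application-interface controls for a batch posting run.

Constructed for this page; not the presentation's own material. The sample
extract, the target and the runner are illustrative assumptions.
"""
import hashlib
import json
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Constructed sample extract: transaction id, GL account, amount as a string.
SAMPLE_EXTRACT = [
    {"txn_id": "T001", "account": "4000", "amount": "125.50"},
    {"txn_id": "T002", "account": "4000", "amount": "-40.00"},
    {"txn_id": "T003", "account": "", "amount": "10.00"},       # missing account
    {"txn_id": "T004", "account": "5000", "amount": "12.345"},  # not a money amount
]


class LedgerTarget:
    """Receiving system (assumed): stages a batch, acknowledges what it holds, then commits."""

    def __init__(self):
        self.posted = []
        self._staged = []

    def stage(self, records):
        self._staged = list(records)
        return self._staged  # acknowledged records, used for reconciliation

    def commit(self):
        self.posted.extend(self._staged)
        self._staged = []

    def rollback(self):
        self._staged = []


@dataclass
class RunResult:
    status: str  # "complete", "aborted" or "duplicate"
    dataset_id: str
    fingerprint: str
    posted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)  # (txn_id, reason)
    control_totals: tuple = (0, Decimal("0"))  # (record count, hash total of amounts)


def fingerprint(records):
    """Canonical hash of the data set; identical content (and order) gives the same key."""
    canonical = json.dumps(records, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def validate(rec):
    """Return None if the record may be posted, otherwise the rejection reason."""
    if not rec.get("txn_id") or not rec.get("account"):
        return "missing key field"
    try:
        amount = Decimal(rec["amount"])
    except (InvalidOperation, KeyError, TypeError, ValueError):
        return "amount not numeric"
    if amount.as_tuple().exponent < -2:
        return "amount has more than two decimal places"
    return None


def control_totals(records):
    """Count and hash total: the figures source and target must agree on."""
    return len(records), sum((Decimal(r["amount"]) for r in records), Decimal("0"))


class InterfaceRunner:
    def __init__(self, target, notify):
        self.target = target
        self.notify = notify  # operator notification hook (control: errors notified)
        self.run_ledger = {}  # fingerprint -> completed RunResult (control: run once)
        self.audit_log = []  # append-only evidence of every run (control: evidence)

    def _record(self, result):
        self.audit_log.append((result.dataset_id, result.fingerprint, result.status,
                               len(result.posted), len(result.rejected)))
        return result

    def run(self, dataset_id, records):
        fp = fingerprint(records)
        if fp in self.run_ledger:  # this data set has already been posted
            self.notify(f"{dataset_id}: data set already processed, run refused")
            return self._record(RunResult("duplicate", dataset_id, fp))
        valid, rejected = [], []
        for rec in records:  # only valid transactions go forward
            reason = validate(rec)
            if reason:
                rejected.append((rec.get("txn_id"), reason))
                self.notify(f"{dataset_id}: rejected {rec.get('txn_id')}: {reason}")
            else:
                valid.append(rec)
        expected = control_totals(valid)  # what the source sent
        actual = control_totals(self.target.stage(valid))  # what the target acknowledges
        if expected != actual:  # incomplete or inaccurate transfer: do not commit
            self.target.rollback()
            self.notify(f"{dataset_id}: control totals {expected} != {actual}, run aborted")
            result = RunResult("aborted", dataset_id, fp, [], rejected, expected)
        else:
            self.target.commit()
            result = RunResult("complete", dataset_id, fp, valid, rejected, expected)
            self.run_ledger[fp] = result  # only completed runs block a re-run
        return self._record(result)
```

An aborted run is deliberately not entered in the run ledger, so the operator can fix the target and re-run the same data set; a completed run is, so the same extract cannot be posted twice even under a different batch name. The audit log is what an auditor would sample as evidence of successful processing.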

14 Addressing the Problem
How to demonstrate control?

15 Control Frameworks – What is Available?
BS7799 / ISO…, ISO 9000:2000, ITIL, COBIT, ITSM, SAS70, Baldrige, FRAG 21, CMMI, EFQM BEM, SW-CMM, SPICE, SE-CMM

16 Strengths of CMMI
- Integrated Model: SW, Systems, IPPD & SS; an integrated approach tied to business objectives
- Directly Involves Senior Management: the model directly requires senior management participation; it gives specific "hints" where and how senior management should be involved; it is strong on linking measurement needs to management information needs
- Improvement Model: customise the approach to fit the organisation's need (e.g. staged or continuous representation); it doesn't just give you a model, it also helps you chart your way through; a model of how to introduce change into a business while still staying in control
- Appraisal Methods: rigorous, repeatable approach (Class A) through to quick & dirty (Class C); a means of evaluating progress; a means of demonstrating control of improvement; an appraisal of maturity demonstrates a level of control

17 Remember
A model is not a process. The model shows what to do, NOT how to do it or who does it.


19 Software Development & Maintenance (staged representation)
MATURITY LEVEL – PROCESS AREAS
- 5 Optimising: Organisational Innovation & Deployment; Causal Analysis & Resolution
- 4 Quantitatively Managed: Organisational Process Performance; Quantitative Project Management
- 3 Defined: Organisational Process Focus; Organisational Process Definition; Organisational Training; Organisational Environment for Integration; Integrated Teaming; Decision Analysis & Resolution; Integrated Supplier Management; Requirements Development; Technical Solution; Product Integration; Verification; Validation; Risk Management; Integrated Project Management
- 2 Managed: Requirements Management; Project Planning; Project Monitoring & Control; Supplier Agreement Management; Measurement & Analysis; Process & Product Quality Assurance; Configuration Management
The story is one of developing the ability to control software development & maintenance as the maturity of the organisation increases. At Maturity Level 2 the organisation can demonstrate a basic level of controls. The Engineering process areas build on the control obtained at ML2, but also apply directly within the application controls.

20 CMMI Continuous Representation
CATEGORY – PROCESS AREAS
- Project Management: Project Planning; Project Monitoring & Control; Supplier Agreement Management; Risk Management; Integrated Teaming; Integrated Project Management; Quantitative Project Management; Integrated Supplier Management
- Engineering: Requirements Management; Requirements Development; Technical Solution; Validation; Verification; Product Integration
- Support: Configuration Management; Measurement & Analysis; Process & Product Quality Assurance; Decision Analysis & Resolution; Causal Analysis & Resolution; Organisational Environment for Integration
- Process Management: Organisational Process Focus; Organisational Process Definition; Organisational Training; Organisational Innovation & Deployment; Organisational Process Performance
CAPABILITY LEVELS: 5 Optimising; 4 Quantitatively Managed; 3 Defined; 2 Managed; 1 Performed; 0 Incomplete

21 Institutionalisation – The Generic Practices
- GP 2.1: Establish an Organisational Policy
- GP 2.2: Plan the Process
- GP 2.3: Provide Resources
- GP 2.4: Assign Responsibility
- GP 2.5: Train People
- GP 2.6: Manage Configurations
- GP 2.7: Identify and Involve Relevant Stakeholders
- GP 2.8: Monitor and Control the Process
- GP 2.9: Objectively Evaluate Adherence
- GP 2.10: Review Status with Higher Level Management

22 SOX – CMMI & ITIL
ITIL service management processes (source: BS :2002):
- Service Delivery Processes: Capacity Management; Information Security Management; Service Level Management; Service Continuity & Availability Management; Service Reporting; Budgeting & Accounting for IT Services
- Control Processes: Configuration Management; Change Management
- Release Processes: Release Management
- Resolution Processes: Incident Management; Problem Management
- Relationship Processes: Business Relationship Management; Supplier Management
CMMI process areas and practices the slide maps onto these processes: PP & OPP (partially), MA & GP 2.8, CM, PI, PPQA, OPF, CAR, SAM & ISM.

23 CMMI Based Appraisals - Giving Confidence

24 CMMI Appraisal Method Classes
Characteristic – Class A / Class B / Class C
- Amount of objective evidence gathered (relative): High / Medium / Low
- Ratings generated: Yes / No / No
- Resource needs (relative): High / Medium / Low
- Team size (relative): Large / Medium / Small
- Appraisal team leader requirements: Lead appraiser / Person trained and experienced / Person trained and experienced
There are three classes of appraisal, described in a requirements document on the CMMI web site. The three key differentiating attributes for appraisal classes are: degree of confidence in the appraisal outcomes; whether ratings are generated; appraisal cost and duration. Class C is the least formal; organisations may choose to use it routinely (maybe monthly). Class B is more formal; organisations may use it periodically (maybe every 6–12 months). Class A is very formal; organisations must use Class A if a rating is desired.
Extracted from Appraisal Requirements for CMMI, Version 1.1 (ARC) (CMU/SEI-2001-TR-034)

25 Features of SCAMPI Appraisals
- Team approach: internal & external team members
- Rigorous method: repeatable
- Objective evidence based (PIIDs): direct, indirect & affirmation
- Generates specific data for process improvement
Rigor + part of the process improvement effort = organisation establishing control

26 Summary
- Sarbanes Oxley brings new requirements for organisations to demonstrate control of their processes
- CMMI is one vehicle that can be used to demonstrate this compliance
- CMMI's advantages: an integrated model; process areas & practices provide tangible steps; the appraisal process provides confidence and evidence of the way forward

27 Questions ?

28 SCAMPI Class A Pre On-site Activities
This graphic is notional and does not represent a specific time line. As a Lead Appraiser, identify the pre on-site activities that have been performed, and identify to the participants that they are now on the box labeled “Train Team.” You will see this slide again in Module D several times. Each time it appears, a dark red box will appear in the background indicating the particular area of focus for the upcoming slides. The red box will move as the course progresses.

29 SCAMPI Class A On-site Activities
Identify that the blue box “Confirming Practice Implementation” is where the team will be spending most of its time. Three modules are dedicated to this box (Modules E, F, and G). When the class gets to these modules, this box will be expanded to identify the detailed tasks. Note: The Report Results phase is included in this graphic

30 Characterizing Practice Implementation
Point out that “Characterizing” will be covered in Module G in a great deal of detail. Point out the term substantial is used here versus significant which is the term used when rating. Instructor should make the students aware of how to characterize the following potential situation: “Situations where the project has not yet reached the appropriate point in time where the practice would be enacted are omitted from this characterization.” (MDD Activity , Implementation Guidance)
