Slide 2: Agenda
- What is Sarbanes Oxley?
- COSO Framework (1992 & 2004)
- What does SOX mean for IT?
- Control frameworks – what is available
- CMMI – how does it address the SOX agenda
- CMMI Based Appraisals – Giving Confidence
- Summary
Slide 3: What is Sarbanes Oxley (SOX)?
- The single most important piece of legislation affecting corporate governance, financial disclosure and the practice of public accounting since the US securities laws of the early 1930s

Slide 4: What is Sarbanes Oxley (SOX)?
- US law passed in 2002
- OBJECTIVE: strengthen corporate governance and restore investor confidence
- WHY: a response to major corporate and accounting scandals in prominent companies in the USA

Slide 5: What Does SOX Address?
- New responsibilities for boards of directors
- New responsibilities for management of public companies
- More powers for the Securities and Exchange Commission (SEC)
- Created the Public Company Accounting Oversight Board (PCAOB)
- Criminal penalties for corporate management
Slide 6: What Does SOX Address?

                Section 302                                   Section 404
Who             Management                                    Management and independent auditors
When            July 2002                                     Year-ends beginning 15/11/2004**
What            Management certification on the company's     Management conclusion; auditor attestation
                internal control over financial reporting
Frequency       Quarterly                                     Annual
Slide 7: What Does SOX Mean for UK Companies?
- Public companies
  - US listed, or with a US listed parent
  - SEC registrants
- Private companies
  - Entering a public market (IPO)
  - Acquisition target
  - Best in class internal control framework
  - Complex third parties / relationships with US listed companies
  - Dispersed shareholdings
Slide 8: COSO
- Voluntary organisation: Commission on Fraudulent Financial Reporting
- SEC final rules refer to COSO
- COSO framework – application of SOX
- Original COSO framework: Internal Control
- 2004 COSO framework: Integrated Enterprise

Slide 9: COSO & Internal Control
- The control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
= an integrated system of controls
Slide 11: What Does it Mean for IT?
- IT is a key component of internal controls
- IT supports corporate reporting and compliance
- IT controls exist at three levels:
  - Company level
  - Business process level
  - IT function level
- 2004 PWC survey: 46% increase in IT budget
Slide 13: What Does it Mean for IT? Example – Application Interfaces
- The interface can only be run once for each data set
- Values are completely and accurately transferred from source to target
- Only valid transactions are processed
- Evidence of successful processing is recorded
- In-progress run errors are notified to the operator
- Difficult to evaluate – look to maturity models
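The five interface control objectives on this slide are easier to evaluate when each one maps to a concrete mechanism. The following is an added example, not code from the presentation, showing one way a batch interface can implement all five: a run register keyed on a fingerprint of the data set (run once per data set), a count and control-total reconciliation between accepted rows and what reached the target (complete and accurate transfer), a validation gate (only valid transactions), an evidence record per run (evidence of processing), and an operator alert list (errors notified). The data set, the `InterfaceRunner` class and the validation rule are all constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed sample source data set (not from the presentation).
# T3 and T4 are deliberately invalid so the validation gate has something to reject.
SOURCE_DATASET = [
    {"id": "T1", "account": "ACC-100", "amount": 250.00},
    {"id": "T2", "account": "ACC-200", "amount": -75.50},
    {"id": "T3", "account": "", "amount": 10.00},         # invalid: blank account
    {"id": "T4", "account": "ACC-300", "amount": "abc"},  # invalid: non-numeric amount
]


def dataset_fingerprint(rows):
    """Stable identity for a data set, so a re-submission of the same file is detected."""
    canonical = json.dumps(rows, sort_keys=True, default=str).encode()
    return hashlib.sha256(canonical).hexdigest()


def is_valid(row):
    """Assumed validation rule: non-blank account and a numeric (non-bool) amount."""
    amount = row.get("amount")
    return (
        isinstance(row.get("account"), str)
        and row["account"] != ""
        and isinstance(amount, (int, float))
        and not isinstance(amount, bool)
    )


@dataclass
class InterfaceRunner:
    target: list = field(default_factory=list)        # stands in for the target system
    run_register: dict = field(default_factory=dict)  # fingerprint -> evidence record
    evidence_log: list = field(default_factory=list)  # control 4: evidence of processing
    operator_alerts: list = field(default_factory=list)  # control 5: operator notification

    def run(self, rows):
        fp = dataset_fingerprint(rows)
        # Control 1: the interface can only be run once for each data set.
        if fp in self.run_register:
            self.operator_alerts.append(f"duplicate run rejected for data set {fp[:12]}")
            return self.run_register[fp]

        accepted, rejected = [], []
        for row in rows:
            # Control 3: only valid transactions are processed.
            if is_valid(row):
                accepted.append(row)
            else:
                rejected.append(row["id"])
                # Control 5: in-progress errors are notified to the operator.
                self.operator_alerts.append(f"rejected {row['id']}: failed validation")

        before = len(self.target)
        self.target.extend(accepted)  # the "transfer" step

        # Control 2: completeness and accuracy, checked by reconciling row count and
        # a control total of amounts between what was sent and what the target holds.
        expected_count = len(accepted)
        expected_total = round(sum(r["amount"] for r in accepted), 2)
        landed = self.target[before:]
        reconciled = (
            len(landed) == expected_count
            and round(sum(r["amount"] for r in landed), 2) == expected_total
        )
        if not reconciled:
            self.operator_alerts.append(f"reconciliation failure for data set {fp[:12]}")

        # Control 4: evidence of successful processing is recorded.
        evidence = {
            "dataset": fp,
            "accepted": expected_count,
            "rejected": rejected,
            "control_total": expected_total,
            "reconciled": reconciled,
        }
        self.run_register[fp] = evidence
        self.evidence_log.append(evidence)
        return evidence


if __name__ == "__main__":
    runner = InterfaceRunner()
    print(runner.run(SOURCE_DATASET))
    print(runner.run(SOURCE_DATASET))  # second run of the same data set is refused
    print(runner.operator_alerts)
```

An auditor evaluating this interface would look for exactly these artefacts: the run register as proof against double-posting, the evidence log for every run, the control-total reconciliation result, and the alert trail showing rejected rows were surfaced rather than silently dropped.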
Slide 14: Addressing the Problem
- How to demonstrate control?

Slide 15: Control Frameworks – What is Available?
- BS7799 / ISO…
- ISO 9000:2000
- ITIL
- COBIT
- ITSM
- SAS70
- Baldridge
- FRAG 21
- CMMI
- EFQM BEM
- SW-CMM
- SPICE
- SE-CMM
Slide 16: Strengths of CMMI
- Integrated Model
- Directly involves Senior Management
- Improvement Model
- Customise the approach to fit organisation need, e.g. Staged or Continuous Representation
- Appraisal Methods

Speaker notes:
- Integrated Model: covers SW, Systems, IPPD & SS; an integrated approach with business objectives
- Directly Involves Senior Management: the model directly requires senior management participation; it gives specific "hints" on where and how senior management should be involved; the model is strong on linking measurement needs to management information needs
- Improvement Model: it doesn't just give you a model, it also helps you chart your way through; a model of how to introduce change into a business while still staying in control
- Appraisal Methods: a rigorous, repeatable approach (Class A) through to quick and dirty (Class C); a means of evaluating progress; a means of demonstrating control of improvement; an appraisal of maturity demonstrates a level of control
Slide 17: Remember
- A model is not a process.
- The model shows what to do, NOT how to do it or who does it.

Slide 18: How Can CMMI Help?
(diagram residue: CMMI & ITIL, with legend labels "STRONG INFLUENCE" and "SOME INFLUENCE")
Slide 19: Software Development & Maintenance

Maturity Level                    Process Areas
5 – Optimising                    Organisational Innovation & Deployment; Causal Analysis & Resolution
4 – Quantitatively Managed        Organisational Process Performance; Quantitative Project Management
3 – Defined                       Organisational Process Focus; Organisation Process Definition; Organisational Training;
                                  Organisational Environment for Integration; Integrated Teaming; Decision Analysis & Resolution;
                                  Integrated Supplier Management; Requirements Development; Product Integration; Risk Management;
                                  Integrated Project Management; Technical Solution; Verification; Validation
2 – Managed                       Requirements Management; Project Planning; Project Monitoring & Control; Supplier Agreement Management;
                                  Measurement & Analysis; Process & Product Quality Assurance; Configuration Management

Speaker notes:
- The story is one of developing the ability to control SW development and maintenance as the maturity of the organisation increases.
- Maturity Level 2: the organisation can demonstrate a basic level of controls.
- Engineering process areas build on the control obtained at ML2, but also apply directly within the application controls.
Slide 21: Institutionalisation – The Generic Practices
- GP 2.1: Establish an Organisational Policy
- GP 2.2: Plan the Process
- GP 2.3: Provide Resources
- GP 2.4: Assign Responsibility
- GP 2.5: Train People
- GP 2.6: Manage Configurations
- GP 2.7: Identify and Involve Relevant Stakeholders
- GP 2.8: Monitor and Control the Process
- GP 2.9: Objectively Evaluate Adherence
- GP 2.10: Review Status with Higher Level Management
Slide 24: CMMI Appraisal Method Classes

Characteristics                                 Class A          Class B                           Class C
Amount of objective evidence gathered (relative) High             Medium                            Low
Ratings generated                                Yes              No                                No
Resource needs (relative)                        High             Medium                            Low
Team size (relative)                             Large            Medium                            Small
Appraisal team leader requirements               Lead appraiser   Lead appraiser or person trained  Person trained and experienced
                                                                  and experienced

Speaker notes:
- State that there are three classes of appraisals. They are described in a requirements document that can be found on the CMMI web site.
- The three key differentiating attributes for appraisal classes are: the degree of confidence in the appraisal outcomes; the generation of ratings; appraisal cost and duration.
- State that Class C is the least formal. Organizations may choose to use it very routinely (maybe monthly).
- State that Class B is more formal. Organizations may choose to use it periodically (maybe every 6-12 months).
- State that Class A is very formal. Organizations must use Class A if a rating is desired.
- Extracted from Appraisal Requirements for CMMI, Version 1.1 (ARC) (CMU/SEI-2001-TR-034)
Slide 25: Features of SCAMPI Appraisals
- Team approach: internal and external team members
- Rigorous method: repeatable
- Objective evidence based (PIIDs): direct, indirect and affirmation
- Generates specific data for process improvement
- Rigour + part of the PI effort = organisation establishing control

Slide 26: Summary
- Sarbanes Oxley brings new requirements for organisations to demonstrate control of their processes
- CMMI is one vehicle that can be used to demonstrate this compliance
- CMMI's advantages:
  - Integrated model
  - Process areas and practices provide tangible steps
  - Appraisal process provides confidence and evidence of the way forward
Slide 28: SCAMPI Class A Pre On-site Activities
Instructor notes: This graphic is notional and does not represent a specific time line. As a Lead Appraiser, identify the pre on-site activities that have been performed, and identify to the participants that they are now on the box labeled "Train Team." You will see this slide again in Module D several times. Each time it appears, a dark red box will appear in the background indicating the particular area of focus for the upcoming slides. The red box will move as the course progresses.

Slide 29: SCAMPI Class A On-site Activities
Instructor notes: Identify that the blue box "Confirming Practice Implementation" is where the team will be spending most of its time. Three modules are dedicated to this box (Modules E, F, and G). When the class gets to these modules, this box will be expanded to identify the detailed tasks. Note: the Report Results phase is included in this graphic.

Slide 30: Characterizing Practice Implementation
Instructor notes: Point out that "Characterizing" will be covered in Module G in a great deal of detail. Point out that the term "substantial" is used here versus "significant", which is the term used when rating. The instructor should make the students aware of how to characterize the following potential situation: "Situations where the project has not yet reached the appropriate point in time where the practice would be enacted are omitted from this characterization." (MDD Activity, Implementation Guidance)