
Using ITIL to Improve Sarbanes-Oxley Related IT Processes. By George Spafford, Principal Consultant, Pepperweed Consulting, LLC. October 31, 2006.


2 Copyright Notices
ITIL® is a registered trademark of the UK Office of Government Commerce (http://www.ogc.gov.uk/index.asp?id=2261)
COBIT® and IT Control Objectives for Sarbanes-Oxley® are trademarks of the Information Security Audit and Control Organization (http://www.isaca.org)
Visible Ops is the trademark of the IT Process Institute (http://www.itpi.org)
This courseware is the property of Spafford Global Consulting, Inc.
All other trademarks and company names are the property of their respective owners

3 Agenda
The Impacts of Sarbanes-Oxley (SOX)
Introduction to
  – Risk Management
  – Controls
  – IT Infrastructure Library (ITIL)
Key ITIL Processes for SOX

4 The Intent To restore confidence in public companies

5 The Results
Intended Results
  – Quality of filings did improve
  – Controls radically improved
    – Intentional malicious acts
    – Human error
Unintended Results
  – Increased costs to companies
    – Economic
    – Accounting
  – Flight of foreign companies to other exchanges
  – Reduced public filings
  – Some public companies went private

6 Need to Optimize
Brute-force projects implemented controls
Attention shifted to sustainable controls
The move is now to optimization
To optimize, we must start at the beginning
Risk management must drive everything

7 Why is risk management so important?
Limited resources and seemingly unlimited risks!
US companies are adopting a risk-based approach and going after what matters most in order to be sustainable.
It makes sense to spend $1,000 to safeguard $1 billion, but not to safeguard $100.
Understand and prioritize risks to focus compliance efforts.

8 The Goal Isn’t This

9 This is Our Goal!

10 Legal and Regulatory Compliance
For Sarbanes-Oxley, we want to address risks to the financial reporting process.
Regulatory compliance is best viewed as a risk that must be managed holistically along with the organization’s other risks.
Compliance is not the goal of an organization. This creates tension – too many controls are wasteful, yet too few risk internal control problems.
Beware of over-optimizing localized risks.
  – “Turn off the lights and lock the doors”
  – Need to manage risks to the organization – not just the department
The objective is to arrive at a balance between risks and the costs of controls for the organization as a whole.

11 What is a risk?
The probability of a negative event impacting the realization of functional area objectives and/or organizational goals
Key words
  – Probability – there is a degree of uncertainty
  – Impact – if the event happens, there will be results
  – Organization – focus on objectives and goals
Does a risk matter if it doesn’t impact a functional area objective or organizational goal?
In the world of SOX, we are just concerned with risks to the integrity of financial reporting
Other regulations pose additional risks that must be factored in and managed holistically

12 Risk Management and SOX
IT must work with senior management, accounting and internal audit – not around them!
Critical financial processes must be identified
Identify the critical financial systems that are involved
Identify the risks that are present to those financial systems
Identify the controls that are present and what the residual risk score is
Is the remaining level of risk (the residual risk) acceptable to the relevant stakeholders?
  – If not, determine how to mitigate the risk
  – If the residual risk is acceptable, then document it and continue to monitor it, but otherwise don’t do anything
The Shewhart Cycle of Plan – Do – Check – Act applies to risk management, as it spurs process evolution

13 Why is IT involved?
Due to the critical financial systems
  – There isn’t a manual paper trail any longer
  – The data resides in IT systems
  – The logic resides in IT systems, and this includes automated control logic (if the credit score is X, then do Y …)
  – The financial reports are generated, at least in part, by the systems
  – If the systems are compromised, then financial reporting is compromised
    – Fraud
    – Human error (statistically, this is the most likely source of any problems that will be encountered)
  – On average, over half of the SOX 404 findings in US firms in the last two years were from Information Technology (IT)
Accounting has hundreds of years of history and evolution of controls
The willing adoption and improvement of formal IT controls is still nascent
Due to the potential of revised processes and automation
  – As compliant processes are defined, automation becomes possible

14 Controls

15 Use Controls to Manage Risk
Risks cause variation around the achievement of objectives and goals
Some variation is always present and inevitable
By implementing processes with adequate controls, we strive to create a reasonable assurance that we can attain our objective
In the case of SOX, our objective is the integrity of financial reporting

16 Controls
A control may be a constraint, but the two are not synonymous
  – Only able to do 100 vs. 1,000
  – The real question – what was the quality yield before and after?
A correctly designed and implemented control may actually help you go faster
  – For example, brakes on a car are a control
All controls should benefit the entity but not necessarily the locality. One area’s productivity may be hindered in order for the overall entity to thrive
  – One reason why centralized auditing is beneficial
Controls are a systemic design requirement
Do not simply layer controls on top of existing processes without re-engineering
Does anyone here like cars? Think back to the 1980s and the impact of regulatory emissions requirements on engines and vehicular performance

17 Two Control Frameworks
IT Control Objectives for Sarbanes-Oxley from the IT Governance Institute (ITGI), which is part of the Information Systems Audit and Control Association (ISACA)
  – The best choice if SOX is all you are worried about
  – For many organizations, there are additional regulations and other risks to be mitigated as well
  – The second draft aligns with COBIT version four
Control Objectives for Information and related Technologies (COBIT) from ISACA
  – This is the control framework for the future
  – Versatility allows for a multitude of uses
  – Version four is very readable and a huge improvement over version three

18 Don’t try to eliminate risk!
(Chart: Level of Assurance plotted against Level of Investment, approaching but never reaching 100%)
You can spend a fortune and you will never truly hit a 100% level of assurance
The objective is to lower risk to an acceptable level, not to eliminate it, because that is not possible!
Work with senior management and Internal Audit to define what level of residual risk is acceptable
There is no prize for overly controlled processes – only costs

19 To implement controls, we need company-specific processes

20 “We should work on the processes, not the outcome of the processes.” -- W. Edwards Deming

21 Organizational Change
Compliance with regulations represents design requirements
Changes to processes and mindsets represent cultural change
Use ITIL and other best practices to compress the curve and increase the probability of success
Use formal project management to implement processes
Do not forget the soft skills needed to foster the changes you need

22 Process Improvement
The business will change over time
Resources will change over time
Risks will change over time
… and so too must the manner in which IT chooses to manage those risks
* Adapted from ITIL Service Support graphic

23 Compliance Necessitates Continuous Process Improvement
Compliance to process
Effectiveness
Efficiency
Economy
Equality
You either follow a process or formally change it. There is no other option.

24 Using Risk Management to Navigate
Risk Management identifies and prioritizes threats
Controls identify “what” to do but not “how”
Best practices such as ITIL and ISO 17799 identify “how” to implement controls

25 IT Infrastructure Library (ITIL)

26 What ITIL Represents
ITIL is the de facto standard approach to IT Service Management
Developed initially in the UK in the late 1980s
Yes, it is a collection of best practices, but it is far more than that
It is about IT delivering quality services that meet the needs of the organization
IT services enable business processes that, in turn, enable the business to meet goals
It is a fundamental shift from a focus on technology to a focus on customer service and quality

27 The ITIL Books
1. Introduction to ITIL
2. Service Support
3. Service Delivery
4. Planning to Implement Service Management
5. Security Management
6. The Business Perspective
7. ICT Infrastructure Management
8. Application Management
9. Small-Scale Implementation
10. Software Asset Management
My stack of the first 9 books is five inches thick, weighs 15.6 pounds and cost over $1,000 USD

28 Service Support and Delivery are the Core Books
Service Support
  – Change Management
  – Configuration Management
  – Service Desk
  – Incident Management
  – Problem Management
Service Delivery
  – Service Level Management
  – Capacity Management
  – Availability Management
  – IT Financial Management
  – IT Service Continuity Management
IT Security

29 Experience
The books are great resources but don’t give the whole picture
The books describe ideal states, and organizations must still determine how best to start, what to do, etc.
Experienced practitioners can make a tremendous difference
The itSMF has Local Interest Groups (LIGs) where people can exchange ideas

30 Key ITIL Processes

31 Control and Release Processes
Change Management is the set of standardized processes and tools used to handle change requests in order to support the business while managing risks. (Risk Management)
Release Management uses formal controls and processes to safeguard the production environment, and coordinates the rollout of changes. (Quality Control)
Configuration Management focuses on tracking and documenting configurations and then providing this information to other areas, including Change and Release Management. Configuration Management tracks relationships to understand who is affected and assesses impact.
For more information about a central configuration, change and release function, see the ITIL Service Support volume, Annex 7A

32 Change Management

33 Configuration Management

34 Release Management

35 Service Desk Function

36 Incident Management

37 Problem Management

38 In Summary
SOX compliance must be driven by risks
Controls are identified to reduce residual risks to a level acceptable to management
Controlled processes must be implemented with best practices in mind
ITIL offers not just best practices but a quality management framework for IT
Risk Management and Continuous Process Improvement must be leveraged for optimization

39 Thank you for the privilege of facilitating this webcast
George Spafford
George.Spafford@Pepperweed.com
http://www.pepperweed.com
Daily News Archive and Subscription Instructions: http://www.spaffordconsulting.com/dailynews.html
