Lessons Learned from Sarbanes-Oxley: A Data Perspective
By Gwen Thomas, Editor, SOX-online
Copyright 2005 SOX-online. All Rights Reserved. Contact Gwen Thomas at [email protected]
Agenda: Morning
• Overview
  – Introductions
  – What Do You Want?
  – Background
  – How Important is SOX?
  – Effect of SOX on Your Company and The Change in Executive Mindset
  – The New Paradigm for Data Departments: Do it – Control it – Doc it – Prove it
• Talking the Talk
  – The Language of Risk Management
  – What Risks Do You Manage?
Agenda: Afternoon
• Controls
  – Definitions
  – The Controls Hierarchy
• Results of Audits
  – Common Control Deficiencies
  – Database Controls
• Challenges and Opportunities
  – Where Are You at Risk?
  – How Can You Benefit From SOX?
Introductions
Gwen Thomas
• Editor of www.sox-online.com and SarboxAlert (www.riskcenter.com/sarboxalertdownload.php)
• Consultant in Data Governance and Sarbanes-Oxley issues, independently and in partnership with system integrator CIBER, Inc.
• Recent work:
  – A Northeastern Blue Cross Blue Shield
  – Walt Disney World
  – Ford International Headquarters
  – Coors Brewing Company
  – NDCHealth
  – Mail-Well
  – ESAI
  – Giant Eagle
Introductions
www.SOX-online.com
• Free
• The web's largest vendor-neutral Sarbanes-Oxley information site
• 2 years old
• Thousands of news articles
• Hundreds of pages of reference material and humor
• Advice columnist: Ms. Sarbox
Introductions
SarboxAlert
www.riskcenter.com/sarboxalertdownload.php
• Bi-weekly subscription newsletter
• Covers SOX-related issues in depth
• Comes with downloadable, ready-to-use Sarbanes-Oxley Project Management Templates
Introductions
Who Are You, and What Do You Want?
• What Companies Are Represented Here Today?
• Who Are Your Auditors?
  – E&Y, Deloitte, KPMG, PricewaterhouseCoopers, Other, Don’t Know
• Who Helped You Prepare Last Year?
  – E&Y, Deloitte, KPMG, PricewaterhouseCoopers, Other, Don’t Know
• Do You Have to Provide SAS 70 Reports?
• What Positions Do You Hold?
• What Are Your Goals for Today?
Background
Why Sarbanes-Oxley?
Investors and politicians got fed up with…
• Fraud
• Greed
• Plausible deniability by executives
• No way to truly gauge the financial health of a company
• Too little transparency into processes
• Lack of accountability
Background
Sarbanes-Oxley FAQs
• The Sarbanes-Oxley Act was passed in 2002.
• Sponsors: US Senator Paul Sarbanes and US Representative Michael Oxley.
• Applies to: publicly traded companies.
• Overseen by the SEC and the new Public Company Accounting Oversight Board (PCAOB).
More information:
www.sox-online.com/basics.html
www.sox-online.com/sarbanes_and_oxley.html
www.sox-online.com/act.html
www.sox-online.com/pcaob.html
Background
Stated Purpose of the Act
To strengthen corporate governance and restore investor confidence
Background
What’s it REALLY About?
It’s the data, stupid!
SOX humor:
• www.soxonline.com/sox_humor.html
• www.soxonline.com/ms_sarbox.html
• www.soxonline.com/sing_along_with_sarbox.html
How Important is SOX?
If a Public Company Fails…
• If they report material weaknesses and/or fail the audit: market reaction (falling stock price)
• If the CEO/CFO submits a bad certification: a fine up to $1 million and imprisonment for up to ten years. If it was submitted “willfully”: the fine can be increased up to $5 million and the prison term can be increased up to twenty years.
• If certain actions aren't taken (e.g., hotline): SEC can order delisting
Your Input: How Did Your Company Do?
Last year, did your company
• Pass your 404 audit
• Fail your 404 audit
• Not have a 404 audit
• Don’t know
Did your company report weaknesses?
How Important is SOX?
How Bad is Market Reaction?
Companies are “relieved” when their announcements result in “only” a 3% drop in their stock price.
How Important is SOX?
How Bad is Market Reaction?
How you can determine the potential cost of not passing your audit:
• What’s your company worth?
• What’s 3% of that?
Examples:
• 3% of $100 million is $3 million
• 3% of a billion is $30 million
How Important is SOX?
What This Means to You
A high enough potential cost means… you should be able to get the attention of management if you believe your department is at risk.
How Important is SOX?
What This Means to You
Also… using hard numbers can help justify productivity tools if they can also keep you from failing an audit.
Reminder: Just because they didn’t fail you for something THIS year doesn’t mean they won’t NEXT year.
Effect of SOX on Your Company
Effect on Board of Directors
• Must include independent directors
• More liability
• They must hire and deal with auditors (execs can't any more)
• New responsibilities for committees – audit committee especially
• Must provide oversight of the internal control system
To read sections of the Act that apply to Boards: www.sox-online.com/act_sections.html
Effect of SOX on Your Company
Effect on Executives
• Can't control auditors
• CEO and CFO must attest to data in financial reports – no more plausible deniability
• CEO and CFO must attest to adequate internal controls
• New executive mindset = trickle-down effect on other executives and managers
More information about key sections of the Act: www.sox-online.com/act_sections.html
Management Responsibilities: www.sox-online.com/as02.html
Effect of SOX on Your Company
Effect on Finance Dept.
• Financial data must unambiguously roll up from multiple departments and locations into a single report (a problem if multiple systems are in place)
• Processes must be documented
• Controls over processes must be documented
• Much more…
SOX Accounting and Auditing Center: www.sox-online.com/acc_aud.html
Accountant jokes: www.sox-online.com/accountant_jokes.html
The New Paradigm for Data Departments:
Effect on Data Departments
• Effect on funding and time reporting
• Effect on financial systems and the staff that support them
• Extra responsibilities – and more are coming
Bottom line:
Before: “Just Do It!”
Now: “Do it – Control It – Document it – Prove it!”
Do it – Control it – Doc it – Prove it
What Does “Just Do It” Mean?
• You still have to do your jobs.
• You still have to do your jobs.
• You still have to do your jobs!!!
But now, there’s intense interest in what the job entails, and who's doing it.
Why? A corporate focus on Governance, Risk, Controls, and Security (GRCS).
Do it – Control it – Doc it – Prove it
Why You Should Understand GRCS (Governance, Risk, Controls, Security)
• Your auditors must issue an adverse opinion (failed audit) if your company has inadequate governance or inadequate security
• Does this mean data governance? Not last year…
• Does this mean security at the database level? Yes!
Do it – Control it – Doc it – Prove it
Why You Should Understand GRCS (Governance, Risk, Controls, Security)
SOX requires that all companies assess their risk, using a universal risk language (e.g., probability, impact of risks) and risk framework.
GRCS: Measuring Risk
Risk = Probability times Impact
• Probability: the probability of the risk occurring
• Impact: the impact if the risk does occur
GRCS: Managing Risk
Goal: lower the probability of the risk occurring, or the impact if the risk does occur, or both.
GRCS: Risk Frameworks
• SOX says you must use an industry-recognized risk framework
• Most commonly used:
  – COSO
  – COBIT (supplemented with ISO 17799 and sometimes ITIL)
GRCS: COSO Control Framework
• Focuses on fiduciary controls
• Has five control components:
  – Control Environment
  – Risk Assessment
  – Control Activities
  – Information and Communication
  – Monitoring
GRCS: COSO-ERM Framework
Enterprise Risk Management focus
GRCS: COBIT Control Framework
• COBIT = Control Objectives for Information and Related Technologies
• Open standard published by the IT Governance Institute (ITGI) and the Information Systems Audit and Control Association (ISACA)
• Addresses information quality and security requirements in seven overlapping categories:
  – effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information.
GRCS: Using COBIT for SOX
• SOX concentrates on “CIA” data qualities
  – Confidentiality
  – Integrity
  – Availability
• COBIT is comprehensive – contains much more than is needed for SOX
• ITGI has published guidance: IT Control Objectives for Sarbanes-Oxley
• COBIT doesn’t focus enough on security to satisfy SOX: most companies use the ISO 17799 standard.
Your Input: Where Do You Fit In?
• What Risks Do You Help Manage?
• How?
• What Tools Are You Missing to Help Do a Better Job?
Talking the Talk
One Idea - Three Languages
IT Speak: A computer virus could shut down our critical network.
Risk Speak: Computer viruses pose a risk with a critical impact.
Audit Speak: The risk posed by computer viruses must be controlled.
Talking the Talk
Risk and Controls
For every identified risk, your company must choose one or more strategies:
• Accept it
• Transfer it to someone else
• Mitigate it by
  – Preventing it from happening
  – Detecting it if it does happen
  – Reducing its impact if it does happen
Once you pick a strategy, you design corresponding controls.
This Afternoon
• Controls
  – Aligning Risk and Controls
  – Definitions
  – The Controls Hierarchy
• Results of Audits
  – Common Control Deficiencies
  – Database Controls
• Challenges and Opportunities
  – Where Are You at Risk?
  – How Can You Benefit From SOX?
For More Information About Managing Risk: SarboxAlert Newsletters and SarboxAlert Project Templates. Both are available to you free, for a limited time.
Controls
Examples of Controls
• Preventive controls:
  – required approval for all purchase orders over a certain dollar threshold
  – use of passwords to gain access to networks, systems, and data
• Detective controls:
  – reviews
  – reconciliations
  – analyses
Your Input: Your Controls
What controls are you aware of in your environment?
• To detect a problem
• To correct a problem
• To prevent a problem
• To transfer responsibility
• Other
Controls
Hierarchy of controls
Process and application controls are only as good as supporting DB controls. Hah!
• Manual Process Controls
• Application Controls
• Database Controls
• Operating System / Infrastructure Controls
• General IT & Operations Controls
Controls
Your Importance
• Data controls support most process and application controls
• Does your SOX internal group know data management as well as you?
• CEO/CFO attestations include your area
• Your work could affect the outcome of your audit, your company stock price, CEO/CFO fines, jail time
Don’t screw up!
Controls
Database Controls
• What we all want: to know exactly how our auditors will be judging us
But that’s proprietary information!
Controls
Database Controls
• What we can do: review some published materials, then start a dialogue
Controls
Database Controls
Protiviti has published great documents
Your Input: Your Controls
What controls are you now aware of in your environment? (Consider all levels of the controls hierarchy)
• To detect a problem
• To correct a problem
• To prevent a problem
• To transfer responsibility
• Other
Controls and Documentation
What Needs to be Documented?
• System documentation
• Process flows
• Risk management approaches
• Controls documentation
• Roles and Responsibilities
• Activity logs
• Other…
How much & how well is up to your auditor
Controls and Documentation
What Needs to be Proven?
• Governance and stewardship records
• Activity logs
• Audit trails
• Controls tests
• Other…
Only your auditor knows what it will take to prove compliance…
More information:
What do auditors do? www.sox-online.com/acc_aud_do.html
Auditing Standard No. 2: www.sox-online.com/as02.html
Controls
When Problems Occur
You should know the following definitions (see handout):
• Disclosure Controls
• Control Deficiencies
• Significant Deficiencies
• Reportable Condition
• Material Weakness
• Control Environment
• Segregation of Duties
(Figure: Material Weakness plotted by Likelihood and Significance)
Results of Audits
This ain’t pretty…
Results of Audits
Bad News
• 2004
  – 582 companies disclosed material weaknesses or significant deficiencies in internal controls.
Results of Audits
Late News: 2005
• Hundreds of companies missed the filing deadline (May 10) for Annual Reports
• At least 77 companies with market capitalizations of more than $100 million recently notified the SEC they would need more time to finish their quarterly reports. 44 were working late on reports. 29 were restating financials. http://accounting.smartpros.com/x48279.xml
Results of Audits
Threat of Delisting
The New York Stock Exchange and the Nasdaq Stock Market have notified at least four companies that they may be delisted for not filing their year-end report after being granted an extension.
http://www.cfo.com/article.cfm/3832599/c_3833225?f=archives&origin=archive
Results of Audits
This Year’s Failures
• Who is failing this year? Too soon to say. Maybe under 10%.
• Earlier, Big 4 Auditors predicted 15-20% of clients will fail.
• What’s the cost of failure for the US? Let’s see... Total value of the stock market times 15% failure rate times 3% drop equals… let me think…
Just don’t screw up!
Results of Audits
Most Common Problems
• Half: problems with financial systems and procedures.
• 30%: how people did their jobs.
  – inadequate staffing, inadequate training, supervision problems, lack of competence in a specific GAAP-reporting area, inadequate segregation of duties
• 7%: inadequate or poor documentation
• 5%: issues with revenue recognition
• <5%: problems with IT systems and controls
  – access controls, security, and backup and recovery.
Challenges and Opportunities
Here’s where you can get what’s coming to you…
Challenges and Opportunities
Special Challenges
• Segregation of Duties – too few people
• Audit Trails – productivity vs. proof
• Change Management – agility vs. thoroughness
• Time spent in "Doc it" and "Prove it" is less time for "Do it"
Challenges and Opportunities
Opportunities for Your Department
You may be able to:
• Justify productivity tools to enable Segregation of Duties
• Justify upgrades to enable audit trails
• Gain a voice in other departments because of the controls hierarchy
• Gain a new place at the table for Change Management
Challenges and Opportunities
Opportunities for You Personally
You may have:
• A chance to demonstrate business savvy
• A chance to be seen as part of the solution, not the problem
• A chance to move into an outsource-safe role
Challenges and Opportunities
Action Plan
• Become familiar with Risk Management language
  – risk grids & approaches (accept – avoid – reduce – transfer)
  – COSO risk management framework
  – COBIT risk management framework
• Become familiar with the language of controls
• Become familiar with Governance concepts
Feel free to contact me
Gwen Thomas
[email protected]
321-438-0774
For help justifying a tool at your company, email [email protected] with the subject line: justify