Using COBiT For Sarbanes Oxley

Using COBiT For Sarbanes Oxley

Japan November 18th 2006Gary A Bannister

Who am I & What I Do ?• I am an accountant with 28 years experience working in

various International Control & IT roles.• I am British and resident in the US.• I speak 4 languages, but unfortunately not Japanese.• I was involved in the implementation of the BP SOX

program in 2004 & 2005 and was instrumental in the implementation of COBiT version 3 and compliance processes.

Who Am I ?

I am an accountant with 28 years experience working in various International Control & IT roles.

I am British and resident in the US.

I speak 4 languages, but unfortunately not Japanese.

I was involved in the implementation of the BP SOX program in 2004 & 2005 and was instrumental in the implementation of COBiT version 3 and compliance processes.

AGENDA

Some Context about Compliance – Sarbanes Oxley – “Differences in Japan & Other countries”The BP Process In SOX Using COBiT – Selection & mapping.BP Gap Analysis & Remediation CriteriaKey Learning’s & Some Tips for You

Sarbanes-Oxley (SOX) Act Highlights

Established the Public Company Accounting Oversight Board (PCAOB) and gave it broad powers to oversee the public accounting firms

Introduced new limitations on auditors including mandatory partner rotation and limits on services

Requires new “disclosure controls” that inform corporate officers of “material information” during the reporting period

Sarbanes Oxley Two Key Sections

Sec 302Financial Reporting

Sec 404Internal Controls

SOX 404Requires management to include an internal control report

in each SEC filing that:- States the responsibility of management for

establishing and maintaining an adequate internal control structure and procedures for financial reporting, and

- Contains an assessment, as of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures

Requires an audit of management’s report on internal controls

SOX Effect on Other countries

SOX legislation coming to Japan, Canada, South Africa & Europe.COBiT & COSO I Frameworks become more

important in documenting and testing the effectiveness of internal controls. Some Differences – external Auditors are

NOT required to attest to Management’s attestation on Internal Controls in Canada.

Relationships Between IT & Business

Business Processes

Applications

Data/DBMS

Platforms

Networks

Physicals

Financial & Business Teams review manual and automated business process controls

Data Center Operations Manager and IT SOX evaluate supporting infrastructure for all financial applications as a part of the IT General Controls review

Application Manager and IT SOX perform Application General Controls and Application Security Reviews

An effective automated business process control requires effective operating IT controls

Overview of SOX Program

Prioritise Gaps,agree Timeline

Agree Processes & Applications Evaluate/Document Remediate Gaps Monitoring/Reporting

(Operate)

Overview of ICE/DCT SOX Program

Agree in-scope processes

Agree control framework

Agree gap prioritisation

process

Agree remediation

timetable

Agree Financial Control

monitoring & compliance

process

Identify supporting

applications

Prioritise Gaps,agree Timeline

Agree Processes & Applications Evaluate/Document Remediate Gaps Monitoring/Reporting

(Operate)

FinanceDecisionson scope

Overview of ICE/DCT SOX Program

Agree in-scope processes

Agree control framework

Agree gap prioritisation

process

Agree remediation

timetable

Agree Financial Control

monitoring & compliance

process

Identify supporting

applications

Prioritise Gaps,agree Timeline

Agree Processes & Applications Evaluate/Document Remediate Gaps Monitoring/Reporting

(Operate)

FinanceDecisionson scope

4 Workstreams:

IT General Controls

Application General Controls

Application Security Review

Application Business Controls

Evaluate in “Batches”

100 Applications& 10 data centres

+ 100 Applications

+ 10 data centres

ITOwns &Implements

Overview of ICE/DCT SOX Program

Agree in-scope processes

Agree control framework

Agree gap prioritisation

process

Agree remediation

timetable

Agree Financial Control

monitoring & compliance

process

Identify supporting

applications

Prioritise Gaps,agree Timeline

Agree Processes & Applications Evaluate/Document Remediate Gaps Monitoring/Reporting

(Operate)

FinanceDecisionson scope

4 Workstreams:

IT General Controls

Application General Controls

Application Security Review

Application Business Controls

Evaluate in “Batches”

100Applications& 150data centres

+ 100 Applications

+ 10 data centres

ITOwns &Implements

Filter gaps Challenge gaps

Integrate with IT plans

Tier 2

Identified COBIT GapsIdentified COBIT Gaps

Tier 1

Tier 3

Tier 4r

IT Own, Fund, Deliver Plan

IT Central(data centres)

IT Segments & functions

(applications)

Process embedded across IT

Repeatable annual process

Staff trained

Internal resource

Overview of SOX Program

Agree in-scope processes

Agree control framework

Agree gap prioritisation

process

Agree remediation

timetable

Agree Financial Control

monitoring & compliance

process

Identify supporting

applications

Prioritise Gaps,agree Timeline

Agree Processes & Applications Evaluate/Document Remediate Gaps Monitoring/Reporting

(Operate)

FinanceDecisionson scope

4 Workstreams:

IT General Controls

Application General Controls

Application Security Review

Application Business Controls

Evaluate in “Batches”

100 Applications10 data centres

+ 100 Applications

+ 10 data centres

IT Owns &Implements

Filter gaps Challenge gaps

Integrate with IT plans

Tier 2

Identified COBIT GapsIdentified COBIT Gaps

Tier 1

Tier 3

Tier 4r

IT Own, Fund, Deliver Plan

IT Central(data centres)

IT segments & functions

(applications)

Process embedded across IT

Repeatable annual process

Staff trained

Internal resource

Prioritised set of gaps

& TimelineDocumented CETs & Gaps

Gaps remediated by ITGroup-wide

integrated planIT own on-going

process

IT Progress Reporting:

Why COBiT …. How was CobiT chosen

Control Systems consideredCOBIT ISO 17799 ITIL (Information Technology

Infrastructure Library) Assessment criteria used

Control needs of SOX: Consistency with the General and Application control needs of SOX. COBiT more comprehensive.

Extent of use outside BP: The use of each system by other companies for this purpose

Page 29

BREADTH OF IT CONTROL COVERAGE

HOW

DETAILED

LOW

MED

HIGH

HIGHLOW MED

ITIL

COBITCOBIT

COSOCOSO

TURNBULLTURNBULL

ISO 17799

Why COBIT

Why COBiT ….

Why COBiT ….

Why COBiT ….

Planning andOrganization

Acquisition and Implementation

Information and IT Systems

Delivery and Support

Monitoring

• Define the IT Plan• Define the Information Architecture• Define the Technology Direction• Define the Organization and

Relationships• Manage the IT Investment

• Communicate Management Aims• Manage HR• Ensure Compliance with External

Requirements• Assess Risks• Manage Projects• Manage Quality

• Identify Solutions• Acquire (Develop) and Maintain

Application Software• Acquire and Maintain Technology

Infrastructure• Develop & Maintain Procedures• Install and Accredit Systems• Manage Changes

• Define Service Levels• Manage Third Party Services• Manage Performance and Capacity• Ensure Continuous Service• Ensure System Security• Identify and Attribute Costs• Educate and Train Users

• Assist and Advise IT Customers• Manage the Configuration• Manage Problems and Incidents• Manage Facilities• Manage Data• Manage Operations

• Monitor the Process• Assess Internal Control Adequacy• Obtain Independent Assurance• Provide for Independent Audit

CobiT v3 Overview – July 2004.

RED IT Processes are a part of the DCT SOX Control Framework[12 Control processes-68 Control Activities]

Planning andOrganization

Acquisition and Implementation

Information and IT Systems

Delivery and Support

Monitoring

• Define the IT Plan• Define the Information Architecture• Define the Technology Direction• Define the IT processes, Organization

and Relationships• Manage the IT Investment

• Communicate Management Aims• Manage HR• Manage Quality• Assess & Manage IT Risks• Manage Projects

• Identify Automated Solutions• Acquire (Develop) and Maintain

Application Software• Acquire and Maintain Technology

Infrastructure• Enable Operations & Use• Procure IT Resources• Manage Changes• Install and Accredit Systems

• Define Service Levels• Manage Third Party Services• Manage Performance and Capacity• Ensure Continuous Service• Ensure System Security• Identify and Allocate Costs• Educate and Train Users

• Manage Service Desk & Incidents• Manage the Configuration• Manage Problems • Manage Data• Manage Physical Environment• Manage Operations

• Monitor & Evaluate IT performance• Monitor & Evaluate Internal Control• Ensure regulatory Compliance• Provide IT Governance

CobiT v4 Overview – August 2006Amendments for ‘Compliance Business as Usual’

RED IT Processes are a part of the DCT Compliance Control Framework[11 Control processes – 32 Control Activities]

IT Risk Analysis Criteria

2) COBIT Detailed ranking @ CO level

2) COBIT Detailed ranking @ CO level

1st Filter

E-learning suitability

A prioritised set of Sarbanes Oxley

gaps

2nd Filter

Filter ActivityIdentified BP COBIT GapsIdentified BP COBIT Gaps

COBIT Gap CriteriaControl Process Level

COBIT Gap Criteria Control Objective level

Tier 1 to Tier 4

Global vs. Local, PriorAudit etc.

1) COBIT Summary Rank @ CP Level

1) COBIT Summary Rank @ CP Level

3) ICE Financial Tier Rankings

3) ICE Financial Tier Rankings

3rd Filter

4th Filter

4) Additional Business info

4) Additional Business info

2) COBIT Detailed ranking @ CO level

2) COBIT Detailed ranking @ CO level

1) COBIT Summary Rank @ CP Level

1) COBIT Summary Rank @ CP Level

Key GAP Prioritization Explained

Tier 2

Identified COBIT GapsIdentified COBIT Gaps

Tier 1

Tier 3

Tier 4r

2) COBIT Detailed ranking @ CO level

2) COBIT Detailed ranking @ CO level

1) COBIT Summary Rank @ CP Level

1) COBIT Summary Rank @ CP Level

Key GAP Prioritization Explained

Effectiveness – The degree to which the Control Objective responds to the underlying value delivery and risk mitigation requirements, irrespective of efficiency, costs and effort. [ COBiT On-line]

Tier 2

Identified COBIT GapsIdentified COBIT Gaps

Tier 1

Tier 3

Tier 4r

2) COBIT Detailed ranking @ CO level

2) COBIT Detailed ranking @ CO level

1) COBIT Summary Rank @ CP Level

1) COBIT Summary Rank @ CP Level

Key GAP Prioritization Explained

Effectiveness – The degree to which the Control Objective responds to the underlying value delivery and risk mitigation requirements, irrespective of efficiency, costs and effort. [ COBiT On-line]

Colour Coding:VH

H

L

M

COBIT HIGH split into Very High – AI6 & DS5Change Management & Ensure System Security.Maps to ICE tier 1 HIGH – Remaining COBIT Reds Maps to ICE Tier 2

Medium – As Per COBIT- Maps to Ice Tier 3

Low – As per COBIT – maps to ICE Tier 4

Tier 2

Identified COBIT GapsIdentified COBIT Gaps

Tier 1

Tier 3

Tier 4r

N No Gap – 0 Rank – Maps to BP Risk convention

Financial Criteria – Maps one to one with the COBIT ranking- Tier One - = > $100m – COBiT Very High- Tier Two < $100m > $20m – COBiT High- Tier Three < $20m > $1m – COBiT Medium- Tier Four < $1m - COBiT Low

Other Criteria – Example “Application $ Throughput- Very High - > $1b- High > $1b < $1b > $250m- Medium < $250m > $100m- Low < $100m

3) ICE Financial Tier Rankings

3) ICE Financial Tier Rankings

4) Additional Business info

4) Additional Business info

Tier 2

Identified COBIT GapsIdentified COBIT Gaps

Tier 1

Tier 3

Tier 4r

Key GAP Prioritization Explained

Key Learning’s & Some Tips For you

Do Not Use COSO alone, it is not detailed enough for IT. ISO 17799 is NOT ENOUGH. It does not cover well the following:-

- Data Management- Third Party processes- IT Delivery & Support Operations- Audit & Governance issues- Software & Hardware development controls- Segregation of Duties

Consult & Agree your framework with your external auditors before you implement your program.

Do not select too many COBiT control objectives and control practices. Simplify & Simplify. Concentrate on Key IT Control deficiencies that are high or are a

critical risk:-- Change Management Issues- Access Controls & Segregation of Duties- Some Data Management Issues like back ups & storage.

Include your IT applications (e.g. SAP) with your business process documentation. Why ? Most of your business controls are defined by your systems and applications.

Key Learning’s & Tips continued…..

Do not Test too many applications & processes – take a Risk & Business Impact Approach.

Look out for spreadsheets. Errors in relatively simple spreadsheets can result in potentially material misstatements in financial results.- The best feature is their worst – flexibility- Use Pricewaterhouse-Coopers Five step process

- Inventory Spreadsheets- Evaluate use, complexity- Determine level of controls- Evaluate existing controls- Develop remediation

Key Learning’s & Tips continued…..

Use Frameworks like COSO & COBiT as benchmarks, they don’t give you the answers or the specific controls, only the templates; tailor them to your company’s needs

Beware Email. E.G. Spreadsheets emailed to controllers for consolidation. Potential email security & storage issue.

Beware use of compliance tools/software. It is still not a mature market.

Consider how you will administer Third Parties & Outsourced Partners

Assign Accountabilities for each Business & IT process (e.g. Order to Pay for Business & Change Management for IT – Note Segregation of Duties is a business accountability but facilitated by IT)

Thank you

What Role Does IT Play?

• Infrastructure• Application Controls• Business Partner to ensure controls are

operating effectively across the organization• New Applications

Process vs. Control

• Control Objective: – User access to network is appropriately assigned.

• Example of Process:– Management reviews user access on a monthly basis.

• Example of Control:– Management reviews and signs off on a report generated

on a monthly basis containing user accounts and roles to ensure appropriateness and accuracy.

A New Internal Control Paradigm – PCAOB Guidance

Examples of Documentation:Documentation that provides reasonable support for

management’s assessment of the effectiveness of internal control over financial reporting covers:

• The design of controls over relevant assertions related to all significant accounts and disclosures in the financial statements,

• Information about how significant transactions are initiated, recorded, processed, and reported,

• Enough information about the flow of transactions to identify where material misstatements due to error or fraud could occur,

• Controls designed to prevent or detect fraud,• Controls over the period-end financial reporting process,• Controls over safeguarding of assets, and• The results of management’s testing and evaluation.

Identification of Control Points

Definition of a control point:

1. An action within a process where the key data changes form;

2. A handoff between individuals or programs within a process; or

3. A handoff between software applications

Control Type Categories

• Identifying the control types may reveal an over-reliance on a particular type of control or an absence of a key control type

•Policies & Procedures•Authorization Controls•Key Performance Indicators•Management Review•Detailed (Data Comparison)•Reconciliation•Segregation of Duties•System Access•Automated Exception Report

Control Categories - Definitions

Policies & ProceduresPolicy and procedure control documentation is often needed where directly linked adhering to standard policies and procedures is critical to the effectiveness of the control, especially where control procedures cross organizational or geographic boundaries. Policies and procedures related controls generally include formal written documents that have been recently updated, and is both accessible and used by the individuals involved in executing the control activities documented.

Authorization ControlsApproval of transactions executed in accordance within authority as set by senior management's general or specific policies and procedures

Key Performance IndicatorsKey performance indicators are financial and non-financial quantitative measurements that are: Collected by the entity, either continuously or periodically Used by management to evaluate the extent of progress toward meeting the entity's

defined objectives

In order for key performance indicators to be an effective control, they must have a level of precision that enables detection of errors

38

Control Categories - Definitions

Management Review Management review is a review conducted by someone, other than the preparer of the transaction or journal entry, who analyses and oversees activities performed. In many instances, it will be a manager reviewing the work of a subordinate. However, it is not limited to this. It may include co-workers reviewing each other's work.

DetailedA detailed control activity consists of a comparison between two sets of data. An example of a detailed control could be a comparisonbetween two sets of information where the individual components of the data are compared. This control can be either a detailed manual control when the comparison is performed by humans, or a detailed automated control when the activity is performed by a system.

ReconciliationA reconciliation is a control designed to check whether two sumsmatch and identifying the differences between the two sums. It does not involve comparing on an item by item basis the information in two different sets of data..

39

Control Categories - Definitions

Segregation of DutiesSegregation of duties is the separating of duties and responsibilities of authorizing transactions, recording transactions, and maintaining custody to prevent individuals from being in a position to both perpetrate and conceal an error or irregularity.

System AccessSystem access are the access rights that individual users or groups of users have within a computer information system-processing environment, as determined and defined by the configuration of the system.

Automated Exception ReportsAn exception report control shows a violation of a set standard to a responsible party who conducts follow ups and resolves the item.

40

General IT Controls

EXAMPLES GENERAL IT CONTROLSInformation Security

Management Of Philosophy & PolicyLogical Security Over the Operating SystemLogical security Over DataSecurity within ApplicationsSystems Administration & The Use of Privileged AccountsPhysical SecurityNetwork/Dial-up AccessExternal Network Connections

Computer Operations

Service Level AgreementsProblem ManagementBusiness ContinuityNetwork ManagementOperational Performance & Data Centre Environment.Scheduling, preparing & running batch processes.Backup & RecoveryUpgrades To System software.

Development & Implementation

Requirements DefinitionDesign & build in-house systems or package

selection.Unit, system & user testingData ConversionGo-Live decisionDocumentation & training

Program Change Control

Management of maintenance activitiesSpecification, authorization & tracking of

change requests.Unit, system & user testingAuthorization of transfers to live environmentUpdating technical & user documentation &

training.Database Administration

Relationship Between General IT & Application Controls.

General IT Controls contribute to the effectiveness of application controls.General controls do not provide direct coverage

of application control objectives.( E.g. completeness, accuracy, validity, restricted access)When designing & relying on application

controls, the strength of the underlining general controls needs to be considered.

Relationship Between General IT & Application Controls

Ensure that overall It environment is well controlled

The It Organization meets its intended purposes & there is proper management control over IT.

Physical & logical security is correctly implemented & maintained.

New apps & changes to existing apps are properly authorized.

Ensure that computer applications process as intended

Business processes may be enabled by one or more applications.

Many Common applications utilize configurable controls.

Controls to ensure the maintenance of data quality should be considered.

General Controls Application Controls

Relationship Between General IT & Application Controls

Platform Security (IT) &Restricted Application Level Access. Inappropriate access to data libraries at for example the

UNIX platform level, circumvents any good application level access controls that limits user access to specific transactions.

External Network Security (IT) & validity controls ( Application)Weak Network Security that allows outsiders to access the

internal network (e.g. from the internet, dial-up, or third party connections) increases the likelihood that unauthorized individuals will have an opportunity to enter “invalid”transaction data or standing data.

Relationship Between General IT & Application Controls

Backup & Recovery (IT) & Completeness Controls (application) If a full day’s transactions is lost due to a system disk

crash, then all “completed transactions” entered that day would be lost and be required to be reentered the next day if possible

Development & Implementation (IT) & Accuracy Controls ( Application)User acceptance testing performed by business area

personnel during the system development lifecycle will help ensure that the necessary accuracy controls built into the application are working as planned prior to production rollout.

Relationship Between General IT & Application Controls

Program Change Control (IT) & Accuracy Controls Application.– Inadequate change control procedures over the

application program code could allow programmers to modify the manner in which the application processes a transaction. This could intentionally or unintentionally disable input and /or balancing controls within the application that would identify transaction problems.

Relationship Between General IT & Application Controls

Problem Management (IT) & Completeness Controls (Application) Inadequate procedures to identify and resolve system

problems, could result in numerous application transactions being processed incompetently. For example, if the nightly batch processing was interrupted, good problem management procedures would be required to identify the problem, notify the proper personnel, correct the problem and restart the batch from the prior stopping point.

Application Control for accuracy that requires a code to be present on a database is compromised if IT controls don’t limit programmers form updating the database.

Application Controls

Application Controls

Manual and automated controls exist to ensure that information within the business process is:– Complete– Accurate– Valid and authorized– Restricted form unauthorized access

A combination of controls is needed to PREVENT, DETECT and CORRECT processing errors.

Application Control Objectives

CAVIAR–Completeness

–Accuracy

–Validity

–Restricted Access

Application Controls- Completeness

All transactions are recorded , input and accepted for processing once and only once.

All transactions that are input and accepted for processing are updated to the appropriate data file.

Duplicates are rejected Rejected transactions are evaluated and re-

entered Once data is updated to a file, that data remains

correct and current on the file and represents balances that exist.

Application Controls- CompletenessExamples

Invoice Numbering should be system assigned and sequential.Any interfaces to the General Ledger

should be complete and accurate.When entering account information, all

key fields are required to ensure completeness.

Application Controls- Accuracy

Key Data elements are recorded and input to the system accurately through data entry design features.

Changes to standing data are accurately input All transactions input and accepted for

processing, update the appropriate file All transactions affect the proper accounting

period**** Accuracy Controls are evaluated at the data element level.

Application Controls- Accuracy Examples

SSN Data field enforces entry of 9 numeric characters.

Customer credit limits determine amount range Business Unit limited to using their own GL

accounts Correct Zip code required in address field Sales can only be entered in proper accounting

period. Foreign currency tables are updated daily.

Application Controls- Validity

Transactions are AuthorizedTransactions are not fictitious and they

relate to the company.Changes To standard Data are

authorized & reviewed

Application Controls- Validity Examples

Buyer limits force email to supervisor for additional approval.

Customers who require non-standard prices require management approval.

Only the HR manager can approve a new employee to be added via a special user ID.

A sales Order will not be accepted unless customer number is present on Customer Master File.

To achieve appropriate segregation of duties, no one user has the ability to: a) Update/create vendor in vendor master file b) Enter new invoices c) Select invoices for payment.

Rate tables are maintained only by authorized users.

Application Controls – Restricted Access

Protect against unauthorized amendments of data.Ensure confidentiality of data.Protect physical assets such as cash and

inventory from theft or misuse.

Application Controls – Restricted Access Examples

Periodic review of users on the system is performed to ensure users have access to those functions and data required to perform their job functions.

IT personnel are granted only temporary access to production data.

Sales teams have the ability to view all of their accounts and current opportunities

Pending contracts are restricted from all but the legal dept. once terms are set.

System controls user access by function User access forms are completed, appropriately approved

& submitted to the Security Administrator