
IT Compliance with SOX: Dan Schroeder


Page 1: IT Compliance with SOX: Dan Schroeder

Dan Schroeder

Director, Business Process and Technology Management

Sarbanes Oxley Act of 2002: IT Compliance Road Map

Page 2: IT Compliance with SOX: Dan Schroeder

SOA IT Controls Compliance Road Map (diagram)

Phases:

I. Readiness Activities
• 1. Scoping & Planning: Financial Transactions, Financial Reporting, Disclosure Reporting, Related Applications and General IT infrastructure
• 2. Risk Assessment
• 3. Controls Definition and Documentation
• 4. Effectiveness Assessment
• 5. Remediation

II. Compliance Evaluation and Reporting (SOA 404 / SAS70)

III. Ongoing Monitoring and Sustainability

Control layers shown in the diagram:

• IT Services (General Controls): Plan & Organize; Acquire & Implement; Delivery & Support; Monitor
• Business Processes and Applications (Application controls): Process 1, Process 2, Process 3, Process 4; Financial Application A, Financial Application B, Financial Application C

Page 3: IT Compliance with SOX: Dan Schroeder

Compliance Road Map: Step 1. Scoping and Planning

Determine where technology supports the financial reporting process: identify where systems support the initiation, recording, processing, and reporting of financial information.

PCAOB guidance as to relevant process and control activities:

• Application / process controls over initiating, recording, processing, and reporting significant accounts and disclosures.
• Antifraud programs and controls.
• IT General Controls.
• Controls over significant non-routine and nonsystematic transactions.
• Controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the GL and to record adjustments.

Page 4: IT Compliance with SOX: Dan Schroeder

Step 1 Example Deliverable: Mapping of Business Processes, Supporting Application, 3rd Parties and Process Owner

XYZ Corp. SAO 404 Readiness

Form: Business Process Summary

| Primary Business Process | Sub-Process | Business Application | Third Parties | Business Unit/Org. / Process Owner |
|---|---|---|---|---|
| Underwriting – NY, VT & CA Private Passenger Assigned Risk, APTOP & PDO voluntary | New Business | AIMS | DMV, ISO, NICB, CLUE, CARCO | Steve Smith |
| | Rate Pursuit (telephone interviews & questionnaires) | PP & NJ PAIP AIMS/MSI | | |
| | Renewals | AIMS | | |
| | Endorsements | AIMS | | |
| | Cancellations | AIMS | | |
| Underwriting – Commercial Assigned Risk & Multi-State Assigned Risk (excl. NY, VT & CA) | New Business | CGI* | DMV, ISO, NICB, CLUE, CARCO | Carol Jones |
| | Rate Pursuit (telephone interviews & questionnaires) | CGI* | | |
| | Renewals | CGI* | | |
| | Endorsements | CGI* | | |
| | Cancellations | CGI* | | |

Legend: * Servicing company. May have a SAS 70 prepared. (A) - reviewed during cash disbursements project. (B) - reviewed within SOAR/Maria.

Page 5: IT Compliance with SOX: Dan Schroeder

Compliance Road Map: Step 2. Risk Assessment

Start with the scope determined in Step 1. Consider the "likelihood" of a potential risk event occurring and the "impact" of the event (i.e., materiality). Risk considerations:

• Quality and integrity of information
• Access and authorization controls
• Availability and timeliness of information
• Continuity and recoverability

Service organization effect: consider the potential enterprise impact from internal and external service organizations.

The deliverable for Step 2 is a Risk Assessment Matrix that identifies and prioritizes risks across key business processes, showing their relationships to IT General and Application controls.

Page 6: IT Compliance with SOX: Dan Schroeder

Risk Assessment – Example Report: XYZ Corp. SAO 404 Readiness, 2/18/2004

Risk Assessment Summary Report (rating scale: 1 = Highest, 5 = Lowest)

The three Y/N columns are the COSO Control Dimensions: Reliability of financial reporting; Effectiveness & efficiency of operations; Compliance with laws & regulations.

| Business Process | Reliability of financial reporting | Effectiveness & efficiency of operations | Compliance with laws & regulations | Inherent Risk | Risk Materiality Factor | Risk | Rank |
|---|---|---|---|---|---|---|---|
| AIMS Private Passenger Underwriting (new business, renewals, endorsements, cancellations, rate pursuit) | Y | Y | Y | 1 | Greater than 50% of total premium volume; Regulatory timeframes | Premiums mis-stated; Manual processes; Unrealized premiums due to inadequate rate pursuit; Unauthorized changes to policies information | 1 |
| CGI Commercial & Multi-State Private Passenger Underwriting (new business, renewals, endorsements, cancellations, rate pursuit) | Y | Y | Y | 1 | Greater than 30% of total premium volume; Regulatory timeframes | Premiums mis-stated; Manually intensive processes; Unrealized premiums due to inadequate rate pursuit; Inadequate inspections on garage policies; Inefficient handling of checks; Multiple States requirements (Texas 2 complaint limit); Unauthorized changes to policies information; Inadequate error/exception reports | 2 |

Page 7: IT Compliance with SOX: Dan Schroeder

Compliance Road Map: Step 3. Controls Definition and Documentation

Leverage leading standards such as COSO and IT Controls for SOA to determine control requirements:

• General Controls include operations and management, infrastructure, security, acquisition and maintenance, oversight and monitoring.
• Application Controls include activities related to ensuring completeness, accuracy, authorization, availability, and validity of transactions.

SOA documentation requirements are expected to represent a significant challenge for most organizations. Inadequate documentation by management can represent a deficiency in internal control over financial reporting. Management should discuss the proposed extent and detail of their control documentation with their external auditors early in the process to reduce the potential that documentation will be deficient.

Page 8: IT Compliance with SOX: Dan Schroeder

PCAOB Documentation Guidelines October 7, 2003 Briefing Paper

Documentation is important to the effective functioning of internal control and to the auditor's internal control audit. This includes documentation about: the design of controls; how the controls are supposed to operate; the objectives they are designed to achieve; and the necessary qualifications of the people performing the control for the control to function effectively. Documentation should be sufficient for the external auditor to review the design and test the effectiveness of a control.

No one form of documentation is required, and the extent of documentation will vary depending on the size, nature and complexity of the company.

Page 9: IT Compliance with SOX: Dan Schroeder

Potential Documentation Requirements

Entity / General Level:

• Strategic IT Planning
• Policy Manuals
• IT Security Policy
• Business Continuity Planning / Disaster Recovery Planning
• IT Architecture, Data Dictionary
• System Development Life Cycle
• Change Management
• IT Operations Management
• IT Organization and Responsibilities
• Problem and Incident Management

Process / Application Level:

• Process description / flowcharts
• Risk and Control Matrices
• System / application schematics
• Access Controls
• Data Relationships and Database designs
• System user documentation
• Job Descriptions

Page 10: IT Compliance with SOX: Dan Schroeder

SOA IT Controls Compliance Road Map (diagram repeated from Page 2)

Page 11: IT Compliance with SOX: Dan Schroeder

Compliance Road Map: Step 4. Effectiveness Assessment

Substantive testing of the operational effectiveness of the required controls. Determine if:

• Controls are operational.
• Controls are functioning as designed.
• Personnel are trained and knowledgeable.

Document and assess the level of control weakness, from Inconsequential to Material Weakness.

Determining whether a weakness is significant or material requires professional judgment and the consideration of various factors such as:

• Size of the operation
• Complexity and diversity of activities
• Organizational structure
• Likelihood that the IT control weakness could result in a material misstatement of the financial records

Page 12: IT Compliance with SOX: Dan Schroeder

Compliance Road Map: Step 5. Remediation

Prioritized approach to resolving control weaknesses. Types of remediation required:

• Documentation
• Procedures
• Personnel / organization changes
• Training
• Process / method development (e.g., BCP, SDLC)
• System Enhancements: E-Mail / records management; Integration; Validations; Business Intelligence / Corporate Performance Management

Page 13: IT Compliance with SOX: Dan Schroeder

Compliance Road Map: Ongoing Monitoring and Sustainability

Take steps to institutionalize awareness and understanding of IT control requirements:

• Training and education
• Organizational Structure
• Job Responsibilities
• Service Level Agreements
• Performance Measurement
• Internal Quality Management Program

Conduct ongoing monitoring and review of:

• Remediation
• Business Changes
• Ongoing compliance

Page 14: IT Compliance with SOX: Dan Schroeder

Common IT Compliance Challenges

Organizational:

• IT Controls not treated as a process
• Management ownership and roles
• Deployment – internally and to service providers
• Ability to monitor / sustain

System Development Life Cycle (SDLC) Process

Business Continuity Planning as a Process

Latency: lack of infrastructure and processes for timely disclosure and reporting

Documentation

Page 15: IT Compliance with SOX: Dan Schroeder

Summary of SOA Impact to IT Management

• Cultural impact: "control" mentality versus "project" mentality
• Enhances the need for enterprise-wide IT leadership and a strong IT Governance framework
• Enhanced need for "real-time" disclosure reporting; e.g., Enterprise Performance Management
• Enhances the need for integration
• Increased awareness of service provider related control dependencies
• Document management and retention

Page 16: IT Compliance with SOX: Dan Schroeder

Next Steps include:

• Promote understanding and awareness
• Establish internal compliance roadmap
• Define responsibilities, action plan
• Synchronize with existing Quality Management Program
• Monitor developments in standards and guidelines: PCAOB Standards; ITGI IT Control Standards; SEC Approval of PCAOB Audit Standard #2

Page 17: IT Compliance with SOX: Dan Schroeder

Dan Schroeder,

Director, Business Process and Technology Management

732.287-1000 x 278, [email protected]

Questions or additional information?