7/28/2019 Sarbanes Oxley Compliance Using Control m
1/8
SOLUTION WHITE PAPER
Sarbanes-Oxley Compliance Using BMC CONTROL-M Solutions for Operations Management
Table of Contents
SECTION 1 Executive Summary
SECTION 2 Abstract
SECTION 3 Sarbanes-Oxley Compliance
> Sarbanes-Oxley Section 404
SECTION 4 COBIT Objectives and BMC CONTROL-M
> Security
> Service Level Agreements
> Monitoring and Reporting
> Workload Forecasting
> Continuity and Recovery Planning
> Backup and Restoration
> Job Scheduling
SECTION 5 BMC CONTROL-M Solutions
SECTION 6 Conclusion
Executive Summary
When corporate executives certify their company financial statements this year, in compliance with Sarbanes-Oxley financial reporting guidelines, they will do so under the possibility of fines or even imprisonment for inaccurate reporting or noncompliance. The business information relied on by CXOs, culled from multiple information management systems, will be subject to higher levels of scrutiny by auditors than ever before.
Implementing the necessary controls toward Sarbanes-Oxley compliance is an evolving process that is likely shepherded by a project team run by the finance department and includes both internal and external auditors. This team may already be using automation tools targeted toward compliance, but it is important to choose solutions that are extensible and flexible enough to adequately validate the controls and processes and minimize the increasing costs associated with full compliance. This paper will help the operations department to communicate effectively with the compliance project team, understand its requirements, and ensure that the operations processes are in place to fully support the Sarbanes-Oxley compliance effort.
BMC Software's BMC CONTROL-M solutions help you to cost-effectively automate business processes, conserve resources, and control costs as your company moves toward mandatory Sarbanes-Oxley compliance.
Abstract
The Sarbanes-Oxley Act of 2002 was enacted by the U.S. legislature to protect investors and the public from fraudulent corporate accounting practices and erroneously reported corporate financial information. The Securities and Exchange Commission (SEC) established the rules, requirements, and deadlines, and continues to administer compliance. The burden of compliance now falls largely on the IT staffs that are responsible for supporting their organizations' business and accounting processes.
This white paper provides an overview of Sarbanes-Oxley requirements for IT organizations, and reviews how BMC Software's BMC CONTROL-M solutions provide the means to easily address compliance for operations management, both initially and going forward procedurally. Specifically, this paper discusses:
- The Sarbanes-Oxley Act and Section 404 directives
- Sarbanes-Oxley demands on IT operations
- The COBIT and COSO internal control frameworks
- How CONTROL-M solutions help you gain control of operations management and assist in your compliance projects
Sarbanes-Oxley Compliance
Ideally, compliance initiatives will restore investor confidence in the stock market by making the financial states of companies transparent to investors. By enhancing corporate governance, strengthening supervision of auditors, focusing attention on internal controls, and imposing strong penalties for noncompliance, companies can prevent undetected financial fraud. Ultimately, this window into management performance should enable investors to better judge a company's true value.
Companies are investing heavily in compliance processes, much of it unbudgeted. Studies suggest that a $3 billion company could spend up to $9.5 million on initial compliance costs and up to $8 million per year on ongoing compliance measures. Current reports indicate that the ongoing costs of compliance are costing companies as much as 1.25 percent of their annual revenues. Compliance efforts can readily be compared with the Y2K technology undertaking, but with no visible end to the process.
The Sarbanes-Oxley Act itself does not standardize business practices or specify a framework for organizing processes toward compliance. However, many companies are using standardized sets of approved frameworks to enforce compliance and to describe to auditors (internal and external) how they are achieving compliance controls. These frameworks for IT governance and accounting controls are used to link Sarbanes-Oxley documentation activities with corporate IT management procedures, and are often underwritten and promoted by the auditing and accounting community to measure compliance and to highlight deviations from guidelines.
In 1985, the Committee of Sponsoring Organizations of the Treadway Commission [1] (COSO) was formed to sponsor the National Commission on Fraudulent Financial Reporting. This independent private-sector initiative developed a framework of recommendations for public companies and their independent auditors, educational institutions, and the SEC and other regulators. The COSO framework was adopted by many organizations to standardize and improve the quality of financial reporting.
To address the role of IT in compliance, the IT Governance Institute (ITGI) and the Information Systems Audit and Control Association (ISACA) subsequently created a framework called the Control Objectives for Information and Related Technologies (COBIT) guidelines. COBIT is based on the COSO recommendations, and provides an IT governance model and management guidelines for determining how effectively a company controls IT and where improvements can be made.
For further information, visit www.itgovernance.org or www.isaca.org/cobit.htm
Sarbanes-Oxley Section 404
Following the initial Sarbanes-Oxley compliance audits, companies will need to comply with Section 404 of the act, which directly addresses the role of IT in compliance processes. Section 404 focuses heavily on the critical role of internal control over financial reporting, reemphasizing the importance of ethical conduct and reliable information in the preparation of financial information reported to investors.
Section 404 directives specify that audit reports must be accompanied by an assessment of all internal controls and processes that have been certified as Sarbanes-Oxley compliant by independent auditors. To do so, each company must:
- Establish a set of financial control processes that must be verified and certified as accurate by an external auditor
- Conduct a quarterly evaluation of all certified controls
- Incorporate an independent assessment of control processes into the company's annual financial report
Section 404 now requires management and auditors to publicly report material weaknesses in internal control over financial reporting existing at their fiscal year-end. These material weaknesses must be listed in a company's annual filings, which could adversely affect stock price and market perception. Although Section 404 does not prescribe how its objectives are to be met, the SEC has mandated that companies must use a recognized internal control framework such as COBIT or COSO. Using the COBIT framework, an organization can readily design a system of IT controls to comply with Section 404.
Auditors need to readily understand the flow of an organization's financial transactions from initiation through to reporting. Because these transactions will be part of IT application processing, the IT department is under constant and intense scrutiny to document the controls in place and manage these flows. Auditors will not only be required to monitor the application flow, but will also need to be able to map and monitor the integrity of all the resources in use to support a given application. These resources will include, but not be limited to, networks, databases, servers, operating systems, and IT system management software.
[1] The Treadway Commission is named for James C. Treadway, Jr., a former member of the Securities and Exchange Commission and the initial chairperson of COSO.
COBIT Objectives and BMC CONTROL-M
This section reviews some of the COBIT objectives relevant to Section 404 compliance, and outlines how operations management can achieve COBIT objectives by fully exploiting the functionality of CONTROL-M solutions. CONTROL-M is an enterprise-wide batch scheduling solution that lets you monitor, manage, and automate all job scheduling and link the scheduled processes and applications to business objective metrics.
COBIT objectives relevant to Section 404 compliance:
- Security
- Service level agreements
- Monitoring and reporting
- Workload forecasting
- Continuity and recovery planning
- Backup and restoration
- Job scheduling
Security
CONTROL-M solutions provide extensive security facilities that provide:
- Control of access to the product itself
- Control of access to specific product functionality, by configuring which users can use certain product functions
- Control over the submission of work
- Control over what applications may be monitored and managed
- Monitoring and reporting of attempted security violations
- Forced changing of security passwords
- Audit logs containing details of all accesses, both approved and rejected
Operations management and security teams should work together to develop, implement, document, and continually assess these functions, including staff changes, process changes, and new application deployment. Audit logs should be printed and regularly reviewed to determine the reason for violations and to ensure that any violations are not willful or intentional.
[Figure: Sarbox compliance roadmap (Sarbanes-Oxley compliance, business value). The roadmap's steps as shown in the figure: 1. Plan and scope (financial reporting; supporting systems; probability and impact on business; size; complexity). 2. Perform risk assessment (application controls over initializing, recording, processing and reporting; IT panel controls). 3. Identify significant accounts/controls (eliminate control risk to an acceptable level; understood by users). 4. Document control design (policy manuals; procedures; narratives; flowcharts; configurations; assessment questionnaires). 5. Evaluate control design (coordination with auditors; internal sign-off (312, 414); independent sign-off (404)). 6. Evaluate operational effectiveness (internal audit; technical testing; self-assessment; all locations and controls (annual)). 7. Identify and remediate deficiencies (significant deficiency; material weakness; remediation). 8. Document process and results (internal evaluation; external evaluation). 9. Build sustainability.]
Figure 2. CONTROL-M security administration screen
Service Level Agreements
CONTROL-M architecture includes BMC Batch Impact Manager (CONTROL-M/BIM), a unique option that enables operations teams to define business services and then monitor and manage these processes from a business perspective. This frees the operations staff to concentrate on critical individual services rather than large groups of jobs or applications. CONTROL-M/BIM continually monitors the critical path of any given service and issues updates for the projected end time of that service. If a critical service is delayed beyond its targeted completion time, an alert is then issued to ensure operations teams will place due emphasis on returning that critical business service to its scheduled completion time.
This information is vital to producing accurate financial reports. Auditors can use this information to produce daily reports that show whether services completed beyond their targeted service time.
Monitoring and Reporting
To meet Sarbox Section 404 compliance using the COBIT framework guidelines, IT management must produce and retain extensive reports to monitor the existing job scheduling process and to project future trends. Reports must show the work scheduled each day, the actual jobs run, any exceptions encountered, and the actions taken to handle and correct those exceptions. The reports (and the logs used to produce them) should be retained and archived to ensure effective auditing and control of those applications that directly affect the company's fiscal results.
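As an added illustration (not from the white paper or from BMC), the following script reconciles one day's scheduled work against its run records and flags the gaps an auditor would raise from the daily report just described; the record layout, job names and corrective-action text are constructed assumptions, not CONTROL-M's report format.

```python
"""Daily batch reconciliation report of the kind Section 404 evidence requires:
scheduled work vs. actual runs, exceptions, and the corrective action recorded
for each exception. Added example; the record layout below is a constructed
assumption, not CONTROL-M's own log or report format."""
from dataclasses import dataclass, field


@dataclass
class RunRecord:
    job: str
    status: str                 # "OK" or "FAILED"
    action: str = ""            # corrective action noted by operations, if any
    retained_log: bool = True   # whether the job log was archived for audit


@dataclass
class DailyReport:
    day: str
    scheduled: list[str]
    ran: list[str]
    not_run: list[str]          # scheduled but no run record
    unscheduled: list[str]      # ran but not on the approved schedule
    exceptions: dict[str, str]  # failed job -> corrective action recorded
    findings: list[str] = field(default_factory=list)  # items an auditor would flag


def reconcile(day: str, schedule: list[str], runs: list[RunRecord]) -> DailyReport:
    """Compare the day's schedule with the run records and flag control gaps."""
    ran = [r.job for r in runs]
    rep = DailyReport(day=day, scheduled=list(schedule), ran=ran,
                      not_run=[j for j in schedule if j not in ran],
                      unscheduled=[j for j in ran if j not in schedule],
                      exceptions={r.job: r.action for r in runs if r.status != "OK"})
    for j in rep.not_run:
        rep.findings.append(f"{j}: scheduled but not run")
    for j in rep.unscheduled:
        rep.findings.append(f"{j}: ran outside the approved schedule")
    for j, action in rep.exceptions.items():
        if not action:
            rep.findings.append(f"{j}: failed with no corrective action recorded")
    for r in runs:
        if not r.retained_log:
            rep.findings.append(f"{r.job}: run log not retained for audit")
    return rep


# Constructed sample: a financial-close schedule and one night's run records.
SCHEDULE = ["GL_EXTRACT", "AP_POST", "AR_POST", "GL_CONSOLIDATE"]
RUNS = [
    RunRecord("GL_EXTRACT", "OK"),
    RunRecord("AP_POST", "FAILED", action="Rerun after fixing input file; OK at 02:10"),
    RunRecord("AR_POST", "FAILED"),                     # no action documented
    RunRecord("ADHOC_FIX", "OK", retained_log=False),   # not on the schedule
]

if __name__ == "__main__":
    report = reconcile("2019-07-28", SCHEDULE, RUNS)
    for finding in report.findings:
        print(finding)
```

Jobs that ran but are not on the approved schedule are flagged as well as failures, since an unscheduled change to a financial job is itself a control deviation under the guidelines the paper cites.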
CONTROL-M has extensive capabilities in historical reporting and future forecasting that help operations management and external auditors validate past production runs and evaluate future runs and trends. For example, CONTROL-M enables the data center to store historical job-flow diagram networks, which graphically show all jobs run. Operations management teams can store older versions of networked applications (which directly impact a company's financial reporting applications), and use the product playback feature to view historical information. The playback feature works similarly to a VCR or DVD player, enabling an authorized user to choose a particular network (former or existing) and replay the events by simulating the application environment at a point in time.
Figure 3. Batch Impact Manager monitoring screen
Figure 4. CONTROL-M report generator screen
Figure 5. CONTROL-M report generator screen
For full benefit from this feature, operations staff and auditors should consult to decide which historical networks are the most relevant. The backup and retention of this information should then be scheduled through CONTROL-M, to enable management and auditors to review a simulation of the processes that took place on the applications in question.
When a company also uses BMC CONTROL-D solutions, daily reports can be produced from archived logs, or, as a better alternative, the reports themselves may be retained and viewed from the CONTROL-D archive.
Using CONTROL-D solutions, reports can be indexed and then viewed by date, application, job, run time, and such. Both internal and external auditors can readily view online any pertinent archived report.
Workload Forecasting
COBIT control objectives state that a data center must have processes in place to periodically produce workload forecasts, identify trends, and provide feedback to a capacity plan. The idea is to guarantee the availability of the resources needed to produce the company's fiscal findings in a timely manner.
The BMC CONTROL-M/Forecast facility produces a number of graphical and tabular reports that show projected application processing times for future dates and various trend analyses.
Figure 6. CONTROL-M archive selection screen
Figure 7. View of old network
Figure 8. CONTROL-M forecast tabular report
Figure 9. CONTROL-M forecast trend report
Continuity and Recovery Planning
A good continuity plan uses well-documented and communicated procedures to ensure that, in the event of any failure, IT operations can continue to process the data vital to producing company financial statements.
All CONTROL-M solutions have built-in failover processes, such as database mirroring and cluster support, enabling processing to continue even when a vital infrastructure component is missing or not functioning. These failover processes are extensively documented in various BMC Software manuals and white papers, as is the integration of proprietary failover methods from vendors such as IBM.
Backup and Restoration
Backup and restoration processes for financial and database information (including scheduling tables, logs, security profiles, reports, and job scheduling documentation) should be scheduled as routine daily tasks, using facilities such as the AFT (Advanced File Transfer) process to schedule and monitor the success of transmissions to offsite backup servers.
Restoration of a vital database can be built into the CONTROL-M solutions' post-processing facilities, to run whenever an error is detected.
Job Scheduling
COBIT guidelines suggest that companies implement an automatic scheduling process. These guidelines further stipulate paying particular attention to interdependencies, documentation, security, scheduling deviations, and backup procedures. A recent audit at one financial company strongly suggested the installation of an industry-leading and comprehensive automatic scheduler to help the company avert reporting a material weakness in its internal controls. CONTROL-M, with cross-platform scheduling, monitoring, and management facilities, fulfills all of these requirements, and is positioned by IT industry analysts as the leading scheduler.
BMC CONTROL-M Solutions
CONTROL-M solutions by BMC Software provide support for operations management needs. To learn more about CONTROL-M products, please visit www.bmc.com/products.
- BMC CONTROL-M for Distributed Systems
- BMC CONTROL-M for Microsoft Windows
- BMC CONTROL-M for OS/390 and z/OS
- BMC CONTROL-M for SAP
- BMC CONTROL-M Option for Baan
- BMC CONTROL-M Plus Module for Tivoli
- BMC CONTROL-M Smart Plug-in for HP OpenView
- BMC CONTROL-M/Analyzer
- BMC CONTROL-M/Assist
- BMC CONTROL-M/CM for Advanced File Transfer
- BMC CONTROL-M/CM for PeopleSoft
- BMC CONTROL-M/Enterprise Manager
- BMC CONTROL-M/Links for Distributed Systems
- BMC CONTROL-M/Links for OS/390
- BMC CONTROL-M/Restart
- BMC CONTROL-M/Tape
Conclusion
As companies evolve their corporate processes toward Sarbanes-Oxley compliance, it is important to involve the operations management team and the IT team. While targeted compliance automation tools may be used, it is imperative that companies make the best use of the features and facilities of the existing BMC CONTROL-M solutions in use. When operations management teams engage with IT organizations, their efforts not only validate compliance but also ensure that costs are minimized.