Sarbanes Oxley Compliance Using Control m


  • 7/28/2019 Sarbanes Oxley Compliance Using Control m

    1/8

SOLUTION WHITE

Sarbanes-Oxley Compliance Using BMC CONTROL-M Solutions for Operations Management


Table of Contents

SECTION 1  Executive Summary  1
SECTION 2  Abstract  1
SECTION 3  Sarbanes-Oxley Compliance  2
  > Sarbanes-Oxley Section 404  2
SECTION 4  COBIT Objectives and BMC CONTROL-M  3
  > Security  3
  > Service Level Agreements  4
  > Monitoring and Reporting  4
  > Workload Forecasting  5
  > Continuity and Recovery Planning  6
  > Backup and Restoration  6
  > Job Scheduling  6
SECTION 5  BMC CONTROL-M Solutions  6
SECTION 6  Conclusion  6


Executive Summary

When corporate executives certify their company financial statements this year, in compliance with Sarbanes-Oxley financial reporting guidelines, they will do so under the possibility of fines or even imprisonment for inaccurate reporting or noncompliance. The business information relied on by CXOs, culled from multiple information management systems, will be subject to higher levels of scrutiny by auditors than ever before.

Implementing the necessary controls toward Sarbanes-Oxley compliance is an evolving process that is likely shepherded by a project team run by the finance department, and includes both internal and external auditors. This team may already be using automation tools targeted toward compliance, but it is important to choose solutions that are extensible and flexible enough to adequately validate the controls and processes and minimize the increasing costs associated with full compliance. This paper will help the operations department to communicate effectively with the compliance project team, understand their requirements, and ensure that the operations processes are in place to fully support the Sarbanes-Oxley compliance effort.

BMC Software's BMC CONTROL-M solutions help you to cost-effectively automate business processes, conserve resources, and control costs as your company moves toward mandatory Sarbanes-Oxley compliance.

Abstract

The Sarbanes-Oxley Act of 2002 was enacted by the U.S. legislature to protect investors and the public from fraudulent corporate accounting practices and erroneously reported corporate financial information. The Securities and Exchange Commission (SEC) established the rules, requirements, and deadlines, and continues to administer compliance. The burden of compliance now falls largely on the IT staffs that are responsible for supporting their organizations' business and accounting processes.

This white paper provides an overview of Sarbanes-Oxley requirements for IT organizations, and reviews how BMC Software's BMC CONTROL-M solutions provide the means to easily address compliance for operations management, initially and going forward procedurally. Specifically, this paper discusses:

> Sarbanes-Oxley Act and Section 404 directives
> Sarbanes-Oxley demands on IT operations
> COBIT and COSO internal control frameworks
> How CONTROL-M solutions help you gain control of operations management and assist in your compliance projects


Sarbanes-Oxley Compliance

Ideally, compliance initiatives will restore investor confidence in the stock market by making the financial states of companies transparent to investors. By enhancing corporate governance, strengthening supervision of auditors, focusing attention on internal controls, and imposing strong penalties for noncompliance, companies can prevent undetected financial fraud. Ultimately, this window into management performance should enable investors to better judge a company's true value.

Companies are investing heavily in compliance processes, much of it unbudgeted. Studies suggest that a $3 billion company could spend up to $9.5 million on initial compliance costs and up to $8 million per year on ongoing compliance measures. Current reports indicate that the ongoing costs of compliance are costing companies as much as 1.25 percent of their annual revenues. Compliance efforts can readily be compared with the Y2K technology undertaking, but with no visible end to the process.

The Sarbanes-Oxley Act itself does not standardize business practices or specify a framework for organizing processes toward compliance. However, many companies are using standardized sets of approved frameworks to enforce compliance and to describe to auditors (internal and external) how they are achieving compliance controls. These frameworks for IT governance and accounting controls are used to link Sarbanes-Oxley documentation activities with corporate IT management procedures, and are often underwritten and promoted by the auditing and accounting community to measure compliance and to highlight deviations from guidelines.

In 1985, the Committee of Sponsoring Organizations of the Treadway Commission [1] (COSO) was formed to sponsor the National Commission on Fraudulent Financial Reporting. This independent private-sector initiative developed a framework of recommendations for public companies and their independent auditors, educational institutions, and the SEC and other regulators. The COSO framework was adopted by many organizations to standardize and improve the quality of financial reporting.

To address the role of IT in compliance, the IT Governance Institute (ITGI) and the Information Systems Audit and Control Association (ISACA) subsequently created a framework called the Control Objectives for Information and Related Technologies (COBIT) guidelines. COBIT is based on the COSO recommendations, and provides an IT governance model and management guidelines for determining how effectively a company controls IT and where improvements can be made.

For further information, visit www.itgovernance.org or www.isaca.org/cobit.htm

Sarbanes-Oxley Section 404

Following the initial Sarbanes-Oxley compliance audits, companies will need to comply with Section 404 of the act, which directly addresses the role of IT in compliance processes. Section 404 focuses heavily on the critical role of internal control over financial reporting, reemphasizing the importance of ethical conduct and reliable information in the preparation of financial information reported to investors.

Section 404 directives specify that audit reports must be accompanied by an assessment of all internal controls and processes that have been certified as Sarbanes-Oxley compliant by independent auditors. To do so, each company must:

> Establish a set of financial control processes that must be verified and certified as accurate by an external auditor
> Conduct a quarterly evaluation of all certified controls
> Incorporate an independent assessment of control processes into the company's annual financial report

Section 404 now requires management and auditors to publicly report material weaknesses in internal control over financial reporting existing at their fiscal year-end. These material weaknesses must be listed in a company's annual filings, which could adversely affect stock price and market perception. Although Section 404 does not specify how its objectives are to be met, the SEC has mandated that companies must use a recognized internal control framework such as COBIT or COSO. Using the COBIT framework, an organization can readily design a system of IT controls to comply with Section 404.

Auditors need to readily understand the flow of an organization's financial transactions from initiation through to reporting. Because these transactions will be part of IT applications processing, the IT department is under constant and intense scrutiny to document the controls in place and manage these flows. Auditors will not only be required to monitor the application flow, but will also need to be able to map and monitor the integrity of all the resources in use to support a given application. These resources will include, but not be limited to, networks, databases, servers, operating systems, and IT system management software.

[1] The Treadway Commission is named for James C. Treadway, Jr., a former member of the Securities and Exchange Commission and the initial chairperson of COSO.


COBIT Objectives and BMC CONTROL-M

This section reviews some of the COBIT objectives relevant to Section 404 compliance, and outlines how operations management can achieve COBIT objectives by fully exploiting the functionality of CONTROL-M solutions. CONTROL-M is an enterprise-wide batch scheduling solution that lets you monitor, manage, and automate all job scheduling and link the scheduled processes and applications to business objective metrics.

COBIT objectives relevant to Section 404 compliance:

> Security
> Service level agreements
> Monitoring and reporting
> Workload forecasting
> Continuity and recovery planning
> Backup and restoration
> Job scheduling

Security

CONTROL-M solutions provide extensive security facilities that enable:

> Access to the product itself
> Access to specific product functionality, by configuring which users can use certain product functions
> Control over the submission of work
> Control over what applications may be monitored and managed
> Monitoring and reporting of attempted security violations
> Forced changing of security passwords
> Audit logs containing details of all accesses, including both approved and rejected

Operations management and security teams should work together to develop, implement, document, and continually assess these functions, including staff changes, process changes, and new applications deployment. Audit logs should be printed and regularly reviewed to determine the reason for violations and to ensure that any violations are not willful or intentional.

Sarbox compliance roadmap (figure; steps recovered from the graphic): 1. Plan and scope; 2. Perform risk assessment; 3. Identify significant accounts/controls; 4. Document control design; 5. Evaluate control design; 6. Evaluate operational effectiveness; 7. Identify and remediate deficiencies; 8. Document process and results; 9. Build sustainability.

Figure 2. CONTROL-M security administration screen


Service Level Agreements

CONTROL-M architecture includes BMC Batch Impact Manager (CONTROL-M/BIM), a unique option that enables operations teams to define business services and then monitor and manage these processes from a business perspective. This frees the operations staff to concentrate on critical individual services rather than large groups of jobs or applications. CONTROL-M/BIM continually monitors the critical path of any given service and issues updates for the projected end-time of that service. If a critical service is delayed beyond its targeted completion time, an alert is then issued to ensure operations teams will place due emphasis on returning that critical business service to its scheduled completion time.

This information is vital to producing accurate financial reports. Auditors can use this information to produce daily reports that show if services completed beyond their targeted service time.

Monitoring and Reporting

To meet Sarbox Section 404 compliance using the COBIT framework guidelines, IT management must produce and retain extensive reports to monitor the existing job scheduling process and to project future trends. Reports must show the work scheduled each day, actual jobs run, any exceptions encountered, and the actions taken to handle and correct exceptions. The reports (and logs used to produce the reports) should be retained and archived to ensure effective auditing and control of those applications that directly affect the company's fiscal results.
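The Service Level Agreements and Monitoring and Reporting passages above both call for a daily report showing what was scheduled, what actually ran, the exceptions encountered with the action taken for each, and services that ended after their targeted completion time. The following added example (not code from the paper or from BMC) produces that reconciliation from a constructed schedule and constructed run-log lines; the job names, the log layout, the "ENDED OK"/"ENDED NOTOK" statuses and the recorded actions are all assumptions.

```python
"""Daily batch reconciliation for Section 404 evidence.

Added example, not BMC code: it reconciles a constructed daily schedule against
constructed run-log lines and reports what the paper says the reports must show.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed schedule: job name -> targeted completion time (hypothetical jobs).
SCHEDULE = {"GL_EXTRACT": "02:00", "GL_POST": "03:30",
            "AR_AGING": "04:00", "FX_RATES": "01:00"}

# Constructed run-log lines in a hypothetical "job|start|end|status" layout;
# CONTROL-M's real log format is not shown in the paper.
RUN_LOG = """\
GL_EXTRACT|2019-07-28 00:10|2019-07-28 01:45|ENDED OK
GL_POST|2019-07-28 01:50|2019-07-28 03:55|ENDED OK
AR_AGING|2019-07-28 02:00|2019-07-28 02:20|ENDED NOTOK
AR_AGING|2019-07-28 02:40|2019-07-28 03:10|ENDED OK
"""

# Constructed operator actions recorded against exceptions.
ACTIONS = {"AR_AGING": "rerun after database lock cleared"}
NO_ACTION = "NO ACTION RECORDED"  # an exception with no action is itself a finding


@dataclass
class Run:
    job: str
    start: datetime
    end: datetime
    status: str


def parse_runs(text):
    """Parse run-log lines into Run records, skipping blank lines."""
    runs = []
    for line in text.splitlines():
        if line.strip():
            job, start, end, status = line.split("|")
            runs.append(Run(job, datetime.fromisoformat(start),
                            datetime.fromisoformat(end), status))
    return runs


def reconcile(schedule, runs, actions):
    """Return the exception records an auditor would review for one day."""
    ran = {}
    for r in runs:
        ran.setdefault(r.job, []).append(r)
    report = {"not_run": [], "failed": [], "late": [], "unscheduled": []}
    for job, target in schedule.items():
        if job not in ran:  # scheduled but never ran
            report["not_run"].append((job, actions.get(job, NO_ACTION)))
            continue
        for r in ran[job]:  # every non-OK ending is an exception
            if r.status != "ENDED OK":
                report["failed"].append((job, r.status, actions.get(job, NO_ACTION)))
        # SLA check uses the last run's end time of day against the target.
        last = max(ran[job], key=lambda x: x.end)
        if last.end.time() > datetime.strptime(target, "%H:%M").time():
            report["late"].append((job, last.end.strftime("%H:%M"), target))
    # Work that ran without being scheduled must be explained as well.
    report["unscheduled"] = sorted(set(ran) - set(schedule))
    return report
```

Archive the returned records alongside the log they were produced from, since the paper expects both the report and its source logs to be retained for the auditors.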

CONTROL-M has extensive capabilities in historical reporting and future forecasting that help operations management and external auditors validate past production runs and evaluate future runs and trends. For example, CONTROL-M enables the data center to store historical job-flow diagram networks, which graphically show all jobs run. Operations management teams can store older versions of networked applications (which directly impact a company's financial reporting applications), and use the product playback feature to view historical information. The playback feature works similarly to a VCR or DVD player, enabling an authorized user to choose a particular network (former or existing) and replay the events by simulating the application environment at a point in time.

Figure 3. Batch Impact Manager monitoring screen

Figure 4. CONTROL-M report generator screen

Figure 5. CONTROL-M report generator screen

For full benefit from this feature, operations staff and auditors should consult to decide which historical networks are the most relevant. The backup and retention of this information should then be scheduled through CONTROL-M, to enable management and auditors to review a simulation of the processes that took place on the applications in question.

When a company also uses BMC CONTROL-D solutions, daily reports can be produced from archived logs, or, as a better alternative, the reports themselves may be retained and viewed from the CONTROL-D archive.

Using CONTROL-D solutions, reports can be indexed and then viewed by date, application, job, run-time, and such. Both internal and external auditors can readily view online any pertinent archived report.

Workload Forecasting

COBIT control objectives state that a data center must have processes in place to periodically produce workload forecasts, identify trends, and provide feedback to a capacity plan. The idea is to guarantee the availability of the resources needed to produce the company's fiscal findings in a timely manner.

The BMC CONTROL-M/Forecast facility produces a number of graphical and tabular reports that show projected application processing times for future dates and various trend analyses.

Figure 6. CONTROL-M archive selection screen

Figure 7. View of old network

Figure 8. CONTROL-M forecast tabular report

Figure 9. CONTROL-M forecast trend report


Continuity and Recovery Planning

A good continuity plan uses well-documented and communicated procedures to ensure that, in the event of any failure, IT operations can continue to process the data vital to producing company financial statements.

All CONTROL-M solutions have built-in failover processes, such as database mirroring and cluster support, enabling processing to continue even when a vital infrastructure component is missing or not functioning. These failover processes are extensively documented in various BMC Software manuals and white papers, as is the integration of proprietary failover methods from vendors such as IBM.

Backup and Restoration

Backup and restoration processes for financial and database information (including scheduling tables, logs, security profiles, reports, and job scheduling documentation) should be scheduled as routine daily tasks, using facilities such as the AFT process to schedule and monitor the success of transmissions to offsite backup servers. Restoration of a vital database can be built into the CONTROL-M solutions' post-processing facilities, whenever an error is detected.

Job Scheduling

COBIT guidelines suggest that companies implement an automatic scheduling process. These guidelines further stipulate paying particular attention to interdependencies, documentation, security, scheduling deviations, and backup procedures. A recent audit at one financial company strongly suggested the installation of an industry-leading and comprehensive automatic scheduler to help the company avert reporting a material weakness in its internal controls. CONTROL-M, with cross-platform scheduling, monitoring, and management facilities, fulfills all of these requirements, and is positioned by IT industry analysts as the leading scheduler.

BMC CONTROL-M Solutions

CONTROL-M solutions by BMC Software provide support for operations management needs. To learn more about CONTROL-M products, please visit www.bmc.com/products.

> BMC CONTROL-M for Distributed Systems
> BMC CONTROL-M for Microsoft Windows
> BMC CONTROL-M for OS/390 and z/OS
> BMC CONTROL-M for SAP
> BMC CONTROL-M Option for Baan
> BMC CONTROL-M Plus Module for Tivoli
> BMC CONTROL-M Smart Plug-in for HP OpenView
> BMC CONTROL-M/Analyzer
> BMC CONTROL-M/Assist
> BMC CONTROL-M/CM for Advanced File Transfer
> BMC CONTROL-M/CM for PeopleSoft
> BMC CONTROL-M/Enterprise Manager
> BMC CONTROL-M/Links for Distributed Systems
> BMC CONTROL-M/Links for OS/390
> BMC CONTROL-M/Restart
> BMC CONTROL-M/Tape

Conclusion

As companies evolve their corporate processes toward Sarbanes-Oxley compliance, it is important to involve the operations management team and the IT team. While targeted compliance automation tools may be used, it is imperative that companies make the best use of the features and facilities of the existing BMC CONTROL-M solutions in use. When operations management teams engage with IT organizations, their efforts not only validate compliance but also ensure that costs are minimized.