SOX IT @ Novartis Monika Josi Novartis Animal Health, IT Compliance Officer Member of Novartis SOX IT Coreteam ISACA, April 27 2005

SOXIT@Novartis · 2016-11-22 · April 05 ISACA After Hour Seminar -SOX IT@ Novartis / Stefan Laux / Feb 15, 2005 Seite 8 History of SOX S404 in Novartis •For foreign private issuers


Page 1

SOX IT @ Novartis

Monika Josi

Novartis Animal Health, IT Compliance Officer

Member of Novartis SOX IT Coreteam

ISACA, April 27 2005

Page 2

ISACA After Hour Seminar - SOX IT@ Novartis / Stefan Laux / Feb 15, 2005, page 2, April 05

Agenda

• Novartis

• Introduction SOX 404

• History of SOX 404 in Novartis

• Setting the scene: preparatory work for the rollout

• The Rollout

• Lessons learned

Page 3


Novartis at a Glance

2004 key facts

Sales: USD 28.2 billion

Net income: USD 5.8 billion

Employees: 81,400

Countries: 140

Headquarters: Basel, Switzerland

• One of the fastest growing healthcare companies in 2004

• Poised to further expand market share in 2005

• One of the best combinations of strong pharma pipeline and low patent-risk exposure

• Bold research investments to ensure ongoing leadership in innovation

• Consumer Health division focused on improving health and well-being of consumers worldwide

• Sandoz leading global supplier of generic pharmaceuticals

Page 4


Building a Global Leader in Medicines

Novartis

• Pharmaceuticals

- General Medicines: Cardiovascular/metabolism, Neuroscience, A/B/G/H/I, Respiratory/Dermatology, Infectious diseases, Mature Products

- Specialty Medicine: Oncology, Transplantation, Ophthalmics

• Consumer Health: OTC, Animal Health, Medical Nutrition, Infant & Baby (Gerber), CIBA Vision

• Sandoz: Generics

Sales by division 2004*: Pharmaceuticals 65%, Consumer Health 24%, Sandoz 11%

Operating income by division 2004*: Pharmaceuticals 82%, Consumer Health 14%, Sandoz 4%

* Sandoz a separate division since January 2005

A/B/G/H/I: Arthritis/Bone/Gastrointestinal/Hormone Replacement Therapy/Incontinence. Source: Novartis Annual Report 2004

Page 5


History of SOX S404 in Novartis

• For foreign private issuers (like Novartis) SOX takes effect for years ending on or after 15 April 2005

• Corporate Governance is high on Novartis' priority list, therefore

- Novartis has voluntarily decided to meet the deadline for US registrants (years ending after 15 June 2004) for major sites

- SOX Business Project Sponsor: Head Group Financial Reporting & Accounting, reporting to the Novartis Audit and Compliance Committee

• Scope

- 2004: 42 entities (approx. 75% contribution)

Page 6


History of SOX S404 in Novartis

• As a result of the SOX Business requirement, a SOX IT project manager was appointed in March 2004

• Key Stakeholder IT: CIO Novartis

• Timelines according to SOX Business, meaning

- August 30, 2004: Novartis testing completed / SOX IT audit begins

- September, 2004: audits by external auditors begin

- December 31, 2004: Effective date of attestation by external auditor

• But who, what and how?

Page 7


Who: Novartis SOX IT project setup

Org chart (box labels, top to bottom):

• SOX IT Steering Committee

• SOX IT Program Lead

• SOX IT Project Leader SOX Program

• SOX IT Core Team:

- SOX IT US

- SOX IT Basel

- SOX IT SAP

- SOX IT CH

- SOX IT Infra

- SOX IT Japan

- SOX IT CV

- SOX IT Sandoz

- SOX IT MN

- SOX IT AH

- SOX IT I&B

- SOX IT OTC

Page 8


What: Scope of SOX IT S404

• Primary principle: SOX IT follows SOX Business cycles

- Finance

- Revenue & Receivables

- Purchasing & Accounts Payables

- Plant, Property & Equipment

- Production & Inventory

- Payroll

• All applications supporting SOX business processes

• All data centers & support organizations supporting these applications

Page 9


Identifying datacenters & support centers in scope

Diagram (box labels only): Hosting & Support Appl. B; Hosting Appl. B; Hosting Appl. A; Support Appl. A; Support for Appl A & B local; Hosting Appl. A

Page 10


What: the SOX IT Key Controls

• Pre-definition of SOX IT controls by Core Team based on IT Governance Institute discussion paper (available on www.itgi.org)

- Using the framework (Governance, control and audit for information and related technology) as a basis

• Scope of discussion paper regarded as too open

- Decision to focus on Control Activities (e.g. no strategic processes)

- Decision to focus on high-risk areas

Page 11


What: SOX IT Controls

• Decision on 41 Key Controls in 7 areas (sub-cycles)

- Corporate Policies

- Project Management

- Change Management

- Disaster Recovery

- Security Management (user authentication, physical security, virus protection, network security, backup, incident reporting)

- Problem Management

- Service Level Management

Page 12


Timelines and Milestones for SOX IT S404

Timeline chart, May through December 2004

Activities (bars):

• Document Key Controls

• Test Key Controls

• Remediate Gaps

• Document Gaps

• Walkthroughs

• Audit / Reviews

Milestones:

• Documentation Completed

• Gaps Closed

• Testing completed

• Management Attestation

Page 13


How: SOX IT rollout

• Agreement in SOX IT Core Team that deadlines can only be met by tight project management and a lot of support

• Decision on a 'cookbook'-style rollout into the countries

• Strong emphasis on training of all SOX IT coordinators to ensure that the project goal can be met

Page 14


Documenting Key Controls

• Document all key controls for each system and infrastructure in scope

- Documentation and Flowcharts

Page 15


Identifying/remediating gaps

• Document all gaps found in the prepared gap remediation template

• Gaps in controls, e.g.:

• Processes not adequately documented

• Controls not established, poorly designed or not effective

• Control maturity required: monitored (standardized and tested controls)

Page 16


Stop, look and listen: the Walkthroughs

• All sites were visited in walkthroughs to determine:

- The quality of documentation

- Whether the right/all gaps were identified

- Discuss the remediation actions with the local sites

- Determine the tests to be conducted at the local sites

• Sample sizes

• Test intervals (yearly, monthly, quarterly)

• Test strategies

Page 17


Testing the Key Controls

• Local sites to perform and document all tests for Key Controls

- E.g. test xx change control forms for whether they meet defined requirements

• Experience:

- Testing was the most difficult and time-consuming part of the whole project

Page 18


The final stage: the SOX IT audits/reviews

• By the end of November, all SOX IT S404 sites were audited/reviewed and the corresponding reports were produced

• In mid-December 2004, the external auditor issued the SOX IT attestation (business attestation in mid-January 2005)

• This was also stated in the Annual Report

Page 19


Lessons learned

Challenges:

• Timelines, Resources

• Managing scope changes in terms of sites / applications

• Handling of outsourcers, interfaces between systems/functions, reports/query-type software

• Concept of sites testing the effectiveness of their controls was new

- Needs a lot of time / resources

• Find/coordinate projects/activities with related scope (SOX Business, IT & Information Security, IT Quality Management, ITIL ...)

• Y2K perception

Page 20


Lessons learned

Positive:

• After initial problems, most sites accepting SOX IT and using it as a means to improve overall IT quality

• Backup / support from Business to comply with SOX IT

• Good feedback from sites regarding the guided way through SOX IT

• Good experience with identifying global processes that can be documented/tested once for all sites (e.g. IT Security) or for which documentation can be re-used with little adaptation

• Top Management Commitment is a must to ensure project momentum

• New word of the year: To Soxify

Page 21


Outlook 2005

• Activities for 2005 have already started for SOX IT entities in scope

• Furthermore, projects to cover all entities with a control framework have been initiated