The Nature of SOX Projects August 16, 2006 PMI Chapter Luncheon Meeting Amin Leiman, CISA

Agenda:

Characteristics of SOX Projects

“Instant Managers” Challenges

Conducting an “instant” analysis of a SOX project

Material Weakness Reported by Type

Key Phases of Project Compliance

Project Planning

Document Key Processes

Source Risks

Document Controls

Assess Design

Validate Operation

Report

Develop the Compliance Plan
Select the priority accounts and disclosures from financial statement risk assessment (FSRA)
Consider significance to financial reporting and risk of misstatement

Identify the key processes impacting financial reporting
Document the transaction flows that materially impact the priority financial reporting elements
Designate a standard framework for documenting and testing

Use financial reporting assertions to source “what can go wrong” within the process
What are the risks?

Document entity controls (“tone at the top”)
Document the controls at the source of the risk (preventive) or downstream in the process (detective and corrective)
What are the key controls? Who owns the controls?
Identify control objectives

Assess effectiveness of controls design at Entity and Activity / Process Levels
How is the controls design rated?

Test effectiveness of controls operation at Entity and Activity / Process Levels
Identify exceptions, classify and remediate deficiencies

Conclude Disclose Report

How are controls performing?

Current Status

Collaboration and Communication

Coordinate with External Auditor

Project Status at a Glance

Key Project Task | Status | Progress | Target Dates | Comments

Project Planning & Risk Assessment

Determine Overall Scope of Project

Assessment & Definition of Materiality

Determine Significant Accounts and Disclosures

Identify Critical Processes

Determine Applicable Business Units

Determine Level of Documentation and Standard Formats

Complete Compliance Plan

Meet with External Auditor to Discuss Compliance Plan

Complete IT SOX Compliance Project Plan

IT General Control Risk Assessment

Identify Significant Control Objectives

Consider Entity-level Control Significant Objectives

Analyze Entity-level Control Documentation Gaps

IT Application & General Controls Risk Assessment Plan 80%

Key: Not Started, In Process, Concern, Great Concern, Complete

Characteristics of SOX Projects:

As a result of corporate “911” events

Panic Mode

Uncertainties

Last minute action plans

Unintended consequences

Primarily driven by external auditors

Challenges of “Instant” Managers:

Organizations and projects are, by nature, political

The ultimate inspiration is the deadline

Relying on ballpark estimates

Victim of Parkinson’s Law – Work will expand to take the time allowed

Balancing the Right and Left Brain

“You can’t solve a problem with the same thinking that created it in the first place” Albert Einstein

Your Roles in Helping Them Out:

“Instant” PM | PMP-certified PM

Organizations and projects are, by nature, political | Implement Project Integration Management

The ultimate inspiration is the deadline | Project Time Management

Relying on ballpark estimates | Project Scope Management - Enforce SOW and WBS

Victim of Parkinson’s Law | Project HR Management

Balancing the Right and Left Brain | Project Communications Mgmt.

“You can’t solve a problem with the same thinking that created it in the first place” | Project Quality Management

Conducting an “instant” analysis of a SOX project:

Principle | Action

Symptoms tell us we have a problem but the symptom is not the problem itself | Identify and “kill” the bottlenecks quickly before they kill the project.

Close-ended problems have single solutions. Open-ended problems have multiple solutions. | “Close-ended” requires a left-brained approach and “Open-ended” requires a right-brained approach.

If the definition is wrong, you will develop the right solution to the wrong problem. | Clarify a shared understanding of the team’s mission.

Where there is no vision, the people perish (Proverbs 29:18) | Confirm the team’s understanding of what the final result will look like.

Q&A

“Misunderstandings sometimes occur because of differences in thinking preferences”

Thank you for coming to our presentation today!