Page 1: Using COBiT For Sarbanes Oxley

Using COBiT For Sarbanes Oxley

Japan, November 18th 2006
Gary A Bannister

Page 2: Using COBiT For Sarbanes Oxley

Who Am I & What I Do?

- I am an accountant with 28 years experience working in various International Control & IT roles.
- I am British and resident in the US.
- I speak 4 languages, but unfortunately not Japanese.
- I was involved in the implementation of the BP SOX program in 2004 & 2005 and was instrumental in the implementation of COBiT version 3 and compliance processes.

Page 3: Using COBiT For Sarbanes Oxley

AGENDA

- Some Context about Compliance: Sarbanes Oxley, “Differences in Japan & Other Countries”
- The BP Process in SOX Using COBiT: Selection & Mapping
- BP Gap Analysis & Remediation Criteria
- Key Learnings & Some Tips for You

Page 4: Using COBiT For Sarbanes Oxley

Sarbanes-Oxley (SOX) Act Highlights

Established the Public Company Accounting Oversight Board (PCAOB) and gave it broad powers to oversee the public accounting firms

Introduced new limitations on auditors including mandatory partner rotation and limits on services

Requires new “disclosure controls” that inform corporate officers of “material information” during the reporting period

Page 5: Using COBiT For Sarbanes Oxley

Sarbanes Oxley Two Key Sections

Sec 302: Financial Reporting

Sec 404: Internal Controls

Page 6: Using COBiT For Sarbanes Oxley

SOX 404

Requires management to include an internal control report in each SEC filing that:

- States the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and
- Contains an assessment, as of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures

Requires an audit of management’s report on internal controls

Page 7: Using COBiT For Sarbanes Oxley

SOX Effect on Other countries

SOX legislation coming to Japan, Canada, South Africa & Europe.

COBiT & COSO I frameworks become more important in documenting and testing the effectiveness of internal controls.

Some differences: external auditors are NOT required to attest to management’s attestation on internal controls in Canada.

Page 8: Using COBiT For Sarbanes Oxley

Relationships Between IT & Business

Business Processes

Applications

Data/DBMS

Platforms

Networks

Physicals

Financial & Business Teams review manual and automated business process controls

Data Center Operations Manager and IT SOX evaluate supporting infrastructure for all financial applications as a part of the IT General Controls review

Application Manager and IT SOX perform Application General Controls and Application Security Reviews

An effective automated business process control requires effective operating IT controls

Page 9: Using COBiT For Sarbanes Oxley

Overview of SOX Program

Agree Processes & Applications -> Evaluate/Document -> Prioritise Gaps, agree Timeline -> Remediate Gaps -> Monitoring/Reporting (Operate)

Pages 10 to 13: Using COBiT For Sarbanes Oxley

Overview of ICE/DCT SOX Program (one diagram, built up over four slides)

Stage 1: Agree Processes & Applications (Finance decisions on scope)
- Agree in-scope processes
- Agree control framework
- Agree gap prioritisation process
- Agree remediation timetable
- Agree Financial Control monitoring & compliance process
- Identify supporting applications

Stage 2: Evaluate/Document
- 4 workstreams: IT General Controls; Application General Controls; Application Security Review; Application Business Controls
- Evaluate in “batches”: 100 applications & 10 data centres, then + 100 applications, then + 10 data centres
- Output: documented CETs & gaps

Stage 3: Prioritise Gaps, agree Timeline
- Identified COBIT gaps are filtered and challenged, then ranked Tier 1 to Tier 4
- Integrate with IT plans
- Output: prioritised set of gaps & timeline

Stage 4: Remediate Gaps
- IT owns & implements; IT own, fund and deliver the plan
- IT Central (data centres) and IT segments & functions (applications)
- Output: gaps remediated by IT; group-wide integrated plan

Stage 5: Monitoring/Reporting (Operate)
- Process embedded across IT
- Repeatable annual process
- Staff trained; internal resource
- Output: IT own the on-going process

IT Progress Reporting

Page 14: Using COBiT For Sarbanes Oxley

Why COBiT? How was COBiT chosen

Control systems considered:
- COBIT
- ISO 17799
- ITIL (Information Technology Infrastructure Library)

Assessment criteria used:
- Control needs of SOX: consistency with the General and Application control needs of SOX. COBiT more comprehensive.
- Extent of use outside BP: the use of each system by other companies for this purpose

Page 15: Using COBiT For Sarbanes Oxley

Why COBIT

[Chart: breadth of IT control coverage (low / med / high) against how detailed (low / med / high), positioning ITIL, COBIT, COSO, Turnbull and ISO 17799.]

Page 16: Using COBiT For Sarbanes Oxley

Why COBiT ….

Page 17: Using COBiT For Sarbanes Oxley

Why COBiT ….

Page 18: Using COBiT For Sarbanes Oxley

Why COBiT ….

Page 19: Using COBiT For Sarbanes Oxley

CobiT v3 Overview, July 2004

Planning and Organization
- Define the IT Plan
- Define the Information Architecture
- Define the Technology Direction
- Define the Organization and Relationships
- Manage the IT Investment
- Communicate Management Aims
- Manage HR
- Ensure Compliance with External Requirements
- Assess Risks
- Manage Projects
- Manage Quality

Acquisition and Implementation
- Identify Solutions
- Acquire (Develop) and Maintain Application Software
- Acquire and Maintain Technology Infrastructure
- Develop & Maintain Procedures
- Install and Accredit Systems
- Manage Changes

Delivery and Support
- Define Service Levels
- Manage Third Party Services
- Manage Performance and Capacity
- Ensure Continuous Service
- Ensure System Security
- Identify and Attribute Costs
- Educate and Train Users
- Assist and Advise IT Customers
- Manage the Configuration
- Manage Problems and Incidents
- Manage Facilities
- Manage Data
- Manage Operations

Monitoring
- Monitor the Process
- Assess Internal Control Adequacy
- Obtain Independent Assurance
- Provide for Independent Audit

Information and IT Systems

RED IT processes are a part of the DCT SOX Control Framework [12 control processes, 68 control activities]

Page 20: Using COBiT For Sarbanes Oxley

CobiT v4 Overview, August 2006. Amendments for ‘Compliance Business as Usual’.

Planning and Organization
- Define the IT Plan
- Define the Information Architecture
- Define the Technology Direction
- Define the IT Processes, Organization and Relationships
- Manage the IT Investment
- Communicate Management Aims
- Manage HR
- Manage Quality
- Assess & Manage IT Risks
- Manage Projects

Acquisition and Implementation
- Identify Automated Solutions
- Acquire (Develop) and Maintain Application Software
- Acquire and Maintain Technology Infrastructure
- Enable Operations & Use
- Procure IT Resources
- Manage Changes
- Install and Accredit Systems

Delivery and Support
- Define Service Levels
- Manage Third Party Services
- Manage Performance and Capacity
- Ensure Continuous Service
- Ensure System Security
- Identify and Allocate Costs
- Educate and Train Users
- Manage Service Desk & Incidents
- Manage the Configuration
- Manage Problems
- Manage Data
- Manage Physical Environment
- Manage Operations

Monitoring
- Monitor & Evaluate IT Performance
- Monitor & Evaluate Internal Control
- Ensure Regulatory Compliance
- Provide IT Governance

Information and IT Systems

RED IT processes are a part of the DCT Compliance Control Framework [11 control processes, 32 control activities]

Page 21: Using COBiT For Sarbanes Oxley

IT Risk Analysis Criteria

Filter activity, from identified BP COBIT gaps to a prioritised set of Sarbanes Oxley gaps:

- 1st Filter: 1) COBIT Summary Rank @ CP (Control Process) level; COBIT gap criteria at control process level
- 2nd Filter: 2) COBIT Detailed ranking @ CO (Control Objective) level; COBIT gap criteria at control objective level
- 3rd Filter: 3) ICE Financial Tier Rankings, Tier 1 to Tier 4
- 4th Filter: 4) Additional business info: global vs. local, prior audit etc.

Also considered: e-learning suitability.

Pages 22 to 25: Using COBiT For Sarbanes Oxley

Key GAP Prioritization Explained (one diagram, built up over four slides)

Identified COBIT gaps pass through 1) COBIT Summary Rank @ CP level and 2) COBIT Detailed ranking @ CO level, then 3) ICE Financial Tier Rankings and 4) Additional business info, to land in Tier 1 to Tier 4.

Effectiveness: the degree to which the Control Objective responds to the underlying value delivery and risk mitigation requirements, irrespective of efficiency, costs and effort. [COBiT On-line]

Colour coding (VH / H / M / L / N):
- Very High: COBIT HIGH split out for AI6 & DS5 (Change Management & Ensure System Security). Maps to ICE Tier 1.
- High: the remaining COBIT reds. Maps to ICE Tier 2.
- Medium: as per COBIT. Maps to ICE Tier 3.
- Low: as per COBIT. Maps to ICE Tier 4.
- N: no gap, 0 rank. Maps to BP risk convention.

Financial criteria map one to one with the COBIT ranking:
- Tier One: >= $100m (COBiT Very High)
- Tier Two: < $100m, > $20m (COBiT High)
- Tier Three: < $20m, > $1m (COBiT Medium)
- Tier Four: < $1m (COBiT Low)

Other criteria, example “Application $ Throughput”:
- Very High: > $1b
- High: < $1b, > $250m
- Medium: < $250m, > $100m
- Low: < $100m

Page 26: Using COBiT For Sarbanes Oxley
Page 27: Using COBiT For Sarbanes Oxley

Key Learnings & Some Tips For You

Do not use COSO alone; it is not detailed enough for IT. ISO 17799 is NOT ENOUGH. It does not cover well the following:
- Data Management
- Third Party processes
- IT Delivery & Support Operations
- Audit & Governance issues
- Software & Hardware development controls
- Segregation of Duties

Consult & agree your framework with your external auditors before you implement your program.

Do not select too many COBiT control objectives and control practices. Simplify & simplify. Concentrate on key IT control deficiencies that are high or are a critical risk:
- Change Management issues
- Access Controls & Segregation of Duties
- Some Data Management issues like backups & storage

Include your IT applications (e.g. SAP) with your business process documentation. Why? Most of your business controls are defined by your systems and applications.

Page 28: Using COBiT For Sarbanes Oxley

Key Learnings & Tips continued

Do not test too many applications & processes; take a Risk & Business Impact approach.

Look out for spreadsheets. Errors in relatively simple spreadsheets can result in potentially material misstatements in financial results.
- Their best feature is their worst: flexibility
- Use the PricewaterhouseCoopers five-step process:
  1. Inventory spreadsheets
  2. Evaluate use, complexity
  3. Determine level of controls
  4. Evaluate existing controls
  5. Develop remediation

Page 29: Using COBiT For Sarbanes Oxley

Key Learnings & Tips continued

Use frameworks like COSO & COBiT as benchmarks; they don’t give you the answers or the specific controls, only the templates. Tailor them to your company’s needs.

Beware email, e.g. spreadsheets emailed to controllers for consolidation: a potential email security & storage issue.

Beware use of compliance tools/software. It is still not a mature market.

Consider how you will administer Third Parties & Outsourced Partners

Assign Accountabilities for each Business & IT process (e.g. Order to Pay for Business & Change Management for IT – Note Segregation of Duties is a business accountability but facilitated by IT)

Page 30: Using COBiT For Sarbanes Oxley
Page 31: Using COBiT For Sarbanes Oxley

Thank you

Page 32: Using COBiT For Sarbanes Oxley
Page 33: Using COBiT For Sarbanes Oxley

What Role Does IT Play?

- Infrastructure
- Application Controls
- Business Partner to ensure controls are operating effectively across the organization
- New Applications

Page 34: Using COBiT For Sarbanes Oxley

Process vs. Control

- Control Objective: User access to network is appropriately assigned.
- Example of Process: Management reviews user access on a monthly basis.
- Example of Control: Management reviews and signs off on a report generated on a monthly basis containing user accounts and roles to ensure appropriateness and accuracy.

Page 35: Using COBiT For Sarbanes Oxley

A New Internal Control Paradigm – PCAOB Guidance

Examples of Documentation: documentation that provides reasonable support for management’s assessment of the effectiveness of internal control over financial reporting covers:

- The design of controls over relevant assertions related to all significant accounts and disclosures in the financial statements,
- Information about how significant transactions are initiated, recorded, processed, and reported,
- Enough information about the flow of transactions to identify where material misstatements due to error or fraud could occur,
- Controls designed to prevent or detect fraud,
- Controls over the period-end financial reporting process,
- Controls over safeguarding of assets, and
- The results of management’s testing and evaluation.

Page 36: Using COBiT For Sarbanes Oxley

Identification of Control Points

Definition of a control point:

1. An action within a process where the key data changes form;

2. A handoff between individuals or programs within a process; or

3. A handoff between software applications

Page 37: Using COBiT For Sarbanes Oxley

Control Type Categories

Identifying the control types may reveal an over-reliance on a particular type of control or an absence of a key control type:

- Policies & Procedures
- Authorization Controls
- Key Performance Indicators
- Management Review
- Detailed (Data Comparison)
- Reconciliation
- Segregation of Duties
- System Access
- Automated Exception Report

Page 38: Using COBiT For Sarbanes Oxley

Control Categories - Definitions

Policies & Procedures
Policy and procedure control documentation is often needed where adherence to standard policies and procedures is critical to the effectiveness of the control, especially where control procedures cross organizational or geographic boundaries. Policies-and-procedures related controls generally include formal written documents that have been recently updated, and are both accessible to and used by the individuals involved in executing the control activities documented.

Authorization Controls
Approval of transactions executed in accordance with authority as set by senior management's general or specific policies and procedures.

Key Performance Indicators
Key performance indicators are financial and non-financial quantitative measurements that are:
- Collected by the entity, either continuously or periodically
- Used by management to evaluate the extent of progress toward meeting the entity's defined objectives

In order for key performance indicators to be an effective control, they must have a level of precision that enables detection of errors.

Page 39: Using COBiT For Sarbanes Oxley

Control Categories - Definitions

Management Review
Management review is a review conducted by someone, other than the preparer of the transaction or journal entry, who analyses and oversees activities performed. In many instances, it will be a manager reviewing the work of a subordinate. However, it is not limited to this. It may include co-workers reviewing each other's work.

Detailed
A detailed control activity consists of a comparison between two sets of data. An example of a detailed control could be a comparison between two sets of information where the individual components of the data are compared. This control can be either a detailed manual control when the comparison is performed by humans, or a detailed automated control when the activity is performed by a system.

Reconciliation
A reconciliation is a control designed to check whether two sums match and to identify the differences between the two sums. It does not involve comparing on an item by item basis the information in two different sets of data.
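The difference between a reconciliation and a detailed control matters in practice because a reconciliation only sees the totals. The following is an added example, not code from the presentation: it runs both control types over a constructed subledger and a constructed set of general ledger postings in which two posting errors offset each other, so the reconciliation is in balance while the detailed comparison reports both items. The data, names and functions are all assumptions made for the example.

```python
from decimal import Decimal

# Constructed sample data (not from the presentation): invoice lines in a
# sales subledger and the postings recorded for them in the general ledger.
SUBLEDGER = [
    ("INV-1001", Decimal("250.00")),
    ("INV-1002", Decimal("400.00")),
    ("INV-1003", Decimal("150.00")),
]
GL_POSTINGS = [
    ("INV-1001", Decimal("250.00")),
    ("INV-1002", Decimal("300.00")),  # posted 100.00 too low
    ("INV-1003", Decimal("250.00")),  # posted 100.00 too high
]


def reconcile(left, right):
    """Reconciliation control: compare the two totals and report the difference.

    Returns (difference, in_balance). Only the sums are compared, so two
    errors that offset each other leave the reconciliation in balance.
    """
    total_left = sum((amount for _, amount in left), Decimal("0"))
    total_right = sum((amount for _, amount in right), Decimal("0"))
    difference = total_left - total_right
    return difference, difference == 0


def detailed_compare(left, right):
    """Detailed (data comparison) control: match the two sets item by item.

    Returns a list of (key, issue, left_amount, right_amount) exceptions for
    items present on one side only or carrying different amounts.
    """
    left_by_key = dict(left)
    right_by_key = dict(right)
    exceptions = []
    for key in sorted(set(left_by_key) | set(right_by_key)):
        l_amt = left_by_key.get(key)
        r_amt = right_by_key.get(key)
        if l_amt is None:
            exceptions.append((key, "missing_in_left", None, r_amt))
        elif r_amt is None:
            exceptions.append((key, "missing_in_right", l_amt, None))
        elif l_amt != r_amt:
            exceptions.append((key, "amount_mismatch", l_amt, r_amt))
    return exceptions


if __name__ == "__main__":
    difference, in_balance = reconcile(SUBLEDGER, GL_POSTINGS)
    print(f"reconciliation: difference={difference} in_balance={in_balance}")
    for exc in detailed_compare(SUBLEDGER, GL_POSTINGS):
        print("detailed exception:", exc)
```

Run as a script it reports a zero difference and two amount mismatches, which is exactly the over-reliance on one control type the previous slide warns about: a reconciliation alone would have signed this period off.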

Page 40: Using COBiT For Sarbanes Oxley

Control Categories - Definitions

Segregation of Duties
Segregation of duties is the separating of duties and responsibilities of authorizing transactions, recording transactions, and maintaining custody to prevent individuals from being in a position to both perpetrate and conceal an error or irregularity.

System Access
System access is the set of access rights that individual users or groups of users have within a computer information system-processing environment, as determined and defined by the configuration of the system.

Automated Exception Reports
An exception report control shows a violation of a set standard to a responsible party who conducts follow-ups and resolves the item.

Page 41: Using COBiT For Sarbanes Oxley

General IT Controls

Page 42: Using COBiT For Sarbanes Oxley

EXAMPLES OF GENERAL IT CONTROLS

Information Security
- Management of Philosophy & Policy
- Logical Security over the Operating System
- Logical Security over Data
- Security within Applications
- Systems Administration & the Use of Privileged Accounts
- Physical Security
- Network/Dial-up Access
- External Network Connections

Page 43: Using COBiT For Sarbanes Oxley

Computer Operations
- Service Level Agreements
- Problem Management
- Business Continuity
- Network Management
- Operational Performance & Data Centre Environment
- Scheduling, preparing & running batch processes
- Backup & Recovery
- Upgrades to System Software

Page 44: Using COBiT For Sarbanes Oxley

Development & Implementation
- Requirements Definition
- Design & build in-house systems or package selection
- Unit, system & user testing
- Data Conversion
- Go-Live decision
- Documentation & training

Page 45: Using COBiT For Sarbanes Oxley

Program Change Control
- Management of maintenance activities
- Specification, authorization & tracking of change requests
- Unit, system & user testing
- Authorization of transfers to live environment
- Updating technical & user documentation & training
- Database Administration

Page 46: Using COBiT For Sarbanes Oxley

Relationship Between General IT & Application Controls

General IT controls contribute to the effectiveness of application controls.

General controls do not provide direct coverage of application control objectives (e.g. completeness, accuracy, validity, restricted access).

When designing & relying on application controls, the strength of the underlying general controls needs to be considered.

Page 47: Using COBiT For Sarbanes Oxley

Relationship Between General IT & Application Controls

General Controls: ensure that the overall IT environment is well controlled
- The IT organization meets its intended purposes & there is proper management control over IT.
- Physical & logical security is correctly implemented & maintained.
- New apps & changes to existing apps are properly authorized.

Application Controls: ensure that computer applications process as intended
- Business processes may be enabled by one or more applications.
- Many common applications utilize configurable controls.
- Controls to ensure the maintenance of data quality should be considered.

Page 48: Using COBiT For Sarbanes Oxley

Relationship Between General IT & Application Controls

Platform Security (IT) & Restricted Application Level Access (Application): inappropriate access to data libraries at, for example, the UNIX platform level circumvents any good application level access controls that limit user access to specific transactions.

External Network Security (IT) & Validity Controls (Application): weak network security that allows outsiders to access the internal network (e.g. from the internet, dial-up, or third party connections) increases the likelihood that unauthorized individuals will have an opportunity to enter “invalid” transaction data or standing data.

Page 49: Using COBiT For Sarbanes Oxley

Relationship Between General IT & Application Controls

Backup & Recovery (IT) & Completeness Controls (Application): if a full day’s transactions are lost due to a system disk crash, then all “completed transactions” entered that day would be lost and would have to be re-entered the next day, if possible.

Development & Implementation (IT) & Accuracy Controls (Application): user acceptance testing performed by business area personnel during the system development lifecycle will help ensure that the necessary accuracy controls built into the application are working as planned prior to production rollout.

Page 50: Using COBiT For Sarbanes Oxley

Relationship Between General IT & Application Controls

Program Change Control (IT) & Accuracy Controls (Application): inadequate change control procedures over the application program code could allow programmers to modify the manner in which the application processes a transaction. This could intentionally or unintentionally disable input and/or balancing controls within the application that would identify transaction problems.

Page 51: Using COBiT For Sarbanes Oxley

Relationship Between General IT & Application Controls

Problem Management (IT) & Completeness Controls (Application): inadequate procedures to identify and resolve system problems could result in numerous application transactions being processed incompletely. For example, if the nightly batch processing was interrupted, good problem management procedures would be required to identify the problem, notify the proper personnel, correct the problem and restart the batch from the prior stopping point.

An application control for accuracy that requires a code to be present on a database is compromised if IT controls don’t limit programmers from updating the database.

Page 52: Using COBiT For Sarbanes Oxley

Application Controls

Page 53: Using COBiT For Sarbanes Oxley

Application Controls

Manual and automated controls exist to ensure that information within the business process is:
- Complete
- Accurate
- Valid and authorized
- Restricted from unauthorized access

A combination of controls is needed to PREVENT, DETECT and CORRECT processing errors.

Page 54: Using COBiT For Sarbanes Oxley

Application Control Objectives

CAVIAR
- Completeness
- Accuracy
- Validity
- Restricted Access

Page 55: Using COBiT For Sarbanes Oxley

Application Controls- Completeness

- All transactions are recorded, input and accepted for processing once and only once.
- All transactions that are input and accepted for processing are updated to the appropriate data file.
- Duplicates are rejected.
- Rejected transactions are evaluated and re-entered.
- Once data is updated to a file, that data remains correct and current on the file and represents balances that exist.

Page 56: Using COBiT For Sarbanes Oxley

Application Controls - Completeness Examples

- Invoice numbering should be system assigned and sequential.
- Any interfaces to the General Ledger should be complete and accurate.
- When entering account information, all key fields are required to ensure completeness.

Page 57: Using COBiT For Sarbanes Oxley

Application Controls- Accuracy

- Key data elements are recorded and input to the system accurately through data entry design features.
- Changes to standing data are accurately input.
- All transactions input and accepted for processing update the appropriate file.
- All transactions affect the proper accounting period.

**** Accuracy controls are evaluated at the data element level.

Page 58: Using COBiT For Sarbanes Oxley

Application Controls- Accuracy Examples

- SSN data field enforces entry of 9 numeric characters.
- Customer credit limits determine amount range.
- Business Unit limited to using their own GL accounts.
- Correct Zip code required in address field.
- Sales can only be entered in proper accounting period.
- Foreign currency tables are updated daily.
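The completeness examples (sequential system-assigned numbering, duplicates rejected, all key fields required) and the accuracy examples above (credit limit range, correct zip code, proper accounting period) are the kind of checks an input gate enforces before a transaction is accepted for processing. The following is an added example, not code from the presentation or from any application it mentions: it applies both groups of controls to a constructed batch of invoices and separates the outcomes the slides call for, namely accepted records, rejected records with reasons, and gaps in the invoice sequence that a completeness review must account for. The reference data, batch, field names and limits are all assumptions made for the example.

```python
import re

# Constructed reference data (not from the presentation) that the
# application would normally hold: customer credit limits, the one open
# accounting period, the key fields every invoice must carry and a US
# zip code pattern.
CREDIT_LIMITS = {"C001": 5000.00, "C002": 1000.00}
OPEN_PERIOD = "2006-11"
REQUIRED_FIELDS = ("invoice_no", "customer", "amount", "period", "zip")
ZIP_RE = re.compile(r"^\d{5}(-\d{4})?$")

# Constructed input batch: one good record, one over the credit limit, a
# duplicate of it, one in a closed period (invoice 1003 was never input, so
# the sequence has a gap), one with a bad zip code and one missing a key field.
BATCH = [
    {"invoice_no": 1001, "customer": "C001", "amount": 250.00, "period": "2006-11", "zip": "77002"},
    {"invoice_no": 1002, "customer": "C002", "amount": 1500.00, "period": "2006-11", "zip": "77002"},
    {"invoice_no": 1002, "customer": "C002", "amount": 1500.00, "period": "2006-11", "zip": "77002"},
    {"invoice_no": 1004, "customer": "C001", "amount": 100.00, "period": "2006-10", "zip": "77002"},
    {"invoice_no": 1005, "customer": "C001", "amount": 100.00, "period": "2006-11", "zip": "1234"},
    {"invoice_no": 1006, "amount": 100.00, "period": "2006-11", "zip": "77002"},
]


def accuracy_errors(inv):
    """Accuracy controls, evaluated at the data element level."""
    errors = []
    limit = CREDIT_LIMITS.get(inv["customer"])
    if limit is None:
        errors.append("unknown customer")
    elif not 0 < inv["amount"] <= limit:
        errors.append("amount outside customer credit limit")
    if inv["period"] != OPEN_PERIOD:
        errors.append("period is not the open accounting period")
    if not ZIP_RE.match(str(inv["zip"])):
        errors.append("zip code format invalid")
    return errors


def check_batch(batch, last_accepted_no):
    """Completeness and accuracy gate for one input batch.

    last_accepted_no is the highest invoice number already on file; the
    batch is expected to continue the system-assigned sequence from there.
    Returns (accepted, rejected, gaps): the accepted records, the rejected
    ones as (invoice_no, reasons), and the invoice numbers missing from the
    sequence, which the completeness review has to account for.
    """
    accepted, rejected, seen = [], [], set()
    for inv in batch:
        reasons = []
        missing = [f for f in REQUIRED_FIELDS if f not in inv]
        if missing:
            reasons.append("missing key fields: " + ", ".join(missing))
        no = inv.get("invoice_no")
        if no is not None and (no in seen or no <= last_accepted_no):
            reasons.append("duplicate invoice number")
        if not missing:
            reasons.extend(accuracy_errors(inv))
        if reasons:
            rejected.append((no, reasons))
        else:
            accepted.append(inv)
        if no is not None:
            seen.add(no)
    expected = set(range(last_accepted_no + 1, max(seen) + 1)) if seen else set()
    return accepted, rejected, sorted(expected - seen)


if __name__ == "__main__":
    accepted, rejected, gaps = check_batch(BATCH, last_accepted_no=1000)
    print("accepted:", [inv["invoice_no"] for inv in accepted])
    for no, reasons in rejected:
        print(f"rejected {no}: {'; '.join(reasons)}")
    print("sequence gaps to explain:", gaps)
```

Rejected items are kept with their reasons rather than dropped, because the completeness slide requires rejected transactions to be evaluated and re-entered; the gap list is reported separately since a missing number in a system-assigned sequence is evidence of an invoice that never reached the file, not of a bad record.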

Page 59: Using COBiT For Sarbanes Oxley

Application Controls- Validity

- Transactions are authorized.
- Transactions are not fictitious and they relate to the company.
- Changes to standing data are authorized & reviewed.

Page 60: Using COBiT For Sarbanes Oxley

Application Controls- Validity Examples

Buyer limits force email to supervisor for additional approval.

Customers who require non-standard prices require management approval.

Only the HR manager can approve a new employee to be added via a special user ID.

A sales Order will not be accepted unless customer number is present on Customer Master File.

To achieve appropriate segregation of duties, no one user has the ability to: a) Update/create vendor in vendor master file b) Enter new invoices c) Select invoices for payment.

Rate tables are maintained only by authorized users.
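The segregation of duties example above (no one user may update the vendor master, enter invoices and select invoices for payment) is usually verified by resolving each user's roles to the functions they grant and testing the result against a conflict matrix. The following is an added example, not code from the presentation: it does that over a constructed role model and a constructed set of user-role assignments, including a composite role that grants two functions at once. The role names, function names and the choice to treat any two of the three functions as a conflict are assumptions made for the example.

```python
from itertools import combinations

# Constructed role model (not from the presentation): each role grants one
# or more business functions in the payables application.
ROLE_FUNCTIONS = {
    "AP_VENDOR_MAINT": {"update_vendor_master"},
    "AP_INVOICE_ENTRY": {"enter_invoice"},
    "AP_PAYMENT_RUN": {"select_invoices_for_payment"},
    "AP_SUPER": {"enter_invoice", "select_invoices_for_payment"},  # composite role
    "AP_VIEW": {"view_invoices"},
}

# The three functions the slide names. Assumption for this example: any two
# of them held by one user is a conflict, since that pair already lets one
# person both create and settle a fictitious payable.
PAYABLES_FUNCTIONS = ("update_vendor_master", "enter_invoice", "select_invoices_for_payment")
CONFLICTS = {frozenset(pair) for pair in combinations(PAYABLES_FUNCTIONS, 2)}

# Constructed user-to-role assignments as exported from the application.
ASSIGNMENTS = [
    ("alice", "AP_VENDOR_MAINT"), ("alice", "AP_VIEW"),
    ("bob", "AP_INVOICE_ENTRY"),
    ("carol", "AP_VENDOR_MAINT"), ("carol", "AP_SUPER"),   # all three functions
    ("dave", "AP_SUPER"),                                  # two via one composite role
]


def effective_functions(assignments, role_functions):
    """Resolve each user's roles to the set of functions they can perform."""
    functions = {}
    for user, role in assignments:
        functions.setdefault(user, set()).update(role_functions.get(role, set()))
    return functions


def sod_violations(assignments, role_functions=ROLE_FUNCTIONS, conflicts=CONFLICTS):
    """Return {user: [conflicting function pairs]} for every user who holds a conflict."""
    violations = {}
    for user, functions in effective_functions(assignments, role_functions).items():
        hits = sorted(tuple(sorted(c)) for c in conflicts if c <= functions)
        if hits:
            violations[user] = hits
    return violations


if __name__ == "__main__":
    for user, pairs in sod_violations(ASSIGNMENTS).items():
        for a, b in pairs:
            print(f"SoD conflict: {user} can both {a} and {b}")
```

Testing at the function level rather than the role level is what catches the composite role: dave holds a single role, yet it grants two conflicting functions, which a review that only lists role names would miss.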

Page 61: Using COBiT For Sarbanes Oxley

Application Controls – Restricted Access

- Protect against unauthorized amendments of data.
- Ensure confidentiality of data.
- Protect physical assets such as cash and inventory from theft or misuse.

Page 62: Using COBiT For Sarbanes Oxley

Application Controls – Restricted Access Examples

Periodic review of users on the system is performed to ensure users have access to those functions and data required to perform their job functions.

IT personnel are granted only temporary access to production data.

Sales teams have the ability to view all of their accounts and current opportunities

Pending contracts are restricted from all but the legal dept. once terms are set.

System controls user access by function.

User access forms are completed, appropriately approved & submitted to the Security Administrator.
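The periodic user access review above, the temporary-only production access for IT personnel, and the approved access forms held by the Security Administrator come together in one control; the earlier Process vs. Control slide makes the point that the control is the report management reviews and signs off, not the review activity itself. The following is an added example, not code from the presentation: it builds that report from a constructed system export of accounts and roles, a constructed HR roster, the approved forms and the expiry dates of temporary production access. The data, role names and finding texts are assumptions made for the example.

```python
from datetime import date

# Constructed HR roster (not from the presentation): active staff and their job.
HR_ROSTER = {"alice": "accounts payable", "bob": "sales", "carol": "IT operations"}

# Constructed approved access forms: (user, role) pairs approved and submitted
# to the Security Administrator.
APPROVED_FORMS = {
    ("alice", "AP_INVOICE_ENTRY"),
    ("bob", "SALES_VIEW"),
    ("carol", "PROD_DB_ADMIN"),
}

# Constructed expiry dates for temporary production access granted to IT staff.
TEMP_ACCESS_EXPIRY = {("carol", "PROD_DB_ADMIN"): "2006-11-10"}

# Constructed export of accounts and roles from the system on the review date.
SYSTEM_ACCOUNTS = [
    ("alice", "AP_INVOICE_ENTRY"),
    ("bob", "SALES_VIEW"),
    ("bob", "AP_PAYMENT_RUN"),   # no approved form on file
    ("carol", "PROD_DB_ADMIN"),  # temporary access, expired before the review
    ("erin", "SALES_VIEW"),      # account holder no longer on the HR roster
]


def access_review(accounts, roster, approved, temp_expiry, as_of):
    """Periodic user access review.

    Compares the system's account/role export against the HR roster, the
    approved access forms and the expiry dates of temporary production
    access. Returns a list of (user, role, finding) items for the reviewer
    to resolve before signing off the report.
    """
    review_date = date.fromisoformat(as_of)
    findings = []
    for user, role in accounts:
        if user not in roster:
            findings.append((user, role, "account holder not on HR roster"))
            continue
        if (user, role) not in approved:
            findings.append((user, role, "no approved access form on file"))
        expiry = temp_expiry.get((user, role))
        if expiry is not None and review_date > date.fromisoformat(expiry):
            findings.append((user, role, "temporary production access has expired"))
    return findings


def review_report(accounts, findings, as_of):
    """Render the report that management reviews and signs off."""
    lines = [f"User access review as of {as_of}: "
             f"{len(accounts)} account/role pairs, {len(findings)} findings"]
    for user, role, finding in findings:
        lines.append(f"  {user:<8} {role:<18} {finding}")
    lines.append("Reviewed by: ____________  Date: ________")
    return "\n".join(lines)


if __name__ == "__main__":
    review_date = "2006-11-18"
    findings = access_review(SYSTEM_ACCOUNTS, HR_ROSTER, APPROVED_FORMS,
                             TEMP_ACCESS_EXPIRY, review_date)
    print(review_report(SYSTEM_ACCOUNTS, findings, review_date))
```

The roster check runs first and short-circuits, because an account for someone no longer employed is a finding in its own right regardless of what forms were once approved; the other two checks are independent so one account can appear twice if it fails both.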