Dan Schroeder
Director, Business Process and Technology Management
Sarbanes-Oxley Act of 2002: IT Compliance Road Map
SOA IT Controls Compliance Road Map (diagram)

I. Readiness Activities
   1. Scoping & Planning: financial transactions, financial reporting, disclosure reporting, related applications and general IT infrastructure
   2. Risk Assessment
   3. Controls Definition and Documentation
   4. Effectiveness Assessment
   5. Remediation
II. Compliance Evaluation and Reporting (SOA 404 / SAS 70)
III. Ongoing Monitoring and Sustainability

Scope layers shown in the diagram:
   IT Services (General Controls): Plan & Organize; Acquire & Implement; Delivery & Support; Monitor
   Business Processes and Applications (Application Controls): Process 1 through Process 4, supported by Financial Applications A, B and C
Compliance Road Map: Step 1. Scoping and Planning
Determine where technology supports the financial reporting process: identify where systems support the initiation, recording, processing, and reporting of financial information.
PCAOB guidance as to relevant processes and control activities:
• Application / process controls over initiating, recording, processing, and reporting significant accounts and disclosures
• Antifraud programs and controls
• IT General Controls
• Controls over significant non-routine and non-systematic transactions
• Controls over the period-end financial reporting process, including controls over the procedures used to enter transaction totals into the general ledger (GL) and to record adjustments
Step 1 Example Deliverable: Mapping of Business Processes, Supporting Applications, Third Parties and Process Owners
XYZ Corp. SOA 404 Readiness
Form: Business Process Summary

Primary Business Process: Underwriting – NY, VT & CA Private Passenger Assigned Risk, APTOP & PDO voluntary
   Sub-Processes / Business Application:
      New Business – AIMS
      Rate Pursuit (telephone interviews & questionnaires) – AIMS; PP & NJ PAIP: AIMS/MSI
      Renewals – AIMS
      Endorsements – AIMS
      Cancellations – AIMS
   Third Parties: DMV, ISO, NICB, CLUE, CARCO
   Business Unit/Org. (process owner): Steve Smith

Primary Business Process: Underwriting – Commercial Assigned Risk & Multi-State Assigned Risk (excl. NY, VT & CA)
   Sub-Processes / Business Application:
      New Business – CGI*
      Rate Pursuit (telephone interviews & questionnaires) – CGI*
      Renewals – CGI*
      Endorsements – CGI*
      Cancellations – CGI*
   Third Parties: DMV, ISO, NICB, CLUE, CARCO
   Business Unit/Org. (process owner): Carol Jones

Legend: * Servicing company; may have a SAS 70 prepared. (A) Reviewed during cash disbursements project. (B) Reviewed within SOAR/Maria.
Compliance Road Map: Step 2. Risk Assessment
Start with the scope determined in Step 1. Consider the "likelihood" of a potential risk event occurring and the "impact" of the event (i.e., materiality). Risk considerations:
• Quality and integrity of information
• Access and authorization controls
• Availability and timeliness of information
• Continuity and recoverability
Service organization effect: consider the potential enterprise impact from internal and external service organizations.
The deliverable for Step 2 is a Risk Assessment Matrix that identifies and prioritizes risks across key business processes, showing their relationships to IT General and Application controls.
Risk Assessment – Example Report
XYZ Corp. SOA 404 Readiness, 2/18/2004
Risk Assessment Summary Report (rating scale: 1 = Highest, 5 = Lowest)

Columns: Business Process | COSO control dimensions (Reliability of financial reporting / Effectiveness & efficiency of operations / Compliance with laws & regulations) | Inherent Risk | Risk Materiality Factor | Risk Rank

Business Process: AIMS Private Passenger Underwriting (new business, renewals, endorsements, cancellations, rate pursuit)
   COSO control dimensions: Y / Y / Y
   Inherent risk: greater than 50% of total premium volume; regulatory timeframes; premiums mis-stated; manual processes; unrealized premiums due to inadequate rate pursuit; unauthorized changes to policy information
   Risk Materiality Factor: 1
   Risk Rank: 1

Business Process: CGI Commercial & Multi-State Private Passenger Underwriting (new business, renewals, endorsements, cancellations, rate pursuit)
   COSO control dimensions: Y / Y / Y
   Inherent risk: greater than 30% of total premium volume; regulatory timeframes; premiums mis-stated; manually intensive processes; unrealized premiums due to inadequate rate pursuit; inadequate inspections on garage policies; inefficient handling of checks; multiple states' requirements (Texas 2 complaint limit); unauthorized changes to policy information; inadequate error/exception reports
   Risk Materiality Factor: 1
   Risk Rank: 2
Compliance Road Map: Step 3. Controls Definition and Documentation
Leverage leading standards such as COSO and IT Controls for SOA to determine control requirements:
• General Controls include operations and management, infrastructure, security, acquisition and maintenance, and oversight and monitoring.
• Application Controls include activities that ensure the completeness, accuracy, authorization, availability, and validity of transactions.
SOA documentation requirements are expected to be a significant challenge for most organizations. Inadequate documentation by management can itself constitute a deficiency in internal control over financial reporting. Management should discuss the proposed extent and detail of its control documentation with the external auditors early in the process to reduce the risk that the documentation will be found deficient.

PCAOB Documentation Guidelines (October 7, 2003 Briefing Paper)
Documentation is important to the effective functioning of internal control and to the auditor's internal control audit. This includes documentation about: the design of controls; how the controls are supposed to operate; the objectives they are designed to achieve; and the necessary qualifications of the people performing the control for the control to function effectively. Documentation should be sufficient for the external auditor to review the design and test the effectiveness of a control.
No one form of documentation is required, and the extent of documentation will vary depending on the size, nature, and complexity of the company.

Potential Documentation Requirements
Entity / General Level:
• Strategic IT Planning
• Policy Manuals
• IT Security Policy
• Business Continuity Planning / Disaster Recovery Planning
• IT Architecture, Data Dictionary
• System Development Life Cycle
• Change Management
• IT Operations Management
• IT Organization and Responsibilities
• Problem and Incident Management
Process / Application Level:
• Process descriptions / flowcharts
• Risk and Control Matrices
• System / application schematics
• Access Controls
• Data Relationships and Database Designs
• System user documentation
• Job Descriptions
Compliance Road Map: Step 4. Effectiveness Assessment
Substantive testing of the operational effectiveness of the required controls. Determine whether:
• Controls are operational
• Controls are functioning as designed
• Personnel are trained and knowledgeable
Document and assess the level of each control weakness, from inconsequential to material weakness.
Determining whether a weakness is significant or material requires professional judgment and the consideration of various factors such as:
• Size of the operation
• Complexity and diversity of activities
• Organizational structure
• Likelihood that the IT control weakness could result in a material misstatement of the financial records
Compliance Road Map: Step 5. Remediation
Prioritized approach to resolving control weaknesses. Types of remediation required:
• Documentation
• Procedures
• Personnel / organization changes
• Training
• Process / method development (e.g., BCP, SDLC)
• System enhancements: e-mail / records management; integration; validations; business intelligence / corporate performance management
Compliance Road Map: Ongoing Monitoring and Sustainability
Take steps to institutionalize awareness and understanding of IT control requirements:
• Training and education
• Organizational structure
• Job responsibilities
• Service level agreements
• Performance measurement
• Internal quality management program
Conduct ongoing monitoring and review of:
• Remediation
• Business changes
• Ongoing compliance
Common IT Compliance Challenges
Organizational:
• IT controls not treated as a process
• Management ownership and roles
• Deployment, internally and to service providers
• Ability to monitor / sustain
System Development Life Cycle (SDLC) as a process
Business Continuity Planning as a process
Latency: lack of infrastructure and processes for timely disclosure and reporting
Documentation
Summary of SOA Impact on IT Management
• Cultural impact: "control" mentality versus "project" mentality
• Enhances the need for enterprise-wide IT leadership and a strong IT governance framework
• Enhances the need for "real-time" disclosure reporting, e.g., enterprise performance management
• Enhances the need for integration
• Increased awareness of service-provider-related control dependencies
• Document management and retention
Next steps include:
• Promote understanding and awareness
• Establish an internal compliance road map
• Define responsibilities and an action plan
• Synchronize with the existing Quality Management Program
• Monitor developments in standards and guidelines: PCAOB standards; ITGI IT control standards; SEC approval of PCAOB Auditing Standard No. 2
Dan Schroeder,
Director, Business Process and Technology Management
732.287-1000 x 278, [email protected]
Questions or additional information?