Securities Industry Association Sarbanes Oxley from the IT Practitioner s Point of View. October, 2004

Similar documents
SAS70 Type II Reports Use and Interpretation for SOX

Effective COBIT Learning Solutions Information package Corporate customers

ISACA Survey Results. 27 April Ms. Nancy M. Morris, Secretary Securities and Exchange Commission 100 F Street NE Washington, DC

C22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers

IT General Controls and Why We Need Them -Dennis McLaughlin, CISA (Cyber AIT) Dennis McLaughlin - Cyber AIT 1

Table of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING

Information Technology Risks & Controls for Financial Systems PEM-PAL Treasury CoP Workshop 2011 Kristin Lado Tufan

26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC

Information Technology General Control Review

USING QUALYSGUARD TO MEET SOX COMPLIANCE & IT CONTROL OBJECTIVES

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

EVERYONE SHOULD HAVE AN IT COMPLIANCE OFFICER OR SUFFER THE CONSEQUENCES. About Ralph Villanueva. Objectives

Security and Privacy Governance Program Guidelines

SQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR SARBANES OXLEYANDCOBIT

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

McAfee Database Security

Balancing Between Risk and Compliance

International Auditing and Assurance Standards Board (IAASB) International Federation of Accountants 545 Fifth Avenue, 14 th Floor New York, NY 10017

Policies and Procedures Date: February 28, 2012

Operations & Technology Seminar. Tuesday, November 8, 2016 Crowne Plaza Monroe, Monroe Township, NJ

Certified Information Security Manager (CISM) Course Overview

ECCouncil EC-Council Certified CISO (CCISO) Download Full Version :

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Table of Contents. PCI Information Security Policy

Risk Management in Electronic Banking: Concepts and Best Practices

Assessment and Compliance with Sarbanes-Oxley (SOX) Requirements DataGuardZ Whitepaper

Managing IT Risk: The ISACA Risk IT Framework. 1 st ISACA Day, Sofia 15 October Charalampos (Haris)Brilakis, CISA

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17

Information Technology Branch Organization of Cyber Security Technical Standard

Val-EdTM. Valiant Technologies Education & Training Services. Workshop for CISM aspirants. All Trademarks and Copyrights recognized.

Workshop Item 1 - ISO 9001: 2008 migration

21 CFR PART 11 FREQUENTLY ASKED QUESTIONS (FAQS)

Google Cloud & the General Data Protection Regulation (GDPR)

Singapore Quick Guide to the COSO. Enterprise Risk Management and Internal Control Frameworks Edition

NERC Staff Organization Chart Budget 2019

Data Protection. Plugging the gap. Gary Comiskey 26 February 2010

Oracle Audit Vault Implementation

NERC Staff Organization Chart Budget 2018

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Access to University Data Policy

NERC Staff Organization Chart Budget 2019

Introduction to Access Management. J. Tony Goulding CISSP, ITIL Security Solution Strategist, CA Inc. San Francisco Chapter

1 Copyright 2011, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 7

INFORMATION TECHNOLOGY ( IT ) GOVERNANCE FRAMEWORK

Compliance and Privileged Password Management

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

locuz.com SOC Services

SECURITY & PRIVACY DOCUMENTATION

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

NERC Staff Organization Chart Budget 2017

QuickBooks Online Security White Paper July 2017

RELIABILITY COMPLIANCE ENFORCEMENT IN ONTARIO

Security Architecture

Administration and Data Retention. Best Practices for Systems Management

SARBANES-OXLEY (SOX) ACT

Exam Requirements v4.1

NERC Staff Organization Chart Budget 2017

Internal Audit Follow-Up Report. Multiple Use Agreements TxDOT Office of Internal Audit

Sarbanes-Oxley Act (SOX)

ISACA Cincinnati Chapter March Meeting

The Common Controls Framework BY ADOBE

Sarbanes-Oxley Act. Solution Brief. Sarbanes-Oxley Act. EventTracker 8815 Centre Park Drive, Columbia MD 21045

What is the Value of IT Certification?

SECTION 10 CONTRACTING FOR PROFESSIONAL SERVICES CONSULTANT COMPETITIVE NEGOTIATION ACT (CCNA)

THE INTERNATIONAL INSTITUTE OF CERTIFIED FORENSIC ACCOUNTANTS, INC. USA. CERTIFIED IN FRAUD & FORENSIC ACCOUNTING (Cr.

Security Compliance and Data Governance: Dual problems, single solution CON8015

The Honest Advantage

STATE OF NORTH CAROLINA OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA FAYETTEVILLE STATE UNIVERSITY

Bringing Cybersecurity to the Boardroom Bret Arsenault

Isaca EXAM - CISM. Certified Information Security Manager. Buy Full Product.

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

REPORT 2015/010 INTERNAL AUDIT DIVISION

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI

IBM Managed Security Services - Vulnerability Scanning

The Etihad Journey to a Secure Cloud

t a Foresight Consulting, GPO Box 116, Canberra ACT 2601, AUSTRALIA e foresightconsulting.com.

Using GRC for PCI DSS Compliance

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Subject: University Information Technology Resource Security Policy: OUTDATED

EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS

Standard for Security of Information Technology Resources

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

POSITION DESCRIPTION

White Paper. Complying with SOX Regulations Using the Exabeam Security Intelligence Platform

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Recommendations for Implementing an Information Security Framework for Life Science Organizations

Contracting for an IT General Controls Audit

Exam4Tests. Latest exam questions & answers help you to pass IT exam test easily

Executive Summary. The amendments become effective on September 10, The text of the amendments is attached (see Attachment A).

ECLIPSE FOUNDATION, INC. INDIVIDUAL COMMITTER AGREEMENT

Agenda GDPR Overview & Requirements IBM Secure Virtualization Solution Overview Summary / Call to Action Q & A 2

Session ID: CISO-W22 Session Classification: General Interest

COBIT 5 With COSO 2013

Network Instruments white paper

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

Auditing IT General Controls

INFORMATION SECURITY & IT COMPLIANCE. Frank Bunn, Symantec Roger Cummings, Symantec

CLOUD COMPUTING READINESS CHECKLIST

Transcription:

Securities Industry Association Sarbanes Oxley from the IT Practitioner s Point of View October, 2004

Introduction Influences on Bear Stearns approach Bear Stearns IT Strategy 2

SOX Section 404 SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS. (a) RULES REQUIRED. The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. (b) INTERNAL CONTROL EVALUATION AND REPORTING. With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement. 3

Generally Accepted Standards COSO COBIT Industry Standard Consultant Recommendations 4

COSO Control Environment The tone is set at the top! Risk Assessment Internal control risks Control Activities General controls plus application controls Information and Communication Roles and responsibilities awareness Monitoring Metrics 5

Control Objectives for Information Technology COBIT Control Objectives COSO Components Controls that focus on COSO objectives COBIT is a product of the Information Systems Audit and Control Association, www.isaca.org 6

ISACA s Common Sense Source: IT Control Objectives for Sarbanes-Oxley The IT Governance Institute, an ISACA Research Foundation Organization The SEC regulations that affect Sarbanes-Oxley are undeniably complicated, and implementation will be both time-consuming and costly. In proceeding with an IT control program, there are two important considerations that should be taken into account: 1. There is no need to reinvent the wheel; virtually all public companies have some semblance of IT control. While they may be informal and lacking sufficient documentation, IT controls generally exist in areas such as security and availability. 2. Many companies will be able to tailor existing IT control processes to comply with the provisions of Sarbanes-Oxley. Frequently, it is the consistency and quality of control documentation and evidential matter that is lacking, but the general process is often in place, only requiring some modification. 7

BSC IT Roles and Responsibilities 8

Key IT SOX Roles and Responsibilities SOX IT Liaison SOX IT Committee SOX IT Liaison (committee chair) Internal Audit s IT Division Information Security Group IT Compliance Management Office IT Assessors Accountable Directors IT Reviewers CXOs or Direct Reports 9

Standard Consultant Recommendation 1. Determine the scope of your SOX effort 2. Evaluate current control structure with respect to systems in scope 3. Develop action plan to mitigate identified gaps 4. Implement required controls and update documentation 5. Validate and certify controls 10

Step 1: Determine the scope of your SOX Effort Start with the business control structure and processes for financial reporting Reduce the processes to a set of procedures Identify the control objectives that are supported by those procedures Identify the applications as known to the business to support their controls This is done by the SOX PMO. As we follow this process, the IT Liaison compiles: a list of applications 11

Example: Determining the scope of SOX Effort Process Revenue Sub-Process Recording a sales contract Control Objective Contract pricing is recorded accurately Control Activity Current Practice Contract prices reviewed and approved by authorized personnel. Contract pricing review and approvals require authorization via automated controls and are maintained in CPSYS. IN SCOPE 12

Step 2. Evaluate control structure with respect to scope Start with the list of applications Identify IT control objectives common to all applications with reference to current Policies and Procedures Review Control Objectives with Internal and External audit Identify the control practices for each application with reference to Control Objectives Collect documentation on control practices that are common to all applications, these are General Controls Collect documentation on control practices common to applications of common architecture, these are Application Controls As this step was completed, we compiled: a list of control objectives and associated control practices 13

Example: Control structure with respect to scope GENERAL CONTROLS Application: CPSYS (Contract Pricing System) IT Governor: Jeannette Santos, Senior Managing Director, IT Pricing Development IT Manager: Carol Godwin, Vice President, IT Pricing Development Change Control Administrator: Kristin Klark, Associate Director, IT Quality Assurance Recovery Administrator: Josh Smith, Associate Director, IT Operations Description: CPSYS allows sales to enter proposed and change pricing for contract printing and contract negotiation. Once contracts are signed, legal uses CPSYS to compare to the signed contract and accepts as revenue. Application Component list: Component Name: GUI (various applications) Platform: Motif/X-Windows/accessed through Hummingbird Exceed on Wintel Specifics: Startup executables on network file share //ntshare/cpsys Support Team: IT Wintel Administration Component Name: Database Platform: Sybase DBMS Specifics: Sybase ASE server CPSYSDB1 on Sun Solaris machine cpsyssol1 Support Team: IT UNIX and Sybase Administration Change Control Overview: Developers use Clearcase for source code versioning. QA compiles and delivers to IT Wintel and/or UNIX Administration with corresponding install instruction. Source Code Repository: Clearcase on ccserver1 Access Control Overview: Users login to the X-Windows GUI via single-sign-on, it retrieves the Sybase password which is unknown to the user. Entitlements are stored in Sybase. Certain business users can add or remove SSO users from the application and also change their roles and privileges. Network Access Category: Internal Primary Password Repository: Single-Sign-On Secondary Repository: Sybase User Admin Team: Access Admin User Admin Team: Sybase Admin Entitlement Repository: Sybase User Admin Team: Business users under Sam Jones APPLICATION CONTROLS 14

Step 3: Develop action plan to mitigate gaps Start with the list of control objectives and documentation on associated practices. Identify any application that does not meet control objectives, that is, documentation on corresponding practice is missing or inadequate to cover control objective. Notify CXOs of deficient applications that they must change current practice and update documentation. Identify metrics that show progress in gap mitigation. Review planned practices and implementation timeframe to ensure they are compliant. When this step was completed, we had: actionable plans and visible metrics 15

Example: Develop action plan to mitigate gaps Identify any application that does not meet control objectives, that is, practices are missing or inadequate. Notify CXOs of deficient applications that they must change current practice. Identify metrics that show progress in gap mitigation. Review planned practices and implementation timeframe to ensure they are compliant. Enough time to schedule communication with Senior Managers Enough time for a development lifecycle The day external audit needs to start testing to assess SOX Compliance 16

Example SOX IT Committee Lists Control Objective General Control Practice Logical security tools and techniques are implemented, configured, and administered to enable restriction of access to data and programs. Network Firewalls restrict traffic into the Internal Network from all external sources to application that require strong authentication. Control Objective Application Control Practice Logical security tools and techniques are implemented, configured, and administered to enable restriction of access to data and programs. Client/Server (CPSYS, CSAPP2, etc) Strong authentication is provided via Single-Sign-On. OS and DBMS Security configured at group level. Entitlements configured via BU-administered screen that updates DB2 table. 17

Step 4: Implement Required Controls, Update Documentation Start with the actionable plans for gap mitigation. Publish metrics. Identify Documentation. When this step is completed, we have: documentation and awareness 18

Example CXO Documentation Control Practice Description 19

Example Compliance Metrics % required projects completed % docs completed % apps well-defined BU-1 BU-2 BU-3 BU-4 BU-5 BU-6 BU-7 BU-8 BU-9 BU-10 20

Step 5: Validate and certify controls Start with the documentation on control objectives as well as the documentation on the servers and software that comprise the applications and all associated control practices. Test all general controls. Test all the control practices associated with each application infrastructure type to ensure that they exist and are consistently implemented. Do this periodically and document test results. When this step is completed, you have: compliance 21

Putting it all together Determine the scope of your SOX effort Application List Evaluate current control structure with respect to systems in scope Control Objectives Develop action plan to mitigate identified gaps Actionable Plans Documentation Implement required controls and update documentation Validate and certify controls Compliance 22

For more information. Useful sites: www.pcaobus.org www.sec.gov/spotlight/sarbanes-oxley.htm www.coso.org www.isaca.org www.ffiec.gov 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback