Tami Flowers
KCDC - May 3, 2013
• I worked for a company with these words in its name:
  • Federal
  • Home loan
  • Bank
• That meant we had to consider
  • Sarbanes-Oxley Act (SOx)
  • COBIT
• = internal auditors, external auditors, internal risk management group, examiners
• = 6-9 months a year of being audited or examined
What do COBIT and SOx say?
Ok, so what does that mean?
Where to start
What to do on a project
Tips and lessons learned
In all, 12 IT control objectives, which align to the Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 2 and Control Objectives for Information and related Technology (COBIT®), were defined for Sarbanes-Oxley.
Figure 1 provides a high-level mapping of the IT control objectives for Sarbanes-Oxley described in the IT Control Objectives for Sarbanes-Oxley, 2nd edition document, the IT general controls identified by the PCAOB and the COBIT 4.0 processes.
• From the April 2004 issuance of IT Control Objectives for Sarbanes-Oxley:
“The work required to meet the requirements of the Sarbanes-Oxley Act should not be regarded as a compliance process, but rather as an opportunity to establish strong governance models designed to result in accountability and responsiveness to business requirements. Building a strong internal control program within IT can help to:
• Gain competitive advantage through more efficient and effective operations
• Enhance risk management competencies and prioritization of initiatives
• Enhance overall IT governance
• Enhance the understanding of IT among executives
• Optimize operations with an integrated approach to security, availability and processing integrity
• Enable better business decisions by providing higher-quality, more timely information
• Contribute to the compliance of other regulatory requirements, such as privacy
• Align project initiatives with business requirements
• Prevent loss of intellectual assets and the possibility of system breach”
• Some of the important areas of responsibility for IT include:
• Understanding the organization’s internal control program and its financial reporting process
• Mapping the IT environment (IT services and processes) that supports internal control and the financial reporting process to the financial statements
• Identifying risks related to these IT systems
• Designing and implementing controls designed to mitigate the identified risks and monitoring them for continued effectiveness
• Documenting and testing IT and systems-based controls
• Ensuring that IT controls are updated and changed as necessary to correspond with changes in internal control or financial reporting processes
• Monitoring IT controls for effective operation over time
• Participating in the Sarbanes-Oxley project management office
Controls, not the HOW or the process, are the focus.
As long as your process can show
• the controls,
• that the controls are implemented and tested,
then the process you use to build software is up to you and your organization.
Lifecycle phases: Feasibility, Initiation / Release Planning, Iterate, Close Out.
Deliverables across those phases, each tagged with the framework(s) it satisfies:
• Prioritization of Requests (COBIT, SOx)
• Approvals (COBIT)
• Change Management Approvals (COBIT, SOx)
• Project Status Reporting (COBIT)
• Testing & Documentation Approach (COBIT, SOx)
• Testing Documentation and Sponsor Approvals (COBIT, SOx)
• Cycle 0 Testing Documentation (COBIT, SOx)
• Security Review - user roles within an application (COBIT, SOx)
• Cycle 0 Security Testing Documentation (COBIT, SOx)
• Security Testing Documentation (COBIT, SOx)
• Install Documentation (SOx)
• Security Review - how application security is designed/coded (COBIT, SOx)
• Code Storage (COBIT)
Use your SDLC to define your project process and deliverables.
Ensure those deliverables are created for each project.
Make sure they are stored where they can be easily found when requested by auditors and examiners.
One size of Agile may not be right for all types of projects and teams.
• For large, longer-term projects, daily standups, release plans, iteration planning meetings and retrospectives may be required, with stories and tasks located on a project board.
• An infrastructure team charged with installing servers, routers, and firewalls and keeping it all up and running may have an overall plan and daily standups with tasks as sticky notes on a Kanban board.
• Consider adding different Service Levels, with increasing types of deliverables, based on project characteristics.
  • For instance, a year-long project with a larger project team should have far more controls and deliverables than a 1-week project with one developer.
• Don’t have an overwhelming number of deliverables, so that it takes longer to do paperwork or documentation than it does to do the project.
• Identify SOX controls up-front during the early stages of project planning.
• When creating test scripts, explicitly identify the SOX controls that need to be tested.
• After testing, explicitly document that those controls were tested. This doesn’t mean provide pages of documentation; identify what you are testing, test it, and document that you tested it. A test scenario can be documented with a simple “pass” or “fail”.
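One way to put those three steps into practice, as an added example that is not from the slides: each test scenario is tagged with the SOX control(s) it evidences, every run produces a pass/fail record per control, and any identified control with no scenario behind it is flagged as a gap before an auditor finds it. The control IDs, the change record and the role table are constructed placeholders.

```python
"""Control-to-test traceability for a SOx-scoped project (added example).

Step 1: controls are identified during planning.
Step 2: each test scenario is explicitly tagged with the controls it tests.
Step 3: the run records a plain pass/fail per scenario and per control.
All control IDs, change records and role tables below are constructed placeholders.
"""
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Sequence
import json


# Step 1: controls identified up front (constructed placeholder IDs and wording).
PROJECT_CONTROLS: Dict[str, str] = {
    "CTRL-CHG-01": "Change management approval recorded before install",
    "CTRL-SEC-01": "Application user roles keep privileged functions separate",
    "CTRL-DOC-01": "Install documentation produced and stored",
}


class Scenario:
    """One test scenario, explicitly tagged with the controls it exercises."""

    def __init__(self, name: str, controls: Sequence[str], check: Callable[[], bool]):
        self.name = name
        self.controls = tuple(controls)
        self.check = check  # the actual test; returns True for pass, False for fail


def run_scenarios(scenarios: List[Scenario], controls: Dict[str, str],
                  tested_at: Optional[str] = None) -> dict:
    """Steps 2 and 3: run every scenario, record pass/fail against its controls,
    and list identified controls that no scenario evidences (a coverage gap)."""
    tested_at = tested_at or datetime.now(timezone.utc).isoformat(timespec="seconds")
    results, covered = [], set()
    for s in scenarios:
        # A scenario citing a control that was never identified is a tagging error.
        unknown = [c for c in s.controls if c not in controls]
        if unknown:
            raise KeyError(f"scenario '{s.name}' cites undefined control(s): {unknown}")
        outcome = "pass" if s.check() else "fail"
        covered.update(s.controls)
        results.append({"scenario": s.name, "controls": list(s.controls),
                        "result": outcome, "tested_at": tested_at})
    return {
        "results": results,
        "untested_controls": sorted(set(controls) - covered),
        "failed_controls": sorted({c for r in results if r["result"] == "fail"
                                   for c in r["controls"]}),
    }


def evidence_json(report: dict) -> str:
    """Serialise the record in a tool-agnostic form for the evidence store."""
    return json.dumps(report, indent=2, sort_keys=True)


# Constructed sample inputs standing in for a change record and an application's role table.
SAMPLE_CHANGE = {"id": "CHG-0001", "approved_by": "sponsor", "approved_at": "2013-04-30"}
SAMPLE_ROLES = {
    "clerk": {"enter_journal"},
    "controller": {"enter_journal", "approve_journal"},
}


def change_approval_recorded() -> bool:
    """Evidence for CTRL-CHG-01: the change carries an approver and an approval date."""
    return bool(SAMPLE_CHANGE.get("approved_by")) and bool(SAMPLE_CHANGE.get("approved_at"))


def clerk_cannot_approve() -> bool:
    """Evidence for CTRL-SEC-01: the role that enters a journal must not approve it."""
    return "approve_journal" not in SAMPLE_ROLES["clerk"]


SCENARIOS = [
    Scenario("Change record carries sponsor approval", ["CTRL-CHG-01"], change_approval_recorded),
    Scenario("Clerk role lacks approval right", ["CTRL-SEC-01"], clerk_cannot_approve),
]


if __name__ == "__main__":
    # CTRL-DOC-01 has no scenario here, so it is reported as untested.
    print(evidence_json(run_scenarios(SCENARIOS, PROJECT_CONTROLS)))
```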
• Stay tool-agnostic. Don’t tie yourself to specific tools when documenting your processes. Keep development environments, bug tracking software, testing tools, etc. out of the documentation.
• Your SDLC should guide your deliverables. Keep it updated and “fresh”. Consider updating and training annually.
• Focus on deliverables that prove the controls have been tested.
• Don’t overdo it on deliverables. Keep it as simple as possible.
• Work to educate auditors, examiners, etc. on what Agile means.
• When possible, include them early in the development of your process.
• Say what you are going to do…and do it! Then make sure it’s saved and easy to find when asked.
Twitter: TamiLFlowers
LinkedIn
Thanks!
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

KCDC Agile Project Management for SOx Compliance

1. Tami Flowers, KCDC - May 3, 2013
3. I worked for a company with these words in its name:
   • Federal
   • Home loan
   • Bank
   That meant we had to consider:
   • Sarbanes Oxley Act (SOx)
   • COBIT
   = internal auditors, external auditors, internal risk management group, examiners
   = 6-9 months a year of being audited or examined
4. Agenda
   • What do COBIT and SOx say?
   • Ok, so what does that mean?
   • Where to start
   • What to do on a project
   • Tips and lessons learned
5. In all, 12 IT control objectives, which align to the Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 2 and Control Objectives for Information and related Technology (COBIT®), were defined for Sarbanes-Oxley. Figure 1 provides a high-level mapping of the IT control objectives for Sarbanes-Oxley described in the IT Control Objectives for Sarbanes-Oxley, 2nd edition document, the IT general controls identified by the PCAOB and the COBIT 4.0 processes.
6. From the April 2004 issuance of IT Control Objectives for Sarbanes-Oxley:
   “The work required to meet the requirements of the Sarbanes-Oxley Act should not be regarded as a compliance process, but rather as an opportunity to establish strong governance models designed to result in accountability and responsiveness to business requirements. Building a strong internal control program within IT can help to:
   • Gain competitive advantage through more efficient and effective operations
   • Enhance risk management competencies and prioritization of initiatives
   • Enhance overall IT governance
   • Enhance the understanding of IT among executives
   • Optimize operations with an integrated approach to security, availability and processing integrity
   • Enable better business decisions by providing higher-quality, more timely information
   • Contribute to the compliance of other regulatory requirements, such as privacy
   • Align project initiatives with business requirements
   • Prevent loss of intellectual assets and the possibility of system breach”
7. Some of the important areas of responsibility for IT include:
   • Understanding the organization’s internal control program and its financial reporting process
   • Mapping the IT environment (IT services and processes) that supports internal control and the financial reporting process to the financial statements
   • Identifying risks related to these IT systems
   • Designing and implementing controls designed to mitigate the identified risks and monitoring them for continued effectiveness
   • Documenting and testing IT and systems-based controls
   • Ensuring that IT controls are updated and changed as necessary to correspond with changes in internal control or financial reporting processes
   • Monitoring IT controls for effective operation over time
   • Participating in the Sarbanes-Oxley project management office
8. Controls, not the HOW or the process, are the focus. As long as your process can show
   • the controls,
   • that the controls are implemented and tested,
   then the process you use to build software is up to you and your organization.
10. Project lifecycle phases: Feasibility, Initiation/Planning, Iterate, Close Out. Control points mapped onto those phases, each tagged with the framework(s) it satisfies:
   • Prioritization of Requests (COBIT, SOx)
   • Approvals (COBIT)
   • Change Management Approvals (COBIT, SOx)
   • Project Status Reporting (COBIT)
   • Testing & Documentation Approach (COBIT, SOx)
   • Testing Documentation and Sponsor Approvals (COBIT, SOx)
   • Cycle 0 Testing Documentation (COBIT, SOx)
   • Security Review - user roles within an application (COBIT, SOx)
   • Cycle 0 Security Testing Documentation (COBIT, SOx)
   • Security Testing Documentation (COBIT, SOx)
   • Install Documentation (SOx)
   • Security Review - how application security is designed/coded (COBIT, SOx)
   • Code Storage (COBIT)
11. Use your SDLC to define your project process and deliverables. Ensure those deliverables are created for each project. Make sure they are stored where they can be easily found when requested by auditors and examiners.
12. One size of Agile may not be right for all types of projects and teams.
   • For large, longer-term projects, daily standups, release plans, iteration planning meetings and retrospectives may be required, with stories and tasks located on a project board.
   • An infrastructure team charged with installing servers, routers, and firewalls and keeping it all up and running may have an overall plan and daily standups, with tasks as sticky notes on a Kanban board.
13. Consider adding different Service Levels, with increasing types of deliverables, based on project characteristics.
   • For instance, a year-long project with a larger project team should have far more controls and deliverables than a 1-week project with one developer.
   • Don’t have an overwhelming number of deliverables, so that it takes longer to do paperwork or documentation than it does to do the project.
14. Identify SOX controls up-front during the early stages of project planning.
   • When creating test scripts, explicitly identify the SOX controls that need to be tested.
   • After testing, explicitly document that those controls were tested. This doesn’t mean provide pages of documentation; identify what you are testing, test it, and document that you tested it. A test scenario can be documented with a simple “pass” or “fail”.
15. Stay tool-agnostic. Don’t tie yourself to specific tools when documenting your processes. Keep development environments, bug tracking software, testing tools, etc. out of the documentation.
16. Tips and lessons learned
   • Your SDLC should guide your deliverables. Keep it updated and “fresh”. Consider updating and training annually.
   • Focus on deliverables that prove the controls have been tested.
   • Don’t overdo it on deliverables. Keep it as simple as possible.
   • Work to educate auditors, examiners, etc. on what Agile means. When possible, include them early in the development of your process.
   • Say what you are going to do…and do it! Then make sure it’s saved and easy to find when asked.

Editor's notes

  1. Public Company Accounting Oversight Board