There are regulatory rules that must be met as well as organizatio.docx
Khazi Sox A
1. Sarbanes Oxley & IT Compliance
By
KhaziSyed T. AhmedJeelani
November 15th
2005
2. 2
Sarbanes Oxley ActSarbanes Oxley Act
Agenda:
What is SOX?
»What does it require, why, and who cares?
State of the mind
»Confusion, Complacency,
Communications-challenges
Building a Defensible Compliance Strategy
for ETIS
» ETIS SOX Strategies: From KYC to ROI
4. 4
Background OfBackground Of The ProblemThe Problem
May 2, 2005 headline stated: “Audit flaws wipe
$2.7bn from AIG.”
Discoveries of improper accounting at American
International Group (AIG) are to knock $2.7 billion off
the value of the world's biggest insurer.
AIG said it would restate its accounts for each of the
last 5 years from 2000 onwards, lowering the
company’s value by 3.3%.
It said it had found “material weaknesses” in its
control systems and postponed filing its 2004
accounts.
Source: http://news.bbc.co.uk/1/hi/business/4504865.stm
5. 5
Sarbanes-Oxley OverviewSarbanes-Oxley Overview
The act was signed into law on July 30, 2002.
It includes regulations regarding:
» Public Company Accounting Oversight Board (PCAOB).
» Auditor independence.
» Corporate responsibility.
» Enhanced financial disclosures.
» Corporate and criminal fraud accountability.
It applies primarily to publicly traded companies.
SOX is actually a combination of:
» Sarbanes Oxley Act of 2002 (H.R. 3763).
» Rules of the PCAOB.
» Rules of the SEC.
7. 7
Background OfBackground Of The ProblemThe Problem
SOX was a reaction to corporate scandals and lack of
investor confidence:
» Enron.
» Arthur Andersen.
» MCI.
Intense competition and pressure, conflicts of
interest, and poor practices led to poor reporting and
mismanagement.
Criminal activities also contributed to the problem.
Many other smaller examples of “dot com” booms
that turned out to be investor busts all combined to
prompt congressional action.
Source: Bauer College of Business
8. 8
Cost of ComplianceCost of Compliance
Compliance will cost public companies an average 62
percent more than previously anticipated. The average
company expects to spend $3.14 million in its first year of
compliance. (Financial Executives International).
$1.24 billion and 5,396,266 man-hours will be the aggregate
annual costs of implementing Section 404(a) of the
Sarbanes-Oxley Act, according to the SEC's PRA burden
estimates.
PWC estimates that 76% of added cost for Sarbanes-Oxley
compliance will come from additional internal resources
SOX compliance costs average $16 Million per company.
(Business Wire, Nov 15, 2004)
85% of public companies intend to change their IT systems
as part of their efforts to comply with Sarbanes-Oxley
legislation. (CIO Insight)
“The Sarbanes-Oxley compliance impact is not just being felt
by large public companies. Rather, its impact will be felt by
most companies doing business in the US." (META Group)
Compliance Efforts Still Somewhat Haphazard. (Information
Week, July 26, 2004)
9. 9
Cost of ComplianceCost of Compliance
AMR Research estimates that companies will spend
$5.8 billion on meeting SOX requirements in 2005.
Despite initial thoughts that SOX spending would be a
one time expenditure, 36% of companies plan to
increase spending, 52% will maintain current levels and
12% will decrease SOX spending. Spend allocation will
be:
42% on internal labor
29% on services
28% on technology
1% on other
“Technology will play an increasingly significant role in the
integration of SOX compliance initiatives into business processes”
(AMR Research)
12. 12
1. Companies not focusing on technology fixes - instead auditing,
procedures, and reporting. Most not buying new technology to
solve, but may upgrade or partially replace to address.
2. Split on whether finance understands technology issues involved
in SOX compliance, and whether IT understands the business
issues
3. IT will be affected by SOX, more so than all other departments
except finance.
4. Almost 1 in 10 think their job is at risk if the firm is non-compliant
and 1 in 4 must certify results personally.
5. Companies are talking about SOX but not delivering much
6. Most viewed SOX compliance more resource intensive than other
regulatory compliance projects
Key findings:Key findings:
13. 13
Building a Defensible Compliance StrategyBuilding a Defensible Compliance Strategy
Three Lines of Defense
"I made a mistake."
"No one else did it
better."
"Nobody could do it
better."
14. 14
““I Made A Mistake”I Made A Mistake”
(so, sue me)(so, sue me)
Build your own solutions.
Benefits Risks
Full control over the
process, possibly the
fastest and cheapest
route for some
regulations, if the
appropriate
infrastructure is in
place.
In the event that a firm
is found to be out of
compliance, this is the
worst possible
scenario, and
maximum penalties
may apply. It also has
the greatest potential
for reputational risk, in
addition to punitive
risks.
15. 15
““I Bought A Mistake”I Bought A Mistake”
(so, sue me and I’ll sue the vendor)(so, sue me and I’ll sue the vendor)
Benefits Risks
When a packaged solution exists,
maintenance of the process should be
less expensive. If the solution achieves
significant market share, the defensive
position of the firm is enhanced in the
event of non-compliance.
Keeping up to date with regulations is
a very challenging task. If this
application were to be built in house, the
organization would have to devote a
minimum of one full-time employee to
this. Regulations may change frequently
Vendors may also provide some best
practices for maintaining compliance.
And, their solutions may offer
improvements (automation) over current
processes.
This option entrusts, but cannot
delegate, some aspects of compliance to
a third party. Typical vendor due
diligence concerns are magnified
based on potential exposure,
including reputational risk.
16. 16
““Nobody could do it better.”Nobody could do it better.”
(so sue us all and shut down our industry)(so sue us all and shut down our industry)
Benefits Risks
Peers are in the best position to
develop common best practices.
In the event of non-compliance,
a penalty to one participant
results in a penalty to all.
Minimized if sharing partners
have similar reputations in
one's market.
Collaborate & Share: If a group of leading firms collaborates to develop best
practices for compliance and fails, it may serve as an informal proof of difficulty
or regulatory ambiguity. It would be much more difficult to extract the
maximum penalty from each of them than if any one individually came up with
the same solution and failed alone.
17. 17
User Strategy:User Strategy: Focus Where Customers NoticeFocus Where Customers Notice
Control Activities
Policies/procedures that ensure
management directives are carried
out.
Range of activities including
approvals, authorizations,
verifications, recommendations,
performance reviews, asset
security and segregation of duties.
Monitoring
Assessment of a control system’s
performance over time.
Combination of ongoing and
separate evaluation.
Management and supervisory
activities.
Internal audit activities.
Control Environment
Sets tone of organization-
influencing control
consciousness of its people.
Factors include integrity, ethical
values, competence, authority,
responsibility.
Foundation for all other
components of control.
Information and
Communication
Pertinent information identified,
captured and communicated in a
timely manner.
Access to internal and externally
generated information.
Flow of information that allows for
successful control actions from
instructions on responsibilities to
summary of findings for
management action.
Risk Assessment
Risk assessment is the identification
and analysis of relevant risks to
achieving the entity’s objectives-
forming the basis for determining
control activities.
All five components must be in place
for a control to be effective.
18. 18
Compliance Road PlanCompliance Road Plan
Public Companies have generally adopted aPublic Companies have generally adopted a
methodology for SOX compliance…methodology for SOX compliance…
SOX Compliance
Plan (GTS)
NCG Controls
Framework
ETIS Control
Documentation
& Test Plans
Internal Control
Testing &
Remediation
Auditor
Attestation
of Controls
Looking ahead, we will see focus on reducing compliance resource
requirements through technology.
….in addition to refinement of controls.
Continuous
Improvement
19. 19
Cost of ComplianceCost of Compliance
Strategy for Refinement of Controls….Strategy for Refinement of Controls….
20. 20
Revisit the Compliance PlanRevisit the Compliance Plan
Address organizational or infrastructure changes
Implement a compliance organizational framework (GTS) to sustain the on-going control
revisions, quarterly control reviews, and documentation related to key controls.
Address resource requirements
NCG to Budget for compliance
ETIS to identify and leverage technology solutions to reduce resource requirements.
EAS to revise business process control procedures to reduce resource requirements.
Optimize control procedures
EAS to eliminate controls that are redundant.
EAS to replace or revise controls that are ineffective.
EAS to investigate automated controls to replace manual controls.
EAS to focus effort on those applications which impact financial controls (compliance related
ex FileNet)
21. 21
Revisit the Compliance PlanRevisit the Compliance Plan
Utilize published, recognized frameworks as your IT
control foundational framework
NCG to adopt or construct a Framework from acknowledged Risk Management
Frameworks such a COBIT or COSO ERM (Enterprise Risk Management).
NCG to seek out generally accepted control frameworks from auditing or
compliance consulting companies (you are not permitted to utilize your attesting
auditor).
Document your specific IT Controls Framework
Simplify the foundational framework to fit ETIS & EAS requirements.
Seek internal buy-in to Bank of America specific Controls framework.
Review and seek consensus with the auditor, to perform controls audit.
Provide a testing plan
Adopt generally accepted sampling techniques of the auditor.
22. 22
ETIS Document IT ControlsETIS Document IT Controls
and Test plansand Test plans
Revisit the Compliance PlanRevisit the Compliance Plan
Document IT Key Controls
» Adopt a standard procedure for documenting key IT Controls and approvals.
» Internally test the IT controls and document results.
» Remediate controls when deficiencies are identified from the test results.
Construct a testing plan
» Adopt a standard procedure for documenting test plans and test results.
» Construct a test plan to insure the effectiveness of each key control, not the control
procedures. (Test results, not the process)
» Utilize generally accepted sampling techniques of your auditor.
23. 23
Internal Testing & Controls AttestationInternal Testing & Controls Attestation
Agree on a testing strategy & timeline
Meet with your BOA Auditor and agree on the controls to be tested, testing
procedure, sample sizes, items to be sampled, and schedule.
Suggest use of standard control reports, audit tools, logs, and software that
are available and can be used by both the company and auditor to perform
the controls attestation.
Focus on key controls and control activities that support financial systems.
Agree on outcome goals necessary to support effectiveness of the controls.
Start Early
Conduct internal testing early and provide it to the auditor.
Encourage as much of the attestation by the auditor to be done prior to year
end as possible and follow up with a review of control changes at year end.
27. 28
RecommendationsRecommendations
Establish an overall cross-functional compliance team
and a dedicated sub team managed by a director
level person. The team should be supported by C-
level executives and include executive from GTS,
NCG, ETIS and Lob’s units.
Coordinate ETIS activities within the scope of an
overall security and disaster recovery plan.
Have ETIS or NCG take final responsibility to ensure
compliance with SOX. ETIS should take the lead on
Lob’s data usage. ETIS is one input to the whole
process.
28. 29
RecommendationsRecommendations
Document Management, Imaging, Workflow
Seek Solutions that…
EAS to integrate with existing systems and
establish control procedures.
EAS to provide easy document retention and
archival system (FileNet).
EAS to effectively manage change control and
change tracking.
EAS to start audit practices of sampling and
reporting that would be part of SOX .
29. 30
What must one do to be compliant?What must one do to be compliant?
1. Nothing
2. Test and document only
3. Become process oriented +
above
4. Build a wall between
development and operations +
above
5. Beef up security, change
management, e-records
retention, anti-fraud techniques,
and patch management + above
6. Audit outsourcers (dev and ops)
and business partners with
access + above
20% 20% 20% 20%
10% 10%
1 2 3 4 5 6