Sarbanes Oxley & IT Compliance
By Khazi Syed T. Ahmed Jeelani
November 15th, 2005
Sarbanes Oxley Act
Agenda:
 What is SOX?
» What does it require, why, and who cares?
 State of the mind
» Confusion, complacency, communications challenges
 Building a Defensible Compliance Strategy for ETIS
» ETIS SOX Strategies: From KYC to ROI
What Is SOX?
Sarbanes-Oxley Overview
Background Of The Problem
 May 2, 2005 headline stated: “Audit flaws wipe $2.7bn from AIG.”
 Discoveries of improper accounting at American International Group (AIG) are to knock $2.7 billion off the value of the world's biggest insurer.
 AIG said it would restate its accounts for each of the last 5 years from 2000 onwards, lowering the company’s value by 3.3%.
 It said it had found “material weaknesses” in its control systems and postponed filing its 2004 accounts.
 Source: http://news.bbc.co.uk/1/hi/business/4504865.stm
Sarbanes-Oxley Overview
 The act was signed into law on July 30, 2002.
 It includes regulations regarding:
» Public Company Accounting Oversight Board (PCAOB).
» Auditor independence.
» Corporate responsibility.
» Enhanced financial disclosures.
» Corporate and criminal fraud accountability.
 It applies primarily to publicly traded companies.
 SOX is actually a combination of:
» Sarbanes Oxley Act of 2002 (H.R. 3763).
» Rules of the PCAOB.
» Rules of the SEC.
Sarbanes Oxley Act
Background
Why Do I Care About Sarbanes-Oxley in ETIS?
Background Of The Problem
 SOX was a reaction to corporate scandals and lack of investor confidence:
» Enron.
» Arthur Andersen.
» MCI.
 Intense competition and pressure, conflicts of interest, and poor practices led to poor reporting and mismanagement.
 Criminal activities also contributed to the problem.
 Many other smaller examples of “dot com” booms that turned out to be investor busts all combined to prompt congressional action.
 Source: Bauer College of Business
Cost of Compliance
 Compliance will cost public companies an average 62 percent more than previously anticipated. The average company expects to spend $3.14 million in its first year of compliance. (Financial Executives International)
 $1.24 billion and 5,396,266 man-hours will be the aggregate annual costs of implementing Section 404(a) of the Sarbanes-Oxley Act, according to the SEC's PRA burden estimates.
 PWC estimates that 76% of added cost for Sarbanes-Oxley compliance will come from additional internal resources.
 SOX compliance costs average $16 Million per company. (Business Wire, Nov 15, 2004)
 85% of public companies intend to change their IT systems as part of their efforts to comply with Sarbanes-Oxley legislation. (CIO Insight)
 “The Sarbanes-Oxley compliance impact is not just being felt by large public companies. Rather, its impact will be felt by most companies doing business in the US.” (META Group)
 Compliance Efforts Still Somewhat Haphazard. (Information Week, July 26, 2004)
Cost of Compliance
 AMR Research estimates that companies will spend $5.8 billion on meeting SOX requirements in 2005. Despite initial thoughts that SOX spending would be a one-time expenditure, 36% of companies plan to increase spending, 52% will maintain current levels and 12% will decrease SOX spending. Spend allocation will be:
» 42% on internal labor
» 29% on services
» 28% on technology
» 1% on other
 “Technology will play an increasingly significant role in the integration of SOX compliance initiatives into business processes.” (AMR Research)
Which Departments Are Affected?
People, Processes, and Systems will be Impacted
Key findings:
1. Companies are not focusing on technology fixes, but instead on auditing, procedures, and reporting. Most are not buying new technology to solve the problem, but may upgrade or partially replace systems to address it.
2. Split on whether finance understands the technology issues involved in SOX compliance, and whether IT understands the business issues.
3. IT will be affected by SOX more so than all other departments except finance.
4. Almost 1 in 10 think their job is at risk if the firm is non-compliant, and 1 in 4 must certify results personally.
5. Companies are talking about SOX but not delivering much.
6. Most viewed SOX compliance as more resource intensive than other regulatory compliance projects.
Building a Defensible Compliance Strategy
Three Lines of Defense:
 "I made a mistake."
 "No one else did it better."
 "Nobody could do it better."
“I Made A Mistake”
(so, sue me)
Build your own solutions.
Benefits: Full control over the process, possibly the fastest and cheapest route for some regulations, if the appropriate infrastructure is in place.
Risks: In the event that a firm is found to be out of compliance, this is the worst possible scenario, and maximum penalties may apply. It also has the greatest potential for reputational risk, in addition to punitive risks.
“I Bought A Mistake”
(so, sue me and I’ll sue the vendor)
Benefits / Risks
When a packaged solution exists, maintenance of the process should be less expensive. If the solution achieves significant market share, the defensive position of the firm is enhanced in the event of non-compliance.
Keeping up to date with regulations is a very challenging task. If this application were to be built in house, the organization would have to devote a minimum of one full-time employee to this. Regulations may change frequently.
Vendors may also provide some best practices for maintaining compliance. And, their solutions may offer improvements (automation) over current processes.
This option entrusts, but cannot delegate, some aspects of compliance to a third party. Typical vendor due diligence concerns are magnified based on potential exposure, including reputational risk.
“Nobody could do it better.”
(so sue us all and shut down our industry)
Benefits: Peers are in the best position to develop common best practices.
Risks: In the event of non-compliance, a penalty to one participant results in a penalty to all. Minimized if sharing partners have similar reputations in one's market.
Collaborate & Share: If a group of leading firms collaborates to develop best practices for compliance and fails, it may serve as an informal proof of difficulty or regulatory ambiguity. It would be much more difficult to extract the maximum penalty from each of them than if any one individually came up with the same solution and failed alone.
User Strategy: Focus Where Customers Notice
Control Activities
 Policies/procedures that ensure management directives are carried out.
 Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.
Monitoring
 Assessment of a control system’s performance over time.
 Combination of ongoing and separate evaluation.
 Management and supervisory activities.
 Internal audit activities.
Control Environment
 Sets tone of organization, influencing control consciousness of its people.
 Factors include integrity, ethical values, competence, authority, responsibility.
 Foundation for all other components of control.
Information and Communication
 Pertinent information identified, captured and communicated in a timely manner.
 Access to internal and externally generated information.
 Flow of information that allows for successful control actions, from instructions on responsibilities to summary of findings for management action.
Risk Assessment
 Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives, forming the basis for determining control activities.
All five components must be in place for a control to be effective.
Compliance Road Plan
Public Companies have generally adopted a methodology for SOX compliance…
SOX Compliance Plan (GTS) → NCG Controls Framework → ETIS Control Documentation & Test Plans → Internal Control Testing & Remediation → Auditor Attestation of Controls → Continuous Improvement
Looking ahead, we will see focus on reducing compliance resource requirements through technology…
…in addition to refinement of controls.
Cost of Compliance
Strategy for Refinement of Controls…
Revisit the Compliance Plan
Address organizational or infrastructure changes
 Implement a compliance organizational framework (GTS) to sustain the on-going control revisions, quarterly control reviews, and documentation related to key controls.
Address resource requirements
 NCG to budget for compliance.
 ETIS to identify and leverage technology solutions to reduce resource requirements.
 EAS to revise business process control procedures to reduce resource requirements.
Optimize control procedures
 EAS to eliminate controls that are redundant.
 EAS to replace or revise controls that are ineffective.
 EAS to investigate automated controls to replace manual controls.
 EAS to focus effort on those applications which impact financial controls (compliance related, e.g. FileNet).
Revisit the Compliance Plan
Utilize published, recognized frameworks as your IT control foundational framework
 NCG to adopt or construct a Framework from acknowledged Risk Management Frameworks such as COBIT or COSO ERM (Enterprise Risk Management).
 NCG to seek out generally accepted control frameworks from auditing or compliance consulting companies (you are not permitted to utilize your attesting auditor).
Document your specific IT Controls Framework
 Simplify the foundational framework to fit ETIS & EAS requirements.
 Seek internal buy-in to a Bank of America specific Controls framework.
 Review and seek consensus with the auditor who will perform the controls audit.
Provide a testing plan
 Adopt the generally accepted sampling techniques of the auditor.
ETIS Document IT Controls and Test Plans
Revisit the Compliance Plan
 Document IT Key Controls
» Adopt a standard procedure for documenting key IT Controls and approvals.
» Internally test the IT controls and document results.
» Remediate controls when deficiencies are identified from the test results.
 Construct a testing plan
» Adopt a standard procedure for documenting test plans and test results.
» Construct a test plan to ensure the effectiveness of each key control, not the control procedures. (Test results, not the process.)
» Utilize the generally accepted sampling techniques of your auditor.
Internal Testing & Controls Attestation
 Agree on a testing strategy & timeline
» Meet with your BOA Auditor and agree on the controls to be tested, testing procedure, sample sizes, items to be sampled, and schedule.
» Suggest use of standard control reports, audit tools, logs, and software that are available and can be used by both the company and auditor to perform the controls attestation.
» Focus on key controls and control activities that support financial systems.
» Agree on outcome goals necessary to support effectiveness of the controls.
 Start Early
» Conduct internal testing early and provide it to the auditor.
» Encourage as much of the attestation by the auditor to be done prior to year end as possible and follow up with a review of control changes at year end.
Internal Testing & Controls Attestation
 Investigate Technology Solutions to reduce Compliance Resource Requirements…
What’s Ahead?
 2005 – A windfall year for Auditors
 2006 – A windfall year for ETIS
» Application Security
» Document Management, Imaging and Workflow
» Backup, Recovery and Data Archival
» Infrastructure Security
» Change Management
» “Compliance Audit Solutions”
Conclusion
What Are the Key Points?
Recommendations
 Establish an overall cross-functional compliance team and a dedicated sub-team managed by a director-level person. The team should be supported by C-level executives and include executives from GTS, NCG, ETIS and the LOB units.
 Coordinate ETIS activities within the scope of an overall security and disaster recovery plan.
 Have ETIS or NCG take final responsibility to ensure compliance with SOX. ETIS should take the lead on LOB data usage. ETIS is one input to the whole process.
Recommendations
Document Management, Imaging, Workflow
Seek Solutions that…
 EAS to integrate with existing systems and establish control procedures.
 EAS to provide an easy document retention and archival system (FileNet).
 EAS to effectively manage change control and change tracking.
 EAS to start audit practices of sampling and reporting that would be part of SOX.
What must one do to be compliant?
1. Nothing
2. Test and document only
3. Become process oriented + above
4. Build a wall between development and operations + above
5. Beef up security, change management, e-records retention, anti-fraud techniques, and patch management + above
6. Audit outsourcers (dev and ops) and business partners with access + above
[Chart: audience poll results for options 1 through 6, in 20% and 10% shares]
Q & A
Más contenido relacionado

La actualidad más candente

10 Observations on Using Technology for SMCR - Senior Managers and Certificat...
10 Observations on Using Technology for SMCR - Senior Managers and Certificat...10 Observations on Using Technology for SMCR - Senior Managers and Certificat...
10 Observations on Using Technology for SMCR - Senior Managers and Certificat...Corporater
 
Third Party Due Diligence - Case Study Discussion
Third Party Due Diligence - Case Study DiscussionThird Party Due Diligence - Case Study Discussion
Third Party Due Diligence - Case Study DiscussionSam Gibbins 紀俊森
 
Fortifying-the-close-to-disclose-process
Fortifying-the-close-to-disclose-processFortifying-the-close-to-disclose-process
Fortifying-the-close-to-disclose-processBill Velasco
 
Surviving in The New Normal of regulation within financial markets
Surviving in The New Normal of regulation within financial marketsSurviving in The New Normal of regulation within financial markets
Surviving in The New Normal of regulation within financial marketsRodney Dennis
 
Managing Assets for Maximum Performance and Value
Managing Assets for Maximum Performance and ValueManaging Assets for Maximum Performance and Value
Managing Assets for Maximum Performance and ValueEMC
 
Governance of Outsourcing
Governance of OutsourcingGovernance of Outsourcing
Governance of OutsourcingVishal Sharma
 
S O X In Telecom Industry
S O X In  Telecom  IndustryS O X In  Telecom  Industry
S O X In Telecom Industryravindra sharma
 
7 Steps to Build an Effective Corporate Compliance Strategy
7 Steps to Build an Effective Corporate Compliance Strategy7 Steps to Build an Effective Corporate Compliance Strategy
7 Steps to Build an Effective Corporate Compliance StrategyMaarten Boonen
 
Ey top-10-risks-in-telecommunications-2014
Ey top-10-risks-in-telecommunications-2014Ey top-10-risks-in-telecommunications-2014
Ey top-10-risks-in-telecommunications-2014CMR WORLD TECH
 
Legal Management Process: A paradigm shift as a Business Enabler
Legal Management Process: A paradigm shift as a Business EnablerLegal Management Process: A paradigm shift as a Business Enabler
Legal Management Process: A paradigm shift as a Business EnablerAmber Gupta
 
Accenture 2015 Global Structural Reform Study: Unlocking the Potential of Glo...
Accenture 2015 Global Structural Reform Study: Unlocking the Potential of Glo...Accenture 2015 Global Structural Reform Study: Unlocking the Potential of Glo...
Accenture 2015 Global Structural Reform Study: Unlocking the Potential of Glo...Accenture Insurance
 
Session One Forces For Regulatory Change Anthony Wong
Session One Forces For Regulatory Change Anthony WongSession One Forces For Regulatory Change Anthony Wong
Session One Forces For Regulatory Change Anthony Wonganthonywong
 
Sub Material Fraud Risk White Paper
Sub Material Fraud Risk White PaperSub Material Fraud Risk White Paper
Sub Material Fraud Risk White Paperjhare
 

La actualidad más candente (19)

EDI 2009 Controlling E-Discovery Costs through Records Management
EDI 2009 Controlling E-Discovery Costs through Records ManagementEDI 2009 Controlling E-Discovery Costs through Records Management
EDI 2009 Controlling E-Discovery Costs through Records Management
 
NEMEA Compliance Automation
NEMEA Compliance AutomationNEMEA Compliance Automation
NEMEA Compliance Automation
 
10 Observations on Using Technology for SMCR - Senior Managers and Certificat...
10 Observations on Using Technology for SMCR - Senior Managers and Certificat...10 Observations on Using Technology for SMCR - Senior Managers and Certificat...
10 Observations on Using Technology for SMCR - Senior Managers and Certificat...
 
Data as a Hidden Gem in Compliance Programs
Data as a Hidden Gem in Compliance ProgramsData as a Hidden Gem in Compliance Programs
Data as a Hidden Gem in Compliance Programs
 
Taking Private Out of Private Equity
Taking Private Out of Private EquityTaking Private Out of Private Equity
Taking Private Out of Private Equity
 
Sox Ima
Sox   ImaSox   Ima
Sox Ima
 
Third Party Due Diligence - Case Study Discussion
Third Party Due Diligence - Case Study DiscussionThird Party Due Diligence - Case Study Discussion
Third Party Due Diligence - Case Study Discussion
 
Fortifying-the-close-to-disclose-process
Fortifying-the-close-to-disclose-processFortifying-the-close-to-disclose-process
Fortifying-the-close-to-disclose-process
 
Surviving in The New Normal of regulation within financial markets
Surviving in The New Normal of regulation within financial marketsSurviving in The New Normal of regulation within financial markets
Surviving in The New Normal of regulation within financial markets
 
Managing Assets for Maximum Performance and Value
Managing Assets for Maximum Performance and ValueManaging Assets for Maximum Performance and Value
Managing Assets for Maximum Performance and Value
 
Governance of Outsourcing
Governance of OutsourcingGovernance of Outsourcing
Governance of Outsourcing
 
S O X In Telecom Industry
S O X In  Telecom  IndustryS O X In  Telecom  Industry
S O X In Telecom Industry
 
Memo to CEOs
Memo to CEOsMemo to CEOs
Memo to CEOs
 
7 Steps to Build an Effective Corporate Compliance Strategy
7 Steps to Build an Effective Corporate Compliance Strategy7 Steps to Build an Effective Corporate Compliance Strategy
7 Steps to Build an Effective Corporate Compliance Strategy
 
Ey top-10-risks-in-telecommunications-2014
Ey top-10-risks-in-telecommunications-2014Ey top-10-risks-in-telecommunications-2014
Ey top-10-risks-in-telecommunications-2014
 
Legal Management Process: A paradigm shift as a Business Enabler
Legal Management Process: A paradigm shift as a Business EnablerLegal Management Process: A paradigm shift as a Business Enabler
Legal Management Process: A paradigm shift as a Business Enabler
 
Accenture 2015 Global Structural Reform Study: Unlocking the Potential of Glo...
Accenture 2015 Global Structural Reform Study: Unlocking the Potential of Glo...Accenture 2015 Global Structural Reform Study: Unlocking the Potential of Glo...
Accenture 2015 Global Structural Reform Study: Unlocking the Potential of Glo...
 
Session One Forces For Regulatory Change Anthony Wong
Session One Forces For Regulatory Change Anthony WongSession One Forces For Regulatory Change Anthony Wong
Session One Forces For Regulatory Change Anthony Wong
 
Sub Material Fraud Risk White Paper
Sub Material Fraud Risk White PaperSub Material Fraud Risk White Paper
Sub Material Fraud Risk White Paper
 

Destacado

Designing Information Structures For Performance And Reliability
Designing Information Structures For Performance And ReliabilityDesigning Information Structures For Performance And Reliability
Designing Information Structures For Performance And Reliabilitybryanrandol
 
Βιβλιοθήκες και Κοινωνικά Δίκτυα - Facebook & Twitter
Βιβλιοθήκες και Κοινωνικά Δίκτυα - Facebook & TwitterΒιβλιοθήκες και Κοινωνικά Δίκτυα - Facebook & Twitter
Βιβλιοθήκες και Κοινωνικά Δίκτυα - Facebook & TwitterLevadia Library
 
Città del Messico dall\'alto
Città del Messico dall\'altoCittà del Messico dall\'alto
Città del Messico dall\'altoAdriana Herrerias
 
The Mobile Future
The Mobile FutureThe Mobile Future
The Mobile FutureMintTwist
 
Η χρήση του Web 2.0 και της κοινωνικής δικτύωσης στη Βιβλιοθήκη Λιβαδειάς
Η χρήση του Web 2.0 και της κοινωνικής δικτύωσης στη Βιβλιοθήκη Λιβαδειάς Η χρήση του Web 2.0 και της κοινωνικής δικτύωσης στη Βιβλιοθήκη Λιβαδειάς
Η χρήση του Web 2.0 και της κοινωνικής δικτύωσης στη Βιβλιοθήκη Λιβαδειάς Levadia Library
 
Materisoalmatematika
MaterisoalmatematikaMaterisoalmatematika
Materisoalmatematikabenipurnama
 
Redis varnish js
Redis varnish jsRedis varnish js
Redis varnish jsiliakan
 

Destacado (20)

В облаке AWS
В облаке AWSВ облаке AWS
В облаке AWS
 
Reportes de-evaluacion-2014-2015
Reportes de-evaluacion-2014-2015Reportes de-evaluacion-2014-2015
Reportes de-evaluacion-2014-2015
 
Designing Information Structures For Performance And Reliability
Designing Information Structures For Performance And ReliabilityDesigning Information Structures For Performance And Reliability
Designing Information Structures For Performance And Reliability
 
Materisoalips
MaterisoalipsMaterisoalips
Materisoalips
 
Pedagogia vocal
Pedagogia vocalPedagogia vocal
Pedagogia vocal
 
Βιβλιοθήκες και Κοινωνικά Δίκτυα - Facebook & Twitter
Βιβλιοθήκες και Κοινωνικά Δίκτυα - Facebook & TwitterΒιβλιοθήκες και Κοινωνικά Δίκτυα - Facebook & Twitter
Βιβλιοθήκες και Κοινωνικά Δίκτυα - Facebook & Twitter
 
Città del Messico dall\'alto
Città del Messico dall\'altoCittà del Messico dall\'alto
Città del Messico dall\'alto
 
Content Pages
Content PagesContent Pages
Content Pages
 
Presentation1
Presentation1Presentation1
Presentation1
 
Timeline Chhetri
Timeline ChhetriTimeline Chhetri
Timeline Chhetri
 
Swine Flu
Swine FluSwine Flu
Swine Flu
 
The Mobile Future
The Mobile FutureThe Mobile Future
The Mobile Future
 
Η χρήση του Web 2.0 και της κοινωνικής δικτύωσης στη Βιβλιοθήκη Λιβαδειάς
Η χρήση του Web 2.0 και της κοινωνικής δικτύωσης στη Βιβλιοθήκη Λιβαδειάς Η χρήση του Web 2.0 και της κοινωνικής δικτύωσης στη Βιβλιοθήκη Λιβαδειάς
Η χρήση του Web 2.0 και της κοινωνικής δικτύωσης στη Βιβλιοθήκη Λιβαδειάς
 
Materisoalmatematika
MaterisoalmatematikaMaterisoalmatematika
Materisoalmatematika
 
PETacular Picks!!
PETacular Picks!!PETacular Picks!!
PETacular Picks!!
 
Nycaflt conference apr 09 2011
Nycaflt conference apr 09 2011Nycaflt conference apr 09 2011
Nycaflt conference apr 09 2011
 
Desafios matematicos
Desafios matematicosDesafios matematicos
Desafios matematicos
 
Redis varnish js
Redis varnish jsRedis varnish js
Redis varnish js
 
Ensamble coral como momento de arendizaje
Ensamble coral como momento de arendizajeEnsamble coral como momento de arendizaje
Ensamble coral como momento de arendizaje
 
Portfolio
PortfolioPortfolio
Portfolio
 

Similar a Khazi Sox A

Embedding compliance: how to integrate sarbanes-oxley in your projects
Embedding compliance: how to integrate sarbanes-oxley in your projectsEmbedding compliance: how to integrate sarbanes-oxley in your projects
Embedding compliance: how to integrate sarbanes-oxley in your projects3gamma
 
Compliance in Manufacturing: A Very Personal Affair (2013)
Compliance in Manufacturing: A Very Personal Affair (2013)Compliance in Manufacturing: A Very Personal Affair (2013)
Compliance in Manufacturing: A Very Personal Affair (2013)Melih ÖZCANLI
 
How are Banks Turning Regulatory Compliance into An Opportunity.pdf
How are Banks Turning Regulatory Compliance into An Opportunity.pdfHow are Banks Turning Regulatory Compliance into An Opportunity.pdf
How are Banks Turning Regulatory Compliance into An Opportunity.pdfMaveric Systems
 
Aerospace-Defence-Efficient-Compliance
Aerospace-Defence-Efficient-ComplianceAerospace-Defence-Efficient-Compliance
Aerospace-Defence-Efficient-ComplianceSimon Aplin
 
Sox Compliance Presentation
Sox Compliance PresentationSox Compliance Presentation
Sox Compliance PresentationSkye Rogers
 
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c 2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c Security B-Sides
 
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1cGene Kim
 
Standards For Wright Aircraft Corp
Standards For Wright Aircraft CorpStandards For Wright Aircraft Corp
Standards For Wright Aircraft CorpAntoinette Williams
 
2014-05-15 Raffa BDO Managing Government Contracts
2014-05-15 Raffa BDO Managing Government Contracts2014-05-15 Raffa BDO Managing Government Contracts
2014-05-15 Raffa BDO Managing Government ContractsRaffa Learning Community
 
Accenture 2015 Global Structural Reform Study
Accenture 2015 Global Structural Reform StudyAccenture 2015 Global Structural Reform Study
Accenture 2015 Global Structural Reform Studyaccenture
 
Building public-trust-eccles-en-2038
Building public-trust-eccles-en-2038Building public-trust-eccles-en-2038
Building public-trust-eccles-en-2038Girma Biresaw
 
Control and Audit Information System
Control and Audit Information SystemControl and Audit Information System
Control and Audit Information Systemarif prasetyo
 
zSecurity_L9_Standards and Policies.ppt
zSecurity_L9_Standards and Policies.pptzSecurity_L9_Standards and Policies.ppt
zSecurity_L9_Standards and Policies.pptssuser45a8a6
 
There are regulatory rules that must be met as well as organizatio.docx
There are regulatory rules that must be met as well as organizatio.docxThere are regulatory rules that must be met as well as organizatio.docx
There are regulatory rules that must be met as well as organizatio.docxrandymartin91030
 

Similar a Khazi Sox A (20)

Embedding compliance: how to integrate sarbanes-oxley in your projects
Embedding compliance: how to integrate sarbanes-oxley in your projectsEmbedding compliance: how to integrate sarbanes-oxley in your projects
Embedding compliance: how to integrate sarbanes-oxley in your projects
 
Minimum viable compliance whitepaper
Minimum viable compliance whitepaperMinimum viable compliance whitepaper
Minimum viable compliance whitepaper
 
Case study v7.2
Case study v7.2Case study v7.2
Case study v7.2
 
Compliance in Manufacturing: A Very Personal Affair (2013)
Compliance in Manufacturing: A Very Personal Affair (2013)Compliance in Manufacturing: A Very Personal Affair (2013)
Compliance in Manufacturing: A Very Personal Affair (2013)
 
Compliance Risk Assessment
Compliance Risk AssessmentCompliance Risk Assessment
Compliance Risk Assessment
 
How are Banks Turning Regulatory Compliance into An Opportunity.pdf
How are Banks Turning Regulatory Compliance into An Opportunity.pdfHow are Banks Turning Regulatory Compliance into An Opportunity.pdf
How are Banks Turning Regulatory Compliance into An Opportunity.pdf
 
Aerospace-Defence-Efficient-Compliance
Aerospace-Defence-Efficient-ComplianceAerospace-Defence-Efficient-Compliance
Aerospace-Defence-Efficient-Compliance
 
Ey segregation of_duties
Ey segregation of_dutiesEy segregation of_duties
Ey segregation of_duties
 
Sox Compliance Presentation
Sox Compliance PresentationSox Compliance Presentation
Sox Compliance Presentation
 
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c 2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
 
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
 
Standards For Wright Aircraft Corp
Standards For Wright Aircraft CorpStandards For Wright Aircraft Corp
Standards For Wright Aircraft Corp
 
2014-05-15 Raffa BDO Managing Government Contracts
2014-05-15 Raffa BDO Managing Government Contracts2014-05-15 Raffa BDO Managing Government Contracts
2014-05-15 Raffa BDO Managing Government Contracts
 
Accenture 2015 Global Structural Reform Study
Accenture 2015 Global Structural Reform StudyAccenture 2015 Global Structural Reform Study
Accenture 2015 Global Structural Reform Study
 
Building public-trust-eccles-en-2038
Building public-trust-eccles-en-2038Building public-trust-eccles-en-2038
Building public-trust-eccles-en-2038
 
Control and Audit Information System
Control and Audit Information SystemControl and Audit Information System
Control and Audit Information System
 
Swan Davis Inc
Swan Davis IncSwan Davis Inc
Swan Davis Inc
 
zSecurity_L9_Standards and Policies.ppt
zSecurity_L9_Standards and Policies.pptzSecurity_L9_Standards and Policies.ppt
zSecurity_L9_Standards and Policies.ppt
 
Audit Committee
Audit CommitteeAudit Committee
Audit Committee
 
There are regulatory rules that must be met as well as organizatio.docx
There are regulatory rules that must be met as well as organizatio.docxThere are regulatory rules that must be met as well as organizatio.docx
There are regulatory rules that must be met as well as organizatio.docx
 

Khazi Sox A

  • 1. Sarbanes Oxley & IT Compliance By KhaziSyed T. AhmedJeelani November 15th 2005
  • 2. 2 Sarbanes Oxley ActSarbanes Oxley Act Agenda:  What is SOX? »What does it require, why, and who cares?  State of the mind »Confusion, Complacency, Communications-challenges  Building a Defensible Compliance Strategy for ETIS » ETIS SOX Strategies: From KYC to ROI
  • 3. 3 What Is SOX? Sarbanes-Oxley OverviewSarbanes-Oxley Overview
  • 4. 4 Background OfBackground Of The ProblemThe Problem  May 2, 2005 headline stated: “Audit flaws wipe $2.7bn from AIG.”  Discoveries of improper accounting at American International Group (AIG) are to knock $2.7 billion off the value of the world's biggest insurer.  AIG said it would restate its accounts for each of the last 5 years from 2000 onwards, lowering the company’s value by 3.3%.  It said it had found “material weaknesses” in its control systems and postponed filing its 2004 accounts.  Source: http://news.bbc.co.uk/1/hi/business/4504865.stm
  • 5. 5 Sarbanes-Oxley OverviewSarbanes-Oxley Overview  The act was signed into law on July 30, 2002.  It includes regulations regarding: » Public Company Accounting Oversight Board (PCAOB). » Auditor independence. » Corporate responsibility. » Enhanced financial disclosures. » Corporate and criminal fraud accountability.  It applies primarily to publicly traded companies.  SOX is actually a combination of: » Sarbanes Oxley Act of 2002 (H.R. 3763). » Rules of the PCAOB. » Rules of the SEC.
  • 6. 6 Sarbanes Oxley ActSarbanes Oxley Act BackgroundBackground Why Do I Care About Sarbanes-Oxley in ETIS ?
  • 7. 7 Background OfBackground Of The ProblemThe Problem  SOX was a reaction to corporate scandals and lack of investor confidence: » Enron. » Arthur Andersen. » MCI.  Intense competition and pressure, conflicts of interest, and poor practices led to poor reporting and mismanagement.  Criminal activities also contributed to the problem.  Many other smaller examples of “dot com” booms that turned out to be investor busts all combined to prompt congressional action.  Source: Bauer College of Business
8
Cost of Compliance
 Compliance will cost public companies an average 62 percent more than previously anticipated. The average company expects to spend $3.14 million in its first year of compliance. (Financial Executives International)
 $1.24 billion and 5,396,266 man-hours will be the aggregate annual costs of implementing Section 404(a) of the Sarbanes-Oxley Act, according to the SEC's PRA burden estimates.
 PWC estimates that 76% of added cost for Sarbanes-Oxley compliance will come from additional internal resources.
 SOX compliance costs average $16 Million per company. (Business Wire, Nov 15, 2004)
 85% of public companies intend to change their IT systems as part of their efforts to comply with Sarbanes-Oxley legislation. (CIO Insight)
 “The Sarbanes-Oxley compliance impact is not just being felt by large public companies. Rather, its impact will be felt by most companies doing business in the US.” (META Group)
 Compliance Efforts Still Somewhat Haphazard. (Information Week, July 26, 2004)
9
Cost of Compliance
 AMR Research estimates that companies will spend $5.8 billion on meeting SOX requirements in 2005.
 Despite initial thoughts that SOX spending would be a one time expenditure, 36% of companies plan to increase spending, 52% will maintain current levels and 12% will decrease SOX spending. Spend allocation will be:
» 42% on internal labor
» 29% on services
» 28% on technology
» 1% on other
 “Technology will play an increasingly significant role in the integration of SOX compliance initiatives into business processes” (AMR Research)
10
Which Departments Are Affected?
11
People, Processes, and Systems will be Impacted
12
Key findings:
1. Companies are not focusing on technology fixes, but instead on auditing, procedures, and reporting. Most are not buying new technology to solve the problem, but may upgrade or partially replace systems to address it.
2. Split on whether finance understands the technology issues involved in SOX compliance, and whether IT understands the business issues.
3. IT will be affected by SOX more than all other departments except finance.
4. Almost 1 in 10 think their job is at risk if the firm is non-compliant, and 1 in 4 must certify results personally.
5. Companies are talking about SOX but not delivering much.
6. Most viewed SOX compliance as more resource intensive than other regulatory compliance projects.
13
Building a Defensible Compliance Strategy
Three Lines of Defense
"I made a mistake."
"No one else did it better."
"Nobody could do it better."
14
“I Made A Mistake” (so, sue me)
Build your own solutions.
Benefits
 Full control over the process; possibly the fastest and cheapest route for some regulations, if the appropriate infrastructure is in place.
Risks
 In the event that a firm is found to be out of compliance, this is the worst possible scenario, and maximum penalties may apply.
 It also has the greatest potential for reputational risk, in addition to punitive risks.
15
“I Bought A Mistake” (so, sue me and I’ll sue the vendor)
Benefits
 When a packaged solution exists, maintenance of the process should be less expensive.
 If the solution achieves significant market share, the defensive position of the firm is enhanced in the event of non-compliance.
 Keeping up to date with regulations is a very challenging task. If this application were to be built in house, the organization would have to devote a minimum of one full-time employee to this.
 Vendors may also provide some best practices for maintaining compliance. And, their solutions may offer improvements (automation) over current processes.
Risks
 Regulations may change frequently.
 This option entrusts, but cannot delegate, some aspects of compliance to a third party.
 Typical vendor due diligence concerns are magnified based on potential exposure, including reputational risk.
16
“Nobody could do it better.” (so sue us all and shut down our industry)
Collaborate & Share:
Benefits
 Peers are in the best position to develop common best practices.
 If a group of leading firms collaborates to develop best practices for compliance and fails, it may serve as an informal proof of difficulty or regulatory ambiguity.
 It would be much more difficult to extract the maximum penalty from each of them than if any one individually came up with the same solution and failed alone.
Risks
 In the event of non-compliance, a penalty to one participant results in a penalty to all.
 Minimized if sharing partners have similar reputations in one's market.
17
User Strategy: Focus Where Customers Notice
Control Environment
 Sets the tone of the organization, influencing the control consciousness of its people.
 Factors include integrity, ethical values, competence, authority, responsibility.
 Foundation for all other components of control.
Risk Assessment
 Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives, forming the basis for determining control activities.
Control Activities
 Policies/procedures that ensure management directives are carried out.
 Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.
Information and Communication
 Pertinent information identified, captured and communicated in a timely manner.
 Access to internally and externally generated information.
 Flow of information that allows for successful control actions, from instructions on responsibilities to summary of findings for management action.
Monitoring
 Assessment of a control system’s performance over time.
 Combination of ongoing and separate evaluation.
 Management and supervisory activities.
 Internal audit activities.
All five components must be in place for a control to be effective.
18
Compliance Road Plan
Public Companies have generally adopted a methodology for SOX compliance…
» SOX Compliance Plan (GTS)
» NCG Controls Framework
» ETIS Control Documentation & Test Plans
» Internal Control Testing & Remediation
» Auditor Attestation of Controls
» Continuous Improvement
Looking ahead, we will see focus on reducing compliance resource requirements through technology, in addition to refinement of controls.
19
Cost of Compliance
Strategy for Refinement of Controls….
20
Revisit the Compliance Plan
Address organizational or infrastructure changes
 Implement a compliance organizational framework (GTS) to sustain the on-going control revisions, quarterly control reviews, and documentation related to key controls.
Address resource requirements
 NCG to budget for compliance.
 ETIS to identify and leverage technology solutions to reduce resource requirements.
 EAS to revise business process control procedures to reduce resource requirements.
Optimize control procedures
 EAS to eliminate controls that are redundant.
 EAS to replace or revise controls that are ineffective.
 EAS to investigate automated controls to replace manual controls.
 EAS to focus effort on those applications which impact financial controls (compliance related, e.g. FileNet).
21
Revisit the Compliance Plan
Utilize published, recognized frameworks as your IT control foundational framework
 NCG to adopt or construct a framework from acknowledged Risk Management Frameworks such as COBIT or COSO ERM (Enterprise Risk Management).
 NCG to seek out generally accepted control frameworks from auditing or compliance consulting companies (you are not permitted to utilize your attesting auditor).
Document your specific IT Controls Framework
 Simplify the foundational framework to fit ETIS & EAS requirements.
 Seek internal buy-in to a Bank of America specific controls framework.
 Review and seek consensus with the auditor who will perform the controls audit.
Provide a testing plan
 Adopt the generally accepted sampling techniques of the auditor.
22
ETIS Document IT Controls and Test Plans
Revisit the Compliance Plan
 Document IT Key Controls
» Adopt a standard procedure for documenting key IT controls and approvals.
» Internally test the IT controls and document results.
» Remediate controls when deficiencies are identified from the test results.
 Construct a testing plan
» Adopt a standard procedure for documenting test plans and test results.
» Construct a test plan to ensure the effectiveness of each key control, not the control procedures. (Test results, not the process.)
» Utilize the generally accepted sampling techniques of your auditor.
23
Internal Testing & Controls Attestation
 Agree on a testing strategy & timeline
» Meet with your BOA auditor and agree on the controls to be tested, testing procedure, sample sizes, items to be sampled, and schedule.
» Suggest use of standard control reports, audit tools, logs, and software that are available and can be used by both the company and auditor to perform the controls attestation.
» Focus on key controls and control activities that support financial systems.
» Agree on outcome goals necessary to support effectiveness of the controls.
 Start Early
» Conduct internal testing early and provide it to the auditor.
» Encourage as much of the attestation by the auditor to be done prior to year end as possible, and follow up with a review of control changes at year end.
24
Internal Testing & Controls Attestation
 Investigate Technology Solutions to reduce Compliance Resource Requirements….
25
What’s Ahead?
 2005 – A windfall year for Auditors
 2006 – A windfall year for ETIS
» Application Security
» Document Management, Imaging and Workflow
» Backup, Recovery and Data Archival
» Infrastructure Security
» Change Management
» “Compliance Audit Solutions”
28
Recommendations
 Establish an overall cross-functional compliance team and a dedicated sub-team managed by a director-level person. The team should be supported by C-level executives and include executives from GTS, NCG, ETIS and the LOB units.
 Coordinate ETIS activities within the scope of an overall security and disaster recovery plan.
 Have ETIS or NCG take final responsibility to ensure compliance with SOX. ETIS should take the lead on the LOBs’ data usage. ETIS is one input to the whole process.
29
Recommendations
Document Management, Imaging, Workflow
Seek Solutions that…
 EAS to integrate with existing systems and establish control procedures.
 EAS to provide an easy document retention and archival system (FileNet).
 EAS to effectively manage change control and change tracking.
 EAS to start audit practices of sampling and reporting that would be part of SOX.
30
What must one do to be compliant?
1. Nothing
2. Test and document only
3. Become process oriented + above
4. Build a wall between development and operations + above
5. Beef up security, change management, e-records retention, anti-fraud techniques, and patch management + above
6. Audit outsourcers (dev and ops) and business partners with access + above
Response distribution for options 1 through 6: 20%, 20%, 20%, 20%, 10%, 10%.
Q & A