
Paring SOX Down to Size: The Impact of Sarbanes-Oxley on IT Governance

Cal Braunstein, CEO and Executive Director of Research, Robert Frances Group

Upload: patricia-girdley

Post on 01-Apr-2015


Page 1

Paring SOX Down to Size: The Impact of Sarbanes-Oxley on IT Governance

Cal Braunstein, CEO and Executive Director of Research, Robert Frances Group

Page 2

Copyright © 2004 by RFG. All Rights Reserved.

Robert Frances Group

• Robert Frances Group provides consulting and research services to our clients who are senior executives in IT and LOB management as well as in marketing/sales management for companies that provide IT and communications services and products.

• RFG’s core competency is aligning business with IT.

• One component of RFG research focuses on analyzing the impact that compliance legislation will have on IT infrastructure investments and corporate governance.

Page 3

Agenda

• What is SOX?

• What does it require, why and who cares?

• State of the market

• Investments and Organization

• Building a Defensible Compliance Strategy

• Recommendations

“We did not formally build a compliance architecture. It just sort of happened.”

Page 4

The Sarbanes-Oxley Act of 2002

• Increasing responsibilities and liabilities for:

  • CEOs, CFOs, Ind. Auditors, Boards/Committees

• Internal Controls

  • Adequacy

  • Changes

• Auditors and management

  • Must report & attest to accuracy of financial statements and disclosures

Page 5

The Sarbanes-Oxley Act of 2002

• Applies to US public companies, private companies with public debt and accounting firms

• Does not exempt foreign private firms or non-U.S. public accounting firms

• Driven by the Enron, Tyco and WorldCom fiascos

• SOX has sections covering:

  Reporting – improves disclosure requirements

  Roles – strengthens corporate governance

  Conduct – expands on accountability

  Enforcement – improves oversight

  Penalties – broadens sanctions

  Relationships – forces auditor independence

Page 6

Why is it a Big Deal for IT?

• Lack of comprehensive documentation of existing internal controls at most firms

• No comprehensive evaluation of internal controls by the majority of firms

• SOX often has to be fit into on-going development activities

• Limited resources available

• 1 in 10 companies have made financial restatements in the past five years (U.S. GAO study)

Page 7

What the Fortune 50 are Saying

• “Our controller’s department has direct responsibility for Sarbanes-Oxley implementation. We have a program team with finance devoted to this today.”

• “We are still trying to put together a plan of what should be the overall governance of all IT systems. We want to use the structure we have put in place for Sarbanes-Oxley to be used for other compliance initiatives.”

• “Our success in working through activities the first time has depended on buy-in from the CEO and CFO.”

• “The IT compliance manager and internal audit are joined at the hip and coordinate all activities together.”

Page 8

Big IT Impact Anticipated

Page 9

People, Processes and Systems will be Impacted

Page 10

Which Provisions Apply to IT?

• 302 – Corporate responsibility for financial reporting

  • Is our financial data accurate?

  • Do we have transaction level detail if required?

  • Do we understand all the processes involved?

• 404 – Annual mgmt assessment of internal controls

  • How does our control structure operate?

  • Who is accountable?

  • Is it monitored?

  • Is it documented?

• 409 – Real-time disclosure of material changes

• 802 – Retention of relevant records for audits/reviews

Page 11

Emerging IT Requirements/Impact

• Definitely influence, perhaps certify…

  Anti-fraud techniques – development & operations

  Change management process

  Data integrity

  Disaster recovery practices

  Electronic records retention policy

  Integrity of communications

  Patch management

  Process/work flows – internal & partners

  Security policies and practices

“properly recorded and reported” transactions

“reasonable assurance” test

SOX compliance built into overall security architecture

Page 12

What is SOX’s impact on IT?

1. Minimal

2. Some impact

3. Big impact

4. Impacts most of development and operations

Page 13

Key 404 Dates and Penalties

• For public companies with market cap > $75 million: June 15, 2004, now November 15, 2004

• For all other public companies: April 15, 2005, now July 15, 2005

• Penalties:

  – CEO/CFO knowingly submits a wrong certification: $1 million and up to 10 years in jail

  – If the wrong certification is submitted “willfully”: up to $5 million and 20 years in jail

Page 14

Spending Levels

• Most Fortune 100 companies spend less than $3 million per year on IT compliance initiatives and have 3 to 6 staff across the organization, drawn from finance and IT, dedicated to compliance.

• First year costs related to complying with a specific compliance directive may be two or three times higher than follow-on years.

• Most companies are working compliance into existing budgets as much as possible and as needed. They do not generally know exactly what they are spending.

Page 15

IT implementation costs

Item                                      One time / Initial costs   Ongoing / Annual costs
Finance/accounting/reporting expansion    $250,000 - $500,000        $250,000 - $300,000
Process improvements                      $200,000 - $400,000        $100,000 - $200,000
System enhancements                       $250,000 - $500,000        $200,000 - $300,000
Consulting services                       $200,000 - $300,000        $100,000 - $200,000
Total added IT costs                      $900,000 - $1,700,000      $650,000 - $1,000,000

Source: PricewaterhouseCoopers LLP & RFG

Page 16

Should I care?

1. No, not asked to participate

2. No, project belongs to another

3. Yes, but not a big deal

4. “Bet your job” project

5. Job put on the line annually

Page 17

Key Organizational Issues

• The Sarbanes-Oxley Act of 2002 has brought companies to focus on a more centralized way to address governance and compliance.

• Centralized authority usually resides in finance or an audit group for assuring overall regulatory compliance. IT compliance is treated as an operational consideration and is usually handled by an IT compliance officer or an IT compliance committee.

• Companies normally have a compliance committee that consists of members from IT, finance and lines of business (LOBs). The committee facilitates constant and clear communications among the member participant departments.

Page 18

Organizational Structure

Internal Audit or Controller has overall responsibility for SOX compliance for all systems and operations

Compliance Task Force within Finance

Overall Compliance Task Force with Participants from across the org. Audit & IT are members.

Director or VP of IT Compliance provides input & recommends action to IT operating groups

Exec Steering Committee

IT Steering Committee

Applications / Programming

Page 19

Which Departments Are Affected?

Page 20

Building a Defensible Compliance Strategy

Three Lines of Defense

“I made a mistake.”

“I bought a mistake.”

“Nobody could do it better.”

Page 21

“Nobody could do it better.” (so sue us all and shut down our industry)

Benefits: Peers are in the best position to develop common best practices.

Risks: In the event of non-compliance, a penalty to one participant results in a penalty to all. Minimized if sharing partners have similar reputations in one’s market.

Collaborate & Share: If a group of leading firms collaborates to develop best practices for compliance and fails, it may serve as an informal proof of difficulty or regulatory ambiguity. It would be much more difficult to extract the maximum penalty from each of them than if any one individually came up with the same solution and failed alone.

Page 22

Key Findings of Recent Research

1. Companies are not focusing on technology fixes but on auditing, procedures and reporting. Most are not buying new technology to solve the problem, but may upgrade or partially replace systems to address it. Most drive to 90%+.

2. Respondents were split on whether finance understands the technology issues involved in SOX compliance, and on whether IT understands the business issues.

3. IT will be affected by SOX more than all other departments except finance. Most viewed SOX compliance as more resource intensive than other regulatory compliance projects.

4. Confident that 404 requirements will be met.

5. Almost 1 in 10 think their job is at risk if the firm is non-compliant, and 1 in 4 must certify results personally.

6. Successful companies have strong support from CxO management in driving compliance activities across the organization. It was not just the role of the CIO.

Page 23

Recommendations

• Establish an overall cross-functional compliance team and a dedicated sub-team managed by a director-level person. The team should be supported by C-level executives and include executives from finance, IT, legal, marketing and affected business units.

• Coordinate IT activities within the scope of an overall security and disaster recovery plan.

• Have Finance or Audit take final responsibility to ensure compliance with SOX. Marketing should take the lead on customer data usage decisions affecting privacy as well as the Do Not Call Registry. IT is one input to the whole process.

Page 24

What must one do to be compliant?

1. Nothing

2. Test and document only

3. Become process oriented + above

4. Build a wall between development and operations + above

5. Beef up security, change management, e-records retention, anti-fraud techniques, and patch management + above

6. Audit outsourcers (devt and ops) and business partners with access + above

Page 25

Questions & Answers

Cal Braunstein, CEO/Executive Director of Research
Robert Frances Group, Business Advisors to IT Executives
www.rfgonline.com
phone: 203-291-6900 x104 (US Eastern Time)
fax: [email protected]

Page 26

About RFG

Business Model
• Single service model
• Focus on IT executive issues
• S.P.O.R.T. Model
• Hybrid retainer consulting model

SPORT Model
• Strategies, SLAs
• Processes, Procedures, Policies, Best Practices, and Politics
• Organizational, Operational Issues
• Resources, Regulations, ROI/ROV and Requirements
• Technology, and Ts & Cs

Unique Attributes
• Unique Demand Driven Research
• In-context vs. trend/futures focus
• Business reqmts. vs. product focus
• Primary research vs. packaged

Blended Client Base
• 85% end-users; 15% vendors

Risk, Regulatory, and Compliance Research focus since 1998

Architecture, Infrastructure and Operations Expertise
• Analysts were IT executives