Neelabh Srivastava SOX: IT Perspective

Posted on 04-Jul-2015


Agenda

Background

Facts about the SOX Act

Objective

Section 404: Key Points

A Burden or an Opportunity

Challenges

SOX Benefits

SOX Compliance Frameworks

FAQs

Conclusion

September 2012 Neelabh Srivastava 2

Background

Two of the largest US companies go bankrupt.

Other financial frauds follow.

Investors lost money and faith in companies.

Debacle in the stock market.

The US government took action.

The Sarbanes-Oxley Act was made law.

Facts about the SOX Act

The Act was passed on 30 July 2002.

Named after its architects, US Senator Paul Sarbanes and US Representative Michael Oxley.

Also known as SOA (Sarbanes-Oxley Act).

Applies to publicly traded companies in the US.

The Act consists of 11 sections.

Known as one of the worst tech-related bills of all time.

Objective

Fundamentally, Sarbanes-Oxley (SOX) requires that financial reports are based on accurate information and that the processes by which this information is collected are themselves accurate and controlled.

Rebuilding public trust.

Section 404: Key Points

Refers to "Management assessment of Internal Controls".

With only 180 words, this section has created a furor in various departments, including IT.

As IT controls financial processing and reporting, it therefore falls within the SOX ambit.

Effectively, it is the forced implementation of best practices.

Section 404 is the most contentious part of SOX.

A Burden or an Opportunity

It's a matter of perspective.

Classic example of "glass half empty or half full".

Challenges

High compliance costs.

Segregation of duties (too few people).

Increase in project durations.

High administrative workload.

Increased workload on IT staff.

SOX Benefits

Standardizing/eliminating variation in the computing environment.

Automation of manual processes.

Identifying and addressing risks in your environment.

Improved efficiencies through consolidation.

Reduced operating costs.

Reduced incidents.

Documentation for every process/operation.

SOX Compliance Frameworks

COBIT (Control Objectives for Information and Related Technology)

COSO (Committee of Sponsoring Organizations)

ITIL (Information Technology Infrastructure Library)

CoCo (Criteria of Control)

Turnbull Framework

King Framework

COSO is the most widely adopted framework in the US.

FAQ

1) How often do companies need to comply with SOX: annually or quarterly?

All publicly traded companies must comply with SOX both annually and quarterly. Section 404 is an annual evaluation of internal controls, which requires annual compliance, whereas other sections, such as 302 and 906, are quarterly certification requirements.

2) What does Section 404 mean from a practical perspective?

In practice, it depends on the external auditor to define which aspects of the overall operations they consider material, and to what degree. This can be based on multiple criteria, including their own control objectives.

3) If SOX is intended for financial reform, then how does IT come into the picture?

The thing to remember about SOX is that it is primarily focused on the accuracy of financial reporting data. IT per se is important under SOX only to the extent that it enhances the reliability and integrity of that reporting, which of course can be achieved by having full controls over IT infrastructure, change management, IT security, etc.

4) Should non-production systems such as Dev, QA, Test, etc. be in scope for SOX?

They might not be in the "direct" scope of SOX, but these environments certainly play a role in the change management process and other life cycles. Thus, they cannot be completely ignored.

5) Is this ever going to finish?

Unfortunately no; there will be an ongoing need to update and validate the processes and supporting documentation.

Conclusion

The better reason to have good controls over IT and IT security, however, is not because it will make you SOX compliant but because it will make your business more efficient, enable you to better utilize your data, and allow you to trust ALL the data, not just financial reporting data.