Elegantsolutions. ca What You Didn’t Know You Don’t Know About Compliance And What it Means to You as a Project Manager March 29, 2007 ProjectWorld Toronto Boyd Carter, PMP elegantsolutions.ca Please note that the content of this document is dated as at March 29, 2007. While the concept is valid, the regulations may have been amended since then. The content is best viewed in Slide Show format; the notes are useful.


Page 1: What You Didnt Know You Dont Know About Compliance Mar 29 07a

Elegantsolutions.ca

What You Didn’t Know You Don’t Know About Compliance

And What it Means to You as a Project Manager

March 29, 2007

ProjectWorld Toronto

Boyd Carter, PMP

elegantsolutions.ca

Please note that the content of this document is dated as at March 29, 2007. While the concept is valid, the regulations may have been amended since then.

The content is best viewed in Slide Show format; the notes are useful.

Page 2

Copyright © 2006 elegantsolutions.ca www.elegantsolutions.ca (Permission is granted to use unchanged. elegantsolutions.ca) 2

Agenda

Survey – Compliance Knowledge and Risk

What you know you don’t know about compliance

What you didn’t know you don’t know about compliance

What it means to you as a project manager

Resources for the Project Manager: description of “must have” resource documents, links to the best online resources, and a link to a copy of the presentation

Page 3

Survey – Compliance Knowledge and Risk

If you were being interviewed to lead a compliance project tomorrow, do you think you could demonstrate enough knowledge to be selected to lead the project? Vote with a show of hands

Based on the answer you gave above, would the impact on your career be positive or negative? Vote POSITIVE with a show of hands

Or Negative? Vote NEGATIVE with a show of hands

Or not affect it at all? Vote WOULDN’T AFFECT ME with a show of hands

Page 4

What You Know You Don’t Know About Compliance

Most people know they don’t know:

Details of the legislation

About Assessments and Attestations

What CEO/CFO Certification means

Page 5

What You Know You Don’t Know About Compliance (Cont.)

Details of the US Legislation

Sarbanes-Oxley Act of 2002 (Public Law 107-204, July 30, 2002, 107th Congress of the United States of America)

Title I – Public Company Accounting Oversight Board (PCAOB)

Section 102 – Registration with the Board (to prepare and/or issue Audit Reports)

AS2 (Auditing Standard No. 2)

Title II – Auditor Independence

Title III – Corporate Responsibility

Section 302 – Corporate Responsibility for Financial Reports

Title IV – Enhanced Financial Disclosures

Section 404 – Management’s assertion of Internal Control over Financial Reporting (ICFR)

Titles V – XI:

V – Analysts Conflicts of Interest

VI – Commission Resources and Authority

VIII – Corporate and Criminal Fraud Accountability

IX – White-collar Crime Penalty Enhancements

X – Corporate Tax Returns

XI – Corporate Fraud and Accountability

Page 6

What You Know You Don’t Know About Compliance (Cont.)

Details of the Canadian Legislation

Bill 198 – An Act to implement budget measures and other initiatives of the Government, 3rd Session, 37th Legislature, Ontario, 2002 (and subsequent amendments)

Part XXVII – Amends the Ontario Securities Act

Ontario Securities Commission – A Self-funded Crown Corporation and the Regulator of Ontario’s Capital Markets: Charter of Corporate Governance (The OSC administers the Securities Act Ontario and Commodity Futures Act, and is empowered to make legally binding rules.)

CSA – Canadian Securities Administrators is the council of Canada’s thirteen provincial and territorial securities regulatory authorities (SRAs).

NI 52-108 – Auditor Oversight

MI 52-109 – Certification of Disclosure…

MI 52-110 – Audit Committees

MI 52-111 – Reporting on Internal Control… (not implemented)

CSA Notice 52-313 – Status of MI 52-111 (Decision to not implement) and proposed to amend and restate MI 52-109

CSA Notice 52-317 – Amended the planned effective date of (now) NI 52-109 to be financial years ending on or after June 30, 2008

Page 7

What You Know You Don’t Know About Compliance (Cont.)

What’s the Difference between (SOX) Sections 302 and 404

SEC. 302. CORPORATE RESPONSIBILITY FOR FINANCIAL REPORTS.

(a) REGULATIONS REQUIRED.—The Commission shall, by rule, require, for each company filing periodic reports under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m, 78o(d)), that the principal executive officer or officers and the principal financial officer or officers, or persons performing similar functions, certify in each annual or quarterly report filed or submitted under either such section of such Act…

SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS

(a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall—

(1) state* the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

(b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

Page 8

What You Know You Don’t Know About Compliance (Cont.)

What’s the Difference between Assessments, Assertions and Attestations

SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS

(a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall—

(1) state* the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

(b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

*This statement regarding assessment is often referred to as an Assertion

Page 9

What You Know You Don’t Know About Compliance – What CEO/CFO Certification means

[Diagram: This is what CEO/CFO Certification means to one corporation]

Key Requirements for a Compliance Framework (SOX 404 or NI 52-109)

Control Design

Control Effectiveness

Page 10

What You Didn’t Know You Don’t Know About Compliance

Most people didn’t know they really don’t know what is required in order to assert “Internal Control Over Financial Reporting” (ICFR or ICOFR):

Frameworks

How to develop a Control Design

How to evaluate Control Effectiveness

How to provide evidence to support Assertions and Attestations

Page 11

What You Didn’t Know You Don’t Know About Compliance – Frameworks

[Diagram: the frameworks that feed a compliance program]

Auditing Standard 2 (AS2)

COBIT – Control Objectives

ITIL – Activities

ISO 17799 – Security

Internal Controls – Integrated Framework (Not ERM)

Version 2.0 benefits from lessons learned during the first two years.

Sarbanes-Oxley Act of 2002 / Bill 198

Page 12

What You Didn’t Know You Don’t Know About Compliance – Frameworks

[Diagram: The Core Framework and The Extended Framework, with COSO and COBIT columns]

Conceptual Level

Framework Level: COSO Component – COBIT Domain

COSO (Sub-Components) Points of Focus – COBIT High-Level Control Objectives Level

COSO Bullets under Points of Focus – COBIT Detailed Control Objectives Level

THE CORE FRAMEWORK: Pre-populated, fully annotated COSO and COBIT Control Objectives in increasing levels of detail.

THE EXTENDED FRAMEWORK: The Compliance Teams may populate the Processes, Risks, Controls and Tests at their preferred levels of granularity. Activity-level guidance is provided with exemplar sets of controls and tests.

> The company’s detailed processes for achieving the Control Objectives

> Risk of Non-compliance (N-C)

> Company Controls

> Tests and subsequent Remediation / Remediation Action Plans, if required

Page 13

What You Didn’t Know You Don’t Know About Compliance – How to Develop a Control Design and Evaluate Control Effectiveness

[Diagram: the Extended Framework levels, labelled Control Design and Control Effectiveness]

> The company’s detailed processes for achieving the Control Objectives – Documented at this level are the processes of the company

> Risk of Non-compliance (N-C) – Documented at this level are specific risks associated with the process

> Company Controls – Documented at this level are specific controls associated with the mitigation of risk

> Tests – Documented at this level are specific tests associated with the control

> Remediation

> Remediation Action Plans

Achieving Operational Effectiveness

Certifications typically take place after remediation is completed, but remediation could be cut off at a point in time and status certified at that point in time. (“Certification” is certification of status at a point in time, not certification of compliance.)

If remediation is required, action plans are executed and the control re-tested. The current state of remediation (and future activity, if required) is documented at the time of certification.

Control Design

Control Effectiveness

Page 14

“THE” Best Practices Frameworks

COSO – The Committee Of Sponsoring Organizations of the Treadway Committee

COBIT – Control Objectives for Information and Related Technology, Version 4

“THE” Best Practices Guidance

IT Control Objectives for Sarbanes-Oxley, Second Edition

and

“THE” Best Practices Project Plan

The Compliance Road Map from IT Control Objectives for Sarbanes-Oxley, Second Edition

What You Didn’t Know You Don’t Know About Compliance- How to provide evidence to support Certifications and Attestations

Page 15

What it Means to You as a Project Manager

- How to provide evidence to support Certifications and Attestations

Road Map Items 1 & 2

Page 16

What it Means to You as a Project Manager

- How to provide evidence to support Certifications and Attestations

Road Map Items 3 & 4

Page 17

What it Means to You as a Project Manager

- How to provide evidence to support Certifications and Attestations

Road Map Items 5 & 6

Page 18

What it Means to You as a Project Manager

Let’s repeat the survey you took at the beginning of this session.

If you were being interviewed to lead a compliance project tomorrow, do you think you could demonstrate enough knowledge to be selected to lead the project? Vote with a show of hands

Based on the answer you gave above, would the impact on your career be positive or negative? Vote POSITIVE with a show of hands

Or Negative? Vote NEGATIVE with a show of hands

Or not affect it at all? Vote WOULDN’T AFFECT ME with a show of hands

Page 19

Resources for the Project Manager

Description and links to “must have” resource documents (Remember, links are active only when the presentation is in “slide show mode”)

This Presentation: http://www.elegantsolutions.ca/Download.html

AICPA (for COSO) http://www.aicpa.org/index.htm

ISACA (for COBIT) http://www.isaca.org/

ITIL (IT Infrastructure Library) http://www.itil.co.uk/

ISO (International Organization for Standardization) http://www.iso.org/iso/en/prods-services/popstds/informationsecurity.html

SEC on SOX http://www.sec.gov/spotlight/sarbanes-oxley.htm

PCAOB Latest News http://www.pcaob.org/News_and_Events/Updates/index.aspx

OSC List of Regulations http://www.osc.gov.on.ca/Regulation/Rulemaking/Current/rrn_part5_index.jsp

The Canadian Securities Administrators http://www.csa-acvm.ca/home.html

Deloitte on CSA Notice 52-313 (on dropping 52-111): http://www.deloitte.com/dtt/article/0,1002,sid%253D3557%2526cid%253D115078,00.html

PWC’s CFOdirect Network http://www.cfodirect.pwc.com/CFODirectWeb/Controller.jpf?NavCode=MSRA-6NR6EK

(This screen is also a page on: http://www.elegantsolutions.ca/gpage.html)

Page 20

Resources for the Project Manager

Final thoughts for those attending today – buy these products for educational and project management purposes:

COSO Small Public Companies Download

COSO Internal Controls – Integrated Frameworks download

COBIT4 Download and subscribe to COBIT Online

IT Control Objectives for Sarbanes-Oxley, Version 2

Mapping Documents from ISACA – some require registering and/or membership (Example – COBIT4 to PMBOK)