Transcript Document

A Practical IT Approach To Sarbanes-Oxley
Compliance
Managing IT in the real world
Ecora and Sarbanes-Oxley Compliance
Agenda
•
•
•
•
•
•
Sarbanes-Oxley -- What is It?
Some Definitions
Where are companies in compliance effort?
Why should I care?
Why a Framework?
COSO
–
–
•
•
COSO IT Controls
IT General Controls
Example of compliance work with a customer
Summary
Managing IT in the real world
Sarbanes-Oxley – What is it?
Federal law that imposes strict new
financial reporting requirements for
publicly traded companies.
Places burden on management to devise
safeguards around the financial reporting
process
Specifically identifies IT as a key
component of process and audit activity
Managing IT in the real world
Sarbanes-Oxley – Definitions
Section 302 – Quarterly and annual reporting – set up
internal controls. CEO and CFO own it.
Section 404 – Management Assessment of Internal
Controls
» Annual evaluation of internal controls
» Quarterly filing of material changes to
internal controls
» Independent audit of internal controls
» Recognized control framework required for
assessment
Managing IT in the real world
Sarbanes-Oxley – Definitions
•
•
•
•
•
PCAOB – Public Company Accounting Oversight Board –
established to oversee audits…
Audit Standard No. 2 -- 200 page document defines SOX
auditing standards
COSO -- Committee of Sponsoring Organizations of the
Treadway Commission – Internal Control – Integrated
Framework, PCAOB referenced framework
CobIT – Control Objectives for Information and Related
Technology – another well known framework
Internal Control – A process designed….to provide reasonable
assurance regarding the reliability of financial reporting and the
preparation of financial statements for external purposes in
accordance with generally accepted accounting principles….
(SEC Definition)
Managing IT in the real world
Sarbanes-Oxley – Definitions
•
•
•
•
Internal Control (cont.) – Internal control is not “one-size-fitsall,” and the nature and extent of controls that are necessary
depend, to a great extent, on the size and complexity of the
company.
PCAOB Auditing Standard No. 2
Control Deficiency – exists when design or operation of a
control does not allow management or employees …to prevent or
detect misstatements on a timely basis.
Significant Deficiency – control deficiency (or combination of
CDs) that adversely affects company’s ability to initiate,
authorize, record, process, or report external financial data
reliably
Material Weakness – significant deficiency (or combination of
SDs) that results in more than remote likelihood that a material
misstatement of annual or interim financial statements will not be
prevented or detected
Managing IT in the real world
Where are companies in the process?
Plan
Document
Test
Report
Two Groups
< $75M Market Cap – 11/15/04
64% Testing
34% Documentation
2% Reporting
> $75M Market Cap – 7/15/05
60% Testing
34% Documentation
3% Reporting
3% Planning
Ernst&Young 2004
Managing IT in the real world
Sarbanes-Oxley – Why should I care?
SOX is changing IT
– No more IT closed “black box”
– Auditors – with technical expertise -- are now
looking closely at IT
– E&Y projects that next year IT portion of SOX audit
will grow from 10% to 25%.
Managing IT in the real world
Sarbanes-Oxley – Why should I care?
IT an integral part of the financial reporting and
control process
• Management’s heavy dependency on IT
» High degree of automation in
processing day to day transactions
» IT data elements are the primary
source of data used in decision-making
» IT availability / integrity critical to the
financial statement close and reporting
processes
Managing IT in the real world
Why a Framework?
1. SOX Mandate -- Assessment of effectiveness requires
“..suitable, recognized control framework...”
• Must be identified in annual report
• COSO is specifically referenced by PCAOB and forms
foundation of its Auditing Standard No. 2.
2. It makes sense
• Provides structure
• Identifies functional areas of focus
Managing IT in the real world
COSO Framework
A common sense approach to implementing
internal controls
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
Managing IT in the real world
COSO IT Controls
COSO identifies two broad groupings of
information system control activities.
Control Activities
Application Controls
Application controls – apply to business processes
and designed within applications to prevent/detect
unauthorized transactions.
General Controls
General Controls – apply to all information systems,
support secure and continuous operation. They support
all other controls
Managing IT in the real world
IT General Controls
IT general controls are foundation for all IT controls
Significant Accounts in Financial Statements
Balance
Sheet
Income
Statement
SCFP
Notes
Other
Business Processes/ Transaction Classes
Process 1
Process 1
Process 1
Application
Controls
Financial Applications
Application X
Application Y
Application Z
IT Infrastructure Services
General Controls
Database
Operating System
Network
Managing IT in the real world
Adapted from IT Control
Objectives for SarbanesOxley by the IT
Governance Institute
IT General Controls
IT General Controls are IT processes and related controls
that are generally applied to support the computer
application level. However, they may be performed on a
single platform or application.
IT general controls provide a focus for IT to identify,
assess, and develop internal controls around defined
areas of operation as they relate to financial controls
Tests for controls are specific activities or processes that
demonstrate and document proof that the controls are real
and in place.
Remember -- the whole point of SOX is financial reporting
– the objective is to provide documented proof that IT
systems associated with financial reporting are locked
down.
Managing IT in the real world
IT General Controls
Your infrastructure figuratively surrounds you’re
your financial reporting data. You need controls at
each level.
Network Access
System (OS)
Access to
System
Financial
Reporting
Data
System (OS)
Access to Data
Database Access
Managing IT in the real world
How Ecora helps with IT General Controls
Ecora Auditor maps to IT general controls. We provide
documented proof that you are complying with internal
controls for IT systems that impact financial reporting.
IT Infrastructure Services
General Controls
Database
Operating System
Network
Ecora Infrastructure Coverage
Database
MS-SQL, Oracle
Operating System
Windows, Solaris, HPUX, AIX, Red Hat Linux,
Novell
Network
Cisco
Managing IT in the real world
Ecora Enterprise
Auditor
Client Example
Database Internal Controls
Internal Control
Test of Internal Control
Ecora Report for Test
A process exists to
review and confirm
access rights.
Ensure each DBA has own account
and no generic accounts used to
bypass audit trail of DBA activity
DBA Accounts
Ensure appropriate Authentication
Mode is configured
Authentication Mode
Ensure all logins have passwords
and not default password
Login Password
Review role memberships and
permissions to ensure appropriate
access and privileges to databases
Role Permissions &
Memberships
Set file system privileges to prevent
unauthorized access to database
server data files, log files, and
backup files
System Privileges
Ensure Verify Function exists and
valid to ensure user passwords are
validated and strong password
criteria required
Verify Function
Managing IT in the real world
Client Example
Database Internal Controls
Internal Control
Appropriate
controls exist to
review and
manage remote
network access
Test of Internal Control
Ecora Report for Test
Prove adequate password validation in
place
Password Lifetime,
Password Grace Period,
Password Reuse Time,
Failed Login Attempts,
Password Lock Time
Audit and review list of linked and
remote servers
External Servers
Identify all public database links. Review
and replace with private links as
appropriate to restrict access to
confidential data
Public Links
Managing IT in the real world
Client Example
Database Internal Controls
Internal Control
Test of Internal Control
Ecora Report for Test
Controls exist to
insure data is
collected for
tracking user
activity
Set Initialization Parameters to provide
security and ensure database auditing
is active
Initialization
Parameters
Enable audit events to provide audit
trail of user activity
Auditing Enabled
Audit and review DB owner for each
database
DB Owner
Enable Archive Log Mode to allow
point in time recovery to ensure data
not lost when recovering
Archive Log Mode
Managing IT in the real world
Client Example
OS Internal Controls
Internal Control
Test for Internal Control
Ecora Report for Test
A control process
exists to review and
confirm access OS
rights.
Audit and review user privileges on
each system
User Privileges
Audit and review system access
permissions to sensitive files
NTFS Permissions
Ensure systems configured to restrict
anonymous remote access to your
systems.
Remote Access
Select sample of terminated
employees and determine if their
access has been removed
User Access
Managing IT in the real world
Client Example
OS Internal Controls
Internal Control
Test for Internal Control
Ecora Report for Test
Procedures for
protection against
malicious programs
are in place through
the use of anti-virus
and other software
and measures
Ensure systems are updated
with appropriate service
packs and hotfixes
Patch Levels
Ensure anti-virus software
installed on systems
Computer without Antvirus Installed
Managing IT in the real world
Client Example
OS Internal Controls
Internal Control
Test for Internal Control
Ecora Report for Test
Procedures exist
to maintain
effectiveness of
authentication
and access
mechanisms
Ensure built-in local administrator account
is renamed
Built-in Admin
Renamed
Ensure strong password and account
lockout policies are implemented.
Password Policy
Ensure all services are configured
appropriately and that only required
services are running to protect system
from unauthorized access
Services Summary
Audit and review list of local
administrators to ensure only appropriate
accounts have full admin privileges
Admins Group Report
If using SNMP ensure appropriate
Community String(s) defined to prevent
unauthorized users from obtaining
systems status information
SNMP
Managing IT in the real world
Client Example
OS Internal Controls
Internal
Control
Test for Internal Control
Ecora Report for Test
IT
administration
insures
appropriate
audit
mechanisms
are in place to
allow detail
event tracking
Ensure strong audit policy configured to
ensure audit trail of events is recorded to
provide audit trail of user activity (e.g.
account login events, policy change, object
access, process tracking, etc..)
Audit Policy
Ensure event log setting are configured to
retain recorded events for appropriate time
and prevent guest access to logs
Event Log
Managing IT in the real world
Summary
Sarbanes-Oxley is here to stay – annual and
quarterly
Internal controls defined by each company
IT will bear an increasing burden of SOX compliance
Framework can be guide
IT general controls are foundation of all controls
Sustainability is requirement
Automation tools will make your job easier
Managing IT in the real world
And now a word from our sponsor…
Ecora Software, Inc. and Enterprise Auditor
• Enterprise Auditor automates the collection of configuration
data from the major infrastructure applications, databases,
OSs, and network components and delivers audit ready
reports.
• Ecora’s Enterprise Auditor forms the foundation for
Sarbanes-Oxley IT internal controls. It gives you a platform
for, and proof of compliance with IT internal controls.
• Solution Express combines Enterprises Auditor and an
Ecora Systems Engineer (no-charge) to get your IT
Sarbanes-Oxley compliance effort on a fast track.
Managing IT in the real world