The Sane Solution to SOX Costs
1. The Sane Solution to
Sarbanes-Oxley Costs
Dwayne E. Jorgensen, CIA, CFE
Consultant, Sarbanes-Oxley Services
& IT Governance
PROPRIETARY CONFIDENTIAL 1 The Sane Solution to Sarbanes-Oxley Costs
2. Who’s Watching the Store?
Role | Responsibility | Frequency under COSO | Frequency under SOX 302 | Frequency under SOX 404
Management | Owner of internal controls and ongoing monitoring | Ongoing | Quarterly | Annually
Internal auditors | Validators independent of management, but part of the company | Periodically | Quarterly | Annually
External auditors | Validators independent of the company | Annually | Quarterly | Annually
3. Cost of SOX Implementation
2005 SOX Expenditure by US firms: $6 Billion
Internal expenses: $2 Billion
Hardware/Software: $2 Billion
Consulting: $2 Billion
2006, 2007, etc. : ???
Source: Gartner
4. So What’s a Corporation to Do?
Continuous monitoring (CM) offers the only practical, cost-effective solution.
Build a system that provides a perpetual inventory of governance
Leverage IT to maximize automation and reduce staffing loads
5. Proposed CM Solution Pyramid
Oversight Component
“Tone at the top”: Executive buy-in, “spirit” vs. “letter”
Planning Component
SOX methodology: Assess, document, test, report
Co-sourcing Component?
Independent IT test services
Software Component
Various vendor process automation products
Ex.: Documentum®, Movaris OneClose®, ACL CCM®
Hardware/Data Integrity Component
EMC: Centera®, Proofspace encryption, record management automation
6. CM Solution Requirements
COSO component | Tool or process needed (examples only) | Resources needed
Monitoring | OneClose® | Technology (HW, SW)
Information & Communication | Documentum® | Technology (HW, SW)
Control Activities | ACL CCM® / OneClose® | Technology (HW, SW)
Risk Assessment | OneClose® | People (staff, mgmt., etc.)
Control Environment | Organizational consulting | People (staff, mgmt., etc.)
(Resources needed shift from technology at the top of the pyramid to people at its base.)
7. Key Recommendation
Validate the methodology by executing it on a pilot process (assess, document, and test)
Remediate consistently and constantly
Work with the external auditor to ensure the approach is satisfactory via a full trial on a key process before rollout
8. Internal Control Maturity Model
Stages: Initial > Repeatable > Defined > Managed > Optimizing
Initial: Control structure is not defined. Control occurs incidentally.
Repeatable: Control structure is not defined, but control processes may occur based on past success and management oversight.
Defined: Control structure is documented, standardized and integrated into control processes for the organization.
Managed: The control process is regularly assessed and tested. Detailed measures of the control process are collected and reported.
Optimizing: Continuous process improvement is enabled by quantitative feedback from the control process.
Predictability, effectiveness and efficiency of an organization's internal controls improve as the organization moves through these five stages.
9. COSO-Driven Methodology: Assess
Phase: ASSESS (ASSESS > DOCUMENT > TEST > REPORT, with Remediate running throughout)
Ongoing coordination between management, external auditor, and consultant
Form team
Process: Define overall SOX requirements; Identify and form team; Partner with external audit firm; Confirm audit universe
Outcomes: Management support; Internal champion; Trained team
Perform risk assessment
Process: Define risk weighting; Conduct assessment; Analyze assessment results
Outcomes: Consensus on objectives; Risk-ranked universe
Confirm results
Process: Confirm risk rankings; Map to knowledge base of mitigating practices; Present findings to management
Develop work plan
Process: Develop plan for documentation phase; Review plan with external auditor and management
Outcome: The plan
10. COSO-Driven Methodology: Document
Phase: DOCUMENT (ASSESS > DOCUMENT > TEST > REPORT, with Remediate running throughout)
Ongoing coordination between management, external auditor, and consultant
COSO alignment
Process: Define target maturity level by process; Assess COSO maturity by process; Identify where improvements are needed
Outcomes: COSO maturity ranking; Consensus on end state
Document control activities
Process: Define control objectives; Determine tool approach; Map assessment to objectives and identify gaps; Develop plan to address gaps with control changes
Outcome: Documented controls
Improve controls
Process: Assess and implement changes in controls; Test new processes and train users
Outcome: Improved controls environment
Define monitoring process
Process: Confirm the role of the internal audit department; Assess current monitoring environment; Implement monitoring process
Outcome: Ongoing monitoring
11. COSO-Driven Methodology: Test
Phase: TEST (ASSESS > DOCUMENT > TEST > REPORT, with Remediate running throughout)
Ongoing coordination between management, external auditor, and consultant
Management controls monitoring
Process: Educate management on controls; Develop framework for management monitoring; Facilitate management monitoring of controls
Outcome: Management control monitoring
Independent internal audit testing
Process: Develop framework for independent monitoring; Facilitate independent monitoring of controls
Outcome: Independent monitoring
Material weakness plan
Process: Identify weaknesses from management test; Develop action plan for weaknesses; Reiterate if necessary
Outcome: Management reporting process
Ongoing report process
Process: Implement process for ongoing quarterly reports; Define process for development of IC report; Partner with external auditor on report requirements
Outcome: Ongoing reporting
12. COSO-Driven Methodology: Report
Phase: REPORT (ASSESS > DOCUMENT > TEST > REPORT, with Remediate running throughout)
Ongoing coordination between management, external auditor, and consultant
Management report
Process: Management reports on role in controls; Management reports on testing process; Management delivers final controls report
Outcome: Management report
External audit
Process: External audit commences
Outcome: External audit report
External control testing
Process: External auditor tests controls per requirements; External auditor reviews management report
External auditor assertion
Process: External auditor issues final report; External auditor issues final assertion
Outcome: External assertion
13. Benefits/ROI
ROI is easily calculated from the FTE reduction that follows from PCAOB Auditing Standard No. 2 (AS2): an automated control can be tested once and relied upon, whereas a manual control must be retested each period.
A secondary benefit, especially the ability to store the results of continuous monitoring in an authenticated, digital format, should have a significant impact on future third-party litigation over alleged management misconduct, by proving that key control activities were in fact operating effectively.
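The "authenticated, digital format" above is the one technical requirement on this page, so here is an added illustration of it (not code from the presentation, and not how the EMC, Proofspace or other products named earlier work): a tamper-evident evidence log in which each control-test result is hash-chained to its predecessor and authenticated with an HMAC, so that a result altered after the fact no longer verifies. The control IDs, test descriptions, timestamps and signing key are constructed for the example and are hypothetical.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample results, as a continuous-monitoring job might record them.
# Control IDs and test descriptions are hypothetical.
SAMPLE_RESULTS = [
    {"control_id": "ITGC-ACCESS-01", "test": "terminated users disabled within 24h",
     "result": "pass", "exceptions": 0},
    {"control_id": "FIN-CLOSE-03", "test": "journal entries over $50k carry a second approval",
     "result": "fail", "exceptions": 2},
    {"control_id": "ITGC-CHANGE-02", "test": "production changes tied to an approved ticket",
     "result": "pass", "exceptions": 0},
]

GENESIS = "0" * 64  # prev_hash of the first entry


def _canonical(record: dict) -> bytes:
    # Deterministic serialisation: the same record always hashes to the same value.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_result(log: list, result: dict, key: bytes, recorded_at: str) -> dict:
    """Append one test result as a hash-chained, HMAC-authenticated entry."""
    prev_hash = log[-1]["entry_hash"] if log else GENESIS
    body = {"seq": len(log), "recorded_at": recorded_at,
            "prev_hash": prev_hash, "result": result}
    entry_hash = hashlib.sha256(_canonical(body)).hexdigest()
    mac = hmac.new(key, entry_hash.encode(), hashlib.sha256).hexdigest()
    entry = dict(body, entry_hash=entry_hash, mac=mac)
    log.append(entry)
    return entry


def verify_log(log: list, key: bytes) -> tuple:
    """Return (True, len(log)) if every entry chains and authenticates,
    otherwise (False, index_of_first_bad_entry)."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        body = {k: entry[k] for k in ("seq", "recorded_at", "prev_hash", "result")}
        if entry["seq"] != i or entry["prev_hash"] != prev_hash:
            return False, i  # chain broken or entries reordered
        expected_hash = hashlib.sha256(_canonical(body)).hexdigest()
        if not hmac.compare_digest(expected_hash, entry["entry_hash"]):
            return False, i  # content edited after recording
        expected_mac = hmac.new(key, expected_hash.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_mac, entry["mac"]):
            return False, i  # entry not produced under this key
        prev_hash = entry["entry_hash"]
    return True, len(log)


def build_sample_log(key: bytes) -> list:
    log = []
    for n, result in enumerate(SAMPLE_RESULTS):
        append_result(log, result, key, f"2006-03-31T00:0{n}:00Z")  # constructed timestamps
    return log


def tampered_copy(log: list) -> list:
    """Simulate after-the-fact editing: the failed test is rewritten as a pass."""
    altered = copy.deepcopy(log)
    altered[1]["result"]["result"] = "pass"
    altered[1]["result"]["exceptions"] = 0
    return altered


if __name__ == "__main__":
    key = b"hypothetical-evidence-signing-key"
    log = build_sample_log(key)
    print("original:", verify_log(log, key))            # (True, 3)
    print("tampered:", verify_log(tampered_copy(log), key))  # (False, 1)
    print("truncated:", verify_log(log[:2], key))       # (True, 2)
```

Two caveats a practitioner would want. First, a hash chain detects edits and reordering but not truncation: dropping the last entries still verifies, as the third call shows, so the current head hash and entry count must be committed somewhere the log writer cannot rewrite (WORM storage or an independent timestamping service, which is what the Centera and Proofspace items on the hardware/data integrity slide are for). Second, if the signing key lives on the same system as the log, anyone with that access can re-sign an altered history; since the litigation scenario above is precisely about management's own conduct, the key must be held by a party independent of management, or replaced with a third-party timestamp.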