Sarbanes-Oxley was passed in the wake of a number of notable corporate accounting scandals including Enron and WorldCom.
And now in this training presentation, you will understand why and how this is important for us.
2. Amarnath Gupta
11 years of experience working in Systems & Operations in various roles.
4 years focusing on SOX-related tasks.
Amarnath is not an attorney or an auditor.
Has delivered 300+ hours of training on various IT and IT-related methodologies.
3. What is SOX?
SOX provides the foundation for new corporate governance rules, regulations and standards issued by the Securities and Exchange Commission. It covers a range of topics from criminal penalties to Corporate Board responsibilities. SOX also covers issues such as independent auditing requirements, corporate governance, internal control assessment, and enhanced financial disclosure.
CEOs of publicly traded companies will be held accountable for the quality of the controls established which enable accurate financial reporting (including IT processes, systems and roles).
4. Penalties
Section 802(a) of SOX states: “Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.”
5. What prompted SOX?
Sarbanes-Oxley was passed in the wake of a number of notable corporate accounting scandals including Enron and WorldCom.
7. SOX on the horizon?
The primary thing to remember is that SOX is about mitigating the risk of fraud, and about financial transparency and process control. This will change how you do things, but that does not have to be a bad thing.
8. A hint on policies
Bear in mind that you will be held to the letter of all policies your company develops related to SOX, even if they exceed federal requirements. This is very important to remember when drafting policies.
Policies should ensure that corporate behavior is consistent, controlled, and can be proven.
9. A word on Frameworks
There are many frameworks out there to assist you with SOX compliance. The key is to find a framework that works for your team, commit to it, train on it, and use it to your best possible advantage.
10. Examples of COBIT Controls
Network Security – Firewalls, secure network configuration including 802.11x
Virus Protection – Anti-virus and anti-spyware updated regularly
11. Examples of COBIT Controls
Backups & Restore – Regularly tested procedures
IT Continuity – Disaster Recovery Procedures
12. Examples of COBIT Controls
File Access Privilege Controls
Identity Management – Password strength/age and access. Who has access, and is that appropriate now?
13. Examples of COBIT Controls
Risk Evaluation Programs – Risk assessment and internal auditing.
Employee IT Security Training – Training of end users related to utilization of resources.
14. Examples of COBIT Controls
Management support/buy-in – Executive-level oversight of projects related to IT.
IT as part of strategic planning – The business must be supported by technologies.
15. Change Management (Amarnath’s favorite)
Standardized change control is a great place to find fast rewards in pursuit of compliance.
Change Approval
Change Categorization
Change Documentation
Change Prioritization
Formal Request for Change Process
A body of subject matter experts that oversees change.
17. “Operationalize” information
Connect the internal changes needed with the strategic objectives of the company.
Illustrate that real-time information flow enhances your organization’s ability to make decisions while making compliance easier.
Point out the significance of new activities that may seem mundane or inconsequential. This will help actions taken by staff at every level feel more relevant and less painful.
18. Remember W. Edwards Deming?
• SOX compliance is not a fix-it-and-forget-it endeavor.
• As companies and the ecosystems that support them change, new compliance quandaries will come up.
19. Wait, how can SOX help me?
Perspectives on operational control, consistency, and quality take on a whole different meaning once they have a clear relationship to fiduciary responsibility.
It is amazing how different the conversation about project prioritization becomes once executive management is offered the opportunity to make the decisions guiding it.