Sarbanes-Oxley Projects

Rick Storck Racine, Wi, United States
Hello,
I am interested in learning where I can get additional information on what Sarbanes-Oxley entails and whether anyone has project-managed a project like this before. What are the pitfalls that should be avoided, and what good techniques and controls should be put in place to manage such projects successfully? What has worked successfully for you as a Project Manager? Also, has anyone used COSO, which is the framework for financial standards and organizational control, as well as CoBIT, which is the predominant model for IT controls and which aligns with COSO? Where can I get more information on these two frameworks, and how do they tie together for building compliance? Any information would be very helpful.
Thanks, Rick
Scott Kinney Longport, Nj, United States
Rick,
These are things that work for me; your mileage, of course, may vary.

First, get yourself a copy of the actual law, read it, highlight the heck out of it. The legislation is the universe of business requirements, and their associated definitions.

Second, make one of the compliance litigators one of your very best friends. They can tell you how the law is being interpreted and enforced out on the street, as it were. Between the litigator and senior management, you can carve down the universe of requirements to those you need to work on. If you do this right, you have an automatic deliverable back to the board that says "We are already in compliance on the following things, and are actively working on the others."

There are some requirements of the law that could be split off into separate projects (publishing financial results comes to mind), if you like.

Third, in many respects Sarbanes-Oxley compliance is like the efforts you already put forth in regular operations. Exploit them for all they're worth. It provides you with easily understood metaphors; it gives parts of the project an 'enhancement' flavor instead of a 'new thing' flavor.

And before you do anything else, learn to call it 'SOX' (grin).

Hope this helps. Ask more if you want, I do a lot of compliance projects.
Rick Storck Racine, Wi, United States
Thanks Scott for all the good information.

I am going to be working on the SOX project from an IT perspective. Basically coordinating efforts for documenting current procedures to identify gaps and to plan changes to existing systems and processes that are not in compliance. Do you happen to know how the CoBIT framework is used to identify gaps and deficiencies and ultimately the changes that are required? Do you have any suggestions on templates used and how these types of activities should be tracked? Also, I want to get a good book on learning the law and the techniques used to successfully manage these types of projects. Thanks again for your feedback.
Rick
Scott Kinney Longport, Nj, United States
Rick, I'm not familiar with CoBIT, so I can't help you there. There are tools/applications for documenting processes and procedures. I've only used one of them, so I'm not in a position to make any recommendations beyond that you should look into some sort of 'power tool' for documenting procedures. Part of compliance is being able to demonstrate and document compliance.

The key to any template you'd use or make in this project is to keep a very crisp understanding of what would be accepted as evidence of compliance. There should be some sort of decision tree or formal analysis that you apply each time, and some kind of hard documentation that you can use to demonstrate that you're done with something.

At some point, I think you're going to have a long list of business processes, systems and applications to review. If you're feeling adventurous, steal, I mean borrow, the 'short cycle iteration' concept from agile development methods to publish your results at the end of each week, keeping a pretty good eye on the work involved in each one.

A book on managing compliance projects? I don't know of one (maybe I should write one, develop a special purpose methodology for compliance work, run seminars... nah...). As for learning the law, go straight to the source first. Download it from the Federal Govt. Anyone else's book will be *their* interpretation. You and your company will be better off working to your own interpretation. That way, you can review others' recommendations with a more discerning and knowledgeable eye.
Scott Kinney Longport, Nj, United States
Another point in favor of reading the actual law is that there is almost nothing that can beat stopping a pointless argument by citing a section and paragraph.

I did that in one meeting, coming up with the citation before the lawyer could, and it absolutely cemented my relationship with her on the project. I had her respect and support from that point on...
Len Green Principal| TSI Transforming Solutions Inc Palatine, Il, United States
For really good information from "the horse's mouth", search the following websites for official documents, FAQs, etc.:
www.coso.org - the official COSO site
www.pcaobus.org - the body that oversees public company accounting now (PCAOB)
www.theiia.org - Internal Audit Institute
www.isaca.org - covers COBIT and how it maps to the COSO framework
www.aicpa.org - go to the bookshop to get the COSO Internal Framework and templates.

On these sites look especially for the publication on Enterprise Risk Management. Lots to read :)
John Pao Marlboro, Nj, United States
For brevity, I've posted a snippet of the SOX section 404 rules that should keep the auditors in demand for some time:

"...to contain an internal control report, which shall- (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the company's most recent fiscal year of the issuer, of the effectiveness of the company's internal control structure and procedures for financial reporting. (b) Internal Control Evaluation and Reporting - With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement."

Basically, the rules require that due diligence be exhibited for any business process flow that can have a material effect on SEC filings. Since so much of what we do revolves around technology, we need to ensure ample controls exist to manage risk. There is no specific guidance for implementing compliance, although the SEC does reference COSO as an endorsed framework for assessment. Note: ISO/IEC 17799 or NIST might work just as well, but it's not mentioned by the SEC. That's why you'll probably end up being pushed down the CobIT path.

The amount of remediation required will vary significantly. Simply stating that basic integrity controls exist probably won't be enough to satisfy any auditor worth his/her salt. You'll need to show that there were standards in place, that they were being followed, and that controls were tested and documented. CobIT will not provide you the detailed technical criteria needed to perform self-directed assessments. For that you'll have to consult with your security and audit staff.
Amitesh Sinha Reston, Va, United States
Rick, before we go into major details on SOX: are you doing the SOX initiative for your own company, or are you consulting for another company? This is an important question, since the view will differ in either case.

I am sure by now you will have known 10% of Sarbanes Law and its filing procedures. If you are specifically looking for 404 controls, then this is the right time for you. Question 1: if you are doing it for your company, are you document-aware, do you have business processes in place, are your business process owners aware of their processes, and do they take ownership of the same? If you are doing it for another client, then you need to check with the CFO and the business users if they are done with their internal controls, their AS-IS processes and documentation of the same. More often than not, you will get a negative as a reply. It is expected, as people are scurrying to meet the deadline for 404 specifications more than anything else. Again, back to my question on whether you are doing it for your company or not: if yes, then you need to check with your internal auditors if they have been able to identify the high-risk processes in your company and if they are able to quantify them. Have they checked with your external auditors if they are OK with not ratifying the low-risk processes? If you are doing it for your client, then the internal auditor will not reply to you, and you will have to ask the CFO to answer these questions for you.

But hey, this is just the tip of the iceberg; if you need more info you can always contact me directly: Amitesh Sinha, [email protected].
Thanks
Amitesh Sinha Reston, Va, United States
Rick, to add on to what I have mentioned before. If you are looking to work on IT controls for SOX, then you will want to know more about the governance from a business point of view. What you eventually want to know is how you can be aware that a business process failed, or how you would be aware that processes failed to originate because some intermediate process failed. What we are all trying to achieve today is to somehow meet the 404 control deadlines; but as a matter of rule, you want to get yourself audited every quarter, and you want to be able to do a comparison of two quarters at any given point in time on how you fared. More often than not you will find variance in your pass and fail numbers. That is what needs to be alerted on through a robust system. The end story of it all is that we all need a portal system which gives you a dashboard view of the company at large and then breaks it down into departments. The Accounts guys, the CFO in particular, would always want to know what the max failures are on the high-risk items; he would need a mechanism to alert him if a PO got generated and an invoice got received but never got entered. Basically, what I am talking about is a command and control portal which helps you take control of your business. What I am also trying to push for is preemptive and detective alerts for efficient business processing.

I am sure we can keep talking about all this for ages, but SOX will come and go and another XYZ will come next; but if we are able to build a BAM (Business Activity Monitoring) system, and build a portal like I have described, suddenly at the executive levels our lives have become a lot easier.
