Lessons learned: COSO, COBiT and other emerging standards for SOX compliance.
After nearly three years, many companies still are coming to grips with the Sarbanes-Oxley Act See SOX. , specifically Sec. 404, and other new compliance laws, such as HIPAA (Health Insurance Portability & Accountability Act of 1996, Public Law 104-191) Also known as the "Kennedy-Kassebaum Act," this U.S. law protects employees' health insurance coverage when they change or lose their jobs (Title I) and provides standards for patient health, and Gramm-Leach-Bliley.
And even now, there are lessons to learn regarding tools and methodologies used during these early stages of Sec. 404 compliance.
Although SOX (1) (Schema for Object-oriented XML) An XML schema developed by Veo Systems and Muzino Communications, which was submitted to the W3C. SOX is based on DTD, but adds data typing and reuse mechanisms. is relatively new, the compliance methodologies that companies employ are well-established and direct outgrowths of established best practices.
Adopted frameworks used in rendering Sec. 404 compliance services include The Committee of Sponsoring Organizations' Internal Control-Integrated Framework and Control Objectives for Information and Related Technologies.
THE COSO COSO Committee of Sponsoring Organizations of the Treadway Commission
COSO Church of Spiral Oak
COSO Corporate South
COSO Class of Service Override
COSO Combat Oriented Supply Operations (USAF) REPORT
The most commonly used framework for evaluating financial reporting internal controls is COSO's Internal Control-Integrated Framework, which established a broad definition of internal control extending to all objectives of an organization.
The report establishes three categories of controls: effectiveness and efficiency of operations; reliability of financial reporting; and compliance with laws and regulations.
COSO also identifies five, inter-related components that must be functioning to have an effective internal control system, as well as describes the criteria for effective internal control mechanisms.
THE COBiT STANDARD
COBiT is a 1996 IT control framework published by the IT Governance Governance makes decisions that define expectations, grant power, or verify performance. It consists either of a separate process or of a specific part of management or leadership processes. Sometimes people set up a government to administer these processes and systems. Institute and the Information Systems Audit and Control Association Information Systems Audit and Control Association (ISACA) is an international professional association for information system audit. ISACA is an affiliates member of IFAC and IT Governance Institute. . It's built, in part, upon COSO's framework and provides a comprehensive approach for managing risk and control of information technology. COBiT comprises four domains, 34 IT processes and 318 control objectives.
The framework has been adopted worldwide by leading companies, financial institutions and governments as a consistent approach to complying with SOX.
COBiT is considered a gold standard because it indicates good practices for the management of IT processes in a manageable and logical structure. This structure bridges the gaps between business risks, technical issues, control needs and performance measurement requirements.
No. 1: Automated au·to·mate
v. au·to·mat·ed, au·to·mat·ing, au·to·mates
1. To convert to automatic operation: automate a factory.
2. Software Tools Aren't the Solution. In response to SOX, many software companies and enterprise resource planning See ERP.
(application, business) Enterprise Resource Planning - (ERP) Any software system designed to support and automate the business processes of medium and large businesses. vendors sought to develop software that could document company processes, identify risks, develop test procedures, track the test results and document project status.
At first, the concept seems appealing. However, companies considered these compliance tools an additional cost to an already expensive government mandate. Such software solutions require companies to purchase the software license and database, additional hardware and network equipment; pay annual maintenance fees; and invest time and money in staff training.
The complexity added by new tools made it more difficult for companies to complete the project on time, in part, because the addition of a software package risked shifting the CFO's compliance project to an IT project.
As a result, many companies are using standard office automation tools, such as basic word processing word processing, use of a computer program or a dedicated hardware and software package to write, edit, format, and print a document. Text is most commonly entered using a keyboard similar to a typewriter's, although handwritten input (see pen-based computer) and software, spread-sheets and project management software, to document and report SOX compliance.
No. 2: Everyone Participates. SOX projects require participation from many levels of an organization, and for Sec. 404 compliance projects to succeed, companies must make their staff an active participant on the integrated project team.
People need to prepare for compliance consultants or auditors, and companies must commit staff and resources to make efficient use of outside consultants.
No. 3: SOX Soul Searching. For best results, SOX projects should be seen as an opportunity for the company to identify and eliminate or mitigate mit·i·gate
To moderate in force or intensity.
miti·gation n. weaknesses, as well as to build upon identified strengths.
SOX compliance can have multiple outcomes, ranging from the introduction of new initiatives to implementing business processes and business enablers throughout the company.
When looking into SOX compliance efforts, publicly held companies must articulate articulate /ar·tic·u·late/ (ahr-tik´u-lat)
1. to pronounce clearly and distinctly.
2. to make speech sounds by manipulation of the vocal organs.
3. to express in coherent verbal form.
4. the following:
* Management of the company is responsible for establishing and maintaining adequate internal controls and procedures for financial reports.
* Management's assessment of the effectiveness of the company's internal control over financial reporting, based on management's year-end evaluation, including the disclosure of any material weakness.
Proper SOX compliance will enable all business functions within the company to propose, debate and negotiate what the company's priorities and business initiatives ought to be.
APPROACHES TO COMPLIANCE
Although Sec. 404 compliance projects are intended to be comprehensive, they don't need to be overwhelming. Companies ought to use the opportunity to re-engineer and streamline their business processes.
As a rule, companies should consider the following when they embark on Verb 1. embark on - get off the ground; "Who started this company?"; "We embarked on an exciting enterprise"; "I start my day with a good breakfast"; "We began the new semester"; "The afternoon session begins at 4 PM"; "The blood shed started when the partisans a Sec. 404 compliance project:
1. Make staff available to the SOX project team.
2. The project team must include company management, company functional staff and members of the consulting team.
3. The team will apply the COSO framework for the business processes.
4. The team will apply the COBiT framework for its IT area.
5. The project must have program and project managers who are accountable.
A well-planned Sec. 404 project may be segmented into seven phases:
1. Project Planning project planning - project management and Orientation--Through interviews with company management and internal subject matter experts, consultants will gain an understanding of the company's business practices, policies and procedures Policies and Procedures are a set of documents that describe an organization's policies for operation and the procedures necessary to fulfill the policies. They are often initiated because of some external requirement, such as environmental compliance or other governmental ; code of ethics Code of Ethics can refer to:
2. Corporate Level Control Assessment--Consultants interview company executives and board members to understand the company's internal controls and its commitment to its board of directors and audit committee; integrity and ethics ethics, in philosophy, the study and evaluation of human conduct in the light of moral principles. Moral principles may be viewed either as the standard of conduct that individuals have constructed for themselves or as the body of obligations and duties that a ; and other related governance issues.
3. Process Documentation and Narratives--Project team leaders develop narratives (describing how tasks are accomplished) of the key processes, which are deemed "high" and "medium" complexity. The documentation and narratives address outstanding issues, risks and any initial design remediation that may be required.
4. Develop Individual Control Matrix--Consultants develop a control matrix for each of the identified processes. The matrix is part of the COSO framework and includes, but is not limited to, cycle identification; financial statement assertions; control objectives; control risks; control activities; control type; control frequency; control owner; test procedures; test results; gaps; and remediation needed.
5. Develop Early Remediation Plan--Consultants develop an early remediation matrix for the identified processes. The team then prioritizes and implements the remediation.
6. Develop Test Procedures and Test Performance--Consultants develop test procedures and determine the type of test to be performed for each of the control activities identified in Phase 4. After the tests are developed, the integrated project team performs the test procedures using specialized spe·cial·ize
v. spe·cial·ized, spe·cial·iz·ing, spe·cial·iz·es
1. To pursue a special activity, occupation, or field of study.
2. test templates. Any gaps or failed tests will be identified and evaluated, and a determination made as to whether or not the gap or failure is significant enough to constitute a material weakness.
7. Identify and Implement Remediation, then Re-test--The integrated project team recommends actions to close the gaps and pass the tests. This remediation plan prioritizes the agreed upon Adj. 1. agreed upon - constituted or contracted by stipulation or agreement; "stipulatory obligations"
noncontroversial, uncontroversial - not likely to arouse controversy remediation. The integrated project helps implement the remediation suggestions. Finally, the remediation processes have to be tested.
BY ROBERT PUTRUS, PE, CMC (Common Messaging Calls) A programming interface specified by the XAPIA as the standard messaging API for X.400 and other messaging systems. CMC is intended to provide a common API for applications that want to become mail enabled.
Robert Putrus, PE, CMC is president of Institute of Management Consultants-San Diego Chapter. You can reach him at (760) 550-2160 or email@example.com.