Introduction by Compliancy Software


IT COMPLIANCE CONFERENCE 2007 | Sarbanes Oxley Compliance Process Automation


www.compliancysoftware.com


Transform risk management and compliance into business value

Introduction by Compliancy Software

This is a presentation delivered by Scott Rogers, Director of Internal
Audit for PPD at the IT Compliancy Institute conference on Risk
Management and Compliance on May 4, 2007 in Washington, DC.


In this session, Scott is addressing how PPD solved the challenges
of complying with Sarbanes-Oxley.


The automation components referred to in this presentation were
accomplished with the Compliancy Software solution.

Sarbanes-Oxley Compliance Process Automation


Scott Rogers

Director of Internal Audit



Pharmaceutical Product Development



Background


SOX Overview and Challenges


The Rules


The Scope and Purpose


The End Product


The Challenges


SOX and the IT Function


What is ITGC?


Using IT to Automate Controls.


Automation of the SOX Compliance Process


Group Discussion and Questions


Agenda



Scott Rogers, CPA, Director of Internal Audit


Responsible for the Global Sarbanes-Oxley Compliance Process





Pharmaceutical Product Development, Inc.



Contract Research Organization, Phase I-IV Development Services


HQ in Wilmington, NC


$1.3B Revenue


$1.4B Market Cap


10,000 Employees in 28 Countries


Background


The SOX Landscape:


HQ in Wilmington, NC


12 SOX Geographic Locations Throughout Americas


55 Significant Processes


Approximately 500 Key Control Procedures


35 Process Owners


10 Internal Auditors, Globally


Initially the documentation was completely paper based (i.e.
Access, Word, Excel, etc.).


In 2006 we transitioned to a Professional System to manage
the Risk Assessment, Process Documentation, Issues
Management, Certification and Testwork processes.



Background


ITGC

Financial

Entity
Level

Mix of Controls


SOX Overview




The Rules



The Scope and Purpose



The End Product



The Challenges




PCAOB Established by Congress.


Established to Provide Oversight to the Public Accounting
Industry.


For Lack of Other Guidance, Management’s Compliance
Program Has Been Designed to Comply with PCAOB
Standards.


Your External Auditor Has a Significant Influence on
Management’s Compliance Program.


New Rules are Coming Soon!


PCAOB Is Issuing a Standard for External Auditors.


SEC Will Issue a Standard for Management To Follow


How are the New Rules Different?



SOX Overview


The Rules



Any Process, System, Transaction or Communication that
could potentially have a Significant effect on the Accuracy of
the Financial Statements.


Fraud - The Existence of Fraud Must Be Considered and
Evaluated Throughout the Process.


Entity Level Controls.


IT General Controls.


IT Application Controls.


The Sole Purpose Is To Ensure That Financial Statements are
Accurately Reported.

SOX Overview


Scope and Purpose


QUARTERLY


CEO and CFO Must Personally Sign a Public Statement
which states that the Internal Control Structure is
Appropriately Working


ANNUALLY


Two Separate Audit Opinions From the External Auditor

1. Opinion on the Design of the Internal Control Structure

2. Opinion on the Quality of Management’s Compliance Process


Audit Opinion From Management



SOX Overview


The End Product



Maintaining a Real Time Risk Assessment and Understanding
of the Entity Level, Financial and IT General Control
Processes.


Empowering Process Owners to Take Ownership in the Risk
Assessment and Enforcement of Control Processes.


Dealing With Change in Transactions, Human Resources,
Systems and Rules.


Tracking and Reporting Design and Operation Internal Control
Issues.


External Auditor’s Concurrent Review of the Process.


Involvement of a Large Cross Functional Group of People,
Systems and Processes.


Audit Evidence of Control Performance and Effectiveness.


SOX Overview


The Challenges


EVIDENCE


Verbal Inquiry, alone,
generally does not
constitute audit
evidence.


Verbal inquiry, alone,
does NOT constitute
audit evidence.

What are auditors looking for?


SOX and the IT
Function




What is ITGC?



Using IT to Automate
Controls.




Information Technology General Controls (“ITGC”)


How Does ITGC Affect the Financial Statements?


Change Control


Logical Access


IT Infrastructure


Networks, Data Centers, Underlying Data
Structures, Physical Assets


Segregation of Duties


Centralization and Consistency Will Make ITGC Easier.





SOX and the IT Function


What Is
ITGC?




Any IT Application’s Functionality That Helps Ensure Accuracy
and Integrity of Financial Data Can Be Relied Upon as a
Control.


The Testing Frequency of Programmed Controls Can Be
Significantly Less Than Manual Controls.


Application Development Should Include Your Company’s
Internal Controls Experts. They and IT Can Work to Build,
Identify and Rely on Programmed Controls.






SOX and the IT Function


Using IT To
Automate Controls


Automation of the
Processes




Risk Assessment



Testing



Planning and Management



Reporting




Management Certification Process


Quarterly, Management Is Required to Certify That the
Business and Control Processes Have Not
Significantly Changed.


Utilized a Customized Workflow to Deliver the Data to
Management.


Management’s Review is Scalable to Their Needs
Allowing For Many Different Levels of Review.


Utilized to Identify Changes and Enhance Our
Understanding of the Processes.


Helps Drive Management to “Own” the Processes.




Automation - Risk Assessment



Other Risk Assessment Activities


Status and Effectiveness of Controls is Automatically
Linked to Testing and Issues Processes.


Automated Issues Workflows Ensure Management
Knows Where They Have Remediation To Perform.


Change Control Provides External Auditors With a
Clear and Ongoing Map From One Period to the Next.


Maintaining an Ongoing List of Design Issues.






Automation - Risk Assessment (cont)



Design and configuration.


Scheduling


Allows Creativity and Flexibility in the Nature,
Timing and Frequency of Tests.


Change Control Over the Test Strategies.


Utilizes Workflow to Pass the Test to the Planner, Performer,
Reviewer and File Preparation Steps.


Electronic Work Papers and Audit Evidence.


Sample Selection Processes


Portals for Auditor / Management Communication and Data
Transfer


Automatic Selection of Samples



Automation


Audit Testing



Scheduling the Planning Related Activities and
Communications.


Scheduling the Key Communication and Reporting Dates.


Portal For Capturing Auditor’s Time Spent on Tests.


Maintaining the Global Scheduling, Time Analysis and
Efficiency Metric Analyses.


Portal for Capturing Auditor’s Recommendations and Design
Issues Noted.


Automation


Planning and
Management



Comprehensive Listing of Issues with Status.


Reporting of Delinquent Certifications.


Reporting of Delinquent Test Areas.


Dashboard Status Views of All Processes.


Automation - Reporting




SOX Is A Broad, Complicated and Changing Process Driving
the Need For Process Automation.



Process Automation Can Be Found In The Following:


Risk Assessment


Testing


Planning and Management


Reporting



Develop Strong Relationships With Internal Control Experts In
Your Company to Help:


Ensure ITGC Is Appropriately Designed.


Ensure Programmed Controls Are Identified and Utilized.

Summary


Questions

and Discussion

Contact Information

Scott Rogers

PPD

scott.rogers@wilm.ppdi.com

910 558 6790


Please Complete Your Session Evaluation



Transform risk management and compliance into business value

For More Information about Compliancy Software

Please visit our website at
www.compliancysoftware.com

Or

Call us at 1-919-342-6212

Or

Email us at info@compliancysoftware.com