RE: Use of frameworks for SOX documentation

Subject: RE: Use of frameworks for SOX documentation
From: Rose -dot- Wilcox -at- aps -dot- com
To: "TECHWR-L" <techwr-l -at- lists -dot- techwr-l -dot- com>
Date: Wed, 22 Sep 2004 11:08:46 -0700


Lisa Wright wrote:
<<
Since January I've been working on Sarbanes-Oxley 404 documentation
projects. Most have been at the business activity level and a bit at the
entity level, but now I'm getting more involved on the IT side. The
legislation declares that the company must adopt a framework against
which to document their controls. Several standards that have been
adopted are:
>>

I've been involved mainly on the IT side.

<<
1. COSO, for Business Activity processes (i.e., generation of financial
transactions and related processes that affect the financial
statements.)
2. COBIT, for IT General Application Controls. The Cobit
standard has more than 300 items and is now generally considered too
broad for SOX purposes. ISACA (www.isaca.org) has worked with the big
four to whittle down the list and they have issued a document detailing
a more focused list of controls. The ISACA web site has a whole section
on Cobit.
3. External auditor's list of questions for entity level
controls (i.e., the overall environment at the company, the "tone at the
top.")
>>

We have adopted COBIT, but we have adopted it through the guise of CMMI.
One of our QA people, who happens to be brilliant, mapped COBIT to CMMI.
According to her, COBIT is organized in terms of "work products" which
could be documents provided to stakeholders, and CMMI is organized in
"how to provide" such information to stakeholders. So she saw a
mapping and drew it. This was very useful for us, as IT is adopting
CMMI Level II and so we can use this to ensure we also meet SOX
requirements.

I am checking out the ISACA list.

I haven't seen any list from an external auditor on entity level
controls, so I am not sure what that looks like.


<<

One of the big four I'm working with now has adopted its own 80-item
standard for IT controls, which closely resembles, but is not identical
to, the Cobit list. I think they did this out of self defense, as the
ISACA standard had not been released yet and no one was quite sure what
to do. One of the IT auditors I am working with at my company is
approaching this from the CMM model of thinking, and deriving suggested
best practices from that. I have noticed among clients that it does seem
to be the accepted model. The processes must be documented, and then the
testing is to ensure that they are followed. I have found that approach
to be helpful, too.
>>

Looks like great minds run alike, although we are using CMMI which is
slightly different from CMM. However, the focus is on the Change
process. We have already had documented processes for a couple of years
so were ahead of the curve that way. However, our internal auditors
found that IS as a whole was not following the processes to the tune of
around only 50% compliance. We are shooting for 95% compliance in 95%
of audited records. The main focus of our processes is the lifecycle:
planning, design, build and develop and implement.

The main cause of lack of compliance was not unwillingness, but rather
communication and training. We started a huge project to train everyone
in IS so they know the basics that the SOX auditors will be looking for.
Fortunately or unfortunately, politics ensued and a little bit of
process improvement work was done too. The good side of that is that we
are better positioned for our continuing process improvements. The bad
side was that the "emergency" training effort had more material to cover
in a short amount of time.

<<
I have a couple of questions. First, what other frameworks have others
been working with? Has anyone been through a review of their
documentation with the external auditors and gotten concrete feedback
yet? It may be a bit early for this second one, as 10K audits have not
started yet and I believe many firms are waiting until then to start
their control assessment.
>>

Our audit for IT is just starting (this week), and I haven't been
apprised of how we are doing yet. We are trying to be done with the
audit by the end of year.

<<
Just curious to see where others are at. I haven't had the benefit of
seeing through a project from beginning to end yet, and not having much
feedback from the final arbiter makes it difficult. Clients seem happy,
though.

Thanks, looking forward to some discussion.
>>

I hope you and I aren't the only ones.

Rose A. Wilcox
Center for Process Excellence, CHQ 8th Floor
602-250-3195
Rose -dot- Wilcox -at- aps -dot- com
"Great ability develops and reveals itself increasingly with every new
assignment."
Baltasar Gracian

