Sarbanes-Oxley Guide for Finance and Information Technology Professionals SANJAY ANAND John Wiley & Sons, Inc.
Sarbanes-Oxley Guide for Finance and Information Technology Professionals
Sarbanes-Oxley Guide for Finance and Information Technology Professionals SANJAY ANAND John Wiley & Sons, Inc.
This book is printed on acid-free paper. Copyright 2006 by Sarbanes Oxley Group. All rights reserved. Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, or online at http://www.wiley.com/go/permissions. Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our Web site at http://www.wiley.com. SOCKET (Sarbanes-Oxley Compliant Key Enterprise Technology) is trademarked by the Sarbanes-Oxley Group. Library of Congress Library of Congress Cataloging in Publication Division CIP 20540-4320 101 Independence Avenue, S.E. 9140 East Hampton Drive Washington, DC 20540-4320 Capitol Heights, MD 20743 Library of Congress Cataloging-in-Publication Data Anand, Sanjay. Sarbanes-Oxley guide for finance and information technology professionals / Sanjay Anand. p. cm. Includes index. ISBN-13: 978-0-471-78553-8 (cloth) ISBN-10: 0-471-78553-9 (cloth) 1. United States. Sarbanes-Oxley Act of 2002. 2. Corporations Accounting Law and legislation United States. 3. Disclosure of information Law and legislation United States. 4. Financial statements Law and legislation United States. I. Title. KF1446.A945 2006 346.73 06648 dc22 2005031928 Printed in the United States of America 10987654321
This guide is dedicated to my family and to the innocents who have endured the harsh consequence of corporate fraud.
Contents PREFACE xi ACKNOWLEDGEMENTS xiii INTRODUCTION 1 PART I Sarbanes-Oxley For The Finance Professional 24 CHAPTER 1 Scope and Assessment of the Act 25 Integrity 25 Independence 25 Proper Oversight 26 Accountability 26 Strong Internal Controls 26 Transparency 26 Deterrence 27 Corporate Process Management 27 CHAPTER 2 Internal Controls 32 Components of Internal Control 33 Purpose of Internal Control 36 Developing an Internal Control System 37 CHAPTER 3 Control Environment 49 Risk Assessment 49 Information and Communication 54 Monitoring 56 CHAPTER 4 Material Weaknesses 58 Specific Internal Controls to Evaluate 58 Disclosure Committee 59 vii
viii Contents CHAPTER 5 Implementing Sarbanes-Oxley: What Does Compliance Look Like? 62 Time Line 62 Checklists 64 Reporting, Documentation, and Archiving 72 Disclosure 72 CHAPTER 6 Technology Implications 74 Storage Systems 75 IT Solutions 77 Changes in IT Management 78 CHAPTER 7 Sarbanes-Oxley Related Bodies 79 Public Company Accounting Oversight Board 79 Committee of Sponsoring Organizations 80 Securities and Exchange Commission 82 Financial Accounting Standards Board 83 CHAPTER 8 Opportunities and Challenges Created by Sarbanes-Oxley 84 Opportunities 84 Challenges 86 CHAPTER 9 Summary for the CFO 90 Changes to Corporate Governance 90 Catalyst for Improvement 91 PART II Sarbanes-Oxley For The IT Professional 93 CHAPTER 10 Impact of Sarbanes-Oxley 95 Impact on the Enterprise, the CEO, and the CFO 95 Impact of Sarbanes-Oxley on Corporate Management Systems 97 Impact of Sarbanes-Oxley on the Technology Infrastructure 100 CHAPTER 11 Technologies Affected by Sarbanes-Oxley: From Sarbanes-Oxley to SOCKET 106 Separate Vendor Hype from Reality 106 Sarbanes-Oxley Compliance as an IT Project 107 Perspective on Sarbanes-Oxley Goals 108 Steps for Sarbanes-Oxley Compliance 109
Contents ix Sarbanes-Oxley and The SEC 113 CHAPTER 12 Enterprise Technology Ecosystem 114 Organic IT Architecture 114 Ecosystem and Sarbanes-Oxley 115 CHAPTER 13 Implementing the SOCKET Methodology 117 Species or Components of the Enterprise Technology Ecosystem 117 COSO Framework 119 SOCKET Technologies 121 Transactional Systems: ERP, SCM, CRM 121 Analytical and Reporting Systems 126 Data Warehousing 129 CHAPTER 14 SOCKET and Enterprise Information Management 132 Document Management and Sarbanes-Oxley 132 Document Security 137 Communication and Networking 146 CHAPTER 15 The Process 150 Introduction to the Process 150 Strategic (Top-Down) Approach 155 Tactical (Bottom-Up) Approach 159 Monitoring the Audit Team 161 Implementation Process: Reengineering for Sarbanes-Oxley Compliance 164 Beyond Sarbanes-Oxley: From SOCKET to Success Ecosystem 166 Conclusions 167 APPENDIX A Sarbanes-Oxley Implementation Plan: Developing an Internal Control System for Compliance (Focusing on Sections 302 and 404) 169 APPENDIX B Project to Process: Making the House a Home 193 APPENDIX C Enterprise Project Management and the Sarbanes-Oxley Compliance Project 220 APPENDIX D Enterprise Risk Management Integrated Framework 224 APPENDIX E COBIT 3 Executive Summary 233 APPENDIX F COBIT 4 Executive Summary 247 INDEX 271
Preface (For updates and worksheets, visit www.sarbanesoxleyguide.com.) This book is a comprehensive, authoritative guide to getting your organization compliant with Sarbanes-Oxley. It provides a foundation and an advanced reference for finance and information technology (IT) executives, professionals, and consultants who are involved in or are looking to get involved in Sarbanes-Oxley related compliance projects. Among other things, the book addresses: Key aspects and components of the Sarbanes-Oxley Act. A methodology to achieve Sarbanes-Oxley compliancy for your company. The road map to compliance, including checklists, worksheets, and project plans. The business and technology implications and resource requirements for compliance. The future of Sarbanes-Oxley and its impact on corporate America and the world. The book includes practical, actionable advice that all finance and IT professionals must have at their fingertips as they pursue, or consider pursuing, a journey of Sarbanes-Oxley compliance. Because of the enormity of the Act itself, this book is by no means all-encompassing. Nevertheless, it is a comprehensive guide and an extremely valuable reference book for Sarbanes-Oxley compliance for your organization. Since the world of Sarbanes-Oxley is not static, and neither is the body of knowledge associated with it, please visit www.sarbanes OxleyGuide.com for recent updates and new worksheets as they are posted to the website. xi
Acknowledgements Producing a comprehensive guide like this one requires a team effort. I am grateful to my team at the Sarbanes-Oxley Group and elsewhere, listed here in alphabetical order by last name, for assisting me with the creation of this book: Paul J. Boller, CPA, CISA, CIA, CFSA, in Switzerland for constructive feedback and edits. Madeleine Ferris, CMA, CSOX, at FEI in Calgary, Canada for contributing to the appendices. Vikas V. Gupta, PhD, at Inkorus in Bombay, India for helping to create the SOCKET Framework. David Kimball, CMA, near Boston, Massachusetts for providing process-related content. John LaCagnina, PMP, CSOX, at KPMG in New York for the project management aspects. Dianna Podmoroff, CHRP, in Vancouver, Canada for the finance and human resource context. Robert Schwind, CSOX, at GKBN in Albany, New York for security and related IT aspects. Joann Skiba, Director, ISACA, in Chicago, Illinois for COBIT-related reprint permissions. William Suda, AICPA in Jersey City, New Jersey for COSO-related reprinted permissions. Jennifer Tran, CSOX, at Oracle in Teaneck, New Jersey for providing the enterprise context. John Wiley & Sons, Inc. s staff across the United States for editorial and publishing expertise. Thanks also to our families, who allowed us to spend many nights and weekends working on this guide so that we could bring it to you. xiii