Keeping Your SOX on: Quality Improvement for Sustaining SOX compliance
Proprietary and Confidential Copyright@2005 by Unitech Systems Inc. All rights reserved
Purpose of today’s discussion
To discuss the challenges and opportunities presented by the SOX compliance
To outline an information centric approach towards improving organizational performance for sustaining SOX compliance
Agenda
State of Financial reporting and SOX mandate
Modeling Enterprise Information
SOX compliance and continuous improvements
Key Benefits
State of Financial reporting
[Chart: Number of Restatements by Year, 1999 to 2003 (y-axis 0 to 450). Plotted values as extracted: 172159, 228, 312, 394.]
[Ref: Huron Consulting Group; Information Integrity Coalition; http://www.forbes.com ]
Inaccurate, inconsistent and unreliable financial reporting is a quality issue
SOX Primer
Sarbanes-Oxley was enacted in a major effort to prevent accounting scandals and other reporting problems from recurring, and to rebuild public trust in corporate business practices and reporting.
Establishes new or enhanced standards for corporate accountability and penalties for corporate wrongdoing.
Contains 11 titles, ranging from additional responsibilities for audit committees to tougher criminal penalties for white-collar crimes such as securities fraud.
Defines a higher level of responsibility, accountability, and financial reporting transparency – changes that are ultimately intended to restore investor confidence.
SOX key requirements
CEO and CFO certification
Real time disclosure of material events
Disclosure Controls and Procedures
Internal Controls Over Financial Reporting
Internal Control Reports and Assertions
External Auditor Attestation
Challenges
Multiple isolated compliance efforts
Focus is on compliance (read: documentation)
Distraction from “Business as Usual” activities
Compliance does not guarantee business sustainability – Quality does
For better value, compliance management should be part of “business as usual” activities.
[Chart: Reasons for loss of shareholder value – Strategic 60%, Operational 27%, Compliance 13%]
[Ref: Booz, Allen Hamilton, 2004]
Industrial Revolutions
I: Manufacturing, Transportation, Energy – explosion in products
II: Software, Internet, E-Commerce – explosion in information
Ref: Martin Bariff, 2004 at ISACA
Improving Quality of Financial Reporting
Process Focus
Assure the quality of the financial reporting processes
Assure the integrity and accuracy of the controls relevant to financial reporting processes
Assure the integrity of the information outputs
Reduce fraud through regulations
What is Information Integrity?
Information Integrity (I*I) is the trustworthiness or dependability of information as defined by the accuracy, consistency and reliability of information content, processes and systems.
Accuracy: The degree of agreement between a particular value and an identified source that provides the correct value at a specific point in time.
Consistency: The degree of agreement among repeated instances of the same information (occur in space, over time, and in relation to one another at the same point in time).
Reliability: The degree to which information is complete, current, and verifiable.
I*I Risks are linked to
“Static” business models in changing markets
Process re-engineering initiatives
Growth in business, information, and data
Information systems initiatives
“Off System” analytical work
Industry Impact of I*I failures
Reported magnitude of I*I issues
Telecom: About 5-11% of revenue is lost [1]. That is about $15-30 billion a year [1].
Banking: 30 banks had reported total operational losses of around 2.6 billion euros [5,6]. During year 2000, the UK lost £113 million through non-compliant documents being presented under letters of credit [3].
Insurance: The US Medicare program lost between 7-10% of its budget due to I*I related errors [4].
Retail: US retail companies lost about $5.6 billion in year 2001 due to clerical and administrative errors [2].
[1] D&T, Revenue assurance survey; PWC, KPMG publications
[2] 2001 National security survey, University of Florida
[3] SITPRO, 2003
[4] GAO report, 1999; IIC report, 2001
[5] BIS, “Quantitative Impact Study”, 2002
[6] Rick Harris, “Domestic regulatory approaches to operational risk”, 2002
Unitech’s Framework is comprehensive
Unitech’s Enterprise Information Model (EIM) is a comprehensive framework for identifying focal business processes for integrity evaluation
The four quadrants can be populated with issues and processes representing every aspect of enterprise operations
Information Exchange Integrity
[Figure: Value of cycle time improvement in process analytics. Integrity risks are shown as variation in A/C/R (accuracy, consistency, reliability) around a target between the lower and upper specification limits (LSL, USL); the re-engineered process narrows that variation, giving minimized integrity risks.]
I*I Assessments
[Figure: Practice Components. Assessment dimensions: System, Process, Content. Content attributes: Standard, Tolerance, Spatial, Temporal, Relational, Completeness, Currency, Verifiability (grouped under Accuracy, Consistency, Reliability). Practice components: Metrics, Methods, Standards, Tools.]
Ref: Martin Bariff, 2004 at ISACA
I*I Rating Systems
• Process-Based Ratings – Management Requirements
Ref: "Building an Information Integrity Rating System," by Craig M. Watson, April 12, 2004
Examples from the Quality world; usually for business processes
1 AWARE: Enterprises have some awareness of information integrity issues. Few of these issues are addressed adequately.
2 DETECTIVE: After-the-fact initiatives. Typical processes are data cleaning, audit, process quality measurement, system reliability measurement.
3 PREVENTIVE: I*I risk analysis, continuous I*I risk monitoring. Focus on business requirements.
4 MANAGED: I*I risk management is integrated across all key business processes.
5 OPTIMIZED: I*I risk management is integrated with the enterprise-wide risk management process.
I*I Rating Systems
• Outcome-Based Ratings – Performance Requirements
Usually for information exchanges. Examples include financial statements released to the public, individual bank statements etc.
Similar examples (credit-rating scale): AAA Investment Grade – Trustworthy information; BBB Non-Investment Grade – Acceptable non-critical information; Bbb Junk – Non-acceptable
Source: "Building an Information Integrity Rating System," by Craig M. Watson, April 12, 2004
Baldrige Framework
Several Concepts – Several Tools
Concepts: Quality Management, Risk Management, Control Management, Information Integrity Management
Tools: Six Sigma, Quality Circle, Business Process Reengineering; Integrity Risk Assessment; Enterprise Risk Management; COSO, COBIT
Umbrella: Baldrige Criteria for Performance Excellence; Corporate Governance Model
Integrated Management Systems Approach
Baldrige based Management System
Information Integrity Requirements
Quality Requirements
Integrity Tools Quality Tools
SOX Compliance Regulatory Compliance Performance Excellence
Corporate Governance
Benefits of the Unitech Approach
Enterprise-based: The Enterprise Information Model embraces all major processes in the enterprise. One tool provides the total perspective.
Process-Focused: Our approach is driven by a relentless focus on practical process understanding. As a result, we connect with management thinking and deliver practical integrity improvements.
Effective/Efficient: We look at processes from both effectiveness and efficiency perspectives, thus broadening performance impact.
Compliance-rich: Unitech is particularly suitable for supporting Sarbanes-Oxley and Basel II compliance initiatives. We provide documentation of controls, as well as a high level of confidence in the results.
Generally adaptable: Unitech’s approach can be applied to ANY business process, yielding powerful insights into information integrity, as well as performance improvement potential.