
Keeping Your SOX on: Quality Improvement for Sustaining SOX compliance

Proprietary and Confidential Copyright@2005 by Unitech Systems Inc. All rights reserved


Purpose of today’s discussion

To discuss the challenges and opportunities presented by the SOX compliance

To outline an information centric approach towards improving organizational performance for sustaining SOX compliance


Agenda

State of Financial reporting and SOX mandate

Modeling Enterprise Information

SOX compliance and continuous improvements

Key Benefits


State of Financial reporting

[Chart: Number of Restatements by Year, 1999-2003; plotted values as extracted: 172, 159, 228, 312, 394]

[Ref: Huron Consulting Group; Information Integrity Coalition; http://www.forbes.com ]

Inaccurate, inconsistent and unreliable financial reporting is a quality issue.

SOX Primer

Sarbanes-Oxley was enacted in a major effort to prevent accounting scandals and other reporting problems from recurring, and to rebuild public trust in corporate business practices and reporting.

Establishes new or enhanced standards for corporate accountability and penalties for corporate wrongdoing.

Contains 11 titles, ranging from additional responsibilities for audit committees to tougher criminal penalties for white-collar crimes such as securities fraud.

Defines a higher level of responsibility, accountability, and financial reporting transparency – changes that are ultimately intended to restore investor confidence.

SOX key requirements

CEO and CFO certification

Real-time disclosure of material events

Disclosure Controls and Procedures

Internal Controls Over Financial Reporting

Internal Control Reports and Assertions

External Auditor Attestation

Challenges

Multiple isolated compliance efforts

Focus is on compliance (read: documentation)

Distraction from “Business as Usual” activities

Compliance does not guarantee business sustainability – Quality does

For better value, compliance management should be part of “business as usual” activities.

[Chart: Reasons for loss of shareholder value – Strategic 60%, Operational 27%, Compliance 13%]

[Ref: Booz, Allen Hamilton, 2004]

Industrial Revolutions

I: Manufacturing, Transportation, Energy – Explosion in products

II: Software, Internet, E-Commerce – Explosion in Information

Ref: Martin Bariff, 2004 at ISACA

Improving Quality of Financial Reporting

Process Focus

Assure the quality of the financial reporting processes

Assure the integrity and accuracy of the controls relevant to financial reporting processes

Assure the integrity of the information outputs

Reduce fraud through regulations

What is Information Integrity?

Information Integrity (I*I) is the trustworthiness or dependability of information as defined by the accuracy, consistency and reliability of information content, processes and systems.

Accuracy: The degree of agreement between a particular value and an identified source that provides the correct value at a specific point in time.

Consistency: The degree of agreement among repeated instances of the same information (occur in space, over time, and in relation to one another at the same point in time).

Reliability: The degree to which information is complete, current, and verifiable.


I*I Risks are linked to

“Static” business models in changing markets

Process re-engineering initiatives

Growth in business, information, and data

Information systems initiatives

“Off System” analytical work


Industry Impact of I*I failures

Telecom: About 5-11% of revenue is lost [1]. That is about $15-30 billion a year [1].

Banking: 30 banks had reported total operational losses of around 2.6 billion euros [5,6]. During year 2000, the UK lost £113 million through non-compliant documents being presented under letters of credit [3].

Insurance: The US Medicare program lost between 7-10% of its budget due to I*I related errors [4].

Retail: US retail companies lost about $5.6 billion in year 2001 due to clerical and administrative errors [2].

Reported magnitude of I*I issues

[1] D&T, Revenue assurance survey; PWC, KPMG publications
[2] 2001 National Security Survey, University of Florida
[3] SITPRO, 2003
[4] GAO report, 1999; IIC report, 2001
[5] BIS, “Quantitative Impact Study”, 2002
[6] Rick Harris, “Domestic regulatory approaches to operational risk”, 2002

Unitech’s Framework is comprehensive

Unitech’s Enterprise Information Model (EIM) is a comprehensive framework for identifying the focal business processes for integrity evaluation

The four quadrants can be populated with issues and processes representing every aspect of enterprise operations


Information Exchange Integrity

[Figure: Integrity risks as variation in A/C/R (accuracy, consistency, reliability), shown as process distributions against the lower and upper specification limits (LSL, USL) and the target; a re-engineered process narrows the variation so that integrity risks are minimized. Caption: Value of cycle time improvement in process analytics]

[Figure: I*I Assessments framework – dimensions: System, Process, Content; content attributes: Standard, Tolerance, Spatial, Temporal, Relational, Completeness, Currency, Verifiability; practice components: Metrics, Methods, Standards, Tools; measures: Accuracy, Consistency, Reliability]

Ref: Martin Bariff, 2004 at ISACA

I*I Rating Systems

• Process-Based Ratings – Management Requirements

Ref: "Building an Information Integrity Rating System," by Craig M. Watson, April 12, 2004

Examples from the Quality world; usually for business processes.

1. AWARE: Enterprises have some awareness of information integrity issues. Few of these issues are addressed adequately.

2. DETECTIVE: After-the-fact initiatives. Typical processes are data cleaning, audit, process quality measurement, system reliability measurement.

3. PREVENTIVE: I*I risk analysis, continuous I*I risk monitoring. Focus on business requirements.

4. MANAGED: I*I risk management is integrated across all key business processes.

5. OPTIMIZED: I*I risk management is integrated with the enterprise-wide risk management process.

I*I Rating Systems

• Outcome-Based Ratings – Performance Requirements

Usually for information exchanges. Examples include financial statements released to the public, individual bank statements etc.

Similar examples (credit-rating style):

AAA Investment Grade – Trustworthy information

BBB Non-Investment Grade – Acceptable non-critical information

Bbb Junk – Non-acceptable

Source: "Building an Information Integrity Rating System," by Craig M. Watson, April 12, 2004

Baldrige Framework

Several Concepts – Several Tools

Quality Management: Six Sigma, Quality Circle, Business Process Reengineering

Information Integrity Management: Integrity Risk Assessment

Risk Management: Enterprise Risk Management

Control Management: COSO, COBIT

Corporate Governance Model (Baldrige Criteria for Performance Excellence)

Integrated Management Systems Approach

Baldrige based Management System

Information Integrity Requirements / Quality Requirements

Integrity Tools / Quality Tools

SOX Compliance / Regulatory Compliance / Performance Excellence

Corporate Governance

Benefits of the Unitech Approach

Enterprise-based: The Enterprise Information Model embraces all major processes in the enterprise. One tool provides the total perspective.

Process-Focused: Our approach is driven by a relentless focus on practical process understanding. As a result, we connect with management thinking and deliver practical integrity improvements.

Effective/Efficient: We look at processes from both effectiveness and efficiency perspectives, thus broadening performance impact.

Compliance-rich: Unitech is particularly suitable for supporting Sarbanes-Oxley and Basel II compliance initiatives. We provide documentation of controls, as well as a high level of confidence in the results.

Generally adaptable: Unitech’s approach can be applied to ANY business process, yielding powerful insights into information integrity, as well as performance improvement potential.

More Resources

www.asq.org/ii www.informationintegrity.org www.unitechsys.com