Standards and Compliance Issues, Including CMM, ISO, ITIL, & Sarbanes-Oxley. Presented By: Lauren Eilers, Michele Hummel, Eno Veshi. (Slide deck, 58 pages; posted 30-Dec-2015.)

TRANSCRIPT

Page 1: Standards and Compliance Issues

Standards and Compliance Issues
Including CMM, ISO, ITIL, & Sarbanes-Oxley

Presented By:
Lauren Eilers
Michele Hummel
Eno Veshi

Page 2

Why Regulate and Impose Standards?

Definitions:
• Regulation = "a legal restriction promulgated by government administrative agencies through rulemaking supported by a threat of sanction or a fine".1
• Standard = "a level of quality or excellence that is accepted as the norm or by which actual attainments are judged".2

• Ensure quality & maintain competitiveness
• Avoid disparate practices within the same industry

1 en.wikipedia.org/wiki/Regulate
2 encarta.msn.com/dictionary_/standard.html

Page 3

Why Regulate and Impose Standards? (Cont'd)

• Increasing cost of IT – In the U.S., companies "spend more than $250 billion each year on IT application development of approximately 175,000 projects… (and) a staggering 31.1% of projects will be canceled before they ever get completed… (and) 52.7% of projects will cost 189% of their original estimates".1 (CHAOS report by the Standish Group: 1994 research survey of IT executive managers from large, medium, and small companies across major industry segments. Total sample size: 365 respondents, representing 8,380 applications.)

• Increasing size of the IT workforce – 10 million in 2000 to 10.5 million in 2004 in the U.S.2 (Study commissioned by ITAA, with 500 randomly selected people from organizations who were involved in hiring workers; based on phone interviews from Feb. 24 to Mar. 23, 2004.)

1 www.standishgroup.com/sample_research/chaos_1994_1.php
2 www.itaa.org/workforce/studies/04wfstudy.pdf

Page 4

Time Line

• ISO – International Organization for Standardization
• CMM – Capability Maturity Model
• ITIL – Information Technology Infrastructure Library
• SOX – Sarbanes-Oxley

Page 5

ISO (International Organization for Standardization)

http://www.iso.org/iso/en/ISOOnline.frontpage

Page 6

International Organization for Standardization (ISO)

• It is the world's leading developer of International Standards.
• It has 156 member countries.
• Its portfolio holds more than 15,036 standards that are used in every sector of business, industry and technology.

http://www.iso.org/

Page 7

ISO Partners

• International Electrotechnical Commission (IEC)

• International Telecommunication Union (ITU)

• World Bank

http://www.iso.org/

Page 8

ISO Path Forward

• The environment – develop standards for meeting new requirements such as greenhouse gas verification, climate mitigation, and other aspects of sustainable development.
• The service sectors – standards for personal financial services, market opinion, social research and tourism.
• Security – maritime port security, freight transport, countering illegal trafficking.
• Good managerial and organizational practice – develop social responsibility.

http://www.iso.org/

Page 9

ISO Benefits

• Worldwide recognition (156 members, developed and developing countries)
• Levels the playing field.
• Disseminates new technologies and businesses.

http://www.iso.org/

Page 10

CMM (Capability Maturity Model)

• Created by the Software Engineering Institute, a research center founded by Congress in 1984

• A structure designed to direct IT organizations through software process improvement

• Philosophy of “continuous process improvement”

Griggs, M., and Sauter, V., "Quality Management in the Software Industry", University of Missouri Working Paper, 2004

Page 11

5 Levels of the Capability Maturity Model (with the share of appraised organizations at each level, taken from the March 2006 CMMI maturity profile shown on the next slide; the CMMI names for levels 2 and 4 are given in parentheses):

5. Optimizing – 18.4%
4. Managed (CMMI: Quantitatively Managed) – 4.5%
3. Defined – 32.9%
2. Repeatable (CMMI: Managed) – 32.9%
1. Initial – 2.2%
Maturity level not given – 9.0%

www.sei.cmu.edu/appraisal-program/profile/pdf/CMMI/2006marCMMI.pdf

Page 12

CMMI Process Maturity Profile

www.sei.cmu.edu/appraisal-program/profile/pdf/CMMI/2006marCMMI.pdf

[Bar chart: number of organizations (y-axis, 50 to 550) by maturity level. Values shown on the bars:]

Not Given               9.0%
Initial                 2.2%
Managed                32.9%
Defined                32.9%
Quantitatively Managed  4.5%
Optimizing             18.4%

Based on the most recent appraisal of 1,106 organizations, from 3/2002 to 12/2005 and reported by 1/2006. Includes results for systems engineering, software engineering, integrated product & process development, & supplier sourcing.

SEI CMMI v1.1 Class A Appraisal Results

Page 13

The Initial Level

• Probability of producing quality software is low
• No management practices
• No documentation or evaluation
• If quality is reached, it is usually due to the extreme efforts of a few people or to the individual practices of a manager
• Respond to crises

Persse, James R., Implementing the Capability Maturity Model, John Wiley & Sons, Chichester, 2001. Griggs, M., and Sauter, V., "Quality Management in the Software Industry", University of Missouri Working Paper, 2004.

Page 14

The Repeatable Level

• Requirements management begins: identification of project prerequisites & assignment to the appropriate area
• Project management begins: responsibility, software development plan, implementation and analysis of the project plan
• Quality assurance begins: comparing actual progress on the project with the project plan
• Software management begins: collection of data, identification of elements of success and application to new projects
• Quality of projects able to be replicated

Persse, James R., Implementing the Capability Maturity Model, John Wiley & Sons, Chichester, 2001. Griggs, M., and Sauter, V., "Quality Management in the Software Industry", University of Missouri Working Paper, 2004.

Page 15

The Defined Level

• Defining and implementing proven practices throughout the organization
• Increased productivity, efficiency and effectiveness using these practices
• Emergence of a training group to provide organization-wide knowledge
• Emergence of a group called the Software Engineering Process Group, which continues development of software processes

Persse, James R., Implementing the Capability Maturity Model, John Wiley & Sons, Chichester, 2001. Griggs, M., and Sauter, V., "Quality Management in the Software Industry", University of Missouri Working Paper, 2004.

Page 16

The Managed Level

• Increased management of software products and processes
• Measurable goals set for the quality of software products and processes
• Collection and analysis of data from all current projects using a software process database
• Increased predictability and decreased risk due to improved standardized practices used throughout the organization

Persse, James R., Implementing the Capability Maturity Model, John Wiley & Sons, Chichester, 2001. Griggs, M., and Sauter, V., "Quality Management in the Software Industry", University of Missouri Working Paper, 2004.

Page 17

The Optimizing Level

• "Continuous process improvement"
• Proactive consideration of potential problems and weaknesses
• Work to prevent defects
• Analysis of any defects or problems, and adjustments made to prevent recurrence

Persse, James R., Implementing the Capability Maturity Model, John Wiley & Sons, Chichester, 2001. Griggs, M., and Sauter, V., "Quality Management in the Software Industry", University of Missouri Working Paper, 2004.

Page 18

ITIL (Information Technology Infrastructure Library)

Page 19

What is ITIL?

• ITSM (IT Service Management) – managing IT services in support of one or more business units
• ITIL (IT Infrastructure Library) – developed to provide a set of best practices for cost-effective IT services
• Adapted for delivery services.
• Presents a comprehensive set of management procedures with which an organization can manage its IT operations.

ITIL Foundations for IT Service Management, HP Training, Student Guide, Pg. 5 & 9

Page 20

ITIL

[Figure: the ITIL framework diagram, spanning "The Business" on one side and "The Technology" on the other. Elements shown: Planning to Implement Service Management; The Business Perspective; Service Management (Service Support, Service Delivery); ICT Infrastructure Management; Applications Management; Security Management.]

Main Reason for Creating ITIL

ITIL Foundations for IT Service Management, HP Training, Student Guide, Pg. 9

Page 21

Core ITSM Components

Service Management
  Service Delivery (Tactical – medium-term management cycles):
    Service Level Management, Capacity Management, Availability Management, Service Continuity Management, Financial Management
  Service Support (Operational – short-term management cycles):
    Service Desk, Incident Management, Problem Management, Configuration Management, Release Management

ITIL Foundations for IT Service Management, HP Training, Student Guide, Pg. 23

Page 22

ITIL Benefits

• Reduces costs.
• Improves IT services, increasing customer satisfaction.
• Offers guidance and standards.
• Improves productivity.
• Recognized worldwide.

ITIL Foundations for IT Service Management, HP Training, Student Guide, Pg. 16-17

Page 23

ITIL Qualifications

• Foundation Certificate – aimed at all personnel who wish to become familiar with IT management practices; enables people to understand the terminology used within ITSM
• Practitioner's Certificate – aimed at the personnel responsible for designing specific processes within the IT Service Management discipline; focuses on depth in understanding and applying IT Service Management
• Manager's Certificate – aimed at those who need to demonstrate the capability of managing ITIL-based solutions in the field of IT Service Management

ITIL Foundations for IT Service Management, HP Training, Student Guide, Pg. 7-8

ITIL Practitioner's Certificate in Change Management, http://www.ddls.com.au/VendCourseDet/ITL/60/ITILPrCM.htm

ITIL Manager Certificate, http://www.itilsurvival.com/ITILManagerCertificate.html

Page 24

Sarbanes-Oxley Act

http://www.economist.com/business/displayStory.cfm?story_id=3984019

Page 25

What is Sarbanes-Oxley?

• It is a US federal law, commonly called SOX or SarbOx.
• It gives additional powers and responsibilities to the U.S. Securities and Exchange Commission (SEC).
• Why important? 210,453 US and 234,086 international SEC registrants

www.secinfo.com/$/SEC/Location.asp

Page 26

History Behind the Sarbanes-Oxley Act

• Stock market boom of the 1990s and crash in 2000
• Fraud, misconduct and manipulation of financial information led to financial scandals and huge losses by investors – Examples: Enron, WorldCom, Tyco
• Act sponsored by Senator Paul S. Sarbanes (MD) and Representative Michael G. Oxley (OH)

Cartoon: http://www.cartoonbank.com/product_details.asp?mscssid=J0NC8F3AST458KRV1WKPNH51641V5JX4&sitetype=1&did=4&sid=47897&pid=&keyword=enron&section=notecards&title=undefined&whichpage=1&sortBy=popular (ID: 47897, published in The New Yorker, March 18, 2002)

Page 27

Goals of the Sarbanes-Oxley Act

• Renew investors' trust in the accounting and auditing professions
• Corporate responsibility for financial reporting
• Accurate reporting and release of information
• Increased auditor independence

www.sec.gov/news/press/2003-89a.htm, viewed on March 11, 2006.

Page 28

Renew Investors' Trust in the Accounting and Auditing Professions

• Established the Public Company Accounting Oversight Board (Sec. 101)
• Separation of auditing from accounting
• Limitation of services provided by auditors (Sec. 201)
• Financial Accounting Standards Board named as the accounting standard setter and supplied with an independent funding source
• Retention of audit records by outside auditors
• FAIR Funds for Investors established (Sec. 308(a))

www.sec.gov/news/press/2003-89a.htm, viewed on March 11, 2006. www.sec.gov/news/testimony/022603tssmc.htm

Page 29

Corporate Responsibility for Financial Reporting

• CEOs and CFOs must evaluate controls and certify this information in quarterly and annual reports (Sec. 302, 404)
• More severe civil and criminal penalties for fraud and misconduct
• New regulations related to insiders
• No personal loans to directors or executive officers
• CEO and CFO compensation and profit information released to the public
• CIOs are responsible for the security, accuracy, and reliability of the systems that manage and report the financial data.

www.sec.gov/news/press/2003-89a.htm, viewed on March 11, 2006.

Page 30

Accurate Reporting and Release of Information

• New rules regarding disclosure
• Annual management reports on internal controls over financial reporting: financial data; material changes; effectiveness/security; material weaknesses
• Auditor verification of internal controls over financial reporting, assessed against the five COSO internal-control components: "Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring"
• SEC to review Exchange Act reports at least once every three years

Haworth, Dwight A., and Pietron, Leah R., "Sarbanes-Oxley: Achieving Compliance by Starting with ISO 17799", Information Systems Management, Boston: Winter 2006. Vol. 23, Iss. 1, pp. 73-87.

www.sec.gov/news/press/2003-89a.htm, viewed on March 11, 2006.

Page 31

Costs Associated with Implementation

• Section 404 requires management and the independent auditor to issue separate assessments of a publicly held company's internal control over financial reporting
• Requires two new public reports:
  – A management report on the effectiveness of the company's internal control over financial reporting
  – An independent auditor's report that includes both an opinion on the management report and its own opinion of the company's internal control over financial reporting

Sarbanes Oxley Compliance (http://sarbanes-oxley-101.com/SOX-404.htm)

Page 32

Estimated Costs vs. Actual Costs

• First-year compliance estimated at $1 million per $1 billion in revenue
• Actual cost:

Average Company Annual Sales (US$)   Average Cost of Section 404 Compliance (External Resources Only)
0-250 Million                        $1.56 Million
250-500 Million                      $1.71 Million
500-750 Million                      $1.78 Million
750 Million-1 Billion                $2.03 Million
1-2 Billion                          $2.4 Million
2-7 Billion                          Insufficient Data
7-10 Billion                         $10 Million

Sarbanes-Oxley Implementation Costs: What Companies are Reporting in their SEC Filings, February 2005 (www.auditnet.org/articles/Sarbanes-Oxley_Implementation_Costs.pdf)

Page 33

Costs to Decline in Year Two

• CRA International conducted a survey of Sarbanes-Oxley implementation issues
• Findings include:
  – Average total Section 404 costs are expected to decline for both large and small companies in the second year
    • Smaller companies expect a decline of 39%, from $1.5 million to $900,000
    • Larger companies expect a decline of 42%, from $7.3 million to $4.3 million
  – Audit fees account for a minority of cost in the first year
    • Smaller companies: 35% of total cost
    • Larger companies: 26% of total cost

CRA International (www.law.berkeley.edu/centers/bclbe/symposia/postenron/sox%20404%20survey%20update.pdf)

Page 34

Year-One Average per Company Section 404 Implementation Costs for Smaller Companies

[Pie chart: Average Section 404 audit-related fees = 35% of total average issuer cost; average issuer cost excluding those fees = 65%]

[Bar chart, expected change Year 1 to Year 2: $1.5 Million (Year 1) to $0.9 Million (Year 2), a 39% decline]

CRA International (www.law.berkeley.edu/centers/bclbe/symposia/postenron/sox%20404%20survey%20update.pdf)

Page 35

Year-One Average per Company Section 404 Implementation Costs for Larger Companies

[Pie chart: Average Section 404 audit-related fees = 26% of total average issuer cost; average issuer cost excluding those fees = 74%]

[Bar chart, expected change Year 1 to Year 2: $7.3 Million (Year 1) to $4.3 Million (Year 2), a 42% decline]

CRA International (www.law.berkeley.edu/centers/bclbe/symposia/postenron/sox%20404%20survey%20update.pdf)

Page 36

Other Compliance Costs

• Software development and/or acquisition
• Increased general and administrative expenses
• Additional human resources and training
• Technological improvements and process improvements
• Projects to reorganize accounting and IT departments
• Additional expenses ranged from $1,200 to $34,000,000, per a study by Hall & Gaetanos of 50 randomly selected accelerated filers with SIC codes ranging from 2111 to 9999 and direct mention of Section 404 costs.

Hall, Linda A., and Gaetanos, Christ, "Treatment of Section 404 Compliance Costs", The CPA Journal, New York: Mar 2006. Vol. 76, Iss. 3, Pgs. 58-62.

Page 37

Global Effects of SOX

• SOX conflicts with the UK Data Protection Act 1998 – UK companies must get employee permission to disclose certain information; since that permission is not guaranteed, it is impossible to complete item 8.1 of SOX, which requires agreeing to provide information at any time in the future
• Some firms are threatening to de-list from US stock exchanges

Fran Howarth, Bloor Research, 1-11-05 (http://www.theregister.co.uk/2005/01/11/europeans_slam_sarbox/html)

Page 38

Global Effects of SOX

• SOX compliance costs for UK businesses are directly comparable to US costs for compliance – $1 million per $1 billion in revenue; second- and third-year costs should decrease 30-40%

SOX Compliance Costs U.K. Firms, Nikki Swartz. Information Management Journal, Lenexa: Jan/Feb 2006. Vol. 40, Iss. 1, p. 19 (1 pp)

Page 39

Case Studies

Utility Company, Solutia (http://www.solutia.com/pages/corporate/) & PricewaterhouseCoopers (http://www.pwcglobal.com/gx/eng/main/home/index.html)

Page 40

Background of Utility Company

• One of the nation's top utility companies.
• Has over 9,300 employees.
• Revenue = $6.78 B (2005)
• Gross Profit = $2.28 B
• Net Profit = $628 M
• Serves 2.3 M electric customers
• Serves 900,000 natural gas customers.

http://www.finance.yahoo.com

Page 41

Energy Delivery Dept.

• Our interviewee: Mr. Jerry Pisarek, Business Performance Controller.
• Dept. is responsible for the transmission and delivery of energy.
• System used: TRIS (Time Reporting Information System), a payroll accumulation system

From the interview with Mr. Jerry Pisarek (March 2006)

Page 42

IS Department

• 3,500 employees.
• Cost of meeting Sarbanes-Oxley requirements is $3-5 million annually.
• TRIS Department

[Org chart: roles shown are Employee Request for Security Clearance, Direct Supervisor of Employee, Business Performance Specialist, Director of Finance, Director of IT, CEO]

From the interview with Mr. Jerry Pisarek (March 2006)

Page 43

Effects of SOX at the Utility Co.

• Requests to access information must be made in writing.
• Before SOX, the Performance Controller approved or denied the request.
• After SOX, the Performance Controller still makes the decision, but upper management must approve it.

From the interview with Mr. Jerry Pisarek (March 2006)

Page 44

Solutia Background/Overview

• Specialty chemicals company.
• $2.7 billion in annual sales (2004).
• $1.9 billion in assets.
• More than 5,700 employees located at 60 manufacturing sites throughout 27 countries.

http://www.solutia.com/pages/corporate/

Page 45

Solutia's Product Line:

• Performance films for: car windows; computer screens
• Specialty products such as: avionic hydraulic fluid; heat-transfer fluids; plastic products

http://www.solutia.com/pages/corporate/about/overview.asp

Page 46

Solutia's Product Line: (cont'd)

• Integrated nylon used to make: wear-resistant carpets; vibrant upholstery fabrics; tires

http://www.solutia.com/pages/corporate/about/overview.asp

Page 47

Solutia's IT Department

• Our interviewee – Lori Kirk, Information Security Manager.
• Hierarchy in IT department: [org chart; roles shown are CEO, VP Business Operations, CIO, VP IT, IS Manager]
• IT annual budget is $29M.
• IT Department has approx. 100 employees.

Kirk, Lori, Information Security Manager, Solutia, interviewed in person by Lauren Eilers and Michele Hummel, March 29, 2006

Page 48

Implementation of SOX at Solutia (2003 – 12/31/2004)

• Planning (2003)

• Awareness(2003)

• Intensive Documentation(2004)

• Testing(2004)

Kirk, Lori, Information Security Manager, Solutia, interviewed in person by Lauren Eilers and Michele Hummel, March 29, 2006

Page 49

Solutia and Maintaining Compliance

• Update narrative and control activity documents.
• Test the control environments quarterly.
• Annual management testing (internal).
• Annual external audit.

Kirk, Lori, Information Security Manager, Solutia, interviewed in person by Lauren Eilers and Michele Hummel, March 29, 2006

Page 50

Impact of SOX at Solutia

• Higher costs.
• Time consuming: 25% of time on average; 75% of time in the fourth quarter.
• More detailed documentation.

Kirk, Lori, Information Security Manager, Solutia, interviewed in person by Lauren Eilers and Michele Hummel, March 29, 2006

Page 51

PricewaterhouseCoopers (PwC) Background/Overview

• ~30,000 employees in the U.S., 110,000 worldwide
• ~3,000 firm partners in the U.S.
• Clients are primarily mid- to large-sized companies, mostly audit clients, and usually from the financial services, consumer or industrial products and services, technology or entertainment sectors

Meiner, Mark, Business Development Director, PricewaterhouseCoopers, interviewed by telephone by Michele Hummel, April 5, 2006.

http://www.pwcglobal.com/gx/eng/main/home/index.html

Page 52

Interview with Mark Meiner, Business Development Director at PwC

• SOX affected all 3 areas of PwC: assurance/audit, tax, advisory (business processes)
• Costs: audit costs increased by 50% for most clients; an estimated 25% of costs were due to documentation of control systems; 225 clients noted 275 control deficiencies each; an estimated 25% of new/revised controls contributed to the costs of year 1
• SOX created a need for increased software development and increased IT budgets: tools to track SOX projects, IT tools to automate the way control structures are reviewed, controls to monitor access to the IT applications

Meiner, Mark, Business Development Director, PricewaterhouseCoopers, interviewed by telephone by Michele Hummel, April 5, 2006. Current Developments for Audit Committees 2006, PricewaterhouseCoopers, 2006.

Page 53

Interview with Mark Meiner, Business Development Director at PwC (cont'd)

• First year of SOX compliance: companies rushed to become compliant; many had underestimated the time and cost to do this
• Second year of compliance: how will companies "do it better" in year 2, i.e. more efficiently and at lower cost
• Benefits of SOX:
  – With audit clients: gave companies a greater awareness of their control structures and how they mitigate risk across the enterprise
  – With non-audit clients: started them thinking about some of the issues

Meiner, Mark, Business Development Director, PricewaterhouseCoopers, interviewed by telephone by Michele Hummel, April 5, 2006.

Page 54

Time Line Completed

ISO – International Organization for Standardization: a global organization that develops general industry standards across all industries

CMM – Capability Maturity Model: a sequential path towards increasing quality, used by companies as guidelines or to document their quality level

ITIL – Information Technology Infrastructure Library: ITIL is not a standard; it is a framework of best practice to be adopted and adapted to fit each individual company

SOX – Sarbanes-Oxley: SOX created new documentation requirements for all publicly held companies, in order to create greater financial disclosure as well as increase security against fraudulent activity

Page 56

Source Information

CRA International (www.law.berkeley.edu/centers/bclbe/symposia/postenron/sox%20404%20survey%20update.pdf)

Current Developments for Audit Committees 2006, PricewaterhouseCoopers, 2006.

Freedman, Rick, "More on Standards-Based IT Consulting", Consulting to Management, Burlingame: Jun 2005. Vol. 16, Iss. 2; pgs. 43-46.

Griggs, M., and Sauter, V., "Quality Management in the Software Industry", University of Missouri Working Paper, 2004.

Hall, Linda A., and Gaetanos, Christ, "Treatment of Section 404 Compliance Costs", The CPA Journal, New York: Mar 2006. Vol. 76, Iss. 3, Pgs. 58-62.

Herbsleb, James, Zubrow, David, et al., "Software Quality and the Capability Maturity Model", Communications of the ACM, New York: Jun 1997. Vol. 40, Iss. 6; pgs. 30-41.

Howarth, Fran, "Anti Sarbanes-Oxley mood rises in Europe", Bloor Research, 1-11-05 (http://www.theregister.co.uk/2005/01/11/europeans_slam_sarbox/html)

ISO, Detailed Information about the International Organization for Standardization (www.iso.org/)

ITIL Practitioner's Certificate in Change Management (http://www.ddls.com.au/VendCourseDet/ITL/60/ITILPrCM.htm), viewed April 11, 2006.

ITIL Manager Certificate (http://www.itilsurvival.com/ITILManagerCertificate.html), viewed April 11, 2006.

Keller, Eric, "The Last Mile of Finance", Strategic Finance, March 2006.

Page 57

Sources Continued:

Kirk, Lori, Information Security Manager, Solutia, interviewed in person by Lauren Eilers and Michele Hummel, March 29, 2006.

Meiner, Mark, Business Development Director, PricewaterhouseCoopers, interviewed by telephone by Michele Hummel, April 5, 2006.

Persse, James R., Implementing the Capability Maturity Model, John Wiley & Sons, Chichester, 2001.

Pisarek, Jerry, Business Performance Specialist, Utility Company, interviewed in person by Lauren Eilers, Michele Hummel and Eno Veshi, March 12, 2006.

PricewaterhouseCoopers logo (http://www.pwcglobal.com/gx/eng/main/home/index.html), viewed 4/10/2006.

Sarbanes-Oxley Implementation Costs: What Companies are Reporting in their SEC Filings, February 2005 (www.auditnet.org/articles/Sarbanes-Oxley_Implementation_Costs.pdf)

Sarbanes Oxley Compliance (http://sarbanes-oxley-101.com/SOX-404.htm)

Solutia, Company Profile (www.solutia.com/)

Solutia logo (http://www.solutia.com/pages/corporate), viewed 4/10/2006.

Swartz, Nikki, "SOX Compliance Costs U.K. Firms", Information Management Journal, Lenexa: Jan/Feb 2006. Vol. 40, Iss. 1, p. 19 (1 pp)

Utility Company overall information (www.finance.yahoo.com)

Wagner, Stephen, and Dittmar, Lee, "The Unexpected Benefits of Sarbanes-Oxley", Harvard Business Review, April 2006, Vol. 84, Iss. 4.

Page 58

Sources Cont'd

en.wikipedia.org/wiki/Regulate, viewed on April 7, 2006.

en.wikipedia.org/wiki/Sarbanes_Oxley, viewed on March 28, 2006.

www.encarta.msn.com/dictionary_/standard.html, viewed on April 7, 2006.

www.itaa.org/workforce/studies/04wfstudy.pdf, viewed on April 7, 2006.

www.secinfo.com/$/SEC/Location.asp, viewed on March 1, 2006.

www.sec.gov/news/press/2003-89a.htm, viewed on March 11 and March 27, 2006.

www.sec.gov/news/studies/sox308creport.pdf, viewed on March 1, 2006.

www.sec.gov/news/testimony/090903tswhd.htm, viewed on March 27, 2006.

www.sec.gov/news/testimony/022603tssmc.htm, viewed on March 1, 2006.

www.sei.cmu.edu/appraisal-program/profile/pdf/CMMI/2006marCMMI.pdf

www.sox-online.com/sox_humor.html, viewed on March 28 & April 11, 2006.

www.standishgroup.com/sample_research/chaos_1994_1.php, viewed on April 7, 2006.