Why do corporations continue to fail, regardless of the increase (or decrease) in regulatory efforts? Until management adopts a "risk-centric" stance, we will continue to repeat the sins of the past...
31. Proposed CM Solution Pyramid
- Hardware/Data Integrity Component: EMC Centera®, Proofspace encryption, record management automation
- Software Component: various vendor process automation products, e.g. Documentum®, Movaris OneClose®, ACL CCM®
- Co-sourcing Component (?): independent IT test services
- Planning Component: SOX methodology (assess, document, test, report)
- Oversight Component: "Tone at the top" (executive buy-in; "spirit" vs. "letter")
32. Sarbanes-Oxley's Impact on the COSO Cube
Axes of the cube: SOX Sections 302, 404 and 409; the five COSO components; and the IT components that support each COSO component:
- Control Environment: "Tone at the top", IT Governance, Regulatory Compliance
- Risk Assessment: IT Risk Management, IT Risk Assessments, Business Impact Analysis
- Control Activities: Firewalls, Security, DRP, Business Continuity, SDLC, Change Control, Operations; IT Policies, Standards & Procedures
- Information & Communication: Email, Scorecards, Dashboards, Project Control, Help Desk
- Monitoring: Server Logs, Database Logs, Firewall Logs, Intrusion Detection, Incident Response, Awareness Training
33. CM Solution Requirements
For each COSO component (Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring) the slide lists the resources needed, Technology (HW/SW) and People (staff, mgmt.), and a tool or process needed. Tools and processes named (examples only): OneClose®, ACL CCM®/OneClose®, Documentum®, Organizational Consulting.
35. Internal Control Maturity Model
- Initial: control structure is not defined; control occurs incidentally.
- Repeatable: control structure is not defined, but control processes may occur based on past success and management oversight.
- Defined: control structure is documented, standardized and integrated into the organization's control processes.
- Managed: the control process is regularly assessed and tested; detailed measures of the control process are collected and reported.
- Optimizing: continuous process improvement is enabled by quantitative feedback from the control process.
Predictability, effectiveness and efficiency of an organization's internal controls improve as the organization moves through these five stages.