Agile in a highly regulated organization
Tami Flowers
KCDC - May 3, 2013
• I worked for a company with these words in its name:
  • Federal
  • Home loan
  • Bank
• That meant we had to consider
  • Sarbanes Oxley Act (SOx)
  • COBIT
• = internal auditors, external auditors, internal risk management group, examiners
• = 6-9 months a year of being audited or examined
What do COBIT and SOx say?
Ok, so what does that mean?
Where to start
What to do on a project
Tips and lessons learned
In all, 12 IT control objectives, which align to the Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 2 and Control Objectives for Information and related Technology (COBIT®), were defined for Sarbanes-Oxley. Figure 1 provides a high-level mapping of the IT control objectives for Sarbanes-Oxley described in the IT Control Objectives for Sarbanes-Oxley, 2nd edition document, IT general controls identified by the PCAOB and the COBIT 4.0 processes.
• From the April 2004 issuance of IT Control Objectives for Sarbanes-Oxley:
“The work required to meet the requirements of the Sarbanes-Oxley Act should not be regarded as a compliance process, but rather as an opportunity to establish strong governance models designed to result in accountability and responsiveness to business requirements. Building a strong internal control program within IT can help to:
  • Gain competitive advantage through more efficient and effective operations
  • Enhance risk management competencies and prioritization of initiatives
  • Enhance overall IT governance
  • Enhance the understanding of IT among executives
  • Optimize operations with an integrated approach to security, availability and processing integrity
  • Enable better business decisions by providing higher-quality, more timely information
  • Contribute to the compliance of other regulatory requirements, such as privacy
  • Align project initiatives with business requirements
  • Prevent loss of intellectual assets and the possibility of system breach”
• Some of the important areas of responsibility for IT include:
  • Understanding the organization’s internal control program and its financial reporting process
  • Mapping the IT environment (IT services and processes) that supports internal control and the financial reporting process to the financial statements
  • Identifying risks related to these IT systems
  • Designing and implementing controls designed to mitigate the identified risks and monitoring them for continued effectiveness
  • Documenting and testing IT and systems-based controls
  • Ensuring that IT controls are updated and changed as necessary to correspond with changes in internal control or financial reporting processes
  • Monitoring IT controls for effective operation over time
  • Participating in the Sarbanes-Oxley project management office
Controls, not the HOW or the process, are the focus.
As long as your process can show
• the controls, and
• that the controls are implemented and tested,
then the process you use to build software is up to you and your organization.
Lifecycle: Feasibility, Initiation, Release Planning, Iterate, Close Out

Deliverables by phase (Feasibility, Initiation/Planning, Iterate, Close Out), each tagged with the framework it satisfies:
• Prioritization of requests (COBIT, SOx)
• Approvals (COBIT)
• Change management approvals (COBIT, SOx)
• Project status reporting (COBIT)
• Testing & documentation approach (COBIT, SOx)
• Testing documentation and sponsor approvals (COBIT, SOx)
• Cycle 0 testing documentation (COBIT, SOx)
• Security review - user roles within an application (COBIT, SOx)
• Cycle 0 security testing documentation (COBIT, SOx)
• Security testing documentation (COBIT, SOx)
• Install documentation (SOx)
• Security review - how application security is designed/coded (COBIT, SOx)
• Code storage (COBIT)
Use your SDLC to define your project
process and deliverables.
Ensure those deliverables are created for
each project.
Make sure they are stored where they can
be easily found when requested by
auditors and examiners.
One size of Agile may not be right for all
types of projects and teams.
• For large longer-term projects, daily standups,
release plans, iteration planning meetings,
retrospectives may be required with stories and
tasks located on a project board.
• An infrastructure team charged with installing
servers, routers, and firewalls and keeping it all up
and running may have an overall plan and daily
standups with tasks as sticky notes on a Kanban
board.
• Consider adding different service levels, with increasing types of deliverables, based on project characteristics.
  • For instance, a year-long project with a larger project team should have far more controls and deliverables than a one-week project with one developer.
• Don’t have so many deliverables that it takes longer to do the paperwork or documentation than it does to do the project.
• Identify SOx controls up-front during the early stages of project planning.
• When creating test scripts, explicitly identify the SOx controls that need to be tested.
• After testing, explicitly document that those controls were tested. This doesn’t mean pages of documentation; identify what you are testing, test it, and document that you tested it. A test scenario can be documented with a simple “pass” or “fail”.
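The three steps above (identify the controls up front, tag each test scenario with the controls it proves, and record a pass or fail per control) can be mechanized so the evidence writes itself and any planned control that no scenario covers is flagged before the auditors ask. The following Python is an added example, not code from the talk or from any tool the speaker used; the control IDs (CM-01, AC-02, AC-03), the sample change record and role table, and all function names are constructed for illustration.

```python
"""Control-tagged test evidence: map test scenarios to the SOx/COBIT
controls they exercise, run them, and emit a tamper-evident evidence record.
Added example; control IDs and sample data are hypothetical."""
import hashlib
import json
from datetime import datetime, timezone

# Controls identified up-front during project planning (hypothetical IDs).
PLANNED_CONTROLS = {
    "CM-01": "Changes to production code require a documented approval",
    "AC-02": "Application roles restrict access to financial functions",
    "AC-03": "Terminated users lose access within one business day",
}

_REGISTRY = []  # (test function, control IDs it provides evidence for)


def covers(*control_ids):
    """Tag a test scenario with the control IDs it provides evidence for."""
    def deco(fn):
        _REGISTRY.append((fn, control_ids))
        return fn
    return deco


# --- constructed sample data standing in for a real application ------------
APPROVALS = {"CHG-1042": {"requested_by": "a.smith",
                          "approved_by": "j.doe", "role": "release manager"}}
ROLE_PERMISSIONS = {
    "teller": {"view_account"},
    "loan_officer": {"view_account", "approve_loan"},
}


@covers("CM-01")
def test_change_has_independent_approver():
    # A change must name an approver, and the approver must not be the requester.
    chg = APPROVALS["CHG-1042"]
    return bool(chg["approved_by"]) and chg["approved_by"] != chg["requested_by"]


@covers("AC-02")
def test_teller_cannot_approve_loans():
    # Segregation of duties: the teller role never carries the approval right.
    return "approve_loan" not in ROLE_PERMISSIONS["teller"]


def run_control_tests(planned=PLANNED_CONTROLS, registry=None):
    """Run every tagged scenario and return an evidence record: one pass/fail
    line per (control, scenario), plus the planned controls nothing tested."""
    registry = _REGISTRY if registry is None else registry
    results, tested = [], set()
    for fn, ids in registry:
        try:
            passed = bool(fn())
        except Exception:  # a crashing scenario is a failure, not a gap
            passed = False
        for cid in ids:
            tested.add(cid)
            results.append({"control": cid, "scenario": fn.__name__,
                            "result": "pass" if passed else "fail"})
    record = {
        "generated": datetime.now(timezone.utc).isoformat(),
        "results": results,
        "untested_controls": sorted(set(planned) - tested),
    }
    # Digest over the record lets the stored artifact be checked for tampering.
    body = json.dumps(record, sort_keys=True).encode()
    record["sha256"] = hashlib.sha256(body).hexdigest()
    return record


def evidence_is_intact(record):
    """Recompute the digest over everything except the stored digest."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    expect = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return expect == record.get("sha256")


if __name__ == "__main__":
    print(json.dumps(run_control_tests(), indent=2))
```

The record is plain JSON, so the documented process stays tool-agnostic (it names controls and scenarios, not the test runner), and the digest gives the stored artifact something an examiner can check against a copy in the evidence repository. With the sample data, CM-01 and AC-02 pass and AC-03 is reported as untested, which is exactly the gap to close before the iteration is declared done.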
• Stay tool-agnostic. Don’t tie yourself to specific tools when documenting your processes. Keep development environments, bug tracking software, testing tools, etc. out of the documentation.
• Your SDLC should guide your deliverables. Keep it updated and “fresh”. Consider updating it, and training on it, annually.
• Focus on deliverables that prove the controls have been tested.
• Don’t overdo it on deliverables. Keep it as simple as possible.
• Work to educate auditors, examiners, etc. on what Agile means.
• When possible, include them early in the development of your process.
• Say what you are going to do…and do it! Then make sure it’s saved and easy to find when asked.
Twitter: TamiLFlowers
LinkedIn
Thanks!
