The Nature of SOX Projects
August 16, 2006 PMI Chapter Luncheon Meeting
Amin Leiman, CISA
Agenda:
 Characteristics of SOX Projects
 “Instant Managers” Challenges
 Conducting an “instant” analysis of a SOX project
 Material Weakness Reported by Type
Key Phases of Project Compliance

Project Planning
 Develop the Compliance Plan
 Select the priority accounts and disclosures from the financial statement risk assessment (FSRA)
 Consider significance to financial reporting and risk of misstatement

Document Key Processes
 Identify the key processes impacting financial reporting
 Document the transaction flows that materially impact the priority financial reporting elements
 Designate a standard framework for documenting and testing

Source Risks (What are the risks?)
 Identify control objectives
 Use financial reporting assertions to source “what can go wrong” within the process

Document Controls (What are the key controls? Who owns the controls?)
 Document entity controls (“tone at the top”)
 Document the controls at the source of the risk (preventive) or downstream in the process (detective and corrective)

Assess Design (How is the controls design rated?)
 Assess effectiveness of controls design at Entity and Activity / Process Levels

Validate Operation (How are controls performing?)
 Test effectiveness of controls operation at Entity and Activity / Process Levels
 Identify exceptions, classify and remediate deficiencies

Report (Collaboration and Communication; Coordinate with External Auditor)
 Conclude
 Disclose
 Report
Project Status at a Glance
(Tracked for each Key Project Task: Status, Progress, Target Dates, Comments)

Project Planning & Risk Assessment
 Determine Overall Scope of Project
 Assessment & Definition of Materiality
 Determine Significant Accounts and Disclosures
 Identify Critical Processes
 Determine Applicable Business Units
 Determine Level of Documentation and Standard Formats
 Complete Compliance Plan
 Meet with External Auditor to Discuss Compliance Plan
 Complete IT SOX Compliance Project Plan

IT General Control Risk Assessment
 Identify Significant Control Objectives
 Consider Entity-level Control Significant Objectives
 Analyze Entity-level Control Documentation Gaps
 IT Application & General Controls Risk Assessment Plan

KEY: Not Started / In Process (e.g. 80%) / Concern / Great Concern / Complete
Characteristics of SOX Projects:
 As a result of corporate “911” events
 Panic Mode
 Uncertainties
 Last minute action plans
 Unintended consequences
 Primarily driven by external auditors
Challenges of “Instant” Managers:
 Organizations and projects are, by nature, political
 The ultimate inspiration is the deadline
 Relying on ballpark estimates
 Victim of Parkinson’s Law – Work will expand to take the time allowed
 Balancing the Right and Left Brain
 “You can’t solve a problem with the same thinking that created it in the first place” (Albert Einstein)
Your Roles in Helping Them Out:
(“Instant” PM challenge → PMP-certified PM response)
 Organizations and projects are, by nature, political → Implement Project Integration Management
 The ultimate inspiration is the deadline → Project Time Management
 Relying on ballpark estimates → Project Scope Management: enforce the SOW and WBS
 Victim of Parkinson’s Law → Project HR Management
 Balancing the Right and Left Brain → Project Communications Management
 “You can’t solve a problem with the same thinking that created it in the first place” → Project Quality Management
Conducting an “instant” analysis of a SOX project:
(Principle → Action)
 Symptoms tell us we have a problem, but the symptom is not the problem itself → Identify and “kill” the bottlenecks quickly before they kill the project.
 Close-ended problems have single solutions; open-ended problems have multiple solutions → “Close-ended” requires a left-brained approach and “open-ended” requires a right-brained approach.
 If the definition is wrong, you will develop the right solution to the wrong problem → Clarify a shared understanding of the team’s mission.
 Where there is no vision, the people perish (Proverbs 29:18) → Confirm the team’s understanding of what the final result will look like.
Web Sites
 http://www.sec.gov/divisions/corpfin/faqs/soxact2002.htm
 http://cpcaf.aicpa.org/Resources/Sarbanes+Oxley/
 http://weblog.gartner.com/weblog/index.php?blogid=11
 http://www.pwcglobal.com
 http://www.protiviti.com/
Q&A
“Misunderstandings sometimes occur because of differences in thinking preferences”
Thank you for coming to our presentation today!