© 2006 Jupitermedia Corporation Webcast Title Using ITIL to Improve SOX Related Processes Using ITIL to Improve Sarbanes- Oxley Related Processes October 31, 2006 2:00pm EST, 11:00am PST George Spafford, Principal Consultant Pepperweed Consulting
Oct 31, 2014
© 2006 Jupitermedia Corporation
Webcast TitleUsing ITIL to Improve SOX Related Processes
Using ITIL to Improve Sarbanes-Oxley Related Processes
October 31, 20062:00pm EST, 11:00am PST
George Spafford, Principal ConsultantPepperweed Consulting
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Housekeeping
• Submitting questions to speaker– Submit question at any time by using the “Ask a question”
section located on lower left-hand side of your console.– Questions about presentation content will be answered
during 10 minute Q&A session at end of webcast.
• Technical difficulties?– Click on “Help” link– Use “Ask a question” interface
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Main Presentation
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Copyright Notices
• ITIL® is a registered trademark of the UK Office of Government Commercehttp://www.ogc.gov.uk/index.asp?id=2261
• COBIT® and IT Control Objectives for Sarbanes-Oxley ® are the trademarks of the Information Security Audit and Control Organizationhttp://www.isaca.org
• Visible Ops is the copyright of the IT Process Institutehttp://www.itpi.org
• This courseware is the property of Spafford Global Consulting, Inc.
• All other trademarks and company names are the property of their respective owners
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Why Are People Really Attending?
• To learn about Sox, Risk and ITIL?• Or is it really to learn how to improve costly
compliance processes and optimize the overall corporate system?
• ITIL is a means to an ends and not the real objective!
• We want to maximize sustainable profits for our investors
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Agenda
• The Impacts of Sarbanes-Oxley (SOX)• Introduction to
– Risk Management– Controls– IT Infrastructure Library (ITIL)
• Key ITIL Processes for SOX
© 2006 Jupitermedia Corporation
Webcast TitleUsing ITIL to Improve SOX Related Processes
The Intent of the Sarbanes-Oxley Act of 2002:
To restore investor confidence in public companies
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
The Results
• Intended Results– Quality of filings did improve– Controls radically improved
• Intentional malicious acts• Human Error
• Unintended Results– Increased costs to companies
• Economic• Accounting
– Flight of foreign companies to other exchanges– Reduced public filings– Some public companies even went private
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Need to Optimize
• Brute force projects implemented controls• Attention shifted to sustainable controls• The move is now to optimization• To optimize
– We must recognize that compliance is a business requirement that must be factored into the design of services!
– We must start at the beginning – what are we doing and why?
– We must recognize the importance of risk management
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Why Is Risk Management So Important?
Limited Resources and Seemingly Unlimited Risks!
Companies need to understand and prioritize risks in order to focus compliance efforts.
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
The Goal Isn’t This
Accurate Financial Reporting
Accounting Manufacturing
Sales Customer ServicePayroll
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
This Is Our Goal!
Maximize Sustainable
Profits
Accounting Manufacturing
Sales Customer ServicePayroll
Hence a tension will always exist between balancing compliance and the need to attain our goal
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Legal and Regulatory Compliance• For Sarbanes-Oxley, we want to address
risks to the financial reporting process.• Regulatory compliance is best viewed as
a risk that must be managed along with the organization’s other risks holistically.
• This creates tension – too many controls waste resources yet too few risk internal control problems!
• Beware of over optimizing localized risks.– Turn off the lights and lock the doors– Need to manage risks to the organization – not
just the department
• The objective is to arrive at a balance between risks, the costs of controls and the need to attain goals for the organization as a whole.
• Our greatest risk is going out of business.
Risk Mitigation Cost
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
What Is a Risk?
• The probability of a negative event impacting the realization of functional area objectives and/or organizational goals
• Key words– Probability – there is a degree of uncertainty– Impact – if the event happens, there will be results– Organization – focus on objectives and goals
• Does a risk matter if it doesn’t impact a functional area objective or organizational goal?
• In the world of SOX, we are just concerned with risks to the integrity of financial reporting
• Other regulations pose additional risks that must be factored in and managed holistically
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Risk Management and SOX
• IT must work with senior management, accounting and internal audit – not around them!
• Critical financial processes must be identified• Identify the critical financial systems that are involved• Identify risks that are present to those financial systems• Identify controls that are present and what the residual risk
score is• Is the remaining level of risk (the residual risk) acceptable to the
relevant stakeholders?– If not, determine how to mitigate the risk– If the residual risk is acceptable, then document and continue to monitor
it but otherwise don’t do anything
• The Shewhart Cycle of Plan – Do – Check – Act applies to risk management as it spurs process evolution
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Why Is IT Involved?
• Due to the critical financial systems– There isn’t a manual paper trail any longer– The data resides in IT systems– The logic resides in IT systems and this includes automated control logic (If
the credit score is X then do Y …)– The financial reports are generated, at least in part, by the systems– If the systems are compromised, then financial reporting is compromised
• Fraud• Human Error (Statistically, this is the most likely source of any problems that will be
encountered)
– On average, over half of the SOX 404 findings in US firms in the last two years were from Information Technology (IT)
• Accounting has hundreds of years of history and evolution of controls• The willing adoption and improvement of formal IT controls is still nascent
• Due to the potential of revised processes and automation– As compliant processes are defined, automation becomes possible
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Using Risk Management to Navigate
• Risk Management identifies and prioritizes threats to financial reporting
• Controls identify “what” to do but not “how”
• Best practices such as ITIL and ISO 17799 identify “how” to implement controls
Control Identification (COBIT)
RIS
K M
AN
AG
EM
EN
T
(CO
SO
ER
M)
Quality Management (IS0, Six Sigma, etc)
BE
ST
PR
AC
TIC
ES
(IT
IL, ISO
, NIS
T,
PM
I, PR
INC
E2, etc)
Initial Risk Assessment
Begins it all
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Controls
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Use Controls to Manage Risk
• Risks cause variation around the achievement of objectives and goals
• Some variation is always present and inevitable
• By implementing processes with adequate controls, we strive to create a reasonable assurance that we can attain our objective
• In the case of SOX, our objective is the integrity of financial reporting
ME
AS
UR
EM
EN
T
TIME
Mean
LCL
UCL
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Controls
• A control may be a constraint but it is not synonymous– Only able to do 100 vs. 1000– The real question – what was the quality yield before and after?
• A correctly designed and implemented control may actually help you go faster
– For example, brakes on a car are a control
• All controls should benefit the entity but not necessarily the locality. One area’s productivity may be hindered in order for the overall entity to thrive
– Why centralized compliance, risk management, and auditing functions can be beneficial
• Controls are a systemic design requirement• Do not simply layer controls on top of existing processes without re-
engineering• Does anyone here like cars? Think back to the 1980s and the impact of
regulatory emissions requirements on engines and vehicular performance
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Two Control Frameworks
• IT Control Objectives for Sarbanes-Oxley from the IT Governance Institute (ITGI) who is part of the Information Systems Audit and Control Association (ISACA)– The best choice if SOX is all you are worried about– For many organizations, there are additional regulations and other
risks to be mitigated as well– Second draft aligns with COBIT version four
• Control Objectives for Information and related Technologies (COBIT) from ISACA.– This the control framework for the future– Versatility allows for a multitude of uses– Version four is very readable and a huge improvement over version
three
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Don’t Try to Eliminate Risk!
Lev
el o
f A
ssu
ran
ceLevel of Investment
100%• You can spend a fortune and
you will never truly hit a 100% level of assurance
• The objective is to lower risk to an acceptable level, not eliminate it because that is not possible!
• Work with senior management and Internal Audit to define what level of residual risk is acceptable
• There is no prize for overly controlled processes – only costs
© 2006 Jupitermedia Corporation
Webcast TitleUsing ITIL to Improve SOX Related Processes
To implement controls we need company specific processes
We need to design and implement “controlled processes” based on the goals, functional area objectives, resources, risk appetite
and constraints of the firm.
© 2006 Jupitermedia Corporation
Webcast TitleUsing ITIL to Improve SOX Related Processes
"We should work on the processes, not the outcome of the processes.“ -- W. Edwards Deming
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Organizational Change
• Compliance to regulations represent design requirements
• Changes to processes and mindsets represent cultural change
• Use ITIL and other best practices to compress the curve and increase the probability of success
• Use formal project management to implement processes
• Do not forget the soft skills needed to foster the changes you need
STATUS QUO
CHAOS
NEW STATUS QUO
LEARNING BEGINS
FINE TUNING
CHANGE EVENT
TimeP
rod
uctiv
ity
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Process Improvement
• The business will change over time
• Resources will change over time
• Risks will change over time
• … and so to must the manner in which IT chooses to manage those risks
Where do we want to be?
Where are we now?
How do we get to where we want to be?
How do we monitorProgress?
Vision and Objectives
Audits / Assessments
Process Improvement(Leverage Best Practices)
Metrics and Critical Success Factors
* Adapted from ITIL Service Support Graphic
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Compliance Necessitates Continuous Process Improvement
• Compliance to process• Effectiveness• Efficiency• Economy• Equality• You either follow a
process or formally change it. There is no other option.
PLAN
CHECK
Process Improvement
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
IT Infrastructure Library (ITIL)
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
What ITIL Represents
• ITIL is de facto standard approach towards IT Service Management
• Developed initially in the UK in the late 1980s• A new “refresh” will be published in April 2007• Yes, ITIL is a collection of best practices but it is far more
than that• It is about IT delivering quality services that meet the needs
of the organization• IT services enable business processes that, in turn, enable
the business to meet goals• It is a fundamental shift from a focus on technology to a
focus on customer service and quality
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
The ITIL Books
1. Introduction to ITIL
2. Service Support
3. Service Delivery
4. Planning to Implement Service Management
5. Security Management
6. The Business Perspective
7. ICT Infrastructure Management
8. Application Management
9. Small-Scale Implementation
10. Software Asset Management
My stack of the first 9 books is five inches thick, weighs 15.6 pounds and cost over $1,000 USD
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Service Support and Delivery Are the Core Books
• Service Support– Change Management
– Configuration Management
– Service Desk
– Incident Management
– Problem Management
• Service Delivery– Service Level Management
– Capacity Management
– Availability Management
– IT Financial Management
– IT Service Continuity Management
IT Security
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Experience Matters
• The books are great resources but don’t give the whole picture
• The books describe ideal states and organizations must still determine how best to start, what to do, etc.
• Classes can help – but do not do the “ITIL by Leming Method” sending everyone to classes without a plan
• The itSMF has Local Interest Groups (LIGs) where people can exchange ideas
• Experienced practitioners can make a tremendous difference in terms of accelerating implementation and avoiding pitfalls– New hires and/or consultants
• Bear in mind that this requires organizational change and the right people must be involved with the right plan and the right resources
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Important ITIL Processes for Consideration
Note: What IT and Management identify as key controls drives process adoption from a compliance perspective.
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
At Odds?
• Are compliance, security and good business mutually exclusive?
• No, but they don’t always overlap either
• Pick key controls judiciously
• Implement company specific processes and leverage best practices
Operational Excellence
ComplianceSecurity
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Control and Release Processes: The Trinity
• Quite possibly the three most important processes in terms of regulatory compliance
• Change Management Is the set of standardized processes and tools used to handle change requests in order to support the business while managing risks. (Risk Management)
• Release ManagementUses formal controls and processes to safeguard the production environment. Coordinates the rollout of changes. (Quality Control)
• Configuration ManagementFocuses on tracking and documenting configurations and then providing this information to other areas including Change and Release Management. Configuration tracks relationships to understand who is affected and assesses impact. (Logical Model of the IT World)
For more information about a central configuration, change and release function see the ITIL Service Support volume,
Annex 7A
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Change Management
• This is a very key control for compliance, security and operational excellence
– 80% of availability problems are related to human error– Fraud gets the majority of press coverage but it is human error that is most likely to
cause integrity/security problems
• The integrity of services can only be guaranteed if changes are controlled– A baselined system without change management can no longer be considered
baselined!
• An objective detective control is vital• This process has a needlessly bad reputation – it must be designed and
implemented based on organizational needs including risks– This is a process area where expertise can really help.
• The IT Process Institute’s Visible Ops methodology offers additional insight – http://www.itpi.org
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Release Management
• This is about quality• Defining standards for releases• Understanding requirements, testing, gaining
approval• Project Planning is integral• With the need to ensure that critical financial
systems are properly designed, tested and approved, this process is vital
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Configuration Management
• Configuration Management is about having a logical model of IT that includes relationships between configuration items– Services, Hardware, Software, Documentation, Data Records,
People, Facilities, etc.
• If something is important enough to be in Configuration Management then it must be controlled by Change Management and vice versa
• Configuration Management never goes in first! – If it goes in first, integrity/accuracy can not be safeguarded
• Either Change Management first or Change and Configuration Management at the same time
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
An Additional Function and Processes for Consideration
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Service Desk Function
• Serves as the Single Point of Contact (SPOC) for IT
• Effective interpersonal communication is a skill• Reduces interruptions to IT staff• Facilitates coordination of activities• Ensures proper recording of activity• Often overlaps with Incident Management• From a SOX perspective, it allows for activity logs
to be generated
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Incident Management
• Concerned with services not operating normally or threats to services
• Objective is speedy restoration of service• Automated alerts should feed into Incident
Management• Allows for tracking of incidents related to critical
financial systems / services
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Problem Management
• Desires to establish the root cause of incidents• Proactive aspect wants to prevent incidents from
happening in the first place• This makes a lot of sense from an operational
excellence perspective• It could be involved with compliance if there are
concerns about availability, security, etc.
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Diminishing Returns
• The power of ITIL lies in its systemic integration of processes areas – not simply piecemeal adoption
• Any single process in isolation will reach a level of diminishing returns
• As Goldratt has taught us, to optimize the throughput of a system requires optimization of the system – not just one area
• Continuous improvement requires a systemic mentality of adoption and continuous refinement
• Each area both draws information from, and supplies information to, other processes and functions
Service LevelManagement
ChangeManagement
IncidentManagement
ProblemManagement
Service DeskFunction
ConfigurationManagement
CapacityManagement
AvailabilityManagement
IT FinancialManagement
IT ServiceContinuity
Management
IT SecurityManagement
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
In Summary
• SOX compliance must be driven by risks• Necessitates that IT work with the business and vice versa• Controls are identified to reduce residual risks to a level
acceptable to management• Controlled processes must be implemented with best
practices in mind– Compliance is a systemic requirement now and for the future
• ITIL offers not just best practices but a quality management framework for IT
• Risk Management and Continuous Process Improvement must be leveraged for optimization
© 2006 Jupitermedia Corporation
Webcast TitleUsing ITIL to Improve SOX Related Processes
Thank you for the privilege of facilitating this webcast
George [email protected] http://www.pepperweed.com
Daily News Archive and Subscription Instructionshttp://www.spaffordconsulting.com/dailynews.html
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Questions?
© 2006 Jupitermedia Corporation
Using ITIL to Improve SOX Related Processes
Thank you for attendingIf you have any further questions, e-mail