Using ITIL to Improve Sarbanes-Oxley Related Processes

Webcast, October 31, 2006, 2:00pm EST, 11:00am PST

George Spafford, Principal Consultant, Pepperweed Consulting

© 2006 Jupitermedia Corporation


Housekeeping

• Submitting questions to the speaker
  – Submit a question at any time by using the "Ask a question" section located on the lower left-hand side of your console.
  – Questions about presentation content will be answered during the 10 minute Q&A session at the end of the webcast.

• Technical difficulties?
  – Click on the "Help" link
  – Use the "Ask a question" interface


Main Presentation


Copyright Notices

• ITIL® is a registered trademark of the UK Office of Government Commerce, http://www.ogc.gov.uk/index.asp?id=2261

• COBIT® and IT Control Objectives for Sarbanes-Oxley® are trademarks of the Information Systems Audit and Control Association (ISACA), http://www.isaca.org

• Visible Ops is the copyright of the IT Process Institute, http://www.itpi.org

• This courseware is the property of Spafford Global Consulting, Inc.

• All other trademarks and company names are the property of their respective owners


Why Are People Really Attending?

• To learn about SOX, Risk and ITIL?
• Or is it really to learn how to improve costly compliance processes and optimize the overall corporate system?

• ITIL is a means to an end and not the real objective!

• We want to maximize sustainable profits for our investors


Agenda

• The Impacts of Sarbanes-Oxley (SOX)
• Introduction to
  – Risk Management
  – Controls
  – IT Infrastructure Library (ITIL)
• Key ITIL Processes for SOX


The Intent of the Sarbanes-Oxley Act of 2002:

To restore investor confidence in public companies


The Results

• Intended Results
  – Quality of filings did improve
  – Controls radically improved
    • Intentional malicious acts
    • Human error

• Unintended Results
  – Increased costs to companies
    • Economic
    • Accounting
  – Flight of foreign companies to other exchanges
  – Reduced public filings
  – Some public companies even went private


Need to Optimize

• Brute force projects implemented controls
• Attention shifted to sustainable controls
• The move is now to optimization
• To optimize
  – We must recognize that compliance is a business requirement that must be factored into the design of services!
  – We must start at the beginning – what are we doing and why?
  – We must recognize the importance of risk management


Why Is Risk Management So Important?

Limited Resources and Seemingly Unlimited Risks!

Companies need to understand and prioritize risks in order to focus compliance efforts.


The Goal Isn't This

[Figure: "Accurate Financial Reporting" alongside the functional areas Accounting, Manufacturing, Sales, Customer Service and Payroll]


This Is Our Goal!

[Figure: "Maximize Sustainable Profits" alongside the functional areas Accounting, Manufacturing, Sales, Customer Service and Payroll]

Hence a tension will always exist between balancing compliance and the need to attain our goal


Legal and Regulatory Compliance

• For Sarbanes-Oxley, we want to address risks to the financial reporting process.
• Regulatory compliance is best viewed as a risk that must be managed along with the organization's other risks holistically.
• This creates tension – too many controls waste resources yet too few risk internal control problems!
• Beware of over optimizing localized risks.
  – Turn off the lights and lock the doors
  – Need to manage risks to the organization – not just the department
• The objective is to arrive at a balance between risks, the costs of controls and the need to attain goals for the organization as a whole.
• Our greatest risk is going out of business.

[Figure: Risk plotted against Mitigation Cost]


What Is a Risk?

• The probability of a negative event impacting the realization of functional area objectives and/or organizational goals

• Key words
  – Probability – there is a degree of uncertainty
  – Impact – if the event happens, there will be results
  – Organization – focus on objectives and goals

• Does a risk matter if it doesn’t impact a functional area objective or organizational goal?

• In the world of SOX, we are just concerned with risks to the integrity of financial reporting

• Other regulations pose additional risks that must be factored in and managed holistically


Risk Management and SOX

• IT must work with senior management, accounting and internal audit – not around them!

• Critical financial processes must be identified
• Identify the critical financial systems that are involved
• Identify risks that are present to those financial systems
• Identify controls that are present and what the residual risk score is
• Is the remaining level of risk (the residual risk) acceptable to the relevant stakeholders?
  – If not, determine how to mitigate the risk
  – If the residual risk is acceptable, then document and continue to monitor it but otherwise don't do anything

• The Shewhart Cycle of Plan – Do – Check – Act applies to risk management as it spurs process evolution


Why Is IT Involved?

• Due to the critical financial systems
  – There isn't a manual paper trail any longer
  – The data resides in IT systems
  – The logic resides in IT systems and this includes automated control logic (if the credit score is X then do Y …)
  – The financial reports are generated, at least in part, by the systems
  – If the systems are compromised, then financial reporting is compromised
    • Fraud
    • Human error (statistically, this is the most likely source of any problems that will be encountered)
  – On average, over half of the SOX 404 findings in US firms in the last two years were from Information Technology (IT)

• Accounting has hundreds of years of history and evolution of controls
• The willing adoption and improvement of formal IT controls is still nascent

• Due to the potential of revised processes and automation
  – As compliant processes are defined, automation becomes possible


Using Risk Management to Navigate

• Risk Management identifies and prioritizes threats to financial reporting

• Controls identify “what” to do but not “how”

• Best practices such as ITIL and ISO 17799 identify “how” to implement controls

[Figure: Risk Management (COSO ERM); Control Identification (COBIT); Best Practices (ITIL, ISO, NIST, PMI, PRINCE2, etc.); Quality Management (ISO, Six Sigma, etc.). The Initial Risk Assessment begins it all.]


Controls


Use Controls to Manage Risk

• Risks cause variation around the achievement of objectives and goals

• Some variation is always present and inevitable

• By implementing processes with adequate controls, we strive to create a reasonable assurance that we can attain our objective

• In the case of SOX, our objective is the integrity of financial reporting

[Figure: control chart of a Measurement over Time, showing the Mean with lower and upper control limits (LCL, UCL)]
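The control chart sketched on this slide, as an added example that is not part of the webcast: the mean and three-sigma control limits are computed from an in-control baseline period, and later observations outside those limits are flagged. The metric (weekly count of changes that failed or were backed out), the baseline window and the values are all constructed for illustration.

```python
"""Shewhart-style control chart for a process metric.

Added example for this deck, not taken from the webcast. The metric, the
baseline window and the sample values are constructed for illustration.
"""
from statistics import mean, pstdev

# Constructed sample: weekly count of changes that failed or were backed out.
# The first eight weeks are treated as the in-control baseline period.
WEEKLY_FAILED_CHANGES = [4, 5, 3, 6, 4, 5, 4, 5,   # baseline, weeks 1-8
                         5, 4, 12, 3, 5, 0, 4]     # weeks 9-15 under monitoring
BASELINE_WEEKS = 8


def control_limits(baseline, k=3.0):
    """Return (mean, LCL, UCL) from an in-control baseline sample.

    Limits are mean +/- k standard deviations; k=3 is the usual Shewhart
    choice. Counts cannot go negative, so the LCL is floored at zero.
    """
    if len(baseline) < 2:
        raise ValueError("need at least two baseline observations")
    m = mean(baseline)
    sd = pstdev(baseline)
    lcl = max(0.0, m - k * sd)
    ucl = m + k * sd
    return m, lcl, ucl


def out_of_control(series, baseline_len, k=3.0):
    """Flag points after the baseline window that fall outside the limits.

    Returns a list of (index, value, 'above' | 'below'). Points inside the
    limits are ordinary common-cause variation and are not reported.
    """
    _, lcl, ucl = control_limits(series[:baseline_len], k)
    flagged = []
    for i, x in enumerate(series[baseline_len:], start=baseline_len):
        if x > ucl:
            flagged.append((i, x, "above"))
        elif x < lcl:
            flagged.append((i, x, "below"))
    return flagged


if __name__ == "__main__":
    m, lcl, ucl = control_limits(WEEKLY_FAILED_CHANGES[:BASELINE_WEEKS])
    print(f"mean={m:.2f} LCL={lcl:.2f} UCL={ucl:.2f}")
    for i, x, side in out_of_control(WEEKLY_FAILED_CHANGES, BASELINE_WEEKS):
        print(f"week {i + 1}: {x} is {side} the control limits")
```

Points inside the limits are the variation the slide says is always present; only the points outside them call for investigation or a redesign of the control, which is what "reasonable assurance" rather than "zero variation" means in practice.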


Controls

• A control may be a constraint but it is not synonymous
  – Only able to do 100 vs. 1000
  – The real question – what was the quality yield before and after?

• A correctly designed and implemented control may actually help you go faster
  – For example, brakes on a car are a control

• All controls should benefit the entity but not necessarily the locality. One area's productivity may be hindered in order for the overall entity to thrive
  – Why centralized compliance, risk management, and auditing functions can be beneficial

• Controls are a systemic design requirement
• Do not simply layer controls on top of existing processes without re-engineering
• Does anyone here like cars? Think back to the 1980s and the impact of regulatory emissions requirements on engines and vehicular performance


Two Control Frameworks

• IT Control Objectives for Sarbanes-Oxley from the IT Governance Institute (ITGI), which is part of the Information Systems Audit and Control Association (ISACA)
  – The best choice if SOX is all you are worried about
  – For many organizations, there are additional regulations and other risks to be mitigated as well
  – Second draft aligns with COBIT version four

• Control Objectives for Information and related Technology (COBIT) from ISACA
  – This is the control framework for the future
  – Versatility allows for a multitude of uses
  – Version four is very readable and a huge improvement over version three


Don’t Try to Eliminate Risk!

[Figure: Level of Assurance plotted against Level of Investment, approaching but never reaching 100%]

• You can spend a fortune and you will never truly hit a 100% level of assurance

• The objective is to lower risk to an acceptable level, not eliminate it because that is not possible!

• Work with senior management and Internal Audit to define what level of residual risk is acceptable

• There is no prize for overly controlled processes – only costs


To implement controls we need company specific processes

We need to design and implement "controlled processes" based on the goals, functional area objectives, resources, risk appetite and constraints of the firm.


"We should work on the processes, not the outcome of the processes." -- W. Edwards Deming


Organizational Change

• Compliance with regulations represents design requirements

• Changes to processes and mindsets represent cultural change

• Use ITIL and other best practices to compress the curve and increase the probability of success

• Use formal project management to implement processes

• Do not forget the soft skills needed to foster the changes you need

[Figure: Productivity over Time through a change: Status Quo, Change Event, Chaos, Learning Begins, Fine Tuning, New Status Quo]


Process Improvement

• The business will change over time

• Resources will change over time

• Risks will change over time

• … and so too must the manner in which IT chooses to manage those risks

Where do we want to be? – Vision and Objectives

Where are we now? – Audits / Assessments

How do we get to where we want to be? – Process Improvement (Leverage Best Practices)

How do we monitor progress? – Metrics and Critical Success Factors

* Adapted from ITIL Service Support graphic


Compliance Necessitates Continuous Process Improvement

• Compliance to process
• Effectiveness
• Efficiency
• Economy
• Equality
• You either follow a process or formally change it. There is no other option.

[Figure: Plan – Do – Check – Act cycle labelled Process Improvement]


IT Infrastructure Library (ITIL)


What ITIL Represents

• ITIL is the de facto standard approach towards IT Service Management
• Developed initially in the UK in the late 1980s
• A new "refresh" will be published in April 2007
• Yes, ITIL is a collection of best practices but it is far more than that
• It is about IT delivering quality services that meet the needs of the organization
• IT services enable business processes that, in turn, enable the business to meet goals
• It is a fundamental shift from a focus on technology to a focus on customer service and quality


The ITIL Books

1. Introduction to ITIL

2. Service Support

3. Service Delivery

4. Planning to Implement Service Management

5. Security Management

6. The Business Perspective

7. ICT Infrastructure Management

8. Application Management

9. Small-Scale Implementation

10. Software Asset Management

My stack of the first 9 books is five inches thick, weighs 15.6 pounds and cost over $1,000 USD


Service Support and Delivery Are the Core Books

• Service Support
  – Change Management
  – Configuration Management
  – Service Desk
  – Incident Management
  – Problem Management

• Service Delivery
  – Service Level Management
  – Capacity Management
  – Availability Management
  – IT Financial Management
  – IT Service Continuity Management

[Figure label: IT Security]


Experience Matters

• The books are great resources but don’t give the whole picture

• The books describe ideal states and organizations must still determine how best to start, what to do, etc.

• Classes can help – but do not do the "ITIL by Lemming Method", sending everyone to classes without a plan

• The itSMF has Local Interest Groups (LIGs) where people can exchange ideas

• Experienced practitioners can make a tremendous difference in terms of accelerating implementation and avoiding pitfalls
  – New hires and/or consultants

• Bear in mind that this requires organizational change and the right people must be involved with the right plan and the right resources


Important ITIL Processes for Consideration

Note: What IT and Management identify as key controls drives process adoption from a compliance perspective.


At Odds?

• Are compliance, security and good business mutually exclusive?

• No, but they don’t always overlap either

• Pick key controls judiciously

• Implement company specific processes and leverage best practices

[Figure: overlapping circles for Operational Excellence, Compliance and Security]


Control and Release Processes: The Trinity

• Quite possibly the three most important processes in terms of regulatory compliance

• Change Management: the set of standardized processes and tools used to handle change requests in order to support the business while managing risks. (Risk Management)

• Release Management: uses formal controls and processes to safeguard the production environment. Coordinates the rollout of changes. (Quality Control)

• Configuration Management: focuses on tracking and documenting configurations and then providing this information to other areas including Change and Release Management. Configuration tracks relationships to understand who is affected and assesses impact. (Logical Model of the IT World)

For more information about a central configuration, change and release function see the ITIL Service Support volume, Annex 7A


Change Management

• This is a very key control for compliance, security and operational excellence
  – 80% of availability problems are related to human error
  – Fraud gets the majority of press coverage but it is human error that is most likely to cause integrity/security problems

• The integrity of services can only be guaranteed if changes are controlled
  – A baselined system without change management can no longer be considered baselined!

• An objective detective control is vital
• This process has a needlessly bad reputation – it must be designed and implemented based on organizational needs including risks
  – This is a process area where expertise can really help.

• The IT Process Institute's Visible Ops methodology offers additional insight – http://www.itpi.org


Release Management

• This is about quality
• Defining standards for releases
• Understanding requirements, testing, gaining approval
• Project Planning is integral
• With the need to ensure that critical financial systems are properly designed, tested and approved, this process is vital


Configuration Management

• Configuration Management is about having a logical model of IT that includes relationships between configuration items
  – Services, Hardware, Software, Documentation, Data Records, People, Facilities, etc.

• If something is important enough to be in Configuration Management then it must be controlled by Change Management and vice versa

• Configuration Management never goes in first!
  – If it goes in first, integrity/accuracy can not be safeguarded

• Either Change Management first or Change and Configuration Management at the same time
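The objective detective control the Change Management slide calls vital, together with the Configuration Management rule that whatever is tracked as a configuration item must be governed by Change Management, as an added example that is not part of the webcast, ITIL or Visible Ops: hash the configuration items of a critical financial system, compare the result against the recorded baseline, and reconcile every difference against the approved change records. Any difference without a matching approved record is an unauthorized change, and a baseline with unreconciled differences is no longer a baseline. The file paths, contents and change record identifiers are constructed for illustration; in a real deployment the snapshot would be taken from the host and the records pulled from the change tool.

```python
"""Detective control: reconcile configuration drift against change records.

Added example for this deck, not from the webcast, ITIL or Visible Ops.
Paths, file contents and change record IDs below are constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeRecord:
    change_id: str
    paths: frozenset      # configuration items the change was approved to touch
    approved: bool        # only approved records authorize a difference


def snapshot(files):
    """Map path -> SHA-256 hex digest for an in-memory {path: bytes} tree."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def detect_drift(baseline, current):
    """Return (added, removed, modified) path sets versus the baseline."""
    added = set(current) - set(baseline)
    removed = set(baseline) - set(current)
    modified = {p for p in set(baseline) & set(current) if baseline[p] != current[p]}
    return added, removed, modified


def reconcile(baseline, current, change_records):
    """Split detected differences into authorized and unauthorized paths.

    A difference is authorized only when an approved change record names that
    path. Pending or rejected records do not count; an emergency change that
    was never recorded shows up here as unauthorized, which is the point.
    """
    added, removed, modified = detect_drift(baseline, current)
    authorized_paths = set()
    for rec in change_records:
        if rec.approved:
            authorized_paths |= rec.paths
    changed = added | removed | modified
    authorized = sorted(p for p in changed if p in authorized_paths)
    unauthorized = sorted(p for p in changed if p not in authorized_paths)
    return authorized, unauthorized


# ----- constructed scenario for a hypothetical general-ledger posting system ----
BASELINE_FILES = {
    "/opt/gl/bin/postjournal": b"binary-v1",
    "/opt/gl/conf/posting.rules": b"credit_limit=10000\n",
    "/opt/gl/conf/db.ini": b"host=gl-db-01\n",
}
CURRENT_FILES = {
    "/opt/gl/bin/postjournal": b"binary-v2",                # covered by CHG-1042
    "/opt/gl/conf/posting.rules": b"credit_limit=99999\n",  # CHG-1043 not approved
    "/opt/gl/conf/db.ini": b"host=gl-db-01\n",              # unchanged
    "/opt/gl/conf/debug.flag": b"1\n",                      # new file, no record
}
CHANGE_RECORDS = [
    ChangeRecord("CHG-1042", frozenset({"/opt/gl/bin/postjournal"}), approved=True),
    ChangeRecord("CHG-1043", frozenset({"/opt/gl/conf/posting.rules"}), approved=False),
]


def run_check():
    """Run the detective control over the constructed scenario."""
    return reconcile(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES), CHANGE_RECORDS)


if __name__ == "__main__":
    ok, bad = run_check()
    print("authorized changes:  ", ok)
    print("UNAUTHORIZED changes:", bad)
```

The check is objective because it compares hashes, not intentions, and it is only meaningful when the change records are kept in a system the operators cannot edit after the fact; run it on a schedule and treat every unauthorized path as an incident to be either backed out or retroactively reviewed through Change Management.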


An Additional Function and Processes for Consideration


Service Desk Function

• Serves as the Single Point of Contact (SPOC) for IT
• Effective interpersonal communication is a skill
• Reduces interruptions to IT staff
• Facilitates coordination of activities
• Ensures proper recording of activity
• Often overlaps with Incident Management
• From a SOX perspective, it allows for activity logs to be generated


Incident Management

• Concerned with services not operating normally or threats to services
• Objective is speedy restoration of service
• Automated alerts should feed into Incident Management
• Allows for tracking of incidents related to critical financial systems / services


Problem Management

• Seeks to establish the root cause of incidents
• Proactive aspect wants to prevent incidents from happening in the first place
• This makes a lot of sense from an operational excellence perspective
• It could be involved with compliance if there are concerns about availability, security, etc.


Diminishing Returns

• The power of ITIL lies in its systemic integration of processes areas – not simply piecemeal adoption

• Any single process in isolation will reach a level of diminishing returns

• As Goldratt has taught us, to optimize the throughput of a system requires optimization of the system – not just one area

• Continuous improvement requires a systemic mentality of adoption and continuous refinement

• Each area both draws information from, and supplies information to, other processes and functions

[Figure: web of interlinked process areas: Service Level Management, Change Management, Incident Management, Problem Management, Service Desk Function, Configuration Management, Capacity Management, Availability Management, IT Financial Management, IT Service Continuity Management, IT Security Management]


In Summary

• SOX compliance must be driven by risks
• Necessitates that IT work with the business and vice versa
• Controls are identified to reduce residual risks to a level acceptable to management
• Controlled processes must be implemented with best practices in mind
  – Compliance is a systemic requirement now and for the future

• ITIL offers not just best practices but a quality management framework for IT

• Risk Management and Continuous Process Improvement must be leveraged for optimization


Thank you for the privilege of facilitating this webcast

George Spafford
[email protected]
http://www.pepperweed.com

Daily News Archive and Subscription Instructions: http://www.spaffordconsulting.com/dailynews.html


Questions?


Thank you for attending. If you have any further questions, e-mail [email protected]