Sarbanes Oxley & CMMI
Mazars / Lamri, April 2005
Agenda
- What is Sarbanes Oxley?
- COSO Framework (1992 & 2004)
- What does SOX mean for IT?
- Control frameworks: what is available
- CMMI: how does it address the SOX agenda
- CMMI Based Appraisals: giving confidence
- Summary
What is Sarbanes Oxley (SOX)?
The single most important piece of legislation affecting corporate governance, financial disclosure and the practice of public accounting since the US securities laws of the early 1930s.
What is Sarbanes Oxley (SOX)?
- US law passed in 2002
- Objective: strengthen corporate governance and restore investor confidence
- Why: response to major corporate and accounting scandals in prominent companies in the USA
What Does SOX Address?
- New responsibilities for boards of directors
- New responsibilities for management of public companies
- More powers for the Securities and Exchange Commission (SEC)
- Created the Public Company Accounting Oversight Board (PCAOB)
- Criminal penalties for corporate management
What Does SOX Address? Section 302 versus Section 404
- Who: Section 302, management; Section 404, independent auditors
- When: Section 302, July 2002; Section 404, year-ends beginning 15/11/2004**
- What: Section 302, management certification; Section 404, management conclusion on the company's internal control over financial reporting, plus auditor attestation
- Frequency: Section 302, quarterly; Section 404, annual
What Does SOX Mean for UK Companies?
Public companies:
- US listed, or listed parent
- SEC registrants
Private companies:
- Entering a public market (IPO)
- Acquisition target
- Best in class internal control framework
- Complex third parties / relationships with US listed companies
- Dispersed shareholdings
COSO
- Voluntary organisation
- 1985: Commission on Fraudulent Financial Reporting
- SEC final rules refer to COSO
- COSO framework: application of SOX
- Original COSO framework: Internal Control
- 2004 COSO framework: Integrated Enterprise
COSO & Internal Control
1. The control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring
1 + 2 + 3 + 4 + 5 = integrated system of controls
COSO & Integrated Framework 2004
- Expands the original framework
- Includes objective setting
- Entity objectives: Strategic, Operations, Reporting, Compliance
What Does it Mean for IT?
- IT is a key component of IT controls
- IT supports corporate reporting and compliance
- IT controls exist at company level, business process level and IT function level
- 2004 PwC survey: 46% increase in IT budget
What Does it Mean for IT? Example: Application Interfaces
- The interface can only be run once for each data set
- Values are completely and accurately transferred from source to target
- Only valid transactions are processed
- Evidence of successful processing is recorded
- In-progress run errors are notified to the operator
Difficult to evaluate: look to maturity models
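As an added illustration that is not from the Mazars / Lamri deck, the following constructed Python sketch enforces the five interface controls listed on the slide in one batch run: a content fingerprint refuses a second run of the same data set, records are validated before loading, record count and hash total are reconciled between source and target with rollback on mismatch, and every run, successful or failed, leaves an evidence record and routes failures to the operator. All names and the validity rule are assumptions.

```python
"""Constructed batch-interface run demonstrating the five slide controls (assumed names)."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable


class InterfaceError(Exception):
    """Any control failure; the message is what the operator sees."""


def fingerprint(dataset: list) -> str:
    # Content hash identifies a data set regardless of file name or arrival time
    return hashlib.sha256(json.dumps(dataset, sort_keys=True).encode()).hexdigest()


def is_valid(rec: dict) -> bool:
    # Constructed validity rule: non-empty id and a positive numeric amount
    return bool(rec.get("id")) and type(rec.get("amount")) in (int, float) and rec["amount"] > 0


@dataclass
class Interface:
    target: list = field(default_factory=list)    # destination, e.g. a ledger table
    evidence: list = field(default_factory=list)  # audit trail, one entry per run
    processed: set = field(default_factory=set)   # fingerprints of data sets already run
    notify: Callable[[str], None] = print         # operator notification channel

    def run(self, dataset: list) -> dict:
        fp, before = fingerprint(dataset), len(self.target)
        record = {"dataset": fp[:12], "at": datetime.now(timezone.utc).isoformat()}
        try:
            if fp in self.processed:                     # control 1: run once per data set
                raise InterfaceError(f"data set {fp[:12]} already processed")
            valid = [r for r in dataset if is_valid(r)]  # control 3: only valid transactions
            self.target.extend(dict(r) for r in valid)
            moved = self.target[before:]
            # control 2: reconcile record count and hash total between source and target
            if len(moved) != len(valid) or sum(r["amount"] for r in moved) != sum(r["amount"] for r in valid):
                raise InterfaceError("reconciliation failed: count or total mismatch")
            self.processed.add(fp)
            record.update(status="ok", loaded=len(valid), rejected=len(dataset) - len(valid),
                          total=sum(r["amount"] for r in valid))
        except InterfaceError as exc:
            del self.target[before:]                     # roll back any partial load
            record.update(status="error", detail=str(exc))
            self.notify(f"INTERFACE ERROR: {exc}")       # control 5: tell the operator
            self.evidence.append(record)                 # control 4: evidence even on failure
            raise
        self.evidence.append(record)                     # control 4: evidence of success
        return record
```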
Addressing the Problem
How to demonstrate control?
Control Frameworks: What is Available?
BS7799 / ISO…, ISO 9000:2000, ITIL, COBIT, ITSM, SAS70, Baldrige, FRAG 21, CMMI, EFQM BEM, SW-CMM, SPICE, SE-CMM
Strengths of CMMI
- Integrated model
- Directly involves senior management
- Improvement model
- Customise the approach to fit the organisation's need, e.g. staged or continuous representation
- Appraisal methods

Integrated model
- SW, Systems, IPPD & SS
- Integrated approach with business objectives

Directly involves senior management
- The model directly requires senior management participation
- It gives specific "hints" on where and how senior management should be involved
- The model is strong on linking measurement needs to management information needs

Improvement model
- It doesn't just give you a model, but also helps you chart your way through
- A model of how to introduce change into a business and still stay in control

Appraisal methods
- Rigorous, repeatable approach (Class A) through to quick and dirty (Class C)
- A means of evaluating progress
- A means of demonstrating control of improvement
- Appraisal of maturity demonstrates a level of control
Remember: a model is not a process. The model shows what to do, NOT how to do it or who does it.
How Can CMMI Help?
(Diagram: CMMI & ITIL, with areas marked as strong influence and some influence.)
Software Development & Maintenance: maturity levels and process areas (staged representation)
- 5, Optimising: Organisational Innovation & Deployment; Causal Analysis & Resolution
- 4, Quantitatively Managed: Organisational Process Performance; Quantitative Project Management
- 3, Defined: Organisational Process Focus; Organisational Process Definition; Organisational Training; Organisational Environment for Integration; Integrated Teaming; Decision Analysis & Resolution; Integrated Supplier Management; Requirements Development; Product Integration; Risk Management; Integrated Project Management; Technical Solution; Verification; Validation
- 2, Managed: Requirements Management; Project Planning; Project Monitoring & Control; Supplier Agreement Management; Measurement & Analysis; Process & Product Quality Assurance; Configuration Management
The story is one of developing the ability to control software development and maintenance as the maturity of the organisation increases:
- Maturity level 2: the organisation can demonstrate a basic level of controls
- Engineering process areas build on the control obtained at ML2, but also apply directly within the application controls
CMMI Continuous Representation: process areas by category
- Project Management: Project Planning; Project Monitoring & Control; Supplier Agreement Management; Risk Management; Integrated Teaming; Integrated Project Management; Quantitative Project Management; Integrated Supplier Management
- Engineering: Requirements Management; Requirements Development; Technical Solution; Validation; Verification; Product Integration
- Support: Configuration Management; Measurement & Analysis; Process & Product Quality Assurance; Decision Analysis & Resolution; Causal Analysis & Resolution; Organisational Environment for Integration
- Process Management: Organisational Process Focus; Organisational Process Definition; Organisational Training; Organisational Innovation & Deployment; Organisational Process Performance
Capability levels: 5 Optimising; 4 Quantitatively Managed; 3 Defined; 2 Managed; 1 Performed; 0 Incomplete
Institutionalisation: The Generic Practices
- GP 2.1: Establish an Organisational Policy
- GP 2.2: Plan the Process
- GP 2.3: Provide Resources
- GP 2.4: Assign Responsibility
- GP 2.5: Train People
- GP 2.6: Manage Configurations
- GP 2.7: Identify and Involve Relevant Stakeholders
- GP 2.8: Monitor and Control the Process
- GP 2.9: Objectively Evaluate Adherence
- GP 2.10: Review Status with Higher Level Management
SOX, CMMI & ITIL: BS15000 service management process groups, with the CMMI process areas shown alongside each group
- Service delivery processes (Information Security Management; Capacity Management; Service Level Management; Service Continuity & Availability Management; Service Reporting; Budgeting & Accounting for IT Services): PP & OPP (partially); MA & GP 2.8
- Control processes (Configuration Management; Change Management): CM
- Release processes (Release Management): PI
- Resolution processes (Incident Management; Problem Management): PPQA; CAR
- Relationship processes (Business Relationship Management; Supplier Management): OPF; SAM & ISM
Source: BS15000-1:2002
CMMI Based Appraisals: Giving Confidence
CMMI Appraisal Method Classes
- Amount of objective evidence gathered (relative): Class A high; Class B medium; Class C low
- Ratings generated: Class A yes; Classes B and C no
- Resource needs and team size (relative): large for Class A, down to small for Class C
- Appraisal team leader requirements: Class A, lead appraiser; Class B, lead appraiser or a person trained and experienced; Class C, a person trained and experienced
Speaker notes: State that there are three classes of appraisals. They are described in a requirements document that can be found on the CMMI web site. The three key differentiating attributes for appraisal classes are: degree of confidence in the appraisal outcomes; the generation of ratings; appraisal cost and duration. State that Class C is the least formal; organizations may choose to use it very routinely (maybe monthly). State that Class B is more formal; organizations may choose to use it periodically (maybe every 6-12 months). State that Class A is very formal; organizations must use Class A if a rating is desired.
Extracted from Appraisal Requirements for CMMI, Version 1.1 (ARC) (CMU/SEI-2001-TR-034)
Features of SCAMPI Appraisals
- Team approach: internal and external team members
- Rigorous method: repeatable
- Objective evidence based (PIIDs): direct, indirect and affirmation
- Generates specific data for process improvement
Rigour + part of the PI effort = organisation establishing control
Summary
- Sarbanes Oxley brings new requirements for organisations to demonstrate control of their processes
- CMMI is one vehicle that can be used to demonstrate this compliance
- CMMI's advantages: an integrated model; process areas and practices provide tangible steps; the appraisal process provides confidence and evidence of the way forward
Questions?
SCAMPI Class A Pre On-site Activities This graphic is notional and does not represent a specific time line. As a Lead Appraiser, identify the pre on-site activities that have been performed, and identify to the participants that they are now on the box labeled “Train Team.” You will see this slide again in Module D several times. Each time it appears, a dark red box will appear in the background indicating the particular area of focus for the upcoming slides. The red box will move as the course progresses.
SCAMPI Class A On-site Activities Identify that the blue box “Confirming Practice Implementation” is where the team will be spending most of its time. Three modules are dedicated to this box (Modules E, F, and G). When the class gets to these modules, this box will be expanded to identify the detailed tasks. Note: The Report Results phase is included in this graphic
Characterizing Practice Implementation Point out that "Characterizing" will be covered in Module G in a great deal of detail. Point out that the term "substantial" is used here versus "significant", which is the term used when rating. The instructor should make the students aware of how to characterize the following potential situation: "Situations where the project has not yet reached the appropriate point in time where the practice would be enacted are omitted from this characterization." (MDD Activity 2.2.2, Implementation Guidance)