Introduction by Compliancy Software
This is a presentation delivered by Scott Rogers, Director of Internal Audit for PPD, at the IT Compliancy Institute conference on Risk Management and Compliance on May 4, 2007 in Washington, DC. In this session, Scott addresses how PPD solved the challenges of complying with Sarbanes-Oxley. The automation components referred to in this presentation were accomplished with the Compliancy Software solution.
Transform risk management and compliance into business value
www.compliancysoftware.com
IT COMPLIANCE CONFERENCE 2007 | Sarbanes Oxley Compliance Process Automation
Sarbanes-Oxley Compliance Process Automation
Scott Rogers, Director of Internal Audit, Pharmaceutical Product Development
Agenda
- Background
- SOX Overview and Challenges
  - The Rules
  - The Scope and Purpose
  - The End Product
  - The Challenges
- SOX and the IT Function
  - What is ITGC?
  - Using IT to Automate Controls
- Automation of the SOX Compliance Process
- Group Discussion and Questions
Background
- Scott Rogers, CPA, Director of Internal Audit
- Responsible for the Global Sarbanes-Oxley Compliance Process
- Pharmaceutical Product Development, Inc.
- Contract Research Organization, Phase I-IV Development Services
- HQ in Wilmington, NC
- $1.3B Revenue
- $1.4B Market Cap
- 10,000 Employees in 28 Countries
Background: The SOX Landscape
- HQ in Wilmington, NC
- 12 SOX Geographic Locations Throughout Americas
- 55 Significant Processes
- Approximately 500 Key Control Procedures
- 35 Process Owners
- 10 Internal Auditors, Globally
- Initially the documentation was completely paper based (i.e. Access, Word, Excel, etc.).
- In 2006 we transitioned to a Professional System to manage the Risk Assessment, Process Documentation, Issues Management, Certification and Testwork processes.
Mix of Controls
[Chart; categories shown: ITGC, Entity Level, Financial]
SOX Overview
- The Rules
- The Scope and Purpose
- The End Product
- The Challenges
SOX Overview – The Rules
- PCAOB Established by Congress.
- Established to Provide Oversight to the Public Accounting Industry.
- For Lack of Other Guidance, Management’s Compliance Program Has Been Designed to Comply with PCAOB Standards.
- Your External Auditor Has a Significant Influence on Management’s Compliance Program.
- New Rules are Coming Soon!
- PCAOB Is Issuing a Standard for External Auditors.
- SEC Will Issue a Standard for Management To Follow.
- How are the New Rules Different?
SOX Overview – Scope and Purpose
- Any Process, System, Transaction or Communication that could potentially have a Significant effect on the Accuracy of the Financial Statements.
- Fraud - The Existence of Fraud Must Be Considered and Evaluated Throughout the Process.
- Entity Level Controls.
- IT General Controls.
- IT Application Controls.
- The Sole Purpose Is To Ensure That Financial Statements are Accurately Reported.
SOX Overview – The End Product
QUARTERLY
- CEO and CFO Must Personally Sign a Public Statement which states that the Internal Control Structure is Appropriately Working
ANNUALLY
- Two Separate Audit Opinions From the External Auditor
- Opinion on the Design of the Internal Control Structure
- Opinion on the Quality of Management’s Compliance Process
- Audit Opinion From Management
SOX Overview – The Challenges
- Maintaining a Real Time Risk Assessment and Understanding of the Entity Level, Financial and IT General Control Processes.
- Empowering Process Owners to Take Ownership in the Risk Assessment and Enforcement of Control Processes.
- Dealing With Change in Transactions, Human Resources, Systems and Rules.
- Tracking and Reporting Design and Operation Internal Control Issues.
- External Auditor’s Concurrent Review of the Process.
- Involvement of a Large Cross Functional Group of People, Systems and Processes.
- Audit Evidence of Control Performance and Effectiveness.
What are auditors looking for?
EVIDENCE
- Verbal Inquiry, alone, generally does not constitute audit evidence.
- Verbal inquiry, alone, does NOT constitute audit evidence.
SOX and the IT Function
- What is ITGC?
- Using IT to Automate Controls.
SOX and the IT Function – What Is ITGC?
- Information Technology General Controls (“ITGC”)
- How Does ITGC Affect the Financial Statements?
- Change Control
- Logical Access
- IT Infrastructure – Networks, Data Centers, Underlying Data Structures, Physical Assets
- Segregation of Duties
- Centralization and Consistency Will Make ITGC Easier.
SOX and the IT Function – Using IT To Automate Controls
- Any IT Application’s Functionality That Helps Ensure Accuracy and Integrity of Financial Data Can Be Relied Upon as a Control.
- The Testing Frequency of Programmed Controls Can Be Significantly Less Than Manual Controls.
- Application Development Should Include Your Company’s Internal Controls Experts. They and IT Can Work to Build, Identify and Rely on Programmed Controls.
Automation of the Processes
- Risk Assessment
- Testing
- Planning and Management
- Reporting
Automation - Risk Assessment
Management Certification Process
- Quarterly Management is Required to Certify That the Business and Control Processes Have Not Significantly Changed.
- Utilized a Customized Workflow to Deliver the Data to Management.
- Management’s Review is Scalable to Their Needs Allowing For Many Different Levels of Review.
- Utilized to Identify Changes and Enhance Our Understanding of the Processes.
- Helps Drive Management to “Own” the Processes.
Automation - Risk Assessment (cont)
Other Risk Assessment Activities
- Status and Effectiveness of Controls is Automatically Linked to Testing and Issues Processes.
- Automated Issues Workflows Ensure Management Knows Where They Have Remediation To Perform.
- Change Control Provides External Auditors With a Clear and Ongoing Map From One Period to the Next.
- Maintaining an Ongoing List of Design Issues.
Automation – Audit Testing
- Design and configuration.
- Scheduling – Allows Creativity and Flexibility in the Nature, Timing and Frequency of Tests.
- Change Control Over the Test Strategies.
- Utilizes Workflow to Pass the Test to the Planner, Performer, Reviewer and File Preparation Steps.
- Electronic Work Papers and Audit Evidence.
- Sample Selection Processes
- Portals for Auditor / Management Communication and Data Transfer
- Automatic Selection of Samples
Automation – Planning and Management
- Scheduling the Planning Related Activities and Communications.
- Scheduling the Key Communication and Reporting Dates.
- Portal For Capturing Auditor’s Time Spent on Tests.
- Maintaining the Global Scheduling, Time Analysis and Efficiency Metric Analyses.
- Portal for Capturing Auditor’s Recommendations and Design Issues Noted.
Automation - Reporting
- Comprehensive Listing of Issues with Status.
- Reporting of Delinquent Certifications.
- Reporting of Delinquent Test Areas.
- Dashboard Status Views of All Processes.
Summary
- SOX Is A Broad, Complicated and Changing Process Driving the Need For Process Automation.
- Process Automation Can Be Found In The Following:
  - Risk Assessment
  - Testing
  - Planning and Management
  - Reporting
- Develop Strong Relationships With Internal Control Experts In Your Company to Help:
  - Ensure ITGC Is Appropriately Designed.
  - Ensure Programmed Controls Are Identified and Utilized.
Questions and Discussion
Contact Information
Scott Rogers, PPD
scott.rogers@wilm.ppdi.com
910 558 6790
Please Complete Your Session Evaluation
For More Information about Compliancy Software
Please visit our website at www.compliancysoftware.com
Or call us at 1-919-342-6212
Email us at info@compliancysoftware.com