1
IT Compliance With Sarbanes-Oxley
Through an IT Process Oriented Best Practices Framework (ITIL) and an Integrated Process Workflow Model (IPW)
Dr. Charles Newman
THIS DOCUMENT CONTAINS PROPRIETARY INFORMATION, WHICH IS PROTECTED BY COPYRIGHT. ALL RIGHTS RESERVED. NO PART OF THIS DOCUMENT MAY BE PHOTOCOPIED, REPRODUCED OR TRANSLATED TO ANOTHER LANGUAGE WITHOUT THE PRIOR CONSENT OF QUINT WELLINGTON REDWOOD ACADEMY, AMSTERDAM. © Copyright 2003 Quint Wellington Redwood Academy
2
Compliance Framework
A Compliance Framework is a set of internal controls for managing an organization.
The Compliance Framework is part of a compliance architecture, which also includes technology controls.
3
ITIL
ITIL (IT Infrastructure Library) is the most widely accepted approach to IT Service Management in the world. It provides a cohesive set of well-defined best practices, drawn from the public and private sectors internationally. It is supported by a comprehensive qualification scheme, accredited training organizations, and implementation and assessment tools.
4
ITIL according to Gartner
Base for driving performance and quality improvements in the service management domain.
Can be an integral part of a wider quality initiative by combining it with other frameworks such as CMM, COBIT or Six Sigma.
Companies need an objective assessment of their current and target ITIL process capability to understand what they are trying to achieve.
5
The Role of ITIL
When applied to Sarbanes-Oxley IT Control Compliance in a manner consistent with the overall COSO and COBIT frameworks, ITIL gives companies a proven, practical, highly focused approach for assessing, building and continuously improving a tightly controlled IT environment. It specifically deals with the “how” as well as the “what” of implementing IT Controls.
7
Incorporating People, Process and Technology
“80% of unplanned downtime is due to people and processes.” (source: Gartner Group)
8
ITIL Service Management Best Practices
9
Why Use ITIL for Sarbanes-Oxley Control Compliance
A large portion of the IT Control requirements of SOX are covered by ITIL.
ITIL is an independent, globally accepted standard of best practices with a history of over 12 years of development, use and continuous improvement by thousands of major companies and tens of thousands of IT professionals.
Through ITIL and Quint’s IPW (Integrated Process Workflow Method), a company can be specifically measured, trained, monitored and continuously improved along a well-defined path of process maturity (which is consistent with other standards such as COBIT, CMM, etc.).
10
ITIL and Sarbanes-Oxley
ITIL and controls
Change management
- Improved risk assessment
- Better assessment of the cost of proposed changes before they are incurred
Availability management
- A single point of accountability for availability is established within the IT organization
- The required and agreed availability levels are measured and monitored
- Ensures the security aspects of data and applications (Confidentiality, Integrity and Availability) are defined and incorporated within the overall availability design
11
ITIL and Sarbanes-Oxley / SOX404
ITIL and controls
Financial Management
- Increased confidence in setting and managing budgets
- Accurate cost information to support IT investment decisions
- Accurate cost information for determining the cost of ownership of ongoing services
Security management
- Segregation of duties
- Separation of development and production
- Accountability for assets
- Access control in all aspects of IT
12
ITIL and Sarbanes-Oxley
ITIL and controls
Release management
- Complete audit trail of changes to the live environment (both hardware and software)
- Reduced likelihood of illegal copies of software in use at any location
- Releases are subject to quality control and testing under release management, reducing errors
- Safeguarding of hardware and software assets
Service Level management
- Availability of specific targets against which service quality can be measured
13
Quint Quest Assessment and SOX IT Control Compliance
Quint Wellington Redwood has conducted systematic assessments of the IT Service Management processes of companies for over 12 years with a proven, highly focused methodology. Quint Quests are largely driven by the best practice framework of ITIL, but are also taken to a more integrated process maturity model perspective through Quint’s unique IPW Model (Implementation of Process Oriented Workflow) and through the transformation and change management tool, AURRA.
14
Quint Quest and SOX continued
Quint has now developed a set of Quint Quest Assessments specifically designed to provide substantive support to companies’ Sarbanes-Oxley IT Control Compliance efforts. These Assessments are conducted by an experienced team of senior consultants who are also available to continue working as part of a company’s internal Sarbanes-Oxley Compliance Team and with any other external entities that are part of that team.
15
QuintQuest/SOX Assessment Areas
- Change Management
- Service Level Management
- Configuration Management
- Security Management
- Incident Management
- Problem Management
- Contingency Planning
- Availability Management
- Release Management
- Capacity Management
- Financial Management
16
QuintQuest/SOX Assessment Dimensions
- Intention (Mission, Policies, Objectives, Definition, Function)
- Process (Submitting, Classification, Planning, Authorization, Build, Test, Implementation, Acceptance, Finalizing, Communications, Progress)
- Procedures (Tasks, Tools, Procedures, Urgent Changes)
- Control (Metrics, Reports, Process Analysis, Improvement)
- Relations (All processes, Senior Level Management, Development)
17
QuintQuest Assessment Example for the Process Dimension of Change Management
Submitting: How are changes (RfCs) requested? What is the point of entry for a change? Who is permitted to submit an RfC? Does everyone know where to submit an RfC? What are the possible reasons for submitting an RfC? What information is required in an RfC?
Classification: By what method does classification take place (category, priority, impact, investment, SLAs)?
Planning: Who manages the change calendar? Which other persons are involved in organizing the changes? Who performs the actual allocation of time and resources for a change?
18
Example Assessment Continued
Authorization: Who manages the change calendar? Which other persons are involved in the organizing of changes? Who performs the actual allocation of time and resources for a change?
Build: What phases are defined when building changes? Who is involved in each phase? Is a standardized method of change building used?
Test: How does a test take place? Is there a standard script for testing? Does the test script cover both functional and technical issues?
19
Example Assessment Continued
Implementation: When and in what way does the implementation of changes take place? Are there dedicated timeframes for the implementation of changes? Is a back-out and/or fallback always possible, and is it defined in a plan? What does that plan look like? Are specialists on standby during an implementation?
Acceptance: Who is involved in the actual acceptance, and in what way? On what criteria is the acceptance based, and are those criteria formalized?
20
Example Assessment Continued
Finalizing: When is a change formally closed? Is there a formal discharge (“décharge”) of those involved?
Evaluation: Are changes evaluated? How and when are changes evaluated (e.g., size, effort, planning, result, quality)?
Communication: Who is informed before and after a change?
Progress: How is progress monitored, and who is involved in this monitoring?
21
Quint’s IPW™-model
[Figure: the IPW model laid out across five domains: Business Domain, Business ICT Alignment Domain (BITA), ICT Domain, Supplier ICT Alignment Domain (SITA) and Supplier Domain. Processes shown in the diagram: Information Magnet, ICT valuing, Commercial Policy, Strategic Sourcing, Supplier Portfolio, Strategic Supplier processes, HRM, Strategy, Architecture, Finance, Relationship Management, Service Level Management, Supplier Planning, Service Development, Service Planning, Security Management, Financial Management, Service Build & Test, Functional Management, Demand Management, Supply Management, Contract Management, Business Planning, Continuity Management, Availability Management, Capacity Management, Service Design, Change Management, Business Support, Application Management, Incident Management, Problem Management, Purchase Management, Operation Support, Configuration Management, Services Operations, Operations Management, Release Management, Supplier Operations, Business Operations, Service Desk.]
22
How SOX affects the processes in your organization: General IT Controls
23
How SOX affects the processes in your organization: Application and data-owner process
24
How SOX affects the processes in your organization: Outsourcing
SAS 70 (Statement on Auditing Standards No. 70: auditor reports on a service organization’s controls)
25
Quint’s IPW Maturity Model™: Stage 3 or higher is needed for SOX
[Figure: five maturity stages, plotted against dependent processes and environmental conditions / constraints]
1 Initial: “for free...”
2 Generic: operations & measurement; operational monitoring
3 Extended: operational control; realise “internal fit”
4 Exceeding: service control; realise “external fit”
5 Excelling: service improving; self-steering incorporated
26
IPW Maturity Model™: Assessment of ‘as is’ and ‘to be’
[Figure: per-process maturity ratings (not performed, not identified, monitored, controlled, proactive, improving) for the Service Support processes (cfm, rlm, chm, pm, im: configuration, release, change, problem and incident management), mapped against the stages Initial, operational monitoring, service control and service improving.]
IPWSM™ is a trademark of Quint Wellington Redwood
27
Quint’s IPW Maturity Model™: Improvement experience
- Logical sequence
- Aligned with customer maturity
- Limited parallel improvement
- Staged improvement
- Integration with the development domain (CMMsm/SPICE)
- Compliant with ITIL
- Benchmarking (of outsourcers) possible
- De-mystifies ITIL consultancy
- Professional judgement remains necessary
28
For further information Contact: Dr. Charles Newman Director, Quint Wellington Redwood Mobile: