
7/30/2019 Sarbanes Oxley It Co

serena.com

The Impact of Sarbanes-Oxley on IT and Corporate Governance

August 2006


Table of Contents

Abstract ..... 3
The Impact of Sarbanes-Oxley on IT and Corporate Governance ..... 4
    The Role of IT in Sarbanes-Oxley ..... 4
    Enterprise-Wide Compliance: Stop the Insanity ..... 5
    Ensuring IT's House Is in Order ..... 5
Payroll Reconciliation: Months or Seconds? ..... 6
Compliance with Section 302 ..... 8
    Specific Certification Functionality ..... 8
The Proof ..... 10
Summary ..... 11
Sarbanes-Oxley and Serena Products ..... 11


Abstract

The intent of the Sarbanes-Oxley Act of 2002 is to protect investors by improving the accuracy and reliability of corporate disclosures. The Sarbanes-Oxley Act created new standards for corporate accountability, as well as new penalties for acts of wrongdoing. It changes how corporate boards and executives must interact with each other and with corporate auditors. Holding the CEO and CFO accountable for the accuracy of financial statements eliminates the possibility of an individual defending his action with, "I wasn't aware of financial issues."

Simple Intent. Far-Reaching Impact.

All public U.S. and international companies that have registered equity or debt securities with the Securities and Exchange Commission need to comply. The key components of Sarbanes-Oxley are formalizing and strengthening internal checks and balances within corporations and instituting levels of control and sign-off to ensure that financial reporting exercises full disclosure and corporate governance is transacted with full transparency. This rests on the ability to document, trace and audit any change that affects the financial reporting structure.


The Impact of Sarbanes-Oxley on IT and Corporate Governance

Practically speaking, before the Sarbanes-Oxley Act, the stance regarding controls was all too often, "if nothing goes wrong, it is assumed that the controls are working." Not only has that bar been raised, but it is now also under a microscope. If the control activity is not identified, documented and validated, the control is not considered effective even if it happens in practice. Controls must now be supported by evidence to demonstrate that they are in place and working effectively.

Although there is more than enough general information available on the Act, this paper specifically focuses on how the Sarbanes-Oxley Act impacts the IT department. IT and corporate governance ensure a transparent, compliant, and accountable information infrastructure throughout the enterprise. Mistakes are costly. Without the foundation of technology, compliance with Sarbanes-Oxley can easily become a profit leech that is likely to swiftly and dramatically impact a company's success.

The Role of IT in Sarbanes-Oxley

The role of IT is twofold. First, provide support for enterprise-wide compliance. These process controls provide checks and balances for the functional organizations, such as Finance, Order Processing, and so forth. For example, a standard process for managing an order from initiation through collection of payment must exist and be followed with appropriate approvals. Second, ensure that IT itself has adequate and documented controls around security, application deployment, change management and other areas. Thus, changes to an internal SAP system must be tested and signed off by the appropriate parties before being approved for implementation.

All companies have various levels of IT control, but the processes are often informal, or they lack adequate documentation and evidence. Frequently, the deficiency lies in the consistency and quality of the documentation and evidential matter.

"Anyone who knowingly alters, falsifies, destroys, or otherwise tampers with a document or record can be fined and/or imprisoned for up to 20 years."
Sarbanes-Oxley Act of 2002


Enterprise-Wide Compliance: Stop the Insanity

At any given time, IT juggles hundreds of projects and change requests from business users throughout the organization. Since any application that impacts the balance sheet must comply with Sarbanes-Oxley, IT must manage and track each and every change request. Managing this via e-mail, spreadsheets and sticky notes, or relying on nonintegrated systems, is time-consuming, costly and, most of all, risky. Imagine tracking 700 change requests across multiple locations and several hundred users. As one Serena customer discovered, it wasn't very efficient or productive. Yet this customer was not unlike most mid-size to large companies. To gain control, the company implemented Serena TeamTrack enterprise-wide. TeamTrack is a web-architected, secure and highly configurable process and issue management system. Now, every department submits change requests to IT and participates in the sign-off process, increasing productivity as well as providing complete, secure documentation and evidential matter in compliance with Sarbanes-Oxley requirements.

Ensuring IT's House Is in Order

Any change that can affect financial data must be reported under Sarbanes-Oxley. If a defect in the ERP system means past financial data was not correct, the company may need to restate earnings. This means change management must be much more carefully documented and monitored than in the past.

Application lifecycle solutions provide control over IT processes to make them certifiable and auditable. Effective and enforced processes ensure that a company's mission-critical software applications are not exposed to potential failure due to oversight, error and other risks. Moreover, a good solution offers an effective way of controlling IT processes around and beyond software development, providing the ability to capture, track, version and report on changes to any process or system in an IT setting.

The objective of Sarbanes-Oxley is to govern companies' internal controls over financial reporting to ensure accuracy. For years, financial management has been using spreadsheets to manage many processes. Some of these spreadsheets are quite complex in nature, with complicated formulas, layers of linked spreadsheets, data imports from other applications and multiple people entering and pulling data. Because spreadsheets do not provide the process controls, audit trail, versioning or reporting required to submit adequate evidence, they are no longer an effective means of managing financial data by themselves. Consequently, many companies have tried to implement or reconfigure their existing high-overhead, complex ERP system. Because these systems are difficult to configure, use and maintain, management quickly discovers how inordinately time-consuming these systems can be.


Payroll Reconciliation: Months or Seconds?

Each pay period the Payroll Clerk at a mid-sized manufacturing company must review and reconcile budgeted payroll against actual payroll. If there is a difference over 2.5%, the Payroll Clerk must raise an issue and document the reason. A difference of 5% or more must go to the Department Manager for explanation (a one-time bonus, etc.). This data must then go to the Financial Director, who reviews the data and approves it or raises further issues for resolution by the Payroll Clerk. The process continues until all issues are resolved and approved by the Financial Director.

Providing evidence of this one internal control can take months to implement in most ERP systems, and if the process or people change, it may require consulting services to reconfigure the system appropriately. Unfortunately, the law isn't so patient.

TeamTrack, Serena's process and issue management solution, provides the process wrapper around the internal control processes, driving the right information to the right people at the right time. Self-documenting and secure audit trails, and version control of spreadsheets and other Microsoft Office files (when combined with Serena ChangeMan Meritage), automatically provide the evidence required by Sarbanes-Oxley, without the financial or the system overhead.

Serena TeamTrack manages this internal control effortlessly. An automated script creates an issue in TeamTrack and the Payroll Clerk is notified when it is time to reconcile payroll. Whether payroll reconciliation is tracked in a spreadsheet, in TeamTrack or in another system, the file is simply attached to the issue (this does not apply if it's already in TeamTrack) and "Sent for Approval." This notifies the Financial Director, who reviews the attached or inherent data, and either "Approves" or "Rejects" it with detailed notes. The complete and secure audit trail is self-documenting, and the evidence is provided to fulfill the requirements of Sarbanes-Oxley.
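The payroll reconciliation control just described, modelled in Python as an added example (not Serena's or TeamTrack's code). The 2.5% and 5% thresholds and the three roles are the paper's; the issue record, the method names and the sample payroll figures in the comments are assumptions of this example. The point it adds is that every action, including a refused one, lands in an append-only trail that records who did what and when.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Roles and thresholds as the paper states them.
CLERK, MANAGER, DIRECTOR = "Payroll Clerk", "Department Manager", "Financial Director"
RAISE_ISSUE_PCT = 2.5  # over this, the clerk must raise an issue and document the reason
MANAGER_PCT = 5.0      # at or above this, the Department Manager must also explain


@dataclass
class AuditEntry:
    when: str    # UTC timestamp
    who: str     # role that acted
    action: str  # explain / send_for_approval / approve / reject / denied
    detail: str


@dataclass
class PayrollReconciliation:
    """One pay period's reconciliation issue (record layout is this example's assumption)."""
    budgeted: float
    actual: float
    state: str = "Open"
    trail: list = field(default_factory=list)  # append-only: who did what, and when

    def variance_pct(self) -> float:
        return abs(self.actual - self.budgeted) * 100.0 / self.budgeted

    def pending_roles(self) -> list:
        """Explanations still owed before the issue may be sent for approval."""
        v = self.variance_pct()
        explained = {e.who for e in self.trail if e.action == "explain"}
        last_reject = max((i for i, e in enumerate(self.trail) if e.action == "reject"), default=-1)
        clerk_resolved = any(e.who == CLERK and e.action == "explain"
                             for e in self.trail[last_reject + 1:])
        needed = []
        if (v > RAISE_ISSUE_PCT or last_reject >= 0) and not clerk_resolved:
            needed.append(CLERK)    # documents the reason, or resolves the Director's rejection
        if v >= MANAGER_PCT and MANAGER not in explained:
            needed.append(MANAGER)  # e.g. a one-time bonus
        return needed

    def _record(self, who: str, action: str, detail: str = "") -> None:
        self.trail.append(AuditEntry(datetime.now(timezone.utc).isoformat(), who, action, detail))

    def _require(self, who: str, allowed: str, action: str) -> None:
        # Segregation of duties: a refused attempt is recorded in the trail, then rejected.
        if who != allowed:
            self._record(who, "denied", f"{action} is reserved for the {allowed}")
            raise PermissionError(f"{who} may not {action}")

    def explain(self, who: str, reason: str) -> None:
        if who not in self.pending_roles():
            raise ValueError(f"no explanation is pending from {who}")
        self._record(who, "explain", reason)

    def send_for_approval(self, who: str) -> None:
        self._require(who, CLERK, "send for approval")
        if self.pending_roles():
            raise ValueError("still pending: " + ", ".join(self.pending_roles()))
        self._record(who, "send_for_approval")
        self.state = "Sent for Approval"

    def decide(self, who: str, approved: bool, notes: str = "") -> None:
        """The Financial Director approves, or rejects with notes (back to the clerk)."""
        self._require(who, DIRECTOR, "approve or reject")
        if self.state != "Sent for Approval":
            raise ValueError("nothing awaiting approval")
        self._record(who, "approve" if approved else "reject", notes)
        self.state = "Approved" if approved else "Open"
```

A budgeted payroll of 400,000 against an actual of 424,000 (constructed figures) is a 6% variance, so both the clerk's reason and the manager's explanation must be in the trail before the clerk can send it for approval.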


Some other examples of financial internal control processes (also easily managed by TeamTrack) include:

• General Ledger entry, reconciliation and approval
• Procurement to Payables, including purchase request, approvals, budget reconciliation and payment
• Customer Orders to Cash, including discount approvals, legal and financial management approvals, customer signatures, credit approvals and accounts receivable validation

No two organizations are alike; thus there are no one-size-fits-all solutions. All solutions require adaptability and configurability to meet the needs of individual organizations and their specific processes. The difference is in how easy the solution is to configure, modify, maintain, and employ by non-technical users. Across platforms, TeamTrack creates enforceable and configurable workflows for any IT process and documents every change and/or action made by every person involved in a given process, providing evidence about what has been done, by whom and when. Easily modeled and fine-tuned, TeamTrack provides a clear view every step of the way and assurance that processes cannot be subverted.

TeamTrack governs the access to systems and information, including:

• Dashboard view of compliance status in all areas
• Functional department view of compliance status and open issues
• Control of changes to the production environment
• Approval of the change request by all pertinent stakeholders throughout the change request lifecycle
• Detailed, secure audit trail throughout the change request lifecycle
• Managed process of the change itself
• Integration with existing tools in the environment


Sarbanes-Oxley and Section 302

TeamTrack also automates the quarterly representation letter certification process for compliance with Section 302 of the Sarbanes-Oxley Act. This process tracks the certification of relevant employees to make sure they have fully submitted and disclosed all revenue activities, and that no further revenue activities are pending. The process is fully configurable to match the organizational structure of any company. Individual employees first provide certification for their areas of jurisdiction. Upon their approvals, these certifications are rolled up into summary certifications for business unit executives to provide their attestation. Once approved, a final request is presented to corporate management for final review and certification. Very simply, each step of the process is tracked, employees are automatically notified as to their specific tasks, and the executives have a full view of compliance status.

Providing mechanisms for intelligent task management and routing among project team members, TeamTrack provides workflows for each internal control document type to intelligently route tasks based on status or other data associated with internal controls. Assigned tasks are indicated on each user's Home Page. Task details provide each user with links to work that must be performed and actions they must take to complete their tasks. Real-time dashboards provide executives and managers with configurable, up-to-the-minute status, alerts and drill-down capabilities that enable issues to be identified and corrected quickly and easily.

Specific certification functionality includes:

• Full configurability of any form
• Full change control, audit trails and monitoring
• Version control over each respondent state/instance of every issue
• Automated workflow-driven processing from assessor to certifier to survey administration to managerial oversight via monitorable e-mail notifications
• A highly flexible workflow, where certification processes may be executed for any object level, including entity-specific, process-specific and/or control-specific views
• Full certification and sub-certification support, including standard templates to help ensure the rapid deployment and consistent support of executive reporting obligations

"With Professional, we now have visibility and reportability into the projects. Software is a really valuable resource; it's part of the company's assets. We need to know where the projects are at any time and be able to obtain statistics about our productivity and then be able to communicate this. Using Professional is the perfect tool for this."
Software R&D Manager, ASM Pacific Technology


The time and effort of establishing rigorous, repeatable processes reaps many rewards, including:

• An enterprise-wide process for managing change
• A single point of control for all changes, across other tools and platforms
• Reduced risk of compliance issues and audit failures
• Greater compliance with processes and procedures
• Greater scalability to support business expansion

Within the IT department, TeamTrack provides the process wrapper to ensure that there are repeatable, enforceable, auditable processes around managing projects and managing the entire application development lifecycle.

At a minimum, the following information is captured: date of the change request, person(s) requesting the change, documentation update date, and move-date into production. The attached documents include: change verification, baseline update and change control workflow.

Change Control Workflow (figure)

The flowchart shows the change request lifecycle in TeamTrack: the change request is completed in TeamTrack; it is forwarded to the Supervising Manager (Change approved? Yes/No); forwarded to IT for approval (Change approved? Yes/No); forwarded to the IT Business Owner for approval (Change approved? Yes/No); the change is implemented; release notes are added; verification is uploaded; and the record is closed.


The Proof

At Robert Mondavi, Serena TeamTrack was key in achieving government regulatory compliance. The company had a critical audit trail covering the complete project lifecycle and providing proof of internal customer approvals. Robert Mondavi found itself well prepared to achieve Sarbanes-Oxley compliance when it came to providing an audit trail of development activities. Each member of the team can easily create reports in TeamTrack to show audit trails, so they can routinely spot-check processes to maintain Sarbanes-Oxley compliance.

As another example, a large national bank found that TeamTrack helped them keep their own house in order to support Sarbanes-Oxley compliance. By automating their development processes and meeting their Service Level Agreements consistently, they created a more stable production environment, dramatically improved their rate of change success, consumed less time resolving production issues, and had more IT projects completed with the same number of resources. The bank has better metrics relating to production issues, environment and change management. The IT Director said, "I took an organization from a stage 2 maturity level to a stage 4.5 maturity level with TeamTrack, with minimal investment in 14 weeks, fully supporting our Sarbanes-Oxley compliance initiatives."

Enforceable controls
Ensure that all functional departments document, use, enforce and automatically provide evidence of their process controls and control changes to the production environment.

Accountability
No step is forgotten. That way you'll know exactly who did what and when.

Flexibility
Modify your control processes on the fly, and automate the mechanisms for continual review.

Compliance is an ongoing, dynamic process. Once the initial work of Sarbanes-Oxley compliance is completed, organizations must focus on moving to an optimized level of internal control that improves the efficiency of the entire process.


Summary

Non-compliance penalties range from the loss of exchange listing and loss of corporate insurance to multimillion-dollar fines and imprisonment. It can result in a lack of investor confidence. A CEO or CFO who submits a wrong certification is subject to a fine of up to $1 million and imprisonment for up to ten years. If the wrong certification was submitted willfully, the fine can be increased up to $5 million and the prison term can be increased up to twenty years.

Clearly, failure to comply with these regulations will result in forced public disclosures, which may lower shareholder confidence and tarnish the company's brand. Compliance is not only a matter of the law, but critical to the protection of the company's brand and value in the marketplace.

Mistakes are costly. Without the foundation of a simple, yet flexible solution such as TeamTrack, compliance with Sarbanes-Oxley can easily become a profit leech that is likely to swiftly and dramatically impact a company's success.

Sarbanes-Oxley and Serena Products

For more information on how the following products support Sarbanes-Oxley, visit www.serena.com or contact your account representative.

• TeamTrack Enterprise Process Management: the process wrapper around the internal controls and change requests
• TeamTrack Connector for SAP: pre-defined process for managing changes to the SAP environment
• Collage: audit trail and process enforcement for Web content requests and changes
• Dimensions: robust application lifecycle management for distributed and mainframe environments
• ChangeMan ZMF: application development version control for the mainframe
• ChangeMan Meritage: version management for Microsoft Office files
• ChangeMan Version Manager: application development version management


Serena Worldwide Headquarters
Serena Software, Inc.
Corporate Offices
2755 Campus Drive, Third Floor
San Mateo, California 94403-2538
United States
800.457.3736 T
650.522.6699 F

Serena European Headquarters
Serena Software Europe Ltd.
Abbey View, Everard Close
St. Albans
Hertfordshire AL1 2PS
United Kingdom
+44 (0)800.328.0243 T
+44 (0)1727.869.804 F

Serena Asia Pacific Headquarters
Serena Software Pte Ltd
360 Orchard Road
#12-10 International Building
Singapore 238869
+65 6834.9880 T
+65 6836.3119 F

About Serena

Serena Software, the Change Governance leader, helps more than 15,000 organizations around the world, including 96 of the Fortune 100 and 90 of the Global 100, turn change into a business advantage. Serena is headquartered in San Mateo, California, and has offices throughout the U.S., Europe, and Asia Pacific.

Contact

Learn more about the enterprise-wide power of Serena products by visiting www.serena.com or contacting one of our sales representatives in your area.

Copyright 2006 Serena Software, Inc. All rights reserved. Serena, TeamTrack, ChangeMan, PVCS, StarTool, Collage and Comparex are registered trademarks of Serena Software. Change Governance, Command Center, Dimensions, Mover and Composer are trademarks of Serena Software, Inc. All other product or company names are used for identification purposes only, and may be trademarks of their respective owners. WP885_01_0205_08.06