SOXIT@Novartis · 2016-11-22 · April 05 ISACA After Hour Seminar -SOX IT@ Novartis / Stefan Laux...
SOX IT @ Novartis
Monika Josi
Novartis Animal Health, IT Compliance Officer
Member of Novartis SOX IT Core Team
ISACA, April 27 2005
ISACA After Hour Seminar - SOX IT@ Novartis / Stefan Laux / Feb 15, 2005 / Page 2, April 05
Agenda
• Novartis
• Introduction SOX 404
• History of SOX 404 in Novartis
• Setting the scene: preparatory work for the rollout
• The Rollout
• Lessons learned
Novartis at a Glance
2004 key facts
Sales: USD 28.2 billion
Net income: USD 5.8 billion
Employees: 81,400
Countries: 140
Headquarters: Basel, Switzerland
• One of the fastest growing healthcare companies in 2004
• Poised to further expand market share in 2005
• One of the best combinations of strong pharma pipeline and low patent-risk exposure
• Bold research investments to ensure ongoing leadership in innovation
• Consumer Health division focused on improving health and well-being of consumers worldwide
• Sandoz leading global supplier of generic pharmaceuticals
Building a Global Leader in Medicines
Novartis
Pharmaceuticals
General Medicines
• Cardiovascular/metabolism
• Neuroscience
• A/B/G/H/I
• Respiratory/Dermatology
• Infectious diseases
• Mature Products
Specialty Medicine
• Oncology
• Transplantation
• Ophthalmics
Consumer Health
• OTC
• Animal Health
• Medical Nutrition
• Infant & Baby (Gerber)
• CIBA Vision
Sandoz
• Generics
Sales by division 2004*: Pharmaceuticals 65%, Consumer Health 24%, Sandoz 11%
Operating income by division 2004*: Pharmaceuticals 82%, Consumer Health 14%, Sandoz 4%
* Sandoz a separate division since January 2005
A/B/G/H/I: Arthritis/Bone/Gastrointestinal/Hormone Replacement Therapy/Incontinence
Source: Novartis Annual Report 2004
History of SOX S404 in Novartis
• For foreign private issuers (like Novartis) SOX takes effect for years ending on or after 15 April 2005
• Corporate Governance is high on the Novartis priority list, therefore
- Novartis has voluntarily decided to meet the deadline for US registrants (years ending after 15 June 2004) for major sites
- SOX Business Project Sponsor: Head Group Financial Reporting & Accounting, reporting to the Novartis Audit and Compliance Committee
• Scope
- 2004: 42 entities (approx. 75% contribution)
History of SOX S404 in Novartis
• As a result of the SOX Business requirement, a SOX IT project manager was appointed in March 2004
• Key Stakeholder IT: CIO Novartis
• Timelines according to SOX Business, meaning
- August 30, 2004: Novartis testing completed / SOX IT audit begins
- September 2004: audits by external auditors begin
- December 31, 2004: Effective date of attestation by external auditor
• But who, what and how?
Who: Novartis SOX IT project setup
(Organization chart)
SOX IT Steering Committee
SOX IT Program Lead
SOX IT Project Leader / SOX Program
SOX IT Core Team: SOX IT US, SOX IT Basel, SOX IT SAP, SOX IT CH, SOX IT Infra, SOX IT Japan, SOX IT CV, SOX IT Sandoz, SOX IT MN, SOX IT AH, SOX IT I&B, SOX IT OTC
What: Scope of SOX IT S404
• Primary principle: SOX IT follows SOX Business cycles
- Finance
- Revenue & Receivables
- Purchasing & Accounts Payables
- Plant, Property & Equipment
- Production & Inventory
- Payroll
• All applications supporting SOX business processes
• All data centers & support organizations supporting these applications
Identifying datacenters & support centers in scope
(Diagram: hosting and support relationships for two applications) Hosting Appl. A; Hosting Appl. B; Hosting & Support Appl. B; Support Appl. A; Support for Appl. A & B local
What: the SOX IT Key Controls
• Pre-definition of SOX IT controls by Core Team based on IT Governance Institute discussion paper (available on www.itgi.org)
- Using the framework (Governance, control and audit for information and related technology) as a basis
• Scope of discussion paper regarded as too open
- Decision to focus on Control Activities (e.g. no strategic processes)
- Decision to focus on high-risk areas
What: SOX IT Controls
• Decision on 41 Key Controls in 7 areas (sub-cycles)
- Corporate Policies
- Project Management
- Change Management
- Disaster Recovery
- Security Management (user authentication, physical security, virus protection, network security, backup, incident reporting)
- Problem Management
- Service Level Management
Timelines and Milestones for SOX IT S404
(Timeline chart, May to December 2004)
Activities: Document Key Controls; Test Key Controls; Document Gaps; Remediate Gaps; Audit / Reviews; Walkthroughs
Milestones: Documentation Completed; Gaps Closed; Testing completed; Management Attestation
How: SOX IT rollout
• Agreement in SOX IT Core Team that deadlines can only be met by tight project management and a lot of support
• Decision on a 'cookbook'-style rollout into the countries
• Strong emphasis on training of all SOX IT coordinators to ensure that the project goal can be met
Documenting Key Controls
• Document all key controls for each system and infrastructure in scope
- Documentation and Flowcharts
Identifying/remediating gaps
• Document all gaps found in the prepared gap remediation template
• Gaps in controls, e.g.:
- Processes not adequately documented
- Controls not established, poorly designed or not effective
• Control maturity required: monitored (standardized and tested controls)
Stop, look and listen: the Walkthroughs
• All sites were visited in walkthroughs to determine:
- The quality of documentation
- Check if the right/all gaps were identified
- Discuss the remediation actions with the local sites
- Determine the tests to be conducted at the local sites
• Sample sizes
• Test intervals (yearly, monthly, quarterly)
• Test strategies
Testing the Key Controls
• Local sites to perform and document all tests for Key Controls
- E.g. test xx change control forms to see if they meet defined requirements
• Experience:
- Testing was the most difficult and time-consuming part of the whole project
The final stage: the SOX IT audits/reviews
• Until the end of November, all SOX IT S404 sites were audited/reviewed and the corresponding reports were produced
• In mid-December 2004, the external auditor issued the SOX IT attestation (business attestation in mid-January 2005)
• This was also stated in the Annual Report
Lessons learned
Challenges:
• Timelines, Resources
• Managing scope changes in terms of sites / applications
• Handling of outsourcers, interfaces between systems/functions, reports/query-type software
• Concept of sites testing the effectiveness of their controls was new
- Needs a lot of time / resources
• Find/coordinate projects/activities with related scope (SOX Business, IT & Information Security, IT Quality Management, ITIL ...)
• Y2K perception
Lessons learned
Positive:
• After initial problems, most sites are accepting SOX IT and using it as a means to improve overall IT quality
• Backup / support from Business to comply with SOX IT
• Good feedback from sites regarding the guided way through SOX IT
• Good experience with identifying global processes that can be documented/tested once for all sites (e.g. IT Security) or for which documentation can be re-used with little adaptation
• Top Management Commitment is a must to ensure project momentum
• New word of the year: To Soxify
Outlook 2005
• Activities for 2005 have already started for SOX IT entities in scope
• Furthermore, projects to cover all entities with a control framework have been initiated