S-Ox and the Need to Audit IT Processes


By Robert Dietrich, Chief Financial Officer for MKS

The Sarbanes-Oxley Act has dramatically heightened standards for financial reporting for US public companies with a market capitalization over $75 million. For the past 18 years, COSO (The Committee of Sponsoring Organizations of the Treadway Commission) has been the accepted framework for implementing internal controls for financial reporting. IT processes and technology, however, are not addressed by COSO. Since the vast majority of the financial data that makes up financial reports is generated by IT and its related processes, it is critical that the effectiveness of these processes can be verified. By having well-defined standards and procedures that can be verified, CEOs and CFOs can be confident that the reports they are certifying came from well-maintained, error-free software applications.

The two sections of the Sarbanes-Oxley Act that should concern IT executives the most are 302 and 404(a), because they deal with the internal controls that a company has in place to ensure the accuracy of its data. This relates directly to the software systems that a company uses to control, transmit and calculate the data that is used in its financial reports.

Section 302
Effective August 29, 2002, Section 302 requires CEOs and CFOs to attest to the accuracy of their company's quarterly and annual reports.

CEOs and CFOs will be placing an enormous amount of trust in the people and systems that produce their company's financial data. Given the wide and deep spectrum of internal controls, it is a serious responsibility.

Section 404(a)
The deadline for complying with this rule was originally September 15, 2003, but has now been pushed back to November 15th, 2004. A number of experts view the extension as a sign of just how seriously authorities intend to enforce and monitor the new law. The SEC has also recognized the COSO framework as the official framework for establishing internal controls over financial reporting. Many companies are now actively working with internal and external audit firms to set expectations surrounding Section 404, and avoid unwanted surprises when Section 404 comes into full force.

The View From the Top
Understandably, CEOs and CFOs are taking Sarbanes-Oxley very seriously given the potential penalties for non-compliance. There is a tremendous amount of data that they will have to monitor to make sure the financial statements are accurate. From the point of view of an IT person, it is a given that IT will be relied upon to collect, store and compile this data from all areas of the company and transmit it to the appropriate people.

So, how do CEOs and CFOs view Sarbanes-Oxley from a compliance standpoint? Surprisingly, an informal survey by CIO Magazine of the top 19 companies on the Fortune 100 list revealed that most executives viewed compliance as a finance issue, not a systems issue.1 This is a mistake, as IT is poised to play a major role in the implementation of controls for financial reporting.

What Sarbanes-Oxley Means to IT Executives
Sarbanes-Oxley, paradoxically, has been a motivating factor to connect IT more closely to the business. Compliance can provide the CIO with a seat at the inner table of top executives, as an active partner in regulatory conformance. CIOs must be proactive in getting the attention of their CFOs so that they understand how important IT systems are to data integrity. One way to do this is by demonstrating a detailed understanding of Sarbanes-Oxley and the part you can play in achieving compliance — without claiming that IT holds all the answers. Seats at the inner table "are usually reserved for CIOs who can explain the business value of technology changes, but who are also able to put on their business hat and review potential IT work in the context of the broader business needs."2

From a departmental perspective, IT organizations must be prepared for greater audit scrutiny. The financial reporting process depends heavily on internal software systems to generate and transmit the necessary financial data. IT processes, therefore, can be considered an "internal control" that must be audited to ensure compliance with the law and, equally important, to ensure that they are secure, comprehensive and repeatable. The benefits of such an audit extend beyond compliance with the law to the overall quality and reliability of your company's systems. This, and the looming deadline, should be incentive enough to start the auditing process now.

IT Governance and Auditing
The pervasiveness of IT in today's business environment points to its critical role in regulatory compliance, especially Sarbanes-Oxley. This includes software and hardware, but more importantly the processes that govern their use. Luckily, there are some good methodologies and guidelines that already exist to help bring IT processes under control so they are ready to be audited. ISO 9000 is a well known generic management system standard, which means it is concerned with the way an organization goes about its work, and not directly the result of this work. This standard can be applied to any organization, large or small, whatever its product or service in any sector of activity, including business, public administration, or government. If you consider financial reports as internal end products, then ISO standards can be helpful for achieving a high level of quality, but they do not specifically address financial reporting or IT processes. For that, frameworks specially designed for these purposes should be consulted.

The three frameworks, or methodologies, discussed below are a good starting point for these efforts. COSO, as mentioned, is a framework for establishing internal controls over financial reporting. COBIT is an IT governance framework that can be applied to the entire IT realm and its processes in general, and maturity models can be mapped within these frameworks to represent a more detailed and granular approach to controlling individual processes within the IT realm. While there are guidelines, there are no "one-size-fits-all" frameworks. The three frameworks and methodologies are listed below in descending order of granularity with regards to specific process control activities.

a) COSO — When speaking of Sarbanes-Oxley, COSO usually comes up as the leading framework in this area, especially after the SEC's June, 2003 announcement recognizing it as its preferred framework. COSO was established in 1985 to sponsor the National Commission on Fraudulent Financial Reporting. The Commission was an independent private sector initiative, which studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions.

COSO issued a groundbreaking report entitled Internal Control - Integrated Framework in 1992, which identified the establishment of internal controls as a means for helping a company achieve numerous objectives. The objectives include achieving its performance and profitability targets, preventing loss of resources and ensuring reliable financial reporting. The reason this report has become entwined with Sarbanes-Oxley is its assertion that internal controls help ensure that the company complies with laws and regulations, avoiding damage to its reputation and other consequences. Many companies used this report as the basis for their immediate response to Sarbanes-Oxley.

Recently COSO released the most comprehensive update of its 1992 report. It incorporates and expands on the 1992 report to address Enterprise Wide Risk Management (EWRM). The new framework emphasizes the importance of identifying and managing risks across the enterprise. According to one expert organization that has seen advance copies of the framework, COSO's new ERM framework consists of eight components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. The three new components of the COSO framework are objective setting, event identification, and risk response. The five taken from the control model are broader in their descriptions and in terms of the practical guidance.3 This draft is to be released in September of 2004.

COSO is only a guide for the entire organization and offers little about how IT organizations, in particular, can meet their unique challenges. The following frameworks represent the actual processes that IT organizations can use to establish effective internal controls in preparation for IT audits.

b) COBIT — COBIT (Control Objectives for Information and Related Technology) was developed by the IT Governance Institute as a generally applicable and accepted standard for good Information Technology (IT) security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners. The institute was founded in 1998 by the Information Systems Audit and Control Association (ISACA) as a not-for-profit organization dedicated to sharing better practices for IT governance.

According to COBIT, IT governance is a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes.4 It provides the structure that links IT processes, IT resources and information to enterprise strategies and objectives.

COBIT's framework for IT governance identifies 34 key, naturally grouped IT Control Objectives, which fall under one of four broad domains: planning and organization (11), acquisition and implementation (6), delivery and support (13), and monitoring (4). Each control objective can be regarded as a separate process to which COBIT's Management Guidelines are applied. The management guidelines are governed by a generic maturity model that allows managers to map where the organization is today, where it stands in relation to the best-in-class in its industry and to international standards and where the organization wants to be. The following section discusses maturity models, and in particular the Software Capability Maturity Model, as a means for controlling software development processes.

As it relates to Sarbanes-Oxley, COBIT represents an excellent reference point for assessing current internal process controls and implementing new and improved ones. An IT governance model such as this is a worthy goal to aspire to in the longer term, but to comply with the Act, more immediate and short term actions can and should be taken.

c) Maturity Models — Like any business process, IT processes lend themselves to auditing activities that track their effectiveness in achieving business goals. Key to this measurement is the use of maturity models for self-assessment and benchmarking. Maturity models are effective tools for determining the current status of the organization's processes and how they should evolve. They provide both the goals to strive for and the means of measuring the attainment of those goals, and they are complementary and foundational to both COBIT and COSO. If you are planning to audit your IT processes, they provide one of the readiest and most effective tools for preparing for it. There are five levels that make up the generic maturity model:

[Figure: Generic Maturity Model Levels — Source: Software Engineering Institute]

The Capability Maturity Model (CMM)
To understand how maturity models are applied in the real world, consider the example of software development processes. For a number of years, software development organizations have used the Capability Maturity Model for Software (SW-CMM) as the de facto standard for assessing and improving software processes. Developed by the software community under the stewardship of the Software Engineering Institute (SEI) at Carnegie Mellon, it describes the principles and practices underlying software process maturity and is organized into the same five maturity levels as the generic model.

1) Initial — Software processes are ad hoc. There are few defined processes and success depends on individual effort.

2) Repeatable — Basic project management processes are established to track cost, schedule, and functionality. The necessary process discipline is in place to repeat earlier successes on projects with similar applications.

3) Defined — The software process for both management and engineering activities is documented, standardized, and integrated into a standard software process for the organization. All projects use an approved, tailored version of the organization's standard software process for developing and maintaining software.

4) Managed — Detailed measurements of the software process and product quality are collected. Both the software process and products are quantitatively understood and controlled.

5) Optimizing — Continuous process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.

Using Software Change and Configuration Management for Process Control and Auditing
One of the main goals of Sarbanes-Oxley is to improve companies' internal control over financial reporting. A software change and configuration management (SCCM) solution provides control over IT processes to make them more verifiable and auditable. Software configuration management and process management tools offer an effective way of controlling IT processes around and beyond mere software development at a modest price. SCCM was designed to provide assurance that a company's mission critical software applications are not exposed to potential failure due to human error, staff turnover or sabotage. As SCCM has become better understood and applied in different areas, however, a secondary but important role has emerged. SCCM, in conjunction with a flexible process and workflow management solution, provides the ability to capture, track, version and report on changes to any process or system in an IT setting.

A process-centric SCCM solution can help you bring your IT processes under control, so they are audit-ready for Sarbanes-Oxley. Flexible process and workflow management allows you to implement workflows that are customized for any IT process or system. It records every change and/or action made by every person involved in a given process, providing valuable details about "who's done what." The workflows are completely enforceable, meaning that a process cannot be subverted by an overzealous or malicious employee who wishes to skip steps in the process.

Go/no-go gates are the mechanisms that give managers the ability to enforce workflows and decide when the process can proceed and when it must remain stopped until another person in the process completes his or her action. Finally, an SCCM solution that provides a graphical workflow modeler allows IT organizations to easily model and tweak development and business processes, providing a clear bird's-eye view of the processes at hand and the people and actions involved.

A good cross-platform SCCM solution plays a central role in software development with its ability to version any type of file, guarantee the reproducibility of an application, and provide audit trails for illustrating migrations throughout the software development process.

An SCCM solution provides value for Sarbanes-Oxley compliance through its versioning capabilities and its integration with a process and workflow tool. An SCCM tool, while typically used by software developers, can be employed to version changes to IT and business processes themselves. As processes improve and evolve, process documents will undergo almost constant revision. In an audit situation, a separation of duties and a clear audit trail must be evident to illustrate that IT processes are up to date and in synchronization with what is being practiced by staff. An audit trail of approvals is also critical for demonstrating that internal controls are working properly.

In a typical company, processes and workflows are defined, documented and implemented, in that order. Yet it is not uncommon to find a gap between the documented process and the actual day-to-day workings of the business, creating a compliance concern. By automating processes through a workflow tool, organizations can transform paper processes into action and better enforce adherence.
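The enforceable workflow described in the preceding paragraphs, with ordered go/no-go gates, separation of duties (the submitter may not review or approve their own change) and an append-only "who's done what" audit trail, as a small added example in Python. It is not MKS's product or code from the article; the step names, actors and change request identifier are constructed for illustration.

```python
"""Change workflow with go/no-go gates, separation of duties and an
append-only audit trail (added illustration, not a product's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Ordered gates (constructed for this example); each opens only after the
# previous one has been completed.
STEPS = ("submit", "review", "approve", "deploy")


class WorkflowError(Exception):
    """Raised when an action would skip a gate or violate separation of duties."""


@dataclass
class ChangeRequest:
    change_id: str
    audit_trail: list = field(default_factory=list)  # append-only: who, what, when

    def completed_steps(self) -> list:
        return [e["step"] for e in self.audit_trail]

    def actor_for(self, step: str):
        return next((e["actor"] for e in self.audit_trail if e["step"] == step), None)

    def perform(self, step: str, actor: str, note: str = "") -> dict:
        """Complete the next gate; refuse skipped/repeated steps and self-approval."""
        done = self.completed_steps()
        expected = STEPS[len(done)] if len(done) < len(STEPS) else None
        if step != expected:
            raise WorkflowError(f"{step!r} refused; next open gate is {expected!r}")
        # Separation of duties: the submitter may not review or approve own change.
        if step in ("review", "approve") and actor == self.actor_for("submit"):
            raise WorkflowError(f"{actor} submitted {self.change_id}; may not {step} it")
        entry = {"step": step, "actor": actor, "note": note,
                 "time": datetime.now(timezone.utc).isoformat()}
        self.audit_trail.append(entry)  # refused actions never reach the trail
        return entry

    def is_complete(self) -> bool:
        return self.completed_steps() == list(STEPS)


def audit_report(cr: ChangeRequest) -> list:
    """One line per gate for an auditor: time, change, step, actor."""
    return [f"{e['time']} {cr.change_id} {e['step']:<8} by {e['actor']}"
            for e in cr.audit_trail]


def run_demo():
    """Walk a constructed change through the gates; returns (request, refusals)."""
    cr, refused = ChangeRequest("CR-0001"), []
    cr.perform("submit", "alice", "update revenue report job")
    # Skipping a gate, self-review and re-submitting are all refused.
    for step, actor in (("approve", "bob"), ("review", "alice"), ("submit", "alice")):
        try:
            cr.perform(step, actor)
        except WorkflowError as err:
            refused.append(str(err))
    cr.perform("review", "bob")
    cr.perform("approve", "carol")
    cr.perform("deploy", "dave")
    return cr, refused
```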

Conclusion
A disciplined approach to internal process controls and good IT governance are the keys to complying with Sarbanes-Oxley. Section 404(a) calls on companies to identify the framework used by management to evaluate the effectiveness of their internal control and then to attest to the effectiveness of these controls in the year-end financial report. As we have explored, there are available frameworks, such as COSO, to establish internal control over financial reporting, COBIT for IT governance, and maturity models, such as the Capability Maturity Model for software, all suited to establishing good IT governance practices and assessing and measuring the effectiveness of IT processes. The trick is managing compliance without overburdening staff with bureaucracy and manual efforts. By implementing SCCM and automating processes through a workflow management solution, organizations can build a firm foundation for compliance, and achieve higher levels of productivity and business efficiency as well.


1 Ben Worthen, Playing by New Rules — Sarbanes-Oxley: Your Risks and Responsibilities, May 15, 2003, CIO Magazine

2 Playing by New Rules, p. 6

3 D'Arcangelo & Co., LLP, Certified Public Accountants

4 COBIT 3rd Edition — Executive Summary, July 2000, p. 3

About the author: Robert Dietrich, Chief Financial Officer for MKS
Robert J. Dietrich is Chief Financial Officer for MKS, and is responsible for all financial, administrative and legal functions within the company.

Prior to joining MKS, Rob was with Cedara Software Corp. where he served as CFO from September 1997 to June 2001. Mr. Dietrich also gained significant financial and operational experience in a wide variety of roles at Mitel Corporation in Ottawa, including assignments as Vice President Corporate Affairs, General Manager Network Products Division, Vice President Corporate Planning, Treasurer and Corporate Controller.

Rob Dietrich served eight years in the Audit practice of Ernst & Young, and four years in the company's mergers and acquisitions practice. Most recently he joined the Corporate Governance Task Force for the Issues and Policy Advisory Committee, Financial Executives International Canada, where he serves as Chair.

He was awarded his CA designation in 1977, and holds a Bachelor of Commerce Degree from Queen's University (Kingston, ON).

For information about MKS Inc., please visit www.mks.com.




