Standards and Compliance Issues

• Including

• CMM, ISO, ITIL,&

• Sarbanes-Oxley

Why Regulate and Impose Standards?

• Definitions:

• Regulation= “a legal restriction promulgated by government administrative agencies through rulemaking supported by a threat of sanction or a fine”.1

• Standard= “a level of quality or excellence that is accepted as the norm or by which actual attainments are judged”.2

Why Regulate and Impose Standards? (Cont’d)

• Increasing cost of IT

• 1In U.S., “spend more than $250 billion each year on IT application development of approximately 175,000 projects… (and) a staggering 31.1% of projects will be canceled before they ever get completed… (and) 52.7% of projects will cost 189% of their original estimates”. (CHAOS report by Standishgroup:1994 reseasrch survey of IT executive managers, from large, medium, and small companies, across major industry segments. Total sample size: 365 respondents, representing 8,380 applications. )

• Increasing size of IT workforce

• 10 million in 2000 to 10.5million in 2004 in U.S.2
• (Study commissioned by ITAA, with 500 random people from organizations, who were involved in hiring workers; based on phone conversations from Feb. 24-Mar. 23, 2004)

Time Line

• ISO- International Standards Organization

• CMM- Capability Maturity Model

• ITIL- Information Technology Infrastructure Library

• SOX- Sarbanes-Oxley

ISO (International Standard Organization)

International Standard Organization (ISO)

• It is the world’s leading developer of International Standards.

• It has 156 member countries.

• Its portfolio holds more than 15,036 standards that are used in every sector of business, industry and technology.

ISO Partners

• International Electrotechnical Commission (IEC)

• International Telecommunication Union (ITU)

• World Bank

ISO Path Forward

• The environment – develop standards for meeting new requirements such as greenhouse gas verification, climate mitigation, and other aspects of sustainable development.

• The service sectors – standards for personal financial services, market opinion, social research and tourism.

• Security - maritime port security, freight transport, countering illegal trafficking

• Good Managerial and Organizational Practice – develop social responsibility.

ISO Benefits

• World wide recognition.( 156 members, developed, developing countries)

• Level the playing field.

• Disseminate new technologies and businesses.

CMM (Capability Maturity Model)

• Created by the Software Engineering Institute, a research center founded by Congress in 1984

• A structure designed to direct IT organizations through software process improvement

• Philosophy of “continuous process improvement”

5 Levels of the Capability Maturity Model:

• Optimizing 18.4%

• Managed 4.5%

• Defined 32.9%

• Repeatable 32.9%

• Initial 2.2%

• 9.0%

• www.sei.cmu.edu/appraisal-program/profile/pdf/CMMI/ 2006marCMMI.pdf

CMMI Process Maturity Profile

The Initial Level

• Probability of producing quality software is low

• No management practices

• No documentation or evaluation

• If reach quality, usually due to extreme efforts of a few people or to individual practices by a manager

• Respond to crises

The Repeatable Level

• Requirements management begins: identification of project prerequisites & assignment to the appropriate area

• Project management begins: responsibility, software development plan, implementation and analysis of project plan

• Quality assurance begins: comparing actual progress on the project with the project plan

• Software management begins: collection of data, identification of elements of success and application to new projects

• Quality of projects able to be replicated

The Defined Level

• Defining and implementing proven practices throughout the organization

• Increased productivity, efficiency and effectiveness using these practices

• Emergence of training group to provide organization-wide knowledge

• Emergence of a group called the Software Engineering Process Group, which continues development of software processes

The Managed Level

• Increased management of software products and processes

• Measurable goals set for quality of software products and processes

• Collection and analysis of data from all current projects using a software process database

• Increased predictability and decreased

• risk due to improved standardized practices

• used throughout the organization

The Optimizing Level

• “Continuous process improvement”

• Proactive consideration of potential problems and weaknesses

• Work to prevent defects

• Analysis of any defects or problems and making adjustments to prevent reoccurrence

ITIL Standards (Information Technology Infrastructure Library)

What is ITIL?

• ITSM (Service Management)

• Managing IT services in support of one or more business units

• ITIL (Infrastructure Library)

• Developed to provide a set of Best Practices for Cost Effective IT Services

• Adapted for delivery services.

• Presents a comprehensive set of mgr. procedures with which an organization can manage its IT operations.

ITIL

Core ITSM Components

ITIL Benefits

• Reduces costs.

• Improves IT services, increasing customer satisfaction.

• Offers guidance, and standards.

• Improves productivity.

• Recognized worldwide.

ITIL Qualifications

• Foundation Certificate-

• Aimed to all personnel who wish to become familiar with IT management practices
• Enables people to understand the terminology used within ITSM

• Practitioner’s Certificate-

• Aimed at the personnel responsible for designing specific processes within the IT Service Management discipline
• Focuses on depth in understanding and applying IT Service Management services

• Manager’s Certificate-

• Aimed at those who need to demonstrate capability of managing ITIL-based solutions directed to the field of IT Services Management

Sarbanes Oxley Act

What is Sarbanes-Oxley?

• It is a US federal law commonly called Sox or SarbOx.

• It gives additional powers and responsibilities to the U.S Securities and Exchange Program.

• Why important? 210,453 US and 234,086 Int’l SEC registrants

History Behind Sarbanes Oxley Act

• Stock market boom of the 1990s and crash in 2000

• Fraud, misconduct and manipulation of financial information led to financial scandals and huge losses by investors

• Examples: Enron, WorldCom,
• Tyco

• Act sponsored by

• Senator Paul S. Sarbanes (MD)

• and Representative

• Michael G. Oxley (OH)

Goals of Sarbanes Oxley Act

• Renew Investors’ Trust in Accounting and Auditing Professions

• Corporate responsibility for financial reporting

• Accurate reporting and release of information

• Increased auditor independence

Renew Investors’ Trust in Accounting and Auditing Professions

• Established the Public Company

• Accounting Oversight Board (101)

• Separation of auditing from

• accounting

• Limitation of services provided

• by auditors (201)

• Financial Accounting Standards Board named as the accounting standard setter and supplied with an independent funding source

• Retention of audit records by outside auditors

• FAIR Funds for Investors established (308a)

Corporate Responsibility for Financial Reporting

• CEOs and CFOs must evaluate controls and certify this information in quarterly and annual reports (302, 404)

• More severe civil and criminal penalties

• for fraud and misconduct

• New regulations related to insiders

• No personal loans to director or executive director

• CEO and CFO compensation and profit information released to the public

• CIOs are responsible for Security, Accuracy, and Reliability of the systems that manage and report the financial data.

Accurate Reporting and Release of Information

• New rules regarding disclosure

• Annual management reports on internal controls over financial reporting:

• Financial data
• Material changes
• Effectiveness/ Security
• Material weaknesses

• Auditor verification of internal controls over financial reporting:

• “Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring”

• SEC to review Exchange Act reports at least once every three years

Costs Associated with Implementation

• Section 404- Requires Management and Independent auditors to issue separate assessments of a publicly held company’s internal control over financial recording

• Requires two new public reports

• A management report on the effectiveness of the company’s internal control over financial reporting
• An independent auditor’s report that includes both an opinion on management report and it’s own opinion of the company’s control over financial reporting

Estimated Costs vs. Actual costs

• First year compliance estimated at $1 million for $1 billion in revenue

• Actual cost

Costs to Decline in Year Two

• CRA International conducted a survey of Sarbanes-Oxley Implementation Issues

• Findings include

• Average total Section 404 costs are to decline for both large and small companies in the second year
• Smaller companies expect decline of 39% from $1.5 million to $900,000
• Larger companies expect decline of 42% from $7.3 million to $4.3 million
• Audit fees account for minority of cost in first year
• Smaller companies 35% of total cost
• Larger companies 26% of total cost

Year-One Average per Company Section 404 Implementation Costs for Smaller Companies

Other Compliance Costs

• Software development and/or acquisition

• Increased general and administrative expenses

• Additional human resources and training

• Technological improvements and process improvements

• Projects to reorganize accounting and IT departments

• Additional expenses ranged from $1200 to

• $34,000,000, per study by Hall & Gaetanos of 50 random accelerated filers with SICC codes ranging from 2111- 9999 & direct mention of Sct 404 costs.

• Hall, Linda A., and Gaetanos, Christ, “Treatment of Section 404 Compliance Costs”, The CPA Journal, New York: Mar 2006. Vol.76, Iss.3, Pgs. 58-62.

Global Effects of SOX

• SOX is in Direct violation of Europe’s Data Protection Act of 1998

• UK Companies must get employee permission to disclose certain information, permission is not guaranteed, so it is impossible to complete item 8.1 of SOX agreeing to provide information at any time in the future

• Some firms threatening to de-list from US Stock Exchange

Global Effects of SOX

• SOX regulations costs for UK businesses directly comparable to US costs for compliance

• $1 million per $1 billion in revenue
• Second and third year costs should decrease 30-40%

Case Studies

Background of Utility Company

• One of the nation’s top utility company.

• Has over 9,300 employees.

• Revenue = 6.78 B ( 2005 )

• Gross Profit = 2.28 B

• Net Profit = 628 M

• Serves 2.3 M electric customers

• Serves 900,000 natural gas customers.

Energy Delivery Dept.

• Our interviewee: Mr. Jerry Pisarek, Business Performance Controller.

• Dept. is responsible for the transmission and the delivery of energy.

• System used TRIS (Time Reporting Information System) – payroll accumulation system)

• From the interview with Mr. Jerry Pisarek ( march 2006)

IS Department

• 3,500 employees.

• Cost of meeting Sarbanes-Oxley requirements is $3-5 million annually.

• TRIS Department

Effects of SOX at the Utility Co.

• Request in writing to access information.

• Before SOX, Performance Controller approves/denies request.

• After SOX, Performance Controller makes the decision, but needs the upper management to approve it.

• From the interview with Mr. Jerry Pisarek, ( March 2006 )

Solutia Background/Overview

• Specialty Chemicals Company.

• $2.7 billion in annual sales(2004).

• $1.9billion in assets.

• More than 5,700 employees located at 60 manufacturing sites throughout 27 countries.

Solutia’s Product Line:

• Performance Films for:

• - car windows

• - computer screens

• Specialty products such as

• - avionic hydraulic fluid.

• - heat-transfer fluids.

• - plastic products.

Solutia’s Product Line: (cont’d)

• Integrated Nylon used to make:

• - wear-resistant carpets.

• - vibrant upholstery fabrics.

• - tires

Solutia’s IT Department

• Our interviewee – Lori Kirk, Information Security Manager.

• Hierarchy in IT department:

• IT annual budget is $29M.

• IT Department has approx. 100 employees.

Implementation of SOX at Solutia (2003 – 12/31/2004)

• Planning (2003)

• Awareness(2003)

• Intensive Documentation(2004)

• Testing(2004)

Solutia and Maintaining Compliance

• Update narrative and control activity documents.

• Test quarterly the control environments.

• Annual management testing (internal).

• Annual external audit.

Impact of SOX at Solutia

• Higher costs.

• Time consuming.

• - 25% of time on average.

• - 75% of time in the fourth quarter.

• More detailed documentation.

PricewaterhouseCoopers (PwC) Background/Overview

• ~30,000 employees in U.S., 110,000 worldwide

• ~3000 firm partners in U.S.

• Clients are primarily mid to large-sized companies, mostly audit clients, and usually from the financial services, consumer or industrial products and services, technology or entertainment sectors

Interview with Mark Meiner, Business Development Director at PwC

• SOX affected all 3 areas of PwC: assurance/audit, tax, advisory (business processes)

• Costs: audit costs increased by 50% for most clients; est. 25% of costs due to documentation of control systems, 225 clients noted 275 control deficiencies each–- est. 25% of new/revised controls contributed to costs of year 1

• SOX created need for increased software development and increased IT budgets: tools to track SOX projects, IT tools to automate the way control structures are reviewed, controls to monitor access to the IT applications

Interview with Mark Meiner, Business Development Director at PwC (cont’d)

• First year of SOX compliance: companies rushed to become compliant, many had underestimated the time and cost to do this

• Second year of compliance: how will companies “do it better” in year 2 --- more efficient and less costly

• Benefits of SOX:

• With audit clients: gave companies a greater awareness of their control structures and how they mitigate risk across the enterprise
• With non-audit clients: started them thinking about some of the issues

Time Line Completed

• ISO- International Standards Organization

• A global organization used to determine general industry standards across all industries

• CMM- Capability Maturity Model

• Sequential path towards increasing quality, used by companies as guidelines or to document quality level

• ITIL- Information Technology Infrastructure Library

• ITIL is not a standard, it is a framework for best practice to be adopted and adapted to fit each individual company

• SOX- Sarbanes-Oxley

• SOX created new documentation requirements for all publicly held companies, in order to create greater financial disclosure as well as increase security against fraudulent activity

Any Questions???

• Any Questions???

Source Information

Sources Continued:

• Kirk, Lori, Information Security Manager, Solutia, interviewed in person by Lauren Eilers and Michele Hummel, March 29, 2006.

• Meiner, Mark, Business Development Director, PricewaterhouseCoopers, interviewed by telephone by Michele Hummel, April 5, 2006.

• Persse, James R., Implementing the Capability Maturity Model, John Wiley & Sons, Chichester, 2001.

• Pisarek, Jerry, Business Performance Specialist, Utility Company, interviewed in person by Lauren Eilers, Michele Hummel and Eno Veshi, March 12, 2006.

• Price Waterhouse Coopers Logo- (http://www.pwcglobal.com/gx/eng/main/home/index.html), viewed 4/10/2006

• Sarbanes-Oxley Implementation Costs What Companies are Reporting in their SEC Filings, February 2005 (www.auditnet.org/articles/Sarbanes-Oxley_Implementation_Costs.pdf)

• Sarbanes Oxley Compliance (http://sarbanes-oxley-101.com/SOX-404.htm)

• Solutia, Company Profile ( www. Solutia.com/)

• Solutia Logo- http://www.solutia.com/pages/corporate, viewed 4/10/2006

• Swartz, Nikki, SOX Compliance Costs U.K. Firms,. Information Management Journal Lenexa: Jan/Feb 2006. Vol. 40, Iss 1, p. 19 (1 pp)

• Utility Company overall information ( www.finance.yahoo.com )

• Wagner, Stephen, and Dittmar, Lee, “The Unexpected Benefits of Sarbanes-Oxley” Harvard Business Review, April 2006, Vol. 84, Iss. 4.

• ww.secinfo.com/$/SEC/Location.asp, viewed on March 1, 2006.

Sources Cont’d

• en.wikipedia.org/wiki/Regulate, viewed on April 7, 2006.

• en.wikipedia.org/wiki/Sarbanes_Oxley, viewed on March 28, 2006

• www.encarta.msn.com/dictionary_/standard.html, viewed on April 7, 2006.

• www.itaa.org/workforce/studies/04wfstudy.pdf, viewed on April 7, 2006.

• www.secinfo.com/$/SEC/Location.asp, viewed on March 1, 2006.

• www.sec.gov/news/press/2003-89a.htm, viewed on March 27, 2006.

• www.sec.gov/news/studies/sox308creport.pdf, viewed on March 1, 2006.

• www.sec.gov/news/testimony/090903tswhd.htm, viewed on March 27, 2006.

• www.sec.gov/news/testimony/022603tssmc.htm, viewed on March 1, 2006.

• www.sec.gov/news/press/2003-89a.htm, viewed on March 11, 2006.

• www.sei.cmu.edu/appraisal-program/profile/pdf/CMMI/2006marCMMI.pdf

• www.sox-online.com/sox_humor.html, viewed on March 28 & April 11, 2006.

• www.standishgroup.com/sample_research/chaos_1994_1.php, viewed on April 7, 2006.