
2009 International Conference on Computational Science and Engineering

An Efficient Framework for IT Controls of Bill 198 (Canada Sarbanes-Oxley) Compliance by Aligning COBIT 4.1, ITIL v3 and ISO/IEC 27002

Zhitao Huang, Pavol Zavarsky, Ron Ruhl
Department of Information Systems Security

Concordia University College of Alberta
7128 Ada Boulevard, Edmonton, AB Canada, T5B 4E4

http://infosec.concordia.ab.ca

Abstract

Canadian companies have been struggling with Bill 198 (CSOX) compliance. The main problem is the lack of clear guidelines and the non-existence of a specific compliance process the IT staff could use to achieve the IT control objectives of Bill 198. This research paper demonstrates the possibility of creating a new comprehensive framework to accomplish the compliance goal by aligning three existing effective frameworks: COBIT 4.1, ITIL v3, and the ISO/IEC 27002 standard. The paper shows that, relative to current CSOX compliance practices, the new framework provides higher efficiency and a reduction of the resources needed to comply with the Bill.

Keywords: CSOX Bill 198, COBIT, ITIL, ISO27002, compliance

I. INTRODUCTION

Since 2002, when Canada got its own version of Sarbanes-Oxley, Bill 198, Canadian corporations have been struggling with its compliance. The compliance process requires time, money and resources, and it lacks clear guidelines.

A. CSOX vs. SOX

Bill 198 is similar to the Sarbanes-Oxley Act (SOX) of the United States and is also called Canadian SOX (CSOX). Both were created to protect business from financial deception and to emphasize the enhancement of internal controls over financial reporting.

CSOX is the Canadian equivalent of the U.S. SOX. At the very beginning, when we talked about how SOX affected IT staff, two sections were most relevant: Section 302 (internal control certifications) and Section 404 (assessments of internal controls). Similarly, the original CSOX had Multilateral Instrument 52-109 (MI 52-109) and Multilateral Instrument 52-111 (MI 52-111). Section 302 and MI 52-109 both required the demonstration of effective disclosure controls [1, 2]. Section 404 and MI 52-111 emphasized effective internal controls over financial reporting and clarified responsibilities [1, 3]. These sections were the major concerns of IT staff for achieving compliance.

978-0-7695-3823-5/09 $26.00 © 2009 IEEE DOI 10.1109/CSE.2009.336

In order to address Canadian business's specific needs, some changes have been made to CSOX. The one that most affects IT is that MI 52-111 and MI 52-109 are combined.

After extensive review and consultation, the Canadian Securities Administrators (CSA) has determined not to implement MI 52-111 [4]. Because of this change, Canadian companies do not have to obtain the opinion of an external auditor when reporting on their internal controls. This change allows smaller corporations to save on expensive auditor services [5], and it also affects the compliance process. In addition, CSA has modified MI 52-109, which, besides disclosure controls, assigns more responsibility to the management of companies to evaluate the design and the operating effectiveness of internal control over financial reporting. Furthermore, "Although a public accounting oversight board has been established in Canada (PCAB), the board does not have the same level of independence and transparency as the PCAOB in the US" [6]. The PCAOB was created by SOX and has published Auditing Standard No. 5, which indicates what is expected for SOX compliance. PCAB, however, relies on CSA to publish auditing standards and to oversee auditing.

In 2004, the IT Governance Institute published a document which used COBIT Lite as a framework to achieve the IT control objectives of SOX compliance [1]. Although Bill 198 and SOX are similar, they are not completely identical. Yet business must still achieve the goal of Bill 198 compliance.

This paper demonstrates a possibility for IT staff to achieve Bill 198 compliance by aligning the existing frameworks COBIT 4.1, ITIL v3, and the ISO/IEC 27002 standard. Those frameworks and the standard have been well accepted and have proven to be useful in meeting the requirements of SOX. This paper does not address their effectiveness. The newly proposed framework is expected to provide higher efficiency. However, due to the limits of time and resources, an economic analysis of the framework is beyond the scope of this paper.

Authorized licensed use limited to: CONCORDIA UNIVERSITY LIBRARIES. Downloaded on October 21, 2009 at 13:47 from IEEE Xplore. Restrictions apply.

II. FRAMEWORKS MAPPING

TABLE I CONTROL PROCESS MAPPING. Reproduced with permission from [1]. Copyright 2007 IT Governance Institute

COBIT Control Objective                 PCAOB IT General Control Heading (PD, PC, CO, APD)
Acquire technology infrastructure.      marked under three of the four headings
Manage changes.                         marked under two of the four headings
Manage problems and incidents.          marked under one of the four headings

Note. PD-Program Development, PC-Program Changes, CO-Computer Operations, APD-Access to Programs and Data

CSA does not give any particular process to ensure compliance. Therefore, the accounting industry and business adopt the Committee of Sponsoring Organizations of the Treadway Commission (COSO) internal control framework as a guideline. COSO is dedicated to improving the quality of financial reporting through business ethics, effective internal control and corporate governance [1]. It has, however, very little to do with IT. A more efficient framework is proposed by combining COBIT 4.1, ITIL v3 and ISO 27002, which are widely accepted and effective control frameworks and standards for IT control and practices. COBIT 4.1 focuses on how to deliver information to satisfy business needs. ITIL is more concerned with IT processes. ISO/IEC 27002 has been proven as best practice for information security management.

A. Planning

1) Addressing IT Control Objectives

As the Canadian equivalent of the U.S. SOX, Bill 198 compliance can borrow some experience to achieve the goal. The U.S. PCAOB approved PCAOB Auditing Standard No. 5. This audit standard establishes the requirements for performing an audit of internal controls over financial reporting and provides some important directions on the scope and approach required of auditors [7]. Twelve COBIT control objectives are aligned with the PCAOB's requirements: Program Development (PD), Program Changes (PC), Computer Operations (CO), and Access to Programs and Data (APD) [1]. Therefore, the control process mapping could be a basis for implementing SOX and CSOX compliance. In this paper, the following three control objectives out of the twelve will be discussed in detail:

2) Selecting COBIT 4.1 Control Objectives

In the following paragraphs, 3 control objectives are selected from COBIT 4.1 to demonstrate the possibility of creating a more efficient framework for Bill 198 compliance. In addition, the critical factors and key indicators which play important roles in the success of the compliance will be identified. COBIT 4.1 provides well-developed metrics for each control objective. They will be introduced into the proposed framework to help compliance personnel notice and collect significant information [8].

The "Acquire Technology Infrastructure (ATI)" control objective requires a planned approach to the acquisition, maintenance and protection of infrastructure in line with agreed-upon technology strategies and the provision of development and test environments. This ensures that there is ongoing technological support for business applications. There are four sub-objectives:

• AI3.1 Technological Infrastructure Acquisition
• AI3.2 Infrastructure Resource Protection and Availability

In order to improve efficiency, redundant control objectives will be eliminated or reorganized. COBIT control objectives AI3.3 Infrastructure Maintenance and AI3.4 Feasibility Test Environment are not defined and discussed within this main IT control objective of the proposed framework.

There are some critical success factors (CSF) and key process indicators (KPI) which may affect the objective of "Acquire Technology Infrastructure". Compliance personnel need to pay more attention to them. The CSF-KPI metric is shown in TABLE II:

TABLE II THE ATI CSF&KPI METRIC
• Number of critical business processes supported by obsolete (or soon-to-be obsolete) infrastructure
• Percent of platforms that are not in line with the defined IT architecture and technology standards
• Number of different technology platforms by function across the enterprise
• Percent of infrastructure components acquired outside the acquisition process
• Number of infrastructure components that are no longer supportable (or will not be in the near future)
• Number and type of emergency changes to the infrastructure components
• Number of outstanding acquisition requests
• Average time to configure infrastructure components

The "Manage Changes (MC)" control objective requires that all changes relating to infrastructure and applications within the production environment are formally managed in a controlled manner. Changes, including those to procedures, processes, and system and service parameters, are logged, assessed and authorized prior to implementation and reviewed against planned outcomes following implementation. This assures mitigation of the risk of negatively impacting the stability or integrity of the production environment. The control objective consists of six sub-objectives:

• AI6.1 Change Standards and Procedures
• AI6.2 Impact Assessment, Prioritization and Authorization
• AI6.3 Emergency Changes
• AI6.4 Change Status Tracking and Reporting
• AI6.5 Change Closure and Documentation

The CSF and KPI for MC are shown in TABLE III:

TABLE III THE MC CSF&KPI METRIC
• Number of disruptions or data errors caused by inaccurate specifications or incomplete impact assessment
• Amount of application rework caused by inadequate change specifications
• Reduced time and effort required to make changes
• Percent of total changes that are emergency fixes
• Percent of unsuccessful changes to the infrastructure due to inadequate change specifications
• Number of changes not formally tracked, reported or authorized
• Number of backlogged change requests
• Percent of changes recorded and tracked with automated tools
• Percent of changes that follow formal change control processes
• Ratio of accepted to refused change requests
• Number of different versions of each business application or infrastructure being maintained
• Number and type of emergency changes to the infrastructure components
• Number and type of patches to the infrastructure components
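The TABLE III indicators only help compliance personnel if they are actually computed from change records and the exceptions surface first. The following is an added example, not code from the paper or from ISACA: it derives several of the MC indicators from a constructed change log and flags those that breach a threshold. The record fields, status values, denominators and threshold values are assumptions made for this illustration.

```python
"""Manage Changes (MC) KPI evidence from a change log.

Added example, not part of the paper: it computes several of the
TABLE III indicators over a constructed change log and flags the ones
that breach a threshold, so the exceptions are seen first. Field names,
status values, denominators and thresholds are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ChangeRecord:
    change_id: str
    emergency: bool              # handled as an AI6.3 emergency change
    authorized: bool             # approved before implementation (AI6.2)
    tracked: bool                # logged and reported in the change tool (AI6.4)
    impact_assessed: bool        # impact assessment on file (AI6.2)
    status: str                  # "implemented", "failed", "refused" or "backlog"
    failure_cause: Optional[str] = None   # set when status == "failed"


# Constructed sample log (not real data) covering each case the KPIs need.
SAMPLE_LOG: List[ChangeRecord] = [
    ChangeRecord("CHG-001", False, True, True, True, "implemented"),
    ChangeRecord("CHG-002", True, True, True, False, "implemented"),
    ChangeRecord("CHG-003", False, True, True, True, "failed", "inadequate_spec"),
    ChangeRecord("CHG-004", False, False, False, False, "implemented"),  # bypassed the process
    ChangeRecord("CHG-005", True, False, True, False, "failed", "hardware"),
    ChangeRecord("CHG-006", False, True, True, True, "refused"),
    ChangeRecord("CHG-007", False, True, True, True, "backlog"),
    ChangeRecord("CHG-008", False, True, True, True, "implemented"),
]


def _pct(part: int, whole: int) -> float:
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def manage_changes_kpis(log: List[ChangeRecord]) -> Dict[str, float]:
    """Compute TABLE III style indicators over the whole log.

    Denominators are assumptions: percentages are over all change
    records, and "accepted" means a request that went ahead
    (implemented or failed), as opposed to refused or still backlogged.
    """
    total = len(log)
    emergency = sum(1 for c in log if c.emergency)
    not_controlled = sum(1 for c in log if not (c.authorized and c.tracked))
    formal = sum(1 for c in log if c.authorized and c.tracked and c.impact_assessed)
    backlog = sum(1 for c in log if c.status == "backlog")
    refused = sum(1 for c in log if c.status == "refused")
    accepted = sum(1 for c in log if c.status in ("implemented", "failed"))
    bad_spec = sum(1 for c in log
                   if c.status == "failed" and c.failure_cause == "inadequate_spec")
    return {
        "pct_emergency_changes": _pct(emergency, total),
        "count_not_tracked_or_authorized": float(not_controlled),
        "pct_formal_change_control": _pct(formal, total),
        "count_backlogged_requests": float(backlog),
        "ratio_accepted_to_refused": accepted / refused if refused else float("inf"),
        "pct_unsuccessful_inadequate_spec": _pct(bad_spec, total),
    }


# Threshold per KPI: ("max", limit) means the value must not exceed limit,
# ("min", limit) means it must reach limit. The limits are illustrative.
Threshold = Tuple[str, float]
DEFAULT_THRESHOLDS: Dict[str, Threshold] = {
    "pct_emergency_changes": ("max", 20.0),
    "count_not_tracked_or_authorized": ("max", 0.0),
    "pct_formal_change_control": ("min", 90.0),
    "pct_unsuccessful_inadequate_spec": ("max", 10.0),
}


def flag_exceptions(kpis: Dict[str, float],
                    thresholds: Dict[str, Threshold] = DEFAULT_THRESHOLDS) -> List[str]:
    """Return the names of the KPIs that breach their threshold, in a stable order."""
    flagged = []
    for name, (kind, limit) in thresholds.items():
        value = kpis[name]
        if (kind == "max" and value > limit) or (kind == "min" and value < limit):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    results = manage_changes_kpis(SAMPLE_LOG)
    for name, value in results.items():
        print(f"{name:36s} {value}")
    print("exceptions:", flag_exceptions(results))
```

A real change tool would supply the records; the point is that each TABLE III line becomes a reproducible count over the same evidence the auditor sees.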

"Manage Problems and Incidents (MP&I)" consists of two COBIT main control objectives, DS8 and DS10. It requires a well-designed and well-executed incident management process. This process includes incident registration, escalation, trend and root cause analysis, and resolution. In addition, effective problem management requires the identification and classification of problems, root cause analysis and resolution of problems. The problem management process also includes the formulation of recommendations for improvement, maintenance of problem records and review of the status of corrective actions. An effective problem management process maximizes system availability, improves service levels, reduces costs, and improves customer convenience and satisfaction. The seven related sub-objectives are listed as follows:

• DS8.2 Registration of Customer Queries
• DS8.3 Incident Escalation
• DS8.4 Incident Closure
• DS10.1 Identification and Classification of Problems
• DS10.2 Problem Tracking and Resolution
• DS10.3 Problem Closure
• DS10.4 Integration of Configuration, Incident and Problem Management

Service desks are the interfaces between people and IT. Control objective DS8.1 Service Desk is more focused on providing service and has very little to do with internal controls. It is not in the scope of the proposed framework. Control objective DS8.5 Incident Report and Analysis is covered in DS10.4 Incident Management. The efficiency analysis section will provide more detailed reasons why the proposed framework omits these objectives. The CSF and KPI for MP&I are shown in TABLE IV:

TABLE IV THE MP&I CSF&KPI METRIC
• Number of recurring problems with an impact on the business
• Number of business disruptions caused by operational problems
• Percent of problems recorded and tracked
• Percent of problems that recur (within a time period), by severity
• Percent of problems resolved within the required time period
• Number of open/new/closed problems, by severity
• Average and standard deviation of time lag between problem identification and resolution
• Average and standard deviation of time lag between problem resolution and closure
• Average duration between the logging of a problem and the identification of the root cause
• Percent of problems for which a root cause analysis was undertaken
• Frequency of reports or updates to an ongoing problem, based on the problem severity
• Percent of incidents resolved within an agreed-upon/acceptable period of time
• Percent of first-line resolutions based on total number of requests
• Percent of incidents reopened
• Average duration of incidents by severity
• Percent of incidents and service requests reported and logged using automated tools
• Percent of incidents that require local support (field support, personal visit)
• Number of unresolved queries

3) Selecting Related ITIL v3 Activities

The focus of COBIT 4.1 is on general control objectives, that is, how to deliver information to satisfy business needs, while ITIL v3 is more focused on IT processes. "It provides best practice guidelines and architectures to ensure that IT processes are closely aligned to business processes and that IT delivers the correct and appropriate business solutions" [9]. Since ITIL and COBIT correspond with each other, IT processes of ITIL v3 will be used to provide detailed instructions on how to achieve the IT control objectives from COBIT 4.1. For example, among those well-defined activities, the activities from the ITIL v3 volumes Service Design (SD) and Service Operation (SO) provide guidelines for IT staff to achieve the objective of "AI3.2 Infrastructure Resource Protection and Availability". The mapping of COBIT 4.1 and ITIL v3 is shown in TABLE V.

TABLE V COMBINING COBIT 4.1 AND ITIL v3 [10]

IT Objectives (COBIT): AI3.2 Infrastructure Resource Protection and Availability
Activities (ITIL): SD 4.6.5.1 Security controls; SO 5.4 Server management and support

4) Selecting Related Practice of ISO/IEC 27002

ISO/IEC 27002 is widely accepted as the best practice for information security management. It recommends practices that support the activities defined by COBIT to achieve the goal of the IT control objectives. The mapping of COBIT 4.1 control objectives, ITIL v3 activities and ISO 27002 practices is shown in TABLE VI.

TABLE VI COMBINING COBIT, ITIL AND ISO 27002
ACQUIRE TECHNOLOGY INFRASTRUCTURE

IT Objectives (COBIT): AI3.2 Infrastructure Resource Protection and Availability
Activities (ITIL): SD 4.6.5.1 Security controls; SO 5.4 Server management and support
Security Practices (ISO27002): 12.1.1 Security requirements analysis and specification

5) Identifying Key Personnel

MI 52-109 emphasizes the importance of internal control; key activities must be authorized. The CEO and CFO, or people with similar responsibilities, must file and sign an annual certification [2]. Therefore, key personnel for the compliance must be identified, and roles must be assigned to individuals to implement the compliance. External auditors are not required by Bill 198; they are optional and not included in the key personnel list.

6) Implementing Control Policies

Since MI 52-109 emphasizes the existence of internal control, in this section control policies are provided for implementation. Although the proposed framework is intended for achieving Bill 198 compliance, different corporations may have different clients, may provide different products and are subject to different business. General objectives, processes, activities and practices may not be enough to meet compliance requirements; hence corporations can implement their own policies to minimize the gaps between their individual requirements and the general framework requirements. For example, a control policy can be implemented to maintain equipment logs for future evaluation and maintenance. Moreover, key personnel's responsibilities and roles are identified and assigned to individuals within the policies according to need.

B. Evaluating

It is one of the requirements of MI 52-109 that the CEO and CFO must evaluate internal controls and make sure of their effectiveness; in addition, the compliance must be verified by the CEO and CFO or people from higher management; hence an evaluation process is important [2].

"Senior managers in corporate and public enterprises are increasingly asked to consider how well IT is being managed. In response to this, business cases require development for improvement and reaching the appropriate level of management and control over the information infrastructure" [8]. It is difficult to supply meaningful and concise answers. A COBIT-ITIL-ISO Capability Maturity Model (CII-CMM) can be developed for evaluation and can be used as a benchmark for comparison, based on the COBIT Capability Maturity Model (CCMM). The CII-CMM will integrate the combined requirements for COBIT, ITIL and ISO27002 audit. It will have 5 levels, from 1 to 5. In this compliance case, when a control process is just initiated, it is in Level 1. The final goal is to achieve the optimized Level 5 through a process of planning, designing, evaluating and improving.

Once management identifies a company's currentstatus, improvement measures will help theorganization grow and mature.

III. ILLUSTRATION OF BENEFITS

A. Analyzing the Feasibility of the Methodology

Due to the similarity between SOX and Bill 198, Bill 198 compliance has 3 phases [1]:

A. Assessing the current state of the IT control environment
B. Designing the controls necessary to meet the directives of Bill 198 and MI 52-109
C. Closing the gap between A and B

Based on the requirements presented by Bill 198 and MI 52-109, the proposed framework brings control objectives from COBIT 4.1 and introduces ITIL v3 and ISO 27002 to provide the activities necessary to achieve them. A CII-CMM will be developed as a benchmark for evaluation. The purpose is to ensure the effectiveness and efficiency of the proposed framework, to minimize risks to acceptable levels and also to increase the corporation's maturity to an optimized level.

B. Efficiency Analysis

This section will demonstrate the efficiency of the proposed framework. According to American experience, SOX compliance is a very time- and cost-consuming task. When companies are achieving CSOX compliance, efficiency is very important. The proposed framework is intended to achieve this goal by internal personnel involvement, reorganizing control objectives and a Top-Down approach.

1) Internal Personnel Involvement

In order to reflect the distinction of Bill 198 (CSOX) from the U.S. SOX, the proposed framework does not require the involvement of external auditing. In contrast, it emphasizes that internal personnel be involved. "External auditors are required to perform walkthroughs of key business processes to ensure their understanding of every point where misstatements related to relevant financial statement assertions could occur" [11]. That is time consuming. Compared with external auditors, internal personnel are more familiar with the company environment. This change saves companies a great deal of time and cost. For example, a company will not need to spend weeks and salaries on filling a year-long position for an external auditor [12]. During the planning and implementing phases, key responsibilities must be defined and assigned to individuals. In addition, CEOs and CFOs have to take the responsibility of verifying, evaluating, and authorizing critical operations throughout the whole compliance process.

2) Reorganizing Control Objectives

First of all, in order to cut costs and improve the efficiency of audit, the new framework removes unnecessary control objectives from COBIT 4.1. Control objectives of COBIT 4.1 that do not contribute to Bill 198 compliance are not included in the proposed framework. For example, the proposed framework does not concern establishing a "Service Desk", which is emphasized by COBIT 4.1. Although COBIT provides high-level and detailed control objectives for aligning business needs and key IT practices, only a small set of specific control objectives meet MI 52-109. Building service desks is useful for providing service but is not in the scope of the compliance: strengthening governance over financial reporting and internal control. Therefore, it can be removed. Secondly, the new framework harmonizes similar control objectives. For example, it integrates two high-level control objectives of COBIT, "Manage Service Desk and Incidents" and "Manage Problems", into one IT control objective to meet the Bill 198 compliance requirements. Incident and problem management measures both include processes of reporting, analyzing, implementing, evaluating and documenting. There is no distinctive difference, so they can be combined. In addition, redundant low-level controls are erased. The "Incident Report and Analysis" control is removed and replaced by an "Incident and Problem Management" process, which will take care of both incident and problem issues. In this way, there are fewer control objectives, but related tasks are managed by the same process and personnel. This saves the time and cost of identifying and assigning people.

To sum up, in the demonstration, compared with COBIT 4.1, the new framework is more efficient. Two unnecessary control objectives are removed from the "Acquire Technology Infrastructure" objective:

• AI3.3 Infrastructure Maintenance
• AI3.4 Feasibility Test Environment

Two redundant controls are replaced in the "Manage Problems and Incidents" objective:

• DS8.1 Service Desk
• DS8.5 Reporting and Analysis

By removing and replacing unnecessary control objectives, a company can save the time and costs of assigning related personnel twice to conduct similar tasks.

3) Top-Down Approach

The Top-Down approach helps personnel identify the priority of using resources. "A key component of this strategy is the understanding that not all risks, accounts, and transactions are equally important" [13]. Companies should focus on the top-level and company-wide controls and processes, which should be assigned the most resources, and should avoid spending too much time and effort on low-level tasks.

Significant CSF and KPI are identified in the planning phase of the proposed framework. They determine the priority of using resources for compliance personnel. When time and costs are scarce, those lower-level and process-based controls could be sacrificed to ensure the compliance of high-level controls. For example, as identified in the Appendix, when acquiring suitable technology infrastructure, information such as "the number of critical business processes supported by obsolete infrastructure" should be identified first. Then IT operational teams could take a further step, such as purchasing new equipment, outsourcing or borrowing devices for short-term use.

IV. DISCUSSION

COBIT, ITIL, and ISO 27002 are well-accepted and popular frameworks and standards for IT management. COBIT 4.1 focuses on how to deliver information to meet business needs. ITIL v3 provides practice guidelines for IT management. ISO 27002 is concerned with security. They all have their own strengths. However, only parts of them are required for Bill 198 compliance.

Various frameworks can be adopted for the compliance, but people prefer to use what they have been educated with. For example, although COSO is widely used in Canada and the U.S., the Japanese developed their own internal control framework for J-SOX (Japanese SOX) compliance [14]. "The Internal Control Committee of the Business Accounting Council of the Japanese Financial Services Agency provided final Implementation Guidance for Management Assessment and Audit of Internal Controls over Financial Reporting (ICFR) in February 2007" [15].

In order to achieve better efficiency, besides an effective methodology, compliance personnel need to be more open-minded. When we learn more about different frameworks, we can consider all possible ways to achieve the optimal compliance goal.

V. CONCLUSION

Bill 198 aims to enhance the reliability, quality and confidentiality of financial reporting and to maintain and rebuild investors' trust. This paper demonstrates a new methodology for achieving Bill 198 compliance by aligning those frameworks and the standard. The new framework brings better effectiveness and higher efficiency to the compliance.

REFERENCES

[1] IT Governance Institute, "IT Control Objectives for Sarbanes-Oxley", 2nd Ed., ISACA, USA, 2006. Available: http://www.isaca.org/TemplateRedirect.cfm?template=/MembersOnly.cfm&ContentID=3277. [Accessed August 1, 2008]

[2] "Multilateral Instrument 52-109", Ontario Securities Commission. Available: http://osc.gov.on.ca/Regulation/Rulemaking/Current/Part5/rule_20040116_52-109_mi.pdf. [Accessed August 10, 2008]

[3] "Multilateral Instrument 52-111", Manitoba Securities Commission. Available: http://www.msc.gov.mb.ca/legal_docs/legislation/notices/52_111_proposed.pdf. [Accessed August 10, 2008]

[4] "The New Pillar of Compliance", ProdActiviti. Available: http://prodactiviti.com/Compliance.pdf. [Accessed March 15, 2009]

[5] "Canada gets its own version of SOX", INFOWATCH, March 20, 2006. Available: http://www.infowatch.com/threats?chapter=148831547&id=182421164. [Accessed August 1, 2008]

[6] "Bill 198, MI 52-109, "C-SOX" and its impact on Canada", GFS Consulting. Available: http://www.gfsconsulting.ca/information-and-resources/c-sox-and-its-impact-on-canada. [Accessed March 15, 2009]

[7] "Auditing Standard No. 5", PCAOB, SEC Release No. 34-56152. Available: http://www.pcaobus.org/Rules/Rules_of_the_Board/Auditing_Standard_5.pdf. [Accessed January 26, 2009]

[8] "COBIT 4.1", IT Governance Institute, ISBN 1-933284-72-2, USA, 2007.

[9] Colin Rudd, "An Introductory Overview of ITIL", version 1.0a, itSMF Ltd, UK, 2004.

[10] "Mapping of ITIL v3 With COBIT 4.1", IT Governance Institute, ISBN 978-1-60420-035-5, USA, 2008.

[11] Xenia Ley Parker, "The impact of Sarbanes-Oxley Compliance on IT audit", April 2004. Available: http://accounting.smartpros.com/x43196.xml. [Accessed December 14, 2008]

[12] "Leading staffing company saves cost, increases efficiency in Sarbanes-Oxley compliance process", Remedy Intelligent Staffing. Available: http://download.microsoft.com/documents/customerevidence/22000_Remedy_SOX_casestudy.doc. [Accessed December 15, 2008]

[13] "SOX optimization: improving compliance efficiency and effectiveness", Deloitte, 2007. Available: http://www.deloitte.com/dtt/cda/doc/content/us_assur_soxoptimization_090707.pdf. [Accessed November 30, 2008]

[14] Kathleen Lau, "Canadian IT execs face 'J-SOX' compliance rules", July 31, 2007. Available: http://www.itworldcanada.com/a/News/cad1fa44-f630-4626-9d7a-da24d8d7c866.html. [Accessed December 15, 2008]

[15] "J-SOX compliance", MetricStream. Available: http://www.metricstream.com/solutions/jsox_compliance_software_solution.htm. [Accessed December 15, 2008]
