
Standards and Compliance Issues


Presentation Transcript


  1. Standards and Compliance Issues Including CMM, ISO, ITIL,& Sarbanes-Oxley Presented By: Lauren Eilers Michele Hummel Eno Veshi

  2. Why Regulate and Impose Standards? Definitions: • Regulation= “a legal restriction promulgated by government administrative agencies through rulemaking supported by a threat of sanction or a fine”.1 • Standard= “a level of quality or excellence that is accepted as the norm or by which actual attainments are judged”.2 • Ensure quality & maintain competitiveness • Avoid disparate practices within same industry 1 en.wikipedia.org/wiki/Regulate 2 encarta.msn.com/dictionary_/standard.html

  3. Why Regulate and Impose Standards? (Cont’d) • Increasing cost of IT • In the U.S., companies “spend more than $250 billion each year on IT application development of approximately 175,000 projects… (and) a staggering 31.1% of projects will be canceled before they ever get completed… (and) 52.7% of projects will cost 189% of their original estimates”.1 (CHAOS report by the Standish Group: 1994 research survey of IT executive managers from large, medium, and small companies across major industry segments. Total sample size: 365 respondents, representing 8,380 applications.) • Increasing size of IT workforce • 10 million in 2000 to 10.5 million in 2004 in the U.S.2 (Study commissioned by ITAA, with 500 randomly selected people from organizations who were involved in hiring workers; based on phone interviews from Feb. 24 to Mar. 23, 2004) 1 www.standishgroup.com/sample_research/chaos_1994_1.php 2 www.itaa.org/workforce/studies/04wfstudy.pdf

  4. Time Line • ISO - International Organization for Standardization • CMM - Capability Maturity Model • ITIL - Information Technology Infrastructure Library • SOX - Sarbanes-Oxley

  5. ISO (International Organization for Standardization) http://www.iso.org/iso/en/ISOOnline.frontpage

  6. International Organization for Standardization (ISO) • It is the world’s leading developer of international standards. • It has 156 member countries. • Its portfolio holds more than 15,036 standards, used in every sector of business, industry and technology. http://www.iso.org/

  7. ISO Partners • International Electrotechnical Commission (IEC) • International Telecommunication Union (ITU) • World Bank http://www.iso.org/

  8. ISO Path Forward • The environment – develop standards for meeting new requirements such as greenhouse gas verification, climate mitigation, and other aspects of sustainable development. • The service sectors – standards for personal financial services, market opinion, social research and tourism. • Security - maritime port security, freight transport, countering illegal trafficking • Good Managerial and Organizational Practice – develop social responsibility. http://www.iso.org/

  9. ISO Benefits • World wide recognition.( 156 members, developed, developing countries) • Level the playing field. • Disseminate new technologies and businesses. http://www.iso.org/

  10. CMM(Capability Maturity Model) • Created by the Software Engineering Institute, a research center founded by Congress in 1984 • A structure designed to direct IT organizations through software process improvement • Philosophy of “continuous process improvement” Griggs, M., and Sauter, V., "Quality Management in the Software Industry", University of Missouri Working Paper, 2004

  11. 5 Levels of the Capability Maturity Model (pie chart of the SEI appraisal profile, as extracted; the pairing of labels to values may not be reliable): Initial 2.2%, Repeatable 32.9%, Defined 32.9%, Managed 4.5%, Optimizing 18.4%; one further slice of 9.0% carried no label in the extraction. www.sei.cmu.edu/appraisal-program/profile/pdf/CMMI/2006marCMMI.pdf

  12. CMMI Process Maturity Profile: SEI CMMI v1.1 Class A Appraisal Results (bar chart of organizations per maturity level; y-axis 0 to 550 organizations). Based on the most recent appraisal of 1,106 organizations, from 3/2002 to 12/2005, reported by 1/2006. Includes results for systems engineering, software engineering, integrated product and process development, and supplier sourcing. www.sei.cmu.edu/appraisal-program/profile/pdf/CMMI/2006marCMMI.pdf

  13. The Initial Level • Probability of producing quality software is low • No management practices • No documentation or evaluation • If quality is reached, it is usually due to extreme efforts of a few people or to individual practices by a manager • Respond to crises Persse, James R., Implementing the Capability Maturity Model, John Wiley & Sons, Chichester, 2001. Griggs, M., and Sauter, V., "Quality Management in the Software Industry", University of Missouri Working Paper, 2004.

  14. The Repeatable Level • Requirements management begins: identification of project prerequisites & assignment to the appropriate area • Project management begins: responsibility, software development plan, implementation and analysis of project plan • Quality assurance begins: comparing actual progress on the project with the project plan • Software management begins: collection of data, identification of elements of success and application to new projects • Quality of projects able to be replicated Persse, James R., Implementing the Capability Maturity Model, John Wiley & Sons, Chichester, 2001. Griggs, M., and Sauter, V., "Quality Management in the Software Industry", University of Missouri Working Paper, 2004.

  15. The Defined Level • Defining and implementing proven practices throughout the organization • Increased productivity, efficiency and effectiveness using these practices • Emergence of training group to provide organization-wide knowledge • Emergence of a group called the Software Engineering Process Group, which continues development of software processes Persse, James R., Implementing the Capability Maturity Model, John Wiley & Sons, Chichester, 2001 Griggs, M., and Sauter, V., "Quality Management in the Software Industry", University of Missouri Working Paper, 2004.

  16. The Managed Level • Increased management of software products and processes • Measurable goals set for quality of software products and processes • Collection and analysis of data from all current projects using a software process database • Increased predictability and decreased risk due to improved standardized practices used throughout the organization Persse, James R., Implementing the Capability Maturity Model, John Wiley & Sons, Chichester, 2001 Griggs, M., and Sauter, V., "Quality Management in the Software Industry", University of Missouri Working Paper, 2004.

  17. The Optimizing Level • “Continuous process improvement” • Proactive consideration of potential problems and weaknesses • Work to prevent defects • Analysis of any defects or problems and making adjustments to prevent reoccurrence Persse, James R., Implementing the Capability Maturity Model, John Wiley & Sons, Chichester, 2001 Griggs, M., and Sauter, V., "Quality Management in the Software Industry", University of Missouri Working Paper, 2004.

  18. ITIL Standards(Information Technology Infrastructure Library)

  19. What is ITIL? • ITSM (IT Service Management) • Managing IT services in support of one or more business units • ITIL (IT Infrastructure Library) • Developed to provide a set of best practices for cost-effective IT services • Adapted for service delivery. • Presents a comprehensive set of management procedures with which an organization can manage its IT operations. ITIL Foundations for IT Service Management, HP Training, Student Guide, Pg. 5 & 9

  20. ITIL: Main Reason for Creating ITIL (ITIL v2 framework diagram, as extracted, spanning from The Business to The Technology): Planning to Implement Service Management • Service Management (Service Support, Service Delivery) • ICT Infrastructure Management • The Business Perspective • Security Management • Applications Management ITIL Foundations for IT Service Management, HP Training, Student Guide, Pg. 9

  21. Core ITSM Components (Service Management) • Service Delivery (tactical, medium-term management cycles): Service Level Management, Capacity Management, Availability Management, IT Service Continuity Management, Financial Management • Service Support (operational, short-term management cycles): Service Desk, Incident Management, Problem Management, Change Management, Release Management, Configuration Management ITIL Foundations for IT Service Management, HP Training, Student Guide, Pg. 23

  22. ITIL Benefits • Reduces costs. • Improves IT services, increasing customer satisfaction. • Offers guidance, and standards. • Improves productivity. • Recognized worldwide. ITIL Foundations for IT Service Management, HP Training, Student Guide. Pg. 16-17

  23. ITIL Qualifications • Foundation Certificate- • Aimed to all personnel who wish to become familiar with IT management practices • Enables people to understand the terminology used within ITSM • Practitioner’s Certificate- • Aimed at the personnel responsible for designing specific processes within the IT Service Management discipline • Focuses on depth in understanding and applying IT Service Management services • Manager’s Certificate- • Aimed at those who need to demonstrate capability of managing ITIL-based solutions directed to the field of IT Services Management ITIL Foundations for IT Service Management, HP Training, Student Guide, Pg. 7-8 ITIL Practitioner’s Certificate in Change Management, http://www.ddls.com.au/VendCourseDet/ITL/60/ITILPrCM.htm ITIL Manager Certificate, http://www.itilsurvival.com/ITILManagerCertificate.html

  24. Sarbanes Oxley Act http://www.economist.com/business/displayStory.cfm?story_id=3984019

  25. What is Sarbanes-Oxley? • It is a US federal law commonly called SOX or SarbOx. • It gives additional powers and responsibilities to the U.S. Securities and Exchange Commission (SEC). • Why important? 210,453 US and 234,086 international SEC registrants. www.secinfo.com/$/SEC/Location.asp

  26. History Behind Sarbanes Oxley Act • Stock market boom of the 1990s and crash in 2000 • Fraud, misconduct and manipulation of financial information led to financial scandals and huge losses by investors • Examples: Enron, WorldCom, Tyco • Act sponsored by Senator Paul S. Sarbanes (MD) and Representative Michael G. Oxley (OH) Cartoon: cartoonbank.com ID 47897, published in The New Yorker, March 18, 2002

  27. Goals of Sarbanes Oxley Act • Renew Investors’ Trust in Accounting and Auditing Professions • Corporate responsibility for financial reporting • Accurate reporting and release of information • Increased auditor independence www.sec.gov/news/press/2003-89a.htm, viewed on March 11, 2006.

  28. Renew Investors’ Trust in Accounting and Auditing Professions • Established the Public Company Accounting Oversight Board (Section 101) • Separation of auditing from accounting • Limitation of services provided by auditors (Section 201) • Financial Accounting Standards Board named as the accounting standard setter and supplied with an independent funding source • Retention of audit records by outside auditors • Fair Funds for Investors established (Section 308(a)) www.sec.gov/news/press/2003-89a.htm, viewed on March 11, 2006. www.sec.gov/news/testimony/022603tssmc.htm

  29. Corporate Responsibility for Financial Reporting • CEOs and CFOs must evaluate controls and certify this information in quarterly and annual reports (Sections 302, 404) • More severe civil and criminal penalties for fraud and misconduct • New regulations related to insiders • No personal loans to directors or executive officers • CEO and CFO compensation and profit information released to the public • CIOs are responsible for the security, accuracy, and reliability of the systems that manage and report the financial data. www.sec.gov/news/press/2003-89a.htm, viewed on March 11, 2006.

  30. Accurate Reporting and Release of Information • New rules regarding disclosure • Annual management reports on internal controls over financial reporting: • Financial data • Material changes • Effectiveness/ Security • Material weaknesses • Auditor verification of internal controls over financial reporting: • “Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring” • SEC to review Exchange Act reports at least once every three years Haworth, Dwight A., and Pietron, Leah R., “Sarbanes-Oxley: Achieving Compliance by Starting with ISO 17799” Information Systems Management, Boston: Winter 2006. Vol. 23, Iss. 1, pp. 73-87. www.sec.gov/news/press/2003-89a.htm, viewed on March 11, 2006.

  31. Costs Associated with Implementation • Section 404 requires management and independent auditors to issue separate assessments of a publicly held company’s internal control over financial reporting • Requires two new public reports • A management report on the effectiveness of the company’s internal control over financial reporting • An independent auditor’s report that includes both an opinion on the management report and its own opinion of the company’s control over financial reporting Sarbanes Oxley Compliance (http://sarbanes-oxley-101.com/SOX-404.htm)

  32. Estimated Costs vs. Actual Costs • First-year compliance estimated at $1 million per $1 billion in revenue • Actual cost: as reported by companies in their SEC filings (see source below) Sarbanes-Oxley Implementation Costs: What Companies are Reporting in their SEC Filings, February 2005 (www.auditnet.org/articles/Sarbanes-Oxley_Implementation_Costs.pdf)

  33. Costs to Decline in Year Two • CRA International conducted a survey of Sarbanes-Oxley Implementation Issues • Findings include • Average total Section 404 costs are to decline for both large and small companies in the second year • Smaller companies expect decline of 39% from $1.5 million to $900,000 • Larger companies expect decline of 42% from $7.3 million to $4.3 million • Audit fees account for minority of cost in first year • Smaller companies 35% of total cost • Larger companies 26% of total cost CRA International (www.law.berkeley.edu/centers/bclbe/symposia/postenron/sox%20404%20survey%20update.pdf)

  34. Year-One Average per Company Section 404 Implementation Costs for Smaller Companies (chart, as extracted): $1.5 million average issuer cost in year one, expected to fall 39% to $0.9 million in year two; the chart splits the total into Section 404 audit-related fees and the remaining issuer cost, each as a percentage of the total average issuer cost. CRA International (www.law.berkeley.edu/centers/bclbe/symposia/postenron/sox%20404%20survey%20update.pdf)

  35. Year-One Average per Company Section 404 Implementation Costs for Larger Companies (chart, as extracted): $7.3 million average issuer cost in year one, expected to fall 42% to $4.3 million in year two; the chart splits the total into Section 404 audit-related fees and the remaining issuer cost, each as a percentage of the total average issuer cost. CRA International (www.law.berkeley.edu/centers/bclbe/symposia/postenron/sox%20404%20survey%20update.pdf)

  36. Other Compliance Costs • Software development and/or acquisition • Increased general and administrative expenses • Additional human resources and training • Technological improvements and process improvements • Projects to reorganize accounting and IT departments • Additional expenses ranged from $1,200 to $34,000,000, per a study by Hall & Gaetanos of 50 randomly selected accelerated filers with SIC codes ranging from 2111 to 9999 and direct mention of Section 404 costs. Hall, Linda A., and Gaetanos, Christ, “Treatment of Section 404 Compliance Costs”, The CPA Journal, New York: Mar 2006. Vol. 76, Iss. 3, Pgs. 58-62.

  37. Global Effects of SOX • SOX is in direct conflict with the UK Data Protection Act 1998 (which implements the EU data protection directive) • UK companies must get employee permission to disclose certain information; permission is not guaranteed, so it is impossible to complete item 8.1 of SOX agreeing to provide information at any time in the future • Some firms are threatening to de-list from US stock exchanges Fran Howarth, Bloor Research, 11 Jan 2005 (http://www.theregister.co.uk/2005/01/11/europeans_slam_sarbox/html)

  38. Global Effects of SOX • SOX compliance costs for UK businesses are directly comparable to US costs for compliance • $1 million per $1 billion in revenue • Second- and third-year costs should decrease 30-40% “SOX Compliance Costs U.K. Firms”, Nikki Swartz, Information Management Journal, Lenexa: Jan/Feb 2006. Vol. 40, Iss. 1, p. 19 (1 pp)

  39. Case Studies: Utility Company and Solutia http://www.solutia.com/pages/corporate/ & http://www.pwcglobal.com/gx/eng/main/home/index.html

  40. Background of Utility Company • One of the nation’s top utility companies. • Has over 9,300 employees. • Revenue = $6.78 B (2005) • Gross Profit = $2.28 B • Net Profit = $628 M • Serves 2.3 M electric customers • Serves 900,000 natural gas customers. http://www.finance.yahoo.com

  41. Energy Delivery Dept. • Our interviewee: Mr. Jerry Pisarek, Business Performance Controller. • Dept. is responsible for the transmission and delivery of energy. • System used: TRIS (Time Reporting Information System), a payroll accumulation system. From the interview with Mr. Jerry Pisarek (March 2006)

  42. IS Department • 3,500 employees. • Cost of meeting Sarbanes-Oxley requirements is $3-5 million annually. • TRIS security-clearance request chart (org chart, as extracted; the reporting order is not recoverable): Employee (Request for Security Clearance), Direct Supervisor of Employee, Business Performance Specialist, Director of Finance, Director of IT, CEO. From the interview with Mr. Jerry Pisarek (March 2006)

  43. Effects of SOX at the Utility Co. • Access to information must be requested in writing. • Before SOX, the Performance Controller approved or denied the request alone. • After SOX, the Performance Controller still makes the decision, but upper management must approve it. From the interview with Mr. Jerry Pisarek (March 2006)
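The change the utility describes, from a single approver to a Performance Controller decision that upper management must confirm, is a segregation-of-duties control, and a SOX auditor will also want evidence that the decision trail was not altered afterwards. The following is an added example, not code from the presentation or from the utility; the names, roles and the "TRIS payroll data" resource label are constructed for illustration. It enforces the post-SOX two-approver rule, rejects a requester approving their own request or one person signing both stages, and keeps a hash-chained audit log whose verification fails if an entry is edited after the fact.

```python
from dataclasses import dataclass, field
from enum import Enum
import hashlib
import json

class Status(Enum):
    PENDING = "pending"
    CONTROLLER_APPROVED = "controller_approved"  # stage 1 done, stage 2 outstanding
    GRANTED = "granted"
    DENIED = "denied"

@dataclass
class AccessRequest:
    request_id: str
    requester: str
    resource: str
    status: Status = Status.PENDING
    approvals: list = field(default_factory=list)  # who signed each stage

class ApprovalWorkflow:
    """Stage 1: the Performance Controller decides. Stage 2 (post-SOX only):
    an upper-management approver confirms. Nobody approves their own request
    and no one person signs both stages. Every decision is appended to a
    hash-chained log so later edits are detectable."""

    GENESIS = "0" * 64

    def __init__(self, roles, require_second_approval=True):
        self.roles = roles  # user -> role; constructed directory, see ROLES below
        self.require_second_approval = require_second_approval
        self.audit_log = []
        self._prev_hash = self.GENESIS

    def _record(self, event):
        entry = dict(event, prev=self._prev_hash)
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._prev_hash = entry["hash"]
        self.audit_log.append(entry)

    def decide(self, req, approver, approve):
        if req.status in (Status.GRANTED, Status.DENIED):
            raise ValueError("request already closed")
        if approver == req.requester:
            raise PermissionError("requester cannot approve own request")
        if approver in req.approvals:
            raise PermissionError("same person cannot sign both stages")
        role = self.roles.get(approver)
        expected = "performance_controller" if req.status is Status.PENDING else "upper_management"
        if role != expected:
            raise PermissionError(f"this stage requires role {expected}, got {role}")
        if not approve:
            req.status = Status.DENIED
        else:
            req.approvals.append(approver)
            stage_two_needed = req.status is Status.PENDING and self.require_second_approval
            req.status = Status.CONTROLLER_APPROVED if stage_two_needed else Status.GRANTED
        self._record({"request": req.request_id, "actor": approver, "role": role,
                      "approve": approve, "result": req.status.value})
        return req.status

    def verify_log(self):
        """Recompute the chain; an edited or removed entry breaks it."""
        prev = self.GENESIS
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != digest:
                return False
            prev = entry["hash"]
        return True

# Constructed directory and resource label (not the utility's real data).
ROLES = {"alice": "employee", "bob": "performance_controller", "carol": "upper_management"}
RESOURCE = "TRIS payroll data"

def demo_pre_sox():
    """Before SOX: the Performance Controller alone grants or denies."""
    wf = ApprovalWorkflow(ROLES, require_second_approval=False)
    return wf.decide(AccessRequest("R-1", "alice", RESOURCE), "bob", True)

def demo_post_sox():
    """After SOX: the controller's approval only moves the request to stage 2."""
    wf = ApprovalWorkflow(ROLES)
    req = AccessRequest("R-2", "alice", RESOURCE)
    first = wf.decide(req, "bob", True)
    second = wf.decide(req, "carol", True)
    return first, second, wf.verify_log()

def demo_controller_signs_twice():
    """Segregation of duties: the controller cannot also act as stage 2."""
    wf = ApprovalWorkflow(ROLES)
    req = AccessRequest("R-3", "alice", RESOURCE)
    wf.decide(req, "bob", True)
    try:
        wf.decide(req, "bob", True)
    except PermissionError as err:
        return str(err)
    return None

def demo_tampered_log():
    """A denial rewritten as an approval after the fact breaks the chain."""
    wf = ApprovalWorkflow(ROLES)
    wf.decide(AccessRequest("R-4", "alice", RESOURCE), "bob", False)
    wf.audit_log[0]["approve"] = True
    return wf.verify_log()
```

The pre-SOX path grants on the controller's signature alone; the post-SOX path leaves the request in `CONTROLLER_APPROVED` until a distinct upper-management approver signs. The hash chain is only tamper-evident, not tamper-proof: in practice the log would be shipped to a store the approvers cannot write to, which is the kind of evidence the quarterly control testing on the later Solutia slides is meant to produce.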

  44. Solutia Background/Overview • Specialty chemicals company. • $2.7 billion in annual sales (2004). • $1.9 billion in assets. • More than 5,700 employees located at 60 manufacturing sites throughout 27 countries. http://www.solutia.com/pages/corporate/

  45. Solutia’s Product Line: • Performance Films for: - car windows - computer screens • Specialty products such as - avionic hydraulic fluid. - heat-transfer fluids. - plastic products. http://www.solutia.com/pages/corporate/about/overview.asp

  46. Solutia’s Product Line: (cont’d) • Integrated Nylon used to make: - wear-resistant carpets. - vibrant upholstery fabrics. - tires http://www.solutia.com/pages/corporate/about/overview.asp

  47. Solutia’s IT Department • Our interviewee: Lori Kirk, Information Security Manager. • Hierarchy in IT department (org chart, as extracted): CEO, VP Business Operations, CIO, VP IT, IS Manager. • IT annual budget is $29M. • IT Department has approx. 100 employees. Kirk, Lori, Information Security Manager, Solutia, interviewed in person by Lauren Eilers and Michele Hummel, March 29, 2006

  48. Implementation of SOX at Solutia (2003 to 12/31/2004) • Planning (2003) • Awareness (2003) • Intensive documentation (2004) • Testing (2004) Kirk, Lori, Information Security Manager, Solutia, interviewed in person by Lauren Eilers and Michele Hummel, March 29, 2006

  49. Solutia and Maintaining Compliance • Update narrative and control activity documents. • Test quarterly the control environments. • Annual management testing (internal). • Annual external audit. Kirk, Lori, Information Security Manager, Solutia, interviewed in person by Lauren Eilers and Michele Hummel, March 29, 2006

  50. Impact of SOX at Solutia • Higher costs. • Time consuming. - 25% of time on average. - 75% of time in the fourth quarter. • More detailed documentation. Kirk, Lori, Information Security Manager, Solutia, interviewed in person by Lauren Eilers and Michele Hummel, March 29, 2006
