According to the PCAOB, the number of publicly traded companies reporting material
weaknesses in internal control over financial reporting as a direct result of
the Sarbanes-Oxley (SOX) Act will rise significantly in 2005. CPA firms are under
pressure to maintain higher standards as their role changes from consultant to examiner.
Public companies have a limited window of time to grasp the imposing requirements
and to implement the changes necessary to comply with the regulations.
MindSource provides the critical resources and the IT, regulatory, and enterprise
security expertise to meet business compliance objectives. Our suite of compliance
services includes Sarbanes-Oxley 404/IT External Audits, Sarbanes-Oxley 404/IT Internal
Readiness, SAS 70 Audit Services, and Gramm-Leach-Bliley (GLB) compliance services.
SOX 404/IT External Audit
SOX Section 404 establishes rules to ensure that members of senior management of
all publicly traded companies address their responsibility for implementing internal
controls over financial reporting. Each company must assess the effectiveness of
its controls and annually report the results to the SEC. Because the reliability
of financial reporting is heavily dependent on a well-controlled IT environment,
IT management is a vital component of SOX 404 conformance.
MindSource collaborates with accounting firms to provide external audit services.
We utilize our deep IT expertise and the COBIT framework to conduct the required
404/IT audit for external attestation. Our team evaluates and tests IT general and
application controls to determine whether or not we can attest to management’s
assertion as to the design and operating effectiveness of internal controls over
the financial reporting process.
SOX 404/IT Internal Readiness
Complying with SOX is a time-consuming and documentation-intensive task, requiring
substantial planning. Underestimating the requirements for this effort can lead
to misallocation of financial and human resources and increased risk of noncompliance.
MindSource leverages significant external audit experience to deliver 404/IT Internal
Readiness services. Our process includes the application of accepted standards,
best practices, and control frameworks, including COBIT, ITIL, ISO 17799, and COSO,
to achieve effective, efficient, and compliant internal controls. A typical 404/IT
engagement begins with Project Scoping and follows with the iterative audit and
controls testing process.
Project Scoping and Gap Analysis
Project Scoping is critical to SOX compliance efforts; planning saves time, effort,
and money. A high-level analysis identifies compliance gaps and sets forth plans
for implementing internal controls and remediating deficiencies. The steps include
the following:
- Discovering internal control programs and financial reporting processes and
performing a risk analysis to determine the key controls
- Mapping IT systems that support internal controls and the financial reporting
process from data capture to final statement publication
- Identifying and documenting areas of deficiency in control design and operating
effectiveness of key control domains
- Developing remediation strategies
SOX 404/IT Internal Audit/Controls Testing
Because SOX requires management to assess the effectiveness of internal controls
on an annual basis, the internal audit function is critical to achieving compliance.
MindSource leverages deep knowledge of compliance and the COBIT IT control framework
to evaluate and test IT controls. This process includes:
- Taking a risk analysis-based approach to identify the key IT general controls
- Assessing the control design and enumerating gaps, closely monitoring documentation
deficiencies
- Testing the operating effectiveness of key IT controls, noting all exceptions,
significant deficiencies, and material weaknesses
Documentation
Using a trusted third party to manage and perform documentation can reduce the
cost of compliance and take pressure off internal resources. According to AMR
Research, documentation is among the top SOX spending priorities for 2005. Creating,
modifying, and storing documents typically consume more staff hours than all other
compliance activities combined.
Our experts collaborate with your team to identify and create documentation of
systems, policies, and procedures to achieve compliance requirements and to optimize
IT planning and implementation. Areas of documentation focus include:
- Corporate governance, as it relates to the IT function
- IT and Security Policies
- Detailed Operating and Control Procedures
- Standard Forms for all IT general control domains, including Access control,
Program development, Program change control and Computer operations
- Network Maps and Process Diagrams
Security Assessment
Periodic independent security assessments are an IT best practice and are generally
accepted by auditors as a control measure supporting SOX 404 IT compliance.
MindSource offers a comprehensive suite of enterprise security assessment services
to help clients meet their compliance needs.
MindSource Enterprise Security Assessment Services
Compliance Remediation Services
With a broad range of enterprise-class IT infrastructure implementation experience,
MindSource acts as a trusted partner for developing and deploying security and infrastructure
initiatives. Our team performs these functions by deploying best-of-breed systems
within your system development life cycle (SDLC) to achieve SOX compliance and other
business objectives.
MindSource IT Infrastructure Services
SAS 70 IT Readiness
SOX 404 requires that public companies not only demonstrate control over their
own internal processes, but also ensure control over processes outsourced
to critical service providers.
The AICPA has developed an auditing standard under which service providers can have
the effectiveness of their internal controls independently examined and communicate
the results to the management and auditors of their clients or prospective clients.
An engagement under Statement on Auditing Standards (SAS) No. 70, Service Organizations,
is an independent audit of a service provider’s control activities over information
technology and related processes. A Type I report covers only the design of controls
as of a point in time; a Type II report also tests their operating effectiveness over
a review period, which is why user auditors generally ask for Type II. Public companies
seeking to comply with SOX 404 are increasingly demanding SAS 70 reports from their
service providers.
MindSource provides SAS 70 IT readiness services, including project scoping, gap
analysis, documentation, and remediation, to prepare our clients for their SAS 70
audit.
GLB Audit
The Gramm-Leach-Bliley (GLB) Act of 1999 establishes requirements for financial institutions
to safeguard customer information. It mandates “administrative, technical,
and physical measures to protect the security, confidentiality, and integrity of
customer information.” Compliance is required not only of financial institutions,
but also of their service providers. Because threat conditions and IT operating
environments change constantly, GLB requires institutions to regularly test and
monitor their safeguards, which in practice calls for periodic independent assessments
of their information systems.
MindSource has provided GLB Audit services to the financial sector since 2002.
Our team evaluates compliance with the mandated security requirements and provides
actionable recommendations to remediate compliance deficiencies. In addition, our
enterprise security and IT experts deliver a comprehensive analysis of company information
security risks, covering all aspects of the information security infrastructure. This
analysis helps clients build a security environment grounded in best practices.