CMM Capability Maturity Model

Standards and Compliance Issues
Including CMM, ISO, ITIL, & Sarbanes-Oxley
Presented By:
Lauren Eilers
Michele Hummel
Eno Veshi
Definitions:
• Regulation = “a legal restriction promulgated by
government administrative agencies through
rulemaking supported by a threat of sanction or a
fine”. [1]
• Standard = “a level of quality or excellence that is
accepted as the norm or by which actual attainments
are judged”. [2]
Why Regulate and Impose Standards?
• Ensure quality & maintain competitiveness
• Avoid disparate practices within same industry
[1] en.wikipedia.org/wiki/Regulate
[2] encarta.msn.com/dictionary_/standard.html
Why Regulate and Impose Standards?
(Cont’d)
• Increasing cost of IT
– In U.S., “spend more than $250 billion each year on IT application
development of approximately 175,000 projects… (and) a staggering
31.1% of projects will be canceled before they ever get completed…
(and) 52.7% of projects will cost 189% of their original estimates”. [1]
(CHAOS report by Standish Group: 1994 research survey of IT executive
managers, from large, medium, and small companies, across major
industry segments. Total sample size: 365 respondents, representing
8,380 applications.)
• Increasing size of IT workforce
– 10 million in 2000 to 10.5 million in 2004 in U.S. [2]
(Study commissioned by ITAA, with 500 random people from organizations,
who were involved in hiring workers; based on phone conversations from
Feb. 24-Mar. 23, 2004)
[1] www.standishgroup.com/sample_research/chaos_1994_1.php
[2] www.itaa.org/workforce/studies/04wfstudy.pdf
Time Line
• ISO- International Standards Organization
• CMM- Capability Maturity Model
• ITIL- Information Technology Infrastructure
Library
• SOX- Sarbanes-Oxley
ISO
(International Standard Organization)
http://www.iso.org/iso/en/ISOOnline.frontpage
International Standard Organization (ISO)
• It is the world’s leading developer of
International Standards.
• It has 156 member countries.
• Its portfolio holds more than 15,036 standards
that are used in every sector of business,
industry and technology.
http://www.iso.org/
ISO Partners
• International Electrotechnical Commission (IEC)
• International Telecommunication Union (ITU)
• World Bank
http://www.iso.org/
ISO Path Forward
• The environment – develop standards for
meeting new requirements such as greenhouse
gas verification, climate mitigation, and other
aspects of sustainable development.
• The service sectors – standards for personal
financial services, market opinion, social
research and tourism.
• Security - maritime port security, freight
transport, countering illegal trafficking
• Good Managerial and Organizational Practice –
develop social responsibility.
http://www.iso.org/
ISO Benefits
• Worldwide recognition (156 members,
developed and developing countries)
• Level the playing field.
• Disseminate new technologies and
businesses.
http://www.iso.org/
CMM
(Capability Maturity Model)
• Created by the Software Engineering Institute, a
research center founded by Congress in 1984
• A structure designed to direct IT organizations through
software process improvement
• Philosophy of “continuous process improvement”
Griggs, M., and Sauter, V., "Quality Management in the Software Industry", University of Missouri Working Paper, 2004
5 Levels of the Capability Maturity Model:
• Optimizing: 18.4%
• Managed: 4.5%
• Defined: 32.9%
• Repeatable: 32.9%
• Initial: 2.2%
(Level not given: 9.0%)
www.sei.cmu.edu/appraisal-program/profile/pdf/CMMI/2006marCMMI.pdf
CMMI Process Maturity Profile
SEI CMMI v.1.1 Class A Appraisal Results
[Figure: bar chart of Number of Organizations by maturity level (Not Given, Initial, Managed, Defined, Quantitatively Managed, Optimizing).]
Based on most recent appraisal of 1,106 organizations, from 3/2002 – 12/2005 & reported by 1/2006.
Includes results for system engineering, software engineering, integrated product & process development, &
supplier sourcing
www.sei.cmu.edu/appraisal-program/profile/pdf/CMMI/2006marCMMI.pdf
The Initial Level
• Probability of producing quality software
is low
• No management practices
• No documentation or evaluation
• If quality is reached, it is usually due to extreme
efforts of a few people or to individual
practices by a manager
• Respond to crises
Persse, James R., Implementing the Capability Maturity Model, John Wiley & Sons, Chichester, 2001.
Griggs, M., and Sauter, V., "Quality Management in the Software Industry", University of Missouri Working Paper, 2004.
The Repeatable Level
• Requirements management begins: identification of
project prerequisites & assignment to the appropriate
area
• Project management begins: responsibility, software
development plan, implementation and analysis of
project plan
• Quality assurance begins: comparing actual progress on
the project with the project plan
• Software management begins: collection of data,
identification of elements of success and application to
new projects
• Quality of projects able to be replicated
Persse, James R., Implementing the Capability Maturity Model, John Wiley & Sons, Chichester, 2001.
Griggs, M., and Sauter, V., "Quality Management in the Software Industry", University of Missouri Working Paper, 2004
The Defined Level
• Defining and implementing proven practices
throughout the organization
• Increased productivity, efficiency and
effectiveness using these practices
• Emergence of training group to provide
organization-wide knowledge
• Emergence of a group called the Software
Engineering Process Group, which continues
development of software processes
Persse, James R., Implementing the Capability Maturity Model, John Wiley & Sons, Chichester, 2001
Griggs, M., and Sauter, V., "Quality Management in the Software Industry", University of Missouri Working Paper, 2004.
The Managed Level
• Increased management of software products and
processes
• Measurable goals set for quality of software products
and processes
• Collection and analysis of data from all current projects
using a software process database
• Increased predictability and decreased
risk due to improved standardized practices
used throughout the organization
Persse, James R., Implementing the Capability Maturity Model, John Wiley & Sons, Chichester, 2001
Griggs, M., and Sauter, V., "Quality Management in the Software Industry", University of Missouri Working Paper, 2004.
The Optimizing Level
• “Continuous process improvement”
• Proactive consideration of potential problems
and weaknesses
• Work to prevent defects
• Analysis of any defects or problems and making
adjustments to prevent reoccurrence
Persse, James R., Implementing the Capability Maturity Model, John Wiley & Sons, Chichester, 2001
Griggs, M., and Sauter, V., "Quality Management in the Software Industry", University of Missouri Working Paper, 2004.
ITIL Standards
(Information Technology
Infrastructure Library)
What is ITIL?
• ITSM (Service Management)
– Managing IT services in support of one or more business units
• ITIL (Infrastructure Library)
– Developed to provide a set of Best Practices for Cost Effective
IT Services
• Adapted for delivery services.
• Presents a comprehensive set of management procedures with
which an organization can manage its IT operations.
ITIL Foundations for IT Service Management, HP Training, Student Guide, Pg. 5 & 9
ITIL
[Figure: ITIL framework diagram with the labels: The Business; The Business Perspective; Planning to Implement Service Management; Service Management (Service Delivery, Service Support); ICT Infrastructure Management; Security Management; Applications Management; The Technology. Callout: “Main Reason for Creating ITIL”.]
ITIL Foundations for IT Service Management, HP Training, Student Guide, Pg. 9
Core ITSM Components
Service Management
• Service Delivery (Tactical - Medium Term Mgmt Cycles)
– Service Level Management
– Capacity Management
– Availability Management
– Service Continuity Management
– Financial Management
• Service Support (Operational - Short Term Mgmt Cycles)
– Incident Management
– Problem Management
– Service Desk
– Release Management
– Configuration Management
ITIL Foundations for IT Service Management, HP Training, Student Guide, Pg. 23
ITIL Benefits
• Reduces costs.
• Improves IT services, increasing customer
satisfaction.
• Offers guidance, and standards.
• Improves productivity.
• Recognized worldwide.
ITIL Foundations for IT Service Management, HP Training, Student Guide. Pg. 16-17
ITIL Qualifications
• Foundation Certificate
– Aimed at all personnel who wish to become familiar with IT
management practices
– Enables people to understand the terminology used within ITSM
• Practitioner’s Certificate
– Aimed at the personnel responsible for designing specific
processes within the IT Service Management discipline
– Focuses on depth in understanding and applying IT Service
Management services
• Manager’s Certificate
– Aimed at those who need to demonstrate capability of
managing ITIL-based solutions directed to the field of IT
Services Management
ITIL Foundations for IT Service Management, HP Training, Student Guide, Pg. 7-8
ITIL Practitioner’s Certificate in Change Management, http://www.ddls.com.au/VendCourseDet/ITL/60/ITILPrCM.htm
ITIL Manager Certificate, http://www.itilsurvival.com/ITILManagerCertificate.html
Sarbanes Oxley Act
http://www.economist.com/business/displayStory.cfm?story_id=3984019
What is Sarbanes-Oxley?
• It is a US federal law commonly called Sox or
SarbOx.
• It gives additional powers and responsibilities
to the U.S. Securities and Exchange Program.
• Why important? 210,453 US and 234,086 Int’l
SEC registrants
www.secinfo.com/$/SEC/Location.asp
History Behind Sarbanes Oxley Act
• Stock market boom of the 1990s and crash in
2000
• Fraud, misconduct and manipulation of
financial information led to financial scandals
and huge losses by investors
– Examples: Enron, WorldCom,
Tyco
• Act sponsored by
Senator Paul S. Sarbanes (MD)
and Representative
Michael G. Oxley (OH)
http://www.cartoonbank.com/product_details.asp?mscssid=J0NC8F3AST458KRV1WKPNH51641V5JX4&sitetype=1&did=4&sid=47897&pid=&keyword=enron&section=notecards&title=undefined&whichpage=1&sortBy=popular
ID: 47897, Published in The New Yorker March 18, 2002
Goals of Sarbanes Oxley Act
• Renew Investors’ Trust in Accounting and
Auditing Professions
• Corporate responsibility for financial reporting
• Accurate reporting and release of information
• Increased auditor independence
www.sec.gov/news/press/2003-89a.htm, viewed on March 11, 2006.
Renew Investors’ Trust in Accounting and
Auditing Professions
• Established the Public Company
Accounting Oversight Board (101)
• Separation of auditing from
accounting
• Limitation of services provided
by auditors (201)
• Financial Accounting Standards Board named as the
accounting standard setter and supplied with an
independent funding source
• Retention of audit records by outside auditors
• FAIR Funds for Investors established (308a)
www.sec.gov/news/press/2003-89a.htm, viewed on March 11, 2006.
www.sec.gov/news/testimony/022603tssmc.htm
Corporate Responsibility for Financial
Reporting
• CEOs and CFOs must evaluate controls and certify this
information in quarterly and annual reports (302, 404)
• More severe civil and criminal penalties
for fraud and misconduct
• New regulations related to insiders
• No personal loans to director or executive director
• CEO and CFO compensation and profit information
released to the public
• CIOs are responsible for Security, Accuracy, and
Reliability of the systems that manage and report the
financial data.
www.sec.gov/news/press/2003-89a.htm, viewed on March 11, 2006.
Accurate Reporting and Release of
Information
• New rules regarding disclosure
• Annual management reports on internal controls over
financial reporting:
– Financial data
– Material changes
– Effectiveness/Security
– Material weaknesses
• Auditor verification of internal controls over financial
reporting:
– “Control Environment, Risk Assessment, Control Activities,
Information and Communication, and Monitoring”
• SEC to review Exchange Act reports at least once every
three years
Haworth, Dwight A., and Pietron, Leah R., “Sarbanes-Oxley: Achieving Compliance by Starting with ISO 17799” Information
Systems Management, Boston: Winter 2006. Vol. 23, Iss. 1, pp. 73-87.
www.sec.gov/news/press/2003-89a.htm, viewed on March 11, 2006.
Costs Associated with Implementation
• Section 404- Requires Management and
Independent auditors to issue separate
assessments of a publicly held company’s
internal control over financial recording
• Requires two new public reports
– A management report on the effectiveness of the
company’s internal control over financial reporting
– An independent auditor’s report that includes both
an opinion on management’s report and its own
opinion of the company’s control over financial
reporting
Sarbanes Oxley Compliance (http://sarbanes-oxley-101.com/SOX-404.htm)
Estimated Costs vs. Actual costs
• First year compliance estimated at $1 million for $1
billion in revenue
• Actual cost:
Average Company Annual Sales in US $ | Average Cost of Section 404 Compliance for External Resources Only
0-250 Million | $1.56 Million
250-500 Million | $1.71 Million
500-750 Million | $1.78 Million
750-1 Billion | $2.03 Million
1-2 Billion | $2.4 Million
2-7 Billion | Insufficient Data
7-10 Billion | $10 Million
Sarbanes-Oxley Implementation Costs What Companies are Reporting in their SEC Filings, February 2005
(www.auditnet.org/articles/Sarbanes-Oxley_Implementation_Costs.pdf)
Costs to Decline in Year Two
• CRA International conducted a survey of
Sarbanes-Oxley Implementation Issues
• Findings include
– Average total Section 404 costs are to decline for
both large and small companies in the second year
• Smaller companies expect decline of 39% from $1.5 million
to $900,000
• Larger companies expect decline of 42% from $7.3 million
to $4.3 million
– Audit fees account for minority of cost in first year
• Smaller companies 35% of total cost
• Larger companies 26% of total cost
CRA International (www.law.berkeley.edu/centers/bclbe/symposia/postenron/sox%20404%20survey%20update.pdf)
Year-One Average per Company Section 404
Implementation Costs for Smaller Companies
[Figure: bar chart, Expected Change Year 1 to Year 2. Year 1: $1.5 Million, split into Average Section 404 Audit-Related Fees as a Percentage of Total Average Issuer Cost (35%) and Average Issuer Cost (excluding Average Section 404 Audit-Related Fees) as a Percentage of Total Average Issuer Cost (65%). Year 2: $0.9 Million (39% Decline).]
CRA International (www.law.berkeley.edu/centers/bclbe/symposia/postenron/sox%20404%20survey%20update.pdf)
Year-One Average per Company Section 404
Implementation Costs for Larger Companies
[Figure: bar chart, Expected Change Year 1 to Year 2. Year 1: $7.3 Million, split into Average Section 404 Audit-Related Fees as a Percentage of Total Average Issuer Cost (26%) and Average Issuer Cost (excluding Average Section 404 Audit-Related Fees) as a Percentage of Total Average Issuer Cost (74%). Year 2: $4.3 Million (42% Decline).]
CRA International (www.law.berkeley.edu/centers/bclbe/symposia/postenron/sox%20404%20survey%20update.pdf)
Other Compliance Costs
• Software development and/or acquisition
• Increased general and administrative expenses
• Additional human resources and training
• Technological improvements and process improvements
• Projects to reorganize accounting and IT departments
• Additional expenses ranged from $1200 to
$34,000,000, per study by Hall & Gaetanos of 50
random accelerated filers with SICC codes ranging from
2111-9999 & direct mention of Section 404 costs.
Hall, Linda A., and Gaetanos, Christ, “Treatment of Section 404 Compliance Costs”, The CPA Journal, New York: Mar 2006. Vol.76, Iss.3,
Pgs. 58-62.
Global Effects of SOX
• SOX is in direct violation of Europe’s Data
Protection Act of 1998
– UK companies must get employee permission to
disclose certain information; permission is not
guaranteed, so it is impossible to complete item 8.1
of SOX, agreeing to provide information at any time
in the future
• Some firms threatening to de-list from US Stock
Exchange
Fran Howarth, Bloor Research 1-11-05 (http://www.theregister.co.uk/2005/01/11/europeans_slam_sarbox/html)
Global Effects of SOX
• SOX regulation costs for UK businesses are directly
comparable to US costs for compliance
– $1 million per $1 billion in revenue
– Second and third year costs should decrease 30-40%
SOX Compliance Costs U.K. Firms, Nikki Swartz. Information Management Journal Lenexa: Jan/Feb 2006. Vol. 40, Iss 1, p. 19 (1 pp)
Case Studies
Utility Company
http://www.solutia.com/pages/corporate/ & http://www.pwcglobal.com/gx/eng/main/home/index.html
Background of Utility Company
• One of the nation’s top utility companies.
• Has over 9,300 employees.
• Revenue = 6.78 B (2005)
• Gross Profit = 2.28 B
• Net Profit = 628 M
• Serves 2.3 M electric customers
• Serves 900,000 natural gas customers.
http://www.finance.yahoo.com
Energy Delivery Dept.
• Our interviewee: Mr. Jerry Pisarek, Business
Performance Controller.
• Dept. is responsible for the transmission and
the delivery of energy.
• System used: TRIS (Time Reporting Information
System), a payroll accumulation system
From the interview with Mr. Jerry Pisarek (March 2006)
IS Department
• 3,500 employees.
• Cost of meeting Sarbanes-Oxley requirements
is $3-5 million annually.
• TRIS Department
[Figure: chart with the boxes: CEO; Director of Finance; Director of IT; Business Performance Specialist; Direct Supervisor of Employee; Employee Request for Security Clearance.]
From the interview with Mr. Jerry Pisarek (March 2006)
Effects of SOX at the Utility Co.
• Request in writing to access information.
• Before SOX, Performance Controller
approves/denies request.
• After SOX, Performance Controller makes the
decision, but needs the upper management to
approve it.
From the interview with Mr. Jerry Pisarek (March 2006)
Solutia Background/Overview
• Specialty Chemicals Company.
• $2.7 billion in annual sales (2004).
• $1.9 billion in assets.
• More than 5,700 employees located at 60
manufacturing sites throughout 27 countries.
http://www.solutia.com/pages/corporate/
Solutia’s Product Line:
• Performance Films for:
- car windows
- computer screens
• Specialty products such as
- avionic hydraulic fluid.
- heat-transfer fluids.
- plastic products.
http://www.solutia.com/pages/corporate/about/overview.asp
Solutia’s Product Line: (cont’d)
• Integrated Nylon used to make:
- wear-resistant carpets.
- vibrant upholstery fabrics.
- tires
http://www.solutia.com/pages/corporate/about/overview.asp
Solutia’s IT Department
• Our interviewee – Lori Kirk, Information
Security Manager.
• Hierarchy in IT department:
[Figure: organization chart with the boxes: CEO; CIO; VP Business Operations; VP IT; IS Manager.]
• IT annual budget is $29M.
• IT Department has approx. 100 employees.
Kirk, Lori, Information Security Manager, Solutia, interviewed in person by Lauren Eilers and Michele Hummel, March 29, 2006
Implementation of SOX at Solutia
(2003 – 12/31/2004)
• Planning (2003)
• Awareness (2003)
• Intensive Documentation (2004)
• Testing (2004)
Kirk, Lori, Information Security Manager, Solutia, interviewed in person by Lauren Eilers and Michele Hummel, March 29, 2006
Solutia and Maintaining Compliance
• Update narrative and control activity
documents.
• Test quarterly the control environments.
• Annual management testing (internal).
• Annual external audit.
Kirk, Lori, Information Security Manager, Solutia, interviewed in person by Lauren Eilers and Michele Hummel, March 29, 2006
Impact of SOX at Solutia
• Higher costs.
• Time consuming.
- 25% of time on average.
- 75% of time in the fourth quarter.
• More detailed documentation.
Kirk, Lori, Information Security Manager, Solutia, interviewed in person by Lauren Eilers and Michele Hummel, March 29, 2006
PricewaterhouseCoopers (PwC)
Background/Overview
• ~30,000 employees in U.S., 110,000 worldwide
• ~3000 firm partners in U.S.
• Clients are primarily mid to large-sized companies,
mostly audit clients, and usually from the financial
services, consumer or industrial products and services,
technology or entertainment sectors
Meiner, Mark, Business Development Director, PricewaterhouseCoopers, interviewed by telephone by Michele Hummel, April
5, 2006.
http://www.pwcglobal.com/gx/eng/main/home/index.html
Interview with Mark Meiner, Business
Development Director at PwC
• SOX affected all 3 areas of PwC: assurance/audit, tax,
advisory (business processes)
• Costs: audit costs increased by 50% for most clients;
est. 25% of costs due to documentation of control
systems; 225 clients noted 275 control deficiencies
each; est. 25% of new/revised controls contributed to
costs of year 1
• SOX created need for increased software development
and increased IT budgets: tools to track SOX projects,
IT tools to automate the way control structures are
reviewed, controls to monitor access to the IT
applications
Meiner, Mark, Business Development Director, PricewaterhouseCoopers, interviewed by telephone by Michele Hummel, April 5, 2006.
Current Developments for Audit Committees 2006, PricewaterhouseCoopers, 2006.
Interview with Mark Meiner, Business
Development Director at PwC (cont’d)
• First year of SOX compliance: companies rushed to
become compliant, many had underestimated the time
and cost to do this
• Second year of compliance: how will companies “do it
better” in year 2 (more efficient and less costly)
• Benefits of SOX:
– With audit clients: gave companies a greater awareness of their
control structures and how they mitigate risk across the
enterprise
– With non-audit clients: started them thinking about some of
the issues
Meiner, Mark, Business Development Director, PricewaterhouseCoopers, interviewed by telephone by Michele
Hummel, April 5, 2006.
Time Line Completed
• ISO- International Standards Organization
– A global organization used to determine general industry standards across all
industries
• CMM- Capability Maturity Model
– Sequential path towards increasing quality, used by companies as guidelines or
to document quality level
• ITIL- Information Technology Infrastructure Library
– ITIL is not a standard; it is a framework for best practice to be adopted and
adapted to fit each individual company
• SOX- Sarbanes-Oxley
– SOX created new documentation requirements for all publicly held companies,
in order to create greater financial disclosure as well as increase security
against fraudulent activity
Any Questions???
Sarbanes-Oxley Blues
Deface an Enron Exec
Source Information
CRA International (www.law.berkeley.edu/centers/bclbe/symposia/postenron/sox%20404%20survey%20update.pdf)
Current Developments for Audit Committees 2006, PricewaterhouseCoopers, 2006
Freedman, Rick, “More on Standards-Based IT Consulting”, Consulting to Management, Burlingame: Jun 2005.
Vol. 16, Iss. 2; pgs. 43-46.
Griggs, M., and Sauter, V., “Quality Management in the Software Industry” , University of Missouri Working Paper,
2004.
Hall, Linda A., and Gaetanos, Christ, “Treatment of Section 404 Compliance Costs”, The CPA Journal, New York:
Mar 2006. Vol.76, Iss.3, Pgs. 58-62.
Herbsleb, James, Zubrow, David, et al., “Software Quality and the Capability Maturity Model”, Association for
Computing Machinery. Communications of the ACM. New York: Jun 1997. Vol.40, Iss. 6; pgs. 30-41.
Howarth, Fran, Anti Sarbanes-Oxley mood rises in Europe, Bloor Research 1-11-05
(http://www.theregister.co.uk/2005/01/11/europeans_slam_sarbox/html)
ISO, Detailed Information about the International Standards Organization (www.iso.org/)
ITIL Practitioner’s Certificate in Change Management,
(http://www.ddls.com.au/VendCourseDet/ITL/60/ITILPrCM.htm), viewed April 11, 2006
ITIL Manager Certificate, (http://www.itilsurvival.com/ITILManagerCertificate.html), viewed April 11, 2006
Keller, Eric, “The Last Mile of Finance” Strategic Finance, March 2006.
Sources Continued:
Kirk, Lori, Information Security Manager, Solutia, interviewed in person by Lauren Eilers and Michele Hummel,
March 29, 2006.
Meiner, Mark, Business Development Director, PricewaterhouseCoopers, interviewed by telephone by Michele
Hummel, April 5, 2006.
Persse, James R., Implementing the Capability Maturity Model, John Wiley & Sons, Chichester, 2001.
Pisarek, Jerry, Business Performance Specialist, Utility Company, interviewed in person by Lauren Eilers, Michele
Hummel and Eno Veshi, March 12, 2006.
Price Waterhouse Coopers Logo- (http://www.pwcglobal.com/gx/eng/main/home/index.html), viewed 4/10/2006
Sarbanes-Oxley Implementation Costs What Companies are Reporting in their SEC Filings, February 2005
(www.auditnet.org/articles/Sarbanes-Oxley_Implementation_Costs.pdf)
Sarbanes Oxley Compliance (http://sarbanes-oxley-101.com/SOX-404.htm)
Solutia, Company Profile (www.Solutia.com/)
Solutia Logo- http://www.solutia.com/pages/corporate, viewed 4/10/2006
Swartz, Nikki, SOX Compliance Costs U.K. Firms, Information Management Journal Lenexa: Jan/Feb 2006. Vol. 40,
Iss 1, p. 19 (1 pp)
Utility Company overall information ( www.finance.yahoo.com )
Wagner, Stephen, and Dittmar, Lee, “The Unexpected Benefits of Sarbanes-Oxley” Harvard Business Review, April
2006, Vol. 84, Iss. 4.
Sources Cont’d
en.wikipedia.org/wiki/Regulate, viewed on April 7, 2006.
en.wikipedia.org/wiki/Sarbanes_Oxley, viewed on March 28, 2006
www.encarta.msn.com/dictionary_/standard.html, viewed on April 7, 2006.
www.itaa.org/workforce/studies/04wfstudy.pdf, viewed on April 7, 2006.
www.secinfo.com/$/SEC/Location.asp, viewed on March 1, 2006.
www.sec.gov/news/press/2003-89a.htm, viewed on March 27, 2006.
www.sec.gov/news/studies/sox308creport.pdf, viewed on March 1, 2006.
www.sec.gov/news/testimony/090903tswhd.htm, viewed on March 27, 2006.
www.sec.gov/news/testimony/022603tssmc.htm, viewed on March 1, 2006.
www.sec.gov/news/press/2003-89a.htm, viewed on March 11, 2006.
www.sei.cmu.edu/appraisal-program/profile/pdf/CMMI/2006marCMMI.pdf
www.sox-online.com/sox_humor.html, viewed on March 28 & April 11, 2006.
www.standishgroup.com/sample_research/chaos_1994_1.php, viewed on April 7, 2006.