Achieving SOX Compliance and More

Get more IT value from your compliance efforts

20 September 2005 (14-21)
Location: Sofitel Diegem (Diegem near Brussels (Belgium))
Presented in English by
Price: 540 EUR (excl. 21% VAT)

This event is history, please check out the List of Upcoming Seminars, or send us an email

 Learning Objectives

Why this seminar ?

Whereas the number of companies in Belgium that need to be Sarbanes-Oxley (SOX) compliant is fairly limited, there is a cascading effect to organisations providing services to affected organisations. There is also an air of expectation around the reaction of European member states to the European Commission's 8th directive and revisions to European Company Law, which contributes to an increased focus on corporate governance.

When businesses evaluate their internal controls, they quickly realise there are significant dependencies on IT processes and controls. In the past, security was often seen as the outer defence layer protecting the company's assets, but there is a growing awareness that information security and IT controls have a greater significance in the context of Corporate Governance.

Internal control is often regarded as a matter for auditors, and IT organisations do not always realise the significance of day-to-day activities in the context of controls over financial reporting. For organisations required to be SOX-compliant, it is important to ensure there is a well-established and commonly recognised framework around which IT controls can be structured.

Furthermore, there is a continuing pressure on IT functions to demonstrate their value and to improve their alignment with the business. Leading companies appreciate that more mature, well controlled IT functions perform better and allow them to focus on adding value to the business. In this way, achieving SOX compliance can bring IT functions closer to the operational excellence expected from them.

What questions are addressed by this seminar ?

  • What is Sarbanes-Oxley (SOX) ?
  • What is a SAS 70 report? What is the difference between a type 1 and a type 2 SAS 70?
  • How to become SOX compliant ? What activities, tools and skills does this entail ?
  • What does IT governance mean ?
  • What are COSO and COBIT, and how do they relate to ISO 17799 and ITIL ?
  • What is internal control, how does one establish strong controls and what does it take to make them audit proof ?
  • Are there ways to implement controls over end user computing ?

Who should attend this seminar ?

  • IT managers in general
  • Compliance and IT governance project managers
  • Managers of IT functions such as operations, development and security
  • Internal auditors
  • ...
  • Everyone who's interested in SOX, compliance, IT governance, COBIT, ...

 Full Programme

13.30h - 14.00h
Registration and coffee/tea
14.00h - 14.45h
Internal control (Ingvar Van Droogenbroeck, PwC)
  • Definition of internal control
  • Auditing (and audit comfort)
  • Corporate governance vs IT governance vs internal control vs security
14.45h - 15.30h
SOX Explained
(Judy Canning, PwC)
  • Background (incl. who is who, e.g. PCAOB & SEC)
  • SOX 302 and 404 (incl. what the actual filing looks like)
  • Timeline (draft legislation, approval, implementation deadlines)
15.30h - 16.00h
Coffee/Tea Break
16.00h - 17.10h
(Dirk Steuperaert, PwC)
  • History
  • Positioning COBIT (vs ITIL and ISO 17799)
  • CobiT & Sarbanes-Oxley
  • The framework and its structure (and product suite)
17.10h - 18.00h
(Ingvar Van Droogenbroeck, PwC)
  • Relevance of IT
  • The road to compliance (incl. typical pitfalls, tips & tricks)
18.00h - 19.15h
19.15h - 20.00h
SOX & IT: Continued
(Ingvar Van Droogenbroeck, PwC)
  • Assuming control over end user computing and user access rights (identity management)
  • Leveraging internal control for operational excellence
  • Third party service providers and attestation / SAS 70
20.00h - 20.45h
Case Study: SOX @ Winterthur Europe Insurance
(Yves Suffeleers, Business Workflow & Process Manager, Winterthur Europe Insurance)
  • Overview of the SOX project at Winterthur
  • Critical success factors in a SOX project
  • Lessons learned from this project
20.45h - 21.00h
Summary, Conclusions & Wrap-up: What have we learned today ?
(Ingvar Van Droogenbroeck, Dirk Steuperaert, Judy Canning, PwC)
End of this seminar


Dirk Steuperaert (IT In Balance)

Dirk Steuperaert has been an independent consultant (IT In Balance BVBA) since early 2008. He provides training and advice on IT Governance and IT Risk Management issues.

Before this, Dirk worked for over 10 years with PricewaterhouseCoopers Belgium. He performed and led multiple IT audits and IT Governance assignments.

Dirk started his career in IT with SWIFT, the global funds transfer network. Later he switched to IT Audit in SWIFT, in a large Belgian bank and with an international clearing house.

Dirk has been heavily involved in international ISACA activities during the last five years, including:

  • Member of the COBIT Steering Committee (ISACA's international committee overseeing and steering all COBIT developments) between 2004 and 2008.
  • Member of the Risk IT Task Force as project manager of the development team and lead developer.
  • Project Manager and Lead Developer of ISACA's COBIT 5 Framework.

Dirk is a well-appreciated instructor for COBIT, IT Governance and IT Risk related topics.

Dirk holds a master's degree in engineering and a master's degree in computer auditing, as well as the CISA, CGEIT and CRISC certifications.

Ingvar Van Droogenbroeck (PricewaterhouseCoopers)

Ingvar Van Droogenbroeck is a director in PricewaterhouseCoopers' Belgian practice. He works in the Assurance (audit) practice and co-leads our Systems & Process Assurance group. He primarily focuses on SAS 70 work and controls assurance for Sarbanes Oxley as well as financial audit purposes.

Ingvar graduated as a Commercial Engineer, specialised in computer science, from the Katholieke Universiteit Leuven in 1990. Following a first job as an analyst-programmer with Comparex and after his (compulsory) military service as a software engineer, Ingvar started his career with Price Waterhouse as a financial auditor in 1991. As intended, he joined the computer audit group from 1992, which then became part of the Global Risk Management Solutions department (GRMS). In this position he acted as consultant for the completion of various assignments, most of them in the domain of computer security. Having left us in 1994 to join Euroclear as Systems Liaison for their Financial Division, Ingvar returned as a manager in 1996.

He managed a variety of clients and consulting as well as audit support assignments, gradually specialising in IT services. He became director and has since focused on security and technology services as well as the Information, Communication & Financial Services industry sectors.

Ingvar has practical experience of a wide range of computer systems, from IBM mainframes, Digital/VAX machines, Unix and Windows NT servers to personal computers. He is also familiar with the security issues facing networked and client-server environments. Furthermore, he has significant experience in telecommunications business processes and the IT processes required to manage heterogeneous IT environments. Due to his leading role on the SWIFT security audit and through many other assignments and audits in the area of information security policies and procedures, Ingvar has a profound knowledge of information security standards and assurance.

Judith Canning (PricewaterhouseCoopers)

Judy Canning is a Director in the systems and process assurance practice in Brussels. Judy is a UK Chartered Accountant who has been involved for some 10 years in internal control projects.

More recently, she has headed up the PwC Belgian practice's efforts in connection with Sarbanes Oxley and the internal controls regulations. She has been working on various projects to advise clients in the areas of business processes and IT, and has been running workshops to facilitate discussions in relation to compliance matters with various companies.

During 2004, considerable experience was gained in the attestation process and in what is required to achieve compliance.

Judy continues to follow developments in the European regulations in respect of internal control, and is advising clients on controls best practices.
