PCK Technical Services LLC provides innovative solutions to help companies respond to internal/external audit findings and meet audit/compliance requirements via the following services:
- Analysis and remediation plan development for Sarbanes-Oxley, SAS70 and other types of audits and regulatory requirements
- Business/IT control gap analysis, identification, implementation, testing, review, auditing, monitoring, tracking, and reporting
- Documentation/content management system/library analysis and/or development
- Process modeling and engineering for all IT areas including SDLC, change/release management, logical security/provisioning, physical security, data management, network operations
- Project planning/management and stakeholder meeting facilitation
- Risk management and system security control environment analysis
- SOD, RACI model, and roles and responsibilities review and/or development
- Subject matter expert business/technical interviews
- System interface/data mapping and architecture diagramming
- Technical research and writing/editing for all types of IT documentation development (e.g., policies, procedures, business/functional/user requirements, disaster recovery/business continuity plans, asset management plans, record management and retention plans, content assessment plans, system/UAT test plans and summaries, go live and version control documents)
- Training materials (e.g., user guides, manuals, help files) creation and delivery
As detailed below, PCK Technical Services LLC has provided services to several organizations to help them comply with the Sarbanes-Oxley Act of 2002 (specifically Section 404, general application controls and general computer controls), SAS70, and other types of IT audit/compliance requirements, standards and frameworks:
- (All) Reviewed resources, existing internal documentation, audit findings/controls assessment, best practices/industry standards, CobiT, COSO and other references.
- (All) Conducted interviews and meetings with senior management, system project managers, system developers/leads, business users, and personnel in application development, QA, operations, help desk, training and other departments.
- (All) Walked through systems and existing documentation, performed gap analysis, and identified and documented all inbound or outbound system interfaces, data flows, data classifications, encryption levels, SLAs and automated/batch processes (including Visio process diagrams).
- (Triad) Documented application development services and operations documentation for six systems involving indirect lending, direct lending, servicing, accounting, general ledger and data warehousing.
- (Triad) Created operation run guides for batch processes, report run guides, user guides, development guides, and other system documentation.
- (Triad) Created a set of standardized system documentation that allows auditors to review all system-related documents via hyperlinks. The system description document included a system overview, interface details (frequencies and encryption information), file/table names, data descriptions (e.g., manual input forms/processes, screen displays, data files, data dictionaries, database structures/relationships, field names/descriptions, data transfer procedures, functional specifications, batch interface processes, application entry guidelines, output reports), program source code libraries, and system control documentation. The system processing document (operations) included processing instructions and timing, post-processing data control procedures (review procedures and verification tests/procedures), and output files and reports.
- (Aames) Identified and documented inbound/outbound interfaces for over 30 systems (legacy and third-party) including table/field/file names, frequencies, technical specifications, flow diagrams and job names.
- (Encore) Created legacy system (Empower) interface Operations and Help Desk guides to comply with the Sarbanes-Oxley Act of 2002 including system infrastructure, process flows, data transfer/mapping details, system installation, backup, recovery, maintenance and monitoring, user accounts, escalation, and troubleshooting/contact information.
- (IBM LBPS) Identified legacy system (PULSE) interfaces/data mapping details for all downstream and upstream applications to meet ASCA certification requirements; created infrastructure/architecture diagrams at the application, server and network levels.
- (IBM LBPS) Performed IT controls gap analysis and identification for implementation, testing and review.
- (Triad) Implemented corporate change control/change management procedures for related docs utilizing Visual SourceSafe or other internal processes.
- (Triad) Helped create a standardized set of system management and project management documentation for application/system/database implementation, enhancements, risk assessment, maintenance and support.
- (All) Created standard operating procedure and other templates, numbering/naming conventions and standards for future documentation.
- (All) Reviewed environment, organization, systems, team roles and responsibilities, job descriptions, corporate intranet, network directories/folders and files.
- (State Street/Aames) Conducted interviews with management, technology leads and staff in the IT departments such as Application Development, DBA, Network Administration (system access/user administration), Network Operations/NOC (including system monitoring, escalation, backups, shutdown/startup, disaster recovery), Network Engineering (infrastructure installation, configuration, maintenance and security, data center operations), Help Desk (hardware/software procurement, installation, support and asset management), and QA/CM (change control and configuration management including change requests, testing, approvals, emergency change requests, application migration/security between test, development and production environments, and risk assessment).
- (Aames) Conducted interviews with management and staff in corporate departments including Accounting, Admin. Services, Appraisal QC, Capital Markets, Credit, Funding, HR, Internal Audit, Legal, Loan Management, Loan Services, Operations, Quality Assurance, Sales and Treasury.
- (Fannie Mae) Worked with directors and managers of several business centers across various regions of Fannie Mae's single family business to identify, receive and coordinate source materials/content from subject matter experts in functional areas including business development, marketing, underwriting, customer management, risk management, counterparty management, servicing, legal and others.
- (IBM LBPS) Conducted interviews with management, technology leads and staff in the IT/technology departments such as Application Development, QA/Testing, Service Desk, Security Provisioning, Data Center Operations, Technology Risk Management, Help Desk and others.
- (State Street/Aames/Fannie Mae) Created operational policies and procedures including procedures to support business continuity and disaster recovery plans.
- (IBM LBPS) Performed process modeling activities to create diagrams, steps, narratives, roles and responsibilities, control points, and other details for logical security (e.g., logical access, health checking, patch management) and data management processes.
- (IBM LBPS) Performed IT controls gap analysis, identification, and implementation.
- (Kaiser Permanente IT) Conducted IT controls auditing, management, tracking, monitoring and reporting for national change/release management activities.
- (State Street/Aames/Fannie Mae) Researched and provided central documentation library/management system recommendations and/or temporary Access/VB database solution.
- (Aames/Fannie Mae) Provided project management services for ongoing documentation review, edit and approval process.