
IT_AEC_EUC_SoD_SAS70 FROM: US OP SOX 404 Steering Committee Presentation May 3, 2006






Presentation Transcript


  1. IT_AEC_EUC_SoD_SAS70 FROM: US OP SOX 404 Steering Committee Presentation May 3, 2006

  2. Workstream Update (IT Registers – C. Nowlin)

  3. IT Design Effectiveness 2 05-03-06

  4. IT Design Effectiveness – By Process

  5. DE Not Effective Highlights
     • Most Not Effective controls will be Effective by Signoff
     • C11 & C12 Backup & Restore controls (30 controls)
       • Working to clarify requirements for Disaster Recovery components of Backup & Restore controls
       • 8 of these could be outstanding at Signoff
     • C11 Security – Password Requirements (10 controls)
       • Working to clarify options for applications that can’t enforce ITCI requirements (global issue)
       • These 10 could be outstanding at Signoff
     • An additional 10 to 20 controls could still be in remediation at Signoff
     • Working to ensure quality RAPs are in place and being managed

  6. AEC Testing Status

  7. Audit Status (Nowlin/Manwaring)

  8. Audit Update - IT (C11/C12) Controls Audit
     • IAF began audit on 12-April
     • IAF 1st Readout on 20-April
     • 50%-60% of C12 & C13 reviewed (SOPUS & Lubes)
     • All initial IAF findings rated N2 (quick fix required to documentation)
     • IAF close out meeting scheduled for 3-May (combined with Business audit)
     • PWC began audit on 17-April
     • PWC Focus:
       • Lubes Trident & LDW
       • Lubes C11
       • Lubes C12
     • PWC 1st Readout scheduled for week of 1-May

  9. 2006 Plan - SOX Business Project
     Current Status / Start Date / End Date:
     • DE Audit by COT: Complete, 6 March to 28 April
     • Audit - SOPUS Round II: In-Progress, 10 April to 9 Jun (rev)
     • Audit - Manila Round I: Complete, 10 April to 21 April
     Audits Status – Business Controls
     IAF Round I
     • SOPUS
       • Design: completed 43 of 47 documentation corrections (E1 & N2)
       • Design: completed 10 of 21 findings (N3-N5)
       • Operational: completed 2 of 5 findings/comments
     • Manila – 2 findings of 20 controls reviewed
       • Remediation already completed
     Round II
     • SOPUS – Closing meeting today
     • IAF will develop preliminary report
     • Business will analyze findings
     • Will not impact 1Q sign-off
     PwC
     • AoO 4099 Total design effectiveness: 198 controls reviewed – 23 findings – 14 Completed
     • Last week completed AoO 4099 Order to Cash: 26 Controls reviewed – 4 Findings

  10. 2006 SAS 70 Review

  11. SAS 70 Process Review
     • For all External Service Provider (ESP) relationships, a SAS 70 is required where the ESP's activities have a significant impact on financial reporting and existing internal controls are not adequate to reasonably mitigate the risks
     • Before we seek assurance by means of securing a SAS 70, determine whether internal controls could be sufficiently enhanced
     • If enhancing internal controls is not an appropriate option, an evaluation is necessary to determine whether management will arrange to conduct an audit or rely upon a Type II SAS 70 report provided by the service provider

  12. Summary of External Service Provider SAS70 Review

  13. SAS 70 - ESP Identified in OPUS/Motiva

  14. SAS 70 Process Risks
     Current ESP inventory compiled with input from SOX Documentation Teams and Business Unit SOX Focal Points
     Potential Risks
     • Assessment of the sufficiency of internal controls over ESP-operated controls may be subjective, and may not truly mitigate the risks.
     • ESPs potentially impacting SOX controls may not have been explicitly identified in SOX documentation or identified by the Business.
     Recommended Action Items
     • Business Review with Fiscal Directors of identified ESPs with significant financial impacts but not in documentation.
     • PMO and Central QA review of the sufficiency of internal controls mitigating ESP risks.

  15. Workstream Update (IT Registers – C. Nowlin)

  16. IT Operating Effectiveness

  17. Operational Effectiveness - US IT

  18. SAS 70 Review Process

  19. SAS 70 Decision Model – SOX 404 Methodology

  20. 2006 Systems Assurance

  21. Application Embedded Controls

  22. What is an Application Embedded control?

  23. What is an AEC
     • Describing this has been one of the most challenging things I have ever done. Most of the time I get a blank stare.
     • It’s not part of Cheryl Highwarden’s embedding team.
     • It’s the “IT part” of the business control that is performed by the system, or data generated by the system that is critical to the control (IT dependent).
     • System access and system segregation of duties are also considered “embedded controls”

  24. Examples of AECs
     • The system performs the 3-way match between the PO, goods receipt, and the invoice (based on configured tolerances).
     • The system generates a list of invoices greater than $10K (IT Dependent)
     • Restricted access - Access to the general ledger is restricted to the “Accounting Department”
     • Restricted access with system SOD - Access to the general ledger is restricted to those who do not have access to change or update master data, process purchase orders and invoices, process sales orders and sales invoices, or perform any cash management or payroll function
     • Manual vs. system access – manager approves the new vendors but does not have access to vendor master updates (this is tested by the Business testing team)
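The first and fourth examples above are the kind of embedded control an AEC tester has to re-perform against the system's actual configuration and access data. The Python below is an added illustration, not code from the presentation or from the systems it describes: it expresses the tolerance-based 3-way match and the GL restricted-access-with-SoD rule as testable checks over a constructed purchase document set and a constructed user-access extract. The document field names, tolerance values, function names (gl_posting, po_processing, and so on) and the sample users are all assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal

# ---------------------------------------------------------------------------
# Control A: automated 3-way match (PO vs goods receipt vs invoice) with
# configured tolerances.  Field names, tolerance names and the sample
# documents below are assumptions constructed for this example.
# ---------------------------------------------------------------------------

@dataclass(frozen=True)
class Tolerance:
    qty_pct: Decimal      # allowed quantity deviation, as a percent of PO quantity
    price_pct: Decimal    # allowed unit-price deviation, as a percent of PO price
    amount_abs: Decimal   # allowed absolute difference on the invoice total


def three_way_match(po: dict, receipt: dict, invoice: dict, tol: Tolerance) -> list[str]:
    """Return the tolerance breaches found; an empty list means the invoice
    passes the embedded control and may be released for payment."""
    breaches: list[str] = []
    qty_limit = po["qty"] * tol.qty_pct / 100
    if abs(receipt["qty"] - po["qty"]) > qty_limit:
        breaches.append(f"goods receipt qty {receipt['qty']} vs PO qty {po['qty']}")
    if abs(invoice["qty"] - receipt["qty"]) > qty_limit:
        breaches.append(f"invoice qty {invoice['qty']} vs goods receipt qty {receipt['qty']}")
    price_limit = po["unit_price"] * tol.price_pct / 100
    if abs(invoice["unit_price"] - po["unit_price"]) > price_limit:
        breaches.append(f"invoice unit price {invoice['unit_price']} vs PO price {po['unit_price']}")
    # The amount check is anchored on what was actually received, at the PO
    # price, so an invoice cannot be paid for goods that never arrived.
    expected_total = receipt["qty"] * po["unit_price"]
    if abs(invoice["total"] - expected_total) > tol.amount_abs:
        breaches.append(f"invoice total {invoice['total']} vs expected {expected_total}")
    return breaches


DEFAULT_TOLERANCE = Tolerance(Decimal("2"), Decimal("1"), Decimal("5.00"))  # constructed
SAMPLE_PO = {"qty": Decimal("100"), "unit_price": Decimal("10.00")}          # constructed
SAMPLE_RECEIPT = {"qty": Decimal("99")}                                     # constructed
GOOD_INVOICE = {"qty": Decimal("99"), "unit_price": Decimal("10.05"), "total": Decimal("994.95")}
BAD_INVOICE = {"qty": Decimal("105"), "unit_price": Decimal("10.50"), "total": Decimal("1102.50")}

# ---------------------------------------------------------------------------
# Control B: restricted access to the general ledger, with a system
# segregation-of-duties rule.  Function names are illustrative.
# ---------------------------------------------------------------------------

GL_FUNCTION = "gl_posting"
# Functions the slide says a GL user must not also hold.
GL_CONFLICTS = frozenset({
    "vendor_master_update", "customer_master_update",
    "po_processing", "ap_invoice_processing",
    "sales_order_processing", "sales_invoice_processing",
    "cash_management", "payroll",
})


@dataclass(frozen=True)
class UserAccess:
    user_id: str
    department: str
    functions: frozenset[str]


def restricted_access_findings(users, allowed_department="Accounting"):
    """Test both restricted-access statements on the slide over an access extract.
    Returns (user_id, finding, conflicting_functions) tuples; empty means effective."""
    findings = []
    for u in users:
        if GL_FUNCTION not in u.functions:
            continue  # no GL access, nothing to test for this user
        if u.department != allowed_department:
            findings.append((u.user_id, "gl_outside_accounting", ()))
        conflicts = tuple(sorted(u.functions & GL_CONFLICTS))
        if conflicts:
            findings.append((u.user_id, "gl_sod_conflict", conflicts))
    return findings


SAMPLE_USERS = [  # constructed access extract
    UserAccess("alice", "Accounting", frozenset({"gl_posting"})),
    UserAccess("bob", "Accounting", frozenset({"gl_posting", "vendor_master_update", "payroll"})),
    UserAccess("carol", "Purchasing", frozenset({"gl_posting", "po_processing"})),
    UserAccess("dave", "Purchasing", frozenset({"po_processing"})),
]

if __name__ == "__main__":
    print("good invoice:", three_way_match(SAMPLE_PO, SAMPLE_RECEIPT, GOOD_INVOICE, DEFAULT_TOLERANCE))
    print("bad invoice: ", three_way_match(SAMPLE_PO, SAMPLE_RECEIPT, BAD_INVOICE, DEFAULT_TOLERANCE))
    for finding in restricted_access_findings(SAMPLE_USERS):
        print("access finding:", finding)
```

Run against a real access extract, the second check produces exactly the evidence the slides ask the business to agree to: a user-by-user list of GL holders outside Accounting and of GL holders with a conflicting function, which is what a compensating control or risk waiver would then have to cover.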

  25. Focus of the AEC Team is Operational Testing
     Challenges we face:
     • The ACD does not always contain the proper level of detail to perform the testing, and sometimes the business doesn’t know how the system works
     • The reality is that because some of the systems are 10 years old we have experienced knowledge gaps
     • Therefore, the AEC teams usually need to gather more information from the control owner, BUFP, or IT support to understand what the system is actually doing (how it is configured or programmed)
     • Usually this leads to slight revisions to the ACD or the narrative
     • What we ask of the control writing team is to be clear and ask the question: “What is the IT dependency in the control?”

  26. Who Owns the AECs or System Controls
     Do you agree with these statements?
     • The business is responsible for mitigating the financial statement risks
     • The business is responsible for defining the IT requirements
     • The business is responsible for testing and validating the IT functionality that was required (during an implementation project or for a change request)
     • The business owns the data in the system (segregation of duties between managing the system and owning the data)
     • The business wrote the controls that describe which IT embedded controls they are relying on to mitigate the risk (either completely automated via the system or IT dependent)

  27. Who Owns the AECs or System Controls
     • Therefore, the business owns all parts of the controls in the C & D registers, including the AEC parts
     • Note: IT will perform testing of AECs for SOX purposes, but the business will need to agree to the results
     • Areas for Improvement – define clear ownership of the key elements of the AEC control. For example, who owns account assignment configuration

  28. EUC Testing

  29. EUC Testing Status by Register

  30. What is an EUC – End user computing tool?

  31. EUCs
     • End user computing tools like Excel and Access can be extremely powerful for accountants; they can also become extremely complex and prone to errors if not used correctly
     • That could lead to a material misstatement; therefore we have identified approximately 30 EUCs used in the business controls that, due to their complexity and usage, need to be remediated.
     • Remediation involves documenting how it’s used, organizing the inputs and outputs, locking the formulas, testing the functionality, and storage in a central repository
     • This is a lot of work and takes all the fun out of using Excel, but reduces the risk of error

  32. Enron Shell Group Approved EUC Compensating Control
     The Alternative is Re-performance of the Calculation
     If Ken Lay only had a good 10-key he could have saved the company

  33. Segregation of Duties

  34. OP US SOX 404 System Controls - KPI
     • Purpose of KPIs as defined by the Central team - Shows progress towards: a) benchmark for SOX compliance b) the quality of the application controls framework for robustness and ease of maintenance
     • KPI #1 target - Ratio should be below 1.0 before compensating controls or risk waivers
     • Notes:
       • New SOX Matrix introduced in May
       • Does not include changes in progress or compensating controls

  35. OP US SOX 404 System Controls - KPI 2
     • Lubes – excludes Canada
     • Magellan – excludes Stusco

  36. SOX KPI 3 – Critical Access
     • New metric per SOX guidance issued November 2005
     • KPI #3 – access that should never be granted in a production system; Target is zero.

  37. Risk Case Counts
