1 / 70

US OP SOX 404 Steering Committee Presentation September 20, 2006

US OP SOX 404 Steering Committee Presentation September 20, 2006. Agenda. Q3 Key Activities 5 min Business Review/Controls at Risk 15 min Segregation of Duties Update 10 min Management Assessment 10 min

bryce
Download Presentation

US OP SOX 404 Steering Committee Presentation September 20, 2006

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. US OP SOX 404Steering Committee Presentation September 20, 2006

  2. Agenda • Q3 Key Activities 5 min • Business Review/Controls at Risk 15 min • Segregation of Duties Update 10 min • Management Assessment 10 min • IT Project Update 10 min • Embedding 5 min • Other Business – Next Meeting 5 min 1 09-20-06

  3. Q3 Key ActivitiesBusiness Controls

  4. Key Activities for Q3 Sign-off 3 09-20-06

  5. Business Review/Controls at Risk

  6. Business Controls At Risk by CoB As of 9/14/2006 DE = 96% Effective OE = 79% Effective 5 09-20-06

  7. OP US SOX 404 – Shell US Without IT – DE 6 09-20-06

  8. OP US SOX 404 – Shell US Without IT – DE Details of Weekly Changes Report - 9/14/06 7 09-20-06

  9. Operating Effectiveness – Round III Testing • 79 existing controls and 15 new controls (estimate) require OE testing (94 total) • 15 Annual controls cannot be tested until 2007 • Plan dependent upon availability of control evidence which is driven by the operational effective date • Testing team plans to test all controls available for testing prior to October 23 Q3 cutoff 8 09-20-06

  10. ISPO CONTROLS – Without IT 9 09-20-06

  11. Segregation of Duties

  12. What remains Status as of August 31, 2006 Excludes Stusco (additional 267 for Stusco not included) Deerpark (65) excluded due to SOX relevance, 2nd priority because they are isolated 11 09-20-06

  13. How we will resolve the remaining • Excludes Stusco – Stusco users with SOD cases and access to 4099 company codes will be evaluated based on the same rigor to ensure system risks are mitigated (in September) • Deerpark excluded due to SOX relevance, 2nd priority because they are isolated • We will consider SODs remediated after Financial Director has signed the compensating control forms or risk waiver. New controls will be added in September 2006 and tested for Q3 sign off. 12 09-20-06

  14. Management AssessmentQ2Deficiency Evaluation Feedback

  15. Key Lessons from 2Q PDW and Audit • Improve control valuations • Provide gross balances that tie into SAP/FIRST (proof) • Provide valuations for each compensating control • Confirm compensating control provides supporting assertions • Keep stronger evidence • Start as soon as control failure known • Strengthen key direct company level controls e.g. MJEs, accruals, FIFO, Variance analysis on Accounts and LE to Actual with tolerances • Comprehensive review of all BCIs and non-SOX audits • Strengthen ISP reviews • Awareness of control effectiveness • Awareness of in-house compensating control “Painful to Fail” 14 09-20-06

  16. Management AssessmentQ3 Instructions

  17. Q3 Management Assessment - Overview • AoO Sign-off in GreenLight by October 24th • Q3 Changes From Q2 • All controls In-Scope (including compensating controls) must be fully DE & OE tested • No exception granted for: • Remediated/Not Retested • Quarterly • Annual Controls(Once a year controls – no exception)(Year end controls Q4/Q1 – granted exception) • Q3 Sign-off Process Identical to Q2 for: • GreenLight/Non-GreenLight assurance process • Design and operational effectiveness evaluation • Confirmation of design and operating effectiveness for controls operated by ISPs and ESPs • Deficiency Evaluation for Financial Impact using ProcessDeficiency Workbook (includes ISP controls) submitted by Nov 3rd 16 09-20-06

  18. Q3 Management Assessment – Key Activities 17 09-20-06

  19. Audits

  20. IAF Audit Status – Lubricants (Round II) • Fair Opinion(combined Business and IT audit) • Findings • High – Sales & Receivables - Verification of price changes is not effective when using a small review sample; Blocked sales orders released without being corrected; Customer Service Representatives can create sales orders and credits; Missing detective control for authorized customer master data changes • Medium – Jiffy Lube sales STATS tool not tested • Medium – Several business testing populations not correct or not verified • Medium – Lubes control references to SOPUS not accurate 19 09-20-06

  21. IAF Audit Status – Lubricants (Round II) • Design Effectiveness • Business & AEC – 40 are effective, 6 are N3 or N5 • IT (C11) – 50 are effective • Operationally Effectiveness • Business & AEC – 9 are effective, 2 are N3 • IT (C11) – 16 are effective, 1 is N3 • Review of Project Testing • Business & AEC – 5 are effective, 6 are TN2, 2 are TN3 • IT (C11) – 10 are effective, 4 are TN2, 3 are TN3 20 09-20-06

  22. Q3 Key ActivitiesIT General Controls

  23. DE Status – as of 09/14 22 09-20-06

  24. OE Status – as of 09/14 23 09-20-06

  25. Q3/Q4 Plans 24 09-20-06

  26. Summary/Expectations

  27. Summary/Expectations • Make All Controls Effective • Remediated / Not Retested • New ACD’s to design walk-through & test (FIFO, SOD) • Deficiency evaluation – challenges by FCC & IAF • Limit new controls (No changes preferable) – Follow change approvals • Focus on ISPO Interface Matrix & Pastelink • New monthly ACD’s must operate in September to be tested for Q3. • Relevant BCI’s and non-SOX audits considered for impact to key controls in Greenlight – load test record & fail control until remediated. 26 09-20-06

  28. Embedding Update

  29. Embedding Status • SOX Giveaways to Permanent Organization • Confirming numbers with Focal Points • EUC C13 Training – 4 courses scheduled • September 21, 26 (2), 28 • Audience approximately 50+ attendees • Knowledge Survey • Retakes are in progress and scheduled to be complete 9/22 • Scores on retakes 70% and below went out to individuals 9/15 • Daily updates being sent on unsuccessful retakes • Everyone will receive scores after 9/22 deadline 28 09-20-06

  30. End of SOPUS Presentation

  31. Motiva Business

  32. Motiva Agenda • Business Review/Controls At Risks • Internal Audit 31 09-20-06

  33. Business Review/Controls At Risks

  34. Business Controls At Risk by CoB As of 9/14/2006 DE = 95% Effective OE = 85% Effective 33 09-20-06

  35. OP US SOX 404 – Motiva Without IT – DE 34 09-20-06

  36. OP US SOX 404 – Motiva Without IT – DE Details of Weekly Changes Report - 9/14/06 35 09-20-06

  37. Operating Effectiveness – Round III Testing • 20 Motiva controls require OE testing • 3 controls cannot be tested until 2007 • 11 of the remaining 17 controls are quarterly awaiting confirmation for 2nd quarter test • Testing substantially complete by 10/20/06 36 09-20-06

  38. ISPO CONTROLS – Without IT 37 09-20-06

  39. Internal Audit Update

  40. Motiva Internal Audit Update VERBAL UPDATE – LINDA LARSON 39 09-20-06

  41. End of MOTIVA Presentation

  42. APPENDIX

  43. Project Action Items

  44. Action Item Log Overview • Open Action Items • 1 open item remains • Closed Items • 3 closed items from last meeting • 157 items have been closed 43 09-20-06

  45. Open Action Items 44 09-20-06

  46. Closed Action Items 45 09-20-06

  47. 2006 Staff Count & Project Cost

  48. ‘06 Estimates – Comparison – Staff (Without IT) '06 Actual Staff Count by Month '06 January 85 ’06 June 77 '06 February 84 ‘07 July 72 ’06 March 84 ’08 August 62 ’06 April 76 ’06 May 80 '06 Year-End Staff Count Planned '06 T&R 20 FTE '06 LE 20% + Remediation 45 FTE '06 LE 40% Remediation 48 FTE 47 09-20-06

  49. ‘06 Estimates – Comparison – Staff – With Regional IT '06 Actual Staff Count by Month '06 January 108 ’06 June 104 '06 February 107 ‘07 July 102 ’06 March 102 ’08 August 91 ’06 April 98 ’06 May 103 48 09-20-06

  50. ‘06 Estimates – Comparison – Staff – With Total IT '06 Actual Staff Count by Month '06 January 133 ’06 June 132 '06 February 132 ‘07 July 130 ’06 March 130 ’08 August 114 ’06 April 127 ’06 May 133 49 09-20-06

More Related