
OP IT SOX Compliance Delivery Team Where Are We and How Do We Move Forward? 20 & 21 June, 2005



  1. OP IT SOX Compliance Delivery Team
  Where Are We and How Do We Move Forward?
  20 & 21 June, 2005

  2. Agenda
  • Objectives
  • Introduction
  • Delivery Team
  • Ways of Working
  • Scope, Deliverables & Status Review
  • Issues
  • C13 Detailed Discussion
  • Security Detailed Discussion
  • C12 Detailed Discussion
  • BAM Detailed Discussion
  • Small/Less Complex Sites
  • Wrap Up

  3. Objectives
  • Provide Scope, Deliverables and Status for each of the Delivery Areas
  • Confirm agreement with Focal Points on Scope and Deliverables
  • Review gaps for each Delivery Area
  • Discuss Delivery Teams’ plans for closing the gaps
  • Agree with Focal Points where joint action is needed to close the gaps

  4. Introduction
  • Bill’s LT agrees former Global Workstreams are highest priority today
  • Cheryl assigned to provide assistance 2 weeks ago
    - First week spent transitioning Operations role
    - Second week spent preparing for Workshop
  • New Leaders in place 1 week
    - Week spent trying to get TORs finalized and Status prepared for Workshop
  • Don’t have all the answers today (or probably even all the questions)
  • Team is committed to working with the FPs to provide what’s needed as soon as possible and to providing regular status tracking

  5. OP IT SOX Compliance Delivery Team
  Lead: Cheryl Nowlin
  Delivery Deployment PM: John Mclean
  MaryEllen Browning
  • SDLC Global Process
  • Security
  • Ongoing Projects
  • C11.16
  Ed Kim
  • C12
  Melissa Frala
  • BAM Global Processes
  • C13
  • SoE/SoD
  • Backup & Restore
  Team members: Jan Willem Schuijtvlot, Edward Bouwman, Bruce Turnbull, Kees Vork, Rudra Patil, Wim Teunissen, Rivhu Khan, Siddharth Soni, Vamsi Dhar, David Deason, John Trueman, Barry Chu, Martin Playle, Andy Mitton

  6. Ways of Working Together
  • A weekly report will be issued showing status against Delivery Team deliverables and key milestones
    - Format will be as shown in pre-read
  • Questions regarding status or issues with the Delivery Areas should be directed to the 3 leaders: Ed Kim, MaryEllen Browning, Melissa Frala
  • Delivery Team requests for Focal Points will continue to go through the Integration PMs
    - Some Delivery Team members will continue to contact the Focal Points directly where agreed and directed by the leaders and Integration PMs
    - This helps the team focus on delivering the work
  • Other requests from the Focal Points today?

  7. Backup & Restore
  In Scope
  • Interpretation & clarification of CoE team guidance regarding Backup & Restore (B&R)
  • Development of the approach for OP regarding B&R based upon CoE guidance
  • Creation of Guidance tool set to assist in categorising applications to determine B&R requirements
  • Consultation to OP regarding B&R
  • Creating SOX compliant process with the help of the zones where none exists
  Out of Scope
  • Assistance to IT Focal Point in performing risk assessment for each application
  • Creating SOX compliant process if none exists (marked: Remove)
  Deliverables
  • OP Guidance
  • B&R Intervals
  • B&R Risk Assessment
  • SOX Compliant Control (DE QA)
    - Control Register Text
    - Narrative
    - Flowchart
    - Test Scripts
  Register Sub-Processes
  Red Zone
  • C11.14 a, b, c

  8. Backup & Restore Status
  Key Risks
  • No SOX compliant process available
  • EA feedback delayed
  • OP Decision delayed
  Mitigation
  • If no process available, Delivery Team will work with Zones to identify process
  • Move forward without feedback or decision from OP
  Key Assumptions
  • Minimal time spent with IT Focal Points to review process
  • Assistance not required to perform risk assessment for each application
  • SOX compliant process is available by 24 June

  9. Backup & Restore Workshop Update
  Which Zones are waiting on a Backup & Restore solution?
  • SOPLA will have process for 30 June
  • SOPUS will have QA’d process by 30 June (specific to CSC)
  • Today have looked in Greenlight for QA’d, deemed-effective process – None
  • Action – David Deason – Speak to reps from other Businesses

  10. Backup & Restore Action Plan
  Status is “Red”: No SOX compliant solution is available
  Action Plan
  • Speak to reps from other Businesses – use as fallback
  • D. Deason to obtain SOX compliant solution by working with the zones
    - Names from Zones – Cristina Walker, Bonnie Piernot
    - Decision – Go with Cristina’s or Bonnie’s solution
    - Target Date for input from other businesses and deciding whether we can rely on Cristina’s or Bonnie’s process – 30 June
  • Prepare OP guidance including Risk Assessment – Target Date is 24 June
  • Obtain OP Decision – Target Date is 8 July
    - Decision – We won’t wait on OP Decision to move forward with guidance

  11. SoE/SoD (Tier 2/3)
  In Scope
  • Interpretation & clarification of CoE team guidance regarding SoE/SoD
  • Development of the approach for OP regarding SoE/SoD based upon CoE guidance
  • Creation of Risk & Mapping tools to assist in categorising applications to determine SoE/SoD requirements
  • Consultation to OP regarding SoE/SoD
  • Delivery of Control Register Text, Narrative, Flowchart & Test Scripts
  Out of Scope
  • Assistance to IT Focal Point in performing risk assessment for each application
  Deliverables
  • Application Inventory Template
  • Segregation Scenarios
  • Segregation Guidance
  • Risk Assessment Worksheet
  • Environment Mapping Worksheet
  • Compensating Controls List
  • Sign-Off Template
  • SOX Compliant Control (DE QA)
    - Control Register Text
    - Narrative
    - Flowchart
    - Test Scripts
  Register Sub-Processes
  Blue Zone
  • C11.6 a (SoE)
  • C11.6 b (SoD)

  12. SoE/SoD IT Scope
  • In scope for IT is SoD for IT support staff (Change Mgmt) – BAM
  • In scope for IT is C11.6a (SoE)
  • Any other SoD items are business owned

  13. SoE/SoD (Tier 2/3) Status
  Key Assumptions
  • Zones do not require assistance with Control Register Text, Narrative or Flowchart
  • Minimal time spent with IT Focal Points to review process
  • Assistance not required to perform risk assessment for each application
  • Risk assessment was the only portion of SOX compliant control that was required by IT FPs
  Key Risks
  • External Audit feedback delayed
  • OP Decision delayed
  Mitigation
  • Move forward without feedback or decision from OP

  14. SoE/SoD Workshop Update
  Which Zones are waiting on SoE/SoD?
  • Cristina to check on SOPLA process
  • Bonnie to check for SOPUS
  • Check with Ernie
  • Decision – Delivery Team will provide SOX Documentation (Control Register Text, Flowchart, Narrative, Generic Test Scripts)
  • Decision – Backup & Restore takes priority over SoE/SoD work

  15. SoE/SoD Action Plan
  Status is “Red” pending feedback from External Auditors (EA) and OP Decision
  • Meeting with External Auditors delayed to 23 June
  • Status of OP decision
    - Prepare Decision package – to be prioritized with B&R work
    - Submit to OP Decision makers – to be prioritized with B&R work
  • Decision: Begin rollout of SoE/SoD guidance to IT FPs without EA or OP decision
    - Low risk that Decision is delayed
    - Low risk for major changes, but if major changes requested, then rework may be required
  • Action – David – Resend final docs (link) to all by Friday, 24 June
  • Action – David to work with Cristina/Bonnie/Ernie to determine when their processes will be QA’d and to provide date for when the SOX Documentation can be made available. This is lower priority than B&R

  16. SDLC
  In Scope
  Coordination and facilitation with SDLC owner (PEC) and CoE Team to ensure:
  • Responsibility for delivering a SOX compliant solution by working with PEC and escalating when needed
  • SOX required documentation is created, including register (standardized text for remediated controls), narratives and flowcharts
  • Design Effectiveness QA of all processes for SOX compliance is passed
  • Generic test scripts are created for processes
  • Plans are in place for training of all appropriate staff on processes
  In scope is large/small/emergency changes/routine changes
  Out of Scope
  • Development of training material (PEC responsible)
  • Embedding of process in the organization (OP SDLC Process Owner is responsible)
  • Enforcing usage of SDLC (OP SDLC Process Owner is responsible)
  • Training staff (PEC & OP SDLC Process Owner are responsible)
  Deliverables
  • Presentation of Guidance on SDLC controls
  • Process
  • Control Register Text
  • Flowchart
  • Narrative
  • Test Scripts
  Register Sub-Processes
  Red Zone
  • C11.9 a,b
  Blue Zone
  • C11.1 a,b
  • C11.4 a,b
  • C12.1 a,b
  • C12.5 a,b

  17. SDLC Status
  Assumptions
  • PEC will remediate Stage Gates and train all affected staff
  • AD&P and BAM resources will need to be trained on PEC Stage Gates
  • PEC Stage Gates will pass QA
  • Generic test scripts for C11 and C12 are sufficient and require no modification for implementation by zones
  • Training strategy already being used by PEC for PMs is sufficient for support staff
  Key Risks
  • PEC Stage Gates assessment by auditors is still under review by CoE and re-remediation may be required
  • Implementation (training) is not completed on time
  Constraint
  • Implementation (training) must be completed by 30 Sept in order to meet the year-end Group deadline

  18. SDLC Action Plan
  Status is “Red” due to:
  • Delay in achieving alignment with PEC and CoE regarding roles and responsibilities
  • Lack of SOX compliant process (Stage Gates is still in DE QA)
  Are there other SOX compliant processes out there? No
  Action Plan:
  • Identification of OP Owner by 1 July
  • Take an OP decision – PEC Stage Gates or not – by 8 July
    - Prepare Decision package next week
    - Submit to OP Decision makers week after next
  • Continue coordination with PEC and CoE to understand impact of Stage Gates as the SDLC
  • Push for delivery of Stage Gates with PEC and escalate when necessary

  19. Ongoing Projects
  In Scope
  • Coordination and facilitation with CoE and SDLC process owners from PEC and OP to ensure:
    - CoE Guidance is developed
    - Training for PMs is available
    - SDLC (PEC Stage Gates) documentation is updated
  Out of Scope
  • Roll out within OP (to be done by PEC and/or AD&P owner)
    - Identification of OP on-going projects
    - Implementation of guidance
    - Training of AD&P staff
  • Guidance for projects without IT component (business process only projects)
  • Assurance that the project itself is SOX compliant
  Deliverables
  • Presentation of Guidance on on-going projects to IT Focal Points
  Register Sub-Processes
  None

  20. On-going Projects Status
  Assumptions
  • AD&P can identify all projects/PMs which are impacted
  • All SOX relevant OP IT projects are managed by AD&P (no projects run by AoOs on their own) and therefore no alignment with AoOs required
  • PEC has overall ownership of this process
  • AD&P has ownership of the roll out within OP
  • On-going projects are not subject to external audit but must ensure SOX compliance at go-live
  Key Risks
  • OP Ownership not agreed by 27 June, putting OP roll-out approach and plan at risk
  • Extent of updates to SDLC not yet known

  21. On-going Projects Action Plans
  Status is “Red” due to:
  • Delay in achieving alignment with PEC and CoE regarding roles and responsibilities
  • Dependency on SDLC solution
  Expectations for Ongoing Projects Team
  • For projects running now (apps/infrastructure), want to ensure that changes are updated in Greenlight for SOX Registers
  Action Plan: MaryEllen to create plan for the following:
  • Create Inventory of projects that are SOX Relevant by providing 1 page request showing how to decide if SOX relevant that will be returned
    - These projects must come into OP IT SOX Scope – must develop a process to do this
  • Define what must be done by each project: MEB get from Ronald & Henk list of what needs to be updated
  • Package as OP Approach and get CoE feedback and OP Decision
    - Part of Decision is agreement with OP that SOX team can stop projects from going live if not comfortable that SOX work is done
    - Who will sign off before project goes live – go/no go?
  • Jointly decide for each project who will make SOX Documentation updates

  22. On-going Projects – Issues
  • Who will answer questions from PMs on what needs to be done?
    - Delivery Team to drive AD&P to provide this support
    - Actual update of documentation done by FPs, but project (or AD&P) must supply resource – project must drive asking for assistance
    - Delivery Team provide light assistance, but project must ensure appropriate staffing
  • How do we handle ongoing change requests (SAP) that are not projects?
    - Bill – provide OP change management process for changes from now to 2006 – add to Delivery Team scope operationalizing this statement
    - No process in place today that controls the changes to business registers – Parking Lot item
  • When are new projects expected to follow SDLC? The date was end of June this year. Now what is the date?
    - CoE should tell us what IAF is expecting – MaryEllen action

  23. C11.16 – Complete!
  In Scope
  • Interpretation & clarification of CoE team guidance regarding Data Authentication and Integrity
  Out of Scope
  • N/A
  Deliverables
  • Instructions for completing control register text based on CoE guidance
  Register Sub-Processes
  Blue Zone
  • C11.16.a

  24. C13
  In Scope
  • Interpretation & clarification of CoE team guidance regarding End User Computing (EUCs), including spreadsheets, Access databases and end user reports
  • Development of the Remediation approach for OP regarding EUCs based upon CoE guidance
  • Template implementation plan
  • Policies and Procedures document for EUC Administration
  • Template C13 Register
  Out of Scope
  • Actual remediation activities for each AoO, including development of test script for logic testing or control register testing
  • QA of AoO deliverables (SOX Documentation, including test scripts)
  • Overseeing and tracking C13 remediation
  • Scoping of EUCs
  • Flowcharts/narratives (not required for SOX compliance)
  Deliverables
  • Template C13 Remediation Project Plan
  • Inventory of EUC Repositories Form
  • EUC Summary Document Form
  • EUC Test Forms and Guidance
  • EUC Policy Document
  • C13 Register template and test scripts
  • Forms and Templates for EUC Remediation
  • Examples of Remediated Spreadsheets, Access DBs and End User Defined Queries
  Register Sub-Processes
  Red Zone
  • Business Register – C13.x (all) Red Zone
  Blue Zone
  • Business Register – C13 Blue Zone

  25. C13 Status
  Key Risks
  • MS Access guidance not yet available
  • OP approach for physical remediation is unknown
  • Scope of EUCs not yet finalised
  • Roles and Responsibilities for EUCs not agreed
  • Transition to support cannot happen because support organization has not been identified

  26. C13 Action Plan
  Status is Red due to:
  • Lack of agreement from Central QA to C13 register – now resolved and CoE will QA
    - Expected date? Melissa action to get expected date
  • Decision – Move forward with Register without QA? NO
    - Not priority at this point
    - High risk that changes will occur

  27. C13 Remediation – Where Are We?
  Decisions from Frank’s LT meeting last week
  • Business is responsible for C13
  • Frank agreed IT should help, but to what degree has not been decided. Need to regroup.
  Action: Delivery Team to work with OP Business Team to draft a TOR to include:
  • Scope rightsizing – Priority
  • Current Delivery Team scope – Need to finish
  • Roles & Responsibilities between business & IT
  • Factory concept – Not needed per FPs in Workshop
  • Hoteling and other CoE tool status – Need to know if it changes current approach. Only available in Oct/Nov?
  • East Zone learnings
  • What is Red Zone for C13 (risk-based approach for C13 in regards to remediation) – Not priority

  28. C13 – What Should the Zones Be Doing?
  • Documentation of Spreadsheets – IT continue driving work with business? Yes
    - Needs to shift to business and business should pull – include in TOR
  • If resources being requested now, should we continue?
    - Bill – don’t turn off any work
    - Continue with current plans while Delivery assesses impact of tools and how the transition to business will work – will react to changes when known
  • Who will do Self-Testing?
    - Add to TOR a statement – IT believes Business responsibility

  29. C13 – Zone Requirements

  30. C13 – Access Guidance Status
  • Draft guidance submitted last Friday
  • Once document is available, we’ll send out to IT FPs for feedback
  • Decision – Move forward 30 June with guidance without CoE approval? No
    - High risk for changes
  • Anyone need guidance for End User Defined Queries?
    - No one has need today, so out of our scope today. If it comes into scope, we’ll manage change

  31. OP C13 Scope Validation – Review Approach
  Objective
  • To perform due diligence on OP’s inventory of EUCs to ensure consistent assumptions/interpretations have been applied to determine relevance to SOX scope against the current methodology guidelines
  Current Guidelines
  • Is an EUC mentioned in the Actual Control Description in the business register (C1-10 etc)?
    - If yes, EUC is in scope for SOX and needs to be entered into the EUC Inventory
  • Is the EUC a control for the process?
    - If yes, then the EUC is in scope for C13 remediation
    - If no, and the EUC is merely a carrier of information, it could possibly be ruled out of scope for C13 remediation but still needs to be listed in the EUC Inventory with a reason given for why it is out of scope
  Approach
  • Validation Due Diligence Team consists of Rick Cicalo, Geoff Booth and Martin Playle
  • AoOs under review were Belgium, Sweden, Italy and Lubes (Pennzoil). Lubes was not reviewed due to the AoO currently conducting a review of the list of EUCs in scope
  • Output from the IT Taskforce used
  • A sample of EUCs in each Taskforce Application List collectively reviewed by the Validation Team against current guidelines and GreenLight descriptions
  • Review results collated in a Word document and sent to each AoO for responses

  32. C13 Scope Validation Status
  • A number of EUCs identified that may need to be brought back into scope – business reviewing reports
  • No changes to scope have been processed
  • Rick Cicalo agreed with Frank that wider scale review should be conducted
    - Terms of Reference has been drafted for this work
  • Deciding EUC scope is a business responsibility, NOT IT. Project will report to Rick
  • Additional resources required not yet identified, but they need to be business skilled, not IT skilled

  33. Security
  In Scope
  • Review of existing SOX compliant controls for use as basis for OP SOX compliant control
  • Recommendation of SOX compliant control for OP usage
  • Ensuring alignment between ITCI documentation and the recommended SOX compliant control
  • Creating SOX compliant process with the help of the zones where none exists
  Out of Scope
  • Actual remediation of any IT controls
  Deliverables
  • SOX Compliant Control (DE QA)
    - Control Register Text
    - Narrative
    - Flowchart
    - Test Scripts
  Register Sub-Processes
  Red Zone
  • C11.11 a,b,c,d,e,f,g,h,i,j
  • C11.12 a,b,c,d,e,f
  • C12.11 a,b,c,d,e,f,g,h,i,j
  • C12.12 a,b,c,d,e,f
  • C12.16 a,b,c,d,e,f,g,h
  • C12.21 a,b
  • C12.23 a,b,c,d

  34. Security Status
  Implementation Packets for all controls sent 17 June:
  • Contain summary of all learnings including ITCI references and some existing practical examples
  • Plan forward to be discussed in Security Discussion
  Assumptions
  • OP IT SOX Compliance Security team will not engage in developing / updating Group Security Policies (ITCI Documents, local procedures, etc)
  • SOX Compliant Processes exist
  Key Risks
  • No SOX Compliant Process exists
  Mitigation
  • Way forward to be discussed and agreed in 20 June Workshop

  35. Delivery Security Objectives
  Agreement on a go-forward approach for Security controls
  • We are Red because there are no complete SOX compliant solutions available
  • Complete: Greenlight has been assessed
  • Complete: Pauwl Lunow’s team has been consulted to provide other examples of QA’d processes
  • On-going: work with Seamus Reilly to identify other processes available globally (across all businesses)

  36. Security Action Plan
  Security Workshop To Be Held
  • Leave with Process and Documentation for all Security Controls – submit process and documentation the day the workshop ends
  • Include QA in Workshop to lessen risk
  • Include GITI
  • Need to secure strong, senior facilitator for workshops – include recommendation in TOR
  • Planning Date: Assuming Security is Top Priority – 31 July, minus test scripts (4 weeks later)
  • Location? – The Hague, 4 July. Cristina send info; MEB schedule follow-up with Cristina
  • Action: MaryEllen create “TOR” for workshop to ensure alignment by Tuesday
  • Action: Focal Points send names to MEB by end of Wednesday
  • Action: MEB send placeholder meeting notice Thursday

  37. C12
  In Scope
  • Oversight of all controls on C12 for OP SOX Compliance Delivery Team
  • Coordination and facilitation of all issues related to C12 control register
  • Coordination and facilitation between OP and GITI/ISIP/PEC related to C12 remediation
  • Delivery of SOX compliant processes for in scope sub-processes (see below)
  Out of Scope
  • Embedding of process in the OP organization
  • Remediation of controls
  • Implementation of SOX compliant processes
  Deliverables
  • SOX Compliant Control
    - Control Register Text
    - Narrative
    - Flowchart
    - Test Scripts
  • Inventory of required C12 remediation activities in zones
  • Action plan to address C12 issues
  Register Sub-Processes

  38. C12 Status
  Assumptions
  • Planning assumption is GITI is handling GITI remediation
  • GITI will, therefore, provide SOX compliant processes for C12 controls
  • The C12 workstream will use those as the basis for SOX compliant controls for C12
  Key Risks
  • Lack of readily available SOX compliant controls for C12
  • Sizeable rework required for adapting existing C12 controls for use by AoOs
  • Unable to adapt/modify existing C12 controls into a common standard for use by all AoOs without modification

  39. C12 Status

  40. C12 Discussion
  C12 Areas of Discussion:
  • C12 Inventory Overview
  • Delivery of C12 SOX Compliant Processes
  • Outstanding C12 Issues

  41. C12 Inventory Overview
  (Inventory table not reproduced in transcript; footnotes below.)
  * Port Dickson: Migration to GI -> GITI? Bukom Refinery?
  ** Sweden, Norway and Denmark are unclear.
  *** No sites are mentioned in overview.
  **** In cooperation with CSC.
  # No information on C12 available.
  Ed has action to confirm this data with all Focal Points

  42. C12 SOX Compliant Processes
  Definition of Best Practice:
  • SOX Compliant processes for all C12 controls
  Best Practice includes:
  • Control Register Text
  • Narratives
  • Flowcharts (where required)
  • Test Scripts

  43. C12 SOX Compliant Processes
  Initial plan/approach:
  • Wait for GITI documents and use those as basis for Best Practice documents for the zones
  Current reality:
  • GITI processes still waiting to receive DE QA
  • GITI processes deemed unsuitable for OP sites
  Revised approach:
  • Review EP Dubai documents for OP use
  • Assessed by C12 focal points to be useful for OP (as base)

  44. C12 SOX Compliant Processes
  Current status of Dubai documents:
  • Work has already started to modify/improve Dubai documents for use by OP
  • Modifications/improvements to Dubai documents have been divided amongst East and EU C12 focal points and Central C12 team
  • Red Zone controls are expected to be ready by 30 June to be sent to the sites
  • Blue Zone controls will follow later, with the last control being made available in August, assuming no additional influx of resources

  45. C12 SOX Compliant Processes
  Current options:
  • Option 1: Use the EP Dubai documents as they are
  OR
  • Option 2: Modify EP Dubai documents by:
    - Adding comments and implementation guide
    - Sending to the zones for implementation on select pilot sites
    - Collecting feedback from pilot sites and improving documents
    - Communicating any improvement and experience to other sites
  Note: work already started on Option 2

  46. C12 SOX Compliant Processes
  Questions to ITFPs:
  • Which Option (1 or 2) should be pursued?
    - Option 2 will be pursued and processed as a Change Control for Delivery Team
  • If decision is to pursue Option 2 – is proposed process okay (i.e. pilot sites)? Yes
  • What about timing? Need to consider ways to bring dates in

  47. BAM Global Processes – I/P, C/R, SLA
  In Scope
  Coordination and facilitation with BAM to ensure:
  • SOX required documentation is created, including register (standardized text for remediated controls), narratives and flowcharts
  • Design Effectiveness QA of all processes for SOX compliance is passed
  • Generic test scripts are created for processes
  • Plans are in place for training of all appropriate staff on processes
  Coordination with BAM Programme Manager to ensure alignment and resolve issues
  Liaison between BAM and IT Focal Points
  Out of Scope
  • Development of SOX compliant solution and training material
  • Managing BAM project plans for each process
  • Embedding of process in the organization
  • Enforcing usage of processes
  • Training staff
  • Facilitation or coordination of Step-out requests
  Deliverables
  • Ensure that BAM provides Control Register Text, flowcharts, narratives for sub-processes noted below
  • For non-BAM applications, provide the BAM processes to the AoO for local implementation
  Register Sub-Processes
  Red Zone
  • C11.2 a,b,c,d,e,f,g,h
  • C11.3 a,b,c,d
  • C11.7 a,b,c
  • C11.8 a,b,c
  Blue Zone
  • C11.4 c,d
  • C11.5 a,b
  • C11.6 b,c,d,e,f,g
  • C11.10 a,b,c,d,e
  • C11.13 a,b,c

  48. BAM Status
  Key Assumptions
  • IT FPs not accountable for implementation of BAM global processes
  • IT FPs’ only activity related to BAM processes is to update C11 register with documentation provided by BAM
  • All Global Processes will be implemented for in-scope SOX applications by 30 September
  Key Risks
  • Global Processes are not implemented by 30 September

  49. BAM
  • SLA documentation is “Red” because process has not passed QA
    - Action: MrF – Determine action plan to finalize QA for SLA
  • What is priority of C/R & I/P documentation out to IT FPs?
    - Send to all other AoOs by 30th and process feedback. Then send to East and EU
  • What other status information is needed?
    - Action: Melissa work with Laura to ensure BAM rollout status begins to go out to FPs on regular basis
    - Action: Jim provide BAM focal points for each country
  • What kind of info are you being asked for? No issues
  • Other issues?
    - Action – address SLA scope issue

  50. BAM – Delivery Team Role
  • BAM: Continue to go directly to you and your teams? Yes
  • Do you want to use Delivery when questions for BAM? No – go directly to BAM
    - Delivery role is escalation if FPs don’t get answers from BAM
  • BAM to get SOX info and updates from IT Focal Point meeting
    - Delivery serves as escalation after FP Meeting
