
OP US SOX 404 Project Update June 2, 2006 Jim Lobb and Andrew Redcliff






Presentation Transcript


  1. OP US SOX 404 Project Update, June 2, 2006, Jim Lobb and Andrew Redcliff

  2. Agenda
      • Opening Remarks – 10 min
      • Where We Are Today – 50 min
      • Go Forward Plan – 60 min
      • Process Change Management – 20 min
      • Embedding Update – 30 min
      • Wrap-Up – 10 min

  3. Purpose
      • Reach a common understanding of where we are today in achieving the current plan for SOPUS and PQS.
      • We will cover all areas of SOX relating to US OP, to include:
        • Go forward plans & doability
        • Issues, risks/mitigation
      • Agree communication of a common understanding of the status of the US project

  4. Overview
      • You will see facts on where we are:
        • Design Effectiveness at Q1 sign-off
        • Operating Effectiveness status
        • PWC and IAF testing results and outcomes
        • Go forward plans for remediation and testing
      • What we need:
        • Clear understanding of status and forward plans
        • Summary communication we can all agree

  5. WHERE WE ARE TODAY

  6. Where we are today
      • DE Q1 Sign-off – Self Assessment – 6 not effective (failure rate 10%)
      • OE – Self Assessment Round I (Partial Sample) – 24 not effective (failure rate 21%)
      • How embedded we are
        • COB/COS interacts with Internal Audit, PWC, and reports remediation to Steering Committee. Project supports work effort
        • Knowledge Transfer – Super Workshops Q4 2005, SOX project progress accountability to CoB/CoS at 1/06, Training 50% complete
      • Q1 Sign-off without issue with AoO Sr. Leaders

  7. Action Items from January Review

  8. Action Items from January Review
      • 11 of 12 closed with 1 outstanding
      • Open
        • Neil Cordey to provide Business with long term impact of SOX 404
      • Closed (summary of key points)
        • Manila ownership and testing plans resolved
        • Review EUC spreadsheets with PwC to see if others can be scoped out
        • Guidance on work needed on out-of-scope
        • Add resources to plan to allow for remediation from audits and QA
        • Confirm and add appropriate AEC testing scope and resources
        • Verify alignment of plan with Group & OP PMOs, IAF and PwC
        • Communicate impact of work to Business

  9. Design Effectiveness Self Assessment (Business, General and Embedded IT)

  10. 2006 Project Status – May 22nd Sign-off
      SOPUS and LUBES (excluding IT) Design Effective Work Achieving:
      • Total Controls: 437
      • Not Effective: 3 (1%)
      • Effective: 430 (98%)
      • Remediated Not Retested: 1 (0%)
      • Not Tested: 0 (0%)
      • No Transaction: 3 (1%)
      IT Design Effective Work Achieving:
      • Total Controls: 489
      • Not Effective: 36 (7%)
      • Effective: 362 (74%)
      • Not Tested: 81 (17%)
      • Remediated Not Retested: 3 (1%)
      • No Transactions: 7 (1%)

  11. Shell US - Design Effectiveness

  12. Manila Design/Design Effectiveness

  13. IT General Controls- Design Effectiveness

  14. IAF Audits/Outcomes – Design Effectiveness (Business, General and Embedded IT)

  15. IAF Audit Status – Business (excl IT)
      • As of Q1 signoff:
        • IAF reviewed 179 controls in the Round 1 audit and found 36 (20%) not effective
        • Round 1 audit was completed on 16 March
        • The Business has no outstanding issues to address
      • Design Remediation in Q2:
        • IAF reviewed 79 controls in the Round 2 audit and found 22 (28%) not effective
        • Round 2 audit was completed on 18 May
        • The Business is in the process of reviewing and addressing these 22 issues

  16. IAF Audit Status – IT General Controls
      • Internal Audit – Scope
        • Review of 2006 DE and OE Testing as available
        • SOPUS & Lubes C11, C12 & C13 Failure Rates ????

  17. IAF Comments
      • Timothy Jackson to come and comment if possible

  18. PWC Audit/Outcomes – Design Effectiveness (Business, General and Embedded IT)

  19. PWC Audit Status – Business (excl IT)
      • As of Q1 signoff:
        • PwC reviewed 389 controls and found 21 (6%) not effective
        • All 21 issues have been addressed
      • Design Remediation in Q2:
        • PwC submits new findings weekly
        • The Business has only 3 issues outstanding to be addressed

  20. PwC Audit Status – IT General Controls
      • External Audit – Scope
        • 2006 DE Testing
        • Lubes C11 & C12 – completed
        • SOPUS C11, C12 & C13 – in process
      Need number outstanding added

  21. PwC Comments/Slides
      • How about in this slot for Jason and PwC to speak

  22. Design Effectiveness QA Review (Business, General and Embedded IT)

  23. Central Quality Assurance Review
      • CQA – Observations on Key Accomplishments to Date
        • Super workshops and 2005 testing program successful in early identification of major design remediation needs
        • Business/Control ownership is high
        • US Business and project teams have been very proactive
        • Round 1 – early testing has provided a jump start to 2006 program
        • EY testing team strategy will provide high grade test scripts and work papers that can be followed in 2007 and beyond.

  24. DE Sign-off Point
      • Up until this point we have:
        • Finished the 2005 Work Program by the February 9th plan date
        • Completed a solid project plan for 2006 to include alignment with Group/OP PMOs, PWC and Internal Auditing
        • RESM/FARM/Efficiency Review completed on scope
        • Class of Transaction Maps for walkthroughs completed
        • Round I of internal audits resulted in three fair opinions for design effectiveness assessment
        • Well underway with embedding SOX 404 in the business
        • Q1 Sign-off in the US was a success

  25. Operating Effectiveness Self Assessment (Business, General and Embedded IT)

  26. Shell US – Operating Effectiveness
      SOPUS and LUBES (excluding IT) Operating Effective Work Complete, Achieving:
      • Total Operating Effective Controls: 437
      • Not Effective: 23 (5%)
      • Effective: 14 (3%)
      • Remediated Not Retested: 35 (8%)
      • Not Tested: 352 (81%)
      • No Transaction: 13 (3%)
      IT Design Effective Work Complete, Achieving:
      • Total Operating Effective Controls: 489
      • Effective: 64 (13%)
      • Not Effective: 35 (7%)
      • Not Tested: 317 (65%)
      • Remediated Not Retested: 60 (12%)
      • No Transactions: 13 (3%)

  27. Shell US – Operating Effectiveness

  28. OP US SOX 404 Operating Effectiveness Test Summary – Round I
      • The remediation required to address most of these exceptions would require less than one day’s effort to design and implement.
      • The exceptions generally fall into the following categories:
        • Lack of evidence that control operated
        • Control not operated per control description consistently across all samples
        • Critical timing not addressed in ACD and not consistently met in operation

  29. OP US SOX 404 Controls – Company Level Controls Round I Testing
      • 160 Total IT dependent and Manual Company Level Controls for 4183 (33), 4099 (107), 4098 (20), which includes the following:
        • 23 Annual, 8 No transactions and 26 Manufacturing Controls that will not be tested in Round I
      • 103 Total Controls available to be tested in Round I

  30. OP US SOX 404 Controls – Transactional Controls Round I Testing
      • 187 Total IT dependent and Manual Transactional Controls for 4183 (22), 4099 (163) and 4420 (2), which includes the following:
        • 5 Annual Controls, 7 No transactions controls, 18 Manufacturing Controls and 20 Remediated / Not Retested controls which will not be tested in Round I
      • 137 Total Controls to be tested in Round I

  31. IT EMBEDDED CONTROLS

  32. SOD Summary
      • Significantly below Group standard and target for KPI #1; “World Class status”
      • Current SOD items only relate to change “noise” that we tightly monitor
      • Working on “New scope” items based on “cheesewedge” updates
      • Working on “cross app SOD” analysis despite no Group guidance

  33. OP US SOX 404 System Controls – KPI 1: Ratio of Unmitigated SOD Conflicts per Active User
      • Purpose of KPIs as defined by the Central team – shows progress towards: a) benchmark for SOX compliance; b) the quality of the application controls framework for robustness and ease of maintenance
      • KPI #1 target – ratio should be below 1.0 before compensating control or risk waivers
      • Notes:
        • New SOX Matrix introduced in May 2005
        • Does not include compensating controls

  34. OP US SOX 404 System Controls – KPI 2: Percentage of Outstanding SOD Conflicts (with no compensating controls)
      • A few new conflicts on 5/15 report caused by user group changes; corrections already in the works with security
      • Lubes – excludes Canada
      • Magellan – excludes Stusco

  35. SOX KPI 3 – Critical Access
      • New metric per SOX guidance issued November 2005
      • KPI #3 – access that should never be granted in production system; target is zero.
      • Lubes cleanup is pending IT support role cleanup to be finished by May 31st by the ISIP project

  36. (Recommend to remove this slide)
      • New conflicts on 5/15 caused by user group changes; corrections in the works with security

  37. End User Computing

  38. SOPUS C13 Design Effectiveness Status
      18 total controls for C13
      • 1 = Not Applicable*
      • 1 = ISP**
      • 2 = Not Tested due to No Transaction
      • 14 = DE Tested and Fully Compliant
      * C13.1.b Risk Assessment: OP-wide decision that all in-scope EUCs are considered high-risk, therefore no assessment is required and all EUCs are subject to the full rigor of the C13 Register.
      ** C13.8.a.1 Files backed up as part of normal server operations by GITI.
      Independent testing completed by OP Central C13 resource with results and supporting documentation formally approved by QA.

  39. EUC Status by Register
      Note: For additional detail, i.e. specific control references and EUC descriptions, see associated “SOPUS EUC Inventory_mmddyy.xls”

  40. Application Embedded Controls

  41. AEC Testing Schedule (Control Count vs. Time)
      Change to line graphs like John Christ’s OE testing charts

  42. IAF Audit/Outcomes – Operating Effectiveness (Business, General and Embedded IT)

  43. IAF Audit Status – Business (excl IT)
      • As of Q1 Signoff:
        • IAF Round 1 audit was completed on 16 March
        • Independent Operational Testing
          • IAF reviewed 22 controls in the Round 1 audit and found 6 (27%) not effective
          • The Business has 3 outstanding issues to address
        • Self Assessment Testing
          • IAF reviewed 39 self test AEC and Business work papers
          • 20 controls: test script not appropriate
          • 10 controls: test conclusion not appropriate
          • All test scripts have been reviewed and addressed
      • Operational Remediation in Q2:
        • IAF Round 2 audit was completed on 18 May
        • Independent Operational Testing
          • IAF reviewed 7 controls in the Round 2 audit and found 1 (14%) not effective
          • The Business is in the process of reviewing and addressing this 1 issue

  44. PwC Audit/Outcomes – Operating Effectiveness (Business, General and Embedded IT)

  45. PWC Audit Status – Business (excl IT)
      • As of Q1 Signoff:
        • No PwC Operational testing performed
      • Operational Remediation in Q2:
        • PwC operational testing is expected to begin July

  46. PWC Audit Status – IT General Controls
      • Internal Audit scheduled June 26
      • PwC scheduled end of July

  47. Summary of Where We Are
      • Finished the 2005 Work Program by the February 9th plan date
      • Completed a solid project plan for 2006 to include alignment with PWC and Internal Auditing
      • RESM/FARM/Efficiency Review completed on scope
      • Class of Transaction Maps for walkthroughs completed
      • Reviews by internal audit resulted in two fair opinions for design effectiveness assessment
      • Well underway with embedding SOX 404 in the business
      • Q1 Sign-off in the US was a success
      • Currently on-target for completion of each major milestone

  48. 2006 FORWARD PLAN (Business & IT Controls)

  49. Going Forward
      • Supplement OE sample size June – August (Round II)
      • Q2 sign-off
      • Remediate Round II of OE self assessment findings
      • Remediate Round II of IAF exceptions
      • Remediate PwC OE testing findings
      • Q4 roll forward testing / Quarterly Annual in Jan 07
      • Complete training, analyse test scores, retrain weaker comprehension areas

  50. Outstanding Remediation (Business, General and Embedded IT Controls)
