1 / 13

Section 404 of Sarbanes-Oxley An Oracle Perspective Paul Kirch KLA-Tencor Corporation

-. Section 404 of Sarbanes-Oxley An Oracle Perspective Paul Kirch KLA-Tencor Corporation. Agenda. Company Overview Sarbanes-Oxley Overview Section 404 in “plain English” COSO framework Project Timeline Business Processes Universe Separation of Duties Defined Incompatibilities

truda
Download Presentation

Section 404 of Sarbanes-Oxley An Oracle Perspective Paul Kirch KLA-Tencor Corporation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. - Section 404 of Sarbanes-OxleyAn Oracle PerspectivePaul KirchKLA-Tencor Corporation

  2. Agenda • Company Overview • Sarbanes-Oxley Overview • Section 404 in “plain English” • COSO framework • Project Timeline • Business Processes Universe • Separation of Duties • Defined • Incompatibilities • Guiding Principles and Implementation • Applied • Lessons learned • Next Steps (add group under View/Header...)KLA-Tencor Confidential – Do Not Duplicate

  3. Company Overview • One of NASDAQ “Top 50” Companies in 2002 • Manufacturing company engaged in developing and manufacturing capital equipment used in the manufacture and production of silicon wafers • Formed by a merger of KLA and Tencor Corporation in 1997 • Major customers are principal silicon chip manufacturers worldwide • 75-80% of revenue from overseas operations • Sales offices in 15 countries around the world • Major R&D locations in U.S and Israel • Merged company used Oracle as a platform for developing common manufacturing and financial processes • International operations upgraded to Oracle 11i in Spring, 2003 • June 30 fiscal year end ensured that KLA-Tencor would be the first Fortune 500 company audited under the new Sarbanes-Oxley standards • In Spring, 2003 chip industry was just beginning to emerge from one of the severest down cycles in the history of the industry (add group under View/Header...)KLA-Tencor Confidential – Do Not Duplicate

  4. Section 404 in “Plain English” • Management must assert and auditors must attest that: • All transactions that are either material by themselves or cumulatively material to the company are authorized according to an agreed policy/procedure. • Assets of the company are adequately safeguarded. • Procedures are in place to ensure that the reported financials adequately disclose all transactions. • What is required: • Establish a control framework (aka COSO) to map business processes/objectives/risks/control activities. • Document policies & procedures • Self assessment of the adequacy of these Policies and Procedures • Complete testing with internal auditor and external auditor • Who? • 90% internal; anyone involved in a material business process. • U.S/ Israel project involved 50 people • Worldwide project involved 75 people (add group under View/Header...)KLA-Tencor Confidential – Do Not Duplicate

  5. COSO Framework • Control Activities • Policies/procedures that ensure management directives are carried out • Range of activities including approvals, authorizations, verifications, recommendations performance reviews, asset security and segregation of duties. • Monitoring • Assessment of a control system’s performance over time. • Combination of ongoing and separate evaluation. • Management and supervisory activities. • Internal audit activities • Information and Communication • Pertinent information identified, capture and communicated in a timely manner • Access to internal and externally generated information. • Flow of information that allows for successful control actions from instructions on responsibilities to summary of findings for management action. • Risk Assessment • Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives forming the basis for determining control activities. • Control Environment • Sets tone of organization influencing control consciousness of its people.’ • Factors include integrity, ethical values, competence, authority, responsibility. • Foundation for all other components of control. (add group under View/Header...)KLA-Tencor Confidential – Do Not Duplicate

  6. Project Timeline Summer Spring Fall/Winter • Perform ongoing testing • Monitor • Prepare assertion • Prepare internal control report • Plan the project • Review COSO Compliance • Put Team in Place • Define scope • Assess the control environment • Engage external consultants to assess impact on Oracle 10.7/11i • Build a controls repository • Document control objectives • Document control activities and map to control objectives • Complete self-assessment of actual performance of these controls • Identify and remediate gaps • Perform initial tests of operating effectiveness • Implement SoD in Oracle 10.7 and Oracle 11i Independent Auditor Review Board Review Independent Auditor Assessment (add group under View/Header...)KLA-Tencor Confidential – Do Not Duplicate

  7. Business Processes Universe • Sales & Marketing • Contract Sales • Sales Ops Review • Finance Review • Legal Review • Engineering Review • Operations Review • Ad-hoc Sales • Product Marketing • Product Development • Sales Commissions • Inventory Management • Manufacturing • Procurement • Manufacturing Quality • Vendor Management (i.e, competitive bidding, preferred suppliers) • Quality Assurance • Health Assessments • Regulatory Compliance (i.e., Environmental) • Finance & Accounting • Accounts Payable • Accounts Receivable/Billing • Capital Exp Approval • Non-Capital Purchasing • Fixed Assets • Budgeting & Forecasting • Closing the Books/Accounting • Account Reconciliation • Account Analysis • Accruals • Internal Reporting • External Reporting • Tax • Travel & Expense Reporting • Treasury • Debt/Financial Structure • Cash Management • FX/Derivatives/Hedging • Banking Relationships • Insurance • Credit & Collections • Payroll • Customer Management • Technical Support • Problem Resolution & Tracking • Customer Service Install Base Management • Legal • Contract Approval • Litigation Management • Intellectual Property • Whistle Blower • Information Systems • IT Strategy/Planning • Systems Implementation & Integration • Project Management • Software Selection • Software Development • IT Systems Maintenance (daily operations) • Financial • HR • Business • Network Administration • Security/Privacy • Business Continuity Planning • Disaster Recovery Planning • Record retention • Help Desk • Human Resources • Hiring • Non-Standard Employee Agreements • Employee Benefits Management • Termination (and restructuring) • Staffing Analysis (i.e., Manpower Levels) • Compensation Review (Executive) • Workers Compensation Mgmt/ Claims Processing • Employee Annual Review • Training & Development • Employee Communication • Feedback • Survey • Employee Loans • Corporate Development • Third-Party Alliances/Partnerships • Mergers & Acquisitions • Infrastructure & Other • Facilities Management • Physical Security • Physical Records Management • Corporate Communications • Investor Relations • Public Relations • Receiving • Distribution/Logistics • Telecommunications • Network Management • Management & Board • Board/Committee Meetings • Executive/Management Team Meetings • Corporate Governance • Authority/Approval Matrix • Disclosure Controls Documentation Process • Financial processes are significant to either the financial statement amounts and controls or financial disclosures. (add group under View/Header...)KLA-Tencor Confidential – Do Not Duplicate

  8. Separation of Duties (SoD) Defined Functions Responsibilities Enter Invoices Inquire Invoices, Payments, Accounting, Suppliers and Banks Run Standard Reports Enter Data Approve Invoices Update Accounting Entries Payables Transfer to GL Inquire Invoices, Payments, Accounting, Suppliers and Banks Run Standard Reports Approve Create Payments / Payments Batches Inquire Invoices, Payments, Accounting, Suppliers and Banks Run Standard Reports Pay Create Suppliers / Enter Employees Inquire Invoices, Payments, Accounting, Suppliers and Banks Setup Banks / Setup Tax Codes Open / Close AP Periods Run Standard Reports Maintain Inquire Invoices / Inquire Payments / Inquire Suppliers View Employees Run Standard Reports Inquiry (add group under View/Header...)KLA-Tencor Confidential – Do Not Duplicate

  9. SoD Incompatibilities (add group under View/Header...)KLA-Tencor Confidential – Do Not Duplicate

  10. SoD Guiding Principles and Implementation • Single point in time review of existing functional responsibilities using E&Y defined Separation of Duties (DOD) matrix for both Oracle 10.7 and Oracle 11i (international) users • Detailed communications to end users regarding plan to end date or remove certain responsibilities that constituted a SOD violation, with emphasis on Finance functions (GL, AR, AP), Purchasing (largely PO Creation and Receiving), and Sales Administration (Order Entry and Shipping) • Detailed instructions to Corporate Help Desk on how to administer new requests for Oracle responsibilities • Key manager approval of all requests for Oracle applications access • Alert to key IT managers whenever an employee record was created or changed to alert them to the responsibilities currently assigned to that specific user • Communicate Sarbanes-Oxley corporate policies using KT Intranet • On-going effort to improve process by refining requirements, working with Corporate finance to determine “universe” of potential software vendors and desired functionality, and selecting a Sarbox 404 software vendor (add group under View/Header...)KLA-Tencor Confidential – Do Not Duplicate

  11. SoD Applied (add group under View/Header...)KLA-Tencor Confidential – Do Not Duplicate

  12. Common Errors at other companies . . . • Did not involve external Big 4 accounting firms in design and planning process • No joint commitment from business and IT to meet certification requirements • Too much detail . . .Not scoped correctly • All externally contracted work . . . Won’t have long term benefits . . . • No prioritization . . . Leave the hardest for last . . . • Stand-alone documentation - not using what is already in use . . . • Not getting ahead early . . . Not enough short-term milestones . . . (add group under View/Header...)KLA-Tencor Confidential – Do Not Duplicate

  13. Observations and Next Steps • Sarbanes-Oxley 404 Compliance project completed on an ‘ad hoc’ basis using E&Y to define Separation of Duties issues • Project completed over the course of 4 months at a cost of $30,000; with 75% of time spent planning and 25% in actual execution • Oracle alerts put in place to monitor the assignment of new Oracle responsibilities to new and existing users • Company passed DT “pre-certification” and PwC “audit certification” without qualification, with several observations of conflicts noted • Observed conflicts due largely to assignment of conflicting responsibilities to IT personnel; in one case, conflict due to misunderstanding about exact role played by user in Corporation (add group under View/Header...)KLA-Tencor Confidential – Do Not Duplicate

More Related