
OP US SOX 404 Project Update June 2, 2006


Presentation Transcript


  1. OP US SOX 404 Project Update June 2, 2006

  2. Agenda • Opening Remarks 10 min • Where We Are Today 50 min • Go Forward Plan 50 min • Process Change Management 10 min • Embedding Update 20 min • Wrap-Up and Q&A 40 min

  3. Purpose • Reach a common understanding of where we are today for SOPUS and PQS. • We will cover all areas of SOX relating to US OP to include: • Go forward plans and doability • Challenges and mitigation • Agree communication of common understanding of status of US project

  4. Overview • You will see facts on where we are: • Design Effectiveness at Q1 sign-off • Operating Effectiveness status • PWC and IAF testing results and outcomes • Go forward plans for remediation and testing • What we need: • You to understand our status and forward plans • Agreement on Summary Communication

  5. SOX FOCAL POINTS CoB/CoS/LCZ/IT SOX Governance & Accountability Steering Committee Meets Biweekly SOPUS Controller SOX Implementation & Systems Assurance Mgr Mgr Financial Accounting & Assurance IT Motiva CoB/CoS Fin Mgrs Manila Guidance & Direction Accountability & Results SOPUS PROJECT TEAM Remediation – CoB/CoS Testers – CoB/CoS Embedding Team

  6. WHERE WE ARE TODAY

  7. Where we are today - Design DE Q1 Sign-off • Controls Status • OP US Business Controls 98% Effective (437 controls) • Manila Business Controls 100% Effective (27 controls) • OP US IT Controls 74% Effective (489 controls) • Internal (IAF) Audits • SOPUS Business Round I Fair Opinion (126 reviewed) • Lubes Business Round I Fair Opinion (53 reviewed) • SOPUS IT no draft received (55 reviewed) • LUBES IT no draft received (85 reviewed) • Manila Fair Opinion (20 reviewed) • SOPUS Business Round II Fair Opinion (78 reviewed) • External (PwC) Audits • Business Near complete (392 reviewed) • Lubes IT Completed (106 reviewed) • SOPUS IT 50% (73 reviewed)

  8. Where we are today - Operational OE Status as of Q1 Sign-off • Self Assessment • OP US Business Round I 194 reviewed (180 - Partial Sample Basis) • Manila Controls 10 reviewed (Partial Sample Basis) • OP US IT 274 reviewed (Some Partial Sample Basis) • OP US Business AEC 166 reviewed (345 total) • Internal (IAF) Audits • SOPUS Business Round I 15 reviewed • Lubes Business Round I 7 reviewed • SOPUS/Lubes IT 54 reviewed • Manila not reviewed • SOPUS Business Round II 7 reviewed • External (PwC) Audits – will begin late June

  9. How Embedded We Are • COB/COS interacts with Internal Audit Function, PWC, and reports remediation to Steering Committee • Knowledge Transfer • Super workshops Q4 2005 • Status accountability at 1/06 • Training 60% complete • Average Knowledge Survey score (post training) 85% • Average Readiness score 4.3 out of 5.0 • Core courses converted to elearning • Q1 Sign-off completed without issue by AoO and business leaders • ITGC – Global plan progressing

  10. Action Items from January Review

  11. Action Items from January Review • All actions closed (summary of key points) • Manila ownership and testing plans resolved • Review EUC spreadsheets with PwC to see if others can be scoped out • Guidance on work needed on out-of-scope • Add resources to plan to allow for remediation from audits and QA • Confirm and add appropriate AEC testing scope and resources • Verify alignment of plan with Group & OP PMOs, IAF and PwC • Communicate impact of work to Business

  12. Self Assessment Design Effectiveness (Business, General and Embedded IT)

  13. 2006 Project Status – May 22nd Sign-off • SOPUS and LUBES (excluding IT) Design Effective Work Achieving: Total Controls - 437 • 1% Not Effective (3) • 98% Effective (430) • 0% Remediated Not Retested (1) • 0% Not Tested (0) • 1% No Transaction (3) • Manila: 27 Controls - 100% Design Effective • IT Design Effective Work Achieving: Total Controls - 489 • 7% Not Effective (36) • 74% Effective (362) • 17% Not Tested (81) • 1% Remediated Not Retested (3) • 1% No Transactions (7)

  14. OP US Design Effectiveness – COB/COS Excluding Motiva & Manila

  15. OP US - Design Effectiveness

  16. ITGC - Design Effectiveness

  17. Summary of Where We Are - IT 2006 IT Scorecard • All controls DE tested: substantially complete • 81 marked not tested • 37 undergoing scope reassessment (2 already determined out of scope) • 23 controls had no sample data available to perform DE testing (no transactions) • 21 DE assessed and not tested due to known remediation actions; DE testing postponed until remediation actions complete; 5 now DE (should be not effective) • Remediation Action plans in place for all non-DE controls and non-tested controls • 36 marked as not effective • 7 to be marked out of scope following scope review • 14 remediation is complete with expectation to be marked DE by 30-June • 15 remediation in progress with expectation to be marked DE by 30-June • Controls completed early in 2005 have been reviewed and updated resulting in a stronger IT control framework

  18. IAF Audits/Outcomes Design Effectiveness (Business, General and Embedded IT)

  19. IAF Audit Status - Business (excl IT) As of Q1 signoff: • IAF reviewed 179 controls in the Round I audits and found 36 (20%) not design effective • Round 1 audit was completed on 16 March • The Business has completed action on findings Design Remediation in Q2: • IAF reviewed 78 controls in the Round II audit and found 21 (28%) not design effective • Round 2 audit was completed on 18 May • The Business is in the process of reviewing and addressing these 21 findings

  20. IAF Audit Status - Manila As of Q1 signoff: • IAF reviewed 20 controls in the Round I audit and found 3 (15%) not effective • Round 1 audit was completed on 3 May • All findings have been addressed Design Remediation in Q2: • No additional audits scheduled

  21. IAF Audit Status – IT General Controls As of Q1 signoff: • Completed agreed actions for 2005 audit comments • In April IAF reviewed 140 controls and found 29 (21%) not effective • Audit was completed on 28 April • IT has not received formal report • Response to preliminary comments in progress • 13 controls updated • 4 comments required no change • 12 responses in progress Audit plans for Q2/Q3: • IAF will return for 2nd round of audit on June 26

  22. PWC Audit/Outcomes Design Effectiveness (Business, General and Embedded IT)

  23. PWC Audit Status - Business (excl IT) As of Q1 signoff: • PwC reviewed 392 controls and found 24 (6%) not design effective • 21 issues have been addressed • 3 issues will be resolved in Q2 Design Remediation in Q2: • PwC submits new findings weekly • The Business is in the process of addressing the 3 outstanding issues

  24. PWC Audit Status - Manila As of Q1 signoff: • No PwC design testing performed Design Remediation in Q2: • If needed, PwC anticipates visit in late July

  25. PWC Audit Status - IT General Controls As of Q1 signoff: • Completed agreed actions for 2005 audit comments • PwC reviewed 106 Lubes controls for DE and found no design deficiencies Audit plans in Q2/Q3: • PwC completing SOPUS audit now (50% complete – no conclusion yet) • PWC will return end of July/August for OE audit

  26. QA Review Design Effectiveness (Business, General and Embedded IT)

  27. Central Quality Assurance Review CQA – Observations on Key Accomplishments to Date • Super workshops and 2005 testing program successful in early identification of major design remediation needs • Business/Control ownership is high • US Business and project teams have been very proactive • Round I - early testing has provided a jump start to 2006 program • E&Y testing team strategy has provided high grade test scripts and work papers that can be followed for Round II testing, and in 2007 and beyond.

  28. Q1 Design Effectiveness Sign-off

  29. Q1 Sign-off – May 22nd At this point we have: • Finished the 2005 Work Program by the February 9th plan date • Completed a solid project plan for 2006 to include alignment with Group/OP PMOs, PwC and Internal Auditing • ITGC “deep dive” review of framework and substantially completed DE testing • RESM/FARM/Efficiency Review completed on 2006 scope • Class of Transaction Maps for walkthroughs completed • Internal audits resulted in four Fair opinions for design effectiveness assessment • Well underway with embedding SOX 404 in the business • Q1 Sign-off in OP US was a success

  30. Self Assessment Operating Effectiveness (Business, General and Embedded IT)

  31. OP US - Operating Effectiveness • SOPUS and LUBES (excluding IT) Operating Effectiveness Work Complete, Achieving: Total Controls - 437 • 5% Not Effective (23) • 3% Effective (14) • 8% Remediated Not Retested (35) • 81% Not Tested (352) • 3% No Transaction (13) • Manila Operating Effectiveness Work Complete, Achieving: Total Controls - 27 • 7% Remediated Not Retested (2) • 93% Not Tested (25) • IT Operating Effectiveness Work Complete, Achieving: Total Controls - 489 • 13% Effective (64) • 7% Not Effective (35) • 12% Remediated Not Retested (60) • 65% Not Tested (317) • 3% No Transactions (13)

  32. OP US Operating Effectiveness – COB/COS Excluding Motiva & Manila

  33. OP US - Operating Effectiveness

  34. OP US Operating Effectiveness Test Summary - Round I • Counts by category (TE1/TE2 / N3 / N4 / Total): • SOPUS: 123 / 19 / 7 / 149 • Lubes: 23 / 3 / 3 / 29 • Deer Park: 2 / 0 / 0 / 2 • Percentage: 82% / 12% / 6% / 100% • N3 – fundamental document change • N4 – no evidence retained • The remediation required to address most of these exceptions would require less than one day’s effort to design and implement. • The exceptions generally fall into the following categories: • Lack of evidence that control operated • Control not operated as per control description consistently across all samples • Critical timing not addressed in ACD and not consistently met in operation

  35. OP US Operating Effectiveness – Round I Testing • 437 Total System, IT Dependent and Manual Controls • 347 IT dependent and Manual Controls (excludes System) • 28 Annual Controls, 15 No transactions controls, 44 Manufacturing Controls and 20 Remediated / Not Retested controls which will not be tested in Round I • 240 Total Controls to be tested in Round I

  36. ITGC Operating Effectiveness

  37. IT General Controls – C12 OE Note: Plan being rebaselined to incorporate May/June Sample requirements

  38. IT EMBEDDED CONTROLS

  39. Segregation of Duties

  40. SOD Summary of Current Status • “World Class status” - based on current group standards we meet or exceed all the KPI targets • Current SOD items only relate to normal change activity that we tightly monitor • Working on “New scope” items based on “cheesewedge” updates • Working on “cross application SOD” analysis while awaiting Group guidance

  41. OP US SOX 404 System Controls – KPI 1 Ratio of Unmitigated SOD Conflicts per Active User • Purpose of KPIs as defined by the Central team - Shows progress towards: a) benchmark for SOX compliance b) the quality of the application controls framework for robustness and ease of maintenance • KPI #1 target - Ratio should be below 1.0 before compensating control or risk waivers • Notes: • New SOX Matrix introduced in May 2005 • Does not include compensating controls

  42. OP US SOX 404 System Controls – KPI 2 Percentage of Outstanding SOD Conflicts (with no compensating controls) • A few new conflicts on 5/15 report caused by user group changes; corrections already in the works with security • Lubes – excludes Canada • Magellan – excludes Stusco

  43. SOX KPI 3 – Critical Access • New metric per SOX guidance issued November 2005 • KPI #3 – access that should never be granted in production system; Target is zero. • Lubes cleanup is pending IT support role cleanup to be finished by May 31st by the ISIP project

  44. End User Computing

  45. C13 Register Controls - EUC SOPUS and LUBES (excluding IT) Operating Effectiveness Work Complete, Achieving: Independent testing completed by OP Central C13 resource with results and supporting documentation formally approved by QA. Total Controls - 16 - 14 Tested and Fully Compliant - 2 Not Tested due to No Transactions

  46. EUC Status by Register

  47. Application Embedded Controls

  48. AEC Testing Schedule [Chart: Number of Controls by Week, 04/10/06 to 07/03/06; series: Target, Actual, All AEC Controls]

  49. IAF Audit/Outcomes Operating Effectiveness (Business, General and Embedded IT)

  50. IAF Audit Status - Business (excl IT) As of Q1 Signoff: • IAF Independent Operational Testing • IAF reviewed 22 controls in the Round I audit and found 6 (27%) not operational effective • The Business has 3 outstanding issues to address • IAF Review of Operational Self Test Work Papers • IAF reviewed 39 AEC and Business self testing work papers in the Round II audit and found 30 control issues (77%) • All findings have been reviewed and addressed Operational Remediation in Q2: • IAF Independent Operational Testing • IAF reviewed 7 controls in the Round II audit and found 1 (14%) not operational effective • IAF Review of Operational Self Test Work Papers • IAF reviewed 14 AEC and Business self testing work papers in the Round II audit and found 8 control issues (57%)
