Roles / Responsibilities and SOX404 Organisation
The DS SOX404 Organisation structure is based on the mandated key design principles for SOX404 Accountability:
• GRA: Effective SOX404 Process
• Line: Compliant SOX404 Content

Accountabilities (GRA)
• ‘GRA’ owns the SOX404 global process per RDS SOX404 Methodology.
• DS GRA Manager has single-point accountability for ensuring the SOX404 process:
  • Is robust;
  • Is applied consistently and accurately;
  • Ensures completeness and transparency of the content via provision of Quality Assurance;
  • Is appropriately supported (tools, structure, competencies) to ensure on-going sustainability;
  • Is fully integrated into business operations and assurance activities.
• DS GRA Manager is responsible for transitioning from Project to Embedded State.

Accountabilities (Line)
• The ‘Line’ owns SOX404 content (actual controls narratives, evidence).
• SOX404 signatories are accountable for ensuring that the content is:
  • Accurate: controls operating as designed, correctly assessed, appropriately remediated, accurately reported;
  • Appropriate: effective controls mitigate SOX404 process risks and conform to SOX scope requirements;
  • Transparent: clear content meets quality standards; evidence is retained/maintained;
  • Complete: all relevant business risks and considerations accounted for;
  • Fully compliant with requirements of the SOX404 global process and annual SOX cycle.
Responsibilities of Key SOX404 Roles

‘GRA’ Roles: Financial Controls Manager and team; Country/Cluster GRA Leads; CoB/F GRA Managers
• Accountable for SOX404 Process - methodology SME
• Create global synthesis: identify/address standardisation opportunities and systemic business/controls issues
• Document/implement GSAP/Streamline SOX Controls
• Own/monitor SOX change control process
• Coordinate/Facilitate Management Assessment (deficiency evaluation) and support sign-off
• Perform RESM/Support FARM
• GreenLight Admin; RAP tracking; Reporting; Integrated planning of SOX Calendar and Audit
• QA CoE to ensure compliance, standardisation and best practice applied across countries
• Provide tools/guidance to address competency gaps and learning requirements
• Support transition from SOX Project to embedded state

‘Line’ Roles: SOX Manager and team; Self Testing Team; Training Focal Point; DS Country Controllers; AoO CoB/F Leaders; Control Owners/Operators
• Accountable for execution of the SOX404 Process - SOX Content (actual controls: narratives, evidence, status)
• Plan, Prepare, Execute control self-testing
• Conclude and report on Control status
• Undertake Detailed Planning (changes, remediation)
• Local GreenLight/EUC/SoD admin
• Support Management Assessment: business/control knowledge for quantifications/mitigations; final approval
• Undertake quarterly sign-off requirements
• Execute change control and FARM requirements
• Manage ISPs and Audit requirements
• Operate controls as required and maintain evidence
• Plan/execute learning requirements to address locally identified competency gaps
• Develop and drive transition plans to achieve embedded state
DS SOX404 Organisation: summary of ‘steady state’ design principles

[Org chart, split into ‘GRA’ and ‘LINE’ columns. Roles and names recoverable from the chart:]
• Exec. Dir DS: Rob Routs
• DS VP Finance: Ron Blakely
• DS VP Controller: Jim Lobb
• DS GRA Manager: Cheng Kwee Ho
• GRA side: GRA Project Manager; Functions GRA Manager; IT GRA Manager; Financial Controls Manager; Risk Manager; Security Manager; Planning, Monitoring, Reporting; Learning Manager; Country/Cluster GRA Leads; CoB GRA Managers; SOX SMEs; QA CoE; GRA Lead Team; SOX Factory (GSAP)
• Line side: EVP CoB; CoB Leaders; Regional Controller; Controller; Regional Testing Execution Team; Regional Training Focal Pt; SOX Team Manager; SOX Team; Control Owners; Control Operators
• Temporary Roles (<4yrs) are marked separately on the chart
DS GRA Organisation

• Head of Controls, Governance & Assurance: Anno Scheltinga
• DS GRA Manager: Cheng Kwee Ho
• IT for Shell GRA Manager: Henk Reimers
• Financial Controls Manager: Mike Reay
• Risk Manager: Ian Crawford
• GRA Projects Manager: Julie Amey
• Retail GRA Manager: Dave Davis
• Lubes GRA Manager: Trevor Walters
• Mfg GRA Manager: Elaine Wyrick
• S & D GRA Manager: Carlo Stiore
• B2B GRA Manager: Rafi Basheer
• Chemicals GRA Manager: Frits Schneider
• Functions GRA Manager: Tim O’Brien
• IT GRA Manager: TBA
• DS CIO: Arjen Dorland
• SOX SMEs: Scope/MA/SOX Factory Lead; SOX SME QA/GRA support; Planning, Monitoring, Reporting
• FC Learning Manager: Myriam Novoa
• Security Manager (incl SoD)
• SOX Factory (GSAP) Lead/Team
• QA CoE Team
• UK GRA Lead: TBA
• US GRA Lead: Jeff Blackwell
• Germany GRA Lead: TBA
• NL GRA Lead*: TBA
• France/Belux GRA Lead: Jean Francois Pons
• MED/Nord/CEE GRA Lead: Jean Paul Popesco
• Australia GRA Lead: Pam Hermann
• Philippines GRA Lead: Gerard Yap
• Singapore GRA Lead: Raymond Tan
• Malaysia/HK GRA Lead: Iskandar Waharp
• LA GRA Manager**: Andre Nolte
• SOPAF GRA Manager**: Graham Legge; John Stevens

18 FTEs excluding:
• SOX Factory
• QA CoE Team
• Country GRA Team support
Temporary Roles (<4yrs)
*Also primus inter pares
**Dual roles: Business and Country GRA Lead
DS SOX404 GRA Organisation: Country/Cluster GRA Leads/Team

[Org chart as on the previous slide, with the Country/Cluster GRA Leads highlighted.]

Country/Cluster GRA Leads/(team)
• RDS SOX404 Process SME
• Support ‘local’ transition from SOX project to embedded state
• Support Controller/Senior Business Leaders to operationalise SOX processes
• Support on-going SOX404 compliance:
  • Support FARM
  • Prepare/roll-out SOX planning (QA, SOX Calendar; Audit)
  • Provide Quality Assurance to ensure conformity with methodology (via centrally managed virtual QA CoE)
  • Create synthesis of deficiency reporting and tracking
  • Facilitate/co-ordinate Management Assessment (deficiency evaluation and sign-off)
• Support identification of DS systemic business and control issues to assist with determination of root causes and advise appropriate actions
• Provide SME input into local learning and competency development strategy
• Manage alignment of Group/DS requirements and local Line application
• Drive the Country Risk assessment process

*Also primus inter pares: lead GRA for Europe
**Dual roles: Business and Country GRA Lead
DS SOX404 GRA Organisation: CoB/Functions GRA Managers

[Org chart as on the DS GRA Organisation slide, with the CoB/Functions GRA Managers and IT GRA Manager highlighted.]

CoB/Functions GRA Manager: SOX404 Role
• Reports to DS GRA Manager
• Identify and address systemic business and controls issues in CoB/F
• Support CoB/F senior leaders in SOX Sign-off Process
• Prepare/present SOX Management Information to CoB/F Senior Leaders/BAC
• Working relationship with Financial Controls Manager/Team
• Working relationship with Country/Cluster GRA Leads on an exception basis

IT GRA Manager: SOX404 Role
• Co-ordinate IT sign-off process and manage alignment with Business
• Support DS IT SOX organisation (IT GRA Manager)
• Liaise with Shell for IT CoE (IT GRA Manager)
DS SOX404 GRA Organisation: Financial Controls Manager/Team

[Org chart as on the DS GRA Organisation slide, with the Financial Controls Manager and SMEs highlighted.]

Financial Controls Manager and SMEs: Activities
• Lead the Global SOX404 process in DS
• Monitor and support Country/Cluster GRA Leads
• Support DS/Global SOX Control Owners
• Create a global synthesis for SOX404 controls to understand differences and standardisation opportunities
• Implement new SOX Controls arising from GSAP project
• Owner of SOX change control process (incorporating SOX impact assessment); liaise with/support CoB GRA and FCC
• Coordinate/Facilitate Management Assessment process and planning
• Perform RESM/Support FARM
• GreenLight Admin and Reporting; RAP Tracking and Reporting; SOX Calendar and Audit Planning
FTEs for SOX Factory and QA CoE team: TBD

Learning Manager
• Delivery through Regional Training focal points in the Line
• Liaise with Group to ensure alignment of direction
• Work closely with QA team to identify/address competency gaps arising from QA findings

Role/Term of SOX Factory and QA CoE Team (temporary roles)
• SOX Factory in place to support GSAP roll-out (execution role)
• Central QA team ensures standardisation/best practice across countries
• Requirement for centralised QA will be reviewed on a periodic basis
• Virtual QA CoE team supports Country/Cluster GRA Lead to execute Quality Assurance requirements (deployment/locality of team to be determined)
The DS SOX404 Transition Organisation: SOX404 Process Flows and RASCI Chart
Draft Version, July 2006
A common SOX404 global process for assurance has been developed and rolled out centrally.

[Figure: SOX404 Global Process. Step numbers as used on the following process slides:]
• 1 Monitor change and assess impact (triggered)
• 2 Assess scope (periodic retest)
• 3 Update controls & documentation
• 4 Plan & perform self-testing
• 5 Plan remediation & remediate deficiencies
• 6 Management assessment
• 7 IAF

The SOX404 Global Process comprises both triggered and periodic steps; each is made up of detailed SOX404 activities.
DRAFT SOX404 Processes: Assess Scope (2)

[Swimlane flowchart. Lanes: Group; FCC; DS GRA Manager/Financial Controls Manager (Global, GRA); CoB/Functions GRA Manager; Country/Cluster GRA Lead; Controller (Level 1 & 2 AoOs, Line); SOX Manager/Team; CoB/F Focal Point; Control Owner. Steps:]
• 1 Identify initial level 1 entities
• 2a Perform detailed RESM analysis
• 2b Review RESM
• 2c Provide input into RESM assessment
• 3 Approve RESM results? (Yes/No)
• 4 What is the entity level risk? Level 1,2 → FARM assessment; Level 3 → Company Level Controls Assurance; Level 4 → Business Assurance Letter
• 5a Provide guidance on FARM accounts and controls
• 5b Execute FARM assessment
• 5c Support FARM assessment
• 6 Approve FARM results? (Yes/No)
• 7 Approve FARM results? (Yes/No)
• 8 Is account or control significant? Yes → Update Controls and Documentation
DRAFT SOX404 Processes: Update Controls and Documentation (3)

[Swimlane flowchart. Lanes: DS GRA Manager/Financial Controls Manager (Global, GRA); CoB/Functions GRA Manager; Country/Cluster GRA Lead; Controller (Level 1 & 2 AoOs, Line); SOX Manager/Team; CoB/F Focal Point; Control Owner. Steps:]
• 1a Provide planning guidance
• 1b Develop AoO implementation plan
• 1c Support implementation plan development
• 2 Approve plan? (Yes/No)
• 3a Review and submit plan
• 3b Periodically develop an integrated DS plan
• 4a Manage AoO implementation plan
• 4b Design and implement changes to controls
• 4c Support control design and implementation
• 5a Update documentation (flowcharts, procedures, policies)
• 5b Update documentation (test scripts, GreenLight)
• 6a Support GreenLight updates & apply change control
• 6b Update GreenLight & apply change control
• 7 Effective? (Yes → Plan and perform self-testing; No → back to implementation)
• 8a Support design effectiveness tests
• 8b Perform design effectiveness tests
DRAFT SOX404 Processes: Plan and Perform Self-Testing (4)

[Swimlane flowchart. Lanes: DS GRA Manager/Financial Controls Manager (Global, GRA); CoB/Functions GRA Manager; Country/Cluster GRA Lead; Controller (Level 1 & 2 AoOs, Line); SOX Manager/Team; CoB/F Focal Point; Control Owner. Steps:]
• 1a Develop AoO self-testing plan
• 1b Support self-testing plan development
• 2 Approve plan? (Yes/No)
• 3a Review & submit plan
• 3b Periodically develop an integrated DS plan and inform FCC
• 4a Perform self-testing* (*Testing performed by regional test team)
• 4b Support self-testing
• 5a Support GreenLight update and notification e-mail
• 5b Update GreenLight
• 6 Effective? (Yes → Management Assessment; No → Plan remediation and remediate deficiencies)
DRAFT SOX404 Processes: Plan Remediation and Remediate Deficiencies (5)

[Swimlane flowchart. Lanes: IAF (Internal Audit); DS GRA Manager/Financial Controls Manager (Global, GRA); CoB/Functions GRA Manager; Country/Cluster GRA Lead; Controller (Level 1 & 2 AoOs, Line); SOX Manager/Team; CoB/F Focal Point; Control Owner. Steps:]
• 1a Provide guidelines for RAP
• 1b Develop AoO RAP
• 1c Support RAP development
• 2a Approve plan? (Yes → Management Assessment; No → revise RAP)
• 2b Review progress of RAP
• 3 Periodically develop an integrated DS and CoB/F plan and summary of deficiencies
• 4 Review CoB/F plan and summary of deficiencies
• 5a Inform DS Assurance Committee and FCC
• 5b Inform CoB/F Assurance Committee
• Analyze and address root causes (IAF lane); output feeds Update Controls and Documentation
DRAFT SOX404 Processes: Management Assessment (6)

[Swimlane flowchart. Lanes: DS EVPF and CEO; Group Reporting Process; DS GRA Manager/Financial Controls Manager (Global, GRA); CoB/Functions GRA Manager; Country/Cluster GRA Lead; CoB Leaders; Controller (Level 1 & 2 AoOs, Line); SOX Manager/Team; CoB/F Focal Point; Control Owner. Steps:]
• 1a Drive MA process / Issue guidelines
• 1b Quantify AoO deficiencies and impact of compensating controls
• 1c Provide support
• 1d Facilitate Deficiency Quantification process
• 1e Synthesise into a DS and CoB/F summary
• 2a Finalise summary report/PDW for final sign-off
• 2b Support deficiency quantification and compensating control identification
• 2c Provide support
• 3 Approve PDW (Yes/No)
• 4a Sign-off
• 4b Support Sign-off
• 4c Support Sign-off
• 5 Approve (Yes/No)
• 6 Sign-off
• 7 Group Reporting Process
• 8 Identify DS level deficiencies that require escalation; review CoB/F plan and summary of deficiencies
• 9a Escalation Process
• 9b Inform DS Assurance Committee / Inform CoB/F Assurance Committee
• 10 Approve (Yes/No)
• 11 DS EVPF and CEO Sign Attestation
• Unresolved deficiencies feed back to Plan remediation and remediate deficiencies
DRAFT: The embedding team has worked with key stakeholders to define the SOX404 activities and responsibilities.

Transition Organisation RASCI chart (1): Roles vs. Activity
• R = Responsible to do it or get it done
• A = Accountable, signs off on internal controls over financial reporting (ICOFR) for area of responsibility
• S = Provides Support to the responsible party
• C = Must be Consulted on activities and results
• I = Must be Informed about activities and results
(1) Additional Stakeholders will be consulted outside the SOX404 process (e.g. Local Leadership Team, Evidence Generators)
GRA and Regional Training Focal Point: Key Roles and Responsibilities

GRA
• Advise the RTFP on their local embedding/training objectives.
• Work together with RTFP to develop and execute the training plan.
• Based on QA findings, provide inputs to DSFC Learning and RTFP on the effectiveness of the Learning strategy.
• Provide inputs to RTFP to ensure consistency and best practice in SOX404 activities.
• Ensure that issues that arise during the implementation of the learning strategy are escalated at the adequate level.

Regional Training Focal Point
• Plan and co-ordinate the execution of the Knowledge Transfer and Training strategy.
• Assess the training needs for stakeholders within their region.
• Understand the SOX404 curriculum and identify requirements for local customisation and development of examples and case studies.
• Monitor the participation and effectiveness of the training delivered across the region.
• Leverage lessons learned and assist with sharing best practices across DS.
SOX Factory Interaction with GRA Organisation
• Background:
  • GSAP/StreamLine implementations
  • Country based risk assessments: both GRAs and SOX Factory have played a role to date
  • Other DS1 projects: impact assessments and subsequent implementations
• GRAs identifying systemic issues in the AoOs - medium to longer term feedback loop on the GSAP/StreamLine and DS1 implementations.
• Within AoOs, GRAs are key enablers for raising awareness and understanding of SOX Factory.
Change control and your role
• Ensure the discipline is enforced: SOX impacts MUST be assessed, at the right level and the right time
• Ensure project lists are maintained: look out for changes that could impact SOX
• Anticipate future requirements
• Development of change control disciplines, particularly at the operational level