The DS SOX404 Transition Organisation
SOX404 Process Flows and RASCI Chart
Draft Version, July 2006
A common SOX404 global process for assurance has been developed and rolled out centrally
Responsibility of SOX Factory
SOX404 Global Process
Triggered / Periodic / Retest / Off cycle
1 Monitor change and assess impact
2 Assess scope
3 Update controls & documentation
4 Plan & perform self-testing
5 Plan remediation & remediate deficiencies
6 Management assessment
7 IAF
The SOX404 Global Process comprises both triggered and periodic steps - each is made up of detailed SOX404 activities
SOX404 Processes: 1 Monitor Change and Assess Impact
Monitor changes and assess impact on SOX controls
[Flowchart with Global and Local tracks; labels listed below]
• D1 Wave 1 Country Project Managers
• Baseline D1 project list, validated by: project name, process owner, project manager, country, go-live date
• Baseline D1 project list, validated by: project name, process owner, project manager, go-live date
• D1 Integration Process Team: review SOX questionnaire & deployment plan submitted by project manager
• New Global project registered on REV C masterlist of D1 PMO
• D1 Wave 1 Country Project Managers: new Local / Pathfinder project registered; SOX questionnaire sent to Local / PF project manager
• SOX impact assessment performed
• Decision: SOX sensitive country?
• Decision: SOX impact?
• Analyse questionnaire
• F&SS SOX Factory
• Central list updated: SOX impact / No SOX impact
• Project processed by SOX Factory
• GRA Manager: review & issue formal "No SOX impact" note
SOX404 Processes: 2 Assess Scope
[Flowchart: swimlane diagram; roles and box labels listed below]
Lane groupings: Global; GRA; Line
Roles: Group; FCC; DS GRA Manager / Financial Controls Manager; CoB/Functions GRA Manager; Country/Cluster GRA Lead; Controller; Level 1 & 2 AoOs; SOX Manager / Team; CoB/F Focal Point; Control Owner
• Identify initial level 1 entities
• Perform detailed RESM analysis
• Review RESM
• Provide input into RESM assessment
• Decision: Approve RESM results?
• Decision: What is the entity level risk? (Level 1,2; Level 3; Level 4)
• Company Level Controls Assurance
• Company Level Controls Assurance
• Business Assurance Letter
• Provide guidance on FARM accounts and controls
• Execute FARM assessment
• Support FARM assessment
• Decision: Is account or control significant?
• Decision: Approve FARM results?
• Decision: Approve FARM results?
• Link to: Update Controls and Documentation
SOX404 Processes: 3 Update Controls and Documentation
[Flowchart: swimlane diagram; roles and box labels listed below]
Lane groupings: Global; GRA; Line
Roles: DS GRA Manager / Financial Controls Manager; CoB/Functions GRA Manager; Country/Cluster GRA Lead; Controller; SOX Manager / Team; Level 1 & 2 AoOs; CoB/F Focal Point; Control Owner
• Periodically develop an integrated DS plan
• Provide planning guidance
• Review and submit plan
• Decision: Approve plan?
• Manage AoO implementation plan
• Develop AoO implementation plan
• Support implementation plan development
• Design and implement changes to controls
• Support control design and implementation
• Perform design effectiveness tests
• Support design effectiveness tests
• Decision: Effective
• Update documentation
• Update GreenLight & apply change control
• Support GreenLight updates & apply change control
• Bulleted items: Update documentation; Test scripts; GreenLight
• Bulleted items: Flowcharts; Procedures; Policies
• Link to: Plan and perform self testing
SOX404 Processes: 4 Plan and Perform Self-Testing
[Flowchart: swimlane diagram; roles and box labels listed below]
Lane groupings: Global; GRA; Line
Roles: DS GRA Manager / Financial Controls Manager; CoB/Functions GRA Manager; Country/Cluster GRA Lead; Controller; Level 1 & 2 AoOs; SOX Manager / Team; CoB/F Focal Point; Control Owner
• Periodically develop an integrated DS plan and inform FCC
• Review & submit plan
• Decision: Approve plan?
• Develop AoO self-testing plan
• Support self-testing plan development
• Perform self-testing*
• Support self-testing
• Decision: Effective
• Update GreenLight
• Support GreenLight update and notification e-mail
• Link to: Management Assessment
• Link to: Plan remediation and remediate deficiencies
*Testing performed by regional test team
SOX404 Processes: 5 Plan Remediation and Remediate Deficiencies
[Flowchart: swimlane diagram; roles and box labels listed below]
Lane groupings: Global; GRA; Line
Roles: IAF Internal Audit; DS GRA Manager / Financial Controls Manager; CoB/Functions GRA Manager; Country/Cluster GRA Lead; Controller; SOX Manager / Team; Level 1 & 2 AoOs; CoB/F Focal Point; Control Owner
• Provide guidelines for RAP
• Develop AoO RAP
• Support RAP development
• Decision: Approve plan?
• Review progress of RAP
• Analyze and Address Root Causes
• Periodically develop an integrated DS and CoB/F plan and summary of deficiencies
• Review CoB/F plan and summary of deficiencies
• Inform CoB/F Assurance Committee
• Inform DS Assurance Committee and FCC
• Link to: Management Assessment
• Link to: Update Controls and Documentation
SOX404 Processes: 6 Management Assessment
[Flowchart: swimlane diagram; roles and box labels listed below]
Lane groupings: Global; GRA; Line
Roles: DS GRA Manager / Financial Controls Manager; CoB/Functions GRA Manager; Country/Cluster GRA Lead; Level 1 & 2 AoOs; Controller; SOX Manager / Team; CoB/F Focal Point; Control Owner
• DS EVPF and CEO Sign Attestation
• Approve
• Group Reporting Process
• Synthesise into a DS and CoB/F summary
• Identify DS level deficiencies that require escalation
• Inform DS Assurance Committee
• Escalation Process
• Review CoB/F plan and summary of deficiencies
• Inform CoB/F Assurance Committee
• Drive MA process / Issue guidelines
• Facilitate Deficiency Quantification process
• Finalise summary report / PDW for final sign-off
• Sign-off
• Approve PDW
• CoB Leaders
• Quantify AoO deficiencies and impact of compensating controls
• Link to: Plan remediation and remediate deficiencies
• Sign-off
• Approve
• Provide support
• Support deficiency quantification and compensating control identification
• Support Sign-off
• Provide support
• Support Sign-off
SOX404 Processes: 7 Independent Audit (IAF)
[Flowchart: swimlane diagram; roles and box labels listed below]
Lane groupings: Global; GRA; Line
Roles: Internal Auditor; DS GRA Manager / Financial Controls Manager; CoB/Functions GRA Manager; Country/Cluster GRA Lead; Controller; Level 1 & 2 AoOs; SOX Manager / Team; CoB/F Focal Point; Control Owner
• Develop SOX404 Audit Plan
• Provide input into Audit Plan
• Provide input into Audit Plan
• Provide input into Audit Plan
• Perform Audit:
  • Test documentation: compare GreenLight data with sample selection of DS documents
  • Test evidence of control execution
• Provide documents and evidence as requested
• Provide documents and evidence as requested
• Provide documents and evidence as requested
• Prepare final audit report
• Review and agree on audit results
• Review audit report
• Review audit report
• Review audit report
• Link to: Plan remediation and remediate deficiencies
The embedding team has worked with key stakeholders to define the SOX 404 activities and responsibilities
Transition Organisation RASCI-chart (1)
[Chart: Roles against Activity]
R = Responsible to do it or get it done
A = Accountable, signs off on internal controls over financial reporting (ICOFR) for area of responsibility
S = Provides Support to the responsible party
C = Must be Consulted on activities and results
I = Must be Informed about activities and results
(1) Additional Stakeholders will be consulted outside the SOX404 process (e.g. Local Leadership Team, Evidence Generators)