70 likes | 94 Views
Learn about Xilinx Inc.'s SOX compliance journey, challenges faced, and strategies used to enhance segregation of duties. Discover key suggestions and approaches for effective SOD management.
E N D
Xilinx: SOX slides for NorCal OAUG Kavita Khatwani Jan 24th 2006 Xilinx Confidential
Company background • Name of Company: Xilinx Inc. • Size (numbers): 3100 • IT: • Size: 200 • Distribution: • Application version: 11.5.9 • Modules: Financials (AP, AR, FA, GL, PO), Order Management, Mfg, Planning, Inventory, HR, CRM, Installed Base, Contracts • Consulting Company used to assist with the SOX compliance project: PwC (Price Waterhouse Coopers) Xilinx Confidential
SOD in Year1 • How did you resolve issues of Segregation of Duties? • Before the 404 requirement • ERP audit/s driven by IA (partnership with external consulting group) post upgrade to 11i identified a few Sod issues which were addressed • Negligible work done on an ongoing basis to identify and fix Sod issues • After • 5 person team (~3 full time equivalent) in year1 to drive the SoD piece of evaluation, analysis and remediation • PwC assistance taken to identify all Sod conflicts • 4 month extensive effort • Driver: Business SOX Program manager • Pain shared by: IT Xilinx Confidential
SOD challenges • Where were the most challenging moments in this task? • Smaller sites had people performing roles that were strong SOD issues • Big list of super users within the application • IT individuals to business support functions with Admin responsibilities (update) were identified as SOD issue • Late scramble on SOD remediation as the issues flooded to IT very late in the fiscal year • Test plans and testing for SOD issues from business, required a lot of hand holding from IT Xilinx Confidential
Suggestions to reduce effort • What would you suggest for the people/users who are still struggling at this task? • Get to know your environment!! • Develop your own matrix of SoD and use it • Be aware of the ‘Processes’ tab issue (AZN_PR_XXX submenus in Inv, GL, AP, PO & AR) • Build a process to catch SoD issues prior to them being created in your environment • Plan for moving from People dependent detective controls to System dependent Preventive controls Xilinx Confidential
SOD approach Develop SOD matrix/mapping across applications Identify sec404 relevant IT applications in scope for SOD Rationalize the risk (H,M,L) on SOD issues Identify SOD issues in your environment Develop processes to PREVENT more SOD creation Remediate them based on risk profile Mid -Long term Short term Xilinx Confidential
Automation of Controls System Based Preventive Control System Based Detective Control Reliable People Based Preventive Control People Based Detective Control Desirable Xilinx Confidential