DRAFT FOR INTERNAL USAGE Not for further distribution. DISCUSSION DOCUMENT. DS SOX404 Embedding Global Pilot Telephone Conference. London 14 December, 2005. This document is confidential and is intended solely for the use and information of the client to whom it is addressed.
Participants in the Pilot Conference Call • Julie Amey Chair – DS Central Embedding Lead • Ina Behrensmeyer EFP Germany • Cheryl Highwarden EFP USA • Marty Stetzer Embedding team USA • Jetsupa Thiengtham EFP East region • Mike Hadfield EFP Europe • Thomas Trautmann Embedding team Germany • Robert Oushoorn DS Central Embedding team • Ronald van Selm DS Central Embedding team
Objectives of the Conference Call • Share and discuss initial findings, analysis and learnings • Common organisational design themes • Additional SOX404 workload • Capture feedback on initial findings • Share and discuss emerging issues, e.g. outliers in workload estimations • Collectively try to resolve the emerging issues • Share and agree next steps • Embedding team • Pilots We will keep an issues log/parking lot during the call which we will revisit at the end
Agenda Organisation Design Resource requirements DS SOX404 Embedding - next steps
All pilots have provided feedback on organisation features, or RASCI-charts Emerging Findings • Most responsibilities from the suggested RASCI chart are accepted • However, there is hesitance to pass responsibilities and execution of certain SOX404 tasks to control owners already in 2006 • Therefore, all Pilots propose a resource pool for adapting controls and documentation, executing self-testing, and remediation initially assigned to Control Owners. Different terminology is used for these pools: (1) • Process Excellence Group (Germany) • Centre Of Excellence (USA) • SOX404 team (South Africa) • In large AoOs, covering multiple CoBs, the GRA focal point role may consist of several positions • However there is no agreement on reporting lines of these positions • US: reporting into CoBs • Australia and South-Africa: reporting into Control function • Based on project phase findings, many AoOs expect to need a separate QA function/position as part of resource pools (SOX404 Teams) (1) We suggest using the term “SOX404 Team” going forward
Hard line reporting of the SOX404 Team to the GRA Focal Point would provide most control over the SOX404 compliance process SOX404 Transition Organisation – Preferred Option FOR DISCUSSION [Organisation chart: AoO CoB Leader; AoO/Country Controller; VP CoB; GRA Focal Point; Control Owners, including Control Owner (CoS); Control Executors; Expertise, Support/Execution; SOX404 Team (including CoB FPs)] Description • AoO GRA Focal Point leads SOX 404 Team including representatives allocated to the CoBs Issues: • Risk of reduced focus on SOX404 compliance in the CoBs • May require a transition period as a number of incumbents is in place reporting in the business • Risk of reduced access to CoB information/resources (1) For level 3 AoOs similar features may be designed on a cross-country or regional level
Reporting of CoB SOX Focal Points into the CoB will create a split in the SOX404 process responsibilities SOX404 Transition Organisation – Alternative Option FOR DISCUSSION [Organisation chart: AoO CoB Leader; AoO/Country Controller; VP CoB; GRA Focal Point; Control Owners, including Control Owner (CoS); Expertise, Support/Execution; CoB SOX Focal Point; Business Focal Points; Control Executors; SOX404 Team] Description • The CoBs have dedicated CoB GRA focal points reporting in the AoO CoB. They operate in a dotted-line network with the AoO GRA Focal Point Issues: • Splits SOX404 process responsibilities between Finance/GRA and the Business - no single point accountability for the SOX404 process in the AoO • Risk of issues with CoB SOX Focal Points’ alignment with AoO SOX404 compliance process • Deviates from recent direction given by DS VP Finance to make CoB GRA Managers direct reports of the DS GRA Manager to ensure strong coordination within the GRA organisation (e.g. dotted line is not sufficient) • AoO GRA Focal point has less leverage over his extended team reducing effectiveness of resource allocation (1) For level 3 AoOs similar features may be designed on a cross-country or regional level
We would like to discuss your hesitation to give Control Owners responsibility for adapting, self-testing, and remediating controls • It is our understanding that the hesitation to give responsibilities to the Control Owners already in 2006 stems from doubts about their current technical ability to perform the associated tasks at the required quality levels…. • …and responsibility should rest with ‘SOX404 Centres of Excellence’ under the direction of the GRA Focal Points • However, you do think that in time this issue will be resolved through training • It is our opinion that giving responsibility to the Control Owners for maintaining and adapting, self-testing, and remediating controls is not the same as entrusting them with the execution of these tasks • Execution can be performed by the ‘SOX404 Centres of Excellence’ until the Control Owners have increased their proficiency levels • The main risks we see in not giving responsibility to the Control Owners are that real embedding for these key stakeholders is delayed, and that sub-optimal staffing decisions may result from this temporary situation
All AoOs have returned first estimates of resourcing requirements based on the Resource Calculator, FAQs and discussions with us • It is the AoO’s responsibility to resource the organisation so as to be able to shoulder the SOX404 responsibilities and activities and deliver positive attestation over 2006 • The EFPs need to ensure approval for the resourcing decisions from the right level of local authority • The DS Central SOX404 Embedding team provides • Structure for framing thinking and discussions on resourcing requirements • Support in building AoO/EFP’s ‘case’ for approval • Synthesis, analysis, challenge, benchmarks, answers to questions • … but no approval per se for resourcing decisions • Therefore it was crucial that the AoOs give their own estimates of resource requirements – within the prescribed central structure and frameworks • First analysis has been performed to create a first cut of what the overall resourcing implications are for DS of the SOX legislation
The bottom-up estimates indicate a workload of ~ 264 FTEs generated for SOX404 in DS SOX404-related workload (AoO Workload Only – Excludes controls executed on a regional or global basis) Preliminary conclusions: • Resource Calculator has served to frame the thinking on additional resource requirements • The additional resource need as calculated versus what is expected is lower for the level 1 AoOs. However, • Sanity checks still to be performed • AoOs still to be challenged on assumptions and estimates as they feel uncomfortable on what will be handed over • Reality of AoOs capacity to absorb workload to be challenged • Permanent/Temporary positions account for approximately 168 FTEs (64%) • This bottom-up estimate by the AoOs is significantly higher than initially estimated by the Central Model (66.9 FTEs (1)) • This difference is mainly caused by • Higher workload assumptions per workstep • EFPs estimate higher workloads for QA • Workloads generated by SOX404 implications on other projects (e.g. DS1, GSAP, Streamline) [Chart: workload in FTE, with percentage breakdown; preliminary, not yet challenged] • Most of the absorbed workload is in Germany (SDO – 18.5 FTE) and in France (SPS – 4.5 FTE) • US needs to reiterate with individual CoB on workloads • Permanent staff is distributed across countries • Estimates made for Belgium/Luxemburg (3 FTE) • Singapore (4 FTE), Philippines (2.5 FTE) and East Regional Pool (8 FTE) require most of the temporary staff • AoOs still need to clarify how the interim staff is resourced • Pooling of resources needs to be considered for fragmented workload especially in Europe • Total estimated workload based on data from 38 AoOs out of 40 • FTEs includes work required for CLC controls • Excluding project work • Need to challenge AoOs on their assumptions and estimates (1) Like for like comparison, i.e. excluding Chemicals and IT Global Note: Further detail in the Appendix
The estimated workload per in-scope control shows a wide spread over the AoOs [Chart, preliminary first cut: estimated workload for in-scope work per in-scope control (hrs) (1), grouped by AoO Risk Level (Level 1, Level 2, Level 3A, Level 3B); legend: Resource Calculator output (colour), added resources by AoO (grey)] (1) Excluding EAST Regional Pool of 13 FTE and 7 other Level 3B AoOs that have no in-scope controls (2) Shell Hellas has only in-scope controls despite being a Level 3B
To help the AoOs in making realistic resourcing estimates and facilitate obtaining approval we will ‘constructively challenge’ the outliers Example Questions used for the ‘Constructive Challenge’ sessions For Discussion • Absorbed workload • What are the typical activities that can be absorbed and how sustainable is this? • What tasks will not be performed anymore to enable absorption of SOX404 activities? • What are the detailed reasons for estimating additional FTEs over Resource Calculator results? • Supervisory/Management FTEs ? • Additional training requirements ? Slower training delivery ? • Additional conservatism regarding performance time of certain SOX404 activities ? • Impact from SOX404 other projects and initiatives ? • What positions are typically covered by the additional FTE estimates over and above the Resource Calculator results? How are these FTEs allocated to the RASCI-charts? • What activities are typically in the fragmented FTEs ? • Peak demand over limited time? • How do you propose to address this ?
Germany estimates incremental workload of 32.4 FTEs Resource Estimate Germany (FTEs) Preliminary Comments • Germany proposes a Process Excellence Group to take on SOX404 tasks • Directly linked to Management • Reports to German CFO • Larger AoOs will have one Process Excellence Group each • Smaller AoOs will have shared Process Excellence Groups • Germany recommends to set up similar organization on global level SDO SDG COMMENTS ON DIFFERENCE • Link or impact from projects outside SOX404 (DS-1, Streamline, SOX404 project phase) • Increased effort for managerial tasks (e.g. Stakeholder Mgmt and Communication, Performance Tracking and Budgeting) • Extra-time for additional reporting requirements • For 2006 only on temporary and/or ad hoc project mode • Will this be absorbed in existing positions? • What are the permanent staff positions? • Central Greenlight input-team 1.5 FTE • What are the other positions? • What are these positions? • What activities are in this category
SOPUS estimates an incremental workload of 90 FTEs Resource Estimate US (1) (FTEs) Preliminary Comments • GRA Managers proposed in the CoBs with support of SOX focal points • SOX Centre of Excellence Managers proposed to support the management assessment process • 800-900 desk level workers for “evidence” maintenance ~55 FTE • 2-3 FTE to maintain/update technology • 0.5 FTE to monitor both projects and triggered events • Other positions to be detailed COMMENTS ON DIFFERENCE • Management Assessment is more than a simple annual “sign-off” process and will require 0.5 FTE • 4 hours of training/year developed for desk-level staff will require 2 FTEs for SOPUS in the early years • Presume methodology maintenance will be a Central Team function and have not estimated related FTEs • Want to know how split is calculated between the process/control owners and the GRA function for different steps of the process (1) Including all US AoOs – Equilon, FIFO, PQS, Manila Shared Service and Deer Park
Australia estimates an incremental workload of 20.4 FTEs Resource Estimate (FTEs) Australia (1) Preliminary Comments • Pooling of QA resources considered in the region • Pooling of CLC testing considered in the region • Complexity of executing SOx processes "High" due to the fact that a large number of controls are common across multiple LoBs and across multiple locations • LoB focal points proposed to take responsibility for adapting controls, perform walkthrough self-testing and remediation of LoB specific controls • AoO GRA Manager • Test Manager • Process leaders (2) • GL administrator • EFP • Process Documentation Leaders • Local QA • Set-up of SoD Vanilla Template • Roll-over SoD work • SCD work • Document Retention set-up work • LoB focal points COMMENTS ON DIFFERENCE • Interim staff is driving the difference (1) Excluding EAST Regional Pool of 13 FTE
South Africa estimates an incremental workload of 7.2 FTEs Resource Estimate (FTEs) South Africa Preliminary Comments • To meet peak-demand for test resources, whilst maintaining quality and independence, plan on outsourcing part of self-testing capacity (like in 2004 and 2005, 2.6 FTE fragmented) • As SOPAF has no CoB structure, one GRA Focal Point is deemed sufficient • Number of "in-scope" controls is expected to come down following the completion of "Efficiency Review" (based on PwC's Controls Assurance Review). This will reduce the number of fragmented resources required • Control owners and control operators • SOX404 Team Lead (1 FTE) • SOX404 Team Members (2 FTEs) • IT SOX404 Focal Point (1 FTE) • Mainly test resources
Immediate Next Steps Central Embedding Team • Based on your inputs today • Finalize consolidation and analysis of workload figures • Consolidate and finalise organisational features (e.g. further detailing and application (locally and/or regionally) of the concept ‘SOX404 Centre of Excellence’) • Develop agreed DS RASCI chart • … • Resourcing Planning • Provide definitions of ‘Key Positions’ and how to identify these • Provide generic job descriptions for the SOX404 content of key roles • Follow up on outstanding issues with Leadership where required Pilots/ AoOs • Continue work on Resourcing Planning • Combine RASCI chart with FTE estimates to clearly identify positions that need to be resourced • Use the South Africa example as a model to develop the resourcing plans • Provide the outstanding OD&R deliverables • Obtain clarity on the appropriate level of authority for resourcing decisions • … • …
Appendix Pilot Organisation and RASCI Charts Germany SOPUS Australia South Africa
Germany SOX “Process Excellence Group” • Integration in Organisation • Unit directly linked to Management • Reports to German CFO • Tasks • Maintain SOX knowledge • Maintain GreenLight, responsibility for content stays with the business (can’t be done by control owners due to high quality requirements) • Provide support to projects and control owners • Link projects to related SOX business • Support projects in analysing SOX impact • Coordinate regular SAT exercises • Take over QA functionality • Issue and maintain SOX related working guidelines • Coordinate SOX related Audits [Organisation chart: CFO Germany; SOX Process Excellence Group; Finance Unit; Finance Unit]
Germany SOX “Process Excellence Group” CFO Germany Lead of Department Testing / Audit SOX Business Methodology SOX IT Data Input Team • Coordinate regular SAT exercises • Coordinate SOX related Audits • Maintain SOX knowledge • Issue and maintain SOX related working guidelines - Update GreenLight Remediation Quality Assurance SOX Support/ Training Remediation Quality Assurance SOX Support/ Training • Take over QA functionality • Provide support to projects and control owners • Support projects in analysing SOX impact • Training of organisation • Provide support to projects and control owners • Support projects in analysing SOX impact • Training of organisation • Take over QA functionality • Coordinate Remediation work • Coordinate Remediation work
Germany SOX “Process Excellence Group” Recommendation • Implement a permanent unit “SOX Process Excellence Group” • One unit per AoO for larger AoOs, clustered units for smaller AoOs • Set up similar organization on global level • To be kicked off now, keep SOX knowledge of Shell staff to populate these groups
SOX Germany – Our Platform: Who makes this happen? Management Ownership (SOX on each Agenda) Supervisory Board Tone from the Top “Country Controller” Project Cost: 2005: ~5.0 m€ 2006: ~2.3 m€ SOX Core Project Team ~7 IT (5 Shell) ~8 Task- force ~30 Testing* ~13 QA* ~9 Shell- Staff *excl. IT Testing/QA (Globa Business effort not included CoB/CoS Finance Manager & Controller ~ 35 dedicated SOX Focal Points in all CoB / CoS~ 10 SOX Process Focal Points (bi-weekly ½ day Project Meetings and Engagement Session) KEY Ambassadors of SOX in the Businesses ~ 120 Control Owner THE SOX Fundament– embedded in the businesses; steered and supported by SOX Project Core Team
SOPUS Proposed COE/GRA/Finance Organization Aligning SOPUS COE with the Downstream One finance structure… GRA: In class of business 2006 Transition CoB Finance VPs SOPUS Controller AoO’s Retail Distribution SOPUS Supply Manufacturing B2B MOTIVA Deputy Controller Supply C&D “SOX COE Mgr” (SOX coordination and reporting responsibility cuts across AoO’s) • BAM’s/GRA Managers • SOX Focal Points • Compliance • HSE • Finance • Governance • Info Mgmt COE “Compliance office” SOX project cleanup Reassess scope Training Group reporting Change control Independent testing Systems Assurance
SOPUS COE - Supporting the GRA Principles COE can support those items below… • Reinforce common objective: Shell Group obtains and retains compliance • Provide consistency across businesses • Moving at the same pace towards the same goals, starting point may be different • Clear individual roles & responsibilities and reporting and escalation lines • Optimize low cost and high value add • Embed into existing/planned management framework, processes (incl. change processes) and support structures. • Reinforce business ownership of compliance • Position Centre to take strong role in ensuring compliance in global processes • Enable clarity and transparency including definitions, risks, and consequences • Enable sustainability and continuous improvement • SOX will be folded into GRA organization OP Controllers Conference_083105 N. Cordey_091205
SOPUS Key Elements and Additions that Affect COE COE Focus Trigger Periodic Retest Plan and Perform Self Testing Plan and Execute Remediation Management Assessment Monitor change and assess impact Reassess Scope Adapt controls and documentation • Identify/Capture SOX relevant change to: • Processes • Environment • Assess risk • Support Qly 302 certification • QC • Change-driven (e.g., M&A, new site) and annual • Re-evaluate in-scope locations and key controls • Risk-based response plan • Identify affected controls/process • Adapt/implement controls/process • Update tools & documentation • Test design effectiveness • Terminate old Controls • QC • Develop and execute risk-based, integrated test plan • Enter data in Greenlight • Analyze, consolidate and report results • Execute roll-over testing when necessary • QC • Materiality-based prioritization • Process-level remediation • Higher level synthesis • Monitor and report progress • QC • Quantify, analyze and aggregate test results • Full quarterly review • Regular ongoing review and escalation of key issues • Report upward/ communicate downward • Quarterly sign-off Greenlight • Sign off at all hierarchical levels SOX Routine Processes • Identify & Monitor Incidents • Business IT: AEC, EUC, SOD • Locate & Refresh Evidence IAF • Plan & Perform independent auditing • Populate Greenlight • Analyze and report results
SOX404 RASCI-Chart for Australia AoO Controller CoB Leader R: Responsible to do it or get it done A: Accountable, signs off on internal controls over financial reporting (ICOFR) for area of responsibility S: Provides support to the responsible party C: Must be consulted on activities and results I: Must be informed about activities and results
SOX404 RASCI Chart for South Africa based on generic template Comments • As per guidance from the OD&R team the generic RASCI chart has been adapted to reflect local reality • Main differences are: • Inclusion of a SOX404 Team that takes responsibility for performing design and operational testing as well as the QA of any changes (generic chart assigns this role to control owners); • Split scope assessment into RESM (central accountability) and FARM (local accountability); • Added external assessment as a separate activity • Added QA of proposed changes as a separate activity • Added the performance of annual walkthroughs as a separate activity • These adjustments have been submitted to and discussed with the OD&R Team and we are now awaiting confirmation that the proposed RASCI-chart is accepted and compliant with the Big Rules • In the back-up slides, there is a detailed activity list in the Appendix (pages 17-28) covering all AoO SOX404 activities AoO Controller CoB Leader
Only part of the calculated total SOX404 Workload FTE is translated into incremental full time positions Part of Total Workload Absorbed By Existing Positions (0.6 FTE’s) These are the FTE’s relating to the remediation of deficiencies, which is the responsibility of the control owners and operators Comments • The total workload is as per the calculator, corrected for 0.1 (making the SOX404 SME a 100% FTE) and 0.9 (reflecting a higher anticipated workload related to testing) • Resource requirements and break-down subject to review and functional sign-off by OD&R team • In order to meet peak-demand for test resources, whilst maintaining quality and independence, we plan on outsourcing part of our self-testing capacity (like in 2004 and 2005) Of the Total Workload, identify the part that can be absorbed by existing AoO positions Total SOX404 Workload(7.2 FTE’s) Total Full Time New AoO Positions (4.0 FTE’s) Permanent Positions: expected to be in place for >4 years, but subject to review after initial 4 years These would include: SOX404 SME/GRA FP: 1.0 FTE SOX404 Team: 2.0 FTE’s IT Focal Point: 1.0 FTE Full Time Total Incremental Workload (6.6 FTE’s) Part Time Positions (2.6 FTE’s) Part-time Positions: These would include: Test resources: 2.6 FTE’s Fragmented
A robust Resourcing Strategy ensures an organisation in place which can deliver the SOX404 requirements in 2006 and beyond Results of AoO Resource Analysis Actions for Resourcing Strategy Status Support required from OD&R Team • Understand HR requirements for changing existing and creating new roles • Obtain generic SOX404 job descriptions prepared by Central SOX404 Embedding team • Engage with KT&T (1) Team to understand deliverables and toolkit support available • Clarity on reporting lines of SOX404 Team/SME • Clarity on existence of a sole/preferred supplier of resources to support design and operational testing • SOX404 responsibilities are being included in GPA’s, but also need to be reflected in job descriptions • KT&T Plan not yet started • Update job descriptions of existing AoO roles to cover SOX404 responsibilities • Allocate individuals to appropriate stakeholder category as required by KT&T (1) plan Total Workload Absorbed By Existing AoO Roles Total Workload Full Time New AoO Roles • All 4 FTE-roles have been identified; job descriptions outstanding • Recruitment plan not yet started • Existing project team will stay in place until new resources are on board. • Conflicting messages iro reporting lines • Identify key roles for immediate focus and prepare job descriptions • Prepare recruitment plan (all steps necessary for OR) and timeline • Identify Interim resources available to cover until completion of recruitment plan • Determine reporting lines Total Workload Part Time Roles • Inventorise roles and responsibilities of part-time roles • Determine whether Group has one preferred supplier, or whether AoO’s can go for local tender • Set and execute Procurement Strategy • Roles and responsibilities to be drafted • No clarity on existence of a sole/preferred supplier • Procurement Strategy dependent on second bullet; not yet started (1) Knowledge Transfer & Training