Discussion Document
SPOUS SOX COE
“USA Support to the Shell Journey to Sustainable SOX 404 Compliance”
Embedding Team, November 2005, Houston
Outline
• I. Summary of GRA thinking-to-date
• II. Questions to be answered before COE is defined
• III. What others are doing – Shell
• IV. What others are doing – Survey
• V. Next steps: COE
• VI. Next steps: GRA
• Appendices:
  • SOX 302 and 404 certification FAQ’s
  • Shell proposed sign-off cascade
I. GRA: The SOX Embedding Journey
OP Controllers Conference_083105 N. Cordey_091205
Critical elements and priorities…

Embedded in Hearts and Minds
• Behaviors of all stakeholders aligned
• Incentives aligned and consequence management performed

Embedded in Daily Activities
• Resources in place, ramp-down of temporary staff
• Skills and capabilities levels raised
• Tools in place
• Functioning continuous improvement loops

Embedded in Processes and Structure
• Definition and implementation of processes, roles and responsibilities, and org. structures
• Integration of SOX compliance assurance with the GRA framework

Initial Compliance Testing and Remediation
• Attestation
• External audit
• Design effective tests
• Self assessments
• Remediation and re-testing
• Internal audit

Documentation effort
• Processes
• Controls
• Test Scripts

Project Phase (Delivery)
• Outside of normal business structure
• High temporary resource levels

Transition Period (Transition)
• Roles and structures in transition toward steady state
• Retain higher level of staffing for oversight and support

Steady State (Sustainability)
• Normal element of day-to-day business
I. Integrating SOX in the GRA Framework
Presents process improvement opportunities and embeds SOX in the existing management and control framework…
• Build on the SOX404 foundations to improve controls and business processes
• Full alignment with Risk-based control framework

Opportunity to achieve improved performance & risk management
Enhance Risk Management Toolkit
Build on Ability to Sense and Adapt to Emerging Risks
• Integrate Risk Management across the organization, transform processes, delivering sustainable value
• Global processes (with SOX-embedded controls) & standard systems contribute to smarter controls & improved Business Performance
• Develop fit-for-purpose approach for AoOs currently out of SOX scope

Continue to Address Integration Challenge
Explicitly Address Behaviour and Corporate Culture
• Absorb “Hearts & Minds” approach from HSE
• Enable single framework based on RDS plc Set of Standards
I. GRA: Key Design Principles
COE can support those items below…
• Reinforce common objective: Shell Group obtains and retains compliance
• Provide consistency across businesses
  • Moving at the same pace towards the same goals; starting point may be different
• Clear individual roles & responsibilities and reporting and escalation lines
• Optimize low cost and high value add
• Embed into existing/planned management framework, processes (incl. change processes) and support structures
• Reinforce business ownership of compliance
• Position Centre to take strong role in ensuring compliance in global processes
• Enable clarity and transparency including definitions, risks, and consequences
• Enable sustainability and continuous improvement
• SOX will be folded into GRA organization
I. GRA: High Level Annual SOX Processes
Key Processes

SOX Routine Processes
• Trigger Periodic Retest
• Plan and Perform Self Testing
• Plan and Execute Remediation
• Management Assessment
• Monitor change and assess impact
• Reassess Scope
• Adapt controls and documentation

IAF

People Processes

SOX Support Processes
• Maintain Methodology
• Provide tools
I. GRA: Key Elements and Additions that Affect COE
COE Focus

SOX Routine Processes

Monitor change and assess impact
• Identify Incidents
• Locate & Refresh Evidence
• Identify/Capture SOX relevant change to:
  • Processes
  • Environment
• Assess risk
• Support quarterly 302 certification
• QC

Reassess Scope
• Change-driven (e.g., M&A, new site) and annual
• Re-evaluate in-scope locations and key controls
• Risk-based response plan

Adapt controls and documentation
• Identify affected controls/process
• Adapt/implement controls/process
• Update tools & documentation
• Test design effectiveness
• Terminate old Controls
• QC

Trigger Periodic Retest / Plan and Perform Self Testing
• Develop and execute risk-based, integrated test plan
• Enter data in Greenlight
• Analyze, consolidate and report results
• Execute roll-over testing when necessary
• QC

Plan and Execute Remediation
• Materiality-based prioritization
• Process-level remediation
• Higher level synthesis
• Monitor and report progress
• QC

Management Assessment
• Quantify, analyze and aggregate test results
• Full quarterly review
• Regular ongoing review and escalation of key issues
• Report upward / communicate downward
• Quarterly sign-off in Greenlight
• Sign off at all hierarchical levels

IAF
• Plan & Perform independent auditing
• Populate Greenlight
• Analyze and report results
II. Questions to be Answered
How to get the Central Team and project team to...
STOP thinking about what they have done so far, and
START thinking about where they want people to be?
Should not consider the annual compliance reporting cycle to have the same complexity as the project – See the poster…
II. Questions to be Answered for COE
More questions – Version 1…

COE Strategy:
• Will the COE be proactive in defining efficiency improvements to meet SOX compliance?

COE Key Processes:
• Presume unified SOX status reporting for SOPUS is one implied COE objective… Again, will it be in a proactive mode or reactive?
• Will the COE design, implement and monitor a best practice “Incident Management” system?
• Will the COE take the initiative to unify 302 & 404 reporting?
• What about streamlining SOX with other Shell compliance reporting (HIPAA, OSHA, etc.)?

COE Organization:
• Can the roles/responsibilities of COE, Group and BU’s be defined around the work – first?
• Ideally, the COE is small, assisting the BU’s. Do the BU’s have the SOX skills & understanding?

COE Technology:
• The multiple technologies used in the project are not fit for purpose. Can the COE lead and sponsor an effort to redesign and eliminate the current multiple technologies?
Understanding how to get where you want to go: Four change levers need to be addressed to change behavior
EPE behaviour change - Input slide

“I will change my behavior if . . .”

• Communicating: “. . . I know what is expected of me.” Has the who, what, why, when, and how been communicated throughout the organization?
• Role-modeling: “. . . I see my leaders behaving differently.” Have the formal leaders and the informal opinion leaders embraced the change by role-modeling?
• Developing talent and skills: “. . . I have the skills to behave in the new way.” Have training and procedures development programs been altered to reflect the new desired skill set?
• Reinforcing with formal mechanisms: “. . . the system reinforces the desired culture.” Have the formal and informal policies and procedures (including compensation and appraisal) been changed to reinforce the new desired behaviors?

III. What Others are Doing - Shell
EP Compliance Opportunity Statement...
Preliminary HSE best practice examples
IV. What Others are Doing - Survey
A document is available summarizing COE insights from multiple surveys…
• Financial Executives Institute: 27 Fortune 500 companies during FY 2004
• Ernst & Young: 15 global oil & gas company accelerated filers in May 2005
• PricewaterhouseCoopers: 26 USA & European oil, gas & utility companies in Spring 2005
• Protiviti: “Turning SOX projects into strategic business processes”
• Zavanta: “Surviving SOX: Four smart moves to reduce the compliance burden”
V. Next Steps: COE
Align GRA, COE and BU around the work activities in parallel with responsibilities…
Columns: Key Process Elements – GRA/IAF (?) | Proposed COE Activities | Proposed BU Activities

People Processes
• Leadership agenda and tone at the top
• Manage communication and information flow
• Build skills and capabilities including recruitment, training, values & behaviors
• Align with recognition systems and consequence management
• Desk level quality
• Maintain evidence
• Input to assessment process
• Annual SOX review plan
• Unify decisions on any streamlining of BU compliance processes

SOX Support Processes
Maintain Methodology and “Reporting Stability”
• Assess regularly whether updates are required
• Perform and communicate updates
• Apply lessons learned
Provide tools
• IT infrastructure
• Greenlight
• Other supporting IT
• Guidelines and manuals
• Build system for incident tracking & mgt
• Define improvements to technology infrastructure
VI. Next Steps: GRA Embedding Workstreams
• Assess impact of PCAOB/SEC guidance on deliverables (scoping, testing methodology, i.e., more emphasis on company level controls, monitoring and supervisory controls)
• Finalize deliverables (job descriptions + processes)
• Draft and execute plan for implementation of “Architecture”
• Create a network of embedding managers across Businesses and Functions
• Execute gap assessment (quantity and quality of staff)
• Start recruitment and training
• Finalize recruitment strategy
• Progress behavioral agenda
(Timeline bar: Sept 05 … Communications … Q4 05)
VI. Next Steps: GRA Organization
Embedding of Controls Structures…
• Roles, responsibilities, and tools will be largely the same.
• The Business Sectors are pursuing common approaches to embedding organizational control structures.
• There will be organizational support for controls at the Global, Regional, and Local levels.
• Exact organization control structures will be embedded into the business sector structures and will vary somewhat with those structures.

Steady State – EP view (organization chart)
• Group: Group CFO; Group GRA; Internal Audit
• EP: EVPF EP; EP GRA
• Region: Regional VPF; Regional GRA
• OU: Finance Mgr. OU; OU GRA Focal point
VI. Next Steps: GRA Embedded State
Proposed downstream structure August 2005… (organization chart)
• RDS: CIO; CFO; FCC; GRA Mgr
• DS EVP FN&IT&CP 1) 2)
• DS level: DS Controller; DS CIO; CoB/S, GB VPs FN; DS Acc. Policy Advisor; DS SOX 404 Compl. Mgr; DS GRA Manager; CoB/S, GB GRA Mgrs; DS IT Compl. Mgr
• Regional level: Regional Controllers; Regional Acc. Policy Advisors; Regional SOX Focal Points; Regional GRA Focal Points
• Local level: Local Controllers; Local Acc. Policy FPs; Local SOX FPs; Local GRA FPs
• Operational level: Process Owners; Process Executors; Control Owners; Control Executors
Embedding - Transition
Must Consider Two Components of Sarbanes-Oxley Act…
• Section 302: Requires quarterly certification by the CEO / CFO of all companies filing periodic reports under section 13(a) or 15(d) of the Securities Exchange Act of 1934 regarding the completeness and accuracy of such reports as well as the nature and effectiveness of internal controls supporting the quality of information included in such reports.
• Section 404: Requires an annual report by management regarding internal controls and procedures for financial reporting, and an attestation as to the accuracy of that report by the company’s auditors.
Source: PwC Client Presentation 2/5/2003
Leverage Sarbanes-Oxley (SOX) Requirements
Use Section 302 quarterly statements as progress check points…
(Chart: % Compliant, 0 to 100%, against 1st Qtr, 2nd Qtr, 3rd Qtr, 4th Qtr; target “Ready for 404 Attestation”; second series “User Department: Level of Effort”; two curves labelled “The way we would like them to work” and “The way people work”; caption “Do you want this pattern? Or this one?”)
GRA Cascaded Controls Structure
• FCC
• Group: Group GRA
• Business/Function: Business/Function GRA Manager
• Region/CoB: Region/CoB GRA Manager
• AoO: Local GRA Focal point
• Network
Sign-Off Cascade
Part of the Management Assessment Process…
• FRCC
• Business: EP / OP / Chem / G&P / GS / Trading / Renewables
• Functions: Controller / Treasury / Tax; HR / CIO / S&D; Corp Affairs / Legal
• Region / Class of Business, if appropriate
• Region / Business
• Internal Service Providers in Functions: Pensions / SPS / FCA / SSSC
• Group Service Providers: Group Reporting; Treasury; IT; Taxation
• AoO
• Functions in AoO
Sign off cascade
Confirmation to internal users via GreenLight Access
Management Assessment Process Overview*

SOX 404 Assessment
• External auditors attestation
• RDS Plc. Certifying Officers: CEO & CFO

Financial Reporting Controls Committee “FRCC”
• Review, evaluate, challenge
• Advise EC on assessment

Central SOX 404 Evaluation Team
• Review / validate reports from businesses/functions
• Analyse / aggregate
• Advise FRCC
• Other controls data: External audits; Internal Audits; BCIs

Business / Function (via Region/CoB as appropriate)
• Interpret / evaluate deficiencies
• Summarise / categorise
• Report to central evaluation team
• Periodic sign-off
• Assurance

OU / AoO
• Reporting of controls deficiencies / remediation (GreenLight)
• Periodic sign-off
• Assurance
• GreenLight data

*to be tested in pilot starting 15/9
Legend: Primary Reporting and Dialogue; Information