
US OP SOX 404 Steering Committee Presentation August 9, 2006


kasen

Presentation Transcript


  1. US OP SOX 404 Steering Committee Presentation August 9, 2006

  2. Agenda Project Status Update • Business Review 15 min • Segregation of Duties 5 min • Management Assessment Overview 15 min • IT Project Update 15 min • Audit 5 min • Embedding 5 min • Other Business – Next Meeting 0 min 1 08-09-06

  3. Upcoming Key Activities

  4. Upcoming Key Activities/Action Required

  5. Upcoming Key Activities/Action Required Cont’d

  6. Business Review/Controls at Risk

  7. Business Controls At Risk by CoB As of 8/3/2006

  8. Operating Effectiveness – Round II Testing • 453 Total System, IT Dependent and Manual Controls • 368 IT dependent and Manual Controls (excludes System) • 31 Annual Controls and 15 No transactions controls which will not be tested in Round II • 322 Total Controls to be tested in Round II (Plan developed as of June 2, 2006) • Plan is 35 controls per week in Round II vs. 27 controls per week in Round I • Team is currently on-schedule

  9. ISPO CONTROLS – Without IT

  10. Segregation of Duties

  11. OP US SOX 404 System Controls • New SoD Matrix Introduced 6/1/2006 • Lubes – excludes Canada • Magellan – excludes Stusco

  12. High Risk Cases by User New SoD Matrix Introduced 6/1/2006

  13. All Risk Cases by User New SoD Matrix Introduced 6/1/2006

  14. Management Assessment Sign-off Process

  15. Q2 Sign-Off – Business Process Overview • AoO Sign-off Scheduled for August 22nd • Q2 Sign-off Process Identical to Q1 for: - Green light/Non-Greenlight assurance - Design effectiveness evaluation • Q2 Additional Requirements are: - Testing and evaluation of operating effectiveness • Confirmation of design and operating effectiveness for controls operated by ISPs and ESPs Note: Deficiency Evaluation for Financial Impact using Process Deficiency Workbook (includes ISP controls) to be completed by September 4th. Review preliminary results with GreenLight Signatories prior to August 22nd Sign-off

  16. Q2 Sign-Off: Key Dates

  17. Q2 Sign-Off: Other Key Dates

  18. Q2 Sign-Off: Business Activity/Status

  19. Q2 Sign-off - ESP/SAS 70 Recap • Total ESP identified – 27 • Total with significant impact – 16 • Total without sufficient internal controls – 2 • CSC – Audit Rights have been exercised in IT • Avista Advantage, Inc. – SAS 70 Type II reports required • 1 - SAS 70 Required with Avista Advantage, Inc • Response Outstanding from Aviation

  20. Management Assessment Deficiency Evaluation Process

  21. Q2 Deficiency Evaluation Status - Business

  22. Q2 PDW Evaluation Status on 9 August Business and IT Meetings are held for each control deemed by SOX Remediation Team and / or Testing Team to be not effective prior to 8/11 Draft PDW templates turned in to OP Central Team August 2nd • 4099 Supply C3.2.2.a.1, C3.3.h.1 and C3.3.h.2 • 4183 Lubes C2.1.f.1 and C2.1.f.2 • Current Status – waiting on OP and FCC feedback on documentation (expected this week) Next Steps • August 15 1-5 P.M. Business Review – time set aside if needed for issue resolution • August 17 1-5 P.M. Business Review – time set aside if needed for issue resolution • August 24 Challenge Session with Steering Committee • September 4 Final file due to the OP Central Team

  23. Summary/Expectations

  24. Summary/Expectations • Review deficiencies reported through BCIs and evaluate impact on SOX controls • Rapid escalation of deficiencies and SOX impact • Continue to follow expectations on Key Activities/Actions Required (Charts 3&4) • Overall Good Work – Need to Keep it Up However there are a few exceptions: • Finish providing information of SAS 70 • Need co-operation with Lynn Sievers on PDW • Everyone says that all controls will be effective at sign-off • Must start on Controls at Risk lists • Continue to focus on ISP Interface • Ensure correctness - especially check Manila (as it has been identified as possible issue)

  25. IT Workstream Update

  26. US IT - DE

  27. US IT - DE Q2 Status – as of 08/04 • All C12 Controls DE • 6 C13 Controls Outstanding • 4 new controls to address MS Access • 2 annual controls * Excludes No Transactions

  28. US IT - OE

  29. US IT - OE Q2 Status – as of 08/04 * Excludes No Transactions

  30. US IT - GC Deficiency Evaluation Status • ITGC Process Owner Signoff Started Aug 7 – GL Frozen • ITGC Meetings completed for all Applications week of 31 July • ITGC results presented to Business team 7 August in preparation for Business Deficiency Evaluation meetings

  31. AEC Testing Status

  32. US IT General Controls – Challenges Summary • Completion of OE by August 31 to align with PWC requirements • All controls for applications in PwC scope will be complete by August 31 • Begin focus on IT Embedding • IT Embedding workshop held week of July 31st • Project will stay in place through Q4 signoff • Line organizations will be engaged with project team during Q3 & Q4 signoffs • C11 • Knowledge Transfer planned to be complete by end of August

  33. Audit Update

  34. Internal Audit Status Status on 9 August Internal (IAF) Audit – Round III • Overall rating: Fair * Combined Business and IT report issued. • Business is currently in the process of analyzing the findings.

  35. IAF Audit Update – IT GC • IAF Audit started 26 June and completed July 14 • Draft audit report received • One medium finding regarding review of self assessment testing • Common issues noted: • Tests did not contain enough detail to meet re-performance standards • Test did not contain descriptions of the sampling methods • Test did not include the names of documents used in the execution of the test • IAF returns August 21 • Audit scope includes DE and OE for Lubes C11 and AEC only

  36. PwC Audit Update – OE Testing • No findings to date on the D1/D2 controls which have samples available for testing

  37. PWC Audit Update – IT GC • PWC • Lubes DE audit complete and no design deficiencies found • SOPUS DE audit complete and no significant deficiencies found • OE audit begins 7 August

  38. Embedding Update

  39. After Action Review (AAR) Summary From COB/COSs: • “Surprised at how little people knew – especially after all the time spent on SOX” • Customized case study examples had big impact and critical to audience acceptance and understanding (1 COB did not agree) • SOX Owner's-Manual course (presented to management) • Subject Matter Expert (SME) in class added value • Attendees pleased with content and length of courses • Delivery of courses in one day increased continuity • Training reinforced ownership to Control Owners • Training & awareness improved generation of evidence and documentation • Classes were a year too late – business was starving for information since October 2004 • SOX staff roles understood only after the training

  40. After Action Review (AAR) Summary-cont’d From EMBEDDING: • Where Focal Points took initiative to prepare attendee and provide strong leadership and support for SOX events… …A best practice • G-J Smitskamp/Leadership visibility, encouragement and attendance at courses role-modeled importance of SOX and had positive “ripple effect” across SOPUS • Great SME support, positive overall trainee attitudes (which come from the leaders) • Responsive, engaged focal points. A pleasure to work with…

  41. After Action Review (AAR) Summary-cont’d Items which may require further action…. From COB/COSs: • Training requirement met, but concern that people did not see the value of training and may have underestimated the legal aspect… • Online training resources would be helpful to meet remote training needs • Knowledge Survey was scary; don’t know why it was necessary; Not comfortable that results are given to my boss, yet I don’t know how I did • Need to understand future training requirements, i.e., new employees/updates From EMBEDDING: • Based on AAR input, need to validate ongoing role of SOX Focal Point • Agree with observation of need for annual refresher training – e.g. elearning Add’l Lesson Learned Embedding occurs in waves. The next wave is translating knowledge to consistent application.

  42. Other Business

  43. Motiva Business

  44. Motiva Agenda • Business Review/Controls At Risks • Internal Audit

  45. Business Review/Controls At Risks

  46. Business Controls At Risk by CoB As of 8/3/2006

  47. ISPO CONTROLS – Without IT

  48. Internal Audit Update

  49. Internal Audit Update • Sample Selected Includes: • - 16 Controls to Review Self-Assessment Testing • Consists of 9 IT Dependent (each has a Manual and a System control), 3 System, 4 Manual = 25 Controls to Review Documentation • 16 Controls for Independent Testing • Consists of 9 IT Dependent, 1 System, 6 Manual = 25 Controls • Estimate 50% of Work Effort Complete at This Time • First Discussion of Audit Results Scheduled for August 9 • Testing is Targeted for Completion August 18

  50. APPENDIX
