
SOX404

Presented at GRA Workshop – London 080906 Andrew Whittaker (?). SOX404. Version 1.0. Deficiency Evaluation Workflow. July 2006. Why do we do a Deficiency Evaluation?


Presentation Transcript


  1. Presented at GRA Workshop – London 080906 Andrew Whittaker (?) SOX404 Version 1.0 Deficiency Evaluation Workflow July 2006

  2. Why do we do a Deficiency Evaluation?
     • To enable the Board of Royal Dutch Shell plc to determine whether there are significant deficiencies or material weaknesses in the internal control over financial reporting
     • Such determination can only be made at plc level BUT is dependent on individual AoO level deficiency evaluations

  3. Why is Management Assessment (MA) so Important?
     • MA is the conclusion of all our SOX work to date
        • Risk Assessment
        • Scoping
        • Documentation and Testing
     • Quantification of deficiencies is the litmus test for SOX compliance (Material Weakness / Significant Deficiency)
     • Judgment is required, therefore there is a risk of inconsistent application and bias towards under or over statement of deficiencies
     • The integrity and robustness of the MA process is critical to achieving a positive attestation regarding SOX compliance. Failures in the MA process will jeopardise all of the investment made towards ensuring high quality process documentation, control descriptions and testing.

  4. Deficiency Evaluation Workflow Primary Reporting and dialogue Information Required for SOX 404 Attestation Financial Control Team (FCC) Attestation mid August to mid Sept Validate, Aggregate, Advice EVP COB DLT (EDDS) Review and understand deficiency. Implement corrective action. Awareness, commitment to corrective action. DFC Level Review Review deficiencies, Compensating D4 controls, challenge larger exposures, Final Arbiter COB VP Finance Direction of cascade Review, Validate and Challenge deficiencies once accepted, assumes ownership of exposure. Regional Controllers mid July to mid August COB/F GRA Review Deficiencies, Challenge, Arbiter Legend Review deficiencies, validate w local COB Leader AoO Identify deficiencies, Quantify, Aggregate & Report, AND own the resulting exposure Start

  5. Guiding Principles
     • Deficiency evaluation is an unbiased quantification of the potential exposure.
     • Deficiency evaluations are quantified in accordance with the SOX 404 methodology.
     • Rationale for quantification of deficiencies must be documented using the MA template.
     • Once deficiency evaluations have been properly vetted with the COB/F and entered in the PDW they are deemed to be accepted by the COB/F.

  6. At AoO Level Local COB/F Leader PDW Review deficiencies, understands and accepts the quantification, owns remediation AND exposure Primary Reporting and dialogue Information Control Owner Accepts deficiency evaluation AND owns exposure Regional Controller COB/F GRA Review Deficiencies, Challenge, Arbiter Review deficiencies, validate w local COB Leader AoO Controller Review larger deficiencies, Arbiter, consider compensating controls Direction of cascade Local COB/F Finance Lead Understands deficiency and quantification, applies knowledge of business, challenge where appropriate, commitment to corrective action. Legend Deficiency Quantified (Compensating Controls?) MA trained resource. Input from Control Owner MA Facilitator* *MA facilitator = AoO/Cluster GRA or alternate if not appointed yet.

  7. Roles and Responsibilities of the MA Facilitator*
     • Ensure quantifications of deficiencies are appropriately documented, populated and aggregated (no double and triple counting) in the PDW.
     • Manage report generation out of the PDW.
     • Identify potential REDs for escalation.
     • Ensure COB/F stakeholders are engaged in the MA process AND confirm their acceptance of evaluations.
     • Ensure compensating controls have been considered and are appropriate (i.e. mitigate same risk, in GL, Effective, etc.).
     • Ensure quantified deficiencies are fairly stated. No systematic bias towards understatement.

     *MA facilitator = AoO/Cluster GRA or alternate if not appointed yet.
