Presented at GRA Workshop – London 080906, Derrick Wright. SOX Factory Overview, July 2006.
SOX Factory Objectives

Background
• The SOX factory was established in 2004 under the direction of F&SS to provide a central expertise to ensure consistency and standardization of SOX controls. Now forms part of GRA organisation.

Objectives
• Ensure Streamline SOX controls design meets Shell standards and provides an adequate and sufficient SOX controls framework, including:
• Control efficiency reviews;
• Provide documentation for Streamline and DS1 projects SOX controls.
• Mapping SOX controls for SSSC transition;
• Ensure proper integration of legacy SOX controls and Streamline SOX controls as Streamline and GSAP are implemented;
• Undertake SOX impact analysis on other Downstream One projects and design and document any needed SOX controls prior to implementation.

Why the “Factory” Approach
Themes: Standardisation & Consistency; Efficiency & Economies of Scale; Expertise; Quality Assurance
• Design and implementation of global set of standard SOX controls
• Interpretation of standards, methodology documentation approach
• Can quickly propagate improvements in methodology
• Reduces management strain on process teams
• Leverage central support: economies of scale
• Leverage expertise across process areas; shift resources within the Factory to meet work demands
• Enables quality assurance and quality control cost effectively
• Enables robust progress monitoring and prompt issue escalation

SOX Factory – Key Deliverables to Date (July 06)
Side labels: SODA; Implementation; Sign Off; DS One Global Projects

GSAP Global Controls
• 313 controls global defined GSAP SOX designed, documented
• 34% reduction of automated controls assessed as redundant
• Design of Greenlight structure to accommodate the Streamline model
• Assisted in the building of the “to be” structures in Greenlight
• Providing advice and active assistance and automated tool to resolve segregation of duties issues

Implementation
• Provided additional information including training materials and supporting information for Go Live
• Set up implementation teams to work with “as is” SOX teams in transitioning to new global controls

Sign Off
• Obtained Ownership of global controls and global process owner sign off

Smaller DS1 Projects
• Assessed over 200 projects for SOX 404 impact analysis

SOX Factory Structure - Overview
• Downstream Governance, Risk & Assurance Manager: Ho Cheng-Kwee
• Project Enabling Activities: Linda Olivier
• KPMG
• SOX Factory Lead: Derrick Wright (Shell), Stephen Spellman (KPMG)
• Project Management Office: [TBD]

Design and Implementation work streams:
• Design, Document and Optimize GSAP R/1.3 Controls: Ronald Jonker
• Design, Document and Optimize non-GSAP Controls: Chris Tippel
• Embed and transition control operation and maintenance: [TBD]
• Run, Maintain and Optimize GSAP R/1.2 Controls: Chris Wright
• Implement GSAP R/1.3 Controls: Clive Benham
• Implement non-GSAP Controls: [Clive Benham]

SOX Factory Structure Beyond July 2006

Project Management Office: [TBD]
• Impact assessment & project tracking
• Planning and monitoring
• KPI Reporting
• Professional Development
• Resource Planning / Onboarding / Offboarding
• Communication

David Defroand KPMG Relationship Partner
Ho Cheng-Kwee
SOX Factory Leadership: Derrick Wright, Stephen Spellman

Project Enabling Activities: Linda Olivier
• Cross work-stream challenge
• Stakeholder Management (inc ‘As is’ community, central SOX, IAF, external audit, QC etc)

Design and Implementation work streams:
• Design, Document and Optimize GSAP R/1.3 Controls: Ronald Jonker
• Run, Maintain and Optimize GSAP R/1.2 Controls: Chris Wright
• Design, Document and Optimize non-GSAP Controls: Chris Tippel
• Embed and transition control operation and maintenance: [TBD]
• Implement GSAP R/1.3 Controls: Clive Benham
• Implement non-GSAP Controls: [Clive Benham]

Work stream activities, in the order listed on the slide:
• Update existing controls
• Design and document new controls
• Optimize control efficiency
• Update other relevant documentation
• Update test scripts
• Update Greenlight
• Early thinking / challenge of controls for move to SSSC / Global functions
• Process changes
• Complete process and controls gaps
• Design R/1.25 controls
• Follow up o/s issues
• Update other relevant documentation
• Assess and support control operation
• Update Greenlight
• Complete, distribute & monitor completion of test scripts
• Remediate controls: where design fails
• Identify SOX impact of non-GSAP projects
• Design and document new controls
• Optimize control efficiency
• Ensure integration with GSAP controls
• Update other relevant documentation
• Update test scripts
• Update Greenlight
• Develop, maintain and communicate standard Implementation Toolkit
• Develop, confirm and execute implementation strategy and planning
• Identify and confirm relevant dates and locations for implementation
• Identify and train relevant control owners, control operators and other stakeholders
• Identify, analyse and follow-up local requirements and gaps to global processes and global controls
• Execute allocated test programmes
• Report back on findings
• Remediation support where fail is a consequence of business acceptance
• Develop and roll-out (standard) strategy for embedding controls in AoOs
• Develop and roll-out (standard) strategy for transition of control maintenance
• Ensure SOX Factory and AoO / SSSC organisations are ready for transition of control maintenance

Other labels on the slide:
• FSS; StBC / StRC; PGS; HM / LSC
• Control automation and efficiency challenge
• Change management: passes between the core activity streams. Incl. Change control and SOX impact assessment of GSAP change requests
• SODA
• Quality Control and Methodology: sits within the core activity streams
• Execute communication / stakeholder plan

SOX Factory Interaction with GRA Organisation

Background
• GSAP/ StreamLine implementations
• Country based risk assessments both GRAs and Sox Factory have played a role to date
• Other DS1 projects impact assessments and subsequent implementations.
• GRAs identifying systemic issues in the AoOs - medium to longer term feedback loop on the GSAP/ StreamLine and DS1 implementations.
• Within AoOs, GRAs are key enablers for raising awareness and understanding of Sox Factory.

SOX Factory
Any Questions? Might have answers?

Streamline Controls Approach
SOX Controls Centre of Excellence

Who: Impact Assessment; Design Team; Implementation Team

Objective:
• ‘Early Warning’ of D1 Projects with SOX Impacts
• For Streamline GSAP document SOX controls as required (2) For D1 Non Streamline Global Projects with SOX impact document SOX controls as required (1) SOx: Transition ‘as is’ SOx documentation to ‘to be’ SOx documentation (2) Business Controls: Handover ‘Key Controls’ in Group Compliance Monitoring Tool

Output:
• List of D1 Projects with SOX Impact:
  • Timeline for projects
  • Affected SOX Countries
  • Affected SOX Processes
  • Est Documentation effort
• SOX documentation in GreenLight
• Business Controls documentation in Group Controls Monitoring Tool
• SOX & Business Implementation Toolkits
• Migrate ‘as is’ SOX and Business Controls to ‘to be’ processes

Streamline Methodology Overview
[Flowchart. Labels recoverable from the slide: Validate Change Risk Controls; Request SOx Training; Methodology Requirement; Review; MAP BPML to Process Controls; Document Streamline and understand SOx 404 Risks & Controls; Process CHANGE REQUESTS; Streamline & Risk GAPS? (Yes / No); Guideline; Update SOx Traffic Lights; Upload Control documentation on Greenlight; Document SOx 404 On Swim Lanes & Update SoD; Controls Register; Document SOx Narratives; Desktop QA Review; SOx QC Review; Rework documents Post QC; QA Handholding & Support; Sign Off SOx Documents; Automation & Simplicity Challenge. Parties named: F&SS Focal Point; SOx Factory (with Input/Supervision of Process Controls Focal Points); QA Team; Process Owner.]

Streamline SOx in Scope Processes

A. Management of Financial Activities
• OLA1. Organisation Level Assessment
• OLA2 Organisation Level Assessment Group/Business/Regional Level

B. Manage Equity and Financing
• B1. Optimise capital structure
• B2. Manage financing agreements
• B3. Support JV & PSC agreements
• B4. Support acquisitions & divestments
• B5. Manage financial trading, liquidity, forex, interest rate risks
• B6. Manage liquidity risks
• B7. Forex and interest rate risk
• B8. Third party borrowing
• B9. Manage depositing
• B10. Intra Group dividends
• B11. Manage funds acquisition
• B12. Manage treasury settlements
• B13. Manage investment portfolio
• B14. Manage parent companies capital

C. Record and Execute Transactions
• C1. Purchases and payables
• C2. Inventory
• C3. Commodity trading
• C4. Sales and receivables
• C5. Capital and fixed assets
• C6a. Account for VAT/GST
• C6b. Account for excise duty
• C7. Account for direct tax
• C8. Cash management
• C9. Payroll & benefits
• C10. Manage supporting information
• C11. Maintain finance IT structure – business applications
• C12. Maintain finance IT structure – Infrastructure
• C13. End-User computing

D. Manage Reporting & Analysis
• D1. Manage financial close process
• D2. Manage supplementary information and disclosures
• D3. Manage Group and statutory reporting incl. legal
• D4. Manage internal reporting

E. Specialist
• E1. Tax Advice
• E2. Insurance
• E3. Pensions
• E4. Legal

F. Specialist
• F1 Reserves
• F2 Hydrocarbon

Other labels on the slide: GSAP; SOx IT

1) Impact Assessment
Stages: Initial High Level Assessment; Validation & Assessment; SOX Controls Assistance
• Initial high level assessment using questionnaire completed by project team. Gets at question, ‘Does my project impact SOX?’
• Based on project list maintained by Streamline PMO.
• Follow-up validation and assessment. Completed by phone; includes detailing of processes and associated SOX controls impacted by the project
• Assistance prioritised and scheduled based on requirements, using:
  • SOX risks impacted
  • SOX level of countries impacted
  • Current state of SOX documentation
  • Implementation schedule

SOX IMPACT (SI)
• Questionnaire completed by project manager
• Desktop review by SOX impact assessment team (e.g.: project research, conference calls)
• SOX design and implementation after initial assessment based upon priority/impact

No SOX Impact (NSI)
• Questionnaire completed by project manager
• Desktop review by SOX impact assessment team (e.g.: project research, conference calls)
• Global projects that are concluded as NSI require sign-off from:
  • Cheng-Kwee Ho (SC-DFC/G, Downstream Governance, Risk & Assurance Manager).
• NSI Confirmation e-mail to project manager (copy to be provided to country controller)
• Local projects: the country controller will provide sign-off

2) SOX Global Design
Design, Creation and Quality Control of SOX Controls
• 4 deliverables
  • Control Register
  • Flowchart
  • Narratives
  • SODA
• Document Process, controls, walkthrough and related information
• Management demonstrate their understanding of the processes
• Management demonstrate their awareness of the existing controls and effectiveness
• External auditors use the documentation to understand the processes, controls and perform the Walkthrough.

Questions/Remarks

Contact details: Stephen Spellman
• SOX Factory Leadership - KPMG
• Shell International Petroleum Company Limited
• Shell Centre, London SE1 7NA, United Kingdom
• Tel: +44 207934 8418
• Other Tel: +44 7769 956991
• Email: steve.spellman@shell.com

Contact details: Derrick Wright
• SOX Factory Leadership - Shell
• Shell International Petroleum Company Limited
• Grosvenor House, 72 Gordon St, Glasgow, UK
• Tel: +44 141 649 7948
• London +44 207 934 5971
• Mobile + 44 7789920981
• Email: derrick.wright@shell.com