US OP SOX 404 Steering Committee Presentation
July 26, 2006 (slide footer dated 06-28-06)

Embedding Update

Embedding Transition Activities
• Embedding Team Deliverables Met 6/30
  - CORE TRAINING – 93% complete
  - 28 Business Trainers certified
  - Embedding transition team in place
  - All Close-Out Meetings complete in July
• Transition to Run and Maintain for training
  - Continue to track mandatory courses and HTBA e-learning attendance
  - Attendance records to transition to SOU records – 3Q 2006
  - First Business Trainer coordinated course (PH/ME) scheduled for July 26
  - Maintain Evidence & Self Testing to e-learning – 4Q 2006 launch
  - CMT SOX 404 Annual Cycle e-learning module: tracking errors and other glitches continue to be reported
• Jeff Blackwell, US GRA Lead – onboard
  - Will present SOPUS model to GRA Workshop August 8–10
• Knowledge Survey Status
  - 686 participants, average score 87%; 68% scored above 90, 3% scored below 50
  - Readiness Index 4.4 (out of 5.0)
• Additional Lesson Learned
  - Embedding occurs in waves. The next wave is translating knowledge to consistent application.
Upcoming Key Activities/Action Required

Upcoming Key Activities/Action Required (Cont'd)

Business Controls At Risk by CoB

Business Controls At Risk by Major Themes
OP US SOX 404 System Controls

Percentage of Outstanding SOD Conflicts (with no compensating controls)
• New SoD Matrix introduced 6/1/2006
• Lubes – excludes Canada
• Magellan – excludes Stusco

High Risk Cases by User
• New SoD Matrix introduced 6/1/2006

Remediation Schedule
• Role changes (technical remediation) are almost complete – the numbers reflect this work to date
• Workshops scheduled with BUSA/FROs and BUFP, prioritized by counts, risks and availability
• Schedule has been compressed to meet the deadlines of August 31st to fix all highs and September 30th for all other items
• Biggest risk is that new controls are needed to compensate for new SOD cases
• Need commitment from the Business to respond to requests and to complete compensating control / risk waiver forms
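The two metrics on the preceding slides (outstanding SoD conflicts with no compensating control, and high-risk cases by user) follow directly from three inputs: the SoD matrix, the role-to-function mapping, and the register of approved compensating controls or risk waivers. The script below is an added illustration, not the deck's own tool or the SoD matrix it refers to; the matrix entries, roles, users and compensating controls are all constructed sample data, and "high-risk cases by user" is taken here to mean uncompensated conflicts the matrix rates high.

```python
"""Segregation-of-duties (SoD) conflict analysis.

Added illustration, not part of the steering-committee deck: a constructed SoD
matrix, role-to-function mapping and user assignments are evaluated to produce
the share of outstanding conflicts that have no compensating control and the
count of high-risk cases by user. All names, roles and function codes below
are constructed sample data.
"""
from collections import defaultdict
from itertools import combinations

# Constructed SoD matrix: pairs of business functions that must not be held by
# one person, with the risk rating the matrix assigns to the pairing.
SOD_MATRIX = {
    frozenset({"vendor_master_maintain", "vendor_invoice_post"}): "high",
    frozenset({"vendor_invoice_post", "payment_release"}): "high",
    frozenset({"journal_entry_post", "journal_entry_approve"}): "high",
    frozenset({"sales_order_create", "credit_limit_change"}): "medium",
    frozenset({"goods_receipt", "vendor_invoice_post"}): "medium",
}

# Constructed role definitions: which functions each role grants.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"vendor_invoice_post", "goods_receipt"},
    "AP_MANAGER": {"payment_release", "vendor_master_maintain"},
    "GL_ACCOUNTANT": {"journal_entry_post"},
    "GL_SUPERVISOR": {"journal_entry_approve"},
    "SALES_REP": {"sales_order_create"},
    "CREDIT_ANALYST": {"credit_limit_change"},
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": {"AP_CLERK", "AP_MANAGER"},
    "bob": {"GL_ACCOUNTANT", "GL_SUPERVISOR"},
    "carol": {"SALES_REP", "CREDIT_ANALYST"},
    "dave": {"AP_CLERK"},
}

# Constructed register of approved compensating controls / risk waivers,
# keyed by user and the conflicting function pair the control covers.
COMPENSATING_CONTROLS = {
    ("bob", frozenset({"journal_entry_post", "journal_entry_approve"})):
        "Monthly independent review of self-approved journals by controller",
    ("carol", frozenset({"sales_order_create", "credit_limit_change"})):
        "Risk waiver approved; credit changes above threshold dual-approved",
}


def user_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Flatten a user's roles into the set of functions they can perform."""
    funcs = set()
    for role in user_roles.get(user, ()):
        funcs |= role_functions.get(role, set())
    return funcs


def find_conflicts(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS,
                   matrix=SOD_MATRIX):
    """Return {user: {function_pair: risk}} for every matrix pairing a user holds."""
    conflicts = defaultdict(dict)
    for user in user_roles:
        funcs = user_functions(user, user_roles, role_functions)
        for pair in combinations(sorted(funcs), 2):
            key = frozenset(pair)
            if key in matrix:
                conflicts[user][key] = matrix[key]
    return dict(conflicts)


def summarize(conflicts, compensating=COMPENSATING_CONTROLS):
    """Compute outstanding (uncompensated) conflicts and high-risk cases by user."""
    total = 0
    outstanding = []
    high_by_user = defaultdict(int)
    for user, pairs in conflicts.items():
        for pair, risk in pairs.items():
            total += 1
            if (user, pair) not in compensating:
                outstanding.append((user, tuple(sorted(pair)), risk))
                if risk == "high":
                    high_by_user[user] += 1
    pct = round(100.0 * len(outstanding) / total, 1) if total else 0.0
    return {
        "total_conflicts": total,
        "outstanding": outstanding,
        "pct_outstanding": pct,
        "high_risk_by_user": dict(high_by_user),
    }


if __name__ == "__main__":
    report = summarize(find_conflicts())
    print(f"{report['pct_outstanding']}% of {report['total_conflicts']} "
          f"conflicts have no compensating control")
    for user, pair, risk in report["outstanding"]:
        print(f"  {user}: {pair[0]} + {pair[1]} [{risk}]")
    print("High-risk cases by user:", report["high_risk_by_user"])
```

With the sample data, alice holds both AP roles and therefore three uncompensated conflicts (two rated high), dave's single AP_CLERK role already pairs goods receipt with invoice posting, while bob's and carol's conflicts are covered by registered compensating controls. A real run would replace the constructed dictionaries with exports from the access-management system and the waiver register, and the "new SoD matrix introduced 6/1/2006" note on the slides is exactly the case where a changed `SOD_MATRIX` produces new cases that existing compensating controls do not yet cover.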
SOD Workshop Schedule

Q2 Sign-Off – Business Process Overview
• AoO Sign-off scheduled for August 22nd
• Q2 Sign-off process identical to Q1 for:
  - Green light/Non-Greenlight assurance
  - Design effectiveness evaluation
• Q2 additional requirements are:
  - Testing and evaluation of operating effectiveness
  - Confirmation of design and operating effectiveness for controls operated by ISPs and ESPs
  - Deficiency Evaluation for Financial Impact using the Process Deficiency Workbook (includes ISP controls)

Q2 Sign-Off: Timeline
Non-GreenLight Sign-off, Aug 1–18, 2006
• Control Owner Review with BUPF – Aug 1–4
• SOX Sign-off Review Session, Aug 7–11 – Control Owner to BU Process Owner
• CoB Senior Finance Managers or CoS Department Leads Sign-off – Aug 14–18
• SOX Sign-off Review Session – CoB Senior Finance Managers or CoS Department Leads to GreenLight Signatories
Regional GreenLight Sign-off, Aug 21–24, 2006
• Service Providers (SPS, Group IT, Treasury, SSSC) by Aug 21st (4099 SOP US IT, 4183 Lubes IT, 4476 SSSC Manila)
• AoOs and Process Entities in the Business and Functions, Aug 22nd (4099 SOP US, 4098 Deer Park, 4183 Lubes, 4420 FIFO)
  - Morning – Classes of Business (Senior Business Leaders)
  - Afternoon – Classes of Service (Controllers)
• Region & Business Sign-off, Aug 24th – OP Downstream Leadership Team and OP Controller
Q2 Sign-Off: Business Activity/Status

Q2 Sign-Off – IT Relationship To Business
Infrastructure & Application Controls (C11/C12)
• The relationship between IT and the business is described as a "Client/Service Provider" relationship.
• IT owns and operates certain key SOX controls to ensure that the business can rely on the data generated by those systems affecting financial reporting.
• IT is responsible for control operation, documentation, evidence and testing of these controls.
• IT will provide an assurance to the Business for the purpose of Business sign-off; this is achieved through the Functional Sign-off to the DS Controller.
• IT will sign off before the Business to reflect the fact that the Business is relying on the assurance provided by IT.
End User Computing (C13)
• Exception with respect to C13 End-User Computing: the AoO Controller will sign off in GreenLight.
Documentation & Remediation Testing
What Is Deficiency Evaluation?
In order for management to assess the effectiveness of internal control over financial reporting, deficient controls need to be evaluated and the Process Deficiency Workbook updated.
[Diagram labels: Scoping; Effective; Not Effective*; Deficiency Evaluation; Q1, Q2, Q3, Q4]
* Defined in subsequent slides

Deficiency Evaluation – Overview
Start: controls that are "not effective" in GreenLight
1. List of key controls that are "not effective" (refer to previous slides for the definition of "not effective"). Process supported by the PDW tool.
2. Understand the deficiency and undertake a preliminary qualitative / quantitative assessment: understanding of the nature and extent of the deficiency (for example, is it limited to a particular location / class of transaction) and preliminary assessment, qualitative or quantitative.
3. Qualitative deficiency: more likely to have a broad impact on financial statements. Quantitative deficiency: ineffective transaction controls will generally result in a potential misstatement that can be estimated from the account balance or transaction volume.
4. Determine need for Rapid Escalation: provide early warning of deficiencies that have a large financial impact or that are qualitatively very significant.
Deficiency Evaluation Status – Business

Internal Service Provider Relationship
For the Q2 2006 Sign-Off and Evaluation of Deficiencies:
• All paste-linked controls will be evaluated by the ISP only to the extent they impact the controls in scope for their own SOX processes.
• The ISP is responsible for recording the remediation planned and should ensure that the reason the control has failed, and other useful information, is clearly shown in GreenLight in the test comment box.
• The receiving entity is to evaluate the control deficiency as it impacts them, minimizing the need for Internal Service Receivers to individually communicate with the ISP.
• ISP paste-linked controls in GreenLight should be in line with the agreed interface matrix.

Internal Service Provider Relationship
Therefore, AoO confirmation of ISP controls only requires you to:
• Validate that the ISP interface matrix has the correct controls paste-linked in GreenLight with the DE and OE status from the service provider.
• Evaluate the impact of service provider control deficiencies on your (as receiver) Financial Statements using the PDW process.
ISPO CONTROLS – Without IT

External Service Provider Relationship
For all External Service Provider (ESP) relationships:
• SAS 70 is required where the ESP's activities have a significant impact on financial reporting and existing internal controls are not adequate to reasonably mitigate risks.
• Before we seek assurance by means of securing a SAS 70, we should first determine whether internal controls could be sufficiently enhanced.
• If enhancing internal controls is not an appropriate option, an evaluation is necessary to determine whether management will arrange to conduct an audit or rely upon a Type II SAS 70 report provided by the service provider.
• For Q2 sign-off, SAS 70 Type II reports, for DE and operating effectiveness, are in place where required.

Q2 Sign-off – ESP/SAS 70 Recap
Total ESPs identified – 27
• Total with significant impact – 16
• Total without sufficient internal controls – 2
  - CSC – audit rights have been exercised in IT
  - Avista Advantage, Inc. – SAS 70 Type II reports required
1 – SAS 70 required with Avista Advantage, Inc.
• Processes and pays utilities on behalf of OP – Manufacturing, Retail, Lubes, and Motiva Distribution
• Managed through SGEMS (Shell Group Energy Management Services)
• Avista has provided the 2005 SAS 70 already.
• 2006 interim letter issued by CFO for November 2005 – July 2006
• 2006 annual report will be available in November 2006.
What We Need From You
• Encourage control owners with deficiencies and subject matter experts to attend the 2-hour Mgmt Assessment & PDW workshop
• Make available subject matter experts to participate as needed in the compensating control evaluation sessions
• Understand how ISP ineffective controls (see PDW definition) impact your business and begin thinking of compensating controls
• Understand how IT applications that are at risk will impact your business and begin thinking of compensating controls
• Review deficiencies reported through BCIs and evaluate impact on SOX controls and for rapid escalation
• In the interest of time, be proactive with adding expected ineffective controls to the list for PDW evaluation

What We Need From You
• Send feedback on the Q2 sign-off letter by 7/26
• Ensure strict compliance with control review/sign-off dates for each signatory
• Identify a delegate if GreenLight Signatories are not available to sign
Deficiency Evaluation – IT
1. Evaluate the nature and consequence of the deficiency
2. Group deficiencies
3. Find compensating controls
Red Escalation is a sensitive process. All Red escalation will be agreed first with OP US Business.

DE – US IT

OE – US IT

Summary IT Control DE Status – as of 07/20
• All C12 controls DE
• 6 C13 controls outstanding
  - 4 new controls to address MS Access
  - 2 annual controls

Summary IT Control OE Status – as of 07/20
* Total does not include Remediated / Not Retested

IT General Controls – Challenges Summary
• Potential long lead-time remediation items (e.g., Backup & Restore)
  - Backup & Restore
    - 3 controls remain outstanding for DE & OE
    - All expected to be DE by Q2 Signoff
    - Work ongoing to make controls OE by Q2 Signoff
  - Password Security – 8 controls
    - Email to Application Owners to enforce ELIS training
    - All expected to be DE by Q2 Signoff
    - Some controls will not be OE by Q2 Signoff
• Completion of OE by August 31 to align with PWC requirements
  - OE Raps being reviewed with BAM and meetings to be scheduled
• Q2 Signoff, Deficiency Evaluations and testing completion all competing for the same resources
• Begin focus on IT embedding
  - C12 is well positioned for embedding
    - Handover from project to OPSS on track after Q2 Signoff
  - C11
    - Draft plan for Knowledge Transfer in final stages
    - Scheduled to begin mid-Aug pending Deficiency Eval progress
Motiva Agenda
• Business Review/Controls At Risk
• Internal Audit

Business Controls At Risk by CoB

ISPO CONTROLS – Without IT

Business Controls At Risk by Major Themes

Internal Audit Update