SPOUS SOX COE USA
Support to the Shell Journey to Sustainable SOX 404 Compliance

Outline
• Summary of GRA thinking-to-date
• Questions to be answered before COE is designed
• What others are doing – Shell
• What others are doing – Survey
• Next steps – GRA
• Next steps – COE
• Appendix: Sign-off cascade
The SOX embedding journey – critical elements and priorities
OP Controllers Conference_083105 N. Cordey_091205

Stages of the journey:

Documentation effort
• Processes
• Controls
• Test Scripts

Testing and Remediation
• Attestation
• External audit
• Design effective tests
• Self assessments
• Remediation and re-testing
• Internal audit

Initial Compliance
• Definition and implementation of
  - Processes
  - Roles and responsibilities
  - Org. structures
• Integration of SOX compliance assurance with the GRA framework

Embedded in Processes and Structure
• Resources in place, ramp-down of temporary staff
• Skills and capabilities levels raised
• Tools in place
• Functioning continuous improvement loops

Embedded in Daily Activities
• Behaviors of all stakeholders aligned
• Incentives aligned and consequence management performed

Embedded in Hearts and Minds

Timeline:
• Project Phase (Delivery): outside of normal business structure; high temporary resource levels
• Transition Period (Transition): roles and structures in transition toward steady state; retain higher level of staffing for oversight and support
• Steady State (Sustainability): normal element of day-to-day business
Opportunity to achieve improved performance & risk management
Integrating SOX activities in the GRA framework presents process improvement opportunities and embeds SOX in the existing management and control framework.

Enhance Risk Management Toolkit
• Build on the SOX404 foundations to improve controls and business processes
• Full alignment with Risk-based control framework

Build on Ability to Sense and Adapt to Emerging Risks
• Integrate Risk Management across the organization, transform processes, delivering sustainable value
• Global processes (with SOX-embedded controls) & standard systems contribute to smarter controls & improved Business Performance
• Develop fit-for-purpose approach for AoOs currently out of SOX scope

Continue to Address Integration Challenge

Explicitly Address Behaviour and Corporate Culture
• Absorb “Hearts & Minds” approach from HSE
• Enable single framework based on RDS plc Set of Standards
Key Design Principles – COE can Support
• Reinforce common objective: Shell Group obtains and retains compliance
• Provide consistency across businesses
  - Moving at the same pace towards the same goals; starting point may be different
• Clear individual roles & responsibilities and reporting and escalation lines
• Optimise low cost and high value add
• Embed into existing/planned management framework, processes (incl. change processes) and support structures
• Reinforce business ownership of compliance
• Position Centre to take strong role in ensuring compliance in global processes
• Enable clarity and transparency including definitions, risks, and consequences
• Enable sustainability and continuous improvement
• SOX will be folded into GRA organization
High level annual SOX processes

Key Processes (SOX Routine Processes):
• Trigger Periodic Retest
• Plan and Perform Self Testing
• Plan and Execute Remediation
• Management Assessment
• Monitor change and assess impact
• Reassess Scope
• Adapt controls and documentation
• Identify Incidents
• Locate & Refresh Evidence

IAF (Internal Audit Function)

People Processes

SOX Support Processes:
• Maintain Methodology
• Provide tools

COE Focus
Key elements of the routine processes….

Monitor change and assess impact
• Identify/Capture SOX relevant change to:
  - Processes
  - Environment
• Assess risk
• Support Qly 302 certification
• QC

Reassess Scope
• Change-driven (e.g., M&A, new site) and annual
• Re-evaluate in-scope locations and key controls

Adapt controls and documentation
• Risk-based response plan
• Identify affected controls/process
• Adapt/implement controls/process
• Update tools & documentation
• Test design effectiveness
• Terminate old Controls
• QC

Trigger Periodic Retest / Plan and Perform Self Testing
• Develop and execute risk-based, integrated test plan
• Enter data in Greenlight
• Analyze, consolidate and report results
• Execute roll-over testing when necessary
• QC

Plan and Execute Remediation
• Materiality-based prioritization
• Process-level remediation
• Higher level synthesis
• Monitor and report progress
• QC

Management Assessment
• Quantify, analyze and aggregate test results
• Full quarterly review
• Regular ongoing review and escalation of key issues
• Report upward / communicate downward
• Quarterly sign-off in Greenlight
• Sign off at all hierarchical levels

IAF
• Plan & Perform independent auditing
• Populate Greenlight
• Analyse and report results
… and support processes
Columns: Key Process Elements | Proposed COE Responsibilities | Proposed BU Responsibilities – GRA/IAF (?)

People Processes
• Leadership agenda and tone at the top
• Manage communication and information flow
• Build skills and capabilities including recruitment, training, values & behaviors
• Align with recognition systems and consequence management

Proposed responsibilities (COE / BU):
• Desk level quality
• Maintain evidence
• Input to assessment process
• Annual SOX review plan
• Unify decisions on any streamlining of BU compliance processes

SOX Support Processes

Maintain Methodology and “Reporting Stability”
• Assess regularly whether updates are required
• Perform and communicate updates
• Apply lessons learned

Provide tools
• IT infrastructure
• Greenlight
• Other supporting IT
• Guidelines and manuals
• System for incident tracking & mgt
• Define improvements to technology infrastructure
EP Compliance Opportunity Statement
Preliminary HSE best practice examples
EPE behaviour change – Input slide

Understanding how to get where you want to go: four change levers need to be addressed to change behaviour.

Central statement: “I will change my behaviour if . . .”

Role-modelling
• “. . . I see my leaders behaving differently”
• Have the formal leaders and the informal opinion leaders embraced the change by role-modelling?

Communicating
• “. . . I know what is expected of me”
• Has the who, what, why, when, and how been communicated throughout the organisation?

Developing talent and skills
• “… I have the skills to behave in the new way”
• Have training and development programmes been altered to reflect the new desired skill set?

Reinforcing with formal mechanisms
• “. . . the system reinforces the desired culture”
• Have the formal and informal policies and procedures (including compensation and appraisal) been changed to reinforce the new desired behaviours?
Next Steps: GRA Embedding workstreams
• Assess impact of PCAOB/SEC guidance on deliverables (scoping, testing methodology, i.e. more emphasis on company level controls, monitoring and supervisory controls)
• Finalize deliverables (job descriptions + processes)
• Draft and execute plan for implementation of “Architecture”
• Create a network of embedding managers across Businesses and Functions
• Execute gap assessment (quantity and quality of staff)
• Start recruitment and training
• Finalize recruitment strategy
• Progress behavioral agenda
Timeline: Sept 05 – Communications – Q4 05
Next Steps: Organisation – Embedding of Controls Structures
• Roles, responsibilities, and tools will be largely the same.
• The Business Sectors are pursuing common approaches to embedding organizational control structures.
• There will be organizational support for controls at the Global, Regional, and Local levels.
• Exact organization control structures will be embedded into the business sector structures and will vary somewhat with those structures.

Steady State – EP view (controls structure by level)
• Group-CFO – Group GRA (with Internal Audit)
• EVPF – EP GRA
• Regional VPF – Regional GRA
• Finance Mgr. OU – OU GRA Focal point
Next Steps: Embedded State – Downstream

Group level
• CIO
• CFO RDS
• FCC
• GRA Mgr

Downstream level
• DS EVP FN&IT&CP 1) 2)
• DS Controller
• DS CIO
• CoB/S, GB VPs FN
• CoB/S, GB GRA Mgrs
• DS IT Compl. Mgr
• DS Acc. Policy Advisor
• DS SOX 404 Compl. Mgr
• DS GRA Manager

Regional level
• Regional Controllers
• Regional Acc. Policy Advisors
• Regional SOX Focal Points
• Regional GRA Focal Points

Local level
• Local Controllers
• Local Acc. Policy FPs
• Local SOX FPs
• Local GRA FPs

Process Owners / Process Executors / Control Owners / Control Executors
GRA Cascaded controls structure…..
• FCC – Group GRA
• Group Business/Function – Business/Function GRA Manager
• Region/CoB – Region/CoB GRA Manager
• AoO – Local GRA Focal point
• Network
Sign Off Cascade…. part of the Management Assessment Process

Sign-off cascade (top to bottom):
• FRCC
• Businesses: EP / OP / Chem / G&P / GS / Trading / Renewables
• Functions: Controller / Treasury / Tax; HR / CIO / S&D; Corp Affairs / Legal
• Region / Class of Business, if appropriate
• Internal Service Providers in Functions: Pensions / SPS / FCA / SSSC
• Group Service Providers: Group Reporting, Treasury, IT, Taxation
• AoO
• Functions in AoO

Confirmation to internal users via GreenLight Access
Management Assessment Process Overview*

RDS Plc. Certifying Officers (CEO & CFO)
• SOX 404 Assessment
• External auditors attestation

Financial Reporting Controls Committee “FRCC”
• Review, evaluate, challenge
• Advise EC on assessment

Central SOX 404 Evaluation Team
• Review / validate reports from businesses/functions
• Analyse / aggregate
• Advise FRCC

Business / Function (via Region/CoB as appropriate)
• Interpret / evaluate deficiencies
• Summarise / categorise
• Report to central evaluation team
• Periodic sign-off
• Assurance

OU / AoO
• Reporting of controls deficiencies / remediation (GreenLight)
• Periodic sign-off
• Assurance

Other controls data:
• External audits
• Internal Audits
• BCIs

Legend: GreenLight data; Primary Reporting and Dialogue; Information

*to be tested in pilot starting 15/9