TRANSCRIPT
‘SOXing Up’ Business and IT Processes in a Global BPR Programme
By Rakesh Dighe ACA, AMCT, CISA
April 2007
Legacy SOX Compliance
Purpose of the Presentation
GLOBAL BPR ROLL OUT
HOW TO ENSURE CONTINUED SOX COMPLIANCE POST IMPLEMENTATION OF A GLOBAL BPR ROLL OUT AND
LEVERAGE BENEFITS OF GLOBAL BPR FOR SOX?
Introduction
‘Experience is the name everyone gives to their mistakes’
Oscar Wilde
Business Context…
Before the Global BPR Roll Out:
SOX requirements had been newly introduced
Group was working hard to meet 1st year of SOX attestation
Group had already spent a great deal of time and money to ensure SOX compliance of LEGACY processes
What is SOX Section 404?
The Public Company Accounting Reform and Investor Protection Act of 2002
(The “Sarbanes-Oxley” Act)
…what is SOX s404?
• US legislation passed in 2002 following the Enron and WorldCom failures
• Objective “to protect investors by improving the accuracy and reliability of corporate disclosures”
• Imposes new legal requirements on all companies listed on a US stock exchange
• Corporate & personal accountability
• Formal governance arrangements
• Culture of transparency
• Financial reporting rigour
Applicable to Client as “foreign private issuer” from end 2006
Global BPR Roll Out
• Supply Chain Management
• Sell to Business Customer
• Procure Goods and Services
• Sell to Retail Customer
• People processes
• Finance and Support Services
…Global BPR Roll Out
Current State (2004)
• 158 ERPs
• 120 Management Information (MI) Systems
• 1200 IT applications tightly connected to ERP (out of 6000+ applications)
• Multiple business processes
Global SAP End-State (2012)
• <10 ERPs with standard SAP configuration and data supporting global business processes
• Standardised Global MI
• 100-200 IT applications tightly connected to Global SAP
Implication of Global BPR Roll Out on SOX Compliance
• Major IT Program (Global SAP)
• Restructuring & Globalization
• Business Process Standardization
• 2006 SOX Compliance
Business Requirement
‘Global BPR Roll Out to ensure new Business and IT Processes were SOX compliant before roll out at any SOX in-scope location’,
OR the Global BPR Roll Out would not be allowed to go live.
Global BPR Response
Centralised ‘SOX Centre of Excellence’ to support the Global BPR Roll Outs
Performance standard: No SOX failures as a result of Global BPR Roll Outs
1) SOX Impact Assessment
Analysis of SOX-relevant Global BPR projects rolling out in SOX Sensitive Countries
2) SOX Design Documentation
Design, Creation and Quality-Control of SOX Controls
3) SOX Implementation Support
Coordinate and drive implementation of SOX controls for Global BPR projects
Key Challenges
• Identify ALL Global BPR projects with SOX impact (~1,000+)
• Minimise the impact on project go-live dates
• Ensure the impact on business efficiency from the controls is minimised
• Ensure Global BPR controls met all Group SOX standards
• Ensure the business understands and operates the controls in an effective manner
• Complete the work with minimal involvement of Global BPR team staff
Project Benefits of SOX COE
• Provides consistency: interpretation of standards, documentation approach, etc.
• ONE GLOBALLY Defined Set of SOX Controls and common implementation approach to support Global BPR objectives
• Reduces management strain on Global BPR project teams
• Can quickly propagate improvements in methodology
• Leverage central support: economies of scale
• Enables robust progress monitoring and prompt issue escalation
Post Implementation Optimisation
Total number of controls and tests at each stage (start point 1/12/05):
• 3800: 380 controls at 10 in-scope entities (start point, 1/12/05)
• 2400: 240 controls at 10 in-scope entities
• 1140: 140 global controls (60%) performed once, plus 100 local controls at 10 in-scope entities
• 790: efficiency, automation and shared service; 140 global controls performed once, plus 50 regional controls at 3 locations, plus 50 local controls at 10 locations
• 400: automated testing tools, with 50% of tests automated
Conclusion
Context of Compliance Projects:
• Tight timelines set by regulators
• Impact of non-compliance is CRITICAL (reputation and regulatory risk)
• In the early stages, definition of regulation is subjective
Suggested approach to compliance projects:
• Define a framework (there are no right or wrong answers)
• Exercise good project management
• After 1st year of attestation, seek opportunities to optimise the framework and reduce cost of compliance