Section 404 of Sarbanes-Oxley: An Oracle Perspective
Paul Kirch, KLA-Tencor Corporation
Posted on 29-Dec-2015
KLA-Tencor Confidential – Do Not Duplicate
Agenda
• Company Overview
• Sarbanes-Oxley Overview
• Section 404 in “plain English”
• COSO framework
• Project Timeline
• Business Processes Universe
• Separation of Duties: Defined; Incompatibilities; Guiding Principles and Implementation; Applied
• Lessons learned
• Next Steps
Company Overview
• One of NASDAQ “Top 50” Companies in 2002
• Manufacturing company engaged in developing and manufacturing capital equipment used in the manufacture and production of silicon wafers
• Formed by a merger of KLA and Tencor Corporation in 1997
• Major customers are principal silicon chip manufacturers worldwide
• 75-80% of revenue from overseas operations
• Sales offices in 15 countries around the world
• Major R&D locations in U.S. and Israel
• Merged company used Oracle as a platform for developing common manufacturing and financial processes
• International operations upgraded to Oracle 11i in Spring, 2003
• June 30 fiscal year end ensured that KLA-Tencor would be the first Fortune 500 company audited under the new Sarbanes-Oxley standards
• In Spring, 2003 the chip industry was just beginning to emerge from one of the severest down cycles in the history of the industry
Section 404 in “Plain English”
Management must assert and auditors must attest that:
• All transactions that are either material by themselves or cumulatively material to the company are authorized according to an agreed policy/procedure.
• Assets of the company are adequately safeguarded.
• Procedures are in place to ensure that the reported financials adequately disclose all transactions.
What is required:
• Establish a control framework (aka COSO) to map business processes/objectives/risks/control activities.
• Document policies & procedures
• Self assessment of the adequacy of these Policies and Procedures
• Complete testing with internal auditor and external auditor
Who?
• 90% internal; anyone involved in a material business process.
• U.S./Israel project involved 50 people
• Worldwide project involved 75 people
COSO Framework
Control Activities
•Policies/procedures that ensure management directives are carried out.
•Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.
Risk Assessment
•Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives, forming the basis for determining control activities.
Monitoring
•Assessment of a control system’s performance over time.
•Combination of ongoing and separate evaluation.
•Management and supervisory activities.
•Internal audit activities.
Information and Communication
•Pertinent information identified, captured and communicated in a timely manner.
•Access to internally and externally generated information.
•Flow of information that allows for successful control actions, from instructions on responsibilities to summary of findings for management action.
Control Environment
•Sets the tone of the organization, influencing the control consciousness of its people.
•Factors include integrity, ethical values, competence, authority, responsibility.
•Foundation for all other components of control.
Project Timeline
Phases: Summer; Fall/Winter; Spring
Review points: Independent Auditor Review; Board Review; Independent Auditor Assessment
• Plan the project
• Review COSO Compliance
• Put Team in Place
• Define scope
• Assess the control environment
• Engage external consultants to assess impact on Oracle 10.7/11i
• Build a controls repository
• Document control objectives
• Document control activities and map to control objectives
• Complete self-assessment of actual performance of these controls
• Identify and remediate gaps
• Perform initial tests of operating effectiveness
• Implement SoD in Oracle 10.7 and Oracle 11i
• Perform ongoing testing
• Monitor
• Prepare assertion
• Prepare internal control report
Business Processes Universe
Customer Management
• Technical Support
• Problem Resolution & Tracking
• Customer Service
• Install Base Management
Infrastructure & Other
• Facilities Management
• Physical Security
• Physical Records Management
• Corporate Communications
• Investor Relations
• Public Relations
• Receiving
• Distribution/Logistics
• Telecommunications
• Network Management
Legal
• Contract Approval
• Litigation Management
• Intellectual Property
• Whistle Blower
Corporate Development
• Third-Party Alliances/Partnerships
• Mergers & Acquisitions
Sales & Marketing
• Contract Sales
• Sales Ops Review
• Finance Review
• Legal Review
• Engineering Review
• Operations Review
• Ad-hoc Sales
• Product Marketing
• Product Development
• Sales Commissions
• Inventory Management
Manufacturing
• Procurement
• Manufacturing Quality
• Vendor Management (i.e., competitive bidding, preferred suppliers)
• Quality Assurance
• Health Assessments
• Regulatory Compliance (i.e., Environmental)
Human Resources
• Hiring
• Non-Standard Employee Agreements
• Employee Benefits Management
• Termination (and restructuring)
• Staffing Analysis (i.e., Manpower Levels)
• Compensation Review (Executive)
• Workers Compensation Mgmt/Claims Processing
• Employee Annual Review
• Training & Development
• Employee Communication
• Feedback
• Survey
• Employee Loans
Information Systems
• IT Strategy/Planning
• Systems Implementation & Integration
• Project Management
• Software Selection
• Software Development
• IT Systems Maintenance (daily operations): Financial, HR, Business
• Network Administration
• Security/Privacy
• Business Continuity Planning
• Disaster Recovery Planning
• Record retention
• Help Desk
Finance & Accounting
• Accounts Payable
• Accounts Receivable/Billing
• Capital Exp Approval
• Non-Capital Purchasing
• Fixed Assets
• Budgeting & Forecasting
• Closing the Books/Accounting
• Account Reconciliation
• Account Analysis
• Accruals
• Internal Reporting
• External Reporting
• Tax
• Travel & Expense Reporting
• Treasury
• Debt/Financial Structure
• Cash Management
• FX/Derivatives/Hedging
• Banking Relationships
• Insurance
• Credit & Collections
• Payroll
Management & Board
• Board/Committee Meetings
• Executive/Management Team Meetings
• Corporate Governance
• Authority/Approval Matrix
• Disclosure Controls
Documentation Process
Financial processes are significant to either the financial statement amounts and controls or financial disclosures.
Separation of Duties (SoD) Defined
Responsibilities and the functions each one carries (Oracle Payables):
• Enter Data: Enter Invoices; Inquire Invoices, Payments, Accounting, Suppliers and Banks; Run Standard Reports
• Approve: Approve Invoices; Update Accounting Entries; Payables Transfer to GL; Inquire Invoices, Payments, Accounting, Suppliers and Banks; Run Standard Reports
• Pay: Create Payments / Payments Batches; Inquire Invoices, Payments, Accounting, Suppliers and Banks; Run Standard Reports
• Maintain: Create Suppliers / Enter Employees; Inquire Invoices, Payments, Accounting, Suppliers and Banks; Setup Banks / Setup Tax Codes; Open / Close AP Periods; Run Standard Reports
• Inquiry: Inquire Invoices / Inquire Payments / Inquire Suppliers; View Employees; Run Standard Reports
SoD Incompatibilities
Columns: Role/Job Function | Application | Responsibility | Additional Incompatible Roles | Approver | Comments
Role/Job Function: Corporate Financial Reporting (Consolidations Accountant); Approver: Alex Zima
• Application / Responsibility: Oracle General Ledger – GL CONSOLIDATED MGR; Oracle General Ledger – GL ISRAEL MANAGER; Oracle Receivables – AR INQUIRY; Oracle Payables – AP INQUIRY; Oracle Manufacturing – PO INQUIRY/REPORTING; Oracle Order Entry – OE FINANCE VIEW/REPORTING; KLA Manufacturing – KMF GL ASIA GROUP
• Additional Incompatible Roles: ALL other than VLSI Consolidations Accountant
Role/Job Function: Accounts Payables (AP Clerk); Approver: Mike Arias
• Application / Responsibility: Oracle Payables – KFI AP Clerk; KLA Financials – KFI AP B2B
• Additional Incompatible Roles: AP Manager, KFI AP Lead, KFI AP Disbursement, Information Systems Specialist
SoD Guiding Principles and Implementation
• Single point in time review of existing functional responsibilities using the E&Y defined Separation of Duties (SoD) matrix for both Oracle 10.7 and Oracle 11i (international) users
• Detailed communications to end users regarding the plan to end date or remove certain responsibilities that constituted a SoD violation, with emphasis on Finance functions (GL, AR, AP), Purchasing (largely PO Creation and Receiving), and Sales Administration (Order Entry and Shipping)
• Detailed instructions to Corporate Help Desk on how to administer new requests for Oracle responsibilities
• Key manager approval of all requests for Oracle applications access
• Alert to key IT managers whenever an employee record was created or changed, to alert them to the responsibilities currently assigned to that specific user
• Communicate Sarbanes-Oxley corporate policies using the KT Intranet
• On-going effort to improve the process by refining requirements, working with Corporate finance to determine the “universe” of potential software vendors and desired functionality, and selecting a Sarbox 404 software vendor
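The point-in-time review and the change alert described on this slide, applied to the five-responsibility matrix from the SoD Defined slide, as an added example (not code from the deck or from Oracle). It assumes the four active responsibilities are mutually incompatible and Inquiry is compatible with any of them; the user assignments and the grant/revoke events are constructed sample data.

```python
"""SoD check over the Oracle Payables responsibilities from the slide.
Added example, not the deck's or Oracle's code: the five responsibilities
and the rule (the four active ones are mutually incompatible, Inquiry is
compatible with all) come from the matrix; users and events are constructed.
"""
from itertools import combinations

ACTIVE = {"Enter Data", "Approve", "Maintain", "Pay"}  # change transactions
READ_ONLY = {"Inquiry"}                                 # compatible with all
# Incompatibility matrix: every pair of distinct active responsibilities.
INCOMPATIBLE = {frozenset(p) for p in combinations(sorted(ACTIVE), 2)}

# Constructed sample: one user per active responsibility plus one violator.
SAMPLE_USERS = {
    "ap.clerk": {"Enter Data", "Inquiry"},
    "ap.manager": {"Approve", "Inquiry"},
    "treasury": {"Pay", "Inquiry"},
    "it.specialist": {"Maintain", "Enter Data", "Pay"},  # SoD violation
}


def conflicts(responsibilities):
    """Sorted incompatible pairs held by one user; rejects unknown names."""
    held = set(responsibilities)
    unknown = held - ACTIVE - READ_ONLY
    if unknown:
        raise ValueError(f"unknown responsibilities: {sorted(unknown)}")
    return sorted(tuple(sorted(p)) for p in INCOMPATIBLE if p <= held)


def point_in_time_review(users):
    """Single review of all users: returns only the users with conflicts."""
    return {u: c for u, c in ((u, conflicts(r)) for u, r in users.items()) if c}


def apply_events(events, current):
    """Emulate the alert raised each time a user's responsibilities change.
    events: (user, "grant"|"revoke", responsibility); current is updated."""
    alerts = []
    for user, action, resp in events:
        held = current.setdefault(user, set())
        if action not in ("grant", "revoke"):
            raise ValueError(f"unknown action: {action}")
        (held.add if action == "grant" else held.discard)(resp)
        pairs = conflicts(held)
        verdict = "; ".join(f"CONFLICT {a}+{b}" for a, b in pairs) or "ok"
        alerts.append(f"{user}: {action} {resp} -> {sorted(held)} [{verdict}]")
    return alerts
```

A real deployment would feed `apply_events` from the responsibility-assignment records the slide's Oracle alerts fire on, rather than from a constructed list.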
SoD Applied
Common Errors at other companies . . .
• Did not involve external Big 4 accounting firms in design and planning process
• No joint commitment from business and IT to meet certification requirements
• Too much detail . . . Not scoped correctly
• All externally contracted work . . . Won’t have long term benefits . . .
• No prioritization . . . Leave the hardest for last . . .
• Stand-alone documentation - not using what is already in use . . .
• Not getting ahead early . . . Not enough short-term milestones . . .
Observations and Next Steps
Sarbanes-Oxley 404 Compliance project completed on an ‘ad hoc’ basis using E&Y to define Separation of Duties issues
Project completed over the course of 4 months at a cost of $30,000; with 75% of time spent planning and 25% in actual execution
Oracle alerts put in place to monitor the assignment of new Oracle responsibilities to new and existing users
Company passed DT “pre-certification” and PwC “audit certification” without qualification, with several observations of conflicts noted
Observed conflicts due largely to assignment of conflicting responsibilities to IT personnel; in one case, conflict due to misunderstanding about exact role played by user in Corporation