SOX Compliance Through OTM
Source: otmsig.com
Shashi Kshirsagar – KSAP Technologies
Mark Derickson – Toyota Logistics Services
Agenda
• Introduction
• Toyota Logistics Services (TLS)
• KSAP Technologies
• SOX Objective
• What is SOX?
• How is SOX Organized?
• OTM Role in SOX Compliance
Introduction
Toyota Logistics Services (TLS)
• TLS is responsible for inbound and outbound logistics of finished vehicles, facilitating delivery of vehicles to the final dealers (domestic/export).
• 8 NA plants
• 30+ rail heads
• 5 vessel ports
• 8233 delivery points
• 376 active itineraries
• 1089 active rates
• 36 contracted carriers
• 2.5 million orders and 10 million shipments per year
KSAP Technologies Inc.
• Leading provider of end-to-end OTM services
• Toyota business partner since 2011 (?), providing functional and technical consulting services.
What is SOX?
Preventing Corporate Fraud
• In response to major accounting scandals, the Sarbanes-Oxley (SOX) Act became law in 2002. This act provides guidelines to:
  • Prevent fraud
  • Ensure accurate financial statements
  • Protect shareholders through executive accountability
• The SOX Act applies to SEC-registered companies, including Toyota Motor Company (TMC). As the largest subsidiary of TMC (considered a lead company), TMS must fully comply with SOX guidelines.
• An important SOX provision is the implementation of internal controls over financial reporting. Information Technology can be used to achieve business objectives and mitigate the risk of financial inaccuracy and fraud.
How is SOX Organized?
Documentation Structure
• Application Controls are functions that ensure the completeness, accuracy, authorization and validity of transactions as process owners execute their business.
• Business Controls are written procedures, reporting mechanisms, management reviews, and authorization requirements performed by an employee to ensure that management objectives are met.
• General Computer Controls are activities that provide reasonable assurance that the processing of financial information within the computer processing environment is free of risks associated with availability, integrity, security and reliability.
OTM Role in SOX Compliance
OTM SOX COMPLIANCE
This is how we use OTM for SOX control at Toyota:
• Segregation of Duties
  • IS users and business users
  • Separation within business users
• Data Access Control
  • Single Sign-On access
  • Domain grants
  • Access Control List
  • Role-specific menus
  • Screen sets with default filter criteria
• Financial Risk Analysis - monitoring control mechanism to avoid deficiency
  • Action checks
  • Data query alerts
  • Reports
Segregation of Duties
IS Users and Business Users
TLS Domain Structure
• Public
• TMS (Business Domain): static objects - Rates, Carrier, FSC Rules, Locations, Items, etc.
• TLS (Business Domain): transactional objects - Orders, Shipments, Invoices, Vouchers, etc.
• IS (Support Domain): view-only access
Access by object type (from the diagram): the IS support domain has Read access to static objects and Read access to transactional objects; Read/Write access stays with the business domains.
Code Deployment Automation
• Problem: segregation of duties by domain requires business users to promote the code for the monthly release.
• Risk: manual deployments are inherently slow and error-prone.
• Solution: automate the OTM configuration deployment process to eliminate the errors due to manual code intervention.
Segregation of Duties – Workflow Promotion
Workflow Promotion Tool
The Workflow Promotion Tool from KSAP is an “add-on” to migrate Agents from the QA environment to the PROD environment.
• Only ISADMIN users have access to submit the WP request.
• Only the ISADMIN MANAGER has access to approve the code promotion.
• The ISADMIN MANAGER gets an email notification.
• The ISADMIN MANAGER has access to promote the WP request.
Segregation of Duties
Within Business Users
• Role-specific menu
• Access Control List
Segregation of Duties – Rates
• TRUCK USER has EDIT access to the Rate Record but cannot approve the rate.
• The user informs the TRUCK MANAGER to approve the rates.
• Action Check control: an Action Check prevents the user from editing the rates if the Rate Record is ‘Active’.
• TRUCK MANAGER has read-only access to the Rate Record but can approve the rates.
Financial Risk Analysis
Columns: OTM Configuration Items | Financial Risk | OTM Update Controls | OTM Audit Controls | Process Controls

User Configuration (Users, Roles, Menus, Screens, Action Checks, Preferences)
  Financial Risk: Indirect (these elements provide Update Controls) and Approval Amounts
  OTM Update Controls: Menus; User Roles (+Admin)
  OTM Audit Controls: OTM tables (insert user & date, last update user & date); Users Management Tool
  Process Controls: Menus, Roles and Action Checks only Admin can update

Rate Configuration (Rates, Rate Factors (FSC), Accessorials, Rate Distance)
  Financial Risk: High
  OTM Update Controls: User Roles (+Rail / RailMngr, +Truck / TruckMngr, +TransportUser / Transport Manager, +Admin); Menus/Screenset; Domain; Action Checks
  OTM Audit Controls: Email Alerts; OTM tables; Vouchers with new/modified rates Report
  Process Controls: SOX Rate Entry and Approval Process

Route Configuration (Itineraries, Locations, Items)
  Financial Risk: Medium
  OTM Update Controls: User Roles (+Planner, +Admin); Menus/Screenset; Domain (Locations & Items)
  OTM Audit Controls: OTM tables; Vouchers with new/modified rates Report
  Process Controls: SOP Worksheet for Route & Rate Changes; routing and rates go together

Automation Configuration (Workflows, Custom Actions, Events, Saved Queries, Business Number Rules, Payment Rules, Scheduled Processes, Properties)
  Financial Risk: Medium (timing of payment)
  OTM Update Controls: Menus; User Roles (+Admin)
  OTM Audit Controls: OTM tables; Data Queries
  Process Controls: Clear Quest, testing and TLS approvals for major items (workflows, properties); TLS approval for low-risk items (scheduled processes); Workflow Promotion tool

Transactional Data (Orders, Shipments, Invoices, Vouchers, Transmissions)
  Financial Risk: Medium
  OTM Update Controls: User Roles (+RailMngr, +TruckMngr, +Planner); Menus/Screenset; User Approval limits
  OTM Audit Controls: Invoice Notes; Vouchers with new/modified rates Report
  Process Controls: SOX Approval Report; only Managers can approve invoices out of tolerance, up to a certain limit
DATA QUERIES - High control and visibility.
Columns: SAVED_QUERY_XID | CONTACT | SUBJECT | Trigger | SOX Required Action

MONITOR-SOX USER UPDATES
  Contact: SOX_CONTACTS
  Subject: User changes in TLS Domain
  Trigger: adding users in the TLS Domain; updating TLS users
  SOX Required Action: before adding or updating a user, document the authorization in the SOX folder

MONITOR-SOX_AGENT_AUDIT_TRACKER
  Contact: SOX_CONTACTS
  Subject: Workflow changes in production
  Trigger: updating/creating a new Agent
  SOX Required Action: before adding or updating workflows, make sure there is a clear case ticket open for it and that it is either part of a BFI or a release ticket

MONITOR-SERVPROV PEOPLESOFT DATA UPDATE
  Contact: SOX_CONTACTS
  Subject: PEOPLESOFT CARRIER DATA MONITOR
  Trigger: new carrier with Alias information; update to Alias information
  SOX Required Action: before adding or updating Service Providers, make sure there is an authorization documented
DATA QUERIES - Might raise questions if rates are audited.
Columns: SAVED_QUERY_XID | CONTACT | SUBJECT | Trigger | SOX Required Action

MONITOR-ACTIVE RAIL RATE NOT UPDATED BY MANAGER
  Contact: TTMS_RAIL_GROUP_ALERT
  Subject: SOX - RATES ACTIVATED BY SOMEONE DIFFERENT THAN A MANAGER
  Trigger: someone other than the Manager was the last user to update an Active rate
  SOX Required Action: follow the rate deployment process (the user enters the rate and the Manager approves)

MONITOR-ACTIVE TRUCK RATE NOT UPDATED BY MANAGER
  Contact: TTMS_HIGHWAY_TRANSPORTATION_ALERT
  Subject: SOX - RATES ACTIVATED BY SOMEONE DIFFERENT THAN A MANAGER

MONITOR-ACTIVE VESSEL RATE NOT UPDATED BY MANAGER
  Contact: TTMS_MARINE_ALERT
  Subject: SOX - RATES ACTIVATED BY SOMEONE DIFFERENT THAN A MANAGER
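The rate control on the Segregation of Duties – Rates slide (user enters and edits, manager approves, action check locks an Active rate) and the MONITOR-ACTIVE ... RATE NOT UPDATED BY MANAGER data queries above are the preventive and detective halves of one control: the action check stops edits through the application, and the saved query catches an Active rate whose last update user is not a manager, whatever path the change took. The Python below is an added example, not code from the presentation, KSAP or Oracle OTM, and simulates both halves with an in-memory sqlite3 database. The table, column, user and role names (rate_record, app_user, tuser1, tmgr1, TRUCK_USER, TRUCK_MANAGER) are constructed for the example and are not OTM schema or configuration names; MONITOR_SQL stands in for the OTM saved query and keys on the same last-update-user column the slides point to under OTM audit controls. The same submit-by-one-role, approve-by-another split is what the Workflow Promotion tool applies to Agents.

```python
"""Added example (not from the presentation, KSAP or Oracle OTM): a small
simulation of the rate segregation-of-duties control and of the
"active rate not updated by a manager" monitoring query. Table, column,
user and role names are constructed for the example and are not real
OTM schema or configuration names."""
import sqlite3
from datetime import datetime, timezone

# Constructed users and roles (not a real OTM user list).
USER_ROLES = {
    "tuser1": "TRUCK_USER",     # may enter/edit non-active rates, may not approve
    "tmgr1": "TRUCK_MANAGER",   # read-only on the record, but may approve
    "isadmin": "ADMIN",         # support user; should never touch rate data
}
MANAGER_ROLE = "TRUCK_MANAGER"

# Constructed stand-in for the OTM saved query: active rates whose last
# updater is not a manager. OTM tables carry insert/update user and date
# columns, which is what such a query keys on; the names here are ours.
MONITOR_SQL = """
SELECT r.rate_gid, r.update_user
FROM rate_record r
WHERE r.status = 'ACTIVE'
  AND r.update_user NOT IN (SELECT user_id FROM app_user WHERE role = ?)
"""


def now():
    return datetime.now(timezone.utc).isoformat()


def new_db():
    """In-memory database with a constructed rate table and user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE rate_record (
        rate_gid TEXT PRIMARY KEY, domain TEXT, status TEXT, cost REAL,
        update_user TEXT, update_date TEXT)""")
    conn.execute("CREATE TABLE app_user (user_id TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO app_user VALUES (?, ?)", USER_ROLES.items())
    return conn


def _role(user):
    return USER_ROLES.get(user)


def _status(conn, rate_gid):
    row = conn.execute("SELECT status FROM rate_record WHERE rate_gid = ?",
                       (rate_gid,)).fetchone()
    if row is None:
        raise KeyError(rate_gid)
    return row[0]


def create_rate(conn, user, rate_gid, cost):
    """Rate entry by a TRUCK_USER; the record starts as a draft."""
    if _role(user) != "TRUCK_USER":
        raise PermissionError(f"{user} has no EDIT access to rate records")
    conn.execute("INSERT INTO rate_record VALUES (?, 'TMS', 'DRAFT', ?, ?, ?)",
                 (rate_gid, cost, user, now()))


def edit_rate(conn, user, rate_gid, cost):
    """EDIT access for TRUCK_USER, gated by the action check: an Active
    rate cannot be edited, so a change to a live rate has to go back
    through entry and manager approval."""
    if _role(user) != "TRUCK_USER":
        raise PermissionError(f"{user} has no EDIT access to rate records")
    if _status(conn, rate_gid) == "ACTIVE":
        raise PermissionError("action check: Active rates cannot be edited")
    conn.execute("UPDATE rate_record SET cost = ?, update_user = ?, update_date = ? "
                 "WHERE rate_gid = ?", (cost, user, now(), rate_gid))


def approve_rate(conn, user, rate_gid):
    """Approval (activation) is reserved for the manager role; the manager's
    id becomes the last update user, which is what the monitor relies on."""
    if _role(user) != MANAGER_ROLE:
        raise PermissionError(f"{user} may not approve rates")
    conn.execute("UPDATE rate_record SET status = 'ACTIVE', update_user = ?, "
                 "update_date = ? WHERE rate_gid = ?", (user, now(), rate_gid))


def active_rates_not_updated_by_manager(conn):
    """The detective control: run the monitoring query and return the
    rate ids that would be emailed to the alert contact."""
    return [row[0] for row in conn.execute(MONITOR_SQL, (MANAGER_ROLE,))]


def demo():
    """Walk the control through entry, approval, a blocked edit, and a
    change made outside the application that only the monitor catches."""
    conn = new_db()
    create_rate(conn, "tuser1", "RATE-001", 100.0)
    edit_rate(conn, "tuser1", "RATE-001", 120.0)      # draft: edit allowed
    approve_rate(conn, "tmgr1", "RATE-001")           # manager activates
    blocked = False
    try:
        edit_rate(conn, "tuser1", "RATE-001", 50.0)   # action check fires
    except PermissionError:
        blocked = True
    clean = active_rates_not_updated_by_manager(conn)  # nothing to report
    # A change applied directly to the table (outside the action check)
    # leaves a non-manager as last updater of an Active rate, which is
    # exactly the condition the data query alerts on.
    conn.execute("UPDATE rate_record SET cost = 1.0, update_user = 'isadmin', "
                 "update_date = ? WHERE rate_gid = 'RATE-001'", (now(),))
    flagged = active_rates_not_updated_by_manager(conn)
    return blocked, clean, flagged


if __name__ == "__main__":
    print(demo())  # (True, [], ['RATE-001'])
```

The point of the final step in demo() is the one the slides make with "OTM tables" under audit controls: role menus and action checks only govern changes made through the application, so the scheduled data query over the last-update-user column is what gives the SOX contacts visibility of anything that reached the table another way.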
Q & A
Thank You !!