SOX Compliance Through OTM - otmsig.com

Shashi Kshirsagar, KSAP Technologies; Mark Derickson, Toyota Logistics Services

Posted on 17-Apr-2022

Page 1: SOX Compliance Through OTM - otmsig.com

SOX Compliance Through OTM

Shashi Kshirsagar – KSAP Technologies

Mark Derickson – Toyota Logistics Services

Page 2

Agenda

• Introduction

• Toyota Logistics Services (TLS)

• KSAP Technologies

• SOX Objective

• What is SOX

• How is SOX Organized?

• OTM Role in SOX compliance

Page 3

Introduction

TOYOTA Logistics Services (TLS)

• TLS is responsible for inbound and outbound logistics of finished vehicles to facilitate delivery of vehicles to the final dealers (domestic/export)

• 8 NA plants, 30+ Rail Heads, 5 Vessel Ports, 8233 Delivery Points, 376 Active Itineraries, 1089 Active Rates, 36 contracted carriers

• 2.5 million orders & 10 million shipments per year

KSAP Technologies Inc.

• Leading provider of End to End OTM services

• Toyota business partner since 2011 (?) providing functional and technical consulting services.

Page 4

What is SOX?

Page 5

Preventing Corporate Fraud

• In response to major accounting scandals, the Sarbanes-Oxley (SOX) Act became law in 2002. This act provides guidelines to:

  • Prevent fraud

  • Ensure accurate financial statements

  • Protect shareholders through executive accountability

• The SOX act applies to SEC registered companies, including Toyota Motor Company (TMC). As the largest subsidiary of TMC (considered a lead company), TMS must fully comply with SOX guidelines.

• An important SOX provision is the implementation of internal controls over financial reporting. Information Technology can be used to achieve business objectives and mitigate the risk of financial inaccuracy and fraud.

Page 6

How is SOX Organized?

Page 7

Documentation Structure

• Application Controls are functions that ensure the completeness, accuracy, authorization and validity of transactions as process owners execute their business

• Business Controls are written procedures, reporting mechanisms, management reviews, and authorization requirements performed by an employee to ensure that management objectives are met

• General Computer Controls are activities that provide reasonable assurance that the processing of financial information within the computer processing environment is free of risks associated with availability, integrity, security and reliability

Page 8

OTM Role in SOX compliance

Page 9

OTM SOX COMPLIANCE

This is how we use OTM for SOX control at Toyota

• Segregation of Duties

  • IS Users and Business Users

  • Separation within Business Users

• Data Access control

  • Single Sign On Access

  • Domain Grants

  • Access Control list

  • Role specific menus

  • Screen sets with default filter criteria

• Financial Risk Analysis - Monitoring Control mechanism to avoid deficiency

  • Action checks

  • Data Query Alerts

  • Reports

Page 10

Segregation of Duties

IS Users and Business Users

Page 11

TLS Domain Structure (slide diagram, flattened)

• Public

• TMS (Business Domain): Static Objects (Rates, Carrier, FSC Rules, Locations, Items, etc.)

• TLS (Business Domain): Transactional Objects (Orders, Shipments, Invoices, Vouchers, etc.)

• IS (Support Domain): View Only Access to Static Objects and Transactional Objects

• Access levels shown on the diagram: Read, Read, Read/Write

Page 12

Code Deployment Automation

• Problem: Segregation of duties by domain requires business users to promote the code for monthly release.

• Risk: Manual deployments are inherently slow and error prone.

• Solution: Automate the OTM configuration deployment process to eliminate the errors due to manual code intervention.

Page 13

Workflow Promotion Tool

Workflow Promotion Tool from KSAP is an “add on” to migrate Agents from the QA environment to the PROD environment.

Only ISADMIN users have access to submit the WP request.

Only ISADMIN MANAGER has access to approve the code promotion.

Page 14

Segregation of Duties – Workflow Promotion

ISADMIN MANAGER gets an email notification.

ISADMIN MANAGER has access to promote the WP request.

Page 15

Segregation of Duties

Within Business Users

Page 16

Role Specific Menu

Page 17

Access Control List

Page 18

Segregation of Duties- Rates

TRUCK USER has EDIT access to the Rate Record but cannot approve the rate.

The user informs TRUCK MANAGER to approve the rates.

Page 19

Action Check Control

An Action Check prevents the user from editing the rates if the Rate Record is ‘Active’.

Page 20

Segregation of Duties- Rates

TRUCK MANAGER has Read Only access to the Rate Record but can approve the rates.
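The rate split on slides 18-20 (TRUCK USER edits but cannot approve, TRUCK MANAGER approves but is otherwise read-only, and the slide-19 action check that locks an ‘Active’ rate) and the workflow promotion on slides 13-14 (ISADMIN submits, ISADMIN MANAGER promotes) are the same two-person pattern. The Python model below is an added example, not code from the presentation, from OTM, or from KSAP or Toyota. The role names, the USER_ROLES sample mapping, the DRAFT/ACTIVE statuses and the explicit "approver is not the last editor" check are assumptions made for illustration; that last check is an extra guard on top of the role split, which on its own already keeps a manager from editing.

```python
"""Added example (not from the slides, OTM, KSAP or Toyota): a small model of the
two-person rule behind the rate approval and workflow promotion slides.

Assumptions: role names, the USER_ROLES sample mapping and the DRAFT/ACTIVE
statuses are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TwoPersonRule:
    """Which roles may edit (or submit) a record and which may approve it."""
    name: str
    editor_roles: frozenset
    approver_roles: frozenset

    def __post_init__(self):
        # Segregation of duties is only real if no role sits on both sides.
        if self.editor_roles & self.approver_roles:
            raise ValueError(f"{self.name}: editor and approver roles overlap")


# Slides 18-20: TRUCK USER edits, TRUCK MANAGER approves (read-only otherwise).
RATE_RULE = TwoPersonRule("rate", frozenset({"TRUCK_USER"}), frozenset({"TRUCK_MANAGER"}))
# Slides 13-14: ISADMIN submits the WP request, ISADMIN MANAGER promotes it.
PROMOTION_RULE = TwoPersonRule("workflow_promotion", frozenset({"ISADMIN"}), frozenset({"ISADMIN_MANAGER"}))

# Constructed user -> roles mapping (assumption; OTM would supply this from its user/role setup).
USER_ROLES = {
    "TMS.TRUCKUSER1": {"TRUCK_USER"},
    "TMS.TRUCKMGR1": {"TRUCK_MANAGER"},
    "IS.ADMIN1": {"ISADMIN"},
    "IS.ADMINMGR1": {"ISADMIN_MANAGER"},
}


@dataclass
class Record:
    rule: TwoPersonRule
    record_id: str
    data: dict = field(default_factory=dict)
    status: str = "DRAFT"      # DRAFT -> ACTIVE (the slide-19 'Active' rate, or a promoted request)
    insert_user: str = ""      # OTM-style audit columns the slides list under OTM Audit Controls
    update_user: str = ""
    audit: list = field(default_factory=list)


def _has_role(user, roles):
    return bool(USER_ROLES.get(user, set()) & roles)


def edit(rec, user, changes):
    """Editor-only change; the action check refuses edits once the record is Active."""
    if not _has_role(user, rec.rule.editor_roles):
        rec.audit.append((user, "EDIT_DENIED", "no editor role"))
        raise PermissionError(f"{user} may not edit {rec.record_id}")
    if rec.status == "ACTIVE":
        rec.audit.append((user, "EDIT_DENIED", "action check: record is Active"))
        raise PermissionError(f"{rec.record_id} is Active and locked for editing")
    rec.data.update(changes)
    rec.insert_user = rec.insert_user or user
    rec.update_user = user
    rec.audit.append((user, "EDIT", dict(changes)))


def approve(rec, user):
    """Approver-only transition to ACTIVE; the approver must differ from the last editor."""
    if not _has_role(user, rec.rule.approver_roles):
        rec.audit.append((user, "APPROVE_DENIED", "no approver role"))
        raise PermissionError(f"{user} may not approve {rec.record_id}")
    if rec.status == "ACTIVE":
        raise PermissionError(f"{rec.record_id} is already Active")
    if user == rec.update_user:
        # Extra guard (assumption): even with a misconfigured role, one person
        # can never both enter and activate the same record.
        rec.audit.append((user, "APPROVE_DENIED", "approver is the last editor"))
        raise PermissionError("two-person rule: approver must not be the last editor")
    rec.status = "ACTIVE"
    rec.update_user = user   # last update user is now the manager, which slide 24's monitors expect
    rec.audit.append((user, "APPROVE", rec.status))


def denied(fn, *args):
    """True if the operation is refused; lets callers probe the policy without exceptions."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


def rate_lifecycle_demo():
    """Walks a rate through entry and approval as slides 18-20 describe."""
    rate = Record(RATE_RULE, "TMS.RATE-TRUCK-001")
    edit(rate, "TMS.TRUCKUSER1", {"charge": 1250.00})
    assert denied(approve, rate, "TMS.TRUCKUSER1")               # user cannot approve own rate
    assert denied(edit, rate, "TMS.TRUCKMGR1", {"charge": 1})    # manager is read-only
    approve(rate, "TMS.TRUCKMGR1")
    assert denied(edit, rate, "TMS.TRUCKUSER1", {"charge": 1})   # action check on an Active rate
    return rate


if __name__ == "__main__":
    r = rate_lifecycle_demo()
    print(r.status, r.insert_user, r.update_user)
    for entry in r.audit:
        print(entry)
```

The audit list mirrors what the slides get for free from OTM's insert/update user and date columns, with the denied attempts recorded too, so that a reviewer can see both who activated a rate and who tried to edit it afterwards.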

Page 21

Financial Risk Analysis

Table columns: OTM Configuration Items | Financial Risk | OTM Update Controls | OTM Audit Controls | Process Controls

User Configuration

  OTM Configuration Items: Users, Roles, Menus, Screens, Action Checks, Preferences

  Financial Risk: Indirect (these elements provide Update Controls) and Approval Amounts

  OTM Update Controls: Menus; User Roles (+Admin)

  OTM Audit Controls: OTM tables (insert user & date, last update user & date)

  Process Controls: Users Management Tool; Menus, Roles, Action Checks only Admin can update

Rate Configuration

  OTM Configuration Items: Rates, Rate Factors (FSC), Accessorials, Rate Distance

  Financial Risk: High

  OTM Update Controls: User Roles (+Rail / RailMngr, +Truck / TruckMngr, +TransportUser / Transport Manager, +Admin); Menus/Screenset; Domain; Action Checks; Email Alerts

  OTM Audit Controls: OTM tables; Vouchers with new/modified rates Report

  Process Controls: SOX Rate Entry and Approval Process

Page 22

Financial Risk Analysis (continued)

Route Configuration

  OTM Configuration Items: Itineraries, Locations, Items

  Financial Risk: Medium

  OTM Update Controls: User Roles (+Planner, +Admin); Menus/Screenset; Domain (Locations & Items)

  OTM Audit Controls: OTM tables; Vouchers with new/modified rates Report

  Process Controls: SOP Worksheet for Route & Rate Changes; Routing and rates go together

Automation Configuration

  OTM Configuration Items: Workflows, Custom Actions, Events, Saved Queries, Business Number Rules, Payment Rules, Scheduled Processes, Properties

  Financial Risk: Medium (timing of payment)

  OTM Update Controls: Menus; User Roles (+Admin)

  OTM Audit Controls: OTM tables; Data Queries

  Process Controls: Clear Quest, testing and TLS Approvals for major items (workflows, properties); TLS Approval for low risk items (scheduled processes); Workflow Promotion tool

Transactional Data

  OTM Configuration Items: Orders, Shipments, Invoices, Vouchers, Transmissions

  Financial Risk: Medium

  OTM Update Controls: User Roles (+RailMngr, +TruckMngr, +Planner); Menus/Screenset; User Approval limits; Invoice Notes

  OTM Audit Controls: Vouchers with new/modified rates Report; SOX Approval Report

  Process Controls: Only Managers can approve invoices out of tolerance up to a certain limit

Page 23

DATA QUERIES - High control and visibility.

Table columns: SAVED_QUERY_XID | CONTACT | SUBJECT | Trigger | SOX Required Action

• MONITOR-SOX USER UPDATES

  CONTACT: SOX_CONTACTS

  SUBJECT: User changes in TLS Domain

  Trigger: Adding Users in the TLS Domain; Updating TLS Users

  SOX Required Action: Before adding or updating a user, document the authorization in the SOX folder

• MONITOR-SOX_AGENT_AUDIT_TRACKER

  CONTACT: SOX_CONTACTS

  SUBJECT: Workflow changes in production

  Trigger: Updating/creating a new Agent

  SOX Required Action: Before adding or updating workflows, make sure there is a clear case ticket open for it and that it is either part of a BFI or release ticket

• MONITOR-SERVPROV PEOPLESOFT DATA UPDATE

  CONTACT: SOX_CONTACTS

  SUBJECT: PEOPLESOFT CARRIER DATA MONITOR

  Trigger: New carrier with Alias information; Update to Alias information

  SOX Required Action: Before adding or updating Service Providers, make sure there is an authorization documented

Page 24

DATA QUERIES - Might raise questions if rates are audited.

Table columns: SAVED_QUERY_XID | CONTACT | SUBJECT | Trigger | SOX Required Action

• MONITOR-ACTIVE RAIL RATE NOT UPDATED BY MANAGER

  CONTACT: TTMS_RAIL_GROUP_ALERT

  SUBJECT: SOX - RATES ACTIVATED BY SOMEONE DIFFERENT THAN A MANAGER

• MONITOR-ACTIVE TRUCK RATE NOT UPDATED BY MANAGER

  CONTACT: TTMS_HIGHWAY_TRANSPORTATION_ALERT

  SUBJECT: SOX - RATES ACTIVATED BY SOMEONE DIFFERENT THAN A MANAGER

• MONITOR-ACTIVE VESSEL RATE NOT UPDATED BY MANAGER

  CONTACT: TTMS_MARINE_ALERT

  SUBJECT: SOX - RATES ACTIVATED BY SOMEONE DIFFERENT THAN A MANAGER

Trigger (all three rate monitors): Someone different than the Manager was the last user to update an Active rate

SOX Required Action (all three rate monitors): Follow the rate deployment process: the User enters the rate and the Manager approves
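The three rate monitors on slide 24 are a single detection rule parameterized by mode: an Active rate whose last update user is not a manager. The Python and SQL below are an added example of that logic, not code from the presentation, from OTM, or from KSAP or Toyota. The rate_geo and user_role tables, with the insert/update user and date columns the slides list under OTM Audit Controls, are a constructed, simplified stand-in for OTM's schema, not its real tables; the role ids, the vessel manager role name and the sample rows are constructed as well. It goes one step beyond the slide text in one respect: each mode's rate is checked against that mode's manager role rather than any manager role.

```python
"""Added example (not from the slides, OTM, KSAP or Toyota): the detection logic
behind the slide-24 'MONITOR-ACTIVE ... RATE NOT UPDATED BY MANAGER' data queries,
run against a constructed, simplified stand-in for OTM's rate table.

Assumptions: table and column names below are a stand-in, not OTM's real schema;
role ids, the vessel-manager role and all sample rows are constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE rate_geo (
    rate_geo_gid TEXT PRIMARY KEY,
    domain_name  TEXT NOT NULL,
    mode         TEXT NOT NULL,   -- RAIL / TRUCK / VESSEL
    is_active    TEXT NOT NULL,   -- 'Y' once approved, else 'N'
    insert_user  TEXT NOT NULL,
    insert_date  TEXT NOT NULL,
    update_user  TEXT NOT NULL,
    update_date  TEXT NOT NULL
);
CREATE TABLE user_role (
    gl_user_gid   TEXT PRIMARY KEY,
    user_role_gid TEXT NOT NULL
);
"""

# Manager role per mode (RailMngr/TruckMngr appear on slide 21; the vessel one is assumed).
MANAGER_ROLE = {"RAIL": "TMS.RAILMNGR", "TRUCK": "TMS.TRUCKMNGR", "VESSEL": "TMS.VESSELMNGR"}
# Slide 24's routing: one contact group per mode, one shared subject.
ALERT_CONTACT = {
    "RAIL": "TTMS_RAIL_GROUP_ALERT",
    "TRUCK": "TTMS_HIGHWAY_TRANSPORTATION_ALERT",
    "VESSEL": "TTMS_MARINE_ALERT",
}
ALERT_SUBJECT = "SOX - RATES ACTIVATED BY SOMEONE DIFFERENT THAN A MANAGER"

# Constructed sample rows: (gid, domain, mode, active, insert_user, insert_date, update_user, update_date)
SAMPLE_RATES = [
    ("TMS.RATE-TRUCK-001", "TMS", "TRUCK", "Y", "TMS.TRUCKUSER1", "2022-03-01", "TMS.TRUCKMGR1", "2022-03-02"),   # user entered, manager activated: clean
    ("TMS.RATE-TRUCK-002", "TMS", "TRUCK", "Y", "TMS.TRUCKUSER1", "2022-03-05", "TMS.TRUCKUSER1", "2022-03-05"),  # Active but last touched by the user: finding
    ("TMS.RATE-RAIL-001", "TMS", "RAIL", "Y", "TMS.RAILUSER1", "2022-03-07", "TMS.RAILMGR1", "2022-03-08"),       # clean
    ("TMS.RATE-RAIL-002", "TMS", "RAIL", "Y", "TMS.RAILUSER1", "2022-03-09", "IS.ADMIN1", "2022-03-10"),          # Active rail rate last updated by an IS user: finding
    ("TMS.RATE-VESSEL-001", "TMS", "VESSEL", "N", "TMS.VESSELUSER1", "2022-03-11", "TMS.VESSELUSER1", "2022-03-11"),  # still a draft: not a finding
]
SAMPLE_ROLES = [
    ("TMS.TRUCKUSER1", "TMS.TRUCK"), ("TMS.TRUCKMGR1", "TMS.TRUCKMNGR"),
    ("TMS.RAILUSER1", "TMS.RAIL"), ("TMS.RAILMGR1", "TMS.RAILMNGR"),
    ("TMS.VESSELUSER1", "TMS.VESSEL"), ("IS.ADMIN1", "IS.ADMIN"),
]

# The saved query itself: an Active rate of the given mode whose last updater does
# not hold that mode's manager role (a user with no role row at all is also reported).
MONITOR_SQL = """
SELECT r.rate_geo_gid, r.update_user, r.update_date
FROM rate_geo r
LEFT JOIN user_role u ON u.gl_user_gid = r.update_user
WHERE r.domain_name = 'TMS'
  AND r.is_active = 'Y'
  AND r.mode = :mode
  AND COALESCE(u.user_role_gid, '') <> :manager_role
ORDER BY r.update_date
"""


def load_sample_db():
    """In-memory database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO rate_geo VALUES (?,?,?,?,?,?,?,?)", SAMPLE_RATES)
    conn.executemany("INSERT INTO user_role VALUES (?,?)", SAMPLE_ROLES)
    return conn


def monitor_active_rates(conn, mode):
    """Rows (gid, update_user, update_date) the slide-24 monitor for this mode would report."""
    params = {"mode": mode, "manager_role": MANAGER_ROLE[mode]}
    return conn.execute(MONITOR_SQL, params).fetchall()


def build_alerts(conn):
    """One alert per mode with findings: contact group, subject and the offending rate ids."""
    alerts = {}
    for mode in MANAGER_ROLE:
        hits = monitor_active_rates(conn, mode)
        if hits:
            alerts[ALERT_CONTACT[mode]] = {"subject": ALERT_SUBJECT, "rates": [h[0] for h in hits]}
    return alerts


if __name__ == "__main__":
    for contact, alert in build_alerts(load_sample_db()).items():
        print(contact, alert["subject"], alert["rates"])
```

The LEFT JOIN with COALESCE matters: a user who has been removed from the role table, or an account that never had a business role, would vanish from an INNER JOIN and the rate would silently pass. Draft rates are deliberately excluded, since a user editing a not-yet-Active rate is the expected first half of the "User enters rate and Manager approves" process.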

Page 25

Q & A

Thank You !!