Download presentation: Section 404 of Sarbanes-Oxley, An Oracle Perspective (Paul Kirch)


  • Number of slides: 13

Section 404 of Sarbanes-Oxley: An Oracle Perspective
Paul Kirch, KLA-Tencor Corporation

Agenda
• Company Overview
• Sarbanes-Oxley Overview
  • Section 404 in “plain English”
  • COSO framework
  • Project Timeline
• Business Processes Universe
• Separation of Duties
  • Defined
  • Incompatibilities
  • Guiding Principles and Implementation
  • Applied
• Lessons learned
• Next Steps

Company Overview
• One of NASDAQ “Top 50” Companies in 2002
• Manufacturing company engaged in developing and manufacturing capital equipment used in the manufacture and production of silicon wafers
• Formed by a merger of KLA and Tencor Corporation in 1997
• Major customers are the principal silicon chip manufacturers worldwide
• 75-80% of revenue from overseas operations
  • Sales offices in 15 countries around the world
  • Major R&D locations in the U.S. and Israel
• Merged company used Oracle as a platform for developing common manufacturing and financial processes
• International operations upgraded to Oracle 11i in Spring 2003
• June 30 fiscal year end ensured that KLA-Tencor would be the first Fortune 500 company audited under the new Sarbanes-Oxley standards
• In Spring 2003 the chip industry was just beginning to emerge from one of the severest down cycles in the history of the industry

Section 404 in “Plain English”
• Management must assert and auditors must attest that:
  • All transactions that are either material by themselves or cumulatively material to the company are authorized according to an agreed policy/procedure.
  • Assets of the company are adequately safeguarded.
  • Procedures are in place to ensure that the reported financials adequately disclose all transactions.
• What is required:
  • Establish a control framework (aka COSO) to map business processes/objectives/risks/control activities.
  • Document policies & procedures
  • Self-assessment of the adequacy of these policies and procedures
  • Complete testing with the internal auditor and the external auditor
• Who? 90% internal; anyone involved in a material business process.
  • U.S./Israel project involved 50 people
  • Worldwide project involved 75 people

COSO Framework
Control Environment
• Sets the tone of the organization, influencing the control consciousness of its people.
• Factors include integrity, ethical values, competence, authority, responsibility.
• Foundation for all other components of control.
Risk Assessment
• Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives, forming the basis for determining control activities.
Control Activities
• Policies/procedures that ensure management directives are carried out.
• Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.
Information and Communication
• Pertinent information identified, captured and communicated in a timely manner.
• Access to internally and externally generated information.
• Flow of information that allows for successful control actions, from instructions on responsibilities to summary of findings for management action.
Monitoring
• Assessment of a control system’s performance over time.
• Combination of ongoing and separate evaluation.
• Management and supervisory activities.
• Internal audit activities.

Project Timeline
Summer
• Plan the project
• Review COSO compliance
• Put team in place
• Define scope
• Assess the control environment
• Engage external consultants to assess impact on Oracle 10.7/11i
Fall/Winter
• Build a controls repository
• Document control objectives
• Document control activities and map to control objectives
• Complete self-assessment of actual performance of these controls
• Identify and remediate gaps
• Perform initial tests of operating effectiveness
• Implement SoD in Oracle 10.7 and Oracle 11i
Spring
• Perform ongoing testing
• Monitor
• Prepare assertion
• Prepare internal control report
Review points along the timeline: Independent Auditor Review, Board Review, Independent Auditor Assessment

Business Processes Universe
Sales & Marketing
• Contract Sales
  • Sales Ops Review
  • Finance Review
  • Legal Review
  • Engineering Review
  • Operations Review
• Ad-hoc Sales
• Product Marketing
• Product Development
• Sales Commissions
• Inventory Management
Human Resources
• Hiring
  • Non-Standard Employee Agreements
• Employee Benefits Management
• Termination (and restructuring)
• Staffing Analysis (i.e., Manpower Levels)
• Compensation Review (Executive)
• Workers Compensation Mgmt/Claims Processing
• Employee Annual Review
• Training & Development
• Employee Communication
  • Feedback
  • Survey
• Employee Loans
Manufacturing
• Procurement
  • Vendor Management (i.e., competitive bidding, preferred suppliers)
• Manufacturing Quality
• Quality Assurance
• Health Assessments
• Regulatory Compliance (i.e., Environmental)
Information Systems
• IT Strategy/Planning
• Systems Implementation & Integration
  • Project Management
  • Software Selection
  • Software Development
• IT Systems Maintenance (daily operations)
  • Financial
  • HR
  • Business
• Network Administration
  • Security/Privacy
• Business Continuity Planning
  • Disaster Recovery Planning
• Record Retention
• Help Desk
Finance & Accounting
• Accounts Payable
• Accounts Receivable/Billing
• Capital Exp Approval
• Non-Capital Purchasing
• Fixed Assets
• Budgeting & Forecasting
• Closing the Books/Accounting
  • Account Reconciliation
  • Account Analysis
  • Accruals
• Internal Reporting
• External Reporting
• Tax
• Travel & Expense Reporting
• Treasury
  • Debt/Financial Structure
  • Cash Management
  • FX/Derivatives/Hedging
  • Banking Relationships
  • Insurance
• Credit & Collections
• Payroll
Management & Board
• Board/Committee Meetings
• Executive/Management Team Meetings
• Corporate Governance
  • Authority/Approval Matrix
  • Disclosure Controls
• Documentation Process
Customer Management
• Technical Support
  • Problem Resolution & Tracking
• Customer Service
• Install Base Management
Legal
• Contract Approval
• Litigation Management
• Intellectual Property
• Whistle Blower
Corporate Development
• Third-Party Alliances/Partnerships
• Mergers & Acquisitions
Infrastructure & Other
• Facilities Management
• Physical Security
• Physical Records Management
• Corporate Communications
  • Investor Relations
  • Public Relations
• Receiving
• Distribution/Logistics
• Telecommunications
• Network Management
Financial processes are significant to either the financial statement amounts and controls or financial disclosures.

Separation of Duties (SoD) Defined
Responsibilities and the functions each one grants:
Enter Data
• Enter Invoices
• Inquire Invoices, Payments, Accounting, Suppliers and Banks
• Run Standard Reports
Approve
• Approve Invoices
• Update Accounting Entries
• Payables Transfer to GL
• Inquire Invoices, Payments, Accounting, Suppliers and Banks
• Run Standard Reports
Pay
• Create Payments / Payment Batches
• Inquire Invoices, Payments, Accounting, Suppliers and Banks
• Run Standard Reports
Maintain
• Create Suppliers / Enter Employees
• Inquire Invoices, Payments, Accounting, Suppliers and Banks
• Setup Banks / Setup Tax Codes
• Open / Close AP Periods
• Run Standard Reports
Inquiry
• Inquire Invoices / Inquire Payments / Inquire Suppliers
• View Employees
• Run Standard Reports

SoD Incompatibilities
Columns on the slide: Role/Job Function, Application, Responsibility, Additional Incompatible Roles, Approver, Comments.
Corporate Financial Reporting (Alex Zima)
• Consolidations Accountant
  • Oracle General Ledger: GL CONSOLIDATED MGR; additional incompatible roles: ALL other than VLSI Consolidations Accountant
  • Oracle General Ledger: GL ISRAEL MANAGER
  • Oracle Receivables: AR INQUIRY
  • Oracle Payables: AP INQUIRY
  • Oracle Manufacturing: PO INQUIRY/REPORTING
  • Oracle Order Entry: OE FINANCE VIEW/REPORTING
  • KLA Manufacturing: KMF GL ASIA GROUP
Accounts Payables (Mike Arias)
• AP Clerk
  • Oracle Payables: KFI AP Clerk; additional incompatible roles: AP Manager, KFI AP Lead, KFI AP Disbursement, Information Systems Specialist
  • KLA Financials: KFI AP B2B

SoD Guiding Principles and Implementation
• Single point-in-time review of existing functional responsibilities using the E&Y-defined Separation of Duties (SoD) matrix for both Oracle 10.7 and Oracle 11i (international) users
• Detailed communications to end users regarding the plan to end-date or remove certain responsibilities that constituted an SoD violation, with emphasis on Finance functions (GL, AR, AP), Purchasing (largely PO Creation and Receiving), and Sales Administration (Order Entry and Shipping)
• Detailed instructions to the Corporate Help Desk on how to administer new requests for Oracle responsibilities
• Key manager approval of all requests for Oracle applications access
• Alert to key IT managers whenever an employee record was created or changed, notifying them of the responsibilities currently assigned to that specific user
• Communicate Sarbanes-Oxley corporate policies using the KT intranet
• On-going effort to improve the process by refining requirements, working with Corporate Finance to determine the “universe” of potential software vendors and desired functionality, and selecting a Sarbox 404 software vendor
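The point-in-time matrix review and the "alert when an employee record changes" control described on the SoD Defined, SoD Incompatibilities and Guiding Principles slides, as an added Python example (not KLA-Tencor's, E&Y's or Oracle's code). Responsibility names from the SoD Incompatibilities slide are mapped onto the five duty classes from the SoD Defined slide; that mapping, the incompatibility matrix and the sample user records are all constructed assumptions for illustration, since the E&Y-defined matrix itself is not reproduced on the slides.

```python
"""Separation-of-duties (SoD) conflict review and assignment alert.

Added example, not KLA-Tencor's or Oracle's code. Oracle responsibilities are
mapped onto the duty classes from the "SoD Defined" slide, an incompatibility
matrix says which classes one person may not hold together, and an alert fires
when an employee record gains a responsibility that collides with an existing
one. The class mapping and the matrix are ASSUMED here for illustration; the
real matrix is auditor-defined.
"""
from itertools import combinations

# Duty classes from the "SoD Defined" slide.
ENTER = "Enter Data"
APPROVE = "Approve"
PAY = "Pay"
MAINTAIN = "Maintain"
INQUIRY = "Inquiry"

# Responsibility -> duty class. The responsibility names appear on the
# "SoD Incompatibilities" slide; which class each one grants is an assumption.
RESP_TO_DUTY = {
    "KFI AP Clerk": ENTER,                       # enter invoices
    "AP Manager": APPROVE,                       # approve invoices, transfer to GL
    "KFI AP Disbursement": PAY,                  # create payments / payment batches
    "KFI AP Lead": MAINTAIN,                     # suppliers, banks, AP periods
    "Information Systems Specialist": MAINTAIN,  # IT maintenance of AP setup
    "AP INQUIRY": INQUIRY,                       # read-only inquiry and reports
}

# Constructed incompatibility matrix: unordered pairs of duty classes that one
# person must not hold at the same time. Inquiry-only access conflicts with none.
INCOMPATIBLE = {
    frozenset({ENTER, APPROVE}),
    frozenset({ENTER, PAY}),
    frozenset({APPROVE, PAY}),
    frozenset({MAINTAIN, ENTER}),
    frozenset({MAINTAIN, APPROVE}),
    frozenset({MAINTAIN, PAY}),
}


def conflicts_for(responsibilities):
    """Return the (resp_a, resp_b) pairs, in sorted order, whose duty classes collide.

    Responsibilities missing from the mapping are ignored rather than guessed at;
    an unmapped responsibility should be added to the matrix, not silently passed.
    """
    found = []
    for a, b in combinations(sorted(responsibilities), 2):
        duty_a, duty_b = RESP_TO_DUTY.get(a), RESP_TO_DUTY.get(b)
        if duty_a and duty_b and frozenset({duty_a, duty_b}) in INCOMPATIBLE:
            found.append((a, b))
    return found


def review_users(assignments):
    """Single point-in-time review: user -> conflicting pairs; clean users are omitted."""
    report = {}
    for user, responsibilities in assignments.items():
        pairs = conflicts_for(responsibilities)
        if pairs:
            report[user] = pairs
    return report


def new_assignment_conflicts(current, new_resp):
    """The 'alert when an employee record changes' control.

    Returns the existing responsibilities that the proposed new one collides
    with; an empty list means the request can go to the key manager for
    approval without an SoD alert.
    """
    proposed = set(current) | {new_resp}
    return sorted(other
                  for a, b in conflicts_for(proposed) if new_resp in (a, b)
                  for other in (a, b) if other != new_resp)


# Constructed sample user records; the last one mirrors the deck's observation
# that conflicts arose mostly from responsibilities assigned to IT personnel.
SAMPLE_ASSIGNMENTS = {
    "ap_clerk_1": {"KFI AP Clerk", "AP INQUIRY"},
    "ap_lead_1": {"KFI AP Lead", "AP INQUIRY"},
    "it_admin_1": {"Information Systems Specialist", "KFI AP Clerk"},
}

if __name__ == "__main__":
    for user, pairs in review_users(SAMPLE_ASSIGNMENTS).items():
        print(f"{user}: conflicting responsibilities {pairs}")
    hits = new_assignment_conflicts(SAMPLE_ASSIGNMENTS["ap_clerk_1"], "KFI AP Disbursement")
    if hits:
        print(f"SoD ALERT: 'KFI AP Disbursement' conflicts with {hits}")
```

The matrix is kept as unordered pairs of duty classes rather than of responsibility names so that adding a new Oracle responsibility only requires classifying it once; the trade-off, visible in `conflicts_for`, is that an unclassified responsibility produces no finding, so the responsibility inventory has to be reconciled against the mapping as part of each review.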

SoD Applied

Common Errors at Other Companies...
• Did not involve external Big 4 accounting firms in the design and planning process
• No joint commitment from business and IT to meet certification requirements
• Too much detail... not scoped correctly
• All externally contracted work... won’t have long-term benefits
• No prioritization... leave the hardest for last
• Stand-alone documentation, not using what is already in use
• Not getting ahead early... not enough short-term milestones

Observations and Next Steps
• Sarbanes-Oxley 404 compliance project completed on an ‘ad hoc’ basis using E&Y to define Separation of Duties issues
  • Project completed over the course of 4 months at a cost of $30,000, with 75% of the time spent planning and 25% in actual execution
• Oracle alerts put in place to monitor the assignment of new Oracle responsibilities to new and existing users
• Company passed DT “pre-certification” and PwC “audit certification” without qualification, with several observations of conflicts noted
• Observed conflicts due largely to assignment of conflicting responsibilities to IT personnel; in one case, the conflict was due to a misunderstanding about the exact role played by the user in the corporation