‘SOXing Up’ Business and IT Processes in a Global BPR Programme By Rakesh Dighe ACA, AMCT, CISA April 2007
Purpose of the Presentation: Legacy SOX Compliance; Global BPR Roll Out. How to ensure continued SOX compliance post implementation of a Global BPR Roll Out and leverage benefits of Global BPR for SOX?
Introduction: ‘Experience is the name everyone gives to their mistakes’ (Oscar Wilde)
Business Context: Before the Global BPR Roll Out: SOX requirements had been newly introduced; Group was working hard to meet 1st year of SOX attestation; Group had already spent a great deal of time and money to ensure SOX compliance of LEGACY processes
What is SOX Section 404? The Public Company Accounting Reform and Investors Protection Act of 2002 (The “Sarbanes Oxley” Act)
…what is SOX s404? US legislation passed in 2002 following the Enron and WorldCom failures; Objective “to protect investors by improving the accuracy and reliability of corporate disclosures”; Imposes new legal requirements on all companies listed on US stock exchange; Applicable to Client as “foreign private issuer” from end 2006
Global BPR Roll Out: Supply Chain Management; Sell to Business Customer; Procure Goods And Services; Sell To Retail Customer; People processes; Finance and Support Services
…Global BPR Roll Out: Current State (2004): 158 ERPs; 120 Management Information (MI) Systems; 1200 IT applications tightly connected to ERP (out of 6000+ applications); Multiple business processes. Global SAP End-State (2012): <10 ERPs with standard SAP configuration and data supporting global business processes; Standardised Global MI; 100-200 IT applications tightly connected to Global SAP
Implication of Global BPR Roll Out on SOX Compliance: Major IT Program (Global SAP); Restructuring & Globalization; Business Process Standardization; 2006 SOX Compliance
Business Requirement: ‘Global BPR Roll Out to ensure new Business and IT Processes were SOX compliant before roll out at any SOX in scope location’. OR Global BPR Roll Out would not be allowed to go-live.
Global BPR Response: Centralised ‘SOX Centre of Excellence’ to support the Global BPR Roll Outs. Performance standard: No SOX failures as a result of Global BPR Roll Outs. 1) SOX Impact Assessment: Analysis of SOX-relevant Global BPR projects rolling out in SOX Sensitive Countries. 2) SOX Design Documentation: Design, Creation and Quality-Control of SOX Controls. 3) SOX Implementations Support: Coordinate and drive implementation of SOX controls for Global BPR projects
Key Challenges: Identify ALL Global BPR projects with SOX impact (~1,000+); Minimise the impact on project go-live dates; Ensure the impact on business efficiency from the controls is minimised; Ensure Global BPR controls meet all Group SOX standards; Ensure the business understands and operates the controls in an effective manner; Complete the work with minimal involvement of Global BPR team staff
Project Benefits of SOX COE: Provides consistency: interpretation of standards, documentation approach, etc.; ONE GLOBALLY Defined Set of SOX Controls and common implementation approach to support Global BPR objectives; Reduces management strain on Global BPR project teams; Can quickly propagate improvements in methodology; Leverage central support: economies of scale; Enables robust progress monitoring and prompt issue escalation
Post Implementation Optimisation [chart: Total Number Of Controls And Tests; stage labels: Start point 1/12/05, Efficiency, Automation, Shared service, Automated Testing Tools]. 3800: 380 controls, 10 in-scope entities. 2400: 240 controls, 10 in-scope entities. 1140: 140 global controls (60%) performed once, 100 local controls at 10 in-scope entities. 790: 140 global controls performed once, 50 regional controls at 3 locations, 50 local controls at 10 locations. 400: 50% tests automated.
Conclusion: Context of Compliance Projects: Tight timelines set by regulators; Impact of non-compliance is CRITICAL (reputation and regulatory risk); In the early stages, definition of regulation is subjective. Suggested approach to compliance projects: Define a framework (there are no right or wrong answers); Exercise good project management; After 1st year of attestation, seek opportunities to optimise the framework and reduce cost of compliance