‘SOXing Up’ Business and IT Processes in a Global BPR Programme By Rakesh Dighe ACA, AMCT, CISA April 2007


Page 1: ‘SOXing Up’ Business and IT Processes  in a Global BPR Programme

‘SOXing Up’ Business and IT Processes in a Global BPR Programme

By Rakesh Dighe ACA, AMCT, CISA

April 2007

Page 2

Legacy SOX Compliance

Purpose of the Presentation

GLOBAL BPR ROLL OUT

HOW TO ENSURE CONTINUED SOX COMPLIANCE POST IMPLEMENTATION OF A GLOBAL BPR ROLL OUT AND

LEVERAGE BENEFITS OF GLOBAL BPR FOR SOX?

Page 3

Introduction

‘Experience is the name everyone gives to their mistakes’

Oscar Wilde

Page 4

Business Context…

Before the Global BPR Roll Out:

SOX requirements had been newly introduced

Group was working hard to meet 1st year of SOX attestation

Group had already spent a great deal of time and money to ensure SOX compliance of LEGACY processes

Page 5

What is SOX Section 404?

The Public Company Accounting Reform and Investor Protection Act of 2002

(the “Sarbanes-Oxley” Act)

Page 6

…what is SOX s404?

• US legislation passed in 2002 following the Enron and WorldCom failures

• Objective: “to protect investors by improving the accuracy and reliability of corporate disclosures”

• Imposes new legal requirements on all companies listed on a US stock exchange

Four pillars of the Act:

• Corporate & personal accountability

• Formal governance arrangements

• Culture of transparency

• Financial reporting rigour

Applicable to Client as a “foreign private issuer” from end 2006

Page 7

Global BPR Roll Out

Global process areas in scope:

• Supply Chain Management

• Sell to Business Customer

• Procure Goods and Services

• Sell to Retail Customer

• People processes

• Finance and Support Services

Page 8

…Global BPR Roll Out

Current State (2004)

• 158 ERPs

• 120 Management Information (MI) Systems

• 1200 IT applications tightly connected to ERP (out of 6000+ applications)

• Multiple business processes

Global SAP End-State (2012)

• <10 ERPs with standard SAP configuration and data supporting global business processes

• Standardised Global MI

• 100-200 IT applications tightly connected to Global SAP

Page 9

Implication of Global BPR Roll Out on SOX Compliance

Four overlapping pressures (diagram):

• Major IT Program (Global SAP)

• Restructuring & Globalization

• Business Process Standardization

• 2006 SOX Compliance

Page 10

Business Requirement

‘Global BPR Roll Out to ensure new Business and IT Processes were SOX compliant before roll out at any SOX in-scope location’,

or the Global BPR Roll Out would not be allowed to go live.

Page 11

Global BPR Response

Centralised ‘SOX Centre of Excellence’ to support the Global BPR Roll Outs

Performance standard: No SOX failures as a result of Global BPR Roll Outs

1) SOX Impact Assessment

Analysis of SOX-relevant Global BPR projects rolling out in SOX Sensitive Countries

2) SOX Design Documentation

Design, Creation and Quality-Control of SOX Controls

3) SOX Implementations Support

Coordinate and drive implementation of SOX controls for Global BPR projects

Page 12

Key Challenges

• Identify ALL Global BPR projects with SOX impact (~1,000+)

• Minimise the impact on project go-live dates

• Ensure the impact on business efficiency from the controls is minimised

• Ensure Global BPR controls met all Group SOX standards

• Ensure the business understands and operates the controls in an effective manner.

• Complete the work with minimal involvement of Global BPR team staff

Page 13

Project Benefits of SOX COE

• Provides consistency: interpretation of standards, documentation approach, etc.

• ONE GLOBALLY Defined Set of SOX Controls and common implementation approach to support Global BPR objectives

• Reduces management strain on Global BPR project teams

• Can quickly propagate improvements in methodology

• Leverage central support: economies of scale

• Enables robust progress monitoring and prompt issue escalation

Page 14

Post Implementation Optimisation

Total number of controls and tests (chart, reconstructed from the slide):

• Start point (1/12/05): 3,800 = 380 controls at 10 in-scope entities

• After efficiency: 2,400 = 240 controls at 10 in-scope entities

• After automation: 1,140 = 140 global controls (60%) performed once + 100 local controls at 10 in-scope entities

• After shared service: 790 = 140 global controls performed once + 50 regional controls at 3 locations + 50 local controls at 10 locations

• After automated testing tools (50% of tests automated): 400

Page 15

Conclusion

Context of Compliance Projects:

• Tight timelines set by regulators

• Impact of non-compliance is CRITICAL (reputational and regulatory risk)

• In the early stages, definition of regulation is subjective

Suggested approach to compliance projects:

• Define a framework (there are no right or wrong answers)

• Exercise good project management

• After 1st year of attestation, seek opportunities to optimise the framework and reduce cost of compliance