SUPPLEMENTARY APPENDICESWorten (Electronics and entertainment) Worten Mobile (Mobile Telecommunications) 15 Appendix H

A Work Project, presented as part of the requirements for the Award of a Master Degree in

Finance from the NOVA – School of Business and Economics.

SUPPLEMENTARY APPENDICES

of the Work Project

DESIGN AND IMPLEMENTATION OF AN ASSURANCE MAP AT SONAE RETAIL

BUSINESS

ANA SOFIA MURTEIRA PIMENTA DE CASTRO (1033)

A Project carried out on the Master in Finance Program, under the supervision of:

Associate Professor Maria João Major

JANUARY, 2016

2

Appendix A – Illustration of the Three Lines of Defence Model

Source: IIA, 2013.

3

Appendix B– Chronological Plan of the Internship

Tasks Month Setembro Outubro Novembro Dezembro Janeiro

Week 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2

Phase 1: Search and analysis

of concepts related with the

subject and the organizational

context.

Phase 2: Definition of project

objectives

Phase 3: Development of

Business Processes List

Phase 4: Identification of

assurance sources at the

company

Phase 5: Establishment of

evaluation criteria for the

assurance level

Phase 6: Inquiries preparation

Phase 7: Development of the

framework model

Phase 8: Operationalization of

the map through the inquiries

application - Inquiries 3rd Line

of Defence



application - Inquiries 1st Line

of Defence



application - Inquiries 2rd Line

of Defence

Phase 9: Definition of KPIs

per process

Phase 10: Analysis of results

and improvement of model

framework

Creation of a User Guide

Literature Analysis and

Working Project

4

Appendix C – Schematic illustration of the Methodology and Sources of Evidence

• Phase 1: Search and analysis of concepts related with the subjetc and the organizational context.

• Phase 2: Definition of project objectives.

Previous

Analysis

• Phase 3: Development of Business Processes List.

• Phase 4: Identification of assurance sources at the company.

• Phase 5: Establishment of evaluation criteria for the assurance level.

• Phase 6: Inquiries preparation.

• Phase 7: Development of the framework model.

Design

• Phase 8: Operationalization of the map through the inquiries application.

Implementation

• Phase 9: Analysis of results and improvement of model framework.

Posterior Analysis

Documentary analysis

Meetings

Unstructured interviews

Participant observation


Meetings




Meetings


Semi- structured

interviews

Inquiries



Meetings



5

Appendix D – List of consulted documents

Title Author Publisher Type Topic

Assurance Mapping – Charting the

Course for Effective Risk Oversight

Anthony Reyes; Natham

Ives

Audit

Executive

Center

External

Document

Assurance

Mapping

Risk and Compliance management

through assurance mapping

Ailbhe Moynihan Deloitte External

Document

Assurance

Mapping

Implementing combined assurance:

Insights from multiple case studies

Loïc Decaux and Gerrit

Sarens

Managerial

Auditing

Journal

External

Document

Combined

Assurance

King Code of Governance Principles

for South Africa 2009

Institute of Directors in

Southern Africa and the

King Committee on

governance

Institute of

Directors

Southern

Africa

External

Document

Corporate

Governance;

Combined

Assurance

Internal Audit - Handbook Sonae Internal

Document

Internal audit

procedures

Practice Advisory 2050-2:Assurance

Maps

The Institute of Internal

Auditors

External

Document

Assurance

Mapping

IIA Position Paper: The Three Lines

of Defense in Effective Risk

Management and Control


Auditors

External

Document

Model of Three

Lines of

Defense

Integrated Auditing – Practice Guide The Institute of Internal

Auditors

External

Document

Integrated

Auditing

International Standards for the

professional Practice of Internal

Auditing


Auditors

External

Document

Internal Audit

Assurance & Auditing Services: Christine Jubb; Larry E. Cengage External Internal and

6

Concepts for a Changing

Environment

Rittenberg; Karla M.

Johnstone; Audrey

Gramling

Learning Book External Audit

The Essential Handbook of Internal

Auditing

K H Spencer Pickett John Wiley

& Sons, Ltd

External

Book

Internal Audit

What do we know about audit

quality?

Jere R. Francis The British

Accounting

Review

External

Paper

Audit quality of

publicly listed

companies

The Transformation of Internal

Auditing

Gaurav Kapoor; Michael

Brozzetti

The CPA

Journal

External

Paper

Internal Audit

Perceptions of factors affecting audit

quality in the post- SOX UK

regulatory environment

Viviam Beattie; Stella

Fearnley; Tony Hines

Accounting

and

Business

Research

External

Paper

Internal and

External Audit

Internal Auditing Henry B. Fernald Accounting

Review

External

Paper

Internal Audit

Internal Audit: A comfort provider to

the audit committee

Gerrit Sarens; Ignace De

Beelde; Patricia Everaert

The British

Accounting

Review

External

Paper

Relationship

between

Internal Audit

and Audit

Committee

Audit committee quality, auditor

independence, and internal control

weaknesses

Yan Zhang; Jian Zhou;

Nan Zhou

Journal if

Accounting

and Public

Policy

External

Paper

Relationship

between audit

committee

quality, auditor

independence,

and internal

control

7

A Post-Sox Examination of Factors

associated with the size of internal

audit functions

Urton L. Anderson;

Margaret H. Christ, Karla

M. Johnstone; Larry E.

Rittenberg

Accounting

Horizons

External

Paper

Internal Audit

size SOX

The Relationship between Internal

Audit and Senior Management: A

Qualitative Analysis of Expectations

and Perceptions

Gerrit Sarens; Ignace De

Beelde

Internationa

l Journal of

Auditing

External

Paper

Relationship

between

internal

auditing and

top managers

The CAE as CEO Dennis Drent Internal

Auditor

External

Document

The CAE role

The Black Hole of Assurance Andrew Chambers Internal

Auditor

External

Document

Assurance

Partners in Assurance Tony Jackson Internal

Auditor

External

Document

Assurance

Optimized Integrated Assurance Dan Clemens Internal

Auditor

External

Document

Integrated

Assurance

From Compliance to the Bottom

Line

Scott Wisniewski Internal

Auditor

External

Document

Assurance

Mapping

Guidance on the 8th EU Company

Law Directive – Article 41

FERMA /ECCIA External

Document

Internal Audit;

Internal

Control

A Strategy for Providing Assurance Michael Parkinson Internal

Auditor

External

Document

Assurance

A Risk-oriented Approach Hans Beumer Internal

Auditor

External

Document

Internal Audit;

Risk

Management

2015 The Year Ahead Russell A. Jackson Internal

Auditor

External

Document

Internal Audit

The dispositive of risk management: Christian Huber; Tobias Managemen External Risk

8

Reconstructing risk management

after the financial crisis

Scheytt t

Accounting

Research

Paper Management

G20/OECD Principles of Corporate

Governance

Organization for

Economic Co-operation

and Development

External

Docuemnt

Corporate

Governance

Corporate Governance, Risk

Management and the Financial

Crisis: An Information Processing

View

Michael Pirson; Shann

Turnbull

Corporate

Governance

: An

Internationa

l Review

External

Paper

Corporate

Governance

Sonae Financial Report’14 -

Management Report

Sonae Internal

Document

Sonae

Sonae Financial Report’14 –

Financial Statements

Sonae Internal

Document

Sonae

Sonae Financial Report’14 –

Corporate Governance Report

Soane Internal

Document

Sonae

Brochura – Sonae Improving Life Sonae Internal

Document

Sonae

9

Appendix E - List of meeting and interviews

Date Duration Type Objective/ Subject Participants

14/09 30 min Meeting Introduction to the

company and

department.

Director of Internal Auditing;

Coordinator of Continuous

Auditing team; Coordinator of

Compliance and Process auditing

(Sonae SR) team

14/09 30 min Unstructured

Interview

Assurance Mapping.

Coordinator of Compliance and

Process auditing (Sonae SR)

21/09 2h Unstructured

Interview

Assurance Mapping and

Project’s objectives.

Internal Audit Specialist


Interview

Development of the

Business Processes

List.




Interview

Development of the

Business Processes

List.


Process auditing (Sonae MC)


Interview

Project’s objectives and

plan.

Director of Internal Auditing

09/10 30 min Unstructured Assurance Map – Director of Internal Auditing

10

Interview framework


Interview

Gap Analysis Internal Audit Specialist


Interview

Review of Third Line

of Assurance Inquiry


Auditing team

14/10 2h Meeting Project’s Presentation

and Plan Validation



Auditing team; Coordinators of


(Sonae SR and Sonae MC team);

Director of Information Systems

Audi; Director of Food Safety

Audit and Coordinator of

Procedures team


Interview

Identifying Internal

Controls for Zippy

Internal Audit Specialist


Interview

Identifying Internal

Controls for Zippy

Coordinators of Compliance and

Process auditing (Sonae MC team)


Interview

Review of Inquiries for

the First and Second

Line of Defences


Process auditing (Sonae MC and

SR team)

11


Interview

Review of

Questionnaire for the

Third Line of Defence

(Procedures team)


Process auditing (Sonae MC);

Coordinator of Procedures team

20/11 1h Meeting Project’s Presentation –

DC Casa, Bazar e

Têxtil

Director of Internal Audit;


Process auditing (Sonae MC and

Sonae SR); Director of DC Bazar,

Director of DC Casa e Têxtil;

Director of stock management

26/11 30 min Semi-

Structured

Interview

Assessing Assurance

Level for the First Line

of Defence

Director of DC Bazar; Coordinators

of Compliance and Process auditing

(Sonae SR)

27/11 30 min Semi-

Structured

Interview

Assessing Assurance


of Defence

Director of DC Casa e Têxtil;


Process auditing (Sonae MC)

2/12 30 min Semi-

Structured

Interview

Assessing Assurance

Level for the Second

Line of Defence - DGR

Director of DGR; Coordinators of


(Sonae MC)

7/12 45 min Semi-

Structured

Assessing Assurance


Manager of Zippy; Coordinators of


12

Interview of Defence – Zippy (Sonae SR)

7/12 30 min Semi-

Structured

Interview

Assessing Assurance


Line of Defence - DSA

Manager of DSA; Coordinator of

Continuous Audit

7/12 1 hour Meeting Validation of the new

list of processes



Auditing; Coordinators of


(Sonae SR and Sonae MC);

Director of Information Systems

Audit; Director of Food Safety

Audit; Director of Procedures and

Coordinator of Procedures

10/12 30 min Semi-

Structured

Interview

Assessing Assurance


Line of Defence – DQI

Director and Manager of DQI

18/12 30 min Semi-

Structured

Interview

Assessing Assurance


Line of Defence - DL

Manager of Legal Department;



13

Appendix F – Structure of Sonae Group

*Participation held through Sonaecom.

Adapted from: Sonae, 2014b

Efanor

Sonae Capital

(63%) Sonae

(53%)

Core Businesses

Sonae MC

(100%)

Sonae SR

(100%)

Related Businesses

Sonae RP

(100%)

Sonae IM

(16 to 89.9%)

Core Partnerships

Sonae Sierra

(50%)

NOS *

(24.4%)

Sonae Indústria

(69%)

14

Appendix G – List of business units of Sonae’s core businesses

Adapted from: Sonae, 2014a

Sonae MC

Continente

(Hipermarkets)

Continente Bom Dia

(Convenience Supermarkets)

Continente Modelo

(Supermarkets)

Bom Bocado and Bagga

(Coffee Shops)

Meu Super

(Proximity stores)

Note!

(Bookshops and stationer)

Well's

(Health care)

Pet & Plants and ZU

(Garden and Domestic animals)

Sonae SR

Zippy

(Clothing and footwear for babies and children)

MO

(Clothing, footwear and accessories)

Sport Zone

(Sports clothing and equipment)

Worten

(Electronics and entertainment)

Worten Mobile

(Mobile Telecommunications)

15

Appendix H – DAGP Organization Chart

Source: Adapted from internal documents.

Chief Audit Executive

Compliance and Process Audit

Continuous Auditing Team

Retail Audit Team

Food Retail Team

Specialized Retail Team -

Portugal

Specialized Retail Team -

Spain

Sonae Capital Team

Food Safety Audit Team

Information System Audit

Team

Procedures Management

Team

Secretary

16

Appendix I - Brief Description of DAGP’s Areas

Process and Compliance Audit

The main responsibilities of this area include execution of audits to assess the compliance with

legislation and procedures, the execution of process audits to evaluate risks and promote efficient

risk management, helping the organization to achieve its objectives.

Food Safety Audit

The main responsibilities of this area include the execution of audits to assess the food safety

risks and compliance with food safety legislation and procedures; identifying potential food

safety hazards and associated risks to consumer health; and provide internal independent

guidance. Therefore, this area promotes the efficiency of food safety risk management and the

effectiveness of process controls in order to achieve safe food.

Information Systems Audit

This area is focused on providing assurance to the company related with the control and

governance of the information systems that support the business processes of Sonae, by way of a

systematic evaluation, improvement action recommendations and by helping the definition of

control requirements.

Procedures Management

Procedures management area has the mission of implementing procedures for the processes of

Sonae in order to promote standardization and simplification across all the processes of the

company. Moreover, this team is responsible to ensure that procedures are known and easily

available for the collaborators involved.

Source: Adapted from internal documents.

17

Appendix J – Exemplification of the CAE Inquiry

Question 1) Weights of each defence line and department

Instruction: Please indicate the percentage weights that each defence line/ department should have in order to

evaluate the global assurance provided.

Question 2) Involvement of the Second Line of Defence with each Business Process

Instruction: For each business process, please cross (“x”) the departments that should have involvement (i.e.

control, validation, support or planning activities) with that process.1

1The CAE inquiry lists all business process. In this example, only the process of Sourcing Goods is exhibited.

Defence

Lines/

Departments

First

Line of

Defence

Second Line of Defence Third Line of Defence

Global

Assurance

DL

DP

CG

BIT

DA

JG

C

DQ

I

DF

T

DA

F

DP

A

D S

A

DG

R

DA

GP

-

GP

DA

GP

-

AP

C-A

C

DA

GP

-

AP

C-M

C

DA

GP

-

AP

C-S

R

DA

GP

-

AS

I

DA

GP

-

AS

A

Weight

Process

Sub-process

DL DPCG BIT DAJGC DQI DFT DAF DPA D SA

So

urc

ing

of

Go

od

s Procurement

Evaluation and Selection

Negotiation

Contract Management

Revision of Suppliers

CAE INQUIRY

The present inquiry is directed to the CAE.

Scope: The present inquiry is part of the Assurance Map, a project developed in DAGP, which aims at

creating a map that reports the assurance of the business processes of the company.

Purpose: Determine weights of each defence line; determine which departments of the second line of

defence should have control over each process.

Inquiry’s duration: 10 to 15 minutes

Please, answer to the following question in the shading spaces.

18

Appendix L – List of Criteria to assess the Assurance Level

First Line of Defence

1. Effectiveness of Internal Controls

2. IT Support Systems

3. Internal procedures, rules and regulation

4. Employee’s knowledge about the process

5. Material losses production breaks and other incidents

Second Line of

Defence ( except DGR

and DAGP-GP)

1. Effectiveness of Internal Controls


3. Internal procedures, rules and regulation

DGR 1. Existence of a risk analysis

2. Seniority of the analysis

3. Implementation of mitigation actions

DAGP-GP

1. Existence of procedures

2. Seniority of procedure’s revision

3. Need for additional revision

4. Scope of procedure

Third Line of Defence

1. Existence of Audit

2. Seniority of the Audit

3. Scope of the Audit

4. Number of critical findings not yet solved

19

Appendix K – Inquiry for the First Line of Defence2

Respondent

Name

Position

Date

Involvement with the process and sub processes

Please answer if your commercial department as any involvement in each of the following sub-

processes.

Process Sub processes Involvement?

Sourcing of

Goods

Procurement


Negotiation

Contract Management


1. Employee’s Knowledge about the process

Q1.1) Which is the employee’s rotation rate in your department, of the employees who work for the Sourcing of

Goods process?

Q1.2) Which is the rate of people, working for the process Sourcing of Goods, who had specific training for the

process?

(Continued)

2 This inquiry is adapted for the process of Sourcing of Goods.

FIRST LINE OF DEFENCE’S INQUIRY



Purpose: Evaluate the level of assurance provided by the Commercial Department X for the process of

Sourcing of Goods



20


For each of the following sub processes, please indicate if there is any IT support system or it

the support is done manually.

Examples of IT support systems: Front Office, Purchases, Sales Price Management, Stock Management.

Examples Manual support:paper, Excel, Word.

Process Sub process Type of Support

Sourcing

of Goods

Procurement


Negotiation

Contract Management


3. Procedures, rules and regulation

For each sub process, please specify if there are procedures and rules established.

Additionally, indicate the rate of people involved in the process of Sourcing of Goods who

knows and apply the procedures.

Process Sub process

Procedures or

Rules?

Rate of people applying

the processes

Sourcing

of Goods

Procurement


Negotiation

Contract Management


4. Internal Controls

In the following table, evaluate, for each sub process, the following internal controls.

Please state the effectiveness rate, the type of control and its frequency3.

Effectiveness rate: Non-existent, elevate, moderate, weak or very weak.

Type of Control: Manual, semi-automatic or automatic.

Frequency: In each transaction, daily, weekly, monthly, trimestral, biannual, annual, greater than annual.

(Continued)

3 This question is repeated for every sub process under analysis.

21

Sub-process Control Effectiveness

Rate

Type of

Control

Frequency

of Control

Procurement

Existence of evidence

justifying the need of

procuring a new supplier.

Search of a minimum of 3

suppliers.

5. General Evaluation

Q5.1) For each sub process, please indicate if the existent controls, procedures, rules and IT

supportive systems are sufficient or insufficient to prevent potential errors or risks

Process Sub-process Answer

Sourcing of

Goods

Procurement


Negotiation

Contract Management


Q5.2) For each sub process, indicate I, in the last year, in your department, have occurred any

material loss, production break or other incident related with the process of Sourcing of Goods.

If your answer is yes, indicate if it was a relevant loss monetarily.

Process Sub process

Losses, breaks or

incidents?

Relevance of the

loss/break /incident

Sourcing

of Goods

Procurement


Negotiation

Contract Management


22

Appendix M – Inquiry for the Second Line of Defence (except DGR and DAGP-GP)4

Respondent

Name

Position

Date


Please answer if your department as any involvement in each of the following sub-processes of

business unit Y.


Sourcing of

Goods

Procurement


Negotiation

Contract Management


1. Internal Controls

In the following table write the controls existent in you department, for each sub process of

business unit Y. Then, please state the effectiveness rate, the type of control and its frequency5.

Effectivenss rate: Non-existent, elevate, moderate, weak or very weak.

Type of Control: Manual, semi-automatic or automatic.

Frequency: In each transaction, daily, weekly, monthly, trimestral, biannual, annual, greater than annual.

(Continued)


5 This question is repeated for every sub process under analysis.

SECOND LINE OF DEFENCE’S INQUIRY



Purpose: Evaluate the level of assurance provided by the Supportive Department X for the process of

Sourcing of Goods of the business unit Y.



23

Sub-process Control Effectiveness

Rate

Type of

Control

Frequency

of Control

Procurement


For each of the following sub processes, please indicate if there is any IT support system in your

department or it the support is done manually.

Examples of IT support systems: Front Office, Purchases, Sales Price Management, Stock Management.

Examples Manual support:paper, Excel, Word.

Process Sub process Type of Support

Sourcing

of Goods

Procurement


Negotiation

Contract Management



For each sub process, please specify if there are procedures and rules established in your department.

Additionally, indicate the rate of people involved in the process of Sourcing of Goods who knows and apply the procedures.

Process Sub process

Procedures or

Rules?

Rate of people applying

the processes

Sourcing

of Goods

Procurement


Negotiation

Contract Management


4. General Evaluation

For each sub process, please indicate if the existent controls, procedures, rules and IT supportive

systems are sufficient or insufficient to prevent potential errors or risks

Process Sub-process Answer

Sourcing of

Goods

Procurement


Negotiation

Contract Management


24

Appendix N – Inquiry for Second Line of Defence - DGR6

Respondent

Name

Position

Date


Please answer if your department as any involvement in each of the following sub-processes of

business unit Y.


Sourcing of

Goods

Procurement


Negotiation

Contract Management


Instructions: Please, fulfil the following table, answering to each of the 3 questions, for each of

the sub processes of the process Sourcing of Goods of the business unit Y.

Process Sub process Q1) Was the

risk analysed? Q2) When was the last risk analysis? Answers : “Less than a year” , “Between

1 and 3 years” or “More than3 years”

Q3) Was any mitigation action

implemented? (i.e. Prevent,

Accept, r

Reduce or Transfer Risk)

Sourcing

of

Goods

Procurement

Evaluation

and Selection

Negotiation

Contract

Management

Revision of

Suppliers


INQUIRY FOR DGR



Purpose: Evaluate the level of assurance provided by DGR for the process of Sourcing of Goods of the

business unit Y.



25

Appendix O – Inquiry for Second Line of Defence – DAGP-GP7

Respondent

Name

Position

Date


Q1.1) Please indicate if there is any procedure, rule or regulation for each sub process of business

unit Y. If your answer is yes, please indicate the date of last revision and scope of the procedure.

Process Sub processes Procedures, rules, regulation? Date of last

Revision

Scope of

the

procedure

Sourcing of

Goods

Procurement

Evaluation and

Selection

Negotiation

Contract Management


Q1.2) Please indicate, for each procedure identified in the table above, if a new revision of it is

required.

Process Sub processes Need of new revision?

Sourcing of

Goods

Procurement

Evaluation and

Selection

Negotiation

Contract Management



INQUIRY FOR DAGP - GP



Purpose: Evaluate the level of assurance provided by DAGP -GP for the process of Sourcing of Goods

of the business unit Y.



26

Appendix P – Inquiry for Third Line of Defence8

Respondent

Name

Position

Date


Q1.1) Please indicate, for each sub process of business unit Y, if it was audited

If your answer is yes, please indicate the date and scope of the audit.

Process Sub processes Was it audited? Date of audit Scope of

audit

Sourcing of

Goods

Procurement

Evaluation and

Selection

Negotiation

Contract Management


Q1.2) Please indicate, for each sub process audited, the number of critical findings not yet solved.

Process Sub processes Critical Findings not solved

Sourcing of

Goods

Procurement

Evaluation and

Selection

Negotiation

Contract Management



INQUIRY FOR DAGP - GP



Purpose: Evaluate the level of assurance provided by DAGP -GP for the process of Sourcing of Goods

of the business unit Y.



Appendix Q – Assurance Map’s excel template

Legend

Level of Assurance Assurance Value

Adequate 𝑥 > 0,75

Moderated 0,5 < 𝑥 ≤ 0,75

Reduced 0,25 < 𝑥 ≤ 0,5

Inadequate 𝑥 ≤ 0,25

Non applicable

Assurance Map Zippy PT

DL DQI D SA DGR DAGP-GPDAGP-

APC-AC

DAGP-

APC- SR

DAGP-

ASI

DAGP-

ASA

Purchases Goods Purchase Sourcing Procurement

Purchases Goods Purchase Sourcing Evaluation and Selection

Purchases Goods Purchase Sourcing Negotiation

Purchases Goods Purchase Sourcing Contract Manager

Purchases Goods Purchase Sourcing Revision of Suppliers

1st Line

of

Defence

2nd Line of Defence 3rd Line of DefenceGlobal

Assurance

Value Chain

Category

Group of

ProcesseProcess Activity

28

Appendix R – List of Internal Controls

Sub-process Internal Control

Procurement

Existence of documentation justifying the need to search

for a new supplier.

Search of a minimum of three suppliers in the market.

Suppliers that are unique in the market are properly

approved.


Definition of criteria for the choice of suppliers.

Preparation of evaluation report for potential suppliers.

Preparation of risk report for potential suppliers.

Approval of the selected supplier by the Commercial

Director or Business Unit Director.

Negotiation Existence of evidence of adjudication to the supplier.

Contract Management

The contract is sign for both the supplier and Sonae.

The filing of contracts and related documents is safe and

restrict.

The creation and revision of contracts is restricted.

Revision of Suppliers Existence of evidence of revision and maintenance of

current suppliers.

Documents

SUPPLEMENTARY APPENDICESWorten (Electronics and entertainment) Worten Mobile (Mobile Telecommunications) 15 Appendix H