for SARBANES-OXLEY
By Stanley Chege
Management Hypocrisy
SEC and PCAOB Guidance Dec 2006
On Dec 20 2006 the SEC published proposed interpretive guidance on section 404 for all
public companies:
Top-down, risk-based evaluation of internal controls over financial reporting
Flexible, based upon issuer-specific considerations of materiality and risk
Scalable to companies of varying size, including smaller public companies
Auditor's attestation report retained
PCAOB: considering and using the work of others; more efficient, risk-based
and scaled to the size and complexity of each company
For Lafarge, the number of critical controls to be tested by external auditors
was reduced
SEC Guidance and Clarification…
1. Internal control approach and scope
Main orientations
Sarbanes Oxley compliance for 2007
Sensitive internal control environments to be closely monitored:
North America
China
Impact of T-One / shared services
1. Internal control approach and scope
Scope of testing
Extent of testing
Timing of tests
3 phases as in previous year
Phase 3 reduced to a minimum
1. Internal control approach and scope
Milestones
Audit Committee (July 31)
Compliance Committee (early Dec)
Audit Committee (Mid Feb)
Status update
Preparation
Support from Group Internal Control team
Input from Zone Presidents / Divisions
Validation by BU Executive Committee
What does SOA section 404 require?
Internal control is…
Internal Controls Department
Regional ICC/Correspondent
Nicolas Mathon
IT is included in the project scope…
… as one of the 8 Group mega-processes that significantly
impact the quality of financial reporting of Lafarge
IS/IT internal control standards are in line with the new IS/IT
security policy
… and also as a support function…
Examples include:
Monitoring of access rights to the different application systems and
sensitive data files: supplier & customer master files, …
Set-up of exception reports to monitor internal control of support
processes:
Track invoices without POs
Identify potential double payments
Select all credit notes exceeding a threshold
…
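The three exception reports listed above, as an added example written for this page (it is not Lafarge's code and not from the original deck): each report is a SQL query run over a constructed, in-memory AP ledger through Python's sqlite3 module. The table layout, the sample rows, the 14-day duplicate window and the 5,000 credit-note threshold are all assumptions for illustration.

```python
import sqlite3

# Constructed sample AP ledger (assumption, not real Lafarge data).
# Columns: id, vendor, invoice_no, amount, po_number, doc_type, posted (YYYY-MM-DD)
INVOICES = [
    ("INV-1", "V100", "A-001", 1200.00, "PO-55", "INVOICE", "2007-03-01"),
    ("INV-2", "V100", "A-001", 1200.00, "PO-55", "INVOICE", "2007-03-09"),  # re-keyed INV-1
    ("INV-3", "V200", "B-777",  480.50, None,    "INVOICE", "2007-03-02"),  # no PO
    ("INV-4", "V300", "C-010", 9000.00, "PO-61", "INVOICE", "2007-03-04"),
    ("INV-5", "V300", "C-011", -7500.00, "PO-61", "CREDIT", "2007-03-05"),  # large credit note
    ("INV-6", "V400", "D-001", -150.00, "PO-70", "CREDIT", "2007-03-06"),
    ("INV-7", "V200", "B-778",  480.50, "PO-80", "INVOICE", "2007-03-28"),  # same vendor/amount, 26 days later
]


def load(conn):
    """Create the ledger table and load the constructed rows."""
    conn.execute("""CREATE TABLE ap (id TEXT PRIMARY KEY, vendor TEXT, invoice_no TEXT,
                    amount REAL, po_number TEXT, doc_type TEXT, posted TEXT)""")
    conn.executemany("INSERT INTO ap VALUES (?,?,?,?,?,?,?)", INVOICES)


def invoices_without_po(conn):
    """Report 1: invoices posted with no purchase order reference (NULL or blank)."""
    rows = conn.execute("""SELECT id FROM ap
                           WHERE doc_type = 'INVOICE'
                             AND (po_number IS NULL OR TRIM(po_number) = '')
                           ORDER BY id""").fetchall()
    return [r[0] for r in rows]


def potential_double_payments(conn, window_days=14):
    """Report 2: pairs of invoices for the same vendor and amount that either share
    an invoice number (ignoring case and dashes) or were posted within window_days.
    The window keeps legitimate recurring invoices of equal amount out of the report."""
    rows = conn.execute("""
        SELECT a.id, b.id FROM ap a JOIN ap b
          ON a.vendor = b.vendor
         AND ABS(a.amount - b.amount) < 0.005
         AND a.id < b.id
         AND a.doc_type = 'INVOICE' AND b.doc_type = 'INVOICE'
         AND (UPPER(REPLACE(a.invoice_no, '-', '')) = UPPER(REPLACE(b.invoice_no, '-', ''))
              OR ABS(julianday(a.posted) - julianday(b.posted)) <= ?)
        ORDER BY a.id, b.id""", (window_days,)).fetchall()
    return [(r[0], r[1]) for r in rows]


def large_credit_notes(conn, threshold=5000.0):
    """Report 3: credit notes whose absolute value reaches the review threshold."""
    rows = conn.execute("""SELECT id FROM ap
                           WHERE doc_type = 'CREDIT' AND ABS(amount) >= ?
                           ORDER BY id""", (threshold,)).fetchall()
    return [r[0] for r in rows]


def run_exception_reports(threshold=5000.0, window_days=14):
    """Build the in-memory ledger and return all three reports keyed by name."""
    conn = sqlite3.connect(":memory:")
    load(conn)
    return {
        "no_po": invoices_without_po(conn),
        "double_payments": potential_double_payments(conn, window_days),
        "large_credits": large_credit_notes(conn, threshold),
    }


if __name__ == "__main__":
    for name, hits in run_exception_reports().items():
        print(f"{name}: {hits}")
```

With the default window INV-3 and INV-7 are not flagged (different invoice numbers, 26 days apart); widening the window to 30 days brings that pair into the duplicate report, which is the kind of threshold the control owner has to fix and document rather than leave to the person running the query.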
What does it mean for IS/IT Managers?
IS/IT Managers of all BUs included in the project scope will be
involved as:
"Process Owners" of the IS/IT Mega-Process, responsible for
documentation and evaluation of the level of compliance of the IS/IT process vs.
group internal control standards
Support to the process owners of the other mega-processes
SOA is a challenge for the IT Community…
… and a great opportunity…
TO IMPROVE…
COSO
Controls Automation and continuous monitoring
While successful audit results are the primary metric companies use to
measure the ROI of their IT controls and compliance investments, they
also expect to realize measurable business benefits. Of those companies
surveyed, 70% say they are using "successful audit results" to measure the
overall return on their IT controls and compliance investments.
Source: Approva Corporation 2006 Compliance Survey (www.approva.net/survey). Note: Numbers may not add to 100% due to rounding.
Controls Automation and continuous monitoring
32% of companies surveyed who test more than 20 different applications
believe investor confidence in their company has increased since SOX
was introduced in 2002.
Source: Approva Corporation 2006 Compliance Survey (www.approva.net/survey). Note: Numbers may not add to 100% due to rounding.
Africa Region SOX Status
IT-C050 Profiles
IT-C070 User accounts and maintenance
IT-C080 Password management
IT-C090 IT Segregation of duties
IT-C200 Change Management
IT-C210 Testing of Changes
IT-C280 Backup
IT-C290 Testing of backup
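The access-rights monitoring mentioned earlier under the support-function examples (who can change the supplier master file) and the IT-C050 / IT-C070 / IT-C090 controls listed above both reduce to the same review: resolve each user account through its profiles to a set of effective permissions, then look for toxic combinations and for access to sensitive functions. The block below is an added example written for this page, not Lafarge's tooling or the original deck's content; the profile names, permissions, user accounts and conflict pairs are constructed assumptions.

```python
# Profiles grant business permissions (IT-C050 "Profiles").
# All names here are constructed assumptions for illustration.
PROFILES = {
    "AP_CLERK":     {"ENTER_INVOICE"},
    "AP_MANAGER":   {"APPROVE_PAYMENT"},
    "VENDOR_ADMIN": {"MAINTAIN_VENDOR_MASTER"},
    "IT_SUPPORT":   {"READ_LOGS"},
    # Wide "do everything" profile that support staff often keep by accident.
    "SUPER_USER":   {"ENTER_INVOICE", "APPROVE_PAYMENT",
                     "MAINTAIN_VENDOR_MASTER", "READ_LOGS"},
}

# Toxic combinations (IT-C090 "IT Segregation of duties"): holding both sides
# lets one person create a fictitious supplier and pay it, or enter and
# approve the same invoice, with no second pair of eyes.
CONFLICTS = [
    frozenset({"MAINTAIN_VENDOR_MASTER", "APPROVE_PAYMENT"}),
    frozenset({"ENTER_INVOICE", "APPROVE_PAYMENT"}),
]

# User account -> assigned profiles (IT-C070 "User accounts and maintenance").
USERS = {
    "alice": ["AP_CLERK"],
    "bob":   ["AP_MANAGER", "VENDOR_ADMIN"],  # conflict visible only across two profiles
    "carol": ["SUPER_USER"],                  # conflict inside a single profile
    "dave":  ["IT_SUPPORT"],
}


def effective_permissions(profile_names, profiles=PROFILES):
    """Union of permissions over every profile a user holds.
    An unknown profile is an error: the review must not silently treat it as empty."""
    perms = set()
    for name in profile_names:
        if name not in profiles:
            raise KeyError(f"unknown profile {name!r}")
        perms |= profiles[name]
    return perms


def sod_violations(users=USERS, profiles=PROFILES, conflicts=CONFLICTS):
    """Return {user: [sorted (perm_a, perm_b) pairs]} for every user whose
    effective permissions contain a complete toxic combination."""
    report = {}
    for user, assigned in users.items():
        perms = effective_permissions(assigned, profiles)
        hits = sorted(tuple(sorted(c)) for c in conflicts if c <= perms)
        if hits:
            report[user] = hits
    return report


def users_with_permission(permission, users=USERS, profiles=PROFILES):
    """Access-rights review for one sensitive function, e.g. who can change
    the supplier master file."""
    return sorted(u for u, assigned in users.items()
                  if permission in effective_permissions(assigned, profiles))


if __name__ == "__main__":
    for user, pairs in sod_violations().items():
        for a, b in pairs:
            print(f"SoD conflict: {user} holds {a} and {b}")
    print("Can maintain vendor master:",
          users_with_permission("MAINTAIN_VENDOR_MASTER"))
```

The point of resolving through profiles rather than checking profiles one at a time is bob: neither of his profiles is wrong on its own, the conflict only exists in their combination, which is exactly what a reviewer who only reads the profile definitions will miss.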
Finally
Sepehr Kousha