
IT Controls Objectives

for SARBANES-OXLEY

By Stanley Chege

1
Management Hypocrisy

Affected investor confidence and auditor independence…


More recently…
Delphi, Spiegel, Computer Associates, Cendant, Citigroup

2
SEC and PCAOB Guidance Dec 2006

SEC Chairman Christopher COX and PCAOB Chairman Mark Olson

• On Dec 20 2006 the SEC published interpretive guidance on section 404 for all public companies
• Top-down, risk-based evaluation of internal controls over financial reporting
• Flexible, based upon issuer-specific considerations of materiality and risk
• Scalable to companies of varying size, including smaller public companies
• Retained auditor's attestation report
• PCAOB: considering and using the work of others; more efficient, risk-based and scaled to the size and complexity of each company
• For Lafarge the number of critical controls to be tested by external auditors was reduced

3
SEC Guidance and Clarification…

An embedded governance approach:


• Governance policies that support the strategic goals of the company
• Consistent enforcement of compliance policies
• Exception-based reporting and automated audit processes, with less emphasis on sampling
• Repeatable audit processes, concentrated on areas of highest risk
• Preventive controls aligned with threats
• Self-assessment capabilities within business units
• Distributed compliance responsibility across each business function, from front-line workers to executive management
• Whistleblower procedures!

4
1. Internal control approach and scope
Main orientations

• Sarbanes-Oxley compliance for 2007
  - Sensitive internal control environments to be closely monitored: North America, China, impact of T-One / shared services
  - Follow-up on areas of improvement reported to Group Audit Committee (IFRS accounting, tax reporting)

• A simplified and more risk-oriented approach (new SEC guidance)
  - Stabilized framework
  - Risk-oriented approach
    - Focus on Group priorities (e.g. safety, WCR, Capex…)
    - Focus on specific areas of improvement at local level
  - Number of controls to be tested reduced

• Formalization of an internal control plan by the BUs
  - Summary of internal control activities of the BU to be approved by BU ExCom
  - Stronger buy-in from BU management team and the Group
5

1. Internal control approach and scope
Scope of BU

• Three categories of BUs, defined on the basis of materiality / risk criteria, with an impact on the scope of controls to be tested:
  - Critical BUs: 26
  - High BUs: 8
  - Medium BUs: 11
  ⇒ Total: 53 BUs, coverage ≅ 80% of Group key indicators
• A more risk-oriented approach, allowing the testing workload to be reduced for smaller and less risky BUs, validated by the Finance Executive Committee

Progressive approach: Cement French Indies, Cement CIS, Cement Serbia, Cement China, Cement Bangladesh, A&C Spain, Cement Zambia, Cement Ecuador

External auditors' scope:
• Detailed SOA audit: most of the critical BUs (list not defined yet)
• Internal control review (as part of the audit of financial statements): high and medium BUs + some critical BUs
7
1. Internal control approach and scope

Scope of testing

• Design effectiveness of all controls to be confirmed by BUs
• Extent of testing: should include processes impacted by major changes and other areas considered at risk by BU management
• Timing of tests
  - 3 phases as in previous year
  - Phase 3 reduced to a minimum
8
1. Internal control approach and scope
Milestones

[Timeline chart, March to February, in four numbered phases; labelled steps: Instructions, Pre-assessment, Final Assessment]
Governance milestones: Audit Committee (July 31), Compliance Committee (early Dec), Audit Committee (mid Feb)
Financial closing milestones: June close, pre-closing, year-end close
Activities on the timeline: preparation of BU Internal Control Plan; update of documentation / preparation of testing activities; assessment of internal control environment; testing of controls; testing "window" for IT controls; implementation of action plans on internal control; status updates (marked x)

• Instructions sent one month earlier than in 2006
• Aligning main testing phases with Group financial closing milestones
  - Pre-closing date: outstanding; assumption: October pre-closing
  - Phase 3: reduced to a minimum

9

2. Internal control plan

• Summary of internal control activities for the year:
  - Risk assessment and identification of internal control topics
    - Group topics
    - Local specific topics
  - Internal control monitoring and assessment
    - Follow-up on action plans (on Group and local internal control topics)
    - Testing
    - Assessment of remaining deficiencies

• Preparation
  - Support from Group Internal Control team
  - Input from Zone Presidents / Divisions
  - Validation by BU Executive Committee

• Will contribute to the Group Internal Control plan requested by Group ExCom

• Will be followed up through periodical status updates from BUs

10
What does SOA section 404 require?

The SOA makes company executives explicitly responsible for establishing, evaluating, and monitoring the effectiveness of their company's internal control structure.

• Management (Group CEO, CFO) has to file an internal control report with the annual report, including:
  - Management's statement of its responsibility for establishing and maintaining adequate internal controls and procedures for financial reporting
  - Management's conclusions on the design and operational effectiveness of the company's internal controls and procedures for financial reporting, based on its evaluation at the end of the fiscal year

• In addition, the company's independent auditors have to attest to and report on management's evaluation of internal control over financial reporting.

11
Internal control is…

… a process, effected by an entity's Board of Directors, Management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• reliability of financial reporting (the focus of SOA section 404),
• compliance with laws and regulations,
• performance of operations

Specific objectives of IT internal control, in relation to the reliability of financial reporting, are to ensure:
• data integrity
• availability of data and key applications
• confidentiality of information

12
Internal Controls Department

BU Project Organisation

ARMIS supporting 10 BUs

Group Internal Controls Department
Isabelle Rabol

Regional ICC/Correspondent
Nicolas Mathon

Regional IT Internal Controller

BU Executive Committee / BU Audit Committee

BU Project Manager = ICC

BPOs: Fixed Assets, Finance, HR, Inventories, IS & IT (IT Managers and ARMIS), Revenues, Treasury & Financing, Expenditure

13
IT is included in the project scope…

… as one of the 8 Group mega-processes that significantly impact the quality of financial reporting of Lafarge

• The IS/IT mega-process includes the following processes:
  - Logical & physical security management,
  - Systems development & maintenance,
  - Continuity of IS operations,
  - Application system controls

• Examples of related internal control standards are:
  - A business owner is assigned for each application system,
  - Changes to applications / systems are documented,
  - Data are regularly backed up,
  - Integrity of interfaces is controlled

• IS/IT internal control standards are in line with the new IS/IT security policy

14
… and also as a support function…

… for the 7 other mega-processes included in the project scope: Finance, HR, Expenditures, Fixed assets, Inventories, Revenues, Treasury

Examples include:
• Monitoring of access rights to the different application systems and sensitive data files: supplier & customer master files, …
• Set-up of exception reports to monitor internal control of support processes:
  - Track invoices without POs,
  - Identify potential double payments,
  - Select all credit notes exceeding a threshold,
  - …
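An added example, not from the presentation, of how the three exception reports listed above can be run as queries over a BU's accounts payable and receivable data. It uses an in-memory SQLite database and constructed sample records; the table names, columns and the 10,000 credit-note threshold are assumptions.

```python
import sqlite3
# Constructed sample data (not from the page): a few AP/AR records as a BU's
# ERP might hold them. Suppliers, invoice numbers, POs and amounts are made up.
INVOICES = [
    # (id, supplier, invoice_no, amount, po_number)
    (1, "ACME Supplies", "INV-1001", 1250.00, "PO-5001"),
    (2, "ACME Supplies", "INV-1001", 1250.00, "PO-5001"),  # keyed in twice
    (3, "Globex Cement", "INV-77", 980.50, None),           # no PO reference
    (4, "Globex Cement", "INV-78", 980.50, "PO-5002"),      # same amount as 3
    (5, "Initech", "INV-9", 45.00, "PO-5003"),
]
CREDIT_NOTES = [
    (1, "Builder A", 500.00),
    (2, "Builder B", 12000.00),
    (3, "Builder C", 25000.00),
]

def load(conn):
    conn.executescript("""
        CREATE TABLE invoices(id INTEGER, supplier TEXT, invoice_no TEXT, amount REAL, po_number TEXT);
        CREATE TABLE credit_notes(id INTEGER, customer TEXT, amount REAL);
    """)
    conn.executemany("INSERT INTO invoices VALUES (?,?,?,?,?)", INVOICES)
    conn.executemany("INSERT INTO credit_notes VALUES (?,?,?)", CREDIT_NOTES)

def invoices_without_po(conn):
    # Invoices booked with no purchase order behind them.
    return [r[0] for r in conn.execute(
        "SELECT id FROM invoices WHERE po_number IS NULL OR po_number = '' "
        "ORDER BY id")]

def potential_double_payments(conn):
    # Pairs of invoices from the same supplier sharing an invoice number or an
    # amount; each pair is a candidate for review, not a proven duplicate.
    return list(conn.execute("""
        SELECT a.id, b.id FROM invoices a JOIN invoices b ON a.id < b.id
        WHERE a.supplier = b.supplier
          AND (a.invoice_no = b.invoice_no OR a.amount = b.amount)
        ORDER BY a.id, b.id"""))

def credit_notes_over(conn, threshold):
    # Credit notes above the approval threshold set by the BU.
    return [r[0] for r in conn.execute(
        "SELECT id FROM credit_notes WHERE amount > ? ORDER BY id", (threshold,))]

def run_exception_reports(threshold=10000.0):
    conn = sqlite3.connect(":memory:")
    load(conn)
    return {"invoices_without_po": invoices_without_po(conn),
            "potential_double_payments": potential_double_payments(conn),
            "credit_notes_over_threshold": credit_notes_over(conn, threshold)}
```

Each report returns record ids so that the BPO can review the exceptions and document the follow-up, which is the evidence the control testing phase looks for.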

15
What does it mean for IS/IT Managers?

… IS/IT Managers of all of the BUs included in the project scope will be involved as:
• "Process Owners" of the IS/IT mega-process, responsible for documentation and evaluation of the level of compliance of the IS/IT process against Group internal control standards,
• Support to the process owners of the other mega-processes

• Documentation & evaluation have to be done through RVR
• BUs with access to RVR are LSA, Bamburi Cement, Chilanga, Wapco, Ashaka and Cimencam.

16
SOA is a challenge for the IT Community…

• Group IS/IT internal control standards have been defined in accordance with internationally recommended practices regarding SOA and are in line with the new Group IS/IT security policy,
• The Group IS/IT security policy is in some aspects more demanding than the SOX guidelines,
• They have to be implemented continuously,
• And will require close monitoring of the planning of system changes (new ERP implementations, specifically)

17
… and a great opportunity…

TO IMPROVE…

… the robustness and security of our IT networks and applications,

… the efficiency of our processes through the implementation of IS solutions to correct internal control deficiencies

18
COSO

19

Controls Automation and continuous monitoring

While successful audit results are the primary metric companies use to measure the ROI of their IT controls and compliance investments, they also expect to realize measurable business benefits.

Of those companies surveyed, 70% say they are using "successful audit results" to measure the overall return on their IT controls and compliance investments.

46% of those surveyed say they are measuring business process improvements resulting from their compliance investments.

Source: Approva Corporation 2006 Compliance Survey (www.approva.net/survey). Note: Numbers may not add to 100% due to rounding.
22
Controls Automation and continuous monitoring

A substantial number of companies are making a connection between investor confidence and SOX.

32% of companies surveyed who test more than 20 different applications believe investor confidence in their company has increased since SOX was introduced in 2002.

Source: Approva Corporation 2006 Compliance Survey (www.approva.net/survey). Note: Numbers may not add to 100% due to rounding.

23
Controls Automation and continuous monitoring

Source: Approva Corporation 2006 Compliance Survey (www.approva.net/survey). Note: Numbers may not add to 100% due to rounding.
24
Africa Region SOX Status

The following are areas that AFRICA BUs have excelled in:

• IT-C150 Data Centre Access Controls
• IT-C160 Data Centre environmental controls
• IT-C220 Separation of test and production
• IT-C100 Management of Third Parties
• IT-C110 Network Access

25
Africa Region SOX Status

The following are areas that BUs can improve on:

• IT-C050 Profiles
• IT-C070 User accounts and maintenance
• IT-C080 Password management
• IT-C090 IT Segregation of duties
• IT-C200 Change Management
• IT-C210 Testing of Changes
• IT-C280 Backup
• IT-C290 Testing of backup

26
Finally

To lead is to guide, influence or persuade.

You manage things: systems, processes and technology.
You lead people.

Sepehr Kousha

27
