2012 - controls awareness training - course booklet
TRANSCRIPT
-
7/27/2019 2012 - Controls Awareness Training - Course Booklet
1/28
Controls Awareness Training
Course Booklet 2012
Table of Contents
Course Topics & Learning Objectives
Course Slides
Welcome, Class Introductions, Agenda Slides 1-4
Purpose & Function of Controls Slides 5-21
Core Controls Principles Slides 22-33
Control Standards Slides 34-42
Organizational Responsibilities Slides 43-48
Application of CIMS Slides 49-61
Summary & Additional Resources Slides 62-67
Post Class Exercise
Controls Awareness Training
Course Topics & Learning Objectives
During this session, we will examine a series of topics designed to provide you with a fundamental knowledge of ExxonMobil's basic controls processes. A post-class exercise is also included to reinforce the training topics, encourage open dialogue with your supervisor, and challenge you to assess your role in ExxonMobil's controls environment.
Topics
- Definition, purpose, and function of controls
- The seven core controls principles
- ExxonMobil's Controls Framework, including System of Management Control, Delegation of Authority Guide, Compliance Checks
- Controls Integrity Management System (CIMS) and its applications
- Additional resources
Learning Objectives
- Understand the purpose and function of controls
- Develop familiarity with the core controls principles and their applications
- Explain the purpose and describe each element of ExxonMobil's Controls Framework
- Recognize the CIMS elements and their application in daily activities
- Know where to locate additional resources and appropriate contacts
- Describe and understand your role in the controls process
Slide 2
Class Introductions
Name
Operating Function and Job Title
Length of Employment with ExxonMobil
Example of a Control Used in Your Personal Life
Slide 3
Agenda
Section 1: Purpose & Function of Controls
Section 2: Core Control Principles
Section 3: Control Standards
Section 4: Organizational Responsibilities
Section 5: Controls Integrity Management System (CIMS) Applications
Additional Sources of Information
Slide 4
Training Objectives
Develop an understanding of the following:
Purpose and function of controls
ExxonMobil's Controls Framework & System of Management Control
Principles of control
Delegation of Authority Guide (DOAG)
Checks on the system's effectiveness
ExxonMobil Controls Integrity Management System (CIMS)
Be able to recognize applications of these tools and concepts in your work position and ExxonMobil
Know where to go for assistance and further information
Describe and understand your role in the controls process
Slide 5
SECTION 1: PURPOSE & FUNCTION OF CONTROLS
Slide 6
Here is an Interesting Quote:
Rex Tillerson (Chairman & CEO)
"Every day, employees at ExxonMobil are committed to the pursuit of operational excellence. We do this by delivering safe, reliable operations, improving energy efficiency, and maintaining strong business controls."
Excerpt from 2008 Financial and Operating Overview
SECTION 1: PURPOSE & FUNCTION OF CONTROLS
Slide 7
Key Concepts of Controls
What are controls? The systems and procedures devised by an organization to:
- Direct
- Restrain
- Govern
- Check
the performance of business activities
Systems and procedures include:
- Policies
- Training
- Reporting responsibilities
- Communication
- Authorities
SECTION 1: PURPOSE & FUNCTION OF CONTROLS
Slide 8
Key Concepts of Controls
Why controls? Controls are designed to ensure:
- Business is conducted in accordance with management's directives
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Assets (including information) are safeguarded and their integrity maintained
- Compliance with applicable laws and regulations
Legal requirements (Sarbanes-Oxley Act of 2002):
- Management to report on effectiveness of internal controls and financial reporting procedures
- Company's external auditors to report on and attest to management's internal controls
SECTION 1: PURPOSE & FUNCTION OF CONTROLS
Slide 9
Controls and Risk Exposure
SECTION 1: PURPOSE & FUNCTION OF CONTROLS
[Figure: risk exposure matrix plotting Probability against Severity (High, Medium, Low), with regions I to IV and points A and B]
Risk results from a combination of:
- An exposure
- The probability of an undesirable outcome occurring
Controls are intended to mitigate the risk by lowering the probability and/or the severity of an occurrence
- Point A in the red area reflects an unmitigated risk situation. Risk exposure can decrease to point B in the green area by having the proper controls in place.
Slide 10
SECTION 1: PURPOSE & FUNCTION OF CONTROLS
Components of ExxonMobil's Controls Framework
Corporate Policies
System of Management Control - Basic Standards (SMC)
Controls Integrity Management System (CIMS)
Compliance Checks
In-Line Controls
CONTROL FRAMEWORK + PROPER EXECUTION = EFFECTIVE CONTROL ENVIRONMENT
(e.g. Delegation of Authority Guide (DOAG))
(e.g. Internal Assessments)
Slide 11
ExxonMobil's SMC Basic Standards
System of Management Control (SMC)
- Foundation document of ExxonMobil's controls system
- Provides management with basic criteria, knowledge, and tools for establishing effective management controls
SECTION 1: PURPOSE & FUNCTION OF CONTROLS
System of Management Control: Basic Standards (ExxonMobil)
- Includes core policies, basic control expectations and a structure for ensuring that controls are functioning
- Broad rules of the road for running the business
- Sufficiently broad to allow flexibility to local conditions
- Management required to establish systems/procedures to meet/exceed standards
- Compliance is mandatory; exceptions must be reported and reviewed by Audit
Slide 12
In-Line Controls
Employees should understand the purpose and operation of the specific controls associated with their specific job responsibilities
- These controls are called In-Line Controls
You should be aware that:
- Using SMC as a guide, control mechanisms are introduced as procedures to govern day-to-day activities
- In-line Controls are designed and owned by process owners and are an integral part of each employee's activities
Two types of In-Line Controls
- Preventative Controls
- Detective Controls
SECTION 1: PURPOSE & FUNCTION OF CONTROLS
Slide 13
SECTION 1: PURPOSE & FUNCTION OF CONTROLS
In-Line Controls: Preventative and Detective
Preventative Controls
- Occur before the transaction or event has been completed
- Examples include:
  - Access controls (e.g., building access, computer system access)
  - Credit checks
  - Job handover checklists
Detective Controls
- Occur after the transaction or event has been completed
- Examples include:
  - Review of control reports
  - Reconciliation of accounts
  - Analysis of operating results
Always execute detective controls in a timely fashion to minimize losses and corrective efforts
Slide 14
Controls in Practice
Credit
- To ensure we extend credit only to creditworthy customers
Payroll
- To ensure employees are paid accurately, on time, and with the proper deductions
Product
- To ensure our products always have the right quality and proper quantity when we sell them to our customers
SECTION 1: PURPOSE & FUNCTION OF CONTROLS
Slide 15
Responsibility for Controls
Line Management
- Ultimate responsibility and ownership for all actions taken within its area of responsibility including the design, operation and maintenance of cost effective control mechanisms
Controllers
- Provide guidance and support to line management in the design, implementation and maintenance of the overall controls system.
- Controllers have an oversight responsibility to ensure that the controls system is functioning effectively
All Employees
- Act as business owners, taking overall responsibility for the effectiveness of controls within their scope of responsibility
SECTION 1: PURPOSE & FUNCTION OF CONTROLS
Slide 16
SECTION 1: PURPOSE & FUNCTION OF CONTROLS
General Guidelines for Controls
You should understand a few general guidelines that apply to all controls
All controls must be:
Documented
Communicated
Understood (existence, meaning, and use) by all those concerned
Supported by processes to ensure compliance
Supported by management
Slide 17
Control Breakdowns
What can cause control breakdowns?
Need for controls not recognized
Inadequate instruction / training
Insufficient capital or human resources provided
Improper priorities assigned
Attitudes of employees, supervisors & managers
Human error
Management unaware of problem
- Supervisors not monitoring ongoing process
- Manager not informed
SECTION 1: PURPOSE & FUNCTION OF CONTROLS
Slide 18
It Can't Happen to Us, Right?
SECTION 1: PURPOSE & FUNCTION OF CONTROLS
- Financial Irregularities
- Antitrust Activities
- FCPA Violations
- Data Privacy
- Other
- Discrimination
Slide 19
Unit Internal Assessments
SECTION 1: PURPOSE & FUNCTION OF CONTROLS
The primary purpose of a Unit Internal Assessment (UIA) is to test the integrity of a Unit's business process controls system, the effectiveness of execution of controls, and compliance with the Controls Integrity Management System (CIMS)
- Each UIA occurs at the mid point of the audit cycle
The UIA tests compliance with management defined control practices documented in business specific controls catalog
Consider a control concern exposure scenario and ask the question:
- What could go wrong and what is the impact (i.e. inherent risk)?
Use a controls catalog to determine the control steps:
- What should be done to manage the risk?
- What are the mitigating steps?
- How can control concerns be prevented or detected or the impact reduced?
Use a controls catalog to determine the control tests:
- How do you verify if it's working?
Slide 20
Controls Catalog
SECTION 1: PURPOSE & FUNCTION OF CONTROLS
Slide 21
SECTION 1: PURPOSE & FUNCTION OF CONTROLS
Summary
- Controls are all the methods to direct, restrain, govern, and check that business activities are conducted in accordance with management's directives
- The System of Management Control (SMC) Basic Standards is the foundation document of ExxonMobil's controls system
- Line management, employees, and contractors have specific roles and responsibilities for designing, implementing, and maintaining cost-effective controls
Thoughts to Consider:
- Who is in your line management?
- Who is the Controller/Controls Advisor for your group?
Slide 22
SECTION 2: CORE CONTROL PRINCIPLES
SMC Section 020-005
Slide 23
SMC Section 020
SECTION 2: CORE CONTROLS PRINCIPLES (020-005)
Four sections to the System of Management Control (SMC)
- 020: Introduction
- 030: Foundation & Framework
- 040: Administrative & Operating Controls
- 050: Internal Accounting Controls
SMC Section 020 includes these areas:
- 020-001: Document preface
- 020-002: SMC organization and structure
- 020-003: Brief discussion on the control environment
  - Factors involved in controls
  - Results of a poor controls environment
  - Methods of disseminating controls information
- 020-004: Relationship to financial and accounting controls
- 020-005: Principles of control
- 020-006: Organizational responsibilities
System of Management Control: Basic Standards (ExxonMobil)
Slide 24
Building Blocks of ExxonMobil's SMC
System of Management Control (SMC)
- Four sections form the building blocks of ExxonMobil's SMC
SECTION 2: CORE CONTROL PRINCIPLES (020-005)
020-006: Organizational Responsibilities
030: Foundation and Framework
040: Administrative & Operating Controls
050: Internal Accounting Controls
- Section 020-005 identifies seven core controls principles
- All of ExxonMobil's controls are based on these core principles
Slide 25
SECTION 2: CORE CONTROL PRINCIPLES (020-005)
ExxonMobil's 7 Pillars of Control
Slide 26
[Graphic: C-O-N-T-R-O-L]
SECTION 2: CORE CONTROL PRINCIPLES (020-005)
1. Decentralization of Management
Each organizational unit is expected to:
- Exercise the maximum practicable management responsibility and authority within its area of operations
- Be fully accountable for results
ExxonMobil's philosophy is that all employees should be empowered to get the job done following the broad direction provided by the Corporation
Slide 27
SECTION 2: CORE CONTROL PRINCIPLES (020-005)
2. Segregation of Duties & Responsibilities
Custodianship and accounting for assets should be separated
No single function, department or employee should have exclusive knowledge or control over any one transaction or group of transactions
Generally one must separate:
- Authorization
- Recording of transaction
- Custody
- Independent verification
Access to systems and specific system privileges can be used to achieve adequate segregation, therefore passwords should not be disclosed
Slide 28
SECTION 2: CORE CONTROL PRINCIPLES (020-005)
3. Documentation
Commonly documented items:
Operating procedures, business events, and transactions
Why is documenting these items important?
Establishes approval & verification responsibilities
Aids in proper accounting & reporting
Aids in analysis and recall process
Reduces chance of error
Assures compliance with
- Contracts
- Agreements
- Regulations
- Procedures
Slide 29
SECTION 2: CORE CONTROL PRINCIPLES (020-005)
4. Supervision and Review
Systematic and thoughtful supervision / review of work / performance helps to ensure that control procedures are understood and followed
Managers / Supervisors use controls to ensure:
- Results are in line with plans and objectives
- Deadlines are kept
- Policies and procedures are followed
Consult Manager / Supervisor to request clarification or voice concerns
Slide 30
5. Timeliness
Records, reports and reviews should be prepared or performed on a timely and scheduled basis
Timeliness permits prompt detection and repair of process problems
SECTION 2: CORE CONTROL PRINCIPLES (020-005)
Slide 31
SECTION 2: CORE CONTROL PRINCIPLES (020-005)
6. Relevance to Risk
Design or extent of controls should be proportional to the nature of the risk
Cost of controls should be related to the benefits
Controls must also consider the following implications:
- Policy
- Political
- Ethical
- Environmental
- Safety
Slide 32
7. Minimum Interdependence of Controls
Management controls should be structured to ensure deficiencies in one control component will not compromise the effectiveness of other controls in the total system
SECTION 2: CORE CONTROL PRINCIPLES (020-005)
If one control does not work, it should not compromise other controls
Each control should work on its own
Therefore, if an error manages to get through one control, other controls should still be able to detect it
Slide 33
SECTION 2: CORE CONTROL PRINCIPLES (020-005)
Summary
Following the seven core controls principles used by ExxonMobil will produce an effective controls environment
What are the seven core controls principles?
1. Decentralization of Management
2. Segregation of Duties and Responsibilities
3. Documentation
4. Supervision and Review
5. Timeliness
6. Relevance to Risk
7. Independence of Controls
Slide 34
SECTION 3: CONTROL STANDARDS
SMC Sections 040 & 050
Slide 35
Building Blocks of ExxonMobil's SMC
SECTION 3: CONTROL STANDARDS (040 & 050)
Section 040 details:
- The basic standards required for administrative and operating activities such as delegation of authority, planning, financing, contracting, etc.
  - Delegation of Authority
  - Personnel Administration
  - Long-term strategic planning
  - Near-term Business Planning & Performance Monitoring
  - Capital Investment
  - Financing & Investment
  - Foreign Exchange Operations
  - Contracting
  - Systems, Computing & Networks
  - Safeguarding Information
  - Other Operating Controls
  - Derivative Instruments
Slide 36
Building Blocks of ExxonMobil's SMC
SECTION 3: CONTROL STANDARDS (040 & 050)
Section 050 details:
- The basic standards established to ensure the integrity and objectivity of the accounting records
- The basic standards established to ensure the objectives of authorization, accounting, and asset safeguarding are met
Financial Accounting
Banking & Cash Funds
Cash Disbursements
Materials Accountability
Revenues
Cash Receipts
Credit & Collection
Property, Plant & Equipment
Payroll & Employee Benefits
Slide 37
Building Blocks of ExxonMobil's SMC
SECTION 3: CONTROL STANDARDS (040 & 050)
Familiarize yourself with the control standards in these sections that apply to your specific work processes
Our primary focus will be on authority delegation, a critical subject area of SMC Section 040
Corporate Plan Process
Capital Budget Manual / Process
Financial Forecasts
Earnings Reviews
Corporate Accounting Manual
Functional Accounting Instructions
GFCM Dictionary
SMC 050
SMC 040
Slide 38
Delegation of Authority Guide (DOAG)
The Delegation of Authority Guide (DOAG) is one of the key in-line controls within ExxonMobil
The DOAG prescribes:
- The delegated authorities for specific business transactions so that business is conducted in accordance with management's directives
Overriding Principles:
- No organization or individual is to exercise more authority than that which has been delegated
- Authority is granted to positions, not individuals
- Authority is limited to expenditures and transactions made within one's area of responsibility for which stewardship exists
SECTION 3: CONTROL STANDARDS (040 & 050)
Slide 39
Legal Authority and DOAG Authority
BOTH legal authority and DOAG authority must be obtained to conduct some business transactions:
- Legal: Defined by local incorporated entity
- Operational: DOAG defined by local Board of Directors
Person legally approving (signing) is responsible to ensure they have legal authority and all DOAG approvals are in place
Legal Authority
Granted by:
- Local legal/statutory definitions
- Corporate By-Laws
- Board Resolutions
- Powers of Attorney
- Must be in place to sign documents and legally transact business on behalf of an entity
DOAG Authority
Granted by:
- Entity's Board of Directors
- Includes review and endorsement requirements
- May require shareholder final review of some transactions
- Must be in place to transact business in accordance with entity's System of Management Control (SMC)
SECTION 3: CONTROL STANDARDS (040 & 050)
Slide 40
Delegation of Authority Guide (DOAG)
DOAG details:
- Delegation of authority through 12 profiles assigned to job positions across all functional / service organizations and affiliated companies
- Individuals granted authority are authorized to review only those activities / transactions that fall directly within their stewardship / accountability
DOAG parts:
- Overview
- Preamble
- Profile Assignments
- Transaction Schedules
  - General Use Schedule (corporate)
  - Specific Use Schedule (by function)
  - Local Extension (unique country)
Glossary
SECTION 3: CONTROL STANDARDS (040 & 050)
Slide 41
Transaction Schedules
SECTION 3: CONTROL STANDARDS (040 & 050)
Schedules - always start with most specific:
- Local Extensions (unique country transactions - LE noted)
- Specific Use Schedules (functional-specific transactions)
- General Use Schedule (corporate common transactions)
Organized by Key Transaction Categories:
1. Organization and Corporate Matters
2. Budget
3. Contracts, Agreements, Leases, and Commitments
4. Disbursements
5. Disposition and Write-down of Assets
6. Customer Related Transactions
7. Litigation and Claims
8. Emergency Response to Third Parties
9. Release of Information to Third Parties
10. Other Matters
Slide 42
How to Use the DOAG
Define delegation or decision to be made
Check transaction schedules in correct order to find the transaction
- Always start with the most specific (LE, SUS, then GUS)
Check Restricted column to be sure your Department has authority to final review this transaction
Determine which job position has authority to approve
Read and satisfy any restrictions or comments
Check Endorsements column and get written ones, if needed
Use the procedure in the DOAG Overview to remind yourself of all appropriate steps!
SECTION 3: CONTROL STANDARDS (040 & 050)
Slide 43
SECTION 4: ORGANIZATIONAL RESPONSIBILITIES
SMC Section 020-006
Slide 44
Building Blocks of ExxonMobil's SMC
SECTION 4: ORGANIZATIONAL RESPONSIBILITIES (020-006)
SMC Section 020-006 defines the groups responsible for the creation and proper functioning of controls within ExxonMobil
- Collectively, this forms the Checks on Systems Effectiveness
- Employees at all levels of the Corporation are in a position to observe and participate in ExxonMobil's control system
Slide 45
SECTION 4: ORGANIZATIONAL RESPONSIBILITIES (020-006)
Responsible Groups
Management
- Responsible for complying with policies and procedures
Internal Audit
- Provide independent appraisals of a control system and test the system's effectiveness
Audit Committee
- Advise Board of Directors on the effectiveness of control systems
- Monitor the work of internal and external auditors
Board of Directors
- Ultimately responsible to the shareholders for the controls environment
- Appoint (subject to ratification by shareholders) external auditors to render an opinion on ExxonMobil's consolidated financial statement
External Audit
- Next slide discusses in more detail
Slide 46
SECTION 4: ORGANIZATIONAL RESPONSIBILITIES (020-006)
External Audit & SOX
PricewaterhouseCoopers (PwC) is ExxonMobil's external auditor
- Obligated to report any material weaknesses discovered in internal accounting controls which could have potentially material impacts on financial statements
Sarbanes-Oxley 404 (SOX) is an additional element of the external audit
- SOX represents a distinct part of the larger external financial audit
- No separate SOX opinion issued
- Selected key internal controls over financial reporting are reviewed to evaluate their functionality
  - i.e.: entity level controls, Period End Financial Reporting (PERF)
- Focused generally on the same countries annually (U.S., Canada, Germany, Benelux, Japan, Singapore)
Other countries have enacted SOX-like legislation
- France, Italy, Korea, Japan, Switzerland
Slide 47
Compliance Checks: Representation Letter
An annual process requiring managers at multiple levels of the organization to confirm in a letter to their supervisors that:
- Transactions, including receipts and expenditures, are executed in accordance with management's general or specific authorizations
- All material information has been disclosed to the appropriate levels of management in a timely manner
- Unauthorized acquisition, use or disposition of assets that could have a material effect on the financial statements are prevented or detected in a timely manner
This letter also serves as support for the Corporation's year-end representation letters to the Board Audit Committee and various filings and certifications to the SEC
SECTION 4: ORGANIZATIONAL RESPONSIBILITIES (020-006)
Slide 48
Compliance Checks
Other elements of ExxonMobil's compliance program include:
- Audit & Controls reviews
- Process to communicate policies to new employees
- Annual Business Conduct Program
- Business Practice Reviews (every 4 years)
- Irregularities Reporting (8010)
- Influence all business partners to conduct business with highest integrity
- Red Book Exception Reporting
Controls Integrity Management System (CIMS)
- We'll discuss CIMS in the next section
SECTION 4: ORGANIZATIONAL RESPONSIBILITIES (020-006)
Slide 49
SECTION 5: APPLICATION OF CIMS
Slide 50
SECTION 5: APPLICATION OF CIMS
Controls Integrity Management System (CIMS)
CIMS defined:
- A comprehensive management system structured to promote the ongoing integrity of controls in our day-to-day business
Objective of CIMS:
- To provide management with the tools they need to fulfill their responsibility for establishing and maintaining a cost effective control environment
Benefit of CIMS:
- The SMC provides the broad parameters for an effective control environment; CIMS provides a consistent process to efficiently introduce appropriate controls and to sustain them over time
Slide 51
SECTION 5: APPLICATION OF CIMS
Seven Elements of CIMS
[Diagram: Controls Integrity Management System]
Element 1: Management Leadership, Commitment and Accountability
Element 2: Risk Assessment
Element 3: Business Process Management and Improvement
Element 4: Personnel and Training
Element 5: Management of Change
Element 6: Reporting and Resolution of Control Weakness
Element 7: Controls Integrity Assessment
Slide 55
SECTION 5: APPLICATION OF CIMS
Element 3: Business Process Management & Improvement
Appropriate Control Steps are Integrated into Business Processes & Control Improvements are Continuously Sought
[Diagram headings: Standards, Procedures, Expected Results, Verification & Feedback]
- Controls performance indicators
- Business performance indicators
- Approved, global processes are used
- Controls responsibilities are defined, understood, and effectively executed
- Improvements sought
- Document controls steps and procedures in controls catalogs
- Utilize global common processes and practices where appropriate
- Implement controls consistent with the SMC-Basic Standards
- Maintain controls catalogs & self-assessment templates for high risk business processes
What are some examples of control steps in your work processes?
Slide 56
SECTION 5: APPLICATION OF CIMS
Element 4: Personnel & Training
Personnel have Sufficient Controls Knowledge & Experience to Fulfill the Control Requirements of their Position
[Diagram headings: Standards, Procedures, Expected Results, Verification & Feedback]
- % of employees receiving SMC, SBC, and formal controls training
- Use of a job hand-over process
- Personnel know and understand the controls requirements of their positions, especially those with controls functions in high-risk business processes
- Attend general controls training!
- Utilize job hand-over process for individuals moved to a new position
- Highlight controls responsibilities in controls catalogs
- Identify and provide controls training consistent with job requirements
- Periodically review and assess controls training needs
Do you know and understand your controls requirements?
Slide 57
SECTION 5: APPLICATION OF CIMS
Element 5: Management of Change
A Systematic Change Management Approach is in Place
[Diagram headings: Standards, Procedures, Expected Results, Verification & Feedback]
- % of personnel moves for which a job hand-over checklist was completed
- Existence of change management plans developed and approved in advance
- Appropriate business controls are in place during and after the change
- Monitoring process exists to confirm that the change was properly implemented
- Establish R&R for managing change
- Identify potential changes that may impact business controls
- Define, document, approve, and manage the change
- Evaluate the impact of change on controls and related risks
- Maintain controls during the change
- Communicate and document impacts
What are some consequences of poor change management?
Slide 58
SECTION 5: APPLICATION OF CIMS
Element 6: Reporting & Resolution of Control Weaknesses
Control Weaknesses, Irregularities, & Business Practice Issues are Promptly Communicated to Management & Addressed
[Diagram headings: Standards, Procedures, Expected Results, Verification & Feedback]
- Audit & internal assessment gaps not closed within 6 months
- Number of repeat audit comments & irregularities
- Prompt identification, reporting, and resolution of control weaknesses
- Sharing of lessons learned and corrective actions
- Reporting tool used to track and report control weaknesses, action plans, and resolution
- Report on business control plans and controls performance indicators
- Formal process exists to record, report, and resolve controls weaknesses
- Issues and action plans are documented
- Steward resolution timeliness
What is your role in reporting and resolving control weaknesses?
Slide 59
SECTION 5: APPLICATION OF CIMS
Element 7: Controls Integrity Assessment
A Structured Approach is Used to Assess Compliance with CIMS
[Diagram headings: Standards, Procedures, Expected Results, Verification & Feedback]
- Number of internal assessments completed according to plan
- Identification and closure of control gaps
- CIMS assessment scores
- Internal assessments evaluate compliance with agreed business controls and include CIMS assessment
- Internal assessments are adequately documented
- Develop & maintain plan for regular internal assessments at mid-point of audit
- Conduct CIMS assessment and scoring concurrent with internal assessment
- Internal assessments and audits are part of the assessment process
- CIMS scoring mechanism is used to measure CIMS compliance and monitor progress
Do you have experience participating in an internal assessment?
Slide 60
CIMS Compliance Activities
How do you participate in CIMS compliance activities?
Completion of this training module
Participation in periodic Unit Internal Assessments (UIA)
Use of job hand-over checklist
Attendance at Business Practice Reviews
Effectively and permanently closing identified control gaps
SECTION 5: APPLICATION OF CIMS
Slide 61
SECTION 5: APPLICATION OF CIMS
Summary
CIMS is a structured and common process for establishing effective controls, compliance monitoring, and the timely resolution of control weaknesses
What are the seven CIMS elements?
1. Management Leadership, Commitment, & Accountability
2. Risk Assessment
3. Business Process Management & Improvement
4. Personnel & Training
5. Management of Change
6. Reporting & Resolution of Control Weaknesses
7. Controls Integrity Assessment
Slide 62
Key Messages
Controls are designed to mitigate risk (financial, regulatory, reputation) and assure orderly and predictable execution of management plans
Controls should always be practical and their purpose should be clearly understood by those who execute them
Controls should always be cost effective; the cost of introducing and maintaining a control should not exceed the benefit to be derived or exposure to be mitigated
More controls do not necessarily result in better control; we need to periodically evaluate the continued relevance of controls in place
Bottom line is: Controls must make business sense
SUMMARY
Slide 63
SUMMARY
Components of ExxonMobil's Controls Framework
Corporate Policies
System of Management Control - Basic Standards (SMC)
Controls Integrity Management System (CIMS)
Compliance Checks
In-Line Controls
CONTROL FRAMEWORK + PROPER EXECUTION = EFFECTIVE CONTROL ENVIRONMENT
(e.g. Delegation of Authority Guide (DOAG))
(e.g. Internal Assessments)
Slide 64
Your Roles and Responsibilities
Know your business objectives
Know and understand the controls and processes which apply to you and your job
Know your risk areas
Follow policies and procedures - don't make changes without review and approval
Don't sign/approve unless completely satisfied
If in doubt, ask or report!
SUMMARY
Slide 65
Additional Resources
Policy Booklets (SMC, SBC, CIMS, Manuals)
Corporate Controllers Intranet
Departmental Line Management
- Supervisor
- Manager
Controls Advisor
Controller
Area Audit Manager
SUMMARY
Slide 66
Intranet Resources
SUMMARY
Corporate Controllers Intranet
DOAG
SMC
CIMS
MPI
SOX
Rep Letter
Slide 67
Intranet Resources
SUMMARY
Corporate Controllers Intranet
Standards of Business Conduct
Business Practices Review
BACK UP
Slide 70
Sample Profile List - Upstream
SECTION 3: CONTROL STANDARDS (040 & 050)
Profile | Exploration | Development - Project | Production | Gas & Power Marketing | Research | Bus. Serv.
1 | Corp | Corp | Corp | Corp | Corp | Corp
2 | President | President | President | President | President | -
3 | Exec. V.P. | Exec. V.P. | Exec. V.P. | - | - | -
4 | V.P. | V.P. | V.P. | V.P. | V.P. | V.P.
5 | Operations Mgr | Project Executive | Production Mgr | Operations Manager | R&E Div. Mgr | U/S Treasurer
6 | Business Analysis Mgr | Project Mgr | Producing Operations Mgr | Business Analysis Mgr | Research Mgr | Group Controller
7 | Project Mgr | Project Engineer | Operations Mgr | Managers Commercial Resources | - | Country Controller - Large
8 | Commercial Transactions Mgr | SHE Project Manager | Operations Superintendent | Supervisors Commercial Resources | R&E Supervisor | Country Controller - Small
9 | Business Unit Supervisor | Project Superintendent | Land Supervisor | Supply Advisors | Training Supervisor | Revenue Accounting Mgr
10 | - | Lead Engineer | Field Supervisor | - | Shop Supervisor | Accounting Supervisor
11 | - | Engineer | Tech Staff | - | Team Lead | Advisor
12 | Admin Asst | Admin Asst | Admin Asst | Admin Asst | - | Admin Asst
Controls Awareness Training
Post-Session Exercise
This exercise should be completed as soon as possible after you return from class. You should work it with your supervisor or a person designated by your supervisor (such as a Controls Advisor). The exercise should take approximately one hour, and this exercise is designed to help you apply the control concepts learned in class to your current assignment.
Post-Class Exercises:
1. In your current job, when might you need to access the following items?
- ExxonMobil's System of Management Controls: Basic Standards (Red Book)
- Delegation of Authority Guide (DOAG)
- Applicable Accounting Manuals
2. What departmental guidelines or procedures does your workgroup have in place for controls? In your current assignment, how are you involved?
- Company Plan Process
- Representation Letter Process
- Business Practice Reviews
- Risk & Self Assessment Processes
- "Red Book" Exception Reporting
- Irregularities reporting
3. For a major business task that you perform, walk through the control principles involved. If a Controls Template or Catalog exists for the process, review the control principles.
4. What is an example of something you might need to look up in the DOAG? Show your understanding of how to look it up by explaining the process you would follow?