Section 404 of Sarbanes-Oxley: An Oracle Perspective
Paul Kirch, KLA-Tencor Corporation

Posted: 29-Dec-2015

KLA-Tencor Confidential – Do Not Duplicate

Agenda

• Company Overview
• Sarbanes-Oxley Overview
• Section 404 in "plain English"
• COSO framework
• Project Timeline
• Business Processes Universe
• Separation of Duties
• Defined Incompatibilities
• Guiding Principles and Implementation
• SoD Applied
• Lessons learned
• Next Steps


Company Overview

• One of NASDAQ "Top 50" companies in 2002
• Manufacturing company engaged in developing and manufacturing capital equipment used in the manufacture and production of silicon wafers
• Formed by a merger of KLA and Tencor Corporation in 1997
• Major customers are the principal silicon chip manufacturers worldwide
• 75-80% of revenue from overseas operations
• Sales offices in 15 countries around the world
• Major R&D locations in the U.S. and Israel
• Merged company used Oracle as a platform for developing common manufacturing and financial processes
• International operations upgraded to Oracle 11i in Spring 2003
• June 30 fiscal year end ensured that KLA-Tencor would be the first Fortune 500 company audited under the new Sarbanes-Oxley standards
• In Spring 2003 the chip industry was just beginning to emerge from one of the severest down cycles in the history of the industry


Section 404 in "Plain English"

Management must assert and auditors must attest that:
• All transactions that are either material by themselves or cumulatively material to the company are authorized according to an agreed policy/procedure.
• Assets of the company are adequately safeguarded.
• Procedures are in place to ensure that the reported financials adequately disclose all transactions.

What is required:
• Establish a control framework (aka COSO) to map business processes/objectives/risks/control activities.
• Document policies and procedures.
• Self-assessment of the adequacy of these policies and procedures.
• Complete testing with the internal auditor and the external auditor.

Who? 90% internal; anyone involved in a material business process.
• U.S./Israel project involved 50 people
• Worldwide project involved 75 people


COSO Framework

Control Activities
• Policies/procedures that ensure management directives are carried out.
• Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.

Risk Assessment
• Risk assessment is the identification and analysis of relevant risks to achieving the entity's objectives, forming the basis for determining control activities.

Monitoring
• Assessment of a control system's performance over time.
• Combination of ongoing and separate evaluation.
• Management and supervisory activities.
• Internal audit activities.

Information and Communication
• Pertinent information identified, captured and communicated in a timely manner.
• Access to internally and externally generated information.
• Flow of information that allows for successful control actions, from instructions on responsibilities to summary of findings for management action.

Control Environment
• Sets the tone of the organization, influencing the control consciousness of its people.
• Factors include integrity, ethical values, competence, authority, responsibility.
• Foundation for all other components of control.


Project Timeline

The project ran across three phases (Summer, Fall/Winter, Spring) with three review milestones: Independent Auditor Review, Board Review, and Independent Auditor Assessment. Activities, in sequence:

• Plan the project
• Review COSO compliance
• Put team in place
• Define scope
• Assess the control environment
• Engage external consultants to assess impact on Oracle 10.7/11i
• Build a controls repository
• Document control objectives
• Document control activities and map to control objectives
• Complete self-assessment of actual performance of these controls
• Identify and remediate gaps
• Perform initial tests of operating effectiveness
• Implement SoD in Oracle 10.7 and Oracle 11i
• Perform ongoing testing
• Monitor
• Prepare assertion
• Prepare internal control report


Business Processes Universe

Documentation process: financial processes are those significant to either the financial statement amounts and controls or the financial disclosures.

Customer Management
• Technical Support
• Problem Resolution & Tracking
• Customer Service
• Install Base Management

Infrastructure & Other
• Facilities Management
• Physical Security
• Physical Records Management
• Corporate Communications
• Investor Relations
• Public Relations
• Receiving
• Distribution/Logistics
• Telecommunications
• Network Management

Legal
• Contract Approval
• Litigation Management
• Intellectual Property
• Whistle Blower

Corporate Development
• Third-Party Alliances/Partnerships
• Mergers & Acquisitions

Sales & Marketing
• Contract Sales
  • Sales Ops Review
  • Finance Review
  • Legal Review
  • Engineering Review
  • Operations Review
• Ad-hoc Sales
• Product Marketing
• Product Development
• Sales Commissions
• Inventory Management

Manufacturing
• Procurement
• Manufacturing Quality
• Vendor Management (i.e., competitive bidding, preferred suppliers)
• Quality Assurance
• Health Assessments
• Regulatory Compliance (i.e., Environmental)

Human Resources
• Hiring
• Non-Standard Employee Agreements
• Employee Benefits Management
• Termination (and restructuring)
• Staffing Analysis (i.e., Manpower Levels)
• Compensation Review (Executive)
• Workers Compensation Mgmt/Claims Processing
• Employee Annual Review
• Training & Development
• Employee Communication
  • Feedback
  • Survey
• Employee Loans

Information Systems
• IT Strategy/Planning
• Systems Implementation & Integration
• Project Management
• Software Selection
• Software Development
• IT Systems Maintenance (daily operations)
  • Financial
  • HR
  • Business
• Network Administration
• Security/Privacy
• Business Continuity Planning
• Disaster Recovery Planning
• Record Retention
• Help Desk

Finance & Accounting
• Accounts Payable
• Accounts Receivable/Billing
• Capital Exp Approval
• Non-Capital Purchasing
• Fixed Assets
• Budgeting & Forecasting
• Closing the Books/Accounting
  • Account Reconciliation
  • Account Analysis
  • Accruals
• Internal Reporting
• External Reporting
• Tax
• Travel & Expense Reporting
• Treasury
  • Debt/Financial Structure
  • Cash Management
  • FX/Derivatives/Hedging
  • Banking Relationships
  • Insurance
• Credit & Collections
• Payroll

Management & Board
• Board/Committee Meetings
• Executive/Management Team Meetings
• Corporate Governance
• Authority/Approval Matrix
• Disclosure Controls


Separation of Duties (SoD) Defined

Responsibilities and the functions each grants:

Enter Data
• Enter Invoices
• Inquire Invoices, Payments, Accounting, Suppliers and Banks
• Run Standard Reports

Approve
• Approve Invoices
• Update Accounting Entries
• Payables Transfer to GL
• Inquire Invoices, Payments, Accounting, Suppliers and Banks
• Run Standard Reports

Pay
• Create Payments / Payment Batches
• Inquire Invoices, Payments, Accounting, Suppliers and Banks
• Run Standard Reports

Maintain
• Create Suppliers / Enter Employees
• Inquire Invoices, Payments, Accounting, Suppliers and Banks
• Setup Banks / Setup Tax Codes
• Open / Close AP Periods
• Run Standard Reports

Inquiry
• Inquire Invoices / Inquire Payments / Inquire Suppliers
• View Employees
• Run Standard Reports


SoD Incompatibilities

Matrix columns: Role/Job Function, Application, Responsibility, Additional Incompatible Roles, Approver, Comments (the Comments column is empty for both rows shown).

Corporate Financial Reporting (Approver: Alex Zima)
• Role/Job Function: Consolidations Accountant
• Application / Responsibility: Oracle General Ledger / GL CONSOLIDATED MGR
• Additional Incompatible Roles: ALL other than VLSI Consolidations Accountant
• Further application / responsibility rows under this role:
  • Oracle General Ledger / GL ISRAEL MANAGER
  • Oracle Receivables / AR INQUIRY
  • Oracle Payables / AP INQUIRY
  • Oracle Manufacturing / PO INQUIRY/REPORTING
  • Oracle Order Entry / OE FINANCE VIEW/REPORTING
  • KLA Manufacturing / KMF GL ASIA GROUP

Accounts Payables (Approver: Mike Arias)
• Role/Job Function: AP Clerk
• Application / Responsibility: Oracle Payables / KFI AP Clerk
• Additional Incompatible Roles: AP Manager, KFI AP Lead, KFI AP Disbursement, Information Systems Specialist
• Further application / responsibility rows under this role:
  • KLA Financials / KFI AP B2B


SoD Guiding Principles and Implementation

• Single point-in-time review of existing functional responsibilities using the E&Y-defined Separation of Duties (SoD) matrix for both Oracle 10.7 and Oracle 11i (international) users
• Detailed communications to end users regarding the plan to end-date or remove certain responsibilities that constituted an SoD violation, with emphasis on Finance functions (GL, AR, AP), Purchasing (largely PO Creation and Receiving), and Sales Administration (Order Entry and Shipping)
• Detailed instructions to the Corporate Help Desk on how to administer new requests for Oracle responsibilities
• Key manager approval of all requests for Oracle applications access
• Alert to key IT managers whenever an employee record was created or changed, listing the responsibilities currently assigned to that specific user
• Communicate Sarbanes-Oxley corporate policies using the KT Intranet
• On-going effort to improve the process by refining requirements, working with Corporate Finance to determine the "universe" of potential software vendors and desired functionality, and selecting a Sarbox 404 software vendor
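The two checks the principles above rely on are mechanical: a point-in-time sweep of every user's responsibility set against an incompatibility matrix, and a pre-approval check on each new responsibility request that reports only the conflicts the grant would introduce. The following is an added example, not code from this deck or from KLA-Tencor. The five responsibility classes and their functions are the ones on the "Separation of Duties Defined" slide; the conflict pairs, the mapping of named Oracle responsibilities (taken from the AP Clerk row) to those classes, and the user list are assumptions made for illustration and are not the E&Y matrix the deck refers to.

```python
"""Separation-of-duties (SoD) check over Oracle-style responsibility assignments.

Added example, not from the KLA-Tencor deck. The five responsibility classes
and their functions come from the "Separation of Duties Defined" slide. The
conflict pairs, the responsibility-name mapping and the sample users are
assumptions for illustration, not the E&Y-defined matrix.
"""
from itertools import combinations

# Responsibility class -> functions it grants (from the slide).
FUNCTIONS = {
    "ENTER_DATA": {"Enter Invoices", "Inquire", "Run Standard Reports"},
    "APPROVE": {"Approve Invoices", "Update Accounting Entries",
                "Payables Transfer to GL", "Inquire", "Run Standard Reports"},
    "PAY": {"Create Payments / Payment Batches", "Inquire", "Run Standard Reports"},
    "MAINTAIN": {"Create Suppliers / Enter Employees", "Setup Banks / Setup Tax Codes",
                 "Open / Close AP Periods", "Inquire", "Run Standard Reports"},
    "INQUIRY": {"Inquire", "View Employees", "Run Standard Reports"},
}

# Assumed incompatibility matrix: unordered pairs no single person may hold.
# Read-only INQUIRY conflicts with nothing, which is why AR/AP/PO inquiry
# responsibilities can sit beside a GL role on the incompatibilities slide.
INCOMPATIBLE = {
    frozenset({"ENTER_DATA", "APPROVE"}),   # enter and approve own invoices
    frozenset({"ENTER_DATA", "PAY"}),       # enter an invoice, then pay it
    frozenset({"APPROVE", "PAY"}),          # approve and disburse
    frozenset({"MAINTAIN", "ENTER_DATA"}),  # create a supplier, then invoice it
    frozenset({"MAINTAIN", "APPROVE"}),
    frozenset({"MAINTAIN", "PAY"}),         # set up a bank account, then pay to it
}

# Assumed mapping of Oracle responsibility names to classes. The names are
# the deck's AP Clerk row; the class assigned to each is a guess.
RESP_CLASS = {
    "KFI AP Clerk": "ENTER_DATA",
    "KFI AP Lead": "APPROVE",
    "KFI AP Disbursement": "PAY",
    "AP Manager": "MAINTAIN",
    "AP INQUIRY": "INQUIRY",
    "AR INQUIRY": "INQUIRY",
}


def classes_of(responsibilities):
    """Map responsibility names to classes; fail closed on anything unmapped
    so a new, unreviewed responsibility cannot pass as 'no conflict'."""
    unknown = sorted(r for r in responsibilities if r not in RESP_CLASS)
    if unknown:
        raise ValueError(f"unmapped responsibilities: {unknown}")
    return {RESP_CLASS[r] for r in responsibilities}


def conflicts(responsibilities):
    """Sorted list of (class_a, class_b) conflicts within one user's set."""
    cls = classes_of(responsibilities)
    return [(a, b) for a, b in combinations(sorted(cls), 2)
            if frozenset({a, b}) in INCOMPATIBLE]


def review(assignments):
    """Point-in-time review: {user: conflicts} for every user with a violation."""
    result = {}
    for user, resps in assignments.items():
        found = conflicts(resps)
        if found:
            result[user] = found
    return result


def alert_on_request(assignments, user, new_resp):
    """Help-desk check for a new responsibility request: the conflicts the
    grant would introduce (an empty list means the request can be approved)."""
    current = set(assignments.get(user, set()))
    before = set(conflicts(current))
    after = set(conflicts(current | {new_resp}))
    return sorted(after - before)


# Constructed sample assignments (not real KLA-Tencor users). The third user
# models the deck's observation: IT personnel holding a conflicting set.
ASSIGNMENTS = {
    "ap_clerk_1": {"KFI AP Clerk", "AP INQUIRY"},
    "ap_lead_1": {"KFI AP Lead", "KFI AP Disbursement"},
    "it_admin_1": {"KFI AP Clerk", "AP Manager", "KFI AP Disbursement"},
}

if __name__ == "__main__":
    for user, found in review(ASSIGNMENTS).items():
        print(f"{user}: {found}")
    print("request KFI AP Lead for ap_clerk_1 ->",
          alert_on_request(ASSIGNMENTS, "ap_clerk_1", "KFI AP Lead"))
```

In practice the `ASSIGNMENTS` dictionary would be populated from the user-to-responsibility assignments exported from Oracle, and `alert_on_request` would run before the key-manager approval step so the approver sees the specific pair a grant would create rather than a raw responsibility name. Failing closed on an unmapped responsibility is deliberate: a responsibility nobody has classified yet is exactly the one most likely to hide a conflict.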


SoD Applied


Common Errors at Other Companies . . .

• Did not involve external Big 4 accounting firms in the design and planning process
• No joint commitment from business and IT to meet certification requirements
• Too much detail . . . not scoped correctly
• All externally contracted work . . . won't have long-term benefits
• No prioritization . . . leave the hardest for last
• Stand-alone documentation, not using what is already in use
• Not getting ahead early . . . not enough short-term milestones


Observations and Next Steps

• Sarbanes-Oxley 404 compliance project completed on an 'ad hoc' basis using E&Y to define Separation of Duties issues
• Project completed over the course of 4 months at a cost of $30,000, with 75% of the time spent planning and 25% in actual execution
• Oracle alerts put in place to monitor the assignment of new Oracle responsibilities to new and existing users
• Company passed the DT "pre-certification" and the PwC "audit certification" without qualification, with several observations of conflicts noted
• Observed conflicts were due largely to the assignment of conflicting responsibilities to IT personnel; in one case the conflict was due to a misunderstanding about the exact role played by the user in the corporation