Business Control and the influence of Sarbanes-Oxley 404 within KLM Cargo
APPENDICES
By Michiel Goedegebuur
Faculty of Management and Organisation KLM Cargo
• APPENDIX 1 ORGANIZATION CHART KLM
• APPENDIX 2 ORGANIZATION CHART KLM CARGO
• APPENDIX 3 FINANCIAL MATERIALITY ASSERTIONS
• APPENDIX 4 KLM CARGO BUSINESS CONTROL SELF-ASSESSMENT
• APPENDIX 5 RESULTS ASSESSMENT 1
• APPENDIX 6 RISK CONTROL MATRIX
• APPENDIX 7 KLM CARGO SOX IMPACT SELF-ASSESSMENT
• APPENDIX 8 SOX PMO SELF-ASSESSMENT
• APPENDIX 9 RESULTS ASSESSMENT 2
Appendix 1 Organization Chart KLM
Executive Vice President: Michael Wisbrun (JAR-OPS Postholder)
• Margin Management & Network Planning: Claudia Hölzel
• General Cargo: Bram Gräber
• Personnel & Organisation: Ronald Wouters
• Cargo Development: Michael Wisbrun
• Controlling & Accounting: Jeroen de Swart
• Verticals: Mariette Vos
• Specialties: Andre Mulder
Appendix 2 Organization Chart KLM Cargo (October 2004)
• Commercial: B. Gräber
• Finance & Control: Jeroen de Swart
• Business Development Office: Edwin Borst
• Division JAR-OPS Quality: Herman Wittebrood
• World Wide Operations: Jan de Vegt (Del. JAR-OPS Postholder)
Appendix 3 Financial Materiality Assertions
Existence: An assertion that an asset or liability exists at a point in time. Controls exist that ensure only valid transactions, assets and liabilities are recorded, assets are appropriately safeguarded, and that periodic accountability is maintained.
Occurrence: An assertion that a recorded transaction or event actually took place during the period. Controls exist to ensure fictitious or duplicate transactions are not included in the records.
Valuation: An assertion that an asset or liability is recorded at an appropriate amount, and that a transaction or event is recorded at the proper amount and revenue or expense is allocated to the proper period.
Completeness & Accuracy: An assertion that there are no unrecorded assets, liabilities, transactions or events, or undisclosed items. Controls exist to ensure actual transactions are not omitted from the records, all transactions are recorded in the correct accounts, all charges and credits in the underlying records are accumulated correctly and accumulated totals are correctly transferred to the G/L.
Rights & Obligations: An assertion that an asset or liability pertains to the organization at a point in time. Controls exist to ensure that the entity has legal title to recorded assets, that rights to assets are only assigned with appropriate authorization, and that only liabilities of the company are recorded.
Presentation & Disclosure: An assertion that an item is properly classified, described, and disclosed in the financial statements.
(KPMG 2004, p.3)
Appendix 4 KLM Cargo Business Control Self-Assessment
Purpose of Research: To give KLM Cargo management a better view on business control and the influence of Sarbanes-Oxley 404 in order to improve business control.
Purpose of 1st Self-assessment: Evaluating business control within KLM Cargo.
Instructions
• Completing the self-assessment will take on average 30 minutes.
• All questions begin with the words "to which extent". They are answered on a 1-5 scale:
1 = a very weak extent
2 = a weak extent
3 = a normal extent
4 = a strong extent
5 = a very strong extent
na = not applicable
dn = don't know: unable to judge
• Answering 'na' or 'dn' should be kept to a minimum, since the all-inclusive list of questions has been divided over six different groups of respondents:
1 Management
2 Process Participants
3 Controllers
4 IT staff
5 Internal Audit
6 Accounting staff
• Nobody will be referred to by name in the research paper, only reference to the groups above will be made.
• Please be as critical as possible: this will make it possible to improve business control within the organization of KLM Cargo in the near future.
• In answering the questions, consider the situation as it is today. Future changes such as the influence of Sarbanes-Oxley should not be incorporated in your answers. (The Sarbanes-Oxley influence will be evaluated in the second assessment.)
• On the other side of this page, an empty sheet is given to add comments on a particular question or in general. (Examples, evidence, comments on questions etc.)
Explanation of expressions used in self-assessment
• Management = KLM Cargo management
• Internal auditor = Internal Audit KLM
• External auditor = KPMG
• Business units = General Cargo, Verticals and Specialties
• Business Control = The definition used within KLM instead of ‘internal control’.
We would highly appreciate your input on or before Monday 31 January 2005.
Question NR Comments (Examples, Evidence, Critical notes)
NR QUESTION EXTENT
Each question is answered on the scale 1 2 3 4 5 na dn. In the original form every question is also marked for the respondent groups that should answer it (MAN = Management, PRO = Process Participants, CON = Controllers, IT = IT staff, AUD = Internal Audit, ACC = Accounting staff); those per-question column marks are not reproduced here.

A CONTROL ENVIRONMENT
The Control Environment sets the tone of the organization, influencing the control consciousness of its people and providing discipline and structure.
1 Integrity and Ethical Values
1a To which extent does management show concern for integrity and ethical values?
1b To which extent is this communicated throughout the company?
1c To which extent does management take appropriate disciplinary action in response to departures from approved policies and procedures?
2 Incentives and Temptations
2a To which extent does management act to reduce incentives or temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts?
2b To which extent do rewards (bonuses) foster an appropriate ethical tone? (Given to those who meet objectives and not to those who circumvent established policies, procedures, or controls.)
2c To which extent are incentives balanced? (bonuses, fixed loan, other incentives)
2d To which extent does management set realistic financial targets and expectations for operating personnel?
3 Providing and Communicating Moral Guidance
3a To which extent does management give appropriate attention to business control?
3b To which extent is the importance of business controls communicated through the organization?
3c To which extent does management show concern about:
3cI an inventory of key applications/data and their owners?
3cII communication of data integrity ownership and responsibilities to the appropriate business owners?
4 Commitment to Competence
4a To which extent are employees properly trained and capable of effectively performing the key jobs within KLM Cargo?
4b To which extent are there procedures for identifying the training needs of all personnel using IT services?
4c To which extent are the roles and responsibilities of the IT organization defined, documented and understood?
4d To which extent is IT staff made aware of their responsibility regarding business control?
4e To which extent does management rely on technical specialists or outside consultants?
4f To which extent is divisional staffing (knowledge/experience) appropriate within the following functions/departments:
4fI accounting;
4fII information systems;
4fIII financial reporting?
4g To which extent has personnel turnover in KLM Cargo not impaired people's ability to perform their tasks effectively?
4h To which extent does management demonstrate a commitment to provide sufficient accounting and financial personnel to keep pace with the growth and/or complexity of the business? (for example in the synergy phase with Air France)
5 Board of Directors / Internal Auditor
5a To which extent is the internal auditor independent from KLM Cargo management, such that necessary and often probing questions are raised?
5b To which extent is the KLM Board of Directors independent from KLM Cargo management, such that necessary and often probing questions are raised?
5c To which extent does the internal auditor give adequate consideration to understanding management's processes for monitoring business risks affecting the organization?
5d To which extent does the KLM Board of Directors give adequate consideration to understanding management's processes for monitoring business risks affecting the organization?
5e To which extent does the internal auditor represent an informed, vigilant, and effective overseer of:
5eI the financial reporting process?
5eII KLM Cargo's business controls?
5eIII information systems processing and related computer controls?
5f To which extent does the internal auditor adequately maintain a direct line of communication with KLM's external auditors?
5g To which extent does the internal auditor have a charter outlining its duties and responsibilities?
5h To which extent does the internal auditor have adequate resources and authority to discharge its responsibilities?
6 Management's Philosophy and Operating Style
6a To which extent does management's financial reporting philosophy tend to be adequately conservative? (accounting estimates)
6b To which extent does management correct identified business control deficiencies on a timely basis?
7 Organizational Structure and Assignment of Authority and Responsibility
7a To which extent is the management structure appropriate in view of the:
7aI size of KLM Cargo?
7aII complexity of the operations?
7aIII KLM Cargo locations worldwide?
7b To which extent does IT personnel have sufficient authority to exercise the role and responsibility assigned to them?
7c To which extent are there appropriate policies for such matters as:
7cI accepting new business?
7cII conflicts of interest?
7cIII security practices?
7d To which extent are there adequate policies and procedures for authorization and approval of transactions at the appropriate level?
7e To which extent is the assignment of responsibilities clear?
7f To which extent does management review and make modifications to the organizational structure in light of changed conditions? (synergy phase with Air France)
7g To which extent is there adequate supervision and monitoring of decentralized operations?
7h To which extent is there an appropriate segregation of access to, recording of and authorisation of assets?
8 Human Resource Policies and Practices
8a To which extent are there effective policies and procedures applicable to all functional areas (e.g. accounting, marketing, information systems) concerning:
8aI hiring personnel?
8aII training and motivating personnel?
8aIII evaluating personnel?
8aIV promoting and transferring personnel?
8aV terminating personnel?
8b To which extent are HR policies and procedures clear, and are they issued, updated, and revised on a timely basis?
8c To which extent are there written job descriptions, reference manuals or other forms of communication to inform personnel of their duties?
8d To which extent does management have adequate information to:
8dI monitor employee satisfaction on a regular basis?
8dII evaluate job performance?

B RISK ASSESSMENT
Risk Assessment is the identification and analysis of relevant risks to the achievement of objectives, forming a basis for determining how the risks should be managed.
9 Risk Identification
9a To which extent are objectives at management level communicated through the organization?
9aI To which extent are these objectives supported by strategic plans?
9aII To which extent are these objectives and strategic plans monitored?
9b To which extent is there an adequate mechanism for identifying business risks, including those resulting from:
9bI entering new markets or lines of business?
9bII changes in market demand?
9bIII privacy and data protection compliance requirements?
9bIV changes in the regulatory environment?
9bV changes in the economic environment?
9bVI new entrants and competitors?
9c To which extent does the KLM Cargo strategic plan include IT, or is there a separate IT strategic plan that addresses the technology needs of the entity (to effectively and efficiently meet its strategic plan)?
9d To which extent are business unit objectives linked with KLM Cargo-wide objectives and strategic plans?
10 Risk Analysis
10a To which extent does the internal auditor (or another group within the company) perform an effective periodic (at least annual) risk assessment?
10b To which extent does KLM Cargo management review the risk assessment and consider actions to mitigate the significant risks identified?
10c To which extent does the identification and analysis (impact/likelihood) of risks take place at business unit level?
10cI To which extent is this aligned with the management-level risk assessment?
11 Managing Change
11a To which extent are effective mechanisms in place to identify and anticipate changes that may have a dramatic and pervasive effect on KLM Cargo or that may affect the achievement of management or business unit level objectives?
11aI To which extent are there dedicated groups or individuals responsible for this?
11b To which extent are forecasts updated timely during the year to reflect changing conditions?
11c To which extent does the accounting department have an adequate process in place to identify and address changes in GAAP?
11d To which extent does management work effectively with the external auditor to determine whether complex changes in GAAP are being addressed appropriately?
11e To which extent are there effective processes to ensure the accounting department is made aware of changes in the operating environment, so that it can review the changes and determine what effect, if any, the change may have on accounting practices?
11f To which extent are there effective processes to ensure the accounting department (and internal audit) is aware of significant transactions with related parties, so that it can determine whether such transactions are appropriately accounted for and disclosed?

C CONTROL ACTIVITIES
Control Activities are the policies and procedures that help ensure management directives are carried out.
12 Policies & Procedures
12a To which extent is there timely and appropriate documentation and recording of transactions?
12b To which extent do the necessary policies and procedures exist with respect to each of the business units within KLM Cargo?
12c To which extent are the key controls required by policy actually applied?
12d To which extent are policies and procedures periodically reviewed to determine whether they continue to be appropriate?
12e To which extent do dedicated members of management have ownership of the policies and procedures?
13 Management Objectives
13a To which extent does management have clear objectives in terms of budget, profit, and other financial and operating goals?
13b To which extent is the budgetary system working effectively?
13c To which extent are planning and reporting systems in place to identify variances from planned performance and communicate such variances to the appropriate level of management?
13d To which extent does management review key performance indicators regularly and identify significant variances?
14 Segregation of Duties
14a To which extent are duties logically divided or segregated (whether manually or through appropriate set-up of IT applications) among different people?
14aI To which extent are IT operations kept separate from systems development and programming?
14b To which extent are organizational charts reviewed periodically to ensure proper segregation of duties exists?
14c To which extent are appropriate approvals required before an individual is given access to specific computer applications and databases?
14cI To which extent are system privileges and access controls to the different applications and databases reviewed at least twice a year?
15 Access to and Safeguarding of Assets
15a To which extent has management established procedures to prevent unauthorized access to, or destruction of, documents, records (including computer programs and data files) and assets?
15b To which extent are access security software, operating system software, and application software used effectively to control both centralized and decentralized access to:
15bI data?
15bII functional capabilities of programs (e.g. execute, update, modify parameters, read only)?
15c To which extent is (physical) security over information technology assets (both IT department and users) adequate given the nature of KLM Cargo's businesses?
15d To which extent are critical computer data backed up daily and stored off-site?
15e To which extent is there a dedicated security officer function that effectively monitors IT processing activities?
15f To which extent does KLM Cargo conduct periodic reviews/audits of IT security?

D INFORMATION & COMMUNICATION
Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities.
16 Information Systems
16a To which extent are management's objectives in terms of budget, profit, and other financial and operating goals cascaded effectively in the organization?
16b To which extent is information provided to the right people in sufficient detail and in time to enable them to carry out their responsibilities efficiently and effectively?
16c To which extent do information systems provide management with adequate reports on KLM Cargo's performance relative to established objectives, including relevant external and internal information?
16d To which extent does IT management have effective information capture, processing and reporting controls (completeness, accuracy, validity and authorization) to support the quality and integrity of financial information?
16e To which extent is KLM Cargo able to prepare accurate and timely financial reports, including interim reports?
16f To which extent are you satisfied with information systems processing, including the reliability and timeliness of reports?
16g To which extent is there a sufficient level of coordination between the accounting and information systems processing functions/departments?
17 System Development
17a To which extent are information systems aligned with KLM Cargo's strategic plan and objectives?
17b To which extent are there appropriate policies for developing and modifying accounting systems and controls (including changes to and use of computer programs and/or data files)?
17c To which extent are significant applications or transactions that are executed/processed by service organizations well controlled? (monitoring of risks/controls at the service organization)
18 ICT Resources
18a To which extent are the IT strategies, challenges and risks formally communicated to:
18aI process owners;
18aII management?
18b To which extent can IT management commit appropriate human and financial resources to develop the necessary information systems?
18c To which extent is management or the internal auditor involved in monitoring information systems projects and resource priorities?
18d To which extent are systems conversions well controlled?
18e To which extent are significant IT events reported to KLM Cargo management on a timely basis?
18f To which extent does user involvement take place in developing ICT applications, including the design of business control checks and balances?
18fI To which extent is user satisfaction monitored by the IT department?
19 Continuity Planning
19a To which extent is there a business continuity plan that incorporates the disaster recovery plan and end-user department needs for timely recovery of critical business functions, systems, processes and data?
19aI To which extent is this plan tested annually?
19aII To which extent is this plan updated for changed conditions?
19b To which extent are data center facilities equipped with adequate environmental controls to maintain systems and data? (fire suppression, uninterruptible power supply, air-conditioning equipment)
19c To which extent is there an adequate disaster recovery plan for the significant components of the IT infrastructure?
19cI To which extent is this plan tested annually?
19cII To which extent is this plan updated for changed conditions?
20 Communication of Responsibilities
20a To which extent does management clearly communicate the lines of authority and responsibility (including lines of reporting) within the company?
20b To which extent are policies and procedures communicated throughout the organization?
20bI To which extent is this the case for decentralised (foreign) operations?
20c To which extent does the IT organization chart clearly reflect areas of responsibility and lines of reporting and communication?
20d To which extent is there an adequate process for employees to communicate suspected improprieties to management?
20dI To which extent are these improprieties reviewed, investigated and resolved in a timely manner?
21 Execution on Information
21a To which extent can critical information be distributed to the relevant persons when necessary?
21b To which extent is there an effective process for tracking communications from customers, vendors, regulators, and other external parties?
21bI To which extent is there a mechanism in place to respond appropriately and timely to these communications?

E MONITORING
Monitoring covers the oversight of business control by management or other parties.
22 Business Control Evaluations
22a To which extent are there reviews of existing control processes (ongoing and periodic evaluations) to ensure that the controls are being applied as expected?
22b To which extent are procedures in place to monitor when controls are overridden?
22c To which extent are policies/procedures in place to assure that corrective action is taken on a timely basis when control exceptions occur?
23 Follow-up of Evaluations
23a To which extent does management respond timely and appropriately to the findings and recommendations of the external auditors regarding business control and policies and procedures within KLM Cargo?
23b To which extent does Cargo management adequately and timely address findings and recommendations from regulators?
23c To which extent do other (quasi-)audit functions (e.g. ISO) report to management issues impacting business control within KLM Cargo?
24 Internal Audit Function
24a To which extent are the level of staffing, training, and specialized skills of the internal auditor adequate given the environment?
24b To which extent is the internal auditor independent (in terms of authority and reporting relationships) of the activities audited?
24c To which extent do internal auditors have direct access to Cargo management?
24d To which extent are adequate quality assurance reviews of the internal audit function held regularly by an external party such as KLM's external auditors?
24e To which extent is the scope of the internal audit activities appropriate given the nature, size and structure of the company?
24eI ... and concerning the balance between financial and operational audits?
24eII ... and concerning coverage and rotation of decentralized operations?
24f To which extent is the scope of planned internal audit activities adequately reviewed in advance with:
24fI Cargo management?
24fII KLM's independent auditors?
24g To which extent do internal auditors have the authority to examine any aspect of KLM Cargo's operations?
Appendix 5 Results Assessment 1 RESTRICTED VERSION
Appendix 6 Risk Control Matrix
Column headings of the matrix, grouped as in the original:
RISKS: Step; Risk Nr.; WCGW (what could go wrong)
CONTROLS: Control Nr. Standard; Standard Control ('what'); Control Nr. Specific; KLM Specific Control
RESPONSIBILITY: Department / Role; Director Responsible; Manager or Task Owner
IT: IT Dependent? (M, A, I); System / Application Name
SPECIFICS: Control Type (P/D); Control Frequency
FINANCIAL STATEMENT ASSERTIONS: Existence / Occurrence; Value / Measure; Completeness; Rights / Oblig.; Present. / Disc.
EVALUATION: Key Control?; Design Effective?; Control Improvement Opportunities; If ineffective design, effective mitigating control; If still ineffective, Control Issue Ref.
Appendix 7 KLM Cargo Sox impact Self-Assessment
Purpose of Research: To give KLM Cargo management a better view on business control and the influence of Sarbanes-Oxley 404 in order to improve business control.
Purpose of 2nd Self-assessment: Evaluating expected Sox impact.
Introduction
You have been part of a Sox team, describing processes, risks and controls in conformity with Sox requirements. This may have resulted or will result in some direct changes in business controls within your process. In an indirect way, the process of achieving Sox compliance has impact on other subjects than initially intended by Sox. This 2nd self-assessment is necessary to measure the direct and indirect expected Sox impact on business control within KLM Cargo processes.
The 1st self-assessment has created a view on business control effectiveness and the weaker and stronger subjects of business control within KLM Cargo. The 2nd self-assessment must provide insight in the way Sox is expected to address business control within KLM Cargo and especially the weaker aspects.
Instructions
• Completing the self-assessment will take a maximum of 30 minutes.
• The same questions are in scope as in the first assessment: all questions answered with 'dn' in the 1st assessment have been eliminated per self-assessment.
• All questions begin with the words "the expected Sox impact". This impact must be seen in light of the specific subject of business control within KLM Cargo and can be filled in as:
- = a negative impact
0 = no impact
+ = minimal improvement
++ = reasonable improvement
+++ = substantial improvement
NB: Indirect Sox impact can belong to all categories except the '0' category. Since 'dn' answers have been filtered out in conformity with the 1st self-assessment answers and the same subjects are in scope, the 'dn' category has been eliminated.
• All expected future changes within the processes of KLM Cargo, directly or indirectly a result of any Sox-related action, must be incorporated into your answers.
• On the other side of this page, an empty sheet is given to add comments on a particular question or in general. (Examples, evidence, comments on questions etc.)
We would highly appreciate your input on or before Thursday 24 March 2005.
• In the first assessment your additional explanation, examples, evidence and critical notes seemed very valuable. Please feel free to fill in these columns:
Question NR Comments (Explanation, Examples, Evidence, Critical notes)
NR QUESTION IMPACT A
1
1a The expected Sox impact on management's concern for integrity and ethical values = - 0 + ++ +++
1b The expected Sox impact on management's communication of integrity and ethical
values throughout the organization = - 0 + ++ +++
1c
The expected Sox impact on on management taking appropriate disciplinary action in response to departures from approved policies and
procedures = - 0 + ++ +++
2
2a
The expected Sox impact on management acting to reduce incentives or temptations that might prompt personnel to engage in dishonest, illegal, or
unethical acts = - 0 + ++ +++
2b The expected Sox impact on rewards (bonuses) fostering an appropriate ethical tone = - 0 + ++ +++
2c The expected Sox impact on the balance of incentives (bonuses, fixed pay, other incentives) = - 0 + ++ +++
2d The expected Sox impact on management setting realistic financial targets and expectations for operating personnel = - 0 + ++ +++

3 Providing and Communicating Moral Guidance
3a The expected Sox impact on management giving appropriate attention to business control = - 0 + ++ +++
3b The expected Sox impact on management's communication of the importance of business controls = - 0 + ++ +++
3c The expected Sox impact on management showing concern about:
3cI the inventory of key applications/data and their owners = - 0 + ++ +++
3cII the assignment of data integrity ownership and responsibilities to the appropriate business owners = - 0 + ++ +++

4 Commitment to Competence
4a The expected Sox impact on proper training of employees and effective execution of key jobs = - 0 + ++ +++
4b The expected Sox impact on procedures identifying the training needs of all personnel using IT services = - 0 + ++ +++
4c The expected Sox impact on defining, documenting and understanding the roles and responsibilities of the IT organization = - 0 + ++ +++
4d The expected Sox impact on IT staff being made aware of their responsibility regarding business control = - 0 + ++ +++
4e The expected Sox impact on management relying on technical specialists or outside consultants = - 0 + ++ +++
4f The expected Sox impact on appropriate divisional staffing (knowledge/experience) within:
4fI accounting = - 0 + ++ +++
4fII information systems = - 0 + ++ +++
4fIII financial reporting = - 0 + ++ +++
4g The expected Sox impact on personnel turnover not impairing the ability of people to perform their tasks effectively = - 0 + ++ +++
4h The expected Sox impact on sufficient accounting and financial personnel to keep pace with the growth and/or complexity of the business = - 0 + ++ +++

5 Board of Directors / Internal Auditor
5a The expected Sox impact on the independence of the internal auditor from KLM Cargo management (such that necessary and often probing questions are raised) = - 0 + ++ +++
5b The expected Sox impact on the independence of the KLM Board of Directors from KLM Cargo management (such that necessary and often probing questions are raised) = - 0 + ++ +++
5c The expected Sox impact on the internal auditor giving adequate consideration to understanding management's processes for monitoring business risks affecting the organization = - 0 + ++ +++
5d The expected Sox impact on the KLM Board of Directors giving adequate consideration to understanding management's processes for monitoring business risks affecting the organization = - 0 + ++ +++
5e The expected Sox impact on the internal auditor representing an informed, vigilant and effective overseer of:
5eI the financial reporting process = - 0 + ++ +++
5eII KLM Cargo's business controls = - 0 + ++ +++
5eIII information systems processing and related computer controls = - 0 + ++ +++
5f The expected Sox impact on the internal auditor adequately maintaining a direct line of communication with KLM's external auditors = - 0 + ++ +++
5g The expected Sox impact on the internal auditor having a charter outlining its duties and responsibilities = - 0 + ++ +++
5h The expected Sox impact on the internal auditor having adequate resources and authority to discharge its responsibilities = - 0 + ++ +++

6 Management's Philosophy and Operating Style
6a The expected Sox impact on management's adequately conservative financial reporting philosophy (accounting estimates) = - 0 + ++ +++
6b The expected Sox impact on management correcting identified business control deficiencies on a timely basis = - 0 + ++ +++

7 Organizational Structure and Assignment of Authority and Responsibility
7a The expected Sox impact on an appropriate management structure in view of the:
7aI size of KLM Cargo = - 0 + ++ +++
7aII complexity of the operations = - 0 + ++ +++
7aIII KLM Cargo locations worldwide = - 0 + ++ +++
7b The expected Sox impact on IT personnel having sufficient authority to exercise the role and responsibility assigned to them = - 0 + ++ +++
7c The expected Sox impact on appropriate policies for such matters as:
7cI accepting new business = - 0 + ++ +++
7cII conflicts of interest = - 0 + ++ +++
7cIII security practices = - 0 + ++ +++
7d The expected Sox impact on adequate policies and procedures for authorization and approval of transactions at the appropriate level = - 0 + ++ +++
7e The expected Sox impact on the clear assignment of responsibilities = - 0 + ++ +++
7f The expected Sox impact on management reviewing and modifying the organizational structure in light of changed conditions = - 0 + ++ +++
7g The expected Sox impact on adequate supervision and monitoring of decentralized operations = - 0 + ++ +++
7h The expected Sox impact on an appropriate segregation of access to, recording of and authorisation of assets = - 0 + ++ +++

8 Human Resource Policies and Practices
8a The expected Sox impact on effective policies and procedures applicable to all functional areas (e.g. accounting, marketing, information systems) concerning:
8aI hiring personnel = - 0 + ++ +++
8aII training and motivating personnel = - 0 + ++ +++
8aIII evaluating personnel = - 0 + ++ +++
8aIV promoting and transferring personnel = - 0 + ++ +++
8aV dismissing personnel = - 0 + ++ +++
8b The expected Sox impact on the clear issuing, updating and revising of HR policies and procedures on a timely basis = - 0 + ++ +++
8c The expected Sox impact on written job descriptions, reference manuals or other forms of communication to inform personnel of their duties = - 0 + ++ +++
8d The expected Sox impact on management having adequate information to:
8dI monitor employee satisfaction on a regular basis = - 0 + ++ +++
8dII evaluate job performance = - 0 + ++ +++

B RISK ASSESSMENT
Risk Assessment is the identification and analysis of relevant risks to the achievement of objectives, forming a basis for determining how the risks should be managed.

9 Risk Identification
9a The expected Sox impact on the communication of management level objectives throughout the organization = - 0 + ++ +++
9aI The expected Sox impact on the support of these objectives by strategic plans = - 0 + ++ +++
9aII The expected Sox impact on the monitoring of these objectives and strategic plans = - 0 + ++ +++
9b The expected Sox impact on an adequate mechanism identifying business risks, including those resulting from: = - 0 + ++ +++
9bI entering new markets or lines of business = - 0 + ++ +++
9bII changes in market demand = - 0 + ++ +++
9bIII privacy and data protection compliance requirements = - 0 + ++ +++
9bIV changes in the regulatory environment = - 0 + ++ +++
9bV changes in the economic environment = - 0 + ++ +++
9bVI new entrants and competitors = - 0 + ++ +++
9c The expected Sox impact on KLM Cargo's strategic plan including IT, or a separate IT strategic plan, that addresses the technology needs of the organization (to meet its strategic plan effectively and efficiently) = - 0 + ++ +++
9d The expected Sox impact on the extent to which business unit objectives are linked with KLM Cargo-wide objectives and strategic plans = - 0 + ++ +++
10a The expected Sox impact on the internal auditor (or another division within the organization) performing an effective periodic (at least annual) risk assessment = - 0 + ++ +++
10b The expected Sox impact on KLM Cargo management reviewing the risk assessment and considering actions to mitigate the significant risks identified = - 0 + ++ +++
10c The expected Sox impact on the identification and analysis (impact/likelihood) of risks taking place at business unit level = - 0 + ++ +++
10cI The expected Sox impact on the alignment with the management level risk assessment = - 0 + ++ +++

11 Managing Change
11a The expected Sox impact on effective mechanisms identifying and anticipating changes that may have a dramatic and pervasive effect on KLM Cargo or that may affect the achievement of management or business unit level objectives = - 0 + ++ +++
11aI The expected Sox impact on dedicated groups or individuals responsible for this process = - 0 + ++ +++
11b The expected Sox impact on timely updated forecasts during the year, reflecting changing conditions = - 0 + ++ +++
11c The expected Sox impact on the accounting department having an adequate process in place to identify and address changes in GAAP = - 0 + ++ +++
11d The expected Sox impact on management working effectively with the external auditor to determine whether complex changes in GAAP are being addressed appropriately = - 0 + ++ +++
11e The expected Sox impact on effective processes ensuring the accounting department is aware of changes in the operating environment, so that it can review the changes and determine what effect, if any, a change may have on accounting practices = - 0 + ++ +++
11f The expected Sox impact on effective processes ensuring the accounting department (and internal audit) is aware of significant transactions with related parties, so that they can determine whether such transactions are appropriately accounted for and disclosed = - 0 + ++ +++

C CONTROL ACTIVITIES
Control Activities are the policies and procedures that help ensure management directives are carried out.

12 Policies & Procedures
12a The expected Sox impact on timely and appropriate documentation and recording of transactions = - 0 + ++ +++
12b The expected Sox impact on the existence of the necessary policies and procedures with respect to each of the business units within KLM Cargo = - 0 + ++ +++
12c The expected Sox impact on the execution of the key controls prescribed by policy = - 0 + ++ +++
12d The expected Sox impact on the periodic review of policies and procedures to determine whether they continue to be appropriate = - 0 + ++ +++
12e The expected Sox impact on dedicated members of management having ownership of the policies and procedures = - 0 + ++ +++
13 Management Objectives
13a The expected Sox impact on management having clear objectives in terms of budget, profit, and other financial and operating goals = - 0 + ++ +++
13b The expected Sox impact on the effective working of the budgetary system = - 0 + ++ +++
13c The expected Sox impact on the extent to which planning and reporting systems are in place that identify variances from planned performance and communicate such variances to the appropriate level of management = - 0 + ++ +++
13d The expected Sox impact on management reviewing key performance indicators regularly and identifying significant variances = - 0 + ++ +++

14 Segregation of Duties
14a The expected Sox impact on the logical division or segregation of duties (whether manually or through appropriate set-up of IT applications) among different people = - 0 + ++ +++
14aI The expected Sox impact on IT operations functioning separately from systems development and programming = - 0 + ++ +++
14b The expected Sox impact on the periodic review of organizational charts to ensure proper segregation of duties exists = - 0 + ++ +++
14c The expected Sox impact on requiring appropriate approvals prior to allowing an individual access to specific computer applications and databases = - 0 + ++ +++
14cI The expected Sox impact on the review of system privileges and access controls to the different applications and databases = - 0 + ++ +++

15 Access to and Safeguarding of Assets
15a The expected Sox impact on management establishing procedures to prevent unauthorized access to, or destruction of, documents, records (including computer programs and data files) and assets = - 0 + ++ +++
15b The expected Sox impact on the effective use of access security software, operating system software and application software to control both centralized and decentralized access to:
15bI data = - 0 + ++ +++
15bII functional capabilities of programs (e.g. execute, update, modify parameters, read only) = - 0 + ++ +++
15c The expected Sox impact on adequate security over information technology assets (both IT department and users) given the nature of KLM Cargo's businesses = - 0 + ++ +++
15d The expected Sox impact on the daily backup of critical computer data and the extent to which it is stored off-site = - 0 + ++ +++
15e The expected Sox impact on the extent to which a dedicated security officer function is in place that effectively monitors IT processing activities = - 0 + ++ +++
15f The expected Sox impact on conducting periodic reviews/audits of IT security = - 0 + ++ +++

D INFORMATION & COMMUNICATION
Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities.

16 Information Systems
16a organization in terms of budget, profit, and other financial and operating goals = - 0 + ++ +++
16b The expected Sox impact on the timely provision of information to the right people in sufficient detail to enable them to carry out their responsibilities efficiently and effectively = - 0 + ++ +++
16c The expected Sox impact on information systems providing management with adequate reports on KLM Cargo's performance relative to established objectives, including relevant external and internal information = - 0 + ++ +++
16d The expected Sox impact on IT management having effective information capture, processing and reporting controls (completeness, accuracy, validity and authorization) to support the quality and integrity of financial information = - 0 + ++ +++
16e The expected Sox impact on the accurate and timely preparation of financial reports, including interim reports = - 0 + ++ +++
16f The expected Sox impact on satisfaction with information systems processing, including the reliability and timeliness of reports = - 0 + ++ +++
16g The expected Sox impact on sufficient coordination between the accounting and information systems processing functions/departments = - 0 + ++ +++

17 System Development
17a The expected Sox impact on the alignment of information systems with KLM Cargo's strategic plan and objectives = - 0 + ++ +++
17b The expected Sox impact on the existence of appropriate policies for developing and modifying accounting systems and controls (including changes to and use of computer programs and/or data files) = - 0 + ++ +++
17c The expected Sox impact on controlling significant applications or transactions executed/processed by service organizations (monitoring of risks/controls at the service organization) = - 0 + ++ +++

18 IT Resources
18a The expected Sox impact on IT strategies, challenges and risks being formally communicated to:
18aI process owners = - 0 + ++ +++
18aII management = - 0 + ++ +++
18b The expected Sox impact on IT management committing appropriate human and financial resources to develop the necessary information systems = - 0 + ++ +++
18c The expected Sox impact on the involvement of management or the internal auditor in monitoring information systems projects and resource priorities = - 0 + ++ +++
18d The expected Sox impact on good control of system conversions = - 0 + ++ +++
18e The expected Sox impact on the reporting of significant IT events to KLM Cargo management on a timely basis = - 0 + ++ +++
18f The expected Sox impact on user involvement in developing IT applications (including the design of business control checks and balances) = - 0 + ++ +++
18fI The expected Sox impact on the monitoring of user satisfaction by the IT department = - 0 + ++ +++
19 Continuity Planning
19a The expected Sox impact on the existence of a business continuity plan incorporating a disaster recovery plan and end-user department needs for timely recovery of critical business functions, systems, processes and data = - 0 + ++ +++
19aI The expected Sox impact on the (annual) testing of this plan = - 0 + ++ +++
19aII The expected Sox impact on the updating of this plan for changed conditions = - 0 + ++ +++
19b The expected Sox impact on data center facilities being equipped with adequate environmental controls to maintain systems and data (fire suppression, uninterruptible power supply, air conditioning equipment) = - 0 + ++ +++
19c The expected Sox impact on the existence of an adequate disaster recovery plan for the significant components of the IT infrastructure = - 0 + ++ +++
19cI The expected Sox impact on the (annual) testing of this plan = - 0 + ++ +++
19cII The expected Sox impact on the updating of this plan for changed conditions = - 0 + ++ +++

20 Communication of Responsibilities
20a The expected Sox impact on management clearly communicating the lines of authority and responsibility (including lines of reporting) within the company = - 0 + ++ +++
20b The expected Sox impact on the communication of policies and procedures throughout the organization = - 0 + ++ +++
20bI The expected Sox impact on the communication of policies and procedures to decentralized (foreign) operations = - 0 + ++ +++
20c The expected Sox impact on the IT organization chart clearly reflecting areas of responsibility and lines of reporting and communication = - 0 + ++ +++
20d The expected Sox impact on the existence of an adequate process for employees to communicate suspected improprieties to management = - 0 + ++ +++
20dI The expected Sox impact on the timely review, investigation and resolution of these improprieties = - 0 + ++ +++

21 Execution on Information
21a The expected Sox impact on the distribution of critical information to the relevant persons when necessary = - 0 + ++ +++
21b The expected Sox impact on the effectiveness of the process for tracking communications from customers, vendors, regulators and other external parties = - 0 + ++ +++
21bI The expected Sox impact on a mechanism in place to respond appropriately and in a timely manner to these communications = - 0 + ++ +++

E MONITORING
Monitoring covers the external oversight of business control by management or other parties.

22 Business Control Evaluations
22a The expected Sox impact on reviews of existing control processes (ongoing and periodic evaluations) ensuring the controls are applied as expected = - 0 + ++ +++
22b The expected Sox impact on procedures in place monitoring when controls are overridden = - 0 + ++ +++
22c taken on a timely basis when control exceptions occur = - 0 + ++ +++

23 Follow-up of Evaluations
23a The expected Sox impact on management responding timely and appropriately to the findings and recommendations of the external auditors regarding business control and policies and procedures within KLM Cargo = - 0 + ++ +++
23b The expected Sox impact on management adequately and timely addressing findings and recommendations from regulators = - 0 + ++ +++
23c The expected Sox impact on the reporting of other (quasi-)audit functions (e.g. ISO) to management on issues impacting business control within KLM Cargo = - 0 + ++ +++

24 Internal Audit Function
24a The expected Sox impact on the level of staffing, training and specialized skills of the internal auditor, given the environment = - 0 + ++ +++
24b The expected Sox impact on the independence of the internal auditor (in terms of authority and reporting relationships) from the activities audited = - 0 + ++ +++
24c The expected Sox impact on the direct access of internal auditors to Cargo management = - 0 + ++ +++
24d The expected Sox impact on holding regular, adequate quality assurance reviews of the internal audit function by an external party such as KLM's external auditors = - 0 + ++ +++
24e The expected Sox impact on an appropriate scope of internal audit activities given the nature, size and structure of the company = - 0 + ++ +++
24eI The expected Sox impact on the balance between financial and operational audits = - 0 + ++ +++
24eII The expected Sox impact on coverage and rotation of decentralized operations = - 0 + ++ +++
24f The expected Sox impact on adequate review of the scope of planned internal audit activities in advance with:
24fI Cargo management = - 0 + ++ +++
24fII KLM's independent auditors = - 0 + ++ +++
24g The expected Sox impact on the authority of internal auditors to examine any aspect of KLM Cargo's operations = - 0 + ++ +++
Appendix 8 Sox PMO Self-Assessment
Purpose of Research: To give KLM Cargo management a better view on business control and the influence of Sarbanes-Oxley 404 in order to improve business control.
Purpose of 2nd Self-assessment: Evaluating expected Sox impact.
Introduction Sox PMO
As a final requirement for my graduation at the Rijksuniversiteit Groningen, I am writing my research paper on Sox and its expected influence on business (internal) control within KLM Cargo. A first self-assessment was distributed to 19 Sox participants within the organization of KLM Cargo. The 100% response rate contributed to some interesting conclusions about business control within KLM Cargo. In particular, points of improvement have been highlighted. A second self-assessment is being distributed to the same 19 Sox actors, focusing on the expected Sox impact on business control (especially on the improvement spots) within the KLM Cargo processes.
Within the Sox teams processes, risks and controls have been described in conformity with Sox requirements. This may have resulted or will result in some direct changes in business controls within the processes. In an indirect way, the process of achieving Sox compliance could have impact on other subjects than initially intended by Sox.
As an important second source for evaluating expected Sox impact, the Sox PMO could provide the ‘expert’ knowledge. Knowing the ‘ins and outs’ of Sox, the Sox PMO can give insight into the degree Sox generally would address particular subjects of business control.
The Sox PMO should only look at the expected Sox impact, not at the present status of the specific business control subject. (E.g. when the status of 'management showing concern about data integrity ownership and responsibilities to business owners' within KLM is already perfect and you think Sox addresses this subject to a strong extent, the latter is the trigger for filling in the expected impact. Sox may only slightly improve this subject, since it is already perfect, but what matters is that you consider the expected Sox impact as such.)
Instructions
• Completing the self-assessment will take approximately 30 minutes.
• All questions begin with the words 'the expected Sox impact'. This impact must be seen in light of the Sox impact on the specific subject of business control in general:
  -   A negative impact
  0   No impact
  +   Minimal impact
  ++  Reasonable impact
  +++ Substantial impact
• Direct and indirect Sox impact should be incorporated into your answers.
• Definitions used
Management = Higher management within the divisions (e.g. KLM Cargo top management)
Divisions = Cargo, Passenger Business, Engineering & Maintenance
• Extra explanation has proved to be valuable! Below you can provide additional explanation, evidence, examples or critical notes for a particular question or in general.
Question nr. | Comments (examples, evidence, critical notes)
I would highly appreciate your input on or before Thursday 24 March 2005.