EP Europe SOx 404 Self-Assessment

“Testing: doing it efficient”

An analysis of theory and practice of efficient Sox 404 testing

Thesis by: Robert C. Winkel Student number 1179802

Faculty of Management and Organisation

University of Groningen (RuG)

Research location:

Nederlandse Aardolie Maatschappij BV (NAM) Schepersmaat 2

9405 TA Assen

University of Groningen (RuG)

Faculty of Management and Organisation Study Course: Accountancy

Landleven 5

9700 AV Groningen

University supervisors:

Drs. A. Smeenge RA Dr. J.H.M. van Kesteren

Company supervisors:

René Duinkerken RC Drs. Rob van Riemsdijk RA

The author is responsible for the contents of this thesis; the copyright of this thesis belongs to the author

Preface

In front of you lies a copy of my research thesis on SOx 404 self-testing within Shell Exploration and Production in Europe. With this thesis I conclude my studies of Accountancy at the faculty of Management and Organisations.

Sarbanes Oxley used to be a term floating around without having any meaning to me.

If my brain were a set of balloons, I would have had an empty SOx balloon. It would have had the word Sarbanes Oxley on it, but it would have been one of many empty ones lying around of which I did not know the true meaning. It was certain that, after the fall of Enron, WorldCom and other big companies, this Sarbanes Oxley thing would become very important and very interesting to Accountancy students such as myself.

That is why, when I got the chance to participate and do my thesis with the EP Europe SOx Team, I accepted this big opportunity with both hands.

Welcome aboard, we will be cruising the SOx seas now. During the voyage I was wondering if I had brought enough balloons for me to fill as they were rapidly expanding and I did not want any of them to explode.

Luckily, I had the comfort of being with a good crew, who had already been exploring this SOx sea for some time and could share a lot of experience with me. I am referring to the members of the SOx team and their Captain, Rob van Riemsdijk, one of my company supervisors, whom I had the pleasure of working with and whom I would like to thank. I was also fortunate that my second company supervisor, René Duinkerken, always showed a lot of interest and took his time to help me navigate through this research process. He was the one who could always guide me in the right direction and put things in perspective when I had no idea where to go anymore.

I would also like to thank my thesis supervisors, Albert Smeenge and Jos van Kesteren, for their valuable comments and support so that I could continue finishing my research. The sea would not have been safe for an exploring sailor like myself without the help of a good coastguard.

Lastly, I wish to thank my family and friends and especially my girlfriend, Janneke, who has never given up on me and always cheered me up during the difficult moments while finishing this thesis.

My SOx balloons are filled. I hope you enjoy reading this thesis. It has certainly been a great experience for me.

Groningen, September 22nd 2005

Robert Winkel

Executive Summary

In 2004, as part of a globalisation process within Royal Dutch Shell plc. (Shell), the exploration and production activities were united in five global regions. In Europe the new cross-border organisation ‘Shell Exploration and Production in Europe’ (EP Europe) was formed. The Nederlandse Aardolie Maatschappij (NAM) B.V., a 50/50 joint venture between Shell and Exxon Mobil, is part of this new organisation.

In 2002 the Sarbanes Oxley act paragraph 404 (SOx 404), which required the management of publicly listed companies to attest to their internal controls over financial reporting, was introduced. This meant that all US listed companies on the New York Stock Exchange as well as all foreign listed companies, like Shell, had to file for compliance with the Securities and Exchange Commission. Being part of Shell, all companies within the EP Europe organisation, including NAM, had to comply with the SOx 404 law.

Although the companies within Shell already had sound internal controls in place, they did not yet have the documentation that the SOx 404 rule demanded. The need for a framework to self-assess the internal controls over financial reporting for SOx resulted in a massive framework with many ‘key’ controls that needed to be tested.

This was the starting point of the current research project. Of the eight EP Europe locations, there were five that met the SOx 404 materiality criteria and thus needed to be tested, which meant testing more than 4000 controls. Considering the amount of work needed to make test scripts for all 4000 key controls, the EP Europe SOx team wanted to investigate if there could be some mixture between the methodology and the available audit theory that could lead to more efficiency in this testing process.

The following problem statement was used to analyse whether there was a more efficient way to do the self-assessment.

Research objective:

The objective of this thesis is to contribute to the efficiency of the EP Europe self-assessment necessary for the SOx 404 compliance, using Group methodology to make test scripts fit for purpose, covering all SOx internal control requirements as laid down by the SEC and the PCAOB.

Central research question:

How can EP Europe make improvements, for creating more efficient test scripts that can facilitate the self-assessment, after comparing Audit theory with the Shell methodology?

The research involved the understanding of the processes within EP Europe and the methodology behind making the test scripts. After the first SOx pilot testing, the research had enough basis to come to an analysis between the audit theory and the Shell methodology that was being used for the EP Europe testing process.

By comparing the audit theory and Shell methodology a number of differences and similarities were recognised. The comparison of both methods led to the identification of five areas for which recommendations for improvement were made: Framework, SOx controls, Audit approach, Efficiency of testing, and Sampling.

Firstly, the methodology framework was primarily process based, while the audit theory was mainly focussed on the financial statements themselves. Methodology led to a good documentation of internal controls, but drew attention away from the financial statements. The audit focus would have to expand to comply with the SOx 404 rule and really audit the internal controls over financial reporting instead of assessing control risk by pure judgement. EP Europe can benefit from re-analysing the framework and focusing more on the financial statement risks instead of on all the controls that are active in a process.

The SOx controls were compared next. Methodology led to an extensive list of key controls, but prevented a good high level monitoring of the process. The audit theory was more focussed on the financial assertion of a control, but was less concentrated on the understanding of the process around it. To improve efficiency, EP Europe needs to re-assess their controls and identify the real key controls. They should also try to look at overarching controls that will reduce testing as well.

Thirdly, both methods had a strong auditor's point of view. This was because in EP Europe, the testing for self-assessment was designed to resemble the way auditors tested. However, this way of testing did not anticipate how the people in the business did their work. They are not accountants and not used to such audit-type testing work. It is therefore recommended that the business in EP Europe gets enough management commitment to make the testing process more aligned with how the business executes the controls.

For the fourth element, the efficiency of testing, methodology prescribed making test scripts for every SOx control. The methodology used to make the test scripts was good, but concentrated less on the testing of the financial assertions of the controls and was a very inefficient way to test all the controls. The EP Europe SOx 404 self-assessment can benefit from the efficiency of combining samples to test more than one control over various and the same register as well as using overarching controls to reduce the test effort. Eventually, the reduction of key controls will also lead to a more efficient testing process.

Lastly, a difference between both methods was the way each method described the way of sampling. In the event of testing with the Shell methodology the samples were based on the frequency of control, while the audit theory based their sampling on the population and exception rates. Although the samples used in the methodology were small they did not allow any exceptions, meaning a test would fail with one exception.

Sample exception rates are a good way to quantify test results and EP Europe might benefit from using this in combination with their zero defect policy. This implies that the self-testers will have to be trained to judge exception rates.

By using these five recommendations the EP Europe SOx testing will be able to be

Table of Contents

Preface

Executive summary

Introduction

Chapter 1 Shell and Exploration & Production in Europe

1.1 Royal Dutch/Shell Group

1.2 Research structure and Problem definition

1.2.1 Research objective

1.2.2 Research question

1.2.3 Research Model

1.2.4 Sub research questions

1.2.5 Research boundaries

1.3 Research methods

1.4 Theoretical framework

1.4.1 The COSO framework

1.4.2 Stakeholders analysis

1.4.3 Agency theory

1.4.4 Audit Sampling

1.4.4.1 Types of evidence

1.4.4.2 Acceptable audit risk

Chapter 2 Sarbanes-Oxley Act

2.1 What is SOx 404?

2.2 The role of the EP Europe SOx team

2.3 The role of Internal Audit

2.4 The role of External audit

2.5 The role of Management

2.6 The role of SEC and PCAOB

Chapter 3 SOx processes in EP Europe

3.1 Group processes that need to be SOx compliant for EP Europe

3.2 Control Objectives Register

Chapter 4 SOx testing methods

4.1 PCAOB test method guidelines

4.2 Shell/Group test methodology

S3.3 Test methods

S3.4 Sample size

S3.5 Sample methods

S3.6-8 Test responsibility, Test script number and Test plan number

S3.9 Combination of Test scripts

4.3 Internal audit test method

4.3.1 Self-testing

4.3.2 Independent testing

4.4 External audit test method

Chapter 5 Comparison of Audit theory and Group Methodology

5.1 Introduction

5.1.1 Group Methodology

5.1.2 Audit Theory

5.2 Comparison between theory and test methodology

5.2.1 Planning of the test

5.2.1.1 Combining controls

5.2.1.2 Overarching controls

5.2.2 Execution and evaluation of test

Chapter 6 Conclusions and Recommendations

6.1 Introduction

6.2 Risk comparison and conclusion of both programmes

Epilogue

Literature

List of Abbreviations

Appendices

Appendix A: Royal Dutch/Shell Group Structure

Appendix B: Empty Guideline Control Register example

Appendix C: Generic Test Workbook script example

Appendix D: Test Work Paper example

Appendix E: Deckers and Van Kollenburg (Table 7.2 p.105)

Appendix F: Combination of controls D1.11.a.1 example

Introduction

Recently the reserves issue has probably been the hottest item when people talked about Shell. At the end of 2003 and the beginning of 2004 Shell and the Securities and Exchange Commission (SEC) discovered that Shell’s reserves statements were not filed correctly. Shell used non-compliant accounting methods to record their reserves and thereby recorded oil reserves that were not ‘proven’ yet. In other words, according to the SEC, Shell could not record these amounts yet. This eventually led to a proposed change in the Shell Group structure, combining the two holding companies Royal Dutch and Shell Transport And Trading into Royal Dutch Shell plc ¹, and moving from two headquarters to just one, based in The Hague, with just one CEO and CFO. Not only this, but Shell also had to correct their reserves in the following year. This meant a big setback not only for Shell, but also for the investors.

Somewhat caught in the slipstream of major accounting scandals that have occurred and new ones still being discovered, this would also have effect on the new Sarbanes Oxley rule Shell would have to attest to by the end of 2005. Although Shell has already been signing off to the SOx 302 rule, the following, SOx 404 rule, would be more radical and strenuous. The SOx 404 rule requires management to attest to their internal controls over financial reporting, in support of the 20-F filing. The external auditor will also need to vouch for this management’s assessment.

It has become clear that investors and shareholders, but also other stakeholders such as employees, need such a rigorous system in order to protect themselves against the risk that a company signs off its annual report while undetected misstatements do not surface due to non-compliant internal controls.

During the time of this research, SOx 404 is being implemented, rolled out and tested in the whole of Shell. This research’s scope will cover only one of Shell’s business segments, namely Shell Exploration & Production in Europe.

¹ Unification of Royal Dutch (RD) and Shell Transport and Trading (STAT) into Royal Dutch Shell as of 20 July 2005 (Appendix A)

Chapter 1

In this chapter I will first give some information about the Royal Dutch/Shell Group and EP Europe in particular. Following that, I will start the problem definition of my research and elaborate on the further elements needed to successfully complete my thesis.

1.1 ROYAL DUTCH and SHELL TRANSPORT AND TRADING

In 1907 Royal Dutch and the Shell Transport and Trading Company formed an alliance, which we now know as the Royal Dutch/Shell Group. In this alliance Royal Dutch owns a 60% share and the remaining 40% is held by Shell Trading. Shell currently operates in more than 140 countries and has over 112,000 employees, with a net income of approximately 12.5 billion US dollars.

Until recently, Royal Dutch and Shell Transport and Trading operated as one Group but with separate headquarters. In 2005 they decided to merge the two companies into Royal Dutch Shell, to be listed on the London Stock Exchange and with one headquarters in The Hague, and also reduced the number of stock exchange listings (Amsterdam, London & New York).

Several business segments form the heart of Shell. These are Exploration & Production (EP), Gas & Power (GP), Oil Products (OP), Chemicals (C), and other industry segments including Renewables, Hydrogen and Trading.

Because the scope of my research is limited to the European part of EP, I will not go into further detail concerning the other operating companies. EP has companies active in over 34 countries, entailing 17,100 employees and earnings of 9.1 billion US dollars a year.

(Source: EP Europe presentation February 9, 2005)

EP is divided into five regions. These are EP Europe (EPE), EP America (EPW), EP Asia (EPA), EP Middle East (EPM) and EP Africa (EPG), together with 2 globally directed units, Exploration and Business Development and a Corporate Centre.

The focus of my research is on the region Europe (EP Europe). EP Europe has eight areas of operation (AoO’s ²). Each of these areas needs to be SOx compliant by the end of 2006. Shell counts approximately 1,200 AoO’s of which 200 need to be SOx compliant.

The AoO’s in EP Europe are: Aberdeen (UK), Assen (NL), Stavanger (NO), Ireland (IRE), Italy (ITA), Denmark (DK), Austria (A) and Germany (D). The AoO structure in EP Europe is as follows:

• NL – NAM B.V.

• UK – Shell Expro Ltd

• NOR – Norske Shell AS

• DK – Dansk Shell A/S

• IRE – SEPIL Ltd

• ITA – SEPI sa

• D – Shell Erdgas Beteiligungen GmbH (SEB)

• A – Rohölaufsuchungs- GmbH (RAG)

It is only since 2004 that these legal entities were put together organisationally as an AoO in EP Europe. The main achievement was to standardise the processes between the different locations, resulting in one management team, one business plan, one strategy, aligned policies, aligned procedures and an integrated support team.

The core operation of EP entails the exploration and production of crude oil, natural gas and natural gas liquids (condensates).

Some statistics for EP:

• 6,605 million barrels of crude oil and natural gas liquids proved reserves

• 44,920 billion standard cubic feet gas proved reserves

• 615 million barrels proved oil sand reserves

• 2,173 thousand barrels / day equity oil production

• 8,808 million standard cubic feet/day equity natural gas production available for sale

( Source: Annual Report 2004 )

1.2 Research structure and problem definition

In this part of my thesis I will set out the structure for my research, starting with the research background, followed by the research scope and objective, after which I will explain the theories and the methodology with which I will answer my central research question and sub questions.

Research background

The collapses of Enron, WorldCom and other corporate frauds in the USA led to the legislation of the Sarbanes-Oxley Act. Its objective: “to protect investors by improving the accuracy and reliability of the corporate disclosures.”

² An Area of Operation or AoO is a reporting unit

The Sarbanes-Oxley Act applies to all US listed companies, including foreign registrants. As a ‘foreign private issuer’ in the US, the Royal Dutch/Shell Group will need to comply with SOx 302 and 404 as of 31 December 2005. Shell will need to remain compliant year after year. During the time this research was held the deadline for SOx 404 for foreign registrants was extended by a year to the end of 2006 ³. This, however, did not change the tight schedule held by EP Europe and Shell to roll out SOx 404 in every relevant process that relates to the annual accounts and 20F.

Though EP Europe has a generally sound system of internal controls surrounding financial reporting, they currently cannot meet the proposed rules. In most places there is no or not enough documentation that identifies the significant processes, associated risks and mitigating controls. To provide a clear documentation path, the EP Europe SOx team has designed a SOx control framework for all significant processes within EP Europe.

Research Scope

The SOx controls are embedded in control registers, which are part of the control framework. For each significant process a control register has been made. EP Europe has 20 control registers with an average of 30 key controls each. This means there are almost 600 controls to be tested during self-assessments per AoO location. The self-assessment, from this moment referred to as self-testing/testing ⁴, took place at the beginning of 2005. The first test run is to make sure that all SOx controls in place have been properly designed. If not, remediation action will follow, and follow-up testing after the remediation period will show if the control operates effectively. This needs to be done before internal and external auditors come to inspect the SOx controls in the second half of 2005. The internal auditors have to assure that the CEO and CFO declare that there are no deficiencies or material weaknesses that have not been covered by the SOx implementation. The external auditor will then inspect if SOx has been properly rolled out and, if so, vouch that EP Europe has a sound system of internal controls surrounding financial reporting and therefore is SOx compliant.

The EP Europe SOx team has asked me to help develop test scripts, based on Shell Group methodology, fit for purpose for all the EP Europe relevant countries. Because EP Europe does not know how the internal and external auditors will do their SOx testing and the Shell Group has only given a guideline per control of how a control should be tested, they have asked me to come up with a more efficient way to test controls. In their opinion, the controls can be categorised in a more efficient way, possibly with the help of audit theory, so that the self-assessment can cover all the 600 controls that need to be tested per location using a limited amount of test scripts, instead of having to test all 600 controls on separate scripts.

³ http://www.sec.gov/news/press/2005-25.htm EXTENSION OF COMPLIANCE DATES FOR NON-ACCELERATED FILERS AND FOREIGN PRIVATE ISSUERS REGARDING INTERNAL CONTROL OVER FINANCIAL REPORTING REQUIREMENTS. Under the latest extension, a company that is not required to file its annual and quarterly reports on an accelerated basis (non-accelerated filer) and a foreign private issuer filing its annual reports on Form 20-F or 40-F, must begin to comply with the internal control over financial reporting requirements for its first fiscal year ending on or after July 15, 2006. This is a one-year extension from the previously established July 15, 2005, compliance date for non-accelerated filers and

Following the issue as described on the previous page, a problem definition can be derived, which will be the central topic in this research. According to De Leeuw, the problem definition is divided in two segments, namely the research objective and central research question (De Leeuw, 1997). The central research question will shed light on the research objective. The central research question can be answered by dividing it into smaller, so-called sub research questions. A research model can be of help to illustrate how the central research question will be answered in this research.

1.2.1 Research objective

The objective of this thesis is to contribute to the efficiency of the EP Europe self-assessment necessary for the SOx 404 compliance, using Group methodology and Audit theory to make test scripts fit for purpose, covering all SOx internal control requirements as laid down by the SEC and the PCAOB.

1.2.2 Central research question

How can EP Europe make improvements, for creating more efficient test scripts that can facilitate the self-assessment, after comparing Audit theory with the Shell methodology?

At the beginning of this research, Shell was still busy developing testing methodology. Generic test scripts, which are based on guideline controls, were used as an example for the AoO specific test scripts that needed to be made fit for purpose based on the actual control description. Methodology guidelines on how to combine certain controls were yet to be developed and it was assumed this issue would become obvious during the self-testing process. Because there is a strict time schedule for the testing to get ready, EP Europe has to come up with their own way to combine controls.

1.2.3 Research Model

This research model gives a graphical illustration of how the research is being done.

Note that the reporting square is not part of the research and therefore dotted.

[Figure: research model. Elements: SOx404, PCAOB, Control registers, Methodology, Audit Theory, Desktop Test script (1), Fieldwork Testing (2), Reporting Mngt SA (3), Remediation, Efficiency]

1.2.4 Sub research questions

The following sub questions will help to get an answer to the central research question. Per sub question a short outline will be given of what the question means to achieve in answering the central question.

1. What is Sarbanes-Oxley?

In this sub question, the Sarbanes-Oxley Act 2002, will be explained and the role of the different parties that are involved in the rule. The sub-question will be sub categorised in:

• What is SOx 404?

• What is the role of the EP Europe SOx team?

• What is the role of the internal auditor(s)?

• What is the role of the external auditor(s)?

• What is the role of management?

• What is the role of SEC and PCAOB?

2. Which processes need to be SOx compliant for EP Europe?

This sub question will explain briefly how the scoping of the EP Europe processes took place, how they are related to SOx and how they are developed into control objective registers to form the final control framework necessary for the self-assessment of the financial reporting over internal control.

3. How will the different parties that are connected to the EP Europe SOx self-assessment do their testing?

Testing can be rather subjective, because it depends on several factors namely the design of the control and test and the judgement of the tester, making it difficult to know when and if the testing was sufficient. Therefore, the SEC has appointed a commission called the Public Company Accounting Oversight Board (PCAOB, pronounced: peek-a-boo) to develop specific guidelines for external auditors to which the self-testing needs to comply. This is not only important for the companies who are implementing SOx, but also for the investors who can use this as a reference. On the other end, relevant theory can provide insights on how to test as well as looking at the methods used by internal and external auditors.

The following sub categorisation can be made to answer the third sub question:

• What are the PCAOB guidelines (Audit Standards No.2) concerning the financial reporting over internal control and financial statements? What is the difference between testing financial reporting over internal control and control over financial statements according to the PCAOB?

• How will Group test?

• How will internal audit test?

• How will external audit test?

4. What are the differences and similarities between the Audit theory and the Group methodology and how can these be used to improve the efficiency of testing?

In this chapter the differences and similarities between the audit theory and Group methodology will be set out against each other. The different testing stages will be examined, such as the desktop and the fieldwork part. The last part of testing comprises the reporting to the management but due to the irrelevance of this for this thesis it will only be discussed briefly.

What are the pros and cons in both programmes? Assuming there is no best way to test internal controls, there must be an alternative. In the conclusion of this research I will deliver a proposal of recommendations that can be used in order to make the testing process more effective and efficient.

1.2.5 Research Boundaries

The scope of this research will focus on the Exploration & Production Europe region within the Royal Dutch Shell Group. The research will primarily be conducted at the NAM B.V. in Assen.

The research takes place during a period of six months.

1.3 Research Methodology

There are several forms of data collection that can be used for doing research. These are: desk research, interview, surveys and observations.

The first three sub questions will be answered with the help of desk research. This can be achieved by utilising internal documents and the available specific literature and articles concerning testing. By working alongside the EP Europe SOx team and doing research, every step in the process of this research is a continuous learning exercise that will help improve and contribute to self-assessments and research.

Sub question four will bring all these learning elements and theory together. An analysis of the outcomes, with the help of theories and several interviews surrounding the self-testing that has been done, will deliver conclusions for improving the self-assessment process.

This is not a guide to SOx testing, but it can be helpful for further research, to fellow accountancy students and companies where SOx applies.

1.4 Theoretical Framework

In my theoretical framework the following theories will be explained and examined.

Firstly, the importance and the working of the COSO framework will be outlined.

This is followed by a brief explanation of the stakeholder’s analysis and the agency theory, which will be discussed further in chapter 2.

Lastly, the importance of audit sampling will be explained. In this paragraph the different ways to get audit evidence will be discussed as will the purpose of control risk.

The five components are:

- Control Environment

- Risk Assessment

- Control Activities

- Information & Communication

- Monitoring

1.4.1 The COSO Framework

COSO stands for the Committee of Sponsoring Organisations of the Treadway Commission. COSO’s 1992 report: Internal controls – Integrated Framework is the world’s most widely recognised framework for evaluating an organisation’s system of internal controls.

COSO defines internal control as: a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

1. Effectiveness and efficiency of operations

2. Reliability of financial reporting

3. Compliance with applicable laws and regulations

The framework consists of five interrelated components, which are derived from the way management runs a business and are integrated with the management process.

The components can be applied to all entities, however small and mid-size companies may implement them differently than large companies, due to the fact they have less formal and less structured controls. Nevertheless the controls are still effective.

(Source: COSO)

Control Environment:

As the primary component of the COSO model, control environment is the foundation on which the other four components stand. It sets the tone of an organisation, meaning the way the organisation organises its internal controls. Management will need to set the example and make sure the people within the organisation become conscious of the internal controls. Basically, SOx 404 is causing organisations to become more control conscious. Therefore a change in mindset of the people within the organisation is necessary for SOx to succeed.

Risk Assessment:

Risks often come from external and internal sources. For an entity to be able to assess these risks, they must have established objectives within the different organisational levels. Shell has developed a Group Risk and Internal Control policy to help identify these risks. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions are continually changing, it is important that the risks involved with these changes are assessed on a timely basis. SOx forces organisations to re-evaluate their risk policy and to make sure that every risk is accounted for. For the components control environment and risk assessment this not only complies with the financial reporting objective, but also takes into account the operations and regulatory side within an organisation. This is illustrated in the figure below.

Control Activities:

Control activities help assure management that directives are carried out. This is achieved by policies, procedures and work instructions within the organisation. Shell has a large database, which is called ‘Corporate Management System’ (CMS), that contains all policies and procedures and other control information. The controls described in the CMS help mitigate the risks. SOx makes the organisation go a step further and locate and underline the controls involved with the financial reporting.

Therefore it is necessary, when implementing SOx, to create control registers and flowcharts including narratives that are based on information from CMS and interviews. Control activities occur throughout the organisation, at all levels and in all functions. They include a range of activities as diverse as approvals, authorisations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Information and Communication:

Information and communication systems support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities. Systems produce reports and other back-up information that can be identified as evidence in a SOx self-assessment. It is important that people know their role in the internal control system. This means communication from top to bottom and bottom up must be very clear. SOx is a typical law that needs to be driven from the top level of an organisation down to the lower levels, so that they understand the importance of executing all the SOx key controls.

Monitoring:

Monitoring is a process that assesses the quality of internal control performance over time. The SOx attestation by management is a yearly ongoing event. SOx needs to be incorporated into the day-to-day work of people. To monitor the quality of the internal control a periodic self-assessment will take place. Shell has also developed a management tool to monitor that SOx controls are being executed.

When self-assessing SOx you are actually evaluating your internal controls. Therefore COSO, which is used to evaluate internal control, can form a good framework as to assessing internal control for the SOx self-assessment.

1.4.2 Stakeholders analysis

A stakeholder can be described as someone who has a particular interest in an entity or organisation. A stakeholder is in constant need of information. An organisation has to take care of its stakeholders, because they are important to its existence.

1.4.3 Agency Theory

The agency theory describes the relation between the agent and the principal. This is often a three-way relation, the third being the monitor. The principal (stakeholder) assigns the agent (board of directors) to deliver an audit report. This is done to close the information gap between both, as most of the time there is an asymmetric distribution of information. The monitor (auditor) makes sure that the information provided by the agent is sound.

In this process there are also agency costs involved. These are separated into bonding costs, monitoring costs and residual loss. The bonding costs are the costs incurred by the agent in order to satisfy the principal. The monitoring costs are the costs incurred by the principal to audit the agent. Residual loss is the loss incurred by the principal because the agent made suboptimal organisational decisions.

1.4.4 Audit Sampling

Audit sampling is when an auditor or tester decides to select less than 100 percent of the population for testing, for the purpose of making inferences about the population. According to Arens, Elder and Beasley, auditors may use either statistical or nonstatistical audit sampling when doing tests of control or substantive tests of transactions.

Both methods involve three steps: (1) plan the sample; (2) select the sample and perform the tests; and (3) evaluate the results. The difference however is that statistical sampling allows the quantification of the sampling risk in the planning and evaluation of the test. Sampling risk is the risk that an incorrect conclusion is drawn because the sample is not representative of the population. For the sample to be representative there may not be a difference between the sampled and non-sampled items. Methods to reduce sampling risk are increasing the sample size or choosing a more appropriate selection method. Another risk that occurs when sampling is nonsampling risk. This happens when audit tests do not uncover existing exceptions in the sample. This can be the result of doing the test in the wrong direction. Nonsampling risk can be avoided by careful design, supervision or review of the audit procedure.

In the case of the EP Europe SOx 404 self-assessment, Shell Group methodology uses a combination of statistical and nonstatistical sampling. The statistical part is limited to prescribed sample sizes that depend on the frequency of the control. As a rule Group has decided to fail the whole test if there is a single exception and only accept the test if there are no exceptions found, ignoring the possibility of sampling or nonsampling risk. The selection of the sample can also be done using two methods, namely probabilistically or nonprobabilistically. An example of a probabilistic selection would be a directed sample selection. When using directed sample selection the tester or auditor uses judgemental criteria in selecting the sample.
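The sampling risk that a zero-exception acceptance rule leaves open can be quantified. The following is an added example, not part of the thesis or of Shell's methodology; the control frequencies, population sizes and sample sizes in `SCENARIOS` are constructed assumptions, and the function names are hypothetical.

```python
"""Sampling risk left open by a zero-exception acceptance rule (added example)."""
from math import ceil, comb, log


def pass_probability(population: int, deviations: int, sample_size: int) -> float:
    """Chance that a random sample drawn without replacement shows zero
    exceptions, so the test is accepted although `deviations` of the
    `population` control occurrences actually failed."""
    if not 0 <= deviations <= population:
        raise ValueError("deviations must lie between 0 and population")
    if not 0 < sample_size <= population:
        raise ValueError("sample_size must lie between 1 and population")
    clean = population - deviations
    if sample_size > clean:
        return 0.0  # the sample cannot avoid every failed occurrence
    # Hypergeometric probability of drawing only clean occurrences.
    return comb(clean, sample_size) / comb(population, sample_size)


def zero_exception_sample_size(tolerable_rate: float, risk: float) -> int:
    """Smallest sample for which finding zero exceptions supports the
    conclusion that the true exception rate is below `tolerable_rate`,
    with at most `risk` chance of assessing control risk too low.
    Large-population binomial approximation: (1 - rate) ** n <= risk."""
    if not 0 < tolerable_rate < 1 or not 0 < risk < 1:
        raise ValueError("rates must lie strictly between 0 and 1")
    return ceil(log(risk) / log(1 - tolerable_rate))


def upper_exception_rate(sample_size: int, risk: float) -> float:
    """Highest true exception rate that a clean sample of `sample_size`
    still fails to rule out at the given risk level."""
    if sample_size < 1 or not 0 < risk < 1:
        raise ValueError("sample_size >= 1 and 0 < risk < 1 required")
    return 1 - risk ** (1 / sample_size)


# Constructed figures: (control frequency, occurrences per year, items tested).
# The thesis does not list the prescribed Group sample sizes.
SCENARIOS = [
    ("quarterly", 4, 2),
    ("monthly", 12, 2),
    ("weekly", 52, 5),
    ("daily", 250, 25),
]


def report(deviations: int = 1, risk: float = 0.10):
    """One row per scenario: name, population, sample size, probability of
    passing despite `deviations` failures, and the exception rate a clean
    sample cannot exclude at `risk`."""
    return [
        (name, pop, n, pass_probability(pop, deviations, n),
         upper_exception_rate(n, risk))
        for name, pop, n in SCENARIOS
    ]


if __name__ == "__main__":
    for name, pop, n, p_pass, upper in report():
        print(f"{name:9s} N={pop:3d} n={n:2d} "
              f"P(pass | 1 failure)={p_pass:.2f} "
              f"rate not excluded={upper:.1%}")
    print("n for 5% tolerable rate, 10% risk:",
          zero_exception_sample_size(0.05, 0.10))
```

With these constructed figures, a monthly control that failed once during the year still passes a two-item test in about 83% of draws, which is the sampling risk the pass/fail rule does not express.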

The work methods of both statistical and nonstatistical sampling are primarily the same. Shell audit sampling is based more on nonstatistical sampling because the tester does not need to calculate his or her planned sample size using a special table. The work method for both methods is as described below (Arens, Elder & Beasley 2003):

Plan the sample:

1. State the objective of the audit test
2. Decide whether audit sampling applies
3. Define attributes and exception conditions
4. Define the population
5. Define the sampling unit
6. Specify the tolerable exception rate
7. Specify acceptable risk of assessing control risk too low
8. Estimate the population exception rate
9. Determine the initial sample size

Select sample and perform the audit procedures:

10. Select the sample
11. Perform the audit procedures

Evaluate the results:

12. Generalize from the sample to the population
13. Analyse exceptions
14. Decide the acceptability of the population

1.4.4.1 Types of evidence

There are different types of evidence that can be used during audit sampling. Arens, Elder and Beasley identify seven types of evidence, which are stated below. Deckers and Van Kollenburg also identify seven types, which are almost the same. In the following section I have put both methods together.

| Arens | Deckers and Van Kollenburg |
|---|---|
| Documentation | Verificatie (Inspect/Examine) |
| Physical Examination | Inventarisatie |
| Observation | Waarneming ter plekke (Observation) |
| Inquiries of the Client | Inwinnen van inlichtingen (Enquire/Inquire) |
| Confirmation | Het verkrijgen van bevestiging van derden |
| Reperformance | Uitvoeren/herhalen van (Reperformance) |
| Analytical procedures | Cijfer beoordeling |

Although both theories are almost the same, there is a slight difference in naming. Arens uses ‘documentation’ where Deckers uses ‘verification’. The same goes for ‘analytical procedures’ and ‘cijferbeoordeling’, whereas the latter is a method that can be used as an analytical procedure.

When choosing your type of test and the method or type of evidence needed, Arens gives the following matrix:

Type of test (rows) by type of evidence (columns):

| Type of Test | Physical Examination | Confirmation | Documentation | Observation | Inquiries of the Client | Reperformance | Analytical procedures |
|---|---|---|---|---|---|---|---|
| Procedures to obtain an understanding of internal control | | | X | X | X | X | |
| Tests of controls | | | X | X | X | X | |
| Substantive tests of transactions | | | X | | X | X | |
| Analytical procedures | | | | | X | X | X |
| Test of details of balances | X | X | X | | X | X | |

(Source: Arens, Elder and Beasley Auditing and Assurance: an integrated approach p343 Table 12-2.)

The matrix shows that the use of evidence methods such as reperformance or inquiries of the client are compatible in every type of test, whereas documentation can be used in almost every test except in analytical procedures.

Deckers and Van Kollenburg not only identify the quantitative aspect of control information, but also the importance of three qualitative aspects:

1. Relevancy of control information [5]
2. Reliability of control information
3. Date or time of control information

Relevancy of control information

Having stacks of control information to cover your quantitative aspect does not mean it is relevant or reliable. That is why these qualitative aspects are also very important.

When testing something for completeness using the evidence type verification, one will not be able to achieve this control objective if it is tested in the wrong direction. This can happen, for example, when you want to check your revenue for completeness. By only looking at sales notes, using the audit evidence method verification, you are only verifying the existence or occurrence assertion, which is irrelevant to the objective you want to achieve, which is completeness.

The following table shows the relation between the financial assertions and the types of control information.

Relevancy of control evidence or information*

Type of evidence (rows) by financial assertion (columns):

| Type of Evidence | Existence or Occurrence | Completeness | Valuation | Rights & Obligations | Presentation & Disclosure |
|---|---|---|---|---|---|
| Verification [6] | + | + | + | + | + |
| Physical Ex | ++ | +/- | +/- | - | - |
| Observation | + | +/- | +/- | - | - |
| Inquiries | +/- | +/- | +/- | +/- | +/- |
| Confirmation | ++ | +/- | +/- | + | +/- |
| Reperformance | +/- | +/- | + | - | +/- |
| Analysis | +/- | ++ | + | - | + |

* ++ = very relevant; + = relevant; +/- = little relevant; - = irrelevant

(Source: Deckers and Van Kollenburg p.122, table 8.2)

Reliability of control information

The reliability of the control evidence can best be illustrated with the matrix used by Deckers and Van Kollenburg:

Reliability of control evidence or information*

Type of evidence (rows) by criteria of reliability (columns):

| Type of Evidence | Independency informant | Quality of AO/IC | Observation on the spot | Qualification informant | Objectivity of information | Form of information |
|---|---|---|---|---|---|---|
| Verification | v | v | - | v | + | + |
| Physical Ex | + | v | + | + | + | + |
| Observation | + | v | + | + | +/- | - |
| Inquiries | - | n/a | - | v | v | v |
| Confirmation | + | n/a | - | v/+ | + | + |
| Reperformance | + | v | + | + | + | + |
| Analysis | +/- | v | - | + | v/- | + |

* + = high; +/- = medium; - = low; v = varies due to circumstances; n/a = not applicable

(Source: Deckers and Van Kollenburg p.122, table 8.1)

Date or time of control information

The date of control information refers to the moment when it was gathered as well as the period to which it applies. When doing the self-assessment within EP Europe, the timing of testing controls that occur annually, quarterly or at a certain period is very important for the result.

[6] Verification and Documentation are used separately, but mean the same.

1.4.4.2 Acceptable Audit Risk

Another important tool used by an accountant is the acceptable audit risk. Before the start of a test or an audit, the auditor must get an understanding of the internal control processes in order to assess an acceptable audit risk.

Types of risk:

Planned detection risk (Detectie of ontdekkings risico)

PDR is a measure of the risk that audit evidence for a segment will fail to detect misstatements exceeding a tolerable amount, should such misstatement exist. The PDR is dependent on the other 3 risks. It can only change if the auditor or tester decides to change one of the other risks. Secondly, PDR has an inverse relation with the necessary amount of substantive testing that is needed. If an auditor determines that the amount of evidence is high, the PDR will be assessed as low.

Inherent risk (Inherent risico)

IR is a measure of the auditor’s assessment of the likelihood that there are material misstatements (errors or fraud) in a segment before considering the effectiveness of internal control. IR is inversely related to PDR.

Control risk (Interne beheersingsrisico)

CR is a measure of the auditor’s assessment of the likelihood that misstatements exceeding a tolerable amount in a segment will not be prevented or detected by the client’s internal controls.

Acceptable audit risk (Aanvaardbaar Accountantscontrolerisico)

AAR is a measure of how willing the auditor is to accept that the financial statements may be materially misstated after the audit is completed and an unqualified opinion has been issued.

Acceptable Audit Risk:

Arens’ formula: AAR = IR x CR x PDR

Deckers’ formula: ACR = IR x ICR x DR

In the table below the relation between the assessed control risk and the extent of procedures is shown, on a high and a low level of control. The four types of procedures that can be used for test of controls are stated here as shown in the table on page 17 of this paper. The procedures to test effectiveness of controls in support of a reduced assessed control risk are called test of controls.

Relationship of Assessed control risk and extent of procedures

| Type of Procedure/Method | Assessed Control Risk, High Level: Obtaining an understanding only | Assessed Control Risk, Lower Level: Tests of Control |
|---|---|---|
| Inquiry | Yes-extensive | Yes-some |
| Documentation | Yes-with transaction wt* | Yes-using sampling |
| Observation | Yes-with transaction wt | Yes-at multiple times |
| Reperformance | No | Yes-using sampling |

(Source: Arens, Elder and Beasley, Table 10-3) (*wt stands for walkthrough)

If a company has a good set of internal controls, an auditor will probably assess the acceptable audit risk higher so that the need for audit evidence can be lower as well. The other extreme option is that the auditor has to assess the company’s AAR low because internal control cannot be fully trusted and thus the audit evidence needed will be a lot more. Both situations are depicted with their relations with the other factors in the table below as situation 1 and 3.

The other situations are hovering between the situation of 1 and 3. The ultimate goal when implementing SOx would be to get a company into a situation 1 position.

Relationships of Risks to Evidence

| Situation | AAR | Inherent risk | ICR | PDR | Audit evidence |
|---|---|---|---|---|---|
| 1 | High/Low* | Low | Low | High | Low |
| 2 | Low | Low | Low | Medium | Medium |
| 3 | Low | High | High | Low | High |
| 4 | Medium | Medium | Medium | Medium | Medium |
| 5 | Low | Low | Medium | Medium | Medium |

(Source: Arens, Elder and Beasley, Table 9-6) *Arens states ‘high’ while Deckers states ‘low’

Deckers only estimates the acceptable audit risk for every situation as low, very low or extremely low (see appendix E). Arens however uses the grading of high and medium in the AAR column. This is the theoretically correct way. Deckers mentions that the grading is a very subjective thing and that could be the cause of the difference in both models, the latter presumably being Deckers’ own opinion. Deckers may assume a cautious approach, saying that you always have to grade the AAR as low because this risk is hard to quantify, so you must be careful not to calculate the acceptable audit risk too high.

I agree with Deckers that under all circumstances you need to assess your audit risk as low. The idea of not needing as much audit evidence when internal controls are in place, contrary to more evidence when they are not in place, is sound as long as you keep in mind that when there are misstatements your judgement should change and you will have to increase the audit evidence. I do not agree however that you can assess your AAR high and also do with less audit evidence. That would imply that an error in the evidence in situation 3 would be worse than in situation 1, just because the auditor relies more on the internal controls.

Chapter 2 Sarbanes-Oxley Act

2.1 What is SOx 404?

As written in the Sarbanes Oxley Act 2002, section 404 literally states:

SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS. [7]

(a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall—

(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

(b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

It is hard to imagine that these few lines of words can cause a massive burden for all companies involved. After scandals such as Enron and WorldCom, not only the certified public accountants, but also management of organisations are fully aware of the consequences an insufficient set of internal controls will have on everyone’s reputation. Let us then look at what the roles are of the parties involved. First, let’s take a look at the EP Europe SOx team role, followed by the roles of the internal and external auditors. Lastly, the roles of management and the SEC and PCAOB will be discussed.

2.2 The role of the EP Europe SOx Team

The role of the EP Europe SOx Team is basically to roll out SOx 404 for the whole of EP Europe before the end of 2005 by a self-assessment. Shell has determined the key SOx controls within the processes based on the 20F financial statements and the Shell financial control book. These generic based controls were then given to the EP Europe SOx team for making their framework. Each team member was assigned a number of processes to map these in a framework. This framework contained the processes with the description of the actual controls, including flowcharts and narratives.

[Figure: SOx 404 roll-out timeline. Phases: Planning & Definition, Pilot and Roll Out Planning, Document and Evaluate, Test & Remediate, Refine & Test, Dry Run, Assessment. Dates on the axis: 30/04/04, 30/06/04, 31/12/04, 30/06/05, 31/12/05.]

(Source: Shell SOx 404 Engagement Pack)

2.3 The role of the internal auditors

The role of internal auditors is to make their own independent assessment of the internal controls as tested by the EP Europe SOx team. It is still unclear what will happen when internal auditors find a deficiency or vice versa. What will happen if internal audit assesses a ‘green’ control, as tested by the EP Europe team, as ‘red’, meaning non-compliant? And what is the case if the EP Europe team failed a key control and internal audit approves this control? Whose assessment will be leading? The same can be asked when external audit sets out to test.

2.4 The role of the external auditors

The external auditor vouches for the management assessment and gives a final judgement on the SOx 404 management assessment. It is possible that the external auditor approves the 20F, but fails the self-assessment because significant deficiencies are found in the internal controls. To form a good opinion on the assessment done by the company’s management, external auditors will need to evaluate the management’s assessment process and also test and evaluate the design and operating effectiveness of internal control over financial reporting. Although the PCAOB has given guidelines as to how internal control should be tested, it is hard to predict how external auditors will go to work. Eventually the SEC will evaluate whether the SOx criteria are met. In this case not only does the company want to set a good example towards its shareholders and stakeholders, but the external auditor also has a seemingly doubtful reputation to keep up, after the many scandals that have featured in the media over the last few years.

2.5 The role of Management

Management is required to file an internal control report with the annual 20F report. The PCAOB guidelines state that it is not necessary for management to be involved in the whole process, as long as they can attest to the working of all their internal controls over financial reporting. Management commitment is of great importance in the process of becoming SOx 404 compliant. Without good management commitment, it will be hard to commit the employees to making the self-assessment a success. The self-assessment is important for a lot of stakeholders of EP Europe and Royal Dutch Shell plc., especially for those who are financially involved.

There are several important stakeholders EP Europe needs to take into account. There are internal stakeholders like employees and there are external stakeholders such as shareholders, auditors, government, and investors. All these stakeholders want to know about the external and internal plans and operations of EP Europe, which are mostly stated in annual reports or press releases. Now that SOx 404 obliges management to report on the effectiveness of all their internal controls, the information gap between agent (management) and principal (shareholders) diminishes. There is always an asymmetric balance of information between an organisation (agent) and their stakeholders (principals). This can be illustrated by the agency theory. The model below shows the relation between the parties involved in the audit and SOx process. In a normal situation (1) the shareholders ask the management to audit their financial reporting, monitored (1) and executed (3) by external auditors. The new SOx rule encompasses another (2) agency relation, namely the SEC playing the role of principal and management and accountant acting as agents, screened by the PCAOB. As watchdog of the US stock exchange, SEC can be seen as an agent (4), monitored by the US government. Both shareholder and government can be seen as the principal in this relation. When the SOx implementation is taken into account, there is a relation with management acting as a principal, asking their employees if all controls are working in accordance with SOx, whereas a special SOx team sees to it that this is executed. When testing, the SOx team acts as the principal, asking and testing the employees/process owners about their controls. Internal audit will then act as the monitor.

[Figure: agency model with numbered relations 1 to 4 between Shareholders, EPE (Royal Dutch Shell), Accountant, SEC, PCAOB and US Gov., each marked as Agent, Monitor or Principal, for the 20F and SOx reporting.]

2.6 The role of SEC & PCAOB?

As all registered firms have to file their 20F forms, including their SOx self-assessment, it is the SEC’s responsibility to see to it that everything is filed according to SEC regulations and PCAOB audit guidelines. The SEC has commissioned the PCAOB to set up guidelines for the SOx self-assessment. All self-assessments need to comply with these guidelines. If a company does not mention a misstatement where there definitely is one, severe corporate punishments may follow. One of the most recent examples of such punishment is the imprisonment of former CEO Bernie Ebbers of WorldCom, who was sentenced to 25 years!

Chapter 3 SOx processes in EP Europe

In this chapter, an overview of the relevant EP Europe SOx processes will be given.

There are a lot of processes within Shell. Some of these processes can be tested on a group level and thus do not have to be tested per AoO. Therefore the processes for EP Europe are narrowed down to 20. For each of the processes, a process analyst from the EP Europe SOx team has created a control register containing all the relevant SOx key controls.

3.1 Group processes that need to be SOx compliant for EP Europe

There are a lot of processes within EP Europe. According to SOx, every process that has something to do with internal control over financial reporting needs to be self-assessed by the management. As can be seen in the picture below, the SOx scoping process started by looking at the financial statements and business risks.

[Figure: SOX 404 Methodology, showing the process steps (from financial statements and business risks through significant accounts, financial statement assertions, significant processes, risk assessment and significant controls to evaluating control design, testing control operation, assessing control effectiveness, identifying and correcting deficiencies, and reporting the assessment), their outputs and the process themes.]

(Source: Shell Methodology Handbook)

The significant accounts represent the accounts that can cause a material deficiency in the financial reporting. Materiality is divided into four levels, level one being the highest and most important and level four the least significant. The level of coverage should not be less than 95% of the overall financial statement amounts taking into account Levels 1, 2 and 3. Although level 4 AoO’s are not individually significant for SOx, they will need to be reviewed periodically to make sure there are no changes indicating that they are significant.

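The relevant processes per AoO [8] can be illustrated in the figure below:

| Process nr | Process description | # of controls | NL | UK | NO | IE | ITA | DK |
|---|---|---|---|---|---|---|---|---|
| A01 | Organisational Level Assessment | 41 | 37 | 37 | 37 | 37 | 37 | 32 |
| B03 | Support Joint Venture and Product Sharing Contracts | 26 | 21 | 21 | 21 | 21 | 21 | 8 |
| B04 | Support Acquisitions and Divestments | 5 | 5 | 5 | 5 | - | - | - |
| B10 | Intra Group dividends | 3 | 3 | 3 | 3 | - | 3 | 3 |
| C01 | Purchases and Payables | 25 | 23 | 23 | 23 | 23 | 23 | 12 |
| C02 | Inventory (HC) | 27 | 16 | - | - | 13 | | |
| C02 | Inventory (Materials) | 27 | 19 | 19 | 19 | - | - | - |
| C04 | Sales & Receivables Crude | 28 | 15 | 10 | 6 | - | 19 | 8 |
| C04 | S&R Gas NGL | 28 | - | 16 | 14 | - | - | 9 |
| C04 | S&R Self Billing | 28 | - | 15 | - | - | - | - |
| C04 | S&R Tariff Account. | 28 | - | 16 | - | - | - | - |
| C05 | Fixed Assets | 31 | 31 | 31 | 31 | 31 | 31 | 21 |
| C06a | Indirect Tax | 10 | 6 | 6 | 6 | 6 | 7 | 4 |
| C06c | MOR (NL only) | 10 | 10 | - | - | - | - | - |
| C08 | Cash Management | 21 | 19 | 19 | 19 | 19 | 19 | 17 |
| C09 | Payroll & Benefits | 16 | 4 | 2 | 3 | 7 | 2 | - |
| C10 | Manage Supporting Documentation | 7 | 7 | 7 | 7 | 7 | 7 | 5 |
| C11 | General IT controls | 63 | 63 | 63 | 63 | - | 63 | 23 |
| C13 | End User Computing | 18 | 18 | 18 | 18 | - | 18 | 18 |
| D01 | Manage Financial Close | 45 | 36 | 36 | 36 | 36 | 36 | 27 |
| D02 | Manage Supplementary information and disclosure | 12 | 6 | 6 | 6 | 6 | 6 | 12 |
| D04 | Manage Internal Reporting | 4 | - | 4 | - | - | - | - |
| F01 | Reserves Accounting | 58 | 30 | 30 | 30 | 30 | 30 | 30 |
| F02 | Hydrocarbon Accounting (HCA) | 34 | 29 | 29 | 29 | - | 29 | - |

C02 Inventory (HC): only five of the seven values are present; they are listed in the order given.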

Although most registers will only slightly differ per AoO, there are some registers that are very AoO specific. This particularly applies to the tax, payroll & benefits and sales and receivable registers.

| Financial Statement | Explanation |
|---|---|
| Existence (BS) or Occurrence (P&L) | Valid assets and liabilities exist at a given date and recorded transactions occurred during a given period. Recorded transactions represent economic events that actually occurred during a given period. |
| Valuation or Measurement | Assets, liabilities, equity, revenues and expenses that have been accurately recorded in the financial statements at appropriate amounts in accordance with relevant accounting principles. |
| Completeness | All transactions and other events and circumstances that occurred during the period have been accurately recorded or considered. All transactions and other events and circumstances that should be included in the financial statements are accurately included. There are no unrecorded assets, liabilities or transactions, or undisclosed events. |
| Rights and Obligations | Assets are the rights of the company and liabilities its obligations at a given date. |
| Presentation and Disclosure | The components of the financial statements are properly classified, described and disclosed. |

In the next paragraph the basic structure used in EP Europe for the control objective registers will be described. The control register is built out of a guideline part and an actual part. The guideline is used as a reference for the filling of the actual part of the control register.

3.2 Control objectives register

The control objectives register [9] is based on a process flowchart including a narrative description of the process steps and is initially developed in a spreadsheet. When a control register has been designed effectively it will be uploaded to the online Greenlight SOx control database, for future purposes.

The guideline part of the register is built out of several columns in the control register spreadsheet [10]. These are:

• Number: this depicts the number of the register
• Sub process: description of the sub process
• Control objective: states the objective of the control
• Financial Statement Assertion: existence (BS, balance sheet) or occurrence (P&L, profit & loss), completeness, valuation or measurement, rights and obligations, presentation and disclosure. (Source: Shell Methodology handbook)
• Financial Statement Risk: states the risk related to the financial statement that needs to be controlled
• Guideline control: description of control given by the Group

[9] Control objectives register and control register will regularly be used throughout the thesis and mean the same.

[10] See example in Appendix B: Empty Guideline Control Register
