Internal Control and SOX Compliance - procedure elements for your SSC

There is no such thing as a perfect control system. There are certain elements which may negatively impact on its effectiveness, such as staff size limitations, system configuration, human error, misunderstandings, fatigue, or stress.

Internal Control system is to reduce these risks through ongoing review and validation of controls design and effectives.

The main elements of this procedure, frequency of execution and responsibility are set out below:

Procedure Element	Description	Responsibility
Financial Risk Map, Risk Evaluation	Annual high level assessment of financial reporting risks mapped and calculated at the Company level.	Vice-President and General Auditor presents to Audit and Finance Committee.
Self-Assessment of Control Design and Effectiveness	Ongoing preparation and update of Process Documentation. Ongoing supervision and validation of quality of control activities. Update as per changes, e.g. organisational changes, system set-up.	Process Owners supported by the Internal Control & Compliance, especially where processes are newly brought into scope or where there are significant changes to processes.
Internal Control Review	Periodic walkthrough of the Process Documentation to identify presence and proper design of controls.  Eventually missing controls and weaknesses are identified and remediation actions agreed.	Internal Control & Compliance
Attestation	Finance Directors attest to the existence and effectiveness of internal controls over their In-scope Processes as a component of the year end close process.  This attestation is based on attestations from Process and Sub-Process Owners based on their Process Test of Design and Documentation, Control Test of Design and knowledge of the functioning of the process throughout the year.	Local CFOs make attestation based on Process Owners input, Internal Control & Compliance facilitates the attestation process
Control Test of Effectiveness	Testing of the operating effectiveness of controls are conducted on a sample basis. Test of operating effectiveness is carried out on Key Controls on an annual basis and Non-Key Controls on a three year rotation.	Internal Audit Internal Control & Compliance coordinates and facilitates audit process
Deficiencies Report	Weaknesses identified on controls are assigned to respective Process Owner actions with a target date for implementation. All Significant and Material Weaknesses are reported to the Audit and Finance Committee.	Process Owners and Internal Audit Internal Control & Compliance is informed on the report
Corrective Actions	Remediation actions are conducted in order to close the action within a due date.	Process Owner Internal Control & Compliance monitors action Internal Audit evaluates action closer
External Audit Exchange Act report	External Auditor performs independent tests on internal controls. Internal Control report is signed-off by CEO and publish to the market.	CEO and CFO External Auditor