DCT Internal Control Update At-A-Glance
March 28, 2008
A Message From Your ICDT Lead
While the changes in the DCT SOX program may reduce annual
SOX time commitment from certain CET Owners, your
accountability for controls within the CET is unchanged. As part of
the LRA process, each of the Segment/Function DCT VPs and the
DCT GVP/CIO (Dana Deasy) make quarterly assertions on our
controls. They will continue to look to each of the S/F Control
Leads and CET Owners for assurance that they can do so. With
your help, we look forward to another outstanding year.
2008 Control Framework is Now Available!
GC (Group Control) has released the updated AGC and ITGC
control frameworks for 2008. Changes are relatively minor. They
include simplified wording of Control Objectives, the addition of
one AGC Key Control Activity and deletion of another. These
updates will automatically be incorporated in FCM when it comes
online in April.
CET Owners are expected to refresh their control documentation
in FCM to reflect the updated framework and throughout the year
as changes occur. As such, CETs can continue to be updated
prior to the FCM framework changes. Any changes made will be
saved and available when the changes to the framework are
loaded into FCM. Watch for communication from your S/F
Control Lead regarding specific 2008 Control Framework timing
and annual refresh processes.
The upcoming web cast titled “What’s New in 2008” will review
the framework changes and refresh requirements. Go to
Announcements on the DCT CET Owners SharePoint site for
dates and times of upcoming web casts, updates on the Control
Framework, and release of the revised Control Dictionaries.
Significant Changes in BP’s Overall
Management Assessment Process
Everyone involved in the DCT SOX program has worked to
establish effective internal controls over our applications and
infrastructure. We will leverage this work in 2008 to simplify and
improve the efficiency of our SOX compliance approach.
Historically, BP’s Management Assessment process has relied on
Self Assessment and assertion by CET Owners to the design and
operating effectiveness of their controls. This was the most
challenging and time consuming CET Owner accountability. As a
benefit, it has established a broad-based understanding of the Key
Control Activities and compliance requirements.
No More Self Assessment by CET Owners
Beginning in 2008, our Management Assessment process will no
longer require CET Owners to perform a Self Assessment with
detail testing. Instead, the detail testing required for SOX
compliance will be performed centrally by the Control Advisory &
Review (CAR) team, which is part of our Group Control (GC) group
in the Finance organization.
CAR is expected to perform testing on 100% of our AGC and ITGC
CETs (historically only 1/3 have been tested). CAR will be testing
all of the Key Control Activities covered by these CETs in DCT. This
shift in responsibility will entail CET Owner support of reviews by
the CAR team, and continued support of any reviews by our
external auditor (E&Y) or Internal Audit that might be required.
No More Annual Assertion by CET Owners
CET Owners will no longer be required to complete an annual
assertion as to the design and operating effectiveness of their
controls. Instead, they will perform a sign-off confirming that they
have performed their key accountabilities. These include:
• Maintenance of control documentation
• Reporting and remediating all known gaps
• Performing any monitoring that is required by their Segment/
Function Internal Control team
• Retaining evidence of control performance
• Providing the S/F Control Lead with ongoing assurance that
controls are performing as designed.
(Note that Monitoring is not required by DCT for SOX compliance,
but the DCT Segments/Functions may use monitoring for other
purposes, and your S/F Control Lead will clarify the approach, what
you are required to document, and what evidence you must retain
to provide assurance on your controls.)
What’s New in 2008 DCT SOX Webcast!!!!
What's New in 2008 CET Owner Webcasts will be held on April
10 and 17. They will highlight what is new in the DCT SOX
program in 2008. (1.5 hour webcasts held at 3 times to
accommodate Europe, Africa, the Middle East, the Americas and
Asia Pac)
Topics to include:
• Control Framework and FCM changes
• Self-Assessment changes – no more Self Assessment
• CAR Review changes – increase in coverage
• Change in approach for assertion/sign-off
This will be the only course offered focusing on what’s new in
SOX for DCT. Therefore, it is highly recommended that every
AGC and ITGC CET be represented at the “What’s New”
webcasts. If the CET Owner is unable to attend, a delegate or
support person should attend on behalf of the CETO. Please
contact DCTSoxComms@bp.com if you did not receive an
invitation.
2008 Key Dates for CET Owners
• April 10 and April 17th… “What’s New in 2008” webcasts for
DCT CET Owners.
• By April 30, FCM available with 2008 Control Framework.
• By May 15th, update your CET in FCM.
• When requested, support Control Review, and possible audit
by E&Y.
• Throughout the year, identify, report and remediate any gaps.
• Q4 webcast on “Sign off Guidance”.
• No later than Dec. 1, complete sign-off in FCM.