Controls Awareness Training

Course Booklet 2012

Table of Contents
Course Topics & Learning Objectives Course Slides
Welcome, Class Introductions, Agenda Purpose & Function of Controls Core Controls Principles Control Standards Organizational Responsibilities Application of CIMS Summary & Additional Resources
Slides 1-4 Slides 5-21 Slides 22-33 Slides 34-42 Slides 43-48 Slides 49-61 Slides 62-67

Post Class Exercise

Controls Awareness Training

Course Topics & Learning Objectives
During this session, we will examine a series of topics designed to provide you with a fundamental knowledge of ExxonMobils basic controls processes. A postclass exercise is also included to reinforce the training topics, encourage open dialogue with your supervisor, and challenge you to assess your role in ExxonMobils controls environment.

Topics Definition, purpose, and function of controls The seven core controls principles ExxonMobils Controls Framework, including System of Management Control, Delegation of Authority Guide, Compliance Checks Controls Integrity Management System (CIMS) and its applications Additional resources

Learning Objectives Understand the purpose and function of controls Develop familiarity with the core controls principles and their applications Explain the purpose and describe each element of ExxonMobils Controls Framework Recognize the CIMS elements and their application in daily activities Know where to locate additional resources and appropriate contacts Describe and understand your role in the controls process

Class Introductions
Name Operating Function and Job Title Length of Employment with ExxonMobil Example of a Control Used in Your Personal Life

Slide 2

Agenda
Section 1: Purpose & Function of Controls Section 2: Core Control Principles Section 3: Control Standards Section 4: Organizational Responsibilities Section 5: Controls Integrity Management System (CIMS) Applications Additional Sources of Information

Slide 3

Training Objectives
Develop an understanding of the following:
Purpose and function of controls ExxonMobils Controls Framework & System of Management Control
Principles of control Delegation of Authority Guide (DOAG) Checks on the systems effectiveness ExxonMobil Controls Integrity Management System (CIMS)

Be able to recognize applications of these tools and concepts in your work position and ExxonMobil Know where to go for assistance and further information Describe and understand your role in the controls process

Slide 4

SECTION 1: PURPOSE & FUNCTION OF CONTROLS

Slide 5

SECTION 1: PURPOSE & FUNCTION OF CONTROLS

Here is an Interesting Quote:

Rex Tillerson (Chairman & CEO)

"Every day, employees at ExxonMobil are committed to the pursuit of operational excellence. We do this by delivering safe, reliable operations, improving energy efficiency, and maintaining strong business controls.

Excerpt from 2008 Financial and Operating Overview

Slide 6

SECTION 1: PURPOSE & FUNCTION OF CONTROLS

Key Concepts of Controls

What are controls?
The systems and procedures devised by an organization to:
Direct Restrain Govern Check

the performance of business activities Systems and procedures include:

Policies Training Reporting responsibilities Communication Authorities

Slide 7

SECTION 1: PURPOSE & FUNCTION OF CONTROLS

Key Concepts of Controls

Why controls?
Controls are designed to ensure:
Business is conducted in accordance with managements directives Effectiveness and efficiency of operations Reliability of financial reporting Assets (including information) are safeguarded and their integrity maintained Compliance with applicable laws and regulations

Legal requirements (Sarbanes-Oxley Act of 2002):

Management to report on effectiveness of internal controls and financial reporting procedures Companys external auditors to report on and attest to managements internal controls

Slide 8

SECTION 1: PURPOSE & FUNCTION OF CONTROLS

Controls and Risk Exposure

Risk results from a combination of:
An exposure The probability of an undesirable outcome occurring

Controls are intended to mitigate the risk by lowering the probability and/or the severity of an occurrence
Point A in the red area reflects an unmitigated risk situation. Risk exposure can decrease to point B in the green area by having the proper controls in place.
Risk Exposure
High High I

Probability

Medium

Low

Severity

II III
Low IV

Slide 9

SECTION 1: PURPOSE & FUNCTION OF CONTROLS

Components of ExxonMobils Controls Framework

Corporate Policies System of Management Control Basic Standards (SMC)

CONTROL FRAMEWORK

+
PROPER EXECUTION

In-Line Controls (e.g. Delegation of Authority Guide (DOAG)) Compliance Checks (e.g. Internal Assessments) Controls Integrity Management System (CIMS)

=
EFFECTIVE CONTROL ENVIRONMENT

Slide 10

SECTION 1: PURPOSE & FUNCTION OF CONTROLS

ExxonMobils SMC Basic Standards

System of Management Control (SMC)
Foundation document of ExxonMobils controls system Provides management with basic criteria, knowledge, and tools for establishing effective management controls
Includes core policies, basic control expectations and a structure for ensuring that controls are functioning System of Management Control
Basic Standards

Broad rules of the road for running the business Sufficiently broad to allow flexibility to local conditions Management required to establish systems/procedures to meet/exceed standards Compliance is mandatory; exceptions must be reported and reviewed by Audit
Slide 11

ExxonMobil

SECTION 1: PURPOSE & FUNCTION OF CONTROLS

In-Line Controls
Employees should understand the purpose and operation of the specific controls associated with their specific job responsibilities These controls are called In-Line Controls You should be aware that:
Using SMC as a guide, control mechanisms are introduced as procedures to govern day-to-day activities In-line Controls are designed and owned by process owners and are an integral part of each employee's activities

Two types of In-Line Controls

Preventative Controls Detective Controls

Slide 12

SECTION 1: PURPOSE & FUNCTION OF CONTROLS

In-Line Controls: Preventative and Detective

Preventative Controls
Occur before the transaction or event has been completed Examples include:
Access controls (e.g., building access, computer system access) Credit checks Job handover checklists

Detective Controls
Occur after the transaction or event has been completed Examples include:
Review of control reports Reconciliation of accounts Analysis of operating results

Always execute detective controls in a timely fashion to minimize losses and corrective efforts
Slide 13

SECTION 1: PURPOSE & FUNCTION OF CONTROLS

Controls in Practice
Credit
To ensure we extend credit only to credit worthy customers

Payroll
To ensure employees are paid accurately, on time, and with the proper deductions

Product
To ensure our products always have the right quality and proper quantity when we sell them to our customers

Slide 14

SECTION 1: PURPOSE & FUNCTION OF CONTROLS

Responsibility for Controls

Line Management
Ultimate responsibility and ownership for all actions taken within its area of responsibility including the design, operation and maintenance of cost effective control mechanisms

Controllers
Provide guidance and support to line management in the design, implementation and maintenance of the overall controls system. Controllers has an oversight responsibility to ensure that the controls system is functioning effectively

All Employees
Act as business owners, taking overall responsibility for the effectiveness of controls within their scope of responsibility
Slide 15

SECTION 1: PURPOSE & FUNCTION OF CONTROLS

General Guidelines for Controls

You should understand a few general guidelines that apply to all controls All controls must be:
Documented Communicated Understood (existence, meaning, and use) by all those concerned Supported by processes to ensure compliance Supported by management

Slide 16

SECTION 1: PURPOSE & FUNCTION OF CONTROLS

Control Breakdowns
What can cause control breakdowns?
Need for controls not recognized Inadequate instruction/ training Insufficient capital or human resources provided Improper priorities assigned Attitudes of employees, supervisors & managers Human error Management unaware of problem Supervisors not monitoring ongoing process Manager not informed

Slide 17

SECTION 1: PURPOSE & FUNCTION OF CONTROLS

It Cant Happen to Us, Right?

Financial Irregularities Other

Discrimination

Data Privacy FCPA Violations Antitrust Activities

Slide 18

SECTION 1: PURPOSE & FUNCTION OF CONTROLS

Unit Internal Assessments

The primary purpose of a Unit Internal Assessment (UIA) is to test the integrity of a Units business process controls system, the effectiveness of execution of controls, and compliance with the Controls Integrity Management System (CIMS)
Each UIA occurs at the mid point of the audit cycle

The UIA tests compliance with management defined control practices documented in business specific controls catalog Consider a control concern exposure scenario and ask the question: What could go wrong and what is the impact (i.e. inherent risk)?
Use a controls catalog to determine the control steps:
What should be done to manage the risk? What are the mitigating steps? How can control concerns be prevented or detected or the impact reduced?

Use a controls catalog to determine the control tests:

How do you verify if its working?
Slide 19

SECTION 1: PURPOSE & FUNCTION OF CONTROLS

Controls Catalog

Slide 20

SECTION 1: PURPOSE & FUNCTION OF CONTROLS

Summary
Controls are all the methods to direct, restrain, govern, and check that business activities are conducted in accordance with managements directives The System of Management Control (SMC) Basic Standards is the foundation document of ExxonMobils controls system Line management, employees, and contractors have specific roles and responsibilities for designing, implementing, and maintaining cost-effective controls

Thoughts to Consider:
Who is in your line management? Who is the Controller/Controls Advisor for your group?
Slide 21

SECTION 2: CORE CONTROL PRINCIPLES SMC Section 020-005

Slide 22

SECTION 2: CORE CONTROLS PRINCIPLES (020-005)

SMC Section 020

Four sections to the System of Management Control (SMC)
020: Introduction 030: Foundation & Framework 040: Administrative & Operating Controls 050: Internal Accounting Controls

SMC Section 020 includes these areas:

020-001: Document preface 020-002: SMC organization and structure 020-003: Brief discussion on the control environment
Factors involved in controls Results of a poor controls environment Methods of disseminating controls information

System of Management Control

Basic Standards ExxonMobil

020-004: Relationship to financial and accounting controls 020-005: Principles of control 020-006: Organizational responsibilities
Slide 23

SECTION 2: CORE CONTROL PRINCIPLES (020-005)

Building Blocks of ExxonMobils SMC

System of Management Control (SMC)
Four sections form the building blocks of ExxonMobils SMC
020-006: Organizational Responsibilities 030: Foundation and Framework 040: Administrative & Operating Controls 050: Internal Accounting Controls

Section 020-005 identifies seven core controls principles

All of ExxonMobils controls are based on these core principles
Slide 24

SECTION 2: CORE CONTROL PRINCIPLES (020-005)

ExxonMobils 7 Pillars of Control

Slide 25

SECTION 2: CORE CONTROL PRINCIPLES (020-005)

1. Decentralization of Management
Each organizational unit is expected to:
Exercise the maximum practicable management responsibility and authority within its area of operations Be fully accountable for results

ExxonMobil's philosophy is that all employees should be empowered to get the job done following the broad direction provided by the Corporation
C O N T R O L

Slide 26

SECTION 2: CORE CONTROL PRINCIPLES (020-005)

2. Segregation of Duties & Responsibilities

Custodianship and accounting for assets should be separated No single function, department or employee should have exclusive knowledge or control over any one transaction or group of transactions Generally one must separate:
Authorization Recording of transaction Custody Independent verification

Access to systems and specific system privileges can be used to achieve adequate segregation, therefore passwords should not be disclosed

Slide 27

SECTION 2: CORE CONTROL PRINCIPLES (020-005)

3. Documentation
Commonly documented items:
Operating procedures, business events, and transactions

Why is documenting these items important?

Establishes approval & verification responsibilities Aids in proper accounting & reporting Aids in analysis and recall process Reduces chance of error Assures compliance with
Contracts Agreements Regulations Procedures
Slide 28

SECTION 2: CORE CONTROL PRINCIPLES (020-005)

4. Supervision and Review

Systematic and thoughtful supervision / review of work / performance helps to ensure that control procedures are understood and followed Managers / Supervisors use controls to ensure:
Results are in line with plans and objectives Deadlines are kept Policies and procedures are followed

Consult Manager / Supervisor to request clarification or voice concerns

Slide 29

SECTION 2: CORE CONTROL PRINCIPLES (020-005)

5. Timeliness
Records, reports and reviews should be prepared or performed on a timely and scheduled basis Timeliness permits prompt detection and repair of process problems

Slide 30

SECTION 2: CORE CONTROL PRINCIPLES (020-005)

6. Relevance to Risk
Design or extent of controls should be proportional to the nature of the risk Cost of controls should be related to the benefits Controls must also consider the following implications:
Policy Political Ethical Environmental Safety

Slide 31

SECTION 2: CORE CONTROL PRINCIPLES (020-005)

7. Minimum Interdependence of Controls

Management controls should be structured to ensure deficiencies in one control component will not compromise the effectiveness of other controls in the total system
If one control does not work, it should not compromise other controls Each control should work on its own Therefore, if an error manages to get through one control, other controls should still be able to detect it

Slide 32

SECTION 2: CORE CONTROL PRINCIPLES (020-005)

Summary
Following the seven core controls principles used by ExxonMobil will produce an effective controls environment What are the seven core controls principles?
1. 2. 3. 4. 5. 6. 7. Decentralization of Management Segregation of Duties and Responsibilities Documentation Supervision and Review Timeliness Relevance to Risk Independence of Controls

Slide 33

SECTION 3: CONTROL STANDARDS SMC Sections 040 & 050

Slide 34

SECTION 3: CONTROL STANDARDS (040 & 050)

Building Blocks of ExxonMobils SMC

Section 040 details:
The basic standards required for administrative and operating activities such as delegation of authority, planning, financing, contracting, etc.

Delegation of Authority Personnel Administration Long-term strategic planning Near-term Business Planning & Performance Monitoring Capital Investment Financing & Investment Foreign Exchange Operations Contracting Systems, Computing & Networks Safeguarding Information Other Operating Controls Derivative Instruments

Slide 35

SECTION 3: CONTROL STANDARDS (040 & 050)

Building Blocks of ExxonMobils SMC

Section 050 details:
The basic standards established to ensure the integrity and objectivity of the accounting records The basic standards established to ensure the objectives of authorization, accounting, and asset safeguarding are met

Financial Accounting Banking & Cash Funds Cash Disbursements Materials Accountability Revenues Cash Receipts Credit & Collection Property, Plant & Equipment Payroll & Employee Benefits

Slide 36

SECTION 3: CONTROL STANDARDS (040 & 050)

Building Blocks of ExxonMobils SMC

Familiarize yourself with the control standards in these sections that apply to your specific work processes Our primary focus will be on authority delegation, a critical subject area of SMC Section 040

SMC 040

SMC 050

Corporate Plan Process

Earnings Reviews Corporate Accounting Manual

GFCM Dictionary

Functional Accounting Instructions

Capital Budget Manual / Process Financial Forecasts

Slide 37

SECTION 3: CONTROL STANDARDS (040 & 050)

Delegation of Authority Guide (DOAG)

The Delegation of Authority Guide (DOAG) is one of the key inline controls within ExxonMobil

The DOAG prescribes:

The delegated authorities for specific business transactions so that business is conducted in accordance with managements directives

Overriding Principles:
No organization or individual is to exercise more authority than that which has been delegated Authority is granted to positions, not individuals Authority is limited to expenditures and transactions made within ones area of responsibility for which stewardship exists

Slide 38

SECTION 3: CONTROL STANDARDS (040 & 050)

Legal Authority and DOAG Authority

BOTH legal authority and DOAG authority must be obtained to conduct some business transactions:
Legal : Defined by local incorporated entity Operational : DOAG defined by local Board of Directors

Person legally approving (signing) is responsible to ensure they have legal authority and all DOAG approvals are in place
DOAG Authority
Granted by: Entitys Board of Directors Includes review and endorsement requirements May require shareholder final review of some transactions Must be in place to transact business in accordance with entitys System of Management Control (SMC)
Slide 39

Legal Authority
Granted by: Local legal/statutory definitions Corporate By-Laws Board Resolutions Powers of Attorney Must be in place to sign documents and legally transact business on behalf of an entity

SECTION 3: CONTROL STANDARDS (040 & 050)

Delegation of Authority Guide (DOAG)

DOAG details:
Delegation of authority through 12 profiles assigned to job positions across all functional / service organizations and affiliated companies Individuals granted authority are authorized to review only those activities / transactions that fall directly within their stewardship / accountability

DOAG parts:
Overview Preamble Profile Assignments Transaction Schedules General Use Schedule (corporate) Specific Use Schedule (by function) Local Extension (unique country) Glossary
Slide 40

SECTION 3: CONTROL STANDARDS (040 & 050)

Transaction Schedules

Schedules - always start with most specific:

Local Extensions (unique country transactions - LE noted) Specific Use Schedules (functional-specific transactions) General Use Schedule (corporate common transactions)

Organized by Key Transaction Categories:

1. 2. 3. 4. 5. 6. 7. 8. 9. 10. Organization and Corporate Matters Budget Contracts, Agreements, Leases, and Commitments Disbursements Disposition and Write-down of Assets Customer Related Transactions Litigation and Claims Emergency Response to Third Parties Release of Information to Third Parties Other Matters
Slide 41

SECTION 3: CONTROL STANDARDS (040 & 050)

How to Use the DOAG

Define delegation or decision to be made Check transaction schedules in correct order to find the transaction
Always start with the most specific (LE, SUS, then GUS)

Check Restricted column to be sure your Department has authority to final review this transaction Determine which job position has authority to approve Read and satisfy any restrictions or comments Check Endorsements column and get written ones, if needed

Use the procedure in the DOAG Overview to remind yourself of all appropriate steps!
Slide 42

SECTION 4: ORGANIZATIONAL RESPONSIBILITIES SMC Section 020-006

Slide 43

SECTION 4: ORGANIZATIONAL RESPONSIBILITIES (020-006)

Building Blocks of ExxonMobils SMC

SMC Section 020-006 defines the groups responsible for the creation and proper functioning of controls within ExxonMobil
Collectively, this forms the Checks on Systems Effectiveness Employees at all levels of the Corporation are in a position to observe and participate in ExxonMobils control system

Slide 44

SECTION 4: ORGANIZATIONAL RESPONSIBILITIES (020-006)

Responsible Groups
Management
Responsible for complying with policies and procedures

Internal Audit
Provide independent appraisals of a control system and test the systems effectiveness

Audit Committee
Advise Board of Directors on the effectiveness of control systems Monitor the work of internal and external auditors

Board of Directors
Ultimately responsible to the shareholders for the controls environment Appoint (subject to ratification by shareholders) external auditors to render an opinion on ExxonMobils consolidated financial statement

External Audit
Next slide discusses in more detail
Slide 45

SECTION 4: ORGANIZATIONAL RESPONSIBILITIES (020-006)

External Audit & SOX

PricewaterhouseCoopers (PwC) is ExxonMobils external auditor
Obligated to report any material weaknesses discovered in internal accounting controls which could have potentially material impacts on financial statements

Sarbanes-Oxley 404 (SOX) is an additional element of the external audit

SOX represents a distinct part of the larger external financial audit
No separate SOX opinion issued

Selected key internal controls over financial reporting are reviewed to evaluate their functionality
ie: entity level controls , Period End Financial Reporting (PERF)

Focused generally on the same countries annually (U.S., Canada, Germany, Benelux, Japan, Singapore)

Other countries have enacted SOX-like legislation

France, Italy, Korea, Japan, Switzerland
Slide 46

SECTION 4: ORGANIZATIONAL RESPONSIBILITIES (020-006)

Compliance Checks: Representation Letter

An annual process requiring managers at multiple levels of the organization to confirm in a letter to their supervisors that:
Transactions, including receipts and expenditures, are executed in accordance with management's general or specific authorizations All material information has been disclosed to the appropriate levels of management in a timely manner Unauthorized acquisition, use or disposition of assets that could have a material effect on the financial statements are prevented or detected in a timely manner

This letter also serves as support for the Corporation's yearend representation letters to the Board Audit Committee and various filings and certifications to the SEC

Slide 47

SECTION 4: ORGANIZATIONAL RESPONSIBILITIES (020-006)

Compliance Checks
Other elements of ExxonMobils compliance program include:
Audit & Controls reviews Process to communicate policies to new employees Annual Business Conduct Program Business Practice Reviews (every 4 years) Irregularities Reporting (8010) Influence all business partners to conduct business with highest integrity

Red Book Exception Reporting Controls Integrity Management System (CIMS)

Well discuss CIMS in the next section

Slide 48

SECTION 5: APPLICATION OF CIMS

Slide 49

SECTION 5: APPLICATION OF CIMS

Controls Integrity Management System (CIMS)

CIMS defined:
A comprehensive management system structured to promote the ongoing integrity of controls in our day-to-day business

Objective of CIMS:
To provide management with the tools they need to fulfill their responsibility for establishing and maintaining a cost effective control environment

Benefit of CIMS:
The SMC provides the broad parameters for an effective control environment; CIMS provides a consistent process to efficiently introduce appropriate controls and to sustain them over time

Slide 50

SECTION 5: APPLICATION OF CIMS

Seven Elements of CIMS

Element 1
Management Leadership Commitment and Accountability

Element 7
Controls Integrity Assessment

Element 2
Risk Assessment

Element 6
Reporting and Resolution of Control Weakness

Controls Integrity Management System

Element 3
Business Process Management and Improvement

Element 5
Management of Change

Element 4
Personnel and Training

Slide 51

SECTION 5: APPLICATION OF CIMS

Components of CIMS Elements Each Element is Supported by Five System Components

OBJECTIVES

STANDARDS

PROCEDURES

Purpose and business relevance of each element

Basic minimum requirements of each Element of CIMS which must be met.

Suggested series of steps which, when executed properly, fulfill the Standards. Alternative procedures acceptable if Standards are met.

EXPECTED RESULTS

5 VERIFICATION AND FEEDBACK MECHANISM A process exists to: Monitor performance Improve effectiveness

Desired outcomes from effective system execution Senior management ensures effective System execution

Slide 52

SECTION 5: APPLICATION OF CIMS Element 1: Management Leadership, Commitment, & Accountability Management Establishes the Framework for an Effective Controls Environment
Foster an environment encouraging prompt notification of concerns

Internal Assessments, Audit & Control Reviews Number & severity of irregularities Business Practices Review sessions

Verification & Feedback

Standards

Communicate, staff, plan, and steward controls framework

All employees recognize the importance and value of controls CIMS framework in place and functioning Sustained satisfactory audit results

Demonstrate through day-to-day activities

Expected Results

Procedures

Engage management at all levels Reinforce the importance of controls

How does your management support the controls environment?

Slide 53

SECTION 5: APPLICATION OF CIMS

Element 2: Risk Assessment

Consistent and Comprehensive Methods are Used to Assess Risk & Identify Effective Controls
Use a consistent & approved method to assess the level of risk and control requirements

Risk assessment documentation Risk assessments of new or changed processes

Verification & Feedback

Standards

Involve the right people in the risk assessment process

Risk assessments are consistent and comprehensive Clear ownership and accountability for controls in high-risk business processes

Use the CIMS or other approved risk assessment tool to classify risk

Expected Results

Procedures

Identify, document, and assign ownership for high risk business processes

Why is the risk assessment process important?

Slide 54

SECTION 5: APPLICATION OF CIMS

Element 3: Business Process Management & Improvement

Appropriate Control Steps are Integrated into Business Processes & Control Improvements are Continuously Sought
Implement controls consistent with the SMC-Basic Standards

Controls performance indicators Business performance indicators

Verification & Feedback

Standards

Maintain controls catalogs & selfassessment templates for high risk business processes

Approved, global processes are used Controls responsibilities are defined, understood, and effectively executed Improvements sought

Document controls steps and procedures in controls catalogs

Expected Results

Procedures

Utilize global common processes and practices where appropriate

What are some examples of control steps in your work processes?

Slide 55

SECTION 5: APPLICATION OF CIMS

Element 4: Personnel & Training

Personnel have Sufficient Controls Knowledge & Experience to Fulfill the Control Requirements of their Position

% of employees receiving SMC, SBC, and formal controls training Use of a job handover process

Identify and provide controls training consistent with job requirements

Verification & Feedback

Standards

Periodically review and assess controls training needs

Personnel know and understand the controls requirements of their positions, especially those with controls functions in high-risk business processes

Attend general controls training! Utilize job hand-over process for individuals moved to a new position Highlight controls responsibilities in controls catalogs

Expected Results

Procedures

Do you know and understand your controls requirements?

Slide 56

SECTION 5: APPLICATION OF CIMS

Element 5: Management of Change

A Systematic Change Management Approach is in Place

% of personnel moves for which a job hand-over checklist was completed Existence of change management plans developed and approved in advance

Evaluate the impact of change on controls and related risks

Verification & Feedback

Standards

Maintain controls during the change Communicate and document impacts

Appropriate business controls are in place during and after the change Monitoring process exists to confirm that the change was properly implemented

Establish R&R for managing change Identify potential changes that may impact business controls Define, document, approve, and manage the change

Expected Results

Procedures

What are some consequences of poor change management?

Slide 57

SECTION 5: APPLICATION OF CIMS

Element 6: Reporting & Resolution of Control Weaknesses

Control Weaknesses, Irregularities, & Business Practice Issues are Promptly Communicated to Management & Addressed
Formal process exists to record, report, and resolve controls weaknesses

Audit & internal assessment gaps not closed within 6 months Number of repeat audit comments & irregularities

Verification & Feedback

Standards

Issues and action plans are documented Steward resolution timeliness

Prompt identification, reporting, and resolution of control weaknesses Sharing of lessons learned and corrective actions

Expected Results

Procedures

Reporting tool used to track and report control weaknesses, action plans, and resolution Report on business control plans and controls performance indicators

What is your role in reporting and resolving control weaknesses?

Slide 58

SECTION 5: APPLICATION OF CIMS

Element 7: Controls Integrity Assessment

A Structured Approach is Used to Assess Compliance with CIMS
Number of internal assessments completed according to plan Identification and closure of control gaps CIMS assessment scores

Internal assessments and audits are part of the assessment process

Verification & Feedback

Standards

CIMS scoring mechanism is used to measure CIMS compliance and monitor progress

Internal assessments evaluate compliance with agreed business controls and include CIMS assessment Internal assessments are adequately documented

Develop & maintain plan for regular internal assessments at mid-point of audit

Expected Results

Procedures

Conduct CIMS assessment and scoring concurrent with internal assessment

Do you have experience participating in an internal assessment?

Slide 59

SECTION 5: APPLICATION OF CIMS

CIMS Compliance Activities

How do you participate in CIMS compliance activities?
Completion of this training module Participation in periodic Unit Internal Assessments (UIA) Use of job hand-over checklist Attendance at Business Practice Reviews Effectively and permanently closing identified control gaps

Slide 60

SECTION 5: APPLICATION OF CIMS

Summary
CIMS is a structured and common process for establishing effective controls, compliance monitoring, and the timely resolution of control weaknesses What are the seven CIMS elements?
1. 2. 3. 4. 5. 6. 7. Management Leadership, Commitment, & Accountability Risk Assessment Business Process Management & Improvement Personnel & Training Management of Change Reporting & Resolution of Control Weaknesses Controls Integrity Assessment

Slide 61

SUMMARY

Key Messages
Controls are designed to mitigate risk (financial, regulatory, reputation) and assure orderly and predictable execution of management plans Controls should always be practical and their purpose should be clearly understood by those who execute them Controls should always be cost effective; the cost of introducing and maintaining a control should not exceed the benefit to be derived or exposure to be mitigated More controls do not necessarily result in better control; we need to periodically evaluate the continued relevance of controls in place

Bottom line is : Controls must make business sense

Slide 62

SUMMARY

Components of ExxonMobils Controls Framework

Corporate Policies System of Management Control Basic Standards (SMC)

CONTROL FRAMEWORK

+
PROPER EXECUTION

In-Line Controls (e.g. Delegation of Authority Guide (DOAG)) Compliance Checks (e.g. Internal Assessments) Controls Integrity Management System (CIMS)

=
EFFECTIVE CONTROL ENVIRONMENT

Slide 63

SUMMARY

Your Roles and Responsibilities

Know your business objectives Know and understand the controls and processes which apply to you and your job Know your risk areas Follow policies and procedures dont make changes without review and approval Dont sign/approve unless completely satisfied If in doubt, ask or report!

Slide 64

SUMMARY

Additional Resources
Policy Booklets (SMC, SBC, CIMS, Manuals) Corporate Controllers Intranet Departmental Line Management
Supervisor Manager

Controls Advisor Controller Area Audit Manager

Slide 65

SUMMARY

Intranet Resources
Corporate Controllers Intranet

DOAG SMC CIMS MPI SOX Rep Letter

Slide 66

SUMMARY

Intranet Resources
Corporate Controllers Intranet

Standards of Business Conduct

Business Practices Review

Slide 67

BACK UP

SECTION 3: CONTROL STANDARDS (040 & 050)

Sample Profile List - Upstream

Exploration 1 2 3 4 5 6 7 Corp President Exec. V.P. V.P. Operations Mgr Business Analysis Mgr Project Mgr Development Project Corp President Exec. V.P. V.P. Project Executive Project Mgr Project Engineer Production Corp President Exec. V.P. V.P. Production Mgr Producing Operations Mgr Operations Mgr Gas & Power Marketing Corp President V.P. Operations Manager Business Analysis Mgr Managers Commercial Resources Supervisors Commercial Resources Supply Advisors Admin Asst Research Corp President V.P. R&E Div. Mgr Research Mgr Bus. Serv. Corp V.P. U/S Treasurer Group Controller Country Controller Large Country Controller Small Revenue Accounting Mgr Accounting Supervisor Advisor Admin Asst

Commercial Transactions Mgr Business Unit Supervisor Admin Asst

SHE Project Manager Project Superintendent Lead Engineer Engineer Admin Asst

Operations Superintendent Land Supervisor Field Supervisor Tech Staff Admin Asst

R&E Supervisor

9 10 11 12

Training Supervisor Shop Supervisor Team Lead -

Slide 70

Controls Awareness Training Post-Session Exercise

This exercise should be completed as soon as possible after you return from class. You should work it with your supervisor or a person designated by your supervisor (such as a Controls Advisor). The exercise should take approximately one hour, and this exercise is designed to help you apply the control concepts learned in class to your current assignment. Post-Class Exercises: 1. In your current job, when might you need to access the following items? ExxonMobil's System of Management Controls: Basic Standards (Red Book) Delegation of Authority Guide (DOAG) Applicable Accounting Manuals

2. What departmental guidelines or procedures does your workgroup have in place for controls? In your current assignment, how are you involved? Company Plan Process Representation Letter Process Business Practice Reviews Risk & Self Assessment Processes "Red Book" Exception Reporting Irregularities reporting

3. For a major business task that you perform, walk through the control principles involved. If a Controls Template or Catalog exists for the process, review the control principles.

4. What is an example of something you might need to look up in the DOAG? Show your understanding of how to look it up by explaining the process you would follow?