This "case study" is the latest in a series of articles aimed at helping public companies understand how other organizations are using technology to comply with new regulations and standards. These are not advertisements or marketing vehicles for the companies mentioned; Compliance Week's editorial staff speaks with the public company that has deployed the technology, and the article is written without the input—and in many cases the knowledge—of the vendor.

DETAILS

THE COMPANY

Company: Chevron Corp.
HQ: San Ramon, CA
Employees: 59,000
Industry: Oil
'05 Revenue: $185 billion
'05 Net income: $14.1 billion

THE CHALLENGE

Chevron Corp., one of the largest oil and energy businesses in the world, had to adapt its enterprise risk management systems to identify key controls for Sarbanes-Oxley and test those controls as necessary, depending on their risk values.

SOLUTION CHOSEN

Brabeion Software (a spinoff from PwC), which gave Chevron a library of best practices for controls, against which Chevron could measure its own policies and detect which controls had a higher risk of weaknesses.


With $185 billion in revenue and 59,000 employees in 180 countries, energy giant Chevron Corp. is no stranger to the need for risk management. So when the Sarbanes-Oxley Act came along with its calls for a risk-based approach to assessing internal control over financial reporting, Chevron executives knew just what to do—because they had instituted just such a risk-based system years ago.

The roots of Chevron’s risk management system go back to 2001, when the company acquired fellow energy business Texaco Corp. Chevron smoothed the way for that transaction by first establishing an enterprise-wide process to define and prioritize policies, standards and controls related to compliance and securities issues. Using an IT risk management framework developed by PricewaterhouseCoopers (Chevron’s outside auditor), the company ran penetration audits that identified vulnerabilities and compliance gaps, and those findings made the case for a system-wide IT risk management solution.

Consequently, says Jay White, a Chevron “global information protection architect,” when SOX appeared with its internal control assessments deadline in 2004, the company had an enterprise software solution able to “turn on a dime” since it had already identified the company’s key controls and processes. Essentially, Chevron had only to enter SOX compliance requirements and its IT solution told it how to comply.

For example, White says, Chevron’s enterprise standards require strong authentication and authorization to access information; SOX requires limiting access to financial information to select users. “So we aligned the two and quickly determined we were compliant with SOX in this area,” White says.

Chevron evaluates which controls, processes and accounts to examine using two criteria: application criticality, where an application’s unavailability may affect the integrity of financial reporting; and how a set of data should be classified and treated (for example, how long it should be stored), which might have a material bearing on financial statements. With those guidelines in place, White says, Chevron can assess the risk of various internal controls, establish the scope of internal control audits, and determine the amount of management testing needed.

Alignment And External Auditors

To conduct the actual risk assessments for internal controls, Chevron tapped Brabeion Software—a spinoff from PwC that provides risk management tools and a library of the best practices in security, controls and standards, bundled together as the Enterprise Security Architecture System. The software helps Chevron executives like White identify where the company’s existing controls don’t match up to best practices. PwC maintains an alliance with Brabeion to update the content of its library.


“Before ESAS, Chevron did not have a single source of documented standards and best practices,” White says. “ESAS provided a tool to facilitate Chevron’s documentation of best practices by linking Chevron standards with regulatory requirements with key technologies used to facilitate compliance.”

Once Chevron identifies controls that don’t match best practices and what policies or procedures it would need to close that gap, executives then add the company’s risk appetite to identify processes and controls that generate or affect material accounts—and which therefore should get high priority for testing purposes or perhaps be strengthened if the risks are too great.

Cynics might question the ties between Brabeion and PwC, but White sees the relationship as a plus because it aligns the external auditor’s incentives with making sure Chevron’s IT systems are effective and up-to-date. Indeed, the arrangement addresses what many consider a chief source of SOX costs: open-ended audit boundaries. White says PwC has not pushed to expand audit boundaries beyond those identified by the Brabeion software.

According to White, the improvements in process efficiencies in meeting Section 404 translate into significant cost avoidance. “Chevron was able to leverage existing value-added controls unlike most organizations that had to develop controls from scratch,” he says. As a result of Chevron’s aggressive approach, “the controls had already been tested for business value.”

Chevron now wants to develop an IT solution for monitoring compliance on a continuous basis. This is expected to provide a more granular view of compliance, tackling issues such as privacy, intellectual property and import-export rules. “It’s a plug-and-play approach to compliance,” White says. Although the project is large and estimated to cost in the millions, he expects the effort to pay for itself through cost savings within two years.

Costs And Benefits

In hindsight, White says, the two biggest hurdles in implementing the process were organizational and cultural. Given Chevron’s enormous size and complexity, Section 404 created “a tremendous challenge in both getting consensus and rolling out the process in a timely fashion.”

Implementing the top-down, standards-based approach Brabeion offered did conflict with Chevron’s traditional culture of decentralized decision-making. To achieve support for the new system, the company first created a “standards review board” with representatives from each business unit in the company. That vanguard then introduced the new approach to the whole of Chevron.

One unanticipated benefit of that process, White says, was increased awareness and clarity around the roles and responsibilities of employees. Today policy standards are “ingrained in the decision-making of Chevron’s employees, such that when they work with vendors there is a clear mandate that the solution must be compliant with Chevron’s information protection policies and standards, and those standards are SOX compliant,” he says.

Unexpected costs surfaced as well. In addition to tremendous documentation effort, White says, “the time required to make a decision establishing or changing a standard is extended, due to the [company-wide] governance, which engages the entire enterprise.” Chevron’s sheer scale and complexity make a top-down approach much slower than the company’s decentralized, employee-empowered method, he says.

As the deadline for non-accelerated filers now looms in 2007, what lessons can smaller public companies glean from Chevron’s experience? White admits he has a hard time imagining a company smaller than $5 billion in market capitalization capable of developing the process Chevron undertook; it is that resource-intensive.

Still, White says that small companies can benefit from the existing software tools that have been tested by large and small enterprises. They provide an aggregation of the best risk-based compliance practices, around which managements can build their own processes. And of course, large or small, Chevron’s experience indicates that there is a benefit in companies taking a proactive approach.