SAP Advisory Services
Contents
• Risk & Challenges in an ERP system
• History of Financial Frauds
• About EW Consultants India
• Our Services
• Our Solution
• Benefits to your organization
Risk & Challenges in an ERP system
For Discussion Purposes Only
Corporations across the world are highly concerned about the security of their Enterprise Resource Planning (ERP) systems, such as SAP, against threats like fraud and intrusion that affect the integrity of their business. They require their policies and procedures to be tightened and their systems to be secured.
These corporations face some challenges in their day-to-day business:
• "We should have considered SoD while granting access"
• "Does my ERP system have sufficient password and user access security controls?"
• "I don't know how the vendor got paid twice?"
• "ERP team is spending a lot of unproductive time on maintenance"
• "Is my system prone to access intrusions?"
• "Auditor declared system controls to be ineffective"
• "Our ERP implementation team never gave us the controls"
• "How do I design business controls in my ERP?"
What is the Solution???
History of Financial Frauds
Source: www.wikipedia.org
Year | Company | Audit Firm | Type of Fraud
2010 | Lehman Brothers | Ernst & Young | Failure to disclose Repo 105 transactions to investors
2009 | Satyam Computer Services | PWC | Falsified accounts
2004 | AIG | PWC | Accounting of structured financial deals
2002 | WorldCom | Arthur Andersen | Overstated cash flows
2002 | Kmart | PWC | Misleading accounting practices
2001 | Enron | Arthur Andersen | Corporate fraud and corruption
2000 | Xerox | KPMG | Falsifying financial results
India’s Fraud Survey 2010
Source: KPMG
2009 CSI Computer Crime Survey
Per the 2009 CSI Computer Crime and Security Survey, “…change of greatest concern is that financial fraud increased from only 12 percent of respondents to 19.5 percent of respondents. This is reason for concern because financial fraud consistently causes victim organizations huge losses—almost $450,000 (₹ 2 Crs) per victim organization this year…”
About EW Consultants India
About Us
We would like to introduce ourselves as an ERP advisory consultant offering a wide suite of specialist services to our clients, ranging from ERP risk advisory and ERP selection to corporate training and outsourcing. We provide value-added service to our clients in the most cost-effective manner.
We have a network of dedicated and highly qualified freelance professionals who have worked on ERP and IT Risk Advisory projects across 8 countries, including US and UK. Our team comprises Certified SAP professionals, CAs, MBAs and Engineers from a Big4 background, with extensive experience in rendering ERP advisory services. Along with the SAP ECC system, our team has hands-on experience working with tools such as SAP GRC Access Controls and Approva Bizright Access Controls.
Our Service capabilities:
SAP Business Process Controls Audit
SAP Basis Security and Segregation of Duties Controls Audit
SAP Controls Audit Procedure Documentation
ERP Audit Project Management
Sarbanes Oxley (SOX) Compliance Assistance
ERP Product and Vendor Selection
ERP Audit Tools Development
ERP / Corporate Trainings
Director Profile
Industry Experience: over 7 years
• Ernst & Young
• EXL Service
• SAPient Consulting
Qualifications:
• MBA in Finance
• SAP Certified Consultant
• SAP Security trained (from SAP India)
• SAP GRC Access Controls trained (from SAP India)
• Project Management trained (from PMI)
Areas of Expertise:
• SAP Risk & Controls Advisory
• SAP Business Process Controls Audit
• SAP Security & Segregation of Duties Control Audit
• ERP Trainings
• ERP Audit Project Management
• Sarbanes Oxley (SOX) Compliance Assistance
• ERP Product and Vendor Selection
• ERP Audit Tools Development
Credentials
Industry | Clients
Diversified Business | Essar Group, India
Beverages | Diageo Plc, UK; Dr Pepper Snapple Group Inc., USA
Insurance | Chartis ("AIG") UAE, Hong Kong, Malaysia, Indonesia, Thailand, Philippines, Vietnam, Taiwan
IT Services | VOLT Information Sciences Inc., USA; Covansys Corp. Inc., USA; Infosys Technologies, India
Energy | Centrica Plc, UK; Enercon India Ltd; ONGC Ltd., India
FMCG and Consumer Goods | ITC Ltd, India; Philips India Ltd.
Retail | Pantaloon Retail India Ltd.; Welspun India Ltd.
Engineering and Electrical Equipment | Larsen & Toubro Ltd., India; Havell's India Ltd.; Bharat Bijlee Ltd., India
Telecommunication | VSNL Ltd., India
Pharmaceutical | Duane Reade Inc, USA; Glenmark Pharmaceutical Ltd., India
Metals and Minerals | ISPAT Industries Ltd., India; BALCO Ltd., India
Worked for Fortune 500 clients in over 8 countries including USA, UK, Hong Kong, India, etc.
Our Services
Before Go-live
• Best-fit solution: ERP Product selection; ERP Implementation partner selection; Project risk management
• Business Blueprint Review: Identify and suggest controls as part of BBP; Benchmark TO-BE process to Leading practices
• Pre Go-Live Readiness Assessment: A quick check of the status of critical master data, organizational elements, configurable controls, process integrations, system and user security before Go-Live; Verify if suggested controls are designed and implemented
After Go-Live
• Quick Scan Review: A quick check to identify and fix "High Risk" issues
• SAP Business Controls Review: A detailed review of key business processes having financial implication
• SAP Security Controls Review: A detailed review of Basis security, access to critical transactions and Segregation of duties (SoD)
• Audit Work Program Documentation: Preparation of detailed work program that will enable the Internal Audit team to conduct rigorous audit of the SAP system
Corporate Training
• SAP Core team training: Preparing the SAP Core team for supporting the SAP ECC system
• SAP End-user training: Preparing the SAP End-user team for working on the SAP ECC system
• Auditing an ERP system training: Preparing the Internal audit team for sustainable audit of the SAP ECC system
• Fundamentals of ERP system training: Preparing the organization for an upcoming implementation of the SAP ECC system
Our Value Chain Approach
• Understand business process
• Identify potential risks
• Develop control framework
• Document audit program
• Conduct test of controls
• Report gaps & suggest solutions
• Train Internal Audit team
Financial Accounting; Materials Management; Sales & Distribution; Basis Security & User Administration
Our Solution
Assess
Key Activities
• Obtain the existing business process documents or "Role & Responsibility" matrix to identify critical business functions (if available)
• Understand the key requirements and challenges related to user access with the process owners
• Identify potential Segregation of duties (SoD) conflicts and design a SoD matrix based on the leading industry practices
• Obtain the access privilege information including users and system roles
Deliverables
• Risk Assessment Document
• Segregation of Duties Matrix for functional transactions
Review
Key Activities
• Perform a SoD conflict assessment based on the SoD matrix for the following parameters:
  - Conflict within Role assigned to a user
  - Conflict between Roles
  - Conflict arising due to direct assignment of access privileges to a user
• Review the identified conflicts with respect to the roles & responsibility matrix
Deliverables
• Identified Segregation of Duties conflicts
Recommend
Key Activities
• Discuss the key observations with the process owners / project team
• Recommend leading industry solution to resolve the identified conflicts
• Assist in re-designing the change management procedure for user access to build SoD controls
Deliverables
• Segregation of Duties Conflict Report with recommendations
Benefits to your Organization
A few of the benefits that your organization will derive from your SAP system after our services:
• Secured ERP system: Secured and robust SAP environment from both internal and external threats such as unauthorized usage, fraud, intrusion, etc.
• Reduction in time & cost: Re-aligned user access/security practices and procedures may help the management in effective utilization of ERP resources, leading to reduction of unproductive time and cost
• Compliance support: Controls-ready SAP system to meet any existing or upcoming statutory compliance requirement
• Leading practices: Benchmarking your SAP system to the leading industry SoD control practices to optimize your ROI
• Streamlined process: Efficient and effective change management process, with procedural changes that cover areas of concern like SoD
• Maximizing configurable controls: Leveraging the available automated controls using the existing SAP configuration and reducing the manual efforts
Annexure
Case Study – Establishing Segregation of Duties (SOD)
We helped a top Indian FMCG implement robust SOD controls over their SAP system across business entities
Situation
Our client invested heavily in SAP across its business entities. Due to the large team size, access to their key financial reporting application (SAP) became unmanageable. Also, the lack of proper controls was becoming an increasing concern for the company's auditors.
Key Issues
• Identification and elimination of existing SOD conflicts
• Restricting and re-designing user access per roles and responsibilities
• Streamline the process of user-role administration
Outcome
• SOD has been established for all the key business modules of SAP across entities based on the SOD matrix developed for the client
• Assisted in establishing a control mechanism for granting access to SAP System
• Ensured a consistent and streamlined approach to ongoing compliance
• Identified and removed a substantial number of inappropriate user access across business entities
Approach
Establish an SOD Matrix
• Established inventory list of all transactions at the process level per module
• Identified critical transactions from the above list
• Mapped each critical transaction with SAP roles and permission list
• Established an SOD matrix based on the conflicts between critical transactions
SOD Conflict Analysis
• Analyzed SAP roles and users based on the SOD Matrix to identify any existing conflicts
• Conflicts were identified at the following levels:
  - SAP Roles
  - Users assigned to conflicting roles
  - Critical authorization objects and values within transaction codes with special emphasis on "*" value
Remediation
• Identified access privileges in SAP that need to be segregated to eliminate existing conflicts
• Mitigating controls were identified for conflicts that could not be eliminated
• Presented findings to Executive Committee
SOD Conflict Matrix - Record to Report
Columns (A to I): Create GL Account, Change GL Account, Create Journal Entry, Approve Journal Entry, Post Journal Entry, Change Document, Maintain Accounting Period, Payment Entry, Voucher Entry/Batch Creation
LHS/ RHS Activity Group A B C D E F G H I
Create GL Account A X X X X X X
Change GL Account B X X X X
Create Journal Entry C X X X
Approve Journal Entry D X X X
Post Journal Entry E X X X X
Change Document F X X
Maintain Accounting Period G X X X
Payment Entry H X X
Voucher Entry/Batch Creation I X
SOD Conflict Matrix for Record to Report Process
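The conflict levels named under Review and under SOD Conflict Analysis (within one role, between a user's roles, through direct assignment, and through "*" values) can be checked mechanically once the matrix exists. The Python below is an added example, not EW Consultants' tooling; the conflicting pairs, role names and users are constructed for illustration and are not the client matrix shown above.

```python
# Added example: SoD conflict analysis over constructed data.
# The matrix pairs, role names and users below are illustrative assumptions.
SOD_MATRIX = {  # unordered pairs of activities one person must not combine
    frozenset({"Create Journal Entry", "Approve Journal Entry"}),
    frozenset({"Create Journal Entry", "Post Journal Entry"}),
    frozenset({"Create GL Account", "Post Journal Entry"}),
    frozenset({"Maintain Accounting Period", "Post Journal Entry"}),
}
ALL_ACTIVITIES = frozenset().union(*SOD_MATRIX)

ROLES = {  # role -> activities it grants ("*" = wildcard authorization value)
    "Z_GL_CLERK": {"Create Journal Entry"},
    "Z_GL_APPROVER": {"Approve Journal Entry"},
    "Z_GL_MASTER": {"Create GL Account", "Post Journal Entry"},
    "Z_FI_ALL": {"*"},
}
USER_ROLES = {"ALICE": ["Z_GL_CLERK", "Z_GL_APPROVER"], "BOB": ["Z_GL_CLERK"],
              "CAROL": ["Z_GL_MASTER"], "DAVE": ["Z_FI_ALL"]}
DIRECT = {"BOB": {"Post Journal Entry"}}  # privileges granted outside any role

def expand(acts):
    """A "*" value is treated as access to every activity in the matrix."""
    return set(ALL_ACTIVITIES) if "*" in acts else set(acts)

def conflicts(acts):
    """Sorted list of matrix pairs fully contained in a set of activities."""
    return sorted(tuple(sorted(p)) for p in SOD_MATRIX if p <= acts)

def analyse_user(user):
    """Return (level, activity_a, activity_b) for each conflict a user holds."""
    source = {}  # activity -> where the user gets it (role names or "DIRECT")
    for role in USER_ROLES.get(user, []):
        for act in expand(ROLES[role]):
            source.setdefault(act, set()).add(role)
    for act in expand(DIRECT.get(user, set())):
        source.setdefault(act, set()).add("DIRECT")
    findings = []
    for a, b in conflicts(set(source)):
        if (source[a] & source[b]) - {"DIRECT"}:
            level = "within role"        # one role grants both sides
        elif "DIRECT" in source[a] | source[b]:
            level = "direct assignment"  # a side comes from outside any role
        else:
            level = "between roles"      # sides come from different roles
        findings.append((level, a, b))
    return findings
```

Running `conflicts(expand(ROLES[name]))` per role gives the role-level findings; `analyse_user` gives the user-level ones, and a wildcard role surfaces every pair in the matrix.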
Case Study – SAP Configurable Controls
We helped a leading US beverages company in identification, validation and documentation of SAP Configurable controls
Situation
Our client was in the first year of SOX compliance and was facing difficulties in identification of SAP application controls. Due to lack of in-house capabilities this process was delayed and auditors raised concerns about meeting deadlines.
Key Issues
• No defined risk and controls framework
• Multiple SAP instances operating across global geographies with different SAP versions
• Company had recently undergone a transformation with major staff movements
Outcome
• Identification of SAP configurable controls and their mapping with existing SOX RCM
• Detailed documentation of control test scripts with step-by-step procedures to facilitate
• Sustainable SAP configurable controls audit process for SOX compliance
• Gap report detailing the issue and remediation solution
• Facilitated the client to leverage automated controls and reduce reliance on manual controls, thereby optimizing cost of compliance
Approach
Identification
• Obtain high level understanding of SAP architecture covering in-scope modules, functional features, key interfaces and customizations
• Review current business process documents including existing process narratives and controls documentation to assimilate information on controls
• Map key SOX application controls for SAP based on process understanding, available controls libraries and industry best practices
Validation
• Conduct system review to verify existence of identified controls
• Validate the controls implementation and assess design effectiveness of controls
• Highlight gaps within tested controls to management and provide guidance for improvement opportunities
Documentation
• Update/detail existing control descriptions including specific configurations relating to workflows, authorizations, SODs and access specific considerations
• Create control test plan strategy based on control type, audit tool/report availability and artifact requirements
• Identify key testable attributes of each control based on acceptable configuration settings and management defined criteria
• Document detailed audit procedures to test the design and operating effectiveness of the identified controls including artifact requirements
Sample Deliverables
Sample Deliverables - Dashboard
Sample Deliverables - Report
Sample Deliverables - Deliverables
End of Presentation. Thanks.
For enquiries and more, please contact:
Gourav Ladha
Director, EW Consultants India
MBA, SAP Certified
Mobile #: +91-971-295-295-5
Website: www.ewcindia.co.in
Email: [email protected]