government and sox compliance for erp systems
TRANSCRIPT
Contact Information
• Dan Aldridge, CEO, Performa Apps
• e-mail: [email protected]
• website: www.inforln.com/wp
• linkedin: Dan Aldridge
• twitter: @Danaldridge1
Agenda
Introduction DynaFlow
Governance Risk & Compliance / Enterprise Risk
Management
Segregation of Duties for Baan / LN
Impact on ERP implementation
Contact details: Aart de Glint
Phone +31 318 479712
Mobile +31 654 392046
DynaFlow Profile
Main Facts:
Established in 1997
Private company HQ in Canada
Partners in USA, France, Netherlands, Norway, India, Thailand and Australia
Main mission:
To enable global companies to become “Simply in Control” by proactively
managing enterprise risks, demonstrating compliance and automating and
optimizing business processes.
Dedicated to providing its clients a fast ROI through a short and structured implementation
Professional Services:
Implementation and Training
Compliance & Audit Support
Process Optimization
Solution Hosting Services
DynaFlow: Makes it EZ for...
Cooking the Books
http://www.cbsnews.com/video/watch/?id=859384n
Mr. Ebbers (WorldCom), Mr. Lay (Enron), Mr. Kozlowski (Tyco)
Regulation - The Hot Potato
SOX
C-SOX
J-SOX
‘Euro-SOX’
SAS-70
Code Tabaksblat
Code Lippens
8th EU Directive
Clinger Cohen
21 CFR Part 11
IFRS
Basel-II
Loi sur La Sécurité Financière (LSF)
BilMoG
Governance, Risk Management & Compliance
Governance describes the overall management approach through which senior executives direct and control the entire organization, using a combination of management information and hierarchical management control structures. Governance activities ensure that critical management information reaching the executive team is sufficiently complete, accurate and timely to enable appropriate management decision making, and provide the control mechanisms to ensure that strategies, directions and instructions from management are carried out systematically and effectively.
Risk management is the set of processes through which management identifies, analyzes, and, where necessary, responds appropriately to risks that might adversely affect realization of the organization's business objectives. The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, accepting or transferring them to a third party. Whereas organizations routinely manage a wide range of risks (e.g. technological risks, commercial/financial risks, information security risks etc.), external legal and regulatory compliance risks are arguably the key issue in GRC.
Compliance means conforming with stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined for example in laws, regulations, contracts, strategies and policies), assess the state of compliance, assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions deemed necessary.
GRC/ERM Support at all levels
Levels of GRC model
Continuous monitoring as part of normal business process
Strategical
Tactical
Operational
•Policy
•Enterprise Risk Management (Strategic)
•Integrated Compliance Frameworks
•Consolidated Dashboards (Control Statements)
•Procedures
•Process Risk Analysis (Tactical)
•Process & Internal Control Design & Maintenance
•Review (workflow)
•Monitoring Efficiency of Internal Controls
•Embedded testing & test evidence
•Document Management System
•KPI/”In Control” reports
Purchasing, Warehouse Management, Manufacturing, Sales & Distribution
• Review
• Test
Compliance – Why is this important
Corporate & Executive Responsibility & Liability
Policy Interpretation
Implementation Cost
Overhead
Tightened Credit Lines
Premium Insurance Fees
Fear of Reputation Damage
Audit Cost
Regulation
From Regulation to Compliance
SOX
HIPAA
BASEL II
Etc.
ERM
COSO-II
COBIT
...
Regulations
Implementation Framework
Policy & Procedure Implementation
Business Controls:
- Information delivery
- Resource access and use
- Risk mitigation
- ...
Demonstration of Compliance
Evidence Collection
Audit
People, Processes, Technology, Facilities, Data
establish, document, test
Business Risks
SOX Section 404 – Internal Control
Assessment of internal control
“The most contentious aspect of SOX is Section 404,
which requires management and the external auditor to
report on the adequacy of the company's internal
control over financial reporting (ICFR). This is the
most costly aspect of the legislation for companies to
implement, as documenting and testing important
financial manual and automated controls requires
enormous effort.”
http://www.heritage.org/CDA/upload/SOX-CDA-edited-3.pdf
SOX Internal Control Requirements
Documentation
Detailed Process description
Process flowchart (preferable)
Business Risk Assessments
Risk Control Matrix (RCM)
Testing
Annual walkthrough of each process.
Testing of key controls.
Periodic Reviews
Review of process steps and controls
Updating of all documentation
Annual External IC Audit
Essentially an external validation that you did 1 through 3 above.
The auditor would use a predefined “checklist”.
Risk / Control Matrix
Control descriptions (the five column headers of the matrix, in the order the columns appear):
ACP-C01: All non-PO invoices received at month end are entered into the system within 3 days of month-end to ensure proper inclusion into Accounts Payable.
ACP-C04: For production invoices, invoices can only be entered into the system for automatic matching if a valid PO and receipt are already in the system. The system populates the invoice price and due date information from the PO information.
ACP-C16: All unmatched PO invoices are forwarded to purchasing for follow-up.
PUR-C11: All purchase orders and non-PO invoices are reviewed, including ledger account coding, and are authorized in accordance with company policy.
INV-C18: Cycle counts that result in a difference from perpetual quantity outside limits set by company policy are reviewed; items with a variance deemed to be material are recounted.

RISK / CONTROL MATRIX
Risk | Auditor Assertion | Control marks (across ACP-C01, ACP-C04, ACP-C16, PUR-C11, INV-C18)
R007 What ensures that purchases are recorded into the proper accounting period? | Completeness | PC
R011 What ensures that invoice prices, quantities and other valuation information is correct? | Completeness, E/O, M/V | PC, PC
R042 What ensures that duplicate and/or fictitious purchases are not recorded? | Existence/Occurrence | PC, PC
R075 What ensures that perpetual inventory records reflect proper quantities and amounts? | Existence/Occurrence | PC, DC
R079 What ensures that perpetual-to-physical inventory adjustments are correctly calculated and recorded? | Completeness, Measurement/Valuation | DC
R093 What ensures that inventory counts, compilations and descriptions are accurate? | Measurement/Valuation | DC
PC = Preventive Control
DC = Detective Control
Enterprise Risk Management (ERM/GRC)
The key pains & challenges: Extra burden “on top” of running the company
Draining resources from critical projects
Absence of clear and documented guidelines
Absence of automation
Cannot be postponed (scheduled audits)
Cost (with NO tangible ROI)
The proposed approach & resolution: Leverage pre-defined knowledge via libraries
Avoid multiple partial systems (and integration burden)
Automate as much as possible tedious and large-volume tasks
How DynaFlow supports ERM/GRC
Business Risks & Business Controls Library
2,500+ pre-defined Controls, Risks and relationships
Certified Best Practices / Benchmark
For all regional & industry-specific regulations (SOX, Basel-II, L262, FDA, HIPAA, IFRS, ISO, etc.)
To address all auditing/auditors' requirements
Automated Business Control Execution
Testing Schedules with automated notification & testing
Real-time monitoring & alerts for testers and Mgmt
Evidence Collection & audit trail
Dynamic Risk and Business Control Monitoring
Key Performance & Risks Indicators Dashboard (+ mobile)
Audit Support
Combination of Solution, Libraries and Services
Segregation of Duties (SoD)
The key pains & challenges: Now a Critical Business Control for ALL organizations
Involves a large volume of data (i.e. Typical = 200,000+ authorizations in Baan alone)
Needs to be done across Systems (ERP) and for ALL access types
Is a recurring process due to constant changes
The proposed approach & resolution: Automation, automation and automation!
Cross-Applications ERM & SoD
Process Diagram, Employees, User Roles, Applications
Access Mgmt
Business Controls, Business Risks
Compliance Mgmt
Business Processes & Controls Integr.
SoD Business Conflicts, Conflict Resolution, SoD Conflict Rules
SoD Mgmt
Documents
Document Mgmt
EZ-Compliance SoD Scan
Mapics, Hyperion, BPCS, …
Network Access, Facility Access, Security Badges, …
Mapics, Ceridian, …
Master SoD Matrix
Over 400+ SoD “zones” to be validated
The LN / Baan SoD Rules Library
Introduced in 2005
Required 2 years of initial development, and is updated regularly
Content and design validated by CFOs, Controllers, SOX Senior Consultants, Baan Specialists, etc.
Covers all Baan versions (Triton, Baan IV, ERP-5, LN)
Compliant with Baan Tools and DEM authorizations
Verifies 22,000+ Baan session combinations for SoD violations (with violation rating) to validate 400+ SoD-sensitive “zones”
Auditors such as E&Y, KPMG, D&T, PWC and Grant Thornton validated the completeness and accuracy of the Baan SoD Rules by successfully certifying all EZ-Compliance clients as SoD/SOX compliant.
EZ-Compliance Automated SoD Scan
Inputs: Employees, Roles, Corp-wide Applications, Business Controls, Business Processes
Import sources: Visio, DEM, LDAP, ERP, Oracle
Access Scan (1): Employee / Applications Access List
Conflict Scan (2): SoD Conflict Rules, SOX – SoD Conflicts List
Resolution Scan (3): SoD Resolution Rules, Mitigation Controls, Mitigated Conflicts List
Libraries: SoD Library, Business Risks
SoD Conflicting Areas Matrix
Click to view detailed business functions & conflicts found
The automated SoD cycle
Import of updated authorizations from all Enterprise Applications (ERP import, weekly or daily)
Identification of SoD conflicts & related business risks
Resolution of conflicts with known patterns
Notification of new conflicts to internal audit team and/or process owners
Investigation, resolution and mitigation of SoD risks
Result: 90%+ reduction of effort & cost
How DynaFlow supports SoD
Access/Authorization Mgmt
Cross-systems authorizations (who is accessing what?)
Periodic Access Reviews
SoD Conflicts Identification
Detective validation (what accesses constitute risks?)
Preventive validation (what is the impact if we change …?)
SoD Conflicts Resolution
Automated resolution/mitigation using pattern rules
SoD Conflicts Monitoring & Alerts
Self-generated SoD Matrix with dynamic alerts
Key Performance & Risks Indicators Dashboard (+ mobile)
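The three scans of the EZ-Compliance diagram (access scan, conflict scan, resolution scan), the automated SoD cycle, and the detective and preventive validation listed above can be shown as a small rule-based scanner. The Python below is an added example written for this page; it is not DynaFlow or EZ-Compliance code. Every session code, role, user, conflict rule and compensating control in it is constructed for illustration, and it assumes a simplified model in which each session grants exactly one business function and a conflict counts as mitigated when the user is covered by the compensating control named in a mitigation rule.

```python
"""Rule-based segregation-of-duties scan: access scan, conflict scan,
resolution scan, and a preventive what-if check before a role change.
Added example for this page; not DynaFlow/EZ-Compliance code.
All data below is constructed for illustration."""
from itertools import combinations

# Constructed session-to-function map (session codes are made up, not Baan/LN codes)
SESSION_FUNCTION = {
    "vendor-maint":  "Maintain Vendor Master",
    "po-create":     "Create Purchase Order",
    "goods-receipt": "Record Goods Receipt",
    "inv-entry":     "Enter Supplier Invoice",
    "pay-release":   "Release Payment",
    "cycle-count":   "Post Cycle Count Adjustment",
}
# Constructed role and user assignments (what an ERP/LDAP import would deliver)
ROLE_SESSIONS = {
    "AP_CLERK":     {"inv-entry"},
    "AP_MANAGER":   {"inv-entry", "pay-release"},
    "BUYER":        {"po-create"},
    "WAREHOUSE":    {"goods-receipt", "cycle-count"},
    "VENDOR_ADMIN": {"vendor-maint"},
}
USER_ROLES = {
    "alice": {"AP_CLERK", "VENDOR_ADMIN"},
    "bob":   {"BUYER", "WAREHOUSE"},
    "carol": {"AP_MANAGER"},
}
# Constructed SoD conflict rules: pair of functions -> violation rating
CONFLICT_RULES = {
    frozenset({"Maintain Vendor Master", "Enter Supplier Invoice"}): "High",
    frozenset({"Enter Supplier Invoice", "Release Payment"}): "High",
    frozenset({"Create Purchase Order", "Record Goods Receipt"}): "Medium",
}
# Constructed resolution rules: a conflict pair is acceptable when the user is
# covered by the named compensating (mitigation) control
MITIGATION_RULES = {
    frozenset({"Enter Supplier Invoice", "Release Payment"}): "CTRL-PAY-REVIEW",
}
USER_CONTROLS = {"carol": {"CTRL-PAY-REVIEW"}}


def access_scan(user_roles=USER_ROLES, role_sessions=ROLE_SESSIONS,
                session_function=SESSION_FUNCTION):
    """Scan (1): resolve user -> roles -> sessions -> business functions."""
    access = {}
    for user, roles in user_roles.items():
        functions = set()
        for role in roles:
            for session in role_sessions.get(role, ()):
                functions.add(session_function[session])
        access[user] = functions
    return access


def conflict_scan(access, rules=CONFLICT_RULES):
    """Scan (2): flag every pair of functions held by one user that a rule forbids."""
    conflicts = []
    for user in sorted(access):
        for a, b in combinations(sorted(access[user]), 2):
            pair = frozenset({a, b})
            if pair in rules:
                conflicts.append({"user": user, "pair": pair, "rating": rules[pair]})
    return conflicts


def resolution_scan(conflicts, mitigation_rules=MITIGATION_RULES,
                    user_controls=USER_CONTROLS):
    """Scan (3): split conflicts into mitigated (compensating control in place) and open."""
    mitigated, open_conflicts = [], []
    for conflict in conflicts:
        control = mitigation_rules.get(conflict["pair"])
        if control and control in user_controls.get(conflict["user"], set()):
            mitigated.append({**conflict, "control": control})
        else:
            open_conflicts.append(conflict)
    return mitigated, open_conflicts


def new_conflicts(previous, current):
    """Conflicts present in the current scan but not the previous one (what to notify)."""
    seen = {(c["user"], c["pair"]) for c in previous}
    return [c for c in current if (c["user"], c["pair"]) not in seen]


def what_if_add_role(user, role, user_roles=USER_ROLES):
    """Preventive validation: conflicts that granting `role` to `user` would introduce."""
    baseline = conflict_scan(access_scan(user_roles))
    trial = {u: set(r) for u, r in user_roles.items()}
    trial.setdefault(user, set()).add(role)
    return new_conflicts(baseline, conflict_scan(access_scan(trial)))


if __name__ == "__main__":
    found = conflict_scan(access_scan())
    mitigated, open_conflicts = resolution_scan(found)
    for c in open_conflicts:
        print(f"OPEN {c['rating']:6} {c['user']}: {' / '.join(sorted(c['pair']))}")
    for c in mitigated:
        print(f"MITIGATED by {c['control']} {c['user']}: {' / '.join(sorted(c['pair']))}")
    for c in what_if_add_role("bob", "AP_MANAGER"):
        print(f"WHAT-IF bob+AP_MANAGER would add: {' / '.join(sorted(c['pair']))}")
```

The detective path is `access_scan` followed by `conflict_scan` and `resolution_scan`; running it on each import and feeding the result through `new_conflicts` against the previous run gives the delta that the cycle's notification step sends to process owners. The preventive path is `what_if_add_role`, which evaluates a proposed role grant against the same rules before it is made, so a conflict can be refused or assigned a compensating control up front rather than discovered at the next scan.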
Segregation of Duties (SoD)
What you gain with DynaFlow: Cross-ERP Integration (SAP, Oracle, Baan, Mapics, ...)
Bottled Best Practices:
Fully automated Segregation-of-Duties (SoD) Rules
Pre-Defined SoD Libraries available for Baan, SAP, Oracle, etc.
In line with external auditors to secure successful certification
Detective and also Preventive
Fully automated SoD validation
90% reduction on implementation cost & effort
50% reduction on auditing cost
100% Successful SoD Audit
Simplified insight into all user authorizations
Integrated Cycles
Document: Integrate, Structure, Publish, Optimize, Validate, Define, Capture
Process Knowledge
Review, Certify: Risk Assessment, Control Environment, Control Activity, Publish
Regulations (e.g. SOX, ISO, ITAR, AS9100, HIPAA, etc.)
Automate, Measure, Optimize: Route Definition, Workflow Automation, Execute, Monitor, Action
Objectives, Measure, Analyzes, Metrics
DynaFlow Value Proposition
Document: Integrate, Structure, Publish, Optimize, Validate, Define, Capture
Review, Certify: Risk Assessment, Control Environment, Control Activity, Publish
Automate, Measure, Optimize: Route Definition, Execute, Monitor, Action
Objectives, Measure, Analyzes
Financial (Oracle, etc)
ERP (SAP, Baan, Mapics, etc)
Process Modeling
Process & Knowledge Publishing
Business Controls Definition
Business Controls Checks
Process Automation
Automated Alerts & Notifications
Employee Process Dashboard
Modeler and Auditor Dashboard
Transaction Systems Base
Dynamic KCI & Issues Escalation
Process Optimization & Monitoring
Management Dashboard
Dynamic KPI & BI Analytics
BPM Reporting
Office Apps (MS, Email, VPN, etc)
DynaFlow Solution Overview
Critical Capabilities Definition ERM & C
Audit Management: Supports internal auditors in planning and scheduling audit-related tasks, time management, managing work papers, risk assessments, control testing, remediation management and reporting.
Risk Management, General: Supports risk management professionals with the documentation, workflow, assessment and analysis, reporting, visualization, and remediation of risks. Analytics are mostly qualitative with a limited loss event analysis capability that is not dependent on stochastic analysis. It does not include stochastic analysis, but it may collect data from stochastic risk analytics tools to provide a consolidated view of enterprise risk management.
Risk Management, Stochastic: Involves stochastic analysis, such as Monte Carlo simulation. Examples include banks that require highly specialized capabilities for Basel II capital calculations and companies that must support project risk assessments of long-term asset investments, such as mining and oil and gas. Only a few EGRC platform vendors directly support these stochastic analysis needs organically or through an OEM partnership.
Compliance Management: Supports compliance professionals with the documentation, workflow, reporting and visualization of control objectives, controls and associated risks, surveys and self-assessments, testing, and remediation. At a minimum, EGRC management not only will include financial reporting compliance (Sarbanes-Oxley compliance), but also can support other types of compliance, such as ISO 9000, Payment Card Industry, industry-specific regulations, service-level agreements, trading partner requirements and compliance with internal policies.
Policy Management: Includes a specialized form of document management that enables the policy life cycle from creation to review, change and archiving of policies; mapping of policies to mandates and business objectives in one direction, and risks and controls in another; and distribution to and attestation by employees and business partners.
GRC Content: Includes many different kinds of content relative to GRC activities. Examples include regulatory analysis and news feeds, standards and frameworks, draft testing and risk assessments, and draft policies.
Business Analytics: Supports the ability to analyze the impact of risks on business objectives, performance and processes.
Gartner, Inc: 30 November 2010 / ID Number: G00208665
DynaFlow simplification
SOX, HIPAA, BASEL II, Etc.
COSO-II, COBIT, ......
Regulations
Implementation Framework
Policy & Procedure Implementation
Business Controls:
- Information delivery
- Resource access and use
- Risk mitigation
- ...
Demonstration of Compliance
Evidence Collection
Audit
People, Processes, Technology, Facilities, Data
establish, document, test
Business Risks
Business Control Libraries
Business Risk Libraries
Compliance Program Mgmt.
Compliance Change Mgmt.
Compliance Issue Mgmt.
Compliance Access & SoD Mgmt.
Audit Trail
Document Mgmt.
Web Portal
Cross-ERP Integration & Mapping
Operational Risk Monitoring
eBook Generation