mgmt of internal controls
TRANSCRIPT
-
7/29/2019 Mgmt of Internal Controls
1/29
Management of Internal Controls
Pain Point Solutions
mySAP ERP Solution Management
Sarbanes-Oxley Act
-
SAP MIC built to address SOA Pain Points
SAP MIC's Integration Capabilities
Summary and Roadmap
-
SAP AG 2006, Mgmt of internal Controls (SOA 404 / 302), mySAP ERP SM / 4
Global Requirements for Internal Control Systems
Sarbanes-Oxley (USA)
LSF (France)
CLERP 9 (Australia)
Tabaksblat (Netherlands)
International impact on subsidiaries around the world
Business Challenges for Internal Controls Management:
Documentation Management
Testing Coordination
Workflow Support
Audit Trail
Aggregated Reporting
Project Management
Administrative Costs
Software Support is Needed
-
Sarbanes-Oxley Act: Software-relevant Sections
Section | Requirements
409 | Changes in a company's financial situation must be reported without delay
404 | Management must document internal controls
404 | Management must assess the design of the internal controls
404 | Management must test the effectiveness of internal controls
404 | Auditors must evaluate the management assessment of internal controls
401 | Financial reports must contain all adjustments made by the auditor
401 | All transactions affecting the balance sheet must be reflected in the statements
401 | The transition of pro forma results to GAAP must be possible
302 | Management is responsible for effective disclosure controls and procedures over financial reporting, operations and compliance
302 | Significant deficiencies in internal control must be disclosed to the audit committee and external auditors
302 | CEO and CFO must certify the contents of SEC reports
301 | It must be possible for an employee to transmit anonymous complaints to the audit committee (Whistle Blower)
-
SAP MIC Phases and Roles
Phases (Continuous Improvement):
Scoping and Set-Up
Document Processes & Controls
Sign-Off, Prepare Certification / Internal Control Report
Assess Control Design & Remediate Issues
Test Operating Effectiveness
Attest and Report
Management, Auditor
Roles:
CEO / CFO
Internal Control Manager
Org. Unit Manager
Process Group Owner / Process Owner
Control Owner
Evaluator, Tester
Issue & Remediation Plan Owner
Internal & External Auditor
-
MIC supports SOA Compliance Projects
Review
Attestation Reporting
Assignment of Processes to BUs
BU-specific Control documentation
Documentation of testing procedures
Documentation of Management Controls
Control and Process Design Assessments
Control Efficiency Assessment
Management Controls Assessment
Identification of Issues
Validation of Assessments
Remediation of Issues
Progress Tracking and Analysis
Documentation of Testing Results
Identification of Issues
Remediation of Issues
Progress Tracking and Analysis
Identification of Org. Units and Processes in scope
Org. Unit Hierarchy
Central Process Catalog
Assignment of Processes to FS Accounts
Central Catalog of Control Objectives and Risks
Analysis
Overviews with Drill-down Functionality
Management Reports
Workflow-triggered Sign-off supporting 404 Reporting / 302 Certification
-
SAP MIC: Designed to Address SOA Pain Points
Customer Pain Points:
I need a software tool that provides structures in line with COSO's Internal Controls - Integrated Framework
I need support for the documentation process, including using best practice templates to develop documentation and upload support for existing control matrices
Some Org Units have standardized processes, but other Org Units have custom processes, and reporting consistency must be maintained.
I need to roll out a tool to a large number of users but have little IT support
I need to prove to my auditors that the financial statement assertions are covered by effective controls
Management needs information about the current state of controls
-
SAP MIC Supports the COSO Framework
Customer Pain Point: I need a software tool that provides structures in line with COSO's Internal Controls - Integrated Framework
In MIC, Control Activities are documented and evaluated at the process level with COSO attributes
The other 4 COSO components are documented and evaluated at aggregate levels such as organizational units and are called Management Controls
Management control assessments and testing are supported using survey-like functionality
Figure: Sample MIC Management Control Assessment Survey
Note: MIC also supports the COBIT framework
-
SAP Provides Sample Process Documentation
Customer Pain Point: I need support for the documentation process, including using best practice templates to develop documentation
SAP will document several scenarios to serve as process documentation examples, including:
Process description and flow
Process / Control Objective / Risk / Control tables for the process
Over 50 SOA-relevant controls available in the SAP system (R/3, mySAP ERP) and their attributes
Example Scenario: Purchase to Pay
Policies and Procedures
Master Data Maintenance
Purchase Order
Goods Receipt
Invoice Processing
Payment Processing
Purchase Requisition
Figure panels: Process flow; Control detail (Purchase Requisition)
P2P documented in cooperation with:
(*) Note: this process documentation is not a cookbook; each implementation should be accompanied by careful review of internal controls.
-
Best Practice Documentation Can Be Uploaded
Customer Pain Point: I need support for the documentation process, including using best practice templates and upload support for existing control matrices
Global Best Practices
1. Auditor Control Database: Download
2. Conversion to SAP structure (Converter Tool)
3. Conversion to sequential file (SAP Access Conversion Tool)
4. Upload
SAP MIC
Tailor data to meet the company specific requirements
Note: Deloitte and PricewaterhouseCoopers documentation is currently available
-
Centralized / Decentralized Documentation
Customer Pain Point: Some Org Units have standardized processes, but other Org Units have custom processes, and reporting consistency must be maintained.
Company-wide Central Process Catalog
Process Group 1: Sales and Distribution
Process Group 1.1: Sales
Process 1: Contract Negot.
Process 2: Order Process.
Process 3: CRM
Process 4: Sales Support
Process Group 1.2:
Process 5: ..
Process 6: ..
Process Group 2:
Template Process Steps: Step 1, Control 2, Control 3; Control 1, Step 2, Step 3
[Figure: Bus Unit 1, Process Group 1.1: Sales, with processes P1, P2, P3. Labels: Copy and adapt; Reference; Document Org unit-specific steps; X: This process is not relevant in BU 1]
The Central Process Catalog contains all relevant processes
Each business unit chooses the processes from the catalog that are relevant in the unit
Since process names are consistent, cross-business unit comparability is maintained
-
Cascading Assignment of Business Users
Customer Pain Point: I need to roll out a tool to a large number of users but have little IT support
Hierarchy levels: Group; BU; Process Group PG1; Process P1; Control C1
Top-down assignment of business users:
Role | Business User | Sample Tasks
IC Manager | Mr. A | Schedule tasks; Maintain hierarchies; Assign Org. Unit manager
Org. Unit Manager | Ms. B | Assign processes to BU; Assign process group owner
Process Group Owner | Mr. C | Validate process assessments; Assign process owner
Process Owner | Ms. D | Validate control assessments; Assessment of control design at process level; Assign control owner
MIC's 100+ tasks can be grouped into Roles that are activated at a particular level (for example, Corporate, Org Unit, Process, Control)
The role assignment cascade is kicked off at the Corporate level
At each level, managers assign people in their teams to fill lower-level roles
-
Document Coverage of Financial Statement Assertions
Customer Pain Point: I need to prove to my auditors that the financial statement assertions are covered by effective controls
Control activities within a business process address FS assertions relevant for significant financial statement account groups affected by the process.
Financial Statement Assertions:
Existence or Occurrence
Completeness
Valuation or Allocation
Rights & Obligations
Presentation and Disclosure
FS Account Groups (diagram labels): Revenues, Liabilities, Fixed Assets, Inventory, Receivables, Balance Sheet, Liabilities & Equity, Assets, Profit & Loss Statement, Net Income, Current Assets, Cash Flow Statement
Process: Order Processing has a material impact on financial account groups such as Inventory and Revenues
Process steps: PS1 = Control, PS2, PS3 = Control
Diagram legend: FS Assertion is relevant for an FS Account Group
-
4 Flexible Robust Reporting Options
Customer Pain Point: Management needs information about the current state of controls
1. 30 out-of-the-box Online Reports
2. Custom BW reporting* and Visual Composer dashboards
3. Documentation Print Reports
4. MIC Reporting Add-On with Excel Support (custom specific development on request only)
* This dashboard was created with existing SAP BW 3.5.3 and MIC functionality; customizing effort is required for implementation.
-
Import of Automated Control Testing Results
Many companies use dedicated control testing applications to test control effectiveness. These results are automatically pushed into MIC via an XI interface.
Example: Test of a Segregation of Duties (SOD) control
1) Dedicated tool performs analysis of control effectiveness in ERP system
User Violation Detailed Report, Time: Feb 1, 2005 12:59 PM
User | Rule | Priority | Exception
John Black | Create Master Data + Trigger payment | High | 1 Violation
2) Results pushed to MIC (XI)
Test logs created
Remediation workflows triggered
Business Benefits:
Lowered TCO
Lower cost of compliance
-
SAP Automation of MIC Controls
[Diagram labels: Control Execution; mySAP ERP; mySAP CRM; External SOD Toolset; XI; Schedule Job; Execute Report; Report Generated; PDF Report; Post to MIC Database; MIC]
-
Audit Information System (AIS) Link
AIS can be used to perform control effectiveness testing within the SAP transactional system. A direct link from MIC to AIS will streamline testing activities.
Tester enters AIS via link in MIC
Tester executes report
Tester documents results in MIC
MIC Test Log
Test procedure: Perform G/L Account Analysis in AIS
Enter AIS
Findings: Reconciliation delays exist: see document 100003716/2003 for more info
Business Benefits:
Lowered TCO
Lower cost of compliance
-
XI Upload of Master Data/Central Catalogs
Many companies have initial SOX/control documentation in PC-based tools or MS Excel. Via an XI interface, this data can be uploaded into MIC.
Legacy SOX System / MS Excel
XI Interface populates SAP MIC with existing data
SAP MIC
Central Process Catalog:
Process Group 1: Sales and Distribution
Process Group 1.1: Sales
Process 1: Contract Negot.
Process 2: Order Process.
Process 3: CRM
Process 4: Sales Support
Process Group 1.2:
Process 5: ..
Process 6: ..
Process Group 2:
Org Unit Hierarchy:
PC4You North America
PC4You USA - East
PC4You USA - West
PC4You Canada
PC4You Mexico
PC4You Corporate
PC4You EMEA
..
Business Benefits:
Reduced implementation time
Reduced migration costs / TCO
Reduced cost of compliance
-
Business Benefits of SAP MIC
Cheaper: Reduces the cost of communications and administration regarding internal control management
Faster: SAP Workflow sends tasks to the appropriate users to get the testing process concluded in time for public filings
Safer: Centralizes control-related documentation; creates an audit trail using time-dependent controls and processes
Easier: Enables a fast cascading of responsibilities via the role and task concept; eliminates navigation, taking user from the start page directly to controls
Smarter: Provides management with reporting about the current state of internal controls including drill-down
-
SAP Analytics Supporting Corporate Governance
Panels: Overview; Project Progress; Control Design Assessment; Process Design Assessment; Issue Analysis
-
Application Pre-Requisites
These systems are used for data sources: mySAP ERP 2005 (Ramp-up in October 2005) SP02 or mySAP ERP 2004 FINBASIS 300 SP11 (planned availability in December 2005)
These modules are used as data sources: a back-end application SAP Management of Internal Controls (MIC) as part of mySAP ERP (must be implemented before this particular analytic app can be deployed)
This particular analytic application is fully Remote Function Call (RFC)-based (no BW installation necessary), reading data directly from the respective back-end application (SAP MIC). The following advantages result from this approach:
Direct MIC data access (no BI-extraction necessary). The use of MIC's built-in buffering capability is recommended to optimize performance
Long texts available: long texts relating to controls, issues or other objects are critical in the corporate governance context. It is now possible to display these texts in an analytic app as the BW limitation (max. 60 characters) does not apply here
Authorization / Personalization maintained in the back-end application (SAP MIC) applies in the analytic app as well (no double authorization maintenance or personalization necessary)
-
A sample of MIC Customers
-
Customer Statements
"SAP's Management of Internal Controls is a very scalable application that provides global support for E.ON's Sarbanes-Oxley 404 project. With more than 100 organizational units and more than 1000 users involved in the assessments of internal controls in our Sarbanes-Oxley 404 project, we rely on SAP's stability and scalability to ensure that we meet our reporting deadlines."
Michael Hoefer, Head of IT-Audit 2, E.ON Audit Services
"SAP SOA-MIC is an easy to use documentation tool that Biomet uses for full compliance with the requirements of the Sarbanes Oxley Act 2002. The simplicity to use was confirmed during our first training session held last week. We therefore expect further training costs to be limited.
SAP SOA-MIC workflow functionality used in assessments and testing fully facilitates and supports our approach to the implementation of SOA at Biomet.
This workflow and related 'real time tasking' are a great feature of MIC, one that I have not witnessed yet in other tools currently available."
Christiaan Koreman, Internal Audit, Biomet Merck
"We have found SAP's Management of Internal Controls to be a useful system that provides a logical structure for organizing our Sarbanes-Oxley documentation. The role and task concept gives process owners the ability to perform role assignment and maintenance without requiring involvement from our IS department. However, the most important benefit of MIC to THQ is that control/process assessments, testing and sign-off activities are scheduled, and then workflow tasks are sent to each responsible person. Since our internal controls were originally documented in Excel, we have been able to take advantage of the upload functionality and transfer this documentation into the system quickly."
Al Hunt, Director of Internal Audit, THQ
-
Analyst Feedback on SAP: The Rising Force for Compliance?
Forrester Compliance Wave Report, March, 2005*
#1 Product Strategy and Vision
#1 Technical Strategy and Vision
#1 Resource Investment in Compliance
#1 Customer Support Strategy
#1 Market Presence Delivery Footprint
#2 Strategic Alliances
#2 Financial Viability
#2 Integration
Source: The Forrester Wave: Sarbanes-Oxley Compliance Software, Q1 2005 (April 7, 2005); Markham and Hamerman.
-
More Information
Online Information
SAP Portal (alias /SOA Media Library)
SAP Article: Sarbanes-Oxley Act: SAP's Management of Internal Controls
SAP Education
FIN910: Management of Internal Controls: 5-day training course for project team members, consultants, and auditors
Online Knowledge Products for MIC
For more information, email [email protected]
-
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.
Copyright 2006 SAP AG. All Rights Reserved