mgmt of internal controls

Upload: ravi-karamchandani

Post on 03-Apr-2018


TRANSCRIPT

  • 7/29/2019 Mgmt of Internal Controls

    Management of Internal Controls
    Pain Point Solutions

    mySAP ERP Solution Management

    Sarbanes-Oxley Act

    SAP MIC built to address SOA Pain Points
    SAP MIC's Integration Capabilities
    Summary and Roadmap


  • Global Requirements for Internal Control Systems

    SAP AG 2006, Mgmt of internal Controls (SOA 404 / 302), mySAP ERP SM / 4

    Sarbanes-Oxley (USA), LSF (France), CLERP 9 (Australia), Tabaksblat (Netherlands)
    International impact on subsidiaries around the world

    Business Challenges for Internal Controls Management:
    Documentation Management, Testing Coordination, Workflow Support, Audit Trail, Aggregated Reporting, Project Management, Administrative Costs

    Software Support is Needed

  • Sarbanes-Oxley Act: Software-relevant Sections

    Section 409:
      Changes in a company's financial situation must be reported without delay

    Section 404:
      Management must document internal controls
      Management must assess the design of the internal controls
      Management must test the effectiveness of internal controls
      Auditors must evaluate the management assessment of internal controls

    Section 401:
      Financial reports must contain all adjustments made by the auditor
      All transactions affecting the balance sheet must be reflected in the statements
      The transition of pro forma results to GAAP must be possible

    Section 302:
      Management is responsible for effective disclosure controls and procedures over financial reporting, operations and compliance
      Significant deficiencies in internal control must be disclosed to the audit committee and external auditors
      CEO and CFO must certify the contents of SEC reports

    Section 301:
      It must be possible for an employee to transmit anonymous complaints to the audit committee (Whistle Blower)

  • SAP MIC Phases and Roles

    Phases: Scoping and Set-Up; Document Processes & Controls; Assess Control Design & Remediate Issues; Test Operating Effectiveness; Sign-Off, Prepare Certification / Internal Control Report; Attest and Report
    Performed by: Management, Auditor
    Continuous Improvement

    Roles: CEO / CFO; Internal Control Manager; Org. Unit Manager; Process Group Owner / Process Owner; Control Owner; Evaluator, Tester; Issue & Remediation Plan Owner; Internal & External Auditor

  • MIC supports SOA Compliance Projects

    Phases: Scoping and Set-Up; Document Processes & Controls; Assess Control Design & Remediate Issues; Test Operating Effectiveness; Sign-Off, Prepare Certification / Internal Control Report; Attest and Report
    Performed by: Management, Auditor

    Supported activities:
    Identification of Org. Units and Processes in scope; Org. Unit Hierarchy; Central Process Catalog; Assignment of Processes to FS Accounts; Central Catalog of Control Objectives and Risks
    Assignment of Processes to BUs; BU-specific Control documentation; Documentation of testing procedures; Documentation of Management Controls
    Control and Process Design Assessments; Control Efficiency Assessment; Management Controls Assessment; Identification of Issues; Validation of Assessments; Remediation of Issues; Progress Tracking and Analysis
    Documentation of Testing Results; Identification of Issues; Remediation of Issues; Progress Tracking and Analysis
    Analysis; Overviews with Drill-down Functionality; Management Reports; Workflow-triggered Sign-off supporting 404 Reporting / 302 Certification
    Review; Attestation Reporting

  • SAP MIC: Designed to Address SOA Pain Points

    Customer Pain Points:

    I need a software tool that provides structures in line with COSO's Internal Controls - Integrated Framework

    I need support for the documentation process, including using best practice templates to develop documentation and upload support for existing control matrices

    Some Org Units have standardized processes, but other Org Units have custom processes, and reporting consistency must be maintained.

    I need to roll out a tool to a large number of users but have little IT support

    I need to prove to my auditors that the financial statement assertions are covered by effective controls

    Management needs information about the current state of controls

  • SAP MIC Supports the COSO Framework

    Customer Pain Point: I need a software tool that provides structures in line with COSO's Internal Controls - Integrated Framework

    In MIC, Control Activities are documented and evaluated at the process level with COSO attributes

    The other 4 COSO components are documented and evaluated at aggregate levels such as organizational units and are called Management Controls

    Management control assessments and testing are supported using survey-like functionality

    Figure: Sample MIC Management Control Assessment Survey

    Note: MIC also supports the COBIT framework

  • SAP Provides Sample Process Documentation

    Customer Pain Point: I need support for the documentation process, including using best practice templates to develop documentation

    SAP will document several scenarios to serve as process documentation examples, including
      Process description and flow
      Process Control Objective Risk Control tables for the process
      Over 50 SOA-relevant controls available in the SAP system (R/3, mySAP ERP) and their attributes

    Example Scenario: Purchase to Pay
    Policies and Procedures; Master Data Maintenance; Purchase Requisition; Purchase Order; Goods Receipt; Invoice Processing; Payment Processing

    Figures: Process flow; Control detail (Purchase Requisition)

    P2P documented in cooperation with:

    (*) Note: this process documentation is not a cookbook - each implementation should be accompanied by careful review of internal controls.

  • Best Practice Documentation Can Be Uploaded

    Customer Pain Point: I need support for the documentation process, including using best practice templates and upload support for existing control matrices

    Auditor Control Database
    Global Best Practices

    1. Download
    2. Conversion to SAP structure (Converter Tool)
    3. Conversion to sequential file (SAP Access Conversion Tool)
    4. Upload
    SAP MIC

    Tailor data to meet the company specific requirements

    Note: Deloitte and PricewaterhouseCoopers documentation is currently available

  • Centralized / Decentralized Documentation

    Customer Pain Point: Some Org Units have standardized processes, but other Org Units have custom processes, and reporting consistency must be maintained.

    The Central Process Catalog contains all relevant processes

    Each business unit chooses the processes from the catalog that are relevant in the unit

    Since process names are consistent, cross-business unit comparability is maintained

    Company-wide Central Process Catalog:
      Process Group 1: Sales and Distribution
        Process Group 1.1: Sales
          Process 1: Contract Negot.
          Process 2: Order Process.
          Process 3: CRM
          Process 4: Sales Support
        Process Group 1.2:
          Process 5: ..
          Process 6: ..
      Process Group 2:

    Template Process Steps (diagram of steps and controls)

    Bus Unit 1, Process Group 1.1: Sales (P1, P2, P3):
      Reference
      Copy and adapt
      Document Org unit-specific steps
      This process is not relevant in BU 1

  • Cascading Assignment of Business Users

    Customer Pain Point: I need to roll out a tool to a large number of users but have little IT support

    Top-down assignment of business users:

    Role | Business User | Sample Tasks
    IC Manager | Mr. A | Schedule tasks; Maintain hierarchies; Assign Org. Unit manager
    Org. Unit Manager | Ms. B | Assign processes to BU; Assign process group owner
    Process Group Owner | Mr. C | Validate process assessments; Assign process owner
    Process Owner | Ms. D | Validate control assessments; Assessment of control design at process level; Assign control owner

    Hierarchy shown: Group; BU; Process Group PG1; Process P1; Control C1

    MIC's 100+ tasks can be grouped into Roles that are activated at a particular level (for example, Corporate, Org Unit, Process, Control)

    The role assignment cascade is kicked off at the Corporate level

    At each level, managers assign people in their teams to fill lower-level roles

  • Document Coverage of Financial Statement Assertions

    Customer Pain Point: I need to prove to my auditors that the financial statement assertions are covered by effective controls

    Control activities within a business process address FS assertions relevant for significant financial statement account groups affected by the process.

    Financial Statement Assertions: Existence or Occurrence; Completeness; Valuation or Allocation; Rights & Obligations; Presentation and Disclosure

    FS Account Groups: Balance Sheet; Assets; Current Assets; Fixed Assets; Inventory; Receivables; Liabilities & Equity; Liabilities; Profit & Loss Statement; Revenues; Net Income; Cash Flow Statement

    Process: Order Processing has a material impact on financial account groups such as Inventory and Revenues
    Process Step PS1 = Control; Process Step PS2; Process Step PS3 = Control

    Legend: FS Assertion is relevant for an FS Account Group

  • 4 Flexible Robust Reporting Options

    Customer Pain Point: Management needs information about the current state of controls

    1. 30 out-of-the-box Online Reports
    2. Custom BW reporting* and Visual Composer dashboards
    3. Documentation Print Reports
    4. MIC Reporting Add-On with Excel Support (custom specific development on request only)

    * This dashboard was created with existing SAP BW 3.5.3 and MIC functionality; customizing effort is required for implementation.


  • Import of Automated Control Testing Results

    Many companies use dedicated control testing applications to test control effectiveness. These results are automatically pushed into MIC via an XI interface.

    Example: Test of a Segregation of Duties (SOD) control

    1) Dedicated tool performs analysis of control effectiveness in ERP system

    User Violation Detailed Report. Time: Feb 1, 2005 12:59 PM
    User | Rule | Priority | Exception
    John Black | Create Master Data + Trigger payment | High | 1 Violation

    2) Results pushed to MIC (XI)
      Test logs created
      Remediation workflows triggered

    Business Benefits: Lowered TCO; Lower cost of compliance

  • SAP Automation of MIC Controls

    Diagram labels: External SOD Toolset; mySAP ERP; mySAP CRM; Control Execution; XI; Schedule Job; Execute Report; Post to MIC; Database; Report Generated; Report PDF; MIC

  • Audit Information System (AIS) Link

    AIS can be used to perform control effectiveness testing within the SAP transactional system. A direct link from MIC to AIS will streamline testing activities.

    Tester enters AIS via link in MIC
    Tester executes report
    Tester documents results in MIC

    MIC Test Log
      Test procedure: Perform G/L Account Analysis in AIS
      Enter AIS
      Findings: Reconciliation delays exist: see document 100003716/2003 for more info

    Business Benefits: Lowered TCO; Lower cost of compliance

  • XI Upload of Master Data/Central Catalogs

    Many companies have initial SOX/control documentation in PC-based tools or MS Excel. Via an XI interface, this data can be uploaded into MIC.

    Legacy SOX System / MS Excel: XI Interface populates SAP MIC with existing data

    Central Process Catalog:
      Process Group 1: Sales and Distribution
        Process Group 1.1: Sales
          Process 1: Contract Negot.
          Process 2: Order Process.
          Process 3: CRM
          Process 4: Sales Support
        Process Group 1.2:
          Process 5: ..
          Process 6: ..
      Process Group 2:

    Org Unit Hierarchy: PC4You Corporate; PC4You North America; PC4You USA - East; PC4You USA - West; PC4You Canada; PC4You Mexico; PC4You EMEA; ..

    Business Benefits: Reduced implementation time; Reduced migration costs / TCO; Reduced cost of compliance


  • Business Benefits of SAP MIC

    Cheaper: Reduces the cost of communications and administration regarding internal control management

    Faster: SAP Workflow sends tasks to the appropriate users to get the testing process concluded in time for public filings

    Safer: Centralizes control-related documentation; creates an audit trail using time-dependent controls and processes

    Easier: Enables a fast cascading of responsibilities via the role and task concept; eliminates navigation, taking user from the start page directly to controls

    Smarter: Provides management with reporting about the current state of internal controls including drill-down

  • SAP Analytics Supporting Corporate Governance

    Panels: Overview; Project Progress; Control Design Assessment; Process Design Assessment; Issue Analysis

  • Application Pre-Requisites

    These systems are used for data sources: mySAP ERP 2005 (Ramp-up in October 2005) SP02 or mySAP ERP 2004 FINBASIS 300 SP11 (planned availability in December 2005)

    These modules are used as data sources: a back-end application SAP Management of Internal Controls (MIC) as part of mySAP ERP (must be implemented before this particular analytic app can be deployed)

    This particular analytic application is fully Remote Function Call (RFC)-based (no BW installation necessary), reading data directly from the respective back-end application (SAP MIC). The following advantages result from this approach:

      Direct MIC data access (no BI-extraction necessary). The use of MIC's built-in buffering capability is recommended to optimize performance

      Long texts available: long texts relating to controls, issues or other objects are critical in the corporate governance context. It is now possible to display these texts in an analytic app as the BW limitation (max. 60 characters) does not apply here

      Authorization / Personalization maintained in the back-end application (SAP MIC) applies in the analytic app as well (no double authorization maintenance or personalization necessary)

  • A sample of MIC Customers

  • Customer Statements

    "SAP's Management of Internal Controls is a very scalable application that provides global support for E.ON's Sarbanes-Oxley 404 project. With more than 100 organizational units and more than 1000 users involved in the assessments of internal controls in our Sarbanes-Oxley 404 project, we rely on SAP's stability and scalability to ensure that we meet our reporting deadlines."
    Michael Hoefer, Head of IT-Audit 2, E.ON Audit Services

    SAP SOA-MIC is an easy to use documentation tool that Biomet uses for full compliance with the requirements of the Sarbanes Oxley Act 2002. The simplicity to use was confirmed during our first training session held last week. We therefore expect further training costs to be limited.

    SAP SOA-MIC workflow functionality used in assessments and testing fully facilitates and supports our approach to the implementation of SOA at Biomet.

    This workflow and related 'real time tasking' are a great feature of MIC, one that I have not witnessed yet in other tools currently available.
    Christiaan Koreman, Internal Audit, Biomet Merck

    We have found SAP's Management of Internal Controls to be a useful system that provides a logical structure for organizing our Sarbanes-Oxley documentation. The role and task concept gives process owners the ability to perform role assignment and maintenance without requiring involvement from our IS department. However, the most important benefit of MIC to THQ is that control/process assessments, testing and sign-off activities are scheduled, and then workflow tasks are sent to each responsible person. Since our internal controls were originally documented in Excel, we have been able to take advantage of the upload functionality and transfer this documentation into the system quickly.
    Al Hunt, Director of Internal Audit, THQ

  • Analyst Feedback on SAP: The Rising Force for Compliance?

    Forrester Compliance Wave Report, March, 2005*
      #1 Product Strategy and Vision
      #1 Technical Strategy and Vision
      #1 Resource Investment in Compliance
      #1 Customer Support Strategy
      #1 Market Presence Delivery Footprint
      #2 Strategic Alliances
      #2 Financial Viability
      #2 Integration

    * Source: The Forrester Wave: Sarbanes-Oxley Compliance Software, Q1 2005 (April 7, 2005); Markham and Hamerman.

  • More Information

    Online Information
      SAP Portal (alias /SOA Media Library)
      SAP Article Sarbanes-Oxley Act: SAP's Management of Internal Controls

    SAP Education
      FIN910: Management of Internal Controls: 5-day training course for project team members, consultants, and auditors
      Online Knowledge Products for MIC

    For more information, email [email protected]

  • Copyright 2006 SAP AG. All Rights Reserved

    No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

    Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

    Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

    IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation.

    Oracle is a registered trademark of Oracle Corporation.

    UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

    Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

    HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.

    Java is a registered trademark of Sun Microsystems, Inc.

    JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

    MaxDB is a trademark of MySQL AB, Sweden.

    SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

    The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.

    This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

    SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

    SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

    The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.