overview sod-erm-wf-bpm


Upload: dynaflow

Post on 06-May-2015


DESCRIPTION

Presentation given at Syteline User Network Conference in Portland, Sept. 2012

TRANSCRIPT

Page 1: Overview SOD-ERM-WF-BPM


Page 2: Overview SOD-ERM-WF-BPM

DynaFlow Profile Main Facts:

Established in 1997

Private company HQ in Canada (AM)

Partners in USA, France, Netherlands, Norway, India, Thailand and Australia

Main mission:

To enable global companies to become “Simply in Control” by proactively managing enterprise risks, demonstrating compliance and automating and optimizing business processes.

Dedicated to providing its clients a fast ROI through a short and structured implementation

Professional Services: Implementation and Training

Compliance & Audit Support

Process Optimization

Solution Hosting Services


Page 3: Overview SOD-ERM-WF-BPM

DynaFlow Solution Overview (slide diagram; labels recovered from the figure):

Transaction Systems: Financial (Oracle, etc), ERP (SAP, Baan, Mapics, etc), Office Apps (MS, Email, VPN, etc)

Process Modeling; Process & Knowledge Publishing; Business Controls Definition; Business Controls Checks

Process Automation; Automated Alerts & Notifications; Process Optimization & Monitoring

Dynamic KCI & Issues Escalation; Dynamic KPI & BI Analytics; BPM Reporting

Dashboards: Employee Process Dashboard; Modeler and Auditor Dashboard; Management Dashboard

Page 4: Overview SOD-ERM-WF-BPM
Page 5: Overview SOD-ERM-WF-BPM

DynaFlow: Makes it EZ for...

Page 6: Overview SOD-ERM-WF-BPM


Page 7: Overview SOD-ERM-WF-BPM

Regulation - The Hot Potato

SOX

J-SOX

L262/626

‘Euro-SOX’

SAS-70

Code Tabaksblat

Code Lippens

8th EU Directive

Clinger Cohen

21 CFR Part 11

IFRS

Basel-II

Loi sur La Sécurité Financière (LSF)

BilMoG

HIPAA FDA

ISO

Page 8: Overview SOD-ERM-WF-BPM

Why is Compliance important?

Corporate & Executive Responsibility & Liability

Policy Interpretation

Implementation Cost

Overhead

Tightened Credit Lines

Premium Insurance Fees

Fear for Reputation Damage

Audit Cost

Regulation

Page 9: Overview SOD-ERM-WF-BPM

Enterprise Risk Management (ERM/GRC)

The key pains & challenges:
• Extra burden “on top” of running the company
• Draining resources from critical projects
• Absence of clear and documented guidelines
• Absence of automation
• Cannot be postponed (scheduled audits)
• Cost (with NO tangible ROI)

The proposed approach & resolution:
• Leverage pre-defined knowledge via libraries
• Avoid multiple partial systems (and integration burden)
• Automate as much as possible tedious and large-volume tasks

Page 10: Overview SOD-ERM-WF-BPM

GRC/ERM Support at all levels

Levels of GRC model

Continuous monitoring as part of normal business process

Strategical
• Policy / Regulations
• Enterprise Risk Management (Strategic)
• Integrated Compliance Frameworks
• Consolidated Dashboards (Control Statements)

Tactical
• Procedures
• Process Risk Analysis (Tactical)
• Process & Internal Control Design & Maintenance
• Review (workflow)

Operational
• Monitoring Efficiency of Internal Controls
• Embedded testing & test evidence
• Document Management System
• KPI/”In Control” reports

Process areas: Purchasing, Warehouse Management, Manufacturing, Sales & Distribution
• Review
• Test

Page 11: Overview SOD-ERM-WF-BPM

Risk Control Framework (slide diagram; labels recovered from the figure):
• Business Risks
• Risk Assessment
• Risk Control Matrix
• Business Controls
• Control Testing
• Review / Audit
• Remediation & Evidence
• Continuous Monitoring

Page 12: Overview SOD-ERM-WF-BPM

From Regulation to Compliance

Regulations (SOX, HIPAA, BASEL II, etc.) -> Implementation Framework (ERM, COSO-II, COBIT, ...) -> Policy & Procedure Implementation -> Business Controls (Information delivery; Resource access and use; Risk mitigation; ...) -> Demonstration of Compliance -> Evidence Collection -> Audit

Applied across: People, Processes, Technology, Facilities, Data

Lifecycle: establish, document, test

Driver: Business Risks

Page 13: Overview SOD-ERM-WF-BPM

DynaFlow simplification

Regulations (SOX, HIPAA, BASEL II, etc.) -> Implementation Framework (COSO-II, COBIT, ...) -> Policy & Procedure Implementation -> Business Controls (Information delivery; Resource access and use; Risk mitigation; ...) -> Demonstration of Compliance -> Evidence Collection -> Audit

Applied across: People, Processes, Technology, Facilities, Data

Lifecycle: establish, document, test

Driver: Business Risks

DynaFlow modules mapped onto this chain:
• Business Control Libraries
• Business Risk Libraries
• Compliance Program Mgmt.
• Compliance Change Mgmt.
• Compliance Issue Mgmt.
• Compliance Access & SoD Mgmt.
• Audit Trail
• Document Mgmt.
• Web Portal
• Cross-ERP Integration & Mapping
• Operational Risk Monitoring
• eBook Generation

Page 14: Overview SOD-ERM-WF-BPM

Key elements

Business Risks & Business Controls Library
• Risk Control Matrix (RCM)
• 2,500+ pre-defined Controls, Risks and relationships
• For all regional & industry specific regulations (SOX, Basel-II, L262, FDA, HIPAA, IFRS, ISO, etc…)
• To address all auditing/auditors requirements

Automated Business Control Execution
• Testing Schedules with automated notification & testing
• Real-time monitoring & alerts for testers and Mgmt
• Evidence Collection & audit trail

Dynamic Risk and Business Control Monitoring
• Key Performance & Risks Indicators Dashboard (+ mobile)

Audit Support
• Combination of Solution, Libraries and Services

Page 15: Overview SOD-ERM-WF-BPM

Enterprise Risk Management (ERM/GRC)

Benefits:
• Full-featured GRC/ERM Platform
• One solution for all the global corporate entities
• Cross-ERP Integration (Baan, Mapics, Syteline, SAP, Oracle, ...)
• Bottled Best Practices: Libraries for several regulations (industry & country); Pre-defined Business Controls ready-to-go
• Fully automated Business Controls testing
• Full-circle Electronic Evidence
• Internationalized (interface and content)
• Tightly integrated with Workflow Automation

Page 16: Overview SOD-ERM-WF-BPM


Page 17: Overview SOD-ERM-WF-BPM

Segregation of Duties (SoD)

The key pains & challenges:
• Now a Critical Business Control for ALL organizations
• Involves large volume of data (i.e. Typical = thousands of authorizations in ERP alone)
• Need to be done across Systems (ERP) and for ALL access types
• Is a recurring process due to constant changes

The proposed approach & resolution: Automation, automation and automation!

Page 18: Overview SOD-ERM-WF-BPM

Cross-Applications ERM & SoD

Page 19: Overview SOD-ERM-WF-BPM

Business Processes & Controls Integration (slide diagram; labels recovered from the figure):
• Process Diagram
• Employees / User Roles
• Applications
• Access Mgmt
• Business Controls
• Business Risks
• Compliance Mgmt
• SoD Business Conflicts
• Conflict Resolution
• SoD Conflict Rules
• SoD Mgmt
• Documents
• Document Mgmt

Page 20: Overview SOD-ERM-WF-BPM

Master SoD Matrix


Page 21: Overview SOD-ERM-WF-BPM

Totaling 485+ SoD “zones” to be validated


Page 22: Overview SOD-ERM-WF-BPM

EZ-Compliance SoD Scan

Sources scanned (slide diagram): Mapics, Hyperion, BPCS, …; Network Access, Facility Access, Security Badges, …; Mapics, Ceridian, …

Page 23: Overview SOD-ERM-WF-BPM

The automated SoD cycle

• Import of updated authorizations from all Enterprise Applications (Automated; import weekly or daily)
• Identification of SoD conflicts & related business risks (Automated)
• Resolution of conflicts with known patterns (Automated)
• Notification of new conflicts to internal audit team and/or process owners (Automated)
• Investigation, resolution and mitigation of SoD risks (Semi-Automated)

Result: 90%+ reduction of effort & cost

Page 24: Overview SOD-ERM-WF-BPM

Self-generated matrix with SoD Health indicators


Click to view detailed business functions & conflicts found

Page 25: Overview SOD-ERM-WF-BPM

Key elements

Access/Authorization Mgmt
• Cross-systems authorizations (who is accessing what?)
• Periodic Access Review

SoD Conflicts Identification
• Detective validation (what accesses constitute risks?)
• Preventive validation (what is the impact if we change …?)

SoD Conflicts Resolution
• Automated resolution/mitigation using pattern rules

SoD Conflicts Monitoring & Alerts
• Self-generated SoD Matrix with dynamic alerts
• Key Performance & Risks Indicators Dashboard (+ mobile)

----- Enterprise Risk Management (ERM)
• Business Risks monitoring
• Business Controls automated testing
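The detective scan, preventive what-if check and pattern-based resolution that the automated SoD cycle (page 23) and the key elements above describe, as an added Python example that is not DynaFlow's or EZ-Compliance's code. The authorization rows, role-to-function mapping, conflict rules and mitigation pattern are constructed sample data.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data: authorization records as exported from several
# enterprise applications, one (user, system, role) row each.
AUTHORIZATIONS = [
    ("alice", "ERP", "AP_CLERK"),
    ("alice", "ERP", "VENDOR_ADMIN"),
    ("bob", "ERP", "AP_CLERK"),
    ("bob", "BANK", "PAYMENT_RELEASE"),
    ("carol", "ERP", "BUYER"),
]
# Constructed mapping: which business functions a role in a given system grants.
ROLE_FUNCTIONS = {
    ("ERP", "AP_CLERK"): {"enter_invoice"},
    ("ERP", "VENDOR_ADMIN"): {"maintain_vendor_master"},
    ("BANK", "PAYMENT_RELEASE"): {"release_payment"},
    ("ERP", "BUYER"): {"create_purchase_order"},
}
# SoD conflict rules (the "matrix"): an unordered pair of functions one person must not hold.
CONFLICT_RULES = {
    frozenset({"enter_invoice", "release_payment"}): "fictitious vendor payment",
    frozenset({"maintain_vendor_master", "enter_invoice"}): "vendor master fraud",
    frozenset({"create_purchase_order", "release_payment"}): "unauthorised purchase",
}
# Known resolution patterns: a conflict is accepted when a named compensating control exists.
MITIGATIONS = {("bob", frozenset({"enter_invoice", "release_payment"})): "dual-approval on payments"}

def functions_per_user(auths):
    """Collapse cross-application authorizations into the business functions each user can perform."""
    funcs = defaultdict(set)
    for user, system, role in auths:
        funcs[user] |= ROLE_FUNCTIONS.get((system, role), set())
    return funcs

def detective_scan(auths):
    """Detective validation: every (user, conflicting pair, risk, mitigation-or-None) in current data."""
    findings = []
    for user, funcs in sorted(functions_per_user(auths).items()):
        for a, b in combinations(sorted(funcs), 2):
            pair = frozenset({a, b})
            if pair in CONFLICT_RULES:
                findings.append((user, pair, CONFLICT_RULES[pair], MITIGATIONS.get((user, pair))))
    return findings

def preventive_check(auths, user, system, role):
    """Preventive validation: which conflicts would granting (system, role) to user newly introduce?"""
    before = {(u, p) for u, p, _, _ in detective_scan(auths)}
    after = detective_scan(auths + [(user, system, role)])
    return [f for f in after if (f[0], f[1]) not in before]
```

Findings with a mitigation of None are the ones that still need the semi-automated investigation step; the preventive check is what an access-request workflow would run before approving a new role.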

Page 26: Overview SOD-ERM-WF-BPM

Segregation of Duties (SoD)

Benefits:
• Cross-ERP Integration (SAP, Oracle, Baan, Mapics, ...)
• Bottled Best Practices: Fully automated Segregation-of-Duties (SoD) Rules; Pre-Defined SoD Libraries available for Baan, Syteline, SAP, Oracle, etc...
• In line with external auditors to secure successful certification
• Detective and also Preventative
• Fully automated SoD validation
• 90% reduction on implementation cost & effort
• 50% reduction on auditing cost
• 100% Successful SoD Audit
• Simplified insight in all user authorizations

Page 27: Overview SOD-ERM-WF-BPM

DynaFlow: Makes it EZ for...

Page 28: Overview SOD-ERM-WF-BPM


Page 29: Overview SOD-ERM-WF-BPM

EZ-Dashboard KPRI Monitoring


Page 30: Overview SOD-ERM-WF-BPM

EZ-Dashboard KPRI Monitoring


Page 31: Overview SOD-ERM-WF-BPM


Page 32: Overview SOD-ERM-WF-BPM

Customer / Project Profile: Olympus Winter & Ibe stands for innovative products in medical technology since its foundation in 1954. Their endoscope systems are recognized and esteemed throughout the world.

3,200 employees
Revenue: $5.6b USD (2007)
Baan IV user
External Auditors: KPMG

“We have selected EZ-Compliance because it is the only business solution available able to scan Baan authorizations and identify all related J-SOX Segregation of Duties (SoD) conflicts within the first day of implementation. Its ability to automate this scan daily/weekly without human intervention will not only help us secure our J-SOX audit certification, it will eliminate tedious manual effort and save Olympus significant SoD monitoring and J-SOX audit cost.”

(Head of IT, Olympus Winter & Ibe GmbH)

Segregation of Duties (SoD)

Page 33: Overview SOD-ERM-WF-BPM

Customer / Project Profile: Largest provider of stored energy solutions for industrial applications in the world

7,800 employees / 21 manufacturing and distribution facilities
Over 10,000 customers worldwide
Revenue: $977M (2007)
Baan IV user
External Auditors: E&Y

“We reduced our SoD validation time & effort by 90%, and increased user authorizations and SoD data accuracy by 100% compared with the manual approach of before”,

“Without EZ-Compliance, we believe that passing our SOX/SoD audit would have been difficult, time consuming and not humanly possible in the time allotted”

(Manager Business Applications, EnerSys)

Page 34: Overview SOD-ERM-WF-BPM

Customer / Project Profile: Zebra Technologies delivers innovative and reliable specialty digital printing solutions for business improvement and security applications in 100 countries around the world.

2,200 employees
Revenue: $977M (2007)
Baan IV & Oracle user
External Auditors: E&Y

“Significant time and effort was required to review and streamline the authorizations we give to our employees globally. We appreciate greatly the ability of EZ-Compliance to enable visibility of our authorizations via a simple to use Portal and to fully automate the tedious manual work to monitor current and new SoD conflicts. A true time and cost saving for us.”

(Senior Internal Auditor for Zebra, Zebra Technologies)

Page 35: Overview SOD-ERM-WF-BPM

Customer / Project Profile: Market leader in design, manufacturing and distribution of furnishings, office furniture systems and related services

4300 employees (HQ in Zeeland, MI)
Distributors in 40 countries worldwide
Baan IVc user
Revenue: $2.0b (2008)
External Auditors: E&Y

“We now have an enterprise-wide process documentation tool that we use to integrate DEM process definition, ISO instructions and training manuals, thus enabling Herman Miller to develop and deploy effectively process improvements across the organization. In addition, EZ-Publisher has enabled us to further expand our use of Baan DEM by documenting business processes for non-Baan departments/users.”

Process Mgmt Manager, Herman Miller

Business Process Mgmt (BPM/DEM)

Page 36: Overview SOD-ERM-WF-BPM

Customer / Project Profile: Global in vitro diagnostics company specializing in the area of pre-transfusion diagnostics

Headquartered in Atlanta Georgia, USA
610 employees
Revenue of $282M USD in 2008
External Auditors: Grant Thornton

“Unlike many software solutions that usually leave me with a mixed feeling when assessing them, EZ-Compliance stood out as one that delivers impressive results with limited setup. The ability to scan in only minutes thousands of authorizations records, from Baan or other corporate applications across several Immucor business units, enables us to perform the SoD scan as often as desired. It is clear for us at Immucor that EZ-Compliance will save us time.”

(Project Manager & Certified Six Sigma Black Belt, Immucor)

Page 37: Overview SOD-ERM-WF-BPM

Customer / Project Profile: World-wide provider of innovative tools and services to the clinical diagnostics and life science research markets

Serves 85,000+ research and industry customers worldwide
Founded in 1952, HQ in California
6700 employees
$1.5 billion USD in 2007
External Auditors: Deloitte & Touche

“In only 4 days, not only was EZ-Compliance installed and the training completed, all our Baan authorizations (>120,000 records) were loaded and scanned, resulting in the immediate identification of our SoD conflicts. A real eyes opener for us! In addition, several hundreds of our Bio-Rad Business Controls and Conflict Rules were also loaded within the same 4 days!... Impressive”

(Head of Internal Audit, Bio-Rad)

Enterprise Risk Management (ERM/GRC)


Page 39: Overview SOD-ERM-WF-BPM

Customer / Project Profile: Founded in the Netherlands in 1979, HYVA is committed to the development, production, marketing and distribution of components for the commercial vehicle industry.

1,000 employees
Revenue: $255M (2006)
Baan ERP-5 & LN user

“For HYVA, the SaaS lease model enables a flexible subscription with limited upfront investment while maximizing business value from day one. We confirmed our EZ-Compliance selection to DynaFlow and a few days later, we received the login info to connect to the EZ-Compliance SaaS server for us to directly start investigating and resolving the SoD conflicts identified. Exactly the efficiency we were looking for.”

(Business Process Analyst, HYVA)

Page 40: Overview SOD-ERM-WF-BPM

Customer / Project Profile: Manufacturer of ductile iron pressure pipe for potable water transmission and wastewater collection

Part of Amsted Industries
9,200 employees
Revenue of $2.8bn in 2007
External Auditors: PWC

“The definition of the approval routes, the configuration of the routing rules and the training of the end-users (all able to be done by non-IT personnel) took less time than anticipated. This was made possible because approval patterns and related user notifications can be defined, changed or implemented in production within only minutes”

(Purchasing Manager, Griffin Pipe)