Improving SOX Remediation

1 / 18
About This Presentation
Title:

Improving SOX Remediation

Description:

Improving SOX Remediation Through Automated Testing of Internal Controls November 4, 2005 Agenda Background on Approva Compliance Process Methods for Testing ... – PowerPoint PPT presentation

Number of Views:49
Avg rating:3.0/5.0
Slides: 19
Provided by: IanW73
Learn more at: http://raw.rutgers.edu

less

Transcript and Presenter's Notes

Title: Improving SOX Remediation


1
Improving SOX Remediation Through Automated
Testing of Internal Controls November 4, 2005
2
Agenda
  • Background on Approva
  • Compliance Process
  • Methods for Testing Effectiveness of Internal
    Controls
  • Applying Automation to the Testing Procedures

3
Approva Company Snapshot
  • Enterprise software company, founded in 2002
  • Headquartered in Reston, VA RD in Pune, India
  • 190 Employees over half in product development
  • Raised 30M from leading venture capital
    firms
  • Industry collaboration and partnerships

4
Approva a growing list of blue chip customers
Manufacturing Manufacturing

High Tech Media Consumer Products Retail

Energy Communications Pharmaceutical Chemicals

5
BizRights Solution Architecture
Compliance
Business Improvement
Fraud Analysis
Data Integrity
User Authorizations Activity
Configuration Settings Master Records
Transactions Executed
Business Solutions
Advanced Functionality
BizRights Platform
Exception Reporting
Dynamic Rules Analysis
C
Automated Email Notification
Simulation Change Control
C
C
Intelligent Data Extraction
Automated Workflow
6
BizRights Continuous Controls Intelligence
  • GR/IR mismatches
  • Payments that exceed thresholds
  • Duplicate payments
  • Discounts not taken
  • Payments, purchase orders, sales orders modified
    after approval
  • Unusual movement types, number ranges, payment
    terms, tolerance settings, etc.
  • Credit checks not turned on
  • POs with unlimited over/under delivery
  • Unusual credit limits
  • Unusual changes to payment
  • terms, bank details, etc.

Transactions
Everyday Activities
  • Detect SoD conflicts within roles users
  • Detect the use of sensitive transactions
  • Act as a compensating control for excluded users

7
The Compliance Process
8
What is your perspective on complexity?
  • Compliance Requirements?
  • SOX
  • FDA
  • Privacy
  • Control Environment?
  • Multiple ERPs
  • Multiple Apps
  • Control Solutions?
  • Identity Management Tools
  • Portals
  • Documentation Repositories

Portals
Identity Management
Document Repositories
9
Typical Control Structure
Typical ERP Control Design
  • Control structure is not always integrated with
    ERP functionality, rather built around it
  • Highly manual control processes
  • Increased control ownership and accountability
    issues
  • Testing of controls is a highly manual process
  • Not all exceptions identified
  • Time consuming and costly

Control Enabler
Configuration
Application Security
Reporting
General IT Controls
Manual Controls
10
Control Effectiveness Life Cycle
  • Review control documentation to ensure adequate
    design
  • Develop control test strategy
  • Execute control testing
  • Report exceptions, categorize deficiencies and
    conclude
  • Remediate through modification of business
    processes, system settings, and possibly the
    controls themselves
  • Run the process all over again

11
Testing Procedure
  • Review of paper documentation, such as journal
    entry reports, manual invoices, manual
    reconciliations, system logs, etc
  • Confirm system functionality through reviewing
    security design, configuration settings and
    related technical objects
  • Review of business transactional data, such as
    invoices, POs, etc.
  • But these approaches have their issues
  • Whos going to build, modify and maintain the
    reports?
  • Whos going to run them? And what happens when
    they forget?
  • Wheres your audit trail?
  • ERPs wont tell you when someones changed a
    control
  • ERPs wont tell you when the control is in
    place, and being circumvented anyway

12
Sample Test Configurable Control
  • To test the effectiveness of a configurable
    control, such as the PO approval limits (release
    strategy), the following steps are performed
  • Verify IMG settings are properly configured and
    set to proper tolerances
  • Verify access to the IMG is restricted
  • Sample 1 transaction to verify effectiveness of
    control
  • Issues / Observation
  • Time to test is significantly lower than manual
    controls
  • Configuration and tolerances typically set to
    business requirements, not control requirements
    (e.g. 500,000, as opposed to 50,000)
  • Retro-fit is typically expensive
    (re-implementation is some cases)
  • Manual work-arounds are common (e.g. still need
    signature above 50,000)
  • Automation Opportunities
  • Identify exceptions within existing control
    configuration (e.g. automatic notification for
    all POs over 50,000, but below 500,000)

13
Sample Test SOD Compensating Control
  • When testing SODs, it is very common to have a
    business need to violate an SOD rule, such as
    creation and payment of a PO in a small division.
    The following steps are typically performed
  • Once deficiency is noted, review compensating
    controls for adequacy
  • Review evidence that compensating control has
    been operating effectively
  • Typically, this is relying on final reviews of
    payable reports by a manager
  • Issues / Observation
  • Manual testing is time consuming
  • Compensating controls must be specific to the
    activity (e.g. the review must be to specifically
    check for SOD violations, not accuracy of pay
    run)
  • Very common and hard to prove if not specifically
    designed to monitor SOD
  • Automation Opportunities
  • Identify when a PO is created and paid, not only
    by the same user, but can be more specific to the
    same vendor, date, etc

14
Sample Test Manual Report Reviews
  • To test whether an employee reviewed a weekly
    report that lists the changes to the customer
    master, the following steps are performed
  • Verify the data that is listed on the report is
    valid
  • Select a sample of reports (sample determined by
    frequency of occurrence)
  • Verify that the employee reviewed the report
  • Initials and date on the report
  • E-mail to follow up on a change
  • Additional change reports that verify action
    taken
  • Issues / Observations
  • Time to test is high usually several hours and
    very iterative
  • Review requires looking at all changes
  • Documentation retention a major issue - typically
    results in a deficiency
  • Automation Opportunities
  • Proactively notify a control owner for high risk
    changes

15
Control Structure w/ Automated Testing and
Monitoring
Typical ERP Control Design
  • Significantly increase the efficiency and
    effectiveness of control processes
  • Monitor only critical data changes
  • Enhance or refine configuration tolerances
  • Preventative access control features
  • Automatic notification of control violations
  • Workflow and audit trail
  • Testing of controls is a highly automated process
  • All exceptions identified
  • Control configuration and system setting
    reporting replaces manual test procedures
  • Comprehensive SOD and Sensitive access analysis

Control Enabler
Configuration
Application Security
Reporting
General IT Controls
Manual Controls
Continuous Controls Testing
16
The BizRights Model
Control rules and functionality focused on
business processes, configuration and system
setting data
Process Insights
Global System Settings
Verify System Parameters
Configuration Settings
Verify IMG Configuration Settings
Enhance Existing Controls
Data Extraction, Workflow and Analysis
Capabilities Application Independent!!!
Business Transactions and Master Data
Material Master
Vendor Master
Identify Exceptional Transactions
Automate Manual Controls
Authorizations Insights
Purchase Requests
Purchase Orders
Process Payments
Receive Goods
Process Invoice
Sensitive Transactions
Segregation Of Duties Analysis
What If Analysis
Access Management
Closed Loop Remediation
Approval Work Flow
Control rules and functionality focused on
security processes and data
17
BizRights Automated Compliance
Typical ERP Control Design
BizRights
Testing Mechanism
Control Enabler
Control Enabler
Configuration
  • Enhance Existing Controls
  • Identify Exceptional Trxs
  • Configuration Settings
  • System Parameters

Application Security
  • What If Analysis
  • Access Approval Workflow
  • Segregation of Duties
  • Sensitive Transactions

Reporting
  • Exception Based Reporting
  • Closed Loop Remediation
  • Verification of Remediation

Manual Controls
  • Automate Manual Controls
  • Electronic Audit Trail

IT Controls
  • Baseline system settings
  • Proactively identify changes
  • System parameters
  • Security and change process

18
Summary Key Take Aways
  • Common goal is to achieve sustainable compliance
    that can improve the business
  • Turn compliance activities from a cost into an
    asset
  • Manual testing of controls consumes too much time
    cost
  • Automated testing will reduce overall cost and
    allow more time for remediation and mitigation of
    control violations

Dont Just ComplyTransform Your Business
Write a Comment
User Comments (0)