Title: Improving SOX Remediation
1Improving SOX Remediation Through Automated
Testing of Internal Controls November 4, 2005
2Agenda
- Background on Approva
- Compliance Process
- Methods for Testing Effectiveness of Internal
Controls - Applying Automation to the Testing Procedures
3Approva Company Snapshot
- Enterprise software company, founded in 2002
- Headquartered in Reston, VA RD in Pune, India
- 190 Employees over half in product development
- Raised 30M from leading venture capital
firms - Industry collaboration and partnerships
4Approva a growing list of blue chip customers
Manufacturing Manufacturing
High Tech Media Consumer Products Retail
Energy Communications Pharmaceutical Chemicals
5BizRights Solution Architecture
Compliance
Business Improvement
Fraud Analysis
Data Integrity
User Authorizations Activity
Configuration Settings Master Records
Transactions Executed
Business Solutions
Advanced Functionality
BizRights Platform
Exception Reporting
Dynamic Rules Analysis
C
Automated Email Notification
Simulation Change Control
C
C
Intelligent Data Extraction
Automated Workflow
6BizRights Continuous Controls Intelligence
- GR/IR mismatches
- Payments that exceed thresholds
- Duplicate payments
- Discounts not taken
- Payments, purchase orders, sales orders modified
after approval - Unusual movement types, number ranges, payment
terms, tolerance settings, etc. - Credit checks not turned on
- POs with unlimited over/under delivery
- Unusual credit limits
- Unusual changes to payment
- terms, bank details, etc.
Transactions
Everyday Activities
- Detect SoD conflicts within roles users
- Detect the use of sensitive transactions
- Act as a compensating control for excluded users
7The Compliance Process
8What is your perspective on complexity?
- Compliance Requirements?
- SOX
- FDA
- Privacy
- Control Environment?
- Multiple ERPs
- Multiple Apps
- Control Solutions?
- Identity Management Tools
- Portals
- Documentation Repositories
Portals
Identity Management
Document Repositories
9Typical Control Structure
Typical ERP Control Design
- Control structure is not always integrated with
ERP functionality, rather built around it - Highly manual control processes
- Increased control ownership and accountability
issues - Testing of controls is a highly manual process
- Not all exceptions identified
- Time consuming and costly
Control Enabler
Configuration
Application Security
Reporting
General IT Controls
Manual Controls
10Control Effectiveness Life Cycle
- Review control documentation to ensure adequate
design - Develop control test strategy
- Execute control testing
- Report exceptions, categorize deficiencies and
conclude - Remediate through modification of business
processes, system settings, and possibly the
controls themselves - Run the process all over again
11Testing Procedure
- Review of paper documentation, such as journal
entry reports, manual invoices, manual
reconciliations, system logs, etc - Confirm system functionality through reviewing
security design, configuration settings and
related technical objects - Review of business transactional data, such as
invoices, POs, etc.
- But these approaches have their issues
- Whos going to build, modify and maintain the
reports? - Whos going to run them? And what happens when
they forget? - Wheres your audit trail?
- ERPs wont tell you when someones changed a
control - ERPs wont tell you when the control is in
place, and being circumvented anyway
12Sample Test Configurable Control
- To test the effectiveness of a configurable
control, such as the PO approval limits (release
strategy), the following steps are performed - Verify IMG settings are properly configured and
set to proper tolerances - Verify access to the IMG is restricted
- Sample 1 transaction to verify effectiveness of
control - Issues / Observation
- Time to test is significantly lower than manual
controls - Configuration and tolerances typically set to
business requirements, not control requirements
(e.g. 500,000, as opposed to 50,000) - Retro-fit is typically expensive
(re-implementation is some cases) - Manual work-arounds are common (e.g. still need
signature above 50,000) - Automation Opportunities
- Identify exceptions within existing control
configuration (e.g. automatic notification for
all POs over 50,000, but below 500,000)
13Sample Test SOD Compensating Control
- When testing SODs, it is very common to have a
business need to violate an SOD rule, such as
creation and payment of a PO in a small division.
The following steps are typically performed - Once deficiency is noted, review compensating
controls for adequacy - Review evidence that compensating control has
been operating effectively - Typically, this is relying on final reviews of
payable reports by a manager - Issues / Observation
- Manual testing is time consuming
- Compensating controls must be specific to the
activity (e.g. the review must be to specifically
check for SOD violations, not accuracy of pay
run) - Very common and hard to prove if not specifically
designed to monitor SOD - Automation Opportunities
- Identify when a PO is created and paid, not only
by the same user, but can be more specific to the
same vendor, date, etc
14Sample Test Manual Report Reviews
- To test whether an employee reviewed a weekly
report that lists the changes to the customer
master, the following steps are performed - Verify the data that is listed on the report is
valid - Select a sample of reports (sample determined by
frequency of occurrence) - Verify that the employee reviewed the report
- Initials and date on the report
- E-mail to follow up on a change
- Additional change reports that verify action
taken - Issues / Observations
- Time to test is high usually several hours and
very iterative - Review requires looking at all changes
- Documentation retention a major issue - typically
results in a deficiency - Automation Opportunities
- Proactively notify a control owner for high risk
changes
15Control Structure w/ Automated Testing and
Monitoring
Typical ERP Control Design
- Significantly increase the efficiency and
effectiveness of control processes - Monitor only critical data changes
- Enhance or refine configuration tolerances
- Preventative access control features
- Automatic notification of control violations
- Workflow and audit trail
- Testing of controls is a highly automated process
- All exceptions identified
- Control configuration and system setting
reporting replaces manual test procedures - Comprehensive SOD and Sensitive access analysis
Control Enabler
Configuration
Application Security
Reporting
General IT Controls
Manual Controls
Continuous Controls Testing
16The BizRights Model
Control rules and functionality focused on
business processes, configuration and system
setting data
Process Insights
Global System Settings
Verify System Parameters
Configuration Settings
Verify IMG Configuration Settings
Enhance Existing Controls
Data Extraction, Workflow and Analysis
Capabilities Application Independent!!!
Business Transactions and Master Data
Material Master
Vendor Master
Identify Exceptional Transactions
Automate Manual Controls
Authorizations Insights
Purchase Requests
Purchase Orders
Process Payments
Receive Goods
Process Invoice
Sensitive Transactions
Segregation Of Duties Analysis
What If Analysis
Access Management
Closed Loop Remediation
Approval Work Flow
Control rules and functionality focused on
security processes and data
17BizRights Automated Compliance
Typical ERP Control Design
BizRights
Testing Mechanism
Control Enabler
Control Enabler
Configuration
- Enhance Existing Controls
- Identify Exceptional Trxs
- Configuration Settings
- System Parameters
Application Security
- What If Analysis
- Access Approval Workflow
- Segregation of Duties
- Sensitive Transactions
Reporting
- Exception Based Reporting
- Closed Loop Remediation
- Verification of Remediation
Manual Controls
IT Controls
- Baseline system settings
- Proactively identify changes
- System parameters
- Security and change process
18Summary Key Take Aways
- Common goal is to achieve sustainable compliance
that can improve the business - Turn compliance activities from a cost into an
asset - Manual testing of controls consumes too much time
cost - Automated testing will reduce overall cost and
allow more time for remediation and mitigation of
control violations
Dont Just ComplyTransform Your Business