Colorado University October 3, 2007

Presentation transcript:

Colorado University October 3, 2007 06/12/2018

ERP Enterprise Risk Management Overview
Topics:
Introduction (a bit about me)
PwC Overview
ERP Enterprise Risk Management Overview
Risk & Controls Team Approach

PwC Overview

PwC Overview
The PwC network of firms is composed of more than 140,000 partners and staff in 149 countries and territories around the world. In the US, PwC LLP employs 30,000 partners and staff. We provide industry-focused Assurance, Tax and Advisory services for 424 of the companies in the Fortune Global 500. We also serve smaller companies, private entities, not-for-profit organizations and the public sector. Priority sectors include financial services, technology, consumer products, pharmaceuticals, and entertainment and media. Globally, PwC holds the leading position as auditor to the Fortune 500, auditing 31% of the Fortune 500.

Our Service Lines: PwC's Lines of Service, Helping Clients Manage the Enterprise
Assurance: traditional Audit & Attest services.
Advisory:
Performance Improvement: identify, measure & close gaps that affect the ability to create and sustain value.
Risk Management: help companies develop, align, assess and implement security solutions and controls that seek to mitigate risk and vulnerabilities.
Transactions: evaluate & assist in the implementation of acquisitions, divestitures and strategic alliances, as well as gain access to global capital markets.
Tax.
(Diagram labels: PwC Operations; Corporate Strategy; Large Scale Technology Implementations.)

ERP Enterprise Risk Management Overview: Risk & Controls Team Approach

What are the key areas of risk for an Enterprise Project?
Broadly, the risks that must be addressed can be grouped into four areas. Project controls help manage risk during the solution development and delivery process. Controls to mitigate the other areas of risk must be implemented within the delivered solution. (Diagram labels: Project; Business Process; Technology Infrastructure; Data; Compliance.)

Project Risk: the risk of project failure (e.g. project cancelled or delayed) or that the project delivers an unusable system.
Controls: financial/budgetary controls; stage gating controls; governance controls (PMO, project leadership, steering committees etc.); quality – project deliverables; quality – process design & def.

Business Process Risk: the risk that the business experiences real losses attributable to the implemented system.
Controls: application (configurable) controls; information security – access controls (application level); manual/reporting controls.

Data Integrity Risk: the risk that converted, interfaced, and/or input data does not support processing requirements/business needs.
Controls: data conversion/transformation; cleansing & remediation; data integrity controls; information security – access controls (system level).

Technology Infrastructure Risk: the risk that the supporting infrastructure does not meet established confidentiality, integrity, and availability requirements.
Controls: information security – threat & vulnerability management; configuration management; systems remediation & change control.

How Are Enterprise Project Risks Typically Addressed?

Steering Committee. Primary objective: make key decisions, provide leadership, and provide the resources needed to resolve significant issues.
Project Leadership & PMO. Primary objective: deliver a complete system solution on time, on budget, on scope, on quality, with fully realized benefits. (Optimize process functionality, technology, & organization.)

Typical project constituencies:
Functional Teams. Primary objective: deliver complete and functioning business process solutions.
Change & Education Teams. Primary objective: ensure acceptance and adoption of the system solution and that benefits are sustained.
Technology Teams. Primary objective: deliver a robust and reliable supporting technology infrastructure.
Data Transformation Teams. Primary objective: ensure the accuracy and integrity of converted, interfaced, input and processed data.

Typical projects are structured around the fundamental areas of process/functional, technology, data, change, and overall project management. Within this structure each team's primary objective is to optimize its area given the business requirements. Risk and controls, however, are ancillary to these objectives and are often overlooked or, at best, not given the attention they require. For projects that are lower in risk, complexity, and impact this issue may be addressed through periodic audit and review, with re-work/re-design where risk and control issues have been identified. For projects that are higher risk, this typical approach is inefficient and ineffective and can result in significant re-work or even project failure. Therefore, the question of "Who owns risk and controls?" must be addressed.

Risk & Controls Team. Primary objective: ensure business process, technology, and data related risks are managed, controls are designed and documented, and business process, system, and data integrity are preserved. (Optimize controls, security, & compliance. Diagram labels: High Risk Projects; Enterprise.)

Why use a Risk & Controls Team?
Without a Risk & Controls Team: the Finance Team, GTM, Supply Chain and Technology Teams each end up somewhere between weak controls (ineffective & misleading) and tight controls (inefficient & expensive). An inconsistent approach to, and knowledge of, risk and internal controls leads to the design and implementation of inefficient and ineffective control measures.
With a Risk & Controls Team: the same teams converge on balanced & cost effective controls. A dedicated and centralized risk and controls approach leads to balanced and cost effective control solutions across teams.

What Does a Risk & Controls Team Do?
Tasks & responsibilities: integrate with the SDLC.
Solution delivery phases (SDLC): Project Feasibility; Project Preparation; Business Blueprint; Realization; Final Preparation; Go Live and Support; Project Closure.
Risk & Controls Team tasks (high-level summary), in delivery order:
Develop controls strategy and approach
Develop risk and controls team structure and roles & responsibilities
Collaborate on controls and security standards
Select audit and controls tools
Define control objectives, requirements and related risks
Design balanced control solutions (inherent, configurable, manual, access, reporting, interface) across business process areas
Design/implement application and infrastructure access controls in alignment with control objectives (role-based/policy-based/user-based access control measures)
Complete Sarbanes-Oxley documentation
Collaborate on Backup and Recovery Plan and Business Continuity Plan
Define and design infrastructure security and controls configuration
Define and design data integrity and control measures
Develop control and security test cases, strategies and plans, and execute them
Finalize Sarbanes-Oxley documentation
Develop controls and security cutover plan & execution
Finalize controls and security acceptance testing
Facilitate Sarbanes-Oxley testing
Validate production implementation of controls
Collaborate on project closure and lessons learned analysis

Example Risk and Controls – General Ledger

Risk: incorrect or inappropriate journal postings may result in erroneous financial reporting.
Controls: journal entry postings from sub-ledgers are automatically posted to designated GL accounts based on system parameters (Automated). The system is set up to identify different types of journal postings (e.g. automated vs manual) and assign different sequential numbering (Automated).

Risk: financial transactions may not be posted in the appropriate accounting period.
Controls: the accounting calendar is properly set up in the system to ensure accurate period closing (Automated). Access to open and close posting periods is restricted to appropriate personnel (Security).

Risk: unauthorized or inappropriate manual journal postings may result in erroneous financial reporting.
Controls: access to post or reverse manual journal entries is restricted to appropriate Accounting personnel (Security). A formal Journal Entry Request is reviewed and approved prior to entry into the system. Manual journal postings and reversals are reviewed by management (Manual).
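The General Ledger risks above and their automated and security controls, written out as an added example of a posting gate. This is illustration code, not PwC's and not any ERP product's API; the role names and their rights, the accounting periods, the account numbers and the journal entries are all constructed assumptions. Each scenario in `demo()` shows one control either admitting a posting or blocking it:

```python
# Added illustration, not PwC's code nor any ERP product's API. Roles, rights,
# period names, accounts and journal data are constructed assumptions.
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional, Tuple
import itertools


class ControlViolation(Exception):
    """Raised when a posting or configuration change would bypass a control."""


@dataclass
class Period:
    name: str
    start: date
    end: date
    is_open: bool = True


@dataclass
class JournalEntry:
    source: str                            # "SUBLEDGER" (automated) or "MANUAL"
    posting_date: date
    lines: List[Tuple[str, float, float]]  # (account, debit, credit)
    approved_by: Optional[str] = None      # reviewer of a manual entry


class GeneralLedger:
    # Constructed role model (assumption): the rights each role carries.
    ROLE_RIGHTS = {
        "gl_controller": {"open_close_period", "post_manual"},
        "accountant": {"post_manual"},
        "ap_clerk": set(),
    }
    PREFIX = {"SUBLEDGER": "SL", "MANUAL": "MJ"}

    def __init__(self, calendar: List[Period]):
        # Accounting calendar configured up front, plus one document sequence
        # per posting type so automated and manual entries are numbered apart.
        self.calendar: Dict[str, Period] = {p.name: p for p in calendar}
        self.sequences = {src: itertools.count(1) for src in self.PREFIX}
        self.posted: List[Tuple[str, str, JournalEntry]] = []

    def _period_for(self, d: date) -> Period:
        for p in self.calendar.values():
            if p.start <= d <= p.end:
                return p
        raise ControlViolation(f"no accounting period covers {d}")

    def _require(self, user: str, role: str, right: str) -> None:
        # Security control: the right must be granted to the caller's role.
        if right not in self.ROLE_RIGHTS.get(role, set()):
            raise ControlViolation(f"{user} ({role}) may not {right}")

    def set_period_open(self, user: str, role: str, period: str, is_open: bool) -> str:
        # Opening and closing posting periods is restricted to appropriate personnel.
        self._require(user, role, "open_close_period")
        self.calendar[period].is_open = is_open
        return f"{period} {'open' if is_open else 'closed'}"

    def post(self, user: str, role: str, je: JournalEntry) -> str:
        period = self._period_for(je.posting_date)
        if not period.is_open:
            raise ControlViolation(f"period {period.name} is closed")
        if je.source == "MANUAL":
            self._require(user, role, "post_manual")
            # Approved Journal Entry Request, enforced by the system: the
            # reviewer must be someone other than the preparer.
            if not je.approved_by or je.approved_by == user:
                raise ControlViolation("manual entry lacks independent approval")
        doc_no = f"{self.PREFIX[je.source]}-{next(self.sequences[je.source]):06d}"
        self.posted.append((doc_no, user, je))
        return doc_no


def attempt(action: Callable[..., str], *args) -> str:
    """Result of the action, or 'BLOCKED: reason' when a control fires."""
    try:
        return action(*args)
    except ControlViolation as exc:
        return f"BLOCKED: {exc}"


def demo() -> Dict[str, str]:
    """Constructed scenario exercising each control; returns the outcomes."""
    gl = GeneralLedger([Period("2007-09", date(2007, 9, 1), date(2007, 9, 30)),
                        Period("2007-10", date(2007, 10, 1), date(2007, 10, 31))])
    sale = [("1200 Receivables", 500.0, 0.0), ("4000 Revenue", 0.0, 500.0)]
    accrual = [("6100 Expense", 50.0, 0.0), ("2100 Accrued liabilities", 0.0, 50.0)]
    oct3 = date(2007, 10, 3)
    out = {
        "subledger": attempt(gl.post, "ar_batch", "ap_clerk", JournalEntry("SUBLEDGER", oct3, sale)),
        "manual_ok": attempt(gl.post, "alice", "accountant", JournalEntry("MANUAL", oct3, accrual, "carol")),
        "manual_unapproved": attempt(gl.post, "alice", "accountant", JournalEntry("MANUAL", oct3, accrual)),
        "manual_self_approved": attempt(gl.post, "alice", "accountant", JournalEntry("MANUAL", oct3, accrual, "alice")),
        "clerk_manual": attempt(gl.post, "bob", "ap_clerk", JournalEntry("MANUAL", oct3, accrual, "carol")),
        "clerk_close": attempt(gl.set_period_open, "bob", "ap_clerk", "2007-09", False),
        "controller_close": attempt(gl.set_period_open, "carol", "gl_controller", "2007-09", False),
    }
    out["closed_period"] = attempt(gl.post, "ar_batch", "ap_clerk", JournalEntry("SUBLEDGER", date(2007, 9, 15), sale))
    out["second_manual"] = attempt(gl.post, "alice", "accountant", JournalEntry("MANUAL", date(2007, 10, 4), accrual, "carol"))
    return out
```

Two design points worth noting. The slide lists the Journal Entry Request review as a manual control; the gate above turns it into a system prerequisite by refusing any manual entry whose `approved_by` is empty or equal to the preparer, which is the segregation-of-duties check an auditor would test for. Blocked attempts never draw a document number, so the separate SL and MJ sequences stay gap-free and a gap in either sequence is itself a review item.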