Improving SOX Remediation Through Automated Testing of Internal Controls November 4, 2005.

Presentation transcript:

Improving SOX Remediation Through Automated Testing of Internal Controls November 4, 2005

Agenda
- Background on Approva
- Compliance Process
- Methods for Testing Effectiveness of Internal Controls
- Applying Automation to the Testing Procedures

Approva: Company Snapshot
- Enterprise software company, founded in 2002
- Headquartered in Reston, VA; R&D in Pune, India
- 190 employees; over half in product development
- Raised $30M from leading venture capital firms
- Industry collaboration and partnerships

Approva – a growing list of blue chip customers
Customer industries: Manufacturing; High Tech & Media; Consumer Products & Retail; Energy & Communications; Pharmaceutical & Chemicals

BizRights Solution Architecture
[Architecture diagram; recoverable labels follow]
- BizRights Platform: Intelligent Data Extraction, Dynamic Rules Analysis, Exception Reporting, Automated Workflow
- Data sources: User Authorizations & Activity; Configuration Settings & Master Records; Transactions Executed
- Business Solutions: Compliance, Fraud Analysis, Data Integrity, Business Improvement
- Advanced Functionality: Automated Notification, Simulation & Change Control

BizRights: Continuous Controls Intelligence
Transactions (everyday activities):
- GR/IR mismatches
- Payments that exceed thresholds
- Duplicate payments
- Discounts not taken
- Payments, purchase orders, sales orders modified after approval
Configuration (master records, system settings):
- Unusual movement types, number ranges, payment terms, tolerance settings, etc.
- Credit checks not turned on
- POs with unlimited over/under delivery
- Unusual credit limits
- Unusual changes to payment terms, bank details, etc.
Users (user roles and responsibilities):
- Detect SoD conflicts within roles & users
- Detect the use of sensitive transactions
- Act as a compensating control for excluded users

The Compliance Process

What is your perspective on complexity?
[Diagram; recoverable labels follow]
- Compliance Requirements: SOX, FDA, Privacy
- Control Environment: Multiple ERPs, Multiple Apps
- Control Solutions: Identity Management Tools, Portals, Documentation Repositories, Legacy Applications
- ERP System – Business Transactions and Master Data: Purchase Requests, Purchase Orders, Receive Goods, Process Invoice, Process Payments, Material Master, Vendor Master
- ERP System – Configuration Settings: Access and Change Management, Global System Settings


Control Effectiveness Life Cycle Review control documentation to ensure adequate design Develop control test strategy Execute control testing Report exceptions, categorize deficiencies and conclude Remediate through modification of business processes, system settings, and possibly the controls themselves Run the process all over again

Testing Procedure
- Review of paper documentation, such as journal entry reports, manual invoices, manual reconciliations, system logs, etc.
- Confirm system functionality through reviewing security design, configuration settings and related technical objects
- Review of business transactional data, such as invoices, POs, etc.
But these approaches have their issues…
- Who's going to build, modify and maintain the reports?
- Who's going to run them? And what happens when they forget?
- Where's your audit trail?
- ERPs won't tell you when someone's changed a control
- ERPs won't tell you when the control is in place, and being circumvented anyway

Sample Test – Configurable Control
To test the effectiveness of a configurable control, such as the PO approval limits (release strategy), the following steps are performed:
1. Verify IMG settings are properly configured and set to proper tolerances
2. Verify access to the IMG is restricted
3. Sample 1 transaction to verify effectiveness of control
Issues / Observations
- Time to test is significantly lower than manual controls
- Configuration and tolerances typically set to business requirements, not control requirements (e.g. 500,000, as opposed to 50,000)
- Retro-fit is typically expensive (re-implementation in some cases)
- Manual work-arounds are common (e.g. still need signature above 50,000)
Automation Opportunities
- Identify exceptions within existing control configuration (e.g. automatic notification for all POs over 50,000, but below 500,000)

Sample Test – SOD Compensating Control
When testing SODs, it is very common to have a business need to violate an SOD rule, such as creation and payment of a PO in a small division. The following steps are typically performed:
1. Once the deficiency is noted, review compensating controls for adequacy
2. Review evidence that the compensating control has been operating effectively – typically this relies on final reviews of payable reports by a manager
Issues / Observations
- Manual testing is time consuming
- Compensating controls must be specific to the activity (e.g. the review must specifically check for SOD violations, not the accuracy of the pay run)
- Very common and hard to prove if not specifically designed to monitor SOD
Automation Opportunities
- Identify when a PO is created and paid by the same user, and narrow the rule further to the same vendor, date, etc.
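The two automation opportunities above (the configurable-control exception, POs over 50,000 but below the 500,000 tolerance, and the SOD create-and-pay rule with its same-vendor refinement) as detection rules run over a constructed PO extract. This is an added illustration, not code from the presentation or from Approva's product; the record layout, user and vendor names are assumed, and only the two thresholds come from the slides.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Thresholds named in the sample test: the ERP release strategy is configured to
# the business tolerance (500,000) while the control requires review above 50,000.
CONTROL_THRESHOLD = 50_000
BUSINESS_TOLERANCE = 500_000


@dataclass
class PurchaseOrder:            # assumed extract layout, not an ERP table
    po_id: str
    vendor: str
    amount: float
    created_by: str
    paid_by: Optional[str] = None   # None = not yet paid


def threshold_exceptions(pos: List[PurchaseOrder],
                         control: float = CONTROL_THRESHOLD,
                         system: float = BUSINESS_TOLERANCE) -> List[str]:
    """POs the control requires a review for, but which the ERP releases without
    workflow because they sit at or below the configured tolerance."""
    return [p.po_id for p in pos if control < p.amount <= system]


def sod_conflicts(pos: List[PurchaseOrder]) -> List[str]:
    """Direct conflict: the user who created the PO also released its payment."""
    return [p.po_id for p in pos if p.paid_by is not None and p.paid_by == p.created_by]


def sod_conflicts_by_vendor(pos: List[PurchaseOrder]) -> List[str]:
    """Same-vendor refinement: a user who created any PO for a vendor also paid
    any PO for that vendor, even one created by someone else."""
    creators: Dict[str, Set[str]] = {}
    for p in pos:
        creators.setdefault(p.vendor, set()).add(p.created_by)
    return sorted({p.po_id for p in pos
                   if p.paid_by is not None and p.paid_by in creators[p.vendor]})


# Constructed sample extract; all values are invented.
SAMPLE_POS = [
    PurchaseOrder("PO-1001", "V100", 12_000, "alice", "bob"),
    PurchaseOrder("PO-1002", "V100", 75_000, "alice", "alice"),  # created and paid by one user
    PurchaseOrder("PO-1003", "V200", 600_000, "carol", "dave"),  # above tolerance: workflow fires
    PurchaseOrder("PO-1004", "V200", 49_999, "carol"),           # unpaid, below control threshold
    PurchaseOrder("PO-1005", "V300", 250_000, "erin", "frank"),  # erin and frank cross-pay V300
    PurchaseOrder("PO-1006", "V300", 8_000, "frank", "erin"),
]


def run_sample() -> Dict[str, List[str]]:
    return {"threshold_exceptions": threshold_exceptions(SAMPLE_POS),
            "sod_conflicts": sod_conflicts(SAMPLE_POS),
            "sod_conflicts_by_vendor": sod_conflicts_by_vendor(SAMPLE_POS)}
```

Note that PO-1003 is not a threshold exception: above the tolerance the configured release strategy itself fires, so only the gap between the two limits needs the notification rule.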

Sample Test – Manual Report Reviews
To test whether an employee reviewed a weekly report that lists the changes to the customer master, the following steps are performed:
1. Verify the data that is listed on the report is valid
2. Select a sample of reports (sample determined by frequency of occurrence)
3. Verify that the employee reviewed the report: initials and date on the report to follow up on a change; additional change reports that verify action taken
Issues / Observations
- Time to test is high – usually several hours and very iterative
- Review requires looking at all changes
- Documentation retention is a major issue – typically results in a deficiency
Automation Opportunities
- Proactively notify a control owner for high risk changes

Control Structure w/ Automated Testing and Monitoring
- Significantly increase the efficiency and effectiveness of control processes
- Monitor only critical data changes
- Enhance or refine configuration tolerances
- Preventative access control features
- Automatic notification of control violations
- Workflow and audit trail
- Testing of controls is a highly automated process
- All exceptions identified
- Control configuration and system setting reporting replaces manual test procedures
- Comprehensive SOD and sensitive access analysis
Typical ERP Control Design – Control Enablers: Configuration; Application Security; Reporting; Manual Controls; General IT Controls; Continuous Controls Testing

The BizRights Model
[Diagram; recoverable labels follow]
- Business Transactions and Master Data: Purchase Requests, Purchase Orders, Receive Goods, Process Invoice, Process Payments, Material Master, Vendor Master
- Configuration Settings: Access Management, Global System Settings
- Process Insights (control rules and functionality focused on business processes, configuration and system setting data): Enhance Existing Controls, Identify Exceptional Transactions, Verify IMG Configuration Settings, Verify System Parameters, Closed Loop Remediation, Automate Manual Controls
- Authorizations Insights (control rules and functionality focused on security processes and data): Segregation Of Duties Analysis, What If Analysis, Approval Work Flow, Sensitive Transactions
- Data Extraction, Workflow and Analysis Capabilities – Application Independent!!!

BizRights Automated Compliance – Typical ERP Control Design vs. BizRights Testing Mechanism
Control Enabler        | BizRights Testing Mechanism
Configuration          | Enhance Existing Controls; Identify Exceptional Trxs; Configuration Settings; System Parameters
Application Security   | What If Analysis; Access Approval Workflow; Segregation of Duties; Sensitive Transactions
Reporting              | Exception Based Reporting; Closed Loop Remediation; Verification of Remediation
Manual Controls        | Automate Manual Controls; Electronic Audit Trail
IT Controls            | Baseline system settings; Proactively identify changes; System parameters; Security and change process

Summary & Key Take Aways
- Common goal is to achieve sustainable compliance that can improve the business
- Turn compliance activities from a cost into an asset
- Manual testing of controls consumes too much time & cost
- Automated testing will reduce overall cost and allow more time for remediation and mitigation of control violations
Don't Just Comply…Transform Your Business