Improving SOX Remediation

Presentation transcript:

Improving SOX Remediation Through Automated Testing of Internal Controls
November 4, 2005
Speaker notes: Welcome & thanks for the meeting. Make introductions. Ask what they'd like to cover. Tell them what you are going to cover.

Agenda
- Background on Approva
- Compliance Process
- Methods for Testing Effectiveness of Internal Controls
- Applying Automation to the Testing Procedures

Approva: Company Snapshot
- Enterprise software company, founded in 2002
- Headquartered in Reston, VA; R&D in Pune, India
- 190 employees; over half in product development
- Raised $30M from leading venture capital firms
- Industry collaboration and partnerships

Approva – a growing list of blue chip customers
Industry segments: Manufacturing; High Tech & Media; Consumer Products & Retail; Energy & Communications; Pharmaceutical & Chemicals
Named customers: Owens Corning, Publix, Canada National Railway, Vistakon

BizRights Solution Architecture
Business solutions: Compliance; Fraud Analysis; Business Improvement; Data Integrity
Data analyzed: User Authorizations & Activity; Configuration Settings & Master Records; Transactions Executed
Advanced functionality (BizRights Platform): Dynamic Rules Analysis; Exception Reporting; Simulation & Change Control; Automated Email Notification; Intelligent Data Extraction; Automated Workflow

BizRights: Continuous Controls Intelligence
The BizRights product family helps you address all three levels of compliance through targeted rules, reports, and analysis. Approva's product family was designed to address not just user roles and responsibilities, but also system settings and transactions.
Users (user roles and responsibilities):
- Detect SoD conflicts within roles & users
- Detect the use of sensitive transactions
- Act as a compensating control for excluded users
Configuration (master records, system settings):
- Unusual movement types, number ranges, payment terms, tolerance settings, etc.
- Credit checks not turned on
- POs with unlimited over/under delivery
- Unusual credit limits
- Unusual changes to payment terms, bank details, etc.
Transactions (everyday activities):
- GR/IR mismatches
- Payments that exceed thresholds
- Duplicate payments
- Discounts not taken
- Payments, purchase orders, sales orders modified after approval

The Compliance Process
Speaker notes: Walk through the lifecycle, but focus on the fact that the bottom chevrons deal with "value" and "continuous improvement". How can you achieve these things if you are spending all of your time and effort performing manual control procedures and extensive manual test plans? Shift resources from issue identification to issue resolution, then to continuous improvement and realizing value. Achieving compliance should not be so intensive.

What is your perspective on complexity?
ERP system, business transactions and master data: Purchase Requests; Orders; Process Payments; Receive Goods; Invoice; Material Master; Vendor Master
Configuration settings: Access and Change Management; Global System Settings
Compliance requirements: SOX; FDA; Privacy
Control environment: Multiple ERPs; Multiple Apps; Legacy Applications
Control solutions: Identity Management Tools; Portals; Documentation Repositories
Speaker notes: Briefly talk about the complexity of corporate IT environments: multiple ERPs and legacy systems. Most control environments include identity management tools, portals, document repositories, etc. Setting the table for "cross platform, etc."

Typical Control Structure
Typical ERP control design, control enablers: Configuration; Application Security; Reporting; General IT Controls; Manual Controls
- Control structure is not always integrated with ERP functionality, but rather built around it
- Highly manual control processes
- Increased control ownership and accountability issues
- Testing of controls is a highly manual process
- Not all exceptions identified
- Time consuming and costly
Speaker notes: Self-explanatory slide. Talk to the existing control structure, and to the testing methods, which are still highly manual. Even with ERPs, a lot of configuration decisions were made for business requirements, not control requirements. Retrofitting controls after implementation is costly and sometimes impossible. A lot of deficiencies are found because someone forgot to initial a report, or can't dig up the document they were supposed to sign off on. Auditors and consultants charge a lot of money. The role of internal audit is truly "audit": while many companies would like IA to enhance the business and add value, how can they if they spend all their time in "testing" mode?

Control Effectiveness Life Cycle
1. Review control documentation to ensure adequate design
2. Develop control test strategy
3. Execute control testing
4. Report exceptions, categorize deficiencies and conclude
5. Remediate through modification of business processes, system settings, and possibly the controls themselves
6. Run the process all over again

Testing Procedure
- Review of paper documentation, such as journal entry reports, manual invoices, manual reconciliations, system logs, etc.
- Confirm system functionality by reviewing security design, configuration settings and related technical objects
- Review of business transactional data, such as invoices, POs, etc.
But these approaches have their issues:
- Who's going to build, modify and maintain the reports?
- Who's going to run them? And what happens when they forget?
- Where's your audit trail?
- ERPs won't tell you when someone's changed a control
- ERPs won't tell you when the control is in place, and being circumvented anyway

Sample Test – Configurable Control
To test the effectiveness of a configurable control, such as PO approval limits (release strategy), the following steps are performed:
- Verify IMG settings are properly configured and set to proper tolerances
- Verify access to the IMG is restricted
- Sample 1 transaction to verify effectiveness of the control
Issues / Observations
- Time to test is significantly lower than for manual controls
- Configuration and tolerances are typically set to business requirements, not control requirements (e.g. 500,000 as opposed to 50,000)
- Retrofit is typically expensive (re-implementation in some cases)
- Manual work-arounds are common (e.g. a signature is still needed above 50,000)
Automation Opportunities
- Identify exceptions within the existing control configuration (e.g. automatic notification for all POs over 50,000 but below 500,000)
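The automation opportunity on this slide, the gap between a release strategy configured at 500,000 and a control that requires approval above 50,000, is shown below as an added example; it is not Approva's or BizRights' code. The purchase-order records, field names and user ids are constructed for illustration and do not follow any ERP's real schema.

```python
"""Detect purchase orders that fall in the gap between the configured
release tolerance and the control requirement, so the control owner
can be notified. Added example; all data and names are constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Values taken from the slide: the control requires approval above 50,000,
# but the system release strategy was configured at 500,000.
CONTROL_THRESHOLD = 50_000
CONFIGURED_TOLERANCE = 500_000


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    amount: float
    created_by: str
    released_by: Optional[str]  # None when the system required no release step


def configuration_gap(control_threshold: float, configured_tolerance: float) -> bool:
    """True when the system tolerance is looser than the control requires,
    i.e. the first test step (verify IMG tolerances) would report a finding."""
    return configured_tolerance > control_threshold


def unreleased_pos_in_gap(pos: List[PurchaseOrder],
                          control_threshold: float = CONTROL_THRESHOLD,
                          configured_tolerance: float = CONFIGURED_TOLERANCE) -> List[PurchaseOrder]:
    """Return POs that exceed the control threshold but passed under the
    system tolerance without a release, the cases a manual signature
    work-around is meant to catch."""
    return [po for po in pos
            if control_threshold < po.amount <= configured_tolerance
            and po.released_by is None]


def notification_lines(pos: List[PurchaseOrder]) -> List[str]:
    """Build one notification line per exception for the control owner."""
    return [f"PO {po.po_number}: {po.amount:,.0f} created by {po.created_by} "
            f"with no release; manual approval evidence required"
            for po in unreleased_pos_in_gap(pos)]


# Constructed sample: one PO under the control threshold, one in the gap
# without release, one in the gap that was released, one above the tolerance.
SAMPLE_POS = [
    PurchaseOrder("4500001", 12_000, "jsmith", None),
    PurchaseOrder("4500002", 75_000, "jsmith", None),
    PurchaseOrder("4500003", 120_000, "alee", "mgr1"),
    PurchaseOrder("4500004", 750_000, "alee", "cfo"),
]

if __name__ == "__main__":
    if configuration_gap(CONTROL_THRESHOLD, CONFIGURED_TOLERANCE):
        print("Finding: release tolerance exceeds control requirement")
    for line in notification_lines(SAMPLE_POS):
        print(line)
```

Running the rule over the full PO population replaces the "sample 1 transaction" step with a complete exception list, and the `released_by` field is what a reviewer would then reconcile against the paper signatures the slide mentions.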

Sample Test – SOD Compensating Control
When testing SODs, it is very common to have a business need to violate an SOD rule, such as creation and payment of a PO in a small division. The following steps are typically performed:
- Once a deficiency is noted, review compensating controls for adequacy
- Review evidence that the compensating control has been operating effectively; typically this relies on final reviews of payables reports by a manager
Issues / Observations
- Manual testing is time consuming
- Compensating controls must be specific to the activity (e.g. the review must specifically check for SOD violations, not the accuracy of the pay run)
- Very common and hard to prove if not specifically designed to monitor SOD
Automation Opportunities
- Identify when a PO is created and paid not only by the same user, but more specifically for the same vendor, date, etc.
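The automation opportunity above, flagging a PO that was both created and paid by one user, and optionally tightening the match to the same vendor and date, is worked through below as an added example that is not part of the original deck or of the BizRights product. The event records, document numbers, vendor names and user ids are constructed; the `po_number` link on a payment and the two match modes are assumptions made for the illustration.

```python
"""Segregation-of-duties check over constructed PO-creation and payment
events: flag where one user both created a PO and released its payment.
Added example; all data and field names are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PoCreated:
    po_number: str
    vendor: str
    created_by: str
    created_on: date


@dataclass(frozen=True)
class Payment:
    document: str
    vendor: str
    paid_by: str
    paid_on: date
    po_number: Optional[str]  # None when the payment carries no PO reference


# Each finding: (po_number, payment document, user, basis of the match)
Finding = Tuple[str, str, str, str]


def find_sod_violations(po_events: List[PoCreated], payments: List[Payment],
                        match_on_vendor_date: bool = False) -> List[Finding]:
    """Basic rule: a payment referencing a PO created by the same user.
    Stricter rule (match_on_vendor_date): a payment with no PO reference that
    the same user made to the same vendor on the date that user created a PO,
    which catches the case where the link to the PO was simply left blank."""
    by_po = {e.po_number: e for e in po_events}
    findings: List[Finding] = []
    for pay in payments:
        po = by_po.get(pay.po_number) if pay.po_number else None
        if po is not None and po.created_by == pay.paid_by:
            findings.append((po.po_number, pay.document, pay.paid_by, "po_reference"))
            continue
        if match_on_vendor_date and pay.po_number is None:
            for e in po_events:
                if (e.created_by == pay.paid_by and e.vendor == pay.vendor
                        and e.created_on == pay.paid_on):
                    findings.append((e.po_number, pay.document, pay.paid_by, "vendor_and_date"))
    return findings


# Constructed sample data: jsmith creates and pays PO 4500010 (direct hit);
# mgr1 pays alee's PO 4500011 (clean); alee pays ACME on the day alee
# created an ACME PO, but the payment has no PO reference (strict rule only).
PO_EVENTS = [
    PoCreated("4500010", "ACME", "jsmith", date(2005, 10, 3)),
    PoCreated("4500011", "GLOBEX", "alee", date(2005, 10, 4)),
    PoCreated("4500012", "ACME", "alee", date(2005, 10, 5)),
]
PAYMENTS = [
    Payment("1900001", "ACME", "jsmith", date(2005, 10, 10), "4500010"),
    Payment("1900002", "GLOBEX", "mgr1", date(2005, 10, 11), "4500011"),
    Payment("1900003", "ACME", "alee", date(2005, 10, 5), None),
]

if __name__ == "__main__":
    for finding in find_sod_violations(PO_EVENTS, PAYMENTS, match_on_vendor_date=True):
        print(finding)
```

Because the rule is evaluated over the actual transactions rather than over role assignments, it doubles as the evidence the slide says a compensating control must produce: a manager's review of this list is specifically a review for SOD violations, not a general review of the pay run.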

Sample Test – Manual Report Reviews
To test whether an employee reviewed a weekly report that lists the changes to the customer master, the following steps are performed:
- Verify the data listed on the report is valid
- Select a sample of reports (sample size determined by frequency of occurrence)
- Verify that the employee reviewed the report, evidenced by initials and date on the report, an e-mail following up on a change, or additional change reports that verify the action taken
Issues / Observations
- Time to test is high, usually several hours and very iterative
- Review requires looking at all changes
- Documentation retention is a major issue and typically results in a deficiency
Automation Opportunities
- Proactively notify a control owner of high-risk changes

Control Structure w/ Automated Testing and Monitoring
Typical ERP control design, control enablers: Configuration; Application Security; Reporting; General IT Controls; Manual Controls; Continuous Controls Testing
- Significantly increase the efficiency and effectiveness of control processes
- Monitor only critical data changes
- Enhance or refine configuration tolerances
- Preventative access control features
- Automatic notification of control violations
- Workflow and audit trail
- Testing of controls is a highly automated process
- All exceptions identified
- Control configuration and system setting reporting replaces manual test procedures
- Comprehensive SOD and sensitive access analysis
Speaker notes: Pretty straightforward slide. Shift from manual to automated. Less time testing and doing control procedures means more time fixing problems and enhancing the business.

BizRights: The BizRights Model
Process Insights (control rules and functionality focused on business processes, configuration and system setting data):
- Global System Settings: verify system parameters
- Configuration Settings: verify IMG configuration settings; enhance existing controls
- Business Transactions and Master Data (Purchase Requests, Purchase Orders, Receive Goods, Process Invoice, Process Payments; Material Master, Vendor Master): identify exceptional transactions; automate manual controls
Authorizations Insights (control rules and functionality focused on security processes and data):
- Sensitive Transactions
- Segregation of Duties Analysis
- What-If Analysis
- Access Management
- Closed Loop Remediation
- Approval Workflow
Data extraction, workflow and analysis capabilities: application independent!!!
Speaker notes: It's all about the data! We can extract all types of data. Our analysis and rules engine can be easily configured by ANYONE to apply control requirements to the data. Our platform has tons of functionality.

BizRights Automated Compliance
For each control enabler in a typical ERP control design, the BizRights control enabler and the testing mechanism it provides:
- Configuration: Enhance Existing Controls; Identify Exceptional Trx's. Tested via Configuration Settings; System Parameters
- Application Security: What-If Analysis; Access Approval Workflow. Tested via Segregation of Duties; Sensitive Transactions
- Reporting: Exception Based Reporting. Tested via Closed Loop Remediation; Verification of Remediation
- Manual Controls: Automate Manual Controls. Tested via Electronic Audit Trail
- IT Controls: Baseline system settings; Proactively identify changes. Tested via System parameters; Security and change process
Speaker notes: High level examples of how BR can be used.

Summary & Key Takeaways
- Common goal is to achieve sustainable compliance that can improve the business
- Turn compliance activities from a cost into an asset
- Manual testing of controls consumes too much time & cost
- Automated testing will reduce overall cost and allow more time for remediation and mitigation of control violations
Don't Just Comply…Transform Your Business