Managing Risk with Controls Intelligence Solutions Especially in an Economic Downturn Steve Boyce VP, Alliances & Business Development Approva Corporation Nov 7, 2008

Game Plan The role of intelligent business controls in driving performance What is Controls Intelligence? Best practices for implementing a controls intelligence strategy Business benefits of controls monitoring Case studies & lessons learned

© 2007 Approva Corporation. All rights reserved. Key Drivers for GRC Investments Source: The Governance, Risk Management, and Compliance Spending Report, 2008–2009, AMR Research 11/18/2008 (c) OCEG

Business Processes A Typical Large Organization Has Hundreds or Thousands of Controls RISK Third-Party Contractors Should Not Have Access to Proprietary Applications OPERATIONAL Purchasing Must Adhere to Corporate Procurement Policies COMPLIANCE An Employee Cannot Backdate a Journal Entry After the End of a Quarter

The Cost of Poor Controls Intelligence Most controls are monitored manually. Critical controls go untested. Control breakdowns are identified long after they occur. CFOs sign off on financials with imperfect information. Companies today… NEC Details Major Fraud “Fake orders resulted in $4 million in kickbacks. Meanwhile, internal investigations continue.” G.M. Says It Has Found Serious Flaws in Accounting “…performance was threatened by “ineffective” controls over financial reporting…” GE to Adjust Accounting in Bid to End Probe “…Problems with revenue recognition have cropped up in several GE units.”

Companies Have Three Main Types of Controls Operations & Financial Reporting Transactions, Fraud, Master Data Quality, Business Controls Access to Applications Segregation of Duties, Emergency Access, User Provisioning Configuration of IT Systems & Processes Change Management, Required Fields, Tolerances and Limits

Controls Intelligence Lifecycle A Controls Intelligence Strategy Must Address the Entire Lifecycle of Controls Controls Intelligence System

Reduce Risk & Fraud Automate Compliance Optimize Operational Controls Approva Provides Controls Intelligence Software that enables you to:

Risk Dashboard Case Management Authoring Studios Approva’s Risk & Controls Intelligence Platform Approva Risk & Controls Intelligence System Risk Analytics Continuous Monitoring Risk KPI Monitors Audit Repository Proactive Alerting Baselining Approva Risk Management Solutions Identifying & Preventing Fraud Managing Cash Flows & Working Capital Managing Assets & Inventory Ensuring the Accuracy of Financial Reports Securing & Ensuring Accuracy of Master Data Compliant ProvisioningCertifying Access Securing Sensitive Information Ensuring Best Practice System Configuration Settings Ensuring Best Practice Process Configuration Settings Managing User Access & Segregation of Duties (SoD) Risk Analytics Risk MonitoringCertification Management

What the Analysts Say About Approva “We rate Approva's BizRights suite as strong positive because of its breadth of capability in all categories of SOD control.” “Approva should be on the shortlist of every organization taking a comprehensive approach that requires strong support for all three techniques, especially those organizations that need to support multiple ERP platforms or those that prefer an independent vendor.” Source: 2008 Gartner MarketScope on Segregation of Duty Within ERP and Financial Applications by Paul E. Proctor, Neil MacDonald, 25 September 2008

Case Studies & Best Practices

Case Study 1: Automating Financial Controls Fortune 100 retailer $76B in Revenue 96,000 Employees PeopleSoft Financial Management System (FMS) v8.4 Profile Business Challenge Reducing Risk: Concerned about risk in the financial close process. Financial controls could not be cost-effectively tested, monitored or enforced. People were circumventing the process to make manual journal entries & update the chart of accounts. Reducing Compliance Costs: Financial controls required extensive effort by Internal Audit to manually test on an ongoing basis. Manual queries had to be written, updated and executed. Results had to be manually reviewed. Improving Efficiency: Too much time was being wasted researching financial anomalies for audits. “Misrepresenting our financial results would have had disastrous implications but it just wasn’t feasible to continuously monitor every control.” © 2008 Approva Corporation. All rights reserved.

Approva is used to monitor financial configuration and transaction-related controls. Automatic alerts identify control exceptions so they can be addressed immediately. Financial Controls Case Study: Approva’s Approach © 2008 Approva Corporation. All rights reserved. Finance / CFO Internal Audit CIO/ IT Risk Management Human Resources External Audit Outsourcing Partners Reversed Transactions Unusual Debits & Credits Backdated Journal Entries Revenue Entries After Period Close Entries Avoiding Mgmt Review Unauthorized Master Data Changes Unusual Trending in Key Accounts Transactions With Missing Fields Unauthorized Transactions

Financial Controls Case Study: Benefits Business Benefits Reduced time required for internal audit team to test controls and respond to external audit requests. Reduced travel and expense costs for internal audit team. “We were able to design and implement our automated financial controls within 3 months of the project kickoff.” Reduced Risk Reduced Compliance Costs Improved Productivity Improved utilization & retention of internal audit and finance staff resulting from elimination of low-value tasks. Reduced risk of fraud and financial misstatement due to comprehensive and continuous monitoring of key financial controls. Elimination of errors resulting from people circumventing existing financial controls and policies.

© 2007 Approva Corporation. All rights reserved. Case Study 2: Controls Monitoring Across 26+ Applications Business Challenge Identify & remediate user access violations across 26 applications. Hold business users accountable for user access violations. Manage controls for SAP go- live and legacy applications. Create the capability to quickly add new applications as business needs change.

Limited Brands: Complex IT Environment Brand 1 Brand 2 Brand 3 Brand 4 Brand Applications

© 2007 Approva Corporation. All rights reserved. Case Study 2: Limited Brands Established sustainable process for monitoring and remediating user access (i.e. SoD) violations for 26+ app’s Empowered business users to independently remediate and manage access control violations Established accountability with business users for SoD violations Created a framework to quickly incorporate additional applications into Approva for SoD monitoring Business Benefits

Case Study 3: P-Card Transaction Monitoring © 2008 Approva Corporation. All rights reserved. Monthly reconciliation activity taking too much manual time and effort Manual audit was ineffective in meeting board oversight goals Goal to grow the program, driving more value One of the largest school districts in the US ~$50 Billion annual spend o Started with $24M through P-Cards, grown to $104M Started with ~250 cardholders, grown to 2,500 and 300K transactions 5 full time P-Card program administrators SAP and Legacy Mainframe GL systems Citibank Payment Card Client Objectives Benefits Grew P-Card spend from $24M to $104M annually, and increased card holders from 246 to 2,500 o Increased dollar rebate (~10 Basis Points) P-Card program is effectively enforcing corporate policies and maintaining compliance, encouraged by board to continue to grow P-Card usage Reduced audit preparation time through automation Automated reconciliation; reduced time and errors Avoided retraining users when switching banks. Able to capture most advantageous rebate offers. Caught and stopped instances of misuse and was able to document issues and resolve quickly Profile

Top Challenges With P-Card Programs Include Managing Exceptions and Administration Tasks © 2006 Approva Corporation. All rights reserved. “Controls are the most pressing issue to increase spend and number of P-Card users” Challenges Faced with P-Card Programs Source: Aberdeen Group, August 2007 Challenge score based on survey respondents

Approva P-Card Insight: Key Product Features © 2008 Approva Corporation. All rights reserved. Monitor and provide proactive alerts on P-Card program exceptions using complex analytics Provide executive level dashboards on key risk and performance indicators Sophisticated workflow with escalation for exception resolution with associated audit trail Automatically reconcile transactions with purchases Augment bank transactions with level II and III data P-Card Insight Workflow & Escalation Automatic Reconciliation Complex Analytics Dashboards and Reporting Proactive Alerts Audit Trail

© 2007 Approva Corporation. All rights reserved. P-Card Insight Product Features (I) Complex workflows with escalations for sophisticated management of exceptions by user, auditor, or manager Contextual business information provided Can interact with end user via or BizRights interface Ability to have transactions and purchases flagged as automatically reconciled so no manual intervention required Force manual reconciliation based upon business rules (threshold based on dollar amount, specific type of purchases, user, manager etc.) Customizable reporting and dashboard Dozens of pre-built reports Drill down and drill through to find root cause of violations Multiple level of reports, from graphical to summary to detail Workflow & Escalation Automatic Reconciliation Dashboards & Reporting Key Product Capabilities and Highlights

© 2007 Approva Corporation. All rights reserved. P-Card Insight Product Features (II) Ability to schedule for automated and proactive report delivery Workflow tasks proactively ed to inbox of user Best practice library of controls Trending analytics to search for anomalies Ability to analyze data from multiple systems within same rule Complete capture of historical data Audit trail maintained for all operations in the system PCI DSS Level 1/SAS 70 Type II Certified Secure platform that can be used as a control Complex Analytics Audit Trail Key Product Capabilities and Highlights Proactive Alerts

Approva P-Card Insight Benefits © 2006 Approva Corporation. All rights reserved. Reduced Cash Loss / Waste Improved Process Efficiency Reduced Risk Increased procurement saving Reduced Cost of Monitoring and audit preparation Vendor Consolidation Bank Neutrality Cardholder convenience Increased Rebate Eliminate non-preferred vendor spend Increased Discounts Identify leakage Increased program assurance Culture of Enforcement Proactive identification of exceptions Improve financial and budget controls

Controls Intelligence Benefits Customer Benefit from Improved Controls Intelligence CATEGORYTYPE OF BENEFIT

In Summary Start With the Core Risk But Have a Plan to Expand Capture “low hanging fruit” by automating manual controls Focus on your top risks but ensure your solution can scale Validate your approach and solution with your auditor Consider Both Financial and IT Controls Implement both preventive and detective controls Consider the impact of IT, access and transaction-related controls Trust but verify controls that come with your core applications Business Users Should Own the Controls Make sure your solution can speak to business users in their language Empower business users to develop their own controls Free up IT and internal audit staff to focus on value added tasks 1 2 3

Selected Approva Customers © 2007 Approva Corporation. All rights reserved. Technology, Telecom & Media Consumer Products & Retail Energy & Chemicals Pharmaceutical & BiotechEntertainment Manufacturing, Transportation & Public Sector

Contact Information Steve Boyce VP, Alliances & Business Development Approva Corporation