Compliance Technology Solutions – NASACT Presentation Material – Robert Garagiola, AERS National Technology Practice – January 31st, 2007

Presentation transcript:

Compliance Technology Solutions
NASACT Presentation Material
Robert Garagiola – AERS National Technology Practice
January 31st, 2007

Copyright © 2007 Deloitte Development LLC. All rights reserved.

Slide 1: Current Situation
The majority of companies have yet to implement sustainable technology to address governance, risk and compliance needs.
– In year one, organizations were primarily focused on meeting the requirements of Section 404.
– In year two, the focus was on refining the process and documentation.
Technology to enable governance, risk and compliance is now a focus.
– The heroic efforts of small project teams are now being distributed into the organization's day-to-day activities.
– Minimizing the ongoing cost of compliance is a priority.
– Duplicative efforts across multiple areas of compliance; the ability to leverage compliance effort across multiple regulatory requirements.

Slide 2: Technology Decisions Companies Face
Enhancing the compliance program into a more sustainable, repeatable process.
– Transform the compliance process into part of day-to-day business life.
Assessing costs/value in moving to another compliance management solution.
– Is switching to a new solution feasible?
Understanding the vendor landscape for the next generation of SOX technologies.
– What options are available, and how do those options best fit within the organization?
Better enabling the compliance process given the cost to implement.
– Where can new and existing technology be leveraged to support the compliance effort?
Effective decentralization of the 404 compliance activities.
– Driving the accountability to individual process owners.

Slide 3: Key Lessons Learned
Client issue: Over-reliance on manual controls (expensive to execute; time consuming to test).
How technology can help: Reduce the cost, complexity and risk associated with managing manual and high-risk controls. Enable automation for manual controls.
Deloitte's offering: Controls Rationalization; Technology Implementation.

Client issue: Excessive effort to maintain documentation.
How technology can help: Facilitate the documentation, assessment and reporting of controls.
Deloitte's offering: Controls Rationalization; Technology Implementation.

Client issue: Excessive number of controls (increased time to document; longer testing cycles).
How technology can help: Reduce the number, cost, complexity and risk associated with controls. Streamline the process of controls documentation and testing.
Deloitte's offering: Controls Rationalization; Technology Implementation.

Client issue: Non-standardized processes and systems.
How technology can help: Streamline processes and systems to ensure consistency and efficiency.
Deloitte's offering: Business Process Reengineering; Technology Implementation.

Client issue: Internal control responsibilities not integrated into employee performance management.
How technology can help: Enable workflow. Ensure accountability.
Deloitte's offering: Change Management; Technology Implementation.

404 Tool consideration

Slide 4: How it All Fits Together
The compliance framework illustrates the inter-relationships between the technology components of the compliance landscape that enable a sustainable compliance program.
Company-specific business requirements (e.g. industry, organization, structure), compliance requirements (e.g. SOX, A123, HIPAA, Basel II, FDA) and infrastructure landscape (e.g. ERP system, legacy applications, IT infrastructure) are all factored into the consideration of automated and monitoring controls technology.
Compliance Framework diagram components: Technology Infrastructure; Integrated Compliance Dashboard; Compliance Management; Control Testing; Manual Controls; Automated Controls; Controls Monitoring.

Slide 5: Sarbanes-Oxley Section 404 – Internal Control Tools
Vendors offer different approaches to implementing and managing internal controls in their products. Many of these products provide functionality that can support sustained Sarbanes-Oxley compliance efforts:
– Integration with ERPs and financial reporting systems
– Automation and monitoring of controls and system configuration settings
The ERP vendors are expected to hold an advantage for companies that already use and support a vendor's product.
– Seamless integration with the organization's ERP can provide additional value to the compliance process.
Companies need to assess a product's migration capabilities to facilitate a smooth, accurate data transformation and upload.
Companies must consider their technology environment and business requirements to determine the best fit.

Slide 6: Sample Vendors
Two vendor groups are shown: ERPs & Large Software Vendors, and Specialty Vendors. Characteristics cited:
– Leverage an existing platform and applications
– Better leverage automated controls, continuous monitoring and workflow
– Provide easier integration with core financial and other related applications
– Track remediation efforts
– Leverage workflow, business process management, document management, compliance management, internal audit support, self-assessment and surveying capabilities
– Integration with 3rd-party technologies such as monitoring tools, document management tools and ERPs
– Other benefits: corporate governance, ERM, Basel II
– Most significant market share
There are a multitude of other vendors, either in the market or coming to market, that are recognized by industry analysts.

Slide 7: Tool Selection Based on Two Strategic Areas
Best fit with technical infrastructure, to ease integration and support efforts
– Determining technical infrastructure requirements will help establish the degree of interoperability with existing infrastructure and IT operations.
Best fit with your business needs
– Understand the key functionality necessary to meet business needs.
– Evaluate how the tools offer a long-term, sustainable strategy to maintain and improve SOX compliance efforts.
– Extendibility of the solution to aid other regulatory requirements outside of Sarbanes-Oxley.
– Assess the solution's ability to integrate with:
  Financial Management and HR systems
  Business Process Management and Risk Management programs
  Internal Audit tools
  Continuous Control Monitoring tools
– Consider the solution's ability to provide new functionality and process efficiencies to the compliance process effort.
– Recognize the impact of cost and licensing options.

Slide 8: Key Functionality and Other Benefits
Key functionality to consider in a 404 tool:
– Setup and organization of the information
– Ease of use
– Document management capabilities
– Surveying capabilities
– Self-assessments
– Issue tracking
– Control testing and remediation
– Other capabilities: copy forward, audit trail, multilingual support
– Workflow and notification
– Reporting and dashboards
– Integration with other technologies
Other benefits offered by these tools beyond 404:
– ERM
– FDICIA/Basel II compliance
– Corporate governance

Slide 9: Vendor Selection Project Approach
To effectively select the compliance software vendor, a three-phased approach is optimal.
Phase I – Planning and Requirements Definition
– Execute project kickoff and determine roles and responsibilities.
– Establish process flow and business needs.
– Build list of subject matter resources.
– Finalize findings and document the requirements of the compliance program.
Phase II – Request for Information Development and Execution
– Research vendors and trim list to the most viable candidates.
– Develop and release RFI to vendor candidates.
– Compile responses and trim the demo list to 2-3 vendors.
– Execute vendor demonstration process.
Phase III – Final Analysis and Recommendation
– Score and compile results.
– Finalize the selection process.
– Present the compliance system recommendation.
– Execute follow-up steps toward solution implementation.

Slide 10: Roadmap to an Improved Compliance Program
The journey begins with an internal controls repository. Over time, the more effective program integrates complementary technology. Via integrated technology, the value of the program extends beyond compliance.
Consider additional technology to realize:
– More efficient documentation management
– Better vision into the control environment through continuous monitoring
– Shorter testing cycles
Roadmap chart (Time vs. Value, progressing from Manual to Automated to Monitoring): Internal Controls Repository, General Computer Controls, Segregation of Duties, Automated Application Controls, Continuous Monitoring.

Slide 11: How it All Fits Together
The compliance framework illustrates the inter-relationships between the technology components of the compliance landscape that enable a sustainable compliance program.
Company-specific business requirements (e.g. industry, organization, structure), compliance requirements (e.g. SOX, A123, HIPAA, Basel II, FDA) and infrastructure landscape (e.g. ERP system, legacy applications, IT infrastructure) are all factored into the consideration of automated and monitoring controls technology.
Compliance Framework diagram components: Technology Infrastructure; Integrated Compliance Dashboard; Compliance Management; Control Testing; Controls Monitoring; Automated Controls; Manual Controls.

Slide 12: The Evolution of Compliance: Where are you today?
Manual (manual-based processes and controls):
– Manually intensive testing procedures
– Large sample sizes
– Approach not driven by risk
– Redundant controls
– Manually intensive processes and controls
– Inefficient testing
– Reactive approach to identifying and addressing control issues
Start:
– Risk-based approach
– Rationalized controls
– Management platform
Automate (technology-enabled processes and controls):
– Application controls
– User access and SOD controls
– Efficient operation of controls
– Efficient testing of controls
– Some automated testing capabilities
– Reduced sample sizes
Monitor (technology-enabled processes and controls):
– Continuous monitoring controls
– Efficient operation of controls
– Proactive approach to identifying and addressing control issues
– Demonstrated effectiveness of controls
– Sustainable compliance processes
– ROI / business value
Where is your compliance program today? As companies evolve their compliance environments, controls will transform from manually intensive, less reliable, inefficient controls to technology-based (automated and monitoring), cost-effective, reliable controls that enable a sustainable compliance program.

Slide 13: The Evolution of Controls
The graph illustrates the reliability and efficiency benefits of automated and manual controls (an illustrative example; axes: Reliability, Efficiency; series: Manual Controls, Automated Controls, Controls Monitoring).
Reliability considerations:
– Automated and CM controls operate consistently
– Automated and CM controls require reduced human interaction
Efficiency considerations:
– Operation: Automated and CM controls require reduced human interaction
– Testing: Automated and CM controls demonstrate effectiveness and allow reduced sample sizes
As companies evolve their compliance environments, controls will transform from manually intensive, less reliable, inefficient controls to technology-based (automated and monitoring), cost-effective, reliable controls that enable a sustainable compliance program.

Slide 14: Moving up the Value Chain
Improve Controls & Reduce Cost (Drive Sustainable Cost-Effective Compliance): Apply controls automation and monitoring techniques to achieve regulatory control objectives (e.g., SOX: financial reporting control objectives and risks).
Improve Operations (Drive Operational Improvement): Apply controls automation and monitoring techniques to achieve operational control objectives (e.g., Merchandise Management).
Optimize Processes (Drive Process Improvement): Apply technology to optimize processes (e.g., financial, operational, compliance, etc.).
To move up the value chain, companies should leverage the technology-enabled control capabilities used to achieve financial control objectives to address operational control objectives and process improvement opportunities. The initial technology investment for compliance could be leveraged to improve operations and optimize processes.

Slide 15: An Approach for Evolving Controls for Compliance
Companies can use the following approach to leverage technology-enabled control capabilities.
Assess Existing Control & Technology Environments
– Use a top-down, risk-based approach to scope the environment
– Consider integrating multiple compliance requirements
– Create a benchmark of existing controls by entity and/or location
– Identify inefficient and less effective controls
– Inventory the existing technology landscape
Develop a Strategy for Compliance Technology* – develop a strategy for leveraging technology-enabled controls, including consideration of the following:
– Evaluate existing technology for automation and monitoring capabilities
– Identify technology solutions for inefficient and less effective controls
– Develop a prioritized set of technology-enabled control solutions
Design & Implement Technology-Enabled Controls
– Design technology-enabled controls for business and IT processes, including automated controls and monitoring controls
– Implement technology-enabled controls
– Develop risk-based test plans that leverage technology capabilities
– Deploy updated training and communications
– Update operations to support new technology
*The strategy will form the basis of a roadmap for the evolution of controls for compliance.

Slide 16: How it All Fits Together
Compliance Framework diagram components: Technology Infrastructure; Integrated Compliance Dashboard; Compliance Management; Control Testing; Controls Monitoring; Automated Controls; Manual Controls.
There is a strong march of vendor solutions catering to automated and monitoring control capabilities; however, none yet covers all areas.
Representative vendors (representative list only), in the three groups shown on the slide:
– Axentis, IBM, Certus, Fujitsu, Oracle, Paisley, OpenPages, SAP
– ACL, Approva, Computer Associates, Fujitsu, HP, IBM, Logical Apps, Mercury, Oversight, Oracle/PeopleSoft, SAP/Virsa, Sun Microsystems, SAS, Symantec, webMethods
– Approva, Computer Associates, Courion, IBM, Fujitsu, HP, Logical Apps, Oracle/PeopleSoft, Oversight, SAP/Virsa, Sun Microsystems

Slide 17: Controls Monitoring
Transaction Monitoring
– Features: Identify suspicious transactions; identify inappropriate flows (e.g., duplicate payments)
– Benefits: Provide evidence of control operation / quickly identify issues
Master Data Monitoring
– Features: Monitor changes to master data files (e.g., Supplier Master) for suspicious activity
– Benefits: Identify and address suspicious changes to master data; detect stale master file records
Access Control Monitoring
– Features: Monitor changes to user access / roles
– Benefits: Detect unauthorized modifications to user access / roles; monitor access to sensitive transactions and data
Segregation of Duties Monitoring
– Features: Identify SOD violations
– Benefits: Detect executed transactions that violate SOD rules; prevent SOD conflicts that increase the risk of fraud and error
Configuration
– Features: Detect changes to system configurations that may increase risks of fraud and error
– Benefits: Demonstrate the continued effectiveness of application controls
Manual Process & Control Monitoring
– Features: Ensure the initiation and completion of manual business and IT processes and controls
– Benefits: Provide an audit trail for manual processes; increase effectiveness and efficiency of manual business and IT processes and controls
IT General Controls
– Features: Security / access controls; change management controls; IT operations controls
– Benefits: Enable increased reliance on automated business process controls

Slide 18: Case Study: Duplicate Payments/Invoices
Manual Control Procedure
– Operational considerations: Monthly review of payment register reports to identify and resolve issues. Duplicate payments are identified after cash flows out of the business.
– Testing considerations: Sample size: maximum (25). Coverage: points along the audit period. Self testing: low objectivity.
– Business value realized: Duplicate invoices identified up to 31 days after payments. Cash from duplicate payments is collected within 90 days.
Automated Control Procedure
– Operational considerations: System is configured to provide alerts to users when exact duplicate invoices are detected. Most duplicate payments are prevented.
– Testing considerations: Sample size: minimum (1). Coverage: a point in time. Self testing: low objectivity.
– Business value realized: 80% of duplicate payments are prevented, which provides a positive impact on cash flows.
Controls Monitoring
– Operational considerations: Configuration: management is alerted of changes in real time. Transactions: invoices entered are monitored for suspected duplicates based on multiple criteria in real time. All configuration changes and potential duplicate payments are reviewed by management in real time.
– Testing considerations: Sample size: minimum (1). Coverage: 100% coverage. Self testing: effectiveness of controls demonstrated by monitoring capability.
– Business value realized: All duplicate payments are reviewed and authorized in real time, prior to impacting operations and financial results.
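The two detection styles in this case study, as an added example that is not from the presentation or any vendor's product: an automated control that alerts only on exact duplicate invoices beside a monitoring control that evaluates each invoice as it is entered against the vendor's recent history on several criteria. The invoice fields, the 31-day look-back window, the normalization rule and the sample feed are constructed assumptions.

```python
"""Duplicate-invoice detection: exact-match automated control versus a
multi-criteria monitoring control. Added example with constructed data."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Invoice:
    doc_id: str          # internal AP document number
    vendor_id: str
    invoice_number: str  # vendor's invoice number as keyed by the clerk
    amount: float
    invoice_date: date


def normalize_invoice_number(raw: str) -> str:
    """Lower-case, alphanumerics only, leading zeros dropped from each numeric
    run, so 'INV-0042' and 'inv 42' compare equal."""
    compact = re.sub(r"[^0-9a-z]", "", raw.lower())
    return re.sub(r"(?<!\d)0+(?=\d)", "", compact)


def exact_duplicate_alerts(invoices):
    """Automated control: alert when vendor, keyed invoice number and amount all
    match an earlier invoice. Re-keyed numbers and near-duplicates slip through."""
    seen, alerts = {}, []
    for inv in invoices:
        key = (inv.vendor_id, inv.invoice_number, round(inv.amount, 2))
        if key in seen:
            alerts.append((seen[key], inv.doc_id))
        else:
            seen[key] = inv.doc_id
    return alerts


class DuplicateMonitor:
    """Monitoring control: compare each new invoice with the vendor's history
    on several criteria so suspects are held for review before payment."""

    def __init__(self, window_days=31):
        self.window_days = window_days    # assumed look-back for amount matches
        self.history = defaultdict(list)  # vendor_id -> invoices seen so far

    def observe(self, inv):
        """Return (earlier_doc_id, new_doc_id, reasons) for every suspect match."""
        flags = []
        new_number = normalize_invoice_number(inv.invoice_number)
        for prior in self.history[inv.vendor_id]:
            reasons = []
            if normalize_invoice_number(prior.invoice_number) == new_number:
                reasons.append("same-invoice-number")
            days_apart = abs((inv.invoice_date - prior.invoice_date).days)
            if (round(prior.amount, 2) == round(inv.amount, 2)
                    and days_apart <= self.window_days):
                reasons.append("same-amount-within-window")
            if reasons:
                flags.append((prior.doc_id, inv.doc_id, tuple(reasons)))
        self.history[inv.vendor_id].append(inv)  # record after comparing
        return flags


def monitor_feed(invoices, window_days=31):
    """Run the monitor over a feed in entry order and collect every flag."""
    monitor = DuplicateMonitor(window_days)
    return [flag for inv in invoices for flag in monitor.observe(inv)]


# Constructed feed: INV-2 re-enters INV-1 exactly; INV-3 re-keys it as 'a-0100';
# INV-5 repeats INV-4's amount 26 days later; INV-6 repeats it outside the window.
SAMPLE_FEED = [
    Invoice("INV-1", "V100", "A100", 1250.00, date(2007, 1, 5)),
    Invoice("INV-2", "V100", "A100", 1250.00, date(2007, 1, 20)),
    Invoice("INV-3", "V100", "a-0100", 1250.00, date(2007, 1, 22)),
    Invoice("INV-4", "V200", "B7", 980.50, date(2007, 1, 10)),
    Invoice("INV-5", "V200", "B8", 980.50, date(2007, 2, 5)),
    Invoice("INV-6", "V200", "B9", 980.50, date(2007, 3, 15)),
    Invoice("INV-7", "V300", "C1", 100.00, date(2007, 1, 15)),
]
```

On the sample feed the exact-match control raises one alert while the monitor raises four, which is the gap between "most duplicate payments are prevented" and 100% coverage that the case study contrasts.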

Slide 19: Case Study: User Access / SOD
Manual Process & Controls
– Operational considerations: The user access authorization process is manually intensive, disconnected and lengthy. Access creep is common due to changing roles and responsibilities. The manual process is not integrated across applications. SOD considerations are limited and narrowly focused.
– Testing considerations: Sample size: maximum (25). Coverage: points along the audit period. Self testing: low objectivity.
– Business value realized: Limited control of user access and SOD based upon job responsibilities.
Automated Process & Controls
– Operational considerations: Use of workflow tools, and enforcement of access and SOD requirements via configured and preventive controls. Establish and maintain a repository of rules for enhanced decision making.
– Testing considerations: Sample size: minimum (1). Coverage: a point in time. Self testing: low objectivity.
– Business value realized: Improved definition and grasp of organizational roles and responsibilities, and visibility into organizational structure. A workflow-driven authorization process is more efficient and reliable, and preventive access controls reduce risks.
Controls Monitoring
– Operational considerations: Configuration: management is alerted of changes in real time. Transactions: business transactions are monitored to detect SOD violations in real time. All changes are recorded for audit purposes.
– Testing considerations: Sample size: minimum (1). Coverage: 100% coverage. Self testing: effectiveness of controls demonstrated by monitoring capability.
– Business value realized: Timely insight into organizational changes and identification of potential errors and fraud. Transactions violating access and SOD rules are detected and addressed in a timely manner.
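The SOD monitoring category of the Controls Monitoring slide and this case study, as an added example that is not from the presentation or any vendor's product: a rule repository of conflicting business functions, a preventive check applied to the access repository and to access requests in the authorization workflow, and a detective check over executed transactions that also catches conflicts the role model does not show (access creep, emergency access). The role names, functions, rules, users and log lines are all constructed.

```python
"""Segregation-of-duties (SOD) rule repository with a preventive check on role
assignments and a detective check on executed transactions. Added example."""
from collections import defaultdict

# Constructed rule repository: conflicting function pairs and the risk each controls.
SOD_RULES = {
    frozenset({"CREATE_VENDOR", "APPROVE_PAYMENT"}): "pay a fictitious vendor",
    frozenset({"ENTER_INVOICE", "APPROVE_PAYMENT"}): "self-approve an invoice",
    frozenset({"MAINTAIN_USER_ACCESS", "APPROVE_PAYMENT"}): "grant own payment rights",
}

# Constructed role model: business functions granted by each role.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"ENTER_INVOICE", "VIEW_VENDOR"},
    "VENDOR_MAINT": {"CREATE_VENDOR", "VIEW_VENDOR"},
    "AP_MANAGER": {"APPROVE_PAYMENT", "VIEW_VENDOR"},
    "SECURITY_ADMIN": {"MAINTAIN_USER_ACCESS"},
}


def functions_for(roles):
    """Union of the functions granted by a set of roles."""
    return set().union(*(ROLE_FUNCTIONS.get(r, set()) for r in roles))


def conflicts_in(functions):
    """SOD rules violated by one set of functions, as (sorted pair, risk)."""
    return sorted((tuple(sorted(pair)), risk)
                  for pair, risk in SOD_RULES.items() if pair <= functions)


def role_conflicts(user_roles):
    """Preventive review of the access repository: users whose combined roles
    violate a rule (typical of access creep after a role change)."""
    found = {}
    for user, roles in user_roles.items():
        conflicts = conflicts_in(functions_for(roles))
        if conflicts:
            found[user] = conflicts
    return found


def provisioning_check(current_roles, requested_role):
    """Preventive workflow step: conflicts that granting requested_role would add."""
    before = conflicts_in(functions_for(current_roles))
    after = conflicts_in(functions_for(set(current_roles) | {requested_role}))
    return [c for c in after if c not in before]


def transaction_violations(log):
    """Detective check on what was actually executed, independent of the role
    model: (a) one user performing both halves of a conflicting pair on the
    same document, (b) one user performing both halves anywhere in the period,
    which also catches emergency or unrecorded access."""
    by_doc = defaultdict(lambda: defaultdict(set))  # document -> user -> functions
    by_user = defaultdict(set)                      # user -> functions executed
    for _ts, user, function, document in log:
        by_doc[document][user].add(function)
        by_user[user].add(function)
    same_doc = sorted((doc, user, pair) for doc, users in by_doc.items()
                      for user, fns in users.items() for pair, _ in conflicts_in(fns))
    per_user = sorted((user, pair) for user, fns in by_user.items()
                      for pair, _ in conflicts_in(fns))
    return same_doc, per_user


USER_ROLES = {  # constructed access repository
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},  # kept the clerk role after promotion
    "carol": {"VENDOR_MAINT"},
}

SAMPLE_LOG = [  # constructed application log: (timestamp, user, function, document)
    ("2007-01-05T09:00", "alice", "ENTER_INVOICE", "INV-1"),
    ("2007-01-05T11:00", "bob", "APPROVE_PAYMENT", "INV-1"),
    ("2007-01-06T09:00", "bob", "ENTER_INVOICE", "INV-2"),
    ("2007-01-06T09:05", "bob", "APPROVE_PAYMENT", "INV-2"),
    ("2007-01-07T10:00", "dave", "CREATE_VENDOR", "VEND-9"),  # dave has no role on file
    ("2007-01-08T10:00", "dave", "APPROVE_PAYMENT", "INV-3"),
]
```

The detective pass flags dave even though the access repository has no roles for him at all, which is the kind of gap a point-in-time review of role assignments alone cannot demonstrate.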

Slide 20: Closing Thoughts
CCM can enhance the effectiveness of controls and increase efficiencies:
– Reduces cost and reliance on external resources, increasing control reliability
– Allows Internal Audit and line staff to perform their assigned roles and responsibilities
– Provides real-time information for proactive and preventive measures
– Leverages real-time information and the compliance investment for value generation
– Improves data and control quality through a sustainable and repeatable process
Controls monitoring is a key component of the compliance evolution.
Technology can and should play a central role in controls automation and monitoring.
A good first step is to develop a roadmap that can begin quickly during the next fiscal year.