© 2007 Approva Corporation. All rights reserved. Continuous Monitoring & Audit Taj Chadha Senior Director, Integration Solutions Practice.


Agenda
- Introduction
- The Business Controls Challenge
- Controls Solution
- Real World Examples
- Q & A

About Approva
Approva provides continuous monitoring and audit software that enables finance, business, IT and audit to automate and strengthen business controls.
Solution elements (diagram): preventive controls; continuous, exception-based monitoring and reporting; on-demand controls testing; closed-loop remediation.

Selected Approva Customers (by sector): Manufacturing, Transportation & Public Sector; Technology, Telecom & Media; Consumer Products & Retail; Pharmaceutical & Biotech; Energy & Chemicals.

The Business Controls Challenge

Approva's Controls Monitoring & Audit Solution (diagram slides)

The Siemens Experience: Moving from Manual to Automated Controls Monitoring

User Access Challenges
Siemens PG's CFO gave a 12-month deadline to identify and remediate all SoD violations.
- Identify and resolve segregation of duties (SoD) violations across all 3 SAP instances
- Empower business users to identify role violations and take corrective action
- Implement a compliant provisioning process to prevent new SoD violations
- Standardize the design and testing of business controls across all 18 subsidiaries

Overcoming SoD Challenges
- Siemens decided that automation was the only way to address SoD challenges
- Approva identified 32,000 SoD violations
- Approva's out-of-the-box rules enabled business users to analyze and remediate violations
By automating controls monitoring, Siemens was able to eliminate all SoD violations within 10 weeks.

Key Benefits of SoD & Preventive Controls
- Significantly reduced audit preparation time
- Eliminated 3,000 segregation of duties (SoD) violations in 4 months
- Automation helped not just identify but also remediate user violations faster
- Respond to auditors' requests faster than before (four days now versus two months earlier)

Moving Towards Corporate-Wide Controls Auditing
Siemens entities shown (diagram): Siemens AG; Siemens North America; Siemens Power Gen; Siemens Energy & Automation.
- Siemens internal audit groups are standardizing Approva rules for consistent audits
- Siemens corporate information office has selected Approva as a global governance standard
- Auditors can access most required controls information remotely
- KPMG has also licensed Approva to conduct audits
"Last year only 2 auditors came to visit and the meetings lasted less than an hour!" (Controller, Siemens PowerGen)
Source: Siemens Study, ASUG/Sapphire, Atlanta, March 2007

Limited Brands: Monitoring Controls Across 20+ Applications

Limited Brands IT Environment (diagram: Brands 1 through 5, each with its own applications)

Key Business Challenges
- Identify and remediate segregation of duties (SoD) violations across 26 applications
- Identify information owners and hold them accountable for SoD violations
- Meet an aggressive (3-month) deadline for the SOX 404 management assertion
- Transition applications to a new SAP instance
- Continue to manage components of legacy applications that remain in place
- Create the capability to quickly add new applications as business needs change

SOX Compliance & Sustainability
Diagram: 17 applications feeding a SQL database, reported through Crystal Reports into Microsoft Excel.
Initial process:
- Flat files mapped roles and users to a common format, stored in a SQL database
- Crystal Reports produced output to Excel
- The weekly process required 2-3 hours
- Manage false positives
LBI Conflict Matrix:
- Defined high-level categories of financial functionality within LBI
- Defined a matrix of conflicting duties for the high-level categories
- Mapped legacy application functionality to the LBI high-level categories

Data Flow Between Applications, SQL & Approva
Diagram: applications #1 through #15 feed the SQL database and a unique-user-ID DB; BEU adapters connect them to Approva.
- Implemented the Approva rule set
- Integrated the LBI legacy conflict matrix with the Approva rule set
- Developed custom Approva BEU adapters for LBI legacy applications
- Developed a custom SQL database to create a common ID for an individual's disparate IDs across applications
- Integration with Project Insight

Created Repeatable Process
Extended controls monitoring to include new SAP modules and non-SAP applications (diagram: App #16, #17 and #18 added through the IBM DataStage ETL tool, the SQL database and BEU adapters).
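The Siemens and Limited Brands slides describe the same mechanism without showing it: per-application role extracts, a table that resolves each application's local user IDs to one person, a mapping of application roles to high-level financial categories, and a conflict matrix over those categories. The example below is added here to make that pipeline concrete; it is not Approva's code or Limited Brands' database, and every table name, role, category and person ID in it is constructed for illustration. It uses an in-memory SQLite database so the conflict query can be read as plain SQL, and it includes a mitigations table for the "manage false positives" step. Note that one of the conflicts only appears because two differently-spelled IDs resolve to the same person.

```python
import sqlite3

# Constructed sample data, not taken from the presentation.
# Role extracts as each application's flat file would deliver them:
# (application, app_user_id, app_role)
ROLE_EXTRACTS = [
    ("SAP",        "JDOE",   "AP_INVOICE_ENTRY"),
    ("SAP",        "JDOE",   "AP_PAYMENT_RUN"),
    ("LEGACY_AP",  "jdoe42", "VENDOR_MAINT"),
    ("SAP",        "ASMITH", "AP_INVOICE_ENTRY"),
    ("LEGACY_PAY", "smitha", "CHECK_PRINT"),
    ("SAP",        "BLEE",   "GL_JOURNAL_POST"),
    ("SAP",        "BLEE",   "GL_DISPLAY"),
]

# Unique-user-ID table: each application's local ID resolved to one person.
IDENTITY_MAP = [
    ("SAP", "JDOE", "E1001"), ("LEGACY_AP", "jdoe42", "E1001"),
    ("SAP", "ASMITH", "E1002"), ("LEGACY_PAY", "smitha", "E1002"),
    ("SAP", "BLEE", "E1003"),
]

# Application-specific roles mapped to high-level financial categories.
CATEGORY_MAP = [
    ("SAP",        "AP_INVOICE_ENTRY", "AP_INVOICE"),
    ("SAP",        "AP_PAYMENT_RUN",   "AP_PAYMENT"),
    ("LEGACY_AP",  "VENDOR_MAINT",     "VENDOR_MASTER"),
    ("LEGACY_PAY", "CHECK_PRINT",      "AP_PAYMENT"),
    ("SAP",        "GL_JOURNAL_POST",  "GL_POST"),
    ("SAP",        "GL_DISPLAY",       "GL_VIEW"),
]

# Conflict matrix: category pairs one person must not hold together.
CONFLICT_MATRIX = [
    ("AP_INVOICE",    "AP_PAYMENT"),
    ("VENDOR_MASTER", "AP_PAYMENT"),
    ("VENDOR_MASTER", "AP_INVOICE"),
]

# Documented mitigating controls used to suppress known false positives.
MITIGATIONS = [
    ("E1002", "AP_INVOICE", "AP_PAYMENT", "independent review of every payment run"),
]

SCHEMA = """
CREATE TABLE role_extracts   (application TEXT, app_user_id TEXT, app_role TEXT);
CREATE TABLE identity_map    (application TEXT, app_user_id TEXT, person_id TEXT);
CREATE TABLE category_map    (application TEXT, app_role TEXT, category TEXT);
CREATE TABLE conflict_matrix (category_a TEXT, category_b TEXT);
CREATE TABLE mitigations     (person_id TEXT, category_a TEXT, category_b TEXT, control TEXT);
"""

# Resolve every role to (person, category) across all applications, then
# self-join on the matrix to find each person holding both halves of a pair.
CONFLICT_SQL = """
WITH entitlements AS (
    SELECT i.person_id, c.category, r.application || ':' || r.app_role AS source
    FROM role_extracts r
    JOIN identity_map i ON i.application = r.application AND i.app_user_id = r.app_user_id
    JOIN category_map c ON c.application = r.application AND c.app_role = r.app_role
)
SELECT a.person_id, m.category_a, m.category_b, a.source, b.source
FROM conflict_matrix m
JOIN entitlements a ON a.category = m.category_a
JOIN entitlements b ON b.category = m.category_b AND b.person_id = a.person_id
LEFT JOIN mitigations x ON x.person_id = a.person_id
    AND x.category_a = m.category_a AND x.category_b = m.category_b
WHERE :include_mitigated = 1 OR x.person_id IS NULL
ORDER BY a.person_id, m.category_a, m.category_b
"""


def build_db():
    """Load the constructed extracts into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO role_extracts VALUES (?,?,?)", ROLE_EXTRACTS)
    conn.executemany("INSERT INTO identity_map VALUES (?,?,?)", IDENTITY_MAP)
    conn.executemany("INSERT INTO category_map VALUES (?,?,?)", CATEGORY_MAP)
    conn.executemany("INSERT INTO conflict_matrix VALUES (?,?)", CONFLICT_MATRIX)
    conn.executemany("INSERT INTO mitigations VALUES (?,?,?,?)", MITIGATIONS)
    return conn


def find_sod_violations(conn, include_mitigated=False):
    """Return (person_id, category_a, category_b, source_a, source_b) rows."""
    rows = conn.execute(CONFLICT_SQL, {"include_mitigated": int(include_mitigated)})
    return [tuple(r) for r in rows]


if __name__ == "__main__":
    db = build_db()
    for row in find_sod_violations(db):
        print(row)
</```

Person E1001 is reported three times, once per conflicting pair; the VENDOR_MASTER/AP_PAYMENT hit spans two applications and would be invisible to a per-application SoD report. Person E1002 also holds a conflicting pair across two systems, but the documented mitigating control suppresses it unless `include_mitigated=True` is passed, which is how the weekly review can separate accepted risk from new findings.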

Honeywell: Going beyond SoD to General Computing Controls

Aero Security Challenges: Many Internal & External Challenges
Audit outsourcing; application security; physical security; customization; segregation of duties (SoD); BASIS monitoring; excessive access; hand-off integrity; partner security/nationality compliance; validation; backdoors; secure SDLC; third-party integration; DR/BCP; global DC design; instance integrity; customized roles and T-codes.

Beyond SOX Compliance
Requirement sources shown: Sarbanes-Oxley, ITAR, business requirements, customer requirements.
- Compliance with government laws, Honeywell policies and customer contractual requirements
- Secure technical data from foreign nationals (related terms on the slide: US citizen, need-to-know, classified data, not entered into SAP, operational security requirements)
- Control the shipment of licensable products
- Policies and procedures
- Internal controls: prevent or detect employees perpetrating and concealing actions which could damage the firm's financial standing or reputation

General Computing Controls Monitoring
- Monitor system settings and flags, log file settings, and other key elements to quickly identify high-risk IT settings
- Enforce security and password policy: analyze system parameters (including those from SAP's RSPARAM report) to monitor critical security policies such as password length and expiration
- Monitor and report on changes to SAP clients, including transport landscapes, transport destinations and program change history; managers can be alerted when transports occur outside normal windows, or on one-off or repetitive role changes
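The two checks on this slide are simple enough to show end to end. The example below is added here and is not Approva's rule logic: it parses a profile-parameter extract, compares it with a password policy, and flags transport imports that fall outside an approved change window or repeat on the same day. The parameter names `login/min_password_lng`, `login/password_expiration_time` and `login/fails_to_user_lock` are real SAP profile parameters, but the three-column extract layout, the policy thresholds, the Saturday change window and the transport log lines are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, time

# Password-policy thresholds (assumed for the example; substitute your own).
PASSWORD_POLICY = {
    "login/min_password_lng":         ("min", 8),          # at least 8 characters
    "login/password_expiration_time": ("between", 1, 90),  # 0 means never expires
    "login/fails_to_user_lock":       ("max", 5),          # lock after at most 5 failures
}

# Constructed extract in the layout assumed here: name, user-defined value,
# system default. Not real RSPARAM output.
RSPARAM_SAMPLE = """\
login/min_password_lng            6      6
login/password_expiration_time    0      0
login/fails_to_user_lock          5      5
rdisp/gui_auto_logout             1800   0
"""

# Constructed transport import log: (transport, import timestamp, description).
TRANSPORT_LOG = [
    ("DEVK900101", "2007-09-29 03:15", "role change"),     # Saturday, in window
    ("DEVK900102", "2007-10-02 14:40", "role change"),     # Tuesday, outside
    ("DEVK900103", "2007-10-02 14:55", "role change"),     # Tuesday, outside, repeated
    ("DEVK900104", "2007-09-29 05:30", "program change"),  # Saturday, in window
]

# Approved change window (assumption): Saturdays 02:00-06:00 (weekday 5 = Saturday).
CHANGE_WINDOW = {"weekday": 5, "start": time(2, 0), "end": time(6, 0)}


def parse_rsparam(text):
    """Parse the assumed three-column layout into {parameter: effective value}."""
    params = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        name, user_value = parts[0], parts[1]
        params[name] = int(user_value) if user_value.isdigit() else user_value
    return params


def check_password_policy(params, policy=PASSWORD_POLICY):
    """Return (parameter, actual, expected) for every parameter out of policy."""
    findings = []
    for name, rule in policy.items():
        actual = params.get(name)
        if actual is None:
            findings.append((name, None, "parameter missing from extract"))
            continue
        kind = rule[0]
        if kind == "min" and actual < rule[1]:
            findings.append((name, actual, f">= {rule[1]}"))
        elif kind == "max" and actual > rule[1]:
            findings.append((name, actual, f"<= {rule[1]}"))
        elif kind == "between" and not (rule[1] <= actual <= rule[2]):
            findings.append((name, actual, f"{rule[1]}..{rule[2]}"))
    return findings


def transports_outside_window(log, window=CHANGE_WINDOW):
    """Return transport IDs imported outside the approved change window."""
    outside = []
    for transport, stamp, _ in log:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        in_window = (when.weekday() == window["weekday"]
                     and window["start"] <= when.time() < window["end"])
        if not in_window:
            outside.append(transport)
    return outside


def repetitive_role_changes(log, threshold=2):
    """Return {date: count} for days with `threshold` or more role-change imports."""
    per_day = Counter(stamp[:10] for _, stamp, desc in log if desc == "role change")
    return {day: n for day, n in per_day.items() if n >= threshold}


if __name__ == "__main__":
    for finding in check_password_policy(parse_rsparam(RSPARAM_SAMPLE)):
        print("policy:", finding)
    print("outside window:", transports_outside_window(TRANSPORT_LOG))
    print("repetitive:", repetitive_role_changes(TRANSPORT_LOG))
```

A parameter absent from the extract is reported rather than silently passed, since a missing line usually means the extract job failed or the parameter was never set; and an expiration value of 0 is treated as a finding even though it parses cleanly, because on that parameter 0 means passwords never expire.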

High-level violation trend: ~3,600 user violations as of 9/27, down to ~1,106 as of 10/03.

Success Story: "Under the Hood at Honeywell", Business Finance Magazine, Oct 2007
"We've greatly reduced the amount of time we spend on manual work, reallocated our people to other activities, such as developing security around our new business intelligence modules," says Lish, who estimates that the new compliance monitoring processes and technology have helped his team boost its productivity by 20 percent. Lish has also reduced his function's reliance on outside consultants now that his staffers spend less time on manual compliance monitoring and analysis. Through August, Lish had reduced his consultant spend by $200,000 compared to the same period in 2006.