Presentation is loading. Please wait.

Presentation is loading. Please wait.

Improving SOX Remediation

Published byIsaac Horn Modified over 5 years ago

Similar presentations

Presentation on theme: "Improving SOX Remediation"— Presentation transcript:

1 Improving SOX Remediation
Through Automated Testing of Internal Controls November 4, 2005 Welcome & thanks for the meeting Make introductions Ask what they’d like to cover Tell them what you are going to cover

2 Agenda Background on Approva Compliance Process
Methods for Testing Effectiveness of Internal Controls Applying Automation to the Testing Procedures

3 Approva: Company Snapshot
Enterprise software company, founded in 2002 Headquartered in Reston, VA; R&D in Pune, India 190 Employees; over half in product development Raised $30M from leading venture capital firms Industry collaboration and partnerships

4 Approva – a growing list of blue chip customers
Manufacturing High Tech & Media Consumer Products & Retail Energy & Communications Pharmaceutical & Chemicals Owens Corning Publix Canada National Railway Vistakon

5 BizRights Solution Architecture
Compliance Fraud Analysis Business Improvement Data Integrity User Authorizations & Activity Configuration Settings & Master Records Transactions Executed Business Solutions Advanced Functionality BizRights Platform Dynamic Rules Analysis Exception Reporting C Simulation & Change Control C Automated Notification C Intelligent Data Extraction Automated Workflow

6 BizRights: Continuous Controls Intelligence
GR/IR mismatches Payments that exceed thresholds Duplicate payments Discounts not taken Payments, purchase orders, sales orders modified after approval Unusual movement types, number ranges, payment terms, tolerance settings, etc. Credit checks not turned on POs with unlimited over/under delivery Unusual credit limits Unusual changes to payment terms, bank details, etc. Transactions Everyday Activities Configuration Master Records, System Settings The BizRights product family helps you to address all three levels of compliance, through targeted rules, reports, and analysis. Approva’s product family was designed to address not just user roles and responsibilities, but also system settings and transactions. Users User Roles and Responsibilities Detect SoD conflicts within roles & users Detect the use of sensitive transactions Act as a compensating control for excluded users

7 The Compliance Process
Walk through the lifecycle, but focus on fact that the bottom chevrons deal with “value” and “continuous improvement” How can you achieve these things if you are spending all of your time and effort performing manual control procedures and extensive manual test plans Shift resources from issue identification to Isssue Reolution To Continuoas Improvement and Realizing Value Achieving Compliance should not be so intensive

8 What is your perspective on complexity?
ERP System Business Transactions and Master Data Purchase Requests Orders Process Payments Receive Goods Invoice Material Master Vendor Master Configuration Settings Access and Change Management Global System Settings Compliance Requirements? SOX FDA Privacy Control Environment? Multiple ERPs Multiple Apps Control Solutions? Identity Management Tools Portals Documentation Repositories Legacy Applications Briefly talk about the complexity oc corporate IT environments Multiple ERPs and Legacy Systems Most control environments include: Identity management tools, portals, ducument repositories, etc. Setting the table for “cross platform, etc” Document Repositories Portals Identity Management

9 Typical Control Structure
Typical ERP Control Design Control structure is not always integrated with ERP functionality, rather built around it Highly manual control processes Increased control ownership and accountability issues Testing of controls is a highly manual process Not all exceptions identified Time consuming and costly Control Enabler Configuration Application Security Reporting Self explanatory slide – talk to exisiting control structure, as well as testing methods are still highly manual. Even with ERP’s a lot of configuration decisions were made for business requirements, not controls requirements. Retrofit of controls after implementation is costly and sometimes impossible A lot of deficiencies are found because someone forgot to initial a report, or cant dig up the document they were supposed to sign off on. Auditors and consultants charge a lot of money Role of internal audit is truly “audit” – while many companies would like IA to enhance the business and add value… how can they if they spend all their time in “testing” mode General IT Controls Manual Controls

10 Control Effectiveness Life Cycle
Review control documentation to ensure adequate design Develop control test strategy Execute control testing Report exceptions, categorize deficiencies and conclude Remediate through modification of business processes, system settings, and possibly the controls themselves Run the process all over again

11 Testing Procedure Review of paper documentation, such as journal entry reports, manual invoices, manual reconciliations, system logs, etc Confirm system functionality through reviewing security design, configuration settings and related technical objects Review of business transactional data, such as invoices, PO’s, etc. But these approaches have their issues… Who’s going to build, modify and maintain the reports? Who’s going to run them? And what happens when they forget? Where’s your audit trail? ERP’s won’t tell you when someone’s changed a control ERP’s won’t tell you when the control is in place, and being circumvented anyway

12 Sample Test – Configurable Control
To test the effectiveness of a configurable control, such as the PO approval limits (release strategy), the following steps are performed: Verify IMG settings are properly configured and set to proper tolerances Verify access to the IMG is restricted Sample 1 transaction to verify effectiveness of control Issues / Observation Time to test is significantly lower than manual controls Configuration and tolerances typically set to business requirements, not control requirements (e.g. 500,000, as opposed to 50,000) Retro-fit is typically expensive (re-implementation is some cases) Manual work-arounds are common (e.g. still need signature above 50,000) Automation Opportunities Identify exceptions within existing control configuration (e.g. automatic notification for all PO’s over 50,000, but below 500,000)

13 Sample Test – SOD Compensating Control
When testing SOD’s, it is very common to have a business need to violate an SOD rule, such as creation and payment of a PO in a small division. The following steps are typically performed: Once deficiency is noted, review compensating controls for adequacy Review evidence that compensating control has been operating effectively Typically, this is relying on final reviews of payable reports by a manager Issues / Observation Manual testing is time consuming Compensating controls must be specific to the activity (e.g. the review must be to specifically check for SOD violations, not accuracy of pay run) Very common and hard to prove if not specifically designed to monitor SOD Automation Opportunities Identify when a PO is created and paid, not only by the same user, but can be more specific to the same vendor, date, etc

14 Sample Test – Manual Report Reviews
To test whether an employee reviewed a weekly report that lists the changes to the customer master, the following steps are performed: Verify the data that is listed on the report is valid Select a sample of reports (sample determined by frequency of occurrence) Verify that the employee reviewed the report Initials and date on the report to follow up on a change Additional change reports that verify action taken Issues / Observations Time to test is high – usually several hours and very iterative Review requires looking at all changes Documentation retention a major issue - typically results in a deficiency Automation Opportunities Proactively notify a control owner for high risk changes

15 Control Structure w/ Automated Testing and Monitoring
Typical ERP Control Design Significantly increase the efficiency and effectiveness of control processes Monitor only critical data changes Enhance or refine configuration tolerances Preventative access control features Automatic notification of control violations Workflow and audit trail Testing of controls is a highly automated process All exceptions identified Control configuration and system setting reporting replaces manual test procedures Comprehensive SOD and Sensitive access analysis Control Enabler Configuration Application Security Reporting Pretty straight forward slide Shift from manual to automated Less time testing and doing control procedures, means more time fixing problems and enhancing the business General IT Controls Manual Controls Continuous Controls Testing

16 BizRights The BizRights’ Model
Control rules and functionality focused on business processes, configuration and system setting data Process Insights BizRights Global System Settings Verify System Parameters Configuration Settings Verify IMG Configuration Settings Enhance Existing Controls Data Extraction, Workflow and Analysis Capabilities – Application Independent!!! Business Transactions and Master Data Identify Exceptional Transactions Material Master Vendor Master Automate Manual Controls Authorizations Insights Sensitive Transactions Purchase Requests Purchase Orders Receive Goods Process Invoice Process Payments Segregation Of Duties Analysis Its all about the data! We can extract all types of data Our analysis and rules engine can be easily configured by ANYONE to apply control requirments to the data Our platform has tons of functionality What If Analysis Access Management Closed Loop Remediation Approval Work Flow Control rules and functionality focused on security processes and data

17 BizRights Automated Compliance
Typical ERP Control Design BizRights Control Enabler Control Enabler Testing Mechanism Configuration Enhance Existing Controls Identify Exceptional Trx’s Configuration Settings System Parameters Application Security What If Analysis Access Approval Workflow Segregation of Duties Sensitive Transactions Reporting Exception Based Reporting Closed Loop Remediation Verification of Remediation High Level Examples of how BR can be used Manual Controls Automate Manual Controls Electronic Audit Trail IT Controls Baseline system settings Proactively identify changes System parameters Security and change process

18 Summary & Key Take Aways
Common goal is to achieve sustainable compliance that can improve the business Turn compliance activities from a cost into an asset Manual testing of controls consumes too much time & cost Automated testing will reduce overall cost and allow more time for remediation and mitigation of control violations Don’t Just Comply…Transform Your Business

Download ppt "Improving SOX Remediation"

Similar presentations

Audit Considerations for your 11i implementation Richard Byrom Oracle Applications Consultant UKOUG November 2004.

Audit Considerations for your 11i implementation Richard Byrom Oracle Applications Consultant UKOUG November 2004.
Travel and Expense Management Scenario Overview

Travel and Expense Management Scenario Overview
Improving SOX Remediation Through Automated Testing of Internal Controls November 4, 2005.

Improving SOX Remediation Through Automated Testing of Internal Controls November 4, 2005.
Chapter 1 Business Driven Technology

Chapter 1 Business Driven Technology
Travel and Expense Management Scenario Overview

Travel and Expense Management Scenario Overview
SAP Travel OnDemand Travel and Expense Management

SAP Travel OnDemand Travel and Expense Management
Chapter 10: Auditing the Expenditure Cycle

Chapter 10: Auditing the Expenditure Cycle
The TRUTH About SOX, Auditors & Oracle Applimation is the leading provider of Application Lifecycle Management solutions.

The TRUTH About SOX, Auditors & Oracle Applimation is the leading provider of Application Lifecycle Management solutions.
1 SAP Security and Controls Use of Security Compliance Tools to Detect and Prevent Security and Controls Violations.

1 SAP Security and Controls Use of Security Compliance Tools to Detect and Prevent Security and Controls Violations.
Evolution of the Siemens Experience in its Effort to Test IT Controls on a Continuous Basis Rolf Haardörfer IT Audit Professional Siemens Corporation Tenth.

Evolution of the Siemens Experience in its Effort to Test IT Controls on a Continuous Basis Rolf Haardörfer IT Audit Professional Siemens Corporation Tenth.
Shooting The Moving Target…… Internal Controls & Segregation of Duties (SOD) Session Code: 503 Jasvir Gill, Virsa Systems Donnie Looper, Eastman Chemical.

Shooting The Moving Target…… Internal Controls & Segregation of Duties (SOD) Session Code: 503 Jasvir Gill, Virsa Systems Donnie Looper, Eastman Chemical.
Best Practices for User Access Controls and Segregation of Duties Presented by: Jeffrey T. Hare, CPA CISA CIA ERP Seminars.

Best Practices for User Access Controls and Segregation of Duties Presented by: Jeffrey T. Hare, CPA CISA CIA ERP Seminars.
Continuous Monitoring for Enterprise Applications: Real Needs, Real Solutions. November 22, 2002 5 th Continuous Assurance and Auditing Symposium Newark,

Continuous Monitoring for Enterprise Applications: Real Needs, Real Solutions. November 22, th Continuous Assurance and Auditing Symposium Newark,
Segregation of Duties for Infor-Lawson Software 1.

Segregation of Duties for Infor-Lawson Software 1.
IT Service Delivery And Support Week Eleven – Auditing Application Control IT Auditing and Cyber Security Spring 2014 Instructor: Liang Yao (MBA MS CIA.

IT Service Delivery And Support Week Eleven – Auditing Application Control IT Auditing and Cyber Security Spring 2014 Instructor: Liang Yao (MBA MS CIA.
1 Today’s Presentation Sarbanes Oxley and Financial Reporting An NSTAR Perspective.

1 Today’s Presentation Sarbanes Oxley and Financial Reporting An NSTAR Perspective.
Best Practices for Implementing Third Party Software to Monitor SOD and User Access Controls Presented by: Jeffrey T. Hare, CPA CISA CIA ERP Seminars.

Best Practices for Implementing Third Party Software to Monitor SOD and User Access Controls Presented by: Jeffrey T. Hare, CPA CISA CIA ERP Seminars.
Copyright © 2007 Pearson Education Canada 1 Chapter 13: Audit of the Sales and Collection Cycle: Tests of Controls.

Copyright © 2007 Pearson Education Canada 1 Chapter 13: Audit of the Sales and Collection Cycle: Tests of Controls.
Chapter 10 THE ACQUISITION CYCLE— PURCHASE INVOICES AND PAYMENTS.

Chapter 10 THE ACQUISITION CYCLE— PURCHASE INVOICES AND PAYMENTS.
Reactive Companies Meet Sarbanes-Oxley Standards, Proactive Organizations Exceed Them! Therron Hofsetz Logical Apps, Inc.

Reactive Companies Meet Sarbanes-Oxley Standards, Proactive Organizations Exceed Them! Therron Hofsetz Logical Apps, Inc.

Similar presentations

Ads by Google