Contact Information. Dan Aldridge CEO Performa Apps e-mail dan.aldridge@i-app.com website www.inforln.com/wp linkedin Dan Aldridge twitter @Danaldridge1. Agenda. Introduction DynaFlow Governance Risk & Compliance / Enterprise Risk Management Segregation of Duties for Baan / LN
Agenda
• Introduction DynaFlow
• Governance Risk & Compliance / Enterprise Risk Management
• Segregation of Duties for Baan / LN
• Impact on ERP implementation
Contact details: Aart de Glint, adeglint@dynaflow-solutions.com, Phone +31 318 479712, Mobile +31 654 392046
DynaFlow Profile
Main Facts:
• Established in 1997
• Private company, HQ in Canada
• Partners in USA, France, Netherlands, Norway, India, Thailand and Australia
Main mission:
• To enable global companies to become “Simply in Control” by proactively managing enterprise risks, demonstrating compliance, and automating and optimizing business processes.
• Dedicated to providing its clients a fast ROI through a short and structured implementation
Professional Services:
• Implementation and Training
• Compliance & Audit Support
• Process Optimization
• Solution Hosting Services
Cooking the Books Mr. Ebbers (WorldCom), Mr. Lay (Enron), Mr. Kozlowski (Tyco) http://www.cbsnews.com/video/watch/?id=859384n
Regulation - The Hot Potato: Loi sur La Sécurité Financière (LSF), SAS-70, Basel-II, BilMoG, C-SOX, SOX, IFRS, Code Tabaksblat, ‘Euro-SOX’ (8th EU Directive), Code Lippens, Clinger Cohen, 21 CFR Part 11, J-SOX
Governance, Risk Management & Compliance
• Governance describes the overall management approach through which senior executives direct and control the entire organization, using a combination of management information and hierarchical management control structures. Governance activities ensure that critical management information reaching the executive team is sufficiently complete, accurate and timely to enable appropriate management decision making, and provide the control mechanisms to ensure that strategies, directions and instructions from management are carried out systematically and effectively.
• Risk management is the set of processes through which management identifies, analyzes, and, where necessary, responds appropriately to risks that might adversely affect realization of the organization's business objectives. The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, accepting or transferring them to a third party. Whereas organizations routinely manage a wide range of risks (e.g. technological risks, commercial/financial risks, information security risks etc.), external legal and regulatory compliance risks are arguably the key issue in GRC.
• Compliance means conforming with stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined for example in laws, regulations, contracts, strategies and policies), assess the state of compliance, assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions deemed necessary.
GRC/ERM Support at all levels
Levels of the GRC model:
Strategic (Policy):
• Enterprise Risk Management
• Integrated Compliance Frameworks
• Consolidated Dashboards (Control Statements)
Tactical (Procedures, Review):
• Process Risk Analysis
• Process & Internal Control Design & Maintenance
• Review (workflow)
Operational (Test):
• Monitoring Efficiency of Internal Controls
• Embedded testing & test evidence
• Document Management System
• KPI/”In Control” reports
Business processes covered: Warehouse Management, Sales & Distribution, Manufacturing, Purchasing. Continuous monitoring as part of the normal business process.
Compliance – Why is this important
• Regulation
• Corporate & Executive Responsibility & Liability
• Fear of Reputation Damage
• Tightened Credit Lines
• Insurance Premium Fees
• Policy Interpretation
• Implementation Cost
• Overhead
• Audit Cost
From Regulation to Compliance (diagram)
Regulations (SOX, HIPAA, BASEL II, etc.) → Implementation Framework (ERM, COSO-II, COBIT, ...) → Policy & Procedure Implementation → Evidence Collection → Demonstration of Compliance (Audit)
Policy & Procedure Implementation covers Business Risks and Business Controls:
• Information delivery
• Resource access and use
• Risk mitigation
• ...
Evidence Collection: establish, document, test. Scope: People, Processes, Technology, Facilities, Data.
SOX Section 404 – Internal Control Assessment of internal control “The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting (ICFR). This is the most costly aspect of the legislation for companies to implement, as documenting and testing important financial manual and automated controls requires enormous effort.” http://www.heritage.org/CDA/upload/SOX-CDA-edited-3.pdf
SOX Internal Control Requirements
1. Documentation
• Detailed Process description
• Process flowchart (preferable)
• Business Risk Assessments
• Risk Control Matrix (RCM)
2. Testing
• Annual walkthrough of each process
• Testing of key controls
3. Periodic Reviews
• Review of process steps and controls
• Updating of all documentation
4. Annual External IC Audit
• Essentially an external validation that yes, you did 1 through 3 above.
• The auditor would use predefined “checklists”.
Enterprise Risk Management (ERM/GRC)
The key pains & challenges:
• Extra burden “on top” of running the company
• Draining resources from critical projects
• Absence of clear and documented guidelines
• Absence of automation
• Cannot be postponed (scheduled audits)
• Cost (with NO tangible ROI)
The proposed approach & resolution:
• Leverage pre-defined knowledge via libraries
• Avoid multiple partial systems (and integration burden)
• Automate as much as possible the tedious and large-volume tasks
How DynaFlow supports ERM/GRC
• Business Risks & Business Controls Library
  • 2,500+ pre-defined Controls, Risks and relationships
  • Certified Best Practices / Benchmark
  • For all regional & industry-specific regulations (SOX, Basel-II, L262, FDA, HIPAA, IFRS, ISO, etc…)
  • To address all auditing/auditors’ requirements
• Automated Business Control Execution
  • Testing Schedules with automated notification & testing
  • Real-time monitoring & alerts for testers and Mgmt
  • Evidence Collection & audit trail
• Dynamic Risk and Business Control Monitoring
  • Key Performance & Risk Indicators Dashboard (+ mobile)
• Audit Support
• Combination of Solution, Libraries and Services
Segregation of Duties (SoD)
The key pains & challenges:
• Now a Critical Business Control for ALL organizations
• Involves a large volume of data (typical = 200,000+ authorizations in Baan alone)
• Needs to be done across Systems (ERP) and for ALL access types
• Is a recurring process due to constant changes
The proposed approach & resolution:
• Automation, automation and automation!
Business Processes & Controls (diagram)
• Integrated Compliance Mgmt: Business Risks, Business Controls, Documents, Process Diagram, Document Mgmt
• SoD Mgmt: SoD Conflict Rules, SoD Business Conflicts, Conflict Resolution, Employees, User Roles, Applications, Access Mgmt
EZ-Compliance SoD Scan (diagram): scanned sources include Mapics, Ceridian, Hyperion, BPCS, …, Network Access, Facility Access, Security Badges, …
The LN / Baan SoD Rules Library
• Introduced in 2005
• Required 2 years of initial development, and is updated regularly
• Content and design validated by CFOs, Controllers, SOX Senior Consultants, Baan Specialists, etc...
• Covers all Baan versions (Triton, Baan IV, ERP-5, LN)
• Compatible with Baan Tools and DEM authorizations
• Verifies 22,000+ Baan session combinations for SoD violations (with violation rating) to validate 400+ SoD-sensitive “zones”
• Auditors such as E&Y, KPMG, D&T, PWC and Grant Thornton validated the completeness and accuracy of the Baan SoD Rules by successfully certifying all EZ-Compliance clients as SoD/SOX compliant.
EZ-Compliance Automated SoD Scan (diagram)
(1) Import of Employees (Oracle, LDAP) and the Employee / Applications Access List from corp-wide applications and ERP; the SoD Library (SoD Conflict Rules) drives the Conflict Scan, producing the SOX – SoD Conflicts List.
(2) Access Scan and Roles, followed by the Resolution Scan using SoD Resolution Rules (DEM).
(3) Import of Business Controls, Business Processes (Visio) and Business Risks; Mitigation Controls produce the Mitigated Conflicts List.
SoD Conflicting Areas Matrix: detailed business functions & conflicts found.
The automated SoD cycle (diagram): ERP Import, automated weekly or daily; the remaining steps are automated or semi-automated. Result: 90%+ reduction of effort & cost.
How DynaFlow supports SoD
• Access/Authorization Mgmt
  • Cross-system authorizations (who is accessing what?)
  • Periodic Access Reviews
• SoD Conflicts Identification
  • Detective validation (what accesses constitute risks?)
  • Preventive validation (what is the impact if we change …?)
• SoD Conflicts Resolution
  • Automated resolution/mitigation using pattern rules
• SoD Conflicts Monitoring & Alerts
  • Self-generated SoD Matrix with dynamic alerts
  • Key Performance & Risk Indicators Dashboard (+ mobile)
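The detective and preventive validations above, as an added illustration that is not DynaFlow's code or its rules library: session codes, SoD zones, conflict rules, users and mitigating controls are all constructed for the example.

```python
# Constructed sample data (hypothetical names, not real Baan session codes).
# An authorization grants a user a session; each session belongs to an SoD zone.
SESSION_ZONE = {
    "vendor_maint": "Supplier master",
    "vendor_bank_maint": "Supplier master",
    "invoice_entry": "AP invoice entry",
    "payment_approve": "Payment approval",
    "payment_run": "Payment approval",
}
# Conflict rules between zone pairs, each with a violation rating.
CONFLICT_RULES = {
    frozenset({"Supplier master", "AP invoice entry"}): "high",
    frozenset({"Supplier master", "Payment approval"}): "high",
    frozenset({"AP invoice entry", "Payment approval"}): "medium",
}
AUTHORIZATIONS = {
    "alice": {"vendor_maint", "invoice_entry"},
    "bob": {"payment_approve"},
    "carol": {"vendor_bank_maint", "payment_run", "invoice_entry"},
}
# Documented mitigating controls, keyed by (user, conflicting zone pair).
MITIGATIONS = {
    ("alice", frozenset({"Supplier master", "AP invoice entry"})):
        "Controller reviews supplier master changes monthly",
}

def zones_of(sessions):
    """Reduce a user's sessions to the SoD zones they reach."""
    return {SESSION_ZONE[s] for s in sessions if s in SESSION_ZONE}

def scan(authorizations, mitigations=MITIGATIONS):
    """Detective scan: (user, zone pair, rating, status) per violated rule."""
    findings = []
    for user, sessions in sorted(authorizations.items()):
        held = zones_of(sessions)
        for pair, rating in CONFLICT_RULES.items():
            if pair <= held:  # user holds both sides of the conflict
                status = "mitigated" if (user, pair) in mitigations else "open"
                findings.append((user, tuple(sorted(pair)), rating, status))
    return findings

def what_if_grant(authorizations, user, session):
    """Preventive check: conflicts a proposed grant would newly create."""
    before = {f for f in scan(authorizations) if f[0] == user}
    proposed = dict(authorizations)
    proposed[user] = authorizations.get(user, set()) | {session}
    after = {f for f in scan(proposed) if f[0] == user}
    return sorted(after - before)
```

Run `scan(AUTHORIZATIONS)` to list the current conflicts with their mitigation status, and `what_if_grant(AUTHORIZATIONS, "bob", "invoice_entry")` to see the conflict that grant would introduce before it is approved.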
Segregation of Duties (SoD)
What you gain with DynaFlow:
• Cross-ERP Integration (SAP, Oracle, Baan, Mapics, ...)
• Bottled Best Practices:
  • Fully automated Segregation-of-Duties (SoD) Rules
  • Pre-Defined SoD Libraries available for Baan, SAP, Oracle, etc...
  • In line with external auditors to secure successful certification
• Detective and also Preventative
• Fully automated SoD validation
• 90% reduction in implementation cost & effort
• 50% reduction in auditing cost
• 100% Successful SoD Audit
• Simplified insight into all user authorizations
Integrated Cycles (diagram): Route Definition, Analyze, Publish, Process Knowledge, Control Activity, Review, Certify, Optimize, Measure, Action, Automate, Workflow Automation, Monitor, Execute, Metrics, Control Environment, Risk Assessment, Objectives, Measure; Regulations (e.g. SOX, ISO, ITAR, AS9100, HIPAA, etc.)
DynaFlow Value Proposition (diagram, repeating the cycle elements above)
DynaFlow Solution Overview (diagram)
• Process Optimization & Monitoring: Dynamic KCI & Issues Escalation, Dynamic KPI & BI Analytics, Management Dashboard Reporting, Employee Process Dashboard, Process & Knowledge Publishing, Business Controls Checks, Automated Alerts & Notifications, Modeler and Auditor Dashboard
• BPM: Process Modeling, Business Controls Definition, Process Automation
• Transaction Systems: Financial (Oracle, etc.), ERP (SAP, Baan, Mapics, etc.), Base Office Apps (MS, Email, VPN, etc.)
Critical Capabilities Definition (ERM & C)
• Audit Management: Supports internal auditors in planning and scheduling audit-related tasks, time management, managing work papers, risk assessments, control testing, remediation management and reporting.
• Risk Management, General: Supports risk management professionals with the documentation, workflow, assessment and analysis, reporting, visualization, and remediation of risks. Analytics are mostly qualitative with a limited loss event analysis capability that is not dependent on stochastic analysis. It does not include stochastic analysis, but it may collect data from stochastic risk analytics tools to provide a consolidated view of enterprise risk management.
• Risk Management, Stochastic: Involves stochastic analysis, such as Monte Carlo simulation. Examples include banks that require highly specialized capabilities for Basel II capital calculations and companies that must support project risk assessments of long-term asset investments, such as mining and oil and gas. Only a few EGRC platform vendors directly support these stochastic analysis needs organically or through an OEM partnership.
• Compliance Management: Supports compliance professionals with the documentation, workflow, reporting and visualization of control objectives, controls and associated risks, surveys and self-assessments, testing, and remediation. At a minimum, EGRC management not only will include financial reporting compliance (Sarbanes-Oxley compliance), but also can support other types of compliance, such as ISO 9000, Payment Card Industry, industry-specific regulations, service-level agreements, trading partner requirements and compliance with internal policies.
• Policy Management: Includes a specialized form of document management that enables the policy life cycle from creation to review, change and archiving of policies; mapping of policies to mandates and business objectives in one direction, and risks and controls in another; and distribution to and attestation by employees and business partners.
• GRC Content: Includes many different kinds of content relative to GRC activities. Examples include regulatory analysis and news feeds, standards and frameworks, draft testing and risk assessments, and draft policies.
• Business Analytics: Supports the ability to analyze the impact of risks on business objectives, performance and processes.
Source: Gartner, Inc., 30 November 2010, ID Number: G00208665
DynaFlow simplification (diagram)
Regulations (SOX, HIPAA, BASEL II, etc.) → Implementation Framework (COSO-II, COBIT, ...) → Policy & Procedure Implementation → Evidence Collection → Demonstration of Compliance (Audit)
Business Risks are covered by Business Risk Libraries; Business Controls by Business Control Libraries:
• Information delivery
• Resource access and use
• Risk mitigation
• ...
Supporting components: Compliance Program Mgmt. Web Portal, Compliance Change Mgmt., Document Mgmt., Compliance Issue Mgmt., Audit Trail, Cross-ERP Integration & Mapping, Compliance Access & SoD Mgmt., eBook Generation, Operational Risk Monitoring.
Evidence Collection: establish, document, test. Scope: People, Processes, Technology, Facilities, Data.