Improving SOX Remediation Through Automated Testing of Internal Controls November 4, 2005
Agenda
• Background on Approva
• Compliance Process
• Methods for Testing Effectiveness of Internal Controls
• Applying Automation to the Testing Procedures

Approva: Company Snapshot
• Enterprise software company, founded in 2002
• Headquartered in Reston, VA; R&D in Pune, India
• 190 employees; over half in product development
• Raised $30M from leading venture capital firms
• Industry collaboration and partnerships
BizRights Solution Architecture
[Architecture diagram] Business solutions: Compliance, Fraud Analysis, Business Improvement, Data Integrity. Data analysed: User Authorizations & Activity; Configuration Settings & Master Records; Transactions Executed. BizRights Platform (advanced functionality): Dynamic Rules Analysis, Exception Reporting, Simulation & Change Control, Automated Email Notification, Intelligent Data Extraction, Automated Workflow.

BizRights: Continuous Controls Intelligence
[Diagram] Three data areas: Configuration (Master Records, System Settings); Users (User Roles and Responsibilities); Transactions (Everyday Activities).
• GR/IR mismatches
• Payments that exceed thresholds
• Duplicate payments
• Discounts not taken
• Payments, purchase orders, sales orders modified after approval
• Unusual movement types, number ranges, payment terms, tolerance settings, etc.
• Credit checks not turned on
• POs with unlimited over/under delivery
• Unusual credit limits
• Unusual changes to payment terms, bank details, etc.
• Detect SoD conflicts within roles & users
• Detect the use of sensitive transactions
• Act as a compensating control for excluded users

What is your perspective on complexity?
[Diagram] Several ERP systems, each with Global System Settings, Configuration Settings, Material Master, Vendor Master, the purchase-to-pay flow (Purchase Requests, Purchase Orders, Receive Goods, Process Invoice, Process Payments), Business Transactions and Master Data, and Access and Change Management; alongside Legacy Applications, Identity Management tools, Portals and Document Repositories.
• Compliance Requirements?
  • SOX
  • FDA
  • Privacy
• Control Environment?
  • Multiple ERPs
  • Multiple Apps
• Control Solutions?
  • Identity Management Tools
  • Portals
  • Documentation Repositories
Typical Control Structure
[Diagram: Typical ERP Control Design, with control enablers Configuration, Application Security, Reporting, General IT Controls and Manual Controls]
• Control structure is not always integrated with ERP functionality; rather, it is built around it
• Highly manual control processes
• Increased control ownership and accountability issues
• Testing of controls is a highly manual process
• Not all exceptions identified
• Time consuming and costly

Control Effectiveness Life Cycle
• Review control documentation to ensure adequate design
• Develop control test strategy
• Execute control testing
• Report exceptions, categorize deficiencies and conclude
• Remediate through modification of business processes, system settings, and possibly the controls themselves
• Run the process all over again

Testing Procedure
• Review of paper documentation, such as journal entry reports, manual invoices, manual reconciliations, system logs, etc.
• Confirm system functionality through reviewing security design, configuration settings and related technical objects
• Review of business transactional data, such as invoices, POs, etc.
But these approaches have their issues…
• Who’s going to build, modify and maintain the reports?
• Who’s going to run them? And what happens when they forget?
• Where’s your audit trail?
• ERPs won’t tell you when someone’s changed a control
• ERPs won’t tell you when the control is in place, and being circumvented anyway
Sample Test – Configurable Control
To test the effectiveness of a configurable control, such as the PO approval limits (release strategy), the following steps are performed:
• Verify IMG settings are properly configured and set to proper tolerances
• Verify access to the IMG is restricted
• Sample 1 transaction to verify effectiveness of control
Issues / Observations
• Time to test is significantly lower than for manual controls
• Configuration and tolerances typically set to business requirements, not control requirements (e.g. 500,000, as opposed to 50,000)
• Retro-fit is typically expensive (re-implementation in some cases)
• Manual work-arounds are common (e.g. still need signature above 50,000)
Automation Opportunities
• Identify exceptions within existing control configuration (e.g. automatic notification for all POs over 50,000, but below 500,000)

Sample Test – SOD Compensating Control
When testing SODs, it is very common to have a business need to violate an SOD rule, such as creation and payment of a PO in a small division. The following steps are typically performed:
• Once the deficiency is noted, review compensating controls for adequacy
• Review evidence that the compensating control has been operating effectively
• Typically, this relies on final reviews of payables reports by a manager
Issues / Observations
• Manual testing is time consuming
• Compensating controls must be specific to the activity (e.g. the review must specifically check for SOD violations, not the accuracy of the pay run)
• Very common and hard to prove if not specifically designed to monitor SOD
Automation Opportunities
• Identify when a PO is created and paid, not only by the same user, but more specifically for the same vendor, date, etc.
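The two automation opportunities above (flagging POs that fall in the gap between the 50,000 control limit and the 500,000 system tolerance, and the create-and-pay SoD check narrowed by vendor and date) can be expressed as a small exception-detection routine. The code below is an added example written for this page; it is not Approva's or BizRights' code. The purchase order and payment records, the document numbers, user IDs and vendor IDs are all constructed sample data, and the record layout is an assumption rather than any real ERP table.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    vendor: str
    amount: float
    created_by: str
    created_on: date
    released_by: Optional[str] = None  # approver recorded by the release strategy, if it fired


@dataclass(frozen=True)
class Payment:
    doc_id: str
    po_id: str
    vendor: str
    amount: float
    posted_by: str
    posted_on: date


# Constructed sample data; not extracted from any real ERP system.
SAMPLE_POS = [
    PurchaseOrder("4500001", "V-100", 12_000, "jdoe", date(2005, 10, 3)),
    PurchaseOrder("4500002", "V-200", 75_000, "jdoe", date(2005, 10, 4)),
    PurchaseOrder("4500003", "V-300", 640_000, "asmith", date(2005, 10, 5), released_by="cfo"),
    PurchaseOrder("4500004", "V-200", 49_999, "bwong", date(2005, 10, 6)),
]
SAMPLE_PAYMENTS = [
    Payment("1900001", "4500001", "V-100", 12_000, "apclerk", date(2005, 10, 20)),
    Payment("1900002", "4500002", "V-200", 75_000, "jdoe", date(2005, 10, 21)),
    Payment("1900003", "4500004", "V-200", 49_999, "bwong", date(2005, 12, 15)),
]


def threshold_gap_exceptions(pos: List[PurchaseOrder],
                             control_limit: float = 50_000,
                             system_limit: float = 500_000) -> List[PurchaseOrder]:
    """POs the control says need sign-off (above control_limit) but that the ERP
    release strategy never routed, because its tolerance is set to system_limit.
    These are the ones a control owner should be notified about."""
    return [po for po in pos if control_limit < po.amount < system_limit]


def sod_violations(pos: List[PurchaseOrder], payments: List[Payment],
                   require_same_vendor: bool = True,
                   max_days_apart: Optional[int] = None) -> List[Dict]:
    """Create-and-pay SoD check: the user who created a PO also posted its payment.
    Optional filters narrow the hit to the same vendor and to a time window."""
    by_id = {po.po_id: po for po in pos}
    hits = []
    for pay in payments:
        po = by_id.get(pay.po_id)
        if po is None or po.created_by != pay.posted_by:
            continue
        if require_same_vendor and po.vendor != pay.vendor:
            continue
        days_apart = (pay.posted_on - po.created_on).days
        if max_days_apart is not None and days_apart > max_days_apart:
            continue
        hits.append({"user": pay.posted_by, "po_id": po.po_id, "payment": pay.doc_id,
                     "vendor": pay.vendor, "amount": pay.amount, "days_apart": days_apart})
    return hits


def exception_report(pos: List[PurchaseOrder], payments: List[Payment]) -> List[str]:
    """Lines a compensating-control reviewer signs off on: the evidence the manual
    test step asks for, produced by the system instead of assembled by hand."""
    lines = [f"THRESHOLD_GAP po={po.po_id} amount={po.amount:,.0f} by={po.created_by}"
             for po in threshold_gap_exceptions(pos)]
    lines += [f"SOD_CREATE_AND_PAY user={h['user']} po={h['po_id']} payment={h['payment']} "
              f"vendor={h['vendor']} days_apart={h['days_apart']}"
              for h in sod_violations(pos, payments)]
    return lines


if __name__ == "__main__":
    for line in exception_report(SAMPLE_POS, SAMPLE_PAYMENTS):
        print(line)
```

On the sample data, PO 4500002 (75,000) lands in the threshold gap, while 4500003 (640,000) does not because the release strategy already routed it. The SoD check catches both jdoe and bwong with the defaults; tightening with `max_days_apart=30` keeps only jdoe, which is the kind of vendor/date narrowing the slide refers to, and is why the review criteria should be written down alongside the report so the reviewer knows what the hit means.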
Sample Test – Manual Report Reviews
To test whether an employee reviewed a weekly report that lists the changes to the customer master, the following steps are performed:
• Verify the data that is listed on the report is valid
• Select a sample of reports (sample determined by frequency of occurrence)
• Verify that the employee reviewed the report
  • Initials and date on the report
  • E-mail to follow up on a change
  • Additional change reports that verify action taken
Issues / Observations
• Time to test is high – usually several hours and very iterative
• Review requires looking at all changes
• Documentation retention is a major issue – typically results in a deficiency
Automation Opportunities
• Proactively notify a control owner for high risk changes
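The automation opportunity above replaces "did someone initial the weekly report?" with a system that routes high-risk customer master changes to the responsible owner and retains the review evidence itself, so the test of the control becomes a query for changes with no review record. The code below is an added example written for this page, not code from Approva or BizRights. The change-log layout (timestamp|customer|field|old|new|changed_by), the set of high-risk fields, the owner assignment by customer number range and the two-day review SLA are all assumptions, and every record is constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Customer master fields whose change needs a control owner's attention (assumption).
HIGH_RISK_FIELDS = {"BANK_ACCOUNT", "PAYMENT_TERMS", "CREDIT_LIMIT"}

# Constructed change-log extract; the pipe-separated layout is an assumption,
# not a real ERP change-document format.
CHANGE_LOG = """\
2005-10-03 09:12|CUST-1001|BANK_ACCOUNT|DE123|DE999|mbrown
2005-10-03 10:30|CUST-1001|STREET|Main St 1|Main St 2|mbrown
2005-10-04 14:05|CUST-2002|PAYMENT_TERMS|NET30|NET90|jdoe
2005-10-05 08:00|CUST-3003|CREDIT_LIMIT|10000|250000|jdoe
2005-10-05 08:01|CUST-3003|PHONE|555-0100|555-0199|apclerk
"""


@dataclass(frozen=True)
class Change:
    changed_at: datetime
    customer: str
    field_name: str
    old_value: str
    new_value: str
    changed_by: str


@dataclass(frozen=True)
class ReviewRecord:
    """Retained evidence that a control owner looked at one specific change."""
    customer: str
    field_name: str
    changed_at: datetime   # identifies the change that was reviewed
    reviewer: str
    reviewed_at: datetime
    outcome: str           # e.g. "approved" or "reversed"


def parse_change_log(text: str) -> List[Change]:
    records = []
    for line in text.strip().splitlines():
        ts, cust, fld, old, new, user = line.split("|")
        records.append(Change(datetime.strptime(ts, "%Y-%m-%d %H:%M"), cust, fld, old, new, user))
    return records


def high_risk_changes(changes: List[Change]) -> List[Change]:
    return [c for c in changes if c.field_name in HIGH_RISK_FIELDS]


def owner_for(customer: str) -> str:
    """Hypothetical ownership split by customer number range."""
    return "ar.mgr.east" if customer < "CUST-3000" else "ar.mgr.west"


def notifications(changes: List[Change]) -> Dict[str, List[Change]]:
    """Group high-risk changes by the control owner who must review them."""
    queue: Dict[str, List[Change]] = {}
    for c in high_risk_changes(changes):
        queue.setdefault(owner_for(c.customer), []).append(c)
    return queue


def overdue_reviews(changes: List[Change], reviews: List[ReviewRecord],
                    now: datetime, sla: timedelta = timedelta(days=2)) -> List[Change]:
    """High-risk changes with no retained review evidence once the SLA has passed.
    An empty result is the evidence the control test is looking for."""
    reviewed = {(r.customer, r.field_name, r.changed_at) for r in reviews}
    return [c for c in high_risk_changes(changes)
            if (c.customer, c.field_name, c.changed_at) not in reviewed
            and now - c.changed_at > sla]


# Constructed review evidence: only the bank-account change has been signed off.
SAMPLE_REVIEWS = [
    ReviewRecord("CUST-1001", "BANK_ACCOUNT", datetime(2005, 10, 3, 9, 12),
                 "ar.mgr.east", datetime(2005, 10, 3, 15, 0), "approved"),
]


if __name__ == "__main__":
    changes = parse_change_log(CHANGE_LOG)
    for owner, items in notifications(changes).items():
        print(owner, [(c.customer, c.field_name, c.new_value) for c in items])
    for c in overdue_reviews(changes, SAMPLE_REVIEWS, datetime(2005, 10, 10)):
        print("OVERDUE", c.customer, c.field_name, c.changed_by)
```

The review record keys on the exact change (customer, field, timestamp) rather than on the report, which is what removes the documentation-retention deficiency: the evidence is a row written at review time, not initials on a printout that may be lost by the time the auditor samples it.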
Control Structure w/ Automated Testing and Monitoring
[Diagram: Typical ERP Control Design, with control enablers Configuration, Application Security, Reporting, General IT Controls, Manual Controls and Continuous Controls Testing]
• Significantly increase the efficiency and effectiveness of control processes
• Monitor only critical data changes
• Enhance or refine configuration tolerances
• Preventative access control features
• Automatic notification of control violations
• Workflow and audit trail
• Testing of controls is a highly automated process
• All exceptions identified
• Control configuration and system setting reporting replaces manual test procedures
• Comprehensive SOD and sensitive access analysis

The BizRights Model
[Diagram] Process Insights (control rules and functionality focused on business processes, configuration and system setting data): Global System Settings: Verify System Parameters; Configuration Settings: Verify IMG Configuration Settings, Enhance Existing Controls; Business Transactions and Master Data (Material Master, Vendor Master; Purchase Requests, Purchase Orders, Receive Goods, Process Invoice, Process Payments): Identify Exceptional Transactions, Automate Manual Controls. Authorizations Insights (control rules and functionality focused on security processes and data): Sensitive Transactions, Segregation Of Duties Analysis, What If Analysis, Access Management, Closed Loop Remediation, Approval Work Flow. Underlying platform: Data Extraction, Workflow and Analysis Capabilities – Application Independent!!!

BizRights Automated Compliance
For each control enabler in the typical ERP control design, the BizRights testing mechanism:
• Configuration: Enhance Existing Controls; Identify Exceptional Trx’s; Configuration Settings; System Parameters
• Application Security: What If Analysis; Access Approval Workflow; Segregation of Duties; Sensitive Transactions
• Reporting: Exception Based Reporting; Closed Loop Remediation; Verification of Remediation
• Manual Controls: Automate Manual Controls; Electronic Audit Trail
• IT Controls: Baseline system settings; Proactively identify changes; System parameters; Security and change process

Summary & Key Takeaways
• Common goal is to achieve sustainable compliance that can improve the business
• Turn compliance activities from a cost into an asset
• Manual testing of controls consumes too much time & cost
• Automated testing will reduce overall cost and allow more time for remediation and mitigation of control violations
Don’t Just Comply…Transform Your Business