Improving SOX Remediation Through Automated Testing of Internal Controls November 4, 2005


Page 1: Improving SOX Remediation Through Automated Testing of Internal Controls
November 4, 2005

Page 2: Agenda

• Background on Approva
• Compliance Process
• Methods for Testing Effectiveness of Internal Controls
• Applying Automation to the Testing Procedures

Page 3: Approva: Company Snapshot

• Enterprise software company, founded in 2002
• Headquartered in Reston, VA; R&D in Pune, India
• 190 employees; over half in product development
• Raised $30M from leading venture capital firms
• Industry collaboration and partnerships

Page 4: Approva – a growing list of blue chip customers

Customers grouped by industry: Manufacturing; High Tech & Media; Consumer Products & Retail; Energy & Communications; Pharmaceutical & Chemicals

Page 5: BizRights Solution Architecture

(Architecture diagram)
Data sources: User Authorizations & Activity; Configuration Settings & Master Records; Transactions Executed
BizRights Platform: Intelligent Data Extraction; Dynamic Rules Analysis; Exception Reporting; Automated Workflow
Advanced Functionality: Automated Email Notification; Simulation & Change Control
Business Solutions: Compliance; Fraud Analysis; Data Integrity; Business Improvement

Page 6: BizRights: Continuous Controls Intelligence

Transactions (everyday activities):
• GR/IR mismatches
• Payments that exceed thresholds
• Duplicate payments
• Discounts not taken
• Payments, purchase orders, sales orders modified after approval

Configuration (master records, system settings):
• Unusual movement types, number ranges, payment terms, tolerance settings, etc.
• Credit checks not turned on
• POs with unlimited over/under delivery
• Unusual credit limits
• Unusual changes to payment terms, bank details, etc.

Users (user roles and responsibilities):
• Detect SoD conflicts within roles & users
• Detect the use of sensitive transactions
• Act as a compensating control for excluded users

Page 7: The Compliance Process

Page 8: What is your perspective on complexity?

(Diagram: multiple ERP systems, each containing the same elements)
ERP System: Business Transactions and Master Data (Purchase Requests, Purchase Orders, Receive Goods, Process Invoice, Process Payments; Material Master, Vendor Master); Configuration Settings; Access and Change Management; Global System Settings
Surrounding systems: Portals; Identity Management; Document Repositories; Legacy Applications

Compliance Requirements? • SOX • FDA • Privacy
Control Environment? • Multiple ERPs • Multiple Apps
Control Solutions? • Identity Management Tools • Portals • Documentation Repositories

Page 9: Typical Control Structure

• Control structure is not always integrated with ERP functionality, rather built around it
  – Highly manual control processes
  – Increased control ownership and accountability issues
• Testing of controls is a highly manual process
  – Not all exceptions identified
  – Time consuming and costly

(Diagram: Typical ERP Control Design) Control enablers: Configuration; Application Security; Reporting; Manual Controls; General IT Controls

Page 10: Control Effectiveness Life Cycle

1. Review control documentation to ensure adequate design
2. Develop control test strategy
3. Execute control testing
4. Report exceptions, categorize deficiencies and conclude
5. Remediate through modification of business processes, system settings, and possibly the controls themselves
6. Run the process all over again

Page 11: Testing Procedure

• Review of paper documentation, such as journal entry reports, manual invoices, manual reconciliations, system logs, etc.
• Confirm system functionality through reviewing security design, configuration settings and related technical objects
• Review of business transactional data, such as invoices, POs, etc.

But these approaches have their issues…
• Who’s going to build, modify and maintain the reports?
• Who’s going to run them? And what happens when they forget?
• Where’s your audit trail?
• ERPs won’t tell you when someone’s changed a control
• ERPs won’t tell you when the control is in place, and being circumvented anyway

Page 12: Sample Test – Configurable Control

To test the effectiveness of a configurable control, such as the PO approval limits (release strategy), the following steps are performed:
1. Verify IMG settings are properly configured and set to proper tolerances
2. Verify access to the IMG is restricted
3. Sample 1 transaction to verify effectiveness of the control

Issues / Observation
• Time to test is significantly lower than for manual controls
• Configuration and tolerances are typically set to business requirements, not control requirements (e.g. 500,000, as opposed to 50,000)
• Retro-fit is typically expensive (re-implementation in some cases)
• Manual work-arounds are common (e.g. still need a signature above 50,000)

Automation Opportunities
• Identify exceptions within the existing control configuration (e.g. automatic notification for all POs over 50,000, but below 500,000)
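The exception test described on this slide, as an added example that is not part of the presentation or of Approva's product: a design check that compares the configured release-strategy tolerance with the control requirement, and an operating-effectiveness check that lists every PO in the gap between the two limits that carries no manual approval, run over the whole population rather than a sample of one. The limits (500,000 configured, 50,000 required), the PO record layout and the sample POs are constructed for illustration.

```python
# Added example: exception test for a configurable PO release-strategy control.
# The system tolerance is set to a business limit (500,000) while the control
# requirement is 50,000, so POs in the gap are released by the system without
# the approval the control demands. Thresholds, fields and records are constructed.
from dataclasses import dataclass
from typing import List, Optional

CONTROL_LIMIT = 50_000       # amount above which the control requires approval
CONFIGURED_LIMIT = 500_000   # release-strategy threshold as configured (hypothetical)


@dataclass
class PurchaseOrder:
    po_number: str
    amount: float
    system_released: bool          # released by the ERP release strategy
    manual_approval: Optional[str]  # approver on the paper work-around, if any


def configuration_finding(configured: float, required: float) -> Optional[str]:
    """Design check: the configured tolerance must not exceed the control requirement."""
    if configured > required:
        return (f"tolerance {configured:,.0f} exceeds control requirement "
                f"{required:,.0f}; POs between them are released without system approval")
    return None


def gap_exceptions(pos: List[PurchaseOrder],
                   configured: float = CONFIGURED_LIMIT,
                   required: float = CONTROL_LIMIT) -> List[str]:
    """Operating-effectiveness check over the full population: POs at or above
    the control requirement but below the configured tolerance were released by
    the system; flag those with no manual approval on record."""
    return [po.po_number for po in pos
            if required <= po.amount < configured
            and po.system_released and not po.manual_approval]


# Constructed sample population
SAMPLE_POS = [
    PurchaseOrder("4500001", 12_000, True, None),     # below control limit: fine
    PurchaseOrder("4500002", 75_000, True, "JDOE"),   # in gap, signed work-around: fine
    PurchaseOrder("4500003", 120_000, True, None),    # in gap, no approval: exception
    PurchaseOrder("4500004", 499_999, True, None),    # in gap, no approval: exception
    PurchaseOrder("4500005", 650_000, False, None),   # above tolerance: system holds it
]

if __name__ == "__main__":
    print(configuration_finding(CONFIGURED_LIMIT, CONTROL_LIMIT))
    print("exceptions:", gap_exceptions(SAMPLE_POS))
```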

Page 13: Sample Test – SOD Compensating Control

When testing SODs, it is very common to have a business need to violate an SOD rule, such as creation and payment of a PO in a small division. The following steps are typically performed:
1. Once the deficiency is noted, review compensating controls for adequacy
2. Review evidence that the compensating control has been operating effectively
   – Typically, this relies on final reviews of payables reports by a manager

Issues / Observation
• Manual testing is time consuming
• Compensating controls must be specific to the activity (e.g. the review must specifically check for SOD violations, not the accuracy of the pay run)
• Very common and hard to prove if not specifically designed to monitor SOD

Automation Opportunities
• Identify when a PO is created and paid by the same user, and more specifically for the same vendor, date, etc.
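The automation opportunity above, as an added example that is not from the presentation or Approva's product: a transaction-level SoD monitor that joins PO creation and payment records and lists every PO created and paid by the same user, optionally requiring the same vendor. Users with an accepted business-need exception (the small-division case) are not suppressed; their hits are routed to the manager's compensating review, which makes that review specific to SoD rather than to pay-run accuracy. The record layouts, user names and extracts are constructed for illustration.

```python
# Added example: create-PO / pay-PO SoD conflict detection on transaction data.
# Record layouts and sample extracts are constructed, not an ERP's real tables.
from collections import namedtuple
from datetime import date

PoCreate = namedtuple("PoCreate", "po vendor created_by created_on")
Payment = namedtuple("Payment", "po vendor paid_by paid_on amount")


def sod_conflicts(creates, payments, accepted_users=frozenset(), same_vendor=True):
    """Return (violations, compensating_review). Each entry describes a PO that was
    created and paid by the same user. With same_vendor=True the payment vendor
    must also match the PO vendor, so re-assigned payments are not reported.
    Hits for users on the accepted-exception list go to the compensating review
    instead of the violation list; they are never silently dropped."""
    by_po = {c.po: c for c in creates}
    violations, review = [], []
    for p in payments:
        c = by_po.get(p.po)
        if c is None or c.created_by != p.paid_by:
            continue
        if same_vendor and c.vendor != p.vendor:
            continue
        hit = {"po": p.po, "user": p.paid_by, "vendor": p.vendor,
               "days_to_pay": (p.paid_on - c.created_on).days, "amount": p.amount}
        (review if p.paid_by in accepted_users else violations).append(hit)
    return violations, review


# Constructed sample extracts
CREATES = [
    PoCreate("4500010", "V100", "ALICE", date(2005, 10, 3)),
    PoCreate("4500011", "V200", "BOB", date(2005, 10, 4)),
    PoCreate("4500012", "V300", "CAROL", date(2005, 10, 5)),
    PoCreate("4500013", "V100", "ALICE", date(2005, 10, 6)),
]
PAYMENTS = [
    Payment("4500010", "V100", "ALICE", date(2005, 10, 5), 8_400.0),  # ALICE creates and pays
    Payment("4500011", "V200", "DAVE", date(2005, 10, 9), 3_100.0),   # different user: fine
    Payment("4500012", "V300", "CAROL", date(2005, 10, 7), 950.0),    # accepted exception
    Payment("4500013", "V999", "ALICE", date(2005, 10, 8), 1_200.0),  # vendor mismatch
]
ACCEPTED = frozenset({"CAROL"})  # small-division user with a documented business need

if __name__ == "__main__":
    violations, review = sod_conflicts(CREATES, PAYMENTS, ACCEPTED)
    print("violations:", violations)
    print("for compensating review:", review)
```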

Page 14: Sample Test – Manual Report Reviews

To test whether an employee reviewed a weekly report that lists the changes to the customer master, the following steps are performed:
1. Verify the data that is listed on the report is valid
2. Select a sample of reports (sample size determined by frequency of occurrence)
3. Verify that the employee reviewed the report
   – Initials and date on the report
   – E-mail to follow up on a change
   – Additional change reports that verify action taken

Issues / Observations
• Time to test is high – usually several hours and very iterative
• Review requires looking at all changes
• Documentation retention is a major issue; typically results in a deficiency

Automation Opportunities
• Proactively notify a control owner of high-risk changes

Page 15: Control Structure w/ Automated Testing and Monitoring

• Significantly increase the efficiency and effectiveness of control processes
  – Monitor only critical data changes
  – Enhance or refine configuration tolerances
  – Preventative access control features
  – Automatic notification of control violations
  – Workflow and audit trail
• Testing of controls is a highly automated process
  – All exceptions identified
  – Control configuration and system setting reporting replaces manual test procedures
  – Comprehensive SOD and sensitive access analysis

(Diagram: Typical ERP Control Design) Control enablers: Configuration; Application Security; Reporting; Manual Controls; General IT Controls; Continuous Controls Testing

Page 16: The BizRights’ Model

(Diagram) Business Transactions and Master Data: Purchase Requests; Purchase Orders; Receive Goods; Process Invoice; Process Payments; Material Master; Vendor Master. Also: Configuration Settings; Access Management; Global System Settings

Process Insights (control rules and functionality focused on business processes, configuration and system setting data):
• Enhance Existing Controls
• Identify Exceptional Transactions
• Verify IMG Configuration Settings
• Verify System Parameters
• Closed Loop Remediation
• Automate Manual Controls

Authorizations Insights (control rules and functionality focused on security processes and data):
• Segregation Of Duties Analysis
• What If Analysis
• Approval Work Flow
• Sensitive Transactions

Data Extraction, Workflow and Analysis Capabilities – Application Independent!!!

Page 17: BizRights Automated Compliance

Typical ERP Control Design (control enabler) mapped to the BizRights testing mechanism:

Control Enabler      | BizRights Testing Mechanism
Configuration        | • Enhance Existing Controls • Identify Exceptional Trx’s • Configuration Settings • System Parameters
Application Security | • What If Analysis • Access Approval Workflow • Segregation of Duties • Sensitive Transactions
Reporting            | • Exception Based Reporting • Closed Loop Remediation • Verification of Remediation
Manual Controls      | • Automate Manual Controls • Electronic Audit Trail
IT Controls          | • Baseline system settings • Proactively identify changes • System parameters • Security and change process

Page 18: Summary & Key Takeaways

• Common goal is to achieve sustainable compliance that can improve the business
• Turn compliance activities from a cost into an asset
• Manual testing of controls consumes too much time & cost
• Automated testing will reduce overall cost and allow more time for remediation and mitigation of control violations

Don’t Just Comply…Transform Your Business