Government and SOX Compliance for ERP Systems
Contact Information
•Dan Aldridge, CEO, Performa Apps
•e-mail: [email protected]
•website: www.inforln.com/wp
•linkedin: Dan Aldridge
•twitter: @Danaldridge1
Agenda
Introduction DynaFlow
Governance Risk & Compliance / Enterprise Risk Management
Segregation of Duties for Baan / LN
Impact on ERP implementation
Contact details: Aart de Glint
Phone +31 318 479712
Mobile +31 654 392046
DynaFlow Profile
Main Facts:
Established in 1997
Private company HQ in Canada
Partners in USA, France, Netherlands, Norway, India, Thailand and Australia
Main mission:
To enable global companies to become “Simply in Control” by proactively
managing enterprise risks, demonstrating compliance and automating and
optimizing business processes.
Dedicated to providing its clients a fast ROI through a short and structured implementation
Professional Services:
Implementation and Training
Compliance & Audit Support
Process Optimization
Solution Hosting Services
DynaFlow: Makes it EZ for...
Cooking the Books
http://www.cbsnews.com/video/watch/?id=859384n
Mr. Ebbers (WorldCom), Mr. Lay (Enron), Mr. Kozlowski (Tyco)
Regulation - The Hot Potato
SOX
C-SOX
J-SOX
‘Euro-SOX’
SAS-70
Code Tabaksblat
Code Lippens
8th EU Directive
Clinger Cohen
21 CFR Part 11
IFRS
Basel-II
Loi sur La Sécurité Financière (LSF)
BilMoG
Governance, Risk Mngnt & Compliance
Governance describes the overall management approach through which senior executives direct and control the entire organization, using a combination of management information and hierarchical management control structures. Governance activities ensure that critical management information reaching the executive team is sufficiently complete, accurate and timely to enable appropriate management decision making, and provide the control mechanisms to ensure that strategies, directions and instructions from management are carried out systematically and effectively.

Risk management is the set of processes through which management identifies, analyzes, and, where necessary, responds appropriately to risks that might adversely affect realization of the organization's business objectives. The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, accepting or transferring them to a third party. Whereas organizations routinely manage a wide range of risks (e.g. technological risks, commercial/financial risks, information security risks etc.), external legal and regulatory compliance risks are arguably the key issue in GRC.

Compliance means conforming with stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined for example in laws, regulations, contracts, strategies and policies), assess the state of compliance, assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions deemed necessary.
GRC/ERM Support at all levels
Levels of GRC model: continuous monitoring as part of the normal business process
Strategical
•Policy
•Enterprise Risk Management (Strategic)
•Integrated Compliance Frameworks
•Consolidated Dashboards (Control Statements)
Tactical
•Procedures
•Process Risk Analysis (Tactical)
•Process & Internal Control Design & Maintenance
•Review (workflow)
Operational
•Monitoring Efficiency of Internal Controls
•Embedded testing & test evidence
•Document Management System
•KPI/"In Control" reports
Business processes covered at the operational level: Purchasing, Warehouse Management, Manufacturing, Sales & Distribution (Review, Test)
Compliance – Why is this important
Corporate & Executive Responsibility & Liability
Policy Interpretation
Implementation Cost
Overhead
Tightened Credit Lines
Premium Insurance Fees
Fear for Reputation Damage
Audit Cost
Regulation
From Regulation to Compliance
Regulations (SOX, HIPAA, BASEL II, etc.)
→ Implementation Framework (ERM, COSO-II, COBIT, ...)
→ Policy & Procedure Implementation
→ Business Controls:
- Information delivery
- Resource access and use
- Risk mitigation
- ...
→ Demonstration of Compliance: Evidence Collection, Audit
Axes of the diagram: People, Processes, Technology, Facilities, Data; establish, document, test; Business Risks
SOX Section 404 – Internal Control
Assessment of internal control
“The most contentious aspect of SOX is Section 404,
which requires management and the external auditor to
report on the adequacy of the company's internal
control over financial reporting (ICFR). This is the
most costly aspect of the legislation for companies to
implement, as documenting and testing important
financial manual and automated controls requires
enormous effort.”
http://www.heritage.org/CDA/upload/SOX-CDA-edited-3.pdf
SOX Internal Control Requirements
1. Documentation
Detailed Process description
Process flowchart (preferable)
Business Risk Assessments
Risk Control Matrix (RCM)
2. Testing
Annual walkthrough of each process.
Testing of key controls.
3. Periodic Reviews
Review of process steps and controls
Updating of all documentation
4. Annual External IC Audit
Essentially an external validation that yes, you did 1 through 3 above.
The auditor would use predefined "checklists".
Risk / Control Matrix
Controls in the matrix (column headings, in column order):
ACP-C01: All non-PO invoices received at month end are entered into the system within 3 days of month-end to ensure proper inclusion into Accounts Payable.
ACP-C04: For production invoices, invoices can only be entered into the system for automatic matching if a valid PO and receipt are already in the system. The system populates the invoice price and due date information from the PO information.
ACP-C16: All unmatched PO invoices are forwarded to purchasing for follow-up.
PUR-C11: All purchase orders and non-PO invoices are reviewed, including ledger account coding, and are authorized in accordance with company policy.
INV-C18: Cycle counts that result in a difference from perpetual quantity outside limits set by company policy are reviewed; items with a variance deemed to be material are recounted.

RISK / CONTROL MATRIX

| Risk | Risk question | Auditor Assertion | Controls marked (PC/DC) |
|------|---------------|-------------------|-------------------------|
| R007 | What ensures that purchases are recorded into the proper accounting period? | Completeness | PC |
| R011 | What ensures that invoice prices, quantities and other valuation information is correct? | Completeness, E/O, M/V | PC, PC |
| R042 | What ensures that duplicate and/or fictitious purchases are not recorded? | Existence/Occurrence | PC, PC |
| R075 | What ensures that perpetual inventory records reflect proper quantities and amounts? | Existence/Occurrence | PC, DC |
| R079 | What ensures that perpetual-to-physical inventory adjustments are correctly calculated and recorded? | Completeness, Measurement/Valuation | DC |
| R093 | What ensures that inventory counts, compilations and descriptions are accurate? | Measurement/Valuation | DC |

PC = Preventive Control
DC = Detective Control
Enterprise Risk Management (ERM/GRC)
The key pains & challenges:
Extra burden "on top" of running the company
Draining resources from critical projects
Absence of clear and documented guidelines
Absence of automation
Cannot be postponed (scheduled audits)
Cost (with NO tangible ROI)
The proposed approach & resolution:
Leverage pre-defined knowledge via libraries
Avoid multiple partial systems (and integration burden)
Automate as much as possible tedious and large-volume tasks
How DynaFlow supports ERM/GRC
Business Risks & Business Controls Library
2,500+ pre-defined Controls, Risks and relationships
Certified Best Practices / Benchmark
For all regional & industry-specific regulations (SOX, Basel-II, L262, FDA, HIPAA, IFRS, ISO, etc…)
To address all auditing/auditors' requirements
Automated Business Control Execution
Testing Schedules with automated notification & testing
Real-time monitoring & alerts for testers and Mgmt
Evidence Collection & audit trail
Dynamic Risk and Business Control Monitoring
Key Performance & Risks Indicators Dashboard (+ mobile)
Audit Support
Combination of Solution, Libraries and Services
Segregation of Duties (SoD)
The key pains & challenges:
Now a Critical Business Control for ALL organizations
Involves a large volume of data (e.g. typically 200,000+ authorizations in Baan alone)
Needs to be done across Systems (ERP) and for ALL access types
Is a recurring process due to constant changes
The proposed approach & resolution: Automation, automation and automation!
Cross-Applications ERM & SoD
Diagram of the integrated modules: Access Mgmt (Employees, User Roles, Applications); Compliance Mgmt (Process Diagram, Business Controls, Business Risks); Business Processes & Controls Integration; SoD Mgmt (SoD Conflict Rules, SoD Business Conflicts, Conflict Resolution); Document Mgmt (Documents).
EZ-Compliance SoD Scan
Diagram of the access sources feeding the scan: enterprise applications (Mapics, Hyperion, BPCS, …), physical and network access (Network Access, Facility Access, Security Badges, …) and other systems (Mapics, Ceridian, …).
Master SoD Matrix
400+ SoD "zones" to be validated
The LN / Baan SoD Rules Library
Introduced in 2005
Required 2 years of initial development, and is updated regularly
Content and design validated by CFOs, Controllers, SOX Senior Consultants, Baan Specialists, etc.
Covers all Baan versions (Triton, Baan IV, ERP-5, LN)
Compliant with Baan Tools and DEM authorizations
Verifies 22,000+ Baan session combinations for SoD violations (with violation rating) to validate 400+ SoD-sensitive "zones"
Auditors such as E&Y, KPMG, D&T, PWC and Grant Thornton validated the completeness and accuracy of the Baan SoD Rules by successfully certifying all EZ-Compliance clients as SoD/SOX compliant.
EZ-Compliance Automated SoD Scan
Diagram of the three-step scan:
Inputs: Employees, Roles, Corp-wide Applications, Business Controls, Business Processes (Import Visio / DEM), Business Risks, SoD Library; Import LDAP; Import ERP (Oracle)
(1) Access Scan: builds the Employee / Applications Access List from the imported authorizations
(2) Conflict Scan: applies the SoD Conflict Rules to the access list and produces the SOX – SoD Conflicts List
(3) Resolution Scan: applies the SoD Resolution Rules and Mitigation Controls and produces the Mitigated Conflicts List
SoD Conflicting Areas Matrix
(Matrix view; each cell opens the detailed business functions & conflicts found.)
The automated SoD cycle
1. Import of updated authorizations from all Enterprise Applications (ERP import, weekly or daily)
2. Identification of SoD conflicts & related business risks
3. Resolution of conflicts with known patterns
4. Notification of new conflicts to internal audit team and/or process owners
5. Investigation, resolution and mitigation of SoD risks
Result: 90%+ reduction of effort & cost
How DynaFlow supports SoD
Access/Authorization Mgmt
Cross-systems authorizations (who is accessing what?)
Periodic Access Reviews
SoD Conflicts Identification
Detective validation (what accesses constitute risks?)
Preventive validation (what is the impact if we change …?)
SoD Conflicts Resolution
Automated resolution/mitigation using pattern rules
SoD Conflicts Monitoring & Alerts
Self-generated SoD Matrix with dynamic alerts
Key Performance & Risks Indicators Dashboard (+ mobile)
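The three-step scan (access list, conflict rules, resolution rules), the recurring cycle that re-imports authorizations and notifies only the conflicts that are new since the last run, and the preventive "what is the impact if we change …?" validation all reduce to a few set operations. The Python below is an added example written for this page; it is not DynaFlow or EZ-Compliance code and does not use their rule library. The per-system authorizations, the three conflict rules and the mitigation control MIT-01 are constructed sample data, and the business-function names (create_vendor, approve_po, release_payment, ...) are hypothetical labels standing in for ERP sessions or directory groups.

```python
"""Cross-system Segregation-of-Duties scan: merge authorizations from several
systems, find conflicts against a rules library, split them into open and
mitigated, compute the delta for notification, and check a proposed grant
before it is applied. Added example; all data below is constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

Access = Dict[str, Set[str]]          # user -> business functions (ERP sessions) held
Rule = Tuple[str, str, str, str]      # (function_a, function_b, rating, description)

# Constructed authorizations per source system, standing in for an ERP role
# export and a directory (LDAP) import. Hypothetical users and functions.
ACCESS_BY_SYSTEM: Dict[str, Access] = {
    "erp":  {"alice": {"create_vendor", "post_ap_invoice"},
             "bob":   {"create_po"},
             "carol": {"create_po", "approve_po"}},
    "ldap": {"bob":   {"release_payment"}},   # directory group granting a payment run
}

# Hypothetical conflict rules: two functions one person must not hold together,
# each with a rating so findings can be triaged.
RULES: List[Rule] = [
    ("create_vendor", "post_ap_invoice", "high",   "fictitious vendor paid via own invoice"),
    ("create_po",     "approve_po",      "high",   "self-approved purchase order"),
    ("create_po",     "release_payment", "medium", "order and pay without independent check"),
]

# Hypothetical mitigation controls, keyed by the sorted function pair. A conflict
# covered by an accepted compensating control is reported as mitigated, not open.
MITIGATIONS: Dict[Tuple[str, str], str] = {
    ("approve_po", "create_po"): "MIT-01 monthly independent review of all POs by the controller",
}


@dataclass(frozen=True, order=True)
class Conflict:
    user: str
    functions: Tuple[str, str]   # sorted pair, so the same conflict always compares equal
    rating: str
    description: str


def merge_access(sources: Dict[str, Access]) -> Access:
    """Union of every system's authorizations into one view per user (who accesses what)."""
    merged: Access = {}
    for system_access in sources.values():
        for user, functions in system_access.items():
            merged.setdefault(user, set()).update(functions)
    return merged


def scan_conflicts(access: Access, rules: Iterable[Rule]) -> List[Conflict]:
    """Conflict scan: every user holding both halves of a rule is one conflict."""
    found: List[Conflict] = []
    for user, functions in sorted(access.items()):
        for a, b, rating, description in rules:
            if a in functions and b in functions:
                pair = (a, b) if a < b else (b, a)
                found.append(Conflict(user, pair, rating, description))
    return found


def resolve(conflicts: Iterable[Conflict],
            mitigations: Dict[Tuple[str, str], str]) -> Tuple[List[Conflict], List[Tuple[Conflict, str]]]:
    """Resolution scan: split conflicts into still-open and mitigated-by-control."""
    open_conflicts: List[Conflict] = []
    mitigated: List[Tuple[Conflict, str]] = []
    for c in conflicts:
        if c.functions in mitigations:
            mitigated.append((c, mitigations[c.functions]))
        else:
            open_conflicts.append(c)
    return open_conflicts, mitigated


def new_conflicts(previous: Iterable[Conflict], current: Iterable[Conflict]) -> List[Conflict]:
    """Delta between two scan runs: only these need a notification to audit / process owners."""
    return sorted(set(current) - set(previous))


def simulate_grant(access: Access, user: str, add: Set[str], rules: Iterable[Rule]) -> List[Conflict]:
    """Preventive validation: conflicts a proposed grant would introduce, checked before applying it."""
    trial = {u: set(f) for u, f in access.items()}
    trial.setdefault(user, set()).update(add)
    return new_conflicts(scan_conflicts(access, rules), scan_conflicts(trial, rules))


if __name__ == "__main__":
    access = merge_access(ACCESS_BY_SYSTEM)
    open_conflicts, mitigated = resolve(scan_conflicts(access, RULES), MITIGATIONS)
    for c in open_conflicts:
        print(f"OPEN      {c.user:6} {c.rating:6} {c.functions[0]} + {c.functions[1]}: {c.description}")
    for c, control in mitigated:
        print(f"MITIGATED {c.user:6} {c.rating:6} {c.functions[0]} + {c.functions[1]} via {control}")
    for c in simulate_grant(access, "bob", {"approve_po"}, RULES):
        print(f"WOULD ADD {c.user:6} {c.rating:6} {c.functions[0]} + {c.functions[1]}")
```

Bob's conflict only appears after the ERP and LDAP views are merged, which is why a scan confined to a single system misses it. Running the same scan on the previous and the current import and keeping only the difference is what makes weekly or daily execution cheap: the audit team sees new conflicts, not the whole list again.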
Segregation of Duties (SoD)
What you gain with DynaFlow:
Cross-ERP Integration (SAP, Oracle, Baan, Mapics, ...)
Bottled Best Practices:
Fully automated Segregation-of-Duties (SoD) Rules
Pre-Defined SoD Libraries available for Baan, SAP, Oracle, etc.
In line with external auditors to secure successful certification
Detective and also Preventative
Fully automated SoD validation
90% reduction in implementation cost & effort
50% reduction in auditing cost
100% Successful SoD Audit
Simplified insight into all user authorizations
Integrated Cycles
Diagram of three linked cycles: Document (Capture, Define, Structure, Integrate, Validate, Optimize, Publish) producing Process Knowledge; Review & Certify (Risk Assessment, Control Environment, Control Activity, Publish) against Regulations (e.g. SOX, ISO, ITAR, AS9100, HIPAA, etc.); Automate, Measure & Optimize (Route Definition, Workflow Automation, Execute, Monitor, Action) against Objectives, with Measure, Analyze and Metrics.
DynaFlow Value Proposition
(Same Document / Review & Certify / Automate, Measure & Optimize cycle diagram as on the Integrated Cycles slide.)
DynaFlow Solution Overview
Diagram of the solution stack:
Transaction Systems Base: Financial (Oracle, etc), ERP (SAP, Baan, Mapics, etc), Office Apps (MS, Email, VPN, etc)
DynaFlow components: Process Modeling; Process & Knowledge Publishing; Business Controls Definition; Business Controls Checks; Process Automation; Automated Alerts & Notifications; Employee Process Dashboard; Modeler and Auditor Dashboard; Dynamic KCI & Issues Escalation; Process Optimization & Monitoring; Management Dashboard; Dynamic KPI & BI Analytics; BPM Reporting
Critical Capabilities Definition ERM & C
Audit Management: Supports internal auditors in planning and scheduling audit-related tasks, time management, managing work papers, risk assessments, control testing, remediation management and reporting.
Risk Management, General: Supports risk management professionals with the documentation, workflow, assessment and analysis, reporting, visualization, and remediation of risks. Analytics are mostly qualitative with a limited loss event analysis capability that is not dependent on stochastic analysis. It does not include stochastic analysis, but it may collect data from stochastic risk analytics tools to provide a consolidated view of enterprise risk management.
Risk Management, Stochastic: Involves stochastic analysis, such as Monte Carlo simulation. Examples include banks that require highly specialized capabilities for Basel II capital calculations and companies that must support project risk assessments of long-term asset investments, such as mining and oil and gas. Only a few EGRC platform vendors directly support these stochastic analysis needs organically or through an OEM partnership.
Compliance Management: Supports compliance professionals with the documentation, workflow, reporting and visualization of control objectives, controls and associated risks, surveys and self-assessments, testing, and remediation. At a minimum, EGRC management not only will include financial reporting compliance (Sarbanes-Oxley compliance), but also can support other types of compliance, such as ISO 9000, Payment Card Industry, industry-specific regulations, service-level agreements, trading partner requirements and compliance with internal policies.
Policy Management: Includes a specialized form of document management that enables the policy life cycle from creation to review, change and archiving of policies; mapping of policies to mandates and business objectives in one direction, and risks and controls in another; and distribution to and attestation by employees and business partners.
GRC Content: Includes many different kinds of content relative to GRC activities. Examples include regulatory analysis and news feeds, standards and frameworks, draft testing and risk assessments, and draft policies.
Business Analytics: Supports the ability to analyze the impact of risks on business objectives, performance and processes.
Source: Gartner, Inc: 30 November 2010 / ID Number: G00208665
DynaFlow simplification
Regulations (SOX, HIPAA, BASEL II, etc.)
→ Implementation Framework (COSO-II, COBIT, ...)
→ Policy & Procedure Implementation
→ Business Controls:
- Information delivery
- Resource access and use
- Risk mitigation
- ...
→ Demonstration of Compliance: Evidence Collection, Audit
Axes of the diagram: People, Processes, Technology, Facilities, Data; establish, document, test; Business Risks
DynaFlow modules mapped onto this flow: Business Control Libraries; Business Risk Libraries; Compliance Program Mgmt.; Compliance Change Mgmt.; Compliance Issue Mgmt.; Compliance Access & SoD Mgmt.; Audit Trail; Document Mgmt.; Web Portal; Cross-ERP Integration & Mapping; Operational Risk Monitoring; eBook Generation