Contact Information
• Dan Aldridge, CEO Performa Apps
• e-mail [email protected]
• website www.inforln.com/wp
• linkedin Dan Aldridge
• twitter @Danaldridge1
Agenda
• Introduction DynaFlow
• Governance Risk & Compliance / Enterprise Risk Management
• Segregation of Duties for Baan / LN
• Impact on ERP implementation
Contact details: Aart de [email protected], +31 318 479712, Mobile +31 654 392046
DynaFlow Profile
Main Facts:
• Established in 1997
• Private company, HQ in Canada
• Partners in USA, France, Netherlands, Norway, India, Thailand and Australia
Main mission:
To enable global companies to become “Simply in Control” by proactively managing enterprise risks, demonstrating compliance and automating and optimizing business processes.
Dedicated to providing its clients a fast ROI through a short and structured implementation.
Professional Services:
• Implementation and Training
• Compliance & Audit Support
• Process Optimization
• Solution Hosting Services
DynaFlow: Makes it EZ for...
Cooking the Books
http://www.cbsnews.com/video/watch/?id=859384n
Mr. Ebbers (WorldCom), Mr. Lay (Enron), Mr. Kozlowski (Tyco)
Regulation - The Hot Potato
• SOX
• C-SOX
• J-SOX
• ‘Euro-SOX’
• SAS-70
• Code Tabaksblat
• Code Lippens
• 8th EU Directive
• Clinger Cohen
• 21 CFR Part 11
• IFRS
• Basel-II
• Loi sur La Sécurité Financière (LSF)
• BilMoG
Governance, Risk Management & Compliance
Governance describes the overall management approach through which senior executives direct and control the entire organization, using a combination of management information and hierarchical management control structures. Governance activities ensure that critical management information reaching the executive team is sufficiently complete, accurate and timely to enable appropriate management decision making, and provide the control mechanisms to ensure that strategies, directions and instructions from management are carried out systematically and effectively.
Risk management is the set of processes through which management identifies, analyzes, and, where necessary, responds appropriately to risks that might adversely affect realization of the organization's business objectives. The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, accepting or transferring them to a third party. Whereas organizations routinely manage a wide range of risks (e.g. technological risks, commercial/financial risks, information security risks etc.), external legal and regulatory compliance risks are arguably the key issue in GRC.
Compliance means conforming with stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined for example in laws, regulations, contracts, strategies and policies), assess the state of compliance, assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions deemed necessary.
GRC/ERM Support at all levels
[Figure: levels of the GRC model, with continuous monitoring as part of the normal business process across Purchasing, Warehouse Management, Manufacturing and Sales & Distribution]
Strategical
• Policy
• Enterprise Risk Management (Strategic)
• Integrated Compliance Frameworks
• Consolidated Dashboards (Control Statements)
Tactical
• Procedures
• Process Risk Analysis (Tactical)
• Process & Internal Control Design & Maintenance
• Review (workflow)
Operational
• Monitoring Efficiency of Internal Controls
• Embedded testing & test evidence
• Document Management System
• KPI/”In Control” reports
• Review
• Test
Compliance – Why is this important
• Corporate & Executive Responsibility & Liability
• Policy Interpretation
• Implementation Cost
• Overhead
• Tightened Credit Lines
• Premium Insurance Fees
• Fear for Reputation Damage
• Audit Cost
• Regulation
From Regulation to Compliance
[Figure: flow from regulation to compliance]
• Regulations: SOX, HIPAA, BASEL II, etc.
• Implementation Framework: ERM, COSO-II, COBIT, ...
• Policy & Procedure Implementation
• Business Controls: information delivery, resource access and use, risk mitigation, ...
• Demonstration of Compliance
• Evidence Collection
• Audit
Applied across People, Processes, Technology, Facilities and Data (establish, document, test), starting from the Business Risks.
SOX Section 404 – Internal Control
Assessment of internal control
“The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting (ICFR). This is the most costly aspect of the legislation for companies to implement, as documenting and testing important financial manual and automated controls requires enormous effort.”
http://www.heritage.org/CDA/upload/SOX-CDA-edited-3.pdf
SOX Internal Control Requirements
1. Documentation: detailed process description, process flowchart (preferable), business risk assessments, Risk Control Matrix (RCM).
2. Testing: annual walkthrough of each process; testing of key controls.
3. Periodic Reviews: review of process steps and controls; updating of all documentation.
4. Annual External IC Audit: essentially external validation that yes, you did 1 through 3 above. The auditor would use predefined “checklists”.
Risk / Control Matrix
Control descriptions (the column headers of the matrix):
• All non-PO invoices received at month end are entered into the system within 3 days of month-end to ensure proper inclusion into Accounts Payable.
• For production invoices, invoices can only be entered into the system for automatic matching if a valid PO and receipt are already in the system. The system populates the invoice price and due date information from the PO information.
• All unmatched PO invoices are forwarded to purchasing for follow-up.
• All purchase orders and non-PO invoices are reviewed, including ledger account coding, and are authorized in accordance with company policy.
• Cycle counts that result in a difference from perpetual quantity outside limits set by company policy are reviewed; items with a variance deemed to be material are recounted.

RISK / CONTROL MATRIX (controls: ACP-C01, ACP-C04, ACP-C16, PUR-C11, INV-C18)

Risk | Question | Auditor Assertion | Controls marked (column position not preserved in this transcript)
R007 | What ensures that purchases are recorded into the proper accounting period? | Completeness | PC
R011 | What ensures that invoice prices, quantities and other valuation information is correct? | Completeness, E/O, M/V | PC, PC
R042 | What ensures that duplicate and/or fictitious purchases are not recorded? | Existence/Occurrence | PC, PC
R075 | What ensures that perpetual inventory records reflect proper quantities and amounts? | Existence/Occurrence | PC, DC
R079 | What ensures that perpetual-to-physical inventory adjustments are correctly calculated and recorded? | Completeness, Measurement/Valuation | DC
R093 | What ensures that inventory counts, compilations and descriptions are accurate? | Measurement/Valuation | DC

PC = Preventive Control
DC = Detective Control
Enterprise Risk Management (ERM/GRC)
The key pains & challenges:
• Extra burden “on top” of running the company
• Draining resources from critical projects
• Absence of clear and documented guidelines
• Absence of automation
• Cannot be postponed (scheduled audits)
• Cost (with NO tangible ROI)
The proposed approach & resolution:
• Leverage pre-defined knowledge via libraries
• Avoid multiple partial systems (and integration burden)
• Automate as much as possible the tedious and large-volume tasks
How DynaFlow supports ERM/GRC
• Business Risks & Business Controls Library: 2,500+ pre-defined controls, risks and relationships; certified best practices / benchmark; for all regional & industry-specific regulations (SOX, Basel-II, L262, FDA, HIPAA, IFRS, ISO, etc.); to address all auditing/auditors' requirements
• Automated Business Control Execution: testing schedules with automated notification & testing; real-time monitoring & alerts for testers and management; evidence collection & audit trail
• Dynamic Risk and Business Control Monitoring: Key Performance & Risk Indicators dashboard (+ mobile)
• Audit Support: combination of solution, libraries and services
Segregation of Duties (SoD)
The key pains & challenges:
• Now a critical business control for ALL organizations
• Involves a large volume of data (i.e. typical = 200,000+ authorizations in Baan alone)
• Needs to be done across systems (ERP) and for ALL access types
• Is a recurring process due to constant changes
The proposed approach & resolution:
• Automation, automation and automation!
Cross-Applications ERM & SoD
[Figure: process diagram linking Access Mgmt (Employees, User Roles, Applications), Compliance Mgmt (Business Controls, Business Risks, Business Processes & Controls Integration), SoD Mgmt (SoD Business Conflicts, Conflict Resolution, SoD Conflict Rules) and Document Mgmt (Documents)]
EZ-Compliance SoD Scan
[Figure: SoD scan across applications such as Mapics, Hyperion, BPCS and Ceridian, plus network access, facility access and security badges]
Master SoD Matrix
Over 400+ SoD “zones” to be validated
The LN / Baan SoD Rules Library
• Introduced in 2005
• Required 2 years of initial development, and is updated regularly
• Content and design validated by CFOs, Controllers, SOX Senior Consultants, Baan Specialists, etc.
• Covers all Baan versions (Triton, Baan IV, ERP-5, LN)
• Compliant with Baan Tools and DEM authorizations
• Verifies 22,000+ Baan session combinations for SoD violations (with violation rating) to validate 400+ SoD-sensitive “zones”
Auditors such as E&Y, KPMG, D&T, PWC and Grant Thornton validated the completeness and accuracy of the Baan SoD Rules by successfully certifying all EZ-Compliance clients as SoD/SOX compliant.
EZ-Compliance Automated SoD Scan
[Figure: automated SoD scan flow]
• Inputs: Employees, Roles, Corp-wide Applications, Business Controls, Business Processes; imports from ERP, Oracle, LDAP, Visio and DEM
• (1) Access Scan: builds the Employee / Applications Access List
• (2) Conflict Scan: applies the SoD Conflict Rules (from the SoD Library and Business Risks) to produce the SOX – SoD Conflicts List
• (3) Resolution Scan: applies the SoD Resolution Rules and Mitigation Controls to produce the Mitigated Conflicts List
SoD Conflicting Areas Matrix
The automated SoD cycle
• Import of updated authorizations from all Enterprise Applications (automated; ERP import weekly or daily)
• Identification of SoD conflicts & related business risks (automated)
• Resolution of conflicts with known patterns (automated)
• Notification of new conflicts to internal audit team and/or process owners (automated)
• Investigation, resolution and mitigation of SoD risks (semi-automated)
Result: 90%+ reduction of effort & cost
How DynaFlow supports SoD
• Access/Authorization Mgmt: cross-systems authorizations (who is accessing what?); periodic access reviews
• SoD Conflicts Identification: detective validation (what accesses constitute risks?); preventive validation (what is the impact if we change …?)
• SoD Conflicts Resolution: automated resolution/mitigation using pattern rules
• SoD Conflicts Monitoring & Alerts: self-generated SoD Matrix with dynamic alerts; Key Performance & Risk Indicators dashboard (+ mobile)
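The three scan steps from the automated SoD scan slides ((1) access scan, (2) conflict scan, (3) resolution scan) together with the preventive "what is the impact if we change …?" check described here, as an added Python example that is not DynaFlow's or EZ-Compliance's own code. The users, Baan-style session codes, zone names, violation ratings and the PUR-M01 mitigation id are constructed sample data; a real rules library maps thousands of sessions to zones rather than four.

```python
# Added illustration, not DynaFlow's or EZ-Compliance's code: the slide's scan steps
# ((1) access, (2) conflict, (3) resolution) plus the preventive "what if" check.
# Users, sessions, zones, ratings and control ids are constructed sample data.
from itertools import combinations

def rule(zone_a, zone_b):
    """Order-independent key for a pair of conflicting business functions (zones)."""
    return tuple(sorted((zone_a, zone_b)))

# (1) Access scan result: user -> ERP sessions held (constructed authorization export).
AUTHORIZATIONS = {
    "jdoe": {"tdpur4100", "tdpur4120", "tfacp1100", "tfacp2100"},
    "asmith": {"tfacp1100", "tfacp2100"},
    "bjones": {"tdpur4100", "tfacp1100"},
}
# Session -> SoD zone; a rules library maps thousands of sessions this way (constructed).
SESSION_ZONE = {"tdpur4100": "PO entry", "tdpur4120": "PO approval",
                "tfacp1100": "Invoice entry", "tfacp2100": "Payment release"}
# (2) Conflict rules with a violation rating (constructed).
CONFLICT_RULES = {rule("PO entry", "PO approval"): "high",
                  rule("Invoice entry", "Payment release"): "high",
                  rule("PO entry", "Invoice entry"): "medium"}
# (3) Resolution rules: per user, mitigating control id -> zone pair it covers (constructed).
MITIGATIONS = {"bjones": {"PUR-M01": rule("PO entry", "Invoice entry")}}

def conflict_scan(auths):
    """Return (user, zone pair, rating) for every conflict rule one user's access triggers."""
    found = []
    for user, sessions in auths.items():
        zones = {SESSION_ZONE[s] for s in sessions if s in SESSION_ZONE}
        for a, b in combinations(sorted(zones), 2):
            if rule(a, b) in CONFLICT_RULES:
                found.append((user, rule(a, b), CONFLICT_RULES[rule(a, b)]))
    return found

def resolution_scan(conflicts, mitigations):
    """Split conflicts into open ones and ones covered by a mitigating control."""
    open_conflicts, mitigated = [], []
    for user, pair, rating in conflicts:
        ctrl = next((c for c, p in mitigations.get(user, {}).items() if p == pair), None)
        (mitigated if ctrl else open_conflicts).append((user, pair, rating, ctrl))
    return open_conflicts, mitigated

def what_if(auths, user, new_session):
    """Preventive check: the conflicts that granting new_session to user would add."""
    current = auths.get(user, set())
    before = set(conflict_scan({user: current}))
    after = set(conflict_scan({user: current | {new_session}}))
    return sorted(after - before)
```

On the sample data the detective scan finds five conflicts, one of which is mitigated by PUR-M01, and the preventive check shows that granting PO entry to asmith would add a medium-rated conflict with invoice entry.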
Segregation of Duties (SoD)
What you gain with DynaFlow:
• Cross-ERP Integration (SAP, Oracle, Baan, Mapics, ...)
• Bottled Best Practices: fully automated Segregation-of-Duties (SoD) rules; pre-defined SoD libraries available for Baan, SAP, Oracle, etc.; in line with external auditors to secure successful certification
• Detective and also Preventative
• Fully automated SoD validation
• 90% reduction on implementation cost & effort
• 50% reduction on auditing cost
• 100% successful SoD audit
• Simplified insight in all user authorizations
Integrated Cycles
[Figure: integrated cycles diagram]
• Process Knowledge cycle: Define, Capture, Document, Integrate Structure, Publish, Optimize, Validate
• Control cycle: Risk Assessment, Control Environment, Control Activity, Publish, Review, Certify; driven by regulations (e.g. SOX, ISO, ITAR, AS9100, HIPAA, etc.)
• Workflow Automation cycle: Route Definition, Execute, Monitor, Action, Automate, Measure, Optimize
• Metrics cycle: Objectives, Measure, Analyzes, Metrics
DynaFlow Value Proposition
[Figure: the integrated cycles (Process Knowledge, Control, Workflow Automation, Metrics) overlaid on the DynaFlow solution components]
• Transaction Systems base: Financial (Oracle, etc), ERP (SAP, Baan, Mapics, etc), Office Apps (MS, Email, VPN, etc)
• Process Modeling; Process & Knowledge Publishing
• Business Controls Definition; Business Controls Checks
• Process Automation; Automated Alerts & Notifications
• Employee Process Dashboard; Modeler and Auditor Dashboard; Management Dashboard
• Dynamic KCI & Issues Escalation; Process Optimization & Monitoring; Dynamic KPI & BI Analytics; BPM Reporting
Critical Capabilities Definition ERM & C
36
Audit ManagementSupports internal auditors in planning and scheduling audit-related tasks, time management, managing work papers, risk assessments, control testing, remediation management and reporting.
Risk Management, General Supports risk management professionals with the documentation, workflow, assessment and analysis, reporting, visualization, and remediation of risks. Analytics are mostly qualitative with a limited loss event analysis capability that is not dependent on stochastic analysis. It does not include stochastic analysis, but it may collect data from stochastic risk analytics tools to provide a consolidated view of enterprise risk management.
Risk Management, Stochastic Involves stochastic analysis, such as Monte Carlo simulation. Examples include banks that require highly specialized capabilities for Basel II capital calculations and companies that must support project risk assessments of long-term asset investments, such as mining and oil and gas. Only a few EGRC platform vendors directly support these stochastic analysis needs organically or through an OEM partnership.
Compliance ManagementSupports compliance professionals with the documentation, workflow, reporting and visualization of control objectives, controls and associated risks, surveys and self-assessments, testing, and remediation. At a minimum, EGRC management not only will include financial reporting compliance (Sarbanes-Oxley compliance), but also can support other types of compliance, such as ISO 9000, Payment Card Industry, industry-specific regulations, service-level agreements, trading partner requirements and compliance with internal policies.
Policy Management Includes a specialized form of document management that enables the policy life cycle from creation to review, change and archiving of policies; mapping of policies to mandates and business objectives in one direction, and risks and controls in another; and distribution to and attestation by employees and business partners.
GRC ContentIncludes many different kinds of content relative to GRC activities. Examples include regulatory analysis and news feeds, standards and frameworks, draft testing and risk assessments, and draft policies.
Business Analytics Supports the ability to analyze the impact of risks on business objectives, performance and processes.
Gartner, Inc: 30 November 2010/ID Number: G00208665
DynaFlow simplification
[Figure: the "From Regulation to Compliance" flow (Regulations such as SOX, HIPAA, BASEL II, etc.; Implementation Framework such as COSO-II, COBIT, ...; Policy & Procedure Implementation; Business Controls: information delivery, resource access and use, risk mitigation, ...; Demonstration of Compliance; Evidence Collection; Audit; across People, Processes, Technology, Facilities and Data, establish, document, test, from the Business Risks) with the DynaFlow modules that support each step]
DynaFlow modules:
• Business Control Libraries
• Business Risk Libraries
• Compliance Program Mgmt.
• Compliance Change Mgmt.
• Compliance Issue Mgmt.
• Compliance Access & SoD Mgmt.
• Audit Trail
• Document Mgmt.
• Web Portal
• Cross-ERP Integration & Mapping
• Operational Risk Monitoring
• eBook Generation