February 12th 2013, San Francisco


11:00 - 11:30 am: Registration

11:30 - 12:00 pm: Lunch

12:00 - 12:15 pm: Welcome and Introductions (Ed Byers)

12:00 - 12:25 pm: ROI Audits – Overview and Hot Topics (Farhan Zahid)

12:25 - 12:50 pm: Vendor and Sales Partner Compliance (Sunil Gopal)

12:50 - 13:15 pm: Software Asset Management (Erwin Yuen)

13:15 - 13:30 pm: Open Discussion and Seminar Wrap-Up


Ed Byers


Registration and Lunch

Logistics – Fire Exits and Restrooms

Phone calls

Interactive Session

Questions and Answers


Farhan Zahid


Common Issue:
◦ Current audits and internal audit activity focus on conformance.
◦ Management loses faith and focus in the audit program because it does not address the issues important to management – Strategy, Performance and ROI.

Result:
◦ Internal Audit plans, reports and training focus on conformance as opposed to performance.
◦ Audit program cannot improve because management will not provide the attention, input and resources needed for it to perform at a higher level.

Evolution Need:
◦ Refocused vision, aligning plan/activities with business performance/interests/strategy and improving the bottom line.
◦ Advanced, business risk training for trained auditors, greater collaboration with management and valued results.


Where We Have Been

Where We Need To Be


By no means a comprehensive list

Will vary by environment
◦ May be greater/lesser risk and ROI depending on industry, technology, business processes etc.

This list is based on what we see in the marketplace

Designed to get you thinking about your environments and whether the currently scheduled audit plan will really bring the value the business needs

List is in no particular order


Issue: Emerging methods of payment processing (ISIS, Google Wallet, PayPal).

ROI Potential:
◦ Impacts potential revenue opportunities and competitive advantage
◦ Impact on revenue cycle processes, systems and controls

Recommendation: Determine what changes are planned or underway toward adopting new payment processing technologies. Determine impact on financial systems and processes (e.g. sales audit). Evaluate integration management. Identify new security and controls considerations and execute audit steps accordingly.


Issue: Current system configurations, poor oversight processes and “gaming” the system allow for duplicate payments, ghost employees and/or excessive overtime rates. Time and attendance is often one of the largest expenses whilst being the least understood.

ROI Potential: Significant reductions in costs by preventing:
◦ Non-productive “gaming” of the system
◦ Pay practices that exceed written policies
◦ Under-reported time off
◦ Ghost/fraudulent employees
◦ Duplicate payments

Recommendation: Understand the current labor population and payroll structure as well as the management, monitoring and reconciliation processes in place over payroll/time and attendance. Consider data analytics to identify ghost/duplicate employees and payments and anomalies in time-off and pay rates. Understand system configurations and upgrade history (if applicable). Align results with labor cost trends, and current cost savings/containment targets.


Issue: Businesses have poor management processes over the procure-to-pay lifecycle, resulting in poor vendor selection, legal/contractual weaknesses and duplicate payments.

ROI Potential:
◦ Reduction in/refund of duplicate payments
◦ Addressing contractual issues that could lead to financial weakness in the event of a service/performance issue
◦ Reduced fraud/conflicts of interest risks of unapproved vendors

Recommendation: Gain an understanding of how vendor selection and contract management is operationalized throughout the organization and how compliance with policy is achieved. Evaluate the organization’s vendor selection, conflict of interest management and payment cycle management. Perform data analytics over the vendor master file and payment processing data to identify anomalies and duplicates.


Issue: More and more boards of directors and non-marketing CEOs are demanding answers with regard to actual returns on investment and measurement. Marketing is often a large target in austerity measures but cuts are not always made in the most efficient manner. Poor investments in marketing campaigns are not tracked and resolved, resulting in loss of revenues and business opportunities.

ROI Potential:
◦ Identify which Internet marketing campaigns are turning a profit and which should be eliminated
◦ Effective streamlining and reinvestment that will not be damaging to the business

Recommendation: Identify key pages and campaigns that should be tracked, develop a tracking code that can be added to your campaigns/site and measure results against the campaigns' intended goals. Include analytics of key actions of interest, such as how many clicked on your advertisement campaign, purchased a product or service, filled out a contact request form, signed up for a newsletter, or any other desired actions. Compare and contrast results between campaigns to understand what works best for the business. Also, consider other campaign opportunities that the business may not have considered.


Issue: Many risk management processes and controls are outdated or not aligned with the business risk tolerance levels. Technologies are not always utilized to streamline processes, resulting in many labor-intensive processes still in place.

ROI Potential:
◦ Streamlining of controls and risk management processes
◦ Reduced administration, oversight and processing resources required
◦ Potential SOC1/SOC2 preparation allowing for business partnership opportunities/competitive advantage

Recommendation: Establish a baseline of understanding regarding current risk tolerance, capabilities and maturity level of risk management processes. Consider options such as management self assessment, automated results collections tools and existing technologies the business has to hand. Also consider training and experience that may not be utilized in the firm.


Issue: Deployment of IT assets is often not tracked efficiently or monitored on an ongoing basis. Also, moving more to mobile devices (considered “desirable” items); many offer tracking capabilities but the technology is neither activated nor considered.

ROI Potential:
◦ Reduction in asset loss/theft, misuse and obsolescence
◦ Improved monitoring, incident resolution, budgeting, planning and asset life cycle management
◦ Long term performance improvement and cost reduction

Recommendation: Understand current trends and cultures around IT assets (“desirable” items, systems, devices and technologies currently deployed or planned). Consider associated risks such as corporate/customer data. Consider asset lifecycles, security and performance requirements, current support/suppliers, # items per person, labeling and tracking processes, inventory reconciliations, bulk inventory, timeliness of processes.


Issue: Detail costs and expenses are often not reviewed, monitored or challenged appropriately. Management find ways to get costs/expenses through the net.

ROI Potential:
◦ Identifying cost reduction opportunities and inappropriate expenses
◦ Improved culture towards cost and expense management

Recommendation: Understand current approval limits and approaches to managing and monitoring costs and expenses; identify typical costs and expenses that may be subject to abuse or poor monitoring controls. Consider expenses for staff, directors/partners, IT, maintenance, construction/large projects and Pcard systems.


Need to understand which items may be relevant in your business and technical environment

Ensure that risk assessment and audit universe address relevant items that are aligned with business performance

Don’t walk the plank alone – communicate with management and the audit committee

Use data analytics where possible to streamline audits and give solid ROIs: it is harder to argue with the numbers

Plan resource requirements
◦ Be careful not to underestimate
◦ Factors such as training and amount of business input need to be assessed conservatively


Farhan Zahid, Manager
415 783 6342
Deloitte, San Francisco


Sunil Gopal


Third parties touch every part of your business

Throughout the value chain there are critical third party relationships. These third parties can be split into two main categories:
◦ Vendor – away from the end customer
◦ Revenue – closer to the end customer

Third parties along the value chain:
◦ Distributors and Licensees
◦ JV and alliance partners
◦ Outsourcing partners
◦ Suppliers
◦ Advertising agencies
◦ End customers
◦ Warranty service providers
◦ Manufacturing partners
◦ Dealerships

The behaviour of third parties across the value chain can have significant impact on:
◦ Brand
◦ Revenue
◦ Reputation
◦ Operational control
◦ Customer safety
◦ Customer satisfaction


Introduction to Vendor Compliance

◦ In our experience, vendors often charge more than contractually agreed for goods and services, representing a significant opportunity for you to recover costs
◦ In addition, vendor policies, processes or approaches towards areas such as data security, business continuity, anti bribery and corruption, sourcing, working practices and conditions, can negatively impact your business
◦ Among many benefits, vendor compliance programs can generate financial recoveries AND provide assurance over key business partner risks

Non-compliance is driven by high-risk clauses which can result in overcharges, regardless of industry:
◦ Rate changes based on spend or volume
◦ Rebates and discounts
◦ Rates for subcontracted services
◦ Services incentives / credits
◦ Pass through of expenses and costs
◦ Application of management fees

Case studies:
1. Credit checking
2. Marketing
3. Call center


Typical Approaches for Vendor Compliance

1. Identify vendors
◦ Identify high value, high risk vendors
◦ Risk levels determined by (i) existence of high risk clauses, (ii) analysis of spend profile (irregular spend patterns indicating potentially poor financial controls)
◦ Progress these vendors to the next stage

2. Determine availability of data
◦ For vendors progressed from stage 1, investigate the internal availability of data to recalculate invoices
◦ Vendors for which internal data is available: progress these vendors to the next stage
◦ Vendors for which internal data is not available: request data from vendors and progress these vendors to the next stage

3. Perform analytics
◦ Code “business rules” / contract clauses selected for review
◦ Format invoice data to enable analysis comparison to business rule
◦ Generate exception reports to discuss with vendors
◦ Make financial recoveries

[Figure: analytics workflow, with labels: Contracts; Customize contract parameters; Vendor transactions; Vendor invoice transaction data (labor, materials, equipment charges, etc.); Format data; Customized queries; Run D-SCAN; Exception reports]


Introduction to Sales Partner Compliance

◦ Sales partners typically self report metrics that drive payments to and from the parties
◦ Inaccuracies in self reporting can lead to over payments to partners, or reduced revenue from partners
◦ With respect to over payments to distributors and resellers, the Deloitte white paper “When Channel Incentives Backfire” estimates that high tech companies are losing an estimated $1.4 billion in lost profits each year.
◦ With respect to reduced revenue, some studies show that around 80% of franchisees, licensees, and dealers have underpaid royalties.

[Figure: Your company; Distributors / Licensees; Service providers; Resellers; End customers]

Overpayments:
◦ Volume rebates
◦ Price protection
◦ MDF
◦ Trade ins
◦ Eligibility based discounts

Reduced revenue:
◦ Net selling prices
◦ Deductions
◦ Trigger points
◦ FX rates
◦ Gray market sales

Issues are often caused by a lack of understanding of key requirements


Third Party Inspection Programs

Key drivers include: Key benefits include:

A collaborative approach

Evidence based results

Review of key contractual terms

Open and honest approach

Testing through data analysis

Corporate Governance requirements

Increased visibility

Desire for an open relationship

Targeted investment

Improved relationships

Opportunities for business growth

An independent view of compliance

A number of companies have successfully implemented programs which focus on reviewing all business partners according to a consistent and methodical approach. The common elements of the program include:
◦ Launch program: gaining an understanding of the internal processes, systems and data that will support the inspection, as well as performing a risk assessment of third party business partners
◦ Pilot inspection: testing and refining the approach during an initial project, or series of projects
◦ Third party inspections: taking lessons learnt from the launch programme and pilot review stages to assess the contract compliance and completeness and accuracy of the self reporting of selected business partners

[Figure: program stages: Launch programme; Pilot inspection; Third party inspection]


Key Success Factors to Third Party Inspections

Relationships: The third parties inspected are your business partners, so ensuring that the approach is independent, fair and consistent is important. It is important to seek to add value to both parties, and enhance business relationships.

Audit clauses: There may be a requirement to engage with the third party to secure data. In this case, the audit clause is critical since it defines what information can and cannot be requested.

Accessing confidential information: Confidential data may be required during a typical project, and so third parties may be reluctant to share information directly with you. Having standard NDAs drafted and a vendor ready to help can speed up the process.

Messaging: Performing one off projects can lead to third parties feeling victimized. Messaging projects as part of wider compliance or governance efforts can help reduce this feeling.


© 2012 Deloitte Global Services Limited

Speaking with you today
Sunil Gopal, Senior Manager
408 704 4023
Contract Risk and Compliance, Deloitte, San Jose


Erwin Yuen


What is Software Asset Management (SAM)?

DRAFT – for discussion purposes only

“According to Information Infrastructure Library (ITIL), SAM is defined as all of the infrastructure and processes necessary for the effective management, control and protection of the software assets throughout their lifecycle.”

[Figure: Software Asset Management, with labels: Cost Optimization; Risk – Legal; Risk – Software Review; Asset Management; Organizational Governance; Security; Reduce Cost; Compliance; Efficiency; Policies]


Why SAM reviews?


Staying in Compliance is a Challenge

Software Licensing is Complex

Did someone say ROI?

• No refund policy but shelf-ware support cost is where software companies make their money

• Never get into the Install versus use argument with a software vendor

• Some software vendors issue new licensing briefs four times a year and Software as a Service (SaaS) does not mean you don’t have to worry about SAM

• Virtualization technology used to improve efficiency and scalability can cost you millions of dollars

• Most software has no restrictions on over-deployment

• Who and where your users are logging in from could cost you 3-4X more in software cost


SAM Reviews – How do I get started?


Risk Assessment
• Determine key risk factors: Spend $, likelihood of a software audit, licensing model complexity
• Start small and learn and build from your successes
• Partner with stakeholders, procurement & IT – educate them!

Baseline
• Understand the contracts and the procurement process
• Know what you own and support up front
• Partner with IT – Tools and available data is key
• Reconcile deployment to entitlement and determine exposure – Don’t forget over-licensing scenarios/shelf-ware

Benchmark
• How does your company stack up against industry standards or other companies
• How mature is your company's SAM process
• Track license usage and deployment
• Drive best practices and process changes


Speaking with you today
Erwin Yuen, Specialist Leader
408 704 2261
Contract Risk and Compliance, Deloitte, San Jose
