Making Sense of Internal Control
How technology is used in practice to implement a control vision: seven examples

A PwC white paper for CIO’s and Internal Control professionals

www.pwc.ch/ra

Contents

Introduction

Control solutions in practice

Seven examples of control solutions in practice

1 Alliander NV: closing process and internal control management supported by Runbook

2 Geberit AG: SAP access control management supported by APM Atlantis

3 Global Fortune 500 Company: process and access control monitoring supported by Approva BizRights

4 Kuoni Travel Holding AG: managing ICS supported by SAP GRC Process Control

5 Pilatus Aircraft Ltd: SAP access control monitoring supported by Mesaforte

6 Serco Group plc: SAP system auditing supported by Security Weaver Access & Process Control

7 UK Defence Contractor: access security supported by Oracle GRC

Observations/Acknowledgments

Contacts

Editorial

In January 2010, PwC published the white paper: ‘Making sense of internal control: How to align vision, organisation and technology to lower compliance costs and improve business efficiency’. The white paper concluded that a best-in-class control system is the result of:

• a control vision supported by the business,

• well-defined ownership and accountability, and

• use of the right technologies.

In this context, we introduced the term “next generation control solutions” for technology supporting best-in-class internal control systems. This technology is also known as GRC (Governance, Risk and Compliance) technology. The market for this technology is rapidly evolving. Vendors have propositions to improve compliance, risk management and internal control systems. However, our clients struggled with the differences between the solutions in the market and were looking for guidance on how to select and implement them.

Our 2010 white paper led to many stimulating and challenging discussions with our clients. We also helped companies to choose and implement a next generation control solution. However, many companies remained uncertain on how and why to use control solutions within their organisation. This signalled a clear need for thought leadership that provided a deeper understanding of the current capabilities of control solutions.

With this white paper, we aim to further clarify the purpose and capabilities of control solutions. Note that given the number of actual implementations, we no longer call these solutions ‘next generation’. This paper is divided into two sections:

• Section one: ‘Control solutions in practice’ provides seven examples of companies that have implemented control solutions and explains the implementation approach and daily usage. To obtain these examples we asked vendors in the Swiss market to provide us with reference customers. We interviewed these customers and documented their views and experiences.

• Section two: ‘Observations’ highlights what PwC feels are the most important lessons to be drawn from these seven examples.

The seven examples provide additional insight into the current capabilities of control solutions. We hope you find this information useful and enjoy reading it. On behalf of my colleagues at PricewaterhouseCoopers who helped make this white paper possible, I would like to thank the vendors and their customers for their openness and willingness to share their experiences. It was a pleasure for us to learn more about your solutions. We look forward to further sharing and collaborating in this space.

Yours sincerely,

Paul de Jong
Partner, PricewaterhouseCoopers AG

Companies report clear business benefits from implementing technology supporting their control vision.

Paul de Jong, Partner, PwC

Control solutions in practice

This section features (in alphabetical order) seven companies that explain how and why they implement and use control solutions:

• Alliander (The Netherlands) uses Runbook for closing process and internal controls management

• Geberit (Switzerland) uses APM Atlantis for SAP access controls management

• Global Fortune 500 Company (Europe) uses Approva BizRights to manage access and process controls.

• Kuoni Travel Holding (Switzerland) uses SAP GRC Process Control to manage the internal control system

• Pilatus Aircraft (Switzerland) uses Mesaforte to monitor SAP access controls.

• Serco Group (United Kingdom) uses Security Weaver Access and Process Control for SAP system auditing.

• UK Defence Contractor (United Kingdom) uses Oracle GRC for access security


The examples are offered only for the purpose of sharing experiences and the control solutions are not qualified in any way. Any control solution should be evaluated against company specific objectives and circumstances, ideally through a proof of concept.

This article is based on an interview with the Compliance Officer Risk and the Internal Audit Manager of Alliander NV.*

Company
Name: Alliander NV
Industry: energy distribution
Headquarters: Arnhem, The Netherlands
Business activity: gas and electricity networks in the Netherlands
Employees: 6,000
Revenues: EUR 1.4 billion

Solution
Name: Runbook
Vendor: Runbook
Version: 4.0b (Service Pack 9)
Modules: Period-End Close, Internal Controls, Compliance Documentation

Business benefit: Documentation of business control framework and control assessments meets efficiency and transparency requirements.

Closing process and internal control management supported by Runbook

Alliander NV

Business Issue and Solution Selection

Alliander operates a finance shared service centre to manage bookkeeping and accounting in SAP for approximately 25 group companies. Originally selected by its predecessor company NUON in 2006, Alliander uses Runbook to manage the period-end closing processes. The Period-End Close module is used to implement a workflow-based process for over 100 users by integrating the monthly closing schedule into SAP. The shared service centre monitors the progress of closing on a real-time basis and identifies any delays with Runbook. Runbook’s Compliance Documentation module collects and archives all documentation relevant as evidence for financial reporting compliance. Both internal and external auditors use the resulting archive for audit purposes.

The Compliance Officer Risk is responsible for the effectiveness of the internal control system to ensure Alliander is in control and in compliance with regulations (‘code-Tabaksblat’, ‘commissie Frijns’). Alliander’s internal control system is described in a Business Control Framework which is applicable to all its companies. The Business Control Framework defines the controls to address financial reporting and financial operational risks. The controls cover manual controls, access controls, programmed procedures and IT general controls. The effectiveness of these controls is assessed by management on a quarterly basis.

In 2009, the Compliance Officer Risk found the current documentation of both the Business Control Framework and the controls assessments was no longer sufficient to satisfy the needs for efficiency, transparency and documentation. He searched for a software solution to better address these needs. In this in-house search (Alliander only uses proprietary software solutions if they are fit for the purpose), he was made aware of the internal controls module of Runbook. As the software was already in use and the users were satisfied with the proof of concept, Alliander decided to extend the use of Runbook to documenting the Business Control Framework and the controls assessment results.

Implementation

The technical implementation of each Runbook module required only a few days, because Runbook is an ABAP based SAP certified software, which can be installed through regular SAP change management procedures. Company specific content, such as closing schedule or controls description, was directly installed with upload sheets (e.g. in Excel format) into Runbook.

The functional implementation of the internal controls module of Runbook took Alliander an estimated 3 months. It was important to the Compliance Risk Officer to dedicate a sufficient amount of time to the design of roles and responsibilities for controls assessment, as well as to the ‘translation’ of the Business Control Framework into Runbook control definition specifications. Runbook works with “scenarios” to describe and manage periodic processes. Alliander created Business Control Framework scenarios for every business unit in Runbook to represent the controls execution and controls assessment cycles.

Two Runbook consultants supported the implementation with customising activities and by facilitating workshops to guide users on how to apply Runbook functionality in the Alliander setting. Alliander considered the support efficient, pragmatic and service-oriented, as demonstrated through continuing development of the Runbook software based on input from the user community.

The Internal Controls module is used by 25 users (including Control Testers, Business Controllers, the Compliance Officer Risk and Internal Audit) to:

• document the controls design as described in the Business Control Framework, including the assignment of responsibilities for control execution, testing and sign-off,

• document evidence of the execution of these controls,

• monitor the execution of these controls,

• plan the testing of these controls,

• document the results of the testing of these controls,

• document remedial activities and their completion.

Alliander’s shared service centre oversees the system management of Runbook. According to the Compliance Officer Risk, this requires two days a month for the Internal Controls module and mainly consists of updating scenarios and uploading these to make them available for the next quarterly controls cycle.

Benefits

Alliander sees the main benefits of using the Internal Controls module of Runbook as:

• improved accessibility and transparency of internal controls documentation, execution and assessment throughout the relevant parts of the organisation,

• ease in applying changes to the Business Control Framework and making these available to the Internal Controls community within Alliander,

• ability to assign roles, responsibilities and tasks and perform progress monitoring on the execution of these tasks during the controls cycle,

• increased control awareness and controls discipline in the organisation,

• quality of documentation of controls execution and controls assessment,

• greater efficiency of internal and external controls reviews.

Next Steps

Alliander is considering the following in expanding the usage of Runbook for internal controls:

• Implementing results of Business Control Framework adjustment to cover operational and compliance risks and to reduce the number of controls per area.

• Extending the use of Runbook’s internal controls reports towards monitoring progress on remediation activities.

• Integrating controls activities into period-end closing scenarios in Runbook.

• Enabling direct signing-off on controls by control owners (directors) in Runbook.

• Ensuring that internal audit is notified in the automated workflow when internal controls exceptions are recorded in Runbook.

Alliander increased transparency and eased change management for internal controls.

This article is based on an interview with the Head of Global IT of Geberit AG and the IT Analyst who supported the implementation of APM Atlantis.*

Company
Name: Geberit AG
Industry: sanitary technology
Headquarters: Rapperswil-Jona, Switzerland
Business activity: Sales offices in 40 countries. Sales activities are concentrated on the major European markets, North America, China and South East Asia
Employees: ca. 5,800
Revenues: CHF 2.2 billion

Solution
Name: APM Atlantis
Vendor: Realtime AG
Modules: Core, Composer, Transformer, Observer

Business benefit: SAP security supports internal control requirements.

SAP access control management supported by APM Atlantis

Geberit AG

Business Issue

Geberit uses SAP as one of its core systems. Close to 50 internal SAP specialists manage 2 central SAP systems operated in 2 data centres, which support 2,500 users in 25 countries. Driven by the implementation of the internal control system (to comply with Swiss legislation as of 2008), Geberit’s IT department found the existing profile-based SAP authorisation concept did not adequately meet regulatory requirements such as documented approval of authorisation requests, segregation of duties, etc. The IT department, supported by the CFO and internal audit, started a project in 2008 with the aim of:

• implementing transition to a role-based SAP authorisation concept that considered segregation of duties requirements,

• defining and implementing clear organisational roles and responsibilities regarding the definition, composition, provision and approval of SAP roles,

• implementing IT general controls as an element of corporate governance,

• creating a repository and an approval workflow for the provisioning of SAP roles.

Solution Selection and Scope

To achieve these goals, Geberit decided to deploy one tool for SAP role creation and management and a separate tool for SAP user management and role provisioning.

For role-creation and management, Geberit considered the balance between the granularity of the roles versus complexity and maintenance effort. Given the large number of relatively similar sales companies and production sites in SAP, it was important for Geberit to be able to efficiently replicate roles across operating companies. Out of four potential solutions, Geberit selected APM Atlantis because of these decisive factors:

• APM Atlantis utilises the standard SAP role maintenance functionality (PFCG), and complements this with ‘role inheritance’ functionality that enables efficient ‘replication’ of roles across operating companies and organisational units in SAP,

• APM Atlantis is an ABAP programme integrated into SAP, which enables on-line role monitoring,

• the programme was offered at a significantly lower price than other tools.

For SAP user management and role provisioning, Geberit developed a Lotus Notes application in-house. Lotus Notes is widely used in Geberit (ca. 3,300 users) and was considered the easiest platform to support the approval workflow for SAP user and roles.

Implementation

The project for the design and implementation of the SAP authorisation project lasted 2 years. The project was done internally with the involvement of 4 SAP Basis specialists, 8 SAP module administrators, the Head of Global IT, internal audit and a key user for each operating company.

The project was organised in 5 phases:

1. Approach and tool selection: Definition of organisational roles for SAP role definition, approval and provisioning.

2. As-is analysis: Identify the SAP transactions and reports that users were actually employing, drawing on the information already collected for SAP license management, as the basis for the role definition.

3. Role definition: Design business process oriented or function based roles that are segregation of duties compliant and reusable.

4. Role implementation: Translate the conceptual roles into SAP roles. Master roles were created in APM Atlantis and used to construct derived roles which were extended to be replicated across operating companies and organisational units. All single roles were designed and tested in APM Atlantis to be in compliance with Geberit’s segregation of duties matrix. This matrix was based on the standard rule set from APM Atlantis and customised according to guidance from auditors.

5. Approval and provisioning: Assign the new roles through the new approval workflow to users in SAP. The role changes were sent from Lotus Notes in text files and imported into SAP semi-automatically. The users and roles in SAP are periodically reconciled with the approved users and roles in the Lotus Notes database.

According to Geberit, the technical implementation and configuration (rule set adaptation) of APM Atlantis took less than 3 weeks. SAP role definition and implementation using APM Atlantis during the project required some 0.6 FTE and is expected to take 0.3 FTE in operations afterwards. Geberit expects only minor efforts to be required for the maintenance of APM Atlantis (e.g. technical upgrades, rule set changes).

The creation of roles in APM Atlantis is performed by the SAP module administrators in the SAP test environment. During and after creation, APM Atlantis tests the role definition against the segregation of duties matrix. The role is subject to approval by the process owner. The allocation of the role to a specific user is subject to approval by the data owner. The SAP Basis administrator provisions and assigns roles to users upon approval. One IT person outside of the SAP competence centre creates monitoring reports and supports the further development of the authorisation concept.

Benefits

Although the project is not yet entirely completed, Geberit has realised several benefits including:

• increased transparency of roles and responsibilities for SAP authorisations,

• data owners are able to monitor the access rights to their data,

• improved communication with users regarding access to SAP,

• clean up of users in SAP,

• increased control awareness in the IT department,

• reduced errors in the provisioning of access rights.

Next Steps

The Head of Global IT expects that with usage, the efficiency of user and access management will further increase. Next steps will include:

• Using APM Atlantis for the periodic review of segregation of duties conflicts in the SAP production environment,

• Further optimising general IT controls,

• Increasing the use of SAP functionality for internal controls in the business processes.

Geberit uses a best of breed solution that combines an off-the-shelf SAP access control tool for access monitoring and role management with a custom Lotus Notes application for user and role provisioning to meet the company’s goals efficiently.

This article is based on an interview with the company.

Company
Name: Global Fortune 500 Company
Industry: consumer goods
Headquarters: Europe
Business: Manufacture and sale of consumer goods
Employees: over 50,000
Revenues: over USD 20 billion

Solution
Name: Approva BizRights
Vendor: Consider Solutions
Version: 4.1
Modules: Authorisation Insight, Process Insight, Configuration Insight

Application Environment
SAP ERP

Business benefits: Consistent controls across group entities and regions.

Business Issue

The company has established internal controls over financial reporting in compliance with Sarbanes-Oxley section 404 (SOX 404). The project was initiated to address the following challenges:

• Ensuring consistent and transparent internal controls across regions and affiliates and alignment with corporate standards

• Defining a framework of complementary controls to address risks in increasingly complex business and information systems processes

• Reducing the complexity of monitoring controls for end users, leveraging expert skills and competencies in central support teams

• Establishing effective and efficient controls implemented as end-to-end monitoring processes

• Supporting the effective and efficient processes of assessing controls according to SOX 404 requirements.

Solution Selection

The company was looking for a solution to address the business issues. The main drivers for selecting the Approva BizRights solution were:

• Flexibility in the reporting structure and design of rules used for controls

• Support for multiple types of controls (i.e. monitoring of restricted access controls, configuration controls, master data controls and transactional controls)

• Performance on large SAP instances supporting multi-national operations.

Implementation

The global and cross-regional implementation was achieved within two years, excluding the initial selection and evaluation process. The core team consisted of about ten members and was extended with additional specialists during development phases, in addition to temporary involvement of end-users. Business ownership was ensured by the internal controls function.

Process and access control monitoring supported by Approva BizRights

Global Fortune 500 Company


Overall, the project objectives have been achieved and initial benefits were realised during the initial year after roll-out. The complexity arising from the cross-functional scope of the project was underestimated in certain aspects. In order to fully realise the benefits, additional efforts were required to consolidate technical and functional processes.

Solution Scope

The overall control framework implemented with the solution follows a top-down approach based on three tiers: a global template, which serves as the basis for regional templates. Local controls are then defined based on regional templates.

The solution covers monitoring of access controls, privileged access activities, and an initial set of process controls, including configurable controls, controls around master data and business transactions. Beyond monitoring, the project deliverables included control design, exception reporting, and tracking corrective actions.

In the area of access controls, the solution is used to monitor access to sensitive transactions, identify and correct conflicts in segregation of duties (SOD), as well as to perform preventative SOD checks in the access provisioning process.

Process controls are implemented in the following areas: IT general controls and privileged access activity, finance, fixed assets, purchasing, production inventory, receivables, treasury, and payroll.

As part of the end-to-end process, the solution also supports the retention of standardised control evidence in a document repository implemented via Microsoft SharePoint.

The scope of the solution covers around 700 users, comprising business and information system control owners as well as internal and external auditors across multiple markets.

Maintenance and support of the solution is ensured via a strongly centralised model including functional and technical support.

Benefits

The company realised benefits in multiple areas after the implementation of the solution:

• Improved enforcement of corporate standards across regions and markets

• Enhanced consistency of controls including small affiliates with limited skills and resources

• Increased transparency of controls via a defined top-down framework

• Reduced complexity in performing local controls, better leverage of expert skills in central teams

• Reduced effort for assessment of controls by internal and external auditors.

Next Steps

Future project phases will enhance the coverage of process controls and introduce advanced fraud detection methods. In addition, the current solutions are planned to be extended to additional risk areas, such as operational or compliance controls.

The company is now able to effectively and efficiently monitor and assess controls across the group.


This article is based on an interview with the Group Compliance Officer ICS of Kuoni Travel Holding AG.**

Company
Name: Kuoni Travel Holding AG
Industry: travel and tourism
Headquarters: Zurich, Switzerland
Business activity: leisure travel and destination management businesses in over 40 countries
Employees: 9,070 (in 2009)
Revenues: CHF 3,894 million (in 2009)

Solution
Name: SAP GRC Process Control
Vendor: SAP AG
Version: 3.0

Business benefit: Efficient monitoring of internal controls and management of internal control documentation.

Managing ICS supported by SAP GRC Process Control

Kuoni Travel Holding AG

Business Issue

After having created an internal control system (in compliance with Swiss legislation as of 2008), Kuoni faced two interesting challenges related to compliance:

1. Many processes and related documentation changed regularly. These documents were maintained in Excel/PowerPoint and required a significant investment to update and an audit trail could not be maintained.

2. Many of Kuoni’s controls are manual and the business is required to perform them regularly, but timely monitoring of control execution was not possible.

Kuoni uses Microsoft Dynamics as its core ERP system.

Solution Selection

Kuoni Group began a search for an automated solution to help manage the issues mentioned above. A vendor search was conducted that included ten vendors. Kuoni selected SAP GRC Process Controls for the following reasons:

• Functionality: Standard functionality could be used to load control information from Kuoni’s control documentation in Excel into the tool.

• User Friendliness: Users worldwide must be able to use the tool to update control documentation and upload control evidence. According to the interviewee, the tool was easy to use for the business.

• Cost considerations.

Solution Scope

The project to improve the visibility and tracking of manual control testing lasted six months. This project included the implementation of SAP GRC Process Controls and all training associated with the new tool and procedures. The project was supported by Kuoni IT and an external consultant knowledgeable in SAP GRC Process Controls. During the first three months efforts were focused on getting the system configured and the ICS documents uploaded into the tool. Once this was completed, the remaining three months were focused on the roll-out and the training of staff involved in compliance throughout the world.

Kuoni found that there are many different features of the process control tool that can be implemented. These features range from the testing and reporting of automated controls/configuration to management’s signoff of the internal control system. At Kuoni, the scope of implementation was limited to only uploading internal control system documentation from each country and setting up testing procedures and issue resolution within the tool.

SAP GRC Process Controls works for Kuoni by sending automated emails, based on control frequency, to “control performers” at each site. These control performers will log into the tool, upload the control evidence into process controls, marking the control execution complete. At Kuoni, the Group Compliance Officer ICS is responsible for the ICS and all testing/resolution. Any exceptions found during testing automatically generate an issue, which is assigned and resolved utilising workflow functionality. Four times a year, the Group Compliance Officer ICS reports to the audit committee on the status of the internal control system, noting any exceptions that are significant deficiencies or material weaknesses.

Implementation

Kuoni noted two main challenges during the implementation that still remain today. The first is the lack of qualified consultants in the Swiss market that have experience with SAP GRC Process Control. The SAP GRC Process Control tool is still growing in the Swiss market and there are only few people with the experience needed to facilitate speedy and efficient implementation. The second challenge is the dependency on internal IT support caused by the process controls tool at Kuoni. According to the Group Compliance Officer ICS, the purchase of the process controls tool should be driven by the business, but it is important to plan for necessary IT resources to ensure continuous long-term technical support can be provided for the tool.

Benefits and Next Steps

The process control tool is implemented and operating over entities that cover 75% of Kuoni’s total revenue. Each year, scoping is done to ensure that at least 75% of revenue is covered by the internal control system. It is planned to raise the total percentage of entities covered by continuing to implement the process control tool at other sites. There are no plans to utilise the tool’s additional functionality related to automated control testing at this time.

The overall impression Kuoni has of the SAP GRC Process Controls tool is positive. The Group Compliance Officer ICS concludes that SAP GRC has greatly streamlined the implementation and testing of Kuoni’s internal control system.

Kuoni improved the visibility and tracking of manual control testing.


This article is based on an interview with the Senior Vice President Audits & Compliance, the Head of Accounting and a staff member of the Accounting department of Pilatus Aircraft Ltd.*

Company
Name: Pilatus Aircraft Ltd.
Industry: aircraft manufacturing
Headquarters: Stans, Switzerland
Business activity: global, subsidiaries in Australia and the USA
Employees: 1,400 (Group)
Revenues: CHF 688m (Group)

Solution
Name: Mesaforte
Vendor: Wikima4 AG
Version: 2.1
Modules: Standard, Role Mining

Business benefit: SAP role design supports segregation of duties requirements.

Business Issue

During the implementation of the internal control system to comply with Swiss legislation as of 2008, Pilatus found the quality of SAP ERP access controls to be critical for successful application of segregation of duties in, and between, core processes. Pilatus anticipated the project would require considerable effort to bring SAP access rights to the aspired level of quality, as management had previously not focused on this area. The company also considered it a necessity to have an automated tool to monitor access rights.

Solution Selection

Out of several SAP access rights monitoring tools, Pilatus selected Wikima4’s Mesaforte for the following reasons:

• Ease of use of the software

• Relatively low license fee and implementation costs

• Geographical proximity of the software vendor.

Implementation

The project to improve SAP access rights for approximately 500 users of SAP ERP and implement Mesaforte to monitor the quality of these access rights took a year and a half. The effort during this time consisted of 0.2 FTE adapting and cleaning up the access rights in SAP and a weekly 2 to 4 hour workshop, e.g., for role definition and selection of applicable segregation of duties rules. Of the total time spent, 90% was dedicated to cleaning up and adapting access rights in SAP (‘get clean’) and 10% to the implementation of Mesaforte. Due to the old profile-based access right set-up, users had accumulated access to too many SAP transactions, which needed to be removed. Pilatus defined new ‘conflict-free’ roles and combined these into ‘conflict-free’ combinations of roles to replace the profiles.

Thanks to the available SAP competencies, Pilatus was able to handle most of the project with internal resources. Wikima4 provided Mesaforte training, supported the installation of the tool and contributed input on the standard rule set during weekly workshops. An external consultant with extensive knowledge of the Pilatus business processes supported the development of roles and required segregation of duties, and managed the clean up activities. The project was more challenging than initially anticipated as a first assessment of the SAP access rights revealed 20,000 segregation of duties conflicts. In addition, a significant number of exceptions were discovered close to the end of the project (after a Mesaforte upgrade, which enabled access rights review at object-level) and required resolution.


Solution Scope
Mesaforte was implemented at Pilatus to monitor segregation of duties conflicts, critical transactions and profile parameters in business processes such as Procure to Pay and Order to Cash, as well as in IT processes related to IT general controls. In total, some 120 risk areas were monitored, exclusively with Mesaforte standard rules: Pilatus selected the applicable rules from the standard rule set and did not customise additional rules.

Mesaforte is used at Pilatus to monitor the SAP access rights in production on a daily basis. New roles are assessed for segregation of duties compliance in the test system by the SAP access rights administrator in the Commercial IT department. All identified conflicts are handled by an officer in Accounting, outside the IT department. Conflicting roles are not moved into production unless a compensating measure is in place and approved by the compliance officer. Both the compensating measure and the formal approval are documented with the reported conflict in Mesaforte and supported through a justification dialogue.

Mesaforte updates an SAP controls management cockpit on a daily basis. In this cockpit, the current status regarding segregation of duties conflicts, unexpected values in profile parameters and security incidents (e.g., repeated failed log-in attempts by specific users) is graphically summarised as a dashboard. The cockpit has drill-down functionality for further analysis. For each monitored item, the applicable rule, the actual value and the expected value are displayed. In addition, an access rights change log is available for audit purposes.

System administration of Mesaforte requires only minimal effort from Pilatus. Upgrades are provided through FTP and are installed in 2 to 4 hours.

Benefits
Pilatus is satisfied with the Mesaforte software. The primary benefits gained from the use of the tool are:

• increased transparency over complex SAP access rights, supported by an easily understandable cockpit,

• reduced effort to ensure compliance with required segregation of duties,

• increased fraud mitigation by “putting a bolt on the doors”.

Next Steps
Pilatus is considering the following next steps:

• increasing efficiency in SAP user and access rights management through automated user and access rights provisioning, to be enabled by SAP identity management in connection with the rule set in Mesaforte,

• automating more compensating controls directly in SAP. Pilatus has already programmed some analyses in SAP to monitor risks in order management and in customer data.

Pilatus Aircraft monitors access rights, profile parameters and security incidents on a daily basis.


SAP system auditing supported by Security Weaver Access & Process Control

Serco Group plc

This article is based on an interview with the Functional Lead for Controls, Security & Identity Management and a Controls, Security & Identity Management Consultant of Serco Group plc.*

Company
Name: Serco Group plc
Industry: international service company
Headquarters: Hook, England
Business activity: services to government and private clients in over 30 countries
Employees: 70,000
Revenues: GBP 4.3 billion

Solution
Name: Security Weaver
Vendor: Security Weaver
Version: 2.1
Modules: Separation Enforcer (SE), Emergency Repair (ER), Secure Enterprise (EN), Process Auditor (PA)

Business benefit: Efficient management and auditing of SAP access security.

Business Issue
Serco's GRC project was initiated after an internal campaign. All parties involved recognised the need for a more robust and formalised internal control system. A tool to automate the management of these controls was quickly raised as a key requirement.

Solution Selection
In 2008, a decision was made and a budget allocated to the CIO for a company-wide security project including identity management, data security and encryption, and Governance, Risk and Compliance (GRC). One of Serco's core systems is SAP, with approximately 8,000 users. Serco reviewed the available GRC solutions and narrowed the selection to three leading candidates. A series of vendor presentations, workshops and meetings formed a detailed selection process from which Security Weaver emerged as the best fit for Serco. After a successful proof of concept and a strong case to senior management, the decision was made. Serco selected Security Weaver using the following criteria:

• Ease of use: familiar navigation from a technical and end user perspective (including ease of implementation).

• Performance: measured on the speed of the application running real-time analyses with limited impact on the IT systems.

• Total cost of ownership: including licenses, hardware, installation, training, implementation, operation, support, maintenance, disaster recovery and back-up costs.

• Strategic: alignment with Serco’s strategy, business requirements and existing partnerships.

• Risk profile: including assessments of vendor viability, product maturity and customer base.

• Integration: with Identity Management, HCM and non-SAP applications.

• Flexibility: adjustable to Serco’s structure, systems and general requirements.

• Scalability: to cope with high volumes of data and ease of upgrading.

• Functionality: to facilitate the process to i) get clean ii) stay clean iii) stay in control.

The key success factors for Security Weaver at Serco were the simplicity of the tool (and its deployment), the relatively low TCO, the familiarity of the technical platform (SAP ABAP), the flexibility of Security Weaver to accommodate requirements, 24-hour support and virtually unlimited reporting potential, as the tables used are fully transparent.

Implementation
The GRC system went live in July 2010 with Separation Enforcer, only two weeks after the transports were provided following final contract signing. The decision was made to start with the standard segregation of duties (SoD) ruleset, as Serco's SAP implementation was practical, and to add transactions, functions and rules as required. Also, instead of deactivating some of the non-applicable standard rules, Serco chose to implement global mitigating controls, on the rationale that if a SoD function or transaction was not applicable at Serco (at the time), no user should have roles providing such access. If these functions were subsequently made available through an enhancement to the system, the rules would automatically pick them up.
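The mechanics that the Pilatus and Serco case studies describe, evaluating a user's combined roles against a rule set of conflicting functions, recording an approved compensating measure against a reported conflict, checking a new role assignment before it reaches production, and Serco's choice to keep rules for unused functions active behind a global mitigating control rather than deactivating them, can be shown in a few dozen lines. The following is an added Python example written for this edition; it is not code from Mesaforte, Security Weaver or Oracle GRC, and every role, transaction code, rule, user and mitigation in it is constructed for illustration (the transaction codes look like SAP ones, but what each role grants is invented).

```python
"""Rule-based segregation-of-duties (SoD) evaluation over a role/transaction model.

Added illustration for this white paper, not code from Mesaforte, Security Weaver
or Oracle GRC. Roles, tcodes, users, rules and mitigations are constructed.
"""

# Constructed: role -> transaction codes (tcodes) it grants.
ROLES = {
    "AP_INVOICE_ENTRY": {"FB60", "MIRO"},
    "AP_PAYMENT_RUN": {"F110"},
    "VENDOR_MASTER": {"XK01", "XK02"},
    "SD_ORDER_ENTRY": {"VA01", "VA02"},
    "SD_BILLING": {"VF01"},
}

# Constructed: business function -> tcodes that perform it.
FUNCTIONS = {
    "maintain_vendor": {"XK01", "XK02"},
    "post_vendor_invoice": {"FB60", "MIRO"},
    "run_payments": {"F110"},
    "enter_sales_order": {"VA01", "VA02"},
    "bill_customer": {"VF01"},
    "treasury_deal": {"FTR_CREATE"},  # module not in use: no role above grants it
}

# Constructed rule set: two functions one person must not hold together.
RULES = {
    "P2P-01": ("maintain_vendor", "post_vendor_invoice"),
    "P2P-02": ("maintain_vendor", "run_payments"),
    "P2P-03": ("post_vendor_invoice", "run_payments"),
    "O2C-01": ("enter_sales_order", "bill_customer"),
    "TRM-01": ("treasury_deal", "run_payments"),
}

# Constructed mitigations: (user or "*", rule id) -> approved compensating measure.
# A "*" entry with "unused_function" is a global mitigation of the kind Serco
# describes: the rule stays active, and the mitigation is honoured only while no
# role actually grants that function.
MITIGATIONS = {
    ("*", "TRM-01"): {"control": "treasury module not in use",
                      "unused_function": "treasury_deal", "approved_by": "compliance officer"},
    ("u_bob", "O2C-01"): {"control": "monthly order-vs-billing review by sales controller",
                          "approved_by": "compliance officer"},
}

def _functions_held(tcodes):
    """Map each function touched by tcodes to the tcodes that touch it."""
    return {f: fset & tcodes for f, fset in FUNCTIONS.items() if fset & tcodes}

def _status(user, rule_id, roles):
    """'open', 'mitigated', or 'mitigation_void' when a 'not in use' claim no longer holds."""
    m = MITIGATIONS.get((user, rule_id)) or MITIGATIONS.get(("*", rule_id))
    if m is None:
        return "open"
    unused = m.get("unused_function")
    if unused and any(grants & FUNCTIONS[unused] for grants in roles.values()):
        return "mitigation_void"
    return "mitigated"

def evaluate(user, role_names, roles=ROLES):
    """Detective check of a user's complete role set against RULES.

    Conflicts are judged on the union of all roles, so two roles that are each
    conflict-free are still reported when their combination conflicts.
    """
    tcodes = set().union(*(roles[r] for r in role_names))
    held = _functions_held(tcodes)
    findings = []
    for rule_id, (f1, f2) in RULES.items():
        if f1 in held and f2 in held:
            involved = held[f1] | held[f2]
            findings.append({
                "user": user, "rule": rule_id, "tcodes": sorted(involved),
                "via_roles": sorted(r for r in role_names if roles[r] & involved),
                "status": _status(user, rule_id, roles),
            })
    return findings

def check_assignment(user, current_roles, new_role, roles=ROLES):
    """Preventive check before provisioning: only the conflicts new_role introduces."""
    already = {f["rule"] for f in evaluate(user, current_roles, roles)}
    after = evaluate(user, list(current_roles) + [new_role], roles)
    return [f for f in after if f["rule"] not in already]

def daily_report(users, roles=ROLES):
    """Cockpit-style summary: findings per user plus the number not covered by a mitigation."""
    findings = {u: evaluate(u, r, roles) for u, r in users.items()}
    unmitigated = sum(f["status"] != "mitigated" for fs in findings.values() for f in fs)
    return {"findings": findings, "open": unmitigated}

# Constructed user population.
USERS = {
    "u_alice": ["AP_INVOICE_ENTRY", "AP_PAYMENT_RUN"],  # invoice + payment: open conflict
    "u_bob": ["SD_ORDER_ENTRY", "SD_BILLING"],          # order + billing: mitigated
    "u_carol": ["VENDOR_MASTER"],                       # clean
}

if __name__ == "__main__":
    report = daily_report(USERS)
    for user, fs in report["findings"].items():
        for f in fs:
            print(f"{user}: {f['rule']} via {f['via_roles']} [{f['status']}]")
    print("open conflicts:", report["open"])
    print("adding AP_PAYMENT_RUN to u_carol would raise:",
          [f["rule"] for f in check_assignment("u_carol", USERS["u_carol"], "AP_PAYMENT_RUN")])
```

Two design points matter here. `evaluate` judges conflicts on the union of a user's roles, which is why Pilatus had to build conflict-free combinations of roles and not just conflict-free roles. And the global mitigation is re-validated on every run: the moment a role granting the treasury function appears, the TRM-01 finding turns `mitigation_void` instead of silently staying green, which is the behaviour Serco relied on when it kept the non-applicable rules active.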

The treasury management module of SAP was one of the pilots for Separation Enforcer, for which no standard ruleset existed. Serco re-used the segregation of duties matrices developed in plain English by the business, and the IT group translated them into the technical language of Security Weaver. Serco noted that its internal and external auditors were impressed by the speed and quality of this implementation. The success of this pilot provided the platform for extending the SoD work to cover the other business processes.

Serco had originally planned for Security Weaver to fly over a small implementation team to set up the modules and deliver training. However, being an SAP competency centre, Serco was able to complete the installation and configuration internally, using a consultant from its off-shore support partner with some help from a member of the Serco CSI (Controls, Security & Identity Management) team. Security Weaver supported this approach with regular WebEx sessions (from San Diego) to validate the set-up and assist where required. To quote Serco, "the biggest surprise was to realise that the implementation was actually quicker than what was mentioned in the marketing material".

The number of significant segregation of duties conflicts raised by the tool was limited (fewer than 1,000), and the remediation activity has been addressed as part of the business-as-usual activities of the SAP CSI team. The business users are key stakeholders and are responsible for running the reports on a regular basis and requesting remediation actions as needed.

Solution Scope
Today Serco runs Separation Enforcer and Emergency Repair fully, with some limited use of Secure Enterprise and Process Auditor. The next steps are to leverage the Secure Enterprise module to interrogate more non-SAP systems and manage cross-system SoD controls, and to expand the use of the Process Auditor module to address business process controls. The SAP team is working with the business to plan and execute the controls roadmap. The ultimate objective for Serco is to ensure that Management and Internal Audit can fully rely on Security Weaver to control the daily business activities.

Benefits
The project improved the visibility and tracking of all control testing. It supports the audit work and provides additional oversight (and comfort) to management. It also brought better efficiency and control around exceptional access management as well as validation of access levels. One bonus benefit, which had not been envisaged, was an unpublicised module (Role Deriver) that transformed the mass maintenance of complex roles (a particular challenge with Serco's organisational structure); this was one of the surprising wins, reducing a 4 hour build to 30 minutes. The next steps of the project are to open up new areas where the tools will be used to streamline and improve business processes with Process Auditor.

Next steps
Serco is very positive about the project and its experience, and is confident that Security Weaver was a good choice. The fact that there have been no significant challenges in implementing and rolling out the tool so far is a clear indication, and an incentive, for Serco to expand its use of the tool to non-SAP systems and to widen the scope by implementing other modules to fully leverage the potential.

Serco business users are responsible for monitoring access rights and requesting remediation actions.

This article is based on an interview with Oracle GRC project team members at the company.**

Company
Name: UK Defence Contractor
Industry: public services
Headquarters: Aldermaston, UK

Solution
Name: Oracle GRC
Vendor: Oracle
Version: 7.3
Modules: Application Access Controls Governor (AACG), Preventive Controls Governor (PCG) 7.3

Business benefit: Segregation of duties issues resolved and preventative automated controls implemented.

Business Issue
A UK Defence Contractor had implemented a number of manual compensating controls in its business processes to address risks resulting from segregation of duties issues noted during internal and external audits.

They were looking for solutions to replace the manual compensating controls, enable the implementation of preventative automated controls and to remove segregation of duties (SoD) conflicts.

Solution Selection
Whilst some of the goals could be addressed by introducing Form Personalisations and custom code, the company's general policy is not to introduce customisations into its Oracle E-Business Suite (EBS) R11 implementation.

For the company, Form Personalisations implemented through GRC were a faster process and offered additional functionality. GRC also appeared beneficial for upgrades, as the Personalisations can be transferred easily with only minor adjustments. However, there were disadvantages to consider, as normal Form Personalisations have a greater degree of flexibility. Overall, the company considered GRC easier to use.

Oracle GRC provided the company with a tool to implement input validation (form rules) and workflow-based controls (flow rules) to further support the access controls provided through Application Access Controls Governor (AACG). The company selected Oracle GRC for the following reasons:

• Proven, robust access control functionality

• Support of future Oracle EBS releases

• Fully supported by the vendor Oracle

• Existing strategic partnership with Oracle

Solution Scope
Application Access Controls Governor and Preventive Controls Governor were implemented to manage access rights and to automate controls.

As part of the project, 28 access policies and 14 form or flow rules were implemented.

Access policies are currently used in monitor mode, i.e., access is reviewed manually and periodically to detect issues. Once the solution is upgraded, preventative mode will be enabled, enforcing access policies during the provisioning process and eliminating the manual monitoring.

Implementation
The initial focus of the project was the identification of access rules and preventative controls to address the risks currently mitigated by manual controls. This identification was performed through workshops.

Access security supported by Oracle GRC

UK Defence Contractor

Based on the identified SoD rules, which were specifically built as part of the project and not based on a standard rule set, a conflict analysis was run. It resulted in a number of conflicts, which were remediated during the course of the project and reduced to a manageable number.

As part of the preventative controls component of the project, approximately 40 controls were identified and prioritised. Some were implemented during the initial phase of the project; others have been developed and implemented post go-live by the internal company team, who were trained to use the software during the project. A number of form rules identified in the workshops could not be developed using PCG, as the tool is not yet compatible with HTML forms. Alternatives using flow rules were developed for some of these; however, some remain outstanding. Oracle is currently developing the technology to make PCG compatible with these forms.

The overall project length was seven months, which included four months from inception to go-live and three months of post go-live support.

The project staff included the following company resources and roles:

• Project steering committee with business process owners for finance, HR and procure to pay and the head of architecture (two hours per month/three sessions)

• Project manager (2 days per week)

• Apps DBA (1 day per week )

• Functional consultants (workshops and four day GRC training course, one consultant full time throughout the project)

• Business users to attend workshops at the start of the project; four half day workshops.

The following external consulting resources were involved:

• One project manager (part time)

• Two functional consultants (full time)

• One technical consultant (part time)

• One training consultant (part time)

In addition, internal audit was involved throughout the project. They provided sign off that the policies and rules implemented addressed a number of control risks identified during their audits.

Benefits
The company felt that both strategic objectives, eliminating manual compensating controls and resolving SoD conflicts, were achieved by the project.

They also described additional benefits with some of the implemented rules; the user provisioning rules, for example, resulted in a 40% reduction in the system administration effort.

Next Steps
The company is considering implementing additional GRC modules and functionality to realise additional benefits.

As mentioned above, when PCG is upgraded to version 7.3.1 it is planned to enable preventative mode to enforce SoD rules during provisioning, eliminating the current periodic detective review of access.

The company is also considering the functional advantages of Enterprise Transactions Controls Governor (ETCG) and Configuration Controls Governor (CCG). It sees potential benefit in CCG's ability to streamline the configuration controls process. This would allow it to retire the BR100 documents (Business Requirements Mapping/Applications Setup Definition), which are considered a complex set of documents to maintain.

The company replaced manual controls and reduced system administration efforts.


White paper
Making Sense of Internal Control
How technology is used in practice to implement a control vision: seven examples

Published by PricewaterhouseCoopers AG

Sponsor: Jürgen Müller
Partner-in-charge: Paul de Jong
Managing editor: Robert Schiffner
Editors: Paul de Jong, Antoine Wüthrich, Raymond Mastre, Robert Schiffner, Stefan Schäuble

Acknowledgments
We thank all the contributing organisations for their great support.

Reviewers: Aaron Werth, Joe Walsh, Jürgen Müller
Special thanks to: Jonathan Bolton, Sandra Scheffmann

Observations
The seven examples in this paper show the broad diversity of existing control solutions. Through our interviews, we found the following common denominators, which we offer as key take-aways:

• The need to manage and optimise automated controls is a key driver for investing in control solutions.

• Most companies start by implementing control solutions for a specific business issue and attempt to realise benefits before implementing additional functionality. Considering the average effort required to implement control solutions, this appears to be a sensible approach.

• The implementation of control solutions is a business challenge rather than an IT challenge. The effort for the technical implementation of a solution is small compared to the effort of designing and implementing change at the organisational level (including the definition of roles and responsibilities) and at the process level (e.g., defining business rules, remediating processes, controls and security issues).

• Companies should involve people with a strong understanding of governance and compliance requirements, business and IT processes, systems, and what specific control solutions can and cannot do.

• All companies report clear business benefits from using control solutions and plan to expand their use into other functional areas.

If you would like to get a more detailed understanding of control solutions and how they are relevant to your business, we are ready to share our experience and insights with you in person.

Contacts
For a deeper conversation about this topic and how it may affect your business, please contact:

Jürgen Müller
Partner, Risk Assurance Leader Switzerland
+41 58 792 81 41
[email protected]

Paul de Jong
Partner, Risk Assurance
+41 58 792 76 58
[email protected]

* The experiences and opinions expressed in this article are solely the view of the interviewees and do not represent an endorsement or evaluation of the solution by PwC. PwC was not involved in the implementation of any financial information or control system.

** The experiences and opinions expressed in this article are solely the view of the interviewees and do not represent an endorsement or evaluation of the solution by PwC.