EZ-Process - InforLN.com ERP

Contact Information
•Dan Aldridge CEO Performa Apps
•e-mail dan.aldridge@i-app.com
•website www.inforln.com/wp
•linkedin Dan Aldridge
•twitter @Danaldridge1
Agenda
• Introduction DynaFlow
• Governance Risk & Compliance / Enterprise Risk Management
• Segregation of Duties for Baan / LN
• Impact on ERP implementation
• Contact details:
Aart de Glint
adeglint@dynaflow-solutions.com
Phone +31 318 479712
Mobile +31 654 392046
DynaFlow Profile
• Main Facts:
  - Established in 1997
  - Private company, HQ in Canada
  - Partners in USA, France, Netherlands, Norway, India, Thailand and Australia
• Main mission:
  - To enable global companies to become “Simply in Control” by proactively managing enterprise risks, demonstrating compliance and automating and optimizing business processes.
  - Dedicated to providing its clients a fast ROI through a short and structured implementation
• Professional Services:
  - Implementation and Training
  - Compliance & Audit Support
  - Process Optimization
  - Solution Hosting Services
DynaFlow: Makes it EZ for...
Cooking the Books
Mr. Ebbers (WorldCom), Mr. Lay (Enron), Mr. Kozlowski (Tyco)
http://www.cbsnews.com/video/watch/?id=859384n
Regulation - The Hot Potato
Loi sur La Sécurité Financière (LSF), SAS-70, C-SOX, SOX, IFRS, ‘Euro-SOX’, Code Lippens, 21 CFR Part 11, Basel-II, BilMoG, Code Tabaksblat, 8th EU Directive, Clinger Cohen, J-SOX
Governance, Risk Management & Compliance
• Governance describes the overall management approach through which senior executives direct and control the entire organization, using a combination of management information and hierarchical management control structures. Governance activities ensure that critical management information reaching the executive team is sufficiently complete, accurate and timely to enable appropriate management decision making, and provide the control mechanisms to ensure that strategies, directions and instructions from management are carried out systematically and effectively.
• Risk management is the set of processes through which management identifies, analyzes, and, where necessary, responds appropriately to risks that might adversely affect realization of the organization's business objectives. The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, accepting or transferring them to a third party. Whereas organizations routinely manage a wide range of risks (e.g. technological risks, commercial/financial risks, information security risks etc.), external legal and regulatory compliance risks are arguably the key issue in GRC.
• Compliance means conforming with stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined for example in laws, regulations, contracts, strategies and policies), assess the state of compliance, assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions deemed necessary.
GRC/ERM Support at all levels (diagram: levels of the GRC model, Strategical / Tactical / Operational, with Review and Test activities, across Purchasing, Warehouse Management, Manufacturing and Sales & Distribution)
• Policy; Enterprise Risk Management (Strategic); Integrated Compliance Frameworks; Consolidated Dashboards (Control Statements)
• Procedures; Process Risk Analysis (Tactical); Process & Internal Control Design & Maintenance; Review (workflow)
• Monitoring Efficiency of Internal Controls; Embedded testing & test evidence; Document Management System; KPI/”In Control” reports
Continuous monitoring as part of normal business process
Compliance – Why is this important
• Regulation
• Corporate & Executive Responsibility & Liability
• Fear of Reputation Damage
• Tightened Credit Lines
• Premium Insurance Fees
• Policy Interpretation
• Implementation Cost
• Overhead
• Audit Cost
From Regulation to Compliance (diagram)
Regulations (SOX, HIPAA, COSO-II, BASEL II, COBIT, ...) → Implementation Framework (Business Risks, ERM; Business Controls: information delivery, resource access and use, risk mitigation, ...) → Policy & Procedure Implementation (establish, document, test; applied to People, Processes, Technology, Facilities, Data) → Evidence Collection and Audit → Demonstration of Compliance
SOX Section 404 – Internal Control
Assessment of internal control
“The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting (ICFR). This is the most costly aspect of the legislation for companies to implement, as documenting and testing important financial manual and automated controls requires enormous effort.”
http://www.heritage.org/CDA/upload/SOX-CDA-edited-3.pdf
SOX Internal Control Requirements
1. Documentation
  - Detailed process description
  - Process flowchart (preferable)
  - Business Risk Assessments
  - Risk Control Matrix (RCM)
2. Testing
  - Annual walkthrough of each process
  - Testing of key controls
3. Periodic Reviews
  - Review of process steps and controls
  - Updating of all documentation
4. Annual External IC Audit
  - Essentially an external validation that yes, you did 1 through 3 above. The auditor would use a predefined “checklist”.
Risk / Control Matrix (sample rows; the column alignment between risks, controls and assertions was lost in extraction, so each column is listed separately)
Risks:
• R007: What ensures that purchases are recorded into the proper accounting period?
• R011: What ensures that invoice prices, quantities and other valuation information is correct?
• R042: What ensures that duplicate and/or fictitious purchases are not recorded?
• R075: What ensures that perpetual inventory records reflect proper quantities and amounts?
• R079: What ensures that perpetual-to-physical inventory adjustments are correctly calculated and recorded?
• R093: What ensures that inventory counts, compilations and descriptions are accurate?
Auditor Assertion column (in the order extracted): Completeness; Completeness, E/O, M/V; Existence/Occurrence; Existence/Occurrence; Completeness, Measurement/Valuation; Measurement/Valuation
Controls (ids ACP-C01, ACP-C04, ACP-C16, PUR-C11, INV-C18):
• Cycle counts that result in a difference from perpetual quantity outside limits set by company policy are reviewed; items with a variance deemed to be material are recounted.
• All purchase orders and non-PO invoices are reviewed, and are authorized in accordance with company policy, including ledger account coding.
• For production invoices, invoices can only be entered into the system for automatic matching if a valid PO and receipt are already in the system. The system populates the invoice price and due date information from the PO.
• All unmatched PO invoices are forwarded to purchasing for followup.
• All non-PO invoices received at month end are entered into the system within 3 days of month-end to ensure proper inclusion in Accounts Payable.
Control type column: PC or DC per control
PC = Preventive Control
DC = Detective Control
Enterprise Risk Management (ERM/GRC)
The key pains & challenges:
• Extra burden “on top” of running the company
• Draining resources from critical projects
• Absence of clear and documented guidelines
• Absence of automation
• Cannot be postponed (scheduled audits)
• Cost (with NO tangible ROI)
The proposed approach & resolution:
• Leverage pre-defined knowledge via libraries
• Avoid multiple partial systems (and integration burden)
• Automate tedious and large-volume tasks as much as possible
How DynaFlow supports ERM/GRC
• Business Risks & Business Controls Library
  - 2,500+ pre-defined Controls, Risks and relationships
  - Certified Best Practices / Benchmark
  - For all regional & industry specific regulations (SOX, Basel-II, L262, FDA, HIPAA, IFRS, ISO, etc…)
  - To address all auditing/auditors requirements
• Automated Business Control Execution
  - Testing Schedules with automated notification & testing
  - Real-time monitoring & alerts for testers and Mgmt
  - Evidence Collection & audit trail
• Dynamic Risk and Business Control Monitoring
• Key Performance & Risks Indicators Dashboard (+ mobile)
• Audit Support
• Combination of Solution, Libraries and Services
Segregation of Duties (SoD)
The key pains & challenges:
• Now a Critical Business Control for ALL organizations
• Involves a large volume of data (i.e. typical = 200,000+ authorizations in Baan alone)
• Needs to be done across Systems (ERP) and for ALL access types
• Is a recurring process due to constant changes
The proposed approach & resolution:
• Automation, automation and automation!
Cross-Applications ERM & SoD (diagram)
• Business Processes & Controls Integration / Compliance Mgmt: Business Risks, Business Controls, Process Diagram, Documents, Document Mgmt
• SoD Mgmt: SoD Conflict Rules, SoD Business Conflicts, Conflict Resolution
• Access Mgmt: Employees, User Roles, Applications
• EZ-Compliance SoD Scan across applications (Mapics, Hyperion, BPCS, …), physical and network access (Network Access, Facility Access, Security Badges, …) and other systems (Mapics, Ceridian, …)
• Master SoD Matrix
Over 400+ SoD “zones” to be validated
The LN / Baan SoD Rules Library
• Introduced in 2005
• Required 2 years of initial development, and is updated regularly
• Content and design validated by CFOs, Controllers, SOX Senior Consultants, Baan Specialists, etc...
• Covers all Baan versions (Triton, Baan IV, ERP-5, LN)
• Compliant with Baan Tools and DEM authorizations
• Verifies 22,000+ Baan session combinations for SoD violations (with violation rating) to validate 400+ SoD sensitive “zones”
• Auditors such as E&Y, KPMG, D&T, PWC, Grant Thornton validated the Baan SoD Rules completeness and accuracy by successfully certifying all EZ-Compliance clients to be SoD/SOX compliant.
EZ-Compliance Automated SoD Scan (diagram of the three scan stages)
(1) Access Scan: imports Employees (from LDAP), Roles (from DEM) and ERP authorizations from corp-wide Applications, producing the Employee / Applications Access List.
(2) Conflict Scan: matches the access list against the SoD Conflict Rules (SoD Library, Oracle), producing the SOX – SoD Conflicts List.
(3) Resolution Scan: applies SoD Resolution Rules, Business Controls / Mitigation Controls, Business Processes (imported from Visio) and Business Risks, producing the Mitigated Conflicts List.
SoD Conflicting Areas Matrix (screenshot; click to view detailed business functions & conflicts found)
The automated SoD cycle (diagram; runs daily or weekly)
• ERP Import: import of updated authorizations from all Enterprise Applications
• Identification of SoD conflicts & related business risks
• Notification of new conflicts to internal audit team and/or process owners
• Resolution of conflicts with known patterns
• Investigation, resolution and mitigation of SoD risks
Result: 90%+ reduction of effort & cost
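As an added example (not DynaFlow or EZ-Compliance code), the three stages of the automated SoD scan and the cycle above can be written as a small conflict-scan engine: stage 1 flattens user → role → session authorizations into an access list, stage 2 tests every pair of a user's sessions against a conflict-rule library with a violation rating, and stage 3 attaches mitigation controls on file to produce the mitigated-conflicts list. It also includes the preventive "what is the impact if we change …?" check that the page lists under SoD Conflicts Identification, simulating a role grant before it is made. All users, roles, session codes, business functions, rule ids and control ids are constructed sample data, and the session-to-function mapping and the user/rule mitigation format are assumptions of this example, not the product's library format.

```python
"""Toy segregation-of-duties (SoD) conflict scan.

Added example, not DynaFlow/EZ-Compliance code. Stages mirror the slide:
(1) employee -> application access list, (2) scan against a conflict-rule
library, (3) apply mitigation controls -> mitigated conflicts list, plus a
preventive "what if" check for proposed role changes. All names, session
codes, rule ids and control ids are constructed sample data.
"""
from dataclasses import dataclass, replace
from itertools import combinations
from typing import Dict, List, Optional, Set

# (1) Access import. A session is an ERP transaction screen; each is tagged
# with the business function it performs, because SoD rules are written
# against functions rather than individual screens (assumed mapping).
SESSION_FUNCTION: Dict[str, str] = {
    "S-AP-INV-ENTRY": "Enter AP invoices",
    "S-AP-INV-APPROVE": "Approve AP invoices",
    "S-SUPPLIER-MAINT": "Maintain supplier master",
    "S-PAYMENT-RELEASE": "Release payment run",
    "S-WH-RECEIPT": "Record goods receipts",
    "S-INV-COUNT": "Enter cycle counts",
}
ROLE_SESSIONS: Dict[str, Set[str]] = {
    "AP_CLERK": {"S-AP-INV-ENTRY"},
    "AP_SUPERVISOR": {"S-AP-INV-APPROVE", "S-PAYMENT-RELEASE"},
    "PURCHASING": {"S-SUPPLIER-MAINT"},
    "WAREHOUSE": {"S-WH-RECEIPT", "S-INV-COUNT"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK", "AP_SUPERVISOR"},  # enters AND approves invoices
    "bob": {"AP_CLERK", "PURCHASING"},       # enters invoices AND edits suppliers
    "carol": {"WAREHOUSE"},                  # receipts AND cycle counts
}


# (2) Conflict-rule library: pairs of functions one person should not hold,
# each with a violation rating (constructed rules).
@dataclass(frozen=True)
class Rule:
    rule_id: str
    func_a: str
    func_b: str
    rating: str  # "high" or "medium"


RULES: List[Rule] = [
    Rule("SOD-001", "Enter AP invoices", "Approve AP invoices", "high"),
    Rule("SOD-002", "Enter AP invoices", "Maintain supplier master", "high"),
    Rule("SOD-003", "Approve AP invoices", "Release payment run", "medium"),
    Rule("SOD-004", "Record goods receipts", "Enter cycle counts", "medium"),
]

# (3) Mitigation controls on file: user -> {rule_id: control_id}. A control
# covers one user for one rule; it documents a compensating check, it does
# not remove the access (constructed placeholder control id).
MITIGATIONS: Dict[str, Dict[str, str]] = {
    "carol": {"SOD-004": "CTRL-recount-review"},
}


@dataclass(frozen=True)
class Conflict:
    user: str
    rule_id: str
    rating: str
    session_a: str
    session_b: str
    mitigated_by: Optional[str] = None


def access_list(user_roles=USER_ROLES, role_sessions=ROLE_SESSIONS) -> Dict[str, Set[str]]:
    """Stage 1: flatten user -> roles -> sessions into user -> sessions."""
    return {user: set().union(*(role_sessions[r] for r in roles))
            for user, roles in user_roles.items()}


def scan_conflicts(access: Dict[str, Set[str]], rules=RULES) -> List[Conflict]:
    """Stage 2: test every pair of a user's sessions against the rule library."""
    found: List[Conflict] = []
    for user, sessions in access.items():
        for s1, s2 in combinations(sorted(sessions), 2):
            funcs = {SESSION_FUNCTION[s1], SESSION_FUNCTION[s2]}
            for rule in rules:
                if funcs == {rule.func_a, rule.func_b}:
                    found.append(Conflict(user, rule.rule_id, rule.rating, s1, s2))
    return found


def apply_mitigations(conflicts: List[Conflict], mitigations=MITIGATIONS) -> List[Conflict]:
    """Stage 3: attach the mitigating control on file for that user and rule, if any."""
    return [replace(c, mitigated_by=mitigations.get(c.user, {}).get(c.rule_id))
            for c in conflicts]


def open_conflicts(conflicts: List[Conflict]) -> List[Conflict]:
    """Conflicts still needing investigation: no mitigating control attached."""
    return [c for c in conflicts if c.mitigated_by is None]


def simulate_role_change(user: str, new_role: str) -> List[Conflict]:
    """Preventive check: conflicts that granting new_role to user WOULD add."""
    proposed = {u: set(r) for u, r in USER_ROLES.items()}
    proposed.setdefault(user, set()).add(new_role)
    before = {(c.user, c.rule_id) for c in scan_conflicts(access_list())}
    return [c for c in scan_conflicts(access_list(proposed))
            if (c.user, c.rule_id) not in before]


if __name__ == "__main__":
    for c in apply_mitigations(scan_conflicts(access_list())):
        status = f"mitigated by {c.mitigated_by}" if c.mitigated_by else "OPEN"
        print(f"{c.user:6} {c.rule_id} [{c.rating:6}] {c.session_a} + {c.session_b}: {status}")
    for c in simulate_role_change("bob", "AP_SUPERVISOR"):
        print(f"what-if: bob + AP_SUPERVISOR would add {c.rule_id} ({c.rating})")
```

Running the block reports three open conflicts (alice holds entry and approval, alice holds approval and payment release, bob holds entry and supplier maintenance) and one mitigated conflict for carol; the what-if check shows that granting bob the AP_SUPERVISOR role would add two more conflicts before the change is made. Keeping mitigations keyed by user and rule, rather than by rule alone, is what keeps a compensating control from silently covering every user who later acquires the same conflict.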
How DynaFlow supports SoD
• Access/Authorization Mgmt
  - Cross-systems authorizations (who is accessing what?)
  - Periodic Access Reviews
• SoD Conflicts Identification
  - Detective validation (what accesses constitute risks?)
  - Preventive validation (what is the impact if we change …?)
• SoD Conflicts Resolution
  - Automated resolution/mitigation using pattern rules
• SoD Conflicts Monitoring & Alerts
  - Self-generated SoD Matrix with dynamic alerts
  - Key Performance & Risks Indicators Dashboard (+ mobile)
Segregation of Duties (SoD)
What you gain with DynaFlow:
• Cross-ERP Integration (SAP, Oracle, Baan, Mapics, ...)
• Bottled Best Practices:
  - Fully automated Segregation-of-Duties (SoD) Rules
  - Pre-Defined SoD Libraries available for Baan, SAP, Oracle, etc...
  - In line with external auditors to secure successful certification
• Detective and also Preventative
• Fully automated SoD validation
• 90% reduction on implementation cost & effort
• 50% reduction on auditing cost
• 100% Successful SoD Audit
• Simplified insight into all user authorizations
Integrated Cycles (diagram; labels: Define, Capture, Document, Process Knowledge, Optimize, Validate, Objectives, Action, Metrics, Integrate, Structure, Publish, Measure, Monitor, Execute, Analyze, Review, Certify, Control Activity, Regulations (e.g. SOX, ISO, ITAR, AS9100, HIPAA, etc.), Risk Assessment, Route Definition, Control Environment, Automate, Workflow Automation)
DynaFlow Value Proposition (diagram; the same cycle labels plus BPM and Reporting)
DynaFlow Solution Overview (diagram)
• Dashboards: Management Dashboard; Employee Process Dashboard; Modeler and Auditor Dashboard
• Capabilities: Process Optimization & Monitoring; Dynamic KCI & Issues Escalation; Dynamic KPI & BI Analytics; Process & Knowledge Publishing; Business Controls Checks; Automated Alerts & Notifications; Process Modeling; Business Controls Definition; Process Automation Base
• Transaction Systems: Financial (Oracle, etc), ERP (SAP, Baan, Mapics, etc), Office Apps (MS, Email, VPN, etc)
Critical Capabilities Definition ERM & C
Audit Management
Supports internal auditors in planning and scheduling audit-related tasks, time management, managing work papers, risk assessments, control testing, remediation management and reporting.
Risk Management, General
Supports risk management professionals with the documentation, workflow, assessment and analysis, reporting, visualization, and remediation of risks. Analytics are mostly qualitative with a limited loss event analysis capability that is not dependent on stochastic analysis. It does not include stochastic analysis, but it may collect data from stochastic risk analytics tools to provide a consolidated view of enterprise risk management.
Risk Management, Stochastic
Involves stochastic analysis, such as Monte Carlo simulation. Examples include banks that require highly specialized capabilities for Basel II capital calculations and companies that must support project risk assessments of long-term asset investments, such as mining and oil and gas. Only a few EGRC platform vendors directly support these stochastic analysis needs organically or through an OEM partnership.
Compliance Management
Supports compliance professionals with the documentation, workflow, reporting and visualization of control objectives, controls and associated risks, surveys and self-assessments, testing, and remediation. At a minimum, EGRC management not only will include financial reporting compliance (Sarbanes-Oxley compliance), but also can support other types of compliance, such as ISO 9000, Payment Card Industry, industry-specific regulations, service-level agreements, trading partner requirements and compliance with internal policies.
Policy Management
Includes a specialized form of document management that enables the policy life cycle from creation to review, change and archiving of policies; mapping of policies to mandates and business objectives in one direction, and risks and controls in another; and distribution to and attestation by employees and business partners.
GRC Content
Includes many different kinds of content relative to GRC activities. Examples include regulatory analysis and news feeds, standards and frameworks, draft testing and risk assessments, and draft policies.
Business Analytics
Supports the ability to analyze the impact of risks on business objectives, performance and processes.
Source: Gartner, Inc: 30 November 2010/ID Number: G00208665
DynaFlow simplification (diagram; the “From Regulation to Compliance” chain with DynaFlow components overlaid)
Regulations (SOX, HIPAA, BASEL II, COSO-II, COBIT, ......) with Business Risk Libraries and Business Control Libraries → Implementation Framework (Business Risks; Business Controls: information delivery, resource access and use, risk mitigation, ...; Cross-ERP Integration; People & Processes Mapping; Compliance Program Mgmt.; Compliance Change Mgmt.) → Policy & Procedure Implementation (establish, document, test; Compliance Mgmt.; Issue Mgmt.; Web Portal; Document Mgmt.; Access & SoD Mgmt.; Technology, Facilities, Data) → Evidence Collection (Audit Trail; Operational Risk Monitoring; Audit eBook Generation) → Demonstration of Compliance