Managing Risk with Controls Intelligence Solutions Especially in an Economic Downturn
Steve Boyce
VP, Alliances & Business Development
Approva Corporation
Nov 7, 2008
Game Plan
• The role of intelligent business controls in driving performance
• What is Controls Intelligence?
• Best practices for implementing a controls intelligence strategy
• Business benefits of controls monitoring
• Case studies & lessons learned
Key Drivers for GRC Investments
Source: The Governance, Risk Management, and Compliance Spending Report, 2008–2009, AMR Research
11/18/2008 © 2007 Approva Corporation. All rights reserved.
(c) OCEG
A Typical Large Organization Has Hundreds or Thousands of Controls
Business Processes
• OPERATIONAL: Purchasing Must Adhere to Corporate Procurement Policies
• RISK: Third-Party Contractors Should Not Have Access to Proprietary Applications
• COMPLIANCE: An Employee Cannot Backdate a Journal Entry After the End of a Quarter
The Cost of Poor Controls Intelligence
Companies today…
• Most controls are monitored manually.
• Critical controls go untested.
• Control breakdowns are identified long after they occur.
• CFOs sign off on financials with imperfect information.
GE to Adjust Accounting
“…Problems with revenue recognition have cropped up in several GE units.”
NEC Details Major Fraud in Bid to End Probe
“Fake orders resulted in $4 million in kickbacks. Meanwhile, internal investigations continue.”
G.M. Says It Has Found Serious Flaws in Accounting
“…performance was threatened by “ineffective” controls over financial reporting…”
Companies Have Three Main Types of Controls
Operations & Financial Reporting
Transactions, Fraud, Master Data Quality, Business Controls
Access to Applications
Segregation of Duties, Emergency Access, User Provisioning
Configuration of IT Systems & Processes
Change Management, Required Fields, Tolerances and Limits
A Controls Intelligence Strategy Must Address the Entire Lifecycle of Controls
Controls Intelligence Lifecycle
Controls Intelligence System
Approva Provides Controls Intelligence Software that enables you to:
• Optimize Operational Controls
• Automate Compliance
• Reduce Risk & Fraud
Approva’s Risk & Controls Intelligence Platform
Risk Dashboard
Risk Analytics
Case Management
Risk Monitoring
Certification Management
Approva Risk Management Solutions
• Identifying & Preventing Fraud
• Managing Cash Flows & Working Capital
• Managing Assets & Inventory
• Securing & Ensuring Accuracy of Master Data
• Ensuring the Accuracy of Financial Reports
• Managing User Access & Segregation of Duties (SoD)
• Compliant Provisioning
• Certifying Access
• Securing Sensitive Information
• Ensuring Best Practice Process Configuration Settings
• Ensuring Best Practice System Configuration Settings
Approva Risk & Controls Intelligence System
• Risk Analytics
• Continuous Monitoring
• Authoring Studios
• Proactive Alerting
• Baselining
• Risk KPI Monitors
• Audit Repository
What the Analysts Say About Approva
“We rate Approva's BizRights suite as strong positive because of its
breadth of capability in all categories of SOD control.”
“Approva should be on the shortlist of every organization taking a
comprehensive approach that requires strong support for all three
techniques, especially those organizations that need to support multiple
ERP platforms or those that prefer an independent vendor.”
Source: 2008 Gartner MarketScope on Segregation of Duty Within ERP and Financial Applications
by Paul E. Proctor, Neil MacDonald, 25 September 2008
Case Studies & Best Practices
Case Study 1: Automating Financial Controls
Business Challenge
Reducing Risk:
• Concerned about risk in the financial close process.
• Financial controls could not be cost-effectively tested, monitored or enforced.
• People were circumventing the process to make manual journal entries & update the chart of accounts.
Reducing Compliance Costs:
• Financial controls required extensive effort by Internal Audit to manually test on an ongoing basis.
• Manual queries had to be written, updated and executed. Results had to be manually reviewed.
Improving Efficiency:
• Too much time was being wasted researching financial anomalies for audits.
Profile
• Fortune 100 retailer
• $76B in Revenue
• 96,000 Employees
• PeopleSoft Financial Management System (FMS) v8.4
“Misrepresenting our
financial results would have
had disastrous implications
but it just wasn’t feasible to
continuously monitor every
control.”
Financial Controls Case Study: Approva’s Approach
• Approva is used to monitor financial configuration and transaction-related controls.
• Automatic alerts identify control exceptions so they can be addressed immediately.
Diagram labels (roles): Finance / CFO, Internal Audit, CIO / IT, Risk Management, Human Resources, External Audit, Outsourcing Partners
Diagram labels (exceptions):
• Unauthorized Transactions
• Reversed Transactions
• Unusual Debits & Credits
• Entries Avoiding Mgmt Review
• Backdated Journal Entries
• Revenue Entries After Period Close
• Transactions With Missing Fields
• Unauthorized Master Data Changes
• Unusual Trending in Key Accounts
Financial Controls Case Study: Benefits
Business Benefits
Benefit categories: Reduced Risk, Reduced Compliance Costs, Improved Productivity
• Reduced risk of fraud and financial misstatement due to comprehensive and continuous monitoring of key financial controls.
• Elimination of errors resulting from people circumventing existing financial controls and policies.
• Reduced time required for internal audit team to test controls and respond to external audit requests.
• Reduced travel and expense costs for internal audit team.
• Improved utilization & retention of internal audit and finance staff resulting from elimination of low-value tasks.
“We were able to design and implement our automated financial
controls within 3 months of the project kickoff.”
Case Study 2: Controls Monitoring Across 26+ Applications
Business Challenge
• Identify & remediate user access violations across 26 applications.
• Hold business users accountable for user access violations.
• Manage controls for SAP go-live and legacy applications.
• Create the capability to quickly add new applications as business needs change.
Limited Brands: Complex IT Environment
Brand 1, Brand 2, Brand 3, Brand 4, Brand 5
26+ Applications
Case Study 2: Limited Brands
Business Benefits
• Established a sustainable process for monitoring and remediating user access (i.e. SoD) violations for 26+ apps
• Empowered business users to independently remediate and manage access control violations
• Established accountability with business users for SoD violations
• Created a framework to quickly incorporate additional applications into Approva for SoD monitoring
Case Study 3: P-Card Transaction Monitoring
Profile
• One of the largest school districts in the US
• ~$50 Billion annual spend
o Started with $24M through P-Cards, grown to $104M
• Started with ~250 cardholders, grown to 2,500 and 300K transactions
• 5 full time P-Card program administrators
• SAP and Legacy Mainframe GL systems
• Citibank Payment Card
Client Objectives
• Monthly reconciliation activity taking too much manual time and effort
• Manual audit was ineffective in meeting board oversight goals
• Goal to grow the program, driving more value
Benefits
• Grew P-Card spend from $24M to $104M annually, and increased card holders from 246 to 2,500
o Increased dollar rebate (~10 Basis Points)
• P-Card program is effectively enforcing corporate policies and maintaining compliance, encouraged by board to continue to grow P-Card usage
• Reduced audit preparation time through automation
• Automated reconciliation; reduced time and errors
• Avoided retraining users when switching banks. Able to capture most advantageous rebate offers.
• Caught and stopped instances of misuse and was able to document issues and resolve quickly
Top Challenges With P-Card Programs Include Managing Exceptions and Administration Tasks
Chart: Challenges Faced with P-Card Programs (challenge score based on survey respondents)
“Controls are the most pressing issue to increase spend and number of P-Card users”
Source: Aberdeen Group, August 2007
Approva P-Card Insight: Key Product Features
P-Card Insight feature areas: Workflow & Escalation, Automatic Reconciliation, Complex Analytics, Dashboards and Reporting, Proactive Alerts, Audit Trail
• Monitor and provide proactive alerts on P-Card program exceptions using complex analytics
• Provide executive level dashboards on key risk and performance indicators
• Sophisticated workflow with escalation for exception resolution with associated audit trail
• Automatically reconcile transactions with purchases
• Augment bank transactions with level II and III data
P-Card Insight Product Features (I)
Key Product Capabilities and Highlights
Workflow & Escalation
• Complex workflows with escalations for sophisticated management of exceptions by user, auditor, or manager
• Contextual business information provided
• Can interact with end user via email or BizRights interface
Automatic Reconciliation
• Ability to have transactions and purchases flagged as automatically reconciled so no manual intervention required
• Force manual reconciliation based upon business rules (threshold based on dollar amount, specific type of purchases, user, manager etc.)
Dashboards & Reporting
• Customizable reporting and dashboard
• Dozens of pre-built reports
• Drill down and drill through to find root cause of violations
• Multiple levels of reports, from graphical to summary to detail
P-Card Insight Product Features (II)
Key Product Capabilities and Highlights
Proactive Alerts
• Ability to schedule for automated and proactive report delivery
• Workflow tasks proactively emailed to inbox of user
Complex Analytics
• Best practice library of controls
• Trending analytics to search for anomalies
• Ability to analyze data from multiple systems within same rule
Audit Trail
• Complete capture of historical data
• Audit trail maintained for all operations in the system
• PCI DSS Level 1/SAS 70 Type II Certified
• Secure platform that can be used as a control
Approva P-Card Insight Benefits
Benefit categories: Reduced Cash Loss / Waste, Improved Process Efficiency, Reduced Risk
• Increased procurement saving
• Reduced Cost of Monitoring and audit preparation
• Vendor Consolidation
• Bank Neutrality
• Cardholder convenience
• Increased Rebate
• Eliminate non-preferred vendor spend
• Increased Discounts
• Identify leakage
• Increased program assurance
• Culture of Enforcement
• Proactive identification of exceptions
• Improve financial and budget controls
Controls Intelligence Benefits
Table columns: CATEGORY; TYPE OF BENEFIT; Customer Benefit from Improved Controls Intelligence
In Summary
1 Start With the Core Risk But Have a Plan to Expand
• Capture “low hanging fruit” by automating manual controls
• Focus on your top risks but ensure your solution can scale
• Validate your approach and solution with your auditor
2 Consider Both Financial and IT Controls
• Implement both preventive and detective controls
• Consider the impact of IT, access and transaction-related controls
• Trust but verify controls that come with your core applications
3 Business Users Should Own the Controls
• Make sure your solution can speak to business users in their language
• Empower business users to develop their own controls
• Free up IT and internal audit staff to focus on value added tasks
Selected Approva Customers
Manufacturing, Transportation & Public Sector
Technology, Telecom & Media
Energy & Chemicals
Consumer Products & Retail
Pharmaceutical & Biotech
Entertainment
Contact Information
Steve Boyce
VP, Alliances & Business Development
Approva Corporation
steve.boyce@approva.net
703.956.8366
www.approva.net