Risk, Control & Compliance with INFOR Approva

© 2014 Consider Solutions All rights reserved. Solutions for World Class Finance. 2014 GRC Series: Managing Risk, Control & Compliance With INFOR Approva Continuous Monitoring, 20th February 2014

Upload: dan-french

Post on 30-Nov-2014


DESCRIPTION

Second event of the 2014 GRC series, this webcast looked at one of the leading GRC platforms, INFOR Approva Continuous Monitoring, and invited Steve Buchner of Sonova to share his experiences and insights. Ever greater demand for better visibility and better control over financial business processes and results requires management to apply more sophisticated techniques for control and assurance. As such, data analytics and controls intelligence for the Finance, Risk and IS functions have become critical capabilities to ensure that financially relevant processes are operating as designed and in compliance with organisational governance and audit requirements.

Watch the recording below and meet Steve Buchner of Sonova, the world leader in hearing solutions. With 18 years of experience in ERP, IT management and strategy, Steve shares his GRC journey experiences, challenges and insights. He is joined by Steve Rooney, an experienced Risk and Controls expert and recognised INFOR Approva practice leader, who explores best practices in exploiting the Approva family of tools for effective management of Segregation of Duties (SoD), User Access Controls, Process Controls, Transaction Monitoring and Automated Control Reviews for the finance and assurance functions.

Moderated by Dan French, CEO of Consider Solutions, this panel of experts addresses:

- Visibility over Financial Processes & Controls
- The 3 Lenses of Insight – Control & Compliance, Fraud and Operational Risk Management, Finance Process Optimisation
- High Impact Results with INFOR Approva
- Critical Success Factors – best practices
- The Sonova experience
- Entry Points for Deeper Insight
- Q&A

TRANSCRIPT

Page 1: Risk, Control & Compliance with INFOR Approva

© 2014 Consider Solutions All rights reserved.

Solutions for World Class Finance

2014 GRC Series

Managing Risk, Control & Compliance with INFOR Approva Continuous Monitoring

20th February 2014

Page 2: Risk, Control & Compliance with INFOR Approva

Welcome

Today's Speakers:

Dan French, CEO, Consider
Steve Rooney, Consulting Practice Leader, Consider
Steve Buchner, Senior Manager, IT, Sonova

Page 3: Risk, Control & Compliance with INFOR Approva

Business Streams

‐ Financial Control & Compliance
‐ Risk Assurance
‐ Finance Process Optimization

Page 4: Risk, Control & Compliance with INFOR Approva


Clients


Page 5: Risk, Control & Compliance with INFOR Approva

Today's Discussion

Introductions & Objectives
Visibility over Financial Processes & Controls
GRC – 3 Lenses of Insight
High Impact Capabilities with INFOR Approva CM
‐ Segregation of Duties
‐ Process Configuration Monitoring
‐ Certification/Attestation
‐ Transaction Exception Monitoring
The Sonova GRC Journey
Entry Points for Deeper Insight
Q&A

Page 6: Risk, Control & Compliance with INFOR Approva

Objectives

Share insights & experiences in Governance, Risk & Compliance (GRC)
Illustrate Process Optimization potential of GRC
Introduce latest capabilities, use-cases & lessons learned for INFOR Approva CM
Learn from the Sonova journey
Offer tips for the journey to maximize the value

Page 7: Risk, Control & Compliance with INFOR Approva

Risk and Control challenges

Segregation of duties
Duplicate payments
Employee reimbursements
Unauthorized purchases
Fraud prevention
Overpayments
Checks and approvals
Compliance with policy
Regulations
Standardization

Fraud Detection/Prevention 68%
ERM 50%
SOX 404 40%
Compliance 38%
Regulatory Compliance 29%

What drives these challenges?

Lack of staff
Manual processes
Human errors
Access to data
Visibility to issues
Mergers and acquisitions
Integrated systems
Decentralized operations
Outsourcing

Source: KPMG Continuous Monitoring & Continuous Auditing Survey

Page 8: Risk, Control & Compliance with INFOR Approva

IIA 2013 Pulse of the Profession - Outlook

Risk management effectiveness 5%
Other 12%
Strategic/business Risk 4%
Fraud 4%
IT (general) 12%
Compliance 14%
Sarbanes-Oxley 12%
Financial (general) 13%
Operational 24%

Source: The Institute of Internal Auditors

Page 9: Risk, Control & Compliance with INFOR Approva


Financial Accounting - Risk and Control


Page 10: Risk, Control & Compliance with INFOR Approva

Ineffective controls erode performance

What should happen

What actually does happen = Processes are ignored or circumvented

Policies cannot be cost-effectively enforced

Performance Impact:
Fraud & Waste
Sub-optimal Cash Mgmt
Ineffective Process
Delays and Rework
Audit/Compliance Costs
Unnecessary Risk

Page 11: Risk, Control & Compliance with INFOR Approva

3 Lenses for Visibility

Financial Control & Compliance
‐ ICFR
‐ SOX
‐ Data Governance
‐ Control Self Assessment

Risk Assurance
‐ Fraud
‐ Error
‐ FCPA

Finance Process Optimization
‐ Eliminating Waste
‐ Driving Simplification & Standardization
‐ Optimizing Cash Flow

Page 12: Risk, Control & Compliance with INFOR Approva

Continuous Monitoring: Four Layers & Three Lenses . . .

Four layers:
Transactions (CCM-T) – “Where are the exceptions? __________?”
Master Data (CCM-MD) – “Is the underlying data accurate and controlled?”
Access to Applications (CCM-SOD) – “Can anyone __________?”
Configuration of IT Systems & Processes (CCM-AC) – “Do our systems allow anyone to __________?”

“Did Do” / “Can Do”

Three lenses:
Financial Control & Compliance
Risk Assurance
Finance Process Optimization

Page 13: Risk, Control & Compliance with INFOR Approva

Infor Approva CM components

Application security and user access monitoring modules
‐ Authorizations (User Access) – “Can do”
‐ User Activity – “Did do”
‐ Access Manager (Provisioning) – “Can do”

Process transaction and master data monitoring modules
‐ Procure to Pay – “Did do”
‐ General Ledger – “Did do”
‐ Order to Cash – “Did do”
‐ Process Insight Studio – “Did do”

System and configuration monitoring modules
‐ Configuration Insight – “Can do”

Certification (Attestation) Manager

Page 14: Risk, Control & Compliance with INFOR Approva

360° view of Control & Risk Exceptions

Track Results
Identify Exceptions
View Context
Investigate
Take Actions

Page 15: Risk, Control & Compliance with INFOR Approva

Applications Monitored

Applications:
PeopleSoft Financials, PeopleSoft HRMS, Reconnet, Solomon, Catalyst BBW, Baan, LN, JD Edwards Financials, JDA, Lawson S3, Island Pacific, PKMS Receiving, JBA, IFS, MS Dynamics / Navision, Spirit MAST, MFG Pro, Sun Systems, Essbase, Ariba Buyer & Sourcing

Applications:
SAP 3.1h, 3.1i, 4.0B, 4.5B, 4.6B, 4.6C, 4.7, ECC 5.0 & 6.0
SAP BW/BI 3.0B, 3.1, 3.5
Oracle - eBusiness Suite v11/12
Peoplesoft HRMS 8.8, FI 8.8
Hyperion HFM 3.0, HFM 4.0

Page 16: Risk, Control & Compliance with INFOR Approva

Financial Control & Compliance Lens

Focus on Internal Controls over Financial Reporting (ICFR)

Identifying control exceptions
‐ Manage & monitor who has what access to your financial systems
  Segregation of Duties
  Sensitive Access
  User Access Certification
  Emergency & Elevated Access
  Compliant User Access Provisioning
‐ Embedded (configured) Controls Monitoring
‐ Transaction Exception Monitoring
  Automated Compensating Controls
  Process Assurance

Page 17: Risk, Control & Compliance with INFOR Approva

Access Control Cycle - Best Practice Approach

Establish Policies for SOD, Sensitive Access, Configuration Changes
Identify and Analyze Possible Threats
Remediate Threats and Establish Compensating Controls
Analyze Ongoing User Access Changes to Prevent New Risks
Automate Provisioning of Change Requests
Periodically Review & Certify User Access

Page 18: Risk, Control & Compliance with INFOR Approva

Managing Segregation of Duties . . . Is a Tradeoff

Freedom to Get the Job Done
User Access Risks

Page 19: Risk, Control & Compliance with INFOR Approva

Infor Approva . . . SOD Rules . . .

SAP SOD Rule
Lawson SOD Rule

Page 20: Risk, Control & Compliance with INFOR Approva


SOD Violation example


Page 21: Risk, Control & Compliance with INFOR Approva


Activity of User


Page 22: Risk, Control & Compliance with INFOR Approva


Automated compensating control

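The SOD rule, SOD violation, user-activity and automated compensating control slides above can be shown in code. The following is an added example, not Approva's rule format and not code from the deck: a constructed ruleset of conflicting business functions (each a set of SAP transaction codes), a "can do" check over user authorizations and a "did do" check over an activity log, so that only users who actually exercised both sides of a conflict are raised as exceptions. All user names, transaction-to-function mappings, rule identifiers and activity lines are constructed.

```python
"""SoD 'can do' check over authorizations plus 'did do' compensating control
over an activity log. Constructed example, not Approva's rule format."""
from collections import defaultdict

# Constructed ruleset: a business function is a set of SAP transaction codes;
# a rule names two functions that one user must not be able to perform.
FUNCTIONS = {
    "maintain_vendor": {"XK01", "XK02", "FK01", "FK02"},
    "post_vendor_invoice": {"FB60", "MIRO"},
    "run_payments": {"F110", "F-53"},
    "create_po": {"ME21N", "ME22N"},
    "post_goods_receipt": {"MIGO", "MB01"},
}
RULES = [  # (rule id, function A, function B, risk rating)
    ("SOD-P2P-01", "maintain_vendor", "post_vendor_invoice", "High"),
    ("SOD-P2P-02", "post_vendor_invoice", "run_payments", "High"),
    ("SOD-P2P-03", "create_po", "post_goods_receipt", "Medium"),
]

def can_do_violations(user_tcodes):
    """'Can do': for each user, the rules where the user's authorizations cover
    at least one tcode of BOTH conflicting functions.
    Returns {user: [(rule_id, risk, tcodes_of_a, tcodes_of_b), ...]}."""
    result = defaultdict(list)
    for user, tcodes in user_tcodes.items():
        for rule_id, fn_a, fn_b, risk in RULES:
            hit_a = sorted(tcodes & FUNCTIONS[fn_a])
            hit_b = sorted(tcodes & FUNCTIONS[fn_b])
            if hit_a and hit_b:
                result[user].append((rule_id, risk, hit_a, hit_b))
    return dict(result)

def did_do_exceptions(violations, activity_log):
    """'Did do' compensating control: which of the flagged users actually
    executed tcodes on both sides of a conflict? Only those are exceptions
    for a reviewer; the rest stay on the periodic access review.
    activity_log is a list of (user, tcode, document) tuples."""
    executed = defaultdict(set)
    for user, tcode, _doc in activity_log:
        executed[user].add(tcode)
    exceptions = []
    for user, hits in violations.items():
        for rule_id, risk, tc_a, tc_b in hits:
            used_a = executed[user] & set(tc_a)
            used_b = executed[user] & set(tc_b)
            if used_a and used_b:
                exceptions.append((user, rule_id, risk, sorted(used_a), sorted(used_b)))
    return exceptions

# Constructed authorizations and activity for the walk-through.
USER_TCODES = {
    "jdoe": {"XK01", "FB60", "MIRO", "ME21N"},  # maintains vendors AND posts invoices
    "asmith": {"FB60", "F110"},                 # posts invoices AND runs payments
    "bwong": {"ME21N", "ME22N"},                # purchasing only, no conflict
}
ACTIVITY_LOG = [
    ("jdoe", "XK01", "VENDOR-0042"),
    ("jdoe", "MIRO", "INV-2014-0107"),
    ("asmith", "FB60", "INV-2014-0108"),  # never actually ran F110
    ("bwong", "ME21N", "PO-4500017"),
]

if __name__ == "__main__":
    found = can_do_violations(USER_TCODES)
    for user, hits in found.items():
        for rule_id, risk, a, b in hits:
            print(f"CAN DO  {user}: {rule_id} ({risk}) {a} + {b}")
    for user, rule_id, risk, a, b in did_do_exceptions(found, ACTIVITY_LOG):
        print(f"DID DO  {user}: {rule_id} ({risk}) executed {a} and {b}")
```

On the constructed data two users carry a "can do" conflict but only one has exercised both sides, which is the distinction the automated compensating control slide relies on.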

Page 23: Risk, Control & Compliance with INFOR Approva


Gartner Comment


Page 24: Risk, Control & Compliance with INFOR Approva

Risk Assurance Lens

Risk monitoring beyond ICFR

Identifying business exceptions
‐ Error
‐ Waste
‐ Fraud

Transaction Exception Monitoring addressing . . .
Purchase to Pay
Order to Cash
Record to Report
Travel & Entertainment
HR & Payroll
FCPA
. . . .

“The typical organization loses 5% of its revenues to fraud & waste each year”

Page 25: Risk, Control & Compliance with INFOR Approva

Potential Risks ...

Procurement:
‐ Duplicate Payments
‐ Goods delivered without a PO
‐ Non-standard payment terms
‐ Invoice value greater than received
‐ Duplicate Invoices

Sales:
‐ Price Reductions
‐ Undelivered orders
‐ Exceptional customer credits/returns
‐ Non-standard payment terms

Fixed Assets:
‐ Inappropriate asset depreciation periods
‐ Misclassified capital equipment

Travel Expenses:
‐ Duplicate claims
‐ Ineligible items claims

General Ledger:
‐ JE postings into prior periods already closed
‐ Unusually large JEs
‐ Manual payments
‐ Manual journal entries requiring review and approval

Page 26: Risk, Control & Compliance with INFOR Approva


Example Exception Rule … Conditions for Duplicate Payment


Page 27: Risk, Control & Compliance with INFOR Approva


Exception Detail


Page 28: Risk, Control & Compliance with INFOR Approva


PO where Vendor Name from PO Matches with OFAC SDN List


Page 29: Risk, Control & Compliance with INFOR Approva

Gartner Comment

Approva has prebuilt integration links to multiple ERP vendors. It provides good workflow for exception management, robust reporting and intuitive rule building.

Magic Quadrant for Continuous Controls Monitoring

Page 30: Risk, Control & Compliance with INFOR Approva

Finance Process Optimization Lens

Focus on Process Efficiency & Standardization

Identifying 'out of envelope' exceptions
Key Exception Indicators (KEIs)
‐ Transaction Exception Monitoring
  Performance & Cash sapping practices
  Non-standard processes
  “Evolved” working practices
  Local variants
  Policy avoidance

Page 31: Risk, Control & Compliance with INFOR Approva

We TRY to control standardization . . .

ERP is configured to only allow GR if PO exists, however…
Truck drops off shipment, but no PO exists
Warehouse calls up Purchasing to create a PO
Purchasing creates PO for Shipment
GR is created against PO

Page 32: Risk, Control & Compliance with INFOR Approva

What can impact process performance... 'Key Exception Indicators'

Procure to Pay:
‐ Multi-touch POs
‐ PO mismatches a PR
‐ “Pro-forma” POs
‐ Vendor records missing key data
‐ Invoice mismatches to PO / GR
‐ Goods delivered without a PO
‐ Duplicate Vendor records

General Ledger:
‐ Posted documents not cleared for extended period
‐ Duplicated effort - Journal entries with missing key data
‐ Duplicate GL accounts

Order to Cash:
‐ Multi-touch Orders
‐ “Pro-forma” invoices
‐ Undelivered Sales Orders
‐ Sales Orders without Customer PO
‐ Changes to Payment Terms
‐ Customer records with missing data
‐ Duplicate Customer records

Page 33: Risk, Control & Compliance with INFOR Approva

Case Study 1: Invoice Processing

Desired process
‐ Purchase Order to initiate and approve purchase
‐ Touch-less Invoice/Payment approval on match

KPIs
‐ First time match rate
‐ Invoice processing cost/effort

What can go wrong (Key Exception Indicator)
‐ Duplicate Invoices, duplicate vendors, imprecise POs

Discovery
‐ 3% duplicate invoices causing re-work and cash loss

Root Cause
‐ Different vendor records set up by different groups for same vendor
‐ Supplier resending invoices if payment not received
‐ Invoices not matching PO … needing manual review

Page 34: Risk, Control & Compliance with INFOR Approva

Case Study 2: Purchase Order Processing

Desired process
‐ Purchase Request to approve expenditure
‐ Purchase Order to initiate and approve purchase

KPIs
‐ Maximize spend under PO
‐ PO processing cost

What can go wrong (Key Exception Indicator)
‐ Multiple touch POs, changes to PO Pricing & Terms

Discovery
‐ 11% POs change activity

Root Cause
‐ Pro-forma POs, Master Data inaccuracy

Page 35: Risk, Control & Compliance with INFOR Approva

Case Study 3: Receivables / Collections

Desired process
‐ Short cycle order to customer invoice to payment

KPIs
‐ Days Sales Outstanding (DSO)

What can go wrong (Key Exception Indicator)
‐ Sales Order to Delivery to Invoice delay

Discovery
‐ Excellent cash collection metric undermined by use of Pro-forma invoices to confirm customer payment

Root Cause
‐ DSO KPI, Invoicing errors

Page 36: Risk, Control & Compliance with INFOR Approva


Example Exception Rule … PO raised on or after GR


Page 37: Risk, Control & Compliance with INFOR Approva


Exception Detail


Page 38: Risk, Control & Compliance with INFOR Approva


Duplicate Vendors – same tax ID

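The three example exception rules shown on the slides above (conditions for a duplicate payment, PO raised on or after GR, duplicate vendors with the same tax ID) written out as an added Python example; this is not Approva's rule language or the deck's own code, and every vendor, invoice, PO and GR record is constructed. It goes one step beyond the slides by resolving invoices through the vendor's tax ID, so that a duplicate vendor record (the root cause named in Case Study 1) cannot hide a duplicate payment.

```python
"""Transaction exception rules over constructed procure-to-pay data:
duplicate payment candidates, PO raised on or after GR, duplicate vendors
sharing a tax ID. Constructed example, not Approva's rule language."""
from collections import defaultdict
from datetime import date
import re

# Constructed sample data. Vendors 1002 and 1007 are the same supplier set up
# twice by different groups; the resent invoice 2014-0107 was keyed against
# the duplicate record, which is how a plain per-vendor check misses it.
VENDORS = [
    {"id": "1001", "name": "Acme Parts Ltd", "tax_id": "GB123456789"},
    {"id": "1002", "name": "Nordic Cables AS", "tax_id": "NO987654321"},
    {"id": "1007", "name": "NORDIC CABLES A/S", "tax_id": "NO 987 654 321"},
]
INVOICES = [
    {"doc": "5100001", "vendor": "1001", "ref": "INV-88", "amount": 1250.00, "date": date(2014, 1, 10)},
    {"doc": "5100002", "vendor": "1002", "ref": "2014-0107", "amount": 4800.00, "date": date(2014, 1, 14)},
    {"doc": "5100009", "vendor": "1007", "ref": "2014/0107", "amount": 4800.00, "date": date(2014, 2, 3)},
    {"doc": "5100010", "vendor": "1001", "ref": "INV-91", "amount": 1250.00, "date": date(2014, 2, 5)},
]
PURCHASE_ORDERS = [
    {"po": "4500017", "created": date(2014, 1, 8)},
    {"po": "4500021", "created": date(2014, 1, 20)},  # raised after the goods arrived
]
GOODS_RECEIPTS = [
    {"gr": "5000031", "po": "4500017", "posted": date(2014, 1, 12)},
    {"gr": "5000034", "po": "4500021", "posted": date(2014, 1, 17)},
]

def norm(s):
    """Normalise reference and tax-id strings so cosmetic differences do not hide a match."""
    return re.sub(r"[^A-Z0-9]", "", s.upper())

def duplicate_vendors(vendors):
    """Rule: vendor records that share a tax ID after normalisation."""
    by_tax = defaultdict(list)
    for v in vendors:
        by_tax[norm(v["tax_id"])].append(v["id"])
    return {tax: ids for tax, ids in by_tax.items() if len(ids) > 1}

def duplicate_payment_candidates(invoices, vendors):
    """Rule: same supplier (resolved through tax ID), same amount and same
    normalised invoice reference. Returns groups of invoice document numbers."""
    tax_of = {v["id"]: norm(v["tax_id"]) for v in vendors}
    groups = defaultdict(list)
    for inv in invoices:
        key = (tax_of[inv["vendor"]], inv["amount"], norm(inv["ref"]))
        groups[key].append(inv["doc"])
    return [docs for docs in groups.values() if len(docs) > 1]

def po_on_or_after_gr(pos, grs):
    """Rule: PO creation date on or after the posting date of a GR against it,
    i.e. the PO was raised to legitimise a receipt that had already happened."""
    created = {p["po"]: p["created"] for p in pos}
    return [(g["po"], g["gr"]) for g in grs if created[g["po"]] >= g["posted"]]

if __name__ == "__main__":
    print("duplicate vendors:", duplicate_vendors(VENDORS))
    print("duplicate payment candidates:", duplicate_payment_candidates(INVOICES, VENDORS))
    print("PO raised on/after GR:", po_on_or_after_gr(PURCHASE_ORDERS, GOODS_RECEIPTS))
```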

Page 39: Risk, Control & Compliance with INFOR Approva

5 Critical Success Factors

1. Stakeholder Alignment
• Engagement, Ownership, Sustaining
2. Clarity
• Objectives, Measures, Progress
3. Process
• Project, Program, Process
4. People, Skills & Knowledge
• Train, Develop, Refresh
5. Tools
• Clarity, Focus, Precision

Page 40: Risk, Control & Compliance with INFOR Approva

Steve Buchner, Sr. Mgr. IT Operations, Sonova (Phonak Hearing Systems)

Page 41: Risk, Control & Compliance with INFOR Approva


Sonova, Phonak & Unitron


Page 42: Risk, Control & Compliance with INFOR Approva

Catalyst – Initial Audit Findings

2009 Audit Finding - “unrestricted SAP User access rights for critical transactions”

Authorization concept existed but lacked SOD analysis as well as necessary controls monitoring tool

Page 43: Risk, Control & Compliance with INFOR Approva

Getting Started

Sought out help from PwC (2010)
‐ Developed SOD Ruleset
‐ Developed new SAP Role Concept (SOD compliant)

Tool Selection – choose a GRC tool (2010)
‐ Selected Approva (BizRights)
‐ Selected Consider as implementation partner

Beginning the Journey (2010 – present)
‐ Implementing new role concept
‐ Began analysis and remediation process with Consider

Page 44: Risk, Control & Compliance with INFOR Approva

Experiences along the Road

The right security concept is the foundation

Once in place -> next effort is transition responsibility to business for who gets access to what!

Page 45: Risk, Control & Compliance with INFOR Approva

Challenges

Inefficient Security Design
‐ Too many Authorizations
‐ Too many Roles
‐ Duplicate Transactions
‐ Increased Exposure to Risk

Security resources empowered with too much user access decision-making responsibility
‐ Lack of Knowledge
‐ Lack of Time

Minimal Documentation and Automation for the User Provisioning Process

Lack of Control Framework (Segregation of Duties Matrix)

Page 46: Risk, Control & Compliance with INFOR Approva


Transitioning Ownership from IT to Finance


Page 47: Risk, Control & Compliance with INFOR Approva

Global Rollout

With the help of Consider - In 2013 kicked off rollout of SAP Role Concept to 12 countries

User SOD Remediation via Approva One followed after and remains in progress

Page 48: Risk, Control & Compliance with INFOR Approva

The Access Provisioning Portal

User Remediation Complete => Keep system clean

With Consider implementing self service provisioning portal
‐ User access requests routed to appropriate approver

IT is removed from the user provisioning process!

Page 49: Risk, Control & Compliance with INFOR Approva

The Road Ahead

Complete the current efforts
Implement Certification Manager for yearly access reviews
Extend monitoring beyond SAP

Page 50: Risk, Control & Compliance with INFOR Approva

Entry Points for Deeper Insight

20th February 2014

Page 51: Risk, Control & Compliance with INFOR Approva

INFOR Approva Continuous Monitoring

Best Practice Rules informed and adopted by Big 4
Business friendly for process adoption
Multi-Application Monitoring Capability
Control Attestation/Certification Capability
Ease of Integration into IT Landscape
Continuous Improvement focus
3 Lenses of GRC Success
Cost-Effective

Page 52: Risk, Control & Compliance with INFOR Approva

Entry Points for Deeper Insight: SoD Needs Assessment & Planning Workshop

Analysis of current ERP SoD status
Industry best practice
Organisation specific policies
Assessment & benchmarking
Recommendations
Outline Plan
Workshop Review
Build the 'Case for Action'

Page 53: Risk, Control & Compliance with INFOR Approva

Entry Points for Deeper Insight: QuickScan™ - Diagnostics for quick wins . . .

Scoped process & organisation target
Agreed risk and/or performance themes
Agreed ownership to manage and resolve transaction exceptions
Ongoing analysis of all relevant system data and transactions
Matching 100% of transactions and data against exception rules
Work flow for addressing and resolving exceptions
Process for continuous improvement

Rapid Execution, Rapid Return

Page 54: Risk, Control & Compliance with INFOR Approva

Any Questions?

Enjoy the journey!

For any questions or a 'deeper dive' . . . .
[email protected]

Blogerati can visit . . .
www.consider.biz/thinking/
@consider_ations
#worldclassfinance

Page 55: Risk, Control & Compliance with INFOR Approva

2014 GRC Series

Managing Risk, Control & Compliance with INFOR Approva Continuous Monitoring

20th February 2014