SAP Insider Compliance Update: Sarbanes-Oxley

by SAP and Partners | SAPinsider

April 1, 2004

SAPinsider, 2004 (Volume 5), April (Issue 2)

Compliance or Bust!
Three Strategies for Enlisting SAP Solutions in Your Corporate Compliance Efforts

Kraig Haberer,
Global Director of
Product Marketing,
mySAP Financials

>>INSIDE<<

Compliance and Beyond: How Document Delivery Systems Support Your Entire Financial Reporting Life Cycle

Make Sure Your Sarbanes-Oxley Reporting Is Accurate with Cypress Software

Can Your Corporate Tax Department Achieve the Transparency and Consistency that Sarbanes-Oxley Compliance Requires?

Look Beyond Sarbanes-Oxley to Maximize ROI from Compliance Initiatives

The Global Impact of Sarbanes-Oxley on Transactional Tax Services

Sarbanes-Oxley Compliance: A Bridge to Excellence

Distribute Accountability for Greater Accuracy: Involve All Levels of Your Organization to Improve Compliance Processes

SAP Authorizations and Sarbanes-Oxley: How to Monitor Internal Controls for Compliance

Robust Financial Reporting with SAP and Business Objects

Serious Solutions for Serious Compliance: The New Reality of Continuous Controls Compliance

Get Ready & Stay Ready: Leading Companies Automate Visibility into Internal Controls to Ensure Compliance, Maximize Revenue, and Manage Business Risk

Recently, a compliance manager wryly characterized his Sarbanes-Oxley Act (SOA) compliance project as having the following stages: denial, acceptance, panic, strategy, execution, and success. Fortunately for him — and for the rest of us — we are long past denial and panic, and are fully focused on compliance execution and success in 2004.

Like early settlers heading out into new territory, many companies are in the heads-down, “compliance or bust” frame of mind to ensure on-time and complete SOA compliance. But as organizations approach their compliance strategies, most are realizing that good corporate governance is not just a one-dimensional regulatory demand. Instead, they now envision a multi-dimensional business challenge, one that must account for a variety of regulations (see Figure 1) and a number of influencing forces. Among these influences are: social responsibility, fiscal responsibility, stakeholder demands, corporate objectives, and technology enablers.

As such, SAP customers must approach this exercise in compliance from both a business and a technology perspective. The goal is to enhance speed, accuracy, and transparency to ensure trusted accounting and create trusted financial statements. To do this, companies running SAP should focus on three strategies in 2004 to gain efficient and effective corporate governance:

  1. Leverage existing SAP investments

  2. Consolidate your system landscape

  3. Invest in performance management

First, Use What You’ve Got

According to the collective wisdom of existing SAP customers, industry analysts, and financial management consulting firms, the first strategy is to simply leverage your existing SAP investments. Not only is this one of the more effective strategies, it is also the cheapest!

With SAP solutions, you already have access to a whole host of built-in configurable, reporting, and security controls to jump-start your compliance efforts (for example, see the list of SAP solutions for SOA compliance in Figure 2). Make sure that your organization is taking advantage of elements like workflow, audit trails, edit checks and tolerances, and changed-document logs. In many cases, customers have found that these elements were turned off during implementation or were never activated in the production system, leaving valuable compliance resources underutilized.

Additionally, look to a new functionality in mySAP Financials — SAP Compliance Management for SOA — that includes capabilities for managing internal controls to assist you in SOA Section 404 compliance efforts. Developed in concert with the Big Four accounting firms, this internal controls management solution delivers scoping, documentation, assessment, remediation, and sign-off tools, enabling the CEO and the CFO to verify the soundness of internal control methodologies with confidence.

The added advantage of using existing SAP resources is that you can synchronize your compliance solutions with your underlying ERP transactional systems. This becomes especially important as you look at compliance beyond the first year. Yes, first-year compliance efforts have necessitated a tremendous workload and cost (some estimates put it at $2 million spent per each billion of revenue). But many companies have shifted their focus toward how to achieve efficient compliance in subsequent years, since companies must now comply every year for the rest of their corporate lives! Having an integrated approach minimizes the impact of any business changes, whether they involve processes, technology, or even personnel.

Then, Harmonize Your Systems

Many of the corporate “crises in confidence” over the last few years have stemmed from the fact that there was room for manual intervention in financial processes or in maintenance of company records, accounts, and reports. The less integrated a business is, the more risk is introduced into the process, whether from purposeful wrongdoing or simple oversight. A proper technology platform minimizes these risks and restores employee, executive, and investor confidence.

Think of the “telephone game” in which a story is passed from person to person down the line — the more people involved, the more skewed the story becomes. Companies with a heterogeneous system landscape with multiple ERP and point solutions face the same challenge in their own data quality.

Figure 1
A Timeline for Meeting Compliance Requirements

This is especially relevant for regulations like Sarbanes-Oxley because SOA isn’t just a financial initiative; it spans the enterprise, and in some cases the extraprise, literally touching every major business process operating in the company. In particular, most “trigger events” that would potentially affect internal controls originate outside of finance — for example, revenue recognition in the sales process or trade terms with key suppliers. In fact, according to AMR Research, a full 65% of companies addressing Sarbanes-Oxley are looking at consolidating systems in order to streamline compliance efforts.

Not surprisingly, this is the area where the CFO and the CIO pull together to combat the corporate governance challenge. Furthermore, harmonized system landscapes will allow companies to better react to subsequent regulations, both in the United States and abroad, including International Accounting Standards (IAS) and Basel II initiatives.

SOA Section 301
  Requirement:
  • Process for anonymous complaints of employees to audit committee (“Whistle Blower”)
  SAP Solution:
  • SAP Compliance Management for SOA

SOA Section 302
  Requirement:
  • Certification of financial reports by CEO and CFO
  SAP Solution:
  • SAP R/3 — Financials
  • SAP Strategic Enterprise Management

SOA Section 401
  Requirement:
  • Financial reports to reflect all adjustments identified by the auditors
  • Disclosure of all off balance sheet transactions
  • Reconciliation of pro forma figures with GAAP figures
  SAP Solution:
  • SAP R/3 — Financials
  • SAP Strategic Enterprise Management

SOA Section 404
  Requirement:
  • Management has to prepare documentation of internal controls
  • Management has to assess the effectiveness of internal controls
  • Management has to prepare report on internal controls
  • Auditor has to report on the management’s assessment of internal controls
  SAP Solution:
  • SAP Compliance Management for SOA

SOA Section 409
  Requirement:
  • Obligation to rapidly report changes in financial condition, etc.
  SAP Solution:
  • SAP Strategic Enterprise Management

Figure 2
Software-Relevant Sections of the Sarbanes-Oxley Act

Finally, Invest in Performance Management

The final strategy advocated by your peers and industry experts alike is to invest in business performance management (BPM). BPM initiatives include such things as planning and budgeting, legal and management consolidation, reporting and analysis, scorecarding, and other decision support activities. Traditionally, BPM systems have focused on making better decisions, but today these same systems can be employed to provide better business visibility and control during the process, not just after the fact.

The idea is that if you have proper and effective internal management reporting, external reporting will follow suit. In many cases, companies with BPM in place have reported shorter financial closing times, more accurate and efficient budgeting cycles, better business insights and decisions, and better proactive, early-warning indicators to spot material operating or control issues.

If you haven’t already, you should definitely consider SAP’s BPM offerings, including Strategic Enterprise Management and Business Analytics. These solutions offer planning and budgeting, consolidation, performance management, risk management, and reporting capabilities to support not only your BPM initiatives, but also your compliance and control projects.

The Rewards

So what will come of your trek off into compliance? Early results show that effective corporate governance:

  • Restores investor confidence

  • Reduces the cost of compliance

  • Produces trusted financial statements

  • Creates a sound internal control environment

  • Improves business insight

Quicker and more complete disclosure has become a critical aspect of managing investor confidence and maintaining a company’s market value and ability to raise funds. mySAP Financials offers the functions necessary for secure and transparent accounting. However, SAP also recognizes that your finance functions are constantly evolving. So we are also continuing to invest in new solutions and work with software partners and customers to address today’s financial challenges, as well as tomorrow’s.

For more information on SAP’s corporate compliance strategy, see www.sap.com/solutions/financials/trustedaccounting.asp. To learn more about SAP’s BPM initiatives, including Strategic Enterprise Management and Business Analytics, visit www.sap.com/solutions/financials/keycapabilities.



Compliance and Beyond: How Document Delivery Systems Support Your Entire Financial Reporting Life Cycle


Jurgen Stephan
Vice President of Marketing,
Captaris

Designed to restore corporate accountability and bring back investor confidence, the Sarbanes-Oxley Act dramatically changes corporate governance and reporting requirements. For many organizations, complying with new government mandates on how to record, track, and disclose financial information can be a daunting task.

With Sarbanes-Oxley, publicly held corporations must implement systems, controls, and procedures that improve information security, ensure accuracy, and provide a reliable audit trail for corporate information to prevent fraud and provide financial transparency. Fortunately, organizations with SAP already have a foundation for reliable financial and business process reporting. However, you need to consider many systems and processes when developing your compliance strategies. Although often overlooked, how you disseminate, manage, and monitor your business information and financial reports can have a significant impact on compliance efforts as well as bottom-line business performance.

That’s why your document delivery and workflow procedures should be key considerations when developing your overall compliance strategy. By putting systems into place with SAP to automate document delivery and associated business processes, companies can better support the entire life cycle of financial reporting, reduce opportunities for fraud, and provide an essential audit trail for communications.

Support Sarbanes-Oxley Compliance with e-Document Delivery from SAP

E-document delivery is one important tool organizations can use to support Sarbanes-Oxley requirements. E-document delivery solutions integrate with SAP, workflow, and other business applications to automate business information delivery via fax, email, or over the Internet. Products such as Captaris’ RightFax help support Sarbanes-Oxley compliance efforts by providing secure and tamper-resistant electronic delivery, receipt, and tracking of your business information.

By adding an e-document delivery solution to your framework for Sarbanes-Oxley compliance, you can support compliance efforts in a variety of ways:

Safeguard Information Accuracy by Automating Document Delivery from SAP

Traditional delivery methods (postage, manual fax, courier services) leave organizations vulnerable to violating the Sarbanes-Oxley Act. These processes require manual handling and expose documents to alteration or viewing by unknown or unauthorized individuals. What’s more, these methods are often unreliable and do not always provide timely, guaranteed, or confirmed delivery. By integrating e-document delivery capabilities with SAP, organizations can help safeguard information accuracy by automating document distribution processes. Financial reports, correspondence with auditors, and other corporate information can be automatically delivered with RightFax in real time, directly from SAP or any other application to the intended recipient’s fax or email inbox with notification of receipt. This eliminates the human factor when disseminating information and limits opportunities for information to be altered or represented fraudulently.

Provide a Centralized Communications Hub for Delivering Corporate Financial Information

With Sarbanes-Oxley, corporations must develop processes to maintain control over communications, documents, and workflows. RightFax offers a centralized server solution that integrates with SAP, as well as workflow, document management, imaging, archiving, and other IT systems to provide inbound and outbound document delivery via fax, email, or the Internet. By performing as a centralized hub for electronically disseminating corporate communications, RightFax streamlines processes to enable timely, controlled, and reliable distribution of business and financial information (see Figure 1).

Figure 1
Captaris RightFax — A Centralized Hub for Electronically Distributing Business Information

Streamline Business Workflow Processes

Sarbanes-Oxley has a significant impact on how you conduct, manage, and control business processes and information dissemination. By integrating workflow and e-document delivery capabilities with SAP, companies can build a strong framework to effectively respond to new compliance requirements. By combining the Captaris products Teamplate and RightFax with SAP, corporations can easily support the complete corporate compliance life cycle.

Leverage Secure and Encrypted Electronic Information Delivery from SAP

For an added level of security, certified and encrypted delivery features can be used to safeguard information delivery. RightFax provides encrypted and certified email delivery options that require passwords to access information, as well as electronic verification of receipt for better authentication. This can help you better monitor and control who accesses distributed information, and where and when it is distributed and accessed. This also makes it easier to limit and trace any possible fraudulent activities.

Enable Tamper-Resistant Information Transmission

By integrating an e-document delivery solution with your SAP applications to automate document delivery, you can help ensure that documents retain original data integrity and are not altered during transmission. For example, with RightFax, information is transmitted as image-based, tamper-resistant PDF or TIFF documents via a secure Public Switched Telephone Network (PSTN), and is then stored electronically on the fax server.

Improve Information Tracking, Audit Trail, and Storage

With Sarbanes-Oxley, publicly held companies must maintain all communications, application data, and records between themselves and their public auditors. Therefore, it is vitally important to improve the efficiency and reliability of how companies manage and track digital documents — how they are delivered, who delivers and receives them, and how they are housed can have significant consequences.

RightFax electronically processes inbound and outbound documents and can be configured to store incoming and outgoing faxes electronically in a secured network storage device, archiving system, or database. It can also track document transmission history, provide verification of delivery, assign access passwords, and route incoming documents to individuals’ fax or email inboxes. These features provide electronic storage and a deeper audit trail to help satisfy Sarbanes-Oxley digital document tracking and storage requirements.

E-Document Delivery Features to Ask About for SAP and Sarbanes-Oxley

Repercussions for noncompliance with the Sarbanes-Oxley Act can be devastating to executives and corporations alike. As a result, it is essential to understand how to wisely choose a business information delivery solution for SAP. Consider the following when looking for a solution:

Certified and time-tested integrations with SAP: Your e-document delivery solution will provide better reliability and will be easier to install, use, and manage if it has SAP-certified and proven integrations.

A single platform for multiple applications: To gain the most value in an e-document delivery solution, look for one that extends beyond SAP. It should provide seamless and reliable integrations with all the applications you use including email, CRM, document management, workflow, and multifunction devices. This single platform will make it simpler to manage, track, and control information dissemination across the organization and better support Sarbanes-Oxley efforts.

Workflow tools: To get the most from an e-document delivery solution, make sure it will seamlessly integrate with your workflow processes. Does the vendor provide workflow tools to help map business processes and monitor, manage, and distribute financial information? For an optimal solution, find out about the vendor experience with e-document delivery and process automation, as well as with SAP.

Security and management: Since the communications originating from SAP are vital to running your business and providing the supporting documentation required to meet compliance guidelines, you should make sure the system has robust security and management features to ensure that documents are not altered and that confidentiality and data integrity is retained. For added protection, look for encrypted and certified delivery options.

Audit trail, tracking, and reporting: With Sarbanes-Oxley, records of your business communications must be maintained and processes must be in place to ensure their accuracy. As a result, you need to ensure the solution provides reliable tools to track, monitor, and manage communications. What kinds of notifications are available with the solution? Can you receive status confirmations in your email or back to SAPoffice? Can notifications be customized to include a variety of information? Are there flexible reporting tools available? Look for solutions with comprehensive and flexible tools for reporting and audit trails.

Proven reliability: What is the solution’s record when it comes to reliability? Does it have a solid track record with SAP? How many installations does the solution provider have with SAP? Look for automatic back-up, fault tolerance, remote management, solid integrations with SAP, and a reputation for strong technical support.

Flexible integration options: To expedite implementation and meet tight Sarbanes-Oxley compliance deadlines, you want solutions that are quick and easy to deploy. Look for solutions that integrate with SAP via SAPconnect, SAPscript, or SAP SmartForms. In addition, look for technologies such as Java, XML, or Facsimile Command Language that provide powerful, flexible tools for integrating or customizing solutions to meet your needs.

The Business Value Beyond Supporting Sarbanes-Oxley Compliance

The business value of integrating e-document delivery capabilities with SAP reaches far beyond supporting Sarbanes-Oxley compliance. In fact, the document delivery solutions you put in place can have enormous impact on your company’s bottom-line performance as well. E-document delivery and workflow solutions like those from Captaris can also be used with SAP and other business applications to bring efficiencies into your information delivery processes to control costs, reduce business cycle times, and enhance customer service. The result: improved business performance and more confident investors.

About Captaris

Captaris is a provider of business information delivery solutions that integrate, process, and automate the flow of messages, data, and documents. Captaris produces a suite of proven products and services, in partnership with leading enterprise technology companies, delivered through a global distribution network. Captaris has installed over 80,000 systems in 44 countries, with 93 of the Fortune 100 using the company’s award-winning products and services to reduce costs and increase the performance of critical business information investments.

Captaris RightFax

RightFax is a leading enterprise fax and e-document delivery solution for SAP. With SAP-certified integrations, RightFax helps companies reduce costs, improve efficiency, and streamline business processes by automating the flow of information and document delivery from SAP R/3 and mySAP Business Suite applications.

Captaris Teamplate

Teamplate is a global leader in rapid business process automation for Microsoft environments. Teamplate offers significant advantages over past workflow automation approaches by providing rapid, understandable, affordable, and robust solutions that scale. Used to streamline the interaction between business people and enterprise software applications, Teamplate workflow solutions are implemented by managers in any functional area of a business.

For more information, visit www.captaris.com or call +1 520 320-7000.



Make Sure Your Sarbanes-Oxley Reporting Is Accurate with Cypress Software


Jim King
Vice President,
Compliance Solutions,
Cypress Corporation

Much of the information you need for Sarbanes-Oxley reporting and validation is contained in a dizzying array of documents and reports generated by both SAP and non-SAP systems — purchase orders, payment authorizations, invoices, emails, checks, ledgers, bills of lading, inventory, time cards, faxes, statements, and so on. But how do you ensure that this content is accessible and accurate enough to reliably serve as the foundation of your compliance reporting?

The Compliance Problem: Verification Across All Sources

SAP customers have ample means to automate internal controls based on data from disparate databases and systems, but they don’t have the same leverage with document content. Integrating and leveraging document content between SAP and non-SAP systems can be difficult, if not impossible, because organizations create millions of documents every year in incompatible formats and then store them throughout the company. These barriers prevent you from using actual document content to help ensure financial accuracy, detect fraud and irregularities, and allay any fears of attesting to incorrect compliance information.

The Cypress Solution: Closing the Document Gap

The Cypress Sarbanes-Oxley Validation System (see Figure 1) complements the SAP Sarbanes-Oxley management solution by adding a new dimension of internal control: document-centric testing and validation. Cypress assembles documents and reports from SAP and non-SAP systems in a common repository, extracts key page content (totals, overtime hours, journal entries), then applies simple business rules to validate the accuracy of your reports.

Figure 1
Cypress Helps Pinpoint Document-Based Reporting Discrepancies

For instance, Cypress can automatically combine sales invoices and sales journals created by SAP with shipping documents created by a legacy system, and validate totals across all three documents. Exceptions are instantly forwarded to the appropriate employees for action. Just consider how much more effective your internal controls would be if you could automatically verify:

  • Accounting distributions for capital expenditures based on quantity and payment information on POs, invoices, and checks

  • Cash disbursements by ensuring totals, vendor names, and vendor addresses on invoices or check requests match corresponding checks and wire transfers

  • Payroll disbursements by detecting fictitious or terminated employees, or substantiating claimed overtime

For details on how Cypress’s Sarbanes-Oxley Validation System can automate these and other document-based verification tasks, contact Cypress Corporation at +1 248 852-0066, or visit www.cypress-software.com.
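The three-way validation described above (SAP sales invoices and sales journal entries matched against shipping documents from a legacy system, with exceptions routed to an owner) can be expressed as a small rules engine. This is an added illustration written for this page, not Cypress code or SAP code; the record layouts, field names, routing table and all sample document values are constructed for the example.

```python
"""Document-centric three-way validation control.

Added illustration of the validation idea described in the text. All data
below is constructed: it stands in for content extracted from SAP invoices,
SAP sales journal entries and legacy-system shipping documents.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List

# Constructed sample content, keyed by invoice number. Money is kept as
# Decimal so a cent-level tolerance check is exact rather than float-noisy.
SAP_INVOICES = {
    "INV-1001": {"customer": "C-17", "qty": 40, "total": Decimal("4000.00")},
    "INV-1002": {"customer": "C-22", "qty": 12, "total": Decimal("1380.00")},
    "INV-1003": {"customer": "C-05", "qty": 7, "total": Decimal("910.00")},
    "INV-1004": {"customer": "C-31", "qty": 3, "total": Decimal("450.00")},
}
SAP_SALES_JOURNAL = {
    "INV-1001": Decimal("4000.00"),
    "INV-1002": Decimal("1830.00"),  # transposed digits: 1380 posted as 1830
    "INV-1003": Decimal("910.00"),
    "INV-1004": Decimal("450.00"),
}
LEGACY_SHIPMENTS = {
    "INV-1001": {"qty": 40},
    "INV-1002": {"qty": 12},
    "INV-1003": {"qty": 5},  # short shipment against the invoiced quantity
    # INV-1004 has no shipping document at all: billed but never shipped
}

# Hypothetical routing table: which team receives each class of exception.
ROUTING = {
    "JOURNAL_MISMATCH": "gl-accounting",
    "MISSING_JOURNAL": "gl-accounting",
    "ORPHAN_JOURNAL": "internal-audit",
    "QTY_MISMATCH": "logistics",
    "MISSING_SHIPMENT": "revenue-recognition",
}


@dataclass
class Finding:
    doc_id: str
    rule: str
    detail: str
    route_to: str


def _finding(doc_id: str, rule: str, detail: str) -> Finding:
    return Finding(doc_id, rule, detail, ROUTING.get(rule, "internal-audit"))


def validate_three_way(invoices: Dict[str, dict],
                       journal: Dict[str, Decimal],
                       shipments: Dict[str, dict],
                       tolerance: Decimal = Decimal("0.01")) -> List[Finding]:
    """Apply the business rules across all three document sources.

    Every invoice must (a) have a journal posting whose amount agrees within
    `tolerance` and (b) have a shipping document whose quantity matches.
    Journal postings with no invoice behind them are flagged separately,
    since an unsupported posting is a classic sign of a fictitious sale.
    """
    findings: List[Finding] = []
    for doc_id, inv in sorted(invoices.items()):
        posted = journal.get(doc_id)
        if posted is None:
            findings.append(_finding(doc_id, "MISSING_JOURNAL",
                                     "invoice has no sales journal posting"))
        elif abs(posted - inv["total"]) > tolerance:
            findings.append(_finding(
                doc_id, "JOURNAL_MISMATCH",
                f"invoice {inv['total']} vs journal {posted}"))

        ship = shipments.get(doc_id)
        if ship is None:
            findings.append(_finding(doc_id, "MISSING_SHIPMENT",
                                     "invoiced but no shipping document"))
        elif ship["qty"] != inv["qty"]:
            findings.append(_finding(
                doc_id, "QTY_MISMATCH",
                f"invoiced {inv['qty']} vs shipped {ship['qty']}"))

    for doc_id in sorted(set(journal) - set(invoices)):
        findings.append(_finding(doc_id, "ORPHAN_JOURNAL",
                                 "journal posting with no supporting invoice"))
    return findings


def exceptions_by_owner(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group exception document ids by the team that must act on them."""
    queues: Dict[str, List[str]] = {}
    for f in findings:
        queues.setdefault(f.route_to, []).append(f.doc_id)
    return queues


if __name__ == "__main__":
    for f in validate_three_way(SAP_INVOICES, SAP_SALES_JOURNAL, LEGACY_SHIPMENTS):
        print(f"{f.doc_id}: {f.rule} ({f.detail}) -> {f.route_to}")
```

Clean invoices produce no finding, so the exception list is exactly the work queue the text describes being forwarded to the responsible employees.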



Can Your Corporate Tax Department Achieve the Transparency and Consistency that Sarbanes-Oxley Compliance Requires?


Dave Leifer
Director,
Emerging Tax Compliance,
Vertex Inc.

In the wake of Sarbanes-Oxley legislation and with compliance deadlines looming, your enterprise’s ability to effectively track financial data is absolutely critical. As you focus on compliance efforts, though, don’t overlook your corporate tax department — it, especially, will feel the impact of Sarbanes-Oxley.

After all, with the enhanced scrutiny brought about by Sarbanes-Oxley, there is new pressure for every calculation to be accurate. But, traditionally, much of a tax department’s work is done manually, so it is particularly susceptible to human error. What’s more, calls for standardization and transparency mean that calculations by one individual one day must match the recalculations by another employee the next day. Errors and inconsistent processes open a company to discrepancies that can undermine compliance efforts. Tax technology can help you remedy this.

Ensure Consistent Processes and Data Tracking

Tax technology applications are designed to automate processes and record every modification to financial data so you can track processes and changes and make adjustments as needed. Activities are accomplished better and faster — and with additional controls in place.

In addition to providing documentation of internal, operational controls and processes, tax technology also supports consistency in systems, standards, and across-the-board reporting. Every area of a company — from the loading dock to the mailroom to IT to customer service — has tax implications, and every role in these departments requires a field of data for a tax solution. For common activities in sales, processing, or purchasing departments, tax technology more or less guarantees that this data will be captured and that the process will be the same time and time again.

What Should SAP Customers Look for in Tax Technology?

One key to transparency is using tools with robust documentation capabilities and standardized processes. Companies that rely on their SAP system to share financial data with a custom-built, in-house tax system — especially one that also must generate and manage tax transaction information — should seriously consider converting to an automated tax technology system.

Look for a documented, defensible automated tax system, with superior internal controls that meet the standards of Sarbanes-Oxley as well as other regulations, that can calculate and store data as well as report it to a government entity.

Ensure your technology provider will play a proactive role to make certain that numbers and data are correct. Check that the technology can examine five years of records in all directions and locate potential financial triggers.

Be sure to determine that the system integrates with your SAP financial applications, CRM, and front-office applications.

And finally, choose a proven provider. Sarbanes-Oxley has given rise to many vendors jumping on the corporate compliance bandwagon. Remember, you will be held accountable for any flaws in business process audits and documentation, so you’ll want to work with a trusted vendor.

By implementing automated tax technology, SAP customers not only increase the efficiency of tax preparation and reporting, they can create an information trail that can hold up under an audit in order to mitigate risk in corporate compliance initiatives.

Vertex Inc. is a provider of tax technology solutions, serving more than 10,000 customers worldwide. For more information about Vertex and its solutions, visit www.vertexinc.com.



Look Beyond Sarbanes-Oxley to Maximize ROI from Compliance Initiatives


Tim Welu
CEO,
Paisley Consulting

In the race to achieve Sarbanes-Oxley compliance, companies have two fundamental choices. They can view the new mandate as a costly but necessary evil and do the minimum necessary to achieve compliance. Or they can choose to see the Sarbanes-Oxley framework as an opportunity to improve overall risk management and business performance.

Clearly, compliance with the Sarbanes-Oxley Act makes perfect sense in the short-term. But to achieve long-term ROI from compliance initiatives, organizations must take a broader view of operational risk. Forward-thinking companies will recognize the need to not only comply with the regulations that affect them today, but also to lay the groundwork for the future — with a strategic approach to evaluating and implementing technology across the enterprise.

The Cost of Compliance

The impending June 2004 deadline to achieve Sarbanes-Oxley compliance has created a sense of urgency around IT spending similar to that of the Y2K crisis. According to Gartner, Fortune 1000 firms will spend at least $2 million on Sarbanes-Oxley compliance through 2005 (0.9 probability).[1]

But unlike Y2K, Sarbanes-Oxley is not a one-time event — it’s an ongoing process. To ensure ongoing compliance, businesses must update and recertify their data quarterly. Sarbanes-Oxley requirements are also expected to evolve over time as new provisions are added.

Risk Management Comes Into Focus — and Broadens Its Scope

At the same time, accountability for measuring risk — simply put, looking at the impact and likelihood of negative events — is expanding in scope.

The lessons from Enron, WorldCom, and other corporate crises have underscored the need for strong corporate governance and an enterprise-wide approach to risk management — a concept given new credibility by Sarbanes-Oxley. Chief risk officers (CROs) are increasing in prominence. And new positions are being created: chief governance officers, chief assurance officers, and VPs of risk and assurance management — all of them given increased visibility and responsibility in recent months.

Once the sole domain of corporate risk managers, measuring and managing risk is now everyone’s business. But where and how should you focus your attention to identify and reduce risk?

Enterprise risk management (ERM) generally breaks down into three basic types of risk:

  • Credit risk: The risk associated with the possibility that a borrower will default on any monies that are owed.

  • Operational risk: The risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. Sarbanes-Oxley compliance is a subset of operational risk (see Figure 1).

  • Market risk: The risk of loss arising from movement in market prices.

Figure 1
Three Components of Enterprise Risk Management

To help organizations discuss and evaluate their overall ERM efforts, the Committee of Sponsoring Organizations of the Treadway Commission (COSO; see www.coso.org), a private-sector group dedicated to improving financial management, launched a landmark initiative. As part of this initiative, COSO designed an ERM framework for action, targeting eight key components (see sidebar). The framework is an invaluable tool for organizations looking to get their risk management processes on track.

Because of the pervasive need for risk management across an organization, businesses need to view compliance initiatives as long-term investments, not quick fixes. Forward-looking companies are not just looking at the steps to compliance or the cost of compliance, but also at its potential benefits.

8 Components of an ERM Framework

  1. Internal environment: Evaluate risk management philosophy, board of directors, integrity and ethical values, commitment to competence, operating style, risk appetite, organizational structure, assignment of authority and responsibility, and human resource policies and practices.

  2. Objective setting: Determine strategic and other objectives, risk appetite, and risk tolerance.

  3. Event identification: Investigate factors influencing strategy and objectives, methodologies and techniques, event interdependencies, event categories, risks, and opportunities.

  4. Risk assessment: Assess inherent and residual risk, likelihood and impact, methodologies, techniques, and correlations.

  5. Risk response: Identify risk responses, evaluate possible risk responses, select responses, and view portfolio.

  6. Control activities: Integrate with risk response and identify control activities.

  7. Information and communication: Develop and implement integrated, strategic systems to disseminate risk information.

  8. Monitoring: Evaluate risk on an ongoing basis.

Rewards of Risk Management

An enterprise-wide focus can yield significant benefits including:

  • Greater accountability by making each area manager responsible for documenting and evaluating financial controls in his or her own area. People closest to each business unit manage the data, which improves accuracy and completeness.

  • Comprehensive risk identification and management so control measures and action plans can be initiated to resolve problems — and so progress can be easily tracked.

  • Enhanced fraud protection with systematic data management that ensures multiple reviews and verification.

  • Greater precision in reporting to management.

  • Empowered employees with more localized knowledge and a greater understanding of the impact of their roles on corporate results.

Companies that implement sound risk management practices will have good internal controls and will likely exceed Sarbanes-Oxley’s mandates. By identifying, understanding, and managing underlying risks, organizations have an opportunity to improve both top- and bottom-line results. And, by integrating compliance initiatives with operational processes such as auditing, businesses can further enhance ROI.

Strategic Technology Investments Provide Long-Term Value

As businesses grapple with an array of compliance challenges, many look to technology to ease the burden. A new generation of tools has emerged to help streamline the compliance process.

Industry experts believe that a short-term “panic” mentality surrounding Sarbanes-Oxley will dramatically increase the cost of compliance and will not provide long-term returns. According to Gartner, enterprises that choose one-off solutions to each regulatory challenge will spend ten times more on their compliance projects than organizations that take action in advance (0.9 probability).2

Be mindful that Sarbanes-Oxley compliance is only one component of an overall ERM strategy. By taking a broader view, organizations can use the compliance process to create value and improve business results. Choosing a solution that addresses immediate compliance needs while also providing a platform for long-term risk management is the key to minimizing costs and maximizing benefits from Sarbanes-Oxley and other emerging regulations.

Paisley Consulting offers software for Sarbanes-Oxley compliance, operational risk management, and audit automation including Risk Navigator and Focus Control Assurance Software. For more information, call +1 888 288-0283, email sales@paisleyconsulting.com, or visit www.paisleyconsulting.com.


1 Debra Logan, You’ll Have to Spend to Attain Sarbanes-Oxley Compliance, Gartner, Inc., Oct. 3, 2003.

2 Debra Logan, Rich Mogull, Lane Leskela, Sarbanes-Oxley Vendor Evaluation Framework, Gartner, Inc., Oct. 8, 2003.



The Global Impact of Sarbanes-Oxley on Transactional Tax Services


Jon Abolins
Vice President of Government Affairs and Tax,
Taxware

Sarbanes-Oxley touches on the responsibilities and functions of corporate executives, auditors, and audit committees — all of which have implications for U.S. companies as well as for international companies whose shares are publicly traded on U.S. exchanges.

Consider the global impact of Sarbanes-Oxley on transactional tax services (sales, use, and VAT) provided by public accounting firms. Law and regulations suggest that it is problematic for the independent auditor to simultaneously: provide bookkeeping or other services related to the client’s accounting records or financial statements; design or implement financial information systems; perform internal audit outsourcing services or management functions; or provide legal or expert services unrelated to the audit.1

However, the law goes on to say:

“A registered public accounting firm may engage in any non-audit service, including tax services, that is not described in any of the (above) stated services... only if the activity is approved in advance by the audit committee of the issuer.”2

Some have argued that this language authorizes the audit committee to give blanket approval for tax services performed by auditors. However, by qualifying it (“only if...”), the law in fact neither prohibits nor approves these activities in such a blanket fashion.

How, then, does a company’s audit committee decide whether to authorize its current auditor to provide transaction tax services for them? There are two ways of reaching this answer: (1) reasoning by analogy, and (2) reasoning by application of basic principles.

An analogical approach would observe that the express prohibition of bookkeeping services, for example, is equally applicable to transaction tax bookkeeping services.

An application of basic principles would consider Senator Sarbanes’s “simple principles”3 that underscore the Act:

  1. An auditor cannot function in the role of management
  2. An auditor cannot audit his or her own work
  3. An auditor cannot serve in an advocacy role for his or her own client

Thus, if a company contracted for assistance with VAT bookkeeping services with the foreign branch of the domestic firm that performed the independent auditor function for SEC reporting, the auditor would be auditing his or her own work. This non-audit service would be prohibited. Similarly, when considering contracting with a technology intensive transaction tax service provider, companies must be cautious. If the research embedded within the technology is derived from the accounting firm performing the audit then, in effect, the auditors could be construed to be auditing their own work. Such a relationship could require audit committee approval before the engagement commences.

For more information, contact the author at jona@taxware.com, or visit www.taxware.com.


1 17 CFR Sec. 210.2-01(c)(4)(x).

2 Sarbanes-Oxley, Section 201(a).

3 Senate Report 107-205, 107th Cong., 2d Sess., July 3, 2002.


Jon Abolins is the Vice President of Government Affairs and Tax for Taxware, where he is responsible for all tax decisions in all company programs. In this key function, Mr. Abolins applies his knowledge of tax law to products that address all transaction-based taxes (i.e., sales and use, gross receipts, excise, VAT, and so on). Mr. Abolins frequently gives lectures and presentations at conferences and seminars to entities such as the Conference Board and Harvard Law School’s International Tax Program. He also speaks at sales and use tax or e-commerce tax automation policy meetings to such entities as the United States Congress, the Streamlined Sales Tax Initiative, the Federation of Tax Administrators, the National Governors’ Association, the U.S. Conference of Mayors, the National Conference of State Legislatures, and the Multistate Tax Commission. Mr. Abolins is a member of the Organization for Economic Cooperation and Development’s Consumption Tax Technical Advisory Group.



Sarbanes-Oxley Compliance: A Bridge to Excellence


Lee Dittmar
Lead Consulting
Principal, Sarbanes-Oxley Initiative,
Deloitte

Public companies are scrambling to deal with the mandates of the Sarbanes-Oxley Act. This is an unfortunate consequence of the strong medicine prescribed by the U.S. Congress to improve corporate governance and restore investor confidence. Many companies have found that the sheer volume of work, which has exceeded early estimates and expectations, has necessitated a compliance process that favors speed over deliberation. In the rush to action, however, two important concepts could be left behind: context and perspective. Having reaped the benefit of experience from over 500 readiness projects, we at Deloitte have learned many lessons, and here’s the most important: Compliance is not the end game.

Compliance is critical. But companies will garner even greater rewards by using Sarbanes-Oxley compliance work as a bridge to better business performance. If you use readiness and compliance efforts to take a hard look at business processes and systems, you will find opportunities to improve information quality, reduce risks, and cut costs — sometimes dramatically. That is why Deloitte recommends that companies approach Sarbanes-Oxley on three levels (see sidebar):

  • Full compliance — Compliance is essential. Sarbanes-Oxley is complex (11 titles, 60 sections) and implementation rules are still coming. Be sure to address all applicable requirements.

  • Sustainability — Design, build, and maintain the organizational, process, and system infrastructure necessary to sustain compliance and provide high-quality financial information.

  • Improvement — Continuously seek to eliminate unnecessary complexity in data, processes, and systems. Unnecessary complexity exists where the costs and/or risks exceed the benefits.

Deloitte’s Recommended Approach to Sarbanes-Oxley
The foundation is compliance, but the journey should continue through sustainability and improvement. Improved corporate governance oversees the entire effort aimed at maintaining the confidence of capital markets.

For SAP customers, the impacts and implications of Sarbanes-Oxley lead to questions such as:

How can my company use SAP to enable sustainable compliance?

How can we improve financial information from SAP systems?

How can SAP systems accelerate the closing process?

How do we reduce complexity to minimize the risk of financial reporting problems?

How do SAP’s new solutions fit into the compliance equation?

How does Sarbanes-Oxley affect upgrade strategies and plans?

Fully addressing these challenges and opportunities requires expertise from many disciplines, including accounting, assurance, financial reporting, controls, risk management, information technology, corporate governance, education and training, program leadership, project management, tax reporting, and process experience. Deloitte integrates these disciplines to provide our clients with the services they require to meet corporate governance standards.

While compliance is critical, it is just one step toward a greater reward. Deloitte’s three-level compliance perspective is explained in the new publication Deloitte’s Point of View: Sarbanes-Oxley Compliance: A Bridge to Excellence. For more information about this publication, please visit www.deloitte.com/sarbox.



Distribute Accountability for Greater Accuracy: Involve All Levels of Your Organization to Improve Compliance Processes


Todd Paoletti
Senior Manager, Solutions Marketing,
Actuate Corporation

The goal of Sarbanes-Oxley is to build trust in the accuracy of financial statements among regulators, customers, and shareholders. Financial reports must be consistently accurate, timely, and detailed. Day in and day out, companies must use financial check-and-balance controls to minimize the risk of overstating revenue or understating expenses.

But how do organizations maintain consistent financial reporting, especially over the long haul? The process starts with planning and documenting a roadmap of best practice financial controls. Then, automating the steps prescribed by these controls gets firms closer to consistency. Distributing financial reports to an expanded user base for wider validation ensures greater accuracy. None of these steps will mean much, though, without full adoption of reports by users who can easily incorporate this information into their current check-and-balance workflows.

Automation: Once financial controls are in place, companies can automate review processes by providing secure, role-based access to reports for financial reconciliation, thereby reducing the risk of manual errors.

Distribution: By extending financial reconciliation beyond the finance department, companies can distribute the accountability for accurate reporting directly to those employees who are responsible for spending and tracking revenue, such as departmental and cost center managers and their staff.

Adoption: Providing an intuitive Web interface and user experience with useful, accessible, and workable information ensures successful adoption across your enterprise. As more managers make the review process part of their daily routine, the accuracy of the validation process is improved.

Finance departments already use Actuate’s Enterprise Reporting Application Platform to integrate mySAP, SAP R/3, and SAP BW financial data with transactional, operational, supply chain, and other SAP and non-SAP information sources, providing a comprehensive and up-to-date view of the financial landscape (see Figure 1). With Actuate, the finance department can leverage one-click compliance dashboards, be alerted about material events and their effects, drill down to view an individual invoice or line item, and work in fully functional Excel spreadsheets with ready-to-use analytics and “what if” query capabilities — all requiring zero training to use.

Figure 1
Sarbanes-Oxley focused Enterprise Reporting Applications built with Actuate integrate data from SAP and non-SAP sources and make it available to users across the organization

The real benefit for financial managers is that with Enterprise Reporting Applications built with Actuate, all users across the extended enterprise — not just the analysts who understand OLAP tools — can verify financial statements on a daily basis, with access to instantly usable Web reports, dashboards, Excel spreadsheets, analytics, and SAP Enterprise Portal content. Such broad validation of revenue and expenses improves stakeholder confidence, regulatory compliance, and operational performance.

For more information about how Actuate maximizes the value of all your enterprise information, visit www.actuate.com/sapsox.



SAP Authorizations and Sarbanes-Oxley: How to Monitor Internal Controls for Compliance


Jan Smolders
Senior Consultant, CSI


Werner van Haelst
Principal, CSI

The Sarbanes-Oxley Act forces management to periodically evaluate and confirm their company’s internal control system. Companies that heavily rely on their SAP environment should ask questions like “Are we in control?” and “Are our internal business processes and data still reliable?” To answer these questions, companies must take a methodical, risk-analysis approach to measuring the success of business process controls, whether these are:

  • Inherent controls built into their SAP software

  • Configurable controls, including those set up with SAP customizing tools and those defined via the SAP authorization concept

  • Manual controls, including those for reporting tools

When assessing our clients’ SAP control environments, Control Solutions International (CSI) has found that the most cost-efficient approach focuses on the areas of the internal control system where the risk of impact on the financial reporting is high, or where SAP customizing and authorization concepts are poorly configured, leaving transactions, tables, documents, master data, and resources potentially open to unauthorized use.

Based on assessments of clients across a range of industries, CSI has found that authorization concepts are often inadequately implemented, despite the fact that they are critical anchor points for an SAP internal control framework.

So, with a vast universe of authorization concepts currently at work in your SAP system, how do you determine which authorizations are high-risk? For this, you need subject matter expertise on SAP internal control issues, complementary tooling on top of SAP standards, and Sarbanes-Oxley compliance monitoring functions.

To meet these needs, CSI has developed and successfully deployed a step-by-step methodology for evaluating SAP authorizations based on internationally recognized internal control frameworks such as COSO and CobiT, as well as on the Sarbanes-Oxley definition of internal control.

The CSI methodology is fully supported by the CSI Authorization Auditor, a tool that allows you to quickly identify authorization risk areas. Using parameters such as inherent risk to SAP functionality1, impact (based on CobiT information criteria), and relationship to financial statements (based on SAP module and submodule), it allows you to assess the relevance of the various pieces of SAP functionality to various compliance frameworks. For relevant functions, the Segregation of Duties evaluation capabilities in the Authorization Auditor (see Figure 1) highlight conflict chains at the business process level and across SAP systems, and report the results back to users in different reports.

Figure 1
CSI Authorization Auditor Monitors Control Risks

The methodology is transparent, easy to understand, and flexible enough to tailor to a variety of organizations with industry- or organization-specific risk patterns. With this transparent and practical CSI methodology, organizations receive insight into Sarbanes-Oxley-relevant risks and issues in their current SAP authorization concept for improved and tightened internal controls for their business processes.

Control Solutions International (CSI) specializes in implementing and assessing SAP control environments. For more information on CSI’s services, training, and tools, visit www.csi4sap.com, or contact Mark Russo, CSI America (mrusso@us-csi.com); Johan Hermans, CSI Belgium (jhermans@be-csi.com); or Marcel Huyskens, CSI Netherlands (mhuyskens@nl-csi.com).


1 Defined as risks regarding development, system administration, master data, transaction data, and display access.



Robust Financial Reporting with SAP and Business Objects


Gordon Breese
Vice President
SAP Alliance,
Business Objects

Are you inundated by companies touting costly products and services that promise to solve all your Sarbanes-Oxley, Basel II, and other financial, compliance, and regulatory issues?

Fortunately SAP customers have found there’s an effective, cost-efficient way to leverage their existing reporting and analysis capabilities while meeting their financial reporting and compliance needs.

In close partnership with SAP, Business Objects offers powerful, user-friendly reporting solutions — uniquely integrated with SAP R/3 and SAP BW — that maximize and extend your existing financial reporting systems. Now SAP and Business Objects are offering enterprise reporting solutions that leverage the analysis and data warehousing capabilities of SAP Business Intelligence. These solutions are also endorsed and aligned with the SAP NetWeaver strategy.

Comprehensive Reporting for SAP BW

Integrated with SAP BW 3.0, Crystal Enterprise provides 100+ report templates, plus the ability to create 10 custom reports (see three examples in Figure 1). The Crystal Enterprise bundled solution may be all you need to satisfy your current reporting and analysis needs.

For even greater functionality, SAP and Business Objects developed Crystal Enterprise — Enhanced SAP Edition. This enables you to create comprehensive, custom reports from all your financial and enterprise data (not just SAP BW), and then securely distribute those reports to everyone who needs them. End-users can even create and customize financial reports on their own, without tapping into IT or ABAP resources.

Figure 1
Sample Financial Reports Based on SAP BW and SAP R/3 Data Created Using Crystal Enterprise — Enhanced SAP Edition

Reporting for SAP R/3

Business Objects also offers reporting capabilities that are tightly integrated with SAP R/3 to help you save time, money, and resources through easy user-driven report creation.

The Standard in Business Intelligence

With its acquisition of Crystal Decisions in December 2003, Business Objects has become a clear market leader in business intelligence. Business Objects offers a complete range of reporting and financial analysis solutions that leverage the information stored in an array of corporate databases, enterprise resource planning (ERP) systems, and customer relationship management (CRM) systems.

For More Information

To learn more, contact either your Business Objects representative (at +1 800 877-2340 or +1 604 681-3435) or your SAP sales representative. You can also visit the joint SAP-Business Objects Web site at www.businessobjects.com/sap.



Serious Solutions for Serious Compliance
The New Reality of Continuous Controls Compliance


Mark L. Feldman, Ph.D.
Chief Marketing Officer,
Virsa Systems

Welcome to the new era of compliance and control. Regulatory pressure has never been greater. Internal pressure has never been more serious. The penalties have never been more severe. The pressure is real.

For starters, the Sarbanes-Oxley Act mandates documented certification of the accuracy of reported financial and non-financial information, and of the effectiveness of disclosure controls and procedures. Then, it ratchets up the pressure by requiring assessment of the adequacy of internal controls and procedures for financial reporting. Next, it tightens the vise by requiring external auditors, under Section 404, to attest to the company’s compliance. Further, the severity is underscored with the threat of criminal penalties for non-compliance. Finally, with the deadline for Section 404 compliance now looming, IT is fast becoming a tool of corporate governance. It must provide solutions that match the true complexity and seriousness of the task at hand.

Benefits of Enterprise Control Manager

  • Greater control, visibility, and efficiency throughout the organization
  • Seamless integration between enterprise applications and compliance reporting
  • Customizable dashboard with instant visibility and multiple views
  • Reports and tracking on remediation activities
  • Continuous monitoring of enterprise applications for deficiencies
  • Rules-based simulation to proactively identify and address potential deficiencies
  • Built-in workflow notifications and exception reporting
  • Assessment of controls with test documentation and notification capabilities

The Problem: Static, Disconnected Solutions

Most compliance solutions are incomplete. They simply document controls and have over 40% overlap in functionality, providing little synergy toward ongoing compliance. In an attempt to demonstrate compliance, the IT department will sling together a mix of business process mapping tools, documentation tools, and homegrown spreadsheets. These are halfway measures. They are best suited for static structures, not ongoing processes. They lack true integration, require manual intervention, and miss the most important elements of continuous compliance — ongoing monitoring and proactive assessment of controls to prevent violations before they occur.

Controls compliance is a moving target. That’s why ongoing assessment of controls is vital to confident certification. The most effective way to stay clean is with a continuous monitoring and alert system that proactively flags and prevents control violations and maintains continuous compliance. This requires real-time capability to leverage the built-in control mechanisms in ERP systems and catch and report predefined deficiencies as they occur.

“Given the numerous regulatory compliance initiatives, most firms are challenged on how best to consolidate requirements and leverage IT. For Sarbanes-Oxley, one of the most important considerations for sourcing an internal controls solution is the extent to which the assessment process can be effectively supported. Since many of the controls are inherent in ERP solutions, connectivity to ERP should be a foremost requirement.”

— John Van Decker, Vice President,
META Group

The Solution: Integrated, Automated, and Continuous Assessment

Virsa Systems’ Enterprise Control Manager (ECM) is purpose-built to meet these requirements. Unlike other solutions, it continuously monitors and reports on activities in enterprise applications, and it automates the most time-consuming task related to Sarbanes-Oxley compliance: controls assessment. ECM Dashboard has an Executive Cockpit with a high-level overview of compliance status. Plus, it has unlimited drill-down capabilities to facilitate further analysis, pinpoint the root cause of control violations, and perform remediation activities in real time.

Virsa’s Offerings: Solution, Services, and Value
  • ECM is a unique solution that automates the assessment of Sarbanes-Oxley compliance for your enterprise systems.
  • ECM enables optimal corporate governance by enforcing Sarbanes-Oxley, HIPAA, Basel II, and Patriot Act compliance under a single architecture.
  • ECM requires very little training and is easy for senior executives, auditors, and other key players to use.
  • Virsa provides a complete solution of products, support, and related services.
  • Virsa recruits, retains, and invests in its high-quality staff, providing an expert team to help customers meet all of their compliance needs.
  • Virsa gets continuous feedback from its clients and incorporates this customer insight into future product enhancements.
  • ECM provides high ROI with complete automation of control assessments.
  • Virsa solutions offer continuous compliance, minimizing ongoing compliance costs and fraud risks.
  • ECM implementation is fast and straightforward. It can rapidly adapt to your changing business needs.

ECM is an open-platform solution that seamlessly integrates with your SAP enterprise applications, as well as with Oracle, Siebel, PeopleSoft, J.D. Edwards, and others (see Figure 1). This simplifies the extraction of data from enterprise applications and enables ECM’s built-in workflow notification processes to automatically inform process owners whenever a deficiency is detected. Thus, timely deficiency reporting, resolution documentation, and audit trails are available to strengthen compliance and satisfy auditors.

Figure 1
Enterprise Control Manager Architecture

Virsa Systems’ superiority in controls compliance is evident in ECM’s powerful simulation capabilities. By seamlessly integrating with your internal change control process, ECM enables you to determine in advance the impact of contemplated changes to Sarbanes-Oxley compliance. Moreover, it generates an audit trail of the change control process, providing external auditors with comprehensive evidence of compliance. The power of ECM, though, is especially evident in its simplicity, ease of use, and effortless customizability.

ECM combines security and compliance controls with a cost-effective enterprise solution to address regulatory requirements.

From its fast configuration to its continuous compliance functionality and its easy application to regulatory compliance requirements, Virsa Enterprise Control Manager offers a highly effective enterprise solution for corporate governance, security, and controls compliance, a solution that is purpose-built for tough regulatory environments — today and tomorrow.

For more information, please contact us at +1 510 651-5990, email Info@virsasystems.com, or visit www.virsasystems.com.



Get Ready & Stay Ready: Leading Companies Automate Visibility into Internal Controls to Ensure Compliance, Maximize Revenue, and Manage Business Risk


Prashanth V. Boccasam
CEO,
Approva Corporation

Over the past several decades, companies around the world have implemented enterprise applications such as SAP R/3 to automate their business processes. Over time, the emphasis has shifted from a technology-centric to a business-centric approach to implementing solutions. Companies recognize that the challenge has evolved beyond simply automating processes and ensuring operational efficiency. Today, leading companies understand that they must maximize revenue and minimize business risk — while ensuring compliance with key government regulations in an automated business process environment.

“The ability to gain continuous visibility into automated business processes and internal controls is critical to successful management execution. We recommend to our clients that they deploy a solution such as BizRights to help them better manage operational risk while assuring that they are in compliance with increasing government regulations.”

— Partner, “Big Four” Audit Firm

Today’s Challenges

A difficult economic climate, coupled with the increased scrutiny of corporate governance, puts the focus on eliminating surprises, both operational and financial — surprises that can translate into negative financial impact and the threat of jail time for the CEO or CFO. How can companies eliminate surprises within automated business processes? Increasing visibility enterprise-wide is perhaps the single greatest way. Whether it relates to cost, or revenue, or operations, the ability to identify problems as they are developing is critical to consistently eliminating surprises.

With the passage of the Sarbanes-Oxley Act of 2002, risks resulting from a lack of proactive visibility have increased exponentially. And unlike the challenges of Y2K, compliance with Sarbanes-Oxley is an ongoing process — not a one-time event. This has led corporations, as well as their audit firms, to increase the focus on assessing and aligning corporate processes and internal controls to ensure ongoing compliance. Management (and their auditors) can no longer assume that the lack of problems is an indication that appropriate internal controls are in place. As a result, companies have identified the need for improved visibility into internal controls in their SAP and non-SAP business processes, both as a requirement of Sarbanes-Oxley and as a means of monitoring compliance and business risk across the enterprise.

“We view compliance as a business enabler that should involve IT, Finance, Business Units, and Internal Audit. Approva helped us implement a business-friendly approach that enables collaboration across our business, letting us better manage our internal controls and ensure compliance.”

— Manager, Internal Audit

Efforts to manage business risk, compliance, and internal controls within enterprise applications must focus on three areas:

1. System users: What are users capable of doing? What sensitive transactions can they execute? What sensitive data can they see? Do Separation of Duties conflicts exist between user roles and profiles?

2. System settings: What application configuration settings are inappropriate for my business? Are there any “open windows or unlocked doors”?

3. Transactions executed: What sensitive transactions were processed in the last hour/day/week that I should know about?
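The Separation of Duties question in item 1 above, and the conflict-chain evaluation across roles described in the CSI piece earlier, reduce to a rule check over who holds which business functions. The following is an added example (not code from CSI, Approva, or SAP) with constructed users, roles, transaction-code classifications and rules; it reports each violated rule, distinguishes conflicts that exist only through the combination of two roles from those inside a single role, and previews the impact of a contemplated role assignment before it is made.

```python
"""Segregation-of-duties (SoD) evaluation over SAP-style authorizations.

Added example, not a vendor's tool. Users, roles, transaction codes and
rules below are constructed for illustration. Model: user -> roles ->
transaction codes -> business functions; an SoD rule names two functions
that no single person should be able to perform.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed classification of transaction codes into business functions.
# Display-only codes map to a function that appears in no rule.
TCODE_FUNCTION: Dict[str, str] = {
    "FK01": "vendor_master_maintain",
    "FK02": "vendor_master_maintain",
    "FK03": "vendor_master_display",
    "MIRO": "vendor_invoice_post",
    "F110": "vendor_payment_post",
    "ME21N": "purchase_order_create",
    "MIGO": "goods_receipt_post",
}

# SoD rules: (function A, function B, risk rating). Constructed ruleset.
SOD_RULES: List[Tuple[str, str, str]] = [
    ("vendor_master_maintain", "vendor_payment_post", "high"),
    ("vendor_invoice_post", "vendor_payment_post", "high"),
    ("purchase_order_create", "goods_receipt_post", "medium"),
]

# Constructed roles (sets of transaction codes) and user-to-role assignments.
ROLES: Dict[str, Set[str]] = {
    "Z_AP_CLERK": {"MIRO", "FK03"},
    "Z_AP_PAYMENTS": {"F110", "FK03"},
    "Z_VENDOR_MASTER": {"FK01", "FK02"},
    "Z_PURCHASER": {"ME21N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_SUPER": {"FK01", "F110", "MIRO"},   # conflicting on its own
}
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},    # conflict only via two roles
    "bob": {"Z_PURCHASER", "Z_WAREHOUSE"},
    "carol": {"Z_VENDOR_MASTER"},                # clean
    "dave": {"Z_SUPER"},                         # conflicts within one role
    "erin": {"Z_AP_CLERK", "Z_VENDOR_MASTER"},   # no rule covers this pair
}


@dataclass(frozen=True)
class Conflict:
    user: str
    function_a: str
    function_b: str
    risk: str
    roles_a: FrozenSet[str]   # roles granting function_a
    roles_b: FrozenSet[str]   # roles granting function_b

    @property
    def cross_role(self) -> bool:
        """True when no single role carries both functions, i.e. the conflict
        arises only from the combination of roles (a conflict chain)."""
        return not (self.roles_a & self.roles_b)


def functions_held(user, user_roles=USER_ROLES, roles=ROLES,
                   tcode_function=TCODE_FUNCTION) -> Dict[str, Set[str]]:
    """Map each business function the user can perform to the roles granting it."""
    held: Dict[str, Set[str]] = {}
    for role in user_roles.get(user, set()):
        for tcode in roles.get(role, set()):
            function = tcode_function.get(tcode)
            if function is None:
                continue   # unclassified code: cannot be evaluated by rules
            held.setdefault(function, set()).add(role)
    return held


def evaluate_user(user, user_roles=USER_ROLES, roles=ROLES, rules=SOD_RULES,
                  tcode_function=TCODE_FUNCTION) -> List[Conflict]:
    """Return every SoD rule the user violates, with the roles responsible."""
    held = functions_held(user, user_roles, roles, tcode_function)
    return [Conflict(user, fa, fb, risk, frozenset(held[fa]), frozenset(held[fb]))
            for fa, fb, risk in rules if fa in held and fb in held]


def evaluate_all(user_roles=USER_ROLES, roles=ROLES, rules=SOD_RULES,
                 tcode_function=TCODE_FUNCTION) -> Dict[str, List[Conflict]]:
    """Evaluate every user; an empty list means the user is clean."""
    return {u: evaluate_user(u, user_roles, roles, rules, tcode_function)
            for u in sorted(user_roles)}


def simulate_assignment(user, new_role, user_roles=USER_ROLES, roles=ROLES,
                        rules=SOD_RULES, tcode_function=TCODE_FUNCTION) -> List[Conflict]:
    """Preview the conflicts that granting new_role would add, without touching
    the live assignments (check the change before it is made)."""
    before = set(evaluate_user(user, user_roles, roles, rules, tcode_function))
    trial = dict(user_roles)   # shallow copy; only this user's entry is replaced
    trial[user] = set(user_roles.get(user, set())) | {new_role}
    after = set(evaluate_user(user, trial, roles, rules, tcode_function))
    return sorted(after - before, key=lambda c: (c.risk, c.function_a, c.function_b))


if __name__ == "__main__":
    for user, conflicts in evaluate_all().items():
        for c in conflicts:
            kind = "cross-role" if c.cross_role else "single-role"
            print(f"{user}: {c.risk.upper()} {c.function_a} + {c.function_b} "
                  f"({kind}: {sorted(c.roles_a)} / {sorted(c.roles_b)})")
    for c in simulate_assignment("carol", "Z_AP_PAYMENTS"):
        print(f"simulated: carol + Z_AP_PAYMENTS would add a {c.risk} conflict "
              f"{c.function_a} + {c.function_b}")
```

A cross-role conflict is remediated by changing the assignment, a single-role one by redesigning the role itself, which is why the report keeps the two apart.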

In the words of one Big Four auditor, “Companies need to know not only what their users can do, but also what their users are actually doing. And they need to know this all the time, not just after we complete a controls review.”

Gaining Continuous Visibility

So how do you gain continuous visibility into business processes and internal controls? How do you continuously identify, document, test, manage, and monitor your internal controls? How do you ensure you are in compliance, this year and in the future?

“In the past, we’ve had no automated process to help efficiently identify Separation of Duties violations and unnecessary access to sensitive transactions and authorizations. We were impressed by the detailed insight we can get into our roles and authorizations. With Approva’s Business Controls Workbench, users can create and monitor business rules without having to become an SAP Basis Security and application expert.”

— Manager, Application Security

The first step is to recognize that continuous visibility into automated business processes requires an automated solution. The traditional approach of manual efforts supplemented by rudimentary tools is no longer thorough enough, scalable, or cost-effective.

Second, this problem is not simply the responsibility of a single individual or department. Effectively addressing the challenge requires the involvement of IT, Internal Audit, Finance, and the business units themselves.

The third step is to thoroughly evaluate options for gaining continuous visibility into automated business processes. Many leading companies have chosen Approva’s BizRights, an enterprise software solution that helps manage business risk, ensure regulatory compliance, and increase operational efficiency. By continuously monitoring user authorization data, configuration settings, and business transactions within SAP R/3, BizRights helps companies identify and remediate internal control violations. When exceptions are detected, BizRights proactively notifies the appropriate decision-makers so the problem can be quickly resolved.

The BizRights Continuous Controls Monitoring solution (see Figure 1) provides an integrated, comprehensive, and easy-to-use monitoring and prevention solution for business users, auditors, and security professionals alike:

Figure 1: Managing Business Controls with BizRights

  • Business Controls Workbench, including predefined rules and compensating controls

  • Business-friendly user interface to enable involvement from business units, Finance, and Internal Audit

  • 360° Insight analysis capabilities to test and analyze roles and transactions at the authorization object level in SAP

  • Workflow capability to allow for automation of approvals and notifications

  • Flexible reporting to provide both real-time analysis and long-term documentation

  • Continuous monitoring to ensure ongoing compliance, particularly as your SAP user base grows

  • System-independent solution that can be used across the enterprise, without impacting the performance of the ERP system itself

Deployed in a matter of days, BizRights helps:

  • Reduce the ongoing cost of audit and compliance

  • Reduce the amount of manual labor to gather and analyze information

  • Consolidate internal controls documentation to a central repository

  • Reduce the burden on IT by allowing business units to monitor their own business exceptions and internal control violations

As an added benefit, companies are finding that implementing an automated internal controls solution helps ease the process of upgrading their ERP software and rolling it out to additional users. The solution provides the capability of “cleaning” the system prior to upgrading to the new version. When deploying the ERP system more broadly across the organization, it is now easier to manage and monitor a larger user base, and to more effectively reduce risk.

To find out more about how leading companies are gaining continuous visibility into their automated business processes and internal controls by deploying an automated solution, please contact Approva at info@approva.net or visit us at www.approva.net.
