Compliance is complex: the rules and requirements can vary based upon your industry, the products you produce, the processes you operate, and the places where you do business. And it is constantly changing. Speed and reaction times are essential qualities needed to manage today's regulatory landscape.
Compliance is not a one-year or one-time phenomenon. This isn't Y2K. According to John Hagerty of AMR Research, US companies will spend an estimated $6.1 billion on software and professional services to address regulations that govern their enterprise. This figure represents a 10 percent increase in spending from 2004, and only a fraction of the $15 billion that will be spent on a global basis.1
Regulatory compliance and effective corporate governance are as important to your business as your ability to break into new markets, optimize supply chains, or support the expansion of your growing business. The risk and cost of poor compliance and governance should be evident simply by looking at recent history. So the question is: what are you doing to prevent compliance disasters in your business? And what can you do better this year to reduce your risk of noncompliance or poor governance? Between changes in regulations (or even interpretations of regulations), increased compliance spending, and adjustments in your own business, gaining control over compliance presents a challenge. What you did right last year could be completely insufficient this year.
Avoid Bumps in the Road Ahead
Compliance is not going to get any easier, either, so there is business justification to improve your ability to manage future compliance challenges. The short-term investment you make in your controls, reporting, and security will save you in the long term.
By being smart about compliance today — as you attack new regulations across a variety of areas — it becomes much more manageable, with marginal cost and marginal effort, as opposed to having to tackle compliance over and over and over again, which demands big budgets and big resources.
I believe that SAP can provide the tools you need to maintain compliance. We've had CFOs tell us that implementing SAP financial management processes and solutions has helped them prevent Sarbanes-Oxley from becoming an issue. They tell us that they have sound controls and insight into their data, and can help their auditors understand how they've generated their finances — and they are able to do it quickly.
Whether you have SAP in whole or in part, here are five tips you can use to prevent compliance from unnecessarily draining your resources:
1. Add Compliance to Your Business Case Checklist
Whether you are in the market for an ERP system, looking to upgrade your current ERP installation, or implementing any piece of enterprise software, it is very important that you consider compliance in your selection process. No matter the size of your company, compliance affects you and should be considered as one of the pillars for adopting an ERP system. For example:
- For small companies, our current regulatory climate poses a major inhibitor of growth. Look for ERP and software solutions that will do most of the regulatory work for you as you expand. Avoid one-offs and other solutions that you will either have to replace or significantly upgrade as you grow. Make sure your major processes can be easily linked together and controlled. For example, you want to avoid major gaps or manual handoffs between sales and finance, or between accounting and financial reporting. The more seamless and integrated your processes are, the easier it is to control and mitigate risk.
- For medium-sized companies, especially those looking to expand internationally or that are pre-IPO, seek out compliance solutions that can address dramatic changes in your business processes and can be easily translated to handle rapid expansion. Look for solutions that can operate in multiple geographies and support local regulatory requirements.
- For larger public companies, especially those that have gone through the first Sarbanes-Oxley cycle and are licking their wounds, you don't want to be spending $10 million for compliance every year. Seek solutions that will enable you to make compliance part of the fabric of what you do. Manage internal controls as if you had a general ledger for processes. Install a system to centrally collect, examine, and report your control measures, a system that is periodically updated, internally reviewed, and used for proactive mitigation of control risks and gaps.
Given today's environment, compliance and corporate governance should be listed as a business requirement category in any enterprise software decision. By contemplating compliance requirements at the initial stages of your enterprise software project, you can reduce the possibility of gaps and issues that could arise once you are fully in production. We have never advocated upgrades purely for the sake of upgrading, but since mySAP ERP and the mySAP Business Suite contain compliance tools such as SAP Management of Internal Controls (MIC), these compliance capabilities may result in a reduced total cost of compliance that would make upgrading worth it.
2. Don't Reinvent the Wheel
Take a look at the tools that you're using today — you may already have access to compliance capabilities within your existing system. For example, if you're using mySAP ERP Financials, you've already got SAP MIC. It's just a matter of turning it on and configuring it.
SAP's rich partner community plays an important role here, too. SAP Compliance Calibrator by Virsa Systems, for example, is a partner solution that provides an elegant tool for real-time monitoring of internal control violations and 24x7 examination of segregation of duties violations in order to thwart corporate fraud. The software reduces IT and audit costs and makes possible high standards of corporate governance. Embedded directly in SAP systems, the solution enhances the extensive compliance capabilities already found in mySAP ERP.
SAP has also been working actively with leading auditing firms like PricewaterhouseCoopers, who are providing SAP with best practices.
These auditing firms make available recommended control processes for a wide assortment of business functions, such as purchasing and procurement. These control processes can be uploaded into the SAP MIC tool and serve as a benchmark that you can use to evaluate the quality of controls and compare how well your current business processes map against an auditor's best practice recommendations.
3. Keep Your Hand on the Controls
A central requirement of Sarbanes-Oxley Section 404 is the requirement to document, assess, and remediate internal controls. Within mySAP ERP, that solution is MIC. Section 302 of Sarbanes-Oxley requires you to get signoffs down to the most molecular level — not only in finance, but in all your operations.
Keep in mind that if you are running a heterogeneous environment, you need a glue to hold your diverse systems together, and you have to be smart about how you link things. That is the ultimate end game. Our suggestion is to move your platform to SAP NetWeaver. In today's regulatory landscape you will need complete access to information at every corner, at every turn. You're not going to get that done by having four or five different systems running your processes. It's better to stick with one platform.
4. Reporting, Reporting, Reporting
Be smart about your consolidated reporting. Do it so it is accurate, it's reconcilable, it's fast, and most importantly, it takes the cost out of
If you are running Strategic Enterprise Management - Business Consolidations System (SEM-BCS), you have a distinct advantage in ensuring closed-loop control over financial statement generation. In addition, you can reduce compliance risk by accelerating the closing cycles of your business - you can close the books faster and more accurately, and allow more time for validation and signoff. More importantly, SEM-BCS will place you in a better position to report material changes to your business, an upcoming requirement of Sarbanes-Oxley Section 409.
Finally, get your closing process done quickly. Regardless of whether you have quarterly, monthly, or daily closes, make sure your reports are transparent, so that they will roll up easily and enable others to drill down. SAP SEM-BCS is the system that allows companies with diverse financial reporting structures to aggregate and normalize financial reports that cut across a global enterprise. Using SAP BW technology, companies are able to generate financial statements — that are balanced and reconciled correctly — that fit the individual reporting requirements by industry or local country standard.
5. Security, for Just in Case
Despite the best controls in the world, all it takes is one errant employee to undo a year's worth of precautions. It is important to have security controls in place to handle that exigency should it occur. Within SAP systems, there are numerous 'fingerprinting' technologies available that can enable you to do a forensic examination of transactions, identifying precisely who did what. SAP generates a log that identifies every user who's touching your transactions.
Framework for Effective Enterprise Governance and Compliance
There are multiple technologies you can use to sustain continuous compliance and governance. SAP gives you a wide assortment of components that, when used in combination, establish a robust framework for reporting controls, whistle blowing, audit management, documenting internal control tests, and real-time analysis and monitoring of internal controls and segregation of duties (SoD) violations (see Figure 1).
Figure 1: The Complete Stack for Sustaining Compliance
SAP is a good choice for companies with the right intentions for corporate compliance and enterprise governance. We carry a vast array of control mechanisms and industry-specific functionality to address a wide spectrum of regulatory issues and mandates that govern your enterprise. Compliance is not easy; however, SAP can help ease the effort and support your objectives with the right tools and technologies. More importantly, SAP can give you a long-term solution that supports your business as it expands and faces new compliance challenges.
1 "Spending in an Age of Compliance, 2005," AMR Research (March 17, 2005).
Accelerating the Path to Continuous Compliance
Mark L. Feldman, Ph.D., Senior Vice President, Strategy and Business Development, Virsa Systems Inc.
A single finding of a material controls weakness in your company can lead to an adverse audit opinion, making it clear to all SAP customers that "good enough" is not enough for Sarbanes-Oxley compliance. You cannot comply just "enough" and simply hope that one errant employee isn't evading transparency or overriding controls. The penalties are just too high. Controls weaknesses can quickly translate to lower share prices and debt ratings, credit scrutiny, customer reticence, higher insurance premiums, activism by institutional investors, and shareholder litigation.
And what about the cost of compliance? Few things are more costly than the repetitive, time-consuming, mind-numbing, and error-prone manual checking and recording processes that characterize most Sarbanes-Oxley solutions today.
Real-time testing and monitoring of controls can eliminate the pain, reduce the cost, and accelerate the path to compliance. Automated alerts with access to integrated risk analysis, forensics, remediation, and audit trails round out a powerful solution set for continuous compliance — SAP Compliance Calibrator by Virsa Systems and Virsa's Continuous Compliance Suite.
SAP Compliance Calibrator by Virsa Systems
SAP Compliance Calibrator by Virsa Systems is now available directly from SAP. It automates real-time detection and prevention of ERP security and controls violations, delivering 24x7, continuous compliance with regulatory mandates, thwarting internal fraud, reducing IT and audit costs, and reinforcing high standards of governance.
SAP Compliance Calibrator by Virsa Systems focuses primarily on user authorization and access controls across the landscape, including critical transaction monitoring. It is used by over 160 SAP customers, including some of the world's largest and most technologically sophisticated multinational enterprises.
SAP Compliance Calibrator by Virsa Systems is Powered by SAP NetWeaver and complements SAP's Audit Information System (AIS) and Management of Internal Controls (MIC) solutions, providing SAP customers with a comprehensive and dynamic solution for regulatory compliance.
The Spirit (and Costs) of Sarbanes-Oxley
Tawdry tales and harsh realities of stolen assets, lost pensions, and $6,000 shower curtains led the US Congress to pass the Sarbanes-Oxley Act of 2002. Born of corporate scandals, the legislation is intended to restore investor trust in public markets, strengthen executive responsibility, and toughen corporate governance. This integrity is enforced through auditor independence, chief executive attestations of accurate financial data and effective controls, timely disclosure of material events, and support for whistle blowing. The penalties for noncompliance include jail time and heavy fines.
Widely perceived by public companies as collective penance for the misbehavior of their peers, the stringent Sarbanes-Oxley requirements have been met with mixed responses. No chief executive wants to go on record opposing good governance and investor protection legislation. However, many are willing to voice support for the spirit of Sarbanes-Oxley and decry the costs of maintaining and proving perpetual compliance. To that end, real-time, automated testing and monitoring of controls can not only accelerate the path to Sarbanes-Oxley compliance, but improve business operations, enhance shareholder confidence, and in the end, help companies achieve better business performance.
Virsa's Continuous Compliance Suite
Virsa's Continuous Compliance Suite (see Figure 1) enhances SAP Compliance Calibrator by Virsa Systems, rounding out the solution by adding sophisticated products to help customers reduce the cost of compliance, better manage risk, and fundamentally run a better business. The Continuous Compliance Suite consists of:
- Access Enforcer — An automated user request, approval, and compliant provisioning solution that is Web-based and workflow-configurable with proactive segregation of duties (SoD) compliance checking
- Role Expert — A role definition, documentation, and change control solution with automated compliance checking
- Firefighter — A solution for eliminating audit concerns over emergency IT support to production, allowing unconstrained access buffered by an audit trail
- Risk Terminator — A true preventive control for stopping SoD violations in their tracks; from inside SAP, completely eliminate or alert potential violations
With real-time continuous compliance solutions from Virsa Systems, the high cost of Sarbanes-Oxley compliance is history. No more penance for the dark days of
Figure 1: Virsa's Continuous Compliance Suite
Long-Term Benefits of Continuous Compliance
Companies that have embraced Sarbanes-Oxley in both spirit and practice are reaping significant rewards. Optimization of business processes is only the beginning. Indexes comparing the performance of companies with high governance ratings versus low governance ratings reveal superior market performance by the former.
The implication: better control, more accurate data, better insight, better management, and better performance.
Companies are now touting their high governance ratings and positive Sarbanes-Oxley audit results. Institutional investors are rewarding them with share price premiums. Bankers, insurers, vendors, corporate customers, and prospective business partners are showing them preference. Sarbanes-Oxley compliance, with its quarterly validations, is fast becoming a more important indicator of a well-run business than ISO 9000.
Egregious human misbehavior made Sarbanes-Oxley a necessity. Continuous compliance eliminates the stigma and contributes to shareholder value. Simple, smart technology like SAP Compliance Calibrator by Virsa Systems and Virsa's Continuous Compliance Suite deliver the automated controls compliance that makes it possible.
About Virsa Systems Inc.
Virsa Systems Inc., an SAP Software Partner with certified integration, is the developer of real-time compliance and controls software for SAP systems. Purpose-built to maintain continuous compliance with stringent regulatory mandates such as Sarbanes-Oxley, Virsa's solutions for security, controls, and corporate governance automate risk assessment, eliminate false positives, and deliver real-time simulation and remediation capabilities. With its library of built-in, best practice rules, Virsa delivers accelerated implementation and fast remediation with low cost of implementation for enterprise customers. Virsa is a privately held company with investments from Kleiner Perkins, LightSpeed Venture Partners, and SAP Ventures.
For more information on continuous compliance solutions for SAP customers, please visit www.virsa.com.
How to Transform Sarbanes-Oxley Compliance into Continuous Profitable Advantage
Prashanth V. Boccasam
CEO, Approva Corporation
Considering how many hours and dollars have gone into Sarbanes-Oxley compliance over the past year, turning those efforts into improved business efficiency and competitive advantage seems like the obvious next step. But is this transformation possible? How do you move sustained compliance costs from the expense column into the profitable investment column?
It's the same problem we all faced over pollution and waste mandates several years ago. At first, compliance was a required cost of doing business. But very quickly, smarter companies found a way to not only meet the letter of the law, but to use those compliance efforts as an opportunity to develop more efficient and less resource- and energy-intensive processes.
are spending enormous amounts of money on compliance. They need a way of turning their investment in Sarbanes-Oxley into real, bottom-line value through business process improvement. Companies that see, and most importantly act on, the big picture will use these mandates as a catalyst for improving efficiency and reducing risk across their organization."
- Rick Steinberg, co-author of the COSO Internal Control Framework
To think beyond compliance and in terms of business insight, control, and process improvement — all the way down to the user and transaction levels — SAP customers are finding that controls management software solutions like Approva BizRights make efficiency, controls, and cost savings possible.
The Benchmarks of Efficient, High-Performing Compliance Solutions
Complying with Sarbanes-Oxley is a business expense for SAP customers. But so are ineffective controls, accounting errors, and inefficient business processes. To that end, Sarbanes-Oxley compliance projects should be able to improve your business at the same time. If you're going to overhaul your controls, you might as well make your processes perform better. Compliance, then, becomes a byproduct of how well you are running your financial systems.
Approva, an SAP Software Partner with certified Powered by SAP NetWeaver integration and a member of SAP's Global Security Alliance, enables SAP customers to achieve benefits beyond compliance with BizRights, an Enterprise Controls Management solution. To propel more efficient business processes, compliance solutions — like BizRights — must be:
There is simply no way you can monitor and evaluate every financial transaction within your company. Transaction monitoring has to be automated. By setting up a system that automatically alerts you to unusual or suspicious transactions when they occur, you are now ready to exercise control.
BizRights software allows you to set your own rules and parameters so that when any violations occur, an alert is automatically sent to the appropriate person. Since the monitoring and detection is automated, you can spend your time examining, evaluating, and improving your business processes.
Annual audits and reviews are performed far too infrequently to be effective tools against fraud, error, or duplication. Requests for investigations or security checks need to be handled within hours, not weeks.
Approva's BizRights software provides continuous monitoring of all your company's business transactions, so when auditors arrive, they aren't greeted by
Companies that are interested in testing and monitoring controls across multiple applications — including SAP and non-SAP solutions — cannot rely on an architecture that resides exclusively inside of the SAP system and depends on access to SAP production systems for its software to function. Choosing a tool that runs inside of the SAP solution and that can only be used by SAP security-savvy professionals violates the very nature of independence that Sarbanes-Oxley promotes. Companies instead require an application that can monitor any ERP solution.
Because BizRights software audits and monitors SAP controls yet resides outside of the application, it provides greater visibility, a more independent view into the application controls, and a more trustworthy audit. Residing outside of the ERP application also provides a foundation for cross-application analysis and monitoring, a feature that has been built into Approva BizRights architecture since the product's inception.
Every major audit firm has published guidelines clearly stating that business controls must be the responsibility of business managers. What's more, IT security managers have told Approva that they will not and cannot be held wholly responsible for a sustainable controls compliance framework — that business process owners must be involved in the process and take responsibility for the effectiveness of their controls framework.
An effective collaboration strategy requires software like BizRights, which encourages IT, accounting, finance, and audit professionals to work together. If managers are to turn compliance efforts into competitive business improvement opportunities, they must have software that presents these business exceptions in terms that are clear to all.
Running a complete controls analysis on large, complex SAP systems within your SAP landscape creates performance bottlenecks that impact production environments. Several customer tests and evaluations have shown that running a comprehensive, thorough analysis of segregation of duties (SoD) issues, for example, across all users and all roles inside of an SAP production system can use 25 to 50 percent of the system resources of that production environment. This resource drain causes serious performance bottlenecks on the rest of the SAP tasks, or forces the analysis to take place only at night or on weekends.
That's why a robust, scalable architecture — like Approva BizRights — built outside of the SAP system and running continuously on an independent, industry-standard platform provides a sustainable compliance solution. SAP system resources are used for minutes, not hours, and allow for a rapid extraction of changed data. Analysis can be performed independent of the SAP system, and requires no SAP security knowledge, or even an SAP login, to view.
A Continuous, Effective Solution for SAP Customers
Approva BizRights provides an independent, collaborative, and robust architecture that transforms Sarbanes-Oxley compliance into improved business processes and competitive advantage. And of course, as an SAP Software Partner with certified Powered by SAP NetWeaver integration, Approva maintains a close relationship with SAP. The SAP Consulting management team, with its world-class expertise in security management, chose Approva as a member of its Global Security Alliance.
For copies of our white papers, or to learn more about how leading companies are leveraging continuous visibility into their automated business processes and internal controls, visit www.approva.net/leverage or email email@example.com.
Critical Questions to Ask When Assessing Enterprise Control Software Solutions
Successful companies must ask three essential questions when evaluating enterprise control
1. Does the solution meet the Sarbanes-Oxley goal of ensuring audit independence in certifying financial controls and results?
2. Can it analyze and monitor controls and transactions across multiple ERP solutions — including both SAP and non-SAP applications?
3. Is the solution scalable and robust enough to analyze tens of thousands of users and millions of transactions without bringing your production environment to
When you can confidently answer "yes" to these questions, you'll be able to see the kind of results that dozens of Approva customers have already achieved. Citing a three-month payback on its BizRights investment — based on the value of IT employees who were freed from supporting the replaced process, and on the reduced requirements for internal applications maintenance - one company's Group Manager of SAP Security said, "We were impressed by the detailed insight we can get from our roles and authorizations. Thanks to BizRights, we were able to more accurately and confidently assess and manage risk. BizRights is a valuable complement to our SAP R/3 release 4.7 implementation."
Automate Segregation of Duties Monitoring for Cost-Effective Compliance
Marcel Huyskens, RE RA
It's now common knowledge that the Sarbanes-Oxley Act requires your CEO or CFO to certify internal controls for financial reporting, operations, and compliance on a quarterly basis. But even in year two of compliance projects, SAP customers are still struggling with the exact implications and requirements for their core SAP system.
What does Sarbanes-Oxley mean for you as an SAP customer? And how can you quickly pinpoint errant behavior while keeping compliance costs in check? SAP customers are turning to solution providers like CSI to help decipher Sarbanes-Oxley requirements and cost-effectively achieve compliance.
Breaking Down Sarbanes-Oxley for SAP Customers
A key Sarbanes-Oxley control is the segregation of duties (SoD) requirements check. To effectively achieve this control, you need to:
- Identify critical tasks and segregation of duties for financially significant functionality
- Periodically evaluate the actual SAP access rights for these critical tasks and segregation of duties
- Check, in cases where any inappropriate access was given, whether a user actually executed the functionality
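The three-step check above, as an added example that is not part of the original article or of any CSI product: a small Python analyser that resolves user -> role -> transaction access against a list of conflicting task pairs, and then reads a transaction log to tell a merely potential conflict (access granted) from an exercised one (both sides actually executed). The user names, role names, log lines and the task-to-transaction-code mapping are sample values constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Step 1: critical tasks and the pairs that one person must not hold together.
# The task-to-transaction-code mapping is a constructed, illustrative sample.
TASK_TCODES = {
    "create_vendor": {"FK01", "XK01"},
    "post_vendor_invoice": {"FB60", "MIRO"},
    "release_payment": {"F110"},
    "create_purchase_order": {"ME21N"},
    "post_goods_receipt": {"MIGO"},
}
SOD_CONFLICTS = [
    ("create_vendor", "post_vendor_invoice"),
    ("create_vendor", "release_payment"),
    ("post_vendor_invoice", "release_payment"),
    ("create_purchase_order", "post_goods_receipt"),
]

# Constructed sample authorization data: role -> transaction codes, user -> roles.
ROLE_TCODES = {
    "Z_AP_CLERK": {"FB60", "MIRO"},
    "Z_VENDOR_MASTER": {"FK01", "XK01"},
    "Z_TREASURY": {"F110"},
    "Z_BUYER": {"ME21N"},
    "Z_WAREHOUSE": {"MIGO"},
}
USER_ROLES = {
    "jdoe": {"Z_AP_CLERK", "Z_VENDOR_MASTER"},  # holds both sides of a conflict
    "asmith": {"Z_TREASURY"},
    "bwong": {"Z_BUYER", "Z_WAREHOUSE"},        # holds both sides of a conflict
    "cpatel": {"Z_AP_CLERK"},
}

# Constructed sample transaction log, one "timestamp user tcode" record per line.
EXEC_LOG = """\
2005-03-01T09:12:00 jdoe FK01
2005-03-01T09:40:00 jdoe FB60
2005-03-02T10:05:00 bwong ME21N
2005-03-02T11:00:00 cpatel FB60
"""


@dataclass(frozen=True)
class Finding:
    user: str
    task_a: str
    task_b: str
    exercised: bool  # True when the user actually executed both conflicting tasks


def tasks_for_user(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES,
                   task_tcodes=TASK_TCODES):
    """Step 2: resolve user -> roles -> transaction codes -> critical tasks held."""
    tcodes = set()
    for role in user_roles.get(user, ()):
        tcodes |= role_tcodes.get(role, set())
    return {task for task, codes in task_tcodes.items() if tcodes & codes}


def parse_exec_log(text):
    """Collect the transaction codes each user actually executed."""
    executed = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        _timestamp, user, tcode = line.split()
        executed[user].add(tcode)
    return executed


def executed_tasks(user, executed, task_tcodes=TASK_TCODES):
    """Map a user's executed transaction codes back to critical tasks."""
    return {task for task, codes in task_tcodes.items()
            if executed.get(user, set()) & codes}


def find_sod_findings(user_roles=USER_ROLES, exec_log=EXEC_LOG,
                      conflicts=SOD_CONFLICTS):
    """Steps 2 and 3: report every user holding both sides of a conflict, and
    flag the finding as exercised when the log shows both sides were run."""
    executed = parse_exec_log(exec_log)
    findings = []
    for user in sorted(user_roles):
        held = tasks_for_user(user, user_roles)
        done = executed_tasks(user, executed)
        for task_a, task_b in conflicts:
            if task_a in held and task_b in held:
                findings.append(Finding(user, task_a, task_b,
                                        exercised=(task_a in done and task_b in done)))
    return findings


if __name__ == "__main__":
    for f in find_sod_findings():
        status = "EXERCISED" if f.exercised else "potential"
        print(f"{status:9} {f.user}: {f.task_a} + {f.task_b}")
```

Exercised findings are the ones to remediate first; potential ones still need a role change or a compensating control before the next quarterly certification.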
Standard SAP functionality for user and role management — including the SAP User Information System and the SAP Audit Information System — is a good start for controlling SoD. However, customers seek additional functionality for efficiently defining and running queries for access rights, and for identifying roles and profiles granting excessive access.
No Need for Expensive SoD Monitoring Tools
To complement the SAP User Information System, a third-party solution like CSI Authorization Auditor, which is certified for integration with SAP NetWeaver, offers predefined content of over 350 queries and more than 7,000 potential SoD conflicts.
CSI Authorization Auditor enables a fully automated check on segregation of duties, delivering detailed and statistical reports (see Figure 1). The interactive screen output of queries enables you to quickly determine the source or cause of unexpected access rights.
|CSI Authorization Auditor Enables Highly Automated SoD Analysis
With CSI Authorization Auditor, analysis takes place on your PC, without disturbing the SAP system under review. The tool is release-independent, and your query criteria can be applied across all SAP systems (and clients), including SAP BW, SAP SEM, mySAP CRM, and SAP APO. The result is better evaluation, reporting, and analysis, which reduces the cost of Sarbanes-Oxley compliance for SAP customers.
For more information on CSI Authorization Auditor, please visit www.csi4sap.com.
Exaserv Enables HIPAA 834 Compliance with One Interface, One Solution
Partner, Exaserv Inc.
To reduce administrative costs, improve efficiency of health care systems, and guarantee security and privacy of individuals, the Health Insurance Portability and Accountability Act (HIPAA) includes 'Administrative Simplification' provisions requiring health and human services organizations to adopt national standards for electronic health care transactions. HIPAA 834 regulations require compliance from any health plans, health care clearinghouses, and health care providers that transmit health information electronically.
To comply with HIPAA regulations, many SAP customers face added development, testing, and maintenance effort to work with each of their providers, customers, and vendors - adding substantial time and monetary costs to an already ambitious compliance project. Imagine the difference it could make for your company to have one interface for all of your vendors — streamlining and reducing the cost of your HIPAA 834 compliance.
Features of the HIPAA Interface Tool
- A single interface for all health care vendors
- Flexibility while complying with HIPAA regulations
- Clean and simple design with extensive reporting
- First test file ready within 24 hours
- Consolidated configuration and customizing screen
- Straightforward configuration tables
One Interface for All Health Care Providers
Exaserv Inc., a Human Capital Management (HCM) solution provider, has developed a HIPAA interface that complements and adapts to your mySAP ERP HCM environment. The Exaserv tool is fully operational out of the box, and is 100 percent compliant with HIPAA 834 guidelines and ASC X12 standards.1 The tool uses HIPAA's uniform national standards for electronic health care transactions to its advantage, enabling SAP customers to transmit plan enrollment and participation files to all of your health insurance providers through one unified interface.
This single interface can communicate with any health care vendor in the United States — from your major health care providers to your smaller vendors — thereby reducing or eliminating cumbersome paperwork to maintain health care plan enrollments. Additionally, this interface will eliminate the burden of technical challenges when you change vendors.
Flexible and Forward-Thinking HIPAA Compliance
The data exchange scope that has been incorporated into the delivered Exaserv tool includes sponsor, vendor, and third-party details, as well as subscriber demographics and health plan participation details (for active employees, retirees, COBRA participants, surviving dependents, etc.), in line with the current HIPAA 834 transaction set. And you can rely on Exaserv to keep up with any enhancements or changes to the HIPAA guidelines, thereby relieving your internal resources from having to keep pace with the still-developing scope of the HIPAA 834 transaction set.
The Exaserv interface tool also has the flexibility to allow customers to easily add, omit, move, or control any segments of the outbound EDI (electronic data interchange). The tool comes with easy-to-configure tables to map your mySAP ERP HCM settings to the HIPAA guideline format. This ensures quick and easy implementation, as well as minimal efforts in adapting the interface to any future changes made in mySAP ERP HCM as your organization's business demands fluctuate.
For more information on simplifying your HIPAA compliance needs, please visit www.exaserv.com.
1 In 1979, the American National Standards Institute (ANSI) chartered the Accredited Standards Committee (ASC) X12 to develop uniform standards for inter-industry electronic exchange of business transactions: electronic data interchange (EDI).
Don't Let Your 404 Efforts Go to Waste!
Add Value with Automated Tax Solutions from Vertex
As an SAP customer, by now you've become well-informed about the Sarbanes-Oxley Act — in particular Section 404 — and its requirements of effective, transparent internal controls. Complying with Section 404 is one of the most involved processes companies are facing today, and many SAP customers consider the associated time and costs draining, especially in terms of the company's overall business goals.
Your compliance efforts, however, can do far more than prepare you for Section 404 compliance. With technology solutions from Vertex, an SAP Software Partner with certified integration, SAP customers can comply with the regulatory statutes of Sarbanes-Oxley while also integrating a comprehensive and cost-effective tax solution.
Increased Attention on Tax Departments
An informal survey of Vertex's SAP customer base shows the following results related to Sarbanes-Oxley:
- Nearly half of the respondents agreed that senior financial managers or executives have gotten more involved in the tax department operations and procedures as a result of Sarbanes-Oxley
- Over half of the respondents have introduced process automation initiatives as a result of the Act
- About a quarter of the respondents stated that the tax department's relationship with the Audit Committee has changed due to Section 404
- About one-third of the respondents said their tax department's relationship with the Internal Audit Department has changed as a result of the Act
With the increased focus on tax, you have substantial momentum for making the necessary process and automation changes your tax department needs. It is possible to use your 404 efforts for something other than an audit guide for your outside auditors!
Vertex Tax Automation Solutions
SAP customers expending additional resources toward complying with Sarbanes-Oxley can simultaneously extend the benefits of compliance by automating tax processes with Vertex solutions. Vertex O Series, for example, a Web-enabled tax calculation solution, manages the tax compliance process by calculating sales and use taxes and keeping detailed records of each transaction and how the system determined the tax decision. Automating this tax compliance process gives SAP customers the ability to record each sales and use transaction, and provides companies with the tools to track and review their system usage and setup.
Vertex O Series is certified to run on SAP Web Application Server, which is part of the SAP NetWeaver integration and application platform. SAP users can now confidently install and deploy Vertex O Series, which is both Certified for SAP NetWeaver and Powered by SAP NetWeaver, on the SAP Web Application Server.
By deploying a tax compliance solution like Vertex O Series, SAP customers not only automate their tax department's processes but also move one step closer to complete Sarbanes-Oxley 404 compliance.
Customers using Vertex tax solutions with certified integration to their SAP applications can extend their 404 efforts far beyond the company's short-term compliance goals. To learn more about Vertex tax technology services and solutions, please visit www.vertexinc.com or email us at
Michael Cooke, CA CISA
Continuous Monitoring Technology,
ACL Services Ltd.
Support Sustainable Compliance Through Continuous Controls Monitoring Technology
If there's one lesson learned from this past year, it's that compliance is an evolving process that requires a long-term solution. Year one Sarbanes-Oxley efforts not only placed a tremendous strain on internal resources, but also far exceeded budget forecasts. An A.R.C. Morgan study shows that first-year total compliance costs are estimated at US $3 to 3.2 million per $1 billion in sales, three times the predicted $1 million for every $1 billion in sales.1
This level of effort cannot be sustained, yet the need for compliance isn't going away. As a result, compliance teams are seeking ways to achieve sustainability by automating appropriate compliance activities. SAP customers are turning to testing and monitoring solutions — such as Continuous Controls Monitoring (CCM) solutions from ACL, an SAP Software Partner with certified integration — to achieve sustainable compliance.
Focusing the Compliance Technology Investment
All experts, from the Big 4 to industry analysts, have identified that leveraging technology to automate monitoring and testing processes is essential for repeatability, sustainability, and cost effectiveness. In fact, AMR Research recently stated that key technologies that automate internal controls testing can reduce the cost of Sarbanes-Oxley compliance by upwards of 25 percent.2
ACL Continuous Controls Monitoring solutions can lead SAP customers to these substantial cost savings. ACL CCM automates controls testing and monitoring within business processes across the enterprise (purchase-to-payment, order-to-cash, G/L, payroll, and others). CCM reduces the burden of compliance on internal resources and allows organizations to introduce process efficiencies and improve bottom-line results.
ACL Continuous Controls Monitoring
ACL CCM draws upon our 18-year heritage in providing analytic technology used by the majority of the world's largest organizations. It embeds technology that drives audit best practices into your business operations — a key factor in achieving compliance sustainability. CCM continually tests all transactions — not just samples — to identify inefficiencies, fraud, and errors to save money, improve recoveries, and stop leakage. Highlights include:
- Continuous testing and monitoring of all transactions across all systems, including ERP, SCM, and HR solutions, as well as custom-built applications. ACL's Direct Link, which is Certified for SAP NetWeaver, provides direct and seamless access to mySAP
- Automated, predefined control tests, mapped to the COSO Internal Control Framework, with the flexibility to adjust parameters as requirements
- Timely identification of control exceptions, providing quantified exposure of business risk
- A unified view of the control environment and control weaknesses, with the ability to drill down to specific exceptions and resolve problems before external reporting or material impact
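What "automated, predefined control tests over all transactions, with quantified exposure" looks like in practice is easier to see in code. The following is an added example written for this article, not ACL's CCM product: four purchase-to-payment control tests run over every document in a constructed set, each exception reported with the documents involved and an exposure amount. The document fields, the control identifiers P2P-01 through P2P-04, and the approval threshold are assumptions for illustration.

```python
"""Added example, not ACL's CCM product code: predefined control tests run
over every purchase-to-payment document, with the exposure of each
exception quantified for the control owner.

Assumptions (not from the original page): the Doc fields, the control
identifiers P2P-01..04, the approval threshold and SAMPLE_DOCS are all
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

APPROVAL_THRESHOLD = 10_000.0   # constructed: POs at or above this need senior release


@dataclass(frozen=True)
class Doc:
    doc_id: str
    kind: str              # "PO" or "INV"
    vendor: str
    amount: float
    date: str              # CCYYMMDD
    created_by: str
    released_by: str
    invoice_no: str = ""   # vendor's invoice number (INV only)
    po_ref: str = ""       # purchase order the invoice bills (INV only)


@dataclass(frozen=True)
class ControlException:
    control: str
    docs: tuple
    exposure: float
    detail: str


def check_duplicate_invoices(docs):
    """P2P-01: the same vendor invoice number posted more than once."""
    seen = defaultdict(list)
    for d in docs:
        if d.kind == "INV":
            seen[(d.vendor, d.invoice_no)].append(d)
    return [ControlException("P2P-01", tuple(x.doc_id for x in grp),
                             sum(x.amount for x in grp[1:]),   # exposure = the repeats
                             f"invoice {key[1]} from {key[0]} posted {len(grp)} times")
            for key, grp in seen.items() if len(grp) > 1]


def check_split_purchases(docs):
    """P2P-02: one requester, one vendor, one day, every PO under the
    threshold but the total at or above it (approval circumvention)."""
    groups = defaultdict(list)
    for d in docs:
        if d.kind == "PO" and d.amount < APPROVAL_THRESHOLD:
            groups[(d.created_by, d.vendor, d.date)].append(d)
    out = []
    for (who, vendor, day), grp in groups.items():
        total = sum(d.amount for d in grp)
        if len(grp) > 1 and total >= APPROVAL_THRESHOLD:
            out.append(ControlException("P2P-02", tuple(d.doc_id for d in grp), total,
                                        f"{who} split {total:.2f} to {vendor} on {day}"))
    return out


def check_self_release(docs):
    """P2P-03: the user who created a document also released it."""
    return [ControlException("P2P-03", (d.doc_id,), d.amount,
                             f"{d.created_by} created and released {d.doc_id}")
            for d in docs if d.created_by == d.released_by]


def check_invoice_over_po(docs):
    """P2P-04: an invoice bills more than its referenced purchase order."""
    pos = {d.doc_id: d for d in docs if d.kind == "PO"}
    out = []
    for d in docs:
        if d.kind == "INV" and d.po_ref in pos and d.amount > pos[d.po_ref].amount:
            over = d.amount - pos[d.po_ref].amount
            out.append(ControlException("P2P-04", (d.doc_id, d.po_ref), over,
                                        f"{d.doc_id} bills {over:.2f} over {d.po_ref}"))
    return out


CONTROL_TESTS = [check_duplicate_invoices, check_split_purchases,
                 check_self_release, check_invoice_over_po]


def run_monitoring(docs):
    """Run every control test over every document (not a sample).
    Returns the exception list and the total quantified exposure."""
    exceptions = [e for t in CONTROL_TESTS for e in t(docs)]
    return exceptions, round(sum(e.exposure for e in exceptions), 2)


# Constructed sample documents; each planted exception is marked
SAMPLE_DOCS = [
    Doc("PO-1", "PO", "V100", 6000.0, "20050301", "alice", "bob"),
    Doc("PO-2", "PO", "V100", 5500.0, "20050301", "alice", "bob"),    # split with PO-1
    Doc("PO-3", "PO", "V200", 2000.0, "20050302", "carol", "carol"),  # self-released
    Doc("INV-1", "INV", "V100", 6000.0, "20050310", "dave", "erin", "A-77", "PO-1"),
    Doc("INV-2", "INV", "V100", 6000.0, "20050315", "dave", "erin", "A-77", "PO-1"),  # duplicate
    Doc("INV-3", "INV", "V200", 2300.0, "20050320", "dave", "erin", "B-12", "PO-3"),  # over PO
]

if __name__ == "__main__":
    for e in run_monitoring(SAMPLE_DOCS)[0]:
        print(e.control, e.docs, f"{e.exposure:.2f}", e.detail)
```

Each test is a plain function over the full document list, so adding a control means adding a function and mapping its identifier to the framework, and the exposure figure is what lets a control owner rank exceptions rather than work a list in posting order.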
By embedding ACL CCM within business operations, SAP customers can set the stage for an automated, sustainable approach to regulatory compliance. This heightened visibility and consistency in controls testing and monitoring across the enterprise is not only an effective means of good governance, it's also good business.
To learn how ACL CCM solutions can help you develop a sustainable compliance strategy, download our Webinar presentation, SOX Decisions for 2005: Focusing Your Technology Investment, featuring guest speaker AMR Research analyst John Hagerty,
1 "Sarbanes-Oxley Implementation Costs — What companies are reporting in their SEC Filings," A.R.C. Morgan (February 24, 2005).
2 "SOX Decisions for 2005: Step Up Technology Investments," John Hagerty, AMR Research (January 14, 2005).
Chief Technology Officer,
Ensuring Tax Payment Accuracy for Sarbanes-Oxley Compliance
Many SAP customers are sighing with relief after their initial audits following the first year of Sarbanes-Oxley Act compliance. While year one was about documentation and testing, now the focus is on sustainable compliance management, including consistent accuracy of accounting figures.
The challenge of Sarbanes-Oxley still looms for corporate tax departments, which conduct significant amounts of work manually or with simplified tax calculators, resulting in inconsistent and inaccurate tax determination, often without an audit trail. Tax departments also face monthly compliance deadlines with countless local, regional, state, and national tax jurisdictions.
To meet these pressing governance challenges, SAP customers are turning to consolidated tax management solutions — such as the Sabrix Solution — to provide accuracy and an audit trail essential to financial compliance.
Accuracy in Tax: The Impact on Compliance
Almost every corporate function has some impact on tax, with the most common activities being sales and purchasing. Companies need a consolidated approach to transaction tax management for tax and IT professionals to manage compliance for sales, use, and international value-added taxes (VAT).
For accurate regulatory and tax compliance, SAP customers should consider using an integrated solution with multivariate precision that accepts and evaluates customer-selected transaction data elements from SAP applications. Multivariate precision provides the ability to dynamically apply any number of data attributes in any combination for consistent accuracy in the determination, calculation, and recording of tax.
Real-World Scenarios for Compliance
A simple purchasing transaction illustrates the value of multivariate precision. Consider a purchase of computer monitors for research and development (R&D) and administrative purposes. Many states allow an exemption for the monitors purchased for R&D use, while the monitors used for administrative purposes are taxable. The variables used to determine if the purchase is exempt include the material number, the department code, and the cost center. All variables must be considered to arrive at the appropriate determination.
This simple rule can be configured using existing SAP tools; however, this approach forces the SAP configuration team — instead of the tax professional — to manage rule configuration. Under Sarbanes-Oxley, the tax department must control tax decisions and document where and how tax decisions are performed. Having non-tax professionals — and systems not controlled by the tax department — managing tax decisions makes SAP customers vulnerable to a higher degree of scrutiny during the annual compliance audit.
Reporting Accuracy and Seamless SAP System Integration
The integration of a consolidated tax management solution, such as the Sabrix Solution,1 with your SAP system ensures consistent and accurate reporting. This fine level of accuracy can also improve cash flow by ensuring correct tax amounts are collected and accrued. Planning for the long term will prevent this often forgotten area of finance from having unforeseen and unwanted impacts on corporate reporting and compliance.
Sabrix is an SAP Software Partner with certified integration, and is a leading provider of enterprise tax applications integrated with international tax research for more than 130 countries. For more information, visit www.sabrix.com.
1 The Sabrix Solution is certified by SAP for connection to SAP R/3 4.6 including support for SAP R/3 Enterprise, mySAP CRM 4.0, and mySAP Mobile Client 4.0 for US Sales and Use Tax and Canadian VAT/GST. The Sabrix Solution is also certified for integration within the Powered by SAP NetWeaver framework (SAP Web Application Server 6.40 and SAP Enterprise Portal 6.0).
Robin-Jan de Lange
Sarbanes-Oxley Software: Why Has a Simple Concept Been Made So Difficult?
It's remarkable that Section 404 of the Sarbanes-Oxley Act, a 168-word paragraph containing a concept so simple, has evolved into an industry-wide belief that compliance can only be achieved using dedicated resources to adapt rule libraries with hundreds of thousands of line items and to analyze even longer results lists. The result is a spike in overhead costs and a genuine concern about the long-term sustainability of these solutions.
SAP customers should instead look for proactive, sustainable, turnkey products — like SOD Detective, D2C Role Map Server, and Security Cockpit from D2C — that lower your total cost of compliance and allow you to focus beyond Sarbanes-Oxley and on your business.
Early Adopters vs. Rule Breakers
Think it is safe to go with a leading compliance firm? Ask Enron. As of yet, the vast majority of companies still have not decided on a specific commercial Sarbanes-Oxley solution.
The reason for the market's reluctance is profound: The translation from Section 404's simple concept and easy-to-understand requirements into most current software products has resulted in a lackluster prevailing methodology. Companies are waiting for a solutions provider with a proactive and sustainable approach to compliance.
The Exponential Growth of Rule Libraries
A main component of Sarbanes-Oxley compliance, the concept of Segregation of Duties (SoD) is simple: Prevent fraud in the system by ensuring certain business functions are segregated over multiple persons in your organization. Developing an adequate SoD matrix is a mixture of common sense and experience.
It's in the translation of these business requirements to the IT system that much of the confusion is introduced. Somehow, from a simple matrix, a rule library is created containing thousands upon thousands of queries. Drawbacks to this query-based approach include:
- Lack of transparency between SoD requirements and the rule library
- Extensive, labor-intensive customizations
- Long analysis runtimes
- Challenging upkeep, given the dynamic nature of SAP systems
- Concern about whether all scenarios are covered, leaving backdoors open to commit fraud
- Unworkable, lengthy results lists
When evaluating third-party solutions, SAP customers should be sure to choose an effective, sustainable offering that is efficient in its use of resources, presenting concise results through powerful technology.
Real Time vs. "Right Time"
Recently the idea of "real-time" compliance has sparked a lively discussion about the merits of inside versus outside SAP deployment. First of all, real-time most often means "too late." When business owners receive a workflow message alerting them to an identified SoD violation, this is a reactive methodology.
SAP customers should instead focus on proactive solutions. D2C's Role Map Server, for example, will detect a violation upon submission for approval, enabling business owners to deal with SoD issues before assignment and authorization, instead of in an emergency situation.
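The two points above, that an SoD matrix over business functions is a far smaller and more transparent rule set than a query library, and that the check belongs at role-request time rather than after assignment, can be shown in a few dozen lines. The following is an added example written for this article, not D2C's code. The business functions, the transaction codes mapped to them, the roles, and the users are constructed; a real implementation would read roles and their transaction assignments from the SAP authorization tables.

```python
"""Added example, not D2C's code: segregation-of-duties analysis driven by
a conflict matrix over business functions, plus a preventive check at
role-request time.

Assumptions (not from the original page): the business functions, the
transaction codes mapped to them, the roles and the users below are
constructed; a real implementation reads roles and their transaction
assignments from the SAP authorization tables.
"""

# Business function -> transaction codes that perform it (constructed)
FUNCTIONS = {
    "vendor_master": {"XK01", "XK02", "FK02"},
    "post_invoice": {"FB60", "MIRO"},
    "release_payment": {"F110"},
    "create_po": {"ME21N"},
    "goods_receipt": {"MIGO"},
}

# The SoD matrix: pairs of functions one person must not hold together.
# This is the whole rule set; transaction-level pairs follow from it.
CONFLICTS = {
    frozenset({"vendor_master", "post_invoice"}),
    frozenset({"vendor_master", "release_payment"}),
    frozenset({"post_invoice", "release_payment"}),
    frozenset({"create_po", "goods_receipt"}),
}

ROLES = {   # role -> transaction codes it grants (constructed)
    "Z_AP_CLERK": {"FB60", "MIRO"},
    "Z_VENDOR_ADMIN": {"XK01", "XK02"},
    "Z_TREASURY": {"F110"},
    "Z_BUYER": {"ME21N"},
    "Z_WAREHOUSE": {"MIGO"},
}

USERS = {"jdoe": {"Z_AP_CLERK"}, "msmith": {"Z_BUYER", "Z_WAREHOUSE"}}


def tcodes_of(roles):
    """Transaction codes reachable through a set of roles."""
    tcodes = set()
    for r in roles:
        tcodes |= ROLES[r]
    return tcodes


def functions_of(roles):
    """Business functions reachable through a set of roles."""
    tcodes = tcodes_of(roles)
    return {f for f, codes in FUNCTIONS.items() if codes & tcodes}


def violations(roles):
    """Conflicting function pairs held together via these roles, sorted."""
    held = functions_of(roles)
    return sorted(tuple(sorted(pair)) for pair in CONFLICTS if pair <= held)


def evidence(roles, pair):
    """Transactions behind each side of a conflict: the detail an auditor
    asks for when a violation is reported."""
    tcodes = tcodes_of(roles)
    return {f: sorted(FUNCTIONS[f] & tcodes) for f in pair}


def check_request(user, new_role):
    """Preventive check at submission: conflicts the request would add,
    computed before anything is assigned. Empty list means approvable."""
    current = USERS.get(user, set())
    before = set(violations(current))
    after = set(violations(current | {new_role}))
    return sorted(after - before)


def rule_count():
    """Rules to maintain: one per conflicting function pair."""
    return len(CONFLICTS)


def expanded_pairs():
    """Transaction-code pairs the matrix implies, i.e. the size a
    query-per-combination library reaches for the same coverage."""
    return sum(len(FUNCTIONS[a]) * len(FUNCTIONS[b])
               for a, b in (tuple(p) for p in CONFLICTS))


if __name__ == "__main__":
    print("rules:", rule_count(), "implied tcode pairs:", expanded_pairs())
    print("jdoe + Z_VENDOR_ADMIN:", check_request("jdoe", "Z_VENDOR_ADMIN"))
```

Because the matrix is the only thing maintained, a new transaction code is covered by adding it to one function rather than by generating every query that mentions it, and the request check reports only the conflicts a change introduces, so a user who already has an open violation is not re-flagged for it on every unrelated request.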
Sustainable Offerings from D2C
SAP customers are waiting for a paradigm shift in the approach to Sarbanes-Oxley compliance. Demand solutions that have powerful graphical screens with drill-down capability; allow user-friendly, drag-and-drop configuration; and are based on a patent-pending methodology that is powerful, sustainable, and exhaustive. For more information, please visit www.soddetective.com.
SECUDE IT Security, LLC
From Sarbanes-Oxley to HIPAA: Legislative Trickle-Down and Other Reasons to Sweat
The long reach of US legislation is now well known in conjunction with the Sarbanes-Oxley Act, which requires CEOs and CFOs of companies listed on US stock exchanges to personally certify their financial reports and the internal controls behind them, including controls over processes run by subsidiaries or outsourced to partners. Assigning this level of responsibility forces foreign business partners not normally under US jurisdiction to meet the law's requirements if they want to continue doing business with US-listed companies. Given the multinational nature of many large corporations and the increased tendency to outsource significant parts of business processes, Sarbanes-Oxley has swiftly transformed local legislation into a global nightmare.
The Long Arm of the Law
Unfortunately, the same legislative trickle-down can apply to other laws as well. The primary focus of HIPAA, for example, is to protect sensitive medical information. But to do so, the law forces a heavy security burden on any corporation that has a health plan - in other words, pretty much everyone. Although some companies, such as software billing vendors, may not be covered by HIPAA directly, they may still face indirect consequences.
Companies that decide to outsource parts of health care management overseas — even if they just outsource simple record keeping — are not exempt from HIPAA security standards. The security and confidentiality of any health-related documents must be maintained, and an overseas company may be forced into HIPAA compliance, just as in the case of Sarbanes-Oxley compliance.
SAP customers addressing compliance concerns must be careful to choose security partners who have sufficient expertise and understand not only local legislative and regulatory matters, but the growing morass of international red tape. Security is an international
SECUDE is an international IT security vendor with headquarters in Zurich, Switzerland, and with rapidly expanding Sales and Service branches in the US, Germany, United Arab Emirates, Spain, the Netherlands, and Switzerland. We know what it takes to do business internationally.
The Long-Term Implications of HIPAA
The April 20, 2005, deadline for large companies to comply with HIPAA's security aspects has come and gone, and many SAP customers are breathing an initial sigh of relief. However, compliance is not a one-time phenomenon, and companies must look to third-party vendors like SECUDE, an SAP Software Partner with certified integration, to help them address the long-term effects of HIPAA compliance.
The Centers for Medicare and Medicaid Services (CMS) note, "security is not a one-time project, but rather an ongoing, dynamic process that will create new challenges as covered entities' organizations and technologies change."1 This is both a hint and a warning that companies that fail to regularly audit and update their security procedures face noncompliance. The penalties? Stiff fines or, worse, criminal prosecution. Although many companies either do not recognize the potential for prosecution or simply view HIPAA as less of a priority than Sarbanes-Oxley, the US Department of Health and Human Services' Office for Civil Rights is empowered by HIPAA to refer noncompliance cases for criminal prosecution.
A Closer Look at HIPAA: Understanding the Ambiguous
HIPAA's Security Rule draws a distinction that is easy to misread: some implementation specifications are required, such as person or entity authentication, while others are addressable, such as encryption and the integrity mechanisms (digital signatures, for instance) used to detect tampering with electronic PHI. But as CMS points out, "Addressable does not mean optional."2 A covered entity must assess whether an addressable specification is reasonable and appropriate for its environment, and then either implement it or document why not and put an equivalent alternative measure in place.
Addressable controls are crucial in that they are often the most continually evolving technological aspects. Heavy research and development (R&D) efforts are underway by both governments and the private sector, and groundbreaking papers that alter the landscape of encryption technology are constantly being released. This new research changes the answer to questions such as, "What is an acceptable level of encryption?"
For example, a weakness in SHA-1, a widely used hash function underlying digital signatures, certificates, and other integrity controls, was announced on February 13, 2005, by the research team of Wang, Yin, and Yu.3 Their method finds collisions in about 2^69 hash operations, roughly 2,000 times fewer than the 2^80 a generic birthday attack needs against a 160-bit digest. For the public at large, this has little immediate impact: the result weakens collision resistance (an attacker producing two different documents with the same hash), not the confidentiality of encrypted data, and 2^69 operations were still beyond practical reach at the time. Your deployments are safe, but only for now.
Research breakthroughs such as the SHA-1 result demonstrate that encryption schemes are constantly evolving. Security companies race to improve their encryption algorithms as hackers, governments, and the just plain curious strive to break them. Without constant vigilance, HIPAA-compliant solutions today will be wide-open legal liabilities tomorrow. Companies need to work with a security partner like SECUDE, dedicated to keeping up with the latest advances in cryptography.
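The "constant vigilance" the passage asks for has a concrete engineering form: every integrity tag or signature carries the identifier of the algorithm that produced it, and a central policy decides which algorithms may still be issued and which are only tolerated during migration. The following is an added example written for this article, not SECUDE's code. The tag format ("<alg>$<hex mac>"), the policy sets, and the sample key and document are constructed. One caveat the example does not hide: HMAC does not depend on collision resistance, so this shows how a deprecated primitive is retired across a system, not the 2005 attack itself; where collisions bite is in signatures and certificates, where an attacker can choose both colliding documents.

```python
"""Added example, not SECUDE's code: an integrity tag that names its
algorithm, verified against a policy that can retire a hash function
(as research such as the 2005 SHA-1 collision result moves it from
"acceptable" to "deprecated") without breaking the ability to read
tags issued earlier.

Assumptions (not from the original page): the tag format "<alg>$<hex mac>",
the ACCEPTED/DEPRECATED policy sets and the sample key and document are
constructed for illustration. HMAC is used so the example is keyed and
self-contained; HMAC itself is not weakened by collision attacks, the
deprecation here is a policy decision about the primitive.
"""
import hmac

ACCEPTED = {"sha256", "sha512"}   # policy as of this example: may be issued
DEPRECATED = {"sha1", "md5"}      # still parseable, no longer trusted

SAMPLE_KEY = b"constructed-demo-key"                           # constructed
SAMPLE_DOC = b"subscriber 1001 enrolled in PLAN-HMO-01"         # constructed


def birthday_bound_bits(digest_bits: int) -> int:
    """Generic collision cost for an n-bit digest is about 2^(n/2); a
    published attack below this bound is what 'broken' means in practice.
    For SHA-1 that is 80, against the 69 reported in 2005."""
    return digest_bits // 2


def make_tag(key: bytes, data: bytes, alg: str = "sha256") -> str:
    """Issue a tag under an accepted algorithm; refuse deprecated ones."""
    if alg not in ACCEPTED:
        raise ValueError(f"{alg} may not be issued; use one of {sorted(ACCEPTED)}")
    return f"{alg}${hmac.new(key, data, alg).hexdigest()}"


def legacy_tag(key: bytes, data: bytes, alg: str = "sha1") -> str:
    """Simulate a tag issued before the policy change (for migration
    testing only; bypasses the issue-time policy on purpose)."""
    return f"{alg}${hmac.new(key, data, alg).hexdigest()}"


def verify_tag(key: bytes, data: bytes, tag: str) -> tuple:
    """Return (ok, reason). A correct tag under a deprecated algorithm is
    reported distinctly from a forged or damaged tag, so the migration
    can be measured instead of silently accepted."""
    try:
        alg, mac = tag.split("$", 1)
    except ValueError:
        return False, "malformed tag"
    if alg not in ACCEPTED | DEPRECATED:
        return False, f"unknown algorithm {alg}"
    expected = hmac.new(key, data, alg).hexdigest()
    if not hmac.compare_digest(expected, mac):     # constant-time comparison
        return False, "integrity check failed"
    if alg in DEPRECATED:
        return False, f"{alg} tag is valid but the algorithm is deprecated; re-tag"
    return True, "ok"


if __name__ == "__main__":
    t = make_tag(SAMPLE_KEY, SAMPLE_DOC)
    print(t, verify_tag(SAMPLE_KEY, SAMPLE_DOC, t))
    print(verify_tag(SAMPLE_KEY, SAMPLE_DOC, legacy_tag(SAMPLE_KEY, SAMPLE_DOC)))
```

The point of the three-way verdict (good, forged, valid-but-deprecated) is operational: a system that only answers yes or no cannot tell you how many SHA-1 tags are still in circulation, and it is that count that decides when the deprecated set can be emptied and old tags rejected outright.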
Digital Certificates: Don't Panic!
For those companies that store protected health information (PHI) in SAP systems, the encryption and data integrity requirements of HIPAA can be addressed by securing network traffic (SAP GUI, RFC, and server-to-server connections) through SAP's Secure Network Communications (SNC) interface. SNC was created in 1997 through a development partnership between SAP AG and the Fraunhofer Institute in Darmstadt, Germany; afterward, the Fraunhofer Institute spun off the technical expertise gained from the partnership into a separate company, SECUDE GmbH. With SECUDE's products, SNC can be used to provide robust encryption of network traffic based on digital certificates.
Digital certificates tend to trigger beads of sweat in the accounting department because of their close association with Public Key Infrastructure (PKI). However, the two are not synonymous, and you do not need to implement a prohibitively expensive PKI to achieve robust encryption. SECUDE offers solutions designed to achieve this level of encryption without one: securelogin generates digital certificates on the fly to provide strong encryption and data integrity controls on top of flexible authentication methods such as RSA SecurID tokens or Microsoft Active Directory (ADS), all without a PKI.
signon&secure offers similarly robust encryption through SNC for organizations that already run a PKI. In 1998, it was the first such solution to be certified by SAP, and it is in use by SAP itself today.
What's more, both of these product solutions allow for single sign-on (SSO) to all SAP applications. For the average SAP implementation of 6-12 modules, each with their own user name and password, this can offer a substantial return on investment (ROI) by reducing help desk costs, increasing productivity, and improving the user experience. This ROI is so significant that an investment in SECUDE securelogin or SECUDE signon&secure can pay for itself within one year of implementation.4 With the added benefits of HIPAA compliance, SAP customers cannot ignore the value. For more on SSO and to see our ROI calculator, please access SECUDE's SSO white paper at www.secude.com.
SECUDE, a Partner for the Future
To secure legislative compliance today and for the future, companies need to stop shopping for a security vendor and start looking for a security partner. A good security partner should have the following attributes:
- A strong commitment to R&D
- An ongoing partnership with SAP
- A deep understanding of international legislation
- A wide, flexible product range in addition to customized projects
SECUDE's strong, continuing partnership with SAP helps to ensure that SECUDE solutions are not just hype-filled, one-shot products bound to be obsolete by the end of the year. Our intense R&D effort is dedicated to allowing a smooth transition to ever-evolving technologies in a cost-sensitive manner. We can use our expertise to help you determine the appropriate level of security required by various worldwide legislations and craft a solution out of our various product lines, such as SAP Security, Single Sign-On, Client Security, and Identity Management.
For more information about IT security solutions from SECUDE, please visit www.secude.com.
1 Security 101 for Covered Entities (CMS, November 2004), www.cms.hhs.gov/hipaa/hipaa2/education/default.asp#SecurityEd
3 For more information, visit http://theory.csail.mit.edu/~yiqun/shanote.pdf
4 For more on SSO and to see our ROI calculator, please access SECUDE's SSO white paper at www.secude.com.