Special Report


Special Feature: Corporate Governance and Compliance


July 1, 2005

5 Tips to Gain Control Over Compliance, Not Have Compliance Control You

Philip Say
Director of Solution Marketing,
mySAP ERP Financials,


Accelerating the Path to Continuous Compliance

How to Transform Sarbanes-Oxley Compliance into Continuous Profitable Advantage

Automate Segregation of Duties Monitoring for Cost-Effective Compliance

Exaserv Enables HIPAA 834 Compliance with One Interface, One Solution

Don't Let Your 404 Efforts Go to Waste! Add Value with Automated Tax Solutions from Vertex

Support Sustainable Compliance Through Continuous Controls Monitoring Technology

Ensuring Tax Payment Accuracy for Sarbanes-Oxley Compliance

Sarbanes-Oxley Software: Why Has a Simple Concept Been Made So Difficult?

From Sarbanes-Oxley to HIPAA: Legislative Trickle-Down and Other Reasons to Sweat

Compliance is complex: The rules and requirements can vary based upon your industry, the products you produce, the processes you operate, and the places where you do business. And it is constantly changing. Speed and reaction times are essential qualities needed to manage today's regulatory landscape.

Compliance is not a one-year or one-time phenomenon. This isn't Y2K. According to John Hagerty of AMR Research, US companies will spend an estimated $6.1 billion on software and professional services to address regulations that govern their enterprise. This figure represents a 10 percent increase in spending from 2004, and only a fraction of the $15 billion that will be spent on a global basis.1

Regulatory compliance and effective corporate governance are as important to your business as your ability to break into new markets, optimize supply chains, or support the expansion of your growing business. The risk and cost of poor compliance and governance should be evident simply by looking at recent history. So the question is: what are you doing to prevent compliance disasters in your business? And what can you do better this year to reduce your risk of noncompliance or poor governance? Between changes in regulations (or even interpretations of regulations), increased compliance spending, and adjustments in your own business, gaining control over compliance presents a challenge. What you did right last year could be completely insufficient this year.

Avoid Bumps in the Road Ahead

Compliance is not going to get any easier, either, so there is business justification to improve your ability to manage future compliance challenges. The short-term investment you make in your controls, reporting, and security will save you in the long term.

By being smart about compliance today — as you attack new regulations across a variety of areas — it becomes much more manageable, with marginal cost and marginal effort, as opposed to having to tackle compliance over and over and over again, which demands big budgets and big resources.

I believe that SAP can provide the tools you need to maintain compliance. We've had CFOs tell us that implementing SAP financial management processes and solutions has helped them prevent Sarbanes-Oxley from becoming an issue. They tell us that they have sound controls and insight into their data, and can help their auditors understand how they've generated their finances — and they are able to do it quickly.

Whether you have SAP in whole or in part, here are five tips you can use to prevent compliance from unnecessarily draining your resources:

1. Add Compliance to Your Business Case Checklist

Whether you are in the market for an ERP system, looking to upgrade your current ERP installation, or implementing any piece of enterprise software, it is very important that you consider compliance in your selection process. No matter the size of your company, compliance affects you and should be considered as one of the pillars for adopting an ERP system. For example:

  • For small companies, our current regulatory climate poses a major inhibitor of growth. Look for ERP and software solutions that will do most of the regulatory work for you as you expand. Avoid one-offs and other solutions that you will either have to replace or significantly upgrade as you grow. Make sure your major processes can be easily linked together and controlled. For example, you want to avoid major gaps or manual handoffs between sales and finance, or between accounting and financial reporting. The more seamless and integrated your processes are, the easier it is to control and mitigate risk.

  • For medium-sized companies, especially those looking to expand internationally or that are pre-IPO, seek out compliance solutions that can address dramatic changes in your business processes and can be easily translated to handle rapid expansion. Look for solutions that can operate in multiple geographies and support local regulatory requirements.

  • For larger public companies, especially those that have gone through the first Sarbanes-Oxley cycle and are licking their wounds, you don't want to be spending $10 million for compliance every year. Seek solutions that will enable you to make compliance part of the fabric of what you do. Manage internal controls as if you had a general ledger for processes. Install a system to centrally collect, examine, and report your control measures, a system that is periodically updated, internally reviewed, and used for proactive mitigation of control risks and gaps.

Given today's environment, compliance and corporate governance should be listed as a business requirement category in any enterprise software decision. By contemplating compliance requirements at the initial stages of your enterprise software project, you can reduce the possibility of gaps and issues that could arise once you are fully in production. We have never advocated upgrades purely for the sake of upgrading, but since mySAP ERP and the mySAP Business Suite contain compliance tools such as SAP Management of Internal Controls (MIC), these compliance capabilities may result in a reduced total cost of compliance that would make upgrading worth it.

2. Don't Reinvent the Wheel

Take a look at the tools that you're using today — you may already have access to compliance capabilities within your existing system. For example, if you're using mySAP ERP Financials, you've already got SAP MIC. It's just a matter of turning it on and configuring it.

SAP's rich partner community plays an important role here, too. SAP Compliance Calibrator by Virsa Systems, for example, is a partner solution that provides an elegant tool for real-time monitoring of internal control violations and 24x7 examination of segregation of duties violations in order to thwart corporate fraud. The software reduces IT and audit costs and makes possible high standards of corporate governance. Embedded directly in SAP systems, the solution enhances the extensive compliance capabilities already found in mySAP ERP.

SAP has also been working actively with leading auditing firms like PricewaterhouseCoopers, who are providing SAP with best practices. These auditing firms make available recommended control processes for a wide assortment of business functions, such as purchasing and procurement. These control processes can be uploaded into the SAP MIC tool and serve as a benchmark that you can use to evaluate the quality of controls and compare how well your current business processes map against an auditor's best practice recommendations.

3. Keep Your Hand on the Controls

A central requirement of Sarbanes-Oxley Section 404 is to document, assess, and remediate internal controls. Within mySAP ERP, that solution is MIC. Section 302 of Sarbanes-Oxley requires you to get signoffs down to the most molecular level — not only in finance, but in all your operations.

Keep in mind that if you are running a heterogeneous environment, you need glue to hold your diverse systems together, and you have to be smart about how you link things. That is the ultimate end game. Our suggestion is to move your platform to SAP NetWeaver. In today's regulatory landscape you will need complete access to information at every corner, at every turn. You're not going to get that done by having four or five different systems running your processes. It's better to stick with one platform.

4. Reporting, Reporting, Reporting

Be smart about your consolidated reporting. Do it so it is accurate, it's reconcilable, it's fast, and most importantly, it takes the cost out of the process.

If you are running Strategic Enterprise Management - Business Consolidations System (SEM-BCS), you have a distinct advantage in ensuring closed-loop control over financial statement generation. In addition, you can reduce compliance risk by accelerating the closing cycles of your business: you can close the books faster and more accurately, and allow more time for validation and signoff. More importantly, SEM-BCS will place you in a better position to report material changes to your business, an upcoming requirement of Sarbanes-Oxley Section 409.

Finally, get your closing process done quickly. Regardless of whether you have quarterly, monthly, or daily closes, make sure your reports are transparent, so that they will roll up easily and enable others to drill down. SAP SEM-BCS is the system that allows companies with diverse financial reporting structures to aggregate and normalize financial reports that cut across a global enterprise. Using SAP BW technology, companies are able to generate balanced, correctly reconciled financial statements that fit the individual reporting requirements of an industry or local country standard.

5. Security, for Just in Case

Despite the best controls in the world, all it takes is one errant employee to undo a year's worth of precautions. It is important to have security controls in place to handle that exigency should it occur. Within SAP systems, there are numerous 'fingerprinting' technologies available that can enable you to do a forensic examination of transactions, identifying precisely who did what. SAP generates a log that identifies every user who's touching your transactions.

Framework for Effective Enterprise Governance and Compliance

There are multiple technologies you can use to sustain continuous compliance and governance. SAP gives you a wide assortment of components that, when used in combination, establish a robust framework for reporting controls, whistle blowing, audit management, documenting internal control tests, and real-time analysis and monitoring of internal controls and segregation of duties (SoD) violations (see Figure 1).

Figure 1
The Complete Stack for Sustaining Compliance

SAP is a good choice for companies with the right intentions for corporate compliance and enterprise governance. We carry a vast array of control mechanisms and industry-specific functionality to address a wide spectrum of regulatory issues and mandates that govern your enterprise. Compliance is not easy; however, SAP can help ease the effort and support your objectives with the right tools and technologies. More importantly, SAP can give you a long-term solution that supports your business as it expands and faces new compliance challenges.

For more information, visit And to learn more about SAP's partner program, please visit

1 "Spending in an Age of Compliance, 2005," AMR Research (March 17, 2005).


Accelerating the Path to Continuous Compliance

Mark L. Feldman, Ph.D.
Senior Vice President,
Strategy and Business Development,
Virsa Systems Inc.

A single finding of a material controls weakness in your company can lead to an adverse audit opinion, making it clear to all SAP customers that "good enough" is not enough for Sarbanes-Oxley compliance. You cannot comply just "enough" and simply hope that one errant employee isn't evading transparency or overriding controls. The penalties are just too high. Controls weaknesses can quickly translate to lower share prices and debt ratings, credit scrutiny, customer reticence, higher insurance premiums, activism by institutional investors, and shareholder litigation.

And what about the cost of compliance? Few things are more costly than the repetitive, time-consuming, mind-numbing, and error-prone manual checking and recording processes that characterize most Sarbanes-Oxley solutions today.

Real-time testing and monitoring of controls can eliminate the pain, reduce the cost, and accelerate the path to compliance. Automated alerts with access to integrated risk analysis, forensics, remediation, and audit trails round out a powerful solution set for continuous compliance — SAP Compliance Calibrator by Virsa Systems and Virsa's Continuous Compliance Suite.

SAP Compliance Calibrator by Virsa Systems

SAP Compliance Calibrator by Virsa Systems is now available directly from SAP. It automates real-time detection and prevention of ERP security and controls violations, delivering 24x7, continuous compliance with regulatory mandates, thwarting internal fraud, reducing IT and audit costs, and reinforcing high standards of governance.

SAP Compliance Calibrator by Virsa Systems focuses primarily on user authorization and access controls across the landscape, including critical transaction monitoring. It is used by over 160 SAP customers, including some of the world's largest and most technologically sophisticated multinational enterprises.

SAP Compliance Calibrator by Virsa Systems is Powered by SAP NetWeaver and complements SAP's Audit Information System (AIS) and Management of Internal Controls (MIC) solutions, providing SAP customers with a comprehensive and dynamic solution for regulatory compliance.

The Spirit (and Costs) of Sarbanes-Oxley

Tawdry tales and harsh realities of stolen assets, lost pensions, and $6,000 shower curtains led the US Congress to pass the Sarbanes-Oxley Act of 2002. Born of corporate scandals, the legislation is intended to restore investor trust in public markets, strengthen executive responsibility, and toughen corporate governance. This integrity is enforced through auditor independence, chief executive attestations of accurate financial data and effective controls, timely disclosure of material events, and support for whistle blowing. The penalties for noncompliance include jail time and heavy fines.

Widely perceived by public companies as collective penance for the misbehavior of their peers, the stringent Sarbanes-Oxley requirements have been met with mixed responses. No chief executive wants to go on record opposing good governance and investor protection legislation. However, many are willing to voice support for the spirit of Sarbanes-Oxley and decry the costs of maintaining and proving perpetual compliance. To that end, real-time, automated testing and monitoring of controls can not only accelerate the path to Sarbanes-Oxley compliance, but improve business operations, enhance shareholder confidence, and in the end, help companies achieve better business performance.

Virsa's Continuous Compliance Suite

Virsa's Continuous Compliance Suite (see Figure 1) enhances SAP Compliance Calibrator by Virsa Systems, rounding out the solution by adding sophisticated products to help customers reduce the cost of compliance, better manage risk, and fundamentally run a better business. The Continuous Compliance Suite consists of:

  • Access Enforcer — An automated user request, approval, and compliant provisioning solution that is Web-based and workflow-configurable with proactive segregation of duties (SoD) compliance checking

  • Role Expert — A role definition, documentation, and change control solution with automated compliance checking

  • Firefighter — A solution for eliminating audit concerns over emergency IT support to production, allowing unconstrained access buffered by an audit trail

  • Risk Terminator — A true preventive control for stopping SoD violations in their tracks; from inside SAP, it can completely block potential violations or raise an alert on them

With real-time continuous compliance solutions from Virsa Systems, the high cost of Sarbanes-Oxley compliance is history. No more penance for the dark days of corporate malfeasance.

Figure 1
Virsa's Continuous Compliance Suite

Long-Term Benefits of Continuous Compliance

Companies that have embraced Sarbanes-Oxley in both spirit and practice are reaping significant rewards. Optimization of business processes is only the beginning. Indexes comparing the performance of companies with high governance ratings versus low governance ratings reveal superior market performance by the former. The implication: better control, more accurate data, better insight, better management, and better performance.

Companies are now touting their high governance ratings and positive Sarbanes-Oxley audit results. Institutional investors are rewarding them with share price premiums. Bankers, insurers, vendors, corporate customers, and prospective business partners are showing them preference. Sarbanes-Oxley compliance, with its quarterly validations, is fast becoming a more important indicator of a well-run business than ISO 9000.

Egregious human misbehavior made Sarbanes-Oxley a necessity. Continuous compliance eliminates the stigma and contributes to shareholder value. Simple, smart technology like SAP Compliance Calibrator by Virsa Systems and Virsa's Continuous Compliance Suite deliver the automated controls compliance that makes it possible.

About Virsa Systems Inc.

Virsa Systems Inc., an SAP Software Partner with certified integration, is the developer of real-time compliance and controls software for SAP systems. Purpose-built to maintain continuous compliance with stringent regulatory mandates such as Sarbanes-Oxley, Virsa's solutions for security, controls, and corporate governance automate risk assessment, eliminate false positives, and deliver real-time simulation and remediation capabilities. With its library of built-in, best practice rules, Virsa delivers accelerated implementation and fast remediation with low cost of implementation for enterprise customers. Virsa is a privately held company with investments from Kleiner Perkins, LightSpeed Venture Partners, and SAP Ventures.

For more information on continuous compliance solutions for SAP customers, please visit


How to Transform Sarbanes-Oxley Compliance into Continuous Profitable Advantage

Prashanth V. Boccasam
CEO, Approva Corporation

Considering how many hours and dollars have gone into Sarbanes-Oxley compliance over the past year, turning those efforts into improved business efficiency and competitive advantage seems like the obvious next step. But is this transformation possible? How do you move sustained compliance costs from the expense column into the profitable investment column?

It's the same problem we all faced over pollution and waste mandates several years ago. At first, compliance was a required cost of doing business. But very quickly, smarter companies found a way to not only meet the letter of the law, but to use those compliance efforts as an opportunity to develop more efficient and less resource- and energy-intensive processes.

"Companies are spending enormous amounts of money on compliance. They need a way of turning their investment in Sarbanes-Oxley into real, bottom-line value through business process improvement. Companies that see, and most importantly act on, the big picture will use these mandates as a catalyst for improving efficiency and reducing risk across their organization."

- Rick Steinberg, co-author of the COSO Internal Control Framework

To think beyond compliance and in terms of business insight, control, and process improvement — all the way down to the user and transaction levels — SAP customers are finding that controls management software solutions like Approva BizRights make efficiency, controls, and cost savings possible.

The Benchmarks of Efficient, High-Performing Compliance Solutions

Complying with Sarbanes-Oxley is a business expense for SAP customers. But so are ineffective controls, accounting errors, and inefficient business processes. To that end, Sarbanes-Oxley compliance projects should be able to improve your business at the same time. If you're going to overhaul your controls, you might as well make your processes perform better. Compliance, then, becomes a byproduct of how well you are running your financial systems.

Approva, an SAP Software Partner with certified Powered by SAP NetWeaver integration and a member of SAP's Global Security Alliance, enables SAP customers to achieve benefits beyond compliance with BizRights, an Enterprise Controls Management solution. To propel more efficient business processes, compliance solutions — like BizRights — must meet the following benchmarks.

There is simply no way you can monitor and evaluate every financial transaction within your company. Transaction monitoring has to be automated. By setting up a system that automatically alerts you to unusual or suspicious transactions when they occur, you are now ready to exercise control.

BizRights software allows you to set your own rules and parameters so that when any violations occur, an alert is automatically sent to the appropriate person. Since the monitoring and detection is automated, you can spend your time examining, evaluating, and improving your business processes.

Annual audits and reviews are performed far too infrequently to be effective tools against fraud, error, or duplication. Requests for investigations or security checks need to be handled within hours, not weeks.

Approva's BizRights software provides continuous monitoring of all your company's business transactions, so when auditors arrive, they aren't greeted by any surprises.

Companies that are interested in testing and monitoring controls across multiple applications — including SAP and non-SAP solutions — cannot rely on an architecture that resides exclusively inside of the SAP system and depends on access to SAP production systems for its software to function. Choosing a tool that runs inside of the SAP solution and that can only be used by SAP security-savvy professionals violates the very nature of independence that Sarbanes-Oxley promotes. Companies instead require an application that can monitor any ERP solution.

Because BizRights software audits and monitors SAP controls yet resides outside of the application, it provides greater visibility, a more independent view into the application controls, and a more trustworthy audit. Residing outside of the ERP application also provides a foundation for cross-application analysis and monitoring, a feature that has been built into Approva BizRights architecture since the product's inception.

Every major audit firm has published guidelines clearly stating that business controls must be the responsibility of business managers. What's more, IT security managers have told Approva that they will not and cannot be held wholly responsible for a sustainable controls compliance framework — that business process owners must be involved in the process and take responsibility for the effectiveness of their controls framework.

An effective collaboration strategy requires software like BizRights, which encourages IT, accounting, finance, and audit professionals to work together. If managers are to turn compliance efforts into competitive business improvement opportunities, they must have software that presents these business exceptions in terms that are clear to all.

Running a complete controls analysis on large, complex SAP systems within your SAP landscape creates performance bottlenecks that impact production environments. Several customer tests and evaluations have shown that running a comprehensive, thorough analysis of segregation of duties (SoD) issues, for example, across all users and all roles inside of an SAP production system can use 25 to 50 percent of the system resources of that production environment. This resource drain causes serious performance bottlenecks on the rest of the SAP tasks, or forces the analysis to take place only at night or on weekends.

That's why a robust, scalable architecture — like Approva BizRights — built outside of the SAP system and running continuously on an independent, industry-standard platform provides a sustainable compliance solution. SAP system resources are used for minutes, not hours, and allow for a rapid extraction of changed data. Analysis can be performed independent of the SAP system, and requires no SAP security knowledge, or even an SAP login, to view.

A Continuous, Effective Solution for SAP Customers

Approva BizRights provides an independent, collaborative, and robust architecture that transforms Sarbanes-Oxley compliance into improved business processes and competitive advantage. And of course, as an SAP Software Partner with certified Powered by SAP NetWeaver integration, Approva maintains a close relationship with SAP. The SAP Consulting management team, with its world-class expertise in security management, chose Approva as a member of its Global Security Alliance.

For copies of our white papers, or to learn more about how leading companies are leveraging continuous visibility into their automated business processes and internal controls, visit or email

3 Critical Questions to Ask When Assessing Enterprise Control Software Solutions

Successful companies must ask three essential questions when evaluating enterprise control software solutions:

1. Does the solution meet the Sarbanes-Oxley goal of ensuring audit independence in certifying financial controls and results?

2. Can it analyze and monitor controls and transactions across multiple ERP solutions — including both SAP and non-SAP applications?

3. Is the solution scalable and robust enough to analyze tens of thousands of users and millions of transactions without bringing your production environment to its knees?

When you can confidently answer "yes" to these questions, you'll be able to see the kind of results that dozens of Approva customers have already achieved. Citing a three-month payback on its BizRights investment, based on the value of IT employees who were freed from supporting the replaced process and on the reduced requirements for internal applications maintenance, one company's Group Manager of SAP Security said, "We were impressed by the detailed insight we can get from our roles and authorizations. Thanks to BizRights, we were able to more accurately and confidently assess and manage risk. BizRights is a valuable complement to our SAP R/3 release 4.7 implementation."


Automate Segregation of Duties Monitoring for Cost-Effective Compliance

Marcel Huyskens, RE RA
CSI Netherlands

It's now common knowledge that the Sarbanes-Oxley Act requires your CEO or CFO to certify internal controls for financial reporting, operations, and compliance on a quarterly basis. But even in year two of compliance projects, SAP customers are still struggling with the exact implications and requirements for their core SAP system.

What does Sarbanes-Oxley mean for you as an SAP customer? And how can you quickly pinpoint errant behavior while keeping compliance costs in check? SAP customers are turning to solution providers like CSI to help decipher Sarbanes-Oxley requirements and cost-effectively achieve compliance.

Breaking Down Sarbanes-Oxley for SAP Customers

A key Sarbanes-Oxley control is the segregation of duties (SoD) requirements check. To effectively achieve this control, you need to:

  • Identify critical tasks and segregation of duties for financially significant functionality

  • Periodically evaluate the actual SAP access rights for these critical tasks and segregation of duties

  • Check, in cases where any inappropriate access was given, whether a user actually executed the functionality
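The three steps above (define the conflicting critical tasks, evaluate who actually holds both halves of a conflict through their roles, then check the execution log to see whether the access was used) can be expressed as a small SoD analysis. The following is an added example written for this article, not CSI's or SAP's code: the task-to-transaction mapping, role names, user assignments, and execution log are all constructed sample data, and the two SoD rules are illustrative rather than an auditor's ruleset.

```python
"""Segregation-of-duties (SoD) check over constructed sample data.

Step 1: declare critical tasks and the pairs of tasks that must be segregated.
Step 2: compute each user's effective transaction codes from their roles and
        flag users who can perform both halves of a conflicting pair.
Step 3: consult the execution log to distinguish a latent conflict (access
        granted but never used) from an exercised one (both halves executed).
"""
from collections import defaultdict

# Step 1. Critical business tasks and the transaction codes that perform them.
# Constructed, illustrative mapping; a real ruleset would be far larger.
TASKS = {
    "create_vendor": {"XK01", "FK01"},
    "post_vendor_invoice": {"FB60", "MIRO"},
    "run_payment": {"F110"},
}

# Pairs of tasks one person must not hold together, with a risk rating.
SOD_RULES = [
    ("create_vendor", "post_vendor_invoice", "high"),
    ("post_vendor_invoice", "run_payment", "high"),
]

# Constructed role definitions and user-to-role assignments (hypothetical names).
ROLE_TCODES = {
    "Z_AP_CLERK": {"FB60", "MIRO"},
    "Z_VENDOR_MASTER": {"XK01"},
    "Z_PAYMENT_RUN": {"F110"},
    "Z_DISPLAY": {"FK03"},
}
USER_ROLES = {
    "alice": {"Z_VENDOR_MASTER", "Z_AP_CLERK"},  # conflict granted, half used
    "bob": {"Z_AP_CLERK", "Z_DISPLAY"},          # no conflict
    "carol": {"Z_AP_CLERK", "Z_PAYMENT_RUN"},    # conflict granted and exercised
}

# Constructed execution log: (user, transaction code actually started).
EXEC_LOG = [
    ("alice", "FB60"),
    ("bob", "MIRO"),
    ("carol", "MIRO"),
    ("carol", "F110"),
]


def effective_tcodes(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Union of transaction codes reachable through all of the user's roles."""
    codes = set()
    for role in user_roles.get(user, ()):
        codes |= role_tcodes.get(role, set())
    return codes


def tasks_granted(tcodes, tasks=TASKS):
    """Critical tasks that a set of transaction codes can perform."""
    return {task for task, codes in tasks.items() if codes & tcodes}


def find_sod_conflicts(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES,
                       rules=SOD_RULES, exec_log=EXEC_LOG, tasks=TASKS):
    """Return one finding per (user, rule) where both halves are granted.

    'exercised' is True only when the log shows the user executed a
    transaction from each half of the conflicting pair (step 3).
    """
    executed = defaultdict(set)
    for user, tcode in exec_log:
        executed[user].add(tcode)

    findings = []
    for user in sorted(user_roles):
        granted = tasks_granted(effective_tcodes(user, user_roles, role_tcodes), tasks)
        used = tasks_granted(executed.get(user, set()), tasks)
        for task_a, task_b, risk in rules:
            if task_a in granted and task_b in granted:
                findings.append({
                    "user": user,
                    "conflict": (task_a, task_b),
                    "risk": risk,
                    "exercised": task_a in used and task_b in used,
                })
    return findings


if __name__ == "__main__":
    for f in find_sod_conflicts():
        status = "EXERCISED" if f["exercised"] else "latent"
        print(f"{f['user']:<8} {f['risk']:<5} {f['conflict'][0]} + {f['conflict'][1]}  [{status}]")
```

Running it reports two findings: alice holds vendor creation and invoice posting but has only posted invoices, so the conflict is latent and is a role-design fix; carol holds invoice posting and the payment run and has executed both, which is the case the third bullet exists to surface and which an auditor would want investigated rather than merely remediated.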

Standard SAP functionality for user and role management — including the SAP User Information System and the SAP Audit Information System — is a good start for controlling SoD. However, customers seek additional functionality for efficiently defining and running queries for access rights, and for identifying roles and profiles granting excessive access.

No Need for Expensive SoD Monitoring Tools

To complement the SAP User Information System, a third-party solution like CSI Authorization Auditor, which is certified for integration with SAP NetWeaver, offers predefined content of over 350 queries and more than 7,000 potential SoD conflicts. CSI Authorization Auditor enables a fully automated check on segregation of duties, delivering detailed and statistical reports (see Figure 1). The interactive screen output of queries enables you to quickly determine the source or cause of unexpected access rights.

Figure 1
CSI Authorization Auditor Enables Highly Automated SoD Analysis

With CSI Authorization Auditor, analysis takes place on your PC, without disturbing the SAP system under review. The tool is release-independent, and your query criteria can be applied across all SAP systems (and clients), including SAP BW, SAP SEM, mySAP CRM, and SAP APO. The result is better evaluation, reporting, and analysis, which reduces the cost of Sarbanes-Oxley compliance for SAP customers.

For more information on CSI Authorization Auditor, please visit


Exaserv Enables HIPAA 834 Compliance with One Interface, One Solution

Frank Meertens
Partner, Exaserv Inc.

To reduce administrative costs, improve efficiency of health care systems, and guarantee security and privacy of individuals, the Health Insurance Portability and Accountability Act (HIPAA) includes 'Administrative Simplification' provisions requiring health and human services organizations to adopt national standards for electronic health care transactions. HIPAA 834 regulations require compliance from any health plans, health care clearinghouses, and health care providers that transmit health information electronically.

To comply with HIPAA regulations, many SAP customers face added development, testing, and maintenance effort to work with each of their providers, customers, and vendors, adding substantial time and monetary costs to an already ambitious compliance project. Imagine the difference it could make for your company to have one interface for all of your vendors — streamlining and reducing the cost of your HIPAA 834 compliance efforts.

Features of the HIPAA Interface Tool

  • A single interface for all health care vendors

  • Flexibility while complying with HIPAA regulations

  • Clean and simple design with extensive reporting

  • First test file ready within 24 hours

  • Consolidated configuration and customizing screen

  • Straightforward configuration tables

  • Schema-controlled interface

One Interface for All Health Care Providers

Exaserv Inc., a Human Capital Management (HCM) solution provider, has developed a HIPAA interface that complements and adapts to your mySAP ERP HCM environment. The Exaserv tool is fully operational out of the box, and is 100 percent compliant with HIPAA 834 guidelines and ASC X12 standards.1 The tool uses HIPAA's uniform national standards for electronic health care transactions to its advantage, enabling you, as an SAP customer, to transmit plan enrollment and participation files to all of your health insurance providers through one unified interface.

This single interface can communicate with any health care vendor in the United States — from your major health care providers to your smaller vendors — thereby reducing or eliminating cumbersome paperwork to maintain health care plan enrollments. Additionally, this interface will eliminate the burden of technical challenges when you change vendors.

Flexible and Forward-Thinking HIPAA Compliance

The data exchange scope that has been incorporated into the delivered Exaserv tool includes sponsor, vendor, and third-party details, as well as subscriber demographics and health plan participation details (for active employees, retirees, COBRA participants, surviving dependents, etc.), in line with the current HIPAA 834 transaction set. And you can rely on Exaserv to keep up with any enhancements or changes to the HIPAA guidelines, thereby relieving your internal resources from having to keep pace with the still-developing scope of the HIPAA 834 transaction set.

The Exaserv interface tool also has the flexibility to allow customers to easily add, omit, move, or control any segments of the outbound EDI (electronic data interchange). The tool comes with easy-to-configure tables to map your mySAP ERP HCM settings to the HIPAA guideline format. This ensures quick and easy implementation, as well as minimal efforts in adapting the interface to any future changes made in mySAP ERP HCM as your organization's business demands fluctuate.
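The two preceding paragraphs describe the data the 834 carries (sponsor, insurer, subscriber demographics, participation status and plan details) and a schema that lets you add, omit or move segments of the outbound EDI. The following Python shows what such a schema-controlled builder looks like at its core, together with the envelope checks a receiving translator performs. It is an added example and is not Exaserv's code; the enrollment records are constructed, the status-to-code mapping is an assumption, and the X12 code values (INS, REF, NM1, DMG, HD, DTP, BGN08, ISA/GS framing for version 004010X095A1) are as I recall them from the 834 implementation guide, so confirm them against the guide and each insurer's companion guide before relying on them.

```python
"""Schema-controlled HIPAA 834 (ASC X12 004010X095A1) builder with the envelope
checks a receiving translator performs. Added example, not Exaserv's code;
sample data is constructed and code values must be confirmed against the guide."""
from dataclasses import dataclass

ELEM, SEG, COMP = "*", "~", ":"   # element, segment and component separators

# HCM participation status -> INS05 benefit status and INS08 employment status
# (assumed mapping; a real interface keeps this in a configuration table)
BENEFIT_STATUS = {"active": "A", "retiree": "A", "cobra": "C", "surviving": "S"}
EMPLOYMENT_STATUS = {"active": "FT", "retiree": "RT", "cobra": "TE", "surviving": "TE"}
MAINTENANCE = {"add": "021", "change": "001", "terminate": "024"}  # INS03 and HD01

# Member-loop segments to emit, in order. Drop or reorder entries to omit or
# move segments of the outbound EDI; nothing else in the builder changes.
DEFAULT_SCHEMA = ("INS", "REF", "NM1", "DMG", "HD", "DTP")


@dataclass
class Enrollment:
    """One plan participation record as exported from HCM (constructed shape)."""
    subscriber_id: str
    last: str
    first: str
    dob: str        # CCYYMMDD
    gender: str     # M, F or U
    status: str     # active | retiree | cobra | surviving
    action: str     # add | change | terminate
    plan_code: str
    coverage: str   # HD05 coverage level: EMP, ESP, ECH or FAM
    begin: str      # CCYYMMDD benefit begin date


def member_segments(e: Enrollment, schema=DEFAULT_SCHEMA) -> list[list[str]]:
    """Map one record onto the 834 member loop, filtered and ordered by the schema."""
    loop = {
        "INS": ["INS", "Y", "18", MAINTENANCE[e.action], "",
                BENEFIT_STATUS[e.status], "", "", EMPLOYMENT_STATUS[e.status]],
        "REF": ["REF", "0F", e.subscriber_id],            # 0F = subscriber number
        # NM108 "ZZ" carries the employer's id; using "34" would put an SSN in
        # every file, which only enlarges the PHI you must protect and never log.
        "NM1": ["NM1", "IL", "1", e.last, e.first, "", "", "", "ZZ", e.subscriber_id],
        "DMG": ["DMG", "D8", e.dob, e.gender],
        "HD":  ["HD", MAINTENANCE[e.action], "", "HLT", e.plan_code, e.coverage],
        "DTP": ["DTP", "348", "D8", e.begin],             # 348 = benefit begin
    }
    return [loop[tag] for tag in schema if tag in loop]


def build_834(records, sponsor, insurer, date="20050701", time="1200",
              control=1, schema=DEFAULT_SCHEMA) -> str:
    """Serialise one interchange holding one 834 for the given sponsor and insurer.
    sponsor and insurer are (name, tax_id) pairs; the tax id doubles as the
    interchange sender/receiver id (an assumption, normally set by the partner)."""
    (sname, sid), (iname, iid) = sponsor, insurer
    body = [
        ["ST", "834", "0001"],
        ["BGN", "00", f"{control:09d}", date, time, "", "", "", "2"],  # BGN08 2 = change
        ["N1", "P", sname, "FI", sid],      # plan sponsor
        ["N1", "IN", iname, "FI", iid],     # insurer
    ]
    for e in records:
        body.extend(member_segments(e, schema))
    body.append(["SE", str(len(body) + 1), "0001"])   # SE01 counts ST..SE inclusive
    isa = ["ISA", "00", " " * 10, "00", " " * 10, "ZZ", sid.ljust(15), "ZZ", iid.ljust(15),
           date[2:], time, "U", "00401", f"{control:09d}", "0", "T", COMP]
    gs = ["GS", "BE", sid, iid, date, time, str(control), "X", "004010X095A1"]
    ge = ["GE", "1", str(control)]
    iea = ["IEA", "1", f"{control:09d}"]
    return SEG.join(ELEM.join(s) for s in [isa, gs, *body, ge, iea]) + SEG


def parse(x12: str) -> list[list[str]]:
    """Split an interchange into segments and elements (no sub-element handling)."""
    return [seg.split(ELEM) for seg in x12.rstrip(SEG).split(SEG)]


def check_envelope(segs: list[list[str]]) -> list[str]:
    """Structural errors a receiver's translator rejects on; empty means clean."""
    errors = []
    isa, gs, ge, iea = segs[0], segs[1], segs[-2], segs[-1]
    st = next(i for i, s in enumerate(segs) if s[0] == "ST")
    se = next(i for i, s in enumerate(segs) if s[0] == "SE")
    if len(ELEM.join(isa)) != 105:
        errors.append("ISA must be exactly 105 characters before its terminator")
    if int(segs[se][1]) != se - st + 1:
        errors.append("SE01 segment count does not match ST..SE")
    if segs[st][2] != segs[se][2]:
        errors.append("ST02/SE02 control numbers differ")
    if gs[6] != ge[2] or isa[13] != iea[2]:
        errors.append("group or interchange control numbers differ")
    return errors
```

Two practitioner points the builder makes visible: the schema tuple is the only thing that changes when an insurer wants a segment dropped or moved, and the identifiers chosen for NM108/NM109 decide whether every outbound file carries Social Security numbers. The file itself is PHI either way, so transport to the insurer (SFTP, AS2 or a VAN) and the retention of copies on the SAP host need the same protection as the HCM data it came from.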

For more information on simplifying your HIPAA compliance needs, please visit

1 In 1979, the American National Standards Institute (ANSI) chartered the Accredited Standards Committee (ASC) X12 to develop uniform standards for inter-industry electronic exchange of business transactions: electronic data interchange (EDI).

Michael Guelker
Tax Services,
Vertex Inc.

Don't Let Your 404 Efforts Go to Waste! Add Value with Automated Tax Solutions from Vertex

As an SAP customer, by now you've become well-informed about the Sarbanes-Oxley Act — in particular Section 404 — and its requirements of effective, transparent internal controls. Complying with Section 404 is one of the most involved processes companies are facing today, and many SAP customers consider the associated time and costs draining, especially in terms of the company's overall business goals.

Your compliance efforts, however, can do far more than prepare you for Section 404 compliance. With technology solutions from Vertex, an SAP Software Partner with certified integration, SAP customers can comply with the regulatory statutes of Sarbanes-Oxley while also integrating a comprehensive and cost-effective tax solution.

Increased Attention on Tax Departments

An informal survey of Vertex's SAP customer base shows the following results related to Sarbanes-Oxley Section 404:

  • Nearly half of the respondents agreed that senior financial managers or executives have gotten more involved in the tax department operations and procedures as a result of Sarbanes-Oxley

  • Over half of the respondents have introduced process automation initiatives as a result of the Act

  • About a quarter of the respondents stated that the tax department's relationship with the Audit Committee has changed due to Section 404

  • About one-third of the respondents said their tax department's relationship with the Internal Audit Department has changed as a result of the Act

With the increased focus on tax, you have substantial momentum for making the necessary process and automation changes your tax department needs. It is possible to use your 404 efforts for something other than an audit guide for your outside auditors!

Vertex Tax Automation Solutions

SAP customers expending additional resources toward complying with Sarbanes-Oxley can simultaneously extend the benefits of compliance by automating tax processes with Vertex solutions. Vertex O Series, for example, a Web-enabled tax calculation solution, manages the tax compliance process by calculating sales and use taxes and keeping detailed records of each transaction and how the system determined the tax decision. Automating this tax compliance process gives SAP customers the ability to record each sales and use transaction, and provides companies with the tools to track and review their system usage and setup.

Vertex O Series is certified to run on SAP Web Application Server, which is part of the SAP NetWeaver integration and application platform. SAP users can now confidently install and deploy Vertex O Series, which is both Certified for SAP NetWeaver and Powered by SAP NetWeaver, on the SAP Web Application Server. By deploying a tax compliance solution like Vertex O Series, SAP customers will not only automate your tax department's processes, but will also be one step closer to complete Sarbanes-Oxley 404 compliance.

Beyond Compliance

Customers using Vertex tax solutions with certified integration to your SAP applications can extend your 404 efforts far beyond your company's short-term compliance goals. To learn more about Vertex tax technology services and solutions, please visit or email us at

Michael Cooke, CA CISA
Continuous Monitoring Technology,
ACL Services Ltd.

Support Sustainable Compliance Through Continuous Controls Monitoring Technology

If there's one lesson learned from this past year, it's that compliance is an evolving process that requires a long-term solution. Year one Sarbanes-Oxley efforts not only placed a tremendous strain on internal resources, but also far exceeded budget forecasts. An A.R.C. Morgan study shows that first-year total compliance costs are estimated at US $3 to 3.2 million per $1 billion in sales — three times the predicted $1 million for every $1 billion in annual revenue.1

This level of effort cannot be sustained, yet the need for compliance isn't going away. As a result, compliance teams are seeking ways to achieve sustainability by automating appropriate compliance activities. SAP customers are turning to testing and monitoring solutions — such as Continuous Controls Monitoring (CCM) solutions from ACL, an SAP Software Partner with certified integration — to achieve sustainable compliance.

Focusing the Compliance Technology Investment

All experts, from the Big 4 to industry analysts, have identified that leveraging technology to automate monitoring and testing processes is essential for repeatability, sustainability, and cost effectiveness. In fact, AMR Research recently stated that key technologies that automate internal controls testing can reduce the cost of Sarbanes-Oxley compliance by upwards of 25 percent.2

ACL Continuous Controls Monitoring solutions can lead SAP customers to these substantial cost savings. ACL CCM automates controls testing and monitoring within business processes across the enterprise (purchase-to-payment, order-to-cash, G/L, payroll, and others). CCM reduces the burden of compliance on internal resources and allows organizations to introduce process efficiencies and improve bottom-line results.

ACL Continuous Controls Monitoring

ACL CCM draws upon our 18-year heritage in providing analytic technology used by the majority of the world's largest organizations. It embeds technology that drives audit best practices into your business operations — a key factor in achieving compliance sustainability. CCM continually tests all transactions — not just samples — to identify inefficiencies, fraud, and errors to save money, improve recoveries, and stop leakage. Highlights include:

  • Continuous testing and monitoring of all transactions across all systems, including ERP, SCM, and HR solutions, as well as custom-built applications. ACL's Direct Link, which is Certified for SAP NetWeaver, provides direct and seamless access to mySAP ERP data

  • Automated, predefined control tests, mapped to the COSO Internal Control Framework, with the flexibility to adjust parameters as requirements change

  • Timely identification of control exceptions, providing quantified exposure of business risk

  • A unified view of the control environment and control weaknesses, with the ability to drill down to specific exceptions and resolve problems before external reporting or material impact

By embedding ACL CCM within business operations, SAP customers can set the stage for an automated, sustainable approach to regulatory compliance. This heightened visibility and consistency in controls testing and monitoring across the enterprise is not only an effective means of good governance, it's also good business.

To learn how ACL CCM solutions can help you develop a sustainable compliance strategy, download our Webinar presentation, SOX Decisions for 2005: Focusing Your Technology Investment, featuring guest speaker AMR Research analyst John Hagerty, at

1 "Sarbanes-Oxley Implementation Costs — What companies are reporting in their SEC Filings," A.R.C. Morgan (February 24, 2005).

2 "SOX Decisions for 2005: Step Up Technology Investments," John Hagerty, AMR Research (January 14, 2005).

Eric Christian
Chief Technology Officer,
Ensuring Tax Payment Accuracy for Sarbanes-Oxley Compliance

Many SAP customers are sighing with relief after their initial audits following the first year of Sarbanes-Oxley Act compliance. While year one was about documentation and testing, now the focus is on sustainable compliance management, including consistent accuracy of accounting figures.

The challenge of Sarbanes-Oxley still looms for corporate tax departments, which conduct significant amounts of work manually or with simplified tax calculators, resulting in inconsistent and inaccurate tax determination, often without an audit trail. Tax departments also face monthly compliance deadlines with countless local, regional, state, and national tax jurisdictions.

To meet these pressing governance challenges, SAP customers are turning to consolidated tax management solutions — such as the Sabrix Solution — to provide accuracy and an audit trail essential to financial compliance.

Accuracy in Tax: The Impact on Compliance

Almost every corporate function has some impact on tax, with the most common activities being sales and purchasing. Companies need a consolidated approach to transaction tax management for tax and IT professionals to manage compliance for sales, use, and international value-added taxes (VAT).

For accurate regulatory and tax compliance, SAP customers should consider using an integrated solution with multivariate precision that accepts and evaluates customer-selected transaction data elements from SAP applications. Multivariate precision provides the ability to dynamically apply any number of data attributes in any combination for consistent accuracy in the determination, calculation, and recording of tax.

Real-World Scenarios for Compliance

A simple purchasing transaction illustrates the value of multivariate precision. Consider a purchase of computer monitors for research and development (R&D) and administrative purposes. Many states allow an exemption for the monitors purchased for R&D use, while the monitors used for administrative purposes are taxable. The variables used to determine if the purchase is exempt include the material number, the department code, and the cost center. All variables must be considered to arrive at the appropriate determination.

This simple rule can be configured using existing SAP tools; however, this approach forces the SAP configuration team — instead of the tax professional — to manage rule configuration. Under Sarbanes-Oxley, the tax department must control tax decisions and document where and how tax decisions are performed. Having non-tax professionals — and systems not controlled by the tax department — managing tax decisions makes SAP customers vulnerable to a higher degree of scrutiny during the annual compliance audit.

Reporting Accuracy and Seamless SAP System Integration

The integration of a consolidated tax management solution, such as the Sabrix Solution,1 with your SAP system ensures consistent and accurate reporting. This fine level of accuracy can also improve cash flow by ensuring correct tax amounts are collected and accrued. Planning for the long term will prevent this often forgotten area of finance from having unforeseen and unwanted impacts on corporate reporting and compliance.

Sabrix is an SAP Software Partner with certified integration, and is a leading provider of enterprise tax applications integrated with international tax research for more than 130 countries. For more information, visit

1 The Sabrix Solution is certified by SAP for connection to SAP R/3 4.6 including support for SAP R/3 Enterprise, mySAP CRM 4.0, and mySAP Mobile Client 4.0 for US Sales and Use Tax and Canadian VAT/GST. The Sabrix Solution is also certified for integration within the Powered by SAP NetWeaver framework (SAP Web Application Server 6.40 and SAP Enterprise Portal 6.0).

Robin-Jan de Lange
SOX Compliance,
D2C Solutions

Randall Engalla
Vice President,
Software Solutions,
D2C Solutions
Sarbanes-Oxley Software: Why Has a Simple Concept Been Made So Difficult?

It is remarkable that Section 404 of the Sarbanes-Oxley Act, a 168-word paragraph built on a simple concept, has given rise to an industry-wide belief that compliance can be achieved only with dedicated staff adapting rule libraries of hundreds of thousands of line items and analyzing even longer results lists. The result is a spike in overhead costs and genuine concern about the long-term sustainability of these solutions.

SAP customers should instead look for proactive, sustainable, turnkey products — like SOD Detective, D2C Role Map Server, and Security Cockpit from D2C — that lower your total cost of compliance and allow you to focus beyond Sarbanes-Oxley and on your business.

Early Adopters vs. Rule Breakers

Think it is safe to go with a leading compliance firm? Ask Enron. As yet, the vast majority of companies still have not settled on a specific commercial Sarbanes-Oxley solution.

The reason for the market's reluctance is profound: The translation from Section 404's simple concept and easy-to-understand requirements into most current software products has resulted in a lackluster prevailing methodology. Companies are waiting for a solutions provider with a proactive and sustainable approach to compliance.

The Exponential Growth of Rule Libraries

A main component of Sarbanes-Oxley compliance, the concept of Segregation of Duties (SoD) is simple: Prevent fraud in the system by ensuring certain business functions are segregated over multiple persons in your organization. Developing an adequate SoD matrix is a mixture of common sense and experience.

It's in the translation of these business requirements to the IT system that much of the confusion is introduced. Somehow, from a simple matrix, a rule library is created containing thousands upon thousands of queries. Drawbacks to this query-based approach include:

  • Lack of transparency between SoD requirements and the rule library

  • Extensive, labor-intensive customizations

  • Long analysis runtimes

  • Challenging upkeep, given the dynamic nature of SAP systems

  • Concern about whether all scenarios are covered, leaving backdoors open to commit fraud

  • Unworkable, lengthy results lists

When evaluating third-party solutions, SAP customers should be sure to choose an effective, sustainable offering that is efficient in its use of resources, presenting concise results through powerful technology.

Real Time vs. "Right Time"

Recently the idea of "real-time" compliance has sparked a lively discussion about the merits of inside versus outside SAP deployment. First of all, real-time most often means "too late." When business owners receive a workflow message alerting them to an identified SoD violation, this is a reactive methodology. SAP customers should instead focus on proactive solutions. D2C's Role Map Server, for example, will detect a violation upon submission for approval, enabling business owners to deal with SoD issues before assignment and authorization, instead of in an emergency situation.
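The matrix-first approach argued for under "The Exponential Growth of Rule Libraries" and the pre-assignment check described in this section can both be shown in a few dozen lines of Python. This is an added example and not D2C's product: the business functions, transaction codes, roles, users and conflict pairs are constructed for illustration, and a real mapping would key on authorization objects and field values rather than transaction codes alone, because S_TCODE is only the entry point to a function.

```python
"""Segregation-of-duties analysis driven directly by the SoD matrix.
Added example, not D2C's product. Functions, transaction codes, roles and the
conflict pairs are constructed; a real matrix is larger and keys on authorization
objects, not just transaction codes."""

# Business functions expressed as the SAP transaction codes that grant them
FUNCTIONS = {
    "maintain_vendor_master": {"XK01", "XK02", "FK01", "FK02"},
    "enter_invoice": {"FB60", "MIRO"},
    "release_payment": {"F110"},
    "maintain_bank_master": {"FI01", "FI02"},
}

# The SoD matrix itself: unordered pairs one person must not hold together
CONFLICTS = {
    frozenset({"maintain_vendor_master", "enter_invoice"}),
    frozenset({"maintain_vendor_master", "release_payment"}),
    frozenset({"enter_invoice", "release_payment"}),
    frozenset({"maintain_bank_master", "release_payment"}),
}

# Roles as built in the system (constructed); Z_TREASURY is deliberately badly designed
ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO", "XK03"},
    "Z_VENDOR_ADMIN": {"XK01", "XK02"},
    "Z_TREASURY": {"F110", "FI01"},
    "Z_DISPLAY_ONLY": {"XK03", "FK03"},
}


def functions_of(tcodes: set[str]) -> set[str]:
    """Business functions that a set of transaction codes enables."""
    return {f for f, codes in FUNCTIONS.items() if codes & tcodes}


def violations(role_names: list[str]) -> list[tuple[str, str, dict[str, list[str]]]]:
    """Conflicting function pairs reachable through the roles, each with the
    roles that contribute every side, so the finding explains itself."""
    tcodes = set().union(*(ROLES[r] for r in role_names))
    held = functions_of(tcodes)
    found = []
    for pair in CONFLICTS:
        if pair <= held:
            f1, f2 = sorted(pair)
            via = {f: sorted(r for r in role_names if ROLES[r] & FUNCTIONS[f])
                   for f in (f1, f2)}
            found.append((f1, f2, via))
    return sorted(found, key=lambda v: v[:2])


def detect(user_roles: dict[str, list[str]]) -> dict[str, list]:
    """Reactive mode: scan existing assignments; users without conflicts are omitted."""
    return {u: v for u, rs in user_roles.items() if (v := violations(rs))}


def preassign_check(current_roles: list[str], requested_role: str) -> list:
    """Proactive mode: evaluate a role request before approval and provisioning.
    Returns only the conflicts the request would add; empty means safe to approve."""
    before = {v[:2] for v in violations(current_roles)}
    after = violations(list(current_roles) + [requested_role])
    return [v for v in after if v[:2] not in before]


def role_design_defects() -> dict[str, list]:
    """Roles that carry a conflict on their own; these violate SoD for every holder."""
    return detect({r: [r] for r in ROLES})
```

The matrix stays the single source of truth: adding a conflict is one line, and every finding names the two functions and the roles that supply each side, which is what a business owner needs to act on. The proactive check reports only what a request would add, so an approver is not re-shown conflicts the user already carries, and the role-level pass catches roles that are unsafe for anyone before they are ever assigned.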

Sustainable Offerings from D2C

SAP customers are waiting for a paradigm shift in the approach to Sarbanes-Oxley compliance. Demand solutions that have powerful graphical screens with drill-down capability; allow user-friendly, drag-and-drop configuration; and are based on a patent-pending methodology that is powerful, sustainable, and exhaustive. For more information, please visit

Tristan Kromer
Vice President,
From Sarbanes-Oxley to HIPAA: Legislative Trickle-Down and Other Reasons to Sweat

The long reach of US legislation is by now well known from the Sarbanes-Oxley Act, which requires the CEOs and CFOs of companies listed on US stock exchanges to personally certify their financial reports and the internal controls behind them, including controls that sit in subsidiaries and in partners to whom business processes have been outsourced. Assigning this level of responsibility forces foreign business partners not normally under US jurisdiction to comply with the law if they want to continue doing business with US-listed companies. Given the multinational nature of many large corporations and the growing tendency to outsource significant parts of business processes, Sarbanes-Oxley has swiftly turned local legislation into a global nightmare.

The Long Arm of the Law

Unfortunately, the same legislative trickle-down can apply to other laws as well. The primary focus of HIPAA, for example, is to protect sensitive medical information. But to do so, the law forces a heavy security burden on any corporation that has a health plan - in other words, pretty much everyone. Although some companies, such as software billing vendors, may not be covered by HIPAA directly, they may still face indirect consequences.

Companies that decide to outsource parts of health care management overseas — even if they just outsource simple record keeping — are not exempt from HIPAA security standards. The security and confidentiality of any health-related documents must be maintained, and an overseas company may be forced into HIPAA compliance, just as in the case of Sarbanes-Oxley compliance.

SAP customers addressing compliance concerns must be careful to choose security partners who have sufficient expertise and understand not only local legislative and regulatory matters, but the growing morass of international red tape. Security is an international concern.

SECUDE is an international IT security vendor with headquarters in Zurich, Switzerland, and with rapidly expanding Sales and Service branches in the US, Germany, United Arab Emirates, Spain, the Netherlands, and Switzerland. We know what it takes to do business internationally.

The Long-Term Implications of HIPAA

The April 20, 2005, deadline for large companies to comply with HIPAA's security aspects has come and gone, and many SAP customers are breathing an initial sigh of relief. However, compliance is not a one-time phenomenon, and companies must look to third-party vendors like SECUDE, an SAP Software Partner with certified integration, to help them address the long-term effects of HIPAA compliance.

The Centers for Medicare and Medicaid Services (CMS) note, "security is not a one-time project, but rather an ongoing, dynamic process that will create new challenges as covered entities' organizations and technologies change."1 This is both a hint and a warning that companies who fail to regularly audit and update their security procedures face noncompliance. The penalties? Stiff fines, or worse, criminal prosecution. Although many companies either do not recognize the potential for prosecution, or simply view HIPAA as less of a priority than Sarbanes-Oxley, the US Department of Health and Human Services' Office for Civil Rights is empowered by HIPAA to refer noncompliance cases for criminal prosecution.

A Closer Look at HIPAA: Understanding the Ambiguous

HIPAA's security rules make an ambiguous distinction between those compliance aspects that are required, such as authentication, and those that are addressable, including integrity controls such as digital signatures. But as CMS points out, "Addressable does not mean optional."2

Addressable controls are crucial because they are often the most rapidly evolving technical aspects. Heavy research and development (R&D) efforts are underway in both governments and the private sector, and papers that alter the landscape of cryptography are released constantly. This new research changes the answer to questions such as, "What is an acceptable level of encryption?" and "Which hash function may still be used under a digital signature?"

For example, a weakness in SHA-1, a widely used hash function that underpins digital signatures and other integrity controls, was announced on February 13, 2005, by the research team of Wang, Yin, and Yu.3 For the public at large, this result (a method for finding collisions in about 2^69 hash operations, far fewer than the 2^80 an ideal 160-bit hash should require) has little immediate impact. Signatures and integrity checks that rely on SHA-1 are still safe, but only for now, and new deployments should move to a stronger hash such as SHA-256.

Research results such as the SHA-1 attack show that cryptographic algorithms have a shelf life. Security companies move to stronger algorithms as cryptanalysts, governments, and the merely curious work to break the old ones. Without constant vigilance, a solution that is HIPAA-compliant today is a wide-open legal liability tomorrow. Companies need to work with a security partner like SECUDE that is dedicated to keeping up with the latest advances in cryptography.

Digital Certificates: Don't Panic!

For companies that store protected health information (PHI) in SAP systems, HIPAA's transmission security and integrity requirements for SAP traffic can be addressed with the Secure Network Communications (SNC) interface, which protects the connections between SAP GUI, RFC clients, and application servers. SNC was created in 1997 through a development partnership between SAP AG and the Fraunhofer Institute in Darmstadt, Germany; the Fraunhofer Institute afterwards spun off the expertise gained from the partnership into a separate company, SECUDE GmbH. With SECUDE's products plugged into SNC, each end of a connection is authenticated with a digital certificate and the traffic between them is encrypted and integrity-protected. Note that SNC covers SAP protocol traffic only; PHI that leaves the system by other paths, such as enrollment files sent to insurers, needs its own transport protection.

Digital certificates tend to trigger beads of sweat from the accounting department because of their close association with Public Key Infrastructure (PKI). However, the two are not synonymous, and you don't need to implement a prohibitively expensive PKI to achieve robust encryption. SECUDE offers solutions specifically designed to achieve this high encryption level:

SECUDE securelogin can generate digital certificates on the fly to allow strong encryption and data integrity controls based on very flexible authentication methods such as RSA SecurID tokens or Microsoft ADS — and all without PKI.

SECUDE signon&secure offers similarly robust encryption through the SNC module for PKI. In 1998, it was the first such solution to be certified by SAP, and it is even in use by SAP today. What's more, both of these product solutions allow for single sign-on (SSO) to all SAP applications. For the average SAP implementation of 6-12 modules, each with their own user name and password, this can offer a substantial return on investment (ROI) by reducing help desk costs, increasing productivity, and improving the user experience. This ROI is so significant that an investment in SECUDE securelogin or SECUDE signon&secure can pay for itself within one year of implementation.4 With the added benefits of HIPAA compliance, SAP customers cannot ignore the value.

For more on SSO and to see our ROI calculator, please access SECUDE's SSO white paper at

SECUDE, a Partner for the Future

To secure legislative compliance today and for the future, companies need to stop shopping for a security vendor and start looking for a security partner. A good security partner should have the following attributes:

  • A strong commitment to R&D

  • An ongoing partnership with SAP

  • A deep understanding of international legislation

  • A wide, flexible product range in addition to customized projects

SECUDE's strong, continuing partnership with SAP helps to ensure that SECUDE solutions are not just hype-filled, one-shot products bound to be obsolete by the end of the year. Our intense R&D effort is dedicated to allowing a smooth transition to ever-evolving technologies in a cost-sensitive manner. We can use our expertise to help you determine the appropriate level of security required by various worldwide legislations and craft a solution out of our various products lines, such as SAP Security, Single Sign-On, Client Security, and Identity Management.

For more information about IT security solutions from SECUDE, please visit

1 Security 101 for Covered Entities (CMS, November 2004),
2 Ibid.
by SAP and Partners SAPinsider - 2005 (Volume 6), July (Issue 3)
