Compliance and Beyond: How Document Delivery
Systems Support Your Entire Financial Reporting Life Cycle
Vice President of Marketing,
Designed to restore corporate accountability and bring back investor
confidence, the Sarbanes-Oxley Act dramatically changes corporate governance
and reporting requirements. For many organizations, complying with new
government mandates on how to record, track, and disclose financial information
can be a daunting task.
With Sarbanes-Oxley, publicly held corporations must implement systems,
controls, and procedures that improve information security, ensure accuracy,
and provide a reliable audit trail for corporate information to prevent
fraud and provide financial transparency. Fortunately, organizations with
SAP already have a foundation for reliable financial and business process
reporting. However, you need to consider many systems and processes when
developing your compliance strategies. Although often overlooked, how
you disseminate, manage, and monitor your business information and financial
reports can have a significant impact on compliance efforts as well as
bottom-line business performance.
That’s why your document delivery and workflow procedures should
be key considerations when developing your overall compliance strategy.
By putting systems into place with SAP to automate document delivery and
associated business processes, companies can better support the entire
life cycle of financial reporting, reduce opportunities for fraud, and
provide an essential audit trail for communications.
Support Sarbanes-Oxley Compliance with e-Document Delivery from
E-document delivery is one important tool
organizations can use to support Sarbanes-Oxley
requirements. E-document delivery solutions
integrate with SAP, workflow, and other business
applications to automate business information
delivery via fax, email, or over the Internet.
Products such as Captaris’ RightFax help
support Sarbanes-Oxley compliance efforts by
providing secure and tamper-resistant electronic
delivery, receipt, and tracking of your business
By adding an e-document delivery solution to your framework for Sarbanes-Oxley
compliance, you can support compliance efforts in a variety of ways:
Safeguard Information Accuracy by Automating Document Delivery from SAP
Traditional delivery methods (postage, manual
fax, courier services) are vulnerable to breaching
the Sarbanes-Oxley Act. These processes require
manual handling and expose documents to alteration
or view by unknown or unauthorized individuals.
What’s more, these methods are often
unreliable and do not always provide timely, guaranteed, or confirmed
delivery. By integrating e-document delivery capabilities with SAP, organizations
can help safeguard information accuracy by automating document distribution
processes. Financial reports, correspondence with auditors, and other
corporate information can be automatically delivered with RightFax in
real time, directly from SAP or any other application to the intended
recipient’s fax or email inbox with
notification of receipt. This eliminates
the human factor when disseminating information
and limits opportunities for information
to be altered or represented fraudulently.
Provide a Centralized Communications Hub for Delivering Corporate
With Sarbanes-Oxley, corporations must develop processes to maintain
control over communications, documents, and workflows. RightFax offers
a centralized server solution that integrates with SAP, as well as workflow,
document management, imaging, archiving, and other IT systems to provide
inbound and outbound document delivery via fax, email, or the Internet.
By performing as a centralized hub for electronically disseminating corporate
communications, RightFax streamlines processes to enable timely, controlled,
and reliable distribution of business and financial information (see Figure
Captaris RightFax — A Centralized Hub for Electronically
Distributing Business Information
Streamline Business Workflow Processes
Sarbanes-Oxley has a significant impact on how you conduct, manage, and
control business processes and information dissemination. By integrating
workflow and e-document delivery capabilities with SAP, companies can
build a strong framework to effectively respond to new compliance requirements.
By combining the Captaris products Teamplate and RightFax with SAP, corporations
can easily support the complete corporate compliance life cycle.
Leverage Secure and Encrypted Electronic Information Delivery from SAP
For an added level of security, certified and encrypted delivery features
can be used to safeguard information delivery. RightFax provides encrypted
and certified email delivery options that require passwords to access
information, as well as electronic verification of receipt for better
authentication. This can help you better monitor and control by whom, where,
and when information is distributed and accessed. This also makes it easier
to limit and trace any possible fraudulent activities.
Enable Tamper-Resistant Information Transmission
By integrating an e-document delivery solution with your SAP applications
to automate document delivery, you can help ensure that documents retain
original data integrity and are not altered during transmission. For example,
with RightFax, information is transmitted as image-based, tamper-resistant
PDF or TIFF documents via a secure Public Switched Telephone Network (PSTN),
and is then stored electronically on the fax server.
Improve Information Tracking, Audit Trail, and Storage
With Sarbanes-Oxley, publicly held companies
must maintain all communications, application
data, and records between themselves and their
public auditors. Therefore, it is vitally important
to improve the efficiency and reliability of
how companies manage and track digital documents — how
they are delivered, who delivers and receives
them, and how they are housed can cause significant
RightFax electronically processes inbound and outbound documents and
can be configured to store incoming and outgoing faxes electronically
in a secured network storage device, archiving system, or database. It
can also track document transmission history, provide verification of
delivery, assign access passwords, and route incoming documents to individuals’
fax or email inboxes. These features provide electronic storage and a
deeper audit trail to help satisfy Sarbanes-Oxley digital document tracking
and storage requirements.
E-Document Delivery Features to Ask About for SAP and
Repercussions for noncompliance with the Sarbanes-Oxley Act can
be devastating to executives and corporations alike. As a result,
it is essential to understand how to wisely choose a business information
delivery solution for SAP. Consider the following when looking for
Certified and time-tested integrations with SAP:
Your e-document delivery solution will provide better reliability
and will be easier to install, use, and manage if it has SAP-certified
and proven integrations.
A single platform for multiple applications:
To gain the most value in an e-document delivery solution, look
for one that extends beyond SAP. It should provide seamless and
reliable integrations with all the applications you use including
email, CRM, document management, workflow, and multifunction devices.
This single platform will make it simpler to manage, track, and
control information dissemination across the organization and better
support Sarbanes-Oxley efforts.
Workflow tools: To get the most from an e-document
delivery solution, make sure it will seamlessly integrate with your
workflow processes. Does the vendor provide workflow tools to help
map business processes and monitor, manage, and distribute financial
information? For an optimal solution, find out about the vendor’s
experience with e-document delivery and process automation, as well
as with SAP.
Security and management: Since the communications originating
from SAP are vital to running your business and providing the supporting
documentation required to meet compliance guidelines, you should
make sure the system has robust security and management features
to ensure that documents are not altered and that confidentiality
and data integrity are retained. For added protection, look for encrypted
and certified delivery options.
Audit trail, tracking, and reporting: With Sarbanes-Oxley,
records of your business communications must be maintained and processes
must be in place to ensure their accuracy. As a result, you need
to ensure the solution provides reliable tools to track, monitor,
and manage communications. What kinds of notifications are available
with the solution? Can you receive status confirmations in your
email or back to SAPoffice? Can notifications be customized to include
a variety of information? Are there flexible reporting tools available?
Look for solutions with comprehensive and flexible tools for reporting
and audit trails.
Proven reliability: What is the solution’s
record when it comes to reliability? Does it have a solid track
record with SAP? How many installations does the solution provider
have with SAP? Look for automatic back-up, fault tolerance, remote
management, solid integrations with SAP, and a reputation for strong
Flexible integration options: To expedite implementation
and meet tight Sarbanes-Oxley compliance deadlines, you want solutions
that are quick and easy to deploy. Look for solutions that integrate
with SAP via SAPconnect, SAPscript, or SAP SmartForms. In addition,
look for technologies such as Java, XML, or Facsimile Command Language
that provide powerful, flexible tools for integrating or customizing
solutions to meet your needs.
The Business Value Beyond Supporting Sarbanes-Oxley Compliance
The business value of integrating e-document
delivery capabilities with SAP reaches far
beyond supporting Sarbanes-Oxley compliance.
In fact, the document delivery solutions you
put in place can have enormous impact on your
company’s bottom-line performance as
well. E-document delivery and workflow solutions
like those from Captaris can also be used with
SAP and other business applications to bring
efficiencies into your information delivery
processes to control costs, reduce business
cycle times, and enhance customer service.
The result: improved business performance and
more confident investors.
Captaris is a provider of business information
delivery solutions that integrate, process,
and automate the flow of messages, data, and
documents. Captaris produces a suite of proven
products and services, in partnership with
leading enterprise technology companies, delivered
through a global distribution network. Captaris
has installed over 80,000 systems in 44 countries,
with 93 of the Fortune 100 using the company’s
award-winning products and services to reduce
costs and increase the performance of critical
business information investments.
RightFax is a leading enterprise fax and e-document delivery solution
for SAP. With SAP-certified integrations, RightFax helps companies reduce
costs, improve efficiency, and streamline business processes by automating
the flow of information and document delivery from SAP R/3 and mySAP Business
Teamplate is a global leader in rapid business process automation for
Microsoft environments. Teamplate offers significant advantages over past
workflow automation approaches by providing rapid, understandable, affordable,
and robust solutions that scale. Used to streamline the interaction between
business people and enterprise software applications, Teamplate workflow
solutions are implemented by managers in any functional area of a business.
For more information, visit www.captaris.com
or call +1 520 320-7000.
Your Corporate Tax Department Achieve the
Transparency and Consistency that
Sarbanes-Oxley Compliance Requires?
Emerging Tax Compliance,
In the wake of Sarbanes-Oxley legislation and with compliance deadlines
looming, your enterprise’s ability to effectively track financial
data is absolutely critical. As you focus on compliance efforts, though,
don’t overlook your corporate tax department — it, especially,
will feel the impact of Sarbanes-Oxley.
After all, with the enhanced scrutiny brought about by Sarbanes-Oxley,
there is new pressure for every calculation to be accurate. But, traditionally,
much of a tax department’s work is done manually, so it is particularly
susceptible to human error. What’s more, calls for standardization
and transparency mean that calculations by one individual one day must
match the recalculations by another employee the next day. Errors and
inconsistent processes open a company to discrepancies that can undermine
compliance efforts. Tax technology can help you remedy this.
Ensure Consistent Processes and Data Tracking
Tax technology applications are designed
to automate processes and record every modification
to financial data so you can track processes
and changes and make adjustments as needed.
Activities are accomplished better and faster — and
with additional controls in place.
In addition to providing documentation of internal, operational controls
and processes, tax technology also supports consistency in systems, standards,
and across-the-board reporting. Every area of a company — from the
loading dock to the mailroom to IT to customer service — has tax
implications, and every role in these departments requires a field of
data for a tax solution. For common activities in sales, processing, or
purchasing departments, tax technology more or less guarantees that this
data will be captured and that the process will be the same time and time
What Should SAP Customers Look for in Tax Technology?
One key to transparency is using tools with
robust documentation capabilities and standardized
processes. Companies that rely on their SAP
system to share financial data with a custom-built,
in-house tax system —
especially one that also must generate and manage tax transaction information
— should seriously consider converting
to an automated tax technology system.
Look for a documented, defensible automated tax system, with superior
internal controls that meet the standards of Sarbanes-Oxley as well as
other regulations, that can calculate and store data as well as report
it to a government entity.
Ensure your technology provider will play a proactive role to make certain
that numbers and data are correct. Check that the technology can examine
five years of records in all directions and locate potential financial
Be sure to determine that the system integrates with your SAP financial
applications, CRM, and front-office applications.
And finally, choose a proven provider. Sarbanes-Oxley has given rise
to many vendors jumping on the corporate compliance bandwagon. Remember,
you will be held accountable for any flaws in business process audits
and documentation, so you’ll want to work with a trusted vendor.
By implementing automated tax technology, SAP customers not only increase
the efficiency of tax preparation and reporting, they can create an information
trail that can hold up under an audit in order to mitigate risk in corporate
Vertex Inc. is a provider of tax technology solutions,
serving more than 10,000 customers worldwide. For more information
about Vertex and its solutions, visit www.vertexinc.com.
Look Beyond Sarbanes-Oxley to Maximize
ROI from Compliance Initiatives
In the race to achieve Sarbanes-Oxley compliance, companies have
two fundamental choices. They can view the new mandate as a costly
but necessary evil and do the minimum necessary to achieve compliance.
Or they can choose to see the Sarbanes-Oxley framework as an opportunity
to improve overall risk management and business performance.
Clearly, compliance with the Sarbanes-Oxley Act makes perfect
sense in the short-term. But to achieve long-term ROI from compliance
initiatives, organizations must take a broader view of operational
risk. Forward-thinking companies will recognize the need
to not only comply with the regulations that affect them today,
but also to lay the groundwork for the future — with a strategic
approach to evaluating and implementing technology across the enterprise.
The Cost of Compliance
The impending June 2004 deadline to achieve Sarbanes-Oxley compliance
has created a sense of urgency around IT spending similar to that
of the Y2K crisis. According to Gartner, Fortune 1000 firms will
spend at least $2 million on Sarbanes-Oxley compliance through 2005
But unlike Y2K, Sarbanes-Oxley is not a one-time event —
it’s an ongoing process. To ensure ongoing compliance, businesses
must update and recertify their data quarterly. Sarbanes-Oxley requirements
are also expected to evolve over time as new provisions are added.
Risk Management Comes Into Focus — and Broadens
At the same time, accountability for
measuring risk — simply
put, looking at the impact and likelihood of negative events — is
expanding in scope.
The lessons from Enron, WorldCom, and other corporate crises have
underscored the need for strong corporate governance and an enterprise-wide
approach to risk management — a concept given new credibility
by Sarbanes-Oxley. Chief risk officers (CROs) are increasing in
prominence. And new positions are being created: chief governance
officers, chief assurance officers, and VPs of risk and assurance
management — all of them given increased visibility and responsibility
in recent months.
Once the sole domain of corporate risk managers, measuring and
managing risk is now everyone’s business. But where and how
should you focus your attention to identify and reduce risk?
Enterprise risk management (ERM) generally breaks
down into three basic types of risk:
- Credit risk: The risk associated with the
possibility that a borrower will default on any monies that are
- Operational risk: The risk of loss resulting
from inadequate or failed internal processes, people, and systems,
or from external events. Sarbanes-Oxley compliance is a subset
of operational risk (see Figure 1).
- Market risk: The risk of loss arising from
movement in market prices.
Three Components of Enterprise Risk Management
To help organizations discuss and evaluate their overall ERM efforts,
the Committee of Sponsoring Organizations of the Treadway Commission
(COSO; see www.coso.org),
a private-sector group dedicated to improving financial management,
launched a landmark initiative. As part of this initiative, COSO
designed an ERM framework for action, targeting eight key components
(see sidebar). The framework is an invaluable tool for organizations
looking to get their risk management processes on track.
Because of the pervasive need for risk management across an organization,
businesses need to view compliance initiatives as long-term investments,
not quick fixes. Forward-looking companies are not just looking
at the steps to compliance or the cost of compliance, but also at
its potential benefits.
of an ERM Framework
- Internal environment: Evaluate risk
management philosophy, board of directors, integrity and
ethical values, commitment to competence, operating style,
risk appetite, organizational structure, assignment of authority
and responsibility, and human resource policies and practices.
- Objective setting: Determine strategic
and other objectives, risk appetite, and risk tolerance.
- Event identification: Investigate factors
influencing strategy and objectives, methodologies and techniques,
event interdependencies, event categories, risks, and opportunities.
- Risk assessment: Assess inherent and
residual risk, likelihood and impact, methodologies, techniques,
- Risk response: Identify risk responses,
evaluate possible risk responses, select responses, and
- Control activities: Integrate with risk
response and identify control activities.
- Information and communication: Develop
and implement integrated, strategic systems to disseminate
- Monitoring: Evaluate risk on an ongoing
Rewards of Risk Management
An enterprise-wide focus can yield significant benefits including:
- Greater accountability by making each area manager
responsible for documenting and evaluating financial controls
in his or her own area. People closest to each business unit manage
the data, which improves accuracy and completeness.
- Comprehensive risk identification and management so
control measures and action plans can be initiated to resolve
problems — and so progress can be easily tracked.
- Enhanced fraud protection with systematic data management
that ensures multiple reviews and verification.
- Greater precision in reporting to management.
- Empowered employees with more localized knowledge
and a greater understanding of the impact of their roles on corporate
Companies that implement sound risk management practices will have
good internal controls and will likely exceed Sarbanes-Oxley’s
mandates. By identifying, understanding, and managing underlying
risks, organizations have an opportunity to improve both top- and
bottom-line results. And, by integrating compliance initiatives
with operational processes such as auditing, businesses can further
Strategic Technology Investments Provide Long-Term Value
As businesses grapple with an array of
compliance challenges, many look to
technology to ease the burden. A new
generation of tools has emerged to
help streamline the compliance process.
Industry experts believe that a short-term “panic”
mentality surrounding Sarbanes-Oxley will dramatically increase
the cost of compliance and will not provide long-term returns. According
to Gartner, enterprises that choose one-off solutions to each regulatory
challenge will spend ten times more on their compliance projects
than organizations that take action in advance (0.9 probability).2
Be mindful that Sarbanes-Oxley compliance is only one component
of an overall ERM strategy. By taking a broader view, organizations
can use the compliance process to create value and improve business
results. Choosing a solution that addresses immediate compliance
needs while also providing a platform for long-term risk management
is the key to minimizing costs and maximizing benefits from Sarbanes-Oxley
and other emerging regulations.
Consulting offers software for Sarbanes-Oxley
compliance, operational risk management,
and audit automation including Risk
Navigator and Focus Control Assurance
Software. For more information, call
+1 888 288-0283, email firstname.lastname@example.org,
or visit www.paisleyconsulting.com.
1 Debra Logan, You’ll
Have to Spend to Attain Sarbanes-Oxley
Inc., Oct. 3, 2003.
2 Debra Logan, Rich Mogull,
Lane Leskela, Sarbanes-Oxley Vendor Evaluation Framework,
Gartner, Inc., Oct. 8, 2003.
Global Impact of Sarbanes-Oxley on Transactional
Vice President of Government Affairs and Tax,
Sarbanes-Oxley touches on the responsibilities and functions of corporate
executives, auditors, and audit committees — all of which have implications
for U.S. companies as well as for international companies whose shares
are publicly traded on U.S. exchanges.
Consider the global impact of Sarbanes-Oxley on transactional tax services
(sales, use, and VAT) provided by public accounting firms. Law and regulations
suggest that it is problematic for the independent auditor to simultaneously:
provide bookkeeping or other services related to the client’s accounting
records or financial statements; design or implement financial information
systems; perform internal audit outsourcing services or management functions;
or provide legal or expert services unrelated to the audit.1
However, the law goes on to say:
“A registered public accounting firm may engage in any non-audit
service, including tax services, that is not described in any of the (above)
stated services... only if the activity is approved in advance by the
audit committee of the issuer.”2
Some have argued that this language authorizes the audit committee to
give blanket approval for tax services performed by auditors. However,
by qualifying it (“only if...”), the law in fact
neither prohibits nor approves these activities in such a blanket fashion.
How, then, does a company’s audit committee decide whether to authorize
its current auditor to provide transaction tax services for them? There
are two ways of reaching this answer: (1) reasoning by analogy, and (2)
reasoning by application of basic principles.
An analogical approach would observe that the express prohibition of
bookkeeping services, for example, is equally applicable to transaction
tax bookkeeping services.
An application of basic principles would consider Senator Sarbanes’s
that underscore the Act:
- An auditor cannot function in the role of management
- An auditor cannot audit his or her own work
- An auditor cannot serve in an advocacy role for his or her own client
Thus, if a company contracted for assistance with VAT bookkeeping services
with the foreign branch of the domestic firm that performed the independent
auditor function for SEC reporting, the auditor would be auditing his
or her own work. This non-audit service would be prohibited. Similarly,
when considering contracting with a technology intensive transaction tax
service provider, companies must be cautious. If the research embedded
within the technology is derived from the accounting firm performing the
audit then, in effect, the auditors could be construed to be auditing
their own work. Such a relationship could require audit committee approval
before the engagement commences.
For more information, contact the author at email@example.com,
or visit www.taxware.com.
1 17 CFR Sec. 210.2-01(c)(4)(x).
2 Sarbanes-Oxley, Section
3 Senate Report 107-205, 107th
Cong., 2d Sess., July 3, 2002.
Jon Abolins is the Vice President of Government Affairs and Tax for Taxware,
where he is responsible for all tax decisions in all company programs.
In this key function, Mr. Abolins applies his knowledge of tax law to
products that address all transaction-based taxes (i.e., sales and use,
gross receipts, excise, VAT, and so on). Mr. Abolins frequently gives
lectures and presentations at conferences and seminars to entities such
as the Conference Board and Harvard Law School’s International Tax
Program. He also speaks at sales and use tax or e-commerce tax automation
policy meetings to such entities as the United States Congress, the Streamlined
Sales Tax Initiative, the Federation of Tax Administrators, the National
Governors’ Association, the U.S. Conference of Mayors, the National
Conference of State Legislatures, and the Multistate Tax Commission. Mr.
Abolins is a member of the Organization for Economic Cooperation and Development’s
Consumption Tax Technical Advisory Group.
Sarbanes-Oxley Compliance: A Bridge to Excellence
Principal, Sarbanes-Oxley Initiative,
Public companies are scrambling to deal with the mandates of the Sarbanes-Oxley
Act. This is an unfortunate consequence of the strong medicine prescribed
by the U.S. Congress to improve corporate governance and restore investor
confidence. Many companies have found that the sheer volume of work, which
has exceeded early estimates and expectations, has necessitated a compliance
process that favors speed over deliberation. In the rush to action, however,
two important concepts could be left behind: context and perspective.
Having reaped the benefit of experience from over 500 readiness projects,
we at Deloitte have learned many lessons, and here’s the most important:
Compliance is not the end game.
Compliance is critical. But companies will garner even greater rewards
by using Sarbanes-Oxley compliance work as a bridge to better business
performance. If you use readiness and compliance efforts to take a hard
look at business processes and systems, you will find opportunities to
improve information quality, reduce risks, and cut costs — sometimes
dramatically. That is why Deloitte recommends that companies approach
Sarbanes-Oxley on three levels (see sidebar):
- Full compliance — Compliance is essential.
Sarbanes-Oxley is complex (11 titles, 60 sections) and implementation
rules are still coming. Be sure to address all applicable requirements.
- Sustainability — Design, build, and maintain
the organizational, process, and system infrastructure necessary to
sustain compliance and provide high-quality financial information.
- Improvement — Continuously seek to eliminate
unnecessary complexity in data, processes, and systems. Unnecessary
complexity exists where the costs and/or risks exceed the benefits.
Deloitte’s Recommended Approach to Sarbanes-Oxley
The foundation is compliance, but the journey should continue through
sustainability and improvement. Improved corporate governance oversees
the entire effort aimed at maintaining the confidence of capital markets.
For SAP customers, the impacts and implications of Sarbanes-Oxley lead
to questions such as:
can my company use SAP to enable sustainable
can we improve financial information from
can SAP systems accelerate the closing process?
do we reduce complexity to minimize the risk
of financial reporting problems?
do SAP’s new solutions fit into the
does Sarbanes-Oxley affect upgrade strategies
Fully addressing these challenges and opportunities requires expertise
from many disciplines, including accounting, assurance, financial reporting,
controls, risk management, information technology, corporate governance,
education and training, program leadership, project management, tax reporting,
and process experience. Deloitte integrates these disciplines to provide
our clients with the services they require to meet corporate governance
While compliance is critical, it is just one step toward a greater reward.
Deloitte’s three-level compliance perspective is explained in the
new publication Deloitte’s Point of View: Sarbanes-Oxley Compliance:
A Bridge to Excellence. For more information about this publication,
please visit www.deloitte.com/sarbox.
Accountability for Greater Accuracy: Involve
All Levels of Your Organization to Improve
Senior Manager, Solutions Marketing,
The goal of Sarbanes-Oxley is to build trust in the accuracy of financial
statements among regulators, customers, and shareholders. Financial reports
must be consistently accurate, timely, and detailed. Day in and day out,
companies must use financial check-and-balance controls to minimize the
risk of overstating revenue or understating expenses.
But how do organizations maintain consistent financial reporting, especially
over the long haul? The process starts with planning and documenting a
roadmap of best practice financial controls. Then, automating
the steps prescribed by these controls gets firms closer to consistency.
Distributing financial reports to an expanded user base for wider
validation ensures greater accuracy. None of these steps will mean much,
though, without full adoption of reports by users who can easily
incorporate this information into their current check-and-balance workflows.
Automation: Once financial controls are in place, companies can
automate review processes by providing secure, role-based access to reports
for financial reconciliation, thereby reducing the risk of manual errors.
Distribution: By extending financial reconciliation beyond
the finance department, companies can distribute the accountability for
accurate reporting directly to those employees who are responsible for
spending and tracking revenue, such as departmental and cost center managers
and their staff.
Adoption: Providing an intuitive Web interface and user
experience with useful, accessible, and workable information ensures successful
adoption across your enterprise. As more managers make the review process
part of their daily routine, the accuracy of the validation process is
Finance departments already use Actuate’s Enterprise Reporting
Application Platform to integrate mySAP, SAP R/3, and SAP BW
financial data with transactional, operational, supply chain, and other
SAP and non-SAP information sources, providing a comprehensive and up-to-date
view of the financial landscape (see Figure 1). With
Actuate, the finance department can leverage one-click compliance dashboards,
be alerted about material events and their effects, drill down to view
an individual invoice or line item, and work in fully functional Excel
spreadsheets with ready-to-use analytics and “what if” query
capabilities — all requiring zero training to use.
Figure 1: Sarbanes-Oxley focused Enterprise Reporting Applications
built with Actuate integrate data from SAP and non-SAP sources and
make it available to users across the organization
The real benefit for financial managers is that with Enterprise Reporting
Applications built with Actuate, all users across the extended
enterprise — not just the analysts who understand OLAP tools —
can verify financial statements on a daily basis, with access to instantly
usable Web reports, dashboards, Excel spreadsheets, analytics, and SAP
Enterprise Portal content. Such broad validation of revenue and expenses
improves stakeholder confidence, regulatory compliance, and operational
For more information about how Actuate maximizes the value of all your
enterprise information, visit www.actuate.com/sapsox.
SAP Authorizations and Sarbanes-Oxley: How
to Monitor Internal Controls for Compliance
Werner van Haelst
The Sarbanes-Oxley Act forces management to periodically evaluate and
confirm their company’s internal control system. Companies that
heavily rely on their SAP environment should ask questions like “Are
we in control?” and “Are our internal business processes and
data still reliable?” To answer these questions, companies must
take a methodical, risk-analysis approach to measuring the success of
business process controls, whether these are:
- Inherent controls built into their SAP software
- Configurable controls, including those set up with SAP customizing
tools and those defined via the SAP authorization concept
- Manual controls, including those for reporting tools
When assessing our clients’ SAP control environments, Control
Solutions International (CSI) has found that the most cost-efficient approach
focuses on the areas of the internal control system where the risk of
impact on the financial reporting is high, or where SAP customizing and
authorization concepts are poorly configured, leaving transactions, tables,
documents, master data, and resources potentially open to unauthorized
Based on assessments of clients across a range of industries, CSI has
found that authorization concepts are often inadequately
implemented, despite the fact that they are critical anchor points for
an SAP internal control framework.
So, with a vast universe of authorization concepts currently at work
in your SAP system, how do you determine which authorizations are high-risk?
For this, you need subject matter expertise on SAP internal control issues,
complementary tooling on top of SAP standards, and Sarbanes-Oxley compliance
To meet these needs, CSI has developed and successfully deployed a step-by-step
methodology for evaluating SAP authorizations based on internationally
recognized internal control frameworks such as COSO and CobiT, as well
as on the Sarbanes-Oxley definition of internal control.
The CSI methodology is fully supported by the CSI Authorization Auditor,
a tool that allows you to quickly identify authorization risk areas. Using
parameters such as inherent risk to SAP functionality¹,
impact (based on CobiT information criteria), and relationship to financial
statements (based on SAP module and submodule), it allows you to assess
the relevance of the various pieces of SAP functionality to various compliance
frameworks. For relevant functions, the Segregation of Duties evaluation
capabilities in the Authorization Auditor (see Figure 1)
highlight conflict chains at the business process level and across SAP
systems, and report the results back to users in different reports.
Figure 1: CSI Authorization Auditor Monitors Control Risks
The methodology is transparent, easy to understand, and flexible enough
to tailor to a variety of organizations with industry- or organization-specific
risk patterns. With this transparent and practical CSI methodology, organizations
receive insight into Sarbanes-Oxley-relevant risks and issues in their
current SAP authorization concept for improved and tightened internal
controls for their business processes.
Control Solutions International (CSI) specializes in implementing and
assessing SAP control environments. For more information on CSI’s
services, training, and tools, visit www.csi4sap.com,
or contact Mark Russo, CSI America (firstname.lastname@example.org);
Johan Hermans, CSI Belgium (email@example.com);
or Marcel Huyskens, CSI Netherlands (firstname.lastname@example.org).
¹ Defined as risks regarding
development, system administration, master data, transaction data, and
Robust Financial Reporting with SAP and Business
Are you inundated by companies touting costly products and services that
promise to solve all your Sarbanes-Oxley, Basel II, and other financial,
compliance, and regulatory issues?
Fortunately, SAP customers have found there’s an effective, cost-efficient
way to leverage their existing reporting and analysis capabilities while
meeting their financial reporting and compliance needs.
In close partnership with SAP, Business Objects offers powerful, user-friendly
reporting solutions — uniquely integrated with SAP R/3 and SAP BW
— that maximize and extend your existing financial reporting systems.
Now SAP and Business Objects are offering enterprise reporting solutions
that leverage the analysis and data warehousing capabilities of SAP Business
Intelligence. These solutions are also endorsed and aligned with the SAP
Comprehensive Reporting for SAP BW
Integrated with SAP BW 3.0, Crystal Enterprise provides 100+ report templates,
plus the ability to create 10 custom reports (see three examples in Figure
1). The Crystal Enterprise bundled solution may be all you need
to satisfy your current reporting and analysis needs.
For even greater functionality, SAP and Business Objects developed Crystal
Enterprise — Enhanced SAP Edition. This enables you to create comprehensive,
custom reports from all your financial and enterprise data (not
just SAP BW), and then securely distribute those reports to everyone who
needs them. End-users can even create and customize financial reports
on their own, without tapping into IT or ABAP resources.
Figure 1: Sample Financial Reports Based on SAP BW and SAP R/3
Data Created Using Crystal Enterprise — Enhanced SAP Edition
Reporting for SAP R/3
Business Objects also offers reporting capabilities
that are tightly integrated with SAP R/3
to help you save time, money, and resources
through easy user-driven report creation.
The Standard in Business Intelligence
With its acquisition of Crystal Decisions in December 2003, Business Objects
has become a clear market leader in business intelligence. Business Objects
offers a complete range of reporting and financial analysis solutions
that leverage the information stored in an array of corporate databases,
enterprise resource planning (ERP) systems, and customer relationship
management (CRM) systems.
For More Information
To learn more, contact either your Business Objects representative (at
+1 800 877-2340 or +1 604 681-3435) or your SAP sales representative.
You can also visit the joint SAP-Business Objects Web site at www.businessobjects.com/sap.
Serious Solutions for Serious Compliance
The New Reality of Continuous
L. Feldman, Ph.D.
Chief Marketing Officer,
Welcome to the new era of compliance and control. Regulatory pressure
has never been greater. Internal pressure has never been more serious.
The penalties have never been more severe. The pressure is real.
For starters, the Sarbanes-Oxley Act mandates documented certification
of the accuracy of reported financial and non-financial information, and
of the effectiveness of disclosure controls and procedures. Then, it ratchets
up the pressure by requiring assessment of the adequacy
of internal controls and procedures for financial reporting.
Next, it tightens the vise by requiring external auditors, under Section
404, to attest to the company’s compliance. Further, the severity
is underscored with the threat of criminal penalties for non-compliance.
Finally, with the deadline for Section 404 compliance now looming, IT
is fast becoming a tool of corporate governance. It must provide solutions
that match the true complexity and seriousness of the task at hand.
Benefits of Enterprise
- Greater control, visibility, and efficiency throughout the
- Seamless integration between enterprise applications and
- Customizable dashboard with instant visibility and multiple
- Reports and tracking on remediation activities
- Continuous monitoring of enterprise applications for deficiencies
- Rules-based simulation to proactively identify and address
- Built-in workflow notifications and exception reporting
- Assessment of controls with test documentation and notification
The Problem: Static, Disconnected Solutions
Most compliance solutions are incomplete.
They simply document controls and have over
40% overlap in functionality, providing little
synergy toward ongoing compliance. In an attempt
to demonstrate compliance, the IT department
will sling together a mix of business process
mapping tools, documentation tools, and homegrown
spreadsheets. These are halfway measures. They
are best suited for static structures, not
ongoing processes. They lack true integration,
require manual intervention, and miss the most
important elements of continuous compliance — ongoing
monitoring and proactive assessment of controls
to prevent violations before they occur.
Controls compliance is a moving target. That’s why ongoing assessment
of controls is vital to confident certification. The most effective way
to stay clean is with a continuous monitoring and alert system that proactively
flags and prevents control violations and maintains continuous compliance.
This requires real-time capability to leverage the built-in control mechanisms
in ERP systems and catch and report predefined deficiencies as they occur.
the numerous regulatory compliance initiatives, most firms are challenged
on how best to consolidate requirements and leverage IT. For Sarbanes-Oxley,
one of the most important considerations for sourcing an internal
controls solution is the extent to which the assessment process
can be effectively supported. Since many of the controls are inherent
in ERP solutions, connectivity to ERP should be a foremost requirement.”
— John Van Decker,
The Solution: Integrated, Automated, and Continuous Assessment
Virsa Systems’ Enterprise Control Manager
(ECM) is purpose-built to meet these requirements.
Unlike other solutions, it continuously monitors
and reports on activities in enterprise applications,
and it automates the most time-consuming task
related to Sarbanes-Oxley compliance: controls
assessment. ECM Dashboard has an Executive Cockpit with
a high-level overview of compliance status. Plus, it has unlimited drill-down
capabilities to facilitate further analysis, pinpoint the root cause of
control violations, and perform remediation activities in real time.
- ECM is a unique solution that
automates the assessment of Sarbanes-Oxley compliance for
your enterprise systems.
- ECM enables optimal corporate governance by enforcing
Sarbanes-Oxley, HIPAA, Basel II, and Patriot Act compliance
under a single architecture.
- ECM requires very little training and is easy for senior
executives, auditors, and other key players to use.
- Virsa provides a complete solution of products, support,
and related services.
- Virsa recruits, retains, and invests in its high-quality
staff, providing an expert team to help customers meet all
of their compliance needs.
- Virsa gets continuous feedback from its clients and incorporates
this customer insight into future product enhancements.
- ECM provides high ROI with complete automation of control
- Virsa solutions offer continuous compliance, minimizing
ongoing compliance costs and fraud risks.
- ECM implementation is fast and straightforward. It can
rapidly adapt to your changing business needs.
ECM is an open-platform solution that seamlessly integrates
with your SAP enterprise applications, as well as with Oracle, Siebel,
PeopleSoft, J.D. Edwards, and others (see Figure 1).
This simplifies the extraction of data from enterprise applications and
enables ECM’s built-in workflow notification processes to automatically
inform process owners whenever a deficiency is detected. Thus, timely
deficiency reporting, resolution documentation, and audit trails
are available to strengthen compliance and satisfy auditors.
Figure 1: Enterprise Control Manager Architecture
Virsa Systems’ superiority in controls compliance is evident in
ECM’s powerful simulation capabilities. By seamlessly
integrating with your internal change control process, ECM enables you
to determine in advance the impact of contemplated changes to Sarbanes-Oxley
compliance. Moreover, it generates an audit trail of the change control
process, providing external auditors with comprehensive evidence of compliance.
The power of ECM, though, is especially evident in its simplicity, ease
of use, and effortless customizability.
security and compliance controls with a cost-effective enterprise
solution to address regulatory requirements.
From its fast configuration to its continuous compliance functionality
and its easy application to regulatory compliance requirements, Virsa
Enterprise Control Manager offers a highly effective enterprise solution
for corporate governance, security, and controls compliance, a solution
that is purpose-built for tough regulatory environments — today
For more information, please contact us at +1 510 651-5990, email Info@virsasystems.com,
or visit www.virsasystems.com.
Ready & Stay
Ready: Leading Companies Automate Visibility
into Internal Controls to Ensure Compliance,
and Manage Business Risk
Over the past several decades, companies around the world have implemented
enterprise applications such as SAP R/3 to automate their business processes.
Over time, the emphasis has shifted from a technology-centric to a business-centric
approach to implementing solutions. Companies recognize that the challenge
has evolved beyond simply automating processes and ensuring operational
efficiency. Today, leading companies understand that they must maximize
revenue and minimize business risk — while ensuring compliance with
key government regulations in an automated business process environment.
to gain continuous visibility into automated business processes
and internal controls is critical to successful management execution.
We recommend to our clients that they deploy a solution such as
BizRights to help them better manage operational
risk while assuring that they are in compliance with increasing
— Partner, “Big
Four” Audit Firm
A difficult economic climate, coupled with
the increased scrutiny of corporate governance,
puts the focus on eliminating surprises, both
operational and financial — surprises
that can translate into negative financial
impact and the threat of jail time for the
CEO or CFO. How can companies eliminate surprises
within automated business processes? Increasing
visibility enterprise-wide is perhaps the single
greatest way. Whether it relates to cost, or
revenue, or operations, the ability to identify
problems as they are developing is critical
to consistently eliminating surprises.
With the passage of the Sarbanes-Oxley Act of 2002, risks resulting
from a lack of proactive visibility have increased exponentially. And
unlike the challenges of Y2K, compliance with Sarbanes-Oxley is an ongoing
process — not a one-time event. This has led corporations, as well
as their audit firms, to increase the focus on assessing and aligning
corporate processes and internal controls to ensure ongoing compliance.
Management (and their auditors) can no longer assume that the lack of
problems is an indication that appropriate internal controls are in place.
As a result, companies have identified the need for improved visibility
into internal controls in their SAP and non-SAP business processes, both
as a requirement of Sarbanes-Oxley and as a means of monitoring compliance
and business risk across the enterprise.
“We view compliance
as a business enabler that should involve IT, Finance, Business
Units, and Internal Audit. Approva helped us implement a business-friendly
approach that enables collaboration across our business, letting
us better manage our internal controls and ensure compliance.”
— Manager, Internal
Efforts to manage business risk, compliance, and internal controls within
enterprise applications must focus on three areas:
1. System users: What are users capable of doing? What
sensitive transactions can they execute? What sensitive data can they see?
Do Separation of Duties conflicts exist between user roles and profiles?
2. System settings: What application configuration
settings are inappropriate for my business? Are there any “open
windows or unlocked doors”?
3. Transactions executed: What sensitive transactions
were processed in the last hour/day/week that I should know about?
In the words of one Big Four auditor, “Companies need to know
not only what their users can do, but also what their users are actually
doing. And they need to know this all the time, not just after we complete
a controls review.”
Gaining Continuous Visibility
So how do you gain continuous visibility into business processes and internal
controls? How do you continuously identify, document, test, manage, and
monitor your internal controls? How do you ensure you are in compliance,
this year and in the future?
“In the past,
we’ve had no automated process to help efficiently identify
Separation of Duties violations and unnecessary access to sensitive
transactions and authorizations. We were impressed by the detailed
insight we can get into our roles and authorizations. With Approva’s
Business Controls Workbench, users can create and monitor business
rules without having to become an SAP Basis Security and application
— Manager, Application
The first step is to recognize that continuous visibility into automated
business processes requires an automated solution. The traditional approach
of manual efforts supplemented by rudimentary tools is no longer thorough
enough, scalable, or cost-effective.
Second, this problem is not simply the responsibility of a single individual
or department. Effectively addressing the challenge requires the involvement
of IT, Internal Audit, Finance, and the business units themselves.
The third step is to thoroughly evaluate options for gaining continuous
visibility into automated business processes. Many leading companies have
chosen Approva’s BizRights, an enterprise software
solution that helps manage business risk, ensure regulatory compliance,
and increase operational efficiency. By continuously monitoring user authorization
data, configuration settings, and business transactions within SAP R/3,
BizRights helps companies identify and remediate internal
control violations. When exceptions are detected, BizRights
proactively notifies the appropriate decision-makers so the problem can
be quickly resolved.
Figure 1: Managing Business Controls with BizRights
The BizRights Continuous Controls Monitoring solution
(see Figure 1) provides an integrated, comprehensive,
and easy-to-use monitoring and prevention solution for business users,
auditors, and security professionals alike:
- Business Controls Workbench, including predefined
rules and compensating controls
- Business-friendly user interface to enable involvement
from business units, Finance, and Internal Audit
- 360° Insight analysis capabilities to test and
analyze roles and transactions at the authorization object level in
- Workflow capability to allow for automation of approvals
- Flexible reporting to provide both real-time analysis
and long-term documentation
- Continuous monitoring to
ensure ongoing compliance, particularly
as your SAP user base grows
- System-independent solution that can be used across
the enterprise, without impacting the performance of the ERP system
Deployed in a matter of days, BizRights helps:
- Reduce the ongoing cost of audit and compliance
- Reduce the amount of manual labor to gather
and analyze information
- Consolidate internal controls documentation
to a central repository
- Reduce the burden on IT by allowing business
units to monitor their own business exceptions
and internal control violations
As an added benefit, companies are finding
that implementing an automated internal
controls solution helps ease the process
of upgrading their ERP software and rolling
it out to additional users. The solution
provides the capability of “cleaning” the
system prior to upgrading to the new version.
When deploying the ERP system more broadly
across the organization, it is now easier
to manage and monitor a larger user base,
and to more effectively reduce risk.
To find out more about how leading companies are gaining continuous
visibility into their automated business processes and internal controls
by deploying an automated solution, please contact Approva at email@example.com
or visit us at www.approva.net.