Most publicly traded companies would likely agree that certifying internal controls in accordance with the Sarbanes-Oxley (SOX) Act’s mandates can be a painstaking process. Yet, as Brazilian oil and gas powerhouse Petrobras discovered, businesses can capitalize on this effort and transform their SOX investment from a cost center into a profit center.
Many businesses still take a traditional approach to SOX testing — once a year, independent auditors manually extract data from companies’ back-end systems and scrutinize it for non-conformities in relation to the control self-assessments that business process owners have registered. If the auditors find a problem, management has to scramble to get it fixed.
Alfred Bacon, Senior Consultant of Internal Controls at Petrobras, encourages companies to move away from this traditional method and make compliance testing continuous and automated. “That way, you ensure your process is working perfectly all year round and avoid any end-of-year surprises,” says Bacon. “By layering the cost of the controls and increasing the amount of testing, you’ll improve your company’s baseline because you’ll pick up on things you didn’t see before.”
Petrobras Sees the Benefits of Automated SOX Testing
The Internal Audit team at Petrobras always had to extract its test data from SAP ERP to perform its periodic analysis and then pass on the results to the external auditors in the SOX certification process. But the team knew there had to be a better way. “We wanted to build testing into our existing SAP system so that we could get this data extracted and analyzed automatically,” says Bacon. “When I discovered SAP BusinessObjects Process Control, I saw that it had over 100 scripts for automated testing built in.”
The company’s internal auditors are very interested in the solution because of its ability to reduce their SOX testing effort. With the move to automated testing, auditors will only have to look at exceptions, freeing them up for other activities that could yield real financial results.
“A tool like SAP BusinessObjects Process Control improves your credibility to your independent auditors and helps get line-of-business managers to assume responsibility for controls effectiveness,” says Bacon.
Aside from using SAP BusinessObjects Process Control for automated testing, Petrobras also wants to use the tool to automate control monitoring in many of its manual business processes, even if they’re not directly SOX-related.
According to Bacon, local laws and regulations similar to SOX are popping up every day. Just this year, the Brazilian stock exchange commission introduced new SOX-like legislation that places stringent demands on management. “Petrobras is ready for this new mandate because SAP BusinessObjects Process Control supports not only SOX, but our local legislation, too,” Bacon says.
The Importance of Setting Internal Controls
SAP BusinessObjects Process Control is a system for looking at a company’s internal controls — the risks, the control objectives, and the control activities — from a very structured viewpoint. The application associates controlled activities in your business processes with the company hierarchy, and everything is documented in a system log that your internal controls team continuously monitors to ensure all users are properly authorized.
The managers of each business area — including IT, accounting, and finance — establish standard controls for each business process. For example:
- Only authorized users can access critical systems (IT control)
- Managers must approve expenses over $500 (accounting control)
- Managers are assigned a $20,000 purchase limit (finance control)
Breaking down a purchase to get around a spending limit is a typical violation — one that Bacon says will be easy to spot once the automated control tests have been set up and put into production. “With SAP BusinessObjects Process Control, auditors can look at all of a manager’s purchases in a certain time period and see if he or she has made several purchases with the same supplier — and if those purchases exceed the manager’s spending limit,” he says.
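The split-purchase pattern Bacon describes can be expressed as a small detection rule over purchase records. The following is an added example, not SAP or Petrobras code: it assumes a hypothetical record layout (manager, supplier, amount, booking date), a constructed per-manager limit table, and constructed sample purchases. It flags both a single purchase over the limit and a set of under-limit purchases with one supplier whose total exceeds the limit in the period.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Purchase:  # hypothetical record layout, not the SAP ERP table structure
    manager: str
    supplier: str
    amount: float
    booked: date


# Constructed sample: purchase limit per manager (the article's finance control).
LIMITS = {"m.silva": 20_000.0, "j.costa": 20_000.0}

# Constructed sample purchases (hypothetical data, not Petrobras records).
PURCHASES = [
    Purchase("m.silva", "ACME Valves", 9_500.0, date(2010, 3, 2)),
    Purchase("m.silva", "ACME Valves", 8_000.0, date(2010, 3, 4)),
    Purchase("m.silva", "ACME Valves", 7_200.0, date(2010, 3, 9)),
    Purchase("m.silva", "Pipe Co", 4_000.0, date(2010, 3, 5)),
    Purchase("j.costa", "ACME Valves", 21_000.0, date(2010, 3, 6)),
    Purchase("j.costa", "Pipe Co", 3_000.0, date(2010, 1, 10)),  # outside window
]


def find_limit_violations(purchases, limits, start, end):
    """Return exceptions for one reporting period as (manager, supplier, kind, total).

    kind is "over_limit" when a single purchase already exceeds the limit,
    "split" when every purchase is under the limit but the total with one
    supplier in the period exceeds it, and "no_limit" when no limit is defined
    for the manager at all (a control gap auditors would also want to see).
    """
    by_pair = defaultdict(list)
    for p in purchases:
        if start <= p.booked <= end:
            by_pair[(p.manager, p.supplier)].append(p)
    findings = []
    for (manager, supplier), items in sorted(by_pair.items()):
        total = sum(p.amount for p in items)
        limit = limits.get(manager)
        if limit is None:
            findings.append((manager, supplier, "no_limit", total))
        elif any(p.amount > limit for p in items):
            findings.append((manager, supplier, "over_limit", total))
        elif len(items) > 1 and total > limit:
            findings.append((manager, supplier, "split", total))
    return findings
```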
Reporting with SAP BusinessObjects Process Control
Business users can publish reports directly from SAP BusinessObjects Process Control or SAP NetWeaver Business Warehouse (SAP NetWeaver BW) — with access restricted according to company hierarchy and role privileges.
According to Bacon, the advantage of running reports from SAP BusinessObjects Process Control is that process owners or auditors can run daily or nightly reports if they so choose. They can also set exception limits inside the tool, which trigger automated workflow processes. The application then automatically pulls data from SAP NetWeaver BW to generate the report and sends an approval request to a manager.
“If a certain situation arises, the tool can automatically send a message to a high-level manager, who can immediately look into the situation and catch the person in the act,” Bacon says. “Normally, the problem wouldn’t be detected until an internal auditor runs a script, which usually would happen long after the event.”
In addition to routine internal reports, Petrobras is required to run annual reports for SOX certification sign-off. Like most companies, Petrobras has an audit committee that the Internal Controls group answers to on a monthly basis. “When the audit committee meets, we present the state of the internal controls to them, and we base our presentation on the reports we run directly from SAP BusinessObjects Process Control,” Bacon says.
Ensuring Segregation of Duties with SAP BusinessObjects Access Control
An internal control that auditors routinely scrutinize is segregation of duties (SoD) — that is, making sure that one person doesn’t have the authority to execute a complete business process without involving anyone else — which lowers the probability of errors or possible fraud going undetected.
“Because Petrobras is a very large oil company, certain things — like contracts — require sign off from various management levels, sometimes all the way up to the executive level,” Bacon says. “SAP BusinessObjects Access Control is a tool for ensuring company-wide segregation of duties at the business process level so that no one person can make a big mistake or defraud the company without somebody else knowing.”
Bacon was the main backer of the SAP BusinessObjects Access Control project that Petrobras is currently implementing. “With this tool, we now have a vision of our segregation of duties situation that we couldn’t have any other way.” The company is already using the tool’s Risk Analysis and Remediation and Superuser Privilege Management capabilities, and the full SAP BusinessObjects Access Control suite is scheduled to go live at Petrobras in March 2010.
Identifying Conflicting or Unnecessary Profiles
SAP BusinessObjects Access Control monitors profiles — such as “purchase approver” or “purchase requestor” — so that when someone requests a new profile, the solution tests that profile against the user’s current profiles for any SoD violations. According to Bacon, when you first get started with SAP BusinessObjects Access Control on a live SAP ERP system that has been up and running for some time, you may find lots of profiles that weren’t built with SoD in mind. “In our case, because we had about 6,000 or 7,000 profiles in production, it took a lot of work to get them all clean,” Bacon says.
Cleaning up the profiles involves generating violation reports and then sifting through all of the profiles to find the problems — for example, a user who is authorized to both request and approve a purchase order. Running the tool’s Risk Analysis and Remediation capability against a set of authorizations in SAP ERP provides a background report and shows all the conflicting profiles — thus making it easier to clean the profiles.
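The two checks described above, testing a requested profile against a user's existing profiles and scanning all existing assignments for conflicts, can be modelled with a rule set of forbidden profile pairs. This is an added example, not the Risk Analysis and Remediation implementation: the rule set, profile names (apart from the requestor/approver pair the article mentions) and user assignments are constructed for illustration.

```python
# Constructed SoD rule set: pairs of profiles one user must never hold together.
# Profile names are hypothetical except "purchase_requestor"/"purchase_approver".
SOD_RULES = {
    frozenset({"purchase_requestor", "purchase_approver"}),
    frozenset({"vendor_master_maintain", "payment_release"}),
    frozenset({"purchase_approver", "goods_receipt"}),
}


def conflicts_in(profiles):
    """All rule violations within one set of profiles, as sorted name pairs."""
    held = set(profiles)
    return sorted(tuple(sorted(rule)) for rule in SOD_RULES if rule <= held)


def check_request(current, requested):
    """Conflicts that granting `requested` would introduce (empty = safe to grant).

    Pre-existing conflicts are excluded so the request is judged on its own;
    they still surface in the background scan below.
    """
    before = set(conflicts_in(current))
    after = set(conflicts_in(set(current) | {requested}))
    return sorted(after - before)


def violation_report(users):
    """Background scan of existing assignments: {user: [conflicting pairs]}."""
    report = {}
    for user, profiles in users.items():
        found = conflicts_in(profiles)
        if found:
            report[user] = found
    return report


# Constructed sample assignments (hypothetical users, not production data).
USERS = {
    "u1001": {"purchase_requestor", "goods_receipt"},
    "u1002": {"purchase_requestor", "purchase_approver"},
    "u1003": {"payment_release"},
}
```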
In the future, Bacon hopes that his company’s control monitoring process will continue to become simpler and more automated. In an ideal world, Petrobras will have very few control issues to deal with — and when conflicts do arise, the Internal Controls team will be able to send them directly to managers for remediation.
The Advantages of Electronic Sign-Off
SOX compliance requires the CFO and CEO to sign a statement that they examined and tested the company’s internal controls and that the controls are all working satisfactorily. By requiring an electronic sign-off procedure, management must acknowledge its responsibility for the correct functioning of internal controls. Most executives ask lower management to document that the controls are working properly, so that if problems arise later they can show the board they took all the necessary precautions before they signed the statement.
According to Bacon, while you can test manually using error-prone spreadsheets, you may be asked to show your documentation later, so he considers that method risky. “We wanted a tool that would allow us to go for electronic sign-off all the way from the bottom to the top,” he says. “That was one of the reasons we chose SAP BusinessObjects GRC solutions.”