Scott Goolik, Chief Technology Officer, SymSoft Corporation
Jamison Tomasek, Internal Audit Director, Courier Corporation
Agenda
About Courier Corporation & SymSoft
Sarbanes-Oxley 2010 Overview
Three Ways to Strengthen Your Controls
1. Reduce sensitive authorizations
2. Establish security change controls and documentation
3. Establish change controls for correction transports
Questions
Professional Solutions for Compliance Automation
www.ControlPanelGRC.com
Your Presenters
Scott Goolik
Chief Technology Officer, SymSoft Corporation
14 years in SAP security and controls including Big 4 auditing firms
Lead architect of the ControlPanelGRC solution
Jamison Tomasek, CPA
Internal Audit Director, Courier Corporation
Five years with Courier Corporation
Worked as Sarbanes Oxley consultant
Ten years Progress Software
Deloitte & Touche LLP
Dover
REA
Creative Homeowner
Requires CEO, CFO to confirm the design and effectiveness of internal controls and for the auditor to issue an opinion
Improved understanding of business processes
Better IT integration with the business is good
SOX can be used as a tool by IT
Segregation of Duties is really fraud prevention
Prepares you for other compliance regulation
PCI
Data Privacy
Customer Requirements
Ensure logons used for background processing are of the System type
We gave IT users access to the Firecall roles
This allows IT to run the special transactions for access
Tip
User maintenance tasks are restricted to the security team
Implement segregation of duty/excessive access checks, if possible
All Roles that will be assigned in production need an owner to approve and validate changes
Transporting changes from development to quality assurance
Approval from Role owner to send (tested) change to production
Note
Change review board concept can be used to ensure all business owners are aware of pending changes
Workflow (SAP-based or non-SAP) can help route requests around for approval
Basis staff availability to execute transports
Visibility of error reports
Documentation of work done, issues, related work
Great notes, but can't be found 2 weeks later
DEV gold
SCC1
DEV test
QAS 100
Production
10 Initial Request
25 QAS Migration
27 IT Validation
37 Final IT Prep
40 PM Approval
50 Prod Approval
55 Prod Migration
57 Prod Validation
90 Task Complete
IT Sr. Mgmt
Phases:
Review & forward or reject
IT Project Mgr
Business Users
IT developer
Release Transport
Transport errors highlighted with error codes, too
Documentation, continued
Key Learnings
Smaller companies subject to SEC requirements and other regulated enterprises face special challenges in addressing audit and compliance concerns; however, these challenges can be met and conquered.
Creativity and newly available solutions can reduce the cost and complexity of compliance.
Preparing for audits can be made more efficient and less intrusive, all while yielding more complete results.
For ControlPanelGRC case studies, articles, and archived webinars, please visit www.controlpanelgrc.com
Thank You!