Loss of confidence by investors in the value of securitized mortgages in the United States resulted in a liquidity crisis that prompted a substantial injection of capital into financial markets...
Satyam was plunged into a crisis in January 2009 after its founder, B. Ramalinga Raju, said that the company's profits had been overstated for several years.
French President Nicolas Sarkozy has announced plans to lend PSA Peugeot Citroen and Renault three billion euros (3.9 billion dollars) each and other measures in exchange for a promise not to shut French plants or sack French workers.
In 2005, FDA issued 97 warning letters to medical device firms; 80% of these included CAPA citations.
On August 2, 2007, Mattel's Fisher-Price subsidiary recalled almost one million Chinese-made toys.
Number of recalls by FDA increased about 80% between 2000 and 2007.
Agenda
1. Customer Challenges, Impact and Solution Approach
2. Benefits to Customers Using Risk-based Internal Control
3. Risk-based Internal Control Overview
4. Summary and Next Steps
5. Appendix
Perform manual tests based on verbal instructions
Consolidate results from multiple sources
Limited insight into the control environment
Crisis-driven business exception management
Compliance and risk information is insufficient for decision makers
Manual control tests are time- and resource-intensive
Audit process is inefficient and costly
Late detection of deficiencies and tedious remediation process
Multiple silo solutions that are not scalable
Inability to leverage overall risk and compliance efforts
Fragmented and reactionary management of multiple compliance initiatives
Today, companies spend a lot of time and effort managing their controls, with insufficient results to be fully confident in their governance and to improve their performance.
SAP AG 2009. All rights reserved. / Page 6
Chart: compliance spending ($ billions) split across People, Technology and Services; growth rates shown on the chart are 8.5%, 7.4% (CAGR) and 4.6%.
In this economic climate, companies can no longer focus solely on reactive spending to meet each new regulation. As executives are becoming aware of how different business and IT risks affect their bottom line, their spending focus is shifting toward approaching risk strategically, not just tactically.
John Hagerty AMR Research
Streamline the Compliance Process for Effective, Efficient Controls and Transparency
Complete, Enterprise-wide, Risk-based Internal Control
Document control and test plan; attach reference document and spreadsheet
Follow guided procedure and perform test; report results and attach evidence
Mitigate risk through effective controls and remediation:
Increase fraud prevention
Report and monitor key controls
Resolve exceptions through remediation
Reduce cost and improve compliance:
Automate control testing
Shorten audit cycles
Streamline manual evaluation and issue identification
Improve executive confidence with enterprise-wide control management:
Provide real-time visibility of control effectiveness
Unify control management across the enterprise
Enforce accountability with review, certification, and sign-off
Agenda
1. Customer Challenges, Impact and Solution Approach
2. Benefits to Customers Using Risk-based Internal Control
3. Risk-based Internal Control Overview
4. Summary and Next Steps
5. Appendix
A major retailer is confident in the robustness and flexibility of SAP BusinessObjects Process Control to support their international expansion and provide them with enterprise-wide visibility on the status of compliance.
A healthcare company completed their SAP BusinessObjects Process Control pilot in 2 weeks and maximizes the efficiency of their implementation through a user-driven deployment of the solution that minimizes the reliance on IT resources.
An oil and gas group minimizes user training thanks to the ease of use of the application and leverages SAP BusinessObjects Process Control configuration capabilities to keep changes in their data and reports to a minimum.
A pharmaceuticals company is planning to use SAP BusinessObjects Process Control for other compliance requirements in addition to Sarbanes-Oxley.
Another healthcare group significantly improves speed of resolution of deficiencies and gains better visibility on remediation cases for their control owners.
Why SAP
Integrated with the SAP software that runs the business
Positive experiences with SAP products
Availability of preferred implementation practices
Objectives
Implement a robust solution for managing Sarbanes-Oxley Act (SOX) compliance processes end-to-end, including auditing, monitoring, and testing of controls
Benefits
Migrated all processes to the SAP BusinessObjects Process Control application
Automated many controls
Achieved user-driven operations with minimal IT involvement
Increased efficiency of SOX compliance processes
Improved overall SOX compliance capability
Implementation highlights
Engaged PricewaterhouseCoopers (PwC) as lead system integrator
Formed a synergistic team consisting of PwC, SAP Consulting, and internal personnel
"SAP BusinessObjects Process Control does everything we thought it would do and even more than we expected. The implementation was very functionality-driven, and we're excited about expanding the use of automated controls in the future."
Bart Brock
Sr. Project Manager, Allergan Inc.
Agenda
1. Customer Challenges, Impact and Solution Approach
2. Benefits to Customers Using Risk-based Internal Control
3. Risk-based Internal Control Overview
3.1 Align enterprise risk with compliance
3.2 Reduce cost with automated controls
3.3 Achieve compliance visibility
SAP Solution
Document new compliance initiatives using a top-down risk-based approach
Risk-based Internal Control
Risk Management Process Control
Document Compliance Initiatives
Access Control
Develop assessment, testing and monitoring strategy
Perform tests, report results and raise issues
Analyze issues, perform necessary remediation and certify results
Risk Identification
Risk Monitoring
SAP Differentiators
Increase efficiency by aligning enterprise risk with multiple compliance initiatives
Reduce cost and the risk of non-compliance through rapidly deployable, automated, configurable controls
Ensure control effectiveness across heterogeneous application landscapes through continuous monitoring
Key capabilities
Risk Analysis
Identify risks associated with regulations and policies
Identify impacted organizations and business processes
Determine risk exposure at organization level
Identify organizations and processes in scope through materiality analysis or risk prioritization using enterprise risk assessment
Assign processes and controls to organizations
Steps: Document Risks > Identify Top Compliance Risks > Perform High-Level Scoping > Risk Exposure
Reduce enterprise risk with effective controls
Reduce cost of compliance with automated controls
Key capabilities
Formulate risk responses to inadequately addressed risks
Review control proposals and create proposed controls either by assignment or new control creation
Notify risk management of control creation status
Perform control-risk assessment to determine required level of evidence
Raise issues for remediation
Steps: Identify Controls and Map to Risks > Plan Assessments and Tests
Key capabilities
Master data catalogs leveraged across multiple compliance initiatives
Simultaneous support for regulatory requirements and internal policy mandates
Shared controls testing and assessments
Configurable remediation plans for each compliance initiative
Drill down capability to view/review the test and assessment results
Key capabilities
Intuitive and flexible user interface to create unlimited monitoring criteria without programming
Configuration and master data audit trail
Simple transaction monitoring available on tables/views across SAP Business Suite
Diagram: configuration controls (e.g. invoice tolerance) and transaction data (e.g. PO, invoice) in the enterprise application feed detective monitoring.
Reduce cost of compliance with automated controls
Improve compliance responsiveness with packaged rules
Key capabilities
Automate control testing and monitoring across SAP and non-SAP systems with out-of-the-box rules
More than 200 delivered scripts for automated control testing*
Additional testing automation using standard SAP queries/reports
User-definable multi-step test plans and flexible assessment surveys
Delivered automated control content by process area (sub-processes as listed on the slide):
Order to Cash: Order Capture; Order Fulfillment; Billing & Returns; Revenue Recognition
Procure to Pay: Demand Planning; Operational Procurement; Inventory Management; Payables Management
Reconcile to Report: Budgeting & Planning; Financial Close
IT Basis: Application Implementation; Change Control; Application Security; Network Support
HR: Workforce Planning; Hiring; Compensation; Employee Relations
Treasury: Cash Management; Risk Management; Portfolio Management; Inter-company Finance
Fixed Assets: Asset Acquisition; Asset Depreciation; Asset Disposition; Asset Management
FDA: Design Control; CAPA; Material Controls
# Controls row as shown on the chart: 23 28 18 18 15 1 5 14
Key capabilities
Rapidly detect and analyze exceptions
Proactively notify key stakeholders
Automated workflow to designate ownership
Key capabilities
Rapidly detect and analyze exceptions
Supports both SAP and non-SAP systems
Diagram: SAP BusinessObjects Process Control runs pre-defined controls and custom controls (built with the Multi-App Query Tool).
Key capabilities
Perform assessments and tests of access-related risks
Review automated access test results
Determine and perform appropriate remediation
Access-related Risk
Access Remediation
Key capabilities
Crystal Reports and Xcelsius dashboards
Cross-compliance and initiative-specific reporting
Existing report templates can be leveraged across any compliance initiative
Drill-down provided in select dashboards and reports
Drill down capability to view/review the test and assessment results
Key capabilities
Life Sciences Industry
Risk drivers, KRIs, risk events, impact and risk responses for: Promotional Spend; Off-Label Promotion; Product Quality; Pricing Compliance
Agenda
1. Customer Challenges, Impact and Solution Approach
2. Benefits to Customers Using Risk-based Internal Control
3. Risk-based Internal Control Overview
4. Summary and Next Steps
5. Appendix
Easily adapt to changing business and compliance needs
Improve compliance responsiveness with packaged rules
Close the loop by continuously monitoring compliance violations
Diagram: Risk-based Internal Control flow. Risk Management (Scope, Doc, Evaluate, Monitor) feeds Document Compliance Initiatives > Plan and Perform Assessments and Tests (Perform Assessments) > Remediate Issues and Certify Results (Monitor exceptions, Perform CAPA, Remediate Issues) > Signoff (Certify, Signoff and e-signature: 302, 404, 21 CFR Part 11). Compliance initiatives shown: SOX, JSOX, FDA. Enterprise Integration: Business Processes (FIN, SCM, SRM, MFG, HR), IT Infrastructure, Event Systems, Access Control, and third-party applications (Oracle, PSFT, DB2, 3rd party apps, Cisco SONA). Enterprise Productivity.
Thank you!
The information in this document is proprietary to SAP. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence. The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
Distribution and reproduction of this publication or parts thereof, for whatever purpose and in whatever form, are not permitted without the express written consent of SAP AG. Information contained in this publication is subject to change without notice. Some software products marketed by SAP AG and its distributors contain software components that are the property of other software vendors. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, Duet, Business ByDesign, ByDesign, PartnerEdge and other SAP products and services mentioned in this document, as well as their respective logos, are trademarks or registered trademarks of SAP AG in Germany and in several other countries worldwide. All other product and service names mentioned, together with the associated company logos, are trademarks of their respective companies. The statements in the text are non-binding and for information purposes only. Products may have country-specific differences. All rights reserved.
Demonstration
Risk-based Internal Control
Diagram: roles and solution areas. CFO / Head of Risk Management: Enterprise Risk Management. Head of Compliance / Internal Audit: Risk-Based Internal Controls. Head of Internal Audit / Chief Security Officer: Access Management. Vice President Tax / Head of Compliance: Duty Reduction and Trade Compliance; Trade Policy Planning.
Process flow: Strategy / Planning (Risk Planning) > Risk Management (Risk Identification, Risk Analysis, Risk Response, Risk Monitoring) > Document Compliance Initiatives > Plan and Perform Assessments and Tests > Remediate Issues and Certify Results. Lanes shown: Internal Audit, Business Operations, Access Monitoring.
Diagram: Central Framework built on Organization Structures. For each compliance initiative the framework holds mandates, policies, and user roles & authorizations: SOx (Mandates: SOx 302, 404), J-SOx (Mandates / sub-mandates), FDA (Mandates / sub-mandates), Corporate.
Org owners perform AOD (aggregation of deficiencies) analysis at the org level, and the SOX PMO performs the final AOD analysis at the corporate level.
Diagram: organization hierarchy. Corporate > Parent Org 1, Parent Org 2 > USA, India, Vancouver, Hong Kong.
CEO/CFO sign-off
Support section 302 certification
Freeze key information that has been signed off
Hierarchical, bottom-up progression
Diagram: sign-off hierarchy with numbered stages (5, 2, 1 shown): Corporate Signers > US > US Finance > Procure to Pay > Purchasing, Accounts Payable.
Close the loop between strategy and execution with a top-down risk-based approach
Sign off with confidence through formalized certification
Align the planning and scheduling of testing with the compliance calendar. Conduct the tests, report the test results and raise issues for remediation. Automate control testing and monitoring across heterogeneous environments. Shorten audit cycles through the optimization of compliance activities. Resolve exceptions more efficiently with workflow-driven issue identification and remediation.
Review the results of your compliance activities, remediate identified issues and certify your results through sign-off and audit.
Provide real-time visibility of control effectiveness and remediation of key issues, eliminating surprises. Enforce accountability with review, certification, and sign-off of processes. Use comprehensive reports and dashboards to monitor control activity and issue status.
Automated Controls
Select a pre-delivered test / Re-use a custom test / Construct an ad-hoc test
Pre-delivered process control tests with flexible rule criteria
SOD analysis and reporting
Pre-delivered test coverage by process area:
Order to Cash: Order Capture; Order Fulfillment; Billing and Returns; Revenue Recognition
Procure to Pay: Demand Planning; Operational Procurement; Inventory Management; Payables Management
Reconcile to Report: Budgeting & Planning; Subledger Transactions; Financial Close; Consolidation and Reporting
IT Basis: Application Security; Change Control
Managing Enterprise Risks 2.2.1: Foreign Corrupt Practices Act Compliance Risk
BUSINESS PROCESS: Regulatory Compliance (S39)
KPIs: # of payments to foreign officials characterized as contributions, consulting payments or miscellaneous expenses
DRIVERS: Operate in overseas high-risk markets; Use of 3rd party representatives to facilitate overseas business; Conduct business with foreign state-run entities
RISK EVENT:
IMPACTS: Financial Earnings (SEC & DOJ violations, fines, penalties, remediation); Financial Revenue (Ineligibility of doing business with foreign entity); Reputation (Disclosures, investigation, prosecution, oversight)
Responses:
Reduce: Code of Conduct and FCPA
Avoid: Avoid business
Transfer: Contractual
Accept:
PC/AC Control: SOD Separate Vendor Maintenance from; Maintain legal
BUSINESS PROCESS: Field Sales & Marketing
Key Performance Indicators: Financial impact of fines and penalties; Average sales rep expenses
RISK EVENT: Inappropriate enticements or kickbacks in exchange for preferential treatment
(Preventive responses reduce the probability of the event; recovery responses reduce the impact of the event)
IMPACTS: Legal/Regulatory (Significant fines levied by DOJ and other bodies); Legal/Regulatory (Corporate integrity agreements increase scrutiny and costs)
Indicators: Training Hours per (sales) Employee (SAP IV.J.5); Avg. Sales Rep Expenses (SAP S9); Budget to Actual differences in CSR expenses (SAP S9, S38)
Responses:
Reduce: Establish and enforce policies & procedures around spending (types & thresholds); Training on types of spending allowed; Review of physician contracts for compliance
Avoid:
Transfer:
Accept:
PC/AC Control: Tracking and reporting payments made to physicians via accounts payable or sales representatives' travel and expense accounts; Monitoring types of payments made to customers/physicians; Monitoring amounts and thresholds paid to customers/physicians; Tracking sales representatives' trainings
CAPA workflow as depicted:
Issue Owner: performs discrepancy evaluation; assigns CAPA plan; performs root cause analysis; lists corrective actions; lists preventive actions; lists contingencies (optional); assigns CAPA remediator; submits CAPA plan for approval.
CAPA plan approval: Option I: send the CAPA back to the Issue Owner for rework. Option II: approve the CAPA plan.
CAPA Remediator: 1. completes corrective actions first; 2. completes preventive actions next; 3. after completion, submits for approval.
Execution approval: optionally verifies effectiveness of the CAPA plan execution (by retesting the control). Option II: send the CAPA back to the CAPA remediator for re-execution.
Reduce cost of compliance with automated controls
ARF provides an infrastructure that enables building new automated rules in an easy and repeatable manner, effectively addressing unique business needs
Key capabilities
Supports several key process areas, applications and types of functions
Build your own rules using a guided procedure to monitor any field combinations
Map SAP queries, reports, variants and programs into ACF
Monitor applications on 3rd party systems such as ORCL, PSFT and DB2
Drive response to events as an alternative to scheduled rules
Automated Rules Framework: six ways to build automated rules, as depicted:
1. Configurable Rules
2. Leverage Existing Queries and Reports
3. Monitor 3rd Party Applications
4. Complex Processing via ABAP Rules
5. BI Query Integration
6. Delivered Rule Content
(1) Change Logs: reliably re-create configuration and master data settings for the control timeframe (e.g. previous quarter) and examine the changes made. Examples: Master Data: changes to critical Vendor Master data fields (e.g. payment terms, credit limits, etc.); Configuration: changes to PO tolerance settings (e.g. additional approval requirements).
(2) Value Checks: check for specified value(s) in master data, configuration, and transactions. Examples: Master Data: identify vendors with payment terms in excess of 30 days; Configuration: monitor PO receipt tolerance setting in excess of 10% of PO quantity; Transaction: monitor for POs in excess of $1M.
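The two rule types above, value checks and change-log checks, are easy to show in working code. The following is an added example, not SAP code and not part of the original deck: it runs the slide's own thresholds (payment terms over 30 days, PO receipt tolerance over 10%, POs over $1M, changes to critical vendor master fields and to PO tolerance configuration) over constructed sample data. The table name LFB1, the rule IDs, the field names and every record are assumptions made for illustration. The change-log check goes one step beyond the slide: a value that is changed and then reverted inside the period nets to no difference between the period-start and period-end snapshots, so a snapshot diff would miss it, but the replay of the log still reports it.

```python
"""Continuous control monitoring rules over constructed sample data.

Added example; not SAP code. Table name LFB1 (vendor company-code data),
rule IDs, field names and all records below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Any, Callable

# --- Constructed sample data (hypothetical) ---------------------------------
VENDORS = [  # vendor master as it stands at period end
    {"vendor": "V100", "name": "Acme Supply", "payment_terms_days": 30, "credit_limit": 50_000},
    {"vendor": "V200", "name": "Globex Ltd", "payment_terms_days": 60, "credit_limit": 25_000},
    {"vendor": "V300", "name": "Initech", "payment_terms_days": 45, "credit_limit": 10_000},
]
CONFIG = {"id": "global", "po_receipt_tolerance_pct": 15.0}  # current configuration
PURCHASE_ORDERS = [
    {"po": "4500001", "vendor": "V100", "amount": 250_000, "created": date(2009, 2, 3)},
    {"po": "4500002", "vendor": "V200", "amount": 1_250_000, "created": date(2009, 3, 14)},
]
# Change-log rows: (changed_on, table, object_key, field, old_value, new_value, changed_by)
CHANGE_LOG = [
    (date(2008, 11, 20), "LFB1", "V200", "payment_terms_days", 30, 45, "jdoe"),   # before period
    (date(2009, 1, 15), "LFB1", "V200", "payment_terms_days", 45, 60, "jdoe"),
    (date(2009, 2, 1), "CONFIG", "global", "po_receipt_tolerance_pct", 10.0, 15.0, "basis1"),
    (date(2009, 2, 10), "LFB1", "V300", "credit_limit", 10_000, 90_000, "msmith"),  # raised ...
    (date(2009, 2, 20), "LFB1", "V300", "credit_limit", 90_000, 10_000, "msmith"),  # ... and reverted
    (date(2009, 3, 2), "LFB1", "V300", "name", "Initech Inc", "Initech", "msmith"),  # not critical
]


@dataclass(frozen=True)
class Finding:
    rule: str
    object_id: str
    detail: str


def value_check(rule_id: str, records: list[dict[str, Any]], key: str,
                predicate: Callable[[dict[str, Any]], bool],
                describe: Callable[[dict[str, Any]], str]) -> list[Finding]:
    """Value check: flag every record whose current value violates the predicate."""
    return [Finding(rule_id, r[key], describe(r)) for r in records if predicate(r)]


def change_log_check(rule_id: str, log: list[tuple], table: str,
                     critical_fields: set[str], start: date, end: date) -> list[Finding]:
    """Change-log check: replay in-period log rows for critical fields and report the
    net change per object/field. A change that is reverted inside the period nets to
    no difference between snapshots but is still reported, because a temporary
    master-data edit is the classic way to push an improper payment through."""
    in_scope = sorted((e for e in log
                       if e[1] == table and e[3] in critical_fields and start <= e[0] <= end),
                      key=lambda e: e[0])
    by_object: dict[tuple[str, str], list[tuple]] = {}
    for _ts, _tbl, key, fld, old, new, user in in_scope:
        by_object.setdefault((key, fld), []).append((old, new, user))
    findings = []
    for (key, fld), entries in by_object.items():
        first_old, last_new = entries[0][0], entries[-1][1]
        users = ",".join(sorted({u for _o, _n, u in entries}))
        if first_old != last_new:
            findings.append(Finding(rule_id, key, f"{fld} changed {first_old} -> {last_new} by {users}"))
        else:
            findings.append(Finding(rule_id, key,
                                    f"{fld} changed and reverted within period ({len(entries)} changes) by {users}"))
    return findings


def run_rules(period_start: date = date(2009, 1, 1),
              period_end: date = date(2009, 3, 31)) -> list[Finding]:
    """Run the three value checks and two change-log checks from the slide's examples."""
    findings: list[Finding] = []
    findings += value_check("VM-01", VENDORS, "vendor",
                            lambda v: v["payment_terms_days"] > 30,
                            lambda v: f"payment terms {v['payment_terms_days']} days exceed 30")
    findings += value_check("CFG-01", [CONFIG], "id",
                            lambda c: c["po_receipt_tolerance_pct"] > 10.0,
                            lambda c: f"PO receipt tolerance {c['po_receipt_tolerance_pct']}% exceeds 10%")
    findings += value_check("PO-01", PURCHASE_ORDERS, "po",
                            lambda p: p["amount"] > 1_000_000 and period_start <= p["created"] <= period_end,
                            lambda p: f"PO amount {p['amount']:,} exceeds 1,000,000")
    findings += change_log_check("VM-02", CHANGE_LOG, "LFB1",
                                 {"payment_terms_days", "credit_limit"}, period_start, period_end)
    findings += change_log_check("CFG-02", CHANGE_LOG, "CONFIG",
                                 {"po_receipt_tolerance_pct"}, period_start, period_end)
    return findings


if __name__ == "__main__":
    for f in run_rules():
        print(f"{f.rule:7} {f.object_id:8} {f.detail}")
```

Run as-is, the example reports seven findings for Q1 2009: two vendors over 30-day terms, the tolerance configuration at 15%, one PO over $1M, the V200 terms change, the V300 credit-limit change-and-revert, and the tolerance configuration change. The November 2008 change is correctly outside the period and the vendor name change is ignored because the name is not a critical field.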
Key capabilities
Framework for automated testing and monitoring of FDA business processes
FDA content: SAP-provided automated controls for multiple business processes
End-to-end CAPA process for remediating issues raised from manual as well as automated monitoring and testing of controls
Compliance with 21 CFR Part 11: e-signatures
Effectiveness monitoring mechanism
FDA-specific reporting and trend analysis
Diagram elements: FDA-Specific Reporting, Audit Trail, E-Signature, Monitoring, Testing, Assessments