
SAP BusinessObjects Governance, Risk, and Compliance (GRC) Solutions

Risk-based Internal Control Ensure Continuous Compliance

May, 2009

What's Happening in the Marketplace?

- Satyam was plunged into a crisis in January 2009 after its founder, B. Ramalinga Raju, said that the company's profits had been overstated for several years.
- Loss of confidence by investors in the value of securitized mortgages in the United States resulted in a liquidity crisis that prompted a substantial injection of capital into financial markets...
- French President Nicolas Sarkozy has announced plans to lend PSA Peugeot Citroen and Renault three billion euros (3.9 billion dollars) each and other measures in exchange for a promise not to shut French plants or sack French workers.
- In 2005, FDA issued 97 warning letters to medical device firms; 80% of these included CAPA citations.
- On August 2, 2007, Mattel's Fisher-Price subsidiary recalled almost one million Chinese-made toys.
- Number of Recalls by FDA increased about 80% between 2000 and 2007.

SAP AG 2009. All rights reserved. / Page 2

Agenda

1. Customer Challenges, Impact and Solution Approach
2. Benefits to Customers Using Risk-based Internal Control
3. Risk-based Internal Control Overview
4. Summary and Next Steps
5. Appendix

Internal Controls Today

No transparency, suboptimal decision-making

Risk Management and Compliance Team:
- Create test plan
- Send out paper-based documentation surveys for completion
- Consolidate results from multiple sources
- What do we need to test? Who should perform the test?

Control Testers and Process Owners:
- Receive test instructions via email
- Perform manual tests based on verbal instructions
- Save documents and spreadsheets to local file servers
- What am I supposed to do? Why is this important?

Management and Executives:
- Where do we stand? How can we improve?

What are the Causes?

Lack of confidence and visibility
- Limited insight into control environment
- Crisis-driven business exception management
- Compliance and risk information are insufficient for decision makers

Excessive time, effort and cost for compliance
- Manual control tests are time and resource intensive
- Audit process is inefficient and costly
- Late detection of deficiencies and tedious remediation process

Multiple compliance requirements lead to multiple risks
- Multiple and silo solutions that are not scalable
- Inability to leverage overall risk and compliance efforts
- Fragmented and reactionary management of multiple compliance requirements

Today, companies spend a lot of time and effort to manage their controls, with insufficient results to be fully confident in their governance and to increase their performance.

What's the Impact?

- SOX 404 compliance costs for the average company were $1.7M (FEI Survey 2007, covering 168 companies with average revenues of $4.7 billion).
- Average external audit fees have increased 271% (Foley & Lardner Survey 2007: between fiscal years 2001 and 2006, for companies with under $1 billion in revenue).
- GRC spending will expand to $32.1B in 2008 (up 7.4% from 2007).

[Chart: GRC spending ($ billions) by People, Technology and Services; CAGR 7.4%; segment growth rates shown as 8.5% and 4.6%]

"In this economic climate, companies can no longer focus solely on reactive spending to meet each new regulation. As executives are becoming aware of how different business and IT risks affect their bottom line, their spending focus is shifting toward approaching risk strategically, not just tactically."
John Hagerty, AMR Research

Source: AMR Research 2008

Streamline the Compliance Process for Effective, Efficient Controls and Transparency

Complete, Enterprise-wide, Risk-based Internal Control

Risk Management and Compliance Team:
- Document control and test plan
- Attach reference document and spreadsheet

Control Testers and Process Owners:
- Follow guided procedure and perform test
- Report results and attach evidence

Management and Executives:
- Real-time visibility on control effectiveness and key issue status

Benefits:
- Unified, risk-based control management across the enterprise
- Reduced cost of compliance with automated controls and streamlined testing
- Better managed risk thanks to robust control management and remediation
- Real-time visibility on control effectiveness and key issue status

Savings Estimates Using Risk-based Internal Control Case Studies*

Potential Annual Benefits: $3.6M (conservative estimate) to $4.5M (likely scenario)

                                                                    Conservative   Likely
                                                                    Estimate       Scenario
Mitigate risk through effective controls and remediation            $1.1M          $1.3M
  Increase Fraud Prevention                                         $0.5M          $1.1M
  Report and Monitor Key Controls                                   $0.3M          $0.8M
  Resolve Exceptions through Remediation                            $0.3M          $0.4M
Reduce cost and improve compliance                                  $1.8M          $2.0M
  Automate Control Testing                                          $1.3M          $1.3M
  Shorten Audit Cycles                                              $0.4M          $0.5M
  Streamline Manual Evaluation, Issue Identification                $0.1M          $0.2M
Improve executive confidence with enterprise-wide control mgmt      $709k          $951k
  Provide real-time visibility of control effectiveness             $175k          $225k
  Unify Control Management across the Enterprise                    $350k          $450k
  Enforce accountability with Review, Certification, and Sign-off   $184k          $276k

* Benchmarks from SAP's Case Studies and Success Stories


Risk-based Internal Control in Practice

- A major retailer is confident in the robustness and flexibility of SAP BusinessObjects Process Control to support its international expansion and provide enterprise-wide visibility on the status of compliance.
- A healthcare company completed its SAP BusinessObjects Process Control pilot in 2 weeks and maximizes the efficiency of its implementation through a user-driven deployment of the solution that minimizes the reliance on IT resources.
- An oil and gas group minimizes user training thanks to the ease of use of the application and leverages SAP BusinessObjects Process Control configuration capabilities to keep changes in its data and reports to a minimum.
- A pharmaceuticals company is planning to use SAP BusinessObjects Process Control for other compliance requirements in addition to Sarbanes-Oxley.
- Another healthcare group significantly improves speed of resolution of deficiencies and gains better visibility on remediation cases for its control owners.

Allergan Automates SOX Compliance with SAP BusinessObjects Process Control

QUICK FACTS

Allergan Inc.
- Location: Irvine, California
- Industry: Life sciences
- Products and services: Specialty pharmaceuticals and medical devices
- Revenue: US$4.4 billion
- Employees: Approximately 8,000
- Web site: www.allergan.com
- SAP solution and services: SAP BusinessObjects Process Control application, SAP Consulting

Challenges and opportunities
- Reduce risk of financial misstatements and noncompliance
- Automate testing and compliance processes to save time and improve efficiency

Why SAP
- Integrated with the SAP software that runs the business
- Positive experiences with SAP products
- Availability of preferred implementation practices

Objectives
- Implement a robust solution for managing Sarbanes-Oxley Act (SOX) compliance processes end-to-end, including auditing, monitoring, and testing of controls

Implementation highlights
- Engaged PricewaterhouseCoopers (PwC) as lead system integrator
- Formed synergistic team consisting of PwC, SAP Consulting, and internal personnel

Benefits
- Migrated all processes to the SAP BusinessObjects Process Control application
- Automated many controls
- Achieved user-driven operations with minimal IT involvement
- Increased efficiency of SOX compliance processes
- Improved overall SOX compliance capability

"SAP BusinessObjects Process Control does everything we thought it would do and even more than we expected. The implementation was very functionality-driven, and we're excited about expanding the use of automated controls in the future."
Bart Brock, Sr. Project Manager, Allergan Inc.

Agenda

1. Customer Challenges, Impact and Solution Approach
2. Benefits to Customers Using Risk-based Internal Control
3. Risk-based Internal Control Overview
   3.1 Align enterprise risk with compliance
   3.2 Reduce cost with automated controls
   3.3 Achieve compliance visibility
4. Summary and Next Steps
5. Appendix

Risk-based Internal Control

Aligning enterprise risk with continuous compliance

SAP Solution
1. Document new compliance initiatives using a top-down risk-based approach
2. Develop assessment, testing and monitoring strategy; perform tests, report results and raise issues
3. Analyze issues, perform necessary remediation and certify results

Solution components (Risk-based Internal Control):
- Risk Management: Risk Identification; Risk Monitoring
- Process Control: Document Compliance Initiatives; Plan and Perform Assessments and Tests; Remediate Issues and Certify Results
- Access Control: Access Analysis and Response

SAP Differentiators
- Increase efficiency by aligning enterprise risk with multiple compliance initiatives
- Reduce cost and the risk of non-compliance through rapidly deployable automated configurable controls
- Ensure control effectiveness across heterogeneous application landscapes through continuous monitoring

Risk-based Internal Control

Aligning enterprise risk with continuous compliance

Align enterprise risk with compliance
- Identify and prioritize compliance risks
- Establish controls to mitigate compliance risks
- Document all compliance initiatives via centralized catalogs

Reduce cost with configurable controls
- Create automated rules on-the-fly
- Leverage pre-delivered rules to test and analyze
- Monitor controls proactively to identify exceptions

Ensure control effectiveness
- Continuously monitor heterogeneous landscapes (SAP and non-SAP)
- Rapidly respond with industry content
- Confidently report, certify and sign off

Align Enterprise Risk with Compliance

Identify and prioritize compliance risk

Optimize compliance resources by focusing on key risk areas

Key capabilities
- Identify risks associated with regulations and policies
- Identify impacted organizations and business processes
- Determine risk exposure at organization level
- Identify organizations and processes in scope through materiality analysis or risk prioritization using enterprise risk assessment
- Assign processes and controls to organizations

Flow: Document Risks -> Identify Top Compliance Risks -> Perform High Level Scoping (Risk Analysis, Risk Exposure)

Align Enterprise Risk with Compliance

Identify controls to mitigate compliance risk

Reduce enterprise risk with effective controls; reduce cost of compliance with automated controls

Key capabilities
- Formulate risk responses to inadequately addressed risks
- Review control proposals and create proposed controls, either by assignment or new control creation
- Notify risk management of control creation status
- Perform control-risk assessment to determine required level of evidence
- Raise issues for remediation

Flow: Risk Analysis -> Risk Exposure -> Identify Controls and Map to Risks -> Plan Assessments and Tests

Align Enterprise Risk with Compliance

Document all compliance initiatives via centralized catalogs

Improve compliance efficiency by streamlining activities

Key capabilities
- Master data catalogs leveraged across multiple compliance initiatives
- Simultaneous support for regulatory requirements and internal policy mandates
- Shared controls testing and assessments
- Configurable remediation plans for each compliance initiative
- Drill-down capability to view/review the test and assessment results

Reduce Cost with Configurable Controls

Create automated rules on-the-fly

Easily adapt to changing business and compliance needs

Key capabilities
- Intuitive and flexible user interface to create unlimited monitoring criteria without programming
- Configuration and master data audit trail
- Simple transaction monitoring available
- Tables/views across SAP Business Suite

Enterprise application sources fed into the Process Control Configurable Controls Designer (monitor threshold values, create deficiency criteria, etc.) for detective monitoring:
- Configuration controls (e.g. invoice tolerance)
- Master data controls (e.g. vendor payment terms)
- Transactions (e.g. PO, invoice)

Reduce Cost with Configurable Controls

Leverage pre-delivered rules

Reduce cost of compliance with automated controls; improve compliance responsiveness with packaged rules

Key capabilities
- Automate control testing and monitoring across SAP and non-SAP systems with out-of-the-box rules
- More than 200 delivered scripts for automated control testing*
- Additional testing automation using standard SAP queries/reports
- User-definable multi-step test plans and flexible assessment surveys

Pre-delivered control content by process area:

Process area          # Controls   Sub-processes
Order to Cash         23           Order Capture; Order Fulfillment; Billing & Returns; Revenue Recognition
Procure to Pay        28           Demand Planning; Operational Procurement; Inventory Management; Payables Management
Reconcile to Report   18           Budgeting Planning; Sub Ledger Transactions; Financial Close; Consolidation & Reporting
IT Basis              18           Application Implementation; Change Control; Application Security; Network Support
HR                    15           Workforce Planning; Hiring; Compensation; Employee Relations
Treasury              1            Cash Management; Risk Management; Portfolio Management; Inter-company Finance
Fixed Assets          5            Asset Acquisition; Asset Depreciation; Asset Disposition; Asset Management
FDA                   14           Design Control; CAPA; Material Controls; Post Market Support

* Exact number depends on your industry

Reduce Cost with Configurable Controls

Monitor controls proactively to identify exceptions

Close the loop by continuously monitoring compliance violations

Key capabilities
- Rapidly detect and analyze exceptions
- Proactively notify key stakeholders
- Automated workflow to designate ownership


Ensure Control Effectiveness

Continuously monitor heterogeneous landscapes

Reduce risk with operational transparency enterprise-wide

Key capabilities
- Rapidly detect and analyze exceptions
- Supports both SAP and non-SAP

SAP BusinessObjects Process Control: process/control hierarchy, automatic testing, rule engine, issue remediation, real-time reporting, scheduler
- Pre-defined controls
- Custom controls (Multi-App Query Tool): define custom controls for legacy and custom systems
- Partner support: Process Control xPAC by Greenlight (SOA architecture) for legacy and custom systems

Ensure Control Effectiveness

Continuously monitor access management compliance

Gain visibility by continuously monitoring security and access related controls

Key capabilities
- Perform assessments and tests of access-related risks
- Review automated access test results
- Determine/perform appropriate remediation

Flow: Access-related Risk -> Plan Assessments and Tests -> Access Remediation

SAP BusinessObjects Process Control 3.0

Compliance reporting and analytics

Improve compliance performance and predictability

Key capabilities
- Crystal Reports and Xcelsius dashboards
- Cross-compliance and initiative-specific reporting
- Existing report templates can be leveraged across any compliance initiative
- Drill-down provided in select dashboards and reports
- Drill-down capability to view/review the test and assessment results
- Key reports pre-delivered

Achieve Compliance Visibility

Rapidly respond with industry content

Accelerates industry compliance with pre-defined industry content

Key capabilities
- Life Sciences Industry: risk drivers, KRIs, risk events, impact and risk responses for Promotional Spend, Off-Label Promotion, Product Quality, Pricing Compliance
- Oil & Gas Industry: risk drivers, KRIs, risk events, impact and risk responses for Foreign Corrupt Practices Act (FCPA), Occupational Health & Safety (OSHA), FAS 133, Logistics


Risk-based Internal Control Benefits

#1 Align enterprise risk with compliance initiatives
- Optimize compliance resources by focusing on key risk areas
- Reduce enterprise risk with effective controls
- Improve compliance efficiency by streamlining activities

#2 Reduce cost with configurable controls
- Easily adapt to changing business and compliance needs
- Improve compliance responsiveness with packaged rules
- Close the loop by continuously monitoring compliance violations

#3 Ensure control effectiveness through continuous monitoring
- Reduce risk with operational transparency enterprise-wide
- Comprehensive content for industry-specific compliance
- Improve compliance performance and predictability

SAP GRC Process Control 3.0

Extending operational efficiencies across the enterprise

Process flow: Doc -> Scope -> Evaluate (Test Manual Controls; Perform Assessments) -> Monitor (Monitor exceptions; Perform CAPA; Remediate Issues) -> Signoff (Certify, Signoff and e-signature: 302, 404, 21 CFR Part 11)

Compliance initiatives: SOX, FDA, JSOX

Control Environment: Process-Control-Objective-Risk; Automated Controls Framework

Enterprise Integration: Access Control; Risk Management; Oracle, PSFT, DB2, 3rd-party apps; Cisco SONA; Business Processes (FIN, SCM, SRM, MFG, HR); IT Infrastructure; Event Systems

Enterprise Productivity: Enterprise search (structured and unstructured); Adobe Interactive Forms

Analytics and Reporting: Crystal Reports; Xcelsius Dashboard; BI Reports; Datasheets

For More Information

See www.SAP.com/GRC for:
- SAP BusinessObjects Process Control information
- Customer case studies
- Online self-running demo
- Information on all other SAP BusinessObjects Governance, Risk, and Compliance (GRC) solutions

Thank you!

Copyright 2009 SAP AG All Rights Reserved


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, Duet, Business ByDesign, ByDesign, PartnerEdge and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned and associated logos displayed are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence. The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages


Demonstration
Risk-based Internal Control


Risk-based Internal Control

Stakeholders and solution areas (columns: Strategy / Planning, Business Operations, Internal Audit):
- CFO
- Head of Risk Management: Enterprise Risk Management. Strategy / Planning: Risk Planning. Business Operations: Risk Identification, Risk Analysis, Risk Response. Internal Audit: Risk Monitoring.
- Head of Compliance / Internal Audit: Risk-Based Internal Controls. Strategy / Planning: Document Compliance Initiatives. Business Operations: Plan and Perform Assessments and Tests. Internal Audit: Remediate Issues and Certify Results.
- Head of Internal Audit / Chief Security Officer: Access Management. Strategy / Planning: Access Planning. Business Operations: Access Analysis and Response. Internal Audit: Access Monitoring.
- Vice President Tax / Head of Compliance: Duty Reduction and Trade Compliance. Strategy / Planning: Trade Policy Planning.

Document all Compliance Initiatives via Centralized Catalogs

Align Strategy and Risk with Compliance

Central Framework: Organization Structures; Processes, Risks & Controls
- SOx: Mandates (SOx 302, 404); Policies; User Roles & Authorizations
- J-SOx: Mandates / submandates; Policies; User Roles & Authorizations
- FDA: Mandates / submandates; Policies; User Roles & Authorizations

Example: Framework for a Life Science / Pharmaceutical US-based Global Company

Align Strategy and Risk with Compliance

Document all compliance initiatives via centralized catalogs

Organization hierarchy, at a corporate or local level: Corporate -> Parent Org 1, Parent Org 2 -> USA, India, Vancouver, Hong Kong

Org owners perform AOD analysis at the org level and the SOX PMO performs the final AOD analysis at the corporate level.

Align Strategy and Risk with Compliance

Document all compliance initiatives via centralized catalogs

Customizable user menus: global and compliance-initiative-specific menu content; role-based user content

Example: Global Compliance Office: Regulation/Policy Admin

Align Strategy and Risk: Risk Intelligent Reporting & Certification

Hierarchical, bottom-up sign-off progression:
1. Each subprocess owner signs off (e.g. Purchasing, Accounts Payable)
2. Process owner signs off (e.g. Procure to Pay)
3. Lowest location signs off (e.g. US Finance)
4. Higher location signs off (e.g. US)
5. Corporate signer(s) sign off
6. CEO/CFO sign off: support section 302 certification; freeze key information that has been signed off

Close the loop between strategy and execution with a top-down risk-based approach. Sign off with confidence through formalized certification.

Risk-Adjusted Controls Management

SAP BusinessObjects Process Control: End-to-End, Enterprise-wide Business Process Control

1. Document Compliance Initiatives
Identify the risks associated with new regulations or policies and document the associated compliance structure using a top-down risk-based approach. Unify control management across the enterprise through a single system of record that can adapt to changing business needs. Enable an enterprise environment for monitoring business systems and timely detection of issues and risks.

2. Plan and Perform Assessments and Tests
Align the planning and scheduling of testing in accordance with the compliance calendar. Conduct the tests, report the test results and raise issues for remediation. Automate control testing and monitoring across heterogeneous environments. Shorten audit cycles through the optimization of compliance activities. Resolve exceptions more efficiently with workflow-driven issue identification and remediation.

3. Remediate Issues and Certify Results
Review the results of your compliance activities, remediate identified issues and certify your results through sign-off and audit. Provide real-time visibility of control effectiveness and remediation of key issues, eliminating surprises. Enforce accountability with review, certification, and sign-off of processes. Use comprehensive reports and dashboards to monitor control activity and issue status.

Reduce Cost with Automated Controls

Automated Controls: create automated rules on-the-fly
- Select a pre-delivered test: pre-delivered process control tests with flexible rule criteria; SOD analysis and reporting
- Re-use a custom test: plug-and-play your existing test scripts
- Construct an ad-hoc test: create control tests on-the-fly with SAP query tools

Order to Cash Procure to Pay Reconcile to Report IT Basis


SAP AG 2009. All41 2007 / Page rights reserved. / Page 41

Tee-up

Order to Cash: Order Capture, Order Fulfillment, Billing and Returns, Revenue Recognition
Procure to Pay: Demand Planning, Operational Procurement, Inventory Management, Payables Management
Reconcile to Report: Budgeting/Planning, Subledger Transactions, Financial Close, Consolidation and Reporting
IT Basis: Application Security, Change Control

Reduce cost with configurable controls: leverage pre-delivered rules

Master Rule Program
Rule Parameters: Org. A / Org. B; Account Range / Single Account; Absolute Value (H / M / L); % (H / M / L)
Rule Frequencies: Daily, Weekly, Bi-Weekly, Fortnightly, Monthly, Quarterly, Semi-Annual, Annual
Automated Rule 1, Automated Rule 2
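The slide above shows one master rule program being instantiated into several automated rules by choosing parameters (organization, account range or single account, an absolute-value or percentage threshold at High/Medium/Low severity) and a frequency. The following is an added illustration of that structure, written for this page and not SAP code: the journal lines, the H/M/L threshold values and the rule instances are all constructed, and the flat dictionary layout is an assumption rather than any SAP table.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed journal lines for two organizations (assumed layout, not an SAP table).
JOURNAL = [
    {"org": "A", "account": 400100, "amount": 12000.0, "posted": date(2009, 3, 2)},
    {"org": "A", "account": 400200, "amount": 950.0, "posted": date(2009, 3, 5)},
    {"org": "B", "account": 400100, "amount": 52000.0, "posted": date(2009, 3, 9)},
    {"org": "B", "account": 610000, "amount": 3000.0, "posted": date(2009, 3, 12)},
]

# High/Medium/Low values behind the "Absolute Value" and "%" parameters (constructed).
ABSOLUTE_THRESHOLDS = {"H": 50000.0, "M": 10000.0, "L": 1000.0}
PERCENT_THRESHOLDS = {"H": 10.0, "M": 5.0, "L": 1.0}

# Frequencies from the slide, expressed as the minimum number of days between runs.
FREQUENCY_DAYS = {
    "Daily": 1, "Weekly": 7, "Bi Weekly": 14, "Fortnightly": 14, "Monthly": 30,
    "Quarterly": 91, "Semi Annual": 182, "Annual": 365,
}


@dataclass(frozen=True)
class RuleParameters:
    """One automated rule = the master rule program plus this parameter set."""
    name: str
    org: str
    account_from: int
    account_to: int                        # equal to account_from for a single-account rule
    severity: str                          # "H", "M" or "L"
    frequency: str
    percent_base: Optional[float] = None   # if set, threshold is severity % of this base


def threshold(params: RuleParameters) -> float:
    """Resolve the numeric limit from either the absolute or the % parameter."""
    if params.percent_base is None:
        return ABSOLUTE_THRESHOLDS[params.severity]
    return params.percent_base * PERCENT_THRESHOLDS[params.severity] / 100.0


def master_rule(params: RuleParameters, journal):
    """Master rule program: return the journal lines that breach the rule."""
    limit = threshold(params)
    return [
        line for line in journal
        if line["org"] == params.org
        and params.account_from <= line["account"] <= params.account_to
        and line["amount"] >= limit
    ]


def is_due(params: RuleParameters, last_run: Optional[date], today: date) -> bool:
    """Scheduling check derived from the rule frequency."""
    if last_run is None:
        return True
    return (today - last_run).days >= FREQUENCY_DAYS[params.frequency]


# Instances of the master rule program, as on the slide (parameter values constructed).
AUTOMATED_RULE_1 = RuleParameters("Automated Rule 1", "A", 400000, 499999, "M", "Weekly")
AUTOMATED_RULE_2 = RuleParameters("Automated Rule 2", "B", 400100, 400100, "L", "Monthly")
AUTOMATED_RULE_3 = RuleParameters("Automated Rule 3", "B", 600000, 699999, "H", "Quarterly",
                                  percent_base=20000.0)


def run_due_rules(rules, last_runs, today, journal=JOURNAL):
    """Run every rule whose frequency says it is due; return exceptions per rule name."""
    results = {}
    for rule in rules:
        if is_due(rule, last_runs.get(rule.name), today):
            results[rule.name] = master_rule(rule, journal)
    return results


if __name__ == "__main__":
    last = {"Automated Rule 1": date(2009, 3, 28), "Automated Rule 2": date(2009, 3, 20)}
    due = run_due_rules([AUTOMATED_RULE_1, AUTOMATED_RULE_2, AUTOMATED_RULE_3],
                        last, date(2009, 4, 1))
    for name, hits in due.items():
        print(name, "->", len(hits), "exception(s)")
```

The point of the separation is that the control logic (`master_rule`) is written once and reviewed once; each automated rule is only data, so adding an organization or tightening a threshold is a configuration change that can itself be change-logged rather than a code change.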

Managing Enterprise Risks: 2.2.1 Foreign Corrupt Practices Act Compliance Risk

BUSINESS PROCESS: Regulatory Compliance (S39)

KPIs: # of payments to foreign officials characterized as contributions, consulting payments or miscellaneous expenses

DRIVERS: Operate in overseas high-risk markets; Use of 3rd party representatives to facilitate overseas business; Conduct business with foreign state-run entities

RISK EVENT: Employee/Agent Involved in Illegal Arrangement (FCPA)

IMPACTS: Financial, Earnings (SEC & DOJ violations, fines, penalties, remediation); Financial, Revenue (Ineligibility of doing business with foreign entity); Reputation (Disclosures, investigation, prosecution, oversight)

Key Risk Indicators: # of reviews conducted for due diligence on all foreign business partners and third-party representatives (manual); % employees with foreign official contact who have had FCPA training (SAP HCM); Expense % of total compensation for sales agents responsible for international accounts (SAP Payroll)

Preventive responses reduce probability of event; recovery responses reduce impact of event.

Responses
Reduce: Code of Conduct and FCPA or anti-corruption policies in place; Anti-corruption training in place; Whistleblower line
Avoid: Avoid business in high risk markets prone to abuse
Transfer: Contractual; maintain legal protections with agents
Accept: penalty reserve

PC/AC Control
SOD: Separate Vendor Maintenance from Invoice Approval (AC)
Monitor employees that are overdue for ethics/FCPA training (PC)
Monitor suspicious payment attributes such as round payments, one time vendor, etc. (PC)
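The three PC/AC controls listed for this risk (a segregation-of-duties check, an overdue-training monitor and a payment-attribute monitor) plus the training KRI are small enough to show end to end. What follows is an added example written for this page, not SAP's rule content: the users, vendors, payments and training records are constructed, and the flag names and the "multiple of 1,000" definition of a round payment are assumptions made here for illustration.

```python
from datetime import date

# Constructed sample data; none of it comes from a real SAP system.
USER_CAPABILITIES = {          # user -> actions the user's roles allow
    "jdoe": {"VENDOR_MAINTAIN", "INVOICE_APPROVE"},
    "asmith": {"VENDOR_MAINTAIN"},
    "bkim": {"INVOICE_APPROVE"},
}
VENDORS = {                    # vendor master, with the one-time-vendor flag
    "V100": {"name": "Acme GmbH", "one_time": False},
    "V999": {"name": "One-time account", "one_time": True},
}
PAYMENTS = [
    {"id": "P1", "vendor": "V100", "amount": 10482.37, "text": "consulting"},
    {"id": "P2", "vendor": "V999", "amount": 50000.00, "text": "miscellaneous"},
    {"id": "P3", "vendor": "V100", "amount": 20000.00, "text": "contribution"},
    {"id": "P4", "vendor": "V100", "amount": 7315.10, "text": "freight"},
]
TRAINING = {                   # employee -> (has foreign-official contact, last FCPA training)
    "e1": (True, date(2008, 11, 1)),
    "e2": (True, None),
    "e3": (False, None),
}

# The SoD rule from the slide: vendor maintenance must not sit with invoice approval.
SOD_CONFLICT = frozenset({"VENDOR_MAINTAIN", "INVOICE_APPROVE"})
# Payment categories named in the slide's KPI.
KPI_CATEGORIES = {"contribution", "consulting", "miscellaneous"}


def sod_violations(capabilities=USER_CAPABILITIES):
    """Users holding both conflicting capabilities (AC-style SoD analysis)."""
    return sorted(u for u, acts in capabilities.items() if SOD_CONFLICT <= acts)


def is_round_amount(amount: float, unit: float = 1000.0) -> bool:
    """True when the amount is an exact multiple of `unit` (assumed definition)."""
    return amount > 0 and abs(amount / unit - round(amount / unit)) < 1e-9


def suspicious_payments(payments=PAYMENTS, vendors=VENDORS):
    """Flag the payment attributes the slide names; returns {payment id: [reasons]}."""
    flagged = {}
    for p in payments:
        reasons = []
        if is_round_amount(p["amount"]):
            reasons.append("round_amount")
        if vendors[p["vendor"]]["one_time"]:
            reasons.append("one_time_vendor")
        if p["text"] in KPI_CATEGORIES:
            reasons.append("kpi_category")
        if reasons:
            flagged[p["id"]] = reasons
    return flagged


def overdue_training(training=TRAINING, as_of=date(2009, 5, 1), max_age_days=365):
    """Employees with foreign-official contact whose FCPA training is missing or stale."""
    return sorted(
        emp for emp, (contact, last) in training.items()
        if contact and (last is None or (as_of - last).days > max_age_days)
    )


def training_coverage_pct(training=TRAINING) -> float:
    """KRI: % of employees with foreign-official contact who have had FCPA training."""
    exposed = [last for contact, last in training.values() if contact]
    if not exposed:
        return 100.0
    return 100.0 * sum(1 for last in exposed if last is not None) / len(exposed)
```

Each function returns a list or number rather than printing, so the same checks can feed a dashboard, an issue-creation workflow, or a scheduled test: the SoD result is a finding per user, the payment result is a finding per document with the reasons attached for the reviewer, and the coverage figure is the KRI itself.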

Achieve Compliance Visibility: Rapidly respond with Industry content


Increasing regulation and scrutiny under the Anti-Kickback Statute, Foreign Corrupt Practices Act (FCPA) and similar federal and state regulations requires companies to limit their promotional spending on physicians, with different rules in different states. The voluntary PhRMA code and AMA guidance also provide limits in this increasingly complex space. Tracking methods and controls are limited and poorly integrated with IT environments.

BUSINESS PROCESS: Field Sales & Marketing

RISK EVENT DRIVERS: Increasing government regulation over promotional expenses; PhRMA and AMA guidelines on CME and sales contacts; Sales culture makes controlling and tracking expenses difficult

Key Performance Indicators: Financial impact of fines and penalties; Average sales rep expenses

RISK EVENT: Inappropriate enticements or kickbacks in exchange for preferential treatment

IMPACTS: Legal/Regulatory (Significant fines levied by DOJ and other bodies); Legal/Regulatory (Corporate integrity agreements increase scrutiny and costs); Reputation (Reputation suffers from poor publicity)

Preventive responses reduce probability of event; recovery responses reduce impact of event.

Key Risk Indicators: Training Hours per (sales) Employee (SAP IV.J.5); Avg. Sales Rep Expenses (SAP S9); Budget to Actual differences in CSR expenses (SAP S9, S38)

Responses
Reduce: Establish and enforce policies & procedures around spending (types & thresholds); Training on types of spending allowed; Review of physician contracts for compliance
Avoid
Transfer
Accept

PC/AC Control: Tracking and reporting payments made to physicians via accounts payable or sales representatives' travel and expense accounts; Monitoring types of payments made to customers/physicians; Monitoring amounts and thresholds paid to customers/physicians; Tracking sales representatives' trainings

Continuously Monitor Heterogeneous Applications: Rapidly respond with Industry content

Ensure Continuous Compliance: Key capabilities
High degree of GMP compliance
Standardized, enterprise-wide FDA/Non-FDA compliance processes
CAPA workflow for best practice issue remediation

CAPA workflow
An FDA control (manual or automated) identifies an issue, due to deficiencies in a business process.

Issue Owner (QC Manager):
1. Performs discrepancy evaluation
2. Assigns CAPA plan
3. Performs root cause analysis
4. Lists corrective actions
5. Lists preventive actions
6. Lists contingencies (optional)
7. Assigns CAPA remediator
8. Submits CAPA plan for approval

Approver of CAPA plan (QA manager), 3 approval options:
Option I: Sends the CAPA back to the Issue Owner for rework
Option II: Approves the CAPA plan
Option III: Cancels the CAPA plan (CAPA plan cancelled)

CAPA remediator(s):
1. Completes corrective actions first
2. Completes preventive actions next
3. After completion, submits for approval

Approver of CAPA plan execution (QA manager), 2 approval options; optionally verifies effectiveness of the CAPA plan execution (by retesting the control):
Option I: Approves CAPA execution (CAPA plan successfully completed and closed)
Option II: Sends the CAPA back to the CAPA remediator for re-execution
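The CAPA workflow above is a state machine with role-bound transitions: only the issue owner submits a plan, only the plan approver can rework, approve or cancel it, and execution can only be approved or sent back by the execution approver. The example below is an added illustration written for this page, not SAP's workflow engine; the state names, the "plan must be complete before submission" rule and the sample issue text are assumptions made here.

```python
ISSUE_OWNER = "Issue Owner (QC Manager)"
PLAN_APPROVER = "Approver of CAPA plan (QA Manager)"
REMEDIATOR = "CAPA remediator"
EXECUTION_APPROVER = "Approver of CAPA plan execution (QA Manager)"

# (current state, action, role allowed to take it) -> next state.
# The actions mirror the approval options on the slide; state names are assumed.
TRANSITIONS = {
    ("ISSUE_IDENTIFIED", "submit_plan", ISSUE_OWNER): "PLAN_SUBMITTED",
    ("PLAN_SUBMITTED", "rework", PLAN_APPROVER): "ISSUE_IDENTIFIED",            # Option I
    ("PLAN_SUBMITTED", "approve_plan", PLAN_APPROVER): "IN_EXECUTION",           # Option II
    ("PLAN_SUBMITTED", "cancel", PLAN_APPROVER): "CANCELLED",                    # Option III
    ("IN_EXECUTION", "submit_execution", REMEDIATOR): "EXECUTION_SUBMITTED",
    ("EXECUTION_SUBMITTED", "approve_execution", EXECUTION_APPROVER): "CLOSED",  # Option I
    ("EXECUTION_SUBMITTED", "reexecute", EXECUTION_APPROVER): "IN_EXECUTION",    # Option II
}
# Steps 1-5 and 7 of the issue owner's list; contingencies (step 6) are optional.
REQUIRED_PLAN_FIELDS = ("discrepancy_evaluation", "root_cause", "corrective_actions",
                        "preventive_actions", "remediator")


class CapaError(Exception):
    """Raised for an action the current state or the acting role does not allow."""


class CapaPlan:
    def __init__(self, issue_id: str):
        self.issue_id = issue_id
        self.state = "ISSUE_IDENTIFIED"
        self.plan = {}
        self.corrective_done = False
        self.preventive_done = False
        self.history = []                     # audit trail of (state, action, role)

    def act(self, role: str, action: str) -> str:
        key = (self.state, action, role)
        if key not in TRANSITIONS:
            raise CapaError(f"{role!r} may not {action!r} while in state {self.state}")
        if action == "submit_plan":
            missing = [f for f in REQUIRED_PLAN_FIELDS if not self.plan.get(f)]
            if missing:
                raise CapaError(f"plan incomplete: {missing}")
        if action == "submit_execution" and not (self.corrective_done and self.preventive_done):
            raise CapaError("corrective and preventive actions must be completed first")
        if action == "reexecute":             # actions have to be redone before resubmission
            self.corrective_done = self.preventive_done = False
        self.history.append((self.state, action, role))
        self.state = TRANSITIONS[key]
        return self.state

    def complete_corrective(self, role: str) -> None:
        if role != REMEDIATOR or self.state != "IN_EXECUTION":
            raise CapaError("only the remediator completes actions during execution")
        self.corrective_done = True

    def complete_preventive(self, role: str) -> None:
        # The slide orders the work: corrective actions first, preventive actions next.
        if role != REMEDIATOR or self.state != "IN_EXECUTION" or not self.corrective_done:
            raise CapaError("preventive actions follow corrective actions")
        self.preventive_done = True


def run_happy_path(issue_id: str = "ISS-0001") -> CapaPlan:
    """Walk one CAPA through submit, approve, execute and close (sample text constructed)."""
    capa = CapaPlan(issue_id)
    capa.plan.update(discrepancy_evaluation="batch record deviation",
                     root_cause="procedure not followed",
                     corrective_actions=["retrain line staff"],
                     preventive_actions=["add checklist to SOP"],
                     remediator="line supervisor")
    capa.act(ISSUE_OWNER, "submit_plan")
    capa.act(PLAN_APPROVER, "approve_plan")
    capa.complete_corrective(REMEDIATOR)
    capa.complete_preventive(REMEDIATOR)
    capa.act(REMEDIATOR, "submit_execution")
    capa.act(EXECUTION_APPROVER, "approve_execution")
    return capa
```

Keeping the allowed transitions in one table makes the control reviewable: an auditor can read `TRANSITIONS` and confirm that no role can both submit and approve the same plan, and `history` gives the audit trail that a 21 CFR Part 11 style review would ask for.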

Confidently report, certify and sign-off

Improve compliance performance and predictability: achieve compliance visibility

Key capabilities
Crystal reports and Xcelsius dashboards
Cross compliance and initiative specific reporting
Existing report templates can be leveraged across any compliance initiatives
Drill down provided in select dashboards and reports
Drill down capability to view/review the test and assessment results

Reduce Cost with Automated Controls

Create automated rules on-the-fly

Reduces cost of compliance with automated controls. ARF provides an infrastructure that enables building new automated rules in an easy and repeatable manner, effectively addressing unique business needs.

Key capabilities
Supports several key process areas, applications and types of functions
Build your own using guided procedure to monitor any field combinations
Map SAP queries, reports, variants and programs into ACF
Monitor apps on 3rd party systems such as ORCL, PSFT and DB2
Drive response to events as an alternative to scheduled rules

Automated Rules Framework
1. Configurable Rules
2. Leverage Existing Queries and Reports
3. Complex Processing via ABAP Rules
4. Monitor 3rd Party Applications
5. BI Query Integration
6. Delivered Rule Content

(1) Change Logs: Reliably re-create configuration and master data settings for the control timeframe (e.g. previous quarter), and examine changes made. Examples: Master Data: Monitor changes to critical Vendor Master data fields (e.g. payment terms, credit limits, etc.). Configuration: Changes to PO receipt tolerance settings (e.g. additional approval requirements).

(2) Value Checks: Check for specified value(s) in master data, configuration, and transactions. Examples: Master Data: Identify vendors with payment terms in excess of 30 days. Configuration: PO receipt tolerance setting in excess of 10% of PO quantity. Transaction: Monitor for POs in excess of $1M (e.g. tolerances).
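The two rule types described above, change logs (compare the state at the start and end of the control period and report what moved) and value checks (test current values against a limit), are shown together below with the slide's own example thresholds. This is an added illustration written for this page, not ARF code: the vendor master snapshots, configuration entry and purchase orders are constructed, and their field names are assumptions rather than SAP field names.

```python
# Fields whose changes are considered critical (assumed names, not SAP field names).
CRITICAL_VENDOR_FIELDS = ("payment_terms_days", "credit_limit")

# Constructed vendor master snapshots at the start and end of the control period.
VENDOR_MASTER_QUARTER_START = {
    "V100": {"name": "Acme GmbH", "payment_terms_days": 30, "credit_limit": 50000},
    "V200": {"name": "Globex", "payment_terms_days": 30, "credit_limit": 10000},
}
VENDOR_MASTER_QUARTER_END = {
    "V100": {"name": "Acme Inc.", "payment_terms_days": 60, "credit_limit": 50000},
    "V200": {"name": "Globex", "payment_terms_days": 30, "credit_limit": 10000},
    "V300": {"name": "Initech", "payment_terms_days": 45, "credit_limit": 0},
}
# Constructed configuration and purchase orders.
CONFIG = {"po_receipt_tolerance_pct": 15.0}
PURCHASE_ORDERS = [
    {"po": "4500000001", "amount": 250000.0},
    {"po": "4500000002", "amount": 1200000.0},
]


def change_log(before, after, fields=CRITICAL_VENDOR_FIELDS):
    """Change-log rule: diff two snapshots and report changes to critical fields only.

    Returns (key, field, old, new); records created during the period appear with
    old=None, and deleted records are reported with field=None.
    """
    changes = []
    for key, record in after.items():
        previous = before.get(key, {})
        for field in fields:
            old, new = previous.get(field), record.get(field)
            if old != new:
                changes.append((key, field, old, new))
    for key in before:
        if key not in after:
            changes.append((key, None, "present", "deleted"))
    return changes


def value_checks(vendors=VENDOR_MASTER_QUARTER_END, config=CONFIG, pos=PURCHASE_ORDERS,
                 max_terms_days=30, max_tolerance_pct=10.0, po_limit=1_000_000.0):
    """Value-check rules using the thresholds the slide gives as examples."""
    return {
        # Master data: vendors with payment terms in excess of 30 days
        "vendors_long_terms": sorted(
            v for v, rec in vendors.items() if rec["payment_terms_days"] > max_terms_days),
        # Configuration: PO receipt tolerance in excess of 10%
        "tolerance_exceeded": config["po_receipt_tolerance_pct"] > max_tolerance_pct,
        # Transaction: POs in excess of $1M
        "large_pos": [p["po"] for p in pos if p["amount"] > po_limit],
    }


if __name__ == "__main__":
    for entry in change_log(VENDOR_MASTER_QUARTER_START, VENDOR_MASTER_QUARTER_END):
        print("changed:", entry)
    print(value_checks())
```

A value check answers "is the setting wrong now?", while a change log answers "was it changed during the period, by how much, and did it come back?", which is why the vendor whose terms were raised from 30 to 60 days shows up in both results but the renamed vendor appears in neither: the name is not a critical field.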

FDA Example: Achieve Compliance Visibility

Operational Compliance: accelerates industry compliance with pre-defined industry content

Key capabilities
Framework for Automated Testing and Monitoring of FDA business processes
FDA Content: SAP-provided automated controls for multiple business processes
End-to-end CAPA process for remediating issues raised from manual as well as automated monitoring and testing of controls
Compliance with 21 CFR Part 11: E-signatures
Effectiveness monitoring mechanism
FDA-specific reporting and trend analysis

FDA-Specific Reporting: Audit Trail, E-Signature, Monitoring
Compliance data management: process hierarchy, FDA controls, orgs
Testing; Assessments
CAPA Remediation Process: Issue Owner, CAPA Plan Approver, CAPA Remediator, Execution Approver