© 2007 Approva Corporation. All rights reserved.
Continuous Monitoring & Audit
Taj Chadha
Senior Director, Integration Solutions Practice
Agenda
Introduction
Business Controls Challenge
Controls Solution
Real World Examples
Q & A
About Approva
Approva provides continuous monitoring and audit
software that enables finance, business, IT and audit
to automate and strengthen business controls.
On-Demand Testing
Closed-Loop Remediation
Preventive Controls
Continuous, Exception-Based Monitoring
Selected Approva Customers
Manufacturing, Transportation & Public Sector
Technology, Telecom & Media
Consumer Products & Retail
Pharmaceutical & Biotech
Energy & Chemicals
The Siemens Experience
Moving from Manual to Automated Controls Monitoring
User Access Challenges
Identify and resolve segregation of duties (SoD) violations across all 3 SAP instances
Empower business users to identify role violations and take corrective action
Implement a compliant provisioning process to prevent new SoD violations
Standardize the design and testing of business controls across all 18 subsidiaries
Siemens PG's CFO gave a 12-month deadline to identify & remediate all SoD violations
Overcoming SoD Challenges
Siemens decided that automation was the only way to address SoD challenges
Approva identified 32,000 SoD violations
Approva's out-of-the-box rules enabled business users to analyze and remediate violations
By automating controls monitoring, Siemens was able to eliminate all SoD violations within 10 weeks!
Key Benefits of SoD & Preventive Controls
Significantly reduced audit preparation time
Eliminated 3,000 segregation of duties (SoD) violations in 4 months
Automation helped not just identify but also remediate user violations faster
Respond to auditors' requests faster than before (takes four days now versus two months earlier)
Moving Towards Corporate-Wide Controls Auditing
[Figure: Siemens Power Gen, Siemens AG, Siemens North America, Siemens Energy & Automation]
Siemens internal audit groups standardizing Approva rules for consistent audits
Siemens corporate information office has selected Approva as a global governance standard
Auditors can access most required controls information remotely
KPMG has also licensed Approva to conduct audits
"Last year only 2 auditors came to visit and the meetings lasted less than an hour!" Controller, Siemens PowerGen
Source: Siemens Study, ASUG/Sapphire, Atlanta, March 2007
Limited Brands
Monitoring Controls Across 20+ Applications
Limited Brands IT Environment
[Figure: applications across Brand1, Brand2, Brand3, Brand4 and Brand5]
Key Business Challenges
• Identify & remediate segregation of duties (SoD) violations across 26 apps.
• Identify Information Owners and hold them accountable for SoD violations.
• Meet aggressive (3 month) deadline for SOX 404 management’s assertion
• Transition applications to new SAP instance.
• Continue to manage components of legacy applications that remain in place.
• Create the capability to quickly add new applications as business needs change.
SOX Compliance & Sustainability
[Figure: legacy applications App #1 through App #17 feeding a SQL Database, Crystal Reports and Microsoft Excel]
Weekly reporting process:
Flat files mapped roles & users to a common format and stored them in a SQL database
Crystal Reports produced output to Excel
Weekly process required 2-3 hours
Manage false positives
LBI Conflict Matrix:
Defined high-level categories of financial functionality within LBI
Defined a matrix of conflicting duties for the high-level categories
Mapped legacy application functionality to LBI high-level categories
Data Flow Between Applications, SQL & Approva
[Figure: App #1 through App #15 feeding a SQL Database and a Unique User ID DB, connected to Approva through custom BEU adapters]
Integration With Project Insight
Implemented Approva rule set.
Integrated LBI legacy conflict matrix & Approva rule set.
Developed custom Approva BEU adapters for LBI legacy applications.
Developed custom SQL database to create a common ID for an individual's disparate IDs across applications.
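The two Limited Brands slides above describe one pipeline: role extracts from many applications are normalised to a common format, each person's disparate IDs are collapsed to a common ID, application functionality is mapped to high-level categories, and the conflict matrix is evaluated over those categories, with reviewed false positives managed separately. The following is an added example of that pipeline written for this page; it is not Approva's, Limited Brands' or Project Insight's code. All application names, user IDs, roles, categories and conflict pairs are constructed for the example.

```python
"""Segregation-of-duties check across applications with a common user ID.

Added example (not the vendor's or customer's code).  Inputs, all constructed:
  * ROLE_EXTRACTS    - flat-file extracts normalised to (app, app_user_id, role)
  * UNIQUE_USER_IDS  - the "Unique User ID DB": (app, app_user_id) -> person ID
  * ROLE_TO_CATEGORY - legacy functionality mapped to high-level categories
  * CONFLICT_MATRIX  - category pairs one person may not hold together
  * EXCEPTIONS       - reviewed false positives that should not re-alert
"""
from collections import defaultdict
from itertools import combinations

ROLE_EXTRACTS = [
    ("App #1", "jsmith", "AP_INVOICE_ENTRY"),
    ("App #2", "smithj", "AP_PAYMENT_RELEASE"),
    ("App #4", "jsmith", "REPORT_VIEW"),
    ("App #1", "adoe", "AP_INVOICE_ENTRY"),
    ("App #3", "adoe", "GL_POST"),
    ("App #3", "mlee", "VENDOR_MAINTAIN"),
    ("App #2", "lee_m", "AP_PAYMENT_RELEASE"),
    ("App #5", "tnguyen", "PAYROLL_RUN"),   # deliberately has no ID mapping
]

UNIQUE_USER_IDS = {
    ("App #1", "jsmith"): "P0001", ("App #2", "smithj"): "P0001",
    ("App #4", "jsmith"): "P0001", ("App #1", "adoe"): "P0002",
    ("App #3", "adoe"): "P0002", ("App #3", "mlee"): "P0003",
    ("App #2", "lee_m"): "P0003",
}

ROLE_TO_CATEGORY = {
    ("App #1", "AP_INVOICE_ENTRY"): "Create AP Invoice",
    ("App #2", "AP_PAYMENT_RELEASE"): "Release Payment",
    ("App #3", "GL_POST"): "Post GL Journal",
    ("App #3", "VENDOR_MAINTAIN"): "Maintain Vendor Master",
    ("App #4", "REPORT_VIEW"): "View Reports",
}

# Unordered pairs, so the matrix is symmetric by construction.
CONFLICT_MATRIX = {
    frozenset({"Create AP Invoice", "Release Payment"}),
    frozenset({"Maintain Vendor Master", "Release Payment"}),
    frozenset({"Create AP Invoice", "Post GL Journal"}),
}

# Person P0002's invoice/GL conflict was reviewed and accepted (mitigating control).
EXCEPTIONS = {("P0002", frozenset({"Create AP Invoice", "Post GL Journal"}))}


def unify_categories(extracts, id_map, role_map):
    """Return ({person_id: set(categories)}, [unmapped rows]).

    Rows whose ID or role has no mapping are reported, not dropped: a silent
    gap in either mapping hides exactly the cross-application conflicts
    this check exists to find.
    """
    per_person = defaultdict(set)
    unmapped = []
    for app, user, role in extracts:
        person = id_map.get((app, user))
        category = role_map.get((app, role))
        if person is None or category is None:
            unmapped.append((app, user, role))
            continue
        per_person[person].add(category)
    return dict(per_person), unmapped


def find_sod_violations(per_person, matrix, exceptions=frozenset()):
    """Return sorted (person, category_a, category_b) for every conflicting pair."""
    violations = []
    for person, categories in per_person.items():
        for a, b in combinations(sorted(categories), 2):
            pair = frozenset({a, b})
            if pair in matrix and (person, pair) not in exceptions:
                violations.append((person, a, b))
    return sorted(violations)


def run_check():
    """Whole pipeline on the constructed data: (violations, unmapped rows)."""
    per_person, unmapped = unify_categories(ROLE_EXTRACTS, UNIQUE_USER_IDS, ROLE_TO_CATEGORY)
    return find_sod_violations(per_person, CONFLICT_MATRIX, EXCEPTIONS), unmapped


if __name__ == "__main__":
    found, gaps = run_check()
    for v in found:
        print("VIOLATION", *v)
    for g in gaps:
        print("UNMAPPED ", *g)
```

Note that P0001 only violates the matrix because two different application IDs are joined through the common person ID; without that join each application looks clean on its own, which is why the slides treat the Unique User ID DB as part of the control rather than a convenience. The exception list is the place to record reviewed false positives so they stop re-alerting every week without being deleted from the matrix.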
Created Repeatable Process
Extended controls monitoring to include new SAP modules and non-SAP applications
[Figure: App #1 through App #18, the IBM Data Stage ETL Tool, a SQL Database, a Unique User ID DB, and BEU adapters connecting to Approva]
Honeywell
Going beyond SoD to General Computing Controls
Aero Security Challenges
Many Internal & External Challenges
Audit
Outsourcing
App Security
Physical Security
Customization
• Segregation of Duty (SOD)
• BASIS Monitoring
• Excessive Access
• Hand-off Integrity
• Partner security/nationality compliance
• Validation
• Backdoors
• Secure SDLC
• Third Party Integration
• DR/BCP
• Global DC Design
• Instance Integrity
• Customized roles and T-codes
Beyond SOX Compliance
Compliance with government laws, Honeywell policies and customer contractual requirements
ITAR
• Secure technical data from foreign nationals
• Control the shipment of licensable products
Business reqs
• Policies and procedures
• Internal controls
Sarbanes-Oxley
• Prevent or detect employees from perpetrating and concealing actions which could damage the firm's financial standing or reputation
Customer reqs
• US citizen
• Operational security requirements
• Need-To-Know
Classified data
• Not entered into SAP
General Computing Controls Monitoring
Monitor system settings and flags, log file settings, and other key elements to quickly identify high-risk IT settings
Enforce security & password policy: analyze system parameters (including those from SAP's RSPARAM report) to monitor critical security policies, such as password length and expiration
Monitor and report on changes to SAP clients, including transport landscapes, transport destinations and program change history. Managers can be alerted when transports occur outside of normal windows, or on one-off or repetitive role changes
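The slide above names two general computing controls that lend themselves to automated, exception-based checks: comparing system parameters against a password policy, and flagging transports that land outside the normal change window or that repeatedly change the same role. The block below is an added example written for this page, not Approva's or Honeywell's code. The parameter names login/min_password_lng, login/password_expiration_time and login/fails_to_user_lock are real SAP profile parameters; the listing format is a simplified name/value layout rather than the exact RSPARAM report, and all values, thresholds, transport IDs and timestamps are constructed.

```python
"""Two general-computing-controls checks for an SAP landscape.

Added example (not the vendor's or customer's code).
  1. Password-policy parameters versus a baseline.
  2. Transport imports versus an approved change window, plus repeated
     role changes, which the slide singles out as alert-worthy.
"""
from datetime import datetime, time

# Constructed name/value listing (simplified from an RSPARAM-style report).
PARAMETER_LISTING = """\
login/min_password_lng          6
login/password_expiration_time  0
login/fails_to_user_lock        5
rdisp/gui_auto_logout           3600
"""

# Constructed baseline: parameter -> (rule, threshold).
#   ">="      value must be at least threshold
#   "between" value must lie in the inclusive (low, high) range
PASSWORD_BASELINE = {
    "login/min_password_lng": (">=", 8),
    "login/password_expiration_time": ("between", (1, 90)),
    "login/fails_to_user_lock": ("between", (1, 5)),
}

# Constructed transport import log: (transport, target, import time, description).
TRANSPORT_LOG = [
    ("DEVK900101", "PRD/100", "2007-09-27 22:15", "Pricing condition fix"),
    ("DEVK900102", "PRD/100", "2007-09-28 11:40", "Role Z_AP_CLERK change"),
    ("DEVK900103", "PRD/100", "2007-09-29 23:05", "Role Z_AP_CLERK change"),
    ("DEVK900104", "PRD/100", "2007-09-30 01:10", "Role Z_AP_CLERK change"),
]

# Constructed nightly change window (same-day, so a plain time comparison works).
WINDOW_START, WINDOW_END = time(20, 0), time(23, 59)


def parse_parameters(text):
    """Parse 'name value' lines; numeric values become ints, others stay strings."""
    params = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        name, value = parts[0], parts[1]
        params[name] = int(value) if value.lstrip("-").isdigit() else value
    return params


def check_password_policy(params, baseline):
    """Return (parameter, problem, observed value) for every baseline miss.

    A parameter absent from the listing is itself a finding: the control
    cannot be shown to be in place if the evidence is missing.
    """
    findings = []
    for name, (rule, threshold) in baseline.items():
        if name not in params:
            findings.append((name, "missing", None))
            continue
        value = params[name]
        if rule == ">=" and not value >= threshold:
            findings.append((name, "below minimum", value))
        elif rule == "between":
            low, high = threshold
            if not low <= value <= high:
                findings.append((name, "outside range", value))
    return findings


def check_transports(log, window_start, window_end, repeat_threshold=2):
    """Flag imports outside the window and role changes repeated >= threshold times."""
    alerts = []
    role_change_counts = {}
    for transport, _target, stamp, description in log:
        imported_at = datetime.strptime(stamp, "%Y-%m-%d %H:%M").time()
        if not window_start <= imported_at <= window_end:
            alerts.append((transport, "outside change window", stamp))
        if description.lower().startswith("role "):
            role_change_counts[description] = role_change_counts.get(description, 0) + 1
    for description, count in role_change_counts.items():
        if count >= repeat_threshold:
            alerts.append((description, "repetitive role change", count))
    return alerts


if __name__ == "__main__":
    for finding in check_password_policy(parse_parameters(PARAMETER_LISTING), PASSWORD_BASELINE):
        print("PARAM  ", *finding)
    for alert in check_transports(TRANSPORT_LOG, WINDOW_START, WINDOW_END):
        print("TRANSPORT", *alert)
```

On the constructed data the password check flags a six-character minimum and a zero (never-expire) expiration while accepting the lock-out threshold, and the transport check raises two out-of-window imports plus one repetitive-role-change alert. Both checks return plain tuples so they can be run on a schedule and fed into whatever exception queue the monitoring team already uses.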
High-level violation trend
[Figure: ~3600 user violations as of 9/27, ~1106 user violations as of 10/03]
Success Story
“Under the Hood at Honeywell”
Business Finance Magazine, Oct 2007
"We've greatly reduced the amount of time we spend on manual work, reallocated our people to other activities, such as developing security around our new business intelligence modules," says Lish, who estimates that the new compliance monitoring processes and technology have helped his team boost its productivity by 20 percent.
Lish has also reduced his function's reliance on outside consultants now that his staffers spend less time on manual compliance monitoring and analysis. Through August, Lish had reduced his consultant spend by $200,000 compared to the same period in 2006.