
© 2007 Approva Corporation. All rights reserved.

Continuous Monitoring & Audit

Taj Chadha

Senior Director, Integration Solutions Practice

Agenda

Introduction

Business Controls Challenge

Controls Solution

Real World Examples

Q & A

About Approva

Approva provides continuous monitoring and audit

software that enables finance, business, IT and audit

to automate and strengthen business controls.

On-Demand Testing

Closed-Loop Remediation

Preventive Controls

Continuous, Exception-Based Monitoring

Selected Approva Customers

Manufacturing, Transportation & Public Sector

Technology, Telecom & Media

Consumer Products & Retail

Pharmaceutical & Biotech

Energy & Chemicals

The Business Controls Challenge

Approva’s Controls Monitoring & Audit Solution

The Siemens Experience

Moving from Manual to Automated Controls Monitoring

User Access Challenges

Identify and resolve segregation of duties (SoD) violations across all 3 SAP instances

Empower business users to identify role violations and take corrective action

Implement a compliant provisioning process to prevent new SoD violations

Standardize the design and testing of business controls across all 18 subsidiaries

Siemens PG’s CFO gave a 12-month deadline to identify & remediate all SoD violations

Overcoming SoD Challenges

Siemens decided that automation was the only way to address SoD challenges

Approva identified 32,000 SoD violations

Approva’s out-of-the-box rules enabled business users to analyze and remediate violations

By automating controls monitoring Siemens was able to eliminate all SoD violations within 10 weeks!

Key Benefits of SoD & Preventive Controls

Significantly reduced audit preparation time

Eliminated 3,000 segregation of duties (SoD) violations in 4 months

Automation helped not just identify but also remediate user violations faster

Respond to auditors’ requests faster than before (takes four days now versus two months earlier)

Siemens Energy & Automation

Moving Towards Corporate-Wide Controls Auditing

Diagram labels: Siemens Power Gen, Siemens AG, Siemens North America

Siemens internal audit groups standardizing Approva rules for consistent audits

Siemens corporate information office has selected Approva as a global governance standard

Auditors can access most required controls information remotely

KPMG has also licensed Approva to conduct audits

“Last year only 2 auditors came to visit and the meetings lasted less than an hour!” Controller, Siemens PowerGen

Source: Siemens Study, ASUG/Sapphire, Atlanta, March 2007

Limited Brands

Monitoring Controls Across 20+ Applications

Limited Brands IT Environment

Applications (diagram labels): Brand1, Brand2, Brand3, Brand4, Brand5

Key Business Challenges

• Identify & remediate segregation of duties (SoD) violations across 26 apps.

• Identify Information Owners and hold them accountable for SoD violations.

• Meet aggressive (3 month) deadline for SOX 404 management’s assertion.

• Transition applications to new SAP instance.

• Continue to manage components of legacy applications that remain in place.

• Create the capability to quickly add new applications as business needs change.

SOX Compliance & Sustainability

Diagram labels: App #1 through App #17, SQL Database, Crystal Reports, Microsoft Excel

Flat files mapped roles & users to a common format and were stored in a SQL database

Crystal Reports produced output to Excel

Weekly process required 2-3 hours

Manage false positives

LBI Conflict Matrix

Defined high-level categories of financial functionality within LBI

Defined matrix of conflicting duties for high-level categories

Mapped legacy application functionality to LBI high-level categories

Data Flow Between Applications, SQL & Approva

Diagram labels: App #1 through App #15, SQL Database, Unique User ID DB, CBEU Adapters

Integration With Project Insight

Implemented Approva rule set.

Integrated LBI legacy conflict matrix & Approva rule set.

Developed custom Approva BEU adapters for LBI legacy applications.

Developed custom SQL database to create a common ID for an individual’s disparate IDs across applications.
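The conflict-matrix approach from the SOX Compliance & Sustainability slide and the common-ID database described here fit together into one detection pipeline. The following is an added example, not Approva's product code or Limited Brands' own SQL, showing that pipeline end to end: per-application role extracts are normalised to a common format, each application's roles are mapped to high-level financial categories, a conflict matrix lists category pairs one person must not hold, and app-specific user IDs are collapsed to a single person before checking. Every application, role, category and ID below is constructed sample data; the second person's violation is only visible once the two IDs are recognised as the same individual.

```python
"""Added example: cross-application segregation-of-duties (SoD) check built from
a conflict matrix plus a unique-user-ID mapping. All data is constructed."""

from collections import defaultdict
from itertools import combinations

# Constructed "Unique User ID DB": (application, app_user_id) -> common person ID.
UNIQUE_USER_ID = {
    ("payroll", "jsmith"): "P001",
    ("ap_legacy", "smithj"): "P001",
    ("sap", "SMITHJ"): "P001",
    ("ap_legacy", "mlee"): "P002",
    ("sap", "LEEM"): "P002",
}

# Constructed mapping of each application's roles to high-level categories.
ROLE_CATEGORY = {
    ("payroll", "PAY_ADMIN"): "MAINTAIN_EMPLOYEE_MASTER",
    ("ap_legacy", "VENDOR_MAINT"): "MAINTAIN_VENDOR_MASTER",
    ("ap_legacy", "INVOICE_ENTRY"): "ENTER_AP_INVOICE",
    ("sap", "Z_PAYMENT_RUN"): "RELEASE_PAYMENT",
    ("sap", "Z_DISPLAY_ONLY"): "DISPLAY",
}

# Constructed conflict matrix: unordered pairs of categories one person must not hold.
CONFLICT_MATRIX = {
    frozenset({"MAINTAIN_VENDOR_MASTER", "ENTER_AP_INVOICE"}),
    frozenset({"MAINTAIN_VENDOR_MASTER", "RELEASE_PAYMENT"}),
    frozenset({"ENTER_AP_INVOICE", "RELEASE_PAYMENT"}),
}

# Constructed flat-file extracts already in the common format: app|user|role
EXTRACTS = """\
payroll|jsmith|PAY_ADMIN
ap_legacy|smithj|VENDOR_MAINT
ap_legacy|smithj|INVOICE_ENTRY
sap|SMITHJ|Z_DISPLAY_ONLY
ap_legacy|mlee|INVOICE_ENTRY
sap|LEEM|Z_PAYMENT_RUN
sap|ORPHAN|Z_PAYMENT_RUN
"""


def parse_extracts(text):
    """Turn the flat-file text into (app, app_user_id, role) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        app, user, role = line.split("|")
        rows.append((app, user, role))
    return rows


def categories_per_person(rows):
    """Collapse app-specific IDs to one person and collect the categories each holds.

    Returns (categories_by_person, unmapped). Assignments whose user has no common
    ID or whose role has no category land in `unmapped` so they get reviewed rather
    than silently dropped (the "manage false positives" step works the same list)."""
    cats = defaultdict(dict)  # person -> {category: [(app, role), ...]}
    unmapped = []
    for app, user, role in rows:
        person = UNIQUE_USER_ID.get((app, user))
        category = ROLE_CATEGORY.get((app, role))
        if person is None or category is None:
            unmapped.append((app, user, role))
            continue
        cats[person].setdefault(category, []).append((app, role))
    return cats, unmapped


def find_sod_violations(rows):
    """Return sorted (person, category_a, category_b) for every conflicting pair held."""
    cats, _ = categories_per_person(rows)
    violations = []
    for person, held in cats.items():
        for a, b in combinations(sorted(held), 2):
            if frozenset({a, b}) in CONFLICT_MATRIX:
                violations.append((person, a, b))
    return sorted(violations)


if __name__ == "__main__":
    rows = parse_extracts(EXTRACTS)
    for violation in find_sod_violations(rows):
        print("SoD violation:", violation)
    _, unmapped = categories_per_person(rows)
    for item in unmapped:
        print("needs review (no common ID or category):", item)
```

The matrix is stored as unordered pairs so the check is symmetric, and the per-person dictionary keeps the contributing (app, role) assignments so a reviewer can see which roles across which applications produced the conflict.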

Created Repeatable Process

Extended controls monitoring to include new SAP modules and non-SAP applications

Diagram labels: App #1 through App #18, IBM Data Stage ETL Tool, SQL Database, Unique User ID DB, CBEU Adapters, BEU Adapters

Honeywell

Going beyond SoD to General Computing Controls

Aero Security Challenges

Many Internal & External Challenges

Audit
• Segregation of Duty (SOD)
• BASIS Monitoring
• Excessive Access

Outsourcing
• Hand-off Integrity
• Partner security/nationality compliance
• Validation

App Security
• Backdoors
• Secure SDLC
• Third Party Integration

Physical Security
• DR/BCP
• Global DC Design

Customization
• Instance Integrity
• Customized roles and T-codes

Beyond SOX Compliance

Compliance with government laws, Honeywell policies and customer contractual requirements

ITAR
• Secure technical data from foreign nationals
• Control the shipment of licensable products

Business reqs
• Policies and procedures
• Internal controls

Sarbanes-Oxley
• Prevent or detect employees from perpetrating and concealing actions which could damage the firm’s financial standing or reputation

Customer reqs
• US citizen
• Operational security requirements
• Need-To-Know

Classified data
• Not entered into SAP

General Computing Controls Monitoring

Monitor system settings and flags, log file settings, and other key elements to quickly identify high-risk IT settings

Enforce security & password policy: analyze system parameters (including those from SAP’s RSPARAM report) to monitor critical security policies, such as password length and expiration

Monitor and report on changes to SAP clients, including transport landscapes, transport destinations and program change history. Managers can be alerted when transports occur outside of normal windows, such as one-off or repetitive role changes
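The two controls above, parameter policy checking and transport-window monitoring, are small enough to show in working code. The following is an added example written for this page, not Approva's monitoring logic: it parses a constructed table in the shape of an RSPARAM listing (parameter name, user-defined value, system default, tab-separated), compares security-relevant parameters against a policy, and flags transports imported outside an approved nightly window. The parameter names are real SAP profile parameters; the values, thresholds, window and transport records are all constructed, and the tab-separated layout is an assumption made to keep the parser short.

```python
"""Added example: general computing controls checks over constructed SAP data."""

from datetime import datetime, time

# Constructed sample in the spirit of RSPARAM output: name, user value, default.
# An empty user value means the system default is in effect.
RSPARAM_SAMPLE = """\
login/min_password_lng\t6\t6
login/password_expiration_time\t0\t0
login/fails_to_user_lock\t5\t5
login/fails_to_session_end\t3\t3
rdisp/gui_auto_logout\t\t0
"""

# Constructed policy: ("min", n) means value >= n; ("range", (lo, hi)) means
# lo <= value <= hi. A 0 expiry disables password ageing, so 0 is non-compliant.
POLICY = {
    "login/min_password_lng": ("min", 8),
    "login/password_expiration_time": ("range", (1, 90)),
    "login/fails_to_user_lock": ("range", (1, 5)),
    "rdisp/gui_auto_logout": ("range", (1, 1800)),
}

# Constructed transport history: (transport id, target, import timestamp).
TRANSPORT_LOG = [
    ("DEVK900123", "PRD/100", "2007-09-28T22:15:00"),
    ("DEVK900124", "PRD/100", "2007-09-29T10:40:00"),
    ("DEVK900125", "PRD/100", "2007-10-02T23:05:00"),
]

# Constructed approved nightly change window.
WINDOW_START, WINDOW_END = time(21, 0), time(23, 59)


def parse_rsparam(text):
    """Return {parameter: effective value}: the user value when set, else the default."""
    params = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, user_value, default_value = line.split("\t")
        params[name] = user_value if user_value != "" else default_value
    return params


def check_parameters(params, policy):
    """Return sorted (parameter, effective value, reason) findings against the policy.

    Parameters the report does not list are reported too: a missing control is a
    finding, not a pass."""
    findings = []
    for name, (kind, threshold) in policy.items():
        if name not in params:
            findings.append((name, None, "parameter not reported"))
            continue
        try:
            value = int(params[name])
        except ValueError:
            findings.append((name, params[name], "non-numeric value"))
            continue
        if kind == "min" and value < threshold:
            findings.append((name, value, f"below minimum {threshold}"))
        elif kind == "range":
            lo, hi = threshold
            if not lo <= value <= hi:
                findings.append((name, value, f"outside [{lo}, {hi}]"))
    return sorted(findings, key=lambda f: f[0])


def transports_outside_window(log, start=WINDOW_START, end=WINDOW_END):
    """Return transport ids whose import time falls outside the approved window."""
    flagged = []
    for transport_id, _target, timestamp in log:
        imported_at = datetime.fromisoformat(timestamp).time()
        if not start <= imported_at <= end:
            flagged.append(transport_id)
    return flagged


if __name__ == "__main__":
    for finding in check_parameters(parse_rsparam(RSPARAM_SAMPLE), POLICY):
        print("parameter finding:", finding)
    for transport_id in transports_outside_window(TRANSPORT_LOG):
        print("transport outside window:", transport_id)
```

Reading the effective value (user value, falling back to the default) matters: `rdisp/gui_auto_logout` has no user value in the sample, and checking only the user column would miss that the default of 0 leaves sessions open indefinitely.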

High-level violation trend

~3600 user violations as of 9/27

~1106 user violations as of 10/03

Success Story

“Under the Hood at Honeywell”

Business Finance Magazine, Oct 2007

“We've greatly reduced the amount of time we spend on manual work, reallocated our people to other activities, such as developing security around our new business intelligence modules," says Lish, who estimates that the new compliance monitoring processes and technology have helped his team boost its productivity by 20 percent.

Lish has also reduced his function's reliance on outside consultants now that his staffers spend less time on manual compliance monitoring and analysis. Through August, Lish had reduced his consultant spend by $200,000 compared to the same period in 2006.”

