Gaining Financial Integrity Through Improved Internal Controls
SAP Management of Internal Controls Tool
PwC and SAP Sarbanes-Oxley 404
Web Conference Series, March 2004
William R. Shipley, Partner, IT Advisory Services, PricewaterhouseCoopers LLP
Brian Parker, Senior Manager, IT Advisory Services, PricewaterhouseCoopers LLP
David Nelson, Product Management mySAP ERP Financials, SAP
Agenda – Management of Internal Controls (MIC)
SOA Sections 302 and 404
COSO Framework for the Evaluation of Internal Controls
Timeline for SOA MIC Project
Initial Documentation of Internal Controls
Assessment and Remediation of IC
Test and Remediation of IC
Sign-Off and Reporting
Questions and Additional Information
Sarbanes-Oxley Act
The Sarbanes-Oxley Act (SOA) was enacted by the US Congress on July 30, 2002 and applies to all companies registered with the Securities and Exchange Commission, i.e. companies whose securities are traded on a US stock market (e.g. NYSE, Nasdaq). SOA establishes heightened requirements in the areas of corporate governance, financial disclosure, and accountability for fraud. Specifically, it requires organizations to periodically evaluate and certify/report on the effectiveness of their internal control. Other countries are expected to determine the need for, and possibly establish, similar guidance or requirements (e.g. the German government issued a 10-Point Plan on corporate governance standards in February 2003).
The SEC defines Internal Control (applying a framework known as COSO) as a process that is carried out by an entity’s board of directors, management and other personnel, and designed to provide reasonable assurance regarding the achievement of control objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
Sarbanes-Oxley Act – Software relevant Sections
Section   Requirement
301       The audit committee shall establish procedures for the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters
302       Management responsibility for effective disclosure controls and procedures over financial reporting, operations and compliance
          Disclosure of significant deficiencies in internal control to audit committee and external auditors
          Certification of contents of SEC reports by CEO and CFO
401       Include in financial reports all material correcting adjustments that have been identified by the external auditors
          Provide investors with a clear understanding of the company’s off-balance sheet arrangements and their material effects
404       Annual report should include a report by management on the effectiveness of internal control over financial reporting
          Documentation of control design and effectiveness testing
          Disclosure of any material weaknesses
          Attestation by external auditors
          Note: Further periodic disclosure requirements are covered under Section 302
409       Rapid and current information on material changes in the financial condition or operations, including trend and qualitative information for protection of investors and in the public interest
Section 302 – Requirements
Certification of Disclosure in Companies’ Quarterly and Annual Reports
• Management responsibility for effective disclosure controls and procedures over financial reporting, operations and compliance
• Disclosure of significant deficiencies in internal control to audit committee and external auditors
• Certification of contents of SEC reports* by CEO and CFO
(*) filed annually and/or quarterly, depending on size and location of company

Activity
• Identify scope of the company’s disclosure controls and procedures
• Document business processes and process controls over all major activities within an entity (beyond solely processes impacting financial reporting)
• Assess internal control effectiveness
• Identify and track resulting issues and remediation plans
• Cascade the accountability for control evaluation and roll up the results (e.g. resulting in a dashboard confirming ability to sign certification)
Section 404 – Requirements
Management Report on Internal Control Over Financial Reporting
• Annual report should include a report by management on the effectiveness of internal control over financial reporting
• Documentation of control design and effectiveness testing
• Disclosure of any material weaknesses
• Attestation by external auditors
Note: Further periodic requirements are covered under Section 302

Activity
• Identify areas of scope relevant for evaluating the effectiveness of internal control over financial reporting
• Document the design of significant controls
• Perform evaluation of control design and effectiveness
• Identify resulting control issues and monitor remediation
• Document changes in processes and controls; surface any associated issues
• Prepare internal control report
• Attestation by external auditors
COSO Framework for the Evaluation of Internal Controls
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
COSO was formed in 1985 as a private-sector initiative; its Internal Control – Integrated Framework was published in 1992.
The SEC refers to the COSO framework for the definition of internal controls.
COSO is not a must-have in terms of SOA or for the SEC; it is an example of an appropriate framework.
COSO goes beyond the “activity-based” definition of internal controls used by the SEC by introducing five COSO components:
Monitoring
Information & Communication (of policies and rules)
Control Activities
Risk Assessment
Control Environment
COSO and SOA
(Figure: the COSO cube. Front face: the five COSO components, Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring. Top face: the categories of control objectives, Financial Reporting, Compliance & Regulatory, Operations. Side face: the entity structure, Business Unit 1 and Business Unit 2, each with Process 1 and Process 2. Legend: Internal Accounting Controls; Internal control over financial reporting (Section 404); Disclosure Controls & Procedures (Section 302); Other aspects of compliance and operations pertaining to DC&P.)
• COSO: Leading Framework for SOA Compliance on Internal Control
• The SEC states: “The COSO Framework satisfies our criteria and may be used as an evaluation framework for purposes of management’s annual internal control evaluation and disclosure requirements.”
• Furthermore, the Institute of Internal Auditors Research Foundation indicates that 63% of publicly held companies use the COSO framework of internal control (February 2003)
COSO – Categories of Control Objectives

Category of Control Objective   Control Objectives                                     SOA Section 302 Relevance   SOA Section 404 Relevance
Operational                     Effectiveness, Efficiency                              Yes                         Marginal
Financial                       Completeness, Accuracy, Validity, Restricted Access    Yes                         Yes
Compliance & Regulatory         Tax, Environmental, Health, Safety                     Yes                         Marginal
MIC Solution Detail
(Block diagram of the MIC solution; the phases below run left to right on the slide.)

Scoping & Project Set-up
• Identification of Org. Units and Processes in scope
• Org. Unit Hierarchy
• Central Process Catalog
• Central Catalog of Control Objectives and Risks
• Assignment of Processes to FS Accounts
• Assignment of Processes to BUs

Documentation of Internal Controls
• Controls
• Management Controls

Assessment and Remediation
• Control Design Assessment
• Control Efficiency Assessment
• Process Design Assessment
• Management Controls Assessment
• Identification of Issues
• Validation of Assessments
• Remediation of Issues
• Progress Tracking and Analysis

Testing & Remediation
• Documentation of Testing Results
• Identification of Issues
• Remediation of Issues
• Progress Tracking and Analysis

Reporting & Sign-off
• Analysis Overviews with Drill-down Functionality
• Management Reports
• Workflow-triggered Sign-off supporting 404 Reporting / 302 Certification

Platform: Basis 6.20 / SAP WebAS
SOA Section 404 Timeline – Addressing Requirements in Year 1
(Timeline figure. Legend: management activities and external auditor activities. Milestones on the time axis: Financial Year-End Close, 404 Report Filing Deadline, Auditor attests to 404 Report.)

Management activities by phase:
I. Project Set-Up and Scoping
• Definition of project structure
• Define management requirements
• Scoping
II. Documentation of Internal Control
• Description of processes, control objectives, risks, controls
• Identify Mgmt. controls
III. Mgmt. Assessment and Remediation of Internal Control Design & Efficiency
• Assessment of control design and efficiency at control level
• Assessment of control design and efficiency within the process
• Control design & efficiency remediation
• Process design & efficiency remediation
IV. Testing & Remediation of Internal Control Effectiveness
• Management testing of control effectiveness
• Control effectiveness remediation
V. Sign-Off & Reporting
• Org. Unit review and sign-off
• Roll-up for sign-off
• Prepare 404 Report (after Financial Year-End Close, before the 404 Report Filing Deadline)

External auditor activities (in parallel, in the order shown):
• External auditors guidance
• External auditors perform process walkthroughs
• External auditors review of remediation plans
• External auditors testing of internal control and review of 404 Report
• Auditor attests to 404 Report
SOA Section 404 Timeline – Addressing Requirements in Year n
(Timeline figure. Legend: management activities and external auditor activities. Milestones on the time axis: Financial Year-End Close, 404 Report Filing Deadline, Auditor attests to 404 Report.)

Management activities by phase:
I. Open Year n
• Review/revise project structure, as needed
• Review/revise scoping, as needed
• Review/revise description of processes, control objectives, risks and controls
• Review/revise Mgmt. controls
II. Quarterly Control Assessment Review (Year n – Q1, Q2, Q3)
• Q1 Evaluation of Change in IC: ongoing monitoring for change and process/control issues; update documentation; report to Management
• Review/revise assessment of control design and efficiency at control level
• Review/revise assessment of control design and efficiency within the process
• Process Review & Sign-Off
• Roll-Up for Sign-Off
• Freeze data from Year n Q1 and set up new version for next Quarter
• Q2, Q3, Q4 Evaluation of Change in IC: repeat steps for Q2, Q3, Q4
III. Testing & Remediation of Internal Control Effectiveness
• Management testing of control effectiveness
• Control effectiveness remediation
IV. Sign-Off & Reporting
• Org. Unit review and sign-off
• Roll-up for sign-off
• Prepare 404 Report (after Financial Year-End Close, before the 404 Report Filing Deadline)

External auditor activities (in parallel, in the order shown):
• External auditors perform process walkthroughs
• External auditors testing of internal control and review of 404 Report
• Auditor attests to 404 Report
Organizational Units
Org. Unit hierarchies can be built with any number of levels; there is no restriction on depth.
The Org. Unit hierarchy can be created automatically from
• the HR organizational structure (HR ORG)
• BW hierarchies (SEM-BCS, FI, EC-PCA, ...)

Organizational Hierarchy (example shown in the screenshot):
Corporate
  Legal Entity LE1
    Business Unit BU1
    Business Unit BU2
    ...
  Legal Entity LE2
  Shared Services
    IT
    HR
Screenshots are included for illustrative purposes only. Screen design, navigation, and functionality are subject to change.
Central Process Catalog (BU-independent Process Hierarchy)
Corporate and Business Units define one central catalog of processes, without process steps.
Only those processes are included that have a material impact on financial reporting (Section 404) or disclosure controls and procedures (Section 302).

Process Hierarchy (example shown in the screenshot of the Central Process Catalog):
Examples of process groups: R & D, Marketing, Procurement, Production, Sales & Distribution, Finance, Human Resources, IT, Legal & Regulatory
Examples of processes within a group:
• Procurement: Supplier selection; Bid and contract Mgmt.
• Finance: Financial Accounting; Financial Reporting; A/R ...
• Sales & Distribution > Sales: Process P1: Order Processing ...
Impact of Processes on Financial Accounts
(Figure: the process hierarchy on the left, Sales & Distribution > Sales > Process P1: Order Processing ..., Process P2: ..., is linked to financial statement accounts on the right: Balance Sheet with Assets (e.g. Accounts Receivable, Inventory) and Liabilities, Profit / Loss Statement (e.g. Revenue), Cash Flow Statement.)
Processes can impact one or several FS accounts.
Processes in the central catalog of processes are linked to the relevant financial statement accounts or account groups (intervals).
Process & Control Documentation – Linking Processes to FS Accounts (screenshot)
Control Objectives and Risks
Control Objectives and Risks are defined in a central catalog by Corporate and BUs.
(Figure: Processes > R & D; Sales & Distribution > Sales > Process P1: Order Processing > Control Objective CO1 > Risk R1, Risk R2)
Control Objective: A Control Objective is a statement that captures the purpose of controls within the process. Several control objectives are likely to be defined for each process. Following the COSO framework, control objectives may be categorized as Financial, Operational or Compliance related.
Risk: A risk is a potential event that adversely impacts the desired outcome of control objectives.
Control Objectives and Risks are used for a BU-specific Risk Assessment and Control Evaluation.
• Corporate wide: P-CO-R (Process – Control Objective – Risk)
• BU-specific: P-CO-R-C (Process – Control Objective – Risk – Control)

Central Process Catalog: P-CO-R (screenshot)

Process   Control Objective                                                    Control Objective Category   Risk
Sales     Sales Orders are properly authorized                                 Financial Reporting          Accepting orders from unauthorized or insolvent customers
                                                                                                            Commitment to unauthorized prices or terms
Sales     Customers receive quality service throughout the ordering process    Operations                   Customer finds process difficult to understand
                                                                                                            Employees lack the necessary customer service skills
...       ...                                                                  ...                          ...
Process assignment to Business Units
BUs choose from the central process catalog those processes that are applicable and in scope for their BU.
(Figure: Corporate > Legal Entity LE1 > Business Unit BU1 > Sales & Distribution > Sales > Process P1: Order Processing; Procurement; ...)
By assigning a process to a BU, the related process groups are inherited automatically from the central process catalog.
Processes are assigned to Org. Units from the central process catalog; a pop-up with the central process catalog is used for process selection (screenshot).
Control Design Assessment – Workflow
1) Personalized, User-specific Start Page with a ToDo List
Perform Assessment of Control Design
Control Design Assessment – Workflow
2) Detail Screen, where the assessment is to be performed
MIC Role Concept
SAP delivers a catalog of available tasks that can be performed in the MIC Application, e.g.:
...
31 Assess control design
32 Validate design issue
33 View control design assessment
...
SAP provides ready-to-use roles, e.g. CFO Assistant, BU Manager, Process Group Owner, ...
Example of the assigned tasks shown for one role:
• View org. structure
• Assign process group owners
• Assess management controls
• View operational & management reports
The Power User may define additional roles and edit/delete existing ones.

Role Concept: Assigning Names to Roles
The business user of BU1 enters the names for each role in his area of responsibility.
(Screenshot: Assignment of Roles at the Org. Unit Level. Entity PG Procurement, role PG Owner: John Smith; entity PG Sales & Distr., role PG Owner: Joe Black; within Corporate > Legal Entity LE1 > Business Unit BU1 > Sales & Distribution > Sales > Process P1; Procurement; ...)
The Power User creates User-IDs.
Benefits:
1) Central maintenance of roles, their tasks and authorizations
2) Assignment of persons to roles can be set up and modified by business users at all levels, following a cascading delegation principle
3) The roles / task concept automatically generates the appropriate workflow tasks
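The role / task concept above, as an added example (not SAP MIC code): a central task catalog and role definitions maintained by the power user, per-org-unit assignment of names to roles by business users, and the per-person workflow to-do list generated from those assignments. Task IDs 31 to 33 are the ones the slide lists; the role names other than PG Owner, the split of tasks between roles, the people, org units and controls are constructed for the example. The last function is a check this example adds and the slides do not specify: it reports where one person would both assess a control design and validate its design issues for the same process group.

```python
"""Added example, not SAP MIC code: role / task catalog, cascading name
assignment and to-do generation. Task IDs 31-33 are from the slide; roles
other than PG Owner, people, org units and controls are constructed."""
from collections import defaultdict

# Task catalog delivered centrally (only the three IDs visible on the slide).
TASKS = {
    31: "Assess control design",
    32: "Validate design issue",
    33: "View control design assessment",
}

# Roles -> task IDs, maintained centrally by the power user.
# Assumption of this example: assessing (31) and validating (32) sit in
# different roles; the slide lists them as separate tasks but prescribes no split.
ROLES = {
    "PG Owner": {31, 33},
    "PG Validator": {32, 33},
}

# Org units -> process groups -> controls documented under them (constructed).
ORG = {
    "BU1": {
        "PG Sales & Distr.": ["C1 Order release authorization", "C2 Price list approval"],
        "PG Procurement": ["C3 Supplier approval"],
    },
    "BU2": {"PG Sales & Distr.": ["C4 Order release authorization"]},
}


def assign(assignments, org_unit, process_group, role, person):
    """A business user names a person for a role at one org unit / process group.
    Roles and their tasks stay central: an unknown role or a process group that
    is not assigned to the org unit is rejected instead of being created."""
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}: roles are maintained by the power user")
    if process_group not in ORG.get(org_unit, {}):
        raise ValueError(f"{process_group!r} is not assigned to {org_unit!r}")
    assignments[(org_unit, process_group, role)] = person


def todo_list(assignments):
    """Derive each person's workflow to-do list from their role assignments:
    one item per (control, task) that a held role grants."""
    todo = defaultdict(list)
    for (org_unit, process_group, role), person in sorted(assignments.items()):
        for control in ORG[org_unit][process_group]:
            for task_id in sorted(ROLES[role]):
                todo[person].append((org_unit, process_group, control, task_id, TASKS[task_id]))
    return dict(todo)


def self_validation(assignments):
    """Check added by this example: (org unit, process group, person) triples
    where one person holds both the assessing task 31 and the validating task 32."""
    held = defaultdict(set)
    for (org_unit, process_group, role), person in assignments.items():
        held[(org_unit, process_group, person)] |= ROLES[role]
    return sorted(key for key, tasks in held.items() if {31, 32} <= tasks)


if __name__ == "__main__":
    a = {}
    assign(a, "BU1", "PG Sales & Distr.", "PG Owner", "Joe Black")
    assign(a, "BU1", "PG Procurement", "PG Owner", "John Smith")
    assign(a, "BU1", "PG Sales & Distr.", "PG Validator", "John Smith")
    for person, items in todo_list(a).items():
        print(person)
        for item in items:
            print("  ", item)
    print("assess/validate overlap:", self_validation(a))
```

Business users only ever call assign(); the ROLES and TASKS tables are the power user's, which is what keeps the task-to-role mapping central while the person-to-role mapping cascades down the org units.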
Analysis Trees and Reports – PG-P-PS for Testing
Sign-Off by Org Unit
The sign-off indicates that all information contained in the tool (e.g. processes and controls identified, control ratings, etc.) is adequate and up to date.
Issues and remediation plans may still be open at the stage of sign-off. Sign-offs with outstanding red ratings require comments and may prevent the CEO and CFO from submitting a clean 302 Certification / 404 Report; they would need to disclose those outstanding points to the SEC / the public.
Reporting: Process Group – Process – Process Step View
• What ratings exist for certain controls?
• Are controls in the right place (missing / redundant) within the process?
• Are there issues associated with these controls / processes / process groups?
• Who is responsible for a given control / processes / process groups?
Reporting: Process – Control Objective – Risk – Control View
• Which control objectives and risks are not addressed?
• What is the state of internal controls addressing individual risks within a given process?
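The sign-off rule and the two reporting views above (which risks no control addresses, and the state of controls per risk), as an added example that is not SAP MIC code: the P-CO-R central catalog and the BU-specific P-CO-R-C links from the documentation slides, a worst-rating roll-up over the org unit hierarchy, and the sign-off gate. The Sales process, control objectives and risks are taken from the catalog slide; the org units, controls, ratings and comments are constructed. One assumption is the example's own: a risk with no control counts as red in the roll-up, which the slides do not state.

```python
"""Added example, not SAP MIC code: P-CO-R / P-CO-R-C model, coverage report,
rating roll-up over the org hierarchy, and sign-off gating. Sales process,
objectives and risks are from the slide; everything else is constructed."""

RANK = {"green": 0, "yellow": 1, "red": 2}

# Org unit hierarchy: parent -> children (leaf units are business units).
ORG = {"Corporate": ["LE1"], "LE1": ["BU1", "BU2"], "BU1": [], "BU2": []}

P1 = "P1 Order Processing"
R1 = "R1 Accepting orders from unauthorized or insolvent customers"
R2 = "R2 Commitment to unauthorized prices or terms"
R3 = "R3 Customer finds process difficult to understand"
R4 = "R4 Employees lack the necessary customer service skills"

# Central catalog P-CO-R: process -> control objective -> risks.
CATALOG = {
    P1: {
        "CO1 Sales orders are properly authorized": [R1, R2],
        "CO2 Customers receive quality service throughout the ordering process": [R3, R4],
    },
}

# Processes each BU selected from the central catalog.
ASSIGNED = {"BU1": [P1], "BU2": [P1]}

# BU-specific P-CO-R-C: (bu, process, risk) -> [(control, rating, comment)]. Constructed.
CONTROLS = {
    ("BU1", P1, R1): [("C1 Credit check before order release", "green", "")],
    ("BU1", P1, R2): [("C2 Price list enforced in order entry", "red", "")],
    ("BU1", P1, R3): [("C3 Order confirmation sent to customer", "green", "")],
    ("BU2", P1, R1): [("C4 Customer master approval", "yellow", "")],
    ("BU2", P1, R2): [("C5 Four-eyes check on non-standard terms", "green", "")],
    ("BU2", P1, R3): [("C6 Order confirmation sent to customer", "green", "")],
    ("BU2", P1, R4): [("C7 Annual customer service training", "green", "")],
}


def unaddressed_risks(bu, controls=CONTROLS):
    """P-CO-R-C reporting view: (process, objective, risk) triples in the BU's
    assigned processes that no control addresses."""
    return [
        (process, objective, risk)
        for process in ASSIGNED[bu]
        for objective, risks in CATALOG[process].items()
        for risk in risks
        if not controls.get((bu, process, risk))
    ]


def worst(ratings):
    """Worst rating in a list; an empty list rates green."""
    return max(ratings, key=RANK.__getitem__, default="green")


def bu_rating(bu, controls=CONTROLS):
    """Worst rating among the BU's controls. Assumption: an unaddressed risk counts as red."""
    ratings = [
        rating
        for (unit, _, _), ctrls in controls.items() if unit == bu
        for _, rating, _ in ctrls
    ]
    if unaddressed_risks(bu, controls):
        ratings.append("red")
    return worst(ratings)


def rollup(unit, controls=CONTROLS):
    """Roll ratings up the org hierarchy: a unit is rated as its worst child."""
    children = ORG[unit]
    if not children:
        return bu_rating(unit, controls)
    return worst([rollup(child, controls) for child in children])


def sign_off(bu, controls=CONTROLS):
    """Sign-off rule from the slide: a red rating may stay open only with a comment,
    and every open red point is carried up for the 302 Certification / 404 Report."""
    blocking, outstanding = [], []
    for (unit, process, risk), ctrls in sorted(controls.items()):
        if unit != bu:
            continue
        for name, rating, comment in ctrls:
            if rating == "red":
                outstanding.append(name)
                if not comment.strip():
                    blocking.append(f"{name}: red rating without comment")
    return {"allowed": not blocking, "blocking": blocking, "outstanding_red": outstanding}


if __name__ == "__main__":
    for bu in ASSIGNED:
        print(bu, bu_rating(bu), unaddressed_risks(bu), sign_off(bu))
    print("Corporate roll-up:", rollup("Corporate"))
```

Note that a comment lets the sign-off proceed but does not change the rating: the red point still rolls up to Corporate and still appears in outstanding_red, which is the list the CEO and CFO would have to disclose.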
Q & A
Questions?
Instructor Contact and Additional Information
SAP Solution Management: David Nelson – [email protected]; Anderson – [email protected]
PwC: William Shipley – [email protected]; Brian Parker – [email protected]
Copyright 2002 SAP AG. All rights reserved