Automation The Key To Success Ppt V5 (4)


This is a webinar presentation I recently did for SAPInsider. If you have any questions or would like to discuss further, just contact me using LinkedIn.


  1. Automating SOX Compliance: Bringing Efficiencies & Effectiveness to Annual Compliance
     Sandra C. Keaveny
     Principal, DFSG Corporation
  2. Agenda
     History of Compliance
     Case Study
     Challenges
     Opportunities
     Solution
     Benefits
     Next Steps
     Questions
     Conclusion
  3. Living in a Controlled Environment – Challenges and Costs
     The Sarbanes-Oxley Act of 2002, commonly called Sarbanes-Oxley or SOX, is a United States federal law enacted on July 30, 2002, as a reaction to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom.
     The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting (ICFR).
     This is the most costly aspect of the legislation for companies to implement, as documenting and testing important financial manual and automated controls requires enormous effort.[25]
     The FEI 2007 study indicated that, for 168 companies with average revenues of $4.7 billion, the average compliance costs were $1.7 million (0.036% of revenue).[10]
     The 2006 study indicated that, for 200 companies with average revenues of $6.8 billion, the average compliance costs were $2.9 million (0.043% of revenue), down 23% from 2005.
  4. Living in a Controlled Environment – Challenges and Costs
     SOX 404 compliance costs represent a tax on inefficiency, encouraging companies to centralize and automate their financial reporting systems.
     Costs for decentralized companies (i.e., those with multiple segments or divisions) were considerably higher than for centralized companies, which have more efficient, centralized systems.
     For example, the 2007 FEI survey indicated average compliance costs for decentralized companies were $1.9 million, while centralized company costs were $1.3 million.[28]
     The number of controls defined can range significantly based on size, complexity, and whether the company is centralized or decentralized: the average number of SOX controls ranges from 75 to 225, with a significant portion (over 60%) typically identified as manual controls.
     Costs of evaluating controls can be dramatically reduced through automation: companies that use their ERP software to control their business can leverage application controls. However, these are also normally tested and documented by a business user, again annually.
  5. Living in a Controlled Environment – The Automation Opportunity
     The average number of hours required to manually test and document a single SOX control is approximately 6 to 8 hours, and sometimes more, based on complexity.
     This requires the concentrated effort of defined business personnel, involving critical subject matter experts across all functional areas, regions and divisions, which takes significant time (days or weeks) away from their normal business efforts.
     In addition, the work paper documentation around testing of SOX controls requires detail and precision, since it will be reviewed/audited by both internal and external auditors.
     Accurate and complete work papers are critical.
  6. Living in a Controlled Environment – The Automation Opportunity
     Each control must be tested with two considerations in mind:
        Test of Design (TOD) – does the control as designed continue to represent how the business is operating, and
        Test of Effectiveness (TOE) – does this control work effectively based on its intent or design.
     Evidence of both TOD and TOE must be shown for each control to prove it is working effectively.
     Because external auditors cannot rely on testing by the business owners, all critical controls must be re-tested by the external auditors as well.
     This cost comes back to the company in terms of audit fees.
     These tests need to be repeated on an annual basis, at minimum.
  7. Compliance Automation Case Study: Background
     SAP® Compliance Case Study:
     A $5 billion global manufacturer with operations in North America, Latin America, Asia-Pacific and Europe.
     Approximately 15,000 employees.
     Running on a global instance of SAP® ECC 6.0, with a distributed environment including SAP CRM, SAP APO, SAP NetWeaver®, BI, SAP SRM, two Portals…
     175 Sarbanes-Oxley controls, 80 of which are SAP application/system controls – this is a higher ratio than most and considered a leading practice.
  8. Compliance Automation Case Study: Business Case
     Case Study (continued)
     Their external auditor has agreed that if they use a qualified third party to execute some of the testing, the auditor can rely on that work and does not have to re-test.
     They have chosen to have all the system controls (80) tested by the third party to reduce both business effort and the cost of external audit retest.
     The cost of the third party testing is approximately $250,000 annually.
     Their external auditors have also agreed that if they can document that there has been no change to the transactions associated with the system controls, the company can reduce the number of tests that they need to execute each year, allowing the full baseline of tests (not impacted by change) to be executed over three years (one third each year).
  9. Case Study: Automation Goals
     Eliminate the cost of the third party by creating automated application controls that can be executed internally by one person – business review involvement only.
     Ensure that the automated control testing can be relied upon by the external auditor even though it is “executed” internally.
     Ensure work papers are automatically created and meet SOX test and auditor work paper standards.
     Provide an automated report that can easily and quickly indicate if no changes have occurred to SOX-significant transactions over a defined period of time (one quarter to one year) or, if changes have occurred, what changed.
     Reduce business involvement while retaining high standards of compliance testing and documentation.
     Manage, monitor and communicate test execution and results with online dashboards and metrics.
  10. Case Study: Prep for Automated Build
  11. Case Study: How to Build and Execute Automated SOX Testing
  12. Case Study: Automation of an Application Control
  13. Case Study: To Automate, Start with the Manual Control Test
      A portion of the manual version of the TOD for that control:
      Test of Design (TOD):
      The screen layout is formed by a combination of the transaction code, activity, document type, and item category/document category. Each of these has a corresponding entry in the Field Selection column.
      Creating a standard NB purchase order for a standard item would have the following field selections:
         AKTH - Activity
         ME21N - Transaction
         NBF - Document Type
         PT0F - Item category/Document category
      Standard SAP gives fields configured as ‘required entry’ precedence over fields configured as ‘optional entry’ (AKTH) when entering a purchase order.
  14. Case Study: Review Work Paper Documentation Required
  15. Case Study: Timing of Manual Test of TOD
      Manual time to execute the test:
         Number of screens/fields to validate: 75
         Run the test: 4 hours
         Document the results: 8 hours
      If this test is executed by the business, it may still need to be retested by the external auditor.
      If this is done by a third party, the company incurs the cost of testing and documentation – and it must be repeated each year.
  16. Case Study: Automated Testing Executed the Same Way
  17. Case Study: Automated Test Captures All Failures
  18. Case Study: Automated Test Shows Each Step and Screen
  19. Case Study: Differences Between Manual and Automated Testing
      Automated time to execute the test:
         Number of screens/fields to validate: 75
         Run the test: 30 minutes
         Document the results: 0 hours, since the test automatically reports results in work-paper-ready format
      No business intervention is needed to get the tests done. One person can execute both the tests and the results, which can then be reviewed/confirmed with the business and the auditors.
  20. Case Study: Results Are Reported Like Work Papers
  21. Case Study: Screen Shot Detail with Results of Automated SOX Tests
  22. Case Study: When Failures Occur, Know What and When
  23. Case Study: Failure Results Documented
  24. Case Study: Detecting and Managing Failures
      With automated testing, you can configure the test to stop at any failure and document which step in the process caused the failure.
      This documentation can then be provided to the developers to fix and prepare for retest.
      The automated test can then be pointed:
         First, to the test environment to validate the fix, and
         Second, to the production environment for further validation if the fix passes the initial test.
      All this repeated testing can be executed by one person, with all documentation fully detailed.
  25. Case Study: Leveraging TOD Automation to Build the TOE
      By automating the test of design first, the additional build showing effectiveness (the TOE), even using multiple sets of data, is quick and efficient. Let’s look at an example.
      Manual time – total of 8 hours:
         Number of screens/fields to validate: 75
         Run the test: 4 hours
         Document the results: 4 hours
      Automated time to execute the test (TOE):
         Number of screens/fields to validate: 75
         Run the test: 10 minutes
         Document the results: 0 hours, since the test automatically reports results in work-paper-ready format
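The following is an added illustration, not code from the presentation, from Worksoft Certify or from SAP: a deliberately simplified model of how the TOD and TOE for the purchase-order field-selection control (slides 13 through 25) can be automated and reported in work-paper form. The field-selection entries, the control's expected statuses, the screen field names and the TOE data sets are all constructed for the example; only the four keys (AKTH, ME21N, NBF, PT0F) and the precedence rule "required entry over optional entry" come from slide 13. The `stop_on_failure` switch models the stop-at-failure behaviour of slide 24, and `run_toe` reuses the TOD's merged configuration to show why the TOE build is cheap once the TOD exists (slide 25).

```python
from dataclasses import dataclass

# Constructed field-selection configuration (not real SAP customizing):
# key -> {screen field: status}. Only "required" and "optional" are
# modelled, the two statuses slide 13 mentions.
FIELD_SELECTION = {
    "AKTH":  {"EKKO-LIFNR": "optional", "EKPO-MENGE": "optional", "EKPO-WERKS": "optional"},
    "ME21N": {"EKKO-LIFNR": "required", "EKPO-MENGE": "required"},
    "NBF":   {"EKKO-LIFNR": "required", "EKPO-WERKS": "required"},
    "PT0F":  {"EKPO-MENGE": "required", "EKPO-WERKS": "optional"},
}

# What the control expects for a standard NB purchase order (constructed).
# EKKO-ZTERM is deliberately absent from FIELD_SELECTION so one TOD step fails.
CONTROL_EXPECTED = {
    "EKKO-LIFNR": "required",
    "EKPO-MENGE": "required",
    "EKPO-WERKS": "required",
    "EKKO-ZTERM": "required",
}


def effective_status(field_name, selection=FIELD_SELECTION):
    """Merge the field-selection keys with the rule slide 13 states:
    'required entry' takes precedence over 'optional entry'."""
    statuses = [entries[field_name] for entries in selection.values() if field_name in entries]
    if not statuses:
        return "not configured"
    return "required" if "required" in statuses else "optional"


@dataclass
class WorkPaperRow:
    step: int
    test: str      # "TOD" or "TOE"
    item: str      # screen field (TOD) or data-set name (TOE)
    expected: str
    actual: str
    result: str    # "PASS" or "FAIL"


def run_tod(expected=CONTROL_EXPECTED, selection=FIELD_SELECTION, stop_on_failure=False):
    """Test of Design: does each field still carry the status the control relies on?"""
    rows = []
    for step, (field_name, want) in enumerate(sorted(expected.items()), start=1):
        got = effective_status(field_name, selection)
        rows.append(WorkPaperRow(step, "TOD", field_name, want, got,
                                 "PASS" if got == want else "FAIL"))
        if rows[-1].result == "FAIL" and stop_on_failure:
            break  # slide 24: stop at the failing step; the row records which step it was
    return rows


def missing_required(entry, expected=CONTROL_EXPECTED, selection=FIELD_SELECTION):
    """Stand-in for the purchase-order transaction's own input check (hypothetical)."""
    return sorted(f for f in expected
                  if effective_status(f, selection) == "required" and not entry.get(f))


def run_toe(data_sets, selection=FIELD_SELECTION):
    """Test of Effectiveness: replay several data sets through the same check;
    each data set states whether the control should reject it."""
    rows = []
    for step, (name, entry, should_reject) in enumerate(data_sets, start=1):
        want = "rejected" if should_reject else "accepted"
        got = "rejected" if missing_required(entry, selection=selection) else "accepted"
        rows.append(WorkPaperRow(step, "TOE", name, want, got,
                                 "PASS" if got == want else "FAIL"))
    return rows


def render_work_paper(rows):
    """Work-paper-ready text: one line per step plus a summary line."""
    lines = [f"{r.step:>3}  {r.test}  {r.item:<14} expected={r.expected:<14} "
             f"actual={r.actual:<14} {r.result}" for r in rows]
    failed = sum(r.result == "FAIL" for r in rows)
    lines.append(f"{len(rows)} steps executed, {failed} failure(s)")
    return "\n".join(lines)


# Constructed TOE data sets: (name, purchase-order entry, should the control reject it?)
TOE_DATA_SETS = [
    ("complete order", {"EKKO-LIFNR": "100123", "EKPO-MENGE": "10", "EKPO-WERKS": "1000"}, False),
    ("missing vendor", {"EKPO-MENGE": "10", "EKPO-WERKS": "1000"}, True),
    ("missing plant", {"EKKO-LIFNR": "100123", "EKPO-MENGE": "10"}, True),
]

if __name__ == "__main__":
    print(render_work_paper(run_tod()))
    print(render_work_paper(run_toe(TOE_DATA_SETS)))
```

Run as-is, the TOD work paper shows four steps with one failure (the unconfigured EKKO-ZTERM field); with `run_tod(stop_on_failure=True)` it stops after the second step and the last row names the failing field, which is the documentation a developer would receive before the retest described on slide 24.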
  26. Case Study: Using Dashboards to Manage Build/Execution of Tests
  27. Case Study: Using Dashboards to Manage Testing Across Projects
  28. Additional Tools to Further Optimize Management of SOX Controls
      Certify Live Compare™ Transaction Change Report
      This report, run against your SAP production environment, will define what transactions have changed over a period of time and provide clear documentation for your auditors of what needs to be tested from a TOD and TOE perspective (show example).
      Worksoft Certify® SOX-specific SAP role
      By creating a specific SAP role for use with Worksoft Certify testing, you can lock and unlock this role based on when testing is needed and further control your production access and environment.
  29. Live Compare: Identifying What’s Changed
      Programs that are the same (unchanged) are not included. The icons report programs that are new (the little “1” icon) or different. New programs are those that have been created since the last comparison.
  30. Live Compare: Identifying How It Has Changed
      This shows a side-by-side comparison of what changed within the transaction and targets where to look.
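Added example, not the Certify Live Compare product's code: a transaction change report of the kind slides 28 through 30 describe, reduced to the idea that a new comparison is classified against the last one (same, new, different, deleted) and that unchanged programs are left out of the listing. Sources are compared by SHA-256 digest here; the program names, the ABAP-like source text, the transaction code ZINV1 and the control identifiers are all constructed (ME21N is the transaction from slide 13). The retest plan at the end applies the audit agreement from slide 8: controls whose transactions changed need TOD and TOE this year, the rest stay on the three-year baseline rotation.

```python
import hashlib

# Constructed program sources "as of the last comparison" and "now".
# Names and source text are made up; none is a real SAP program.
BASELINE_SOURCES = {
    "ZPO_CREATE":   "FORM create_po. CHECK lifnr IS NOT INITIAL. ENDFORM.",
    "ZPO_VALIDATE": "FORM validate_po. CHECK werks IS NOT INITIAL. ENDFORM.",
    "ZINV_POST":    "FORM post_invoice. ENDFORM.",
}
CURRENT_SOURCES = {
    "ZPO_CREATE":   "FORM create_po. CHECK lifnr IS NOT INITIAL. ENDFORM.",
    "ZPO_VALIDATE": "FORM validate_po. \" plant check removed\n ENDFORM.",
    "ZINV_POST":    "FORM post_invoice. ENDFORM.",
    "ZPO_AUDIT":    "FORM audit_po. ENDFORM.",
}

# Which programs sit behind which transaction, and which SOX control relies
# on which transaction (constructed mapping; ZINV1 is a made-up transaction code).
TRANSACTION_PROGRAMS = {
    "ME21N": ["ZPO_CREATE", "ZPO_VALIDATE", "ZPO_AUDIT"],
    "ZINV1": ["ZINV_POST"],
}
CONTROL_TRANSACTIONS = {
    "C-013": ["ME21N"],
    "C-027": ["ZINV1"],
}


def digest(sources):
    """Fingerprint each program so two snapshots can be compared without
    keeping the full source around."""
    return {name: hashlib.sha256(src.encode()).hexdigest() for name, src in sources.items()}


def compare(baseline, current):
    """Classify every program as new, different, deleted or same."""
    base, cur = digest(baseline), digest(current)
    return {
        "new": sorted(n for n in cur if n not in base),
        "different": sorted(n for n in cur if n in base and cur[n] != base[n]),
        "deleted": sorted(n for n in base if n not in cur),
        "same": sorted(n for n in cur if n in base and cur[n] == base[n]),
    }


def changed_transactions(report, txn_programs=TRANSACTION_PROGRAMS):
    """A transaction counts as changed if any program behind it is new,
    different or deleted."""
    touched = set(report["new"]) | set(report["different"]) | set(report["deleted"])
    return sorted(t for t, progs in txn_programs.items() if touched & set(progs))


def retest_plan(report, txn_programs=TRANSACTION_PROGRAMS, control_txns=CONTROL_TRANSACTIONS):
    """Slide 8's agreement: changed transactions force a TOD and TOE retest of
    the controls that depend on them; unchanged ones stay on the 3-year rotation."""
    changed = set(changed_transactions(report, txn_programs))
    return {ctrl: ("retest TOD+TOE" if set(txns) & changed else "baseline rotation")
            for ctrl, txns in control_txns.items()}


def render_report(report, plan):
    """Auditor-facing text: changed programs listed, unchanged ones only counted."""
    lines = [f"{kind}: {', '.join(names) or '-'}"
             for kind, names in report.items() if kind != "same"]
    lines.append(f"unchanged (not listed): {len(report['same'])}")
    lines += [f"{ctrl}: {action}" for ctrl, action in sorted(plan.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    report = compare(BASELINE_SOURCES, CURRENT_SOURCES)
    print(render_report(report, retest_plan(report)))
```

With the constructed snapshots, ZPO_AUDIT is reported as new and ZPO_VALIDATE as different, so ME21N counts as changed and control C-013 is scheduled for a full TOD and TOE retest, while C-027 (whose only program is unchanged) stays on the baseline rotation. A real tool compares far more than source text (screens, customizing, authorizations), but the classification and the mapping back to controls are the parts an audit team actually consumes.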
  31. Benefits of Using Automated Approach to SOX Controls Testing
      You can quickly assess your production environment and determine and validate what has remained the same and what has changed.
      You can use expedited testing, leveraging automated TODs for all application controls, to further define what needs extended testing/validation.
      All your documentation for both TODs and TOEs is automatically created as part of the Worksoft Certify® test runs; no need for additional documentation.
      The results of all your automated test efforts are presented in an easily readable format that both internal and external audit/SOX teams can use and review.
      One person can execute all automated testing, significantly reducing the time and effort normally required by both business and audit teams to obtain results.
  32. Benefits of Using Automated Approach to SOX Controls Testing
      Because these tests need to run against your production environment, by using the automated test build you can specifically control what is executed and when it is stopped, eliminating any potential opportunity of executing more than what’s needed or planned.
      Per the external audit agreement, the external audit team can rely on these results without third party intervention, thereby eliminating third party costs and significantly reducing the external audit costs associated with executing these tests manually.
      They only need to review results instead of re-executing critical application control tests.
  33. Time for Q & A
      Questions?
  34. Next Steps in Achieving Automation Efficiencies
      The tools being used here to achieve efficiencies in compliance are also being used successfully across development, testing and production environments to bring further efficiencies to the daily management of SAP systems.
      If you want to further explore these opportunities or have additional, specific questions that you’d like to address further, please contact:
  35. Contact Us
      Certified for SAP NetWeaver®
      Phone: 866.836.1773
      Email: KEAVES712@YAHOO.COM