GRC for the Little Guys: How Abiomed Solved its SOX Compliance Challenges

Like many smaller, regulated enterprises, medical device manufacturer Abiomed is required to operate its SAP systems according to the same standards as large publicly traded enterprises under Sarbanes-Oxley (SOX) legislation. With a small IT staff and numerous initiatives, Abiomed was able to turn "pain into gain" with several strategies that kept its Total Cost of Compliance within reason.
Join Sharon Kaiser, CIO at Abiomed, and Dan Wilhelms, President of SymSoft, to learn how Abiomed:

• Established a proactive working relationship with its internal and external auditors
• Utilized new GRC software solutions
• Tactically used external resources to streamline costs and turn its compliance mandates into a strategic asset

GRC for the Little Guys: How Abiomed Solved its SOX Compliance Challenges Presentation Transcript

  • 1. GRC for the Little Guys. How Abiomed faces its compliance reporting challenges. Sharon Kaiser, CIO, Abiomed; Dan Wilhelms, CEO, SymSoft Corporation. Professional Solutions for Compliance Automation, www.ControlPanelGRC.com
  • 3. Introducing: Sharon Kaiser, CIO, Abiomed; Dan Wilhelms, President, SymSoft
  • 4. Agenda
    • About Abiomed & SymSoft Corporation
    • What is Sarbanes-Oxley (SOX) compliance?
    • Why SMEs should care
    • Getting started with SOX: 5 things SMEs can do
    • Abiomed’s Situation
    • Abiomed’s Challenges
    • Organizational Compliance Goals
    • Solution Selected
    • Solution Implemented
    • Results
    • Best Practices
    • Questions
  • 5. About Abiomed
    • Abiomed (NASDAQ: ABMD) is a global technology leader focused on RECOVERING HEARTS AND SAVING LIVES
    • The company develops, manufactures and markets advanced medical technologies designed to assist or replace the pumping function of the failing heart
    • Abiomed Market Overview
      • Global leader for products in the acute heart failure market
      • Ships more Ventricular Assist Devices (VADs) than any other company worldwide
  • 6. Who is Abiomed
    • Medical device manufacturer headquartered in Massachusetts with an additional manufacturing facility in Germany
    • Over 300 employees
    • Experts in pumping blood for over 25 years
    • World’s smallest heart pumps for cardiologists and surgeons
    • Over 200 patents or patents pending from over $200m in R&D
    • Over 12,000 patients supported in over 40 countries worldwide
    • Timeline:
      • 2010: Impella® 2.5 >1700 patients and in over 350 hospitals in the U.S.
      • 2009: Impella 5.0 available in U.S. for broad clinical use
      • 2009: AB Portable™ driver FDA approved and first patient discharge
      • 2008: Impella 2.5 FDA cleared in U.S. for broad clinical use
      • 2005: Impella available in Europe
      • 2001: First AbioCor® Artificial Heart patient
      • 1992: First FDA approved VAD
      • 1987: First heart recovery patient
      • 1981: Abiomed founded
  • 7. About SymSoft Corporation
    • Makers of Governance, Risk and Compliance (GRC) solutions for SAP environments
    • Spin-off of Milwaukee-based Symmetry Corporation
    • 14 years of technical implementation solutions for the SAP and Enterprise Security marketplace
    • One of the largest dedicated SAP Basis/security consulting organizations in the U.S.
    • 10 years of software development and marketing experience
    • Previous reseller of Virsa (now SAP GRC)
    • 200 SAP implementations
    • 90 outsourcing customers
    • SAP Certified Hosting Partner
  • 9. The Sarbanes-Oxley Act of 2002
    • “Since when is it illegal to shaft innocent people for personal gain?” - 2002
  • 10. About the Sarbanes-Oxley Act of 2002
    • What is the intent of the Act?
      • Creation of a new standard for reporting of internal control effectiveness, design, and documentation
      • Creation of management accountability for internal controls
    • Which companies are required to comply?
      • Companies publicly traded on U.S. stock exchanges
      • Regulated industries (e.g. food, pharmaceutical, hazmat)
    • Which sections are applicable to SAP operations?
      • Section 404 requires CEO, CFO, and auditors to confirm the design and effectiveness of internal controls
  • 11. Section 404 Compliance
    • “… Establishing and maintaining an adequate internal control structure …” (from Section 404)
    • Four parts to Section 404 compliance:
      1. Take an inventory of internal controls
        • Where are they sufficient and deficient?
        • Assess those controls against a framework to measure or rate their effectiveness
      2. Document how the controls have been assessed
        • Policies and procedures will be used to remedy any control deficiencies
      3. Test to ensure that the controls work as intended
      4. Management must incorporate phase 1-3 activities into a formal report
  • 12. Differences Between Controls
    • What’s the difference between a preventative and a mitigating control?
    • Preventative controls prohibit inappropriate access
      • Authorizations, configuration, user-exits, and so on
    • Mitigating controls rely on other processes to identify inconsistencies
      • You’re allowed to do something potentially wrong, but we can track what you did
      • Alerts, periodic reporting, system monitoring
  • 13. What Are Segregation of Duties (SOD) Controls?
    • Primary control of Section 404 intended to prevent or decrease the risk of errors or irregularities
    • Requires the assignment of conflicting “duties” to different employees
    • Generally involve transactions that permit data modification
    • Examples:
      • Creation of vendor and purchase order could result in purchase orders being issued to fictitious vendors
      • Creation of purchase order and ability to receive goods could result in goods being procured for personal instead of business reasons
  • 14. What Are Excessive Access Controls?
    • Primary control of Section 404 intended to prevent or decrease the risk of errors or irregularities
    • Authorization to sensitive transactions or authorizations that are not required for normal job function
    • Authorization to sensitive system functions that could impact data confidentiality, availability, and integrity
    • Generally permit data modification
    • Examples:
      • Customer service representatives should not be able to create vendors
      • End users should not have S_ADMI_FCD with value of “RSET” because they could delete data without archiving
  • 15. The “New” World with Management Involvement
  • 17. Why Should You Care About SOX Compliance?
    • Documentation
      • Documented business processes work better
      • Documentation provides training for new employees
      • Increases efficiency by identifying processes required for completion
    • Reduction in errors
      • Users are restricted to authorized functions and therefore cannot accidentally change or delete data
      • Example: Accidental modification to vendor address impacts delivery of AP payments
  • 18. Why Should You Care About SOX Compliance?
    • Cost of errors
      • Inappropriate access can lead to invalid transaction processing
      • Example: Incorrectly scrapped materials may be re-manufactured to ensure availability for customer resale
    • Loss of customers
      • Incorrect documents can be sent to partners via invalid transaction processing
      • Example: Accidental modification of customer address impacts delivery location for sales orders
    • Fraud happens
      • Fraud can impact all levels of an organization
      • Example: Warehouse employee could receive goods and then hide them by adjusting the physical inventory count
  • 19. Why Should You Care About SOX Compliance?
    • Protection of trade secrets
      • Excessive access can allow users to download information related to proprietary processes or methodologies that are not required in their job function
      • Example: Employees with excessive authorization could download company recipes before accepting a new position at a competitor
    • Preserve confidential information
      • Excessive access can allow users to view sensitive company data, including customer pricing, material costs, or employee master data
      • Example: Employee with inappropriate access could review their performance appraisal before it has been completed
  • 20. Getting Started with SOX
    • Focus more on documenting and maintaining your business processes
    • Develop formal requirements for documentation and controls for business processes
    • Think about how to measure and control the execution of your business processes
    • Start at “what could go wrong” and work back to reports that can identify instances
    • Implement controls and recommendations detailed in “The 5 Things SMEs Can Do”
  • 21. 5 Things SMEs Can Do
    • Monitor security
    • Implement parameters for logons and passwords
    • Reduce sensitive authorizations
    • Establish security change controls and documentation
    • Implement periodic user maintenance processes
  • 23. Abiomed’s Situation
    • Abiomed is a small company but publicly traded, requiring compliance with the Sarbanes-Oxley Act
    • Risk management is a high priority for Abiomed’s controller
    • After years of bottom-up SOX controls, we wanted to focus on more top-down, broader risk-based controls
    • We needed something affordable that could help in three major areas:
      • Cost Reduction and Efficiencies
      • Risks and Mitigation
      • Compliance & Reporting
  • 24. Abiomed’s Challenges
    • Being such a small company, we were constantly struggling with identifying and managing our SOD (segregation of duties) issues on a global basis – US and Europe
    • Most of our IT general controls were managed manually and tested manually
    • Information was available, but limited and hard to obtain, making compliance reporting labor intensive, both for IT and for our business partners
    • We have a very limited IT staff that has to be knowledgeable of, and stay on top of, IT SOX controls on a daily basis
    • A substantial amount of IT time is required, in a short period of time, to prepare for and support the SOX audits
  • 25. Goal 1. Cost Reductions and Efficiencies
    • Objectives:
      • Reduce the time, expense, and distractions associated with audits and allow more time for higher value work
      • Automate data gathering, monitoring and reporting
      • Automate and streamline user and role maintenance in SAP
    • Challenges:
      • Some audit requests required data reconstruction
      • Audit test data requests had to be pulled manually and were highly labor intensive
      • Quarterly SOD reports had to be compiled and distributed manually, requiring constant and repeated follow-up to obtain approvals
  • 26. Goal 2. Risks and Mitigation
    • Objectives:
      • Eliminate potential audit risks due to complex user access requirements
      • Consolidate data and processes
      • Provide more efficient and timely review of SAP emergency access and super roles
    • Challenges:
      • Some functional owners didn’t understand the content of the SOD reports or the purpose of their review, or even the initial approval of role requests
      • Change management transports required routing and approval from multiple business owners
      • Emergency access review was conducted monthly by manual review – too late to really question or prevent abuse
  • 27. Goal 3. Compliance & Reporting
    • Objectives:
      • Ensure Abiomed is meeting requirements
      • Automate monitoring and reporting
      • Move to exception-based reporting
      • Provide on-line, on-demand reporting and review capability
      • Provide more information, with higher value and less work
    • Challenges:
      • Native compliance reporting in SAP is difficult to obtain, usually requiring reformatting and manual compilation
      • Data was for the most part available, but hard to find, extract and report
  • 28. Solution Selected: Why SymSoft was Chosen
    • Read a lot of press on governance and risk mitigation solutions
    • Didn’t feel Abiomed could internally justify ‘any’ purchase
      • Too many competing requests for funds in a growing business required to support R&D and manufacturing
    • Symmetry had done a webinar for our controller and sold the benefits of SymSoft months earlier
    • SymSoft later made a reasonable offer that we just couldn’t turn down
    • We decided to leverage our existing partnership with Symmetry and evolve to the next level with SymSoft
  • 30. Solution Implemented
    • One solution – “2nd Generation” SymSoft ControlPanelGRC – met Abiomed’s needs; multiple components; written in ABAP
      • Risk Analyzer – SOD and sensitive authorization analysis
      • Usage Analyzer – Tracking & reporting of actual system usage
      • Transport Manager – Automates the change request process via workflow, with audit trail
      • User and Role Manager – Automated workflows to optimize security administration
      • Emergency Access Manager – Temporary authorization and tracking to troubleshoot production issues
      • AutoAuditor – Automated execution and delivery of compliance reports
      • Batch Manager – Central scheduling and monitoring of batch jobs
  • 31. Drill Down: Risk Analyzer
    • Comes with a set of pre-defined business rules that can be customized based on Abiomed’s specific needs
    • Allows real-time review of SOD and sensitive authorization risks
    • Routes new role requests to a designated functional owner, flagging any potential risk identified by the Rulebook
    • Real-life Abiomed example: Prior to a recent audit, I needed to identify and provide information regarding an identified risk:
      • Does any user have the ability to create a sales order and the ability to change a customer’s credit limit?
  • 32. The Risk was Already Defined in Abiomed’s Rulebook
  • 33. Was Able to Identify Functions Identified for the Risk
  • 34. Was then Able to Locate Users That Could Violate the Risk
  • 35. Can Even Identify if a User has Executed the Risk
  • 36. Answering Goal 1. Cost Reduction and Efficiencies
    • Automated processing of change request transports for review and approval
      • Abiomed has a specific requirement that 3 functional owners must review and approve any transport to production
      • Configurable workflow to route requests to appropriate parties for review and approval
      • Extensive change request tracking and reporting that allows easy access to details for our auditors
    • Acceleration of day-to-day SAP security administration via workflow and automatic provisioning
  • 37. Return on Investment – Specific Results
    • Reduced the time, expense, and distractions associated with manual audits
      • Actual 50% reduction in time spent by 3rd party pre-auditors
      • Reduction in internal staff time spent supporting ad hoc requests from external audit
      • Reduction in time spent analyzing and mitigating SOD issues
    • Significantly reduced time spent on compiling, distributing and following up on Abiomed quarterly SOD reports
      • One week prep time condensed to two hour review time by IT resource
      • Review and approval by 7 functional owners received within a one week time period versus 5 months with the paper process
      • Workflow distribution
      • Electronic approval documented and captured
  • 38. Answering Goal 2. Risks and Mitigation
    • Real-time risk analysis and mitigation of authorizations for SOD and sensitive authorization risks
    • Pre-defined and customizable Rulebook to meet Abiomed’s specific needs
    • Automatic monitoring of transaction execution and alerts to compliance owners
    • Integrated role management via workflows that provide risk analysis, owner approval and facilitated request processing
    • Immediate notification for emergency access with activity monitoring and reporting
  • 39. Risk Mitigation – Specific Results
    • Receive immediate notification of activation of Emergency Access (Firecall) activity
      • Previously, the IT management team would meet monthly and review the prior month’s firecall activity
      • Reviews are now done upon close of emergency access, and any questions and potential mitigation activities can be timely
    • During audit preparation, Risk Analyzer identified a user with the ability to create a sales order and the ability to change a customer’s credit limit (previous example)
      • Was able to address and mitigate before the actual audit started
  • 40. Answering Goal 3: Compliance and Reporting
    • Scheduling and automatic execution of predefined or custom compliance reports, routed to predefined users for review
      • Sensitive role and profile assignments
      • Mitigating control assignments
      • Invalid logon attempts or initial passwords
      • User and role changes over a time period
    • Management of batch jobs providing central scheduling and monitoring of batch processes
      • Provides documentation and monitoring of batch jobs
      • Notifies appropriate owners of job success or failure, with the appropriate details
  • 41. Compliance & Reporting – Specific Results
    • Receive reports that are required to support defined audit controls, either from an event trigger or via a time requirement
    • For example, on the first of each month, IT management receives the following reports for review and analysis:
      • System Environment Report
      • Critical Authorizations Report
      • Inactive Logons
      • Non-Employee Logons
      • Users with SAP_ALL
  • 42. What Abiomed Learned
    • There are reasonably priced GRC solutions on the market to meet a small company’s requirements
    • First, identify your goals and what you actually need
      • Find the solution that fits your goals and don’t overbuy
    • Deployment was quick and painless – almost a non-event
      • Be prepared and plan the transition – change in processes? training requirements?
    • Understand what you are getting and determine what functionality you will use and how
    • The controller and his team are all over risk mitigation – get the business involved and don’t make this an IT solution only
    • SOX audits don’t have to be quite so time consuming and painful!
  • 43. Best Practices
    • Don’t tolerate energy-sapping manual processes – look for a solution
    • Seek to “embed compliance” – automate capture of audit data at the time of execution
    • Enable ad hoc, on-demand audit reporting
    • Look for tools that will streamline routine IT operations
      • More time supporting initiatives, less time “keeping the lights on”
    • Embrace GRC – view it as a tool for innovation, not as a necessary evil
    • Understand management’s need for GRC data
      • What does the CFO lose sleep over?
  • 44. Key Learnings
    • Smaller publicly traded and other regulated enterprises face special challenges in addressing audit and compliance concerns
    • Creativity and newly available solutions can reduce the cost and complexity of compliance
    • Efforts in preparing for audits can be streamlined and become less intrusive
  • 45. Questions & Answers
    • For more information please contact: Kevin Dunne, Phone: 414-292-3113, Email: kdunne@sym-corp.com
  • 47. Thank You!
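As an added illustration of the SOD and sensitive-authorization checks the deck describes on slides 13, 14 and 31-35 (rulebook risk, functions behind the risk, users who could violate it, and whether a user actually executed it), here is a small Python risk analyzer. It is example code written for this page, not SymSoft ControlPanelGRC or Abiomed's rulebook; the function-to-transaction mapping, the user list and the usage log are constructed sample data, and the SAP transaction codes used are assumed for illustration.

```python
"""Added example: minimal SOD / sensitive-authorization risk analyzer (not from the deck)."""
from dataclasses import dataclass, field

# Business functions and the SAP transaction codes that implement them.  This mapping
# is an assumption constructed for the example, not an extract from a real rulebook.
FUNCTIONS = {
    "create_sales_order":    {"VA01"},
    "change_credit_limit":   {"FD32"},
    "create_vendor":         {"XK01", "FK01"},
    "create_purchase_order": {"ME21N"},
    "goods_receipt":         {"MIGO"},
}

# Rulebook (slide 13 examples plus the slide 31 risk): function pairs one person must not hold.
RULEBOOK = {
    "R01": ("create sales order + change customer credit limit", ("create_sales_order", "change_credit_limit")),
    "R02": ("create vendor + create purchase order", ("create_vendor", "create_purchase_order")),
    "R03": ("create purchase order + goods receipt", ("create_purchase_order", "goods_receipt")),
}

# Sensitive authorization values end users should not hold (slide 14).
SENSITIVE_AUTHS = {("S_ADMI_FCD", "RSET"): "can delete data without archiving"}

@dataclass
class User:
    name: str
    tcodes: set                              # transactions the user is authorized to run
    auths: set = field(default_factory=set)  # (object, value) authorization pairs

def find_sod_violations(users, rulebook=RULEBOOK, functions=FUNCTIONS):
    """Return {user: [risk_id, ...]} for users authorized to every function of a risk (slide 34)."""
    findings = {}
    for u in users:
        held = {f for f, tcodes in functions.items() if tcodes & u.tcodes}
        risks = [rid for rid, (_, funcs) in rulebook.items() if set(funcs) <= held]
        if risks:
            findings[u.name] = risks
    return findings

def executed_risks(findings, usage_log, rulebook=RULEBOOK, functions=FUNCTIONS):
    """Narrow findings to risks actually exercised (slide 35): every function of the risk
    was run at least once according to a (user, tcode) usage log."""
    used = {}
    for user, tcode in usage_log:
        used.setdefault(user, set()).add(tcode)
    executed = {}
    for user, risks in findings.items():
        for rid in risks:
            if all(functions[f] & used.get(user, set()) for f in rulebook[rid][1]):
                executed.setdefault(user, []).append(rid)
    return executed

def find_sensitive_auths(users, sensitive=SENSITIVE_AUTHS):
    """Return {user: [finding, ...]} for users holding a sensitive authorization value."""
    out = {}
    for u in users:
        hits = [f"{obj}={val} ({why})" for (obj, val), why in sensitive.items()
                if (obj, val) in u.auths]
        if hits:
            out[u.name] = hits
    return out

# Constructed sample data standing in for an SAP user/authorization extract and usage log.
USERS = [
    User("jdoe",   {"VA01", "FD32"}),               # holds both halves of R01
    User("msmith", {"XK01", "ME21N"}),              # holds both halves of R02
    User("csrep",  {"VA01"}),                       # sales order only: no conflict
    User("basis1", {"SM37"}, {("S_ADMI_FCD", "RSET")}),
]
USAGE_LOG = [("jdoe", "VA01"), ("jdoe", "FD32"), ("msmith", "XK01")]

if __name__ == "__main__":
    hits = find_sod_violations(USERS)
    print(hits, executed_risks(hits, USAGE_LOG), find_sensitive_auths(USERS))
```

Run against the sample data, jdoe and msmith both hold a conflicting pair, but only jdoe has actually run both sides of the risk, which is the distinction slide 35 draws between a potential and an executed violation.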