1. © 2014 Consider Solutions All rights reserved.
Solutions for World Class Finance
2014 GRC Series
Managing Risk, Control & Compliance
With
INFOR Approva Continuous Monitoring
20th February 2014
2. Solutions for World Class Finance
Welcome
Today's Speakers:
Dan French
CEO
Consider
Steve Rooney
Consulting Practice Leader
Consider
Steve Buchner
Senior Manager, IT
Sonova
3. Solutions for World Class Finance
Business Streams
‐ Financial Control & Compliance
‐ Risk Assurance
‐ Finance Process Optimization
5. Solutions for World Class Finance
Today's Discussion
Introductions & Objectives
Visibility over Financial Processes & Controls
GRC – 3 Lenses of Insight
High Impact Capabilities with INFOR Approva CM
‐ Segregation of Duties
‐ Process Configuration Monitoring
‐ Certification/Attestation
‐ Transaction Exception Monitoring
The Sonova GRC Journey
Entry Points for Deeper Insight
Q&A
6. Solutions for World Class Finance
Objectives
Share insights & experiences in Governance, Risk &
Compliance (GRC)
Illustrate Process Optimization potential of GRC
Introduce latest capabilities, use-cases & lessons
learned for INFOR Approva CM
Learn from the Sonova journey
Offer tips for the journey to maximize the value
7. Solutions for World Class Finance
Risk and Control challenges
Segregation of duties
Duplicate payments
Employee reimbursements
Unauthorized purchases
Fraud prevention
Overpayments
Checks and approvals
Compliance with policy
Regulations
Standardization
Fraud Detection/Prevention 68%
ERM 50%
SOX 404 40%
Compliance 38%
Regulatory Compliance 29%
What drives these challenges?
Lack of staff
Manual processes
Human errors
Access to data
Visibility to issues
Mergers and acquisitions
Integrated systems
Decentralized operations
Outsourcing
Source: KPMG Continuous Monitoring & Continuous Auditing Survey
8. Solutions for World Class Finance
IIA 2013 Pulse of the Profession - Outlook
Risk management effectiveness 5%
Other 12%
Strategic/business Risk 4%
Fraud 4%
IT (general) 12%
Compliance 14%
Sarbanes-Oxley 12%
Financial (general) 13%
Operational 24%
Source: The Institute of Internal Auditors
9. Solutions for World Class Finance
Financial Accounting - Risk and Control
10. Solutions for World Class Finance
Ineffective controls erode performance
What should happen vs. what actually does happen: processes are ignored or circumvented, and policies cannot be cost-effectively enforced.
Performance Impact: Fraud & Waste; Sub-optimal Cash Mgmt; Ineffective Process; Delays and Rework; Audit/Compliance Costs; Unnecessary Risk
11. Solutions for World Class Finance
3 Lenses for Visibility
Financial Control & Compliance
‐ ICFR
‐ SOX
‐ Data Governance
‐ Control Self Assessment
Risk Assurance
‐ Fraud
‐ Error
‐ FCPA
Finance Process Optimization
‐ Eliminating Waste
‐ Driving Simplification & Standardization
‐ Optimizing Cash Flow
12. Solutions for World Class Finance
Continuous Monitoring:
Four Layers & Three Lenses . . .
Transactions (CCM-T)
“Where are the exceptions? __________?”
Master Data (CCM-MD)
“Is the underlying data accurate and controlled?”
Access to Applications (CCM-SOD)
“Can anyone __________?”
Configuration of IT Systems & Processes (CCM-AC)
“Do our systems allow anyone to __________?”
“Did Do” / “Can Do”
Lenses: Financial Control & Compliance; Risk Assurance; Finance Process Optimization
13. Solutions for World Class Finance
Infor Approva CM components
Application security and user access monitoring modules
Authorizations (User Access) – “Can do”
User Activity – “Did do”
Access Manager (Provisioning) – “Can do”
Process transaction and master data monitoring modules
Procure to Pay – “Did do”
General Ledger – “Did do”
Order to Cash – “Did do”
Process Insight Studio - “Did do”
System and configuration monitoring modules
Configuration Insight - “Can do”
Certification (Attestation) Manager
14. Solutions for World Class Finance
360° view of Control & Risk Exceptions
Track Results
Identify Exceptions
View Context
Investigate
Take Actions
15. Solutions for World Class Finance
Applications
PeopleSoft Financials
PeopleSoft HRMS
Reconnet
Solomon
Catalyst BBW
Baan
LN
JD Edwards Financials
JDA
Lawson S3
Island Pacific
PKMS Receiving
JBA
IFS
MS Dynamics / Navision
Spirit MAST
MFG Pro
Sun Systems
Essbase
Ariba Buyer & Sourcing
Applications
SAP
3.1h
3.1i
4.0B
4.5B
4.6B
4.6C
4.7
ECC 5.0 & 6.0
SAP BW/BI
3.0B
3.1
3.5
Oracle - eBusiness Suite v11/12
Peoplesoft
HRMS 8.8
FI 8.8
Hyperion
HFM 3.0
HFM 4.0
Applications Monitored
16. Solutions for World Class Finance
Financial Control & Compliance Lens
Focus on Internal Controls over Financial Reporting (ICFR)
Identifying control exceptions
‐ Manage & monitor who has what access to your financial systems
Segregation of Duties
Sensitive Access
User Access Certification
Emergency & Elevated Access
Compliant User Access Provisioning
‐ Embedded (configured) Controls Monitoring
‐ Transaction Exception Monitoring
Automated Compensating Controls
Process Assurance
17. Solutions for World Class Finance
Access Control Cycle - Best Practice Approach
1. Establish Policies for SOD, Sensitive Access, Configuration Changes
2. Identify and Analyze Possible Threats
3. Remediate Threats and Establish Compensating Controls
4. Analyze Ongoing User Access Changes to Prevent New Risks
5. Automate Provisioning of Change Requests
6. Periodically Review & Certify User Access
18. Solutions for World Class Finance
Managing Segregation of Duties ... Is a Tradeoff
Freedom to Get the Job Done vs. User Access Risks
19. Solutions for World Class Finance
Infor Approva ... SOD Rules …
SAP SOD Rule
Lawson SOD Rule
20. Solutions for World Class Finance
SOD Violation example
21. Solutions for World Class Finance
Activity of User
22. Solutions for World Class Finance
Automated compensating control
23. Solutions for World Class Finance
Gartner Comment
24. Solutions for World Class Finance
Risk Assurance Lens
Risk monitoring beyond ICFR
Identifying business exceptions
‐ Error
‐ Waste
‐ Fraud
Transaction Exception Monitoring addressing . . .
Purchase to Pay
Order to Cash
Record to Report
Travel & Entertainment
HR & Payroll
FCPA
. . . .
“The typical organization loses 5% of its revenues to fraud & waste each year”
25. Solutions for World Class Finance
Potential Risks ...
Procurement:
‐ Duplicate Payments
‐ Goods delivered without a PO
‐ Non-standard payment terms
‐ Invoice value greater than received
‐ Duplicate Invoices
Sales:
– Price Reductions
– Undelivered orders
– Exceptional customer credits/returns
– Non standard payment terms
Fixed Assets:
– Inappropriate asset depreciation periods
– Misclassified capital equipment
Travel Expenses:
– Duplicate claims
– Ineligible items claims
General Ledger:
– JE postings into prior periods already closed
– Unusually large JEs
– Manual payments
– Manual journal entries requiring review and approval
26. Solutions for World Class Finance
Example Exception Rule … Conditions for Duplicate Payment
27. Solutions for World Class Finance
Exception Detail
28. Solutions for World Class Finance
PO where Vendor Name from PO Matches with OFAC SDN List
29. Solutions for World Class Finance
Gartner Comment
Approva has prebuilt integration links to multiple ERP vendors. It provides good workflow for exception management, robust reporting and intuitive rule building.
Magic Quadrant for Continuous Controls Monitoring
30. Solutions for World Class Finance
Finance Process Optimization Lens
Focus on Process Efficiency & Standardization
Identifying 'out of envelope' exceptions
Key Exception Indicators (KEIs)
‐ Transaction Exception Monitoring
Performance & Cash sapping practices
Non-standard processes
“Evolved” working practices
Local variants
Policy avoidance
31. Solutions for World Class Finance
We TRY to control standardization . . .
ERP is configured to only allow GR if PO exists, however…
Truck drops off shipment, but no PO exists
Warehouse calls up Purchasing to create a PO
Purchasing creates PO for shipment
GR is created against PO
32. Solutions for World Class Finance
What can impact process performance
... 'Key Exception Indicators'
Procure to Pay:
‐ Multi-touch POs
‐ PO mismatches a PR
‐ “Pro-forma” POs
‐ Vendor records missing key data
‐ Invoice mismatches to PO / GR
‐ Goods delivered without a PO
‐ Duplicate Vendor records
General Ledger:
– Posted documents not cleared for extended period
– Duplicated effort - Journal entries with missing key data
– Duplicate GL accounts
Order to Cash:
– Multi-touch Orders
– “Pro-forma” invoices
– Undelivered Sales Orders
– Sales Orders without Customer PO
– Changes to Payment Terms
– Customer records with missing data
– Duplicate Customer records
33. Solutions for World Class Finance
Case Study 1: Invoice Processing
Desired process
‐ Purchase Order to initiate and approve purchase
‐ Touch-less Invoice/Payment approval on match
KPIs
‐ First time match rate
‐ Invoice processing cost/effort
What can go wrong (Key Exception Indicator)
‐ Duplicate Invoices, duplicate vendors, imprecise POs
Discovery
‐ 3% duplicate invoices causing re-work and cash loss
Root Cause
‐ Different vendor records set up by different groups for same vendor
‐ Supplier resending invoices if payment not received
‐ Invoices not matching PO … needing manual review
34. Solutions for World Class Finance
Case Study 2: Purchase Order Processing
Desired process
‐ Purchase Request to approve expenditure
‐ Purchase Order to initiate and approve purchase
KPIs
‐ Maximize spend under PO
‐ PO processing cost
What can go wrong (Key Exception Indicator)
‐ Multiple touch POs, changes to PO Pricing & Terms
Discovery
‐ 11% POs change activity
Root Cause
‐ Pro-forma POs, Master Data inaccuracy
35. Solutions for World Class Finance
Case Study 3: Receivables / Collections
Desired process
‐ Short cycle order to customer invoice to payment
KPIs
‐ Days Sales Outstanding (DSO)
What can go wrong (Key Exception Indicator)
‐ Sales Order to Delivery to Invoice delay
Discovery
‐ Excellent cash collection metric undermined by use of Pro-forma invoices to confirm customer payment
Root Cause
‐ DSO KPI, Invoicing errors
36. Solutions for World Class Finance
Example Exception Rule …
PO raised on or after GR
37. Solutions for World Class Finance
Exception Detail
38. Solutions for World Class Finance
Duplicate Vendors – same tax ID
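As an added example (not part of the deck and not the Approva product's own rule engine), the exception checks named on the preceding slides, "PO raised on or after GR" and "Duplicate Vendors – same tax ID", together with the SOD "can do" versus "did do" distinction from slides 20 to 22, implemented in Python over constructed sample data. The transaction codes ME21N (create PO) and MIGO (goods movement) are standard SAP codes; the rule ID P2P-01, the tables, users and dates are all constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the deck): POs, goods receipts, vendor master, SAP authorisations.
PURCHASE_ORDERS = [
    {"po": "4500001", "vendor": "V100", "created": date(2014, 1, 10), "user": "jsmith"},
    {"po": "4500002", "vendor": "V101", "created": date(2014, 1, 20), "user": "adoe"},
]
GOODS_RECEIPTS = [
    {"gr": "5000001", "po": "4500001", "posted": date(2014, 1, 12), "user": "whouse"},
    {"gr": "5000002", "po": "4500002", "posted": date(2014, 1, 18), "user": "whouse"},  # GR before PO
]
VENDORS = [
    {"id": "V100", "name": "Acme Ltd", "tax_id": "GB123456"},
    {"id": "V101", "name": "ACME Limited", "tax_id": "GB123456"},  # second record, same tax ID
    {"id": "V102", "name": "Other Co", "tax_id": "GB999999"},
]
# Hypothetical SOD rule P2P-01: creating a PO (ME21N) conflicts with posting a goods receipt (MIGO).
SOD_RULES = {"P2P-01": ({"ME21N"}, {"MIGO"})}
USER_AUTH = {"jsmith": {"ME21N", "MIGO", "ME23N"}, "adoe": {"ME21N"}, "whouse": {"MIGO"}}
ACTIVITY = [("jsmith", "ME21N"), ("jsmith", "ME23N"), ("whouse", "MIGO"), ("adoe", "ME21N")]


def po_raised_on_or_after_gr(pos, grs):
    """Exception rule: goods receipt posted on or before the date its PO was created."""
    created = {p["po"]: p["created"] for p in pos}
    return [g["gr"] for g in grs if g["po"] in created and g["posted"] <= created[g["po"]]]


def duplicate_vendors_same_tax_id(vendors):
    """Master-data rule: more than one vendor record sharing a tax ID."""
    by_tax = defaultdict(list)
    for v in vendors:
        by_tax[v["tax_id"]].append(v["id"])
    return {t: ids for t, ids in by_tax.items() if len(ids) > 1}


def sod_can_do(rules, user_auth):
    """'Can do' view: users authorised for both sides of a conflicting pair of transactions."""
    return sorted((u, r) for r, (side_a, side_b) in rules.items()
                  for u, tx in user_auth.items() if tx & side_a and tx & side_b)


def sod_did_do(rules, activity):
    """'Did do' view: users who actually executed both sides; these need the compensating control."""
    used = defaultdict(set)
    for u, tx in activity:
        used[u].add(tx)
    return sod_can_do(rules, used)
```

On the sample data the checks flag GR 5000002, the two Acme vendor records, and jsmith as a "can do" conflict that has not yet become a "did do" exception.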
39. Solutions for World Class Finance
5 Critical Success Factors
1. Stakeholder Alignment
• Engagement, Ownership, Sustaining
2. Clarity
• Objectives, Measures, Progress
3. Process
• Project, Program, Process
4. People, Skills & Knowledge
• Train, Develop, Refresh
5. Tools
• Clarity, Focus, Precision
40. Solutions for World Class Finance
Steve Buchner
Sr. Mgr. IT Operations
Sonova
Phonak Hearing Systems
41. Solutions for World Class Finance
Sonova, Phonak & Unitron
42. Solutions for World Class Finance
Catalyst – Initial Audit Findings
2009 Audit Finding - “unrestricted SAP User access rights for critical transactions”
Authorization concept existed but lacked SOD analysis as well as necessary controls monitoring tool
43. Solutions for World Class Finance
Getting Started
Sought out help from PwC (2010)
‐ Developed SOD Ruleset
‐ Developed new SAP Role Concept (SOD compliant)
Tool Selection – choose a GRC tool (2010)
‐ Selected Approva (BizRights)
‐ Selected Consider as implementation partner
Beginning the Journey (2010 – present)
‐ Implementing new role concept
‐ Began analysis and remediation process with Consider
44. Solutions for World Class Finance
Experiences along the Road
The right security concept is the foundation
Once in place, the next effort is transitioning responsibility to the business for who gets access to what!
45. Solutions for World Class Finance
Challenges
Inefficient Security Design
‐ Too many Authorizations
‐ Too many Roles
‐ Duplicate Transactions
‐ Increased Exposure to Risk
Security resources empowered with too much user access decision-making responsibility
‐ Lack of Knowledge
‐ Lack of Time
Minimal Documentation and Automation for the User Provisioning Process
Lack of Control Framework (Segregation of Duties Matrix)
46. Solutions for World Class Finance
Transitioning Ownership from IT to Finance
47. Solutions for World Class Finance
Global Rollout
With the help of Consider, in 2013 kicked off rollout of SAP Role Concept to 12 countries
User SOD Remediation via Approva One followed after and remains in progress
48. Solutions for World Class Finance
The Access Provisioning Portal
User Remediation Complete => Keep system clean
With Consider implementing self service provisioning portal
‐ User access requests routed to appropriate approver
IT is removed from the user provisioning process!
49. Solutions for World Class Finance
The Road Ahead
Complete the current efforts
Implement Certification Manager for yearly access reviews
Extend monitoring beyond SAP
50. Solutions for World Class Finance
Entry Points for Deeper Insight
20th February 2014
51. Solutions for World Class Finance
INFOR Approva Continuous Monitoring
Best Practice Rules informed and adopted by Big 4
Business friendly for process adoption
Multi-Application Monitoring Capability
Control Attestation/Certification Capability
Ease of Integration into IT Landscape
Continuous Improvement focus
3 Lenses of GRC Success
Cost-Effective
52. Solutions for World Class Finance
Entry Points for Deeper Insight
SoD Needs Assessment & Planning Workshop
Analysis of current ERP SoD status
Industry best practice
Organisation specific policies
Assessment & benchmarking
Recommendations
Outline Plan
Workshop Review
Build the 'Case for Action'
53. Solutions for World Class Finance
Entry Points for Deeper Insight
QuickScan™ - Diagnostics for quick wins . . .
Scoped process & organisation target
Agreed risk and/or performance themes
Agreed ownership to manage and resolve transaction exceptions
Ongoing analysis of all relevant system data and transactions
Matching 100% of transactions and data against exception rules
Work flow for addressing and resolving exceptions
Process for continuous improvement
Rapid Execution, Rapid Return
54. Solutions for World Class Finance
Any Questions?
Enjoy the journey!
For any questions or a 'deeper dive' . . . .
dfrench@consider.biz
Blogerati can visit . . .
www.consider.biz/thinking/
@consider_ations
#worldclassfinance