Compliance Technology Solutions NASACT Presentation Material Robert Garagiola – AERS National Technology Practice January 31st, 2007

Page 1

Compliance Technology Solutions

NASACT Presentation Material

Robert Garagiola – AERS National Technology Practice

January 31st, 2007

Page 2

Copyright © 2007 Deloitte Development LLC. All rights reserved.

Current Situation

• The majority of companies have yet to implement sustainable technology to address governance, risk and compliance needs

– In year one, organizations were primarily focused on meeting the requirements of Section 404

– In year two, the focus was on refining the process and documentation

• Technology to enable governance, risk and compliance is now a focus

– The heroic efforts of small project teams are now being distributed into the organization’s day-to-day activities

– Minimizing the ongoing cost of compliance is a priority

– Reducing duplicative effort across multiple areas of compliance, and leveraging compliance effort across multiple regulatory requirements.

Page 3

Technology Decisions Companies Face

• Enhancing the compliance program into a more sustainable, repeatable process.

– Transform the compliance process into part of day-to-day business life.

• Assessing costs/value in moving to another compliance management solution.

– Is switching to a new solution feasible?

• Understanding the vendor landscape for the next generation of SOX technologies.

– What options are available and how do those options best fit within the organization?

• Better enabling the compliance process given the cost to implement.

– Where can new and existing technology be leveraged to support the compliance effort?

• Effective decentralization of the 404 compliance activities.

– Driving the accountability to individual process owners.

Page 4

Key Lessons Learned

Client Issue / How technology can help / Deloitte’s Offering

Client Issue: Over-reliance on manual controls
– Expensive to execute
– Time consuming to test
How technology can help:
• Reduce the cost, complexity and risk associated with managing manual and high risk controls.
• Enable automation for manual controls.
Deloitte’s Offering: Controls Rationalization; Technology Implementation

Client Issue: Excessive effort to maintain documentation.
How technology can help:
• Facilitate the documentation, assessment and reporting of controls.
Deloitte’s Offering: Controls Rationalization; Technology Implementation

Client Issue: Excessive number of controls
– Increased time to document
– Longer testing cycles
How technology can help:
• Reduce the number, cost, complexity and risk associated with controls.
• Streamline the process of controls documentation and testing.
Deloitte’s Offering: Controls Rationalization; Technology Implementation

Client Issue: Non-standardized processes and systems.
How technology can help:
• Streamline processes and systems to ensure consistency and efficiency.
Deloitte’s Offering: Business Process Reengineering; Technology Implementation

Client Issue: Internal Control responsibilities not integrated into employee performance management.
How technology can help:
• Enable workflow.
• Ensure accountability.
Deloitte’s Offering: Change Management; Technology Implementation

404 Tool consideration

Page 5

How it All Fits Together

The compliance framework illustrates the inter-relationships between the technology components of the compliance landscape that enable a sustainable compliance program.

Compliance Framework

Company-specific business requirements (i.e. industry, organization, structure), compliance requirements (i.e. SOX, A123, HIPAA, Basel II, FDA), and infrastructure landscape (i.e. ERP system, legacy applications, IT infrastructure) are all factored into the consideration of automated & monitoring controls technology.

Figure: Compliance Framework. Components shown: Technology Infrastructure, Integrated Compliance Dashboard, Compliance Management, Control Testing, Manual Controls, Automated Controls, Controls Monitoring.

Page 6

Sarbanes-Oxley Section 404 – Internal Control Tools

• Vendors offer different approaches to implementing and managing internal controls in their products.

• Many of these products provide functionality that can support sustained Sarbanes-Oxley compliance efforts.

– Integration with ERPs and financial reporting systems

– Automation & monitoring of controls and system configuration settings

• The ERP vendors are expected to possess an advantage for companies that already use and support a vendor’s product

– Seamless integration with the organization's ERP can provide additional value to the compliance process.

• Companies need to assess a product’s migration capabilities to facilitate a smooth, accurate data transformation and upload.

• Companies must consider their technology environment and business requirements to determine the best fit.

Page 7

Sample Vendors

ERPs & Large Software Vendors

• Leverage an existing platform & applications
• Better leverage automated controls, continuous monitoring and workflow
• Provide easier integration with core financial and other related applications
• Track remediation efforts

Specialty Vendors

• Leverage workflow, business process management, document management, compliance management, internal audit support, self-assessment and surveying capabilities
• Integration with 3rd party technologies such as monitoring tools, document management tools, ERPs
• Other benefits – corporate governance, ERM, Basel II
• Most significant market share
• There are a multitude of other vendors that are either in the market or coming to the market that are recognized by industry analysts

Page 8

Tool Selection Based on Two Strategic Areas

• Best fit with technical infrastructure to ease integration and support efforts

– Determination of technical infrastructure requirements will help establish the degree of interoperability with existing infrastructure and IT operations.

• Best fit with your business needs

– Understand the key functionality necessary to meet business needs.

– Evaluate how the tools offer a long term sustainable strategy to maintain and improve SOX compliance efforts.

– Extendibility of this solution to aid other regulatory requirements outside of Sarbanes-Oxley.

– Assess solution’s ability to integrate with:

• Financial Management & HR systems
• Business Process Management & Risk Management programs
• Internal Audit tools
• Continuous Control Monitoring tools

– Consider solution’s ability to provide new functionality and process efficiencies to the compliance process effort.

– Recognize the impact of cost and licensing options.

Page 9

Key Functionality and Other Benefits

• Key Functionality to consider in a 404 Tool

– Setup and organization of the information
– Ease of use
– Document management capabilities
– Surveying capabilities
– Self assessments
– Issue tracking
– Control testing and remediation
– Other capabilities: copy forward, audit trail, multilingual support
– Workflow & Notification
– Reporting and dashboards
– Integration with other technologies

• Other Benefits offered by these tools beyond 404

– ERM
– FDICIA/Basel II compliance
– Corporate Governance

Page 10

Vendor Selection Project Approach

To effectively select the compliance software vendor, a three-phase approach is optimal:

Phase I: Planning and Requirements Definition

• Execute project kickoff and determine roles and responsibilities
• Establish process flow and business needs
• Build list of Subject Matter Resources
• Finalize findings and document the requirements of the compliance program

Phase II: Request for Information Development and Execution

• Research vendors and trim list to the most viable candidates
• Develop and release RFI to vendor candidates
• Compile responses and trim the demo list to 2-3 vendors
• Execute vendor demonstration process
• Score and compile results

Phase III: Final Analysis and Recommendation

• Finalize the selection process
• Present the compliance system recommendation
• Execute follow-up steps toward solution implementation

Page 11

Roadmap to an Improved Compliance Program

• The journey begins with an Internal Controls repository.

• Over time, the more effective program integrates complementary technology.

• Via integrated technology, the value of the program extends beyond compliance.

• Consider additional technology to realize:

– More efficient documentation management

– Better vision into the control environment through continuous monitoring

– Shorter Testing Cycles

Figure: roadmap plotting Value (vertical axis) against Time (horizontal axis). Labels: Internal Controls Repository, General Computer Controls, Segregation of Duties, Automated Application Controls, Continuous Monitoring; stages: Manual Controls, Automated, Monitoring.

Page 12

How it All Fits Together

(Compliance Framework figure repeated from page 5.)

Page 13

The Evolution of Compliance: Where are you today?

Start

– Risk based approach
– Rationalized controls
– Management platform

Manual

– Manually intensive testing procedures
– Large sample sizes
– Approach not driven by risk
– Redundant controls
– Manually-intensive processes and controls
– Inefficient testing
– “Reactive” approach to identifying & addressing control issues

Automate

– Application controls
– User access & SOD controls
– Efficient operation of controls
– Efficient testing of controls
– Some automated testing capabilities
– Reduced sample sizes

Monitor

– Continuous monitoring controls
– Efficient operation of controls
– “Proactive” approach to identifying & addressing control issues
– Demonstrated effectiveness of controls
– Sustainable compliance processes
– ROI / Business value

Stages along the arrow: Start, Manual, Automate, Monitor (from manual-based processes and controls to technology-enabled processes & controls)

Where is your compliance program today?

As companies evolve their compliance environments, controls will transform from manually-intensive, less reliable, inefficient controls to technology-based (automated & monitoring), cost-effective, reliable controls that enable a sustainable compliance program.

Page 14

The Evolution of Controls

Manual Controls, Automated Controls, Controls Monitoring

As companies evolve their compliance environments, controls will transform from manually-intensive, less reliable, inefficient controls to technology-based (automated & monitoring), cost-effective, reliable controls that enable a sustainable compliance program.

Reliability Considerations

• Automated and CM controls operate consistently
• Automated and CM controls require reduced human interaction

Efficiency Considerations

• Operation: Automated & CM controls require reduced human interaction
• Testing: Automated and CM controls demonstrate effectiveness, and allow reduced sample sizes

An Illustrative Example

The graph illustrates the Reliability & Efficiency benefits of Automated and Manual controls.

Figure: controls plotted by Reliability (vertical axis) against Efficiency (horizontal axis).

Page 15

Moving up the Value Chain

Improve Controls & Reduce Cost: Drive Sustainable Cost-Effective Compliance
Apply controls automation & monitoring techniques to achieve regulatory control objectives (e.g., SOX: financial reporting control objectives & risks)

Improve Operations: Drive Operational Improvement
Apply controls automation & monitoring techniques to achieve operational control objectives (e.g., Merchandise Management)

Optimize Processes: Drive Process Improvement
Apply technology to optimize processes (e.g., financial, operational, compliance, etc.)

To move up the value chain, companies should leverage technology-enabled control capabilities used to achieve financial control objectives, to address operational control objectives and process improvement opportunities.

Initial technology investment for compliance could be leveraged to improve operations and optimize processes.

Page 16

An Approach for Evolving Controls for Compliance

Companies can use the following approach to leverage technology-enabled control capabilities.

Assess Existing Control & Technology Environments

– Use a top down, risk-based approach to scope the environment
– Consider integrating multiple compliance requirements
– Create a benchmark of existing controls by entity and/or location
– Identify inefficient and less effective controls
– Inventory existing technology landscape

Develop a Strategy for Compliance Technology*

– Develop a strategy for leveraging technology-enabled controls, including consideration of the following:
• Evaluate existing technology for automation & monitoring capabilities
• Identify technology solutions for inefficient and less effective controls
• Develop a prioritized set of technology-enabled control solutions*

Design & Implement Technology Enabled Controls

– Design technology-enabled controls for business & IT processes, including:
• Automated controls
• Monitoring controls
– Implement technology-enabled controls
– Develop risk-based test plans that leverage technology capabilities
– Deploy updated training & communications
– Update operations to support new technology

*The strategy will form the basis of a roadmap for the evolution of controls for compliance.

Page 17

How it All Fits Together

Compliance Framework

Figure: Compliance Framework (Technology Infrastructure, Integrated Compliance Dashboard, Compliance Management, Control Testing, Controls Monitoring, Automated Controls, Manual Controls), annotated with representative vendors for each area.

Many vendor solutions are moving to cover automated and monitoring control capabilities; however, none yet covers all areas.

Representative vendors (*Representative List Only):

• Axentis, IBM, Certus, Fujitsu, Oracle, Paisley, OpenPages, SAP
• ACL, Approva, Computer Associates, Fujitsu, HP, IBM, Logical Apps, Mercury, Oversight, Oracle/PeopleSoft, SAP/Virsa, Sun Microsystems, SAS, Symantec, webMethods
• Approva, Computer Associates, Courion, IBM, Fujitsu, HP, Logical Apps, Oracle/PeopleSoft, Oversight, SAP/Virsa, Sun Microsystems

Page 18

Controls Monitoring

Category / Features / Benefits

Transaction Monitoring
Features:
• Identify suspicious transactions
• Identify inappropriate flows (e.g., duplicate payments)
Benefits:
• Provide evidence of control operation / quickly identify issues

Master Data Monitoring
Features:
• Monitor changes to master data files (e.g., Supplier Master) for suspicious activity
Benefits:
• Identify and address suspicious changes to master data
• Detect stale master file records

Access Control Monitoring
Features:
• Monitor changes to user access / roles
• Monitor access to sensitive transactions and data
Benefits:
• Detect unauthorized modifications to user access / roles

Segregation of Duties Monitoring
Features:
• Identify SOD violations
• Detect executed transactions that violate SOD rules
Benefits:
• Prevent SOD conflicts that increase the risk of fraud & error

Configuration
Features:
• Detect changes to system configurations that may increase risks of fraud & error
Benefits:
• Demonstrate the continued effectiveness of application controls

Manual Process & Control Monitoring
Features:
• Ensure the initiation and completion of manual business & IT processes & controls
Benefits:
• Provide an audit trail for manual processes
• Increase effectiveness & efficiency of manual business & IT processes and controls

IT General Controls
Features:
• Security / access controls
• Change management controls
• IT Operations controls
Benefits:
• Enable increased reliance on automated business process controls
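The Master Data Monitoring row above lists two detective capabilities: flagging suspicious changes to a master file such as the Supplier Master, and detecting stale records. The following Python script is an added example (not from the presentation or any vendor product) showing one way to implement both by comparing two snapshots of a supplier master. The field names, the set of payment-relevant fields, the 365-day staleness threshold and the sample records are all constructed assumptions.

```python
"""Supplier master monitoring: sensitive changes and stale records.

Added example, not from the presentation: it compares two constructed snapshots
of a supplier master file, reports every changed field, separates the changes
that touch payment-relevant fields, and lists records with no payment activity
for a year. Field names, thresholds and sample data are all assumptions.
"""
from datetime import date

# Assumed: fields whose change must be reviewed before the next payment run.
SENSITIVE_FIELDS = {"payee_name", "bank_account", "bank_routing"}
# Assumed: audit metadata that is not itself a monitored attribute.
METADATA_FIELDS = {"changed_by"}
STALE_AFTER_DAYS = 365  # assumption: no payment within a year marks a record stale
AS_OF = date(2007, 1, 31)  # constructed review date

# Constructed snapshot taken before a batch of master-data changes.
BEFORE = {
    "S100": {"payee_name": "Acme Supplies", "bank_account": "111222",
             "bank_routing": "021000021", "phone": "555-0100",
             "last_paid": date(2006, 12, 15), "changed_by": "jdoe"},
    "S200": {"payee_name": "Northwind Ltd", "bank_account": "333444",
             "bank_routing": "021000021", "phone": "555-0200",
             "last_paid": date(2005, 6, 1), "changed_by": "jdoe"},
    "S300": {"payee_name": "Globex", "bank_account": "555666",
             "bank_routing": "011000015", "phone": "555-0300",
             "last_paid": date(2007, 1, 10), "changed_by": "asmith"},
}

# Constructed snapshot taken after the batch: one bank account change,
# one phone change, one new payee.
AFTER = {
    "S100": dict(BEFORE["S100"], bank_account="999888", changed_by="asmith"),
    "S200": dict(BEFORE["S200"]),
    "S300": dict(BEFORE["S300"], phone="555-0301", changed_by="jdoe"),
    "S400": {"payee_name": "Initech", "bank_account": "777000",
             "bank_routing": "011000015", "phone": "555-0400",
             "last_paid": None, "changed_by": "asmith"},
}


def diff_master(before, after):
    """Return one finding per added record, removed record or changed field."""
    findings = []
    for sid in sorted(set(before) | set(after)):
        if sid not in before:
            findings.append({"supplier": sid, "field": "record", "old": None,
                             "new": "added", "changed_by": after[sid].get("changed_by")})
            continue
        if sid not in after:
            findings.append({"supplier": sid, "field": "record", "old": "present",
                             "new": "removed", "changed_by": None})
            continue
        fields = (set(before[sid]) | set(after[sid])) - METADATA_FIELDS
        for field in sorted(fields):
            old, new = before[sid].get(field), after[sid].get(field)
            if old != new:
                findings.append({"supplier": sid, "field": field, "old": old,
                                 "new": new, "changed_by": after[sid].get("changed_by")})
    return findings


def stale_records(master, as_of):
    """Supplier ids whose last payment is older than STALE_AFTER_DAYS.
    Records never paid (last_paid None) are new payees, not stale ones."""
    return [sid for sid, rec in sorted(master.items())
            if rec.get("last_paid") is not None
            and (as_of - rec["last_paid"]).days > STALE_AFTER_DAYS]


def review_report(before, after, as_of):
    """Split findings into those needing review before payment and the rest."""
    findings = diff_master(before, after)
    sensitive = [f for f in findings
                 if f["field"] == "record" or f["field"] in SENSITIVE_FIELDS]
    other = [f for f in findings if f not in sensitive]
    return {"sensitive": sensitive, "other": other,
            "stale": stale_records(after, as_of)}


if __name__ == "__main__":
    report = review_report(BEFORE, AFTER, AS_OF)
    for f in report["sensitive"]:
        print(f"REVIEW {f['supplier']} {f['field']}: {f['old']!r} -> {f['new']!r} "
              f"(changed by {f['changed_by']})")
    for f in report["other"]:
        print(f"info   {f['supplier']} {f['field']}: {f['old']!r} -> {f['new']!r}")
    print("stale:", report["stale"])
```

Treating a new payee record as a sensitive change is deliberate: a fictitious supplier is created rather than modified, so an add-only event has to reach the same reviewer as a bank account change. The stale-record list feeds the periodic clean-up the Benefits column describes; deactivating such records removes a place where a duplicate or diverted payment can hide.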

Page 19

Case Study: Duplicate Payments/Invoices

Manual Control Procedure

Operational Considerations:
• Monthly review of payment register reports to identify and resolve issues.
• Duplicate payments are identified after cash flows out of the business.
Business Value Realized:
• Duplicate invoices identified up to 31 days after payments. Cash from duplicate payments is collected within 90 days.
Testing Considerations:
• Sample Size: Maximum (25)
• Coverage: Points along the audit period
• Self Testing: Low Objectivity

Automated Control Procedure

Operational Considerations:
• System is configured to provide alerts to users when exact duplicate invoices are detected.
• Most duplicate payments are prevented.
Business Value Realized:
• 80% of duplicate payments are prevented, which provides a positive impact on cash flows.
Testing Considerations:
• Sample Size: Minimum (1)
• Coverage: A point in time
• Self Testing: Low Objectivity

Controls Monitoring

Operational Considerations:
• Configuration: management is alerted of changes in real time.
• Transactions: invoices entered are monitored for suspected duplicates based on multiple criteria in real time.
• All configuration changes and potential duplicate payments are reviewed by management in real time.
Business Value Realized:
• All duplicate payments are reviewed and authorized in real time, prior to impacting operations and financial results.
Testing Considerations:
• Sample Size: Minimum (1)
• Coverage: 100% coverage
• Self Testing: Effectiveness of controls demonstrated by monitoring capability
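The case study contrasts an automated control that alerts only on exact duplicate invoices with a monitoring control that screens every invoice on multiple criteria in real time. The Python script below is an added example, not code from the presentation or from any vendor, that implements both side by side: an exact-match check, and a multi-criteria check (normalised invoice number; same vendor, same amount, within a date window) that can run as a batch review of the register or as a screen on each newly entered invoice. The invoice records, the 7-day window, the amount tolerance and the normalisation rule are constructed assumptions.

```python
"""Duplicate invoice screening: exact match versus multi-criteria monitoring.

Added example, not from the presentation. exact_duplicates() models the
automated control (alert on exact duplicate invoices); match_criteria() and
screen_on_entry() model the monitoring control that checks each invoice as
it is entered against several criteria. Invoice data, field names, the
7-day window and the amount tolerance are constructed assumptions.
"""
import re
from datetime import date
from itertools import combinations

DATE_WINDOW_DAYS = 7     # assumption: same vendor + amount within a week is suspect
AMOUNT_TOLERANCE = 0.01  # assumption: treat sub-cent differences as equal

# Constructed invoice register: id 2 is an exact copy of 1, id 3 re-keys the
# same invoice with different punctuation, id 5 is a same-amount invoice from
# the same vendor two days after id 4, id 6 shares 1's details but another vendor.
INVOICES = [
    {"id": 1, "vendor": "S100", "invoice_no": "INV-1001", "amount": 1250.00, "inv_date": date(2007, 1, 5)},
    {"id": 2, "vendor": "S100", "invoice_no": "INV-1001", "amount": 1250.00, "inv_date": date(2007, 1, 5)},
    {"id": 3, "vendor": "S100", "invoice_no": "inv 1001", "amount": 1250.00, "inv_date": date(2007, 1, 9)},
    {"id": 4, "vendor": "S200", "invoice_no": "A-77", "amount": 980.00, "inv_date": date(2007, 1, 12)},
    {"id": 5, "vendor": "S200", "invoice_no": "B-78", "amount": 980.00, "inv_date": date(2007, 1, 14)},
    {"id": 6, "vendor": "S300", "invoice_no": "INV-1001", "amount": 1250.00, "inv_date": date(2007, 1, 5)},
]

# Constructed invoice arriving later: same number as 1 with leading zeros, outside the window.
NEW_INVOICE = {"id": 7, "vendor": "S100", "invoice_no": "00INV1001", "amount": 1250.00,
               "inv_date": date(2007, 1, 20)}


def normalize_invoice_no(raw):
    """Fold case, drop punctuation/whitespace and leading zeros so re-keyed numbers collide."""
    return re.sub(r"[^A-Z0-9]", "", raw.upper()).lstrip("0")


def exact_duplicates(invoices):
    """Automated control: pairs whose vendor, invoice number and amount match exactly."""
    pairs = []
    for a, b in combinations(invoices, 2):
        if (a["vendor"], a["invoice_no"], a["amount"]) == (b["vendor"], b["invoice_no"], b["amount"]):
            pairs.append((a["id"], b["id"]))
    return pairs


def match_criteria(a, b):
    """Monitoring control: names of the criteria on which two invoices look like duplicates."""
    if a["vendor"] != b["vendor"]:
        return ()
    hits = []
    if (abs(a["amount"] - b["amount"]) <= AMOUNT_TOLERANCE
            and abs((a["inv_date"] - b["inv_date"]).days) <= DATE_WINDOW_DAYS):
        hits.append("amount_date_window")
    if normalize_invoice_no(a["invoice_no"]) == normalize_invoice_no(b["invoice_no"]):
        hits.append("normalized_invoice_no")
    return tuple(hits)


def suspected_duplicates(invoices):
    """Batch review of the register: (id, id, criteria) for every suspicious pair."""
    results = []
    for a, b in combinations(invoices, 2):
        hits = match_criteria(a, b)
        if hits:
            results.append((a["id"], b["id"], hits))
    return results


def screen_on_entry(new_invoice, register):
    """Real-time check of one newly entered invoice against the existing register."""
    scored = [(old["id"], match_criteria(old, new_invoice)) for old in register]
    return [(old_id, hits) for old_id, hits in scored if hits]


if __name__ == "__main__":
    print("exact duplicates:", exact_duplicates(INVOICES))
    for a, b, hits in suspected_duplicates(INVOICES):
        print(f"suspect {a} vs {b}: {', '.join(hits)}")
    print("on entry:", screen_on_entry(NEW_INVOICE, INVOICES))
```

On this register the exact-match control catches only the pair (1, 2); the multi-criteria screen also surfaces the re-keyed invoice 3 and the same-amount pair (4, 5). Reporting which criteria matched lets the reviewer prioritise: a pair that matches on both number and amount/date is a near-certain duplicate, while an amount/date match alone is a lead to confirm with the vendor.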

Page 20

Case Study: User Access / SOD

Manual Process & Controls

Operational Considerations:
• The user access authorization process is manually intensive, disconnected, and lengthy. Access creep is common due to changing roles & responsibilities.
• The manual process is not integrated across applications. SOD considerations are limited and narrowly focused.
Business Value Realized:
• Limited control of user access and SOD based upon job responsibilities.
Testing Considerations:
• Sample Size: Maximum (25)
• Coverage: Points along the audit period
• Self Testing: Low Objectivity

Automated Process & Controls

Operational Considerations:
• Use of workflow tools, with access & SOD requirements enforced via configured and preventive controls. Establish and maintain a repository of rules for enhanced decision making.
Business Value Realized:
• Workflow driven authorization process is more efficient and reliable, and preventive access controls reduce risks.
• Improved definition and grasp of organizational roles & responsibilities, and visibility into organizational structure.
Testing Considerations:
• Sample Size: Minimum (1)
• Coverage: A point in time
• Self Testing: Low Objectivity

Controls Monitoring

Operational Considerations:
• Configuration: management is alerted of changes in real time.
• Transactions: business transactions are monitored to detect SOD violations in real time. All changes are recorded for audit purposes.
Business Value Realized:
• Transactions violating access and SOD rules are detected and addressed in a timely manner.
• Timely insight into organizational changes and identification of potential errors and fraud.
Testing Considerations:
• Sample Size: Minimum (1)
• Coverage: 100% coverage
• Self Testing: Effectiveness of controls demonstrated by monitoring capability
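The Segregation of Duties Monitoring row of the controls monitoring table and the case study above describe three checks built on one rules repository: a preventive check in the access-request workflow, a detective check of standing access, and real-time monitoring of executed transactions that violate SOD rules. The Python script below is an added example, not the presentation's or any vendor's code, that implements all three against constructed rules, roles, user assignments and a transaction log; every function, role and user name in it is an assumption.

```python
"""Segregation-of-duties monitoring against a rules repository.

Added example, not from the presentation. It keeps a repository of conflicting
business functions, derives each user's effective functions from role
assignments, and reports three things: access combinations that violate a
rule (detective), a grant that would create a conflict (preventive, the
workflow check), and executed transactions where one user performed both
sides of a conflict on the same document (continuous monitoring). Rules,
roles, users and the transaction log are constructed.
"""

# Assumed rules repository: pairs of functions one person must not hold together.
SOD_RULES = [
    ("create_vendor", "approve_payment"),
    ("enter_invoice", "approve_payment"),
]

# Constructed role definitions and assignments.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"enter_invoice", "create_vendor"},
    "AP_MANAGER": {"approve_payment"},
    "VENDOR_ADMIN": {"create_vendor"},
    "READ_ONLY": set(),
}
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},   # holds both sides of two rules
    "carol": {"AP_MANAGER"},
    "dave": {"VENDOR_ADMIN", "READ_ONLY"},
}

# Constructed transaction log: (timestamp, user, function, document).
TRANSACTIONS = [
    ("2007-01-10T09:00", "alice", "enter_invoice", "INV-500"),
    ("2007-01-10T10:00", "carol", "approve_payment", "INV-500"),
    ("2007-01-11T09:00", "bob", "enter_invoice", "INV-501"),
    ("2007-01-11T09:05", "bob", "approve_payment", "INV-501"),
    ("2007-01-12T09:00", "dave", "create_vendor", "V-900"),
    ("2007-01-12T09:30", "carol", "approve_payment", "V-900"),
]


def effective_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Union of the functions granted through every role the user holds."""
    return set().union(*(role_functions[r] for r in user_roles.get(user, ())))


def violated_rules(functions):
    """Rules for which a single function set contains both conflicting functions."""
    return [rule for rule in SOD_RULES if set(rule) <= functions]


def access_conflicts(user_roles=USER_ROLES):
    """Detective check: (user, rule) for every standing SOD conflict in access."""
    return sorted((u, rule) for u in user_roles
                  for rule in violated_rules(effective_functions(u, user_roles)))


def would_conflict(user, new_role):
    """Preventive check for a workflow: new rules a proposed role grant would violate."""
    current = effective_functions(user)
    after = current | ROLE_FUNCTIONS[new_role]
    return [rule for rule in violated_rules(after) if rule not in violated_rules(current)]


def executed_violations(transactions):
    """Monitoring check: one user performed both sides of a rule on the same document."""
    performed = {}
    for _ts, user, function, document in transactions:
        performed.setdefault((user, document), set()).add(function)
    return sorted((user, document, rule)
                  for (user, document), funcs in performed.items()
                  for rule in violated_rules(funcs))


if __name__ == "__main__":
    print("standing conflicts:", access_conflicts())
    print("grant alice AP_MANAGER would violate:", would_conflict("alice", "AP_MANAGER"))
    print("executed violations:", executed_violations(TRANSACTIONS))
```

The detective and monitoring checks answer different questions: access_conflicts() shows that bob could both enter and approve, while executed_violations() shows that he actually did so on INV-501, which is the finding that needs a transaction-level review. Keeping the rules in one repository, as the case study recommends, means the preventive workflow check and the monitoring check cannot drift apart.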

Page 21

Closing Thoughts

• CCM can enhance the effectiveness of controls and increase efficiencies

– Reduces cost and reliance on external resources, increasing control reliability

– Allows Internal Audit and line staff to perform their assigned roles and responsibilities

– Provides real-time information for proactive and preventive measures

– Leverages real-time information and compliance investment for value generation

– Improves on data and control quality through sustainable and repeatable process

• Controls monitoring is a key component of the compliance evolution

• Technology can and should play a central role in controls automation and monitoring

• A good first step is to develop a roadmap that can begin quickly during the next fiscal year

Page 22