Compliance Technology Solutions – NASACT Presentation Material. Robert Garagiola – AERS National Technology Practice. January 31st, 2007
Mar 27, 2015
Copyright © 2007 Deloitte Development LLC. All rights reserved. 2
Current Situation
• The majority of companies have yet to implement sustainable technology to address governance, risk and compliance needs
– In year one, organizations were primarily focused on meeting the requirements of Section 404
– In year two, the focus was on refining the process and documentation
• Technology to enable governance, risk and compliance is now a focus
– The heroic efforts of small project teams are now being distributed into the organization’s day-to-day activities
– Minimizing the ongoing cost of compliance is a priority
– Eliminating duplicative efforts across multiple areas of compliance, so that one compliance effort can be leveraged across multiple regulatory requirements.
Technology Decisions Companies Face
• Enhancing the compliance program into a more sustainable, repeatable process.
– Transform the compliance process into part of day-to-day business life.
• Assessing costs/value in moving to another compliance management solution.
– Is switching to a new solution feasible?
• Understanding the vendor landscape for the next generation of SOX technologies.
– What options are available, and how do those options best fit within the organization?
• Better enabling the compliance process given the cost to implement.
– Where can new and existing technology be leveraged to support the compliance effort?
• Effective decentralization of the 404 compliance activities.
– Driving the accountability to individual process owners.
Key Lessons Learned
(Table columns: Client Issue; How technology can help; Deloitte’s Offering)

Client Issue: Over-reliance on manual controls
– Expensive to execute
– Time consuming to test
How technology can help:
• Reduce the cost, complexity and risk associated with managing manual and high-risk controls.
• Enable automation for manual controls.
Deloitte’s Offering: Controls Rationalization; Technology Implementation

Client Issue: Excessive effort to maintain documentation.
How technology can help:
• Facilitate the documentation, assessment and reporting of controls.
Deloitte’s Offering: Controls Rationalization; Technology Implementation

Client Issue: Excessive number of controls
– Increased time to document
– Longer testing cycles
How technology can help:
• Reduce the number, cost, complexity and risk associated with controls.
• Streamline the process of controls documentation and testing.
Deloitte’s Offering: Controls Rationalization; Technology Implementation

Client Issue: Non-standardized processes and systems.
How technology can help:
• Streamline processes and systems to ensure consistency and efficiency.
Deloitte’s Offering: Business Process Reengineering; Technology Implementation

Client Issue: Internal Control responsibilities not integrated into employee performance management.
How technology can help:
• Enable workflow.
• Ensure accountability.
Deloitte’s Offering: Change Management; Technology Implementation

404 Tool consideration
How it All Fits Together
The compliance framework illustrates the inter-relationships between the technology components of the compliance landscape that enable a sustainable compliance program.
Compliance Framework
Company-specific business requirements (e.g. industry, organization, structure), compliance requirements (e.g. SOX, A123, HIPAA, Basel II, FDA), and infrastructure landscape (e.g. ERP system, legacy applications, IT infrastructure) are all factored into the consideration of automated & monitoring controls technology.
Framework components shown in the diagram: Technology Infrastructure; Integrated Compliance Dashboard; Compliance Management; Control Testing; Manual Controls; Automated Controls; Controls Monitoring.
Sarbanes-Oxley Section 404 – Internal Control Tools
• Vendors offer different approaches to implementing and managing internal controls in their products.
• Many of these products provide functionality that can support sustained Sarbanes-Oxley compliance efforts.
– Integration with ERPs and financial reporting systems
– Automation & monitoring of controls and system configuration settings
• The ERP vendors are expected to possess an advantage for companies that already use and support a vendor’s product
– Seamless integration with the organization's ERP can provide additional value to the compliance process.
• Companies need to assess a product’s migration capabilities to facilitate a smooth, accurate data transformation and upload.
• Companies must consider their technology environment and business requirements to determine the best fit.
Sample Vendors
ERPs & Large Software Vendors
• Leverage an existing platform & applications
• Better leverage automated controls, continuous monitoring and workflow
• Provide easier integration with core financial and other related applications
• Track remediation efforts
Specialty Vendors
• Leverage workflow, business process management, document management, compliance management, internal audit support, self-assessment and surveying capabilities
• Integration with 3rd party technologies such as monitoring tools, document management tools, ERPs
• Other benefits – corporate governance, ERM, Basel II
• Most significant market share
• There are a multitude of other vendors that are either in the market or coming to the market that are recognized by industry analysts
Tool Selection Based on Two Strategic Areas
• Best fit with technical infrastructure to ease integration and support efforts
– Determination of technical infrastructure requirements will help establish the degree of interoperability with existing infrastructure and IT operations.
• Best fit with your business needs
– Understand the key functionality necessary to meet business needs.
– Evaluate how the tools offer a long-term sustainable strategy to maintain and improve SOX compliance efforts.
– Extendibility of this solution to aid other regulatory requirements outside of Sarbanes-Oxley.
– Assess the solution’s ability to integrate with:
• Financial Management & HR systems
• Business Process Management & Risk Management programs
• Internal Audit tools
• Continuous Control Monitoring tools
– Consider the solution’s ability to provide new functionality and process efficiencies to the compliance process effort.
– Recognize the impact of cost and licensing options.
Key Functionality and Other Benefits
• Key Functionality to consider in a 404 Tool
– Setup and organization of the information
– Ease of use
– Document management capabilities
– Surveying capabilities
– Self assessments
– Issue tracking
– Control testing and remediation
– Other capabilities: copy forward, audit trail, multilingual support
– Workflow & Notification
– Reporting and dashboards
– Integration with other technologies
• Other Benefits offered by these tools beyond 404
– ERM
– FDICIA/Basel II compliance
– Corporate Governance
Vendor Selection Project Approach
To effectively select the compliance software vendor, a three phased approach is optimal:
Phase I – Planning and Requirements Definition
• Execute project kickoff and determine roles and responsibilities.
• Establish process flow and business needs.
• Build list of Subject Matter Resources.
• Finalize findings and document the requirements of the compliance program.
Phase II – Request for Information Development and Execution
• Research vendors and trim list to the most viable candidates.
• Develop and release RFI to vendor candidates.
• Compile responses and trim the demo list to 2-3 vendors.
• Execute vendor demonstration process.
• Score and compile results.
Phase III – Final Analysis and Recommendation
• Finalize the selection process.
• Present the compliance system recommendation.
• Execute follow-up steps toward solution implementation.
Roadmap to an Improved Compliance Program
• The journey begins with an Internal Controls repository.
• Over time, the more effective program integrates complementary technology.
• Via integrated technology, the value of the program extends beyond compliance.
• Consider additional technology to realize:
– More efficient documentation management
– Better vision into the control environment through continuous monitoring
– Shorter Testing Cycles
Roadmap chart (Value over Time): stages shown are Internal Controls Repository, General Computer Controls, Segregation of Duties, Automated Application Controls and Continuous Monitoring, with controls moving from Manual Controls through Automated to Monitoring.
The Evolution of Compliance: Where are you today?
Stages shown on the slide: Start (Manual) → Automate → Monitor, moving from manual-based processes and controls to technology-enabled processes & controls.
Manual (Start):
– Manually intensive testing procedures
– Large sample sizes
– Approach not driven by risk
– Redundant controls
– Manually-intensive processes and controls
– Inefficient testing
– “Reactive” approach to identifying & addressing control issues
Automate:
– Risk based approach
– Rationalized controls
– Management platform
– Application controls
– User access & SOD controls
– Efficient operation of controls
– Efficient testing of controls
– Some automated testing capabilities
– Reduced sample sizes
Monitor:
– Continuous monitoring controls
– Efficient operation of controls
– “Proactive” approach to identifying & addressing control issues
– Demonstrated effectiveness of controls
– Sustainable compliance processes
– ROI / Business value
Where is your compliance program today?
As companies evolve their compliance environments, controls will transform from manually-intensive, less reliable, inefficient controls to technology-based (automated & monitoring), cost-effective, reliable controls that enable a sustainable compliance program.
The Evolution of Controls
Stages: Manual Controls → Automated Controls → Controls Monitoring
The graph (an illustrative example, plotting Reliability against Efficiency) illustrates the Reliability & Efficiency benefits of Automated and Manual controls:
Reliability Considerations
• Automated and CM controls operate consistently
• Automated and CM controls require reduced human interaction
Efficiency Considerations
• Operation: Automated & CM controls require reduced human interaction
• Testing: Automated and CM controls demonstrate effectiveness, and allow reduced sample sizes
As companies evolve their compliance environments, controls will transform from manually-intensive, less reliable, inefficient controls to technology-based (automated & monitoring), cost-effective, reliable controls that enable a sustainable compliance program.
Moving up the Value Chain
• Improve Controls & Reduce Cost – Drive Sustainable Cost-Effective Compliance: Apply controls automation & monitoring techniques to achieve regulatory control objectives (e.g., SOX: financial reporting control objectives & risks)
• Improve Operations – Drive Operational Improvement: Apply controls automation & monitoring techniques to achieve operational control objectives (e.g., Merchandise Management)
• Optimize Processes – Drive Process Improvement: Apply technology to optimize processes (e.g., financial, operational, compliance, etc.)
To move up the value chain, companies should leverage the technology-enabled control capabilities used to achieve financial control objectives to address operational control objectives and process improvement opportunities.
Initial technology investment for compliance could be leveraged to improve operations and optimize processes.
An Approach for Evolving Controls for Compliance
Companies can use the following approach to leverage technology-enabled control capabilities.
Assess Existing Control & Technology Environments
– Use a top down, risk-based approach to scope the environment
– Consider integrating multiple compliance requirements
– Create a benchmark of existing controls by entity and/or location
– Identify inefficient and less effective controls
– Inventory existing technology landscape
Develop a Strategy for Compliance Technology*
– Develop a strategy for leveraging technology-enabled controls, including consideration of the following:
• Evaluate existing technology for automation & monitoring capabilities
• Identify technology solutions for inefficient and less effective controls
• Develop a prioritized set of technology-enabled control solutions*
Design & Implement Technology Enabled Controls
– Design technology-enabled controls for business & IT processes, including:
• Automated controls
• Monitoring controls
– Implement technology-enabled controls
– Develop risk-based test plans that leverage technology capabilities
– Deploy updated training & communications
– Update operations to support new technology
*The strategy will form the basis of a roadmap for the evolution of controls for compliance.
How it All Fits Together
Compliance Framework (diagram components: Technology Infrastructure; Integrated Compliance Dashboard; Compliance Management; Control Testing; Controls Monitoring; Automated Controls; Manual Controls)
*Representative List Only
There is a strong march of vendor solutions catering to automated and monitoring control capabilities; however, none yet covers all areas.
Representative vendors named on the slide*:
• Axentis, IBM, Certus, Fujitsu, Oracle, Paisley, OpenPages, SAP
• ACL, Approva, Computer Associates, Fujitsu, HP, IBM, Logical Apps, Mercury, Oversight, Oracle/PeopleSoft, SAP/Virsa, Sun Microsystems, SAS, Symantec, webMethods
• Approva, Computer Associates, Courion, IBM, Fujitsu, HP, Logical Apps, Oracle/PeopleSoft, Oversight, SAP/Virsa, Sun Microsystems
Controls Monitoring
(Table columns: Category; Features; Benefits)
Transaction Monitoring
Features: Identify suspicious transactions; identify inappropriate flows (e.g., duplicate payments)
Benefits: Provide evidence of control operation / quickly identify issues
Master Data Monitoring
Features: Monitor changes to master data files (e.g., Supplier Master) for suspicious activity
Benefits: Identify and address suspicious changes to master data; detect stale master file records
Access Control Monitoring
Features: Monitor changes to user access / roles; monitor access to sensitive transactions and data
Benefits: Detect unauthorized modifications to user access / roles
Segregation of Duties Monitoring
Features: Identify SOD violations; detect executed transactions that violate SOD rules
Benefits: Prevent SOD conflicts that increase the risk of fraud & error
Configuration
Features: Detect changes to system configurations that may increase risks of fraud & error
Benefits: Demonstrate the continued effectiveness of application controls
Manual Process & Control Monitoring
Features: Ensure the initiation and completion of manual business & IT processes & controls
Benefits: Provide an audit trail for manual processes; increase effectiveness & efficiency of manual business & IT processes and controls
IT General Controls
Features: Security / access controls; change management controls; IT Operations controls
Benefits: Enable increased reliance on automated business process controls
Case Study: Duplicate Payments/Invoices
(Table columns: Manual Control Procedure; Automated Control Procedure; Controls Monitoring)
Manual Control Procedure
Operational Considerations: Monthly review of payment register reports to identify and resolve issues. Duplicate payments are identified after cash flows out of the business.
Business Value Realized: Duplicate invoices identified up to 31 days after payments. Cash from duplicate payments is collected within 90 days.
Testing Considerations: Sample Size: Maximum (25); Coverage: Points along the audit period; Self Testing: Low Objectivity
Automated Control Procedure
Operational Considerations: System is configured to provide alerts to users when exact duplicate invoices are detected. Most duplicate payments are prevented.
Business Value Realized: 80% of duplicate payments are prevented, which provides a positive impact on cash flows.
Testing Considerations: Sample Size: Minimum (1); Coverage: A point in time; Self Testing: Low Objectivity
Controls Monitoring
Operational Considerations: Configuration: management is alerted of changes in real time. Transactions: invoices entered are monitored for suspected duplicates based on multiple criteria in real time. All configuration changes and potential duplicate payments are reviewed by management in real time.
Business Value Realized: All duplicate payments are reviewed and authorized in real time, prior to impacting operations and financial results.
Testing Considerations: Sample Size: Minimum (1); Coverage: 100% coverage; Self Testing: Effectiveness of controls demonstrated by monitoring capability
Case Study: User Access / SOD
(Table columns: Manual Process & Controls; Automated Process & Controls; Controls Monitoring)
Manual Process & Controls
Operational Considerations: The user access authorization process is manually intensive, disconnected, and lengthy. Access creep is common due to changing roles & responsibilities. The manual process is not integrated across applications. SOD considerations are limited and narrowly focused.
Business Value Realized: Limited control of user access and SOD based upon job responsibilities.
Testing Considerations: Sample Size: Maximum (25); Coverage: Points along the audit period; Self Testing: Low Objectivity
Automated Process & Controls
Operational Considerations: Workflow tools are used, and access & SOD requirements are enforced via configured and preventive controls. A repository of rules is established and maintained for enhanced decision making.
Business Value Realized: Workflow-driven authorization process is more efficient and reliable, and preventive access controls reduce risks. Improved definition and grasp of organizational roles & responsibilities, and visibility into organizational structure.
Testing Considerations: Sample Size: Minimum (1); Coverage: A point in time; Self Testing: Low Objectivity
Controls Monitoring
Operational Considerations: Configuration: management is alerted of changes in real time. Transactions: business transactions are monitored to detect SOD violations in real time. All changes are recorded for audit purposes.
Business Value Realized: Transactions violating access and SOD rules are detected and addressed in a timely manner. Timely insight into organizational changes and identification of potential errors and fraud.
Testing Considerations: Sample Size: Minimum (1); Coverage: 100% coverage; Self Testing: Effectiveness of controls demonstrated by monitoring capability
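As an added illustration, not part of the Deloitte material, of the transaction-monitoring and SOD-monitoring checks described in the Controls Monitoring table and the two case studies, the following Python sketch flags exact and suspected duplicate invoices on multiple criteria and detects executed transactions that violate a segregation-of-duties rule. The invoice records, transaction log, rule pairs and 31-day window are constructed assumptions, not data from any real system or product.

```python
"""Constructed continuous-controls-monitoring checks (illustration only):
duplicate-invoice detection on multiple criteria and an SOD rule check."""
from collections import defaultdict
from datetime import date

# Constructed invoice records: (invoice_id, vendor, invoice_no, amount, entry_date, entered_by)
INVOICES = [
    ("I1", "ACME", "A-100", 1200.00, date(2007, 1, 3), "bob"),
    ("I2", "ACME", "A-100", 1200.00, date(2007, 1, 5), "bob"),   # exact duplicate of I1
    ("I3", "ACME", "A-1OO", 1200.00, date(2007, 1, 20), "eve"),  # mistyped number, same amount
    ("I4", "ACME", "A-200", 1200.00, date(2007, 3, 1), "eve"),   # same amount, outside window
    ("I5", "GLOBEX", "G-7", 480.50, date(2007, 1, 9), "bob"),
]

def find_duplicate_invoices(invoices, window_days=31):
    """Flag a pair as 'exact' (same vendor and invoice number) or 'suspected'
    (same vendor and amount, entered within window_days of each other).
    The 31-day default mirrors the detection lag quoted in the case study."""
    findings = []
    for i, a in enumerate(invoices):
        for b in invoices[i + 1:]:
            if a[1] != b[1]:            # different vendors: never a duplicate
                continue
            if a[2] == b[2]:
                findings.append(("exact", a[0], b[0]))
            elif a[3] == b[3] and abs((a[4] - b[4]).days) <= window_days:
                findings.append(("suspected", a[0], b[0]))
    return findings

# Constructed SOD rules: pairs of actions one user must not both perform for a vendor
SOD_RULES = [("create_vendor", "approve_payment"), ("enter_invoice", "approve_payment")]

# Constructed transaction log: (user, action, vendor)
TRANSACTIONS = [
    ("bob", "create_vendor", "ACME"),
    ("bob", "enter_invoice", "ACME"),
    ("alice", "approve_payment", "ACME"),
    ("eve", "enter_invoice", "GLOBEX"),
    ("eve", "approve_payment", "GLOBEX"),  # eve entered and approved: SOD violation
]

def find_sod_violations(transactions, rules=SOD_RULES):
    """Return (user, vendor, action1, action2) for each executed conflict:
    one user performed both actions of a rule against the same vendor."""
    done = defaultdict(set)
    for user, action, vendor in transactions:
        done[(user, vendor)].add(action)
    violations = []
    for (user, vendor), actions in sorted(done.items()):
        for a1, a2 in rules:
            if a1 in actions and a2 in actions:
                violations.append((user, vendor, a1, a2))
    return violations

if __name__ == "__main__":
    for finding in find_duplicate_invoices(INVOICES):
        print("duplicate:", finding)
    for violation in find_sod_violations(TRANSACTIONS):
        print("SOD violation:", violation)
```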
Closing Thoughts
• CCM can enhance the effectiveness of controls and increase efficiencies
– Reduces cost and reliance on external resources, increasing control reliability
– Allows Internal Audit and line staff to perform their assigned roles and responsibilities
– Provides real-time information for proactive and preventive measures
– Leverages real-time information and compliance investment for value generation
– Improves data and control quality through a sustainable and repeatable process
• Controls monitoring is a key component of the compliance evolution
• Technology can and should play a central role in controls automation and monitoring
• A good first step is to develop a roadmap that can begin quickly during the next fiscal year