How to reach SOX Compliance: The Alpro case
Lamot, Mechelen, October 12, 2011
Bart Van Hevel, Alpro
Chris Walravens, Expertum
Agenda

• Key facts about Alpro
• What is SOx
• Key facts about Expertum
• Authorizations @ Alpro
• Authorization Issues
• Project approach
• Success factors
• Benefits for Alpro

Key Facts About Alpro

• Alpro founded in 1980 and part of Dean Foods since mid 2009

• Grown to € ~260 million in revenues in 2010

• Clear European market leader in non-dairy soy-based products

• 2 power brands: Alpro soya and Provamel

• 6 product categories

• 3 channels

• 3 wholly-owned commercial organisations in NL, UK and GE and more than 30 commercial partnerships in all other primary European markets

• 4 plants in BE, FR, UK and NL

• ~800 employees

Alpro Soya Brand

Provamel Brand

Gradual Development Of New Categories

Drinks, Desserts, Yofu, Cream, Meat-free, Margarine

Alpro, A Division Of Dean Foods

US
• National chilled DSD and plant footprint
• National premium health & wellness brands
• US leader in national UHT
• Private label dairy

EU
• European leader in branded soy

4 Complementary Plants

• UK: Kettering (Birmingham)
• Belgium: Wevelgem (Kortrijk)
• The Netherlands: Landgraaf (Maastricht)
• France: Issenheim (Colmar)

What is SOx?

The US Sarbanes-Oxley Act of 2002, commonly called Sarbanes-Oxley or SOx, is a United States federal law enacted on July 30, 2002 in response to a number of major corporate and accounting scandals, including those affecting Enron, WorldCom, …

Applicable to all companies listed on the New York Stock Exchange

• Section 302: The CEO/CFO of Dean Foods must certify quarterly and annually that:
  • The SEC (Securities & Exchange Commission) report has been reviewed by the CEO/CFO
  • The report does not contain any misleading and/or untrue statements
  • Significant deficiencies and material weaknesses in internal control have been disclosed to the Audit Committee and auditors, as well as any fraud (material or not) involving anyone with a significant role in internal control
  • Material weaknesses must be disclosed in the annual report to shareholders

Alpro needs to install a sub-certification process to Dean Foods CEO / CFO

• Section 404: Defines the rules for internal control and financial reporting
  • Alpro management must assess effectiveness of internal control structure and procedures for financial reporting

Our Requirement…

[Diagram: Financial Statements; IT General Controls; Business Processes; Reporting Processes; Inventory; Procure to Pay; Order to Cash; Company Level Controls]

“Identify, implement and formalize adequate business & IT controls within Alpro Comm VA, for core processes that have a material impact on the financial statements, operating on December 31st, 2010”

Our Requirement…

Business & IT controls in order to cover key risks in a process, resulting in:
• Manual, signed-off reports / documents: detective control
• Configuration controls (SAP customizing): preventive control
• Access restriction / Segregation of Duty controls: preventive control

Expertum

• Our Mission
  • Exceed client expectations by providing top-quality expertise
  • Provide our people a safe environment for personal and professional growth
• Facts
  • Founded in April 2006 by 2 ex-SAP Belux employees
  • Team of +50 SAP Experts and Project Managers
  • Highly skilled and experienced SAP consultants in all SAP areas, combined with a
• Partnerships

For more info, visit our new website : www.expertum.net

Authorizations @ Alpro

• Position based security
  • Use of the HR organizational structure
    • For role assignments
• 2-layered concept
  • Composite roles for positions or functions
  • Single & derived roles for functionality (at sub-process level)
• Starting point of the SOx authorizations project
  • Strong conceptual basis
  • Prerequisite for a smooth and successful compliance project

Authorization Issues

• Critical functionality
• Segregation of Duties
• Basis Component

Authorization Issues

• Critical functionality (10)
  • Maintain accounting periods
  • Asset retirement / scrapping
  • Vendor master data
• Segregation of Duties (7)
  • Inventory count & post differences
  • Price conditions & Sales orders
  • Vendor master data & invoices
• Basis Component (10)
  • User & role administration
  • Transport requests
  • Debugging

Project Approach

3 Months - 50 Mandays

• Scope & Pre-audit
  • Processes & legal entities in scope
  • Risk assessment & definition of controls
  • Identification of issues to be remediated
• User list review
  • For each issue determine the list of (un)authorized users / roles
• Root cause analysis
  • Identify the (combination of) roles causing the unwanted access
• Solution & Impact
  • Propose possible solution(s) for each issue
  • Always several options possible:
    - User assignment
    - Composite role
    - Tcode in single role
    - Auth. object values
  • Impact analysis on other users is essential for not disrupting business activities
• Solution approval
  • Verification of proposed solution with business users
  • Approval of solution
  • Business approval is essential, especially when the day-to-day organisation is changed
• Implement & Test
  • Technical SAP authorizations knowledge essential
  • Testing the solution both positive and negative
  • Documentation essential because of SOx requirements
• Approval & Go-live
  • Final approval of the implemented solution and adequacy of testing before go-live
  • Transporting the changes into production and/or changing the user assignments
• Final audit
  • Audit by external partner
  • Final SOx audit by external auditor
  • Final check to see if the business processes are under control
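The user list review, root cause analysis and impact analysis steps above, sketched as an added example (not code from the presentation, Alpro or Expertum): for the "Vendor master data & invoices" SoD issue it lists the users in conflict, the composite/single role pairs causing it, and the effect of one proposed fix. The role names, users and the choice of SAP transaction codes are assumptions made for illustration.

```python
from itertools import product

# Constructed sample data (not from the presentation); role and user names are hypothetical.
# Layer 1: composite role (position) -> single roles (sub-process functionality).
COMPOSITE = {
    "C_AP_CLERK": ["S_VENDOR_MAINT", "S_INVOICE_POST"],
    "C_PURCHASER": ["S_VENDOR_MAINT", "S_PO_CREATE"],
    "C_AP_ACCOUNTANT": ["S_INVOICE_POST"],
}
# Layer 2: single role -> SAP transaction codes (illustrative choice of tcodes).
SINGLE = {
    "S_VENDOR_MAINT": {"XK01", "XK02"},
    "S_INVOICE_POST": {"MIRO", "FB60"},
    "S_PO_CREATE": {"ME21N"},
}
# Position-based assignment: user -> composite roles.
USERS = {
    "alice": ["C_AP_CLERK"],
    "bob": ["C_PURCHASER", "C_AP_ACCOUNTANT"],
    "carol": ["C_PURCHASER"],
}
# SoD rule: no user may hold a tcode from side A and a tcode from side B.
SOD_RULES = {"Vendor master data & invoices": ({"XK01", "XK02"}, {"MIRO", "FB60"})}


def role_paths(user, tcodes, composite):
    """(composite, single) pairs through which `user` reaches any of `tcodes`."""
    return sorted({(c, s) for c in USERS[user] for s in composite[c]
                   if SINGLE[s] & tcodes})


def sod_findings(rule, composite=COMPOSITE):
    """User list review + root cause: user -> role pairs causing the conflict."""
    side_a, side_b = SOD_RULES[rule]
    findings = {}
    for user in USERS:
        a = role_paths(user, side_a, composite)
        b = role_paths(user, side_b, composite)
        if a and b:
            findings[user] = list(product(a, b))
    return findings


def impact_of_removal(comp, single, rule):
    """Simulate removing `single` from `comp`: (users affected, users still in conflict)."""
    trial = {c: [s for s in ss if (c, s) != (comp, single)]
             for c, ss in COMPOSITE.items()}
    affected = sorted(u for u, comps in USERS.items() if comp in comps)
    return affected, sorted(sod_findings(rule, trial))
```

In this sample, removing vendor maintenance from the purchaser role clears bob's conflict but also changes carol's access and leaves alice's conflict in place, which is the kind of side effect the impact analysis step is meant to catch before approval.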

Success Factors

• Very much business driven
  • C-level commitment
  • High visibility in the organization
• Dedicated team
  • Divisional Controller (on business side)
  • IT Manager (on IT side)
  • Authorizations consultant (expert knowledge)
  • Project leader (Business Process Manager)
• Smooth and fast decisions
• Ability to translate complex authorisation terminology into business language
• Efficient assessment of impact, resulting in no business disrupting actions

Benefits for Alpro

• Alpro Comm VA SOx compliant on December 31st, 2010: 0 deficiencies, an exceptional result!

• Provides Alpro management extra comfort on the main business processes and their impact on the financial reporting
