Risk Based Internal Controls Ensure Continuous Compliance


  • 8/4/2019 Risk Based Internal Controls Ensure Continuous Compliance

    1/50

SAP BusinessObjects Governance, Risk, and Compliance (GRC) Solutions

Risk-based Internal Control: Ensure Continuous Compliance

Name of Speaker, Department
Title of speaker

May, 2009

SAP AG 2009. All rights reserved. / Page 2

What's Happening in the Marketplace?

  • In 2005, FDA issued 97 warning letters to medical device firms; 80% of these included CAPA citations.
  • Number of recalls by FDA increased about 80% between 2000 and 2007.
  • Loss of confidence by investors in the value of securitized mortgages in the United States resulted in a liquidity crisis that prompted a substantial injection of capital into financial markets...
  • On August 2, 2007, Mattel's Fisher-Price subsidiary recalled almost one million Chinese-made toys.
  • Satyam was plunged into a crisis in January 2009 after its founder, B. Ramalinga Raju, said that the company's profits had been overstated for several years.
  • French President Nicolas Sarkozy has announced plans to lend PSA Peugeot Citroen and Renault three billion euros (3.9 billion dollars) each and other measures in exchange for a promise not to shut French plants or sack French workers.

Agenda

1. Customer Challenges, Impact and Solution Approach
2. Benefits to Customers Using Risk-based Internal Control
3. Risk-based Internal Control Overview
4. Summary and Next Steps
5. Appendix


Internal Controls Today: No transparency, suboptimal decision-making

Typical manual process:
  • Send out paper-based documentation surveys for completion
  • Create test plan
  • Receive test instructions via email
  • Perform manual tests based on verbal instructions
  • Consolidate results from multiple sources
  • Save documents and spreadsheets to local file servers

Questions that go unanswered:
  • What am I supposed to do?
  • Why is this important?
  • What do we need to test?
  • Who should perform the test?
  • Where do we stand?
  • How can we improve?

Stakeholders:
  • Risk Management and Compliance Team
  • Control Testers and Process Owners
  • Management and Executives

What are the Causes?

Today, companies spend a lot of time and effort to manage their controls, with insufficient results to be fully confident in their governance and to increase their performance.

Excessive time, effort and cost for compliance
  • Manual control tests are time and resource intensive
  • Audit process is inefficient and costly
  • Late detection of deficiencies and tedious remediation process

Lack of confidence and visibility
  • Limited insight into control environment
  • Crisis-driven business exception management
  • Compliance and risk information are insufficient for decision makers

Multiple compliance requirements lead to multiple risks
  • Multiple and silo solutions that are not scalable
  • Inability to leverage overall risk and compliance efforts
  • Fragmented and reactionary management of multiple compliance

What's the Impact?

  • SOX 404 compliance costs for the average company were $1.7M (FEI Survey 2007, for 168 companies with average revenues of $4.7 billion).
  • Average external audit fees have increased 271% (Foley & Lardner Survey (2007): between fiscal years 2001 and 2006 for companies with under $1 billion in revenue).
  • GRC spending will expand to $32.1B in 2008 (up 7.4% from 2007). Source: AMR Research 2008.

[Chart: GRC spending ($ Billions) by People, Technology and Services; 8.5% CAGR, 7.4%, 4.6%]

"In this economic climate, companies can no longer focus solely on reactive spending to meet each new regulation. As executives are becoming aware of how different business and IT risks affect their bottom line, their spending focus is shifting toward approaching risk strategically, not just tactically."
John Hagerty, AMR Research

Streamline the Compliance Process for Effective, Efficient Controls and Transparency

Complete, Enterprise-wide, Risk-based Internal Control

Guided process:
  • Document control and test plan
  • Attach reference document and spreadsheet
  • Follow guided procedure and perform test
  • Report results and attach evidence

Outcomes:
  • Unified, risk-based control management across the enterprise
  • Real-time visibility on control effectiveness and key issue status
  • Reduced cost of compliance with automated controls and streamlined testing
  • Better managed risk thanks to robust control management and remediation

Stakeholders: Risk Management and Compliance Team; Control Testers and Process Owners; Management and Executives

Savings Estimates Using Risk-based Internal Control Case Studies*

* Benchmarks from SAP's Case Studies and Success Stories

                                                                      Conservative Estimate   Likely Scenario
Potential Annual Benefits:                                            $3.6M                   $4.5M

Mitigate risk through effective controls and remediation              $1.1M                   $1.3M
  • Increase Fraud Prevention                                         $0.5M                   $1.1M
  • Report and Monitor Key Controls                                   $0.3M                   $0.8M
  • Resolve Exceptions through Remediation                            $0.3M                   $0.4M

Improve executive confidence with enterprise-wide control mgmt        $709k                   $951k
  • Provide real-time visibility of control effectiveness             $175k                   $225k
  • Unify Control Management across the Enterprise                    $350k                   $450k
  • Enforce accountability with Review, Certification, and Sign-off   $184k                   $276k

Reduce cost and improve compliance                                    $1.8M                   $2.0M
  • Automate Control Testing                                          $1.3M                   $1.3M
  • Shorten Audit Cycles                                              $0.4M                   $0.5M
  • Streamline Manual Evaluation, Issue Identification                $0.1M                   $0.2M


Risk-based Internal Control in Practice

  • A major retailer is confident in the robustness and flexibility of SAP BusinessObjects Process Control to support their international expansion and provide them with enterprise-wide visibility on the status of compliance.
  • A healthcare company completed their SAP BusinessObjects Process Control pilot in 2 weeks and maximizes the efficiency of their implementation through a user-driven deployment of the solution that minimizes the reliance on IT resources.
  • An oil and gas group minimizes user training thanks to the ease of use of the application and leverages SAP BusinessObjects Process Control configuration capabilities to keep changes in their data and reports to a minimum.
  • A pharmaceuticals company is planning to use SAP BusinessObjects Process Control for other compliance requirements in addition to Sarbanes-Oxley.
  • Another healthcare group significantly improves speed of resolution of deficiencies and gains better visibility on remediation cases for their control owners.

Allergan Automates SOX Compliance with SAP BusinessObjects Process Control

QUICK FACTS

Allergan Inc.
  • Location: Irvine, California
  • Industry: Life sciences
  • Products and services: Specialty pharmaceuticals and medical devices
  • Revenue: US$4.4 billion
  • Employees: Approximately 8,000
  • Web site: www.allergan.com
  • SAP solution and services: SAP BusinessObjects Process Control application, SAP Consulting

"SAP BusinessObjects Process Control does everything we thought it would do and even more than we expected. The implementation was very functionality-driven, and we're excited about expanding the use of automated controls in the future."
Bart Brock, Sr. Project Manager, Allergan Inc.

Challenges and opportunities
  • Reduce risk of financial misstatements and noncompliance
  • Automate testing and compliance processes to save time and improve efficiency

Objectives
  • Implement a robust solution for managing Sarbanes-Oxley Act (SOX) compliance processes end-to-end, including auditing, monitoring, and testing of controls

Implementation highlights
  • Engaged PricewaterhouseCoopers (PwC) as lead system integrator
  • Formed synergistic team consisting of PwC, SAP Consulting, and internal personnel

Why SAP
  • Integrated with the SAP software that runs the business
  • Positive experiences with SAP products
  • Availability of preferred implementation practices

Benefits
  • Migrated all processes to the SAP BusinessObjects Process Control application
  • Automated many controls
  • Achieved user-driven operations with minimal IT involvement
  • Increased efficiency of SOX compliance processes
  • Improved overall SOX compliance capability

Agenda

1. Customer Challenges, Impact and Solution Approach
2. Benefits to Customers Using Risk-based Internal Control
3. Risk-based Internal Control Overview
   3.1 Align enterprise risk with compliance
   3.2 Reduce cost with automated controls
   3.3 Achieve compliance visibility
4. Summary and Next Steps
5. Appendix

Risk-based Internal Control: Aligning enterprise risk with continuous compliance

SAP Solution
  • Document new compliance initiatives using a top-down risk-based approach
  • Develop assessment, testing and monitoring strategy. Perform tests, report results and raise issues
  • Analyze issues, perform necessary remediation and certify results

Solution components (Risk-based Internal Control):
  • Risk Management: Risk Identification; Risk Monitoring
  • Process Control: Document Compliance Initiatives; Plan and Perform Assessments and Tests; Remediate Issues and Certify Results
  • Access Control: Access Analysis and Response

SAP Differentiators
  • Increase efficiency by aligning enterprise risk with multiple compliance initiatives
  • Reduce cost and the risk of non-compliance through rapidly deployable automated configurable controls
  • Ensure control effectiveness across heterogeneous application landscapes through continuous monitoring

Risk-based Internal Control: Aligning enterprise risk with continuous compliance

Align enterprise risk with compliance
  • Identify and prioritize compliance risks
  • Establish controls to mitigate compliance risks
  • Document all compliance initiatives via centralized catalogs

Reduce cost with configurable controls
  • Create automated rules on-the-fly
  • Leverage pre-delivered rules to test and analyze
  • Monitor controls proactively to identify exceptions

Ensure control effectiveness
  • Continuously monitor heterogeneous landscapes (SAP and non-SAP)
  • Rapidly respond with industry content
  • Confidently report, certify and sign-off

Solution components (Risk-based Internal Control): Risk Management (Risk Identification; Risk Monitoring); Process Control (Document Compliance Initiatives; Plan and Perform Assessments and Tests; Remediate Issues and Certify Results); Access Control (Access Analysis and Response)

Align Enterprise Risk with Compliance: Identify and prioritize compliance risk

Key capabilities
  • Identify risks associated with regulations and policies
  • Identify impacted organizations and business processes
  • Determine risk exposure at organization level
  • Identify organizations and processes in-scope through materiality analysis or risk prioritization using enterprise risk assessment
  • Assign processes and controls to organizations

Process flow: Risk Analysis / Risk Exposure -> Identify Top Compliance Risks -> Perform High Level Scoping -> Document Risks

Optimize compliance resources by focusing on key risk areas

Align Enterprise Risk with Compliance: Identify controls to mitigate compliance risk

Key capabilities
  • Formulate risk responses to inadequately addressed risks
  • Review control proposals and create proposed controls either by assignment or new control creation
  • Notify risk management of control creation status
  • Perform control-risk assessment to determine required level of evidence
  • Raise issues for remediation

Process flow: Risk Analysis / Risk Exposure -> Identify Controls and Map to Risks -> Plan Assessments and Tests

Reduce enterprise risk with effective controls

Align Enterprise Risk with Compliance: Document all compliance initiatives via centralized catalogs

Key capabilities
  • Master data catalogs leveraged across multiple compliance initiatives
  • Simultaneous support for regulatory requirements and internal policy mandates
  • Shared controls testing and assessments
  • Configurable remediation plans for each compliance initiative
  • Drill down capability to view/review the test and assessment results

Improve compliance efficiency by streamlining activities


Reduce Cost with Configurable Controls: Create automated rules on-the-fly

Key capabilities
  • Intuitive and flexible user interface to create unlimited monitoring criteria without programming
  • Configuration and master data audit-trail
  • Simple transaction monitoring available

Detective monitoring flow: Enterprise Application -> Detective Monitoring -> Process Control
  • Enterprise Application: tables/views across SAP Business Suite, monitored as Transaction controls (e.g. PO, invoice etc.), Master Data controls (e.g. vendor payment terms etc.) and Configuration controls (e.g. invoice tolerance etc.)
  • Process Control: Configurable Controls Designer (monitor threshold values, create deficiency criteria etc.)

Easily adapt to changing business and compliance needs

Reduce Cost with Configurable Controls: Leverage pre-delivered rules

Key capabilities
  • Automate control testing, monitoring across SAP and non-SAP systems with out-of-the-box rules
  • More than 200 delivered scripts for automated control testing*
  • Additional testing automation using standard SAP queries/reports
  • User definable multi-step test plans and flexible assessment surveys

* Exact number depends on your industry

Delivered control content by process area (#Controls):
  • Order to Cash (Order Capture, Order Fulfillment, Billing & Returns, Revenue Recognition): 23
  • Procure to Pay (Demand Planning, Operational Procurement, Inventory Management, Payables Management): 28
  • Reconcile to Report (Budgeting Planning, Sub Ledger Transactions, Financial Close, Consolidation & Reporting): 18
  • IT Basis (Application Implementation, Change Control, Application Security, Network Support): 18
  • HR (Workforce Planning, Hiring, Compensation, Employee Relations): 1
  • Treasury (Cash Management, Risk Management, Portfolio Management, Inter-company Finance): 5
  • Fixed Assets (Asset Acquisition, Asset Depreciation, Asset Disposition, Asset Management): 14
  • FDA (Design Control, CAPA, Material Controls, Post Market Support): 15

Improve compliance responsiveness with packaged rules

Reduce Cost with Configurable Controls: Monitor controls proactively to identify exceptions

Key capabilities
  • Rapidly detect and analyze exceptions
  • Proactively notify key stakeholders
  • Automated workflow to designate ownership

Close loop by continuously monitoring compliance violations
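As an added illustration (not code from this deck or from SAP's product), the Python below models what the configurable detective controls of the preceding slides amount to: a rule names a transaction, master data or configuration field, a threshold and a deficiency criterion; it is run over source records; and the exceptions it raises are routed to an owner's worklist. Every rule, field name and record is constructed; the record whose monitored field is missing shows the edge case a control must not silently pass.

```python
"""Toy configurable-controls engine (added example, not SAP's code).

A rule names the control type it applies to (transaction, master data or
configuration), the field it monitors, a threshold and the deficiency
criterion (the comparison that flags a record), plus the owner who should
receive the exception. All identifiers, field names and records below are
constructed for illustration.
"""
import operator
from dataclasses import dataclass
from typing import Any, Dict, List

# Deficiency criteria a rule designer can choose from.
OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
       "<=": operator.le, "==": operator.eq, "!=": operator.ne}


@dataclass(frozen=True)
class Rule:
    control_id: str
    control_type: str      # "transaction" | "master_data" | "configuration"
    field_name: str        # monitored field in the source record
    op: str                # key into OPS
    threshold: Any
    owner: str             # who is assigned the resulting exceptions
    description: str


@dataclass(frozen=True)
class Deficiency:
    control_id: str
    record_key: str
    observed: Any          # None when the field could not be read
    threshold: Any
    owner: str


def evaluate(rule: Rule, records: List[Dict[str, Any]]) -> List[Deficiency]:
    """Flag every record meeting the rule's deficiency criterion.

    A record that lacks the monitored field is flagged as well: a control
    that silently skips unreadable data would report a clean result for
    something it never actually tested.
    """
    compare = OPS[rule.op]
    found = []
    for rec in records:
        value = rec.get(rule.field_name)
        if value is None or compare(value, rule.threshold):
            found.append(Deficiency(rule.control_id, rec["key"], value,
                                    rule.threshold, rule.owner))
    return found


def run_controls(rules: List[Rule],
                 datasets: Dict[str, List[Dict[str, Any]]]) -> Dict[str, List[Deficiency]]:
    """Evaluate each rule against the dataset for its control type and
    group the deficiencies by owner, so each owner receives one worklist
    (the 'designate ownership' step of exception monitoring)."""
    worklists: Dict[str, List[Deficiency]] = {}
    for rule in rules:
        for d in evaluate(rule, datasets.get(rule.control_type, [])):
            worklists.setdefault(d.owner, []).append(d)
    return worklists


# Constructed rules: one per control type named on the slide.
RULES = [
    Rule("TXN-PO-01", "transaction", "amount", ">", 50000, "ap.manager",
         "Purchase order above single-approver limit"),
    Rule("MD-VND-01", "master_data", "payment_terms_days", ">", 60,
         "vendor.master.owner", "Vendor payment terms exceed policy"),
    Rule("CFG-INV-01", "configuration", "invoice_tolerance_pct", ">", 2.0,
         "fi.config.owner", "Invoice tolerance wider than policy allows"),
]

# Constructed sample records standing in for application tables/views.
DATASETS = {
    "transaction": [
        {"key": "PO-4500017", "amount": 12000},
        {"key": "PO-4500018", "amount": 75000},
        {"key": "PO-4500019"},                      # amount missing
    ],
    "master_data": [
        {"key": "V-100", "payment_terms_days": 30},
        {"key": "V-101", "payment_terms_days": 90},
    ],
    "configuration": [
        {"key": "CC-1000", "invoice_tolerance_pct": 1.5},
        {"key": "CC-2000", "invoice_tolerance_pct": 5.0},
    ],
}


def main() -> None:
    for owner, items in sorted(run_controls(RULES, DATASETS).items()):
        print(f"{owner}: {len(items)} exception(s)")
        for d in items:
            print(f"  {d.control_id} {d.record_key}: observed={d.observed} "
                  f"threshold={d.threshold}")


if __name__ == "__main__":
    main()
```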


Ensure Control Effectiveness: Continuously monitor heterogeneous landscapes

Key capabilities
  • Rapidly detect and analyze exceptions
  • Supports both SAP and non-SAP
  • Partner support (Greenlight)
  • Multi-App Query Tool: define custom controls

Architecture:
  • SAP BusinessObjects Process Control: process / control hierarchy, automatic testing, rule engine, issue remediation, real-time reporting, scheduler
  • Pre-defined Controls
  • Custom Controls (Multi-App Query Tool)
  • Process control xPAC by Greenlight (SOA architecture) for Legacy & Custom systems

Reduce risk with operational transparency enterprise-wide

Ensure Control Effectiveness: Continuously Monitor Access Management Compliance

Key capabilities
  • Perform assessments and tests of access-related risks
  • Review automated access test results
  • Determine/perform appropriate remediation

Process flow: Access-related Risk -> Plan Assessments and Tests -> Access Remediation

Gain visibility by continuously monitoring security and access related controls

SAP BusinessObjects Process Control 3.0: Compliance reporting and analytics

Key capabilities
  • Crystal Reports and Xcelsius dashboards
  • Cross-compliance and initiative-specific reporting
  • Existing report templates can be leveraged across any compliance initiatives
  • Drill down provided in select dashboards and reports
  • Key reports pre-delivered
  • Drill down capability to view/review the test and assessment results

Improve compliance performance and predictability

Achieve Compliance Visibility: Rapidly respond with industry content

Key capabilities

Life Sciences Industry: risk drivers, KRIs, risk events, impact and risk responses for
  • Promotional Spend
  • Off-Label Promotion
  • Product Quality
  • Pricing Compliance

Oil & Gas Industry: risk drivers, KRIs, risk events, impact and risk responses for
  • Foreign Corrupt Practices Act (FCPA)
  • Occupational Health & Safety (OSHA)
  • FAS 133
  • Logistics

Accelerates industry compliance with pre-defined industry content


Risk-based Internal Control Benefits

#1 Align enterprise risk with compliance initiatives
  • Optimize compliance resources by focusing on key risk areas
  • Reduce enterprise risk with effective controls
  • Improve compliance efficiency by streamlining activities

#2 Reduce cost with configurable controls
  • Easily adapt to changing business and compliance needs
  • Improve compliance responsiveness with packaged rules
  • Close loop by continuously monitoring compliance violations

#3 Ensure control effectiveness through continuous monitoring
  • Reduce risk with operational transparency enterprise-wide
  • Comprehensive content for industry-specific compliance
  • Improve compliance performance and predictability

Solution components (Risk-based Internal Control): Risk Management (Risk Identification; Risk Monitoring); Process Control (Document Compliance Initiatives; Plan and Perform Assessments and Tests; Remediate Issues and Certify Results); Access Control (Access Analysis and Response)

SAP GRC Process Control 3.0: Extending operational efficiencies across the enterprise

Compliance initiatives: SOX, JSOX, FDA

Process Control lifecycle: Scope, Evaluate, Monitor, Signoff
  • Perform Assessments
  • Test Manual Controls
  • Automated Controls Framework
  • Monitor exceptions
  • Remediate Issues
  • Perform CAPA
  • Certify, Signoff and e-signature (302, 404, 21 CFR Part 11)

Control Environment: Process-Control-Objective-Risk, spanning Business Processes (FIN, SCM, SRM, MFG, HR, Doc) and IT Infrastructure

Enterprise Integration: Risk Management, Access Control, Oracle, PSFT, DB2, 3rd party apps, Cisco SONA, Event Systems

Enterprise Productivity: Enterprise search (structured and unstructured), Adobe Interactive Forms

Analytics and Reporting: Crystal Reports, Xcelsius Dashboard, BI Reports, Datasheets

For More Information

See www.SAP.com/GRC for:
  • SAP BusinessObjects Process Control information
  • Customer case studies
  • Online self-running demo
  • Information on all other SAP BusinessObjects Governance, Risk, and Compliance (GRC) solutions

Thank you!

Copyright 2009 SAP AG
All Rights Reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, Duet, Business ByDesign, ByDesign, PartnerEdge and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned and associated logos displayed are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.



    Demonstration: Risk-based Internal Control


    Risk-based Internal Control

    Roles shown: CFO; Head of Compliance / Internal Audit; Head of Risk Management; Vice President Tax / Head of Compliance; Head of Internal Audit / Chief Security Officer.
    Functions shown: Strategy / Planning; Business Operations; Internal Audit; Risk Management.

    Capability areas and their steps:
    - Duty Reduction and Trade Compliance: Trade Policy; Planning
    - Enterprise Risk Management: Risk Planning; Risk Identification; Risk Analysis; Risk Response; Risk Monitoring
    - Access Management: Access Planning; Access Analysis and Response; Access Monitoring
    - Risk-Based Internal Controls: Document Compliance Initiatives; Plan and Perform Assessments and Tests; Remediate Issues and Certify Results


    Align Strategy and Risk with Compliance
    Document all Compliance initiatives via Centralized catalogs

    Example: Framework for a Life Science / Pharmaceutical US-based Global Company

    Central Framework, shared by all initiatives: Organization Structures; Processes, Risks & Controls.
    Per-initiative content, each initiative with its own Policies and User Roles & Authorizations:
    - FDA mandates / sub-mandates
    - SOx mandates (SOx 302, 404)
    - J-SOx mandates / sub-mandates


    Align Strategy and Risk with Compliance
    Document all Compliance initiatives via Centralized catalogs

    At a Corporate or Local Level

    Organization hierarchy: Corporate; below it Parent Org 1 and Parent Org 2; below those USA, India, Vancouver and Hong Kong.
    Org Owners perform AOD (aggregation of deficiencies) analysis at the org level and the SOX PMO performs the final AOD analysis at the corporate level.


    Align Strategy and Risk with Compliance
    Document all Compliance initiatives via Centralized catalogs

    Example: Global Compliance Office: Regulation/Policy Admin
    - Customizable User Menus
    - Global and Compliance Initiative-Specific Menu Content
    - Role-Based User Content


    Align Strategy and Risk
    Risk Intelligent Reporting & Certification

    Hierarchical, bottom-up sign-off progression (example hierarchy: Accounts Payable and Purchasing, Procure to Pay, US Finance, US, Corporate Signers, CEO/CFO):
    1. Each subprocess owner signs off (Accounts Payable, Purchasing)
    2. Process owner signs off (Procure to Pay)
    3. Lowest location signs off (US Finance)
    4. Higher location signs off (US)
    5. Corporate signer(s) sign off
    6. CEO/CFO sign off

    - Supports section 302 certification
    - Freezes key information that has been signed off

    Close the loop between strategy and execution with a top-down risk-based approach. Sign off with confidence through formalized certification.


    Risk-Adjusted Controls Management: SAP BusinessObjects Process Control
    End-to-End, Enterprise-wide Business Process Control

    1. Document Compliance Initiatives
       Identify the risks associated with new regulations or policies and document the associated compliance structure using a top-down risk-based approach.
       - Unify control management across the enterprise through a single system of record that can adapt to changing business needs.
       - Enable an enterprise environment for monitoring business systems and timely detection of issues and risks.

    2. Plan and Perform Assessments and Tests
       Align the planning and scheduling of testing in accordance with the compliance calendar. Conduct the tests, report the test results and raise issues for remediation.
       - Automate control testing and monitoring across heterogeneous environments.
       - Shorten audit cycles through the optimization of compliance activities.
       - Resolve exceptions more efficiently with workflow-driven issue identification and remediation.

    3. Remediate Issues and Certify Results
       Review the results of your compliance activities, remediate identified issues and certify your results through sign-off and audit.
       - Provide real-time visibility of control effectiveness and remediation of key issues, eliminating surprises.
       - Enforce accountability with review, certification, and sign-off of processes.
       - Use comprehensive reports and dashboards to monitor control activity and issue status.

    Either remove or place after the ROI slide

    Before introduce productFlow = RBIC ROI Processes

    - How we do it differently (product)

    S2


    Slide 40

    S2 (1) This slide doesn't flow well from the previous slide - Suggest it follow the 4 steps outlined in the previous slide and not be product specific.

    (2) This can be achieved by outlining capabilities in RM and PC 30 and integrations with AC

    (3) This applies to next slide #29I811750; 17-12-2008


    Reduce Cost with Automated Controls
    Create automated rules on-the-fly

    Three ways to obtain an automated control test: select a pre-delivered test, re-use a custom test, or construct an ad-hoc test.
    - Pre-delivered process control tests with flexible rule criteria
    - SOD analysis and reporting
    - Plug-and-play your existing test scripts
    - Create control tests on-the-fly with SAP query tools

    Business processes and sub-processes covered:
    - Order to Cash: Order Capture; Order Fulfillment; Billing and Returns; Revenue Recognition
    - Procure to Pay: Demand Planning; Operational Procurement; Inventory Management; Payables Management
    - Reconcile to Report: Budgeting Planning; Subledger Transactions; Financial Close; Consolidation and Reporting
    - IT Basis: Application Security; Change Control

    Automated Controls Tee-up


    Reduce cost with configurable controls
    Leverage Pre-delivered Rules

    A master rule is turned into one or more automated rules by fixing its parameters and its frequency:
    - Master Rule: the program that implements the check
    - Rule Parameters: organization (Org. A, Org. B); Account Range or Single Account; Absolute Value threshold (High / Medium / Low) or % threshold (High / Medium / Low)
    - Rule Frequencies: Daily; Weekly; Bi-Weekly; Fortnightly; Monthly; Quarterly; Semi-Annual; Annual
    - Automated Rule 1 and Automated Rule 2: concrete rules, each binding the same program to its own parameter values and frequency


    Managing Enterprise Risks
    2.2.1 Foreign Corrupt Practices Act Compliance Risk

    Risk event: Employee/agent involved in illegal arrangement (FCPA)
    Drivers: conduct business with foreign state-run entities; operate in overseas high-risk markets; use of 3rd-party representatives to facilitate overseas business
    Business process: Regulatory Compliance (S39)
    KPI: # of payments to foreign officials characterized as contributions, consulting payments or miscellaneous expenses
    Impacts: Financial Earnings (SEC & DOJ violations, fines, penalties, remediation); Financial Revenue (ineligibility for doing business with foreign entity); Reputation (disclosures, investigation, prosecution, oversight)

    Responses (preventive responses reduce the probability of the event; recovery responses reduce its impact):
    - Reduce: Code of Conduct and FCPA or anti-corruption policies in place; anti-corruption training in place; whistleblower line
    - PC/AC control: SOD: separate vendor maintenance from invoice approval (AC); monitor employees that are overdue for ethics/FCPA training (PC); monitor suspicious payment attributes such as round payments, one-time vendor, etc. (PC)
    - Avoid: avoid business in high-risk markets prone to abuse
    - Accept: maintain legal and penalty reserve
    - Transfer: contractual protections with agents

    Key Risk Indicators: # of reviews conducted for due diligence on all foreign business partners and third-party representatives (manual); % employees with foreign official contact who have had FCPA training (SAP HCM); expense % of total compensation for sales agents responsible for international accounts (SAP Payroll)
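    The two automated FCPA controls on this slide, the Access Control segregation-of-duties rule and the Process Control payment-attribute monitor, as an added example. This is not SAP code and not part of the original deck; the role names, action codes, G/L account names, record layout and sample data are all constructed for illustration. The SoD check works on the union of actions a user's roles grant rather than on role names, so a conflict spread over two roles is still caught; the payment check also counts the slide's KPI (payments to a foreign-official vendor booked as consulting, contributions or miscellaneous expense).

```python
"""Added example, not SAP code: the two FCPA monitoring controls named on the
slide, an Access Control style segregation-of-duties (SoD) check and a Process
Control style payment-attribute check, run over constructed sample data.
Role names, action codes, G/L account names and record fields are assumed."""
from collections import defaultdict
from decimal import Decimal

# Constructed role -> actions map (assumed names, not SAP authorization objects).
ROLE_ACTIONS = {
    "AP_CLERK": {"INVOICE_ENTRY"},
    "AP_APPROVER": {"INVOICE_APPROVE"},
    "VENDOR_MAINT": {"VENDOR_CREATE", "VENDOR_CHANGE"},
    "READ_ONLY": {"VENDOR_DISPLAY"},
}

# SoD rule from the slide: vendor maintenance must be separated from invoice
# approval, otherwise one person can create a vendor and pay it.
SOD_RULES = [
    ("VENDOR_MAINT_VS_INVOICE_APPROVAL",
     {"VENDOR_CREATE", "VENDOR_CHANGE"}, {"INVOICE_APPROVE"}),
]

# G/L accounts under which a payment to a foreign official is most easily
# mischaracterized (the KPI on the slide); account names are assumed.
SUSPECT_GL = {"CONSULTING", "CONTRIBUTIONS", "MISC_EXPENSE"}


def effective_actions(roles, role_actions=ROLE_ACTIONS):
    """Union of the actions granted by all of a user's roles."""
    acts = set()
    for role in roles:
        acts |= role_actions.get(role, set())
    return acts


def sod_violations(assignments, role_actions=ROLE_ACTIONS, rules=SOD_RULES):
    """{user: [rule ids]} for users whose combined roles hit a rule. Checking
    effective actions rather than role names finds the conflict even when the
    two sides come from different roles."""
    hits = defaultdict(list)
    for user, roles in assignments.items():
        acts = effective_actions(roles, role_actions)
        for rule_id, left, right in rules:
            if acts & left and acts & right:
                hits[user].append(rule_id)
    return dict(hits)


def payment_flags(payment, vendor_master, round_to=Decimal("1000")):
    """Attribute checks from the slide: round amounts, one-time (or unknown)
    vendors, and suspect G/L characterization for a foreign-official vendor."""
    flags = []
    amount = Decimal(payment["amount"])
    if amount > 0 and amount % round_to == 0:
        flags.append("ROUND_AMOUNT")
    vendor = vendor_master.get(payment["vendor"])
    if vendor is None or vendor["one_time"]:
        flags.append("ONE_TIME_VENDOR")
    if vendor and vendor["foreign_official"] and payment["gl_account"] in SUSPECT_GL:
        flags.append("FOREIGN_OFFICIAL_CHARACTERIZED")
    return flags


def run_controls(assignments, vendor_master, payments):
    """Run both controls; returns what a monitoring job would raise as issues."""
    flagged = {p["id"]: payment_flags(p, vendor_master) for p in payments}
    flagged = {k: v for k, v in flagged.items() if v}
    kpi = sum("FOREIGN_OFFICIAL_CHARACTERIZED" in v for v in flagged.values())
    return {"sod": sod_violations(assignments),
            "payments": flagged,
            "kpi_foreign_official_payments": kpi}


# Constructed sample data.
SAMPLE_ASSIGNMENTS = {
    "u.alice": ["AP_CLERK", "AP_APPROVER"],     # entry + approval: not this rule
    "u.bob": ["VENDOR_MAINT", "AP_APPROVER"],   # creates vendors and approves
    "u.carol": ["VENDOR_MAINT", "READ_ONLY"],
}
SAMPLE_VENDORS = {
    "V100": {"one_time": False, "foreign_official": False},
    "V200": {"one_time": True, "foreign_official": False},
    "V300": {"one_time": False, "foreign_official": True},
}
SAMPLE_PAYMENTS = [
    {"id": "P1", "vendor": "V100", "amount": "1234.56", "gl_account": "MATERIALS"},
    {"id": "P2", "vendor": "V200", "amount": "5000.00", "gl_account": "CONSULTING"},
    {"id": "P3", "vendor": "V300", "amount": "2500.00", "gl_account": "MISC_EXPENSE"},
    {"id": "P4", "vendor": "V999", "amount": "10000", "gl_account": "CONTRIBUTIONS"},
]

if __name__ == "__main__":
    print(run_controls(SAMPLE_ASSIGNMENTS, SAMPLE_VENDORS, SAMPLE_PAYMENTS))
```

    On the sample data only u.bob trips the SoD rule (u.alice holds entry and approval, which this particular rule does not cover), P4's vendor is absent from the master and is treated as a one-time vendor, and P3 is the single payment that feeds the KPI.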


    Achieve Compliance Visibility

    Rapidly respond with Industry content


    Achieve Compliance Visibility
    Rapidly respond with Industry content

    Risk event: Inappropriate enticements or kick-backs in exchange for preferential treatment
    Drivers: sales culture makes controlling and tracking expenses difficult; increasing government regulation over promotional expenses; PhRMA and AMA guidelines on CME and sales contacts
    Business process: Field Sales & Marketing
    Key Performance Indicators: financial impact of fines and penalties; average sales rep expenses
    Impacts: Legal/Regulatory (significant fines levied by DOJ and other bodies); Legal/Regulatory (corporate integrity agreements increase scrutiny and costs); Reputation (reputation suffers from poor publicity)

    Responses (preventive responses reduce the probability of the event; recovery responses reduce its impact):
    - PC/AC control: tracking and reporting payments made to physicians via accounts payable or sales representatives' travel and expense accounts; monitoring types of payments made to customers/physicians; monitoring amounts and thresholds paid to customers/physicians
    - Reduce: establish and enforce policies & procedures around spending (types & thresholds); training on types of spending allowed; review of physician contracts for compliance

    Key Risk Indicators: training hours per (sales) employee (SAP IV.J.5); avg. sales rep expenses (SAP S9); budget-to-actual differences in CSR expenses (SAP S9, S38)

    Increasing regulation and scrutiny under the Anti-Kickback Statute, the Foreign Corrupt Practices Act (FCPA) and similar federal and state regulations requires companies to limit their promotional spending on physicians, with different rules in different states. The voluntary PhRMA code and AMA guidance also impose limits in this increasingly complex space. Tracking methods and controls are limited and poorly integrated with IT environments.


    Continuously Monitor Heterogeneous Applications
    Rapidly respond with Industry content

    Ensure Continuous Compliance: CAPA workflow

    Trigger: an FDA control (manual or automated) identifies an issue due to deficiencies in a business process.

    Issue Owner (QC Manager):
    1. Performs discrepancy evaluation
    2. Assigns CAPA plan
    3. Performs root cause analysis
    4. Lists corrective actions
    5. Lists preventive actions
    6. Lists contingencies (optional)
    7. Assigns CAPA remediator
    8. Submits CAPA plan for approval

    Approver of CAPA plan (QA manager), three approval options:
    - Option I: sends the CAPA back to the Issue Owner for rework
    - Option II: approves the CAPA plan
    - Option III: cancels the CAPA plan (CAPA plan cancelled)

    CAPA remediator(s):
    1. Completes corrective actions first
    2. Completes preventive actions next
    3. After completion, submits for approval

    Approver of CAPA plan execution (QA manager), two approval options:
    - Option I: approves CAPA execution; optionally verifies effectiveness of the CAPA plan execution by retesting the control (CAPA plan successfully completed and closed)
    - Option II: sends the CAPA back to the CAPA remediator for re-execution

    Key capabilities:
    - High degree of GMP compliance
    - Standardized, enterprise-wide FDA/non-FDA compliance processes
    - CAPA workflow for best-practice issue remediation
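    The CAPA workflow above, as an added example written as a state machine with role checks. It is not SAP code and not part of the original deck; the state names, role names, action names, user ids and sample issue are constructed, and the optional contingencies of step 6 are left out. What the prose does not make explicit, and the code enforces, is that each transition is only available to the assigned holder of one role and in one state, that a plan is not accepted for approval without a root cause, at least one corrective and one preventive action and a remediator, and that a preventive action cannot be closed while a corrective action is still open. Every transition is appended to an audit list.

```python
"""Added example, not SAP code: the slide's CAPA remediation workflow as a state
machine with role checks. State, role and action names are assumed; transitions
follow the slide's approval options and its corrective-before-preventive rule."""
from dataclasses import dataclass, field

class WorkflowError(Exception):
    pass

@dataclass
class Capa:
    issue_id: str
    roles: dict                                     # role -> user id (assumed)
    state: str = "DRAFT"
    root_cause: str = ""
    corrective: dict = field(default_factory=dict)  # action -> completed?
    preventive: dict = field(default_factory=dict)
    effectiveness_verified: bool = False
    audit: list = field(default_factory=list)       # (actor, action, new state)

    def _require(self, actor, role, state):
        if self.roles.get(role) != actor or self.state != state:
            raise WorkflowError(f"{actor} as {role} cannot act in state {self.state}")

    def _move(self, actor, action, state):
        self.state = state
        self.audit.append((actor, action, state))
        return state

    # Issue Owner (QC manager): root cause, actions, remediator, submit (steps 3-8)
    def submit_plan(self, actor, root_cause, corrective, preventive, remediator):
        self._require(actor, "issue_owner", "DRAFT")
        if not (root_cause and corrective and preventive and remediator):
            raise WorkflowError("root cause, both action lists and a remediator required")
        self.root_cause = root_cause
        self.corrective = dict.fromkeys(corrective, False)
        self.preventive = dict.fromkeys(preventive, False)
        self.roles["remediator"] = remediator
        return self._move(actor, "submit_plan", "PLAN_PENDING_APPROVAL")

    # Approver of CAPA plan (QA manager): rework / approve / cancel
    def decide_plan(self, actor, decision):
        self._require(actor, "plan_approver", "PLAN_PENDING_APPROVAL")
        target = {"rework": "DRAFT", "approve": "IN_EXECUTION", "cancel": "CANCELLED"}
        if decision not in target:
            raise WorkflowError(f"unknown decision {decision!r}")
        return self._move(actor, f"plan_{decision}", target[decision])

    # CAPA remediator: corrective actions first, preventive next, then submit
    def complete_action(self, actor, action):
        self._require(actor, "remediator", "IN_EXECUTION")
        if action in self.corrective:
            self.corrective[action] = True
        elif action in self.preventive:
            if not all(self.corrective.values()):
                raise WorkflowError("finish corrective actions before preventive ones")
            self.preventive[action] = True
        else:
            raise WorkflowError(f"{action!r} is not on the plan")
        self.audit.append((actor, f"complete:{action}", self.state))

    def submit_execution(self, actor):
        self._require(actor, "remediator", "IN_EXECUTION")
        if not all([*self.corrective.values(), *self.preventive.values()]):
            raise WorkflowError("all planned actions must be complete")
        return self._move(actor, "submit_execution", "EXECUTION_PENDING_APPROVAL")

    # Approver of CAPA plan execution (QA manager): approve / send back
    def decide_execution(self, actor, decision, effectiveness_verified=False):
        self._require(actor, "execution_approver", "EXECUTION_PENDING_APPROVAL")
        if decision == "approve":
            self.effectiveness_verified = effectiveness_verified
            return self._move(actor, "execution_approve", "CLOSED")
        if decision == "reexecute":
            for plan in (self.corrective, self.preventive):
                plan.update(dict.fromkeys(plan, False))
            return self._move(actor, "execution_reexecute", "IN_EXECUTION")
        raise WorkflowError(f"unknown decision {decision!r}")

# Constructed role assignments for the sample runs below.
ROLES = {"issue_owner": "qc.lee", "plan_approver": "qa.kim", "execution_approver": "qa.kim"}

def run_happy_path():
    # Walk one constructed issue from draft to closed; returns the CAPA.
    capa = Capa("ISSUE-1", roles=dict(ROLES))
    capa.submit_plan("qc.lee", "batch record not reviewed before release",
                     ["quarantine lot 42"], ["add release checklist"], "ops.ng")
    capa.decide_plan("qa.kim", "approve")
    capa.complete_action("ops.ng", "quarantine lot 42")
    capa.complete_action("ops.ng", "add release checklist")
    capa.submit_execution("ops.ng")
    capa.decide_execution("qa.kim", "approve", effectiveness_verified=True)
    return capa

def ordering_is_enforced():
    # True if a preventive action attempted before the corrective one is rejected.
    capa = Capa("ISSUE-2", roles=dict(ROLES))
    capa.submit_plan("qc.lee", "rc", ["fix"], ["prevent"], "ops.ng")
    capa.decide_plan("qa.kim", "approve")
    try:
        capa.complete_action("ops.ng", "prevent")
    except WorkflowError:
        return True
    return False
```

    The audit list is what a 21 CFR Part 11 style audit trail would be built from; the example records who moved the CAPA and to which state, not a signature.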


    Achieve compliance visibility
    Confidently report, certify and sign-off
    Improve compliance performance and predictability

    Key capabilities:
    - Crystal reports and Xcelsius dashboards
    - Cross-compliance and initiative-specific reporting
    - Existing report templates can be leveraged across any compliance initiative
    - Drill down provided in select dashboards and reports, to view/review the test and assessment results


    Reduce Cost with Automated Controls
    Create automated rules on-the-fly

    Reduces the cost of compliance with Automated Controls: the Automated Rules Framework (ARF) provides an infrastructure that enables building new automated rules in an easy and repeatable manner, effectively addressing unique business needs.

    Key capabilities:
    - Supports several key process areas, applications and types of functions
    - Build your own using a guided procedure to monitor any field combinations
    - Map SAP queries, reports, variants and programs into ACF
    - Monitor apps on 3rd-party systems such as ORCL, PSFT and DB2
    - Drive response to events, as an alternative to scheduled rules

    Automated Rules Framework components:
    1. BI Query Integration
    2. Configurable Rules
    3. Leverage Existing Queries and Reports
    4. Delivered Rule Content
    5. Complex Processing via ABAP Rules
    6. Monitor 3rd Party Applications

    (1) Change Logs: reliably re-create configuration and master data settings for the control timeframe (e.g. previous quarter), and examine the changes made.
    Examples:
    - Master Data: changes to critical Vendor Master data fields (e.g. payment terms, credit limits, etc.)
    - Configuration: changes to PO tolerance settings (e.g. receipt tolerances)

    (2) Value Checks: check for specified value(s) in master data, configuration, and transactions.
    Examples:
    - Master Data: identify vendors with payment terms in excess of 30 days
    - Configuration: monitor for a PO receipt tolerance setting in excess of 10% of PO quantity
    - Transaction: monitor for POs in excess of $1M (e.g. additional approval requirements)
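    The two rule types above, a change-log rule and the three value checks, as an added example that runs the slide's own cases over constructed data. This is not SAP code and not part of the original deck; the change-log layout, table and field names, the vendor, configuration and purchase-order records and the thresholds are assumed, and the thresholds stand in for the rule parameters (organization, account range, absolute value, %) of a configurable rule. The point the slide's wording leaves implicit is why the change log has to be rolled back: the sample vendor's payment terms look clean today, but a rule that reconstructs the value as of quarter-end finds they were NET90 for the whole control period.

```python
"""Added example, not SAP code: the two ARF rule types on the slide, change-log
rules and value-check rules, run over constructed change-log, vendor-master,
configuration and purchase-order records. Table and field names, the record
layout and the thresholds are assumed."""
from datetime import date
from decimal import Decimal

# Constructed change log: (changed_on, table, key, field, old, new, changed_by)
CHANGE_LOG = [
    (date(2009, 1, 5), "VENDOR", "V100", "PAYMENT_TERMS", "NET30", "NET90", "u.bob"),
    (date(2009, 2, 10), "VENDOR", "V200", "CREDIT_LIMIT", "50000", "250000", "u.carol"),
    (date(2009, 2, 11), "VENDOR", "V200", "CITY", "Pune", "Mumbai", "u.carol"),
    (date(2009, 3, 20), "CONFIG", "PO_TOL", "RECEIPT_TOL_PCT", "5", "15", "u.dan"),
    (date(2009, 4, 2), "VENDOR", "V100", "PAYMENT_TERMS", "NET90", "NET30", "u.bob"),
]
CRITICAL_VENDOR_FIELDS = {"PAYMENT_TERMS", "CREDIT_LIMIT", "BANK_ACCOUNT"}

# Constructed current master data, configuration and transactions.
VENDORS = {"V100": {"payment_terms_days": 30},
           "V200": {"payment_terms_days": 60},
           "V300": {"payment_terms_days": 45}}
CONFIG = {"PO_TOL": {"RECEIPT_TOL_PCT": Decimal("15")}}
PURCHASE_ORDERS = [{"po": "4500000001", "amount": Decimal("250000")},
                   {"po": "4500000002", "amount": Decimal("1200000")}]


def critical_changes(log, start, end, table, fields):
    """Change-log rule: which critical fields changed inside the control
    timeframe, and by whom. Returns (key, field, old, new, user) tuples."""
    return [(k, f, o, n, u) for ts, t, k, f, o, n, u in log
            if start <= ts <= end and t == table and f in fields]


def value_as_of(log, current, as_of, table, key, fld):
    """Re-create one setting as of a date by undoing, newest first, every
    logged change made after that date. Today's value says nothing about
    what was in force at period end."""
    value = current
    for ts, t, k, f, old, _new, _ in sorted(log, key=lambda e: e[0], reverse=True):
        if ts > as_of and (t, k, f) == (table, key, fld):
            value = old
    return value


def vendors_with_terms_over(vendors, days=30):
    """Value check (master data): payment terms in excess of `days`."""
    return sorted(v for v, rec in vendors.items() if rec["payment_terms_days"] > days)


def tolerance_over(config, limit_pct=Decimal("10")):
    """Value check (configuration): PO receipt tolerance above `limit_pct`."""
    return sorted(k for k, rec in config.items() if rec["RECEIPT_TOL_PCT"] > limit_pct)


def pos_over(purchase_orders, limit=Decimal("1000000")):
    """Value check (transaction): POs above `limit`, e.g. needing extra approval."""
    return sorted(p["po"] for p in purchase_orders if p["amount"] > limit)


def run_rules(start=date(2009, 1, 1), end=date(2009, 3, 31)):
    """Everything a quarterly run of these rules would report."""
    return {
        "vendor_critical_changes": critical_changes(
            CHANGE_LOG, start, end, "VENDOR", CRITICAL_VENDOR_FIELDS),
        "v100_terms_at_period_end": value_as_of(
            CHANGE_LOG, "NET30", end, "VENDOR", "V100", "PAYMENT_TERMS"),
        "terms_over_30": vendors_with_terms_over(VENDORS),
        "tolerance_over_10pct": tolerance_over(CONFIG),
        "pos_over_1m": pos_over(PURCHASE_ORDERS),
    }


if __name__ == "__main__":
    for name, result in run_rules().items():
        print(name, result)
```

    The change-log rule reports two critical vendor changes in Q1 and ignores the city change and the April reversal; the reconstruction returns NET90 for V100 at 31 March although the current master shows 30 days.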


    FDA Example: Achieve Compliance Visibility: Operational Compliance
    Accelerates industry compliance with pre-defined industry content

    Key capabilities:
    - Framework for automated testing and monitoring of FDA business processes
    - FDA content: SAP-provided automated controls for multiple business processes
    - End-to-end CAPA process for remediating issues raised from manual as well as automated monitoring and testing of controls
    - Compliance with 21 CFR Part 11: e-signatures
    - Effectiveness monitoring mechanism
    - FDA-specific reporting and trend analysis

    Components shown: compliance data management (process hierarchy, FDA controls, orgs); monitoring; testing; assessments; FDA-specific reporting; CAPA remediation process (Issue Owner, CAPA Plan Approver, Remediator, CAPA Execution Approver); audit trail; e-signature.