8/4/2019 Risk Based Internal Controls Ensure Continuous Compliance
1/50
SAP BusinessObjects Governance, Risk, and Compliance (GRC) Solutions
Risk-based Internal Control: Ensure Continuous Compliance
Name of Speaker, Department
Title of speaker
May, 2009
SAP AG 2009. All rights reserved. / Page 2
What's Happening in the Marketplace?
In 2005, FDA issued 97 warning letters to medical device firms; 80% of these included CAPA citations.
Number of recalls by FDA increased about 80% between 2000 and 2007.
"...loss of confidence by investors in the value of securitized mortgages in the United States resulted in a liquidity crisis that prompted a substantial injection of capital into financial markets..."
On August 2, 2007, Mattel's Fisher-Price subsidiary recalled almost one million Chinese-made toys.
Satyam was plunged into a crisis in January 2009 after its founder, B. Ramalinga Raju, said that the company's profits had been overstated for several years.
French President Nicolas Sarkozy has announced plans to lend PSA Peugeot Citroen and Renault three billion euros (3.9 billion dollars) each and other measures in exchange for a promise not to shut French plants or sack French workers.
Agenda
1. Customer Challenges, Impact and Solution approach
2. Benefits to Customers Using Risk-based Internal Control
3. Risk-based Internal Control Overview
4. Summary and Next Steps
5. Appendix
Internal Controls Today
No transparency, suboptimal decision-making
The process as it runs today: send out paper-based documentation surveys for completion; create test plan; receive test instructions via email; perform manual tests based on verbal instructions; consolidate results from multiple sources; save documents and spreadsheets to local file servers.
The questions this leaves open across the risk management and compliance team, the control testers and process owners, and management and executives:
What am I supposed to do?
Why is this important?
What do we need to test?
Who should perform the test?
Where do we stand?
How can we improve?
What are the Causes?
Today, companies spend a lot of time and effort to manage their controls, with insufficient results to be fully confident in their governance and to increase their performance.
Excessive time, effort and cost for compliance:
Manual control tests are time and resource intensive
Audit process is inefficient and costly
Late detection of deficiencies and tedious remediation process
Lack of confidence and visibility:
Limited insight into control environment
Crisis-driven business exception management
Compliance and risk information are insufficient for decision makers
Multiple compliance requirements lead to multiple risks:
Multiple and silo solutions that are not scalable
Inability to leverage overall risk and compliance efforts
Fragmented and reactionary management of multiple compliance
What's the Impact?
SOX 404 compliance costs for the average company were $1.7M (FEI Survey 2007, covering 168 companies with average revenues of $4.7 billion).
Average external audit fees have increased 271% (Foley & Lardner Survey 2007, between fiscal years 2001 and 2006, for companies with under $1 billion in revenue).
GRC spending will expand to $32.1B in 2008, up 7.4% from 2007 (source: AMR Research 2008).
[Chart: GRC spending in $ billions, broken down into People, Technology and Services; growth figures shown: 8.5% CAGR, 7.4%, 4.6%.]
"In this economic climate, companies can no longer focus solely on reactive spending to meet each new regulation. As executives are becoming aware of how different business and IT risks affect their bottom line, their spending focus is shifting toward approaching risk strategically, not just tactically." John Hagerty, AMR Research
Streamline the Compliance Process for Effective, Efficient Controls and Transparency
Complete, Enterprise-wide, Risk-based Internal Control
The streamlined flow across the Risk Management and Compliance Team, the Control Testers and Process Owners, and Management and Executives: document control and test plan; attach reference document and spreadsheet; follow guided procedure and perform test; report results and attach evidence.
Unified, risk-based control management across the enterprise
Real-time visibility on control effectiveness and key issue status
Reduced cost of compliance with automated controls and streamlined testing
Better managed risk thanks to robust control management and remediation
Savings Estimates Using Risk-based Internal Control Case Studies*
* Benchmarks from SAP's case studies and success stories

                                                                        Conservative   Likely
Potential annual benefits (total)                                           $3.6M      $4.5M
Mitigate risk through effective controls and remediation                    $1.1M      $1.3M
  Increase fraud prevention                                                 $0.5M      $1.1M
  Report and monitor key controls                                           $0.3M      $0.8M
  Resolve exceptions through remediation                                    $0.3M      $0.4M
Improve executive confidence with enterprise-wide control management        $709k      $951k
  Provide real-time visibility of control effectiveness                     $175k      $225k
  Unify control management across the enterprise                            $350k      $450k
  Enforce accountability with review, certification, and sign-off           $184k      $276k
Reduce cost and improve compliance                                          $1.8M      $2.0M
  Automate control testing                                                  $1.3M      $1.3M
  Shorten audit cycles                                                      $0.4M      $0.5M
  Streamline manual evaluation, issue identification                        $0.1M      $0.2M
Risk-based Internal Control in Practice
A major retailer is confident in the robustness and flexibility of SAP BusinessObjects Process Control to support their international expansion and provide them with enterprise-wide visibility on the status of compliance.
A healthcare company completed their SAP BusinessObjects Process Control pilot in 2 weeks and maximizes the efficiency of their implementation through a user-driven deployment of the solution that minimizes the reliance on IT resources.
An oil and gas group minimizes user training thanks to the ease of use of the application and leverages SAP BusinessObjects Process Control configuration capabilities to keep changes in their data and reports to a minimum.
A pharmaceuticals company is planning to use SAP BusinessObjects Process Control for other compliance requirements in addition to Sarbanes-Oxley.
Another healthcare group significantly improves speed of resolution of deficiencies and gains better visibility on remediation cases for their control owners.
Allergan Automates SOX Compliance with SAP BusinessObjects Process Control
Quick facts
Allergan Inc.
Location: Irvine, California
Industry: Life sciences
Products and services: Specialty pharmaceuticals and medical devices
Revenue: US$4.4 billion
Employees: Approximately 8,000
Web site: www.allergan.com
SAP solution and services: SAP BusinessObjects Process Control application, SAP Consulting
"SAP BusinessObjects Process Control does everything we thought it would do and even more than we expected. The implementation was very functionality-driven, and we're excited about expanding the use of automated controls in the future." Bart Brock, Sr. Project Manager, Allergan Inc.
Challenges and opportunities
Reduce risk of financial misstatements and noncompliance
Automate testing and compliance processes to save time and improve efficiency
Objectives
Implement a robust solution for managing Sarbanes-Oxley Act (SOX) compliance processes end-to-end, including auditing, monitoring, and testing of controls
Implementation highlights
Engaged PricewaterhouseCoopers (PwC) as lead system integrator
Formed synergistic team consisting of PwC, SAP Consulting, and internal personnel
Why SAP
Integrated with the SAP software that runs the business
Positive experiences with SAP products
Availability of preferred implementation practices
Benefits
Migrated all processes to the SAP BusinessObjects Process Control application
Automated many controls
Achieved user-driven operations with minimal IT involvement
Increased efficiency of SOX compliance processes
Improved overall SOX compliance capability
Agenda
1. Customer Challenges, Impact and Solution Approach
2. Benefits to Customers Using Risk-based Internal Control
3. Risk-based Internal Control Overview
3.1 Align enterprise risk with compliance
3.2 Reduce cost with automated controls
3.3 Achieve compliance visibility
4. Summary and Next Steps
5. Appendix
Risk-based Internal Control
Aligning enterprise risk with continuous compliance
SAP solution:
Document new compliance initiatives using a top-down risk-based approach
Develop assessment, testing and monitoring strategy. Perform tests, report results and raise issues
Analyze issues, perform necessary remediation and certify results
[Figure: the Risk-based Internal Control cycle. Risk Management contributes Risk Identification and Risk Monitoring; Process Control contributes Document Compliance Initiatives, Plan and Perform Assessments and Tests, and Remediate Issues and Certify Results; Access Control contributes Access Analysis and Response.]
SAP differentiators:
Increase efficiency by aligning enterprise risk with multiple compliance initiatives
Reduce cost and the risk of non-compliance through rapidly deployable automated configurable controls
Ensure control effectiveness across heterogeneous application landscapes through continuous monitoring
Risk-based Internal Control
Aligning enterprise risk with continuous compliance
Align enterprise risk with compliance:
Identify and prioritize compliance risks
Establish controls to mitigate compliance risks
Document all compliance initiatives via centralized catalogs
Reduce cost with configurable controls:
Create automated rules on-the-fly
Leverage pre-delivered rules to test and analyze
Monitor controls proactively to identify exceptions
Ensure control effectiveness:
Continuously monitor heterogeneous landscapes, SAP and non-SAP
Rapidly respond with industry content
Confidently report, certify and sign-off
Align Enterprise Risk with Compliance
Identify and prioritize compliance risk
Key capabilities:
Identify risks associated with regulations and policies
Identify impacted organizations and business processes
Determine risk exposure at organization level
Identify organizations and processes in-scope through materiality analysis or risk prioritization using enterprise risk assessment
Assign processes and controls to organizations
[Figure: Identify Top Compliance Risks, Perform High Level Scoping, Document Risks, with Risk Analysis and Risk Exposure views.]
Optimize compliance resources by focusing on key risk areas
Align Enterprise Risk with Compliance
Identify controls to mitigate compliance risk
Key capabilities:
Formulate risk responses to inadequately addressed risks
Review control proposals and create proposed controls either by assignment or new control creation
Notify risk management of control creation status
Perform control-risk assessment to determine required level of evidence
Raise issues for remediation
[Figure: Risk Analysis and Risk Exposure feed Identify Controls and Map to Risks, followed by Plan Assessments and Tests.]
Reduce enterprise risk with effective controls
Align Enterprise Risk with Compliance
Document all compliance initiatives via centralized catalogs
Key capabilities:
Master data catalogs leveraged across multiple compliance initiatives
Simultaneous support for regulatory requirements and internal policy mandates
Shared controls testing and assessments
Configurable remediation plans for each compliance initiative
Drill-down capability to view/review the test and assessment results
Improve compliance efficiency by streamlining activities
Reduce Cost with Configurable Controls
Create automated rules on-the-fly
Key capabilities:
Intuitive and flexible user interface to create unlimited monitoring criteria without programming
Configuration and master data audit trail
Simple transaction monitoring available
[Figure: the Process Control Configurable Controls Designer (monitor threshold values, create deficiency criteria, etc.) drives detective monitoring over tables/views across the SAP Business Suite enterprise application, covering transaction controls (e.g. PO, invoice), master data controls (e.g. vendor payment terms) and configuration controls (e.g. invoice tolerance).]
Easily adapt to changing business and compliance needs
Reduce Cost with Configurable Controls
Leverage pre-delivered rules
Key capabilities:
Automate control testing, monitoring across SAP and non-SAP systems with out-of-the-box rules
More than 200 delivered scripts for automated control testing*
Additional testing automation using standard SAP queries/reports
User definable multi-step test plans and flexible assessment surveys
* Exact number depends on your industry

Process area          Sub-processes                                                                      # Controls
Order to Cash         Order Capture, Order Fulfillment, Billing & Returns, Revenue Recognition                  23
Procure to Pay        Demand Planning, Operational Procurement, Inventory Management, Payables Management       28
Reconcile to Report   Budgeting Planning, Sub Ledger Transactions, Financial Close, Consolidation & Reporting   18
IT Basis              Application Implementation, Change Control, Application Security, Network Support         18
HR                    Workforce Planning, Hiring, Compensation, Employee Relations                                1
Treasury              Cash Management, Risk Management, Portfolio Management, Inter-company Finance               5
Fixed Assets          Asset Acquisition, Asset Depreciation, Asset Disposition, Asset Management                14
FDA                   Design Control, CAPA, Material Controls, Post Market Support                              15

Improve compliance responsiveness with packaged rules
Reduce Cost with Configurable Controls
Monitor controls proactively to identify exceptions
Key capabilities:
Rapidly detect and analyze exceptions
Proactively notify key stakeholders
Automated workflow to designate ownership
Close the loop by continuously monitoring compliance violations
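The configurable-controls designer slide and the exception-monitoring slide above describe detective controls that watch transactions, master data and configuration against threshold values and deficiency criteria, then route each exception to an owner. What follows is an added example written for this page, not SAP's own code or rule format: it expresses one control of each type as a rule over constructed sample records (the table and field names, the 5% policy threshold, the owner IDs and the significant-at counts are all assumptions), evaluates them, rates each control against its deficiency criterion and builds the per-owner work queue the remediation workflow would start from.

```python
"""Configurable detective controls evaluated over constructed ERP-style records.

Added example, not SAP code. Each control type on the slide (transaction, master
data, configuration) becomes a rule with a test, a deficiency criterion and an
owner; every failing record is an exception routed to that owner."""
from dataclasses import dataclass
from typing import Callable

# Policy threshold (assumed): no invoice tolerance key may allow more than 5 %.
MAX_TOLERANCE_PCT = 5.0

# Constructed sample data; table and field names are illustrative, not SAP tables.
DATA = {
    "config": [                       # configuration controls: invoice tolerance limits
        {"tolerance_key": "PP", "pct_upper": 5.0},
        {"tolerance_key": "PS", "pct_upper": 12.0},    # more permissive than policy
    ],
    "vendor_changes": [               # master data controls: payment-terms change log
        {"vendor": "V100", "field": "payment_terms", "old": "NET30", "new": "NET45", "by": "alice"},
        {"vendor": "V200", "field": "payment_terms", "old": "NET30", "new": "NET00", "by": "bob"},
    ],
    "invoices": [                     # transaction controls: invoice against purchase order
        {"doc": "INV1", "po_amount": 1000.0, "inv_amount": 1030.0, "tolerance_key": "PP"},
        {"doc": "INV2", "po_amount": 1000.0, "inv_amount": 1200.0, "tolerance_key": "PP"},
        {"doc": "INV3", "po_amount": 500.0, "inv_amount": 550.0, "tolerance_key": "PS"},
    ],
}

@dataclass(frozen=True)
class Rule:
    rule_id: str
    control_type: str                    # "transaction" | "master_data" | "configuration"
    source: str                          # table in DATA that the rule scans
    key_field: str                       # field identifying the record in an exception
    description: str
    test: Callable[[dict, dict], bool]   # (record, all data) -> True when the record fails
    owner: str                           # who receives the exception in the workflow
    significant_at: int                  # deficiency criterion: hits that make it significant

@dataclass(frozen=True)
class ControlException:
    rule_id: str
    record_key: str
    owner: str
    detail: str

def invoice_over_tolerance(rec, data):
    """Transaction control: invoice exceeds its PO by more than the configured tolerance."""
    limits = {c["tolerance_key"]: c["pct_upper"] for c in data["config"]}
    deviation_pct = (rec["inv_amount"] - rec["po_amount"]) / rec["po_amount"] * 100
    return deviation_pct > limits.get(rec["tolerance_key"], 0.0)

def tolerance_too_permissive(rec, data):
    """Configuration control: a tolerance key allows more deviation than policy permits."""
    return rec["pct_upper"] > MAX_TOLERANCE_PCT

def terms_changed_to_immediate(rec, data):
    """Master data control: vendor payment terms were changed to immediate payment."""
    return rec["field"] == "payment_terms" and rec["new"] == "NET00" and rec["old"] != "NET00"

RULES = [
    Rule("TXN-001", "transaction", "invoices", "doc", "invoice exceeds PO beyond tolerance",
         invoice_over_tolerance, "ap-process-owner", significant_at=3),
    Rule("MD-001", "master_data", "vendor_changes", "vendor", "payment terms set to immediate",
         terms_changed_to_immediate, "vendor-master-owner", significant_at=2),
    Rule("CFG-001", "configuration", "config", "tolerance_key", "tolerance key exceeds policy",
         tolerance_too_permissive, "erp-config-owner", significant_at=1),
]

def run_controls(rules, data):
    """Evaluate every rule over its source table; each failing record is one exception."""
    exceptions = []
    for rule in rules:
        for rec in data[rule.source]:
            if rule.test(rec, data):
                exceptions.append(ControlException(
                    rule.rule_id, str(rec[rule.key_field]), rule.owner, rule.description))
    return exceptions

def rate_deficiencies(rules, exceptions):
    """Apply each rule's deficiency criterion to its exception count."""
    counts = {r.rule_id: 0 for r in rules}
    for e in exceptions:
        counts[e.rule_id] += 1
    return {r.rule_id: ("effective" if counts[r.rule_id] == 0
                        else "significant deficiency" if counts[r.rule_id] >= r.significant_at
                        else "deficiency")
            for r in rules}

def route_to_owners(exceptions):
    """Group exceptions by owner: the work queue the remediation workflow starts from."""
    queue = {}
    for e in exceptions:
        queue.setdefault(e.owner, []).append(e)
    return queue

if __name__ == "__main__":
    found = run_controls(RULES, DATA)
    print(rate_deficiencies(RULES, found), route_to_owners(found))
```

The transaction rule reads its threshold from the configuration table rather than hard-coding it, which is why the configuration control matters: a tolerance key that is too permissive silently weakens every invoice check that references it, so the example flags the permissive key as significant on the first hit.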
Ensure Control Effectiveness
Continuously monitor heterogeneous landscapes
Key capabilities:
Rapidly detect and analyze exceptions
Supports both SAP and non-SAP
Partner support (Greenlight)
Multi-App Query Tool to define custom controls
[Figure: SAP BusinessObjects Process Control (process/control hierarchy, automatic testing, rule engine, issue remediation, real-time reporting, scheduler) connected to legacy and custom systems through pre-defined controls delivered as Process Control xPAC by Greenlight (SOA architecture) and through custom controls built with the Multi-App Query Tool.]
Reduce risk with operational transparency enterprise-wide
Ensure Control Effectiveness
Continuously monitor access management compliance
Key capabilities:
Perform assessments and tests of access-related risks
Review automated access test results
Determine/perform appropriate remediation
[Figure: Access-related Risk, Plan Assessments and Tests, Access Remediation.]
Gain visibility by continuously monitoring security and access related controls
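The slide does not say what an automated access test looks like; a segregation-of-duties (SoD) check over user roles and authorizations is one common form, and it exercises all three capabilities listed (test the access risk, review the results, decide the remediation). The following is an added example, not SAP Access Control code: the roles, actions, conflict rules and the accepted mitigating control are all constructed, and the remediation proposal (remove the one role whose loss breaks the conflict while taking away the fewest actions) is the example's own heuristic, not a product feature.

```python
"""Segregation-of-duties (SoD) analysis over constructed roles and authorizations.

Added example, not SAP code. Users hold roles, roles grant actions, and a conflict
rule names two actions one person must not hold together. Each conflict is a
finding; findings covered by an accepted mitigating control are reported as
mitigated, and for open findings the least disruptive role removal is proposed."""
from dataclasses import dataclass

# Constructed sample authorizations; role and action names are illustrative.
ROLE_ACTIONS = {
    "AP_CLERK":      {"create_vendor", "post_invoice"},
    "AP_PAYMENTS":   {"run_payment"},
    "VENDOR_MASTER": {"create_vendor", "change_bank_account"},
    "AUDITOR_RO":    {"display_vendor", "display_invoice"},
}
USER_ROLES = {
    "alice": {"AP_CLERK", "AP_PAYMENTS"},       # can post an invoice and pay it
    "bob":   {"VENDOR_MASTER", "AP_PAYMENTS"},  # can redirect a vendor's bank account and pay
    "carol": {"AUDITOR_RO"},
    "dave":  {"AP_CLERK"},                      # conflict inside a single role
}
# (rule id, action A, action B, risk rating): holding A and B together is a conflict.
SOD_RULES = [
    ("SOD-01", "post_invoice", "run_payment", "high"),
    ("SOD-02", "change_bank_account", "run_payment", "high"),
    ("SOD-03", "create_vendor", "post_invoice", "medium"),
]
# Mitigating controls accepted by risk management for a specific user and rule (assumed).
MITIGATIONS = {("alice", "SOD-01"): "weekly independent review of the payment run log"}

@dataclass(frozen=True)
class Finding:
    user: str
    rule_id: str
    risk: str
    status: str          # "open" or "mitigated"
    granted_by: tuple    # roles granting each of the two conflicting actions

def effective_actions(roles):
    """Union of the actions granted by a set of roles."""
    return set().union(*(ROLE_ACTIONS[r] for r in roles)) if roles else set()

def roles_granting(roles, action):
    return tuple(sorted(r for r in roles if action in ROLE_ACTIONS[r]))

def analyze(user_roles=USER_ROLES, rules=SOD_RULES, mitigations=MITIGATIONS):
    """Return one Finding per user and violated SoD rule, in user order."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        actions = effective_actions(roles)
        for rule_id, a, b, risk in rules:
            if a in actions and b in actions:
                status = "mitigated" if (user, rule_id) in mitigations else "open"
                findings.append(Finding(user, rule_id, risk, status,
                                        (roles_granting(roles, a), roles_granting(roles, b))))
    return findings

def least_disruptive_removal(user, rule_id, user_roles=USER_ROLES, rules=SOD_RULES):
    """The single role whose removal breaks the conflict while losing the fewest actions.

    Returns None when no single role removal resolves the conflict."""
    _, a, b, _ = next(r for r in rules if r[0] == rule_id)
    roles = user_roles[user]
    before = effective_actions(roles)
    best = None
    for role in sorted(roles):
        after = effective_actions(roles - {role})
        if a in after and b in after:
            continue                       # conflict survives; not a fix
        lost = len(before) - len(after)
        if best is None or lost < best[0]:
            best = (lost, role)
    return best[1] if best else None

if __name__ == "__main__":
    for f in analyze():
        fix = "" if f.status == "mitigated" else f" -> remove {least_disruptive_removal(f.user, f.rule_id)}"
        print(f"{f.user} {f.rule_id} ({f.risk}) {f.status} via {f.granted_by}{fix}")
```

Two results are worth reading off the sample: alice's SOD-01 conflict is reported as mitigated but still reported, so the compensating control stays visible to the reviewer, and dave's conflict sits inside a single role, which no user-level remediation can fix without redesigning the role itself.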
SAP BusinessObjects Process Control 3.0
Compliance reporting and analytics
Key capabilities:
Crystal Reports and Xcelsius dashboards
Cross-compliance and initiative-specific reporting
Existing report templates can be leveraged across any compliance initiatives
Drill down provided in select dashboards and reports
[Figure: key reports pre-delivered, with drill-down capability to view/review the test and assessment results.]
Improve compliance performance and predictability
Achieve Compliance Visibility
Rapidly respond with industry content
Key capabilities:
Life Sciences industry: risk drivers, KRIs, risk events, impact and risk responses for promotional spend, off-label promotion, product quality and pricing compliance
Oil & Gas industry: risk drivers, KRIs, risk events, impact and risk responses for the Foreign Corrupt Practices Act (FCPA), Occupational Health & Safety (OSHA), FAS 133 and logistics
Accelerates industry compliance with pre-defined industry content
Risk-based Internal Control Benefits
#1 Align enterprise risk with compliance initiatives:
Optimize compliance resources by focusing on key risk areas
Reduce enterprise risk with effective controls
Improve compliance efficiency by streamlining activities
#2 Reduce cost with configurable controls:
Easily adapt to changing business and compliance needs
Improve compliance responsiveness with packaged rules
Close the loop by continuously monitoring compliance violations
#3 Ensure control effectiveness through continuous monitoring:
Reduce risk with operational transparency enterprise-wide
Comprehensive content for industry-specific compliance
Improve compliance performance and predictability
SAP GRC Process Control 3.0
Extending operational efficiencies across the enterprise
[Figure: architecture overview. Compliance initiatives: SOX, JSOX, FDA. Control environment: Process-Control-Objective-Risk, spanning business processes (FIN, SCM, SRM, MFG, HR) and IT infrastructure. Activities: scope, evaluate, perform assessments, test manual controls, automated controls framework, monitor exceptions, remediate issues, perform CAPA, sign-off; certify, sign-off and e-signature (302, 404, 21 CFR Part 11). Enterprise integration: Risk Management, Access Control, Oracle, PSFT, DB2, 3rd party apps, Cisco SONA, event systems. Enterprise productivity: enterprise search over structured and unstructured content, Adobe Interactive Forms. Analytics and reporting: Crystal Reports, Xcelsius dashboards, BI reports, datasheets.]
For More Information
See www.SAP.com/GRC for:
SAP BusinessObjects Process Control information
Customer case studies
Online self-running demo
Information on all other SAP BusinessObjects Governance, Risk, and Compliance (GRC) solutions
Thank you!
Copyright 2009 SAP AG
All Rights Reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, Duet, Business ByDesign, ByDesign, PartnerEdge and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned and associated logos displayed are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.
Demonstration: Risk-based Internal Control
Risk-based Internal Control
[Figure: how the GRC solutions map to the CFO organization (Strategy / Planning, Business Operations, Internal Audit, Risk Management). Enterprise Risk Management: Risk Planning, Risk Identification, Risk Analysis, Risk Response, Risk Monitoring. Risk-Based Internal Controls: Document Compliance Initiatives, Plan and Perform Assessments and Tests, Remediate Issues and Certify Results. Access Management: Access Planning, Access Analysis and Response, Access Monitoring. Duty Reduction and Trade Compliance: Trade Policy Planning. Roles shown: CFO; Head of Compliance/Internal Audit; Head of Risk Management; Vice President Tax / Head of Compliance; Head of Internal Audit / Chief Security Officer.]
Align Strategy and Risk with Compliance
Document all compliance initiatives via centralized catalogs
Example: framework for a US-based global life science / pharmaceutical company
[Figure: a central framework (organization structures; processes, risks & controls) shared by three compliance initiatives, each with its own mandates/sub-mandates, policies and user roles & authorizations: FDA, SOx (SOX 302, 404) and J-SOx.]
Align Strategy and Risk with Compliance
Document all compliance initiatives via centralized catalogs
At a corporate or local level
[Figure: organization hierarchy: Corporate; Parent Org 1 and Parent Org 2; USA, India, Vancouver, Hong Kong.]
Org owners perform AOD (aggregation of deficiencies) analysis at the org level and the SOX PMO performs the final AOD analysis at the corporate level.
Align Strategy and Risk with Compliance
Document all compliance initiatives via centralized catalogs
Example: Global Compliance Office: Regulation/Policy Admin
Customizable user menus
Global and compliance initiative-specific menu content
Role-based user content
Align Strategy and Risk
Risk Intelligent Reporting & Certification

Sign-off hierarchy (hierarchical, bottom-up progression):
1. Each subprocess owner signs off (Purchasing, Accounts Payable)
2. Process owner signs off (Procure to Pay)
3. Lowest location signs off (US Finance)
4. Higher location signs off (US)
5. Corporate signer(s) sign off (Corporate Signers)
6. CEO/CFO sign off

Support section 302 certification
Freeze key information that has been signed off
Hierarchical, bottom-up progression

Close the loop between strategy and execution with a top-down Risk-based approach
Sign-off with Confidence through Formalized Certification
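The bottom-up sign-off described above, as an added example that is not part of the original slide deck or of SAP's software: a node in the hierarchy may only be signed off once every child has been signed off, and signing freezes a digest of the node's key information so that later changes to signed-off data are detectable. The signer ids, the `controls_effective` field and the tree itself are constructed for the example.

```python
"""Hierarchical, bottom-up sign-off with a freeze of signed-off information.

Added example, not SAP code: models the six-level progression on the slide
(subprocess -> process -> location -> higher location -> corporate signers
-> CEO/CFO). Signer ids and key information are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    name: str
    signer: str                                     # constructed id allowed to sign here
    key_info: dict = field(default_factory=dict)    # e.g. control test results
    children: list = field(default_factory=list)
    signed_by: Optional[str] = None
    frozen_digest: Optional[str] = None

    def digest(self) -> str:
        """Digest over this node's key info plus the children's frozen digests."""
        payload = {"key_info": self.key_info,
                   "children": [c.frozen_digest for c in self.children]}
        return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


def sign_off(node: Node, signer: str) -> str:
    """Sign a node; refused unless the signer matches and all children are signed."""
    if signer != node.signer:
        raise PermissionError(f"{signer} may not sign off {node.name}")
    pending = [c.name for c in node.children if c.signed_by is None]
    if pending:
        raise ValueError(f"{node.name}: children not yet signed off: {pending}")
    node.signed_by = signer
    node.frozen_digest = node.digest()   # freeze the signed-off information
    return node.frozen_digest


def verify_frozen(node: Node) -> list:
    """Names of signed nodes whose key information changed after sign-off."""
    broken = []
    if node.signed_by is not None and node.digest() != node.frozen_digest:
        broken.append(node.name)
    for c in node.children:
        broken.extend(verify_frozen(c))
    return broken


def find(node: Node, name: str) -> Optional[Node]:
    """Locate a node by name anywhere below `node`."""
    if node.name == name:
        return node
    for c in node.children:
        hit = find(c, name)
        if hit is not None:
            return hit
    return None


def build_tree() -> Node:
    """The hierarchy from the slide, with constructed signers and results."""
    purchasing = Node("Purchasing", "purchasing.owner", {"controls_effective": True})
    payables = Node("Accounts Payable", "ap.owner", {"controls_effective": True})
    p2p = Node("Procure to Pay", "p2p.owner", children=[purchasing, payables])
    us_finance = Node("US Finance", "usfin.lead", children=[p2p])
    us = Node("US", "us.controller", children=[us_finance])
    corporate = Node("Corporate Signers", "corp.signer", children=[us])
    return Node("CEO/CFO", "cfo", children=[corporate])


def certify_bottom_up(root: Node) -> list:
    """Sign every node in post-order (children first); returns the sign-off order."""
    order = []

    def walk(n: Node) -> None:
        for c in n.children:
            walk(c)
        sign_off(n, n.signer)
        order.append(n.name)

    walk(root)
    return order


if __name__ == "__main__":
    tree = build_tree()
    print(certify_bottom_up(tree))
    find(tree, "Purchasing").key_info["controls_effective"] = False
    print("changed after sign-off:", verify_frozen(tree))
```

Because each parent's digest covers its children's frozen digests rather than their live data, a change to a leaf after sign-off is attributed to that leaf alone, which is the node whose owner must re-sign.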
Risk-Adjusted Controls Management: SAP BusinessObjects Process Control
End-to-End, Enterprise-wide Business Process Control

1. Document Compliance Initiatives
Identify the risks associated with new regulations or policies and document the associated compliance structure using a top-down risk-based approach.
Unify control management across the enterprise through a single system of record that can adapt to changing business needs.
Enable an enterprise environment for monitoring business systems and timely detection of issues and risks.

2. Plan and Perform Assessments and Tests
Align the planning and scheduling of testing in accordance with the compliance calendar. Conduct the tests, report the test results and raise issues for remediation.
Automate control testing and monitoring across heterogeneous environments.
Shorten audit cycles through the optimization of compliance activities.
Resolve exceptions more efficiently with workflow-driven issue identification and remediation.

3. Remediate Issues and Certify Results
Review the results of your compliance activities, remediate identified issues and certify your results through sign-off and audit.
Provide real-time visibility of control effectiveness and remediation of key issues, eliminating surprises.
Enforce accountability with review, certification, and sign-off of processes.
Use comprehensive reports and dashboards to monitor control activity and issue status.

Slide notes:
Either remove or place after the ROI slide. Before introducing the product: Flow = RBIC, ROI, Processes
- How we do it differently (product)
S2 (Slide 40): (1) This slide doesn't flow well from the previous slide - suggest it follow the 4 steps outlined in the previous slide and not be product specific. (2) This can be achieved by outlining capabilities in RM and PC 3.0 and integrations with AC. (3) This applies to next slide #29. I811750; 17-12-2008
Reduce Cost with Automated Controls
Create automated rules on-the-fly

Select Pre-delivered Test / Re-use Custom Test / Construct Ad-hoc Test
Pre-delivered process control tests with flexible rule criteria
SOD analysis and reporting
Plug-and-play your existing test scripts
Create control tests on-the-fly with SAP query tools

Process areas covered:
Order to Cash: Order Capture; Order Fulfillment; Billing and Returns; Revenue Recognition
Procure to Pay: Demand Planning; Operational Procurement; Inventory Management; Payables Management
Reconcile to Report: Budgeting / Planning; Subledger Transactions; Financial Close; Consolidation and Reporting
IT Basis: Application Security; Change Control

Slide note: Automated Controls Tee-up
Reduce cost with configurable controls
Leverage Pre-delivered Rules

Master Rule: Program
Rule Parameters: Org. A, Org. B; Account Range, Single Account; Absolute Value (H / M / L); % (H / M / L)
Rule Frequencies: Daily, Weekly, Bi-Weekly, Fortnightly, Monthly, Quarterly, Semi-Annual, Annual
Automated Rule 1: Program, with its own parameter values (Org. A, Org. B; Account Range, Single Account; Absolute Value H / M / L; % H / M / L) and frequency
Automated Rule 2: Program, with its own parameter values and frequency
Managing Enterprise Risks
2.2.1 Foreign Corrupt Practices Act Compliance Risk

RISK EVENT: Employee/Agent Involved in Illegal Arrangement (FCPA)
BUSINESS PROCESS: Regulatory Compliance (S39)
DRIVERS:
Conduct business with foreign state-run entities
Operate in overseas high-risk markets
Use of 3rd party representatives to facilitate overseas business
KPIs: # of payments to foreign officials characterized as contributions, consulting payments or miscellaneous expenses
IMPACTS:
Financial Earnings (SEC & DOJ violations, fines, penalties, remediation)
Financial Revenue (Ineligibility of doing business with foreign entity)
Reputation (Disclosures, investigation, prosecution, oversight)

Responses (Preventive responses reduce probability of event; Recovery responses reduce impact of event):
Reduce: Code of Conduct and FCPA or anti-corruption policies in place; Anti-corruption training in place; Whistleblower line
Avoid: Avoid business in high risk markets prone to abuse
Transfer: Contractual protections with agents
Accept: Maintain legal and penalty reserve
PC/AC Control: SOD - Separate Vendor Maintenance from Invoice Approval (AC); Monitor employees that are overdue for ethics/FCPA training (PC); Monitor suspicious payment attributes such as round payments, one time vendor, etc. (PC)

Key Risk Indicators:
# of reviews conducted for due diligence on all foreign business partners and third-party representatives (manual)
% employees with foreign official contact who have had FCPA training (SAP HCM)
Expense % of total compensation for sales agents responsible for international accounts (SAP - Payroll)
Achieve Compliance Visibility
Rapidly respond with Industry content
Achieve Compliance Visibility
Rapidly respond with Industry content

RISK EVENT: Inappropriate enticements or kick-backs in exchange for preferential treatment
BUSINESS PROCESS: Field Sales & Marketing
DRIVERS:
Sales culture makes controlling and tracking expenses difficult
Increasing government regulation over promotional expenses
PhRMA and AMA guidelines on CME and sales contacts
Key Performance Indicators: Financial impact of fines and penalties; Average sales rep expenses
IMPACTS:
Legal/Regulatory (Significant fines levied by DOJ and other bodies)
Legal/Regulatory (Corporate integrity agreements increase scrutiny and costs)
Reputation (Reputation suffers from poor publicity)

Responses (Preventive responses reduce probability of event; Recovery responses reduce impact of event):
Reduce: Establish and enforce policies & procedures around spending (types & thresholds); Training on types of spending allowed; Review of physician contracts for compliance
PC/AC Control: Tracking and reporting payments made to physicians via accounts payable or sales representatives' travel and expense accounts; Monitoring types of payments made to customers/physicians; Monitoring amounts and thresholds paid to customers/physicians

Increasing regulation and scrutiny under the Anti-Kickback Statute, Foreign Corrupt Practices Act (FCPA) and similar federal and state regulations requires companies to limit their promotional spending on physicians, with different rules in different states. The voluntary PhRMA code and AMA guidance also provide limits in this increasingly complex space. Tracking methods and controls are limited and poorly integrated with IT environments.

Key Risk Indicators:
Training Hours per (sales) Employee (SAP IV.J.5)
Avg. Sales Rep Expenses (SAP S9)
Budget to Actual differences in CSR expenses (SAP S9, S38)
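The payment monitoring that both risk cards call for (suspicious payment attributes such as round payments and one-time vendors on the FCPA card; types, amounts and thresholds of physician payments, plus the average sales rep expense KRI, on the field sales card), as an added example that is not SAP Process Control rule content. The `Payment` record layout, the policy values (allowed payment types, the 500 and 2,000 thresholds, the 1,000 round-amount step), the placeholder country codes `XX`/`YY` and the sample records are all constructed for the example.

```python
"""Monitoring payment attributes and spend thresholds.

Added example, not SAP Process Control rule content: runs the checks the
two risk cards describe over constructed payment records. Field names,
policy values, country codes and records are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    doc_id: str
    vendor_id: str
    vendor_type: str      # "regular", "one_time", "physician"
    payee_country: str    # "XX"/"YY" are placeholder high-risk market codes
    payment_type: str     # "consulting", "contribution", "misc", "honorarium", "meal", ...
    amount: float
    sales_rep: str        # owner of the T&E account it was paid from; "" if paid via AP


# assumed policy values
ALLOWED_PHYSICIAN_TYPES = {"honorarium", "meal", "cme_grant"}
PHYSICIAN_SINGLE_PAYMENT_LIMIT = 500.0
PHYSICIAN_ANNUAL_LIMIT = 2000.0
HIGH_RISK_COUNTRIES = {"XX", "YY"}
OFFICIAL_PAYMENT_TYPES = {"consulting", "contribution", "misc"}
ROUND_AMOUNT_STEP = 1000.0


def is_round(amount: float, step: float = ROUND_AMOUNT_STEP) -> bool:
    """Round payments: whole multiples of `step` (1,000 by default)."""
    return amount >= step and amount % step == 0


def fcpa_findings(payments):
    """Flag the attributes the FCPA card lists as suspicious, one entry per document."""
    findings = []
    for p in payments:
        reasons = []
        if p.vendor_type == "one_time":
            reasons.append("one-time vendor")
        if is_round(p.amount):
            reasons.append("round amount")
        if p.payee_country in HIGH_RISK_COUNTRIES and p.payment_type in OFFICIAL_PAYMENT_TYPES:
            reasons.append(f"{p.payment_type} payment in high-risk market")
        if reasons:
            findings.append((p.doc_id, reasons))
    return findings


def physician_findings(payments):
    """Flag physician payments by disallowed type, single-payment and annual thresholds."""
    findings = []
    annual = defaultdict(float)
    for p in payments:
        if p.vendor_type != "physician":
            continue
        annual[p.vendor_id] += p.amount
        if p.payment_type not in ALLOWED_PHYSICIAN_TYPES:
            findings.append((p.doc_id, f"payment type {p.payment_type} not allowed"))
        if p.amount > PHYSICIAN_SINGLE_PAYMENT_LIMIT:
            findings.append((p.doc_id, "single payment over limit"))
    for vendor, total in annual.items():
        if total > PHYSICIAN_ANNUAL_LIMIT:
            findings.append((vendor, "annual total over limit"))
    return findings


def avg_sales_rep_expense(payments) -> float:
    """KRI: average amount paid out of sales reps' T&E accounts, per rep."""
    per_rep = defaultdict(float)
    for p in payments:
        if p.sales_rep:
            per_rep[p.sales_rep] += p.amount
    return round(sum(per_rep.values()) / len(per_rep), 2) if per_rep else 0.0


# constructed sample records
SAMPLE = [
    Payment("P1", "V100", "regular",   "DE", "consulting", 1250.50, ""),
    Payment("P2", "V900", "one_time",  "XX", "consulting", 5000.00, ""),
    Payment("P3", "V200", "physician", "US", "honorarium",  300.00, "rep_a"),
    Payment("P4", "V200", "physician", "US", "gift",        750.00, "rep_a"),
    Payment("P5", "V300", "physician", "US", "meal",       1800.00, "rep_b"),
    Payment("P6", "V300", "physician", "US", "meal",        400.00, "rep_b"),
]

if __name__ == "__main__":
    for doc, reasons in fcpa_findings(SAMPLE):
        print("FCPA:", doc, reasons)
    for ref, reason in physician_findings(SAMPLE):
        print("Physician spend:", ref, reason)
    print("Avg sales rep expense:", avg_sales_rep_expense(SAMPLE))
```

Each check reports the document (or vendor, for the annual total) together with the reason, which is what an issue owner needs to triage a hit; the thresholds are deliberately module-level constants so that the rule parameters can be varied per organisation, as the configurable-rules slide describes.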
Continuously Monitor Heterogeneous applications
Rapidly respond with Industry content

CAPA workflow. Swimlanes: Issue Owner (QC Manager); CAPA remediator(s); Approver of CAPA plan (QA manager); Approver of CAPA plan execution (QA manager).

Trigger: an FDA control (manual or automated) identifies an issue, due to deficiencies in a business process.

Issue Owner (QC Manager):
1. Performs Discrepancy Evaluation
2. Assigns CAPA plan
3. Performs Root Cause Analysis
4. Lists Corrective Actions
5. Lists Preventive Actions
6. Lists Contingencies (optional)
7. Assigns CAPA remediator
8. Submits CAPA plan for approval

Approver of CAPA plan (QA manager), 3 Approval Options:
Option I: Send the CAPA back to Issue Owner for Rework
Option II: Approves the CAPA plan
Option III: Cancels CAPA plan (outcome: CAPA plan Cancelled)

CAPA remediator(s):
1. Completes Corrective Actions first
2. Completes Preventive Actions next
3. After completion, submits for approval

Approver of CAPA plan execution (QA manager), 2 Approval Options:
Option I: Approves CAPA execution; optionally, verifies effectiveness of the CAPA plan execution (by retesting the control). Outcome: CAPA plan Successfully Completed & Closed
Option II: Send the CAPA back to CAPA remediator for Re-execution

Ensure Continuous Compliance
Key capabilities:
High degree of GMP compliance
Standardized, enterprise-wide FDA/Non-FDA compliance processes
CAPA workflow for best practice issue remediation
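The CAPA flow above as a role-checked state machine, an added example that is not SAP Process Control code: the issue owner drafts and submits the plan, the plan approver reworks, approves or cancels it, the remediator must finish corrective actions before any preventive one, and the execution approver either approves (optionally after a retest) or sends the plan back. The state names, role names, actor ids and audit-trail layout are assumptions made for the example.

```python
"""CAPA remediation workflow as a role-checked state machine.

Added example, not SAP Process Control code. State names, role names and
the audit-trail layout are assumptions; actors are constructed ids.
"""
from dataclasses import dataclass, field


class WorkflowError(Exception):
    pass


@dataclass
class Capa:
    issue_id: str
    state: str = "ISSUE_RAISED"
    corrective: list = field(default_factory=list)   # [(action, done)]
    preventive: list = field(default_factory=list)
    remediator: str = ""
    audit: list = field(default_factory=list)        # [(actor, role, event, state)]


ROLE_OF_STATE = {   # who may act while the CAPA sits in each state
    "ISSUE_RAISED": "issue_owner", "PLAN_DRAFT": "issue_owner",
    "PLAN_SUBMITTED": "plan_approver", "IN_EXECUTION": "remediator",
    "EXEC_SUBMITTED": "exec_approver",
}


def _check(capa, role, *allowed_states):
    if capa.state not in allowed_states:
        raise WorkflowError(f"{capa.issue_id}: state {capa.state} does not allow this step")
    if ROLE_OF_STATE[capa.state] != role:
        raise WorkflowError(f"role {role} may not act in state {capa.state}")


def _log(capa, actor, role, event, new_state=None):
    if new_state is not None:
        capa.state = new_state
    capa.audit.append((actor, role, event, capa.state))


def draft_plan(capa, actor, role, corrective, preventive, remediator):
    """Issue owner steps 1-7: evaluation, root cause, actions, assign remediator."""
    _check(capa, role, "ISSUE_RAISED", "PLAN_DRAFT")
    if not corrective:
        raise WorkflowError("a CAPA plan needs at least one corrective action")
    capa.corrective = [(a, False) for a in corrective]
    capa.preventive = [(a, False) for a in preventive]
    capa.remediator = remediator
    _log(capa, actor, role, "plan drafted", "PLAN_DRAFT")


def submit_plan(capa, actor, role):
    """Issue owner step 8."""
    _check(capa, role, "PLAN_DRAFT")
    _log(capa, actor, role, "plan submitted", "PLAN_SUBMITTED")


def decide_plan(capa, actor, role, option):
    """Plan approver, 3 options: rework (I), approve (II), cancel (III)."""
    _check(capa, role, "PLAN_SUBMITTED")
    target = {"rework": "PLAN_DRAFT", "approve": "IN_EXECUTION", "cancel": "CANCELLED"}
    if option not in target:
        raise WorkflowError(f"unknown plan option {option}")
    _log(capa, actor, role, f"plan {option}", target[option])


def complete_action(capa, actor, role, action):
    """Remediator: all corrective actions must be done before any preventive one."""
    _check(capa, role, "IN_EXECUTION")
    if actor != capa.remediator:
        raise WorkflowError(f"{actor} is not the assigned remediator")
    for kind, actions in (("corrective", capa.corrective), ("preventive", capa.preventive)):
        for i, (name, _) in enumerate(actions):
            if name != action:
                continue
            if kind == "preventive" and not all(d for _, d in capa.corrective):
                raise WorkflowError("corrective actions must be completed first")
            actions[i] = (name, True)
            _log(capa, actor, role, f"{kind} action done: {name}")
            return
    raise WorkflowError(f"unknown action {action}")


def submit_execution(capa, actor, role):
    _check(capa, role, "IN_EXECUTION")
    if not all(d for _, d in capa.corrective + capa.preventive):
        raise WorkflowError("open actions remain")
    _log(capa, actor, role, "execution submitted", "EXEC_SUBMITTED")


def decide_execution(capa, actor, role, option, retest_passed=None):
    """Execution approver, 2 options: approve (I, optional retest) or re-execute (II)."""
    _check(capa, role, "EXEC_SUBMITTED")
    if option == "approve":
        if retest_passed is False:
            raise WorkflowError("effectiveness retest failed; use re-execute")
        _log(capa, actor, role, "execution approved, CAPA closed", "CLOSED")
    elif option == "re-execute":
        capa.corrective = [(a, False) for a, _ in capa.corrective]
        capa.preventive = [(a, False) for a, _ in capa.preventive]
        _log(capa, actor, role, "sent back for re-execution", "IN_EXECUTION")
    else:
        raise WorkflowError(f"unknown execution option {option}")


def run_happy_path():
    """One CAPA through the whole flow with constructed actors."""
    c = Capa("ISSUE-1")
    draft_plan(c, "qc.mgr", "issue_owner", ["retrain operator"], ["update SOP"], "eng.1")
    submit_plan(c, "qc.mgr", "issue_owner")
    decide_plan(c, "qa.mgr", "plan_approver", "approve")
    complete_action(c, "eng.1", "remediator", "retrain operator")
    complete_action(c, "eng.1", "remediator", "update SOP")
    submit_execution(c, "eng.1", "remediator")
    decide_execution(c, "qa.mgr", "exec_approver", "approve", retest_passed=True)
    return c
```

Every transition is recorded with actor, role and resulting state, which gives the audit trail the FDA slides later call for; the role check in `_check` is what keeps a QC manager from approving their own plan.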
Achieve compliance visibility
Confidently report, certify and sign-off
Improve compliance performance and predictability

Key capabilities:
Crystal Reports and Xcelsius dashboards
Cross compliance and initiative specific reporting
Existing report templates can be leveraged across any compliance initiative
Drill down provided in select dashboards and reports
Drill down capability to view/review the test and assessment results
Reduce Cost with Automated Controls
Create automated rules on-the-fly

Key capabilities:
Supports several key process areas, applications and types of functions
Build your own using guided procedure to monitor any field combinations
Map SAP queries, reports, variants and programs into ACF
Monitor apps on 3rd party systems such as ORCL, PSFT and DB2
Drive response to events, as an alternative to scheduled rules

Reduces cost of Compliance with Automated Controls: ARF provides an infrastructure that enables building new automated rules in an easy and repeatable manner, effectively addressing unique business needs.

Automated Rules Framework components:
1. BI Query Integration
2. Configurable Rules
3. Leverage Existing Queries and Reports
4. Delivered Rule Content
5. Complex Processing via ABAP Rules
6. Monitor 3rd Party Applications

(1) Change Logs: Reliably re-create configuration and master data settings for a control timeframe (e.g. previous quarter), and examine changes made.
Examples:
Master Data: Changes to critical Vendor Master data fields (e.g. payment terms, credit limits, etc.)
Configuration: Changes to PO tolerance settings (e.g. receipt tolerances)

(2) Value Checks: Check for specified value(s) in master data, configuration, and transactions.
Examples:
Master Data: Identify vendors with payment terms in excess of 30 days
Configuration: Monitor for PO receipt tolerance setting in excess of 10% of PO quantity
Transaction: Monitor for POs in excess of $1M (e.g. Additional approval requirements)
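The two rule types above, change logs and value checks, as an added example that is not SAP ARF rule content. The change log is replayed over a baseline to re-create the vendor master as it stood at the end of the control timeframe and to list changes to critical fields; the value checks then apply the slide's three thresholds (payment terms over 30 days, receipt tolerance over 10%, POs over $1M) to master data, configuration and transactions. The table layouts, field names, change-log entries, purchasing organisations and purchase orders are constructed for the example.

```python
"""Change-log and value-check rules over constructed SAP-like data.

Added example, not SAP ARF rule content. Tables, field names, log entries
and records are constructed; the thresholds are the ones on the slide.
"""
from datetime import date

CRITICAL_VENDOR_FIELDS = {"payment_terms_days", "credit_limit"}

# constructed change-log entries: (change_date, vendor, field, old, new, changed_by)
VENDOR_CHANGE_LOG = [
    (date(2009, 1, 10), "V100", "payment_terms_days", 30, 45, "user.a"),
    (date(2009, 2, 2),  "V100", "bank_account", "DE-1", "DE-2", "user.b"),
    (date(2009, 3, 15), "V200", "credit_limit", 10000, 50000, "user.a"),
    (date(2009, 4, 3),  "V100", "payment_terms_days", 45, 60, "user.c"),  # after Q1
]
# constructed vendor master at the start of the timeframe
VENDOR_MASTER_BASELINE = {
    "V100": {"payment_terms_days": 30, "credit_limit": 20000, "bank_account": "DE-1"},
    "V200": {"payment_terms_days": 14, "credit_limit": 10000, "bank_account": "US-9"},
    "V300": {"payment_terms_days": 60, "credit_limit": 5000, "bank_account": "FR-4"},
}
# constructed PO receipt tolerance configuration per purchasing organisation
PO_TOLERANCE_CONFIG = {"1000": {"receipt_tolerance_pct": 5.0},
                       "2000": {"receipt_tolerance_pct": 15.0}}
# constructed purchase orders: (po_number, purchasing_org, amount_usd)
PURCHASE_ORDERS = [("PO-1", "1000", 250000.0), ("PO-2", "2000", 1500000.0),
                   ("PO-3", "1000", 999999.99)]


def recreate_master(baseline, log, start, end):
    """Replay log entries dated within [start, end] to rebuild the state at `end`."""
    state = {vendor: dict(fields) for vendor, fields in baseline.items()}
    for when, vendor, fld, _old, new, _who in sorted(log, key=lambda e: e[0]):
        if start <= when <= end:
            state[vendor][fld] = new
    return state


def critical_changes(log, start, end):
    """Change-log rule: changes to critical vendor master fields in the timeframe."""
    return [(v, f, old, new, who) for when, v, f, old, new, who in log
            if start <= when <= end and f in CRITICAL_VENDOR_FIELDS]


def vendors_over_terms(master, max_days=30):
    """Value check, master data: vendors with payment terms in excess of max_days."""
    return sorted(v for v, f in master.items() if f["payment_terms_days"] > max_days)


def tolerances_over(config, max_pct=10.0):
    """Value check, configuration: PO receipt tolerance above max_pct."""
    return sorted(k for k, c in config.items() if c["receipt_tolerance_pct"] > max_pct)


def pos_over(pos, limit=1_000_000.0):
    """Value check, transactions: POs above the approval threshold."""
    return [po for po, _org, amount in pos if amount > limit]


def run_quarter(start="2009-01-01", end="2009-03-31"):
    """Run all rules for one control timeframe given as ISO dates."""
    start_d, end_d = date.fromisoformat(start), date.fromisoformat(end)
    master = recreate_master(VENDOR_MASTER_BASELINE, VENDOR_CHANGE_LOG, start_d, end_d)
    return {
        "critical_changes": critical_changes(VENDOR_CHANGE_LOG, start_d, end_d),
        "vendors_over_terms": vendors_over_terms(master),
        "tolerances_over": tolerances_over(PO_TOLERANCE_CONFIG),
        "pos_over": pos_over(PURCHASE_ORDERS),
        "terms_at_end": {v: f["payment_terms_days"] for v, f in master.items()},
    }


if __name__ == "__main__":
    for rule, hits in run_quarter().items():
        print(rule, hits)
```

Evaluating the value checks against the re-created quarter-end state rather than today's master data is what lets the same rule be re-run for a past timeframe and give the same answer, which is the point of the change-log rule type.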
FDA Example: Achieve Compliance Visibility / Operational Compliance
Accelerates industry compliance with pre-defined industry content

Key capabilities:
Framework for Automated Testing and Monitoring of FDA business processes
FDA Content: SAP-provided automated controls for multiple business processes
End-to-end CAPA process for remediating issues raised from manual as well as automated monitoring and testing of controls
Compliance with 21 CFR Part 11: E-signatures
Effectiveness monitoring mechanism
FDA-specific reporting and trend analysis

Solution components: Compliance data management (process hierarchy, FDA controls, orgs); Monitoring; Testing; Assessments; FDA-Specific Reporting; CAPA Remediation Process (Issue Owner, CAPA Plan Approver, Remediator, CAPA Execution Approver); Audit Trail; E-Signature