
SAP Advisory Services


Contents

EW Consultants India

1. Risk & Challenges in an ERP system
2. History of Financial Frauds
3. About EW Consultants India
4. Our Services
5. Our Solution
6. Benefits to your organization

Risk & Challenges in an ERP System

For Discussion Purposes Only

Corporations across the world are highly concerned about the security of their Enterprise Resource Planning (ERP) systems, such as SAP, against threats like fraud and intrusion that affect the integrity of their business. They need their policies and procedures tightened and their systems secured.

These corporations face a number of challenges in their day-to-day business:

• We should have considered SoD while granting access
• Does my ERP system have sufficient password and user access security controls?
• I don't know how the vendor got paid twice?
• ERP team is spending a lot of unproductive time on maintenance
• Is my system prone to access intrusions?
• Auditor declared system controls to be ineffective
• Our ERP implementation team never gave us the controls
• How do I design business controls in my ERP?

What is the solution?

History of Financial Frauds

Source: www.wikipedia.org

| Year | Company | Audit Firm | Type of Fraud |
|------|---------|------------|---------------|
| 2010 | Lehman Brothers | Ernst & Young | Failure to disclose Repo 105 transactions to investors |
| 2009 | Satyam Computer Services | PWC | Falsified accounts |
| 2004 | AIG | PWC | Accounting of structured financial deals |
| 2002 | WorldCom | Arthur Andersen | Overstated cash flows |
| 2002 | Kmart | PWC | Misleading accounting practices |
| 2001 | Enron | Arthur Andersen | Corporate fraud and corruption |
| 2000 | Xerox | KPMG | Falsifying financial results |

India’s Fraud Survey 2010

Source: KPMG

2009 CSI Computer Crime Survey

Per the 2009 CSI Computer Crime and Security Survey, “…change of greatest concern is that financial fraud increased from only 12 percent of respondents to 19.5 percent of respondents. This is reason for concern because financial fraud consistently causes victim organizations huge losses—almost $450,000 (₹ 2 Crs) per victim organization this year…”

About EW Consultants India

About Us

We would like to introduce ourselves as an ERP advisory consultant offering a wide suite of specialist services to our clients, ranging from ERP risk advisory and ERP selection to corporate training and outsourcing. We provide value-added service to our clients in the most cost-effective manner.

We have a network of dedicated and highly qualified freelance professionals who have worked on ERP and IT Risk Advisory projects across 8 countries, including the US and UK. Our team comprises Certified SAP professionals, CAs, MBAs and Engineers from a Big4 background, with extensive experience in rendering ERP advisory services. Along with the SAP ECC system, our team has hands-on experience working with tools such as SAP GRC Access Controls and Approva Bizright Access Controls.

Our Service capabilities:

SAP Business Process Controls Audit

SAP Basis Security and Segregation of Duties Controls Audit

SAP Controls Audit Procedure Documentation

ERP Audit Project Management

Sarbanes Oxley (SOX) Compliance Assistance

ERP Product and Vendor Selection

ERP Audit Tools Development

ERP / Corporate Trainings


Director Profile

Industry Experience: over 7 years

• Ernst & Young
• EXL Service
• SAPient Consulting

Qualifications:

• MBA in Finance
• SAP Certified Consultant
• SAP Security trained (from SAP India)
• SAP GRC Access Controls trained (from SAP India)
• Project Management trained (from PMI)

Areas of Expertise:

• SAP Risk & Controls Advisory
• SAP Business Process Controls Audit
• SAP Security & Segregation of Duties Control Audit
• ERP Trainings
• ERP Audit Project Management
• Sarbanes Oxley (SOX) Compliance Assistance
• ERP Product and Vendor Selection
• ERP Audit Tools Development

Credentials

| Industry | Clients |
|----------|---------|
| Diversified Business | Essar Group, India |
| Beverages | Diageo Plc, UK; Dr Pepper Snapple Group Inc., USA |
| Insurance | Chartis ('AIG') UAE, Hong Kong, Malaysia, Indonesia, Thailand, Philippines, Vietnam, Taiwan |
| IT Services | VOLT Information Sciences Inc., USA; Covansys Corp. Inc., USA; Infosys Technologies, India |
| Energy | Centrica Plc, UK; Enercon India Ltd; ONGC Ltd., India |
| FMCG and Consumer Goods | ITC Ltd, India; Philips India Ltd. |
| Retail | Pantaloon Retail India Ltd.; Welspun India Ltd. |
| Engineering and Electrical Equipment | Larsen & Toubro Ltd., India; Havell's India Ltd.; Bharat Bijlee Ltd., India |
| Telecommunication | VSNL Ltd., India |
| Pharmaceutical | Duane Reade Inc, USA; Glenmark Pharmaceutical Ltd., India |
| Metals and Minerals | ISPAT Industries Ltd., India; BALCO Ltd., India |

Worked for Fortune 500 clients in over 8 countries including USA, UK, Hong Kong, India, etc.

Our Services


Before Go-live

• Best-fit solution
  - ERP Product selection
  - ERP Implementation partner selection
  - Project risk management
• Business Blueprint Review
  - Identify and suggest controls as part of BBP
  - Benchmark TO-BE process to leading practices
• Pre Go-Live Readiness Assessment
  - A quick check of the status of critical master data, organizational elements, configurable controls, process integrations, system and user security before Go-Live
  - Verify if suggested controls are designed and implemented

After Go-Live

• Quick Scan Review: A quick check to identify and fix 'High Risk' issues
• SAP Business Controls Review: A detailed review of key business processes having financial implication
• SAP Security Controls Review: A detailed review of Basis security, access to critical transactions and Segregation of Duties (SoD)
• Audit Work Program Documentation: Preparation of detailed work program that will enable the Internal Audit team to conduct rigorous audit of the SAP system

Corporate Training

• SAP Core team training: Preparing the SAP Core team for supporting the SAP ECC system
• SAP End-user training: Preparing the SAP End-user team for working on the SAP ECC system
• Auditing an ERP system training: Preparing the Internal audit team for sustainable audit of the SAP ECC system
• Fundamentals of ERP system training: Preparing the organization for an upcoming implementation of the SAP ECC system

Our Value Chain Approach

Understand business process → Identify potential risks → Develop control framework → Document audit program → Conduct test of controls → Report gaps & suggest solutions → Train Internal Audit team

• Financial Accounting
• Materials Management
• Sales & Distribution
• Basis Security & User Administration

Our Solution

Assess

Key Activities:

• Obtain the existing business process documents or “Role & Responsibility” matrix to identify critical business functions (if available)
• Understand the key requirements and challenges related to user access with the process owners
• Identify potential Segregation of Duties (SoD) conflicts and design a SoD matrix based on the leading industry practices
• Obtain the access privilege information including users and system roles

Deliverables:

• Risk Assessment Document
• Segregation of Duties Matrix for functional transactions

Review

Key Activities:

• Perform a SoD conflict assessment based on the SoD matrix for the following parameters:
  - Conflict within Role assigned to a user
  - Conflict between Roles
  - Conflict arising due to direct assignment of access privileges to a user
• Review the identified conflicts with respect to the roles & responsibility matrix

Deliverables:

• Identified Segregation of Duties conflicts

Recommend

Key Activities:

• Discuss the key observations with the process owners / project team
• Recommend leading industry solution to resolve the identified conflicts
• Assist in re-designing the change management procedure for user access to build SoD controls

Deliverables:

• Segregation of Duties Conflict Report with recommendations

Benefits to your organization

A few of the benefits that your organization will derive from its SAP system after our services:

• Secured ERP system: Secured and robust SAP environment from both internal and external threats such as unauthorized usage, fraud, intrusion, etc.
• Leading practices: Benchmarking your SAP system to the leading industry SoD control practices to optimize your ROI
• Compliance support: Controls-ready SAP system to meet any existing or upcoming statutory compliance requirement
• Reduction in time & cost: Re-aligned user access/security practices and procedures may help the management in effective utilization of ERP resources, leading to reduction of unproductive time and cost
• Streamlined process: Efficient and effective change management process, with procedural changes that cover areas of concern such as SoD
• Maximizing configurable controls: Leveraging the available automated controls using the existing SAP configuration and reducing the manual efforts

Annexure

Case Study – Establishing Segregation of Duties (SOD)

We helped a top Indian FMCG implement robust SOD controls over their SAP system across business entities

Situation

Our client invested heavily in SAP across its business entities. Due to the large team size, access to its key financial reporting application (SAP) became unmanageable. The lack of proper controls was also becoming an increasing concern for the company's auditors.

Key Issues

• Identification and elimination of existing SOD conflicts
• Restricting and re-designing user access per roles and responsibilities
• Streamlining the process of user-role administration

Outcome

• SOD has been established for all the key business modules of SAP across entities based on the SOD matrix developed for the client
• Assisted in establishing a control mechanism for granting access to SAP System
• Ensured a consistent and streamlined approach to ongoing compliance
• Identified and removed a substantial number of inappropriate user access across business entities

Approach

Establish an SOD Matrix

• Established inventory list of all transactions at the process level per module
• Identified critical transactions from the above list
• Mapped each critical transaction with SAP roles and permission list
• Established an SOD matrix based on the conflicts between critical transactions

SOD Conflict Analysis

• Analyzed SAP roles and users based on the SOD Matrix to identify any existing conflicts
• Conflicts were identified at the following levels:
  - SAP Roles
  - Users assigned to conflicting roles
  - Critical authorization objects and values within transaction codes with special emphasis on “*” value

Remediation

• Identified access privileges in SAP that need to be segregated to eliminate existing conflicts
• Mitigating controls were identified for conflicts that could not be eliminated
• Presented findings to Executive Committee

Output

SOD Conflict Matrix - Record to Report

Column headings: Create GL Account (A), Change GL Account (B), Create Journal Entry (C), Approve Journal Entry (D), Post Journal Entry (E), Change Document (F), Maintain Accounting Period (G), Payment Entry (H), Voucher Entry/Batch Creation (I)

LHS/ RHS Activity Group A B C D E F G H I

Create GL Account A X X X X X X

Change GL Account B X X X X

Create Journal Entry C X X X

Approve Journal Entry D X X X

Post Journal Entry E X X X X

Change Document F X X

Maintain Accounting Period G X X X

Payment Entry H X X

Voucher Entry/Batch Creation I X

SOD Conflict Matrix for Record to Report Process
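
The three conflict parameters listed under Review (within a role, between roles, direct assignment) and the "*" emphasis from the case study can be checked mechanically once role and user data is extracted. The following is an added example, not part of the original presentation: the conflicting pairs, role names and users are constructed, and "*" is assumed to grant every activity in the matrix.

```python
from collections import defaultdict

# Constructed SoD matrix: pairs of activities one user must not hold together.
# Activity names follow the Record to Report matrix; the pairs are assumptions.
SOD_MATRIX = {
    frozenset({"Create Journal Entry", "Approve Journal Entry"}),
    frozenset({"Create Journal Entry", "Post Journal Entry"}),
    frozenset({"Create GL Account", "Post Journal Entry"}),
}
ACTIVITIES = set().union(*SOD_MATRIX)
# Constructed roles and users (hypothetical names); "*" is the wildcard value.
ROLES = {
    "Z_GL_MASTER": {"Create GL Account"},
    "Z_JE_CLERK": {"Create Journal Entry"},
    "Z_JE_APPROVER": {"Approve Journal Entry"},
    "Z_JE_SUPER": {"Create Journal Entry", "Post Journal Entry"},
    "Z_FI_ALL": {"*"},
}
USERS = {  # user -> (assigned roles, directly assigned activities)
    "alice": (["Z_JE_CLERK"], set()),
    "bob": (["Z_JE_CLERK", "Z_JE_APPROVER"], set()),
    "carol": (["Z_GL_MASTER"], {"Post Journal Entry"}),
    "dave": (["Z_JE_SUPER"], set()),
}

def expand(acts):
    """Resolve "*" to every activity the matrix knows about."""
    return set(ACTIVITIES) if "*" in acts else set(acts)

def role_conflicts(roles=ROLES):
    """Roles that already conflict on their own, before any user assignment."""
    hits = {n: sorted(tuple(sorted(p)) for p in SOD_MATRIX if p <= expand(a))
            for n, a in roles.items()}
    return {n: h for n, h in hits.items() if h}

def user_conflicts(user, users=USERS, roles=ROLES):
    """Classify each conflict a user holds by how the access was granted."""
    role_names, direct = users[user]
    source = defaultdict(set)  # activity -> roles that grant it
    for r in role_names:
        for act in expand(roles[r]):
            source[act].add(r)
    held = set(source) | expand(direct)
    result = []
    for a, b in (sorted(p) for p in SOD_MATRIX if p <= held):
        shared = source[a] & source[b]  # one role grants both sides
        split = "between_roles" if source[a] and source[b] else "direct_assignment"
        result.append(("within_role" if shared else split, a, b))
    return sorted(result)
```

Running `role_conflicts()` first separates roles that need redesign from users who only need a role removed, which keeps the remediation list short.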

Case Study – SAP Configurable Controls

We helped a leading US beverages company in identification, validation and documentation of SAP Configurable controls

Situation

Our client was in the first year of SOX compliance and was facing difficulties in identifying SAP application controls. Due to a lack of in-house capabilities, this process was delayed and the auditors raised concerns about meeting deadlines.

Key Issues

• No defined risk and controls framework
• Multiple SAP instances operating across global geographies with different SAP versions
• Company had recently undergone a transformation with major staff movements

Outcome

• Identification of SAP configurable controls and their mapping with existing SOX RCM
• Detailed documentation of control test scripts with step-by-step procedures to facilitate a sustainable SAP configurable controls audit process for SOX compliance
• Gap report detailing the issue and remediation solution
• Helped the client leverage automated controls and reduce reliance on manual controls, thereby optimizing cost of compliance

Approach (Identification → Validation → Documentation)

• Obtain high-level understanding of SAP architecture covering in-scope modules, functional features, key interfaces and customizations
• Review current business process documents including existing process narratives and controls documentation to assimilate information on controls
• Map key SOX application controls for SAP based on process understanding, available controls libraries and industry best practices
• Conduct system review to verify existence of identified controls
• Validate the controls implementation and assess design effectiveness of controls
• Highlight gaps within tested controls to management and provide guidance for improvement opportunities
• Update/detail existing control descriptions including specific configurations relating to workflows, authorizations, SODs and access specific considerations
• Create control test plan strategy based on control type, audit tool/report availability and artifact requirements
• Identify key testable attributes of each control based on acceptable configuration settings and management defined criteria
• Document detailed audit procedures to test the design and operating effectiveness of the identified controls including artifact requirements

Output

Sample Deliverables

Sample Deliverables - Dashboard

Sample Deliverables - Report

Sample Deliverables - Deliverables

SOD Conflict Matrix for Record to Report Process

End of Presentation. Thanks.

For enquiries and more, please contact:

Gourav Ladha

Director, EW Consultants India

MBA, SAP Certified

Mobile #: +91-971-295-295-5

Website: www.ewcindia.co.in

Email: [email protected]