Evolution of the Siemens Experience in its Effort

Evolution of the Siemens Experience in its Effort to Test IT Controls on a Continuous Basis Rolf Haardörfer IT Audit Professional Siemens Corporation Tenth Continuous Auditing & Reporting Symposium Meeting 11/4/2005

Agenda Operational Audit Overview of Siemens Benefits of Continuous Auditing Overview of Siemens SAP Audit Plan CA at Siemens – Current Activities CA at Siemens – Planned Activities Outlook and Next Steps Questions and Discussion

Operational Audit Overview of Siemens About 430, 000 employees worldwide (70, 000 thereof in the United States) Sales of EUR 75 billion in 2004 Siemens has a large audit department executing financial and operational audits throughout the company Siemens has selected SAP as their standard ERP system IT Audit Pool conducts all system related audits for the majority of Operating Companies here in the US including a SAP Certification Audit

Operational Audit Benefits of CA at Siemens Simplification of execution of SAP audits Continuous monitoring of the compliance level of mandatory System Parameter settings. Improved Governance (Fraud Detection, SOX Compliance, Monitoring, etc. ) Move toward real-time reporting for management and for the investment community. Improve the skill level and quality of work life of auditing personnel. Reduces compliance and assurance costs (labor, travel, outside assurance, etc. )

Value Proposition Operational Audit COST: • Consider a large multinational corporation with 400 auditors (internal & external), each with a fully absorbed (sal. /fee, benefits, travel, etc. ) $200, 000/yr cost for a total annual compliance cost of $80 million dollars. Assume further that the proposed continuous auditing model cost $1 million dollars to develop and implement and only reduced manual compliance effort by 25% in the firm. The annual net estimated savings or cost avoidance of this project for the firm defined above would be: $19 Million dollars (Or nearly $100 million dollars over 5 years)!

Operational Audit Overview of Siemens SAP Audit Plan Typical SAP audit takes about 75 person days covering SAP modules FI, FI-AA, BA, Computer Outsourcing, SD and MM Overall about 200 audit action sheets (AAS) Audit Action plan (AAS) was developed in cooperation with KPMG About 25 percent can be automated without additional formalization or re-engineering of the controls

Operational Audit SAP Audit Action Sheet Part 1

Operational Audit SAP Audit Action Sheet Part 2 Pseudo code developed from Rutgers CAR-Lab to automate Audit sheet

Two Types of Audit Systems Operational Audit Independent System (Monitoring and Controlling Layer) ACL Approva Biz. Rights Virsa Oversight E-Audit (Siemens) Rutgers CAR-Lab SAP model Embedded Audit System SAP Audit Information System

Operational Audit CA at Siemens – Current Activities Utilization of Approva Biz. Rights for monitoring of Segregation of Duties (2 major Div. ) Purchase to Pay Process using ACL’s Direct Link and CCM CA model on 3 large SAP systems Introduced at the beginning of 2005 Significant payoff right away (duplicate invoice payments, etc. ) Providing real procurement cycle data to Rutgers CAR-Lab for statistical modeling to identify possible anomalies.

Operational Audit CA at Siemens – Current Activities Utilization of GL module from Approva Biz. Rights Introduced in October 2005 for Monitoring of Month End Closing, to be completed in mid 2006 for the GL Module. Payoff –(Helping with Month End Closing, Ensuring transactions are complete with proper authorizations) Implementation of travel and expense (T&E) module from ACL Planned introduction by the end of 2005 Expected benefits – Reduce Fraud (T&E is one the most prevalent areas for fraud).

Operational Audit CA at Siemens - Planned Activities Preventative / configurable controls strategy: • Utilize research from Rutgers CAR-Lab to reengineer our SAP audit plan to make it more formalizable / automatable. • Support and promote the use and enhancement of CA tools (Siemens & Third party) at Siemens Operating & Regional Companies. • Demo and provide feedback to Siemens companies on emerging CA tools and technology.

Operational Audit CA at Siemens - Planned Activities • • Utilization of SAP AIS module for execution of SAP audits • Allows business to run reports themselves as needed (e. g. Top 10 Security Issues) • IT Audit Pool has customized AIS to include automatable audit sheets as predefined reports Estimated reduction of SAP audit time of about 25%

Operational Audit Outlook and Next Steps Further leverage Rutgers CAR-Lab research in cooperation with External Auditors to Expand CA scope at Siemens. Utilization of SAP AIS module at more Operating Companies as standard tool. Audit Pool will work with Operating Companies to identify and promote existing solutions as best practices. Audit Pool plans on piloting CA software solutions as a part of a regular SAP audits.

Operational Audit Questions? Thank You! Rolf Haardörfer Siemens Corporation IT Audit Pool