Improving SOX Remediation Through Automated Testing of Internal

Improving SOX Remediation Through Automated Testing of Internal Controls November 4, 2005

Agenda Background on Approva Compliance Process Methods for Testing Effectiveness of Internal Controls Applying Automation to the Testing Procedures

Approva: Company Snapshot Enterprise software company, founded in 2002 Headquartered in Reston, VA; R&D in Pune, India 190 Employees; over half in product development Raised $30 M from leading venture capital firms Industry collaboration and partnerships

Approva – a growing list of blue chip customers Manufacturing High Tech & Media Consumer Products & Retail Energy & Communications Pharmaceutical & Chemicals

Biz. Rights Solution Architecture Compliance Fraud Analysis Business Improvement Data Integrity User Authorizations & Activity Configuration Settings & Master Records Transactions Executed Business Solutions Advanced Functionality Biz. Rights Platform Dynamic Rules Analysis Exception. C Reporting Simulation & Change Control C Automated Email Notification C Intelligent Data Extraction Automated Workflow

Biz. Rights: Continuous Controls Intelligence Transactions Configuration Users Everyday Activities • GR/IR mismatches • Payments that exceed thresholds • Duplicate payments • Discounts not taken • Payments, purchase orders, sales orders modified after approval Master Records, System Settings • Unusual movement types, number ranges, payment terms, tolerance settings, etc. • Credit checks not turned on • POs with unlimited over/under delivery • Unusual credit limits • Unusual changes to payment terms, bank details, etc. User Roles and Responsibilities • Detect So. D conflicts within roles & users • Detect the use of sensitive transactions • Act as a compensating control for excluded users

The Compliance Process

What is your perspective on complexity? Compliance Requirements? • SOX ERP System Global System Settings Configuration Settings • FDA • Privacy Material Master Control Environment? • Multiple ERPs • Multiple Apps Purchase Requests Purchase Orders Vendor Master Receive Goods Process Invoice Process Payments Business Transactions and Master Data Access and Change Management Legacy Applications Control Solutions? • Identity Management Tools • Portals • Documentation Repositories Document Repositories Portals Identity Management

Typical Control Structure Typical ERP Control Design Control Enabler Configuration Application Security Reporting General IT Controls Manual Controls Control structure is not always integrated with ERP functionality, rather built around it Highly manual control processes Increased control ownership and accountability issues Testing of controls is a highly manual process Not all exceptions identified Time consuming and costly

Control Effectiveness Life Cycle Review control documentation to ensure adequate design Develop control test strategy Execute control testing Report exceptions, categorize deficiencies and conclude Remediate through modification of business processes, system settings, and possibly the controls themselves Run the process all over again

Testing Procedure Review of paper documentation, such as journal entry reports, manual invoices, manual reconciliations, system logs, etc Confirm system functionality through reviewing security design, configuration settings and related technical objects Review of business transactional data, such as invoices, PO’s, etc. But these approaches have their issues… Who’s going to build, modify and maintain the reports? Who’s going to run them? And what happens when they forget? Where’s your audit trail? ERP’s won’t tell you when someone’s changed a control ERP’s won’t tell you when the control is in place, and being circumvented anyway

Sample Test – Configurable Control To test the effectiveness of a configurable control, such as the PO approval limits (release strategy), the following steps are performed: Verify IMG settings are properly configured and set to proper tolerances Verify access to the IMG is restricted Sample 1 transaction to verify effectiveness of control Issues / Observation Time to test is significantly lower than manual controls Configuration and tolerances typically set to business requirements, not control requirements (e. g. 500, 000, as opposed to 50, 000) Retro-fit is typically expensive (re-implementation is some cases) Manual work-arounds are common (e. g. still need signature above 50, 000) Automation Opportunities Identify exceptions within existing control configuration (e. g. automatic notification for all PO’s over 50, 000, but below 500, 000)

Sample Test – SOD Compensating Control When testing SOD’s, it is very common to have a business need to violate an SOD rule, such as creation and payment of a PO in a small division. The following steps are typically performed: Once deficiency is noted, review compensating controls for adequacy Review evidence that compensating control has been operating effectively – Typically, this is relying on final reviews of payable reports by a manager Issues / Observation Manual testing is time consuming Compensating controls must be specific to the activity (e. g. the review must be to specifically check for SOD violations, not accuracy of pay run) Very common and hard to prove if not specifically designed to monitor SOD Automation Opportunities Identify when a PO is created and paid, not only by the same user, but can be more specific to the same vendor, date, etc

Sample Test – Manual Report Reviews To test whether an employee reviewed a weekly report that lists the changes to the customer master, the following steps are performed: Verify the data that is listed on the report is valid Select a sample of reports (sample determined by frequency of occurrence) Verify that the employee reviewed the report – Initials and date on the report – E-mail to follow up on a change – Additional change reports that verify action taken Issues / Observations Time to test is high – usually several hours and very iterative Review requires looking at all changes Documentation retention a major issue - typically results in a deficiency Automation Opportunities Proactively notify a control owner for high risk changes

Control Structure w/ Automated Testing and Monitoring Typical ERP Control Design Control Enabler Configuration Application Security Reporting General IT Controls Manual Controls Continuous Controls Testing Significantly increase the efficiency and effectiveness of control processes Monitor only critical data changes Enhance or refine configuration tolerances Preventative access control features Automatic notification of control violations Workflow and audit trail Testing of controls is a highly automated process All exceptions identified Control configuration and system setting reporting replaces manual test procedures Comprehensive SOD and Sensitive access analysis

Control rules and functionality focused on business processes, configuration and system setting data The Biz. Rights’ Model Process Insights Global System Settings Verify System Parameters Verify IMG Configuration Settings Enhance Existing Controls Identify Exceptional Transactions Automate Manual Controls Sensitive Transactions Segregation Of Duties Analysis Configuration Settings Data Extraction, Workflow and Analysis Capabilities – Material Master Application Independent!!!Vendor Master Purchase Requests Purchase Orders Receive Goods Process Invoice Business Transactions and Master Data What If Analysis Closed Loop Remediation Approval Work Flow Authorizations Insights Process Payments Access Management Control rules and functionality focused on security processes and data

Biz. Rights Automated Compliance Biz. Rights Typical ERP Control Design Control Enabler Testing Mechanism Configuration • Enhance Existing Controls • Identify Exceptional Trx’s • Configuration Settings • System Parameters Application Security • What If Analysis • Access Approval Workflow • Segregation of Duties • Sensitive Transactions Reporting • Exception Based Reporting • Closed Loop Remediation • Verification of Remediation Manual Controls • Automate Manual Controls • Electronic Audit Trail IT Controls • Baseline system settings • Proactively identify changes • System parameters • Security and change process

Summary & Key Take Aways Common goal is to achieve sustainable compliance that can improve the business Turn compliance activities from a cost into an asset Manual testing of controls consumes too much time & cost Automated testing will reduce overall cost and allow more time for remediation and mitigation of control violations Don’t Just Comply…Transform Your Business