Remove the guesswork and anxiety from internal and external audit requests with proven tools and techniques
James Baird, Senior Consultant, Dolphin
May 9, 2014
SAP Auditing 101
Disclaimer
Factors Driving Innovation in Audit
New Audit Requirements for 2014
Tools & Techniques for Audit Readiness
About Dolphin
More Info & Resources
Audit Glossary
In This Session …
This session is for informational purposes only.
Dolphin does not provide audit advice or counsel pertaining to this subject or any related legislation or compliance issue.
We always recommend that you consult your qualified audit professional.
Disclaimer
Majority of US audits deal with financial data, such as Sarbanes-Oxley (SOX), under the direction of PCAOB
Organizations also have to respond to audits from government and industry regulators, as well as internal bodies.
PII: Personally Identifiable Information
PIPEDA: Personal Information Protection & Electronic Documents Act
PHIA: Personal Health Information Act
HIPPA: Health Information Protection Act (USA HIPAA)
PCI DSS: Payment Card Industry Data Security
Increased Oversight: External, Internal, & Compliance Audits
Audits are becoming more complex as regulators request more information
Organizations must retain data for variable periods of time
Multi-national companies need to balance different retention requirements for different jurisdictions
Changing Regulations Keep Pace with Rapid Market Evolution
Examples: Health 30 years+, 7 years Financial, 10 years Academic, ? years Legal
Strategy for Info Lifecycle mgt.
Survey of IT-related Audit Concerns 2013
Source: Gartner, Survey Analysis: IT Compliance and Audit, 2013
Difficult and Costly Process
I need to get production data
From lots of systems: ERP, CRM, EDI, ..
I need it in flat format, other formats
It’s urgent
No, it’s urgent
I need to comply within SAP
I’ll need to check with the team
Is the % PC sufficient?
This is a priority
I can do a query in 7 days
In one business week?
What Data?
Sales
Which tables?
I don’t know
Which fields?
Don’t know & I will need more data later
I’ll extract Sales Data and VBAP
DAF is impatient
Anyway it’s not secure
What do you mean?
My director refused this request
I’ll go back to my director
Auditors
IT Staff
The more time it takes to complete an audit . . . the more it costs
Oops, spoke too soon. Not possible. Sorry!
New Audit Requirements for 2014 *key word flexibility*
Change: Auditors may need to increase controls to manage larger data volumes
Big Data increases the amount of data that will be subject to audit or legal concerns (PII, PCI…)
Encryption can come into play
Organizations need better tools and an information lifecycle strategy to manage security and compliance of Big Data
Impact of Big Data
2014 Audit Changes You Need to Know
Source: Association of Chartered Certified Accountants, “Big Data: Its Power and Perils”, Nov. 2013
Change: Auditors may need to be able to explain automated controlling processes
Auditors must understand which automated controls (i.e., workflows, approvals, logs, notifications and system validation) are in place
Process diagrams must show how automated controls interlink with the system and control frameworks (i.e., GRC).
Must note where the control is; how it is used; and how it is being validated and/or audited (per PCAOB direction)
Increased Oversight of Processes
Source: “What is an Integrated Audit?”, Harvard University, April 23, 2014 http://rmas.fad.harvard.edu/faq/what-integrated-audit
2014 Audit Changes You Need to Know
Change: Manual entries in SAP may be subject to tighter audits and controls placed against them
Increased oversight of manual entries to reduce impact on financial statements and detect incidents of fraud
Move to more controls and increase automation to:
Reduce Human Error
Eliminate Opportunities for Fraud
Imaging products with built-in controls help with this concern
Tighter Control of Manual Entries
Source: http://pcaobus.org/Standards/Auditing/Pages/AU316_61.aspx
2014 Audit Changes You Need to Know
Goals for Improving Audit Readiness
Lower Costs
Anticipate audit requirements and use flexible tools to reduce the fees levied by consulting firms and penalties from regulatory bodies.
Improve Controls
Implement an audit strategy that aligns the organization’s information lifecycle with corporate and legal retention requirements.
Improve Efficiency
Identify storage and retrieval strategies (archiving) to reduce the time and effort required to extract data and documents when responding to audit requests.
Invest in flexible tools that can support financial and other audit reporting requirements, globally (France, Luxembourg, Brazil…)
DART is primarily focused on financial audits
Rules and audit guidelines change by country
Archiving data reduces costs associated with long-term data retention
Audit tools need to be able to extract archive data and change as audit requirements change
Lower Costs
Improving Audit Readiness
Classic Audit Process
Increase Efficiency
[Figure: timeline of the classic audit process. Steps shown: Auditor Requests Data; Send Files to Auditors; Generate Files; Questions from Auditors; Urgent Responses to Auditors. Labels: 3 weeks – Plan; 15 weeks – Actual]
Improving Audit Readiness
Optimized Audit Process
Increase Efficiency
[Figure: timeline of the optimized audit process. Steps shown: Auditor Requests Data; Send Files to Auditors; Generate Files; Questions from Auditors; Respond Authoritatively to Auditor; Extract additional data for analysis; Prepare Response. Labels: 3 weeks – Plan; 15 weeks – Previous & Actual]
Improving data storage & retrieval reduces the time & effort to respond to audit requests
Improving Audit Readiness
Leverage SAP’s built-in capabilities to support audits:
Logs, automated processes (i.e., workflows, business rules . . .)
DART extracts
SAP GRC
Archiving to freeze and compress static data
Consider SAP Add-on solutions to enhance SAP audit capabilities:
Flexible data retrieval
Support for legal holds
Manage data retention and purge according to retention policies
Increase Efficiency
Tools and Techniques for Data Storage and Retrieval
Put an Information Lifecycle Strategy in place
Combination of policies, procedures, and practice (execution and technology)
Take advantage of enhanced audit capabilities with SAP GRC
SAP 5.3 was primarily for Access Controls
GRC 10 & 10.1 contain new features (i.e., risk, fraud, process controls . . .)
Information lifecycle management is a key component of the GRC roadmap
Leverage SAP Add-ons to strengthen ILM strategy & GRC
Automated data entry for financial and compliance
Audit reporting
Automated data retention and destruction
Improving Controls
Information Lifecycle & SAP GRC
Get Results with Dolphin Audit Solutions
Lower Costs
Reduced cost of retaining large volumes of data for audits with aggressive archiving strategy and no loss of access.
- Large Volume Discount Retailer
Improve Controls
Fixed compliance gaps identified by internal auditors and secured sensitive customer data in production and archive.
- Global Consumer Technology Company
Improve Efficiency
Reduced time required to respond to audit requests from 15 weeks to 3 weeks.
- Large International Beverage Company
SAP focused
Proven solutions for SAP customers, leveraging SAP technology, and certified by SAP
1/3 of all Fortune 100™ companies running SAP are Dolphin customers
Employee owned; private; independent of other stakeholders; organic growth;
Established in 1995
Hundreds of scalable, flexible and cost effective deployments across the globe
Dolphin Enterprise Solutions
More Information
PCAOB: http://pcaobus.org/Standards/Auditing/Pages/AU316_61.aspx
ISACA: https://www.isaca.org/Pages/default.aspx?cid=1000270&Appeal=SEM&gclid=CIzUz6Lr570CFYdFMgod6XkALA
Gartner, “Survey Analysis: IT Compliance and Audit, 2013”: http://www.gartner.com/document/2613715
Association of Chartered Certified Accountants, “Big Data: Its Power and Perils”: http://www.accaglobal.com/bigdata
What is an Integrated Audit? http://rmas.fad.harvard.edu/faq/what-integrated-audit
Financials & GRC 2014: http://www.sap.com/pc/analytics/governance-risk-compliance/software/overview/highlights.html
Audit Glossary
PCAOB: Public Company Accounting Oversight Board
SOX: Sarbanes-Oxley
PII: Personally Identifiable Information
PIPEDA: Personal Information Protection and Electronic Documents Act
PHIA: Personal Health Information Act
HIPPA: Health Information Protection Act (USA HIPAA)
PCI DSS: Payment Card Industry Data Security
Disclaimer
SAP, R/3, mySAP, mySAP.com, SAP NetWeaver®, Duet®, PartnerEdge, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Dolphin Enterprise Solutions Corporation is neither owned nor controlled by SAP.