Gaining Financial Integrity Through Improved Internal Controls: SAP Management of Internal Controls Tool
PwC and SAP Sarbanes-Oxley 404 Web Conference Series, March 2004
Speakers:
- William R. Shipley, Partner, IT Advisory Services, PricewaterhouseCoopers LLP
- Brian Parker, Senior Manager, IT Advisory Services, PricewaterhouseCoopers LLP
- David Nelson, Product Management, mySAP ERP Financials, SAP
Agenda: Management of Internal Controls (MIC)
- SOA Sections 302 and 404
- COSO Framework for the Evaluation of Internal Controls
- Timeline for SOA MIC Project
- Initial Documentation of Internal Controls
- Assessment and Remediation of IC
- Test and Remediation of IC
- Sign-Off and Reporting
- Questions and Additional Information
Sarbanes-Oxley Act
The Sarbanes-Oxley Act (SOA) was enacted by the US Congress on July 30, 2002 and applies to all companies registered with the Securities and Exchange Commission, i.e. companies traded on a US stock market (NYSE, Nasdaq, etc.). SOA establishes heightened requirements for corporate governance, financial disclosures, and accountability for fraud. Specifically, it requires organizations to periodically evaluate, certify and report on the effectiveness of their internal control.
Other countries are expected to determine the need for, and possibly establish, comparable guidance or requirements (e.g. the German government issued a 10-Point Plan on corporate governance standards in February 2003).
The SEC defines Internal Control (applying the COSO framework) as a process carried out by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of control objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
Sarbanes-Oxley Act: Software-relevant Sections
Section 301: The audit committee shall establish procedures for the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.
Section 302: Management responsibility for effective disclosure controls and procedures over financial reporting, operations and compliance. Disclosure of significant deficiencies in internal control to the audit committee and external auditors. Certification of the contents of SEC reports by the CEO and CFO.
Section 401: Include in financial reports all material correcting adjustments identified by the external auditors. Provide investors with a clear understanding of the company's off-balance sheet arrangements and their material effects.
Section 404: The annual report shall include a report by management on the effectiveness of internal control over financial reporting; documentation of control design and effectiveness testing; disclosure of any material weaknesses; attestation by external auditors. Note: further periodic disclosure requirements are covered under Section 302.
Section 409: Rapid and current disclosure of material changes in the financial condition or operations, including trend and qualitative information, for the protection of investors and in the public interest.
Section 302 Requirements: Certification of Disclosure in Companies' Quarterly and Annual Reports
Requirements:
- Management responsibility for effective disclosure controls and procedures over financial reporting, operations and compliance
- Disclosure of significant deficiencies in internal control to the audit committee and external auditors
- Certification of the contents of SEC reports by the CEO and CFO (reports are filed annually and/or quarterly, depending on the size and location of the company)
Activity:
- Identify the scope of the company's disclosure controls and procedures
- Document business processes and process controls over all major activities within the entity (beyond solely the processes impacting financial reporting)
- Assess internal control effectiveness
- Identify and track resulting issues and remediation plans
- Cascade the accountability for control evaluation and roll up the results (e.g. into a dashboard confirming the ability to sign the certification)
Section 404 Requirements: Management Report on Internal Control Over Financial Reporting
Requirements:
- The annual report shall include a report by management on the effectiveness of internal control over financial reporting
- Documentation of control design and effectiveness testing
- Disclosure of any material weaknesses
- Attestation by external auditors
Note: further periodic requirements are covered under Section 302.
Activity:
- Identify the areas in scope for evaluating the effectiveness of internal control over financial reporting
- Document the design of significant controls
- Evaluate control design and effectiveness
- Identify resulting control issues and monitor remediation
- Document changes in processes and controls; surface any associated issues
- Prepare the internal control report
- Attestation by external auditors
COSO Framework for the Evaluation of Internal Controls
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed in 1985 by five private-sector accounting and finance associations; its Internal Control Integrated Framework was published in 1992. The SEC refers to the COSO framework for the definition of internal controls. COSO is not mandatory under SOA or for the SEC; it is cited as an example of a suitable framework.
COSO goes beyond the SEC's activity-based definition of internal controls by introducing five components:
- Control Environment
- Risk Assessment
- Control Activities
- Information & Communication (of policies and rules)
- Monitoring
COSO and SOA: COSO as the Leading Framework for SOA Compliance on Internal Control
The SEC states: "The COSO Framework satisfies our criteria and may be used as an evaluation framework for purposes of management's annual internal control evaluation and disclosure requirements." Furthermore, the Institute of Internal Auditors Research Foundation indicates that 63% of publicly held companies use the COSO framework of internal control (February 2003).
[Figure: the COSO cube. One face lists the control-objective categories (Operations, Financial Reporting including internal accounting controls, Compliance & Regulatory); one face lists the five components (Monitoring, Information & Communication, Control Activities, Risk Assessment, Control Environment); the third dimension is the organization (Business Unit 1, Business Unit 2; Process 1, Process 2). Legend: Disclosure Controls & Procedures (Section 302); other aspects of compliance and operations pertaining to DC&P; internal control over financial reporting (Section 404).]
COSO Categories of Control Objectives
Category of Control Objective | Control Objectives | SOA Section 302 Relevance | SOA Section 404 Relevance
Operational | Effectiveness, Efficiency | Yes | Marginal
Financial | Completeness, Accuracy, Validity, Restricted Access | Yes | Yes
Compliance & Regulatory | Tax, Environmental, Health, Safety | Yes | Marginal
Timeline for SOA MIC Project
MIC Solution Detail
Scoping & Project Set-up:
- Identification of org. units and processes in scope
- Org. unit hierarchy
- Central process catalog
- Assignment of processes to FS accounts
- Central catalog of control objectives and risks
- Assignment of processes to BUs
Documentation of Internal Controls:
- Controls management
Controls Assessment and Remediation:
- Control design assessment
- Control efficiency assessment
- Process design assessment
- Management controls assessment
- Identification of issues
- Validation of assessments
- Remediation of issues
- Progress tracking and analysis
Testing & Remediation:
- Documentation of testing results
- Identification of issues
- Remediation of issues
- Progress tracking and analysis
Reporting & Sign-off:
- Analysis overviews with drill-down functionality
- Management reports
- Workflow-triggered sign-off supporting 404 reporting / 302 certification
Basis: SAP Web AS 6.20
SOA Section 404 Timeline: Addressing Requirements in Year 1
Management activities, by phase:
I. Project Set-Up and Scoping: define management requirements; definition of project structure; scoping.
II. Documentation of Internal Control: description of processes, control objectives, risks, controls.
III. Management Assessment and Remediation of Internal Control Design & Efficiency: assessment of control design and efficiency at control level; control design & efficiency remediation; assessment of control design and efficiency within the process; process design & efficiency remediation; identify management controls.
IV. Testing & Remediation of Internal Control Effectiveness (up to financial year-end close): management testing of control effectiveness; control effectiveness remediation.
V. Sign-Off & Reporting (up to the 404 report filing deadline): org. unit review and sign-off; roll-up for sign-off; prepare 404 report.
External auditor activities, in parallel: guidance during set-up; process walkthroughs; review of remediation plans; testing of internal control; review of and attestation to the 404 report.
SOA Section 404 Timeline: Addressing Requirements in Year n
Management activities, by phase:
I. Open Year n: review/revise the project structure and scoping as needed; review/revise the description of processes, control objectives, risks and controls; review/revise the assessment of control design and efficiency at control level and within the process; review/revise management controls.
II. Quarterly Control Assessment Review (Year n, Q1 to Q3): Q1 evaluation of change in IC; process review and sign-off; roll-up for sign-off; freeze the Year n Q1 data and set up a new version for the next quarter; repeat the steps for Q2, Q3 and Q4.
III. Testing & Remediation of Internal Control Effectiveness (up to financial year-end close): management testing of control effectiveness; control effectiveness remediation.
IV. Sign-Off & Reporting (up to the 404 report filing deadline): org. unit review and sign-off; roll-up for sign-off; prepare 404 report.
Throughout the year: ongoing monitoring for change and process/control issues; update documentation; report to management.
External auditor activities, in parallel: process walkthroughs; testing of internal control; review of and attestation to the 404 report.
Initial Documentation of Internal Controls
Organizational Units
Org. unit hierarchies may be built with any number of levels. The hierarchy can also be created automatically from the HR organizational structure or from BW hierarchies (SEM-BCS, FI, EC-PCA, ...).
Example hierarchy:
- Corporate
  - Legal Entity LE1
    - Business Unit BU1
    - Business Unit BU2
  - Legal Entity LE2
  - Shared Services
    - IT
    - HR
Organizational Hierarchy (screenshot)
Screenshots are included for illustrative purposes only. Screen design, navigation, and functionality are subject to change.
Central Process Catalog (BU-independent Process Hierarchy)
Corporate and the Business Units define one central catalog of processes, without process steps. Only those processes are included that have a material impact on financial reporting (Section 404) or on disclosure controls and procedures (Section 302).
Examples of process groups: R & D; Procurement (supplier selection, bid and contract management); Production; Marketing; Sales & Distribution (Sales, e.g. Process P1: Order Processing); Finance (Financial Accounting, A/R, Financial Reporting); Human Resources; IT; Legal & Regulatory.
Central Process Catalog (screenshot)
Impact of Processes on Financial Accounts
Processes in the central catalog are linked to the relevant financial statement accounts or account groups (intervals). A process can impact one or several FS accounts.
Example: Sales & Distribution > Sales > Process P1: Order Processing affects Accounts Receivable and Inventory (Balance Sheet, Assets) and Revenue (Profit / Loss Statement); the Cash Flow Statement may be affected as well.
Process & Control Documentation: Linking Processes to FS Accounts (screenshot)
Control Objectives and Risks
Control objectives and risks are defined in a central catalog by Corporate and the BUs, attached to processes (e.g. Sales & Distribution > Sales > Process P1: Order Processing > Control Objective CO1 > Risks R1, R2).
Control Objective: a statement that captures the purpose of the controls within the process. Several control objectives are likely to be defined for each process. Following the COSO framework, control objectives may be categorized as Financial, Operational or Compliance related.
Risk: a potential event that adversely impacts the desired outcome of a control objective.
Control objectives and risks are used for the BU-specific risk assessment and control evaluation:
- Corporate-wide: P-CO-R (Process - Control Objective - Risk)
- BU-specific: P-CO-R-C (Process - Control Objective - Risk - Control)
Central Catalog: Process - Control Objective - Risk (example)
Process | Control Objective | Control Objective Category | Risks
Sales | Sales orders are properly authorized | Financial Reporting | Accepting orders from unauthorized or insolvent customers; commitment to unauthorized prices or terms
Sales | Customers receive quality service throughout the ordering process | Operations | Customer finds the process difficult to understand; employees lack the necessary customer service skills
Central Process Catalog: P-CO-R (screenshot)
Process Assignment to Business Units
BUs choose from the central process catalog those processes that are applicable and in scope for their BU. By assigning a process to a BU, the related process groups are inherited automatically from the central process catalog.
Example: Corporate > Legal Entity LE1 > Business Unit BU1 is assigned Procurement and Sales & Distribution > Sales > Process P1: Order Processing.
Process Assignment to Business Units (screenshot): processes are assigned to org. units from the central process catalog via a pop-up for process selection.
Assessment and Remediation of IC
Control Design Assessment Workflow, step 1 (screenshot): personalized, user-specific start page with a to-do list, e.g. "Perform Assessment of Control Design".
Control Design Assessment Workflow, step 2 (screenshot): detail screen where the assessment is performed.
MIC Role Concept
SAP delivers a catalog of the tasks that can be performed in the MIC application, for example:
- 31 Assess control design
- 32 Validate design issue
- 33 View control design assessment
SAP provides ready-to-use roles, e.g. CFO Assistant, BU Manager, Process Group Owner. Examples of assigned tasks: view org. structure; assign process group owners; assess management controls; view operational & management reports.
The Power User may define additional roles and edit or delete existing ones.
Role Concept: Assigning Names to Roles
Roles are assigned at the org. unit level. A business user of BU1 enters the names for each role in his area of responsibility, e.g.:
Entity | Title | Role | Name
Process Group Procurement | PG Procurement | PG Owner | John Smith
Process Group Sales & Distribution | PG Sales & Distr. | PG Owner | Joe Black
Benefits:
1) Central maintenance of roles, their tasks and authorizations (the Power User creates the user IDs)
2) The assignment of persons to roles can be set up and modified by business users at all levels, following a cascading delegation principle
3) The role/task concept automatically generates the appropriate workflow tasks
Test and Remediation of IC
Analysis Trees and Reports: Process Group - Process - Process Step (PG-P-PS) view for testing
Sign-Off and Reporting
Sign-Off by Org Unit (screenshot)
The sign-off indicates that all information contained in the tool (processes and controls identified, control ratings, etc.) is adequate and up to date. Issues and remediation plans may still be open at the time of sign-off. Sign-offs with outstanding red ratings require comments and may prevent the CEO and CFO from submitting a clean 302 certification / 404 report; the outstanding points would then have to be disclosed to the SEC and the public.
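The two mechanisms described on the role-concept slide and on this sign-off slide, namely role assignments scoped to an org. unit subtree with cascading delegation, and the bottom-up sign-off in which red ratings need a comment and any open red blocks a clean certification, are modeled below as an added example. This is not code from the PwC/SAP deck or from the MIC product: the org. units, role names and task numbers 31, 32 and 33 come from the slides; task numbers 901-905, the role-to-task mapping, the rating scale and all sample data are constructed.

```python
"""Added example (not MIC product code): org-unit-scoped roles with cascading
delegation, plus the sign-off roll-up rule for red ratings.  Task IDs 31-33 and
the role names are from the slides; 901-905 and the mapping are assumed."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Iterator, Optional

RATING_RANK = {"green": 0, "yellow": 1, "red": 2}
ASSIGN_TASK, SIGNOFF_TASK = 902, 905          # assumed task numbers
ROLE_TASKS = {                                 # assumed role -> task mapping
    "CFO Assistant": {33, 901, 904, SIGNOFF_TASK},
    "BU Manager": {31, 32, 33, 901, ASSIGN_TASK, 903, 904, SIGNOFF_TASK},
    "Process Group Owner": {31, 33},
}


@dataclass(eq=False)                           # identity comparison: units form a tree
class OrgUnit:
    name: str
    parent: Optional[OrgUnit] = None
    children: list[OrgUnit] = field(default_factory=list)
    ratings: dict[str, tuple[str, str]] = field(default_factory=dict)  # control -> (rating, comment)
    signed_off: bool = False

    def add(self, name: str) -> OrgUnit:
        child = OrgUnit(name, parent=self)
        self.children.append(child)
        return child

    def self_and_ancestors(self) -> Iterator[OrgUnit]:
        unit: Optional[OrgUnit] = self
        while unit is not None:
            yield unit
            unit = unit.parent


@dataclass
class Assignment:
    user: str
    role: str
    unit: OrgUnit                              # role is valid for this unit and everything below


def authorized(assignments: list[Assignment], user: str, task: int, unit: OrgUnit) -> bool:
    """A role assigned at an org unit covers that unit and its whole subtree."""
    scope = list(unit.self_and_ancestors())
    return any(a.user == user and task in ROLE_TASKS[a.role] and a.unit in scope for a in assignments)


def assign_role(assignments: list[Assignment], assigner: str, user: str, role: str, unit: OrgUnit) -> None:
    """Cascading delegation: roles may only be handed out inside the assigner's own area."""
    if not authorized(assignments, assigner, ASSIGN_TASK, unit):
        raise PermissionError(f"{assigner} may not assign roles at {unit.name}")
    assignments.append(Assignment(user, role, unit))


def sign_off(assignments: list[Assignment], user: str, unit: OrgUnit) -> None:
    """Sign-off attests the unit's data is complete; red ratings need a comment, sub-units go first."""
    if not authorized(assignments, user, SIGNOFF_TASK, unit):
        raise PermissionError(f"{user} may not sign off {unit.name}")
    missing = [c for c, (rating, note) in unit.ratings.items() if rating == "red" and not note.strip()]
    if missing:
        raise ValueError(f"{unit.name}: red ratings without comment: {missing}")
    if not all(child.signed_off for child in unit.children):
        raise ValueError(f"{unit.name}: sub-units not yet signed off")
    unit.signed_off = True


def roll_up(unit: OrgUnit) -> tuple[str, list[str]]:
    """Worst rating in the subtree and every open red control as 'unit/control'."""
    worst, reds = "green", []
    for control, (rating, _) in unit.ratings.items():
        worst = max(worst, rating, key=RATING_RANK.get)
        if rating == "red":
            reds.append(f"{unit.name}/{control}")
    for child in unit.children:
        child_worst, child_reds = roll_up(child)
        worst = max(worst, child_worst, key=RATING_RANK.get)
        reds.extend(child_reds)
    return worst, reds


def clean_certification_possible(root: OrgUnit) -> bool:
    """A clean 302/404 certification needs a signed-off root and no open red rating anywhere."""
    return root.signed_off and not roll_up(root)[1]


def build_demo() -> dict:
    """Constructed scenario following the org chart on the slides."""
    corp = OrgUnit("Corporate")
    le1, le2, ssc = corp.add("LE1"), corp.add("LE2"), corp.add("Shared Services")
    bu1, bu2, it, hr = le1.add("BU1"), le1.add("BU2"), ssc.add("IT"), ssc.add("HR")
    assignments = [Assignment("cfo.assistant", "CFO Assistant", corp),
                   Assignment("jane.doe", "BU Manager", le1)]
    out: dict = {}
    assign_role(assignments, "jane.doe", "john.smith", "Process Group Owner", bu1)
    try:                                       # LE2 lies outside jane.doe's area of responsibility
        assign_role(assignments, "jane.doe", "joe.black", "Process Group Owner", le2)
        out["delegation_outside_scope"] = "allowed"
    except PermissionError:
        out["delegation_outside_scope"] = "denied"
    out["pg_owner_assess_bu1"] = authorized(assignments, "john.smith", 31, bu1)
    out["pg_owner_assess_bu2"] = authorized(assignments, "john.smith", 31, bu2)
    bu1.ratings = {"Order authorization": ("red", ""), "Price approval": ("green", "")}
    bu2.ratings = {"Order authorization": ("green", "")}
    it.ratings = {"Change management": ("yellow", "ticket sampling incomplete")}
    try:                                       # red rating without a comment is rejected
        sign_off(assignments, "jane.doe", bu1)
        out["red_without_comment"] = "accepted"
    except ValueError:
        out["red_without_comment"] = "rejected"
    bu1.ratings["Order authorization"] = ("red", "credit check bypassed; remediation due Q2")
    for unit in (bu1, bu2, le1):
        sign_off(assignments, "jane.doe", unit)
    for unit in (le2, it, hr, ssc, corp):
        sign_off(assignments, "cfo.assistant", unit)
    out["worst_rating"], out["open_reds"] = roll_up(corp)
    out["clean_certification"] = clean_certification_possible(corp)
    return out


if __name__ == "__main__":
    for key, value in build_demo().items():
        print(f"{key}: {value}")
```

Running the script shows the delegation attempt into LE2 denied, the process group owner authorized at BU1 but not at BU2, the first BU1 sign-off rejected for the uncommented red rating, and, after every unit has signed off, a roll-up of "red" with one open item (BU1/Order authorization), so no clean certification is possible until that issue is remediated or disclosed.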
Reporting: Process Group - Process - Process Step View (screenshot)
Questions this view answers:
- What ratings exist for certain controls?
- Are controls in the right place (missing / redundant) within the process?
- Are there issues associated with these controls / processes / process groups?
- Who is responsible for a given control / process / process group?
Reporting: Process - Control Objective - Risk - Control View (screenshot)
Questions this view answers:
- Which control objectives and risks are not addressed?
- What is the state of the internal controls addressing individual risks within a given process?
Questions and Additional Information
Q & A: Questions?
Instructor Contact and Additional Information
SAP Solution Management: David Nelson, david.e.nelson@sap.com; Andrea Anderson, andrea.anderson@sap.com
PwC: William Shipley, william.shipley@us.pwc.com; Brian Parker, brian.parker@us.pwc.com
Copyright 2002 SAP AG. All rights reserved No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, WINDOWS, NT, EXCEL, Word, PowerPoint and SQL Server are registered trademarks of Microsoft Corporation. IBM, DB2, OS/2, DB2/6000, Parallel Sysplex, MVS/ESA, RS/6000, AIX, S/390, AS/400, OS/390, and OS/400 are registered trademarks of IBM Corporation. ORACLE is a registered trademark of ORACLE Corporation. INFORMIX -OnLine for SAP and Informix Dynamic ServerTM are registered trademarks of Informix Software Incorporated. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. JAVA is a registered trademark of Sun Microsystems, Inc. JAVASCRIPT is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP EarlyWatch, BAPI, SAPPHIRE, Management Cockpit, mysap Business Suite Logo and mysap.com are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other products mentioned are trademarks or registered trademarks of their respective companies.