www.pwc.

ch/ra

Making Sense of Internal Control

How technology is used in practice to implement a control vision: seven examples

A PwC white paper for CIOs and Internal Control professionals

Contents
Introduction Control solutions in practice Seven examples of control solutions in practice 1 2 3 4 5 6 7
Alliander NV closing process and internal control management supported by Runbook Geberit AG SAP access control management supported by APM Atlantis Global Fortune 500 Company process and access control monitoring supported by Approva BizRights Kuoni Travel Holding AG Managing ICS supported by SAP GRC Process Control Pilatus Aircraft Ltd SAP access control monitoring supported by Mesaforte Serco Group plc SAP system auditing supported by Security Weaver Access & Process Control UK Defence Contractor access security supported by Oracle GRC

5 7

8 10 12 14 16 18 20

Observations/Acknowledgments Contacts

22 23

Contents

Paul de Jong Partner PwC

Companies report clear business benefits from implementing technology supporting their control vision.
In January 2010, PwC published the white paper: Making sense of internal control: How to align vision, organisation and technology to lower compliance costs and improve business efficiency. The white paper concluded that a bestin-class control system is the result of: a control vision supported by the business, well-defined ownership and accountability, and use of the right technologies.

With this white paper, we aim to further clarify the purpose and capabilities of control solutions. Note that given the number of actual implementations, we no longer call these solutions next generation. This paper is divided into two sections: Section one: Control solutions in practice provides seven examples of companies that have implemented control solutions and explains the implementation approach and daily usage. To obtain these examples we asked vendors in the Swiss market to provide us with reference customers. We interviewed these customers and documented their views and experiences. Section two: Observations highlights what PwC feels are the most important lessons to be drawn from these seven examples.

In this context, we introduced the term next generation control solutions for technology supporting best-in-class internal control systems. This technology is also known as GRC (Governance, Risk and Compliance) technology. The market for this technology is rapidly evolving. Vendors have propositions to improve compliance, risk management and internal control systems. However, our clients struggled with the differences between the solutions in the market and were looking for guidance on how to select and implement them. Our 2010 white paper led to many stimulating and challenging discussions with our clients. We also helped companies to choose and implement a next generation control solution. However, many companies remained uncertain on how and why to use control solutions within their organisation. This signalled a clear need for thought leadership that provided a deeper understanding of the current capabilities of control solutions.

The seven examples provide additional insight into the current capabilities of control solutions. We hope you find this information useful and enjoy reading it. On behalf of my colleagues at PricewaterhouseCoopers who helped make this white paper possible, I would like to thank the vendors and their customers for their openness and willingness to share their experiences. It was a pleasure for us to learn more about your solutions. We look forward to further sharing and collaborating in this space. Yours sincerely,

Paul de Jong Partner PricewaterhouseCoopers AG

Editorial 5

Control solutions in practice

This section features (in alphabetical order) seven companies that explain how and why they implement and use control solutions: Alliander (The Netherlands) uses Runbook for closing process and internal controls management Geberit (Switzerland) uses APM Atlantis for SAP access controls management Global Fortune 500 Company (Europe) uses Approva BizRights to manage access and process controls.

Kuoni Travel Holding (Switzerland) uses SAP GRC Process Control to manage the internal control system Pilatus Aircraft (Switzerland) uses Mesaforte to monitor SAP access controls. Serco Group (United Kingdom) uses Security Weaver Access and Process Control for SAP system auditing. UK Defence Contractor (United Kingdom) uses Oracle GRC for access security

The examples are offered only for the purpose of sharing experiences and the control solutions are not qualified in any way. Any control solution should be evaluated against company specific objectives and circumstances, ideally through a proof of concept.

Control solutions in practice

Business benefit: Documentation of business control framework and control assessments meets efficiency and transparency requirements.

Alliander NV
Closing process and internal control management supported by Runbook
This article is based on an interview with the Compliance Officer Risk and the Internal Audit Manager of Alliander NV.* Business Issue and Solution Selection Alliander operates a finance shared service centre to manage bookkeeping and accounting in SAP for approximately 25 group companies. Originally selected by its predecessor company NUON in 2006, Alliander uses Runbook to manage the period-end closing processes. The Period-End Close module is used to implement a workflow-based process for over 100 users by integrating the monthly closing schedule into SAP. The shared service centre monitors the progress of closing on a real-time basis and identifies any delays with Runbook. Runbooks Compliance Documentation module collects and archives all documentation relevant as evidence for financial reporting compliance. Both internal and external auditors use the resulting archive for audit purposes. The Compliance Officer Risk is responsible for the effectiveness of the internal control system to ensure Alliander is in control and in compliance with regulations (code-Tabaksblat, commissie Frijns). Allianders internal control system is described in a Business Control Framework which is applicable to all its companies. The Business Control Framework defines the controls to address financial reporting and financial operational risks. The controls cover

manual controls, access controls, programmed procedures and IT general controls. The effectiveness of these controls is assessed by management on a quarterly basis. In 2009, the Compliance Officer Risk found the current documentation of both the Business Control Framework and the controls assessments was no longer sufficient to satisfy the needs for efficiency, transparency and documentation. He searched for a software solution to better address these needs. In this in-house search (Alliander only uses proprietary software solutions, if they are fit for the purpose), he was made aware of the internal controls module of Runbook. As the software was already in use and the users were satisfied with the proof of concept, Alliander decided to extend the use of Runbook to documenting the Business Control Framework and the controls assessment results.

Company Name: Alliander NV Industry: energy distribution Headquarters: Arnhem, The Netherlands Business activity: gas and electricity networks in the Netherlands. Employees: 6,000 Revenues: EUR 1.4 billion

Solution Name: Runbook Vendor: Runbook Version: 4.0b (Service Pack 9) Modules: Period-End Close, Internal Controls, Compliance Documentation

Implementation The technical implementation of each Runbook module required only a few days, because Runbook is an ABAP based SAP certified software, which can be installed through regular SAP change management procedures. Company specific content, such as closing schedule or controls description, was directly installed with upload sheets (e.g. in Excel format) into Runbook. The functional implementation of the internal controls module of Runbook took Alliander an estimated 3 months. It was important to the Compliance Risk Officer to dedicate a sufficient amount of time to the design of roles and responsibilities for controls assessment,

Alliander NV

as well as to the translation of the Business Control Framework into Runbook control definition specifications. Runbook works with scenarios to describe and manage periodic processes. Alliander created Business Control Framework scenarios for every business unit in Runbook to represent the controls execution and controls assessment cycles. Two Runbook consultants supported the implementation with customising activities and by facilitating workshops to guide users on how to apply Runbook functionality in the Alliander setting. Alliander considered the support efficient, pragmatic and service-oriented, as demonstrated through continuing development of the Runbook software based on input from the user community. The Internal Controls module is used by 25 users (including Control Testers, Business Controllers, the Compliance Officer Risk and Internal Audit) to: document the controls design as described in the Business Control Framework, including the assignment of responsibilities for control execution, testing and sign-off, document evidence of the execution of these controls, monitor the execution of these controls, plan the testing of these controls, document the results of the testing of these controls, document remedial activities and their completion.

Alliander increased transparency and eased change management for internal controls.

and mainly consists of updating scenarios and uploading these to make them available for the next quarterly controls cycle.

Next Steps Alliander is considering the following in expanding the usage of Runbook for internal controls: Implementing results of Business Control Framework adjustment to cover operational and compliance risks and to reduce the number of controls per area. Extending the use of Runbooks internal controls reports towards monitoring progress on remediation activities. Integrating controls activities into period-end closing scenarios in Runbook. Enabling direct signing-off on controls by control owners (directors) in Runbook. Ensuring that internal audit is notified in the automated workflow when internal controls exceptions are recorded in Runbook.

Benefits Alliander sees the main benefits of using the Internal Controls module of Runbook as: improved accessibility and transparency of internal controls documentation, execution and assessment throughout the relevant parts of the organisation, ease in applying changes to the Business Control Framework and making these available to the Internal Controls community within Alliander, ability to assign roles, responsibilities and tasks and perform progress monitoring on the execution of these tasks during the controls cycle, increased control awareness and controls discipline in the organisation, quality of documentation of controls execution and controls assessment, greater efficiency of internal and external controls reviews.

Allianders shared service centre oversees the system management of Runbook. According to the Compliance Officer Risk, this requires two days a month for the Internal Controls module

Alliander NV

Business benefit: SAP security supports internal control requirements.

Geberit AG
SAP access control management supported by APM Atlantis
This article is based on an interview with the Head of Global IT of Geberit AG and the IT Analyst who supported the implementation of APM Atlantis.* Business Issue Geberit uses SAP as one of its core systems. Close to 50 internal SAP specialists manage 2 central SAP systems operated in 2 data centres, which support 2,500 users in 25 countries. Driven by the implementation of the internal control system (to comply with Swiss legislation as of 2008), Geberits IT department found the existing profile-based SAP authorisation concept did not adequately meet regulatory requirements such as documented approval of authorisation requests, segregation of duties, etc. The IT department, supported by the CFO and internal audit, started a project in 2008 with the aim of; Solution Name: APM Atlantis Vendor: Realtime AG Modules: Core, Composer, Transformer, Observer implementing transition to a rolebased SAP authorisation concept that considered segregation of duties requirements, defining and implementing clear organisational roles and responsibilities regarding the definition, composition, provision and approval of SAP roles, implementing IT general controls as an element of corporate governance, creating a repository and an approval workflow for the provisioning of SAP roles.

Solution Selection and Scope To achieve these goals, Geberit decided to deploy one tool for SAP role creation and management and a separate tool for SAP user management and role provisioning. For role-creation and management, Geberit considered the balance between the granularity of the roles versus complexity and maintenance effort. Given the large number of relatively similar sales companies and production sites in SAP, it was important for Geberit to be able to efficiently replicate roles across operating companies. Out of four potential solutions, Geberit selected APM Atlantis because of these decisive factors: APM Atlantis utilises the standard SAP role maintenance functionality (PFCG), and compliments this with role inheritance functionality that enables efficient replication of roles across operating companies and organisational units in SAP, APM Atlantis is an ABAP-programme integrated into SAP, which enables on-line role monitoring, the programme was offered at a significantly lower price than other tools.

Company Name: Geberit AG Industry: sanitary technology Headquarters: Rapperswil-Jona, Switzerland Business activity: Sales offices in 40 countries. Sales activities are concentrated on the major European markets, North America, China and South East Asia Employees: ca. 5,800 Revenues: CHF 2.2 billion

For SAP user management and role provisioning, Geberit developed a Lotus Notes application in-house. Lotus Notes is widely used in Geberit (ca. 3,300 users) and was considered the easiest platform to support the approval workflow for SAP user and roles.

Implementation The project for the design and implementation of the SAP authorisation project lasted 2 years. The project was

10

Geberit AG

done internally with the involvement of 4 SAP Basis specialists, 8 SAP module administrators, the Head of Global IT, internal audit and a key user for each operating company. The project was organised in 5 phases 1. Approach and tool selection: Definition of organisational roles for SAP role definition, approval and provisioning. As-is analysis: Reveal the SAP transactions and reports that users were employing as a basis for the role definition based on information used in the context of SAP license management. Role definition: Design business process oriented or function based roles that are segregation of duties compliant and reusable. Role implementation: Translate the conceptual roles into SAP roles. Master roles were created in APM Atlantis and used to construct derived roles which were extended to be replicated across operating companies and organisational units. All single roles were designed and tested in APM Atlantis to be in compliance with Geberits segregation of duties matrix. This matrix was based on the standard rule set from APM Atlantis and customised according to guidance from auditors. Approval and provisioning: Assign the new roles through the new approval workflow to users in SAP. The role changes were sent from Lotus Notes in text files and imported into SAP semi-automatically. The users and roles in SAP are periodically reconciled with the approved users and roles in the Lotus Notes database.

2.

Geberit uses a best of breed solution that combines an off-the-shelf SAP access control tool for access monitoring and role management with a custom Lotus Notes application for user and role provisioning to meet the companys goals efficiently.
According to Geberit, the technical implementation and configuration (rule set adaptation) of APM Atlantis took less than 3 weeks. SAP role definition and implementation using APM Atlantis during the project required some 0.6 FTE and is expected to take 0.3 FTE in operations afterwards. Geberit expects only minor efforts to be required for the maintenance of APM Atlantis (e.g. technical upgrades, rule set changes). The creation of roles in APM Atlantis is performed by the SAP module administrators in the SAP test environment. During and after creation, APM Atlantis tests the role definition against the segregation of duties matrix. The role is subject to approval by the process owner. The allocation of the role to a specific user is subject to approval by the data owner. The SAP Basis administrator provisions and assigns roles to users upon approval. One IT person outside of the SAP competence centre creates monitoring reports and supports the further development of the authorisation concept. increased transparency of roles and responsibilities for SAP authorisations, data owners are able to monitor the access rights to their data, improved communication with users regarding access to SAP, clean up of users in SAP, increased control awareness in the IT department, reduced errors in the provisioning of access rights.

3.

4.

Next Steps The Head of Global IT expects that with usage, the efficiency of user and access management will further increase. Next steps will include; Using APM Atlantis for the periodic review of segregation of duties conflicts in the SAP production environment, Further optimising general IT controls, Increasing the use of SAP functionality for internal controls in the business processes.

5.

Benefits Although the project is not yet entirely completed, Geberit has realised several benefits including;

Geberit AG

11

Business benefits: Consistent controls across group entities and regions.

Global Fortune 500 Company

This article is based on an interview with the company.

Establishing effective and efficient controls implemented as end-to-end monitoring processes Supporting the effective and efficient processes of assessing controls according to SOX 404 requirements.

Process and access control monitoring supported by Approva BizRights

Solution Selection The company was looking for a solution to address the business issues. The main drivers for selecting the Approva BizRights solution were: Flexibility in the reporting structure and design of rules used for controls Support for multiple types of controls (i.e. monitoring of restricted access controls, configuration controls, master data controls and transactional controls) Performance on large SAP instances supporting multi-national operations.

Company Name: Global Fortune 500 Company Industry: consumer goods Headquarters: Europe Business: Manufacture and sale of consumer goods Employees: over 50,000 Revenues: over USD 20 billion

Business Issue The company has established internal controls over financial reporting in compliance with Sarbanes-Oxley section 404 (SOX 404). The project was initiated to address the following challenges: Ensuring consistent and transparent internal controls across regions and affiliates and alignment with corporate standards Defining a framework of complementary controls to address risks in increasingly complex business and information systems processes Reducing the complexity of monitoring controls for end users, leveraging expert skills and competencies in central support teams

Solution Name: Approva BizRights Vendor: Consider Solutions Version: 4.1 Modules: Authorisation Insight, Process Insight, Configuration Insight Application Environment SAP ERP

Implementation The global and cross-regional implementation was achieved within two years, excluding the initial selection and evaluation process. The core team consisted of about ten members and was extended with additional specialists during development phases, in addition to temporary involvement of end-users. Business ownership was ensured by the internal controls function.

12

Global Fortune 500 Company

Overall, the project objectives have been achieved and initial benefits were realised during the initial year after roll-out. The complexity arising from the cross-functional scope of the project was underestimated in certain aspects. In order to fully realise the benefits, additional efforts were required to consolidate technical and functional processes.

The company is now able to effectively and efficiently monitor and assess controls across the group.

Solution Scope The overall control framework implemented with the solution follows a top-down approach based on three tiers: a global template, which serves as the basis for regional templates. Local controls are then defined based on regional templates. The solution covers monitoring of access controls, privileged access activities, and an initial set of process controls, including configurable controls, controls around master data and business transactions. Beyond monitoring, the project deliverables included control design, exception reporting, and tracking corrective actions. In the area of access controls, the solution is used to monitor access to sensitive transactions, identify and correct conflicts in segregation of duties (SOD), as well as to perform preventative SOD checks in the access provisioning process. Process controls are implemented in the following areas: IT general controls and privileged access activity, finance, fixed assets, purchasing, production inventory, receivables, treasury, and payroll.

As part of the end-to-end process, the solution also supports the retention of standardised control evidence in a document repository implemented via Microsoft SharePoint. The scope of the solution covers around 700 users, comprising business and information system control owners as well as internal and external auditors across multiple markets. Maintenance and support of the solution is ensured via a strongly centralised model including functional and technical support.

Reduced effort for assessment of controls by internal and external auditors.

Next Steps Future project phases will enhance the coverage of process controls and introduce advanced fraud detection methods. In addition, the current solutions are planned to be extended to additional risk areas, such as operational or compliance controls.

Benefits The company realised benefits in multiple areas after the implementation of the solution: Improved enforcement of corporate standards across regions and markets Enhanced consistency of controls including small affiliates with limited skills and resources Increased transparency of controls via a defined top-down framework Reduced complexity in performing local controls, better leverage of expert skills in central teams

Global Fortune 500 Company

13

Business benefit: Efficient monitoring of internal controls and management of internal control documentation.

Kuoni Travel Holding AG

This article is based on an interview with the Group Compliance Officer ICS of Kuoni Travel Holding AG.**

Managing ICS supported by SAP GRC Process Control

Business Issue After having created an internal control system (in compliance with Swiss legislation as of 2008), Kuoni faced two interesting challenges related to compliance: 1. Many processes and related documentation changed regularly. These documents were maintained in Excel/PowerPoint and required a significant investment to update and an audit trail could not be maintained. Many of Kuonis controls are manual and the business is required to perform them regularly, but timely monitoring of control execution was not possible.

Solution Selection Kuoni Group began a search for an automated solution to help manage the issues mentioned above. A vendor search was conducted that included ten vendors. Kuoni selected SAP GRC Process Controls for the following reasons: Functionality: Standard functionality could be used to load control information from Kuonis control documentation in Excel into the tool. User Friendliness: Users worldwide must be able to use the tool to updated control documentation and upload control evidence. According to the interviewee, the tool was easy to use for the business. Cost considerations.

Company Name: Kuoni Travel Holding AG Industry: travel and tourism Headquarters: Zurich, Switzerland Business activity: leisure travel and destination management businesses in over 40 countries. Employees: 9,070 (in 2009) Revenues: CHF 3,894 million (in 2009) Solution Name: SAP GRC Process Control Vendor: SAP AG Version: 3.0

2.

Kuoni uses Microsoft Dynamics as its core ERP system.

Solution Scope The project to improve the visibility and tracking of manual control testing lasted six months. This project included the implementation of SAP GRC Process Controls and all training associated with the new tool and procedures. The project was supported by Kuoni IT and an external consultant knowledgeable in SAP GRC Process Controls. During the first three months efforts were focused on getting the system configured and the ICS documents uploaded into the tool. Once this was completed, the remaining three months were focused on the roll-out and the training of staff involved in compliance throughout the world.

14

Kuoni Travel Holding AG

Kuoni found that there are many different features of the process control tool that can be implemented. These features range from the testing and reporting of automated controls/ configuration to managements signoff of the internal control system. At Kuoni, the scope of implementation was limited to only uploading internal control system documentation from each country and setting up testing procedures and issue resolution within the tool. SAP GRC Process Controls works for Kuoni by sending automated emails, based on control frequency, to control performers at each site. These control performers will log into the tool, upload the control evidence into process controls, marking the control execution complete. At Kuoni, the Group Compliance Officer ICS is responsible for the ICS and all testing/resolution. Any exceptions found during testing automatically generate an issue, which is assigned and resolved utilising workflow functionality. Four times a year, the Group Compliance Officer ICS reports to the audit committee on the status of the internal control system, noting any exceptions that are significant deficiencies or material weaknesses.

Kuoni improved the visibility and tracking of manual control testing.

Implementation Kuoni noted two main challenges during the implementation that still remain today. The first is the lack of qualified consultants in the Swiss market that have experience with SAP GRC Process Control. The SAP GRC Process Control tool is still growing in the Swiss market and there are only few people with the experience needed to facilitate speedy and efficient implementation. The second challenge is the dependency on internal IT support caused by the process controls tool at Kuoni. According to the Group Compliance Officer ICS, the purchase of the process controls tool should be driven by the business, but it is important to plan for necessary IT resources to ensure continuous long-term technical support can be provided for the tool.

Benefits and Next Steps The process control tool is implemented and operating over entities that cover 75% of Kuonis total revenue. Each year, scoping is done to ensure that at least 75% of revenue is covered by the internal control system. It is planned to raise the total percentage of entities covered by continuing to implement the process control tool at other sites. There are no plans to utilise the tools additional functionality related to automated control testing at this time. The overall impression Kuoni has of the SAP GRC Process Controls tool is positive. The Group Compliance Officer ICS concludes that SAP GRC has greatly streamlined the implementation and testing of Kuonis internal control system.

Kuoni Travel Holding AG

15

Business benefit: SAP role design supports segregation of duties requirements.

Pilatus Aircraft Ltd.

SAP access control monitoring supported by Mesaforte
This article is based on an interview with the Senior Vice President Audits & Compliance, the Head of Accounting and a staff member of the Accounting department of Pilatus Aircraft Ltd.* Business Issue During the implementation of the internal control system to comply with Swiss legislation as of 2008, Pilatus found the quality of SAP ERP access controls to be critical for successful application of segregation of duties in, and between, core processes. Pilatus anticipated the project would require considerable effort to bring SAP access rights to the aspired level of quality, as management had previously not focused on this area. The company also considered it a necessity to have an automated tool to monitor access rights.

Company Name: Pilatus Aircraft Ltd. Industry: aircraft manufacturing Headquarters: Stans, Switzerland Business activity: global, subsidiaries in Australia and the USA Employees: 1,400 (Group) Revenues: CHF 688m (Group) Solution Name: Mesaforte Vendor: Wikima4 AG Version: 2.1 Modules: Standard, Role Mining

Implementation The project to improve SAP access rights for approximetely 500 users of SAP ERP and implement Mesaforte to monitor the quality of these access rights took a year and a half. The effort during this time consisted of 0.2 FTE adapting and cleaning up the access rights in SAP and a weekly 2 to 4 hour workshop, e.g., for role definition and selection of applicable segregation of duties rules. Of the total time spent, 90% was dedicated to cleaning up and adapting access rights in SAP (get clean) and 10% to the implementation of Mesaforte. Due to the old profile-based access right set-up, users had accumulated access to too many SAP transactions, which needed to be removed. Pilatus defined new conflictfree roles and combined these into conflictfree combinations of roles to replace the profiles. Thanks to the available SAP competencies, Pilatus was able to handle most of the project with internal resources. Wikima4 provided Mesaforte-training, supported the installation of the tool and contributed input on the standard rule set during weekly workshops. An external consultant with extensive knowledge of the Pilatus business processes supported the development of roles and required segregation of duties, and managed the clean up activities. The project was more challenging than initially anticipated as a first assessment of the SAP access rights revealed 20,000 segregation of duties conflicts. In addition, a significant number of exceptions were discovered close to the end of the project (after a Mesaforte upgrade, which enabled access rights review at object-level) and required resolution.

Solution Selection Out of several SAP access rights monitoring tools, Pilatus selected Wikima4s Mesaforte for the following reasons: Ease of use of the software Relatively low license fee and implementation costs Geographical proximity of the software vendor.

16

Pilatus Aircraft Ltd

Solution Scope Mesaforte was implemented at Pilatus to monitor segregation of duties conflicts, critical transactions and profile parameters in business processes such as Procure to Pay and Order to Cash as well as in IT processes related to IT general controls. In total, some 120 risk areas were monitored exclusively with Mesaforte standard rules. Pilatus selected the applicable rules from the standard rule set and additional rules were not customised. Mesaforte is used at Pilatus to monitor the SAP access rights in production on a daily basis. New roles are assessed for segregation of duties compliance in the test system by the SAP access rights administrator in the Commercial IT department. All identified conflicts are handled by an officer in Accounting, which is outside of the IT department. Conflicting roles will not be moved into production unless a compensating measure is in place and approved by the compliance officer. Both the compensating measure and the formal approval are documented with the reported conflict in Mesaforte and supported through a justification dialogue. Mesaforte updates a SAP controls management cockpit on a daily basis. In this cockpit, the current status regarding segregation of duties conflicts, unexpected values in profile parameters as well as security incidents (e.g., repeated failed log-in attempts of specific users) are graphically summarised as a dashboard. The cockpit has drill-down functionality for further analysis. For each monitored item, the applicable rule, the actual value and the expected value are displayed. In addition, an access rights change log is available for audit purposes.

Pilatus Aircraft monitors access rights, profile parameters and security incidents on a daily basis.

System administration of Mesaforte requires only minimal effort from Pilatus. Upgrades are provided through FTP and are installed in 2 to 4 hours.

Next Steps As the next steps Pilatus is considering: increasing the efficiency in SAP user and access rights through automated user and access rights provisioning, to be enabled by SAP identity management in connection with the rule set in Mesaforte, automating more compensating controls directly in SAP. Pilatus has already programmed some analyses in SAP to monitor risks in order management and in customer data.

Benefits Pilatus is satisfied with the Mesaforte software. The primary benefits gained from the use of the tool are; increased transparency over complex SAP access rights, supported by an easily understandable cockpit, reduced effort to ensure compliance with required segregation of duties, increased fraud mitigation by putting a bolt on the doors.

Pilatus Aircraft Ltd

17

Business benefit: Efficient management and auditing of SAP access security.

Serco Group plc

SAP system auditing supported by Security Weaver Access & Process Control
This article is based on an interview with the Functional Lead for Controls, Security & Identity Management and a Controls, Security & Identity management Consultant of Serco Group plc.* Business Issue Sercos GRC project was initiated after an internal campaign. All parties involved recognised a need for a more robust and formalised internal control system. The use of a tool to automate the management of these controls was quickly raised as a key requirement.

Performance: measured on the speed of the application running real-time analyses with limited impact on the IT systems. Total cost of ownership: including licenses, hardware, installation, training, implementation, operation, support, maintenance, disaster recovery and back-up costs. Strategic: alignment with Sercos strategy, business requirements and existing partnerships. Risk profile; including assessments of the vendor viability, product maturity and customer base. Integration: with Identity Management, HCM and non-SAP applications. Flexibility: adjustable to Sercos structure, systems and general requirements. Scalability: to cope with high volumes of data and ease of upgrading. Functionality: to facilitate the process to i) get clean ii) stay clean iii) stay in control.

Company Name: Serco Group plc Industry: international service company Headquarters: Hook, England Business activity: services to government and private clients in over 30 countries Employees: 70,000 Revenues: GBP 4.3 billion

Solution Name: Security Weaver Vendor: Security Weaver Version: 2.1 Modules: Separation Enforcer (SE), Emergency Repair (ER), Secure Enterprise (EN), Process Auditor (PA)

Solution Selection In 2008, a decision was made and a budget allocated to the CIO for a company-wide security project including identity management, data security and encryption and Governance, Risk and Compliance (GRC). One of Sercos core systems is SAP with approximately 8,000 users. Serco reviewed the available solutions for GRC and narrowed their selection to three leading candidates. A series of vendor presentations, workshops and meetings resulted in a detailed selection process from which Security Weaver emerged as the best fit for Serco. After successfully completing a proof-of-concept, and providing a strong case to senior management, the decision was made. Serco selected Security Weaver using the following criteria: Ease of use: familiar navigation from a technical and end user perspective (including ease of implementation).

The key success factors for Security Weaver at Serco were the simplicity of the tool (and its deployment), the relatively low TCO, the familiarity of the technical platform (SAP-ABAP), the flexibility of Security Weaver to accommodate requirements, 24-h support and virtually unlimited reporting potential by making the tables used fully transparent.

Implementation The GRC system went live in July 2010 with Separation Enforcer, only 2 weeks after the transports were provided following the final contract signing. The decision was made to start with the

18

Serco Group plc

standard segregation of duties (SoD) ruleset as Sercos SAP system implementation was practical and add additional transactions/functions/rules as required. Also, instead of deactivating some of the non-applicable standard rules, Serco chose to implement global mitigating controls, applying the rationale that if a SoD function or transaction was not applicable at Serco (at the time), no user should have roles providing such access. If these functions should subsequently be made available through an enhancement to the system, the rules would automatically pick them up. The treasury management module of SAP was one of the pilots for Separation Enforcer for which no standard ruleset existed. Serco re-used the segregation of duties matrices developed in plain English by the business and the IT group translated it into the technical language of Security Weaver. Serco noted that their internal and external auditors were impressed by the rapidity and quality of this implementation. The success of this pilot provided the platform for extending the SoD work to cover the other business processes. Serco had originally planned for Security Weaver to fly over a small implementation team to set up the modules and deliver training. However, being a SAP competency centre, they were able to complete the installation and configuration internally using a consultant from their off-shore support partner with some help from a member of the Serco CSI (Controls, Security & Identity Management) team. Security Weaver supported this approach with regular WebEx sessions (from San Diego) to validate the set up and assist where required. To quote Serco, the biggest surprise was to realise that the implementation was actually quicker than what was mentioned in the marketing material.

Serco business users are responsible for monitoring access rights and requesting remediation actions.

The number of significant segregation of duties conflicts raised by the tool was limited (<1,000) and the remediation activity has been addressed as part of the business-as-usual activities of the SAP CSI team. The business users are key stakeholders and responsible for running the reports on a regular basis and requesting remediation actions to be initiated as needed.

Solution Scope Today Serco is running Separation Enforcer and Emergency Repair fully with some limited use of Secure Enterprise and Process Auditor. The next steps are to leverage the Secure Enterprise module to interrogate more non-SAP systems and manage crosssystem SoD controls, and expand the use of the Process Auditor module to address business process controls. The SAP team is working with the business to plan and execute the controls roadmap. The ultimate objective for Serco is to ensure Management and Internal Audit can fully rely on Security Weaver to control the daily business activities.

Benefits The project improved the visibility and tracking of all control testing. It supports the audit work and provides additional oversight (and comfort) to management. It also provided better efficiency and control around exceptional access management as well as validating access levels. One bonus benefit, which was not envisaged, was an unpublicised module (Role Deriver) that transformed the mass maintenance of complex roles (a particular challenge with Sercos organisational structure) this was one of the surprising wins (reducing a 4 hour build to 30 minutes). The next steps of the project are to unleash new areas where the tools will be used to streamline and improve business processes with Process Auditor.

Next steps Serco is very positive about the project and their experience. They feel confident that Security Weaver was a good choice for them. The fact that they had no significant challenges in implementing and rolling out the tool thus far is a clear indication and an incentive for Serco to expand their use of the tool to non-SAP systems and expand the scope by implementing other modules to fully leverage the potential.

Serco Group plc

19

Business benefit: Segregation of duties issues resolved and preventative automated controls implemented.

UK Defence Contractor
This article is based on an interview with Oracle GRC project team members at the company.**

Access security supported by Oracle GRC

Business Issue A UK Defence Contractor had implemented a number of manual compensating controls in its business processes to address risks resulting from segregation of duties issues that were noted during internal and external audits. They were looking for solutions to replace the manual compensating controls, enable the implementation of preventative automated controls and to remove segregation of duties (SoD) conflicts.

Oracle GRC provided the company with a tool to implement input validation (form rules) and workflow-based controls (flow rules) to further support the access controls provided through Application Access Controls Governor (AACG). The company selected Oracle GRC for the following reasons: Proven, robust access control functionality Support of future Oracle EBS releases Fully supported by the vendor Oracle Existing strategic partnership with Oracle

Company Name: UK Defence Contractor Industry: public services Headquarters: Aldermaston, UK Solution Name: Oracle GRC Vendor: Oracle Version: 7.3 Modules: Application Access Controls Governor (AACG), Preventive Controls Governor (PCG) 7.3

Solution Scope Application Access Controls Governor and Preventive Controls Governor were implemented to manage access rights and to automate controls. As part of the project, 28 access policies and 14 form or flow rules were implemented. Access policies are currently used in monitor mode, i.e., periodic manual monitoring of access is performed to detect issues. Once the solution is upgraded, preventative mode will be enabled enforcing access policies during the provisioning process, eliminating manual monitoring.

Solution Selection Whilst some of the goals could be addressed by introducing Form Personalisations and custom code, the companys general policy is to not introduce customisations into its Oracle E-Business Suite (EBS) R11 implementation. For the company, Form Personalisations using GRC was a faster process and offered additional functionality. GRC also appeared to be beneficial in upgrading as the Personalisations can be easily transferred, with only minor adjustments. However, there were some disadvantages for the company to consider as normal Form Personalisations have a greater degree of flexibility. Overall, the company considered GRC to be easier to use.

Implementation The initial focus of the project was the identification of access rules and preventative controls to address the risks currently mitigated by manual controls. This identification process was performed through workshops.

20

UK Defence Contractor

Based on the identified SoD rules, which were specifically built as part of the project and not based on a standard rule set, a conflict analysis was run. It resulted in a number of conflicts, which were remediated during the course of the project and reduced to a manageable number. As part of the preventative controls component of the project, approximately 40 controls were identified and prioritised. Some were implemented during the initial phase of the project; others have been developed and implemented post go-live by the internal company team who were trained to use the software during the project. A number of form rules that were identified in the workshops could not be developed using PCG as the tool as it is not yet compatible with HTML forms. Alternatives using flow rules were developed for some of these, however, some remain outstanding. Oracle is currently developing the technology to make it compatible with these forms. The overall project length was seven months, which included four months from inception to go-live and three months of post go-live support. The project staff included the following company resources and roles: Project steering committee with business process owners for finance, HR and procure to pay and the head of architecture (two hours per month/three sessions) Project manager (2 days per week) Apps DBA (1 day per week ) Functional consultants (workshops and four day GRC training course, one consultant full time throughout the project)

The company replaced manual controls and reduced system administration efforts.

Business users to attend workshops at the start of the project; four half day workshops. The following external consulting resources were involved: One project manager (part time) Two functional consultants (full time) One technical consultant (part time) One training consultant (part time)

Next Steps The comany is considering implementing additional GRC modules and functionality to realise additional benefits. As mentioned above when PCG is upgraded to version 7.3.1, it is planned to enable preventative mode to enforce SoD rules during provisioning, eliminating the current process of periodic detective review of access. The company is also considering the functional advantages of Enterprise Transactions Controls Governor (ETCG) and Configuration Controls Governor (CCG). They see potential benefit in CCGs ability to streamline the configuration controls process. This would allow them to retire the BR100 documents (Business Requirements Mapping/Applications Setup Definition), which are considered a complex set of documents to maintain.

In addition, internal audit was involved throughout the project. They provided sign off that the policies and rules implemented addressed a number of control risks identified during their audits.

Benefits The company felt that both the strategic objectives of eliminating manual compensating controls and resolving SoD conflicts were achieved by the project. They also described additional benefits with some of the implemented rules; the user provisioning rules, for example, resulted in a 40% reduction in the system administration effort.

UK Defence Contractor

21

Observations

The seven examples in this paper show the broad diversity of existing control solutions. Through our interviews, we found the following common denominators which we offer as key take-aways: The need to manage and optimise automated controls is a key driver in investing in control solutions. Most companies start with implementing control solutions for a specific business issue and attempt to realise

benefits prior to implementing additional functionality. Considering the average effort for the implementation of control solutions, this appears to be a sensible approach. The implementation of control solutions is a business challenge rather than an IT challenge. The effort for the technical implementation of a solution is small compared to the effort of designing and implementing change at the

organisational level (including the definition of roles and responsibilities) as well as on the process level (e.g., defining business rules, remediating processes, controls and security issues). Companies should involve people with a strong understanding of governance and compliance requirements, business and IT processes, systems, and what specific control solutions can and cannot do.

All companies report clear business benefits from using control solutions and plan to expand their use into other functional areas.

If you would like to get a more detailed understanding of control solutions and how they are relevant to your business, we are ready to share our experience and insights with you in person.

Acknowledgments We thank all the contributing organisations for their great support.
White paper Making Sense of Internal Control How technology is used in practice to implement a control vision: seven examples Published by PricewaterhouseCoopers AG Partner-in-charge Paul de Jong Managing editor Robert Schiffner Reviewers Aaron Werth Joe Walsh Jrgen Mller

Sponsor Jrgen Mller

Editors Paul de Jong Antoine Wthrich Raymond Mastre Robert Schiffner Stefan Schuble

Special thanks to Jonathan Bolton, Sandra Scheffmann

22

Observations/Acknowledgments

The experiences and opinions expressed in this article are solely the view of the interviewees and do not represent an endorsement or evaluation of the solution by PwC. PwC was not involved in the implementation of any financial information or control system.

** The experiences and opinions expressed in this article are solely the view of the interviewees and do not represent an endorsement or evaluation of the solution by PwC.

Contacts

For a deeper conversation about this topic and how it may affect your business, please contact:

Jrgen Mller Partner Risk Assurance Leader Switzerland +41 58 792 81 41 juergen.t.mueller@ch.pwc.com

Paul de Jong Partner Risk Assurance +41 58 792 76 58 paul.l.de.jong@ch.pwc.com

Contacts

23

www.pwc.ch/ra