Remove the guesswork and anxiety from internal and external audit requests with proven tools and techniques

James Baird, Senior Consultant, Dolphin

May 9, 2014

SAP Auditing 101

In This Session …

Disclaimer

Factors Driving Innovation in Audit

New Audit Requirements for 2014

Tools & Techniques for Audit Readiness

About Dolphin

More Info & Resources

Audit Glossary

Disclaimer

This session is for informational purposes only.

Dolphin does not provide audit advice or counsel pertaining to this subject or any related legislation or compliance issue.

We always recommend that you consult your qualified audit professional.

Auditing in the News

Increased Oversight

Difficult & Costly Process

Increased Oversight: External, Internal, & Compliance Audits

Majority of US audits deal with financial data, such as Sarbanes-Oxley (SOX), under the direction of PCAOB

Organizations also have to respond to audits from government and industry regulators, as well as internal bodies.

PII: Personally Identifiable Information

PIPEDA: Personal Information Protection & Electronic Documents Act

PHIA: Personal Health Information Act

HIPPA: Health Information Protection Act (USA HIPAA)

PCI DSS: Payment Card Industry Data Security

Changing Regulations Keep Pace with Rapid Market Evolution

Audits are becoming more complex as regulators request more information

Organizations must retain data for variable periods of time

Multi-national companies need to balance different retention requirements for different jurisdictions

Examples

Health: 30 years+

Financial: 7 years

Academic: 10 years

Legal: ? years

Strategy for Info Lifecycle mgt.

Survey of IT-related Audit Concerns 2013

Source: Gartner, Survey Analysis: IT Compliance and Audit, 2013

Difficult and Costly Process

Auditors / IT Staff

I need to get production data

From lots of systems: ERP, CRM, EDI,..

I need it in flat format, other formats

It’s urgent

No, it’s urgent

I need to comply within SAP

I’ll need to check with the team

Is the % PC sufficient?

This is a priority

I can do a query in 7 days

In one business week?

What Data?

Sales

Which tables?

I don’t know

Which fields?

Don’t know & I will need more data later

I’ll extract Sales Data and VBAP

DAF is impatient

Anyway it’s not secure

What do you mean?

My director refused this request

I’ll go back to my director

Oops, spoke too soon. Not possible. Sorry!

The more time it takes to complete an audit . . . the more it costs

New Audit Requirements for 2014 *key word flexibility*

2014 Audit Changes You Need to Know

Impact of Big Data

Change: Auditors may need to increase controls to manage larger data volumes

Big Data increases the amount of data that will be subject to audit or legal concerns (PII, PCI…)

Encryption can come into play

Organizations need better tools and an information lifecycle strategy to manage security and compliance of Big Data

Source: Association of Chartered Certified Accountants, “Big Data: Its Power and Perils”, Nov. 2013

2014 Audit Changes You Need to Know

Increased Oversight of Processes

Change: Auditors may need to be able to explain automated controlling processes

Auditors must understand which automated controls (i.e., workflows, approvals, logs, notification and system validation) are in place

Process diagrams must show how automated controls interlink with the system and control frameworks (i.e., GRC). Must note where the control is; how it is used; and how it is being validated and/or audited (per PCAOB direction)

Source: “What is an Integrated Audit?”, Harvard University, April 23, 2014 http://rmas.fad.harvard.edu/faq/what-integrated-audit

2014 Audit Changes You Need to Know

Tighter Control of Manual Entries

Change: Manual entries, in SAP, may be subject to tighter audits and controls placed against them

Increased oversight of manual entries to reduce impact on financial statements and detect incidents of fraud

Move to more controls and increase automation to: reduce human error; eliminate opportunities for fraud

Imaging products with built-in controls help with this concern

Source: http://pcaobus.org/Standards/Auditing/Pages/AU316_61.aspx

What Do I Do Now?

Tools & Techniques for Improving Audit Readiness

Goals for Improving Audit Readiness

Lower Costs

Anticipate audit requirements and use a flexible tool to reduce the fees levied by consulting firms and penalties from regulatory bodies.

Improve Controls

Implement an audit strategy that aligns the organization’s information lifecycle with corporate and legal retention requirements.

Improve Efficiency

Identify storage and retrieval strategies (archiving) to reduce the time and effort required to extract data and documents when responding to audit requests.

Improving Audit Readiness

Lower Costs

Invest in flexible tools that can support financial and other audit reporting requirements, globally (France, Luxembourg, Brazil…)

DART is primarily focused on financial audits

Rules and audit guidelines change by country

Archiving data reduces costs associated with long-term data retention

Audit tools need to be able to extract archive data and change as audit requirements change

Improving Audit Readiness

Increase Efficiency: Classic Audit Process

[Figure: timeline of the classic audit process. Steps shown: Auditor Requests Data; Send Files to Auditors; Generate Files; Questions from Auditors; Urgent Responses to Auditors. Timeline labels: 3 weeks – Plan; 15 weeks – Actual.]

Improving Audit Readiness

Increase Efficiency: Optimized Audit Process

[Figure: timeline of the optimized audit process. Steps shown: Auditor Requests Data; Send Files to Auditors; Generate Files; Questions from Auditors; Respond Authoritatively to Auditor; Extract additional data for analysis; Prepare Response. Timeline labels: 3 weeks – Plan; 15 weeks – Previous; & Actual.]

Improving data storage & retrieval reduces the time & effort to respond to audit requests

Increase Efficiency

Tools and Techniques for Data Storage and Retrieval

Leverage SAP’s built-in capabilities to support audits: logs, automated processes (i.e., workflows, business rules . . .); DART extracts; SAP GRC; archiving to freeze and compress static data

Consider SAP Add-on solutions to enhance SAP audit capabilities: flexible data retrieval; support for legal holds; manage data retention and purge according to retention policies

Improving Controls

Information Lifecycle & SAP GRC

Put an Information Lifecycle Strategy in place: combination of policies, procedures, and practice (execution and technology)

Take advantage of enhanced audit capabilities with SAP GRC: SAP 5.3 was primarily for Access Controls; GRC 10 & 10.1 contain new features (i.e., risk, fraud, process controls . . .); information lifecycle management is a key component of the GRC roadmap

Leverage SAP Add-ons to strengthen ILM strategy & GRC: automated data entry for financial and compliance; audit reporting; automated data retention and destruction

Dolphin Audit Solution Capabilities

Get Results with Dolphin Audit Solutions

Lower Costs

Reduced cost of retaining large volumes of data for audits with aggressive archiving strategy and no loss of access.

- Large Volume Discount Retailer

Improve Controls

Fixed compliance gaps identified by internal auditors, and secured sensitive customer data in production and archive.

- Global Consumer Technology Company

Improve Efficiency

Reduced time required to respond to audit requests from 15 weeks to 3 weeks.

- Large International Beverage Company

Dolphin Enterprise Solutions

SAP focused

Proven solutions for SAP customers, leveraging SAP technology, and certified by SAP

1/3 of all Fortune 100™ companies running SAP are Dolphin customers

Employee owned; private; independent of other stakeholders; organic growth

Established in 1995

Hundreds of scalable, flexible and cost effective deployments across the globe

More Information

PCAOB: http://pcaobus.org/Standards/Auditing/Pages/AU316_61.aspx

ISACA: https://www.isaca.org/Pages/default.aspx?cid=1000270&Appeal=SEM&gclid=CIzUz6Lr570CFYdFMgod6XkALA

Gartner, “Survey Analysis: IT Compliance and Audit, 2013”: http://www.gartner.com/document/2613715

Association of Chartered Certified Accountants, “Big Data: Its Power and Perils”: http://www.accaglobal.com/bigdata

What is an Integrated Audit? http://rmas.fad.harvard.edu/faq/what-integrated-audit

Financials & GRC 2014: http://www.sap.com/pc/analytics/governance-risk-compliance/software/overview/highlights.html

Contact Information

For more information:

www.dolphin-corp.com

513.600.9718

Audit Glossary

PCAOB: Public Company Accounting Oversight Board

SOX: Sarbanes-Oxley

PII: Personally Identifiable Information

PIPEDA: Personal Information Protection and Electronic Documents Act

PHIA: Personal Health Information Act

HIPPA: Health Information Protection Act (USA HIPAA)

PCI DSS: Payment Card Industry Data Security

Disclaimer

SAP, R/3, mySAP, mySAP.com, SAP NetWeaver®, Duet®, PartnerEdge, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Dolphin Enterprise Solutions Corporation is neither owned nor controlled by SAP.

Evaluate This Session

Provide feedback via this short survey

bit.ly/ASUG14

Provide event feedback in the same survey