This document provides information about DynaFlow, a company that provides software to help organizations manage governance, risk, and compliance (GRC). It discusses DynaFlow's profile, services, and how its software supports GRC/ERM activities like risk management, compliance, segregation of duties, and internal controls. The software includes pre-defined controls and risks libraries, automated control testing, dashboards for monitoring risks and controls, and integration with various enterprise applications.
2. Contact Information
•Dan Aldridge, CEO Performa Apps
•e-mail: dan.aldridge@i-app.com
•website: www.inforln.com/wp
•linkedin: Dan Aldridge
•twitter: @Danaldridge1
3. Agenda
Introduction DynaFlow
Governance Risk & Compliance / Enterprise Risk Management
Segregation of Duties for Baan / LN
Impact on ERP implementation
Contact details:
Aart de Glint
adeglint@dynaflow-solutions.com
Phone +31 318 479712
Mobile +31 654 392046
4. DynaFlow Profile
Main Facts:
Established in 1997
Private company HQ in Canada
Partners in USA, France, Netherlands, Norway, India, Thailand and Australia
Main mission:
To enable global companies to become “Simply in Control” by proactively
managing enterprise risks, demonstrating compliance and automating and
optimizing business processes.
Dedicated to providing its clients a fast ROI through a short and structured
implementation
Professional Services:
Implementation and Training
Compliance & Audit Support
Process Optimization
Solution Hosting Services
9. Regulation - The Hot Potato
Loi sur La Sécurité Financière (LSF)
SAS-70
SOX
C-SOX
J-SOX
‘Euro-SOX’
Code Tabaksblat
Code Lippens
8th EU Directive
Clinger Cohen
21 CFR Part 11
IFRS
Basel-II
BilMoG
10. Governance, Risk Management & Compliance
Governance
describes the overall management approach through which senior executives direct and
control the entire organization, using a combination of management information and
hierarchical management control structures. Governance activities ensure that critical
management information reaching the executive team is sufficiently complete, accurate and
timely to enable appropriate management decision making, and provide the control
mechanisms to ensure that strategies, directions and instructions from management are
carried out systematically and effectively.
Risk management
is the set of processes through which management identifies, analyzes, and, where
necessary, responds appropriately to risks that might adversely affect realization of the
organization's business objectives. The response to risks typically depends on their perceived
gravity, and involves controlling, avoiding, accepting or transferring them to a third party.
Whereas organizations routinely manage a wide range of risks (e.g. technological risks,
commercial/financial risks, information security risks etc.), external legal and regulatory
compliance risks are arguably the key issue in GRC.
Compliance
means conforming with stated requirements. At an organizational level, it is achieved through
management processes which identify the applicable requirements (defined for example in
laws, regulations, contracts, strategies and policies), assess the state of compliance, assess
the risks and potential costs of non-compliance against the projected expenses to achieve
compliance, and hence prioritize, fund and initiate any corrective actions deemed
necessary.
11. GRC/ERM Support at all levels
Levels of the GRC model: Strategic, Tactical, Operational
•Policy
•Enterprise Risk Management (Strategic)
•Integrated Compliance Frameworks
•Consolidated Dashboards (Control Statements)
•Procedures
•Process Risk Analysis (Tactical)
•Process & Internal Control Design & Maintenance
•Review (workflow)
•Monitoring Efficiency of Internal Controls
•Embedded testing & test evidence
•Document Management System
•KPI/”In Control” reports
Continuous monitoring (Review, Test) as part of the normal business processes: Purchasing, Warehouse Management, Manufacturing, Sales & Distribution
12. Compliance – Why is this important
Regulation
Corporate & Executive Responsibility & Liability
Fear of Reputation Damage
Tightened Credit Lines
Premium Insurance Fees
Policy Interpretation
Implementation Cost
Overhead
Audit Cost
13. From Regulation to Compliance
Regulations: SOX, HIPAA, BASEL II, etc.
Framework: ERM, COSO-II, COBIT, ...
Policy & Procedure Implementation
Business Risks
Business Controls:
- Information delivery
- Resource access and use
- Risk mitigation
- ...
Evidence Collection
Demonstration of Compliance
Control life cycle: establish, document, test, audit
Scope: People, Processes, Technology, Facilities, Data
14. SOX Section 404 – Internal Control
Assessment of internal control
“The most contentious aspect of SOX is Section 404,
which requires management and the external auditor to
report on the adequacy of the company's internal
control over financial reporting (ICFR). This is the
most costly aspect of the legislation for companies to
implement, as documenting and testing important
financial manual and automated controls requires
enormous effort.”
http://www.heritage.org/CDA/upload/SOX-CDA-edited-3.pdf
15. SOX Internal Control Requirements
1. Documentation
   Detailed process description
   Process flowchart (preferable)
   Business risk assessments
   Risk Control Matrix (RCM)
2. Testing
   Annual walkthrough of each process
   Testing of key controls
3. Periodic Reviews
   Review of process steps and controls
   Updating of all documentation
4. Annual External IC Audit
   Essentially an external validation that steps 1 through 3 above were actually carried out. The auditor works from predefined checklists.
16. Risk / Control Matrix
Example key controls (purchase-to-pay and inventory):

- All non-PO invoices received at month end are entered into the system within 3 days of month-end to ensure proper inclusion into Accounts Payable.
- For production invoices, invoices can only be entered into the system for automatic matching if a valid PO and receipt are already in the system. The system populates the invoice price and due date information from the PO information.
- All unmatched PO invoices are forwarded to purchasing for follow-up.
- All purchase orders and non-PO invoices are reviewed, including ledger account coding, and are authorized in accordance with company policy.
- Cycle counts that result in a difference from perpetual quantity outside limits set by company policy are reviewed; items with a variance deemed to be material are recounted.

RISK / CONTROL MATRIX
Controls (columns): ACP-C01, ACP-C04, ACP-C16, PUR-C11, INV-C18

Risk | Risk question | Auditor assertion | Controls mapped
R007 | What ensures that purchases are recorded into the proper accounting period? | Completeness | PC
R011 | What ensures that invoice prices, quantities and other valuation information are correct? | Completeness, E/O, M/V | PC, PC
R042 | What ensures that duplicate and/or fictitious purchases are not recorded? | Existence/Occurrence | PC, PC
R075 | What ensures that perpetual inventory records reflect proper quantities and amounts? | Existence/Occurrence | PC, DC
R079 | What ensures that perpetual-to-physical inventory adjustments are correctly calculated and recorded? | Completeness, Measurement/Valuation | DC
R093 | What ensures that inventory counts, compilations and descriptions are accurate? | Measurement/Valuation | DC

PC = Preventive Control
DC = Detective Control
17. Enterprise Risk Management (ERM/GRC)
The key pains & challenges:
Extra burden “on top” of running the company
Draining resources from critical projects
Absence of clear and documented guidelines
Absence of automation
Cannot be postponed (scheduled audits)
Cost (with NO tangible ROI)
The proposed approach & resolution:
Leverage pre-defined knowledge via libraries
Avoid multiple partial systems (and integration burden)
Automate tedious, high-volume tasks as much as possible
18. How DynaFlow supports ERM/GRC
Business Risks & Business Controls Library
2,500+ pre-defined Controls, Risks and relationships
Certified Best Practices / Benchmark
For all regional & industry specific regulations
(SOX, Basel-II, L262, FDA, HIPAA, IFRS, ISO, etc…)
To address all auditing/auditors requirements
Automated Business Control Execution
Testing Schedules with automated notification & testing
Real-time monitoring & alerts for testers and Mgmt
Evidence Collection & audit trail
Dynamic Risk and Business Control Monitoring
Key Performance & Risks Indicators Dashboard (+ mobile)
Audit Support
Combination of Solution, Libraries and Services
20. Segregation of Duties (SoD)
The key pains & challenges:
Now a Critical Business Control for ALL organizations
Involves large volume of data
(i.e. Typical = 200,000+ authorizations in Baan alone)
Need to be done across Systems (ERP) and for ALL
access types
Is a recurring process due to constant changes
The proposed approach & resolution:
Automation, automation and automation!
26. The LN / Baan SoD Rules Library
Introduced in 2005
Required 2 years initial development, and is updated regularly
Content and design validated by CFO, Controllers, SOX
Senior Consultants, Baan Specialists, etc...
Covers all Baan versions (Triton, Baan IV, ERP-5, LN)
Compliant with Baan Tools and DEM authorizations
Verify 22,000+ Baan session combinations for SoD violations
(with violation rating) to validate 400+ SoD sensitive “zones”
Auditors such as E&Y, KPMG, D&T, PWC and Grant Thornton
validated the completeness and accuracy of the Baan SoD Rules
by successfully certifying all EZ-Compliance clients as
SoD/SOX compliant.
27. EZ-Compliance Automated SoD Scan
Inputs imported: Employees, Roles, Corp-wide Applications, Business Controls, Business Processes (imports from DEM, Visio, LDAP, ERP and Oracle)
(1) Access Scan: builds the Employee / Applications Access List
(2) Conflict Scan: applies the SoD Conflict Rules (SoD Library, linked to Business Risks) to produce the SOX – SoD Conflicts List
(3) Resolution Scan: applies the SoD Resolution Rules and Mitigation Controls to produce the Mitigated Conflicts List
28. SoD Conflicting Areas Matrix
Matrix view of conflicting business areas; clicking a cell shows the detailed business functions and the conflicts found.
29. The automated SoD cycle
1. Import of updated authorizations from all Enterprise Applications (ERP import, weekly or daily)
2. Identification of SoD conflicts & related business risks
3. Resolution of conflicts with known patterns
4. Investigation, resolution and mitigation of SoD risks
5. Notification of new conflicts to internal audit team and/or process owners
Result: 90%+ reduction of effort & cost
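The cycle above (import authorizations, detect conflicts, resolve with known patterns, notify what is new) and the detective/preventive validation on the next slide can be shown concretely. The following is an added example, not DynaFlow or EZ-Compliance code: business functions are sets of ERP sessions, roles grant sessions, users hold roles, and a rule library names pairs of functions that must not be held by one person, each with a violation rating. A conflict covered by an assigned mitigating control is reported as mitigated rather than open; conflicts absent from the previous scan are the ones to notify; and a what-if check evaluates a proposed role grant before it is provisioned. All session codes, role names, rule IDs and users are hypothetical.

```python
"""Automated SoD conflict scan over constructed authorization data.

Added example, not DynaFlow/EZ-Compliance code. Models the scan cycle from
the deck: import user -> role -> session assignments, detect users holding
sessions on both sides of a conflicting-function rule, mark conflicts that
have an assigned mitigation control as resolved, report conflicts new since
the previous scan, and run a preventive "what if" for a role change.
Session codes, roles, rule IDs and users are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Business functions expressed as sets of ERP sessions (hypothetical codes).
FUNCTIONS: Dict[str, Set[str]] = {
    "vendor_maintain": {"SUP010", "SUP020"},   # create/change supplier master
    "po_create":       {"PUR100"},             # enter purchase orders
    "goods_receipt":   {"WHS300"},             # confirm receipts
    "invoice_entry":   {"ACP200"},             # enter purchase invoices
    "payment_run":     {"CMG400", "CMG410"},   # release/execute payments
}

# Roles grant sessions; users hold roles (what an LDAP/ERP import yields).
ROLES: Dict[str, Set[str]] = {
    "SUPPLIER_MASTER": {"SUP010", "SUP020"},
    "BUYER":           {"PUR100"},
    "WAREHOUSE":       {"WHS300"},
    "AP_CLERK":        {"ACP200"},
    "TREASURY":        {"CMG400", "CMG410"},
}
USERS: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK", "TREASURY"},
    "bob":   {"BUYER", "WAREHOUSE"},
    "carol": {"BUYER"},
    "dave":  {"SUPPLIER_MASTER", "TREASURY"},
}


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    func_a: str
    func_b: str
    rating: str     # violation rating
    risk: str       # related business risk


RULES: List[SodRule] = [
    SodRule("SOD-01", "vendor_maintain", "payment_run", "high", "fictitious vendor is paid"),
    SodRule("SOD-02", "po_create", "goods_receipt", "medium", "goods received against own order"),
    SodRule("SOD-03", "invoice_entry", "payment_run", "high", "fictitious or duplicate invoice is paid"),
]

# Resolution pattern: a (user, rule) pair with an assigned mitigating control
# is reported as mitigated instead of open.
MITIGATIONS: Dict[Tuple[str, str], str] = {
    ("bob", "SOD-02"): "monthly review of receipts against POs by purchasing manager",
}


@dataclass(frozen=True)
class Conflict:
    user: str
    rule_id: str
    rating: str
    status: str                  # "open" or "mitigated"
    sessions: Tuple[str, ...]    # the sessions that together create the conflict


def effective_sessions(user: str, users: Dict[str, Set[str]], roles: Dict[str, Set[str]]) -> Set[str]:
    """Flatten a user's roles into the sessions the user can actually run."""
    return set().union(*(roles.get(r, set()) for r in users.get(user, set())))


def scan(users: Dict[str, Set[str]], roles: Dict[str, Set[str]],
         rules: List[SodRule] = RULES, mitigations: Dict[Tuple[str, str], str] = MITIGATIONS) -> List[Conflict]:
    """Detective validation: every (user, rule) where the user holds at least
    one session from each side of the rule."""
    found: List[Conflict] = []
    for user in sorted(users):
        sessions = effective_sessions(user, users, roles)
        for rule in rules:
            hit_a = sessions & FUNCTIONS[rule.func_a]
            hit_b = sessions & FUNCTIONS[rule.func_b]
            if hit_a and hit_b:
                status = "mitigated" if (user, rule.rule_id) in mitigations else "open"
                found.append(Conflict(user, rule.rule_id, rule.rating, status, tuple(sorted(hit_a | hit_b))))
    return found


def new_conflicts(current: List[Conflict], previous: List[Conflict]) -> Set[Tuple[str, str]]:
    """(user, rule) pairs absent from the previous scan: the ones to notify
    to internal audit and/or the process owners."""
    seen = {(c.user, c.rule_id) for c in previous}
    return {(c.user, c.rule_id) for c in current if (c.user, c.rule_id) not in seen}


def what_if_add_role(user: str, role: str, users: Dict[str, Set[str]], roles: Dict[str, Set[str]]) -> Set[Tuple[str, str]]:
    """Preventive validation: conflicts a proposed role grant would create.
    Works on a copy so the live assignments are not modified."""
    proposed = {u: set(r) for u, r in users.items()}
    proposed.setdefault(user, set()).add(role)
    before = {(c.user, c.rule_id) for c in scan(users, roles)}
    return {(c.user, c.rule_id) for c in scan(proposed, roles)} - before


if __name__ == "__main__":
    previous = [Conflict("alice", "SOD-03", "high", "open", ("ACP200", "CMG400", "CMG410")),
                Conflict("bob", "SOD-02", "medium", "mitigated", ("PUR100", "WHS300"))]
    current = scan(USERS, ROLES)
    for c in current:
        print(f"{c.user:6} {c.rule_id} {c.rating:6} {c.status:9} via {', '.join(c.sessions)}")
    print("new since last scan:", new_conflicts(current, previous))
    print("what if carol gets WAREHOUSE:", what_if_add_role("carol", "WAREHOUSE", USERS, ROLES))
```

Two points the deck's numbers (200,000+ authorizations, 22,000+ session combinations) imply: the check has to run on the flattened effective access, not on role names, because a conflict is typically created by the combination of two individually harmless roles; and a mitigation only neutralises the specific (user, rule) pair it was assigned for, so it is recorded against that pair rather than switching the rule off globally.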
30. How DynaFlow supports SoD
Access/Authorization Mgmt
Cross-systems authorizations (who is accessing what?)
Periodic Access Reviews
SoD Conflicts Identification
Detective validation (what accesses constitute risks?)
Preventive validation (what is the impact if we change …?)
SoD Conflicts Resolution
Automated resolution/mitigation using pattern rules
SoD Conflicts Monitoring & Alerts
Self-generated SoD Matrix with dynamic alerts
Key Performance & Risks Indicators Dashboard (+ mobile)
31. Segregation of Duties (SoD)
What you gain with DynaFlow:
Cross-ERP Integration (SAP, Oracle, Baan, Mapics, ...)
Bottled Best Practices:
Fully automated Segregation-of-Duties (SoD) Rules
Pre-Defined SoD Libraries available for Baan, SAP, Oracle,
etc...
In line with external auditors to secure successful
certification
Detective and also Preventative
Fully automated SoD validation
90% reduction on implementation cost & effort
50% reduction on auditing cost
100% Successful SoD Audit
Simplified insight in all user authorizations
35. DynaFlow Solution Overview
Transaction Systems Base: Financial (Oracle, etc), ERP (SAP, Baan, Mapics, etc), Office Apps (MS, Email, VPN, etc)
Business Controls Checks
Process Modeling and Business Controls Definition
Process & Knowledge Publishing
Process Automation
Automated Alerts & Notifications
Dashboards: Employee Process Dashboard, Modeler and Auditor Dashboard, Management Dashboard
Dynamic KCI & Issues Escalation
Process Optimization & Monitoring
Dynamic KPI & BI Analytics
BPM Reporting
36. Critical Capabilities Definition ERM & C
Audit Management
Supports internal auditors in planning and scheduling audit-related tasks, time management, managing work papers,
risk assessments, control testing, remediation management and reporting.
Risk Management, General
Supports risk management professionals with the documentation, workflow, assessment and analysis, reporting,
visualization, and remediation of risks. Analytics are mostly qualitative with a limited loss event analysis capability that
is not dependent on stochastic analysis. It does not include stochastic analysis, but it may collect data from stochastic
risk analytics tools to provide a consolidated view of enterprise risk management.
Risk Management, Stochastic
Involves stochastic analysis, such as Monte Carlo simulation. Examples include banks that require highly specialized
capabilities for Basel II capital calculations and companies that must support project risk assessments of long-term
asset investments, such as mining and oil and gas. Only a few EGRC platform vendors directly support these
stochastic analysis needs organically or through an OEM partnership.
Compliance Management
Supports compliance professionals with the documentation, workflow, reporting and visualization of control objectives,
controls and associated risks, surveys and self-assessments, testing, and remediation. At a minimum, EGRC
management not only will include financial reporting compliance (Sarbanes-Oxley compliance), but also can support
other types of compliance, such as ISO 9000, Payment Card Industry, industry-specific regulations, service-level
agreements, trading partner requirements and compliance with internal policies.
Policy Management
Includes a specialized form of document management that enables the policy life cycle from creation to review, change
and archiving of policies; mapping of policies to mandates and business objectives in one direction, and risks and
controls in another; and distribution to and attestation by employees and business partners.
GRC Content
Includes many different kinds of content relative to GRC activities. Examples include regulatory analysis and news
feeds, standards and frameworks, draft testing and risk assessments, and draft policies.
Business Analytics
Supports the ability to analyze the impact of risks on business objectives, performance and processes.
Gartner, Inc: 30 November 2010/ID Number: G00208665
37. DynaFlow simplification
Regulations: SOX, HIPAA, BASEL II, etc.
Framework: COSO-II, COBIT, ...
Policy & Procedure Implementation
Business Risks
Business Controls:
- Information delivery
- Resource access and use
- Risk mitigation
- ...
Evidence Collection
Demonstration of Compliance (Web Portal)
Control life cycle: establish, document, test, audit
Scope: People, Processes, Technology, Facilities, Data

DynaFlow modules supporting the above:
Business Control Libraries
Business Risk Libraries
Compliance Program Mgmt.
Compliance Change Mgmt.
Compliance Issue Mgmt.
Compliance Access & SoD Mgmt.
Document Mgmt.
Audit Trail
Cross-ERP Integration & Mapping
Operational Risk Monitoring
eBook Generation