Conteliga Implementation

Controls are defined in the Control Framework and approved by management. Conteliga supports the implementation, automation and monitoring of controls. Conteliga furthermore provides several control repositories for the fast implementation and challenge of controls.

Control Framework

Internal Control is a process that provides reasonable assurance over the effectiveness and efficiency of operations, the reliability of financial reporting and compliance with applicable laws and regulations such as SOX, Euro-SOX or the Swiss Auditing Law.

Companies need to define a control and risk management framework aligned with their individual strategies and objectives in order to meet such requirements. An efficient (automated) risk-based implementation of controls is not possible without an Internal Control System. The big challenge for companies is the implementation of an integrated control system that supports cross-application and cross-functional control monitoring in real time.

Risk and Control Assessment

Risks result from a 'protection requirement analysis' of physical or informational company assets and are classified by threat, likelihood and financial impact. Regulatory requirements focus on financial reporting risks.

Management needs to define clear financial reporting objectives to enable the identification of risks and to select appropriate risk responses such as avoidance, acceptance or reduction of risk. The result is a set of actions aligning risks with the entity's individual risk tolerances.

The Conteliga tool concept explicitly follows this approach by providing a risk-based solution that links risks to sets of controls. Risks can be classified by risk criticality, likelihood or financial impact.

Key Controls & Key Application

Controls are all measures that protect company assets. They are derived from the agreed set of actions resulting from the risk assessment and classified by cost and effectiveness in addressing risks. The determination of key controls and key applications depends on the risk criticality. The challenge is to translate the set of actions into concrete controls, considering the company organization, business processes and the impacted system landscape.

The Conteliga tool concept allows the definition of all types of controls, such as access and authorization controls, process controls, segregation of duties (SoD) controls, general computing controls and system configuration controls, in a cross-application and cross-functional environment.

Information & Communication

The enterprise-wide communication of the company's corporate governance, internal control and security directives is a necessity to enable personnel to take over their internal control responsibilities. It leads to a proper understanding of internal control objectives and processes at all levels throughout the organization. Documentation, procedures, handbooks and operating instructions are valid and cost-effective instruments.

The Conteliga tool concept offers ownership models to support and automate internal control processes. Approval and alerting workflows facilitate the communication of control and risk status in an efficient and audit-traceable way.

Monitoring

Continuous monitoring of controls is needed to ensure that internal control is operating effectively. Monitoring is effective when internal control weaknesses are identified, communicated and corrected in a timely manner. From a regulator's point of view, ongoing monitoring is an important instrument for management to determine whether controls over financial reporting continue to function over time.

Conteliga provides process-related, risk-based reporting and alerting functionalities in real time, considering the criticality of risks, ownership models and escalation paths.

Control Implementation

The control implementation phase enables responsible personnel to understand existing end-to-end processes and related risks, drives the definition of ownership models towards clear responsibilities and accountabilities, and pushes the 'cleaning' of existing non-compliances.

The Conteliga technical framework supports this phase by delivering immediate simulation results with real data. These results are used to challenge the agreed set of actions and to mitigate residual risks by implementing compensating controls or redefining organizational responsibilities.

SoD Rule Set

Conteliga provides a generic multi-dimensional SoD rules framework. SoD rules can be defined between authorization objects, transactions and roles, or even between groups of transactions or roles. This significantly reduces the number of SoD rules and simplifies the administration and maintenance effort.

Conteliga supports the definition of cross-application SoD rules, such as conflicts between SAP roles and Oracle profiles. This creates simple and transparent end-to-end cross-application access control monitoring. Any change to the SoD rule sets is tracked and a complete change history is provided.

The Conteliga technical framework delivers several control repositories, e.g. for sensitive user access, general computing controls or SAP configuration settings. Control repositories speed up the mitigation of residual risks and help to challenge control definitions against market best practices.

Simulation Rules & Authorization

Conteliga monitors enterprise-wide SoD conflicts and user access to sensitive transactions or profiles in a heterogeneous system landscape. It highlights SoD conflicts on demand and provides scheduled or ad hoc simulations on user and role level. Simulations can be integrated in workflows and linked to alerting engines, for example the simulation of SoD conflicts within the user provisioning workflow.
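The following is an added illustration of the multi-dimensional rule idea described in the SoD Rule Set and Simulation sections above (and of the design-time role check mentioned under Enterprise Role Management). It is not Conteliga's code. Rules are written at transaction, role or group level; group rules are resolved down to privileges so that a conflict is found no matter which roles, in which application, contribute the two sides. Every role name, transaction, Oracle profile and user below is a constructed placeholder.

```python
# Added example, not Conteliga's code: a small multi-dimensional SoD engine.
# Rules are written at transaction, role or group level; a group rule stands
# in for |A| x |B| transaction-level rules. All role, transaction and user
# data below is constructed for illustration (placeholder names).

# role -> privileges it grants; SAP roles and Oracle profiles share one namespace
ROLE_TX = {
    "SAP:Z_AP_INVOICE":     {"FB60", "MIRO"},     # post vendor invoices
    "SAP:Z_AP_PAYMENT":     {"F110"},             # run the payment program
    "SAP:Z_VENDOR_MAINT":   {"XK01", "XK02"},     # create / change vendor master
    "SAP:Z_DISPLAY_ONLY":   {"FB03", "XK03"},     # display only
    "SAP:Z_AP_ALL":         {"FB60", "F110"},     # badly designed role (constructed)
    "ORA:AP_PAYMENT_ADMIN": {"ORA_AP_PAY"},       # Oracle payment profile (placeholder)
}

# named groups of privileges; the PAY_VENDOR group spans two applications
GROUPS = {
    "CREATE_VENDOR": {"XK01", "XK02"},
    "POST_INVOICE":  {"FB60", "MIRO"},
    "PAY_VENDOR":    {"F110", "ORA_AP_PAY"},
}

# (rule id, level, left, right, criticality); level is "tx", "role" or "group"
RULES = [
    ("SOD-001", "group", "CREATE_VENDOR",    "PAY_VENDOR",         "high"),
    ("SOD-002", "group", "POST_INVOICE",     "PAY_VENDOR",         "high"),
    ("SOD-003", "role",  "SAP:Z_AP_INVOICE", "SAP:Z_VENDOR_MAINT", "medium"),
]

USERS = {
    "u.alice": {"SAP:Z_AP_INVOICE", "SAP:Z_DISPLAY_ONLY"},
    "u.bob":   {"SAP:Z_VENDOR_MAINT", "ORA:AP_PAYMENT_ADMIN"},
}


def user_privileges(roles):
    """Resolve a set of roles (from any application) to the privileges they grant."""
    privs = set()
    for role in roles:
        privs |= ROLE_TX.get(role, set())
    return privs


def evaluate(roles):
    """Return [(rule_id, criticality, (left_evidence, right_evidence))] for a role set.

    Role-level rules fire on role membership; tx- and group-level rules are
    resolved to privileges, so the conflict is found regardless of which
    roles (or which application) contributed each side.
    """
    roles = set(roles)
    privs = user_privileges(roles)
    findings = []
    for rule_id, level, left, right, crit in RULES:
        if level == "role":
            if left in roles and right in roles:
                findings.append((rule_id, crit, ([left], [right])))
            continue
        lhs, rhs = ({left}, {right}) if level == "tx" else (GROUPS[left], GROUPS[right])
        hit_l, hit_r = lhs & privs, rhs & privs
        if hit_l and hit_r:
            findings.append((rule_id, crit, (sorted(hit_l), sorted(hit_r))))
    return findings


def simulate_assignment(user, new_role):
    """Provisioning-time simulation: rules that adding new_role would newly violate."""
    before = {f[0] for f in evaluate(USERS[user])}
    return [f for f in evaluate(USERS[user] | {new_role}) if f[0] not in before]


def role_self_conflicts(role):
    """Design-time check: a single role that violates a rule on its own."""
    return evaluate({role})


if __name__ == "__main__":
    for user, roles in USERS.items():
        print(user, evaluate(roles))
    print("alice + Z_AP_PAYMENT:", simulate_assignment("u.alice", "SAP:Z_AP_PAYMENT"))
    print("Z_AP_ALL self-conflict:", role_self_conflicts("SAP:Z_AP_ALL"))
```

Running it shows u.bob in a cross-application conflict (vendor maintenance in SAP, payment in Oracle) under one group rule, a provisioning request for u.alice that would be blocked before approval, and a role that already violates SOD-002 by itself and so should never leave the development system.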

Conteliga monitors general and specific IT computing controls and configurable system settings with a transparent baseline concept. Changes to this baseline are tracked and a change history is created. When unauthorized or inappropriate changes occur, alerts are automatically sent to the risk or control owner.
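The baseline concept from the paragraph above, as an added example that is not Conteliga's code: approved values are held as a baseline, a live snapshot is compared against it, every delta goes into a change history, and deltas without an approval ticket are routed as alerts to a control owner. The parameter names are real SAP profile parameters; all values, the ticket number, the owners and the timestamps are constructed.

```python
# Added example, not Conteliga's code: baseline drift detection for
# configurable system settings with change history and owner routing.
# Parameter names are real SAP profile parameters; every value, ticket,
# owner and timestamp below is constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Change:
    parameter: str
    old: Optional[str]          # None -> parameter was absent from the baseline
    new: Optional[str]          # None -> parameter has been removed from the system
    observed_at: str
    authorized: bool
    ticket: Optional[str] = None


@dataclass
class Baseline:
    values: Dict[str, str]
    owner_of: Dict[str, str]    # parameter prefix -> control owner
    default_owner: str
    history: List[Change] = field(default_factory=list)

    def compare(self, current, authorized, observed_at):
        """Diff live values against the baseline.

        Every delta is appended to the change history. A delta backed by an
        approval ticket becomes the new baseline; any other delta is returned
        as an alert and is reported again on every run until it is reverted
        or approved.
        """
        alerts = []
        for param in sorted(self.values.keys() | current.keys()):
            old, new = self.values.get(param), current.get(param)
            if old == new:
                continue
            ticket = authorized.get((param, new))
            change = Change(param, old, new, observed_at, ticket is not None, ticket)
            self.history.append(change)
            if ticket is None:
                alerts.append(change)
            elif new is None:
                self.values.pop(param, None)   # approved removal
            else:
                self.values[param] = new        # approved new value
        return alerts

    def owner(self, param):
        for prefix, owner in self.owner_of.items():
            if param.startswith(prefix):
                return owner
        return self.default_owner

    def route(self, alerts):
        """Group alert parameters by the control owner who must revert or approve them."""
        routed = {}
        for change in alerts:
            routed.setdefault(self.owner(change.parameter), []).append(change.parameter)
        return routed


# constructed approved baseline and ownership (placeholders)
BASELINE_VALUES = {
    "login/min_password_lng":   "12",
    "login/fails_to_user_lock": "5",
    "rdisp/gui_auto_logout":    "900",
    "auth/rfc_authority_check": "1",
}
OWNERS = {"login/": "iam.control.owner", "auth/": "basis.control.owner"}

# constructed snapshot of the live system
CURRENT_VALUES = {
    "login/min_password_lng":   "8",      # weakened without a ticket
    "login/fails_to_user_lock": "5",      # unchanged
    "rdisp/gui_auto_logout":    "1800",   # changed under an approved ticket
    # auth/rfc_authority_check has been removed without a ticket
}
AUTHORIZED_CHANGES = {("rdisp/gui_auto_logout", "1800"): "CHG-1042"}   # constructed


def run_check(observed_at="2013-06-01T08:00:00Z"):
    """One monitoring run against the constructed snapshot; returns (baseline, alerts)."""
    baseline = Baseline(dict(BASELINE_VALUES), OWNERS, "ciso")
    alerts = baseline.compare(CURRENT_VALUES, AUTHORIZED_CHANGES, observed_at)
    return baseline, alerts


if __name__ == "__main__":
    baseline, alerts = run_check()
    for change in baseline.history:
        print(change)
    print("route:", baseline.route(alerts))
```

Folding an approved change into the baseline is a design choice: it keeps the approval ticket in the history as the evidence for the new value, while an unapproved deviation is deliberately raised on every run rather than silently becoming the new normal.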

Naming Conventions & Code Analyser

A properly defined naming convention on role level decreases maintenance costs and creates transparency for business owners. Conteliga offers a generic solution to define individual naming conventions for any development object, such as roles, tables, programs or transactions. Naming conventions can be enforced for any SAP transport. This significantly increases the maintainability of SAP applications.

The Conteliga Code Analyser helps to detect potential compliance violations in custom ABAP developments, e.g. when a custom program provides access to sensitive transactions or to sensitive authorization objects.

User Tracing & Tracking

Conteliga traces, monitors and logs every transaction and SQL statement executed during a user session for marked or privileged users. Executed sensitive transactions are highlighted in the log report. The results of the user tracing can be integrated in automatic approval and alerting workflows.

Conteliga collects data on unused or rarely used transactions, roles or user accounts for all users and supports role optimization activities for efficient license management and reverse business engineering.

Control Automation

The control automation phase generates cost advantages by reducing operational costs for maintenance or helpdesk support. Automation means the replacement of manual, detective control activities by automated, preventive controls.

The Conteliga technical framework is built to support the automation of controls and processes at a very early stage of a GRC project. Experience has shown that implementing workflows that automate user access provisioning, password reset or extended user access management creates stakeholder acceptance and overall project support.

Enterprise Role Management

Conteliga enforces compliance with SoD rule sets, naming conventions and design standards on role level at design time. Transports of non-compliant development objects (such as roles) from the development system to the test or production system are systematically blocked. The direct creation of roles or user access in the production environment triggers an escalation workflow.

This preventive strategy facilitates role compliance monitoring and ensures compliance on role level without the use of time-consuming role creation wizards. Such wizards could be activated, for example, in case the responsibility for role creation is shifted to the business. Technical experts only lose time using role creation wizards.

Automated User Provisioning

Conteliga offers an approval workflow for the creation of user access at run time. Authorized access requestors can assign roles via search functionalities or by copying the role assignments of other users. The user access request is checked against the SoD rule sets and needs to be confirmed by the process owners. After approval, roles are automatically provisioned and an audit trail is created.

Conteliga interacts with the SAP HR module in order to use this information for deputy management or for the automated initiation of requests for employees leaving the company ('leavers') or changing department within the same company ('movers').

Automated Mitigation Controls

Conteliga has an SAP-integrated workflow engine. This engine allows the definition and implementation of individual workflows, e.g. for annual review and validation activities or for the definition and execution monitoring of compensating controls.

The Conteliga workflow engine can also be used to define individual workflows for process automation, such as invoice approval, or for process control, such as master data management. Workflows can be scheduled for regular approvals; standard reports and alerting functionalities are available. The use of the SAP Content Server as well as interfaces to other content management platforms such as 'Documentum' or SAP Business Warehouse is supported.

Compliant Privilege Management

Conteliga provides a solution for the compliant management of extended user access. Changes down to field level are automatically tracked in an audit log, and the use of sensitive transactions is highlighted. After the extended access session, the audit log is sent to the process owners for sign-off. In case of inconsistencies or inappropriate use of extended user access, emergency workflows can be triggered.

This solution speeds up emergency response and reduces the time business users need to perform critical tasks. Conteliga provides a strategy that enables users to work with their own ID. Multiple use of emergency access is possible without losing compliance.

Continuous Control

The continuous controls phase activates ongoing reporting and monitoring functionalities. The focus is on challenging control effectiveness and identifying control weaknesses, with the goal of providing indications about the achievement of the organization's objectives and of simplifying audit preparation activities.

The Conteliga technical framework supports several monitoring and reporting strategies, such as sending control failure reports or creating 'ad hoc' reports on demand. It is possible to integrate the risk or control reporting in existing SAP-integrated reporting systems such as SAP BW. Conteliga also supports SAP DynPro for browser-based reporting solutions.

Management Reports & Dashboards

Conteliga offers owner-specific reporting solutions summarizing and aggregating control failures or risk occurrences per control type and impacted business process. Reports can be generated in different formats such as 'pdf' or 'Excel' and can be scheduled, created on demand or triggered by an actual control failure / risk occurrence. It is possible to customize report owners and receivers and to control access to this information via the standard SAP security model. A report history is provided.

Conteliga furthermore supports the definition of individual management and security dashboards. This requires customizing effort during a GRC project and depends on the existing SAP environment.

Alerting Monitor Control Execution

Controls can be defined cross-application and down to the level of field values. Conteliga provides an alerting engine which can easily be integrated in any workflow and for any type of control. Example from the Procure-to-Pay process: alerting on a change to the total amount of an already approved purchase order by more than 5%. An exception report is created and automatically sent to the process owner with a request for approval.

It is also possible to monitor control executions, such as the timely upload of evidence or the execution of regular validation tasks. If such tasks are neglected, emergency alerts are sent for follow-up.

Internal Audit Monitor Governance

The main objectives of Conteliga are the reduction of the cost of compliance, support for the enterprise-wide communication of control directives and efficient ongoing monitoring of the defined directives. Documentation, procedures, handbooks and operating instructions are valid and cost-effective instruments enforcing manual controls.

During a GRC project such directives, procedures and handbooks can be integrated in Conteliga. This approach ensures the centralization of control and security directives and the automation and monitoring of control execution within a clearly defined ownership model. Individual dashboards for Internal Control, Internal Security or external auditors can be developed and implemented.

Individual Drill Down Reports

For further analysis Conteliga provides drill-down reports that trace control failures to their root causes. Such reports help process owners to understand business processes and control failures and to improve control automation by excluding 'false positives'. Experience has shown that such drill-down reports are a necessity, in particular for segregation of duties controls.

Conteliga also supports the customizing and development of further individual drill-down reports during a GRC project if required.

© Conteliga GmbH 2013 | Berninastr. 8 | CH-5430 Wettingen
Tel.: +41 78 73 79 303 | contact@conteliga.com
www.conteliga.com