The Basic Standard for Enterprise Internal Control (China – SOX)

SAP Point of View: Value Creation through Compliance with The Basic Standard for Enterprise Internal Control (C-SOX)

November, 2009

Value Creation Through China SOX Compliance



SAP Statement of Confidentiality and Exceptions

The contents of this document shall remain the confidential property of SAP and may not be communicated to any other party without the prior written approval of SAP. This document must not be reproduced in whole or in part. It must not be used other than for evaluation purposes only, except with the prior written consent of SAP and then only on condition that SAP’s and any other copyright notices are included in such reproduction. No information as to the contents or subject matter of this proposal or any part shall be given or communicated in any manner whatsoever to any third party without the prior written consent of SAP.

The furnishing of this document is subject to contract and shall not be construed as an offer or as constituting a binding agreement on the part of SAP to enter into any relationship. SAP provides this document as guidance only to estimate costs and time-scales of the predicted delivery project. This will be subject to confirmation prior to any contractual or delivery commitment by SAP.

SAP warrants that to the best of its knowledge those who prepared this response have taken all reasonable care in preparing it and believe its contents to be true as at the date of this document. SAP cannot however warrant the truth of matters outside of its control and accordingly does not warrant the truth of all statements set out in this document to the extent that such statements derive from facts and matters supplied by other persons to SAP. The statements in this document are qualified accordingly.


Table of Contents

Executive Summary ........................................................................................................... 3

Overview of C-SOX ............................................................................................................ 4

Introduction to C-SOX ............................................................................................. 4

Implications of Compliance ...................................................................................... 7

Opportunity Areas for Compliance ........................................................................... 9

Adoption Trends Based on the US-SOX Experience ............................................. 12

What SAP Is Doing to Enable Compliance with C-SOX ................................................... 15

What Value Can SAP Bring in Enabling Effective Compliance Management? ...... 15

Key Capabilities of the SAP GRC Solution ............................................................ 20

Overview of the Benefits We Expect Organizations to Achieve by Using SAP Solutions ................................................................................................................ 25

The Advantage of SAP Solutions for GRC ............................................................ 27

Customer Success Stories .................................................................................... 28

Summary .......................................................................................................................... 30

References ....................................................................................................................... 31

Appendix .......................................................................................................................... 32

Reduction in SOX Compliance Costs .................................................................... 32


Executive Summary

In China and around the world, businesses today face more regulation, a wider range of stakeholder expectations and more public scrutiny than ever before. Global opportunities and growth bring global corporate governance responsibilities. Capital markets, consumers, pressure groups, employees and governments are a few of those who rightfully hold companies to account for the way in which they define and execute their corporate strategies. As a result, Governance, Risk Management and Compliance (GRC) have never been higher on the Board’s list of priorities. With the release of a circular on The Basic Standard for Enterprise Internal Control (nicknamed China-SOX or C-SOX) in June 2008, this focus on compliance and risk management has reached a crescendo in China. Because these concepts are new, the current state of awareness and readiness to meet the requirements of this regulation leaves much room for improvement in China.

Many organizations around the world have responded to similar regulatory mandates such as US-SOX by implementing disconnected, tactical processes and point solutions that address a single regulation. However, these fragmented efforts can make compliance far more costly and complicated than it needs to be. An organization would need to purchase and deploy multiple GRC applications, one for each enterprise application, and then define risks, set policies, and monitor compliance for each application. At the same time, it would need to find a way to manage countless GRC policies, decisions, and GRC data, data that is likely based on different metrics, standards, software, and methodologies. The resulting complexity can make it impossible to aggregate this data to gain a complete view of organizational risk.

The successful, brand-defining corporate citizens of the future will be those that embed their response to key stakeholder demands into the fabric of their business. This can only be achieved by leaving behind the reactive, project-based approach to regulatory compliance that many companies have followed. By taking a strategic and holistic approach to GRC, companies can achieve competitive advantage and add significant value to their organization.

SAP offers a new approach for monitoring, identifying, and managing risk across the organization, regardless of whether you have already implemented SAP solutions in your organization or not. A true cross-enterprise GRC solution dramatically simplifies management and execution of these activities, making it easy to compile data for a comprehensive perspective on overall exposure, monitor compliance and risk effectively, and adjust business processes to meet changing business and regulatory mandates.

This paper lays out the vision for that holistic approach, showing how companies can integrate their Governance, Risk Management and Compliance initiatives and embed them into their daily business processes to go beyond merely complying with C-SOX requirements. The goal is to transform GRC activities from a costly burden into a strategic management tool, enabling the company to respond flexibly and effectively to changing stakeholder demands and lay a strong foundation for business success. By embarking on an integrated strategy and employing a comprehensive GRC solution, organizations can proactively achieve two significant returns on their investment. First, they can confidently address all regulatory and business-related risks and achieve compliance at a lower cost. Second, while the competition is mired in tactical compliance management, an integrated GRC approach enables an organization to differentiate itself and achieve greater agility by optimizing its business processes and using risk intelligence for better decision making.


Overview of C-SOX

Introduction to C-SOX

On 28 June 2008, the Ministry of Finance (MOF), the China Securities Regulatory Commission (CSRC), the National Audit Office (NAO), the China Banking Regulatory Commission (CBRC), and the China Insurance Regulatory Commission (CIRC) jointly released a circular on the release of The Basic Standard for Enterprise Internal Control (The Basic Standard) dated 22 May 2008. The release of The Basic Standard signifies a unified and recognised internal control framework to strengthen the internal controls of Chinese enterprises. The new rule requires listed companies to conduct self-evaluation of their internal controls, disclose an annual evaluation report and employ qualified agencies to audit the effectiveness of the controls.

The Basic Standard is intended to bring stronger corporate governance to China's listed companies, and is often compared to the Sarbanes-Oxley Act in the US. Hence the nickname "China SOX" or simply C-SOX. The Basic Standard outlines the regulatory requirements for Chinese enterprises to establish, evaluate and assess the effectiveness of their internal controls, and for accounting firms to audit the effectiveness of Chinese enterprises' internal controls. The Basic Standard comprises seven chapters and describes the general provisions and the five control elements: internal environment, risk assessment, control activities, information and communication, and internal monitoring.

All listed companies established within the territory of mainland China will be required to comply with The Basic Standard. Non-listed large and medium-sized Chinese enterprises are encouraged to adopt The Basic Standard.

With a view to facilitating the implementation of The Basic Standard, on 27 June 2008 the MOF issued exposure drafts of the following three guidelines:

■ Guidelines for Evaluation and Assessment of Effectiveness of Enterprise Internal Control

■ Implementation Guidelines for Enterprise Internal Control

■ Guidelines for Performing Assurance Engagements in relation to Assessing Effectiveness of Enterprise Internal Control under CaiBanKuai [2008] No.7 dated 12 June 2008

The new regulation intends to increase the effectiveness of internal controls in listed Chinese companies, thus reducing risks for companies and their stakeholders.

©SAP AG 2009


Key Drivers for the Introduction of C-SOX Regulations

Fig. 1: Key Drivers for Compliance

Governance, risk, and compliance (GRC) issues are hot topics today, thanks to a myriad of high-profile stories about companies that failed to meet regulatory requirements governing finance, environmental compliance, and other areas. In each case, executives have been held accountable, stock prices have dropped, and brand image has suffered. GRC issues are also a top priority because business leaders increasingly understand that seemingly small operational control weaknesses can significantly impair corporate performance. These obstacles might range from a supplier inventory shortage that impacts revenue, to a faulty or counterfeit product that erodes brand and increases costs, to a leakage of confidential data that damages reputation and creates a compliance liability. For this reason, many countries have adopted legislation to strengthen internal controls, such as the U.S. "Sarbanes-Oxley Act", “JSOX” in Japan and so on.

What are some of the key drivers of all this attention to compliance, which have led to the introduction of C-SOX regulations in China as well?

■ Heightened media attention, information transparency: thanks to the Internet it takes only seconds for information to get into the hands of millions. This leads to increased awareness about compliance globally.

■ Customer and shareholder power shift: with the need to maintain customer loyalty, customers now have much stronger influence over companies than before. Consumer and special interest groups are more active participants and are driving co-creation in both digital-based industries (e.g., media migrating from producer to facilitator of content) and physical goods industries (e.g., consumer packaged goods customers defining new products). With increasing evidence of the effect of environmental and social issues on financial performance comes the interest of shareholders. Shareholder activism is increasing, from governance issues such as executive pay to labour policies.

■ Business concerns over operational and financial risk: increasing business volatility (e.g., supply chains, labour issues, etc.) and increasing regulation are driving the need for proactive risk management.


■ Risk management imperative and government regulations: with globalization there’s exposure to unprecedented risks, often contradictory regulatory oversight, and new forms of stakeholder activism. The distributed nature of business expands the risk profile organizations need to manage, particularly the legal and regulatory environment. Regulations are streaming out of governments nonstop; since 1981, the US federal government alone has introduced more than 100,000 new rules and regulations.

■ Business-led IT: IT now has a new prominence. Organizations must now not only run effective operations, but must deliver an infrastructure which mitigates threats and promotes profitable growth.

■ Sustainability: sustainability is becoming critical to a company’s brand value. In addition, litigation, fines and settlements for non-compliance are increasing rapidly.

Key Elements of the C-SOX Regulations

Fig. 2: COSO Enterprise Risk Management Framework

The Basic Standard comprises seven chapters and describes the general provisions and the five control elements. These are internal environment, risk assessment, control activities, information and communication, and internal monitoring. The backbone of The Basic Standard for Enterprise Internal Control is the COSO risk framework, which establishes a broad definition of internal control extending to all parts of an organization. It lists five key control elements:

1. Internal environment - the foundation for all other components of internal control

2. Risk assessment - identification and analysis of risks for the achievement of company objectives

3. Control activities - policies and procedures that help ensure that directives are executed

4. Information and communication tools - systems to store and exchange information in support of business objectives

5. Internal monitoring - process of assessing the quality of internal controls

The purpose of assessing the internal controls and corporate governance is to obtain sufficient knowledge of the control environment to understand the management's attitudes, awareness and actions concerning the factors of the control environment.

The Basic Standard for Enterprise Internal Control requires that listed companies:

■ Include the five control elements when establishing and implementing effective internal control (Chapter 1 Article 5)

■ Establish and implement internal control policies (Chapter 1 Article 6)

■ Establish a suitable business management information technology system with embedded controls (Chapter 1 Article 7)

■ Set clear policies on the rewards and disciplines related to the proper implementation of internal control. Effectiveness of internal control implementation should be treated as a key element of performance appraisals at department and staff levels (Chapter 1 Article 8)

■ Perform self-assessment of the effectiveness of their internal control on a periodic basis and issue control self-assessment reports (Chapter 6 Article 46)


Implications of Compliance

China's business landscape is developing rapidly, with organizations focused mainly on how to expand enterprise scale, improve operating income, speed up cash flow and run their other daily business operations. Until now, most business managers have not focused on putting the management of corporate internal controls in place. There have been instances of internal control implementation, but mostly in foreign trade, overseas business and financial capital-related business. For the day-to-day domestic business of production, sales, procurement, personnel, IT, etc., risks may exist but today they do not receive enough emphasis. In recent years, the SASAC's "central enterprise-wide risk management guidelines" have increased the focus of central enterprises on this area. Together with the requirement for United States- and Hong Kong-listed companies to follow the "Sarbanes-Oxley Act" and the "Hong Kong-listed companies internal control and risk management guidelines", this has gradually improved the understanding of risk and internal control in many domestic enterprises. But awareness alone is not enough. Real corporate action, as well as the ability to obtain guidance from an external advisory body so that enterprises can truly establish a complete and scientific risk management system of internal controls, is expected to take some time.

All listed companies established within the territory of mainland China will be required to comply with The Basic Standard. It will have a direct impact on over 900 companies listed on the Shanghai Stock Exchange and about 800 companies listed on the Shenzhen Stock Exchange, so it will be broadly felt across the entire Chinese corporate environment. Unlisted large and medium-sized Chinese companies are also encouraged to adopt the standard. According to Alex Raymond, the founder of Vast Talent, it is estimated that over 2,000 listed and state-owned companies will need to comply with The Basic Standard in 2010.

(Source: A Preview of New Corporate Governance Regulations in China in Response to the Financial Crisis, Alex Raymond, 2009)

Fig. 3: C-SOX Requirements and Their Corresponding Impact on Organizations


Companies listed on either of the two major Chinese stock exchanges (Shanghai and Shenzhen) must conduct self-evaluations of their internal controls, report on an annual basis and hire qualified auditors to review the effectiveness of their internal controls. Implementing C-SOX is a change management initiative that can have a significant positive impact on the company. However, in order to do so, companies must take certain steps and make sure they have a clear strategy. Starting the C-SOX compliance process does not have to be difficult. A high level of visibility and support from the executive team will provide the urgency needed to start rolling out training programs and gathering internal resources. Putting these foundations in place early removes time pressure from the compliance project and will give the company a strong basis in risk management and internal controls going forward. In particular, making the effort to develop a culture of risk awareness will pay off through better existing processes, reduction of errors, and increased employee engagement. Companies that begin now will see improving margins, increases in efficiency and growing market respect.


Opportunity Areas for Compliance

The outstanding problem with internal control in China today is that, despite seemingly well-established internal controls, the actual control of the company lacks the necessary constraints owing to deficiencies in the corporate governance structure. This has led to internal control becoming a mere scrap of paper, with serious deficiencies in risk control in the pursuit of strategic and operational objectives. As the concepts of internal control and risk management become universally adopted, and as regulatory agencies vigorously enforce "the basic norms of internal control", a substantial increase in emphasis on compliance is expected.

Deloitte Survey Reveals Listed Chinese Companies’ Heightened Awareness and Knowledge of Internal Controls but Obstacles to Implementation Remain

Fig. 4: Increased Awareness about Internal Controls in Chinese Companies

Have listed companies in China enhanced their understanding and readiness for sound internal control systems in the last 12 months? An annual survey by Deloitte indicated that while 44% of the respondents said they have already established a sound internal control system, over half of the respondents (56%) still have either no internal control systems in place or their systems are not up to par despite their heightened awareness and understanding of regulatory requirements for internal controls. This is the second survey by Deloitte to track the awareness and readiness of listed companies in the Chinese Mainland for internal controls. Conducted in May 2008 among senior executives and board representatives from a range of large and small listed companies of various industries, a total of 126 responses were received, compared to 86 in the 2007 survey.

Danny Lau, National Leader of Enterprise Risk Services of Deloitte China, said: “The regulatory authorities have issued a lot of rules and guidelines on internal control in recent years with the aim to improve the management quality of Chinese companies and to increase their awareness and understanding of internal controls. However, our second survey indicates that Chinese companies are facing the internal control paradox: the heightened awareness of regulatory requirements is not met by an increased level of commitment to implement an internal control system.”

Fig. 5: Difficulties in Implementing Internal Controls Remain

The trepidation of Chinese listed companies in implementing internal controls can be explained by the survey findings that the majority of respondents (91%) said they encountered some obstacles when implementing internal control. These include the lack of a practical internal control framework or model (84%), the lack of stringent supervision and monitoring systems, and the failure to include internal control in performance evaluation (63%). Another 57% believed that lack of attention, support and guidance from senior management is another major obstacle. Allan Xie, Partner of Enterprise Risk Services of Deloitte China, said: "The survey also examined the long-term internal control management mechanisms of listed companies. Same as last year, 72% of the respondents believe they do not have an effective mechanism for continuous monitoring of internal controls. Although no improvement is shown in this area, 96% of the respondents recognize the importance of an internal control management mechanism. Many respondents cited that assessment by external auditors would definitely help perfect their internal control systems." Companies with an internal control system in place can also enhance their effectiveness to meet business objectives. Mr Xie said that the survey further demonstrates the benefits of creating strong internal controls. “Over 76% of the respondents said the implementation of an internal control system has improved efficiency in producing financial reports while at the same time increasing their credibility. This feedback reflects the increasingly sophisticated attitude and dedication of Chinese listed companies to stay competitive by enhancing their governance and operation through internal controls.”


Possible Benefits and Opportunities from C-SOX

Fig. 6: Possible Benefits and Current Shortfalls from C-SOX

It is often seen that business executives grumble when new government regulations, like China’s Basic Standard for Enterprise Internal Control (C-SOX), are released. They are worried about the extra time and cost of implementing the regulation and the burdens that this will put on the company. While government regulation can be a costly exercise, what about the benefits? In China, where according to popular perception governance, risk and compliance practices are generally behind those in more advanced economies, companies should expect substantial benefits from implementing this new regulation. Despite the investment required to establish the required compliance measures for C-SOX, there are various benefits that Chinese companies can expect from C-SOX compliance:

■ More attention to risk management: When employees are more aware of how to manage and prevent risks, the overall risk profile of the company goes down. This includes financial and operational risk categories.

■ More predictable business: Companies that have steady, predictable business are valued more highly by investors, customers and suppliers. C-SOX compliance makes you more predictable by imposing disciplines and giving you the tools to make the business steadier.

■ Increased trust: Investing in the process of C-SOX compliance means that the market will perceive your company as more trustworthy because you are willing to make your operations more transparent.

■ Lower employee turnover: The average cost of replacing an employee is 150 percent of the employee’s annual salary. Therefore, there is a big incentive to reduce turnover and lower your costs. Companies that are C-SOX compliant have better processes and more engaged employees, which may reduce the voluntary departure rate.

■ Improved supplier relationships: Suppliers are a critical part of your supply chain, and they will appreciate your investments in processes and systems that give them a clearer view and more access into your business. This means more just-in-time delivery, lower inventory costs, and more bargaining power with your vendors.

■ More business opportunities: C-SOX compliance is a competitive advantage and customers will want to do business with an open, ethical and well-run company. Expect to see higher win rates and more profitable customer relationships once your China SOX implementation is underway.

■ Better corporate governance: This is the sum of the benefits of compliance. Better corporate governance lowers risks for all stakeholders, improves the image of the company, and allows for better decision-making and more efficiency in the company. This will be reflected not just in the board of directors, but in all employees.

Adoption Trends Based on the US-SOX Experience

The Sarbanes-Oxley Act of 2002, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called Sarbanes-Oxley, Sarbox or SOX, is a United States federal law enacted on July 30, 2002, as a reaction to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom. These scandals, which cost investors billions of dollars when the share prices of affected companies collapsed, shook public confidence in the nation's securities markets. President George W. Bush signed it into law, stating it included "the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt." The legislation set new or enhanced standards for all U.S. public company boards, management and public accounting firms. It does not apply to privately held companies. The act contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law.

Adoption Trend of US-SOX

According to an annual survey entitled “Oversight Systems Financial Executive Report on Sarbanes-Oxley” conducted with a number of corporate finance leaders by Oversight Systems from 2004 – 2008:

■ 86 percent were favourable in their opinions of the shareholder value imparted by SOX in 2008

■ 74 percent said their company benefited from SOX in 2004

■ 79 percent reported “significantly stronger” or “somewhat stronger” internal controls as a result of SOX in 2004

■ 46 percent said SOX compliance benefits the company by ensuring accountability in 2004


Analyzing the Benefits of US-SOX

(Source: 2008 Oversight Systems Financial Executive Report on Sarbanes-Oxley)

Fig. 7: Benefits of SOX-Compliance

A significant body of academic research and opinion exists regarding the costs and benefits of US-SOX, with significant differences in conclusions. This is due in part to the difficulty of isolating the impact of SOX from other variables affecting the stock market and corporate earnings. Conclusions from several of these studies are summarized below:

FEI Survey (Annual): Financial Executives International (FEI) provides an annual survey on SOX Section 404 costs. These costs have continued to decline relative to revenues since 2004. The 2007 study indicated that, for 168 companies with average revenues of $4.7 billion, the average compliance costs were $1.7 million (0.036% of revenue). The 2006 study indicated that, for 200 companies with average revenues of $6.8 billion, the average compliance costs were $2.9 million (0.043% of revenue), down 23% from 2005. Survey scores related to the positive effect of SOX on investor confidence, reliability of financial statements, and fraud prevention continue to rise.

Iliev (2007): This research paper indicated that SOX 404 indeed led to conservative reported earnings, but also reduced -- rightly or wrongly -- stock valuations of small firms. Lower earnings often cause the share price to decrease.

Skaife/Collins/Kinney/Lefond (2006): This research paper indicates that borrowing costs are lower for companies that improved their internal control, by between 50 and 150 basis points (.5 to 1.5 percentage points).

Lord & Benoit Report (2006): Do the Benefits of 404 Exceed the Cost? A study of a population of nearly 2,500 companies indicated that those with no material weaknesses in their internal controls, or companies that corrected them in a timely manner, experienced much greater increases in share prices than companies that did not. The report indicated that the benefits to a compliant company in share price (10% above Russell 3000 index) were greater than their SOX Section 404 costs.

■ Positive influence on maintaining investor confidence (and long-term share price) through increased transparency and fewer surprises.

■ More timely and reliable financial reporting.

■ Enhancement of processes and the underlying control structure to drive operational effectiveness and cost efficiencies.

■ Improved corporate governance process.

■ Elimination of outdated, redundant and ineffective processes and controls.


Praise for US-SOX has come in from various quarters:

“I am surprised that the Sarbanes-Oxley Act, so rapidly developed and enacted, has functioned as well as it has...the act importantly reinforced the principle that shareholders own our corporations and that corporate managers should be working on behalf of shareholders to allocate business resources to their optimum use.”

Former Federal Reserve Chairman Alan Greenspan

“Sarbanes-Oxley helped restore trust in U.S. markets by increasing accountability, speeding up reporting, and making audits more independent.”

Former SEC Chairman Christopher Cox

Evidence from companies that implemented SOX in the US suggests that there are many more operational, financial and strategic benefits to be had from investment in compliance processes. Since The Basic Standard for Enterprise Internal Control is new in China, the rate of improvement can be expected to be dramatic.


What SAP Is Doing to Enable Compliance with C-SOX

What Value Can SAP Bring in Enabling Effective Compliance Management?

Current Pain Points with Managing Compliance

Fig. 8: Isolated and Fragmented Approach to Managing Compliance

At the corporate level, as well as at departmental or regional levels, there is general uncertainty about the meaning and scope of the disciplines of governance, risk management, and compliance. Here is how one analyst, John Hagerty from AMR Research, defines these terms:

Governance manages the strategic directives a company wants to follow.
Risk management assesses the areas of exposure and potential impacts.
Compliance is the tactical action to mitigate risk.

(Source: “SAP Snaps Up Virsa Systems to Enhance Compliance Story,” AMR Research, April 3, 2006.)

The three disciplines are therefore tightly interrelated. However, whatever the definition of “Governance,” “Risk Management” and “Compliance,” today’s practice is marked by multiple levels of fragmentation that compound the cost of addressing risk and managing compliance. It is also marked by little or no investment in an enterprise governance policy. In most organizations, compliance is handled as a series of disconnected, tactical, one-off projects that are usually initiated out of fear, because the cost of noncompliance can be insurmountable. In addition to fines, businesses risk bearing the cost of litigation and remediation, and they also risk a negative impact on their brand, reputation, and market valuation. The four levels of fragmentation that today’s organizations suffer from are:

Organization
Systems
Regions
Internal GRC disciplines


Organizational Fragmentation

In many organizations, implementing policies, identifying and measuring risks, and supporting regulatory mandates take place at the departmental level. The organizational fragmentation resulting from disconnected departmental activities can result in inconsistent policies, difficulty in predicting risk, a lack of enterprise transparency, and duplication of effort.

System Fragmentation

Most businesses lack GRC information integrity. Governing principles and policies, risk measurement, and compliance with regulatory mandates are typically supported by departmental IT systems. Without centralized governance, systems may use different metrics, standards, and methodologies for analyzing risk and compliance information.

Regional Fragmentation

In most cases, policies and risks are defined and measured at the local level, without proper consideration of their impact on the global, multinational, national, or regional mandates with which an organization must also comply.

Growing Number of Isolated and Fragmented Governance, Risk, and Compliance Initiatives

Fig. 9: Interrelationship between Governance, Risk and Compliance Management

With the growing number of G, R and C initiatives, the problem of fragmentation becomes apparent. Horizontal mandates address areas such as financial reporting, security, privacy, records retention, import-export regulations, environmental standards, occupational safety, and credit risk exposure across all types of businesses. Vertical mandates additionally address a large number of industry-specific areas. Without an aligned and integrated perspective on governance to guide risk profiling and mitigation, organizations cannot effectively monitor compliance and risk, adjust business processes to meet changing requirements, market trends, and regulatory mandates, or optimize risk/return portfolios. Each discipline is important in its own right, but, as recognized by SAP, leading analyst firms, business consultants and more and more forward-looking customers, governance, risk, and compliance must function interdependently as part of an integrated strategy. Only with an organization-wide view of GRC information and a unified solution for managing GRC across the enterprise can organizations manage with confidence, improve business predictability, and drive higher performance.


The Impact of Fragmentation in GRC Management

Fig. 10: Impact of Fragmentation beyond Cost

Clearly, the fragmented approach is marked by inefficient processes and highly resource-intensive work. It is time-consuming, error-prone and fragile, and therefore high risk. Most organizations focus on the most obvious impact: GRC cost. From a pure cost perspective, the status quo is simply too expensive to sustain. The financial impact of fragmented GRC efforts with respect to human capital, services, and technology costs has not been calculated, but the cost of compliance efforts has been well documented by analysts. The cost of compliance is not just money. It is distraction from the company’s core competency. It is resources; it is delayed or cancelled projects due to reallocation of resources; it is ultimately lost time and opportunity. An organization caught up in these issues loses time that its competitors can use to move ahead. The business loses its competitive advantage.

Another consequence of GRC fragmentation is the impact on share price performance. Integrating the various G, R and C activities while they still run on manual processes is not only costly but also high risk. On the one hand, manual processes inhibit repeatability, especially for recurring activities (“who remembers how we did that last year?”). On the other hand, they also increase the element of human error. How can management sign off with confidence if the underlying process is fragile and error-prone? For example, in the area of SOX any auditor can tell you that manual controls are the ones that have to be tested extensively to ensure SOX compliance (which is reflected in the high “services” cost element above). Error-prone and fragile manual efforts reduce business transparency and predictability. No wonder that management often lacks the confidence to sign off on financial reporting and other key processes. Ultimately, this translates into a lack of confidence on the part of the investment community. Well-managed GRC, by contrast, translates into superior share price performance.


And finally, there are missed opportunities due to lacking GRC insight. Of even greater significance is the lost opportunity that results from a tactical, fragmented approach to managing GRC. Without a comprehensive and cohesive GRC strategy, you are deprived of a powerful tool for effectively navigating today’s highly regulated business environments. A GRC strategy can also be a critical driver of revenue and competitive advantage, because organizations can accurately assess the risk of various business decisions. Objective decision making requires identifying, capturing, measuring, and evaluating all enterprise events, whether positive (opportunities) or negative (risks), and keeping them in perspective in terms of materiality, interdependency, and alignment with your strategic business objectives.

GRC Adoption Cycle and Integrated GRC Management

Fig. 11: GRC Adoption Cycle

Let us take a look at the journey many organizations are facing today. Of course, each organization is in its own unique situation and therefore charts its own GRC course to meet its business requirements. But it will generally move through four phases to reach GRC maturity.

First is the blissful unawareness phase. Initially, the organization is unaware of GRC interdependencies and focuses only on the obvious and most critical mandatory compliance issues. These companies are often early start-ups and small private businesses that are more concerned about staying afloat, obtaining funding, or ensuring a prototype is well accepted by prospective customers than they are about their GRC activities.

The majority of organizations fall into the reactive, fragmented implementation phase. These companies respond to local regulatory compliance issues by engaging in disjointed GRC approaches. For them, the pressures of local regulatory compliance issues, corporate governance demands, and dynamic business models are too much, and they answer with fragmented approaches. The number of independent project teams they maintain, each dealing with a specific regulation, business risk, or other governance issue, steadily grows. However, also in evidence is an increasing awareness among executive management that something must be done about their fragmented governance, risk, and compliance initiatives.

Once executive management determines that something must be done about GRC fragmentation, the organization can move to the consolidation phase. At this point, the organization is ready to initiate a strategic change based on one consistent enterprise-wide GRC framework. Such a framework contributes to a well-balanced enterprise-wide view of all compliance and risk issues and indicates where the enterprise-wide “hotspots” are. (Many financial institutions are examples of organizations in the consolidation phase.)
Finally, when the business has successfully transformed the way GRC is embedded in its business processes, it moves into the operational excellence phase. Typical characteristics of GRC operational excellence include a balanced GRC view across all processes, projects, and objects; GRC absorbed at all organizational levels across the enterprise; and a common language and set of metrics established for use with all initiatives. Based on this comprehensive and integrated GRC foundation, your organization can leverage GRC to effectively drive competitive advantage, based on business transparency and predictability.

Organizations today need a different approach if they want to increase the maturity of their GRC efforts and move towards operational excellence. They need an approach that simplifies GRC as a whole, not the isolated disciplines of G, R and C. An approach that dramatically reduces the cost of governance, risk and compliance, provides complete compliance and risk visibility, and easily adapts to change. They need an approach that embeds GRC into the way they do business, into every business process. In summary, they need an integrated approach to GRC.

Unified Approach to Governance, Risk and Compliance (GRC) Management with SAP

Fig. 12: Unified GRC Management

SAP solutions for GRC are the first and only holistic GRC framework that:

Provides a common methodology, vocabulary, and measurement and aggregation scales for use across your enterprise.
Allows an organization to work directly with the departments that are currently operating in a fragmented way, leveraging existing work. The GRC framework merges this information into a larger and eventually enterprise-wide GRC framework, as you move towards phases 3 and 4 of the GRC maturity model.

By providing a single, integrated GRC framework, SAP Solutions for GRC establishes a common methodology, vocabulary, and measurement and aggregation scales for use across your enterprise: across processes, regions, organizations and systems. SAP Solutions for GRC will deliver a rich horizontal solution set. It will include a process controls solution that allows corporations not only to document business controls across their diverse business processes, but also to manage all of their control activities, both manual and automated controls, by utilizing information from the horizontal SAP Solutions for GRC such as the Access Control, Global Trade Services, and Environment, Health and Safety applications, as well as from the underlying enterprise applications.


Access Controls – addresses compliant provisioning of resources and ensures proper segregation of duties at all times. This is a set of applications for monitoring, testing, and enforcing access and authorization controls across the enterprise. Designed to help organizations comply with Sarbanes-Oxley and other regulatory mandates, the software enables businesses to rapidly identify and remove access and authorization risk from IT systems and embed preventive controls into business processes to stop future violations from occurring.

Process Controls – helps you embed a rich set of rationalized, automated controls into cross-enterprise business processes so you can significantly reduce manual control activities. In addition, it helps ensure that your organization meets compliance mandates.

Risk Management – the risk management application adds another dimension to the horizontal layer by providing strategic risk intelligence to optimize the risk/return portfolio, giving organizations greater confidence and predictability over the future. It drives business predictability by identifying risks across the organization by impact and probability.

Global Trade Services – secures and expedites cross-border transactions. The SAP Global Trade Services application supports regulatory compliance, expedites customs clearance, mitigates the financial risk of global transactions, and takes advantage of international trade agreements.

Environment, Health and Safety Management – supports environmental and social responsibility initiatives. The SAP EH&S solutions manage environmental aspects such as hazardous materials storage or dangerous goods transportation, as well as occupational health aspects, in an integrated fashion.

SAP solutions for GRC promote operational excellence by unifying organizational goals, control initiatives, opportunity discovery, and loss mitigation across the extended organization.
A unified approach to GRC overcomes the challenges of driving development of organizational goals, compliance to regulations and management of risks across disconnected systems, jurisdictions and functions, leading to improved organizational performance. The SAP GRC technology foundation enables GRC processes across SAP and non-SAP systems and works with SAP partner content, technology, and applications to provide an effective, unparalleled GRC solution.

Key Capabilities of the SAP GRC Solution

Fig. 13: SAP BusinessObjects Governance, Risk, and Compliance Solutions

By managing governance, risk, and compliance across the extended enterprise, one can evaluate and align processes and strategies within the company and extend them to partners, suppliers, and customers, truly representing the enterprise’s full reach. SAP BusinessObjects GRC solutions help to manage GRC processes across SAP and non-SAP applications and seamlessly integrate with SAP partner content, technology, and applications to provide effective, unparalleled GRC solutions.

Enterprise Risk Management

Proper risk management improves decision making and creates value. But companies often tackle risk reactively within departmental silos and overlook critical interactions between risks. And because risk management is often regarded as a theoretical exercise with no practical methodology, frontline managers aren’t equipped to properly analyze risk-reward trade-offs and carry out appropriate responses that are backed by quantitative metrics. The SAP BusinessObjects Risk Management application addresses these issues by enabling you to implement proactive, collaborative processes to balance opportunities with financial, legal, and operational risks at all levels of the enterprise. The software provides a best-practice framework for enterprise risk identification, collaborative risk analysis, predefined risk responses, and continuous risk monitoring and reporting so that you can effectively anticipate and respond to changing business conditions. Key risk indicators enable one to monitor the overall risk portfolio and to alert management immediately when high-impact and high-probability risks exceed company-specific thresholds. Managers can analyze risks in terms of severity and likelihood of impact, and they can monitor GRC activities and time frames at the most granular level – information that is automatically aggregated to create higher-level views and risk networks. All risk-related activities are monitored through executive-level dashboards and reports that deliver visibility into key risk metrics and policy compliance.


Business Process Control

SAP BusinessObjects Process Control helps an organization embed a rich set of rationalized, automated controls into cross enterprise business processes so you can significantly reduce manual control activities. In addition, it helps ensure that the organization meets compliance mandates in a timely, cost-effective fashion while optimizing operational efficiency and reducing risk. One also gains complete visibility into business process controls to help ensure that they are operating as designed and that you can trust the data provided to regulatory bodies. SAP BusinessObjects Process Control applies a risk-based approach to setting up the control environment and identifying the most effective and efficient controls needed to achieve compliance. One can create a library of all process documentation, risks, and controls across the enterprise and centralize enterprise control management, eliminating the need to integrate separate tools for documentation, testing, remediation, and control monitoring. One can also test controls for key risks using a combination of monitoring for automated controls, testing for manual controls, and self-assessments. This powerful combination works together to help you establish controls that promote desired employee behaviour and optimize business processes. It helps ensure that your organization meets compliance mandates on time and in a cost-effective manner, and that risks are effectively mitigated.


Access Control

Proper segregation of duties (SoD) and access control across business processes and transactions are among the most effective safeguards to protect against fraud and other financial and operational risks and are prerequisites for sound corporate oversight. They are also among the most difficult controls to deploy and sustain effectively, given the thousands of users, roles, and business processes that all require access and authorization evaluation, testing, and remediation. Furthermore, organizations with cross-application requirements, multiple instances of enterprise resource planning (ERP) software, or ERP software from different vendors require a cross-application and cross enterprise solution to effectively resolve SoD risks. On a business process level, only business process owners have the operational insights necessary to fully understand the relationship between user, business role, and function needed to complete each business task. At the same time, IT experts manage the system layer and define technical profiles and authorization objects needed to execute transactions within each system. The immense task and otherwise labor-intensive process of managing proper user and role access can only be accomplished when business process owners and IT experts collaborate. The problem is that communication between the two groups is typically disjointed and unsuccessful because there is no bridge linking business process language with IT capabilities. The SAP BusinessObjects Access Control application, which monitors, tests, and enforces access and authorization controls across the extended enterprise, closes this gap. SAP BusinessObjects Access Control enables all corporate compliance stakeholders – including business managers, auditors, and IT security managers – to collaboratively manage proper SoD enforcement. This helps to identify and remediate potential risks like conflicting authorizations within a single user’s access profile. 
Most important, it also helps to identify actual risks, such as business functions that are executed in conflict with SoD mandates. Designed to help one comply with financial reporting and regulatory mandates, SAP BusinessObjects Access Control automates many of the processes for access and authorization management, enabling one to rapidly identify and remove access and authorization risk from IT systems and to embed preventive controls into business processes to stop future SoD violations from occurring. The result is a dramatic reduction in the time, risk, and cost associated with compliance.
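The two kinds of SoD finding distinguished above, a potential risk (conflicting authorizations granted within one user's access profile) and an actual risk (conflicting business functions really executed by the same person), can be checked with a small rule engine. The following is an added example for illustration; it is not SAP's code and not part of the original paper. The role names, user IDs, rule IDs (SOD-P2P-01, SOD-P2P-02), the mitigation register and the audit-trail entries are all constructed; in a real landscape the role-to-function mapping would be derived from the authorization concept and the activity log from the system's change documents or transaction audit trail.

```python
"""Segregation-of-duties (SoD) analysis over a constructed authorization model.

Added example for illustration; this is not SAP's code and not part of the
original paper. It separates the two findings the text distinguishes:
  potential risk: a user whose combined roles grant both halves of a
                  conflicting function pair, and
  actual risk:    a user who really executed both halves against the same
                  business object.
All role names, user IDs, rule IDs, mitigations and audit-trail entries are
constructed (hypothetical) for this example.
"""
from collections import defaultdict

# Technical layer (hypothetical): role -> business functions it grants.
# In a real landscape this mapping is derived from the authorization concept.
ROLE_FUNCTIONS = {
    "AP_VENDOR_MAINT": {"maintain_vendor"},
    "AP_INVOICE": {"post_invoice"},
    "AP_PAYMENT_RUN": {"release_payment"},
    "AP_DISPLAY": {"display_vendor", "display_invoice"},
}

# Provisioning layer (hypothetical): user -> roles assigned.
USER_ROLES = {
    "u_chen": {"AP_VENDOR_MAINT", "AP_PAYMENT_RUN"},  # conflict, mitigated
    "u_li": {"AP_INVOICE", "AP_PAYMENT_RUN"},         # conflict, unmitigated
    "u_wang": {"AP_DISPLAY"},                         # read-only, clean
    "u_zhang": {"AP_VENDOR_MAINT", "AP_DISPLAY"},     # clean
    "u_zhao": {"AP_PAYMENT_RUN"},                     # clean
}

# SoD ruleset (hypothetical IDs): function pairs one person must not combine.
SOD_RULES = {
    "SOD-P2P-01": ("maintain_vendor", "release_payment",
                   "Maintain a vendor master record and pay that vendor"),
    "SOD-P2P-02": ("post_invoice", "release_payment",
                   "Post an invoice and release its payment"),
}

# Compensating controls a control owner has accepted for a specific
# user/rule combination (hypothetical). A mitigated conflict is still
# reported, but flagged so reviewers can verify the control is performed.
MITIGATIONS = {
    ("u_chen", "SOD-P2P-01"): "Monthly review of vendor master changes by AP manager",
}


def effective_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Union of the functions granted by all roles assigned to a user."""
    funcs = set()
    for role in user_roles.get(user, ()):
        funcs |= role_functions.get(role, set())
    return funcs


def potential_violations(user_roles=USER_ROLES):
    """Users whose access profile grants both halves of an SoD rule.

    Returns a list of (user, rule_id, mitigated) sorted by user, then rule.
    """
    found = []
    for user in sorted(user_roles):
        funcs = effective_functions(user, user_roles)
        for rule_id, (func_a, func_b, _desc) in sorted(SOD_RULES.items()):
            if func_a in funcs and func_b in funcs:
                found.append((user, rule_id, (user, rule_id) in MITIGATIONS))
    return found


def actual_violations(activity_log):
    """Users who actually executed both halves of a rule on one object.

    activity_log: iterable of (user, function, business_object) tuples, as
    would be extracted from change documents or a transaction audit trail.
    Returns a sorted list of (user, rule_id, business_object).
    """
    executed = defaultdict(set)  # (user, object) -> functions executed
    for user, func, obj in activity_log:
        executed[(user, obj)].add(func)
    found = []
    for (user, obj), funcs in executed.items():
        for rule_id, (func_a, func_b, _desc) in SOD_RULES.items():
            if func_a in funcs and func_b in funcs:
                found.append((user, rule_id, obj))
    return sorted(found)


# Constructed audit trail: (user, function executed, business object).
SAMPLE_LOG = [
    ("u_chen", "maintain_vendor", "VENDOR-1007"),
    ("u_chen", "release_payment", "VENDOR-1007"),  # both halves of SOD-P2P-01
    ("u_li", "post_invoice", "INV-55012"),         # u_li could pay it, but did not
    ("u_zhao", "release_payment", "INV-55012"),    # paid by a different user
    ("u_zhang", "maintain_vendor", "VENDOR-1008"),
]


def report(activity_log=SAMPLE_LOG):
    """Human-readable summary of both checks for a stand-alone run."""
    lines = []
    for user, rule_id, mitigated in potential_violations():
        status = "mitigated" if mitigated else "UNMITIGATED"
        lines.append(f"potential {rule_id} {user}: {SOD_RULES[rule_id][2]} [{status}]")
    for user, rule_id, obj in actual_violations(activity_log):
        lines.append(f"actual    {rule_id} {user} on {obj}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Two design points are worth noting. Potential conflicts are evaluated on the union of all functions a user's roles grant, so a conflict that only exists because two individually harmless roles are combined is still caught. Actual violations are keyed on the same user and the same business object; that keeps a user who legitimately maintained one vendor and paid a different one out of the findings, and the key can be relaxed to the user alone if the control owner wants any same-person execution of both functions flagged.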

Fig. 14: All C-SOX Requirements Enabled with SAP Solutions

The most comprehensive, integrated portfolio of GRC applications from SAP is fully capable of satisfying all the requirements of C-SOX. These applications help to maximize strategic and operational performance by providing visibility across risk and compliance activities and reducing GRC costs, while managing risks across the extended enterprise.


Overview of the Benefits We Expect Organizations to Achieve by Using SAP Solutions

The GRC framework and software solutions lay out a strategic and comprehensive approach for successful and confident business management. Together, they provide a new level of transparency and confidence across the enterprise and beyond, delivering value to the board, line-of-business management, and external stakeholders who can affect your organization’s cost of capital, market capitalization, and so on. The following table provides a summary of the types of benefits an organization can expect to achieve using SAP GRC solutions. These benefits are directional in nature. Access to operational details and data will be required to develop more specific benefits.

Fig. 15: Potential Benefits to an Organization from using SAP GRC solutions (Source: benefits achieved from previous customer experience, SAP benchmarking data and SAP analysis)

The key strategic and operational benefits for your organization from SAP Solutions for GRC include the following:

Increased Shareholder Value: Good governance is reflected in many intangibles, including brand and reputation, and it translates directly into share price premiums. Institutional investors and rating agencies look closely at an organization’s capability for understanding and managing GRC. Insurers have also rewarded such organizations with lower insurance renewals or extended qualitative coverage and policy limits.

Optimized Risk-Return Portfolios: The GRC framework and software solutions provide the transparency and insight business decision makers need to select (and reject) projects based on risk impact and probability relative to potential return.

Reduced GRC Costs: Transitioning to an integrated GRC approach significantly reduces the number of people, and the amount of time, required to control and address risk. For compliance in particular, you can rely on accurate compliance processes enabled by the GRC software solutions. SAP Solutions for GRC overcome the four levels of fragmentation mentioned earlier, and a unified approach overcomes the duplication of effort that comes with them. Transitioning to a unified GRC approach also means GRC becomes part of the core business process: it is embedded, not an additional and separate process. The integrated approach provides the potential to automate routine GRC tasks and transition to GRC management by exception. Consequently, unified SAP Solutions for GRC significantly lower cost, free resources and give your business the agility to innovate and grow.

Improved Business Performance and Predictability: The GRC framework enables transparency across your enterprise and beyond. It gives management a systematic process for anticipating and controlling risks, and the tools to proactively determine proper actions and critical tasks, reducing unacceptable performance variability.

Increased Business Sustainability: Compliance with thousands of mandates locally, regionally, and globally is a fact of business life today. Because the GRC framework does not rely upon an infinite pool of compliance and risk-trained employees, GRC provides a clear path to sustainable compliance and risk management, even as mandates increase and business models and processes become more complex.


Greater Business Agility: As the business environment continues to change at an ever increasing pace, comprehensive and integrated GRC helps your organization become better at identifying material business risks and their interdependencies. It helps management evaluate assumptions in the current business model and assess the effectiveness of the strategies for new business models. By enabling decision makers to identify and assess alternative future scenarios, GRC leads to greater business agility and promotes competitive differentiation.

Prevention of Fraud: Manual processes remain the most widespread enabler of wrongdoing. The lack of a system-based approach and automated processes results in a lack of transparency, of up-to-date information and of the ability to put effective preventive controls in place. Starting with effective and efficient management of access and authorizations to IT systems and enforcing proper segregation of duties across the enterprise, companies prevent improper system access and create transparency. By further automating business processes that contribute to the financial reporting process and embedding effective, automated process controls, companies can greatly improve fraud prevention and detection.

Fig. 16: SAP Customer Survey Results of Benefits to Organizations from using SAP GRC solutions

A customer survey conducted by SAP among companies with revenues between $1B and $5B whose US SOX Section 404 compliance savings are being measured showed that organizations achieved, on average, 41% savings in internal audit cost and 28% savings in external audit fees.


The Advantage of SAP Solutions for GRC

Fig. 17: Structure of SAP GRC Solutions

Integrated GRC Framework

What organizations have to contend with today are many separate solutions that each address part of the financial compliance process. This results in many points of costly custom integration, making it difficult to respond to evolving requirements and to achieve the transparency needed. SAP’s offering to the market is an alternative to that piecemeal approach: a holistic, integrated foundation for governance, risk, and compliance. SAP is the first company to commit to an integrated framework. SAP’s business process expertise, industry knowledge, and global presence uniquely position SAP Solutions for GRC as the most comprehensive framework to address governance, risk and compliance management in a unified approach, overcoming the fragmentation described before and delivering a simple yet global GRC foundation. SAP Solutions for GRC is unrivalled in both the horizontal breadth and the vertical depth of the solution. In addition, SAP is the only vendor to offer complete coverage across EPM, GRC, Business Intelligence and Information Management with best-of-breed solutions that address the full cycle, uniquely allowing customers to unify information, make collaborative decisions and optimize their business network.

Industry-Specific GRC Capabilities

The framework also embeds industry-specific solutions. Think, for example, of the high-tech manufacturing industry. There is typically a complex supply chain process, and there are specific environmental requirements in the high-tech industry restricting the use of toxic substances in products. Regulations include the Restriction of Hazardous Substances (RoHS) and Waste Electrical and Electronic Equipment (WEEE) directives. Any high-tech manufacturer will be held responsible for RoHS/WEEE environmental compliance of its products regardless of whether the manufacturer itself or its suppliers in the extended enterprise provided the components. SAP Solutions for GRC can manage this particular high-tech supply chain process as part of the overarching framework.

Embedded Into the Business Process


One of the unique advantages of SAP Solutions for GRC is that they are not separate from the core process. Rather, GRC is part of every process. Through the open enterprise service-oriented architecture (SOA), key controls of the SAP Solutions for GRC can be inserted into the core business processes to ensure that governance is enforced, risks are properly monitored and controlled, and compliance is maintained as part of the core business processes. The focus is on building on and extending the existing processes with horizontal and vertical GRC solutions that are embedded into the core business process.

Heterogeneity Powered by SAP NetWeaver

To arrive at a unified approach to GRC, the framework has to support a heterogeneous environment including leading enterprise software applications such as Oracle, PeopleSoft, SAP and others. Through the SAP NetWeaver business process platform, the SAP GRC framework bridges across these systems. In addition, SAP NetWeaver provides a rich set of reusable technology components such as security, workflow, content management and integration middleware. These common building blocks across all GRC solutions help avoid fragmentation and duplication of effort on the IT side.

Customer Success Stories

More than 2,000 customers worldwide have chosen SAP GRC to manage their compliance requirements. Here is a snapshot of a few sample GRC customers from across industries.


Some examples of substantial benefits achieved by customers by using GRC applications from SAP are illustrated below:


Summary

We see that today’s business climate is complex and increasingly difficult to predict. Stakes are rising in a global market in which competition is fierce and brand loyalty is fickle. Across all industries, companies are grappling with high expectations and margin pressures. At the same time, businesses face unprecedented numbers of legal, regulatory, and business partner mandates, as well as value chain requirements that affect nearly every aspect of their operations. Looking forward, you can expect more of the same, at a potentially significant cost to your bottom line unless you plan now. The question is, given today’s highly regulated environment, how can you control risk, manage effectively, drive performance, and ultimately inspire greater stakeholder confidence? With C-SOX regulations looming large over organizations in China, these issues have become more important than ever for executives in China today.

To address these requirements, forward-thinking organizations globally are taking a broader, more integrated approach to managing interrelated strategic planning activities and business risks. Essentially, this approach is an evolution toward an integrated program of governance, risk, and compliance (GRC) management and away from the current fire-drill method of channelling precious resources and management attention to address specific regulatory mandates independently and in isolation from each other. Technology is a key enabler in achieving this vision. This paper outlines how SAP can support companies along each stage of the path towards integrated GRC. Both on the level of GRC management activities and on the business process level, it becomes clear how technology can provide immediate benefits, for example by updating the Board on the progress of various GRC initiatives by means of integrated reporting functionality. Further quick wins can be achieved by integrating compliance requirements into workflows within the ERP system, or by using technology to support the development of efficient and effective user authorisation management. Technology is also a key driver in realising the strategic GRC vision, for example by providing an integrated platform for a range of key GRC information such as stakeholder requirements, mapped in turn to relevant risks, policies, procedures and controls. Equipped with the transparency provided by such a platform, companies are able to realise synergies between GRC activities, replacing the burden of duplicative compliance and reporting with a holistic GRC approach that directly supports performance objectives.

Organizations that have moved to an integrated approach have been able to realize a new level of confidence and transparency regarding compliance. In addition, businesses have realized significant benefits including optimized risk-return portfolios, reduced GRC costs, improved business performance and predictability, increased business sustainability and greater business agility.


References

“Enterprise Risk Management – Integrated Framework”, Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2004
“The Basic Standard for Enterprise Internal Control”, KPMG Risk Advisory Services, Internal Audit, Risk and Compliance Services
“The 2008 Oversight Systems Financial Executive Report on Sarbanes-Oxley”, www.oversightsystems.com
“2007 Oversight Systems Financial Executive Report on Sarbanes-Oxley”, www.oversightsystems.com
“Six Criteria For China SOX Compliance”, Alex Raymond, www.ezinearticles.com
“The Basic Norms of Internal Control – Content and Feature Analysis”, MA Masayoshi, www.chinaacc.com
“China SOX – Making Information Management More Pressing”, Jiangyan, www.erpworld.net
“China SOX Internal Control to Enhance Awareness of Enterprise Risk”, www.erpworld.net
“China SOX Compliance: Top 10 Business Benefits”, Alex Raymond, www.vasttalent.com
“China's Basic Standard For Enterprise Internal Control - Your Path to Compliance”, Alex Raymond, www.vasttalent.com
Deloitte China Survey on Listed Companies Internal Control 2009, www.deloitte.com
www.wikipedia.org
FEI 2007 Survey of SOX 404 Costs, www.fei.com
FEI 2006 Survey of SOX 404 Costs, www.fei.com
Foley and Lardner 2007 Study, www.foley.com
“The Effect of SOX Section 404: Costs, Earnings Quality and Stock Prices”, Peter Illiev, 2007
“The Effect of Internal Control Deficiencies on Firm Risk and Cost of Capital”, Skaife/Collins/Kinney/LaFond, 2006
Lord and Benoit Report, 2006, www.section404.org
China Boardroom Update, KPMG, August 2008
China Internal Control Regulation Update Newswire, PricewaterhouseCoopers
“A Preview of New Corporate Governance Regulations in China in Response to the Financial Crisis”, Alex Raymond, www.vasttalent.com
“Foundations of GRC: Streamlining Compliance”, Michael Rasmussen, 2009, Corporate Integrity
“Governance, Risk Management and Compliance: Sustainability and Integration supported by Technology”, PricewaterhouseCoopers
“2008 GRC Drivers, Trends, & Market Directions”, Corporate Integrity
“Increasing Business Agility: An Integrated Approach to Governance, Risk, and Compliance Management”, SAP Executive Insight
“SAP BusinessObjects Governance, Risk, and Compliance Solutions”, SAP Solution Overview
“An Integrated Approach to Managing Governance, Risk, and Compliance”, SAP Whitepaper


Appendix

Reduction in SOX Compliance Costs

Fig. 16: Compliance Costs in 2006 vs. 2005 (Source: 2007 Oversight Systems Financial Executive Report on Sarbanes-Oxley)

By 2006, the third year after its introduction, the cost of implementing SOX regulations was starting to come under control. When comparing 2006 SOX costs with 2005 figures, financial executives reported spending less. Comparing 2006 and 2005 SOX spending to year-one spending, only nine percent of executives reported spending an equal or greater amount on SOX in 2006, nearly half as many as in 2005 (17 percent). There was also a double-digit increase in the share of companies that spent less than half of their first-year costs in 2006 (29 percent) as compared to 2005 (19 percent).


© 2009 by SAP AG. (PM00/00) All rights reserved. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.


SAP China 12th Floor, Tower 2, China Central Place No. 79 Jianguo Road, Chaoyang District Beijing, 100025, China www.sap.com/china