Discussion agenda
Page 2
(Agenda chart: timed items of 15, 15, 10, 10, 30, 30 and 10 minutes; the only item name that survives is "Co-develop roadmap", 10 minutes.)
Background
After careful consideration of timeline, risks, resources and other factors, the Air Products team has decided to deploy logical separation through security to segregate the SAP ECC system and ancillary systems to achieve Day One of the MT spin.
The IT team has encountered certain technical constraints to fully secure the environment that, if not addressed, may result in material weaknesses in the controls environment.
Problem Statement
Develop a solution, in a cost-effective manner and commensurate with the risk, to demonstrate that only people who are authorized to write did write, for both the MT and IG businesses.
Page 3
Test Results
Role | Tested | Results: pass | Results: fail or warning
Accounting | 80 | 37 | 43
QM Technician | 105 | 56 | 49
Buyer/Sourcing | 79 | 55 | 24
Customer Service Rep | 52 | 34 | 18
Page 4
Impact if not mitigated | Impacted organization
Significant deficiencies or material weaknesses on Sep/2016 SOX review | Air Products
Fraud/error | Air Products
Operational issues | Air Products
ICFR framework is not ready for Day 1 | Materials Technology
Misstatement leading to violation of debt covenants | Materials Technology
New company is not SOX compliant on Sep/2017 | Materials Technology
Note: Other separation risk areas could be identified through a targeted risk assessment exercise.
Page 5
Standard transactions:
- Organizational levels are used in most transactions
- Some standard transactions lack organizational security
Custom transactions:
- Some may be copied over from standard transactions and may inherit security objects
- Others that are completely custom may not have any authorization objects
- Security authorizations depend on the coders and on which objects were used
- Security objects may not be easy to find, depending on the layers of source code
Page 6
Role hierarchy example (diagram):
Position: Project accountant for Materials Technologies
Composite role: Project Accountant
Single roles: Maintain project systems; Journal entry posting; Settle projects; Display accounting
Transactions (examples): Create work breakdown structure; Display accounting document
Activities: Create; Change; Display; Delete; Reverse
Organizational values: Company code; Plant; Cost center; Controlling area; Profit center
Page 7
Authorization detail (example):
Object: Accounting Document: Authorization for Company Codes (F_BKPF_BUK)
Field | Value
Company code (BUKRS) | US10
Activity (ACTVT) | Display (03)
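Added example, not code from the deck or from EY or Air Products: a toy Python model of how SAP decides whether a role may run a transaction on a company code, using the object F_BKPF_BUK and fields BUKRS/ACTVT from the slide above. It reproduces the deck's pass / fail-or-warning test outcomes for a role, including the Page 5 case of a custom transaction whose code carries no organizational check; the role names, transaction ZFB03 and company code US20 are constructed.

```python
from dataclasses import dataclass, field

WILDCARD = "*"  # SAP's "all values" entry for an authorization field

@dataclass
class Authorization:
    """One authorization instance in a role: object name plus permitted values per field."""
    obj: str
    fields: dict  # field name -> set of permitted values

@dataclass
class SingleRole:
    name: str
    tcodes: set  # transactions the role may start (S_TCODE)
    auths: list = field(default_factory=list)

def authority_check(obj, required, auths):
    """Mimic AUTHORITY-CHECK: a single authorization must satisfy ALL required fields."""
    for a in auths:
        if a.obj != obj:
            continue
        if all(v in a.fields.get(f, set()) or WILDCARD in a.fields.get(f, set())
               for f, v in required.items()):
            return True
    return False

# Objects each transaction's code actually checks (constructed). FB03 carries the
# standard company-code check; ZFB03 is a custom copy whose code never checks
# F_BKPF_BUK, the Page 5 case of a custom transaction without organizational security.
TRANSACTION_CHECKS = {"FB03": {"F_BKPF_BUK"}, "ZFB03": set()}
ORG_LEVEL_OBJECTS = {"F_BKPF_BUK"}

def evaluate(roles, tcode, own_bukrs, other_bukrs, actvt="03"):
    """'pass' if the roles reach only their own company code, 'fail' if they also reach
    the other business's code, 'warning' if the transaction cannot be restricted by code."""
    tcodes = {t for r in roles for t in r.tcodes}
    auths = [a for r in roles for a in r.auths]
    if tcode not in tcodes:
        return "no access"
    if not TRANSACTION_CHECKS.get(tcode, set()) & ORG_LEVEL_OBJECTS:
        return "warning"
    if authority_check("F_BKPF_BUK", {"BUKRS": other_bukrs, "ACTVT": actvt}, auths):
        return "fail"
    if authority_check("F_BKPF_BUK", {"BUKRS": own_bukrs, "ACTVT": actvt}, auths):
        return "pass"
    return "no access"

# The slide's single role "Display accounting", limited to company code US10, activity 03.
DISPLAY_ACCOUNTING = SingleRole("Display accounting", {"FB03", "ZFB03"}, [
    Authorization("F_BKPF_BUK", {"BUKRS": {"US10"}, "ACTVT": {"03"}})])
# Constructed pre-separation role with open company-code access (BUKRS = *).
OPEN_DISPLAY = SingleRole("Display accounting (open)", {"FB03"}, [
    Authorization("F_BKPF_BUK", {"BUKRS": {WILDCARD}, "ACTVT": {"03"}})])

if __name__ == "__main__":
    for roles, tcode in [([DISPLAY_ACCOUNTING], "FB03"), ([OPEN_DISPLAY], "FB03"),
                         ([DISPLAY_ACCOUNTING], "ZFB03")]:
        print(roles[0].name, tcode, evaluate(roles, tcode, "US10", "US20"))
```

The "warning" outcome is the one a role redesign alone cannot fix: only adding the authorization check to the custom code (or a compensating control) closes it.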
Page 8
Our experiences
Divestiture or Spin Complexities: sample scope
- $17bn multinational electricity and gas utility company: separation of a state-owned utility subsidiary to another publicly listed utility company
- Automotive supplier carved out from a Fortune 100 diversified industrial company
- Consumer packaged goods company that underwent a series of divestitures
Page 9
Page 10
Sample role / transactions from AP testing log, plotted by Frequency against Risk Impact (ratings from Low (1) to High (5)): Enter Time Sheet; Display PM Orders; Change Batch Info.; Display Material Master; Change Customer Contact Person; Process Sales Orders; Post Entries in General Ledger; Change Customer Delivery; Change PM Orders; Stock Overview; Display Proc. Contract; Profit Center Reporting. Low-frequency, low-impact items: exclude material.
Page 11
Risk ranking matrix (axes: Risk Impact and Operational importance, each Low (rating 1) to High (rating 5)). Response options by quadrant: Retire or find process alternative / compensating control; Custom solutions or TSA; Minimal effort needed; Monitoring / Compensating control.
Page 12
Technical solutions (User exits, include Auth. Object into code); TSA.
Approach steps: Define objectives; Evaluate risks and impact; Identify solutions; Implement solutions.
Page 13
Tools
- EY Security Assessment Workbench (see appendix)
- Spin milestones
- EY Global Audit Methodology
Page 14
MICHAEL PORTER
Partner
Risk Transformation
Phone: +1 317 681 7223
E-mail: michael.porter@ey.com
Engagement Experience
- Extensive experience in leading internal controls design and implementation of SAP controls and security for large companies, including life sciences and global Fortune 100 companies. Primary responsibilities included providing security and internal control expertise with a focus on automating internal controls during business transformations.
- Led the SAP internal controls, GRC and security team for a major US water utility. The implementation included designing automated SAP controls and segregation of duties controls, as well as implementing SAP GRC Access Controls and Process Controls.
- Leading the team implementing GRC 10.1 at a global company, integrating Access Controls and Process Controls, as well as leading the global design of controls to increase the percentage of automated controls and help the company lower the total cost of compliance.
- Extensive experience in performing service organization reporting engagements (formerly SAS 70s), as well as serving as Engagement Partner and Pre-Issuance Quality Review Partner on multiple SAS 70s covering industries including utilities, manufacturing and financial services.
- Served as the Midwest Region's Third Party Reporting Practice Leader. Responsibilities included leading the largest Third Party Reporting business within E&Y North America, providing training and quality oversight for engagements, and helping companies determine the appropriate Third Party Reporting solution to meet their needs. Experience includes SAS 70/SOC 1 reports, AT 101 custom criteria reports and Agreed-Upon Procedures reports.
- Serves as the ITRA Practice Leader for the state of Indiana. Responsibilities include providing quality client service for global companies and other priority accounts, managing the day-to-day operations of the E&Y Indiana ITRA practice (including sales growth and recruiting), and providing IT risk management leadership in the marketplace.
- Experience in leading third party reporting classroom training and in teaching ERP internal controls classes to large companies and at the Ernst & Young National Education Center.
- Extensive experience performing pre- and post-implementation reviews for companies implementing ERP systems to identify risks and mitigating ERP controls.
- Experience in various ERP packages, specializing in SAP, including implementing SAP GRC Access Control and Process Control v10.
- Experience in leading the security testing activities for a global SAP implementation. Activities included developing a security testing plan and managing a team to execute the plan to test the effectiveness of the security design.
BRIAN ZIEGLER
Senior Manager
Risk Transformation SAP Security
Phone: +1 773 726 4729
E-mail: brian.ziegler@ey.com
Project Management
- Liaised with two site accounting managers in major automotive manufacturing plants to resolve accounting and month-end close processes
- Served as project manager for a multifunctional SAP support model, helping with HR, SD, FI/CO, ETM, PS and MM resources, with responsibility for over $2 million in annualized billings
- Served for three years as on-site functional Sales and Distribution liaison
- Assisted a client with a managed service transaction spin by performing logical separation of security roles, reviewing risk and assisting on the appropriateness of the transaction service agreement, non-disclosure agreement and overall security design
- Developed functional design documents and technical design documents; led off-shore and on-shore teams through initial and full life cycle implementations
- Developed scalable security models that could be leveraged for cross-functional implementations and were designed for sustainability
- Managed production support defects and role design changes for a large-scale (20,000 users) implementation
- Strong experience in a variety of functions, including Finance, Supply Chain, Human Resources, and Business Planning and Consolidations
- Evaluated SoD rule sets for false positives and false negatives, tailoring the rule set to appropriately identify and remediate or mitigate the relevant risks
- Assisted with custom transaction review procedures and added custom transactions to rule sets
- Developed training materials for a large community (1000+) of end users in GRC 10.0 User Access Management
EDWARD CAMPBELL
Senior Manager
Risk - Internal Audit
Phone: +1 610 613 8081
E-mail: ed.campbell@ey.com
Engagement experience
For two multi-billion dollar Chemicals/Industrial Products companies Ed led Internal Audit transformation activities by advising on changes to IA vision, people model, delivery model and IA enabling technologies. He was responsible for developing and defining short-term and long-term internal audit plans, performing company-wide risk assessments and special projects. Ed has broad Internal Audit experience in teaming with Subject Matter Resources to execute diverse risk-based reviews, including Sustainability Assurance, Anti-bribery/Anti-Corruption, Data Quality Assessments, IT security assessments, Attack and Penetration, Social Engineering, Cloud Computing, and multi-stage system development lifecycle reviews.
Ed has led and performed Internal and External Audit support during pre/post transaction events for large national and multi-national companies. As part of the external audit team Ed has led technology and control reviews supporting retroactive financial statement carve-out audits, as well as data analytics in support of SEC filings. In this role Ed has also performed reviews of acquisition company controls for the purposes of ICFR readiness. On multiple Internal Audit clients Ed has performed security, data and other system reviews, as well as business process controls and project governance audits for company spin-offs and separation (future SEC registrant) transactions.
Ed is a leader in our Financial Audit IT Integration (FAIT) competency. Ed has deep experience in supporting our External Financial Audit teams' work around technology risk and our ICFR opinion. Ed has supported the development of our FAIT transformation program and methodology. He is a quality leader supporting our Internal Quality programs, including our PCAOB inspection process. Ed has also led teams through risk and control identification, process flow documentation, and understanding the flow of information in business processes as an internal controls specialist (internal project). As part of the financial audit process, Ed has conducted hundreds of reviews of internal controls for compliance under Section 404 of the Sarbanes-Oxley Act. Federal Government projects also include performing audits using the FISCAM methodology.
Ed has experience in the planning, execution and implementation of data analytics programs, as well as data governance and data quality assessments. For a Fortune 500 global consumer products company, Ed developed a framework for the application of data analytics in the internal audit process. For a utilities company in the water and wastewater industry, he managed a data quality assessment across six key business processes as part of a company-wide Business Transformation.
Performed independent verification and third-party reporting procedures through Service Organization Reporting reviews for a patient Bill Review and Case Management Service Company, as well as state-level Medicaid processors. Responsibilities included evaluating the design of and testing the operational effectiveness of transaction processing, application-specific controls, access (physical and logical) controls, and program change controls.
SONNY ORIGITANO
Senior Manager
Transaction Advisory Services IT spins and divestitures
Phone: +1 312 879 2852
E-mail: sonny.origitano@ey.com
Engagement experience
- Led the IT workstream through a $14.2 billion global transaction separating a business unit in the life sciences industry, including TSA development and costing and separation strategy and planning for Day 1 operations.
- Supported a Fortune 200 CPG organization through multiple separations of business units, including strategy and execution in preparation for Day One. Developed one-time cost estimates, TSAs and work plans to support Day One. Worked closely with IT and Internal Audit to identify and resolve security issues on SAP during the TSA period.
- Assisted the Enterprise Shared Service organization (Marketing, Finance, IT and HR) of a Life Sciences company through the separation of its global joint venture platform. Supported the development of TSAs, the Day 1 operating model and transition planning to the buyer.
- Supported a Fortune 200 Global Resource organization through the divestiture of its Diamond Mine asset, including TSA development and separation strategy for Day 1 operations. Collaborated with resources globally to identify and implement solutions in support of the transaction.
- Assisted a Private Equity acquisition of a design and retail footwear carve-out from a Fortune 500 CPG company, including development of the financial model for one-time expense and run-rate operations as a stand-alone organization, as well as operational issues for TSA consideration.
- Assisted a Fortune 500 CPG company through the carve-out and separation of a business unit. Led the IT and marketing workstream through cost identification, TSA development, operational preparation and execution of the pre-Day One projects. Assisted the seller in identifying and recovering more than $3M in TSA and pre-Day One cost efforts.
Page 19
Prior spin engagements (table). Columns: Description of SpinCo | Number of Countries | Duration | SpinCo Revenue | Logically Separate | Day 1 Support Model (Clone (w/o data), New, TSA, SpinCo owned) | Notes
SpinCos listed: Nutritional products; Professional Wound Care Business; Performance Chemicals; Animal health business; Pharmaceutical business
Values shown in the table (row assignment not recoverable): countries 59, 34, 50+, 70, 100+; durations 6-9 Months, 15 Months, 6 Months; revenues $3-4B, $1-2B, $5-6B, $4-5B, $2B
A $17B multinational electricity and gas utility company wanted to carve out a part of the business. EY's intimate knowledge of the client's controls environment and compliance requirements, supplemented by deep relationships, led to further assisting with a state-owned utility separation project. At the beginning of this project another vendor was selected to provide recommendations. After two months with little progress, the client opted to choose EY instead and gave six months to complete the project. The state gave the utility company a very short separation timeline.
Approach
- Helped the utility design SAP security roles in Finance, Supply Chain, and Human Resources using a logical separation
- Assisted in standing up an appropriate level of security to separate financial and employee security data while adhering to the contractual terms of the logical separation
- Met the State's mandate of standing up a logical separation on the spin date
- Secured separation of employee and financial data, protecting confidence in finance, human resources, and supply chain
Results
Page 21
- Provided roles and user profiles for over 2000 users, using both SAP and identity management profiles, for the new entity until they could be moved to a separate SAP instance
A Fortune 100 diversified industrial company wanted to carve out one of its loss-making product lines. The company had a single instance of SAP with open access, without limitations by organizational structures (company codes, profit centers, plants, etc.). The deal had the following complexities:
- Very short window for closing the transaction
- Users were spread across North America and Europe
- No prior experience of divestitures in the IT organization
Approach
- Proposed logical separation of the NewCo in SAP with the following changes in the security / access of NewCo users
- Identified transactions, reports and roles used by the NewCo users on a regular basis
- Assisted client teams in designing and testing new profiles for users which limited access to just the NewCo data
- Worked with SSC teams to create a process to run reports or transactions where access could not be modified
Results
Page 22
- Operational separation was completed in nine months (security separation took 4-5 months), with the deal being closed on time
- Users did not experience much change in their daily operations, as they could use existing reports and transactions
- The parent company was able to restrict access to its data by NewCo users on Day One
- The new process to run reports and transactions with the SSC helped overcome any issues with the new profiles
Page 23
The consumer goods company was divesting a business unit running on a single global instance of SAP. The buyer ran an Oracle environment, with different Oracle configurations supporting its business.
The goal for SAP security on Day 1 was to allow the consumer goods company to continue to operate the business as usual, while allowing the divested entity to operate under the TSA. Additionally, the consumer goods company wanted to secure its data from access by the divested entity.
Approach
- Internal Audit and the PMO partnered to assist in identifying the impact on existing controls as a result of the divestiture across Finance, Information Technology, Human Resources and Purchasing
- It was determined that new user IDs were not required for the divested employees, as SAP User Groups were leveraged. New security roles were built as needed, and roles and reports were modified to remove access to non-divested data
Results
- Internal Audit drafted a risk profile with 51 identified risks and confirmed that management had defined mitigating actions for each risk
- As a result, Information Technology created a non-disclosure agreement for the buyer, who will have access to certain applications and specifically one role that allows display of invoices across company codes
Page 24
Page 25
Page 26
Task Catalog
EY's task-based role model accelerator is the foundation for a flexible model, defining security around the actions and process steps that users perform within business processes and resulting in a role structure that can be understood by the business user community. This model is designed for rapid deployment using roles that do not have SoD conflicts and can be readily mapped to positions.
Process | Task | Transaction Code | Transaction Description
Purchasing | Create and Change Purchase Orders | ME21 | Create Purchase Order
Purchasing | Create and Change Purchase Orders | ME21N | Create Purchase Order
Purchasing | Create and Change Purchase Orders | ME22 | Change Purchase Order
Purchasing | Create and Change Purchase Orders | ME22N | Change Purchase Order
Purchasing | Create and Change Purchase Orders | ME24 | Maintain Purchase Order Supplement
Purchasing | Create and Change Purchase Requisitions | ME51 | Create Purchase Requisition
Purchasing | Create and Change Purchase Requisitions | ME51N | Create Purchase Requisition
Purchasing | Create and Change Purchase Requisitions | ME52 | Change Purchase Requisition
Purchasing | Create and Change Purchase Requisitions | ME52N | Change Purchase Requisition
Purchasing | | ME31 | Create Contract
Purchasing | | ME31K | Create Contract
Purchasing | | ME32 | Change Contract
Purchasing | | ME32K | Change Contract
Page 27
Page 28
Organizational levels (structure diagram): Company code; Controlling (CO); Shipping point; Purchasing organization; Plant (four shown); Personnel organization; Warehouse number
Page 29