The regulations, such as the Sarbanes-Oxley Act, require companies to document their business processes, identify risks and define controls to mitigate them, and regularly demonstrate the effectiveness of those controls.

To comply with these regulations and to protect the integrity of the business data, the organizations need to go beyond the static documentation of internal controls to actively ensuring that they are effectively guarding against fraud and errors, while streamlining business processes to reduce costs and inefficiencies.

Sarbanes–Oxley (SOX) 2002 Act History

• Known as the “Public Company Accounting Reform and Investor Protection Act”.
• Issued in as a response to a number of major corporate and accounting scandals Enron, Tyco International, WorldCom.
• Since then SOX-type laws have been subsequently enacted in Japan, Germany, France, Italy, Australia, Israel, India, South Africa, and Turkey.
• Sections 3. Corporate Responsibility (accuracy and validity of FS) and 4. Enhanced Financial Disclosures (off balance sheet) are directly related to system functions.

The most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt

Signed with comments from the US president Into Law

Compliance and SOX. What’s it all about?

Expects	Greater scrutiny Shareholder protection Legal responsibility from the finance system (people, processes, and technology)
Demands	Increased visibility and control Decreased cycle times Improved forecasting accuracy and timeliness
Rewards	Reduced costs Greater transparency Increased accuracy

Controls Already Delivered by SAP

Inherent Controls Integrated balanced posting Real time online data and Document Principle Monitor questionable postings for review and approval System retained transaction, program change, and configuration history Internal controls structure monitoring

Configurable Controls Edit checks and tolerances Required and system populated fields Defaulted and predefined master data Reason codes User defined error/warning messages Automatic integrated posting following predefined posting keys Workflow

Reporting Controls Timely closing process monitoring capabilities Delivered standard reports contained in easily accessible report tree Context sensitive help XBRL reporting capability System supplied auditing capabilities Audit trails Changed document log Document flow

Security Controls (via SAP GRC) Flexible user access and permissions to programs, transactions, tables, and fields Both coarse and fine-grain authorization management including segregation of duties via comprehensive authorization mechanism Detection and prevention of unauthorized access Includes a Delivered toolkit to promote efficient, effective creation and maintenance of user profiles and assignments

SAP Governance, Risk, and Compliance (GRC)

SAP GRC helps organizations enhance their governance, risk and compliance (GRC) processes. The product suite contains a set of tools which allow risk and compliance teams to effectively, proactively, and pervasively manage risks and controls within a single platform.

SAP GRC is an advanced set of technology solution that enables you to turn your policies and procedures into automated processes, ensuring that policies do not simply exist on paper but are automatically implemented as part of your workflow.

• Access Control (AC)
• Process Control (PC)
• Risk Management (RM)

Are three integrated modules allowing pervasive risk management across business processes and user access activities by enhancing key automated monitoring and risk reporting capabilities.

Vinci Solutions help organizations evaluate and implement GRC solutions.

Understanding how the technology you have supports compliance will enable you to be proactive in dealing with regulatory issues.

The implementation process includes:

• Technical installation of the products;
• Configuration and deployment of the complete GRC suite, including:
  • Analyze and Manage Access Risks,
  • Provision and Manage Users,
  • Design and Manage Roles, and
  • Centralized Emergency Access;
• Workshops with key business process owners to adjust delivered Segregation of Duties (SoD) risk levels to reflect company's unique requirements;
• Adjustments of SAP transactions included in the different Segregation of Duties definitions;
• Integration custom SAP transactions into company's SoD rule set;
• Project management and coordination among executive management, IT, business teams, and auditors to obtain input on Segregation of Duties risk levels, and the workflow approval process;
• Training on SAP Governance, Risk and Compliance and Best Practices;
• Access risk mitigation across multiple ERPs;
• Performing Segregation of Duties simulations for role-level and user-level changes to determine the impact of removing sensitive or conflicting transactions.