Gathering the documentation needed to prove what did and didn’t happen during the course of a year for Sarbanes-Oxley audits can be an arduous process. IT departments must be able to reconstruct the full history behind the year's business, including who did what and on whose authority. That means producing reports demanded by auditors that show, for example, when and by what authority certain access privileges were granted or revoked, or which employees approved and invoiced new suppliers.
At Abiomed, a $73 million medical device company, the 12-member IT staff was always frantic at audit time, says CIO Sharon Kaiser. Like many companies, Abiomed documented changes to a business or IT process, but not all in one place, making it challenging to track approvals. When auditors from Deloitte and Touche conducted yearly reviews, they first had to identify all the changes made in the prior 12 months. Then they had to request additional reports from the IT group showing why those changes were made and who authorized them.
“Auditors look at risk and how you manage it. We have to make sure documentation is there to explain,” Kaiser says.
To streamline the annual audit, Abiomed’s IT department compiled quarterly Excel spreadsheets documenting its segregation of duties. They then printed the reports and gave them to functional managers to review and sign. But that sometimes took weeks or months, Kaiser says.
Last December, Abiomed installed ControlPanelGRC, a compliance automation tool for SAP shops produced by SymSoft, an offshoot of Symmetry. The tool allows Abiomed to associate the changes made to SAP with their backstories. For example, the tool documents changes made to Abiomed’s SAP installation, along with who requested each change and who from Abiomed’s change-review team approved it. When Deloitte and Touche shows up this year, the auditors will see both the SAP changes and this administrative information. No extra reports will be needed, Kaiser says.
With risks identified sooner and executives better able to decide how to proceed, Kaiser says compliance “is much more proactive than in the past.” She also expects to see monetary savings: “Auditors charge by the hour, and we do anticipate reducing auditor time.”
The SymSoft product is one of several tools that have evolved to automate compliance and monitoring since SOX went into effect. The newest, including the product Abiomed uses, are easier to configure and offer more dashboard reporting, says Chris McClean, an analyst at Forrester.
The SymSoft tool flags potential SOX control violations, such as the same person adding a vendor to the SAP invoicing system and then generating an invoice for that vendor. The segregation-of-duties controls companies adopt to satisfy SOX require that those two actions be performed by different people or, if one person must do both, that a manager approve them. The software routes a notification of each such instance to Kaiser or other executives for review as it occurs, and holds the workflow until an appropriate party signs off on it.
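The check described above, reduced to its essentials, as an added example that is not code from the article or from SymSoft's product: a small segregation-of-duties monitor reads a constructed audit trail, records who created each vendor, holds any invoice raised against that vendor by the same user, and releases the hold only when someone else approves it. The log format, field names, user names and the rule that the conflicting user may not approve their own hold are assumptions for the demonstration.

```python
# Added example, not the article's or SymSoft's code. Audit record layout,
# user names and the self-approval rule are assumptions for this demonstration.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    action: str   # "vendor_created" or "invoice_created"
    vendor: str   # vendor identifier the event concerns
    ref: str      # invoice number for invoice_created, vendor id otherwise


def parse_line(line: str) -> Event:
    """Parse one pipe-delimited audit record: ts|user|action|vendor|ref (assumed format)."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        raise ValueError(f"malformed audit record: {line!r}")
    return Event(*parts)


@dataclass
class Hold:
    invoice: Event
    reason: str
    approved_by: Optional[str] = None


class SodMonitor:
    """Tracks who created each vendor and gates invoices that conflict with it."""

    def __init__(self) -> None:
        self.vendor_creator: Dict[str, str] = {}   # vendor id -> user who created it
        self.holds: Dict[str, Hold] = {}           # invoice ref -> open hold
        self.released: List[str] = []              # invoices allowed to proceed, in order

    def ingest(self, ev: Event) -> Optional[Hold]:
        """Process one event; return a Hold if the event is blocked pending approval."""
        if ev.action == "vendor_created":
            self.vendor_creator[ev.vendor] = ev.user
            return None
        if ev.action == "invoice_created":
            # The conflict: the invoicing user is also the vendor's creator.
            # An invoice against a vendor with no recorded creator is not held here.
            if self.vendor_creator.get(ev.vendor) == ev.user:
                hold = Hold(ev, f"{ev.user} created vendor {ev.vendor} and raised invoice {ev.ref}")
                self.holds[ev.ref] = hold
                return hold
            self.released.append(ev.ref)
            return None
        raise ValueError(f"unknown action {ev.action!r}")

    def approve(self, invoice_ref: str, approver: str) -> Hold:
        """Release a held invoice; the user who caused the conflict may not approve it."""
        hold = self.holds[invoice_ref]
        if approver == hold.invoice.user:
            raise PermissionError(f"{approver} cannot approve a conflict they caused")
        hold.approved_by = approver
        self.released.append(invoice_ref)
        del self.holds[invoice_ref]
        return hold


# Constructed sample audit trail (not real data): alice both creates vendor V100
# and invoices it, which must be held; her invoice against bob's vendor is fine.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z|alice|vendor_created|V100|V100
2024-03-01T09:05:00Z|bob|vendor_created|V200|V200
2024-03-01T10:00:00Z|alice|invoice_created|V100|INV-1
2024-03-01T10:10:00Z|alice|invoice_created|V200|INV-2
2024-03-01T10:20:00Z|carol|invoice_created|V100|INV-3
"""


def run_sample() -> dict:
    """Replay the sample log, attempt a self-approval, then a manager approval."""
    mon = SodMonitor()
    held = []
    for line in SAMPLE_LOG.splitlines():
        hold = mon.ingest(parse_line(line))
        if hold:
            held.append(hold.invoice.ref)
    self_approval_blocked = False
    try:
        mon.approve("INV-1", "alice")          # the conflicting user tries to sign off
    except PermissionError:
        self_approval_blocked = True
    released = mon.approve("INV-1", "mgr1")    # a different party (assumed manager) signs off
    return {
        "held_at_ingest": held,
        "self_approval_blocked": self_approval_blocked,
        "approved_by": released.approved_by,
        "released": list(mon.released),
        "open_holds": len(mon.holds),
    }


if __name__ == "__main__":
    print(run_sample())
```

The monitor keys conflicts on the vendor identifier rather than on a free-text vendor name, so a user cannot slip past the rule by re-keying the vendor's name differently on the invoice; in a real SAP integration the same two fields would come from the vendor master and the invoice document.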
SAP offers a governance module that can be bought separately from its ERP software but, according to Kaiser, it’s likely pricier than the SymSoft product. McClean says that’s because compliance tools native to SAP, Oracle and other ERP suites don’t always account for all the industry-specific rules some companies need to meet. “In some cases, these products need a substantial amount of additional configuration, which means a higher total cost,” he says.