
GRC for the Little Guys: How Abiomed Solved its SOX Compliance Challenges


DESCRIPTION

Like many smaller, regulated enterprises, medical device manufacturer Abiomed is required to operate its SAP systems according to the same standards as large publicly traded enterprises under Sarbanes-Oxley (SOX) legislation. With a small IT staff and numerous initiatives, Abiomed was able to turn "pain into gain" with several strategies that kept its Total Cost of Compliance within reason. Join Sharon Kaiser, CIO at Abiomed, and Dan Wilhelms, President of SymSoft, to learn how Abiomed:

• Established a pro-active working relationship with its internal and external auditors
• Utilized new GRC software solutions
• Tactically used external resources to streamline costs and turn its compliance mandates into a strategic asset.


Page 1: GRC for the Little Guys: How Abiomed Solved its SOX Compliance Challenges

Professional Solutions for Compliance Automation

www.ControlPanelGRC.com

GRC for the Little Guys. How Abiomed faces its compliance reporting challenges.

Sharon Kaiser, CIO, Abiomed
Dan Wilhelms, CEO, SymSoft Corporation

Page 2

Page 3

Introducing

Dan Wilhelms, President – SymSoft
Sharon Kaiser, CIO – Abiomed

Page 4

Agenda

• About Abiomed & SymSoft Corporation
• What is Sarbanes-Oxley (SOX) compliance?
• Why SMEs should care
• Getting started with SOX: 5 things SMEs can do
• Abiomed’s Situation
• Abiomed’s Challenges
• Organizational Compliance Goals
• Solution Selected
• Solution Implemented
• Results
• Best Practices
• Questions

Page 5

About Abiomed

• Abiomed (NASDAQ: ABMD) is a global technology leader focused on RECOVERING HEARTS AND SAVING LIVES

• The company develops, manufactures and markets advanced medical technologies designed to assist or replace the pumping function of the failing heart

• Abiomed Market Overview
  • Global leader for products in acute heart failure market
  • Ships more Ventricular Assist Devices (VADs) than any other company worldwide

Page 6

Who is Abiomed

• Medical Device manufacturer headquartered in Massachusetts with additional mfg facility in Germany

• 300+ employees
• Experts in pumping blood for over 25 years
• World’s smallest heart pumps for cardiologists and surgeons
• Over 200 patents or patents pending from over $200m in R&D
• Over 12,000 patients supported in over 40 countries worldwide

Timeline (from the slide graphic):

1981 Abiomed founded
1987 First heart recovery patient
1992 First FDA-approved VAD
2001 First AbioCor artificial heart patient
2005 Impella available in Europe
2008 Impella 2.5 FDA cleared in U.S. for broad clinical use
2009 Impella 5.0 available in U.S. for broad clinical use
2009 AB Portable™ driver FDA approved and first patient discharge
2010 Impella® 2.5: >1,700 patients and in over 350 hospitals in the U.S.

Page 7

About SymSoft Corporation

• Makers of Governance, Risk and Compliance (GRC) solutions for SAP environments

• Spin-off of Milwaukee-based Symmetry Corporation
  • 14 years of technical implementation solutions for the SAP and Enterprise Security marketplace
  • One of the largest dedicated SAP Basis/security consulting organizations in the U.S.
  • 10 years of software development and marketing experience
  • Previous reseller of Virsa (now SAP GRC)
  • 200 SAP implementations
  • 90 outsourcing customers
  • SAP Certified Hosting Partner

Page 8

Agenda

Page 9

The Sarbanes-Oxley Act of 2002

• “Since when is it illegal to shaft innocent people for personal gain?” - 2002


Page 10

About the Sarbanes-Oxley Act of 2002

• What is the intent of the Act?
  • Creation of a new standard for reporting of internal control effectiveness, design, and documentation
  • Creation of management accountability for internal controls
• Which companies are required to comply?
  • Companies publicly traded on U.S. stock exchanges
  • Regulated industries (e.g. food, pharmaceutical, hazmat)
• Which sections are applicable to SAP operations?
  • Section 404 requires CEO, CFO, and auditors to confirm the design and effectiveness of internal controls

Page 11

Section 404 Compliance

• Four parts to Section 404 compliance
  1. Take an inventory of internal controls
    • Where are they sufficient and deficient?
    • Assess those controls against a framework to measure or rate their effectiveness
  2. Document how the controls have been assessed
    • Policies and procedures will be used to remedy any control deficiencies
  3. Test to ensure that the controls work as intended
  4. Management must incorporate phase 1-3 activities into a formal report

… “Establishing and maintaining an adequate internal control structure” … From Section 404

Page 12

Differences Between Controls

• What’s the difference between a preventative and a mitigating control?
  • Preventative controls prohibit inappropriate access
    • Authorizations, configuration, user-exits, and so on
  • Mitigating controls rely on other processes to identify inconsistencies
    • You’re allowed to do something potentially wrong, but we can track what you did
    • Alerts, periodic reporting, system monitoring

Page 13

What Are Segregation of Duty (SOD) Controls?

• Primary control of Section 404 intended to prevent or decrease the risk of errors or irregularities
• Requires the assignment of conflicting “duties” to different employees
• Generally involve transactions that permit data modification
• Examples:
  • Creation of vendor and purchase order could result in purchase orders being issued to fictitious vendors
  • Creation of purchase order and ability to receive goods could result in goods being procured for personal instead of business reasons

Page 14

What Are Excessive Access Controls?

• Primary control of Section 404 intended to prevent or decrease the risk of errors or irregularities
• Authorization to sensitive transactions or authorizations that are not required for normal job function
• Authorization to sensitive system functions that could impact data confidentiality, availability, and integrity
• Generally permit data modification
• Examples:
  • Customer service representatives should not be able to create vendors
  • End users should not have S_ADMI_FCD with value of “RSET” because they could delete data without archiving

Page 15

The “New” World with Management Involvement

Page 16

Agenda

Page 17

Why Should You Care About SOX Compliance?

• Documentation
  • Documented business processes work better
  • Documentation provides training for new employees
  • Increases efficiency by identifying processes required for completion
• Reduction in errors
  • Users are restricted to authorized functions and therefore cannot accidentally change or delete data
  • Example: Accidental modification to vendor address impacts delivery of AP payments

Page 18

Why Should You Care About SOX Compliance?

• Cost of errors
  • Inappropriate access can lead to invalid transaction processing
  • Example: Incorrectly scrapped materials may be re-manufactured to ensure availability for customer resale
• Loss of customers
  • Incorrect documents can be sent to partners via invalid transaction processing
  • Example: Accidental modification of customer address impacts delivery location for sales orders
• Fraud happens
  • Fraud can impact all levels of an organization
  • Example: Warehouse employee could receive goods and then hide them by adjusting the physical inventory count

Page 19

Why Should You Care About SOX Compliance?

• Protection of trade secrets
  • Excessive access can allow users to download information related to proprietary processes or methodologies that are not required in their job function
  • Example: Employees with excessive authorization could download company recipes before accepting a new position at a competitor
• Preserve confidential information
  • Excessive access can allow users to view sensitive company data, including customer pricing, material costs, or employee master data
  • Example: Employee with inappropriate access could review their performance appraisal before it has been completed

Page 20

Getting Started with SOX

• Focus more on documenting and maintaining your business processes
  • Develop formal requirements for documentation and controls for business processes
• Think about how to measure and control the execution of your business processes
  • Start at “what could go wrong” and work back to reports that can identify instances
• Implement controls and recommendations detailed in “The 5 Things SMEs Can Do”

Page 21

5 Things SMEs Can Do

• Monitor security
• Implement parameters for logons and passwords
• Reduce sensitive authorizations
• Establish security change controls and documentation
• Implement periodic user maintenance processes

Page 22

Agenda

Page 23

Abiomed’s Situation

• Abiomed is a small company but publicly traded, requiring compliance with the Sarbanes-Oxley Act
• Risk management is a high priority for Abiomed’s controller
• After years of bottom-up SOX controls, we wanted to focus on more top-down, broader risk-based controls
• We needed something affordable that could help in three major areas:
  • Cost Reduction and Efficiencies
  • Risks and Mitigation
  • Compliance & Reporting

Page 24

Abiomed’s Challenges

• Being such a small company, we were constantly struggling with identifying and managing our SOD (segregation of duties) issues on a global basis – US and Europe

• Most of our IT general controls were managed manually and tested manually

• Information was available, but limited and hard to obtain making compliance reporting labor intensive, both for IT and for our business partners

• We have a very limited IT staff that has to be knowledgeable of, and stay on top of, IT SOX controls on a daily basis

• A substantial amount of IT time is required, in a short period of time, to prepare for and support the SOX audits


Page 25

Goal 1. Cost Reductions and Efficiencies

• Objectives:
  • Reduce the time, expense, and distractions associated with audits and allow more time on higher value work
  • Automate data gathering, monitoring and reporting
  • Automate and streamline user and role maintenance in SAP
• Challenges:
  • Some audit requests required data reconstruction
  • Audit test data requests had to be pulled manually and were highly labor intensive
  • Quarterly SOD reports had to be compiled and distributed manually, requiring constant and repeated follow-up to obtain approvals

Page 26

Goal 2. Risks and Mitigation

• Objectives:
  • Eliminate potential audit risks due to complex user access requirements
  • Consolidate data and processes
  • Provide more efficient and timely review of SAP emergency access and super roles
• Challenges:
  • Some functional owners didn’t understand the content of the SOD reports or the purpose of their review, or even initial approval of role requests
  • Change management transports required routing and approval from multiple business owners
  • Emergency access review was conducted monthly by manual review – too late to really question or prevent abuse

Page 27

Goal 3. Compliance & Reporting

• Objectives:
  • Ensure Abiomed is meeting requirements
  • Automate monitoring and reporting
  • Move to exception based reporting
  • Provide on-line, on-demand reporting and review capability
  • Provide more information, with higher value and less work
• Challenges:
  • Native compliance reporting in SAP difficult to obtain, usually requiring reformatting and manual compilation
  • Data was for the most part available, but hard to find, extract and report

Page 28

Solution Selected: Why SymSoft was Chosen

• Read a lot of press on governance and risk mitigation solutions
• Didn’t feel Abiomed could internally justify ‘any’ purchase
  • Too many competing requests for funds in a growing business required to support R&D and manufacturing
• Symmetry had done a webinar to our controller and sold the benefits of SymSoft months earlier
• SymSoft later made a reasonable offer that we just couldn’t turn down
• We decided to leverage our existing partnership with Symmetry and evolve to the next level with SymSoft

Page 29

Agenda

Page 30

Solution Implemented

• One Solution – “2nd Generation” SymSoft ControlPanelGRC – met Abiomed’s needs; multiple components; written in ABAP
  • Risk Analyzer – SOD and sensitive authorization analysis
  • Usage Analyzer – Tracking & reporting of actual system usage
  • Transport Manager – Automates change request process via workflow, with audit trail
  • User and Role Manager – Automated workflows to optimize security administration
  • Emergency Access Manager – Temporary authorization and tracking to troubleshoot production issues
  • AutoAuditor – Automated execution and delivery of compliance reports
  • Batch Manager – Central scheduling and monitoring of batch jobs

Page 31

Drill Down: Risk Analyzer

• Comes with a set of pre-defined business rules that can be customized based on Abiomed’s specific needs
• Allows real-time review of SOD and sensitive authorization risks
• Routes new role requests to a designated functional owner identifying any potential risk identified by the Rulebook
• Real life Abiomed example: Prior to a recent audit, I needed to identify and provide information regarding an identified risk:
  • Does any user have the ability to create a sales order and the ability to change a customer’s credit limit?

Page 32

The Risk was Already Defined in Abiomed’s Rulebook

Page 33

Was Able to Identify Functions Identified for the Risk

Page 34

Was then Able to Locate Users That Could Violate Risk

Page 35

Can Even Identify if a User has Executed the Risk
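The drill-down on pages 31 to 35 (the Rulebook defines the risk, the risk is made of functions, users holding every function are the ones who could violate it, and the usage log shows whether anyone actually did) and the SOD and excessive-access examples on pages 13 and 14 can be exercised as plain code. The Python below is an added example written for this page; it is not SymSoft's ControlPanelGRC (which is written in ABAP) and not Abiomed's Rulebook. The risk ids, function names, role names, user ids and the usage log are constructed; the transaction codes (XK01, FK01, ME21N, ME21, MIGO, MB01, VA01, FD32, SE38) and the S_ADMI_FCD/RSET authorization are standard SAP identifiers used as illustration. Holding both sides of a conflict is what a preventive control blocks at role assignment (page 12); `executed_risk` is the mitigating view, the event periodic reporting has to surface.

```python
# SoD / sensitive-authorization analysis over role assignments and a usage log.
# Added example, not SymSoft or Abiomed code. Rulebook, roles, users and the
# usage log are constructed; transaction codes are standard SAP codes.

# Business functions and the transaction codes that grant them
# (function names are hypothetical).
FUNCTIONS = {
    "CREATE_VENDOR":       {"XK01", "FK01"},   # vendor master create
    "CREATE_PO":           {"ME21N", "ME21"},  # purchase order create
    "GOODS_RECEIPT":       {"MIGO", "MB01"},   # goods receipt
    "CREATE_SALES_ORDER":  {"VA01"},
    "CHANGE_CREDIT_LIMIT": {"FD32"},           # customer credit management
}

# Rulebook: risk id -> (description, conflicting functions). A user carries
# the risk only when every listed function is granted (pages 13 and 31).
RULEBOOK = {
    "P001": ("PO to fictitious vendor",       ["CREATE_VENDOR", "CREATE_PO"]),
    "P002": ("Procurement for personal use",  ["CREATE_PO", "GOODS_RECEIPT"]),
    "S001": ("Sales order + customer credit", ["CREATE_SALES_ORDER", "CHANGE_CREDIT_LIMIT"]),
}

# Sensitive authorizations (excessive access, page 14): (object, value) -> why.
SENSITIVE_AUTHS = {
    ("S_ADMI_FCD", "RSET"): "can delete data without archiving",
}

# Constructed roles and user-to-role assignments.
ROLES = {
    "Z_PURCHASER":    {"tcodes": {"ME21N", "ME23N"}, "auths": set()},
    "Z_VENDOR_MAINT": {"tcodes": {"XK01", "XK02"},   "auths": set()},
    "Z_WAREHOUSE":    {"tcodes": {"MIGO"},           "auths": set()},
    "Z_SALES":        {"tcodes": {"VA01", "VA02"},   "auths": set()},
    "Z_CREDIT":       {"tcodes": {"FD32"},           "auths": set()},
    "Z_BASIS":        {"tcodes": {"SE38"},           "auths": {("S_ADMI_FCD", "RSET")}},
}
USERS = {
    "JDOE":   ["Z_SALES", "Z_CREDIT"],         # both sides of S001
    "ASMITH": ["Z_PURCHASER", "Z_WAREHOUSE"],  # both sides of P002
    "BLEE":   ["Z_PURCHASER"],                 # one side only: no finding
    "CSUPP":  ["Z_BASIS"],                     # sensitive authorization
}

# Constructed usage log: (user, tcode, date executed).
USAGE_LOG = [
    ("JDOE",   "VA01",  "2010-03-02"),
    ("JDOE",   "FD32",  "2010-03-09"),
    ("ASMITH", "ME21N", "2010-03-04"),
    ("CSUPP",  "SE38",  "2010-03-05"),
]


def user_tcodes(user):
    """Transaction codes a user holds through all assigned roles."""
    return set().union(*(ROLES[r]["tcodes"] for r in USERS[user]))


def user_auths(user):
    """(object, value) authorizations a user holds through all assigned roles."""
    return set().union(*(ROLES[r]["auths"] for r in USERS[user]))


def risk_functions(risk_id):
    """Page 33: the functions that make up a risk."""
    return RULEBOOK[risk_id][1]


def user_has_risk(user, risk_id):
    """True when the user can execute every function in the conflict."""
    held = user_tcodes(user)
    return all(held & FUNCTIONS[f] for f in risk_functions(risk_id))


def users_with_risk(risk_id):
    """Page 34: users who could violate the risk (the preventive view)."""
    return sorted(u for u in USERS if user_has_risk(u, risk_id))


def sod_violations():
    """User -> sorted risk ids; users with no finding are omitted."""
    findings = {}
    for u in USERS:
        risks = sorted(r for r in RULEBOOK if user_has_risk(u, r))
        if risks:
            findings[u] = risks
    return findings


def sensitive_auth_findings():
    """User -> sorted sensitive (object, value) pairs actually granted."""
    findings = {}
    for u in USERS:
        hits = sorted(a for a in user_auths(u) if a in SENSITIVE_AUTHS)
        if hits:
            findings[u] = hits
    return findings


def executed_risk(user, risk_id, log=USAGE_LOG):
    """Page 35: did the user run at least one tcode on every side of the
    conflict? Holding access is the risk; executing it is what a mitigating
    control (page 12) has to catch."""
    used = {t for (u, t, _) in log if u == user}
    return all(used & FUNCTIONS[f] for f in risk_functions(risk_id))


if __name__ == "__main__":
    for user, risks in sod_violations().items():
        for r in risks:
            print(f"{user}: {r} ({RULEBOOK[r][0]}) executed={executed_risk(user, r)}")
    for user, auths in sensitive_auth_findings().items():
        for obj, val in auths:
            print(f"{user}: {obj}={val}, {SENSITIVE_AUTHS[(obj, val)]}")
```

With the constructed data, JDOE is flagged for S001 and has executed both sides, ASMITH is flagged for P002 but has only created purchase orders so far, BLEE holds one side only and is not a finding, and CSUPP surfaces on the sensitive-authorization report rather than the SOD report. The design choice worth noting is that a risk is evaluated against the union of all of a user's roles: two individually clean roles can combine into a violation, which is why a rule check at role-request time (page 31) has to look at the resulting user, not the role in isolation.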


Page 36

Answering Goal 1. Cost Reduction and Efficiencies

• Automated processing of change request transports for review and approval
  • Abiomed has a specific requirement that 3 functional owners must review and approve any transport to production
• Configurable workflow to route requests to appropriate parties for review and approval
• Extensive change request tracking and reporting that allows easy access to details for our auditors
• Acceleration of day-to-day SAP security administration via workflow and automatic provisioning

Page 37

Return on Investment – Specific Results

• Reduced the time, expense, and distractions associated with manual audits
  • Actual 50% reduction in time spent by 3rd party pre-auditors
  • Reduction in internal staff time spent supporting ad hoc requests from external audit
  • Reduction in time spent analyzing and mitigating SOD issues
• Significantly reduced time spent on compiling, distributing and following-up on Abiomed quarterly SOD reports
  • One week prep time condensed to two hour review time by IT resource
  • Review and approval by 7 functional owners received within one week time period versus 5 months with paper process
  • Workflow distribution
  • Electronic approval documented and captured

Page 38

Answering Goal 2. Risks and Mitigation

• Real-time risk analysis and mitigation of authorizations for SOD and sensitive authorization risks

• Pre-defined and customizable Rulebook to meet Abiomed’s specific needs

• Automatic monitoring of transaction execution and alerts to compliance owners

• Integrated role management via workflows that provide risk analysis, owner approval and facilitated request processing

• Immediate notification for emergency access with activity monitoring and reporting


Page 39

Risk Mitigation – Specific Results

• Receive immediate notification of activation of Emergency Access (Firecall) activity
  • Previously, IT management team would meet monthly and review prior month’s firecall activity
  • Reviews are now done upon close of emergency access and any questions and potential mitigation activities can be timely
• During audit preparation, Risk Analyzer identified user with the ability to create a sales order and the ability to change a customer’s credit limit (previous example)
  • Was able to address and mitigate before actual audit started

Page 40

Answering Goal 3: Compliance and Reporting

• Scheduling and automatic execution of predefined or custom compliance reports, routed to predefined users for review
  • Sensitive role and profile assignments
  • Mitigating control assignments
  • Invalid logon attempts or initial passwords
  • User and role changes over a time period
• Management of batch jobs providing central scheduling and monitoring of batch processes
  • Provides documentation and monitoring of batch jobs
  • Notifies appropriate owners of job success or failure, with the appropriate details

Page 41

Compliance & Reporting – Specific Results

• Receive reports that are required to support defined audit controls, either from an event trigger or via a time requirement

• For example, the first of each month, IT management receives the following reports for review and analysis:
  • System Environment Report
  • Critical Authorizations Report
  • Inactive Logons
  • Non-Employee Logons
  • Users with SAP_ALL
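The monthly report list above is exception-based reporting over the user master (page 27's objective): each report lists only the users that deviate from policy, so an empty report is itself the good news. As an added example, not ControlPanelGRC's AutoAuditor and not Abiomed's report definitions, the Python below produces the user-related reports from pages 40 and 41 (inactive logons, non-employee logons, users with SAP_ALL, invalid logon attempts, initial passwords) over constructed user records. The UserRecord fields, the 90-day inactivity window, the failed-logon threshold of 3 and the user group names (EMPLOYEE, CONTRACTOR, SYSTEM) are assumptions; SAP_ALL and the dialog/system user types "A" and "B" are standard SAP values.

```python
# Exception-based monthly user reports over an SAP user master extract.
# Added example, not ControlPanelGRC/AutoAuditor code. Records, group names,
# the 90-day window and the failed-logon threshold are constructed assumptions.
from dataclasses import dataclass
from datetime import date
from typing import Optional, FrozenSet


@dataclass(frozen=True)
class UserRecord:
    name: str
    user_type: str              # SAP user type: "A" dialog, "B" system
    group: str                  # user group (constructed values)
    last_logon: Optional[date]  # None = never logged on
    profiles: FrozenSet[str]
    initial_password: bool      # password still the initial one set by an admin
    failed_logons: int          # consecutive failed logon attempts


# Constructed sample of a user master extract.
SAMPLE_USERS = [
    UserRecord("JDOE",    "A", "EMPLOYEE",   date(2010, 3, 28),  frozenset({"Z_SALES"}), False, 0),
    UserRecord("ASMITH",  "A", "EMPLOYEE",   date(2009, 11, 15), frozenset({"Z_PURCH"}), False, 5),
    UserRecord("CSUPP",   "A", "CONTRACTOR", date(2010, 3, 30),  frozenset({"SAP_ALL"}), False, 0),
    UserRecord("TEMP01",  "A", "EMPLOYEE",   None,               frozenset(),            True,  0),
    UserRecord("BATCH01", "B", "SYSTEM",     None,               frozenset({"SAP_ALL"}), False, 0),
]
AS_OF = date(2010, 4, 1)         # report run date (first of the month)
PERIOD_START = date(2010, 3, 1)  # start of the reporting month
INACTIVE_DAYS = 90
FAILED_LOGON_THRESHOLD = 3


def inactive_logons(users, as_of=AS_OF, days=INACTIVE_DAYS):
    """Dialog users with no logon in `days` days (or none ever).
    System users never log on interactively, so they are excluded here
    rather than reported as noise every month."""
    return sorted(u.name for u in users
                  if u.user_type == "A"
                  and (u.last_logon is None or (as_of - u.last_logon).days > days))


def users_with_sap_all(users):
    """Any user, dialog or system, holding the SAP_ALL profile."""
    return sorted(u.name for u in users if "SAP_ALL" in u.profiles)


def non_employee_logons(users, period_start=PERIOD_START):
    """Dialog users outside the EMPLOYEE group who logged on during the period."""
    return sorted(u.name for u in users
                  if u.user_type == "A" and u.group != "EMPLOYEE"
                  and u.last_logon is not None and u.last_logon >= period_start)


def invalid_logon_attempts(users, threshold=FAILED_LOGON_THRESHOLD):
    """Users whose failed-logon counter reached the threshold."""
    return sorted(u.name for u in users if u.failed_logons >= threshold)


def initial_passwords(users):
    """Users who have never changed the password an administrator set."""
    return sorted(u.name for u in users if u.initial_password)


def run_monthly(users, as_of=AS_OF, period_start=PERIOD_START):
    """Report name -> user list. Empty reports are dropped so that the
    reviewer only ever sees exceptions."""
    reports = {
        "Inactive Logons":        inactive_logons(users, as_of),
        "Non-Employee Logons":    non_employee_logons(users, period_start),
        "Users with SAP_ALL":     users_with_sap_all(users),
        "Invalid Logon Attempts": invalid_logon_attempts(users),
        "Initial Passwords":      initial_passwords(users),
    }
    return {name: rows for name, rows in reports.items() if rows}


if __name__ == "__main__":
    for name, rows in run_monthly(SAMPLE_USERS).items():
        print(f"{name}: {', '.join(rows)}")
```

On the constructed data ASMITH and TEMP01 are inactive, CSUPP shows up on both the non-employee and SAP_ALL reports, BATCH01 is reported for SAP_ALL but not for inactivity, and a clean user master yields an empty dictionary, which is the result a reviewer wants to receive.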


Page 42

What Abiomed Learned

• There are reasonably priced GRC solutions on the market to meet a small company’s requirements
• First, identify your goals and what you actually need
  • Find the solution that fits your goals and don’t overbuy
• Deployment was quick and painless – almost a non-event
  • Be prepared and plan the transition – change in processes? training requirements?
  • Understand what you are getting and determine what functionality you will use and how
• The controller and his team are all over risk mitigation – get the business involved and don’t make this an IT solution only
• SOX Audits don’t have to be quite so time consuming and painful!

Page 43

Best Practices

• Don’t tolerate energy sapping manual processes – look for a solution
• Seek to “embed compliance” – automate capture of audit data at the time of execution
• Enable ad hoc, on-demand audit reporting
• Look for tools that will streamline routine IT operations
  • More time supporting initiatives, less time “keeping the lights on”
• Embrace GRC – view it as a tool for innovation, not as a necessary evil
• Understand management’s need for GRC data
  • What does the CFO lose sleep over?

Page 44

Key Learnings

• Smaller publicly traded and other regulated enterprises face special challenges in addressing audit and compliance concerns

• Creativity and newly available solutions can reduce the cost and complexity of compliance

• Efforts in preparing for audits can be streamlined and become less intrusive


Page 45

Questions & Answers

For more information please contact:
Kevin Dunne
Phone: 414-292-3113
Email: [email protected]

Page 46

Page 47

Thank You!