Evolution%20of%20the%20Siemens%20Experience%20in%20its%20Effort%20to%20Test%20IT%20Controls%20on%20a%20Continuous%20Basis

1
Evolution of the Siemens Experience in its Effort
to Test IT Controls on a Continuous Basis
Tenth Continuous Auditing Reporting Symposium
Meeting 11/4/2005
Rolf Haardörfer IT Audit Professional Siemens
Corporation
2
Agenda
Operational Audit

• Overview of Siemens
• Benefits of Continuous Auditing
• Overview of Siemens SAP Audit Plan
• CA at Siemens Current Activities
• CA at Siemens Planned Activities
• Outlook and Next Steps
• Questions and Discussion

3
Overview of Siemens
Operational Audit

• About 430,000 employees worldwide (70,000 thereof
  in the United States)
• Sales of EUR 75 billion in 2004
• Siemens has a large audit department executing
  financial and operational audits throughout the
  company
• Siemens has selected SAP as their standard ERP
  system
• IT Audit Pool conducts all system related audits
  for the majority of Operating Companies here in
  the US including a SAP Certification Audit

4
Benefits of CA at Siemens
Operational Audit

• Simplification of execution of SAP audits
• Continuous monitoring of the compliance level of
  mandatory System Parameter settings.
• Improved Governance (Fraud Detection, SOX
  Compliance, Monitoring, etc.)
• Move toward real-time reporting for management
  and for the investment community.
• Improve the skill level and quality of work life
  of auditing personnel.
• Reduces compliance and assurance costs (labor,
  travel, outside assurance, etc.)

5
Value Proposition
Operational Audit

• COST
• Consider a large multinational corporation with
  400 auditors (internal external), each with a
  fully absorbed (sal./fee, benefits, travel, etc.)
  200,000/yr cost for a total annual compliance
  cost of 80 million dollars. Assume further
  that the proposed continuous auditing model
  cost 1 million dollars to develop and implement
  and only reduced manual compliance effort by 25
  in the firm. The annual net estimated savings or
  cost avoidance of this project for the firm
  defined above would be
• 19 Million dollars (Or nearly 100 million
  dollars over 5 years)!

6
Overview of Siemens SAP Audit Plan
Operational Audit

• Typical SAP audit takes about 75 person days
  covering SAP modules FI, FI-AA, BA, Computer
  Outsourcing, SD and MM
• Overall about 200 audit action sheets (AAS)
• Audit Action plan (AAS) was developed in
  cooperation with KPMG
• About 25 percent can be automated without
  additional formalization or re-engineering of the
  controls

7
SAP Audit Action SheetPart 1
Operational Audit
8
SAP Audit Action SheetPart 2
Operational Audit
9
Two Types of Audit Systems
Operational Audit
Independent System (Monitoring and Controlling
Layer)
Embedded AuditSystem

• ACL
• Approva BizRights
• Virsa
• Oversight
• E-Audit (Siemens)
• Rutgers CAR-Lab SAP model

• SAP Audit Information System

10
CA at Siemens Current Activities
Operational Audit

• Utilization of Approva BizRights for monitoring
  of Segregation of Duties (2 major Div.)
• Purchase to Pay Process using ACLs Direct Link
  and CCM CA model on 3 large SAP systems
• Introduced at the beginning of 2005
• Significant payoff right away (duplicate invoice
  payments, etc.)
• Providing real procurement cycle data to Rutgers
  CAR-Lab for statistical modeling to identify
  possible anomalies.

11
CA at Siemens Current Activities
Operational Audit

• Utilization of GL module from Approva BizRights
• Introduced in October 2005 for Monitoring of
  Month End Closing, to be completed in mid 2006
  for the GL Module.
• Payoff (Helping with Month End Closing, Ensuring
  transactions are complete with proper
  authorizations)
• Implementation of travel and expense (TE) module
  from ACL
• Planned introduction by the end of 2005
• Expected benefits Reduce Fraud (TE is one the
  most prevalent areas for fraud).

12
CA at Siemens - Planned Activities
Operational Audit

• Preventative / configurable controls strategy
• Utilize research from Rutgers CAR-Lab to
  re-engineer our SAP audit plan to make it more
  formalizable / automatable.
• Support and promote the use and enhancement of CA
  tools (Siemens Third party) at Siemens
  Operating Regional Companies.
• Demo and provide feedback to Siemens companies on
  emerging CA tools and technology.

13
CA at Siemens - Planned Activities
Operational Audit

• Utilization of SAP AIS module for execution of
  SAP audits
• Allows business to run reports themselves as
  needed (e.g. Top 10 Security Issues)
• IT Audit Pool has customized AIS to include
  automatable audit sheets as predefined reports
• Estimated reduction of SAP audit time of about 25

14
Outlook and Next Steps
Operational Audit

• Further leverage Rutgers CAR-Lab research in
  cooperation with External Auditors to Expand CA
  scope at Siemens.
• Utilization of SAP AIS module at more Operating
  Companies as standard tool.
• Audit Pool will work with Operating Companies to
  identify and promote existing solutions as best
  practices.
• Audit Pool plans on piloting CA software
  solutions as a part of a regular SAP audits.

15
Questions?
Operational Audit
Thank You! Rolf Haardörfer Siemens Corporation
IT Audit Pool