How to reach SOX Compliance - The Alpro case
Lamot, Mechelen
October 12, 2011
How to reach SOX Compliance: The Alpro case
Bart Van Hevel, Alpro
Chris Walravens, Expertum
Agenda
• Key facts about Alpro
• What is SOx
• Key facts about Expertum
• Authorizations @ Alpro
• Authorization Issues
• Project approach
• Success factors
• Benefits for Alpro
Key Facts About Alpro
• Alpro founded in 1980 and part of Dean Foods since mid 2009
• Grown to € ~260 million in revenues in 2010
• Clear European market leader in non-dairy soy-based products
• 2 power brands: Alpro soya and Provamel
• 6 product categories
• 3 channels
• 3 wholly-owned commercial organisations in NL, UK and GE and more than 30 commercial partnerships in all other primary European markets
• 4 plants in BE, FR, UK and NL
• ~800 employees
Alpro Soya Brand
Provamel Brand
Gradual Development Of New Categories
Drinks Desserts Yofu
Cream Meat-free Margarine
Alpro, A Division Of Dean Foods
National chilled DSD and plant footprint
National premium health & wellness brands
US leader in national UHT
private label dairy
US
European leader in branded soy
EU
4 Complementary Plants
UK: Kettering (Birmingham)
Belgium: Wevelgem (Kortrijk)
The Netherlands: Landgraaf (Maastricht)
France: Issenheim (Colmar)
What is SOx?
The US Sarbanes-Oxley Act of 2002, commonly called Sarbanes-Oxley or SOx, is a United States federal law enacted on July 30, 2002 in response to a number of major corporate and accounting scandals, including those affecting Enron, WorldCom, …
Applicable to all companies listed on the New York Stock Exchange
• Section 302: The CEO/CFO of Dean Foods must certify quarterly and annually that:
  - The SEC (Securities & Exchange Commission) report has been reviewed by the CEO/CFO
  - The report does not contain any misleading and/or untrue statements
  - Significant deficiencies and material weaknesses in internal control have been disclosed to the Audit Committee and auditors, as well as any fraud (material or not) involving anyone with a significant role in internal control
  - Material weaknesses must be disclosed in the annual report to shareholders
Alpro needs to install a sub-certification process for the Dean Foods CEO/CFO
• Section 404: Defines the rules for internal control and financial reporting
  - Alpro management must assess effectiveness of internal control structure and procedures for financial reporting
Our Requirement…
[Diagram: Financial Statements; IT General Controls; Business Processes; Reporting Processes; Inventory; Procure to Pay; Order to Cash; Company Level Controls; …]
“Identify, implement and formalize adequate business & IT controls within Alpro Comm VA, for core processes that have a material impact on the financial statements, operating on December 31st, 2010”
Business & IT controls in order to cover key risks in a process, resulting in:
• Manual, signed-off reports / documents → detective control
• Configuration controls (SAP customizing) → preventive control
• Access restriction / Segregation of Duty controls → preventive control
Expertum
• Our Mission
  - Exceed client expectations by providing top-quality expertise
  - Provide our people a safe environment for personal and professional growth
• Facts
  - Founded in April 2006 by 2 ex-SAP Belux employees
  - Team of +50 SAP Experts and Project Managers
  - Highly skilled and experienced SAP consultants in all SAP areas, combined with a
• Partnerships
For more info, visit our new website: www.expertum.net
Authorizations @ Alpro
• Position based security
  - Use of the HR organizational structure
  - For role assignments
• 2-layered concept
  - Composite roles for positions or functions
  - Single & derived roles for functionality (at sub-process level)
• Starting point of the SOx authorizations project
  - Strong conceptual basis
  - Prerequisite for a smooth and successful compliance project
Authorization Issues
Issue categories: Critical functionality; Segregation of Duties; Basis Component
• Critical functionality (10)
  - Maintain accounting periods
  - Asset retirement / scrapping
  - Vendor master data
• Segregation of Duties (7)
  - Inventory count & post differences
  - Price conditions & Sales orders
  - Vendor master data & invoices
• Basis Component (10)
  - User & role administration
  - Transport requests
  - Debugging
Project Approach
Phases: Scope & Pre-audit → User list review → Root cause analysis → Solution & Impact → Solution approval → Implement & Test → Approval & Go-live → Final audit
3 Months - 50 Mandays
• Processes & legal entities in scope
• Risk assessment & definition of controls
• Identification of issues to be remediated
• For each issue determine the list of (un)authorized users / roles
• Identify the (combination of) roles causing the unwanted access
• Propose possible solution(s) for each issue
• Always several options possible:
  - User assignment
  - Composite role
  - Tcode in single role
  - Auth. object values
• Impact analysis on other users is essential for not disrupting business activities
• Verification of proposed solution with business users
• Approval of solution
• Business approval is essential, especially when the day-to-day organisation is changed
• Technical SAP authorizations knowledge essential
• Testing the solution both positive and negative
• Documentation essential because of SOx requirements
• Final approval of the implemented solution and adequacy of testing before go-live
• Transporting the changes into production and/or changing the user assignments
• Audit by external partner
• Final SOx audit by external auditor
• Final check to see if the business processes are under control
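The user list review, root cause analysis and impact analysis steps above, as an added example that is not part of the original presentation: a Python check over a 2-layered role model (composite roles containing single roles). The users, role names and the mapping of the slides' duties to SAP transaction codes are constructed assumptions.

```python
# Added example: users, roles and the duty-to-tcode mapping are constructed assumptions.
SOD_RULES = {  # conflict named on the slides -> (tcodes of duty A, tcodes of duty B)
    "Vendor master data & invoices": ({"XK01", "XK02"}, {"MIRO"}),
    "Inventory count & post differences": ({"MI04"}, {"MI07"}),
}
SINGLE_ROLES = {  # single role (sub-process level) -> transaction codes
    "Z_S_VENDOR_MAINT": {"XK01", "XK02"},
    "Z_S_INVOICE_ENTRY": {"MIRO"},
    "Z_S_INV_COUNT": {"MI04"},
}
COMPOSITE_ROLES = {  # composite role (position) -> single roles
    "Z_C_AP_CLERK": {"Z_S_VENDOR_MAINT", "Z_S_INVOICE_ENTRY"},
    "Z_C_PURCHASER": {"Z_S_VENDOR_MAINT"},
    "Z_C_AP_BACKUP": {"Z_S_INVOICE_ENTRY"},
    "Z_C_STOCK_COUNTER": {"Z_S_INV_COUNT"},
}
USERS = {  # user -> composite roles
    "ALICE": {"Z_C_AP_CLERK"},
    "CAROL": {"Z_C_PURCHASER", "Z_C_AP_BACKUP"},
    "DAVE": {"Z_C_PURCHASER"},
    "ERIN": {"Z_C_STOCK_COUNTER"},
}

def grants(user, tcodes):
    """Root cause: (composite, single) role links giving `user` any of `tcodes`."""
    return sorted((c, s) for c in USERS[user] for s in COMPOSITE_ROLES[c]
                  if SINGLE_ROLES[s] & tcodes)

def find_conflicts():
    """Users holding both duties of an SoD rule, with the roles responsible."""
    found = []
    for user in sorted(USERS):
        for rule, (duty_a, duty_b) in SOD_RULES.items():
            a, b = grants(user, duty_a), grants(user, duty_b)
            if a and b:
                found.append({"user": user, "rule": rule, "a": a, "b": b})
    return found

def tcodes_of(user, skip=None):
    """Effective tcodes of `user`, optionally ignoring one (composite, single) link."""
    return set().union(*(SINGLE_ROLES[s] for c in USERS[user]
                         for s in COMPOSITE_ROLES[c] if (c, s) != skip))

def impact_of_removal(composite, single):
    """Impact analysis: users who lose access if `single` leaves `composite`."""
    return sorted(u for u in USERS
                  if tcodes_of(u) != tcodes_of(u, skip=(composite, single)))

if __name__ == "__main__":
    print(find_conflicts(), impact_of_removal("Z_C_AP_BACKUP", "Z_S_INVOICE_ENTRY"), sep="\n")
```

In this constructed data, CAROL's conflict comes from a combination of two composite roles; changing the backup role affects only her, while changing the purchaser role would also remove access from DAVE, who has no conflict.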
Success Factors
• Very much business driven
  - C-level commitment
  - High visibility in the organization
• Dedicated team
  - Divisional Controller (on business side)
  - IT Manager (on IT side)
  - Authorizations consultant (expert knowledge)
  - Project leader (Business Process Manager)
• Smooth and fast decisions
• Ability to translate complex authorisation terminology into business language
• Efficient assessment of impact, resulting in no business disrupting actions
Benefits for Alpro
• Alpro Comm VA SOx compliant on December 31st, 2010: 0 deficiencies, an exceptional result!
• Provides Alpro management extra comfort on the main business processes and their impact on the financial reporting
Thank you!