Contact Information 
•Dan Aldridge CEO Performa Apps 
•e-mail dan.aldridge@i-app.com 
•website www.inforln.com/wp 
•linkedin Dan Aldridge 
•twitter @Danaldridge1 
Agenda 
 Introduction DynaFlow 
Governance Risk & Compliance / Enterprise Risk 
Management 
Segregation of Duties for Baan / LN 
 Impact on ERP implementation 
Contact details: 
Aart de Glint 
adeglint@dynaflow-solutions.com 
Phone +31 318 479712 
Mobile +31 654 392046 
DynaFlow Profile 
 Main Facts: 
 
Established in 1997 
 
Private company HQ in Canada 
 
Partners in USA, France, Netherlands, Norway, India, Thailand and Australia 
 Main mission: 
 
To enable global companies to become “Simply in Control” by proactively 
managing enterprise risks, demonstrating compliance and automating and 
optimizing business processes. 
 
Dedicated to provide its clients a fast ROI through a short and structured 
implementation 
 Professional Services: 
 
Implementation and Training 
 
Compliance & Audit Support 
 
Process Optimization 
 
Solution Hosting Services 
DynaFlow: Makes it EZ for...
Cooking the Books 
Mr. Ebbers (WorldCom), Mr. Lay (Enron), Mr. Kozlowski (Tyco) 
http://www.cbsnews.com/video/watch/?id=859384n
Regulation - The Hot Potato 
Loi sur La Sécurité Financière (LSF) 
SAS-70 
SOX 
C-SOX 
J-SOX 
‘Euro-SOX’ 
Code Tabaksblat 
Code Lippens 
8th EU Directive 
Clinger Cohen 
21 CFR Part 11 
IFRS 
Basel-II 
BilMoG
Governance, Risk Management & Compliance
Governance 
describes the overall management approach through which senior executives direct and 
control the entire organization, using a combination of management information and 
hierarchical management control structures. Governance activities ensure that critical 
management information reaching the executive team is sufficiently complete, accurate and 
timely to enable appropriate management decision making, and provide the control 
mechanisms to ensure that strategies, directions and instructions from management are 
carried out systematically and effectively. 
Risk management 
is the set of processes through which management identifies, analyzes, and, where 
necessary, responds appropriately to risks that might adversely affect realization of the 
organization's business objectives. The response to risks typically depends on their perceived 
gravity, and involves controlling, avoiding, accepting or transferring them to a third party. 
Whereas organizations routinely manage a wide range of risks (e.g. technological risks, 
commercial/financial risks, information security risks etc.), external legal and regulatory 
compliance risks are arguably the key issue in GRC. 
Compliance 
means conforming with stated requirements. At an organizational level, it is achieved through 
management processes which identify the applicable requirements (defined for example in 
laws, regulations, contracts, strategies and policies), assess the state of compliance, assess 
the risks and potential costs of non-compliance against the projected expenses to achieve 
compliance, and hence prioritize, fund and initiate any corrective actions deemed 
necessary. 
GRC/ERM Support at all levels 
Levels of GRC model 
Strategic
Tactical 
Operational 
•Policy 
•Enterprise Risk Management (Strategic) 
•Integrated Compliance Frameworks 
•Consolidated Dashboards (Control Statements) 
•Procedures 
•Process Risk Analysis (Tactical) 
•Process & Internal Control Design & Maintenance 
•Review (workflow) 
•Monitoring Efficiency of Internal Controls 
•Embedded testing & test evidence 
•Document Management System 
•KPI/”In Control” reports 
Continuous monitoring as part of normal business process 
Purchasing 
Warehouse 
Management 
Manufacturing 
Sales & 
Distribution 
•Review 
•Test
Compliance – Why is this important 
Regulation 
Corporate & Executive Responsibility & Liability 
Fear of Reputational Damage
Tightened Credit Lines 
Premium Insurance Fees 
Policy Interpretation 
Implementation Cost 
Overhead 
Audit Cost
From Regulation to Compliance 
Regulations Implementation 
SOX 
HIPAA 
BASEL II 
Etc. 
Framework 
ERM 
COSO-II 
COBIT 
... 
Policy & Procedure 
Implementation 
Business Risks 
Business Controls: 
- Information delivery 
- Resource access and use
- Risk mitigation 
- ... 
Evidence 
Collection 
Demonstration of Compliance
establish document test 
People Processes Technology Facilities Data 
Audit
SOX Section 404 – Internal Control 
Assessment of internal control 
“The most contentious aspect of SOX is Section 404, 
which requires management and the external auditor to 
report on the adequacy of the company's internal 
control over financial reporting (ICFR). This is the 
most costly aspect of the legislation for companies to 
implement, as documenting and testing important 
financial manual and automated controls requires 
enormous effort.” 
http://www.heritage.org/CDA/upload/SOX-CDA-edited-3.pdf
SOX Internal Control Requirements 
Documentation 
 
Detailed Process description 
 
Process flowchart (preferable) 
 
Business Risk Assessments 
 
Risk Control Matrix (RCM) 
Testing 
 
Annual walkthrough of each process. 
 
Testing of key controls. 
Periodic Reviews 
 
Review of process steps and controls 
 
Updating of all documentation 
Annual External IC Audit 
 
Essentially an external validation that, yes, you did 1 through 3 above.
 
The auditor would use a predefined “checklists
Risk / Control Matrix 
All non-PO invoices received at month end are entered 
into the system within 3 days of month-end to ensure 
proper inclusion into Accounts Payable. 
For production invoices, invoices can only be entered 
into the system for automatic matching if a valid PO and 
receipt are already in the system. The system populates 
the invoice price and due date information from the PO 
information. 
All unmatched PO invoices are forwarded to purchasing 
for follow-up. 
All purchase orders and non-PO invoices are reviewed, 
including ledger account coding, and are authorized in 
accordance with company policy. 
Cycle counts that result in a difference from perpetual
quantity outside limits set by company policy are
reviewed; items with a variance deemed to be material
are recounted.
RISK / CONTROL MATRIX
Columns: Risk, Auditor Assertion, ACP-C01, ACP-C04, ACP-C16, PUR-C11, INV-C18
R007: What ensures that purchases are recorded into the proper accounting period? Assertion: Completeness. Controls: PC
R011: What ensures that invoice prices, quantities and other valuation information is correct? Assertion: Completeness, E/O, M/V. Controls: PC, PC
R042: What ensures that duplicate and/or fictitious purchases are not recorded? Assertion: Existence/Occurrence. Controls: PC, PC
R075: What ensures that perpetual inventory records reflect proper quantities and amounts? Assertion: Existence/Occurrence. Controls: PC, DC
R079: What ensures that perpetual-to-physical inventory adjustments are correctly calculated and recorded? Assertion: Completeness, Measurement/Valuation. Controls: DC
R093: What ensures that inventory counts, compilations and descriptions are accurate? Assertion: Measurement/Valuation. Controls: DC
PC = Preventive Control
DC = Detective Control
Enterprise Risk Management (ERM/GRC) 
The key pains & challenges: 
 Extra burden “on top” of running the company 
 Draining resources from critical projects 
 Absence of clear and documented guidelines 
 Absence of automation 
 Cannot be postponed (scheduled audits) 
 Cost (with NO tangible ROI) 
The proposed approach & resolution: 
 Leverage pre-defined knowledge via libraries 
 Avoid multiple partial systems (and integration burden) 
 Automate as much as possible tedious and large volume 
tasks
How DynaFlow supports ERM/GRC 
 Business Risks & Business Controls Library 
 2,500+ pre-defined Controls, Risks and relationships 
 Certified Best Practices / Benchmark 
 For all regional & industry specific regulations 
 (SOX, Basel-II, L262, FDA, HIPAA, IFSR, ISO, etc…) 
 To address all auditing/auditors requirements 
 Automated Business Control Execution 
 Testing Schedules with automated notification & testing 
 Real-time monitoring & alerts for testers and Mgmt 
 Evidence Collection & audit trail 
 Dynamic Risk and Business Control Monitoring 
 Key Performance & Risks Indicators Dashboard (+ mobile) 
 Audit Support 
 Combination of Solution, Libraries and Services
Segregation of Duties (SoD) 
The key pains & challenges: 
 Now a Critical Business Control for ALL organizations 
 Involves large volume of data 
(i.e. Typical = 200,000+ authorizations in Baan alone) 
 Need to be done across Systems (ERP) and for ALL 
access types 
 Is a recurring process due to constant changes 
The proposed approach & resolution: 
 Automation, 
 automation 
 and automation!
Cross-Applications ERM & SoD
Business Processes & Controls Integr. 
Process 
Diagram 
Employees 
User 
Roles 
Business 
Risks 
Applications 
Access Mgmt 
Business 
Controls 
Compliance Mgmt 
SoD Mgmt 
SoD 
Conflict 
Rules 
SoD 
Business 
Conflicts 
Conflict 
Resolution 
Documents 
Documents 
Document Mgmt
EZ-Compliance SoD Scan 
Mapics 
Hyperion 
BPCS 
… 
Network Access 
Facility Access 
Security Badges 
… 
Mapics 
Ceridian 
…
Master SoD Matrix 
Over 400+ SoD “zones” to be validated 
The LN / Baan SoD Rules Library 
 Introduced in 2005 
 Required 2 years initial development, and is updated 
regularly 
 Content and design validated by CFO, Controllers, SOX 
Senior Consultants, Baan Specialists, etc... 
 Covers all Baan versions (Triton, Baan IV, ERP-5, LN) 
 Compliant to Baan Tools and DEM authorizations 
 Verify 22,000+ Baan session combinations for SoD violations 
(with violation rating) to validate 400+ SoD sensitive “zones” 
 Auditors such as E&Y, KPMG, D&T, PWC, Grant Thornton 
validated the Baan SoD Rules' completeness and accuracy
by successfully certifying all EZ-Compliance clients to be
SoD/SOX compliant.
EZ-Compliance Automated SoD Scan 
Employees 
Roles 
Corp-wide 
Applications 
Business 
Controls 
Business 
Processes 
Import 
DEM 
Visio 
Employee / 
Applications 
Access 
List 
(1) 
Access 
Scan 
SoD 
Conflict 
Rules 
SOX – SoD 
Conflicts 
List 
(2) 
Conflict 
Scan 
Resolution 
Scan 
(3) 
SoD 
Resolution 
Rules 
Mitigated 
Conflicts 
List 
Business 
Risks 
SoD 
Library 
Oracle 
Mitigation 
Controls 
Import 
LDAP 
Import 
ERP
SoD Conflicting Areas Matrix
Click to view 
detailed business 
functions & 
conflicts found 
The automated SoD cycle 
Import of updated 
authorizations from 
all Enterprise 
Applications 
Identification of 
SoD conflicts & 
related business 
risks 
Resolution of 
conflicts with 
known patterns 
Investigation, 
resolution and 
mitigation of 
SoD risks 
Notification of new 
conflicts to internal 
audit team and/or 
process owners 
ERP 
Import 
Weekly 
or 
Daily 
Result: 90%+ reduction of effort & cost
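The three scans in the EZ-Compliance diagram and the automated cycle above (access scan, conflict scan, resolution scan, then notification of new conflicts) can be sketched as follows. This is an added example, not DynaFlow code: every user, role, business function, rule id and control id in it is constructed sample data, and the what_if helper is a hypothetical name for the preventive check.

```python
"""Three-pass SoD scan: access scan, conflict scan, resolution scan.
All users, roles, functions, rule ids and control ids are constructed samples."""
from dataclasses import dataclass

# (system, role) -> business functions the role grants (constructed role model).
ROLE_FUNCTIONS = {
    ("ERP", "AP_CLERK"): {"enter_invoice"},
    ("ERP", "BUYER"): {"create_po", "maintain_vendor"},
    ("ERP", "AP_MANAGER"): {"approve_payment"},
    ("FIN", "TREASURY"): {"approve_payment", "release_payment"},
    ("ERP", "WAREHOUSE"): {"post_receipt", "adjust_inventory"},
}

# Authorizations imported from each application: (user, system, role).
ASSIGNMENTS = [
    ("alice", "ERP", "BUYER"),
    ("alice", "FIN", "TREASURY"),
    ("bob", "ERP", "AP_CLERK"),
    ("bob", "ERP", "BUYER"),
    ("carol", "ERP", "WAREHOUSE"),
    ("dave", "ERP", "AP_CLERK"),
]

# SoD conflict rules: (rule id, function A, function B, violation rating).
RULES = [
    ("SOD-001", "maintain_vendor", "approve_payment", "high"),
    ("SOD-002", "create_po", "enter_invoice", "medium"),
    ("SOD-003", "post_receipt", "adjust_inventory", "medium"),
]

# Resolution rules: known conflicts already covered by a mitigating control.
MITIGATIONS = {("carol", "SOD-003"): "MC-07 monthly count review by controller"}


@dataclass(frozen=True)
class Conflict:
    user: str
    rule_id: str
    rating: str
    sources: tuple  # the (system, role) pairs that together cause the conflict


def access_scan(assignments, role_functions=ROLE_FUNCTIONS):
    """Pass 1: flatten role assignments from all systems into
    user -> function -> {(system, role), ...}."""
    access = {}
    for user, system, role in assignments:
        # A role missing from the model grants nothing here; a real import
        # would report it as unmapped rather than ignore it.
        for func in role_functions.get((system, role), ()):
            access.setdefault(user, {}).setdefault(func, set()).add((system, role))
    return access


def conflict_scan(access, rules=RULES):
    """Pass 2: a user holding both functions of a rule is a conflict,
    whether the two functions come from one system or from several."""
    found = []
    for user in sorted(access):
        funcs = access[user]
        for rule_id, func_a, func_b, rating in rules:
            if func_a in funcs and func_b in funcs:
                sources = tuple(sorted(funcs[func_a] | funcs[func_b]))
                found.append(Conflict(user, rule_id, rating, sources))
    return found


def resolution_scan(conflicts, mitigations=MITIGATIONS):
    """Pass 3: split conflicts into open ones and ones a known control covers."""
    open_conflicts, mitigated = [], {}
    for c in conflicts:
        control = mitigations.get((c.user, c.rule_id))
        if control is None:
            open_conflicts.append(c)
        else:
            mitigated[(c.user, c.rule_id)] = control
    return open_conflicts, mitigated


def what_if(assignments, change):
    """Preventive check: conflicts a proposed assignment would add.
    The same diff against the previous run yields the 'new conflicts' to notify."""
    before = {(c.user, c.rule_id) for c in conflict_scan(access_scan(assignments))}
    after = conflict_scan(access_scan(list(assignments) + [change]))
    return [c for c in after if (c.user, c.rule_id) not in before]


if __name__ == "__main__":
    open_conflicts, mitigated = resolution_scan(conflict_scan(access_scan(ASSIGNMENTS)))
    for c in open_conflicts:
        print("OPEN", c.user, c.rule_id, c.rating, c.sources)
    for key, control in mitigated.items():
        print("MITIGATED", key, "by", control)
    print("WHAT-IF", what_if(ASSIGNMENTS, ("dave", "ERP", "BUYER")))
```

The alice conflict only appears because authorizations from both systems are merged before the rules run, which is the point of scanning across applications rather than per ERP.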
How DynaFlow supports SoD 
 Access/Authorization Mgmt 
 Cross-systems authorizations (who is accessing what?) 
 Periodic Access Reviews 
 SoD Conflicts Identification 
 Detective validation (what accesses constitute risks?) 
 Preventive validation (what is the impact if we change …?) 
 SoD Conflicts Resolution 
 Automated resolution/mitigation using pattern rules 
 SoD Conflicts Monitoring & Alerts 
 Self-generated SoD Matrix with dynamic alerts 
 Key Performance & Risks Indicators Dashboard (+ mobile)
Segregation of Duties (SoD) 
What you gain with DynaFlow: 
 Cross-ERP Integration (SAP, Oracle, Baan, Mapics, ...) 
 Bottled Best Practices: 
 Fully automated Segregation-of-Duties (SoD) Rules 
 Pre-Defined SoD Libraries available for Baan, SAP, Oracle, 
etc... 
 In line with external auditors to secure successful 
certification 
 Detective and also Preventative 
 Fully automated SoD validation 
 90% reduction on implementation cost & effort 
 50% reduction on auditing cost 
 100% Successful SoD Audit 
 Simplified insight in all user authorizations
Integrated Cycles 
Document 
Integrate 
Structure 
Publish 
Define 
Capture 
Optimize 
Validate 
Process 
Knowledge 
Review 
Certify 
Risk 
Assessment 
Control 
Activity 
Control 
Environment 
Publish 
Regulations 
(e.g. SOX, ISO, ITAR,
AS9100, HIPAA, etc.)
Automate 
Measure 
Optimize 
Route 
Definition 
Workflow 
Objectives 
Metrics 
Action Measure 
Monitor Execute Automation 
Analyzes
DynaFlow Value Proposition 
Document 
Integrate 
Structure 
Publish 
Define 
Capture 
Optimize 
Validate 
Review 
Certify 
Risk 
Assessment 
Control 
Activity 
Control 
Environment 
Publish 
Automate 
Measure 
Optimize 
Route 
Definition 
Objectives 
Action Measure 
Monitor Execute 
Analyzes
DynaFlow Solution Overview 
Business 
Controls 
Checks 
Financial (Oracle, etc) 
ERP (SAP, Baan, Mapics, etc) 
Process & 
Knowledge 
Publishing 
Process 
Modeling 
Business 
Controls 
Definition 
Automated 
Alerts & 
Notifications 
Process 
Automation 
Employee 
Process 
Dashboard 
Modeler and 
Auditor 
Dashboard 
Transaction 
Systems 
Base 
Dynamic KCI 
& Issues 
Escalation 
Process 
Optimization 
& Monitoring 
Management 
Dashboard 
Dynamic KPI 
& 
BI Analytics 
BPM Reporting 
Office Apps (MS, Email, VPN, etc)
Critical Capabilities Definition ERM & C 
Audit Management 
Supports internal auditors in planning and scheduling audit-related tasks, time management, managing work papers, 
risk assessments, control testing, remediation management and reporting. 
Risk Management, General 
Supports risk management professionals with the documentation, workflow, assessment and analysis, reporting, 
visualization, and remediation of risks. Analytics are mostly qualitative with a limited loss event analysis capability that 
is not dependent on stochastic analysis. It does not include stochastic analysis, but it may collect data from stochastic 
risk analytics tools to provide a consolidated view of enterprise risk management. 
Risk Management, Stochastic 
Involves stochastic analysis, such as Monte Carlo simulation. Examples include banks that require highly specialized 
capabilities for Basel II capital calculations and companies that must support project risk assessments of long-term 
asset investments, such as mining and oil and gas. Only a few EGRC platform vendors directly support these 
stochastic analysis needs organically or through an OEM partnership. 
Compliance Management 
Supports compliance professionals with the documentation, workflow, reporting and visualization of control objectives, 
controls and associated risks, surveys and self-assessments, testing, and remediation. At a minimum, EGRC 
management not only will include financial reporting compliance (Sarbanes-Oxley compliance), but also can support 
other types of compliance, such as ISO 9000, Payment Card Industry, industry-specific regulations, service-level 
agreements, trading partner requirements and compliance with internal policies. 
Policy Management 
Includes a specialized form of document management that enables the policy life cycle from creation to review, change 
and archiving of policies; mapping of policies to mandates and business objectives in one direction, and risks and 
controls in another; and distribution to and attestation by employees and business partners. 
GRC Content 
Includes many different kinds of content relative to GRC activities. Examples include regulatory analysis and news 
feeds, standards and frameworks, draft testing and risk assessments, and draft policies. 
Business Analytics 
Supports the ability to analyze the impact of risks on business objectives, performance and processes. 
Gartner, Inc: 30 November 2010/ID Number: G00208665
DynaFlow simplification 
Regulations Implementation 
SOX 
HIPAA 
BASEL II 
Etc. 
Framework 
COSO-II 
COBIT 
...... 
Policy & Procedure 
Implementation 
Business Risks 
Business Controls: 
- Information delivery 
- Resource access and use
- Risk mitigation 
- ... 
Evidence 
Collection 
Web Portal 
Demonstration of Compliance
establish document test 
People Processes Technology Facilities Data 
Audit 
Business 
Control 
Libraries 
Business Risk Libraries 
Compliance 
Program Mgmt. 
Compliance 
Change Mgmt. 
Compliance 
Issue Mgmt. 
Compliance 
Access & SoD Mgmt.
Document 
Mgmt. 
Audit 
Trail 
Cross-ERP 
Integration 
& 
Mapping 
Operational Risk 
Monitoring 
eBook 
Generation
Maclear’s IT GRC Tools – Key Issues and Trends
 
CML Group GRCaaS Dashboard
CML Group GRCaaS Dashboard CML Group GRCaaS Dashboard
CML Group GRCaaS Dashboard
 
Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)
 
It Governance Methodology Cox
It Governance Methodology CoxIt Governance Methodology Cox
It Governance Methodology Cox
 
gray_audit_presentation.ppt
gray_audit_presentation.pptgray_audit_presentation.ppt
gray_audit_presentation.ppt
 
Effektiv riskhantering - teori vs praktik - IBM Smarter Business 2011
Effektiv riskhantering - teori vs praktik - IBM Smarter Business 2011Effektiv riskhantering - teori vs praktik - IBM Smarter Business 2011
Effektiv riskhantering - teori vs praktik - IBM Smarter Business 2011
 
Fixnix GRC Suite A Glance
Fixnix GRC Suite A GlanceFixnix GRC Suite A Glance
Fixnix GRC Suite A Glance
 
Cobit 41 framework
Cobit 41 frameworkCobit 41 framework
Cobit 41 framework
 
How to Drive Value from Operational Risk Data - Part 2
How to Drive Value from Operational Risk Data - Part 2How to Drive Value from Operational Risk Data - Part 2
How to Drive Value from Operational Risk Data - Part 2
 
An Introduction to econsys
An Introduction to econsysAn Introduction to econsys
An Introduction to econsys
 
An IT Governance program
An IT Governance programAn IT Governance program
An IT Governance program
 
SafepaaS AuditPaaS
SafepaaS AuditPaaSSafepaaS AuditPaaS
SafepaaS AuditPaaS
 
SafePaaS AuditPaaS
SafePaaS AuditPaaS SafePaaS AuditPaaS
SafePaaS AuditPaaS
 
AuditPaas by SafePaaS
AuditPaas by SafePaaSAuditPaas by SafePaaS
AuditPaas by SafePaaS
 
AuditPaaS SafePaaS
AuditPaaS SafePaaSAuditPaaS SafePaaS
AuditPaaS SafePaaS
 
Vivek cv
Vivek cvVivek cv
Vivek cv
 
Enterprise governance risk_compliance_fcm slides
Enterprise governance risk_compliance_fcm slidesEnterprise governance risk_compliance_fcm slides
Enterprise governance risk_compliance_fcm slides
 
Grc and is audit
Grc and is auditGrc and is audit
Grc and is audit
 
ClockworkISMS
ClockworkISMSClockworkISMS
ClockworkISMS
 
FulcrumWay GRC Solutions
FulcrumWay GRC SolutionsFulcrumWay GRC Solutions
FulcrumWay GRC Solutions
 

More from Dan Aldridge, ERP Software Evangelist, LION

Inforln.com ERP LN 10.3 & 10.4 Quality Management Non-conformance Reporting D...
Inforln.com ERP LN 10.3 & 10.4 Quality Management Non-conformance Reporting D...Inforln.com ERP LN 10.3 & 10.4 Quality Management Non-conformance Reporting D...
Inforln.com ERP LN 10.3 & 10.4 Quality Management Non-conformance Reporting D...Dan Aldridge, ERP Software Evangelist, LION
 
Inforln.com ERP LN 10.3 & 10.4 Manufacturing Non-conformance Handling Differe...
Inforln.com ERP LN 10.3 & 10.4 Manufacturing Non-conformance Handling Differe...Inforln.com ERP LN 10.3 & 10.4 Manufacturing Non-conformance Handling Differe...
Inforln.com ERP LN 10.3 & 10.4 Manufacturing Non-conformance Handling Differe...Dan Aldridge, ERP Software Evangelist, LION
 

More from Dan Aldridge, ERP Software Evangelist, LION (20)

Inforln.com Learn LN - Infor Ming.le User Interface Concepts
Inforln.com Learn LN - Infor Ming.le User Interface ConceptsInforln.com Learn LN - Infor Ming.le User Interface Concepts
Inforln.com Learn LN - Infor Ming.le User Interface Concepts
 
Inforln.com ERP LN Finance Concepts Overview Training
Inforln.com ERP LN Finance Concepts Overview TrainingInforln.com ERP LN Finance Concepts Overview Training
Inforln.com ERP LN Finance Concepts Overview Training
 
Inforln.com ERP LN 10.4 Using the New Claim Features
Inforln.com ERP LN 10.4 Using the New Claim FeaturesInforln.com ERP LN 10.4 Using the New Claim Features
Inforln.com ERP LN 10.4 Using the New Claim Features
 
Inforln.com ERP LN 10.4 Managing Material Demand for Preventive Maintenance
Inforln.com ERP LN 10.4 Managing Material Demand for Preventive MaintenanceInforln.com ERP LN 10.4 Managing Material Demand for Preventive Maintenance
Inforln.com ERP LN 10.4 Managing Material Demand for Preventive Maintenance
 
Inforln.com ERP LN 10.4 Credit and Rebill Invoices Enhancements
Inforln.com ERP LN 10.4 Credit and Rebill Invoices EnhancementsInforln.com ERP LN 10.4 Credit and Rebill Invoices Enhancements
Inforln.com ERP LN 10.4 Credit and Rebill Invoices Enhancements
 
Inforln.com ERP LN 10.4 Advance Invoicing Enhancements
Inforln.com ERP LN 10.4 Advance Invoicing EnhancementsInforln.com ERP LN 10.4 Advance Invoicing Enhancements
Inforln.com ERP LN 10.4 Advance Invoicing Enhancements
 
Inforln.com ERP LN 10.3 & 10.4 Quality Management Non-conformance Reporting D...
Inforln.com ERP LN 10.3 & 10.4 Quality Management Non-conformance Reporting D...Inforln.com ERP LN 10.3 & 10.4 Quality Management Non-conformance Reporting D...
Inforln.com ERP LN 10.3 & 10.4 Quality Management Non-conformance Reporting D...
 
Inforln.com ERP LN 10.3 & 10.4 Miscellaneous Project Enhancements
Inforln.com ERP LN 10.3 & 10.4 Miscellaneous Project EnhancementsInforln.com ERP LN 10.3 & 10.4 Miscellaneous Project Enhancements
Inforln.com ERP LN 10.3 & 10.4 Miscellaneous Project Enhancements
 
Inforln.com ERP LN 10.3 & 10.4 MAUC Hours Differences
Inforln.com ERP LN 10.3 & 10.4 MAUC Hours DifferencesInforln.com ERP LN 10.3 & 10.4 MAUC Hours Differences
Inforln.com ERP LN 10.3 & 10.4 MAUC Hours Differences
 
Inforln.com ERP LN 10.3 & 10.4 Manufacturing Non-conformance Handling Differe...
Inforln.com ERP LN 10.3 & 10.4 Manufacturing Non-conformance Handling Differe...Inforln.com ERP LN 10.3 & 10.4 Manufacturing Non-conformance Handling Differe...
Inforln.com ERP LN 10.3 & 10.4 Manufacturing Non-conformance Handling Differe...
 
Inforln.com ERP 10.3 &10.4 Estimating Differences
Inforln.com ERP 10.3 &10.4 Estimating DifferencesInforln.com ERP 10.3 &10.4 Estimating Differences
Inforln.com ERP 10.3 &10.4 Estimating Differences
 
Inforln.com ERP LN 10.3 & 10.4 Contract Invoicing Differences
Inforln.com ERP LN 10.3 & 10.4 Contract Invoicing DifferencesInforln.com ERP LN 10.3 & 10.4 Contract Invoicing Differences
Inforln.com ERP LN 10.3 & 10.4 Contract Invoicing Differences
 
Inforln.com ERP LN 10.3 & 10.4 Configurable Contract Deliverables Enhancements
Inforln.com ERP LN 10.3 & 10.4 Configurable Contract Deliverables EnhancementsInforln.com ERP LN 10.3 & 10.4 Configurable Contract Deliverables Enhancements
Inforln.com ERP LN 10.3 & 10.4 Configurable Contract Deliverables Enhancements
 
Inforln.com ERP LN 10.3 & 10.4 Project Peg Audit History Differences
Inforln.com ERP LN 10.3 & 10.4 Project Peg Audit History DifferencesInforln.com ERP LN 10.3 & 10.4 Project Peg Audit History Differences
Inforln.com ERP LN 10.3 & 10.4 Project Peg Audit History Differences
 
Inforln.com Baan 4 to LN Differences Training - Warehousing & Inventory Control
Inforln.com Baan 4 to LN Differences Training - Warehousing & Inventory ControlInforln.com Baan 4 to LN Differences Training - Warehousing & Inventory Control
Inforln.com Baan 4 to LN Differences Training - Warehousing & Inventory Control
 
Inforln.com Baan to LN Upgrade Differences Training - UI Enhancements
Inforln.com Baan to LN Upgrade Differences Training - UI EnhancementsInforln.com Baan to LN Upgrade Differences Training - UI Enhancements
Inforln.com Baan to LN Upgrade Differences Training - UI Enhancements
 
Inforln.com Baan to LN Differences Training - Order Management
Inforln.com Baan to LN Differences Training - Order ManagementInforln.com Baan to LN Differences Training - Order Management
Inforln.com Baan to LN Differences Training - Order Management
 
Infor ln.com baan 4 to ln upgrade differences training order management
Infor ln.com baan 4 to ln upgrade differences training   order managementInfor ln.com baan 4 to ln upgrade differences training   order management
Infor ln.com baan 4 to ln upgrade differences training order management
 
Inforln.com Baan 4 to LN Differences Training - Multisite & Common Data
Inforln.com Baan 4 to LN Differences Training - Multisite & Common DataInforln.com Baan 4 to LN Differences Training - Multisite & Common Data
Inforln.com Baan 4 to LN Differences Training - Multisite & Common Data
 
Inforln.com Baan 4 to LN Upgrade Differences Training - Enterprise Planning
Inforln.com Baan 4 to LN Upgrade Differences Training - Enterprise PlanningInforln.com Baan 4 to LN Upgrade Differences Training - Enterprise Planning
Inforln.com Baan 4 to LN Upgrade Differences Training - Enterprise Planning
 

Recently uploaded

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

Recently uploaded (20)

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

Government and SOX Compliance for ERP Systems

  • 1. 1
  • 2. Contact Information •Dan Aldridge CEO Performa Apps •e-mail dan.aldridge@i-app.com •website www.inforln.com/wp •linkedin Dan Aldridge •twitter @Danaldridge1 •
  • 3. Agenda: Introduction DynaFlow; Governance Risk & Compliance / Enterprise Risk Management; Segregation of Duties for Baan / LN; Impact on ERP implementation. Contact details: Aart de Glint, adeglint@dynaflow-solutions.com, Phone +31 318 479712, Mobile +31 654 392046
  • 4. DynaFlow Profile • Main Facts: - Established in 1997 - Private company HQ in Canada - Partners in USA, France, Netherlands, Norway, India, Thailand and Australia • Main mission: - To enable global companies to become “Simply in Control” by proactively managing enterprise risks, demonstrating compliance and automating and optimizing business processes. - Dedicated to provide its clients a fast ROI through a short and structured implementation • Professional Services: - Implementation and Training - Compliance & Audit Support - Process Optimization - Solution Hosting Services
  • 5. DynaFlow: Makes it EZ for...
  • 6. 6
  • 7. Cooking the Books: Mr. Ebbers (WorldCom), Mr. Lay (Enron), Mr. Kozlowski (Tyco) http://www.cbsnews.com/video/watch/?id=859384n
  • 8. 8
  • 9. Regulation - The Hot Potato: Loi sur La Sécurité Financière (LSF), SAS-70, SOX, C-SOX, J-SOX, ‘Euro-SOX’, Code Tabaksblat, Code Lippens, 8th EU Directive, Clinger Cohen, 21 CFR Part 11, IFRS, Basel-II, BilMoG
  • 10. Governance, Risk Mngnt & Compliance. Governance describes the overall management approach through which senior executives direct and control the entire organization, using a combination of management information and hierarchical management control structures. Governance activities ensure that critical management information reaching the executive team is sufficiently complete, accurate and timely to enable appropriate management decision making, and provide the control mechanisms to ensure that strategies, directions and instructions from management are carried out systematically and effectively. Risk management is the set of processes through which management identifies, analyzes, and, where necessary, responds appropriately to risks that might adversely affect realization of the organization's business objectives. The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, accepting or transferring them to a third party. Whereas organizations routinely manage a wide range of risks (e.g. technological risks, commercial/financial risks, information security risks etc.), external legal and regulatory compliance risks are arguably the key issue in GRC. Compliance means conforming with stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined for example in laws, regulations, contracts, strategies and policies), assess the state of compliance, assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions deemed necessary.
  • 11. GRC/ERM Support at all levels Levels of GRC model Strategical Tactical Operational •Policy •Enterprise Risk Management (Strategic) •Integrated Compliance Frameworks •Consolidated Dashboards (Control Statements) •Procedures •Process Risk Analysis (Tactical) •Process & Internal Control Design & Maintenance •Review (workflow) •Monitoring Efficiency of Internal Controls •Embedded testing & test evidence •Document Management System •KPI/”In Control” reports Continuous monitoring as part of normal business process •Policy •Enterprise Risk Management (Strategic) •Integrated Compliance Frameworks •Consolidated Dashboards (Control Statements) Purchasing Warehouse Management Manufacturing Sales & Distribution •Review •Test
  • 12. Compliance – Why is this important Regulation Corporate & Executive Responsibility & Liability Fear for Reputation Damage Tightened Credit Lines Premium Insurance Fees Policy Interpretation Implementation Cost Overhead Audit Cost
  • 13. From Regulation to Compliance Regulations Implementation SOX HIPAA BASEL II Etc. Framework ERM COSO-II COBIT ... Policy & Procedure Implementation Business Risks Business Controls: - Information delivery - Resource access and use - Risk mitigation - ... Evidence Collection Demonstration of Compliance establish document test People Processes Technology Facilities Data Audit
  • 14. SOX Section 404 – Internal Control Assessment of internal control “The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting (ICFR). This is the most costly aspect of the legislation for companies to implement, as documenting and testing important financial manual and automated controls requires enormous effort.” http://www.heritage.org/CDA/upload/SOX-CDA-edited-3.pdf
  • 15. SOX Internal Control Requirements. Documentation: • Detailed Process description • Process flowchart (preferable) • Business Risk Assessments • Risk Control Matrix (RCM). Testing: • Annual walkthrough of each process. • Testing of key controls. Periodic Reviews: • Review of process steps and controls • Updating of all documentation. Annual External IC Audit: • Essentially external validations that yes you did 1 through 3 above. • The auditor would use a predefined “checklist”
  • 16. Risk / Control Matrix All non-PO invoices received at month end are entered into the system within 3 days of month-end to ensure proper inclusion into Accounts Payable. For production invoices, invoices can only be entered into the system for automatic matching if a valid PO and receipt are already in the system. The system populates the invoice price and due date information from the PO information. All unmatched PO invoices are forwarded to purchasing for follow-up. All purchase orders and non-PO invoices are reviewed, including ledger account coding, and are authorized in accordance with company policy. Cycle counts that result in a difference from perpetual quantity outside limits set by company policy are reviewed; items with a variance deemed to be material are recounted. RISK / CONTROL MATRIX Risk Auditor Assertion ACP-C01 ACP-C04 ACP-C16 PUR-C11 INV-C18 R007 What ensures that purchases are recorded into the proper accounting period? Completeness PC R011 What ensures that invoice prices, quantities and other valuation information is correct? Completeness, E/O, M/V PC PC R042 What ensures that duplicate and/or fictitious purchases are not recorded? Existence/ Occurrence PC PC R075 What ensures that perpetual inventory records reflect proper quantities and amounts? Existence/ Occurrence PC DC R079 What ensures that perpetual-to-physical inventory adjustments are correctly calculated and recorded? Completeness, Measurement/ Valuation DC R093 What ensures that inventory counts, compilations and descriptions are accurate? Measurement/ Valuation DC PC = Preventive Control DC = Detective Control
  • 17. Enterprise Risk Management (ERM/GRC) The key pains & challenges: • Extra burden “on top” of running the company • Draining resources from critical projects • Absence of clear and documented guidelines • Absence of automation • Cannot be postponed (scheduled audits) • Cost (with NO tangible ROI) The proposed approach & resolution: • Leverage pre-defined knowledge via libraries • Avoid multiple partial systems (and integration burden) • Automate as much as possible tedious and large volume tasks
  • 18. How DynaFlow supports ERM/GRC • Business Risks & Business Controls Library - 2,500+ pre-defined Controls, Risks and relationships - Certified Best Practices / Benchmark - For all regional & industry specific regulations (SOX, Basel-II, L262, FDA, HIPAA, IFRS, ISO, etc…) - To address all auditing/auditors requirements • Automated Business Control Execution - Testing Schedules with automated notification & testing - Real-time monitoring & alerts for testers and Mgmt - Evidence Collection & audit trail • Dynamic Risk and Business Control Monitoring - Key Performance & Risks Indicators Dashboard (+ mobile) • Audit Support - Combination of Solution, Libraries and Services
  • 19. 19
  • 20. Segregation of Duties (SoD) The key pains & challenges: • Now a Critical Business Control for ALL organizations • Involves large volume of data (i.e. Typical = 200,000+ authorizations in Baan alone) • Needs to be done across Systems (ERP) and for ALL access types • Is a recurring process due to constant changes The proposed approach & resolution: • Automation, → automation → and automation!
  • 22. Business Processes & Controls Integr. Process Diagram Employees User Roles Business Risks Applications Access Mgmt Business Controls Compliance Mgmt SoD Mgmt SoD Conflict Rules SoD Business Conflicts Conflict Resolution Documents Documents Document Mgmt
  • 23. EZ-Compliance SoD Scan Mapics Hyperion BPCS … Network Access Facility Access Security Badges … Mapics Ceridian …
  • 25. Over 400+ SoD “zones” to be validated
  • 26. The LN / Baan SoD Rules Library • Introduced in 2005 • Required 2 years initial development, and is updated regularly • Content and design validated by CFO, Controllers, SOX Senior Consultants, Baan Specialists, etc... • Covers all Baan versions (Triton, Baan IV, ERP-5, LN) • Compliant to Baan Tools and DEM authorizations • Verifies 22,000+ Baan session combinations for SoD violations (with violation rating) to validate 400+ SoD sensitive “zones” • Auditors such as E&Y, KPMG, D&T, PWC, Grant Thornton validated the Baan SoD Rules completeness and accuracy by successfully certifying all EZ-Compliance clients to be SoD/SOX compliant.
  • 27. EZ-Compliance Automated SoD Scan Employees Roles Corp-wide Applications Business Controls Business Processes Import DEM Visio Employee / Applications Access List (1) Access Scan SoD Conflict Rules SOX – SoD Conflicts List (2) Conflict Scan Resolution Scan (3) SoD Resolution Rules Mitigated Conflicts List Business Risks SoD Library Oracle Mitigation Controls Import LDAP Import ERP
  • 28. SoD Conflicting Areas Matrix Click to view detailed business functions & conflicts found
  • 29. The automated SoD cycle Import of updated authorizations from all Enterprise Applications Identification of SoD conflicts & related business risks Resolution of conflicts with known patterns Investigation, resolution and mitigation of SoD risks Notification of new conflicts to internal audit team and/or process owners ERP Import Weekly or Daily Result: 90%+ reduction of effort & cost
  • 30. How DynaFlow supports SoD
      - Access/Authorization Mgmt
          - Cross-systems authorizations (who is accessing what?)
          - Periodic Access Reviews
      - SoD Conflicts Identification
          - Detective validation (what accesses constitute risks?)
          - Preventive validation (what is the impact if we change …?)
      - SoD Conflicts Resolution
          - Automated resolution/mitigation using pattern rules
      - SoD Conflicts Monitoring & Alerts
          - Self-generated SoD Matrix with dynamic alerts
          - Key Performance & Risks Indicators Dashboard (+ mobile)
  • 31. Segregation of Duties (SoD)
      What you gain with DynaFlow:
      - Cross-ERP Integration (SAP, Oracle, Baan, Mapics, ...)
      - Bottled Best Practices:
      - Fully automated Segregation-of-Duties (SoD) Rules
      - Pre-Defined SoD Libraries available for Baan, SAP, Oracle, etc.
      - In line with external auditors to secure successful certification
      - Detective and also Preventative
      - Fully automated SoD validation
      - 90% reduction on implementation cost & effort
      - 50% reduction on auditing cost
      - 100% Successful SoD Audit
      - Simplified insight in all user authorizations
  • 33. Integrated Cycles: Document Integrate Structure Publish Define Capture Optimize Validate Process Knowledge Review Certify Risk Assessment Control Activity Control Environment Publish Regulations (e.g. SOX, ISO, ITAR, AS9100, HIPAA, etc.) Automate Measure Optimize Route Definition Workflow Objectives Metrics Action Measure Monitor Execute Automation Analyzes
  • 34. DynaFlow Value Proposition: Document Integrate Structure Publish Define Capture Optimize Validate Review Certify Risk Assessment Control Activity Control Environment Publish Automate Measure Optimize Route Definition Objectives Action Measure Monitor Execute Analyzes
  • 35. DynaFlow Solution Overview Business Controls Checks Financial (Oracle, etc) ERP (SAP, Baan, Mapics, etc) Process & Knowledge Publishing Process Modeling Business Controls Definition Automated Alerts & Notifications Process Automation Employee Process Dashboard Modeler and Auditor Dashboard Transaction Systems Base Dynamic KCI & Issues Escalation Process Optimization & Monitoring Management Dashboard Dynamic KPI & BI Analytics BPM Reporting Office Apps (MS, Email, VPN, etc)
  • 36. Critical Capabilities Definition ERM & C
      - Audit Management: Supports internal auditors in planning and scheduling audit-related tasks, time management, managing work papers, risk assessments, control testing, remediation management and reporting.
      - Risk Management, General: Supports risk management professionals with the documentation, workflow, assessment and analysis, reporting, visualization, and remediation of risks. Analytics are mostly qualitative with a limited loss event analysis capability that is not dependent on stochastic analysis. It does not include stochastic analysis, but it may collect data from stochastic risk analytics tools to provide a consolidated view of enterprise risk management.
      - Risk Management, Stochastic: Involves stochastic analysis, such as Monte Carlo simulation. Examples include banks that require highly specialized capabilities for Basel II capital calculations and companies that must support project risk assessments of long-term asset investments, such as mining and oil and gas. Only a few EGRC platform vendors directly support these stochastic analysis needs organically or through an OEM partnership.
      - Compliance Management: Supports compliance professionals with the documentation, workflow, reporting and visualization of control objectives, controls and associated risks, surveys and self-assessments, testing, and remediation. At a minimum, EGRC management not only will include financial reporting compliance (Sarbanes-Oxley compliance), but also can support other types of compliance, such as ISO 9000, Payment Card Industry, industry-specific regulations, service-level agreements, trading partner requirements and compliance with internal policies.
      - Policy Management: Includes a specialized form of document management that enables the policy life cycle from creation to review, change and archiving of policies; mapping of policies to mandates and business objectives in one direction, and risks and controls in another; and distribution to and attestation by employees and business partners.
      - GRC Content: Includes many different kinds of content relative to GRC activities. Examples include regulatory analysis and news feeds, standards and frameworks, draft testing and risk assessments, and draft policies.
      - Business Analytics: Supports the ability to analyze the impact of risks on business objectives, performance and processes.
      Gartner, Inc: 30 November 2010/ID Number: G00208665
  • 37. DynaFlow simplification Regulations Implementation SOX HIPAA BASEL II Etc. Framework COSO-II COBIT ...... Policy & Procedure Implementation Business Risks Business Controls: - Information delivery - Resource access and use - Risk mitigation - ... Evidence Collection Web Portal Demonstration of Compliance establish document test People Processes Technology Facilities Data Audit Business Control Libraries Business Risk Libraries Compliance Program Mgmt. Compliance Change Mgmt. Compliance Issue Mgmt. Compliance Access & SoD Mgmt. Document Mgmt. Audit Trail Cross-ERP Integration & Mapping Operational Risk Monitoring eBook Generation
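The three scans named on slides 27 and 29 (access scan, conflict scan, resolution scan), written out in Python as an added example; this is not DynaFlow or EZ-Compliance code. The users, duty names, zones, ratings and mitigating control are constructed, and it assumes one person has the same user id, up to case, in every system.

```python
from collections import defaultdict

# Constructed sample data: illustrative names, not real Baan/LN session codes or library rules.
ACCESS_ROWS = [  # (system, user id as exported, authorized duty)
    ("LN", "asmith", "VENDOR_MAINT"),
    ("Oracle", "ASMITH", "PAYMENT_RUN"),
    ("LN", "bjones", "PO_CREATE"),
    ("LN", "bjones", "GOODS_RECEIPT"),
    ("LN", "cwong", "VENDOR_MAINT"),
]
CONFLICT_RULES = [  # (zone, duty A, duty B, violation rating)
    ("Vendor payments", ("LN", "VENDOR_MAINT"), ("Oracle", "PAYMENT_RUN"), "high"),
    ("Purchasing", ("LN", "PO_CREATE"), ("LN", "GOODS_RECEIPT"), "medium"),
]
RESOLUTION_RULES = {  # (user, zone) -> documented mitigating control
    ("bjones", "Purchasing"): "Monthly receipt review by controller",
}

def access_scan(rows):
    """Stage 1: merge per-system exports into one access list per person."""
    access = defaultdict(set)
    for system, user, duty in rows:
        # Assumption: the same person has the same id, up to case, in every system.
        access[user.lower()].add((system, duty))
    return dict(access)

def conflict_scan(access, rules):
    """Stage 2: a conflict exists when one person holds both sides of a rule."""
    found = []
    for user in sorted(access):
        for zone, duty_a, duty_b, rating in rules:
            if duty_a in access[user] and duty_b in access[user]:
                found.append({"user": user, "zone": zone, "rating": rating})
    return found

def resolution_scan(conflicts, resolutions):
    """Stage 3: split conflicts into mitigated (known pattern) and still open."""
    open_items, mitigated = [], []
    for c in conflicts:
        control = resolutions.get((c["user"], c["zone"]))
        if control:
            mitigated.append({**c, "control": control})
        else:
            open_items.append(c)
    return open_items, mitigated

if __name__ == "__main__":
    conflicts = conflict_scan(access_scan(ACCESS_ROWS), CONFLICT_RULES)
    print(resolution_scan(conflicts, RESOLUTION_RULES))
```

The asmith conflict only appears once the LN and Oracle exports are merged, which is why the access scan has to run across systems before any rule is evaluated.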