Orange County Convention Center, Orlando, Florida, May 15-18, 2011
Lessons from McKesson's Approach to Maintaining a Mature, Cost-Effective Sarbanes-Oxley Program
Vickie Pilotti, Kelly Worley, Ben Wienand
Overview
- SAP Security introductions
- McKesson overview
- Share our SOX Compliance Program journey through people, technology and processes
- Key learning
- Q&A
Learning Points
- Journey through McKesson's SOX compliance program evolution
- Walk through a step-by-step approach to building out a long-term roadmap
- Identify how to create a holistic view of a SOX controls environment
- Walk away with short- and long-term ideas for opportunities to improve and streamline compliance processes
- Understand what McKesson is doing to further enhance its SOX program
McKesson Overview
- Largest healthcare services company in the world: Fortune 14, $108 billion in revenue (FY10)
- More than 43,000 employees dedicated to healthcare
- Oldest U.S. healthcare company: established in 1833, 177 years driving innovation in healthcare
- Only company offering solutions at every point of care
- Deep clinical, IT, and process expertise
- SAP processes are ISO 27001:2005 certified
McKesson Overview
- We deliver 1/3 of all medicines used each day in North America
- 90% of retail pharmacies use our claims processing network
- 50% of hospitals use our software, automation, and services
- 20% of physicians use our software, supplies, and services
- 90% of public and private payors use our software, programs, and services
McKesson's Journey: Organization/People, Technology, Process
SAP Security 7
SAP Security: The People
The SAP Security Team is comprised of just four core team members and one manager:
Early SOX Compliance Program: Technology
Three-phase implementation plan (graphic): Phase 1: Risk and Remediation; Phase 2: Compliant User Provisioning; Phase 3: Super User Privilege Management
Introduction
- McKesson selected the SAP GRC tool in 2005
- Selected 3 out of 4 modules
- We created a three-phase plan of implementation
Early SOX Compliance Program: Technology
Phase 1: Risk and Remediation
- Allows one central repository for Segregation of Duties (SoD) rules
- Ties mitigating controls to risks
- Provides details of risk for remediation
Early SOX Compliance Program: Phase 1 Benefit to McKesson (Risk and Remediation)
- Categorization of rules
- Ability to create custom rules
- Prioritized reporting of SoDs
- Identification of self-conflicting roles
McKesson does not guarantee you will receive the same result
Early SOX Compliance Program: Technology
Phase 2: Compliant User Provisioning
- Automated user provisioning
- Works in conjunction with Risk and Remediation
- Minimizes risks
Early SOX Compliance Program: Phase 2 Benefit to McKesson (Compliant User Provisioning)
- Reduction of provisioning cycle time
- Enforced risk mitigation prior to provisioning
- Moved to self-service
- Detailed audit logs
McKesson does not guarantee you will receive the same result
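The Phase 1 and Phase 2 slides describe the mechanics in outline only: an SoD rule set, mitigating controls tied to risks, detection of self-conflicting roles, and a provisioning gate that refuses a request until its risks are mitigated. The example below is added here to show those mechanics working together; it is not McKesson's code or SAP GRC logic, and the rule ids, role names and transaction codes are constructed samples.

```python
"""Constructed illustration of SoD risk analysis and a pre-provisioning gate."""
from datetime import date

# Constructed SoD rule set: risk id -> (description, function A, function B).
# A function is the set of transaction codes that perform it; a user (or a
# single role) who can execute both functions of a rule carries that risk.
RULES = {
    "P001": ("Create vendor and pay vendor", {"XK01", "FK01"}, {"F110", "F-53"}),
    "P002": ("Maintain PO and post goods receipt", {"ME21N", "ME22N"}, {"MIGO"}),
}

# Constructed role definitions: role name -> transaction codes it grants.
ROLES = {
    "Z_AP_VENDOR_MAINT": {"XK01", "XK02"},
    "Z_AP_PAYMENTS": {"F110", "F-53"},
    "Z_PURCHASING_ALL": {"ME21N", "ME22N", "MIGO"},  # covers both sides of P002
}


def risks_for(tcodes):
    """Return the ids of rules whose two functions are both covered by tcodes."""
    return sorted(rid for rid, (_, fa, fb) in RULES.items()
                  if tcodes & fa and tcodes & fb)


def self_conflicting_roles(roles=ROLES):
    """Phase 1 finding: roles that violate an SoD rule on their own."""
    return {name: risks_for(tc) for name, tc in roles.items() if risks_for(tc)}


def user_risks(user_roles):
    """Risk analysis across everything the user's roles grant, not per role."""
    granted = set().union(*(ROLES[r] for r in user_roles))
    return risks_for(granted)


def provisioning_check(user_roles, new_role, mitigations, today):
    """Phase 2 style gate: approve only if every risk the request would create
    is covered by a mitigating control that is still in force.

    mitigations: {risk id: expiry date} assigned to this user. An expired
    control (e.g. not re-authenticated in the yearly cycle) does not count."""
    after = user_risks(user_roles + [new_role])
    unmitigated = [r for r in after if mitigations.get(r, date.min) < today]
    return ("approved" if not unmitigated else "rejected", unmitigated)
```

The gate evaluates the user's combined access after the request, so a role that is clean by itself is still rejected when it completes a conflict with roles the user already holds.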
Early SOX Compliance Program: Technology
Phase 3: Super User Privilege Management
- Restricted access to sensitive transactions
- Ability to monitor sensitive access
- Reports changes made to the system
Early SOX Compliance Program: Phase 3 Benefit to McKesson (Super User Privilege Management)
- Audit simplification
- Notification to owners, enabling process intervention
- Greater accountability for changes
McKesson does not guarantee you will receive the same result
Enhancing the Program
How to go from tool implementation to a comprehensive and fully integrated Compliance Program
You Need a Road with a Solid Vision 17
Envision Where You Want To Be
- Figure out your pain points
- Determine where you want to go
- Plot a course to get there
- Use high-level objectives
- Begin at 30,000 ft
Create a High-Level Plan
(Roadmap graphic: phases plotted against Business Value/Decreased Cost of Ownership, ending at Sustainable Compliance)
- Phase 1 (Q4 FY10): Build foundation. Document all current processes and control mechanisms.
- Phase 2 (Q1 FY11): Identify process and control improvements. Set baseline metrics.
- Phase 3 (Q1/Q2 FY11): Gain alignment with stakeholders.
- Phase 4 (Q2 FY11): Begin implementing improvements based on priority and benefit vs. cost and return.
- Phase 5 (Q4 FY12): Evaluate results, and continue to build upon the improved model.
Where was McKesson going? (program model diagram)
- Auditing and Self-Assessments
- Change Leadership
- Research
- Control Efficiency
- Collaboration
- Training/Education for: Role Owners and Managers; Risk Owners; Stakeholders and Sponsors
- Tools: GRC Expansion; Archer; Custom Web applications
- Conferences, Forums, External discussions
- Process: Lean efficiency and automation; Accountability; Easily auditable; Collaboration; Control Efficiency
- Governance: Process & Design Consistency; Executive Level Business Sponsorship
Refine the plan into a tactical roadmap
(Timeline graphic: Q4 FY10 through Q3 FY11, Jan to Dec)
- Process: Process and Control Definition; ZTEMP Process; Monthly SoD Process; Implementation of new processes, i.e., FF Reauthentication, SoD Rule Set Review, etc.; User ID Standardization; Fire Fighter Improvements for Program and Table Access
- Research: GRC and Other Compliance Tools (CUA, Password Self-Service, YROLE, Portal, IDM, SSO, Cross-system SoDs); Ongoing External Research
- Tools: Tool Scoping and Implementation?
- Education/Change Leadership: Definition and Scoping; Implementation and continuous improvement
Align with Partners and Key Stakeholders
- Build solid partnerships with Internal Risk Agencies and Stakeholders
- Align cross-agency objectives
- Understand what it is you're both trying to achieve
Building the Program Step by Step
- Control numbers tie back directly to the SOX workbooks
- Missing processes can either be left blank or noted otherwise (i.e., in another color)
Step by Step (cont.)
A RACI chart was then crafted to identify the various process components, and who was responsible and accountable for each
Step by Step (cont.)
Each process was then documented in a flowchart
Step by Step (cont.)
End Result: A solid foundational structure
New End State
End Result: All controls are active, in place, and green!
Additional Program Details
- The core controls within our program revolve around the validation of access and master data elements
- Philosophy is that all relevant data maintained within GRC should be validated at least once per year: User Access, Risk Owners, Role Owners, Rule Set, etc.
- We refer to this as our Re-authentication Cycle, and it makes up 26% of our controls
- Helps to ensure data and access integrity, as well as validate that the incoming process is working as intended
We had our house, but something was missing
(Program model diagram repeated from the "Where was McKesson going?" slide)
Program Model Overhaul
We redesigned our program model to accurately reflect our goals and long-term vision
Inclusion of Key Metrics
- We also recognized the need for key metrics to measure our success, and designed a SOX reporting dashboard
- Other metrics tracked separately include costs of the program and cost trend graphs
Updated Roadmap
This revised thought process led to an update of the roadmap to again reflect the continuous improvement concept
Ideal End State
The ultimate goal and end state is to:
- Eliminate the need for self-audits through the use of tools and technology (example: implementation of Process Controls)
- Achieve full automation of our SOX Compliance Program: not so we can kick our feet up, but so we can remain strategic, rather than tactical
Key Learning
- Leverage the strength of your people, technology and processes
- Build solid partnerships with Internal Risk Agencies and Stakeholders
- Build a compliance document to obtain a holistic view of your controls, being sure to tie back to applicable processes
- Construct a roadmap or strategic document
- Design an evaluation process to improve service efficiencies and automation
- Get ISO 27001:2005 certified! This adds additional process support and rigor to your program as well as external validation of your efforts that the customers can see.
Questions?
Contact Information
Vickie Pilotti, Sr. Manager SAP User Services, Phone: 415-983-9157, Vickie.Pilotti@McKesson.com
Kelly Worley, SAP Security Manager, Phone: 415-732-1226, Kelly.Worley@McKesson.com
Ben Wienand, SAP Compliance Manager, Phone: 415-983-7691, Benjamin.Wienand@McKesson.com
Thank you for participating. Please remember to complete and return your evaluation form following this session. For ongoing education in this area of focus, visit www.asug.com. SESSION CODE: 1008