How we greatly simplified and automated our SOX/SOD Compliance

| Name of Customer | Zebra Technologies |
|---|---|
| Customer Industry | Digital printing solutions |
Zebra Technologies delivers innovative and reliable specialty digital printing solutions for business improvement and security applications in 100 countries around the world.
Zebra Technologies Corporation shares are traded on the NASDAQ stock market, and the company is therefore subject to the Sarbanes-Oxley regulations. To successfully pass their SOX audit, Segregation of Duties (SOD) validation was a critical requirement to satisfy. This requirement obliges organizations such as Zebra to know at all times which enterprise/office solutions can be accessed by every employee, and to identify any conflicting accesses that could create a business risk for the company.
For Zebra, such a task brings many challenges. First, the validation was made more complex by the fact that the company operates the Baan ERP application across multiple logistical Baan databases, all of them including Zebra customizations. These environments total more than 350,000 employee authorizations to be SOD validated on a frequent basis; an impossible task to be done manually! Finally, Zebra also plans to migrate from the currently operated Baan platform to Oracle within the next 12-16 months, requiring the selection of a solution that will not only deliver a quick ROI with Baan, but also be able to support the transition to Oracle.
After a thorough investigation and selection process, Zebra selected Dynaflow as the solution provider for its Compliance Management and automated SOD validation solution. Dynaflow was the only provider that met all of Zebra's selection criteria. Not only was Dynaflow Compliance a proven solution already in use in similar organizations globally operating Baan, but its ability to import and scan various ERP/Office applications for SOD conflicts is a perfect match to assist Zebra in its Baan-2-Oracle roadmap.
Dynaflow Compliance imports the Baan DEM models in use at Zebra. These process and activity authorizations are combined with employee accounts to create an integral picture of the authorizations at the employee level. These individual authorizations are then dynamically compared with the Baan SOD Conflicting Session library, also provided by Dynaflow. Within minutes, Zebra is able to locate the specific employees and sessions posing Segregation of Duties risks from an audit point of view. The first scans, performed in April 2007, revealed more than 10,000 SOD conflicts across the different Zebra divisions.
A great benefit for Zebra is that Dynaflow Compliance is not only able to identify these conflicts automatically, but also to categorize them based on Zebra's internal policies and SOD importance ranking. All accesses and conflicts associated with Super-Users, with read-only sessions, and with non-critical sessions (together more than 60% of the total for Zebra) were therefore categorized automatically, letting the internal audit team focus on the more severe conflicts needing close attention and proper mitigation.
The first phase of the implementation targeted 5 of the 9 Zebra companies, those of the most active divisions. The scans performed not only proved to be of key importance for the SOD validation, but are also of great value for the clean-up and optimization of employee roles and menus.
The multi-company framework above, combined with the Baan DEM modeling approach chosen at Zebra, where each employee has multiple identities across different Baan companies, required a special implementation approach. To support such an architecture, Dynaflow Compliance was implemented at Zebra using multiple repositories. Each Baan company's authorizations are managed in their own "mirror" repository in Dynaflow Compliance; a very simple approach that has proven efficient and easy to maintain.
To make operations even smoother and maintenance-free, the import of employee authorizations from the 5 Baan companies was automated. Without any human intervention, Dynaflow Compliance is updated automatically every day with all authorization changes (such as employee hiring/termination, role/access modifications, etc.) and is therefore able to signal any new SOD conflicts quickly to Zebra Management.
Pierre Beaulieu, President of Dynaflow, states: "The particular structure of Zebra custom DEM authorizations across several Baan companies made this project unique and challenging. I am happy to confirm that Dynaflow Compliance functional and technical capabilities were able to address these special requirements to Zebra's satisfaction, resulting in a low-maintenance SOD Management solution for Baan, and if needed for Oracle."
Richard Jaszka, Internal Audit Director for Zebra, added: "We appreciated the responsiveness of Dynaflow specialists to adapt and to quickly find the optimal implementation approach to our non-standard DEM authorizations structure. Not only was it done without Zebra having to change our DEM configuration, the implemented automation made possible by Dynaflow Compliance greatly simplifies our SOX deliverable."
- The availability of the Baan SOD Conflicting Sessions Library, enabling all Zebra employee authorizations to be scanned and the identification of any SOD conflicts at Zebra within the very first day of implementation;
- The automated import of Baan authorizations and the background SOD scans, enabling Zebra to always have accurate and complete SOD status for all employees, much appreciated by external auditors;
- The ability to extend Dynaflow Compliance usage and benefits to any other office/enterprise applications such as Oracle, SAP, Mapics, PeopleSoft, etc.
- The ability to perform a "Preventive SOD scan", enabling Zebra to execute what-if analysis of new employee authorizations and to optimize existing employee accesses.
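As an added illustration (not Dynaflow's code; every session name, role, company and employee below is constructed), here is the scan described above in miniature: per-company "mirror" repositories are flattened to employee-level sessions, matched against a conflicting-session library, categorized by policy (super-user, read-only, non-critical), and re-run as a preventive what-if scan for a proposed grant.

```python
from collections import namedtuple
# Constructed conflicting-session library (not Dynaflow's real library): each
# pair is two sessions one person should not hold together, with a severity
# rank (3 = most severe) used when categorizing the findings.
CONFLICT_LIBRARY = {
    frozenset({"create_vendor", "approve_payment"}): 3,
    frozenset({"enter_invoice", "approve_payment"}): 3,
    frozenset({"maintain_prices", "enter_sales_order"}): 2,
}
READ_ONLY = {"display_vendor"}                           # never counts as a conflict
NON_CRITICAL = {"maintain_prices", "enter_sales_order"}  # per local policy
SUPER_USERS = {"sysadmin"}                               # triaged separately
# Constructed "mirror" repositories, one per Baan company: roles map to
# sessions and employees map to roles.
REPOSITORIES = {
    "ZEB01": {"roles": {"ap_clerk": {"create_vendor", "enter_invoice"},
                        "ap_manager": {"approve_payment", "display_vendor"}},
              "employees": {"alice": ("ap_clerk", "ap_manager"), "bob": ("ap_clerk",),
                            "sysadmin": ("ap_clerk", "ap_manager")}},
    "ZEB02": {"roles": {"pricing": {"maintain_prices"}, "sales": {"enter_sales_order"}},
              "employees": {"carol": ("pricing", "sales")}},
}
Conflict = namedtuple("Conflict", "company employee sessions severity category")

def employee_sessions(auth, employee):
    """Union of the sessions granted through each of the employee's roles."""
    return set().union(*(auth["roles"].get(r, set())
                         for r in auth["employees"].get(employee, ())))

def scan_employee(company, auth, employee, extra=()):
    """Conflicts for one employee; 'extra' adds not-yet-granted sessions so the
    same routine serves the preventive what-if scan."""
    sessions = (employee_sessions(auth, employee) | set(extra)) - READ_ONLY
    found = []
    for pair, severity in CONFLICT_LIBRARY.items():
        if pair <= sessions:  # both sessions of the pair held by one person
            category = ("super-user" if employee in SUPER_USERS else
                        "non-critical" if pair & NON_CRITICAL else "review")
            found.append(Conflict(company, employee, pair, severity, category))
    return sorted(found, key=lambda c: -c.severity)

def scan_all(repos):
    """Full scan of every employee in every company repository (the daily run)."""
    return [c for company, auth in repos.items()
            for emp in auth["employees"] for c in scan_employee(company, auth, emp)]

def preventive_scan(repos, company, employee, proposed):
    """What-if: conflicts that granting 'proposed' sessions would newly create."""
    before = set(scan_employee(company, repos[company], employee))
    after = set(scan_employee(company, repos[company], employee, proposed))
    return sorted(after - before, key=lambda c: -c.severity)
```

Only the "review" category is left for the audit team; super-user and non-critical findings are still recorded but filed separately, mirroring the triage described above.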
Senior Internal Auditor for Zebra, Eniko Tucker, adds: "Significant time and effort was required to review and streamline the authorizations we give to our employees globally. We appreciate greatly the ability of Dynaflow Compliance to enable visibility of our authorizations via a simple-to-use Portal and to fully automate the tedious manual work to monitor current and new SOD conflicts. A true time and cost saving for us."