Like most small public companies, Abiomed Corp., a $73 million medical device maker, must meet all the same Sarbanes-Oxley internal control compliance requirements as most large public companies—but with far fewer resources.

Little wonder, then, that achieving SOX compliance quickly proved to be an expensive, labor-intensive process that overwhelmed Abiomed’s small IT staff. A particularly daunting challenge was staying on top of segregation-of-duties controls. Prior to implementing a compliance automation tool last year, the company’s manager of applications had to compile and distribute Excel-based segregation-of-duties analysis reports by hand, which were then reviewed and approved by each department manager every quarter. That, Abiomed CIO Sharon Kaiser says, “took forever.”

Such a manual process also carried security risks. Because the spreadsheet was a complex matrix marked with various profiles, roles, and transactions, “you really had to know what you were looking at to see if somebody had a particular role that they shouldn’t have,” Kaiser explains. Few employees knew how to analyze that data well, she says.

What’s more, Abiomed had no easy way to determine if a new security request would inadvertently introduce a new or different security risk.

By mid-2009, Kaiser and Abiomed Controller Ian McLeod started to assess how the company could mitigate its compliance risks more effectively, and better analyze the potential consequences of changing a user’s security permissions. The goal, McLeod says, was a control system that could police against somebody changing access privileges in ways that might put the company at risk.

Finding a vendor did not take long. Over the previous three years, Abiomed had been working with Symmetry Corp., a consulting firm that helped Abiomed manage its SAP enterprise software. “They do most of the legwork,” Kaiser says. “If we have to add a new role in the system or add a profile, they’re the ones that actually do it.”

Symmetry alerted Kaiser and McLeod to an automation tool called ControlPanelGRC from SymSoft, an offshoot from Symmetry that sells GRC software. “We thought the tool they offered sounded great, but as small of a company as we are, we didn’t think we could afford an automated tool to help us with our risk compliance,” Kaiser says.

Kaiser and McLeod let the idea stew for a few months. But Kaiser says the more she reviewed the different modules of ControlPanelGRC, the more she realized it was “the right tool for us.” Abiomed finally installed the tool last October.

Getting It Done

Kaiser describes the implementation itself as “anticlimactic;” the process took only three days. Training and effective use of the entire suite of modules, however, “we’re still working on,” McLeod quips.

Abiomed trains selected members of the finance and IT teams on the SymSoft tool, both at the company’s headquarters in Danvers, Mass., and at its facilities in Germany. “It’s pretty user friendly,” McLeod says. “You don’t have to be an IT security expert to look at the forms and see how it’s going to affect the business, so it’s very functional from a standpoint that it allows the real business owners to look at it in an easy way.”

ControlPanelGRC makes Abiomed’s compliance mandates more efficient to complete by identifying risks on a real-time basis, McLeod says. For example, its Risk Analyzer and Usage Analyzer modules (the software program has seven in total) automate the analysis of potential segregation-of-duties conflicts and identify anyone who has actually executed a potential risk. The transport module of the toolset also documents functional changes made to the system, who requested each change, and who from Abiomed’s change-review team approved it.

Kaiser says the software also provides a bird’s-eye view, allowing her to identify issues and risks before they even happen. She offers a recent example in which she was able to identify through the system two functions that, taken together, could have been a potential risk to the company. By drilling down further into the details, she was also able to discover who had the ability to execute that risk—and whether they had ever executed it in the past. “So we were able to remove that risk from that person’s profile before the auditors ever came in,” she explains.
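To make the analysis concrete, here is an added example in Python (not Abiomed’s, Symmetry’s or SymSoft’s code, and not ControlPanelGRC’s own logic) that does the three things the article describes: it finds users whose combined roles grant a conflicting pair of functions (SAP transactions, in Abiomed’s case), narrows those to users who have actually executed both sides of the conflict, and previews whether a proposed role grant would introduce a new conflict. All role names, functions and log entries are constructed.

```python
# Minimal segregation-of-duties (SoD) analyzer over a constructed role model.

# Constructed sample data (hypothetical names, not Abiomed's SAP roles).
ROLE_FUNCTIONS = {
    "AP_CLERK":   {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment", "release_payment"},
    "PURCHASER":  {"create_po", "receive_goods"},
}
CONFLICT_RULES = {  # function pairs one person must not hold together
    "vendor_and_payment": ("create_vendor", "approve_payment"),
    "po_and_receipt":     ("create_po", "receive_goods"),
}
USER_ROLES = {
    "alice": {"AP_CLERK", "AP_MANAGER"},
    "bob":   {"AP_CLERK"},
    "carol": {"PURCHASER"},
}
# Constructed execution log: (user, function) events pulled from the system.
EXEC_LOG = [("alice", "create_vendor"), ("alice", "approve_payment"),
            ("carol", "create_po")]

def user_functions(roles):
    """Union of all functions granted by a user's set of roles."""
    return set().union(*(ROLE_FUNCTIONS.get(r, set()) for r in roles))

def find_conflicts(user_roles):
    """Map each user to the conflict rules their combined roles violate."""
    hits = {}
    for user, roles in user_roles.items():
        funcs = user_functions(roles)
        broken = [name for name, (a, b) in CONFLICT_RULES.items()
                  if a in funcs and b in funcs]
        if broken:
            hits[user] = broken
    return hits

def executed_conflicts(conflicts, exec_log):
    """Keep only conflicts whose both functions the user has actually run."""
    done = {}
    for user, rules in conflicts.items():
        used = {f for u, f in exec_log if u == user}
        done[user] = [r for r in rules if set(CONFLICT_RULES[r]) <= used]
    return done

def preview_grant(user_roles, user, new_role):
    """What-if check for a security request: conflicts the grant would add."""
    before = set(find_conflicts(user_roles).get(user, []))
    trial = {**user_roles, user: user_roles.get(user, set()) | {new_role}}
    after = set(find_conflicts(trial).get(user, []))
    return sorted(after - before)
```

In this data alice both holds and has exercised the vendor/payment conflict, carol holds a conflict she has never fully exercised, and granting bob the AP_MANAGER role would create a new conflict that a reviewer should see before approving the request.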

The ControlPanelGRC tool can do more, but Kaiser says Abiomed has chosen to implement some modules earlier than others and step into full implementation slowly. “As we gain knowledge of the software, we’re starting to add more information into it,” she says. For example, she says, new or important tasks are now being added to the Batch Manager module, which monitors and controls the company’s batch jobs from SAP.

Abiomed’s outside auditor, Deloitte and Touche, will want to learn more about the tool over the next audit cycle to assist in planning its audit approach. “They are aware of it and appreciate the tool’s ability to make it easier for people to identify and mitigate risks,” says McLeod. During future audits, the auditors will be able to view online much of the information that previously was compiled manually, Kaiser says, and next year the team wants to see how it can use ControlPanelGRC to make its own reviews more efficient.

But while Abiomed has benefited from ControlPanelGRC, Kaiser cautions that it is not a universal solution for everyone. “My advice would be to identify what you’re really looking for, and then fit the tools for what your business requirements are … because you can really overbuy in this marketplace,” she says.

Another warning, from an IT perspective: “Don’t make it a technical project,” she advises; bring the finance team into the project early so it can express its needs and concerns.

Finally, “talk to your auditors,” McLeod says. The more you communicate with them about your business, the better they will understand it. This should make their audit approach more efficient, and you will have a better working relationship with them.