Global Restaurant Chain -- Sarbanes-Oxley Compliance
Overview
In preparation of an initial public offering, we assisted a leading restaurant company with complying with Section 404 of the Sarbanes-Oxley Act. We were involved in all phases of the project, including scoping; performing a risk assessment; documenting entity-level and activity-level controls; preparing test plans and performing testing procedures; and managing remediation activities. In addition, we facilitated on-going discussions with the external auditors and provided thought leadership to streamline the compliance effort and make internal controls more cost-effective and reliable. We also helped the company train internal resources to perform testing on a permanent basis and utilize GRC software to track testing activities and results.
Outcome
The company successfully obtained an unqualified attestation in its first year of compliance without any significant deficiencies and is now self-sufficient in sustaining compliance.
International Oil & Gas -- Business Performance Improvement
Overview
We assisted with a performance improvement (process redesign) project for a major oil and gas organization. The focus of the project was to evaluate, redesign and reduce the financial reporting cycle from 20 days down to 5 business days. This first phase of this project involved significant documentation of all aspects of the current process and a critical path analysis to determine where efficiencies can be achieved through process redesign, use of technology or reallocation of resources. The second phase of the project involved the implementation of the findings and recommendations from phase 1.
Outcome
Based on the results of the analysis and the implementation of the recommendations, our client was able to successfully reduce their financial reporting cycle to 5 business days, representing a 75% time reduction.
Global Restaurant Chain -- SOX ITGC Monitoring
Overview
To improve the reliability of its IT general controls (ITGCs), Sunera deployed a controls monitoring program for an international restaurant company. We developed manuals which provide easy-to-follow guidance for IT personnel on how and when to perform their controls and how to evidence their activities. In addition, we created self-assessment test plans to be performed by assessors within the IT department. Sunera also configured a GRC tool to automatically remind control owners and assessors to perform tasks. The software also tracks self-assessment activities and results and retains testing evidence.
Outcome
As a result of the SOX controls monitoring program, the IT department experienced fewer control failures. The IT department is able to monitor the effectiveness of its controls throughout the year and remediate as necessary. The program was well received by IT personnel because it provides them with the guidance they need to perform their internal control responsibilities. In addition, because the IT department collects much of the evidence through the self-assessment program, there is less disruption to IT operations from audits.
Perishable Food Distributor -- Disaster Recovery Planning
Overview
In preparation for the upcoming hurricane season, a Florida company engaged Sunera to assess its IT infrastructure to identify and mitigate any single points of failure. We evaluated all aspects of the company’s IT environment, including its network, servers, applications and EDI. For all critical infrastructure components, we identified single points of failure and developed cost-effective recommendations to mitigate the risks. We also prepared detailed remediation and testing plans to be executed by the company’s IT personnel.
Outcome
The company did not incur any downtime during the subsequent hurricane season.
Home Security Monitoring -- IT Strategic Assessment
Overview
Sunera was engaged by a fast growing home security monitoring firm to determine whether it had the IT infrastructure, operations and organization in place to effectively support its expanding business operations. We assessed all aspects of the company’s technology and IT policies, procedures and practices, including architecture, application portfolio, governance, strategy, financial management, skills development, support and delivery, project management, and systems development. We prepared recommendations to reduce costs and improve service levels by taking into consideration the company’s industry and relative size. Our recommendations were prioritized based on risk and benefits to the company.
Outcome
Sunera provided the company with the guidance it needed to make the organizational and technology changes to support the demands of its growing business.
Cruise Line -- Supply Chain Audit
Overview
As part of a co-sourced IT audit arrangement, Sunera performed a security and controls audit of a cruise line’s supply chain management systems. Our audit procedures included assessing user authentication controls, configurable controls, tolerances, interface controls and logging. In addition, we performed a detailed segregation of duties analysis of each system to identify high-risk access violations. In support of the business auditors, we performed CAATs to select transactions for substantive testing.
Outcome
As a result of our audit findings, the company corrected inefficient and costly supply chain practices.
Packaging Company -- Approva BizRights Deployment
Overview
We were engaged by a Fortune 1000 packaging company to deliver a broad range of Approva BizRights services in a complex SAP environment. Our responsibilities included configuring SAP Authorization Insight rules, leveraging User Activity Insight data to streamline the remediation process, redesigning SAP security, configuring Access-On-Demand and user provisioning using AMI, upgrading from BizRights 3.0 to 3.5.2, and configuring Process Insight rules to use as compensating controls.
Outcome
The company now enjoys a more secure SAP environment. In addition, the company can detect potential segregation of duties violations before changes are made to user access and automated process controls are in place to mitigate incompatible duties which could not be removed from the system for operational reasons.
Global Power Producer -- IT Audit Co-source
Overview
Following a competitive tender in which Sunera was asked to deliver a trial audit, Sunera was engaged by a major Global Energy Company to deliver IT internal audit services at its international portfolio of power stations. The assignment included developing and executing a fixed-scope work program to review technical, regulatory and organizational policy compliance at each site. The delivery methodology was arranged to ensure testing and final reporting were completed during the brief time on-site at each power station. In addition, Sunera was asked to deliver a core team of UK and USA based resources to enable consistent and rapid deployment of IT audit services to support completion of the Internal Audit plan.
Outcome
Sunera has delivered an average of one IT audit per month, to time and budget, across Europe, North America, Australia and the Middle East. A core team of five employees across Europe and USA has been trained to deliver this work to ensure continuity of skills and re enforce the ability to deliver at short notice. The Global Energy Company was able to meet the commitments of the IT Internal Audit plan for 2007, and has an international multidisciplinary team available to support the coming year’s work.
Cruise Line –- Data Privacy
Overview
Sunera was engaged to perform a comprehensive data privacy project for a large multinational cruise line. Our project activities included the development of a privacy framework encompassing a privacy policy, privacy principles, data protection practices, breach notification procedures and a comprehensive data inventory. In addition, we helped the company to register with privacy authorities and implement privacy practices to comply with domestic and international data privacy laws and the company's new privacy policy. Throughout the engagement, areas of high risk were identified and appropriate procedures and practices were developed to reduce the risk to the organization.
Outcome
As a result of our data privacy engagement, a comprehensive corporate privacy framework and policy were implemented and leveraged to ensure compliance with data privacy legislation from around the world.
National Retailer -- Control Rationalization Project
Overview
The objective of this project was to conduct an assessment and rationalization of all internal controls over financial reporting for a national retailer. We employed a top-down, risk-based (TDRB) approach in accordance with Audit Standard #5 in order to conduct the assessment. In accordance with a TDRB approach, we reviewed company level controls (entity controls) and I/T general controls to ensure appropriate coverage and identified any redundancies between the controls. Based on the strength and effectiveness of the entity level and general computer controls, we evaluated all financial and automated (application) transactional controls to identify and remove redundant controls or non-key controls that did not specifically address financial reporting risks/objectives. We also identified where I/T automated controls could be leveraged, resulting in the removal of unnecessary manual financial controls. Based on a control risk assessment, we presented a risk-based testing strategy to reduce ongoing testing requirements.
Outcome
We identified 320 controls (or 60% of 532 original controls) through our control rationalization efforts that could be eliminated. Based on the controls eliminated and the incorporation of a risk-based testing strategy, we estimated cost savings of approximately $220,000 per year in testing efforts.
International Oil & Gas -- Vendor Audit / Contract Compliance
Overview
We led and conducted a Vendor Audit / Contract Compliance and cost recovery audit for an International Oil & Gas organization. The audit used generalized audit software (ACL) to provide management with data analysis needed to negotiate an upcoming contract extension. The audit also included accounts payable data analysis, and examinations of vendor payroll, direct service provider, and 3rd party billings. Vendor billings were further examined for duplicates, indirect costs, labor and equipment rate increases, labor and equipment category trends, contract controls and fraud.
Outcome
As a result of the audit, the Company successfully negotiated a contract extension with the supplier. The ACL audit program developed by Sunera made the recovery effort more efficient and effective to identify and collect on payment exceptions. Based on our data analysis, we identified a potential recovery of costs of $2.6 million (or 14% of total vendor expenses) for the organization. The recommendations from the audit also helped the Company to improve its internal controls over the contract and payment process.
Quick Service Restaurant Company -- Compensation Audit
Overview
Sunera was engaged by a leading global quick service restaurant company to complete an internal audit project impacting the compensation function. The engagement included developing and executing an audit program against agreed upon objectives. Specifically, we reviewed the procedures surrounding the payment of executive and equity compensation, relocation expenses, and salaries and bonuses. Sunera delivered comprehensive work papers and an audit report that was used by the Internal Audit Director as part of quarterly update to the Audit Committee.
Outcome
As a result of this audit, Internal Audit provide management valuable and valued added feedback that resulted in several suggested changes to existing processes and procedures that could be incorporated on a go forward basis.
