
FRIDAY, FEBRUARY 26, 2010
Publicly traded companies must comply with a range of regulations, from occupational health and safety rules and privacy laws to financial-reporting and corporate-governance rules intended to protect investors. Examples include HIPAA and the Sarbanes-Oxley Act (Sarbox).
Complying with and managing all of these regulations is a daunting task that, when handled manually, is both time-consuming and risky.
The Challenges
Abiomed is a 29-year-old global company headquartered in Danvers, Mass., that develops artificial-heart technology and cardiac-assist devices, known as recovery pumps, for critically ill patients. According to CIO Sharon Kaiser, the company needed to get a better handle on its SOD (segregation of duties) and risk as part of its audit requirements. “And, as a publicly traded company, we needed a tool to help us manage our Sarbanes-Oxley compliance needs.”
After reviewing the various options, Abiomed chose ControlPanelGRC from SymSoft (www.controlpanelGRC.com) to solve these daily issues. Based in Milwaukee, Wis., SymSoft provides GRC (governance, risk, and compliance) software solutions for SAP application environments. “Our flagship product, ControlPanelGRC, is a second-generation suite of modular, integrated GRC applications that address the major areas of compliance concern at every level for SAP users, especially in heavily regulated industries,” says Scott Goolik, SymSoft CTO.
At Abiomed, Kaiser says, “We’re always looking at the potential risks . . . to make sure that our financial statements are accurate and timely.” Kaiser says, “We were closely monitoring the risks, but many of these tasks are performed manually, and we were limited to the information that we could obtain ourselves from the system. It was a very labor-intensive process. . . . The more I reviewed the different modules of ControlPanelGRC, the more I realized it could save us time and effort and streamline some of our compliance efforts. That’s why we chose this product,” she says.
Kaiser says SymSoft’s Goolik implemented the program for Abiomed, adding that “It was a non-event for us.”
Goolik provided Abiomed employees with onsite training, answered questions, and worked through the little bugs in the system. Kaiser says there was little to no learning curve. Goolik showed Abiomed employees what the software could do, he provided the documentation, and then the employees were up and running. Abiomed has a team in Germany that is also using the program and was able to attend the training session remotely.
How It Works
Goolik says ControlPanelGRC reduces the time, expense, and distractions associated with manual audits by embedding compliance into day-to-day operations and business processes. “The solution goes beyond SOD requirements and takes a broader view of controls, which allows organizations to be more strategic in their approach to deploying IT and other personnel,” he says.
According to Kaiser, Abiomed is using the entire ControlPanelGRC suite, which includes seven different modules: the GRC Risk Analyzer, Usage Analyzer, Transport Manager, User and Role Manager, Emergency Access Manager, AutoAuditor, and Batch Manager.
“We used to get a report from [another program] that would say that certain users, because of their roles and profiles in SAP, were a high-risk, mid-, or low-risk, and that they might have a conflict of duty,” says Kaiser. “We look at a report that says, ‘You might have a high risk here because of how these people are set up in the system.’”
She explains that ControlPanelGRC now tells Abiomed administrators when someone has actually violated a risk, which Abiomed can monitor to ensure that no one acts outside their assigned roles. With the Risk Analyzer the SOD analysis is fully automated, Kaiser reports: it produces the same potential-conflict report, and the Usage Analyzer takes it one step further by identifying anyone who has actually executed that risk, for example a user who has both set up a vendor and posted an invoice. This helps administrators manage their business and their security, and it helps with Sarbox compliance, she adds.
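The distinction drawn above, between a static report of who could violate a segregation-of-duties rule and a usage report of who actually has, is easy to show in code. The following Python is an added example, not ControlPanelGRC's or Abiomed's code: the rule set, role definitions, user assignments and transaction log are constructed sample data, the SAP-style transaction codes (XK01, FB60, F110 and so on) are used as illustrative identifiers, and the risk ratings are assumptions.

```python
"""Segregation-of-duties (SOD) analysis, static and usage-based.

Added illustration, not ControlPanelGRC's code. Transaction codes are SAP-style
identifiers used for illustration; the rules, roles, users and transaction log
below are constructed sample data.
"""
from collections import defaultdict

# Constructed rule set. Each rule names two groups of transaction codes that one
# person should not be able to run both of. P2P-01 is the conflict the article's
# example describes: set up a vendor (XK01/XK02), then post an invoice to it
# (FB60/MIRO). Risk ratings are an assumption for the example.
SOD_RULES = {
    "P2P-01": ("Maintain vendor master + post vendor invoice",
               frozenset({"XK01", "XK02"}), frozenset({"FB60", "MIRO"}), "high"),
    "P2P-02": ("Post vendor invoice + run payment program",
               frozenset({"FB60", "MIRO"}), frozenset({"F110"}), "high"),
    "O2C-01": ("Maintain customer master + post incoming payment",
               frozenset({"XD01", "XD02"}), frozenset({"F-28"}), "medium"),
}

# Constructed role definitions (role -> transaction codes it grants) and
# user-to-role assignments, in the shape an SAP authorization extract would give.
ROLE_TCODES = {
    "Z_AP_CLERK": {"FB60", "MIRO", "FBL1N"},
    "Z_VENDOR_MAINT": {"XK01", "XK02", "XK03"},
    "Z_AP_PAYMENTS": {"F110", "FBL1N"},
    "Z_AR_CLERK": {"F-28", "FBL5N"},
    "Z_CUSTOMER_MAINT": {"XD01", "XD02"},
}
USER_ROLES = {
    "jdoe": {"Z_AP_CLERK", "Z_VENDOR_MAINT"},
    "asmith": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},
    "kwong": {"Z_AR_CLERK", "Z_CUSTOMER_MAINT"},
    "mlee": {"Z_AR_CLERK"},
}

# Constructed transaction log: (user, transaction code, document key).
TRANSACTION_LOG = [
    ("jdoe", "XK01", "VENDOR-100042"),
    ("jdoe", "FB60", "INV-2010-0317"),
    ("asmith", "FB60", "INV-2010-0318"),
    ("asmith", "FBL1N", "-"),
    ("kwong", "F-28", "PAY-0077"),
    ("mlee", "F-28", "PAY-0078"),
]


def effective_tcodes(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Union of transaction codes reachable through all of a user's roles.
    A conflict can arise across two individually clean roles, so roles are
    never checked in isolation."""
    return set().union(*(role_tcodes.get(r, set()) for r in user_roles.get(user, ())))


def potential_conflicts(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES, rules=SOD_RULES):
    """Static SOD report: who *could* violate a rule, given their authorizations.
    Returns {user: [(rule_id, risk), ...]}; users with no findings are omitted."""
    findings = defaultdict(list)
    for user in user_roles:
        granted = effective_tcodes(user, user_roles, role_tcodes)
        for rule_id, (_name, side_a, side_b, risk) in rules.items():
            if granted & side_a and granted & side_b:
                findings[user].append((rule_id, risk))
    return dict(findings)


def executed_conflicts(log=TRANSACTION_LOG, rules=SOD_RULES):
    """Usage-based SOD report: who has actually run both halves of a rule.
    Returns {user: {rule_id: {"side_a": [docs], "side_b": [docs]}}} so the
    reviewer gets the concrete documents to follow up on, not just a rule name."""
    executed = defaultdict(lambda: defaultdict(list))   # user -> tcode -> docs
    for user, tcode, doc in log:
        executed[user][tcode].append(doc)
    findings = defaultdict(dict)
    for user, by_tcode in executed.items():
        ran = set(by_tcode)
        for rule_id, (_name, side_a, side_b, _risk) in rules.items():
            if ran & side_a and ran & side_b:
                findings[user][rule_id] = {
                    "side_a": [d for t in sorted(ran & side_a) for d in by_tcode[t]],
                    "side_b": [d for t in sorted(ran & side_b) for d in by_tcode[t]],
                }
    return dict(findings)


if __name__ == "__main__":
    for user, hits in sorted(potential_conflicts().items()):
        print(f"POTENTIAL  {user}: {hits}")
    for user, hits in sorted(executed_conflicts().items()):
        print(f"EXECUTED   {user}: {hits}")
```

On the constructed data the static report flags three users (jdoe, asmith and kwong each hold roles that together cover both sides of a rule), while the usage report flags only jdoe, who actually created a vendor and then posted an invoice. That gap is the point: the static list is what functional owners review and mitigate, and the executed list is what needs investigation now. In a real deployment the log would come from the system's own audit or change records, and the evidence columns would carry timestamps and amounts as well as document keys.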
“In terms of the risk side,” says Kaiser, “When we look at SOD analysis, we will realize a cost reduction, because many of the items that have been performed manually will now be handled by ControlPanelGRC, including the reporting.”
“Now we can manage things easier and in a more controlled manner. We can see potential risks earlier, so that we can mitigate them. The Usage Analyzer shows actual risks that need to be addressed, and we can do the pre-analysis to mitigate the risk before it becomes a problem,” says Kaiser.
Abiomed’s team in Germany has used the Security Management module to make a requested security change. “They . . . asked one question and, instantly, the request was in the system for the functional owner to be notified for approval, via workflow. They did it, so it was very intuitive. Once their confidence level is up, I probably won’t get any more questions. It was very simple, very easy,” notes Kaiser.
More Challenges, More Solutions
Kaiser adds that Abiomed does not have an internal audit department, so, before ControlPanelGRC, Sarbox compliance was also performed manually. “We actually hire a company to perform a pre-audit, based on our audit controls, and they tell us if they discover any deficiencies. These pre-auditors come once a year, for four weeks, and charge us by the hour.”
When the official auditors arrive, they review Abiomed’s controls and evaluate the pre-auditors’ information and findings. Then they decide what additional audit tests need to be performed, adds Kaiser. Because much of the data that the pre-auditors review is on a ticket-by-ticket basis, this task takes a lot of time.
“ControlPanelGRC allows them to see this information online, so they can locate and verify it much more quickly. I believe these added features will cut the pre-auditors’ time in half (or more), thereby providing a significant savings.”
But Kaiser says the Abiomed applications manager sees some of the best benefits of ControlPanelGRC. Previously, the applications manager spent about 10 hours a quarter pulling SOD analysis reports, printing them, preparing packets of information, and then distributing them to the functional owners for review. After the review process concludes, the functional owners must sign and return these reports to the applications manager for filing, explains Kaiser.
That task is now obsolete, Kaiser says. ControlPanelGRC creates the SOD reports, then routes them to the correct functional owners through workflow. The owners review the reports online and indicate their approvals, then the information is all stored in the system for the auditors to review instead of wading through binders full of paper. “[Our applications manager] is so excited about it,” she says. “He doesn’t like all this paper pushing, so this is one area that will make his life easier and more efficient and productive. Now, he can focus on more strategic projects.”
Future Plans
“We definitely have no regrets,” Kaiser says. “I think this has been one of the few software applications that went in very quickly and smoothly and delivered immediate returns the first day we started using it. It’s there, it works, [and] it’s what they said it would be, and we’re just looking to see how we can use it more.”
SymSoft’s future plans include developing additional continuous controls monitoring solutions. SymSoft also recently Web-enabled its ControlPanelGRC solution, which provides full functionality to any system with an Internet connection. This Web-enabled version will provide the foundation for future product development, Goolik says.