ControlPanelGRC Gets to the Heart of Abiomed’s GRC Requirements
ControlPanelGRC, as second-generation software, has not only helped Abiomed automate its governance, risk, and compliance (GRC) efforts; it is also helping them streamline their business processes overall, which has been an unexpected but welcome additional benefit.
With its mission of “recovering hearts and saving lives,” Abiomed develops, manufactures, and markets advanced medical technologies designed to assist or replace the pumping function of the failing heart. It is the global leader for products in the acute heart failure market and ships more ventricle assist devices (VADs) than any other company worldwide. Founded in 1981, Abiomed is the only company in the world with exclusive labeling on ventricular assist devices for all potentially recoverable heart failure indications. The company has more than 300 employees spread across its corporate headquarters in Danvers, Mass., and its office in Aachen, Germany, with fiscal 2009 revenue of $73.2 million.
Abiomed is very focused on being able to demonstrate Segregation of Duties (SOD) to meet its Sarbanes-Oxley (SOX) audit requirements. The company also places high value on risk management in general to be sure its financial statements are accurate and timely. The information it was receiving in both areas was good, but it came at a cost.
“We were closely monitoring risks, but much of that work was being done manually,” says Sharon Kaiser, CIO at Abiomed. “It was a very labor-intensive process. We were also limited to the information we could obtain ourselves from the system.”
One of the major issues Abiomed faced was identifying user-based risk within its SAP ERP system. While Symmetry, an SAP partner Abiomed uses for Basis and Security support, would send regular reports that identified whether users were high-, medium- or low-risk due to their roles and profiles, those reports were not able to identify when someone violated a risk, so it could be remediated.
Abiomed also wanted to be able to document changes within its SAP system, both to demonstrate that changes had not been made within the production system, and to show the auditors that all changes had been reviewed and approved by at least three business users.
“We are a small company, so the risk piece is very important to our controller,” Kaiser says. “Our small size also means we don’t have a lot of resources available to perform manual audits. We really needed something that would automate and streamline our processes, and provide more information with less work on our part.”
In the summer of 2009, Symmetry introduced Abiomed to SymSoft’s ControlPanelGRC, a second-generation governance, risk and compliance (GRC) solution designed specifically for SAP. Kaiser recognized immediately that it could help solve a number of challenges.
“The ControlPanelGRC suite had some of the functionality we were already using, but greatly enhanced,” she says. “It also introduced several new modules that would help us both with our SOX compliance and risk management. The more I got into the different modules, the more I realized it could save us time and effort as well as streamline some of our compliance efforts. There were a lot of possibilities.”
Installation took place over three days in December 2009. On the third day, Symmetry provided on-site training, answered questions and worked through any remaining tweaks on the system.
“And then we were ready to go,” Kaiser says. “Implementation was really a non-event for us.”
One of the major improvements ControlPanelGRC brings is the ability to embed compliance within business processes rather than forcing the organization to document it separately. For example, when a transport request comes through to the Change Review Board, one of Abiomed’s SOX controls requires that the change be reviewed by at least three of the 10 members before it is sent to the technical team for final approval and then moved into production.
With the Transport Manager module, all of that is documented within the system automatically, including who reviewed a change and when they reviewed it. When the auditors come in at the end of the year, they can take a sampling of all of Abiomed’s changes within SAP to verify that at least three business users reviewed and approved the changes. No additional work is required from Abiomed personnel to prepare a report.
The ControlPanelGRC Risk Analyzer makes it easier for Abiomed to identify problems with SOD requirements. In addition to receiving the risk report, Abiomed can leverage the Usage Analyzer to identify anyone who has executed a compliance risk, such as someone setting up a vendor and then posting an invoice against that vendor.
“Having that capability not only assists us with SOX compliance, it also helps us run our business better,” Kaiser says. “That has been a real plus for us.”
Although they have only had ControlPanelGRC installed for a short time, the results Abiomed is experiencing are exceeding expectations.
“I went through my general IT controls, and there are probably four to five of the 13 that I can move right into ControlPanelGRC,” Kaiser says. “The more I learn about the capabilities of the system, the more I am realizing what we can do with it.”
Kaiser is also happy with ControlPanelGRC’s ease of use. Actions that normally required a developer or someone with a deep knowledge of SAP can now be performed by higher-level users.
“I now have clear visibility into issues, and it’s all accessed through one nice, front-end menu,” Kaiser states. “I have access to the panel and any of the modules. I have dashboards that give me a high-level view, and if I need to drill down further, I can.”
As far as SOX compliance goes, Kaiser has found that ControlPanelGRC has reduced time and labor costs both externally and internally. On the internal side, she says Abiomed’s manager of applications would typically spend 10 hours per quarter pulling and printing SOD analysis reports, preparing packets of information and then taking them to the functional managers for review before turning them over to the auditors. Now, ControlPanelGRC creates the reports for him, freeing him to perform more strategic work, while the functional managers review and approve the reports online.
On the external side, Abiomed uses an outside firm to perform a pre-audit and identify any deficiencies. When the official auditors come in, they review the controls and information from the pre-auditors, then decide what additional audit tests need to be performed.
“The pre-auditors come in once a year, and they charge us by the hour,” Kaiser says. “In the past it has taken them four weeks. My goal is to simplify things so they’re only here for a week. I think with ControlPanelGRC I will be able to realize that goal because a lot of the data they currently look at on a paper-ticket-by-paper ticket basis they’ll now be able to see online so they can check it off quicker.”
Overall, Kaiser has been very satisfied with the results, and expects to be even more satisfied as time goes on.
“This has been one of the few software applications that went in very quickly and smoothly, and delivered immediate returns the first day we started using it,” she says. “It’s there, it works, it’s what they said it would be, and we’re just looking to see how we can use it more. We’re all excited about it, and seeing applications to use it in many different areas.”