Standardising the control and compliance environment
How does a leading global agriculture business with an impressive product portfolio developed over the last 15 years transform and standardise its control and compliance environment?
Syngenta, the world’s largest crop chemical producer,
ranking third in seeds and biotechnology sales, has been growing exponentially, both organically and through acquisitions. With sales almost doubling in the last 10 years, this growth has increased complexity, customisation, and the duplication of processes and the compliance environment. The company was managing compliance through a set of traditional processes across multiple units and countries, operating an extremely diverse process and application landscape that was making it difficult to maintain its control and compliance environment.
Taking the risk out of compliance
Syngenta recognised the need to make the compliance program more effective and proactive, achieve better visibility, and optimise the cost of compliance. They wanted a compliance program that provided better assurance that risks would be proactively identified and mitigated, and one that also met the requirements under SarbanesOxley (SOX).
The backbone of Syngenta’s compliance program
Capgemini responded by leveraging its Global Process Model© (GPM©) to standardise Syngenta’s compliance processes across geographies. Capgemini also leveraged its expertise in the area of compliance to design and implement “Continuous Control Monitoring” from its GRC practice, which has become the backbone of Syngenta’s compliance program. Known as the Continuous Assurance
Program (CAP), it has some unique features, that include:
- Moving from traditional periodic testing to continual testing and walkthroughs
- Using representative sample methodology to assess the control environment
- Proactive remediation
- Test results fed a Global Process Owners’ organisation
- A central team – a single point of contact for all stakeholders
Run by a dedicated and independent team of compliance experts under the leadership of a Capgemini Compliance Manager, the scope of CAP includes:
- Continuous internal control evaluation – process walkthroughs and control testing are performed on a continual basis with monthly Service Delivery Reviews to report results and discuss remediation. Additional process walkthroughs and control testing are performed to ensure that SOX requirements are met.
- Internal audit recommendations follow-up – Internal audit recommendations are tracked globally and reported to proactively identify and assess issues that are have become overdue or need special attention. An independent audit is performed to ensure that recommendations have been sustainably implemented.
- Access controls process – research and risk analysis of ERP access for each request is carried out to ensure risk-free access in line with Segregation of Duties (SOD) specifications. Audit and approval of emergency access ensures that usage is within requirements. Monthly reporting that includes insights into the current status of SOD risks and emergency access usage allows for the identification of improvement areas in role design and reduction in emergency access usage.
Results count – increased confidence in the compliance environment implementation of the CAP resulted in a significant increase in confidence among stakeholders in the compliance environment.
The CAP enforces the Control Framework across business units, which proved to be challenging before its implementation keep the full stop.
An independent CAP team based out of Capgemini’s Global Competency Center in Bangalore enabled Syngenta to free up resources in its headquarters, regions, and country teams. This led to some specific tangible benefits including:
- Cost savings – the cost of CAP offset a reduction in internal compliance resources by more than 35%, substantially reduced contract compliance resources, and reduced external audit fees.
- Agility – a centralised CAP team allows Syngenta to respond to compliance requirements resulting from new business changes with much more agility and less cost.
- Transparency – monthly reporting provides visibility on a near real-time basis on open risks and their remediation status.
- More objective controls testing – the CAP team is fully independent from control performers and managers.
- Increased efficiency – Syngenta has remained SOX compliant at all times.
- Risk free SOD – continuous provisioning with risk free roles and remediation helps reduce SOD risks to a minimum globally.
In addition, CAP implementation has seen Syngenta’s reputation grow, as this is the first time that a continuous controls program has been implemented in the Agribusiness industry. Syngenta is also being perceived as a role model, and continues to receive visits from other companies asking for guidance.