AUTOMATING CONTROLS: SUPPORTING COMPLIANCE, AUDIT AND RISK
ISACA Denver, JANUARY 2015

Diane Davis, Sr. Director Financial Governance, Risk and Compliance
+1 3039417520
[email protected]

© 2015 IHS | Information | Analytics | Expertise

Objectives

• Achieve greater efficiency within your financial compliance processes by automating the monitoring and tracking of key processes in your ERP system.
• Recommendations for leveraging governance, risk and compliance (GRC) solutions for compliance monitoring.
• Provide management additional confidence in the consistency of its financial statement systems.
• Allow for review of financial process exceptions.
• Provide a more transparent audit trail.

A brief overview of IHS so you can appreciate our experience. The focus of the presentation will be on recommendations.

What we will cover

• Company background
• What is GRC
• SAP GRC-Access Control
• SAP GRC-Process Control
• How to start your GRC Journey
• Implementation Considerations
• Lessons Learned
• Key Points

Company Information

IHS (NYSE: IHS)
• Leading source of information, insight and analytics in critical areas that shape today's business landscape

Established 1959
• Became a publicly traded company on the NYSE in 2005. Headquartered in Colorado, USA, IHS is committed to sustainable, profitable growth & employs ~8K people in 31 countries

Global Presence
• Businesses & governments in more than 165 countries rely on comprehensive content, expert independent analysis & flexible delivery methods to make high-impact decisions & develop strategies with speed and confidence


Our Journey

Over four years ago we embarked on a global ERP implementation to reduce costs, standardize operations, and improve our ability to grow:

SAP ECC was implemented as a global solution configured to be SOX compliant

Concurrent implementations:
• SAP GRC Access Controls (5.3) and
• SAP GRC Process Controls (3.0)

In 2014: upgraded to GRC 10.1

SAP GRC is one of many GRC tools that can enhance your GRC strategy. Reference to SAP GRC is based on our journey. We hope to provide you recommendations for your journey.

IHS ERP Landscape / Overview

• >800 users in over 10 countries
• >6 environments solution
• Multi-tiered environment supporting dual transport path
  • Break-fix
  • Project/Enhancements


Governance, Risk and Compliance (GRC) Defined

GRC is a discipline that aims to synchronize information and activity across governance, risk management and compliance in order to create efficiency, enable more effective information sharing and reporting, and avoid wasteful overlaps.

Organizations reach a size where coordinated control over GRC activities is required to operate effectively.

Each of these disciplines creates information of value to the other two.

Each of the three GRC disciplines touches and impacts the same technologies, people, processes and information in any organization.

GRC Defined (cont’d)

• A fully integrated GRC uses a single core set of control material, mapped to all of the primary governance factors being monitored.
• The three most common individual headings are considered to be Financial GRC, IT GRC, and Legal GRC.
• Capabilities of GRC include:
  • Controls and policy library
  • Policy distribution and response
  • Controls self-assessment and measurement
  • Remediation and exception management
  • Reporting
  • Advanced risk evaluation and compliance dashboards

The GRC Solution

• Manual processes
• Multiple compliance frameworks
• Increase compliance and risk management tracking capabilities
• Continuous control monitoring (CCM)

End to End Solution
• Consistency & standardization
• Centralization of control definition
• End-to-end control experience
• Increased accountability & transparency

Long Term
• Automated review of exceptions
• Automated notifications
• Efficient and effective utilization of resources for management reviews
• Audit trail that could be considered for change to the audit approach
• Meets GCC requirements

Efficient, Reliable Compliance Automation


SAP GRC Solution Features

• Centralized Solution
• Multiple Compliance Initiatives Control Repository
• Access and Security Controls
• Controls Automation
• Automated Controls Testing
• Governance through Process and Workflow
• Continuous Controls Monitoring
• Integration with Risk Management Capability
• Enhanced and Automated Fraud Monitoring

ENABLE TECHNOLOGY
NOT ALL GRC SOLUTIONS OFFER THE SAME FEATURES

IHS GRC Solution: Access Control (AC)

Access Risk Analysis (ARA)
• Identify SOD/critical access violation
• Remediate
• Real-time/Simulation
• Role/User level

Access Request Mgmt (ARM)
• Self-service
• Provisioning/deprovisioning
• Consistent platform experience

Business Role Management (BRM)
• Workflow enabled
• Reduced administration

ARA & BRM
• Periodic review
• Certify roles
• Confirm mitigations

Emergency Access Management (EAM)
• Transaction logging
• Mitigating review
• Proactive notification

SAP GRC & ECC Application Security

• Users: Dialog; Service; Communication
• Roles: Single or Composite
• Transaction Codes: Enables navigation
• Authorization Objects: What is impacted, how it is impacted (CRUD)

Risks associated with Application Security

• SOD violations when roles come together
• Roles are complex or have sensitive transactions
• Custom transactions are not treated appropriately
• Objects/Programs are not restricted or identified

• User account is manipulated for fraudulent purpose
• Roles modification is unauthorized
• Control over critical transactions is bypassed
• Unauthorized modification to authorization in existing role
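The SOD and critical-access analysis that ARA performs over the users → roles → transaction codes model on the preceding slides, as an added Python example that is not IHS's or SAP's code. The role names, the functions, the two SOD rules and the user assignments are constructed for illustration (the transaction codes are real SAP ones used only as sample entries); a real rule set also evaluates authorization objects and field values, which this example omits. It runs at role level or user level and includes the what-if simulation used before a role is provisioned:

```python
"""Segregation-of-duties (SOD) and critical-access analysis over a simplified
SAP-style security model: users are assigned roles, roles grant transaction
codes, and SOD risks are expressed as pairs of conflicting functions.

Added example, not IHS's or SAP's code. Roles, functions, rules and users are
constructed; a real ARA rule set also checks authorization objects.
"""

# Constructed single role -> transaction code assignments.
ROLES = {
    "Z_AP_INVOICE":   {"FB60", "MIRO"},     # enter vendor invoices
    "Z_AP_PAYMENT":   {"F110"},             # run the payment program
    "Z_VENDOR_MAINT": {"XK01", "XK02"},     # create/change vendor master
    "Z_DISPLAY_ONLY": {"FB03", "XK03"},
    "Z_BASIS_ADMIN":  {"SU01", "PFCG"},     # user and role administration
}

# Composite roles bundle single roles; the risk appears when they combine.
COMPOSITE_ROLES = {
    "ZC_AP_CLERK": {"Z_AP_INVOICE", "Z_DISPLAY_ONLY"},
}

# Constructed user -> role assignments.
USERS = {
    "ALICE": {"ZC_AP_CLERK"},
    "BOB":   {"ZC_AP_CLERK", "Z_AP_PAYMENT"},     # invoice + pay: SOD conflict
    "CAROL": {"Z_VENDOR_MAINT", "Z_AP_PAYMENT"},  # vendor + pay: SOD conflict
    "DAVE":  {"Z_BASIS_ADMIN"},                   # critical access
}

# Functions group transaction codes; SOD rules name two conflicting functions.
FUNCTIONS = {
    "AP_INVOICE_ENTRY": {"FB60", "MIRO"},
    "AP_PAYMENT_RUN":   {"F110"},
    "VENDOR_MASTER":    {"XK01", "XK02"},
    "USER_ADMIN":       {"SU01"},
    "ROLE_ADMIN":       {"PFCG"},
}
SOD_RULES = {
    "P2P-01": ("AP_INVOICE_ENTRY", "AP_PAYMENT_RUN"),
    "P2P-02": ("VENDOR_MASTER", "AP_PAYMENT_RUN"),
}
CRITICAL_FUNCTIONS = {"USER_ADMIN", "ROLE_ADMIN"}


def expand_roles(role_names):
    """Flatten composite roles to the set of single roles they contain."""
    singles = set()
    for name in role_names:
        if name in COMPOSITE_ROLES:
            singles |= expand_roles(COMPOSITE_ROLES[name])
        else:
            singles.add(name)
    return singles


def transactions_for(role_names):
    """Effective transaction codes granted by a set of single/composite roles."""
    tcodes = set()
    for role in expand_roles(role_names):
        tcodes |= ROLES.get(role, set())
    return tcodes


def functions_for(tcodes):
    """Business functions that a set of transaction codes makes executable."""
    return {f for f, codes in FUNCTIONS.items() if codes & tcodes}


def analyze(role_names):
    """Return (sod_violations, critical_access) for a role assignment.
    sod_violations: sorted rule ids whose two functions are both reachable.
    critical_access: sorted critical functions reached.
    Pass one role for role-level analysis or a user's roles for user level."""
    funcs = functions_for(transactions_for(role_names))
    violations = sorted(rid for rid, (a, b) in SOD_RULES.items()
                        if a in funcs and b in funcs)
    return violations, sorted(funcs & CRITICAL_FUNCTIONS)


def simulate(user, extra_roles):
    """What-if check before provisioning: new violations the user would gain
    from extra_roles, excluding those already present."""
    before, _ = analyze(USERS[user])
    after, _ = analyze(USERS[user] | set(extra_roles))
    return sorted(set(after) - set(before))


def report():
    """User-level findings for every user: {user: (violations, critical)}."""
    return {u: analyze(r) for u, r in USERS.items()}


if __name__ == "__main__":
    for user, (violations, critical) in report().items():
        print(f"{user:6} SOD={violations or '-'} critical={critical or '-'}")
    print("ALICE + Z_AP_PAYMENT would add:", simulate("ALICE", ["Z_AP_PAYMENT"]))
```

Running the module lists BOB and CAROL with one SOD violation each and DAVE with critical access only; the simulation shows that granting ALICE the payment role would introduce P2P-01, which is the point at which a mitigating control or a different role design must be chosen.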


IHS GRC Solution: Process Control (PC)

• Document controls, policies
• Map to regulations
• Map to organization
• Perform risk assessments
• Determine scope
• Define test strategy
• Evaluate control design or effectiveness
• Remediate issues
• Perform automated, exception based monitoring of ERP
• Support decisions
• Increase accountability
• Analytics
• Sign-off

What is Continuous Compliance Monitoring

Continuous Monitoring Features

Category: Transaction Monitoring
  Features:
  • Identify suspicious transactions for review
  • Isolate transactions not compliant with business rules
  • Identify inappropriate flows (i.e., duplicate payments)
  Benefits:
  • Provide evidence of control operation

Category: Master Data Monitoring
  Features:
  • Identify unusual master data changes
  Benefits:
  • Focus on suspect activity (exception)

Category: Access Controls and SOD Monitoring
  Features:
  • Monitor user or role access changes
  • Detect transactions that violate SOD rules
  • Detect unauthorized access changes
  Benefits:
  • Review emphasis on violations

Category: Application Configuration
  Features:
  • Detect change to system configuration
  Benefits:
  • Continued effectiveness of application controls

Source: IHS

Example of Continuous Controls Monitored (CCMs)

CCM’s for the Procure To Pay (PTP) process:
• Master Data: Duplicate invoice check on the vendor master file
• Transactional Data: Prevent unauthorized changes to processed records
• Configuration: Monitor changes to system messages

Example of Continuous Controls Monitored (CCMs)

CCM’s for the Security/Development area:
• Security Provisioning: Monitor security administrator does not self-provision access
• System Parameters: Monitor that critical system settings are not changed without authorization (i.e., password settings)
• Critical functions: Monitor certain roles or profiles are not provisioned

Reduce likelihood of event occurring between auditor visits
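The exception-based rules behind the CCMs on this and the two preceding slides (duplicate vendor check on the vendor master, security administrator self-provisioning, critical system settings changed without authorization, restricted roles or profiles provisioned), as an added Python example that is not IHS's or SAP's code. The change-log and vendor-master records, their field names and the "approved ticket" convention are constructed; the SAP parameter and profile names are real but appear only as sample entries in the critical lists. Each rule returns only the records that violate it, which is the exception-focused model these slides describe:

```python
"""Exception-based continuous controls monitoring (CCM) over constructed ERP
change-log and master-data records. Each rule returns only violating records.

Added example, not IHS's or SAP's code. Record layouts, field names, the
critical lists and all sample data are constructed for illustration; real
CCMs read the ERP's own log tables.
"""
from collections import defaultdict

# Constructed change-log records (who changed what, under which ticket).
CHANGE_LOG = [
    # security provisioning: changer == target is self-provisioning
    {"type": "user_change", "changer": "SECADMIN1", "target": "JSMITH",
     "profile": "Z_AP_CLERK", "ticket": "CHG-1001"},
    {"type": "user_change", "changer": "SECADMIN1", "target": "SECADMIN1",
     "profile": "Z_AP_CLERK", "ticket": "CHG-1002"},
    # critical functions: a restricted profile handed out
    {"type": "user_change", "changer": "SECADMIN2", "target": "JDOE",
     "profile": "SAP_ALL", "ticket": "CHG-1003"},
    # system parameters: a password setting changed with no ticket
    {"type": "param_change", "changer": "BASIS1",
     "param": "login/min_password_lng", "old": "8", "new": "4", "ticket": ""},
    {"type": "param_change", "changer": "BASIS1",
     "param": "rdisp/gui_auto_logout", "old": "900", "new": "1800",
     "ticket": "CHG-1004"},
]

# Constructed vendor master extract for the duplicate-vendor check.
VENDOR_MASTER = [
    {"vendor": "100001", "name": "Acme Supplies Ltd", "bank": "DE89370400440532013000"},
    {"vendor": "100002", "name": "ACME SUPPLIES LTD.", "bank": "DE89370400440532013000"},
    {"vendor": "100003", "name": "Globex Corp", "bank": "GB29NWBK60161331926819"},
]

# Sample critical lists (real SAP names used only as illustrative entries).
CRITICAL_PARAMS = {"login/min_password_lng", "login/password_expiration_time"}
RESTRICTED_PROFILES = {"SAP_ALL", "SAP_NEW"}


def self_provisioning(log):
    """Security administrator granting access to their own account."""
    return [r for r in log
            if r["type"] == "user_change" and r["changer"] == r["target"]]


def restricted_profile_grants(log):
    """Roles/profiles that must never be provisioned in production."""
    return [r for r in log
            if r["type"] == "user_change" and r["profile"] in RESTRICTED_PROFILES]


def unauthorized_param_changes(log):
    """Critical system settings changed without an approved change ticket."""
    return [r for r in log if r["type"] == "param_change"
            and r["param"] in CRITICAL_PARAMS and not r["ticket"]]


def normalize_name(name):
    """Drop case, punctuation and whitespace so near-duplicate names collide."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def duplicate_vendors(master):
    """Vendors sharing a normalized name or a bank account.
    Returns {("name"|"bank", key): [vendor numbers]} for keys hit twice+."""
    by_key = defaultdict(list)
    for v in master:
        by_key[("name", normalize_name(v["name"]))].append(v["vendor"])
        by_key[("bank", v["bank"])].append(v["vendor"])
    return {k: ids for k, ids in by_key.items() if len(ids) > 1}


def run_ccm(log=CHANGE_LOG, master=VENDOR_MASTER):
    """Run every rule; return {rule: exceptions}, omitting rules with no hits
    so reviewers see only what needs attention."""
    results = {
        "self_provisioning": self_provisioning(log),
        "restricted_profile_grants": restricted_profile_grants(log),
        "unauthorized_param_changes": unauthorized_param_changes(log),
        "duplicate_vendors": duplicate_vendors(master),
    }
    return {rule: hits for rule, hits in results.items() if hits}


if __name__ == "__main__":
    for rule, hits in run_ccm().items():
        print(f"[{rule}]")
        for hit in (hits.items() if isinstance(hits, dict) else hits):
            print("   ", hit)
```

The ticket check is what turns a raw change log into an exception report: the auto-logout change is not flagged because the parameter is not in the critical list, and a critical change carrying an approved ticket would not be flagged either. Who may add entries to the critical lists and who approves tickets are the governance questions the later slides raise.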


Business Case Considerations

• Compliance is one of those areas that is “preventative” in nature
  • If you do a great job, you may not “know” what negative situations you avoided or missed
  • Hard to quantify the value added to the organization.
• Leverage opportunity cost vs. investment
  • Automated monitoring can be used for other operational areas
• Performance impact of logging options
  • A GRC solution may provide an alternative to specific logging within the application, which could have greater negative performance impact
• Change control approach from review/inspection to exception-based using a GRC tool.

Initial Planning

Short term:
• COSO 2013
• Segregation of Duties analysis
• CCM results

Long-term:
• Other GRC functions
• Enterprise Risk Management
• Operational use of CCMs, etc

Roadmap (vertical axis: Stakeholder Value):
• Assess: Roadmap Definition
• Phase 1: Implement GRC Platform (AC)
• Phase 2: Fully utilize AC
• Phase 3: Implement PC (CCM)
• Phase 4: Additional Regulations
• Phase N: Implement other modules

• Standardize control footprint for individual locations/systems to achieve efficiency
• Understand company specific control reporting needs
• Develop a compliance roadmap

Organizational Factors

• Do you have a lot of organizational changes?
• To what extent does your control environment need to be reliable, transparent and drive accountability?
• What type of regulatory requirements are you considering?
• The more complex the organizational structure (e.g. companies, plants), the greater the risk associated with ERP configuration and consistency across structures.

GRC Control Management

• GRC solutions require a detailed understanding of your business controls, system controls and ERP configuration
• Set expectations for:
  • Design standardization
  • Prioritization and scalability of functionality implemented
  • Observance of best practice GRC methodology
  • Identification and development of control synergies

Governance Considerations

Audit Impact
• Plan for adequate personnel to evaluate GRC output
• GRC impact to the audit process/evidence

Impact and Other Factors (Log Results, Changes, Architecture)
• Other factors requiring change to GRC
• Implement new initiatives leveraging common test objectives
• Optimize features with greatest impact first
• Types of data/information expected
• Ability to interpret data
• Possible volume generated
• Alternative applications able to monitor highly privileged areas/users
• Monitoring within the application layer is challenging

Recommendation: Do not generate logs/output if it’s not actively reviewed

Technical Planning

• What is your ERP environment landscape?
  • Break-fix, enhancements AND upgrades
  • What about additional roll-ins?
• What types of GRC control approaches will you be deploying?
  • Configurable - runs against backend tables or views
  • Programmed -

Governance Considerations

Technical Factors (Technical Support, Infrastructure, Log Integrity)

Architecture
• Access to the underlying log tables
• Potential to cover up fraud
• Impact to control reliance.

• Manage various infrastructure layers risk
• Risks associated with various solutions
• Number of environments / clients
• Hosted vs. internally managed hardware
• Possible manipulation by the same personnel who maintain the ERP
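One way to address the log-integrity factor above (log tables reachable by the same personnel who maintain the ERP), as an added Python example that is not IHS's or SAP's code: each exported CCM result record is chained to the digest of the previous entry and sealed with an HMAC under a key that Internal Audit, not the ERP team, holds. Editing, deleting or reordering a record after export then fails verification at that position. The key, the record layout and the sample records are constructed:

```python
"""Tamper-evident export of CCM results / log extracts as an HMAC-sealed
hash chain. The verifier holds the key; the ERP administrators do not, so a
record altered in the exported evidence is detected at verification time.

Added example, not IHS's or SAP's code. Key, record layout and sample
records are constructed for illustration.
"""
import copy
import hashlib
import hmac
import json

# Constructed key: in practice generated and kept by the independent reviewer.
AUDIT_KEY = b"example-key-held-by-internal-audit"
GENESIS = "0" * 64   # back-pointer of the first entry


def _canonical(obj):
    """Stable JSON encoding so the same object always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal(records, key=AUDIT_KEY):
    """Return a list of {record, prev, mac} entries forming a hash chain.
    prev = SHA-256 of the previous sealed entry (GENESIS for the first);
    mac  = HMAC-SHA256(key, prev || record)."""
    chain, prev = [], GENESIS
    for rec in records:
        mac = hmac.new(key, prev.encode() + _canonical(rec), hashlib.sha256).hexdigest()
        entry = {"record": rec, "prev": prev, "mac": mac}
        chain.append(entry)
        prev = hashlib.sha256(_canonical(entry)).hexdigest()
    return chain


def verify(chain, key=AUDIT_KEY):
    """Return (ok, index). ok is True when every link is intact, and index is
    then the entry count; otherwise index is the first failing position."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:                      # reordered or deleted
            return False, i
        expected = hmac.new(key, prev.encode() + _canonical(entry["record"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["mac"]):   # edited
            return False, i
        prev = hashlib.sha256(_canonical(entry)).hexdigest()
    return True, len(chain)


# Constructed CCM output records as exported from the ERP.
SAMPLE_RECORDS = [
    {"seq": 1, "rule": "param_change", "user": "BASIS1", "param": "login/min_password_lng"},
    {"seq": 2, "rule": "self_provisioning", "user": "SECADMIN1"},
    {"seq": 3, "rule": "restricted_profile", "user": "SECADMIN2", "target": "JDOE"},
]


def demo_tamper():
    """Seal the sample records, then edit one entry after export: verification
    must fail at exactly that entry. Returns (ok_before, failing_index)."""
    chain = seal(SAMPLE_RECORDS)
    ok_before, _ = verify(chain)
    tampered = copy.deepcopy(chain)
    tampered[1]["record"]["user"] = "SOMEONE_ELSE"   # simulated cover-up
    ok_after, idx = verify(tampered)
    return ok_before, (None if ok_after else idx)


if __name__ == "__main__":
    print(demo_tamper())   # (True, 1)
```

Truncating the tail of the chain is the one change the chain alone cannot reveal, so the reviewer should also record the entry count and final digest that verify() and the last link produce at each export.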


System/Solution Suggestions

• Implement GRC as a pilot with focus on your most critical/high risk functions first.
  • IT/basis/development
  • Security role changes
  • Sensitive access
• Build in a layered approach to ERP sensitive users / access:
  • Leverage GRC AC Emergency Access Management
  • Use GRC PC to monitor changes to EAM role assignment
  • Leverage GRC AC to identify highly sensitive access/users
  • Use GRC AC and/or PC to monitor changes to those users

GRC Implementation

• What can you expect from a Pilot:
  • Implement a limited number of standard controls
  • Gain knowledge around what is required to configure and maintain GRC
  • Develop GRC technical knowledge to strengthen research that may be needed to perform management review
  • Consider impact to the audit approach
• Short-Term Objectives
  • Establish end-to-end process to support pilot controls
  • Roll-out to other areas within the same compliancy structure once you have an established approach/process
  • Re-evaluate expectations, key metrics, resources needed
  • Realign with audit partners

GRC Design Suggestions

• Maintain a master data configuration document
• Track single and multiple compliance initiative structures
• Note effective dates
• Baseline for GRC roadmap phases

Master Data Maintenance
• Organization Hierarchy
• Process Structure
• Risk Categories
• Control Master Data

• Reporting Requirements
• Control execution location
• Control testing location
• Control nomenclature
• GRC risks: Risk assessment
• ERM requirements
• Control effective dates

Phase-Considerations

Phase 1
• Identify potential benefits:
  • Would having continuous monitoring results impact your auditor’s approach?
  • Would resources being audited change? Does this free up other control owners due to continuous monitoring?
• Limit initial functionality implemented
  • Limited number of controls for 1 compliance area
  • Implement for one company end to end
• Define KPI’s

Subsequent phase(s)
• Configure additional controls
• Expand usage of Continuous Control Monitoring (CCM)
  • Automated controls
  • Manual controls
• Leverage GRC for multiple compliance initiatives
• Grow and enhance your GRC platform and utilization

Applicability to Application Security

• SOD violations when roles come together
• Roles are complex or have sensitive transactions
• Custom transactions are not treated appropriately
• Objects/Programs are not restricted or identified

• User account is manipulated for fraudulent purpose
• Roles modification is unauthorized
• Control over critical transactions is bypassed
• Unauthorized modification to authorization in existing role

Addressed by: SAP GRC PC (CCMs); SAP GRC AC (ARA/EAM)

Example of Continuous Controls Monitored (CCMs)

Phase 2 CCM’s for the Procure To Pay (PTP) process:
• Master Data: Immediate notifications when unauthorized changes are made to certain aspects of the Vendor Master
• Transactional Data: Prevent transactional data errors
• Configuration: Test for system hard stop

GRC Implementation Strategy Checklist

• Ensure key aspects of your GRC footprint align with your GRC organization hierarchy:
  • Entity risk management
  • Global Policies/procedures
  • Risk Assessment/scoping
  • Definition of controls
  • Risk ownership/tolerance
  • Remediation
  • Risk Mitigation
  • Compliance initiative ownership
  • Other types of controls

GRC Implementation Strategy (cont’d)

• Key questions to ask:
  • Who should approve changes to the automated control alert settings?
  • Who should approve mitigation control documentation?
  • What is your retention requirement for GRC supporting documentation of configuration assumptions?
  • What are your current control procedures, including control analysis and remediation activities?
  • Should a service level agreement (SLA) be established based on the severity of the control alert/change identified?

Define Roles & Responsibilities

Don’t forget to ensure your GRC solution is compliant (not just what is being monitored is compliant)

Responsibilities to define around the GRC application Owner:
• Design mitigating controls
• Approve control remediation
• Perform periodic test of rules/risks
• Rule changes/creation
• Manage PC related risks/controls
• Routine review of user access
• Control & rule definition/execution
• Perform control mitigation/reviews
• Explain outcome to other users

GRC Implementation Resources

• Infrastructure/Hosting Partner (installation, infrastructure support)
• Systems Implementation Partner (configuration, unit testing, user training/knowledge transfer, on-going support)
• Control/Governance advisor (objective GRC configuration oversight, identification of additional risks/considerations)
• Internal Audit (perform independent SDLC audit testing and create baseline of application controls for potential reliance in the upcoming year)

GRC Project – Compliance throughout the process

Follow a phased methodology for the implementation, considering:

Installation Validation
• Post Install
• Baseline: ensure system is performing as intended

Solution Design
• Design docs & technical specs
• Ensure scope is covered and expected results documented

Build / Test
• Build controls in GRC
• Create reports outlined in technical specs.

Acceptance
• User review and validation
• Training
• Knowledge transfer

Go-live & Support
• Deploy
• Support procedures

Deliverables
• Control rationalization /requirements
• Control Design Document
• Risk/control owner design approval
• Master Data Configuration Document
• Test Plans
• Configuration documentation
• Control owner training materials
• Test scripts with evidence for UAT
• Risk/Control approval for go live
• Control master data change document


Lessons Learned

• Implement a GRC solution using a phased approach
• Determine control objectives first, then design and configure GRC solution accordingly
• Production data may have greater volume/variation than project could anticipate
• Spend time reviewing and understanding GRC reporting capabilities
• Understand value GRC automation of controls provides
• Auditor acceptance – plan for transition

Base implementation on what your team can reasonably analyze, add over time

Lessons Learned (cont’d)

• Analyze preliminary results produced by the solution
• Identify and document the GRC-based control review process early in your design
• Consider how process owners will see continuous monitoring
• Balance control configuration, organizational control efficiency, and resources needed
• Actively analyze output - don’t get behind

Don’t underestimate the importance of collaborating with Audit


Key Points

• Develop a GRC strategy/approach with key milestones/metrics
• Engage your Audit partners early, include them in the design and communicate with them frequently
• Less can be more. Consider small, frequent controlled rollouts
• Find the sweet spot between controls configured, control efficiency and resources needed to support your implementation
• Consider control owner learning curve when developing your control project timeline/approach
• Don’t wait to identify and document the control review process and the output produced by a GRC solution

© 2015 IHS. No portion of this report may be reproduced, reused, or otherwise distributed in any form without prior written consent, with the exception of any internal client distribution as may be permitted in the license agreement between client and IHS. Content reproduced or redistributed with IHS permission must display IHS legal notices and attributions of authorship. The information contained herein is from sources considered reliable but its accuracy and completeness are not warranted, nor are the opinions and analyses which are based upon it, and to the extent permitted by law, IHS shall not be liable for any errors or omissions or any loss, damage or expense incurred by reliance on information or any statement contained herein. For more information, please contact IHS at [email protected], +1 800 IHS CARE (from North American locations), or +44 (0) 1344 328 300 (from outside North America). All products, company names or other marks appearing in this publication are the trademarks and property of IHS or their respective owners. V2.0-29.04.14

Contact us
Americas: +1.800.IHS.CARE (+1.800.447.2273); [email protected]
Europe, Middle East, and Africa: +44.(0).1344.328.300; [email protected]
Asia and the Pacific Rim: +604.291.3600; [email protected]