Upload
truongtu
View
216
Download
1
Embed Size (px)
Citation preview
© 2015 IHS
Information | Analytics | Expertise
AUTOMATING CONTROLS
COMPLIANCE, AUDIT AND RISK
JANUARY 2015
Diane Davis, Sr. Director Financial Governance, Risk and Compliance
+1 3039417520
© 2015 IHS
Objectives• Achieve greater efficiency within your financial
compliance processes by automating the
monitoring and tracking of key processes in
your ERP system.
• Recommendations for leveraging governance
risk and compliance (GRC) solutions for
compliance monitoring.
• Provide management additional confidence in the
consistency of its financial statement systems
• Allow for review of financial process exceptions
• Provide a more transparent audit trail
Automating Controls/ January 2015
A brief overview of IHS so you can appreciate
our experience. The focus of the presentation
will be on recommendations.
© 2015 IHS
What we will
cover• Company background
• What is GRC
• SAP GRC-Access Control
• SAP GRC-Process Control
• How to start your GRC Journey
• Implementation Considerations
• Lessons Learned
• Key Points
Automating Controls/ January 2015
© 2015 IHS
Company Information
Automating Controls/ January 2015
• Leading source of information, insight and
analytics in critical areas that shape today's
business landscape
IHS
(NYSE: IHS)
• Became a publicly traded company on the NYSE in 2005. Headquartered in Colorado, USA, IHS is committed to sustainable, profitable growth & employs ~ 8K people in 31 countries
Established
1959
• Businesses & governments in more than 165 countries rely on comprehensive content, expert independent analysis & flexible delivery methods to make high-impact decisions & develop strategies with speed and confidence
Global
Presence
© 2015 IHS
Automating Controls/ January 2015
© 2015 IHS
Automating Controls/ January 2015
Our Journey
Over four years ago we embarked on a global ERP implementation to
reduce costs, standardize operations, and improve our ability to grow:
SAP ECC was implemented as a global solution configured to be SOX compliant
Concurrent implementations:
• SAP GRC Access Controls (5.3) and
• SAP GRC Process Controls (3.0)
In 2014: upgraded to GRC 10.1
SAP GRC is one of many GRC tools that can enhance your GRC
strategy. Reference to SAP GRC is based on our journey.
We hope to provide you recommendations for your journey.
© 2015 IHS
IHS ERP Landscape / Overview
• >800 users in over 10 countries
• >6 environments solution
• Multi-tiered environment supporting dual transport path
• Break-fix
• Project/Enhancements
Automating Controls/ January 2015
© 2015 IHS
What we will
cover• Company background
• What is GRC
• SAP GRC-Access Control
• SAP GRC-Process Control
• How to start your GRC Journey
• Implementation Considerations
• Lessons Learned
• Key Points
Automating Controls/ January 2015
© 2015 IHS
Governance, Risk and Compliance (GRC)Defined
GRC is a discipline that aims to synchronize
information and activity across governance,
risk management and compliance in order to
create efficiency, enable more effective
information sharing and reporting and avoid
wasteful overlaps
Organizations reach a size where coordinated
control over GRC activities is required to
operate effectively.
Each of these disciplines creates information
of value to the other two.
Each of the three GRC disciplines touch and
impact the same technologies, people,
processes and information in any
organization.
Automating Controls/ January 2015
© 2015 IHS
GRC Defined (cont’d)
• A fully integrated GRC uses a single core set of
control material, mapped to all of the primary
governance factors being monitored.
• The three most common individual headings
are considered to be Financial GRC, IT GRC,
and Legal GRC.
• Capabilities of GRC include:
• Controls and policy library
• Policy distribution and response
• Controls self-assessment and measurement
• Remediation and exception management
• Reporting
• Advanced risk evaluation and compliance
dashboards
Automating Controls/ January 2015
© 2015 IHS
• Manual processes
• Multiple compliance frameworks
• Increase compliance and risk management tracking capabilities
• Continuous control monitoring (CCM)
• Consistency &
standardization
• Centralization of control
definition
• End-to-end control
experience
• Increased
accountability &
transparency
Automating Controls/ January 2015
The GRC Solution
End to End Solution
Lo
ng
Term
• Automated review of
exceptions
• Automated notifications
• Efficient and effective
utilization of resources
for management
reviews
• Audit trail that could be
considered for change
to the audit approach
• Meets GCC
requirements
Efficient Reliable
Compliance Automation
© 2015 IHS
What we will
cover• Company background
• What is GRC
• SAP GRC-Access Control
• SAP GRC-Process Control
• How to start your GRC Journey
• Implementation Considerations
• Lessons Learned
• Key Points
Automating Controls/ January 2015
© 2015 IHS
SAP GRC
Solution
Features
• Centralized Solution
• Multiple Compliance Initiatives Control
Repository
• Access and Security Controls
• Controls Automation
• Automated Controls Testing
• Governance through Process and Workflow
• Continuous Controls Monitoring
• Integration with Risk Management Capability
• Enhanced and Automated Fraud Monitoring
Automating Controls/ January 2015
ENABLE TECHNOLOGY
NOT ALL GRC SOLUTIONS OFFER THE SAME FEATURES
© 2015 IHS
IHS GRC Solution: Access Control (AC)
Access Risk Analysis (ARA)
• Identify SOD/critical
access violation
• Remediate
• Real-time/Simulation
• Role/User level
Access Request Mgmt (ARM)
• Self-service
• Provisioning/deprovisioning
• Consistent platform experience
Business Role Management (BRM)
• Workflow enabled
• Reduced administration
ARA & BRM
• Periodic review
• Certify roles
• Confirm mitigations
Emergency Access Management (EAM)
• Transaction logging
• Mitigating review
• Proactive notification
Automating Controls/ January 2015
© 2015 IHS
SAP GRC & ECC Application Security
Users
Roles
Transaction Codes
Authorization Objects
Automating Controls/ January 2015
Dialog; Service; Communication
Single or Composite
Enables navigation
What is impacted, how it is impacted (CRUD)
© 2015 IHS
Risks associated with Application Security
SOD violations when roles come together
Roles are complex or have sensitive transactions
Custom transactions are not treated appropriately
Objects/Programs are not restricted or identified
Automating Controls/ January 2015
User account is
manipulated for fraudulent
purpose
Roles modification is
unauthorized
Control over critical
transactions is bypassed
Unauthorized modification
to authorization in existing
role
© 2015 IHS
What we will
cover• Company background
• What is GRC
• SAP GRC-Access Control
• SAP GRC-Process Control
• How to start your GRC Journey
• Implementation Considerations
• Lessons Learned
• Key Points
Automating Controls/ January 2015
© 2015 IHS
Automating Controls/ January 2015
IHS GRC Solution: Process Control (PC)
• Document controls,
policies
• Map to regulations
• Map to organization
• Perform risk
assessments
• Determine scope
• Define test strategy
• Evaluate control design or effectiveness
• Remediate issues
• Perform automated,
exception based
monitoring of ERP
• Support decisions
• Increase accountability
• Analytics
• Sign-off
© 2015 IHS
What is Continuous Compliance Monitoring
Automating Controls/ January 2015
© 2015 IHS
Continuous Monitoring Features
Category Features Benefits
Transaction
Monitoring
• Identify suspicious transactions
for review
• Isolate transactions not
compliant with business rules
• Identify inappropriate flows
(i.e,duplicate payments)
• Provide evidence of control
operation
Master Data
Monitoring
• Identify unusual master data
changes
• Focus on suspect activity
(exception)
Access Controls and
SOD Monitoring
• Monitor user or role access
changes
• Detect transactions that violate
SOD rules
• Detect unauthorized access
changes
• Review emphasis on violations
Application
Configuration
• Detect change to system
configuration
• Continued effectiveness of
application controls
Source: IHS
Automating Controls/ January 2015
© 2015 IHS
Example of Continuous Controls Monitored (CCMs)
CCM’s for the Procure To Pay (PTP) process:
Automating Controls/ January 2015
Master Data
Duplicate invoice
check on the vendor
master file
Transactional Data
Prevent unauthorized
changes to
processed records
Configuration
Monitor changes to
system messages
© 2015 IHS
Example of Continuous Controls Monitored (CCMs)
CCM’s for the Security/Development area:
Automating Controls/ January 2015
Security Provisioning
Monitor security
administrator does
not self-provision
access
System Parameters
Monitor that critical
system settings are
not changed without
authorization (i.e.,
password settings)
Critical functions
Monitor certain roles
or profiles are not
provisioned
Reduce likelihood of event occurring between auditor visits
© 2015 IHS
What we will
cover• Company background
• What is GRC
• SAP GRC-Access Control
• SAP GRC-Process Control
• How to start your GRC Journey
• Implementation Considerations
• Lessons Learned
• Key Points
Automating Controls/ January 2015
© 2015 IHS
Business Case Considerations
• Compliance is one of those areas that is “preventative” in nature
• If you do a great job, you may not “know” what negative situations you avoided
or missed
• Hard to quantify the value added to the organization.
• Leverage opportunity cost vs. investment
• Automated monitoring can be used for other operational areas
• Performance impact of logging options
• A GRC solution may provide an alternative to specific logging within the
application, which could have greater negative performance impact
• Change control approach from review/inspection to exception-based using a
GRC tool.
Automating Controls/ January 2015
© 2015 IHS
Initial Planning
Automating Controls/ January 2015
Short term:
• COSO 2013
• Segregation of Duties analysis
• CCM results
Long-term:
• Other GRC functions
• Enterprise Risk Management
• Operational use of CCMs, etc
Roadmap
Definition
Implement
GRC
Platform
(AC)
Fully utilize
AC
Implement
PC (CCM)
Additional
Regulations
Implement
other
modules
Assess Phase 1 Phase 2Phase 3
Phase 4
Phase N
Sta
kehold
er
Valu
e
• Standardize control footprint for individual locations/systems to achieve
efficiency
• Understand company specific control reporting needs
• Develop a compliance roadmap
© 2015 IHS
• Do you have a lot of organizational changes?
• To what extent does your control environment need to be reliable,
transparent and drive accountability?
• What type of regulatory requirements are you considering?
• The more complex the organizational structure (e.g. companies,
plants)……..
Automating Controls/ January 2015
Organizational Factors
the greater the risk
associated with ERP
configuration and
consistency across
structures. ManyFew
© 2015 IHS
GRC Control Management
• GRC solutions require a detailed understanding of your business
controls, system controls and ERP configuration
• Set expectations for……………
Design standardization
Prioritization and scalability of
functionality implemented
Observance of best practice
GRC methodology
Identification and
development of control
synergies
Automating Controls/ January 2015
© 2015 IHS
Governance Considerations
Automating Controls/ January 2015
Audit Impact
•Plan for
adequate
personnel to
evaluate
GRC output
Impact and Other Factors
•Other factors
requiring
change to
GRC
• Implement
new
initiatives
leveraging
common test
objectives
•GRC impact
to the audit
process/
evidence
•Optimize
features with
greatest
impact first
•Types of
data/
information
expected
•Ability to
interpret data
•Possible
volume
generated
•Alternative
applications
able to
monitor
highly
privileged
areas/users
•Monitoring
within the
application
layer is
challenging
Log Results Changes Architecture Architecture
Recommendation: Do not generate logs/output if it’s not actively reviewed
© 2015 IHS
Technical Planning
• What is your ERP environment landscape?
• Break-fix, enhancements AND upgrades
• What about additional roll-ins?
• What types of GRC control approaches will you be deploying?
• Configurable - runs against backend tables or views
• Programmed -
© 2015 IHS
Governance Considerations
Automating Controls/ January 2015
Architecture
• Access to the
underlying log
tables
• Potential to
cover up fraud
• Impact to control
reliance.
Technical Factors
Technical Support Infrastructure Log Integrity
• Manage various
infrastructure
layers risk
• Risks associated
with various
solutions
• Number of
environments /
clients
• Hosted vs.
internally
managed
hardware
• Possible
manipulation by
the same
personnel who
maintain the
ERP
© 2015 IHS
What we will
cover• Company background
• What is GRC
• SAP GRC-Access Control
• SAP GRC-Process Control
• How to start your GRC Journey
• Implementation Considerations
• Lessons Learned
• Key Points
Automating Controls/ January 2015
© 2015 IHS
•
© 2015 IHS
System/Solution Suggestions
• Implement GRC as a pilot with focus on your most critical/high risk
functions first.
• IT/basis/development
• Security role changes
• Sensitive access
• Build in a layered approach to ERP sensitive users / access:
• Leverage GRC AC Emergency Access Management
• Use GRC PC to monitor changes to EAM role assignment
• Leverage GRC AC to identify highly sensitive access/users
• Use GRC AC and/or PC to monitor changes to those users
Automating Controls/ January 2015
© 2015 IHS
GRC Implementation
• What can you expect from a Pilot:
• Implement a limited number of standard controls
• Gain knowledge around what is required to configure and maintain GRC
• Develop GRC technical knowledge to strengthen research that may be needed
to perform management review
• Consider impact to the audit approach
• Short-Term Objectives
• Establish end-to-end process to support pilot controls
• Roll-out to other areas within the same compliancy structure once you have an
established approach/process
• Re-evaluate expectations, key metrics, resources needed
• Realign with audit partners
Automating Controls/ January 2015
© 2015 IHS
GRC Design Suggestions
• Maintain a master data
configuration document
• Track single and multiple
compliance initiative
structures
• Note effective dates
• Baseline for GRC roadmap
–phases
Reporting Requirements
Control execution location
Control testing location
Control nomenclature
GRC risks : Risk assessment
ERM requirements
Control effective dates
Master Data Maintenance
Automating Controls/ January 2015
Organization Hierarchy
Process Structure
Risk Categories
Control Master Data
© 2015 IHS
Phase-Considerations
• Identify potential
benefits:
• Would having
continuous monitoring
results impact your
auditor’s approach
• Would resources
being audited
change? Does this
free up other control
owners due to
continuous
monitoring?
• Limit initial functionality
implemented
• Limited number of
controls for 1
compliance area
• Implement for one
company end to end
• Define KPI’s
• Configure additional
controls
• Expand usage of
Continuous Control
Monitoring (CCM)
• Automated controls
• Manual controls
• Leverage GRC for
multiple compliance
initiatives
• Grow and enhance
your GRC platform and
utilization
Automating Controls/ January 2015
Phase 1 Subsequent phase(s)
© 2015 IHS
Applicability to Application Security
SOD violations when roles come together
Roles are complex or have sensitive transactions
Custom transactions are not treated appropriately
Objects/Programs are not restricted or identified
Automating Controls/ January 2015
User account is
manipulated for fraudulent
purpose
Roles modification is
unauthorized
Control over critical
transactions is bypassed
Unauthorized modification
to authorization in existing
role
SAP GRC PC
(CCMs)
SAP GRC AC
(ARA/EAM)
© 2015 IHS
Example of Continuous Controls Monitored (CCMs)
Phase 2 CCM’s for the Procure To Pay (PTP) process:
Automating Controls/ January 2015
Master Data
Immediate
notifications when
unauthorized
changes are made to
certain aspects of the
Vendor Master
Transactional Data
Prevent transactional
data errors
Configuration
Test for system hard
stop
© 2015 IHS
GRC Implementation Strategy Checklist
• Ensure key aspects of your GRC
footprint aligns with your GRC
organization hierarchy:
• Entity risk management
• Global Policies/procedures
• Risk Assessment/scoping
• Definition of controls
• Risk ownership/tolerance
• Remediation
• Risk Mitigation
• Compliance initiative ownership
• Other types of controls
Automating Controls/ January 2015
© 2015 IHS
GRC Implementation Strategy (cont’d)
• Key questions to ask:
• Who should approve changes to the
automated control alert settings?
• Who should approve mitigation
control documentation?
• What is your retention requirement for
GRC supporting documentation of
configuration assumptions?
• What are your current control
procedures, including control analysis
and remediation activities?
• Should a service level agreement
(SLA) will be established based on
the severity of the control
alert/change identified?
Automating Controls/ January 2015
© 2015 IHS
Define Roles &
Responsibilities
Automating Controls/ January 2015
Don’t forget to ensure your GRC
solution is compliant (not just what is
being monitored is compliant)
Design
mitigating
controls
Approve
control
remediation
Perform
periodic test of
rules/risks
Rule changes/
creation
GRC
application
Owner
Manage PC
related risks/
controls
Routine
review of
user access
Control &
rule
definition/
execution
Perform
control
mitigation/
reviews
Explain
outcome to
other users
© 2015 IHS
GRC
Implementation
Resources
• Infrastructure/Hosting Partner
(installation, infrastructure support)
• Systems Implementation Partner
(configuration, unit testing, user training/
knowledge transfer, on-going support)
• Control/Governance advisor (objective
GRC configuration oversight,
identification of additional risks/
considerations)
• Internal Audit (perform independent
SDLC audit testing and create baseline
of application controls for potential
reliance in the upcoming year)
Automating Controls/ January 2015
© 2015 IHS
• Control rationalization /requirements
• Control Design Document
• Risk/control owner design approval
• Master Data Configuration Document
• Test Plans
• Configuration documentation
• Control owner training materials
• Test scripts with evidence for UAT
• Risk/Control approval for go live
• Control master data change document
GRC Project – Compliance throughout the process
Follow a phased methodology for the implementation, considering:
• Post Install
• Baseline
ensure system
is performing
as intended
• Design docs &
technical specs
• Ensure scope
is covered and
expected
results
documented
• Build controls
in GRC
• Create reports
outlined in
technical
specs.
• User review
and validation
• Training
• Knowledge
transfer
• Deploy
• Support
procedures
Installation Validation
Solution Design
Build / Test
AcceptanceGo-live & Support
Deli
vera
ble
sAutomating Controls/ January 2015
© 2015 IHS
What we will
cover• Company background
• What is GRC
• SAP GRC-Access Control
• SAP GRC-Process Control
• How to start your GRC Journey
• Implementation Considerations
• Lessons Learned
• Key Points
Automating Controls/ January 2015
© 2015 IHS
Lessons Learned • Implement a GRC solution using a
phased approach
• Determine control objectives first, then
design and configure GRC solution
accordingly
• Production data may have greater
volume/variation than project could
anticipate
• Spend time reviewing understanding
GRC reporting capabilities
• Understand value GRC automation of
controls provides
• Auditor acceptance – plan for transition
Automating Controls/ January 2015
Base implementation on what your team
can reasonably analyze, add over time
© 2015 IHS
Lessons Learned • Analyze preliminary results produced by
the solution
• Identify and document the GRC-based
control review process early in your
design
• Consider how process owners will see
continuous monitoring
• Balance control configuration -
organizational control efficiency – and
resources needed
• Actively analyze output - don’t get
behind
Automating Controls/ January 2015
Don’t underestimate the importance of
collaborating with Audit
© 2015 IHS
What we will
cover• Company background
• What is GRC
• SAP GRC-Access Control
• SAP GRC-Process Control
• How to start your GRC Journey
• Implementation Considerations
• Lessons Learned
• Key Points
Automating Controls/ January 2015
© 2015 IHS
Key Points • Develop a GRC strategy/approach with key
milestones/metrics
• Engage your Audit partners early, include
them in the design and communicate with
them frequently
• Less can be more. Consider small, frequent
controlled rollouts
• Find the sweet spot between controls
configured, control efficiency and resources
needed to support your implementation
• Consider control owner learning curve when
developing your control project
timeline/approach
• Don’t wait to identify and document the control
review process and the output produced by a
GRC solution
Automating Controls/ January 2015
© 2015 IHS. No portion of this report may be reproduced, reused, or otherwise distributed in any form without prior written consent, with the exception of any
internal client distribution as may be permitted in the license agreement between client and IHS. Content reproduced or redistributed with IHS permission must
display IHS legal notices and attributions of authorship. The information contained herein is from sources considered reliable but its accuracy and
completeness are not warranted, nor are the opinions and analyses which are based upon it, and to the extent permitted by law, IHS shall not be liable for any
errors or omissions or any loss, damage or expense incurred by reliance on information or any statement contained herein. For more information, please
contact IHS at [email protected], +1 800 IHS CARE (from North American locations), or +44 (0) 1344 328 300 (from outside North America). All
products, company names or other marks appearing in this publication are the trademarks and property of IHS or their respective owners. V2.0-29.04.14
Americas:
+1.800.IHS.CARE (+1.800.447.2273);
Europe, Middle East, and Africa:
+44.(0).1344.328.300;
Asia and the Pacific Rim:
+604.291.3600;
Contact us