
Helping enhance the real value of SAP GRC through RouteONE Insight Analytics


Contents

Business context: Making more informed risk and compliance decisions

RouteONE: Insight Analytics

RouteONE Overview

RouteONE: Key Benefits

Want to learn more? Insights on governance, risk and compliance

Contacts


Making more informed risk and compliance decisions

According to our 2015 SAP Governance, Risk and Compliance (GRC) survey,¹ on average, SAP customers are running between four and five GRC systems independently. This statistic underlines the fact that, in many organizations, GRC activities are managed by different functions, lines of business or regions. This makes it an almost impossible task for business leaders and their compliance, risk and audit teams to understand the true status of GRC in their organization and be confident that risks are being properly identified and handled.

To gain anything close to an accurate, enterprise-wide picture, many executives rely on a combination of complex spreadsheets, manual reports and discrete systems to stitch together GRC-related information. It is an approach that is time-consuming, labor-intensive and limited in its ability to provide accurate insight to improve decision-making.

RouteONE Insight Analytics for SAP GRC

1. There’s no reward without risk: EY GRC Survey 2015, EY, 2015.


RouteONE Insight Analytics

With RouteONE Insight Analytics, SAP customers can utilize the insights provided by real-time GRC dashboards to turn GRC data into information, and this information into knowledge. This approach can help enhance your current SAP GRC reporting with advanced data visualization and aggregation across multiple applications and data sources.

RouteONE Insight Analytics provides prebuilt KPIs, showing the progress of risk and control activities while highlighting specific issues such as ineffective controls, unmitigated risks and segregation of duties (SoDs).

Key features

• Data visualization: KPI library and a catalog of white-label dashboard templates and themes

• Data aggregation: techniques and tools to extract and transform SAP GRC data to create valuable KPI information

• User participation: techniques including trending, thresholds, social GRC and exception management to engage end users

• Mobile integration: RouteONE KPI library optimized with SAP Fiori for access from any device

• Multiple SAP GRC modules: supports data held within SAP GRC Access Control, Process Control, Risk Management and SAP Application Security

RouteONE overview

1. Accelerated scoping template and business case

2. Automated deployment:

• QuickBuilder for fast system-build

• QuickLoader for fast mass-data uploads

• Hindsight in advance visualization

3. EY’s controls catalog is different:

• A set of fully tested controls, operating and proven in the real world

• Highly automated, leveraging EY’s IT competency

• Expansive, covering more than 500 control points

4. Example data used in hundreds of managed test plans and control assessments

5. RouteONE Engaging Risk implementation methodology

Figure 1: ARA dashboard

RouteONE Access Management dashboard suite

Access Risk Analysis (ARA)

The ARA dashboard is designed to give management a high-level overview of both Segregation of Duties and critical access risks. Information can be broken down by separate reporting units within a company and by business process. The dashboard provides trending information with a time analysis and KPIs, helping enable you to see your overall risk position.

Key KPIs for ARA include:

• Total risks categorized as high, medium or low

• Total risks separated by business process

• Trend of total risks

• Total mitigations applied

• Expired mitigating controls

• Top users with risks


RouteONE Risk and Compliance dashboard suite

Risk dashboard

The Risk dashboard is designed to provide management with the ability to view risks across the organization, and assess the extent to which those risks are being managed by the different functions or units.

Key KPIs include:

• Total risks by high, medium and low

• Total risks by business process

• Trend of total risks

• Total mitigations applied

Emergency Access Management (EAM)

The EAM dashboard highlights the sessions in SAP in which a higher level of access was requested above an SAP user’s typical job role. Understanding when this extra level of access is required facilitates accurate user access and helps prevent abuse of extra privileges.

Key KPIs for EAM include:

• Sessions that include critical transactions

• Total firefighter IDs used for that period

• Most-used firefighters

• Breakdown by reason codes

• Monthly trending for overall statistics

Access Request Management (ARM)

The ARM dashboard provides a breakdown of user access requests within the SAP GRC environment and across each of its connected systems. Metrics such as total joiner, mover and leaver information can show how the landscape is changing for the selected period, along with the total completed requests. The information presented within the dashboard enables businesses to monitor every aspect relating to access requests efficiently to help improve compliance with processes.

Key KPIs for ARM include:

• Periodic total requests

• Approved versus rejected requests for each reporting unit

• Breakdown of joiners, movers and leavers, and firefighter access requests

• Daily breakdown of requests (with rejected data) to monitor monthly peaks or weekend use

• Top requests or rejections by user group

• Changes made per business process

Figure 2: Risk dashboard


Compliance dashboard

The Compliance dashboard comprises many different aspects of the control monitoring system, helping to give quick and easy access to the compliance performance of the business. This report is built with individual screens for the subsections that are reported on, which can include the manual test plan status, continuous automated control monitoring status, issue remediation status and policy management status.

Key KPIs include:

• Continuous control monitoring rating

• Control assessment rating

• Managed test plans rating

• Policy status rating

• Controls subject to sign off total

Figure 3: Compliance dashboard

Key benefits of RouteONE Insight Analytics

• Helps enhance management engagement of GRC

• Encourages business unit participation via social GRC (leveraging gamification to show relative performance and inspire improvement)

• Leverages experiences from many other customers to enhance implementation

• Helps achieve oversight at a fraction of the cost of your traditional business intelligence solutions

• Enables enterprise-wide visibility into GRC

• Helps improve risk decisions through more informed insight and interpretation

• Helps you stay one step ahead of potential control and SoD violations

• Uses data to identify the root cause of issues, and then refine and streamline access management and SoD-related processes

• Can reduce the overall cost of regulatory compliance through greater control efficiency


Want to learn more?

Creating trust in the digital world: EY’s Global Information Security Survey 2015

ey.com/GISS

Enhancing your security operations with Active Defense

ey.com/GRCinsights

Centralized operations: the future of operating models for Risk, Control and Compliance functions

ey.com/GRCinsights

Metrics matter: How Internal Audit can help organizations assess performance measurement

ey.com/GRCinsights

There’s no reward without risk: EY’s global governance, risk and compliance survey 2015

ey.com/GRCinsights

Maximizing value from your lines of defense

ey.com/LOD

Step up to the challenge: helping Internal Audit keep pace with a volatile risk landscape

ey.com/IArisks

Expecting more from risk management: drive business results through harnessing uncertainty

ey.com/REPM

Unlocking the value of your program investments: how predictive analytics can help in achieving successful outcomes

ey.com/PRM

Harnessing the power of data: how Internal Audit can embed data analytics and drive more value

ey.com/IAanalytics

Megatrends 2015: making sense of a world in motion

ey.com/megatrends

Improve your business performance: transform your governance, risk and compliance program

ey.com/transformGRC

Insights on governance, risk and compliance is an ongoing series of thought leadership reports focused on IT and other business risks, and the many related challenges and opportunities. These timely and topical publications are designed to help you understand the issues and provide you with valuable insights about our perspective. Please view our Insights on governance, risk and compliance series at www.ey.com/GRCinsights.


About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

About EY’s Advisory Services

In a world of unprecedented change, EY Advisory believes a better working world means helping clients solve big, complex industry issues and capitalize on opportunities to grow, optimize and protect their businesses.

From C-suite and functional leaders of Fortune 100 multinationals to disruptive innovators and emerging market small and medium-sized enterprises, EY Advisory works with clients — from strategy through execution — to help them design better outcomes and realize long-lasting results.

A global mindset, diversity and collaborative culture inspire EY consultants to ask better questions. They work with their clients, as well as an ecosystem of internal and external experts, to create innovative answers. Together, EY helps clients’ businesses work better.

The better the question. The better the answer. The better the world works.

© 2016 EYGM Limited. All Rights Reserved.

EYG no. 00867-162GBL

BMC Agency GA 0000_05058

ED 0217

In line with EY’s commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

ey.com/sap

Follow us on Twitter: EY_SAP

EY | Assurance | Tax | Transactions | Advisory

Contacts

Marcus Götz, Partner, Advisory, +49 89 14331 23471

Gavin Campbell, Partner, Advisory, +971 4 332 4000

Werner van Haelst, Partner, Advisory, +31 88 407 1167

Martyn Proctor, Executive Director, Advisory, +44 20 7951 3989