Helping enhance the real value of SAP GRC through RouteONE Insight Analytics
Contents
Business context: Making more informed risk and compliance decisions
RouteONE: Insight Analytics
RouteONE Overview
RouteONE: Key Benefits
Want to learn more? Insights on governance, risk and compliance
Contacts
Making more informed risk and compliance decisions
According to our 2015 SAP Governance, Risk and Compliance (GRC) survey,[1] on average, SAP customers are running between four and five GRC systems independently. This statistic underlines the fact that, in many organizations, GRC activities are managed by different functions, lines of business or regions. This makes it an almost impossible task for business leaders and their compliance, risk and audit teams to understand the true status of GRC in their organization and be confident that risks are being properly identified and handled.
To gain anything close to an accurate, enterprise-wide picture, many executives rely on a combination of complex spreadsheets, manual reports and discrete systems to stitch together GRC-related information. It is an approach that is time-consuming, labor-intensive and limited in its ability to provide accurate insight to improve decision-making.
RouteONE Insight Analytics for SAP GRC
1. There’s no reward without risk: EY GRC Survey 2015, EY, 2015.
RouteONE Insight Analytics
With RouteONE Insight Analytics, SAP customers can utilize the insights provided by real-time GRC dashboards to turn GRC data into information, and this information into knowledge. This approach can help enhance your current SAP GRC reporting with advanced data visualization and aggregation across multiple applications and data sources.
RouteONE Insight Analytics provides prebuilt KPIs, showing the progress of risk and control activities while highlighting specific issues such as ineffective controls, unmitigated risks and segregation of duties (SoDs).
Key features
• Data visualization: KPI library and a catalog of white-label dashboard templates and themes
• Data aggregation: techniques and tools to extract and transform SAP GRC data to create valuable KPI information
• User participation: techniques including trending, thresholds, social GRC and exception management to engage end users
• Mobile integration: RouteONE KPI library optimized with SAP Fiori for access from any device
• Multiple SAP GRC modules: supports data held within SAP GRC Access Control, Process Control, Risk Management and SAP Application Security
RouteONE overview
1. Accelerated scoping template and business case
2. Automated deployment:
• QuickBuilder for fast system-build
• QuickLoader for fast mass-data uploads
• Hindsight in advance visualization
3. EY’s controls catalog is different:
• A set of fully tested controls, operating and proven in the real world
• Highly automated, leveraging EY’s IT competency
• Expansive, covering more than 500 control points
4. Example data used in hundreds of managed test plans and control assessments
5. RouteONE Engaging Risk implementation methodology
Figure 1: ARA dashboard
RouteONE Access Management dashboard suite
Access Risk Analysis (ARA)
The ARA dashboard is designed to give management a high-level overview of both Segregation of Duties and critical access risks. Information can be broken down by separate reporting units within a company and by business process. The dashboard provides trending information with a time analysis and KPIs, helping enable you to see your overall risk position.
Key KPIs for ARA include:
• Total risks categorized as high, medium or low
• Total risks separated by business process
• Trend of total risks
• Total mitigations applied
• Expired mitigating controls
• Top users with risks
RouteONE Risk and Compliance dashboard suite
Risk dashboard
The Risk dashboard is designed to provide management with the ability to view risks across the organization, and assess the extent to which those risks are being managed by the different functions or units.
Key KPIs include:
• Total risks by high, medium and low
• Total risks by business process
• Trend of total risks
• Total mitigations applied
Emergency Access Management (EAM)
The EAM dashboard highlights the sessions in SAP in which a higher level of access was requested above an SAP user’s typical job role. Understanding when this extra level of access is required facilitates accurate user access and helps prevent abuse of extra privileges.
Key KPIs for EAM include:
• Sessions that include critical transactions
• Total firefighter IDs used for that period
• Most-used firefighters
• Breakdown by reason codes
• Monthly trending for overall statistics
Access Request Management (ARM)
The ARM dashboard provides a breakdown of user access requests within the SAP GRC environment and across each of its connected systems. Metrics such as total joiner, mover and leaver information can show how the landscape is changing for the selected period, along with the total completed requests. The information presented within the dashboard enables businesses to monitor every aspect relating to access requests efficiently to help improve compliance with processes.
Key KPIs for ARM include:
• Periodic total requests
• Approved versus rejected requests for each reporting unit
• Breakdown of joiners, movers and leavers, and firefighter access requests
• Daily breakdown of requests (with rejected data) to monitor monthly peaks or weekend use
• Top requests or rejections by user group
• Changes made per business process
Figure 2: Risk dashboard
Compliance dashboard
The Compliance dashboard is comprised of many different aspects of the control monitoring system, helping to give quick and easy access to the compliance performance of the business. This report is built with individual screens for the subsections that are reported on, which can include the manual test plan status, continuous automated control monitoring status, issue remediation status and policy management status.
Key KPIs include:
• Continuous control monitoring rating
• Control assessment rating
• Managed test plans rating
• Policy status rating
• Controls subject to sign off total
Figure 3: Compliance dashboard
Key benefits of RouteONE Insight Analytics
• Helps enhance management engagement of GRC
• Encourages business unit participation via social GRC (leveraging gamification to show relative performance and inspire improvement)
• Leverages experiences from many other customers to enhance implementation
• Helps achieve oversight at a fraction of the cost of your traditional business intelligence solutions
• Enables enterprise-wide visibility into GRC
• Helps improve risk decisions through more informed insight and interpretation
• Helps you stay one step ahead of potential control and SoD violations
• Uses data to identify the root cause of issues, and then refine and streamline access management and SoD-related processes
• Can reduce the overall cost of regulatory compliance through greater control efficiency
Want to learn more?
Creating trust in the digital world: EY’s Global Information Security Survey 2015
ey.com/GISS
Enhancing your security operations with Active Defense
ey.com/GRCinsights
Centralized operations: the future of operating models for Risk, Control and Compliance functions
ey.com/GRCinsights
Metrics matter: How Internal Audit can help organizations assess performance measurement
ey.com/GRCinsights
There’s no reward without risk: EY’s global governance, risk and compliance survey 2015
ey.com/GRCinsights
Maximizing value from your lines of defense
ey.com/LOD
Step up to the challenge: helping Internal Audit keep pace with a volatile risk landscape
ey.com/IArisks
Expecting more from risk management: drive business results through harnessing uncertainty
ey.com/REPM
Unlocking the value of your program investments: how predictive analytics can help in achieving successful outcomes
ey.com/PRM
Harnessing the power of data: how Internal Audit can embed data analytics and drive more value
ey.com/IAanalytics
Megatrends 2015: making sense of a world in motion
ey.com/megatrends
Improve your business performance: transform your governance, risk and compliance program
ey.com/transformGRC
Insights on governance, risk and compliance is an ongoing series of thought leadership reports focused on IT and other business risks, and the many related challenges and opportunities. These timely and topical publications are designed to help you understand the issues and provide you with valuable insights about our perspective. Please view our Insights on governance, risk and compliance series at www.ey.com/GRCinsights.
About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
About EY’s Advisory Services
In a world of unprecedented change, EY Advisory believes a better working world means helping clients solve big, complex industry issues and capitalize on opportunities to grow, optimize and protect their businesses.
From C-suite and functional leaders of Fortune 100 multinationals to disruptive innovators and emerging market small and medium-sized enterprises, EY Advisory works with clients — from strategy through execution — to help them design better outcomes and realize long-lasting results.
A global mindset, diversity and collaborative culture inspires EY consultants to ask better questions. They work with their clients, as well as an ecosystem of internal and external experts, to create innovative answers. Together, EY helps clients’ businesses work better.
The better the question. The better the answer. The better the world works.
© 2016 EYGM Limited. All Rights Reserved.
EYG no. 00867-162GBL
BMC Agency GA 0000_05058
ED 0217
In line with EY’s commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content.
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.
ey.com/sap
Follow us on Twitter: EY_SAP
EY | Assurance | Tax | Transactions | Advisory
Contacts
Marcus Götz, Partner, Advisory, [email protected], +49 89 14331 23471
Gavin Campbell, Partner, Advisory, [email protected], +971 4 332 4000
Werner van Haelst, Partner, Advisory, [email protected], +31 88 407 1167
Martyn Proctor, Executive Director, Advisory, [email protected], +44 20 7951 3989