Surviving in a Riskier World with a Governance Risk and Compliance Strategy
Patrick Wang, GRC Business Development APJ
© 2013 SAP AG. All rights reserved. 2
Agenda
Introduction
GRC solutions
Risk Management
Internal Controls
Access Controls
Summary
Introduction
What is GRC?
Brakes
Seatbelts
Car seats
Airbags
Maintenance records
Temperature gauge
Fuel gauge
Crash avoidance
GRC involves these elements and many others…
Compliance
Audit
Risk
Monitoring
Access risk management
Policy
Global trade compliance
Legal
Quality
EH&S
Can your organization answer these questions?
What risks impact your ability to perform?
What is the status of your compliance initiatives?
Does excessive access introduce opportunity for fraud and errors?
Are controls in place and shared across your organization?
Are risk responses ready and effective?
Are behaviors reflective of policies?
The cost is real: compliance enforcement and poorly managed risk events are costly
Bribery and corruption
Spills, explosions
Trading conflicts, currency manipulation, laundering, restricted trading parties
Off-label marketing, product recalls, price fixing
Conduct, transmission, ownership, manipulation, disruptions
Costs resulting from non-compliance can't be ignored: enforcement is 2.7 times higher than investing in compliant processes
$3.5 Million (cost of compliance) vs. $9.4 Million (cost of non-compliance)
Source: Ponemon Institute LLC, The True Cost of Compliance, 2011
Control failures / risk event:
Lowers customer satisfaction
Reduces investor confidence
Raises business costs
Increases scrutiny
But what's the hidden cost?
Performance impact: unachieved objectives; disrupts operations
Conversely, there is potential for a positive impact
Controls enhance performance
Risks anticipated and managed
Opportunities identified
Brand enhanced
Customer demands met
Major disruptions avoided
Shareholder value attained
Optimized performance
SAP GRC customers are seeing a positive impact: optimizing performance
Grew through the financial crisis
Discovered new oil reserves
Minimizing risk and non-compliance events
World's largest dairy exporter: expanding global dairy trade in a compliant manner; 17% growth of net profit
SAP GRC Solutions
SAP capabilities for GRC
GRC Shared Compliance Platform: Hierarchies, Policies, Controls, Risk, Response, Product Updates, User Experience
SAP Solutions for GRC
Monitor: Risk Indicators, Controls, Transactions, ERP Configuration, Events
Manage: Risk, Compliance, Audit, Policy, Access, Trade
Analyze: Dashboards and Visualization; Non-compliance, Effectiveness, Exceptions
Key solutions for success: SAP GRC solutions translate capabilities into value
SAP Solutions for GRC
GRC Shared Compliance Platform: Hierarchies, Policies, Controls, Risk, Response, Product Updates, User Experience
SAP Audit Management
SAP Risk Management
SAP Nota Fiscal Electronica
SAP Access Control
SAP Process Control
SAP Global Trade Services
Mobile: SAP Access Approver, SAP Policy Survey, SAP Sanction-Party List
Reporting & Analytics
GRC for Industries and LoBs
Native SAP ERP integration and integration to non-SAP ERP (SAP, Legacy, Others)
Risk Management
SAP Risk Management: Preserve and grow value
Plan risk management within the context of value to the organization
Link risks, risk drivers, risk indicators, impacts and responses
Analyze risk via scenarios, modeling, and other factors to understand exposure
Respond to risk after balancing costs and benefits
Monitor thresholds, effectiveness of risk responses, and corrective actions
Risk Heatmap
(Figure: First level, Second level, Third level)
Response Plan
Internal Controls
SAP Process Control: Ensure effective controls and on-going compliance
Document controls and policies centrally; map to key regulations and impacted organizations
Perform periodic risk assessments to determine scope and test strategies
Evaluate control design and effectiveness; raise and remediate issues
Perform automated, exception-based monitoring of ERP systems
Support decisions and promote accountability with insightful analytics and sign-off
Business Pain: Overuse of One-Time Vendors
One-time vendors: generally used to limit admin burden for infrequently used vendors
Bypassing controls: may be used to bypass ERP controls related to vendor maintenance and payment
Implications: non-compliance with company policies; fraud; errors; inadequate vendor history; …
Excerpt from above:
One-time vendor records shall be used for all payments made to vendors that are paid on a one-time basis or very infrequently and that are not established in the SAP Vendor Master Database.
The Bureau of Financial Management performs a periodic analysis of the payments posted to one-time vendor records to determine if a permanent vendor master record should be established.
Solution: Automating One-Time Vendor Review
What the business rule does: uses the new grouping and aggregation feature to group AP invoices for one-time vendors, presenting both the sum and the count of the invoices
What the customer does: schedules, on a recurring basis, a semi-automated activity to verify that one-time vendors are being used appropriately
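The grouping-and-aggregation rule above can be illustrated with a small script. This is an added example, not SAP Process Control's rule or code: it groups invoices posted to a one-time vendor account by the free-text payee on each document, reports sum and count per payee, and flags the payees a reviewer should examine (repeat use, large totals, or a payee that already exists in the vendor master and is therefore bypassing the vendor maintenance controls). The invoice data, the account id "OTV", the master-record names and the review thresholds are constructed assumptions.

```python
"""Semi-automated one-time vendor review.

Added example, not SAP's own business rule or code. It mirrors the rule the
slide describes: group AP invoices posted to a one-time vendor account by the
payee entered on each document, report sum and count per payee, and flag the
payees a reviewer should look at. The data model, the account id "OTV" and the
review thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Constructed sample postings. Account "OTV" stands for the one-time vendor
# (CpD) account; the payee is whatever the clerk typed on the invoice.
INVOICES = [
    {"doc": "5100001", "vendor_account": "OTV", "payee": "Acme Cleaning",
     "amount": Decimal("1200.00"), "posting_date": date(2013, 1, 8)},
    {"doc": "5100014", "vendor_account": "OTV", "payee": "ACME CLEANING",
     "amount": Decimal("1350.00"), "posting_date": date(2013, 2, 5)},
    {"doc": "5100027", "vendor_account": "OTV", "payee": "Acme  Cleaning ",
     "amount": Decimal("1100.00"), "posting_date": date(2013, 3, 4)},
    {"doc": "5100041", "vendor_account": "OTV", "payee": "acme cleaning",
     "amount": Decimal("1275.00"), "posting_date": date(2013, 4, 2)},
    {"doc": "5100033", "vendor_account": "OTV", "payee": "Big One-Off Consulting",
     "amount": Decimal("15000.00"), "posting_date": date(2013, 3, 18)},
    {"doc": "5100036", "vendor_account": "OTV", "payee": "Joe's Flowers",
     "amount": Decimal("80.00"), "posting_date": date(2013, 3, 20)},
    {"doc": "5100039", "vendor_account": "OTV", "payee": "Rivertown Notary",
     "amount": Decimal("45.00"), "posting_date": date(2013, 3, 27)},
    {"doc": "5100040", "vendor_account": "100042", "payee": "Regular Supplier Ltd",
     "amount": Decimal("9800.00"), "posting_date": date(2013, 3, 28)},
]


@dataclass(frozen=True)
class PayeeSummary:
    payee: str
    count: int
    total: Decimal
    first_posting: date
    last_posting: date


def normalize(name: str) -> str:
    """Fold case and whitespace so free-text payee names group together."""
    return " ".join(name.upper().split())


def summarize_one_time_vendors(invoices, one_time_accounts=("OTV",)):
    """Group invoices on one-time vendor accounts by payee; return summaries
    (sum and count per payee, as on the slide) sorted by total descending."""
    groups = defaultdict(list)
    for inv in invoices:
        if inv["vendor_account"] in one_time_accounts:
            groups[normalize(inv["payee"])].append(inv)
    summaries = []
    for payee, items in groups.items():
        dates = [i["posting_date"] for i in items]
        total = sum((i["amount"] for i in items), Decimal("0.00"))
        summaries.append(PayeeSummary(payee, len(items), total, min(dates), max(dates)))
    return sorted(summaries, key=lambda s: (-s.total, s.payee))


def flag_for_review(summaries, master_names=(), max_count=3,
                    max_total=Decimal("10000.00")):
    """Return {payee: [reasons]} for the payees a reviewer should examine.

    Thresholds are assumed values. A payee that already exists in the vendor
    master is flagged regardless of amount: paying it through the one-time
    account bypasses the vendor maintenance and payment controls."""
    master = {normalize(n) for n in master_names}
    findings = {}
    for s in summaries:
        reasons = []
        if s.payee in master:
            reasons.append("already has a vendor master record")
        if s.count >= max_count:
            reasons.append(f"{s.count} invoices between {s.first_posting} and {s.last_posting}")
        if s.total >= max_total:
            reasons.append(f"total {s.total} reaches review limit {max_total}")
        if reasons:
            findings[s.payee] = reasons
    return findings


if __name__ == "__main__":
    summaries = summarize_one_time_vendors(INVOICES)
    for s in summaries:
        print(f"{s.payee:<25} count={s.count:<2} total={s.total:>10}")
    for payee, reasons in flag_for_review(summaries, master_names={"Joe's Flowers"}).items():
        print(f"REVIEW {payee}: {'; '.join(reasons)}")
```

Normalizing the payee name matters: the four "Acme Cleaning" postings differ only in case and spacing, and without folding them together each would look like an isolated one-off payment and the repeat use that calls for a permanent master record would stay invisible.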
Access Controls
SAP Access Control: Manage access risk and prevent fraud
Define and maintain roles in business terms
Automate access assignments across SAP and non-SAP systems
Find and remediate SoD and critical access violations
Certify access assignments are still warranted
Monitor emergency access and transaction usage
(Figure: SAP_ALL with an X; Legacy)
Segregation of duties (SoD)
(Figure: Create Vendor / Pay Vendor, shown twice)
Integrated GRC
(Figure: Access Risk Management, Compliance Management and Risk Management; develop and package external content)
Enterprise Risk: Fraud
Responses: Reduce, Control, Avoid, Accept, Transfer
Regulations
Process: Procure to Pay (Vendor Mgmt, AP Invoicing)
Process Risks: Fraudulent invoices paid; valid invoices not entered
Access Risks: User can enter vendor & PO; user can enter invoices & payments
Controls: Review of new vendors and related invoice support; AP SoD rules in AC; review of uninvoiced goods receipts; monitor access status; mitigate access violations
Policies: Update and roll out strengthened security policy
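The SoD slide (Create Vendor vs. Pay Vendor) and the access risks listed under Procure to Pay both come down to one check: does a single user hold two business functions that a rule says must be separated? The script below is an added example, not SAP Access Control's rule library or code. Roles grant transaction codes, transaction codes map to business functions, and each SoD rule names a pair of functions; the check reports, per user, which rule is violated, which roles contribute each side, and whether a mitigating control has been assigned. It also catches roles that violate a rule by themselves, which is a role-design defect no user assignment can fix. The role names, users, rule ids and mitigating control are constructed; the transaction-to-function mapping is illustrative only.

```python
"""Segregation-of-duties check over user role assignments.

Added example, not SAP Access Control's rule set or code. Role names, users,
rule ids and the mitigating control are constructed; the transaction codes
and their mapping to business functions are illustrative, a real rule set
comes from the Access Control rule library.
"""

# Business function -> transaction codes that perform it (illustrative).
FUNCTIONS = {
    "CREATE_VENDOR": {"XK01", "FK01"},
    "CREATE_PO": {"ME21N"},
    "ENTER_INVOICE": {"MIRO", "FB60"},
    "PAY_VENDOR": {"F110", "F-53"},
}

# SoD rules: two functions that must not sit with one user (constructed ids).
SOD_RULES = {
    "AP01": ("CREATE_VENDOR", "PAY_VENDOR"),
    "AP02": ("CREATE_VENDOR", "ENTER_INVOICE"),
    "AP03": ("ENTER_INVOICE", "PAY_VENDOR"),
}

# Constructed role and user data.
ROLES = {
    "Z_VENDOR_MAINT": {"XK01"},
    "Z_PURCHASER": {"ME21N"},
    "Z_AP_CLERK": {"MIRO", "FB60"},
    "Z_AP_PAYMENTS": {"F110", "F-53"},
    "Z_AP_SUPER": {"XK01", "MIRO", "F110", "ME21N"},
}
USERS = {
    "alice": {"Z_VENDOR_MAINT"},
    "bob": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},
    "carol": {"Z_AP_SUPER"},
    "dave": {"Z_PURCHASER"},
}
# Mitigating controls assigned to a (user, rule) pair; a violation without
# one must be fixed by changing the role assignment.
MITIGATIONS = {("bob", "AP03"): "CTRL-017: monthly payment-run review by AP manager"}


def functions_of(tcodes, functions=FUNCTIONS):
    """Business functions reachable from a set of transaction codes."""
    return {fn for fn, codes in functions.items() if codes & set(tcodes)}


def role_conflicts(roles=ROLES, rules=SOD_RULES):
    """Roles that violate a rule on their own: the defect is in the role
    design, so no user holding the role can be clean."""
    result = {}
    for role, tcodes in roles.items():
        fns = functions_of(tcodes)
        hits = [rid for rid, (a, b) in rules.items() if a in fns and b in fns]
        if hits:
            result[role] = hits
    return result


def user_violations(user, users=USERS, roles=ROLES, rules=SOD_RULES,
                    mitigations=MITIGATIONS):
    """SoD violations for one user across all roles, with the roles that
    grant each side and any assigned mitigating control."""
    granting = {}  # function -> roles that grant it
    for role in users.get(user, ()):
        for fn in functions_of(roles.get(role, ())):
            granting.setdefault(fn, set()).add(role)
    findings = []
    for rid, (a, b) in rules.items():
        if a in granting and b in granting:
            findings.append({
                "user": user, "rule": rid, "functions": (a, b),
                "roles": sorted(granting[a] | granting[b]),
                "mitigation": mitigations.get((user, rid)),
            })
    return findings


def risk_report(users=USERS):
    """Per-user findings plus the count of violations still needing action."""
    report = {u: user_violations(u, users=users) for u in users}
    report = {u: v for u, v in report.items() if v}
    unmitigated = sum(1 for v in report.values() for f in v if f["mitigation"] is None)
    return report, unmitigated


if __name__ == "__main__":
    for role, hits in role_conflicts().items():
        print(f"ROLE DESIGN  {role}: violates {', '.join(hits)}")
    report, open_count = risk_report()
    for user, findings in report.items():
        for f in findings:
            status = "mitigated by " + f["mitigation"] if f["mitigation"] else "OPEN"
            print(f"USER {user}: {f['rule']} via {', '.join(f['roles'])} ({status})")
    print(f"{open_count} unmitigated violation(s)")
```

In the sample, bob's conflict arises only from the combination of two individually clean roles, which is the case a role-by-role review misses, while carol's three conflicts all come from one role and show up in `role_conflicts()` before any user is examined.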
The SAP Difference
Unified GRC Platform: risk, compliance, audit, policy and internal control management
Proactive: integrated monitoring, continuous controls monitoring
Large Eco-system: industry-specific tailored solutions meeting your requirements
Proven: remarkable customers using essential solutions
The SAP Difference. Proven: remarkable customers using essential solutions