What is GRC

IBM SAP GRC Process Control Team. SAP Pearl - IBM: Introduction to SAP GRC and SAP GRC Process Control Overview. Author: Mohammed K Masood/India/IBM

Transcript of What is GRC

IBM SAP GRC Process Control Team


SAP Pearl - IBM

Introduction to SAP GRC and SAP GRC Process Control Overview

Author: Mohammed K Masood/India/IBM


What is GRC

"GRC is an integrated, holistic approach to organization-wide governance, risk and compliance ensuring that an organization acts ethically correct and in accordance with its risk appetite, internal policies and external regulations through the alignment of strategy, processes, technology and people, thereby improving efficiency and effectiveness."

• Governance describes the overall management approach through which senior executives direct and control the entire organization, using a combination of management information and hierarchical management control structures. Governance activities ensure that critical management information reaching the executive team is sufficiently complete, accurate and timely to enable appropriate management decision making, and provide the control mechanisms to ensure that strategies, directions and instructions from management are carried out systematically and effectively.

• Risk management is the set of processes through which management identifies, analyzes and, where necessary, responds appropriately to risks that might adversely affect realization of the organization's business objectives. The response to risks typically depends on their perceived gravity and involves controlling, avoiding, accepting or transferring them to a third party. Whereas organizations routinely manage a wide range of risks (e.g. technological risks, commercial/financial risks, information security risks etc.), external legal and regulatory compliance risks are arguably the key issue in GRC.

• Compliance means conforming with stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined for example in laws, regulations, contracts, strategies and policies), assess the state of compliance, assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions deemed necessary.


Why GRC

Widespread interest in GRC was sparked by the US Sarbanes-Oxley Act and the need for US listed companies to design and implement suitable governance controls for SOX compliance, but the focus of GRC has since shifted towards adding business value through improving operational decision making and strategic planning. It therefore has relevance beyond the SOX world.

Governance, Risk and Compliance, or GRC, is an increasingly recognized term that reflects a new way in which organizations are adopting an integrated approach to these aspects of their business.


Summary of the Sarbanes-Oxley Act of 2002

• Enacted by the US Congress on July 30, 2002
• Defined a new paradigm for corporate accountability
• Applies to all companies registered with the Securities and Exchange Commission (SEC)
• Clearly defines corporate responsibilities
    • Audit Committee
    • Chief Executive Officer (CEO)
    • Chief Financial Officer (CFO)
• Created a new standard for the design, implementation and operation of an internal control structure

Sound internal controls are no longer just a best practice; they are required by law.

SOX and Public Company Accounting Oversight Board (PCAOB)

In 2002, Congress passed the Sarbanes-Oxley Act (the Act), which, among other things, established new provisions related to internal control over financial reporting. Sections 302 and 404 of the Act require company management to assess and report on the effectiveness of the company's internal control process.

PCAOB published Auditing Standard 2 (AS2) in 2004. Auditing Standard 5 (AS5) was published in July 2007 to replace Audit Standard 2. PCAOB inspects registered external auditors to ensure they are following PCAOB's auditing standards.

The goal of the consultant is not to interpret Sarbanes-Oxley or Audit Standard 5, but to highlight the information published by the PCAOB as it relates to the Process Control product.


Internal Controls Environment supported by SAP GRC Products


SAP GRC – The Product

SAP BusinessObjects governance, risk and compliance solutions (SAP BusinessObjects GRC solutions) offer your organization a preventive, real-time approach to governance, risk and compliance. Automated risk and compliance monitoring activities can help you proactively prevent risk events and compliance violations, helping you protect the value of your organization.

What's more, SAP BusinessObjects GRC solutions can empower you to incorporate risk management and compliance into your strategy, planning and operational execution – helping you leverage GRC as a competitive differentiator and optimize performance.

• Enterprise GRC – Automate risk management, compliance and monitoring activities and minimize the associated cost and effort required

• Access risk management – Confidently manage and reduce access risk across the enterprise with a single solution to manage a centralized strategy for governance, risk and compliance

• Global trade services – Minimize global trade violations with a single integrated platform to meet complex and ever-changing global trade compliance requirements

• Environment, health and safety management – Empower your organization to address regulatory compliance, integrate the management of operational risks related to environment, health and safety, and address corporate sustainability initiatives

• Sustainability performance management – Help your organization track and communicate sustainability performance, set goals and objectives, manage risks and monitor activities


Overview: SAP Business Objects Portfolio

• Enterprise Performance Management: Strategy Management; Business Planning; Profitability and Cost Management; Financial Consolidation; Spend Analytics

• Information Management: Data Integration; Data Quality Management; Master Data Management; Metadata Management

• Governance, Risk and Compliance: Risk Management; Access Control; Process Control; Global Trade Services; Environment, Health and Safety

• Information Discovery and Delivery: Reporting; Query, Reporting and Analysis; Dashboards and Visualization; Search and Navigation; Advanced Analytics


Introduction to SAP GRC Process Control

The SAP BusinessObjects Risk Management and SAP BusinessObjects Process Control applications offer comprehensive functionality that supports the following:

• Automatic monitoring of key risk indicators and compliance effectiveness
• Automatic risk and compliance management delivered through predefined best practice workflows, assessments, surveys and signoff
• Risk response and remediation tracking for easy assessment of effectiveness of responses
• Automated business process and system monitoring across heterogeneous landscapes
• Scalable support for multiple compliance and risk programs
• Risk-based scenario analysis that provides insights into the potential impact of increased risk levels and compliance violations
• Predefined risk and regulatory content formulated for specific industries and lines of business
• Unified management and control of strategic, financial, operational and compliance risks
• Unified framework that helps you align business process, compliance and risk methodologies
• Consolidated views that can help simplify risk and performance analysis across multiple lines of business
• Automated risk and compliance alerts, notifications, reports and workflows

SAP GRC Process Control deals with the SAP application for process control. SAP GRC Process Control provides a risk-based procedure for creating a control framework and for indicating the most effective and powerful controls for business processes and cross-enterprise IT systems.


SAP Process Control – Big Picture

(Diagram. Labels recovered from the slide:)

• Perform Assessments, Test Automated Controls, Test Manual Controls, Certify and Sign Off, Remediate Issues
• Organization, Process, Sub-process, Risk, Control
• IT Infrastructure, Business Processes
• Survey (… Yes/No)
• Document, Scope, Evaluate, Monitor, Perform CAPA, Monitor Exceptions, Sign Off
• SOX
• Enterprise Integration, Risk Management, Access Control, Third-party applications, Data Privacy Event Systems, Enterprise Productivity
• Reporting: Crystal Reports, Xcelsius Dashboard, BI Reports, Datasheets
• Oracle, PeopleSoft


SAP Process Control – Application Life Cycle


Case Study: PC consultant

A business case explaining how SAP GRC Process Control affects the life span of an enterprise, and how a consultant works towards getting the enterprise compliant.


Q&A

  • SAP Pearl - IBM
  • What is GRC
  • Why GRC
  • Summary of the Sarbanes-Oxley Act of 2002
  • Slide 5
  • SAP GRC – The Product
  • Slide 7
  • Introduction to SAP GRC Process Control
  • SAP Process Control – Big Picture
  • SAP Process Control – Application Life Cycle
  • Case Study PC consultant
  • Q&A



IBM SAP GRC Process Control Team

4

Summary of the Sarbanes-Oxley Act of 2002

1048708 Enacted by the US Congress on July 30 20021048708 Defined a new paradigm for corporate accountability1048708 Applies to all companies registered with the Securities and Exchange Commission (SEC)1048708 Clearly defines corporate responsibilities

1048708 Audit Committee1048708 Chief Executive Officer (CEO)1048708 Chief Financial Officer (CFO)

1048708 Created a new standard for the design implementation and operation of an internal control structure

Sound internal controls are no longer just a best practice they are required by law

SOX and Public Company Accounting Oversight Board (PCAOB)In 2002 Congress passed the Sarbanes-Oxley Act (the Act) which among other things

established new provisions related to internal control over financial reportingSections 302 and 404 of the Act require company management to assess and report on the effectiveness of the companys internal control process

PCAOB published Auditing Standard 2 (AS2) in 2004 Auditing Standard 5 (AS5) was published in

July 2007 to replace Audit Standard 2 PCAOB inspects registered external auditors to ensure they

are following PCAOBrsquos auditing standards

The goal of the consultant is not to interpret Sarbanes-Oxley or Audit Standard 5 but to highlight the

information published by the PCAOB as it relates to the Process Control product

IBM SAP GRC Process Control Team

5

Internal Controls Environmentsupported by SAP GRC Products

IBM SAP GRC Process Control Team

6

SAP GRC ndash The ProductSAP BusinessObjects governance risk and compliance solutions (SAP BusinessObjects GRC solutions) offer your organization a preventive real-time approach to governance risk and compliance Automated risk and compliance monitoring activities can help you proactively prevent risk events and compliance violations helping you protect the value of your organization

Whats more SAP BusinessObjects GRC solutions can empower you to incorporate risk management and compliance into your strategy planning and operational execution ndash helping you leverage GRC as a competitive differentiator and optimize performance

bull Enterprise GRC ndash Automate risk management compliance and monitoring activities and minimize the associated cost and effort required

bull Access risk management ndash Confidently manage and reduce access risk across the enterprise with a single solution to manage a centralized strategy for governance risk and compliance

bull Global trade services ndash Minimize global trade violations with a single integrated platform to meet complex and ever-changing global trade compliance requirements

bull Environment health and safety management ndash Empower your organization to address regulatory compliance integrate the management of operational risks related to environment health and safety and address corporate sustainability initiatives

bull Sustainability performance management ndash Help your organization track and communicate sustainability performance set goals and objectives manage risks and monitor activities

IBM SAP GRC Process Control Team

7

Overview SAP Business Objects Portfolio

Enterprise Performance Management

Strategy Management

Business Planning

Profitability andCost

Management

FinancialConsolidati

onSpend

Analytics

Data Integratio

n

Data Quality

Management

Master Data

Management

Metadata Management

Information Management

Governance Riskand Compliance

RiskManagement

Access Control

Process Control

Global Trade

ServicesEnvironment Health and Safety

Information Discovery and

DeliveryReporting Query

Reporting and Analysis

Dashboards and

Visualization

Search and Navigation

Advanced Analytics

IBM SAP GRC Process Control Team

8

Introduction to SAP GRC Process Control

The SAP BusinessObjects Risk Management and SAP BusinessObjects Process Control applications offer comprehensive functionality that supports the following

bull Automatic monitoring of key risk indicators and compliance effectivenessbull Automatic risk and compliance management delivered through predefined best practice

workflows assessments surveys and signoffbull Risk response and remediation tracking for easy assessment of effectiveness of

responsesbull Automated business process and system monitoring across heterogeneous landscapesbull Scalable support for multiple compliance and risk programsbull Risk-based scenario analysis provides insights into the potential impact of

increased risk levels and compliance violationsbull Predefined risk and regulatory content formulated for specific industries and lines

of businessbull Unified management and control of strategic financial operational and compliance

risksbull Unified framework that help you align business process compliance and risk

methodologiesbull Consolidated views that can help simplify risk and performance analysis across

multiple lines of businessbull Automated risk and compliance alerts notifications reports and workflows

SAP GRC Process Control deals with the SAP application for process control SAP GRC Process Control provides a risk-based procedure for creating a control framework and for indicating the most effective and powerful controls for business processes and cross-enterprise IT systems

IBM SAP GRC Process Control Team

9

SAP Process Control ndash Big Picture

Perform Assessment

s

TestAutomated Controls

Test Manual

Controls

Certify and Sign Off

Remediate Issues

Organization Process Sub-process Risk

Control

IT Infrastructure

Business Processes

hellip YesN

o

S U R V E

Y

Eval

uate

Monito

r Perform CAPA

Scop

e

Monitor Exceptions

Sign

Off

SOXEnterprise Integration

Risk Management

Access Control

Third-party applications

Data Privacy Event Systems

Enterprise Productivity

Reporting Crystal Reports Xcelsius Dashboard BI Reports Datasheets

Oracle PeopleSoft

Docu

ment


SAP Process Control – Application Life Cycle


Case Study: PC consultant

A business case explaining how SAP GRC Process Control affects the life span of an enterprise, and a consultant who works towards getting the enterprise compliant.


Q&A

  • SAP Pearl - IBM
  • What is GRC
  • Why GRC
  • Summary of the Sarbanes-Oxley Act of 2002
  • Slide 5
  • SAP GRC – The Product
  • Slide 7
  • Introduction to SAP GRC Process Control
  • SAP Process Control – Big Picture
  • SAP Process Control – Application Life Cycle
  • Case Study: PC consultant
  • Q&A


Internal Controls Environment supported by SAP GRC Products


SAP GRC – The Product

SAP BusinessObjects governance, risk, and compliance solutions (SAP BusinessObjects GRC solutions) offer your organization a preventive, real-time approach to governance, risk, and compliance. Automated risk and compliance monitoring activities can help you proactively prevent risk events and compliance violations, helping you protect the value of your organization.

What's more, SAP BusinessObjects GRC solutions can empower you to incorporate risk management and compliance into your strategy, planning, and operational execution – helping you leverage GRC as a competitive differentiator and optimize performance.

• Enterprise GRC – Automate risk management, compliance, and monitoring activities and minimize the associated cost and effort required

• Access risk management – Confidently manage and reduce access risk across the enterprise with a single solution to manage a centralized strategy for governance, risk, and compliance

• Global trade services – Minimize global trade violations with a single integrated platform to meet complex and ever-changing global trade compliance requirements

• Environment, health, and safety management – Empower your organization to address regulatory compliance, integrate the management of operational risks related to environment, health, and safety, and address corporate sustainability initiatives

• Sustainability performance management – Help your organization track and communicate sustainability performance, set goals and objectives, manage risks, and monitor activities


Overview: SAP Business Objects Portfolio

• Enterprise Performance Management: Strategy Management, Business Planning, Profitability and Cost Management, Financial Consolidation, Spend Analytics
• Information Management: Data Integration, Data Quality Management, Master Data Management, Metadata Management
• Governance, Risk and Compliance: Risk Management, Access Control, Process Control, Global Trade Services, Environment Health and Safety
• Information Discovery and Delivery: Reporting, Query Reporting and Analysis, Dashboards and Visualization, Search and Navigation, Advanced Analytics







