Protecting your data - SAP GRC & Analytics
Ron Corsello – COE Finance Lead
NASC conference 2015
Legal disclaimer
The information in this presentation is confidential and proprietary to SAP and may not be disclosed without
the permission of SAP. This presentation is not subject to your license agreement or any other service or
subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this
document or any related presentation, or to develop or release any functionality mentioned therein. This
document, or any related presentation and SAP's strategy and possible future developments, products and/or
platforms directions and functionality are all subject to change and may be changed by SAP at any time
for any reason without notice. The information in this document is not a commitment, promise or legal
obligation to deliver any material, code or functionality. This document is provided without a warranty of any
kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness
for a particular purpose, or non-infringement. This document is for informational purposes and may not be
incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except
if such damages were caused by SAP's willful misconduct or gross negligence.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results
to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making
purchasing decisions.
© 2014 SAP AG. All rights reserved.
Customer
Challenges with Governance, Risk & Compliance today
Usually a hodge-podge of systems for:
- User Provisioning
- Identity Mgt (incl web access)
- Role Mgt
- Segregation of Duties (SOD)
- Compliance Reporting
Lack of Workflow
Lack of oversight by non-IT staff
Lack of mobile access
Internet access risks
Why GRC Matters
What is “top of mind” for management?
The real world implications
Control failures / Risk event
Disrupts operations
Lowers public perception
Reduces confidence
Increases scrutiny
Raises costs
Lack of transparency
Performance
Impact
The Potential for Positive Impact
Optimized
Performance
Confidence attained
Brand enhanced
Public demands met
Major disruptions avoided
Controls enhance performance
Risks anticipated and managed
Opportunities identified
Ask yourself these questions
Are your employees and systems compliant?
What is the cost of compliance?
Are controls in place and shared across your organization?
What is the opportunity for fraud and errors?
Are risk responses ready and effective?
Are behaviors reflective of policies?
GRC involves many elements...
Compliance
Audit
Identity management
Legal
Quality
Risk
Monitoring
Access management
Policy
Regulatory reporting
What you achieve with GRC technology
Automation and streamlining of tasks
Visibility into the status and controls
Alignment and integration among GRC programs
Integrity and improvement of business processes
Reduced number of compliance events & cost
Collaboration and engagement
SAP solutions for Governance, Risk and Compliance
Complete and Integrated
- SAP Risk Management: Preserve and grow value
- SAP Process Control: Ensure effective controls and ongoing compliance
- SAP Access Control: Manage access risk and prevent fraud
- SAP Identity Analytics: Gain insights into user roles and optimize decision making
- SAP Fraud Management: Better detect and prevent fraud
- SAP Audit Management: Drive increased audit efficiency and effectiveness
- SAP Access Violation Management: Identify and quantify the impact of actual access risk violations
- SAP Regulation Management: Manage regulatory requirements and align with internal control activities
Governor, Agencies,

Visibility and confidence

Reduced cost of compliance
Controller
Public
Regulation Management
Regulatory Collaboration & Execution
Regulatory Citations
1
Requirements
2
- Capture, intake and reporting of regulations
- Version control and gap analysis
- Delta change management
- Leverage content from UCF, LexisNexis, Thomson Reuters, etc.
- Pre-built reports for regulatory requirements
- Regulatory alerts and monitoring
3
Business
IT
Audit
Legal
Collaboration
Workflow
Control Definition
- Central repository for regulatory content, requirement and reporting
- Dynamic, multi-threaded workflow capabilities
- Best practice control mapping & content creation
- Review all or part of citations, requirements or controls at any time
- Unified control framework for all regulatory agencies
Controls Management
Control Automation
Reporting and Documentation
- Manage, monitor and test controls against production systems*
- Automatically execute control tests and import results*
- Capture, store and report results*
- Comment and interact from start to finish
- Share and review best practices
4
Compliance
- Map controls back to citations
- Manage and maintain findings*
* With SAP Process Control
Fraud is Typically Found Without Technology
Detection through Automation can be leveraged to find more
Source: 2012 Report to the Nations on Occupational Fraud and Abuse,
Association of Certified Fraud Examiners
Fully integrated fraud processing
Advanced alert management
Real-time alerting & option to hold suspicious transactions and avoid damages
Key Benefits
- Track fraud as early as possible before transactions are further processed
- Improve the efficacy of the fraud team and increase ROI of the fraud detection system
- Faster fraud processing to avoid blocking a transaction longer than needed
- Early identification of potential fraud situation enables business users to gather more data for their investigation
The world is changing
Consumer user experience is the new standard
GRC Analytics
Simple user interface
Key Benefits
Internal auditors view the status and action items anytime/anywhere
Provides e-mail reminders with action items
Collaborate audit issues with colleagues
GRC Analytics
Audit Management example
Key Benefits
Internal auditors can use the mobile app to identify sufficient, reliable, relevant, and useful information to achieve the engagement’s objectives.
Documentation is captured once and shared
Documentation can be reviewed by audit management
Why a comprehensive GRC system?
Proactively balance risk and opportunity
MANAGE BETTER
PROTECT VALUE
OPTIMIZE PERFORMANCE
Automate manual tasks
Automate monitoring
Provide timely information to decision makers
Employ best practices
Report and analyze
Unify the platform
Leverage predefined content
Gain business process insights
Link to value drivers
Thank You!
Compliance and control management challenges
Compliance Office

Manual, inefficient, slow and inaccurate

Lack of focus on most critical requirements, risks and processes

MISSION
HR
Finance
Not scalable
Manufacturing
Operations, Finance, Audit, Local GRC

Information and data is spread across many people and systems

Inconsistent practices

Lack of accountability
Operations
Finance
Compliance
Internal
Controls
Risk
Management
Internal Audit