Pave the way: Build a value-driven SAP GRC roadmap
March 2015
www.pwc.be/ERP
PwC
Agenda
• Introduction
• Measuring GRC Progression & Benchmarking
• GRC Program Roadmap
• Building a Business Case
Introduction: Pave the way

At the end of this session…

We intend to provide you with the techniques and good practices to help you in building a business case and a roadmap for your GRC program and technologies.

We will explore the types of approaches that can be adopted to synchronize your organization in order to streamline activities, create efficiencies, enable effective reporting, and avoid redundancy.
Measuring GRC Progression & Benchmarking

Measuring GRC Progression

(Chart: maturity scale with the axes “Automation” and “GRC Technology Enablement”.)

Where do you fit on the scale?
Control Mix Benchmarking

It is important to bear in mind that control standards will differ from client to client, and different individuals may even classify the same control differently; however, we can still draw some broad conclusions.

(Chart: number of Auto Controls and Manual Controls per client C1 to C9 on a 0 to 600 count axis, with % Automation per client and the Average Automation line on a 0% to 70% axis.)
GRC Program Roadmap: An Example

GRC Program Roadmap Example: Introduction

1. Risk Assessment & Analysis of Existing Controls
• Gain an understanding of risks and controls.
• Analysis of risks and controls against industry and leading practices.
• Provide recommendations and rationale for:
- Missing risks;
- Duplicate risks;
- Any recommended changes to risk rating.

2. Risk & Controls Alignment
• Identify redundant controls, areas for risk & controls consolidation, and controls which can be centralized.
• Provide recommendations and rationale for which controls should be removed or streamlined.

3. Automation of Controls & Streamlining Processes
• Identify areas where automation could be leveraged to reduce existing control effort. For example:
- Workflow enablement of manual controls;
- Preventive configuration in the system;
- Restrictions of access;
- Segregation of duties;
- Near real-time analytics;
- Workflow tooling (central provisioning, emergency user management, etc.).
• Document business case and roadmap to implement recommendations.

4. GRC Technology Enablement
• Identify maximum documentation requirements to enable documentation once.
• Leverage GRC technology to support the ‘to be’ control framework and evaluation of that framework.
• Identify Continuous Control Monitoring opportunities.

5. GRC Program Maintenance
• Establish practices to maintain your control framework’s design and keep it relevant. For example:
- Incorporation of business, regulatory and technology changes;
- Issues found incorporated into control design to prevent reoccurrences.
• Sustainable and efficient governance over the GRC technology.
GRC Program Roadmap Example: Ownership

An important piece of the GRC roadmap is establishing clear ownership and accountability.

Ownership completely depends on the size and structure of the organization. There is no one-size-fits-all. Here are some things you need to consider before initiating your program:

Compliance Team:
If established and separate from Internal Audit, typically we see the compliance function own risk identification and the GRC program.

Business Users:
All business units have responsibility for the operation of controls. Finance has greater responsibility from a compliance perspective. If a separate compliance function does not exist, risk identification and the GRC program typically fall under Finance.

IT Team:
IT owns the technological components and supports the technology utilized for the GRC program.

Internal Audit:
Internal Audit has a stake in compliance and the GRC program to help establish that the controls are operating effectively.
Building a Business Case

Importance of the business case

Today’s Control Environment
• Improved, robust, and efficient controls that leverage increased automation are becoming critical as the number and complexity of risks increase for companies.
• Companies need to invest in a technological infrastructure that supports increased automation, better reporting, and stronger overall controls governance.

Challenge
• Such initiatives are often “shot down” in the annual budgeting process as they compete with other company priorities.
• Companies are often only willing to invest in such technologies as a reactive response to audit or compliance failures; or worse – public embarrassment.

Solution
• Developing a strong business case with proper financial metrics can help pave the way for more proactive and progressive investments in controls automation technology at your company.
Building a business case: The process

Key Financial Metrics
• Payback Period
• Net Present Value
• Return on Investment

Steps to Build the Case:
1. Define the opportunity
2. Identify your options
3. Gather information on your options
4. Analyze the information on your options
5. Choose an option and assess the risks
6. Create a high-level implementation plan
7. Communicate your case
Building a business case: ROI Framework for automated controls

Return on investment (ROI): a financial ratio measuring the cash return from an investment relative to its cost for a stated period of time.

Estimate Monetary Benefits of Automated Controls*

Benefit Area | FY '15 | FY '16 | FY '17 | FY '18 | FY '19 | Total | Notes
Cost Savings & Direct Benefits
Continuous Control Monitoring
Cost savings by enabling CCM on existing controls | €58,080 | €58,080 | €58,080 | €58,080 | €58,080 | | Existing 33 automated controls will be subjected to CCM.
Cost savings by converting manual controls to automated, resulting in reduced operation cost associated with execution of controls | €23,040 | €23,040 | €23,040 | €23,040 | €23,040 | | 8 manual controls can potentially be converted to automated controls.
Cost savings by converting manual controls to automated, resulting in reduced testing cost | €14,080 | €14,080 | €14,080 | €14,080 | €14,080 | | 8 manual controls can potentially be converted to automated controls, eliminating the need to perform periodic substantive testing at each in-scope location.
Cost savings due to continuous monitoring | €95,200 | €95,200 | €95,200 | €95,200 | €95,200 | €476,000 |
Data Analytics
Cost savings by enabling data analytics mechanisms (includes operation and testing savings) | €25,000 | €25,000 | €25,000 | €25,000 | €25,000 | | Assuming €25,000 analytics would be developed for XYZ.
Cost savings due to data analytics | €25,000 | €25,000 | €25,000 | €25,000 | €25,000 | €125,000 |

* For illustrative purposes only
Building a business case: ROI Framework for automated controls (continued)

In building the business case a number of assumptions have been made in order to provide a comprehensive calculation of all the benefits and costs. Some of the assumptions listed below are derived from our experience but can be amended according to the company’s specific requirements and characteristics.

# | Description | Assumption
1 | Average time testing each control (documenting and reviewing results) | 8
2 | Average number of times the controls are tested per year | 2
3 | Average time updating supporting controls documentation | 2
4 | Average time spent around remediation, reporting and decision making | 2
5 | Average monthly time spent to execute and document a manual control | 3
6 | Average hourly cost per employee | €80.00
7 | Average hourly cost for contractor assistance | €200.00
8 | Employee / Contractor Ratio | 3
9 | Weighted average cost per hour, blend between employee and contractor | €110.00
10 | Increased effectiveness of Internal Audit by leveraging GRC | 10%

Estimate Monetary Benefits of Automated Controls*

* For illustrative purposes only
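As an added worked example (not part of the PwC deck), the following Python reproduces the three continuous-monitoring savings lines of the benefit table from the assumptions table, then computes the three financial metrics the deck names (payback period, net present value, return on investment). It reads the time assumptions in rows 1, 2 and 5 as hours, which is the reading under which the deck's figures reproduce exactly, and uses rows 1, 2 and 5 to 8 only; rows 3, 4 and 10 are not needed for those three lines. The deck states no implementation cost and no discount rate, so the €250,000 investment and 10% rate are constructed placeholders, as is the €25,000 analytics figure carried over from the table.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Assumptions:
    """Rows 1, 2 and 5-8 of the deck's assumptions table (time values read as hours)."""
    hours_testing_per_control: float = 8.0       # row 1: documenting and reviewing results
    tests_per_year: int = 2                      # row 2
    hours_manual_control_per_month: float = 3.0  # row 5: execute and document one manual control
    employee_rate: float = 80.0                  # row 6, EUR per hour
    contractor_rate: float = 200.0               # row 7, EUR per hour
    employee_contractor_ratio: int = 3           # row 8: three employee hours per contractor hour

    @property
    def blended_rate(self) -> float:
        """Row 9: weighted average hourly cost, (3 x 80 + 200) / 4 = 110."""
        n = self.employee_contractor_ratio
        return (n * self.employee_rate + self.contractor_rate) / (n + 1)


def ccm_savings(a: Assumptions, automated_controls: int = 33) -> float:
    """Periodic test effort avoided by putting existing automated controls under CCM."""
    return automated_controls * a.hours_testing_per_control * a.tests_per_year * a.blended_rate


def conversion_operating_savings(a: Assumptions, manual_controls: int = 8) -> float:
    """Monthly execution effort avoided when manual controls become automated
    (the deck's figure reproduces with the employee rate, not the blended rate)."""
    return manual_controls * a.hours_manual_control_per_month * 12 * a.employee_rate


def conversion_testing_savings(a: Assumptions, manual_controls: int = 8) -> float:
    """Substantive test effort avoided for the converted controls."""
    return manual_controls * a.hours_testing_per_control * a.tests_per_year * a.blended_rate


def annual_benefits(a: Assumptions, analytics_savings: float = 25_000.0) -> dict:
    """One year of the benefit table: CCM subtotal plus the data analytics line."""
    ccm = ccm_savings(a) + conversion_operating_savings(a) + conversion_testing_savings(a)
    return {"continuous_monitoring": ccm,
            "data_analytics": analytics_savings,
            "total": ccm + analytics_savings}


def npv(rate: float, cashflows: list) -> float:
    """Net present value; cashflows[0] is today (undiscounted), cashflows[t] is year t."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cashflows))


def payback_period(investment: float, yearly_benefit: list):
    """Years until cumulative benefit covers the investment (fractional within the year);
    None if it never pays back inside the horizon."""
    cumulative = 0.0
    for year, benefit in enumerate(yearly_benefit, start=1):
        if cumulative + benefit >= investment:
            return year - 1 + (investment - cumulative) / benefit
        cumulative += benefit
    return None


def roi(total_benefit: float, cost: float) -> float:
    """Return on investment for the stated period, as a fraction of cost."""
    return (total_benefit - cost) / cost


def business_case(a: Assumptions = Assumptions(), years: int = 5,
                  investment: float = 250_000.0, discount_rate: float = 0.10) -> dict:
    """Five-year case. investment and discount_rate are constructed placeholders;
    the deck states neither."""
    yearly = annual_benefits(a)["total"]
    benefits = [yearly] * years
    return {"annual_benefit": yearly,
            "total_benefit": yearly * years,
            "npv": npv(discount_rate, [-investment] + benefits),
            "payback_years": payback_period(investment, benefits),
            "roi": roi(yearly * years, investment)}


if __name__ == "__main__":
    for key, value in business_case().items():
        print(f"{key:>15}: {value:,.2f}" if isinstance(value, float) else f"{key:>15}: {value}")
```

Changing one assumption (for example the blended rate, or the number of controls placed under CCM) flows through every line, which is the point of stating assumptions explicitly before the case reaches senior leadership: the reviewer can challenge the input rather than the arithmetic.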
Building a business case: Lessons Learned

• Know your audience! Anticipate difficult questions ahead of time and provide appropriate information that aligns with the style of your leader.
• Cross-functional collaboration and support can be critical. Understand the organizational impacts of what is in your business case and engage with impacted stakeholders for support.
• The more subjective the estimate, the more communication and collaboration is recommended prior to submitting the case to senior leadership. Clearly define and communicate the assumptions that support estimates to gain others’ confidence in your numbers.
• Know the budgeting process and budgeting calendar. Plan ahead!
• Get help from trusted advisors with appropriate subject matter expertise.
• Talk to other companies with experience in implementing automated controls technologies to establish additional internal credibility.
Your Questions
PwC SAP GRC webcast series: Looking to better manage and govern access risk?

To subscribe to PwC's SAP GRC Webcast series please visit: http://www.pwc.be/en/pwc-academy/sap-webinar-grc.jhtml
Enter your email address to create or update your profile and manage your subscriptions.

Date & time: 12 March 2015, 12:30pm – 13:30pm

What’s in it for you?
• Discover SAP GRC 10.1 functionality via a live demo
• Learn about best practices to upgrade from older SAP GRC versions to version 10.1
• Interact in real time with experts with extensive hands-on SAP GRC experience
• Understand the latest SAP GRC Access Control 10.1 functionality and how it can help you improve access management processes
• Understand the upgrade track from older SAP GRC versions to v10.1
For further information, please contact:

Wim Rymen, Director
Office: +32 (0) 2 710 7238
Cell: +32 (0) 473 269 227
E-mail: [email protected]

Kris Wauters, Manager
Office: +32 (0) 2 710 4631
Cell: +32 (0) 499 558 949
E-mail: [email protected]

The information contained in this document is shared as a matter of courtesy and for information or interest only. PwC has exercised reasonable professional care and diligence in the collection, processing, and reporting of this information. However, data used may be from third-party sources and PwC has not independently verified, validated, or audited such data. PwC does not warrant or assume any legal liability or responsibility for the accuracy, adequacy, completeness, availability and/or usefulness of any data, information, product, or process disclosed in this document; and is not responsible for any errors or omissions or for the results obtained from the use of such information. PwC gives no express or implied warranties, including, but not limited to, warranties of merchantability or fitness for a particular purpose or use. In no event shall PwC be liable for any indirect, special, or consequential damages in connection with use of this document or its content. Information presented herein by a third party is not authored, edited or reviewed by PwC and PwC is not endorsing third parties or their views. Reproduction of this document or recording of its presentation, in whole or in part, in any form, is prohibited except with the prior written permission of PwC. Before making any decision or taking any action, you should consult a competent professional adviser.

© 2015 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.
Appendix: GRC Program Roadmap
GRC Program Roadmap Example: Risk Assessment & Analysis of Existing Controls (phase 1)

What do we see?
◦ Risk assessment focused on SOX only, but not relevant to other areas of the business.
◦ Not used to prioritize controls coverage or GRC enablement.
◦ Not granular enough to be an actionable tool.

Objectives:
• To acquire deeper insight into your processes, risks and existing controls.
• To socialize and obtain agreement on risks and risk ratings, as this assessment forms the basis for the control analysis performed in subsequent phases of the project.

Value:
• Streamlining of risks to help ensure that risks which meet multiple objectives (financial and operational) are identified.
• Gap analysis of risks against industry and SAP leading practice to identify any other areas for consideration.
• Alignment of SOX/compliance initiatives with other process improvement initiatives.

Recommended:
• Risk assessment to consider compliance and operational initiatives. This would allow you to identify areas of redundancy across regulatory / operational objectives and improve the rationalization effort.
• This could be utilized as the first step in building a business case for expansion of your GRC footprint.
GRC Program Roadmap Example: Risk Assessment & Analysis of Existing Controls (continued)

Output
• Benchmark against other clients in the industry and SAP Optimized.
• Assessment to determine whether the risks within the organization have been appropriately recognized.
• Examples of output include, but are not limited to:
- Missing risks;
- Duplicate risks; and
- Any recommended changes to risk rating.

(Chart: Benchmark Percentage Automation, 0% to 70%, for Client 1 to Client 9, Utility 1 to Utility 6, Current, Recommended and SAP Optimized.)

Example deliverables—illustrative only
GRC Program Roadmap Example: Risk & Controls Alignment (phase 2)

What do we see?
◦ Focus on the number of controls, as opposed to the right controls to mitigate the risk.
◦ Access controls are not aligned to risks.
◦ Controls are mapped to risks, instead of risks driving controls.

Objectives:
• Identify opportunities where controls could be eliminated or consolidated and where new controls are required to mitigate new risks.
• Streamline controls to enable efficiencies in controls management.

Value:
• Potential reduction and consolidation of controls.
• Potential reduction in time spent operating and evaluating the current framework.
• Less likelihood of audit conversations about control ‘issues’ for controls which are not really key.
• Template to achieve coverage for any new areas.

Recommended:
• Thorough initiative to align controls to the organization’s risks. This would enable you to identify areas of redundancy across regulatory / operational objectives and improve the rationalization effort.
• The risk and controls alignment could be used as the foundation for an initiative to establish key access control objectives across processes and regulations.
GRC Program Roadmap Example: Risk & Controls Alignment (continued)

Output
• Assessment to align controls to risks.
• Examples of output include, but are not limited to:
- Controls which could be eliminated or consolidated;
- Controls which could be improved through better leverage of current technology (such as further automation); and
- New controls required to mitigate new risks. An example of this:
Client assessed restrictive access to a PO and segregation of duties between maintain/approve PO in order to mitigate the risk of POs being inappropriately approved. The control was incomplete because the release strategies were not configured.

Control Recommendations - Overview

Area | Current State | Recommended State
Controls | 260 Key Controls for SOX | 87 Key Controls for SOX
Automation of controls | 21% Automated Controls | 52% Automated Controls
Manual report procedures | 48 ‘key’ reports for SAP | 33 of 48 have automation or event-based reporting opportunities

Example deliverables—illustrative only
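The purchase-order case above (restricted access plus segregation of duties between maintaining and approving a PO, undermined by release strategies that were never configured) is the kind of check a GRC access-risk analysis performs, and it shows why a detective SoD report alone is not the control. As an added illustration, not code from the deck or from SAP GRC Access Control, the following Python evaluates a constructed SoD ruleset against constructed role and user data, reports which roles grant each side of a conflict (so remediation knows what to remove), flags roles that conflict on their own, and separately checks the preventive system setting the SoD rule assumes. The risk IDs, function names, role names and the `po_release_strategy_active` flag are invented for this example; the transaction codes are standard SAP ones used only as an illustrative mapping.

```python
from dataclasses import dataclass

# Constructed ruleset: business functions mapped to the SAP transactions that perform them.
# Function and risk identifiers are invented for this example.
FUNCTIONS = {
    "PO_MAINTAIN":     {"ME21N", "ME22N"},   # create / change purchase order
    "PO_RELEASE":      {"ME29N"},            # release (approve) purchase order
    "VENDOR_MAINTAIN": {"XK01", "XK02"},     # create / change vendor master
    "PAYMENT_RUN":     {"F110"},             # automatic payment run
}
SOD_RISKS = {
    "P001": ("PO_MAINTAIN", "PO_RELEASE"),        # the deck's maintain/approve PO conflict
    "P002": ("VENDOR_MAINTAIN", "PAYMENT_RUN"),   # create a vendor and pay it
}

# Constructed role catalogue and user assignments.
ROLE_ACTIONS = {
    "Z_BUYER":          {"ME21N", "ME22N", "ME23N"},
    "Z_PO_APPROVER":    {"ME29N"},
    "Z_PURCHASING_ALL": {"ME21N", "ME22N", "ME29N"},   # conflicting by itself
    "Z_VENDOR_ADMIN":   {"XK01", "XK02"},
    "Z_AP_CLERK":       {"MIRO", "F110"},
}
USER_ROLES = {
    "alice": {"Z_BUYER"},
    "bob":   {"Z_BUYER", "Z_PO_APPROVER"},        # P001 across two roles
    "carol": {"Z_VENDOR_ADMIN", "Z_AP_CLERK"},     # P002
    "dave":  {"Z_PO_APPROVER"},
    "erin":  {"Z_PURCHASING_ALL"},                 # P001 inside one role
}


@dataclass(frozen=True)
class Finding:
    user: str
    risk_id: str
    granting_roles: tuple   # ((function, (roles...)), (function, (roles...)))


def functions_granted(actions: set) -> set:
    """Business functions reachable from a set of transactions."""
    return {f for f, f_actions in FUNCTIONS.items() if actions & f_actions}


def functions_held(user: str, user_roles: dict, role_actions: dict) -> dict:
    """Map each function the user can execute to the roles that grant it."""
    held = {}
    for role in sorted(user_roles.get(user, ())):
        for func in functions_granted(role_actions.get(role, set())):
            held.setdefault(func, set()).add(role)
    return held


def analyze_user(user: str, user_roles: dict, role_actions: dict) -> list:
    """SoD findings for one user, with the roles behind each side of the conflict."""
    held = functions_held(user, user_roles, role_actions)
    findings = []
    for risk_id, (f1, f2) in sorted(SOD_RISKS.items()):
        if f1 in held and f2 in held:
            granting = ((f1, tuple(sorted(held[f1]))), (f2, tuple(sorted(held[f2]))))
            findings.append(Finding(user, risk_id, granting))
    return findings


def analyze_all(user_roles: dict = USER_ROLES, role_actions: dict = ROLE_ACTIONS) -> dict:
    """Risk ids per user, for every user in scope."""
    return {u: [f.risk_id for f in analyze_user(u, user_roles, role_actions)]
            for u in sorted(user_roles)}


def conflicting_roles(role_actions: dict = ROLE_ACTIONS) -> list:
    """Roles that violate a rule on their own; no assignment can make these clean."""
    bad = []
    for role, actions in sorted(role_actions.items()):
        granted = functions_granted(actions)
        if any(f1 in granted and f2 in granted for f1, f2 in SOD_RISKS.values()):
            bad.append(role)
    return bad


# Constructed system configuration. The deck's lesson: the SoD control was incomplete
# because release strategies were not configured, so "approve" was never enforced.
SYSTEM_CONFIG = {"po_release_strategy_active": False}


def control_design_gaps(config: dict) -> list:
    """Preventive settings the detective SoD check assumes but cannot see."""
    gaps = []
    if not config.get("po_release_strategy_active", False):
        gaps.append("P001: no PO release strategy configured; POs take effect without "
                    "PO_RELEASE, so restricting ME29N does not mitigate the risk")
    return gaps


if __name__ == "__main__":
    for user, risks in analyze_all().items():
        print(f"{user:<6} {risks or 'clean'}")
    print("conflicting roles:", conflicting_roles())
    for gap in control_design_gaps(SYSTEM_CONFIG):
        print("design gap:", gap)
```

Two outputs matter for the alignment phase: the per-user findings name the roles to split or remove, and the design-gap check makes the point the deck's client missed, that a user-level SoD report stays green while the approval step it protects is not enforced by the system.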
GRC Program Roadmap Example: Automation of Controls & Streamlining Processes (phase 3)

What do we see?
◦ “If it's not in SAP, it cannot be monitored”.
◦ Controls governance model is not widely established or aligned.
◦ Business case does not exist or is not tangible.

Objectives:
• Identify controls which could be enhanced through better leverage of current technology.
• Advise management of improvements that can be made which would require additional effort.
• Identify requirements and build a business case to obtain funding for any recommendations.

Value:
• Increased leverage of SAP automation and investment.
• Potential reduction in time from the business to operate controls and processes.
• Automation at higher levels to help establish consistently implemented configurable controls.
• Transition from decentralized controls to centralized risk and controls.

Recommended:
• Perform an automation assessment. This will enable you to identify opportunities to reduce effort around sustaining the environment and operating controls and processes.
• Consideration should be given to a pilot process. This has a few advantages, such as allowing for a prototyping approach, starting with a smaller investment, and enabling the development of a business case with real achieved business savings.
GRC Program Roadmap Example: Automation of Controls & Streamlining Processes (continued)

Output
• Output includes changes to controls. Examples include, but are not limited to:
- Controls and processes which can be automated in SAP or other technology. An example of this:
Client placed a high amount of rigor in a number of manual physical inventory controls in order to gain comfort around the accuracy of their inventory balances. The recommendation removed emphasis on time-consuming processes and instead identified an opportunity to automate inventory cycle count initiation;
- Controls and processes which can be automated in GRC. An example of this:
A client who currently spends significant time manually provisioning users, utilizing a GRC tool to preventatively assess SoD and sensitive access. This review identified an opportunity to enhance existing technologies to automate user provisioning through workflow;
- Event-based reporting opportunities;
- Workflow enablement for manual controls; and
- Continuous control monitoring (CCM) opportunities for current and proposed configurable controls.
• For automation opportunities, effort efficiency estimates can be provided to compare the existing state to the proposed state, enabling management to prioritize activities.

Efficiency Estimates (Example ITGC Process) - Overview

Process | Hours a year | Days a year
Change management | 2,992 | 374
User access management | 15,471 | 1,934
Systems management | 1,012 | 126.5
Total | 19,475 | 2,435

Example deliverables—illustrative only
GRC Program Roadmap Example: GRC Technology Enablement (phase 4)

What do we see?
◦ Systems and functionality selected before requirements are defined.
◦ Biting off more than you can chew.
◦ Unrealistic expectations.

Objectives:
• Identify new and existing technologies to support your rationalized and improved framework together with your processes.

Value:
• Early detection and remediation of control issues.
• Increased return on the GRC investment by way of expanding the functional use to support and monitor the control framework.
• Potential operational, financial and regulatory compliance efficiencies can be realized by automating various time-consuming processes.

Recommended:
• Utilize the recommendations from the prior phases to develop the in-depth path and multi-year plan. Facilitating a deep dive into at least one business process will enable you to have a tangible understanding of the types of technology you would want to consider and the potential efficiencies of these enhancements, to establish the business case and prioritization.
• This plan can be revised and enhanced as you analyze the other processes.
GRC Program Roadmap Example: GRC Technology Enablement (continued)

Capabilities Assessment:
• Inventory requirements and plot these against existing and potentially new technologies.
• Set expectations of what the solutions will and will not do in terms of capabilities.

Prioritize and determine the optimum sequence:
• Prioritize the actions with a focus on return on investment or, alternatively, business issues.
• The organization needs to understand the impact of extending usage of existing technologies and introducing new technologies.
• Based on the impact and prioritization, a sequence should then be defined to facilitate effective and efficient integration.

(Matrix: tooling requirements (SOD / Sensitive Access Detective Reviews, Emergency Access Management, Controls Documentation in GRC tool, Workflow Enablement of Manual Controls) plotted against Existing Technology, Enhance Existing Technology and New Technology, with candidate Solution A and Solution B placed in the cells.)
GRC Program Roadmap Example: GRC Technology Enablement (continued)

Output
• Overall program business case for supporting the control environment and supporting processes with GRC technologies. This will take into consideration the risks and regulations of the organization.
• A phased technological roadmap with sequenced activities based on prioritization.
• A target operating model (TOM) for the GRC program covering most aspects of control management and GRC usage.
GRC Program Roadmap Example: GRC Program Maintenance (phase 5)

What do we see?
◦ Ongoing GRC program does not have proper alignment with management’s strategy.
◦ The deployed governance model is not living and breathing.

Objectives:
• Establish practices to maintain your control framework’s design and keep it relevant.

Value:
• Less likelihood of a need for a risk rationalization in future years, as it will be part of ongoing maintenance.
• Potential reduction in cost to sustain the environment and compliance.

Recommended:
• Maintenance program should include:
i. Definition of policies and procedures to embed technologies within the governance model.
ii. Establish protocols to incorporate new risks, controls and business changes as a company grows and matures.
iii. Establish IT management procedures for new technologies.
iv. Identify GRC stakeholders to facilitate adequate involvement from the business, integration with IT, internal audit and compliance, and value to the organization on the whole.
• Establish a GRC operating model to maintain the GRC program and roadmap.