Governance, Risk, and Compliance Management: Realizing the Value of Cross-Enterprise Solutions

This paper explains SAP’s vision for a cross-enterprise governance, risk and compliance (GRC) solution and the benefits it can provide, defines key terms, and discusses what to look for when evaluating GRC software options.

SAP White Paper: SAP Solutions for Governance, Risk, and Compliance
© Copyright 2007 SAP AG. All rights reserved.
CONTENTS

Executive Summary
The Business Need for Cross-Enterprise GRC Solutions
The Goal: A Holistic Approach to GRC
Cross-Enterprise GRC Solutions: A Closer Look
  Support for Business Processes and Functions
    – Reconcile to Report and Financial Close
    – Procure to Pay
    – Order to Cash
    – Hire to Retire
    – Payroll
    – Production to Delivery
    – Support Across the Complete IT Stack
  Support for Enterprise Application Software Solutions
    – Multiapplication GRC
    – Cross-Application GRC
  Additional Attributes of an Enterprise-Class GRC Solution
    – Integrated GRC
    – Automated GRC
SAP Solutions for Governance, Risk, and Compliance
  SAP Solutions for GRC, Cisco SONA–Ready
    – The Foundation for Cross-Enterprise GRC
Evolving SAP Software into Cross-Enterprise Products
  SAP GRC Access Control
  SAP GRC Process Control
For More Information
Powered by SAP NetWeaver
EXECUTIVE SUMMARY

Governance, risk, and compliance (GRC) issues are hot topics today, thanks to a myriad of high-profile stories about companies that failed to meet regulatory requirements governing finance, environmental compliance, and other areas. In each case, executives have been held accountable, stock prices have dropped, and brand image has suffered. GRC issues are also a top priority because business leaders increasingly understand that seemingly small operational control weaknesses can significantly impair corporate performance. These obstacles might range from a supplier inventory shortage that impacts revenue, to a faulty or counterfeit product that erodes brand and increases costs, to a leakage of confidential data that damages reputation and creates a compliance liability.

Many companies have responded to regulatory mandates by implementing disconnected, tactical processes and point solutions that address a single regulation or corporate initiative. But these fragmented efforts can make compliance far more costly and complicated than it needs to be. You would need to purchase and deploy multiple GRC applications for each enterprise application and then define risks, set policies, and monitor compliance for each application. At the same time, you need to find a way to manage countless GRC policies, decisions, and GRC data – data that is likely based on different metrics, standards, software, and methodologies. The resulting complexity can make it impossible to aggregate this data to gain a complete view of enterprise risk.

This paper explains SAP's vision for a cross-enterprise GRC solution and the benefits it can provide, defines key terms, and discusses what to look for when evaluating GRC software options. It also discusses how SAP is evolving the SAP® solutions for governance, risk, and compliance (SAP solutions for GRC) to deliver the industry's first comprehensive, fully integrated cross-enterprise GRC solution.

SAP offers a new approach for monitoring, identifying, and managing risk across the enterprise. A true cross-enterprise GRC solution dramatically simplifies management and execution of these activities – making it easy to compile data for a comprehensive perspective on overall exposure, monitor compliance and risk effectively, and adjust business processes to meet changing business and regulatory mandates.
THE BUSINESS NEED FOR CROSS-ENTERPRISE GRC SOLUTIONS

Issues related to management of GRC have become top boardroom priorities, thanks to highly publicized corporate scandals and the release of a myriad of regulatory mandates designed to prevent everything from fraud to environmental damage. Most likely, you are keenly aware of the potential costs of noncompliance today. In addition to facing possible fines, your business could face the cost of litigation and remediation, as well as confronting negative impacts on brand, reputation, and market valuation. Equally important, executives at the top can be held personally responsible for compliance failures.

A Definition of GRC
• Governance manages the strategic directives a company wants to follow.
• Risk management assesses the areas of exposure and potential impacts.
• Compliance is the tactical action to mitigate risk.
Source: John Hagerty, AMR Research, April 3, 2006

Many companies have responded to regulatory mandates with a series of disconnected, tactical, one-off projects to respond to a single regulation or corporate initiative. Your business may deploy multiple point solutions to address process control risks within a core financial application, for example. However, while fragmented GRC activities may be the status quo, they are likely costing your business more than you think and more than is necessary. AMR Research reports that compliance spending will reach US$27.3 billion in 2006.[1]

Of even greater significance is the fact that fragmented GRC efforts make it impossible to implement a cohesive GRC strategy for monitoring, identifying, and managing risk across the enterprise. This fragmentation – when replicated many times across different business applications and business functions – creates a GRC management nightmare. For each business process or application, you may have one or more different applications to manage it. And for each process and each application, business and IT departments need to define risks, set policies, monitor compliance, manage attestations, address escalations and mitigations, generate reports, and more. Complicating matters further is the fact that departments responsible for different GRC initiatives may use different metrics, standards, software, and methodologies for analyzing risk and compliance information. This makes it difficult to aggregate data, gain a complete view of enterprise risk, effectively monitor compliance and risk, and adjust business processes to meet changing requirements, market trends, and regulatory mandates.

Clearly, fragmented approaches to GRC represent a massive – and costly – duplication of effort that impairs transparency and increases the opportunities for issues or weaknesses to fall through the cracks until a regulatory body identifies them.

Forrester anticipates that "firms will establish risk and compliance architectures, develop risk intelligence, and implement GRC platforms, as well as centralized communication and training on corporate policies and procedures." Forrester also anticipates the continued evolution of the enterprise role that is responsible for managing GRC.
Source: "Trends 2006: Enterprise Risk and Compliance," Forrester Research Inc., Michael Rasmussen, December 13, 2005

[1] Source: John Hagerty, AMR Research, "Spending in an Age of Compliance, 2006," February 21, 2006
THE GOAL: A HOLISTIC APPROACH TO GRC

A fragmented approach to GRC prevents transparency into your business operations and severely limits your ability to use GRC as a strategic asset for your company. To promote transparency, GRC solutions must span multiple business processes. As illustrated in Figure 1, the answer is to implement a single, holistic solution that works with all of the enterprise applications used to support those business processes.

A true cross-enterprise GRC solution delivers key functionality across two dimensions:
• Breadth in terms of business processes or functions covered, such as human resources, finance, customer relationship management, sales, and so on
• Depth in terms of integration with multiple business applications, which may include software from a major vendor, as well as legacy and custom applications

Integration must extend throughout the entire technology stack, from the highest-level enterprise applications down to the data-exchange infrastructure. In addition, all applications that are part of the solution must 1) address GRC issues across all applications and business functions and 2) feed to and from a single, centralized GRC data repository. These two characteristics of cross-enterprise GRC enable you to address a multitude of GRC challenges and result in the following benefits:
• Enterprise-wide risk monitoring – You can monitor risk across all enterprise applications and business functions, deploying one solution, rather than multiple applications that manage only a subset of GRC activities. You can significantly lower the effort and cost of GRC for your company, freeing resources for innovation and top-line growth.
• Greater transparency – Executives gain greater transparency into business operations across the enterprise, essential to increasing overall GRC effectiveness. Transparency enables you to overcome the effects of fragmentation, such as increased risks, reduced effectiveness of controls, strategic misalignment, and missed opportunities.
• Increased automation – You can automate manual processes, which results in highly repeatable, consistent, and auditable GRC processes. At the same time, automation enables fast, cost-effective reporting that saves time and money and helps ensure that the data you submit to regulatory agencies is reliable and supportable.
• Simplified compliance – You can adjust to regulatory changes easily and speed compliance efforts, which can play a critical role – for example, bringing new products to market faster than the competition.

[Figure 1: The Breadth and Depth of Cross-Enterprise Solutions. Cross-functional axis: Hire to Retire, Reconcile to Report, Procure to Pay, Order to Cash, Production to Delivery. Cross-application axis: Legacy, SAP, Oracle.]

All of these benefits are made possible by the fact that a true cross-enterprise GRC solution dramatically simplifies management and execution of GRC activities. Whereas before you needed a different application to manage each business process or application, with cross-enterprise GRC, you need only one. Having a single GRC solution means that you need to define risks and set policies once for the entire enterprise. It also means that metrics, standards, software, and methodologies for analyzing risk and compliance information are consistent across the enterprise, making it easy to aggregate data, gain a complete view of enterprise risk, effectively monitor compliance and risk, and adjust business processes to meet changing requirements, market trends, and regulatory mandates.

CROSS-ENTERPRISE GRC SOLUTIONS: A CLOSER LOOK

When evaluating GRC technologies, it's important to understand the baseline functionality required in a cross-enterprise GRC solution. The solution should provide the following:
• Support for all core business processes and functions
• Support for all major enterprise application software solutions
• Support across the complete IT stack
• Integrated GRC processes
• Automated GRC processes

Support for Business Processes and Functions
To qualify as a true cross-enterprise GRC application, the solution must provide business process controls that address all core business processes in your organization, ranging from the supply chain to finance to operations. Examples include the following.

Reconcile to Report and Financial Close
The leading source of material weakness disclosures relates to controls for the reconcile-to-report process – a process that places a tremendous strain on the accounting staff. In addition, mistakes or delays can cause significant harm to a company's financial statements and ultimately, its share price.

Errors in financial results are often the result of manual processes and calculations performed in a compressed time frame across multiple locations and groups and a wide variety of enterprise applications. All of these variables create an environment in which it is easy to make simple calculation and data-entry mistakes. These mistakes can easily add up to material problems that require rework or, in the worst case, a financial restatement.

A true cross-enterprise GRC solution automates manual processes with controls in the reconcile-to-report area as much as possible. These controls eliminate the source of most material weaknesses – and, as a result, significantly reduce the need for financial restatements. In addition, they free accounting staff to focus on more strategic activities.
Procure to Pay
For most large organizations, procurement activities generate thousands of transactions across multiple enterprise applications each day. This complexity can make it nearly impossible to ensure the validity of procure-to-pay transactions. Lack of automated controls for procure-to-pay processes impairs cash flow and can cause inaccurate account balances related to delivery of low-quality goods, duplicate vendor payments, lost discounts, and improperly valued inventory. An even more serious threat is significant losses due to fraud.

A true cross-enterprise GRC solution addresses these challenges by providing controls throughout the procure-to-pay process that detect or even prevent accidental or malicious activities.

Order to Cash
Optimizing the order-to-cash process is a strategic priority for most companies. Since this process concludes with revenue recognition, it can present a high degree of risk to company management. The risks are magnified when companies have high order volumes from a global customer base, and customers use complex discounting structures and multiple payment terms. Clearly, financial professionals need to implement automated process controls to identify revenue leakage, improper shipping cutoffs, and potentially fraudulent activities.

A true cross-enterprise GRC solution addresses these challenges by providing best-practice controls that safeguard the order-to-cash processes.

Hire to Retire
Ensuring employee information security – while maintaining adequate information transparency for key stakeholders of an organization – requires a robust hire-to-retire process with the appropriate controls needed to achieve both objectives. With a cross-enterprise GRC solution in place, you get best-practice controls that enforce policies and detect or even prevent failures in the hire-to-retire process.

Payroll
Payroll is one of the largest expenditures in many organizations, making it a prime target for fraud. The volume and frequency of payroll transactions create additional risks, such as the likelihood of errors due to complexities in tax regulations, time accounting, and other areas. With a cross-enterprise GRC solution in place, you receive best-practice controls that protect the entire payroll process from accidental or malicious activities.

Production to Delivery
The production-to-delivery process often requires a wide range of cross-industry controls to address issues such as product quality and workplace safety. In addition, there are many industry-specific variations and additions to these horizontal controls, such as enhancements specific to the U.S. Food and Drug Administration in the life sciences industry. A true cross-enterprise GRC solution also delivers controls for this process to ensure that there are no material deviations from regulatory mandates or company policy.

Support Across the Complete IT Stack
Businesses increasingly need controls that extend down to operating system and network layers. For example, to address network and IT security risks related to compliance, you are probably performing manual audits of all devices and IT systems or using point solutions focused on IT or network compliance. In either case, this approach requires addressing regulatory requirements manually and makes it difficult to leverage data between the point solutions. This can be a serious problem given that the reporting requirements for compliance with the Control Objectives for Information and Related Technologies (COBIT) framework alone can diminish IT productivity.

To address these types of risks, you need a holistic cross-enterprise GRC solution that takes into account not only controls for core business processes but also IT controls that extend through all levels of the IT infrastructure – from the operating system and network all the way up to the highest-level business applications. The software that typically monitors and reports on network activity should correlate events to
higher-level GRC information so that, for example, sensitive customer information (such as customer credit card numbers) does not pass outside company firewalls.

Support for Enterprise Application Software Solutions
A cross-enterprise GRC solution also needs to provide full support for heterogeneous business applications by providing both multiapplication functionality and cross-application functionality. The following sections explore these terms.

Multiapplication GRC
Multiapplication GRC solutions enable you to define all risks, policies, functions, and controls just once using nontechnical, common business language and to store this data in a central repository for reuse by multiple GRC applications. The solutions automatically map these risks, policies, and functions to all of the underlying business applications, regardless of where they are in the enterprise.

Automated, multiapplication functionality helps you avoid fragmentation of risk analysis, policies, and controls; ensures consistency across the enterprise; and eliminates duplication of effort across applications. For example, you may have three applications that support "create vendor" and "pay vendor" processes. To prevent fraud, you define a rule that no one user can have permission to both create and pay a vendor. Without multiapplication functions in place, you need to deploy a different GRC application to monitor each business application – and define the rule three different times. At that scale, having this kind of data scattered across multiple applications eventually results in inconsistencies, errors, and oversights. Also, if you find a violation of a rule, you need to put a mitigating control in place across three different applications – another potential source of oversight, as companies can lose track of which users have what controls, when they expire, and so on. And if management needs visibility across the enterprise with regard to this issue, individual reports from the various GRC applications need to be manually reconciled – a costly and error-prone process.

A multiapplication solution automatically applies the rules to each business application involved in creating and paying vendors. Multiapplication functionality alone, however, does not address the fact that business processes often span multiple applications. To return to our prior example, multiapplication functionality allows you to detect instances when a user has permission to both create and pay a vendor within a single application. But it cannot detect when a user tries to bypass the policy by creating a vendor in one application and paying the vendor in another.

Cross-Application GRC
Only GRC software that offers cross-application functionality can detect cross-application risks. Multiapplication software is gradually evolving into cross-application software that enables you to apply policies and controls across business applications and uncover risks spread across them – the holy grail of GRC.

For example, you may have a business policy stating that purchase orders over a certain amount require management approval. This process control can potentially be sidestepped by employees who submit two purchase orders for lesser amounts across two different applications. To prevent this type of process control failure, you can deploy a cross-application GRC product that includes functionality for monitoring all purchase order activity across all relevant enterprise applications. Centralized business rules can detect a suspicious sequence of purchase orders for an individual and generate an alert to the manager responsible for Sarbanes-Oxley compliance in the procurement area, who can take immediate action. (In contrast, multiapplication software would only enable you to detect when employees submit two purchase orders within the same application.)

As this example illustrates, end-to-end business processes can touch multiple enterprise applications and departments – and as a result, GRC solutions must be able to identify and manage risk within and across them. You want one GRC solution that enables you to do the following:
• Document and store all rules and policies in a central GRC repository
• Apply these centralized rules and policies across all of your major enterprise applications to identify and analyze risk
• Mitigate and remediate risks from a central GRC solution

Additional Attributes of an Enterprise-Class GRC Solution
In addition to supporting GRC activities across all business processes and applications, a true cross-enterprise GRC solution also delivers the following functionality.

Integrated GRC
A cross-enterprise GRC solution does not treat GRC activities as separate activities but rather addresses them as one integrated solution. Integrated GRC enables you to aggregate data, gain a complete view of enterprise risk, effectively monitor compliance and risk, and adjust business processes to meet changing requirements, market trends, and regulatory mandates. It also simplifies GRC, which reduces costs and the potential for error. And because data is truly integrated, you can more easily link GRC to corporate performance management, strategy setting, and company policies to create reports that are useful to senior management. If this information is fragmented, creating reports that synthesize this data would require repeated linkages dozens of times across different enterprise systems – a costly endeavor.

Automated GRC
True cross-enterprise GRC solutions also automate the bulk of activities that are typically processed manually by most companies today – for example, managing segregation-of-duties information using spreadsheets. Automating the tracking and management of this type of data across the enterprise reduces GRC costs and eliminates countless errors that can lead to major liabilities.

Defining Single-, Multi-, and Cross-Application Software
The GRC software industry is relatively new and, in many ways, has been playing catch-up with the needs of businesses seeking to comply with regulatory mandates in an effective, cost-efficient manner. As illustrated in Figure 2, software products are continuing to evolve from "siloed" GRC applications that focus on only one enterprise application to those that enable cross-application management.

[Figure 2: The Evolution of GRC Applications. Three panels, each showing rules feeding a GRC application: Single Application (for a single application; SAP), Multiapplication (for multiple applications; SAP, Oracle, PeopleSoft, ...), Cross-Application (across multiple applications; SAP, Oracle, PeopleSoft, ...).]
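The two detection cases described on the preceding pages, the create-vendor/pay-vendor segregation-of-duties rule and the purchase order split across applications, come down to one technical prerequisite: each application's local accounts must be joined to a single enterprise identity before any rule can be evaluated across applications. The following Python is an added illustration of that point. It is not SAP code and uses no SAP GRC API; the application names, account names, identity map, approval threshold, time window, and amounts are all constructed for the example.

```python
"""Cross-application SoD and purchase-order split detection over constructed data.

Added example, not SAP code: applications (erp_a/erp_b/erp_c), accounts,
the identity map, the threshold, the window and the amounts are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The paper's rule: no single person may both create and pay a vendor.
SOD_RULE = frozenset({"create_vendor", "pay_vendor"})

# Constructed identity map: (application, local account) -> enterprise person.
# Without this join a tool can only evaluate rules one application at a time.
IDENTITY_MAP = {
    ("erp_a", "jsmith"): "P001",
    ("erp_b", "smithj"): "P001",
    ("erp_a", "mlee"): "P002",
    ("erp_c", "m.lee"): "P002",
    ("erp_c", "tkim"): "P003",
}

# Constructed entitlement export: (application, local account, permission).
ENTITLEMENTS = [
    ("erp_a", "jsmith", "create_vendor"),
    ("erp_b", "smithj", "pay_vendor"),   # P001: conflict only visible across apps
    ("erp_a", "mlee", "create_vendor"),
    ("erp_a", "mlee", "pay_vendor"),     # P002: conflict inside one app
    ("erp_c", "tkim", "pay_vendor"),     # P003: no conflict
]

def sod_violations(entitlements, identity_map, rule=SOD_RULE):
    """Return {person: {permission: [apps]}} for each person holding every permission in `rule`."""
    held = defaultdict(lambda: defaultdict(set))
    for app, account, perm in entitlements:
        person = identity_map.get((app, account))
        if person is None or perm not in rule:
            continue  # unmapped account or permission outside this rule
        held[person][perm].add(app)
    return {p: {k: sorted(v) for k, v in perms.items()}
            for p, perms in held.items() if set(perms) == set(rule)}

def classify(violation):
    """'single_application' if one app alone grants the whole conflict, else 'cross_application'."""
    common = set.intersection(*(set(apps) for apps in violation.values()))
    return "single_application" if common else "cross_application"

APPROVAL_THRESHOLD = 10_000.00   # constructed: orders at or above this need approval
SPLIT_WINDOW = timedelta(days=2) # constructed: how close split orders must be in time

# Constructed purchase orders: (application, local account, timestamp, amount).
PURCHASE_ORDERS = [
    ("erp_a", "jsmith", datetime(2007, 3, 1, 9, 0), 6_000.00),
    ("erp_b", "smithj", datetime(2007, 3, 1, 15, 30), 5_500.00),  # P001 split across apps
    ("erp_a", "mlee", datetime(2007, 3, 2, 10, 0), 4_000.00),
    ("erp_c", "m.lee", datetime(2007, 3, 20, 10, 0), 7_000.00),   # P002: outside the window
    ("erp_c", "tkim", datetime(2007, 3, 3, 11, 0), 12_000.00),    # P003: single order, goes to approval
]

def split_orders(orders, identity_map, threshold=APPROVAL_THRESHOLD, window=SPLIT_WINDOW):
    """Find persons whose sub-threshold orders within `window` add up past `threshold`.

    Orders at or above the threshold are ignored: they already route to approval.
    A sliding window over each person's time-sorted orders; the last qualifying
    window per person is reported as {person: (total, [apps])}.
    """
    by_person = defaultdict(list)
    for app, account, ts, amount in orders:
        person = identity_map.get((app, account))
        if person is not None and amount < threshold:
            by_person[person].append((ts, amount, app))
    findings = {}
    for person, rows in by_person.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            group = rows[start:end + 1]
            total = sum(amount for _, amount, _ in group)
            if len(group) > 1 and total > threshold:
                findings[person] = (round(total, 2), sorted({app for _, _, app in group}))
    return findings

if __name__ == "__main__":
    for person, violation in sod_violations(ENTITLEMENTS, IDENTITY_MAP).items():
        print(person, classify(violation), violation)
    print(split_orders(PURCHASE_ORDERS, IDENTITY_MAP))
```

The `classify` result maps onto the paper's distinction: a multiapplication tool evaluating each system on its own finds only the `single_application` case (P002), while the `cross_application` case (P001) and the split order exist only in the joined view. In practice the identity map is the hard part, and its quality bounds the analysis: an account missing from the map is silently skipped here, which is the same blind spot a real deployment must reconcile against its HR or directory source.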
SAP SOLUTIONS FOR GOVERNANCE, RISK, AND COMPLIANCE

SAP has recognized the need for cross-enterprise GRC applications and has deepened its own GRC domain expertise by investing in SAP® solutions for governance, risk, and compliance (SAP solutions for GRC) and a robust, industry-leading GRC partner ecosystem. These solutions will enable you to achieve the goal of managing GRC across your enterprise and even across your extended business landscape – and do so with confidence.

SAP solutions for GRC make up an integrated portfolio of applications that embed and optimize all GRC activities to overcome the problems caused by business fragmentation and disjointed approaches to GRC management. These solutions are powered by the SAP NetWeaver® platform, which provides a common technical foundation that integrates with the mySAP™ Business Suite applications and with third-party applications. They can leverage information within your existing business applications to evaluate risk and apply controls directly within business processes. This results in greater transparency and predictability, enabling you to improve GRC activities – and overall enterprise performance.

SAP solutions for GRC are based on the concept that business processes are not contained within a single application or silo function of a business. Instead, they cut across an entire corporation or distributed value chain. This means that SAP solutions for GRC have to function reliably outside a single application and across a complex business network. The complexity of the network requires that SAP solutions for GRC must be increasingly adaptable and flexible to work in any heterogeneous environment. Key applications are described in the table that follows.
SAP® Product: Description

SAP GRC Access Control application: This application for monitoring, testing, and enforcing access and authorization controls across the enterprise addresses compliant-resource provisioning and ensures proper segregation of duties at all times. It is designed to help organizations with duty segregation and application-access management, a fundamental requirement of many regulations (including Sarbanes-Oxley in the United States, Combined Code in the United Kingdom, and KonTraG in Germany). The application enables businesses to rapidly identify and remove access and authorization risk from IT systems and embed preventive controls into business processes that stop future violations from occurring.

SAP GRC Process Control application: This cross-enterprise control management application for compliance with Sarbanes-Oxley supports frameworks such as Committee of Sponsoring Organizations of the Treadway Commission (COSO) and Control Objectives for Information and Related Technologies (COBIT). The software deploys configurable, prebuilt, and custom automated control tests across multiple target systems. It delivers workflows and templates for manual control tests, self-assessment surveys, and certification.

SAP GRC Risk Management application: This application automates collaborative process management for enterprise risk planning, identification, analysis, response, and monitoring. The software graphically depicts risk profiles and proactively alerts management regarding high-impact and high-probability issues.

SAP GRC Repository application: This central system of record for GRC content holds corporate policies, compliance and control frameworks, and risk and control libraries. SAP GRC Repository currently comes as part of all SAP solutions for GRC at no additional fee.

SAP Global Trade Services application: This application enables secure, expedited, cross-border trade transactions that comply with export and import regulations, restricted-party-list screening, and regional customs-reporting mandates. It works across all enterprise applications that support cross-border transactions.

SAP Environment, Health & Safety application: This application tracks compliance with multiple environment, health, and safety (EH&S) regulations relating to waste management, dangerous goods, product safety, hazardous substances, industrial hygiene and safety, and occupational health.

SAP xApp™ Emissions Management composite application: This composite application tracks compliance with global and regional emissions regulations, such as the Kyoto Protocol and the U.S. Clean Air Act, for the chemicals, oil and gas, and mining industries.

SAP solution for environmental product compliance: This automated environmental-product-compliance software is a joint offering from SAP and TechniData that addresses products regulated by mandates such as the restriction of the use of certain hazardous substances (RoHS) and waste electrical and electronic equipment (WEEE) directives.
SAP Solutions for GRC, Cisco SONA–Ready

SAP and Cisco Systems Inc. have partnered to deliver a joint set of solutions based on enterprise service-oriented architecture (enterprise SOA) that allow you to address GRC needs across the enterprise in a holistic, nonintrusive, flexible, and cost-effective way. This approach leverages SAP solutions for GRC and the intelligent network delivered by Cisco Service-Oriented Network Architecture (SONA), Cisco’s leading network architecture. SAP solutions for GRC provide the business context for GRC needs across the enterprise – that is, the specific GRC-related policies you have identified that are important to your business. Cisco SONA expands the reach of SAP solutions for GRC into the extended enterprise, beyond the borders of packaged enterprise applications and into the landscape of physical and infrastructure risk.

SAP solutions for GRC give you the visibility needed to move away from reacting to business risks and events and toward improving business predictability and performance. These solutions provide business content to correctly interpret and respond to the events detected and tracked by Cisco SONA. Cisco SONA can then aggregate, normalize, and act upon business and IT events with the appropriate business context for your organization and across existing geographies and organizations.

SAP and Cisco are developing a growing portfolio of prebuilt composite applications to address customers’ critical business process issues. These predelivered composite applications for GRC leverage SOA to address the most common challenges around GRC, such as network and IT security, data privacy and protection, and service-level compliance. They are also unique because they are network-aware composite applications, resulting in more powerful and farther-reaching functionality than is possible with traditional composite applications.
The Foundation for Cross-Enterprise GRC

Both SAP and Cisco have built their solutions using a standards-based SOA, making it easy to integrate corporate GRC policies and processes into your existing operations and heterogeneous IT systems. In addition, this lays the ideal foundation for creating and deploying composite applications to drive specialized GRC processes. Composite applications span multiple solutions, departments, and organizations to leverage existing systems and ease future integration. They also allow quick reconfiguration to accommodate new business structures, processes, and partner requirements.
EVOLVING SAP SOFTWARE INTO CROSS-ENTERPRISE PRODUCTS

Forward-looking customers are engaging with vendors such as SAP that have committed to a holistic GRC vision. SAP is evolving its SAP solutions for GRC into cross-application and cross-functional products that support cross-enterprise GRC management and transparency. As illustrated in the tables that follow, SAP solutions for GRC support both breadth and depth.

SAP GRC Access Control

The following table describes the cross-application functionalities of the SAP GRC Access Control application across various business processes and functions. It lists the out-of-the-box process coverage for access risk provided by SAP GRC Access Control.

SAP® GRC ACCESS CONTROL – A CROSS-ENTERPRISE APPLICATION (process coverage by target system)

SAP: HR; Procure to pay; Order to cash; Finance (general accounting, project systems, fixed assets); Basis, security, and system administration; Materials management; SAP Advanced Planning & Optimization; mySAP™ Supplier Relationship Management; mySAP Customer Relationship Management; Consolidations
Oracle: HR; Procure to pay; Order to cash; Finance (general accounting, project systems, fixed assets); System administration
PeopleSoft: HR; Procure to pay; Order to cash; Finance (general accounting, fixed assets); System administration
JD Edwards: HR/Payroll; Procure to pay; Order to cash; Finance (general accounting); Consolidations
Hyperion: Custom rules
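A rule-based segregation-of-duties check of the kind the access-risk analysis above describes, as an added example that is not SAP GRC Access Control code: the conflict rules, role names, user assignments and function names are all constructed for this illustration.

```python
# Added illustration, not SAP GRC Access Control code. Rules, roles and users
# are constructed; a real rule set lives in the application's rule library.
from itertools import combinations

# Conflicting-function rules for procure to pay (constructed).
SOD_RULES = {
    "P2P-01": ("Maintain vendor master", "Post vendor invoice"),
    "P2P-02": ("Create purchase order", "Post goods receipt"),
    "P2P-03": ("Post vendor invoice", "Release payment run"),
}

# Role -> business functions it grants (constructed sample roles).
ROLE_FUNCTIONS = {
    "Z_AP_CLERK": {"Post vendor invoice"},
    "Z_BUYER": {"Create purchase order"},
    "Z_WAREHOUSE": {"Post goods receipt"},
    "Z_VENDOR_ADMIN": {"Maintain vendor master"},
    "Z_TREASURY": {"Release payment run"},
}

# User -> assigned roles (constructed).
USER_ROLES = {
    "alice": ["Z_BUYER", "Z_WAREHOUSE"],
    "bob": ["Z_AP_CLERK"],
    "carol": ["Z_VENDOR_ADMIN", "Z_AP_CLERK", "Z_TREASURY"],
}

def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Union of the functions granted by all of a user's roles."""
    return set().union(*(role_functions.get(r, set()) for r in roles))

def sod_violations(user_roles, rules=SOD_RULES, role_functions=ROLE_FUNCTIONS):
    """Detective check: {user: [rule ids]} for users holding both sides of a rule."""
    report = {}
    for user, roles in user_roles.items():
        funcs = effective_functions(roles, role_functions)
        hits = [rid for rid, (a, b) in rules.items() if a in funcs and b in funcs]
        if hits:
            report[user] = sorted(hits)
    return report

def role_pairs_in_conflict(rules=SOD_RULES, role_functions=ROLE_FUNCTIONS):
    """Preventive view: role pairs that would violate a rule if assigned
    together, so a provisioning request can be stopped before it is granted."""
    conflicting = set()
    for r1, r2 in combinations(sorted(role_functions), 2):
        funcs = role_functions[r1] | role_functions[r2]
        if any(a in funcs and b in funcs for a, b in rules.values()):
            conflicting.add((r1, r2))
    return conflicting
```

The detective report lists users who already hold a conflict; the preventive view is what a provisioning workflow checks before a new role assignment goes through.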
SAP GRC Process Control

The SAP GRC Process Control application deploys configurable, automated controls for key business processes – and even supports custom controls unique to your company. Examples of processes supported by SAP GRC Process Control include the following:

• Procure to pay: Predelivered controls ensure control effectiveness and efficiency for purchasing, inventory, accounts payable, and legacy applications. Examples of these controls include the following:

EXAMPLES OF PROCURE-TO-PAY CONTROLS (SAP® GRC Process Control – Control objective)
Identify split purchase orders – Ensure proper authorization of purchase orders
Match receipts to purchase orders – Ensure accuracy of transactions and prevent overpayments for underdelivery
Identify duplicate vendors – Prevent duplicate payments and fraud

• Order to cash: Predelivered controls ensure control effectiveness and efficiency for order management, inventory, accounts receivable, general ledger, and legacy applications. Examples of these controls include the following:

EXAMPLES OF ORDER-TO-CASH CONTROLS (SAP® GRC Process Control – Control objective)
Monitor price changes – Ensure proper, authorized pricing on sales invoices
Match billing and shipping documents – Identify variances between quantity and price to ensure valid and accurate revenue recognition
Monitor excessive write-offs – Ensure validity of write-offs and prevent undue losses

• Reconcile to report: Predelivered, automated controls for subledgers, general ledgers, and consolidation systems eliminate manual controls, streamline the financial close process, and help ensure the accuracy of financial results. Examples of these controls include the following:

EXAMPLES OF RECONCILE-TO-REPORT CONTROLS (SAP® GRC Process Control – Control objective)
Identify split purchase orders – Ensure proper authorization of purchase orders
Match receipts to purchase orders – Ensure accuracy of transactions and prevent overpayments for underdelivery
Identify duplicate vendors – Prevent duplicate payments and fraud

In addition to providing process-level support across the enterprise, SAP GRC Process Control addresses risks across various functions and applications. Examples of the software’s cross-functional support are illustrated in the following table:

CROSS-ENTERPRISE SAP® GRC PROCESS CONTROL (functions covered by target system)

SAP: Finance and controlling; Purchasing; Accounts receivable; Accounts payable; Inventory; Order management; Basis, security, and system administration
Oracle: General ledger; Global consolidation system; Order management; Accounts payable; Accounts receivable; Inventory
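Three of the procure-to-pay control tests in the table above (split purchase orders, duplicate vendors, receipts matched to purchase orders) run as automated checks over constructed purchasing records; this is an added example, not SAP GRC Process Control code, and the field names, approval limit and sample data are assumptions.

```python
# Added illustration, not SAP GRC Process Control code: three procure-to-pay
# control tests run over constructed records. Field names, the approval limit
# and the sample data are assumptions.
from collections import defaultdict
from datetime import date

# Constructed sample records (a real test reads them from the target system).
PURCHASE_ORDERS = [
    {"po": "4500001", "vendor": "V100", "requester": "u1", "date": date(2007, 1, 8), "qty": 40, "amount": 4800},
    {"po": "4500002", "vendor": "V100", "requester": "u1", "date": date(2007, 1, 8), "qty": 40, "amount": 4700},
    {"po": "4500003", "vendor": "V200", "requester": "u2", "date": date(2007, 1, 9), "qty": 10, "amount": 900},
]
GOODS_RECEIPTS = [{"po": "4500001", "qty": 40}, {"po": "4500003", "qty": 6}]
VENDORS = [
    {"id": "V100", "name": "Acme Supply GmbH", "iban": "DE00 0000 0000 0000 0001"},
    {"id": "V200", "name": "Best Parts Ltd", "iban": "GB00 0000 0000 0000 0002"},
    {"id": "V300", "name": "ACME SUPPLY GMBH.", "iban": "de00000000000000000001"},
]

def split_purchase_orders(pos, approval_limit):
    """Control: identify split POs. Same-day POs to one vendor by one requester,
    each under the approval limit but over it in total, look like a split."""
    groups = defaultdict(list)
    for po in pos:
        groups[(po["vendor"], po["requester"], po["date"])].append(po)
    return [sorted(p["po"] for p in g) for g in groups.values()
            if len(g) > 1 and all(p["amount"] < approval_limit for p in g)
            and sum(p["amount"] for p in g) >= approval_limit]

def duplicate_vendors(vendors):
    """Control: identify duplicate vendors. Masters sharing a normalised name
    or bank account are duplicate candidates (a cause of double payments)."""
    norm = lambda s: "".join(ch for ch in s.lower() if ch.isalnum())
    seen, dupes = {}, set()
    for v in vendors:
        for key in (("name", norm(v["name"])), ("iban", norm(v["iban"]))):
            if key in seen:
                dupes.add(tuple(sorted((seen[key], v["id"]))))
            seen.setdefault(key, v["id"])
    return sorted(dupes)

def unmatched_receipts(pos, receipts):
    """Control: match receipts to POs. For each PO with a receipt, report ordered
    minus received quantity; a positive value means paying in full overpays."""
    received = defaultdict(int)
    for r in receipts:
        received[r["po"]] += r["qty"]
    return {p["po"]: p["qty"] - received[p["po"]] for p in pos
            if p["po"] in received and received[p["po"]] != p["qty"]}
```

Each function returns only the exceptions, which is what a control owner would review or a workflow would route for remediation.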
FOR MORE INFORMATION

The SAP approach to GRC and the solution portfolio provides the framework and the software solutions to help you build your GRC architecture step-by-step, leveraging your existing IT investments in SAP software and other technologies. SAP’s business process expertise, industry knowledge, and global presence attract a continuously growing partner ecosystem. In combination, SAP and its partners deliver a comprehensive and integrated GRC solution portfolio unmatched by any single vendor in the market. To learn more about how SAP can help you with your GRC strategy and reap the benefits of an integrated GRC approach, please call your SAP representative today or visit us on the Web at www.sap.com/grc.

POWERED BY SAP NetWeaver

SAP solutions for GRC are powered by the SAP NetWeaver platform. SAP NetWeaver unifies technology components into a single platform, providing the best way to integrate all systems running SAP or non-SAP software. SAP NetWeaver also helps organizations align IT with their business. As the foundation for enterprise service-oriented architecture (enterprise SOA), SAP NetWeaver allows organizations to compose and enhance business applications rapidly to drive business change.
www.sap.com/contactsap
50 082 958 (07/01)