1 GRC Introduction

Transcript of 1 GRC Introduction

  • 8/2/2019 1 GRC Introduction (Slide 1/21)

    GRC

    By Anil Krishna

  • Slide 2/21

    What is GRC

    SoX & SoD

    GRC & SoX

    Process Controls & Access Controls

    Internal controls

  • Slide 3/21

    GRC Introduction

    What is GRC?

    Governance, Risk, Compliance

  • Slide 4/21

    Governance is the process of setting policy for an organization.

    Compliance is the process of adhering to those policies.

    Risk Management is the process of addressing uncertainty and making decisions to balance risk and opportunity based on the organization's mission and tolerance for risk.

    SAP GRC is an application that provides an integrated approach to identifying efficient and effective controls and compliance for business processes and cross-enterprise systems, reducing the cost of compliance by automating and streamlining controls.

    GRC helps you make sure that you do things the right way: it keeps track of what you are doing and raises an alert when things start to go off track or when risks appear.

  • Slide 5/21

    These applications help to document and manage risks and controls in real time.

    Choosing to see GRC as an opportunity can mean significant savings in auditing costs, creating new sources of information for improving processes, finding risks earlier, and most of all, avoiding those nasty surprises that spark a punishing reaction in the stock market.

  • Slide 6/21

    The Sarbanes-Oxley Act of 2002 (also known as SOX or Sarbox) was passed in response to a number of major corporate and accounting scandals, e.g. Enron, Tyco International, WorldCom and Global Crossing, which resulted in a decline of public trust in accounting and reporting practices.

  • Slide 7/21

    Benefits of GRC

    Short Term

    Increased risk awareness, resulting in better decision making

    Improved visibility of risk exposure across the organization

    Reduced risk of breaching regulations for the Segregation of Duties

    Simplified compliance

    Minimized audit time and cost

    Long Term

    Increased shareholder value

    Improved business performance and predictability

    Business sustainability

    Business agility

    Reduced GRC cost

  • Slide 8/21

    Segregation of Duties (SOD):

    Ideally, a single individual must not have authority for the creation, modification, review and deletion of any transaction, task or resource.

    If an individual has access rights for creation and modification, he can create a transaction and, after getting it reviewed, modify it to carry out fraudulent activity. Similarly, if an individual has creation and deletion rights, he can create a transaction, initiate a payment and later delete any transaction logs that could track his activity.

    In legislative systems, Segregation of Duties (SoD) is called Separation of Powers, also known as Separation of Duties.

    It is already well known in financial accounting systems as a concept in primary internal control that auditors focus upon.

    A primary internal control is intended to prevent or decrease the risk of errors or irregularities by assigning conflicting duties to different personnel. Fraud can occur where duties are not separated.

    No single individual should have control over two or more phases of a transaction or operation (more than one person is required to complete a task), which decreases the risk of deliberate fraud.

  • Slide 9/21

    SOX & SOD

    SOX was enacted after the Enron and WorldCom debacles and in response to the resulting dramatic loss of faith in the governance of public companies. As such, this Act significantly affects the day-to-day functions of all professionals, managers and executives in corporate America and around the world.

    The contents of the act follow:

    Section 404 (Internal Controls) & 302 (Disclosure)

    Section 404: Management Assessment of Internal Controls

    All annual financial reports must include an Internal Control Report stating that management is responsible for an "adequate" internal control structure, and an assessment by management of the effectiveness of the control structure. Any shortcomings in these controls must also be reported. In addition, registered external auditors must attest to the accuracy of the company management's assertion that internal accounting controls are in place, operational and effective.

    Section 302: Corporate Responsibility for Financial Reports

    Section 302 of the Sarbanes-Oxley Act states that the CEO and CFO are directly responsible for the accuracy, documentation and submission of all financial reports, as well as the internal control structure, to the SEC.

  • Slide 10/21

    SOX & SOD

    Every company's financial audit must be submitted to the SEC with the necessary controls (SoD) in order to comply with SOX sections 302 & 404.

    SoD can be automated and implemented using the GRC application for SAP implementations.

    It is mandatory to implement SoD in the enterprise IT applications.

    SOD conflicts are not equally important to every company:

    Safeguarding of assets vs. financial reporting risks

    Relative importance of information confidentiality

    SAP Security work

    Reduced risk when the chain of access is broken

    SOD risks are company specific

  • Slide 11/21

    SoD benefits

    Maintaining SOX compliance in an SAP environment by implementing automated tools to continuously monitor SAP internal controls

    Provides an opportunity to make the process more efficient, sustainable, and transparent

    The SAP GRC product set has been chosen; it has capabilities beyond Sarbanes-Oxley legislation

    Significant benefit realisation to the company as the available functionality is leveraged

    The solution will utilise the existing SAP infrastructure

  • Slide 12/21

    There are two main areas to the SAP GRC solution:

    1. Access Control

    2. Process Control

    3. EHS (Environment, Health Services)

    4. Global Trade Services

    5. Risk Management

  • Slide 13/21

    SAP GRC Access Control provides a compliance foundation for access controls with intrinsic preventive controls to stop SoD violations, and helps companies to comply with regulatory requirements such as Sarbanes-Oxley (SOX).

    SAP GRC Access Control capabilities include:

    Compliant User Provisioning (formerly known as Access Enforcer) provides a workflow engine to automatically process user security requests. This means activities such as business approvals for user security requests and user notification of new accounts are driven by workflows. With this capability, you can better track security authorization approvals for user provisioning to the environment (for example, new user requests, role changes for employee promotion, terminations), enforce SoD policies and ensure that no new SoD risks are introduced without management approval.

    Enterprise Role Management (formerly known as Role Expert) provides a methodology for developing, documenting, and simulating security roles for inherent risks before they are assigned to users.

    Risk Analysis and Remediation (formerly known as Compliance Calibrator) provides real-time compliance monitoring and controls, integrated within the ERP system. It also provides business rules for the SoD risks which management wants to monitor, analyze, and prevent in the future.

    Superuser Privilege Management (formerly known as Firefighter) manages the access of superusers to emergency and sensitive transactions through timely notification and tracking facilities. This means that if an analyst is assigned superuser access for emergency troubleshooting purposes, all the activities performed with the superuser access are logged.
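    As an added illustration (not code from the slide deck or from SAP GRC), the following script performs the kind of SoD risk analysis described on slide 8 and attributed to Risk Analysis and Remediation above: a ruleset pairs conflicting functions, each user's flattened authorizations are checked against it, an assigned compensating control marks a violation as mitigated, and a provisioning-time simulation reports only the new violations a requested grant would introduce, as Compliant User Provisioning and Enterprise Role Management require. The function names, action names, users and the control id MC-017 are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed SoD ruleset (illustrative, not SAP's delivered rules): a function is a
# set of actions achieving one business step; a risk pairs two conflicting functions.
FUNCTIONS = {
    "VENDOR_MAINTAIN": {"create_vendor", "change_vendor"},
    "INVOICE_POST": {"post_invoice"},
    "PAYMENT_RUN": {"run_payment"},
    "LOG_DELETE": {"delete_audit_log"},
}
RISKS = {
    "P001": ("VENDOR_MAINTAIN", "INVOICE_POST"),  # create a vendor, then bill through it
    "P002": ("INVOICE_POST", "PAYMENT_RUN"),      # post an invoice and pay it yourself
    "P003": ("PAYMENT_RUN", "LOG_DELETE"),        # pay, then erase the trail
}

@dataclass(frozen=True)
class Violation:
    user: str
    risk: str
    mitigated_by: Optional[str] = None  # id of an assigned compensating control, if any

def functions_of(actions: set) -> set:
    """Map a user's flattened authorizations to the functions they enable."""
    return {f for f, acts in FUNCTIONS.items() if acts & actions}

def analyze(user_actions: dict, mitigations: dict) -> list:
    """Risk analysis. user_actions: user -> actions authorized via all roles;
    mitigations: (user, risk) -> control id. Returns every SoD violation."""
    found = []
    for user, actions in sorted(user_actions.items()):
        have = functions_of(actions)
        for risk, (f1, f2) in RISKS.items():
            if f1 in have and f2 in have:
                found.append(Violation(user, risk, mitigations.get((user, risk))))
    return found

def simulate(user_actions: dict, mitigations: dict, user: str, new_actions: set) -> list:
    """Provisioning check: only the NEW violations that granting new_actions would add."""
    before = set(analyze(user_actions, mitigations))
    merged = {**user_actions, user: user_actions.get(user, set()) | new_actions}
    return sorted(set(analyze(merged, mitigations)) - before, key=lambda v: (v.user, v.risk))

# Constructed assignments (roles already flattened) and one compensating control
USER_ACTIONS = {"alice": {"create_vendor", "post_invoice"},
                "bob": {"post_invoice", "run_payment", "delete_audit_log"},
                "carol": {"run_payment"}}
MITIGATIONS = {("alice", "P001"): "MC-017"}  # e.g. a monthly vendor-change review
```

    Running `analyze(USER_ACTIONS, MITIGATIONS)` reports alice's P001 as mitigated and bob's P002 and P003 as open; `simulate(..., "carol", {"post_invoice"})` shows the P002 conflict that request would create before anyone approves it.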

  • Slide 18/21

    SAP GRC Process Control

    SAP GRC Process Control provides various tracking tools and interactive reports which enable members of internal control, audit, and business process teams to effectively manage compliance activities. It enables organizations to document their control environment efficiently, automate the testing and assessment of controls, track issues to remediation, and certify and report on the state and quality of internal controls.

    SAP GRC Process Control supports the documentation of controls for identified risks within business processes, and the assessment and testing of controls, from management and monitoring to the elimination of control weaknesses.

    SAP GRC Process Control can automate time-consuming tasks, such as the control assessments that are required for Sarbanes-Oxley (SOX) compliance. It integrates with Risk Analysis and Remediation, a component of GRC Access Control, enabling Process Control to provide real-time compliance monitoring and controls.

    Furthermore, it can identify any SoD risks associated with critical actions and permissions. Once these SoD risks have been identified, you can use Risk Analysis and Remediation controls to mitigate or eliminate the compliance risks via access controls.

  • Slide 20/21

    Internal Control is a strategic approach aimed at ensuring that a business application is safeguarded against fraudulent and/or erroneous activities. Controls are normally designed to ensure the security, consistency, confidentiality and safety of data, an entity's jewel. SAP ERP adopts a number of strategies to enforce internal control in the business application. Some of the internal control strategies built into SAP ERP are:

    Online, real-time access: Depending on defined roles and profiles, an individual can have online, real-time access to the information resident in a system. This allows for prompt analysis of changes made in the system at any point in time.

    Duplicate checks: The system can be configured to intelligently check for duplicate records or transactions in the system.

    Audit trail: The system has functionality to allow you to see the history of processed transactions and ascertain their correctness or otherwise.

    Integrated closing period: This strategy allows you to closely monitor fictitious transactions posted into the system.

    Sequential documentation: This internal control strategy ensures that transactions are recorded in the sequence in which they occur and are time-stamped.

  • Slide 21/21

    Government entities need strict, documented, and tested Internal Controls to:

    1. Guard against fraud and mistakes

    2. Provide assurance to Congress and taxpayers that funds are accounted for and used wisely

    3. Pass a Financial and an Internal Controls audit

    4. Stay out of the news