1 GRC Introduction
8/2/2019 1 GRC Introduction
GRC
By Anil Krishna
-
What is GRC
SoX & SoD
GRC & SoX
Process Controls & Access Controls
Internal controls
-
GRC Introduction
What is GRC?
Governance, Risk, Compliance
-
Governance is the process of setting policy for an organization.
Compliance is the process of adhering to those policies.
Risk Management is the process of addressing uncertainty and making decisions to balance risk and opportunity based on the organization's mission and tolerance for risk.
SAP GRC is an application that provides an integrated approach to identifying efficient and
effective controls and compliance for business processes and cross-enterprise systems, reducing
the cost of compliance by automating and streamlining controls.
GRC helps you make sure that you do things the right way: It keeps track of what you are doing
and raises an alert when things start to go off track or when risks appear.
-
These applications help to document and manage risks
and controls in real time.
Choosing to see GRC as an opportunity can mean significant savings in
auditing costs, creating new sources of information for improving
processes, finding risks earlier, and most of all, avoiding those nasty
surprises that spark a punishing reaction in the stock market.
-
The Sarbanes-Oxley Act of 2002
(also known as SOX or Sarbox)
The Act was passed in response to a number of major corporate and accounting scandals, e.g. Enron, Tyco International, WorldCom and Global Crossing, resulting in a decline of public trust in accounting and reporting practices.
-
Benefits of GRC
Short Term
- Increased risk awareness, resulting in better decision making
- Improved visibility of risk exposure across the organization
- Reduced risk of breaching regulations for the Segregation of Duties
- Simplified compliance
- Minimized audit time and cost
Long Term
- Increased shareholder value
- Improved business performance and predictability
- Business sustainability
- Business agility
- Reduced GRC cost
-
Segregation of Duties (SoD):
Ideally, a single individual must not have authority to create, modify, review and delete any transaction, task or resource.
If an individual has rights to both create and modify, he can create a record and, after it has been reviewed, modify it for fraudulent purposes. Similarly, if an individual has both creation and deletion rights, he can create a transaction, initiate a payment and later delete the transaction logs that would track his activity.
In legislative systems, Segregation of Duties (SoD) is called Separation of Powers; it is also known as Separation of Duties.
It is already well known in financial accounting systems as a primary internal control concept that auditors focus upon.
It is a primary internal control intended to prevent or decrease the risk of errors or irregularities by assigning conflicting duties to different personnel; fraud can occur where duties are not separated.
No single individual should have control over two or more phases of a transaction or operation (more than one person is required to complete a task), which decreases the risk of deliberate fraud.
-
SOX & SOD
SOX was enacted after the Enron and WorldCom debacles and in response to the resulting dramatic loss of faith in the governance of public companies. As such, this Act significantly affects the day-to-day functions of all professionals, managers and executives in corporate America and around the world.
The contents of the act follow:
Section 404 (Internal Controls) & 302 (Disclosure)
Section 404: Management Assessment of Internal Controls
All annual financial reports must include an Internal Control Report stating that management is responsible for an "adequate" internal control structure, and an assessment by management of the effectiveness of the control structure. Any shortcomings in these controls must also be reported. In addition, registered external auditors must attest to the accuracy of the company management's assertion that internal accounting controls are in place, operational and effective.
Section 302: Corporate Responsibility for Financial Reports
Section 302 of the Sarbanes-Oxley Act states that the CEO and CFO are directly responsible for the
accuracy, documentation and submission of all financial reports as well as the internal control
structure to the SEC.
-
SOX & SOD
Every company's financial audit must be submitted to the SEC with the necessary controls (SoD) in place in order to comply with SOX sections 302 & 404.
SoD can be implemented and automated using the GRC application for SAP implementations.
It is mandatory to implement SoD in the enterprise IT applications.
SoD conflicts are not equally important to every company:
- Safeguarding of assets vs. financial reporting risks
- Relative importance of information confidentiality (SAP security work)
- Reduced risk when the chain of access is broken
SoD risks are company specific.
-
SoD benefits
- Maintaining SOX compliance in an SAP environment by implementing automated tools to continuously monitor SAP internal controls
- Provides an opportunity to make the process more efficient, sustainable and transparent
- The SAP GRC product set has been chosen; it has capabilities beyond Sarbanes-Oxley legislation
- Significant benefit realisation to the company as the available functionality is leveraged
- The solution will utilise the existing SAP infrastructure
-
There are two main areas to the SAP GRC solution:
1. Access Control
2. Process Control
3. EHS (Environment, Health and Safety)
4. Global Trade Services
5. Risk Management
-
SAP GRC Access Control provides a compliance foundation for access controls with intrinsic preventive controls to stop SoD violations and helps companies to comply with regulatory requirements such as Sarbanes-Oxley (SOX).
SAP GRC Access capabilities include:
Compliant User Provisioning (formerly known as Access Enforcer) provides a
workflow engine to automatically process user security requests. This means activities such as business
approvals for user security requests and user notification of new accounts are driven by workflows. With this
capability, you can better track security authorization approvals for user provisioning (for example, new
user requests, role changes for employee promotion, terminations) to the environment, enforce SoD policies
and ensure that there are no new SoD risks introduced without management approval.
Enterprise Role Management (formerly known as Role Expert) provides a methodology for developing,
documenting, and simulating the security roles before they are assigned to users with inherent risks.
Risk Analysis and Remediation (formerly known as Compliance Calibrator) provides real-time
compliance monitoring and controls, integrated within the ERP system. It also provides business rules for
SoD risks which the management wants to monitor, analyze, and prevent in the future.
Superuser Privilege Management (formerly known as Firefighter) manages the access of superusers
to emergency and sensitive transactions through timely notification and tracking facilities. This means if an
analyst is assigned superuser access for emergency troubleshooting purposes, all the activities performed
with the superuser access are logged.
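The SoD conflicts described on the Segregation of Duties slide and the preventive check that Compliant User Provisioning and Risk Analysis and Remediation perform, as an added example that is not part of these slides or of SAP's own code: the function names, risk ids and Z_* roles are constructed, and the transaction codes serve only as labels for actions.

```python
"""Added example, not from the slides: a rule-based SoD check in the style of
GRC Access Control's Risk Analysis and Remediation. Functions, risk ids and
Z_* roles are constructed; the transaction codes are only labels here."""

# Business functions and the actions (transaction codes) that grant each one.
FUNCTIONS = {
    "VENDOR_MAINTAIN": {"XK01", "XK02"},   # create / change vendor master
    "INVOICE_POST": {"FB60", "MIRO"},      # post vendor invoices
    "PAYMENT_RUN": {"F110"},               # execute the payment run
    "USER_ADMIN": {"SU01"},                # maintain user accounts
}

# A risk names the functions that one person must not hold together.
RISKS = {
    "P001": ("Maintain vendor and post invoice to it", {"VENDOR_MAINTAIN", "INVOICE_POST"}),
    "P002": ("Post invoice and release payment", {"INVOICE_POST", "PAYMENT_RUN"}),
    "B001": ("Maintain users and run payments", {"USER_ADMIN", "PAYMENT_RUN"}),
}

# Roles bundle actions; a user's access is the union of the roles held.
ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO"},
    "Z_VENDOR_MAINT": {"XK01", "XK02"},
    "Z_TREASURY": {"F110"},
    "Z_BASIS_ADMIN": {"SU01"},
}


def functions_of(roles):
    """Functions a set of roles grants: any one action of a function is enough."""
    actions = set().union(*(ROLES[r] for r in roles))
    return {f for f, acts in FUNCTIONS.items() if acts & actions}


def analyze(roles):
    """Risk analysis: {risk_id: description} for every risk whose functions are all held."""
    held = functions_of(roles)
    return {rid: desc for rid, (desc, fns) in RISKS.items() if fns <= held}


def simulate_request(roles, new_role, mitigated=()):
    """Preventive check on a provisioning request: the risks the added role would
    introduce that are not already covered by an approved mitigating control.
    An empty list means no new SoD risk and the request needs no risk approval."""
    before = set(analyze(roles))
    after = set(analyze(set(roles) | {new_role}))
    return sorted(after - before - set(mitigated))
```

Risks that already existed before the request are reported separately by `analyze`; only newly introduced, unmitigated risks block the request, which is how a new risk cannot slip in without management approval.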
-
SAP GRC Process Control
SAP GRC Process Control provides various tracking tools and interactive reports which enable
members of internal control, audit, and business process teams to effectively manage
compliance activities. It enables organizations to document their control environment efficiently,
automate test and assessment of controls, track issues to remediation, and certify and report on
the state and quality of internal controls.
SAP GRC Process Control supports the documentation of controls for identified risks within
business processes and the assessment and testing of controls from management and monitoring
to the elimination of control weaknesses.
SAP GRC Process Control can automate time-consuming tasks, such as the control assessments that are required for Sarbanes-Oxley (SOX) compliance. It integrates with Risk Analysis and Remediation, which is a component of GRC Access Control, enabling Process Control to provide real-time compliance monitoring and controls.
Furthermore, it can identify any SoD risks associated with critical actions and permissions. Once
these SoD risks have been identified, you can use Risk Analysis and Remediation controls to
mitigate or eliminate the compliance risks via Access controls.
-
Internal Control is a strategic approach aimed at ensuring that a business application is safeguarded against fraudulent and/or erroneous activities. Controls are normally designed to ensure the security, consistency, confidentiality and safety of data, an entity's jewel. SAP ERP adopts a number of strategies to enforce internal control in the business application. Some of the internal control strategies built into SAP ERP are:
Online, real-time access: Depending on defined roles and profiles, an individual can have online, real-time access to the information resident in a system. This allows for prompt analysis of changes made in the system at any point in time.
Duplicate checks: The system can be configured to intelligently check for duplicate records or transactions in the system.
Audit trail: The system has functionality that allows you to see the history of processed transactions and ascertain their correctness or otherwise.
Integrated closing period: This strategy allows you to closely monitor fictitious transactions posted into the system.
Sequential documentation: This internal control strategy ensures that transactions are recorded in the sequence in which they occur and are time-stamped.
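Three of the strategies above (duplicate checks, integrated closing period, sequential documentation) turned into automated control tests of the kind Process Control runs, as an added example that is not part of these slides or of SAP's code; the ledger, vendors, references and the close date are constructed.

```python
"""Added example, not from the slides: automated tests for three internal control
strategies over a constructed ledger. Vendors, references and dates are made up."""
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class Posting:
    doc_no: int
    posting_date: date      # period the document belongs to
    entered_at: datetime    # when the system recorded it
    vendor: str
    reference: str          # vendor's invoice number
    amount: float


# Constructed sample: July 2019 was closed at midnight on 2019-08-01.
PERIOD_END = date(2019, 7, 31)
CLOSED_AT = datetime(2019, 8, 1)
LEDGER = [
    Posting(1000, date(2019, 7, 30), datetime(2019, 7, 30, 9, 0), "V100", "INV-77", 1200.0),
    Posting(1001, date(2019, 7, 30), datetime(2019, 7, 30, 9, 5), "V200", "INV-12", 300.0),
    Posting(1002, date(2019, 7, 31), datetime(2019, 7, 31, 16, 0), "V100", "INV-77", 1200.0),
    Posting(1004, date(2019, 7, 31), datetime(2019, 7, 31, 17, 0), "V300", "INV-05", 950.0),
    Posting(1005, date(2019, 7, 31), datetime(2019, 7, 31, 15, 0), "V200", "INV-13", 420.0),
    Posting(1006, date(2019, 7, 29), datetime(2019, 8, 2, 10, 0), "V100", "INV-78", 600.0),
]


def duplicate_check(ledger):
    """Flag a second posting with the same vendor, reference and amount."""
    seen, issues = {}, []
    for p in ledger:
        key = (p.vendor, p.reference, p.amount)
        if key in seen:
            issues.append(("DUPLICATE", p.doc_no, f"repeats document {seen[key]}"))
        seen.setdefault(key, p.doc_no)
    return issues


def closed_period_check(ledger, period_end=PERIOD_END, closed_at=CLOSED_AT):
    """Flag documents dated in a closed period but entered after the close."""
    return [("CLOSED_PERIOD", p.doc_no, f"dated {p.posting_date}, entered {p.entered_at}")
            for p in ledger if p.posting_date <= period_end and p.entered_at >= closed_at]


def sequence_check(ledger):
    """Flag gaps in document numbers and documents entered out of time order."""
    issues, ordered = [], sorted(ledger, key=lambda p: p.doc_no)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.doc_no != prev.doc_no + 1:
            issues.append(("SEQUENCE_GAP", cur.doc_no, f"follows {prev.doc_no}"))
        if cur.entered_at < prev.entered_at:
            issues.append(("OUT_OF_ORDER", cur.doc_no, f"entered before {prev.doc_no}"))
    return issues
```

Each finding is the kind of issue Process Control would route to an owner and track to remediation; the sample ledger is built so that every test fires exactly once or twice.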
-
Government entities need strict, documented, and tested Internal Controls to:
1. Guard against fraud and mistakes
2. Provide assurance to Congress and taxpayers that funds are accounted for and used wisely
3. Pass a Financial and an Internal Controls audit
4. Stay out of the news