Turning risk into resultsEnabling compliance and process optimization with SAP GRC

What we are seeing in the marketThe role of automation in reducing costs and enabling the more effective use of resources has been widely recognized as a key success factor to managing compliance while adding value to the business. However, many companies have not been able to implement this principle effectively. Developing a clear road map with “quick wins” and strategically leveraging GRC technology to enable its implementation continue to be a challenge and an opportunity.

This is the right time to learn about opportunities to enable your compliance and process optimization program through an SAP GRC Process Control solution that can help:

• Lower the cost of compliance management and related audit activities through centralization and automation

• Expand and improve risk coverage through more strategic allocation of resources and better visibility into risks

• Increase effectiveness of business processes by implementing continuous monitoring techniques

What are the opportunities at your company?Typical current state Mature state

Our recent EY Thinking Outside the SOX Box survey of 225 global executives found that 56% of respondents see cost/level of effort, innovation in control testing strategies and adding value to business as their key challenges. Fully deploying SAP GRC Process Control while focusing on defining your desired maturity model will help address these concerns.

Manual Automated

Reactive Proactive

Fear of unknown Visibility

Cost pressures

Cost- efficient

Compliance-focused

Optimization-focused

Manual testing of data and system controlsManual policy compliance management

Automatic detection of configuration and master data changes and anomaliesAutomated and centralized policy management

Fragmented, manual and ad hoc reportingEmphasis on detective controls

Real-time anomaly and exception reporting resulting in faster remediationContinuous configured controls monitoring and automated testing

Lack of confidence that all risks and controls were capturedPoint-in-time testing

Comprehensive reporting, including dashboardsContinuous testing and integration with SAP GRC Access Control and Risk Management

Too many requests from stakeholders and auditorsDecentralized approach to managing audit results and documentation

Business and audit efficiencies via SAP GRC automation and standardizationCentralized documentation and reporting

“Maintenance-only” mode mentalityNot smart testing

Focus on streamlined testing and process optimizationIncreased compliance governance maturity

SAP GRC Process Control can enable your risk agenda

Automatic detection of configuration and master data changes and anomaliesAutomated and centralized policy management

Resulting in the following benefits:

• Increased integration and coordination among business, IT and compliance

• Real-time notification of potential control failures based on established business rules

• Identification of production change anomalies that may indicate fraud through alerts

• Improved test effectiveness of configured controls with 100% coverage

• Improved operational efficiency through standardization

• Improved policy management process

• User-friendly reporting

• Reduced audit costs due to a reliable and automated environment

• Cost avoidance associated with audit failure

• Efficiencies associated with preparation and analysis of configured controls

• Reduction in the number of manual controls required to be designed and operated

• Continuous configured controls monitoring

• Enhanced visibility to process-related risk exposure and controls testing at the enterprise

• Real-time control exception reporting

• Early detection of configuration and master data changes

• Integrated Process Control, Access Control and Risk Management reporting

Improve controls and processes

Better aligned risk coverage,including the identification of stronger, more pervasive controls

Reduced level of effort associated with performing and testing controls

Increased control and process efficiencies enabled through automation and continuous monitoring

Improved control mix that addresses key business risks while driving process efficiencies

Embed risk management Comprehensive and continuous

risk management and monitoring

Central management of financial, operational and compliance risks and controls across organization

Enhance risk strategy

Improved alignment to the objectives and strategy of the business

Improved visibility to risks that matter most to the organization

Proactive identification of risks

Enhanced decision-making

Optimize risk managementfunctions

Elimination of duplicate and fragmented risk management activities

Increased integration and coordination among business, IT and compliance

Sustainability of risk management process

Effective top-down and bottom-up reporting

Turning risk into results

Enhance risk

strategy

Embed risk

management

Optimize risk management

functions

Improve controls and

processes

Risk agenda

Risk

Cost

Value Risk Value

Cost Cost

ValueRisk

Next steps to improve your compliance management and process optimization landscape

EY SAP performance diagnostic: a tool that provides quantitative analysis and benchmarks of transactional changes and allows for top-down and bottom-up drill-down analysis. It can be used to guide Process Control rule development.

SAP GRC demo environment: demo environment for all the latest versions of software, including SAP GRC 10.0 for Access Control, Process Control, Risk Management and Global Trade Services.

EY RiskUniverse®: industry-specific risk universes, process-normative models and key business risks linked to application-specific controls that can be used to customize SAP GRC demos.

Why EY?

• Global and flexible approach with a focus on SAP GRC

• Knowledgeable team with practical experience in process, risk and technology disciplines

• Industry-specific content and enablers

• Leading-practice assessment diagnostics and leverage models

• Service delivery model design and key performance indicators

Rapid SAP process and control diagnostic provides accelerated current state assessment of SAP processes, controls and technology, allowing you to identify realizable value and develop a future state road map to achieve it.

SAP GRC demo facilitates mapping of business requirements to SAP GRC functionality and could be used to develop an initial business case for implementing SAP GRC.

Our services• Rapid GRC technology diagnostic

• GRC technology vendor selection

• GRC technology implementation and assessments

• Risk transformation enabled by GRC technology

RiCAP™: collects and analyzes process, risk and controls data to help align risk spend to strategic and business objectives by maximizing risk coverage and identifying control cost drivers.

EY | Assurance | Tax | Transactions | Advisory

About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2014 EYGM Limited. All Rights Reserved.

EYG/OC/FEA no. XX0000

1403-1222661 EC

ED 0115

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

ey.com