Governance, Risk, and Compliance Management: Realizing the Value of Cross-Enterprise Solutions

SAP White Paper: SAP Solutions for Governance, Risk, and Compliance


This paper explains SAP’s vision for a cross-enterprise governance, risk and compliance (GRC) solution and the benefits it can provide, defines key terms, and discusses what to look for when evaluating GRC software options.



© Copyright 2007 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, System i, System i5, System p, System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies (“SAP Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.


CONTENTS

Executive Summary ... 4
The Business Need for Cross-Enterprise GRC Solutions ... 5
The Goal: A Holistic Approach to GRC ... 6
Cross-Enterprise GRC Solutions: A Closer Look ... 7
  Support for Business Processes and Functions ... 7
    Reconcile to Report and Financial Close ... 7
    Procure to Pay ... 8
    Order to Cash ... 8
    Hire to Retire ... 8
    Payroll ... 8
    Production to Delivery ... 8
  Support Across the Complete IT Stack ... 8
  Support for Enterprise Application Software Solutions ... 9
    Multiapplication GRC ... 9
    Cross-Application GRC ... 9
  Additional Attributes of an Enterprise-Class GRC Solution ... 10
    Integrated GRC ... 10
    Automated GRC ... 10
SAP Solutions for Governance, Risk, and Compliance ... 11
  SAP Solutions for GRC, Cisco SONA–Ready ... 12
  The Foundation for Cross-Enterprise GRC ... 12
  Evolving SAP Software into Cross-Enterprise Products ... 13
    SAP GRC Access Control ... 13
    SAP GRC Process Control ... 14
For More Information ... 15
Powered by SAP NetWeaver ... 15



EXECUTIVE SUMMARY

This paper explains SAP’s vision for a cross-enterprise GRC solution and the benefits it can provide, defines key terms, and discusses what to look for when evaluating GRC software options. It also discusses how SAP is evolving the SAP® solutions for governance, risk, and compliance (SAP solutions for GRC) to deliver the industry’s first comprehensive, fully integrated cross-enterprise GRC solution.

Governance, risk, and compliance (GRC) issues are hot topics today, thanks to a myriad of high-profile stories about companies that failed to meet regulatory requirements governing finance, environmental compliance, and other areas. In each case, executives have been held accountable, stock prices have dropped, and brand image has suffered. GRC issues are also a top priority because business leaders increasingly understand that seemingly small operational control weaknesses can significantly impair corporate performance. These obstacles might range from a supplier inventory shortage that impacts revenue, to a faulty or counterfeit product that erodes brand and increases costs, to a leakage of confidential data that damages reputation and creates a compliance liability.

Many companies have responded to regulatory mandates by implementing disconnected, tactical processes and point solutions that address a single regulation or corporate initiative. But these fragmented efforts can make compliance far more costly and complicated than it needs to be. You would need to purchase and deploy multiple GRC applications for each enterprise application and then define risks, set policies, and monitor compliance for each application. At the same time, you need to find a way to manage countless GRC policies, decisions, and GRC data – data that is likely based on different metrics, standards, software, and methodologies. The resulting complexity can make it impossible to aggregate this data to gain a complete view of enterprise risk.

SAP offers a new approach for monitoring, identifying, and managing risk across the enterprise. A true cross-enterprise GRC solution dramatically simplifies management and execution of these activities – making it easy to compile data for a comprehensive perspective on overall exposure, monitor compliance and risk effectively, and adjust business processes to meet changing business and regulatory mandates.


THE BUSINESS NEED FOR CROSS-ENTERPRISE GRC SOLUTIONS

Issues related to management of GRC have become top boardroom priorities, thanks to highly publicized corporate scandals and the release of a myriad of regulatory mandates designed to prevent everything from fraud to environmental damage. Most likely, you are keenly aware of the potential costs of noncompliance today. In addition to facing possible fines, your business could face the cost of litigation and remediation, as well as confronting negative impacts on brand, reputation, and market valuation. Equally important, executives at the top can be held personally responsible for compliance failures.

Many companies have responded to regulatory mandates with a series of disconnected, tactical, one-off projects to respond to a single regulation or corporate initiative. Your business may deploy multiple point solutions to address process control risks within a core financial application, for example. However, while fragmented GRC activities may be the status quo, they are likely costing your business more than you think and more than is necessary. AMR Research reports that compliance spending will reach US$27.3 billion in 2006.[1]

Of even greater significance is the fact that fragmented GRC efforts make it impossible to implement a cohesive GRC strategy for monitoring, identifying, and managing risk across the enterprise. This fragmentation – when replicated many times across different business applications and business functions – creates a GRC management nightmare. For each business process or application, you may have one or more different applications to manage it. And for each process and each application, business and IT departments need to define risks, set policies, monitor compliance, manage attestations, address escalations and mitigations, generate reports, and more. Complicating matters further is the fact that departments responsible for different GRC initiatives may use different metrics, standards, software, and methodologies for analyzing risk and compliance information. This makes it difficult to aggregate data, gain a complete view of enterprise risk, effectively monitor compliance and risk, and adjust business processes to meet changing requirements, market trends, and regulatory mandates.

Clearly, fragmented approaches to GRC represent a massive – and costly – duplication of effort that impairs transparency and increases the opportunities for issues or weaknesses to fall through the cracks until they are identified by a regulatory body.

1. Source: John Hagerty, AMR Research, “Spending in an Age of Compliance, 2006,” February 21, 2006

A Definition of GRC

• Governance manages the strategic directives a company wants to follow.

• Risk management assesses the areas of exposure and potential impacts.

• Compliance is the tactical action to mitigate risk.

Source: John Hagerty, AMR Research, April 3, 2006

Forrester anticipates that “firms will establish risk and compliance architectures, develop risk intelligence, and implement GRC platforms, as well as centralized communication and training on corporate policies and procedures.” Forrester also anticipates the continued evolution of the enterprise role that is responsible for managing GRC.

Source: “Trends 2006: Enterprise Risk and Compliance,” Forrester Research Inc., Michael Rasmussen, December 13, 2005


THE GOAL: A HOLISTIC APPROACH TO GRC

A fragmented approach to GRC prevents transparency into your business operations and severely limits your ability to use GRC as a strategic asset for your company. To promote transparency, GRC solutions must span multiple business processes. As illustrated in Figure 1, the answer is to implement a single, holistic solution that works with all of the enterprise applications used to support those business processes.

A true cross-enterprise GRC solution delivers key functionality across two dimensions:

• Breadth in terms of business processes or functions covered, such as human resources, finance, customer relationship management, sales, and so on

• Depth in terms of integration with multiple business applications, which may include software from a major vendor, as well as legacy and custom applications

Integration must extend throughout the entire technology stack, from the highest-level enterprise applications down to the data-exchange infrastructure. In addition, all applications that are part of the solution must 1) address GRC issues across all applications and business functions and 2) feed to and from a single, centralized GRC data repository. These two characteristics of cross-enterprise GRC enable you to address a multitude of GRC challenges and result in the following benefits:

• Enterprise-wide risk monitoring – You can monitor risk across all enterprise applications and business functions, deploying one solution, rather than multiple applications that manage only a subset of GRC activities. You can significantly lower the effort and cost of GRC for your company, freeing resources for innovation and top-line growth.

Figure 1: The Breadth and Depth of Cross-Enterprise Solutions (diagram; cross-functional axis: Hire to Retire, Reconcile to Report, Procure to Pay, Order to Cash, Production to Delivery; cross-application axis: Legacy, SAP, Oracle; Cross-Enterprise GRC spans both axes)


• Greater transparency – Executives gain greater transparency into business operations across the enterprise, essential to increasing overall GRC effectiveness. Transparency enables you to overcome the effects of fragmentation, such as increased risks, reduced effectiveness of controls, strategic misalignment, and missed opportunities.

• Increased automation – You can automate manual processes, which results in highly repeatable, consistent, and auditable GRC processes. At the same time, automation enables fast, cost-effective reporting that saves time and money and helps ensure that the data you submit to regulatory agencies is reliable and supportable.

• Simplified compliance – You can adjust to regulatory changes easily and speed compliance efforts, which can play a critical role – for example, bringing new products to market faster than the competition.

All of these benefits are made possible by the fact that a true cross-enterprise GRC solution dramatically simplifies management and execution of GRC activities. Whereas before you needed a different application to manage each business process or application, with cross-enterprise GRC, you need only one. Having a single GRC solution means that you need to define risks and set policies once for the entire enterprise. It also means that metrics, standards, software, and methodologies for analyzing risk and compliance information are consistent across the enterprise, making it easy to aggregate data, gain a complete view of enterprise risk, effectively monitor compliance and risk, and adjust business processes to meet changing requirements, market trends, and regulatory mandates.

CROSS-ENTERPRISE GRC SOLUTIONS: A CLOSER LOOK

When evaluating GRC technologies, it’s important to understand the baseline functionality required in a cross-enterprise GRC solution. The solution should provide the following:

• Support for all core business processes and functions

• Support for all major enterprise application software solutions

• Support across the complete IT stack

• Integrated GRC processes

• Automated GRC processes

Support for Business Processes and Functions

To qualify as a true cross-enterprise GRC application, the solution must provide business process controls that address all core business processes in your organization, ranging from the supply chain to finance to operations. Examples include the following.

Reconcile to Report and Financial Close

The leading source of material weakness disclosures relates to controls for the reconcile-to-report process – a process that places a tremendous strain on the accounting staff. In addition, mistakes or delays can cause significant harm to a company’s financial statements and ultimately, its share price.

Errors in financial results are often the result of manual processes and calculations performed in a compressed time frame across multiple locations and groups and a wide variety of enterprise applications. All of these variables create an environment in which it is easy to make simple calculation and data-entry mistakes. These mistakes can easily add up to material problems that require rework or, in the worst case, a financial restatement.

A true cross-enterprise GRC solution automates manual processes with controls in the reconcile-to-report area as much as possible. These controls eliminate the source of most material weaknesses – and by default, significantly reduce the need for financial restatements. In addition, they free accounting staff to focus on more strategic activities.


Procure to Pay

For most large organizations, procurement activities generate thousands of transactions across multiple enterprise applications each day. This complexity can make it nearly impossible to ensure the validity of procure-to-pay transactions. Lack of automated controls for procure-to-pay processes impairs cash flow and can cause inaccurate account balances related to delivery of low-quality goods, duplicate vendor payments, lost discounts, and improperly valued inventory. An even more serious threat is significant losses due to fraud.

A true cross-enterprise GRC solution addresses these challenges by providing controls throughout the procure-to-pay process that detect or even prevent accidental or malicious activities.

Order to Cash

Optimizing the order-to-cash process is a strategic priority for most companies. Since this process concludes with revenue recognition, it can present a high degree of risk to company management. The risks are magnified when companies have high order volumes from a global customer base, and customers use complex discounting structures and multiple payment terms. Clearly, financial professionals need to implement automated process controls to identify revenue leakage, improper shipping cutoffs, and potentially fraudulent activities.

A true cross-enterprise GRC solution addresses these challenges by providing best-practice controls that safeguard the order-to-cash processes.

Hire to Retire

Ensuring employee information security – while maintaining adequate information transparency for key stakeholders of an organization – requires a robust hire-to-retire process with the appropriate controls needed to achieve both objectives. With a cross-enterprise GRC solution in place, you get best-practice controls that enforce policies and detect or even prevent failures in the hire-to-retire process.

Payroll

Payroll is one of the largest expenditures in many organizations, making it a prime target for fraud. The volume and frequency of payroll transactions create additional risks, such as the likelihood of errors due to complexities in tax regulations, time accounting, and other areas. With a cross-enterprise GRC solution in place, you receive best-practice controls that protect the entire payroll process from accidental or malicious activities.

Production to Delivery

The production-to-delivery process often requires a wide range of cross-industry controls to address issues such as product quality and workplace safety. In addition, there are many industry-specific variations and additions to these horizontal controls, such as enhancements specific to the U.S. Food and Drug Administration in the life sciences industry. A true cross-enterprise GRC solution also delivers controls for this process to ensure that there are no material deviations from regulatory mandates or company policy.

Support Across the Complete IT Stack

Businesses increasingly need controls that extend down to operating system and network layers. For example, to address network and IT security risks related to compliance, you are probably performing manual audits of all devices and IT systems or using point solutions focused on IT or network compliance. In either case, this approach requires addressing regulatory requirements manually and makes it difficult to leverage data between the point solutions. This can be a serious problem given that the reporting requirements for compliance with the Control Objectives for Information and Related Technologies (COBIT) framework alone can diminish IT productivity.

To address these types of risks, you need a holistic cross-enterprise GRC solution that takes into account not only controls for core business processes but also IT controls that extend through all levels of the IT infrastructure – from the operating system and network all the way up to the highest-level business applications. The software that typically monitors and reports on network activity should correlate events to higher-level GRC information so that, for example, sensitive customer information (such as customer credit card numbers) does not pass outside company firewalls.

Support for Enterprise Application Software Solutions

A cross-enterprise GRC solution also needs to provide full support for heterogeneous business applications by providing both multiapplication functionality and cross-application functionality. The following sections explore these terms.

Multiapplication GRC

Multiapplication GRC solutions enable you to define all risks, policies, functions, and controls just once using nontechnical, common business language and to store this data in a central repository for reuse by multiple GRC applications. The solutions automatically map these risks, policies, and functions to all of the underlying business applications, regardless of where they are in the enterprise.

Automated, multiapplication functionality helps you avoid fragmentation of risk analysis, policies, and controls; ensures consistency across the enterprise; and eliminates duplication of effort across applications. For example, you may have three applications that support “create vendor” and “pay vendor” processes. To prevent fraud, you define a rule that no one user can have permission to both create and pay a vendor. Without multiapplication functions in place, you need to deploy a different GRC application to monitor each business application – and define the rule three different times. Given the law of large numbers, having this kind of data scattered across multiple applications eventually results in inconsistencies, errors, and oversights. Also, if you find a violation of a rule, you need to put a mitigating control in place across three different applications – another potential source of oversight, as companies can lose track of which users have what controls, when they expire, and so on. And if management needs visibility across the enterprise with regard to this issue, individual reports from the various GRC applications need to be manually reconciled – a costly and error-prone process.

A multiapplication solution automatically applies the rules to each business application involved in creating and paying vendors. Multiapplication functionality alone, however, does not address the fact that business processes often span multiple applications. To return to our prior example, multiapplication functionality allows you to detect instances when a user has permission to both create and pay a vendor within a single application. But it cannot detect when a user tries to bypass the policy by creating a vendor in one application and paying the vendor in another.

Cross-Application GRC

Only GRC software that offers cross-application functionality can detect cross-application risks. Multiapplication software is gradually evolving into cross-application software that enables you to apply policies and controls across business applications and uncover risks spread across them – the holy grail of GRC.

For example, you may have a business policy stating that purchase orders over a certain amount require management approval. This process control can potentially be sidestepped by employees who submit two purchase orders for lesser amounts across two different applications. To prevent this type of process control failure, you can deploy a cross-application GRC product that includes functionality for monitoring all purchase order activity across all relevant enterprise applications. Centralized business rules can detect a suspicious sequence of purchase orders for an individual and generate an alert to a manager responsible for compliance in the procurement area with the Sarbanes-Oxley Act, who can take immediate action. (In contrast, multiapplication software would only enable you to detect when employees submit two purchase orders within the same application.)

As this example illustrates, end-to-end business processes can touch multiple enterprise applications and departments – and as a result, GRC solutions must be able to identify and manage risk within and across them. You want one GRC solution that enables you to do the following:


• Document and store all rules and policies in a central GRC repository

• Apply these centralized rules and policies across all of your major enterprise applications to identify and analyze risk

• Mitigate and remediate risks from a central GRC solution
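The segregation-of-duties rule ("no one user may both create and pay a vendor") and the split purchase order scenario from the Multiapplication and Cross-Application sections above, worked as a small added example. This is illustrative Python written for this page, not SAP code or any product's rule engine; the application names, users, amounts, the approval threshold of 10,000 and the three-day window are all constructed assumptions. The same central rule set is evaluated twice: once per application (what the text calls multiapplication detection) and once with each user's activity pooled across applications (cross-application detection), so the difference in what each view can see is visible in the results.

```python
"""Central GRC rules evaluated against access and purchase-order records
from several applications. All data is constructed for illustration."""
from collections import defaultdict
from datetime import date, timedelta

# Central repository: rules are defined once, in business terms, and applied
# to every application. Both values below are hypothetical.
SOD_RULES = [("create_vendor", "pay_vendor")]   # conflicting function pairs
PO_APPROVAL_THRESHOLD = 10_000                   # orders above this need approval
PO_SPLIT_WINDOW = timedelta(days=3)              # lookback for split-order detection

# Constructed access assignments: (user, application, business function)
ACCESS = [
    ("alice", "ERP-A", "create_vendor"),
    ("alice", "ERP-A", "pay_vendor"),    # conflict inside a single application
    ("bob",   "ERP-A", "create_vendor"),
    ("bob",   "ERP-B", "pay_vendor"),    # conflict only visible across applications
    ("carol", "ERP-B", "pay_vendor"),
]

# Constructed purchase orders: (user, application, order date, amount)
ORDERS = [
    ("dave", "ERP-A", date(2007, 3, 1), 6_000),
    ("dave", "ERP-B", date(2007, 3, 2), 6_000),   # two apps, total above threshold
    ("erin", "ERP-A", date(2007, 3, 1), 4_000),
    ("erin", "ERP-A", date(2007, 3, 20), 9_000),  # second order outside the window
]


def sod_violations(access, rules, cross_application):
    """Return sorted (user, function1, function2) triples that break a rule.

    cross_application=False mimics multiapplication software: each application
    is checked on its own. True pools every function a user holds anywhere."""
    held = defaultdict(set)
    for user, app, func in access:
        key = user if cross_application else (user, app)
        held[key].add(func)
    found = set()
    for key, funcs in held.items():
        user = key if cross_application else key[0]
        for f1, f2 in rules:
            if f1 in funcs and f2 in funcs:
                found.add((user, f1, f2))
    return sorted(found)


def split_orders(orders, threshold, window, cross_application):
    """Return sorted users whose individually unapproved orders (each at or
    below `threshold`) placed within `window` add up to more than `threshold`.

    Per application when cross_application is False; pooled across
    applications when True, which is what catches the split in the text."""
    by_key = defaultdict(list)
    for user, app, when, amount in orders:
        if amount <= threshold:          # larger orders already went to approval
            key = user if cross_application else (user, app)
            by_key[key].append((when, amount))
    flagged = set()
    for key, items in by_key.items():
        items.sort()                     # chronological, so each window starts here
        for i, (start, _) in enumerate(items):
            total = sum(a for d, a in items[i:] if d - start <= window)
            if total > threshold:
                flagged.add(key if cross_application else key[0])
    return sorted(flagged)


if __name__ == "__main__":
    for cross in (False, True):
        view = "cross-application" if cross else "per-application"
        print(f"{view} SoD violations:",
              sod_violations(ACCESS, SOD_RULES, cross))
        print(f"{view} split orders:",
              split_orders(ORDERS, PO_APPROVAL_THRESHOLD, PO_SPLIT_WINDOW, cross))
```

Run as a script, the per-application pass reports only alice's conflict and no split orders, while the cross-application pass adds bob (create in ERP-A, pay in ERP-B) and flags dave's two 6,000 orders placed a day apart in different systems. Erin is not flagged in either view because her second order falls outside the window; the window and threshold are the two knobs a compliance manager would tune against their own false-positive tolerance.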

Additional Attributes of an Enterprise-Class GRC Solution

In addition to supporting GRC activities across all business processes and applications, a true cross-enterprise GRC solution also delivers the following functionality.

Integrated GRC

A cross-enterprise GRC solution does not treat GRC activities as separate activities but rather addresses them as one integrated solution. Integrated GRC enables you to aggregate data, gain a complete view of enterprise risk, effectively monitor compliance and risk, and adjust business processes to meet changing requirements, market trends, and regulatory mandates. It also simplifies GRC, which reduces costs and the potential for error. And because data is truly integrated, you can more easily link GRC to corporate performance management, strategy setting, and company policies to create reports that are useful to senior management. If this information is fragmented, creating reports that synthesize this data would require repeated linkages dozens of times across different enterprise systems – a costly endeavor.

Automated GRC

True cross-enterprise GRC solutions also automate the bulk of activities that are typically processed manually by most companies today – for example, managing segregation-of-duties information using spreadsheets. Automating the tracking and management of this type of data across the enterprise reduces GRC costs and eliminates countless errors that can lead to major liabilities.


Figure 2: The Evolution of GRC Applications (diagram of three stages: Single Application – one GRC application with one rule set for a single application, such as SAP; Multiapplication – one GRC application with a separate rule set for each of several applications, such as SAP, Oracle, and PeopleSoft; Cross-Application – one GRC application with a single rule set applied across all of those applications)

Defining Single-, Multi-, and Cross-Application Software

The GRC software industry is relatively new and, in many ways, has been playing catch-up with the needs of businesses seeking to comply with regulatory mandates in an effective, cost-efficient manner. As illustrated in Figure 2, software products are continuing to evolve from “siloed” GRC applications that focus on only one enterprise application to those that enable cross-application management.


SAP SOLUTIONS FOR GOVERNANCE, RISK, AND COMPLIANCE

SAP has recognized the need for cross-enterprise GRC applications and has deepened its own GRC domain expertise by investing in SAP® solutions for governance, risk, and compliance (SAP solutions for GRC) and a robust, industry-leading GRC partner ecosystem. These solutions will enable you to achieve the goal of managing GRC across your enterprise and even across your extended business landscape – and do so with confidence.

SAP solutions for GRC make up an integrated portfolio of applications that embed and optimize all GRC activities to overcome the problems caused by business fragmentation and disjointed approaches to GRC management. These solutions are powered by the SAP NetWeaver® platform, which provides a common technical foundation that integrates with the mySAP™ Business Suite applications and with third-party applications. They can

SAP® PRODUCT DESCRIPTION

SAP GRC Access Control application

This application for monitoring, testing, and enforcing access and authentication controls across the enterprise addresses compliant-resource provisioning and ensures proper segregation of duties at all times. It is designed to help organizations with duty segregation and application-access management, a fundamental requirement of many regulations (including Sarbanes-Oxley in the United States, Combined Code in the United Kingdom, and KonTraG in Germany). The application enables businesses to rapidly identify and remove access and authorization risk from IT systems and embed preventive controls into business processes that stop future violations from occurring.

SAP GRC Process Control application

This cross-enterprise control management application for compliance with Sarbanes-Oxley supports frameworks such as Committee of Sponsoring Organizations of the Treadway Commission (COSO) and Control Objectives for Information and Related Technologies (COBIT). The software deploys configurable, prebuilt, and custom-automated control tests across multiple target systems. It delivers workflows and templates for manual control tests, self-assessment surveys, and certification.

SAP GRC Risk Management application

This application automates collaborative process management for enterprise risk planning, identification, analysis, response, and monitoring. The software graphically depicts risk profiles and proactively alerts management regarding high-impact and high-probability issues.

SAP GRC Repository application This central application of a record of GRC content includes corporate policies, compliance and control frameworks, and risk and control libraries. SAP GRC Repository currently comes as part of all SAP solutions for GRC at no additional fee.

SAP Global Trade Services application

This application enables secure, expedited, cross-border trade transactions that comply with trade export and import regulations, restricted-party-list screening, and regional customs-reporting mandates. It works across all enterprise ap-plications that support cross-border transactions.

SAP Environment, Health & Safety application

This application tracks compliance with multiple environment, health, and safety (EH&S) regulations relating to waste man-agement, dangerous goods, product safety, hazardous substances, industrial hygiene and safety, and occupational health.

SAP xApp™ Emissions Manage-ment composite application

This composite application tracks compliance with global and regional emissions regulations, such as the Kyoto Protocol and the U.S. Clean Air Act for the chemicals, oil and gas, and mining industries.

SAP solution for environmental product compliance

This automated environmental-product-compliance software is a joint offering from SAP and TechniData that addresses products regulated by mandates such as the restriction of the use of certain hazardous substances (RoHS) and waste electrical and electronic equipment (WEEE) directives.

leverage information within your existing business applications to evaluate risk and apply controls directly within business processes. This results in greater transparency and predictabili-ty, enabling you to improve GRC activities – and overall enter-prise performance.

SAP solutions for GRC are based on the concept that business processes are not contained within a single application or silo function of a business. Instead, they cut across an entire corpo-ration or distributed value chain. This means that SAP solutions for GRC have to function reliably outside a single application and across a complex business network. The complexity of the network requires that SAP solutions for GRC must be increas-ingly adaptable and flexible to work in any heterogeneous environment. Key applications are described in the table that follows.
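The access-control entry above describes two things: a detective check that finds segregation-of-duties (SoD) conflicts spread across several applications, and a preventive check that blocks a provisioning request before it creates a new conflict. The following is an added illustration of both, not SAP code; the application names, entitlement identifiers, rule ids and users are all constructed, and a real rule set would map business functions to the actual roles or transactions of each target system.

```python
"""Cross-application segregation-of-duties (SoD) check.

Added illustration, not SAP code. Application names, entitlement
identifiers, rule ids and users below are all constructed.
"""

# Business functions mapped to the application-specific entitlements that grant
# them. Because each function may be granted in more than one application, a
# conflict can arise from a role in one system plus a permission in another.
FUNCTION_ENTITLEMENTS = {
    "maintain_vendor_master": {("erp", "ROLE_VENDOR_MAINT"), ("procurement", "vendor.edit")},
    "release_payment":        {("erp", "ROLE_PAYMENT_RUN"), ("procurement", "payment.approve")},
    "create_purchase_order":  {("procurement", "po.create")},
    "post_goods_receipt":     {("erp", "ROLE_GOODS_RECEIPT")},
}

# SoD rules: pairs of functions a single person must not hold together.
SOD_RULES = {
    "P2P-01": ("maintain_vendor_master", "release_payment"),
    "P2P-02": ("create_purchase_order", "post_goods_receipt"),
}


def functions_held(entitlements):
    """Return the business functions a set of (app, entitlement) pairs grants,
    regardless of which application each entitlement lives in."""
    held = set(entitlements)
    return {f for f, grants in FUNCTION_ENTITLEMENTS.items() if held & grants}


def sod_violations(entitlements):
    """Detective control: the SoD rule ids this entitlement set violates."""
    funcs = functions_held(entitlements)
    return sorted(rule for rule, (a, b) in SOD_RULES.items() if a in funcs and b in funcs)


def report(users):
    """Run the detective check over every user; returns {user: [rule ids]} for offenders only."""
    findings = {}
    for user, entitlements in users.items():
        violated = sod_violations(entitlements)
        if violated:
            findings[user] = violated
    return findings


def provisioning_allowed(current, new_entitlement):
    """Preventive control: refuse a request that would introduce a conflict the
    user does not already have. Returns (allowed, newly_violated_rule_ids)."""
    before = set(sod_violations(current))
    after = set(sod_violations(set(current) | {new_entitlement}))
    newly_violated = sorted(after - before)
    return (not newly_violated, newly_violated)


# Constructed sample: entitlements as exported from two systems.
USERS = {
    "alice": {("erp", "ROLE_VENDOR_MAINT"), ("procurement", "payment.approve")},  # cross-app conflict
    "bob":   {("procurement", "po.create"), ("erp", "ROLE_GOODS_RECEIPT")},
    "carol": {("procurement", "po.create")},
}

if __name__ == "__main__":
    for user, rules in report(USERS).items():
        print(f"{user}: violates {', '.join(rules)}")
    ok, new = provisioning_allowed(USERS["carol"], ("erp", "ROLE_GOODS_RECEIPT"))
    print("carol request:", "allowed" if ok else f"blocked ({', '.join(new)})")
```

Note that alice's conflict is invisible to either application on its own: the vendor-maintenance role lives in one system and the payment-approval permission in the other. Only the cross-application view, which is the point the paper makes about siloed GRC tools, exposes it.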

SAP Solutions for GRC, Cisco SONA–Ready

SAP and Cisco Systems Inc. have partnered to deliver a joint set of solutions based on enterprise service-oriented architecture (enterprise SOA) that allow you to address GRC needs across the enterprise in a holistic, nonintrusive, flexible, and cost-effective way. This approach leverages SAP solutions for GRC and the intelligent network delivered by Cisco Service-Oriented Network Architecture (SONA), Cisco’s leading network architecture. SAP solutions for GRC provide the business context for GRC needs across the enterprise – that is, the specific GRC-related policies you have identified that are important to your business. Cisco SONA expands the reach of SAP solutions for GRC into the extended enterprise, beyond the borders of packaged enterprise applications and into the landscape of physical and infrastructure risk.

SAP solutions for GRC give you the visibility needed to move away from reacting to business risks and events and toward improving business predictability and performance. These solutions provide business content to correctly interpret and respond to the events detected and tracked by Cisco SONA. Cisco SONA can then aggregate, normalize, and act upon business and IT events with the appropriate business context for your organization and across existing geographies and organizations.

The Foundation for Cross-Enterprise GRC

Both SAP and Cisco have built their solutions using a standards-based SOA, making it easy to integrate corporate GRC policies and processes into your existing operations and heterogeneous IT systems. In addition, this lays the ideal foundation for creating and deploying composite applications to drive specialized GRC processes. Composite applications span multiple solutions, departments, and organizations to leverage existing systems and ease future integration. They also allow quick reconfiguration to accommodate new business structures, processes, and partner requirements.

SAP and Cisco are developing a growing portfolio of prebuilt composite applications to address customers’ critical business process issues. These predelivered composite applications for GRC leverage SOA to address the most common challenges around GRC, such as network and IT security, data privacy and protection, and service-level compliance. They are also unique because they are network-aware composite applications, resulting in more powerful and farther-reaching functionality than is possible with traditional composite applications.

EVOLVING SAP SOFTWARE INTO CROSS-ENTERPRISE PRODUCTS

Forward-looking customers are engaging with vendors such as SAP that have committed to a holistic GRC vision. SAP is evolving its SAP solutions for GRC into cross-application and cross-functional products that support cross-enterprise GRC management and transparency. As illustrated in the tables that follow, SAP solutions for GRC support both breadth and depth.

SAP GRC Access Control

The following table describes the cross-application functionalities of the SAP GRC Access Control application across various business processes and functions. It lists the out-of-the-box process coverage for access risk provided by SAP GRC Access Control.

SAP® GRC ACCESS CONTROL – A CROSS-ENTERPRISE APPLICATION

Process coverage for access risk, by target application:

SAP: HR; procure to pay; order to cash; finance (general accounting, project systems, fixed assets); Basis, security, and system administration; materials management; SAP Advanced Planning & Optimization; mySAP™ Supplier Relationship Management; mySAP Customer Relationship Management

Oracle: HR; procure to pay; order to cash; finance (general accounting, project systems, fixed assets); system administration

PeopleSoft: HR; procure to pay; order to cash; finance (general accounting, fixed assets); system administration

JD Edwards: HR/payroll; procure to pay; order to cash; finance (general accounting)

Hyperion: custom rules; consolidations

SAP GRC Process Control

The SAP GRC Process Control application deploys configurable, automated controls for key business processes – and even supports custom controls unique to your company. Examples of processes supported by SAP GRC Process Control include the following:

• Procure to pay: Predelivered controls ensure control effectiveness and efficiency for purchasing, inventory, accounts payable, and legacy applications. Examples of these controls include the following:

EXAMPLES OF PROCURE-TO-PAY CONTROLS (SAP® GRC Process Control: control objective)

Identify split purchase orders: ensure proper authorization of purchase orders
Match receipts to purchase orders: ensure accuracy of transactions and prevent overpayments for underdelivery
Identify duplicate vendors: prevent duplicate payments and fraud

• Order to cash: Predelivered controls ensure control effectiveness and efficiency for order management, inventory, accounts receivable, general ledger, and legacy applications. Examples of these controls include the following:

EXAMPLES OF ORDER-TO-CASH CONTROLS (SAP® GRC Process Control: control objective)

Monitor price changes: ensure proper, authorized pricing on sales invoices
Match billing and shipping documents: identify variances between quantity and price to ensure valid and accurate revenue recognition
Monitor excessive write-offs: ensure validity of write-offs and prevent undue losses

• Reconcile to report: Predelivered, automated controls for subledgers, general ledgers, and consolidation systems eliminate manual controls, streamline the financial close process, and help ensure the accuracy of financial results. Examples of these controls include the following:

EXAMPLES OF RECONCILE-TO-REPORT CONTROLS (SAP® GRC Process Control: control objective)

Identify split purchase orders: ensure proper authorization of purchase orders
Match receipts to purchase orders: ensure accuracy of transactions and prevent overpayments for underdelivery
Identify duplicate vendors: prevent duplicate payments and fraud

In addition to providing process-level support across the enterprise, SAP GRC Process Control addresses risks across various functions and applications. Examples of the software’s cross-functional support are illustrated in the following table:

CROSS-ENTERPRISE SAP® GRC PROCESS CONTROL

SAP | Oracle
Finance and controlling | General ledger
Purchasing | Global consolidation system
Accounts receivable | Order management
Accounts payable | Accounts payable
Inventory | Accounts receivable
Order management | Inventory
Basis, security, and system administration |

FOR MORE INFORMATION

The SAP approach to GRC and the solution portfolio provides the framework and the software solutions to help you build your GRC architecture step-by-step, leveraging your existing IT investments in SAP software and other technologies. SAP’s business process expertise, industry knowledge, and global presence attract a continuously growing partner ecosystem. In combination, SAP and its partners deliver a comprehensive and integrated GRC solution portfolio unmatched by any single vendor in the market.

To learn more about how SAP can help you with your GRC strategy and reap the benefits of an integrated GRC approach, please call your SAP representative today or visit us on the Web at www.sap.com/grc.

POWERED BY SAP NetWeaver

SAP solutions for GRC are powered by the SAP NetWeaver platform. SAP NetWeaver unifies technology components into a single platform, providing the best way to integrate all systems running SAP or non-SAP software. SAP NetWeaver also helps organizations align IT with their business. As the foundation for enterprise service-oriented architecture (enterprise SOA), SAP NetWeaver allows organizations to compose and enhance business applications rapidly to drive business change.

www.sap.com/contactsap

50 082 958 (07/01)