Protecting your data - SAP GRC & Analytics Ron Corsello – COE Finance Lead NASC conference 2015

Upload: cameron-chandler

Post on 11-Jan-2016


TRANSCRIPT

Page 1

Protecting your data - SAP GRC & Analytics

Ron Corsello – COE Finance Lead

NASC conference 2015

Page 2

© 2014 SAP AG. All rights reserved. Customer

Legal disclaimer

The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP's strategy and possible future developments, products and/or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP's willful misconduct or gross negligence.

All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

Page 3

Challenges with Governance, Risk & Compliance today

Usually a hodge-podge of systems for:
- User Provisioning
- Identity Mgt (incl web access)
- Role Mgt
- Segregation of Duties (SOD)
- Compliance Reporting

Lack of Workflow

Lack of oversight by non-IT staff

Lack of mobile access

Internet access risks

Page 4

Why GRC Matters

What is “top of mind” for management?

Avoid fines/penalties

Identify risks that will keep me from meeting my objectives

Will we be the next Headline?

Data Quality

Reduce Compliance Cost

Brand Protection

Continuous Improvement

Visibility

Accurate Governance

Improve Performance

Fraud Prevention

Am I aware?

Avoid Surprises

Page 5

Control failures / Risk event

Lowers public perception

Reduces confidence

Raises costs

Increases scrutiny

The real world implications

Performance Impact

Lack of transparency

Disrupts operations

Page 6

Brand enhanced

Controls enhance performance

Opportunities identified

Risks anticipated and managed

The Potential for Positive Impact

Public demands met

Major disruptions avoided

Confidence attained

Optimized Performance

Page 7

Ask yourself these questions

Are your employees and systems compliant?

What is the cost of compliance?

Are controls in place and shared across your organization?

What is the opportunity for fraud and errors?

Are risk responses ready and effective?

Are behaviors reflective of policies?

Page 8

GRC involves many elements...

Compliance

Audit

Risk

Monitoring

Access management

Policy

Identity management

Legal

Quality

Regulatory reporting

Page 9

What you achieve with GRC technology

Collaboration and engagement

Alignment and integration among GRC programs

Visibility into the status and controls

Automation and streamlining of tasks

Reduced number of compliance events & cost

Integrity and improvement of business processes

Page 10

SAP solutions for Governance, Risk and Compliance

Complete and Integrated

SAP Access Control: Manage access risk and prevent fraud

SAP Process Control: Ensure effective controls and ongoing compliance

SAP Risk Management: Preserve and grow value

SAP Audit Management: Drive increased audit efficiency and effectiveness

SAP Fraud Management: Better detect and prevent fraud

SAP Identity Analytics: Gain insights into user roles and optimize decision making

SAP Access Violation Management: Identify and quantify the impact of actual access risk violations

SAP Regulation Management: Manage regulatory requirements and align with internal control activities

Controller

Governor, Agencies,

Visibility and confidence

Reduced cost of compliance

Public

Page 14

Regulation Management

Regulatory Collaboration & Execution

1 Regulatory Citations
- Capture, intake and reporting of regulations
- Leverage content from UCF, LexisNexis, Thomson Reuters, etc.
- Regulatory alerts and monitoring

2 Requirements
- Version control and gap analysis
- Delta change management
- Pre-built reports for regulatory requirements

3 Collaboration
- Central repository for regulatory content, requirement and reporting
- Comment and interact from start to finish
- Share and review best practices

Workflow
- Dynamic, multi-threaded workflow capabilities
- Review all or part of citations, requirements or controls at any time

Control Definition
- Best practice control mapping & content creation
- Unified control framework for all regulatory agencies
- Map controls back to citations

4 Controls Management
- Manage, monitor and test controls against production systems*

Control Automation
- Automatically execute control tests and import results*

Reporting and Documentation
- Capture, store and report results*
- Manage and maintain findings*

IT Compliance Business Audit Legal

* With SAP Process Control

Page 15

Fraud is Typically Found Without Technology

Detection through Automation can be leveraged to find more

Source: 2012 Report to the Nations on Occupational Fraud and Abuse, Association of Certified Fraud Examiners

Page 16

Key Benefits

• Track fraud as early as possible before transactions are further processed

• Improve the efficacy of the fraud team and increase ROI of the fraud detection system

• Faster fraud processing to avoid blocking a transaction longer than needed

• Early identification of potential fraud situation enables business users to gather more data for their investigation

Real-time alerting & option to hold suspicious transactions and avoid damages

Fully integrated fraud processing

Advanced alert management

Page 17

consumer user experience is the new standard

The world is changing

Page 18

GRC Analytics

Simple user interface

Key Benefits

Internal auditors view the status and action items anytime/anywhere

Provides e-mail reminders with action items

Collaborate audit issues with colleagues

Page 19

GRC Analytics

Key Benefits

Internal auditors can use the mobile app to identify sufficient, reliable, relevant, and useful information to achieve the engagement’s objectives.

Documentation is captured once and shared

Documentation can be reviewed by audit management

Audit Management example

Page 20

MANAGE BETTER

PROTECT VALUE

OPTIMIZE PERFORMANCE

Automate manual tasks

Employ best practices

Unify the platform

Automate monitoring

Report and analyze

Leverage predefined content

Provide timely information to decision makers

Gain business process insights

Link to value drivers

Why a comprehensive GRC system?

Proactively balance risk and opportunity

Page 21

Thank You!

Ron Corsello

Finance Lead, Center of [email protected]

Page 22

Compliance and control management challenges

Manual, inefficient, slow and inaccurate

Lack of focus on most critical requirements, risks and processes

Not scalable

MISSION

HR

Finance

Manufacturing

Compliance Office

Information and data is spread across many people and systems

Inconsistent practices

Lack of accountability

Risk Management

Internal Controls

Compliance

Finance

Operations

Internal Audit

Operations, Finance, Audit, Local GRC