Table of Contents. Foreword 7

Transcription

1

2 Table of Contents Foreword 7 1 The basic principles of GRC automation GRC as a content-driven application A brief overview of SAP GRC solutions The three lines of defense model Factors driving GRC automation Measurable GRC benefits 43 2 Using GRC to fight corruption: From the concept to implementation The concept: The anti-cube in action The main features of an anti-corruption framework Identifying and assessing risks Preventing risks Detection Countermeasures and damage limitation Anti-corruption content for GRC The corruption environment what you need to know Anti-corruption content for SAP GRC Fraud risks in the retail trade Detecting fraud in the retail trade Tips for implementing GRC The first steps Building up the SAP GRC sandbox Setting up scenarios in SAP Fraud Management Designing the GRC user interface Design options for GRC reporting 200 5

3 0BFOREWORD 5 Summary and outlook 209 List of references 213 Bibliography 215 A The Author 218 B Index 219 C Disclaimer 224 6

4 2 Using GRC to fight corruption: From the concept to implementation In this chapter, I present a practical concept for fighting corruption which is based on processes that most companies are already using (e.g., ICS, risk and policy management). In doing so, I will show how an anti-corruption framework can be implemented in a company as part of an overarching and integrated GRC initiative. There are numerous studies about how to tackle the topic of fraud and corruption in both the private sector and government institutions. One of the most important of these is the publication by the World Bank Institute, Fighting Corruption Through Collective Action a Guide for business [13]. This study (although it was undertaken in 2008, it is still extremely relevant) is the result of joint work between the World Bank Institute, United Nations Global Compact, Transparency International, and other well-known bodies as well as renowned companies such as Siemens, Microsoft, etc. The above-mentioned Guide for Business and other studies contain similar elements that can be combined into a best practice concept for fighting corruption in a company. 2.1 The concept: The anti-cube in action Introduction to the concept There are three levels of anti-corruption measures that a company can establish : 1. Internal processes 2. External communication 3. Collective action Can establish is a rather diplomatic phrase: these measures are actually more of a must because it is only the three levels as a whole that make an anti-corruption initiative complete that is, it is only together as 61

5 USING GRC TO FIGHT CORRUPTION: FROM THE CONCEPT TO IMPLEMENTATION a whole that the measures sustainably secure the success of the initiative and the investment made. In most companies, the focus is on internal processes. This is due to the fact that an anti-corruption initiative is based on a backbone of ICS and risk management. 1) Internal processes should contain clearly defined steps for identifying the conflicts of interest and corruption risks; the processes should establish preventive and detective controls, and should ensure the implementation of the measures as well as communicate the policies. To ensure that internal anti-corruption processes are successful, it is both important and essential to promote a positive perception of the risk management function and ethic within the corporate culture. Management must act as a role model and support the GRC initiatives. Nevertheless, it is also very important to supplement the internal processes with the two other process levels, as already stated. 2) External communication: swapping experiences about best practices, success stories, appearances at conferences; publication of Corporate Social Responsibility (CSR) reports; drawing up contracts with business partners, vendors, and sales partners with reference to their agreement with compliance policies. Besides communication, there are further ways in which a company can cooperate with the outside world to tackle corruption together. These measures are urgently recommended not only in high-risk regions but also for pertinent industries and transactions regardless of the region. In particular, these more intensive forms of cooperation are aimed at fighting bribery as a type of corruption and they are grouped under the term collective action (see also Section 3.1.2). 3) Collective action involves forming alliances to overcome corruption and isolate black sheep together. In addition to companies and their respective supply chain (partners, vendors, customers, etc.), such alliances include society as well as government and non-government organizations. We will keep these three important levels of fighting corruption in mind when we describe our concept later on. What sources is our idea based on and what is the core of the idea? As already mentioned, there are numerous studies and guidelines published 62

6 USING GRC TO FIGHT CORRUPTION: FROM THE CONCEPT TO IMPLEMENTATION by the World Bank, the UN, Transparency International, etc. that are aimed at helping companies to fight corruption. They are all based on the four internal processes shown in Figure 2.1: Figure 2.1: Process steps in an anti-corruption framework These studies and guidelines provide very good suggestions and in some cases, very specific and tangible recommendations for practice. However, they are not very well known among the people responsible for risk and compliance topics in companies even though studies such as COSO and COBIT and relevant ISO standards influence the risk and compliance management processes significantly. The core of our plan, therefore, lies in making anti-corruption studies more well known by linking them with known concepts and implementing them practically using software-supported processes. The idea of considering anti-corruption topics as an important part of compliance processes is not new. This is because: On one hand, an internal control system according to COSO has, amongst other things, a clear anti-fraud focus On the other hand, the multiple compliance framework principle (i.e., the opportunity of mapping multiple customer-specific compliance dimensions) has become established in GRC applications and processes To get a better understanding of how a company can achieve its own anti-corruption objectives with the support of software, I would like to highlight this special focus to the maximum. However, I will start with the conceptual structure of an anti-corruption framework, which is independent of any particular software. 63

7 USING GRC TO FIGHT CORRUPTION: FROM THE CONCEPT TO IMPLEMENTATION Based on the familiar COSO cube, the 3D diagram of an anti-corruption framework shown in Figure 2.2 (for the sake of simplicity, I will call this the anti-cube) is intended to supplement the four process groups referred to above and summarize their most important properties. Figure 2.2: The anti-cube The three sides of the anti-cube summarize the following: on the top, you can see the most important content elements (or simply content); these elements are strongly rooted in the internal control system. As well as having anti-corruption-specific properties, the activity types (right-hand side of the anti-cube) are based on COSO components and identify activities. The activities are grouped in four process groups. Before we look at the individual sides of the anti-cube in more detail, I would like to explain how this still rather abstract construct should help you to automate GRC How do you get the anti-cube rolling? What does automating an anti-corruption initiative in a company mean, and how can you close the gap between concepts and the efficient and practical implementation of these concepts? In other words: how do you get the anti-cube rolling? And what do you want to achieve by doing so? To keep the concept as simple as possible, I will use an abstraction which, based on many years of experience in implementations in prac- 64

8 USING GRC TO FIGHT CORRUPTION: FROM THE CONCEPT TO IMPLEMENTATION tice, is very suitable on the one hand for explaining the principle of automation of the GRC processes to customers; and on the other hand, the abstraction is very suitable for planning and realizing corresponding implementation projects. This proven approach is based on connecting the following views: Content view: definition of the structure and contents of a GRC framework: organizational hierarchy, processes, risk categories, controls, risks, and much more. It is not simply a matter of creating as complete and correct an image of the risk and compliance landscape as possible; from a functional perspective, the GRC concept is also effective in the role concept and reporting, amongst other things. Process view: processes are made up of manual and automated steps that are enabled by authorization roles, workflows, and interface design. If we break down the complex facts in this way, we get the simplified representation shown in Figure 2.3: Figure 2.3: Abstraction of a GRC automation With regard to software-supported GRC automation, in general, the following applies: We can present it as documentation of the GRC content The elements of the GRC content are included in various activities (usually via workflows) with the aim of remaining informed about the status of things in GRC at all times by means of reporting 65

9 INDEX B Index A ABAP report 100 Access risk 85 Ad-hoc issue 97 Adobe Document Services 148 Adobe Flash Player 148 Adobe Interactive Forms 33 Adobe Reader 148 Alert 39, 105 Analysis profile 82 Analytic view 171 Analytical audit procedure 117 Anti-corruption declaration 114 Anti-corruption initiative 64, 69 Anti-corruption measure 61 Anti-cube 64 ASAP 160 Association view 172 Attribute view 171 Audit reform 119 Audit report 119 Audit universe 84 B Batch risk analysis 158 BC sets 156 Bribery 110 Business process control 68 Business rule 100 Business rule parameters 101 C Calculation view 171 CAPA 104 Cash register sales slip cancellation 133 CCM 39, 99, 101 Scenario type 99 Certifying business coalition 114 CHIP 194, 195 Collective action 49, 62, 114 Complaints 136 Compliance 13 Configurable rules 99 Conflict of interest 121 Control at company level 68 Control documentation 94 HTML5 32 Hybrid approach 94 Risk-based approach 94 Control risk assessment 94 Control transactions 131 Corruption 44, 107 Gray zone 108 Corruption tree 108 COSO 63, 67, 69 COSO ERM 70 Crystal Report Adaptor 149 Customer-specific fields 203 Cyber security

10 INDEX D Data source 99 Datamarts 206 Developer perspective 182 E Economic crime 45, 107 Eighth EU Directive 30 Embedded search 93 Enhancement 203 Enrichment view 172 Enterprise Risk Reporting 207 Entry page 194 EUBestG 110 Exception-based approach 38 Execution procedures 20 External auditing 116 External integration 38 F False positive 23 Feedback principle 73, 96 Field-based configuration 194 Financial statements 118 Foreign Corrupt Practices Act 112 Forensic 121 Fraud pattern 139 Fraud triangle 66 Fuzzy search logic 23 G General controls review 117 German Penal Code 110 Goods movements 131 Governance 13 GRC 13, 30 Authorization object 193 Automation 31 Connector 158 Framework 14 Integration Framework 99 Plug-ins 150 Process design 66 Reporting 41 Training courses 146 GRC BI content 205 GRC business case Expenses figures 51 ICS and the company value 52 Measurable efficiency benefit 57 Qualitative benefits 49 Sales figures 51 GRC object number range 153 GRC organization Acceptance 32 Acceptance within the company 27 Centralized 27 Challenges 26 Constructive GRC culture 28 Integrated approach 67 Lines of defense 24, 30 Reduction in administrative effort 59 Silo situation 27, 36 Gross risk 82 H Helpline 97 HTML4 32 HTML5 196 I ICAEW 120 ICoFR 94 ICS 36, 52, 93, See Internal control system ICS review 122 ICS-relevant service

11 INDEX IFAC 120 Immediate cancellation 137 Incident 97, 106 Insider speculation 110 Installation Guide 145 Institute of Internal Auditors 28 IntBestG 110 Integrity pact 114, 115 Internal audit 21, 28, 83 Internal control system (ICS) 31 Internal integration 36 Intrinsic honesty 112 Inventory differences 128 ISO Issue 104 K Key risk indicators (KRI) 39 L Launchpad 192 LDAP 41 Lines of defense 25, 27, 28 Loss 97 Loss management 106 M Manual control activity 95 Mass detection 159, 190 Master Data Upload Generator 124 Master Guide 145 Mitigating control 87 MSMP 88 Multiple compliance framework 67, 94 N Net risk 82 Network analysis 23 NWBC 193 O OData service 196 OECD 110 Online detection 159 Operational compliance 31 Organizational hierarchy 35 ORM 106 P Plug-in 99, 150 Point of sale 127 Policy 90 Policy Management 41 Policy scope 41, 91 Politically exposed person 22 Preconfigured workflow 95 Predictive analytics 20 Prevention 48 Price query 134 Price reduction 132 Principle of minimal assignment 75 Principle-based initiative 114 Product Availability Matrix (PAM) 147 Programmable rules 100 Q Quick view 100 R Remote Function Call (RFC) 99 RFC 158 Risk 221

12 INDEX Assessment 94 Category 79 Countermeasure 37 Documentation 79 Reduction 37, 50, 51 Risk bow tie representation 81 Risk management 36, 78 Risk Management 13 S S/4HANA 100 Sample-based detailed check 117 Sanction list 22 SAP Access Control 40, 41, 58, 75, 85, 158 Access Risk Analysis (ARA) Business Role Management (BRM) Emergency Access Management (EAM) User Access Management (UAM) 16 SAP Audit Management 21, 83 SAP BO Design Studio 206 SAP Business Partner Screening 22 SAP CAR 129 SAP Case Management 72, 152 SAP Document Management 90 SAP Enterprise Threat Detection 23 SAP ERP Retail 129 SAP Fiori 32, 148 Analytical apps 207 SAP Fiori apps 198 SAP FM Additional info procedure 181 Detection 48 Detection method 142, 186 Detection strategy 142, 187 Risk value 189 Execution procedure 181 Mapping procedure 181 Selection procedure 181 Test procedure 181 SAP Fraud Management 19, 39, 141 Access authorization 173 Calibration 189 Data Mining 184 Data model 164 Field Catalog 167 Implementation 160 Location parameter 177 Mass detection 20 Naming convention 167 Online detection 20 Out-of-the-box scenarios 162 Parameters 167 SAP HANA views 170 Source domain 174 SQL procedures 183 Wizard 182 SAP GRC solutions 15 SAP HANA 18, 24 Column-based storage 24 Row-based storage 24 View 100 SAP HANA Application Lifecycle Management 169 SAP HANA Design Studio 172 SAP Help for GRC 143 SAP Lumira 207 SAP Mobile Platform 200 SAP NetWeaver ABAP 148 SAP NW Gateway 200 SAP Policy Management (PM) 90, 104 SAP Portal 148, 193 SAP POS DTA 129 SAP Predictive Analytics

13 INDEX SAP Process Control 17 SAP PS 41, 104 SAP query 100 SAP Risk Management 17, 106 SAP standard content 156 SAP Tax Compliance 21 SAPUI5 32 Scoping 94 Security Guide 145 Segregation of duties 40, 70, 75 Segregation of duties risk 86 Selection view 172 Side panel 194 Sizing Guide 145 SoD 86 Review 88, 89 Risk analysis 100 Risk definition 75 Rule 156 SOX 30, 53 StGB 111 T Three Lines of Defense (TLoD) 24 TLOGF 130 Tobin s Quotient 53 Totals information 131 TREX 148 Turnbull Guidance 53 U UI role in GRC 192 User Access Review 86, 89 User-friendliness 32 UWG 111 W Walking strategy 202 Web browser 148 Web services 99, 151 Whistleblower 98,