www.pwc.be/erp
Pave the way: Build a value driven SAP GRC roadmap
March 2015

Agenda
- Introduction
- Measuring GRC Progression & Benchmarking
- GRC Program Roadmap
- Building a Business Case

Introduction: Pave the way
By the end of this session we intend to have given you the techniques and good practices that help in building a business case and a roadmap for your GRC program and technologies. We will explore the types of approaches that can be adopted to synchronize your organization in order to streamline activities, create efficiencies, enable effective reporting, and avoid redundancy.

Measuring GRC Progression & Benchmarking

Measuring GRC Progression
[Figure: automation maturity scale, from manual controls up to GRC technology enablement. Where do you fit on the scale?]

Control Mix Benchmarking
[Chart: number of automated and manual controls per client (C1 to C9; left axis 0 to 600), the percentage of automation per client (right axis 0% to 70%), and the average automation line across the sample.]
It is important to bear in mind that control standards will differ from client to client, and different individuals may even classify the same control differently; however, we can still draw some broad conclusions.

GRC Program Roadmap: An Example

GRC Program Roadmap Example: Introduction

1. Risk Assessment & Analysis of Existing Controls
- Gain an understanding of risks and controls.
- Analyze risks and controls against industry and leading practices.
- Provide recommendations and rationale for:
  - Missing risks;
  - Duplicate risks;
  - Any recommended changes to risk rating.

2. Risk & Controls Alignment
- Identify redundant controls, areas for risk and controls consolidation, and controls which can be centralized.
- Provide recommendations and rationale for which controls should be removed or streamlined.
- Identify maximum documentation requirements so that each control is documented once.

3. Automation of Controls & Streamlining Processes
- Identify areas where automation could be leveraged to reduce existing control effort. For example:
  - Workflow enablement of manual controls;
  - Preventive configuration in the system;
  - Restrictions of access;
  - Segregation of duties;
  - Near real-time analytics;
  - Workflow tooling (central provisioning, emergency user management, etc.).
- Document the business case and roadmap to implement the recommendations.

4. GRC Technology Enablement
- Leverage GRC technology to support the to-be control framework and the evaluation of that framework.
- Identify Continuous Control Monitoring opportunities.

5. GRC Program Maintenance
- Establish practices to maintain your control framework's design and keep it relevant. For example:
  - Incorporation of business, regulatory and technology changes;
  - Issues found incorporated into control design to prevent recurrences.
- Sustainable and efficient governance over the GRC technology.

GRC Program Roadmap Example: Ownership
An important piece of the GRC roadmap is establishing clear ownership and accountability. Ownership depends entirely on the size and structure of the organization; there is no one-size-fits-all. Here are some things you need to consider before initiating your program:
- Compliance team: if established and separate from Internal Audit, we typically see the compliance function own risk identification and the GRC program. If a separate compliance function does not exist, risk identification and the GRC program typically fall under Finance.
- Business users: all business units are responsible for the operation of controls. Finance has a greater responsibility from a compliance perspective.
- IT team: IT owns the technological components and supports the technology used for the GRC program.
- Internal Audit: Internal Audit has a stake in compliance and the GRC program, helping to establish that the controls are operating effectively.

Building a Business Case

Importance of the business case
Today's control environment: improved, robust, and efficient controls that leverage increased automation are becoming critical as the number and complexity of risks increase for companies. Companies need to invest in a technological infrastructure that supports increased automation, better reporting, and stronger overall controls governance.
Challenge: such initiatives are often shot down in the annual budgeting process because they compete with other company priorities. Companies are often only willing to invest in such technologies as a reactive response to audit or compliance failures or, worse, public embarrassment.
Solution: developing a strong business case with proper financial metrics can help pave the way for more proactive and progressive investment in controls automation technology at your company.

Building a business case: the process
Steps to build the case:
1. Define the opportunity
2. Identify your options
3. Gather information on your options
4. Analyze the information on your options
5. Choose an option and assess the risks
6. Create a high-level implementation plan
7. Communicate your case
Key financial metrics: payback period, net present value (NPV), return on investment (ROI).

Building a business case: ROI framework for automated controls
Return on investment (ROI): a financial ratio measuring the cash return from an investment relative to its cost for a stated period of time.

Estimate monetary benefits of automated controls (cost savings and direct benefits; for illustrative purposes only):

| Benefit area | FY '15 | FY '16 | FY '17 | FY '18 | FY '19 | Total | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Continuous Control Monitoring | | | | | | | |
| Cost savings by enabling CCM on existing controls | 58,080 | 58,080 | 58,080 | 58,080 | 58,080 | | Existing 33 automated controls will be subjected to CCM. |
| Cost savings by converting manual controls to automated: reduced operation cost associated with execution of controls | 23,040 | 23,040 | 23,040 | 23,040 | 23,040 | | 8 manual controls can potentially be converted to automated controls. |
| Cost savings by converting manual controls to automated: reduced testing cost | 14,080 | 14,080 | 14,080 | 14,080 | 14,080 | | 8 manual controls can potentially be converted to automated controls, eliminating the need to perform periodic substantive testing at each in-scope location. |
| Cost savings due to continuous monitoring (subtotal) | 95,200 | 95,200 | 95,200 | 95,200 | 95,200 | 476,000 | |
| Data Analytics | | | | | | | |
| Cost savings by enabling data analytics mechanisms (includes operation and testing savings) | 25,000 | 25,000 | 25,000 | 25,000 | 25,000 | | Assuming 25,000 analytics would be developed for XYZ. |
| Cost savings due to data analytics (subtotal) | 25,000 | 25,000 | 25,000 | 25,000 | 25,000 | 125,000 | |

Building a business case: ROI framework for automated controls (continued)
Estimate monetary benefits of automated controls. In building the business case a number of assumptions have been made in order to provide a comprehensive calculation of all the benefits and costs. Some of the assumptions listed below are derived from our experience but can be amended according to the company's specific requirements and characteristics (for illustrative purposes only; times are in hours, costs are per hour).

| # | Description | Assumption |
| --- | --- | --- |
| 1 | Average time testing each control (documenting and reviewing results) | 8 hours |
| 2 | Average number of times the controls are tested per year | 2 |
| 3 | Average time updating supporting controls documentation | 2 hours |
| 4 | Average time spent on remediation, reporting and decision making | 2 hours |
| 5 | Average monthly time spent to execute and document a manual control | 3 hours |
| 6 | Average hourly cost per employee | 80.00 |
| 7 | Average hourly cost for contractor assistance | 200.00 |
| 8 | Employee / contractor ratio | 3 |
| 9 | Weighted average cost per hour, blended between employee and contractor | 110.00 |
| 10 | Increased effectiveness of Internal Audit by leveraging GRC | 10% |

Building a business case: lessons learned
- Know your audience! Anticipate difficult questions ahead of time and provide appropriate information that aligns with the style of your leader.
- Cross-functional collaboration and support can be critical. Understand the organizational impacts of what is in your business case and engage with impacted stakeholders for support.
- The more subjective the estimate, the more communication and collaboration is recommended prior to submitting the case to senior leadership. Clearly define and communicate the assumptions that support estimates to gain others' confidence in your numbers.
- Know the budgeting process and budgeting calendar. Plan ahead!
- Get help from trusted advisors with appropriate subject matter expertise. Talk to other companies with experience in implementing automated controls technologies to establish additional internal credibility.

Your Questions

SAP GRC webcast series: Looking to better manage and govern access risk?
Date and time: 12 March 2015, 12:30pm to 13:30pm
What's in it for you?
- Discover SAP GRC 10.1 functionality via a live demo
- Learn about best practices to upgrade from older SAP GRC versions to version 10.1
- Interact in real time with experts with extensive hands-on SAP GRC experience
- Understand the latest SAP GRC Access Control 10.1 functionality and how it can help you improve access management processes
- Understand the upgrade track from older SAP GRC versions to v10.1
To subscribe to PwC's SAP GRC webcast series, please visit: http://www.pwc.be/en/pwc-academy/sap-webinar-grc.jhtml
Enter your email address to create or update your profile and manage your subscriptions.

For further information, please contact:
Wim Rymen, Director. Office: +32 (0) 2 710 7238. Cell: +32 (0) 473 269 227. E-mail: wim.rymen@be.pwc.com
Kris Wauters, Manager. Office: +32 (0) 2 710 4631. Cell: +32 (0) 499 558 949. E-mail: kris.wauters@be.pwc.com

The information contained in this document is shared as a matter of courtesy and for information or interest only. PwC has exercised reasonable professional care and diligence in the collection, processing, and reporting of this information. However, data used may be from third-party sources and PwC has not independently verified, validated, or audited such data. PwC does not warrant or assume any legal liability or responsibility for the accuracy, adequacy, completeness, availability and/or usefulness of any data, information, product, or process disclosed in this document; and is not responsible for any errors or omissions or for the results obtained from the use of such information. PwC gives no express or implied warranties, including, but not limited to, warranties of merchantability or fitness for a particular purpose or use. In no event shall PwC be liable for any indirect, special, or consequential damages in connection with use of this document or its content. Information presented herein by a third party is not authored, edited or reviewed by PwC, and PwC is not endorsing third parties or their views. Reproduction of this document or recording of its presentation, in whole or in part, in any form, is prohibited except with the prior written permission of PwC. Before making any decision or taking any action, you should consult a competent professional adviser. 2015 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.

Appendix: GRC Program Roadmap

GRC Program Roadmap Example, phase 1: Risk Assessment & Analysis of Existing Controls

Objectives:
- To acquire deeper insight into your processes, risks and existing controls.
- To socialize and obtain agreement on risks and risk ratings, as this assessment forms the basis for the control analysis performed in subsequent phases of the project.

What do we see?
- Risk assessment focused on SOX only, and not relevant to other areas of the business.
- Not used to prioritize controls coverage or GRC enablement.
- Not granular enough to be an actionable tool.

Recommended:
- Streamlining of risks to help establish that risks meeting multiple objectives (financial and operational) are identified.
- Gap analysis of risks against industry and SAP leading practice to identify any other areas for consideration.
- Alignment of SOX/compliance initiatives with other process improvement initiatives.
- Risk assessment to consider compliance and operational initiatives.

Value:
- This would allow you to identify areas of redundancy across regulatory and operational objectives and improve the rationalization effort.
- This could be utilized as the first step in building a business case for expansion of your GRC footprint.

GRC Program Roadmap Example, phase 1 (continued): Output
- Benchmark against other clients in the industry and against SAP Optimized.
- Assessment to determine whether the risks within the organization have been appropriately recognized. Examples of output include, but are not limited to:
  - Missing risks;
  - Duplicate risks; and
  - Any recommended changes to risk rating.
[Chart: benchmark percentage automation (0% to 70%) across Client 1 to Client 9 and Utility 1 to Utility 6, alongside the client's current state, the recommended state, and SAP Optimized.]
Example deliverables, illustrative only.

GRC Program Roadmap Example, phase 2: Risk & Controls Alignment

Objectives:
- Identify opportunities where controls could be eliminated or consolidated, and where new controls are required to mitigate new risks.
- Streamline controls to enable efficiencies in controls management.

What do we see?
- Focus on the number of controls, as opposed to the right controls to mitigate the risk.
- Access controls are not aligned to risks.
- Controls are mapped to risks, instead of risks driving controls.

Recommended:
- A thorough initiative to align controls to the organization's risks. This would enable you to identify areas of redundancy across regulatory and operational objectives and improve the rationalization effort.
- The risk and controls alignment could be used as the foundation for an initiative establishing key access control objectives across processes and regulations.

Value:
- Potential reduction and consolidation of controls.
- Potential reduction in time spent operating and evaluating the current framework.
- Less likelihood of audit conversations about control issues for controls which are not really key.
- A template to achieve coverage for any new areas.

GRC Program Roadmap Example, phase 2 (continued): Output
Assessment to align controls to risks. Examples of output include, but are not limited to:
- Controls which could be eliminated or consolidated;
- Controls which could be improved through better leverage of current technology (such as further automation); and
- New controls required to mitigate new risks.

Control recommendations, overview (example deliverables, illustrative only):

| | Current state | Recommended state |
| --- | --- | --- |
| Controls | 260 key controls for SOX | 87 key controls for SOX |
| Automation of controls | 21% automated controls | 52% automated controls |
| Manual report procedures | 48 key reports for SAP | 33 of 48 have automation or event-based reporting opportunities |

An example of a control in need of improvement: a client relied on restrictive access to purchase orders and segregation of duties between maintaining and approving a PO in order to mitigate the risk of POs being inappropriately approved. The control was incomplete because the release strategies were not configured: without a release strategy the system never requires the approval step, so the segregation between maintain and approve was never actually enforced.

GRC Program Roadmap Example, phase 3: Automation of Controls & Streamlining Processes

Objectives:
- Identify controls which could be enhanced through better leverage of current technology.
- Advise management of improvements that can be made which would require additional effort.
- Identify requirements and build a business case to obtain funding for any recommendations.

What do we see?
- "If it's not in SAP, it cannot be monitored."
- Controls governance model is not widely established or aligned.
- Business case does not exist or is not tangible.

Recommended:
- Perform an automation assessment. This will enable you to identify opportunities to reduce the effort of sustaining the environment and of operating controls and processes.
- Consider a pilot process. This has a few advantages, such as allowing for a prototyping approach, starting with a smaller investment, and enabling the development of a business case with real, achieved business savings.

Value:
- Increased leverage of SAP automation and investment.
- Potential reduction in time from the business to operate controls and processes.
- Automation at higher levels to help establish consistently implemented configurable controls.
- Transition from decentralized controls to centralized risk and controls.

GRC Program Roadmap Example, phase 3 (continued): Output
Output includes changes to controls. Examples include, but are not limited to:
- Controls and processes which can be automated in SAP or other technology. For example: a client placed a high amount of rigor on a number of manual physical inventory controls in order to gain comfort around the accuracy of their inventory balances. The recommendation removed emphasis from time-consuming processes and instead identified an opportunity to automate inventory cycle count initiation;
- Controls and processes which can be automated in GRC. For example: a client who currently spends significant time manually provisioning users, while utilizing a GRC tool to preventatively assess SoD and sensitive access. This review identified an opportunity to enhance existing technologies to automate user provisioning through workflow;
- Event-based reporting opportunities;
- Workflow enablement for manual controls; and
- Continuous control monitoring (CCM) opportunities for current and proposed configurable controls.
For automation opportunities, effort efficiency estimates can be provided to compare the existing state to the proposed state, enabling management to prioritize activities.

Efficiency estimates (example ITGC process), overview (example deliverables, illustrative only):

| Process | Hours a year | Days a year |
| --- | --- | --- |
| Change management | 2,992 | 374 |
| User access management | 15,471 | 1,934 |
| Systems management | 1,012 | 126.5 |
| Total | 19,475 | 2,435 |
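Both the maintain/approve PO example in the Risk & Controls Alignment output and the provisioning example above come down to the same mechanism: a rule set that says which business functions one person must not hold together, run detectively over the user population and preventively inside the provisioning workflow before a role request is approved. The following Python is an added example of that mechanism, not PwC's, SAP's or any GRC product's code. The role names and user-to-role assignments are constructed sample data; ME21N, ME22N, ME23N and ME29N are standard SAP purchasing transaction codes used here only as labels for "maintain PO", "display PO" and "release (approve) PO"; the rule id P2P-01 and its wording are invented for the example.

```python
"""Segregation-of-duties (SoD) check of the kind a GRC access-risk rule set performs.

Added example; not PwC's, SAP's or any GRC product's code. Role names and the
user-to-role assignments are constructed sample data. ME21N / ME22N / ME29N /
ME23N are standard SAP purchasing transaction codes used here only as labels
for "maintain PO", "release (approve) PO" and "display PO". Rule P2P-01 is the
maintain/approve PO conflict the deck describes; its id and text are invented.
"""

# Constructed: transactions each role grants (in SAP terms, S_TCODE authorizations).
ROLE_TCODES = {
    "Z_PURCHASER": {"ME21N", "ME22N"},        # create / change purchase order
    "Z_PO_APPROVER": {"ME29N"},               # release (approve) purchase order
    "Z_PO_DISPLAY": {"ME23N"},                # display only, conflicts with nothing
    "Z_FIREFIGHTER_P2P": {"ME21N", "ME29N"},  # emergency-access role: conflicting on its own
}

# Business functions, each defined by the transactions that can perform it.
FUNCTIONS = {
    "PO_MAINTAIN": {"ME21N", "ME22N"},
    "PO_RELEASE": {"ME29N"},
}

# Risk rules: pairs of functions that one person must not hold together.
SOD_RULES = {
    "P2P-01": ("PO_MAINTAIN", "PO_RELEASE",
               "Can create a purchase order and approve it, defeating the release control"),
}


def user_tcodes(roles):
    """Union of the transactions granted by a set of roles (unknown roles grant nothing)."""
    return set().union(*(ROLE_TCODES.get(r, set()) for r in roles))


def functions_held(tcodes):
    """Functions a user can execute: any one transaction of the function is enough."""
    return {name for name, needed in FUNCTIONS.items() if tcodes & needed}


def sod_violations(roles):
    """Detective check: sorted rule ids violated by this combination of roles."""
    held = functions_held(user_tcodes(roles))
    return sorted(rid for rid, (f1, f2, _) in SOD_RULES.items() if f1 in held and f2 in held)


def simulate_provisioning(current_roles, requested_role):
    """Preventive check for a provisioning workflow: violations the request would introduce.

    Pre-existing violations are not counted, so an already-conflicted user is
    surfaced by scan_users(), not blocked by every later harmless request.
    """
    before = set(sod_violations(current_roles))
    after = set(sod_violations(set(current_roles) | {requested_role}))
    return sorted(after - before)


def scan_users(assignments):
    """Detective review over a user -> roles mapping; only violating users are returned."""
    return {user: v for user, roles in assignments.items() if (v := sod_violations(roles))}


# Constructed sample population.
USER_ROLES = {
    "alice": {"Z_PURCHASER"},
    "bob": {"Z_PO_APPROVER", "Z_PO_DISPLAY"},
    "carol": {"Z_PURCHASER", "Z_PO_APPROVER"},
    "ff01": {"Z_FIREFIGHTER_P2P"},
}

if __name__ == "__main__":
    print("violations:", scan_users(USER_ROLES))
    print("alice + Z_PO_APPROVER:", simulate_provisioning(USER_ROLES["alice"], "Z_PO_APPROVER"))
    print("alice + Z_PO_DISPLAY:", simulate_provisioning(USER_ROLES["alice"], "Z_PO_DISPLAY"))
```

A clean SoD report is necessary but not sufficient. The rule assumes that a purchase order actually has to pass through the release transaction before it takes effect; if no release strategy is configured, no release is ever required and the control is incomplete in exactly the way the Risk & Controls Alignment example describes. An automation assessment should therefore check the preventive configuration (the release strategy) alongside the access rules, and treat emergency-access roles such as the firefighter role above as conflicting by design, to be covered by emergency access management and log review rather than by the standing rule set.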

GRC Program Roadmap Example, phase 4: GRC Technology Enablement

Objectives:
- Identify new and existing technologies to support your rationalized and improved framework together with your processes.

What do we see?
- Systems and functionality selected before requirements are defined.
- Biting off more than you can chew.
- Unrealistic expectations.

Recommended:
- Utilize the recommendations from the prior phases to develop the in-depth path and multi-year plan.
- Facilitating a deep dive into at least one business process will give you a tangible understanding of the types of technology you would want to consider and of the potential efficiencies of these enhancements, to establish the business case and prioritization. This plan can be revised and enhanced as you analyze the other processes.

Value:
- Early detection and remediation of control issues.
- Increased return on the GRC investment by expanding the functional use to support and monitor the control framework.
- Potential operational, financial and regulatory compliance efficiencies can be realized by automating various time-consuming processes.

GRC Program Roadmap Example, phase 4 (continued)
Capabilities assessment: inventory requirements and plot these against existing and potentially new technologies. Set expectations of what the solutions will and will not do in terms of capabilities.

| Tooling requirement | Existing technology | Enhance existing technology | New technology |
| --- | --- | --- | --- |
| SoD / sensitive access detective reviews | Solution A | | |
| Emergency access management | | Solution A | |
| Controls documentation in GRC tool | | | |
| Workflow enablement of manual controls | | | Solution B |

Prioritize and determine the optimum sequence: prioritize the actions with a focus on return on investment or, alternatively, business issues. The organization needs to understand the impact of extending usage of existing technologies and of introducing new technologies. Based on the impact and prioritization, a sequence should then be defined to facilitate effective and efficient integration.

GRC Program Roadmap Example, phase 4 (continued): Output
- Overall program business case for supporting the control environment and supporting processes with GRC technologies. This will take into consideration the risks and regulations of the organization.
- A phased technology roadmap with sequenced activities based on prioritization.
- A target operating model (TOM) for the GRC program covering most aspects of control management and GRC usage.

GRC Program Roadmap Example, phase 5: GRC Program Maintenance

Objectives:
- Establish practices to maintain your control framework's design and keep it relevant.

What do we see?
- The ongoing GRC program is not properly aligned with management's strategy.
- The deployed governance model is not living and breathing.

Recommended: the maintenance program should include:
i. Definition of policies and procedures to embed technologies within the governance model.
ii. Protocols to incorporate new risks, controls and business changes as the company grows and matures.
iii. IT management procedures for new technologies.
iv. Identification of GRC stakeholders to facilitate adequate involvement from the business, integration with IT, internal audit and compliance, and value to the organization as a whole.
v. A GRC operating model to maintain the GRC program and roadmap.

Value:
- Less likelihood of needing a risk rationalization in future years, as it will be part of ongoing maintenance.
- Potential reduction in the cost to sustain the environment and compliance.