How To Manage Enterprise And Cyber Risk Using The COSO Framework with SAP GRC Solutions

Transcription

How to Manage Enterprise and Cyber Risk Using the COSO Framework with SAP GRC Solutions
James Chiu, Director, Solution Management, SAP
Anne Marie Colombo, Cybersecurity Solution Advisor, SAP
Session ID # ASUG 84022
May 7 – 9, 2019

About the Speakers
James Chiu, CPA, CISSP, SAP GRC Solution Owner, SAP. Solution owner of SAP Audit Management, Process Control, and Risk Management. He has been involved with audit, risk, and compliance management and software at professional services firms and SAP for over 20 years.
Anne Marie Colombo, CISSP, Cybersecurity Advisor, SAP. Security professional, 12 years, SAP Identity Access Management solutions including Single Sign-on, Data Protection, and Encryption solutions.

SAP Risk Management: Preserve and grow value
Plan: Plan risk management within the context of value to the organization
Identify: Link risks, risk drivers, risk indicators, impacts and responses
Analyze: Analyze risk via scenarios, modeling, and other factors to understand exposure
Respond: Respond to risk after balancing costs and benefits
Monitor and report: Monitor thresholds, effectiveness of risk responses, and corrective actions
(Center of the cycle: Enterprise risk and compliance)

How SAP is recording the risk information and assessing it
Compliance requirements: Mandatory for SAP to comply with (size represents scope)

Plan – value proposition from planning and prioritization
Planning requires prioritization. Identify the value drivers of the business and focus on how value is created and destroyed.
Align risk management with strategies and opportunities: Document risks and link to business objectives
Model and align risks to org structure: Utilize organizational hierarchies and flexible activity structures
Create/leverage risk and activity catalogs: Use standard risk templates for consistency
Document risk appetite: Assign thresholds for inherent, planned, and residual risk
Guiding questions: What drives the value of the business? What activities support that value? Scan the horizon for emerging risks.

Identify – value proposition
Risks to the business are more reliably identified by business users using tools to engage the business owners.
Utilize surveys and charting capabilities: Harness the wisdom of business managers with surveys for identifying and assessing risks
Aggregate by organization category: Map risks to organization hierarchy to manage accountability
Identify risk impacts: Standardize risk management and make it scalable
Prioritize via an individualized heat map: Add value by aligning risk appetite with the needs of the business; preserve value by identifying unnecessary risks

Analyze – value proposition
Analysis of risks provides insight. Quantitative tools provide the basis for risk acceptance or rejection.
Use modeling scenarios such as Monte Carlo simulation: Understand the probable losses
Determine inherent, residual, and planned residual risk levels: Gain insight into the profile of risk levels
Run “what-if” scenarios: Anticipate impacts of related risks
Incorporate qualitative and quantitative factors including velocity: Factor in management’s judgement
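As an added illustration of the Monte Carlo analysis this slide names (example code written for this transcription, not SAP Risk Management's own implementation), the block below simulates annual loss for one risk, derives inherent and residual loss profiles, and compares them against a documented risk appetite threshold. The likelihood, impact range, control effectiveness and threshold are constructed sample values.

```python
import random
import statistics

def simulate_annual_losses(likelihood, impact_low, impact_high, trials, seed=1):
    """Monte Carlo: each trial is one simulated year. The event occurs with
    probability `likelihood`; if it occurs the loss is drawn uniformly from
    [impact_low, impact_high]. Both random draws are consumed every trial so
    that two runs with the same seed differ only in the likelihood applied."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        occurs = rng.random() < likelihood
        impact = rng.uniform(impact_low, impact_high)
        losses.append(impact if occurs else 0.0)
    return losses

def summarize(losses):
    """Probable-loss profile: expected annual loss, 95th percentile, worst case."""
    ordered = sorted(losses)
    p95 = ordered[int(0.95 * (len(ordered) - 1))]
    return {"expected": statistics.fmean(ordered), "p95": p95, "max": ordered[-1]}

def risk_levels(likelihood, impact_low, impact_high, control_effect, trials=10000):
    """Inherent level uses the raw likelihood; residual level assumes the
    planned control reduces likelihood by `control_effect` (0.0 to 1.0)."""
    inherent = summarize(simulate_annual_losses(likelihood, impact_low, impact_high, trials))
    residual_likelihood = likelihood * (1.0 - control_effect)
    residual = summarize(simulate_annual_losses(residual_likelihood, impact_low, impact_high, trials))
    return inherent, residual

def exceeds_appetite(profile, threshold):
    """Threshold check against the documented risk appetite (expected annual loss)."""
    return profile["expected"] > threshold

# Constructed sample: 30% annual likelihood, impact 100k-500k, control halves
# the likelihood, appetite threshold of 60k expected annual loss.
INHERENT, RESIDUAL = risk_levels(0.30, 100_000, 500_000, 0.5)
APPETITE = 60_000

if __name__ == "__main__":
    print("inherent", INHERENT, "exceeds appetite:", exceeds_appetite(INHERENT, APPETITE))
    print("residual", RESIDUAL, "exceeds appetite:", exceeds_appetite(RESIDUAL, APPETITE))
```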

Respond – value proposition
Value is created only when risk is accepted responsibly for value-adding activities. Value is preserved when risk is minimized in non-value-adding supporting activities.
Document responses: Ensure risks are managed consistently across the organization
Assign accountability: Ensure risks are not orphaned
Launch a workflow-driven response with remediation tracking: Create consistent, efficient, and auditable responses
Integrate with SAP Process Control and SAP Audit Management: Leverage the common frameworks across the three lines of defense

Monitor and report – the value proposition
Boards, executives, and stakeholders have oversight responsibilities that require monitoring and reporting capabilities.
Analytics and reports including heat maps: Visualize the distribution and level of risks
Notifications to risk owners via automated alerts and KRIs: Proactively respond to changes
Monitoring of response effectiveness: Maximize value and minimize losses
Assessment of impact on business objectives: Provide insight to the business

SAP Process Control: Help ensure effective controls and on-going compliance
Document: Single source of truth shared across the enterprise
Plan: Planning of focused actions to help ensure timeliness
Perform and monitor: Streamlined manual and automated performance
Evaluate: End-to-end test and issue resolution
Report: Insightful reporting for analysis and accountability
(Center of the cycle: Enterprise risk and compliance)

Document – value proposition
Streamlined, scalable support for multiple compliance regulations. Harmonized controls across financial and operational regulations.
Wherever you are, whatever regulations or company initiatives you are subject to, SAP Process Control can help you break down silos among your multiple GRC initiatives.
Reduce effort and cost: By sharing documentation and test results across regulations and company initiatives
Maintain accountability: By establishing geographic and regulatory ownership across the global enterprise
Harmonize and scale: With centralized maintenance of documentation and optional local variation and language support

Plan – value proposition
Risk assessments performed periodically. Determination of scope and test strategies.
Not all internal controls are of equal importance. With top-down, risk-based scoping, SAP Process Control can help you focus your documentation and test efforts.
Determine scope: By reviewing account materiality, as well as subprocess and control risk
Use resources wisely: By implementing risk-based test strategies that neither overtest nor undertest controls
Automate: Through selection of controls and transmittal of an evaluation workflow based on test strategies

Perform and monitor – value proposition
Automated control testing for SAP and non-SAP software systems. Exception-based, continuous control monitoring.
Looking for a way to do more with less? Continuous control monitoring and automated testing can reduce workload for business users and internal auditors while increasing timeliness and reliability.
Create your own rules: Without programming, and deploy them across organizations using configurable parameters
Find issues faster: By scheduling continuous control monitoring to run on a recurring basis – “set it and forget it”
Manage by exception: By routing only exceptions through the workflow to the right person to review and correct, if needed

Automated control testing and monitoring of process flow
A high-level view of CCM process flow in SAP Process Control (diagram):
Define data sources and business rules: Delivered rules and configurable rules and queries; configurable deficiencies; master data controls; non-SAP sources
Map to controls: FIN, O2C, P2P, HR, IT, Fixed assets
Trigger: Scheduling
Analyze and report: Dashboards and analytics; routing of workflow; reports; audit trail
(One element is marked “Optional in version 12.0” on the diagram.)
FIN finance; O2C order to cash; P2P procure to pay

Defining data sources
Where is the data? SAP S/4HANA, SAP ECC, Other SAP, Non-SAP
How to find it: HANA View, Connectors, SAP Query, Programmed, BW Query, Other Ways
How to refine it: SOD (AC), Field Selection and Labels, Configurable, Filters

Evaluate – value proposition
Comprehensive control performance, evaluations, and issue management. Clear ownership and accountability with best-practice workflows.
Regardless of whether you evaluate your controls with self-assessments or more-formal tests of effectiveness, SAP Process Control can streamline workflow-driven processes either online or offline.
Assign ownership and responsibility: Without the need for IT authorization or workflow experts
Avoid missed deadlines: Through automatic release of e-mail-based reminders and escalations
Track it all: With detailed tracking of control performance, evaluations, issues, and remediation plans

Report – value proposition
Insightful analytics to support decisions and promote accountability. Built-in or custom reports with the SAP BusinessObjects Business Intelligence (BI) suite.
Whether you are tracking compliance status or producing year-end reports, SAP Process Control provides a variety of standard, configurable, and custom reporting options.
Use extensive standard reports: To get deep and real-time insight into the status of your controls and critical issues
Take action: By identifying the source of problems through drilling down to the most-granular details, if necessary
Build your own: By slicing and dicing data for deeper analyses with powerful visualization possibilities

Leveraging SAP Risk Management integration
With SAP Risk Management product integration: Policies can be assigned as risk responses to reduce residual risk, depending upon completeness and effectiveness of the policy.

Simplified view of integration for three lines of defense
SAP Risk Management: Identify and Assess Risks, Respond, and Report
SAP Process Control: Document Control Environment and Policies; Perform, Monitor, and Evaluate Controls; Remediate Issues
SAP Business Integrity Screening: Detection Strategies and Alerts
SAP Audit Management: Plan and Execute Audits and Report Results
Data sources: SAP S/4HANA, SAP ECC, Other SAP, Non-SAP (Configuration, Master Data, Transactions, Logs)
Risks and controls are shared to create a consistent enterprise view.
Risks and controls plus test, monitoring, and screening results can be used to streamline audit performance.
SAP S/4HANA, SAP ECC, Other SAP, and Non-SAP data is available for monitoring risk indicators, controls, anomalies, and business partners.
Reports to management include comprehensive and consistent information from across the enterprise.


Demo steps
Overview of implementation of risk monitoring for SAP Enterprise Threat Detection
Create risk monitoring rules
Check threshold violation
Display risk heatmap
Display NIST requirements
Show remediation steps

DEMO

Thank you
James Chiu, CPA, CISSP, GRC Solution Owner
Anne Marie Colombo, CISSP, Cybersecurity Solution m

THANK YOU
