SAP Solution Brief SAP Solutions for Governance, Risk, and Compliance

BUSINESS PROCESS CONTROL MANAGEMENT

INTEGRATED END-TO-END COMPLIANCE MANAGEMENT

The SAP GRC Process Control application provides a control management solution that integrates endto-end compliance activities from documenting business processes and identifying risks to deploying the right controls and testing them before management certification.

Simplify Compliance Management Across Business Processes

SAP solutions for governance, risk, and compliance (SAP solutions for GRC) help organizations establish a Poor corporate governance has resulted reputation of accountability and responin a number of well-publicized scandals sibility by providing operational transparthat have led to an avalanche of new ency. The solutions also provide evidence government mandates and regulations that organizations are conducting business requiring companies to implement busiwithin ethical standards and regulatory ness controls and prove their effectivemandates. SAP solutions for GRC instill ness. At the same time, company stake- proper executive oversight, expose and holders now demand evidence that mitigate risks, and implement controls organizations are conducting operations to ensure compliance with regulations effectively and profitably but within the and corporate policy. guidelines of corporate accountability and responsibility that those stakehold- For example, with the SAP GRC Process ers expect to be upheld. Control application part of SAP solutions for GRC you can embed a rich Most businesses have responded by set of rationalized, automated controls implementing a series of fragmented, into cross-enterprise business protactical, one-off projects to address cesses. Using the application to implegovernance, risk, and compliance (GRC) ment effective GRC practices actually issues. These are usually manual efforts improves operational effectiveness by that result in duplicated activities, high ensuring that daily business activities costs, and limited GRC effectiveness. align with the strategies and policies But building effective GRC controls into developed by executive management. processes is no simple task. You need And it can significantly increase the to be able to document and monitor level of confidence that executives have business processes that cross multiple in the integrity of corporate financial enterprise divisions and regions, span statements. entire process chains, and are supported by multiple, disconnected IT applications. Mitigate Risks by Implementing Your business processes and the vari- Business Controls ous regulations impacting them may SAP GRC Process Control lets you also vary by country or business unit, which further complicates GRC efforts. significantly reduce costly manual When you try to manage GRC activities control activities and centrally monitor manually, without supporting technology key controls to ensure accountability to automate processes, you run the risk across the organization, as illustrated in the figure. In addition, the software that control steps are not performed helps ensure that your organization properly, if at all which can lead to meets compliance mandates in a timely, critical weaknesses.

The SAP GRC Process Control Application: Optimized Business Processes Monitor and Remediate Monitor Exceptions Remediate Issues Mitigate risks by implementing business controls Operational controls Financial controls IT controls Reduce costs by utilizing a controls engine Deliver automated controls Automate process for manual controls Optimize business processes Continuous control monitoring Cross-enterprise integration

Control Activities

Automated Controls

Guided Business Procedures

Assessments

Business Processes

IT Infrastructure FIN SCM SRM Back-End Solutions MFG HR

Control Environment Regulations

FIN = Finance

Risk Process Objective Control Frameworks Corporate Policies Best Practices

MFG = Manufacturing

SCM = Supply Chain Management

SRM = Supplier Relationship Management

Functionality of SAP GRC Process Control

cost-effective fashion while optimizing operational efficiency. You also gain complete visibility into process controls to ensure that they are operating as designed and you can trust the data provided to regulatory bodies. SAP GRC Process Control applies a risk-based approach to setting up your control environment and identifying the most effective controls to achieve compliance. You can create a library of all process documentation, risks, and controls across the enterprise and centralize process control management. You can also test controls for key risks using a combination of monitoring for automated controls, testing for manual controls, and self-assessments. As a result, you can establish controls that promote desired organizational behavior

and optimize business processes, as well as ensure that your organization meets compliance mandates on time and cost-effectively. Use Work Centers to Simplify and Streamline Activities SAP GRC Process Control uses work centers that group tasks on the basis of a logical process flow for control and compliance activities. You can use the following work centers: Home work center Gain full visibility into business control metrics to identify control gaps, and gain fast access to personalized task lists Compliance structures work center Create and maintain objects representing organizations, processes, controls, significant accounts, and entity-level controls all within a central database

Evaluation setup work center Embed automated controls (both predefined and custom) and manual controls within business processes and schedules; execute tests of controls; and define and schedule self-assessment surveys Evaluation results work center Manage compliance activities resulting from issues related to control exceptions or self-assessments, as well as evaluate issues and establish remediation activities as needed all with a complete audit trail Certification work center Automatically trigger formal, sequential internal control sign-offs by appropriate executives, and track the progress of sign-offs across the organization User access work center Assign user access, roles, and responsibilities without IT assistance

Deploy and Manage Controls to Optimize Business Processes

SAP GRC Process Control addresses the full range of enterprise control management needs by supporting the following activities. Centralize Control Management Good governance requires a single system of record to ensure consistent, effective, and efficient coverage of regulatory frameworks, laws, and internal company policies. Now you can document and centrally store records for all GRC information across the enterprise. The software leverages this data, linking risks and controls to multiple security and control frameworks (such as Committee of Sponsoring Organizations of the Treadway Commission [COSO] and Control Objectives for Information and Related Technologies [COBIT]) and regulatory requirements. As a result, you gain a clear understanding of your enterprise control matrix and the ability to identify critical control gaps, maximize opportunities to reuse controls, and increase business predictability and shareholder value. Increase Confidence in Controls Through Continuous Monitoring SAP GRC Process Control uses automated controls to continuously monitor business processes for fraud, abuse, and inefficiencies, so you can reduce costs without compromising compliance. The software continuously checks for weaknesses in controls, including master data, system configuration, and transactions, and flags risky transactions across critical processes. The software also integrates directly with enterprise applications to eliminate false positives

and enables you to drill down on supporting data for faster remediation. SAP GRC Process Control delivers predefined, automated controls for the following business processes: Reconcile to report Closely monitor subledgers, general ledgers, and financial consolidations, as well as streamline closing processes Order to cash Use automated process control monitoring to identify revenue leakage and fraudulent activities across processes and applications Procure to pay Enforce procurement policies and reduce spending to increase the effectiveness of purchasing, inventory, and accounts payable applications System security management Monitor controls across the IT landscape With SAP GRC Process Control, you can also monitor cross-enterprise business processes through support from SAP partners. SAP partners provide predelivered, automated controls for multiple back-end software systems such as SAP, Oracle, and PeopleSoft software. These controls can also help you integrate legacy systems. Ensure Reliability of Manual Control Activities While automated controls and continuous monitoring can be used to address many control activities, others require human intervention. SAP GRC Process Control supports your use of manual control activities using structured, workflow-driven procedures that automatically notify appropriate personnel of tasks and action items and escalate

or reroute notifications when control testers dont respond quickly. Guided procedures walk testers through stepby-step processes, and approved spreadsheet templates and policy documents help minimize data collection errors. The software maintains a complete audit trail and change history of activities performed. Manage Exceptions to Prevent Material Weaknesses SAP GRC Process Control helps you prevent control exceptions from turning into material weaknesses by providing real-time visibility into all compliance activities. The software also provides a centralized remediation workbench that allows you to assign cases to fix control exceptions. All remedial actions are tracked, documented, and measured, so nothing escapes your attention. The software also automatically generates an audit trail for all activities related to control issues, which helps you lower audit costs. Analyze Data and Create Reports SAP GRC Process Control comes with over 25 predelivered compliance reports, which are organized by function for easy selection. You can select, remove, and rearrange report data columns as needed. In addition, the software integrates with the SAP NetWeaver Business Intelligence component, which enables more sophisticated data analysis, trending, and decision support. This integration is used to provide a graphical global heat map that superimposes your enterprise over a map of the world or a particular operating region, so you can instantly identify trouble spots for control exceptions and drill down to find root causes.

QUICK FACTS

www.sap.com /contactsap

Summary The SAP GRC Process Control application lets you centralize control management by embedding automated controls into your cross-enterprise business processes. You can move away from resource-intensive manual control activities to address critical business risks with a rationalized set of automated controls. This helps you ensure that your organization meets compliance mandates in the most timely and cost-effective fashion while optimizing operational efficiency. Challenges Centralize business process control to attain enterprise and cross-enterprise-wide visibility Automate control processes to improve efficiency and reduce costs Optimize operations across the enterprise without compromising compliance Ensure the security of your operations to meet regulatory standards Reduce the audit effort required to ensure compliance Supported Business Processes and Software Functions Automated control processes Transform your manual and piecemeal compliance activities into automated and simplified real-time control management processes Centralized process control Establish controls across multiple business processes for key risks Reduced operation costs Deploy predefined, automated control tests across multiple organizations and business units to reduce the number of controls that must be maintained Effective management of business control risks Gain a global view of complex control environments to identify and address control gaps Business Benets Streamline process control through automated and simplified real-time control management Reduce costs by centralizing and automating key monitoring, assessment, and control activities Mitigate risks by monitoring an intuitive, hierarchical representation of complex control environments to identify control gaps Optimize performance by analyzing activity trends and patterns Secure access to critical information with role-based software For More Information To find out more about SAP GRC Process Control and other offerings within SAP solutions for governance, risk, and compliance, visit www.sap.com/grc.
50 082 138 (08/03) 2008 by SAP AG. All rights reserved. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its aliated companies (SAP Group) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.