Optimization Framework
Clark Oeler
Deloitte & Touche LLP
Produced by Wellesley Information Services, LLC, publisher of SAPinsider. 2016 Wellesley Information Services. All rights reserved.
In This Session

The challenge

Greater focus on increasing performance and maximizing productivity has led to business reorganization, reductions in staff, complex relationships with customers and third parties, increased risk of employee fraud, and increasingly complex systems. These changes can create challenges aligning effective, efficient, and sustainable controls.

Many organizations have made significant investments improving and tightening controls, particularly in response to new regulatory requirements, but sometimes at the expense of efficiency.

In challenging times, even the most mature organizations consider whether their controls are relevant, efficient, and adaptable.

The opportunity

Many large organizations cannot operate effectively without an optimized control framework. Adequately designed controls help organizations manage critical risks and proactively plan for the future.

Getting controls wrong wastes resources, leaves organizations exposed, increases compliance costs, and distracts management from running the business.

Getting controls right enables organizations to effectively manage risks. It also keeps costs down, protects revenue, secures assets, and supports enhancing operations, managing performance, and minimizing costs.

Business performance can be enhanced by improving the effectiveness of controls across functions closely linked to the financial statements.

compliance obligations.

When management knows that they have the right controls, they can rely on those controls to manage the potential risks.
In This Session (cont.)

Learn:
Key reasons for optimizing SAP Controls framework
Build a foundation for technology enablement, automation, and continuous controls monitoring
Leverage corporate or system initiatives to optimize SAP controls

SAP Teams
Internal Audit
Business Owners
What We'll Cover

Approach
Technology enablement
Wrap-up
Need for Controls Optimization

Addressing SAP Controls Optimization can be an important strategy for your enterprise initiatives and your compliance requirements.

Enterprise Initiatives
Set out a clear definition of how your enterprise initiative can ascertain that appropriate security and controls are implemented
Appropriate controls are optimized during the initiatives to ensure that risk considerations can be assessed and dealt with in a cost-effective and efficient manner

Scope
SAP Business Process Controls
SAP Application Security
Data Quality and Integrity
Infrastructure Security and Controls

Compliance Requirements
Provides focused risk assessment and control activities to address material business processes and information technology (IT) systems
Provides management with foundational control frameworks that form basis of ongoing assessment and monitoring

SAP Controls Optimization is an important component that can help bridge these two states.
Defining Success: Five Key Attributes
Attribute 1: Governance

Controls Group
Develops and maintains baseline components of control structure
Develops and maintains the control methodology, tools, and approach for SAP optimization
Updates and optimizes baseline control structure
Provides Business Unit with internal controls subject matter expert support
Manages integration to testing program
Provides Internal Audit support, remediation support, etc.

Business Unit
Accountable for business processes and documentation, maintenance, and execution of related internal controls
Periodically assesses and asserts on risk management and the control environment
Develops and implements action plans for improvement based on Controls and Audit feedback
Adjusts and updates the control baseline documentation to reflect Business-Unit-specific processes and controls

Monitor and Evaluate
Periodically assesses the adequacy of the control baseline maintained by Controls Group
Audits business processes and operational effectiveness of the Business Unit (financial, IT, operational audits)
Attribute 1: Governance (cont.)
Attribute 1: Governance (cont.)
A set of roles and responsibilities that balances design, operation, assessment, and
Attribute 2: Approach

Two approaches are possible to SAP optimization: a review of existing frameworks or a control redesign approach.

Approaches to Optimization

Top-Down Rationalization
Approach/Scope: Management to rationalize existing control frameworks across and between locations
Outcomes: Apply principles of control rationalization, including:
  Risk-based scoping and risk assessment
  Review of multi-location scoping
  Top-down approach to controls identification
  Consider approaches for automation
  Risk-based testing strategy and design
A pilot or proof-of-concept location would be selected to start with a roll-out strategy for deployment of rationalization and localization guidelines.

Controls Redesign/Bottom-Up
Approach/Scope: Management to select geography, business units, or location to conduct bottom-up control redesign
Outcomes: Controls redesign approach may leverage in-progress SAP implementation or other initiative. Goal is to create a common control framework for rollout to additional geographies, business units, or locations. Principles of control rationalization would be followed (risk-based scoping, top-down approach, etc.). Common control framework would be the basis for deployment to other locations, along with localization guidelines.
Attribute 2: Approach - Top-Down Optimization

A top-down optimization can start with existing frameworks. This can be performed with a pilot or reviewed across business units and processes. Steps to take include:
Top-down risk-based scoping
Address multi-location/
Entity-level controls
IT general controls
Risk-based testing

Copyright 2016 Deloitte Development LLC. All rights reserved.

Attribute 2: Approach - Top-Down Optimization (cont.)

Attribute 2: Approach - Top-Down Assessment

Attribute 2: Approach - Controls Redesign Approach
Attribute 2: Approach
Has SAP control optimization been applied previously, including top-down scoping,
review of entity-level, process controls, IT general controls?
Have testing plans been reviewed?
Attribute 2: Approach (cont.)
Are there current enterprise initiatives suitable for controls redesign as a pilot or to
build a common controls framework?
Do processes and approaches exist for controls design in an implementation?
Attribute 2: Approach (cont.)
Attribute 3: Technology Enablement

SAP Control Optimization should leverage technology to enhance the streamlining and efficiency of the controls program. Areas of technology enablement for optimization include:
Access and Security Controls
Controls Automation
Attribute 3: Technology Enablement (cont.)

SAP GRC 10.1 and its modules can contribute to SAP Controls Optimization through enablement, automation, and efficiency:

Access Control: Manage access risk and prevent fraud
Process Control: Ensure effective controls and ongoing compliance
Risk Management: Preserve and grow value
Fraud Management: Achieve effective and efficient fraud management
Global Trade Services: Optimize global trade and screen restricted parties
Sustainability Management: Manage environmental compliance
Audit Management: Drive a unified fraud management function
Attribute 3: Technology Enablement (cont.)
SAP GRC 10.1 Access Control
Some benefits to SAP Control Optimization:
Automate segregation of duties (SOD) management
Attribute 3: Technology Enablement (cont.)
SAP GRC 10.1 Process Control
Some benefits to SAP Control Optimization:
Automate business controls
Attribute 3: Technology Enablement (cont.)
SAP GRC 10.1 Process Controls: Continuous Controls Monitoring

Transaction Monitoring
Features: Identifies suspicious transactions for review; isolates transactions out of compliance with business rules
Benefits: Identifies inappropriate flows (e.g., duplicate payments); provides evidence of control operation and quickly identifies issues

Master Data Monitoring
Features: Monitors changes to master data for suspicious activity; identifies unusual additions and deletions; detects stale master data files
Benefits: Identifies and addresses suspicious changes to master data

Access Controls and SOD Monitoring
Features: Monitors changes to user access, role access, and testing documentation; detects executed transactions that violate SOD rules
Benefits: Detects unauthorized modification to user access and role access; identifies SOD conflicts that increase risk of fraud and error

Application Configuration
Features: Detects changes to system configuration
Benefits: Demonstrates the continued effectiveness of application controls

An end state for SAP Controls Optimization is the automation toward Continuous Control Monitoring.
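As an added illustration of two monitoring features in the table above (not SAP GRC code and not part of the original deck): a small Python check over a constructed transaction log that flags executed SOD conflicts and duplicate payments. The transaction codes, the SOD rule, and the log records are illustrative assumptions.

```python
"""Added example, not SAP GRC code: two Continuous Controls Monitoring checks
from the table above, run over a constructed transaction log. Assumes a flat
list of dict records; the transaction codes and SOD rule are illustrative."""
from collections import defaultdict

# Constructed sample log: who executed which transaction against which vendor.
LOG = [
    {"user": "ann", "tcode": "XK01", "vendor": "V100", "doc": "",      "amount": 0.0},
    {"user": "ann", "tcode": "F110", "vendor": "V100", "doc": "INV-1", "amount": 5000.0},
    {"user": "bob", "tcode": "F110", "vendor": "V200", "doc": "INV-7", "amount": 1200.0},
    {"user": "cat", "tcode": "F110", "vendor": "V200", "doc": "INV-7", "amount": 1200.0},
    {"user": "bob", "tcode": "XK01", "vendor": "V300", "doc": "",      "amount": 0.0},
]

# Illustrative SOD rule: one person should not both maintain vendor master data
# (XK01, create vendor) and release payments (F110, payment run).
SOD_RULES = [("XK01", "F110")]

def sod_violations(log, rules=SOD_RULES):
    """Return sorted (user, tcode_a, tcode_b) triples where one user executed
    both sides of a conflicting pair. This looks at executed transactions, not
    assigned roles, so it implements the 'detects executed transactions that
    violate SOD rules' feature rather than an access-provisioning check."""
    executed = defaultdict(set)
    for rec in log:
        executed[rec["user"]].add(rec["tcode"])
    hits = []
    for user, tcodes in executed.items():
        for a, b in rules:
            if a in tcodes and b in tcodes:
                hits.append((user, a, b))
    return sorted(hits)

def duplicate_payments(log, payment_tcode="F110"):
    """Group payment-run records by (vendor, doc, amount) and return the keys
    seen more than once: the same invoice paid twice, possibly by different
    users, which a per-user check would miss."""
    seen = defaultdict(list)
    for rec in log:
        if rec["tcode"] == payment_tcode:
            seen[(rec["vendor"], rec["doc"], rec["amount"])].append(rec["user"])
    return {key: users for key, users in seen.items() if len(users) > 1}

if __name__ == "__main__":
    print("SOD violations:", sod_violations(LOG))
    print("Duplicate payments:", duplicate_payments(LOG))
```

Both checks operate on the same log, which is how a single monitoring pass can produce evidence of control operation and surface issues at the same time.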
Attribute 3: Technology Enablement (cont.)

SAP GRC 10.1 Risk Management (Risk Planning, Risk Identification, Risk Analysis, Risk Response, Risk Monitoring)

Benefits to SAP Control Optimization:
Formal integration of risk management with SAP Control Optimization Strategy
Automate and optimize manual and fragmented risk and control activities across lines of business
Repeatable framework to analyze and mitigate risk to organization and initiative
Continuous monitoring of key risk indicators across defined optimization objectives
Automatically identify and prioritize risks through proactive alerts and escalations
Attribute 3: Technology Enablement (cont.)

Benefits to SAP Control Optimization:

Fraud Management (Achieve effective and efficient fraud management): Improve operational efficiency through automating fraud monitoring and direct integration with SAP control optimization activities
Global Trade Services (Optimize global trade and screen restricted parties): Automate compliance to import and export regulations such as International Traffic in Arms Regulations (ITAR)
Sustainability Management (Manage environmental compliance): Address environmental controls and compliance processes
Audit Management (Drive a unified fraud management function): Streamline the audit lifecycle, including creating, reviewing, approving, and linking audits throughout your organization
Attribute 3: Technology Enablement (cont.)
Attribute 3: Technology Enablement (cont.)
Attribute 4: Rollout and Localization
A key principle of either approach is rollout to locations from an initial pilot or Common Controls Framework.
Attribute 4: Rollout and Localization (cont.)
Attribute 4: Rollout and Localization (cont.)
Is there a location or business unit better suited to pilot or apply controls design?
Attribute 5: Implementation and Sustainment
SAP control optimization is not complete until both the design and the implementation of the SAP controls are achieved, which requires rollout, training, operation, and the eventual monitoring, management testing, and operating effectiveness of the controls.
Key Questions to Consider
How will control optimization be rolled out? Centralized group to each region, local
resources?
If local teams optimize, is there a central controls group to review, provide quality
assurance, and monitor?
How will local control owners be trained on controls?
What will be the initial management testing process? Will there be oversight and early
testing to head off deficiencies and address remediation?
What will be the communication process with internal and external auditors?
Attribute 5: Implementation and Sustainment (cont.)
Where to Find More Information

www2.deloitte.com/global/en/pages/governance-risk-and-compliance/articles/grc-at-heart-of-managing-business.html
Deloitte Insights, "GRC: At the heart of managing business" (Deloitte, 2014).

www2.deloitte.com/content/dam/Deloitte/global/Documents/Technology/dttl_technology_GrupoModeloManagesRiskWithSAPsLatestSolutionsForGRC.pdf
Ken Murphy, "Brewing Up Process Change: Grupo Modelo Manages Risk with SAP's Latest Solutions for GRC" (insiderPROFILES, 2013).

www.deloitte.com/view/en_US/us/Services/audit-enterprise-risk-services/dbf8f10c3f889210VgnVCM200000bb42f00aRCRD.html
"Continuous Monitoring and Continuous Auditing: From Idea to Implementation" (Deloitte, 2010).
7 Key Points to Take Home
Assemble a team of subject matter specialists with the right skill set, industry knowledge,
and understanding of operations
Take an approach, either existing or redesign, to yield greater efficiencies and consistency
Work side-by-side with corporate and local leadership as a core team, and leverage
existing resources where possible
Demonstrate quicker results through a global controls template approach and focused
redesign in an area for rapid results
Leverage enabling technology such as SAP GRC 10.1 to roll out consistent frameworks
and more automated testing of controls
Integrate and align with other enterprise initiatives
Enforce accountability through local/regional localization training and rollout of a uniform
and repeatable approach
Your Turn!
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a
legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and
its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not
be available to attest clients under the rules and regulations of public accounting.
This presentation should not be interpreted as a representation about or endorsement of any third party products, including SAP software.
This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax,
or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision
or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional
advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.
Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026