Anti-Fraud Management Example
In Accounts Payable Michael Heckner
October 12, 2012
© 2011 SAP AG. All rights reserved. 2
GRC Top Reasons Customers Invest Today
Business Process Improvements
Systematic, reliable processes
Improve predictability and performance
Avoid “Negative” Business Issues
Prevent irregularities such as fraud
Prevent human errors
Avoid financial losses
Avoid damage to reputation
Compliance
Comply with governmental regulations and legislation
Comply with industry regulations
Comply with internal company policies
Economic Crime and Errors: What Is the Damage Caused by Fraud and Errors?
Economic Crime
More frequent than “crime”?
Average fraud loss: 5% of annual revenue. One-fourth of the frauds caused at least $1 million in losses (“2010 Report to the Nation,” ©2010 by the Association of Certified Fraud Examiners, Inc.)
46% of organizations with 1000+ employees reported suffering at least one significant economic crime in the past 12 months. In addition to direct financial impact there is indirect or collateral damage incl. employee morale, business relations, reputation/brand, relations with regulators, share price, etc. (PwC Global Economic Crime Survey Nov 2009)
40% believe there is a greater risk of fraud in the current economy: “Staff reductions resulting in fewer resources deployed on internal controls”. (PwC Global Economic Crime Survey Nov 2009)
Estimates are hard to get
Grey zone of criminal behavior
High number of unreported cases
Employee Errors
Insufficient controls can result in:
Procurement Errors
Overpayments to Vendors
Excessive Rebates to Customers
Changes to Payment Terms
Accidental Leakage of Intellectual Property
Etc.
Nearly impossible to track the total financial impact of employee errors
Overview SAP GRC: Top-down and bottom-up risk management/compliance
Control layers: Company Wide Controls; Procure to Pay Controls; Order to Cash Controls; IT (General) Controls
SAP GRC components: Access Control; Process Control; Risk Management; Internal Audit Management; Policy Management
Enterprise Risk Management: Business Risks Cause Majority of Losses (Head of Risk Management view)
Material risk events encountered in the past three years (for enterprises over US$5 billion in revenue):
Financial: Currency exchange rates; Interest issue and increasing reserves; Accuracy of realistic balance sheet reporting; Ability to manage cash; Non-transparent markets; Economic recession; Energy and commodity costs
Political/Geopolitical: Change of government – and minority governments; Grants and budget changes; Constant change of ministers; Federal Accountability Act; Terrorism
Strategic: Industry consolidation and globalization; Error-filled release of software upgrade; Change in core product demand; Cancellation of major customer contracts; Performance standards and service quality
Environmental/Health: West Nile Virus; Safety crisis; Compliance with environmental standards; Food sanitary management problem; Climate change; Environment pollution
Operational: Hurricane Katrina; Data center outage; Delivery risk; Blast furnace cold run; ERP application crash; Plant disaster causing production stoppage
Legal & Compliance: Fraud; Product liability claims; Missed time line for legal changes; Embezzlement of parts; Safety of goods or products
87% of risks are not financial
Source: IBM Global Business Services, The Global CFO Study 2008.
Examples of Enterprise Risks (Transportation Industry)
Strategic Risks: Freight Rates; Oil & Gas Prices; Political Risks; Information Risk
Financial Risks: Liquidity; Credit Risk; Foreign Exchange; Insurance (Self-Insurance)
Operational Risks: Major Safety Incidents; Major Environmental Incidents; War, terrorism or piracy attack; Procedures and Controls
Compliance Risks: Human Rights (OECD Standards); Tax; Anti-corruption, competition and export control
Examples of Enterprise Risks (Deloitte Risk Intelligence Map)
Categories: Governance | Strategy and Planning | Operations | Compliance | Reporting
Sub-categories: Governance: Corp. Governance, Ethics, Corp. Responsab./Sustainab., External Factors; Strategy and Planning: Planning, Strategy; Operations: Corp. Assets, Finance, Human Resources, Information Technology, Legal, Product Development, Sales, Marketing & Communic., Supply Chain; Compliance: Compliance; Reporting: Reporting
Risk topics on the map, row by row:
Board Effectiveness / Knowledge Management; Addressing Allegations; Biodiversity; Competition; Business Continuity Management (BCM); Alliances; Facilities and Equipment; Accounting; Corporate Culture; Architecture; Bankruptcy; Discontinuance and Divestiture; Branding and Reputation; Planning; Communication and Training; Compliance with Accounting Standards and Policies
Board Structure and Leadership; Communication; Climate Change; Credit Rating; Capital Planning; Business Concentration; Intangible Assets; Audit Quality; Health and Welfare Benefits; Asset Management; Competition; Innovation, Research and Development; Communication; Sourcing; Compliance Culture; Financial Disclosures
Compensation / Performance Incentives / Alignment; Corrective Actions and Discipline; Community Investment; Customer Demands; Knowledge Management; Business Model; Personal Safety; Capital Management; Human Resources Policies and Procedures; Business Continuity Management (BCM); Contract Management; Launch; Customer Relations / Customer Support; Production; Compliance Information Management; Financial Information Availability
Corporate Responsibility & Sustainability; Ethical Culture / Tone at the Top; Energy Management and Alternative Sourcing; Economic Conditions / Industry Trends; Operational Planning; Customers; Physical Security; Credit Implications of Significant Events; Change Management; Corporate Investigations; Liability; Distribution; Delivery; Compliance Organization; Financial Statement Fraud
Reputation / Shareholder Relations; Ethics Reporting; Fair Trade Certification; External Fraud; Performance Management; Extended Enterprise; Process Management; Financial Asset Management; Labor Relations; Contracting and Outsourcing; Environmental, Health and Safety; Product Design / Quality; E-Commerce / Internet Strategy; Returns; Compliance Reporting; Management Reporting
Risk Oversight; Investigation; Natural Resource Utilization and Accounting; Geopolitical; Scenario Planning; Growth; Taxation; Insurance and Hedging; Organization Structure; Information Security; Finance and Accounting; Production; Investor Relations; Controls and Monitoring; Regulatory Reporting; Transparency & Financial Integrity
Monitoring and Auditing; Philanthropy; Hazards / Catastrophic Loss; Innovation; Utilization; Liquidity; Payroll; Operations; Government Investigations; Substitution; Marketing Programs; Policies and Procedures; Reporting Quality; Policies and Procedures
Project Financing; Laws and Regulations; Markets; Pensions; Performance / Talent Management and Compensation; Physical and Environmental; Intellectual Property; Technology Obsolescence; Market Research; Risk Assessment; Statutory Reporting
Program Assessment and Evaluation; Resource Scarcity; Markets; Mergers / Acquisitions / Divestitures; Planning / Budgeting / Forecasting; Retirement Programs; Privacy and Data Protection; Labor and Employment Issues; Testing; Marketing Strategy; Supervision; Sustainability Reporting
Structure and Oversight; Sustainability Strategy; Third Party / Joint Venture Requirements; Outsourcing; Taxation; Talent Pipeline / Recruitment; Problem Management; Legal and Regulatory Compliance; Timing; Public Relations; Tax Reporting
Training; Sustainable Water Quality; Policy; Training and Development; Project Management; Legal Entity Planning; Sales Strategy; Waste Reduction and Closed Loop Production; Pricing; Records Management; Litigation and Dispute Resolution; Technology; Technology Licensing; Privacy and Security Laws
Vision, Mission, and Values; Records Information Management
Source: Deloitte Risk Intelligence Map, 2009
SAP Risk Management Heatmap (screenshot): risk “Fraudulent AP activities”
Risk “Fraudulent Accounts Payable”
Objective: Prevent Accounts Payable risk (errors and fraud)
Owner: Chief Security Officer / IT
1st Risk Driver: Lack of SoD (segregation of duties)
IT General Control 1: Access Control, to prevent Accounts Payable errors and fraud resulting from lack of SoD
Question: Are SoD violations the only risk to the “Accounts Payable” process?
Stakeholders: Head of Internal Controls; Head of Compliance; Chief Security Officer / IT
© 2011 SAP AG. All rights reserved. 15
Risk “Fraudulent Accounts Payable”
IT General Control 1: Access Control
Process-Level Control 1: Accounts Payable
Example: What about abuse of “one time vendor accounts”?
Payments:
Date   Vendor             Amount
1.10.  ABC Chemicals       1,599.-
2.10.  Anonymous1          1,000.-
2.10.  Northstar Energy      563.-
5.10.  Anonymous1         10,000.-
9.10.  Hardware Central   23,618.-
Stakeholders: Head of Internal Audit, Controls, Compliance; Chief Security Officer / IT
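The two risk drivers the deck walks through, lack of SoD (slides 11-13) and abuse of one-time vendor accounts (the payments table above), are both detectable from the vendor master and the payment documents. The following is an added example, not code from the SAP deck or from SAP Process Control: it runs two detective checks over constructed Accounts Payable records. The amounts and dates follow the slide's payments table; the vendor IDs, user names, bank accounts, document numbers and the use of account group "CPD" as the one-time vendor marker are assumptions made for the example.

```python
"""Added illustration, not code from the SAP deck: two detective checks run
over constructed Accounts Payable records.

Check 1 (one-time vendor abuse): a one-time vendor account is meant to carry a
single payment, so repeat payments, escalating amounts, or one bank account
behind several payee records are flagged. Account group "CPD" as the marker
for one-time vendors is an assumption about the vendor master.

Check 2 (segregation of duties): the user who created the vendor record or
changed its bank data must not also release payments to it.

Amounts and dates follow the slide's payments table; vendor IDs, users, bank
accounts and document numbers are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

ONE_TIME_GROUP = "CPD"  # assumed account group marking one-time vendors


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    account_group: str
    bank_account: str
    created_by: str
    bank_changed_by: Optional[str] = None  # last user who changed bank data


@dataclass(frozen=True)
class Payment:
    doc_no: str
    posted: date
    vendor_id: str
    amount: float
    released_by: str  # user who released (approved) the payment


SHARED_IBAN = "DE89370400440532013000"  # constructed; reused by two payees
VENDORS = [
    Vendor("V100", "ABC Chemicals", "KRED", "DE02120300000000202051", "jsmith"),
    Vendor("V200", "Northstar Energy", "KRED", "DE44500105175407324931", "jsmith"),
    # bank data changed by the same clerk who later releases the payment
    Vendor("V300", "Hardware Central", "KRED", "DE75512108001245126199", "jsmith",
           bank_changed_by="apclerk"),
    Vendor("V900", "Anonymous1", ONE_TIME_GROUP, SHARED_IBAN, "mmueller"),
    Vendor("V901", "Anonymous2", ONE_TIME_GROUP, SHARED_IBAN, "mmueller"),
]
PAYMENTS = [
    Payment("1900001", date(2012, 10, 1), "V100", 1599.0, "apmgr"),
    Payment("1900002", date(2012, 10, 2), "V900", 1000.0, "mmueller"),
    Payment("1900003", date(2012, 10, 2), "V200", 563.0, "apmgr"),
    Payment("1900004", date(2012, 10, 5), "V900", 10000.0, "mmueller"),
    Payment("1900005", date(2012, 10, 9), "V300", 23618.0, "apclerk"),
]

Finding = Tuple  # (rule_id, subject, detail)


def one_time_vendor_findings(vendors: List[Vendor], payments: List[Payment]) -> List[Finding]:
    by_id = {v.vendor_id: v for v in vendors}
    per_vendor = defaultdict(list)
    for p in payments:
        per_vendor[p.vendor_id].append(p)
    findings = []
    for vid, plist in per_vendor.items():
        if by_id[vid].account_group != ONE_TIME_GROUP:
            continue
        plist.sort(key=lambda p: p.posted)
        if len(plist) > 1:  # one-time account used more than once
            findings.append(("OTV_REUSED", vid, len(plist)))
        if any(b.amount > a.amount for a, b in zip(plist, plist[1:])):
            findings.append(("OTV_ESCALATING", vid, plist[-1].amount))
    by_bank = defaultdict(set)  # one bank account behind several payee records
    for v in vendors:
        by_bank[v.bank_account].add(v.vendor_id)
    for bank, ids in by_bank.items():
        if len(ids) > 1:
            findings.append(("SHARED_BANK_ACCOUNT", bank, tuple(sorted(ids))))
    return findings


def sod_findings(vendors: List[Vendor], payments: List[Payment]) -> List[Finding]:
    by_id = {v.vendor_id: v for v in vendors}
    findings = []
    for p in payments:
        v = by_id[p.vendor_id]
        maintainers = {v.created_by, v.bank_changed_by} - {None}
        if p.released_by in maintainers:  # maintained the master record and paid it
            findings.append(("SOD_MAINTAIN_AND_PAY", p.doc_no, p.released_by))
    return findings


def run_all(vendors=VENDORS, payments=PAYMENTS):
    return {"one_time_vendor": one_time_vendor_findings(vendors, payments),
            "sod": sod_findings(vendors, payments)}


if __name__ == "__main__":
    for rule, items in run_all().items():
        for f in items:
            print(rule, *f)
```

On the sample data the one-time vendor check flags Anonymous1 twice (reused, and escalating from 1,000 to 10,000) plus the bank account shared by Anonymous1 and Anonymous2, and the SoD check flags the two Anonymous1 payments released by the user who created the vendor and the Hardware Central payment released by the clerk who changed its bank data. The checks look only at the creator and the last bank-data changer; a production rule would read the full change log of the vendor master.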
Risk “Fraudulent Accounts Payable”
IT General Control 1: Access Control
Process-Level Controls 1-n: Accounts Payable
Example: What about other process level risks in Accounts Payable?
Business Necessity: Process and Access Level Controls to protect the AP process
Stakeholders: Chief Security Officer / IT; Head of Internal Audit, Controls, Compliance
Other Risks? In Other Processes? At the IT-Level?
Process 1: Procure to Pay Controls
Process n: Order to Cash Controls
IT General Control 1: Access Control
IT General Control n: Controls
Group/Entity: Company Wide Controls
What about other processes and their controls?
Stakeholders: Chief Security Officer / IT; Head of Internal Audit, Controls, Compliance
SAP Process Control: Control at all levels
SAP Risk Management: Risk-based Approach to Internal Controls
Process 1: Procure to Pay Controls
Process n: Order to Cash Controls
IT General Control 1: Access Control
IT General Control n: Controls
Group/Entity: Company Wide Controls
Stakeholders: Chief Security Officer / IT; Head of Risk Management; Head of Internal Audit, Controls, Compliance
Continuous Monitoring Example (screenshots)
Accounts Payable Manager: Dashboard
Accounts Payable Manager: Issues Report
Drill-Down into One-Time Vendor Issue
Accounts Payable Manager: Issues Report
Drill-Down into Segregation of Duties Issue
Achieving Higher Confidence: Lower Cost and Business Process Improvement (chart: number of controls over time; cost versus assurance)
Today: manual controls only
Maturity Level 1 (cost reduction): a share of the manual controls is automated
Less Manual Labor
Less Pushback from the Business
Lower Cost of Preparing for an Audit
Maturity Level 2 (cost reduction and process improvement): further controls are automated
More controls
More granularity
Higher frequency of checks
Consistency
Managing Risk and Compliance: SAP GRC Solutions
Managing Risk and Compliance ensures all categories of risk across the organization are aggregated at the enterprise level and managed holistically
Enterprise Risk Management (SAP Risk Mgmt; Head of Risk Management): Risk Planning; Risk Identification; Risk Analysis; Risk Response; Risk Monitoring
Risk-Based Internal Controls (SAP Process Control; Head of Compliance / Controls / Internal Audit): Document Compliance Initiatives; Plan and Perform Assessments and Tests; Remediate Issues and Certify Results
Access Management (SAP Access Control; Head of Internal Audit / Chief Security Officer): Access Planning; Access Analysis & Response; Access Monitoring
Audit Management (SAP NetWeaver Audit Mgmt; Head of Internal Audit): Audit Planning; Manage Audit Engagements; Remediation
Executive sponsors: CEO / CFO
SAP GRC Solution
Questions?
Thank You!
Contact information:
Michael Heckner
Sr. Director, EMEA Solutions Business Development (GRC)
Zeppelinstrasse 2
85399 Hallbergmoos/München
Phone +49 (170) 8 555 125
+49 6227 – 7 – 54143
Michael . Heckner @ sap . com
www.sap.com/grc