
E-Book

Revamping and optimizing your SAP GRC strategy

GRC is by now a well-known concept, but processes for keeping track of it are still in the nascent stages at some companies, with many companies still using Excel or SharePoint for reporting purposes. But does your organization need dedicated GRC software? Readers will get advice on how to get started with GRC software within the SAP landscape, and how to use the software to achieve a successful compliance strategy.

Readers will learn:

• How to assess whether your business needs GRC software
• Advice on what technology or development efforts can help your business meet common compliance mandates, such as SOX and Wal-Mart's compliance mandates
• The basics of data governance in the context of a GRC program
• Pros and cons of SAP BusinessObjects Access and Process Controls software

Sponsored By:

SearchSAP.com E-Book

Revamping and optimizing your SAP GRC strategy

Sponsored By: Page 2 of 21

E-Book

Revamping and optimizing your SAP GRC strategy

Table of Contents

Does your organization’s SAP GRC strategy need software?
Aligning your SAP GRC technology strategy with constantly shifting compliance requirements
Getting started with data governance for GRC
Pros and cons of SAP BusinessObjects Access and Process Controls software
Resources by Security Weaver


Does your organization’s SAP GRC strategy need software?

By: Chris Maxcer, SearchSAP.com contributor

Any medium-to-large enterprise that faces government or industry regulations can probably benefit from GRC software solutions, if not a totally revamped strategy.

The days of using spreadsheets or Microsoft SharePoint and a variety of manual checklists and documentation that's locked up in the bowels of audit departments are far from over, but savvy organizations are definitely looking to save money, cut time, and find answers.

Through it all, one thing is consistent: regulation.

"We always know there will be more regulations," said Tom Eid, vice president of research for Gartner. "For instance, we may see more regulations because of what is happening with Toyota, which may affect other manufacturing organizations across the globe. It's hard to be proactive because you don't know what the regulations will be."

GRC defined, sort of

As an umbrella term, governance, risk and compliance (GRC) is about as difficult to nail down as the interconnected compliance, security, governance, and risk management challenges it sets out to describe. While GRC might be misused and abused as a term, a loose definition is ultimately more workable than isolating each element because, really, it's the interconnectedness of the people, processes, data and technology that describes today's GRC.

Governance leans toward action and processes that work as intended, while risk management aims to help a business weigh reward against possible pain. Compliance is about ensuring that an organization is meeting a variety of industry or governmental requirements. Meanwhile, there are different kinds of GRC even within organizations, which makes it harder to assess whether a business needs GRC software in the first place.


What's your strategy?

"We all think that everybody has a strategy in place, but strategy, actually, is just emerging," said Gary Dickhart, vice president of SAP's GRC customer advisory office.

While yesterday's GRC efforts were largely reactive, today's most successful GRC strategies are moving from industry point solutions that meet specific regulations to broader efforts that cross corporate silos. The main drivers tend to start with cost reduction but quickly move into opportunity.

When the auditors went in with Sarbanes-Oxley, they gave people tools, and a lot of those tools have aged to the point where they're worn out and unsustainable, Dickhart said.

"Businesses are saying, 'Where can we cut? We're spending a lot more here, and I know we're compliant, but I also want to know about our own risk -- I want to know about our strategic risk,'" he said. "'I want more information, not just whether we're compliant with external regulations.' So the need for this overall risk profile as well as being able to manage it effectively and efficiently, that's what's driving GRC efforts."

But how do you get started revamping an enterprise's GRC strategy? One answer is value.

Chris McClean, an analyst for Forrester Research, recommends that to build a business case for any GRC software solution, most companies will be well served to consider three areas of value.

1. Efficiency

"If you consider SAP's Access Control -- or the new data-heavy GRC products -- a lot of what they do is increase efficiency, so that's the first area to look at -- cost reduction and efficiency," McClean said.

If you have all of your controls in one place and documented in the same way, that's going to save a lot of time on both the internal and external audit process, he said. Data gathering, for instance, is a huge area of wasted effort.


"If you have 10 people gathering data for a month, if you buy a solution, you might be able to cut that in half. And the same goes for conducting risk assessments," McClean said. "GRC software can definitely help with efficiency."

2. Risk mitigation

Risk, of course, can emerge from the cost of non-compliance with a regulation, but it can also arise from the failure of a business initiative. Consolidated processes can help identify not just areas of exposure but also areas of opportunity, he said, because information is collected in one place rather than scattered and lost across departmental silos.

3. Business decision support

If a company is choosing between India and China for outsourcing, or looking at several potential partners, product lines, or acquisitions it should be making, a lot of good risk and compliance content can help make those decisions better, McClean said.

"It's a hard area of value to meet," he said, "and it usually takes a long time before GRC programs are at that level."

At first glance, GRC optimization is a daunting task -- monumental, even -- but SAP customers, it turns out, have increasingly good options that are helping them gain value across multiple areas of their enterprises.

Historically, in the areas of segregation of duties and super-user/developer access, Pearson North America used a combination of manual processes and consulting services to achieve compliance results. However, the company quickly recognized the value of implementing an automated solution that would ensure a more consistent, cohesive and stable global business environment, according to Frank Di Pentima, vice president of financial compliance/systems integration for Pearson North America.

"Additionally, we wanted to build on the company's strong risk awareness culture and enhance our ability to continuously monitor and assess sensitive access for Functional and Basis environments by creating an automated/preventative control environment without impacting system performance," Di Pentima said.

"By implementing SAP's BusinessObjects Access Control solution, Pearson North America gained a variety of benefits. Through the use of preventative and detective controls implemented with our GRC solution, they were able to automate processes and controls further by eliminating potential audit risks associated with complex user access requirements within our ERP environments," he said. "Additionally, they were able to create a seamless process that allowed for Super-user/Development access to be granted and monitored, further reducing risk associated with sensitive access."

"We achieved this without affecting system performance and helped drive down the cost of compliance," Di Pentima said.

Who needs to be involved?

At the SAP Customer Advisory Office, Dickhart's GRC teams recommend that enterprises get their business departments, IT department and audit departments all involved as an organization looks to consolidate, streamline and build upon its aging GRC processes.

"A lot of companies still have their audit department driving GRC strategies," Dickhart said, "but until GRC is recognized and adopted by the business people as part of their everyday livelihood, it's not going to be part of the business -- it'll always be an adjunct process. So getting that alignment between the three areas is something we emphasize."

Getting different stakeholders involved in an SAP GRC revitalization project is a start toward embedding GRC into the fabric of the enterprise, but what's next?

Before engaging a vendor for GRC software solutions -- even SAP -- companies need to gather their stakeholder departments and isolate what it is they want to improve. Are you trying to get ROI by reducing audit costs? Are you trying to improve your understanding of your risk exposure? Do you need a better compliance management process or reporting process?


"Figure out those objectives first," McClean said, noting that GRC software has matured to the point where most of what organizations need right now is available. "If you start by talking with the vendors, you'll more likely come up with a whole list of requirements or capabilities that may fit in but may not be what you needed in the first place. Definitely get your list of requirements really strong before you start talking to vendors."


Aligning your SAP GRC technology strategy with constantly shifting compliance requirements

By: Chris Maxcer, SearchSAP.com contributor

If there's one thing that's consistent about the world of GRC, it's that compliance requirements are always changing -- and if a compliance mandate itself doesn't change, enterprises are seeing guidance on compliance requirements change.

While financial requirements have been all the rage during a recession and time of struggling banks, there's so much more going on.

"In other industries -- for example, with consumer product companies -- the U.S. Consumer Product Safety Commission is not really changing requirements, but they are upping the ante as far as scrutiny," said Chris McClean, an analyst for Forrester Research. More resources for investigation are becoming available, and enterprises are facing larger fines and increased risks in getting called out for business practices that fall on the wrong side of regulatory -- or even public -- favor.

Moving targets

What started out as something that was thought to be fairly straightforward -- certification of financial results with SOX 404 -- has developed into a number of different GRC solutions and corporate strategies, according to Tom Eid, a vice president of research for Gartner.

Solutions that dive into the financial elements of GRC are the most mature, Eid said, but in recent years solution providers have been coming at GRC problems from other angles, most notably IT GRC, which is focused on infrastructure-related technologies and requirements. IT GRC covers things around segregation of duties, configuration auditing, security and identity access management, and secure event and identity monitoring, he said.


In turn, there is operations GRC, which tends to be aligned with revenue-producing activities, transaction monitoring, quality management, and environmental health and safety regulations and requirements.

Understanding the three major types of GRC -- financial, IT and operational -- is critical to helping an organization start mapping out a revamped GRC strategy. While every organization is different, the major departments within an enterprise will have their own areas of compliance to address. For instance, a CFO may typically face SOX, Basel II or OMB A-123, while the CIO may be concerned with HIPAA, ISO/IEC 27001, AS8015-2005, GLBA and/or PCI DSS.

The vice president of HR may have to worry about FMLA or ERISA, while the vice president of procurement may need to straddle aspects of OSHA, REACH and Clean Air, the last two of which may also be shared with the vice president of an enterprise supply chain and/or COO. The vice president of manufacturing (and COO) may also need to worry about regulations with NERC, Clean Water, SARA and the FDA. A vice president of customer service or chief marketing officer may have to maintain a handle on a variety of privacy and anti-spam regulations.

Meanwhile, new business partner requirements are creating new areas of compliance, and while failure to comply may not lead to jail time for executives or painful fines, business partners have the power to choke off key revenue streams. Take, for example, the retail giant Walmart. With $405 billion in sales earned across more than 8,400 retail outlets in 15 countries, the company is one of the most important partners for its 100,000 suppliers around the world.

Back in 2004, Walmart shook up its top suppliers with its RFID tagging and tracking mandate, and now the company is at it again with its new "green" initiative. First announced in July 2009, the effort started with Walmart asking its suppliers 15 questions about their companies' sustainability, including key areas such as greenhouse gas emissions, factory locations, water use, and solid waste produced. Next, the information (and more details) will generate a database of information on the lifecycle of each product, from raw materials to disposal, ultimately ending with a consumer product index rating that will help consumers choose more environmentally friendly and sustainable products.


What are the net effects on suppliers? They're still unclear, but failing to play along with Walmart could very well lead to a major drop in sales.

Technology to the rescue

Because most organizations operate in a fragmented and siloed fashion, IT departments have often been tapped to help acquire and support an outright mess of different point -- and homegrown compliance -- solutions. Even so, many compliance requirements get pushed back to business or operational departments, where they are effectively lost to the organizational leaders as a whole. In this situation, a board of directors, for example, can't get a level of transparency necessary to assure compliance across an enterprise, much less have a real understanding of everyday and strategic risk.

"In the software market, products start out as point solutions, but over time they develop into platforms or suites, and that's what we're seeing now -- this marketplace is still best-of-breed in finance, operations and IT GRC, and at the same time we're seeing developments where the GRC vendors can specialize in two but not three of these areas," Eid said.

GRC companies like OpenPages, Paisley, BWise, Protiviti, Aline, Archer Technologies, and MetricStream -- most of these best-of-breed companies are either finance GRC vendors that are building out additional IT GRC capabilities or they are IT GRC providers now building out more financial GRC capabilities, he said.

Flexibility is key

While older regulations like SOX are understood and now have good guidance on how to implement controls, every company is still unique.

"Flexibility with GRC systems is routinely one of a customer's top one or two key points they are looking for," McClean said. "It needs to adjust to their workflow, their documentation, their organizational structure -- and that flexibility is absolutely essential."


That said, even without a GRC technology, companies have a fairly good handle on their business requirements most of the time, whether it's their business partner requirements, SOX, privacy legislation, or environmental health and safety, McClean added. The companies have had to deal with the requirements for a long time, and the controls are fairly well understood.

"It's being able to mold the GRC product around the business processes, the workflow and the organizational structure that really matters," he said.

Enter SAP

For SAP, business processes represent the linkages across enterprise silos, and these basic processes can be adapted to meet a variety of compliance requirements.

"If everyone in an enterprise came to IT and said, 'Hey, I need a solution for this, for that,' it would be a nightmare because you would have more to buy than you would ever have budget for and more to implement than you would ever have time for," explained SAP's Dickhart. "What we try to do is provide one process, whether it's compliance to an external regulation or it's compliance to an internal policy, so that the same process can be used across all those entities -- and that's the basis for SAP's Process Control product."

It sounds so easy -- one process to rule them all. But there are more dimensions to the problem. Not only do these processes go horizontally across organizations, they need to be able to delve deeply into IT systems to make any sort of monitoring effective.

"SAP's GRC solution sits on the NetWeaver stack independently, then we provide agents that sit in the processes -- or other systems -- that enable us to monitor information or events that let us trigger exceptions against the rules that sit on our NetWeaver platform," Dickhart said.

"For example, in a heterogeneous environment, we have a customer who has Oracle, SAP and a legacy system, and we can gather information from all of those systems," he said. "But the rules -- from a business process or segregation of duties perspective -- can be normalized and stated in one way."
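As an added illustration of the normalized-rules idea described above (example code written for this page, not SAP's or any vendor's), the Python below maps technical permissions from three assumed source systems onto common business functions, evaluates one segregation-of-duties rule set against all of them, and uses the same rules both as a detective scan of existing assignments and as a preventative check on a pending access request. The system names, permission names, user ids and rules are constructed for the example.

```python
"""Segregation-of-duties (SoD) rules evaluated over access data from several systems.

Added example (not code from the e-book, SAP or any vendor). The permission names,
system names, users and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Source systems expose different technical objects (SAP roles, Oracle responsibilities,
# legacy menu codes). Mapping each onto a normalized business function lets one SoD rule
# set apply to all of them. "*" marks a super-user object that implies every function.
FUNCTION_MAP: Dict[str, Dict[str, str]] = {
    "sap": {
        "Z_AP_VENDOR_MAINT": "maintain_vendor",
        "Z_AP_INVOICE_POST": "post_invoice",
        "Z_AP_PAYMENT_RUN": "release_payment",
        "SAP_ALL": "*",
    },
    "oracle": {"AP_SUPPLIER_ENTRY": "maintain_vendor", "AP_INVOICE_ENTRY": "post_invoice"},
    "legacy": {"PAY01": "release_payment"},
}

# SoD rules stated once, in normalized terms: (rule id, function A, function B).
SOD_RULES: List[Tuple[str, str, str]] = [
    ("R01", "maintain_vendor", "post_invoice"),
    ("R02", "maintain_vendor", "release_payment"),
    ("R03", "post_invoice", "release_payment"),
]

ALL_FUNCTIONS: Set[str] = {f for r in SOD_RULES for f in r[1:]}


@dataclass(frozen=True)
class Grant:
    system: str      # which source system the extract came from
    user: str        # user id as that system spells it
    permission: str  # technical object granted in that system


def canonical_user(user: str) -> str:
    """Correlate identities across systems. Assumption: ids differ only in case."""
    return user.strip().lower()


def normalize(grants: Iterable[Grant]) -> Dict[str, Set[str]]:
    """Collapse per-system permissions into user -> set of business functions."""
    functions: Dict[str, Set[str]] = {}
    for g in grants:
        func = FUNCTION_MAP.get(g.system, {}).get(g.permission)
        if func is None:
            continue  # unmapped object: not covered by this rule set
        bucket = functions.setdefault(canonical_user(g.user), set())
        if func == "*":
            bucket |= ALL_FUNCTIONS  # super-user object implies every function
        else:
            bucket.add(func)
    return functions


def violated_rules(functions: Set[str]) -> List[str]:
    """Rule ids whose two functions are both held by the same person."""
    return [rid for rid, a, b in SOD_RULES if a in functions and b in functions]


def find_violations(grants: Iterable[Grant]) -> List[Tuple[str, str]]:
    """Detective control: scan existing assignments, report (user, rule id) pairs."""
    hits: List[Tuple[str, str]] = []
    for user, funcs in normalize(grants).items():
        hits.extend((user, rid) for rid in violated_rules(funcs))
    return sorted(hits)


def would_violate(existing: Iterable[Grant], request: Grant) -> List[str]:
    """Preventative control: evaluate a pending request before it is granted and
    report only the rules the new grant would newly trigger."""
    existing = list(existing)
    user = canonical_user(request.user)
    before = normalize(existing).get(user, set())
    after = normalize(existing + [request]).get(user, set())
    return sorted(set(violated_rules(after)) - set(violated_rules(before)))


# Constructed access extracts from three systems (not real data).
SAMPLE_GRANTS = [
    Grant("sap", "jdoe", "Z_AP_VENDOR_MAINT"),
    Grant("oracle", "JDOE", "AP_INVOICE_ENTRY"),   # same person, second system -> R01
    Grant("sap", "asmith", "Z_AP_INVOICE_POST"),
    Grant("legacy", "asmith", "PAY01"),            # SAP + legacy together -> R03
    Grant("sap", "basis1", "SAP_ALL"),             # super-user object: every rule fires
    Grant("oracle", "mlee", "AP_SUPPLIER_ENTRY"),  # one function only: clean
]

if __name__ == "__main__":
    for user, rid in find_violations(SAMPLE_GRANTS):
        print(f"detected: {user} violates {rid}")
    pending = Grant("legacy", "mlee", "PAY01")
    print("request would trigger:", would_violate(SAMPLE_GRANTS, pending))
```

The cross-system conflict for jdoe only appears because both extracts are correlated to one identity; a per-system scan would report that user as clean in each system.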

SAP's strategy is not to replace dozens of other GRC tools and solutions but to utilize what a customer has that's working already. For instance, SAP has partnered with Novell for down-in-the-trenches event monitoring and identity management that can, for example, actually give access control policies some teeth.

"We don't want to replace everything that the customer already has," Dickhart said. "What we're trying to do is find the spots in the business processes where we can supply the risk information to the risk owner or business person and let them take action at the same time, not as a process or report they have to review separately."

MTU Detroit Diesel manufactures heavy-duty diesel engines for off-road use, and the manufacturer is both an importer of mechanical parts and a global exporter of its products. The company used to rely on manual processes for complying with federal import and export regulations, requiring labor-intensive and time-consuming screening and licensing processes. By implementing the SAP BusinessObjects Global Trade Services application, however, MTU Detroit Diesel automated the processes, eliminated dependence on third parties for regulations adherence, enhanced visibility into its international transactions, benefited from improved compliance ratings, decreased the risk of noncompliance, and decreased its cost of conducting compliance-related processes.

"The SAP BusinessObjects Global Trade Services application equips us with the tools we need to maintain the level of compliance that U.S. Customs expects," said Adam Wood, director of logistics for MTU Detroit Diesel. "It puts us in the driver's seat on issues that could greatly affect our compliance. This is important to us because noncompliance can result in audits, fines and penalties."


Getting started with data governance for GRC

By: Chris Maxcer, SearchSAP.com contributor

Data governance is nearly as expansive and confusing as GRC, and like GRC, it comes in overlapping categories with terms that are poorly defined.

For example, the data quality and master data management (MDM) initiatives that organizations have launched for use in data warehousing and business intelligence efforts are tangential to data governance for financial reporting and compliance. The aims are similar -- ensuring that data is not only accurate but also put to work accurately -- but the solutions that ensure accurate data for BI may have little to do with the people and processes needed to ensure correct financial reporting or compliance with environmental health and safety regulations.

So how does an SAP-based organization get started with data governance for GRC? Here are three core elements:

1. Don't start with a technology solution

It's not that SAP doesn't have options, and it's not that there aren't third-party vendors available to help. Technology is only a part of the story, and it's not even in the early chapters, so avoid the pitfall of thinking a shiny new MDM suite with a "GRC" tag on it will keep your data-focused activities squeaky clean.

"Data governance can be a monstrous project, and for any large organization, it cannot be handled simply by licensing a software package," said Chris McClean, an analyst for Forrester.

Data related to GRC will be used to craft financial statements, submit regulatory filings, and justify decisions at the highest level of the organization, McClean said. Confidence in that data is clearly a high priority. Many GRC solutions have good capabilities for tracking how certain information is created, changed or used, but the scope of this oversight is usually quite limited.

"Comprehensive GRC efforts involve data related to customers, finances, market information, product, quality, and much more," he said. "To gain confidence that all this data is accurate and up to date usually requires sophisticated technology solutions as well as rigorous process controls."

2. Expand your GRC stakeholders

A CFO, CIO or COO, for example, all have different GRC needs stemming from different regulatory requirements that land on their departmental doorsteps. These stakeholders will be the critical weight needed to make sure data is not only accurate in and of itself but, more importantly, that the business processes and the people who interact with the data actually work together appropriately within the expected business rules.

"Whether talking about data governance or just governance, the people part of the equation is extremely important. The most successful GRC programs are when the number of GRC stakeholders is expanded, not reduced," said Ranga Bodla, senior director of governance, risk and compliance solutions for SAP.

"The way to do this is build a business case with the business that shows how an effective program can reduce their individual work or make it more effective," Bodla said.

"Especially when it comes to data governance, so much of the focus is on data protection after the fact; and, as a result, people get information that they then cannot use," he said. "Good GRC programs ensure that people only get the data that is appropriate for them, and then people aren't dealing with data barriers."

3. Enlist help to save time and effort

In order to implement an effective data governance plan for GRC, most organizations will need to go to SAP, to SAP's business partners, or to SAP-savvy data governance consultants for the heavy lifting that will map their specific organization to business-appropriate solutions. If your company is primed and ready to protect its data assets, consultants can save you time and money -- not to mention headache and heartache.

It is possible, however, that larger organizations have internal experts who have already completed similar data-intensive governance efforts in related ERP or CRM projects, and GRC project managers can tap that experience for GRC-focused governance projects as well, McClean said.

"However," he added, "many will have to look for external guidance."

For SAP customers in particular, SAP works to offer flexible options to help individual enterprises.

"Most organizations will need some help in planning, deployment or best practices," Bodla said. "In that context, the best consultants know the product, can supply content, but also can relay best practices that avoid elongated or false-start project expenses."

"SAP's customer advisory office is actually providing our customers with a resource that can suggest 'preferred' practices that can ensure project success," Bodla said. The SAP customer advisory office works hand in hand with consultants and the customer to drive the adoption of these practices, he said.

SAP's BusinessObjects portfolio

SAP's primary GRC solutions are bundled as part of the SAP BusinessObjects portfolio, which also includes the SAP BusinessObjects information management solutions that not only support business intelligence efforts but also include solutions for data quality management, MDM, and other data integration and related services.

SAP's GRC suite is part of the broader SAP BusinessObjects portfolio, which includes BI, information management, and enterprise performance management, according to Gary Dickhart, vice president of the GRC Customer Advisory Office for SAP.


"There's a lot of solutions out there that say, 'Let me look at all orders that were sent to a sanctioned party list, or let me look for all adjustments made to our financials more than $10,000 after the end of the period,' and there's all these bad scenarios that people look for after they happened," Dickhart said. "Our approach is, don't look for it after, build the process so that it takes it into consideration within the process -- embed it in the process."

The takeaway here is SAP's progressive strategy for GRC -- data governance and all the process controls that go along with operating a business are best served when risk and compliance are addressed from within the moment any action is occurring.

As companies look to gain benefit from their compliance efforts in order to actively reduce risk and seek out opportunity, data governance is being recognized as a key foundation for GRC.

This is an increasing issue, McClean said. In some aspects, a lot of the risk and compliance programs over the last five years have been focused on documentation, so that in terms of data governance, there's an audit trail of when policies were created or when certain data was collected for risk assessment.

"Those are all important, but companies are looking for more data-centric risk and compliance -- actually running analysis of key risk indicators and key performance indicators -- so data governance is definitely becoming more important," McClean said. "You're talking about collecting data from hundreds of different locations, from different business partners, so you must make sure that data is accurate and coming from the right places."


Pros and cons of SAP BusinessObjects Access and Process Controls software

By: Chris Maxcer, SearchSAP.com contributor

Two of the most important core GRC solutions from SAP are part of the company's SAP BusinessObjects portfolio: Access Control and Process Control.

Both access and process controls, generically speaking, are critical to many GRC efforts, so these two SAP offerings cut a wide swath of possibilities for many SAP-focused enterprises. Does this make looking to SAP for GRC solutions a no-brainer decision?

"Definitely not a no-brainer," notes Chris McClean, an analyst for Forrester Research. "If you have a working relationship or a strategic relationship with SAP and they are running a lot of your business processes anyway, it is a natural fit because they do have a lot of capabilities to oversee the products you have in place."

The important thing to remember, even for SAP-focused companies, McClean warned, is that there's no single platform or solution that's going to cover all of your GRC needs. Because GRC is such a broad topic and covers so many of the world's largest and best-funded enterprises, the GRC software landscape is extremely wide.

"The number of vendors that talk about having GRC or GRC-related technology is just huge," McClean said, noting that most companies have already purchased and implemented several products across their organizations, covering segregation of duties, risk management, security, environmental health and safety, and many other point solutions.

While SAP should make your short list, there are other factors at play -- cost, flexibility and the specific area of GRC you need to focus on, McClean said.

"SAP also has an environmental risk and compliance area as part of their GRC suite, so that could be important," he said. "But they don't have everything. For example, if you need really detailed IT or HR risk and compliance, you might want to consider other solutions."


Ask the important questions

One starting point is to look at what collectively you are trying to solve. Ask questions such

as, “Are you still in a tactical mode or are you more proactive?” Tom Eid, a vice president of

research for Gartner, recommended.

For many companies, cost-reduction through streamlined solutions can't be dismissed as a

great tactical move.

Sharp, the electronics manufacturer and an SAP BusinessObjects Process Control customer, needed a GRC solution that could help it meet several objectives, including providing a platform for process and control documentation. The company also needed to streamline attestation and testing procedures, and to centralize and standardize controls across the organization.

"SAP BusinessObjects Process Control provides us with an advanced set of tools that are both sophisticated and intuitive for end users," noted George Dramalis, VP CIO for Sharp. "The impact has been a more streamlined, transparent control environment that has ultimately reduced our overall testing efforts. We expect that these improvements will yield reduced external audit activity, as well as reduced external audit expenditures."

Another key factor is to understand whether your organization is inclined to implement a short-term or long-term solution.

"Some will say, 'Longer term, we're looking to catch up and integrate in with our ERP, but right now, this is a short-term problem, so we're looking at best of breed,'" Dramalis said.

Next, you need to know your core type of GRC: financial, IT or operational. Most GRC solution providers have competencies in one or two of these areas but are not yet strong in all three.

"You can enter in with any core GRC area, but make sure that downstream, you are planning to support all three," Eid said. "Don't buy yourself into a corner so you have to go through the whole process again in three or four years."


Where does SAP fit in?

"Our cut is SAP was being a bit more tactical until 2009, but then in 2009, we feel they've taken a big step forward to take a more strategic view of the GRC marketplace where they are really trying to create a linkage between GRC capabilities and overall enterprise performance management," Eid said. "We anticipate by the end of this year, they'll have another refresh going into their portfolio, and their GRC portfolio will continue to align with the overall enterprise performance management strategy they have in place."

Look to the future

One of the important things to understand about SAP's GRC strategy is that it is designed to work with solutions you may already have installed. SAP BusinessObjects has a business intelligence background, and a hallmark of BI solutions is the ability to tap into a wide variety of data from across corporate silos and then put it to work. This architectural tie to SAP BusinessObjects helps SAP GRC solutions reach across many SAP and non-SAP systems to tap into their data and processes.

"One of those things that is really interesting is that companies are starting to look seriously at how risk relates to performance," Forrester's McClean said.

Since the financial crisis and similar events, many companies have been very focused on short-term results, which makes it easier to ignore risk data, he said. He is seeing more companies start to realize that when they look at the performance of a product line, a business unit or an office, they can't look at performance without also looking at risk exposure.

"It's going to take some time to actually implement that concept through processes and technologies, but a lot of companies are starting to look at risk and performance together -- and that's one area that SAP has a fairly good message and a set of capabilities they are starting to bring together," McClean said.


As part of the GRC software evaluation process, it's a good idea to look beyond the audit, beyond compliance, and consider how GRC solutions can affect ongoing business.

As a former auditor, Gary Dickhart, vice president of the GRC Customer Advisory Office for SAP, knows firsthand how many organizations have held onto the division between consulting and auditing that SOX created: auditors could not audit solutions they themselves had recommended, and the effect has been that many executives have looked to audits to understand their own performance.

"What's really been lacking is the infusion of knowledge down into the operation so the people who are running their business know they are responsible for the controls and they perform these every day, and know what makes a good or bad control," Dickhart said. "That's evolving. The days of knowing whether I was doing bad or good, that was an audit -- if I got a good audit, I'm doing well, so we can wait until next time."

Next time you might have an operational problem, and that has to do with your controls and how you manage risk, not with the audit; the audit is just a point-in-time snapshot. Making people realize that the audit is not the control, and not something they should depend on, is key to actually extending GRC across the enterprise, he said.

One company that is extending that understanding into real time is BearingPoint, a global provider of management and technology consulting services that uses the SAP BusinessObjects Access Control application. In need of a better way to handle analysis around compliance initiatives like Sarbanes-Oxley, BearingPoint chose Access Control to replace inefficient, manual processes. The company also needed to reduce the high level of administrative effort and involvement required to manage controls.

"With the SAP BusinessObjects Access Control application, BearingPoint now has real-time insight into controls," said Serkan Caliskan, a manager for BearingPoint. "We have approximately 3,000 users of the application spread out over 14 … countries, and it enables us to conduct real-time analysis and remediation to discover any potential regulatory violations and provide solutions for them."


Resources from Security Weaver

Podcast: Improving Security & Accountability in the Public Sector

Case Study: Sunsweet Growers Cultivates Excellence: Company Relies on Security Weaver for Fast, Accurate Reporting

Case Study: Stiefel Laboratories: Skin Care Bellwether Generates Big Benefits with Security Weaver

About Security Weaver

Security Weaver is a leading provider of application controls management software for SAP. The Security Weaver product suite is engineered to take the guesswork out of compliance in any SAP environment and delivers actionable results in a matter of days.