Pave the way: Build a value driven SAP GRC roadmap March 2015 www.pwc.be/ERP


Page 1: Pave the way: Build a value driven SAP GRC roadmap

March 2015

www.pwc.be/ERP

Page 2: Agenda

• Introduction

• Measuring GRC Progression & Benchmarking

• GRC Program Roadmap

• Building a Business Case

Page 3: Introduction - Pave the way

At the end of this session…

We intend to provide you with the techniques and good practices to help you in building a business case and a roadmap for your GRC program and technologies.

We will explore the types of approaches that can be adopted to synchronize your organization in order to streamline activities, create efficiencies, enable effective reporting, and avoid redundancy.

Page 4: Measuring GRC Progression & Benchmarking

Page 5: Measuring GRC Progression

[Figure: GRC maturity scale with axes labelled "Automation" and "GRC Technology Enablement"]

Where do you fit on the scale?

Page 6: Control Mix Benchmarking

It is important to bear in mind that control standards will differ from client to client, and different individuals may even classify the same control differently; however, we can still draw some broad conclusions.

[Chart: control mix per client C1 to C9. Bars show the number of Auto Controls and Manual Controls (scale 0 to 600); a line shows % Automation (scale 0% to 70%) against an Average Automation reference line.]

Page 7: GRC Program Roadmap - An Example

Page 8: GRC Program Roadmap Example - Introduction

1. Risk Assessment & Analysis of Existing Controls

• Gain an understanding of risks and controls.

• Analysis of risks and controls against industry and leading practices.

• Provide recommendations and rationale for:
- Missing risks;
- Duplicate risks;
- Any recommended changes to risk rating.

2. Risk & Controls Alignment

• Identify redundant controls, areas for risk & controls consolidation, and controls which can be centralized.

• Provide recommendations and rationale for which controls should be removed or streamlined.

3. Automation of Controls & Streamlining Processes

• Identify areas where automation could be leveraged to reduce existing control effort. For example:
- Workflow enablement of manual controls;
- Preventive configuration in the system;
- Restrictions of access;
- Segregation of duties;
- Near real-time analytics;
- Workflow tooling (central provisioning, emergency user management, etc.).

4. GRC Technology Enablement

• Document business case and roadmap to implement recommendations.

• Identify maximum documentation requirements to enable documentation once.

• Leverage GRC technology to support the ‘to be‘ control framework and evaluation of that framework.

• Identify Continuous Control Monitoring opportunities.

5. GRC Program Maintenance

• Establish practices to maintain your control framework‘s design and keep it relevant. For example:
- Incorporation of business, regulatory and technology changes;
- Issues found incorporated into control design to prevent reoccurrences.

• Sustainable and efficient governance over the GRC technology.

Page 9: GRC Program Roadmap Example - Ownership

An important piece of the GRC roadmap is establishing clear ownership and accountability.

Ownership depends entirely on the size and structure of the organization; there is no one-size-fits-all. Here are some things you need to consider before initiating your program:

Compliance Team:

If established and separate from Internal Audit, typically we see the compliance function own risk identification and the GRC program.

Business Users:

All business units have responsibility for the operation of controls. Finance has greater responsibility from a compliance perspective. If a separate compliance function does not exist, risk identification and the GRC program typically fall under finance.

IT Team:

IT owns the technological components and supports the technology utilized for the GRC program.

Internal Audit:

Internal audit has a stake in compliance and the GRC program, to help establish that the controls are operating effectively.

Page 10: Building a Business Case

Page 11: Importance of the business case

Today’s Control Environment

• Improved, robust, and efficient controls that leverage increased automation are becoming critical as the number and complexity of risks increase for companies.

• Companies need to invest in a technological infrastructure that supports increased automation, better reporting, and stronger overall controls governance.

Challenge

• Such initiatives are often “shot down” in the annual budgeting process as they compete with other company priorities.

• Companies are often only willing to invest in such technologies as a reactive response to audit or compliance failures; or worse – public embarrassment.

Solution

• Developing a strong business case with proper financial metrics can help pave the way for more proactive and progressive investments in controls automation technology at your company.

Page 12: Building a business case - The process

Key Financial Metrics

• Payback Period

• Net Present Value

• Return on Investment

Steps to Build the Case:

1. Define the opportunity

2. Identify your options

3. Gather information on your options

4. Analyze the information on your options

5. Choose an option and assess the risks

6. Create a high level implementation plan

7. Communicate your case

Page 13: Building a business case - ROI Framework for automated controls

Return on investment (ROI)—A financial ratio measuring the cash return from an investment relative to its cost for a stated period of time.

Estimate Monetary Benefits of Automated Controls

Benefit Area | FY '15 | FY '16 | FY '17 | FY '18 | FY '19 | Notes / Total

Cost Savings & Direct Benefits

Continuous Control Monitoring

Cost savings by enabling CCM on existing controls | €58,080 | €58,080 | €58,080 | €58,080 | €58,080 | Existing 33 automated controls will be subjected to CCM.

Cost savings by converting manual controls to automated, resulting in reduced operation cost associated with execution of controls | €23,040 | €23,040 | €23,040 | €23,040 | €23,040 | 8 manual controls can potentially be converted to automated controls.

Cost savings by converting manual controls to automated, resulting in reduced testing cost | €14,080 | €14,080 | €14,080 | €14,080 | €14,080 | 8 manual controls can potentially be converted to automated controls, eliminating the need to perform periodic substantive testing at each in-scope location.

Cost savings due to continuous monitoring (subtotal) | €95,200 | €95,200 | €95,200 | €95,200 | €95,200 | Total: €476,000

Data Analytics

Cost savings by enabling data analytics mechanisms (includes operation and testing savings) | €25,000 | €25,000 | €25,000 | €25,000 | €25,000 | Assuming €25,000 analytics would be developed for XYZ.

Cost savings due to data analytics (subtotal) | €25,000 | €25,000 | €25,000 | €25,000 | €25,000 | Total: €125,000

* For illustrative purposes only

Page 14: Building a business case - ROI Framework for automated controls

In building the business case a number of assumptions have been made in order to provide a comprehensive calculation of all the benefits and costs. Some of the assumptions listed below are derived from our experience but can be amended according to the company’s specific requirements and characteristics.

# | Description | Assumption (hours unless stated otherwise)

1 | Average time testing each control (documenting and reviewing results) | 8

2 | Average number of times the controls are tested per year | 2

3 | Average time updating supporting controls documentation | 2

4 | Average time spent around remediation, reporting and decision making | 2

5 | Average monthly time spent to execute and document a manual control | 3

6 | Average hourly cost per employee | €80.00

7 | Average hourly cost for contractor assistance | €200.00

8 | Employee / Contractor Ratio | 3

9 | Weighted average cost per hour, blend between employee/contractor | €110.00

10 | Increased effectiveness of Internal Audit by leveraging GRC 10.0 | 10%

Estimate Monetary Benefits of Automated Controls

* For illustrative purposes only

Page 15: Building a business case - Lessons Learned

• Know your audience! Anticipate difficult questions ahead of time and provide appropriate information that aligns with the style of your leader.

• Cross-functional collaboration and support can be critical. Understand the organizational impacts of what is in your business case and engage with impacted stakeholders for support.

• The more subjective the estimate, the more communication and collaboration is recommended prior to submitting the case to senior leadership. Clearly define and communicate assumptions that support estimates to gain others’ confidence in your numbers.

• Know the budgeting process and budgeting calendar. Plan ahead!

• Get help from trusted advisors with appropriate subject matter expertise.

• Talk to other companies with experience in implementing automated controls technologies to establish additional internal credibility.

Page 16: Your Questions

Page 17: PwC SAP GRC webcast series: Looking to better manage and govern access risk?

To subscribe to PwC's SAP GRC Webcast series please visit: http://www.pwc.be/en/pwc-academy/sap-webinar-grc.jhtml
Enter your email address to create or update your profile and manage your subscriptions.

Date & time: 12 March 2015, 12:30pm – 13:30pm

What’s in it for you?

• Discover SAP GRC 10.1 functionality via a live demo

• Learn about best practices to upgrade from older SAP GRC versions to version 10.1

• Interact in real time with experts with extensive hands-on SAP GRC experience

• Understand the latest SAP GRC Access Control 10.1 functionality and how it can help you improve access management processes

• Understand the upgrade track from older SAP GRC versions to v10.1

Page 18: For further information, please contact:

Wim Rymen, Director
Office: +32 (0) 2 710 7238
Cell: +32 (0) 473 269 227
E-mail: [email protected]

Kris Wauters, Manager
Office: +32 (0) 2 710 4631
Cell: +32 (0) 499 558 949
E-mail: [email protected]

Page 19

The information contained in this document is shared as a matter of courtesy and for information or interest only. PwC has exercised reasonable professional care and diligence in the collection, processing, and reporting of this information. However, data used may be from third-party sources and PwC has not independently verified, validated, or audited such data. PwC does not warrant or assume any legal liability or responsibility for the accuracy, adequacy, completeness, availability and/or usefulness of any data, information, product, or process disclosed in this document; and is not responsible for any errors or omissions or for the results obtained from the use of such information. PwC gives no express or implied warranties, including, but not limited to, warranties of merchantability or fitness for a particular purpose or use. In no event shall PwC be liable for any indirect, special, or consequential damages in connection with use of this document or its content. Information presented herein by a third party is not authored, edited or reviewed by PwC and PwC is not endorsing third parties or their views. Reproduction of this document or recording of its presentation, in whole or in part, in any form, is prohibited except with the prior written permission of PwC. Before making any decision or taking any action, you should consult a competent professional adviser.

© 2015 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.

Page 20: Appendix - GRC Program Roadmap

Page 21: GRC Program Roadmap Example - Risk Assessment & Analysis of Existing Controls

Phase 1: Risk Assessment & Analysis of Existing Controls

What do we see?

◦ Risk Assessment focused on SOX only, but not relevant to other areas of the business.

◦ Not used to prioritize controls coverage or GRC enablement.

◦ Not granular enough to be an actionable tool.

Objectives:

• To acquire deeper insight in your processes, risks and existing controls.

• To socialize and obtain agreement on risks and risk ratings, as this assessment forms the basis for the control analysis performed in subsequent phases of the project.

Value:

• Streamlining of risks, to help establish that risks which meet multiple objectives (financial and operational) are identified.

• Gap analysis of risks against industry and SAP leading practice to identify any other areas for consideration.

• Alignment of SOX/compliance initiatives with other process improvement initiatives.

Recommended:

• Risk assessment to consider compliance and operational initiatives. This would allow you to identify areas of redundancy across regulatory / operational objectives and improve the rationalization effort.

• This could be utilized as the first step in building a business case for expansion of your GRC footprint.

Page 22: GRC Program Roadmap Example - Risk Assessment & Analysis of Existing Controls (continued)

Output

• Benchmark against other clients in the industry and SAP Optimized.

• Assessment to determine whether the risks within the organization have been appropriately recognized.

• Examples of output include, but are not limited to:

- Missing risks;

- Duplicate risks; and

- Any recommended changes to risk rating.

[Chart: Benchmark Percentage Automation (0% to 70%) for Client 1 to Client 9 and Utility 1 to Utility 6, with Current, Recommended and SAP Optimized reference bars.]

Example deliverables—illustrative only

Page 23: GRC Program Roadmap Example - Risk & Controls Alignment

Phase 2: Risk & Controls Alignment

What do we see?

◦ Focus on # of controls, as opposed to the right controls to mitigate the risk.

◦ Access controls are not aligned to risks.

◦ Controls are mapped to risks, instead of risks driving controls.

Objectives:

• Identify opportunities where controls could be eliminated or consolidated and new controls are required to mitigate new risks.

• Streamline controls to enable efficiencies in controls management.

Value:

• Potential reduction and consolidation of controls.

• Potential reduction in time spent operating and evaluating the current framework.

• Less likelihood for audit conversations about control ‘issues’ for controls which are not really key.

• Template to achieve coverage for any new areas.

Recommended:

• Thorough initiative to align controls to the organization’s risks. This would enable you to identify areas of redundancy across regulatory / operational objectives and improve the rationalization effort.

• The risk and controls alignment could be used as the foundation for an initiative by way of establishing key access control objectives across processes and regulations.

Page 24: GRC Program Roadmap Example - Risk & Controls Alignment (continued)

Output

• Assessment to align controls to risks.

• Examples of output include, but are not limited to:

- Controls which could be eliminated or consolidated;

- Controls which could be improved through better leverage of current technology (such as further automation); and

- New controls required to mitigate new risks. An example of this:

Client assessed restrictive access to a PO and segregation of duties between maintain/approve PO in order to mitigate the risk of POs being inappropriately approved. The control was incomplete because the release strategies were not configured.

Control Recommendations - Overview

Area | Current State | Recommended State

Controls | 260 Key Controls for SOX | 87 Key Controls for SOX

Automation of controls | 21% Automated Controls | 52% Automated Controls

Manual report procedures | 48 ‘key’ reports for SAP | 33 of 48 have automation or event-based reporting opportunities

Example deliverables—illustrative only
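The purchase-order finding above (and the preventive SoD check in a provisioning workflow mentioned under phase 3) can be made concrete with a small evaluator. The script below is an added example, not PwC's or SAP's code: the action names PO_MAINTAIN and PO_APPROVE, the user-to-action map and the release_strategy_active flag are constructed stand-ins for the real SAP authorisation objects and release-strategy customising, which are not modelled. What it shows is the slide's point: a maintain/approve SoD rule with no conflicts still leaves the risk open when the approval step it relies on is never enforced, so the control assessment has to test the configuration prerequisite as well as the access side.

```python
"""Evaluation of the purchase-order (PO) control from slide 24, added example.

Not PwC's or SAP's code: PO_MAINTAIN / PO_APPROVE, the user map and the
release_strategy_active flag are constructed stand-ins for the real SAP
authorisation objects and release-strategy customising (not modelled).
"""
from dataclasses import dataclass

# Constructed SoD rule set: one person must not hold every action in a pair.
SOD_RULES = {
    "PO_MAINTAIN_VS_APPROVE": frozenset({"PO_MAINTAIN", "PO_APPROVE"}),
}


@dataclass
class AccessState:
    user_actions: dict             # user id -> set of actions granted (constructed)
    release_strategy_active: bool  # hypothetical flag: is the PO approval step enforced?


def sod_conflicts(state: AccessState) -> list:
    """Detective review: (user, rule) for every user holding a full conflict pair."""
    found = []
    for user in sorted(state.user_actions):
        held = state.user_actions[user]
        found.extend((user, rule) for rule, pair in SOD_RULES.items() if pair <= held)
    return found


def preventive_check(state: AccessState, user: str, new_action: str) -> list:
    """Provisioning-workflow pre-grant check: the rules this grant would
    violate; an empty list means the request can proceed."""
    held = set(state.user_actions.get(user, set())) | {new_action}
    return [rule for rule, pair in SOD_RULES.items() if pair <= held]


def assess_po_control(state: AccessState) -> list:
    """Findings for the 'PO inappropriately approved' risk; empty = effective.
    The configuration prerequisite is checked first: without an enforced
    release step, maintain/approve SoD mitigates nothing."""
    findings = []
    if not state.release_strategy_active:
        findings.append("release strategy not configured: the approval step is never "
                        "enforced, so maintain/approve SoD does not mitigate the risk")
    findings.extend(f"SoD conflict {rule} for user {user}"
                    for user, rule in sod_conflicts(state))
    return findings


# Constructed sample reproducing the slide-24 situation: buyer and manager are
# segregated, one admin holds both actions, and release strategy is switched off.
SAMPLE = AccessState(
    user_actions={
        "buyer01": {"PO_MAINTAIN"},
        "mgr01": {"PO_APPROVE"},
        "admin02": {"PO_MAINTAIN", "PO_APPROVE"},
    },
    release_strategy_active=False,
)

if __name__ == "__main__":
    for finding in assess_po_control(SAMPLE):
        print("FINDING:", finding)
    print("grant PO_APPROVE to buyer01 ->", preventive_check(SAMPLE, "buyer01", "PO_APPROVE"))
```

Run as-is, the script reports two findings for the sample (the missing release strategy and the admin's conflict) and shows that a request to grant PO_APPROVE to the buyer would be blocked before provisioning. Removing the admin's second action and enabling the release strategy yields no findings, which is the "recommended state" the slide's control analysis works towards.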

Page 25: GRC Program Roadmap Example - Automation of Controls & Streamlining Processes

Phase 3: Automation of Controls & Streamlining Processes

What do we see?

◦ “If it's not in SAP, it cannot be monitored”.

◦ Controls governance model is not widely established or aligned.

◦ Business case does not exist or is not tangible.

Objectives:

• Identify controls which could be enhanced through better leverage of current technology.

• Advise management of improvements that can be made which would require additional efforts.

• Identify requirements and build a business case to obtain funding for any recommendations.

Value:

• Increased leverage of SAP automation and investment.

• Potential reduction in time from the business to operate controls and processes.

• Automation at higher levels to help establish consistently implemented configurable controls.

• Transition from decentralized controls to centralized risk and controls.

Recommended:

• Perform an automation assessment. This will enable you to identify opportunities to reduce effort around sustaining the environment and operating controls and processes.

• Consideration should be given to a pilot process. This has a few advantages, such as allowing for a prototyping approach, starting with a smaller investment, and enabling the development of a business case with real achieved business savings.

Page 26: GRC Program Roadmap Example - Automation of Controls & Streamlining Processes (continued)

Output

• Output includes changes to controls. Examples include, but are not limited to:

- Controls and processes which can be automated in SAP or other technology. An example of this:

Client placed a high amount of rigor in a number of manual physical inventory controls in order to gain comfort around the accuracy of their inventory balances. The recommendation removed emphasis on time-consuming processes and instead identified an opportunity to automate inventory cycle count initiation;

- Controls and processes which can be automated in GRC. An example of this:

Client who currently spends significant time manually provisioning users, utilizing a GRC tool to preventatively assess SoD and sensitive access. This review identified an opportunity to enhance existing technologies to automate user provisioning through workflow;

- Event-based reporting opportunities;

- Workflow enablement for manual controls; and

- Continuous control monitoring (CCM) opportunities for current and proposed configurable controls.

• For automation opportunities, effort efficiency estimates can be provided to compare the existing state to the proposed state, enabling management to prioritize activities.

Efficiency Estimates (Example ITGC Process) - Overview

Process | Hours a year | Days a year

Change management | 2,992 | 374

User access management | 15,471 | 1,934

Systems management | 1,012 | 126.5

Total | 19,475 | 2,435

Example deliverables—illustrative only

Page 27: GRC Program Roadmap Example - GRC Technology Enablement

Phase 4: GRC Technology Enablement

What do we see?

◦ Systems and functionality selected before requirements are defined.

◦ Biting off more than you can chew.

◦ Unrealistic expectations.

Objectives:

• Identify new and existing technologies to support your rationalized and improved framework together with your processes.

Value:

• Early detection and remediation of control issues.

• Increased return on the GRC investment by way of expanding the functional use to support and monitor the control framework.

• Potential operational, financial and regulatory compliance efficiencies can be realized by automating various time-consuming processes.

Recommended:

• Utilize the recommendations from the prior phases to develop the in-depth path and multiyear plan. Facilitating a deep dive into at least one of your business processes will enable you to have a tangible understanding of the types of technology you would want to consider and the potential efficiencies of these enhancements, to establish the business case and prioritization.

• This plan can be revised and enhanced as you analyze the other processes.

Page 28: GRC Program Roadmap Example - GRC Technology Enablement (continued)

Capabilities Assessment:

• Inventory requirements and plot these against existing and potentially new technologies.

• Set expectations of what the solutions will and will not do in terms of capabilities.

Prioritize and Determine optimum sequence:

• Prioritize the actions with a focus on return on investment or, alternatively, business issues.

• The organization needs to understand the impact of extending usage of existing technologies and introducing new technologies.

• Based on the impact and prioritization, a sequence should then be defined to facilitate effective and efficient integration.

[Illustrative matrix: Tooling Requirements (SOD / Sensitive Access Detective Reviews; Emergency Access Management; Controls Documentation in GRC tool; Workflow Enablement of Manual Controls) plotted against Existing Technology, Enhance Existing Technology and New Technology, with candidate solutions Solution A and Solution B.]

Page 29: GRC Program Roadmap Example - GRC Technology Enablement (continued)

Output

• Overall program business case for supporting the control environment and supporting processes with GRC technologies. This will take into consideration the risks and regulations of the organization.

• A phased technological roadmap with sequenced activities based on prioritization.

• A target operating model (TOM) for the GRC program covering most aspects of control management and GRC usage.

Page 30: GRC Program Roadmap Example - GRC Program Maintenance

Phase 5: GRC Program Maintenance

What do we see?

◦ Ongoing GRC program does not have proper alignment with management’s strategy.

◦ The deployed governance model is not living and breathing.

Objectives:

• Establish practices to maintain your control framework‘s design and keep it relevant.

Value:

• Less likelihood of a need for a risk rationalization in future years, as it will be part of on-going maintenance.

• Potential reduction in cost to sustain environment and compliance.

Recommended:

• Maintenance program should include:

i. Definition of policies and procedures to incorporate and embed technologies within the governance model.

ii. Establish protocols to incorporate new risks, controls and business changes as a company grows and matures.

iii. Establish IT management procedures for new technologies.

iv. Identify GRC stakeholders to facilitate adequate involvement from the business, integration with IT, internal audit and compliance, and value to the organization on the whole.

• Establish a GRC operating model to maintain the GRC program and roadmap.