special feature
Reproduced with permission from the Oct • Nov • Dec 2007 issue of SAP Insider | www.SAPinsideronline.com
Governance, Risk, and Compliance | SAP Insider
12 Risk Management Essentials Every SAP Customer Now Needs to Know

Narina Sippy
Senior Vice President
SAP solutions for GRC
Business risk. The unknown. The unpredictable. The things that affect business outcomes but lie outside your managerial sphere of control. It's not just finance departments and risk managers who grapple with risk and uncertainty. We all do.

Risk possibilities are endless. Those responsible for the development, marketing, and sales of products and services know that a competitor can quickly overtake those products or services, or that new technologies can render them obsolete. A hurricane might disrupt the delivery of important materials from a supplier in Louisiana, a change in euro-to-dollar valuation might affect your ability to sell in France, evolving technology could stifle your online retail business, or a product safety issue could hit the press and mar your company's reputation. These are the risks of everyday business that should be part of your strategic and budgetary planning.

Inherent in every business decision we make are elements of risk and uncertainty. In fact, a 2006 Accenture global study comprising interviews with 436 senior executives at major companies in North America, Europe, and Asia ranks managing risk at the top of executives' priority lists.1

In this article, Narina Sippy, SAP Senior Vice President and General Manager of SAP solutions for governance, risk, and compliance (GRC), explains why companies are investing heavily in risk management and what risk management essentials the SAP customer base now needs to understand.

1 Accenture study (September 19, 2006). See www.accenture.com/Countries/Canada/About_Accenture/Newsroom/ManagingRiskRanks.htm for more information.

Inside
S-3 | What Data Governance Model Is Right for Your Company? (BackOffice Associates & CranSoft, Inc.)
S-5 | Sustain Your GRC Strategy with Continuous Controls Monitoring (Ernst & Young)
S-7 | Use Master Data Management to Master Your Compliance Initiatives (Siperian)
S-9 | Do Your Testing Methods Work in Concert with Your Compliance Efforts? (Worksoft, Inc.)
S-11 | The 7 Pillars of Strong Internal Controls (170 Systems, Inc.)
S-12 | Atrion Helps EH&S Teams Stay Compliant in the Face of New REACH Regulations (Atrion International Inc.)
S-13 | Governance, Risk, and Compliance: Moving Beyond Integration to Enterprise Strategy (BearingPoint)
S-14 | Remaining Compliant (CSI)
S-15 | Why Change Management Should Be a Top Compliance Priority (Revelation Software Concepts, Ltd.)
S-16 | The Coming Revolution in Tax Reporting and Compliance (Sabrix, Inc. & Deloitte)
S-17 | Incorporate Security Intelligence into Business Intelligence (SECUDE Global Consulting)
S-18 | Tips for Building a Successful GRC Project Methodology (Turnkey Consulting)

The correlation is clear: Vigilant risk management leaves your business in good standing with shareholders and boosts potential profits. Ineffective risk management leaves your business exposed and hides potential opportunities. Executives are becoming acutely aware of this, and none want to be caught off guard.

But implementing limited-scope practices that address risk at only the highest levels or assigning a department to identify risks in an ad hoc project does very little to address your business exposure and lost opportunities.

Many executives don't understand how to approach risk management strategically. Others don't have risk management capabilities at their disposal; they lack tools and metrics to analyze risk/reward trade-offs and proceed accordingly.

Risk management does not happen only at the board level either. Risks and opportunities clearly exist throughout all levels of the organization, across all business processes. Consider the various internal teams and partners involved in your supply chain. Do they
have collaborative indicators to apprise them of goods delays, outstanding duties or taxes, or import/export license renewals? Chances are, they don't. But implementing these types of controls to warn of actual or likely risk events can reduce the impact of the event. Once controls are in place, you not only minimize delays and penalties, you also realize strategic gains:

- Money previously lost to fines or production delays is now available for strategic investment
- The very same information used to assess risk and provide early warnings proves invaluable to logistics and inventory optimization
- Early warnings can help in managing customer expectations, thereby preserving your customer base

So it's not just risk mitigation that's driving the demand for risk management tools. These benefits of risk management also account for the strong demand.

Remember, all loss events negatively affect the bottom line. Plant managers, safety managers, product development teams, HR, customer service, and sales teams all have to contend with loss events and all stand to benefit from a better understanding of risk factors in their planning and optimization activities.

The common challenge I see is that nearly all of these organizations are ill-equipped to evaluate and manage risk. And whatever measures are in place are often isolated from risk management initiatives across the company.

So I'm now seeing high demand, across the board, for risk management tools. At the same time, there's an awakening to the fact that risk doesn't confine itself to nice, neat silos. There are lots of interdependencies, and at the top of the corporate ladder there's a need for integrated risk management that spans all areas of the business and for an understanding of the relationships that bind those areas.

Companies need a systematic way to identify, evaluate, and manage risks across all phases and facets of their business. That's why we're now working with so many customers, helping them forge a GRC initiative that provides a unified approach to corporate risk across their enterprise.
Risk Management Considerations Every SAP Customer Needs to Understand

1. DO openly support risk management at the executive level and make it a part of the company culture.
2. DON'T make risk management a one-time or theoretical exercise, one that's considered unimportant to executives.
3. DO look at the interplay between different types of risks: strategic, operational, financial, human capital, hazards, and natural disasters.
4. DON'T limit your risk management activities to reactive contingency plans.
5. DO establish a common infrastructure, a set of metrics, and even a language for your risk discussions.
6. DON'T overcomplicate the risk management process. For risk management to be adopted by everyone, it cannot be perceived as an experts-only function.
7. DO ensure that all key stakeholders collaboratively share the responsibility of identifying, mitigating, and managing risk across processes. It's better to have several thousand keeping an eye out for risk rather than a few dozen.
8. DON'T make risk management an isolated function or leave it to a single department.
9. DO look at risk as part of your strategic business planning and operations processes. Incorporate risk management in planning and budgeting by identifying key risk indicators that can be tracked as you implement strategy through your day-to-day activities.
10. DON'T separate risk from how you run the business.
11. DO make risk consideration a part of corporate performance management to understand the upside of business decisions and recognize the impact of poor risks.
12. DON'T leverage risk management tools only at the lowest operational level merely to mitigate risk.
"Even finance organizations, which tend to be among the most advanced in terms of risk management within a company, often do not have sufficient visibility into risk events that can impact profitability."

3 Steps to Implement Risk Management

It's not an overstatement: The goal is to integrate risk management into the everyday lives of every manager to enable them to see and assess the company's complete risk profile. There is no question that this provides the most strategic benefit to an organization. So how does one transform risk management from a reactive process into a strategic weapon? I recommend a three-step approach:

1. Identify the wealth of risk management-related information already available to your company in SAP ERP and other ERP systems. Part of the evolution toward a more mature enterprise risk management framework incorporates existing business practices, reusing information
Article continues on page S-19
Tom Kennedy
Founder, BackOffice Associates & CEO, CranSoft, Inc.

What Data Governance Model Is Right for Your Company?
Sound GRC Initiatives Rely on Quality Data
An essential element of any successful corporate governance, risk, and compliance (GRC) initiative is quality data. The accuracy of all GRC-related analysis depends on the underlying quality of the transactional and master data within your ERP systems. And yet, while it would be unthinkable for a corporation to bypass quality control on the production floor, companies are still producing data with little or no quality control on a daily basis.

To ensure sustainable data quality, it is essential to consider a data governance initiative complete with remediation tools to establish metrics for data accountability. Companies implementing their first data governance initiative must understand the different levels of data governance and carefully decide which one is the right fit for their organization (see Figure 1).
4 Levels of Data Governance

Many companies are setting up departments or teams to take charge of and responsibility for data quality throughout their enterprise (see sidebar on the next page). To date, we have seen various levels at which data governance strategies are implemented:

- No data governance: This is the "Wild West" model. Every user is trusted to enter in their data accurately and on time, all while minding corporate standard operating procedures and compliance statutes. The reality? Despite rigorous training, most users do not follow standard operating procedures. Based on the resulting lack of control and accountability, this is the least efficient and most risky model.
- Center of Excellence (COE): This model tasks a central group with the responsibility of creating and verifying all data requests before posting them to the SAP system. The intention is to have a central core entering an agreed-upon "single version of the truth." However, in many cases this model results in slow data-entry times and costly downstream effects.
- Passive data governance: Users enter data into the SAP system, and then a toolset or reporting mechanism iteratively identifies data-related errors within that system. Errors are automatically reported back to their authors for correction, and quality metrics are delivered to management. This model enables a valuable, measurable process.
- Active data governance: All data required to support the configured SAP business processes is collected prior to posting into the SAP system and validated automatically through a collaborative environment. This eliminates the possibility of business-process interruptions due to omissions, duplicates, consistency and content errors, or a lack of standards.
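The difference between the passive and active models above, shown as an added example that is not code from the article or from BackOffice Associates. The material-master record layout, the rule set (required unit, standard units, duplicate names) and the in-memory "posting" are constructed stand-ins for an ERP table; only the two governance patterns come from the text.

```python
"""Passive vs. active data governance on a constructed material-master feed."""
from collections import defaultdict
import re

# Constructed sample: material master requests with the user who authored them.
REQUESTS = [
    {"id": "R1", "author": "alice", "name": "Hex Bolt M8x40", "unit": "EA",  "group": "FAST"},
    {"id": "R2", "author": "bob",   "name": "hex bolt  m8x40", "unit": "EA", "group": "FAST"},  # duplicate of R1
    {"id": "R3", "author": "carol", "name": "Gasket 50mm",    "unit": "",    "group": "SEAL"},  # missing unit
    {"id": "R4", "author": "bob",   "name": "Bearing 6204",   "unit": "PCS", "group": "ROTA"},  # non-standard unit
    {"id": "R5", "author": "alice", "name": "Washer M8",      "unit": "EA",  "group": "FAST"},
]
VALID_UNITS = {"EA", "KG", "M", "L"}  # constructed corporate standard for units of measure


def normalize(name):
    """Collapse case and whitespace so near-identical names are detected as duplicates."""
    return re.sub(r"\s+", " ", name.strip().lower())


def check(record, posted):
    """Rules: required field, allowed unit, duplicate of an already-posted material."""
    errors = []
    if not record["unit"]:
        errors.append("missing unit of measure")
    elif record["unit"] not in VALID_UNITS:
        errors.append(f"non-standard unit {record['unit']!r}")
    if normalize(record["name"]) in {normalize(p["name"]) for p in posted}:
        errors.append("duplicate of existing material")
    return errors


def active_governance(requests):
    """Active model: validate before posting, so bad records never reach the system."""
    posted, rejected = [], {}
    for r in requests:
        errs = check(r, posted)
        if errs:
            rejected[r["id"]] = errs
        else:
            posted.append(r)
    return posted, rejected


def passive_governance(requests):
    """Passive model: post everything, then scan the system, report errors back
    to their authors and deliver a quality metric (percent clean) to management."""
    posted = list(requests)
    report = defaultdict(dict)
    for i, r in enumerate(posted):
        errs = check(r, posted[:i])  # compare only against records posted earlier
        if errs:
            report[r["author"]][r["id"]] = errs
    bad = sum(len(v) for v in report.values())
    metric = round(100.0 * (len(posted) - bad) / len(posted), 1)
    return posted, dict(report), metric
```

In the active run the three defective requests are rejected up front; in the passive run all five are posted and the same three surface afterwards as per-author remediation items with a 40% quality score.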
"As market forces drive GRC issues to the forefront of mainstream business processes, companies need to ask: Is our data ready to meet the goal of a sustainable GRC strategy?"

FIGURE 1: The four models of data governance; as automation increases, error resolution time and business process interruptions decrease.

Recommendation: Start with a Minimum of Passive Data Governance

The "no data governance" model is just too risky. And although the COE model may improve the quality of data, it also increases the time required to collect, validate, and enter that data into the SAP system. This model also proves difficult to scale with a growing SAP footprint. Accordingly, many companies implementing their first data governance
strategy look to the passive data governance model to introduce automation and create accountability and data ownership at the user level.

We recommend that you start building your passive data governance strategy by acquiring a preconfigured toolset built for your unique data challenges. This toolset should include out-of-the-box functionality for workflow enablement, quality-metrics reporting, and duplicate detection. For global organizations, the tools should also be multilingual. Most importantly, the toolset should be easily configurable for business people, not just for IT. Enabling business users to control data and its quality is imperative to effectively encapsulating your specific business-process requirements.

Once you implement this toolset, you'll also need to build a business process repository based on your current data requirements. Over time, the configuration of this repository should be capable of iteratively reporting on all business-critical master and transactional data. BackOffice Associates has built our own passive governance solution, DataDialysis, specifically made for SAP systems to fulfill all of these requirements.

Since the passive model's automation of data governance implements control while alleviating the bottlenecks associated with manual data entry, it is considered a great step forward. However, it does not always solve the entire data-governance conundrum.

For More Sophisticated Needs, Consider Active Data Governance

For some companies, including those operating in strictly regulated industries like pharmaceuticals, an active data governance initiative is necessary to control and validate data prior to entry into an SAP system.

Remember that the primary mission of data governance is to enhance bottom-line performance by eliminating business process interruptions related to incomplete, missing, or erroneous data, while fully complying with general business and industry-specific GRC regulations. The best way to accomplish this is to restrict any data that is not business-ready from ever reaching the SAP system. An active data governance model achieves this by implementing an automated system to manage the data collection and validation process, not just the remediation of existing data, as is the case with passive data governance.

The development team at BackOffice Associates provides a suite of collaborative applications built specifically for SAP systems that manages the data entry and change processes through a validated collaborative workflow environment. These applications, known as the cApps suite, act as firewalls for data. They use an automated and transparent process to ensure that only business-ready data reaches the SAP system.

The CranSoft cApps suite, which comprises cMat, cCust, and cVend, is a set of active data governance applications designed specifically for materials, customer, and vendor data. Several Fortune 500 companies are already using these applications to govern their data management strategies. These applications were created for the business user, so the technology skill level is based primarily on intuitive SQL statements. Once live, the solutions help our customers to mitigate risk and rid their SAP systems of low-quality data.

Conclusion

Implementing an automated data governance strategy, whether passive or active, is essential for sustaining a successful GRC strategy. The costs of implementing a holistic data governance solution greatly outweigh the risks involved with using manual data governance or, worse, not having a data governance strategy at all.

To learn more about BackOffice Associates' automated GRC data governance offerings, visit www.boaweb.com or contact us at [email protected].
Data Governance Is Everyone's Responsibility

Many organizations are confused when it comes to who is responsible for the upkeep of data quality. When we ask project teams and leadership who owns the data's quality before, during, and after an SAP implementation, many are quick to say the IT department. Our experience, however, shows that the answer should be the business users. This is not to say that IT has no stake in ensuring data quality, merely that the business must also understand and be held accountable for the quality of their own data.

Companies that embrace this essential view of data quality responsibility and use it to drive their planning, organization, tool selection, and implementation processes will have the most successful data governance strategies.

"AMR Research reports that large companies can spend US$250,000 to US$500,000 on service-intensive engagements to find, fix, and prevent data governance problems."1

1 "MDM on a Single ERP Instance: Workflow and Data Quality," an article by Bill Swanton of AMR (www.amrresearch.com).

NOTE! Since both the passive and active models are business-critical, we recommend you use a solid passive solution as a roadmap for implementing an active model.
Sustain Your GRC Strategy with Continuous Controls Monitoring
3 Key Considerations for Building a CCM Program

Michael B. Brunenmeister
Executive Director
Global CCM Solutions Leader
Ernst & Young
Increasing complexity and challenging new business risks pervade today's global environments. To address these risks and meet regulatory requirements, organizations must establish effective internal controls, along with processes to make sure these controls remain repeatable, sustainable, and cost-effective. Therefore, as part of their overall governance, risk, and compliance (GRC) strategies, organizations are building continuous controls monitoring (CCM) programs to improve efficiencies, avoid controls deficiencies, and focus resources on managing critical risks.

With an effective and sustainable CCM program that's designed, managed, and optimized to account for changes such as regulatory shifts, mergers and acquisitions, and system upgrades, an organization can meet its compliance objectives, reduce risk exposures, and meet the expectations of key stakeholders. Over time, as their CCM processes mature, companies can transition from manual risk detection efforts to automated prevention measures.

Organizations considering CCM must first focus on their control objectives and establish sound processes. Ernst & Young has assisted many clients with their CCM programs, gleaning several key learning points from this experience.

1. Create a Foundation for Your CCM Program

A CCM program should include risk detection, prevention, remediation, and compliance components, all focusing on people, processes, and technology. Using CCM to evaluate and monitor key business processes against predetermined business rules enables an organization to identify patterns and anomalies to help minimize potential risk exposures.

When our clients embark on a CCM initiative, the automation or technical aspects often become their primary focus. Although automating the controls can be very beneficial to the organization, we recommend that clients focus initially on the following control objectives:

- Application access controls and segregation of duties (SoD) can reduce opportunities for fraud or for material errors by ensuring that financial and operational transactions are properly authorized and approved. A CCM strategy should drive the development and enforcement of effective user and role governance processes, practical SoD rules, and sustainable access controls.
- Business process controls help users evaluate system configuration settings to identify events that occur outside of set control limits.
- Master and transactional data controls are used to analyze sensitive fields and transactional data against predefined control criteria. The analysis of this data supports the detection of potential controls violations, such as changes to vendor addresses or terms, duplicate payments, timing issues, and other anomalies. Additionally, the transactional data analysis can facilitate business efficiency improvements.
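The three control objectives above, expressed as monitoring rules over a constructed sample; this is an added example, not code from the article or from Ernst & Young. The role names, change-log and payment layouts, the payment limit and the seven-day change window are all constructed assumptions.

```python
"""Continuous controls monitoring rules over a constructed transaction sample."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data: role assignments, vendor master change log, payments.
USER_ROLES = {
    "alice": {"AP_CLERK"},                  # posts payments only
    "bob":   {"VENDOR_MAINT", "AP_CLERK"},  # holds both sides of a conflict
    "carol": {"VENDOR_MAINT"},
}
# Each SoD rule: (set of roles that must not be combined, description)
SOD_RULES = [({"VENDOR_MAINT", "AP_CLERK"}, "maintain vendor and post payment")]

VENDOR_CHANGES = [  # change-log rows: (date, user, vendor, sensitive field)
    (date(2007, 10, 2), "carol", "V100", "BANK_ACCT"),
    (date(2007, 10, 9), "bob",   "V200", "ADDRESS"),
]
PAYMENTS = [  # (document, date, user, vendor, invoice, amount)
    ("P1", date(2007, 10, 3),  "alice", "V100", "INV-7", 12500.00),
    ("P2", date(2007, 10, 10), "bob",   "V200", "INV-9", 8900.00),   # payer also changed V200
    ("P3", date(2007, 10, 12), "alice", "V300", "INV-4", 450.00),
    ("P4", date(2007, 10, 13), "alice", "V300", "INV-4", 450.00),    # duplicate of P3
    ("P5", date(2007, 10, 20), "alice", "V100", "INV-8", 60000.00),  # above control limit
]
PAYMENT_LIMIT = 50000.00          # constructed business-process control limit
CHANGE_WINDOW = timedelta(days=7)  # constructed timing threshold


def sod_violations(user_roles=USER_ROLES, rules=SOD_RULES):
    """Access control: users holding every role of a conflicting role set."""
    return sorted((user, desc)
                  for user, roles in user_roles.items()
                  for conflict, desc in rules if conflict <= roles)


def payments_after_master_change(payments=PAYMENTS, changes=VENDOR_CHANGES,
                                 window=CHANGE_WINDOW):
    """Master/transactional data control with a timing element: a payment to a
    vendor within `window` of a sensitive master-data change. Rated HIGH when
    the same user made the change and posted the payment, else MEDIUM."""
    hits = []
    for doc, pdate, puser, vendor, _, _ in payments:
        for cdate, cuser, cvendor, field in changes:
            if cvendor == vendor and cdate <= pdate <= cdate + window:
                hits.append((doc, field, "HIGH" if cuser == puser else "MEDIUM"))
    return hits


def duplicate_payments(payments=PAYMENTS):
    """Transactional data control: same vendor, invoice and amount posted twice."""
    seen = defaultdict(list)
    for doc, _, _, vendor, invoice, amount in payments:
        seen[(vendor, invoice, amount)].append(doc)
    return [docs for docs in seen.values() if len(docs) > 1]


def over_limit(payments=PAYMENTS, limit=PAYMENT_LIMIT):
    """Business-process control: amounts outside the configured limit."""
    return [doc for doc, _, _, _, _, amount in payments if amount > limit]
```

Each function returns the exception list a resolution-reporting step would route to a reviewer; the severity on the change-then-pay rule is what lets exception rationalization filter the routine cases first.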
Jason G. Glantz
Manager
ERP Advisory Services
Ernst & Young

Aman Joshi
Senior Associate
ERP Advisory Services
Ernst & Young

Key Concept: Continuous Controls Monitoring
Continuous controls monitoring is a repeatable process in which specific control points can be continuously monitored against established thresholds to help determine business risk anomalies.

"Failure to define a GRC strategy before automating CCM can result in significant losses of time and resources, or even the need to rebuild the CCM program."

2. Manage the CCM Life Cycle

To create and sustain an effective CCM program, an organization must understand and manage the entire CCM life cycle (see Figure 1 on the next page), which includes:

- Process design: This begins with a clear vision based on operational objectives (i.e., achieve compliance, reduce risk). It is impractical to monitor all of a company's controls, and therefore it's essential to first identify the controls most in need of monitoring, based on business objectives. We also recommend establishing a CCM governance body to lead the process design effort and to help ensure that business objectives are met.
- Business rule development: A CCM program is only as effective as the business rules used to evaluate the control data. Business rules for SoD, master and transactional data, and automated application controls are used as filters and applied against data sources to identify potential control anomalies.
- Controls optimization: Once significant risks have been identified within business process areas, appropriate controls must be established to mitigate them. A vital step in achieving control optimization is establishing controls that cover multiple risk areas and eliminating redundant or ineffective controls.
- Exception validation and rationalization: Organizations often become overwhelmed by the volume of control exceptions. Since some exceptions are legitimate, organizations can manage risks and reduce the number of reported exceptions, and therefore the cost of compliance, by filtering out legitimate business exceptions.
- Resolution reporting: To successfully manage and mitigate business risk, and to ensure timely resolution of compliance violations, it is important to set up a process that allows your company to diligently review and resolve reported violations.
- Process optimization: The processes that make up your CCM program should be flexible and allow your company to dynamically react to change. They also should be continually adjusted to meet business needs and sustain your CCM investment.
3. Automate CCM with SAP Functionality

Organizations running SAP have a significant advantage when enabling and automating CCM because integrated business disciplines such as financial accounting and asset management can be built into a centralized CCM program. A CCM program that encompasses well-designed controls, appropriate business rules, and the diligent management of the CCM life cycle allows organizations to focus on their enhancement and automation efforts, reducing time and resources that would otherwise be spent manually monitoring controls.

As companies move toward automation, they should make managing configurable controls through benchmarking a part of their testing strategy, since it is a mechanism that ensures configurable controls remain unchanged. SAP provides this capability through table logging, which can help reduce year-to-year control testing.

SAP also provides a number of tools embedded in its GRC solution suite, which can be used to automate the CCM process. These tools include SAP GRC Access Control, SAP GRC Process Control, and SAP GRC Global Trade Services. An organization can leverage these tools, combined with the functionality already embedded within SAP systems, to gain a clear advantage in creating an effective end-to-end solution for managing risk and compliance.

Conclusion: Make CCM a Priority

Having a GRC strategy and making an effective CCM program a priority can help organizations drive their compliance efforts, identify potential processing errors, and proactively detect fraud. It also is critical to design practical processes as you develop your GRC strategy and CCM program. Many companies hold the misconception that an automated controls solution will solve all compliance needs. However, an automated solution is only effective after a successful CCM program has been established based on well-designed controls, appropriate business rules, and ongoing management of the CCM program.

To learn more about how Ernst & Young can help your company build and sustain a CCM program, please email [email protected] or visit www.ey.com.
FIGURE 1: Building an effective CCM program means taking all aspects of the CCM life cycle into consideration; developing a process for handling exceptions with defined roles, responsibilities, and prioritized resolution procedures is critical to success.
Use Master Data Management to Master Your Compliance Initiatives

Ravi Shankar
Director of Product Marketing
Siperian
Companies in a wide range of industries are challenged to meet the often complex and always evolving requirements of regulatory governance, risk, and compliance (GRC). But despite their attempts to establish internal controls to enforce this regulatory compliance, many companies have yet to be fully successful. Often, these businesses will try to enforce compliance by using existing back-office systems, only to find data and processes that are duplicated across the organization. Compliance-relevant data in one system is often incorrect or inconsistent in another system, and this can have serious consequences.

Consider a manufacturer with a marketing division that regularly mails flyers, brochures, and other marketing materials. This marketing team is required to manage opt-out compliance; failing to do so costs US$11,000 for each violation. Even with such hefty fines, however, opt-out data often slips through the cracks.

Say a customer calls into customer service to opt out of all marketing campaigns. If a company has not ensured the consistency of its data, that customer's record may be updated in the customer service application but not in the marketing database. With customer records fragmented and inconsistent across the organization, it is no surprise that companies may inadvertently violate privacy or other compliance regulations.

The bottom line? Companies are finding they cannot successfully enforce compliance without first addressing the underlying issue of master data. To unify data and ensure that all parts of an organization are working from the same source of information, companies need a solid master data management framework (see sidebar).

Find a Master Data Management Platform to Fit Your Compliance Goals

Companies can more easily and effectively manage regulatory compliance to reduce business risk with a master data management platform, such as Siperian MDM Hub. A master data management platform helps unify critical data about customers, products, and organizations across different systems, delivering reliable, complete views of this data to reduce operational costs, improve compliance, and drive operational effectiveness.

Siperian MDM Hub enables customers to create a reliable, centralized master data store. It includes integrated capabilities
Compais caot
succssfully
foc compliac
without st
assig th
ulyig issu
of mast ata.
UseMasterDataManagementtoEnsureYourEntireOrganizationIsWorkingfromaSingleVersionoftheTruth
Master data is a collection o common, core business data entities including customers, products, organizations, as
well as their attributes and values that are considered critical to a companys business and are required or use in
two or more systems or business processes. Master data management (MDM) is the controlled process by which master
data is created and maintained as the system o record or the enterprise. This record can then be circulated or
consumption by business processes, applications, or users. Ultimately, MDM should be deployed as part o a broader
data governance program that involves a combination o technology, people, policy, and processes.
Typically, master data is widely distributed across dierent business unctions and applications within the organi-
zation, leading to data duplication, inconsistencies, and incompleteness. By centralizing master data in one location
and synchronizing a reliable, single version o truth with downstream applications that eed business processes,
companies can uniormly enorce compliance across the organization. Additionally, by synchronizing the reliable
version o truth with analytical systems, companies are able to more quickly provide reliable regulatory reporting.
http://www.siperian.net/datagovhttp://www.sapinsideronline.com/http://www.sapinsideronline.com/http://www.sapinsideronline.com/http://www.sapinsideronline.com/http://www.sapinsideronline.com/http://www.sapinsideronline.com/http://www.sapinsideronline.com/http://www.sapinsideronline.com/http://www.sapinsideronline.com/http://www.sapinsideronline.com/http://www.sapinsideronline.com/http://www.sapinsideronline.com/http://www.sapinsideronline.com/http://www.sapinsideronline.com/http://www.sapinsideronline.com/http://www.siperian.net/datagovhttp://www.siperian.net/datagovhttp://www.siperian.net/datagovhttp://www.siperian.net/datagovhttp://www.siperian.net/datagovhttp://www.siperian.net/datagovhttp://www.siperian.net/datagovhttp://www.siperian.net/datagovhttp://www.siperian.net/datagovhttp://www.sapinsideronline.com/http://www.sapinsideronline.com/http://www.sapinsideronline.com/7/28/2019 Oct Nov Dec 07pdf2
8/19
S-
special feature
Govnn, rk, nd comn | SAP InSIder
Reproduced with permission rom the Oct n Nov n Dec 2007 issue o SAP Insider | www.SAPinsideronline.com
to cleanse, match, and merge data to correct errors, iden-
tiy duplicate records across systems, and create a single
version o the truth to which all levels o the organization
can adhere (see Figure 1).
Siperian MDM Hub also supports regulatory audit requirements for any given period by storing the complete history of all data changes, as well as a lineage of how data records have changed over a period of time. In addition, this master data management platform allows users to create reliable reports from analytical systems by synchronizing data from the centralized master data hub. It also enables customers to enforce strict, granular-level security regarding who is allowed to view and edit what data and when.
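The match, merge, lineage, and synchronization steps described above, and the opt-out scenario from the opening of the article, as an added illustration in Python. This is not Siperian or SAP code: the hub is a toy, the system names (MKT, CRM, CS), record ids, the customer, and the survivorship rule ("an opt-out recorded anywhere wins") are all constructed assumptions.

```python
"""Toy master data hub: cleanse and match records arriving from several systems,
merge them into one golden record, keep a change history (lineage) for audit,
and push the reliable opt-out flag back to downstream copies.
Added illustration, not Siperian or SAP code; the systems, record ids and
customer below are constructed."""
from dataclasses import dataclass, field
import re


@dataclass
class SourceRecord:
    system: str             # originating application, e.g. "CRM" (constructed name)
    source_id: str          # primary key inside that application
    name: str
    email: str
    marketing_opt_out: bool
    updated: str            # ISO date of the change in the source system


@dataclass
class MasterRecord:
    master_id: int
    name: str
    email: str
    marketing_opt_out: bool
    sources: dict = field(default_factory=dict)   # system -> source_id cross-reference
    history: list = field(default_factory=list)   # (when, system, action, changes)


def match_key(email: str) -> str:
    """Cleanse step: match on the e-mail address, lower-cased, whitespace removed."""
    return re.sub(r"\s+", "", email).lower()


class MasterDataHub:
    def __init__(self):
        self._by_key = {}       # match key -> MasterRecord
        self._next_id = 1

    def load(self, rec: SourceRecord) -> MasterRecord:
        """Match the incoming record to an existing master (or create one), then merge."""
        key = match_key(rec.email)
        master = self._by_key.get(key)
        if master is None:
            master = MasterRecord(self._next_id, rec.name.strip(), key, rec.marketing_opt_out)
            self._next_id += 1
            self._by_key[key] = master
            master.history.append((rec.updated, rec.system, "create",
                                   {"marketing_opt_out": rec.marketing_opt_out}))
        elif rec.marketing_opt_out and not master.marketing_opt_out:
            # Survivorship rule (assumption): an opt-out recorded by any system wins and
            # is never overwritten by a stale "opted in" value from another system.
            master.marketing_opt_out = True
            master.history.append((rec.updated, rec.system, "merge",
                                   {"marketing_opt_out": True}))
        master.sources[rec.system] = rec.source_id
        return master

    def golden_record(self, email: str) -> MasterRecord:
        return self._by_key[match_key(email)]

    def history_as_of(self, email: str, when: str) -> list:
        """Lineage for a given audit period: all changes up to the ISO date `when`."""
        return [h for h in self.golden_record(email).history if h[0] <= when]

    def sync_opt_outs(self, downstream: dict) -> list:
        """Synchronise the master opt-out flag to every cross-referenced downstream
        record. `downstream` maps system -> {source_id: {"marketing_opt_out": bool}}.
        Returns the (system, source_id) pairs that had to be corrected."""
        fixed = []
        for master in self._by_key.values():
            if not master.marketing_opt_out:
                continue
            for system, source_id in master.sources.items():
                row = downstream.get(system, {}).get(source_id)
                if row is not None and not row["marketing_opt_out"]:
                    row["marketing_opt_out"] = True
                    fixed.append((system, source_id))
        return sorted(fixed)


def run_demo():
    """Constructed scenario: the customer opts out by phone, so only the customer
    service (CS) system knows; marketing (MKT) and CRM still say opted in."""
    hub = MasterDataHub()
    hub.load(SourceRecord("MKT", "m-77", "Ana Lima", "ana.lima@example.com", False, "2007-08-15"))
    hub.load(SourceRecord("CRM", "c-1", "Ana Lima ", "Ana.Lima@example.com", False, "2007-09-01"))
    hub.load(SourceRecord("CS", "cs-9", "Ana Lima", " ana.lima@example.com", True, "2007-10-05"))
    downstream = {   # downstream copies before synchronisation (constructed)
        "MKT": {"m-77": {"marketing_opt_out": False}},
        "CRM": {"c-1": {"marketing_opt_out": False}},
        "CS": {"cs-9": {"marketing_opt_out": True}},
    }
    fixed = hub.sync_opt_outs(downstream)
    return hub, downstream, fixed


if __name__ == "__main__":
    hub, downstream, fixed = run_demo()
    print("golden record:", hub.golden_record("ana.lima@example.com"))
    print("downstream records corrected:", fixed)
```

The point to take from the run is that the two downstream systems which never heard the phone call are corrected from the golden record, and that `history_as_of` can answer "what did we believe on 30 September?" separately from "what do we believe now", which is the audit-period question the text raises.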
Using master data management as the foundation for successful data governance, Siperian has helped many companies successfully address their compliance initiatives (see sidebar), as well as other business-critical areas including:

- Customer-centric marketing
- New product introduction
- Order-to-cash processes
- Contract management
- Physician spend management
- State license validation

And since Siperian MDM Hub is a complementary solution to SAP NetWeaver MDM and is certified for integration with SAP NetWeaver, SAP customers can integrate SAP master data sources, such as SAP CRM, into the Siperian MDM Hub.
Connect Your Compliance Strategy to a Master Data Governance Framework

Organizations often struggle to establish processes that will help govern their data assets and prevent the unauthorized creation, duplication, and deletion of key master data. Master data management platforms like Siperian MDM Hub can help customers establish overarching policies, define granular processes to enable these policies, enforce strict controls, and provide historical data needed for audit and regulatory reporting.

To learn more about data governance best practices, visit www.siperian.net/datagov and download a free white paper by Jill Dyché, co-founder of Baseline Consulting, entitled "A Data Governance Manifesto: Designing and Deploying Sustainable Data Governance."
FIGURE 1: Siperian MDM Hub integrates with SAP systems to deliver an enterprise master data management solution that complements the capabilities of SAP NetWeaver MDM
Global Pharmaceutical Company Successfully Manages Compliance Using Siperian MDM Hub

Several states have passed legislation requiring all pharmaceutical companies to establish firm caps on the amount of money they spend on each physician per year on direct promotion. One large pharmaceutical company found itself unable to proactively track and control spend on each physician by expense type based on state limits, causing different divisions within the company to continue paying physicians even after the spend limit had been reached.

This legislation violation was a direct result of inconsistent, incomplete, and inaccurate master data across different data classes (such as physicians and hospitals), inaccurate data that was then captured and stored in more than 40 different systems.

By using Siperian MDM Hub, this pharmaceutical company was able to create an authoritative view of master data across these different data classes to see the relationships among key business entities, such as physicians and hospitals. In addition, since the solution provided automatic notification and tracking of spend per physician, the company was finally able to fully comply with US and state physician spend requirements.
Do Your Testing Methods Work in Concert with Your Compliance Efforts? Consider Automated Testing to Secure Your Audit Trail

Linda Hayes
Founder
Worksoft, Inc.

Brian Anderson
Director of Product Management
Worksoft, Inc.
A crucial advantage of SAP system architecture is that it allows organizations to easily modify application capabilities; they can quickly respond to competitive and market pressures with new functionality. Accordingly, it's important for IT teams to ensure that any custom upgrades or changes do not introduce risk to your organization.

IT typically addresses this with functional software testing. But traditional, manual testing strategies may be working at cross-purposes with your compliance efforts.

We encourage SAP customers to instead automate testing and to consider an innovative way to accelerate your delivery velocity, improve the productivity of your business experts, and assure the availability, accuracy, and compliance of your business processes after each and every change.
Manual Testing Can Compromise Compliance

The majority of software functional testing today is performed manually, primarily because of the deep subject matter expertise needed to understand all of a company's business process variations and rules. But there are several drawbacks to a manual approach:

- The most obvious is the sheer amount of time that manual testing takes. In a typical SAP business process, such as order-to-cash or procure-to-pay, testers must execute the same end-to-end activities hundreds of times in order to verify the varying types of orders, materials, delivery options, and pricing rules. Manually executing these variations not only takes valuable resources away from the business, but also delays the delivery of desired capabilities that may impact revenue or operating costs.
- Manual testing tends to be less formal and therefore subject to the skills and preferences of the tester. This makes coverage and quality unpredictable and not repeatable from one transport to the next.
- Manual testing is difficult to coordinate across end-to-end business processes that span various solution modules. Business process experts are usually organized around functional areas, yet the risk of upstream and downstream impact from changes requires that processes be tested across departments and modules.
- Documentation, and in turn compliance, suffers because manual testing is so time-consuming that testers often do not have time to thoroughly or consistently document tests or results. Even if testers create documentation originally, they're usually strapped to keep it current with changes. This leads to a lack of management visibility and an inability to support compliance audits or regulatory requirements.

Because of these challenges, many companies have sought to automate their functional testing using tools commonly known as record/play.
Think Twice About Record/Play Tools

Record/play sounds easy and attractive: Simply perform a test manually and record the steps into a script that can be replayed multiple times. Unfortunately, this approach often produces poorly structured, undocumented, or unstable tests that are not reusable, maintainable, or auditable.

Recorded scripts are sensitive to the slightest changes. If an application is running more slowly at some times than others, the script can get out of synch and result in errors. Or if an unexpected condition arises, the script has no logic to recover and continue. Even changes in data can cause recorded scripts to fail.

Scripts also create a high maintenance overhead because they contain hard-coded data. This means that if you test a hundred different order variations, for example, your script must contain the same steps hundreds of times. If you make a change to the order process, the script will also have to be updated hundreds of times.

The lack of logic within these scripts also precludes making decisions or changing the workflow based on test results. For example, a particular material code may cause a window to appear that normally wouldn't with other material codes.
The record/play approach requires that there be two separate scripts, one for each condition. When you take into account the large number of similar cases, this leads to a high degree of redundancy.

The only way to overcome these challenges is to employ the underlying scripting language to manage timing, detect and recover from errors, make decisions, parameterize the data values, and read external data sources. Scripting is essentially programming, so it requires advanced technical skills; this excludes the very business process experts whose knowledge is required for effective testing.

Companies that decide to invest in coding test scripts soon find themselves with thousands of lines of code that have to be maintained. Often the code was written by contractors who are no longer available, and the code itself is rarely documented. As a result, most test automation efforts are abandoned.
Automated Testing with Worksoft Certify

Worksoft Certify was designed as an analyst-friendly test automation solution. It requires no coding and, instead of the record/play/script model, allows tests to be documented using point and click and then to be immediately executed. The tests are developed in a standard, structured format and are stored as data in a shared repository where they can be easily managed, maintained, and reused.

Because Certify stores tests as data, it can span multiple applications, platforms, and technologies to perform end-to-end business process verification. A single Certify test session can span SAP applications, Web, mainframe, and client/server, even SOA message layers, to exercise both upstream and downstream results. This innovative approach empowers all stakeholders, including business process experts, to capture their knowledge and reuse it through automated tests and data. Technical barriers disappear, and the time and cost to implement go down significantly.

Certify, which is Certified for SAP NetWeaver, comes pre-stocked with many of the most common SAP transaction screens (see Figure 1). Additional SAP modules or other applications can be learned simply by navigating through the screens to interactively capture fields and objects.

Test coverage can be rapidly expanded just by adding variations of data values to exercise different business rules and conditions. Certify automatically loops through the data, row by row, to repeat processes and log results. Test data is supplied dynamically from a number of sources, including spreadsheets, files, databases, or other screens. This data is captured and stored in the Worksoft Certify repository where it can be easily shared and reused.

At every step, Certify manages timing synchronization, verifies screen context, and allows decisions based on test results to control the workflow. Certify supports unattended, automated test execution or lets you step through your transactions, set breakpoints, monitor data values, and capture screens while it captures a detailed, step-by-step results log that includes captured screen images.
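The data-driven loop described above (one process, many data rows, a per-row results log that survives an unexpected condition) as an added Python illustration. It is not Worksoft Certify code and does not drive SAP screens: the `price_order` rule is a constructed stand-in for the transaction under test, and the material codes, prices, and order rows are constructed test data.

```python
"""Data-driven test loop with a step-by-step results log. Added illustration, not
Worksoft Certify code; the pricing rule under test stands in for an SAP transaction
and the order rows are constructed test data."""
from datetime import datetime, timezone

LIST_PRICE = {"MAT-100": 20.0, "MAT-200": 35.5, "MAT-300": 8.25}   # constructed


def price_order(material: str, quantity: int, customer_group: str) -> float:
    """Constructed business rule under test: list price by material, 10% off for
    orders of 100 units or more, a further 5% off for key accounts."""
    if material not in LIST_PRICE:
        raise ValueError(f"unknown material {material}")   # the 'unexpected window'
    total = LIST_PRICE[material] * quantity
    if quantity >= 100:
        total *= 0.90
    if customer_group == "KEY":
        total *= 0.95
    return round(total, 2)


def run_rows(rows: list) -> list:
    """Repeat the process once per data row and log each outcome. A failing or
    erroring row is recorded and the loop continues, so one bad variation does not
    abort the whole run or go undocumented."""
    log = []
    for row in rows:
        entry = {"row": row["id"], "started": datetime.now(timezone.utc).isoformat(),
                 "expected": row["expected"], "actual": None}
        try:
            entry["actual"] = price_order(row["material"], row["quantity"], row["group"])
            entry["status"] = "pass" if abs(entry["actual"] - row["expected"]) < 0.005 else "fail"
        except Exception as exc:      # unexpected condition: capture it, do not crash
            entry["status"] = f"error: {exc}"
        log.append(entry)
    return log


def summarize(log: list) -> dict:
    """Pass/fail/error counts for the run, the figures an auditor would ask for."""
    counts = {"pass": 0, "fail": 0, "error": 0}
    for entry in log:
        counts[entry["status"].split(":")[0]] += 1
    return counts


# Constructed test data: one row per variation of the order process.
ORDER_ROWS = [
    {"id": 1, "material": "MAT-100", "quantity": 10, "group": "STD", "expected": 200.00},
    {"id": 2, "material": "MAT-100", "quantity": 100, "group": "STD", "expected": 1800.00},
    {"id": 3, "material": "MAT-200", "quantity": 100, "group": "KEY", "expected": 3035.25},
    {"id": 4, "material": "MAT-300", "quantity": 4, "group": "KEY", "expected": 33.00},   # stale expectation
    {"id": 5, "material": "MAT-999", "quantity": 1, "group": "STD", "expected": 0.0},     # unknown material
]

if __name__ == "__main__":
    results = run_rows(ORDER_ROWS)
    for entry in results:
        print(entry)
    print(summarize(results))
```

Rows 4 and 5 are deliberately bad: row 4 carries an expectation that predates the key-account discount, row 5 names a material that does not exist. Both end up in the log with a timestamp and a status instead of stopping the run, which is what makes the log usable as evidence that every variation was actually exercised.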
Make Custom Changes with Confidence

The testing of changes resulting from new application modules, enhancements, upgrades, or even service packs is where Certify's design really shines. Certify guides you through an instant impact analysis to locate all references to changed objects with only one click. You can then make global changes automatically (in most cases). There is no need to wade through complex script files, looking for potential impact or changing code that then must be debugged and tested. And all of these changes are also documented so you have a complete audit trail.

Certify delivers a compelling value proposition suited to the SAP marketplace; with it, you can make your resources more productive, accelerate the delivery of value to the business, and ensure that any changes are documented for compliance purposes and do not disturb your critical operations. Visit www.worksoft.com for more information.
FIGURE 1: Worksoft Certify comes pre-delivered with many of the most common SAP transaction screens
The 7 Pillars of Strong Internal Controls: Discover the Compliance-Specific Benefits of Financial Process Automation

Larry Concannon
Director of Product Marketing
170 Systems, Inc.

Finance departments are already working in a corporate environment that expects them to do more with less. Regulations like Sarbanes-Oxley and Basel II increase the pressure on these departments to strengthen internal compliance controls without hampering everyday activities. The solution? Financial process automation, which helps strengthen these controls while improving visibility and efficiency.
Build Your Compliance Strategy on 7 Key Pillars

At 170 Systems, we encourage finance departments to leverage a strong financial process automation solution and structure internal controls according to seven key principles:

1. End-to-end visibility: In the typical accounts payable (AP) process, invoices sit in field offices waiting for coding and approval before being forwarded to the AP department for entry into an SAP system. This paper-based method lacks needed front-end visibility and creates a breeding ground for fraud. The best-practice approach is to receive and capture all invoices centrally by using financial process automation software integrated with SAP ERP to give management visibility into the entire review, approval, and payment process.

2. Strong approval framework: It is imperative for companies to maintain a robust, timely approval framework. Financial process automation software incorporates online approvals with full security controls, improving accuracy and ensuring the completion of key steps such as signature verification that are often neglected in manual, paper-based processes.

3. Segregation of duties (SoD): SoD activities are typically done at the role or responsibility levels. Well-designed financial process automation software, however, adds the ability to segregate controls by transaction and maintains an ongoing record of what action was performed by whom. This approach prevents a user from performing conflicting functions in the same transaction.

4. Policies and procedures enforcement: Even the most sophisticated compliance procedures are useless if they are not followed. Financial process automation software enforces corporate policies by asserting incorruptible control over procedures; any attempt to bypass them triggers reminders and alerts.

5. Properly maintained transaction-level backup: The greatest risk for accounting fraud lies in the messy world of paper-based, transaction-level backup documentation. Best-practice financial process automation software links source documents to the SAP financial record via capture technology, merging the paper trail into the digital world and making all backups easily accessible.

6. Internal and external audit support: It's important to do more than just verify that records are accurate; companies must also ensure that an auditor can easily access those records. Well-implemented financial process automation software gives auditors the complete transaction history of who accessed what document and when, as well as all backup documentation.

7. Error reduction: When finance uses manual, paper-based processes, even a minor error can trigger a cascade of time-consuming and expensive consequences. With financial process automation, however, automated controls and alerts can identify errors early on, before they become costly time-sinks.
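Pillars 2, 3, 4, and 6 above (ordered approvals, transaction-level segregation of duties, alerts on bypass attempts, and an auditor's view of who did what and when) as one added Python illustration. This is not 170 MarkView or SAP code: the invoice workflow is a toy, and the users, roles, conflict pairs, step order, and invoice numbers are constructed assumptions.

```python
"""Transaction-level segregation of duties with an audit trail and bypass alerts,
shown on a toy invoice workflow. Added illustration, not 170 MarkView or SAP code;
the users, roles, invoice numbers and rules are constructed."""
from datetime import datetime, timezone


class PolicyViolation(Exception):
    """A step attempted out of order or by a user without the required role."""


class SoDViolation(PolicyViolation):
    """One user attempting two conflicting functions on the same transaction."""


# Constructed control design: conflicting function pairs, role per function, step order.
CONFLICTS = {("create", "approve"), ("approve", "pay"), ("create", "pay")}
ROLE_FOR = {"create": "clerk", "approve": "manager", "pay": "treasury"}
NEXT_STEP = {None: "create", "create": "approve", "approve": "pay"}


class InvoiceWorkflow:
    def __init__(self, roles: dict):
        self.roles = roles      # user -> set of roles (constructed authorisation table)
        self.audit = []         # (when, user, function, invoice, outcome), every attempt
        self.alerts = []        # blocked attempts that should reach a reviewer
        self._steps = {}        # invoice -> [(function, user)] completed so far

    def _log(self, user, function, invoice, outcome):
        entry = (datetime.now(timezone.utc).isoformat(), user, function, invoice, outcome)
        self.audit.append(entry)
        if outcome != "ok":
            self.alerts.append(entry)

    def perform(self, user: str, function: str, invoice: str) -> None:
        """Run one step, enforcing step order, SoD at transaction level, and role."""
        done = self._steps.setdefault(invoice, [])
        last = done[-1][0] if done else None
        try:
            if NEXT_STEP.get(last) != function:
                raise PolicyViolation(f"{function} is not allowed after {last}")
            for prev_function, prev_user in done:
                if prev_user == user and (prev_function, function) in CONFLICTS:
                    raise SoDViolation(f"{user} already performed {prev_function} on {invoice}")
            if ROLE_FOR[function] not in self.roles.get(user, set()):
                raise PolicyViolation(f"{user} lacks role {ROLE_FOR[function]}")
        except PolicyViolation as exc:
            self._log(user, function, invoice, f"blocked: {exc}")   # the attempt is recorded
            raise
        done.append((function, user))
        self._log(user, function, invoice, "ok")

    def transaction_history(self, invoice: str) -> list:
        """Auditor view: every attempted and completed action on one invoice."""
        return [e for e in self.audit if e[3] == invoice]


def run_demo():
    """Constructed scenario: erin holds both clerk and manager roles, so a role-level
    check alone would let her approve her own invoice; the transaction-level check does not."""
    wf = InvoiceWorkflow({"erin": {"clerk", "manager"}, "bob": {"manager"},
                          "carol": {"treasury"}})
    outcome = {}
    wf.perform("erin", "create", "INV-1001")
    try:
        wf.perform("erin", "approve", "INV-1001")       # self-approval
    except SoDViolation:
        outcome["self_approval"] = "blocked"
    try:
        wf.perform("carol", "pay", "INV-1001")          # payment before approval
    except PolicyViolation:
        outcome["pay_before_approval"] = "blocked"
    wf.perform("bob", "approve", "INV-1001")
    wf.perform("carol", "pay", "INV-1001")
    outcome["completed_steps"] = [function for function, _ in wf._steps["INV-1001"]]
    outcome["alerts"] = len(wf.alerts)
    return wf, outcome


if __name__ == "__main__":
    wf, outcome = run_demo()
    print(outcome)
    for entry in wf.transaction_history("INV-1001"):
        print(entry)
```

The design choice worth noting is that the SoD check runs against the history of this one invoice, not against the user's role list: erin legitimately holds both roles, and the text's point is that role-level SoD would not stop her from approving what she created. Blocked attempts are written to the same audit log as successful steps, so the auditor's view shows the bypass attempts as well as the completed chain.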
Consider 170 MarkView for Your Financial Process Automation

The 170 MarkView Financial Suite gives finance executives visibility and control over their core financial processes, such as accounts payable and expense management. With SAP-certified integration, 170 MarkView embeds best practices into the end-to-end automation of financial processes to help companies reduce costs, strengthen internal controls, and improve their visibility and service levels.

To learn more about how 170 Systems, an SAP software partner, can help you leverage your SAP investment, visit www.170systems.com/SAP.
Atrion Helps EH&S Teams Stay Compliant in the Face of New REACH Regulations

David Lavoie
Executive Vice President, Marketing
Atrion International Inc.

Europe has adopted an ambitious new framework, Registration, Evaluation, and Authorization of Chemicals (REACH), to regulate the manufacture, import, marketing, and use of chemicals. REACH officially came into force on June 1, 2007, so environment, health, and safety (EH&S) departments are now gearing up to meet its requirements.
Keep Pace with REACH Requirements

Atrion International's products and content are fully integrated with SAP EH&S environments. Additionally, Atrion's consultants can help implement enhanced SAP EH&S functionalities, including the upcoming SAP International Uniform Chemical Information Database (IUCLID) 5 Interface and SAP REACH Portal, in line with progressive REACH legislation deadlines.

For example, in 2008 the pre-registration phase of REACH legislation requires companies to determine which chemicals they need to track. With the REACH substance volume tracking (SVT) capability within SAP EH&S, Atrion and partner Linx/AS can assist in SVT implementations.

Another REACH requirement will directly affect regulatory documents, such as the Safety Data Sheet (SDS). Atrion's REACH Solution for SAP EH&S Environments automatically updates SDSs specifically for REACH specifications within SAP EH&S environments. Atrion simplifies and ensures its up-to-date global content for SDS by monitoring regulatory changes and maintaining a validated database of rules through a network of regulatory, chemistry, and toxicology experts (see Figure 1).
Take Advantage of Atrion's REACH Expertise

Atrion's experienced consultants can help customers develop exposure scenarios and appropriate risk management measures; provide updated regulatory content to allow automated generation of Safety Data Sheets and Chemical Safety Reports; define collection and pre-registration requirements for documentation; and implement the SAP Document Management system and project management components of SAP EH&S and the REACH Portal. Atrion's offerings for SAP EH&S environments also have these key benefits:

- Customers can produce compliance documents in more than 40 languages
- As soon as legislation changes, regulatory content is updated to keep clients compliant
- With Atrion's compliance engine, users can make audit reports based on rules used for regulatory classification

Conclusion

By leveraging their investments in SAP EH&S, enterprises can avoid increased operational costs associated with meeting REACH regulations. Atrion International offers products and services to ensure successful compliance measures. For more information, call +1 888 8-ATRION (in North America) or +31 24 329 7420 (in the EU). Or visit us at www.atrionintl.com and www.linxas.com.
FIGURE 1: Atrion's REACH Solution for SAP EH&S environments
Governance, Risk, and Compliance: Moving Beyond Integration to Enterprise Strategy

David J. Evans
Managing Director, Technology Solutions, SAP Practice
BearingPoint

J.R. Reagan
Managing Director and Global Solution Leader, Risk, Compliance, and Security
BearingPoint
Governance. Risk. Compliance. There are substantial benefits to implementing an integrated solution to address these issues. Organizations can dramatically improve organizational transparency so that precise risks, and what can be done to mitigate them, are understood across multiple business units and functions. An integrated governance, risk, and compliance (GRC) strategy will also improve accountability and ownership for risk management throughout the enterprise. Further benefits can include reduced audit fees, lower cost of capital, and enhanced operational efficiency, all things that directly impact the bottom line.

Yet, there can be significant challenges to successfully establishing a GRC initiative:

- It can be very difficult to justify costs in the short term
- As GRC moves from being an organizationally siloed concern to an enterprise-wide one, it must be addressed in a much more holistic manner
- Companies must take a risk-based approach rather than indiscriminately documenting organizational activities

Technical and organizational complexities further complicate GRC efforts. These challenges can be specific to your company's industry requirements, reinforcing the need for solutions tailored to specific risk-management situations.
Understanding Your Exact GRC Needs

It's critical to comprehensively assess, plan, and design GRC requirements and processes, and then to identify which components of GRC technology you need to align those processes with overall corporate strategy (see sidebar). This upfront work shouldn't lead you to analysis paralysis but to a system implementation that's justified with a solid business case and benefits that meet your particular needs.

A Framework for Actionable Results

At BearingPoint, our approach to GRC (see Figure 1) goes beyond helping an organization formulate strategy and establish processes. BearingPoint provides an end-to-end view of GRC that delivers an actionable, operational plan, moving from the initial requirements assessment and analysis through technology deployment.

BearingPoint has been named a leader in risk consulting services, according to "The Forrester Wave: Risk Consulting Services, Q2 2007" report (June 2007). For more information, visit www.bearingpoint.com/sap.
5 Questions to Reach GRC Readiness and Success

To increase your chances of success, BearingPoint recommends that you ask yourself five questions before embarking on a GRC initiative:

- Why do we need a GRC framework?
- Why doesn't our current GRC strategy work for our organization?
- What should we improve within our current GRC strategy?
- What are the risks of not improving our GRC strategy?
- What benefits do we hope to gain as a result of a new GRC strategy?

Addressing these questions will help you implement a GRC strategy that results in tangible benefits to your organization.
FIGURE 1: BearingPoint's big-picture GRC framework for security, risk, and compliance
Remaining Compliant: Use CSI KPIs to Identify and Analyze Weak Spots in Your Company's Governance

Federico Pagiola
Partner
CSI Switzerland

Werner van Haelst
Partner
CSI Netherlands
Following the introduction of legislation, such as the Sarbanes-Oxley Act, most companies have completed intensive projects to establish internal controls and ensure compliance. Now, companies face a new challenge: How do they maintain compliance and control levels, especially as their business processes fluctuate?

Many in the SAP user community are finding that remaining compliant requires an entirely new set of processes, and that these processes must seamlessly integrate into their SAP systems so as not to interrupt everyday business.

Unlike the bottom-up approach that many companies used to first implement compliance practices (using analysis tools for controls and security, such as CSI Accelerator, to pinpoint areas where remediation was needed), we recommend a top-down approach to remaining compliant. Give management a clear indication of control status and allow them to drill down and identify potential areas of concern through key performance indicators (KPIs).
Generate Intuitive, Automated KPIs

KPIs must be understood quickly and should be easy to set up and automate with the right tools. With some of our clients, for example, we set our CSI Authorization Auditor to regularly collect and analyze information on access rights and segregation of duties (SoD) within a company's business processes. Using the CSI Export to Excel tool, we could then process the data into a radar chart that groups results by business domains for easy analysis (see Figure 1).

The resulting KPI, nicknamed the "Rose of Rights," provides a powerful view of current control rights. It also indicates both good and bad compliance trends and triggers immediate alerts on control failures in the SAP system. With this KPI, decision makers can access analytics to focus on measuring risk. They can also see areas within the company that are successfully balancing compliance controls.
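As an added illustration (not CSI's tool or data), here is a Python sketch of how such a per-domain SoD KPI can be computed from an access-rights export: the transaction codes, SoD rules, users and the outer-line threshold are constructed placeholders. A domain in which nobody holds one half of a needed pair is flagged for review as possibly over-restrictive, which is an assumed reading of the "excessively strict" centre of the rose.

```python
"""Per-domain SoD KPI modelled on the "Rose of Rights" radar chart (added example,
not CSI's tool; transaction codes, rules, users and thresholds are constructed)."""
from collections import defaultdict

# Constructed SoD rules: (business domain = one axis of the rose, tcode A, tcode B).
# A user holding both A and B is an SoD conflict in that domain.
SOD_RULES = [
    ("Procure-to-Pay", "CREATE_VENDOR", "POST_PAYMENT"),
    ("Order-to-Cash", "MAINTAIN_CUSTOMER", "POST_CASH_RECEIPT"),
    ("Basis", "CREATE_USER", "ASSIGN_ROLE"),
]

# Constructed user-to-transaction export, as an authorization audit would list it.
USER_TCODES = {
    "u001": {"CREATE_VENDOR", "POST_PAYMENT"},          # conflict
    "u002": {"CREATE_VENDOR"},
    "u003": {"MAINTAIN_CUSTOMER", "POST_CASH_RECEIPT"},  # conflict
    "u004": {"MAINTAIN_CUSTOMER"},
    "u005": {"POST_CASH_RECEIPT"},
    "u006": {"MAINTAIN_CUSTOMER"},
    "u007": {"ASSIGN_ROLE"},                             # nobody holds CREATE_USER
}

OUTER_LINE = 0.25  # assumed: a conflict rate beyond this is a risk concern


def find_conflicts(user_tcodes, rules):
    """Return {domain: set of users holding both halves of a conflicting pair}."""
    hits = defaultdict(set)
    for domain, a, b in rules:
        for user, tcodes in user_tcodes.items():
            if a in tcodes and b in tcodes:
                hits[domain].add(user)
    return hits


def domain_kpis(user_tcodes, rules, outer=OUTER_LINE):
    """One radar axis per domain: share of its active users with an SoD conflict."""
    conflicts = find_conflicts(user_tcodes, rules)
    kpis = {}
    for domain, a, b in rules:
        active = {u for u, t in user_tcodes.items() if a in t or b in t}
        clashing = conflicts.get(domain, set())
        rate = len(clashing) / len(active) if active else 0.0
        # If nobody holds one half, the function cannot be performed at all: an
        # assumed reading of the "excessively strict" centre of the rose.
        covered = all(any(tc in t for t in user_tcodes.values()) for tc in (a, b))
        if rate > outer:
            status = "risk"    # beyond the outer dotted line: monitor closely
        elif not covered:
            status = "review"  # possibly over-restrictive: check the function is staffed
        else:
            status = "ok"
        kpis[domain] = {"active_users": len(active), "conflicts": sorted(clashing),
                        "rate": round(rate, 3), "status": status}
    return kpis


if __name__ == "__main__":
    for domain, k in domain_kpis(USER_TCODES, SOD_RULES).items():
        print(f"{domain:15} rate={k['rate']:.2f} {k['status']:6} conflicts={k['conflicts']}")
```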
The Components of a Successful Compliance KPI

A successful compliance monitoring process is one that can quickly indicate potential problems, give early warnings of trends, and offer easy, intuitive analysis of compliance processes. With CSI's KPI-based approach to compliance management, business managers can view SAP authorizations in a simple, nontechnical way; this is key to a successful GRC strategy that extends far beyond implementation.

For more information on CSI's GRC consulting services and software solutions, please visit www.csi4grc.com.
Werner van Haelst
Partner
CSI Netherlands
FIGURE 1: CSI's Rose of Rights analytic KPI presents compliance of SAP authorizations and SoD; managers can quickly recognize any measurements beyond the outer dotted line as risk concerns that should be monitored closely, while areas of excessively strict controls are also visible in the center of the rose.
Why Change Management Should Be a Top Compliance Priority
Ensure Compliance by Automating and Documenting Your Processes
David Drake
Founder and Chief Executive Officer
Revelation Software Concepts, Ltd.
The impact of the Sarbanes-Oxley Act continues to hit home as companies realize that its mandated audit capability is no simple order to fill, especially if they don't have strong change management processes in place. Even simple changes to an extensive business information system can have unanticipated consequences.

Say you're planning to enhance your visibility and reporting capabilities, which are key to maintaining compliance. These changes require auditable change management processes to ensure the revised reporting capability changes are approved and documented in accordance with a company's internal control processes. Change management is no longer just a technical issue; it is now business critical.
Automate to Ensure Compliance

You likely already have change management processes in place, perhaps based on widely accepted best practices from the Information Technology Infrastructure Library (ITIL).1 The logical next step in using change management to ensure compliance is to automate these processes. Eliminating manual processes can help guarantee that deviations from the change control process won't go undetected, and that they don't happen in the first place!

Rev-Trac from Revelation Software Concepts is a solution that allows users to automate and enforce their change management processes, such as workflow, change control, transport migrations, electronic signature authorizations, and document referencing. This automation frees users to focus on managing changes rather than adhering to processes, ensures that they follow robust procedures, and assures change control teams that everyone who touches any aspect of change management within the organization is using a consistent and fully auditable process.

Additionally, Rev-Trac's process automation prevents accidental system disruptions by providing built-in extended object and configuration locking, even across multiple landscapes, and incorporated overtake and overwrite prevention.

1 For more information about ITIL best practices, see www.best-management-practice.com.
Leave a Fully Auditable Change Trail

Since compliance regulations require firm policies for processes, authorizations, and documentation, Rev-Trac is designed to enforce your policies so compliance is independent of everyday practices. With Rev-Trac, for example, you can always trace technical changes back to their specific change requests. Rev-Trac also prevents processes from progressing before all proper approvals are gained, necessary documents are completed, or test results are fully documented. Nothing falls through the cracks as it might have when using manual, paper-based processes.

Automating your change management processes also means that these processes will be enforced and that every change made in your system will be documented. This is key since, at its core, compliance is about proving the success of your internal controls and making them fully visible to an auditor, for example. With Rev-Trac, you'll be able to approach compliance issues assured that all technical changes have been referenced. A full audit trail, including the process followed, approvals received, and approvers for each status, will also be generated for each change.

Rev-Trac makes all information available, complete with drill-down capabilities to key levels of detail, from the Rev-Trac console, where an auditor can easily identify changes requiring inspection and drill down into the audit trail to make certain compliance requirements were met.
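To show what such a gated, auditable change process looks like in code, here is an added example (not Revelation Software's Rev-Trac code) of a change request that refuses to advance until the approvals, documents and test results required for its current status are recorded, logs every blocked or promoted step, and can trace a transport back to its change request. The status names, approver roles, document names and transport id are constructed.

```python
"""Gated change request with an audit trail (added example, not Revelation
Software's Rev-Trac code; statuses, roles, documents and ids are constructed)."""
from dataclasses import dataclass, field

# Constructed workflow: to leave a status, the request needs these approver
# roles, these attached documents and, where flagged, a passed test per transport.
GATES = {
    "development": {"approvers": {"dev_lead"}, "documents": {"change_request"}, "tests": False},
    "qa": {"approvers": {"qa_lead", "business_owner"}, "documents": {"test_plan"}, "tests": True},
}
ORDER = ["development", "qa", "production"]  # production is terminal


@dataclass
class ChangeRequest:
    cr_id: str
    transports: set = field(default_factory=set)      # transport requests carried by this CR
    status: str = "development"
    approvals: dict = field(default_factory=dict)     # status -> {approver roles}
    documents: set = field(default_factory=set)
    test_results: dict = field(default_factory=dict)  # transport -> "pass" / "fail"
    audit_trail: list = field(default_factory=list)   # every approval, block and promotion

    def approve(self, status, role):
        self.approvals.setdefault(status, set()).add(role)
        self.audit_trail.append(("approval", status, role))

    def missing_for_promotion(self):
        """List the unmet gate conditions for the current status (empty = may advance)."""
        gate = GATES.get(self.status)
        if gate is None:
            return ["terminal status"]
        got = self.approvals.get(self.status, set())
        missing = [f"approval:{r}" for r in sorted(gate["approvers"] - got)]
        missing += [f"document:{d}" for d in sorted(gate["documents"] - self.documents)]
        if gate["tests"]:
            missing += [f"test:{t}" for t in sorted(self.transports)
                        if self.test_results.get(t) != "pass"]
        return missing

    def promote(self):
        """Advance one status; refuse, and record why, when any condition is unmet."""
        missing = self.missing_for_promotion()
        if missing:
            self.audit_trail.append(("blocked", self.status, tuple(missing)))
            return False
        nxt = ORDER[ORDER.index(self.status) + 1]
        self.audit_trail.append(("promoted", self.status, nxt))
        self.status = nxt
        return True


def trace_transport(requests, transport):
    """Map a transport back to the change request that carries it (None if untracked)."""
    return next((cr.cr_id for cr in requests if transport in cr.transports), None)
```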
Conclusion

Rev-Trac change control management ensures you can prove your compliance measures. There are no additional network security, disaster recovery plan, database administration, or desktop rollout requirements; if you're running SAP solutions, you've got all you need to run Rev-Trac. And since Rev-Trac lives in the SAP system, it comes with a low TCO.

For more information, visit www.xrsc.com.
With Rev-Trac's automated signature verification processes, you'll no longer have to chase after signatures only to be told somebody just left for luncheon or for a conference in Hong Kong.
Mehrdad Talaifar
Vice President
Partner Network
Sabrix, Inc.
The Coming Revolution in Tax Reporting and Compliance
Prepare for a Tax-Specific Workflow as Part of Your GRC Strategy
Mike Roberts
Director
Tax Management Consulting
Deloitte
Ainol Yaacob
Senior Manager
Tax Management Consulting
Deloitte
Increased shareholder interest means that tax considerations are now high on the priority list when it comes to companies' governance, risk, and compliance (GRC) efforts, especially given the complexity of tax rules and the significant impact of tax on financial results. Imagine the level of risk involved when accurate tax liability has to be accounted for in every business transaction, on every invoice. What would happen if data quality and integrity is limited or poor?
It Is Critical to Know Where Your Tax Risk Lies

Tax departments are aware of ERP systems' limitations when it comes to determining and calculating various types of tax and providing reports to comply with numerous rules and regulations. Because of increased stakeholder interest, tax departments are required to understand limitations in systems and processes and must identify underlying tax risks within record to report (R2R) processes (see Figure 1).

There is also a greater push from fiscal authorities to undertake systems audits and electronic filing of tax returns. As a result, global businesses must now rethink their approach and investment in tax R2R processes.
Big Changes in the World of Tax Management

Historically, tax professionals have built technology mostly in the report portion of the R2R cycle and in workflow management. However, the last year has heralded a revolution in this approach. Tax consultancies, which now commonly advise clients across the entire tax R2R process, have found several frequently encountered issues:

- Lack of consistency and inadequate quality of data for tax reporting and compliance, often resulting in duplication of efforts and resources
- Difficulty obtaining data for tax reporting and compliance, resulting in labor-intensive tax reporting cycles
- The translation gap between clients' own IT functions and tax departments in terms of identifying, mapping, and maintaining tax reporting and compliance requirements

These issues have the potential to create costly maintenance problems in traditional ERP systems. Organizations need to engage the appropriate tax experts and technologists to ensure that their ERP solution includes tax processes from beginning to end.
This is why the tax workstream within GRC is so important. The right transaction tax engine and implementation team can help tax functions mitigate and control tax risks within R2R processes. We've also found that fully integrated, bolt-on tax applications allow IT departments to focus on their core responsibilities while giving the tax department tools to effectively manage global transaction tax needs.

Additional benefits to having an automated and consolidated tax reporting and compliance solution include visibility to tax-specific information, a centralized repository of rules and policies, tax department control over tax policy enforcement, increased accuracy, consistency, and efficiency in tax data recording, and decreasing compliance efforts and costs.

For more detailed information, please visit www.sabrix.com and www.deloitte.com.
FIGURE 1: Tax risk can arise in any area within the R2R process.
Incorporate Security Intelligence into Business Intelligence
Make Risk Management Part of Your Company's Overall Decision-Making Strategy
Mario Linkies
Chief Executive Officer
SECUDE Global Consulting AG
Dr. Frank Off
Chief Consulting Officer
SECUDE Global Consulting AG
Successful companies use business intelligence (BI) systems like SAP NetWeaver BI and SAP SEM for their operational and strategic business management. So top managers are already accustomed to using BI to identify forecasting scenarios and key performance indicators (KPIs) to help them make the right strategic and operational decisions.

But on top of day-to-day BI, companies are seeing an increase in business risks that they must mitigate to remain competitive. Key business decisions must take into account KPIs that can control risks in an effective, compliant, and secure way. To do this, SECUDE Global Consulting (SGC) recommends building a security intelligence framework, based on SAP's solutions for governance, risk, and compliance (GRC), to infuse your BI strategy with knowledge from your previous experience in risk evaluation and mitigation.
Infuse Security Intelligence in BI Analytics

Security intelligence provides appropriate and comprehensive measures, both internal and external, for risk control and sustainability within a business environment. SGC's vision for a security intelligence framework is built on our model of enterprise risk management (ERM), an internal methodology used to make security decisions.1 But security intelligence takes ERM a step further to consider aspects like security incidents, noncompliance violations, and other security-related factors in major business decisions.

Think of security intelligence as a warehouse in which to record your experiences in building and implementing risk management procedures. You can then use your previous experiences to decide how to handle new risk mitigation challenges and use those experiences to update your security information framework (see Figure 1).
For example, consider a manager at a retail company who has to decide whether to introduce a new RFID-based logistics and payment system. Business KPIs such as cost reduction might make this transition look promising. But if this manager has a security intelligence framework in place, he could notice that such an RFID system often results in fraud incidents and manipulation deficiencies. Because of these risks, the manager could decide to introduce RFID technology on a smaller scale, to get a better picture about the possible business risks before moving forward. And with the information gleaned from this trial RFID implementation, the company could further refine their security intelligence warehouse to help manage future risk situations.

1 For more about building an ERM framework, see www.secude-consulting.com.
Set Up a Security Intelligence Warehouse to Help Make Risk Management Decisions

SECUDE Global Consulting can help you to set up an integrated security intelligence framework that fits your specific business needs. SGC's mission is to help enhance and sustain your business by identifying and limiting risks. For more information, visit us at www.secude-consulting.com.
FIGURE 1: The SECUDE Global Consulting security intelligence framework fosters a cyclical approach to security; the information in your security intelligence warehouse feeds into, and is fed by, risk management experience.
Eric Kang
Senior Vice President
SAP Security Technology
SECUDE Global
Consulting (US), LLC