oct nov dec 07pdf2

Upload: charm23

Post on 03-Apr-2018


  • 7/28/2019 Oct Nov Dec 07pdf2


special feature

Reproduced with permission from the Oct/Nov/Dec 2007 issue of SAP Insider | www.SAPinsideronline.com

Governance, risk, and compliance

12 Risk Management Essentials Every SAP Customer Now Needs to Know

Narina Sippy
Senior Vice President
SAP solutions for GRC

Business risk. The unknown. The unpredictable. The things that affect business outcomes but lie outside your managerial sphere of control. It's not just finance departments and risk managers who grapple with risk and uncertainty. We all do.

Risk possibilities are endless. Those responsible for the development, marketing, and sales of products and services know that a competitor can quickly overtake those products or services, or that new technologies can render them obsolete. A hurricane might disrupt the delivery of important materials from a supplier in Louisiana, a change in euro-to-dollar valuation might affect your ability to sell in France, evolving technology could stifle your online retail business, or a product safety issue could hit the press and mar your company's reputation. These are the risks of everyday business that should be part of your strategic and budgetary planning.

Inherent in every business decision we make are elements of risk and uncertainty. In fact, a 2006 Accenture global study comprised of interviews with 436 senior executives at major companies in North America, Europe, and Asia ranks managing risk at the top of executives' priority lists.1

In this article, Narina Sippy, SAP Senior Vice President and General Manager of SAP solutions for governance, risk, and compliance (GRC), explains why companies are investing heavily in risk management and what risk management essentials the SAP customer base now needs to understand.

Inside

S-3 | What Data Governance Model Is Right for Your Company? (BackOffice Associates & CranSoft, Inc.)
S-5 | Sustain Your GRC Strategy with Continuous Controls Monitoring (Ernst & Young)
S-7 | Use Master Data Management to Master Your Compliance Initiatives (Siperian)
S-9 | Do Your Testing Methods Work in Concert with Your Compliance Efforts? (Worksoft, Inc.)
S-11 | The 7 Pillars of Strong Internal Controls (170 Systems, Inc.)
S-12 | Atrion Helps EH&S Teams Stay Compliant in the Face of New REACH Regulations (Atrion International Inc.)
S-13 | Governance, Risk, and Compliance: Moving Beyond Integration to Enterprise Strategy (BearingPoint)
S-14 | Remaining Compliant (CSI)
S-15 | Why Change Management Should Be a Top Compliance Priority (Revelation Software Concepts, Ltd.)
S-16 | The Coming Revolution in Tax Reporting and Compliance (Sabrix, Inc. & Deloitte)
S-17 | Incorporate Security Intelligence into Business Intelligence (SECUDE Global Consulting)
S-18 | Tips for Building a Successful GRC Project Methodology (Turnkey Consulting)

1 Accenture study (September 19, 2006). See www.accenture.com/Countries/Canada/About_Accenture/Newsroom/ManagingRiskRanks.htm for more information.

The correlation is clear: Vigilant risk management leaves your business in good standing with shareholders and boosts potential profits. Ineffective risk management leaves your business exposed and hides potential opportunities. Executives are becoming acutely aware of this, and none want to be caught off guard.

But implementing limited-scope practices that address risk at only the highest levels or assigning a department to identify risks in an ad hoc project does very little to address your business exposure and lost opportunities.

Many executives don't understand how to approach risk management strategically. Others don't have risk management capabilities at their disposal; they lack tools and metrics to analyze risk/reward trade-offs and proceed accordingly.

Risk management does not happen only at the board level either. Risks and opportunities clearly exist throughout all levels of the organization, across all business processes. Consider the various internal teams and partners involved in your supply chain. Do they have collaborative indicators to apprise them of goods delays, outstanding duties or taxes, or import/export license renewals? Chances are, they don't. But implementing these types of controls to warn of actual or likely risk events can reduce the impact of the event. Once controls are in place, you not only minimize delays and penalties, you also realize strategic gains:

• Money previously lost to fines or production delays is now available for strategic investment
• The very same information used to assess risk and provide early warnings proves invaluable to logistics and inventory optimization
• Early warnings can help in managing customer expectations, thereby preserving your customer base

So it's not just risk mitigation that's driving the demand for risk management tools. These benefits of risk management also account for the strong demand.

Remember, all loss events negatively affect the bottom line. Plant managers, safety managers, product development teams, HR, customer service, and sales teams all have to contend with loss events and all stand to benefit from a better understanding of risk factors in their planning and optimization activities.

The common challenge I see is that nearly all of these organizations are ill-equipped to evaluate and manage risk. And whatever measures are in place are often isolated from risk management initiatives across the company.

So I'm now seeing high demand, across the board, for risk management tools. At the same time, there's an awakening to the fact that risk doesn't confine itself to nice, neat silos. There are lots of interdependencies, and at the top of the corporate ladder there's a need for integrated risk management that spans all areas of the business and for an understanding of the relationships that bind those areas.

Companies need a systematic way to identify, evaluate, and manage risks across all phases and facets of their business. That's why we're now working with so many customers, helping them forge a GRC initiative that provides a unified approach to corporate risk across their enterprise.

Risk Management Considerations Every SAP Customer Needs to Understand

1. DO openly support risk management at the executive level and make it a part of the company culture.

2. DON'T make risk management a one-time or theoretical exercise, one that's considered unimportant to executives.

3. DO look at the interplay between different types of risks: strategic, operational, financial, human capital, hazards, and natural disasters.

4. DON'T limit your risk management activities to reactive contingency plans.

5. DO establish a common infrastructure, a set of metrics, and even a language for your risk discussions.

6. DON'T overcomplicate the risk management process. For risk management to be adopted by everyone, it cannot be perceived as an experts-only function.

7. DO ensure that all key stakeholders collaboratively share the responsibility of identifying, mitigating, and managing risk across processes. It's better to have several thousand keeping an eye out for risk rather than a few dozen.

8. DON'T make risk management an isolated function or leave it to a single department.

9. DO look at risk as part of your strategic business planning and operations processes. Incorporate risk management in planning and budgeting by identifying key risk indicators that can be tracked as you implement strategy through your day-to-day activities.

10. DON'T separate risk from how you run the business.

11. DO make risk consideration a part of corporate performance management to understand the upside of business decisions and recognize the impact of poor risks.

12. DON'T leverage risk management tools only at the lowest operational level merely to mitigate risk.

Even finance organizations, which tend to be among the most advanced in terms of risk management within a company, often do not have sufficient visibility into risk events that can impact profitability.

3 Steps to Implement Risk Management

It's not an overstatement: The goal is to integrate risk management into the everyday lives of every manager to enable them to see and assess the company's complete risk profile. There is no question that this provides the most strategic benefit to an organization. So how does one transform risk management from a reactive process into a strategic weapon? I recommend a three-step approach:

1. Identify the wealth of risk management-related information already available to your company in SAP ERP and other ERP systems. Part of the evolution toward a more mature enterprise risk management framework incorporates existing business practices reusing information

Article continues on page S-19


Tom Kennedy
Founder, BackOffice Associates & CEO, CranSoft, Inc.

What Data Governance Model Is Right for Your Company?

Sound GRC Initiatives Rely on Quality Data

An essential element of any successful corporate governance, risk, and compliance (GRC) initiative is quality data. The accuracy of all GRC-related analysis depends on the underlying quality of the transactional and master data within your ERP systems. And yet, while it would be unthinkable for a corporation to bypass quality control on the production floor, companies are still producing data with little or no quality control on a daily basis.

To ensure sustainable data quality, it is essential to consider a data governance initiative complete with remediation tools to establish metrics for data accountability. Companies implementing their first data governance initiative must understand the different levels of data governance and carefully decide which one is the right fit for their organization (see Figure 1).

As market forces drive GRC issues to the forefront of mainstream business processes, companies need to ask: Is our data ready to meet the goal of a sustainable GRC strategy?

4 Levels of Data Governance

Many companies are setting up departments or teams to take charge of and responsibility for data quality throughout their enterprise (see sidebar on the next page). To date, we have seen various levels at which data governance strategies are implemented:

No data governance: This is the "Wild West" model. Every user is trusted to enter in their data accurately and on time, all while minding corporate standard operating procedures and compliance statutes. The reality? Despite rigorous training, most users do not follow standard operating procedures. Based on the resulting lack of control and accountability, this is the least efficient and most risky model.

Center of Excellence (COE): This model tasks a central group with the responsibility of creating and verifying all data requests before posting them to the SAP system. The intention is to have a central core entering an agreed-upon "single version of the truth." However, in many cases this model results in slow data-entry times and costly downstream effects.

Passive data governance: Users enter data into the SAP system, and then a toolset or reporting mechanism iteratively identifies data-related errors within that system. Errors are automatically reported back to their authors for correction and quality metrics are delivered to management. This model enables a valuable, measurable process.

Active data governance: All data required to support the configured SAP business processes is collected prior to posting into the SAP system and validated automatically through a collaborative environment. This eliminates the possibility of business-process interruptions due to omissions, duplicates, consistency and content errors, or a lack of standards.

FIGURE 1: The four models of data governance; as automation increases, resolution time and business process interruptions decrease.

Recommendation: Start with a Minimum of Passive Data Governance

The "no data governance" model is just too risky. And although the COE model may improve the quality of data, it also increases the time required to collect, validate, and enter that data into the SAP system. This model also proves difficult to scale with a growing SAP footprint. Accordingly, many companies implementing their first data governance strategy look to the passive data governance model to introduce automation and create accountability and data ownership at the user level.

We recommend that you start building your passive data governance strategy by acquiring a preconfigured toolset built for your unique data challenges. This toolset should include out-of-the-box functionality for workflow enablement, quality-metrics reporting, and duplicate detection. For global organizations, the tools should also be multilingual. Most importantly, the toolset should be easily configurable for business people, not just for IT. Enabling business users to control data and its quality is imperative to effectively encapsulating your specific business-process requirements.

Once you implement this toolset, you'll also need to build a business process repository based on your current data requirements. Over time, the configuration of this repository should be capable of iteratively reporting on all business-critical master and transactional data. BackOffice Associates has built our own passive governance solution, DataDialysis, specifically made for SAP systems to fulfill all of these requirements.

Since the passive model's automation of data governance implements control while alleviating the bottlenecks associated with manual data entry, it is considered a great step forward. However, it does not always solve the entire data-governance conundrum.

For More Sophisticated Needs, Consider Active Data Governance

For some companies, including those operating in strictly regulated industries like pharmaceuticals, an active data governance initiative is necessary to control and validate data prior to entry into an SAP system.

Remember that the primary mission of data governance is to enhance bottom-line performance by eliminating business process interruptions related to incomplete, missing, or erroneous data, while fully complying with general business and industry-specific GRC regulations. The best way to accomplish this is to restrict any data that is not business-ready from ever reaching the SAP system. An active data governance model achieves this by implementing an automated system to manage the data collection and validation process, not just the remediation of existing data, as is the case with passive data governance.
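The difference between the passive and active models is where the validation runs: after posting, with errors reported back to their authors and a quality metric to management, or before posting, so that a non-conforming record never reaches the system. The following Python script is an added example, not code from the article, from BackOffice Associates or from CranSoft. It runs the four rule families the text names (omissions, duplicates, consistency errors, content errors) over a constructed batch of vendor master records, once in each mode. The field names, rule names, user names and the records themselves are assumptions made for the example, not an SAP schema.

```python
"""Added example (not from the article or BackOffice Associates/CranSoft):
the same vendor-master business rules run in passive mode (post, then
report) and active mode (validate, then post). Records, field names and
rule names are constructed for the example, not an SAP schema."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of vendor master records as submitted by business users.
SUBMITTED = [
    {"id": "V100", "name": "Acme Pumps GmbH", "country": "DE", "vat_id": "DE123456789",
     "bank_iban": "DE89370400440532013000", "author": "alice"},
    {"id": "V101", "name": "Acme Pumps GmbH", "country": "DE", "vat_id": "DE123456789",
     "bank_iban": "DE89370400440532013000", "author": "bob"},      # duplicate of V100
    {"id": "V102", "name": "Globex Ltd", "country": "GB", "vat_id": "",
     "bank_iban": "GB29NWBK60161331926819", "author": "carol"},    # VAT id omitted
    {"id": "V103", "name": "Initech", "country": "US", "vat_id": "DE987654321",
     "bank_iban": "", "author": "alice"},                          # country/VAT mismatch, no bank
    {"id": "V104", "name": "Umbrella SpA", "country": "IT", "vat_id": "IT01234567890",
     "bank_iban": "IT60X0542811101000000123456", "author": "dave"},
]


@dataclass
class Finding:
    record_id: str
    author: str
    rule: str      # omission | duplicate | consistency | content
    detail: str


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: catches typos, does not prove the account exists."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    digits = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])  # letters -> 10..35
    return int(digits) % 97 == 1


def validate(records):
    """Apply the four rule families the text names to a batch of records."""
    findings, seen = [], {}
    for r in records:
        key = (r["name"].strip().lower(), r["vat_id"].strip().upper())
        if key in seen:
            findings.append(Finding(r["id"], r["author"], "duplicate", f"same name and VAT id as {seen[key]}"))
        else:
            seen[key] = r["id"]
        if not r["vat_id"]:
            findings.append(Finding(r["id"], r["author"], "omission", "vat_id is empty"))
        elif not r["vat_id"].startswith(r["country"]):
            findings.append(Finding(r["id"], r["author"], "consistency", f"vat_id prefix != country {r['country']}"))
        if not r["bank_iban"]:
            findings.append(Finding(r["id"], r["author"], "omission", "bank_iban is empty"))
        elif not iban_checksum_ok(r["bank_iban"]):
            findings.append(Finding(r["id"], r["author"], "content", "IBAN checksum fails"))
    return findings


def active_governance(records):
    """Active model: validate first; only records with no findings are posted."""
    findings = validate(records)
    rejected = {f.record_id for f in findings}
    posted = [r for r in records if r["id"] not in rejected]
    return posted, findings


def passive_governance(records):
    """Passive model: everything is posted, then findings go back to their
    authors for correction and a quality metric goes to management."""
    posted = list(records)
    findings = validate(posted)
    by_author = {}
    for f in findings:
        by_author.setdefault(f.author, []).append(f)
    metrics = {
        "records": len(posted),
        "records_with_errors": len({f.record_id for f in findings}),
        "errors_by_rule": dict(Counter(f.rule for f in findings)),
    }
    return posted, by_author, metrics


if __name__ == "__main__":
    posted, findings = active_governance(SUBMITTED)
    print("active: posted", [r["id"] for r in posted], "with", len(findings), "findings held back")
    posted, by_author, metrics = passive_governance(SUBMITTED)
    print("passive: posted", len(posted), "metrics", metrics)
    for author, items in by_author.items():
        print(f"  to {author}:", [(f.record_id, f.rule, f.detail) for f in items])
```

In active mode only the two clean records are posted and the three problem records go back to their authors before they can interrupt a business process; in passive mode all five land in the system and the same findings arrive afterwards as a correction list per author plus a quality metric for management. The IBAN rule is a checksum only, which catches typos but does not verify that the account exists or belongs to the vendor; that kind of content check needs an external source the example does not model.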

The development team at BackOffice Associates provides a suite of collaborative applications built specifically for SAP systems that manages the data entry and change processes through a validated collaborative workflow environment. These applications, known as the cApps suite, act as "firewalls" for data. They use an automated and transparent process to ensure that only business-ready data reaches the SAP system.

The CranSoft cApps suite, which comprises cMat, cCust, and cVend, is a set of active data governance applications designed specifically for materials, customer, and vendor data. Several Fortune 500 companies are already using these applications to govern their data management strategies. These applications were created for the business user, so the technology skill level is based primarily on intuitive SQL statements. Once live, the solutions help our customers to mitigate risk and rid their SAP systems of low-quality data.

NOTE: Since both the passive and active models are business-critical, we recommend you use a solid passive solution as a roadmap for implementing an active model.

Conclusion

Implementing an automated data governance strategy, whether passive or active, is essential for sustaining a successful GRC strategy. The costs of implementing a holistic data governance solution greatly outweigh the risks involved with using manual data governance or, worse, not having a data governance strategy at all.

To learn more about BackOffice Associates' automated GRC data governance offerings, visit www.boaweb.com or contact us at [email protected].

Data Governance Is Everyone's Responsibility

Many organizations are confused when it comes to who is responsible for the upkeep of data quality. When we ask project teams and leadership who owns the data's quality before, during, and after an SAP implementation, many are quick to say the IT department. Our experience, however, shows that the answer should be the business users. This is not to say that IT has no stake in ensuring data quality, merely that the business must also understand and be held accountable for the quality of their own data.

Companies that embrace this essential view of data quality responsibility and use it to drive their planning, organization, tool selection, and implementation processes will have the most successful data governance strategies.

AMR Research reports that large companies can spend US$250,000 to US$500,000 on service-intensive engagements to find, fix, and prevent data governance problems.1

1 "MDM on a Single ERP Instance: Workflow and Data Quality," an article by Bill Swanton of AMR (www.amrresearch.com).


Sustain Your GRC Strategy with Continuous Controls Monitoring

3 Key Considerations for Building a CCM Program

Michael B. Brunenmeister
Executive Director
Global CCM Solutions Leader
Ernst & Young

Increasing complexity and challenging new business risks pervade today's global environments. To address these risks and meet regulatory requirements, organizations must establish effective internal controls, along with processes to make sure these controls remain repeatable, sustainable, and cost-effective. Therefore, as part of their overall governance, risk, and compliance (GRC) strategies, organizations are building continuous controls monitoring (CCM) programs to improve efficiencies, avoid controls deficiencies, and focus resources on managing critical risks.

With an effective and sustainable CCM program that's designed, managed, and optimized to account for changes such as regulatory shifts, mergers and acquisitions, and system upgrades, an organization can meet its compliance objectives, reduce risk exposures, and meet the expectations of key stakeholders. Over time, as their CCM processes mature, companies can transition from manual risk detection efforts to automated prevention measures.

Organizations considering CCM must first focus on their control objectives and establish sound processes. Ernst & Young has assisted many clients with their CCM programs, gleaning several key learning points from this experience.

1. Create a Foundation for Your CCM Program

A CCM program should include risk detection, prevention, remediation, and compliance components, all focusing on people, processes, and technology. Using CCM to evaluate and monitor key business processes against predetermined business rules enables an organization to identify patterns and anomalies to help minimize potential risk exposures.

When our clients embark on a CCM initiative, the automation or technical aspects often become their primary focus. Although automating the controls can be very beneficial to the organization, we recommend that clients focus initially on the following control objectives:

Application access controls and segregation of duties (SoD) can reduce opportunities for fraud or for material errors by ensuring that financial and operational transactions are properly authorized and approved. A CCM strategy should drive the development and enforcement of effective user and role governance processes, practical SoD rules, and sustainable access controls.

Business process controls help users evaluate system configuration settings to identify events that occur outside of set control limits.

Master and transactional data controls are used to analyze sensitive fields and transactional data against predefined control criteria. The analysis of this data supports the detection of potential controls violations, such as changes to vendor addresses or terms, duplicate payments, timing issues, and other anomalies. Additionally, the transactional data analysis can facilitate business efficiency improvements.
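These control objectives become concrete once they are written as business rules and run as filters over the change and payment data. The following Python script is an added example, not code from the article or from Ernst & Young: it encodes an SoD rule (the same user maintained a vendor's master data and paid that vendor) and two master/transactional data rules (duplicate payments, and a sensitive vendor change shortly before a payment) over a constructed sample of vendor master changes and payment documents, then applies the exception rationalization step so reviewers see only items that still need a decision. The record layouts, user names, the 7-day and 30-day windows and the accepted-exception list are all assumptions made for the example.

```python
"""Added example (not from the article or Ernst & Young): three CCM business
rules applied as filters over a constructed sample of vendor master changes
and payment documents, followed by exception rationalization. Record layouts,
user names, thresholds and the accepted-exception list are assumptions."""
from collections import defaultdict
from datetime import date

# Constructed sample: who changed which vendor master field, and when.
VENDOR_CHANGES = [
    {"vendor": "V100", "field": "bank_iban",     "user": "alice", "date": date(2007, 10, 1)},
    {"vendor": "V102", "field": "address",       "user": "erin",  "date": date(2007, 10, 3)},
    {"vendor": "V102", "field": "payment_terms", "user": "erin",  "date": date(2007, 9, 1)},
]
# Constructed sample: payment documents posted against those vendors.
PAYMENTS = [
    {"doc": "P1", "vendor": "V100", "amount": 12500.00, "invoice": "INV-77", "user": "alice", "date": date(2007, 10, 2)},
    {"doc": "P2", "vendor": "V101", "amount":   980.00, "invoice": "INV-12", "user": "bob",   "date": date(2007, 10, 4)},
    {"doc": "P3", "vendor": "V101", "amount":   980.00, "invoice": "INV-12", "user": "carol", "date": date(2007, 10, 9)},
    {"doc": "P4", "vendor": "V102", "amount":  4300.00, "invoice": "INV-31", "user": "dave",  "date": date(2007, 10, 5)},
    {"doc": "P5", "vendor": "V104", "amount":   150.00, "invoice": "INV-90", "user": "bob",   "date": date(2007, 10, 6)},
]
# Exceptions already reviewed and accepted as legitimate, keyed (rule, vendor):
# the V102 address change was an approved relocation (assumed for the example).
ACCEPTED_EXCEPTIONS = {("vendor_change_before_payment", "V102")}

SENSITIVE_FIELDS = {"bank_iban", "address", "payment_terms"}


def rule_sod(changes, payments):
    """SoD: one user both maintained a vendor's master data and paid that vendor."""
    maintainers = defaultdict(set)
    for c in changes:
        maintainers[c["vendor"]].add(c["user"])
    return [{"rule": "sod_vendor_change_and_payment", "key": p["vendor"],
             "doc": p["doc"], "user": p["user"]}
            for p in payments if p["user"] in maintainers[p["vendor"]]]


def rule_duplicate_payments(payments, window_days=30):
    """Same vendor, amount and invoice reference paid again inside the window."""
    hits, seen = [], defaultdict(list)
    for p in sorted(payments, key=lambda x: x["date"]):
        key = (p["vendor"], round(p["amount"], 2), p["invoice"])
        for earlier in seen[key]:
            if (p["date"] - earlier["date"]).days <= window_days:
                hits.append({"rule": "duplicate_payment", "key": p["vendor"],
                             "doc": p["doc"], "duplicate_of": earlier["doc"]})
                break
        seen[key].append(p)
    return hits


def rule_change_before_payment(changes, payments, window_days=7):
    """Timing: a sensitive master-data change shortly before a payment to that vendor."""
    hits = []
    for p in payments:
        for c in changes:
            if (c["vendor"] == p["vendor"] and c["field"] in SENSITIVE_FIELDS
                    and 0 <= (p["date"] - c["date"]).days <= window_days):
                hits.append({"rule": "vendor_change_before_payment", "key": p["vendor"],
                             "doc": p["doc"], "field": c["field"], "changed_by": c["user"]})
    return hits


def run_ccm(changes, payments, accepted):
    """Run all rules, then drop exceptions already reviewed and accepted so
    reviewers only see items that still need a decision. Returns (all, open)."""
    raw = (rule_sod(changes, payments) + rule_duplicate_payments(payments)
           + rule_change_before_payment(changes, payments))
    open_items = [h for h in raw if (h["rule"], h["key"]) not in accepted]
    return raw, open_items


if __name__ == "__main__":
    raw, open_items = run_ccm(VENDOR_CHANGES, PAYMENTS, ACCEPTED_EXCEPTIONS)
    print(f"{len(raw)} exceptions raised, {len(open_items)} open after rationalization")
    for h in open_items:
        print(" ", h)
```

The V102 address change still fires the timing rule, but because it was previously reviewed and accepted it is dropped from the open list; the V100 case stays open because the same user changed the bank account and posted a payment the next day, which is the pattern the SoD and timing objectives exist to surface. Window sizes and the accepted-exception list are governance decisions that belong with the CCM governance body, not hard-coded in the rules.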

2. Manage the CCM Life Cycle

To create and sustain an effective CCM program, an organization must understand and manage the entire CCM life cycle (see Figure 1 on the next page), which includes:

Process design: This begins with a clear vision based on operational objectives (i.e., achieve compliance, reduce risk). It is impractical to monitor all of a company's controls, and therefore it's essential to first identify the controls most in need of monitoring, based on business objectives. We also recommend establishing a CCM governance body to lead the process design effort and to help ensure that business objectives are met.

Jason G. Glantz
Manager
ERP Advisory Services
Ernst & Young

Aman Joshi
Senior Associate
ERP Advisory Services
Ernst & Young

Key Concept: Continuous Controls Monitoring

Continuous controls monitoring is a repeatable process in which specific control points can be continuously monitored against established thresholds to help determine business risk anomalies.

Failure to define a GRC strategy before automating CCM can result in significant losses of time and resources, or even the need to rebuild the CCM program.


Business rule development: A CCM program is only as effective as the business rules used to evaluate the control data. Business rules for SoD, master and transactional data, and automated application controls are used as filters and applied against data sources to identify potential control anomalies.

Controls optimization: Once significant risks have been identified within business process areas, appropriate controls must be established to mitigate them. A vital step in achieving control optimization is establishing controls that cover multiple risk areas and eliminate redundant or ineffective controls.

Exception validation and rationalization: Organizations often become overwhelmed by the volume of control exceptions. Since some exceptions are legitimate, organizations can manage risks and reduce the number of reported exceptions, and therefore the cost of compliance, by filtering out legitimate business exceptions.

Resolution reporting: To successfully manage and mitigate business risk, and to ensure timely resolution of compliance violations, it is important to set up a process that allows your company to diligently review and resolve reported violations.

Process optimization: The processes that make up your CCM program should be flexible and allow your company to dynamically react to change. They also should be continually adjusted to meet business needs and sustain your CCM investment.

3. Automate CCM with SAP Functionality

Organizations running SAP have a significant advantage when enabling and automating CCM because integrated business disciplines such as financial accounting and asset management can be built into a centralized CCM program. A CCM program that encompasses well-designed controls, appropriate business rules, and the diligent management of the CCM life cycle allows organizations to focus on their enhancement and automation efforts, reducing time and resources that would otherwise be spent manually monitoring controls.

As companies move toward automation, they should make managing configurable controls through benchmarking a part of their testing strategy, since it is a mechanism that ensures configurable controls remain unchanged. SAP provides this capability through table logging, which can help reduce year-to-year control testing.

SAP also provides a number of tools embedded in its GRC solution suite, which can be used to automate the CCM process. These tools include SAP GRC Access Control, SAP GRC Process Control, and SAP GRC Global Trade Services. An organization can leverage these tools, combined with the functionality already embedded within SAP systems, to gain a clear advantage in creating an effective end-to-end solution for managing risk and compliance.

Conclusion: Make CCM a Priority

Having a GRC strategy and making an effective CCM program a priority can help organizations drive their compliance efforts, identify potential processing errors, and proactively detect fraud. It also is critical to design practical processes as you develop your GRC strategy and CCM program. Many companies hold the misconception that an automated controls solution will solve all compliance needs. However, an automated solution is only effective after a successful CCM program has been established based on well-designed controls, appropriate business rules, and ongoing management of the CCM program.

To learn more about how Ernst & Young can help your company build and sustain a CCM program, please email [email protected] or visit www.ey.com.

FIGURE 1: Building an effective CCM program means taking all aspects of the CCM life cycle into consideration; developing a process for handling exceptions with defined roles, responsibilities, and prioritized resolution procedures is critical to success.


Use Master Data Management to Master Your Compliance Initiatives

Ravi Shankar, Director of Product Marketing, Siperian

Companies in a wide range of industries are challenged to meet the often complex and always evolving requirements of regulatory governance, risk, and compliance (GRC). But despite their attempts to establish internal controls to enforce this regulatory compliance, many companies have yet to be fully successful. Often, these businesses will try to enforce compliance by using existing back-office systems, only to find data and processes that are duplicated across the organization. Compliance-relevant data in one system is often incorrect or inconsistent in another system, and this can have serious consequences.

Consider a manufacturer with a marketing division that regularly mails flyers, brochures, and other marketing materials. This marketing team is required to manage opt-out compliance; failing to do so costs US$11,000 for each violation. Even with such hefty fines, however, opt-out data often slips through the cracks.

Say a customer calls into customer service to opt out of all marketing campaigns. If a company has not ensured the consistency of its data, that customer's record may be updated in the customer service application but not in the marketing database. With customer records fragmented and inconsistent across the organization, it is no surprise that companies may inadvertently violate privacy or other compliance regulations.

The bottom line? Companies are finding they cannot successfully enforce compliance without first addressing the underlying issue of master data. To unify data and ensure that all parts of an organization are working from the same source of information, companies need a solid master data management framework (see sidebar).

Find a Master Data Management Platform to Fit Your Compliance Goals

Companies can more easily and effectively manage regulatory compliance to reduce business risk with a master data management platform, such as Siperian MDM Hub. A master data management platform helps unify critical data about customers, products, and organizations across different systems, delivering reliable, complete views of this data to reduce operational costs, improve compliance, and drive operational effectiveness.

Siperian MDM Hub enables customers to create a reliable, centralized master data store. It includes integrated capabilities to cleanse, match, and merge data to correct errors, identify duplicate records across systems, and create a single version of the truth to which all levels of the organization can adhere (see Figure 1).

Use Master Data Management to Ensure Your Entire Organization Is Working from a Single Version of the Truth

Master data is a collection of common, core business data entities (including customers, products, and organizations, as well as their attributes and values) that are considered critical to a company's business and are required for use in two or more systems or business processes. Master data management (MDM) is the controlled process by which master data is created and maintained as the system of record for the enterprise. This record can then be circulated for consumption by business processes, applications, or users. Ultimately, MDM should be deployed as part of a broader data governance program that involves a combination of technology, people, policy, and processes.

Typically, master data is widely distributed across different business functions and applications within the organization, leading to data duplication, inconsistencies, and incompleteness. By centralizing master data in one location and synchronizing a reliable, single version of truth with downstream applications that feed business processes, companies can uniformly enforce compliance across the organization. Additionally, by synchronizing the reliable version of truth with analytical systems, companies are able to more quickly provide reliable regulatory reporting.

Siperian MDM Hub also supports regulatory audit requirements for any given period by storing the complete history of all data changes, as well as a lineage of how data records have changed over a period of time. In addition, this master data management platform allows users to create reliable reports from analytical systems by synchronizing data from the centralized master data hub. It also enables customers to enforce strict, granular-level security regarding who is allowed to view and edit what data and when.

Using master data management as the foundation for successful data governance, Siperian has helped many companies successfully address their compliance initiatives (see sidebar), as well as other business-critical areas including:

• Customer-centric marketing
• New product introduction
• Order-to-cash processes
• Contract management
• Physician spend management
• State license validation

And since Siperian MDM Hub is a complementary solution to SAP NetWeaver MDM and is certified for integration with SAP NetWeaver, SAP customers can integrate SAP master data sources, such as SAP CRM, into the Siperian MDM Hub.

Connect Your Compliance Strategy to a Master Data Governance Framework

Organizations often struggle to establish processes that will help govern their data assets and prevent the unauthorized creation, duplication, and deletion of key master data. Master data management platforms like Siperian MDM Hub can help customers establish overarching policies, define granular processes to enable these policies, enforce strict controls, and provide historical data needed for audit and regulatory reporting.

To learn more about data governance best practices, visit www.siperian.net/datagov and download a free white paper by Jill Dyché, co-founder of Baseline Consulting, entitled "A Data Governance Manifesto: Designing and Deploying Sustainable Data Governance."

FIGURE 1: Siperian MDM Hub integrates with SAP systems to deliver an enterprise master data management solution that complements the capabilities of SAP NetWeaver MDM.

Global Pharmaceutical Company Successfully Manages Compliance Using Siperian MDM Hub

Several states have passed legislation requiring all pharmaceutical companies to establish firm caps on the amount of money they spend on each physician per year on direct promotion. One large pharmaceutical company found itself unable to proactively track and control spend on each physician by expense type based on state limits, causing different divisions within the company to continue paying physicians even after the spend limit had been reached.

This legislation violation was a direct result of inconsistent, incomplete, and inaccurate master data across different data classes (such as physicians and hospitals), inaccurate data that was then captured and stored in more than 40 different systems.

By using Siperian MDM Hub, this pharmaceutical company was able to create an authoritative view of master data across these different data classes to see the relationships among key business entities, such as physicians and hospitals. In addition, since the solution provided automatic notification and tracking of spend per physician, the company was finally able to fully comply with US and state physician spend requirements.


Do Your Testing Methods Work in Concert with Your Compliance Efforts?
Consider Automated Testing to Secure Your Audit Trail

Linda Hayes, Founder, Worksoft, Inc.

A crucial advantage of SAP system architecture is that it allows organizations to easily modify application capabilities; they can quickly respond to competitive and market pressures with new functionality. Accordingly, it's important for IT teams to ensure that any custom upgrades or changes do not introduce risk to your organization.

IT typically addresses this with functional software testing. But traditional, manual testing strategies may be working at cross-purposes with your compliance efforts.

We encourage SAP customers to instead automate testing and to consider an innovative way to accelerate your delivery velocity, improve the productivity of your business experts, and assure the availability, accuracy, and compliance of your business processes after each and every change.

Manual Testing Can Compromise Compliance

The majority of software functional testing today is performed manually, primarily because of the deep subject matter expertise needed to understand all of a company's business process variations and rules. But there are several drawbacks to a manual approach:

• The most obvious is the sheer amount of time that manual testing takes. In a typical SAP business process, such as order-to-cash or procure-to-pay, testers must execute the same end-to-end activities hundreds of times in order to verify the varying types of orders, materials, delivery options, and pricing rules. Manually executing these variations not only takes valuable resources away from the business, but also delays the delivery of desired capabilities that may impact revenue or operating costs.

• Manual testing tends to be less formal and therefore subject to the skills and preferences of the tester. This makes coverage and quality unpredictable and not repeatable from one transport to the next.

• Manual testing is difficult to coordinate across end-to-end business processes that span various solution modules. Business process experts are usually organized around functional areas, yet the risk of upstream and downstream impact from changes requires that processes be tested across departments and modules.

• Documentation, and in turn compliance, suffers because manual testing is so time-consuming that testers often do not have time to thoroughly or consistently document tests or results. Even if testers create documentation originally, they're usually strapped to keep it current with changes. This leads to a lack of management visibility and an inability to support compliance audits or regulatory requirements.

Because of these challenges, many companies have sought to automate their functional testing using tools commonly known as record/play.

Think Twice About Record/Play Tools

Record/play sounds easy and attractive: Simply perform a test manually and record the steps into a script that can be replayed multiple times. Unfortunately, this approach often produces poorly structured, undocumented, or unstable tests that are not reusable, maintainable, or auditable.

Recorded scripts are sensitive to the slightest changes. If an application is running more slowly at some times than others, the script can get out of sync and result in errors. Or if an unexpected condition arises, the script has no logic to recover and continue. Even changes in data can cause recorded scripts to fail.

Scripts also create a high maintenance overhead because they contain hard-coded data. This means that if you test a hundred different order variations, for example, your script must contain the same steps hundreds of times. If you make a change to the order process, the script will also have to be updated hundreds of times.

The lack of logic within these scripts also precludes making decisions or changing the workflow based on test results. For example, a particular material code may cause a window to appear that normally wouldn't with other material codes.

Brian Anderson, Director of Product Management, Worksoft, Inc.


The record/play approach requires that there be two separate scripts, one for each condition. When you take into account the large number of similar cases, this leads to a high degree of redundancy.

The only way to overcome these challenges is to employ the underlying scripting language to manage timing, detect and recover from errors, make decisions, parameterize the data values, and read external data sources. Scripting is essentially programming, so it requires advanced technical skills; this excludes the very business process experts whose knowledge is required for effective testing.

Companies that decide to invest in coding test scripts soon find themselves with thousands of lines of code that have to be maintained. Often the code was written by contractors who are no longer available, and the code itself is rarely documented. As a result, most test automation efforts are abandoned.

Automate Testing with Worksoft Certify

Worksoft Certify was designed as an analyst-friendly test automation solution. It requires no coding and, instead of the record/play/script model, allows tests to be documented using point and click and then to be immediately executed. The tests are developed in a standard, structured format and are stored as data in a shared repository where they can be easily managed, maintained, and reused.

Because Certify stores tests as data, it can span multiple applications, platforms, and technologies to perform end-to-end business process verification. A single Certify test session can span SAP applications, Web, mainframe, and client/server, even SOA message layers, to exercise both upstream and downstream results. This innovative approach empowers all stakeholders, including business process experts, to capture their knowledge and reuse it through automated tests and data. Technical barriers disappear, and the time and cost to implement go down significantly.

Certify, which is Certified for SAP NetWeaver, comes pre-stocked with many of the most common SAP transaction screens (see Figure 1). Additional SAP modules or other applications can be learned simply by navigating through the screens to interactively capture fields and objects.

Test coverage can be rapidly expanded just by adding variations of data values to exercise different business rules and conditions. Certify automatically loops through the data, row by row, to repeat processes and log results. Test data is supplied dynamically from a number of sources, including spreadsheets, files, databases, or other screens. This data is captured and stored in the Worksoft Certify repository where it can be easily shared and reused.

At every step, Certify manages timing synchronization, verifies screen context, and allows decisions based on test results to control the workflow. Certify supports unattended, automated test execution or lets you step through your transactions, set breakpoints, monitor data values, and capture screens while it captures a detailed, step-by-step results log that includes captured screen images.

Make Custom Changes with Confidence

The testing of changes resulting from new application modules, enhancements, upgrades, or even service packs is where Certify's design really shines. Certify guides you through an instant impact analysis to locate all references to changed objects with only one click. You can then make global changes automatically (in most cases). There is no need to wade through complex script files, looking for potential impact or changing code that then must be debugged and tested. And all of these changes are also documented so you have a complete audit trail.

Certify delivers a compelling value proposition suited to the SAP marketplace; with it, you can make your resources more productive, accelerate the delivery of value to the business, and ensure that any changes are documented for compliance purposes and do not disturb your critical operations. Visit www.worksoft.com for more information.

FIGURE 1: Worksoft Certify comes pre-delivered with many of the most common SAP transaction screens.


Finance departments are already working in a corporate environment that expects them to do more with less. Regulations like Sarbanes-Oxley and Basel II increase the pressure on these departments to strengthen internal compliance controls without hampering everyday activities. The solution? Financial process automation, which helps strengthen these controls while improving visibility and efficiency.

Build Your Compliance Strategy on 7 Key Pillars

At 170 Systems, we encourage finance departments to leverage a strong financial process automation solution and structure internal controls according to seven key principles:

1. End-to-end visibility: In the typical accounts payable (AP) process, invoices sit in field offices waiting for coding and approval before being forwarded to the AP department for entry into an SAP system. This paper-based method lacks needed front-end visibility and creates a breeding ground for fraud. The best-practice approach is to receive and capture all invoices centrally by using financial process automation software integrated with SAP ERP to give management visibility into the entire review, approval, and payment process.

2. Strong approval framework: It is imperative for companies to maintain a robust, timely approval framework. Financial process automation software incorporates online approvals with full security controls, improving accuracy and ensuring the completion of key steps, such as signature verification, that are often neglected in manual, paper-based processes.

3. Segregation of duties (SoD): SoD activities are typically done at the role or responsibility levels. Well-designed financial process automation software, however, adds the ability to segregate controls by transaction and maintains an ongoing record of what action was performed by whom. This approach prevents a user from performing conflicting functions in the same transaction.

4. Policies and procedures enforcement: Even the most sophisticated compliance procedures are useless if they are not followed. Financial process automation software enforces corporate policies by asserting incorruptible control over procedures; any attempt to bypass them triggers reminders and alerts.

5. Properly maintained transaction-level backup: The greatest risk for accounting fraud lies in the messy world of paper-based, transaction-level backup documentation. Best-practice financial process automation software links source documents to the SAP financial record via capture technology, merging the paper trail into the digital world and making all backups easily accessible.

6. Internal and external audit support: It's important to do more than just verify that records are accurate; companies must also ensure that an auditor can easily access those records. Well-implemented financial process automation software gives auditors the complete transaction history of who accessed what document and when, as well as all backup documentation.

7. Error reduction: When finance uses manual, paper-based processes, even a minor error can trigger a cascade of time-consuming and expensive consequences. With financial process automation, however, automated controls and alerts can identify errors early on, before they become costly time-sinks.
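An added example in Python (not 170 Systems' or SAP's code) of the transaction-level segregation-of-duties control described in pillars 2, 3, 4 and 6: an AP invoice passes through entry, approval and payment release, a user who performed one step is refused any conflicting step on the same invoice, skipped or repeated steps are refused, and every attempt, allowed or refused, is written to a who-did-what-and-when audit trail. The user names and invoice ids are constructed.

```python
"""Transaction-level segregation of duties (SoD) for an AP invoice workflow.

Added example, not 170 Systems' or SAP's code. An invoice moves through
entry -> approval -> payment release; a user who performed one step is refused
any conflicting step on the same invoice, skipped or repeated steps are refused,
and every attempt, allowed or not, is appended to a who-did-what-and-when audit
trail. User names and invoice ids are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Steps in the order they must occur for each invoice.
WORKFLOW = ("enter", "approve", "release_payment")

# Function pairs the same user may not perform on the same invoice: SoD at
# the transaction level, on top of whatever role-level SoD already exists.
CONFLICTS = {
    ("enter", "approve"),
    ("enter", "release_payment"),
    ("approve", "release_payment"),
}


@dataclass
class AuditEntry:
    invoice_id: str
    action: str
    user: str
    outcome: str   # "ok" or "refused"
    reason: str
    at: datetime


class InvoiceWorkflow:
    """Per-invoice step history plus an append-only audit trail."""

    def __init__(self) -> None:
        self.history: Dict[str, Dict[str, str]] = {}  # invoice -> {step: user}
        self.audit: List[AuditEntry] = []

    def _record(self, invoice_id: str, action: str, user: str,
                outcome: str, reason: str = "") -> bool:
        self.audit.append(AuditEntry(invoice_id, action, user, outcome,
                                     reason, datetime.now(timezone.utc)))
        return outcome == "ok"

    def perform(self, invoice_id: str, action: str, user: str) -> bool:
        """Try to perform `action` on `invoice_id` as `user`; True if applied.

        Every refusal is logged with its reason so it can drive an alert.
        """
        if action not in WORKFLOW:
            return self._record(invoice_id, action, user, "refused",
                                "unknown action")
        steps = self.history.setdefault(invoice_id, {})
        if action in steps:
            return self._record(invoice_id, action, user, "refused",
                                "step already completed")
        # Sequence control: the preceding step in WORKFLOW must be done first.
        idx = WORKFLOW.index(action)
        if idx > 0 and WORKFLOW[idx - 1] not in steps:
            return self._record(invoice_id, action, user, "refused",
                                f"step '{WORKFLOW[idx - 1]}' not yet completed")
        # Transaction-level SoD: the same user may not perform a conflicting
        # function on this same invoice, whatever roles they hold.
        for done_action, done_by in steps.items():
            if done_by == user and (done_action, action) in CONFLICTS:
                return self._record(invoice_id, action, user, "refused",
                                    f"SoD conflict with '{done_action}'")
        steps[action] = user
        return self._record(invoice_id, action, user, "ok")

    def alerts(self) -> List[AuditEntry]:
        """Refused attempts: the feed for reminders and alerts."""
        return [e for e in self.audit if e.outcome == "refused"]

    def trail(self, invoice_id: str) -> List[AuditEntry]:
        """Complete who-did-what-and-when history for an auditor."""
        return [e for e in self.audit if e.invoice_id == invoice_id]


def run_demo() -> InvoiceWorkflow:
    """Constructed scenario: alice enters an invoice, then tries to approve it."""
    wf = InvoiceWorkflow()
    wf.perform("INV-1001", "enter", "alice")            # ok
    wf.perform("INV-1001", "approve", "alice")          # refused: SoD conflict
    wf.perform("INV-1001", "release_payment", "bob")    # refused: not approved
    wf.perform("INV-1001", "approve", "bob")            # ok
    wf.perform("INV-1001", "release_payment", "bob")    # refused: SoD conflict
    wf.perform("INV-1001", "release_payment", "carol")  # ok
    return wf


if __name__ == "__main__":
    for e in run_demo().trail("INV-1001"):
        print(e.at.isoformat(), e.invoice_id, e.action, e.user, e.outcome, e.reason)
```

In a real deployment the audit list would be an append-only store outside the reach of the users whose actions it records, and the refused entries would be routed to the alerting described in pillar 4.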

Consider 170 MarkView for Your Financial Process Automation

The 170 MarkView Financial Suite gives finance executives visibility and control over their core financial processes, such as accounts payable and expense management. With SAP-certified integration, 170 MarkView embeds best practices into the end-to-end automation of financial processes to help companies reduce costs, strengthen internal controls, and improve their visibility and service levels.

To learn more about how 170 Systems, an SAP software partner, can help you leverage your SAP investment, visit www.170systems.com/SAP.

The 7 Pillars of Strong Internal Controls
Discover the Compliance-Specific Benefits of Financial Process Automation

Larry Concannon, Director of Product Marketing, 170 Systems, Inc.


Atrion Helps EH&S Teams Stay Compliant in the Face of New REACH Regulations

David Lavoie, Executive Vice President, Marketing, Atrion International Inc.

Europe has adopted an ambitious new framework, Registration, Evaluation, and Authorization of Chemicals (REACH), to regulate the manufacture, import, marketing, and use of chemicals. REACH officially came into force on June 1, 2007, so environment, health, and safety (EH&S) departments are now gearing up to meet its requirements.

Keep Pace with REACH Requirements

Atrion International's products and content are fully integrated with SAP EH&S environments. Additionally, Atrion's consultants can help implement enhanced SAP EH&S functionalities, including the upcoming SAP International Uniform Chemical Information Database (IUCLID) 5 Interface and SAP REACH Portal, in line with progressive REACH legislation deadlines.

For example, in 2008 the pre-registration phase of REACH legislation requires companies to determine which chemicals they need to track. With the REACH substance volume tracking (SVT) capability within SAP EH&S, Atrion and partner Linx/AS can assist in SVT implementations.

Another REACH requirement will directly affect regulatory documents, such as the Safety Data Sheet (SDS). Atrion's REACH Solution for SAP EH&S Environments automatically updates SDSs specifically for REACH specifications within SAP EH&S environments. Atrion simplifies and ensures its up-to-date global content for SDS by monitoring regulatory changes and maintaining a validated database of rules through a network of regulatory, chemistry, and toxicology experts (see Figure 1).

Take Advantage of Atrion's REACH Expertise

Atrion's experienced consultants can help customers develop exposure scenarios and appropriate risk management measures; provide updated regulatory content to allow automated generation of Safety Data Sheets and Chemical Safety Reports; define collection and pre-registration requirements for documentation; and implement the SAP Document Management system and project management components of SAP EH&S and the REACH Portal. Atrion's offerings for SAP EH&S environments also have these key benefits:

• Customers can produce compliance documents in more than 40 languages
• As soon as legislation changes, regulatory content is updated to keep clients compliant
• With Atrion's compliance engine, users can make audit reports based on rules used for regulatory classification

Conclusion

By leveraging their investments in SAP EH&S, enterprises can avoid increased operational costs associated with meeting REACH regulations. Atrion International offers products and services to ensure successful compliance measures. For more information, call +1 888 8-ATRION (in North America) or +31 24 329 7420 (in the EU). Or visit us at www.atrionintl.com and www.linxas.com.

FIGURE 1: Atrion's REACH Solution for SAP EH&S Environments.


Governance, Risk, and Compliance: Moving Beyond Integration to Enterprise Strategy

David J. Evans, Managing Director, Technology Solutions, SAP Practice, BearingPoint
J.R. Reagan, Managing Director and Global Solution Leader, Risk, Compliance, and Security, BearingPoint

Governance. Risk. Compliance. There are substantial benefits to implementing an integrated solution to address these issues. Organizations can dramatically improve organizational transparency so that precise risks, and what can be done to mitigate them, are understood across multiple business units and functions. An integrated governance, risk, and compliance (GRC) strategy will also improve accountability and ownership for risk management throughout the enterprise. Further benefits can include reduced audit fees, lower cost of capital, and enhanced operational efficiency, all things that directly impact the bottom line.

Yet, there can be significant challenges to successfully establishing a GRC initiative:

• It can be very difficult to justify costs in the short term
• As GRC moves from being an organizationally siloed concern to an enterprise-wide one, it must be addressed in a much more holistic manner
• Companies must take a risk-based approach rather than indiscriminately documenting organizational activities

Technical and organizational complexities further complicate GRC efforts. These challenges can be specific to your company's industry requirements, reinforcing the need for solutions tailored to specific risk-management situations.

Understanding Your Exact GRC Needs

It's critical to comprehensively assess, plan, and design GRC requirements and processes, and then to identify which components of GRC technology you need to align those processes with overall corporate strategy (see sidebar). This upfront work shouldn't lead you to analysis paralysis but to a system implementation that's justified with a solid business case and benefits that meet your particular needs.

A Framework for Actionable Results

At BearingPoint, our approach to GRC (see Figure 1) goes beyond helping an organization formulate strategy and establish processes. BearingPoint provides an end-to-end view of GRC that delivers an actionable, operational plan, moving from the initial requirements assessment and analysis through technology deployment.

BearingPoint has been named a leader in risk consulting services, according to "The Forrester Wave: Risk Consulting Services, Q2 2007" (June 2007). For more information, visit www.bearingpoint.com/sap.

5 Questions to Reach GRC Readiness and Success

To increase your chances of success, BearingPoint recommends that you ask yourself five questions before embarking on a GRC initiative:

1. Why do we need a GRC framework?
2. Why doesn't our current GRC strategy work for our organization?
3. What should we improve within our current GRC strategy?
4. What are the risks of not improving our GRC strategy?
5. What benefits do we hope to gain as a result of a new GRC strategy?

Addressing these questions will help you implement a GRC strategy that results in tangible benefits to your organization.

FIGURE 1: BearingPoint's big-picture GRC framework for security, risk, and compliance


Remaining Compliant: Use CSI KPIs to Identify and Analyze Weak Spots in Your Company's Governance

Federico Pagiola, Partner, CSI Switzerland

Following the introduction of legislation such as the Sarbanes-Oxley Act, most companies have completed intensive projects to establish internal controls and ensure compliance. Now, companies face a new challenge: How do they maintain compliance and control levels, especially as their business processes fluctuate?

Many in the SAP user community are finding that remaining compliant requires an entirely new set of processes, and that these processes must seamlessly integrate into their SAP systems so as not to interrupt everyday business.

Unlike the bottom-up approach that many companies used to first implement compliance practices (using analysis tools for controls and security, such as CSI Accelerator, to pinpoint areas where remediation was needed), we recommend a top-down approach to remaining compliant. Give management a clear indication of control status and allow them to drill down and identify potential areas of concern through key performance indicators (KPIs).

Generate Intuitive, Automated KPIs

KPIs must be understood quickly and should be easy to set up and automate with the right tools. With some of our clients, for example, we set our CSI Authorization Auditor to regularly collect and analyze information on access rights and segregation of duties (SoD) within a company's business processes. Using the CSI Export to Excel tool, we could then process the data into a radar chart that groups results by business domains for easy analysis (see Figure 1).

The resulting KPI, nicknamed the "Rose of Rights," provides a powerful view of current control rights. It also indicates both good and bad compliance trends and triggers immediate alerts on control failures in the SAP system. With this KPI, decision makers can access analytics to focus on measuring risk. They can also see areas within the company that are successfully balancing compliance controls.
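The KPI described above reduces to two steps: evaluate each user's effective transactions against a list of SoD rules, then aggregate the conflicts per business domain and compare each domain with a threshold (the outer dotted line of the radar chart). The following Python is an added example, not CSI's Authorization Auditor or Export to Excel tool, and it goes slightly beyond the text by also producing the alert list. The role-to-transaction mapping, user assignments, SoD rules and the 25% threshold are constructed sample data standing in for what an auditor would read from the AGR_USERS and AGR_TCODES tables of a real system.

```python
from collections import defaultdict

# Constructed sample data. In a real SAP system the role-to-transaction
# mapping comes from AGR_TCODES and the user-to-role assignments from
# AGR_USERS; a thorough check also reads the authorization objects behind
# each transaction rather than stopping at S_TCODE.
ROLE_TCODES = {
    "Z_AP_INVOICE":   {"FB60", "MIRO"},   # enter vendor invoices
    "Z_AP_PAYMENT":   {"F110"},           # run the automatic payment program
    "Z_VENDOR_MAINT": {"XK01", "XK02"},   # create / change vendor master data
    "Z_PO_CREATE":    {"ME21N"},          # create purchase orders
    "Z_GR_POST":      {"MIGO"},           # post goods receipts
    "Z_DISPLAY_ONLY": {"FB03", "ME23N"},  # display documents (no risk)
}

USER_ROLES = {
    "alice": {"Z_AP_INVOICE", "Z_AP_PAYMENT"},    # can invoice and pay
    "bob":   {"Z_PO_CREATE", "Z_DISPLAY_ONLY"},
    "carol": {"Z_VENDOR_MAINT", "Z_AP_PAYMENT"},  # can create a vendor and pay it
    "dave":  {"Z_PO_CREATE", "Z_GR_POST"},        # can order and receive
    "erin":  {"Z_DISPLAY_ONLY"},
}

# SoD rules: (business domain, function A, function B, tcodes of A, tcodes of B).
# A user holding at least one tcode from each side has a conflict.
SOD_RULES = [
    ("Procure-to-Pay", "Create PO", "Post goods receipt", {"ME21N"}, {"MIGO"}),
    ("Procure-to-Pay", "Enter invoice", "Run payment", {"FB60", "MIRO"}, {"F110"}),
    ("Master Data", "Maintain vendor", "Run payment", {"XK01", "XK02"}, {"F110"}),
]


def effective_tcodes(roles, role_tcodes=ROLE_TCODES):
    """Union of all transactions a user's roles grant."""
    return set().union(*(role_tcodes.get(r, set()) for r in roles))


def find_conflicts(user_roles=USER_ROLES, rules=SOD_RULES):
    """Return (user, domain, function_a, function_b) for every violated rule."""
    conflicts = []
    for user, roles in sorted(user_roles.items()):
        tcodes = effective_tcodes(roles)
        for domain, fn_a, fn_b, tc_a, tc_b in rules:
            if tcodes & tc_a and tcodes & tc_b:
                conflicts.append((user, domain, fn_a, fn_b))
    return conflicts


def domain_kpi(user_roles=USER_ROLES, rules=SOD_RULES):
    """Share of users with at least one SoD conflict, per business domain.

    One value per domain is exactly what a radar chart plots on each spoke.
    """
    users_in_conflict = defaultdict(set)
    for user, domain, _, _ in find_conflicts(user_roles, rules):
        users_in_conflict[domain].add(user)
    domains = sorted({rule[0] for rule in rules})
    return {d: len(users_in_conflict[d]) / len(user_roles) for d in domains}


def alerts(kpi, threshold=0.25):
    """Domains whose KPI crosses the 'outer dotted line' and need attention."""
    return [d for d, value in sorted(kpi.items()) if value > threshold]


if __name__ == "__main__":
    for conflict in find_conflicts():
        print("SoD conflict:", *conflict)
    kpi = domain_kpi()
    print("KPI per domain:", kpi)
    print("Alerts:", alerts(kpi))
```

Checking only transaction codes is a deliberate simplification: S_TCODE alone does not say which company codes or document types a user can actually touch, so a production check must evaluate the authorization objects behind each transaction. The rule set and the domain names should also be owned by the business rather than the security team, because the domains are what the chart's spokes mean to the managers reading it.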

The Components of a Successful Compliance KPI

A successful compliance monitoring process is one that can quickly indicate potential problems, give early warnings of trends, and offer easy, intuitive analysis of compliance processes. With CSI's KPI-based approach to compliance management, business managers can view SAP authorizations in a simple, nontechnical way; this is key to a successful GRC strategy that extends far beyond implementation.

For more information on CSI's GRC consulting services and software solutions, please visit www.csi4grc.com.

Werner van Haelst, Partner, CSI Netherlands

FIGURE 1: CSI's Rose of Rights analytic KPI presents compliance of SAP authorizations and SoD; managers can quickly recognize any measurements beyond the outer dotted line as risk concerns that should be monitored closely, while areas of excessively strict controls are also visible in the center of the rose


Why Change Management Should Be a Top Compliance Priority: Ensure Compliance by Automating and Documenting Your Processes

David Drake, Founder and Chief Executive Officer, Revelation Software Concepts, Ltd.

The impact of the Sarbanes-Oxley Act continues to hit home as companies realize that its mandated audit capability is no simple order to fill, especially if they don't have strong change management processes in place. Even simple changes to an extensive business information system can have unanticipated consequences.

Say you're planning to enhance your visibility and reporting capabilities, which are key to maintaining compliance. These changes require auditable change management processes to ensure the revised reporting capability changes are approved and documented in accordance with a company's internal control processes. Change management is no longer just a technical issue; it is now business critical.

Automate to Ensure Compliance

You likely already have change management processes in place, perhaps based on widely accepted best practices from the Information Technology Infrastructure Library (ITIL).1 The logical next step in using change management to ensure compliance is to automate these processes. Eliminating manual processes can help guarantee that deviations from the change control process won't go undetected, and that they don't happen in the first place!

Rev-Trac from Revelation Software Concepts is a solution that allows users to automate and enforce their change management processes, such as workflow, change control, transport migrations, electronic signature authorizations, and document referencing. This automation frees users to focus on managing changes rather than adhering to processes, ensures that they follow robust procedures, and assures change control teams that everyone who touches any aspect of change management within the organization is using a consistent and fully auditable process.

Additionally, Rev-Trac's process automation prevents accidental system disruptions by providing built-in extended object and configuration locking, even across multiple landscapes, and incorporated overtake and overwrite prevention.

Leave a Fully Auditable Change Trail

Since compliance regulations require firm policies for processes, authorizations, and documentation, Rev-Trac is designed to enforce your policies so compliance is independent of everyday practices. With Rev-Trac, for example, you can always trace technical changes back to their specific change requests. Rev-Trac also prevents processes from progressing before all proper approvals are gained, necessary documents are completed, or test results are fully documented. Nothing falls through the cracks as it might have when using manual, paper-based processes.

Automating your change management processes also means that these processes will be enforced and that every change made in your system will be documented. This is key since, at its core, compliance is about proving the success of your internal controls and making them fully visible, to an auditor, for example. With Rev-Trac, you'll be able to approach compliance issues assured that all technical changes have been referenced. A full audit trail, including the process followed, approvals received, and approvers for each status, will also be generated for each change.

Rev-Trac makes all information available, complete with drill-down capabilities to key levels of detail, from the Rev-Trac console, where an auditor can easily identify changes requiring inspection and drill down into the audit trail to make certain compliance requirements were met.

1 For more information about ITIL best practices, see www.best-management-practice.com.
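The controls described in the last two sections (approvals and evidence gating each status, an audit trail per change, object locking with overtake prevention, and tracing an object back to the change requests that touched it) can be seen in miniature in the following Python model. It is an added example, not Rev-Trac code or any SAP transport mechanism; the status names, the gate conditions, the rule that a requester may not approve their own change, and the object identifiers are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Lifecycle every change request walks through; entry into each status after
# "draft" is gated by GATES below, so no step can be skipped (assumed names).
STATUS_ORDER = ["draft", "approved", "tested", "in_production"]


class ChangeControlError(Exception):
    """Raised when a transition, approval or lock would violate the policy."""


@dataclass
class ChangeRequest:
    cr_id: str
    requester: str
    objects: set                                    # e.g. "PROG/ZREPORT01" (assumed naming)
    status: str = "draft"
    approvals: dict = field(default_factory=dict)   # role -> approver
    documents: set = field(default_factory=set)     # evidence attached so far
    audit: list = field(default_factory=list)       # every event, in order


# Assumed gates: what must already be on the request before it may ENTER a status.
GATES = {
    "approved": lambda cr: {"change_owner", "business_approver"} <= set(cr.approvals),
    "tested": lambda cr: "test_results" in cr.documents,
    "in_production": lambda cr: "cutover_plan" in cr.documents,
}


class ChangeControl:
    """All requests, the object locks, and the per-object change history."""

    def __init__(self):
        self.requests = {}
        self.locks = {}      # object -> cr_id that currently holds it
        self.history = {}    # object -> [cr_id, ...], oldest first

    def _log(self, cr, actor, event, detail):
        cr.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                         "event": event, "detail": detail, "status": cr.status})

    def open_request(self, cr_id, requester, objects):
        objects = set(objects)
        # Overtake/overwrite prevention: an object held by another open request
        # cannot be picked up until that request has gone live.
        held = {o: self.locks[o] for o in objects if o in self.locks}
        if held:
            raise ChangeControlError(f"{cr_id}: objects locked by another request: {held}")
        cr = ChangeRequest(cr_id, requester, objects)
        for o in objects:
            self.locks[o] = cr_id
            self.history.setdefault(o, []).append(cr_id)
        self.requests[cr_id] = cr
        self._log(cr, requester, "open", sorted(objects))
        return cr

    def approve(self, cr_id, role, approver):
        cr = self.requests[cr_id]
        if approver == cr.requester:   # assumed policy: nobody signs off on own change
            self._log(cr, approver, "self_approval_refused", role)
            raise ChangeControlError(f"{cr_id}: {approver} may not approve own request")
        cr.approvals[role] = approver
        self._log(cr, approver, "approve", role)

    def attach(self, cr_id, document, actor):
        cr = self.requests[cr_id]
        cr.documents.add(document)
        self._log(cr, actor, "attach", document)

    def advance(self, cr_id, actor):
        """Move to the next status, or refuse and record the refusal."""
        cr = self.requests[cr_id]
        idx = STATUS_ORDER.index(cr.status)
        if idx == len(STATUS_ORDER) - 1:
            raise ChangeControlError(f"{cr_id}: already in production")
        target = STATUS_ORDER[idx + 1]
        if not GATES[target](cr):
            self._log(cr, actor, "blocked", target)
            raise ChangeControlError(f"{cr_id}: requirements for '{target}' not met")
        cr.status = target
        self._log(cr, actor, "advance", target)
        if target == "in_production":
            for o in cr.objects:       # release locks only once the change is live
                self.locks.pop(o, None)
        return cr.status

    def trace(self, obj):
        """Auditor's drill-down: every change request that touched an object."""
        return list(self.history.get(obj, []))


def violates(action, *args):
    """True if the policy refuses the action; lets callers check without try/except."""
    try:
        action(*args)
        return False
    except ChangeControlError:
        return True
```

Two details matter for anyone building this for real: a refusal is written to the request's audit trail before the exception is raised, so a blocked attempt is itself evidence an auditor can see, and locks are released only when the change reaches production, which is what stops a second request from silently overwriting an object that is still in flight.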

Conclusion

Rev-Trac change control management ensures you can prove your compliance measures. There are no additional network security, disaster recovery plan, database administration, or desktop rollout requirements; if you're running SAP solutions, you've got all you need to run Rev-Trac. And since Rev-Trac lives in the SAP system, it comes with a low TCO.

For more information, visit www.xrsc.com.

With Rev-Trac's automated signature verification processes, you'll no longer have to chase after signatures only to be told somebody just left for luncheon or for a conference in Hong Kong.


The Coming Revolution in Tax Reporting and Compliance: Prepare for a Tax-Specific Workflow as Part of Your GRC Strategy

Mehrdad Talaifar, Vice President, Partner Network, Sabrix, Inc.

Mike Roberts, Director, Tax Management Consulting, Deloitte

Ainol Yaacob, Senior Manager, Tax Management Consulting, Deloitte

Increased shareholder interest means that tax considerations are now high on the priority list when it comes to companies' governance, risk, and compliance (GRC) efforts, especially given the complexity of tax rules and the significant impact of tax on financial results. Imagine the level of risk involved when accurate tax liability has to be accounted for in every business transaction, on every invoice. What would happen if data quality and integrity is limited or poor?

It's Critical to Know Where Your Tax Risk Lies

Tax departments are aware of ERP systems' limitations when it comes to determining and calculating various types of tax and providing reports to comply with numerous rules and regulations. Because of increased stakeholder interest, tax departments are required to understand limitations in systems and processes and must identify underlying tax risks within record-to-report (R2R) processes (see Figure 1). There is also a greater push from fiscal authorities to undertake systems audits and electronic filing of tax returns. As a result, global businesses must now rethink their approach to, and investment in, tax R2R processes.

Big Changes in the World of Tax Management

Historically, tax professionals have built technology mostly in the "report" portion of the R2R cycle and in workflow management. However, the last year has heralded a revolution in this approach. Tax consultancies, which now commonly advise clients across the entire tax R2R process, have found several frequently encountered issues:

• Lack of consistency and inadequate quality of data for tax reporting and compliance, often resulting in duplication of efforts and resources
• Difficulty obtaining data for tax reporting and compliance, resulting in labor-intensive tax reporting cycles
• The translation gap between clients' own IT functions and tax departments in terms of identifying, mapping, and maintaining tax reporting and compliance requirements

These issues have the potential to create costly maintenance problems in traditional ERP systems. Organizations need to engage the appropriate tax experts and technologists to ensure that their ERP solution includes tax processes from beginning to end.

This is why the tax workstream within GRC is so important. The right transaction tax engine and implementation team can help tax functions mitigate and control tax risks within R2R processes. We've also found that fully integrated, bolt-on tax applications allow IT departments to focus on their core responsibilities while giving the tax department tools to effectively manage global transaction tax needs.

Additional benefits of having an automated and consolidated tax reporting and compliance solution include visibility into tax-specific information, a centralized repository of rules and policies, tax department control over tax policy enforcement, increased accuracy, consistency, and efficiency in tax data recording, and decreasing compliance efforts and costs.

For more detailed information, please visit www.sabrix.com and www.deloitte.com.

FIGURE 1: Tax risk can arise in any area within the R2R process


Incorporate Security Intelligence into Business Intelligence: Make Risk Management Part of Your Company's Overall Decision-Making Strategy

Mario Linkies, Chief Executive Officer, SECUDE Global Consulting AG

Dr. Frank Off, Chief Consulting Officer, SECUDE Global Consulting AG

Successful companies use business intelligence (BI) systems like SAP NetWeaver BI and SAP SEM for their operational and strategic business management. So top managers are already accustomed to using BI to identify forecasting scenarios and key performance indicators (KPIs) to help them make the right strategic and operational decisions.

But on top of day-to-day BI, companies are seeing an increase in business risks that they must mitigate to remain competitive. Key business decisions must take into account KPIs that can control risks in an effective, compliant, and secure way. To do this, SECUDE Global Consulting (SGC) recommends building a security intelligence framework, based on SAP's solutions for governance, risk, and compliance (GRC), to infuse your BI strategy with knowledge from your previous experience in risk evaluation and mitigation.

Infuse Security Intelligence into BI Analytics

Security intelligence provides appropriate and comprehensive measures, both internal and external, for risk control and sustainability within a business environment. SGC's vision for a security intelligence framework is built on our model of enterprise risk management (ERM), an internal methodology used to make security decisions.1 But security intelligence takes ERM a step further to consider aspects like security incidents, noncompliance violations, and other security-related factors in major business decisions.

Think of security intelligence as a warehouse in which to record your experiences in building and implementing risk management procedures. You can then use your previous experiences to decide how to handle new risk mitigation challenges, and use those experiences to update your security information framework (see Figure 1).

For example, consider a manager at a retail company who has to decide whether to introduce a new RFID-based logistics and payment system. Business KPIs such as cost reduction might make this transition look promising. But if this manager has a security intelligence framework in place, he could notice that such an RFID system often results in fraud incidents and manipulation deficiencies. Because of these risks, the manager could decide to introduce RFID technology on a smaller scale, to get a better picture of the possible business risks before moving forward. And with the information gleaned from this trial RFID implementation, the company could further refine its security intelligence warehouse to help manage future risk situations.

Set Up a Security Intelligence Warehouse to Help Make Risk Management Decisions

SECUDE Global Consulting can help you set up an integrated security intelligence framework that fits your specific business needs. SGC's mission is to help enhance and sustain your business by identifying and limiting risks. For more information, visit us at www.secude-consulting.com.

1 For more about building an ERM framework, see www.secude-consulting.com.

FIGURE 1: The SECUDE Global Consulting security intelligence framework fosters a cyclical approach to security; the information in your security intelligence warehouse feeds into and is fed by risk management experience

Eric Kang, Senior Vice President, SAP Security Technology, SECUDE Global Consulting (US), LLC
