Fettke, P. Eine Untersuchung der Forschungsmethode 'Review' innerhalb der Wirtschaftsinformatik. The preceding definition does partly explain why IT security professionals are sometimes opposed to GRC.
It is seen as an overhead that does not provide Broadbrent, M. Indiana: Wiley Publishing Company. Campbell, P. This book will focus on the application of SAP authorizations and how user access can be limited by transaction codes, organizational levels, field values, etc. With the introduction of SAP'S GRC products onto the market, in particular Process Control, proactive controls for configuring systems that have to comply with the regulations of the FDA or similar authorities are now available for the SAP GRC helps companies develop insights into risks and compliance initiatives—critical areas in which it is easy for organizations to lose focus.
But GRC doesn't have to be a boil on your corporate behind. SAP GRC For Dummies untangles the web of regulations that confronts your company and introduces you to software solutions the not only keep you in compliance, but also make your whole enterprise stronger.
This completely practical guide starts with a big-picture look and GRC and explains how it can help your organization grow. You'll find out why these regulations were enacted; what you can do to ensure compliance; and how compliance can help you prevent fraud, bolster your corporate image, and envision and execute the best possible corporate strategy. This all-business handbook will help you: Understand the impact of Sarbanes-Oxley Control access effectively Color your company a greener shade of green Source or sell goods internationally Keep your employees safe and healthy Ensure that data is kept secret and private Manage information flow in all directions Enhance your public image through sustainability reporting Use GRC as the basis for a powerful new corporate strategy Complete with enlightening lists of best practices for successful GRC implementation and conducting global trade, this book also puts you in touch with thought leadership Web sights where you can deepen your understanding of GRC-based business strategies.
Clearly,ithas become almost impossible to imagine life without a personal computer or laptop, or without a cell phone. Social network sites SNS are competing with face-- face encounters and may even oust them.
This will not only e? In the near future, elderly people will be able to stay longer at home due to clever health monitoring systems. When properly addressed, GRC helps identify ways that core business processes can be improved. Identification of risks also leads to discovery of opportunities. Governance processes can help create orderly ways to evolve a company, and improve program and change management across the board. Getting Motivated to Make the Most of GRC Although concern about GRC is growing, most companies that have engaged in a program of GRC are usually reacting to some pressure or concern that takes GRC from a necessary evil to an initiative that can really benefit the company if is executed thoroughly and efficiently.
A serious approach to GRC may flow from any or all of these motivating forces that we discuss in the following sections. Complying with financial regulations New laws in the United States and in many other countries mean that if serious errors in financial reports are found, those responsible will face criminal prosecution. Section of Sarbanes-Oxley says exactly this, and prosecutors around the nation have shown great eagerness to enforce this law.
It is not just American companies that are facing such dramatic penalties. Governments of most of the largest economies have passed their own forms of legislation increasing the level of scrutiny about financial reporting and controls. The driving force behind this regulation is the fear that inaccurate financial reporting will damage the financial system. Without accurate financial information, investors will have little to go on when making decisions about where Chapter 1: The ABCs of GRC The march of the three-letter acronyms The world of enterprise software has given birth to many Three-Letter Acronyms, called appropriately by yet another three-letter acronym: TLA.
Here is a sample of the most common TLAs: among a distributed network of partners working together. SCM helped manage increased specialization, outsourcing, and globalization. ERP was about closing the books faster and tracking the key financial and management processes of a business. PLM was about helping increase the speed of product development. CRM was about getting closer to the customer. If confidence drops too far, all companies, not just those who have engaged in bad behavior, will find it harder and more expensive to raise money.
This is not the first time that such fears have been raised and reporting requirements have been tightened. Even the powerful tycoons of the Robber Baron era had bankers insisting on better accounting. So, while compliance with regulations aimed at improving financial reporting and governance is really just one piece of the puzzle when it comes to GRC, fears related to such compliance are clearly the force that has driven most companies to action.
Failing an audit There is nothing like failing an audit to spur companies to improve their GRC processes. In the wake of a failed audit, which must be reported in public financial statements, investors frequently lose confidence and sell stock.
Nowadays, audits can fail for more reasons than ever. Discovery of fraud or other bad behavior is of course the most dramatic reason. But in the face of 15 16 Part I: Governance, Risk, and Compliance Demystified tighter regulations for governance and reporting, audit problems can include the lack of adequate controls, improper segregation of duties, insufficient oversight of the creation of financial reports, and many other causes.
So even if nothing is wrong, you can fail your audit for not having sufficient documentation. In the wake of a failed audit, reporting requirements skyrocket. Controls, which are detailed reports of various types of activity that must be cross-checked for problems, may have to be run on a monthly or quarterly basis instead of annually. New controls are usually introduced. Other sorts of testing to discover problems will also usually result. The work related to all of this new activity must be staffed either from inside a company or by personnel from an auditing or consulting firm.
Either way, costs rise. Numerous countries have enacted legislation to improve governance. As with the United States, many of these countries have passed legislation in response to the outcry over corporate scandals. CLERP 9 aims to make sure that business regulation is consistent with promoting a strong economy, in addition to providing a framework that helps businesses adapt to change.
These scandals led to the creation of quite a few reports that dealt with many governance issues. Clause 49 focuses on issues that are already implemented in many other countries, such as establishing a board of directors and appointing a managing director who reports to the board, in addition to the creation of an audit committee.
A revised Clause 49 was released on October 9, This revision covers many areas, including a clarification and enhancement of the responsibilities of the board and the director and a consolidation of the roles of the audit committee as they relate to controls and financial reporting. The rising costs that occur after a failed audit are a powerful motivator for a company to automate its GRC processes so that controls and testing are much easier and cheaper.
Experiencing a rude awakening Another sort of inspiration for improved GRC performance comes in the form of outside scrutiny. Usually this happens because people do not deeply understand the demands that laws and regulations are placing on them or the complexity of meeting those demands using their current software systems.
Scrutiny can also come from senior management, the board of directors, new employees, auditors, and so on. Companies that lack the knowledge and expertise may think they are safe when they actually are not. Going from private to public The imminent conversion of a company from a private form of ownership to a public form can be another driver of increased attention to GRC.
Jail is a remedy for people who are engaged in criminal activity. You can apply that knowledge to all sorts of areas: governance, risk, compliance, trade, environmental, data privacy, and much more. If you do it right, GRC can help you run your business better than ever before, gain competitive advantage, and increase the rewards to you and your shareholders.
From a shareholder perspective, which is worse: a CEO going to jail or an entire company running itself on stale data? But other events such as selling bonds or issuing other forms of debt can also initiate the same requirements to meet higher levels of reporting.
Private companies also seek to improve their GRC processes if they may be up for sale to public companies that have to meet more stringent levels of governance and reporting.
On the other hand, even private companies can benefit from implementing the best practices highlighted by SOX.
Private companies with government contracts get a favorable reaction from the government when they implement best practices based on SOX. With appropriate controls and tests, management can rest assured that the company is not at risk as more new people take over key tasks.
Segregation of duties requires dividing key steps among employees to help prevent fraud that could take place if one person did all the tasks. But with fewer employees, there is less specialization and a single person may be doing many more tasks than in a larger company. One common misunderstanding is that implementing GRC means that all potential conflicts are eliminated. Even in the largest companies, this is almost never the case. Usually, some employees are able to do things that might result in fraud.
Such potential conflicts can be handled by adding controls and tests that reveal any bad behavior. Taking out an insurance policy When new owners arrive to take over a company, implementing GRC is one common way to make sure that everything is operating properly and that nothing fraudulent is taking place. GRC is like added insurance for the new owners: Adding the controls and testing that is part of a thorough GRC implementation provides added assurance that the financial management of a company is taking place in a proper way and that the condition of the company is accurately conveyed by its accounting reports.
Managing risk Companies that have had a series of nasty surprises often improve GRC processes and automation as a way to create an early warning system to identify and manage potential operational risks. Unforeseen risks can lead to punishment in the markets as investors worry about what problems might be next. As this chapter has noted, it is a mistake to think of GRC only in financial terms.
Risks that have dire financial consequences can arise from a multitude of operational factors that never show up on a balance sheet. For example, in a manufacturing plant, what if spare parts inventory for a key piece of equipment drops to dangerously low levels?
If someone notices this, how can they go on record to make sure that the significance of the risk is understood and that management knows that something must be done to avoid a huge problem? The risk management processes of GRC provide just such a solution. In the mad rush to comply with Sarbanes-Oxley in , many compliance activities were performed manually.
Information was gathered, 19 20 Part I: Governance, Risk, and Compliance Demystified organized in spreadsheets or other simple ways, and then used to make sure that the company was complying with all requirements. While this sort of manual work was inevitable the first time around, and perhaps even beneficial in that it gave those involved a hands-on understanding of what sort of work needed to be done and information needed to be assembled, it was not efficient.
Given the shortage of personnel trained in GRC and the expense of using external consultants and auditors to perform reporting and analysis related to controls and testing, many companies are seeking to implement GRC as a way to increase automation and cut costs. Some companies have reported reductions in auditing costs of more than 20 percent.
Struggling with the high volume of compliance Risk goes way beyond financials and so does compliance. Globalization means that goods may be sourced from just about anywhere and shipped anywhere, and the compliance requirements for moving these goods are significant: each cross-border trade can involve as many as 25 different parties and generate 35 documents that must be tracked and saved.
Environmental regulations are also increasingly the focus of compliance. The number of environmental regulations companies must comply with is constantly growing, both at the state and national level, particularly relating to hazardous substances. In many cases, the sheer volume of compliance activities forces automation because no other approach is feasible. Introducing the GRC Stakeholders No matter what the motivators and how much automation you may apply, the essence of GRC is to change the hearts and minds of the people in a company.
The responsibility for GRC enforcement and implementation is spread across a variety of different stakeholders, each of which plays an important role. Understanding the interactions between these stakeholders is a key element of a successful program of GRC improvement. Of course, the ultimate responsibility for all corporate issues resides with the board of directors and the CEO, and then devolves down through the organization.
The consequences of inadequate attention to GRC processes are so extreme that interest from senior management is at an all-time high. From this point of view, GRC should be something for which every line of business is responsible. The creation of a separate department dedicated to GRC is an invitation to empire building. After a department dedicated to any specific purpose is created, it tends to grow.
GRC stakeholders outside a company Investors and shareholders have perhaps the most to lose monetarily from failures of GRC processes. When a stock price drops after a company reports an audit failure, a material breach of compliance with regulations, or any other sort of negative event that could have been foreseen, investors are demonstrating their profound concern.
Customs, and many others. This list of stakeholders is constantly changing as new issues arise and new laws and regulations are created to address them. Now it is time to open that box and look inside at all the moving parts. The challenge in moving to a more detailed discussion of GRC is that the meaning of the terms and the actions required are different depending on the nature of the business. GRC activities at a stock brokerage firm will be quite different from those at a chain of grocery stores, for example, although the goals at the highest level are the same.
This section breaks down GRC into its component parts by looking at the meaning of each of the three words that make up the acronym: governance, risk, and compliance. The challenge here is that these words are general terms as well as terms of art applied to GRC, so we start our discussion by separating the informal meanings of the terms from the precise way these words are used with respect to GRC.
The way that a board of directors works with a CEO is a form of governance, for example. How are you going to do what you must do to execute on a strategy? How is the CEO making sure that the right policies and procedures are in place to run a company? How are those policies communicated? What sort of checking is done to make sure that the policies and procedures are being followed? How are the policies and procedures updated? What controls are in place?
How can methods of checking and confirming that policies are being followed be improved? Risk The word risk is the trickiest of the three that make up the GRC acronym. All of GRC, for example, can be seen as an exercise in understanding and controlling the risk of running a business.
So a program of GRC improvement helps reduce the risk of failing to comply with regulations for financial reporting, trade, environmental protection, or safety. GRC also deals with the risk of not having adequate governance structures to keep a company under control and effectively managed. Every business strategy runs certain risks that can be identified at the outset and must be monitored.
There is also the risk of not identifying operational risks that may have significant impact on a business early and dealing with them adequately. The R in GRC includes all these risks, in fact, any risk the business faces. Compliance Compliance is the term that has a general meaning that is closest to the way it applies specifically to GRC.
Compliance in general means that you are satisfying a set of conditions that has been set forth for you. Compliance implies that someone else has set those conditions up and that you must meet them. Most of the time, when people talk about compliance, they are referring to external standards for which compliance is mandatory.
The word compliance also sometimes refers to internal standards as well. Defining the C in GRC as standing for controls can broaden the discussion. Compliance is what we have to do, and controls are the way we do it. Furthermore, controls are a way to monitor that the business is compliant, and also efficient and orderly in every way. Governance guidelines, which are the policies and rules of the game for a company that explain how the company will be run to best meet its obligations and pursue the business strategy, are set forth by senior management.
The operational executives then carry out programs and put in place controls that ensure compliance, frequently with the help of consultants or auditors who are expert in applying GRC. Risk management results in the creation of mechanisms so that risks can be brought to the attention of senior managers who then take steps to reduce them.
So although Figure shows a top-down structure, in most companies, GRC is actually implemented from the bottom up, like this: 1. The company puts in place controls to make sure that compliance requirements are satisfied so that no laws or regulations are violated. After the controls are in place, which may take a year or more to achieve, the next task is to analyze what has been done to make it more efficient and effective and to reduce costs associated with compliance.
At this stage processes for governance may begin to be developed as internal policies are added to external requirements and the company looks at its compliance activities from the top down. Risk management processes may be added at any time during this cycle, depending on how worried a company is about risks connected to a particular strategy or about unforeseen risks.
In preschool, you may have learned letters by remembering that A is for apple: The same approach can be taken with GRC.
We take the bottom up approach in our explanation and work through the acronym from right to left. C Is for Compliance: Playing by the Rules The goal of the compliance process is to make sure that a company meets or exceeds all of the demands that are placed on it by external institutions that make laws and regulations for various purposes.
Compliance is also concerned with self-inflicted rules; in other words, policies related to how a company does business. Financial compliance is the one that has gotten the most attention in the past couple of years, but trade management and environmental, health, and safety compliance are also always key concerns.
These areas are all interrelated and provide companies a set of guidelines to follow from a perspective of best practices and processes. Each of these areas will be covered in detail later in this section. Some regulations require that reports of activities are created and may set thresholds for acceptable financial ratios or amounts of emissions, for example. But by far the most frequently mandated item from a compliance perspective is the mandate that a company have sufficient controls to detect bad behavior.
A complete grasp of what controls are and how they work is key to a complete understanding of GRC. Controls: Mechanisms of compliance Controls are the means by which bad behavior or violations of policies are discovered. Controls also provide companies with an alert mechanism for highlighting what processes are working well and which areas need to be improved. Some controls are preventative, meaning that they stop you from doing things that are not allowed.
Preventative controls are frequently part of access control, which is the discipline of allowing people to have access only to transactions and capabilities that they need to do their jobs and to limit the potential for bad behavior. Access control is key to managing segregation of duties, which is one of the most important mandates of Sarbanes-Oxley. See Chapter 5 for more information about segregation of duties. Most of the controls that are used to enforce policies in a company are detective controls, which analyze what has gone on in a company and reveal policy violations or bad behavior after it has happened.
Although in some ways it seems like creating a system that makes bad behavior impossible is preferable, in practice, the processes in a business are too complex and fluid to be automated in such a rigid way. When implementing policies and enforcing them with detective controls, you never stop people from doing what they need to do to keep the business running. You do, however, detect the problems after they occur and then come up with remedies of various sorts to mitigate the problems and prevent them in the future.
Mitigating controls are those controls that are put in place to fix any problems created by violations of policies. Mitigating controls are descriptions of steps that need to be taken to fix problems. Detective controls can either be automated or manual.
For a manual control, someone may have to scour through the logs of various types of activity to find certain types of transactions and record them in a spreadsheet. Then the collected transactions are analyzed to see if any of the transactions have violated a policy. Automated controls gather the information and check for the violation automatically. Automated controls can also generate alerts and cases that can be assigned to the appropriate manager for remediation.
One of the key methods for making GRC processes more efficient is through the application of automated controls.
Given that most companies have around controls in place, improving the efficiency of controls can mean significant savings. For more on access control, see Chapter 6; turn to Chapter 7 for more on internal controls. Controls are determined by the direction provided by corporate governance and risk management and then are applied to the most important processes of the enterprise.
One common control is to check the credit of each new customer before doing business with them. A control could take the form of looking at each new customer record and then examining activity to see if a credit check was performed. If new customers have been created without credit checks being performed, a mitigating control may need to be executed, perhaps to perform the credit check after the fact.
Then the control may analyze why the credit check was not performed. Perhaps the problem is systematic, resulting from inadequate training, for example.
Maybe the people creating new customers did not know that a credit check was required. Perhaps the problem was that the system used to check credit is unreliable so that credit checks cannot always be performed. Whatever the reason, the control can discover a problem that must be dealt with to comply with a policy or regulation.
Some controls are run once a year; for example, to check whether policies for capitalizing equipment are followed. Other controls may be run once a quarter or once a month. One of the things that usually happens when problems are discovered in an audit is that controls are run more frequently. If the controls are manual, this means that someone must be doing a lot more work, Chapter 1: The ABCs of GRC which can drive up auditing and personnel costs and the cost of doing business.
Replacing manual controls with automated controls is one way to allow controls to be run more frequently — in some cases, continuously — without large additional costs. That way, if 1 in transactions violates a control, an automated control will catch it every time without incurring the cost of checking the 99 transactions that did not violate the control.
A manual control that tests every transaction would find such a problem, but the more common approach — sampling transactions — is unlikely to find needles in haystacks.
Automated controls save money, run percent of the time, and allow you to practice exception management. In the process of designing, applying, and analyzing controls in a business, you develop a deeper understanding of the processes of your business.
Problems discovered by controls can lead to the redesign of processes to better meet both business and compliance goals. To get the most out of GRC, the insights gathered in compliance activities must be shared with managers in each department so that compliance can become part of the process of continuous improvement. Domains of compliance The sorts of controls just described are used in numerous domains of compliance: financial management, global trade, and environmental, health, and safety.
In each of these areas, different external regulators have set forth increasingly complex rules and regulations. Proof of compliance with these regulations may be required in the forms of controls, reports, and certifications to the veracity of reported information. The section below summarizes the sorts of compliance that are required in each area.
Section of the law makes it a crime to certify financial statements that have material errors. Section requires strict segregation of duties to prevent various forms of bad behavior including fraud, inaccurate reporting, and other forms of malfeasance. Section requires that CEOs and CFOs literally sign on the dotted line on annual and quarterly reports and certify that the information is true. Behind that signature are many other levels of signatures of everyone in the chain of command, stating that they vouch for the numbers they provided for this report.
Controls designed to monitor key processes are one of the ways that executives and managers feel comfortable putting their signatures on these reports: Controls help to verify that the numbers are accurate and not inflated.
If a CEO knows that processes like order-to-cash, revenue recognition, and procure-to-pay are all being monitored closely through a comprehensive set of controls, the CEO and those under him or her can feel comfortable certifying that there is no fraud or inaccuracies in financial reports.
If errors do show up, everyone involved will be more understanding if a full set of compliance and information quality procedures are in place and diligently enforced. Section is handled through putting access control mechanisms in place.
When someone is given access to a computer system, a role is usually assigned to them. That role has a set of permissions that grants that user access to a certain set of transactions.
In a modern computer system like SAP ERP, for example, there can be more than 20, transactions and more than , data elements. Each company has hundreds of roles in place. It is impossible to manually check that the roles assigned to any one individual do not grant access that would violate any reasonable segregation of duties schemes.
Depending on the nature of a business, a company may have to provide other forms of reporting, such as levels of capital for banks or other indicators of financial health. Modern GRC systems help automate the process of implementing, running, and analyzing controls, performing segregation of duties checks, and creating regulator reports of all kinds. Each country has its own regulations. For example, worldwide there are approximately 50 different lists of denied persons or companies that countries prohibit sending goods to.
Many of these lists change daily. Although U. Also, governments are starting to use more advanced methods of providing information and are requiring electronic submission of global trade documents. Globalization and outsourcing mean that more and more goods are moving across borders. When products are shipped, regulations of the receiving and sending countries must be satisfied as well as any countries that the goods pass through. Companies at one time left many of these tasks to the shipping and freightforwarding companies.
But now compliance is so challenging and the penalties so severe that this is less often a viable solution. The latest trade management systems help automate these activities as much as possible through integration with internal systems like ERP Enterprise Resource Planning and SCM Supply Chain Management and external sources of information. Environment, health, and safety compliance Environmental, health, and safety regulations are constantly moving forward as new dangers are identified and new concerns arise.
For example, for companies that create and ship hazardous materials, labeling requirements differ throughout the world, as do requirements for the data sheets that accompany such materials. Risk management compliance Although laws regarding risk management are not yet mainstream compliance requirements in the U. Switzerland and Germany already have laws mandating risk management. In the U. Amended Sentencing Guidelines state that organizations must take reasonable steps to ensure that their compliance and ethics programs are followed, including monitoring and auditing to detect criminal conduct and to evaluate periodically the effectiveness of their compliance and ethics program.
Although risk management is 29 30 Part I: Governance, Risk, and Compliance Demystified not explicitly stated in the guidelines, what is required to meet them is basically, in fact, a systematic approach to managing and monitoring risks.
Data privacy and security compliance The problem of identity theft is driving increased regulation as well, both in the areas of data privacy and computer security, which go hand in hand in protecting sensitive data.
Companies are increasingly being asked to demonstrate that their operations do not have long-term damaging effects on the planet and that they practice good corporate citizenship. The United Nations releases a list of sustainability indicators that companies may one day be required to report on.
Chapter 13 discusses the topic of sustainability. R Is for Risk: Creating Opportunity Risk management is the process of uncovering what could go wrong for the express purpose of making more things go right. All strategies and all opportunities worth pursuing involve risks that must be monitored and managed.
Racecars win not just because of their gas pedal but also because of their brakes, which help drivers deftly maneuver around corners and other obstacles. In the same way, risk management can help companies identify potential pitfalls and thereby optimize their opportunities for success. Or perhaps, a major customer has indicated they are in big financial trouble and may cut back on orders.
Or, what if replacement parts for a critical piece of equipment are no longer being produced? A well-run company has a way for its employees to identify such risks and raise the alarm so that the risks can be prioritized and mitigated. Unmanaged risks increase the potential for unpleasant surprises. Thinking that risk management is only about catastrophic risks is a mistake.
A series of unanticipated smaller risks can have an equally devastating effect, especially if they cause targets for financial performance to be missed, even by a small amount.
Risk management, though it initially sounds negative, has great potential for helping companies maximize their opportunities. Reporting mechanisms to raise alerts about risks may also be used to identify opportunities. When done properly, risk management can be like a crystal ball that helps you get a vision of the future, tweak it according to your strategy, and make that improved vision come true. G Is for Governance: Keeping Focused and Current Governance is about the big picture, about steering a company in the right direction and evolving policies, procedures, and processes as needed.
Governance is about how you are doing what the strategy of your business demands that you do. Governance is about establishing the larger goals, the top-down perspective that organizes compliance and risk management activities as well as everything else a company does. Governance is also about how the data gathered by GRC processes is analyzed and used to improve a business.
At the highest level, governance is about steering the corporation: making sure that a company is selling the right products in the right markets. Governance exists to translate the strategy set by the board of directors and CEO into the actions that will bring that strategy to life.
The first step most companies take with respect to GRC is to put in place controls that ensure the firm is complying with external requirements. But after that has been accomplished, the sort of self-governance shown in Figure becomes an issue. Self-governance helps create a continuous feedback loop of information to improve the operations of a company and to make sure that any important operational processes take place as desired by the board and CEO. One of the most important governance activities is to look at the existing set of controls for both imposed and self-imposed governance and ensure that they have the proper scope and effect.
In performing this analysis, a company frequently gains insights into how to redesign its processes to increase efficiency and better align them to corporate goals. After new ideas for improvements have been discovered, they must be implemented in order to take effect.
In other words, governance, when properly implemented, helps guide the evolution of a company. For this reason, there is a natural link between governance and program management. Hitting the Audit Trail Increased attention to GRC has been a boon for auditing firms as companies have hired them to help make sure they are complying with Sarbanes-Oxley and other regulations. Auditors have been asked to help design and implement controls and to perform other forms of testing to ensure compliance.
Chapter 1: The ABCs of GRC Most auditing activity involves examining the transactional record of a company that is kept in various sorts of audit trails that record corporate activity.
When this work is performed manually, it can take an enormous amount of time to carry out. SAP GRC For Dummies untangles the web of regulations that confronts your company and introduces you to software solutions the not only keep you in compliance, but also make your whole enterprise stronger. This completely practical guide starts with a big-picture look and GRC and explains how it can help your organization grow.
Programmer Books. Random Books. Book Description: Governance, risk, and compliance — these three big letters can add up to one giant headache. Articulate Storyline Essentials.
0コメント