Post on 10-Feb-2018
Integration of Risk Management with Internal Control System
Eduardo Barrera
11.04.2013
SAP GRC Risk Management and Process Controls
SAP Finance Excellence Day Confidential. © 2013 BearingPoint | 2
Introduction
Eduardo Barrera
• More than 20 years of management consulting background, serving large and mid-size companies both globally and locally
• Of which more than 5 years of audit experience (at one of the Big Four firms)
• Responsible for Governance, Risk and Compliance at BearingPoint Switzerland
• Background in business administration and audit
Contents
Introduction
Companies Overview
Some Governance, Risk and Compliance background information
Project experience and lessons learned
Summary
Questions
BearingPoint Overview
Approach: Collaborative and flexible
Characterized by flexibility and result-orientation, we find the best way forward for our customers.
People: Dedicated and experienced
Through our extensive industry knowledge and our outstanding commitment we achieve exceptional customer satisfaction.
Results: Measurable and sustainable
We deliver practical, measurable and sustainable solutions to the problems of our customers.
BearingPoint – Globally
• 15 countries
• 140 Partners
• About 3,400 employees
• Ex KPMG / Arthur Andersen
Our consulting approach and expertise supports clients from strategy to implementation
Phases (figure): Decision (strategic planning, business and IT strategy) → Design (process optimization, business processes) → Implement (system integration)
• Definition of business strategies
• Control mechanisms and balanced scorecards
• Market analyses, cost accounting
• Regulatory analyses
• Product, process and IT benchmarking
• Process and IT outsourcing analyses
• Quality management (Six Sigma)
• Information management strategies
• Business continuity management
• IT architecture evaluation
• Scenarios for in-house development / purchase of IT solutions
• Project and program planning
• Design of process optimization and standardization
• Implementation of regulatory requirements
• Key business indicators and key data for quality improvement
• Business intelligence concepts
• Information management governance
• Post-merger integration
• CRM design / implementation plan
• Optimization of operational and organizational structure
• Implementation of project and program management
• Analysis, design, development and operation of applications (Enterprise Application Integration)
• Data warehousing
• Business intelligence
• Master data management
• Data migration
• Digitalization
• Document management
• Test management
• Integration management
• System integration
• Implementation of IT security key data
We have a long partnership with SAP and have been awarded multiple times for our excellence
Thought Leadership: Enterprise SOA
Regional Excellence: EMEA
Special Expertise Partnerships
• SAP Enterprise Portal
• SAP CRM
• SAP Master Data Management
• SAP NetWeaver ESOA
• SAP Process Integration / Exchange Infrastructure
• SAP Business Intelligence
… and many more
Selected SAP Special Expertise Partnerships
• SAP NetWeaver BI
• SAP BusinessObjects EPM Platform
• SAP ERP Financials
Further SEPs and Awards
Global Service Partner
BearingPoint Switzerland was selected as the solution partner 2012 for SAP Switzerland.
Schaeffler GmbH Overview
Employees: globally around 74,000
Revenues (FY 2011): globally around 10.7 billion euro
Manufacturing: 180 locations
Sales organization: in more than 50 countries
Schaeffler Group Automotive: Automotive product range (INA, FAG, LuK)
Engine systems
● Engine elements
● Belt and chain drives
Chassis systems
● Chassis applications
● Auxiliary units
Transmission systems
● Transmission applications
● Clutch systems
● Transmission technology
Schaeffler Group Industrial
Business divisions and sectors
Products: linear technology, tapered roller bearings, ball bearings, needle roller bearings, spherical roller bearings, cylindrical roller bearings
Sectors: power generation, motorcycles, fluid/pneumatics, wind power, aerospace, heavy industry, drive technology, consumer products/medical, railway, production machinery
The development of the Schaeffler Group: from 1946 to the present
• Founding of the Industrie GmbH in Herzogenaurach
• Rapid growth: further plants and branches in Germany and worldwide
• Takeover of all LuK shares
• Takeover of FAG Kugelfischer Georg Schäfer AG
• INA, LuK and FAG form the "Schaeffler Gruppe".
• Market development and new locations in Eastern Europe
• Founding of Schaeffler AG; Georg F. W. Schaeffler is chairman of the supervisory board
• Schaeffler becomes majority shareholder of Continental AG
• After the death of Dr. Ing. E. h. G. Schaeffler, his wife M.-E. Schaeffler and son G. F. W. Schaeffler take over responsibility.
• Asia offensive: investments in plants as well as research and development
Timeline markers on the slide: 1946, 1950s/60s, from 1991, 1996, 1999, 2001, 2003, 2009, 2011
Risk sources in the context of a PESTEL analysis: Political, Economic, Social, Technological, Environmental and Legislative
What could go wrong, what will go wrong: companies face many sources of risk
External fraud
• Google (Chinese environment)
• SecurID
Internal fraud
• Société Générale (2008)
• UBS (2011)
• Gate Group
Theft
• Retail companies typically lose about 10% of products because of theft
Non-compliance (with regulation)
• Collaboration
Incorrect financial statements
• Enron (2001)
• WorldCom (2002)
• Parmalat (2003)
Supply stability
• Bankruptcy of suppliers
Information security
• Swiss National Bank
• LGT
Environmental risk
• BP Deepwater Horizon (2010)
• TEPCO (Fukushima)
Others (reputation)
• Shell
• Total
• Glencore
• Xstrata
An Overview
What is Governance, Risk and Compliance?
Figure: Governance, Risk Management and Compliance, driven by risk appetite, external regulation and internal policies, and spanning strategy, technology, people and processes in an integrated, holistic, organization-wide way.
• Social responsibility
• Education
• Ethically correct behavior
• Ensure sustainability
• Improve efficiency
• Improve effectiveness
• Operations managed and supported by suitable technology
• Innovation
• Vision
Managing GRC is a challenge
Lack of transparency
• Poor visibility into enterprise risk exposure
• Processes are too reactive and defensive
• Fragmentation limits effectiveness of risk and compliance initiatives
Lack of resources
• Limited time and personnel to effectively manage risk and compliance
• Inefficient and costly manual processes
• Inability to proactively mitigate risk events
Lack of alignment
• Risk and compliance management processes are not embedded within the business
• Controls are not aligned to key risks
• Limited risk and compliance influence on business decisions
Fragmented and manual risk and compliance activities increase cost and fail to provide strategic value
Stakeholders (figure): Executive Management; Compliance, Risk and Audit; Business Owners
Current State
Heterogeneous environment: different concepts and definitions of risks and controls
Inconsistency: inconsistent views of business processes and risks reported to the Board of Directors and senior management
Multiple regulations: businesses are required to address multiple regulatory and risk management initiatives
Not harmonized and not standardized
GRC responsibility
BearingPoint study on GRC maturity: results
• Although GRC responsibilities are defined in nearly every company, the related tasks are so far often carried out by the finance function.
• Survey participants are mostly located at the second or third management level of the company.
Bar chart (figure): share of GRC responsibility by role, covering CxO, legal, governance, risk management, compliance and finance responsibles; the values shown are 5%, 5%, 10%, 10%, 29% and 43%.
Future State
Governance structure: clearly defined responsibilities; clear and comprehensive risk reporting
Reduction of redundancies: opportunity to leverage / coordinate with other control functions
Processes, organization and information technology: foundations of convergence
Gain efficiency and effectiveness AND increase the level of safety (better protection and high assurance)
Risks associated with internal control systems (ICS) in the context of Enterprise Risk Management (ERM)
ICS is often considered a financial requirement; the effort of compliance is significant
PESTEL risk sources (figure): Political, Economic, Social, Technological, Environmental, Legislative
Where to find risks related to ICS requirements
Importance of ICS from an enterprise-wide risk perspective: risks, and thereby the consideration of controls from an ICS perspective, are low in relation to overall enterprise risk management; however, financial risks due to insufficient compliance are high.
Effort of response activities: ICS control activities are time-consuming; reporting standards, documentation level and IT (especially access controls) lead to a big effort, which could be reduced by considering those areas in an integrated way.
Figure: operational vs. ICS shares for both importance and effort.
Current and future state of Schaeffler's RMS and ICS environment
Current state:
• RMS and ICS not integrated, isolated processes
• High manual efforts
• Lack of transparency, real-time indicators and reporting
Future state:
• Real-time reporting based on integrated compliance activities addressing relevant risks
How risk valuation and assessment are considered within Schaeffler
Figure: a risk is assessed locally (local assessments), at division level (division assessment) and globally (global assessment).
• A first assessment needs to be re-assessed by a second party
• Risks which are initially assessed should be recorded historically
• A second assessment could override the initial assessment
• Assessments are period-dependent
• Comparison between initial and second assessment is required
• Comparison between periods (how risks changed)
How risks could be assessed with SAP GRC
Figure: one risk with multiple risk assessments attached.
Identification and evaluation of risks via
• Collaborative assessments
• Surveys, questionnaires
• Direct entries
Valuation methods
• Professional judgments
• Uploads (different tools)
• Statistical methods
How to assess risks
Figure: local assessments, division assessment and global assessment of a risk are consolidated; related risks are combined into a cross risk, for which a response strategy (effort, mitigation, control) is defined, resulting in the net risk.
How to evaluate internal controls
Figure: control catalogue and control descriptions feed multiple self-assessment and testing activities.
• Controls are covered within one central catalogue
• Controls are identified, classified, documented and shared with the local entities by HQ
• Design and effectiveness test procedures are written and executed by the local entities
• Controls are not linked to ERM risks
How to evaluate controls and test effectiveness
Headquarters: providing the list of controls and requesting the initial evaluation
Local entities: local entities and responsibles assess the scope and evaluate the design; results of the test of effectiveness are returned
Headquarters: consolidating results and collecting evaluations into an overall report
Figure: control catalogue and control descriptions feed multiple self-assessment and testing activities.
Strategic expertise
Project approach and goals to be primarily achieved before an implementation of such a comprehensive solution
Figure: the requirements of Schaeffler, BearingPoint's capabilities (risk management, audit background, SAP system knowledge) and the SAP GRC Ready2Go System of BearingPoint are brought together in workshops to produce the blueprint.
BearingPoint's Ready2Go System was considered from the beginning of the project
Figure: components of the GRC R2Go System by BearingPoint
• Access Risk Management: check segregation of duties; compensating controls (manual, semi-automated, automated)
• Risk Management: response strategies (transfer, avoid, accept, control)
• Compliance Management: controls (manual, semi-automated, automated)
• ERP systems: ECC, CRM, SCM, non-SAP
• Heatmap: segregation-of-duties analysis results per process and company code (BUKRS), grouped into FSCP (Bank Maintenance; Create and Maintain GL Accounts; Open and Close Accounting Periods; Park Journal Entries), O2C (Create/Maintain Customer Master Records; Customer Incoming Payment; Delivery Processing; Enter Customer Credit Memo; Maintain Pricing Conditions; Maintain Sales Orders) and P2P (Approve or Release Purchase Orders; Approve or Release Purchase Requisition; Bank Maintenance; Cash Payment Processing; Create and Maintain Vendor Records; Create/Maintain Purchase Contract; Create Purchase Orders; Manage Physical Inventory; Park Vendor Invoice; Post Vendor Downpayment Request; Process Goods Receipt; Process Vendor Invoices (MM)); the example shows 676 FSCP, 2176 O2C and 3962 P2P results, 6814 overall
• Report, Policies, Governance, Regulation, Measurement
• Continuous Control Monitoring: effective
SAP GRC enforces the establishment of a highly mature process landscape, following standards which allow companies to gain efficiency, effectiveness and more consistency
Figure: control objective, risk, controls and test plans are linked.
1. ICS-relevant processes to be considered, identification of relevant controls and definition of procedures to mitigate risks, design of test plans. Responsible: Process Owners (corporate), Process Owners (local), Internal Control Owners (corporate)
2. Create controls and test plans within SAP GRC. Responsible: Internal Control Owners (corporate)
3. Test of Design (ToD): regularly test the design of controls to ensure that the control is designed to mitigate the respective risk. Responsible: Internal Control Owners (corporate), Internal Control Owners (local)
4. Test of Effectiveness (ToE): based on a test plan, audit controls and assess operational effectiveness. Responsible: Internal Control Owners (corporate), Internal Control Owners (local)
Segregation of duties for both process owners and internal control owners as mentioned in steps 1, 2 and 3
To integrate ICS within ERM, a harmonized and structured organization needs to be established
Harmonized, homogeneous, structured and clearly defined:
• Roles and responsibilities
• Competencies
• Communication lines
• Process control processes
• Reporting rules
• Control testing approach
• Remediation actions