SAP GRC to protect businesses from fraud
Source: SAP website, February 2013
SAP GRC can help businesses prevent multi-million-dollar losses from potential malicious acts by employees – a threat which is taking on alarming proportions.
According to the ACFE's survey of professionals in 94 countries, the average organisation loses 5 percent of its income to fraud annually. If extended to global output for 2011, these losses would exceed $3.5 billion.
Malicious activities include misappropriation of corporate resources, non-authorised use of corporate assets, bribery, and corruption, as well as fraudulent financial reporting practices involving deliberate misstatements or omissions. Apart from direct financial losses, fraudulent practices can cause personal data leaks that may result in reputational risks and regulatory violations, including breaches of Federal Law No. 152 On personal data. The survey clearly shows that management needs to take a particularly focused approach to detecting and preventing fraud risks.
Karina Sarkisyan, a partner with Deloitte Enterprise Risk Services Group, is confident that "management involvement in implementing and maintaining internal controls is the most efficient way to mitigate fraud risks. Operating executives responsible for organising and maintaining internal controls and internal auditors monitoring the efficiency of internal controls could be an effective and well-balanced solution for an organisation. Segregation of duties is important for internal controls. A failure to maintain this principle may result in delayed detection of errors and internal fraud."
A systematic approach to risk management requires specially designed tools. Having internal controls automated with information tools could make control processes more efficient. With external audit methodology inevitably relying on sampling, and with fraud detection not constituting a key audit focus, external audits can bring to light only about 3 percent of frauds without a noticeable impact on losses. Internal fraud mitigation activities provide much higher efficiency. Absent internal controls have been named as the source of 35 percent of frauds.
- SAP GRC - a governance, risk and compliance tool - is an integrated scalable solution with broad functionality to detect and manage risks as well as monitor business processes. It consists of:
- SAP GRC Access Control for managing unauthorised access risk and role segregation
- SAP GRC Process Control for managing regulatory compliance and financial reporting risks as well as automating internal controls
- SAP GRC Risk Management for managing corporate risks
These components share a common user interface and key data that could be used, for example, to document business processes and controls.
SAP GRC helps ensure compliance with information security requirements for secured access to personal data systems ("PDS") and for duty segregation and access risk control in real time. SAP GRC solutions work in concert to help detect and prevent frauds not only by identifying duty segregation conflicts, but also by detecting fraudulent actions at the level of permitted functions by continuously monitoring corporate business processes.
SAP GRC comes with a business process control matrix, a duty segregation matrix, and a basic risk catalogue featuring key risk indicators to control:
- discrepancies between prices in purchase orders and invoices
- inconsistencies between quantities ordered and invoiced
- inconsistent delivery dates
- price history for the previous three months and non-contracted purchases
According to Dmitry Lisogor, the deputy general director for SAP CIS, SAP GRC has seen many successful implementations all over the world. "For instance, ABB India, with an annual revenue of $29 billion and a staff of 6,500 people, has implemented SAP GRC as a 'one stop-shop' solution across its offices in 14 countries, reducing its audit and SOX compliance costs,” said Lisogor.
“Another example is Panalpina Group, which uses SAP GRC for risk analysis based on common standards. The solution has helped the company ensure a more transparent powers allocation process as well as lower audit costs by 5-10 percent and reduce the time needed to manage user powers in information systems by about 60-75 percent."
Moscow, 13 February 2013