Table of Contents - Espresso Tutorials

Foreword 7

1 The basic principles of GRC automation 13
1.1 GRC as a content-driven application 13
1.2 A brief overview of SAP GRC solutions 15
1.3 The three lines of defense model 24
1.4 Factors driving GRC automation 30
1.5 Measurable GRC benefits 43

2 Using GRC to fight corruption: From the concept to implementation 61
2.1 The concept: The anti-cube in action 61
2.2 The main features of an anti-corruption framework 67
2.3 Identifying and assessing risks 73
2.4 Preventing risks 84
2.5 Detection 96
2.6 Countermeasures and damage limitation 102

3 Anti-corruption content for GRC 107
3.1 The corruption environment—what you need to know 107
3.2 Anti-corruption content for SAP GRC 122
3.3 Fraud risks in the retail trade 127
3.4 Detecting fraud in the retail trade 138

4 Tips for implementing GRC 143
4.1 The first steps 143
4.2 Building up the SAP GRC sandbox 150
4.3 Setting up scenarios in SAP Fraud Management 159
4.4 Designing the GRC user interface 191
4.5 Design options for GRC reporting 200


5 Summary and outlook 209

List of references 213

Bibliography 215

A The Author 218

B Index 219

C Disclaimer 224


2 Using GRC to fight corruption: From the concept to implementation

In this chapter, I present a practical concept for fighting corruption that is based on processes most companies are already using (e.g., the internal control system (ICS), risk management, and policy management). In doing so, I show how an anti-corruption framework can be implemented in a company as part of an overarching, integrated GRC initiative.

There are numerous studies about how to tackle the topic of “fraud and corruption” in both the private sector and government institutions. One of the most important of these is the publication by the World Bank Institute, “Fighting Corruption Through Collective Action – a Guide for Business” [13]. This study (undertaken in 2008, but still extremely relevant) is the result of joint work between the World Bank Institute, the United Nations Global Compact, Transparency International, and other well-known bodies, as well as renowned companies such as Siemens and Microsoft. The Guide for Business and other studies contain similar elements that can be combined into a “best practice” concept for fighting corruption in a company.

2.1 The concept: The anti-cube in action

2.1.1 Introduction to the concept

There are three levels of anti-corruption measures that a company “can establish”:

1. Internal processes

2. External communication

3. Collective action

“Can establish” is a rather diplomatic phrase: these measures are actually more of a must, because only the three levels taken as a whole make an anti-corruption initiative complete; that is, only together do the measures sustainably secure the success of the initiative and the investment made in it.

In most companies, the focus is on internal processes, because an anti-corruption initiative is built on a backbone of ICS and risk management.

1) Internal processes should contain clearly defined steps for identifying conflicts of interest and corruption risks; the processes should establish preventive and detective controls, ensure that the measures are implemented, and communicate the policies.

To ensure that internal anti-corruption processes succeed, it is essential to promote a positive perception of the risk management function and of ethics within the corporate culture. Management must act as a role model and support the GRC initiatives. Nevertheless, it is also very important to supplement the internal processes with the two other levels, as already stated.

2) External communication: swapping experiences about best practices, success stories, appearances at conferences; publication of Corporate Social Responsibility (CSR) reports; drawing up contracts with business partners, vendors, and sales partners that reference their agreement with the compliance policies.

Besides communication, there are further ways in which a company can cooperate with the outside world to tackle corruption together. These measures are urgently recommended not only in high-risk regions but also for pertinent industries and transactions regardless of the region. In particular, these more intensive forms of cooperation are aimed at fighting bribery as a type of corruption and they are grouped under the term “collective action” (see also Section 3.1.2).

3) Collective action involves forming alliances to overcome corruption and isolate the black sheep together. In addition to companies and their respective supply chains (partners, vendors, customers, etc.), such alliances include society as well as government and non-government organizations.

We will keep these three important levels of fighting corruption in mind when we describe our concept later on.

What sources is our idea based on, and what is the core of the idea? As already mentioned, there are numerous studies and guidelines published by the World Bank, the UN, Transparency International, etc. that are aimed at helping companies fight corruption. They are all based on the four internal processes shown in Figure 2.1:

Figure 2.1: Process steps in an anti-corruption framework

These studies and guidelines provide very good suggestions and, in some cases, very specific and tangible recommendations for practice. However, they are not well known among the people responsible for risk and compliance topics in companies, even though frameworks such as COSO and COBIT and the relevant ISO standards influence risk and compliance management processes significantly. The core of our plan therefore lies in making the anti-corruption studies better known by linking them with familiar concepts and implementing them practically using software-supported processes.

The idea of considering anti-corruption topics as an important part of compliance processes is not new. This is because:

On the one hand, an internal control system according to COSO has, amongst other things, a clear anti-fraud focus.

On the other hand, the multiple compliance framework principle (i.e., the ability to map multiple customer-specific compliance dimensions) has become established in GRC applications and processes.

To give a better understanding of how a company can achieve its own anti-corruption objectives with the support of software, I will emphasize this special focus as strongly as possible. However, I will start with the conceptual structure of an anti-corruption framework, which is independent of any particular software.


Based on the familiar COSO cube, the 3D diagram of an anti-corruption framework shown in Figure 2.2 (for simplicity, I will call it the anti-cube) supplements the four process groups referred to above and summarizes their most important properties.

Figure 2.2: The anti-cube

The three sides of the anti-cube summarize the following: on the top, you can see the most important content elements (or simply content), which are strongly rooted in the internal control system; on the right-hand side are the activity types, which, as well as having anti-corruption-specific properties, are based on the COSO components and identify activities; and the activities themselves are grouped into the four process groups.

Before we look at the individual sides of the anti-cube in more detail, I would like to explain how this still rather abstract construct should help you to automate GRC.

2.1.2 How do you get the anti-cube rolling?

What does automating an anti-corruption initiative in a company mean, and how can you close the gap between concepts and the efficient and practical implementation of these concepts? In other words: how do you get the anti-cube rolling? And what do you want to achieve by doing so?

To keep the concept as simple as possible, I will use an abstraction which, based on many years of experience in implementations in practice, is very suitable on the one hand for explaining the principle of automating GRC processes to customers, and on the other hand for planning and realizing the corresponding implementation projects. This proven approach is based on connecting the following views:

Content view: definition of the structure and contents of a GRC framework: organizational hierarchy, processes, risk categories, controls, risks, and much more. It is not simply a matter of creating as complete and correct an image of the risk and compliance landscape as possible; from a functional perspective, the GRC content also drives the role concept and reporting, amongst other things.

Process view: processes are made up of manual and automated steps that are enabled by authorization roles, workflows, and interface design.

If we break down the complex facts in this way, we get the simplified representation shown in Figure 2.3:

Figure 2.3: Abstraction of a GRC automation

With regard to software-supported GRC automation, in general, the following applies:

The GRC content is documented (the content view).

The elements of the GRC content are included in various activities (usually via workflows), with the aim of remaining informed about the status of things in GRC at all times by means of reporting.

B Index

A
ABAP report 100
Access risk 85
Ad-hoc issue 97
Adobe Document Services 148
Adobe Flash Player 148
Adobe Interactive Forms 33
Adobe Reader 148
Alert 39, 105
Analysis profile 82
Analytic view 171
Analytical audit procedure 117
Anti-corruption declaration 114
Anti-corruption initiative 64, 69
Anti-corruption measure 61
Anti-cube 64
ASAP 160
Association view 172
Attribute view 171
Audit reform 119
Audit report 119
Audit universe 84

B
Batch risk analysis 158
BC sets 156
Bribery 110
Business process control 68
Business rule 100
Business rule parameters 101

C
Calculation view 171
CAPA 104
Cash register sales slip cancellation 133
CCM 39, 99, 101
  Scenario type 99
Certifying business coalition 114
CHIP 194, 195
Collective action 49, 62, 114
Complaints 136
Compliance 13
Configurable rules 99
Conflict of interest 121
Control at company level 68
Control documentation 94
  Hybrid approach 94
  Risk-based approach 94
Control risk assessment 94
Control transactions 131
Corruption 44, 107
  Gray zone 108
Corruption tree 108
COSO 63, 67, 69
COSO ERM 70
Crystal Report Adaptor 149
Customer-specific fields 203
Cyber security 69

D
Data source 99
Datamarts 206
Developer perspective 182

E
Economic crime 45, 107
Eighth EU Directive 30
Embedded search 93
Enhancement 203
Enrichment view 172
Enterprise Risk Reporting 207
Entry page 194
EUBestG 110
Exception-based approach 38
Execution procedures 20
External auditing 116
External integration 38

F
False positive 23
Feedback principle 73, 96
Field-based configuration 194
Financial statements 118
Foreign Corrupt Practices Act 112
Forensic 121
Fraud pattern 139
Fraud triangle 66
Fuzzy search logic 23

G
General controls review 117
German Penal Code 110
Goods movements 131
Governance 13
GRC 13, 30
  Authorization object 193
  Automation 31
  Connector 158
  Framework 14
  Integration Framework 99
  Plug-ins 150
  Process design 66
  Reporting 41
  Training courses 146
GRC BI content 205
GRC business case
  Expenses figures 51
  ICS and the company value 52
  Measurable efficiency benefit 57
  Qualitative benefits 49
  Sales figures 51
GRC object number range 153
GRC organization
  Acceptance 32
  Acceptance within the company 27
  Centralized 27
  Challenges 26
  Constructive GRC culture 28
  Integrated approach 67
  Lines of defense 24, 30
  Reduction in administrative effort 59
  Silo situation 27, 36
Gross risk 82

H
Helpline 97
HTML4 32
HTML5 32, 196

I
ICAEW 120
ICoFR 94
ICS 36, 52, 93, see Internal control system
ICS review 122
ICS-relevant service 120
IFAC 120
Immediate cancellation 137
Incident 97, 106
Insider speculation 110
Installation Guide 145
Institute of Internal Auditors 28
IntBestG 110
Integrity pact 114, 115
Internal audit 21, 28, 83
Internal control system (ICS) 31
Internal integration 36
Intrinsic honesty 112
Inventory differences 128
ISO 27001 43
Issue 104

K
Key risk indicators (KRI) 39

L
Launchpad 192
LDAP 41
Lines of defense 25, 27, 28
Loss 97
Loss management 106

M
Manual control activity 95
Mass detection 159, 190
Master Data Upload Generator 124
Master Guide 145
Mitigating control 87
MSMP 88
Multiple compliance framework 67, 94

N
Net risk 82
Network analysis 23
NWBC 193

O
OData service 196
OECD 110
Online detection 159
Operational compliance 31
Organizational hierarchy 35
ORM 106

P
Plug-in 99, 150
Point of sale 127
Policy 90
Policy Management 41
Policy scope 41, 91
Politically exposed person 22
Preconfigured workflow 95
Predictive analytics 20
Prevention 48
Price query 134
Price reduction 132
Principle of minimal assignment 75
Principle-based initiative 114
Product Availability Matrix (PAM) 147
Programmable rules 100

Q
Quick view 100

R
Remote Function Call (RFC) 99
RFC 158
Risk
  Assessment 94
  Category 79
  Countermeasure 37
  Documentation 79
  Reduction 37, 50, 51
Risk bow tie representation 81
Risk management 36, 78
Risk Management 13

S
S/4HANA 100
Sample-based detailed check 117
Sanction list 22
SAP Access Control 40, 41, 58, 75, 85, 158
  Access Risk Analysis (ARA)
  Business Role Management (BRM)
  Emergency Access Management (EAM)
  User Access Management (UAM) 16
SAP Audit Management 21, 83
SAP BO Design Studio 206
SAP Business Partner Screening 22
SAP CAR 129
SAP Case Management 72, 152
SAP Document Management 90
SAP Enterprise Threat Detection 23
SAP ERP Retail 129
SAP Fiori 32, 148
  Analytical apps 207
SAP Fiori apps 198
SAP FM
  Additional info procedure 181
  Detection 48
  Detection method 142, 186
  Detection strategy 142, 187
  Risk value 189
  Execution procedure 181
  Mapping procedure 181
  Selection procedure 181
  Test procedure 181
SAP Fraud Management 19, 39, 141
  Access authorization 173
  Calibration 189
  Data Mining 184
  Data model 164
  Field Catalog 167
  Implementation 160
  Location parameter 177
  Mass detection 20
  Naming convention 167
  Online detection 20
  Out-of-the-box scenarios 162
  Parameters 167
  SAP HANA views 170
  Source domain 174
  SQL procedures 183
  Wizard 182
SAP GRC solutions 15
SAP HANA 18, 24
  Column-based storage 24
  Row-based storage 24
  View 100
SAP HANA Application Lifecycle Management 169
SAP HANA Design Studio 172
SAP Help for GRC 143
SAP Lumira 207
SAP Mobile Platform 200
SAP NetWeaver ABAP 148
SAP NW Gateway 200
SAP Policy Management (PM) 90, 104
SAP Portal 148, 193
SAP POS DTA 129
SAP Predictive Analytics 183
SAP Process Control 17
SAP PS 41, 104
SAP query 100
SAP Risk Management 17, 106
SAP standard content 156
SAP Tax Compliance 21
SAPUI5 32
Scoping 94
Security Guide 145
Segregation of duties 40, 70, 75
Segregation of duties risk 86
Selection view 172
Side panel 194
Sizing Guide 145
SoD 86
  Review 88, 89
  Risk analysis 100
  Risk definition 75
  Rule 156
SOX 30, 53
StGB 111

T
Three Lines of Defense (TLoD) 24
TLOGF 130
Tobin’s Quotient 53
Totals information 131
TREX 148
Turnbull Guidance 53

U
UI role in GRC 192
User Access Review 86, 89
User-friendliness 32
UWG 111

W
Walking strategy 202
Web browser 148
Web services 99, 151
Whistleblower 98, 111