ISACA Monterrey
1. What is GRC
2. It's All About Risk
3. Getting Started
4. Common GRC tools
• SAP GRC
• Oracle GRC
• Accelus
• Openpages
• RSA Archer eGRC
Governance
- Strategy
- Goals and objectives
- Policies and procedures
- Structures and processes

Risk Management
- Identify risks
- Risk analysis
- Risk profiles
- Risk monitoring
- Achievement of objectives

Compliance
- Comply with policy and procedures
- Laws and regulations
- Controls
- Activities

Governance:
• Manages the risks to the execution of the company strategy as well as the risks from the chosen strategy

Risk management:
• Determines the areas exposed to potential risks

Compliance:
• Is the tactical action to mitigate risk
GRC promotes the unification of criteria and the coordination of effort and collaboration among the different actors involved in directing the organization, through:

Comptroller
• Comprehensive risk management
• Effective and efficient internal control environment

Customer Relationship / Relations with suppliers
• Clear vision of market trends and needs
• Scheduled and timely delivery

Internal Audit
• Audit plan aligned to the objectives of the organization
• Efficient audit programs
GRC Benefits for CFO
• Reduced time and cost for audits
• Quick and easy validation of compliance standards
• Reducing risk and increasing confidence in financial reporting
• Improved decision-making process through real-time diagnostics (continuous monitoring)
• Improved process of remediation and risk management

GRC Benefits for CIO
• Management by exception, reducing time and costs incurred in compliance
• Less effort to respond to the compliance needs of business areas and internal audit
• Timely and accurate business operations
• Acceleration of the user provisioning process, ensuring data security
• Generation of internal control guidelines in the organizational culture

GRC Benefits for CAE
• Quick identification of potential issues due to a rapid authorization flow, giving greater visibility within the organization
• Reduced run times of audit plans through self-managed reports and evidence centralized online
• Improved coordination and utilization of area resources
Our GRC approach focuses on maintaining the right balance between risk and reward. An
effective risk management program focuses simultaneously on value protection and value
creation. We call an organization that has attained this advanced state of risk management
capability a “Risk Intelligent Enterprise™.”
Deloitte's Nine Principles for building a Risk Intelligent Enterprise™

Risk management capability maturity: Initial, Fragmented, Top down, Integrated, Risk Intelligent

First principle: Common Definition of Risk

Getting started, first stage:
• Details of activities
• Definition of policies and rules
• Use of best practices
• Creation of processes that are new to the client
• Key stakeholders
• Frameworks included: OCEG (Open Compliance & Ethics Group), GRC Model (Red Book), COSO, CoBIT, ERM, CPMC

Getting started, second stage:
• Refine, revise
• Finalize policies, procedures and processes
• Cultural change and adoption!

© 2013 Galaz, Yamazaki, Ruiz Urquiza, S.C.
Technology to Enable GRC
IT Infrastructure
Although the tool is the enabler, understand the features and functions of your tool
BEFORE you start on this journey.
• Better questions
• Easier upload
• More integrated
• Take advantage of what you have
• Understand the journey you are on
SAP GRC
Access Control: Segregation of duties, automated user provisioning, management of super users, roles and profiles
Process Control: Comprehensive management to document, test, monitor and certify the company's internal control
Risk Management
Global Trade Services: Risk management globally (imports and exports)
Environment, Health, and Safety Management: Environmental and safety regulations
SAP Business Objects

Access Control features:
• Indicators to monitor segregation of duties conflicts and to document compensating controls
• Preventive segregation of duties analysis before access is created
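The two Access Control features just listed, detective monitoring of segregation-of-duties (SoD) conflicts with compensating controls documented against them, and a preventive SoD analysis run before a role is granted, can be reduced to a small rule engine. The following is an added example written for this page, not SAP code; the SoD rule set, role catalogue, user assignments and compensating-control register are constructed sample data, and the function names are my own.

```python
"""Segregation-of-duties (SoD) checks of the kind an ERP access-control
module runs: detective monitoring of users whose combined roles violate an
SoD rule (with any documented compensating control attached), and the same
rule set applied preventively before a new role is granted. Added example,
not SAP code; rules, roles, users and compensating controls are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Conflict = Tuple[str, str]

# Constructed SoD rule set: pairs of business functions one person must not
# hold together, with the risk rating the control owner assigned.
SOD_RULES: Dict[Conflict, str] = {
    ("create_vendor", "approve_payment"): "high",
    ("post_journal", "approve_journal"): "high",
    ("maintain_user", "assign_role"): "medium",
}

# Constructed role catalogue: each role bundles several functions.
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "GL_ACCOUNTANT": {"post_journal"},
    "GL_SUPERVISOR": {"approve_journal"},
    "SEC_ADMIN": {"maintain_user", "assign_role"},
}

# Constructed user-to-role assignments as pulled from the application.
ASSIGNMENTS: Dict[str, List[str]] = {
    "alice": ["AP_CLERK", "AP_MANAGER"],
    "bob": ["GL_ACCOUNTANT"],
    "carol": ["SEC_ADMIN"],
}

# Constructed register of compensating controls accepted for known conflicts.
COMPENSATING_CONTROLS: Dict[Tuple[str, Conflict], str] = {
    ("alice", ("create_vendor", "approve_payment")): "monthly vendor-master review by controller",
}


@dataclass
class Finding:
    user: str
    conflict: Conflict
    risk: str
    via_roles: Tuple[str, ...]
    compensating_control: Optional[str] = None

    def mitigated(self) -> bool:
        return self.compensating_control is not None


def functions_of(roles):
    """Map each function the roles grant to the roles that grant it."""
    granted: Dict[str, Set[str]] = {}
    for role in roles:
        for fn in ROLE_FUNCTIONS.get(role, set()):
            granted.setdefault(fn, set()).add(role)
    return granted


def sod_conflicts(roles):
    """Every SoD rule the combined roles violate, with the roles involved."""
    granted = functions_of(roles)
    hits = []
    for (a, b), risk in SOD_RULES.items():
        if a in granted and b in granted:
            hits.append(((a, b), risk, tuple(sorted(granted[a] | granted[b]))))
    return hits


def monitor(assignments):
    """Detective control: findings for all users, compensating controls attached."""
    findings = []
    for user, roles in assignments.items():
        for conflict, risk, via in sod_conflicts(roles):
            cc = COMPENSATING_CONTROLS.get((user, conflict))
            findings.append(Finding(user, conflict, risk, via, cc))
    return findings


def preventive_check(current_roles, new_role):
    """Preventive control: conflicts that granting new_role would introduce."""
    existing = {c for c, _, _ in sod_conflicts(current_roles)}
    return [(c, risk) for c, risk, _ in sod_conflicts(list(current_roles) + [new_role])
            if c not in existing]


if __name__ == "__main__":
    for f in monitor(ASSIGNMENTS):
        status = "mitigated: " + f.compensating_control if f.mitigated() else "OPEN"
        print(f"{f.user}: {f.conflict} [{f.risk}] via {f.via_roles} -> {status}")
    print("grant GL_SUPERVISOR to bob:", preventive_check(ASSIGNMENTS["bob"], "GL_SUPERVISOR"))
```

Two details matter in practice and are deliberately visible here: a conflict can arise inside a single role (carol's SEC_ADMIN role carries both sides of a rule, so reviewing role pairs alone would miss it), and the preventive check reports only conflicts the new grant would add, so an already-documented conflict with a compensating control does not block unrelated provisioning.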
Key Benefits
• Supports internal control areas, internal and external audit, and the review of process controls and risks
• Scalable support of corporate internal control and compliance programs
• Improves performance through the identification, prioritization and focus on key risk areas
• Achieves real-time visibility of all compliance activities and internal control
• Protects business value with continuous monitoring, automated controls and robust policies
• Accelerates audit cycles and reduces the cost of compliance with automation
• Analyzes failures and proactively monitors control and remediation
Oracle GRC
Oracle GRC Platform consists of three major components: GRC Intelligence, GRC Manager, and GRC Controls. Together, GRC Intelligence and the eGRC Manager enable cross-enterprise integrated risk and compliance management.

GRC Intelligence:
• Visibility into compliance readiness and responsiveness
• Risk and performance analytics and dashboarding
• Planning, modeling, reporting, and analysis of GRC activities

GRC Manager:
• Central GRC repository
• Documentation of critical business policies, processes, controls, risks, and issues
• Test plans and performance of control tests
• Automatic initiation of testing review and approval processes
• Capture and storage of test evidence
Key Benefits
Governance Risk and Compliance

Soft Benefits
• Avoid the pain of returning to significant deficiency or material weakness disclosure
• Easier to detect fraud and respond quicker
• Quality and reliability of Oracle generated audit reporting inherently more credible
• Allows shift of ownership for access decisions from IT to Business Management
• Enhanced security restrictions
• Ability to identify and prevent segregation of duty violations and to enforce segregation of duties compliance
• Manage by exception; reduce time and cost of compliance
• Improved support of Internal Audit and LOB compliance needs with less effort
• Consistent environments, full audit trail of changes, easier migration/upgrade
• Better decision making armed with real-time diagnostics due to timely and accurate information
• Free up resources and time for core value-add activities; enhanced morale of finance staff
• Faster information flow and better visibility for quicker identification of potential issues
• Better utilization of audit resources and coordinated efforts
• Fewer duplicate payments
• Reduce/eliminate duplicate vendors and customers,…
• Ability to identify and track changes to configurations; catch unexpected setup changes before going live

Measurable Benefits
Cost Reduction
• Less internal / external audit costs related to security
• Less help desk resources to provision security and resets
• Consultant fees for form / workflow customization
• Post-implementation remediation / rework
• Form customization / workflow consulting
• Configuration change management
Time Reduction
• Time spent on design/build/test/maintaining compliant security roles
• Time spent testing authorization manager approvals
• Time spent validating compliance
• Time spent on Sarbanes-Oxley, SOD, or any other initiative testing
• Time spent conducting management review of access
• Time to respond to user provisioning requests
• Reduced audit time and efforts through self-service reporting and online centralized evidence

Costs
• Resources required for the implementation
• Hardware assumed under ERP infrastructure
• Software license and maintenance costs
• Implementation team
• Upgrade costs
GRC Manager & Intelligence
Capability: Manages GRC processes, integrating robust process management capabilities; captures internal and external performance metrics quickly and accurately; fact-based continuous improvement.
Benefit: Central repository of business policies, processes, controls, risks and issues; reduction in the cost of proving risk and compliance effectiveness across the enterprise.

Configuration Controls
Capability: Lock down and monitor critical application setups against corporate standards.
Benefit: Deliver a complete audit trail (When, Who, What and Why) for changes to key configurations.

Transaction Controls
Capability: Continuously monitor for fraud and errors in business transactions.
Benefit: Ensure accuracy, test against thresholds and search for anomalies.

Preventive Controls
Capability: Deploy preventive UI controls on risky transactions and configurations.
Benefit: Proactively restrict access to sensitive data and route key changes for approval.

Predefined Content for P2P and O2C
Capability: Pre-built business objects that represent key business entities across processes and system administrator setups.
Benefit: Reusable, business-user-friendly terms to author new objects based on policies.

Pre-built Connector to EBS and PSFT
Capability: Includes the ETL adapter plus hundreds of meta-data object mappings to EBS and PSFT transactional and setup tables.
Benefit: Enables customers to build their own adapters using easy-to-understand business objects (meta-data) out of the box.
Oracle GRC Controls provide the opportunity to deploy automated continuous monitoring.
Application Access Controls Governor
Client problem: Clients are unsatisfied with the current state of application data access and security.
Solution: Automate the SOD/access life cycle: detection, analysis, remediation, deployment of preventive controls, and compensating controls to accommodate dynamic business requirements.

Configuration Controls Governor
Client problem: Clients have ineffective controls around system integrity and security.
Solution: Design and implement configuration controls on field value changes, action buttons, and sensitive data based on company policy and risk appetite.

Transaction Controls Governor
Client problem: Clients have trouble monitoring controls to prevent error and fraud from happening.
Solution: Design and implement automated transaction controls to validate application and system control effectiveness, identify suspect transactions, and route them to process owners for visibility before material issues arise.

Preventive Controls Governor
Client problem: Clients struggle with master data maintenance. Data privacy and protection of sensitive data often require extensive application customization.
Solution: Design and configure policy-based access to field data within the application to enforce mandatory fields, as well as address data privacy and protection of sensitive data.
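The configuration and transaction controls described in the two Oracle tables above (lock down setups against a corporate standard with a When/Who/What/Why audit trail; test transactions against thresholds, search for anomalies such as duplicate payments, and route suspects to a process owner) come down to comparing live data with a baseline and a rule set. The following is an added example written for this page, not Oracle code; the baseline, live setups, change log, payment run and owner routing are constructed sample data, and all function names are my own.

```python
"""Continuous control monitoring in the style the Oracle GRC Controls
tables describe: a configuration control compares live application setups
with a corporate baseline and attributes each deviation (when, who, what,
why) from a change log; a transaction control tests payments against a
threshold and searches for duplicate-payment anomalies, routing each
suspect to a process owner. Added example, not Oracle code; every setup,
change-log entry, payment and owner below is constructed sample data."""
from dataclasses import dataclass

# Corporate baseline for the accounts-payable (AP) setups (constructed).
BASELINE = {
    "ap.three_way_match": "required",
    "ap.approval_limit": "10000",
    "ap.allow_duplicate_invoice": "no",
}

# Live setups as read from the application (constructed): two have drifted.
CURRENT_SETUP = {
    "ap.three_way_match": "required",
    "ap.approval_limit": "25000",
    "ap.allow_duplicate_invoice": "yes",
}

# Application change log (constructed): setting, new value, who, when, why.
# Note there is no record at all for the approval-limit change.
CHANGE_LOG = [
    ("ap.approval_limit", "10000", "sysadmin", "2013-03-01T09:00", "initial load"),
    ("ap.allow_duplicate_invoice", "yes", "jdoe", "2013-03-14T18:42", ""),
]


@dataclass
class ConfigDeviation:
    setting: str
    expected: str
    actual: str
    who: str
    when: str
    why: str

    def untracked(self) -> bool:
        """True when no change-log entry explains the current value."""
        return self.who == "unknown"

    def unjustified(self) -> bool:
        """True when the change was logged without a business reason."""
        return not self.why


def config_deviations(baseline, current, change_log):
    """Compare live setups with the baseline; attribute each deviation."""
    deviations = []
    for setting, expected in baseline.items():
        actual = current.get(setting, "<missing>")
        if actual == expected:
            continue
        # Latest log entry that produced the current value, if any.
        who, when, why = "unknown", "unknown", ""
        for s, value, by, at, reason in change_log:
            if s == setting and value == actual:
                who, when, why = by, at, reason
        deviations.append(ConfigDeviation(setting, expected, actual, who, when, why))
    return deviations


# Constructed AP payment run: P2 repeats P1, P3 exceeds the limit unapproved.
PAYMENTS = [
    {"id": "P1", "vendor": "V100", "invoice": "INV-7", "amount": 4200.0, "approved_by": "mgr1"},
    {"id": "P2", "vendor": "V100", "invoice": "INV-7", "amount": 4200.0, "approved_by": "mgr1"},
    {"id": "P3", "vendor": "V200", "invoice": "INV-9", "amount": 15000.0, "approved_by": None},
    {"id": "P4", "vendor": "V300", "invoice": "INV-2", "amount": 900.0, "approved_by": None},
]

# Which process owner each kind of exception is routed to (constructed).
PROCESS_OWNERS = {"duplicate_payment": "ap.manager", "unapproved_over_limit": "controller"}


def transaction_exceptions(payments, approval_limit):
    """Return (payment id, rule, owner) for every payment that trips a rule."""
    seen = set()
    exceptions = []
    for p in payments:
        rules = []
        key = (p["vendor"], p["invoice"], p["amount"])
        if key in seen:
            rules.append("duplicate_payment")
        seen.add(key)
        if p["amount"] > approval_limit and not p["approved_by"]:
            rules.append("unapproved_over_limit")
        exceptions.extend((p["id"], r, PROCESS_OWNERS[r]) for r in rules)
    return exceptions


if __name__ == "__main__":
    for d in config_deviations(BASELINE, CURRENT_SETUP, CHANGE_LOG):
        flag = "UNTRACKED" if d.untracked() else ("NO REASON" if d.unjustified() else "ok")
        print(f"{d.setting}: expected {d.expected}, found {d.actual} (by {d.who} at {d.when}) {flag}")
    # The threshold comes from the baseline, not from the drifted live setting.
    for pid, rule, owner in transaction_exceptions(PAYMENTS, float(BASELINE["ap.approval_limit"])):
        print(f"{pid}: {rule} -> routed to {owner}")
```

The design point is that the transaction control reads its threshold from the corporate baseline rather than from the live application setting: otherwise the untracked change that raised the approval limit to 25,000 would silently make P3 look compliant, and the two controls would no longer corroborate each other.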
Built to handle the diverse requirements of internal audit, internal controls management, risk management, policy management, legal, and compliance professionals, the Thomson Reuters Accelus suite of products provides solutions for documentation and workflow, regulatory news and information, global compliance screening, board management, and regulatory disclosure.

Thomson Reuters Accelus products: Compliance Manager; Accelus Solution Sets
OpenPages is an integrated governance, risk and compliance platform that enables companies to manage risk and regulatory challenges across the enterprise. It provides a set of core services and functional components that span risk and compliance domains, including operational risk, policy and compliance, financial controls management, IT governance and internal audit.
IT Governance
• Build and maintain a sustainable IT risk and compliance approach to meet the challenges posed by sensitive data, managing technology assets, and evolving regulatory requirements

Policy and Compliance Management
• Consolidate the policy and compliance management process in a single solution and manage regulatory change and regulator interaction

Financial Controls Management
• Automate the financial controls management process to address reporting requirements introduced by Sarbanes-Oxley and similar global mandates

Operational Risk Management
• Identify, manage, monitor, and analyze operational risk across the enterprise in a single integrated solution

GRC Platform
• Unprecedented insight into enterprise-wide risk and compliance activities

Internal Audit Management
• Enable internal auditors to automate and manage intraorganizational audits and leverage broader risk and compliance management activities
RSA Archer eGRC solutions allow you to build an efficient, collaborative enterprise governance, risk and compliance (eGRC) program across IT, finance, operations and legal domains. With RSA Archer eGRC, you can manage risks, demonstrate compliance, automate business processes, and gain visibility into corporate risk and security controls.

RSA Archer solutions:
• RSA Archer Policy Management
• RSA Archer Audit Management
• RSA Archer Risk Management
Deloitte provides audit, tax, consulting and financial advisory services to public and private clients in a range of industries. With a global network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to its clients, contributing the experience needed to address the most complex business challenges. It has around 200,000 professionals, all committed to being the standard of excellence.

As used in this document, "Deloitte" means Galaz, Yamazaki, Ruiz Urquiza, S.C., which has the exclusive legal right to engage in, and limits its business to, the provision of audit, tax consulting, financial advisory and other professional services in Mexico, under the name "Deloitte".

This publication contains general information only, and neither Deloitte Touche Tohmatsu Limited, nor its member firms, nor any of their respective affiliates (collectively the "Deloitte Network") provides advice or services by means of this publication. Before making any decision or taking any action that may affect your finances or business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be liable for any loss sustained by any person or entity that relies on this publication.