This white paper discusses SAP solutions for governance, risk, and compliance (GRC). It outlines the business need for cross-enterprise GRC solutions to manage GRC issues holistically across an organization. SAP's vision is to provide an integrated, automated cross-enterprise GRC solution that supports business processes and functions as well as enterprise application software. The paper describes SAP's evolving GRC products that help organizations realize the value of comprehensive cross-enterprise GRC management.
SAP White Paper
SAP Solutions for Governance, Risk, and Compliance

GOVERNANCE, RISK, AND COMPLIANCE MANAGEMENT: REALIZING THE VALUE OF CROSS-ENTERPRISE SOLUTIONS
EXECUTIVE SUMMARY

Governance, risk, and compliance (GRC) issues are hot topics today, thanks to a myriad of high-profile stories about companies that failed to meet regulatory requirements governing finance, environmental compliance, and other areas. In each case, executives have been held accountable, stock prices have dropped, and brand image has suffered. GRC issues are also a top priority because business leaders increasingly understand that seemingly small operational control weaknesses can significantly impair corporate performance. These obstacles might range from a supplier inventory shortage that impacts revenue, to a faulty or counterfeit product that erodes brand and increases costs, to a leakage of confidential data that damages reputation and creates a compliance liability.

Many companies have responded to regulatory mandates by implementing disconnected, tactical processes and point solutions that address a single regulation or corporate initiative. But these fragmented efforts can make compliance far more costly and complicated than it needs to be. You would need to purchase and deploy multiple GRC applications for each enterprise application and then define risks, set policies, and monitor compliance for each application. At the same time, you need to find a way to manage countless GRC policies, decisions, and GRC data – data that is likely based on different metrics, standards, software, and methodologies. The resulting complexity can make it impossible to aggregate this data to gain a complete view of enterprise risk.

SAP offers a new approach for monitoring, identifying, and managing risk across the enterprise. A true cross-enterprise GRC solution dramatically simplifies management and execution of these activities – making it easy to compile data for a comprehensive perspective on overall exposure, monitor compliance and risk effectively, and adjust business processes to meet changing business and regulatory mandates.

This paper explains SAP’s vision for a cross-enterprise GRC solution and the benefits it can provide, defines key terms, and discusses what to look for when evaluating GRC software options. It also discusses how SAP is evolving the SAP® solutions for governance, risk, and compliance (SAP solutions for GRC) to deliver the industry’s first comprehensive, fully integrated cross-enterprise GRC solution.
THE BUSINESS NEED FOR CROSS-ENTERPRISE GRC SOLUTIONS

Issues related to management of GRC have become top boardroom priorities, thanks to highly publicized corporate scandals and the release of a myriad of regulatory mandates designed to prevent everything from fraud to environmental damage. Most likely, you are keenly aware of the potential costs of noncompliance today. In addition to facing possible fines, your business could face the cost of litigation and remediation, as well as confronting negative impacts on brand, reputation, and market valuation. Equally important, executives at the top can be held personally responsible for compliance failures.

A Definition of GRC
• Governance manages the strategic directives a company wants to follow.
• Risk management assesses the areas of exposure and potential impacts.
• Compliance is the tactical action to mitigate risk.
Source: John Hagerty, AMR Research, April 3, 2006

Many companies have responded to regulatory mandates with a series of disconnected, tactical, one-off projects to respond to a single regulation or corporate initiative. Your business may deploy multiple point solutions to address process control risks within a core financial application, for example. However, while fragmented GRC activities may be the status quo, they are likely costing your business more than you think and more than is necessary. AMR Research reports that compliance spending will reach US$27.3 billion in 2006.¹

Of even greater significance is the fact that fragmented GRC efforts make it impossible to implement a cohesive GRC strategy for monitoring, identifying, and managing risk across the enterprise. This fragmentation – when replicated many times across different business applications and business functions – creates a GRC management nightmare. For each business process or application, you may have one or more different applications to manage it. And for each process and each application, business and IT departments need to define risks, set policies, monitor compliance, manage attestations, address escalations and mitigations, generate reports, and more. Complicating matters further is the fact that departments responsible for different GRC initiatives may use different metrics, standards, software, and methodologies for analyzing risk and compliance information. This makes it difficult to aggregate data, gain a complete view of enterprise risk, effectively monitor compliance and risk, and adjust business processes to meet changing requirements, market trends, and regulatory mandates.

Clearly, fragmented approaches to GRC represent a massive – and costly – duplication of effort that impairs transparency and increases the chance that issues or weaknesses fall through the cracks until a regulatory body identifies them.

Forrester anticipates that “firms will establish risk and compliance architectures, develop risk intelligence, and implement GRC platforms, as well as centralized communication and training on corporate policies and procedures.” Forrester also anticipates the continued evolution of the enterprise role that is responsible for managing GRC.
Source: “Trends 2006: Enterprise Risk and Compliance,” Forrester Research Inc., Michael Rasmussen, December 13, 2005

¹ Source: John Hagerty, AMR Research, “Spending in an Age of Compliance, 2006,” February 21, 2006
THE GOAL: A HOLISTIC APPROACH TO GRC

A fragmented approach to GRC prevents transparency into your business operations and severely limits your ability to use GRC as a strategic asset for your company. To promote transparency, GRC solutions must span multiple business processes. As illustrated in Figure 1, the answer is to implement a single, holistic solution that works with all of the enterprise applications used to support those business processes.

A true cross-enterprise GRC solution delivers key functionality across two dimensions:
• Breadth in terms of business processes or functions covered, such as human resources, finance, customer relationship management, sales, and so on
• Depth in terms of integration with multiple business applications, which may include software from a major vendor, as well as legacy and custom applications

Integration must extend throughout the entire technology stack, from the highest-level enterprise applications down to the data-exchange infrastructure. In addition, all applications that are part of the solution must 1) address GRC issues across all applications and business functions and 2) feed to and from a single, centralized GRC data repository. These two characteristics of cross-enterprise GRC enable you to address a multitude of GRC challenges and result in the following benefits:
• Enterprise-wide risk monitoring – You can monitor risk across all enterprise applications and business functions, deploying one solution, rather than multiple applications that manage only a subset of GRC activities. You can significantly lower the effort and cost of GRC for your company, freeing resources for innovation and top-line growth.

Figure 1: The Breadth and Depth of Cross-Enterprise Solutions. Cross-functional axis (breadth): Hire to Retire, Reconcile to Report, Procure to Pay, Order to Cash, Production to Delivery. Cross-application axis (depth): Legacy, SAP, Oracle.
• Greater transparency – Executives gain greater transparency into business operations across the enterprise, essential to increasing overall GRC effectiveness. Transparency enables you to overcome the effects of fragmentation, such as increased risks, reduced effectiveness of controls, strategic misalignment, and missed opportunities.
• Increased automation – You can automate manual processes, which results in highly repeatable, consistent, and auditable GRC processes. At the same time, automation enables fast, cost-effective reporting that saves time and money and helps ensure that the data you submit to regulatory agencies is reliable and supportable.
• Simplified compliance – You can adjust to regulatory changes easily and speed compliance efforts, which can play a critical role – for example, bringing new products to market faster than the competition.

All of these benefits are made possible by the fact that a true cross-enterprise GRC solution dramatically simplifies management and execution of GRC activities. Whereas before you needed a different application to manage each business process or application, with cross-enterprise GRC, you need only one. Having a single GRC solution means that you need to define risks and set policies once for the entire enterprise. It also means that metrics, standards, software, and methodologies for analyzing risk and compliance information are consistent across the enterprise, making it easy to aggregate data, gain a complete view of enterprise risk, effectively monitor compliance and risk, and adjust business processes to meet changing requirements, market trends, and regulatory mandates.

CROSS-ENTERPRISE GRC SOLUTIONS: A CLOSER LOOK

When evaluating GRC technologies, it’s important to understand the baseline functionality required in a cross-enterprise GRC solution. The solution should provide the following:
• Support for all core business processes and functions
• Support for all major enterprise application software solutions
• Support across the complete IT stack
• Integrated GRC processes
• Automated GRC processes

Support for Business Processes and Functions
To qualify as a true cross-enterprise GRC application, the solution must provide business process controls that address all core business processes in your organization, ranging from the supply chain to finance to operations. Examples include the following.

Reconcile to Report and Financial Close
The leading source of material weakness disclosures relates to controls for the reconcile-to-report process – a process that places a tremendous strain on the accounting staff. In addition, mistakes or delays can cause significant harm to a company’s financial statements and ultimately, its share price.

Errors in financial results are often the result of manual processes and calculations performed in a compressed time frame across multiple locations and groups and a wide variety of enterprise applications. All of these variables create an environment in which it is easy to make simple calculation and data-entry mistakes. These mistakes can easily add up to material problems that require rework or, in the worst case, a financial restatement.

A true cross-enterprise GRC solution automates manual processes with controls in the reconcile-to-report area as much as possible. These controls eliminate the source of most material weaknesses and, as a result, significantly reduce the need for financial restatements. In addition, they free accounting staff to focus on more strategic activities.
Procure to Pay
For most large organizations, procurement activities generate thousands of transactions across multiple enterprise applications each day. This complexity can make it nearly impossible to ensure the validity of procure-to-pay transactions. Lack of automated controls for procure-to-pay processes impairs cash flow and can cause inaccurate account balances related to delivery of low-quality goods, duplicate vendor payments, lost discounts, and improperly valued inventory. An even more serious threat is significant losses due to fraud.

A true cross-enterprise GRC solution addresses these challenges by providing controls throughout the procure-to-pay process that detect or even prevent accidental or malicious activities.

Order to Cash
Optimizing the order-to-cash process is a strategic priority for most companies. Since this process concludes with revenue recognition, it can present a high degree of risk to company management. The risks are magnified when companies have high order volumes from a global customer base, and customers use complex discounting structures and multiple payment terms. Clearly, financial professionals need to implement automated process controls to identify revenue leakage, improper shipping cutoffs, and potentially fraudulent activities.

A true cross-enterprise GRC solution addresses these challenges by providing best-practice controls that safeguard the order-to-cash processes.

Hire to Retire
Ensuring employee information security – while maintaining adequate information transparency for key stakeholders of an organization – requires a robust hire-to-retire process with the appropriate controls needed to achieve both objectives. With a cross-enterprise GRC solution in place, you get best-practice controls that enforce policies and detect or even prevent failures in the hire-to-retire process.

Payroll
Payroll is one of the largest expenditures in many organizations, making it a prime target for fraud. The volume and frequency of payroll transactions create additional risks, such as the likelihood of errors due to complexities in tax regulations, time accounting, and other areas. With a cross-enterprise GRC solution in place, you receive best-practice controls that protect the entire payroll process from accidental or malicious activities.

Production to Delivery
The production-to-delivery process often requires a wide range of cross-industry controls to address issues such as product quality and workplace safety. In addition, there are many industry-specific variations and additions to these horizontal controls, such as enhancements specific to the U.S. Food and Drug Administration in the life sciences industry. A true cross-enterprise GRC solution also delivers controls for this process to ensure that there are no material deviations from regulatory mandates or company policy.

Support Across the Complete IT Stack
Businesses increasingly need controls that extend down to operating system and network layers. For example, to address network and IT security risks related to compliance, you are probably performing manual audits of all devices and IT systems or using point solutions focused on IT or network compliance. In either case, this approach requires addressing regulatory requirements manually and makes it difficult to leverage data between the point solutions. This can be a serious problem given that the reporting requirements for compliance with the Control Objectives for Information and Related Technologies (COBIT) framework alone can diminish IT productivity.

To address these types of risks, you need a holistic cross-enterprise GRC solution that takes into account not only controls for core business processes but also IT controls that extend through all levels of the IT infrastructure – from the operating system and network all the way up to the highest-level business applications. The software that typically monitors and reports on network activity should correlate events to higher-level GRC information so that, for example, sensitive customer information (such as customer credit card numbers) does not pass outside company firewalls.

Support for Enterprise Application Software Solutions
A cross-enterprise GRC solution also needs to provide full support for heterogeneous business applications by providing both multiapplication functionality and cross-application functionality. The following sections explore these terms.

Multiapplication GRC
Multiapplication GRC solutions enable you to define all risks, policies, functions, and controls just once using nontechnical, common business language and to store this data in a central repository for reuse by multiple GRC applications. The solutions automatically map these risks, policies, and functions to all of the underlying business applications, regardless of where they are in the enterprise.

Automated, multiapplication functionality helps you avoid fragmentation of risk analysis, policies, and controls; ensures consistency across the enterprise; and eliminates duplication of effort across applications. For example, you may have three applications that support “create vendor” and “pay vendor” processes. To prevent fraud, you define a rule that no one user can have permission to both create and pay a vendor. Without multiapplication functions in place, you need to deploy a different GRC application to monitor each business application – and define the rule three different times. Given the law of large numbers, having this kind of data scattered across multiple applications eventually results in inconsistencies, errors, and oversights. Also, if you find a violation of a rule, you need to put a mitigating control in place across three different applications – another potential source of oversight, as companies can lose track of which users have what controls, when they expire, and so on. And if management needs visibility across the enterprise with regard to this issue, individual reports from the various GRC applications need to be manually reconciled – a costly and error-prone process.

A multiapplication solution automatically applies the rules to each business application involved in creating and paying vendors. Multiapplication functionality alone, however, does not address the fact that business processes often span multiple applications. To return to our prior example, multiapplication functionality allows you to detect instances when a user has permission to both create and pay a vendor within a single application. But it cannot detect when a user tries to bypass the policy by creating a vendor in one application and paying the vendor in another.

Cross-Application GRC
Only GRC software that offers cross-application functionality can detect cross-application risks. Multiapplication software is gradually evolving into cross-application software that enables you to apply policies and controls across business applications and uncover risks spread across them – the holy grail of GRC.

For example, you may have a business policy stating that purchase orders over a certain amount require management approval. This process control can potentially be sidestepped by employees who submit two purchase orders for lesser amounts across two different applications. To prevent this type of process control failure, you can deploy a cross-application GRC product that includes functionality for monitoring all purchase order activity across all relevant enterprise applications. Centralized business rules can detect a suspicious sequence of purchase orders for an individual and generate an alert to a manager responsible for compliance in the procurement area with the Sarbanes-Oxley Act, who can take immediate action. (In contrast, multiapplication software would only enable you to detect when employees submit two purchase orders within the same application.)

As this example illustrates, end-to-end business processes can touch multiple enterprise applications and departments – and as a result, GRC solutions must be able to identify and manage risk within and across them. You want one GRC solution that enables you to do the following:
• Document and store all rules and policies in a central GRC repository
• Apply these centralized rules and policies across all of your major enterprise applications to identify and analyze risk
• Mitigate and remediate risks from a central GRC solution

Additional Attributes of an Enterprise-Class GRC Solution
In addition to supporting GRC activities across all business processes and applications, a true cross-enterprise GRC solution also delivers the following functionality.

Integrated GRC
A cross-enterprise GRC solution does not treat GRC activities as separate activities but rather addresses them as one integrated solution. Integrated GRC enables you to aggregate data, gain a complete view of enterprise risk, effectively monitor compliance and risk, and adjust business processes to meet changing requirements, market trends, and regulatory mandates. It also simplifies GRC, which reduces costs and the potential for error. And because data is truly integrated, you can more easily link GRC to corporate performance management, strategy setting, and company policies to create reports that are useful to senior management. If this information is fragmented, creating reports that synthesize this data would require repeated linkages dozens of times across different enterprise systems – a costly endeavor.

Automated GRC
True cross-enterprise GRC solutions also automate the bulk of activities that are typically processed manually by most companies today – for example, managing segregation-of-duties information using spreadsheets. Automating the tracking and management of this type of data across the enterprise reduces GRC costs and eliminates countless errors that can lead to major liabilities.
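To make the create-vendor/pay-vendor and split-purchase-order cases from the preceding sections concrete, here is an added Python example; it is not part of the original paper and is not SAP code. Both rules are defined once in a central rule definition and evaluated over constructed permission and purchase-order extracts from several applications. The application names, logins, amounts, dates and the identity mapping are assumptions constructed for the example. The identity mapping stands in for the step a real deployment needs before any cross-application check can work: correlating each application's local logins to one person, since the same employee normally has a different login in each system.

```python
"""Cross-application GRC checks over constructed sample extracts (added example).

Two controls from the text, each stated once in a central rule definition and
evaluated across several applications:
  1. Segregation of duties (SoD): nobody may hold both "create vendor" and
     "pay vendor", even when the two permissions sit in different applications.
  2. Split purchase orders: several POs by one person, each at or below the
     approval threshold, within a short window and together exceeding it,
     even when spread across applications.
Application names, logins, amounts, dates and IDENTITY_MAP are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Central GRC repository: rules stated once, in business terms.
SOD_RULE = {"conflict": ("create_vendor", "pay_vendor")}
SPLIT_PO_RULE = {"approval_threshold": 10_000.00, "window": timedelta(days=3)}

# Assumed identity correlation: (application, local login) -> enterprise person ID.
IDENTITY_MAP = {
    ("SAP", "JSMITH"): "P001",
    ("ORACLE", "jsmith2"): "P001",
    ("PEOPLESOFT", "smithj"): "P001",
    ("SAP", "AWONG"): "P002",
    ("ORACLE", "awong"): "P002",
}

# Constructed permission extracts: (application, login, business function).
PERMISSIONS = [
    ("SAP", "JSMITH", "create_vendor"),
    ("ORACLE", "jsmith2", "pay_vendor"),   # conflict visible only across applications
    ("SAP", "AWONG", "create_vendor"),
    ("ORACLE", "awong", "create_vendor"),  # same function twice is not a conflict
]

# Constructed purchase-order extracts: (application, login, PO number, date, amount).
PURCHASE_ORDERS = [
    ("SAP", "JSMITH", "4500001", datetime(2006, 3, 1, 9, 0), 6_000.00),
    ("PEOPLESOFT", "smithj", "PO-778", datetime(2006, 3, 2, 14, 0), 5_500.00),
    ("ORACLE", "awong", "88123", datetime(2006, 3, 1, 10, 0), 4_000.00),
    ("ORACLE", "awong", "88130", datetime(2006, 3, 20, 10, 0), 7_000.00),  # outside window
]


def resolve_person(app, login):
    """Map an application-local login to the enterprise person ID. Unmapped
    logins get a synthetic ID so they are still reported rather than dropped."""
    return IDENTITY_MAP.get((app, login), f"UNMAPPED:{app}:{login}")


def find_sod_conflicts(permissions, rule=SOD_RULE, cross_application=True):
    """Return {person: {function: [applications]}} for every person holding both
    conflicting functions. With cross_application=False the check behaves like
    the multiapplication software described in the text: it fires only when both
    functions are granted inside the same application."""
    held = defaultdict(lambda: defaultdict(set))
    for app, login, function in permissions:
        held[resolve_person(app, login)][function].add(app)
    f1, f2 = rule["conflict"]
    conflicts = {}
    for person, funcs in held.items():
        apps1, apps2 = funcs.get(f1, set()), funcs.get(f2, set())
        hit = bool(apps1 and apps2) if cross_application else bool(apps1 & apps2)
        if hit:
            conflicts[person] = {f1: sorted(apps1), f2: sorted(apps2)}
    return conflicts


def find_split_purchase_orders(orders, rule=SPLIT_PO_RULE):
    """Return {person: [(application, PO number, amount), ...]} for the first group
    of below-approval POs per person that fall within the rule's window and
    together exceed the approval threshold."""
    threshold, window = rule["approval_threshold"], rule["window"]
    by_person = defaultdict(list)
    for app, login, po_id, when, amount in orders:
        if amount <= threshold:  # larger POs already required approval
            by_person[resolve_person(app, login)].append((when, app, po_id, amount))
    findings = {}
    for person, pos in by_person.items():
        pos.sort()  # chronological; the window is measured from each PO forward
        for i, (start, _, _, _) in enumerate(pos):
            group = [p for p in pos[i:] if p[0] - start <= window]
            if len(group) > 1 and sum(p[3] for p in group) > threshold:
                findings[person] = [(app, po_id, amt) for _, app, po_id, amt in group]
                break
    return findings


if __name__ == "__main__":
    print("SoD, cross-application:", find_sod_conflicts(PERMISSIONS))
    print("SoD, per application only:", find_sod_conflicts(PERMISSIONS, cross_application=False))
    print("Split purchase orders:", find_split_purchase_orders(PURCHASE_ORDERS))
```

The `cross_application=False` call reproduces the multiapplication-only view described above and finds nothing, because the two conflicting permissions sit in different applications; the default call reports them as one person's conflict. A login that the identity map cannot resolve is reported under a synthetic UNMAPPED ID rather than silently dropped, since an incomplete identity map is itself a finding an auditor would want to see.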
Defining Single-, Multi-, and Cross-Application Software
The GRC software industry is relatively new and, in many ways, has been playing catch-up with the needs of businesses seeking to comply with regulatory mandates in an effective, cost-efficient manner. As illustrated in Figure 2, software products are continuing to evolve from “siloed” GRC applications that focus on only one enterprise application to those that enable cross-application management.

Figure 2: The Evolution of GRC Applications. Three panels: Single Application (one GRC application and its rules for a single application, e.g., SAP); Multiapplication (one GRC application with rules for multiple applications: SAP, Oracle, PeopleSoft, ...); Cross-Application (one GRC application applying its rules across multiple applications: SAP, Oracle, PeopleSoft, ...).
SAP SOLUTIONS FOR GOVERNANCE, RISK, AND COMPLIANCE

SAP has recognized the need for cross-enterprise GRC applications and has deepened its own GRC domain expertise by investing in SAP® solutions for governance, risk, and compliance (SAP solutions for GRC) and a robust, industry-leading GRC partner ecosystem. These solutions will enable you to achieve the goal of managing GRC across your enterprise and even across your extended business landscape – and do so with confidence.

SAP solutions for GRC make up an integrated portfolio of applications that embed and optimize all GRC activities to overcome the problems caused by business fragmentation and disjointed approaches to GRC management. These solutions are powered by the SAP NetWeaver® platform, which provides a common technical foundation that integrates with the mySAP™ Business Suite applications and with third-party applications. They can leverage information within your existing business applications to evaluate risk and apply controls directly within business processes. This results in greater transparency and predictability, enabling you to improve GRC activities – and overall enterprise performance.

SAP solutions for GRC are based on the concept that business processes are not contained within a single application or silo function of a business. Instead, they cut across an entire corporation or distributed value chain. This means that SAP solutions for GRC have to function reliably outside a single application and across a complex business network. The complexity of the network requires that SAP solutions for GRC must be increasingly adaptable and flexible to work in any heterogeneous environment. Key applications are described in the table that follows.

SAP® PRODUCT – DESCRIPTION

SAP GRC Access Control application
This application for monitoring, testing, and enforcing access and authentication controls across the enterprise addresses compliant-resource provisioning and ensures proper segregation of duties at all times. It is designed to help organizations with duty segregation and application-access management, a fundamental requirement of many regulations (including Sarbanes-Oxley in the United States, the Combined Code in the United Kingdom, and KonTraG in Germany). The application enables businesses to rapidly identify and remove access and authorization risk from IT systems and embed preventive controls into business processes that stop future violations from occurring.

SAP GRC Process Control application
This cross-enterprise control management application for compliance with Sarbanes-Oxley supports frameworks such as Committee of Sponsoring Organizations of the Treadway Commission (COSO) and Control Objectives for Information and Related Technologies (COBIT). The software deploys configurable, prebuilt, and custom-automated control tests across multiple target systems. It delivers workflows and templates for manual control tests, self-assessment surveys, and certification.

SAP GRC Risk Management application
This application automates collaborative process management for enterprise risk planning, identification, analysis, response, and monitoring. The software graphically depicts risk profiles and proactively alerts management regarding high-impact and high-probability issues.

SAP GRC Repository application
This central system of record for GRC content includes corporate policies, compliance and control frameworks, and risk and control libraries. SAP GRC Repository currently comes as part of all SAP solutions for GRC at no additional fee.

SAP Global Trade Services application
This application enables secure, expedited, cross-border trade transactions that comply with trade export and import regulations, restricted-party-list screening, and regional customs-reporting mandates. It works across all enterprise applications that support cross-border transactions.

SAP Environment, Health & Safety application
This application tracks compliance with multiple environment, health, and safety (EH&S) regulations relating to waste management, dangerous goods, product safety, hazardous substances, industrial hygiene and safety, and occupational health.

SAP xApp™ Emissions Management composite application
This composite application tracks compliance with global and regional emissions regulations, such as the Kyoto Protocol and the U.S. Clean Air Act, for the chemicals, oil and gas, and mining industries.

SAP solution for environmental product compliance
This automated environmental-product-compliance software is a joint offering from SAP and TechniData that addresses products regulated by mandates such as the restriction of the use of certain hazardous substances (RoHS) and waste electrical and electronic equipment (WEEE) directives.
SAP Solutions for GRC, Cisco SONA–Ready
SAP and Cisco Systems Inc. have partnered to deliver a joint set of solutions based on enterprise service-oriented architecture (enterprise SOA) that allow you to address GRC needs across the enterprise in a holistic, nonintrusive, flexible, and cost-effective way. This approach leverages SAP solutions for GRC and the intelligent network delivered by Cisco Service-Oriented Network Architecture (SONA), Cisco’s leading network architecture. SAP solutions for GRC provide the business context for GRC needs across the enterprise – that is, the specific GRC-related policies you have identified that are important to your business. Cisco SONA expands the reach of SAP solutions for GRC into the extended enterprise, beyond the borders of packaged enterprise applications and into the landscape of physical and infrastructure risk.

SAP solutions for GRC give you the visibility needed to move away from reacting to business risks and events and toward improving business predictability and performance. These solutions provide business content to correctly interpret and respond to the events detected and tracked by Cisco SONA. Cisco SONA can then aggregate, normalize, and act upon business and IT events with the appropriate business context for your organization and across existing geographies and organizations.

The Foundation for Cross-Enterprise GRC
Both SAP and Cisco have built their solutions using a standards-based SOA, making it easy to integrate corporate GRC policies and processes into your existing operations and heterogeneous IT systems. In addition, this lays the ideal foundation for creating and deploying composite applications to drive specialized GRC processes. Composite applications span multiple solutions, departments, and organizations to leverage existing systems and ease future integration. They also allow quick reconfiguration to accommodate new business structures, processes, and partner requirements.

SAP and Cisco are developing a growing portfolio of prebuilt composite applications to address customers’ critical business process issues. These predelivered composite applications for GRC leverage SOA to address the most common challenges around GRC, such as network and IT security, data privacy and protection, and service-level compliance. They are also unique because they are network-aware composite applications, resulting in more powerful and farther-reaching functionality than is possible with traditional composite applications.
EVOLVING SAP SOFTWARE INTO CROSS-ENTERPRISE PRODUCTS

Forward-looking customers are engaging with vendors such as SAP that have committed to a holistic GRC vision. SAP is evolving its SAP solutions for GRC into cross-application and cross-functional products that support cross-enterprise GRC management and transparency. As illustrated in the tables that follow, SAP solutions for GRC support both breadth and depth.

SAP GRC Access Control
The following table describes the cross-application functionalities of the SAP GRC Access Control application across various business processes and functions. It lists the out-of-the-box process coverage for access risk provided by SAP GRC Access Control.

SAP® GRC ACCESS CONTROL – A CROSS-ENTERPRISE APPLICATION (out-of-the-box access-risk coverage by target application)

SAP: HR; procure to pay; order to cash; finance (general accounting, project systems, fixed assets); Basis, security, and system administration; materials management; SAP Advanced Planning & Optimization; mySAP™ Supplier Relationship Management; mySAP Customer Relationship Management; consolidations

Oracle: HR; procure to pay; order to cash; finance (general accounting, project systems, fixed assets); system administration

PeopleSoft: HR; procure to pay; order to cash; finance (general accounting, fixed assets); system administration

JD Edwards: HR/payroll; procure to pay; order to cash; finance (general accounting); consolidations

Hyperion: custom rules
SAP GRC Process Control
The SAP GRC Process Control application deploys configurable, automated controls for key business processes – and even supports custom controls unique to your company. Examples of processes supported by SAP GRC Process Control include the following:

• Procure to pay: Predelivered controls ensure control effectiveness and efficiency for purchasing, inventory, accounts payable, and legacy applications. Examples of these controls include the following:

EXAMPLES OF PROCURE-TO-PAY CONTROLS (SAP® GRC Process Control – Control Objective)
Identify split purchase orders – Ensure proper authorization of purchase orders
Match receipts to purchase orders – Ensure accuracy of transactions and prevent overpayments for underdelivery
Identify duplicate vendors – Prevent duplicate payments and fraud

• Order to cash: Predelivered controls ensure control effectiveness and efficiency for order management, inventory, accounts receivable, general ledger, and legacy applications. Examples of these controls include the following:

EXAMPLES OF ORDER-TO-CASH CONTROLS (SAP® GRC Process Control – Control Objective)
Monitor price changes – Ensure proper, authorized pricing on sales invoices
Match billing and shipping documents – Identify variances between quantity and price to ensure valid and accurate revenue recognition
Monitor excessive write-offs – Ensure validity of write-offs and prevent undue losses

• Reconcile to report: Predelivered, automated controls for subledgers, general ledgers, and consolidation systems eliminate manual controls, streamline the financial close process, and help ensure the accuracy of financial results. Examples of these controls include the following:

EXAMPLES OF RECONCILE-TO-REPORT CONTROLS (SAP® GRC Process Control – Control Objective)
Identify split purchase orders – Ensure proper authorization of purchase orders
Match receipts to purchase orders – Ensure accuracy of transactions and prevent overpayments for underdelivery
Identify duplicate vendors – Prevent duplicate payments and fraud

In addition to providing process-level support across the enterprise, SAP GRC Process Control addresses risks across various functions and applications. Examples of the software’s cross-functional support are illustrated in the following table:

CROSS-ENTERPRISE SAP® GRC PROCESS CONTROL
SAP: finance and controlling; purchasing; accounts receivable; accounts payable; inventory; order management; Basis, security, and system administration
Oracle: general ledger; global consolidation system; order management; accounts payable; accounts receivable; inventory
FOR MORE INFORMATION

The SAP approach to GRC and the solution portfolio provides the framework and the software solutions to help you build your GRC architecture step-by-step, leveraging your existing IT investments in SAP software and other technologies. SAP’s business process expertise, industry knowledge, and global presence attract a continuously growing partner ecosystem. In combination, SAP and its partners deliver a comprehensive and integrated GRC solution portfolio unmatched by any single vendor in the market.

To learn more about how SAP can help you with your GRC strategy and reap the benefits of an integrated GRC approach, please call your SAP representative today or visit us on the Web at www.sap.com/grc.

POWERED BY SAP NetWeaver

SAP solutions for GRC are powered by the SAP NetWeaver platform. SAP NetWeaver unifies technology components into a single platform, providing the best way to integrate all systems running SAP or non-SAP software. SAP NetWeaver also helps organizations align IT with their business. As the foundation for enterprise service-oriented architecture (enterprise SOA), SAP NetWeaver allows organizations to compose and enhance business applications rapidly to drive business change.