Risk Assurance SAP controls study

Transcription

1 Risk Assurance SAP controls study

2 Foreword The last few years have brought an increased focus on risk management and controls. Recent headlines and legislation have put compliance under the spotlight. Regulators and stakeholders (i.e.. customers, vendors, lenders, rating agencies, etc..) have increased their focus on the control environment and ability to manage risk. Corporate boards are strategically pursuing risk management progress while integrating risk and internal control with more traditional performance measurements and rewards. This emphasis has put even more pressure on organizations to effectively manage change while leveraging technology to deliver control. The implementation or significant upgrade of an SAP system is accompanied by significant organizational, process, and technological changes, each of which introduces a number of risks and challenges to be managed or mitigated. An SAP implementation or upgrade is often a large, complex project, with high visibility and high stakes for the organization. While management of these organizations generally recognizes the importance of internal control to the success of their organization, there is a broad array of approaches taken to incorporate this focus on risk and internal control into the implementation or upgrade effort. To better understand organizations awareness and how they are managing these issues, PwC conducted an SAP controls study via and the internet. The study, conducted during 2012, generated 88 responses, of which 83 were from SAP users. Among other data, the survey focused on how risk and controls aspects are integrated into the project effort, identified impacts of the project, usage of GRC technology, and lessons learned. We noted several themes and trends in the way companies are dealing with risk and control relative to their SAP projects and environments as outlined in the following highlights: 2

3 Foreword (continued) Controls integration workstream Importantly, two-thirds (66 percent) of SAP software users reported having a controls integration workstream as part of their most recent SAP software implementation or technical upgrade. Typical controls integration cost was -3% of total project costs (36 percent), or in the 4%-7% range (18 percent). Controls integration was involved in all project phases, from Blueprint (60 percent), Design (87 percent), Test (95 percent), Go Live (87 percent), to Past Go Live (78 percent). A higher proportion of these companies controls were automated after the SAP project implementation or technical upgrade rising from a median 14.8 percent prior to a median of 26.4 after the SAP project. Impact of the SAP project Two-thirds (67 percent) of SAP software users surveyed believe that their investment in SAP resulted in an improvement in their overall control environment. Only 16 percent disagreed, while another 17 percent were not certain. A median savings of 13.0 percent was reported by the 39 percent of SAP users who have seen a savings. Significantly, more than half (58 percent) of these SAP software users reported that their company had not seen a savings in its controls and compliance efforts due to the SAP project. Primary responsibility Two functions, internal audit (65 percent) and security and controls teams (67 percent), are primarily responsible for identifying and monitoring of SAP related controls. What would you do differently? Respondents clearly had a desire for more automated controls. Many also expressed the importance of considering controls in the initial phase of their SAP projects to reduce the need to add them in after the fact. Leveraging GRC Technologies The majority (54 percent) of these SAP software users report currently leveraging GRC technologies (47 percent) and/or other compliance tools (18 percent). Most typically used is the GRC AC (34 percent). Background: SAP usage The version of SAP software these companies are using is primarily ECC 6.0 (76 percent). The majority of these SAP users (58 percent) have more than 2,000 SAP software users in their companies. A high proportion (81 percent) had their last SAP software implementation or technical upgrade recently, over the past 0-2 years. Most recent SAP project Two-thirds (66 percent) of the most recent SAP software projects were an implementation, and one-third (33 percent) involved a technical upgrade. One-in-five of these technical upgrades (6 percent of total) involved redesigning or enhancing significant business processes. Note: Total number of respondents = 88 Total number of respondents using SAP = 83 Only SAP users were asked use, implementation and controls questions 3

4 Company and respondent background Question 1. Please specify your functional title. Question 2. Please specify your company s industry/sector. Internal audit director, manager, or staff 28% Retail / Consumer 3 Chief audit executive 19% Industrial products 15% Information technology director, manager, or staff 9% Pharmaceutical / Life sciences 9% Finance director, manager, or staff 8% Technology 9% Compliance director, manager, or staff Chief information officer (CIO) 8% Entertainment / Media / Communications Transportation / Logistics 5% Chief financial officer (CFO) Aerospace & Defense Division CIO/CTO Automotive Tax director, manager, or staff Accounting director, manager, or staff Chief accounting officer, Corporate controller Diversity director, manager, staff Division controller Division vice president, manager Legal department director, manager, or staff Quality director, manager, or staff Energy / Mining Utilities Engineering / Construction Healthcare Insurance Professional / Business services Other 3 10% Risk management director, manager, or staff Other 7% 4

5 Company and respondent background Question 3. Is your company multinational? Multinational 90% No 10% Question 4. Please specify your company s type? Public 8 Privately held 18% Question 5. What is your company s global annual revenue? Less than $1 billion $1-$5 billion 10% 3 33% $5-$10 billion 19% $10-$25 billion $25-$50 billion More than $50 billion 15% 13% 8% 5

6 SAP Use Question 6. Which version of SAP does your company currently use? ECC The SAP software these companies are using is primarily ECC 6.0 used by 76 percent of those currently using any SAP software. ECC 5.0 is used by 9 percent and R/3 by 8 percent. ECC 5.0 R/3 9% 8% Other 5% Question 7. Please specify total number of SAP software users in your company. Less than 250 5% Among SAP users, the majority (58 percent) have more than 2,000 SAP software users in their companies. Only 5 percent have less than 250 SAP users, and 8 percent did not know total users ,000-2,000 More than 2,000 18% 1 58% Not certain 8% 3 Question 8. How long has it been since your last SAP software implementation or technical upgrade? 0-2 Years 8 A very high proportion of these users, 81 percent had their last SAP implementation or technical upgrade recently, over the past 0-2 years. Another 10 percent, over the past 3-5 years, and 5 percent more than 5 years. 3-5 Years More than 5 years Not certain 5% 4% 10% 6

7 SAP Implementation and Technical Upgrade Question 9. Was your most recent SAP software project an implementation or a technical upgrade? Implementation 6 Two-thirds (66 percent) of the most recent SAP software projects were implementations, and one-third (33 percent) were technical upgrades. Technical upgrade Not certain 33% Question 10. Did the SAP technical upgrade involve redesigning or enhancing significant business processes? One-in-five (19 percent) of SAP technical upgrades involved redesigning or enhancing significant business processes. Four-fifths (81 percent) did not. Redesign or enhance No 19% 8 Base: 27 respondents with a technical upgrade Question 11. What was the overall SAP software project cost? Less than $100 million 3 A total of 71 percent of SAP software users shared with us the overall SAP software project cost. High cost of over $500 million was reported by 13 percent, while lower cost, under $100 million, was reported by 36 percent reflecting a wide range of project costs. $100-$200 million $200-$300 million $300-$400 million 1 3% 7% 3 $400-$500 million More than $500 million 13% 29% 7

8 SAP Controls Integration Question 12. Did you have a controls integration workstream as part of your SAP software implementation or technical upgrade? Importantly, two-thirds (66 percent) of SAP software users reported having a controls integration workstream as part of their SAP software implementation or technical upgrade. Thirty-one percent did not, and 3 percent did not answer. Had controls integration workstream No 3% 3 6 Question 13. What percent of the overall SAP software project cost was spent on the controls integration? None 7% Seventy-one percent of those who reported having a controls integration workstream as part of their SAP software implementation or technical upgrade reported costs spent on controls integration. Typical costs reported for controls integration were in the - 3% range (36 percent), or 4%-7% range (18 percent). Only 6 percent spent in the 8-10% range, and 4 percent spent more than 10% for controls integration. 1-3% 4-7% 8-10% More than 10% 3 18% 4% 29% Base: 55 respondents with controls integration Question 14. What phases did the controls integration involve? Blueprint 3 60% Controls integration was involved in all phases, with virtually all users including it in the Test (95 percent), Design (87 percent), and Go Live phases (87 percent). Seventy-eight percent included it in Past Go Live while somewhat less (60 percent) included it in the initial Blueprint phase. Design Test Go Live 87% 95% 87% Post Go live 78% Base: 55 respondents with controls integration Note: Multiple responses permitted 8

9 SAP Controls Question 15. What percent of your controls were automated prior to the recent SAP software implementation or technical upgrade? Most controls were not automated prior to the SAP software implementation or technical upgrade. Over one third, 36 percent, had less than 10% automated prior, another 35 percent had between 1 and 30% automated prior, and only 16 percent had over 30% automated prior. Thirteen percent did not answer. The median of those answering was just 14.8 percent with prior automation. None 1-10% 11-20% 21-30% 31-40% 41-50% 19% 1 3% 7% 30% 51-60% 0% More than 60% 13% Question 16. What percent of your company s controls were automated after the SAP project? None A notably higher proportion of these companies controls were automated after their SAP project, rising from a median of 14.8 percent before to a median of 26.4 percent after. Only 18 percent had less than 10% automated after, another 33 percent had between 1 and 30% automated after, and 37 percent had over 30% after, compared to just 16 percent over 30% prior. Twelve percent did not answer. 1-10% 11-20% 21-30% 31-40% 41-50% 9% 1 17% % 1 More than 60% 1 1 9

10 SAP Controls Question 17. Has your company seen a savings in its controls and compliance efforts due to the SAP project? No savings 58% Significantly, the majority, 58 percent, of these SAP software users reported that their companies had not seen a savings in their controls and compliance efforts as a result of their SAP project. A still solid 39 percent did, and 3 percent did not answer. Company savings 3% 39% Question 18. What is the percentage reduction in your company s controls and compliance related efforts? None 0% Two-thirds (65 percent) of those reporting a savings in their controls and compliance efforts gave an estimate of the reduction in effort. The median reduction among those reporting was 13.0 percent. Many reported a reduction of under 10% (31 percent), or 1-20% (16 percent), but 9 percent reported a reduction of more than 50%. Thirty- five percent of this small base did not answer. 1-10% 11-20% 21-30% 31-40% 41-50% 1 3% 0% % More than 60% 3% 35% Base: 32 respondents 3 with savings in controls and compliance efforts Question 19. Has your company s investment in SAP resulted in an improvement in your overall control environment? It is noteworthy that two-thirds (67 percent) of SAP software users surveyed believe that their investment in SAP resulted in an improvement in their overall control environment. Only 16 percent disagreed, and 17 percent did not know. Improvement No improvement Not certain 1 17% 67% 10

11 SAP Controls Question 20. Who in your company is primarily responsible for the identification and monitoring of SAP related controls? Two functions, security and controls (67 percent) and internal audit (65 percent), are primarily responsible for the identification and monitoring of SAP related controls. End users (34 percent) and other functions (21 percent) were also mentioned. Security and controls Internal audit End users Other 2 34% 67% 65% Note: Multiple responses permitted Question 21. Is your company currently leveraging any of the following GRC technologies to assist in the management of SAP related compliance? The majority (54 percent) of these SAP software users report currently leveraging SAP s GRC Access Control (AC) and/or Process Control (PC) (47 percent) technologies, and/or other compliance tools (18 percent), to assist in the management of SAP related compliance. Most typically used is GRC AC (34 percent). Another 18 percent either did not know or did not answer, while 28 percent reported not using any of the listed or other technologies. GRC AC GRC PC GRC AC and PC Other compliance tools None of the above Not certain 34% 1 18% 28% 1 3 Note: Multiple responses permitted 11

12 SAP Controls Question 22. What would you do differently with respect to SAP controls? A common theme in the responses was a desire for more automated controls. In addition, a number of respondents noted that it was important to consider controls in the initial design phase, reducing the need to add them in after Go Live. Assess the controls in build and design phase of the project. Leverage more of SAP for automated controls. Define the end state organization to maintain control environment. Spend more time updating company processes to use more inherent SAP controls Map and rely on more automated controls. Improve tone at the top push down to consider controls within IT project implementation Ensure that the application controls are in place prior to go-live and that the staff are properly trained to understand the system and controls. Created them in conjunction to the implementation instead of after the fact. Embed security and controls components within each process workstream rather than having them represent a standalone activity. Make sure the project team took more ownership in driving the design of controls. Hold up \go-lives\" to enforce security related controls (system access/ segregation of duties) are in place AND operational AND effective. Current methodology seems to be a get it in and clean it up later approach." More automation More Automation and better integration of controls in the project plan We are considering adding GRC process controls when we upgrade to GRC10 Spend more time before first implementation on designing roles and controls and understanding object control availability Embed identification of business process controls up front in the project. Implement GRC as part of Wave 1 Automate more Hard to say -- implementation is not scheduled to be complete until Try to leverage the system more to perform the controls (automation) Implement GRC soon... Better alignment to SOX controls as a part of the SAP standard delivery methodology Try to have more automated controls; put more thought into provisioning and role design up front and then stick with the chosen model We rely on processing controls, approval tables and reference to mitigating controls as defined for key employees. Better engagement between implementation and business teams. Better \future state\" planning (roles and responsibilities We are currently investigating SAP tooling within Solution Mgr. Implement more real-time controls monitoring and potential exception reporting I would like the use of and reliance upon system controls - initially through workflow in the system. Additionally, I would like to implement GRC. 3 Involve business more in identification and 'ownership' of automated controls. We have 9 separate instances of SAP around the world and tend to do things differently. We are planning to further commonize processes and tools. Acquire and leverage GRC tools Create more automation in the environment More use of automated controls monitoring More time spent on assessing potential process improvements in the design phase of the project. The users just build what they already know. 12

13 Contact: Robert Clark Principal; Risk Assurance (267) Sean Donahue Partner, Risk Assurance (414) James Draper Principal, Risk Assurance (415) Dave Erickson Partner, Risk Assurance (312) Sachin Mandal Principal; Risk Assurance (973) Greg Pillay Principal, Risk Assurance (813) Tammy Wojtasiak Partner, Risk Assurance (612) Eric Bloesch Managing Director; Risk Assurance (267) About PwC s SAP practice: PwC is the largest professional services firm in the world with over 168,000 people in 158 countries. Our SAP practice has been involved with SAP transformation initiatives from the early 1990 s, with more than 1,400 SAP-dedicated professionals. Focused on driving performance improvement through integrating risk, process, and technology solutions, we leverage our experience and product knowledge to address the financial, operational, technical and compliance challenges that you face when undertaking significant upgrades or implementations of SAP. About the research: PwC s ERP SAP controls study was conducted via and the internet during April and May, A list of likely SAP users was developed by PwC. The independent research firm BSI Global Research Inc. ed potential respondents with an invitation to participate in the survey on behalf of PwC. The invitation directed respondents to a web survey application. The survey was completed by 88 respondents, of which 83 were SAP users. Individual responses were confidential and no company specific data was shared with PwC. PricewaterhouseCoopers has exercised reasonable professional care and diligence in the collection, processing, and reporting of this information. However, the data used is from third-party sources and PricewaterhouseCoopers has not independently verified, validated, or audited the data. PricewaterhouseCoopers makes no representations or warranties with respect to the accuracy of the information, nor whether it is suitable for the purposes to which it is put by users. PricewaterhouseCoopers shall not be liable to any user of this report or to any other person or entity for any inaccuracy of this information or any errors or omissions in its content, regardless of the cause of such inaccuracy, error or omission. Furthermore, in no event shall PricewaterhouseCoopers be liable for consequential, incidental or punitive damages to any person or entity for any matter relating to this information PricewaterhouseCoopers LLP. All rights reserved. "PricewaterhouseCoopers" and PwC refer to PricewaterhouseCoopers LLP or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate and independent legal entity. This document is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.