KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Thank you for these sessions about the security and governance, Don. Right. My name is an Wilder. I am professor in compliance and risk management, and I am also working and playing with recent controls since a long, long time, maybe 22 years. And in this session, I will share some of best practices and tips in order to centralize controls in order to use SAP CRC for compliance in order to also understand what we can do for the certification in SAP and how we can deal with red flags and analytics and dealing with access management in terms of separating tasks.
The first thing that they want us to reflect upon is how important is to centralize processes. When we are now implementing a new wave of cost reduction programs and improving the way that we are serving the client, going to digitalize more and more services in response to the COVID crisis.
We need to have a centralized repository of actions, a repository, a central repository of controls and risks in order to be able to finally identify all the processes that can have a synergy when we are improving the execution in that direction, SAP CRC will be able to support you for getting an overview of the processes and the sub processes. This is extremely important to start with the simplification and also with the core reduction and transformation initiatives.
SAP is also to centralized the controls that we are using for different purposes, from physical security to data security, for financial reporting in a way that we can have a H hierarchy of those controls and they can be enforced not only at the group level, but also the subsidiary levels. Then also, when we are talking about digitalization, eh, SAP CRC can schedule this controls in workflows and for due diligence for ongoing due diligence for self-assessment for risk self-assessment.
They can manage the way that we are sending and receiving surveys in order to get ations particularly for business planning and parties and third parties, what they are doing in terms of complaining with our own contracts, our own regulations, our own controls. And right now we are getting a, a lot of increase risks and incident related to fraud.
They had done so many changes and adjustments in response to the COVID crisis that there rationalization and the opportunity for fraud is there to commit from accounting to operational fraud is increased under, are new threats, and there are new vulnerabilities too. And SAP is able to accommodate this investigation of fraudulent activities in and red flags.
Also, we are getting a lot of attention from third parties in order to monitor the solvency. Very, very important. Many of our third parties are being challenged by financial constraints, and we need to monitor that what are we doing in order to monitor the solvency of the third parties right now? Do we need to get an exit plan also talking about performance.
If we are dealing with cost saving initiatives, it's very important that we ensure that the performance for the services and the goods that we are procuring is aligned to the quality standards and the contractual clause and the requirements that they need to comply with. Also service continuity. We are seeing more restrictions going up and down and the way that we are challenging operations, the way that we are seeing a lot of this continuation of services is something that we need to closely monitor. So there are four models use that we can use and leverage in SAP. CRC.
My first advice here is to use the business I screening to get notification on fraud, red flags, extremely important that we are updating the rational for the red flags that we have in the past process. Delay changes in the operations. Open reversal of activities, have a different pattern. Right now we are seeing that having open items for good receipts in the, in the way that we are now operating, working from home and working more on, on digital services is a completely different scenario that the one that we had before.
So being able to centralize the, the management of the integrity screen and to get the, the notification for fraud and updating the criteria for the red flag to happen is extremely important. Other module that I highly recommend to consider is the business partners screening. Many of the organization have very strong processes for diligence on certain parties and business partners.
How however, when we are going for vendor monitoring, when we are talking about ongoing new diligence and how we are following up that all the capabilities that the potentials are party shown to us in a new diligence are finally deployed for the contract requires to have a, a better monitoring. And this is something that is getting a lot of attention right now.
Then we need to improve the way that we are managing risk those days in which somebody was pointing a finger in the air saying red, yellow, and green 1, 2, 5, these bias analysis based on aches and words that have a different meaning from the internal auditor, that from the business from it are gone and are gone for good.
Right now, we need to really be able to ensure that we had the proper exit plan for third parties, that we are able to deal with the continuity risks and being able to link risk management to insurance to contractual closes to outsourcing, which is a different type of risk management that we need to do. And also because of the, somebody have to pay for the party in terms of the, the reaction to the COVID. We are gonna see a lot of changes in tax compliance. So SAP have a diff a dedicated module here that is preventing fines and dispute.
When you are able to check for each time that the proper approvals and the submissions and updates in the way that we are ING the reporting and the calculation for taxes is properly done in the direction of risks. I would like to suggest to use Monolo simulations right now is the golden standard in quantit risk management is it became the way to go for particularly challenge the volatility of assumption in planning.
So my recommendation here is to be able to analyze the cash flows, look for the assumption that you got in the budgets, in the price calculations, in the way that you are operating and planning for uhcontract and work and, and manufacturing. There are some risk and related to other costs. There are risk related to delays in the process. There are some risk, which you may not have the right reserve for addressing a contract, and you cannot tell the decision makers to change the assumptions by telling them red, green, or yellow, or one to five.
They really need to be able to use tools like Monte. That is part of the CRC model in SAP for risk management, which is extremely effective in the way that you can see different scenarios. And then you can calculate and to address very concrete questions from the decision makers, from the business that they can use this approach in from SAP.
Also, one of the processes that we, I want to emphasize is the way that we are performing the user access reviews years ago, we were extremely focused on the execution of different transaction. The TCOs in SAP, and right now with so many privacy regulations around the world, we are. And also because we empowered users with data pools and a lot of queries and data lakes that they were able to finally manage, download a huge amount of information.
Now, we are focusing the access reviews on the visualization rights, and this is a journey. This is his is, is a way that SAP can help us in order to first understand who is the owner of the asset, the data, and also the functional owners of the different modules for them to update, to update who needs to have access to another suggestion here is to be able to highlight the changes in the most roles. The traditional certification of our user accesss was sending the download of the user list to the process owners.
But I highly recommend to start talking about changes who has access in the previous year, who has access in the previous two years. So the, the business owner is able to focus not only for the current accesses, but also on the changes. And then always, we have a challenge with terminations of employees and contractors. We have seen a lot of contractors now working with extension of contracts is a very different game ball in during COVID. So please take attention to pay attention to determinations and the contractors. And then also review how the accesses are done.
What has been happening, how the accesses are being revoked review. They are making sense review if the profiles need to be updated. Other recommendation here is to being able to start addressing the consistencies that we have for in SAP data, during the COVID crisis, there were so many changes. There are operations, there were so many changes in the conditions and in activities.
And the goals that we have that now is the right time to start a cleanup of the data and being very sure, which is the data data that you are netting cleaning, waving for having further actions, because it may be a risk of flow here. So focused on the, on the data and start fixing all the inconsistencies in the process that are now shown in the SAP data. Many purchase orders were not unable to be fulfilled. Many sales orders are were pending.
And so on in terms of the VE integrity screening, I want you to start considering some common scenarios here for the new normal duplicated payments is extremely important. We are seeing here, eh, also the way that we may have a SHA contracting people that are actually employees and no contract, that they were hided as a contractor, because we have in most of the organization are hiding free during the COVID crisis. So right now they will be more challenges.
And in the way that we have duplicated payments, also split orders, they have been also many changes in the operations is a, is a where risk that we need to focus about the right level of approvals, how the contracts were done. They were a lot of changes and reversals on the contracts. So being able to update the split, other queries also invoice before receptions. Also the supply chain was delayed during the whole COVID time and we were paying invoices.
So right now we have plenty of inconsistencies related to the invoice before reception inaccurate metadata clients, that they were not finally engaged supplier, that they were changing. And yeah, it created a lot of inconsistencies in the metadata and also focused on the unusual discounts during the co. They were a lot of need in order to sell and they were discounts. So let's see the who approved those discounts and how they were given to issue that there is not any risk of fraud in the discount. And finally, the last topic to cover is the SAP segregation rules.
Being able to review the changes in the access control attributes, leverage the default inconsistencies and conflicts that SAP have by default, depending on the industry is a very comprehensive approach. Let's use the knowledge that SAP have for each industry to detect whether there are conflict in the duration of duties, continue with the improvement of the display rights right now is not the de the deletion. The creations are fully managed in most organizations. We understand all the conflicts in related to those transactions.
And now the next step that we are still improving is the way that we are dealing with accesses to reports, and also the data warehouse and data pools and business intelligence, and many other additional platforms used in SAP data. Also simplify the roles. There is a new norm. There are a lot of changes in the, in the business roles, in the shop roles, being able to simplify the process. I am happy to connect with you. You can reach out to me on LinkedIn or, or Twitter in order to expand this ideas further.
And I am very happy to be here in this forum, always helping in the digital transformation and working on information security and SAP is something that is very, very, very rewarding. Thank you.
