To improve internal productivity and resource availability
Focus on prevention. It’s better to prevent bad things from happening in
the first place than to simply detect them after the fact.
Document test results and violations by business process and organization. Doing so gives you a scorecard of what is happening in each
business process and unit.
Select controls and tolerances consistent with organization policies,
procedures, and regulations. In other words, you don't want alarms
going off all the time, only when something warrants further
investigation.
Adopt Best Practices
The 2006 SAP GRC Benchmarking Survey identified seven best practices
for GRC:
Document well and store the documentation centrally. All processes
should be well-documented and stored in a central repository, including
the documentation of policies, work papers, and evidence to meet
requirements of Sarbanes-Oxley sections 302 and 404.
Automate as many controls as possible. The majority of process control
testing is automated and can be scheduled for appropriate locations,
business units, or legal entities.
Automate the flow of manual controls to keep them moving. Manual
control testing is streamlined with automated task assignments, guided
procedures, and workflows.
Find segregation of duties (SoD) violations automatically. SoD risk identification and remediation should be performed automatically, across
multiple ERP environments and instances.
Automate user provisioning and changes. User access administration
and change management should be automated with approval notification
and mandatory compliance verification.
Make business people responsible. Business process managers should
be accountable for control documentation and testing, not Internal
Audit or IT.
Audit yourself. Internal Audit should regularly perform audits to cover
the effectiveness and efficiency of operations, the reliability of financial
reporting, compliance with applicable laws and regulations, and safeguarding of assets.
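The automatic SoD check described above (find violations across multiple ERP instances, then tune what raises an alarm) is the one item in this list that is a concrete technique, so here is an added example of how such a check works in code. It is not SAP GRC code and not from the survey; the system names, roles, actions, users, conflict rules, and the approved mitigation are all hypothetical sample data constructed for the example. It goes a little beyond the text in two ways: it flags a conflict even when the two halves are held in different ERP instances, and it lets a documented compensating control suppress a known, accepted conflict so the report shows only what warrants investigation.

```python
"""Segregation-of-duties (SoD) conflict detection over role assignments
pulled from several ERP instances.

Added example, not SAP code. Every system, role, action, user and rule
below is hypothetical sample data constructed for illustration."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Hypothetical: which business actions each role grants, per ERP instance.
ROLE_ACTIONS = {
    "ERP-PROD": {
        "AP_CLERK": {"create_vendor", "enter_invoice"},
        "AP_MANAGER": {"approve_payment", "release_payment"},
        "VIEWER": {"view_reports"},
    },
    "ERP-SUBSIDIARY": {
        "PAYMENTS": {"approve_payment"},
        "MASTERDATA": {"create_vendor", "change_bank_details"},
    },
}

# Hypothetical SoD rules: (action A, action B, severity, description).
# No single person may hold both A and B, in any combination of systems.
SOD_RULES = [
    ("create_vendor", "approve_payment", "high", "Create a vendor and pay it"),
    ("enter_invoice", "approve_payment", "high", "Enter and approve own invoice"),
    ("change_bank_details", "release_payment", "medium", "Redirect and release a payment"),
]

# Constructed sample of provisioning data: (user, system, role).
ASSIGNMENTS = [
    ("alice", "ERP-PROD", "AP_CLERK"),
    ("alice", "ERP-SUBSIDIARY", "PAYMENTS"),    # conflict spans two systems
    ("bob", "ERP-PROD", "AP_CLERK"),
    ("bob", "ERP-PROD", "VIEWER"),
    ("carol", "ERP-PROD", "AP_MANAGER"),
    ("carol", "ERP-SUBSIDIARY", "MASTERDATA"),  # two distinct conflicts
    ("dave", "ERP-PROD", "AP_CLERK"),
    ("dave", "ERP-PROD", "AP_MANAGER"),         # one conflict is mitigated below
]

# Hypothetical approved compensating controls: (user, action A, action B).
# A documented mitigation suppresses the alarm; it does not remove the risk.
MITIGATIONS = {("dave", "create_vendor", "approve_payment")}


@dataclass(frozen=True)
class Violation:
    user: str
    action_a: str
    action_b: str
    severity: str
    rule: str
    systems: tuple  # every system contributing to the conflict


def effective_actions(assignments, role_actions):
    """Collapse role assignments into user -> {action: {systems granting it}}.
    Roles missing from the catalogue are returned separately rather than
    silently ignored, because an unknown role is itself a documentation gap."""
    actions = defaultdict(lambda: defaultdict(set))
    unknown = []
    for user, system, role in assignments:
        granted = role_actions.get(system, {}).get(role)
        if granted is None:
            unknown.append((user, system, role))
            continue
        for action in granted:
            actions[user][action].add(system)
    return actions, unknown


def find_sod_violations(assignments, role_actions=ROLE_ACTIONS,
                        rules=SOD_RULES, mitigations=MITIGATIONS):
    """Return every unmitigated SoD conflict, ordered by user then rule."""
    actions, _unknown = effective_actions(assignments, role_actions)
    violations = []
    for user in sorted(actions):
        held = actions[user]
        for action_a, action_b, severity, description in rules:
            if action_a in held and action_b in held:
                if (user, action_a, action_b) in mitigations:
                    continue  # accepted risk with a compensating control
                systems = tuple(sorted(held[action_a] | held[action_b]))
                violations.append(Violation(user, action_a, action_b,
                                            severity, description, systems))
    return violations


def summarize(violations):
    """Scorecard input: number of open violations per severity."""
    return dict(Counter(v.severity for v in violations))


if __name__ == "__main__":
    found = find_sod_violations(ASSIGNMENTS)
    for v in found:
        print(f"{v.user:6} {v.severity:6} {v.rule} via {', '.join(v.systems)}")
    print(summarize(found))
```

Running it reports alice twice (the cross-system create-and-pay conflict plus enter-and-approve), carol twice, and dave once, since his create-and-pay conflict is covered by the documented mitigation; bob is clean. Feeding real assignment exports into `ASSIGNMENTS` and a maintained rule set into `SOD_RULES` is what turns this into the scheduled, automated test the survey recommends.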
298 Part V: The Part of Tens