A discussion I had this morning with one of our IT senior managers served as a good wake-up call to me. We were talking about our organization’s strategic direction for SAP security, and the manager expressed a great deal of confidence that our deployment of SAP GRC 10.x was going to meet our organization’s compliance needs. I was glad to hear it, since our GRC Access Control 10.0 migration project is my primary focus this year; however, I also took the opportunity to mention that, as excited as I am about our migration project, any toolset is not the “end all and be all” of compliance. Deploying a new toolset is just the start; reviewing the security and compliance processes and governance model is equally important to ensure that the organization will get the full value from the GRC toolset implementation. If you, too, are deploying, or migrating to SAP GRC 10.x, here are some things to consider.


For starters, if Access Risk Analysis is in scope, the GRC toolset is only as good as its Segregation of Duties (SOD) ruleset. Has yours been maintained when SAP has released updates and when custom transactions are implemented? Any organization can be “clean” on SOD violations if the ruleset and risks matrix have not been maintained regularly on a timely basis. In addition, if you only have rules for your ECC system, it might be time to consider implementing rules for other connected systems as well.


Do you have a process and organization in place to review all custom transactions for SOD or sensitive access risks before SAP roles are updated?  Does anyone sign off on the risks of new custom transactions before they are added to end user roles? Do you have a strong governance model for security role designs, or is it pretty much anything goes? Is there a designated person or committee with the authority to veto the addition of sensitive Basis transactions and authorizations into end user roles? The latest GRC toolset without a strong governance model may not be fulfilling the promise of its investment to the organization.


When was the last time your security role design was reviewed for alignment with the organization? Whether your roles are task-based, job role based, or a combination of the two, if they are not well aligned with the way the SAP users work, your end users may continue to struggle to identify the “right” roles, even with the improved access request user interface, and many more user access requests are likely to be processed, which is expensive both from a user downtime perspective and an administrative processing perspective.  Business processes often change when new functionality is deployed; a review of the role designs and the risks should be part of that effort as well. Keeping your security role design aligned with the business processes is not something the GRC toolset will do for you, but it is an important part of the compliance picture to ensure that users have the right access to do their jobs. Getting HR engaged in the process can pay off in the long run with more quickly provisioned users, and who doesn’t want faster and better onboarding of new hires? Improve this process and you get to be the hero in your organization.


Getting the latest technology in GRC tools without a well-aligned supporting organization model and processes is a lot like a luxury sports car without a skilled driver and good roads to enable the car to run to its potential.  Consider how your security processes and governance model can be updated to enable your SAP GRC 10.x toolset to deliver the best value to your organization.

In his session at GRC 2013, compliance and security Marc Jackson makes the case for auditing your SAP GRC systems – something not to be overlooked in your system audits.

In a recent online Q&A on Insider Learning Network, Turnkey Consulting's Marc Jackson took questions on GRC audits, useful transactions and tools, auditing  performance and transport paths, the affect of the ABAP stack now in release 10.0, Firefighter audits, and other topics.

Read the Q&A in our Compliance Forum, or review our edited transcript here:

Matt Moore, GRC 2013: Welcome to today's forum on strategies and tools to audit your SAP GRC system. I’m pleased that we have Marc Jackson from Turnkey Consulting here to take your questions.

Marc is a Manager with Turnkey and is responsible for delivering and developing their Audit and Risk Management services.

Marc will also be speaking at GRC 2013 in Amsterdam in June on the topics of auditing GRC systems, AB&C compliance, and SoD management.

Welcome, Marc, and thanks very much for joining us today! It was great to have you as a speaker at GRC 2013 in Las Vegas last month.  I see a number of advance questions here already, so I’ll let you tackle those.

Marc Jackson, Turnkey Consulting: Hi Matt,

Thanks for the introduction, and welcome to everyone for my Q&A session on auditing GRC systems.

I see there has been quite a bit of activity on the posting already so I'll make a start on replying straight away.



Ken Murphy: Hi Marc, can you suggest any steps to simplify audits of change management/transport paths? Thanks, Ken.

Marc Jackson: Hi Ken,

This is a good starter, as Change Management is just as significant for GRC systems as it is for any other SAP systems in your landscape.

If unauthorised changes are taking place in your GRC system then this could undermine the integrity of the controls and compliance related data coming out of it.

The key thing to remember around the transport path is that your GRC system should ideally have a 3-tier landscape - DEV, QA & PROD. Therefore, a quick way to check this in your system is to use transaction STMS and then hit the "Transport Routes" icon. This will provide you with a graphical illustration of the GRC systems defined as part of the transport route.

There are many other areas of Change Management which can and should be covered as part of your GRC review, such as the procedural elements which are followed when making changes to the system (e.g. change request procedure, testing steps, migration to production approval etc). The procedure should be tested using traditional sampling techniques.

You should also look for any GRC-related changes which have been made directly in the QA or production environments rather than via the Dev system (use table E070 and look at the system identifier in the initial 3 characters of the transport request name).

There's much more to talk about but I hope that helps as a starter!

malinirao: How to audit SAP GRC Process controls? What are the things to check apart from the controls library?

Marc Jackson: Hi Malinirao,

GRC Process Controls (PC) is quite a unique system to audit but there are some specific parts which need a certain level of attention.

The master data should be checked for appropriateness and completeness (i.e. has your organisation's control framework been reflected accurately within the tool, have the relevant risks been assigned to the correct sub-processes, control and control objectives etc).

However, if your organisation is using PC to automatically monitor the operating effectiveness of controls then you must get assurance over the logic and data held within the related business rules and data sources. The primary purpose of this is to ensure they will accurately reflect the status of the control it is monitoring.

You can do this by looking in the Rule Set-up work area, and select business rules within the Continuous Monitoring section.

AlexanderHartwig: Hi,

I have some questions on GRC v10.0. My clients are now moving into v10.0 and I would like to know what are the key differences between AC5.3 and v10.0 and what would be the implications to an audit.

Are there additional risks that would need to be addressed as a result of the version (and platform) changes?

Marc Jackson: Hi Alexander,

The big difference between the 2 versions is that 10.0 uses an ABAP stack, which actually makes auditing AC easier and reduces the risk in my view!

For example, in 10.0 all non master data-related changes should use the standard SAP Transport Management System. So this means, as is the case in standard ECC systems, that a change can be made in the development system and be migrated through all of the other GRC systems along the transport path in a controlled manner. No need to manually re-apply everything which can easily lead to mistakes, as well as providing some standard tools to help protect the process.

It also means that access is assigned using standard PFCG roles as well. Therefore, it makes it easier to review and understand who has access to specific GRC functionality using traditional techniques such as SUIM reports, or even using the ruleset itself to monitor GRC access.

Another big difference is the integration between the GRC applications. So you might want to check if AC & PC are being used in this way (e.g. managing mitigating controls in PC etc).


  • What are the available tools to audit SAP GRC?
  • What are the best practices that need to be followed to ensure SAP GRC is compliant with the organization security policies and procedures?

Marc Jackson: Hi Malinirao,There aren't any specific dedicated tools to use as such when auditing GRC systems. The tools which you can use either exist in the GRC back-end system itself (i.e. reporting tools such as SUIM, displaying relevant tables, displaying PFCG, SU01d etc.)Or you should use the tools and techniques available in the GRC system for the purposes of auditing it (e.g. defining GRC-specific sensitive access in your ruleset so you can report against it, using Process Control reports to identify any risks which haven't got a control assigned against them in the control framework, digging into the business rules to understand the logic and whether it would accurately identify a control deficiency or not etc.).You can also use traditional interview techniques as well and speak to the people that own and maintain these systems.
charukesh: Hi Marc,What are the best practices for auditing the SOD rule sets?If a landscape has multiple systems like ECC, SRM , HR and no Logical Systems/Cross-systems are defined, how do we highlight the inefficiencies?Best regards,CharukeshMarc Jackson: Hi Charukesh,When auditing the GRC rulesets there are a few things to keep in mind. The ruleset is there to define those access risks that are deemed significant to the business and translates them into SAP authorizations, so that offending users can be identified as part of detective or preventative controls.Therefore, the identification of SOD & SA risks is heavily dependent upon accuracy and completeness of the ruleset. So you need to review the ruleset content, which includes:

  • Risks
  • Functions
  • Actions
  • Permissions

Now, you won't be able to say on your own whether everything is OK or not. You also need to talk to the relevant people to understand the process taken during construction of the ruleset to ensure that the right people were included in the design workshops, so that the risks are relevant to the organisation and not just out-of-the-box.

You should also ensure custom functionality has been included where it could help contribute towards a risk.

I'm not sure I completely understand the 2nd part of your question - could you please elaborate? Thanks.

charukesh: Thanks for your reply Marc.

Let me rephrase the question. Maybe now I am asking a slightly different question:

If 2 systems connected to RAR have conflicting functions (Analysis Scope for function is set to cross system) and if no cross system rules are generated, will the system detect/show correct results?

Marc Jackson: Hi Charukesh,

Thanks for your follow-up post.

Regarding your question, I haven't actually used RAR with the cross-system function as yet, but logically I would expect that if no cross system rules are generated then a 'no access rule' selected error would result. However, I can't confirm this for sure based on my lack of exposure to these situations.

Apologies I couldn't be more conclusive for you, but hopefully it's provided a little bit of help for you.



D.J.: We will be upgrading from GRC v5.3 to v10 later in the year. What is the best approach for migrating our rulesets, workflows, and settings from one version to another? Any other tips for upgrading?

Marc Jackson: Hi DJ,

This question is a little "off topic" as it's related to GRC upgrades rather than tips and techniques to audit your GRC system. Therefore, it's a little bit out of my own subject area and I don't want to give you any false advice.

However, I have colleagues who would be able to provide you with a full and accurate answer to these upgrade queries. Could you please email one or both of the following contacts: Simon Persin  Kehind Eseyinkehinde.eseyin@turnkeyconsulting.com



JuneChandler: Hi Marc,  In order to fully audit the usage of Fire Fighter in GRC10 is it possible to track from the FF log report right through the documents posted or data changed in the back end system?

We are in the process of upgrading from 5.3 and this is one of our key challenges as we end up running numerous reports in our backend ECC system to identify the impact of the FF usage.

Thanks, June

Marc Jackson: Hi June,

This is quite a common problem, so you're not alone with your challenges! Unfortunately, you are going to encounter the same problems in 10.0 as you're currently experiencing in 5.3.

The good thing is that SAP are aware of these limitations and are currently trying to enhance this transparency within the audit log of FF usage report to more explicitly tell you what actions have actually been performed with the FF user.

I hope that helps ease your frustrations a little. Although it's encouraging you are being so diligent!


JuneChandler: Hi Marc,

Thanks for the response.  It's great to hear that SAP are aware and looking into it.  I will keep an eye out for developments from them.  Thanks for answering the questions.  Some extremely useful information for us.

Kind Regards, June

Dave Hannon: Marc, thanks for taking our questions today.

A person I spoke with recently brought up the performance of their GRC system, so I'm wondering if GRC auditing can have any implication on the overall performance of the GRC system, for better or worse? Thanks.

Marc Jackson: Hi Dave,

That's a good question to ask. Because the common techniques which you will be using to audit your GRC system tend to be quite traditional methods such as running reports, or displaying tables in the back-end, or checking parameter settings etc., then there is no impact at all.

Even when you're actually doing stuff in the front-end, it tends to be navigating around to relevant parts of the tool to check master data, ruleset content, business rule logic, assignment of mitigating controls etc., all of which require no "heavy lifting" on system performance.

The only impact I can foresee is when you are using the ruleset to run risk analysis reports as part of your investigation, but these can be done smartly to avoid any detrimental impact (e.g., running it for targeted user groups at a time, running them in the background, etc.).

It might also mean you may need to set up an extra user or two on your GRC system for the auditors to use, unless you already have such users set up.



Matt Moore: Thanks to all who posted questions and followed the discussion!

A full summary of all the questions will be available here in the Compliance Forum. And of course, I invite you to our annual GRC 2013 conference in Amsterdam, June 11-13.

Marc will present three sessions, and we hope you have the chance to see at least one of them in person!

You can get updates on the conference by following me on Twitter at @mattmoorewis, and you can discuss the event using the hashtag #grc2013

And finally, thank you to Turnkey Consulting’s Marc Jackson for taking the time to respond to these questions.

Marc Jackson: Thanks Matt. I'd also like to quickly thank all of you for posting questions or following the session. Please don't hesitate to contact me if you have any further questions on this topic area. You can e-mail me at marc.jackson@turnkeyconsulting.commarc.jackson@turnkeyconsulting.com



Paul Davis

IE 10 Issues with NWBC

Posted by Paul Davis May 8, 2013

Please be aware that some customers who have upgraded to Internet Explorer 10 are having problems with NWBC in GRC 10.  SAP is aware of the issue and are working on it.  Please report any problems encountered, however, so all problems can be identified and corrected. 

I recently criticized organizations’ focus on GRC, suggesting instead that they ensure the individual building blocks of risk management, compliance, strategy, and performance management are brought up to at least a moderate level of maturity.


But, there is true value in considering GRC within your organization – without taking away from the points I made in that earlier post.

GRC refers to “a capability to reliably achieve objectives (governance & performance) while addressing uncertainty (risk management) and acting with integrity (compliance)”.


The message behind GRC is that all of the different pieces described and included in that definition of GRC need to work together, in harmony and an orchestrated fashion, if the organization is to optimize performance and reliably achieve objectives. For example:

  • If strategy is developed and only then is risk considered (instead of formulating strategy after understanding risks and opportunities both within the organization and in its business environment), you may set the wrong strategies and objectives.
  • If performance is evaluated, monitored, and managed without an integrated understanding of risks or compliance considerations, you are unlikely to optimize results.
  • If politics and other factors cause the organization to fail to share information and resources, have redundant and siloed operations, you are unlikely to perform.
  • If the compliance function is always chasing after initiatives and plans so it can add compliance bandaids, instead of being on the bus from the beginning, failure is likely.


I think organizations need to build out the maturity of the individual pieces of GRC while ensuring that they don’t result in silos, and with a vision of orchestration and harmony across the organization.


Since the failure to harmonize is most often the result of the sickness we call internal politics, this needs to be monitored, diagnosed, and treated aggressively.

I welcome your views and comments.

Gartner’s 2013 Global CIO Study points to issues I have previously aired: namely a failure to obtain full advantage from new and disruptive technology.

This should be of concern to board, all executives, leaders of IT, and risk and assurance professionals.


Here are some key excerpts:

  • Enterprises realize on average only 43 percent of technology's business potential. That number has to grow for IT to remain relevant in an increasingly digital world.
  • Over the last 18 months, digital technologies — including mobile, analytics, big data, social and cloud — have reached a tipping point with business executives. Analysts said there is no choice but to increase technology's potential in the enterprise, and this means evolving IT's strategies, priorities and plans.
  • Digital technologies provide a platform to achieve results, but only if CIOs adopt new roles and behaviors to find digital value. CIOs require a new agenda that incorporates hunting for new digital innovations and opportunities, and harvesting value from products, services and operations.
  • In a world of change, it is concerning that around half of CIOs surveyed do not see IT's enterprise role changing over the next three years.
  • Without change, CIOs and IT consign themselves to tending a garden of legacy assets and responsibilities.


However, the top priorities continue to be individual new technologies, not the more holistic perspective discussed in other studies where the CIO is asked – and expected – to step up and play a more strategic role in the organization: leading the path to growth through the smart deployment of technology. Elsewhere, Gartner has talked about “Nexus”, the growing need for IT to use multiple technologies together to create value. IDC refers to this as the third platform.


I have a few questions for board members, executives, and risk and assurance professionals to ask:

  1. Are we obtaining full advantage from the new technologies?
  2. Do we have the capabilities to understand, assess, and realize their potential value?
  3. Do we have the capabilities to adopt new technology safely? Are risk and assurance professionals actively involved, helping us understand and address any new or changed risks as a result of adopting new technology?
  4. Is IT leading the way with a vision of how technology can reshape our organization’s processes, products, services, communications with customers, and so on?
  5. Do we know what we are missing? Is that acceptable?


I welcome your views and comments.


Related posts:


When data builds up it can affect SAP system performance.  The best practice for this situation is data archiving.  This moves the data out of the production system in order to manage database growth while allowing business users direct, transparent access to it. But what about data created by the GRC system?  It is imperative that data needed for any audit or legal requirement be immediate available.


Dolphin has a solution, the Dolphin Data Management Cockpit (DMC), which offers traditional SAP archiving and serves GRC objectives. DMC permits data encryption at the field level. It works with /virsa/ tables (especially the firefighter log tables – which can build up fast), and allows this data to be archived with standard SAP archiving protocol (using SARA).  The SAP application provides archive capabilities, but this is not true archiving but more of a download/upload process. The download/upload process can take time to accomplish and can affect system performance.


The DMC solution uses the standard archiving process, which has minimal effect on your system. For data retrieval, we can update SAP Tcodes for GRC to read the archived data, making both online and archived data available to end users.


The cost of storing data in an active database can be expensive regardless of your SAP system and even more so for those using SAP HANA. Implementing an archiving strategy with transparent access to the data is a much more cost efficient alternative when data is no longer used by end users on regular bases.


Plus an added advantage to archiving, once data is archived, data cannot be altered or deleted which is ensures compliance when it comes to audits.

1.)  Some of the common attributes on which you will base your BRF msmp rule are alredy available in context( like priority,criticality      etc.) but there  are few other attributes which are not available in the context like role sensitivity etc. To create your rules based on these attributes you can create expression of type DB lookup and read these attributes realtime from database table. Following example will provide mode details of creating an initiator rule based on availablity of role owners




C     Create a new expression of type ‘DB Lookup’ in your existing initiator rule






1.)      Provide name and description to your DB lookup and fill in following details





      Once DB lookup is created and activated. Open your decision table and click on ‘Table Settings’ button. In your table settings ‘Insert Column’ as shown below






4.)     Select the newely created DB Lookup as a new column








5.)      Now in your decision table you can have first row for roles without role owners and rest of the table can remain same as your existing rule






If you haven’t registered yet for GRC 2013, March 19-22 in Las Vegas, there’s still time!  With more than 250 sessions to choose from, including workshops, case studies, demos, panel discussions, and roundtables, this is the best event of the year to attend if you’re using or evaluating SAP solutions for governance, risk, and compliance (GRC).


In this video, Michael Lortz gives you a peak at some of the planned activities


With four days and so many options, how do you get the most ‘bang for your buck’?  I’d like to recommend the following sessions and opportunities.


Education Sessions


You can view all the sessions in the conference guide, or if you’re already registered, you can find sessions via the online agenda builder.  If you’re limited on time, these are the sessions I highly recommend:



GRC Solutions Center


Do you have questions about  product functionality, implementation best practices, or the product roadmap? The GRC Solution Center is your opportunity to
have them answered in one-on-one meetings with SAP’s GRC experts – including the solution management and development teams. Note: meetings are by appointment only, and fill up quickly.  Visit the reservation desk early to reserve your spot. The solution center is located at level 1, room 103, and opens every morning at 8:00 a.m.




Ask-the-Experts is another great opportunity for one-on-one meetings with solution experts from SAP and our partners.  Whether you're looking for tips and tricks on technical implementation or functional design, or trying to build a business case for your next project, these experts can share the good, the bad, and the ugly based on their years of experience. The GRC Ask-the-Experts sessions are scheduled for Tuesday at 6pm, so grab a beverage of your choice in the Welcome Reception and find the Ask-the-Experts tables in the same room. These sessions run until 6:45pm.


Discussion Forums


New at GRC2012 and back by popular demand,  these 30-minute interactive discussions, led by a subject-matter expert,  offer an opportunity for customers with similar interests to talk informally about specific topics and is a great networking opportunity.


For more details about GRC2013, download the conference brochure – and make sure to follow the conversation on Twitter #GRC2013. 


I look forward to meeting you at GRC2013.


Originally posted on the Analytics from SAP Blog

In recent days, both noted GRC pundit and analyst Michael Rasmussen and consultant James Roeske sat down with Dave Hannon of SAPinsider to answer questions regarding GRC frameworks and SAP Access Control 10.0.

First, Michael provided insights on topics including:

  • Common mistakes in setting GRC strategy
  • The role of technology in a GRC strategy
  • The one true definition of GRC
  • How to drive collaboration in your GRC program
  • Importance of GRC maturity and integrity
  • Selecting the right GRC solution for your organization

You can hear the full podcast here: ow.ly/i2c1H

James, who is CEO of Customer Advisory Group, discussed getting the most "bang for your buck" with SAP Access Control 10.0. James discussed topics such as:

  • New features in the 10.0 release
  • Enhanced integration with other SAP solutions for GRC
  • Important technical- and business-level considerations before implementing or upgrading to 10.0.

You can listen to the full podcast here: bit.ly/YP8g1j

In addition, both Michael and James will present at the upcoming GRC 2013 conference in Las Vegas from March 18-22.

Michael will lead two pre-conference workshops on March 18:


James will present two sessions on March 19:


Matthew Moore

Conference Producer, GRC 2013

Follow me at @mattmoorewis

Many organizations do far too much work on these areas, primarily because they scope the work in isolation from their top-down approach to the identification of key controls. They base their scope on good business practice, and/or a list of ‘rules’ from a consultant or software vendor, rather than focusing on the access limitations necessary to prevent an action that might lead to a material misstatement of the financials.

The following discussion is taken from my book, Minimize Costs and Increase the Value of Your Sarbanes-Oxley 404 Program: Management's Guide to Effective Internal Controls, published by and available from the Institute of Internal Auditors (just $35 for members in hard copy, $25 as a PDF download).

Segregation of duties and restricted access controls must be identified, assessed, and tested where they are key controls. (A key control is one that is relied upon to either prevent of detect a material misstatement of the financials.) Key SOD and RA controls include those that:

  • Are required for an authorization control to be effective. For example, if the business control requires that all purchase orders be approved in the system by the purchasing manager, it is critical to ensure that only the purchasing manager has that capability.
  • Reduce the risk of a material fraud that could be reported incorrectly in the financial statements.

With restricted access and segregation of duties, there is a risk of doing more work than is required for Sarbanes-Oxley. While there are excellent business reasons for restricting access to only those functions individuals need to perform their assigned tasks, it is important to remember that only fraud risk that is both material and also misstated in the financials is within scope for Sarbanes-Oxley.

This last point is important. Many companies test SOD using a standard set of “rules” (combinations of access privileges deemed inappropriate) that have been provided by a consultant or vendor. While they may represent a risk to the business (at least in theory), they may not represent a risk of material misstatement for your organization. The rules used to drive SOD testing should be based on the top-down, risk-based approach described above, to support a key control or reduce the risk of a material fraud.

As an example, at a company where I was responsible for the Sarbanes-Oxley program, both the external auditor and the internal auditor (at that point, the internal audit activity was outsourced) had tested user access consistently for several years. They each used a standard set of more than 150 rules to identify (a) access to important ERP transactions, and (b) SOD conflicts where one individual would have the ability, using a combination of ERP transactions, to commit a fraud. When the Sarbanes-Oxley team changed to a risk-based approach, concentrating on testing access rights that represented a risk of material misstatement, the number of rules was cut to about 20.

Is your SOX scope based on a top-down, risk-based assessment when it comes to SOD and RA?

Please share how many rules you test (tests of SOD and/or RA).

Recently, two of the Big Four accounting firms released reports that address the increasing importance of the CIO. PwC published their 5th Annual Digital IQ Survey and Deloitte issued an Audit Committee Brief on the topic of “Understanding the CFO and CIO Dynamic”.

The short discussion by Deloitte provides advice for members of the audit committee. The authors say that “The ability to mine data and drive insight from a company’s numerous systems has highlighted the importance of an effective relationship between the CFO and CIO”. They refer to an earlier Deloitte publication, CFO Signals, which found that “only a little over half of the CFOs said they have the information they need to manage the business effectively, and about one-third expressed a neutral opinion”.

It is understandable that the Deloitte piece focuses on the clear and troubling problem that CFOs and other executives are making decisions without the benefit of the information they need, both on performance and risk. It is also understandable that their advice to the audit committee brings in the issue of financial reporting risks. But, I think there is more that the audit committee and the board as a whole should be concerned with, let alone the CFO, than that the CIO has aligned the activities of the IT organization with the strategies set by top management.

Rather, I think the CFO and the board should be asking whether the CIO is sufficiently involved in helping to set the strategies and vision of the organization.

I found the PwC contribution more useful. Although the paper talks about ‘collaboration’ between the CIO and the top executives, the value is clearly highest when the executive team – with the CEO as active champion – recognizes that “technology is a critical driver of business value”

PwC talks about “Strong Collaborators” and how these companies outperform their rivals. They say “Strong Collaborators are those that said that the CIO has a strong relationship (4.5 out of 5 or better across all relationship pairs) with members across the C-suite: CEO, CFO, CMO, CRO, CSO, CISO, and business unit leaders”.

Here are a couple of key excerpts, but I recommend reading the entire 9-page document:

  • “Naturally, companies with high Digital IQ understand which technologies will provide the greatest business benefits, leveraging the tools and platforms to optimize processes and improve overall performance. Our analysis shows that Strong Collaborators are more likely to aggressively invest in the four key digital technologies—mobility, cloud computing, business analytics and social media—than other companies.”
  • “Our survey found that companies with collaborative C-suites intertwine business strategy and information technology and are often rewarded with stronger company performance. They can also adapt quickly to market changes to maintain an advantage over competitors.”

PwC addresses the need for information to drive decisions. They say “Strong Collaborators are more likely to integrate internal and third-party data to better support decision-making, a critical step to provide senior leaders with the insight to make the right choices.”

But the key for me is that the CIO moves out of a role as the janitor and enters the organization’s executive team to drive the organization forward. PwC captures this with:

“CIOs of Strong Collaborator companies tend to not only ensure that technology initiatives are in step with the business plan but champion innovation across the enterprise.”

I welcome your views and comments. My recommendation is that CFOs and members of the audit committee review the two papers together and consider whether the role and relationship of the CIO within the organization is as effective as it should be.

Security Guide

SAP Access Control™ 10.0 / Process Control™ 10.0 / Risk Management™ 10.0


Please find the the same in the below link :





Since the announcement of SAP GRC 10.0, every organization wants to migrate from 5.3 to 10.0


Hence I would like to start this blog with some questions of Migration from 5.3 to 10.0.


1. Why do every customer has to migrate it to  SAP GRC 10.0?


2. What are excellent features exist between GRC 5.3 to 10.0?


2. Will my current GRC technology infrastructure suffice?


2. Will the cost justify the return?


3. What will be migration impact?


4. What is the average time for Implementation?


5. At anytime can we get a Audit reports?


I welcome your views and commentary.

The Aberdeen Group has a new research report out on Fighting Fraud with Big Data Visibility and Intelligence.


The report includes a useful review of the risk and cost of fraud. (Note that it errs when it refers to ‘tips’ as being external: these are typically calls to the internal compliance hotline or whistleblower line.)


What is new in the report is the discussion of the ability to mine the mass of Big Data, perhaps with predictive analytics, to understand and assess fraud risk, and also to monitor for red flags that indicate an investigation is warranted. As the report says:


“Rapid changes in information technology infrastructure are increasing the difficulty of maintaining high levels of preparedness simultaneously against all threats. In response, organizations are adopting enhanced strategies for fighting fraud: from 100% success at prevention, to greater visibility, faster detection and incident response; from “figure out what already happened” using post-incident forensics, to proactively “figuring out what’s happening” using Big Data and predictive analytics.”


Unfortunately, Aberdeen’s research showed that only about 16% are using predictive analytics for the detection and prevention of fraud.


Why is this? I suggest it’s from one or more of these factors:


  1. Those responsible for fraud prevention/detection are not aware of the capabilities of the new technology
  2. Those responsible for fraud prevention/detection are (justifiably or not) content with the ‘older’ technology
  3. Priority and/or resources are not given to fraud prevention/detection


I welcome your views.

I admit to criticizing my “alma mater”, PwC, for much of their thought ‘leadership’ over the last years.

Today, I come to praise PwC, not to bury it.

They have published an excellent guide for boards that merits reading not only by board members but also by all those responsible for management of IT, risk management, and internal audit.

Directors and IT: What Works Best suggests a six-step process, what they refer to as an IT Oversight Framework, that I believe should be effective for the majority of organizations.

Why is this important? PwC answers:

  • “The pace of change in this area is rapid, the subject matter is complicated, and the highly technical jargon used to describe emerging and evolving risks makes this a challenging area. And companies are relying more and more on technology to get ahead, often prompting substantial changes in how they operate.”
  • “Many directors are confused by and uncomfortable with overseeing IT. They sometimes don’t have an adequate understanding of the subject to be effective and confident in overseeing this area. And they do not necessarily have a well-defined process to help them in fulfilling this very important responsibility. Together, these factors can create an “IT confidence gap.””
  • “Directors are hungry for more information about the company’s approach to managing IT strategy and risk and believe they do not get enough information from management: 67% indicate their company’s approach to managing IT risk and strategy provides them with only “moderate” information to be effective or the information “needs improvement.” Many directors want more comfort regarding IT activities so they can sleep better at night.”

The six step process is described in detail in the guide. Here’s is my summary:

  1. Assessment: Understand the role of and reliance on technology – in the industry in general, and as it affects the organization in particular. As PwC says: “Conclude how important IT is to the company’s success”. But a word of caution – see #4, below
  2. Approach: Who will provide oversight of IT and technology, and how?
  3. Prioritization: Of all the technology-related activities, which merit priority attention?
  4. Strategy: In many ways, this is the most important area of focus. Most organizations are highly dependent on technology to advance – much more so than is evidenced by the responses to PwC’s study. Frankly, as intimated by PwC, when 87% directors and executives fail to indicate that reliance on technology is critical, it indicates myopia or outright blindness to the future.  PwC reports that “Nearly half of directors believe the board’s ability to oversee strategic use of IT is less than effective”. However, they also say that “Most CEOs of global companies say technology is the number-one factor that will impact their company’s future in the next three years; they believe it will be even bigger than changing economic and market conditions”.
  5. Risk: As PwC indicates, technology is a source of risk to the business, and technology-related issues need to be ‘baked’ into the risk management oversight process
  6. Monitoring speaks to the continued need for oversight, not something you take on once a year

This is, in my opinion, an excellent starting point for oversight (and management) of technology.


  • My advice is to start looking at technology as the subject of discussion rather than IT. The IT function or department only manages or directs part of the investment in and use of technology across the organization. In fact, much of the budget and decision-making when it comes to technology is increasingly outside the IT function – especially when it comes to the use of technology for marketing
  • New technology and related issues change constantly, so don’t limit yourself to the subject areas introduced by PwC. For example, I think the announcement on January 10th by SAP that they now enable organizations to run their ERP systems (including manufacturing capacity planning and other complex and calculation-intensive applications) in memory, and as much as 300,000 times faster, is amazing and may transform traditional computing.
  • Boards need to understand that IT is no longer a utility that provides a platform for the business. In most cases, it is a vital and integrated element and capability for strategy and execution. Separate discussions on IT and strategy, or even organizational performance, may soon have to disappear

I welcome your views and commentary.



Filter Blog

By author:
By date:
By tag: