Post on 03-Feb-2018
What we will cover
• Who is Exxaro?
• The Exxaro GRC Strategy and how SAP supports this
• Using SAP Risk Management to prioritise business processes
• Driving operational accountability and transparency: SAP Process Control
• Driving efficiency through management reports out of SAP Process Control
• Wrap-up
Setting the context, who is Exxaro?
• Exxaro is a diversified mining company: interests in coal, TiO2, Ferrous & Energy
• 2nd largest coal producer in RSA with production of 40 million tonnes
• Largest open-pit coal mine in Africa
• One of top 10 companies globally with best shareholder returns
• Market capitalisation of R52 billion ($6 billion)
GRC = Proactive + Efficient
Management system to ensure you exist in future
+ Clear roles and responsibilities
+ Effective decision making
+ Transparency, accountability and integrity
= Business Efficiency
GRC and its elements are set out in various laws and standards
Proactive + efficient = more money on the bottom line …
The Exxaro GRC strategy
Energy, Fuels, Matter
Non-renewable, Renewable, Resources, Prospecting to Proven
BWA, Waste
Ecosystem processes, Climate change, Eco-efficiency
Health & hygiene, Safety, Knowledge, Skills, Intellectual output, Motivation, Wellness, Relationships, Human rights, Equity
Internal social, Social relationships, Values and trust, Ethics, Co-operation, Networks, Operating model
External social, Partnerships, Co-operation
Communication, Trust & Reputation, Licence to operate, Customers, Suppliers
Infrastructure, Mining, Beneficiation, Logistics, Buildings, General
Technology, Engineering Productive, ICT Systems
Processes, Planning, execution, BI, Competitive edge
Innovation, IP, Eco-efficiency
Ownership, Cash & currency, Intangible assets, Share price & dividends, Risk, Corporate governance, Performance measurement, Investment & growth
To the extent that these capitals are maintained or developed, the organisation will remain sustainable.
Governance
Risk/Assurance
Compliance
How this is reflected in our strategy and business model …
Understand where SAP GRC fits into the organisational GRC culture …
What is SAP Risk Management in relation to GRC culture?
[Figure labels: People; Step Location; Resilient; Proactive; Compliant; Basic]
Where are we in the SAP GRC journey?
2013, 2014, 2015
SAP Risk, SAP PC, Integration, SAP Policy
Strategic + Operational
Procure to Pay
Hire to Retire
Strategic
EWPM, EHS&M
Safety, Health, Environment & Community
Upgrade to 10.1
There are three business rule types
• Configuration
  Description: Rules relating to configuration settings or parameters in the ERP system
  Example: Monitor configuration changes to the duplicate invoice indicators
• Master data
  Description: Rules relating to governance of master data in ERP system
  Example: Monitor changes to vendor master records e.g. change in banking details
• Transaction
  Description: Rules relating to business transactions within the ERP system based on available data
  Example: Identify duplicate payments e.g. same vendor, same date, same amount, same invoice
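The three rule types above, sketched as an added example (not part of the original slides and not SAP Process Control code). The records are constructed, and the field names and watch lists are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records; field names are assumptions, not SAP table fields.
CONFIG_CHANGES = [
    {"setting": "duplicate_invoice_check", "old": "on", "new": "off", "user": "u101"},
    {"setting": "default_payment_terms", "old": "30", "new": "45", "user": "u102"},
]
VENDOR_CHANGES = [
    {"vendor": "V001", "field": "bank_account", "user": "u103"},
    {"vendor": "V002", "field": "phone", "user": "u104"},
]
PAYMENTS = [
    {"doc": "P1", "vendor": "V001", "date": "2015-03-02", "cents": 150000, "invoice": "INV-77"},
    {"doc": "P2", "vendor": "V001", "date": "2015-03-02", "cents": 150000, "invoice": "inv-77 "},
    {"doc": "P3", "vendor": "V002", "date": "2015-03-02", "cents": 150000, "invoice": "INV-78"},
]
MONITORED_SETTINGS = {"duplicate_invoice_check"}   # assumed watch list
SENSITIVE_FIELDS = {"bank_account"}                # assumed watch list

def configuration_rule(changes):
    """Configuration rule: flag effective changes to monitored settings."""
    return [(c["setting"], c["user"]) for c in changes
            if c["setting"] in MONITORED_SETTINGS and c["old"] != c["new"]]

def master_data_rule(changes):
    """Master data rule: flag changes to sensitive vendor fields."""
    return [(c["vendor"], c["user"]) for c in changes if c["field"] in SENSITIVE_FIELDS]

def transaction_rule(payments):
    """Transaction rule: same vendor, date, amount and invoice paid more than once."""
    groups = defaultdict(list)
    for p in payments:
        # Normalise the invoice reference so case or stray spaces cannot hide a duplicate.
        key = (p["vendor"], p["date"], p["cents"], p["invoice"].strip().upper())
        groups[key].append(p["doc"])
    return [docs for docs in groups.values() if len(docs) > 1]

def run_controls():
    """Test every record (not a sample) and collect issues per rule type."""
    return {
        "configuration": configuration_rule(CONFIG_CHANGES),
        "master_data": master_data_rule(VENDOR_CHANGES),
        "transaction": transaction_rule(PAYMENTS),
    }

if __name__ == "__main__":
    for rule_type, issues in run_controls().items():
        for issue in issues:
            print(f"[{rule_type}] issue raised for control owner: {issue}")
```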
Control and issue remediation
• Test control: Controls are monitored by using business rules (automated testing)
• Raise issues: Exceptions and internal controls are identified and raised automatically as issues and sent to the control owner
• Create remediation plan: The control owner reviews the issue, creates a remediation plan and assigns it to a remediator
• Remediate issue: Users follow a workflow-based process to ensure that appropriate remediation action is taken
• Close issue: Once remediation plan has been completed by the remediator, it is automatically sent back to the control owner to close the issue
System, Control owner, Mediator, Control owner
Exxaro risk management process: 5 Phases
• Risk Planning
• Risk Identification
• Risk Assessment / Analysis
• Risk Treatment
• Reporting
Reporting = Management tools for efficiency and proactiveness
How does SAP process control differ from traditional auditing?
Traditional auditing
• Sample testing
• Focus on manual controls
• Detective monitoring
• Once-off annually
• Compliance driven
SAP process control
• Testing of all controls in the business process
• Focus on automated controls
• Real time monitoring
• Preventative monitoring
• 24/7
• Increase in business efficiency
Process control = audit = efficiency
Achieving higher confidence – lower cost
[Chart: Cost Reduction. Axis: # controls. Bars: Manual Controls and Automated, at Today and Maturity Level 1]
Less manual labour, less pushback from the business and lower cost of preparing for an audit
Achieving higher confidence – lower cost and business process improvement
[Chart: Cost Reduction and Process Improvement. Axes: # controls, time. Bars: Manual Controls and Automated, at Today, Maturity Level 1 and Maturity Level 2]
• Less manual labour (workflow, reports)
• Less pushback from the business, lower cost of preparing for an audit
• More controls, more granularity and higher frequency of checks, consistency
Achieving higher confidence – lower cost and business process improvement (cont.)
[Chart: Cost Reduction and Process Improvement. Axes: # Controls, Time. Bars: Manual Controls and Automated, at Today, Maturity Level 1 and Maturity Level 2. Curves: Cost, Assurance]
An Exxaro case study: procure-to-pay
• High-level procure-to-pay process
  Create requisition order
  Create RFQ
  Create purchase order
  Create a goods receipt note upon receiving goods
  Receive & capture an invoice
  Pay the invoice
  Vendor master records
Procurement, Finance, Vendor management
An Exxaro Case Study: Procure-to-Pay (cont.)
• Summary of controls implemented
  Procurement: 10 controls, 13 business rules
  Finance: 14 controls, 31 business rules
  Vendor management: 5 controls, 12 business rules
  Total: 29 controls, 56 business rules
NB
Every report serves a different purpose – summary report for process owner
Every report serves a different purpose – summary report by organisation for BU financial manager
Every report serves a different purpose – detailed issue report for sub-process owner and control owner
Every report serves a different purpose – remediation status report for control owner and sub-process owner
Every report serves a different purpose – summary issue owner report
Wrap-up, take home points
• GRC = Being efficient + proactive
• First define your GRC strategy
• Align your organisational GRC culture with SAP GRC
• Follow a risk-based approach for all audit activities
• Implement high impact controls first
• Opt for automated control monitoring
• Design your management reports in such a way that your implementation will lead to a more efficient organisation
Your Turn!
How to contact me:
Saret van Loggerenberg
Saret.vanloggerenberg@exxaro.com