How To Stay in Control in A Rapidly Changing World?
68% of Belgian companies are using a dedicated GRC tool today.
75% of Belgian companies agree their GRC tool efficiently supports their periodic user reviews and monitoring of SoD risks.
79% have access procedures over their GRC tool in place.
90% of SAP GRC implementations that occurred since 2013 have been supported by an external consultant.
www.pwc.be
Content
1. Welcome
2. Management summary
3. Introduction
3.1 What is GRC technology?
3.2 Our survey respondents
3.3 GRC technology providers
4. Results
4.1 Belgian companies have increasingly adopted GRC technology, but are still lagging behind the global trend
4.2 Companies using GRC technology use it for a variety of reasons
4.3 GRC tooling governance
1. Welcome
How are Belgian organisations performing when it comes to the use and adoption of Governance Risk and Compliance (GRC) technology? PwC Belgium conducted a survey to gain insight into Belgian organisations’ maturity on the use of GRC technology. The results of this survey show the evolution in the Belgian market since the previous survey, which was conducted by PwC Belgium in 2013. At the same time it benchmarks Belgian organisations with the global trends.
We’d like to thank the close to 100 respondents who completed this survey. They represent a great diversity of company sizes and sectors. Respondents were individuals from all levels within these companies, from C-suite to operational staff and expert users. We analysed the survey results and highlighted some key findings in this report.
Sincerely yours,
Wim Rymen
Partner,
ERP security & control solutions
• Centralised repository of a company’s internal control components, linked to all relevant regulations. This includes the documentation of actual control execution (by management and control owners), combined with internal control test plans and results of regular internal control assessments (e.g. by an independent ‘risk & compliance’ function);
The demographics of the companies we surveyed are illustrated in the following graphs
Belgium is currently at the same stage Global companies were 5 years ago
5.1 Some key GRC technology value drivers
The potential benefits of having a GRC tool in place are numerous and varied. Benefits can be quantitative, such as reduced cost and increased efficiencies, and qualitative such as fraud reduction and creating more time for value-added tasks.
GRC implementation can reduce costs through standardisation of testing, reporting, monitoring and documentation. The costs of managing compliance activities and centralising control monitoring and audit scheduling can also be cut by adopting a GRC tool. Remediation and costs for retesting failed controls also diminish, as automated controls have a higher pass rate.
An undeniable advantage of GRC implementation is a more efficient enterprise risk management (ERM). Respondents claim faster resolution of deficiencies and better visibility on remediation activities. Maturity of internal control increases by adopting consistent practices, while audit costs and preparation time are reduced by leveraging the shared repository of risks and controls across the business. GRC process automation technology is improving accuracy and efficiency across various aspects of the business, thereby freeing time for more customer-focused tasks.
In our experience, we see below as the most common benefits generated from GRC technology adoption:
• Continuous monitoring
Increased focus on continuous, automated monitoring as opposed to manual periodic sample testing not only reduces the cost of audit preparation and external auditor fees but also FTE requirements.
• Segregation of duties and restricted access reviews
Organisations that automated periodic certification reviews see significant time savings in evaluating and responding to access reviews and certifications. The PwC global survey shows that 84% of the organisations are using a GRC tool to monitor their SoD violations, and our survey shows that 75% of respondents agree that their tool efficiently supports their periodic user reviews and monitoring of SoD risks.
• Access approvals
The time to request, approve and systematically assign access decreases significantly with GRC tool automation. Users are more quickly able to obtain the access required to carry out their duties, resulting in significant operational efficiencies.
How satisfied are you with the implementation of your GRC software/tool?
To ensure your organisation benefits from investing in these tools, a sound technical implementation of the GRC tool is required. However, it doesn’t stop there. It is key to embed GRC technology in your existing risk and control-related processes and initiatives in order to reap the benefit of your technology investment. This requires sufficient time and attention to be spent on people change management and end-user training as part of your implementation.
Furthermore, and as indicated earlier in this study, GRC technology also requires governance. As part of your implementation, sufficient attention should be given to the processes needed to continuously maintain your GRC technology after go-live, in order for the technology to continue to support the evolving needs of your organisation.
A critical success factor for leveraging the benefit of your GRC technology investment is therefore ensuring you have the right skills on board during your GRC technology implementation, either in-house or via external support. Survey respondents confirmed that external support is often called upon during GRC technology implementation, with close to 90% of SAP GRC implementations that occurred in Belgium since 2013 having been supported by an external consultant.
GRC technology initiatives are often denied in the annual budgeting process, as they compete with other business priorities. Companies are often only willing to invest in such technologies as a response to audit or compliance failures, or worse – reputational damage.
A GRC tool adds value, and developing a strong business case with proper financial metrics can help pave the way for more proactive and progressive investments in controls automation technology.
• Continuous Control Monitoring (CCM)
• Reliance by external auditors – While this can be a sensitive option, it can reduce annual audit fees when the external auditor relies on the automated controls/validation in your GRC tool.
Whether your organisation is looking to upgrade an existing platform or implement a GRC solution for the first
time, PwC is here to help you benefit from the full potential of GRC technology. We’ve built a strong track record
of helping clients implement GRC technology. By combining our business process and internal control expertise
with our technical implementation expertise, you’ll get the best of both worlds. As the world’s second largest
supplier of SAP S/4 HANA related services by volume, we have extensive experience and deep technical
knowledge of this solution, which enables us to embed it into your GRC process and tools. Our tools and
accelerators will ensure an efficient yet tailored approach, while limiting disruption to your day-to-day
business.
Our technology experts are continuously following the latest trends and are familiar with the new technologies
such as robotic process automation (RPA). This enables us to combine these skills together with our knowledge
of SAP and bring truly innovative services to the market to help you become a digital champion.
SAP GRC Access Control
PwC has a long history of assisting companies through sensitive access and SoD activities to minimise risk and maximise efficiency. In 2000, we developed the first automated tool to control access provisioning and management within SAP – technology that has been integrated into SAP’s current Access Control solution. Since then, we’ve conducted hundreds of SAP Access Control implementations worldwide. Our teams integrate industry-specific business process insight with deep technical knowledge of SAP applications and security expertise. Our proven ‘get clean, stay clean’ methodology ensures that you continue to benefit from your GRC implementation for years to come.
SAP GRC Process Control
PwC can help your organisation embed better governance and controls into your business processes and transition into a sustainable state of monitoring by implementing the SAP GRC PC solution. As SAP’s leading implementation partner for PC, we assisted SAP with the detailed testing and validation of the tool, which gives us better insight and understanding into its characteristics. Because of our inherent position as a leading audit firm, we also understand business controls inside and outside. This allows us to help companies optimise controls and rationalise them (so there are fewer controls to maintain) and help implement the technology to keep that reduced number of controls in place.
SAP GRC Risk Management
PwC has the experience and know-how to understand the unique problems your business faces and help you roll out the SAP GRC Risk Management solution across the organisation. We’ll tailor a solution to tame your risk management processes and streamline cross-enterprise risk identification, analysis and monitoring. We take a systematic approach, using incremental steps to help you develop and adopt a robust and sustainable risk management program – aligned with leading practices – across your organisation.
By leveraging knowledge and lessons learned across other SAP GRC projects, our unique Centre of Excellence team can assist you throughout the implementation life cycle by providing a wide range of accelerators to facilitate project success, from Strategy through Execution.
Wim Rymen
Partner – ERP security & control solutions
M +32 473 26 92 27
E wim.rymen@pwc.com
Jeffrey Beetens
Manager – ERP security & control solutions
M +32 475 75 03 28
E jeffrey.beetens@pwc.com
At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 158 countries with more than
236,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters
to you by visiting us at www.pwc.com.
PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity.
Please see www.pwc.com/structure for further details.
© 2018 PwC. All rights reserved
Appendix
Key components of GRC technology
Document and manage the company’s overall enterprise risk framework(s), which includes:
• Risk Framework (Risk Profile, Risk Appetite, Risk Tolerances, Strategy, Objectives, etc.)
• Centralised organisation structure and hierarchy
• Risk Repository & Classification (Risk portfolio)
• Risk assessment processes
• Risk Correlation & Simulation
• Response plans library & Incident Mgmt
• Loss metrics and event collection Mgmt
• Consolidated risk Heatmap & risk exposure
• Role-based access controls and Security
Document and manage the company’s overall compliance and control framework(s), which includes:
• Support multiple compliance framework(s)
• Centralised organisation structure and hierarchy
• Policy, process and procedure definition and mgmt.
• Centralised control repository
• Centralised test and assessment libraries
• Centralised planning
• Whistleblower mechanisms (Ad-hoc issue Mgmt)
• Testing evidence repository
• Issue and remediation management
• Role-based access controls and security