
PwC Belgium’s 2nd GRC technology survey

How to stay in control in a rapidly changing world?
Insights into the use of Governance, Risk and Compliance
(GRC) technology solutions in the Belgian market

68%
of Belgian companies are
using a dedicated GRC tool today.

75%
of Belgian companies agree
their GRC tool efficiently supports
their periodic user reviews and
monitoring of SoD risks.

79%
have access procedures over
their GRC tool in place.

90%
of SAP GRC implementations that
occurred since 2013 have been
supported by an external consultant.

www.pwc.be
Content
1. Welcome...........................................................................................................2

2. Management summary.....................................................................................3

3. Introduction......................................................................................................4
3.1 What is GRC technology?...........................................................................4
3.2 Our survey respondents.............................................................................5
3.3 GRC technology providers.........................................................................7

4. Results..............................................................................................................8
4.1 Belgian companies have increasingly adopted GRC technology,
but are still lagging behind the global trend...............................................8
4.2 Companies using GRC technology use it for a variety of reasons............... 11
4.3 GRC tooling governance.......................................................................... 11

5. Value driven through GRC technology adoption.............................................. 12


5.1 Some key GRC technology value drivers.................................................. 12
5.2 Safeguard your investment by involving specialists.................................. 13
5.3 Building your GRC technology business case............................................ 14

6. What will the future bring?............................................................................. 16

7. A call-to-action for Belgian organisations........................................................20

8. How PwC can help.......................................................................................... 21

1. Welcome
How are Belgian organisations performing when it comes to the use and adoption of Governance, Risk and Compliance (GRC) technology? PwC Belgium conducted a survey to gain insight into Belgian organisations’ maturity on the use of GRC technology. The results of this survey show the evolution in the Belgian market since the previous survey, which was conducted by PwC Belgium in 2013. At the same time it benchmarks Belgian organisations with the global trends.

We’d like to thank the close to 100 respondents who completed this survey. They represent a great diversity of company sizes and sectors. Respondents were individuals from all levels within these companies, from C-suite to operational staff and expert users. We analysed the survey results and highlighted some key findings in this report.

We hope you find the information insightful and valuable in helping you further direct the GRC investments within your organisation. The information obtained through the survey has been used solely for preparing this report. At your request, we are more than willing to further discuss the results of this survey in the context of your own organisation, or to facilitate the development of an action plan that suits the focus of your business.

Sincerely yours,

Wim Rymen
Partner,
ERP security & control solutions

2 GRC technology survey


2. Management summary



3. Introduction
We wanted to gain more insight into how Belgian companies are managing risk, compliance and controls
through the use of GRC technology and what added value such technology delivers for these companies.
96 organisations located in Belgium of various sizes across more than ten industries were surveyed on GRC tool
implementation. We looked at whether, when and why they used GRC technology and the advantages it offers. Given
that the majority of the respondents had SAP as their primary ERP (Enterprise Resource Planning) system, this
report focuses on the conclusions related to GRC tools in an SAP context.

3.1 What is GRC technology?


‘GRC’ as a concept is an integrated, holistic approach to organisation-wide governance, risk and compliance. GRC aims to help ensure that an organisation acts ethically and in accordance with its risk appetite, internal policies and external regulations through the alignment of strategy, processes, technology and people. Focus on efficiency and effectiveness improvement of impacted business and/or IT processes is a key component of GRC as well.

GRC technology are those tools adopted by companies to support them in their GRC initiatives. Key components of GRC technology entail:

• Documentation and assessment of a company’s enterprise-wide risks and risk management initiatives;

• Centralised repository of a company’s internal control components, linked to all relevant regulations. This includes the documentation of actual control execution (by management and control owners), combined with internal control test plans and results of regular internal control assessments (e.g. by an independent ‘risk & compliance’ function);

• Continuous monitoring of internal control elements, e.g. configurable elements of automated controls, critical master data updates, transaction level exceptions, etc.;

• Preventive and detective management of security-related risks, like segregation of duties, access to sensitive business and IT-related functionalities and highly sensitive emergency-type access; and

• Management of an internal audit lifecycle, starting from risk assessment, to audit planning, scoping, staffing, working paper documentation and action plan definition and follow-up.

[Figure: Key components of GRC technology]



3.2 Our survey respondents

The demographics of the companies we surveyed are illustrated in the following graphs



3.3 GRC technology providers
There are currently a number of players in the market providing GRC technology
solutions including SAP, CSI tools, BWise, OpenPages and more. Of the
companies we surveyed, SAP emerged as the solution of choice with 40%
adherence. The graph below shows the breakdown of GRC technology use by
technology provider.

[Chart: GRC tool or software in place, by technology provider]



4. Results
4.1 Belgian companies have increasingly adopted GRC technology, but are still lagging behind the global trend

Our survey shows an important increase in the adoption of GRC technology in the Belgian market. While in 2013, only 18% of companies used a dedicated GRC tool, today close to 70% of companies have adopted such technology in their organisation. Advanced use of ‘spreadsheet’ type solutions (MS Office products) dropped from 51% in 2013 to 13% today.

Despite this trend, Belgian companies still lag behind the global curve, where results of PwC’s last global GRC survey (dated 2015) revealed that 96% of companies had invested in dedicated GRC technology.

Belgium is currently at the same stage global companies were five years ago.



More than 40% of GRC technology implementations of companies surveyed only
occurred in the last 5 years.

[Chart: Does your company have a GRC tool in place?]

[Chart: Year of initial installation]



Use of a GRC tool is widespread across industries, regardless of organisation type, size and international presence. The graphs below illustrate the extent of GRC tool use across these variables.

We see increased adoption across all sizes of companies, including small and medium-sized enterprises (SMEs; less than 1,000 employees): 70% have a tool (other than spreadsheets), vs. 69% overall, demonstrating that the use of such tools is no longer just for large corporations. This also shows that companies realise that spreadsheets are no longer the most effective tools to manage their risks.

Our study shows that the implementation of a GRC tool does not depend on the presence of certain internal audit or other risk/compliance functions. Regulatory compliance such as Sarbanes-Oxley (SOx) and International Standard on Assurance Engagements (ISAE) certification doesn’t influence the presence of dedicated GRC tools, clearly showing that regulatory compliance is not the only driver for implementing GRC tools.

[Chart: GRC tool implementation by organisation size]

[Chart: GRC tool implementation by organisation type]

[Chart: GRC tool implementation by international presence]



4.2 Companies using GRC technology use it for a variety of reasons

We asked organisations with a GRC tool in place what they used it for most. The main purpose cited was risk management, followed closely by internal control and access management:

[Chart: What does your organisation use its GRC software/tool for?]

This indicates a clear shift from the older vision of GRC tools. In our 2013 survey, only seven percent used a GRC tool to document risks. Now, 48 respondents out of 72 indicate they’re using it to manage risk and 42 agree that their GRC tool is good for mapping risks to strategic priorities. Of the 72 respondents, 49 state the tool helps them understand how risks can occur.

In the past, GRC tools were mainly used to manage segregation of duties (SoD) and sensitive access (SA) rights related risks in back-end ERP systems like SAP. While respondents agree that their GRC tool allows them to adequately manage their SoD and SA risks, other functionalities are cited such as risk identification and quantification, and automation of controls testing. Compared to our 2013 survey, where only five percent of respondents agreed their GRC tool provides a good way for continuous monitoring, this number has increased to nearly 50%.

[Chart: In my view, my GRC software/tool enables my organisation to ...]

4.3 GRC tooling governance


Despite an increase in the use of functionality of the tools themselves, a significant number of companies do not have the same level of controls on these GRC tools as on the ERP tools that they’re managing. This is clearly an area of attention in order to help ensure that GRC technology continues to evolve with the organisation and generates accurate and complete information.

• Only 40% indicate having a tool in place to protect their GRC tool from external risks

• 22 respondents indicate they don’t have the governance to enable long-term sustainability (or were unsure)

• 79% have access procedures in place, although 19 out of 72 indicated these are informal

• 82% have change procedures, although 19 out of 72 indicated these are informal



5. Value driven through
GRC technology adoption
A rapidly changing business environment has increased the need for robust operational processes, regulatory
compliance and effective risk management. Technology has evolved significantly over the past years and will
continue to do so. Technology will become (or is already) the cornerstone of successful organisations. With these
technological advancements comes the need for more pro-active risk management. This is where GRC tools come
into play. Like other tools, GRC tools have evolved over time and are now more performant and offer a wider range
of functionality. As a result, a growing number of organisations are embracing the advantages of a GRC tool.
Below is an overview of some of the main benefits associated with adopting GRC technology.

5.1 Some key GRC technology value drivers

The potential benefits of having a GRC tool in place are numerous and varied. Benefits can be quantitative, such as reduced cost and increased efficiencies, and qualitative such as fraud reduction and creating more time for value-added tasks.

GRC implementation can reduce costs through standardisation of testing, reporting, monitoring and documentation. The costs of managing compliance activities and centralising control monitoring and audit scheduling can also be cut by adopting a GRC tool. Remediation costs for retesting failed controls also diminish, as automated controls have a higher pass rate.

An undeniable advantage of GRC implementation is a more efficient enterprise risk management (ERM). Respondents claim faster resolution of deficiencies and better visibility on remediation activities. Maturity of internal control increases by adopting consistent practices, while audit costs and preparation time are reduced by leveraging the shared repository of risks and controls across the business. GRC process automation technology is improving accuracy and efficiency across various aspects of the business, thereby freeing time for more customer-focused tasks.

In our experience, we see below as the most common benefits generated from GRC technology adoption:

• Continuous monitoring – Increased focus on continuous, automated monitoring as opposed to manual periodic sample testing not only reduces the cost of audit preparation and external auditor fees but also FTE requirements.

• Segregation of duties and restricted access reviews – Organisations that automated periodic certification reviews see significant time savings in evaluating and responding to access reviews and certifications. The PwC global survey shows that 84% of the organisations are using a GRC tool to monitor their SoD violations, and our survey shows that 75% of respondents agree that their tool efficiently supports their periodic user reviews and monitoring of SoD risks.

• Access approvals – The time to request, approve and systematically assign access decreases significantly with GRC tool automation. Users are more quickly able to obtain the access required to carry out their duties, resulting in significant operational efficiencies.
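The SoD monitoring and periodic user review that section 3.1 lists as GRC technology components and that the value drivers above describe, as an added example written for this page; it is not code from the report or from any GRC product. The SoD rule set, the role names (`Z_AP_CLERK` and the others), the users, their last-logon dates and the register of mitigating controls are all constructed for the example, and the functions `sod_violations` and `review_candidates` are the example's own.

```python
"""Added example (not from the PwC report or any GRC vendor): a minimal
segregation-of-duties (SoD) risk analysis plus a periodic user review,
the two checks a GRC access-control tool automates. All rules, roles,
users and dates below are constructed for the example."""
from collections import defaultdict
from datetime import date

# Constructed SoD rule set: each risk is a pair of business functions that
# a single user must not be able to perform together.
SOD_RULES = {
    "P001": ("Maintain vendor master", "Post vendor invoice"),
    "P002": ("Post vendor invoice", "Release payment run"),
    "F003": ("Maintain user accounts", "Assign roles"),
}

# Constructed, hypothetical roles and the business functions they grant.
ROLE_FUNCTIONS = {
    "Z_AP_CLERK": {"Post vendor invoice"},
    "Z_VENDOR_MASTER": {"Maintain vendor master"},
    "Z_TREASURY": {"Release payment run"},
    "Z_BASIS_ADMIN": {"Maintain user accounts", "Assign roles"},
    "Z_REPORTING": {"Display financial reports"},
}

# Constructed user assignments; last_logon is None for a never-used account.
USERS = {
    "jdoe":   {"roles": ["Z_AP_CLERK", "Z_VENDOR_MASTER"], "last_logon": date(2018, 5, 2)},
    "asmith": {"roles": ["Z_AP_CLERK", "Z_REPORTING"],     "last_logon": date(2018, 4, 30)},
    "bwayne": {"roles": ["Z_BASIS_ADMIN"],                  "last_logon": date(2017, 9, 1)},
    "ckent":  {"roles": ["Z_TREASURY", "Z_AP_CLERK"],       "last_logon": None},
}

# Accepted conflicts with a documented mitigating control: (user, risk id).
MITIGATIONS = {("ckent", "P002")}

# Constructed reference date for the periodic review run.
REVIEW_DATE = date(2018, 6, 1)


def user_functions(roles):
    """Union of the business functions granted by all of a user's roles."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def sod_violations(users, rules=SOD_RULES, mitigations=MITIGATIONS):
    """Return {user: [risk_id, ...]} for every rule whose two functions the
    user can both perform and for which no mitigating control is recorded."""
    findings = defaultdict(list)
    for user, info in users.items():
        funcs = user_functions(info["roles"])
        for risk_id, (first, second) in rules.items():
            if first in funcs and second in funcs and (user, risk_id) not in mitigations:
                findings[user].append(risk_id)
    return dict(findings)


def review_candidates(users, as_of, max_idle_days=90):
    """Periodic user review: accounts that never logged on, or have been idle
    for more than max_idle_days, are returned for revalidation by the owner."""
    flagged = []
    for user, info in users.items():
        last = info["last_logon"]
        if last is None or (as_of - last).days > max_idle_days:
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    for user, risks in sod_violations(USERS).items():
        print(f"{user}: unmitigated SoD risks {risks}")
    print("accounts to revalidate:", review_candidates(USERS, REVIEW_DATE))
```

The analysis works on functions rather than on roles so that a conflict created by combining two individually harmless roles (as for `jdoe`) is caught, and a conflict that the business has accepted with a documented mitigating control (as for `ckent`) is not reported again on every run; the review list is what a dedicated tool would route to the line manager for certification.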



5.2 Safeguard your investment by involving specialists
Respondents generally agree that their investment has provided the benefits
promised by the software provider. Only eight percent indicated otherwise. Most
respondents are satisfied with the implementation (or at least partly satisfied),
with only two respondents indicating dissatisfaction.

How satisfied are you with the implementation of your GRC software/tool?

To ensure your organisation benefits from investing in these tools, a sound technical implementation of the GRC tool is required. However, it doesn’t stop there. It is key to embed GRC technology in your existing risk and control-related processes and initiatives in order to reap the benefit of your technology investment. This requires sufficient time and attention to be spent on people change management and end-user training as part of your implementation.

Furthermore, and as indicated earlier in this study, GRC technology itself also requires governance. As part of your implementation, sufficient attention should be given to the processes needed to continuously maintain your GRC technology after go-live, in order for the technology to continue to support the evolving needs of your organisation.

A critical success factor for leveraging the benefit of your GRC technology investment is therefore ensuring you have the right skills on board during your GRC technology implementation, either in-house or via external support. Survey respondents confirmed that external support is often called upon during GRC technology implementation, with close to 90% of SAP GRC implementations that occurred in Belgium since 2013 having been supported by an external consultant.



5.3 Building your GRC technology business case
Improved, robust, and efficient controls that leverage increased automation are
becoming critical as the number and complexity of risks increase for companies.
Organisations need to invest in a technological infrastructure that supports
increased automation, better reporting and stronger overall controls
governance. However, we see that cost is still often considered a hurdle. Twelve
out of 14 respondents who didn’t yet have a GRC tool in place indicated that cost
is a main reason.

GRC technology initiatives are often denied in the annual budgeting process, as they compete with other business priorities. Companies are often only willing to invest in such technologies as a response to audit or compliance failures, or worse – reputational damage.

A GRC tool adds value, and developing a strong business case with proper financial metrics can help pave the way for more proactive and progressive investments in controls automation technology.



Clearly defining and quantifying the
benefits of implementing a GRC tool
will be essential for a strong business
case. Examples of elements to be
taken into account when quantifying
the return on your GRC technology
investment are:

• Continuous Control Monitoring (CCM)

– Cost savings by enabling CCM on existing controls;

– Cost savings by converting manual controls to automated, resulting in reduced operation cost associated with execution of controls;

– Cost savings by converting manual controls to automated, resulting in reduced testing cost.

• Data Analytics – Improved data analytics lead to operational and test savings (centralising analytics, improving filters to quickly identify exceptions, increasing frequency through better technology).

• Reliance by external auditors – While this can be a sensitive option, it can reduce annual audit fees when the external auditor relies on the automated controls/validation in your GRC tool.

• Increased compliance team efficiency – Your GRC tool facilitates reporting (centralised reporting) and issue management resolution, provides semi-automation of manual controls and improved standardisation.
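The continuous control monitoring element of the business case above, and the monitoring of "configurable elements of automated controls" and "critical master data updates" that section 3.1 lists, as an added example written for this page rather than taken from the report or from any vendor's product: an approved baseline of configurable control settings is compared with a current snapshot, and a master-data change log is filtered down to the critical-field changes a control owner has to review. The setting names, the change-log columns and every value in them are constructed for the example.

```python
"""Added example (not from the PwC report or any GRC vendor): a small
continuous control monitoring (CCM) run over two constructed inputs, a
snapshot of configurable control settings and a master-data change log."""
import csv
from io import StringIO

# Constructed baseline: the approved values of configurable controls.
BASELINE = {
    "invoice_tolerance_pct": "2",
    "three_way_match": "on",
    "duplicate_invoice_check": "on",
    "payment_release_limit_eur": "50000",
}

# Constructed current snapshot, as extracted from the live system today.
CURRENT = {
    "invoice_tolerance_pct": "10",
    "three_way_match": "on",
    "duplicate_invoice_check": "off",
    "payment_release_limit_eur": "50000",
}

# Constructed change log (CSV): who changed which master-data field, when.
CHANGE_LOG = """\
timestamp,user,object,field,old,new
2018-05-03T09:12:00,jdoe,VENDOR-10042,bank_account,BE71096123456769,BE68539007547034
2018-05-03T09:15:00,jdoe,VENDOR-10042,payment_terms,NET30,NET30
2018-05-04T14:02:00,asmith,CUSTOMER-2001,credit_limit,10000,250000
2018-05-05T08:45:00,bwayne,VENDOR-10077,city,Brussels,Antwerp
"""

# Master-data fields whose every change must be reviewed by the control owner.
CRITICAL_FIELDS = {"bank_account", "credit_limit"}


def config_drift(baseline, current):
    """Return (setting, expected, actual) for every baseline setting whose
    live value differs or is missing; an empty list means the control is
    configured as approved."""
    drift = []
    for key, expected in baseline.items():
        actual = current.get(key)
        if actual != expected:
            drift.append((key, expected, actual))
    return drift


def critical_changes(log_text, critical_fields=CRITICAL_FIELDS):
    """Parse the change log and keep only actual changes (old != new) to
    critical fields; the rest is noise for this control."""
    exceptions = []
    for row in csv.DictReader(StringIO(log_text)):
        if row["field"] in critical_fields and row["old"] != row["new"]:
            exceptions.append({
                "when": row["timestamp"], "user": row["user"],
                "object": row["object"], "field": row["field"],
                "old": row["old"], "new": row["new"],
            })
    return exceptions


def ccm_report(baseline, current, log_text):
    """One run of the monitor: configuration exceptions plus master-data
    exceptions, the two lists a GRC tool would route to issue management."""
    return {
        "config_exceptions": config_drift(baseline, current),
        "master_data_exceptions": critical_changes(log_text),
    }


if __name__ == "__main__":
    report = ccm_report(BASELINE, CURRENT, CHANGE_LOG)
    for key, expected, actual in report["config_exceptions"]:
        print(f"config drift: {key} expected {expected!r}, found {actual!r}")
    for exc in report["master_data_exceptions"]:
        print(f"critical change: {exc['when']} {exc['user']} {exc['object']}.{exc['field']} {exc['old']} -> {exc['new']}")
```

Two design points carry over to a real deployment: the baseline is the documented, approved state (so a drift finding is evidence for the auditor, not just an alert), and a change whose old and new values are identical is dropped before it reaches the reviewer, which is where most of the "save time in log review" benefit comes from.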



6. What will the future bring?

S/4 HANA

SAP’s latest ERP platform S/4 HANA is a robust next generation business solution. It’s deployable in the cloud or on-premise and is built to provide value and simplicity of use while effectively controlling and automating processes, including compliance. SAP announced that it will end its mainstream maintenance support for SAP Business Suite 7 core application releases at the end of 2025. As a result, many organisations will be migrating to the newer version of SAP S/4 HANA in the coming years.

To make sure that you continue to benefit from the investments made in your GRC tools, you must ensure that these are adapted to be fit for purpose for S/4 HANA. Regardless of whether you opt for an on-premise or cloud solution, your GRC tools and related risk management procedures should be updated. This includes the necessary technical changes to your systems, but also identifying and responding to the risks that arise through these new technologies, e.g. increased use of Fiori apps.

GDPR

Starting 25 May 2018, all organisations processing personal data of European citizens must apply the new General Data Protection Regulation (GDPR). The objective of GDPR is to protect natural persons with regard to the processing of personal data and set out rules around the free movement of personal data. This regulation has a major impact on organisations’ data protection policies, processes, governance and overall how personal data needs to be handled in business. They’ll have to implement the new rules and must be able to demonstrate that they’re compliant with the new rules. In case of non-compliance, the GDPR introduced substantially higher (administrative) penalties of up to four percent of an organisation’s global annual turnover or 20 million euros, whichever is the highest.

Many companies are implementing measures to ensure compliance with this new regulation. GRC tools can be a major asset to record the identified risks and the way companies are responding to these risks.

GRC tools can also assist to demonstrate to the regulator that your company has implemented the necessary controls. Tools such as SAP GRC Emergency Access Management clearly show who has logged on to your system and what they have done. Not only can GRC technology be used to detect and prevent internal misuse of personal data, it can also be applied for protection against external threats.



Cyber
Our recent CEO survey showed that cyber threats are a major concern to most CEOs, with 40% of CEOs indicating they are extremely concerned about the impact of cyberattacks on their organisations. While ERP systems are often overlooked when it comes to cyberattacks, their increasing online availability makes them vulnerable. ERP systems are often connected to other systems within an organisation, which could result in further exposure in case of a cyber breach.

A recent study from Onapsis shows that each year, on average, 340 SAP security notes were released over the last five years. On average, it takes 12 months for SAP to release a security note after it’s been identified and another six months before organisations implement the security notes, meaning a window of vulnerability of 18 months.

As GRC tools grow in this space, organisations need to invest to ensure their systems are protected against cyberattacks. A GRC tool can help automate the efforts to protect your systems, from both internal and external threats.



Intelligent automation
Robotic process automation (RPA)
and intelligent process automation
(IPA) are new technologies that allow
companies to automate their risk and
compliance activities so GRC users
can focus their efforts on interpreting
results rather than manually
generating them. However, attention
should be paid to applying the right
technology. For example, the use of
RPA to automate the monitoring of a
particular control may be unnecessary
if the situation can be fixed at the
source with more effective application
configuration or security. Conversely,
advanced analytics and RPA may be
best used together. Analytics can be
used to pull data across diverse
environments, then an RPA solution
can review the output. Existing GRC
technologies can provide an end-to-
end compliance management solution
and workflow for all of these
capabilities, not to mention a single
source of truth for governance, risk
and compliance.



Data visualisation
With the automation of business and compliance processes comes great amounts of data. Companies are starting to use this data to carry out advanced analytics to gain insights into the processes and controls. One of the key challenges is to present this data in a digestible way for the end user. This is where the use of dashboards and other visualisation techniques comes in, e.g. the new SAP GRC Access Control 12.0 is Fiori-enabled and focuses even more on the user’s experience.

At PwC, we’ve developed a dashboard to help users interpret SAP FireFighter (FF) activities. Our dashboard converts your SAP FF logs into easy-to-understand graphs providing a complete overview on your SAP FF activities and focus your review on the key risk areas.

SAP Emergency Access Management is critical to address high-priority access issues, but few organisations have a deep understanding of how that emergency access is actually used. Learn to analyse emergency usage to spot trends and gain insights from your firefighters with the SAP Firefighter dashboard, developed by our SAP Risk assurance experts.

Our SAP Firefighter Dashboard is a user-friendly, digital platform which allows you to:

• Identify high-risk activities in the use of your SAP firefighters

• Spot trends in emergency user behaviour

• Improve your firefighter process

• Improve your IT controls over SAP emergency users

• Save time in log review

Clients who’ve adopted the tool have reported a significantly streamlined and more mature emergency process.
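The kind of log review the dashboard section describes, and the "who has logged on and what they have done" record that the GDPR section attributes to SAP GRC Emergency Access Management, as an added example written for this page; it is neither PwC's dashboard nor SAP code. Firefighter session records are turned into per-session review flags (a sensitive transaction was used, no reason or ticket was recorded, the session started outside business hours) and into a usage trend per firefighter ID and user. The log layout, the firefighter IDs, user names, ticket numbers and the business-hours window are constructed for the example; the transaction codes are standard SAP codes used only as illustration of a sensitive-transaction list.

```python
"""Added example (not PwC's dashboard or SAP's code): review of a constructed
firefighter (emergency access) session log, producing the high-risk sessions
and the usage trend a reviewer would look at first."""
from collections import Counter
from datetime import datetime

# Constructed FF log, one session per line, fields separated by '|':
# firefighter ID | user | start | end | reason or ticket | transactions executed
FF_LOG = """\
FF_FIN01|jdoe|2018-05-02T22:10|2018-05-02T23:05|INC-4411|FB01,FBL1N
FF_FIN01|jdoe|2018-05-03T09:00|2018-05-03T09:20||FBL1N
FF_BASIS1|bwayne|2018-05-03T10:30|2018-05-03T11:45|CHG-902|SU01,PFCG,SM30
FF_FIN01|asmith|2018-05-04T15:00|2018-05-04T15:10|INC-4420|FBL1N,FBL5N
FF_BASIS1|bwayne|2018-05-06T02:15|2018-05-06T02:40|CHG-910|SE16N
"""

# Transactions whose use under emergency access must always be reviewed
# (standard SAP codes chosen as illustration; the list is the reviewer's choice).
SENSITIVE_TX = {"SU01", "PFCG", "SM30", "SE16N", "FB01"}

# Constructed business-hours window: sessions started outside it are flagged.
BUSINESS_HOURS = (7, 19)


def parse_ff_log(text):
    """Turn the raw log lines into session dicts with parsed timestamps."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ff_id, user, start, end, reason, tx = line.split("|")
        sessions.append({
            "ff_id": ff_id,
            "user": user,
            "start": datetime.fromisoformat(start),
            "end": datetime.fromisoformat(end),
            "reason": reason.strip(),
            "transactions": [t for t in tx.split(",") if t],
        })
    return sessions


def session_findings(session):
    """Return the review flags raised by one session (empty list = routine)."""
    flags = []
    sensitive_used = set(session["transactions"]) & SENSITIVE_TX
    if sensitive_used:
        flags.append("sensitive:" + ",".join(sorted(sensitive_used)))
    if not session["reason"]:
        flags.append("no-reason")
    if not (BUSINESS_HOURS[0] <= session["start"].hour < BUSINESS_HOURS[1]):
        flags.append("off-hours")
    return flags


def review(text):
    """Return (high_risk, trend): the flagged sessions as
    (ff_id, user, start, flags) tuples, and a Counter of sessions per
    (firefighter ID, user) pair for spotting trends in emergency use."""
    sessions = parse_ff_log(text)
    high_risk = []
    for s in sessions:
        flags = session_findings(s)
        if flags:
            high_risk.append((s["ff_id"], s["user"],
                              s["start"].isoformat(timespec="minutes"), flags))
    trend = Counter((s["ff_id"], s["user"]) for s in sessions)
    return high_risk, trend


if __name__ == "__main__":
    flagged, usage = review(FF_LOG)
    for ff_id, user, start, flags in flagged:
        print(f"{start} {ff_id} ({user}): {', '.join(flags)}")
    for (ff_id, user), count in usage.most_common():
        print(f"{ff_id} used {count}x by {user}")
```

Only sessions with at least one flag reach the reviewer, so the routine session by `asmith` is never shown; the trend counter is what lets a reviewer notice that one user accounts for all use of a firefighter ID, which is the behavioural signal the dashboard bullets above call "spot trends in emergency user behaviour".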



7. A call-to-action
for Belgian organisations
Regulations and security threats are constantly evolving. Managing governance, risk, compliance and security
continues to be a challenge for most organisations. With increasing compliance requirements, organisations are
seeking to reduce cost and increase value derived from investment in control processes, people and technology.

Understanding your organisation’s unique business and compliance risks and then aligning people, processes and technologies is key to establishing an added value risk and controls organisation that can adapt as regulations change.

GRC tools offer non-negligible advantages in the form of reduced costs, increased efficiencies through automation and minimised errors resulting in greater compliance. The results of our study show that Belgian companies have made efforts to implement dedicated GRC tools but are still behind compared to their global peers and competitors. We see an increase in terms of number of companies using GRC tools and in terms of functionality. However, as these technologies evolve, your organisation must ensure your tools continue to adequately manage risk, including detecting and protecting against cyber threats.

A dedicated GRC solution should be an essential component of any company’s risk and control structure. Those companies relying on outdated or manual tools leave themselves at a distinct disadvantage in the face of their competitors.



8. How PwC can help

Whether your organisation is looking to upgrade an existing platform or implement a GRC solution for the first
time, PwC is here to help you benefit from the full potential of GRC technology. We’ve built a strong track record
of helping clients implement GRC technology. By combining our business process and internal control expertise
with our technical implementation expertise, you’ll get the best of both worlds. As the world’s second largest
supplier of SAP S/4 HANA related services by volume, we have extensive experience and deep technical
knowledge of this solution, which enables us to embed it into your GRC process and tools. Our tools and
accelerators will ensure an efficient yet tailored approach, while limiting disruption to your day-to-day
business.
Our technology experts are continuously following the latest trends and are familiar with the new technologies
such as robotic process automation (RPA). This enables us to combine these skills together with our knowledge
of SAP and bring truly innovative services to the market to help you become a digital champion.

SAP GRC Access Control

PwC has a long history of assisting companies through sensitive access and SoD activities to minimise risk and maximise efficiency. In 2000, we developed the first automated tool to control access provisioning and management within SAP – technology that has been integrated into SAP’s current Access Control solution. Since then, we’ve conducted hundreds of SAP Access Control implementations worldwide. Our teams integrate industry-specific business process insight with deep technical knowledge of SAP applications and security expertise. Our proven ‘get clean, stay clean’ methodology ensures that you continue to benefit from your GRC implementation for years to come.

SAP GRC Process Control

PwC can help your organisation embed better governance and controls into your business processes and transition into a sustainable state of monitoring by implementing the SAP GRC PC solution. As SAP’s leading implementation partner for PC, we assisted SAP with the detailed testing and validation of the tool, which gives us better insight and understanding into its characteristics. Because of our inherent position as a leading audit firm, we also understand business controls inside and out. This allows us to help companies optimise controls and rationalise them (so there are fewer controls to maintain) and help implement the technology to keep that reduced number of controls in place.

SAP GRC Risk Management

PwC has the experience and know-how to understand the unique problems your business faces and help you roll out the SAP GRC Risk Management solution across the organisation. We’ll tailor a solution to tame your risk management processes and streamline cross-enterprise risk identification, analysis and monitoring. We take a systematic approach, using incremental steps to help you develop and adopt a robust and sustainable risk management program – aligned with leading practices – across your organisation.

By leveraging knowledge and lessons learned across other SAP GRC projects, our unique Centre of Excellence team can assist you throughout the implementation life cycle by providing a wide range of accelerators to facilitate project success, from Strategy through Execution.



Contacts

Wim Rymen
Partner – ERP security & control solutions
M +32 473 26 92 27
E wim.rymen@pwc.com

Jeffrey Beetens
Manager – ERP security & control solutions
M +32 475 75 03 28
E jeffrey.beetens@pwc.com

At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 158 countries with more than
236,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters
to you by visiting us at www.pwc.com.
PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity.
Please see www.pwc.com/structure for further details.
© 2018 PwC. All rights reserved
Appendix
Key components of GRC technology
Document and manage the company’s overall enterprise risk framework(s), which includes:
• Risk Framework (Risk Profile, Risk Appetite, Risk Tolerances, Strategy, Objectives, etc.)
• Centralised organisation structure and hierarchy
• Risk Repository & Classification (Risk portfolio)
• Risk assessment processes
• Risk Correlation & Simulation
• Response plans library & Incident Mgmt
• Loss metrics and event collection Mgmt
• Consolidated risk Heatmap & risk exposure
• Role-based access controls and Security

Document and manage the company’s overall compliance and control framework(s), which includes:
• Support multiple compliance framework(s)
• Centralised organisation structure and hierarchy
• Policy, process and procedure definition and mgmt.
• Centralised control repository
• Centralised test and assessment libraries
• Centralised planning
• Whistleblower mechanisms (Ad-hoc issue Mgmt)
• Testing evidence repository
• Issue and remediation management
• Role-based access controls and security

End-to-end management of the audit lifecycle, which includes:
• Audit scoping & scheduling
• Organise work papers & documentation
• Support all types of audits, including internal audits, operational audits, IT audits, quality audits, etc.
• Manage audit work plans
• Risk Management monitoring efforts including but not limited to independent reviews, RCSAs, and surveys to oversee and monitor compliance and risk management activities
• Role-based access controls and Security

Document and manage the company’s overall SAP security framework, which includes:
• Sensitive access risks and controls
• Segregation of Duties risks and controls
• Super-user access Mgmt
• Security in user provisioning & Role management
• Role-based access controls and Security

Continuous monitoring and analysis of controls, data and transactions, which includes:
• Continuous control monitoring
• Continuous data monitoring (master & transactional)
• Continuous risk monitoring
• Automated business rule framework
• Continuous access monitoring
• Exception-based monitoring
• Data analytics capabilities
• Exception and issue-tracking platform
• Role-based access controls and Security
