Fabian Bentz
Excerpt from Leveraging SAP GRC in the Fight Against Corruption and Fraud by Maxim Chuprunov.
Using GRC to fight corruption: From the concept to implementation
In this chapter, I present a practical concept for fighting corruption which is based on processes that most companies are already using (e.g., ICS, risk and policy management). In doing so, I will show how an anti-corruption framework can be implemented in a company as part of an overarching and integrated GRC initiative.
There are numerous studies about how to tackle the topic of “fraud and corruption” in both the private sector and government institutions. One of the most important of these is the publication by the World Bank Institute, “Fighting Corruption Through Collective Action – a Guide for business” [13]. This study (although it was undertaken in 2008, it is still extremely relevant) is the result of joint work between the World Bank Institute, United Nations Global Compact, Transparency International, and other well-known bodies as well as renowned companies such as Siemens, Microsoft, etc. The above-mentioned Guide for Business and other studies contain similar elements that can be combined into a “best practice” concept for fighting corruption in a company.
2.1 The concept: The anti-cube in action
There are three levels of anti-corruption measures that a company “can establish”:
1. Internal processes
2. External communication
3. Collective action
“Can establish” is a rather diplomatic phrase: these measures are actually more of a must because it is only the three levels as a whole that make an anti-corruption initiative complete—that is, it is only together as a whole that the measures sustainably secure the success of the initiative and the investment made.
In most companies, the focus is on internal processes. This is due to the fact that an anti-corruption initiative is based on a backbone of ICS and risk management.
1) Internal processes should contain clearly defined steps for identifying the conflicts of interest and corruption risks; the processes should establish preventive and detective controls, and should ensure the implementation of the measures as well as communicate the policies.
To ensure that internal anti-corruption processes are successful, it is both important and essential to promote a positive perception of the risk management function and ethics within the corporate culture. Management must act as a role model and support the GRC initiatives. Nevertheless, it is also very important to supplement the internal processes with the two other process levels, as already stated.
2) External communication: swapping experiences about best practices, success stories, appearances at conferences; publication of Corporate Social Responsibility (CSR) reports; drawing up contracts with business partners, vendors, and sales partners with reference to their agreement with compliance policies.
Besides communication, there are further ways in which a company can cooperate with the outside world to tackle corruption together. These measures are urgently recommended not only in high-risk regions but also for pertinent industries and transactions regardless of the region. In particular, these more intensive forms of cooperation are aimed at fighting bribery as a type of corruption and they are grouped under the term “collective action” (see also Section 3.1.2).
3) Collective action involves forming alliances to overcome corruption and isolate black sheep together. In addition to companies and their respective supply chain (partners, vendors, customers, etc.), such alliances include society as well as government and non-government organizations.
We will keep these three important levels of fighting corruption in mind when we describe our concept later on. What sources is our idea based on and what is the core of the idea? As already mentioned, there are numerous studies and guidelines published by the World Bank, the UN, Transparency International, etc. that are aimed at helping companies to fight corruption. They are all based on the four internal processes shown in Figure 2.1:
Figure 2.1: Process steps in an anti-corruption framework
These studies and guidelines provide very good suggestions and in some cases, very specific and tangible recommendations for practice. However, they are not very well known among the people responsible for risk and compliance topics in companies even though studies such as COSO and COBIT and relevant ISO standards influence the risk and compliance management processes significantly. The core of our plan, therefore, lies in making anti-corruption studies more well known by linking them with known concepts and implementing them practically using software-supported processes.
The idea of considering anti-corruption topics as an important part of compliance processes is not new. This is because:
– On one hand, an internal control system according to COSO has, amongst other things, a clear anti-fraud focus
– On the other hand, the multiple compliance framework principle (i.e., the opportunity of mapping multiple customer-specific compliance dimensions) has become established in GRC applications and processes
To get a better understanding of how a company can achieve its own anti-corruption objectives with the support of software, I would like to highlight this special focus to the maximum. However, I will start with the conceptual structure of an anti-corruption framework, which is independent of any particular software.
Based on the familiar COSO cube, the 3D diagram of an anti-corruption framework shown in Figure 2.2 (for the sake of simplicity, I will call this the anti-cube) is intended to supplement the four process groups referred to above and summarize their most important properties.
Figure 2.2: The anti-cube
The three sides of the anti-cube summarize the following: on the top, you can see the most important content elements (or simply content); these elements are strongly rooted in the internal control system. As well as having anti-corruption-specific properties, the activity types (right-hand side of the anti-cube) are based on COSO components and identify activities. The activities are grouped in four process groups.
Before we look at the individual sides of the anti-cube in more detail, I would like to explain how this still rather abstract construct should help you to automate GRC.
In many companies, GRC is predominantly used to help ensure the correctness of external financial reporting. This book shows you how you can also use GRC components to detect and prevent corruption and fraud.
Walk through an overview of the solutions available in the SAP GRC Suite, as well as the new SAP applications for Assurance and Compliance. You will learn how to benefit from SAP HANA in Big Data scenarios and obtain guidelines on how to set up detection scenarios in SAP Fraud Management.
The author expertly shows readers that the key to a successful GRC initiative does not lie in the features and functions of a specific software product. Understand the drivers for efficiency and the multi-layered added value of automating. In addition, you will learn the basics to provide a tool-independent foundation for the automation of a group-wide anti-corruption initiative.
– Risk management and internal control systems
– Design and implement an anti-corruption initiative
– Automated drivers and added value GRC
– Detection scenarios using SAP Fraud Management and SAP HANA
Author Maxim Chuprunov (CPA, CISA, CRISC) studied Business Administration in Russia and Germany. He was then employed for a long time at KPMG DTG in Munich, Germany, and KPMG LLP in Boston, USA. From the very beginning, he specialized in the topics of risks, ICS, and data analytics in the SAP environment. Maxim Chuprunov then worked as an SAP FI/CO consultant at SCHENKER AG in Germany. In 2007, he joined the Center of Expertise Financials & Compliance at SAP (Switzerland) AG. In his role as Senior Consultant, he realized implementation projects for SAP GRC solutions with a focus on ICS automation worldwide and took part in tests and the software design for SAP Process Control. In 2010, Maxim Chuprunov founded Riscomp GmbH (SAP Implementation Partner, Recognized Expertise Partner, SAP Education Partner) and since then, with his team of experts, has been helping customers to automate GRC-relevant processes, amongst other things, based on Riscomp GRC Cloud. He is also engaged by SAP Education as a trainer for various GRC training courses.