SAP ERP Financials: SAP Solutions for Governance, Risk, and Compliance and SAP GRC Access Control
Rainer Salaw, CPA, SAP Deutschland AG & Co KG, Regional Solution Sales GRC EMEA
Barbara Mayer, Enterprise Risk Management, SAP Consulting
SAP AG 2007, SAP Skills 2007 Conference / G3 / 3
GRC as part of SAP Financials
Challenge for GRC
GRC-Suite in detail
Value proposition
AGENDA
The Fast Track to SAP Knowledge
SAP AG 2007, SAP Skills 2007 Conference / G3 / 4
SAP AG 2007, SAP Skills 2007 Conference / G3 / 5
Gartner Strong Positive
About SAP GRC Access Control: SAP is the only vendor with a Gartner "recommends" rating in all technique categories (static analysis, provisioning support, integrated provisioning workflow, transaction monitoring and emergency access); offers one of the strongest product sets in our analysis, comprehensively addressing all SoD issues across multiple SAP instances; capable of running on multiple ERP platforms.
Source: Gartner, MarketScope for Segregation of Duties Controls Within ERP, 2007
Rating scale: Strong Negative, Caution, Promising, Positive, Strong Positive (SAP rated Strong Positive)
SAP AG 2007, SAP Skills 2007 Conference / G3 / 6
mySAP ERP Financials
Corporate Performance Management (CPM): Strategy Management (Balanced Scorecard), Consolidation, Planning
Accounting & Finance Transformation: FI, FI-AA, FI-AR/AP, NewGL, CO, PCA
Financial Supply Chain Management (FSCM): Credit Mgmt., Collections Mgmt., Dispute Mgmt., FI-CA, Biller Direct, In-house Cash
Governance, Risk, and Compliance (GRC): internal regulations / ethical standards, strategic/operative risks, external regulations / compliance with laws
SAP AG 2007, SAP Skills 2007 Conference / G3 / 7
GRC as part of SAP Financials
Challenge for GRC
GRC-Suite in detail
Value proposition
AGENDA
The Fast Track to SAP Knowledge
SAP AG 2007, SAP Skills 2007 Conference / G3 / 8
Business Case: the True Information Age
In 2010 the need for fast, accurate and reliable information will have increased significantly. The demand will rise most in four areas; two of them are Risk Management and Governance.
SAP AG 2007, SAP Skills 2007 Conference / G3 / 9
Fragmented Processes and Systems: A Risky Situation!
Supply Chain, Customers & Channel: fragmented view across functions
Finance: complex, international compliance requirements (e.g. revenue recognition)
Compliance / Risk Office: high-level risks, not proactive
Sales: credit risks, customer ratings
Purchasing: supplier rating & embargo lists
Management: no overview of the risk portfolio
IT: IT security; SoD management, fraud
Human Resource: environmental health & safety
Supervisory board, internal audit: almost manual, sample-based, not error-free controls
SAP AG 2007, SAP Skills 2007 Conference / G3 / 10
Gain Confidence by Proactive Transparency with SAP GRC
Supervisory board, internal audit: documented decisions, audit trail
Compliance / Risk Office: real-time risk analysis, integrated view
Management: transparency about risks => maximum confidence!
IT: highly secured IT systems
Purchasing: transparent rating, compliance with trade regulations
Finance: compliance in group reporting processes
Human Resource: compliance with environmental standards
Sales: transparent customer solvency
SAP AG 2007, SAP Skills 2007 Conference / G3 / 11
Fragmentation vs. Holistic Approach to GRC
From fragmented risk & compliance (separate silos for Information Security, SOX Compliance, Risk Mgmt and Internal Audit) to holistic GRC:
Business Process Platform
Business Applications
SAP Solutions for GRC
Cross-Industry GRC: Access Controls, Process Controls, Risk Management, Global Trade Environment
GRC Repository: Documentation and Monitoring
Industry-Specific GRC
SAP AG 2007, SAP Skills 2007 Conference / G3 / 12
GRC Suite Functions for All Process-Oriented Risks and Regulations
GRC Suite: Access Control (Compliance Calibrator, Role Expert, Access Enforcer, Fire Fighter), Risk Management, Process Control
Cross-industry solution; industry-specific solutions: Global Trade Services (GTS), Environment, Health & Safety (EH&S), more solutions
SAP AG 2007, SAP Skills 2007 Conference / G3 / 13
GRC Suite Functions for All Process-Oriented Risks and Regulations
GRC Suite: Access Control, Risk Management, Process Control, GRC Repository
SAP GRC Access Control: Risk Analysis and Remediation, Enterprise Role Management, Compliant User Provisioning, Superuser Privilege Management
Cross-industry solution; industry-specific solutions: Global Trade Services (GTS), Environment, Health & Safety (EH&S), more solutions
SAP AG 2007, SAP Skills 2007 Conference / G3 / 14
SAP Solutions for GRC: Framework for an Integrated GRC Solution
Business Process Platform, Business Applications, Business Process
GRC as an integrated part of all business processes
Leverage integration through high automation (e.g. automatic controls)
Group-wide utilization, open architecture (use of SAP's technology platform, no limitation to SAP ERP systems)
SAP GRC Access Controls
SAP AG 2007, SAP Skills 2007 Conference / G3 / 15
GRC Repository: Central System of Record Drives Governance, Increases Transparency
Inputs to the GRC Repository: performance measures & benchmarks; regulations & industry mandates; risk & control libraries; corporate policies & procedures; BOD & committee minutes
Influencing parties: best-practice control frameworks (COSO, COBIT); advisory services (auditors, attorneys); internal policies; governmental agencies; councils
Enforces governance for the entire enterprise
Regional regulations
Multiple frameworks for each department
Pre-built control & risk libraries
Complete body of evidence for compliance
Centralized knowledge base for all GRC-relevant information beyond fragmentation
Single source of truth for reporting
SAP AG 2007, SAP Skills 2007 Conference / G3 / 16
GRC as part of SAP Financials
Challenge for GRC
GRC-Suite in detail
Value proposition
AGENDA
The Fast Track to SAP Knowledge
SAP AG 2007, SAP Skills 2007 Conference / G3 / 17
How Does GRC Support You?
Access Controls: identification of all kinds of risks (group-wide): segregation of duties risks, fraud, risky system authorizations, misuse of rights
Process Controls: compliance of processing, adherence to governance, focus on operational business risks, quality of processes
Risk Management: focus on non-operative risks, opportunity management, decision support
Transparency and Remediation: define appropriate actions for identified risks; eliminate risks by segregation of duties (remove authorizations, redesign processes); minimize risks by defining appropriate mitigation controls; maximize risk awareness (transparency, continuous monitoring, escalation, mitigation, remediation)
Governance & Compliance, e.g. Sarbanes-Oxley Act (SOX), KonTraG etc.; rules of business conduct, ethical standards, governance rules
Scale ranging from automation to manual activity
SAP AG 2007, SAP Skills 2007 Conference / G3 / 18
Access Controls: Risk Analysis and Remediation, Enterprise Role Management, Superuser Privilege Management, Compliant User Provisioning
SAP AG 2007, SAP Skills 2007 Conference / G3 / 19
SAP GRC Access Control: Sustainable Prevention of Segregation of Duties Violations
Cross-enterprise library of best-practice segregation of duties rules; risk analysis, remediation and prevention services
Risk Analysis and Remediation: rapid, cost-effective and comprehensive initial clean-up (Get Clean)
Enterprise Role Management: enforce SoD compliance at design time (Stay Clean)
Compliant User Provisioning: prevent SoD violations at run time (Stay Clean)
Superuser Privilege Management: close the #1 audit issue with temporary emergency access (Stay in Control)
Periodic Access Review and Audit: focus on remaining challenges during recurring audits (Stay in Control)
Minimal time to compliance; continuous access management; effective management oversight and audit
SAP AG 2007, SAP Skills 2007 Conference / G3 / 20
Risk Analysis and Remediation: Getting Clean
End-to-end automation: risk identification, risk elimination, prevention, reporting
Initial risk analysis and remediation facilitates collaboration between Business and IT to clean up access risks
"The clean-up process has brought a tremendous degree of discipline to the way we think about and manage user access and authorizations." Deepak Mehrotra, SOX Compliance Manager, Synopsys Inc.
SAP AG 2007, SAP Skills 2007 Conference / G3 / 21
Cross-System Risk Analysis
Heterogeneous IT landscape: legacy, custom, financials and accounting, inventory and purchasing systems
Example from the figure: a user holds the authorization "Maintain vendor master data" in one system and the authorization "Initiate payment to vendor" in another. Together they form a segregation-of-duties RISK that only a cross-system analysis can see; the VIRSA cross-enterprise rule set flags it.
SAP AG 2007, SAP Skills 2007 Conference / G3 / 23
How Does it Work? Compliance Calibrator
Business applications (e.g. ERP 2005) are connected through Real-Time Agents (RTA); the SOD matrix defines the PLAN, i.e. which combinations are not allowed.
Risk analysis function: the compliance officer requests a risk analysis for user Maier; the user's ACTUAL authorizations are compared against the PLAN and any risks are output in a risk report.
SAP AG 2007, SAP Skills 2007 Conference / G3 / 25
SAP GRC Access Control: Risk Analysis and Remediation Functionality
GRC Access Control content covers more than 200 risks
Risk analysis and remediation functionality: risk analysis, detection and remediation of SoD violations in access control and authorization management, as well as critical transactions or authorization objects
Rule matrix: Function 1 (System 1 ... System n, Transaction 1 ... Transaction n) against Function 2 (System 1 ... System m, Transaction 2 ... Transaction m) yields about 180,000 rules
SAP AG 2007, SAP Skills 2007 Conference / G3 / 27
Architecture: Automatic Rule Generation
Business risks are defined as pairs of business functions; each function is defined as a list of system actions with their permissions. The Compliance Calibrator rule generation expands every risk into ALL cross combinations of action + permission between the two functions:
Risk 1 = Function A (Action 1 + Permission 1, Action 2 + Permission 2, Action 3 + Permission 3, ... Action n + Permission n) x Function B (Action 4 + Permission 4, Action 5 + Permission 5, Action 6 + Permission 6, ... Action n + Permission n) -> Risk Rule 1, Risk Rule 2, ... Risk Rule 9, ... Risk Rule n
Risk 2 = Function C (Action 7 + Permission 7, Action 8 + Permission 8, Action 9 + Permission 9, ... Action n + Permission n) x Function D (Action 10 + Permission 10, Action 11 + Permission 11, Action 12 + Permission 12, ... Action n + Permission n) -> Risk Rule 10, Risk Rule 11, ... Risk Rule 18, ... Risk Rule n
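The rule expansion and the plan-versus-actual comparison described on these slides, as an added example that is not part of the presentation and not SAP's product code: functions are sets of action + permission pairs, each risk pairs two functions, the rule set is the cross product of the two sides, and a user violates a risk only when holding both sides. The same block also shows the preventive simulation that the Compliant User Provisioning slides describe (checking a requested assignment before it is granted). The transaction codes, authorization values, user names and mitigations are constructed sample data, not an SAP rule set.

```python
# Added example (not SAP code): expand SoD risks into rules and analyse users.
# Names, transaction codes, authorization values and users are constructed.
from itertools import product

# Business functions: action (transaction code) + permission (auth object:activity).
FUNCTIONS = {
    "Maintain vendor master data": {("FK01", "F_LFA1_APP:01"), ("FK02", "F_LFA1_APP:02")},
    "Initiate payment to vendor":  {("F110", "F_REGU_BUK:21"), ("F-53", "F_BKPF_BUK:01")},
    "Maintain purchase orders":    {("ME21N", "M_BEST_BSA:01")},
    "Post goods receipt":          {("MIGO", "M_MSEG_WMB:01")},
}

# Business risks: each one is a conflicting pair of functions.
RISKS = {
    "P001": ("Maintain vendor master data", "Initiate payment to vendor"),
    "P002": ("Maintain purchase orders", "Post goods receipt"),
}

# Constructed ACTUAL authorizations held by users in the system.
USERS = {
    "MAIER":   {("FK01", "F_LFA1_APP:01"), ("F110", "F_REGU_BUK:21"), ("ME21N", "M_BEST_BSA:01")},
    "HUBER":   {("ME21N", "M_BEST_BSA:01"), ("MIGO", "M_MSEG_WMB:01")},
    "SCHMIDT": {("FK01", "F_LFA1_APP:01"), ("FK02", "F_LFA1_APP:02")},
}

# Mitigating controls accepted by a control owner: risk IDs a user may keep.
MITIGATIONS = {"HUBER": {"P002"}}


def generate_rule_set(risks=RISKS, functions=FUNCTIONS):
    """Expand every risk into concrete rules: all cross combinations of one
    action+permission from function A with one from function B (the PLAN)."""
    rules = []
    for risk_id, (func_a, func_b) in risks.items():
        for pair_a, pair_b in product(sorted(functions[func_a]), sorted(functions[func_b])):
            rules.append((risk_id, pair_a, pair_b))
    return rules


def analyse_user(auths, rules, mitigated=frozenset()):
    """Compare ACTUAL authorizations against the rule set. A rule fires only when
    the user holds both sides, i.e. can execute both conflicting functions."""
    report = {}
    for risk_id, pair_a, pair_b in rules:
        if pair_a in auths and pair_b in auths:
            status = "mitigated" if risk_id in mitigated else "open"
            entry = report.setdefault(risk_id, {"status": status, "conflicts": []})
            entry["conflicts"].append((pair_a, pair_b))
    return report


def analyse_all(users=USERS, mitigations=MITIGATIONS, rules=None):
    """Risk report for every user: the detective 'Get Clean' run."""
    rules = generate_rule_set() if rules is None else rules
    return {u: analyse_user(a, rules, frozenset(mitigations.get(u, ()))) for u, a in users.items()}


def simulate_assignment(auths, new_auths, rules):
    """Preventive check at provisioning time: which risks would the requested
    authorizations introduce that the user does not already have?"""
    before = set(analyse_user(auths, rules))
    after = set(analyse_user(auths | new_auths, rules))
    return sorted(after - before)


if __name__ == "__main__":
    rule_set = generate_rule_set()
    print(f"{len(rule_set)} rules generated")
    for user, findings in analyse_all().items():
        print(user, findings or "no SoD conflicts")
    # Request: grant MAIER goods-receipt posting on top of purchase-order maintenance.
    print("MAIER + MIGO would introduce:",
          simulate_assignment(USERS["MAIER"], {("MIGO", "M_MSEG_WMB:01")}, rule_set))
```

Two functions with two pairs each expand to four rules, which is why real rule sets reach the six-figure counts the slides quote; a mitigated risk still appears in the report so that the mitigation decision itself stays auditable.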
SAP AG 2007, SAP Skills 2007 Conference / G3 / 28
Enterprise Role Definition: Enables Enterprise Role Definition and Maintenance in a Single Location
Centralized role management across applications, with enterprise rules and an audit log, in SAP GRC Access Control
Compliant enterprise roles
Reduce cost of role maintenance
Ease compliance and avoid authorization risk
Eliminate errors and enforce best practices
Assure audit-ready traceability and security checks
28% time savings in role management (Customer Survey, 3/2006)
Enterprise-wide role definition and maintenance with built-in segregation-of-duties check
SAP AG 2007, SAP Skills 2007 Conference / G3 / 31
SAP GRC Access Control Enterprise Role Management
SAP AG 2007, SAP Skills 2007 Conference / G3 / 32
Typical Challenges
Too many users have SAP_ALL: SoD violations!
No activity monitoring, no audit trail
No time limitation for SAP_ALL users
No clearly assigned responsibility for SAP_ALL authorizations
Smart emergency situation management: no clear workflow in case of emergency!
-> SAP GRC Superuser Privilege Management for SAP
SAP AG 2007, SAP Skills 2007 Conference / G3 / 33
SAP GRC Superuser Privilege Management
Flow in the SAP system: user Maier logs in as a normal user and starts the FireFighter transaction, selecting one of the FireFighter IDs assigned to him (FICO, MM, SD, Basis, SAP_ALL). A new session with a log is opened, in which he performs the activity and conducts the process. He then logs off as FireFighter and continues, or logs off the system, as normal user Maier.
Multiple FireFighter IDs are assigned to user Maier.
All FireFighter activities are recorded in detail in a log file.
Multiple usage of FireFighters (e.g. year-end closing activities, substitution activities, design of new roles, and many more).
Eliminates the no. 1 auditors' issue!
SAP AG 2007, SAP Skills 2007 Conference / G3 / 34
SAP GRC Access Controls: Compliant User Provisioning
Assignment (and revocation) of roles and authorization profiles with a built-in, automatic segregation-of-duties check
Current approach (inefficient, not compliant): access request -> manager approval -> role owner -> IT security -> manual provisioning, handled with tables, forms, Word, Excel etc.
Workflow process in Access Enforcer: request generated (100% automated from an HR event such as employee hired/retired, or via e-mail) -> manager approval -> risk analysis (one-click preventive simulation; online risk analysis in Compliance Calibrator, compliant roles from Role Expert) -> automated provisioning (100% automated)
Workflow path based on request type and user attributes; escalation workflow; exception workflow
"We reduced provisioning from 2 weeks to 2 days." Web seminar, Rockwell Collins, 3/2005
SAP AG 2007, SAP Skills 2007 Conference / G3 / 36
SAP GRC Access Control 5.3: SAP GRC Access Control branding and single launchpad for all 4 access control capabilities
Roadmap SAP GRC Access Control 5.3: Q2 2007 (AC 5.2 SP3), Q3 2007 (AC 5.2 SP4), Q1 2008 (AC 5.3)
Access Control 5.2 SP3
Language translations: Country A languages (English, French, German, Japanese); Country B languages (Spanish, Portuguese, Italian, Hungarian)
Cross-enterprise (Greenlight): Real-Time Agents for risk analysis; comprehensive SOD rules for Oracle, JDE and PeopleSoft
Superuser privilege management (formerly known as Virsa Firefighter for SAP)
Change log / self auditing
Audit trail for configuration changes
Write log report to designated file server
Web report enhancements
Report filter variant
Report for all systems
Retrieve change log from CDHDR table for performance improvement
Assign multiple FF owners to one FF ID
Enterprise role management (formerly known as Virsa Role Expert)
Close RE 4.0 gaps
Additional reports: search roles; single composite role relationship; list roles & transactions; more detailed role change history; role authorization changes at object field level; view PFCG change log
Generate roles for multiple systems
Risk simulation for combined roles and existing user simulation at role design time
Enforce naming convention according to policy
Role mappings
Misc.: import/export of configuration data; migration scripts
Compliant user provisioning (formerly known as Virsa Access Enforcer)
Compliant provisioning for SAP EP
Compliant provisioning for Oracle, PeopleSoft and JDE (Greenlight)
HR triggers for PeopleSoft
Password resets for ORCL, PSFT, JDE
Close AE.net & SAFE gaps
Authoritative user sources: integration with multiple LDAPs and SAP HR as user data source
Reporting and reporting enhancements: user access reviews (manager / user reaffirm); cross-system risk analysis / simulation
Supporting multiple CUAs
Full support for all SU01 fields
Misc.: form customization; import/export of configuration data
Risk analysis and remediation (formerly known as Virsa Compliance Calibrator)
Risk analysis for SAP Enterprise Portal and UME
Close critical CC 4.0* & SAFE gaps
BI integration for custom reporting
Reporting / reporting enhancements: additional auditor, business manager and IT reports
SOD management by exception (integration with workflow)
Miscellaneous: import/export of configuration data; migration scripts; download and print capability on every report
Performance improvements: concurrent risk analysis; batch mode risk analysis; improved memory management
Access Control 5.2 SP4
Web services for IDM integration (official and stable API for partners)
Fix for connector limit in Compliance Calibrator
* Note: This release will not include granular security and logging requirements in the next release
SAP AG 2007, SAP Skills 2007 Conference / G3 / 38
SAP Solutions for GRC Framework for an Integrated GRC-Solution
Business Process Platform
Business Applications
Business Process
SAP GRC Access Controls
SAP AG 2007, SAP Skills 2007 Conference / G3 / 39
SAP Addresses the Needs of Multiple Stakeholders (Virsa Support)
Business Executives, concerns: risk appetite, risk avoidance, visibility, timely notification, cost of compliance
Internal Auditors, concerns: controls in place, controls working effectively, risks correctly identified, response to control deficiencies, preventive controls
Business Process Managers, concerns: risk identification & evaluation, timely notification, maximum productivity
IT Security and Support, concerns: identify & implement compliance systems, fit with IT infrastructure, transfer accountability to business, prevent risk from entering systems
SAP AG 2007, SAP Skills 2007 Conference / G3 / 40
Benefits of Using an Integrated Control System
AUTOMATION: reduce cost without compromising compliance; reduced audit fees and testing costs; streamlined testing and remediation
INSIGHT: effectively manage business, financial, and compliance performance; real-time view of control health; enterprise-wide visibility into risks and controls
CONTROL: increase confidence in the effectiveness of your controls; 100% testing of all data all the time; enable early detection and remediation
SAP AG 2007, SAP Skills 2007 Conference / G3 / 41
PC 2.5 Supports Compliance Processes
Compliance process (Management, then Auditor): Scoping and Set-Up -> Document Processes and Controls -> Assess Control Design and Remediate Issues -> Test Operating Effectiveness -> Sign-Off, Prepare Certification / Internal Control Report -> Attest and Report
Scoping and set-up: organization hierarchy; central process catalog; central catalog of control objectives/risks; assignment of sub-processes to significant accounts/relevant assertions; gap analysis reporting; identify fraud-related risk
Document processes and controls: assignment of sub-processes to organizations; organization-specific control documentation; documentation of testing procedures; documentation of entity-level controls; setup of automated control testing and monitoring
Assess control design and remediate issues: control and process design assessments via surveys; entity-level control assessments via surveys; identification of issues; validation of assessments; remediation of issues; progress tracking and analysis
Test operating effectiveness: documentation of testing results; documentation of continuous control monitoring; identification of issues; remediation and retest of issues; progress tracking and analysis
Review, attestation, reporting: analysis overviews with drill-down functionality; management reports; workflow-triggered sign-off supporting 404 reporting / 302 certification
Continuous Control Monitoring
SAP AG 2007, SAP Skills 2007 Conference / G3 / 42
Process Control 2.5 Solution Overview
Structure: organization hierarchy; account groups/assertions; process hierarchy; control objective catalog; entity-level controls hierarchy
Assessment surveys: question library; survey library
Manual tests: test plans
Automated testing: rules; queries; scheduling
Evaluation work list: compliance assessments, testing, monitoring
Analytics work list; sign-off; user roles; delegation
SAP AG 2007, SAP Skills 2007 Conference / G3 / 43
PC 2.5 Innovation Information Architecture and Organization Hierarchy
Improved productivity with new work center-based design approach
SAP AG 2007, SAP Skills 2007 Conference / G3 / 44
Control Framework and Organization Management: Structure Definition
Organizational hierarchy (n-tier): business segment, region, division / legal entity, business operation, location / operating unit
Account hierarchy: account groups, significant account, assertions
Process / risk / control hierarchy: compliance category, process, sub-process, risks/control objectives, controls, control tests (manual/auto), remediation case
Assessments, assertions and the sign-off flow are attached to these structures
SAP AG 2007, SAP Skills 2007 Conference / G3 / 45
SAP GRC Process Control
Convergence of Controls Process Management and Continuous Controls Monitoring
Single solution for end-to-end enterprise control management
Provides centralized control management for automated and manual controls: financial controls, operational controls, IT controls
Enables management by exception: prioritizes remediation activities; provides management insight into the control environment
Figure: control lifecycle Document -> Test -> Monitor -> Certify over the Process-Control-Objective-Risk structure, IT infrastructure and business processes: Perform Assessments (survey), Test Automated Controls, Test Manual Controls, Review Exceptions / Remediate Issues, Certify and Sign-off (302, designs)
SAP AG 2007, SAP Skills 2007 Conference / G3 / 46
GRC Process Control: Single Solution for End-to-End Enterprise Control Management
GRC Repository rationalizes controls against multiple frameworks
Links control documentation to manual and automated control tests
Provides a flexible organization hierarchy
Flexible integration framework for document management systems
Single source of truth for reporting
SAP AG 2007, SAP Skills 2007 Conference / G3 / 47
Actionable Intelligence from Compliance Analytics
Role-based dashboards provide actionable insight into control status
Global heat map highlights exceptions from all control tests and assessments
Management-level reports highlight exceptions from all control tests and assessments
Enterprise transparency across multi-instance and multi-platform environments
SAP AG 2007, SAP Skills 2007 Conference / G3 / 48
SAP GRC Process Control Dashboard
Control Execution Monitor provides the latest information on deficiencies
Control Monitor provides summarized information over time
Inbox provides quick access to cases and tasks
Survey Monitor tracks sign-off and assessment surveys
All information is organized in tabs
SAP AG 2007, SAP Skills 2007 Conference / G3 / 49
Management Reports with Drill-Down
Drill-down capability provides details of the cases and case priority for each report
SAP AG 2007, SAP Skills 2007 Conference / G3 / 50
SAP GRC Process Control: Centralized Control Management
One system for managing automated and manual controls
The system can manage financial controls, operational controls and IT controls
Controls can be monitored across multiple enterprise systems
Improve controls with regular assessments
SAP AG 2007, SAP Skills 2007 Conference / G3 / 51
Control Environment Setup
Selects controls that contribute to financial quantification of risk for executive reporting
Creates the complete control environment, including organizations, business processes, sub-processes, risks, objectives and test plans
Creates and links both manual and automated control tests in a single application
Assignment of test plan and test step owners
Assignment of compliance information (financial and non-financial assertions)
Assignment of organizations
Example: Process "Manage Financial Accounting" -> Subprocess "Perform Closing" -> Risk "Manipulation of financial results" -> Objective "Accurate financial reporting" -> Control "Prior period posting check"
SAP AG 2007, SAP Skills 2007 Conference / G3 / 52
SAP GRC Process Control: Centralized Control Management
Automated process controls detect global violations and prioritize corrective action (automatic case generation)
Apply the same control to multiple organizations (version concept)
Automatically monitors controls in multiple enterprise applications
80 master controls were delivered
SAP AG 2007, SAP Skills 2007 Conference / G3 / 53
Three Ways to Monitor Automated Controls Across Critical Business Processes
Select a pre-delivered test: pre-delivered tests with flexible rule criteria for SAP and Oracle
Re-use a custom test: plug-and-play your existing test scripts
Construct an ad-hoc test: create control tests on-the-fly with the custom query builder
Covered processes: Order to Cash (order capture, order fulfillment, billing & returns, revenue recognition); Procure to Pay (demand planning, operational procurement, inventory management, payables management); Reconcile to Report (budgeting, planning, sub-ledger transactions, financial close, consolidation & reporting); IT (basis, application security, change control)
SAP AG 2007, SAP Skills 2007 Conference / G3 / 54
Order to Cash: Sample Automated Control Monitoring
Did the customer order exceed allowed thresholds?
Were shipments made without proper sales documents?
Were pricing or exchange rates adjusted?
Were there changes to revenue accounts and posting tolerances?
SAP AG 2007, SAP Skills 2007 Conference / G3 / 55
Automatically Create & Test 1000s of Controls
Configuration, master data and transaction data: any form, tab or field can carry multiple controls
Test types: apply percentage threshold; apply absolute value threshold; monitor change frequency; monitor changes to control; check that control value exists
Examples: Is the Duplicate Voucher flag turned ON? Have any duplicate vouchers been processed over the past 30, 60, 90 days? Has the duplicate voucher control changed? How often?
Control options: hide / disable / query only
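The test types listed above, as an added example that is not from the presentation and not SAP Process Control code: a control-value check, a change-frequency monitor, a duplicate-voucher query over a sliding window, and percentage/absolute thresholds, run over constructed configuration, change-log and invoice data and turned into prioritised exception cases in the way the slides describe (automatic case generation). All company codes, dates, vendors, amounts and thresholds are constructed sample values.

```python
# Added example (not SAP code): automated control tests over constructed data.
from collections import Counter
from datetime import date, timedelta

AS_OF = date(2007, 9, 30)  # constructed reporting date for the monitoring run

# Constructed configuration snapshot: duplicate invoice check per company code.
CONFIG = {"1000": {"dup_invoice_check": True}, "2000": {"dup_invoice_check": False}}

# Constructed change log of that setting: (date, company_code, old_value, new_value).
CHANGE_LOG = [
    (date(2007, 1, 10), "1000", False, True),
    (date(2007, 7, 3), "2000", True, False),
    (date(2007, 8, 14), "2000", False, True),
    (date(2007, 9, 2), "2000", True, False),
]

# Constructed vendor invoices: (posting_date, company_code, vendor, reference, amount).
VOUCHERS = [
    (date(2007, 9, 5), "2000", "V100", "INV-778", 1200.00),
    (date(2007, 9, 19), "2000", "V100", "INV-778", 1200.00),  # duplicate within 30 days
    (date(2007, 8, 1), "1000", "V200", "INV-001", 50.00),
    (date(2007, 6, 1), "2000", "V300", "INV-555", 90.00),
    (date(2007, 6, 20), "2000", "V300", "INV-555", 90.00),  # duplicate, but older
]

# Constructed posting tolerance change per company code: (previous, current).
TOLERANCE = {"1000": (100.0, 105.0), "2000": (100.0, 250.0)}


def control_value_exists(config, company_code, key="dup_invoice_check"):
    """'Check that control value exists': the setting must be present and switched on."""
    return bool(config.get(company_code, {}).get(key, False))


def change_frequency(change_log, company_code, days, as_of=AS_OF):
    """'Monitor change frequency': count changes to the control inside the window."""
    start = as_of - timedelta(days=days)
    return sum(1 for d, cc, _, _ in change_log if cc == company_code and start <= d <= as_of)


def duplicate_vouchers(vouchers, company_code, days, as_of=AS_OF):
    """Duplicates over the past N days: same vendor, reference and amount posted twice."""
    start = as_of - timedelta(days=days)
    seen = Counter((v, ref, amt) for d, cc, v, ref, amt in vouchers
                   if cc == company_code and start <= d <= as_of)
    return sorted(key for key, n in seen.items() if n > 1)


def exceeds_threshold(previous, current, pct_limit, abs_limit):
    """Percentage and absolute value thresholds on a changed control value."""
    pct_change = abs(current - previous) / previous * 100 if previous else float("inf")
    return pct_change > pct_limit or abs(current - previous) > abs_limit


def run_control_tests(config=CONFIG, change_log=CHANGE_LOG, vouchers=VOUCHERS,
                      tolerance=TOLERANCE, as_of=AS_OF):
    """Apply the same control definitions to every organization; each failure
    becomes a prioritised case for remediation."""
    cases = []
    for cc in sorted(config):
        if not control_value_exists(config, cc):
            cases.append({"org": cc, "control": "duplicate invoice check active",
                          "priority": "high", "detail": "flag is OFF"})
        changes = change_frequency(change_log, cc, days=90, as_of=as_of)
        if changes > 1:
            cases.append({"org": cc, "control": "duplicate invoice check stability",
                          "priority": "medium", "detail": f"{changes} changes in 90 days"})
        dups = duplicate_vouchers(vouchers, cc, days=30, as_of=as_of)
        if dups:
            exposure = sum(amt for _, _, amt in dups)  # monetary quantification of the failure
            cases.append({"org": cc, "control": "no duplicate vouchers (30 days)",
                          "priority": "high",
                          "detail": f"{len(dups)} duplicate(s), exposure {exposure:.2f}"})
        prev, cur = tolerance[cc]
        if exceeds_threshold(prev, cur, pct_limit=10.0, abs_limit=100.0):
            cases.append({"org": cc, "control": "posting tolerance within threshold",
                          "priority": "medium", "detail": f"{prev} -> {cur}"})
    return cases


if __name__ == "__main__":
    for case in run_control_tests():
        print(case)
```

Running the same definitions over every company code is the "version concept" the slides mention: one control, many organizations, with each failing organization getting its own case and the monetary exposure attached so the remediation work list can be ordered by impact.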
SAP AG 2007, SAP Skills 2007 Conference / G3 / 56
Sample Automated Control Tests
SAP AG 2007, SAP Skills 2007 Conference / G3 / 57
SAP GRC Process Control: Centralized Control Management
Manual control testing streamlines manual controls and tests
Provides manual test plans with detailed test steps and instructions
Promotes timely performance with scheduled workflow and e-mail notifications
Documents evidence to support evaluation results
Captures monetary risk quantification for failed tests
SAP AG 2007, SAP Skills 2007 Conference / G3 / 58
Manual Compliance Management: Costly Effort to Coordinate Tasks
Compliance team: What do we need to test? Who should perform the test? Is this the right process? Create test plan; create documents and spreadsheets and save to local file servers; paper-based documentation and surveys for completion
Control testers: What am I supposed to do? Why is this important? Receive test instructions via e-mail; perform manual tests based on verbal instructions
Management & executives: Where do we stand? How can we improve? Consolidate results from multiple sources
SAP AG 2007, SAP Skills 2007 Conference / G3 / 59
Workflow Streamlines Manual Control Activities: Automated Notification and Guided Procedures Ensure Timeliness and Reliability
Compliance team: document control and test plan; attach reference document and spreadsheet
Control testers: follow guided procedure and perform test; report results and attach evidence
Management & executives: review the complete audit trail of testing results and evidence
Automatic notification routes tasks to appropriate users; guided procedures and reference documents train users
SAP AG 2007, SAP Skills 2007 Conference / G3 / 60
SAP GRC Process Control: Convergence of Compliance Process Management and Continuous Controls Monitoring
Self-assessment: flexible surveys to support design assessments and self-assessments
Assessments for process design, control design, entity levels, and more
Promotes timely performance with scheduled workflow and e-mail notifications
Reference information and instructions guide occasional users
SAP AG 2007, SAP Skills 2007 Conference / G3 / 61
Deploy Flexible Assessments
Flexible survey creation, scheduling, and routing
Handles assessments for process design, control design, entity levels, and more
Reference information and instructions guide occasional users
SAP AG 2007, SAP Skills 2007 Conference / G3 / 62
Survey Management
Survey reports provide drill-down to any cases generated
[Figure: SAP GRC Process Control cycle diagram, repeated from the earlier slide]
SAP GRC Process Control: Management by Exception
Remediation Case Management detects global exceptions and prioritizes corrective action
Workflow-based notifications alert users to failed tests or assessments
Documents remediation activities and resolution
Dashboards and reporting provide actionable insight into exceptions
Accelerate Time to Resolution with Remediation Case Management
[Figure: Perform Self-Assessments, Deploy Automated Controls, Test Manual Controls across IT Infrastructure and Business Processes]
Automated prioritization focuses valuable resources on high-impact exceptions
Automated routing and notification ensure nothing falls through the cracks
Threaded discussion of resolution activities provides evidence for external auditors
Case Trail and Status Tracking During Case Remediation
Resolution can be captured along with the case details for audit purposes
Linked to test results
[Figure: SAP GRC Process Control cycle diagram, repeated from the earlier slide]
SAP GRC Process Control: Convergence of Control Process Management and Continuous Controls Monitoring
Management Certification
Section 302 and 404 certification
Business process review and approval
Freeze key information that has been signed-off
Hierarchical, bottom-up progression
Automatic Sign-Off Process
1. Each sub process owner signs off (AR Billing, AR Collections)
2. Process owner signs off (Order to Cash)
3. Lowest location signs off (US Finance)
4. Higher location signs off (US)
5. Corporate signer(s) sign off
6. CEO/CFO sign off
Support section 302 certification
Freeze key information that has been signed-off
Hierarchical, bottom-up progression
SAP GRC Process Control: the Integrated Solution for Enterprise-Wide Management of Any Kind of Controls
Cost reduction through automation
Automated case management accelerates the remediation process
Reduces RISKS and saves TIME and MONEY
Integrated solution, low TCO
Risk based approach
SAP GRC PC 2.5 Architecture
[Figure: architecture diagram with the following components]
GRC NWBC User Interface: Navigation; WebDynpro Content; SAP Application Pages; BI Pages for Analytics; Portal Pages for Analytics
SAP Services (ABAP Stack): Repository; Interfaces; Automated Controls; Query Builder; Cross-Platform Enablement
Process Control Plus (Java Stack): Savvion BPM/Workflow; Master Data; Audit Log; Survey Assessments; Testing; Report Mart; Object Level Security; Sign Off
SAP Solutions for GRC: Framework for an Integrated GRC-Solution
[Figure: SAP GRC Access Controls on top of the Business Process, Business Applications and Business Process Platform layers]
Risk Management Today: No Transparency, Suboptimal Decision-Making
[Figure: pain points and questions of Risk Managers, Lines of Business, and Management & Executives]
Send out MS Excels
Workshop after workshop
Ask for additional input
Brainstorm one-off response possibilities
Siloed risk thinking
Focus only on negative risks
What is the status of our top risks?
What risks don't we know about?
Am I on track to reach my goals?
Another assessment to fill out?
Will we meet analyst / market expectations?
What are our top 10 risks?
[Figure: Lines of Business, Executives, Risk Managers]
The Goal: Risk-Adjusted Management of Enterprise Performance
Applications to mitigate top risks
Role-based best practice playbooks
Enable risk management innovation
Risk in context of corporate strategy and performance
Understand true exposure resulting from risk correlation
Achieve proactive transparency
Automatic risk identification
End-to-end risk processes across the value chain
Become a driver of business change
SAP Solutions for GRC: Risk Management in a Leading Role
[Figure: cross industry solution. GRC-Suite on the Business Process Platform: Access Controls, Process Controls, Risk Management, GTS, EH&S, sharing a GRC-Repository; connected to SONA xApp, xEM, other Partner Solutions, REA, and External Provider KRIs / Content]
Risk Management Steps: Process Automation for the Virtuous Cycle
Actionable, role-based dashboards and alerts
Establish risk appetite and thresholds
Collaborate and aggregate across the enterprise
Balance cost of risk avoidance and opportunity
Drive Consistency: Agreement on Top Risks, Thresholds, and Appetite
Create Risk and Activity Catalogs (GRC Repository)
What types of risks do we want to track?
Proposed risks based on activity type
Align risks to corporate goals
Customizable, pre-delivered content
[Figure: Risk Catalog example: Supply chain continuity risk, KRI 2: Supplier on-time delivery]
Document Risk Appetite
Avoid Surprises: Identify and Assess All Key Risks Across the Enterprise
Collaborative Assessments for Manual Risk Activities
Qualitative & quantitative point and scenario analyses
Analyses done before and after response
Workflow reminders for updates
Prioritization using Risk Heat Map
Prioritization for response investment
Identifying shifts in the risk profile
Automatically Identify Risks (SAP CRM example)
Embedded into key business processes
Workflow delivers assessments to experts
Enabling Lines of Business to Effectively Mitigate Risks
Respond Intelligently: Create Resolution Strategies for Critical Risks
Best Practice Response Playbooks
Propose Risk Response
Loss Event Tracking
Lessons Learned
[Figure: Risk: Merger / Acquisition; Proposed Responses; Self-learning Response Effectiveness]
Spot Risk Interdependencies
[Figure: correlation across Finance, Sales, IT, Supply, ...: New Global Suppliers, Indirect Global Taxes]
Top Industry Risks and the solution addressing each:
Mismatch of Demand with Supply: xSOP
Employee health and safety: EH&S
Non-compliance with emissions: xEM
Production disruptions: EAM
Supplier disruptions: SRM/xSA
Non-compliance with RoHS/WEEE: CfP
Non-compliance to Fin Regulations: GRC
Stay Informed: Build Proactive Monitoring Into Existing Business Processes
Capture Incidents and Losses: Learn from previous experiences; incorporate into response playbook
Set Control Limits Based Upon Associated Risk: The regulatory checklist approach has led to over-controlling and under-controlling many processes; set controls based upon the level of risk associated with each business process
Executive and Risk Manager Dashboards
"A sustainable business benefit": IT matters in achieving good governance as it helps in becoming a better run business. It can enable companies to move beyond pure compliance towards a sustainable business benefit.
Werner Brandt, CFO SAP AG. Event: The 4th Boardroom Series Breakfast Meeting, Shanghai, June 12, 2006
We Drink Our Own Champagne: SAP Risk Management Drives Excellence at SAP AG
"A part of management excellence": In an ever changing world (economy, partners, and customers) management excellence is required to react positively and therefore fast to any changes. Risk Management is clearly a part of management excellence.
Hans Peter Klaey, President SAP Asia Pacific
Why SAP GRC Risk Management?
Enabling Lines of Business to Mitigate Top Industry Risks
Automatic Risk Identification and Monitoring Across the Enterprise
Risks in Context of Strategy and Objectives (Strategy Management, Planning)
Top Industry Risks and the solution addressing each:
Mismatch of Demand with Supply: xSOP
Employee health and safety: EH&S
Non-compliance with emissions: xEM
Production disruptions: EAM
Supplier disruptions: SRM/xSA
Non-compliance with RoHS/WEEE: CfP
Non-compliance to Fin Regulations: GRC
AGENDA: GRC as part of SAP Financials; Challenge for GRC; GRC-Suite in detail; Value proposition
The Fast Track to SAP Knowledge
SAP Solutions for Governance, Risk and Compliance
Single, holistic and integrated approach for managing governance, risks and compliance
Deliver enterprise predictability and quality of operations: No Surprises
Reduce the cost of compliance and free resources for innovation
Improve performance through proactive risk management
Prevention of fraud, bribery, corruption
Increase confidence of stakeholders
SAP Solutions for GRC: Access Control
[Figure: bar chart of Access Control customers by number of users, ranging from about 4,200 to 100,000+ users per customer]
Summary
Market leader
Cross system
Real-time Prevention
Integrated end-to-end solution
Contact
Rainer Salaw, CPA
CFO Solution Sales EMEA, Governance, Risk & Compliance, SAP Deutschland AG & Co. KG
Phone +49 (811) 5545-225, Mobile +49 (0170) 2200125
http://www.sap.com/financials
SAP ERP Financials: SAP Solutions for Governance, Risk, and Compliance and SAP GRC Access Control
Barbara Mayer, Enterprise Risk Management, SAP Consulting
AGENDA: The Access Control Suite: An Overview; The SOD Management Process; Project Organization
Client Issues
Negative Sarbanes-Oxley Audit Results
Segregation of Duties / Excessive Access
Security Administration Process
Internal Controls Repository
Maintaining a clean environment
ERP Upgrades
Escalating help desk costs
Change management
SOX awareness/responsibility
GRC - Governance
Corporate Governance: Ethical corporate behavior together with management practices in the creation of wealth for all stakeholders. Spells out the rules and procedures for making decisions on corporate affairs.
IT-Governance: Helps to ensure the alignment of IT and enterprise objectives, that IT resources are used responsibly and that their risks are managed properly.
GRC - Risk Management
Risk Management: Identify, classify, document and reduce risks to an acceptable level based on the value of the information resource to the organization.
Risk is the result of three different parameters:
Existence of a threat for a business process
Likelihood of occurrence
Impact for the business process
[Figure: RISK as the combination of THREAT, LIKELIHOOD and IMPACT]
GRC - Compliance
Acting according to:
National and international legal requirements: Sarbanes-Oxley Act (US), Data Protection Law (Germany), J-SOX (Japan), ...
Corporate Policies representing the corporate philosophy and the strategic thinking on a high level
Low-level policies focusing on the operational layer
Policies need to be in sync with the overall business strategy and legal requirements
Benefit: Collaboration Within the Company
Owner / Key Area / GRC Access Control:
Business Users
  Risk Identification and Elimination: Analysis and elimination of potential access risks and actual risks; real-time check and assignment of detective and preventive controls
  Role Design and Management: Risk-preventive role design to address the root of a problem
  Compliant User Provisioning: Efficient user provisioning and de-provisioning from hire to retire
  Privileged User Access: Auditable superuser privilege management
IT Security
  Collaboration between Business and IT: Enabling business to take accountability for access
Management Oversight
  Periodic Access Review: Review of roles, users and mitigation controls by using automated reporting views
Internal Audit
  Audit Cycle Management: Provide documentation to help validate that the business team is following the control process
Interdependencies GRC Access Controls
[Figure: Role Expert, Access Enforcer, Firefighter and Compliance Calibrator with Risk Terminator, linked by: Critical Transactions; SoD Analysis; Risk Analysis for simulation; Role Information; Workflow Engine for role approval; Risk Analysis; Work Flows]
Best Practice Road Map GRC Access Controls Implementation
[Figure: implementation sequence: Compliance Calibrator with Risk Terminator and Firefighter first, then Access Enforcer and Role Expert]
This road map ensures the fastest implementation with optimal change management.
Installation: Install and configure Compliance Calibrator and Risk Manager; Firefighter comes with the RTAs (+BC Sets); later install and configure Access Enforcer and Role Expert.
AGENDA: SOD Management Process Overview; Risk Recognition; Rule Building; Analysis and Remediation; Mitigation; Continuous Compliance
SoD Management Process: Get Clean & Stay Clean
SOD Risk Management Process: Although every business and every system is unique, each implementation follows the same risk-based Best Practice methodology, which has been proven at many customer sites.
Phase One: 1 Risk Recognition; 2 Rule Building and Validation
Phase Two: 3 Analysis; 4 Remediation; 5 Mitigation
Phase Three: 6 Continuous Compliance
Roles and Responsibilities
Business Process Owners: Identify risks and/or approve risks for monitoring; Approve remediation involving user access; Design controls for mitigating conflicts; Communicate access assignments or role changes; Perform proactive continuous compliance
Senior Officers: Approve/Reject risks between business areas; Approve mitigating controls for selected risks
Security Administrator and Technical Liaisons: Ownership of SAP GRC tools and security process; Design and maintain rules to identify risk conditions; Customize SAP GRC roles to enforce roles and responsibilities; Analysis and remediation of SoD conflicts at role level
Auditors & Regulators: Perform risk assessment on a regular basis; Provide specific requirements for audit purposes; Perform periodic testing of rules and mitigating controls; Act as liaison to external auditors
SoD Rule Keeper: Responsible for SAP GRC tool configuration and administration; Maintain controls over rules to ensure integrity; Act as liaison between Basis and the SAP GRC Support Center
Phase One: Risk Recognition
[Figure: six-step SoD process bar (1 Risk Recognition, 2 Rule Building and Validation, 3 Analysis, 4 Remediation, 5 Mitigation, 6 Continuous Compliance), step 1 highlighted]
RISK RECOGNITION
Identify conflicts and approve exceptions
Clarify and classify risk: high, medium, low
Identify new risks and conditions for monitoring in the future
Segregation of Duties
John can create sales orders and issue credit memos. Risk! Gives someone the access to create a sales order, generating fraudulent revenue, and then reverse the revenue in a subsequent period by issuing a credit memo.
Sandy can create vendor master records and process accounts payable payments. Risk! Gives someone the access to create a fictitious vendor and generate fraudulent payments to the vendor.
Risk Recognition: Business Process Owners
The Business Process Owners should do the following:
Document business risk and prepare a risk statement
Cross-reference the risk statement with the risks provided with Compliance Calibrator
Assign Risk Levels
Risk Recognition: Example SOD Risk
Maintain a non bona-fide bank account and divert incoming payments to it.
FI01 Create Bank
FI02 Change Bank
FI06 Set Flag to Delete Bank
F-04 Post with Clearing
F-06 Post Incoming Payments
F-26 Incoming Payments Fast Entry
F-28 Post Incoming Payments
F-29 Post Customer Down Payment
F-30 Post with Clearing
F-36 Bill of Exchange Payment
F-39 Clear Customer Down Payment
F-40 Bill of Exchange Payment
F-52 Post Incoming Payments
FBA2 Post Customer Down Payment
FBZ1 Post Incoming Payments
FBZ3 Incoming Payments Fast Entry
Conflicting Transactions are grouped into functions
Risk Recognition: Example Critical Transactions
Examples of security critical basis transactions:
SA38 Execute ABAP Reports
SE01 Transport Organizer
SE06 Transport Organizer
SE09 Transport Organizer
SE11 ABAP Dictionary
SE16 Table Maintenance
SE36 Logical Database Builder
SE37 ABAP Function Modules
SE41 Menu Painter
SM30 Table Maintenance
SQ00 SAP Query: Start queries
SU12 Delete ALL users
SUB% Internal call: Submit via command fld
... ...
Risk Recognition: SAP GRC Risk Database
Over 200 Risk Groups, e.g. Order to Cash, Procure to Pay, Financial Accounting, HR/Payroll, APO, CRM, EBP/SRM, Basis
Business language mapped to SAP, resulting in over 180,000 SoD Object Level Rules
Rules at the Authorization Object level eliminate false positives
Automated rule building
Reduces time for implementation
Validated by Big 4 auditors at 400+ customers
Phase One: Rule Building and Validation
[Figure: six-step SoD process bar, step 2 highlighted]
RULE BUILDING AND VALIDATION
Reference best practice rules for your environment
Validate rules
Customize rules, then test
Verify against test user/role cases
Rule Architect Overview
Rule Structure: The Full Picture
Rule Set A (Global)
  Business Process: Order to Cash
    Risk A: Enter sales documents and lower prices for fraudulent gain.
      Function 1: Sales Order Agreements -> Actions/Permissions (SAP ERP)
      Function 2: Sales Pricing Maintenance -> Actions/Permissions (SAP ERP)
  Business Process: Purchase to Pay
    Risk B: User is able to maintain vendor master data and initiate payment runs.
      Function 3: Vendor Master Maint. -> Actions/Permissions (SAP ERP)
      Function 4: Process Vendor Invoices -> Actions/Permissions (SAP ERP)
      Func. 5: -> Actions/Permissions (SAP ERP)
  Business Process n
    Risk C: User is able to ....
Rule Building: Step One
1. Define a Rule Set ID and Description (example: Global Rule Set)
2. Create a Business Process (examples: Procure to Pay, Order to Cash, Finance and Controlling)
3. Create Functions for the Business Process
4. Assign Actions and Permissions to the Function
5. Create a Risk for the Business Process
6. Assign Conflicting Functions
7. Assign to a Rule Set
Rule Building: Create Functions
[Screenshot: function definition listing GL02, GL01]
Rule Building: Create Risks
[Screenshot]
Standard Rule Set
SAP rules in the standard Rule Set include:
ERP Basis
Finance: General Ledger Accounting, Fixed Assets, Project Systems
HR / Payroll
MM / PP / QM
Order to Cash
Procure to Pay
SRM / EBP
CRM
Consolidation
APO
Phase Two: Analysis
[Figure: six-step SoD process bar, step 3 highlighted]
ANALYSIS
Run analytical reports
Estimate cleanup efforts
Analyze roles and users
Modify rules based on analysis
Set Alerts to distinguish executed risks
Management View Reports
[Screenshot]
Risk Analysis Reports
[Screenshot]
Phase Two: Remediation
[Figure: six-step SoD process bar, step 4 highlighted]
REMEDIATION
Determine alternatives for eliminating risks
Present analysis and select corrective actions
Document approval of corrective actions
Modify or create roles or user assignments
Remediation Strategy
Analyze report results to determine the extent of remediation efforts
Discuss potential remediation methodologies that are appropriate to address the security violations identified
Remediation Exercise: Perform walkthroughs of the remediation strategies using live examples
Phase Two: Mitigation
[Figure: six-step SoD process bar, step 5 highlighted]
MITIGATION
Determine alternative controls to mitigate risk
Educate management about conflicts approval and monitoring
Document a process for monitoring mitigation controls
Implement controls
Mitigating Controls Are Required when Remediation Fails
Mitigating controls are required when it is not possible to segregate duties within the business process.
E.g. within a small office one person has to take over two roles within the business process, which leaves an SoD conflict that cannot be removed.
Examples for Mitigating Controls are:
Release strategies / Authorization limits
Review of user logs
Review of exception reports
Detailed variance analysis
Establish insurance
Firefighter: A Key Mitigation Control
What is Firefighter? Firefighter allows super users to perform emergency activities outside their normal role within a controlled and auditable environment.
All activities of the user accessing the higher authorization privileges will be reported.
Firefighter will generate an audit trail, which can be used to document the reasons for using higher access privileges.
The audit trail is required for SOX compliance. Monitoring logs must be analysed promptly and frequently!
Firefighter Business Scenarios
Compliant controls for emergency access: Users are assigned to specific firefighting IDs with defined authorizations and validity dates. A separate login is required, as well as documentation of the reason for use. An ID can only be used by one user at a time.
Auditable Support-Access: Gives the customer full control over external support activities.
Mitigation Control: Logs critical business activities a user is performing as FireFighter. Helps to resolve SOD issues without the involvement of extra staff.
The Process
1. Firefighter Role Setup
2. Document Why Needed
3. Audit Log
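How the three steps above (ID setup, documented reason, audit log) and the business-scenario rules (validity dates, one user at a time, controller review of the log) can be enforced, as an added example that is not SAP GRC Firefighter code; the firefighter ID, users, controller name, SLA and transactions are constructed.

```python
"""Firefighter-style emergency access: a named user checks out a privileged
firefighter ID within its validity window, must document a reason, only one user
may hold the ID at a time, every activity is logged, and the ID's controller must
review the session log within an SLA.  Added example, not SAP GRC Firefighter
code; firefighter IDs, users and transactions below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

HOUR = timedelta(hours=1)
DAY = timedelta(days=1)


@dataclass
class FirefighterId:
    ff_id: str                  # the privileged ID that is checked out, not the person
    controller: str             # reviews every session log of this ID
    valid_from: datetime
    valid_to: datetime
    authorized_users: Set[str]  # named users allowed to check the ID out


@dataclass
class Session:
    ff_id: str
    user: str                   # the accountable person behind the privileged activity
    reason: str
    started: datetime
    ended: Optional[datetime] = None
    actions: List[dict] = field(default_factory=list)
    reviewed_by: Optional[str] = None
    reviewed_at: Optional[datetime] = None


class FirefighterService:
    def __init__(self, ff_ids: List[FirefighterId]) -> None:
        self.ff_ids = {f.ff_id: f for f in ff_ids}
        self.active: Dict[str, Session] = {}   # ff_id -> session currently holding it
        self.audit_trail: List[Session] = []   # every session ever opened, never deleted

    def checkout(self, ff_id: str, user: str, reason: str, now: datetime) -> Session:
        """Grant the ID only if the user is assigned, the ID is valid, a reason is
        documented, and nobody else holds the ID right now."""
        ff = self.ff_ids[ff_id]
        if user not in ff.authorized_users:
            raise PermissionError(f"{user} is not assigned to {ff_id}")
        if not ff.valid_from <= now <= ff.valid_to:
            raise PermissionError(f"{ff_id} is outside its validity period")
        if not reason.strip():
            raise ValueError("a documented reason is mandatory")
        if ff_id in self.active:
            raise RuntimeError(f"{ff_id} is already in use by {self.active[ff_id].user}")
        session = Session(ff_id, user, reason, now)
        self.active[ff_id] = session
        self.audit_trail.append(session)
        return session

    def record(self, ff_id: str, transaction: str, detail: str, now: datetime) -> None:
        """Log one activity performed under the checked-out ID."""
        session = self.active.get(ff_id)
        if session is None:
            raise RuntimeError(f"{ff_id} is not checked out")
        session.actions.append({"at": now, "transaction": transaction, "detail": detail})

    def checkin(self, ff_id: str, now: datetime) -> Session:
        session = self.active.pop(ff_id)
        session.ended = now
        return session

    def review(self, session: Session, controller: str, now: datetime) -> None:
        """Only the ID's designated controller may sign off a session log."""
        if controller != self.ff_ids[session.ff_id].controller:
            raise PermissionError(f"{controller} is not the controller of {session.ff_id}")
        session.reviewed_by, session.reviewed_at = controller, now

    def overdue_reviews(self, now: datetime, sla: timedelta = 2 * DAY) -> List[Session]:
        """Closed sessions whose log has not been analysed within the SLA."""
        return [s for s in self.audit_trail
                if s.ended is not None and s.reviewed_by is None and now - s.ended > sla]


# Constructed sample data: one finance firefighter ID valid for 60 days around T0.
T0 = datetime(2007, 6, 1, 9, 0)
SAMPLE_IDS = [FirefighterId("FF_FI_01", "fi.controller", T0 - 30 * DAY, T0 + 30 * DAY,
                            {"alice", "bob"})]
```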
Phase Three: Continuous Compliance
[Figure: six-step SoD process bar, step 6 highlighted]
CONTINUOUS COMPLIANCE
Communicate changes in roles and user assignments
Simulate changes to roles and users
Implement Alerts to monitor for new selected risks and mitigating control testing
Continuous Compliance
1. Use Simulation for ongoing preventive compliance
   a. New role or change request
   b. New user or user change request
2. Use the integration capabilities of Role Expert, Access Enforcer, and Risk Terminator to prevent SoD violations from being incorporated during day-to-day operation and security maintenance
3. Perform regular maintenance activities to ensure that rules are complete and accurate
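An added example, not Compliance Calibrator code, that implements the rule structure from the Rule Structure slide (rule set, risks, conflicting functions, transactions), runs user- and role-level analysis, records mitigating controls where remediation is not possible, and uses simulation for the preventive checks in items 1 and 2 above, including an Access Enforcer style auto-provisioning gate. The transaction codes in the two bank/payment functions come from the Example SOD Risk slide; roles, users and the control ID are constructed, and XK01/XK02/F110/F-53 are standard SAP transactions used as stand-ins for the vendor/payment functions of the Sandy example.

```python
"""Segregation-of-duties (SoD) rule engine following the deck's rule structure:
Rule Set -> Business Process -> Risk -> conflicting Functions -> Actions (transactions).
Added example, not SAP GRC Compliance Calibrator code.  Simplification: rules are
evaluated at transaction-code level only; the product also checks authorization
objects to remove false positives.  Users, roles and control IDs are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Functions group conflicting transactions.  BANK_MAINT and POST_INCOMING_PAYMENTS use
# the transaction codes from the deck's "Example SOD Risk" slide; the vendor functions
# are constructed for the deck's Sandy example (XK01/XK02 = create/change vendor,
# F110 = automatic payment run, F-53 = post outgoing payments).
FUNCTIONS: Dict[str, Set[str]] = {
    "BANK_MAINT": {"FI01", "FI02", "FI06"},
    "POST_INCOMING_PAYMENTS": {"F-04", "F-06", "F-26", "F-28", "F-29", "F-30", "F-36",
                               "F-39", "F-40", "F-52", "FBA2", "FBZ1", "FBZ3"},
    "VENDOR_MASTER_MAINT": {"XK01", "XK02"},
    "PROCESS_VENDOR_PAYMENTS": {"F110", "F-53"},
}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    process: str                 # business process the risk belongs to
    description: str
    level: str                   # high / medium / low, set by the business process owner
    functions: Tuple[str, ...]   # the risk fires only if a user can perform ALL of them


# Rule set "Global": the deck's two example risks.
RULE_SET: List[Risk] = [
    Risk("F001", "Finance",
         "Maintain a non bona-fide bank account and divert incoming payments to it.",
         "high", ("BANK_MAINT", "POST_INCOMING_PAYMENTS")),
    Risk("P001", "Procure to Pay",
         "Create a fictitious vendor and generate fraudulent payments to the vendor.",
         "high", ("VENDOR_MASTER_MAINT", "PROCESS_VENDOR_PAYMENTS")),
]

# Constructed roles (a role grants a set of transactions) and user assignments.
ROLES: Dict[str, Set[str]] = {
    "Z_BANK_ADMIN": {"FI01", "FI02", "FI06"},
    "Z_AR_CLERK": {"F-28", "F-06"},
    "Z_VENDOR_MDM": {"XK01", "XK02"},
    "Z_AP_CLERK": {"F110", "F-53"},
    "Z_FIN_SMALL_OFFICE": {"FI01", "F-28"},   # conflict inside a single role
}
USER_ROLES: Dict[str, Set[str]] = {
    "john": {"Z_AR_CLERK"},
    "sandy": {"Z_VENDOR_MDM", "Z_AP_CLERK"},
}
# Mitigating controls, assigned per (user, risk) where duties cannot be segregated.
MITIGATIONS: Dict[Tuple[str, str], str] = {
    ("sandy", "P001"): "MC-01 monthly review of vendor master changes against payment runs",
}


@dataclass(frozen=True)
class Finding:
    user: str
    risk_id: str
    level: str
    via: Tuple[str, ...]         # one transaction per conflicting function, for the report
    status: str                  # "open" or "mitigated"
    control: Optional[str] = None


def transactions_for(roles: Iterable[str]) -> Set[str]:
    """Flatten role assignments into the transactions a user can execute."""
    return set().union(*(ROLES.get(r, set()) for r in roles))


def evaluate(user: str, tcodes: Set[str]) -> List[Finding]:
    """Evaluate every risk in the rule set against one set of transactions."""
    findings = []
    for risk in RULE_SET:
        hits = [sorted(tcodes & FUNCTIONS[f]) for f in risk.functions]
        if all(hits):                      # every conflicting function is reachable
            control = MITIGATIONS.get((user, risk.risk_id))
            findings.append(Finding(user, risk.risk_id, risk.level,
                                    tuple(h[0] for h in hits),
                                    "mitigated" if control else "open", control))
    return findings


def analyze_user(user: str) -> List[Finding]:
    """User-level risk analysis on the live assignment (Phase Two: Analysis)."""
    return evaluate(user, transactions_for(USER_ROLES.get(user, set())))


def role_conflicts(role: str) -> List[str]:
    """Role-level analysis: risks a single role triggers by itself."""
    return [r.risk_id for r in RULE_SET
            if all(ROLES.get(role, set()) & FUNCTIONS[f] for f in r.functions)]


def simulate(user: str, add: Iterable[str] = (), remove: Iterable[str] = ()) -> List[Finding]:
    """Continuous compliance: findings the user WOULD have after a requested role
    change, computed without touching the live assignment."""
    proposed = (USER_ROLES.get(user, set()) | set(add)) - set(remove)
    return evaluate(user, transactions_for(proposed))


def can_auto_provision(user: str, add: Iterable[str]) -> bool:
    """Access Enforcer style gate: provision automatically only if the request
    introduces no open (unmitigated) SoD risk; otherwise route to an approver."""
    return not [f for f in simulate(user, add=add) if f.status == "open"]
```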
Continuous Compliance: User Access Management
Enables compliant end-to-end provisioning, hire to retire
Current approach (inefficient, not compliant): Access request -> Manager approval -> Role owner -> IT security -> Manual provisioning, handled via spreadsheets and paper forms
Continuous Compliance: What Is Access Enforcer?
Access Enforcer is an automated user request, approval, and compliant provisioning solution that is web-based and workflow configurable with proactive SoD compliance checking.
[Figure: ACCESS ENFORCER PROCESS OVERVIEW: User Role Requests -> Access Enforcer -> User Provisioning to SAP systems (Financial System, CRM System, Payroll System, Human Resources System)]
Access Enforcer: Real Time Risk Simulation Results
Workflow Results
What can be accomplished after a workflow is finished:
Create User in SAP
Assign Roles in SAP
Change Role Assignment
Lock User in SAP
Unlock User in SAP
Delete User in SAP
Create and Assign Mitigation
Send Notifications
If the auto-provisioning feature is configured to yes, the first six items can be automatically completed by AE. Otherwise the security approver must complete the provisioning in SAP manually.
AGENDA: The Access Control Suite: An Overview; SAP CC: The SOD Management Process; Project Organization
Service Levels
SAP Consulting offers the following scenarios of service:
Basic service: The customer nominates and empowers a project manager and an implementation team of his own. As the project manager is qualified but lacks experience in implementing the GRC system, a project management assistance (PMA) of SAP Consulting ensures, via checks on pre-defined focus topics at pre-defined project stages, that the GRC Access Controls project is delivered on time and in budget according to the defined scope.
Extended service: Based on scoping workshops, Mainova can order extended service.
Full service: As the customer lacks resources, a full service can be ordered. Individual effort estimation required.
Packaged Solutions Model Access Controls: GRC Compliance Calibrator (Packaged Solutions Step 1)
Package 1: GRC Assessment
Brief: AS-IS Analysis and Evaluation
Value proposition: Identification of strategic GRC focus areas based on risk potential; identification of improvement potential; focus for roadmap
Deliverables: Basic Analysis/Entry Risk Assessment; Management Letter Review; Roadmap Entry Business Case
Project team: Client, SAP
Effort: 6 days Consulting *)
Duration: > 2 weeks
Package 2: GRC Risk Analysis Entry
Brief: Risk Analysis based on standard rules
Value proposition: Haptic Approach
Deliverables: Risk Analysis Workshop; Risk Analysis based on standard SOD-Matrix; Risk Report by User/Roles; Recommendations
Project team: Client, SAP
Effort: 1 d Tech Cons. + 1 d Cons. *)
Duration: 1 week
Package 3: Basic Implementation GRC Compliance Calibrator
Value proposition: Cost efficient way to implement GRC CC using implementation expertise of SAP as Project Management Guidance
Deliverables: License GRC Access Controls; Installation on one Development and one Quality System; Basic Configuration Know-How Transfer (Coaching) for System Administrator; Project Management Coach for GRC CC Implementation
Project team: Client, SAP
Effort: 12 d Cons + 5 d Tech Cons *)
Duration: > 6 weeks
*) + Client effort
Packaged Solutions Model Access Controls: GRC Firefighter and GRC Access Enforcer enablement
Based on Step 1 the following Packages can be implemented.
Package: GRC Firefighter enablement
Brief: GRC Firefighter
Value proposition: Fast and cost efficient way to implement GRC Firefighter, the compliant answer to SAP_ALL and other emergency accesses
Deliverables: Installation Firefighter on one Development and one Quality Assurance System; Basic Configuration Know-How Transfer (Coaching); Template FF; Recommendations
Project team: Client, SAP
Effort: 1 d Tech Cons. + 4 d Cons. *)
Duration: > 1 week
Package: GRC Access Enforcer enablement
Brief: GRC Access Enforcer
Value proposition: Fast and cost efficient way to implement audit-proofed access granting
Deliverables: Installation Access Enforcer on one Development and one Quality Assurance System; Basic Configuration Know-How Transfer (Coaching); Audit proofed Workflow Design (max 2 WF); Create/Change/Delete 5 Test users
Project team: Client, SAP
Effort: 2 d Tech Cons. + 10 d Consulting *)
Duration: > 3 weeks
Both packages: Building up in-house expertise using SAP expertise
*) + Client effort
Project Plan: Full Service
[Figure: timeline from Start to Go-live: Project Setup, Installation Architecture, Risk Recognition, Rule Building and Validation, Analysis, Remediation & Mitigation, UAT and Review / Documentation, Go-live, Exemplary Support / Full Support, Project Closing; Training on the Job / Coaching / Testing running alongside]
Project Organization
Full Service
Steering Committee
Project Managers
Business Process Owners
Key Users
Audit
PM(A) SAP PM Customer
SAP AG 2007, SAP Skills 2007 Conference / G3 / 143
Required Availability of Resources
Min = On requirement; Medium = 1-2 days per week; High = 3-4 days per week
Project role Required availability
Project Executive Sponsor Sponsorship + steering
Project Steering Committee Once per month
Customer Project Manager High
Business Process Owner Min
Business Process Team Member (key user) Medium
Technical Team High
SAP AG 2007, SAP Skills 2007 Conference / G3 / 144
Questions?
SAP AG 2007, SAP Skills 2007 Conference / G3 / 145
SAP AG 2007, SAP Skills 2007 Conference / G3 / 146
Copyright 2007 SAP AG. All Rights Reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, System i, System i5, System p, System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.