
SAP ERP Financials
SAP Solutions for Governance, Risk, and Compliance and SAP GRC Access Control

Rainer Salaw, CPA, SAP Deutschland AG & Co KG, Regional Solution Sales GRC EMEA
Barbara Mayer, Enterprise Risk Management, SAP Consulting


AGENDA
GRC as part of SAP Financials
Challenge for GRC
GRC-Suite in detail
Value proposition

SAP AG 2007, SAP Skills 2007 Conference / G3 / 3
The Fast Track to SAP Knowledge


Gartner Strong Positive

Rating scale: Strong Negative, Caution, Promising, Positive, Strong Positive

About SAP GRC Access Control
SAP is the only vendor with a Gartner "recommends" rating in all technique categories (static analysis, provisioning support, integrated provisioning workflow, transaction monitoring and emergency access)
SAP offers one of the strongest product sets in our analysis, comprehensively addressing all SoD issues across multiple SAP instances
Capable of running on multiple ERP platforms
1 Gartner - MarketScope for Segregation of Duties Controls Within ERP, 2007

mySAP ERP Financials

Corporate Performance Management (CPM): Strategy Management (Balanced Scorecard), Consolidation, Planning
Financials: FI, FI-AA, FI-AR/AP; NewGL, CO, PCA
Financial Supply Chain Management (FSCM): Credit Mgmt., Collections Mgmt., Dispute Mgmt., FI-CA, Biller Direct, In-house Cash
Governance, Risk, and Compliance (GRC): internal regulations / ethical standards; strategic/operative risks; external regulations / compliance to laws
Accounting & Finance Transformation


Business Case: the True Information Age

In 2010 the need for fast, accurate and reliable information will have increased significantly. In four areas the demand will rise most; two of them are Risk Management and Governance.

Fragmented Processes and Systems: A Risky Situation!

Supervisory board, internal audit: almost manual, sample based, not error free controls
Management: no overview of the risk portfolio
Compliance / Risk Office: high level risks, not proactive
IT: IT security; SoD management, fraud
Purchasing: supplier rating & embargo lists
Finance: complex, international compliance requirements (e.g. revenue recognition)
Human Resource: environmental health & safety
Sales: credit risks, customer ratings
(diagram spans the value chain from Supply Chain to Customers & Channel)

Gain Confidence by Proactive Transparency with SAP GRC

Supervisory board, internal audit: documented decisions, audit trail
Management: transparency about risks => max. confidence!
Compliance / Risk Office: real-time risk analysis, integrated view
IT: highly secured IT systems
Purchasing: transparent rating, compliance to trade regulations
Finance: compliance in group reporting processes
Human Resource: compliance to environmental standards
Sales: transparent customer solvency
(diagram spans the value chain from Supply Chain to Customers & Channel)

Fragmentation vs. Holistic Approach to GRC

From fragmented risk & compliance (Information Security, Risk Mgmt, SOX Compliance and Internal Audit as separate silos) to holistic GRC (Information Security, Risk Mgmt, SOX Compliance and Internal Audit integrated in one approach)

SAP Solutions for GRC

Industry-Specific GRC: Global Trade; Environment
Cross-Industry GRC: Risk Management; Access Controls; Process Controls
GRC Repository: Documentation and Monitoring
Business Process Platform
Business Applications

GRC Suite
Functions for All Process Orientated Risks and Regulations

Cross industry solution (GRC Suite): Access Control (Compliance Calibrator, Role Expert, Access Enforcer, Fire Fighter); Process Control; Risk Management
Industry specific solutions: Global Trade Services (GTS); Environment, Health & Safety (EH&S); more solutions

GRC Suite
Functions for All Process Orientated Risks and Regulations

Cross industry solution (GRC Suite): SAP GRC Access Control (Risk Analysis and Remediation; Enterprise Role Management; Compliant User Provisioning; Super User Privilege Management); Process Control; Risk Management
Industry specific solutions: Global Trade Services (GTS); Environment, Health & Safety (EH&S); more solutions
GRC-Repository

SAP Solutions for GRC
Framework for an integrated GRC-Solution

Business Process: GRC as an integrated part of all business processes; leverage integration through high automation (e.g. automatic controls)
SAP GRC Access Controls: group-wide utilization, open architecture (usage of SAP's technology platform, no limitation to SAP-ERP systems)
Business Process Platform
Business Applications

GRC Repository
Central System of Record Drives Governance, Increases Transparency

Sources feeding the GRC Repository: Governmental Agencies; Performance Measures & Benchmarks; BOD & Committee Minutes; Influence Councils; Regulations & Industry Mandates; Risk & Control Libraries; Best Practices; Advisory Services (Auditors, Attorneys); Corporate Policies & Procedures; Control Frameworks (COSO, COBIT); Internal Policies

Enforces governance for the entire enterprise: regional regulations; multiple frameworks for each department; pre-built control & risk libraries
Complete body of evidence for compliance
Centralized knowledge base for all GRC relevant information, beyond fragmentation
Single source of truth for reporting


How Does GRC Support You?

Governance & Compliance: e.g. Sarbanes Oxley Act (SOX) etc.; KonTraG; rules of business conduct, ethical standards, governance rules

Identification of all kinds of risks (group wide):
Access Controls: segregation of duties risks; fraud; risky system authorizations; misuse of rights
Process Controls: compliance of processing; stick to governance; focus on operational business risks; quality of processes
Risk Management: focus on non-operative risks; opportunity management; decision support

Transparency and Remediation: define appropriate actions for identified risks
Eliminate risks by segregation of duties (remove authorizations, redesign processes)
Minimize risks by defining appropriate mitigation controls
Maximize risk awareness (transparency, continuous monitoring, escalation, mitigation, remediation)

Legend: automation / manual activity

How Does GRC Support You? (Access Control capabilities mapped onto the same overview)

The four SAP GRC Access Control capabilities cover the access control items: Superuser Privilege Management; Enterprise Role Management; Compliant User Provisioning; Risk Analysis and Remediation

SAP GRC Access Control
Sustainable Prevention of Segregation of Duties Violations

Minimal Time To Compliance (Get Clean): Risk Analysis and Remediation - rapid, cost-effective and comprehensive initial clean-up
Continuous Access Management (Stay Clean): Enterprise Role Management - enforce SoD compliance at design time; Compliant User Provisioning - prevent SoD violations at run time; Superuser Privilege Management - close #1 audit issue with temporary emergency access
Effective Management Oversight and Audit (Stay in Control): Periodic Access Review and Audit - focus on remaining challenges during recurring audits

Foundation: risk analysis, remediation and prevention services; cross-enterprise library of best practice segregation of duties rules

Risk Analysis and Remediation
Getting Clean

Initial Risk Analysis and Remediation: facilitates collaboration between Business and IT to clean up access risks
Steps: Risk Identification -> Risk Elimination -> Reporting -> Prevention (end-to-end automation)

"The clean-up process has brought a tremendous degree of discipline to the way we think about and manage user access and authorizations." Deepak Mehrotra, SOX Compliance Manager, Synopsys Inc.

Cross-System Risk Analysis

Heterogeneous IT landscape: a legacy system (inventory and purchasing) holds the authorization "Maintain vendor master data"; a custom system (financials and accounting) holds the authorization "Initiate payment to vendor". Neither system alone shows a conflict; a user holding both authorizations across the two systems is flagged as a RISK by the VIRSA cross-enterprise rule set.
How Does it Work? Compliance Calibrator

The compliance officer asks whether user Maier is compliant. The SoD matrix (PLAN: the defined risks) is fed to the risk analysis function, which collects the ACTUAL authorizations of user Maier from the connected business applications (ERP 2005 and others) through real-time agents (RTA), compares PLAN against ACTUAL, and produces the risk report.

SAP GRC Access Control
Risk Analysis and Remediation Functionality

Risk analysis, detection and remediation of SoD violations in access control and authorization management
GRC Access Control content covers more than 200 risks (critical transactions or authorization objects), which expand into 180,000 rules
Each risk combines two functions (Function 1, Function 2); each function maps to the transactions that implement it in every connected system (System 1: Transaction 1, Transaction 2, ..., Transaction n, Transaction m; System 2: Transaction 1, ..., Transaction m; ...; System n / System m)

Architecture Automatic Rule Generation

Business Risks: Risk 1 = Function A + Function B; Risk 2 = Function C + Function D
Business Functions and their System Actions & Permissions:
Function A: Action 1 + Permission 1; Action 2 + Permission 2; Action 3 + Permission 3; ...; Action n + Permission n
Function B: Action 4 + Permission 4; Action 5 + Permission 5; Action 6 + Permission 6; ...; Action n + Permission n
Function C: Action 7 + Permission 7; Action 8 + Permission 8; Action 9 + Permission 9; ...; Action n + Permission n
Function D: Action 10 + Permission 10; Action 11 + Permission 11; Action 12 + Permission 12; ...; Action n + Permission n

Compliance Calibrator Rule Generation:
ALL cross combinations of Action + Permission between Functions A & B -> Risk Rule 1, Risk Rule 2, ..., Risk Rule 9, ..., Risk Rule n
ALL cross combinations of Action + Permission between Functions C & D -> Risk Rule 10, Risk Rule 11, ..., Risk Rule 18, ..., Risk Rule n
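The cross-system risk analysis, the PLAN-versus-ACTUAL comparison of the Compliance Calibrator and the rule generation described on the last three slides, as an added example in Python (not SAP or Virsa code; every system, user, action and permission name is constructed):

```python
"""SoD rule generation and cross-system risk analysis, as the slides describe it.
Constructed example, not SAP/Virsa code: functions map to (system, action,
permission) triples, a risk names two conflicting functions, rule generation
takes the cross product, and risk analysis compares PLAN (rules) with ACTUAL
(authorizations collected per system, as the real-time agents would)."""
from itertools import product

# Business functions -> the system actions + permissions that realise them.
# All system, action and permission names below are constructed.
FUNCTIONS = {
    "MAINTAIN_VENDOR": {
        ("LEGACY_PURCH", "VEND_MAINT", "CREATE"),
        ("LEGACY_PURCH", "VEND_MAINT", "CHANGE_BANK"),
        ("FIN_ERP", "VENDOR_CHANGE", "LFA1:02"),
    },
    "PAY_VENDOR": {
        ("FIN_ERP", "PAYMENT_RUN", "EXECUTE"),
        ("FIN_ERP", "MANUAL_PAYMENT", "POST"),
    },
    "CREATE_PO": {("LEGACY_PURCH", "PO_CREATE", "CREATE")},
    "RECEIVE_GOODS": {("LEGACY_PURCH", "GR_POST", "POST")},
}

# Business risks: two functions that one person must not hold together.
RISKS = {
    "P001": ("MAINTAIN_VENDOR", "PAY_VENDOR"),  # create a vendor, then pay it
    "P002": ("CREATE_PO", "RECEIVE_GOODS"),
}


def generate_rules(risks=RISKS, functions=FUNCTIONS):
    """Expand every risk into ALL cross combinations of action + permission
    between its two functions. A rule is a frozenset of two triples; the
    cross product is why a few hundred risks expand into a very large rule set."""
    rules = {}
    for risk_id, (fa, fb) in risks.items():
        combos = product(sorted(functions[fa]), sorted(functions[fb]))
        for n, (a, b) in enumerate(combos, start=1):
            rules[f"{risk_id}-{n:03d}"] = (risk_id, frozenset((a, b)))
    return rules


def collect_actual(user, systems):
    """Stand-in for the real-time agents: gather the user's ACTUAL
    authorizations from every connected system into one cross-system set."""
    actual = set()
    for system, user_table in systems.items():
        for action, permission in user_table.get(user, ()):
            actual.add((system, action, permission))
    return actual


def analyze(actual, rules, mitigations=()):
    """Compare PLAN (rules) with ACTUAL (held authorizations) and build the
    risk report: violated rule ids grouped by risk, split into open and
    mitigated (a mitigating control is documented for that risk)."""
    report = {"open": {}, "mitigated": {}}
    for rule_id, (risk_id, pair) in rules.items():
        if pair <= actual:  # both sides of the rule are held, possibly in different systems
            bucket = "mitigated" if risk_id in mitigations else "open"
            report[bucket].setdefault(risk_id, []).append(rule_id)
    return report


def simulate_assignment(actual, extra_auths, rules, mitigations=()):
    """Preventive simulation before provisioning: which open risks would the
    requested authorizations introduce that the user does not have already?"""
    before = analyze(actual, rules, mitigations)["open"]
    after = analyze(actual | set(extra_auths), rules, mitigations)["open"]
    return sorted(set(after) - set(before))


# Constructed per-system user tables, as an agent would return them.
SYSTEMS = {
    "LEGACY_PURCH": {"MAIER": [("VEND_MAINT", "CREATE")],
                     "HUBER": [("PO_CREATE", "CREATE")]},
    "FIN_ERP": {"MAIER": [("PAYMENT_RUN", "EXECUTE")], "HUBER": []},
}

if __name__ == "__main__":
    rules = generate_rules()
    for user in ("MAIER", "HUBER"):
        print(user, analyze(collect_actual(user, SYSTEMS), rules))
    print(simulate_assignment(collect_actual("HUBER", SYSTEMS),
                              {("LEGACY_PURCH", "GR_POST", "POST")}, rules))
```

Maier's vendor maintenance right sits in the legacy system and the payment right in the financial system, so only the combined ACTUAL set reveals the P001 violation.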


Enterprise Role Definition
Enables Enterprise Role Definition and Maintenance in a Single Location

Enterprise-wide role definition and maintenance with built-in segregation of duties check

Centralized Role Management: enterprise rules and SAP GRC Access Control with audit log produce compliant enterprise roles, distributed as roles across applications
Reduce cost of role maintenance
Ease compliance and avoid authorization risk
Eliminate errors and enforce best practices
Assure audit-ready traceability and security checks
28% time savings in role management (Customer Survey, 3/2006)

SAP GRC Access Control
Enterprise Role Management

Typical Challenges
Too many users have SAP_ALL
SoD violations!
No activity monitoring, no audit trail
No time limitation for SAP_ALL users
No clearly responsible person for SAP_ALL authorizations
Smart emergency situation management
No clear workflow in case of emergency!

-> SAP GRC Superuser Privilege Management for SAP

SAP GRC Superuser Privilege Management

Flow across multiple SAP systems: FireFighter IDs (e.g. FireFighter ID FICO, FireFighter ID MM, FireFighter ID SD, FireFighter ID Basis) are assigned to user Maier. Maier logs in to the system as the normal user, starts the FireFighter transaction, and conducts the process in a new session under the selected FireFighter ID, which carries the broad SAP_ALL authorization. All FireFighter activities are recorded in detail in a log file. Afterwards Maier logs off as FireFighter, and the system log-off happens within the normal user Maier.
Eliminates the no. 1 auditors' issue!
Multiple usage of FireFighters (e.g. year end closing activities, substitution activities, design of new roles, and many more)

SAP GRC Superuser Privilege Management
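The FireFighter flow on this slide together with the typical challenges listed before it, as an added Python example (not SAP code): a checked-out FireFighter ID that logs every activity and expires, plus a review over a constructed user master extract that flags standing SAP_ALL assignments. All IDs, names and dates are constructed.

```python
"""Superuser privilege management, modelled after the FireFighter flow on the
slide. Constructed example, not SAP code: the broad authorization lives on a
FireFighter ID with a named owner; a normal user checks the ID out for a
reason, every activity is logged, the session expires, and the owner gets
the audit record. review_standing_access() flags the typical challenges
listed before (standing SAP_ALL on normal users, no time limit, no owner)."""
from datetime import datetime, timedelta

# FireFighter IDs (constructed): owner, eligible users, carried profile.
FIREFIGHTER_IDS = {
    "FF_FICO": {"owner": "CONTROLLER1", "users": {"MAIER"}, "profile": "SAP_ALL"},
    "FF_BASIS": {"owner": "BASISLEAD", "users": {"HUBER"}, "profile": "SAP_ALL"},
}


class FirefighterSession:
    """One checkout of a FireFighter ID by a normal user (new session)."""

    def __init__(self, user, ff_id, reason, now, max_hours=4):
        if user not in FIREFIGHTER_IDS[ff_id]["users"]:
            raise PermissionError(f"{user} is not assigned FireFighter ID {ff_id}")
        self.user, self.ff_id, self.reason = user, ff_id, reason
        self.started, self.expires = now, now + timedelta(hours=max_hours)
        self.closed = False
        self.log = []  # every activity is recorded in detail, not sampled

    def perform(self, transaction, now, detail=""):
        """Record one activity; refuse once the session is closed or time-boxed out."""
        if self.closed or now > self.expires:
            raise TimeoutError("FireFighter session closed or expired; check out again")
        self.log.append({"ts": now.isoformat(), "user": self.user, "ff_id": self.ff_id,
                         "transaction": transaction, "detail": detail})

    def close(self, now):
        """Log off as FireFighter; the record goes to the FF ID owner for review."""
        self.closed = True
        return {"user": self.user, "ff_id": self.ff_id, "reason": self.reason,
                "owner": FIREFIGHTER_IDS[self.ff_id]["owner"],
                "started": self.started.isoformat(), "ended": now.isoformat(),
                "activities": list(self.log)}


def review_standing_access(user_master, ff_ids=FIREFIGHTER_IDS):
    """Flag the audit issues the slides list. user_master is a constructed
    extract of user records: profiles and an optional valid-to date."""
    findings = []
    for user, rec in user_master.items():
        if "SAP_ALL" in rec.get("profiles", ()) and user not in ff_ids:
            findings.append((user, "SAP_ALL assigned to a normal user instead of a FireFighter ID"))
            if rec.get("valid_to") is None:
                findings.append((user, "SAP_ALL without time limitation"))
    for ff_id, meta in ff_ids.items():
        if not meta.get("owner"):
            findings.append((ff_id, "FireFighter ID without a responsible owner"))
    return findings


# Constructed user master extract (the data a user export would supply).
USER_MASTER = {
    "MAIER": {"profiles": ["SAP_ALL"], "valid_to": None},
    "HUBER": {"profiles": ["Z_FI_CLERK"], "valid_to": None},
    "FF_FICO": {"profiles": ["SAP_ALL"], "valid_to": None},
}


def run_demo():
    """Walk through the slide's flow and return the outcomes to check."""
    t0 = datetime(2007, 12, 31, 8, 0)
    session = FirefighterSession("MAIER", "FF_FICO", "year end closing", t0)
    session.perform("POST_CLOSING_ENTRY", t0 + timedelta(minutes=10), "doc 4711")
    record = session.close(t0 + timedelta(hours=1))
    try:  # HUBER is not assigned FF_FICO
        FirefighterSession("HUBER", "FF_FICO", "substitution", t0)
        denied = False
    except PermissionError:
        denied = True
    try:  # activity after log-off / time box must be refused
        session.perform("POST_CLOSING_ENTRY", t0 + timedelta(hours=5))
        expired = False
    except TimeoutError:
        expired = True
    return {"record": record, "denied": denied, "expired": expired,
            "findings": review_standing_access(USER_MASTER)}


if __name__ == "__main__":
    print(run_demo())
```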

SAP GRC Access Controls
Compliant User Provisioning

"We reduced provisioning from 2 weeks to 2 days." Web Seminar Rockwell Collins, 3/2005

Current approach (inefficient, not compliant): HR event (employee hired/retired) -> access request by email -> manager approval by email -> requests tracked in Word, Excel etc. -> IT Security performs the risk analysis with tables and forms -> manual provisioning

Workflow process in Access Enforcer: HR event -> request generated -> workflow path based on request type and user attributes -> manager approval -> role owner selects compliant roles from Role Expert -> online risk analysis in Compliance Calibrator (one-click preventive simulation; exception workflow; escalation workflow via e-mail) -> automated provisioning (100% automated)

Assignment (and withdrawal) of roles and authorization profiles with built-in, automatic segregation of duties check

SAP GRC Access Controls
Compliant User Provisioning

Roadmap
SAP GRC Access Control 5.3

Q2 2007 (AC 5.2 SP3): Access Control 5.2 SP3
Language translations: Country A languages: English, French, German, Japanese; Country B languages: Spanish, Portuguese, Italian, Hungarian
Cross-Enterprise (Greenlight): real-time agents for risk analysis; comprehensive SOD rules for Oracle, JDE and PeopleSoft

Q3 2007 (AC 5.2 SP4): Access Control 5.2 SP4
Web services for IDM integration (official and stable API for partners)
Fix for connector limit in Compliance Calibrator
* Note: this release will not include granular security and logging requirements (in the next release)

Q1 2008 (AC 5.3): SAP GRC Access Control 5.3
SAP GRC Access Control branding and single launchpad for all 4 access control capabilities

Risk analysis and remediation (formerly known as Virsa Compliance Calibrator)
Risk analysis for SAP Enterprise Portal and UME
Close critical CC 4.0* & SAFE gaps
BI integration for custom reporting
Reporting enhancements: additional auditor, business manager and IT reports; SOD management by exception (integration w/ workflow)
Miscellaneous: import/export of configuration data; migration scripts; download and print capability on every report
Performance improvements: concurrent risk analysis; batch mode risk analysis; improved memory management

Compliant user provisioning (formerly known as Virsa Access Enforcer)
Compliant provisioning for SAP EP
Compliant provisioning for Oracle, PeopleSoft and JDE (Greenlight)
HR triggers for PeopleSoft
Password resets for ORCL, PSFT, JDE
Close AE.net & SAFE gaps
Authoritative user sources: integration with multiple LDAPs and SAP HR as user data source
Reporting enhancements: user access reviews (manager / user reaffirm); cross system risk analysis / simulation
Supporting multiple CUAs
Full support for all SU01 fields
Misc.: form customization; import/export of configuration data

Enterprise role management (formerly known as Virsa Role Expert)
Close RE 4.0 gaps
Additional reports: search roles; single composite role relationship; list role & transactions; more detailed role change history; role authorization changes at object field level; view PFCG change log
Generate roles for multiple systems
Risk simulation for combined roles and existing user simulation at role design time
Enforce naming convention according to policy
Role mappings
Misc.: import/export of configuration data; migration scripts

Superuser privilege management (formerly known as Virsa Firefighter for SAP)
Change log / self auditing: audit trail for configuration changes; write log report to designated file server
Web report enhancements: report filter variant; report for all systems
Retrieve change log from CDHDR table for performance improvement
Assign multiple FF owners to one FF ID


SAP Addresses the Needs of Multiple Stakeholders

Stakeholders: Business Executives; Internal Auditors; Business Process Managers; IT Security and Support (Virsa support)

Concerns, as grouped on the slide:
Risk appetite; controls in place; risk avoidance; controls working effectively; visibility; timely notification; cost of compliance
Risks correctly identified; response to control deficiencies; preventive controls
Risk identification & evaluation; timely notification; maximum productivity
IT Security and Support: identify & implement compliance systems; fit with IT infrastructure; transfer accountability to business; prevent risk from entering systems

Benefits of Using an Integrated Control System

CONTROL: increase confidence in the effectiveness of your controls; 100% testing of all data all the time; enable early detection and remediation
AUTOMATION: reduce cost without compromising compliance; reduced audit fees and testing costs; streamlined testing and remediation
INSIGHT: effectively manage business, financial, and compliance performance; real-time view of control health; enterprise-wide visibility into risks and controls

PC 2.5 Supports Compliance Processes

Roles shown on the slide: Management (scoping, documentation, assessment, sign-off), Auditor (test operating effectiveness), Continuous Control Monitoring (underlying all phases)

Scoping and Set-Up: organization hierarchy; assignment of sub-processes to organizations; assignment of sub-processes to significant accounts / relevant assertions; identify fraud related risk
Document Processes and Controls: central process catalog; organization specific control documentation; central catalog of control objectives/risks; documentation of testing procedures; documentation of entity-level controls; setup of automated control testing and monitoring; gap analysis reporting
Assess Control Design and Remediate Issues: control and process design assessments via surveys; entity-level control assessments via surveys; identification of issues; validation of assessments; remediation of issues; progress tracking and analysis
Test Operating Effectiveness: documentation of testing results; documentation of continuous control monitoring; identification of issues; remediation and retest of issues; progress tracking and analysis
Sign-Off, Prepare Certification / Internal Control Report: review analysis overviews with drill-down; reporting functionality; management reports; workflow-triggered sign-off supporting 404 reporting / 302 certification
Attest and Report: attestation

Process Control 2.5 Solution Overview

Analytics: work list
Structures: Organization Hierarchy; Process Hierarchy; Account Groups / Assertions; Control Objective Catalog; Entity-Level Controls Hierarchy
Assessment Surveys: question library; survey library
Manual Tests: test plans
Automated Testing: rules; queries; scheduling
Evaluation: work list; compliance assessments; testing; monitoring
Sign-off
User: roles; delegation

PC 2.5 Innovation
Information Architecture and Organization Hierarchy

Improved productivity with new work center-based design approach

Control Framework and Organization Management

Structure Definition:
Organizational Hierarchy (n-tier): Business Segment; Region; Division / Legal Entity; Business Operation; Location / Operating Unit
Account Hierarchy: Account Groups; Significant Account; Assertions
Compliance Category
Process / Risk / Control Hierarchy: Process; Sub process; Risks / Control Objectives; Controls (Assertions); Control Tests (Manual/Auto)
Linked to: Assessments; Remediation Case; Signoff Flow

SAP GRC Process Control: Convergence of Controls
Process Management and Continuous Controls Monitoring

[Diagram: the Process Control cycle - Document; Test (test automated controls, test manual controls, perform assessments); Monitor (review exceptions, remediate issues); Certify (certify and sign-off: 302, Designs, ...) - applied across business processes and IT infrastructure along the process-control-objective-risk hierarchy]

Single solution for end-to-end enterprise control management
Provides centralized control management for automated and manual controls: financial controls; operational controls; IT controls
Enables management by exception: prioritizes remediation activities; provides management insight into the control environment

GRC Process Control - Single Solution for End-to-End Enterprise Control Management
GRC Repository

[Diagram: Process Control cycle - Document, Test, Monitor, Certify]

Link control documentation to manual and automated control tests
Rationalizes controls against multiple frameworks
Provides a flexible organization hierarchy
Flexible integration framework for document management systems
Single source of truth for reporting

Actionable Intelligence from Compliance Analytics

Role-based dashboards provide actionable insight into control status
Global heat map highlights exceptions from all control tests and assessments
Management level reports highlight exceptions from all control tests and assessments
Enterprise transparency across multi-instance and multi-platform environments

SAP GRC Process Control Dashboard

Control Execution Monitor provides latest information on deficiencies
All information is organized in tabs
Control Monitor provides summarized information over time
Inbox provides quick access to cases and tasks
Survey Monitor tracks sign-off and assessment surveys

Management Reports with Drill-Down

Drill-down capability provides details of the cases and case priority for each report

SAP GRC Process Control: Centralized Control Management

[Diagram: Process Control cycle - Document, Test, Monitor, Certify]

One system for managing automated and manual controls
System can manage financial controls, operational controls and IT controls
Controls can be monitored across multiple enterprise systems
Improve controls with regular assessments

Control Environment Setup

Assignment of compliance information (financial and non-financial assertions)
Assignment of organizations
Assignment of test plan and test step owners

Example: Control: prior period posting check; Process: Manage Financial Accounting; Subprocess: Perform Closing; Risk: manipulation of financial results; Objective: accurate financial reporting

Creates complete control environment, including organizations, business processes, sub processes, risks, objectives, test plans
Creates and links both manual and automated control tests in a single application
Selects controls that contribute to financial quantification of risk for executive reporting

SAP GRC Process Control: Centralized Control Management - Automated Process Controls

[Diagram: Process Control cycle - Document, Test, Monitor, Certify]

Detects global violations and prioritizes corrective action (automatic case generation)
Apply same control to multiple organizations (version concept)
Automatically monitors controls in multiple enterprise applications
80 master controls were delivered

Three Ways to Monitor Automated Controls Across Critical Business Processes

Select - Pre-delivered Test: pre-delivered tests with flexible rule criteria for SAP and Oracle
Re-use - Custom Test: plug-and-play your existing test scripts
Construct - Ad-hoc Test: create control tests on-the-fly with custom query builder

Business process coverage:
Order to Cash: Order Capture; Order Fulfillment; Billing & Returns
Procure to Pay: Demand Planning; Operational Procurement; Inventory Management; Payables Management
Reconcile to Report: Budgeting; Planning; Sub ledger Transactions; Financial Close; Revenue Recognition; Consolidation & Reporting
IT Basis: Application Security; Change Control

Order to Cash Sample Automated Control Monitoring

Did the customer order exceed allowed thresholds?
Was pricing or exchange rates adjusted?
Were there changes to revenue accounts and posting tolerances?
Were shipments made without proper sales documents?

Automatically Create & Test 1000s of Controls

Configuration, Master Data and Transaction Data: any form, tab or field ...
Multiple controls per field: check that control value exists; monitor changes to control; monitor change frequency; apply absolute value threshold; apply percentage threshold; hide / disable / query only

Sample Automated Control Tests
Have any duplicate vouchers been processed over the past 30, 60, 90 days?
Is the Duplicate Voucher flag turned ON?
Has the duplicate Voucher control changed? How often?
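The sample automated control tests above (duplicate vouchers over 30/60/90 days, the duplicate voucher flag, and its change frequency), as an added Python example that is not SAP code; the postings, the configuration change log and the run date are constructed:

```python
"""Automated control tests of the kind the slide lists, run over constructed
data (not SAP code): duplicate vouchers within 30/60/90-day windows
(transaction data), the duplicate voucher check flag (configuration), and
how often that flag changed (change frequency). Every failed test becomes a
case for the remediation queue, which is what management by exception means."""
from collections import Counter
from datetime import date, timedelta

AS_OF = date(2007, 11, 30)  # constructed test run date

# Constructed vendor invoice postings: company code, vendor, reference, amount, posting date.
VOUCHERS = [
    {"ccode": "1000", "vendor": "V100", "ref": "INV-77", "amount": 1200.0, "posted": date(2007, 11, 2)},
    {"ccode": "1000", "vendor": "V100", "ref": "INV-77", "amount": 1200.0, "posted": date(2007, 11, 20)},  # duplicate
    {"ccode": "1000", "vendor": "V200", "ref": "INV-5", "amount": 80.0, "posted": date(2007, 9, 1)},
    {"ccode": "1000", "vendor": "V200", "ref": "INV-5", "amount": 80.0, "posted": date(2007, 9, 3)},  # older duplicate
    {"ccode": "2000", "vendor": "V100", "ref": "INV-77", "amount": 1200.0, "posted": date(2007, 11, 21)},  # other company code
]

# Constructed change documents for the duplicate invoice check flag per company code.
CONFIG_CHANGES = [
    {"ccode": "1000", "field": "DUPLICATE_CHECK", "new": "ON", "changed": date(2007, 6, 1)},
    {"ccode": "1000", "field": "DUPLICATE_CHECK", "new": "OFF", "changed": date(2007, 11, 18)},
    {"ccode": "1000", "field": "DUPLICATE_CHECK", "new": "ON", "changed": date(2007, 11, 22)},
    {"ccode": "2000", "field": "DUPLICATE_CHECK", "new": "OFF", "changed": date(2007, 1, 1)},
]


def duplicate_vouchers(vouchers, as_of, window_days):
    """Transaction-data test: same company code, vendor, reference and amount
    posted more than once inside the window. Returns the duplicated keys."""
    start = as_of - timedelta(days=window_days)
    keys = Counter((v["ccode"], v["vendor"], v["ref"], v["amount"])
                   for v in vouchers if start <= v["posted"] <= as_of)
    return sorted(k for k, n in keys.items() if n > 1)


def current_flag(changes, ccode, field, as_of):
    """Configuration test: the value the field had on as_of (latest change up to that date)."""
    rows = [c for c in changes
            if c["ccode"] == ccode and c["field"] == field and c["changed"] <= as_of]
    return max(rows, key=lambda c: c["changed"])["new"] if rows else None


def change_frequency(changes, ccode, field, as_of, window_days):
    """Change-frequency test: number of changes to the field inside the window."""
    start = as_of - timedelta(days=window_days)
    return sum(1 for c in changes
               if c["ccode"] == ccode and c["field"] == field and start <= c["changed"] <= as_of)


def run_control_tests(as_of=AS_OF, ccodes=("1000", "2000"), max_changes=1):
    """Run all three tests; each failure is one case naming the control that raised it."""
    cases = []
    for days in (30, 60, 90):
        for key in duplicate_vouchers(VOUCHERS, as_of, days):
            cases.append({"control": f"DUP_VOUCHER_{days}D", "ccode": key[0], "detail": key})
    for cc in ccodes:
        flag = current_flag(CONFIG_CHANGES, cc, "DUPLICATE_CHECK", as_of)
        if flag != "ON":  # control value missing or switched off
            cases.append({"control": "DUP_CHECK_FLAG", "ccode": cc, "detail": flag})
        n = change_frequency(CONFIG_CHANGES, cc, "DUPLICATE_CHECK", as_of, 90)
        if n > max_changes:  # flag toggled more often than policy allows
            cases.append({"control": "DUP_CHECK_CHANGE_FREQ", "ccode": cc, "detail": n})
    return cases


if __name__ == "__main__":
    for case in run_control_tests():
        print(case)
```

Note that company code 1000 passes the flag test on the run date although the flag was OFF for four days in November; only the change-frequency test exposes that window.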

SAP GRC Process Control: Centralized Control Management - Manual Control Testing

[Diagram: Process Control cycle - Document, Test, Monitor, Certify]

Streamlines manual controls and tests
Provides manual test plans with detailed test steps and instructions
Promotes timely performance with scheduled workflow and email notifications
Documents evidence to support evaluation results
Captures monetary risk quantification for failed tests

Manual Compliance Management
Costly Effort to Coordinate Tasks

Compliance Team: create test plan ("What do we need to test? Who should perform the test?"); paper-based documentation surveys for completion; consolidate results from multiple sources ("Is this the right process?")
Control Testers: receive test instructions via email; create documents and spreadsheets and save to local file servers; perform manual tests based on verbal instructions ("What am I supposed to do? Why is this important?")
Management & Executives: "Where do we stand? How can we improve?"

Workflow Streamlines Manual Control Activities
Automated Notification and Guided Procedures Ensure Timeliness and Reliability

Compliance Team: document control and test plan
Control Testers: follow guided procedure and perform test; attach reference document and spreadsheet; report results and attach evidence
Management & Executives: review results

Automatic notification routes tasks to appropriate users
Guided procedures and reference documents train users
Complete audit trail of testing results and evidence

SAP GRC Process Control: Convergence of Compliance Process
Management and Continuous Controls Monitoring - Self Assessment

[Diagram: Process Control cycle - Document, Test (including perform self-assessments), Monitor, Certify]

Flexible surveys to support design assessments and self-assessments
Assessments for process design, control design, entity-levels, and more
Promotes timely performance with scheduled workflow and email notifications
Reference information and instructions guide occasional users

Deploy Flexible Assessments

Flexible survey creation, scheduling, and routing
Handles assessments for process design, control design, entity-levels, and more
Reference information and instructions guide occasional users

Survey Management

Survey reports provide drill-down to any cases generated

SAP GRC Process Control: Management by Exception

Remediation Case Management

(Diagram: Process Control cycle with Document, Test Automated Controls, Test Manual Controls, Perform Assessments, Review Exceptions, Remediate Issues, Certify and Sign-off (302, Designs, ...) and Monitor, across Business Processes and IT Infrastructure; Process-Control-Objective-Risk; calendar and survey residue not recoverable.)

Detects global exceptions and prioritizes corrective action
Workflow-based notifications alert users to failed tests or assessments
Documents remediation activities and resolution
Dashboards and reporting provide actionable insight to exceptions

Accelerate Time to Resolution with Remediation Case Management

(Diagram: Deploy Automated Controls and Test Manual Controls across Business Processes and IT Infrastructure, Perform Self-Assessments; survey residue not recoverable.)

Automated prioritization focuses valuable resources on high-impact exceptions
Automated routing and notification ensures nothing falls through the cracks

Case Trail and Status Tracking During Case Remediation

Linked to test results
Case trail and status tracking during case remediation
Threaded discussion of resolution activities provides evidence for external auditors
Resolution can be captured along with the case details for audit purposes

SAP GRC Process Control: Convergence of Control Process Management and Continuous Controls Monitoring

Management Certification

(Diagram: Process Control cycle with Document, Test Automated Controls, Test Manual Controls, Perform Assessments, Review Exceptions, Remediate Issues, Certify and Sign-off (302, Designs, ...) and Monitor, across Business Processes and IT Infrastructure; Process-Control-Objective-Risk; calendar and survey residue not recoverable.)

Section 302 and 404 certification
Business process review and approval
Freeze key information that has been signed-off
Hierarchical, bottom-up progression

Automatic Sign-Off Process

Sign-off progresses bottom-up through the hierarchy, from step 1 at the lowest level to step 6 at the top:
1. AR Billing, AR Collections: each sub-process owner signs off
2. Order to Cash: process owner signs off
3. US Finance: lowest location signs off
4. US: higher location signs off
5. Corporate Signers: corporate signer(s) sign off
6. CEO/CFO: CEO/CFO sign off

Support section 302 certification
Freeze key information that has been signed-off
Hierarchical, bottom-up progression
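The bottom-up sign-off rule above (a level may sign only once every level below it has signed, and signed-off key information is frozen), as an added Python illustration that is not SAP code; the node names follow the slide, while the signer user names and the information fields are assumptions.

```python
"""Bottom-up sign-off with frozen key information, modelled on the slide."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Node:
    name: str
    signer: str                                   # user expected to sign this level
    children: List["Node"] = field(default_factory=list)
    info: Dict[str, str] = field(default_factory=dict)  # "key information"
    signed_by: Optional[str] = None
    frozen_info: Optional[Dict[str, str]] = None  # snapshot taken at sign-off

    @property
    def signed(self) -> bool:
        return self.signed_by is not None


class SignOffError(Exception):
    pass


def unsigned_children(node: Node) -> List[str]:
    return [c.name for c in node.children if not c.signed]


def sign_off(node: Node, user: str) -> None:
    """Refuse unless every child is already signed off and the signer matches;
    on success freeze the node's key information."""
    if node.signed:
        raise SignOffError(f"{node.name} already signed off by {node.signed_by}")
    pending = unsigned_children(node)
    if pending:
        raise SignOffError(f"{node.name}: children not signed off: {pending}")
    if user != node.signer:
        raise SignOffError(f"{node.name}: {user} is not the signer ({node.signer})")
    node.signed_by = user
    node.frozen_info = dict(node.info)


def update_info(node: Node, key: str, value: str) -> None:
    """Key information may change only until the node is signed off."""
    if node.signed:
        raise SignOffError(f"{node.name} is frozen after sign-off")
    node.info[key] = value


def build_sample_hierarchy() -> Node:
    """Constructed sample following the slide: sub-processes at the bottom,
    CEO/CFO at the top. Signer user names are assumptions."""
    billing = Node("AR Billing", "billing_owner", info={"controls": "3 tested"})
    collections = Node("AR Collections", "collections_owner")
    o2c = Node("Order to Cash", "process_owner", [billing, collections])
    us_finance = Node("US Finance", "us_finance_signer", [o2c])
    us = Node("US", "us_signer", [us_finance])
    corporate = Node("Corporate Signers", "corporate_signer", [us])
    return Node("CEO/CFO", "ceo_cfo", [corporate])


def bottom_up_order(root: Node) -> List[Node]:
    """Post-order traversal: the only order in which sign_off() succeeds."""
    order: List[Node] = []
    for child in root.children:
        order.extend(bottom_up_order(child))
    order.append(root)
    return order


def run_full_signoff(root: Node) -> List[str]:
    """Sign every level bottom-up; returns node names in the order signed."""
    signed = []
    for node in bottom_up_order(root):
        sign_off(node, node.signer)
        signed.append(node.name)
    return signed


def find(root: Node, name: str) -> Optional[Node]:
    if root.name == name:
        return root
    for child in root.children:
        hit = find(child, name)
        if hit:
            return hit
    return None
```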

SAP GRC Process Control: the Integrated Solution for Enterprise-Wide Management of Any Kind of Controls

Risk based approach
Cost reduction through automation
Automated case management, accelerated remediation process
Integrated solution, low TCO
Reduces RISKS and saves TIME and MONEY

SAP GRC PC 2.5 Architecture

GRC NWBC User Interface: Navigation; WebDynpro Content; SAP Application Pages; BI Pages for Analytics; Portal Pages for Analytics

Process Control Plus (Java Stack): Automated Controls; Cross-Platform Enablement; Repository Interfaces; Savvion BPM/Workflow

SAP Services (ABAP Stack): Master Data; Audit Log; Survey Assessments; Testing; Object Level Security; Sign Off; Query Builder; Report Mart

SAP Solutions for GRC: Framework for an Integrated GRC-Solution

(Layered diagram: Business Process; SAP GRC Access Controls; Business Process Platform; Business Applications.)

Risk Management Today: No Transparency, Suboptimal Decision-Making

(Diagram with three groups: Management & Executives, Lines of Business, Risk Managers.)

Questions raised: "What is the status of our top risks?", "Am I on track to reach my goals?", "Will we meet analyst / market expectations?", "What risks don't we know about?", "Another assessment to fill out?", "What are our top 10 risks?"

Current practice: brainstorm one-off response possibilities; ask for additional input; siloed risk thinking; send out MS Excels; workshop after workshop; focus only on negative risks

The Goal: Risk-Adjusted Management of Enterprise Performance

Executives: risk in context of corporate strategy and performance; understand true exposure resulting from risk correlation; achieve proactive transparency
Lines of Business: applications to mitigate top risks; automatic risk identification; role-based best practice playbooks; end-to-end risk processes across the value chain
Risk Managers: enable risk management innovation; become a driver of business change

SAP Solutions for GRC: Risk Management in a Leading Role

(Diagram: the GRC-Suite with Risk Management, Process Controls, Access Controls and the GRC-Repository; related SAP solutions GTS, EH&S, REA and xEM; other partner solutions and the SONA xApp; a cross industry solution on the Business Process Platform (SONA); an external provider of KRIs / content.)

Risk Management Steps: Process Automation for the Virtuous Cycle

Establish risk appetite and thresholds
Actionable, role-based dashboards and alerts
Collaborate and aggregate across the enterprise
Balance cost of risk avoidance and opportunity

Drive Consistency: Agreement on Top Risks, Thresholds, and Appetite

Create Risk and Activity Catalogs
What types of risks do we want to track?
Proposed risks based on activity type
Align risks to corporate goals
Customizable, pre-delivered content (Risk Catalog in the GRC Repository)

Identify KRI Targets and Thresholds
Example for supply chain continuity risk: KRI 1, scrap rates, threshold 5%; KRI 2, supplier on-time delivery, threshold <95%

Document Risk Appetite

Avoid Surprises: Identify and Assess All Key Risks Across the Enterprise

Automatically Identify Risks
Embedded into key business processes
Workflow delivers assessments to experts
SAP CRM example

Collaborative Assessments for Manual Risk Activities
Qualitative & quantitative point and scenario analyses
Analyses done before and after response
Workflow reminders for updates

Prioritization using Risk Heat Map
Prioritization for response investment
Identifying shifts in the risk profile

Respond Intelligently: Create Resolution Strategies for Critical Risks

Spot Risk Interdependencies
Correlation between risks, e.g. Indirect Global Taxes and New Global Suppliers

Top Industry Risks (across Supply, IT, Sales and Finance) and the solution addressing each:
Mismatch of Demand with Supply: xSOP
Employee health and safety: EH&S
Non-compliance with emissions: xEM
Production disruptions: EAM
Supplier disruptions: SRM/xSA
Non-compliance with RoHS/WEEE: CfP
Non-compliance to Fin Regulations: GRC
...

Enabling Lines of Business to Effectively Mitigate Risks

Best Practice Response Playbooks
Risk: Merger / Acquisition
Lessons Learned; Propose Risk Response; Loss Event Tracking; Proposed Responses
Self-learning Response Effectiveness

Stay Informed: Build Proactive Monitoring Into Existing Business Processes

Executive and Risk Manager Dashboards

Set Control Limits Based Upon Associated Risk
The regulatory checklist approach has led to over-controlling and under-controlling many processes
Set controls based upon the level of risk associated with each business process

Capture Incidents and Losses
Learn from previous experiences
Incorporate into response playbook

We Drink Our Own Champagne: SAP Risk Management Drives Excellence at SAP AG

A sustainable business benefit

"IT matters in achieving good governance as it helps in becoming a better run business. It can enable companies to move beyond pure compliance towards a sustainable business benefit."
Werner Brandt, CFO SAP AG. Event: The 4th Boardroom Series Breakfast Meeting Shanghai, June 12, 2006

A part of management excellence

"In an ever changing world economy, partners, and customers management excellence is required to react positively and therefore fast to any changes. Risk Management is clearly a part of management excellence."
Hans Peter Klaey, President SAP Asia Pacific

(Timeline residue: 2005, 2007.)

Why SAP GRC Risk Management?

Automatic Risk Identification and Monitoring Across the Enterprise
Risks in Context of Strategy and Objectives (Strategy Management, Planning)
Enabling Lines of Business to Mitigate Top Industry Risks

Top Industry Risks and the solution addressing each:
Mismatch of Demand with Supply: xSOP
Employee health and safety: EH&S
Non-compliance with emissions: xEM
Production disruptions: EAM
Supplier disruptions: SRM/xSA
Non-compliance with RoHS/WEEE: CfP
Non-compliance to Fin Regulations: GRC


SAP Solutions for Governance, Risk and Compliance

Single, holistic and integrated approach for managing governance, risks and compliance
Deliver enterprise predictability and quality of operations: No Surprises
Reduce the cost of compliance and free resources for innovation
Improve performance by proactive risk management
Prevention of fraud, bribery, corruption
Increase confidence of stakeholders

SAP Solutions for GRC Access Control

(Reference table in three columns headed Customer / Users: customer logos with user counts; the logos are not recoverable. The listed user counts range from 4,200 to 100,000+.)

Summary

Market leader
Real-time Prevention
RISK
Cross system
Integrated end-to-end solution

Contact

Rainer Salaw, CPA
CFO Solution Sales EMEA
Governance, Risk & Compliance
SAP Deutschland AG & Co. KG
Phone +49 (811) 5545-225
Mobile +49 (0170) 2200125
Rainer.Salaw@sap.com
http://www.sap.com/financials

SAP ERP Financials
SAP Solutions for Governance, Risk, and Compliance and SAP GRC Access Control

Barbara Mayer
Enterprise Risk Management, SAP Consulting

AGENDA
The Access Control Suite: An Overview
The SOD Management Process
Project Organization


Client Issues

Negative Sarbanes-Oxley Audit Results
Segregation of Duties / Excessive Access
Security Administration Process
Internal Controls Repository
Maintaining a clean environment
ERP Upgrades
Escalating help desk costs
Change management
SOX awareness/responsibility

GRC - Governance

Corporate Governance:
Ethical corporate behavior together with management practices in the creation of wealth for all stakeholders
Spells out the rules and procedures for making decisions on corporate affairs

IT-Governance:
Helps to ensure the alignment of IT and enterprise objectives
IT resources are used responsibly and their risks are managed properly

GRC - Risk Management

Risk Management
Identify, classify, document and reduce risks to an acceptable level based on the value of the information resource to the organization
Risk is a result of three different parameters:
Existence of a threat for a business process
Likelihood of occurrence
Impact for the business process

(Diagram: RISK as the combination of THREAT, LIKELIHOOD and IMPACT.)

GRC - Compliance

Acting according to:
National and international legal requirements
Sarbanes-Oxley-Act (US)
Data Protection Law (Germany)
J-SOX (Japan) ...
Corporate Policies representing the corporate philosophy and the strategic thinking on a high level
Low-level policies focusing on the operational layer.

Policies need to be in sync with the overall business strategy and legal requirements

Benefit: Collaboration Within the Company

(Table with the columns Owner, Key Areas and GRC Access Control capability.)

Business Users
Risk Identification and Elimination: analysis and elimination of potential access risks and actual risks; real-time check and assignment of detective and preventive controls
Role Design and Management: risk-preventive role design to address the root of a problem

IT Security
Compliant User Provisioning: efficient user provisioning and deprovisioning from hire to retire
Privileged User Access: auditable superuser privilege management

Management Oversight
Periodic Access Review: review of roles, users and mitigation controls by using automated reporting views

Internal Audit
Audit Cycle Management: provide documentation to help validate that the business team is following the control process

Collaboration between Business and IT: enabling business to take accountability for access

Interdependencies GRC Access Controls

(Diagram of the four components and the links between them.)
Compliance Calibrator with Risk Terminator: Critical Transactions, SoD Analysis
Firefighter
Access Enforcer: Risk Analysis Work Flows
Role Expert: Role Information, Workflow Engine for role approval
Risk Analysis for simulation (link between the components)

Best Practice Road Map GRC Access Controls

Installation
Installation and configuration of Compliance Calibrator and Risk Manager
Firefighter comes with the RTAs (+BC Sets)
Later install and configure Access Enforcer and Role Expert

Implementation, in this order:
Firefighter
Compliance Calibrator with Risk Terminator
Access Enforcer
Role Expert

This Road Map ensures the fastest implementation together with optimal change management

AGENDA
The Access Control Suite: An Overview
The SOD Management Process
Project Organization


AGENDA
SOD Management Process Overview
Risk Recognition
Rule Building
Analysis and Remediation
Mitigation
Continuous Compliance



SoD Management Process: Get Clean & Stay Clean

SOD Risk Management Process
Phase One: 1. Risk Recognition; 2. Rule Building and Validation
Phase Two: 3. Analysis; 4. Remediation; 5. Mitigation
Phase Three: 6. Continuous Compliance

Although every business and every system is unique, each implementation follows the same risk-based Best Practice methodology, which has been proven at many customer sites.

Roles and Responsibilities

Business Process Owners
Identify risks and/or approve risks for monitoring
Approve remediation involving user access
Design controls for mitigating conflicts
Communicate access assignments or role changes
Perform proactive continuous compliance

Senior Officers
Approve/Reject risks between business areas
Approve mitigating controls for selected risks

Security Administrator and Technical Liaisons
Ownership of SAP GRC tools and security process
Design and maintain rules to identify risk conditions
Customize SAP GRC roles to enforce roles and responsibilities
Analysis and remediation of SoD conflicts at role level

Auditors & Regulators
Perform risk assessment on a regular basis
Provide specific requirements for audit purposes
Perform periodic testing of rules and mitigating controls
Act as liaison between external auditors

SoD Rule Keeper
Responsible for SAP GRC tool configuration and administration
Maintain controls over rules to ensure integrity
Act as liaison between basis and SAP GRC Support Center


Phase One: Risk Recognition

(Process strip: Risk Recognition, Rule Building and Validation, Analysis, Remediation, Mitigation, Continuous Compliance.)

RISK RECOGNITION
Identify conflicts and approve exceptions
Clarify and classify risk: high, medium, low
Identify new risks and conditions for monitoring in the future

Segregation of Duties

John can create sales orders and issue credit memos
Risk! Gives someone the access to create a sales order, generating fraudulent revenue, and then reverse the revenue in a subsequent period by issuing a credit memo

Sandy can create vendor master records and process accounts payable payments
Risk! Gives someone the access to create a fictitious vendor and generate fraudulent payments to the vendor

Risk Recognition: Business Process Owners

The Business Process Owners should do the following:
Document business risk and prepare a risk statement
Cross-reference the risk statement with the risks provided with Compliance Calibrator
Assign Risk Levels

Risk Recognition: Example SOD Risk

Risk: Maintain a non bona-fide bank account and divert incoming payments to it.

Conflicting transactions are grouped into functions:

Bank master transactions
FI01  Create Bank
FI02  Change Bank
FI06  Set Flag to Delete Bank

Incoming payment transactions
F-04  Post with Clearing
F-06  Post Incoming Payments
F-26  Incoming Payments Fast Entry
F-28  Post Incoming Payments
F-29  Post Customer Down Payment
F-30  Post with Clearing
F-36  Bill of Exchange Payment
F-39  Clear Customer Down Payment
F-40  Bill of Exchange Payment
F-52  Post Incoming Payments
FBA2  Post Customer Down Payment
FBZ1  Post Incoming Payments
FBZ3  Incoming Payments Fast Entry

Risk Recognition: Example Critical Transactions

Examples of security critical basis transactions:
SA38  Execute ABAP Reports
SE01  Transport Organizer
SE06  Transport Organizer
SE09  Transport Organizer
SE11  ABAP Dictionary
SE16  Table Maintenance
SE36  Logical Database Builder
SE37  ABAP Function Modules
SE41  Menu Painter
SM30  Table Maintenance
SQ00  SAP Query: Start queries
SU12  Delete ALL users
SUB%  Internal call: Submit via command fld
...

Risk Recognition: SAP GRC Risk Database

Over 200 Risk Groups, e.g. Order to Cash, Procure to Pay, Financial Accounting, HR/Payroll, APO, CRM, EBP/SRM, Basis
Validated by Big 4 auditors at 400+ customers
Business language
SAP: results in over 180,000 SoD Object Level Rules
Rules at the Authorization Object level eliminate false positives
Automated rule building
Reduces time for implementation


Phase One: Rule Building and Validation

(Process strip: Risk Recognition, Rule Building and Validation, Analysis, Remediation, Mitigation, Continuous Compliance.)

RULE BUILDING AND VALIDATION
Reference best practices rules for your environment
Validate rules
Customize rules, then test
Verify against test user/role cases

Rule Architect Overview

(Screenshot only.)

Rule Structure: The Full Picture

Rule Set A: Global
Business Processes: Order to Cash; Purchase to Pay; Business Process n

Risk A: Enter sales documents and lower prices for fraudulent gain.
Conflicting functions: Function 1, Sales Order Agreements; Function 2, Sales Pricing Maintenance

Risk B: User is able to maintain vendor master data and initiate payment runs.
Conflicting functions: Function 3, Vendor Master Maint.; Function 4, Process Vendor Invoices

Risk C: User is able to ....
Function 5: ...

Each function is defined by Actions/Permissions in the connected system (SAP ERP).

Rule Building: Step One

Define a Rule Set: ID and Description (example: Global Rule Set)
Create a Business Process (examples: Procure to Pay, Order to Cash, Finance and Controlling)
Create Functions for the Business Process; assign Actions and Permissions to the Function
Create a Risk for the Business Process; assign Conflicting Functions; assign to a Rule Set
Rule Building: Create Functions

(Screenshots of the function definitions GL01 and GL02.)

Rule Building: Create Risks

(Screenshot only.)

Standard Rule Set

SAP Rules in the standard Rule Set include:
ERP
Basis
Finance: General Ledger Accounting, Fixed Assets, Project Systems
HR / Payroll
MM / PP / QM
Order to Cash
Procure to Pay
SRM / EBP
CRM
Consolidation
APO


Phase Two: Analysis

(Process strip: Risk Recognition, Rule Building and Validation, Analysis, Remediation, Mitigation, Continuous Compliance.)

ANALYSIS
Run analytical reports
Estimate cleanup efforts
Analyze roles and users
Modify rules based on analysis
Set Alerts to distinguish executed risks

Management View Reports

(Screenshot only.)

Risk Analysis Reports

(Screenshot only.)

Phase Two: Remediation

(Process strip: Risk Recognition, Rule Building and Validation, Analysis, Remediation, Mitigation, Continuous Compliance.)

REMEDIATION
Determine alternatives for eliminating risks
Present analysis and select corrective actions
Document approval of corrective actions
Modify or create roles or user assignments

Remediation Strategy
Analyze report results to determine the extent of remediation efforts
Discuss potential remediation methodologies that are appropriate to address the security violations identified

Remediation Exercise
Perform walkthroughs of the remediation strategies using live examples


Phase Two: Mitigation

(Process strip: Risk Recognition, Rule Building and Validation, Analysis, Remediation, Mitigation, Continuous Compliance.)

MITIGATION
Determine alternative controls to mitigate risk
Educate management about conflicts approval and monitoring
Document a process for monitoring mitigation controls
Implement controls

Mitigating Controls Are Required when Remediation Fails

Mitigating controls are required when it is not possible to segregate duties within the business process
E.g. within a small office one person has to take over two roles within the business process, which leaves an SoD conflict that cannot be removed
Examples for Mitigating Controls are:
Release strategies / Authorization limits
Review of user logs
Review of exception reports
Detailed variance analysis
Establish insurance

Firefighter: A Key Mitigation Control

What is Firefighter?
Firefighter allows super users to perform emergency activities outside their normal role within a controlled and auditable environment.
All activities of the user accessing the higher authorization privileges will be reported
Firefighter will generate an audit trail, which can be used to document the reasons for using higher access privileges
The audit trail is required for SOX compliance
Monitoring logs must be analysed timely and frequently!

Firefighter Business Scenarios

Compliant controls for emergency access
Users assigned to specific firefighting IDs with defined authorizations and validity dates
Separate login is required as well as documentation regarding the reason for use
Can only be used by one user at a time

Auditable Support-Access
Gives the customer full control over external support activities

Mitigation Control
Logs critical business activities a user is performing as Firefighter
Helps to resolve SOD issues without the involvement of extra staff

The Process

1. Firefighter Role Setup
2. Document Why Needed
3. Audit Log
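The controls the Firefighter slides list (defined authorizations and validity dates, a documented reason, one user at a time, every activity logged, timely review of the log), as an added Python illustration that is not the Firefighter product; the firefighter ID, user names, dates, transaction codes and ticket reference are constructed assumptions.

```python
"""Emergency-access controls from the Firefighter slides: an ID with defined
authorizations and validity dates, a documented reason, one user at a time,
every activity logged, and a log that must be reviewed in time."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class FirefighterID:
    ff_id: str
    authorized_users: Set[str]
    valid_from: date
    valid_to: date
    allowed_tcodes: Set[str]               # the ID's defined authorizations
    checked_out_by: Optional[str] = None   # enforces "one user at a time"


@dataclass
class LogEntry:
    ts: datetime
    ff_id: str
    user: str
    event: str          # CHECKOUT / ACTIVITY / CHECKIN / DENIED
    detail: str
    reviewed_by: str = ""


class EmergencyAccessError(Exception):
    pass


class FirefighterController:
    def __init__(self) -> None:
        self.ids: Dict[str, FirefighterID] = {}
        self.log: List[LogEntry] = []      # the audit trail

    def _record(self, ff_id: str, user: str, event: str, detail: str, ts: datetime) -> None:
        self.log.append(LogEntry(ts, ff_id, user, event, detail))

    def checkout(self, ff_id: str, user: str, reason: str, now: datetime) -> None:
        ff = self.ids[ff_id]
        problems = []
        if user not in ff.authorized_users:
            problems.append("user not assigned to this firefighter ID")
        if not ff.valid_from <= now.date() <= ff.valid_to:
            problems.append("outside validity dates")
        if not reason.strip():
            problems.append("reason for use must be documented")
        if ff.checked_out_by not in (None, user):
            problems.append(f"already in use by {ff.checked_out_by}")
        if problems:                       # denied attempts are part of the trail
            self._record(ff_id, user, "DENIED", "; ".join(problems), now)
            raise EmergencyAccessError("; ".join(problems))
        ff.checked_out_by = user
        self._record(ff_id, user, "CHECKOUT", f"reason: {reason}", now)

    def activity(self, ff_id: str, user: str, tcode: str, now: datetime) -> None:
        ff = self.ids[ff_id]
        if ff.checked_out_by != user:
            self._record(ff_id, user, "DENIED", f"{tcode}: ID not checked out by user", now)
            raise EmergencyAccessError("ID not checked out by this user")
        if tcode not in ff.allowed_tcodes:
            self._record(ff_id, user, "DENIED", f"{tcode}: outside ID authorizations", now)
            raise EmergencyAccessError(f"{tcode} not allowed for {ff_id}")
        self._record(ff_id, user, "ACTIVITY", tcode, now)

    def checkin(self, ff_id: str, user: str, now: datetime) -> None:
        ff = self.ids[ff_id]
        if ff.checked_out_by != user:
            raise EmergencyAccessError("ID not held by this user")
        ff.checked_out_by = None
        self._record(ff_id, user, "CHECKIN", "", now)

    def overdue_reviews(self, now: datetime, max_age_hours: float) -> List[LogEntry]:
        """Monitoring rule: unreviewed entries older than max_age_hours are overdue."""
        limit = timedelta(hours=max_age_hours)
        return [e for e in self.log if not e.reviewed_by and now - e.ts > limit]

    def review(self, reviewer: str) -> int:
        """Mark every unreviewed entry as reviewed; returns how many were pending."""
        pending = [e for e in self.log if not e.reviewed_by]
        for e in pending:
            e.reviewed_by = reviewer
        return len(pending)


def demo_scenario() -> FirefighterController:
    """Constructed scenario: ALICE uses the ID, BOB is refused concurrent use.
    The ID, users, dates and the ticket reference are assumptions."""
    c = FirefighterController()
    c.ids["FF_FI_01"] = FirefighterID("FF_FI_01", {"ALICE", "BOB"}, date(2007, 1, 1),
                                      date(2007, 12, 31), {"SE16", "SM30"})
    t0 = datetime(2007, 6, 1, 9, 0)
    c.checkout("FF_FI_01", "ALICE", "Ticket 4711: correct posting period", t0)
    c.activity("FF_FI_01", "ALICE", "SM30", t0 + timedelta(minutes=5))
    try:
        c.checkout("FF_FI_01", "BOB", "support request", t0 + timedelta(minutes=10))
    except EmergencyAccessError:
        pass                                # logged as DENIED: one user at a time
    c.checkin("FF_FI_01", "ALICE", t0 + timedelta(minutes=30))
    return c
```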


Phase Three: Continuous Compliance

(Process strip: Risk Recognition, Rule Building and Validation, Analysis, Remediation, Mitigation, Continuous Compliance.)

CONTINUOUS COMPLIANCE
Communicate changes in roles and user assignments
Simulate changes to roles and users
Implement Alerts to monitor for new selected risks and mitigating control testing

Continuous Compliance

1. Use Simulation for ongoing preventive compliance
a. New role or change request
b. New user or user change request
2. Use the integration capabilities of Role Expert, Access Enforcer, and Risk Terminator to prevent SoD violations from being incorporated during day-to-day operation and security maintenance
3. Perform regular maintenance activities to ensure that rules are complete and accurate
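The rule structure of the Rule Architect slides (rule set, business process, risk, conflicting functions, actions) together with the preventive simulation of step 1 above, as one added Python example that is not Compliance Calibrator code; the bank and payment transaction codes and the risk descriptions come from the earlier slides, while the risk and function IDs, roles, users, the codes VA01/VA02/FB75 and the mitigating control ID are constructed assumptions.

```python
"""SoD rule set in the structure of the Rule Architect slides: rule set ->
business process -> risk -> conflicting functions -> actions (transaction
codes), plus the simulation used for preventive continuous compliance."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Functions group the actions needed for one duty. The FI bank and payment
# codes are the ones listed on the slide; VA01/VA02 and FB75 are assumed
# codes standing in for "create sales orders" and "issue credit memos".
FUNCTIONS: Dict[str, Set[str]] = {
    "BANK_MASTER": {"FI01", "FI02", "FI06"},
    "POST_INCOMING_PAYMENTS": {"F-04", "F-06", "F-26", "F-28", "F-29", "F-30", "F-36",
                               "F-39", "F-40", "F-52", "FBA2", "FBZ1", "FBZ3"},
    "SALES_ORDER": {"VA01", "VA02"},
    "CREDIT_MEMO": {"FB75"},
}


@dataclass(frozen=True)
class Risk:
    risk_id: str                 # constructed IDs, not the delivered ones
    business_process: str
    level: str                   # high / medium / low, assigned in Risk Recognition
    description: str
    conflicting: FrozenSet[str]  # functions that must not be held together


RULE_SET_GLOBAL: List[Risk] = [
    Risk("F001", "Finance", "high",
         "Maintain a non bona-fide bank account and divert incoming payments to it.",
         frozen=frozenset({"BANK_MASTER", "POST_INCOMING_PAYMENTS"})) if False else
    Risk("F001", "Finance", "high",
         "Maintain a non bona-fide bank account and divert incoming payments to it.",
         frozenset({"BANK_MASTER", "POST_INCOMING_PAYMENTS"})),
    Risk("S001", "Order to Cash", "high",
         "Create a sales order generating fraudulent revenue, then reverse it by credit memo.",
         frozenset({"SALES_ORDER", "CREDIT_MEMO"})),
]

# Constructed sample authorizations: users hold roles, roles grant actions.
ROLES: Dict[str, Set[str]] = {
    "Z_AR_CLERK": {"F-28", "F-26", "FBZ1"},
    "Z_BANK_ADMIN": {"FI01", "FI02"},
    "Z_SALES_REP": {"VA01", "VA02"},
    "Z_AR_ADJUST": {"FB75"},
}
USERS: Dict[str, Set[str]] = {"JOHN": {"Z_SALES_REP", "Z_AR_ADJUST"}, "SANDY": {"Z_AR_CLERK"}}
MITIGATIONS: Dict[Tuple[str, str], str] = {}   # (user, risk_id) -> mitigating control id


@dataclass
class Violation:
    user: str
    risk_id: str
    level: str
    evidence: Dict[str, Set[str]]   # function -> actions the user holds in it
    mitigated_by: str = ""


def actions_for(roles: Set[str]) -> Set[str]:
    acts: Set[str] = set()
    for role in roles:
        acts |= ROLES[role]
    return acts


def functions_held(actions: Set[str]) -> Set[str]:
    # A function counts as held as soon as one of its actions is executable.
    return {f for f, acts in FUNCTIONS.items() if acts & actions}


def analyze(user: str, roles: Set[str], rules: List[Risk] = RULE_SET_GLOBAL) -> List[Violation]:
    """User-level risk analysis: every risk whose conflicting functions are all held."""
    acts = actions_for(roles)
    held = functions_held(acts)
    found = []
    for risk in rules:
        if risk.conflicting <= held:
            evidence = {f: FUNCTIONS[f] & acts for f in sorted(risk.conflicting)}
            found.append(Violation(user, risk.risk_id, risk.level, evidence,
                                   MITIGATIONS.get((user, risk.risk_id), "")))
    return found


def simulate_assignment(user: str, new_role: str) -> List[Violation]:
    """Preventive check before provisioning: risks that the new role would add."""
    before = {v.risk_id for v in analyze(user, USERS[user])}
    return [v for v in analyze(user, USERS[user] | {new_role}) if v.risk_id not in before]


def assign_mitigation(user: str, risk_id: str, control_id: str) -> None:
    """Record a mitigating control for a conflict that cannot be remediated."""
    MITIGATIONS[(user, risk_id)] = control_id


def unmitigated(violations: List[Violation]) -> List[Violation]:
    return [v for v in violations if not v.mitigated_by]
```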

Continuous Compliance: User Access Management

Enables compliant end-to-end provisioning, hire to retire

Current approach: inefficient, not compliant
Access request -> (e-mail) -> Manager approval -> (e-mail) -> Role owner -> (spreadsheets, paper forms) -> IT security -> (spreadsheets, paper forms) -> Manual provisioning

Continuous Compliance: What Is Access Enforcer?

Access Enforcer is an automated user request, approval, and compliant provisioning solution that is web-based and workflow configurable with proactive SoD compliance checking.

ACCESS ENFORCER PROCESS OVERVIEW
Inputs: Human Resources System + User Role Requests
Access Enforcer: user provisioning to SAP systems
Target systems: Financial System, CRM System, Payroll System

Access Enforcer Real Time Risk Simulation Results

(Screenshot only.)

Workflow Results

What can be accomplished after a workflow is finished:
Create User in SAP
Assign Roles in SAP
Change Role Assignment
Lock User in SAP
Unlock User in SAP
Delete User in SAP
Create and Assign Mitigation
Send Notifications
If the auto-provisioning feature is configured to yes, the first six items can be automatically completed by AE. Otherwise the security approver must complete the provisioning in SAP manually.

AGENDA
The Access Control Suite: An Overview
SAP CC: The SOD Management Process
Project Organization



Service Levels

SAP Consulting offers the following scenarios of service:

Basic service
The customer nominates and empowers a project manager and an implementation team of his own. As the project manager is qualified but lacks experience in implementing the GRC system, project management assistance (PMA) from SAP Consulting ensures, via checks on pre-defined focus topics at pre-defined project stages, that the GRC Access Controls project is delivered on time and in budget according to the defined scope.

Extended service
Based on scoping workshops, Mainova can order extended service.

Full service
As the customer lacks resources, a full service can be ordered. Individual effort estimation required.

Packaged Solutions Model Access Controls

Packaged Solutions Step 1: Basic Analysis / Entry Risk Assessment

GRC Assessment
Brief: AS-IS Analysis and Evaluation
Value proposition: Identification of strategic GRC focus areas based on risk potential; identification of improvement potential
Project team: SAP
Effort: 6 days Consulting *)
Duration: > 2 weeks
Deliverables: Management Letter; Review; Roadmap; Entry Business Case

GRC Compliance Calibrator: GRC Risk Analysis Entry
Brief: Risk Analysis based on standard rules
Value proposition: Cost efficient way; focus for the roadmap
Project team: SAP, Client
Effort: 1 d Tech Cons. + 1 d Cons. *)
Duration: 1 week
Deliverables: Risk Analysis Workshop; Risk Analysis based on the standard SoD Matrix; Risk Report by User/Roles; Recommendations

GRC Compliance Calibrator: Basic Implementation
Brief: Haptic approach to implement GRC CC using the implementation expertise of SAP as Project Management Guidance
Project team: SAP, Client
Effort: 12 d Cons. + 5 d Tech Cons. *)
Duration: > 6 weeks
Deliverables: License GRC Access Controls; Installation on one Development and one Quality System; Basic Configuration; Know-How Transfer (Coaching) for the System Administrator; Project Management Coach for the GRC CC Implementation

*) + Client effort
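The Risk Analysis Entry package above delivers a "risk analysis based on the standard SoD matrix" and a "risk report by user/roles". The following is an added illustration of what such an analysis computes; it is not code from this deck or from SAP, and the function-to-transaction mapping, the rule set, the roles, the users and the mitigating-control ids are all invented sample data rather than SAP's delivered rule set. It shows the two levels a practitioner cares about: conflicts already built into a single role, and conflicts that only arise when several individually clean roles are combined on one user, with mitigating controls carried into the report so that accepted risks are not reported as open.

```python
"""Segregation-of-duties (SoD) risk analysis by role and by user.

Constructed example: functions, transaction codes, risks, roles, users and
mitigating controls below are sample data, not SAP's standard rule set.
"""
from dataclasses import dataclass

# Business functions expressed as the actions (transaction codes) that can
# perform them. Which code belongs to which function is constructed here.
FUNCTIONS = {
    "VENDOR_MAINT": {"FK01", "FK02", "XK01"},   # maintain vendor master data
    "AP_INVOICE":   {"FB60", "MIRO"},           # enter vendor invoices
    "PAYMENT_RUN":  {"F110"},                   # execute the payment run
    "USER_ADMIN":   {"SU01"},                   # maintain users
    "ROLE_ADMIN":   {"PFCG"},                   # maintain roles/authorizations
}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    level: str
    functions: tuple      # the two functions that must not sit with one person
    description: str


# The SoD matrix: pairs of functions that conflict (constructed sample rules).
RISKS = [
    Risk("P001", "High", ("VENDOR_MAINT", "AP_INVOICE"),
         "Create a fictitious vendor and post invoices to it"),
    Risk("P002", "High", ("AP_INVOICE", "PAYMENT_RUN"),
         "Post an invoice and pay it without independent review"),
    Risk("B001", "Critical", ("USER_ADMIN", "ROLE_ADMIN"),
         "Create a user and grant it arbitrary authorizations"),
]

# Sample role catalogue (role -> transaction codes) and user assignments.
ROLES = {
    "Z_AP_CLERK":      {"FB60", "MIRO", "FK02"},   # conflict built into the role
    "Z_AP_PAYMENTS":   {"F110"},
    "Z_VENDOR_MASTER": {"FK01", "XK01"},
    "Z_BASIS_USERS":   {"SU01"},
    "Z_BASIS_ROLES":   {"PFCG"},
}
USERS = {
    "JSMITH": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},
    "ALEE":   {"Z_VENDOR_MASTER"},
    "BASIS1": {"Z_BASIS_USERS", "Z_BASIS_ROLES"},   # clean roles, conflicting combination
}
# Mitigating controls already assigned: (user, risk) -> control id (sample).
MITIGATIONS = {("JSMITH", "P002"): "MC_AP_01"}


def functions_of(actions):
    """Business functions that a set of actions is able to perform."""
    return {fn for fn, acts in FUNCTIONS.items() if acts & actions}


def conflicts(actions):
    """Risks triggered when one principal holds all of these actions."""
    present = functions_of(actions)
    return [r for r in RISKS if set(r.functions) <= present]


def analyze_role(role):
    """Risk ids a single role violates on its own (role-level report)."""
    return [r.risk_id for r in conflicts(ROLES[role])]


def analyze_user(user):
    """User-level report: each risk, the roles contributing each conflicting
    function, and the mitigating control on file (None if unmitigated)."""
    roles = USERS[user]
    actions = set().union(*(ROLES[r] for r in roles))
    findings = []
    for risk in conflicts(actions):
        contributing = {
            fn: sorted(r for r in roles if ROLES[r] & FUNCTIONS[fn])
            for fn in risk.functions
        }
        findings.append({
            "user": user,
            "risk": risk.risk_id,
            "level": risk.level,
            "roles": contributing,
            "mitigation": MITIGATIONS.get((user, risk.risk_id)),
        })
    return findings


def unmitigated(user):
    """Risk ids for a user that have no mitigating control assigned."""
    return [f["risk"] for f in analyze_user(user) if f["mitigation"] is None]


if __name__ == "__main__":
    for role in ROLES:
        print(f"role {role}: {analyze_role(role) or 'clean'}")
    for user in USERS:
        for f in analyze_user(user):
            status = f"mitigated by {f['mitigation']}" if f["mitigation"] else "OPEN"
            print(f"user {f['user']}: {f['risk']} ({f['level']}) via {f['roles']} {status}")
```

The role-level pass catches conflicts that should be fixed in role design (Z_AP_CLERK carries both invoice entry and vendor maintenance), while the user-level pass finds combinations that only exist through assignment (BASIS1 holds two individually clean roles). Only open findings need remediation or a new mitigating control; accepted risks are reported with their control id.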

Packaged Solutions Model Access Controls

Based on Step 1, the following packages can be implemented.

GRC Firefighter
Brief: GRC Firefighter enablement
Value proposition: Fast and cost efficient way to implement GRC Firefighter, the compliant answer to SAP_ALL and other emergency accesses.
Project team: SAP, Client
Effort: 1 d Tech Cons. + 4 d Cons. *)
Duration: > 1 week
Deliverables: Installation of Firefighter on one Development and one Quality Assurance System; Basic Configuration; Know-How Transfer (Coaching); Template FF; Recommendations

GRC Access Enforcer
Brief: GRC Access Enforcer enablement
Value proposition: Fast and cost efficient way to implement audit-proofed access granting; building up in-house expertise using SAP expertise
Project team: SAP, Client
Effort: 2 d Tech Cons. + 10 d Consulting *)
Duration: > 3 weeks
Deliverables: Installation of Access Enforcer on one Development and one Quality Assurance System; Basic Configuration; Know-How Transfer (Coaching); Audit-proofed Workflow Design (max. 2 WF); Create/Change/Delete 5 Test users

*) + Client effort

Project Plan Full Service

[Diagram: project timeline from Start to Go-Live with the phases Project Setup, Installation / Architecture, Risk Recognition, Rule Building and Validation, Remediation & Mitigation Analysis, UAT and Review / Documentation, Go-Live, Project Closing; Training on the Job / Coaching / Testing runs alongside. Support model: Full Support up to Go-live, Exemplary Support afterwards]

Project Organization Full Service

[Diagram: Steering Committee; Project Managers (PM(A) SAP and PM Customer); Business Process Owners and Key Users; Audit]

Required Availability of Resources

Project role: Required availability
Project Executive Sponsor: Sponsorship + steering
Project Steering Committee: Once per month
Customer Project Manager: High
Business Process Owner: Min
Business Process Team Member (key user): Medium
Technical Team: High

Min = on requirement; Medium = 1-2 days per week; High = 3-4 days per week

Questions?


Copyright 2007 SAP AG. All Rights Reserved


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be
changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, System i, System i5, System p,
System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are
trademarks or registered trademarks of IBM Corporation.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, and other SAP products and services mentioned herein as well as their respective logos are
trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of
their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior
written permission of SAP AG.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments,
and functionalities of the SAP product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this
document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items
contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability,
fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This
limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in
these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.
