Barbara Mayer, Enterprise Risk Management, SAP Consulting
AGENDA
GRC as part of SAP Financials
Challenge for GRC
GRC-Suite in detail
Value proposition
SAP AG 2007, SAP Skills 2007 Conference / G3 / 3: The Fast Track, SAP Knowledge
[Figure: mySAP ERP Financials. Building blocks: Corporate Performance Management (CPM); Financial Supply Chain Management (FSCM: Credit Mgmt., Collections Mgmt., Dispute Mgmt., FI-CA, Biller Direct, In-House Cash); Accounting & Finance Transformation; Governance, Risk, and Compliance (GRC: internal regulations / ethical standards, strategic/operative risks, external regulations / compliance to laws). Rating scale shown on the slide: Caution, Promising, Positive, Strong Positive.]
Challenge for GRC: departmental silos today, and what each department needs
- Management: no overview about the risk portfolio -> transparency about risks => max. confidence!
- Supply Chain: SALARIES
- Finance: complex, international compliance requirements (e.g. revenue recognition) -> compliance in group reporting processes
- Human Resource: environmental health & safety -> compliance to environmental standards
- Sales: credit risks, customer ratings -> transparent customer solvency
From silos to holistic GRC
[Figure: today Information Security, Risk Mgmt, SOX Compliance, Internal Audit, Global Trade, Environment and Process Controls each sit separately on the business applications; the GRC Suite consolidates them on top of the Business Applications.]

GRC Suite (first view):
- Access Control: Compliance Calibrator, Role Expert, Access Enforcer, Fire Fighter
- Process Control
- Risk Management
- Global Trade Services (GTS)
- Environment, Health & Safety (EH&S)
- more Solutions

GRC Suite (second view, with the GRC-Repository):
- Access Control: Enterprise Role Management, Compliant User Provisioning, Super User Privilege Management
- Process Control
- Risk Management
- Global Trade Services (GTS)
- Environment, Health & Safety (EH&S)
- GRC-Repository
- more Solutions
All components sit on top of the Business Applications.
GRC Repository
[Figure: sources feeding the central GRC Repository]
- Performance Measures & Benchmarks
- BOD & Committee Minutes
- Influence Councils
- Regulations & Industry Mandates
- Best Practices
- Advisory Services (Auditors, Attorneys)
- Corporate Policies & Procedures
- Control Frameworks (COSO, COBIT)
- Internal Policies
- Regional regulations
- Multiple frameworks for each department
- Pre-built control & risk libraries
[Figure: the three GRC components positioned on a scale from automation to manual activity, with quality of processes as the second axis]
- Access Controls (incl. Compliant User Provisioning): compliance of processing; highest degree of automation
- Process Controls: stick to governance; quality of processes
- Risk Management (KonTraG): focus on operational business risks; mostly manual activity
SAP GRC Access Control
- Minimal Time To Compliance (Get Clean): Risk Analysis and Remediation; rapid, cost-effective and comprehensive initial clean-up; risk identification, risk elimination, reporting
- Continuous Access Management (Stay Clean): Enterprise Role Management enforces SoD compliance at design time; Compliant User Provisioning prevents SoD violations at run time; prevention
- Effective Management Oversight and Audit (Stay in Control): Superuser Privilege Management; Periodic Access Review and Audit focuses on the remaining challenges during recurring audits; end-to-end automation

"The clean-up process has brought a tremendous degree of discipline to the way we think about and manage user access and authorizations."
Deepak Mehrotra, SOX Compliance Manager, Synopsys Inc.
[Figure: SoD example across systems. A user holds the authorization "Maintain vendor master data" in a legacy/custom Inventory and purchasing system and the authorization "Initiate payment to vendor" in Financials and Accounting. The VIRSA cross-enterprise rule set flags the combination: RISK!]
[Figure: the compliance officer's question "Compliance?". PLAN: the SoD matrix of risks is fed to the risk analysis function. ACTUAL: real-time agents (RTA) in the ERP 2005 business applications report the current authorizations; the risk analysis function compares plan and actual and produces the risk report.]
Rule generation in Compliance Calibrator
[Figure: critical transactions or authorization objects are grouped into business functions (Function 1, Function 2); a risk (Risk 1, Risk 2) is a conflict between functions. Each function maps per system to actions (System 1: Transaction 1 ... Transaction n, System 2: Transaction 1 ... Transaction m, ...), so the risks expand into 180,000 rules.]

Business Functions -> System -> Action & Permission:
- Function A: Action 1 + Permission 1, Action 2 + Permission 2, Action 3 + Permission 3, ... Action n + Permission n
- Function B: Action 4 + Permission 4, Action 5 + Permission 5, Action 6 + Permission 6, ... Action n + Permission n
- Function C: Action 7 + Permission 7, Action 8 + Permission 8, Action 9 + Permission 9, ... Action n + Permission n
- Function D

Compliance Calibrator rule generation: Function A + Function B yields Risk Rule 1 ... Risk Rule 9 ... Risk Rule n; Function C + Function D yields Risk Rule 10 ... Risk Rule 18 ... Risk Rule n. Each risk rule is one combination of an action/permission from the first function with one from the second (3 x 3 = 9 rules per function pair in the figure).
Enterprise-wide role definition and maintenance with a built-in segregation-of-duties check
[Figure: SAP GRC Access Control checks roles across applications; an audit log records the changes.]
Typical challenges:
- Too many users have SAP_ALL
- SoD violations!
- No activity monitoring, no audit trail
- No time limitation for SAP_ALL users
- No clearly responsible person for SAP_ALL authorizations
- No clear workflow in case of emergency!
Goal: smart emergency situation management.
FireFighter process (SAP system):
1. FireFighter IDs (FireFighter ID FICO, FireFighter ID MM, FireFighter ID SD, FireFighter ID Basis) are assigned to the user Maier.
2. Maier logs in to the system as a normal user and starts the FireFighter transaction.
3. A new session is opened under the FireFighter ID and the activity is performed.
4. All FireFighter activities are recorded in detail in a log file.
5. Maier logs off as FireFighter.
The figure contrasts this with a permanent SAP_ALL assignment.
Compliant user provisioning workflow:
- Trigger: an HR event (employee hired/retired) or an access request; the request is generated automatically.
- Workflow path based on request type and user attributes: manager approval -> role owner -> IT security, with an escalation workflow via e-mail.
- Role Expert supplies compliant roles; Compliance Calibrator performs an online risk analysis of the request (one-click preventive simulation, 100% automated), with an exception workflow for conflicts.
- Provisioning: automated provisioning (100% automated) replaces manual provisioning via tables and forms.
Roadmap

Access Control 5.2 SP3:
- Language translations: country A languages (English, French, German, Japanese); country B languages (Spanish, Portuguese, Italian, Hungarian)
- Cross-enterprise (Greenlight): real-time agents for risk analysis; comprehensive SOD rules for Oracle, JDE and PeopleSoft
- Migration scripts

Access Control 5.2 SP4:
- Web services for IDM integration (official and stable API for partners)
- Fix for connector limit in Compliance Calibrator
- SAP GRC Access Control branding and single launchpad for all 4 access control capabilities
- Form customization
- Search roles
- Migration scripts
Stakeholder concerns (Virsa support view). The slide groups Business Process Managers, Internal Auditors, Business Executives and IT Security and Support around these concerns:
- Risk appetite; controls in place; risk avoidance; controls working effectively; visibility; timely notification; cost of compliance
- Risks correctly identified; response to control deficiencies; preventive controls
- Risk identification & evaluation; timely notification; maximum productivity
- IT Security and Support: identify & implement compliance systems; fit with IT infrastructure; transfer accountability to business; prevent risk from entering systems
AUTOMATION: reduce cost without compromising compliance
- Reduced audit fees and testing costs
- Streamlined testing and remediation

INSIGHT: effectively manage business, financial, and compliance performance
- Real-time view of control health
- Enterprise-wide visibility into risks and controls
Process Control lifecycle: Scoping and Set-Up -> Document Processes and Controls -> Assess Control Design and Remediate Issues -> Auditor Test Operating Effectiveness -> Sign-Off, Prepare Certification / Internal Control Report -> Attest and Report.

Scoping and Set-Up:
- Assignment of sub-processes to organizations
- Central process catalog; organization-specific control documentation
- Central catalog of control objectives/risks
- Assignment of sub-processes to significant accounts/relevant assertions
- Setup of automated control testing and monitoring
- Gap analysis reporting
- Identify fraud-related risk

Document Processes and Controls:
- Documentation of controls
- Documentation of testing procedures
- Documentation of entity-level controls

Assess Control Design and Remediate Issues:
- Control and process design assessments via surveys
- Entity-level control assessments via surveys
- Identification of issues; validation of assessments
- Remediation of issues; progress tracking and analysis

Auditor Test Operating Effectiveness:
- Documentation of testing results
- Documentation of continuous control monitoring
- Identification of issues; remediation and retest of issues
- Progress tracking and analysis

Sign-Off, Prepare Certification / Internal Control Report; Attest and Report:
- Review analysis overviews with drill-down; reporting functionality; management reports
- Workflow-triggered sign-off supporting 404 reporting / 302 certification; attestation
Process Control building blocks:
- Analytics; Work List
- Organization Hierarchy; Process Hierarchy; Entity-Level Controls Hierarchy
- Assessment Surveys; Question Library; Survey Library
- Account Groups/Assertions; Control Objective Catalog
- Manual Tests: Test Plans
- Automated Testing: Rules, Queries, Scheduling
- Evaluation Work List
- Compliance: Assessments, Testing, Monitoring, Sign-off
- User Roles; Delegation
PC 2.5 Innovation: Information Architecture and Organization Hierarchy
- Organization hierarchy: Business Segment, Region, Division/Legal Entity, Business Operation, Location/Operating Unit
- Account hierarchy: Account Groups, Significant Account
- Compliance Category -> Process -> Sub process -> Assertions -> Risks/Control Objectives -> Controls -> Assertions -> Control Tests (Manual/Auto)
- Assessments; Signoff Flow
[Figure: the Process Control lifecycle wheel. Document (Business Processes, IT Infrastructure), Test (Test Automated Controls, Test Manual Controls, Perform Assessments), Monitor, Certify, Remediate Issues, Remediation Case; covering Financial Controls, Operational Controls and IT Controls over a monthly calendar; the Process-Control-Objective-Risk chain underlies it.]
- Enables management by exception
- Prioritizes remediation activities
- Provides management insight into the control environment
- Provides a flexible organization hierarchy
- Flexible integration framework for document management systems
- Single source of truth for reporting
- All information is organized in tabs
- Control Monitor provides summarized information over time
- Inbox provides quick access to cases and tasks
Centralized Control Management
- Assignment of organizations
- Assignment of test plan and test step owners
- Central objects: organizations, business processes, sub processes, risks, objectives, test plans
Automated testing: select a pre-delivered test, re-use a custom test (plug-and-play your existing test scripts), or construct an ad-hoc test.

Pre-delivered test coverage by process area:
- Order to Cash: Order Capture, Order Fulfillment, Billing & Returns
- Procure to Pay: Demand Planning, Procurement, Operational Inventory Management, Payables Management
- Reconcile to Report: Budgeting, Sub-ledger Planning, Transactions, Financial Close, Revenue Recognition, Consolidation & Reporting
- IT Basis: Application Security, Change Control

Example control questions: Was pricing or were exchange rates adjusted? Were shipments made without proper sales documents? ... Multiple controls: check that a control value exists; is the Duplicate Voucher flag turned ON? Has the duplicate voucher control changed? How often?
Test Manual Controls
- Streamlines manual controls and tests
- Provides manual test plans with detailed test steps and instructions
- Promotes timely performance with scheduled workflow and email notifications
- Documents evidence to support evaluation results
- Captures monetary risk quantification for failed tests

[Figure: manual testing without the tool. The Compliance Team creates the test plan (What do we need to test? Who should perform the test?), sends out paper-based documentation surveys for completion and consolidates results from multiple sources. Control Testers receive test instructions via email, perform manual tests based on verbal instructions, and create documents and spreadsheets saved to local file servers (What am I supposed to do? Why is this important?). Management & Executives ask: Where do we stand? How can we improve? With the tool, control and test plan are documented centrally.]
Self Assessment / Survey Management
- Flexible survey creation, scheduling, and routing
- Handles assessments for process design, control design, entity levels, and more
- Reference information and instructions guide occasional users
- Survey reports provide drill-down to any cases generated
Remediation Case Management / Management by Exception
- Detects global exceptions and prioritizes corrective action
- Workflow-based notifications alert users to failed tests or assessments
- Documents remediation activities and resolution
- Dashboards and reporting provide actionable insight into exceptions
- Automated prioritization focuses valuable resources on high-impact exceptions
- Automated routing and notification ensure nothing falls through the cracks
- Threaded discussion of resolution activities provides evidence for external auditors
- Resolution can be captured along with the case details for audit purposes
Management Certification
[Figure: corporate signers roll up from the bottom of the organization hierarchy, e.g. US -> US Finance -> Order to Cash -> AR Billing, AR Collections.]
- Supports section 302 certification
- Freezes key information that has been signed off
- Hierarchical, bottom-up progression
Process Control architecture:
- WebDynpro content: SAP Application Pages; BI Pages for Analytics; Portal Pages for Analytics
- Cross-platform enablement
- Repository interfaces
- Savvion BPM/Workflow
- Audit Log; Survey; Assessments; Testing; Object Level Security; Sign Off; Query Builder; Report Mart
- Business Applications
Risk management today
[Figure: Management & Executives ask "Am I on track to reach my goals?"; Lines of Business ask "Another assessment to fill out?"; Risk Managers brainstorm one-off response possibilities, ask for additional input, send out MS Excel sheets, hold workshop after workshop, think about risk in silos and focus only on negative risks.]

The goal:
- Executives: applications to mitigate top risks; automatic risk identification
- Lines of Business: role-based best practice playbooks; end-to-end risk processes across the value chain
- Risk Managers: enable risk management innovation; become a driver of business change
[Figure: SAP Risk Management as an xApp on SONA, alongside the GRC Suite (GTS, Process Controls, Access Controls, EH&S, GRC-Repository, REA, xEM) and external providers of KRIs / content.]
- Establish risk appetite and thresholds
- Actionable, role-based dashboards and alerts
- Collaborate and aggregate across the enterprise
- Balance cost of risk avoidance and opportunity
Drive Consistency: risk catalog in the GRC Repository
- KRI 1: scrap rates 5% -> supply chain continuity risk
- KRI 2: supplier on-time delivery <95% -> supply chain continuity risk
Avoid Surprises: automatically identify risks
- Embedded into key business processes; workflow delivers assessments to experts (SAP CRM example)
- Collaborative assessments for manual risk activities
- Qualitative & quantitative point and scenario analyses, done before and after response
- Workflow reminders for updates
Respond Intelligently: spot risk interdependencies
[Figure: correlations between risks across solutions and functions (Supply, IT, Sales, Finance), e.g. indirect global taxes, new global suppliers, production disruptions (xSOP, EH&S, xEM, EAM) and supplier disruptions (SRM/xSA, CfP, GRC).]
- Propose risk response; loss event tracking; proposed responses; self-learning response effectiveness

Stay Informed: the regulatory checklist approach has led to over-controlling and under-controlling many processes. Set controls based upon the level of risk associated with each business process (planning shown for 2005 versus 2007).
[Table of reference customers with user counts (from 4,200 to 100,000+ users); the customer names were part of the slide graphic and are not recoverable.]
Summary: market leader; real-time prevention of risk; cross-system.

Contact
AGENDA
The Access Control Suite: An Overview
The SOD Management Process
Project Organization
Client Issues
Negative Sarbanes-Oxley Audit Results
Segregation of Duties / Excessive Access
Security Administration Process
Internal Controls Repository
Maintaining a clean environment
ERP Upgrades
Escalating help desk costs
Change management
SOX awareness/responsibility
GRC - Governance
Corporate Governance:
- Ethical corporate behavior together with management practices in the creation of wealth for all stakeholders
- Spells out the rules and procedures for making decisions on corporate affairs
IT Governance:
- Helps to ensure the alignment of IT and enterprise objectives
- IT resources are used responsibly and their risks are managed properly

Risk Management
Identify, classify, document and reduce risks to an acceptable level based on the value of the information resource to the organization.
Risk is the result of three different parameters:
- Existence of a threat for a business process
- Likelihood of occurrence
- Impact for the business process
[Figure: RISK composed of THREAT, LIKELIHOOD and IMPACT]

GRC - Compliance
Acting according to:
- National and international legal requirements: Sarbanes-Oxley Act (US), Data Protection Law (Germany), J-SOX (Japan) ...
- Corporate policies representing the corporate philosophy and the strategic thinking on a high level
- Low-level policies focusing on the operational layer
Key Areas
[Figure: Business Users and IT Security (Collaboration between Business and IT) together with Management Oversight and Internal Audit. Access Control components: Firefighter; Compliance Calibrator with Risk Terminator (risk analysis for simulation, critical transactions, SoD analysis, risk analysis); Access Enforcer (work flows); Role Expert (role information, workflow engine for role approval).]
AGENDA
SOD Management Process Overview
Risk Recognition
Rule Building
Analysis and Remediation
Mitigation
Continuous Compliance
SOD management process:
1. Risk Recognition
2. Rule Building and Validation
3. Analysis (Phase One)
4. Remediation (Phase Two)
5. Mitigation
6. Continuous Compliance (Phase Three)
Responsibilities: Senior Officers identify risks and/or approve risks for monitoring.
RISK RECOGNITION
- Identify conflicts and approve exceptions
- Clarify and classify risk as high, medium, low
- Identify new risks and conditions for monitoring in the future
Segregation of Duties examples:
- Risk! Gives someone the access to create a sales order, generating fraudulent revenue, and then reverse the revenue in a subsequent period by issuing a credit memo.
- Risk! Gives someone the access to create a fictitious vendor and generate fraudulent payments to the vendor.

Critical transactions (examples): F-06, F-26, F-28, F-29, F-30, F-36, F-39, FI01 (Create Bank), FI02 (Change Bank), F-40, FI06, F-52, FBA2, FBZ1, FBZ3; SE01, SE06, SE09 (Transport Organizer), SE11 (ABAP Dictionary), SE16 (Table Maintenance), SE36, SE37, SE41 (Menu Painter), SM30 (Table Maintenance), SQ00, SU12, SUB% ...

Expressed in business language, this results for SAP in over 180,000 SoD object-level rules. Rules at the authorization object level eliminate false positives; rule building is automated.
RULE BUILDING
[Figure: Business Process n / Purchase to Pay -> Risk A, Risk B, Risk C -> Function 1 ... Function 5 -> Actions/Permissions -> SAP ERP]
1. Create a business process. Examples: Procure to Pay, Order to Cash, Finance and Controlling.
2. Create functions for the business process.
3. Assign actions and permissions to the function.
Delivered business processes: GL01, GL02, HR / Payroll, MM / PP / QM, Order to Cash, Procure to Pay, SRM / EBP, CRM, Consolidation, APO.
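Rule generation and object-level analysis as an added example (not SAP or Virsa code) covering both the Compliance Calibrator rule-generation figure earlier and the three rule-building steps just listed; the transaction codes, authorization object values and user names are constructed for illustration, and the analysis also runs the transaction-only comparison to show where the false positives come from.

```python
"""Added example, not SAP or Virsa code.  A function is a set of action +
permission pairs, a risk is a conflicting function pair, generate_rules()
expands a risk into the cross product, and analyse_user() runs the
object-level check.  Transactions, object values and users are constructed."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class ActionPermission:
    action: str       # transaction code the user can start
    permission: str   # authorization object value it needs, "OBJECT:ACTVT"


@dataclass(frozen=True)
class Function:
    name: str
    items: frozenset  # of ActionPermission


@dataclass(frozen=True)
class Risk:
    risk_id: str
    level: str        # high / medium / low, classified in risk recognition
    first: Function
    second: Function


@dataclass(frozen=True)
class Rule:
    risk_id: str
    level: str
    left: ActionPermission
    right: ActionPermission


def generate_rules(risks):
    """One rule per (left, right) pair of the two functions: three items on
    each side give the nine rules per function pair shown in the figure."""
    rules = []
    for risk in risks:
        for a, b in product(sorted(risk.first.items, key=str),
                            sorted(risk.second.items, key=str)):
            rules.append(Rule(risk.risk_id, risk.level, a, b))
    return rules


def analyse_user(user_auths, rules, object_level=True):
    """Rules a user violates.  user_auths maps each transaction the user may
    start to the authorization object values held for it.  Object level:
    transaction AND permission of both sides must be held; transaction
    level checks the transaction only, the shortcut that yields false
    positives."""
    def holds(ap):
        if ap.action not in user_auths:
            return False
        return (not object_level) or ap.permission in user_auths[ap.action]
    return [r for r in rules if holds(r.left) and holds(r.right)]


def violations_by_risk(user_auths, rules, object_level=True):
    """Summarise violations as {risk_id: number of matching rules}."""
    summary = {}
    for r in analyse_user(user_auths, rules, object_level):
        summary[r.risk_id] = summary.get(r.risk_id, 0) + 1
    return summary


# Constructed rule set: the page's vendor-master / vendor-payment conflict
# and its sales-order / credit-memo conflict.
VENDOR_MAINT = Function("Maintain vendor master data", frozenset({
    ActionPermission("XK01", "F_LFA1_APP:01"),
    ActionPermission("XK02", "F_LFA1_APP:02"),
    ActionPermission("FK02", "F_LFA1_APP:02")}))
VENDOR_PAY = Function("Initiate payment to vendor", frozenset({
    ActionPermission("F110", "F_REGU_BUK:02"),
    ActionPermission("F-53", "F_BKPF_BUK:01"),
    ActionPermission("FBZ1", "F_BKPF_BUK:01")}))
SALES_ORDER = Function("Create sales order", frozenset({
    ActionPermission("VA01", "V_VBAK_VKO:01"),
    ActionPermission("VA02", "V_VBAK_VKO:02")}))
CREDIT_MEMO = Function("Issue credit memo", frozenset({
    ActionPermission("VF01", "V_VBRK_FKA:01"),
    ActionPermission("FB75", "F_BKPF_BUK:01")}))
RISKS = [Risk("P2P-01", "high", VENDOR_MAINT, VENDOR_PAY),
         Risk("O2C-01", "high", SALES_ORDER, CREDIT_MEMO)]
RULES = generate_rules(RISKS)   # 9 + 4 = 13 rules

# Constructed users: MAIER holds both sides of P2P-01; SCHMIDT can start XK01
# but only with display authorization (ACTVT 03), so the object-level check
# clears her; WEBER holds one side of each risk only.
USERS = {
    "MAIER":   {"XK01": {"F_LFA1_APP:01"}, "F110": {"F_REGU_BUK:02"}},
    "SCHMIDT": {"XK01": {"F_LFA1_APP:03"}, "F110": {"F_REGU_BUK:02"}},
    "WEBER":   {"XK01": {"F_LFA1_APP:01"}, "VA01": {"V_VBAK_VKO:01"}},
}
```

Calling violations_by_risk(USERS["SCHMIDT"], RULES) returns no violation while the transaction-level call reports one: that difference is the false positive the object-level rules remove.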
ANALYSIS
Run analytical reports
Estimate cleanup efforts
Analyze roles and users
Modify rules based on analysis
Set Alerts to distinguish executed risks
REMEDIATION
- Determine alternatives for eliminating risks
- Present analysis and select corrective actions
- Document approval of corrective actions
- Modify or create roles or user assignments

Remediation strategy: analyze report results to determine the extent of remediation efforts; discuss potential remediation methodologies that are appropriate to address the security violations identified.
Remediation exercise: perform walkthroughs of the remediation strategies using live examples.
MITIGATION
- Determine alternative controls to mitigate risk
- Educate management about conflict approval and monitoring
- Document a process for monitoring mitigation controls
- Implement controls

Firefighter as a mitigation control:
- Auditable support access: gives the customer full control over external support activities
- Logs the critical business activities a user performs as FireFighter
- Helps to resolve SoD issues without involving extra staff
The process: Firefighter role setup; audit log.
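A FireFighter log review, added here as an example (not SAP or Virsa code) for the FireFighter process and the typical challenges described earlier and for the mitigation control just above; the log format, FireFighter IDs, owner table, user names and the 4-hour limit are constructed assumptions, while the critical transactions come from the page's list.

```python
"""Added example, not SAP or Virsa code: reviews FireFighter session logs for
the challenges the page lists (no time limit, no audit trail, no clear
responsibility).  Log format, FireFighter IDs, owner table, user names and
the 4-hour limit are constructed; the critical transactions are the page's."""
from datetime import datetime, timedelta

# Basis / table-maintenance transactions from the page's critical list.
CRITICAL_TRANSACTIONS = {"SE01", "SE06", "SE09", "SE11", "SE16", "SE36",
                         "SE37", "SE41", "SM30", "SQ00", "SU12"}
MAX_SESSION = timedelta(hours=4)  # assumed limit for one emergency session

# Constructed owner table: each FireFighter ID needs a responsible owner;
# FF_BASIS is deliberately left without one.
FF_OWNERS = {"FF_FICO": "controller.fi", "FF_MM": "controller.mm",
             "FF_SD": "controller.sd"}

# Constructed log: ffid;user;logon;logoff;reason;transactions
SAMPLE_LOG = """\
FF_FICO;MAIER;2007-03-01T08:00;2007-03-01T09:30;INC-1234 payment run stuck;F110,FBZ1
FF_BASIS;MAIER;2007-03-01T10:00;2007-03-01T16:00;;SE16,SM30
FF_MM;SCHMIDT;2007-03-02T13:00;;INC-1290 goods receipt;MIGO
FF_SD;WEBER;2007-03-02T14:00;2007-03-02T14:20;INC-1301 pricing;VA02
"""


def parse_log(text):
    """Turn the constructed log lines into session dicts."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ffid, user, logon, logoff, reason, tcodes = line.split(";")
        sessions.append({
            "ffid": ffid, "user": user,
            "logon": datetime.fromisoformat(logon),
            "logoff": datetime.fromisoformat(logoff) if logoff else None,
            "reason": reason.strip(),
            "tcodes": [t for t in tcodes.split(",") if t],
        })
    return sessions


def review_session(s, owners=FF_OWNERS, max_session=MAX_SESSION):
    """Findings for one session; an empty list means the owner can sign off."""
    findings = []
    if s["ffid"] not in owners:
        findings.append("no responsible owner for " + s["ffid"])
    if not s["reason"]:
        findings.append("no reason / ticket reference")
    if s["logoff"] is None:
        findings.append("session still open (no log-off recorded)")
    elif s["logoff"] - s["logon"] > max_session:
        findings.append("session exceeded time limit")
    crit = sorted(set(s["tcodes"]) & CRITICAL_TRANSACTIONS)
    if crit:
        findings.append("critical transactions executed: " + ", ".join(crit))
    return findings


def review_log(text, owners=FF_OWNERS, max_session=MAX_SESSION):
    """Map (ffid, user, logon) to findings: management by exception over the
    whole log rather than reading every session line by line."""
    return {(s["ffid"], s["user"], s["logon"].isoformat()):
            review_session(s, owners, max_session) for s in parse_log(text)}


if __name__ == "__main__":
    for key, findings in review_log(SAMPLE_LOG).items():
        print(key, findings or ["OK"])
```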
CONTINUOUS COMPLIANCE
- Communicate changes in roles and user assignments
- Simulate changes to roles and users
- Implement alerts to monitor for newly selected risks and mitigating control testing

ACCESS ENFORCER PROCESS OVERVIEW
[Figure: today, user role requests go through manager approval and the role owner on spreadsheets and paper forms, and IT security provisions manually into the Financial, CRM and Payroll systems. Access Enforcer places a single workflow in front of those systems.]
Workflow results. What can be accomplished after a workflow is finished:
1. Create user in SAP
2. Assign roles in SAP
3. Change role assignment
4. Lock user in SAP
5. Unlock user in SAP
6. Delete user in SAP
7. Create and assign mitigation
8. Send notifications
If the auto-provisioning feature is configured to yes, the first six items can be completed automatically by AE. Otherwise the security approver must complete the provisioning in SAP manually.
Project Organization
Implementation
[Figure: implementation scope, the Access Control components: Firefighter; Compliance Calibrator with Risk Terminator (risk analysis for simulation, critical transactions, SoD analysis, risk analysis); Access Enforcer (work flows); Role Expert (role information, workflow engine for role approval).]
Service Levels
SAP Consulting offers the following service scenarios:
- Basic service: the customer nominates and empowers a project manager and an implementation team of its own. As the project manager is qualified but lacks experience in implementing the GRC system, project management assistance (PMA) from SAP Consulting ensures, via checks on pre-defined focus topics at pre-defined project stages, that the GRC Access Controls project is delivered on time and within budget according to the defined scope.
- Extended service: based on scoping workshops, Mainova can order extended service.
- Full service: if the customer lacks resources, a full service can be ordered. Individual effort estimation required.
Service offerings

GRC Assessment
- Brief: GRC Risk Analysis Entry
- Value proposition: identification of strategic GRC focus areas based on risk potential; identification of improvement potential
- Project team: SAP, Client
- Effort: 6 days Consulting *)
- Duration: 1 week
- Deliverables: Basic Analysis / Entry Risk Assessment; Management Letter; Review; Roadmap; Entry Business Case; Risk Analysis Workshop

GRC Compliance Calibrator Basic Implementation
- Brief: implement GRC CC using the implementation expertise of SAP as project management guidance
- Project team: SAP, Client
- Effort: > 2 weeks *)
- Duration: > 6 weeks
- Deliverables: License GRC Access Controls; Installation on one Development and one Quality System; Risk Report by User/Roles; Recommendations; Basic Configuration; Know-How Transfer (Coaching) for System Administrator; Project Management Coach for GRC CC Implementation

GRC Firefighter
- Brief: GRC Firefighter enablement
- Project team: SAP, Client
- Effort: > 1 week *)
- Duration: > 3 weeks
- Deliverables: Basic Configuration

*) + Client effort
Project plan
[Figure: phases from Start to Go-Live and Project Closing: Project Setup, Installation, Architecture, Risk Recognition, Rule Building and Validation, Training on the Job / Coaching / Testing, Go-Live, Project Closing; full support up to go-live, exemplary support afterwards. Project organization: Steering Committee; Project Managers (PM(A) SAP, PM Customer); Business Process Owners; Key Users; Audit.]

Project roles and required availability:
- Project Executive Sponsor: sponsorship + steering
- Project Steering Committee: Min
- Customer Project Manager: High
- Technical Team: High
Legend: Min = on requirement; Medium = 1-2 days per week; High = 3-4 days per week.
Questions?
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior
written permission of SAP AG.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments,
and functionalities of the SAP product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this
document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items
contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability,
fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This
limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in
these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.