
Turning risk into results
Enabling access management with SAP GRC

What we are seeing in the market


Primarily driven by the Sarbanes-Oxley Act of 2002, the last 10 years have seen a considerable increase in
efforts around resolving audit issues associated with segregation of duties (SoD) and sensitive and excessive
access. As a result, many companies implemented GRC access management solutions such as SAP GRC
Access Control. However, many of them focused on the short-term goal of audit remediation and so did not
achieve the full value of a GRC access management solution.

This is the right time to learn about opportunities to transform your access management program. Enabling
an SAP GRC Access Control solution can help:
- Lower the cost of access management and related audit activities through centralization and automation
- Improve sustainability by centralizing and standardizing methodologies, processes and components
- Increase the effectiveness of access processes through integration with other SAP GRC modules and a focus on critical foundational components such as role design and organizational alignment

Our recent EY global information security survey of more than 1,700 senior information security
and IT leaders found that 46% of respondents ranked internal threats as a significant concern. Fully
deploying SAP GRC Access Control while focusing on improving access management fundamentals
will help address that risk while reducing cost and improving value.

What are the opportunities at your company?

Typical current state
- Increasing complexity: multiple and manual access management processes
- Reactive: fragmented, manual and ad hoc reporting; limited visibility to risks
- Consistent failures: high instances of access violations
- Cost pressures: manual and inconsistent processes lead to higher IT costs, with significant impact on the business
- Inconsistent approach: inconsistent role design approach across business processes

Mature state
- Simplified: significant workflow automation in user access processes; integration with SAP GRC Process Control
- Proactive: mandatory SoD checks in the request process; dashboard-level reporting on the user access process, firefighter usage logs and real-time SoD report analytics and trending
- Compliant: compliant SAP role design and standardized user access management processes; ability to improve audit activities
- Cost-efficient: IT security operational efficiencies via SAP GRC automation and standardization; automation of access provisioning activities
- Consistent: globally standard roles across business processes and standard user access management processes for application systems
SAP GRC Access Control can enable your risk agenda

Risk agenda: turning risk into results

Enhance risk strategy
- Improved alignment to the objectives and strategy of the business
- Improved visibility to the risks that matter most to the organization
- Proactive identification of risks
- Enhanced decision-making

Embed risk management
- Comprehensive and continuous risk management and monitoring
- Central management of financial, operational and compliance risks and controls across the organization
- Sustainability of the risk management process
- Effective top-down and bottom-up reporting

Improve controls and processes
- Better aligned risk coverage, including the identification of stronger, more pervasive controls
- Reduced level of effort associated with performing and testing controls
- Increased control and process efficiencies enabled through automation and continuous monitoring
- Improved control mix that addresses key business risks while driving process efficiencies

Optimize risk management functions
- Elimination of duplicate and fragmented risk management activities
- Increased integration and coordination among business, IT and compliance
Resulting in the following benefits (risk, value and cost):
- Increased integration and coordination among business, IT and compliance
- Reduced audit costs due to a reliable and automated access management environment
- Identification of access anomalies indicating possible fraudulent activities, through alerts
- Cost avoidance associated with audit failure
- Continuous access control and SoD management and monitoring
- Sustainability of the access management process
- Efficiencies associated with the preparation and analysis of SoD reports
- User-friendly reporting
- Reduction in the number of manual controls required to be designed and operated to mitigate access-related issues
- Enhanced visibility to access-related risk exposure at the enterprise level (i.e., cross-application, cross-business process)
- Real-time notification of potential access issues based on established business rules
- Elimination of redundant and excessive access management procedures
- Streamlined access approval process
- Super-user access management
- Early detection of potential access issues through scenario analysis before making changes to user and role access
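The mandatory SoD check in the request process and the scenario analysis of a change before it is made, as described above, in working form. This is an added example; it is not part of the original page and is not EY's or SAP GRC Access Control's own code. The role model, the users, the rule set (P001 to P003), the mitigating control and the role names (Z:AP_...) are constructed for illustration; the transaction codes are standard SAP t-codes used only as placeholders, and the expansion of derived roles to their parent's transactions and the approve/reject policy are assumptions of this example, not documented SAP GRC behaviour.

```python
"""SoD rule evaluation and pre-provisioning simulation over a constructed
SAP-style role model.

Added example, not code from the page, EY or SAP GRC Access Control. Every
role name, user, rule and mitigating control below is constructed for
illustration; the transaction codes are standard SAP t-codes used only as
placeholders for what a real rule set would reference.
"""
from itertools import combinations

# Parent (template) roles: each functional role lists the t-codes it grants.
PARENT_ROLES = {
    "Z:AP_VENDOR_MASTER": {"XK01", "XK02", "XK03"},
    "Z:AP_INVOICE_PROCESSING": {"FB60", "MIRO", "FBL1N"},
    "Z:AP_PAYMENT_RUN": {"F110", "F-53", "FBL1N"},
    "Z:PTP_PURCHASING": {"ME21N", "ME22N", "ME23N"},
    "Z:GENERAL_USER": {"SP01", "SU53"},
}

# Derived (child) roles inherit the parent's t-codes and differ only in an
# organisational restriction (company code BUKRS here). SoD analysis expands
# them to the parent's t-codes: the restriction narrows where a capability
# can be exercised, it does not remove the capability (assumption of this example).
DERIVED_ROLES = {
    "Z:AP_INVOICE_PROCESSING_1000": ("Z:AP_INVOICE_PROCESSING", {"BUKRS": "1000"}),
    "Z:AP_PAYMENT_RUN_1000": ("Z:AP_PAYMENT_RUN", {"BUKRS": "1000"}),
}

# Business functions group t-codes; an SoD rule names two functions that one
# person must not hold together (constructed rule set, not SAP's delivered one).
FUNCTIONS = {
    "AP01 Maintain vendor master": {"XK01", "XK02", "FK01", "FK02"},
    "AP02 Process vendor invoices": {"FB60", "MIRO"},
    "AP03 Process vendor payments": {"F110", "F-53"},
    "PR01 Create purchase orders": {"ME21N", "ME22N"},
}
SOD_RULES = {
    "P001": ("AP01 Maintain vendor master", "AP03 Process vendor payments"),
    "P002": ("AP02 Process vendor invoices", "AP03 Process vendor payments"),
    "P003": ("PR01 Create purchase orders", "AP02 Process vendor invoices"),
}

# Constructed user assignments and one mitigating control already on file.
USERS = {
    "jdoe": {"Z:AP_INVOICE_PROCESSING_1000", "Z:GENERAL_USER"},
    "asmith": {"Z:AP_VENDOR_MASTER", "Z:AP_PAYMENT_RUN_1000"},
}
MITIGATIONS = {("asmith", "P001"): "MC-017 monthly vendor-change vs payment review"}


def role_tcodes(role):
    """Resolve a parent or derived role to the set of t-codes it grants."""
    if role in DERIVED_ROLES:
        role = DERIVED_ROLES[role][0]
    return set(PARENT_ROLES[role])  # KeyError for an unknown role is deliberate


def user_tcodes(user, extra_roles=()):
    """Effective t-codes for a user, optionally with additional roles applied."""
    tcodes = set()
    for role in set(USERS[user]) | set(extra_roles):
        tcodes |= role_tcodes(role)
    return tcodes


def violations(tcodes):
    """Rule hits for a t-code set: a rule fires when both of its functions
    are reachable, i.e. at least one t-code of each function is held."""
    held = {f for f, fn_tcodes in FUNCTIONS.items() if fn_tcodes & tcodes}
    return [(rule, f1, f2) for rule, (f1, f2) in sorted(SOD_RULES.items())
            if f1 in held and f2 in held]


def analyze_user(user):
    """Current-state SoD violations for one user."""
    return violations(user_tcodes(user))


def simulate_request(user, requested_roles):
    """Mandatory SoD check for an access request: evaluate the user as they
    would be after provisioning and block unless every conflict that would
    exist afterwards is covered by a mitigating control on file."""
    before = analyze_user(user)
    after = violations(user_tcodes(user, requested_roles))
    unmitigated = [v for v in after if (user, v[0]) not in MITIGATIONS]
    return {
        "before": before,
        "after": after,
        "new": [v for v in after if v not in before],
        "unmitigated": unmitigated,
        "decision": "APPROVE" if not unmitigated else "REJECT",
    }


def tcode_overlap():
    """Role-design check: pairs of functional roles that share t-codes.
    Shared display transactions are a sign they belong in a display role."""
    return [(a, b, sorted(PARENT_ROLES[a] & PARENT_ROLES[b]))
            for a, b in combinations(sorted(PARENT_ROLES), 2)
            if PARENT_ROLES[a] & PARENT_ROLES[b]]


if __name__ == "__main__":
    for u in USERS:
        print(u, analyze_user(u))
    print(simulate_request("jdoe", ["Z:AP_PAYMENT_RUN_1000"]))
    print(tcode_overlap())
```

A rule fires when the user can reach at least one transaction of each conflicting function, which is why a derived role restricted to one company code still counts. The request check is evaluated on the post-change state and blocks unless every remaining conflict has a mitigating control on file, so asmith's existing P001 conflict (mitigated by MC-017) does not block an unrelated request, while giving jdoe the payment-run role is rejected because it would introduce an unmitigated P002. tcode_overlap() is the role-design counterpart: it flags functional roles that duplicate transactions (here the display t-code FBL1N), which the 4-tier model would push into a display role.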

Next steps to improve your risk management landscape

- Rapid SAP access diagnostic: an accelerated current-state assessment of your SAP access processes and technology, allowing you to identify realizable value and develop a future-state road map to achieve it.
- SAP GRC demo: facilitates mapping of business requirements to SAP GRC functionality and can be used to develop an initial business case for implementing SAP GRC.
- EY SAP GRC Accelerated Analytics Workbench: a tool that presents SoD conflicts in a business-friendly format and helps identify key risks and pain points and determine initial remediation.
- SAP GRC demo environment: a demo environment for all the latest versions of the software, including SAP GRC 10.0 for Access Control, Process Control, Risk Management and Global Trade Services.
- SAP role design benchmarking: key metrics enabling an organization to compare its SAP role design against other companies and leading practices.
- EY RiskUniverse: industry-specific risk universes, process-normative models and key business risks linked to application-specific controls that can be used to customize SAP GRC demos.

[Figure: Comparison of SAP roles against initial design and similar organizations. Caption: roles should be standardized and rationalized to better align with the Industrial Client's business process design and organizational structure. Reproduced from an Ernst & Young 2010 deck marked "Proprietary & Confidential, not for use or disclosure outside Industrial Client, DRAFT FOR DISCUSSION ONLY".]

Panel 1: Leading practice role design methodology, a 4-tier model (with the typical number of roles in General Accounting):
- Job/function role (58): transactions restricted to a specific user (i.e., process interface exceptions, mass updates)
- Functional role (8-12): transactions which represent the execution of the job function (minimum overlap of t-codes between roles)
- Departmental role (1-2): transactions to which everyone in the department will have access (i.e., includes display-only roles)
- General role (1): transactions to which everyone in the organization will have access (i.e., printing functions, export/import functions)
The panel also shows a Display role (14), a Basic role (1) and a Special access role (4-8), and distinguishes parent roles from children/derived roles. Example General Accounting "FI/CO/AM/TR" roles shown: A/P Processing; A/P Processing Additional; A/R Credit Management Override Executing; A/R Credit Management Override Executing without VKM1, VKM2; A/R Invoice IDOC Processing, with derived roles Invoice IDOC Processing For Project CC and Plants and Invoice IDOC Processing For Stable CC and Plants; Post Park Journal Entries, with derived roles Park Journal Entries For Project CC and Plants and Park Journal Entries For Stable CC and Plants; A/R Reporting; A/R Customer Master Displaying; G/L Journal Entry Displaying; Financial Reporting General Display; Display Role (FLB1N); G/L Account Displaying; General User Role (Z:ABC_GENERAL_USER).

Panel 2: "Industrial Client vs. Leading Practice Gap" and "Design vs. Actual SAP Roles Gap": bar charts of the number of parent/template roles per area (General Accounting "FI/CO/AM/TR" roles, Supply Chain "IM/WM/PP" roles, Order to Cash "SD" roles, Procure to Pay "MM" roles, Human Resources "HR" roles), comparing Industrial Client SAP roles mapped to the job functions document, Industrial Client SAP roles not mapped to the job functions document, and roles in comparable organizations, together with "Company A current state General Accounting roles (and number of Z:FI roles)".
Why EY?
- Global and flexible approach with a focus on SAP GRC
- Knowledgeable team with practical experience in process, risk and technology disciplines
- Industry-specific content and enablers
- Leading-practice assessment diagnostics and leverage models
- Service delivery model design and key performance indicators

EY | Assurance | Tax | Transactions | Advisory

© 2014 EYGM Limited. All Rights Reserved.

About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services
we deliver help build trust and confidence in the capital markets and in economies the world over. We develop
outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical
role in building a better working world for our people, for our clients and for our communities.

EYG/OC/FEA no. XX0000

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young
Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by
guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Our services
- Rapid GRC technology diagnostic
- GRC technology vendor selection
- GRC technology implementation and assessments
- Risk transformation enabled by GRC technology

1403-1222661 EC
ED 0115
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional
advice. Please refer to your advisors for specific advice.

ey.com