Holly Marrs
PwC
Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2016 Wellesley Information Services. All rights reserved.
In This Session
Hypercare, Cutover Stability, Planning Metrics
• Definition of Hypercare
• Cutover Planning
• Stability Metrics and Reporting
• Controls Approach: Execution of tight control over business processes and security
• Case Study
• Leveraging GRC 10.1 Functionality
• Key Audit Focus Areas
• Wrap-up
Hypercare Definition
When companies undertake a major implementation or upgrade, the most visible goal is a
timely and successful go-live with minimal disruption for the business. Oftentimes, this
leads to an intense (and often stressful) period immediately after go-live called “hypercare”.
• Definition: The period after go-live is often referred to as hypercare and it can be
extremely risky to the success of an implementation. This is a period of time where the
project team provides extended support for the business to work through issues
encountered when cutting over to the new system. Hypercare typically extends 30-90
days after go-live.
Risk: When project teams are so focused on helping the company maintain business-as-usual activities, control deficiencies go unnoticed until it is too late!
Hypercare Definition (cont.)
• During the first few months after go-live, clients will make dozens of choices that could
have immense impacts on:
• Securing the system properly
• Relying on transactions posted in the system
• Their ability to pass audits
• With so many moving parts such as mass data loads, user training, increased volume of
system changes, and elevated access …
• How do companies maintain compliance to IT general controls during such a critical
time?
• How do companies work with both internal and external audit to demonstrate modified
controls unique to this go-live scenario?
Answer: Plan ahead and utilize SAP Access Control and Process Control
Hypercare Definition (cont.)
• Issue prioritization
Hypercare Definition (cont.)
Risk Factors: People
• Lack of executive level support/awareness to post go-live criticality
• Lack of dedicated business process and technical professionals
• Lack of sufficient involvement from the business process owners in the hypercare
phase
• Lack of necessary ERP expertise on the implementation team (including management
and readiness partner)
• Insufficient training for end users
• Importance of change management is underestimated or done ineffectively
• Lack of effective knowledge management
• Insufficient governance strategy around segregation of duties, master data, and
reporting
Cutover Planning
• During the cutover window, several circumstances will be presented that are outside of
the normal expectations for the systems and business process environment. Examples of
this may include:
• Data Management/Conversion:
• Mass data loads will be occurring through either automated conversion programs or
• There is a high likelihood that the volume of changes introduced to the live
environment will be higher than normal and the speed with which those changes are
migrated to production may be significantly faster than in a stable environment
• The production environment may be open more often or for more extended periods
Cutover Planning (cont.)
• During the cutover window, several circumstances will be presented that are outside of
the normal expectations for the systems and business process environment. Examples of
this may include: (cont.)
Sensitive Access Management:
roles. This may increase the likelihood of granting excessive access to business
users so that transaction processing can occur or significantly increase usage of
Firefighter.
For organizations in a phased implementation approach, there will likely be live
business units/locations in addition to those that are being cutover into the system.
Access granted to project team members for cutover purposes can create exposure
to all locations or units that are live.
Cutover Planning (cont.)
• During the cutover window, several circumstances will be presented that are outside of
the normal expectations for the systems and business process environment. Examples of
this may include: (cont.)
Segregation of Duties (SoD):
the production environment and this is not advised. This access may create
Segregation of Duties (SoD) violations, grant access to sensitive information, or
grant access to transaction codes/authorizations that may not be in production
roles.
Plans may have been well articulated for controls and security after go live; however, a
number of unexpected factors may lead to the controls failing and the security controls not
operating as management intended.
Stability Metrics and Reporting
Prepare and track a Hypercare Readiness Scorecard for go-live. Each criterion is tracked per phase (Phase 1, Phase 2, Phase 3, etc.) with notes and the actions needed to reach 100%:
Processes: Control integration, training
Tools: SAP AC/PC monitoring
Reports: Defect Report, EAM Report
Roles & responsibilities: Training team, support team, audit, etc.
Staffing Plans: Global 24 hour “war room” support for week 1
Coverage Plans: Continue weekly update
Infrastructure: Preparation of technical equipment for locations, mobile devices
Training: Dry run complete?
Soft spots: Mitigation plans developed and conveyed to user and hypercare teams?
Critical: Conversion of SIT/UAT critical tickets to hypercare tickets
Workarounds: Workaround plans conveyed to user and hypercare teams
DO communicate with both internal and external auditors regarding the plan and timing
for short-term hypercare controls and the longer term new control framework
Stability Metrics and Reporting (cont.)
Daily defect report (report generated 3/27/13 11:10 AM; data of previous days may change according to changed severity):

Date       Opened  Closed  Backlog  SEV1  SEV2  SEV3  SEV4  CR
03/27/13       30      30     2149   595   955   528    48  23
03/26/13      185     172     2164   601   957   533    49  24
03/25/13      189     203     2151   605   948   526    48  24
03/24/13       46      44     2165   616   963   514    48  24
03/23/13       48      41     2163   612   968   511    48  24
03/22/13      126     115     2156   602   970   512    48  24
03/21/13      187     172     2145   597   967   509    48  24

[Chart: Open, Completed and Rejected/Dup. counts per day for the dates above]

Defect status by severity:

Severity     Open  Completed  Rejected/Dup.
Total        2149       8484           2826
1- Severe     595       3704           1336
2- Major      955       3523           1119
3- Minor      528       1035            304
4- Minimal     48         94             29
CR             23        128             38

Completed defects by age at closure (TOP is a priority subset and is not included in the Totals row):

Severity    0-12 hrs  12-24 hrs  24-48 hrs  48-72 hrs  3-7 days  7-10 days  10-30 days  > 30 days  Total    %  Met SLA
TOP              207        196        258        169       354        100         105         25   1414  17%      29%
1- Severe        506        431        590        372       821        298         533        153   3704  44%      25%
2- Major         210        171        266        237       699        349        1032        559   3523  42%      25%
3- Minor          92         56         88         52       176         78         292        201   1035  12%      45%
4- Minimal        21         17          5          3        10          5          17         16     94   1%      83%
Totals           829        675        949        664      1706        730        1874        929
%                10%         8%        11%         8%       20%         9%         22%        11%

SLA: Sev 1 = 24 hours; Sev 2 = 72 hours (3 days); Sev 3 = 7 days; Sev 4 = 30 days
Weekly defect monitoring for first few months after go-live: Look for impacts to the security and control
environment. Is a temporary control needed to mitigate an open defect or workaround?
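The "% Met SLA" column of the defect report above can be reproduced from the age-at-closure buckets and the per-severity SLAs. The following is an added example (not part of the presentation) that does exactly that: the bucket counts and SLA targets are the ones printed on the slide, while the function names and the 50% review threshold are assumptions chosen for the example.

```python
# Added example: recompute the "% Met SLA" figures of a hypercare defect report
# from its age-at-closure buckets. Counts and SLA targets are copied from the
# slide; the functions and the review threshold are illustrative assumptions.

# Age buckets in report order, with each bucket's upper edge in hours.
BUCKETS = ["0-12 hrs", "12-24 hrs", "24-48 hrs", "48-72 hrs",
           "3-7 days", "7-10 days", "10-30 days", "> 30 days"]
BUCKET_UPPER_HOURS = [12, 24, 48, 72, 7 * 24, 10 * 24, 30 * 24, float("inf")]

# SLA per severity as stated on the slide.
SLA_HOURS = {"1- Severe": 24, "2- Major": 72, "3- Minor": 7 * 24, "4- Minimal": 30 * 24}

# Completed defects per age bucket (report dated 03/27/13).
COMPLETED_BY_AGE = {
    "1- Severe":  [506, 431, 590, 372, 821, 298, 533, 153],
    "2- Major":   [210, 171, 266, 237, 699, 349, 1032, 559],
    "3- Minor":   [92, 56, 88, 52, 176, 78, 292, 201],
    "4- Minimal": [21, 17, 5, 3, 10, 5, 17, 16],
}


def sla_met_percent(counts, sla_hours):
    """Percentage of closed defects whose age bucket lies entirely within the SLA.

    A bucket counts as met only when its upper edge is <= the SLA, so a bucket
    straddling the deadline is conservatively treated as missed. The result is
    a whole-number percentage, as in the report.
    """
    total = sum(counts)
    if total == 0:
        return 0
    met = sum(c for c, upper in zip(counts, BUCKET_UPPER_HOURS) if upper <= sla_hours)
    return round(100 * met / total)


def sla_report(completed_by_age=COMPLETED_BY_AGE, sla_hours=SLA_HOURS):
    """Severity -> % met SLA (the report's right-hand column)."""
    return {sev: sla_met_percent(counts, sla_hours[sev])
            for sev, counts in completed_by_age.items()}


def severity_share(completed_by_age=COMPLETED_BY_AGE):
    """Severity -> % of all completed defects (the report's '%' column)."""
    grand = sum(sum(c) for c in completed_by_age.values())
    return {sev: round(100 * sum(c) / grand) for sev, c in completed_by_age.items()}


def age_distribution(completed_by_age=COMPLETED_BY_AGE):
    """Per-bucket totals and percentages across severities (the 'Totals' and '%' rows)."""
    totals = [sum(col) for col in zip(*completed_by_age.values())]
    grand = sum(totals)
    return totals, [round(100 * t / grand) for t in totals]


def below_threshold(report, threshold=50):
    """Severities whose SLA attainment is under the threshold: the defect
    classes where the team should ask whether an open defect or workaround
    needs a temporary control while the backlog is worked down."""
    return sorted(sev for sev, pct in report.items() if pct < threshold)


if __name__ == "__main__":
    for sev, pct in sla_report().items():
        print(f"{sev:<12} met SLA: {pct}%")
    print("Below 50% SLA attainment:", below_threshold(sla_report()))
```

Run as a script it prints 25%, 25%, 45% and 83% for the four severities, matching the slide; a weekly run over the current report is the mechanical part of the "look for impacts to the security and control environment" review.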
Stability Metrics and Reporting (cont.)
• In addition to reviews to support your control environment, there may be data within your SAP environment that indicates operational or compliance concerns. Review the data for trends that could indicate manual workarounds have been introduced into the environment.

Example of Stability Metrics

Cycle | Area | Metric | Description
PTP | Disbursements | Spend to one-time vendors | Identify if users are using one-time vendors to perform payments and not leveraging actual vendors; this could be an inefficiency in the process and present a potential risk of fraud, as one-time vendors present a unique fraud risk.
PTP | PTP | Outstanding GR/IR balances | Review of the number of documents and dollar value of all unmatched documents in the GR/IR account that have not been resolved after 60 or 90 days
OTC | OTC | Sales Orders with manually updated prices | Identify instances where manual price overrides were used at the time of sales order processing
OTC | OTC | Customer Credit Notes vs. Invoice Ratio | Identify if there are inefficiencies in the order-to-cash process by checking whether there are a lot of credit notes compared to the number of invoices issued
OTC | Accounts Receivable | # of Cancelled Sales Invoices | Identify the number of cancelled sales invoices
RTR | Financial Close | Manual Journal Entries | Identify the number of manual journal entries and late entries (where a prior posting period was opened and entries recorded)
Controls Approach
Controls Approach (cont.)
• The controls team, those tasked with assessing the effectiveness of controls in the new
environment, will need to develop a risk-based response to go-live at each location.
There will be a series of tasks that they will want to consider performing.
• Examples of this may include:
Testing key automated controls are operating effectively, including report validation
Reviewing for users who were granted access outside of the automated provisioning
system
Reviewing for uses of standard SAP accounts, roles, and profiles
Reviewing FF usage and that an approved incident was logged for each FF check out
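The last two review tasks above (reviewing users granted access outside the provisioning system, and checking that every Firefighter check-out has an approved incident behind it) are easiest to run as a reconciliation between the Firefighter session log and the incident register. The following is an added example (not code from the presentation or from SAP GRC): the session fields, the incident register, the eight-hour session limit and all sample records are constructed assumptions, and the overlap check (two users holding the same Firefighter ID at once) goes slightly beyond the slide's wording as an extra accountability test.

```python
# Added example: a log-review routine for Firefighter (EAM) sessions. The
# record layout, the incident register and every sample record are constructed
# for the example; they are not GRC's data model or real log data.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class FirefighterSession:
    ff_id: str           # Firefighter ID that was checked out
    user: str            # business user who checked it out
    checkout: datetime
    checkin: datetime
    reason_code: str     # reason code captured at checkout
    ticket: str          # incident reference entered at checkout, "" if none


# Constructed incident register: ticket -> approval status.
INCIDENTS = {"INC-1001": "approved", "INC-1002": "approved", "INC-1003": "rejected"}

# Constructed session log covering one hypercare week.
SESSIONS = [
    FirefighterSession("FF_FI_01", "jdoe",   datetime(2013, 3, 25, 9, 0),  datetime(2013, 3, 25, 10, 30), "DATA_FIX", "INC-1001"),
    FirefighterSession("FF_FI_01", "asmith", datetime(2013, 3, 25, 14, 0), datetime(2013, 3, 25, 14, 45), "DATA_FIX", ""),
    FirefighterSession("FF_MM_02", "jdoe",   datetime(2013, 3, 26, 8, 0),  datetime(2013, 3, 26, 20, 0),  "CONFIG",   "INC-1003"),
    FirefighterSession("FF_MM_02", "bli",    datetime(2013, 3, 26, 9, 0),  datetime(2013, 3, 26, 9, 20),  "CONFIG",   "INC-1002"),
    FirefighterSession("FF_FI_01", "asmith", datetime(2013, 3, 27, 9, 0),  datetime(2013, 3, 27, 9, 30),  "DATA_FIX", "INC-9999"),
]


def review_sessions(sessions, incidents, max_hours=8):
    """Return (ff_id, user, finding) tuples for sessions that fail the review.

    Checks: every check-out cites an incident; the incident exists and was
    approved; the session does not exceed max_hours; and two different users
    do not hold the same Firefighter ID at the same time, which would make the
    log unable to say who did what.
    """
    findings = []
    for s in sessions:
        if not s.ticket:
            findings.append((s.ff_id, s.user, "no incident reference"))
        elif s.ticket not in incidents:
            findings.append((s.ff_id, s.user, f"unknown ticket {s.ticket}"))
        elif incidents[s.ticket] != "approved":
            findings.append((s.ff_id, s.user, f"ticket {s.ticket} not approved"))
        if s.checkin - s.checkout > timedelta(hours=max_hours):
            findings.append((s.ff_id, s.user, f"session longer than {max_hours}h"))
    # Overlapping use of one Firefighter ID by different users.
    ordered = sorted(sessions, key=lambda s: (s.ff_id, s.checkout))
    for a, b in zip(ordered, ordered[1:]):
        if a.ff_id == b.ff_id and a.user != b.user and b.checkout < a.checkin:
            findings.append((b.ff_id, b.user, f"overlaps session of {a.user}"))
    return findings


def usage_metrics(sessions):
    """Check-out counts per Firefighter ID and per reason code, the raw
    numbers behind the reason-code and activity reporting described for EAM."""
    by_id = Counter(s.ff_id for s in sessions)
    by_reason = Counter(s.reason_code for s in sessions)
    return dict(by_id), dict(by_reason)


if __name__ == "__main__":
    for finding in review_sessions(SESSIONS, INCIDENTS):
        print(finding)
    print(usage_metrics(SESSIONS))
```

On the constructed log the review produces five findings: a check-out with no incident, one citing a rejected incident, one citing a ticket the register does not know, one twelve-hour session, and two users overlapping on FF_MM_02. Each finding is something the log reviewer would have to explain to an auditor, so the output doubles as the evidence list for the weekly Firefighter log review.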
Controls Approach (cont.)
• Training
Creation and/or delivery of training sessions
Thoroughly document scenarios that qualify for temporary and modified controls
E.g., Emergency changes still require testing and approvals but may be captured in a
Case Study
A global tire manufacturer was going through a large scale SAP implementation.
The work began with a small project to introduce Controls Integration (CI) to their
SAP implementation and this ultimately led to a thoroughly controlled SAP
environment.
Case Study (cont.)
[Figure: "Cost of Controls: Which curve will you end on?" Y-axis: Cost of Controls (Low to High). X-axis: Blueprint, Realization, Go-Live/Hypercare, Sustainment. Labels on the chart: Integrator Selected with No Controls Focus; Controls Checkpoints; Internal Audits; Controls Implementation Without Controls COE; Controls Sustainment with Controls COE/GRC/Controls IQ]
Leveraging GRC 10.1 Functionality
• GRC Overview
• Leveraging Access Control – Emergency Access Management Example
• Leveraging Process Control – Continuous Control Monitoring for Critical ITGC
Configurable Controls Examples
Leveraging GRC 10.1 Functionality — Overview
Enterprise Risk Management: Risk Management
Compliance and Controls: Access Control, Process Control, Global Trade, Environment
Business Applications and IT Infrastructure: SAP, Oracle, PPSFT, Other …
Leveraging GRC 10.1 Functionality — Overview (cont.)
SAP GRC Suite Hypercare Examples to be Discussed: Access Control (AC), Process Control (PC), Risk Management (RM)
Leveraging GRC 10.1 Functionality — Access Control
• SAP Access Control (GRC Access Control 10.1)
Access Risk Analysis
• Real-time SoD and SA reporting at user and role levels
• Ability to document mitigating controls and assign to identified SoD and SA conflicts
Emergency Access Management
• Also known as Firefighter
• Allows controlled and monitored access to users for sensitive or critical actions
Leveraging GRC 10.1 Functionality — Access Control (cont.)
Extended access is granted to users while creating an auditing layer that monitors and
records usage
Leveraging GRC 10.1 Functionality — Access Control (cont.)
• EAM Features
Provides EAM IDs to perform actions that require special/elevated access
Provides centralized access and administration of Firefighter IDs. Log review workflow
drives accountability and auditability in the Firefighter log review process.
Integrates with ARM to support workflow-based Firefighter ID/role approval process
Captures reason code usage and activity for enhanced metrics reporting
Leveraging GRC 10.1 Functionality — Access Control (cont.)
• EAM Benefits
Mitigates the most common open audit issue faced by companies: SAP_ALL
Leveraging GRC 10.1 Functionality — Access Control (cont.)
4. After go-live support usage has stabilized, be sure to remove access from the support
team. Risk: Access remains for an unnecessary period of time which could result in
unauthorized use.
Leveraging GRC 10.1 Functionality — Process Control
Monitoring areas: Master Data, Transactions
[Screenshot from an automated exception report targeted at preventing the use of one-time vendor accounts]
Leveraging GRC 10.1 Functionality — Process Control (cont.)
Example Continuous Transaction Monitoring controls
Access Monitoring:
1. Detect users with the ability to maintain vendor master data and initiate payment to vendors (Segregation of Duties violations).
2. Identify all purchase orders made to one-time vendors and calculate their percentage with respect to the total amount of purchase orders created at the company code level.
Example Continuous Configuration Monitoring controls
Master Data:
1. Detect vendor master data with identical bank account details.
2. Detect incomplete master data for materials, customers, vendors.
Configuration Monitoring:
2. Detect change to Duplicate Invoice settings.
3. Detect changes to Production being locked down.
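The monitoring rules listed above are ordinary queries once the underlying records are in hand. The following is an added example (not Process Control's rule definitions and not code from the presentation) that implements four of them over constructed data: the vendor-master, purchase-order and user-authorization layouts, the grouping of transaction codes into "maintain vendor" and "pay vendor" sets, and all sample records are assumptions made for the example. The one-time vendor share is computed by PO value; the slide's "total amount" could equally be read as a count, which is a one-line change.

```python
# Added example: continuous-monitoring checks over constructed sample data.
# Record layouts, the transaction-code groupings and every sample record are
# assumptions for the example, not a real SAP extract or a GRC rule.
from collections import defaultdict

# Constructed vendor master: (vendor_id, name, bank_account, one_time_vendor)
VENDORS = [
    ("V100", "Acme Rubber",     "DE11-0001", False),
    ("V101", "Globex Steel",    "DE11-0002", False),
    ("V102", "Initech Ltd",     "DE11-0001", False),  # shares a bank account with V100
    ("V103", "",                "",          False),  # incomplete master record
    ("OTV1", "One-time vendor", "",          True),   # one-time vendor account
]

# Constructed purchase orders: (po_number, company_code, vendor_id, amount)
PURCHASE_ORDERS = [
    ("4500000001", "1000", "V100", 10000.0),
    ("4500000002", "1000", "OTV1",  2500.0),
    ("4500000003", "1000", "V101",  7500.0),
    ("4500000004", "2000", "OTV1",  3000.0),
    ("4500000005", "2000", "V102",  1000.0),
]

# Constructed user -> executable transaction codes. Grouping the codes into
# vendor-maintenance and payment sets is an assumption for this example.
USER_TCODES = {
    "jdoe":   {"XK02", "F110", "ME21N"},
    "asmith": {"XK01", "XK02"},
    "bli":    {"F110", "F-53"},
    "cng":    {"ME21N"},
}
MAINTAIN_VENDOR = {"XK01", "XK02", "FK01", "FK02"}
PAY_VENDOR = {"F110", "F-53"}


def one_time_vendor_share(purchase_orders, vendors):
    """Company code -> percentage of PO value placed with one-time vendors."""
    one_time = {vid for vid, _, _, otv in vendors if otv}
    total = defaultdict(float)
    otv_total = defaultdict(float)
    for _, company_code, vid, amount in purchase_orders:
        total[company_code] += amount
        if vid in one_time:
            otv_total[company_code] += amount
    return {cc: round(100 * otv_total[cc] / total[cc], 1) for cc in sorted(total)}


def duplicate_bank_accounts(vendors):
    """Bank account -> vendor ids, for accounts shared by more than one vendor."""
    by_bank = defaultdict(list)
    for vid, _, bank, _ in vendors:
        if bank:
            by_bank[bank].append(vid)
    return {bank: ids for bank, ids in by_bank.items() if len(ids) > 1}


def incomplete_vendors(vendors):
    """Regular vendors missing a name or bank account. One-time vendors are
    excluded because their details are captured per document, not in the master."""
    return [vid for vid, name, bank, otv in vendors if not otv and (not name or not bank)]


def sod_maintain_and_pay(user_tcodes, maintain=MAINTAIN_VENDOR, pay=PAY_VENDOR):
    """Users who can both maintain vendor master data and pay vendors."""
    return sorted(user for user, tcodes in user_tcodes.items()
                  if tcodes & maintain and tcodes & pay)


if __name__ == "__main__":
    print("One-time vendor share by company code:", one_time_vendor_share(PURCHASE_ORDERS, VENDORS))
    print("Shared bank accounts:", duplicate_bank_accounts(VENDORS))
    print("Incomplete vendor records:", incomplete_vendors(VENDORS))
    print("SoD (maintain vendor + pay vendor):", sod_maintain_and_pay(USER_TCODES))
```

On the sample data company code 2000 routes 75% of its PO value through the one-time vendor account, V100 and V102 share a bank account, V103 is incomplete, and jdoe holds both halves of the maintain-and-pay conflict. In a real deployment the value of the rule is the schedule and the exception workflow around it, which is what the data-source, business-rule and scheduling steps on the following slides add.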
Leveraging GRC 10.1 Functionality — Process Control (cont.)
Continuous control monitoring set-up steps:
1. Analyze the Data
2. Create Data Source & Business Rule
3. Map to Controls
4. Configure ERP for Monitoring
5. Schedule
6. Analyze & Remediate
7. Report & Refine
Key Audit Focus Areas
• IT General Controls (ITGC) Overview
ITGCs help provide a foundation for data processing environments that is secure, reliable, and provides
for data completeness, accuracy, and integrity
Key Audit Focus Areas (cont.)
ITGC Overview – Foundation
• ITGCs represent the foundation of the IT control structure. They help establish the reliability
of data generated by IT systems, that systems operate as intended, and that output is
reliable.
• In addition to ITGCs, IT Entity Level Controls (ELCs) exist to address the overall control
environment. IT ELCs are designed to shape the corporate culture or "tone at the top."
Examples of IT ELCs include IT policies and procedures, annual training requirements, and
IT governance.
Key Audit Focus Areas (cont.)
Public Company Accounting Oversight Board
• The SOX Act requires accounting firms auditing public companies to register with, and be subject to periodic inspection by, the PCAOB.
• PCAOB inspections are causing external auditors to ask more questions and request more evidence on controls.
Key Audit Focus Areas (cont.)
• Completeness and Accuracy over Reporting
There are many viewpoints on how companies validate completeness and accuracy
over reporting. Management’s goal is to have comfort in all key reports, which can be
gained by the following methods:
Tying reports to independent source information
Controls
Relying on other ITGC controls for “canned” reports
Key Audit Focus Areas (cont.)
Most Common Areas for Testing during hypercare: Be ready!
Review for proper System Development Lifecycle (SDLC) controls
Review for users who were granted access outside of the automated provisioning system
Where to Find More Information
• Brian Shannon, “7 Strategies for Preparing Your SAP System for Audits” (SAPinsider, October 2015).
http://sapinsider.wispubs.com/Assets/Articles/2015/October/SPI-7-strategies-for-preparing-your-SAP-systems-for-audits
• Process Control – Continuous Monitoring on the SAP Help Portal
http://help.sap.com/saphelp_grcpc101/helpdata/en/5d/038910ddca4b9d847934a662b98b4c/content.htm?frameset=/en/9a/35bde07054476ead120eb81251f10a/frameset.htm&current_toc=/en/60/d658f576b6452eb0f943c04b354018/plain.htm&node_id=140&show_children=false
• Access Control – Configuring ID-based Firefighting on the SAP Help Portal
http://help.sap.com/saphelp_grcac101/helpdata/en/4f/5faf2e95052892e10000000a42189b/content.htm
• Access Control – Configuring EAM Log Notifications on the SAP Help Portal
http://help.sap.com/saphelp_grcac101/helpdata/en/c6/a13aab8efc454eadeab21a46381885/content.htm
7 Key Points to Take Home
Your Turn!
© 2016 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the US member firm, and may sometimes refer to the PwC network. Each
member firm is a separate legal entity. Please see www.pwc.com/structure for further details.
This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026