Barbara Mayer, Enterprise Risk Management, SAP Consulting

SAP ERP Financials: SAP Solutions for Governance, Risk, and Compliance and SAP GRC Access Control
GRC-Suite in detail
Value proposition
Gartner rating scale: Strong Negative | Caution | Promising | Positive | Strong Positive
About SAP GRC Access Control
- SAP is the only vendor with a Gartner "recommended" rating in all technique categories (static analysis, provisioning support, integrated provisioning workflow, transaction monitoring and emergency access)
- Offers one of the strongest product sets in Gartner's analysis, comprehensively addressing all SoD issues across multiple SAP instances
- Capable of running on multiple ERP platforms
[Figure: mySAP ERP Financials (Credit Mgmt., Collections Mgmt., Dispute Mgmt., FI-CA, Biller Direct, In-house Cash) positioned between internal regulations / ethical standards, strategic and operative risks, and external regulations / compliance to laws]
[Figure: today's situation. Management, the supervisory board and internal audit rely on almost manual, sample-based, not error-free controls and have no overview of the risk portfolio. Example risk areas: fraud, environmental health & safety, purchasing (supplier rating & embargo lists), sales (credit risks, customer ratings), salaries.]
SAP GRC Suite (cross-industry)
- GRC Repository: documentation and monitoring
- Access Control: Compliance Calibrator, Role Expert, Access Enforcer, Firefighter
- Process Control
- Risk Management
- Global Trade Services (GTS)
- Environment, Health & Safety (EH&S)
- more solutions

All components sit on top of the business applications and leverage integration through high automation (e.g. automatic controls).

SAP GRC Access Control: group-wide utilization, open architecture (uses SAP's technology platform, no limitation to SAP ERP systems)
GRC Repository
Inputs:
- Performance & industry mandates
- Risk & control libraries
- BOD & committee minutes
- Corporate policies & procedures
- Control frameworks (COSO, COBIT)
- Advisory services (auditors, attorneys)
- Internal policies
Provides:
- Measures & benchmarks
- Pre-built control & risk libraries
- Complete body of evidence for compliance
- Centralized knowledge base for all GRC-relevant information, beyond fragmentation
SAP GRC Access Control: from manual activity to automation

Minimal time to compliance (Get Clean):
- Risk Analysis and Remediation: rapid, cost-effective and comprehensive initial clean-up

Effective access management (Stay Clean):
- Enterprise Role Management: enforce SoD compliance at design time
- Compliant User Provisioning: prevent SoD violations at run time
- Superuser Privilege Management: close the #1 audit issue with temporary emergency access

Continuous management oversight and audit (Stay in Control):
- Periodic Access Review and Audit: focus on remaining challenges during recurring audits

Result: risk elimination through end-to-end automation.
Heterogeneous IT landscape: legacy, custom, financials, inventory and purchasing, and accounting systems. Example SoD conflict: one user holds the authorization to maintain vendor master data in one system and the authorization to initiate payments to a vendor in another. Analysed per system, neither authorization is suspicious; only a cross-enterprise rule set (Virsa) that spans all systems recognises the combination as a RISK.
[Figure: risk analysis for user Maier. The compliance officer runs a risk analysis per function; the SoD matrix (risks x functions, per plant / ERP 2005 instance) is compared with the user's actual authorizations in the business applications and yields a risk report.]
Rule construction
- A function is a set of critical transactions or authorization objects, e.g. Function 1 = {System 1: Transaction 1, ..., System 1: Transaction n}, Function 2 = {System 1: Transaction 2, ..., System 1: Transaction m}.
- Each element of a function is an action (transaction) plus a permission (authorization object and value).
- A risk is a pair of conflicting functions. Risk 1 between Functions A & B is expanded into ALL cross combinations of (Action + Permission) from Function A with (Action + Permission) from Function B: Action 4 + Permission 4, Action 5 + Permission 5, Action 6 + Permission 6, ... Action n + Permission n on one side against every element of Function B on the other. Each combination is one risk rule (Risk Rule 4, 5, 6, 7, 8, 9, ... n).
- Risk 2 between Functions C & D expands the same way (Action 10 + Permission 10, Action 11 + Permission 11, Action 12 + Permission 12, ... against Function D, giving Risk Rules 13, 14, 15, 16, 17, 18, ... n).
- Because every risk multiplies out to |A| x |B| rules, the delivered rule set contains about 180,000 rules.
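The following is an added example, not SAP code and not the shipped rule set, that implements the model described above: a function is a set of (action, permission) pairs, a risk is a pair of conflicting functions, and the rule set is the cross product of the two functions' pairs. It also runs the "compare" step from the user Maier figure (effective authorizations against the rules, with a mitigating-control status) and the preventive simulation that Compliant User Provisioning performs before a role is assigned. All transaction codes, authorization values, role names and the user are constructed for illustration.

```python
"""Toy SoD rule engine: Function = set of (action, permission) pairs,
Risk = pair of conflicting Functions, rule set = all cross combinations.
Added example; not SAP's code or rule set. All identifiers are constructed."""
from dataclasses import dataclass
from itertools import product

# Function: the actions (transaction codes) and permissions (authorization
# object + activity, simplified to one string) that perform one business task.
FUNCTIONS = {
    "AP01_MAINTAIN_VENDOR": {
        ("XK01", "F_LFA1_APP ACTVT=01"),
        ("XK02", "F_LFA1_APP ACTVT=02"),
        ("FK01", "F_LFA1_APP ACTVT=01"),
    },
    "AP02_PROCESS_PAYMENT": {
        ("F110", "F_REGU_BUK ACTVT=21"),
        ("F-53", "F_BKPF_BUK ACTVT=01"),
    },
    "GL01_POST_JOURNAL": {("FB01", "F_BKPF_BUK ACTVT=01")},
    "GL02_MAINTAIN_GL_MASTER": {("FS00", "F_SKA1_BUK ACTVT=01")},
}

# Risk: two Functions one person must not hold together (id -> A, B, rating, description).
RISKS = {
    "P001": ("AP01_MAINTAIN_VENDOR", "AP02_PROCESS_PAYMENT", "High",
             "Create a fictitious vendor and pay it"),
    "F001": ("GL01_POST_JOURNAL", "GL02_MAINTAIN_GL_MASTER", "Medium",
             "Create a G/L account and post to it unchecked"),
}

# Roles as assigned in the ERP (constructed; a real role carries far more values).
ROLES = {
    "Z_AP_VENDOR_MASTER": {("XK01", "F_LFA1_APP ACTVT=01"),
                           ("XK02", "F_LFA1_APP ACTVT=02")},
    "Z_AP_PAYMENT_RUN": {("F110", "F_REGU_BUK ACTVT=21")},
    "Z_GL_POSTING": {("FB01", "F_BKPF_BUK ACTVT=01")},
}


@dataclass(frozen=True)
class Rule:
    risk_id: str
    side_a: tuple  # (action, permission) taken from the first Function
    side_b: tuple  # (action, permission) taken from the second Function


def build_rules(functions=FUNCTIONS, risks=RISKS):
    """Expand each Risk into ALL cross combinations of action + permission
    between its two Functions: |A| x |B| rules per risk. This multiplication
    is what turns a few hundred risks into a rule set of many thousand rules."""
    rules = []
    for risk_id, (fn_a, fn_b, _rating, _desc) in risks.items():
        for a, b in product(sorted(functions[fn_a]), sorted(functions[fn_b])):
            rules.append(Rule(risk_id, a, b))
    return rules


def user_auths(role_names, roles=ROLES):
    """Effective authorizations of a user = union of all assigned roles."""
    auths = set()
    for name in role_names:
        auths |= roles[name]
    return auths


def analyze(auths, mitigated_risks=frozenset(), rules=None, risks=RISKS):
    """Compare effective authorizations with the rule set. A rule fires only
    when BOTH sides are held. Returns {risk_id: {"rating", "hits", "status"}}
    with hits = [(tcode_a, tcode_b), ...] and status 'open' or 'mitigated'
    (a documented mitigating control is assigned to this user for this risk)."""
    rules = build_rules() if rules is None else rules
    report = {}
    for rule in rules:
        if rule.side_a in auths and rule.side_b in auths:
            entry = report.setdefault(rule.risk_id, {
                "rating": risks[rule.risk_id][2], "hits": [], "status": "open"})
            entry["hits"].append((rule.side_a[0], rule.side_b[0]))
            if rule.risk_id in mitigated_risks:
                entry["status"] = "mitigated"
    return report


def simulate_request(current_roles, requested_role, mitigated_risks=frozenset()):
    """Preventive check run before provisioning: which open risks would the
    requested role introduce that the user does not already carry?"""
    before = analyze(user_auths(current_roles), mitigated_risks)
    after = analyze(user_auths(list(current_roles) + [requested_role]), mitigated_risks)
    return {r for r, e in after.items() if e["status"] == "open" and r not in before}


if __name__ == "__main__":
    print(f"{len(build_rules())} rules generated from {len(RISKS)} risks")
    maier = ["Z_AP_VENDOR_MASTER", "Z_AP_PAYMENT_RUN"]  # constructed user
    for risk_id, entry in analyze(user_auths(maier)).items():
        print(risk_id, entry["rating"], entry["status"], entry["hits"])
    print("request would add:", simulate_request(["Z_AP_VENDOR_MASTER"], "Z_AP_PAYMENT_RUN"))
```

Two design points are worth noting. A rule only fires when both the action and the permission on each side are held, so a user who has the transaction code but not the authorization object does not produce a false positive. And the simulation compares the report before and after the requested role, so an approver sees only the risks the request would newly introduce; a risk already covered by a mitigating control is reported as mitigated rather than blocking the request.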
Enterprise Role Management (Role Expert)
- Enterprise-wide role definition and maintenance with a built-in segregation-of-duties check
- Centralized role management against enterprise rules, with audit log; reduces the cost of role maintenance
- Compliant roles: role owner and manager approval via e-mail, escalation workflow, one-click preventive risk analysis (simulation), exception workflow through Compliance Calibrator
- Replaces role documentation kept in tables, forms, Word, Excel etc. with online risk analysis
- Firefighter IDs for emergency access; provisioning moves from manual handling by IT security and Basis to 100% automated provisioning

Roadmap: Q2 2007 (AC 5.2 SP3), Q3 2007 (AC 5.2 SP4), Q1 2008 (AC 5.3)
SAP GRC Process Control
- CONTROL: increase confidence in the effectiveness of your controls
- AUTOMATION: reduce cost without compromising compliance; reduced audit fees and testing costs; streamlined testing and remediation
- INSIGHT: effectively manage business, financial, and compliance performance
Process Control lifecycle: Prepare (scoping and set-up) -> Document (processes and controls) -> Assess (control design and effectiveness) -> Test (operating effectiveness, remediate issues) -> Management sign-off and auditor attestation (certification / internal control report)
Structure Definition
- Organizational hierarchy (n-tier): Region > Division/Legal Entity > Business Operation > Location/Operating Unit
- Account hierarchy: Significant Account > Assertions
- Process / Risk / Control hierarchy: Process > Sub process > Risks/Control Objectives > Controls > Assertions > Assessments
[Figure, repeated on the following slides: the Process Control cycle. Document (Process - Control - Objective - Risk) -> Test (automated controls, manual controls, assessments, across business processes and IT infrastructure) -> Monitor (review exceptions, remediate issues) -> Certify and Sign-off (Section 302, designs, ...)]

Signoff Flow
- Prioritizes remediation activities
- Provides management insight into the control environment

GRC Repository
- Rationalizes controls against multiple frameworks
- Links control documentation (management systems, reporting)
Dashboards and reports
- Role-based dashboards provide actionable insight into control status
- Global heat map highlights exceptions from all control tests and assessments
- Management-level reports highlight exceptions from all control tests and assessments
- Enterprise transparency across multi-instance and multi-platform environments
- All information is organized in tabs
- Survey Monitor tracks sign-off and assessment surveys
- Control Monitor provides summarized information over time
- Drill-down capability provides details of the cases and case priority for each report
Centralized Control Management
- One system for managing automated and manual controls
- System can manage financial controls, operational controls and IT controls
- Controls can be monitored across business processes, systems and IT infrastructure
- Improve controls with regular assessments
Automated Process Controls
- Example: Risk = manipulation of financial results; Objective = accurate financial reporting
- Detects global violations and prioritizes corrective action (automatic case generation)
- Delivered control content for application, change, IT Basis security and control checks, e.g. "Was pricing or exchange rates adjusted?", "Were shipments made without proper sales documents?" ...
Multiple Controls
- Streamlines manual controls and tests
- Provides manual test plans
- Documents evidence to support evaluation results
- Replaces today's paper-based documentation, surveys for completion and manual tests performed on verbal instructions
Self Assessment
- Flexible surveys to support design assessments and self-assessments
- Flexible survey creation, scheduling, and routing with e-mail notifications
- Handles assessments for process design, control design, entity levels, and more
- Reference information and instructions guide occasional users
Management by Exception
- Remediation case management
- Detects global exceptions and provides actionable insight into exceptions
- Automated prioritization focuses valuable resources on high-impact exceptions
- Automated routing and notification ensures nothing falls through the cracks
- Threaded discussion of resolution activities provides evidence for external auditors
- Resolution can be captured along with the case details for audit purposes
Management Certification
- Section 302 and 404 certification
- Business process review and approval
- Freeze key information that has been signed off
- Hierarchical, bottom-up progression

Sign-off hierarchy (example):
1. Each sub process owner signs off (AR Billing, AR Collections)
2. Process owner signs off (Order to Cash)
3. Lowest location signs off (US Finance)
4. Higher location signs off (US)
5. Corporate signer(s) sign off
6. CEO/CFO sign off (supports Section 302 certification)

Automated case management accelerates the remediation process.
Process Control architecture: Web Dynpro SAP application; BI pages for the portal; navigation content pages; analytics for object-level queries; sign-off; security builder
SAP GRC Risk Management
Part of the GRC Suite alongside Access Control, Process Control, GTS, other partner solutions and the GRC Repository; cross-industry solutions such as REA and xEM; external KRIs / content providers (SONA).
- Automatically identify risks
- Collaborative assessments for manual risk activities
- Prioritization using a risk heat map
- Qualitative & quantitative point and scenario analyses, done before and after response
- Workflow reminders for updates; prioritization for response investment; identifying shifts in the risk profile
- Spot risk interdependencies across finance, supply, sales, IT, ... (e.g. indirect global taxes, global correlation, new global suppliers)
- Enabling lines of business to effectively mitigate risks with best-practice response playbooks across strategy, planning and management
Summary: market leader, real-time prevention of risk, cross-system.
AGENDA
- Project Organization
- ERP Upgrades
- Change management
- SOX awareness/responsibility
Governance
Corporate Governance:
- Ethical corporate behavior together with management practices in the creation of wealth for all stakeholders
- Spells out the rules and procedures for making decisions on corporate affairs
IT Governance:
- Helps to ensure the alignment of IT and enterprise objectives
- Ensures IT resources are used responsibly and their risks are managed properly
Risk Management
Identify, classify, document and reduce risks to an acceptable level based on the value of the information resource to the organization.
Risk results from three parameters:
- Existence of a threat to a business process
- Likelihood of occurrence
- Impact on the business process
Compliance
Acting according to:
- National and international legal requirements: Sarbanes-Oxley Act (US), Data Protection Law (Germany), J-SOX (Japan) ...
- Corporate policies representing the corporate philosophy and the strategic thinking at a high level
- Low-level policies focusing on the operational layer
SAP GRC Access Control components
- Compliance Calibrator with Risk Terminator: critical transactions, SoD analysis, risk analysis engine
- Role Expert: role information, workflows for role approval
- Access Enforcer: access request and provisioning workflow
- Firefighter: emergency access

Installation
- Install and configure Compliance Calibrator with Risk Terminator first; Firefighter comes with the RTAs (real-time agents, + BC Sets)
- Later install and configure Access Enforcer and Role Expert

Implementation order: Compliance Calibrator with Risk Terminator -> Firefighter -> Access Enforcer -> Role Expert
Project Organization: implementation steps, grouped into three project phases
1. Risk Recognition
2. Rule Building and Validation
3. Analysis
4. Remediation
5. Mitigation
6. Continuous Compliance
Roles and Responsibilities
Business Process Owners:
- Identify risks and/or approve risks for monitoring
- Approve remediation involving user access
- Design controls for mitigating conflicts
- Communicate access assignments or role changes
- Perform proactive continuous compliance
Senior Officers:
- Approve/reject risks between business areas
- Approve mitigating controls for selected risks
Security Administrators and Technical Liaisons:
- Design and maintain rules to identify risk conditions
- Customize SAP GRC roles to enforce roles and responsibilities
- Analysis and remediation of SoD conflicts at role level
Step 1: RISK RECOGNITION
- Identify conflicts and approve exceptions
- Clarify and classify risk: high, medium, low
- Identify new risks and conditions for monitoring in the future
Example risk: gives someone the access to create a fictitious vendor and generate fraudulent payments to that vendor.
Step 2: RULE BUILDING AND VALIDATION
[Figure: rule set hierarchy, e.g. Rule Set A > Global > risks GL01, GL02]
Step 3: ANALYSIS
- Run analytical reports
- Estimate clean-up efforts
- Analyze roles and users
- Modify rules based on analysis
- Set alerts to distinguish executed risks

Step 4: REMEDIATION
- Determine alternatives for eliminating risks
- Present analysis and select corrective actions
- Document approval of corrective actions
- Modify or create roles or user assignments
Remediation Exercise
E.g. within a small office one person has to take over two roles within the business process, which causes an SoD conflict because the duties cannot be segregated. Where the conflict cannot be remediated by changing assignments, a mitigating control is required (step 5: Mitigation).
What is Firefighter?
Firefighter allows super users to perform emergency activities outside their normal role within a controlled and auditable environment.
- All activities of the user accessing the higher authorization privileges are logged and reported
- Firefighter generates an audit trail, which can be used to document the reasons for using higher access privileges
- The audit trail is required for SOX compliance
- Monitoring logs must be analysed promptly and regularly: an audit trail that nobody reviews does not control anything

Firefighter process: 1. Role Setup ... 3. Audit Log
Step 6: CONTINUOUS COMPLIANCE
- Communicate changes in roles and user assignments
- Simulate changes to roles and users before applying them
- Implement alerts to monitor for newly selected risks and for mitigating control testing
Access Enforcer: compliant end-to-end provisioning, hire to retire
Current approach (inefficient, not compliant): access request by e-mail -> manager approval by e-mail -> role owner (spreadsheets, paper forms) -> IT security (spreadsheets, paper forms) -> manual provisioning
With Access Enforcer: user access requests -> Access Enforcer -> user provisioning to SAP systems (Human Resources system, Financial system, CRM system)
If the auto-provisioning feature is configured to yes, the first six items can be automatically completed by AE. Otherwise the security approver must complete the provisioning in SAP manually.
Packaged Solutions

GRC Firefighter
- Value proposition: fast and cost-efficient way to implement GRC Firefighter, the compliant answer to SAP_ALL and other emergency accesses
- Project team: SAP + client
- Effort: 1 day technical consulting + 4 days consulting *)
- Duration: > 1 week
- Deliverables: installation of Firefighter on one development and one quality assurance system; basic configuration; know-how transfer (coaching); template FF; recommendations

GRC Access Enforcer
- Value proposition: fast and cost-efficient way to implement audit-proof access granting; building up in-house expertise using SAP expertise
- Project team: SAP + client
- Effort: 2 days technical consulting + 10 days consulting *)
- Duration: > 3 weeks
- Deliverables: installation of Access Enforcer on one development and one quality assurance system; basic configuration; know-how transfer (coaching); audit-proof workflow design (max. 2 workflows); create/change/delete 5 test users

*) plus client effort
Project setup
Phases: Project Setup -> Installation / Architecture -> Risk Recognition -> Rule Building and Validation -> Analysis -> Remediation & Mitigation -> Go-Live -> Project Closing
Involved: Steering Committee, Business Process Owners, Audit, Project Managers, Key Users
Involvement:
- Project Executive Sponsor: sponsorship + steering
- Project Steering Committee: once per month
- Customer Project Manager: high
(Min = on requirement; Medium = 1-2 days per week; High = 3-4 days per week)
SAP AG 2007, SAP Skills 2007 Conference / G3 / 143
Questions?
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be
changed without prior notice.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments,
and functionalities of the SAP product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this
document is subject to change and may be changed by SAP at any time without notice.