Enabling access management with SAP GRC

Turning risk into results
What we are seeing in the market
Driven primarily by the Sarbanes-Oxley Act of 2002, the last 10 years have seen a considerable increase in efforts to resolve audit issues associated with segregation of duties (SoD) and with sensitive and excessive access. As a result, many companies implemented GRC access management solutions such as SAP GRC Access Control. However, many of them focused on the short-term goal of audit remediation and so never achieved the full value of a GRC access management solution.
This is the right time to learn about opportunities to transform your access management program. Enabling an SAP GRC Access Control solution can help:
• Lower the cost of access management and related audit activities through centralization and automation
• Improve sustainability by centralizing and standardizing methodologies, processes and components
• Increase the effectiveness of access processes through integration with other SAP GRC modules and a focus on critical foundational components such as role design and organizational alignment

Our recent EY global information security survey of more than 1,700 senior information security
and IT leaders found that 46% of respondents ranked internal threats as a significant concern. Fully
deploying SAP GRC Access Control while focusing on improving access management fundamentals
will help address that risk while reducing cost and improving value.

What are the opportunities at your company?


Typical current state vs. mature state

Increasing complexity -> Simplified
  Current: multiple and manual access management processes.
  Mature: significant workflow automation in user access processes; integration with SAP GRC Process Control.

Reactive -> Proactive
  Current: fragmented, manual and ad hoc reporting; limited visibility to risks.
  Mature: mandatory SoD checks in the request process; dashboard-level reporting on the user access process, firefighter usage logs and real-time SoD reports, analytics and trending.

Consistent failures -> Compliant
  Current: high instances of access violations and failures.
  Mature: compliant SAP role design and standardized user access management processes; ability to improve audit activities.

Cost pressures -> Cost-efficient
  Current: manual and inconsistent processes lead to higher IT costs; significant impact on business activities.
  Mature: IT security operational efficiencies via SAP GRC automation and standardization; automation of access provisioning.

Inconsistent approach -> Consistent approach
  Current: inconsistent role design; inconsistent approach across business processes.
  Mature: globally standard roles across business processes and standard user access management processes for application systems.
SAP GRC Access Control can enable your risk agenda

The risk agenda ("Turning risk into results") has four parts:

Enhance risk strategy
• Improved alignment to the objectives and strategy of the business
• Improved visibility to the risks that matter most to the organization
• Proactive identification of risks
• Enhanced decision-making

Embed risk management
• Comprehensive and continuous risk management and monitoring
• Central management of financial, operational and compliance risks and controls across the organization

Improve controls and processes
• Better aligned risk coverage, including the identification of stronger, more pervasive controls
• Reduced level of effort associated with performing and testing controls
• Increased control and process efficiencies enabled through automation and continuous monitoring
• Improved control mix that addresses key business risks while driving process efficiencies

Optimize risk management functions
• Elimination of duplicate and fragmented risk management activities
• Increased integration and coordination among business, IT and compliance
• Sustainability of the risk management process
• Effective top-down and bottom-up reporting

Resulting in the following benefits (risk, value and cost):

• Increased integration and coordination among business, IT and compliance
• Real-time notification of potential access issues based on established business rules
• Sustainability of the access management process
• User-friendly reporting
• Reduced audit costs due to a reliable and automated access management environment
• Cost avoidance associated with audit failure
• Efficiencies associated with preparation and analysis of SoD reports
• Reduction in the number of manual controls required to be designed and operated to mitigate access-related issues
• Elimination of redundant and excessive access management procedures
• Streamlined access approval process
• Identification of access anomalies indicating possible fraudulent activities through alerts
• Continuous access control and SoD management and monitoring
• Enhanced visibility to access-related risk exposure at the enterprise level (i.e., cross-application, cross-business process)
• Super-user access management
• Early detection of potential access issues through scenario analysis before performing changes to user and role access
Next steps to improve your risk management landscape

• Rapid SAP access diagnostic: provides an accelerated current-state assessment of your SAP access processes and technology, allowing you to identify realizable value and develop a future-state road map to achieve it.
• SAP GRC demo: facilitates mapping of business requirements to SAP GRC functionality and can be used to develop an initial business case for implementing SAP GRC.
• EY SAP GRC Accelerated Analytics Workbench: a tool that presents SoD conflicts in a business-friendly format and helps identify key risks and pain points and determine initial remediation.
• SAP GRC demo environment: a demo environment for all the latest versions of the software, including SAP GRC 10.0 for Access Control, Process Control, Risk Management and Global Trade Services.
• SAP role design benchmarking: key metrics enabling an organization to compare its SAP role design against other companies and leading practices.
• EY RiskUniverse®: industry-specific risk universes, process-normative models and key business risks linked to application-specific controls that can be used to customize SAP GRC demos.

[Figure: two sample slides from an EY 2010 draft SAP role design benchmarking deliverable for an industrial client (footer: "Proprietary & Confidential – not for use or disclosure outside Industrial Client", "DRAFT – FOR DISCUSSION ONLY"). Only the text recoverable from the slides is kept here.]

Slide 1, "Design vs. Actual" SAP Roles Gap. Roles should be standardized and rationalized to better align with the client's business process design and organizational structure. The slide compares the leading-practice role design methodology, a 4-tier model with minimum overlap of t-codes between roles (typical number of roles shown for General Accounting), against the client's current General Accounting roles (number of "Z:FI" roles). Both sides are drawn as a parent role with children/derived roles.

Leading-practice tiers:
• Special access role (4-8): transactions restricted to a specific user (i.e., process interface exceptions, mass updates)
• Functional role (8-12): transactions which represent the execution of the job function
• Departmental role (1-2): transactions which everyone in the department will have access to (i.e., includes display-only roles)
• Basic role (1): transactions which everyone in the organization will have access to (i.e., printing functions, export/import functions)

Client current state: Job/function roles (58), Display roles (14), General role (1) (Z:ABC_GENERAL_USER).

Role names appearing on the slide as examples: A/P Processing; A/P Processing – Additional; A/R Credit Management Override Executing; A/R Credit Management Executing without VKM1, VKM2; Invoice IDOC Processing; Invoice IDOC Processing – For Project CC and Plants; Invoice IDOC Processing – For Stable CC and Plants; Post/Park Journal Entries; Park Journal Entries – For Project CC and Plants; Park Journal Entries – For Stable CC and Plants; A/R Reporting; A/R Customer Master Displaying; G/L Journal Entry Displaying; G/L Account Displaying; Financial Reporting General Display; Display Role (FLB1N); General User Role.

Slide 2, Industrial Client vs. Leading Practice Gap: bar chart of the number of parent/template roles (x-axis 0 to 160) per business area, three bars per area in legend order: client SAP roles mapped to the job functions document, client SAP roles not mapped to the job functions document, roles in comparable organizations. Values as read from the chart (mapped / not mapped / comparable):
• General Accounting ("FI/CO/AM/TR" roles): 29 / 107 / 20
• Supply Chain ("IM/WM/PP" roles): 25 / 43 / 24
• Order to Cash ("SD" roles): 15 / 22 / 22
• Procure to Pay ("MM" roles): 8 / 22 / 12
• Human Resources ("HR" roles): 7 / 12 / 10
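Three of the capabilities this page names, the mandatory SoD check in the request process, the scenario analysis run before a user or role change is made, and the "minimum overlap of t-codes between roles" rule behind the 4-tier role model, can be demonstrated with one small risk-analysis routine. The following is an added example written for this page, not EY's or SAP GRC's code. The t-codes are real SAP transactions (FK01/FK02/XK01 vendor master, FB60/MIRO vendor invoices, F110 payment run, FB03/FK03/MIR4 display), but the role names, the function definitions, the SoD rule IDs and the user request are constructed for illustration and do not reproduce SAP GRC Access Control's delivered rule set.

```python
"""SoD what-if check and role-overlap report (added example; see lead-in).

Not EY's or SAP GRC's code. The t-codes are real SAP transactions, but the
roles, the user, the function definitions and the SoD rules are constructed
for illustration and do not reproduce SAP GRC Access Control's delivered rule set.
"""
from itertools import combinations

# Constructed role catalog (hypothetical role names) laid out along the
# 4-tier model: basic, departmental (display-only), functional, special access.
ROLES = {
    "Z:GENERAL_USER": {"SP01", "SU53", "SMX"},                      # basic
    "Z:AP_DISPLAY": {"FK03", "FB03", "MIR4"},                        # departmental
    "Z:AP_INVOICE_PROCESSING": {"FB60", "MIRO", "FB03", "MIR4"},     # functional
    "Z:AP_INVOICE_PROCESSING_OLD": {"FB60", "MIRO", "FB03"},         # legacy duplicate
    "Z:VENDOR_MASTER_MAINT": {"FK01", "FK02", "XK01", "FK03"},       # functional
    "Z:PAYMENT_RUN": {"F110", "FB03"},                               # functional
    "Z:AP_MASS_UPDATE": {"FB60", "MIRO", "F110", "FK01", "FK02"},    # special access
}

# Constructed business functions: the t-codes that can perform each function.
FUNCTIONS = {
    "MAINTAIN_VENDOR_MASTER": {"FK01", "FK02", "XK01", "XK02"},
    "POST_VENDOR_INVOICE": {"FB60", "MIRO"},
    "EXECUTE_PAYMENT_RUN": {"F110"},
}

# Constructed SoD rules: pairs of functions one person must not hold together.
# Rule IDs are illustrative, not SAP GRC risk IDs.
SOD_RULES = {
    "X001": ("MAINTAIN_VENDOR_MASTER", "POST_VENDOR_INVOICE"),  # create vendor, invoice it
    "X002": ("POST_VENDOR_INVOICE", "EXECUTE_PAYMENT_RUN"),     # invoice and pay
    "X003": ("MAINTAIN_VENDOR_MASTER", "EXECUTE_PAYMENT_RUN"),  # redirect bank data, pay
}


def tcodes_for(roles):
    """Union of t-codes granted by a collection of roles."""
    granted = set()
    for role in roles:
        granted |= ROLES[role]
    return granted


def sod_violations(roles):
    """Map rule id -> (t-codes enabling side A, t-codes enabling side B)
    for every rule where both sides are reachable through the given roles."""
    granted = tcodes_for(roles)
    hits = {}
    for rule_id, (fn_a, fn_b) in SOD_RULES.items():
        side_a = granted & FUNCTIONS[fn_a]
        side_b = granted & FUNCTIONS[fn_b]
        if side_a and side_b:
            hits[rule_id] = (sorted(side_a), sorted(side_b))
    return hits


def simulate_request(current_roles, requested_roles):
    """What-if analysis for an access request: the SoD violations the user would
    have after approval that they do not have today. Display-only roles add
    no executable function and so never introduce a violation."""
    before = sod_violations(current_roles)
    after = sod_violations(list(current_roles) + list(requested_roles))
    return {rid: hit for rid, hit in after.items() if rid not in before}


def intra_role_violations():
    """Roles that violate SoD by themselves. Per-user mitigation cannot fix
    these; the role design (or firefighter-style controlled use) has to."""
    return {role: sod_violations([role]) for role in ROLES if sod_violations([role])}


def role_overlap(threshold=0.5):
    """Pairs of roles whose t-code sets overlap at or above a Jaccard threshold,
    i.e. candidates for rationalization under the 'minimum overlap' rule."""
    pairs = []
    for r1, r2 in combinations(sorted(ROLES), 2):
        s1, s2 = ROLES[r1], ROLES[r2]
        jaccard = len(s1 & s2) / len(s1 | s2)
        if jaccard >= threshold:
            pairs.append((r1, r2, round(jaccard, 2)))
    return pairs


if __name__ == "__main__":
    user_roles = ["Z:GENERAL_USER", "Z:AP_INVOICE_PROCESSING"]
    print("request Z:PAYMENT_RUN ->", simulate_request(user_roles, ["Z:PAYMENT_RUN"]))
    print("request Z:AP_DISPLAY  ->", simulate_request(user_roles, ["Z:AP_DISPLAY"]))
    print("roles violating SoD on their own:", intra_role_violations())
    print("role pairs with >= 50% t-code overlap:", role_overlap())
```

Two design points matter in practice. First, the request check reports only the violations the request would add, so a user who is already in conflict is not blocked from an unrelated role while the existing conflict is handled separately. Second, a role that conflicts with itself (here the constructed mass-update role) can never be cleaned up with per-user mitigations; it has to be redesigned or confined to controlled, logged special access, which is what the page's "special access role" tier and firefighter logs are for.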

Why EY?
• Industry-specific content and enablers
• Global and flexible approach with a focus on SAP GRC
• Diagnostics and leverage models
• Knowledgeable team with practical experience in process, risk and technology disciplines

Our services
• Rapid GRC technology diagnostic
• Leading-practice assessment
• GRC technology vendor selection
• Service delivery model design and key performance indicators
• GRC technology implementation and assessments
• Risk transformation enabled by GRC technology

EY | Assurance | Tax | Transactions | Advisory

About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2014 EYGM Limited. All Rights Reserved.
EYG/OC/FEA no. XX0000
1403-1222661 EC
ED 0115

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

ey.com