Sap Solutions For Governance Risk And Compliance And Grc Access Control 3 doc

146 769 0

Đang tải... (xem toàn văn)

Tài liệu hạn chế xem trước, để xem đầy đủ mời bạn chọn Tải xuống

DOCUMENT INFORMATION

Basic information

Title: Sap Solutions For Governance Risk And Compliance And Grc Access Control 3 doc
Authors: Rainer Salaw, Barbara Mayer
Institution: SAP Deutschland AG & Co KG
Field: Governance, Risk, and Compliance
Type: report
Year of publication: 2007
City: Walldorf
Pages: 146
Size: 6.42 MB


Contents


Page 1

SAP ERP Financials
SAP Solutions for Governance, Risk, and Compliance and SAP GRC Access Control

Rainer Salaw, CPA
SAP Deutschland AG & Co KG
Regional Solution Sales GRC, EMEA

Barbara Mayer
Enterprise Risk Management, SAP Consulting


Page 3

AGENDA
- GRC as part of SAP Financials
- Challenge for GRC
- GRC-Suite in detail
- Value proposition


Page 5

About SAP GRC Access Control
Gartner "Strong Positive"

- SAP is the only vendor with a "Gartner recommends" rating in all technique categories (static analysis, provisioning support, integrated provisioning workflow, transaction monitoring and emergency access)
- "… offers one of the strongest product sets in our analysis, comprehensively addressing all SoD issues across multiple SAP instances."
- "… capable of running on multiple ERP platforms …"

1 Gartner, MarketScope for Segregation of Duties Controls Within ERP, 2007

[Figure: Gartner rating scale (Strong Negative … Positive), SAP marked Strong Positive]

Page 6

mySAP ERP Financials
- Corporate Performance Management (CPM)
- Accounting & Finance Transformation
- Financial Supply Chain Management (FSCM)
- Governance, Risk, and Compliance (GRC): internal regulations / ethical standards; strategic/operative risks; external regulations / compliance to laws


Page 8

Business Case: "… the True Information Age"

"In 2010 the need for fast, accurate and reliable information will be increased significantly. In four areas the demand will be raised most. Two of them are:
- Risk Management
- Governance"

Page 9

Fragmented Processes and Systems: A Risky Situation!

- Supply Chain
- Customers & Channel
- Human Resource: environmental health & safety
- Finance: complex, international compliance requirements (e.g. revenue recognition)
- Compliance / Risk Office: high level risks, not proactive
- Credit risks, customer ratings
- Supervisory board, internal audit: almost manual, sample based, not error free controls

Page 10

Gain Confidence by Proactive Transparency with SAP GRC

- Supply Chain
- Customers & Channel
- Supervisory board, internal audit: documented decisions, audit trail
- Compliance / Risk Office: real time risk analysis
- Human Resource: compliance to environmental standards
- Sales: transparent customer solvency

Page 11

Fragmentation vs. Holistic Approach to GRC

From fragmented risk & compliance … (Audit, Information Security, Risk Mgmt, Compliance, SOX, Internal Audit)

… to a holistic approach:
- Business Process Platform
- SAP Solutions for GRC
- Cross-Industry GRC: Access Controls, Global Trade, Environment, Process Controls, Risk Management
- GRC Repository: Documentation and Monitoring

Page 12

GRC Suite: Functions for All Process Orientated Risks and Regulations
- Access Control
- Risk Management
- Process Control
- Environment, Health & Safety (EH&S)
- … more solutions

Page 13

GRC Suite: Functions for All Process Orientated Risks and Regulations
- Access Control (SAP GRC Access Control): Risk Analysis and Remediation; Enterprise Role Management; Compliant User Provisioning; Super User Privilege Management
- Risk Management
- Process Control
- GRC-Repository
- Global Trade Services (GTS)
- Environment, Health & Safety (EH&S)
- … more solutions

Page 14

SAP Solutions for GRC: Framework for an integrated GRC-Solution

- Business Process Platform (e.g. automatic controls)
- Group-wide utilization, open architecture (usage of SAP's technology platform -> no limitation to SAP-ERP systems)
- SAP GRC Access Controls

Page 15

Influence Councils:
- Corporate Policies & Best Practices
- Control Frameworks (COSO, COBIT)
- Advisory Services (Auditors, Attorneys)
- Internal Policies
- Governmental Agencies

- Enforces governance for the entire enterprise


Page 17

How Does GRC Support You?

Identification of all kinds of risks (group wide)
- Segregation of duties risks

Transparency and Remediation
Define appropriate actions for identified risks:
- Eliminate risks by segregation of duties (-> remove authorizations, redesign processes)
- Minimize risks by defining appropriate mitigation controls
- Maximize risk awareness (-> transparency, continuous monitoring, escalation, mitigation, remediation)

Governance & Compliance
- Rules of Business Conduct, Ethical standards, Governance rules


Page 19

SAP GRC Access Control

Sustainable Prevention of Segregation of Duties Violations
- Cross-enterprise library of best practice segregation of duties rules
- Compliant User Provisioning: prevent SoD violations at run time
- Superuser Privilege Management: close #1 audit issue with temporary emergency access
- Periodic Access Review and Audit: focus on remaining challenges during recurring audits
(Stay in Control) (Stay Clean)

Risk analysis, remediation and prevention services
- Enterprise Role Management: enforce SoD compliance at design time

Effective Management Oversight and Audit
Access Controls: SAP GRC Access Control

Page 20

Risk Analysis and Remediation: Getting Clean

- Risk Identification
- Reporting
- Risk Elimination
- Prevention
- End-to-End Automation

Initial Risk Analysis and Remediation facilitates collaboration between Business and IT to clean up access risks.

"The clean-up process has brought a tremendous degree of discipline to the way we think about and manage user access and authorizations."
Deepak Mehrotra, SOX Compliance Manager, Synopsys Inc.

Page 21

[Figure: segregation of duties example; one user holding both "Maintain vendor master data" and "Authorization: Initiate payment" (purchasing)]

Page 23

[Figure: ERP 2005, PLAN vs. ACTUAL]

Page 25

SAP GRC Access Control: Risk Analysis and Remediation Functionality

- GRC Access Control content covers more than 200 risks
- Risk analysis, detection and remediation of SoD violations in access control and authorization management
- Critical transaction or authorization objects

Page 26

[Figure: cross-system rule matrix, System 2: Transaction 2 … System 2: Transaction m, …, System m: Transaction 2 … System m: Transaction m; 180,000 rules]

Page 27

Architecture – Automatic Rule Generation

Risk 1 = Function A + Function B
- Function A: Action 1 + Permission 1; Action 2 + Permission 2; Action 3 + Permission 3
- Function B: Action 4 + Permission 4; Action 5 + Permission 5; Action 6 + Permission 6
- Action 10 + Permission 10; Action 11 + Permission 11; Action 12 + Permission 12

ALL cross combinations -> Risk Rule 1, Risk Rule 2, Risk Rule 3, …, Risk Rule "n"
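The rule-generation architecture above, as an added Python example that is not SAP's code and not part of the original deck: a risk is a pair of conflicting functions, each a list of action + permission pairs; every cross combination becomes one rule, and a user's authorizations are then checked against the rules, with risks covered by a mitigation control (the "minimize risks" option from the GRC slide) reported separately. The risk ID, user list, transaction codes and authorization objects are constructed for illustration.

```python
"""Added example, not SAP code: SoD rule generation as on the slide (Risk =
Function A x Function B, rules are ALL cross combinations of the functions'
action + permission pairs) plus the analysis of a user's authorizations."""
from itertools import product
from typing import Dict, FrozenSet, Iterable, List, NamedTuple, Tuple

Auth = Tuple[str, str]  # (action, permission), here (transaction code, authorization object)

class Rule(NamedTuple):
    risk: str
    rule_id: str
    side_a: Auth  # action + permission taken from the first function
    side_b: Auth  # action + permission taken from the second function

def generate_rules(risk: str, func_a: Iterable[Auth], func_b: Iterable[Auth]) -> List[Rule]:
    """One rule per cross combination of the two conflicting functions."""
    return [Rule(risk, f"{risk}-{i:03d}", a, b)
            for i, (a, b) in enumerate(product(func_a, func_b), start=1)]

def analyze_user(user_auth: Iterable[Auth], rules: Iterable[Rule],
                 mitigated: FrozenSet[str] = frozenset()) -> Dict[str, List[Rule]]:
    """A rule fires when the user holds both sides. Risks covered by a mitigation
    control are reported separately so they do not count as open violations."""
    held = set(user_auth)
    hits = [r for r in rules if r.side_a in held and r.side_b in held]
    return {"open": [r for r in hits if r.risk not in mitigated],
            "mitigated": [r for r in hits if r.risk in mitigated]}

# Constructed data for the slide's own example: maintaining vendor master data
# combined with initiating payments. Codes and auth objects are illustrative only.
MAINTAIN_VENDOR = [("XK01", "F_LFA1_APP"), ("XK02", "F_LFA1_APP"), ("FK02", "F_LFA1_APP")]
INITIATE_PAYMENT = [("F110", "F_REGU_BUK"), ("F-53", "F_BKPF_BUK")]
RULES_P001 = generate_rules("P001", MAINTAIN_VENDOR, INITIATE_PAYMENT)  # 3 x 2 = 6 rules

# Constructed user authorizations, as they would be extracted from role assignments.
USERS = {
    "MAIER": {("XK02", "F_LFA1_APP"), ("F110", "F_REGU_BUK"), ("ME21N", "M_BEST_BSA")},
    "SCHMIDT": {("XK01", "F_LFA1_APP"), ("XK02", "F_LFA1_APP")},
}

def open_violations(users=USERS, rules=RULES_P001,
                    mitigated: FrozenSet[str] = frozenset()) -> Dict[str, int]:
    """Number of open (unmitigated) rule hits per user."""
    return {u: len(analyze_user(a, rules, mitigated)["open"]) for u, a in users.items()}

if __name__ == "__main__":
    print(len(RULES_P001), "rules generated")
    for user, n in open_violations().items():
        print(user, "open violations:", n)
```

Holding only one side of a risk (SCHMIDT) yields no hit; the rule count grows as the product of the functions' sizes, which is why a full rule set reaches the six-figure counts quoted on the previous slide.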

Page 28

SAP GRC Access Control: Risk Analysis and Remediation Functionality

Page 30

Enterprise Role Definition
Enables Enterprise Role Definition and Maintenance in a Single Location

- Centralized Role Management
- 28% time savings in role management
- Compliant enterprise roles
- Enterprise-wide segregation of duties check

Page 31

SAP GRC Access Control: Enterprise Role Management

Page 32

Typical Challenges …
- Too many users have SAP_ALL
- No activity monitoring, no audit trail
- No time limitation for SAP_ALL users
- No clear responsibility for SAP_ALL authorizations
- Smart emergency situation management
- No clear workflow in case of emergency!

Page 33

SAP GRC Superuser Privilege Management

User "Maier" is assigned multiple FireFighter IDs: FireFighter ID FICO, FireFighter ID MM, FireFighter ID SD, FireFighter ID Basis
- Start Transaction FireFighter
- Log off as FireFighter
- Multiple usage of FireFighters (e.g. year end closing activities, substitution activities, design of new roles, and many more …)
- Multiple FireFighters are assigned to user "Maier"
- All FireFighter activities are recorded in detail in a log file

Page 35

SAP GRC Access Controls: Compliant User Provisioning

Workflow process in Access Enforcer:
- Access Request: request generated, 100% automated (HR event: employee hired/retired; via e-mail)
- Manager Approval: path workflow based on request type and user attributes; escalation workflow
- Risk analysis: one-click preventive simulation (Compliance Calibrator); exception workflow
- Role Owner
- Automated provisioning: 100% automated

Page 37

SAP GRC Access Control 5.3
- SAP GRC Access Control branding and single launchpad for all 4 access control capabilities
- SOD Rules for Oracle, JDE and PeopleSoft

Q2 2007 (AC 5.2 SP3)

Superuser privilege management (formerly known as Virsa Firefighter for SAP)
- Change Log / Self Auditing
- Audit trail for configuration changes
- Write log report to designated file server
- Web report enhancements
- Report filter variant
- Report for "All" systems
- Retrieve change log from CDHDR table for performance improvement
- Assign multiple FF owners to one FF ID

Enterprise role management (formerly known as Virsa Role Expert)
- Close RE 4.0 gaps
- Additional reports: search roles; single composite role relationship; list role & transactions
- More detailed role change history: role authorization changes at object field level; view PFCG change log
- Generate roles for multiple systems
- Risk simulation for combined roles and existing user simulation at role design time
- Enforce naming convention according to policy

- Compliant provisioning for SAP EP,
- Compliant provisioning for Oracle, PeopleSoft and JDE (Greenlight)
- HR triggers for PeopleSoft
- Password resets for ORCL, PSFT, JDE
- Close AE.net & SAFE gaps
- Authoritative User Sources: integration with multiple LDAPs and SAP HR for user data source
- Reporting and reporting enhancements: User Access Reviews (Manager / User Reaffirm); cross system risk analysis / simulation; supporting multiple CUAs; full support for all SU01 fields
- Misc.: form customization; import/export of configuration data

Risk analysis and remediation (formerly known as Virsa Compliance Calibrator)
- Risk analysis for SAP Enterprise Portal and UME
- Close critical CC 4.0 * & SAFE gaps
- BI Integration for custom reporting
- Reporting / reporting enhancements: additional auditor, business manager and IT reports; SOD management by exception (Integration w/
- Concurrent Risk Analysis: batch mode risk analysis; improved memory mgmt

Access Control 5.2 SP4
- Web Services for IDM integration (official and stable API for partners)
- Fix for connector limit in Compliance Calibrator

Q3 2007 (AC 5.2 SP4)

* Note: This release will not include granular security and logging requirements in the next release

Page 38

SAP Solutions for GRC: Framework for an Integrated GRC-Solution
- Business Process Platform
- Business Applications
- Business Process
- SAP GRC Access Controls

Page 39

SAP Addresses the Needs of Multiple Stakeholders

Business Executives / Business Process Managers, concerns:
- Controls in place
- Controls working effectively
- Risks correctly identified
- Response to control deficiencies

Virsa Support, concerns:
- Identify & implement compliance systems
- Fit with IT infrastructure
- Transfer accountability to business
- Prevent risk from entering systems

Page 40

Benefits of Using an Integrated Control System

- AUTOMATION: reduce cost without compromising compliance
- INSIGHT: effectively manage business, financial, and compliance performance
- CONTROL: increase confidence in the effectiveness of your controls
- 100% testing of all data all the time

Page 41

Phases: Scoping and Set-Up; Document Processes and Controls; Assess Control Design and Remediate Issues; Test Operating Effectiveness; Attest and Report / Sign-Off, Prepare Certification / Internal Control Report

Scoping and Set-Up
- … to organizations

Document Processes and Controls
- Organization-specific control documentation
- Documentation of testing procedures
- Documentation of entity-level controls
- Setup of automated control testing and monitoring

Assess Control Design and Remediate Issues
- Control and process design assessments via surveys
- Entity-level control assessments via surveys
- Identification of issues
- Validation of assessments
- Remediation of issues
- Progress tracking and analysis

Test Operating Effectiveness
- Documentation of testing results
- Documentation of continuous control monitoring
- Identification of issues
- Remediation and retest of issues
- Progress tracking and analysis

Attest and Report
- Management reports
- Workflow-triggered sign-off supporting 404 reporting / 302 certification

Continuous Control Monitoring

Page 42

- Analytics
- Work List
- Organization Hierarchy
- Account Groups / Assertions
- Process Hierarchy
- Control Objective Catalog
- Entity-Level Controls Hierarchy
- Assessment Surveys: Question Library, Survey Library
- Manual Tests: Test Plans
- Automated Testing: Rules, Queries
- Scheduling
- Evaluation Work List
- Compliance …ments

Page 43

PC 2.5 Innovation: Information Architecture and Organization Hierarchy
Improved productivity with new work center-based design approach

Page 44

Information model elements: Significant Account; Remediation Case; Control Tests (Manual/Auto); Controls; Risks/Control Objectives; Groups

Page 45

SAP GRC Process Control – Convergence of Controls
Process Management and Continuous Controls Monitoring
- Single solution for end-to-end enterprise control management
- Provides centralized control management for automated and manual controls
- Enables management by exception

[Figure: assessment survey screenshot with checked items]

Page 46

Perform Assessments

[Figure: SURVEY screenshot with Yes/No questions]

Enterprise Control Management: GRC Repository
- Rationalizes controls against multiple frameworks
- Links control documentation to manual and automated control tests
- Provides a flexible organization hierarchy
- Flexible integration framework for document management systems
- Single source of truth for reporting

Page 47

Actionable Intelligence from Compliance Analytics

Page 48

SAP GRC Process Control – Dashboard
- Control Execution Monitor provides latest information on deficiencies
- Control Monitor provides summarized information over time
- Inbox provides quick access to cases and tasks
- Survey Monitor tracks sign-off and assessment surveys
- All information is organized in tabs

Page 49

Management Reports with Drill-Down
Drill-down capability provides details of the cases and case priority for each report

Posted on: 05/03/2014, 19:20
