
Governance, Risk, and Compliance Trends and Techniques in Higher Education

Sherry Amos
Director, Industry Strategy, SAP
Craig Kennedy
Executive Solution Engineer, SAP
Craig Weisiger
SAP Security Analyst, Baylor College of Medicine

Governance, Risk, and Compliance Trends


Sherry Amos
Director, Industry Strategy, SAP

GRC in Detail
Craig Kennedy
Solution Engineer, SAP

Context: What does SAP do?

[Figure: SAP ERP on top of SAP NetWeaver]
SAP ERP: Student Lifecycle; Financials; Human Capital Management; Supply Chain; Facilities; Analytics
SAP NetWeaver layers:
- People Integration: Portal; Collaboration; Multi channel access
- Information Integration: Bus. Intelligence; Knowledge Mgmt; Master Data Mgmt
- Process Integration: Integration Broker; Business Process Mgmt
- Application Platform: J2EE; ABAP; DB and OS Abstraction
- Life Cycle Mgmt; Composite Application Framework

SAP NetWeaver provides SAP ERP with a comprehensive integration platform:
- integrated out of the box
- delivers the foundation to serve all ERP applications
- Business Process Platform (ESOA) built to extend mySAP ERP and to integrate non-SAP systems

SAP Solutions for GRC

Providing the framework for an integrated approach to GRC

[Figure: SAP solutions for GRC]
Industries: Life Sciences; Oil & Gas; Chemicals; Utilities; High Tech
Approach: Standardize components; Automate processes; Embed in processes
Dimensions: Risk; Compliance & Controls; Governance
Solutions: Enterprise Risk Management; Access Control; Process Control; Global Trade; Environmental; GRC Composites; Corporate Sustainability Management
Foundation: GRC Repository; ESOA Platform; SONA; Business Applications and IT Infrastructure

SAP AG 2007, EDUCAUSE 2007

SAP Solutions for GRC

Access Control
Process Control
Repository
Global Trade Services
Applications for EH&S Compliance Management
Risk Management
Questions

SAP GRC Access Control

Sustainable prevention of segregation of duties violations

Minimal Time To Compliance (Get Clean)
- Risk Identification and Remediation: rapid, cost-effective and comprehensive initial clean-up

Continuous Access Management (Stay Clean)
- Enterprise Role Management: enforce SoD compliance at design time
- Compliant User Provisioning: prevent SoD violations at run time
- Superuser Privilege Management: close #1 audit issue with temporary emergency access

Effective Management Oversight and Audit (Stay in Control)
- Periodic Access Review and Audit: focus on remaining challenges during recurring audits

Foundation for all three phases:
- Risk analysis, remediation and prevention services
- Cross-enterprise library of best practice segregation of duties rules

Real-time Compliance 24 x 7

[Figure: Access Control traces a user's access from role assignment down to authorization objects]
Columns shown: User; Composite Role (C1, C2, C3); Single Role (S1 to S5) / Derived Role; T-Code; Object
Transaction codes shown: FB05, MIGO, MB1A, SU01, F-29, FK01, MB21, MB01, FK02
Authorization objects shown: F_BKPF_GSB, F_BKPF_BUP, F_BKPF_BUK, F_BKPF_KOA, M_MSEG_BWA, M_MSEG_LGO, M_MSEG_BWE, M_MRES_BWA, S_TCODE

Risk Analysis and Remediation (aka Compliance Calibrator)

Getting clean

Initial Risk Analysis and Remediation: Risk Identification, Risk Elimination, Prevention, supported by End-to-End Automation and Reporting

Facilitates collaboration between Business and IT to clean up access risks

"The clean-up process has brought a tremendous degree of discipline to the way we think about and manage user access and authorizations."
Synopsys Inc.

Enterprise Role Definition (aka Role Expert)

Enables enterprise role definition and maintenance in a single location

Centralized Role Management
[Figure: SAP GRC Access Control applies Enterprise Rules and an Audit log to roles across applications, producing compliant enterprise roles]

- Reduce cost of role maintenance
- Ease compliance and avoid authorization risk
- Eliminate errors and enforce best practices
- Assure audit-ready traceability and security checks

28% time savings in role management
Customer Survey, 3/2006

Compliant User Provisioning (aka Access Enforcer)

Enables compliant end-to-end provisioning hire to retire

Compliant provisioning with dynamic workflow:
1) HR event: employee hired/retired, request generated (100% automated)
2) Path workflow based on request type and user attributes
3) Mgr approval via e-mail, with one-click preventive simulation (risk analysis); exception workflow and escalation workflow where needed
4) Automated provisioning (100% automated)

- Reduce cost of user administration
- Improve productivity of end users
- Embed cross-enterprise preventive compliance in business process
- Provide auditable tracking for auditors

"We reduced provisioning from 2 weeks to 2 days"
Rockwell Collins
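The risk analysis and one-click preventive simulation described on the Access Control slides, as an added example: this is not SAP's code nor the logic of Compliance Calibrator or Access Enforcer. A user's composite roles are expanded to single roles and transaction codes, the resulting set is checked against a segregation-of-duties rule library, and a provisioning request is simulated before approval so that only the new, unmitigated conflicts are reported. The role names and tcodes are those on the Real-time Compliance figure above; the role-to-tcode mapping, the business-function groupings, the rule ids and the mitigation control are constructed for illustration.

```python
# Added example: simplified SoD risk analysis with preventive simulation.
# Role and tcode names come from the slide; every mapping below is constructed.

# Single roles -> transaction codes they grant (constructed mapping)
SINGLE_ROLES = {
    "S1": {"FB05"},
    "S2": {"MIGO", "MB1A"},
    "S3": {"SU01", "F-29"},
    "S4": {"FK01", "MB21"},
    "S5": {"MB01", "FK02"},
}

# Composite roles -> single roles they bundle (constructed mapping)
COMPOSITE_ROLES = {
    "C1": {"S1", "S2"},
    "C2": {"S3", "S4"},
    "C3": {"S5"},
}

# Business functions as sets of tcodes (constructed; a real rule library is far larger)
FUNCTIONS = {
    "VENDOR_MASTER": {"FK01", "FK02"},
    "AP_POSTING": {"FB05", "F-29"},
    "GOODS_MOVEMENT": {"MIGO", "MB1A", "MB01"},
    "USER_ADMIN": {"SU01"},
}

# SoD rules: (rule id, function A, function B, risk level); holding both A and B is a conflict
RULES = [
    ("SOD-001", "VENDOR_MASTER", "AP_POSTING", "High"),
    ("SOD-002", "GOODS_MOVEMENT", "AP_POSTING", "Medium"),
    ("SOD-003", "USER_ADMIN", "VENDOR_MASTER", "High"),
]


def resolve_tcodes(roles):
    """Expand composite and single role assignments to the set of executable tcodes."""
    tcodes = set()
    for role in roles:
        for single in COMPOSITE_ROLES.get(role, {role}):
            tcodes |= SINGLE_ROLES.get(single, set())
    return tcodes


def analyze(tcodes, mitigated=frozenset()):
    """Return SoD violations for a tcode set, skipping rules covered by a mitigation control.

    Each violation is (rule id, risk level, tcodes hitting function A, tcodes hitting function B).
    """
    violations = []
    for rule_id, func_a, func_b, level in RULES:
        hits_a = tcodes & FUNCTIONS[func_a]
        hits_b = tcodes & FUNCTIONS[func_b]
        if hits_a and hits_b and rule_id not in mitigated:
            violations.append((rule_id, level, sorted(hits_a), sorted(hits_b)))
    return violations


def analyze_user(roles, mitigated=frozenset()):
    """Risk analysis for one user's current role assignments."""
    return analyze(resolve_tcodes(roles), mitigated)


def simulate_request(current_roles, requested_roles, mitigated=frozenset()):
    """Preventive simulation at approval time: report only violations the request would ADD."""
    existing = {v[0] for v in analyze_user(current_roles, mitigated)}
    after = analyze_user(set(current_roles) | set(requested_roles), mitigated)
    return [v for v in after if v[0] not in existing]


if __name__ == "__main__":
    # Constructed sample users
    print("C2 user:", analyze_user({"C2"}))
    print("Request C3 for a C1 user:", simulate_request({"C1"}, {"C3"}))
    print("Same request with SOD-001 mitigated:",
          simulate_request({"C1"}, {"C3"}, mitigated={"SOD-001"}))
```

The simulation deliberately reports only conflicts the request introduces; pre-existing violations belong to the clean-up and periodic review processes, not to the approver of a single request. A mitigation control suppresses the rule for that user only because someone has documented a compensating control and accepted the residual risk, which is the responsibility shift to business units that the Baylor slides describe.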

Superuser Privilege Management (aka Firefighter)

Enables compliance-focused emergency access for SAP

Compliant super user access
[Figure: a super user starts a new session under a Firecall ID (labels shown: SD, MM, FICO, SAP_ALL); every session produces a log]

- Preassigned firefighter IDs
- Access restrictions
- Validity dates
- Field-level changes tracked in audit log

- Close #1 open audit issue
- Avoid business obstructions with faster emergency response
- Reduce audit time
- Reduce time to perform critical tasks

"Super users and auditors love it"
Lincoln Electric
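The four controls on the Firefighter slide (preassigned IDs, access restrictions, validity dates, field-level audit log), as an added example of how an emergency-access session can be modelled; this is not SAP's Firefighter code. The Firecall IDs, user names, validity windows, allowed tcodes, session id format and timestamps are all constructed assumptions.

```python
# Added example: a minimal firefighter (emergency access) session model.
# IDs, users, areas, validity dates and tcodes are constructed for illustration.
from datetime import datetime


class FirefighterError(Exception):
    """Raised when a checkout is not permitted."""


# Firecall ID catalog (constructed): area, validity window, and the tcodes the ID may run
FIRECALL_IDS = {
    "FF_FICO": {"area": "FICO", "valid_from": datetime(2007, 1, 1),
                "valid_to": datetime(2007, 12, 31), "allowed": {"FB05", "FK02"}},
    "FF_MM": {"area": "MM", "valid_from": datetime(2007, 1, 1),
              "valid_to": datetime(2007, 6, 30), "allowed": {"MIGO", "MB01"}},
}

# Preassignment: named users allowed to check out each Firecall ID (constructed)
PREASSIGNED = {"FF_FICO": {"alice"}, "FF_MM": {"bob"}}

# Central audit log; every checkout attempt and every transaction lands here
AUDIT_LOG = []


def can_checkout(user, ff_id, now):
    """Apply the preassignment and validity-date restrictions; returns (ok, reason).

    `now` is an ISO 8601 timestamp string, e.g. "2007-03-15T09:00:00".
    """
    if ff_id not in FIRECALL_IDS:
        return False, "unknown firefighter ID"
    if user not in PREASSIGNED.get(ff_id, set()):
        return False, "user not preassigned to this ID"
    cfg = FIRECALL_IDS[ff_id]
    if not (cfg["valid_from"] <= datetime.fromisoformat(now) <= cfg["valid_to"]):
        return False, "ID outside its validity dates"
    return True, "ok"


def checkout(user, ff_id, reason, now):
    """Open a firefighter session, or log and refuse the attempt."""
    ok, why = can_checkout(user, ff_id, now)
    if not ok:
        AUDIT_LOG.append({"type": "DENIED", "user": user, "ff_id": ff_id,
                          "reason": why, "time": now})
        raise FirefighterError(why)
    session_id = f"{ff_id}-{now}"  # constructed id format
    AUDIT_LOG.append({"type": "CHECKOUT", "session": session_id, "user": user,
                      "ff_id": ff_id, "reason": reason, "time": now})
    return {"id": session_id, "user": user, "ff_id": ff_id}


def execute(session, tcode, field_changes, now):
    """Record a transaction run in the session; refuse (but still log) tcodes outside the ID's restrictions."""
    allowed = tcode in FIRECALL_IDS[session["ff_id"]]["allowed"]
    AUDIT_LOG.append({"type": "ACTION", "session": session["id"], "user": session["user"],
                      "tcode": tcode, "allowed": allowed,
                      "field_changes": dict(field_changes), "time": now})
    return allowed


def session_report(session_id):
    """What a reviewer sees afterwards: every transaction and field-level change in one session."""
    return [e for e in AUDIT_LOG if e["type"] == "ACTION" and e["session"] == session_id]


if __name__ == "__main__":
    s = checkout("alice", "FF_FICO", "month-end posting failure", "2007-03-15T09:00:00")
    execute(s, "FK02", {"vendor": "100042", "bank_account": "old -> new"}, "2007-03-15T09:05:00")
    execute(s, "SU01", {}, "2007-03-15T09:06:00")  # refused: not within FF_FICO's restrictions
    for entry in session_report(s["id"]):
        print(entry)
```

The point of logging refused transactions as well as allowed ones is that the reviewer of a session should see what the super user tried to do, not only what succeeded; the one-to-one mapping of Firefighter accounts to users that the Baylor slides mention is what makes every log entry attributable to a named person.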

Management Oversight
Periodic Access Reviews

Management by exception:
- Review User Provisioning
- Review Emergency Access
- Management Review: Review Policy; Review Potential Risks; Review Actual Risks

- Automated, pre-built access controls reporting
- Review of roles, users and mitigation controls

"The SAP applications not only help ensure good governance and compliance, they also reduce the effort involved so that our people can focus more on the business."
Xerox Europe

Audit

Comprehensive and efficient auditing

Internal Audit:
1) Validate via sampling that changes to access were appropriately authorized
2) Validate that segregation of duties risks are appropriately mitigated on a sample basis

- Equips internal and external auditors to complete comprehensive and efficient testing
- Saves audit and audit-related fees

"[Our audit firm] agreed to use the SAP GRC Access Control reports in the audit as evidence for control effectiveness. We saved very significantly on time and money spent on external audit fees."
Synopsys, Inc.

GRC at Baylor College of Medicine

Craig Weisiger
SAP Security Analyst
Baylor College of Medicine

Background and General Info

Baylor College of Medicine
- SAP Implementation - 1999
- Major upgrade / role rebuild in 2003
- Implemented Virsa VRAT, VFAT and VRMT in 2003
- VFAT to Firefighter in 2004
- VRAT to Compliance Calibrator in 2006
- Presently on ERP - ECC5, SRM, ESS and Portal

Current Environment

Users 14000

R/3 Roles 5200
- Main Roles - 417
- Composite Roles - 45
- Derived roles - 2897
- Fund Center Controlling Roles 1841 (figure labels: Biology, Medicine, Virology)

SRM Roles 34
- End user assigned roles 14
- Communication or support roles 30

Portal Roles 10
- Assigned to users 4
- Communications or Support Roles - 6

Support and Admin

Decentralized Admin 60+ (SAM - Security Admin Module), by Department

Central Support and Role Maintenance 2
- All Role Maintenance
- Central Users Admin
- Second Level Help Desk
- Admin Support
- GRC Management
- IDM Project Lead

The Access Control Suite

FireFighter
- Widely used with SME and Audit
- Use a one to one Firefighter account to User
- Special Roles for Viewing Reports

Compliance Calibrator
- In place during 3 external audits
- Audit has found no issues with roles
- Assignment issues with users
- Mitigation controls moved responsibility to Business Units

Role Expert
- Have elected not to use at this time due to our role design
- Would recommend Role Expert for new installations

Access Enforcer
- Not installed

Key Benefits
- Reduce False Positives and focus on analyzing real issues
- Catch low hanging fruit (e.g. Role analysis)
- Focus on SOD issues by functional areas (HR, FI) and/or risk levels
- Reduce analysis time (BPOs, WPOs, IT)
- Assist with mitigation controls (i.e. documentation and risk acceptance process)
- Aid in monitoring actual execution of conflicting critical transactions
- Proactively maintain compliance via simulation
- Reduce cost related to Audits
- Additionally, provides monitoring capabilities for firefighter access to Production (i.e. monitor every transaction used during firefighter session)

Key Drivers
- Reduce auditing cost: Audit effort (Internal Audit); Response effort (BPOs, WPOs, IT)
- Proactively mitigate and reduce audit issues
- Evaluate the business impact (role changes) prior to implementing requested change: Reducing rework effort; Enabling pre-check of SOD issues
- Reporting capabilities: Real Time; Distributed to appropriate Managers

SAP Solutions for GRC

Access Control
Process Control
Repository
Global Trade Services
Applications for EH&S Compliance Management
Questions


SAP GRC Process Control

Increase confidence in the effectiveness of controls

Supports end-to-end enterprise control management with single solution

[Figure: controls process management and continuous controls monitoring cycle]
Document -> Test (Test Automated Controls; Test Manual Controls; Perform Assessments) -> Monitor (Review Exceptions; Remediate Issues) -> Certify and Sign-off (302, Designs)
Scope: Business Processes; IT Infrastructure; Process-Control-Objective-Risk

Reduce cost without compromising compliance
- Provides centralized control management for automated and manual controls

Effectively manage business risk
- Enables management by exception

Prioritizes remediation activities
- Provides management insight into the control environment

SAP Solutions for GRC

Access Control
Process Control
Repository
Global Trade Services
Applications for EH&S Compliance Management
Questions

SAP Global Trade Services (SAP GTS)

[Figure: SAP GTS on SAP NetWeaver]
Stakeholders: Logistics/Trade Team; Legal/SOX Compliance Team; IT Team; Import/Export Officer
Outcomes: Increased Productivity and Business Insight; Adaptable Business Processes Based on Flexible Technology Platform; Integrate Systems, Data and Business Partners
SAP GTS modules: Export Management; Trade Preference Management; Import Management; Restitution Management
Applications: ERP; SCM/SRM; CRM; Legacy
Data: HTS, ECCN, etc; Duty Rates; SPL Data; Rules Of Origin
Business Partners: Customer & Supplier; Banks; Freight Forwarder; Customs Agencies

Key Compliance Issues for Higher Education

Deemed Exports
Public Domain Exemption
Fundamental Research Exemption
Full-time employee exemption
Educational Instruction Exemption
Government-sponsored research covered by
national security contract controls
ITAR -- defense articles and defense services,
especially in space research and, increasingly, in
life sciences and nanotechnology research
Other applications of U.S. export controls to faculty
or university research

What agencies are involved?

State Department - International Traffic in Arms Regulation (ITAR) 22 CFR 120-130

The US Department of State, Office of Defense Trade Controls (ODTC), is responsible for items and
information inherently military in design, purpose, or use. Referred to as "defense articles," such items
are found on the US Munitions List, 22 CFR 121 (linked above). Spacecraft and satellites, even if not for
military use, are on the Munitions List, along with their associated systems and related equipment.
Information related to Defense Articles is referred to as "technical data."

Commerce Department - Export Administration Regulation (EAR) 15 CFR 700-799

The US Department of Commerce, Bureau of Industry and Security (BIS), has export jurisdiction over
everything in the United States, although BIS does not require a license for every export. BIS controls
goods and information having both civilian and military uses by including them on the Commerce Control
List, 15 CFR 774. This is also known as the "Dual Use List" (linked above). BIS uses the term
"technology" when referring to information about the goods on the Commerce Control List.

Treasury Department - Office of Foreign Assets Control (OFAC) CFR 500-599

The US Department of the Treasury oversees US trade embargo through its Office of Foreign Assets
Control (OFAC). Empowered by the Trading with the Enemy Act and the International Emergency
Economic Powers Act, OFAC enforces anti-terrorism sanctions at our borders and through Customs.
Concerned with the giving of "assistance" to the enemy, the pertinent regulations provide OFAC with
broad authority to interdict vaguely defined "prohibited transactions" involving persons from sanctioned
countries.

How GTS manages Deemed Exports

Universities screen, in the US and globally:
- Students
- Faculty
- Full-Time Employees
- Part-Time Employees
- Researchers
- Contractors/Consultants
- Visitors
- Partners

against:
1) US Sanctioned Party Lists
2) US Export Administration Regulations
3) UN Sanctioned Party Lists
4) Other regulations based on industry and corporate policy
SAP GTS Global Compliance Across the Organization

- Visitor Entrance to Facilities: Screens visitors in real-time through a badging or visitor management system; no extra steps needed. Centralizes a global audit trail of all visitor screening and results of sanctioned party matching, with alerts triggered if a match is found.
- Foreign National Students and Researchers: Screens all students and researchers against sanctioned parties lists as well as EAR/ITAR controls. Manages the licensing and exception/exemption requirements.
- Human Resources Systems: Reviews all business partners, including current employees, external consultants and applicants, against the name, address, country of citizenship and project classification to ensure compliance with US EAR deemed export regulations.
- Web Download Transactions: Reviews web download transactions in real-time against sanctioned parties, US EAR, US ITAR and OGA regulations.
- Travel Itineraries: Screens all travel requests, itineraries and existing trips.
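The sanctioned party screening that the two preceding slides describe (students, visitors, HR records and downloads checked against US and UN lists, with a central audit trail and an alert on any match), as an added example; this is not SAP GTS code or its matching engine. The list entries, partner names, channel labels, stop-word list and the 0.6 threshold are constructed assumptions, and the token-overlap score stands in for the tuned matching a real screening product uses.

```python
# Added example: sanctioned party list (SPL) screening with a central audit trail.
# The list entries, names and channel labels are constructed; real screening uses
# the official lists and a tuned matching engine.
import re
import unicodedata

# Constructed sample entries: (list source, listed name, country). Not real list data.
SPL_ENTRIES = [
    ("US-SPL", "Example Trading Company", "XX"),
    ("UN-SPL", "Jane A. Doe", "YY"),
    ("US-SPL", "Doe, John", "YY"),
]

# Tokens that carry no identifying weight in organisation names (constructed list)
STOP_TOKENS = {"the", "company", "co", "inc", "ltd", "llc", "corp"}

# Every screening result is appended here, matched or not: the global audit trail
AUDIT_TRAIL = []


def name_tokens(name):
    """Fold accents and case, strip punctuation, drop noise tokens and single-letter initials."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    words = re.sub(r"[^a-z0-9 ]+", " ", folded.lower()).split()
    return {w for w in words if w not in STOP_TOKENS and len(w) > 1}


def similarity(a, b):
    """Order-independent token overlap (Jaccard); 1.0 means the same significant tokens."""
    ta, tb = name_tokens(a), name_tokens(b)
    if not ta or not tb:
        return 0.0
    return len(ta & tb) / len(ta | tb)


def screen(partner_name, partner_country, channel, threshold=0.6):
    """Screen one business partner (student, visitor, download, ...) and record the result."""
    matches = []
    for source, listed_name, listed_country in SPL_ENTRIES:
        score = similarity(partner_name, listed_name)
        if score >= threshold:
            matches.append({"score": round(score, 2), "source": source,
                            "listed_name": listed_name,
                            "country_match": listed_country == partner_country})
    matches.sort(key=lambda m: (-m["score"], m["listed_name"]))
    # A potential match is never auto-cleared: it goes to the compliance team for review
    decision = "REVIEW" if matches else "CLEAR"
    record = {"channel": channel, "partner": partner_name, "country": partner_country,
              "matches": matches, "decision": decision}
    AUDIT_TRAIL.append(record)
    return record


def open_alerts():
    """Records that still need a human decision, across all channels."""
    return [r for r in AUDIT_TRAIL if r["decision"] == "REVIEW"]


if __name__ == "__main__":
    print(screen("John Dóe", "YY", "visitor"))
    print(screen("Example Trading Co.", "ZZ", "download"))
    print(screen("Alice Smith", "AA", "hr"))
    print(len(open_alerts()), "alerts for review")
```

Two design points carry over to any screening integration: the normalisation step is what catches "Doe, John" against "John Dóe" (name order, punctuation and accents must not defeat the check), and the CLEAR results are written to the trail as well as the matches, because an auditor later needs evidence that a given person or transaction was actually screened, not only that alerts were raised.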
[Figure: SAP GTS across the organization]
Sources: Students; Security; Compliance Team; Human Resources
SAP Global Trade Services: Rules engine; Integration Management, Workflow; Alerts and Business Intelligence; on SAP NetWeaver
Back-end systems: HR; Visit; Download; Travel; Ad Hoc; Sales Reps

SAP Solutions for GRC

Access Control
Process Control
Repository
Global Trade Services
Applications for EH&S Compliance Management
Questions

Environment, Health & Safety

Enables Environmental Execution and Legal Compliance

Product Stewardship/Hazardous Tracking
- Specification Management
- Rule Based automated classifications (EH&S Expert)
- Automatic Report Generation and automated Distribution and Redistribution
- Label Management
- Substance Tracking

Workers Health and Safety
- Risk Assessment
- Site Inspections / Safety Measures
- Measurement Management / personal related exposure profiles
- Incident/Accident Management
- Medical Services

Dangerous Goods / Waste Management
- Regulation Data Management
- Dangerous Goods Classification
- Tremcard Management
- Integration into logistic execution / Automated Dangerous Goods checks
- Internal and External Disposal Processing

SAP EH&S Components

SAP EH&S offers a comprehensive and complete business solution for environment, health and safety management

[Figure: components grouped by what they manage]
Substances: Product Safety *; Hazardous Substance Management **; Dangerous Goods Management; Global Label Management
Employee: Industrial Hygiene and Safety; Occupational Health
Work areas: Waste Management
Across all: Basic Data & Tools; EH&S Analytics & Reporting

* for producers of hazardous substances (regulatory)
** for users of hazardous substances (regulatory)

One solution for all industries

The World of SAP EH&S

[Figure: SAP EH&S components integrated with SAP ERP]
SAP ERP: Human Capital Management; Enterprise Asset Management; Research; Procurement; AR; Financials/Accounting
Business process integration
SAP EH&S: Occupational Health; Industrial Hygiene and Safety; Hazardous Substance Management; Product Safety & Dangerous Goods Management; Global Label Management; Waste Management; Basic Data and Tools (Specifications Database)

SAP Environment, Health and Safety (SAP EH&S)


Summary

The business value derived from the most comprehensive, fully integrated EHS solution includes:

Increase Efficiency
- Seamless integration with SAP ERP
- Flexible and easy reuse of master data from SAP ERP

Reduce Risk of Non-Compliance
- Ensure regulatory compliance
- Transparency by use of consistent and comprehensive reporting

Reduce TCO
- Designed for deployment around the world
- Adaptive solution based on generic and proven process models that can be configured to the individual company's needs

"We are now going to integrate EHS business processes such as product safety, dangerous goods and waste management and industrial health and safety into the existing SAP R/3 environment. This integration is the real power of EH&S and will reduce EHS and other costs significantly."
Aventis

SAP Environmental Compliance

Create regulatory compliance and control your impact on air, water, soil

[Figure: SAP EH&S modules (WM, DG, PS, HSM, IHS, OH) alongside SAP REACH Compliance, Compliance for Product (CfP) and SAP Environmental Compliance; labels Industry-Specific and Cross-Industry]
SAP Environmental Compliance: Compliance Management; Permit Management; Emissions Management; Greenhouse Gas Management

- Monitor and report environment compliance issues on plant, corporate level
- Control compliance activities, management of exception, limit tracking
- Support legally and corporate defined environmental processes - air and water emissions and wastes - compliance reporting and permit management
- Integration in SAP processes and production control systems

"As soon as we had SAP Environmental Compliance in place, people were using that system almost entirely and stopped using Excel spreadsheets to conduct calculations."
Nova Chemicals

Questions?

Sherry Amos, Director, Industry Strategy, SAP Public Services, Inc., Washington, DC
E sherry.amos@sap.com

Craig Weisiger, SAP Security Analyst, Baylor College of Medicine, Houston, TX
E weisiger@bcm.edu

Craig Kennedy, Executive Solution Engineer, SAP Public Services, Inc., Newtown Square, PA
E craig.kennedy@sap.com
