GR C 2009 Segregation Access Control


PwC Advisory Governance, Risk and Compliance

Segregation of duties and access control

Leveraging SAP GRC to meet the challenges


Are you worried about unauthorised access to critical systems and confidential information? Are you able to identify and address segregation of duties (SoD) conflicts effectively? Is access control technology really beneficial and necessary?
Why segregation of duties and access control?

With the heightened focus on corporate governance and internal controls in today's business environment, organisations need to implement effective measures for achieving regulatory compliance and meeting a variety of stakeholder demands, among them the demand for a better and more effective Governance, Risk management and Compliance (GRC) programme. Implementing effective and efficient internal controls is an important aspect of a GRC programme. Internal controls are mechanisms that help organisations achieve their business objectives while containing risks that may lead to financial, operational and reputational losses. Effective and efficient internal controls are directly correlated with an organisation's ability to execute business transactions and to ensure productivity, profitability and sustainability.

Internal controls in a business environment are often enforced through segregation of duties in business processes. Different roles and responsibilities are assigned to each individual to provide a check-and-balance environment appropriate to the risk level of the business. Segregation of duties is naturally embedded in the hierarchical and compartmentalised structure of any business organisation. However, there is often a blind spot: access to computer systems. With computer systems in almost every aspect of business, organisations are increasingly reliant on technology-based access control to enforce segregation of duties. Without proper and adequate access control, organisations may find out the hard way that segregation of duties has been bypassed and controls no longer work.

Addressing the key issues

Many organisations have difficulty managing segregation of duties and access controls. They often discover this through inspections and audits or, in some cases, fraud investigations.
The three common issues are:

- How to identify SoD conflicts, and what level of control is adequate
- How to balance the inconvenience of access controls against productivity
- How to monitor the use of powerful system functions and unauthorised access to confidential information on a continuous basis

These three issues cannot be addressed effectively without the support of access control technology. SAP GRC Access Control enables you to achieve:

- Minimal time to compliance, by setting up the right access controls using a comprehensive library of SoD rules. This allows you to go live quickly and achieve a cost-effective clean-up of the initial control set, so that future violations are stopped.
- Continuous access management, by enforcing SoD compliance from the start with enterprise-wide role design, documentation and maintenance that eliminate manual errors and enforce best practices. This prevents the reintroduction of SoD violations and allows business users to perform emergency activities using superuser privileges in a controlled manner.
- Effective management oversight and audit, by giving managers comprehensive oversight through user access reaffirmations and reviews of access risks, SoD rules, mitigating controls and roles. There are also audit trails for role provisioning, user provisioning, emergency access and more. Auditors can more easily validate proper management oversight by confirming that all access is properly authorised and that SoD risks are appropriately mitigated.

The importance of a holistic GRC approach

Building and implementing segregation of duties and access control requires a holistic approach that is woven into the fabric of the organisation, often viewed as part of a larger GRC programme. Under this view, an effective governance structure is put in place, and roles and responsibilities are clearly defined.
Risk identification, assessment and mitigation are closely tied to the achievement of the organisation's business objectives. Executives and management have ready access to timely, accurate and relevant information about controls and their impact on risk exposure. In other words, segregation of duties and access control are not the responsibility of one or two departments; they are a concerted effort of everyone in the organisation, from the Board right down to the staff on the ground.

PwC is the specialist in SoD and access control

As one of the largest and most experienced global providers of GRC services, PwC has been working closely with technology providers such as SAP to help organisations create integrated, sustainable GRC programmes. PwC's proven methodology and approach ensure that organisations implement and operate SAP GRC Access Control using the proper Strategy, Structure, Process, People and Technology.

Figure: PwC GRC Programme, with the five elements and what each contributes:

- Strategy: adopt a holistic GRC approach that involves all key stakeholders
- Structure: align to strategy with a control framework, a clear governance structure, and well-defined security roles, responsibilities and procedures
- Technology: provide a consistent platform to achieve sustainability, consistency, transparency and efficiency
- Process: implement effective and efficient processes to ensure continuity of controls
- People: align the human elements of the business with proper skills, competency, training, and clearly defined performance measures

Our approach recognises that technology is not a solution but an enabler: a tool to efficiently gather and analyse data and to support people and processes. With one of the largest available global resource pools in SAP GRC technologies, we work with organisations to address a wide range of GRC issues. We can help you:

- Define the strategic vision for an integrated GRC programme at the most appropriate level (enterprise, regional or divisional) to ensure you remain within your risk tolerance
- Conduct a current-state assessment of GRC capabilities and identify gaps and requirements for key risks and controls, in areas such as training, monitoring and project risk reviews
- Implement and integrate the solution in accordance with the strategic vision
- Customise the SAP GRC solution to your organisation's specific needs and requirements
- Leverage templates, tools and standard industry practices to fast-track implementation
- Support solution implementation with knowledge and experience in key GRC-related areas, such as information security, data management and sourcing
- Design and configure reporting to help meet your regulatory, compliance and risk management needs
- Conduct testing, remediation and training activities to maintain the effectiveness of the GRC programme, personnel and policies

The effect of tightening SoD and access controls

Organisations that have gone through this exercise typically experience the following:

- A more clearly defined set of SoD rules
- Significantly fewer transaction codes assigned to each user. In the example below, originally 45% of users had more than 500 transaction codes each; after the exercise, 90% of users had fewer than 300 codes each.
- A workflow for user provisioning
- Remediation of SoD conflicts

Figure: number of transaction codes per user, before and after the exercise (sample size: 220 users). Bars show the percentage of users in each band: fewer than 100, 100-300, 300-500, more than 500.

Segregation of duties and access control management

Overcome fragmentation, gain comprehensive access control

Figure: what each stakeholder gains from comprehensive access control:

- Board and Audit Committee: a preventive approach
- Internal Audit: lower cost of audit and audit-related fees
- IT Operations: improved efficiency by automating core compliance and security tasks
- Information Security: sensitive transaction monitoring
- Executives and Managers: manage compliance with confidence
- Finance: vulnerability to unwanted financial activity fixed
- Human Resources: efficient and compliant user provisioning
- Operations: compliant, role-based access control
- Supply Chain and Customers & Channel: also shown as stakeholders in the figure

PwC's GRC Access Control implementation approach

Three phases:

- Get clean: Minimal Time To Compliance
- Stay clean: Continuous Access Management
- Stay in control: Effective Management Oversight and Audit

Three service areas, each with its outcome:

Risk Analysis: prepare, plan and facilitate risk workshops to identify SoD and access control rules, and implement SAP GRC Risk Analysis and Remediation (RAR).
Outcome and benefits: SoD and access control rules are identified, with clearly documented remediation and mitigating controls.

Role Remediation: facilitate role remediation workshops to clean up roles, with two best-in-class offerings working together: PwC's SAP Role Redesign Methodology and Risks Library, and SAP GRC Enterprise Role Management (ERM).
Outcome and benefits: SAP authorisation is standardised and roles are clearly designed using Enterprise Role Management.

SAP GRC Access Framework: advise on and facilitate the set-up of the GRC Access Framework, and implement both SAP GRC Compliant User Provisioning (CUP) and Superuser Privilege Management (SPM) to sustain SAP access compliance.
Outcome and benefits: a structured SAP GRC framework is set up; controlled and secured user provisioning is put in place with Compliant User Provisioning and Superuser Privilege Management; sustainability is achieved.

The SAP GRC Access Control components and what each delivers:

- Risk Analysis and Remediation: rapid, cost-effective and comprehensive initial clean-up
- Enterprise Role Management: enforce SoD compliance at design time
- Compliant User Provisioning: prevent SoD violations at run time
- Superuser Privilege Management: close the #1 audit issue with temporary emergency access
- Periodic Access Review and Audit: focus on remaining challenges during recurring audits
- Risk analysis, remediation and prevention services: cross-enterprise library of best practice segregation of duties rules
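The rule-based checks behind the three key issues above and behind the RAR, ERM and CUP components can be made concrete. The following Python is an added example written for this page; it is not PwC's or SAP's code. It models a small, constructed rule set (business functions as sets of SAP transaction codes, risks as pairs of functions one person must not hold together) and runs three checks over constructed role and user data: a user-level risk analysis that reports violations together with any documented mitigating control (the RAR-style clean-up), a design-time check for roles that conflict on their own (the ERM point), and a provisioning simulation that asks which risks assigning a new role would newly introduce (the CUP point). The function groupings, risk IDs, role and user names and the control reference are all assumptions; the real SAP GRC rule library is far larger and also evaluates authorization objects, not only transaction codes.

```python
"""Rule-based segregation-of-duties (SoD) analysis over SAP-style user, role and
transaction-code data. Added example; the rule set is a constructed, illustrative
subset and not the SAP GRC rule library."""

# Business functions expressed as the transaction codes that perform them.
# Assumption: groupings are illustrative; real functions span many more tcodes
# plus authorization objects.
FUNCTIONS = {
    "VENDOR_MASTER":  {"FK01", "FK02", "XK01", "XK02"},
    "AP_INVOICE":     {"FB60", "MIRO"},
    "AP_PAYMENT":     {"F110", "F-53"},
    "PURCHASE_ORDER": {"ME21N", "ME22N"},
    "GOODS_RECEIPT":  {"MIGO"},
    "USER_ADMIN":     {"SU01", "PFCG"},
}

# SoD risks: pairs of functions one person must not be able to perform alone.
# Risk IDs are made up for this example.
RISKS = {
    "P001": ("VENDOR_MASTER", "AP_PAYMENT"),     # create a fictitious vendor, then pay it
    "P002": ("AP_INVOICE", "AP_PAYMENT"),        # enter an invoice, then release its payment
    "P003": ("PURCHASE_ORDER", "GOODS_RECEIPT"), # order goods, then confirm their receipt
    "B001": ("USER_ADMIN", "AP_PAYMENT"),        # grant oneself access, then pay
}


def enabled_functions(tcodes, functions=FUNCTIONS):
    """Map each business function to the (sorted) subset of its tcodes present in `tcodes`."""
    return {f: sorted(tcodes & tc) for f, tc in functions.items() if tcodes & tc}


def conflicts(tcodes, risks=RISKS, functions=FUNCTIONS):
    """Return {risk_id: {function: [tcodes]}} for each risk whose two functions are both enabled."""
    enabled = enabled_functions(set(tcodes), functions)
    return {rid: {fa: enabled[fa], fb: enabled[fb]}
            for rid, (fa, fb) in risks.items() if fa in enabled and fb in enabled}


def user_tcodes(user, user_roles, role_tcodes):
    """Flatten a user's roles into the set of transaction codes the user can execute."""
    return set().union(*(role_tcodes.get(r, set()) for r in user_roles.get(user, ())))


def analyse_users(user_roles, role_tcodes, mitigations=None):
    """User-level risk analysis: violations arising from any combination of a user's roles.

    `mitigations` maps (user, risk_id) -> control reference. A mitigated violation is
    still reported, because the compensating control must be documented and reviewed,
    but it is flagged so the clean-up effort can focus on the unmitigated ones.
    """
    mitigations = mitigations or {}
    report = {}
    for user in sorted(user_roles):
        found = conflicts(user_tcodes(user, user_roles, role_tcodes))
        if found:
            report[user] = {rid: {"functions": fx, "mitigated_by": mitigations.get((user, rid))}
                            for rid, fx in found.items()}
    return report


def analyse_roles(role_tcodes):
    """Design-time check: roles that violate an SoD rule on their own, before anyone holds them."""
    out = {}
    for role, tcs in sorted(role_tcodes.items()):
        found = conflicts(tcs)
        if found:
            out[role] = sorted(found)
    return out


def simulate_assignment(user, new_role, user_roles, role_tcodes):
    """Provisioning check: which risks would assigning `new_role` to `user` newly introduce?"""
    current = user_tcodes(user, user_roles, role_tcodes)
    before = set(conflicts(current))
    after = set(conflicts(current | role_tcodes.get(new_role, set())))
    return sorted(after - before)


# Constructed sample data (assumption): role names, users and the control reference are invented.
ROLE_TCODES = {
    "Z_AP_CLERK":     {"FB60", "MIRO", "FK03"},
    "Z_AP_PAYMENTS":  {"F110", "F-53"},
    "Z_VENDOR_MAINT": {"FK01", "FK02"},
    "Z_PURCHASER":    {"ME21N", "ME22N", "MIGO"},  # one role carries both sides of P003
    "Z_DISPLAY_ONLY": {"FK03", "ME23N"},
}
USER_ROLES = {
    "alice": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},  # P002 arises only from the combination
    "bob":   {"Z_PURCHASER"},
    "carol": {"Z_VENDOR_MAINT", "Z_DISPLAY_ONLY"},
}
MITIGATIONS = {("alice", "P002"): "MC-17: monthly payment-run review by the controller"}

if __name__ == "__main__":
    for user, risks in analyse_users(USER_ROLES, ROLE_TCODES, MITIGATIONS).items():
        for rid, info in risks.items():
            status = f"mitigated by {info['mitigated_by']}" if info["mitigated_by"] else "UNMITIGATED"
            print(f"{user}: {rid} {info['functions']} -> {status}")
    print("roles conflicting by design:", analyse_roles(ROLE_TCODES))
    print("carol + Z_AP_PAYMENTS would add:",
          simulate_assignment("carol", "Z_AP_PAYMENTS", USER_ROLES, ROLE_TCODES))
```

Run stand-alone, the script reports alice's P002 (mitigated by MC-17) and bob's unmitigated P003, flags Z_PURCHASER as conflicting by design, and shows that granting Z_AP_PAYMENTS to carol would introduce P001 even though neither of her existing roles nor the new role is a problem on its own. That last case is why the "stay clean" step has to evaluate the user's full resulting access at request time rather than only checking roles in isolation.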

Chan Hiang Tiak +65 6236 3338
Tan Shong Ye +65 6236 3262
Charles Loh +65 6236 4479
Keith Stephenson +65 6236 3358

For general enquiries, please email to

The information contained in this brochure is of a general nature only. It is not meant to be comprehensive and does not constitute the rendering of legal, accounting, tax or other professional advice or service by PricewaterhouseCoopers. Before taking any action, please ensure that you obtain advice specific to your circumstances.
© 2009 PricewaterhouseCoopers LLP. All rights reserved. PricewaterhouseCoopers LLP is part of the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.
