
SAP ERP Financials
SAP Solutions for Governance, Risk, and Compliance and SAP GRC Access Control

Rainer Salaw, CPA
SAP Deutschland AG & Co KG
Regional Solution Sales GRC
EMEA

Barbara Mayer
Enterprise Risk Management, SAP Consulting
AGENDA

GRC as part of SAP Financials
Challenge for GRC
GRC-Suite in detail
Value proposition
The Fast Track

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 3
Gartner "Strong Positive" Rating

Rating scale: Strong Negative – Caution – Promising – Positive – Strong Positive (SAP rated Strong Positive)

About SAP GRC Access Control
• SAP is the only vendor with a "Gartner recommends" rating in all technique categories (static analysis, provisioning support, integrated provisioning workflow, transaction monitoring and emergency access)
• "... offers one of the strongest product sets in our analysis, comprehensively addressing all SoD issues across multiple SAP instances."
• "... capable of running on multiple ERP platforms ..."

1 Gartner - MarketScope for Segregation of Duties Controls Within ERP, 2007

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 5


mySAP ERP Financials

The four areas of mySAP ERP Financials:
• Corporate Performance Management (CPM): Strategy Management (Balanced Scorecard), Planning, Consolidation
• Accounting & Finance Transformation: FI, FI-AA, FI-AR/AP, NewGL, CO, PCA
• Financial Supply Chain Management (FSCM): Credit Mgmt., Collections Mgmt., Dispute Mgmt., FI-CA, Biller direct, In-house Cash
• Governance, Risk, and Compliance (GRC): internal regulations / ethical standards; strategic/operative risks; external regulations / compliance to laws

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 6


Business Case: "...the True Information Age"

"In 2010 the need for fast, accurate and reliable information will be increased significantly. In four areas the demand will be raised most. Two of them are:
• Risk Management
• Governance"

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 8


Fragmented Processes and Systems: A Risky Situation!

• Supervisory board, internal audit: almost manual, sample based, not error free controls
• Management: no overview about risk portfolio
• Compliance / Risk Office: high level risks, not proactive
• Finance: complex, international compliance requirements (e.g. revenue recognition)
• IT: IT security; SoD management
• Human Resource: environmental health & safety
• Purchasing / Supply Chain: supplier rating & "embargo lists"; fraud
• Sales / Customers & Channel: credit risks, customer ratings

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 9


Gain Confidence by Proactive Transparency with SAP GRC

• Supervisory board, internal audit: documented decisions, audit trail
• Management: transparency about risks => max. confidence!
• Compliance / Risk Office: real time risk analysis, integrated view
• Finance: compliance in group reporting processes
• IT: highly secured IT systems
• Human Resource: compliance to environmental standards
• Purchasing / Supply Chain: transparent rating, compliance to trace regulations
• Sales / Customers & Channel: transparent customer solvency

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 10


Fragmentation vs. Holistic Approach to GRC

From fragmented Risk & Compliance (Information Security, SOX Compliance, Risk Mgmt and Internal Audit each handled in isolation) ... to holistic GRC (Information Security, SOX Compliance, Risk Mgmt and Internal Audit under one roof).

SAP Solutions for GRC
• Industry-Specific GRC
• Cross-Industry GRC: GRC Repository (Documentation and Monitoring), Risk Management, Access Controls, Global Trade, Environment, Process Controls
• Business Process Platform
• Business Applications

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 11


GRC Suite
Functions for All Process Orientated Risks and Regulations

Cross industry solutions: Access Control, Process Control, Risk Management
Industry specific solutions: Global Trade Services (GTS), Environment, Health & Safety (EH&S), ... more solutions

Access Control components (Virsa names): Compliance Calibrator, Role Expert, Access Enforcer, Fire Fighter

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 12

GRC Suite
Functions for All Process Orientated Risks and Regulations

Cross industry solutions: Access Control, Process Control, Risk Management
Industry specific solutions: Global Trade Services (GTS), Environment, Health & Safety (EH&S), ... more solutions

SAP GRC Access Control components: Risk Analysis and Remediation, Enterprise Role Management, Compliant User Provisioning, Super User Privilege Management; all built on the GRC-Repository

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 13


SAP Solutions for GRC
Framework for an integrated GRC-Solution

• GRC as an integrated part of all business processes
• Leverage integration through high automation (e.g. automatic controls)
• Group-wide utilization, open architecture (usage of SAP's technology platform -> no limitation to SAP-ERP systems)

Layers: Business Process / SAP GRC Access Controls / Business Process Platform / Business Applications

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 14


GRC Repository
Central System of Record Drives Governance, Increases Transparency

Inputs to the GRC Repository: Governmental Agencies (Regulations); Influence Councils & Industry (Mandates); Performance Measures & Benchmarks; Risk & Control Libraries; BOD & Committee Minutes; Corporate Policies & Procedures; Best Practices (COSO, COBIT); Control Frameworks; Advisory Services (Auditors, Attorneys); Internal Policies

• Enforces governance for the entire enterprise
  – Regional regulations
  – Multiple frameworks for each department
  – Pre-built control & risk libraries
• Complete body of evidence for compliance
• Centralized knowledge base for all GRC relevant information -> beyond fragmentation
• Single source of truth for reporting

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 15


How Does GRC Support You?

Governance & Compliance: e.g. Sarbanes Oxley Act (SOX), KonTraG etc.; Rules of Business Conduct, Ethical standards, Governance rules

Identification of all kinds of risks (group wide):
• Access Controls: segregation of duties risks; fraud; risky system authorizations; misuse of rights
• Process Controls: compliance of processing; stick to governance; focus on operational business risks; quality of processes
• Risk Management: focus on non-operative risks; opportunity management; decision support; transparency and remediation

Define appropriate actions for identified risks:
• Eliminate risks by segregation of duties (-> remove authorizations, redesign processes)
• Minimize risks by defining appropriate mitigation controls
• Maximize risk awareness (-> transparency, continuous monitoring, escalation, mitigation, remediation)

Legend: manual activity / automation

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 17


How Does GRC Support You? – Access Controls

Same overview as the previous slide, with the four SAP GRC Access Control capabilities mapped onto the Access Controls column: Risk Analysis and Remediation, Enterprise Role Management, Compliant User Provisioning, Superuser Privilege Management.

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 18


SAP GRC Access Control
Sustainable Prevention of Segregation of Duties Violations

Three phases: Minimal Time To Compliance (Get Clean) -> Effective Access Management (Stay Clean) -> Continuous Management Oversight and Audit (Stay in Control)

• Risk Analysis and Remediation: rapid, cost-effective and comprehensive initial clean-up
• Enterprise Role Management: enforce SoD compliance at design time
• Compliant User Provisioning: prevent SoD violations at run time
• Superuser Privilege Management: close #1 audit issue with temporary emergency access
• Periodic Access Review and Audit: focus on remaining challenges during recurring audits

Risk analysis, remediation and prevention services
Cross-enterprise library of best practice segregation of duties rules

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 19


Risk Analysis and Remediation
Getting Clean

Initial Risk Analysis and Remediation: Risk Identification -> Risk Elimination -> Reporting -> Prevention (end-to-end automation)

Facilitates collaboration between Business and IT to clean up access risks.

"The clean-up process has brought a tremendous degree of discipline to the way we think about and manage user access and authorizations."
– Deepak Mehrotra, SOX Compliance Manager, Synopsys Inc.

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 20


Cross-System Risk Analysis

Heterogeneous IT landscape:
• Legacy system (Inventory and Purchasing) – Authorization: Maintain vendor master data
• Custom system (Financials and Accounting) – Authorization: Initiate payment to vendor

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 21

Cross-System Risk Analysis (continued)

The VIRSA cross-enterprise rule set correlates the two authorizations across both systems: held together, "Maintain vendor master data" and "Initiate payment to vendor" are flagged as a RISK.

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 22


How Does it Work? -> Compliance Calibrator

The compliance officer requests a risk analysis for user "Maier". The Compliance Calibrator holds the SoD matrix (the PLAN: risks and the functions behind them). Real-Time Agents (RTA) in the connected business applications (e.g. ERP 2005) deliver the user's ACTUAL authorizations.

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 23

How Does it Work? -> Compliance Calibrator (continued)

The risk analysis function compares the SoD matrix (PLAN) with the ACTUAL authorizations delivered by the RTAs and produces a risk report.

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 24


SAP GRC Access Control
Risk Analysis and Remediation Functionality

Risk analysis and remediation functionality: risk analysis, detection and remediation of SoD violations in access control and authorization management.

GRC Access Control content covers more than 200 risks (critical transactions or authorization objects).

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 25

SAP GRC Access Control
Risk Analysis and Remediation Functionality (continued)

Each risk pairs two functions, and each function is resolved into the transactions of every connected system:

Function 1: System 1: Transaction 1 ... Transaction n; System 2: Transaction 1 ... Transaction n; System n: Transaction 1 ... Transaction n
Function 2: System 1: Transaction 2 ... Transaction m; System 2: Transaction 2 ... Transaction m; System m: Transaction 2 ... Transaction m

In total the delivered content expands to 180,000 rules.

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 26


Architecture – Automatic Rule Generation

Business Risks -> Business Functions -> System Action & Permission -> Compliance Calibrator Rule Generation

Risk 1 (Function A conflicts with Function B)
• Function A: Action 1 + Permission 1; Action 2 + Permission 2; Action 3 + Permission 3; ... Action "n" + Permission "n"
• Function B: Action 4 + Permission 4; Action 5 + Permission 5; Action 6 + Permission 6; ... Action "n" + Permission "n"
• Rule generation: ALL cross combinations of "Action + Permission" between Functions A & B -> Risk Rule 1, Risk Rule 2, ... Risk Rule 9, ... Risk Rule "n"

Risk 2 (Function C conflicts with Function D)
• Function C: Action 7 + Permission 7; Action 8 + Permission 8; Action 9 + Permission 9; ... Action "n" + Permission "n"
• Function D: Action 10 + Permission 10; Action 11 + Permission 11; Action 12 + Permission 12; ... Action "n" + Permission "n"
• Rule generation: ALL cross combinations of "Action + Permission" between Functions C & D -> Risk Rule 10, Risk Rule 11, ... Risk Rule 18, ... Risk Rule "n"

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 27
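The cross-combination rule generation and the cross-system check shown on the preceding slides (Functions A/B, user "Maier", a legacy purchasing system next to a financials system), as an added Python example that is not SAP or Virsa code; the function names, system names, transaction codes and authorization values are constructed for illustration.

```python
"""SoD rule generation and user risk analysis, in the style of the slides above.

A risk is a pair of conflicting business functions; each function is a set of
Action + Permission entries per connected system; the generated rules are the
full cross product between the two functions. A user's ACTUAL authorizations
(collected per system, like the RTAs on the slides) are matched against every
rule, so a violation spanning two systems is found. All data is constructed.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Auth:
    """One Action + Permission as found in a connected system (constructed format)."""
    system: str      # connected system, e.g. "LEGACY_PURCH"
    action: str      # transaction or action code
    permission: str  # authorization object and activity, e.g. "F_LFA1_APP:02"


@dataclass(frozen=True)
class Rule:
    """One generated SoD rule: holding `left` and `right` together realizes `risk_id`."""
    risk_id: str
    left: Auth
    right: Auth


# Business functions -> Action + Permission entries per system (constructed sample;
# codes and objects are illustrative, not a shipped rule set)
FUNCTIONS = {
    "MAINTAIN_VENDOR_MASTER": {
        Auth("LEGACY_PURCH", "VENDOR_CREATE", "F_LFA1_APP:01"),
        Auth("LEGACY_PURCH", "VENDOR_EDIT", "F_LFA1_APP:02"),
        Auth("ERP_FIN", "FK02", "F_LFA1_APP:02"),
    },
    "INITIATE_VENDOR_PAYMENT": {
        Auth("ERP_FIN", "F110", "F_REGU_BUK:02"),
        Auth("ERP_FIN", "FB60", "F_BKPF_BUK:01"),
    },
}

# Business risks -> the two conflicting functions (constructed)
RISKS = {"P001": ("MAINTAIN_VENDOR_MASTER", "INITIATE_VENDOR_PAYMENT")}


def generate_rules(risks=RISKS, functions=FUNCTIONS):
    """Expand each risk into ALL cross combinations of Action + Permission between
    its two functions, as the slide describes (3 x 2 = 6 rules for P001)."""
    def key(a):
        return (a.system, a.action, a.permission)

    rules = []
    for risk_id, (fa, fb) in risks.items():
        for left, right in product(sorted(functions[fa], key=key),
                                   sorted(functions[fb], key=key)):
            rules.append(Rule(risk_id, left, right))
    return rules


def analyze_user(user_auths, rules):
    """Rules the user violates: both sides must be held, possibly in different
    systems (the vendor-master / payment case from the cross-system slides)."""
    held = set(user_auths)
    return [r for r in rules if r.left in held and r.right in held]


def risk_report(user, user_auths, rules):
    """Summarize violations per risk with the systems involved (PLAN vs ACTUAL)."""
    violations = analyze_user(user_auths, rules)
    by_risk = {}
    for v in violations:
        by_risk.setdefault(v.risk_id, set()).update({v.left.system, v.right.system})
    return {
        "user": user,
        "violations": len(violations),
        "risks": {risk: sorted(systems) for risk, systems in by_risk.items()},
    }


# ACTUAL authorizations extracted for user "Maier" (constructed; FB03 is display-only)
MAIER = [
    Auth("LEGACY_PURCH", "VENDOR_EDIT", "F_LFA1_APP:02"),
    Auth("ERP_FIN", "F110", "F_REGU_BUK:02"),
    Auth("ERP_FIN", "FB03", "F_BKPF_BUK:03"),
]

if __name__ == "__main__":
    rules = generate_rules()
    print(f"{len(rules)} rules generated")
    print(risk_report("Maier", MAIER, rules))
```

Remediation follows the slide's own options: remove one side of the violated rule from the user, or document a mitigating control against risk P001.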


SAP GRC Access Control
Risk Analysis and Remediation Functionality

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 28


SAP GRC Access Control
Risk Analysis and Remediation Functionality

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 29


Enterprise Role Definition
Enables Enterprise Role Definition and Maintenance in a Single Location

Enterprise-wide role definition and maintenance, with built-in segregation of duties check

Centralized Role Management: Enterprise Rules -> SAP GRC Access Control (with audit log) -> compliant enterprise roles, across applications

• Reduce cost of role maintenance
• Ease compliance and avoid authorization risk
• Eliminate errors and enforce best practices
• Assure audit-ready traceability and security checks

28% time savings in role management – Customer Survey, 3/2006

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 30


SAP GRC Access Control
Enterprise Role Management

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 31


Typical Challenges....

• Too many users have SAP_ALL -> SoD violations!!
• No activity monitoring, no audit trail
• No time limitation for SAP_ALL users
• No clear responsibility for SAP_ALL authorizations
• Smart emergency situation management
• No clear workflow in case of emergency!

-> SAP GRC superuser privilege management for SAP

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 32


SAP GRC Superuser Privilege Management

Process in the SAP system (multiple FireFighter IDs are assigned to user "Maier"):
1. Log in to the system as normal user "Maier"
2. Start transaction FireFighter
3. Select a FireFighter ID (FICO, MM, SD, Basis, ...) -> a new session is opened with the FireFighter's authorizations (e.g. SAP_ALL)
4. Perform the activity; all FireFighter activities are recorded in detail in a log file (FireFighter Log)
5. Log off as FireFighter within the normal user session "Maier"
6. System log off

Eliminates the no. 1 auditors' issue!
Multiple usage of FireFighters (e.g. year end closing activities, substitution activities, design of new roles, and many more...)

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 33


SAP GRC Superuser Privilege Management

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 34


SAP GRC Access Controls
Compliant User Provisioning

"We reduced provisioning from 2 weeks to 2 days" – Web Seminar Rockwell Collins, 3/2005

Current approach – inefficient, not compliant: access request by email -> manager approval by email -> IT Security (tables, forms; Word, Excel etc.) -> manual provisioning

Workflow process in Access Enforcer:
• Request: 100% automated; an HR event (employee hired/retired) generates the request; path workflow based on request type and user attributes
• Manager approval via e-mail, with escalation workflow
• Role Expert: compliant roles; role owner approval
• Compliance Calibrator: online risk analysis, one-click preventive simulation; exception workflow
• Automated provisioning: 100% automated

Assignment (and revocation) of roles and authorization profiles with built-in, automatic segregation of duties check

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 35
SAP GRC Access Controls
Compliant User Provisioning

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 36


Roadmap
SAP GRC Access Control 5.3

Q2 2007 (AC 5.2 SP3) – Access Control 5.2 SP3
Language Translations
• Country A languages: English, French, German, Japanese
• Country B languages: Spanish, Portuguese, Italian, Hungarian
Cross-Enterprise (Greenlight)
• Real-Time Agents for Risk Analysis
• Comprehensive SOD Rules for Oracle, JDE and PeopleSoft

Q3 2007 (AC 5.2 SP4) – Access Control 5.2 SP4
• Web Services for IDM integration (official and stable API for partners)
• Reporting / Reporting Enhancements
• Additional auditor, business manager and IT reports in Compliance Calibrator
• Miscellaneous

Q1 2008 (AC 5.3) – SAP GRC Access Control 5.3
SAP GRC Access Control branding and single launchpad for all 4 access control capabilities

Risk analysis and remediation (formerly known as Virsa Compliance Calibrator)
• Risk analysis for SAP Enterprise Portal and UME
• Close critical CC 4.0* & SAFE gaps
• BI Integration for custom reporting
• Fix for connector limit
• SOD management by exception (Integration w/ Workflow)
• Import/Export of configuration data
• Migration scripts
• Download and print capability on every report
• Performance improvements
• Concurrent Risk Analysis
• Batch mode risk analysis
• Improved Memory Mgmt

Enterprise role management (formerly known as Virsa Role Expert)
• Close RE 4.0 gaps
• Additional reports
• Search roles
• Single composite role relationship
• List role & transactions
• More detail role change history
• Role authorization changes at object field level
• View PFCG change log
• Generate roles for multiple systems
• Risk simulation for combined roles and existing user simulation at role design time
• Enforce naming convention according to policy
• Role Mappings
• Misc.
• Import/Export of configuration data
• Migration scripts

Compliant user provisioning (formerly known as Virsa Access Enforcer)
• Compliant provisioning for SAP EP
• Compliant provisioning for Oracle, PeopleSoft and JDE (Greenlight)
• HR triggers for PeopleSoft
• Password resets for ORCL, PSFT, JDE
• Close AE.net & SAFE gaps
• Authoritative User Sources: Integration with multiple LDAPs and SAP HR for user data source
• Reporting and reporting enhancements
• User Access Reviews (Manager / User Reaffirm)
• Cross system risk analysis / simulation
• Supporting multiple CUA's
• Full support for all SU01 fields
• Misc.
• Form customization
• Import/Export of configuration data

Superuser privilege management (formerly known as Virsa Firefighter for SAP)
• Change Log / Self Auditing
• Audit trail for configuration changes
• Write log report to designated file server
• Web report enhancements
• Report filter variant
• Report for "All" systems
• Retrieve change log from CDHDR table for performance improvement
• Assign multiple FF owners to one FF ID

* Note: This release will not include granular security and logging requirements in the next release

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 37


SAP Solutions for GRC
Framework for an Integrated GRC-Solution

Layers: Business Process / SAP GRC Access Controls / Business Process Platform / Business Applications

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 38


SAP Addresses the Needs of Multiple Stakeholders

Business Executives – Concerns
• Risk appetite
• Risk avoidance
• Visibility
• Timely notification
• Cost of compliance

Internal Auditors – Concerns
• Controls in place
• Controls working effectively
• Risks correctly identified
• Response to control deficiencies
• Preventive controls

Business Process Managers – Concerns
• Risk identification & evaluation
• Timely notification
• Maximum productivity

IT Security and Support – Concerns
• Identify & implement compliance systems
• Fit with IT infrastructure
• Transfer accountability to business
• Prevent risk from entering systems

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 39


Benefits of Using an Integrated Control System

CONTROL – Increase confidence in the effectiveness of your controls
• 100% testing of all data all the time
• Enable early detection and remediation

AUTOMATION – Reduce cost without compromising compliance
• Reduced audit fees and testing costs
• Streamlined testing and remediation

INSIGHT – Effectively manage business, financial, and compliance performance
• Real time view of control health
• Enterprise-wide visibility into risks and controls

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 40


PC 2.5 Supports Compliance Processes

Management phases: Prepare (Scoping and Set-Up) -> Document Processes and Controls -> Assess Control Design and Remediate Issues -> Test Operating Effectiveness -> Sign-Off, Certification / Internal Control Report. Auditor phase: Attest and Report. Continuous Control Monitoring runs underneath all phases.

Prepare: Scoping and Set-Up
• Organization hierarchy
• Central process catalog
• Central catalog of control objectives/risks
• Assignment of sub-processes to significant accounts/relevant assertions
• Gap analysis reporting
• Identify fraud related risk

Document Processes and Controls
• Assignment of sub-processes to organizations
• Organization-specific control documentation
• Documentation of testing procedures
• Documentation of entity-level controls
• Setup of automated control testing and monitoring

Assess Control Design and Remediate Issues
• Control and process design assessments via surveys
• Entity-level control assessments via surveys
• Identification of issues
• Remediation of issues

Test Operating Effectiveness
• Documentation of testing results
• Documentation of continuous control monitoring
• Identification of issues
• Remediation and retest of issues
• Progress tracking and analysis

Sign-Off, Certification / Internal Control Report
• Analysis overviews with drill-down
• Reporting functionality
• Management reports
• Workflow-triggered sign-off supporting 404 reporting / 302 certification
• Validation of assessments
• Progress tracking and analysis

Attest and Report (Auditor)
• Review
• Attestation

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 41
Process Control 2.5 – Solution Overview

• Analytics: Work List
• Organization: Hierarchy; Account Groups/Assertions; Process Hierarchy; Control Objective Catalog; Entity-Level Controls Hierarchy
• Assessment: Surveys (Question Library, Survey Library); Manual Tests (Test Plans); Automated Testing (Rules, Queries); Scheduling
• Evaluation: Work List; Compliance (Assessments, Testing, Monitoring)
• Sign-off
• User: Roles; Delegation

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 42


PC 2.5 Innovation
Information Architecture and Organization Hierarchy

Improved productivity with new work center-based design approach

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 43


Control Framework and Organization Management

Structure Definition

Organizational Hierarchy (n-tier): Business Segment -> Region -> Division/Legal Entity -> Business Operation -> Location/Operating Unit
Account Hierarchy: Account Groups -> Significant Account -> Assertions
Process / Risk / Control Hierarchy: Compliance Category -> Process -> Sub process -> Risks/Control Objectives -> Controls -> Assertions

Attached to the hierarchies: Assessments; Control Tests (Manual/Auto); Remediation Case; Signoff Flow

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 44


SAP GRC Process Control – Convergence of Controls
Process Management and Continuous Controls Monitoring

Control cycle: Document (Process-Control-Objective-Risk) -> Test (Test Automated Controls, Test Manual Controls, Perform Assessments) -> Monitor (Review Exceptions, Remediate Issues) -> Certify (Certify and Sign-off: 302, Designs, ...), spanning Business Processes and IT Infrastructure.

• Single solution for end-to-end enterprise control management
• Provides centralized control management for automated and manual controls
  – Financial Controls
  – Operational Controls
  – IT Controls
• Enables management by exception
  – prioritizes remediation activities
  – provides management insight into the control environment

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 45


GRC Process Control - Single Solution for End-to-End Enterprise Control Management
GRC Repository

(Same control cycle graphic as on slide 45: Document -> Test -> Monitor -> Certify.)

• Rationalizes controls against multiple frameworks
• Link control documentation to manual and automated control tests
• Provides a flexible organization hierarchy
• Flexible integration framework for document management systems
• Single source of truth for reporting

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 46


Actionable Intelligence from Compliance Analytics

• Role-based dashboards provide actionable insight into control status
• Global heat map highlights exceptions from all control tests and assessments
• Management level reports highlight exceptions from all control tests and assessments
• Enterprise transparency across multi-instance and multi-platform environments

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 47


SAP GRC Process Control – Dashboard

• Control Execution Monitor provides latest information on deficiencies
• Inbox provides quick access to cases and tasks
• All information is organized in tabs
• Survey Monitor tracks sign-off and assessment surveys
• Control Monitor provides summarized information over time

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 48


Management Reports with Drill-Down

Drill-down capability provides details of the cases and case priority for each report.

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 49


SAP GRC Process Control: Centralized Control Management
Centralized Control Management

(Same control cycle graphic as on slide 45: Document -> Test -> Monitor -> Certify.)

• One system for managing automated and manual controls
• System can manage
  – Financial Control
  – Operational Controls
  – IT Controls
• Controls can be monitored across multiple enterprise systems
• Improve controls with regular assessments

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 50


Control Environment Setup

Example control hierarchy:
Process — Manage Financial Accounting
Subprocess — Perform Closing
Control — Prior period posting check
Risk — Manipulation of financial results
Objective — Accurate financial reporting

Setup steps: assignment of compliance information (financial and non-financial assertions); assignment of organizations; assignment of test plan and test step owners.

• Creates complete control environment, including organizations, business processes, sub processes, risks, objectives, test plans
• Creates and links both manual and automated control tests in a single application
• Selects controls that contribute to financial quantification of risk for executive reporting

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 51


SAP GRC Process Control: Centralized Control Management
Automated Process Controls

(Same control cycle graphic as on slide 45: Document -> Test -> Monitor -> Certify.)

• Detects global violations and prioritizes corrective action (automatic case generation)
• Apply same control to multiple organizations (version concept)
• Automatically monitors controls in multiple enterprise applications
• 80 Master controls were delivered

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 52


Three Ways to Monitor Automated Controls Across Critical Business Processes

• Select – Pre-delivered Test: pre-delivered tests with flexible rule criteria for SAP and Oracle
• Re-use – Custom Test: plug-and-play your existing test scripts
• Construct – Ad-hoc Test: create control tests on-the-fly with custom query builder

Covered business processes:
• Order to Cash: Order Capture, Order Fulfillment, Billing & Returns, Revenue Recognition
• Procure to Pay: Demand Planning, Operational Procurement, Inventory Management, Payables Management
• Reconcile to Report: Budgeting Planning, Sub ledger Transactions, Financial Close, Consolidation & Reporting
• IT: Basis, Application Security, Change Control

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 53


Order to Cash Sample Automated Control Monitoring

• Did the customer order exceed allowed thresholds?
• Were pricing or exchange rates adjusted?
• Were shipments made without proper sales documents?
• Were there changes to revenue accounts and posting tolerances?

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 54


Automatically Create & Test 1000's of Controls

Configuration, Master Data and Transaction Data: any form, tab or field can carry multiple controls:
• Check that control value exists
• Monitor changes to control
• Monitor change frequency
• Apply absolute value threshold
• Apply percentage threshold
• Hide / Disable / Query Only

Example (duplicate voucher control):
• Is the Duplicate Voucher flag turned ON?
• Have any duplicate vouchers been processed over the past 30, 60, 90 days?
• Has the duplicate Voucher control changed? How often?

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 55
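The duplicate voucher control described on the slide above (configuration flag check, change monitoring, and 30/60/90-day transaction queries), as an added Python example that is not SAP Process Control code; the configuration snapshots, invoice postings and field names are constructed for illustration.

```python
"""Automated control test in the style of the slide: check a configuration flag,
count how often it changed, and query transaction data for duplicate vouchers
over 30/60/90-day windows. All snapshots and postings below are constructed."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed configuration snapshots (oldest first), as a change monitor would keep them
CONFIG_HISTORY = [
    {"date": date(2007, 1, 15), "DUPLICATE_VOUCHER_CHECK": "ON"},
    {"date": date(2007, 3, 2), "DUPLICATE_VOUCHER_CHECK": "OFF"},
    {"date": date(2007, 3, 20), "DUPLICATE_VOUCHER_CHECK": "ON"},
]

# Constructed vendor invoice postings: (doc_no, vendor, reference, amount, posting_date)
INVOICES = [
    ("5000001", "V100", "INV-778", 1200.00, date(2007, 3, 5)),
    ("5000002", "V100", "INV-778", 1200.00, date(2007, 3, 9)),   # duplicate, 4 days apart
    ("5000003", "V205", "INV-12", 80.50, date(2007, 1, 20)),
    ("5000004", "V205", "INV-12", 80.50, date(2007, 3, 15)),     # duplicate, 54 days apart
    ("5000005", "V300", "INV-9", 450.00, date(2007, 3, 25)),
]

AS_OF = date(2007, 3, 31)  # constructed test run date


def config_value_exists(snapshot, key):
    """'Check that control value exists': the setting must be present and ON."""
    return snapshot.get(key) == "ON"


def config_change_count(history, key, since):
    """'Monitor changes / change frequency': number of times the flag flipped since `since`."""
    values = [h[key] for h in sorted(history, key=lambda h: h["date"]) if h["date"] >= since]
    return sum(1 for a, b in zip(values, values[1:]) if a != b)


def duplicate_vouchers(invoices, window_days, as_of):
    """Pairs of postings with identical vendor, reference and amount inside the
    lookback window; returns (vendor, reference, first_doc, second_doc) tuples."""
    start = as_of - timedelta(days=window_days)
    groups = defaultdict(list)
    for doc, vendor, ref, amount, posted in invoices:
        if start <= posted <= as_of:
            groups[(vendor, ref, round(amount, 2))].append((posted, doc))
    dupes = []
    for (vendor, ref, _amount), docs in groups.items():
        docs.sort()
        for (_d1, first), (_d2, second) in zip(docs, docs[1:]):
            dupes.append((vendor, ref, first, second))
    return dupes


def run_control(as_of, history=CONFIG_HISTORY, invoices=INVOICES):
    """One automated test run: configuration check plus 30/60/90-day queries.
    A remediation case would be opened whenever `passed` is False."""
    latest = max(history, key=lambda h: h["date"])
    flag_on = config_value_exists(latest, "DUPLICATE_VOUCHER_CHECK")
    changes = config_change_count(history, "DUPLICATE_VOUCHER_CHECK",
                                  as_of - timedelta(days=90))
    dupes = {w: duplicate_vouchers(invoices, w, as_of) for w in (30, 60, 90)}
    return {
        "flag_on": flag_on,
        "config_changes_90d": changes,
        "duplicates": {w: len(v) for w, v in dupes.items()},
        "passed": flag_on and changes == 0 and not dupes[90],
    }


if __name__ == "__main__":
    print(run_control(AS_OF))
```

With the constructed data the flag is ON today but flipped twice in the last 90 days, and two duplicate pairs fall inside the 90-day window, so the control fails even though the current configuration looks correct.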


Sample Automated Control Tests

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 56


SAP GRC Process Control: Centralized Control Management
Manual Control Testing

(Same control cycle graphic as on slide 45: Document -> Test -> Monitor -> Certify.)

• Streamlines manual controls and tests
• Provides manual test plans with detailed test steps and instructions
• Promotes timely performance with scheduled workflow and email notifications
• Documents evidence to support evaluation results
• Capture monetary risk quantification for failed tests

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 57


Manual Compliance Management –
Costly Effort to Coordinate Tasks

Compliance Team
• Create test plan
• Create documents and spreadsheets and save to local file servers
• Paper-based documentation, surveys for completion
• Consolidate results from multiple sources
• Open questions: What do we need to test? Who should perform the test?

Control Testers
• Receive test instructions via email
• Perform manual tests based on verbal instructions
• Open questions: Is this the right process? What am I supposed to do? Why is this important?

Management & Executives
• Open questions: Where do we stand? How can we improve?

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 58


Workflow Streamlines Manual Control Activities
Automated Notification and Guided Procedures Ensure Timeliness and Reliability

Compliance Team: document control and test plan; attach reference document and spreadsheet
Control Testers: follow guided procedure and perform test; report results and attach evidence
Management & Executives

• Automatic notification routes tasks to appropriate users
• Guided procedures and reference documents train users
• Complete audit trail of testing results and evidence

© SAP AG 2007, SAP Skills 2007 Conference / G3 / 59


SAP GRC Process Control: Convergence of Compliance Process Management and Continuous Controls Monitoring
Self Assessment

[Figure: the Process Control cycle (Document, Test, Monitor, Certify) with Perform Self-Assessments highlighted in the Test step.]

„ Flexible surveys to support design assessments and self-assessments
„ Assessments for process design, control design, entity-levels, and more
„ Promotes timely performance with scheduled workflow and email notifications
„ Reference information and instructions guide occasional users


Deploy Flexible Assessments

„ Flexible survey creation, scheduling, and routing
„ Handles assessments for process design, control design, entity-levels, and more
„ Reference information and instructions guide occasional users


Survey Management

[Screenshot] Survey reports provide drill-down to any cases generated.


SAP GRC Process Control – Management by Exception

[Figure: the Process Control cycle with the Monitor step (Review Exceptions, Remediate Issues) highlighted.]

„ Remediation Case Management
„ Detects global exceptions and prioritizes corrective action
„ Workflow-based notifications alert users to failed tests or assessments
„ Documents remediation activities and resolution
„ Dashboards and reporting provide actionable insight to exceptions


Accelerate Time to Resolution with Remediation Case Management

„ Automated prioritization focuses valuable resources on high-impact exceptions
„ Automated routing and notification ensures nothing falls through the cracks
„ Threaded discussion of resolution activities provides evidence for external auditors

[Figure: Deploy Automated Controls, Test Manual Controls and Perform Self-Assessments across Business Processes and IT Infrastructure, with a survey screenshot.]


Case Trail and Status Tracking During Case Remediation

[Screenshot: a remediation case linked to test results, with case trail and status tracking during case remediation.]

Resolution can be captured along with the case details for audit purposes.


SAP GRC Process Control — Convergence of Control Process Management and Continuous Controls Monitoring
Management Certification

[Figure: the Process Control cycle with the Certify step (Certify and Sign-off: 302, Designs, ...) highlighted.]

„ Section 302 and 404 certification
„ Business process review and approval
„ Freeze key information that has been signed-off
„ Hierarchical, bottom-up progression


Automatic Sign-Off Process

1 AR Billing, AR Collections: each sub process owner signs off
2 Order to Cash: process owner signs off
3 US Finance: lowest location signs off
4 US: higher location signs off
5 Corporate Signers: corporate signer(s) sign off
6 CEO/CFO: CEO/CFO sign off

„ Support section 302 certification
„ Freeze key information that has been signed-off
„ Hierarchical, bottom-up progression
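The six-level, bottom-up sign-off with freeze described above, as an added example in Python; this is not SAP GRC Process Control code. The level names come from the slide, while the signer user IDs, the data structure and the rule checks are assumptions.

```python
# Added example, not SAP GRC Process Control code: a minimal model of the
# hierarchical, bottom-up sign-off with freeze that the slide describes.
# The six levels and their names come from the slide; the signer user IDs,
# the data structure and the rule checks are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class SignOffError(Exception):
    """Raised when a sign-off or a change violates the process rules."""


@dataclass
class SignOffNode:
    name: str
    signer: str                                   # designated signer for this level
    children: List["SignOffNode"] = field(default_factory=list)
    information: Dict[str, str] = field(default_factory=dict)  # frozen after sign-off
    signed_by: Optional[str] = None

    @property
    def signed(self) -> bool:
        return self.signed_by is not None

    def update(self, key: str, value: str) -> None:
        """Change key information; rejected once this level is signed off (freeze)."""
        if self.signed:
            raise SignOffError(f"{self.name} is signed off; '{key}' is frozen")
        self.information[key] = value

    def sign_off(self, user: str) -> None:
        """Bottom-up progression: every lower level must already be signed."""
        if user != self.signer:
            raise SignOffError(f"{user} is not the designated signer for {self.name}")
        pending = [c.name for c in self.children if not c.signed]
        if pending:
            raise SignOffError(f"{self.name} cannot be signed; pending: {pending}")
        self.signed_by = user


def build_hierarchy() -> SignOffNode:
    """The six levels from the slide, leaf sub-processes first (signer IDs constructed)."""
    ar_billing = SignOffNode("AR Billing", "billing_owner")
    ar_collections = SignOffNode("AR Collections", "collections_owner")
    order_to_cash = SignOffNode("Order to Cash", "otc_owner", [ar_billing, ar_collections])
    us_finance = SignOffNode("US Finance", "us_finance_ctrl", [order_to_cash])
    us = SignOffNode("US", "us_country_cfo", [us_finance])
    corporate = SignOffNode("Corporate Signers", "corporate_signer", [us])
    return SignOffNode("CEO/CFO", "ceo_cfo", [corporate])


def find(root: SignOffNode, name: str) -> SignOffNode:
    """Depth-first lookup of a level by name."""
    stack = [root]
    while stack:
        node = stack.pop()
        if node.name == name:
            return node
        stack.extend(node.children)
    raise KeyError(name)


def run_certification(root: SignOffNode, order: List[Tuple[str, str]]) -> List[str]:
    """Apply (level, user) sign-offs in the given order and return one log line per
    step; stops at the first rule violation so nothing above it can be certified."""
    log: List[str] = []
    for name, user in order:
        try:
            find(root, name).sign_off(user)
            log.append(f"{name}: signed off by {user}")
        except SignOffError as err:
            log.append(f"REJECTED: {err}")
            break
    return log


if __name__ == "__main__":
    # Process owner tries to sign before the sub-process owners: rejected.
    print(run_certification(build_hierarchy(), [("Order to Cash", "otc_owner")]))
```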


SAP GRC Process Control – the Integrated Solution for Enterprise-Wide Management of Any Kind of Controls

Risk based approach
Cost reduction through automation
Automated case management → accelerated remediation process
Integrated solution → low TCO

Reduces RISKS and saves TIME and MONEY


SAP GRC PC 2.5 Architecture

GRC NWBC User Interface: WebDynpro Pages for Navigation; SAP Application Pages; BI Content Pages for Analytics; Portal Pages for Analytics

Process Control Plus (Java Stack): Cross-Platform Enablement; Automated Controls; Repository Interfaces; Savvion BPM/Workflow

SAP Services (ABAP Stack): Survey Assessments; Report Mart; Master Data; Audit Log; Testing; Object Level Security; Query Builder; Sign Off; …


SAP Solutions for GRC
Framework for an Integrated GRC-Solution

[Figure, layered from top to bottom: Business Process; SAP GRC Access Controls; Business Process Platform; Business Applications.]


Risk Management Today
No Transparency, Suboptimal Decision-Making

Risk Managers ask: "What is the status of our top risks?" and "What risks don't we know about?"
Lines of Business ask: "Am I on track to reach my goals?" and "Another assessment to fill out?"
Management & Executives ask: "Will we meet analyst / market expectations?" and "What are our top 10 risks?"

Typical responses today: brainstorm additional possibilities; ask for one-off input or response; send out MS Excels; workshop after workshop; siloed risk thinking; focus only on negative risks.


The Goal
Risk-Adjusted Management of Enterprise Performance

Executives
„ Risk in context of corporate strategy and performance
„ Understand true exposure resulting from risk correlation
„ Achieve proactive transparency

Lines of Business
„ Applications to mitigate top risks
„ Role-based best practice playbooks
„ Enable risk management innovation

Risk Managers
„ Automatic risk identification
„ End-to-end risk processes across the value chain
„ Become a driver of business change


SAP Solutions for GRC
Risk Management in a Leading Role

[Figure: the GRC-Suite with Risk Management on top of Access Controls, Process Controls, GTS, EH&S, REA, xEM, the SONA xApp and other Partner Solutions, all sharing the GRC-Repository (cross industry solution) on the Business Process Platform; External KRIs / SONA Provider Content feed in from outside.]


Risk Management Steps
Process Automation for the Virtuous Cycle

[Figure: a cycle of four steps]
„ Establish risk appetite and thresholds
„ Collaborate and aggregate across the enterprise
„ Actionable, role-based dashboards and alerts
„ Balance cost of risk avoidance and opportunity


Drive Consistency
Agreement on Top Risks, Thresholds, and Appetite

Create Risk and Activity Catalogs (Risk Catalog, GRC Repository)
„ What types of risks do we want to track?
„ Proposed risks based on activity type
„ Align risks to corporate goals
„ Customizable, pre-delivered content

Identify KRI Targets and Thresholds; Document Risk Appetite
Example: Supply chain continuity risk. KRI 1: Scrap Rates, threshold 5%. KRI 2: Supplier on-time delivery, threshold <95%.


Avoid Surprises
Identify and Assess All Key Risks Across the Enterprise

Automatically Identify Risks (SAP CRM example)
„ Embedded into key business processes
„ Workflow delivers assessments to experts

Collaborative Assessments for Manual Risk Activities
„ Qualitative & quantitative point and scenario analyses
„ Analyses done before and after response
„ Workflow reminders for updates

Prioritization using Risk Heat Map
„ Prioritization for response investment
„ Identifying shifts in the risk profile


Respond Intelligently
Create Resolution Strategies for Critical Risks

Spot Risk Interdependencies
[Figure: correlation between "Indirect Global Taxes" and "New Global Suppliers" across Finance, Supply, Sales, IT, ...]

Enabling Lines of Business to Effectively Mitigate Risks
Top Industry Risks                     Solution
Mismatch of Demand with Supply         xSOP
Employee health and safety             EH&S
Non-compliance with emissions          xEM
Production disruptions                 EAM
Supplier disruptions                   SRM/xSA
Non-compliance with RoHS/WEEE          CfP
Non-compliance to Fin Regulations      GRC

Best Practice Response Playbooks
[Figure: for a risk such as Merger / Acquisition, Lessons Learned and Loss Event Tracking feed a self-learning loop that proposes risk responses and measures response effectiveness.]


Stay Informed
Build Proactive Monitoring Into Existing Business Processes

Executive and Risk Manager Dashboards

Set Control Limits Based Upon Associated Risk
„ Regulatory checklist approach has led to over-controlling and under-controlling many processes
„ Set controls based upon the level of risk associated with each business process

Capture Incidents and Losses
„ Learn from previous experiences
„ Incorporate into response playbook


We Drink Our Own Champagne
SAP Risk Management Drives Excellence at SAP AG

A sustainable business benefit…

"IT matters in achieving good governance as it helps in becoming a better run business. It can enable companies to move beyond pure compliance towards a sustainable business benefit."
Werner Brandt, CFO SAP AG. Event: The 4th Boardroom Series Breakfast Meeting Shanghai, June 12, 2006

… a part of management excellence

"In an ever changing world – economy, partners, and customers – management excellence is required to react positively and therefore fast to any changes. Risk Management is clearly a part of management excellence."
Hans Peter Klaey, President SAP Asia Pacific


Why SAP GRC Risk Management?

Automatic Risk Identification and Monitoring Across the Enterprise

Enabling Lines of Business to Mitigate Top Industry Risks
Top Industry Risks                     Solution
Mismatch of Demand with Supply         xSOP
Employee health and safety             EH&S
Non-compliance with emissions          xEM
Production disruptions                 EAM
Supplier disruptions                   SRM/xSA
Non-compliance with RoHS/WEEE          CfP
Non-compliance to Fin Regulations      GRC

Risks in Context of Strategy and Objectives
[Figure: Strategy, Planning, Management]


SAP Solutions for Governance, Risk and Compliance

„ Single, holistic and integrated approach for managing governance, risks and compliance
„ Deliver enterprise predictability and quality of operations: “No Surprises”
„ Reduce the cost of compliance and free resources for innovation
„ Improve performance by proactive risk management
„ Prevent fraud, bribery and corruption
„ Increase confidence of stakeholders


SAP Solutions for GRC – Access Control

[Figure: thirty reference customers shown as logos, each with its number of users; the user counts range from 4,200 to 100,000+.]


Summary

„ Market leader
„ Real-time Prevention
„ Cross system
„ Integrated end-to-end solution


Contact

Rainer Salaw, CPA
CFO Solution Sales EMEA
Governance, Risk & Compliance
SAP Deutschland AG & Co. KG

Phone +49 (811) 5545-225
Mobile +49 (0170) 2200125
Rainer.Salaw@sap.com
http://www.sap.com/financials


SAP ERP Financials
SAP Solutions for
Governance, Risk, and
Compliance and
SAP GRC Access Control

Barbara Mayer
Enterprise Risk Management,
SAP Consulting

AGENDA

The Access Control Suite: An Overview

The SOD Management Process

Project Organization

The Fast Track to SAP Knowledge
Client Issues

„ Negative Sarbanes-Oxley Audit Results

„ Segregation of Duties / Excessive Access

„ Security Administration Process

„ Internal Controls Repository

„ Maintaining a clean environment

„ ERP Upgrades

„ Escalating help desk costs

„ Change management

„ SOX awareness/responsibility



GRC - Governance

Corporate Governance:
„ Ethical corporate behavior together with management practices in the creation of wealth for all stakeholders
„ Spells out the rules and procedures for making decisions on corporate affairs

IT-Governance:
„ Helps to ensure the alignment of IT and enterprise objectives
„ IT resources are used responsibly and their risks are managed properly


GRC - Risk Management

Risk Management
„ Identify, classify, document and reduce risks to an acceptable level based on the value of the information resource to the organization
„ Risk is a result of three different parameters:
– Existence of a threat for a business process
– Likelihood of occurrence
– Impact for the business process

[Figure: RISK as the combination of THREAT, LIKELIHOOD and IMPACT]


GRC - Compliance

Acting according to:
„ National and international legal requirements
– Sarbanes-Oxley-Act (US)
– Data Protection Law (Germany)
– J-SOX (Japan) ...
„ Corporate policies representing the corporate philosophy and the strategic thinking on a high level
„ Low-level policies focusing on the operational layer

Policies need to be in sync with the overall business strategy and legal requirements.


Benefit: Collaboration Within the Company

Owner; key area: what GRC Access Control provides

Business Users
  Risk Identification and Elimination: analysis and elimination of potential access risks and actual risks; real-time check and assignment of detective and preventive controls
  Role Design and Management: risk-preventive role design to address the root of a problem
  Compliant User Provisioning: efficient user provisioning and de-provisioning from hire to retire
  Privileged User Access: auditable superuser privilege management

IT Security
  Collaboration between Business and IT: enabling business to take accountability for access

Management Oversight
  Periodic Access Review: review of roles, users and mitigation controls by using automated reporting views

Internal Audit
  Audit Cycle Management: provide documentation to help validate that the business team is following the control process


Interdependencies GRC Access Controls

[Figure: Compliance Calibrator with Risk Terminator sits in the middle as the Risk Analysis Engine (Critical Transactions, SoD Analysis, Risk Analysis for simulation, Role Information, Workflow). Firefighter, Role Expert (Work Flows for role approval) and Access Enforcer all rely on it.]


Best Practice Road Map GRC Access Controls

Installation
„ Installation and configuration of Compliance Calibrator and Risk Manager
„ Firefighter comes with the RTAs (+BC Sets)
„ Later install and configure Access Enforcer and Role Expert

Implementation
[Figure, in sequence: Compliance Calibrator with Risk Terminator; Firefighter; Access Enforcer; Role Expert]

This Road Map ensures the fastest implementation together with optimal change management.


AGENDA

SOD Management Process Overview

Risk Recognition
Rule Building
Analysis and Remediation
Mitigation
Continuous Compliance

The Fast Track to SAP Knowledge
SoD Management Process: Get Clean & Stay Clean

SOD Risk Management Process
Phase One: 1 Risk Recognition; 2 Rule Building and Validation
Phase Two: 3 Analysis; 4 Remediation; 5 Mitigation
Phase Three: 6 Continuous Compliance

Although every business and every system is unique, each implementation follows the same risk-based “Best Practice” methodology, which has been proven at many customer sites.


Roles and Responsibilities

Business Process Owners
„ Identify risks and/or approve risks for monitoring
„ Approve remediation involving user access
„ Design controls for mitigating conflicts
„ Communicate access assignments or role changes
„ Perform proactive continuous compliance

Senior Officers
„ Approve/Reject risks between business areas
„ Approve mitigating controls for selected risks

Security Administrator and Technical Liaisons
„ Ownership of SAP GRC tools and security process
„ Design and maintain rules to identify risk conditions
„ Customize SAP GRC roles to enforce roles and responsibilities
„ Analysis and remediation of SoD conflicts at role level

Auditors & Regulators
„ Perform risk assessment on a regular basis
„ Provide specific requirements for audit purposes
„ Perform periodic testing of rules and mitigating controls
„ Act as liaison between external auditors

SoD Rule Keeper
„ Responsible for SAP GRC tool configuration and administration
„ Maintain controls over rules to ensure integrity
„ Act as liaison between basis and SAP GRC Support Center


Phase One: Risk Recognition

[Phase strip: step 1 of 6 (Risk Recognition) highlighted; the six steps are Risk Recognition, Rule Building and Validation, Analysis, Remediation, Mitigation, Continuous Compliance]

RISK RECOGNITION
„ Identify conflicts and approve exceptions
„ Clarify and classify risk – high, medium, low
„ Identify new risks and conditions for monitoring in the future


Segregation of Duties

John can create sales orders and issue credit memos.
Risk! Gives someone the access to create a sales order, generating fraudulent revenue, and then reverse the revenue in a subsequent period by issuing a credit memo.

Sandy can create vendor master records and process accounts payable payments.
Risk! Gives someone the access to create a fictitious vendor and generate fraudulent payments to the vendor.


Risk Recognition: Business Process Owners

The Business Process Owners should do the following:
„ Document business risk and prepare a risk statement
„ Cross-reference the risk statement with the risks provided with Compliance Calibrator
„ Assign Risk Levels


Risk Recognition: Example SOD Risk

Risk: Maintain a non bona-fide bank account and divert incoming payments to it.

Function 1:
F-04 Post with Clearing
F-06 Post Incoming Payments
F-26 Incoming Payments Fast Entry
F-28 Post Incoming Payments
F-29 Post Customer Down Payment
F-30 Post with Clearing
F-36 Bill of Exchange Payment
F-39 Clear Customer Down Payment
F-40 Bill of Exchange Payment
F-52 Post Incoming Payments
FBA2 Post Customer Down Payment
FBZ1 Post Incoming Payments
FBZ3 Incoming Payments Fast Entry

Function 2:
FI01 Create Bank
FI02 Change Bank
FI06 Set Flag to Delete Bank

Conflicting transactions are grouped into functions.


Risk Recognition: Example Critical Transactions

Examples of security critical basis transactions:

SA38 Execute ABAP Reports
SE01 Transport Organizer
SE06 Transport Organizer
SE09 Transport Organizer
SE11 ABAP Dictionary
SE16 Table Maintenance
SE36 Logical Database Builder
SE37 ABAP Function Modules
SE41 Menu Painter
SM30 Table Maintenance
SQ00 SAP Query: Start queries
SU12 Delete ALL users
SUB% Internal call: Submit via command fld
...


Risk Recognition: SAP GRC Risk Database

„ Over 200 risk groups, validated by Big 4 auditors at 400+ customers, e.g. Order to Cash, Procure to Pay, Financial Accounting, HR/Payroll, APO, CRM, EBP/SRM, Basis…
„ Business language
„ SAP: results in over 180,000 SoD object-level rules
„ Rules at the authorization object level eliminate false positives
„ Automated rule building reduces time for implementation


Phase One: Rule Building and Validation

[Phase strip: step 2 of 6 (Rule Building and Validation) highlighted]

RULE BUILDING AND VALIDATION
„ Reference best practices rules for your environment
„ Validate rules
„ Customize rules, then test
„ Verify against test user/role cases


Rule Architect Overview



Rule Structure – The Full Picture

Rule Set A: “Global”
  Business Process “Order to Cash”
    Risk A: “Enter sales documents and lower prices for fraudulent gain.”
      Function 1: „Sales Order Agreements“, Actions/Permissions in SAP ERP
      Function 2: „Sales Pricing Maintenance“, Actions/Permissions in SAP ERP
  Business Process “Purchase to Pay”
    Risk B: “User is able to maintain vendor master data and initiate payment runs.”
      Function 3: „Vendor Master Maint.“, Actions/Permissions in SAP ERP
      Function 4: „Process Vendor Invoices“, Actions/Permissions in SAP ERP
  Business Process “n”
    Risk C: “User is able to ....”
      Func. 5: Actions/Permissions in SAP ERP


Rule Building: Step One

1. Create a Business Process. Examples: Procure to Pay, Order to Cash, Finance and Controlling
2. Define a Rule Set ID and Description. Example: Global Rule Set
3. Create Functions for the Business Process. Assign Actions and Permissions to the Function
4. Create a Risk for the Business Process. Assign Conflicting Functions; assign to a Rule Set


Rule Building: Create Functions

[Screenshot: function maintenance, showing functions GL01 and GL02]


Rule Building: Create Risks



Standard Rule Set

SAP rules in the standard Rule Set include:
„ ERP
  – Basis
  – Finance
    - General Ledger Accounting
    - Fixed Assets
    - Project Systems
  – HR / Payroll
  – MM / PP / QM
  – Order to Cash
  – Procure to Pay
„ SRM / EBP
„ CRM
„ Consolidation
„ APO


Phase Two: Analysis

[Phase strip: step 3 of 6 (Analysis) highlighted]

ANALYSIS
„ Run analytical reports
„ Estimate cleanup efforts
„ Analyze roles and users
„ Modify rules based on analysis
„ Set Alerts to distinguish executed risks


Management View Reports



Risk Analysis Reports



Phase Two: Remediation

[Phase strip: step 4 of 6 (Remediation) highlighted]

REMEDIATION
„ Determine alternatives for eliminating risks
„ Present analysis and select corrective actions
„ Document approval of corrective actions
„ Modify or create roles or user assignments


Remediation Strategy

„ Analyze report results to determine the extent of remediation efforts
„ Discuss potential remediation methodologies that are appropriate to address the security violations identified
„ Remediation exercise
„ Perform walkthroughs of the remediation strategies using live examples


Phase Two: Mitigation

[Phase strip: step 5 of 6 (Mitigation) highlighted]

MITIGATION
„ Determine alternative controls to mitigate risk
„ Educate management about conflicts approval and monitoring
„ Document a process for monitoring mitigation controls
„ Implement controls


Mitigating Controls Are Required when Remediation Fails

Mitigating controls are required when it is not possible to segregate duties within the business process.

E.g. within a small office one person has to take over two roles within the business process, which leaves an SoD conflict that cannot be remediated.

Examples for Mitigating Controls are:
„ Release strategies / Authorization limits
„ Review of user logs
„ Review of exception reports
„ Detailed variance analysis
„ Establish insurance


Firefighter – A Key Mitigation Control

What is Firefighter?
„ Firefighter allows super users to perform emergency activities outside their normal role within a controlled and auditable environment.
„ All activities of the user accessing the higher authorization privileges will be reported
„ Firefighter will generate an audit trail, which can be used to document the reasons for using higher access privileges
„ Audit trail is required for SoX compliance
„ Monitoring logs must be analysed promptly and frequently!


Firefighter Business Scenarios

Compliant controls for emergency access
„ Users assigned to specific firefighting IDs with defined authorizations and validity dates
„ Separate login is required as well as documentation regarding reason for use
„ Can only be used by one user at a time

Auditable Support-Access
„ Gives the customer full control over external support activities

Mitigation Control
„ Logs critical business activities a user is performing as FireFighter
„ Helps to resolve SOD issues without the involvement of extra staff


The Process

Firefighter
1 Role Setup
2 Document Why Needed
3 Audit Log
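The Firefighter controls listed above (assigned users with validity dates, a documented reason, one user at a time, and timely review of the audit log) turned into a log-review check, as an added example in Python that is not SAP's Firefighter code. The session fields, IDs and the 7-day review window are assumptions; the log lines are constructed.

```python
# Added example, not SAP Firefighter code: review checks over a constructed
# firefighter session log, covering the controls the slides name (assigned
# user, validity dates, documented reason, one user at a time, timely log
# review). Field names, IDs and the 7-day review window are assumptions.
from datetime import datetime, timedelta
from typing import Dict, List


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed assignment data: which users may use a firefighter ID, and when.
ASSIGNMENTS: Dict[str, dict] = {
    "FF_FI_01": {"users": {"jdoe", "asmith"},
                 "valid_from": _ts("2007-01-01 00:00"),
                 "valid_to": _ts("2007-12-31 23:59")},
}

# Constructed session log, one entry per check-out of a firefighter ID.
SESSIONS: List[dict] = [
    {"ffid": "FF_FI_01", "user": "jdoe", "start": "2007-03-01 09:00",
     "end": "2007-03-01 10:00", "reason": "Unblock payment run, ticket 4711", "reviewed": True},
    {"ffid": "FF_FI_01", "user": "asmith", "start": "2007-03-01 09:30",
     "end": "2007-03-01 11:00", "reason": "Month-end correction", "reviewed": True},
    {"ffid": "FF_FI_01", "user": "bjones", "start": "2007-03-02 08:00",
     "end": "2007-03-02 08:30", "reason": "Support", "reviewed": False},
    {"ffid": "FF_FI_01", "user": "jdoe", "start": "2008-01-05 08:00",
     "end": "2008-01-05 09:00", "reason": "", "reviewed": False},
]

REVIEW_WINDOW = timedelta(days=7)   # assumption: a log must be reviewed within a week


def review_firefighter_log(sessions: List[dict], assignments: Dict[str, dict],
                           as_of: str) -> List[str]:
    """Return one finding per violated control; an empty list means the log is clean."""
    now = _ts(as_of)
    findings: List[str] = []
    for s in sessions:
        start, end = _ts(s["start"]), _ts(s["end"])
        tag = f"{s['ffid']}/{s['user']}@{s['start']}"
        asg = assignments.get(s["ffid"])
        if asg is None or s["user"] not in asg["users"]:
            findings.append(f"{tag}: user not assigned to this firefighter ID")
        elif not (asg["valid_from"] <= start and end <= asg["valid_to"]):
            findings.append(f"{tag}: session outside the ID's validity period")
        if not s["reason"].strip():
            findings.append(f"{tag}: no reason documented")
        if not s["reviewed"] and now - end > REVIEW_WINDOW:
            findings.append(f"{tag}: log not reviewed within {REVIEW_WINDOW.days} days")
    # One user at a time: two sessions on the same ID must not overlap.
    by_id: Dict[str, List[dict]] = {}
    for s in sessions:
        by_id.setdefault(s["ffid"], []).append(s)
    for ffid, group in by_id.items():
        group.sort(key=lambda x: _ts(x["start"]))
        for prev, cur in zip(group, group[1:]):
            if _ts(cur["start"]) < _ts(prev["end"]):
                findings.append(f"{ffid}: concurrent use by {prev['user']} and "
                                f"{cur['user']} at {cur['start']}")
    return findings


if __name__ == "__main__":
    for finding in review_firefighter_log(SESSIONS, ASSIGNMENTS, "2008-02-01 00:00"):
        print(finding)
```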


Phase Three: Continuous Compliance

[Phase strip: step 6 of 6 (Continuous Compliance) highlighted]

CONTINUOUS COMPLIANCE
„ Communicate changes in roles and user assignments
„ Simulate changes to roles and users
„ Implement Alerts to monitor for new selected risks and mitigating control testing


Continuous Compliance

1. Use Simulation for ongoing preventive compliance
a. New role or change request
b. New user or user change request

2. Use the integration capabilities of Role Expert, Access Enforcer, and Risk Terminator to prevent SoD violations from being incorporated during day-to-day operation and security maintenance

3. Perform regular maintenance activities to ensure that rules are complete and accurate
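An added example in Python, not Compliance Calibrator or Access Enforcer code, that ties together the rule structure shown earlier (rule set, business process, risk, conflicting functions, actions) and the simulation step above: it evaluates a user's actions against the risks, flags risks covered by a mitigating control, and simulates a requested role assignment before it is provisioned. The bank/payment risk and its transaction codes come from the example SOD risk slide; XK01, XK02 and F110 are standard SAP transaction codes not shown on the slides; role, user and control IDs are constructed.

```python
# Added example, not Compliance Calibrator or Access Enforcer code: a small
# SoD analysis over the rule structure the deck describes (rule set, business
# process, risk, conflicting functions, actions). It evaluates a user's
# actions, marks risks covered by a mitigating control, and simulates a
# requested role assignment before provisioning. The bank/payment risk and its
# transaction codes come from the slides; XK01, XK02 and F110 are standard SAP
# transaction codes not shown on the slides; role, user and control IDs are
# constructed.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Function:
    id: str
    description: str
    actions: FrozenSet[str]        # transaction codes that perform this function


@dataclass(frozen=True)
class Risk:
    id: str
    description: str
    level: str                     # high / medium / low
    functions: Tuple[str, ...]     # conflicting functions; holding ALL of them is the risk


@dataclass
class RuleSet:
    name: str
    business_process: str
    functions: Dict[str, Function] = field(default_factory=dict)
    risks: List[Risk] = field(default_factory=list)


def build_rule_set() -> RuleSet:
    """Constructed rule set: the slide's bank/payment risk plus a vendor/payment risk."""
    rs = RuleSet("Global", "Order to Cash / Procure to Pay")
    rs.functions["AR01"] = Function("AR01", "Post incoming payments", frozenset(
        {"F-04", "F-06", "F-26", "F-28", "F-29", "F-30", "F-36", "F-39",
         "F-40", "F-52", "FBA2", "FBZ1", "FBZ3"}))
    rs.functions["BK01"] = Function("BK01", "Maintain bank master", frozenset({"FI01", "FI02", "FI06"}))
    rs.functions["VM01"] = Function("VM01", "Maintain vendor master", frozenset({"XK01", "XK02"}))
    rs.functions["AP01"] = Function("AP01", "Run vendor payments", frozenset({"F110"}))
    rs.risks.append(Risk("B001", "Maintain a non bona-fide bank account and divert "
                         "incoming payments to it", "high", ("AR01", "BK01")))
    rs.risks.append(Risk("P001", "Create a fictitious vendor and generate fraudulent "
                         "payments to the vendor", "high", ("VM01", "AP01")))
    return rs


def functions_held(rs: RuleSet, actions: Set[str]) -> Set[str]:
    """A function is held when the user can execute at least one of its actions."""
    return {f.id for f in rs.functions.values() if f.actions & actions}


def analyze(rs: RuleSet, actions: Set[str], mitigations: Set[str] = frozenset()) -> List[dict]:
    """One finding per violated risk; a risk with an assigned mitigating control
    is still reported, but flagged so the review can treat it as accepted."""
    held = functions_held(rs, actions)
    return [{"risk": r.id, "level": r.level, "functions": list(r.functions),
             "mitigated": r.id in mitigations}
            for r in rs.risks if all(fid in held for fid in r.functions)]


def user_actions(roles: Dict[str, Set[str]], assigned: List[str]) -> Set[str]:
    """Union of the transaction codes granted by the user's roles."""
    return set().union(*(roles[r] for r in assigned))


def simulate_assignment(rs: RuleSet, roles: Dict[str, Set[str]], assigned: List[str],
                        new_role: str, mitigations: Set[str] = frozenset()) -> List[dict]:
    """Preventive check before provisioning: only the risks the new role would add."""
    before = {f["risk"] for f in analyze(rs, user_actions(roles, assigned), mitigations)}
    after = analyze(rs, user_actions(roles, assigned + [new_role]), mitigations)
    return [f for f in after if f["risk"] not in before]


# Constructed roles: role name -> transaction codes it grants.
ROLES: Dict[str, Set[str]] = {
    "Z_AR_CLERK": {"F-28", "F-26", "FBZ1"},
    "Z_BANK_ADMIN": {"FI01", "FI02"},
    "Z_AP_CLERK": {"F110"},
    "Z_VENDOR_MAINT": {"XK01", "XK02"},
}

if __name__ == "__main__":
    rs = build_rule_set()
    print(analyze(rs, user_actions(ROLES, ["Z_AR_CLERK", "Z_BANK_ADMIN"])))
    print(simulate_assignment(rs, ROLES, ["Z_AR_CLERK"], "Z_BANK_ADMIN"))
```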


Continuous Compliance: User Access Management

Enables compliant end-to-end provisioning “hire to retire”

Current approach – inefficient, not compliant:
[Figure: Access e-mail request → Manager e-mail approval → Role owner (spreadsheets, paper forms) → IT security (spreadsheets, paper forms) → Manual provisioning]


Continuous Compliance: What Is Access Enforcer?

Access Enforcer is an automated user request, approval, and compliant provisioning solution that is web-based and workflow configurable with proactive SoD compliance checking.

ACCESS ENFORCER PROCESS OVERVIEW
[Figure: User Role Requests + Access Enforcer + Human Resources System → User Provisioning to SAP systems (Financial System, CRM System, Payroll System)]


Access Enforcer – Real Time Risk Simulation Results



Workflow Results

What can be accomplished after a workflow is finished:
„ Create User in SAP
„ Assign Roles in SAP
„ Change Role Assignment
„ Lock User in SAP
„ Unlock User in SAP
„ Delete User in SAP
„ Create and Assign Mitigation
„ Send Notifications

If the auto-provisioning feature is configured to “yes,” the first six items can be automatically completed by AE. Otherwise the security approver must complete the provisioning in SAP manually.


AGENDA

The Access Control Suite: An Overview

SAP CC: The SOD Management Process

Project Organization

The Fast Track to SAP Knowledge




Service Levels

SAP Consulting offers the following service scenarios:
„ Basic service
– The customer nominates and empowers a project manager and an implementation
team of its own. As the project manager is qualified but lacks experience in
implementing the GRC system, project management assistance (PMA) from SAP
Consulting ensures, via checks on pre-defined focus topics at pre-defined project
stages, that the GRC Access Controls project is delivered on time, within budget
and according to the defined scope.
„ Extended service
– Based on scoping workshops, Mainova can order extended service.
„ Full service
– If the customer lacks resources, a full service can be ordered. An individual
effort estimation is required.



Packaged Solutions Model Access Controls

Packaged Solutions Step 1

Package: GRC Assessment
„ Brief: AS-IS Analysis and Evaluation
„ Value proposition: Identification of strategic GRC focus areas; focus for the roadmap
„ Project team: SAP + Client
„ Effort: 6 days Consulting *)
„ Duration: > 2 weeks
„ Deliverables: Basic Analysis / Entry Risk Assessment; Management Letter; Roadmap; Entry Business Case; Recommendations

Package: GRC Risk Analysis Entry
„ Brief: Risk Analysis based on standard rules
„ Value proposition: Identification of improvement potential based on risk potential; hands-on approach
„ Project team: SAP + Client
„ Effort: 1 d Tech Cons. + 1 d Cons. *)
„ Duration: 1 week
„ Deliverables: Risk Analysis Workshop; Risk Analysis based on standard SOD matrix; Risk Report by User/Roles

Package: GRC Compliance Calibrator
„ Brief: Basic Implementation GRC Compliance Calibrator
„ Value proposition: Cost efficient way to implement GRC CC, using the implementation expertise of SAP as project management guidance
„ Project team: SAP + Client
„ Effort: 12 d Cons. + 5 d Tech Cons. *)
„ Duration: > 6 weeks
„ Deliverables: License GRC Access Controls; installation on one Development and one Quality System; Basic Configuration; Know-How Transfer (Coaching) for System Administrator; Project Management Coach for GRC CC Implementation

*) + Client effort

Packaged Solutions Model Access Controls

Based on Step 1 the following packages can be implemented:

Package: GRC Firefighter
„ Brief: GRC Firefighter enablement
„ Value proposition: Fast and cost efficient way to implement GRC Firefighter, the compliant answer to SAP_ALL and other emergency accesses
„ Project team: SAP + Client
„ Effort: 1 d Tech Cons. + 4 d Cons. *)
„ Duration: > 1 week
„ Deliverables: Installation of Firefighter on one Development and one Quality Assurance System; Basic Configuration; Know-How Transfer (Coaching); Template FF; Recommendations

Package: GRC Access Enforcer
„ Brief: GRC Access Enforcer enablement
„ Value proposition: Fast and cost efficient way to implement audit-proof access granting; building up in-house expertise using SAP expertise
„ Project team: SAP + Client
„ Effort: 2 d Tech Cons. + 10 d Consulting *)
„ Duration: > 3 weeks
„ Deliverables: Installation of Access Enforcer on one Development and one Quality Assurance System; Basic Configuration; Know-How Transfer (Coaching); audit-proof Workflow Design (max. 2 WF); Create/Change/Delete 5 test users

*) + Client effort


Project Plan – Full Service

Phases, in sequence:
„ Project Setup
„ Installation / Architecture
„ Risk Recognition
„ Rule Building and Validation
„ Analysis
„ Remediation & Mitigation
„ UAT and Review / Documentation
„ Go-Live
„ Project Closing

Training on the Job / Coaching / Testing runs alongside all phases.
Support timeline: Start, Full Support up to Go-live, then Exemplary Support.


Project Organization – Full Service

„ Steering Committee
„ Project Managers: PM(A) SAP and PM Customer
„ Business Process Owners
„ Audit
„ Key Users


Required Availability of Resources

Project role                               Required availability
Project Executive Sponsor                  Sponsorship + steering
Project Steering Committee                 Once per month
Customer Project Manager                   High
Business Process Owner                     Min
Business Process Team Member (key user)    Medium
Technical Team                             High

Min = On requirement
Medium = 1-2 days per week
High = 3-4 days per week
Questions?



Copyright 2007 SAP AG. All Rights Reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be
changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, System i, System i5, System p,
System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are
trademarks or registered trademarks of IBM Corporation.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, and other SAP products and services mentioned herein as well as their respective logos are
trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of
their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior
written permission of SAP AG.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments,
and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this
document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items
contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability,
fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This
limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in
these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.

