Mitigating SoD Violations

2 hours

Mitigating SoD Violations| TESORO CONFIDENTIAL 2


Course Agenda

Course Introduction

SoD Overview

Identification of Appropriate Mitigation

Mitigating Control Groups

Course Summary



Introductions

Before we proceed with the course, let’s take some time to get to know each other.
Tell us:
• Your name
• Your business unit department
• Your expectations from this session
• An interesting fact about yourself



Safety and Logistics

• Exit Locations
• No calls
• Start and Finish Time
• Facilities


Key Terms

Governance, Risk, and Compliance (GRC)
GRC refers to taking an integrated, enterprise-wide approach to Governance, Risk, and Compliance. It is transformational and addresses the people, process, and technology enhancements needed to achieve risk intelligence. GRC also refers to the name of the SAP application Tesoro uses to process Segregation of Duties (SoD) analysis.

Segregation of Duties (SoD)
SoD is a primary internal control designed to prevent or decrease the risk of fraud and errors or irregularities in financial reporting by ensuring that no single individual has authority to execute two or more conflicting transactions.

Mitigating Controls
Mitigating Controls are the SOX controls used to prevent or detect possible error or fraud if a user requires access that causes an SoD conflict.

Mitigating Control Group
A Mitigating Control Group is a unique identifier for all the SOX Controls that appropriately mitigate a particular SoD violation within a business role.

SoD Rule Set
The SoD Rule Set maintained in GRC is the comprehensive list of all combinations of transactions/functions that will cause SoD violations if obtained by a single user in and between systems.

SoD Violation (SoD Conflict)
An SoD violation is an occurrence of user access comprised of a combination of transactions/functions that pose a risk and are contained in the SoD Rule Set.

Business Roles
A business role is an enterprise level security role in GRC that is assigned to one or more users which corresponds to their job and provides them with all the functional access they need in multiple systems. An example of a business role is “AP Clerk”.


Course Overview

Course Description
This course explains the process of handling SoD
violations in SAP HANA S4.

Course Prerequisites
None



Course Objectives

Upon completing this course, you will be able to:


• Describe SoD and its benefits
• Explain the importance of SoD in SOX Compliance
• Describe the high-level process flow for mitigating
an SoD violation in GRC
• Explain the various SoD risk levels and stakeholder
roles in mitigating the identified risks
• Create and assign a mitigating control group in GRC by
SAA team
• Approve a new mitigating control group request in GRC
by Risk Owners
• Approve a new mitigating control group assignment for
a specific SoD violation in GRC by the SOX team





Module Objectives

Upon completing this module, you will be able to:


• Describe SoD and its benefits
• Explain the importance of SoD in SOX Compliance
• Describe the high-level process flow for mitigating
a control in GRC
• Explain the various SoD risk levels and stakeholder
roles in mitigating the identified risks



SoD Overview

SAP GRC Access Control helps organizations to automatically detect, manage, and prevent
access risk violations and reduce unauthorized access.
SoD is a primary internal control designed to prevent or decrease the risk of fraud and
errors or irregularities in financial reporting by ensuring that no single individual has
authority to execute two or more conflicting transactions.



Why is SOX Compliance Required?

SOX is a U.S. federal law applicable to all public U.S. companies. SoD is a key part of
achieving Sarbanes Oxley (SOX) Compliance. Any SoD violations that exist for users in SAP
and other select systems need to be mitigated in GRC Access Control by SOX controls
stored in GRC Process Controls.

SOX introduced major changes to the regulation of corporate governance and financial practice.

It is arranged into eleven titles, six of which are the most relevant to compliance:

• Corporate Responsibility for Financial Reports
• Disclosures in Periodic Reports
• Management Assessment of Internal Controls
• Real Time Issuer Disclosures
• Criminal Penalties for Altering Documents
• Corporate Responsibility for Financial Reports and Criminal Penalties

Its purpose is to ensure that financial statements are accurately reported. Failure to comply with SOX results in penalties that include fines and imprisonment.


SoD Key Value Drivers

SoD, as a primary internal control, brings the following benefits:

• Asset Safeguarding
• Reduction in the cost of fraud and other internal control failures
• Reduction in the risk of non-compliance


SoD Risk Levels

SoD Risks are classified into the following levels:

Critical
This risk level is applicable to SoD Risks that cannot be allowed because they create opportunity for severe financial misstatement or fraudulent activity affecting the company. Any SoD Risks at this level are prohibited, therefore no end user can be allowed the combination of access that creates these risks in production unless granted by exception through GRC Firefighter. The control for SoD Risks at this level is preventive because it prohibits user assignment of the combination of access causing these risks.

High
This risk level is applicable to SoD Risks that are only allowed at the discretion of the Risk Owner with careful consideration for all business implications because they create opportunity for significant financial misstatement or fraudulent activity affecting the company. Any SoD Risks at this level must be mitigated with the appropriate SOX Controls in order to assign the combination of access that creates these risks in production. The controls for SoD Risks at this level are detective because they are reviewed and investigated for suspicious activities after they have occurred.

Low
This risk level is applicable to SoD Risks that are allowed at the discretion of the Risk Owner with moderate consideration for all business implications because they create minimal opportunity for financial misstatement or fraudulent activity affecting the company. Any SoD Risks at this level are not required to be mitigated with SOX Controls in order to assign the combination of access that creates these risks in production. The control for SoD Risks at this level only exists to the extent deemed applicable by the Risk Owner but will not be required for SOX compliance.
Mitigating Control Process Flow

The high-level process flow for mitigating a control is illustrated below (swimlane diagram with three lanes: SAA Team, Risk Owner, and Mitigating Control Owner (SOX Team); the system in which each step is performed, GRC or ERP, is shown with the step).

1. SAA Team: an unmitigated risk for a role/user is received (GRC).
2. SAA Team: review the risk and coordinate a meeting with the Risk Owner and Control Owner; the Risk Owner and the Mitigating Control Owner participate in risk remediation.
3. Mitigation? If No, terminate. If Yes, continue.
4. New Mitigating Control Group? If Yes, the SAA Team creates a new Mitigating Control Group (GRC); the Risk Owner validates and approves the MC (GRC) and the Mitigating Control Owner approves the MC (GRC). If either approver answers No, terminate. If No new group is needed, continue.
5. SAA Team: assign the existing or newly created Mitigating Control (GRC).
6. Mitigating Control Owner: validate and approve the MC assignment (GRC). If No, terminate; if Yes, the role/user is mitigated (ERP).

Note: In case the Approver is not known or found, the request will be routed to GRC Admin as an escape path.
Check Your Knowledge 1

Q SoD is a basic external control designed to prevent or decrease the risk of fraud
and errors or irregularities in financial reporting by ensuring that no single
individual has authority to execute two or more conflicting transactions.

Select whether the statement is True or False.

A. True
B. False



Module Summary

This brings us to the end of this module. The key takeaways from this module are:
• SAP GRC Access Control helps organizations to automatically detect, manage, and
prevent access risk violations and reduce unauthorized access.
• SoD is a primary internal control designed to prevent or decrease the
risk of fraud and errors or irregularities in financial reporting by
ensuring that no single individual has authority to execute two
or more conflicting transactions.
• SOX is a U.S. federal law applicable to all public U.S. companies.
SoD is a key part of achieving Sarbanes Oxley (SOX)
Compliance. Any SoD conflicts that exist for users in SAP
and other select systems need to be mitigated in GRC
Access Control by SOX controls stored in GRC Process Controls.
• SoD Risks are classified into the following levels: Critical,
High, and Low.





Module Objectives

Upon completing this module, you will be able to:


• Review risk
• Identify the appropriate mitigation



Review Risk

When an SoD violation is identified, a collaborative effort is required in order to resolve it. The following stakeholders play an important role in mitigation or remediation of an SoD risk:

SAA Team
The Systems Access Administration (SAA) team reviews SoD risks and makes recommendations to Risk Owners and Mitigating Control Owner regarding access, risk, and mitigation for their approval.

SoD Risk Owner
SoD Risk Owners are designated personnel in the business who provide the expert knowledge regarding SoD risks in their area of operation and controls that would appropriately mitigate those risks.

Mitigating Control Owner
Mitigating Control Owners are SOX team members who are authorized to propose SOX controls that would appropriately mitigate SoD violations.

SoD Governance Board
The SoD Governance Committee meets quarterly to review key SoD activities (such as changes to SoD ruleset and new SoD violations) and considers the impacts of emerging business risks.


Identify Appropriate Mitigation

SAA Team will collaborate with the Risk Owner and Mitigating Control Owner to decide
whether to terminate the access request or mitigate the SoD conflict.
Example: A request to grant access to tcodes VA01 and VA02 to users assigned the Billing
Associate business role prompts an SoD Conflict with their current access to VF01 and VF02. The
decision either not to grant the access requested or to grant the access and identify the
appropriate mitigation needs to be made.
Department: Billing & Cash Apps
Business Role: BL - Billing Associate
Risk ID: S007
Risk Description: Maintain a sales doc and generate a billing doc for it

Rule ID   T-Code   T-Code Description
0001      VF01     Create Billing Document
0001      VA01     Create Sales Order
0002      VF02     Change Billing Document
0002      VA01     Create Sales Order
0003      VF04     Maintain Billing Due List
0003      VA01     Create Sales Order
0005      VF01     Create Billing Document
0005      VA02     Change Sales Order
0006      VF02     Change Billing Document
0006      VA02     Change Sales Order
0007      VF04     Maintain Billing Due List
0007      VA02     Change Sales Order

Mitigating Control Group: BL_0003

CA0430 - Measured physical inventories at the refineries are captured in an inventory system (i.e. yield accounting system). The inventory balances and movement activity in the inventory system are compared to SAP. Differences over threshold are investigated and resolved as necessary.

CA1653 - Billing personnel prepare a monthly analysis of sales orders that are manually created by Billing personnel and manual sales orders or deliveries that are changed by Billing personnel. The analysis is reviewed by billing management, or designee. Any changes made by the reviewer must be reviewed by a second person.
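The rule-set and risk-level material above (the Critical/High/Low levels and the S007 example with its rule pairs and mitigating control group BL_0003) can be tied together by a small check that mirrors what GRC Access Risk Analysis does for a role or user: each rule is a pair of t-codes, a user who holds both triggers the rule, and what happens next depends on the risk level and on whether an approved mitigating control is assigned. The following Python is an added example written for this page; it is not code from the Tesoro deck or from SAP GRC, and it makes these assumptions: S007's risk level is not stated on the slide and is taken as High; the user IDs, the ZCRIT risk and its t-codes ZTC1/ZTC2 are constructed sample data; and an assignment only counts once the Mitigating Control Owner has approved it, as the process flow describes.

```python
# Added example (not part of the Tesoro deck or of SAP GRC): a toy version of the
# SoD check that GRC Access Risk Analysis performs, using the S007 rule set from the
# slide. Assumptions are marked as such below.
from dataclasses import dataclass
from enum import Enum


class RiskLevel(Enum):
    CRITICAL = "Critical"  # preventive: the access combination is prohibited
    HIGH = "High"          # detective: allowed only with an approved mitigating control
    LOW = "Low"            # no SOX mitigating control required


@dataclass
class Risk:
    risk_id: str
    description: str
    level: RiskLevel
    rules: dict  # rule_id -> the t-codes that, held together by one user, trigger the rule


S007 = Risk(
    "S007", "Maintain a sales doc and generate a billing doc for it",
    RiskLevel.HIGH,  # assumption: the slide does not state S007's level
    {
        "0001": frozenset({"VF01", "VA01"}),
        "0002": frozenset({"VF02", "VA01"}),
        "0003": frozenset({"VF04", "VA01"}),
        "0005": frozenset({"VF01", "VA02"}),
        "0006": frozenset({"VF02", "VA02"}),
        "0007": frozenset({"VF04", "VA02"}),
    },
)
# Constructed Critical risk with placeholder t-codes, only to show the preventive path.
ZCRIT = Risk("ZCRIT", "Constructed critical risk", RiskLevel.CRITICAL,
             {"0001": frozenset({"ZTC1", "ZTC2"})})
RULESET = {r.risk_id: r for r in (S007, ZCRIT)}


@dataclass(frozen=True)
class Assignment:
    control_group: str  # e.g. BL_0003
    approved: bool      # the Mitigating Control Owner has approved the assignment


@dataclass(frozen=True)
class Finding:
    user: str
    risk_id: str
    level: RiskLevel
    rule_ids: tuple
    status: str         # PROHIBITED | UNMITIGATED | MITIGATED | ACCEPTED
    control_group: str = ""


def analyze(user_access, ruleset, assignments):
    """Return one Finding per (user, risk) whose rules the user's t-codes trigger.

    user_access: user id -> set of t-codes the user would hold after the request.
    assignments: (user id, risk id) -> Assignment of a mitigating control group.
    """
    findings = []
    for user in sorted(user_access):
        tcodes = set(user_access[user])
        for risk in ruleset.values():
            hit = tuple(sorted(rid for rid, pair in risk.rules.items() if pair <= tcodes))
            if not hit:
                continue
            if risk.level is RiskLevel.CRITICAL:
                status, group = "PROHIBITED", ""      # preventive control: never assignable
            elif risk.level is RiskLevel.LOW:
                status, group = "ACCEPTED", ""        # Risk Owner discretion, no SOX control
            else:
                a = assignments.get((user, risk.risk_id))
                if a is not None and a.approved:
                    status, group = "MITIGATED", a.control_group
                else:
                    # missing or still-pending assignment: the violation stays open
                    status, group = "UNMITIGATED", a.control_group if a else ""
            findings.append(Finding(user, risk.risk_id, risk.level, hit, status, group))
    return findings


def blocking_findings(findings):
    """Findings that must be resolved before the access can go to production."""
    return [f for f in findings if f.status in ("PROHIBITED", "UNMITIGATED")]


# Constructed sample: two Billing Associates already holding VF01/VF02/VF04 who are
# requested VA01 and VA02 (the slide's example), one user hitting the constructed
# critical risk, and one whose access triggers nothing.
SAMPLE_ACCESS = {
    "BILL01": {"VF01", "VF02", "VF04", "VA01", "VA02"},
    "BILL02": {"VF01", "VF02", "VF04", "VA01", "VA02"},
    "BASIS01": {"ZTC1", "ZTC2"},
    "CASH01": {"VF01", "VF02"},
}
SAMPLE_ASSIGNMENTS = {
    ("BILL01", "S007"): Assignment("BL_0003", approved=True),
    ("BILL02", "S007"): Assignment("BL_0003", approved=False),  # still in the MC Owner's inbox
}

if __name__ == "__main__":
    for f in analyze(SAMPLE_ACCESS, RULESET, SAMPLE_ASSIGNMENTS):
        via = f" via {f.control_group}" if f.control_group else ""
        print(f"{f.user:8} {f.risk_id:6} {f.level.value:9} rules={','.join(f.rule_ids)} {f.status}{via}")
```

Run it directly to print one line per finding. The point to take from it is the status split: a Critical hit is reported as prohibited regardless of any control, a High hit stays open while the BL_0003 assignment is still pending the Mitigating Control Owner's approval, and a Low hit needs no SOX control; only the first two kinds block the access request, which is why the check is run before the role is assigned rather than after.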
Check Your Knowledge – 1

Q1 Which of the following designated personnel in the business provides the expert
knowledge regarding SoD risks in their area of operation and controls that would
appropriately mitigate those risks.

Select the correct answer.

A. SoD Governance Team


B. SoD Risk Owners
C. Mitigating Control Owner
D. SAA Team



Module Summary

This brings us to the end of this module. Some of the key takeaways from this module are:
• When an SoD violation is identified, a collaborative effort is required in order
to resolve it.
• The SAA Team collaborates with Risk Owner and Mitigating Control Owner
to decide whether to terminate or mitigate an SoD risk.





Module Objectives

Upon completing this module, you will be able to:


• Create and assign a mitigating control group in GRC by
SAA team
• Approve a new mitigating control group request in GRC
by Risk Owners and SOX team
• Approve a new or existing mitigating control group
assignment for a specific SoD violation in GRC by Risk
Owners



Creating a New Mitigating Control Group

A Mitigating Control Group is needed to mitigate an SoD risk for a business role in the
system. To mitigate an SoD risk, a mitigating control group is created to remove the risk
for the business. The SAA Team creates a new Mitigating Control Group to mitigate the
SoD risk.
To create a mitigating control group in GRC, execute the T-Code NWBC, and perform the following steps:

1. Navigate to Master Data-> Risks and Responses-> Risk Catalog to add a risk to a template.


Creating a New Mitigating Control Group (Contd.)

2. Navigate to Classification Hierarchy-> Access Controls risks-> SOD risks in the Risk Classification - Tesoro Corporation window. Click Create >> Risk Template.

3. On the Risk Template screen, in the General tab, enter the relevant information in the Name and Description fields.

4. In the Central Controls tab, search and assign a relevant control to the template. Click Save and a new risk template is created under SOD risks.


Creating a New Mitigating Control Group (Contd.)

5. Next, navigate to Master Data-> Activities and Processes-> Business Process-> Process Structure-> Access Control-> Mitigation Control Group. Select Mitigating Controls Group.


Creating a New Mitigating Control Group (Contd.)

View the simulation in the next slide to learn how to do the following steps:
Process Control Steps
1. Add the SoD Risk ID to the Risk Catalog as a "Risk Template” in order to align the SOX
Control(s) to the SoD Risk.

2. Create the new "Mitigating Control Group" that will be used to group the SOX Controls.

3. Add the relevant sub-process and Mitigating Control Group to the Organization Hierarchy in
order to align a new Mitigating Control ID to the Mitigating Control Group.

4. Once the Mitigation Control Group is added to Organization Hierarchy, a NEW Mitigating
Control ID can be assigned to the Mitigating Control Group.

Access Control Step

5. Open the new Mitigating Control ID and add the corresponding Risk ID and Risk Owner to complete the process.


Creating a Mitigating Control in GRC

In this simulation, you will learn how to perform the steps to create a new mitigating control in GRC.

T-Code:
• NWBC

Click the DEMO button to view the simulation.

Click the TRY IT button to practice this activity.


Assigning a Mitigating Control Group

After the Mitigating Control approval process, SAA assigns the mitigating control group to
the business role for mitigation of the risk.
To assign a mitigating control group in GRC, perform the following steps:

1. Navigate to Access Management -> Access Risk Analysis -> Role Level.

2. On the Risk Analysis: Role Level screen, select relevant options for the following fields:
• System
• Role Type
• Role
• Risk by Process
• Risk Level
• Rule Set
• Access Risk Analysis
• Action Level
• Access Risk Assessment
• Permission level
• Mitigation Analysis
Click Run in Foreground.
Assigning a Mitigating Control Group (Contd.)

3. The Multi selection screen displays the user list that violates the risk rule. Choose the relevant username with risk and click Mitigate Risk.

4. Select the relevant Mitigating Control and click Submit to mitigate the relevant risk.


Assigning a Mitigating Control Group (Contd.)

View the simulation in the next slide to learn how to do the following steps:

1. In Access Management, under Access Risk Analysis, select Role Level to perform an SoD Analysis based on specific criteria (system, role name, etc.).

2. If the SoD Analysis results contain unmitigated SoD violations, the user can select the row with the Risk ID to mitigate.

3. Click the Mitigate Risk button to open a pop-up window that lists the Mitigating Controls corresponding to the selected Risk ID.

4. Upon submission of the Mitigating Control assignment, the Mitigating Control Owner is notified via email to review and approve or reject it accordingly.

5. Once the Mitigating Control Owner has approved or rejected the request to assign the Mitigating Control to the Risk ID, an email notification is sent to the requestor (SAA Team).


Assigning a Mitigating Control in GRC

In this simulation, you will learn how to perform the steps to assign a new mitigating control in GRC.

T-Code:
• NWBC

Click the DEMO button to view the simulation.

Click the TRY IT button to practice this activity.


Approving the Creation of a Mitigating Control Group

To validate and approve a mitigating control group creation for a specific SoD violation in GRC, perform the following steps:

1. Navigate to the email notification with the detailed request.

2. Use the link in the email notification to access NWBC.

3. Navigate to My Home-> Work Inbox-> Work Inbox link.

4. Choose the task subject Approval required for mitigating control.

5. Review the request and click the Approve button. If for some reason the request cannot be approved, click the Reject button. The Hold button allows you to hold the request and review it at a later time.

6. A pop-up window to approve the new mitigating control displays. Click Ok.

7. The request for approval is approved and is submitted.


Approving the Assignment of a Mitigating Control Group

To validate and approve a mitigating control group assignment for a specific SoD violation in GRC, perform the following steps:

1. Navigate to the email notification with the detailed request.

2. Use the link in the email notification to access NWBC.

3. Navigate to My Home-> Work Inbox-> Work Inbox link.

4. Choose the task subject Control assignment approval for.

5. Review the request and click the Approve button.

6. A confirmation screen displays once the assignment of a mitigating control group request has been approved.


Approving the Creation of a Mitigating Control Group

The Mitigating Control Owner receives the request for the new Mitigating Control Group for review and approval.
To approve a mitigating control group creation request in GRC, perform the following steps:

1. Navigate to the email notification with the detailed request.

2. Use the link in the email notification to access NWBC.

3. Navigate to My Home-> Work Inbox-> Work Inbox link.

4. Choose the task subject Approval required for mitigating control group.

5. Click the Approve button.

6. A pop-up window to approve the new mitigating control displays. Click Ok.

7. The request for approval is submitted.


Check Your Knowledge 1

Q
Mitigating Control Group is required to remove the risk for the user.

Select whether the statement is True or False.

A. True
B. False



Module Summary

This brings us to the end of this module. Some of the key takeaways from this module are:
• The SAA team creates a new Mitigating Control Group to mitigate the risk.
• Mitigating Control Owner receives the request for the new Mitigating Control Group for
review and approval.
• After the Mitigating Control approval process, the SAA team assigns the
mitigating control for the business role to mitigate the risk.





Course Recap

This brings us to the end of this course.


You should now be able to:
• Describe SoD and its benefits
• Explain the importance of SoD in SOX Compliance
• Describe the high-level process flow for mitigating an SoD conflict in GRC
• Explain the various SoD risk levels and stakeholder roles in mitigating the identified risks
• Create and assign a mitigating control group in GRC by SAA Team
• Approve a mitigating control group creation request in GRC by Risk Owners and SOX Team
• Approve a mitigating control group assignment for a specific SoD violation in GRC by Risk Owners


Resources

For additional support material relevant to this training, please click the resource links
below.

Hands-on Guides

• Creating a Mitigating Control in GRC
• Assigning a Mitigating Control in GRC


Congratulations!
You have completed the course!



Why is SOX Compliance Required? (Contd.)

Guiding principles of managing Tesoro’s internal controls:

Automated Controls
• Significant shift from manual controls to automated controls
• Move to 80% automated controls at transactional level

Controls Minded
• Create a culture of controls and move process/control to operations, where applicable
• Implement a self-assessment model for control owners

Accountability
• Establish a strong sense of accountability for the operation of controls and responsibility for deficiencies through a control self-assessment process

Technology
• Use SAP’s GRC tool to document and monitor controls
• Enables real-time visibility into Tesoro’s controls' status and responses to key compliance needs and risks

Reliable Financial Reporting: accuracy, completeness, and reliability of financial information

Operational Efficiency and Effectiveness: business objectives are met with more automated controls

Compliance with Laws and Regulations: regulatory and legal requirements are met

LOA Framework: streamlined, fit for purpose framework providing governance and process efficiencies