Mitigating SoD Violations: 2 Hours
Course Introduction
SoD Overview
Course Summary
Before we proceed with the course, let’s take some time to get to know each other.
Tell us:
• Your name
• Your business unit department
• Your expectations from this session
• An interesting fact about yourself
Term Description
Governance, Risk, and Compliance (GRC): GRC refers to taking an integrated, enterprise-wide approach to Governance, Risk, and Compliance. It is transformational and addresses the people, process, and technology enhancements needed to achieve risk intelligence. GRC also refers to the name of the SAP application Tesoro uses to process Segregation of Duties (SoD) analysis.
Segregation of Duties (SoD): SoD is a primary internal control designed to prevent or decrease the risk of fraud and errors or irregularities in financial reporting by ensuring that no single individual has authority to execute two or more conflicting transactions.
Mitigating Controls: Mitigating Controls are the SOX controls used to prevent or detect possible error or fraud if a user requires access that causes an SoD conflict.
Mitigating Control Group: A Mitigating Control Group is a unique identifier for all the SOX Controls that appropriately mitigate a particular SoD violation within a business role.
SoD Rule Set: The SoD Rule Set maintained in GRC is the comprehensive list of all combinations of transactions/functions that will cause SoD violations if obtained by a single user in and between systems.
SoD Violation (SoD Conflict): An SoD violation is an occurrence of user access comprised of a combination of transactions/functions that pose a risk and are contained in the SoD Ruleset.
Business Roles: A business role is an enterprise level security role in GRC that is assigned to one or more users which corresponds to their job and provides them with all the functional access they need in multiple systems. An example of a business role is “AP Clerk”.
Course Description
This course explains the process of handling SoD
violations in SAP HANA S4.
Course Prerequisites
None
SAP GRC Access Control helps organizations to automatically detect, manage, and prevent
access risk violations and reduce unauthorized access.
Segregation of Duties
SoD is a primary internal control designed to prevent or decrease the risk of fraud and
errors or irregularities in financial reporting by ensuring that no single individual has
authority to execute two or more conflicting transactions.
SOX is a U.S. federal law applicable to all public U.S. companies. SoD is a key part of
achieving Sarbanes Oxley (SOX) Compliance. Any SoD violations that exist for users in SAP
and other select systems need to be mitigated in GRC Access Control by SOX controls
stored in GRC Process Controls.
SOX introduced major changes to the regulation of corporate governance and financial practice.
It is arranged into eleven titles, six of which are primarily concerned with compliance.
Its purpose is to ensure that financial statements are accurately reported. Failure to comply with SOX
results in penalties that include fines and imprisonment.
Asset Safeguarding
Critical: This risk level is applicable to SoD Risks that cannot be allowed because they create
opportunity for severe financial misstatement or fraudulent activity affecting the company.
Any SoD Risks at this level are prohibited, therefore no end user can be allowed the
combination of access that creates these risks in production unless granted by exception
through GRC Firefighter. The control for SoD Risks at this level is preventive because it
prohibits user assignment of the combination of access causing these risks.
High: This risk level is applicable to SoD Risks that are only allowed at the discretion of the Risk
Owner with careful consideration for all business implications because they create
opportunity for significant financial misstatement or fraudulent activity affecting the
company. Any SoD Risks at this level must be mitigated with the appropriate SOX Controls in
order to assign the combination of access that creates these risks in production. The
controls for SoD Risks at this level are detective because they are reviewed and investigated
for suspicious activities after they have occurred.
Low: This risk level is applicable to SoD Risks that are allowed at the discretion of the Risk Owner
with moderate consideration for all business implications because they create minimal
opportunity for financial misstatement or fraudulent activity affecting the company. Any
SoD Risks at this level are not required to be mitigated with SOX Controls in order to assign
the combination of access that creates these risks in production. The control for SoD Risks at
this level only exists to the extent deemed applicable by the Risk Owner but will not be
required for SOX compliance.
Mitigating SoD Violations| TESORO CONFIDENTIAL 15
Mitigating Control Process Flow
[Flowchart: decision points "Mitigation?", "New Mitigating Control Group?" and "Approve MC?"; steps: Terminate, Create a New Mitigating Control Group (in GRC), and Validate and Approve MC (in GRC).]
Q SoD is a basic external control designed to prevent or decrease the risk of fraud
and errors or irregularities in financial reporting by ensuring that no single
individual has authority to execute two or more conflicting transactions.
A. True
B. False
This brings us to the end of this module. The key takeaways from this module are:
• SAP GRC Access Control helps organizations to automatically detect, manage, and
prevent access risk violations and reduce unauthorized access.
• SoD is a primary internal control designed to prevent or decrease the
risk of fraud and errors or irregularities in financial reporting by
ensuring that no single individual has authority to execute two
or more conflicting transactions.
• SOX is a U.S. federal law applicable to all public U.S. companies.
SoD is a key part of achieving Sarbanes Oxley (SOX)
Compliance. Any SoD conflicts that exist for users in SAP
and other select systems need to be mitigated in GRC
Access Control by SOX controls stored in GRC Process Controls.
• SoD Risks are classified into the following levels: Critical,
High, and Low.
The high-level process flow for mitigating an SoD risk is illustrated below.
[Flowchart with swimlanes for the SAA Team, the Risk Owner and the Mitigating Control Owner (SOX Team). The SAA Team receives an unmitigated risk for a role/user from GRC; the Risk Owner and the Mitigating Control Owner participate in risk remediation. Decision points: "Mitigation?", "New Mitigating Control Group?" and "Approve MC?"; steps: Terminate, Create a New Mitigating Control Group (in GRC), and Validate and Approve MC (in GRC).]
When an SoD violation is identified, a collaborative effort is required in order to resolve it.
The following stakeholders play an important role in mitigation or remediation of an SoD
risk:
The SAA Team will collaborate with the Risk Owner and Mitigating Control Owner to decide
whether to terminate the access request or mitigate the SoD conflict.
Example: A request to grant access to tcodes VA01 and VA02 to users assigned the Billing
Associate business role prompts an SoD Conflict with their current access to VF01 and VF02. The
decision either not to grant the access requested or to grant the access and identify the
appropriate mitigation needs to be made.
Department: Billing & Cash Apps
Business Role: BL - Billing Associate
Risk ID: S007
Risk Description: Maintain a sales doc and generate a billing doc for it

Rule ID   T-Code   T-Code Description
0001      VF01     Create Billing Document
0001      VA01     Create Sales Order
0002      VF02     Change Billing Document
0002      VA01     Create Sales Order
0003      VF04     Maintain Billing Due List
0003      VA01     Create Sales Order
0005      VF01     Create Billing Document
0005      VA02     Change Sales Order
0006      VF02     Change Billing Document
0006      VA02     Change Sales Order
0007      VF04     Maintain Billing Due List
0007      VA02     Change Sales Order
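The Billing Associate case above, written out as a small rule-set check that an SAA Team member could run against a user's t-code list to see which rules of S007 fire and what the course's risk-level policy then requires. This is an added example for this page, not code from the course or from SAP GRC: the rule table is the one shown above (the table lists no rule 0004, so none is modelled), while the risk level of S007 and the Mitigating Control Group ID "MCG-EXAMPLE" are assumptions.

```python
# Added example (not Tesoro course material or SAP GRC code): SoD rule check
# for risk S007 with the course's Critical/High/Low policy applied.
# Constructed data: rule table from the course; S007's level and the
# Mitigating Control Group ID used below are assumptions.

# Risk ID -> list of (rule_id, t-code, t-code). Holding both t-codes of a pair
# is a violation of that rule, as in the SoD Rule Set.
RULE_SET = {
    "S007": [
        ("0001", "VF01", "VA01"), ("0002", "VF02", "VA01"), ("0003", "VF04", "VA01"),
        ("0005", "VF01", "VA02"), ("0006", "VF02", "VA02"), ("0007", "VF04", "VA02"),
    ],
}
RISK_LEVEL = {"S007": "High"}  # assumed level; the course does not state S007's level


def violated_rules(risk_id, user_tcodes):
    """Return the rule IDs of risk_id whose t-code pair is fully held by the user."""
    held = set(user_tcodes)
    return [rule for rule, a, b in RULE_SET[risk_id] if a in held and b in held]


def disposition(risk_id, user_tcodes, role, mitigations, level=None):
    """Apply the course's risk-level policy to one (role, risk) assignment.

    mitigations maps (business role, risk ID) -> Mitigating Control Group ID.
    Critical: prohibited (the Firefighter exception is not modelled here).
    High:     allowed only when a Mitigating Control Group is assigned.
    Low:      allowed; mitigation is at the Risk Owner's discretion.
    """
    rules = violated_rules(risk_id, user_tcodes)
    if not rules:
        return "no violation"
    level = level or RISK_LEVEL[risk_id]
    mcg = mitigations.get((role, risk_id))
    if level == "Critical":
        return "prohibited: rules " + ", ".join(rules)
    if level == "High":
        if mcg:
            return f"mitigated by {mcg}: rules " + ", ".join(rules)
        return "unmitigated: assign a Mitigating Control Group for rules " + ", ".join(rules)
    return "allowed (Low): rules " + ", ".join(rules)


if __name__ == "__main__":
    # Billing Associate holds VF01/VF02; the request adds VA01/VA02.
    role, current, requested = "BL - Billing Associate", ["VF01", "VF02"], ["VA01", "VA02"]
    print(disposition("S007", current + requested, role, {}))
    print(disposition("S007", current + requested, role, {(role, "S007"): "MCG-EXAMPLE"}))
```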
CA0430 - Measured physical inventories at the refineries are captured in an inventory system (i.e. yield accounting system). The inventory balances and movement activity in the inventory system are compared to SAP. Differences over threshold are investigated and resolved as necessary.
CA1653 - Billing personnel prepare a monthly analysis of sales orders that are manually created by Billing personnel and manual sales orders or deliveries that are changed by Billing personnel. The analysis is reviewed by billing management, or designee. Any changes made by the reviewer must be reviewed by a second person.
Check Your Knowledge – 1
Q1 Which of the following designated personnel in the business provides the expert
knowledge regarding SoD risks in their area of operation and controls that would
appropriately mitigate those risks?
This brings us to the end of this module. Some of the key takeaways from this module are:
• When an SoD violation is identified, a collaborative effort is required in order
to resolve it.
• The SAA Team collaborates with Risk Owner and Mitigating Control Owner
to decide whether to terminate or mitigate an SoD risk.
A Mitigating Control Group is needed to mitigate an SoD risk for a business role in the
system. To mitigate an SoD risk, a mitigating control group is created to remove the risk
for the business. The SAA Team creates a new Mitigating Control Group to mitigate the
SoD risk.
To create a mitigating control group in GRC, execute the T-Code NWBC, and perform
the following steps:
1. Navigate to Master Data-> Risks and Responses-> Risk Catalog to add a risk to a template.
2. Navigate to Classification Hierarchy-> Access Controls risks-> SOD risks in the Risk Classification- Tesoro Corporation window. Click Create >> Risk Template.
3. On the Risk Template screen, in the General tab, enter the relevant information in the Name and Description fields.
4. In the Central Controls tab, search and assign a relevant control to the template. Click Save and a new risk template is created under SOD risks.
5. Next, navigate to Master Data-> Activities and Processes-> Business Process-> Process Structure-> Access Control->Mitigation Control Group. Select Mitigating Controls Group.
View the simulation in the next slide to learn how to do the following steps:
Process Control Steps
1. Add the SoD Risk ID to the Risk Catalog as a "Risk Template” in order to align the SOX
Control(s) to the SoD Risk.
2. Create the new "Mitigating Control Group" that will be used to group the SOX Controls.
3. Add the relevant sub-process and Mitigating Control Group to the Organization Hierarchy in
order to align a new Mitigating Control ID to the Mitigating Control Group.
4. Once the Mitigation Control Group is added to Organization Hierarchy, a NEW Mitigating
Control ID can be assigned to the Mitigating Control Group.
T-Code:
• NWBC
After the Mitigating Control approval process, SAA assigns the mitigating control group to
the business role for mitigation of the risk.
To assign a mitigating control group in GRC, perform the following steps:
3. The Multi selection screen displays the user list that violates the risk rule. Choose the relevant username with risk and click Mitigate Risk.
4. Select the relevant Mitigating Control and click Submit to mitigate the relevant risk.
View the simulation in the next slide to learn how to do the following steps:
1. In Access Management, under Access Risk Analysis, select Role Level to perform an SoD
Analysis based on specific criteria (system, role name, etc.).
2. If the SoD Analysis results contain unmitigated SoD violations, the user can select the row with
the Risk ID to mitigate.
3. Click the Mitigate Risk button; a new pop-up window lists the Mitigating Controls that
correspond to the Risk ID selected.
4. Upon submission of the Mitigating Control assignment, the Mitigating Control Owner will be
notified via email to review and approve or reject it accordingly.
5. Once the Mitigating Control Owner has approved or rejected the request to assign the Mitigating
Control to the Risk ID, an email notification will be sent to the requestor (SAA Team).
T-Code:
• NWBC
To validate and approve a mitigating control group creation for a specific SoD violation in
GRC, perform the following steps:
1. Navigate to the email notification with the detailed request.
2. Use the link in the email notification to access NWBC.
3. Navigate to My Home-> Work Inbox->Work Inbox link.
4. Choose the task subject Approval required for mitigating control.
5. Review the request and click the Approve button. If for some reason the request cannot be approved, click the Reject button. The Hold button will allow you to hold the request and review it at a later time.
6. A pop-up window to approve the new mitigating control displays. Click Ok.
7. The request for approval is approved and is submitted.

1. Navigate to the email notification with the detailed request.
2. Use the link in the email notification to access NWBC.
3. Navigate to My Home-> Work Inbox->Work Inbox link.
4. Choose the task subject Control assignment approval for.
Mitigating Control Owner receives the request for the new Mitigating Control Group for
review and approval.
To approve a mitigating control group create request in GRC, perform the following steps:
1. Navigate to the email notification with the detailed request.
2. Use the link in the email notification to access NWBC.
3. Navigate to My Home-> Work Inbox->Work Inbox link.
7. The request for approval is submitted.
Q A Mitigating Control Group is required to remove the risk for the user.
A. True
B. False
This brings us to the end of this module. Some of the key takeaways from this module are:
• The SAA team creates a new Mitigating Control Group to mitigate the risk.
• Mitigating Control Owner receives the request for the new Mitigating Control Group for
review and approval.
• After the Mitigating Control approval process, the SAA team assigns the
mitigating control for the business role to mitigate the risk.
For additional support material relevant to this training, please click the resource links
below.
Hands-on Guides
• Significant shift from manual controls to automated controls
• Move to 80% automated controls at transactional level
• Create a culture of controls and move process/control to operations, where applicable
• Implement a self-assessment model for control owners
• Establish a strong sense of accountability for the operation of controls and responsibility for deficiencies through a control self-assessment process
• Use SAP’s GRC tool to document and monitor controls
• Enables real-time visibility into Tesoro’s controls' status and responses to key compliance needs and risks
Operational Efficiency and Effectiveness: business objectives are met with more automated controls
Compliance with Laws and Regulations: regulatory and legal requirements are met
LOA Framework: streamlined, fit for purpose framework providing governance and process efficiencies