
SEGREGATION OF DUTIES

REVIEW REPORT
AGENDA

03 Project Overview

07 Lessons Learned

10 Remediation

16 Rollout Plan

PROJECT OVERVIEW

The following was completed in order to deliver a successful pilot:


• An Approva software production certification was received.
• Production software was installed.
• A steering committee was created.
• A QAR team was established.
• A communication plan, including a weekly dashboard, was created.
• SAP Basis and Fixed Assets rulebooks, as well as customized rules, were agreed upon and created.
• Violation reports were distributed to business process owners.
• The following processes were created:
− Rulebook creation
− Violation review
− Remediation/mitigation
− Customized rule creation
− BizRights user provisioning
• Pilot user base training was conducted.
• Project management responsibilities were transitioned to the client.
• A rollout plan and lessons learned were developed.

PROJECT STATUS

[Project status timeline (figure). Milestones recovered from the figure, in approximate left-to-right order; the "We are Here" marker sits at the final step:]

• Purchase segregation of duties tool software
• Complete production certification of software
• Install a development system in the environment
• Develop a communication plan and initiate communication
• Complete the steering committee kick-off meeting
• Agree upon N.A. rulebook definitions
• Engage external process consulting and the external auditor for assistance
• Identify customized rules
• Prod. hardware arrives
• Enter all rulebooks for the pilot
• Create and agree upon the rules and configuration of rulebooks with BPOs and the QA team
• Install a production system
• Train the BPOs, project team and key members
• Initiate the violation review process with NABU support (Fixed Assets, Location)
• Initiate the violation review process with Fixed Assets and SAP Basis
• Pilot project wrap-up
• Conduct a second steering committee meeting
• Identify lessons learned and complete the knowledge transfer
• Create a post-pilot rollout plan

VALUE-ADDED

The project team developed the following deliverables:


• An activity dictionary to increase understanding of various processes
• Multiple change forms for the various process definitions
• Four additional customized rules
• SOX control ROI breakdown and calculations
• A resource plan
• A roles and responsibilities matrix

SOX: THE LONG-TERM STRATEGY

Year One: Comply at all costs
Year Two: Basic control rationalization
Year Three: Detailed control rationalization and tool automation

[Chart: number of controls per area, Prior to Baseline (*) vs. After Baseline (*). Areas: Finance, Fixed Assets, Inventory, Order to Cash, Procure to Pay, General Controls. Each bar is split into Automated and Manual controls; the prior-to-baseline axis runs 0 to 160, the after-baseline axis 0 to 90. Individual bar values are not recoverable from the text.]

• The total number of controls was reduced by consolidating control activities.


• The number of automated controls increased, both globally and locally.
• The number of manual controls decreased.
• Control descriptions now include SAP configuration information.

LESSONS LEARNED
LESSONS LEARNED (1/2)

• Maintain a focus on long-term strategy when making tactical decisions.


• Streamline decisions by moving them upstream in the request process (i.e., empower BPOs to decide before a
request reaches IT).
• Identify custom transactions to be implemented in BizRights only if there is an audit need and/or ROI; consider having
a set of rulebooks that require remediation and another set for informational purposes.
• Adapt BizRights rulebooks and authorization to the business process.
• SAP security should be involved before the configuration of t-codes in BizRights, so appropriate authorization objects
may be selected with each t-code.
• A disaster recovery plan for BizRights is not required: under the client's policy, the application's criticality level does
not call for one.
• Review compensating controls, the exclusion list and rulebooks annually at a minimum (e.g., incorporate in the control
rationalization and/or process certification).
• Business units should receive an overview of rules and not the technical details (authorization objects) to streamline
the BPO rule review and approval process.
• The BPO should be asked to identify company codes as well as create vs. display focus for sensitive t-codes of their
respective areas in order to streamline the process and reduce false-positive t-codes in rulebooks.

LESSONS LEARNED (2/2)

• For the review of rulebooks in the QA meeting:


− Consider a more detailed description by the BPO and have this information submitted prior to the
QA meeting.
− Distribute the standard approval rulebook prior to the meeting.
− Review the rulebook in the QA team so participants can actively ask questions.
− Create a SOD matrix for overview.

ROLLOUT PROCESS AND
REMEDIATION PLAN
ROLLOUT PROCESS AND REMEDIATION

Goals

• Identify high risks to the organization within the SAP environment.


• Ensure long-term success.
• Improve organizational efficiency in IA/SOX.
• Avoid short-term remediation/mitigation tactics that impede long-term success.

ROLLOUT PROCESS

As learned from the fixed assets and SAP Basis pilot:


• Identify and rank risks within the organization.
− Utilize IA/SOX controls and associated tests.
− Discuss risks that concern BPOs the most.
− Understand other compliance and regulatory requirements, which can be automated with BizRights.
• Review standard rulebooks and match risks.
− Focus on risks that add value to the organization and avoid adding complexity/“noise” in the reports.
− Customize new rules that are not in standard rulebooks but identified as risks in the previous step.
• Evaluate generated violations.
− Validate the accuracy of reports.
− Internally analyze rules to eliminate false positives (e.g., display vs. create authorization).
− Determine an area of focus for remediation by categorizing violations in each module into high/medium/low and
volume.
− Analyze violations with BPOs.

REMEDIATION PLAN (1/2)

Four-Step Remediation Plan:

1. Identify false positives in the reports.


− Reconfigure rules correctly (e.g., display vs. create).
− Consider user exclusion (support teams).
2. Focus on roles and then users.
− Update all simple roles to eliminate violation occurrences.
− Avoid trying to fix simple roles, composite roles and users at the same time.
− Do not start the user analysis until all roles are complete.
3. Move to composite roles once simple roles are cleaned up.
4. Focus on users with violations.
− Perform user updates carefully and communicate with business owners in order to avoid major business disruption
due to massive user authorization changes.
− Analyze user master records and audit logs to allow for the quickest possible resolution.
− While analyzing user violations, consider the following questions:
o Does the individual need the access causing the violation?
o Can the violation be resolved using SAP workflows, user exits, SAP configuration modifications or business
process changes?

REMEDIATION PLAN (2/2)

Four-Step Remediation Plan:

o Can access on-demand resolve the issue? (To avoid overuse of AoD, this should be one of the last
considerations.)
− If the violation cannot be resolved through the questions above, a comprehensive mitigating control should be
considered.
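The four-step sequence above (strip false positives out of the rulebook, then clean simple roles, then composite roles, then users) as an added worked example. This is illustrative Python written for this page, not BizRights or client code. The roles, users, rulebook and authorization rows are constructed; the authorization objects, t-codes and activity values are assumed for illustration only and, as the lessons learned recommend, real rulebook entries must be confirmed with SAP security before use.

```python
"""Toy SoD check for the display-vs-create false positive and the
roles-before-users remediation order. All data below is constructed for
the example; it is not BizRights output or a real rulebook."""
from collections import Counter, defaultdict

# Single-role authorizations as (role, object, field, value), loosely
# modelled on SAP's AGR_1251 table. ACTVT 01 = create, 02 = change,
# 03 = display. Object names are assumed for illustration; confirm real
# ones with SAP security before they go into a rulebook.
AUTHS = [
    ("Z_FA_DISPLAY", "S_TCODE", "TCD", "AS03"),
    ("Z_FA_DISPLAY", "S_TCODE", "TCD", "AW01N"),
    ("Z_FA_DISPLAY", "A_S_ANLKL", "ACTVT", "03"),
    ("Z_FA_MASTER", "S_TCODE", "TCD", "AS01"),
    ("Z_FA_MASTER", "S_TCODE", "TCD", "AS02"),
    ("Z_FA_MASTER", "A_S_ANLKL", "ACTVT", "01"),
    ("Z_FA_MASTER", "A_S_ANLKL", "ACTVT", "02"),
    ("Z_FA_POST", "S_TCODE", "TCD", "F-90"),
    ("Z_FA_POST", "A_B_ANLKL", "ACTVT", "01"),
    ("Z_FA_SUPER", "S_TCODE", "TCD", "*"),
    ("Z_FA_SUPER", "A_S_ANLKL", "ACTVT", "*"),
    ("Z_FA_SUPER", "A_B_ANLKL", "ACTVT", "*"),
]
# Composite roles (AGR_AGRS-like) and user assignments (AGR_USERS-like).
COMPOSITES = {"Z_FA_ALL": ["Z_FA_MASTER", "Z_FA_POST"]}
USER_ROLES = {
    "ANNA": ["Z_FA_DISPLAY"],             # display-only clerk
    "BOB": ["Z_FA_MASTER", "Z_FA_POST"],  # two simple roles that conflict
    "CARL": ["Z_FA_ALL"],                 # conflict inherited from a composite
    "DANA": ["Z_FA_SUPER"],               # conflict inside one simple role
    "BASIS1": ["Z_FA_SUPER"],             # support account on the exclusion list
}
EXCLUDED_USERS = {"BASIS1"}

# A rule is a pair of conflicting functions. A function is a list of
# requirements (object, field, accepted values); a role set holds the
# function only if every requirement is met.
RULE = ("FA-01", "Maintain asset master", "Post asset acquisition")
TCODE_ONLY = {   # first-cut rulebook keyed on t-codes only
    "Maintain asset master": [("S_TCODE", "TCD", {"AS01", "AS02", "AS03"})],
    "Post asset acquisition": [("S_TCODE", "TCD", {"F-90", "ABZON", "AW01N"})],
}
REFINED = {      # same rule after the create-vs-display review with the BPO
    "Maintain asset master": [("S_TCODE", "TCD", {"AS01", "AS02"}),
                              ("A_S_ANLKL", "ACTVT", {"01", "02"})],
    "Post asset acquisition": [("S_TCODE", "TCD", {"F-90", "ABZON"}),
                               ("A_B_ANLKL", "ACTVT", {"01"})],
}


def expand(roles):
    """Flatten composite roles into the simple roles they contain."""
    out = []
    for r in roles:
        out.extend(expand(COMPOSITES[r]) if r in COMPOSITES else [r])
    return out


def effective_auths(roles):
    """Union of authorization values per (object, field) across roles."""
    simple = set(expand(roles))
    auths = defaultdict(set)
    for role, obj, field, value in AUTHS:
        if role in simple:
            auths[(obj, field)].add(value)
    return auths


def has_function(auths, requirements):
    """Every requirement met: a '*' value or an overlap with accepted values."""
    return all("*" in auths[(obj, field)] or auths[(obj, field)] & accepted
               for obj, field, accepted in requirements)


def violates(roles, rulebook):
    """True if the role set holds both sides of the rule."""
    auths = effective_auths(roles)
    _, f1, f2 = RULE
    return has_function(auths, rulebook[f1]) and has_function(auths, rulebook[f2])


def simple_role_violations(rulebook):
    """Step 2: simple roles that conflict on their own."""
    return [r for r in sorted({r for r, *_ in AUTHS}) if violates([r], rulebook)]


def composite_role_violations(rulebook):
    """Step 3: composites whose members together conflict."""
    return [c for c in COMPOSITES if violates([c], rulebook)]


def user_violations(rulebook):
    """Step 4: users with a conflict, skipping the support-team exclusion list."""
    return [u for u, roles in USER_ROLES.items()
            if u not in EXCLUDED_USERS and violates(roles, rulebook)]


def roles_to_fix_first(rulebook):
    """Roles that recur in user-level violations: the small number of
    changes that removes the largest number of violations."""
    c = Counter(r for u in user_violations(rulebook) for r in expand(USER_ROLES[u]))
    return c.most_common()


if __name__ == "__main__":
    for name, rb in (("t-code only", TCODE_ONLY), ("refined", REFINED)):
        print(name, "| simple:", simple_role_violations(rb),
              "| composite:", composite_role_violations(rb),
              "| users:", user_violations(rb))
    print("fix first:", roles_to_fix_first(REFINED))
```

Run as-is, the display-only user ANNA (and her display role) is flagged under the t-code-only rule because the rulebook lumped display t-codes in with create ones, and disappears once the rule also requires a create/change activity. What remains is ordered the way the plan prescribes: one simple role that conflicts by itself (Z_FA_SUPER), then the composite that conflicts through its members (Z_FA_ALL), then users holding two conflicting simple roles; the role count at the end points at the change with the biggest payoff before any individual user is touched.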

THINGS TO REMEMBER

Below are a few reminders as you roll out new rules and remediate the violations:
• Focus on high-risk SoDs first.
• Identify remediation that resolves a large number of violations with a small number of changes.
• Upon initial rollout of a rulebook, hundreds or thousands of violations will be produced. Remediation and
configuration changes will resolve a large portion initially; the last few violations will be the hardest to resolve.
• Avoid taking away access that will need to be granted again later.
• IT and the business organization need to work together to move the project forward.
• Plan ample time with the business to determine corrective action and with SAP security to resolve role changes. Time
will be important as you roll out further phases.
• Automatic alerts should eventually be turned on once remediation is complete for an individual area – consider only
alerts (and remediation) for audit-related issues.
• A rule-naming convention should be agreed upon and used consistently.
• Ensure that the BPO and BPAs clearly understand what constitutes a risk. You could consider involving IA/SOX or the
ICS to resolve any confusion.
• Conflicts may exist over multiple SAP modules/functional areas. Although this was not encountered in the project, a
plan should be created to address such issues.

ROLLOUT SCOPE AND TIMELINE
DETERMINING FACTORS FOR SCOPE

• European fixed asset contacts are the same as general ledger contacts, which will
allow for an easy transition into the next phase.
• SAP Basis suggested using Legacy R/3 in the next phase, which will reduce overhead.
• Fixed Assets recommended including SAP EBP (Enterprise Buyer Professional) in the next phase, since it completes the end-
to-end process in this area. In addition, the rule set for EBP is limited.
• ROI analysis – IT has the highest definite ROI from a SOX/IA testing perspective.
• Risk factors are determined.

RECOMMENDED NEXT WAVE

• The following modules and processes are recommended for the next phase of this project:
− SAP General Ledger: A shared services organization with a high ROI.
− Complete IT (e.g., SAP Security, superusers, etc.): The largest ROI currently identified for sensitive access and
SoD to be automated.
− SAP EBP: A natural extension from fixed assets, as it utilizes many of the same players as well as a high ROI.
− What-If Analysis Process: Allows the creation of a preventive process to eliminate/reduce new violations to the
environment.
− Access On-Demand: Allows for additional access on a temporary basis.

ROLLOUT PLAN

[Rollout plan timeline (figure). Milestones recovered from the figure, in left-to-right order on each track:]

Governance track:
• Conduct a steering committee meeting
• Stop all new violations entering the organization
• Conduct a knowledge transfer to ICS
• Conduct a steering committee meeting
• Tollgate: validate the next phase of the project / review resource requirements for 2008
• Conduct a steering committee meeting and tollgate
• Start the project-to-process knowledge transfer
• Tollgate: validation for the next phase

Delivery track:
• Hire an internal controls strategist
• Initiate Phase 1 fixed assets and SAP Basis rollout (see Slide 23)
• Complete all remediation for Phase 1
• Work on process improvement and ROI opportunities with IA/SOX
• Initiate Phase 2 kickoff: AP, AR and HR
• Initiate the remediation of Phase 2
• Complete Phase 2 remediation
• Initiate Phase 3 rollout: PR, MM and consolidations
• Complete Phase 3 remediation

NEXT STEPS

• Short-Term View (Tactical Timeline Rollout)


− Begin the next phase.
− Conduct tollgate reviews to ensure that new violations are being resolved in a timely fashion.
− Acquire resource commitments.
− Ensure that an internal controls strategist is in place.
o Review the rollout plan with ICS and validate it.
− Schedule steering committee meetings to continue progress with the executives.
• Long-Term View
− Plan for process controls insight.
o Conduct an SAP controls review with Assure or a similar product to plan future rollouts and identify added value.
− Conduct a capability maturity model (CMM) assessment to understand the current status of IA/SOX and future goals, and
create a strategy to reach that point.
− Create a risk strategy council with IA, SOX, ERM and possibly legal to create a unified risk strategy.

COMMON ISSUES DURING IMPLEMENTATION

Common issue, with the recommended approach beneath it:

• Implementing a compliance tool is not a technology project.
− Effective implementation requires business process owner support to design, respond to exceptions and build the
tool into ongoing processes.

• The rulebooks do not reflect business rules/controls.
− Understand business rules and information requirements before configuring rulebooks.

• The process infrastructure is not defined or considered.
− Tool implementation requires the definition of processes, procedures or guidelines to use, own and maintain the
application. The security monitoring framework must embrace the tool.

• The project is not synchronized with the SOX control and testing strategy.
− Understand SOX requirements prior to configuring the rulebooks and link them to the SOX control objectives.

• Key owners, potential users, internal audit and SOX leaders are not involved in the design and implementation
phases.
− Owners, users, internal audit and SOX leadership should be part of the design and implementation activities to
ensure that the best possible decisions are made for the entire company.

ROLLOUT ASSUMPTIONS

• Assume that the rollout schedule will start four months from today.
• Ignore organizational changes.
• Complete the 20XX phase even if it means slightly reducing scope or adding resources.
