SAP GRC Access Control Enablement
Contents (as recoverable from the deck):
3 Scope of Work
6 Our Deliverables
8 Our Differentiators
2 Our Understanding of your expectations
Understanding the need for SAP GRC Access Controls
What is needed? SAP GRC Access Controls:
• Access Risk Analysis (ARA): ensure rapid, initial clean-up
• Access Request Management (ARM): prevent SoD violations at run time
• Business Role Management (BRM): SoD compliance at the time of role design
• Emergency Access Management (EAM): temporary emergency access
Our understanding of your expectations
1. Identify appropriate GRC functions: identify the applicable GRC functions based on an understanding of the business processes executed in SAP.
2. Preparation of SoD Rulebook: prepare the SoD Rulebook with risks classified as Critical, High, Medium and Low; validate it with the BPO(s) and Audit; obtain sign-offs.
3. SoD Report and Mitigation Control Design: prepare the SoD report at role and user level; identify the conflicts to live with; design the applicable mitigation controls.
4. UAT and Training: assist in the preparation of the "To-Be" governance framework; assist in conducting UAT; conduct training for Initiators, Approvers and Administrators.
5. Monitoring and Sustenance: provide hyper-care support.
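The Access Risk Analysis steps above (functions mapped to actions, a rulebook of conflicting function pairs classified Critical/High/Medium/Low, conflict detection at role and user level, and mitigation controls for the conflicts the business decides to live with) are the core of an SoD engine, and they are easier to reason about in code. The following is an added worked example in Python; it is not the Vendor's, SAP's or this proposal's code. Every function ID, risk ID, transaction set, role, user and mitigation control ID is constructed sample data, and the matching is at action (transaction code) level only: SAP GRC can additionally analyse at permission level (authorization objects and field values), which this example does not model.

```python
"""Segregation-of-duties (SoD) risk analysis at role and user level.

Added illustration, not the Vendor's or SAP's code. All IDs, transaction
sets, roles, users and the mitigation control below are constructed.
"""
from typing import Dict, Optional, Set, Tuple

# A function is a business activity plus the SAP transaction codes (actions)
# that perform it. Hypothetical IDs, not SAP's delivered rule set.
FUNCTIONS: Dict[str, Set[str]] = {
    "AP01_VENDOR_MASTER": {"XK01", "XK02", "FK01", "FK02"},
    "AP02_VENDOR_INVOICE": {"FB60", "MIRO"},
    "AP03_VENDOR_PAYMENT": {"F110", "F-53"},
    "PR01_PURCHASE_ORDER": {"ME21N", "ME22N"},
    "PR02_GOODS_RECEIPT": {"MIGO"},
}

# A risk is a pair of functions one person must not hold together, with the
# rulebook classification (Critical / High / Medium / Low).
RISKS: Dict[str, Tuple[str, str, str]] = {
    "P001": ("Critical", "AP01_VENDOR_MASTER", "AP03_VENDOR_PAYMENT"),
    "P002": ("High", "AP02_VENDOR_INVOICE", "AP03_VENDOR_PAYMENT"),
    "P003": ("Medium", "PR01_PURCHASE_ORDER", "PR02_GOODS_RECEIPT"),
}

# Roles as sets of transaction codes, and user-to-role assignments (constructed).
ROLES: Dict[str, Set[str]] = {
    "AP_SUPER": {"XK01", "FB60", "F110"},        # conflicts inside a single role
    "AP_INVOICE_CLERK": {"FB60", "MIRO"},        # clean on its own
    "AP_PAYMENT_RUN": {"F110", "F-53"},          # clean on its own
    "PURCHASER": {"ME21N", "ME22N"},
    "WAREHOUSE": {"MIGO"},
}
USERS: Dict[str, Set[str]] = {
    "ADMIN1": {"AP_SUPER"},
    "JSMITH": {"AP_INVOICE_CLERK", "AP_PAYMENT_RUN"},  # conflict only by combination
    "PBUYER": {"PURCHASER"},
}

# Mitigation controls accepted for a (user, risk) pair: a conflict the business
# has chosen to live with under a compensating control. Hypothetical control ID.
MITIGATIONS: Dict[Tuple[str, str], str] = {
    ("JSMITH", "P002"): "MC-0042",
}


def functions_executable(tcodes: Set[str]) -> Set[str]:
    """Functions a holder of these transaction codes can perform.

    Action-level matching: holding any one transaction of a function counts.
    """
    return {fn for fn, actions in FUNCTIONS.items() if actions & tcodes}


def risks_for(tcodes: Set[str]) -> Dict[str, str]:
    """Risk IDs violated by this set of transactions, mapped to their level."""
    held = functions_executable(tcodes)
    return {rid: level for rid, (level, fa, fb) in RISKS.items()
            if fa in held and fb in held}


def role_level_report() -> Dict[str, Dict[str, str]]:
    """Conflicts that exist inside a single role: these are fixed in role design (BRM)."""
    return {role: risks_for(tcodes) for role, tcodes in ROLES.items()}


def user_level_report() -> Dict[str, Dict[str, Dict[str, Optional[str]]]]:
    """Conflicts per user across all assigned roles, with mitigation status."""
    report: Dict[str, Dict[str, Dict[str, Optional[str]]]] = {}
    for user, roles in USERS.items():
        tcodes: Set[str] = set().union(*(ROLES[r] for r in roles))
        report[user] = {
            rid: {"level": level, "mitigation": MITIGATIONS.get((user, rid))}
            for rid, level in risks_for(tcodes).items()
        }
    return report


def unmitigated_by_level(user_report: Dict[str, Dict[str, Dict[str, Optional[str]]]]) -> Dict[str, int]:
    """Headline numbers for the SoD report: open (unmitigated) violations per level."""
    counts = {"Critical": 0, "High": 0, "Medium": 0, "Low": 0}
    for violations in user_report.values():
        for v in violations.values():
            if v["mitigation"] is None:
                counts[str(v["level"])] += 1
    return counts


if __name__ == "__main__":
    for role, risks in role_level_report().items():
        print(f"role {role}: {risks or 'clean'}")
    users = user_level_report()
    for user, risks in users.items():
        print(f"user {user}: {risks or 'clean'}")
    print("open violations:", unmitigated_by_level(users))
```

The point the two reports make together: JSMITH's two roles are each clean at role level, yet their combination is a High risk at user level. That is why ARM has to re-run the analysis at request time and why a clean role library (BRM) alone does not give SoD compliance.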
3 Scope of Work
Scope as we understand*
Based on our discussions with the management, the overall functional scope of the engagement will be as below:
SAP Processes/Modules/Systems in scope: SAP ECC System
SAP GRC Applications in scope: SAP GRC Access Controls 10.1
• Access Risk Analysis (ARA)
• Access Request Management (ARM)
• Emergency Access Management (EAM)
• Business Role Management (BRM)
4 Our Approach and Team Involvement
Our tailored roadmap for implementing GRC
GRC Journey (roadmap figure; the only step label recoverable from the slide is "Identify applicable Mitigation Controls")
Rationale behind our Implementation Roadmap for SAP GRC
Our overall roadmap is tailored to help you achieve a faster go-live with the help of 'accelerators'. The advantage you gain is that while the clean-up of existing access is still in progress, your GRC system is already up and running, ensuring that new users and roles are compliant.
Our Approach for SAP GRC Implementation
Phases A to E (phase labels recoverable from the slide): Rule set Define Phase; Analyze Risks (Phase C); Define Governance Framework (PMU, EAM and BRM); Prepare Configuration Documents and User Manuals.
Workshop Based Approach for Ruleset preparation
Flow (as recoverable from the slide): Business Process, Understand, Workshop, Controls to Automate, Deployment.
(The slide also carries text from sample work-product images that cannot be fully reconstructed: a controls services catalogue listing Business Process Solutions Alignment (evaluate the application portfolio for efficiency and effectiveness in meeting strategic business needs), Controls Optimization (evaluate SOX documentation for opportunities to leverage application controls), End User Computing Control Review (for spreadsheets/databases supporting a significant business process assessed as high or critical, identify and recommend policy/procedure to support audit reliance) and Vendor Management (determine a roadmap to address risks related to outsourcing IT processes, with detailed risk assessment and risk management guidance), each staffed with a Sr Mgr, Mgr and Sr for 4 to 8 weeks; and an application inventory for cash receipts (lockbox), cash disbursements (wire and check, imprest), AP/procurement card, AP sub-contractors and A/P receipt and recording (invoices), naming the banking, AccPac/OneGlobe/SAP and spreadsheet systems involved.)
Deployment: Risk and Control Matrix (sample work product)
Risk and Control Matrix
Process: Reconciliations (Labor Cost Reconciliation Process)
As of: 1/25/2006
Prepared by: Jeff Smith

Risk # | Risk Description | Risk Type | Control # | Control Name | Control Category | Control Type | Risk Assessment | Control for Testing
1 | Labor Cost data is inaccurately recorded in the General Ledger. | Accuracy | 1 | Labor Cost Data to GL Data Reconciliation | IT Dependent - Manual | Detect | Moderate | Yes
2 | Labor Cost Data is not completely recorded in the General Ledger. | Completeness | 1 | Labor Cost Data to GL Data Reconciliation | IT Dependent - Manual | Detect | Moderate | Yes
3 | Labor Cost Data is transferred to the General Ledger in the wrong period. | Completeness | 1 | Labor Cost Data to GL Data Reconciliation | IT Dependent - Manual | Detect | Moderate | Yes
4 | Labor Cost Data is not transferred to the General Ledger. | Completeness | 1 | Labor Cost Data to GL Data Reconciliation | IT Dependent - Manual | Detect | Moderate | Yes

Control Description (Control 1, the same for all four risks): This reconciliation compares the completeness and accuracy of labor costs recorded through the Projects Module to the Labor Costs recorded in the General Ledger. Once the Reconciliation has been performed through the Reconciliation Database User Interface, a Systems Engineer reviews the following reports: (1) Summary Report, (2) Exception Report. If any exceptions are noted, the Systems Engineer will determine whether any follow-up is required. If follow-up is required, the Systems Engineer will work with the appropriate personnel to resolve the errors.
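The control description is a reconciliation with a summary report and an exception report, and the four risks in the matrix are exactly the mismatches such a reconciliation has to surface: wrong amount, short amount, wrong period, missing posting. The following is an added worked example in Python of that detective control; it is not the client's reconciliation database code. It assumes each Projects Module posting carries a document reference that reaches the General Ledger and that there is one GL line per source document (the slide does not say what key the reconciliation uses); the postings, the field names and the tolerance are constructed sample data.

```python
"""Labor cost to General Ledger reconciliation: summary and exception reports.

Added illustration of Control 1 in the Risk and Control Matrix above; not the
client's code. Record layout, matching key, tolerance and postings are constructed.
"""
from collections import defaultdict
from decimal import Decimal
from typing import Any, Dict, List

Posting = Dict[str, Any]

# Constructed: labor costs as recorded through the Projects Module.
PROJECTS_MODULE: List[Posting] = [
    {"ref": "R1", "project": "P-100", "period": "2006-01", "amount": Decimal("12500.00")},
    {"ref": "R2", "project": "P-100", "period": "2006-01", "amount": Decimal("8300.50")},
    {"ref": "R3", "project": "P-200", "period": "2006-01", "amount": Decimal("4200.00")},
    {"ref": "R4", "project": "P-200", "period": "2006-01", "amount": Decimal("975.25")},
    {"ref": "R5", "project": "P-300", "period": "2006-01", "amount": Decimal("3100.00")},
]

# Constructed: the same costs as they arrived in the General Ledger.
GENERAL_LEDGER: List[Posting] = [
    {"ref": "R1", "project": "P-100", "period": "2006-01", "amount": Decimal("12500.00")},
    {"ref": "R2", "project": "P-100", "period": "2006-01", "amount": Decimal("8030.50")},  # digits transposed
    {"ref": "R3", "project": "P-200", "period": "2006-02", "amount": Decimal("4200.00")},  # posted a period late
    # R4 never arrived in the GL
    {"ref": "R5", "project": "P-300", "period": "2006-01", "amount": Decimal("3100.00")},
    {"ref": "R9", "project": "P-300", "period": "2006-01", "amount": Decimal("500.00")},   # no Projects Module source
]

TOLERANCE = Decimal("0.01")  # assumed: rounding noise at or below one cent is ignored


def summary_report(source: List[Posting], ledger: List[Posting]) -> Dict[str, Dict[str, Decimal]]:
    """Per-period totals on both sides and the difference (source minus GL)."""
    totals: Dict[str, Dict[str, Decimal]] = defaultdict(
        lambda: {"projects_module": Decimal("0.00"), "general_ledger": Decimal("0.00")})
    for p in source:
        totals[p["period"]]["projects_module"] += p["amount"]
    for p in ledger:
        totals[p["period"]]["general_ledger"] += p["amount"]
    return {period: {**t, "difference": t["projects_module"] - t["general_ledger"]}
            for period, t in sorted(totals.items())}


def exception_report(source: List[Posting], ledger: List[Posting],
                     tolerance: Decimal = TOLERANCE) -> List[Dict[str, Any]]:
    """Document-level mismatches for the Systems Engineer to follow up.

    Each exception names the RCM risk it evidences: 4 (not transferred),
    3 (wrong period), 1 (inaccurate amount) or 2 (GL short of the source).
    Assumes one GL line per source document reference.
    """
    unmatched_gl = {p["ref"]: p for p in ledger}
    exceptions: List[Dict[str, Any]] = []
    for src in source:
        gl = unmatched_gl.pop(src["ref"], None)
        if gl is None:
            exceptions.append({"ref": src["ref"], "type": "NOT_TRANSFERRED", "risk": 4,
                               "detail": f"{src['amount']} in Projects Module, nothing in GL"})
        elif gl["period"] != src["period"]:
            exceptions.append({"ref": src["ref"], "type": "WRONG_PERIOD", "risk": 3,
                               "detail": f"source period {src['period']}, GL period {gl['period']}"})
        elif abs(gl["amount"] - src["amount"]) > tolerance:
            exceptions.append({"ref": src["ref"], "type": "AMOUNT_MISMATCH",
                               "risk": 2 if gl["amount"] < src["amount"] else 1,
                               "detail": f"source {src['amount']}, GL {gl['amount']}"})
    # Whatever is left in the GL has no source document: not one of the four
    # listed risks, but the reviewer cannot judge the period totals without it.
    for gl in unmatched_gl.values():
        exceptions.append({"ref": gl["ref"], "type": "UNMATCHED_GL", "risk": None,
                           "detail": f"{gl['amount']} in GL with no Projects Module source"})
    return exceptions


if __name__ == "__main__":
    for period, t in summary_report(PROJECTS_MODULE, GENERAL_LEDGER).items():
        print(f"{period}: projects {t['projects_module']}  GL {t['general_ledger']}  diff {t['difference']}")
    for e in exception_report(PROJECTS_MODULE, GENERAL_LEDGER):
        print(f"{e['ref']:4} {e['type']:16} risk {e['risk']}: {e['detail']}")
```

The summary report alone would show a 4945.25 shortfall for 2006-01 but not why; the exception report is what turns that figure into four follow-up items, which is the division of labour the control description assigns to the Systems Engineer.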
Workshop flow, continued: Validate, Exception Reporting, Exceptions, Rule-set Development:
• Report & Refine
• Remediate
• Identify Compensating Controls
5 Project Governance Structure
Our Proposed Project Governance Structure
Guiding Principles
Project sponsorship, project management and business partnership are essential for projects of this scale to be successful. Our proposed project organization embeds the following key elements:
► Sponsorship: Ensure executive sponsorship and commitment to drive change to the security environment
► Structure: Streamline the structure to make decisions quickly; design it to provide teams with appropriate support but also the flexibility to manage their own domains
► Involvement: Encourage participation from a broad range of functional areas (e.g., finance, IT)
► Communication: Provide ongoing communication to manage change
► Escalation: Provide an escalation path to manage issues and risks early
Organization chart (as recoverable from the slide):
Strategic level (Govern, Promote): Steering Committee, with the Sponsor and Customer and Vendor members (joint involvement)
Operational level (Monitor, Manage): Project Management Office (PMO), with the Project Manager, the Vendor Project Manager, a Resource Manager and Subject Matter Experts, working to the team objectives
Execution level (Execute): Business/function/stream leads, Design Team Members, Vendor resources and key users
Project Monitoring & Review
Below is the project review mechanism that will be followed for the project:
Fortnightly Project Management Meeting
• Status Update
• Escalated Issues & Risks
• Updated Project Plans
(inputs: weekly status reports; overdue risks and actions are escalated to this level)
Weekly Status Meeting
• Weekly Status Report
• Updated Issues & Risks
• Minutes of meeting
(inputs: minutes of the day-to-day team meetings)
Day-to-day Team Meetings
• Project Risks, Issues, Dependencies, Actions
Project Communication Plan & escalation matrix
Communication Type | Objective | Frequency | Audience | Owner
Weekly Status Report | Report to track the project status against plan, project risks and escalations required | Every Friday | Project Stakeholders & Project Managers | Project team
Escalations | Deviations, project risks etc. which need to be highlighted to top management | As and when / Status reports | Project Stakeholders & Project Managers | Project Managers
(not recoverable from the slide) | (not recoverable from the slide) | (not recoverable from the slide) | Program Manager & Project Managers | Project Managers
(not recoverable from the slide) | (not recoverable from the slide) | As per Project Charter | Steering committee members & Project Managers | Project Managers

Escalation Matrix
Priority (Governance Category) | Escalation #1 | Escalation #2 | Escalation #3
Very High/Critical (Level 1) | Immediate Management Notifications (per Major Incident Process definition) | | 
High (Level 2) | Vendor Project Manager (4th Day) | Client Project Manager (6th Day) | Steering Committee (15th Day)
Medium/Low (Level 3) | Vendor Project Manager (7th Day) | Client Project Manager (11th Day) | Steering Committee (25th Day)
Governance Framework
Process Flow – Improvement (Change Request)
Swimlanes: Business Users, Vendor Execution Team, Vendor Team
Steps (as recoverable from the slide): Improvement Notification (Change Request) Creation; Compilation by Project Lead; Approval by Project Manager; Approval by IT Head (the slide shows a "No" branch); Solution Designing; Solution Testing; Onsite team and User Acceptance Testing; Knowledge Repository Updated.
6 Our Deliverables
Our Deliverables – Phase Wise
Phase A: Project charter; Meeting Schedule; Project Plan
Phase B: SoD Rulebook
Phase C: SoD Report – User Level
Phase D: Mitigation Controls
UAT Scripts (listed under Phases C/D; the column is not recoverable from the slide)
7 Tools & Knowledgebase
Vendor – GRC – Rule set library
Other Enablers – Process Depot, Risk & Controls Repository
8 Our Differentiators
Industry Expertise
► Extensive work in the consumer products industry with deep
knowledge of business processes
► Involvement of appropriate Industry experts during the design
workshops for SAP application
GRC Expertise
► Rich domain expertise in the field of Segregation of duties, user role
design and authorizations, GRC implementations and reviews
Why Vendor is "Best Fit" for ABC
How Vendor is uniquely positioned to be the preferred partner for your GRC journey
1 Our ability to assist you throughout the lifecycle of the GRC implementation journey
2 Our rich Audit, Risk and Controls experience in some of the major organizations, both nationally and overseas
3 Our strong team with extensive experience in SAP GRC implementation and Role Re-design, and knowledge of identifying Risks and implementing Controls in an ERP landscape
Vendor India GRC Practice Overview
Vendor GRC India practice has proven its GRC expertise with multiple GRC implementations and capability to deliver solutions for all SAP GRC modules
Our Team
Our team is a mix of technical and functional experts with diverse industry exposure:
Technical Expertise: SAP Security, BI/BO, CRM, HR; SAP GRC 5.3, 10.0 and 10.1; Vendor Analyzer (Approva); SAP GRC Access Controls 10.0 Certified
Functional Expertise: SAP Functional (FI, CO, MM, SD, HR, PP, PM, PS, QM, SRM, CRM); Risk and Controls; Audit and SOX
Professional background: Chartered Accountants; MBA; Engineers; ABAP Development
Previous organization: Big 4; SAP; Accenture; IBM/Infosys
9 Annexure I - Sample Work-Products
Sample Work Products (illustrative)
• User, Technical and configuration Guides
• Custom Dashboards created for analyses and remediation monitoring
• GRC 10 Access Control Dashboards configured for (caption truncated on the slide)
Thank You