
Our commitment to deliver quality and value to your business:

Turning risk into results

SAP GRC Access Controls Enablement


Contents
1 Executive Summary 02
2 Our Understanding of your expectations 04
3 Scope of Work 07
4 Our Approach and Team involvement 09
5 Project Governance Structure 14
6 Our Deliverables 19
7 Tools and Knowledgebase 22
8 Our Differentiators 27
9 Annexure I - Sample Work Products 33


1 Executive Summary
Executive Summary

Intent
Thank you for giving us the opportunity to submit this proposal to ABC ABC to provide Implementation services for 'SAP GRC Access Controls'.
Our understanding of your needs:
► Design and implement an automated risk framework for SAP users and roles
► Design and implement a workflow based access provisioning process for ongoing management of user authorizations
► Design a continuous monitoring mechanism to monitor SoD conflicts and sensitive access assigned
► Realize the framework in 'SAP GRC 10.1 – Access Control'
► Create a roadmap for optimizing the IT Landscape from an SoD and Compliance perspective

Approach
Vendor has developed a proven methodology to assist clients' SAP GRC Access Control implementations, addressing SoD and sensitive access issues, remediation, SoD mitigation and then development of ongoing continuous compliance procedures. Based on your specific requirements we have tailored our approach.
We have designed and proposed an approach which strikes an optimum balance between system based and manual controls, considering the organization, process maturity and the complexities of systematizing the controls.
Key highlights of our approach:
► It will be a partnering exercise and the activities will be planned in such a way that the key process owners' availability will be used optimally.
► The entire implementation would be carried out in such a way as to give appropriate importance and focus to all the business units.

Differentiators
Experience with ABC Group & ABC: Vendor has been providing Advisory, Assurance and Audit services to various ABC group companies and ABC. This will help us in focusing on ABC specific issues and improve the quality of execution.
Experience in SAP GRC V10.1: We have successfully completed various SAP GRC 10.1 implementations in India and abroad.
Experience in Authorization design: We have vast experience in designing Authorization frameworks, assisting clients with effective remediation and mitigation strategy and SAP Role design.
Our Team: Our team has rich experience in performing Advisory and Implementations for various clients in different industries.
Our methodology: We have tailor made our methodology to accelerate the implementation timeframe and thereby achieve a faster 'Go Live', at the same time focusing on gradual knowledge transfer to the ABC ABC project team during the course of the implementation.

4
2 Our Understanding of your expectations
Understanding the need for SAP GRC Access Controls

ABC wants to establish, to achieve clean roles and user accesses:
Automated risk identification / prevention for SAP users and roles
+ Workflow based user provisioning process
= 'Access Management Framework' for user access

What is needed? …GRC Access Controls
► Access Risk Analysis (ARA): Ensure rapid, initial clean-up
► Access Request Management (ARM): Prevent SoD violations at run time
► Business Role Management (BRM): SoD compliance at the time of role design
► Emergency Access Management (EAM): Temporary emergency access

6
Our understanding of your expectations

Identify appropriate GRC functions
► Identify appropriate GRC functions based on understanding of applicable business processes executed in SAP

Preparation of SoD Rulebook
► Assist in preparation of SoD Rulebook with risks classified as Critical, High, Medium and Low
► Validate with BPO(s) and Audit
► Obtain Sign-Offs

SoD Report Preparation and Mitigation Control Design
► Prepare SoD report at role and user level
► Identify Conflicts to live with
► Design applicable Mitigation Controls

UAT and Training
► Assist in conducting UAT of the "To-Be" governance framework
► Conduct Training for Initiators, Approvers and Administrators

Monitoring and Sustenance
► Provide Hyper-care Support

7
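The rulebook and report preparation steps above (functions, risks classified by level, SoD report at role and user level, conflicts to live with under a mitigation control) can be exercised end to end with a small analyzer. The following Python is an added example written for this page; it is not part of the proposal, of SAP GRC, or of any shipped rule set, and every function, risk ID, role, user, transaction code and mitigation control ID in it is constructed sample data.

```python
"""Minimal SoD (segregation of duties) risk analysis modelled on the GRC
Access Control concepts in the proposal: functions, a rulebook of risks
classified Critical/High/Medium/Low, role- and user-level reports, and
mitigation controls for conflicts the business chooses to live with.
Every function, risk, role, user, transaction code and control ID below is
constructed sample data (assumption), not SAP's or a client's rule set."""
from dataclasses import dataclass, field
from itertools import chain
from typing import Dict, List, Optional, Set

# A function is a business capability expressed as the SAP actions (t-codes) that grant it.
FUNCTIONS: Dict[str, dict] = {
    "PR01": {"name": "Create / change purchase order", "actions": {"ME21N", "ME22N"}},
    "AP01": {"name": "Enter vendor invoice", "actions": {"MIRO", "FB60"}},
    "PM01": {"name": "Run vendor payment", "actions": {"F110"}},
    "VM01": {"name": "Maintain vendor master", "actions": {"XK01", "XK02"}},
}

# Rulebook: a risk fires when one subject holds every function in the set.
RISKS: Dict[str, dict] = {
    "P001": {"functions": {"PR01", "AP01"}, "level": "High",
             "description": "Create purchase orders and enter invoices against them"},
    "P002": {"functions": {"VM01", "PM01"}, "level": "Critical",
             "description": "Maintain vendor bank details and release payments"},
    "P003": {"functions": {"PR01", "VM01"}, "level": "Medium",
             "description": "Create purchase orders and maintain vendor master"},
}
LEVEL_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Roles carry actions; users carry roles (constructed sample data).
ROLES: Dict[str, Set[str]] = {
    "Z_PURCHASER": {"ME21N", "ME22N", "ME23N"},
    "Z_AP_CLERK": {"MIRO", "FB60", "MIR4"},
    "Z_VENDOR_MASTER": {"XK01", "XK02", "XK03"},
    "Z_PAYMENT_RUN": {"F110"},
    "Z_PURCHASE_ALL": {"ME21N", "MIRO"},      # conflicting on its own: a role-level finding
}
USERS: Dict[str, Set[str]] = {
    "alice": {"Z_PURCHASER", "Z_AP_CLERK"},   # conflict arises only from the combination
    "bob": {"Z_VENDOR_MASTER", "Z_PAYMENT_RUN"},
    "carol": {"Z_PURCHASE_ALL"},
    "dave": {"Z_PURCHASER"},
}
# Conflicts the business decided to live with, each tied to a mitigation control ID.
MITIGATIONS = {("bob", "P002"): "MC-001"}


@dataclass
class Violation:
    subject: str
    scope: str                       # "role" or "user"
    risk_id: str
    level: str
    evidence: Dict[str, List[str]] = field(default_factory=dict)  # function -> actions held
    mitigation: Optional[str] = None


def enabled_functions(actions: Set[str]) -> Dict[str, Set[str]]:
    """Map each function the subject can perform to the actions that enable it."""
    return {fid: f["actions"] & actions
            for fid, f in FUNCTIONS.items() if f["actions"] & actions}


def analyze(subject: str, scope: str, actions: Set[str], mitigations=None) -> List[Violation]:
    """Evaluate every rulebook risk against one subject's effective actions."""
    mitigations = mitigations or {}
    enabled = enabled_functions(actions)
    hits = []
    for rid, risk in RISKS.items():
        if risk["functions"].issubset(enabled):
            evidence = {fid: sorted(enabled[fid]) for fid in sorted(risk["functions"])}
            hits.append(Violation(subject, scope, rid, risk["level"], evidence,
                                  mitigations.get((subject, rid))))
    return sorted(hits, key=lambda v: LEVEL_ORDER[v.level])


def role_level_report(roles=ROLES) -> List[Violation]:
    """Conflicts built into a single role (to be fixed at role design time)."""
    return list(chain.from_iterable(analyze(r, "role", a) for r, a in roles.items()))


def user_level_report(users=USERS, roles=ROLES, mitigations=MITIGATIONS) -> List[Violation]:
    """Conflicts from the union of a user's roles, annotated with accepted mitigations."""
    report = []
    for user, assigned in users.items():
        actions = set().union(*(roles[r] for r in assigned))
        report.extend(analyze(user, "user", actions, mitigations))
    return report


def open_violations(report: List[Violation]) -> List[Violation]:
    """What still needs remediation: findings with no mitigation control attached."""
    return [v for v in report if v.mitigation is None]


if __name__ == "__main__":
    for v in role_level_report() + user_level_report():
        status = f"mitigated by {v.mitigation}" if v.mitigation else "OPEN"
        print(f"{v.level:8} {v.scope:4} {v.subject:16} {v.risk_id} "
              f"{RISKS[v.risk_id]['description']} [{status}] {v.evidence}")
```

The role-level pass catches Z_PURCHASE_ALL, a conflict that every holder inherits and that only role redesign removes; the user-level pass catches alice, whose conflict exists only because of the combination of two individually clean roles, which is the case the workflow based provisioning step has to intercept. The evidence field records which transaction codes trigger each function, which is what a process owner needs during rulebook validation to decide whether a risk is real or a rule needs refining.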
3 Scope of Work
Scope as we understand*
Based on our discussions with the management the overall functional scope of the engagement will be as below:

SAP GRC Access Control 10.1 Implementation

In Scope:
SAP Processes/Modules/Systems: SAP ECC System
SAP GRC Applications: SAP GRC Access Controls 10.1
• Access Risk Analysis (ARA)
• Access Request Management (ARM)
• Emergency Access Management (EAM)
• Business Role Management (BRM)

9
4 Our Approach and Team Involvement
Our tailored roadmap for implementing GRC

GRC Journey
1 Charter a roadmap for clean roles and identify remediation strategies
2 Implement GRC Access Control solution
3 Identify risk rules as applicable to your organization
4 Identify applicable Mitigation Controls
5 Create governance framework
6 Monitor for compliance and exceptions on an ongoing basis

11
Rationale behind our Implementation Roadmap for SAP GRC

Our overall roadmap is tailored to help you achieve a faster go live, with the help of 'accelerators'. The advantage you will gain is that while remediation of existing access is still in progress, your GRC is already up and running, ensuring that new users and roles are compliant.

12
Our Approach for SAP GRC Implementation

Phase A – Project Definition and Preparation
Phase B – Rule set Definition and Configuration
Phase C – Analyze Risks and Define Mitigation Controls
Phase D – Define Governance Framework
Phase E – Hyper-Care

Proposed Services
1 Prepare Project Plan and templates (Phase A)
2 Defining SOD rules (Phase B)
3 Risk Analysis and categorization (Phase C)
Define Governance Framework (PMU, EAM and BRM) (Phase D)
Provide Hyper-Care support (Phase E)
Prepare Configuration Documents and User Manuals (across phases)

13
Workshop Based Approach for Ruleset preparation

Inputs to the workshop:
• Vendor/Mercury ERP Controls Content & Process Documentation
• Vendor Knowledge & Experience
• Client Knowledge & Experience

Workshop
Understand Business
• Understand business process inputs / concerns
• Validate What-Could-Go-Wrongs i.e. risks
Controls Analysis
• Risk Weighting
• Control Mix
• Controls to Automate
• Phased Approach
• Deployment
Exception Reporting / Validate
Exceptions
• Report & Refine
• Remediate
• Identify Compensating Controls

Output: Rule-set Development

Sample work products shown on the slide (illustrative):

Process Inventory (columns: Priority, Project Name, Description, Sponsor Contact, Appx. Size, Appx Start, Resources Required, Resource Contact, LOU, Schedule/Staffing & Notes)
1 IT Asset Landscape: High level study of potential risk areas and development of streamlined audit and IT risk remediation needs including consideration of control work being documented under various projects. Sponsor: Salluzzo; Size: 150; Start: 16-Sep; Resources: Mgr and Sr Mgr; Contact: Grossberg; Notes: 80% Complete
2 Privacy Diagnostic: Umbrella review of various regulatory requirements regarding data privacy and security that are most significant to ABC's global business and an assessment of the processes, procedures and technology to ensure compliance. Sponsor: Salluzzo; Size: 500; Start: 1-Jan; Resources: Senior for 8 weeks; Contact: Leizerov; Notes: Significant Mega
Business Process Solutions Alignment: Evaluate application portfolio for efficiency and effectiveness in meeting strategic business needs. Sponsor: Webber; Size: 600; Resources: Sr Mgr, Mgr & Sr for 6-8 weeks; Contact: Grossberg
Controls Optimization: Evaluate SOX documentation for opportunities to leverage application controls. Sponsor: Webber; Size: 120/; Resources: Sr Mgr, Mgr & Sr; Contact: Grossberg
End User Computing Control Review: For the spreadsheets/databases [End User Computing (EUC)] that support a significant business process where the importance is assessed as high or critical, identify and recommend policy/procedure to support audit reliance. Sponsor: Webber; Size: 400; Resources: Sr Mgr, Mgr & Sr for 4 weeks; Contact: Levy
Vendor Management: Determine a roadmap to address risks related to outsourcing IT processes. Provide detailed risk assessment and risk management guidance. Sponsor: Webber; Size: 200; Resources: Sr Mgr and Mgr for 4 weeks; Contact: Grossberg

Applications by Region (columns: Processes, Sub Processes, Asia Pacific, North America, EMEA, Latin America)
Processes/sub processes listed: Cash Receipts (Wire and Checks In Office; Lockbox); AP/Cash Disbursements (Wire & Check Payables; A/P Receipt and Recording (invoices); Imprest; AP/Procurement Card; AP Sub-Contractors). Applications mapped per region include APS, AccPac, Desk Bank, OneGlobe, CitiDirect, SM Banking, DBS Web Banking, Hexagon Client, Hexagon Server, SAP, MultiCash, RM, Mellon Telecash, JPMC Insight, PNC Bank, IDDC Direct, Excel and Works, with NA/N/A where a region has no application.

Risk and Control Matrix
Process: Labor Cost Reconciliation Process (Reconciliations); Prepared by: Jeff Smith; As of: 1/25/2006
Risk # / Risk Description / Risk Type:
1 Labor Cost data is inaccurately recorded in the General Ledger. (Accuracy)
2 Labor Cost Data is not completely transferred to the General Ledger. (Completeness)
3 Labor Cost Data is transferred to the General Ledger in the wrong period. (Completeness)
4 Labor Cost Data is not transferred to the General Ledger. (Completeness)
All four risks map to Control #1, Labor Cost Data to GL Data Reconciliation (Control Type: IT Dependent - Manual; Control Category: Detect; Risk Assessment: Moderate; Control for Testing: Yes). Control Description: This reconciliation compares the completeness and accuracy of labor costs recorded through the Projects Module to the Labor Costs recorded in the General Ledger. Once the Reconciliation has been performed through the Reconciliation Database User Interface, a Systems Engineer reviews the following reports: (1) Summary Report (2) Exception Report. If any exceptions are noted, the Systems Engineer will determine whether any follow-up is required. If follow-up is required, the Systems Engineer will work with the appropriate personnel to resolve the errors.

14
5 Project Governance Structure
Our Proposed Project Governance Structure

Guiding Principles
Project sponsorship, project management and business partnership are essential for projects of this scale to be successful. Our proposed project organization embeds the following key elements:
► Sponsorship: Ensure executive sponsorship and commitment to drive change to the security environment
► Structure: Streamline structure to make decisions quickly; design to provide teams with appropriate support but also the flexibility to manage their own domains
► Involvement: Encourage participation from a broad range of functional areas (i.e., finance, IT)
► Communication: Provide ongoing communication to manage change
► Validation: Enforce acceptance and validation events across business, to ensure alignment to overall objectives
► Escalation: Provide escalation path to manage issues and risks early

Proposed project organization (by layer)
Strategic (Sponsor; Govern, Promote): Project Steering Committee with Customer, Vendor and Joint Involvement Members
Operational (Monitor, Manage): Project Management Office (PMO) with Subject Matter Resources, TT Manager(s), Vendor Project Manager and Vendor resources
Support (Execute): Vendor Project Team; Business Units with Business/instance/function/stream leads, Design Team Lead, Design Team Members and key users

16
Project Monitoring & Review
Below is the project review mechanism that would be followed for the project:

Steering Committee (As per Project Charter)
RAID – Risk, Assumptions, Issues & Dependencies Register
• Project Status Report
• Escalated Issues & Risks
• Acceptance Sign-Off

Fortnightly Project Management Meeting
Status Update
• Status Meeting
• Escalated Issues & Risks
• Updated Project Plans

Weekly Status Reports, Weekly Status Meeting
Overdue Risks, Overdue Actions
• Weekly Status Report
• Updated Issues & Risk
• Minutes of meeting

Day-to-day Team Meetings
Minutes of meeting, Project Risks, Issues, Dependency, Actions

17
Project Communication Plan & escalation matrix
Communication Type / Objective / Frequency / Audience / Owner

Weekly Status Report
Objective: Report to track the project status as against plan, project risk, escalations required.
Frequency: Every Friday
Audience: Project Stakeholders & Project Managers
Owner: Project team

Escalations
Objective: Deviations, project risk etc. which need to be highlighted to top management
Frequency: As and when / Status reports
Audience: Project Stakeholders & Project Managers
Owner: Project Managers

Fortnightly Project Review
Objective: Project Status, Risk, Issues and escalations
Frequency: Fortnight
Audience: Program Manager & Project Managers
Owner: Project Managers

Internal Vendor Quality Assurance
Objective: Project Status, Risk, Issues and escalations
Frequency: Monthly
Audience: Vendor Internal Steering committee
Owner: Vendor Project Manager

Steering Committee
Objective: Project Status, Risk, Issues and escalations
Frequency: As per Project Charter
Audience: Steering committee members & Project Managers
Owner: Project Managers

ESCALATION MATRIX
Priority (Governance Category) / Escalation #1 / Escalation #2 / Escalation #3
► Very High/Critical (Level 1): Immediate Management Notifications (per Major Incident Process definition)
► High (Level 2): Vendor Project Manager (4th Day); Client Project Manager (6th Day); Steering Committee (15th Day)
► Medium/Low (Level 3): Vendor Project Manager (7th Day); Client Project Manager (11th Day); Steering Committee (25th Day)

18
Governance Framework
Process Flow – Improvement (Change Request)
Swimlanes: Business Users / Vendor Execution Team / Vendor Team

Flow:
Requirement Identification → Requirement Documentation → Feasibility Acknowledgement → Root Cause Analysis by SME and Tech. Team → Effort estimate Compilation by Project Lead → Approval by Project Manager → Change Request Approval by IT Head (Yes / No) → Improvement (Change Request) Creation → Solution Designing → Solution Testing → Onsite team and User Acceptance Testing → Request Released → Resolved → Knowledge Repository Updated

Requirement reported by end users.
Vendor Execution team will translate the Business requirement.
Vendor team will carry out the Improvement based solution designing, solution documentation and related Training/Hand holding post required approvals.
19
6 Our Deliverables
Our Deliverables – Phase Wise

PHASE A
Project charter
Meeting Schedule
Project Plan

PHASE B
SoD Rulebook

21
Our Deliverables – Phase Wise

PHASE C
SoD Report – Role Level
SoD Report – User Level

PHASE D
Governance Framework
UAT Scripts
Mitigation Controls

22
7 Tools & Knowledgebase
Vendor – GRC – Rule set library

Vendor proprietary methodology which has evolved over a period from our global experience and knowledgebase.

Comprehensive GRC rule-sets for various business processes and SAP modules.

24
Other Enablers – Process Depot, Risk & Controls Repository

Training, user manuals and system configuration documents for system administrators, approvers and end users to help them conduct daily or periodic activities.

Role design templates for robust and efficient role design considering the detailed level authorization requirements from business.

25
8 Our Differentiators
Our Differentiators

Industry Expertise
► Extensive work in the consumer products industry with deep knowledge of business processes
► Involvement of appropriate Industry experts during the design workshops for SAP application

Our Methodology
► Methodology tailored to suit the large scale implementation project, ensuring quality and consistency
► Ensuring knowledge transfer and skill building of your team during the course of implementation

Our People
► People with deep GRC and Access controls expertise, who were earlier involved in multiple implementation and product development of SAP GRC with SAP
► Blended teams with experience in process, SAP as well as GRC, and experience in conducting SOD workshops with business and audit teams

GRC Expertise
► Rich domain expertise in the field of Segregation of duties, user role design and authorizations, GRC implementations and reviews

27
Why Vendor is "Best Fit" for ABC ABC

1 20+ Successful AC & 10+ successful PC implementations in India
► Selected Key clients – Asian Paints Limited, Godrej Consumers, Marico, Essar Oil, Viacom18, Multi Screen Media, Honda Motors, Suzlon Energy, ABC Global Beverages, Unilever (SAARC and Europe), ABC Sky, Kraft (North America), Greenply, Timken, American Waters, Himalaya Drugs
► Currently engaged with a major business conglomerate in implementing 4000+ automated controls via SAP GRC PC in India along with Risk Management and Audit Management solution

2 Largest Dedicated SAP GRC Professionals
► 50+ dedicated SAP GRC Professionals in India
► Only GRC practice to have CMMi Certification
► Team Members have relevant OEM certifications

3 Dedicated EMEIA Advisory Centre for GRC Projects
► Our GRC practice is closely integrated globally, with knowledge sharing routed through the EMEIA Advisory Center
► EMEIA advisory center to support in solutions, training, learning from international projects

28
How Vendor is uniquely positioned to be the preferred partner for your GRC journey

1 Our ability to assist you throughout the lifecycle of the GRC implementation journey
2 Our rich Audit, Risk and Controls experience in some of the major organizations both nationally and overseas
3 Our strong team with extensive experience in SAP GRC implementation, Role Re-design and knowledge of identifying Risk and implementing Controls in the ERP landscape

29
Vendor India GRC Practice Overview

Vendor GRC India practice has proven its GRC expertise with multiple GRC implementations and the capability to deliver solutions for all SAP GRC modules.

Our experience: 20+ GRC implementations in India; 10+ Global GRC implementations; 5+ GRC Governance projects

Our SAP GRC team: 55+ Technical consultants, Functional consultants, CA, MBA, Engineers, SAP certified Professionals

Our Solutions: SOD & SAP Security; SAP GRC Internal Controls; SAP GRC Access Control; SAP GRC Process Control; Risk Management

30
Our Team

2 Partners, 4 Senior Managers, 8 Managers, 27 Seniors, 13 Staff

Our team is a mix of technical and functional experts with diverse industry exposure…

Technical Expertise: SAP Security, BI/BO, CRM, HR; SAP GRC 5.3, 10.0 and 10.1; Vendor Analyzer (Approva); SAP GRC Access Controls 10.0 Certified

Functional Expertise: SAP Functional: FI, CO, MM, SD, HR, PP, PM, PS, QM, SRM, CRM; Risk and Controls; Audit and SOX

…. educational background and prior experience

Professional background: Chartered Accountants, MBA, Engineers, ABAP Development

Previous organization: Big 4, SAP, Accenture, IBM/Infosys

31
9 Annexure I - Sample Work-Products
Sample Work Products (illustrative)

33
Sample Work Products (illustrative)

34
Sample Work Products
User, Technical and configuration Guides (illustrative)

Sample User Guide; Sample Technical Guide; Sample Config Guide

35
Sample Work Products (illustrative)

Custom Dashboards created for analyses and remediation; GRC 10 Access Control Dashboards configured for monitoring

36
Thank You
