GRC Nordic SAP User Management webinar · 2020. 9. 16.
Page 1
GRC Nordic SAP User Management webinar
Page 2
SAP Authorisation management
Security and Risk Management
SAP Authorisation Support and Access Management
Licence Management
SAP User Management
Page 3
Team today
Matti Halonen Mikko Syrjänen
Page 4
SAP User Management audit – how to prepare?
Page 5
How to prepare for an SAP User Management Audit
We have divided the presentation into six blocks
Focus will be on SAP User Management
Personal experience in audit engagements
Customer audit experiences
Several areas of expertise are not discussed today, but we hope to get your feedback!
Take home from this presentation a positive attitude towards audit!
Understanding the Audit
Governance
Processes
Technical reality
ITGC
To Do List
Covid-19
Page 6
Understand different objectives
Audit types
• Financial audit
• Internal audit
• Tax audit
• Industry / quality
• Special audit
Audit objectives
• Financial reporting reliability
• Internal control environment / risks
• Compliance with industry standard
• Complexity
• Risk based approach
Efficiency vs. effectiveness
Audit plan
• Time
• Skills / Resources
• Framework
• Plan
• Findings
• Report
Page 7
How do auditors see SAP User management?
Governance
Processes
Technical reality
ITGC
Top-down risk view
SAP Authorisation concept
Role change process
Object values
System parameters
Page 8
SAP Authorisation concept
Description of how everything should work
• Organisation / ownership
• Access risk approach
• Process descriptions
• Access risk tools, details, procedures
• Technical approach
Auditor's view
• Basis for the audit
• Compares content against "standard"
• Completeness
• Up to date?
Recommendation
• Invest in this!!!
• Update
• Provide to auditor for commenting and review
Page 9
Real life comments…
Earlier we prepared days for coming audit with mixed feelings…
Now we have everything relevant documented and we simply share the updated authorisation concept document with our audit!
Page 10
Defined processes, approvals and audit trails
Authorisation Management Processes
• Roles & responsibilities
• Reporting
• Concept management
• Regular meetings to govern and improve
User Management Processes
• Tickets, CR, Incidents
• User add, move, remove, leave etc.
• Role assignment
• Role change
• Projects
Access risk management Processes
• Approach / methods
• Monitoring / Reporting
• User Access Review
• Risk reduction
• Risk prevention simulation
Page 11
Snapshot of technical reality…
Business roles / IT roles / Externals / Power and key user management
• Job descriptions vs rights
• Access risk levels
• Mitigation of remaining risks
• Correctly maintained
• Technical feasibility?!
Special topics
• User with wide rights without "job description"
• Method and tools to control
• Review process for logs
• Tables
• Program / Execution rights
• Z Codes
• Batch input sessions
Page 12
Typical audit requests
Documentation
• Information security policy
• Authorisation concept document
• Landscape
• Approval policies
Data requests
• RSPARAM/PAHI
• USR02 table
• RSUSR100 reports
• Tickets / approvals
• PA HR Tables
• Tcode / Object values
• DEV Access table
Authentication / passwords / logon etc.
Official process bypassed / Approvals
Tables
Program / Execution rights
Z Codes
Batch input sessions
Transport system
Page 15
Who has the responsibility of this area?
System Parameters
• Standard users
• Password parameters
• Logon settings
Change Management
• Transports
• Production client control history
• Change logging
• Test / quality system security
• Development system security
Other layers of security
• RFC Connections
• Firewalls, networks
• Database
• Operating System
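The deck names RSPARAM/PAHI and the USR02 table among the typical data requests and lists standard users, password parameters and logon settings under system parameters. The following script, an added example that is not material from the GRC Nordic webinar, shows what a "self audit" over those two data sets can look like: it checks a constructed RSPARAM-style parameter listing and a constructed USR02-style extract against an assumed internal policy. The policy thresholds, the 90-day inactivity limit and all sample rows are this example's assumptions; the parameter names and USR02 field semantics (BNAME, USTYP, UFLAG, TRDAT, GLTGB) are standard SAP ones.

```python
"""Self-audit of SAP logon parameters and user master data.

Added example (not code from the GRC Nordic webinar). It checks two of the
data sets the deck lists as typical audit requests, an RSPARAM-style
parameter listing and a USR02-style user extract, against an assumed
internal policy. All inputs below are constructed sample data.
"""
from datetime import date

# Audit reference date: the webinar date, fixed so the inactivity check is reproducible.
AUDIT_DATE = date(2020, 9, 16)

# Assumed policy thresholds (this example's assumptions, not values from the webinar).
POLICY = {
    "login/min_password_lng": ("min", 8),
    "login/fails_to_user_lock": ("max", 5),
    "login/password_expiration_time": ("range", (1, 90)),  # 0 means passwords never expire
    "login/no_automatic_user_sapstar": ("eq", 1),
}
# SAP standard users that should not sit unlocked with default settings.
STANDARD_USERS = {"SAP*", "DDIC", "EARLYWATCH", "SAPCPIC", "TMSADM"}
INACTIVE_DAYS = 90  # assumed policy: dialog users unused this long should be locked

# Constructed RSPARAM-style listing: parameter name -> effective value (strings, as exported).
RSPARAM = {
    "login/min_password_lng": "6",
    "login/fails_to_user_lock": "5",
    "login/password_expiration_time": "0",
    "login/no_automatic_user_sapstar": "1",
}

# Constructed USR02-style rows: (BNAME, USTYP, UFLAG, TRDAT, GLTGB)
#   USTYP A = dialog user, B = system user; UFLAG 0 = not locked, non-zero = lock flags set;
#   TRDAT = last logon date, GLTGB = valid-to date (YYYYMMDD, as stored in USR02).
USR02 = [
    ("SAP*",       "A", 0,  "20200901", "99991231"),
    ("DDIC",       "A", 32, "20190101", "99991231"),
    ("JSMITH",     "A", 0,  "20200910", "99991231"),
    ("OLDCONSULT", "A", 0,  "20191115", "20200630"),
    ("RFC_BATCH",  "B", 0,  "20200915", "99991231"),
]


def _meets(kind, want, value):
    """Evaluate one policy rule against an integer parameter value."""
    if kind == "min":
        return value >= want
    if kind == "max":
        return value <= want
    if kind == "eq":
        return value == want
    if kind == "range":
        low, high = want
        return low <= value <= high
    raise ValueError(f"unknown rule kind {kind!r}")


def check_parameters(params, policy=POLICY):
    """Return (parameter, message) findings for values missing or outside the policy."""
    findings = []
    for name, (kind, want) in policy.items():
        raw = params.get(name)
        if raw is None:
            findings.append((name, "parameter not set"))
        elif not _meets(kind, want, int(raw)):
            findings.append((name, f"value {raw} violates rule {kind} {want}"))
    return findings


def _to_date(yyyymmdd):
    return date(int(yyyymmdd[:4]), int(yyyymmdd[4:6]), int(yyyymmdd[6:8]))


def check_users(rows, today=AUDIT_DATE, inactive_days=INACTIVE_DAYS):
    """Return (user, message) findings: unlocked standard users, stale or expired dialog users."""
    findings = []
    for bname, ustyp, uflag, trdat, gltgb in rows:
        locked = uflag != 0
        if bname in STANDARD_USERS and not locked:
            findings.append((bname, "standard user is not locked"))
        if ustyp == "A" and not locked:
            if (today - _to_date(trdat)).days > inactive_days:
                findings.append((bname, f"dialog user has not logged on for > {inactive_days} days"))
            if _to_date(gltgb) < today:
                findings.append((bname, "validity period expired but user is not locked"))
    return findings


def run_self_audit(params=RSPARAM, rows=USR02, today=AUDIT_DATE):
    """Run both checks and return the findings under the headings an auditor would ask for."""
    return {
        "system parameters": check_parameters(params),
        "users": check_users(rows, today),
    }


if __name__ == "__main__":
    for area, findings in run_self_audit().items():
        print(f"== {area}: {len(findings)} finding(s)")
        for subject, message in findings:
            print(f"  {subject}: {message}")
```

On the constructed data the script reports a too-short minimum password length and passwords that never expire, an unlocked SAP* user, and a former consultant whose account is both inactive and past its validity date but still unlocked; running the same checks during the year, against real exports, is the kind of "fix obvious things" self audit the deck recommends before the auditor asks for the data.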
Page 16
How to make audit less painful / get the value
SAVE TIME
• Documentation
• Agree timetable / slack in calendar
• Auditor access / data requests
UNDERSTAND
• Audit objective
• Audit thinking
CO-OPERATE
• Be open about the situation
• Explain your plan and efforts
• Ask for advice and explanations
SELF AUDIT
• Fix obvious things during the year
• Explain this approach to your auditor
• Explain this to your management / user community
Agree the audit findings before the final report
Page 17
Top 4 Audit issues
Lack of policy / Lack of plan
• No approach to security
• No documentation
Power user monitoring
• Solution missing
• Review process failing
Access risk level
• Risk levels high
• Several areas unsecure
Approvals
• Official process bypassed
• Projects
Create plan and improve every year
SAP Documentation and guidelines
S/4 not started… or exit plan
Page 18
Impact to audit (Covid-19)
Fraud risks higher due to the uncertainty / layoffs
Personnel partly/fully remote
• Access risks / SoD
• Reduced physical observation
Audit remotely
• Authentication
• Multifactor to SAP
• Access risks
• No major issues when processes in place
Audit focus is in valuations, going concern issues currently
Will shift later to remote work questions
Page 19
GRC Nordic events 2020
Event / Date
› October › Webinar: Deep dive to SAP Security around authorisations,
› November › Webinar: SAP authorisation concept
› December › Webinar: SAP S/4 analysis