sap risk identification and remediation script


Page 1: SAP Risk Identification and Remediation Script

SAP Best Practices SAP GRC Risk Identification and Remediation

September 26, 2007 English

SAP GRC Risk Identification and Remediation

SAP AG Neurottstr. 16 69190 Walldorf Germany

Business Scenario Script for Discovery System version 3


© SAP AG Page 2 of 17

Contents

Introduction (page 3)
Statistical Overview (page 3)
Initial Segregation of Duties Clean-up Process (Get Clean) (page 6)
Prevention through Simulation (page 10)
Stay Clean – Prepare for an Audit (page 12)
Overview Mitigation Controls (page 14)
Create Controls (page 14)
Executive-Level View (page 17)


Introduction

SAP GRC Access Control delivers a comprehensive, cross-enterprise set of access controls that enables all corporate compliance stakeholders, including business managers, auditors, and IT security managers, to collaboratively define and oversee proper Segregation of Duties (SoD) enforcement. SoD can be quite challenging to achieve in a small operation, as it is not always possible to have enough staff to properly segregate duties. In those cases, management needs to take a more active role in achieving separation of duties, by reviewing the transactions performed by other users or by using other mitigating controls.

Risk Identification and Remediation (formerly known as Compliance Calibrator) software helps automate all SoD-related activities. It detects even the most obscure access and authorization risks across SAP and non-SAP applications, providing protection against every potential source of risk, including segregation of duties and transaction monitoring. These applications for access and authorization control enable fast, efficient remediation and mitigation of access and authorization risks by automating workflows and enabling collaboration among business and technical users. Risk Identification and Remediation provides the ability to perform several major functions.

Statistical Overview

By logging in to SAP GRC Access Control as an Internal Auditor or Chief Compliance Officer, you can look at the overall risk across the entire organization, ensure compliance, and prepare for an external audit.

1. Log into the Compliance Calibrator demo server: http://SAPDiscoverySystem:51000/webdynpro/dispatcher/virsa/ccappcomp/ComplianceCalibrator

USER: Mbond
PASSWORD: sarbanes1


2. Select the Informer tab (this should be the default view on logon).
3. Select Risk Violations (left-hand table).
4. Select “PR” (Business Risks) on the Dashboard under the bar graph.

Note: These are all the Procure-to-Pay risks found in the SAP system.

5. Click on ‘no. of violations’ to display the users for risk P001 (7,730).

These are the users who are in violation of this risk.

6. Select the to go back to the ‘SOD Violations by Process: Procure to Pay’ screen.
7. Click on “P001” to see the risk description.

It is easy for business users to define new rules by just combining two conflicting functions; Compliance Calibrator adds all the appropriate transactions and authorization objects.

8. Select “AP02: AP02 - Process Vendor Invoices”.
9. The Function Information screen appears.

NOTE: Compliance Calibrator automatically knows which SAP actions and permissions, or “authorization objects”, are part of this function. There are 28 different transactions in SAP to Process Vendor Invoices and another 185 authorization object values; all come pre-configured out of the box.

10. Select the to go back.
11. Select “PR01: PR01 - Vendor Master Maintenance”.
12. Select the ‘Permissions’ tab.
13. Open an action (FK01).
14. Open an authorization object to show its field values.

Note: Compliance Calibrator has an out-of-the-box library of more than 100,000 different authorization object combinations in SAP that can cause risk; this best-practices database gets you up and running quickly. Because these authorization objects come pre-configured, customers tell us this can save up to 400 hours of time during implementation.

15. Select Log off.


Initial Segregation of Duties Clean-up Process (Get Clean)

When an organization applies enterprise-wide segregation of duties rules for the first time, there is usually an initial “clean-up” project required. Through the central risk analysis and remediation capability of SAP GRC Access Control (formerly known as “Virsa Compliance Calibrator”), internal audit can not only review the current status of this project, but also help business owner teams work through their remediation issues. Business owners like Fox Wilson can be given complete reports of deficiencies. They can drill down to the specific system and to exactly which role is causing the violation. Now Fox Wilson can tackle, for example, the risks of one of his direct reports, Brent Bailo. He can work on Brent’s risks one at a time and resolve them. Compliance Calibrator can even find transactions embedded in custom code or user exits; ONLY a real-time solution inside SAP can perform this type of risk analysis.

1. Log into the Compliance Calibrator demo server: http://SAPDiscoverySystem:51000/webdynpro/dispatcher/virsa/ccappcomp/ComplianceCalibrator

USER: Fwilson
PASSWORD: sarbanes1

2. Select the Informer tab (this should be the default view on logon).
3. Select Risk Analysis, then “User Level”.
4. Enter User: BBAILO.
5. Select Report Type: Permission Level.
6. Select Report Format: Detail.
7. Click ‘Execute’.
8. Click the Risk Description ID F00500M01 text ‘Maintain bank account and post a payment from it.’


Mitigate the Risk

9. The risk “F00500M: Maintain bank account and post a payment from it” already has Mitigate selected.
10. Click Continue.

NOTE: Choose an appropriate mitigating control from the approved mitigation list. It is important to have “control” around mitigations to make sure they are meaningful. This is a very important step and is not available in other solutions. When your auditor arrives 6 months down the road and sees that Brent Bailo has SoD risk in his authorizations, they will notice that you have assigned a mitigating control; in addition, they will see that you have even documented that control. GREAT, better than most companies. Now the mitigating control states that the Corporate Accountant will run a report on a weekly basis, and the auditor will ask, “Can you prove to me that this report was actually run and reviewed?” The “mitigation monitor” is an individual who will get an e-mail if the payment detail report is not run on a weekly basis, and who will follow up with the Corporate Accountant to help ensure control effectiveness.

11. Search for Mitigation Control.
12. Select Mitigation Control: FI_002790.


13. Enter Control Valid to: (current date).
14. Select a Monitor ID: HASSELT.
15. Save.

Remediation through “Access Removal”

16. Select ‘Remove Access from the User’ (instead of Mitigate the Risk, which was the default).
17. Click ‘Continue’.

NOTE: If this user had been running transactions, from here you can see exactly how many times the user has performed the transaction since the user got access to the system. Many users do not even know they have access. SAP GRC Access Control allows business users to collaborate with technical users on risk resolution. The business user is the correct person to make the risk tradeoff of whether BBAILO should have this access or not, BUT they are probably not the right person to decide to remove this transaction from the role (which will affect other users); that is a technical tradeoff. SAP GRC Access Control sends a workflow ticket off to a technical user to implement the remediation.

18. Click ‘Cancel’.


Delimit access for the user

Delimit allows you to specify a certain time period during which the user’s access will remain in place before the workflow ticket is sent off for resolution.

19. Select “Delimit access for the user”.
20. Click Continue.
21. Enter a comment: “Please investigate removing role from Brent or transaction from the role”.
22. Click Cancel.
23. Click “User Level” (left-hand table).


Prevention through Simulation

If Fox needs to make any changes to the privileges granted to any of his users, he can see the implications before he makes any changes. Fox can simulate those changes BEFORE implementing them in production. The simulation can take place at the user level, role level or position level. For example, Fox Wilson can check what will happen if he grants Brent Bailo additional access rights.

1. Select the following fields:

Field     Value
System    ERP-Discovery
User      BBAILO

2. Select “Simulation”.
3. Set ‘Type’: Role.
4. Click ‘Value’: Drilldown.


5. Enter “VS::FI_VM*” in Role.
6. Click Search.
7. Select the role (press Select).
8. Set ‘Risks from Simulation Only’ to Yes.
9. Click ‘Simulate’.

Note: By performing simulation we are implementing a PREVENTIVE control that avoids risk before it is introduced into the production environment.

10. Click the Details icon (in the upper right-hand corner) to see which roles the conflicts come from.

11. Log off Fox Wilson.
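The rule model the script walks through on pages 4 to 6 (a risk is two conflicting functions; each function expands to actions and the authorization object values they need; a user is analysed at action or permission level) and the role simulation on page 11 can be reduced to a small engine. The Python below is an added example written for this page, not SAP or Virsa code: every function, risk, role, user and authorization value in it is constructed for illustration, and the parameter names (`report_type`, `risks_from_simulation_only`) are my own rather than the product's.

```python
"""SoD rule evaluation and role-change simulation (added example; all data
constructed, none of it is SAP rule content)."""

# A function maps each action (transaction code) to the authorization object
# field values that action needs: (object, field, value). Real functions carry
# dozens of actions and hundreds of values; two or three suffice here.
FUNCTIONS = {
    "AP02": {  # Process Vendor Invoices (constructed content)
        "FB60": {("F_BKPF_BUK", "ACTVT", "01")},
        "MIRO": {("F_BKPF_BUK", "ACTVT", "01"), ("M_RECH_WRK", "ACTVT", "01")},
    },
    "PR01": {  # Vendor Master Maintenance (constructed content)
        "FK01": {("F_LFA1_APP", "ACTVT", "01")},
        "FK02": {("F_LFA1_APP", "ACTVT", "02")},
    },
    "PY01": {  # Run automatic payments (constructed)
        "F110": {("F_REGU_BUK", "FBTCH", "21")},
    },
}

# A risk is defined by naming two conflicting functions; the engine expands it
# to every action/permission combination that would realise both.
RISKS = {
    "P001": {"functions": ("AP02", "PR01"), "process": "Procure to Pay", "level": "High"},
    "F005": {"functions": ("PR01", "PY01"), "process": "Finance", "level": "High"},
}

# Roles grant actions and authorization values; users hold roles (constructed).
ROLES = {
    "Z_AP_CLERK": {
        "actions": {"FB60", "MIRO"},
        "permissions": {("F_BKPF_BUK", "ACTVT", "01"), ("M_RECH_WRK", "ACTVT", "01")},
    },
    # Has the vendor transaction codes but only the display value (03), so it
    # shows up at action level and disappears at permission level.
    "Z_VENDOR_DISPLAY": {
        "actions": {"FK01", "FK02"},
        "permissions": {("F_LFA1_APP", "ACTVT", "03")},
    },
    "Z_VENDOR_MAINT": {
        "actions": {"FK01", "FK02"},
        "permissions": {("F_LFA1_APP", "ACTVT", "01"), ("F_LFA1_APP", "ACTVT", "02")},
    },
    "Z_PAYMENT_RUN": {
        "actions": {"F110"},
        "permissions": {("F_REGU_BUK", "FBTCH", "21")},
    },
}
USERS = {"BBAILO": {"Z_AP_CLERK", "Z_VENDOR_DISPLAY"}}


def user_analysis(user, extra_roles=(), report_type="Permission"):
    """User-level risk analysis.

    Authorizations in SAP are the union of everything a user's roles grant, so
    the check runs against that union. At action level a function is held if
    any of its actions is assigned; at permission level the action must also
    come with every authorization value it needs, which drops the conflicts
    the authorization check would block anyway. Returns
    {risk_id: {function_id: roles contributing to that function}}."""
    role_ids = set(USERS.get(user, set())) | set(extra_roles)
    actions = set().union(*(ROLES[r]["actions"] for r in role_ids))
    perms = set().union(*(ROLES[r]["permissions"] for r in role_ids))
    violations = {}
    for risk_id, risk in RISKS.items():
        detail = {}
        for fid in risk["functions"]:
            usable = {a for a, needed in FUNCTIONS[fid].items()
                      if a in actions and (report_type == "Action" or needed <= perms)}
            if not usable:
                break  # one function missing means no conflict for this risk
            # drill-down: which roles supply an action of this function
            detail[fid] = {r for r in role_ids if ROLES[r]["actions"] & usable}
        else:
            violations[risk_id] = detail
    return violations


def simulate(user, add_roles, risks_from_simulation_only=True):
    """Evaluate the user as if add_roles were already assigned (the page 11
    simulation). With risks_from_simulation_only the result lists only the
    risks the change would introduce, i.e. the cost of this request alone."""
    before = user_analysis(user)
    after = user_analysis(user, extra_roles=add_roles)
    if risks_from_simulation_only:
        return {k: v for k, v in after.items() if k not in before}
    return after


if __name__ == "__main__":
    print("permission level:", user_analysis("BBAILO"))
    print("action level:    ", user_analysis("BBAILO", report_type="Action"))
    print("simulate +Z_VENDOR_MAINT:", simulate("BBAILO", ["Z_VENDOR_MAINT"]))
```

Run as-is, BBAILO is clean at permission level but shows P001 at action level (the display-only vendor role carries the transaction codes without the change value), and simulating the addition of Z_VENDOR_MAINT reports P001 as a risk the request would introduce, attributed to the roles supplying each side of the conflict.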


Stay Clean – Prepare for an Audit

After the initial clean-up, and going forward at regular intervals (quarterly, semi-annually or at least annually), internal audit needs to get ready for an external audit.

12. Log into the Compliance Calibrator demo server: http://SAPDiscoverySystem:51000/webdynpro/dispatcher/virsa/ccappcomp/ComplianceCalibrator

USER: mbond
PASSWORD: sarbanes1

13. Select “Risk Analysis”.
14. Click “User Level”.
15. Narrow the review down to:

Field              Value
System             ERP-Discovery
User Group         SUPER
Risks by Process   Finance
Risk Level         High

16. Click “Execute” to see what

NOTE: The execution will take some time.

17. To save this query, click “Save Variant”.
18. Enter ‘SUPER in SAP -xx’, where xx is your initials.


19. Select “User Level”.
20. Select “Search Variant”.
21. Select the variant you just created. Notice that the settings you created are now the defaults.
22. Select the “Mitigation” tab (found at the top of the page).


Overview Mitigation Controls

1. Use the pie chart to review the mitigation controls defined.
2. Use the graph to review the mitigation controls for each process.
3. Log off Maria Bond.

Create Controls

Previously we showed how Fox assigned mitigating control “XXX” with control monitor JMurphy to mitigate a high risk that Brent Bailo had. In order for Fox to select a mitigating control, he previously had to create appropriate controls for his area of responsibility. Let’s take a quick look at how Fox created the mitigating control.

1. Log into the Compliance Calibrator demo server: http://SAPDiscoverySystem:51000/webdynpro/dispatcher/virsa/ccappcomp/ComplianceCalibrator

USER: Fwilson
PASSWORD: sarbanes1

2. Select the ‘Mitigation’ tab.
3. Click ‘Mitigation Controls’.
4. Click “Create”.
5. Set Mitigation Control ID: FI_0009.
6. Enter the Description:

Reports “Display Critical Vendor Changes” (S_ALR_87010040) and “Vendor List” (S_ALR_87010036) are reviewed by the Master Data Manager.

7. Set Business Unit: CORP FINANCE.
8. Set Management Approval: MBOND.
9. Click the plus sign to add a risk.
10. Select the
11. Search for P001.
12. Select P001.


13. Select the “Monitors” tab.
14. Click the plus sign to add a monitor ID.
15. Set Monitor ID: “APPROCESS”.
16. Click the plus sign to add another monitor ID.
17. Set Monitor ID: “JMURPHY”.
18. Select the “Reports” tab.


19. Click the plus sign to add a report.
20. Set System: ERP - Discovery.
21. Set Action: S_ALR_87010040.
22. Set Monitor: JMURPHY.
23. Set Frequency to “1”.
24. Click the plus sign to add another report.
25. Set System: ERP - Discovery.
26. Set Action: S_ALR_87010036.
27. Set Monitor: JMURPHY.
28. Set Frequency to “1”.
29. Click “Save”.
30. Log off Fox Wilson.

Let’s take a quick look at the mitigation control that Fox created.

31. Log into the Compliance Calibrator demo server: http://SAPDiscoverySystem:51000/webdynpro/dispatcher/virsa/ccappcomp/ComplianceCalibrator

USER: Fwilson
PASSWORD: sarbanes1

32. Select the ‘Mitigation’ tab.
33. Click ‘Mitigation Controls’.
34. Click “Search”.
35. Set Mitigation Control ID: FI_0009.

Fox can now verify that the mitigation control was created.
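The auditor's question in the note on page 7 ("Can you prove to me that this report was actually run?") and the control built on pages 14 to 16 (two reports, a monitor, a frequency) amount to a check a defender can automate: compare each report the control relies on against an execution log and flag the control's monitor when a run is missing, and flag any assignment whose "valid to" date has passed, since the risk is then unmitigated again. The Python below is an added example for this page, not product code. It assumes the Frequency value means the number of weeks allowed between runs; the log lines, the dates, the executing user CACCOUNT and the assignment of FI_0009 to BBAILO are all constructed.

```python
"""Mitigation control effectiveness check (added example; log and control
data constructed for illustration, frequency unit assumed to be weeks)."""
from datetime import date, timedelta

# Control as built on pages 14-16: two reports, each reviewed by a monitor.
CONTROL = {
    "id": "FI_0009",
    "risks": {"P001"},
    "reports": [
        {"action": "S_ALR_87010040", "monitor": "JMURPHY", "frequency_weeks": 1},
        {"action": "S_ALR_87010036", "monitor": "JMURPHY", "frequency_weeks": 1},
    ],
}

# Constructed assignment of the control to a user for one risk; the page's
# "Control Valid to" field becomes valid_to here.
ASSIGNMENTS = [
    {"user": "BBAILO", "risk": "P001", "control": "FI_0009",
     "valid_to": date(2007, 10, 26), "monitor": "HASSELT"},
]

# Constructed execution log: date, executing user, action. The first report
# has been run every week; the second one stopped three weeks ago.
LOG_LINES = """
# date       user      action   (constructed sample)
2007-09-10   CACCOUNT  S_ALR_87010040
2007-09-17   CACCOUNT  S_ALR_87010040
2007-09-24   CACCOUNT  S_ALR_87010040
2007-09-03   CACCOUNT  S_ALR_87010036
""".strip().splitlines()


def parse_log(lines):
    """Return {action: [dates it was run]} from whitespace-separated log lines."""
    runs = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, _user, action = line.split()[:3]
        runs.setdefault(action, []).append(date.fromisoformat(day))
    return runs


def overdue_reports(control, runs, as_of):
    """Reports of the control whose last run is older than their frequency
    allows, or that were never run. Each finding names the monitor to alert,
    which is what the page says the monitor e-mail is for."""
    findings = []
    for rep in control["reports"]:
        window = timedelta(weeks=rep["frequency_weeks"])
        last = max((d for d in runs.get(rep["action"], []) if d <= as_of), default=None)
        if last is None or as_of - last > window:
            findings.append({"control": control["id"], "action": rep["action"],
                             "last_run": last, "notify": rep["monitor"]})
    return findings


def expired_assignments(assignments, as_of):
    """Assignments whose valid-to date has passed: the user carries the risk
    again with nothing mitigating it, which is what an auditor will look for."""
    return [a for a in assignments if a["valid_to"] < as_of]


def control_status(control, assignments, lines, as_of):
    """Combine both checks into one status record for the control.
    as_of may be a date or an ISO date string."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    runs = parse_log(lines)
    overdue = overdue_reports(control, runs, as_of)
    expired = [a for a in expired_assignments(assignments, as_of)
               if a["control"] == control["id"]]
    return {"control": control["id"], "effective": not overdue and not expired,
            "overdue": overdue, "expired": expired}


if __name__ == "__main__":
    print(control_status(CONTROL, ASSIGNMENTS, LOG_LINES, "2007-09-26"))
```

With the constructed log, the status as of 2007-09-26 marks FI_0009 as not effective because S_ALR_87010036 was last run on 2007-09-03, and names JMURPHY as the monitor to notify; the same check run after the assignment's valid-to date also lists the expired assignment, which is the gap an auditor would ask about.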


Executive-Level View

Executive progress tracking: interaction with management. If not already logged on, log on as Fox Wilson.

36. Log into the Compliance Calibrator demo server: http://SAPDiscoverySystem:51000/webdynpro/dispatcher/virsa/ccappcomp/ComplianceCalibrator

USER: Fwilson
PASSWORD: sarbanes1

37. Select the ‘Informer’ tab.
38. Click ‘Management View’.