SAP Solutions for Governance, Risk, and Compliance and GRC Access Control

Upload: amarindia29

Post on 09-Mar-2016


  • SAP ERP Financials: SAP Solutions for Governance, Risk, and Compliance and SAP GRC Access Control

    Rainer Salaw, CPA, SAP Deutschland AG & Co KG, Regional Solution Sales GRC EMEA

    Barbara Mayer, Enterprise Risk Management, SAP Consulting

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 3

    AGENDA

    GRC as part of SAP Financials

    Challenge for GRC

    GRC-Suite in detail

    Value proposition

    The Fast Track to SAP Knowledge

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 5

    Gartner Strong Positive

    About SAP GRC Access Control:

    SAP is the only vendor with a Gartner "recommends" rating in all technique categories (static analysis, provisioning support, integrated provisioning workflow, transaction monitoring and emergency access).

    It offers one of the strongest product sets in our analysis, comprehensively addressing all SoD issues across multiple SAP instances.

    It is capable of running on multiple ERP platforms.

    Source: Gartner, MarketScope for Segregation of Duties Controls Within ERP, 2007

    [Figure: MarketScope rating scale from Strong Negative, Caution, Promising and Positive up to Strong Positive]

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 6

    mySAP ERP Financials

    [Figure: the four pillars of mySAP ERP Financials]

    Corporate Performance Management (CPM): Strategy Management (Balanced Scorecard), Consolidation, Planning

    Accounting & Finance Transformation: FI, FI-AA, FI-AR/AP, NewGL, CO, PCA

    Financial Supply Chain Management (FSCM): Credit Mgmt., Collections Mgmt., Dispute Mgmt., FI-CA, Biller Direct, In-house Cash

    Governance, Risk, and Compliance (GRC): internal regulations / ethical standards, strategic/operative risks, external regulations / compliance to laws

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 8

    Business Case: the True Information Age

    In 2010 the need for fast, accurate and reliable information will have increased significantly.

    In four areas the demand will rise most. Two of them are: Risk Management and Governance.

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 9

    Fragmented Processes and Systems: A Risky Situation!

    [Figure: departments across Supply Chain, Customers & Channel and Human Resource, each with its own risk and compliance pain point]

    Finance: complex, international compliance requirements (e.g. revenue recognition)

    Compliance / Risk Office: high level risks, not proactive

    Sales: credit risks, customer ratings

    Purchasing: supplier rating & embargo lists

    Management: no overview of the risk portfolio

    IT: IT security; SoD management, fraud

    Human Resource: environmental health & safety

    Supervisory board, internal audit: almost manual, sample based, not error-free controls

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 10

    Gain Confidence by Proactive Transparency with SAP GRC

    [Figure: the same departments with SAP GRC in place]

    Supervisory board, internal audit: documented decisions, audit trail

    Compliance / Risk Office: real time risk analysis, integrated view

    Management: transparency about risks => maximum confidence!

    IT: highly secured IT systems

    Purchasing: transparent rating, compliance to trade regulations

    Finance: compliance in group reporting processes

    Human Resource: compliance to environmental standards

    Sales: transparent customer solvency

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 11

    Fragmentation vs. Holistic Approach to GRC

    From fragmented risk & compliance (separate silos for Information Security, SOX Compliance, Risk Mgmt and Internal Audit) to holistic GRC

    [Figure: SAP Solutions for GRC on top of the Business Process Platform and the Business Applications]

    Cross-Industry GRC: Access Controls, Global Trade, Environment, Process Controls, Risk Management

    GRC Repository: Documentation and Monitoring

    Industry-Specific GRC

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 12

    GRC Suite Functions for All Process Orientated Risks and Regulations

    GRC Suite (cross industry solution): Access Control (Compliance Calibrator, Role Expert, Access Enforcer, Fire Fighter), Risk Management, Process Control

    Industry specific solutions: Global Trade Services (GTS), Environment, Health & Safety (EH&S), more solutions

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 13

    GRC Suite Functions for All Process Orientated Risks and Regulations

    GRC Suite (cross industry solution): Access Control, Risk Management, Process Control, GRC-Repository

    SAP GRC Access Control: Risk Analysis and Remediation, Enterprise Role Management, Compliant User Provisioning, Super User Privilege Management

    Industry specific solutions: Global Trade Services (GTS), Environment, Health & Safety (EH&S), more solutions

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 14

    SAP Solutions for GRC: Framework for an integrated GRC-Solution

    [Figure: SAP GRC Access Controls as a layer above the Business Process Platform, the Business Applications and the Business Processes]

    GRC as an integrated part of all business processes

    Leverage integration through high automation (e.g. automatic controls)

    Group-wide utilization, open architecture (usage of SAP's technology platform, no limitation to SAP ERP systems)

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 15

    GRC Repository: Central System of Record Drives Governance, Increases Transparency

    [Figure: sources feeding the GRC Repository]

    Sources of influence: Regulations & Industry Mandates, Best Practices, Control Frameworks (COSO, COBIT), Advisory Services (Auditors, Attorneys), Governmental Agencies, Councils

    Repository content: Performance Measures & Benchmarks, Risk & Control Libraries, Corporate Policies & Procedures, BOD & Committee Minutes, Internal Policies

    Enforces governance for the entire enterprise

    Regional regulations

    Multiple frameworks for each department

    Pre-built control & risk libraries

    Complete body of evidence for compliance

    Centralized knowledge base for all GRC relevant information beyond fragmentation

    Single source of truth for reporting

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 17

    How Does GRC Support You?

    Identification of all kinds of risks (group wide):

    Access Controls: segregation of duties risks, fraud, risky system authorizations, misuse of rights

    Process Controls: compliance of processing, adherence to governance, focus on operational business risks, quality of processes

    Risk Management: focus on non-operative risks, opportunity management, decision support

    Transparency and Remediation (define appropriate actions for identified risks):

    Access Controls: eliminate risks by segregation of duties (remove authorizations, redesign processes)

    Process Controls: minimize risks by defining appropriate mitigation controls

    Risk Management: maximize risk awareness (transparency, continuous monitoring, escalation, mitigation, remediation)

    Governance & Compliance: e.g. Sarbanes-Oxley Act (SOX), KonTraG; rules of business conduct, ethical standards, governance rules

    [Figure axis: the three columns range from automation to manual activity]

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 18

    How Does GRC Support You? (continued)

    Access Controls: Risk Analysis and Remediation, Enterprise Role Management, Superuser Privilege Management, Compliant User Provisioning

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 19

    SAP GRC Access Control: Sustainable Prevention of Segregation of Duties Violations

    Cross-enterprise library of best practice segregation of duties rules

    Risk Analysis and Remediation (Get Clean, minimal time to compliance): rapid, cost-effective and comprehensive initial clean-up; risk analysis, remediation and prevention services

    Enterprise Role Management (Stay Clean, continuous access management): enforce SoD compliance at design time

    Compliant User Provisioning (Stay Clean): prevent SoD violations at run time

    Superuser Privilege Management: close the #1 audit issue with temporary emergency access

    Periodic Access Review and Audit (Stay in Control, effective management oversight and audit): focus on remaining challenges during recurring audits

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 20

    Risk Analysis and Remediation: Getting Clean

    [Figure: end-to-end automation cycle of Risk Identification, Reporting, Risk Elimination and Prevention]

    Initial Risk Analysis and Remediation facilitates collaboration between Business and IT to clean up access risks.

    "The clean-up process has brought a tremendous degree of discipline to the way we think about and manage user access and authorizations." Deepak Mehrotra, SOX Compliance Manager, Synopsys Inc.

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 21

    Cross-System Risk Analysis

    [Figure: heterogeneous IT landscape with Legacy, Custom, Financials and Accounting, and Inventory and Purchasing systems; one user holds the authorization "Maintain vendor master data" in one system and the authorization "Initiate payment to vendor" in another]

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 22

    Cross-System Risk Analysis (continued)

    [Figure: the same landscape; the Virsa cross-enterprise rule set evaluates both authorizations together across the systems and flags the combination as a RISK]

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 23

    How Does it Work? Compliance Calibrator

    [Figure: real-time agents (RTA) in the connected business applications feed the risk analysis function running on ERP 2005. PLAN is the SoD matrix, i.e. the rule set. A compliance officer asks for a risk analysis for user Maier and receives the list of risks.]

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 24

    How Does it Work? Compliance Calibrator (continued)

    [Figure: the same picture with ACTUAL added: the user's actual authorizations are compared against the PLAN rule set, and the compliance officer receives a risk report for user Maier.]

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 25

    SAP GRC Access Control: Risk Analysis and Remediation Functionality

    GRC Access Control content covers more than 200 risks.

    Risk analysis and remediation functionality: risk analysis, detection and remediation of SoD violations in access control and authorization management, and of critical transactions or authorization objects

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 26

    SAP GRC Access Control: Risk Analysis and Remediation Functionality (continued)

    [Figure: the delivered content (more than 200 risks, 180,000 rules) shown as a matrix of Function 1 against Function 2, where each function is a set of transactions across systems (System 1: Transaction 1 ... Transaction n, System 2: Transaction 1 ... Transaction n, ..., System m: Transaction 2 ... Transaction m)]

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 27

    Architecture: Automatic Rule Generation

    [Figure: Compliance Calibrator rule generation]

    Business Risks: Risk 1 is the conflict between Function A and Function B; Risk 2 is the conflict between Function C and Function D.

    Business Functions: each function is a list of system actions with their permissions (Function A: Action 1 + Permission 1, Action 2 + Permission 2, Action 3 + Permission 3, ..., Action n + Permission n; Function B: Action 4 + Permission 4, Action 5 + Permission 5, Action 6 + Permission 6, ...; Function C: Action 7 + Permission 7, Action 8 + Permission 8, Action 9 + Permission 9, ...; Function D: Action 10 + Permission 10, Action 11 + Permission 11, Action 12 + Permission 12, ...).

    Rule generation: ALL cross combinations of Action + Permission between Functions A & B become Risk Rules 1 to 9 (... Risk Rule n); all cross combinations between Functions C & D become Risk Rules 10 to 18 (... Risk Rule n).
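As an added example that is not part of the slide deck and not SAP's or Virsa's code, the following Python script reproduces the rule-generation idea of this slide: a risk names two conflicting business functions, each function is a list of (action, permission) pairs, and the rules are the full cross product between the two functions. It then runs the detective check for one user (the deck's example user "Maier") and proposes which held authorizations would clear the risk. The function names, the risk ids, the permission labels and the user's authorizations are constructed for the example; the transaction codes are used only as action labels.

```python
import itertools

# Constructed sample content in the slide's terms (it is NOT SAP's delivered rule set).
# A business function is a list of (action, permission) pairs: the action stands for a
# transaction, the permission for a short label of the authorization it needs.
# A risk is a conflicting pair of functions.
FUNCTIONS = {
    "FN_MAINTAIN_VENDOR": [("XK01", "VENDOR_CREATE"), ("XK02", "VENDOR_CHANGE"), ("FK02", "VENDOR_FI_CHANGE")],
    "FN_PAY_VENDOR":      [("F110", "PAYMENT_RUN"), ("F-53", "POST_PAYMENT"), ("F-58", "PAYMENT_WITH_PRINT")],
    "FN_CREATE_PO":       [("ME21N", "PO_CREATE")],
    "FN_GOODS_RECEIPT":   [("MIGO", "GR_POST")],
}
RISKS = {
    "P001": ("FN_MAINTAIN_VENDOR", "FN_PAY_VENDOR"),   # create a fictitious vendor and pay it
    "P002": ("FN_CREATE_PO", "FN_GOODS_RECEIPT"),      # order goods and confirm their receipt
}


def generate_rules(risks, functions):
    """Rule generation as on the slide: every risk expands into ALL cross
    combinations of (action, permission) between its two functions."""
    rules = []
    for risk_id, (f1, f2) in risks.items():
        for left, right in itertools.product(functions[f1], functions[f2]):
            rules.append((risk_id, left, right))
    return rules


def analyze_user(user_auths, rules):
    """Detective risk analysis for one user: a rule fires when the user holds
    both of its (action, permission) pairs. Returns the fired rules per risk."""
    held = set(user_auths)
    violations = {}
    for risk_id, left, right in rules:
        if left in held and right in held:
            violations.setdefault(risk_id, []).append((left, right))
    return violations


def auths_to_remove(violations):
    """Remediation by segregation of duties: for each violated risk, the smaller
    set of held authorizations whose removal clears every fired rule of that risk
    (ties go to the first function). Which side to cut is still a business decision."""
    plan = {}
    for risk_id, fired in violations.items():
        left_side = {left for left, _ in fired}
        right_side = {right for _, right in fired}
        plan[risk_id] = left_side if len(left_side) <= len(right_side) else right_side
    return plan


# Constructed user "Maier": holds one side of P001 via XK01 and the other via F110,
# plus PO creation without goods receipt (so no P002 conflict).
MAIER = [("XK01", "VENDOR_CREATE"), ("F110", "PAYMENT_RUN"), ("ME21N", "PO_CREATE")]

if __name__ == "__main__":
    rules = generate_rules(RISKS, FUNCTIONS)
    print(len(rules), "rules generated")          # 9 for P001 + 1 for P002
    found = analyze_user(MAIER, rules)
    for risk_id, fired in found.items():
        print(risk_id, fired, "-> remove", auths_to_remove({risk_id: fired})[risk_id])
```

With two three-action functions the risk expands to nine rules, which is why the slide's Risk 1 produces Risk Rules 1 to 9; the real content (180,000 rules from some 200 risks) is the same construction at scale.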

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 28

    SAP GRC Access Control Risk Analysis and Remediation Functionality

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 29

    SAP GRC Access Control Risk Analysis and Remediation Functionality

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 30

    Enterprise Role Definition: Enables Enterprise Role Definition and Maintenance in a Single Location

    Enterprise-wide role definition and maintenance with a built-in segregation-of-duties check

    [Figure: SAP GRC Access Control as the central place where roles are defined against the enterprise rules, with an audit log, and distributed across applications]

    Centralized Role Management across applications

    Reduce cost of role maintenance

    Ease compliance and avoid authorization risk

    Eliminate errors and enforce best practices

    Assure audit-ready traceability and security checks

    28% time savings in role management (Customer Survey, 3/2006)

    Compliant enterprise roles

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 31

    SAP GRC Access Control Enterprise Role Management

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 32

    Typical Challenges

    Too many users have SAP_ALL: SoD violations!

    No activity monitoring, no audit trail

    No time limitation for SAP_ALL users

    No clearly responsible person for SAP_ALL authorizations

    No clear workflow in case of emergency!

    Smart emergency situation management -> SAP GRC Superuser Privilege Management for SAP

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 33

    SAP GRC Superuser Privilege Management

    [Figure: FireFighter flow in the SAP system. Maier logs in as the normal user, starts the FireFighter transaction and picks one of the FireFighter IDs assigned to him (FICO, MM, SD, Basis; a FireFighter ID carries SAP_ALL). A new session with a log is opened, he performs the activity or conducts the process, logs off as FireFighter and is back in the system as normal user Maier.]

    Eliminates the no. 1 auditor issue!

    Multiple usage of FireFighters (e.g. year end closing activities, substitution activities, design of new roles, and many more)

    Multiple FireFighter IDs are assigned to user Maier

    All FireFighter activities are recorded in detail in a log file
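The two slides above list what auditors look for in emergency access: the activity is logged, the access is time-limited, a responsible owner exists, and the reason is recorded. As an added example that is not part of the slide deck and not SAP's or Virsa's code, the following Python script reviews a constructed FireFighter session log against exactly those points. The pipe-separated log layout, the field names, the four-hour limit and the finding codes are assumptions made for the example; a real Superuser Privilege Management log has its own format.

```python
from datetime import datetime, timedelta

# Constructed FireFighter session log (NOT a real SPM log format; the layout is an assumption):
# timestamp|normal user|FireFighter ID|owner|event|detail
LOG = """\
2007-06-30T18:02:00|MAIER|FF_FICO|ff.owner.fico|LOGON|reason=year end closing
2007-06-30T18:05:10|MAIER|FF_FICO|ff.owner.fico|TX|FB50
2007-06-30T18:40:00|MAIER|FF_FICO|ff.owner.fico|LOGOFF|
2007-07-01T09:00:00|MAIER|FF_BASIS||LOGON|reason=
2007-07-01T09:01:00|MAIER|FF_BASIS||TX|SU01
2007-07-01T09:02:00|MAIER|FF_BASIS||TX|PFCG
2007-07-01T16:30:00|MAIER|FF_BASIS||LOGOFF|
2007-07-02T10:00:00|MAIER|FF_MM|ff.owner.mm|LOGON|reason=substitution
"""


def parse_sessions(log_text):
    """Group log lines into FireFighter sessions: one LOGON opens a session for
    (user, FireFighter ID), TX lines attach to it, LOGOFF closes it."""
    sessions, open_by_key = [], {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ffid, owner, event, detail = line.split("|", 5)
        key = (user, ffid)
        if event == "LOGON":
            session = {"user": user, "ffid": ffid, "owner": owner,
                       "start": datetime.fromisoformat(ts), "end": None,
                       "reason": detail.partition("=")[2], "transactions": []}
            open_by_key[key] = session
            sessions.append(session)
        elif key in open_by_key:
            session = open_by_key[key]
            if event == "TX":
                session["transactions"].append(detail)
            elif event == "LOGOFF":
                session["end"] = datetime.fromisoformat(ts)
                del open_by_key[key]
    return sessions


def review_sessions(log_text, max_duration=timedelta(hours=4)):
    """Control points from the slides, per session: a responsible owner, a stated
    reason, a closed session within the time limit, and logged activity.
    Returns {(FireFighter ID, logon time): [finding codes]}."""
    findings = {}
    for s in parse_sessions(log_text):
        issues = []
        if not s["owner"]:
            issues.append("NO_OWNER")
        if not s["reason"]:
            issues.append("NO_REASON")
        if s["end"] is None:
            issues.append("NOT_CLOSED")           # still open: check again at the next review
        else:
            if s["end"] - s["start"] > max_duration:
                issues.append("TIME_LIMIT_EXCEEDED")
            if not s["transactions"]:
                issues.append("NO_ACTIVITY_LOGGED")  # emergency access used but nothing recorded
        findings[(s["ffid"], s["start"].isoformat())] = issues
    return findings


if __name__ == "__main__":
    for key, issues in review_sessions(LOG).items():
        print(key, issues or "OK")
```

The FICO session passes every check, the Basis session has no owner, no reason and runs for seven and a half hours, and the MM session is still open; those are the findings an owner review of the log file should surface.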

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 34

    SAP GRC Superuser Privilege Management

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 35

    SAP GRC Access Controls: Compliant User Provisioning

    Assignment (and revocation) of roles and authorization profiles with a built-in, automatic segregation-of-duties check

    Current approach (inefficient, not compliant): Access Request -> Manager Approval -> Role Owner -> IT Security -> Manual Provisioning, handed along by email and in tables and forms (Word, Excel etc.)

    Workflow process in Access Enforcer:

    Request generated: 100% automated from an HR event (employee hired/retired) or via e-mail

    Manager approval: path workflow based on request type and user attributes, with escalation workflow and exception workflow

    Risk analysis: one-click preventive simulation, 100% automated; online risk analysis by Compliance Calibrator, compliant roles from Role Expert

    Automated provisioning

    "We reduced provisioning from 2 weeks to 2 days." Web Seminar Rockwell Collins, 3/2005
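As an added example that is not part of the slide deck and not SAP's or Virsa's code, the following Python script models the Access Enforcer workflow described above: a request is routed to the approvers the request type calls for, the preventive simulation is run before anything is provisioned, and a request that would create a new, unmitigated SoD risk is held in an exception workflow instead of being auto-provisioned. The roles, role owners, risk id and the choice that HR-triggered requests skip the manager step are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed sample content in the slide's terms (NOT SAP's own roles or rule set):
# a role grants business functions; a risk is a conflicting pair of functions.
ROLE_FUNCTIONS = {
    "Z_AP_CLERK":    {"MAINTAIN_VENDOR"},
    "Z_AP_PAYMENTS": {"PAY_VENDOR"},
    "Z_FI_DISPLAY":  set(),
}
ROLE_OWNER = {"Z_AP_CLERK": "owner.ap", "Z_AP_PAYMENTS": "owner.treasury", "Z_FI_DISPLAY": "owner.basis"}
RISKS = {"P001": ("MAINTAIN_VENDOR", "PAY_VENDOR")}


@dataclass
class AccessRequest:
    user: str
    manager: str
    request_type: str              # "HR_EVENT" (employee hired) or "CHANGE" (e-mail / self-service)
    current_roles: set
    requested_roles: set
    mitigations: set = field(default_factory=set)   # risk ids covered by an approved mitigating control


def functions_of(roles):
    """All business functions granted by a set of roles."""
    return set().union(*(ROLE_FUNCTIONS.get(r, set()) for r in roles))


def simulate_risks(current_roles, requested_roles):
    """One-click preventive simulation: the SoD risks that would be NEW for the
    user after provisioning (risks the user already carries are not counted)."""
    def risks_in(functions):
        return {rid for rid, (f1, f2) in RISKS.items() if f1 in functions and f2 in functions}
    return risks_in(functions_of(current_roles | requested_roles)) - risks_in(functions_of(current_roles))


def route_request(req):
    """Path workflow chosen from request type and user attributes, with the risk
    simulation run before provisioning. Returns (decision, approval path, open risks)."""
    path = []
    if req.request_type != "HR_EVENT":            # assumption: HR-triggered requests skip manager approval
        path.append(("manager", req.manager))
    path += [("role_owner", ROLE_OWNER[r]) for r in sorted(req.requested_roles)]
    open_risks = simulate_risks(req.current_roles, req.requested_roles) - req.mitigations
    if open_risks:
        path.append(("exception", "it_security"))  # exception workflow: mitigate, reject or redesign
        return "HOLD", path, open_risks
    path.append(("auto_provision", "sap"))
    return "APPROVE", path, set()


if __name__ == "__main__":
    req = AccessRequest("maier", "mgr.fi", "CHANGE", {"Z_AP_CLERK"}, {"Z_AP_PAYMENTS"})
    print(route_request(req))    # held: adding payments to a vendor-maintenance user creates P001
```

The simulation compares the risk set before and after the change, so a user who already carries a mitigated conflict is not blocked again for an unrelated display role, while a request that introduces a new conflict never reaches automated provisioning without an approved mitigating control.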

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 36

    SAP GRC Access Controls Compliant User Provisioning

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 37

    SAP GRC Access Control 5.3: SAP GRC Access Control branding and single launchpad for all 4 access control capabilities

    Roadmap SAP GRC Access Control 5.3

    Q1 2008 (AC 5.3)

    Access Control 5.2 SP3

    Language Translations

    Country A languages

    English

    French

    German

    Japanese

    Country B languages

    Spanish

    Portuguese

    Italian

    Hungarian

    Cross-Enterprise (Greenlight): Real-Time Agents for Risk Analysis; comprehensive SOD rules for Oracle, JDE and PeopleSoft

    Q2 2007 (AC 5.2 SP3)

    Superuser privilege management (formerly known as Virsa Firefighter for SAP)

    Change Log / Self Auditing

    Audit trail for configuration changes

    Write log report to designated file server

    Web report enhancements

    Report filter variant

    Report for All

    systems

    Retrieve change log from CDHDR table for performance improvement

    Assign multiple FF owners to one FF ID

    Enterprise role management (formerly known as Virsa Role Expert)

    Close RE 4.0 gaps

    Additional reports

    Search roles

    Single composite role relationship

    List role & transactions

    More detail role change history

    Role authorization changes at object field level

    View PFCG change log

    Generate roles for multiple systems

    Risk simulation for combined roles and existing user simulation at role design time

    Enforce naming convention according to policy

    Role Mappings

    Misc.

    Import/Export of configuration data

    Migration scripts

    Compliant user provisioning (formerly known as Virsa Access Enforcer)

    Compliant provisioning for SAP EP,

    Compliant provisioning for Oracle, PeopleSoft and JDE (Greenlight)

    HR triggers for PeopleSoft

    Password resets for ORCL, PSFT, JDE

    Close AE.net & SAFE gaps

    Authoritative User Sources: integration with multiple LDAPs and SAP HR for user data source

    Reporting and reporting enhancements

    User Access Reviews (Manager / User Reaffirm)

    Cross system risk analysis / simulation

    Supporting multiple CUAs

    Full support for all SU01 fields

    Misc.

    Form customization

    Import/Export of configuration data

    Risk analysis and remediation (formerly known as Virsa Compliance Calibrator)

    Risk analysis for SAP Enterprise Portal and UME

    Close critical CC 4.0* & SAFE gaps

    BI Integration for custom reporting

    Reporting/ Reporting Enhancements

    Additional auditor, business manager and IT reports

    SOD management by exception (Integration w/ Workflow)

    Miscellaneous

    Import/Export of configuration data

    Migration scripts

    Download and print capability on every report

    Performance improvements

    Concurrent Risk Analysis

    Batch mode risk analysis

    Improved Memory Mgmt

    Access Control 5.2 SP4

    Web Services for IDM integration (official and stable API for partners)

    Fix for connector limit in Compliance Calibrator

    Q3 2007 (AC 5.2 SP4)

    * Note: This release will not include the granular security and logging requirements, which are left for the next release.

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 38

    SAP Solutions for GRC Framework for an Integrated GRC-Solution

    Business Process Platform

    Business Applications

    Business Process

    SAP GRC Access Controls

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 39

    SAP Addresses the Needs of Multiple Stakeholders

    [Figure: four stakeholder groups and their concerns, each supported by Virsa]

    Business Executives: risk appetite, risk avoidance, visibility, timely notification, cost of compliance

    Internal Auditors: controls in place, controls working effectively, risks correctly identified, response to control deficiencies, preventive controls

    Business Process Managers: risk identification & evaluation, timely notification, maximum productivity

    IT Security and Support: identify & implement compliance systems, fit with IT infrastructure, transfer accountability to business, prevent risk from entering systems

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 40

    Benefits of Using an Integrated Control System

    AUTOMATION: reduce cost without compromising compliance (reduced audit fees and testing costs; streamlined testing and remediation)

    INSIGHT: effectively manage business, financial, and compliance performance (real time view of control health; enterprise-wide visibility into risks and controls)

    CONTROL: increase confidence in the effectiveness of your controls (100% testing of all data all the time; early detection and remediation)

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 41

    PC 2.5 Supports Compliance Processes

    [Figure: compliance process phases, Management on the left and Auditor on the right: Scoping and Set-Up; Document Processes and Controls; Assess Control Design and Remediate Issues; Test Operating Effectiveness; Sign-Off, Prepare Certification / Internal Control Report; Attest and Report; Review, Attestation, Reporting]

    Assignment of sub-processes to organizations

    Organization-specific control documentation

    Documentation of testing procedures

    Documentation of entity-level controls

    Setup of automated control testing and monitoring

    Control and process design assessments via surveys

    Entity-level control assessments via surveys

    Identification of Issues

    Validation of assessments

    Remediation of issues

    Progress tracking and analysis

    Documentation of testing results

    Documentation of continuous control monitoring

    Identification of issues

    Remediation and retest of issues

    Progress tracking and analysis

    Organization hierarchy

    Central process catalog

    Central catalog of control objectives/risks

    Assignment of sub-processes to significant accounts/relevant assertions

    Gap analysis reporting

    Identify fraud related risk

    Analysis overviews with drill-down functionality

    Management reports

    Workflow-triggered sign-off supporting 404 reporting / 302 certification

    Continuous Control Monitoring

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 42

    Process Control 2.5 Solution Overview

    [Figure: work centers of Process Control 2.5]

    Organization Hierarchy; Account Groups/Assertions; Process Hierarchy; Control Objective Catalog; Entity-Level Controls Hierarchy

    Assessment Surveys: Question Library, Survey Library

    Manual Tests: Test Plans

    Automated Testing: Rules, Queries, Scheduling

    Evaluation Work List: Compliance Assessments, Testing, Monitoring

    Analytics Work List; Sign-off; User Roles; Delegation

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 43

    PC 2.5 Innovation Information Architecture and Organization Hierarchy

    Improved productivity with new work center-based design approach

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 44

    Control Framework and Organization Management: Structure Definition

    [Figure: three linked hierarchies, with Assertions, Assessments and the Signoff Flow attached to them]

    Organizational Hierarchy (n-tier): Business Segment, Region, Division / Legal Entity, Business Operation, Location / Operating Unit

    Account Hierarchy: Account Groups, Significant Account, Assertions

    Process / Risk / Control Hierarchy: Compliance Category, Process, Sub process, Risks/Control Objectives, Controls, Control Tests (Manual/Auto), Remediation Case

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 45

    SAP GRC Process Control: Convergence of Controls Process Management and Continuous Controls Monitoring

    Single solution for end-to-end enterprise control management

    Provides centralized control management for automated and manual controls (financial controls, operational controls, IT controls)

    Enables management by exception: prioritizes remediation activities and provides management insight into the control environment

    [Figure: control lifecycle Document, Test, Monitor, Certify across the Process-Control-Objective-Risk hierarchy, the IT infrastructure and the business processes: Perform Assessments, Test Automated Controls, Test Manual Controls, Review Exceptions / Remediate Issues, Certify and Sign-off (302, Designs); sample assessment survey "Has production been improved with the installation and implementation of SAP?" Yes/No]

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 46

    GRC Process Control: Single Solution for End-to-End Enterprise Control Management

    GRC Repository rationalizes controls against multiple frameworks

    Links control documentation to manual and automated control tests

    Provides a flexible organization hierarchy

    Flexible integration framework for document management systems

    Single source of truth for reporting

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 47

    Actionable Intelligence from Compliance Analytics

    Role-based dashboards provide actionable insight to control status

    Global heat map highlights exceptions from all control tests and assessments

    Management level reports highlight exceptions from all control tests and assessments

    Enterprise transparency across multi-instance and multi-platform environments

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 48

    SAP GRC Process Control

    Dashboard: Control Execution Monitor provides the latest information on deficiencies

    Control Monitor provides summarized information over time

    Inbox provides quick access to cases and tasks

    Survey Monitor tracks sign-off and assessment surveys

    All information is organized in tabs

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 49

    Management Reports with Drill-Down

    Drill-down capability provides details of the cases and case priority for each report

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 50

    SAP GRC Process Control: Centralized Control Management

    One system for managing automated and manual controls

    The system can manage financial controls, operational controls and IT controls

    Controls can be monitored across multiple enterprise systems

    Improve controls with regular assessments

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 51

    Control Environment Setup

    Selects controls that contribute to financial quantification of risk for executive reporting

    Creates the complete control environment, including organizations, business processes, sub processes, risks, objectives and test plans

    Creates and links both manual and automated control tests in a single application

    Assignment of test plan and test step owners

    Assignment of compliance information (financial and non-financial assertions)

    Assignment of organizations

    Example: Process: Manage Financial Accounting; Subprocess: Perform Closing; Risk: Manipulation of financial results; Objective: Accurate financial reporting; Control: Prior period posting check

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 52

    Automated Process Controls Detects global violations

    and prioritizes corrective action (automatic case generation)

    Apply same control to multiple organizations (version concept)

    Automatically monitors controls in multiple enterprise applications

    80 Master controls were delivered

    SAP GRC Process Control: Centralized Control Management

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 53

    Three Ways to Monitor Automated Controls Across Critical Business Processes

    Select a pre-delivered test: pre-delivered tests with flexible rule criteria for SAP and Oracle

    Re-use a custom test: plug-and-play your existing test scripts

    Construct an ad-hoc test: create control tests on-the-fly with the custom query builder

    Business processes covered (figure): Order to Cash (Order Capture, Order Fulfillment, Billing & Returns, Revenue Recognition); Procure to Pay (Demand Planning, Operational Procurement, Inventory Management, Payables Management); Reconcile to Report (Budgeting/Planning, Sub-ledger Transactions, Financial Close, Consolidation & Reporting); IT (Basis, Application Security, Change Control)

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 54

    Order to Cash: Sample Automated Control Monitoring

    Did the customer order exceed allowed thresholds?

    Were shipments made without proper sales documents?

    Were pricing or exchange rates adjusted?

    Were there changes to revenue accounts and posting tolerances?

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 55

    Automatically Create & Test 1000s of Controls

    Multiple controls on configuration, master data and transaction data, on any form, tab or field

    Control test types: apply a percentage threshold; apply an absolute value threshold; monitor change frequency; monitor changes to a control; check that a control value exists

    Example questions for a duplicate-voucher control: Is the Duplicate Voucher flag turned ON? Have any duplicate vouchers been processed over the past 30, 60, 90 days? Has the Duplicate Voucher control changed? How often?

    Field options: Hide / Disable / Query Only
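The test types listed for the duplicate-voucher control, as an added Python example. This is not SAP GRC Process Control code: it runs the same kinds of tests (control value exists, changes to the control and their frequency, duplicates in 30/60/90-day windows, an absolute amount threshold) over a constructed configuration snapshot, change log and voucher table, and ranks the failed tests by monetary exposure, which is how the deck's case management prioritizes exceptions. Company codes, field names, dates and amounts are all constructed.

```python
"""Automated control tests over a constructed duplicate-voucher control.

Added example; not SAP GRC Process Control code. Company codes, field names,
dates and amounts are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

TODAY = date(2007, 6, 30)  # constructed "as-of" date of the monitoring run

# Constructed configuration snapshot: duplicate-invoice check flag per company code.
CONFIG = {
    ("1000", "DUPLICATE_VOUCHER_CHECK"): "X",  # ON
    ("2000", "DUPLICATE_VOUCHER_CHECK"): "",   # OFF: the control value is missing
}

# Constructed change log for that flag: (company_code, changed_on, old_value, new_value)
CHANGE_LOG = [
    ("1000", date(2007, 4, 2), "X", ""),
    ("1000", date(2007, 4, 5), "", "X"),
    ("1000", date(2007, 6, 21), "X", ""),
    ("1000", date(2007, 6, 22), "", "X"),
]

# Constructed vendor invoices: (company_code, vendor, reference, amount, posted_on)
VOUCHERS = [
    ("1000", "V-100", "INV-7781", 1200.0, date(2007, 5, 3)),
    ("1000", "V-100", "INV-7781", 1200.0, date(2007, 6, 18)),   # posted a second time
    ("1000", "V-233", "INV-0042", 950.0, date(2007, 6, 25)),
    ("2000", "V-510", "INV-9001", 40000.0, date(2007, 6, 27)),
    ("2000", "V-510", "INV-9001", 40000.0, date(2007, 6, 28)),  # posted a second time
]


@dataclass
class Finding:
    control: str
    company_code: str
    detail: str
    exposure: float = 0.0  # monetary quantification of the failed test, where measurable


def check_value_exists(company_code: str) -> list[Finding]:
    """Test type 'check that control value exists': the flag must be ON."""
    if CONFIG.get((company_code, "DUPLICATE_VOUCHER_CHECK"), "") == "X":
        return []
    return [Finding("Duplicate voucher flag ON", company_code, "flag is not set")]


def check_change_frequency(company_code: str, window_days: int = 90,
                           max_changes: int = 1) -> list[Finding]:
    """Test types 'monitor changes to control' and 'monitor change frequency'."""
    since = TODAY - timedelta(days=window_days)
    changes = [c for c in CHANGE_LOG if c[0] == company_code and since <= c[1] <= TODAY]
    if len(changes) <= max_changes:
        return []
    switched_off = sum(1 for c in changes if c[3] == "")
    detail = f"{len(changes)} changes in {window_days} days, switched OFF {switched_off} times"
    return [Finding("Duplicate voucher control changed", company_code, detail)]


def duplicates_in_window(company_code: str, window_days: int) -> list[tuple]:
    """Vouchers whose (vendor, reference, amount) repeats within the window."""
    since = TODAY - timedelta(days=window_days)
    seen: set = set()
    dups = []
    for row in sorted(VOUCHERS, key=lambda r: r[4]):
        cc, vendor, ref, amount, posted = row
        if cc != company_code or not (since <= posted <= TODAY):
            continue
        key = (vendor, ref, amount)
        if key in seen:
            dups.append(row)
        seen.add(key)
    return dups


def check_duplicates(company_code: str, windows=(30, 60, 90)) -> list[Finding]:
    """Absolute threshold: any duplicate voucher processed in the past 30/60/90 days."""
    for window in windows:  # smallest window first, so the finding shows how recent it is
        dups = duplicates_in_window(company_code, window)
        if dups:
            exposure = sum(d[3] for d in dups)
            detail = f"{len(dups)} duplicate voucher(s) in the past {window} days"
            return [Finding("Duplicate vouchers processed", company_code, detail, exposure)]
    return []


def check_amount_threshold(company_code: str, limit: float = 25000.0) -> list[Finding]:
    """Absolute value threshold on a transaction field: a single voucher over the limit."""
    return [Finding("Voucher over limit", cc, f"{ref} from {vendor}: {amount:.2f} > {limit:.2f}", amount)
            for cc, vendor, ref, amount, _ in VOUCHERS if cc == company_code and amount > limit]


def run_all(company_codes=("1000", "2000")) -> list[Finding]:
    """Run every test for every organization and rank the failures by exposure."""
    findings: list[Finding] = []
    for cc in company_codes:
        for check in (check_value_exists, check_change_frequency,
                      check_duplicates, check_amount_threshold):
            findings.extend(check(cc))
    return sorted(findings, key=lambda f: f.exposure, reverse=True)


if __name__ == "__main__":
    for f in run_all():
        print(f"{f.company_code} {f.control}: {f.detail} (exposure {f.exposure:.2f})")
```

The duplicate check walks the windows from smallest to largest so that the finding states how recent the last duplicate is; company code 1000 only shows a duplicate in the 60-day window, company code 2000 already in the 30-day window, and the latter's larger amounts put it at the top of the ranked list.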

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 56

    Sample Automated Control Tests

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 57

    [Process Control cycle diagram: Document, Test, Monitor, Certify. Activities: Perform Assessments, Test Automated Controls, Test Manual Controls, Review Exceptions, Remediate Issues, Certify and Sign-off (302, Designs, ...). Process-Control-Objective-Risk across IT Infrastructure and Business Processes]

    SAP GRC Process Control: Centralized Control Management

    Manual Control Testing: streamlines manual controls and tests

    Provides manual test plans with detailed test steps and instructions

    Promotes timely performance with scheduled workflow and email notifications

    Documents evidence to support evaluation results

    Captures monetary risk quantification for failed tests

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 58

    Manual Compliance Management: Costly Effort to Coordinate Tasks

    Participants (figure): Control Testers, Compliance Team, Management & Executives

    Open questions: What do we need to test? Who should perform the test? Where do we stand? How can we improve? What am I supposed to do? Why is this important? Is this the right process?

    Activities today: create documents and spreadsheets and save them to local file servers; create the test plan; paper-based documentation; surveys for completion; receive test instructions via email; perform manual tests based on verbal instructions; consolidate results from multiple sources

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 59

    Workflow Streamlines Manual Control Activities: Automated Notification and Guided Procedures Ensure Timeliness and Reliability

    Steps (figure): document control and test plan; attach reference document and spreadsheet; follow guided procedure and perform test; report results and attach evidence

    Automatic notification routes tasks to appropriate users

    Guided procedures and reference documents train users

    Complete audit trail of testing results and evidence

    Participants (figure): Control Testers, Compliance Team, Management & Executives

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 60

    [Process Control cycle diagram: Document, Test, Monitor, Certify. Activities: Perform Self-Assessments, Test Automated Controls, Test Manual Controls, Review Exceptions, Remediate Issues, Certify and Sign-off (302, Designs, ...). Process-Control-Objective-Risk across IT Infrastructure and Business Processes]

    SAP GRC Process Control: Convergence of Compliance Process Management and Continuous Controls Monitoring

    Self Assessment: flexible surveys to support design assessments and self-assessments

    Assessments for process design, control design, entity levels, and more

    Promotes timely performance with scheduled workflow and email notifications

    Reference information and instructions guide occasional users

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 61

    Deploy Flexible Assessments

    Flexible survey creation, scheduling, and routing

    Handles assessments for process design, control design, entity levels, and more

    Reference information and instructions guide occasional users

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 62

    Survey Management

    Survey reports provide drill-down to any cases generated

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 63

    [Process Control cycle diagram: Document, Test, Monitor, Certify. Activities: Perform Assessments, Test Automated Controls, Test Manual Controls, Review Exceptions, Remediate Issues, Certify and Sign-off (302, Designs, ...). Process-Control-Objective-Risk across IT Infrastructure and Business Processes]

    SAP GRC Process Control: Management by Exception

    Management by Exception / Remediation Case Management: detects global exceptions and prioritizes corrective action

    Workflow-based notifications alert users to failed tests or assessments

    Documents remediation activities and resolution

    Dashboards and reporting provide actionable insight into exceptions

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 64

    Accelerate Time to Resolution with Remediation Case Management

    [Figure: exceptions from Perform Self-Assessments, Deploy Automated Controls and Test Manual Controls, across IT Infrastructure and Business Processes, feed into case management]

    Automated prioritization focuses valuable resources on high-impact exceptions

    Automated routing and notification ensures nothing falls through the cracks

    Threaded discussion of resolution activities provides evidence for external auditors

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 65

    Case Trail and Status Tracking During Case Remediation

    Resolution can be captured along with the case details for audit purposes

    Linked to test results

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 66

    [Process Control cycle diagram: Document, Test, Monitor, Certify. Activities: Perform Assessments, Test Automated Controls, Test Manual Controls, Review Exceptions, Remediate Issues, Certify and Sign-off (302, Designs, ...). Process-Control-Objective-Risk across IT Infrastructure and Business Processes]

    SAP GRC Process Control: Convergence of Control Process Management and Continuous Controls Monitoring

    Management Certification: Section 302 and 404 certification

    Business process review and approval

    Freeze key information that has been signed off

    Hierarchical, bottom-up progression

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 67

    Automatic Sign-Off Process

    Sign-off chain (figure): AR Billing and AR Collections (sub-processes) -> Order to Cash (process) -> US Finance (lowest location) -> US (higher location) -> Corporate Signers -> CEO/CFO

    1 Each sub-process owner signs off

    2 Process owner signs off

    3 Lowest location signs off

    4 Higher location signs off

    5 Corporate signer(s) sign off

    6 CEO/CFO sign off

    Supports Section 302 certification

    Freezes key information that has been signed off

    Hierarchical, bottom-up progression
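The two properties of the sign-off chain, bottom-up progression and freezing of signed-off information, as an added Python example. It is not SAP GRC Process Control code: it models the chain shown on the slide (sub-processes up to CEO/CFO), lets a level be signed only by its designated signer and only after every lower level is signed, and records a hash of the certified data at sign-off so that later edits to frozen information are detectable. Signer user names and the certified data values are constructed.

```python
"""Hierarchical, bottom-up sign-off with freeze of signed-off information.

Added example; not SAP GRC Process Control code. Signer names and certified
data are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    """One sign-off level: a sub-process, process, location or corporate signer."""
    name: str
    signer: str                                   # user expected to certify this level
    children: list = field(default_factory=list)
    data: dict = field(default_factory=dict)      # key information being certified
    signed_by: Optional[str] = None
    frozen_digest: Optional[str] = None


def digest(data: dict) -> str:
    """Canonical hash of the certified data; recorded at sign-off time."""
    return hashlib.sha256(json.dumps(data, sort_keys=True).encode()).hexdigest()


def sign_off(node: Node, user: str) -> str:
    """Sign one level. Enforces the designated signer, bottom-up order and a single signature."""
    if user != node.signer:
        raise PermissionError(f"{user} is not the designated signer for {node.name}")
    if node.signed_by is not None:
        raise ValueError(f"{node.name} is already signed")
    unsigned = [c.name for c in node.children if c.signed_by is None]
    if unsigned:
        raise ValueError(f"cannot sign {node.name}: unsigned lower levels {unsigned}")
    node.signed_by = user
    node.frozen_digest = digest(node.data)  # freeze: later edits become detectable
    return node.frozen_digest


def sign_bottom_up(node: Node) -> list:
    """Post-order traversal: every lower level signs before the level above it."""
    order = []
    for child in node.children:
        order.extend(sign_bottom_up(child))
    sign_off(node, node.signer)
    order.append(node.name)
    return order


def verify_frozen(node: Node) -> list:
    """Names of signed levels whose certified data changed after sign-off."""
    tampered = []
    if node.signed_by is not None and digest(node.data) != node.frozen_digest:
        tampered.append(node.name)
    for child in node.children:
        tampered.extend(verify_frozen(child))
    return tampered


def build_chain() -> Node:
    """The chain from the slide, sub-processes up to CEO/CFO (signer names constructed)."""
    billing = Node("AR Billing", "billing.owner", data={"controls_passed": 12, "open_issues": 0})
    collections = Node("AR Collections", "collections.owner", data={"controls_passed": 8, "open_issues": 1})
    o2c = Node("Order to Cash", "o2c.owner", [billing, collections], {"status": "effective"})
    us_fin = Node("US Finance", "us.finance.lead", [o2c], {"status": "effective"})
    us = Node("US", "us.controller", [us_fin], {"status": "effective"})
    corporate = Node("Corporate Signers", "corp.controller", [us], {"status": "effective"})
    return Node("CEO/CFO", "cfo", [corporate], {"section": "302", "status": "certified"})


if __name__ == "__main__":
    root = build_chain()
    print(" -> ".join(sign_bottom_up(root)))
    print("tampered levels:", verify_frozen(root))
```

The digest is computed over a canonical JSON serialisation so that key order cannot produce spurious mismatches; in a real system the digest would be stored with the audit trail rather than on the node itself, so that the same person who edits the data cannot also rewrite the freeze record.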

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 68

    SAP GRC Process Control: the Integrated Solution for Enterprise-Wide Management of Any Kind of Controls

    Cost reduction through automation

    Automated case management: accelerated remediation process

    Reduces RISKS and saves TIME and MONEY

    Integrated solution: low TCO

    Risk-based approach

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 69

    SAP GRC PC 2.5 Architecture

    [Architecture diagram labels: GRC NWBC User Interface (Navigation, WebDynpro Content, SAP Application Pages, BI Pages for Analytics, Portal Pages for Analytics); SAP Services (ABAP Stack) with Repository and Interfaces; Automated Controls, Query Builder, Cross-Platform Enablement, Savvion BPM/Workflow; Process Control Plus (Java Stack): Master Data, Audit Log, Survey Assessments, Testing, Report Mart, Object Level Security, Sign Off]

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 70

    SAP Solutions for GRC: Framework for an Integrated GRC Solution

    [Figure layers: Business Process Platform, Business Applications, Business Process, SAP GRC Access Controls]

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 71

    Risk Management Today: No Transparency, Suboptimal Decision-Making

    Participants (figure): Risk Managers, Lines of Business, Management & Executives

    Activities today: send out MS Excels; workshop after workshop; ask for additional input; brainstorm one-off response possibilities; siloed risk thinking; focus only on negative risks

    Open questions: What is the status of our top risks? What risks don't we know about? Am I on track to reach my goals? Another assessment to fill out? Will we meet analyst / market expectations? What are our top 10 risks?

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 72

    The Goal: Risk-Adjusted Management of Enterprise Performance

    Participants (figure): Lines of Business, Executives, Risk Managers

    Applications to mitigate top risks

    Role-based best practice playbooks

    Enable risk management innovation

    Risk in context of corporate strategy and performance

    Understand true exposure resulting from risk correlation

    Achieve proactive transparency

    Automatic risk identification

    End-to-end risk processes across the value chain

    Become a driver of business change

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 73

    SAP Solutions for GRC: Risk Management in a Leading Role

    Cross-industry solution

    [Figure: GRC-Suite on the Business Process Platform with GRC-Repository, Access Controls, Process Controls, Risk Management, GTS and EH&S; SONA External Provider for KRIs / Content; SONA xApp, xEM, REA and other partner solutions]

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 74

    Risk Management Steps: Process Automation for the Virtuous Cycle

    Actionable, role-based dashboards and alerts

    Establish risk appetite and thresholds

    Collaborate and aggregate across the enterprise

    Balance cost of risk avoidance and opportunity

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 75

    Drive Consistency: Agreement on Top Risks, Thresholds, and Appetite

    Create Risk and Activity Catalogs (GRC Repository): What types of risks do we want to track? Proposed risks based on activity type; align risks to corporate goals; customizable, pre-delivered content

    Risk Catalog example (figure): Supply chain continuity risk, with KRI 2: Supplier on-time delivery

    Document Risk Appetite

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 76

    Avoid Surprises: Identify and Assess All Key Risks Across the Enterprise

    Collaborative Assessments for Manual Risk Activities: qualitative & quantitative point and scenario analyses; analyses done before and after response; workflow reminders for updates

    Prioritization using Risk Heat Map: prioritization for response investment; identifying shifts in the risk profile

    Automatically Identify Risks (SAP CRM example): embedded into key business processes; workflow delivers assessments to experts

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 77

    Enabling Lines of Business to Effectively Mitigate Risks

    Respond Intelligently: Create Resolution Strategies for Critical Risks

    Best Practice Response Playbooks: propose risk response; loss event tracking; lessons learned; self-learning response effectiveness (figure example: Risk: Merger / Acquisition, with proposed responses)

    Spot Risk Interdependencies (figure): correlation across Finance, Sales, IT, Supply, ... (e.g. New Global Suppliers, Indirect Global Taxes)

    Top Industry Risks and the solution addressing each (figure): Mismatch of Demand with Supply (xSOP); Employee health and safety (EH&S); Non-compliance with emissions (xEM); Production disruptions (EAM); Supplier disruptions (SRM/xSA); Non-compliance with RoHS/WEEE (CfP); Non-compliance to Fin Regulations (GRC)

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 78

    Stay Informed: Build Proactive Monitoring Into Existing Business Processes

    Capture Incidents and Losses: learn from previous experiences; incorporate into response playbook

    Set Control Limits Based Upon Associated Risk: the regulatory checklist approach has led to over-controlling and under-controlling many processes; set controls based upon the level of risk associated with each business process

    Executive and Risk Manager Dashboards

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 79

    We Drink Our Own Champagne: SAP Risk Management Drives Excellence at SAP AG

    "A sustainable business benefit": "IT matters in achieving good governance as it helps in becoming a better run business. It can enable companies to move beyond pure compliance towards a sustainable business benefit."

    Werner Brandt, CFO SAP AG. Event: The 4th Boardroom Series Breakfast Meeting, Shanghai, June 12, 2006

    "A part of management excellence": "In an ever changing world (economy, partners, and customers) management excellence is required to react positively and therefore fast to any changes. Risk Management is clearly a part of management excellence."

    Hans Peter Klaey, President SAP Asia Pacific

    2005 2007

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 80

    Why SAP GRC Risk Management?

    Enabling Lines of Business to Mitigate Top Industry Risks

    Automatic Risk Identification and Monitoring Across the Enterprise

    Risks in Context of Strategy and Objectives (Strategy Management, Planning)

    Top Industry Risks and the solution addressing each (figure): Mismatch of Demand with Supply (xSOP); Employee health and safety (EH&S); Non-compliance with emissions (xEM); Production disruptions (EAM); Supplier disruptions (SRM/xSA); Non-compliance with RoHS/WEEE (CfP); Non-compliance to Fin Regulations (GRC)

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 81

    GRC as part of SAP Financials

    Challenge for GRC

    GRC-Suite in detail

    Value proposition

    AGENDA

    The Fast Track to SAP Knowledge

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 82

    SAP Solutions for Governance, Risk and Compliance

    Single, holistic and integrated approach for managing governance, risks and compliance

    Deliver enterprise predictability and quality of operations: no surprises

    Reduce the cost of compliance and free resources for innovation

    Improve performance through proactive risk management

    Prevention of fraud, bribery and corruption

    Increase confidence of stakeholders

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 83

    SAP Solutions for GRC: Access Control

    [Chart of customer user counts per Access Control customer: 4,200; 4,500; 5,200; 5,600; 5,723; 6,000; 6,000; 6,050; 6,250; 6,500; 7,000; 7,400; 7,410; 7,500; 8,000; 8,000; 10,000; 10,000; 10,700; 11,800; 20,000; 23,020; 26,000; 27,000; 30,000; 30,876; 32,000; 40,000; 40,895; 100,000+]

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 84

    Summary

    Market leader

    Cross-system

    Real-time prevention

    Integrated end-to-end solution

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 85

    Contact

    Rainer Salaw, CPA

    CFO Solution Sales EMEA, Governance, Risk & Compliance, SAP Deutschland AG & Co. KG

    Phone +49 (811) 5545-225, Mobile +49 (0170) 2200125

    [email protected]

    http://www.sap.com/financials

  • SAP ERP Financials SAP Solutions for

    Governance, Risk, and Compliance and SAP GRC Access Control

    Barbara Mayer Enterprise Risk Management,

    SAP Consulting

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 87

    AGENDA

    The Fast Track to SAP Knowledge

    The Access Control Suite: An Overview

    The SOD Management Process

    Project Organization

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 88

    AGENDA

    The Fast Track to SAP Knowledge

    The Access Control Suite: An Overview

    The SOD Management Process

    Project Organization

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 89

    Client Issues

    Negative Sarbanes-Oxley Audit Results

    Segregation of Duties / Excessive Access

    Security Administration Process

    Internal Controls Repository

    Maintaining a Clean Environment

    ERP Upgrades

    Escalating Help Desk Costs

    Change Management

    SOX Awareness/Responsibility

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 90

    GRC - Governance

    Corporate Governance: ethical corporate behavior together with management practices in the creation of wealth for all stakeholders; spells out the rules and procedures for making decisions on corporate affairs

    IT Governance: helps to ensure the alignment of IT and enterprise objectives; IT resources are used responsibly and their risks are managed properly

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 91

    GRC - Risk Management

    Risk Management: identify, classify, document and reduce risks to an acceptable level based on the value of the information resource to the organization

    Risk is a result of three different parameters: existence of a threat for a business process; likelihood of occurrence; impact for the business process

    [Figure: RISK as the product of THREAT, LIKELIHOOD and IMPACT]

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 92

    GRC - Compliance

    Acting according to national and international legal requirements: Sarbanes-Oxley Act (US), Data Protection Law (Germany), J-SOX (Japan), ...

    Corporate policies representing the corporate philosophy and the strategic thinking on a high level; low-level policies focusing on the operational layer

    Policies need to be in sync with the overall business strategy and legal requirements

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 93

    Benefit: Collaboration Within the Company

    Owner / Key Area / GRC Access Control

    Business Users

    Risk Identification and Elimination: analysis and elimination of potential access risks and actual risks; real-time check and assignment of detective and preventive controls

    Role Design and Management: risk-preventive role design to address the root of a problem

    Compliant User Provisioning: efficient user provisioning and de-provisioning from hire to retire

    Privileged User Access: auditable superuser privilege management

    IT Security

    Collaboration between Business and IT: enabling business to take accountability for access

    Management Oversight

    Periodic Access Review: review of roles, users and mitigation controls by using automated reporting views

    Internal Audit

    Audit Cycle Management: provide documentation to help validate that the business team is following the control process

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 94

    Interdependencies: GRC Access Controls

    [Figure: components Role Expert, Access Enforcer, Firefighter, and Compliance Calibrator with Risk Terminator; flows between them: critical transactions and SoD analysis, risk analysis for simulation, role information, workflow engine for role approval, risk analysis, work flows]

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 95

    Best Practice Road Map: GRC Access Controls Implementation

    Sequence (figure): Compliance Calibrator with Risk Terminator, Firefighter, Access Enforcer, Role Expert

    This road map ensures the fastest implementation while allowing optimal change management

    Installation: install and configure Compliance Calibrator and Risk Manager; Firefighter comes with the RTAs (+BC Sets); later install and configure Access Enforcer and Role Expert

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 96

    AGENDA

    The Fast Track to SAP Knowledge

    The Access Control Suite: An Overview

    The SOD Management Process

    Project Organization

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 97

    AGENDA

    SOD Management Process Overview

    Risk Recognition

    Rule Building

    Analysis and Remediation

    Mitigation

    Continuous Compliance

    The Fast Track to SAP Knowledge

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 98

    AGENDA

    SOD Management Process Overview

    Risk Recognition

    Rule Building

    Analysis and Remediation

    Mitigation

    Continuous Compliance

    The Fast Track to SAP Knowledge

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 99

    SoD Management Process: Get Clean & Stay Clean

    SOD Risk Management Process: although every business and every system is unique, each implementation follows the same risk-based best practice methodology, which has been proven at many customer sites.

    Phase One: 1 Risk Recognition; 2 Rule Building and Validation

    Phase Two: 3 Analysis; 4 Remediation; 5 Mitigation

    Phase Three: 6 Continuous Compliance

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 100

    Roles and Responsibilities

    Business Process Owners: identify risks and/or approve risks for monitoring; approve remediation involving user access; design controls for mitigating conflicts; communicate access assignments or role changes; perform proactive continuous compliance

    Senior Officers: approve/reject risks between business areas; approve mitigating controls for selected risks

    Security Administrator and Technical Liaisons: ownership of SAP GRC tools and security process; design and maintain rules to identify risk conditions; customize SAP GRC roles to enforce roles and responsibilities; analysis and remediation of SoD conflicts at role level

    Auditors & Regulators: perform risk assessment on a regular basis; provide specific requirements for audit purposes; perform periodic testing of rules and mitigating controls; act as liaison between external auditors

    SoD Rule Keeper: responsible for SAP GRC tool configuration and administration; maintain controls over rules to ensure integrity; act as liaison between basis and SAP GRC Support Center

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 101

    AGENDA

    SOD Management Process Overview

    Risk Recognition

    Rule Building

    Analysis and Remediation

    Mitigation

    Continuous Compliance

    The Fast Track to SAP Knowledge

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 102

    Phase One: Risk Recognition

    [Process strip: 1 Risk Recognition, 2 Rule Building and Validation, 3 Analysis, 4 Remediation, 5 Mitigation, 6 Continuous Compliance]

    RISK RECOGNITION: identify conflicts and approve exceptions; clarify and classify risk (high, medium, low); identify new risks and conditions for monitoring in the future

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 103

    Segregation of Duties

    John can create sales orders and issue credit memos. Risk: gives someone the access to create a sales order, generating fraudulent revenue, and then reverse the revenue in a subsequent period by issuing a credit memo.

    Sandy can create vendor master records and process accounts payable payments. Risk: gives someone the access to create a fictitious vendor and generate fraudulent payments to the vendor.

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 104

    Risk Recognition: Business Process Owners

    The Business Process Owners should do the following: document business risk and prepare a risk statement; cross-reference the risk statement with the risks provided with Compliance Calibrator; assign risk levels

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 105

    Risk Recognition: Example SOD Risk

    Maintain a non bona-fide bank account and divert incoming payments to it.

    FI01 Create Bank

    FI02 Change Bank

    FI06 Set Flag to Delete Bank

    F-04 Post with Clearing

    F-06 Post Incoming Payments

    F-26 Incoming Payments Fast Entry

    F-28 Post Incoming Payments

    F-29 Post Customer Down Payment

    F-30 Post with Clearing

    F-36 Bill of Exchange Payment

    F-39 Clear Customer Down Payment

    F-40 Bill of Exchange Payment

    F-52 Post Incoming Payments

    FBA2 Post Customer Down Payment

    FBZ1 Post Incoming Payments

    FBZ3 Incoming Payments Fast Entry

    Conflicting Transactions are grouped into functions

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 106

    Risk Recognition: Example Critical Transactions

    Examples of security critical basis transactions:

    SA38 Execute ABAP Reports

    SE01 Transport Organizer

    SE06 Transport Organizer

    SE09 Transport Organizer

    SE11 ABAP Dictionary

    SE16 Table Maintenance

    SE36 Logical Database Builder

    SE37 ABAP Function Modules

    SE41 Menu Painter

    SM30 Table Maintenance

    SQ00 SAP Query: Start queries

    SU12 Delete ALL users

    SUB% Internal call: Submit via command fld

    ... ...

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 107

    Risk Recognition: SAP GRC Risk Database

    Over 200 risk groups, e.g. Order to Cash, Procure to Pay, Financial Accounting, HR/Payroll, APO, CRM, EBP/SRM, Basis

    Business language to SAP: results in over 180,000 SoD object-level rules

    Rules at the authorization object level eliminate false positives

    Automated rule building reduces time for implementation

    Validated by Big 4 auditors at 400+ customers

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 108

    AGENDA

    SOD Management Process Overview

    Risk Recognition

    Rule Building

    Analysis and Remediation

    Mitigation

    Continuous Compliance

    The Fast Track to SAP Knowledge

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 109

    Phase One: Rule Building and Validation

    [Process strip: 1 Risk Recognition, 2 Rule Building and Validation, 3 Analysis, 4 Remediation, 5 Mitigation, 6 Continuous Compliance]

    RULE BUILDING AND VALIDATION: reference best practice rules for your environment; validate rules; customize rules, then test; verify against test user/role cases

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 110

    Rule Architect Overview

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 111

    Rule Structure: The Full Picture

    Rule Set A (Global)

    Business Process: Order to Cash

    Risk A: Enter sales documents and lower prices for fraudulent gain.

    Function 1: Sales Order Agreements (actions/permissions in SAP ERP)

    Function 2: Sales Pricing Maintenance (actions/permissions in SAP ERP)

    Business Process: Purchase to Pay

    Risk B: User is able to maintain vendor master data and initiate payment runs.

    Function 3: Vendor Master Maint. (actions/permissions in SAP ERP)

    Function 4: Process Vendor Invoices (actions/permissions in SAP ERP)

    Func. 5: ... (actions/permissions in SAP ERP)

    Business Process n

    Risk C: User is able to ....

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 112

    Rule Building: Step One

    Define a Rule Set ID and Description (example: Global Rule Set)

    Create a Business Process (examples: Procure to Pay, Order to Cash, Finance and Controlling)

    Create Functions for the Business Process

    Assign Actions and Permissions to the Function

    Create a Risk for the Business Process

    Assign Conflicting Functions

    Assign to a Rule Set

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 113

    Rule Building: Create Functions

    [Screenshot: functions GL01 and GL02]

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 114

    Rule Building: Create Risks

  • SAP AG 2007, SAP Skills 2007 Conference / G3 / 115

    Standard Rule Set

    SAP rules in the standard rule set include: ERP Basis; Finance (General Ledger Accounting, Fixed Assets, Project Systems); HR / Payroll; MM / PP / QM; Order to Cash; Procure to Pay; SRM / EBP; CRM; Consolidation; APO


    AGENDA

    SOD Management Process Overview

    Risk Recognition

    Rule Building

    Analysis and Remediation

    Mitigation

    Continuous Compliance


    Phase Two: Analysis

    [Diagram: SoD management process, phases 1-6, phase 3 Analysis highlighted]

    ANALYSIS
    - Run analytical reports
    - Estimate cleanup efforts
    - Analyze roles and users
    - Modify rules based on analysis
    - Set alerts to distinguish executed risks


    Management View Reports


    Risk Analysis Reports

    Phase Two: Remediation

    [Diagram: SoD management process, phases 1-6, phase 4 Remediation highlighted]

    REMEDIATION
    - Determine alternatives for eliminating risks
    - Present analysis and select corrective actions
    - Document approval of corrective actions
    - Modify or create roles or user assignments

    Remediation Strategy

    - Analyze report results to determine the extent of remediation efforts
    - Discuss potential remediation methodologies appropriate to the security violations identified
    - Remediation exercise: perform walkthroughs of the remediation strategies using live examples


    Phase Two: Mitigation

    [Diagram: SoD management process, phases 1-6, phase 5 Mitigation highlighted]

    MITIGATION
    - Determine alternative controls to mitigate risk
    - Educate management about conflict approval and monitoring
    - Document a process for monitoring mitigating controls
    - Implement controls

    Mitigating Controls Are Required when Remediation Fails

    Mitigating controls are required when it is not possible to segregate duties within the business process, e.g. in a small office where one person has to take over two roles within the business process, which creates an SoD conflict that cannot be removed.

    Examples of mitigating controls:
    - Release strategies / authorization limits
    - Review of user logs
    - Review of exception reports
    - Detailed variance analysis
    - Insurance

    Firefighter

    A Key Mitigation Control

    What is Firefighter? Firefighter allows super users to perform emergency activities outside their normal role within a controlled and auditable environment.

    - All activities of the user accessing the higher authorization privileges are logged and reported
    - Firefighter generates an audit trail, which can be used to document the reasons for using higher access privileges
    - The audit trail is required for SOX compliance; monitoring logs must be analysed in a timely manner and frequently

    Firefighter Business Scenarios

    Compliant controls for emergency access
    - Users are assigned to specific firefighting IDs with defined authorizations and validity dates
    - A separate login is required, as well as documentation of the reason for use
    - An ID can only be used by one user at a time

    Auditable support access
    - Gives the customer full control over external support activities

    Mitigation control
    - Logs critical business activities a user performs as Firefighter
    - Helps to resolve SoD issues without the involvement of extra staff
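    The slide above lists the controls a firefighter ID is subject to (assignment with validity dates, a documented reason, one user at a time) and the earlier slide insists that the resulting logs be analysed timely. The following is an added example, not SAP's Firefighter code or its log format: it parses a constructed pipe-delimited session log, checks each session against constructed ID assignments, and flags sessions that used transactions from a reviewer-defined critical list (the transaction codes in that list are an assumption for the example). Every finding carries the log line it came from so a reviewer can follow up.

```python
"""Review of firefighter (emergency access) session logs, an added example
(not SAP code). Checks the controls the deck lists for firefighter IDs: the
user must hold an assignment to the ID that is valid on the day of use, a
reason must be documented, and an ID may be used by only one user at a time.
Sessions that ran transactions on a reviewer-defined critical list are flagged
for follow-up. Log format, assignments and the critical list are constructed."""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Set, Tuple

@dataclass
class Session:
    line: int          # line number in the log, for the reviewer's reference
    ff_id: str         # firefighter ID that was used
    user: str          # person who logged in to the firefighter ID
    start: datetime
    end: datetime
    reason: str        # documented reason for use (empty string is a finding)
    transactions: List[str]  # transactions executed during the session

Finding = Tuple[int, str, str]  # (log line, finding code, detail)
Assignments = Dict[Tuple[str, str], Tuple[date, date]]  # (ff_id, user) -> validity

def parse_log(text: str) -> List[Session]:
    """Parse the constructed pipe-delimited log; the first line is the header."""
    rows = text.strip().splitlines()
    header = rows[0].split("|")
    sessions = []
    for n, row in enumerate(rows[1:], start=2):
        f = dict(zip(header, row.split("|")))
        sessions.append(Session(n, f["ff_id"], f["user"],
                                datetime.fromisoformat(f["start"]),
                                datetime.fromisoformat(f["end"]), f["reason"].strip(),
                                [t for t in f["transactions"].split(",") if t]))
    return sessions

def review(sessions: List[Session], assignments: Assignments,
           critical: Set[str]) -> List[Finding]:
    findings: List[Finding] = []
    by_id: Dict[str, List[Session]] = {}
    for s in sessions:
        by_id.setdefault(s.ff_id, []).append(s)
        window = assignments.get((s.ff_id, s.user))
        if window is None:
            findings.append((s.line, "NOT_ASSIGNED", f"{s.user} is not assigned to {s.ff_id}"))
        elif not window[0] <= s.start.date() <= window[1]:
            findings.append((s.line, "OUTSIDE_VALIDITY",
                             f"{s.user} on {s.ff_id} is valid {window[0]}..{window[1]}"))
        if not s.reason:
            findings.append((s.line, "NO_REASON", f"{s.user} gave no reason for {s.ff_id}"))
        crit = sorted(set(s.transactions) & critical)
        if crit:
            findings.append((s.line, "CRITICAL_TRANSACTION", ", ".join(crit)))
    # One user at a time: a session that starts before an earlier session on the
    # same ID has ended is a concurrent use.
    for ff_id, group in by_id.items():
        group.sort(key=lambda s: s.start)
        for i, later in enumerate(group):
            for earlier in group[:i]:
                if later.start < earlier.end:
                    findings.append((later.line, "CONCURRENT_USE",
                                     f"{later.user} overlaps {earlier.user} on {ff_id}"))
    return sorted(findings)

LOG = """\
ff_id|user|start|end|reason|transactions
FF_BASIS_01|jdoe|2007-05-02T08:00|2007-05-02T09:30|Incident 4711: restart stuck batch job|SM37,SM50
FF_BASIS_01|asmith|2007-05-02T09:00|2007-05-02T10:00||SU01,PFCG
FF_FI_01|bkim|2007-05-20T14:00|2007-05-20T14:20|Ticket 4720: month-end posting correction|FB01
FF_FI_01|jdoe|2007-05-21T07:00|2007-05-21T07:45|Ticket 4725: reverse duplicate document|FB08
FF_FI_01|bkim|2007-06-03T16:00|2007-06-03T16:10|Ticket 4731: reverse duplicate document|FB08
"""  # constructed sample log
ASSIGNMENTS: Assignments = {  # constructed firefighter ID assignments
    ("FF_BASIS_01", "jdoe"): (date(2007, 5, 1), date(2007, 12, 31)),
    ("FF_BASIS_01", "asmith"): (date(2007, 5, 1), date(2007, 12, 31)),
    ("FF_FI_01", "bkim"): (date(2007, 5, 1), date(2007, 5, 31)),
}
CRITICAL = {"SU01", "PFCG", "SE16", "SCC4"}  # constructed reviewer-defined list

if __name__ == "__main__":
    for line, code, detail in review(parse_log(LOG), ASSIGNMENTS, CRITICAL):
        print(f"line {line}: {code}: {detail}")
```

    On the constructed log the review flags line 3 three times (no reason, critical transactions, concurrent use of FF_BASIS_01 while jdoe's session was still open), line 5 for a user with no assignment to FF_FI_01, and line 6 for use after the assignment's validity ended. In a real deployment the same checks would run against the tool's exported session log and the assignment table, and the review itself should be scheduled and evidenced, since the slide's point is that an unreviewed audit trail is not a control.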

    The Process

    1. Firefighter Role Setup
    2. Document Why Needed
    3. Audit Log


    Phase Three: Continuous Compliance

    [Diagram: SoD management process, phases 1-6, phase 6 Continuous Compliance highlighted]

    CONTINUOUS COMPLIANCE
    - Communicate changes in roles and user assignments
    - Simulate changes to roles and users
    - Implement alerts to monitor for newly selected risks and for mitigating control testing

    Continuous Compliance

    1. Use simulation for ongoing preventive compliance
       a. New role or role change request
       b. New user or user change request
    2. Use the integration capabilities of Role Expert, Access Enforcer, and Risk Terminator to prevent SoD violations from being incorporated during day-to-day operation and security maintenance
    3. Perform regular maintenance activities to ensure that rules are complete and accurate
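    The rule hierarchy from the Rule Structure and Rule Building slides (rule set, business process, risk, conflicting functions, actions), the user and role analysis of the Analysis phase, and the simulation step in item 1 above all rest on the same evaluation: a risk is executable by a principal when every one of its functions is enabled by at least one action that principal holds. The following is an added example of that evaluation, not Compliance Calibrator or Access Enforcer code. The function-to-transaction mapping, the roles and the users are constructed; the deck leaves Function 5 unnamed, so F05 "Execute Payment Run" here is taken from Risk B's own description, and R_X is an extra risk constructed to show the simulation rejecting one assignment and allowing another.

```python
"""Segregation-of-duties (SoD) rule engine, an added example (not SAP code).
Rule set -> risk (per business process) -> conflicting functions -> actions, as in
the deck. Roles, users and the transaction mapping are constructed, not SAP's rules."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Function:
    id: str
    description: str
    actions: FrozenSet[str]  # any one of these transactions enables the function

@dataclass(frozen=True)
class Risk:
    id: str
    description: str
    business_process: str
    functions: Tuple[str, ...]  # fires only when ALL listed functions are enabled

@dataclass
class RuleSet:
    id: str
    functions: Dict[str, Function] = field(default_factory=dict)
    risks: Dict[str, Risk] = field(default_factory=dict)

    def add_function(self, fn: Function) -> None:
        self.functions[fn.id] = fn

    def add_risk(self, risk: Risk) -> None:
        # Rule validation: a risk must name at least two distinct, known functions.
        unknown = [f for f in risk.functions if f not in self.functions]
        if unknown or len(set(risk.functions)) < 2:
            raise ValueError(f"risk {risk.id}: unknown {unknown} or fewer than 2 functions")
        self.risks[risk.id] = risk

@dataclass
class Violation:
    risk_id: str
    # function id -> (role, action) pairs enabling it; this is the remediation hint
    evidence: Dict[str, List[Tuple[str, str]]]
    mitigated_by: Optional[str] = None  # mitigating control id, if one is assigned

Roles = Dict[str, Set[str]]  # role id -> transaction codes the role grants

def analyze(rs: RuleSet, roles: Roles, assigned: List[str],
            mitigations: Optional[Dict[str, str]] = None) -> List[Violation]:
    """Risk analysis for one principal: a user (several roles) or a single role."""
    found: List[Violation] = []
    for risk in rs.risks.values():
        evidence: Dict[str, List[Tuple[str, str]]] = {}
        for fid in risk.functions:
            hits = [(r, a) for r in assigned for a in sorted(roles.get(r, ()))
                    if a in rs.functions[fid].actions]
            if not hits:
                break  # this function is not enabled, so the risk cannot be executed
            evidence[fid] = hits
        else:
            found.append(Violation(risk.id, evidence, (mitigations or {}).get(risk.id)))
    return found

def simulate(rs: RuleSet, roles: Roles, assigned: List[str], new_role: str) -> List[str]:
    """Preventive check before provisioning: risk ids the new role would ADD."""
    before = {v.risk_id for v in analyze(rs, roles, assigned)}
    after = {v.risk_id for v in analyze(rs, roles, assigned + [new_role])}
    return sorted(after - before)

def build_global_rule_set() -> RuleSet:
    rs = RuleSet("GLOBAL")
    for fn in (Function("F01", "Sales Order Agreements", frozenset({"VA01", "VA02"})),
               Function("F02", "Sales Pricing Maintenance", frozenset({"VK11", "VK12"})),
               Function("F03", "Vendor Master Maintenance", frozenset({"XK01", "XK02"})),
               Function("F04", "Process Vendor Invoices", frozenset({"FB60", "MIRO"})),
               Function("F05", "Execute Payment Run", frozenset({"F110"}))):
        rs.add_function(fn)
    rs.add_risk(Risk("R_A", "Enter sales documents and lower prices for fraudulent gain",
                     "Order to Cash", ("F01", "F02")))
    rs.add_risk(Risk("R_B", "Maintain vendor master data and initiate payment runs",
                     "Purchase to Pay", ("F03", "F05")))
    rs.add_risk(Risk("R_X", "Enter vendor invoices and pay them (constructed risk)",
                     "Purchase to Pay", ("F04", "F05")))
    return rs

ROLES: Roles = {  # constructed roles
    "Z_SD_ORDER_ENTRY": {"VA01", "VA02", "VA03"},
    "Z_SD_PRICING": {"VK11", "VK12"},
    "Z_AP_VENDOR_MASTER": {"XK01", "XK02"},
    "Z_AP_INVOICE": {"FB60", "MIRO"},
    "Z_AP_PAYMENT_RUN": {"F110"},
    "Z_AP_ALL": {"XK01", "FB60", "F110"},  # conflicts inside a single role
}
USERS: Dict[str, List[str]] = {"jdoe": ["Z_SD_ORDER_ENTRY", "Z_SD_PRICING"],
                               "asmith": ["Z_AP_VENDOR_MASTER"]}

if __name__ == "__main__":
    rs = build_global_rule_set()
    for user, assigned in USERS.items():  # user-level analysis (phase 3)
        print(user, [(v.risk_id, v.evidence) for v in analyze(rs, ROLES, assigned)])
    print("role Z_AP_ALL:", [v.risk_id for v in analyze(rs, ROLES, ["Z_AP_ALL"])])
    print("asmith + Z_AP_PAYMENT_RUN:", simulate(rs, ROLES, USERS["asmith"], "Z_AP_PAYMENT_RUN"))
```

    Two design points matter for a practitioner. The evidence in each violation names the role and action per function, which is what the Remediation phase needs to decide whether to split a role or drop an assignment; and simulate() reports only risks the new role would add, which is the check an approval workflow of the Access Enforcer kind has to run before provisioning so that a request can be rejected, or routed to a mitigating-control assignment, instead of being cleaned up afterwards. Running a single role through analyze() covers the intra-role conflicts (Z_AP_ALL here) that user-level reports alone would attribute to whoever happens to hold the role.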

    Continuous Compliance: User Access Management

    Enables compliant end-to-end provisioning, hire to retire

    Current approach (inefficient, not compliant):
    Access request -> Manager approval -> Role owner -> IT security -> Manual provisioning, with the handoffs carried by e-mail, e-mail, spreadsheets and paper forms, spreadsheets and paper forms

    Continuous Compliance: What Is Access Enforcer?

    Access Enforcer is an automated user request, approval, and compliant provisioning solution that is web-based and workflow-configurable, with proactive SoD compliance checking.

    ACCESS ENFORCER PROCESS OVERVIEW
    [Diagram: user/role requests -> Access Enforcer -> user provisioning to SAP systems (Financial System, CRM System, Payroll System, Human Resources System)]


    Access Enforcer

    Real Time Risk Simulation Results

    Workflow Results

    What can be accomplished after a workflow is finished:
    - Create user in SAP
    - Assign roles in SAP
    - Change role assignment
    - Lock user in SAP
    - Unlock user in SAP
    - Delete user in SAP
    - Create and assign mitigation
    - Send notifications

    If the auto-provisioning feature is configured to yes, the first six items can be completed automatically by AE. Otherwise the security approver must complete the provisioning in SAP manually.

    AGENDA

    The Access Control Suite: An Overview

    SAP CC: The SOD Management Process

    Project Organization

    Interdependencies GRC Access Controls

    [Diagram: Role Expert, Access Enforcer, Firefighter and Compliance Calibrator with Risk Terminator, with the data exchanged between them labelled: critical transactions, SoD analysis, risk analysis for simulation, role information, workflow engine for role approval, risk analysis, workflows]

    Best Practice Road Map GRC Access Controls

    [Diagram: implementation road map covering Firefighter, Compliance Calibrator with Risk Terminator, Access Enforcer and Role Expert]

    This road map ensures the fastest implementation with optimal change management.

    Installation
    - Install and configure Compliance Calibrator and Risk Manager
    - Firefighter comes with the RTAs (+ BC Sets)
    - Later install and configure Access Enforcer and Role Expert

    Service Levels

    SAP Consulting offers the following service scenarios:

    Basic service: The customer nominates and empowers its own project manager and implementation team. As the project manager is qualified but lacks experience in implementing the GRC system, project management assistance (PMA) from SAP Consulting ensures, via checks on pre-defined focus topics at pre-defined project stages, that the GRC Access Controls project is delivered on time and within budget according to the defined scope.

    Extended service: Based on scoping workshops, Mainova can order extended service.

    Full service: If the customer lacks resources, a full service can be ordered. Individual effort estimation required.

    Packaged Solutions Model Access Controls: GRC Compliance Calibrator (Packaged Solutions Step 1)

    Packaged Solution: GRC Assessment
    - Brief: AS-IS analysis and evaluation
    - Value proposition: identification of strategic GRC focus areas based on risk potential; identification of improvement potential; focus for roadmap
    - Deliverables: basic analysis / entry risk assessment; management letter review; roadmap entry business case
    - Project team: Client, SAP
    - Effort: 6 days consulting *)
    - Duration: > 2 weeks

    Packaged Solution: GRC Risk Analysis Entry
    - Brief: risk analysis based on standard rules
    - Value proposition: haptic (hands-on) approach
    - Deliverables: risk analysis workshop; risk analysis based on the standard SoD matrix; risk report by user/roles; recommendations
    - Project team: Client, SAP
    - Effort: 1 d technical consulting + 1 d consulting *)
    - Duration: 1 week

    Packaged Solution: GRC Compliance Calibrator
    - Brief: basic implementation of GRC Compliance Calibrator
    - Value proposition: cost-efficient way to implement GRC CC using SAP's implementation expertise as project management guidance
    - Deliverables: license GRC Access Controls; installation on one development and one quality system; basic configuration know-how transfer (coaching) for the system administrator; project management coach for the GRC CC implementation
    - Project team: Client, SAP
    - Effort: 12 d consulting + 5 d technical consulting *)
    - Duration: > 6 weeks

    *) + client effort

    Packaged Solutions Model Access Controls: GRC Firefighter, GRC Access Enforcer

    Based on Step 1, the following packages can be implemented.

    Packaged Solution: GRC Firefighter
    - Brief: GRC Firefighter enablement
    - Value proposition: fast and cost-efficient way to implement GRC Firefighter, the compliant answer to SAP_ALL and other emergency accesses
    - Deliverables: installation of Firefighter on one development and one quality assurance system; basic configuration know-how transfer (coaching); template FF; recommendations
    - Project team: Client, SAP
    - Effort: 1 d technical consulting + 4 d consulting *)
    - Duration: > 1 week

    Packaged Solution: GRC Access Enforcer
    - Brief: GRC Access Enforcer enablement
    - Value proposition: fast and cost-efficient way to implement audit-proof access granting
    - Deliverables: installation of Access Enforcer on one development and one quality assurance system; basic configuration know-how transfer (coaching); audit-proof workflow design (max. 2 workflows); create/change/delete 5 test users
    - Project team: Client, SAP
    - Effort: 2 d technical consulting + 10 d consulting *)
    - Duration: > 3 weeks

    Both packages: building up in-house expertise using SAP expertise

    *) + client effort

    Project Plan (Full Service, exemplary)

    [Gantt chart: Start -> Project Setup; Installation Architecture; Risk Recognition; Rule Building and Validation; Analysis; Remediation & Mitigation; UAT and Review / Documentation; Training on the Job / Coaching / Testing; Go-live; Go-Live Support (Full Support); Project Closing]

    Project Organization (Full Service)

    - Steering Committee
    - Project Managers: PM(A) SAP, PM Customer
    - Business Process Owners
    - Key Users
    - Audit

    Required Availability of Resources

    Legend: Min = on requirement; Medium = 1-2 days per week; High = 3-4 days per week

    Project role                               Required availability
    Project Executive Sponsor                  Sponsorship + steering
    Project Steering Committee                 Once per month
    Customer Project Manager                   High
    Business Process Owner                     Min
    Business Process Team Member (key user)    Medium
    Technical Team                             High


    Questions?


    Copyright 2007 SAP AG. All Rights Reserved

    No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

    Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

    Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

    IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, System i, System i5, System p, System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation.

    Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

    Oracle is a registered trademark of Oracle Corporation.

    UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

    Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

    HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.

    Java is a registered trademark of Sun Microsystems, Inc.

    JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

    MaxDB is a trademark of MySQL AB, Sweden.

    SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

    The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.

    This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

    SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

    SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

    The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.
