SlideShare uma empresa Scribd logo

Sap grc-access-control-solution

Anywhere Gondodza SAP.GRC.FI.B.COM.ACC.HONS (MSU)
Anywhere Gondodza SAP.GRC.FI.B.COM.ACC.HONS (MSU)

Sap grc-access-control-solution

Tecnologia
1 de 13
Baixar para ler offline
WHITEPAPER SAP GRC Access Control Solution. -White paper on Implementation Methodology. HCL SAP GRC Practice January 2008 1-13
Table of Content Executive Summary 3 Introduction 4 SOX, SoD and SAP 4 Functions of SAP GRC Access Control 6 Implementation Methodology 7 ANNEXURE 1:Various Aspects 10 ANNEXURE 2: Role and Responsibilities 11 ANNEXURE 3:Time Lines 12 ANNEXURE 4: Challenges 12 ANNEXURE 5: SAP GRC Business benefits 13 2-13
In the era of stringent corporate governance new regulatory requirements have made tighter internal control as standard compliance across the globe. All organization irrespective of size are struggling to comply with these regulations and managing the risk.The cost and effort to establish,maintain and prove compliance demand both money and time which can be invested for more value addition rather than value protection. For many organization the technology solutions is to try automation using standard office tools such as spreadsheet which in spite of its low cost advantage may become a part of problem rather than a compliance solution. Fortunately newly available software platform that have become known as the GRC technology can help streamline the automation.This white paper pertains to one of the most accountable control automation tool:SAPAccess Control and details its implementation methodology. Executive Summary 3-13
He who cannot obey himself will be commanded. That is the nature of living creatures. - FriedrichWilhelm Nietzsche ©Barings Bank – Nick Lee son’s $1.2 Billion loss – Barings’ forced into bankruptcy. §Due to improper supervision and SoD violations delayed detection. ©Daiwa Bank – Toshihide Iguchi’s $1.1 Billion loss and $340 Million fine for unauthorized trades. ©Mgmt tried to conceal losses by overriding controls and SoD violations ©Sumitomo Bank –Yasuo Hamanaka’s $1.8 Billion copper position losses. ©Maintained 2 sets of books for over a decade ©NatWest U.K. – Kyriacos Papoulis concealed over $100 Million in option losses §Manipulated the books. ©Enron,Tyco International,Adelphia, Peregrine Systems and WorldCom…………………..Socite General…. SAP GRC Access Control Integrated GRC is an offshoot of SOX and such other compliances existing across industries worldwide. Evolution of Integrated GRC: In itself GRC is not new. Corporate Governance, Risk management and Compliance as individual issues where the most fundamental concerns of Business and its Top leaders.What's new is Integrated GRC. It an approach the organization practices and the various roles the board and the senior management, line management and rest of the organization play in relation to oversight, strategy risk management and strategy execution regarding compliance with laws and regulations and internal policies and procedures. Introduction Sarbanes Oxley Compliance was a result of such Scandals.Also known as the Public CompanyAccounting Reform and Investor Protection Act of 2002 and commonly called SOX,it is a controversial United States federal law passed in response to a number of major corporate and accounting scandals. Signed by Congress on July 30,2002 its overall purpose is to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws. As per the requirement to be SOX (Sarbanes OxleyAct) compliant, the main issue arises in SoD (Segregation of Duties) management i.e. Access related problems in organizations. For this purpose the necessity is to make an automated approach to implement the rules and policies of SOX compliance. SAP is in process of addressing the various compliance and risk management issues across the verticals with the development of automated solutions. One of the Solutions they have developed comprises GRC Access Control an application that handles sustainable prevention of segregation of duties violations. By implementing the automated Access control solution, it will provide the enablement to fulfill the requirements of SOX compliance without any SoD violation and its severity. SOX, SoD and SAP 4-13
A primary internal control intended to prevent or decrease the risk of errors or irregularities by assigning conflicting duties to different personnel. SAP Definition for SoD Segregation of Duties (SoD) Across an enterprise there are various functions and these functions are performed, together by a set of roles/responsibilities. SoD says that these set of Roles/responsibilities should be assigned in such a way that, across an enterprise, any individual should not have end to end access rights over any function. End to end access SoD Actual job titles and organizational structure may vary greatly from one organization to another, depending on the size and nature of the business.With the concept of SoD,business critical duties can be categorized into four types of functions:authorization,custody,record keeping and reconciliation. In a perfect system, no one person should handle more than one type of functions. The Roles and Responsibilities for the function should be divided in such a way that one person does not have full right over the function that the risk of malicious activity of manipulation of the function is reduced.The more critical the function is, greater and clearer Segregation of Duties should be. Some examples of incompatible duties are: ©Creating vendor and initiate payment to him. ©Creating invoices and modifying them. ©Processing inventory,and posting payment. ©Receiving Checks and writing pay-offs. Ideally, single individual must not have authority of creation, modification, reviewing and deletion for any transaction / tasks / resources. If any individual has access rights to creation and modification,he can create and after getting it reviewed, he can modify it to do some fraudulent exercises. Similarly if an individual has creation and deletion rights he can create, initiate payment and later delete any transaction logs that can track his activity. Segregation of Duties deals with access controls.Access Control ensures that one individual should not have access to two or more than two incompatible duties. Segregation of Duties ensures that: ©There are no errors,as SoD ensures cross check of roles/responsibilities ©Risk of Fraud is reduced as fraud will involve two or more than two individuals ©Clear separation of Roles/Responsibilities across various functions in organization. ©Segregation of Duties must be so performed that it reduces the risk associated with a function/process that can be mal-functioned to practice any 5-13
fraudulent exercises.If proper SoD does not exist in an organization,then: ©There are ineffective internal access controls ©There is improper use of materials, money, financial assets and resources ©Estimation of financial condition may be wrong ©Financial documents produced for audits and review may be incorrect Manual Approach for SoD Traditional approaches for identifying and preventing SoD issues are costly, time-consuming, and exhaustive with scope for errors. In the increased regulatory environment, companies cannot afford to waste time and money hoping that a manual approach will satisfy their audit requirements. Companies now seek a comprehensive, automated approach to help them quickly resolve the SoD challenges without disrupting their business. SAP Access Control SAP GRC Access Control delivers a comprehensive, cross-enterprise set of Access Control that enables all corporate compliance stakeholders -- including business managers, auditors, and IT security managers -- to collaboratively define and oversee proper SoD enforcement, enterprise role management, compliant provisioning,and Superuser privilege management. Functions of SAP GRC Access Control application for SAP. When deployed together,they provide an end-to-end Access Control solution that addresses the following areas: ©Risk detection SAP applications for Access Control detect even the most obscure access and authorization risks across SAP and non-SAP applications, providing protection against every potential source of risk, including segregation of duties and transaction monitoring. ©Risk remediation and mitigation These applications for access and authorization control enable fast, efficient remediation and mitigation of access and authorization risks by automating workflows and enabling collaboration among business and technical users. ©Reporting The applications deliver the comprehensive reports and role-based dashboards businesses need to monitor the performance of compliance initiatives and to take action as needed. ©Risk prevention Once access and authorization risks 6-13 The SAP GRC Access Control Includes the Virsa Compliance Calibrator application for SAP, the Virsa Role Expert application for SAP, the Virsa Firefighter application for SAP, and the Virsa Access Enforcer
have been remediate, only SAP applications for Access Control can prevent new risks from entering a production system.By empowering business users to check for risks in real time and automating user administration, the applications make risk prevention a continuous,proactive process. Implementation Methodology based on SAP Best Practice HCL has come out with an excellent approach and methodology for implementation of SAP GRC Access Control Suite.This Suite embraces four tools: ©Access risk analysis and remediation ©Complaint user provisioning ©Role Management ©Privileged user access management This implementation methodology when followed step by step makes access and authorization risk management and further its compliance adherence, an integral part of customary organizational activities.The implementation process is based on Best Practices provided by SAP and extends from GET CLEAN (identify and resolve the access risk issues) phase to STAY CLEAN (complaint user provisioning process is channeled into automated structure) phase. The implementation process starts from installation and configuration of Compliance Calibrator. In line with the SoD Management Process, Business Process Owners identify any fraudulent or accidental corruption activity, subjected to access and authorization or SoD risks and then implement the necessary mitigation controls on them. Next, during implementation of Role Expert, through Role Designer we design the role designation methodology of the organization. In Access Enforcer implementation, we define workflows. Workflows are meant for channelizing the different work processes into structured,transparent and automated manner. At last, Fire Fighter is implemented which endow selected users with exceptional rights. To ensure risk occurrence, all the activities of users with fire fighter rights are logged and documented. 7-13
The proposed methodology which helps in implementing SAP GRCAccess Control projects has six phases: ©Implementation Readiness ©Deploy & Install GRCAccess ControlTool Suite ©RiskAnalysis and Remediation ©Super User Privilege Management ©Compliance User Provisioning ©Enterprise Role Management ControlTools. Access Control Tool Suite can be easily downloaded from SAP Support Portal at SAP Service Marketplace at: service.sap.com. You need to login from your service marketplace ID. It will ask for your Customer Number or Installation Number. The SAP GRCAccess ControlTool Suite includes following tools: ©Virsa Compliance Calibrator ©VirsaAccess Enforcer ©Virsa Role Expert ©Virsa Firefighter for SAP Risk analysis and remediation Risk Analysis and Remediation is done by Compliance Calibrator. Risk Analysis and Remediation provides real-time compliance around the clock and prevents security and controls violations before they occur. Once deployed, business managers can analyze real-time data, find hidden issues and help ensure the effectiveness of access and authorization controls across the enterprise. The scope of the process includes following key areas: ©Identification of critical access and segregation of duties ©Real-time risk assessment ©Simulation and remediation ©Documentation of mitigation controls ©Summary and drill-down reports Preparation of Implementation We recommend the implementation life-cycle of GRC Access Control Tool includes every thing from Installation and configuration of all 4 software’s to their integration and validation. Preparation Includes: ©NetWeaver installation configured and validated i.e. ready for applications installation ©Resource Identification ©Requirement Validation: It will include review and validation of customer’s requirement against product functionality.There should be a brief analysis of customer’s business environment which will include the organizational scan and study of their business processes.BPX along with implementation consultant and BPO will architect solutions to address requirement gaps. Deploy & Install GRC Access Control Tool Suite Once the preparations for implementation are done,we proceed for installation and configuration of Access 8-12
Super user Privilege Management Superuser Privilege Management is done using Firefighter ©Superuser Privilege Management is a solution used for emergency situations, extensive and/or special access, and when you do not have time to obtain logins,passwords.Feature provided by it: ©Provides Super User access control ©Compliant controls for emergency access §Users assigned to specific firefighting IDs with defined authorizations and validity dates §Separate login is required as well as documentation regarding reason for use Can only be used by one user at a time Auditable reporting Compliant User Provisioning Compliant User Provisioning will be done byAccess Enforcer Access Enforcer enables fully compliant user provisioning throughout the employee life cycle and prevents new SoD violations. Businesses can automate provisioning, test for SoD issues, streamline approvals, and reduce the workload for IT staff. The solution performs following activities: ©Automate ProvisioningWorkflow ©Provide Compliant User Provisioning Across the Enterprise § © §Logs actions without turning on SAP logging ©Identify SoD Issues in RealTime ©StreamlineApprovals Enterprise Role Management Introduction to Role Expert Role Expert is a Role Creation and Management Tool. This SAP GRCAccess ControlTool is a web enabled tool that can ease the overhead in an Organization in creation and management of Roles. Apart from creation and management of Roles it also takes care of Risks associated with different Roles, Segregation of Duties, and Generation of types of reports useful for management and auditors and also the mitigation of risks. Purpose of Role Expert Role Expert implementation serves the following purposes in an organization: ©It helps implement best practices of good role naming conventions. ©Automates the creation and maintenance of Roles. ©Implements best practices of Approval workflow automation for Role in the Organization. ©Automates the generation of reports of various types to serve the purpose of management and auditors as well. ©Performing automatic risk analysis at all levels and also mitigation of risks before approving or creating the requested role. ©Transparency, tracking and monitoring of creation and implementation of Roles. § 9-13
ANNEXURE 1:Various Aspects. Steps Activities Involved Person Involved Duration/Days Implementation • Readiness • Software Installation • NetWeaver EnvironmentValidation Deploy & Install GRC • Access Control Tool Suite • • • • Super User Privilege Management l • Assignment of Firefighter roles to • Mapping Firefighter IDs to Owner, Compliance User • Provisioning • Define process stages and approvals • Create test initiators, stages, and paths • Define test users and request types • Test initial workflows • Define escalations and detours • Complete workflow configuration Enterprise Role • Management • Creation of Role Generation Methodology • Creation of Naming Conventions for Roles • Creation of Role in Role Expert • Reports in Role Expert Hardware/Software requirement Basis/Security 17 analysis Consultant GRC AC Tool Consultant Software installation as well certain GRC AC Tool Consultant 15 one-time initial configuration activities. Risk Analysis and • Identification of critical access and GRC AC Tool Consultant 26 Remediation segregation of duties GRC Business Process Analyst Real-time risk assessment SOX Domain Consultant Simulation and remediation Documentation of mitigation controls Summary and drill-down reports The application tracks, monitors, and GRC AC Tool Consultant 4 ogs every activity a super user GRC Business Process Analyst performs with a privileged user ID. • Creation of Firefighter Ids applicable User IDs Firefighter, and Controller Learn about Access Enforcer GRC AC Tool Consultant 20 workflows and their components GRC Business Process Analyst Creation of Role Attributes required GRC AC Tool Consultant 15 for any Role GRC Business Process Analyst 10-13
Role Number Group Responsibility Basis/Security Consultant GRC AC Tool Consultant • Integration of all 4 tools • Risk Recognition, Remediation, Mitigation • Rule Building and their Maintenance • Configuration of workflows • Configuration of Role Attributes • Configuration of Role Generation Methodology • Configuration of Naming Conventions • Report Generation SOX Domain 1 Consultant • Creation of Mitigation Controls • Approve or Reject already created Risks and Mitigation • Scenario Analysis and Identification of Format & Content of GRC Business 1 Process Analyst • Designing workflows for user and role provisioning • Identification of Role Attributes • Identification of Role Generation Methodology • Identification of Naming Conventions • Identification of risk & role owners and approvers Client Technical Team • NetWeaver EnvironmentValidation Client Business Team • Approving remediation to address user access issues • Approve or reject risks between business areas and approve Client Project Manager/ Coordinator Client Audit / Internal Control Team 1 HCL GRC • Hardware/Software requirement analysis • Software Installation • NetWeaver EnvironmentValidation 2 HCL GRC • Master Data Creation • Configuration of all 4 tools HCL GRC • Risk identification Controls Reports HCL GRC • Risk Analysis andValidation • Designing alternative controls to mitigate SoD issues To be Client • Hardware/Software requirement analysis decided • Software Installation To be Client • Identifying risk and/or approving controls for monitoring decided risks mitigating controls for risks. To be Client • Managing the implementation project decided To be Client • Perform risk assessments on a regular basis to identify new decided risks, perform periodic testing of rules and mitigating controls; act as a liaison with external auditors. ANNEXURE 2: Role and Responsibilities 11-13
ANNEXURE 3:Time Lines Implementation Activity Duration/Days Formation of project team* 2 Software Installation andValidation* 5 RequirementValidation/System and User Landscape Study/Master Data Creation* Implementation Readiness 17 Compliance Calibrator Configuration and Implementation 26 Firefighter Configuration and Implementation 4 Role Expert Configuration and Implementation 15 Access Enforcer Configuration and Implementation 20 Roll-Out/Deployment/Go-Live 10 10 Challenges Solution Real-time alert generation and A Setting up organizational rules and running risk analysis based on these rules Integrating workflows in Compliance Calibrator for various processes Efficient handling of false positives Designing user-provisioning workflows and proper initiators to trigger them Cross-application implementation Cross-system Cross-geo implementation lert Generation and its notification through e-mail was configured not notification through mail only for mitigating controls but also for risk execution and critical transaction execution Compliance Calibrator provides a supplemental table to address organizational restrictions without having to change and maintain the entire rules database.These restrictions were configured as organizational rules. Various processes of Compliance Calibrator can be automated and structured through workflows which are created and executed through Access Enforcer. Path for connecting the Compliance Calibrator to the workflows is entered in the Workflow service URL. Rule Building is done at authorization objects level to prevent false positives of SoD violations. User provisioning workflows are created and configured through Access Enforcer The system includes rules at both the transaction and object level that address the SAP applications for APO, Basis, CRM, EBP, SRM, FI/CO, HR / Payroll, Procure to Pay, MM/QM, Order to Cash, and Portals. TheVirsa Compliance Calibrator "out-of-the-box" rule set includes implementation transaction objects and value combinations analyzing some 120,000 possible combinations of potential risk for access rights.These cover - SAP: 20,000, Oracle: 20,000, PeopleSoft: 3,800, JDE 151. A centralized monitoring system is provided by connecting various systems across geo. Note: *These activities are performed simultaneously.The total implementation time is 56 calendar days. ANNEXURE 4: Challenges 12-13
ANNEXURE: 5 SAP GRC Business Benefits: SAP helps organizations build an integrated GRC approach in a step-by-step approach. SAP solutions for governance, risk,and compliance help you leverage your SAP and non-SAP IT investments,and deliver the following business benefits: Increased shareholder value – Good corporate governance is reflected in many intangibles, including brand and reputation – and it translates directly into share price premiums. Optimized risk/return portfolios – Greater transparency and insight enables your decision makers to select or reject projects based on risk impact and probability relative to potential return. Reduced GRC costs – Integrated corporate governance significantly reduces the number of people – and time – required to ensure and manage compliance and risk management. Improved business performance and predictability – SAP solutions for governance,risk,and compliance deliver enterprise wide transparency,a systematic process for anticipating risks,and the tools to proactively determine proper actions. Business sustainability – Using solutions delivered through automation, analytics, and alerts, businesses can more effectively mitigate risks stemming from myriads of legislations. Assumptions for the Duration/Days inAnnexure: 1. Minimum NetWeaver support Pack is already installed and validated on identified systems. 2. All the database and memory requirements for installation ofAccess ControlTools are met. 3. Hardware and memory sizing is already performed. 4. Organization already possesses the license for all requiredAccess ControlTool. 5. Person efforts and time would go on reducing in subsequent implementation in different geographies 6. The company would go for addressing compliance management issues subsequently across different locations. 13-13

Recomendados

SAP Governance,Risk and Compliance
SAP Governance,Risk and ComplianceSAP Governance,Risk and Compliance
SAP Governance,Risk and Compliance
TLI GrowthSession
 
SAP GRC
SAP GRC SAP GRC
SAP GRC
Kellton Tech Solutions Ltd
 
SAP GRC 10 Access Control
SAP GRC 10 Access ControlSAP GRC 10 Access Control
SAP GRC 10 Access Control
Nasir Gondal
 
Grc 10 training
Grc 10 trainingGrc 10 training
Grc 10 training
suresh
 
What is sap security
What is sap securityWhat is sap security
What is sap security
grconlinetraining
 
081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grc081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grc
hkodali
 
Introduction to SAP Security
Introduction to SAP SecurityIntroduction to SAP Security
Introduction to SAP Security
Nasir Gondal
 
Profiling for SAP - Compliance Management, Access Control and Segregation of ...
Profiling for SAP - Compliance Management, Access Control and Segregation of ...Profiling for SAP - Compliance Management, Access Control and Segregation of ...
Profiling for SAP - Compliance Management, Access Control and Segregation of ...
TransWare AG
 

Recomendados

SAP Governance,Risk and Compliance
SAP Governance,Risk and ComplianceSAP Governance,Risk and Compliance
SAP Governance,Risk and Compliance
TLI GrowthSession
 
SAP GRC
SAP GRC SAP GRC
SAP GRC
Kellton Tech Solutions Ltd
 
SAP GRC 10 Access Control
SAP GRC 10 Access ControlSAP GRC 10 Access Control
SAP GRC 10 Access Control
Nasir Gondal
 
Grc 10 training
Grc 10 trainingGrc 10 training
Grc 10 training
suresh
 
What is sap security
What is sap securityWhat is sap security
What is sap security
grconlinetraining
 
081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grc081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grc
hkodali
 
Introduction to SAP Security
Introduction to SAP SecurityIntroduction to SAP Security
Introduction to SAP Security
Nasir Gondal
 
Profiling for SAP - Compliance Management, Access Control and Segregation of ...
Profiling for SAP - Compliance Management, Access Control and Segregation of ...Profiling for SAP - Compliance Management, Access Control and Segregation of ...
Profiling for SAP - Compliance Management, Access Control and Segregation of ...
TransWare AG
 
Segregation of duties in SAP @ ISACA Pune presentation on 18.4.2015
Segregation of duties in SAP @ ISACA Pune presentation on 18.4.2015 Segregation of duties in SAP @ ISACA Pune presentation on 18.4.2015
Segregation of duties in SAP @ ISACA Pune presentation on 18.4.2015
CA CISA Jayjit Biswas
 
Sap grc process control 10.0
Sap grc process control 10.0Sap grc process control 10.0
Sap grc process control 10.0
Latha Kamal
 
SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsSAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM Workflows
Rohan Andrews
 
SAP Security & GRC Framework
SAP Security & GRC FrameworkSAP Security & GRC Framework
SAP Security & GRC Framework
Harish Sharma
 
Implementing SAP security in 5 steps
Implementing SAP security in 5 stepsImplementing SAP security in 5 steps
Implementing SAP security in 5 steps
ERPScan
 
Sap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online trainingSap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online training
grconlinetraining
 
Sap security-administration
Sap security-administrationSap security-administration
Sap security-administration
nanda nanda
 
SAP grc
SAP grc SAP grc
SAP grc
smadhu29
 
Sap Security Workshop
Sap Security WorkshopSap Security Workshop
Sap Security Workshop
larrymcc
 
SAP Risk Management
SAP Risk ManagementSAP Risk Management
SAP Risk Management
AuditBot SAP Security Audit
 
SAP SECURITY GRC
SAP SECURITY GRCSAP SECURITY GRC
SAP SECURITY GRC
techgurusuresh
 
Anil kumar sap security & GRC
Anil kumar sap security & GRCAnil kumar sap security & GRC
Anil kumar sap security & GRC
Anil Kumar
 
Segregation of Duties and Continuous Delivery
Segregation of Duties and Continuous DeliverySegregation of Duties and Continuous Delivery
Segregation of Duties and Continuous Delivery
Sriram Narayanan
 
Process optimization and automation for SAP S/4HANA with SAP’s Business Techn...
Process optimization and automation for SAP S/4HANA with SAP’s Business Techn...Process optimization and automation for SAP S/4HANA with SAP’s Business Techn...
Process optimization and automation for SAP S/4HANA with SAP’s Business Techn...
SAP Technology
 
HR Security in SAP: Securing Data Beyond HCM Authorizations
HR Security in SAP: Securing Data Beyond HCM AuthorizationsHR Security in SAP: Securing Data Beyond HCM Authorizations
HR Security in SAP: Securing Data Beyond HCM Authorizations
UL Transaction Security
 
Practical guide for sap security
Practical guide for sap security Practical guide for sap security
Practical guide for sap security
Siva Pradeep Bolisetti
 
SAP Access Authorization Solution
SAP Access Authorization SolutionSAP Access Authorization Solution
SAP Access Authorization Solution
Sayyed Zakir Ali Rizwe
 
Iia los angeles sap security presentation
Iia los angeles sap security presentation Iia los angeles sap security presentation
Iia los angeles sap security presentation
hkodali
 
End to End Process Transformation with Signavio.pdf
End to End Process Transformation with Signavio.pdfEnd to End Process Transformation with Signavio.pdf
End to End Process Transformation with Signavio.pdf
IgnacioPeredoCL
 
Sap overview
Sap overviewSap overview
Sap overview
Srinivas Vuppala
 
프로코밀『 W3.ow.to 』 톡 w2015 ♡ 프로코밀판매,프로코밀정품구입,프로코밀판매처,프로코밀정품구입,프로코밀가격,화이자 프로코밀,...
프로코밀『 W3.ow.to 』 톡 w2015 ♡ 프로코밀판매,프로코밀정품구입,프로코밀판매처,프로코밀정품구입,프로코밀가격,화이자 프로코밀,...프로코밀『 W3.ow.to 』 톡 w2015 ♡ 프로코밀판매,프로코밀정품구입,프로코밀판매처,프로코밀정품구입,프로코밀가격,화이자 프로코밀,...
프로코밀『 W3.ow.to 』 톡 w2015 ♡ 프로코밀판매,프로코밀정품구입,프로코밀판매처,프로코밀정품구입,프로코밀가격,화이자 프로코밀,...
전 윤희
 
العمل خارج الأطر القانونية /عاملات القطاع الفلاحي في سيدي بوزيد نموذجا
العمل خارج الأطر القانونية /عاملات القطاع الفلاحي في سيدي بوزيد نموذجا العمل خارج الأطر القانونية /عاملات القطاع الفلاحي في سيدي بوزيد نموذجا
العمل خارج الأطر القانونية /عاملات القطاع الفلاحي في سيدي بوزيد نموذجا
Voix Eve
 

Mais conteúdo relacionado

Mais procurados

SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsSAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM Workflows
Rohan Andrews
 
SAP Security & GRC Framework
SAP Security & GRC FrameworkSAP Security & GRC Framework
SAP Security & GRC Framework
Harish Sharma
 
Sap security-administration
Sap security-administrationSap security-administration
Sap security-administration
nanda nanda
 
SAP Risk Management
SAP Risk ManagementSAP Risk Management
SAP Risk Management
AuditBot SAP Security Audit
 
End to End Process Transformation with Signavio.pdf
End to End Process Transformation with Signavio.pdfEnd to End Process Transformation with Signavio.pdf
End to End Process Transformation with Signavio.pdf
IgnacioPeredoCL
 

Mais procurados (20)

Segregation of duties in SAP @ ISACA Pune presentation on 18.4.2015
Segregation of duties in SAP @ ISACA Pune presentation on 18.4.2015 Segregation of duties in SAP @ ISACA Pune presentation on 18.4.2015
Segregation of duties in SAP @ ISACA Pune presentation on 18.4.2015
 
Sap grc process control 10.0
Sap grc process control 10.0Sap grc process control 10.0
Sap grc process control 10.0
 
SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsSAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM Workflows
 
SAP Security & GRC Framework
SAP Security & GRC FrameworkSAP Security & GRC Framework
SAP Security & GRC Framework
 
Implementing SAP security in 5 steps
Implementing SAP security in 5 stepsImplementing SAP security in 5 steps
Implementing SAP security in 5 steps
 
Sap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online trainingSap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online training
 
Sap security-administration
Sap security-administrationSap security-administration
Sap security-administration
 
SAP grc
SAP grc SAP grc
SAP grc
 
Sap Security Workshop
Sap Security WorkshopSap Security Workshop
Sap Security Workshop
 
SAP Risk Management
SAP Risk ManagementSAP Risk Management
SAP Risk Management
 
SAP SECURITY GRC
SAP SECURITY GRCSAP SECURITY GRC
SAP SECURITY GRC
 
Anil kumar sap security & GRC
Anil kumar sap security & GRCAnil kumar sap security & GRC
Anil kumar sap security & GRC
 
Segregation of Duties and Continuous Delivery
Segregation of Duties and Continuous DeliverySegregation of Duties and Continuous Delivery
Segregation of Duties and Continuous Delivery
 
Process optimization and automation for SAP S/4HANA with SAP’s Business Techn...
Process optimization and automation for SAP S/4HANA with SAP’s Business Techn...Process optimization and automation for SAP S/4HANA with SAP’s Business Techn...
Process optimization and automation for SAP S/4HANA with SAP’s Business Techn...
 
HR Security in SAP: Securing Data Beyond HCM Authorizations
HR Security in SAP: Securing Data Beyond HCM AuthorizationsHR Security in SAP: Securing Data Beyond HCM Authorizations
HR Security in SAP: Securing Data Beyond HCM Authorizations
 
Practical guide for sap security
Practical guide for sap security Practical guide for sap security
Practical guide for sap security
 
SAP Access Authorization Solution
SAP Access Authorization SolutionSAP Access Authorization Solution
SAP Access Authorization Solution
 
Iia los angeles sap security presentation
Iia los angeles sap security presentation Iia los angeles sap security presentation
Iia los angeles sap security presentation
 
End to End Process Transformation with Signavio.pdf
End to End Process Transformation with Signavio.pdfEnd to End Process Transformation with Signavio.pdf
End to End Process Transformation with Signavio.pdf
 
Sap overview
Sap overviewSap overview
Sap overview
 

Destaque

프로코밀『 W3.ow.to 』 톡 w2015 ♡ 프로코밀판매,프로코밀정품구입,프로코밀판매처,프로코밀정품구입,프로코밀가격,화이자 프로코밀,...
프로코밀『 W3.ow.to 』 톡 w2015 ♡ 프로코밀판매,프로코밀정품구입,프로코밀판매처,프로코밀정품구입,프로코밀가격,화이자 프로코밀,...프로코밀『 W3.ow.to 』 톡 w2015 ♡ 프로코밀판매,프로코밀정품구입,프로코밀판매처,프로코밀정품구입,프로코밀가격,화이자 프로코밀,...
프로코밀『 W3.ow.to 』 톡 w2015 ♡ 프로코밀판매,프로코밀정품구입,프로코밀판매처,프로코밀정품구입,프로코밀가격,화이자 프로코밀,...
전 윤희
 
The Secret Sauce of Successful Teams
The Secret Sauce of Successful TeamsThe Secret Sauce of Successful Teams
The Secret Sauce of Successful Teams
Atlassian
 

Destaque (12)

프로코밀『 W3.ow.to 』 톡 w2015 ♡ 프로코밀판매,프로코밀정품구입,프로코밀판매처,프로코밀정품구입,프로코밀가격,화이자 프로코밀,...
프로코밀『 W3.ow.to 』 톡 w2015 ♡ 프로코밀판매,프로코밀정품구입,프로코밀판매처,프로코밀정품구입,프로코밀가격,화이자 프로코밀,...프로코밀『 W3.ow.to 』 톡 w2015 ♡ 프로코밀판매,프로코밀정품구입,프로코밀판매처,프로코밀정품구입,프로코밀가격,화이자 프로코밀,...
프로코밀『 W3.ow.to 』 톡 w2015 ♡ 프로코밀판매,프로코밀정품구입,프로코밀판매처,프로코밀정품구입,프로코밀가격,화이자 프로코밀,...
 
العمل خارج الأطر القانونية /عاملات القطاع الفلاحي في سيدي بوزيد نموذجا
العمل خارج الأطر القانونية /عاملات القطاع الفلاحي في سيدي بوزيد نموذجا العمل خارج الأطر القانونية /عاملات القطاع الفلاحي في سيدي بوزيد نموذجا
العمل خارج الأطر القانونية /عاملات القطاع الفلاحي في سيدي بوزيد نموذجا
 
Edgwl
EdgwlEdgwl
Edgwl
 
Sopa de carbassa
Sopa de carbassaSopa de carbassa
Sopa de carbassa
 
How to Drive Adoption of Intelligence Systems
How to Drive Adoption of Intelligence SystemsHow to Drive Adoption of Intelligence Systems
How to Drive Adoption of Intelligence Systems
 
Anteproyecto Empresa "YUUMIT"
Anteproyecto Empresa "YUUMIT"Anteproyecto Empresa "YUUMIT"
Anteproyecto Empresa "YUUMIT"
 
Logos cooperativa
Logos cooperativaLogos cooperativa
Logos cooperativa
 
Guide to IoT Projects and Architecture with Microsoft Cloud and Azure
Guide to IoT Projects and Architecture with Microsoft Cloud and AzureGuide to IoT Projects and Architecture with Microsoft Cloud and Azure
Guide to IoT Projects and Architecture with Microsoft Cloud and Azure
 
La veille au sein d’ooredoo
La veille au sein d’ooredooLa veille au sein d’ooredoo
La veille au sein d’ooredoo
 
Analisis del Proyecto de Ley Gral de la Industria Eléctrica - Desregulación y...
Analisis del Proyecto de Ley Gral de la Industria Eléctrica - Desregulación y...Analisis del Proyecto de Ley Gral de la Industria Eléctrica - Desregulación y...
Analisis del Proyecto de Ley Gral de la Industria Eléctrica - Desregulación y...
 
The Secret Sauce of Successful Teams
The Secret Sauce of Successful TeamsThe Secret Sauce of Successful Teams
The Secret Sauce of Successful Teams
 
Presentation urban conseil 2017 v1.1
Presentation urban conseil 2017 v1.1Presentation urban conseil 2017 v1.1
Presentation urban conseil 2017 v1.1
 

Semelhante a Sap grc-access-control-solution

Brochure Auditing Erp System V2
Brochure Auditing Erp System V2Brochure Auditing Erp System V2
Brochure Auditing Erp System V2
agc infotech
 
Segregation of Duties Solutions
Segregation of Duties SolutionsSegregation of Duties Solutions
Segregation of Duties Solutions
Ahmed Abdul Hamed
 
34514_Process_Control_e-book_interactive
34514_Process_Control_e-book_interactive34514_Process_Control_e-book_interactive
34514_Process_Control_e-book_interactive
ROMI Associates
 
Governance Risk and Compliance for SAP
Governance Risk and Compliance for SAPGovernance Risk and Compliance for SAP
Governance Risk and Compliance for SAP
PECB
 
Automation Technology Series: Part 2: Intelligent automation: Driving efficie...
Automation Technology Series: Part 2: Intelligent automation: Driving efficie...Automation Technology Series: Part 2: Intelligent automation: Driving efficie...
Automation Technology Series: Part 2: Intelligent automation: Driving efficie...
Accenture Insurance
 

Semelhante a Sap grc-access-control-solution (20)

Ey segregation of_duties
Ey segregation of_dutiesEy segregation of_duties
Ey segregation of_duties
 
13 Top GRC Tools for an Integrated Governance, Risk and Compliance Strategy
13 Top GRC Tools for an Integrated Governance, Risk and Compliance Strategy13 Top GRC Tools for an Integrated Governance, Risk and Compliance Strategy
13 Top GRC Tools for an Integrated Governance, Risk and Compliance Strategy
 
Oracle Scene Safeguard your Business
Oracle Scene Safeguard your BusinessOracle Scene Safeguard your Business
Oracle Scene Safeguard your Business
 
Oracle Scene Oct 2017
Oracle Scene Oct 2017Oracle Scene Oct 2017
Oracle Scene Oct 2017
 
SAP Compliance Management Demystified | Symmetry
SAP Compliance Management Demystified | SymmetrySAP Compliance Management Demystified | Symmetry
SAP Compliance Management Demystified | Symmetry
 
Brochure Auditing Erp System V2
Brochure Auditing Erp System V2Brochure Auditing Erp System V2
Brochure Auditing Erp System V2
 
Concept of Governance - Management of Operational Risk for IT Officers/Execut...
Concept of Governance - Management of Operational Risk for IT Officers/Execut...Concept of Governance - Management of Operational Risk for IT Officers/Execut...
Concept of Governance - Management of Operational Risk for IT Officers/Execut...
 
Roadmap to SAP® Security and Compliance | Symmetry
Roadmap to SAP® Security and Compliance | SymmetryRoadmap to SAP® Security and Compliance | Symmetry
Roadmap to SAP® Security and Compliance | Symmetry
 
Business-Driven Identity and Access Governance: Why This New Approach Matters
Business-Driven Identity and Access Governance: Why This New Approach MattersBusiness-Driven Identity and Access Governance: Why This New Approach Matters
Business-Driven Identity and Access Governance: Why This New Approach Matters
 
Cloud Compliance Use Case Demo
Cloud Compliance Use Case DemoCloud Compliance Use Case Demo
Cloud Compliance Use Case Demo
 
Review the five signs that you need a new Segregation of Duties compliance st...
Review the five signs that you need a new Segregation of Duties compliance st...Review the five signs that you need a new Segregation of Duties compliance st...
Review the five signs that you need a new Segregation of Duties compliance st...
 
Allgress | Industry Proven Risk and Compliance Management
Allgress | Industry Proven Risk and Compliance ManagementAllgress | Industry Proven Risk and Compliance Management
Allgress | Industry Proven Risk and Compliance Management
 
Segregation of Duties Solutions
Segregation of Duties SolutionsSegregation of Duties Solutions
Segregation of Duties Solutions
 
GRC FOR CAPITAL MARKETS: Beyond Corporate Governance
GRC FOR CAPITAL MARKETS: Beyond Corporate GovernanceGRC FOR CAPITAL MARKETS: Beyond Corporate Governance
GRC FOR CAPITAL MARKETS: Beyond Corporate Governance
 
task 1
task 1task 1
task 1
 
34514_Process_Control_e-book_interactive
34514_Process_Control_e-book_interactive34514_Process_Control_e-book_interactive
34514_Process_Control_e-book_interactive
 
Governance Risk and Compliance for SAP
Governance Risk and Compliance for SAPGovernance Risk and Compliance for SAP
Governance Risk and Compliance for SAP
 
IPO Readiness SOX Sod
IPO Readiness SOX SodIPO Readiness SOX Sod
IPO Readiness SOX Sod
 
Streamlining Identity and Access Management through Unified Identity and Acce...
Streamlining Identity and Access Management through Unified Identity and Acce...Streamlining Identity and Access Management through Unified Identity and Acce...
Streamlining Identity and Access Management through Unified Identity and Acce...
 
Automation Technology Series: Part 2: Intelligent automation: Driving efficie...
Automation Technology Series: Part 2: Intelligent automation: Driving efficie...Automation Technology Series: Part 2: Intelligent automation: Driving efficie...
Automation Technology Series: Part 2: Intelligent automation: Driving efficie...
 

Mais de Anywhere Gondodza SAP.GRC.FI.B.COM.ACC.HONS (MSU)

Mais de Anywhere Gondodza SAP.GRC.FI.B.COM.ACC.HONS (MSU) (7)

How to analyzing sap critical authorizations
How to analyzing sap critical authorizationsHow to analyzing sap critical authorizations
How to analyzing sap critical authorizations
 
How to assign sap business planning and consolidation authorizations via the ...
How to assign sap business planning and consolidation authorizations via the ...How to assign sap business planning and consolidation authorizations via the ...
How to assign sap business planning and consolidation authorizations via the ...
 
Exportto excel
Exportto excelExportto excel
Exportto excel
 
166427325 sap-a udit-management
166427325 sap-a udit-management166427325 sap-a udit-management
166427325 sap-a udit-management
 
5182
51825182
5182
 
5182
51825182
5182
 
165373293 sap-security-q
165373293 sap-security-q165373293 sap-security-q
165373293 sap-security-q
 

Último

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 

Último (20)

What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 

Sap grc-access-control-solution

  • 1. WHITEPAPER SAP GRC Access Control Solution. -White paper on Implementation Methodology. HCL SAP GRC Practice January 2008 1-13
  • 2. Table of Content Executive Summary 3 Introduction 4 SOX, SoD and SAP 4 Functions of SAP GRC Access Control 6 Implementation Methodology 7 ANNEXURE 1:Various Aspects 10 ANNEXURE 2: Role and Responsibilities 11 ANNEXURE 3:Time Lines 12 ANNEXURE 4: Challenges 12 ANNEXURE 5: SAP GRC Business benefits 13 2-13
  • 3. In the era of stringent corporate governance new regulatory requirements have made tighter internal control as standard compliance across the globe. All organization irrespective of size are struggling to comply with these regulations and managing the risk.The cost and effort to establish,maintain and prove compliance demand both money and time which can be invested for more value addition rather than value protection. For many organization the technology solutions is to try automation using standard office tools such as spreadsheet which in spite of its low cost advantage may become a part of problem rather than a compliance solution. Fortunately newly available software platform that have become known as the GRC technology can help streamline the automation.This white paper pertains to one of the most accountable control automation tool:SAPAccess Control and details its implementation methodology. Executive Summary 3-13
  • 4. He who cannot obey himself will be commanded. That is the nature of living creatures. - FriedrichWilhelm Nietzsche ©Barings Bank – Nick Lee son’s $1.2 Billion loss – Barings’ forced into bankruptcy. §Due to improper supervision and SoD violations delayed detection. ©Daiwa Bank – Toshihide Iguchi’s $1.1 Billion loss and $340 Million fine for unauthorized trades. ©Mgmt tried to conceal losses by overriding controls and SoD violations ©Sumitomo Bank –Yasuo Hamanaka’s $1.8 Billion copper position losses. ©Maintained 2 sets of books for over a decade ©NatWest U.K. – Kyriacos Papoulis concealed over $100 Million in option losses §Manipulated the books. ©Enron,Tyco International,Adelphia, Peregrine Systems and WorldCom…………………..Socite General…. SAP GRC Access Control Integrated GRC is an offshoot of SOX and such other compliances existing across industries worldwide. Evolution of Integrated GRC: In itself GRC is not new. Corporate Governance, Risk management and Compliance as individual issues where the most fundamental concerns of Business and its Top leaders.What's new is Integrated GRC. It an approach the organization practices and the various roles the board and the senior management, line management and rest of the organization play in relation to oversight, strategy risk management and strategy execution regarding compliance with laws and regulations and internal policies and procedures. Introduction Sarbanes Oxley Compliance was a result of such Scandals.Also known as the Public CompanyAccounting Reform and Investor Protection Act of 2002 and commonly called SOX,it is a controversial United States federal law passed in response to a number of major corporate and accounting scandals. Signed by Congress on July 30,2002 its overall purpose is to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws. As per the requirement to be SOX (Sarbanes OxleyAct) compliant, the main issue arises in SoD (Segregation of Duties) management i.e. Access related problems in organizations. For this purpose the necessity is to make an automated approach to implement the rules and policies of SOX compliance. SAP is in process of addressing the various compliance and risk management issues across the verticals with the development of automated solutions. One of the Solutions they have developed comprises GRC Access Control an application that handles sustainable prevention of segregation of duties violations. By implementing the automated Access control solution, it will provide the enablement to fulfill the requirements of SOX compliance without any SoD violation and its severity. SOX, SoD and SAP 4-13
  • 5. A primary internal control intended to prevent or decrease the risk of errors or irregularities by assigning conflicting duties to different personnel. SAP Definition for SoD Segregation of Duties (SoD) Across an enterprise there are various functions and these functions are performed, together by a set of roles/responsibilities. SoD says that these set of Roles/responsibilities should be assigned in such a way that, across an enterprise, any individual should not have end to end access rights over any function. End to end access SoD Actual job titles and organizational structure may vary greatly from one organization to another, depending on the size and nature of the business.With the concept of SoD,business critical duties can be categorized into four types of functions:authorization,custody,record keeping and reconciliation. In a perfect system, no one person should handle more than one type of functions. The Roles and Responsibilities for the function should be divided in such a way that one person does not have full right over the function that the risk of malicious activity of manipulation of the function is reduced.The more critical the function is, greater and clearer Segregation of Duties should be. Some examples of incompatible duties are: ©Creating vendor and initiate payment to him. ©Creating invoices and modifying them. ©Processing inventory,and posting payment. ©Receiving Checks and writing pay-offs. Ideally, single individual must not have authority of creation, modification, reviewing and deletion for any transaction / tasks / resources. If any individual has access rights to creation and modification,he can create and after getting it reviewed, he can modify it to do some fraudulent exercises. Similarly if an individual has creation and deletion rights he can create, initiate payment and later delete any transaction logs that can track his activity. Segregation of Duties deals with access controls.Access Control ensures that one individual should not have access to two or more than two incompatible duties. Segregation of Duties ensures that: ©There are no errors,as SoD ensures cross check of roles/responsibilities ©Risk of Fraud is reduced as fraud will involve two or more than two individuals ©Clear separation of Roles/Responsibilities across various functions in organization. ©Segregation of Duties must be so performed that it reduces the risk associated with a function/process that can be mal-functioned to practice any 5-13
  • 6. fraudulent exercises.If proper SoD does not exist in an organization,then: ©There are ineffective internal access controls ©There is improper use of materials, money, financial assets and resources ©Estimation of financial condition may be wrong ©Financial documents produced for audits and review may be incorrect Manual Approach for SoD Traditional approaches for identifying and preventing SoD issues are costly, time-consuming, and exhaustive with scope for errors. In the increased regulatory environment, companies cannot afford to waste time and money hoping that a manual approach will satisfy their audit requirements. Companies now seek a comprehensive, automated approach to help them quickly resolve the SoD challenges without disrupting their business. SAP Access Control SAP GRC Access Control delivers a comprehensive, cross-enterprise set of Access Control that enables all corporate compliance stakeholders -- including business managers, auditors, and IT security managers -- to collaboratively define and oversee proper SoD enforcement, enterprise role management, compliant provisioning,and Superuser privilege management. Functions of SAP GRC Access Control application for SAP. When deployed together,they provide an end-to-end Access Control solution that addresses the following areas: ©Risk detection SAP applications for Access Control detect even the most obscure access and authorization risks across SAP and non-SAP applications, providing protection against every potential source of risk, including segregation of duties and transaction monitoring. ©Risk remediation and mitigation These applications for access and authorization control enable fast, efficient remediation and mitigation of access and authorization risks by automating workflows and enabling collaboration among business and technical users. ©Reporting The applications deliver the comprehensive reports and role-based dashboards businesses need to monitor the performance of compliance initiatives and to take action as needed. ©Risk prevention Once access and authorization risks 6-13 The SAP GRC Access Control Includes the Virsa Compliance Calibrator application for SAP, the Virsa Role Expert application for SAP, the Virsa Firefighter application for SAP, and the Virsa Access Enforcer
  • 7. have been remediate, only SAP applications for Access Control can prevent new risks from entering a production system.By empowering business users to check for risks in real time and automating user administration, the applications make risk prevention a continuous,proactive process. Implementation Methodology based on SAP Best Practice HCL has come out with an excellent approach and methodology for implementation of SAP GRC Access Control Suite.This Suite embraces four tools: ©Access risk analysis and remediation ©Complaint user provisioning ©Role Management ©Privileged user access management This implementation methodology when followed step by step makes access and authorization risk management and further its compliance adherence, an integral part of customary organizational activities.The implementation process is based on Best Practices provided by SAP and extends from GET CLEAN (identify and resolve the access risk issues) phase to STAY CLEAN (complaint user provisioning process is channeled into automated structure) phase. The implementation process starts from installation and configuration of Compliance Calibrator. In line with the SoD Management Process, Business Process Owners identify any fraudulent or accidental corruption activity, subjected to access and authorization or SoD risks and then implement the necessary mitigation controls on them. Next, during implementation of Role Expert, through Role Designer we design the role designation methodology of the organization. In Access Enforcer implementation, we define workflows. Workflows are meant for channelizing the different work processes into structured,transparent and automated manner. At last, Fire Fighter is implemented which endow selected users with exceptional rights. To ensure risk occurrence, all the activities of users with fire fighter rights are logged and documented. 7-13
  • 8. The proposed methodology which helps in implementing SAP GRCAccess Control projects has six phases: ©Implementation Readiness ©Deploy & Install GRCAccess ControlTool Suite ©RiskAnalysis and Remediation ©Super User Privilege Management ©Compliance User Provisioning ©Enterprise Role Management ControlTools. Access Control Tool Suite can be easily downloaded from SAP Support Portal at SAP Service Marketplace at: service.sap.com. You need to login from your service marketplace ID. It will ask for your Customer Number or Installation Number. The SAP GRCAccess ControlTool Suite includes following tools: ©Virsa Compliance Calibrator ©VirsaAccess Enforcer ©Virsa Role Expert ©Virsa Firefighter for SAP Risk analysis and remediation Risk Analysis and Remediation is done by Compliance Calibrator. Risk Analysis and Remediation provides real-time compliance around the clock and prevents security and controls violations before they occur. Once deployed, business managers can analyze real-time data, find hidden issues and help ensure the effectiveness of access and authorization controls across the enterprise. The scope of the process includes following key areas: ©Identification of critical access and segregation of duties ©Real-time risk assessment ©Simulation and remediation ©Documentation of mitigation controls ©Summary and drill-down reports Preparation of Implementation We recommend the implementation life-cycle of GRC Access Control Tool includes every thing from Installation and configuration of all 4 software’s to their integration and validation. Preparation Includes: ©NetWeaver installation configured and validated i.e. ready for applications installation ©Resource Identification ©Requirement Validation: It will include review and validation of customer’s requirement against product functionality.There should be a brief analysis of customer’s business environment which will include the organizational scan and study of their business processes.BPX along with implementation consultant and BPO will architect solutions to address requirement gaps. Deploy & Install GRC Access Control Tool Suite Once the preparations for implementation are done,we proceed for installation and configuration of Access 8-12
  • 9. Super user Privilege Management Superuser Privilege Management is done using Firefighter ©Superuser Privilege Management is a solution used for emergency situations, extensive and/or special access, and when you do not have time to obtain logins,passwords.Feature provided by it: ©Provides Super User access control ©Compliant controls for emergency access §Users assigned to specific firefighting IDs with defined authorizations and validity dates §Separate login is required as well as documentation regarding reason for use Can only be used by one user at a time Auditable reporting Compliant User Provisioning Compliant User Provisioning will be done byAccess Enforcer Access Enforcer enables fully compliant user provisioning throughout the employee life cycle and prevents new SoD violations. Businesses can automate provisioning, test for SoD issues, streamline approvals, and reduce the workload for IT staff. The solution performs following activities: ©Automate ProvisioningWorkflow ©Provide Compliant User Provisioning Across the Enterprise § © §Logs actions without turning on SAP logging ©Identify SoD Issues in RealTime ©StreamlineApprovals Enterprise Role Management Introduction to Role Expert Role Expert is a Role Creation and Management Tool. This SAP GRCAccess ControlTool is a web enabled tool that can ease the overhead in an Organization in creation and management of Roles. Apart from creation and management of Roles it also takes care of Risks associated with different Roles, Segregation of Duties, and Generation of types of reports useful for management and auditors and also the mitigation of risks. Purpose of Role Expert Role Expert implementation serves the following purposes in an organization: ©It helps implement best practices of good role naming conventions. ©Automates the creation and maintenance of Roles. ©Implements best practices of Approval workflow automation for Role in the Organization. ©Automates the generation of reports of various types to serve the purpose of management and auditors as well. ©Performing automatic risk analysis at all levels and also mitigation of risks before approving or creating the requested role. ©Transparency, tracking and monitoring of creation and implementation of Roles. § 9-13
  • 10. ANNEXURE 1:Various Aspects. Steps Activities Involved Person Involved Duration/Days Implementation • Readiness • Software Installation • NetWeaver EnvironmentValidation Deploy & Install GRC • Access Control Tool Suite • • • • Super User Privilege Management l • Assignment of Firefighter roles to • Mapping Firefighter IDs to Owner, Compliance User • Provisioning • Define process stages and approvals • Create test initiators, stages, and paths • Define test users and request types • Test initial workflows • Define escalations and detours • Complete workflow configuration Enterprise Role • Management • Creation of Role Generation Methodology • Creation of Naming Conventions for Roles • Creation of Role in Role Expert • Reports in Role Expert Hardware/Software requirement Basis/Security 17 analysis Consultant GRC AC Tool Consultant Software installation as well certain GRC AC Tool Consultant 15 one-time initial configuration activities. Risk Analysis and • Identification of critical access and GRC AC Tool Consultant 26 Remediation segregation of duties GRC Business Process Analyst Real-time risk assessment SOX Domain Consultant Simulation and remediation Documentation of mitigation controls Summary and drill-down reports The application tracks, monitors, and GRC AC Tool Consultant 4 ogs every activity a super user GRC Business Process Analyst performs with a privileged user ID. • Creation of Firefighter Ids applicable User IDs Firefighter, and Controller Learn about Access Enforcer GRC AC Tool Consultant 20 workflows and their components GRC Business Process Analyst Creation of Role Attributes required GRC AC Tool Consultant 15 for any Role GRC Business Process Analyst 10-13
  • 11. Role Number Group Responsibility Basis/Security Consultant GRC AC Tool Consultant • Integration of all 4 tools • Risk Recognition, Remediation, Mitigation • Rule Building and their Maintenance • Configuration of workflows • Configuration of Role Attributes • Configuration of Role Generation Methodology • Configuration of Naming Conventions • Report Generation SOX Domain 1 Consultant • Creation of Mitigation Controls • Approve or Reject already created Risks and Mitigation • Scenario Analysis and Identification of Format & Content of GRC Business 1 Process Analyst • Designing workflows for user and role provisioning • Identification of Role Attributes • Identification of Role Generation Methodology • Identification of Naming Conventions • Identification of risk & role owners and approvers Client Technical Team • NetWeaver EnvironmentValidation Client Business Team • Approving remediation to address user access issues • Approve or reject risks between business areas and approve Client Project Manager/ Coordinator Client Audit / Internal Control Team 1 HCL GRC • Hardware/Software requirement analysis • Software Installation • NetWeaver EnvironmentValidation 2 HCL GRC • Master Data Creation • Configuration of all 4 tools HCL GRC • Risk identification Controls Reports HCL GRC • Risk Analysis andValidation • Designing alternative controls to mitigate SoD issues To be Client • Hardware/Software requirement analysis decided • Software Installation To be Client • Identifying risk and/or approving controls for monitoring decided risks mitigating controls for risks. To be Client • Managing the implementation project decided To be Client • Perform risk assessments on a regular basis to identify new decided risks, perform periodic testing of rules and mitigating controls; act as a liaison with external auditors. ANNEXURE 2: Role and Responsibilities 11-13
  • 12. ANNEXURE 3:Time Lines Implementation Activity Duration/Days Formation of project team* 2 Software Installation andValidation* 5 RequirementValidation/System and User Landscape Study/Master Data Creation* Implementation Readiness 17 Compliance Calibrator Configuration and Implementation 26 Firefighter Configuration and Implementation 4 Role Expert Configuration and Implementation 15 Access Enforcer Configuration and Implementation 20 Roll-Out/Deployment/Go-Live 10 10 Challenges Solution Real-time alert generation and A Setting up organizational rules and running risk analysis based on these rules Integrating workflows in Compliance Calibrator for various processes Efficient handling of false positives Designing user-provisioning workflows and proper initiators to trigger them Cross-application implementation Cross-system Cross-geo implementation lert Generation and its notification through e-mail was configured not notification through mail only for mitigating controls but also for risk execution and critical transaction execution Compliance Calibrator provides a supplemental table to address organizational restrictions without having to change and maintain the entire rules database.These restrictions were configured as organizational rules. Various processes of Compliance Calibrator can be automated and structured through workflows which are created and executed through Access Enforcer. Path for connecting the Compliance Calibrator to the workflows is entered in the Workflow service URL. Rule Building is done at authorization objects level to prevent false positives of SoD violations. User provisioning workflows are created and configured through Access Enforcer The system includes rules at both the transaction and object level that address the SAP applications for APO, Basis, CRM, EBP, SRM, FI/CO, HR / Payroll, Procure to Pay, MM/QM, Order to Cash, and Portals. TheVirsa Compliance Calibrator "out-of-the-box" rule set includes implementation transaction objects and value combinations analyzing some 120,000 possible combinations of potential risk for access rights.These cover - SAP: 20,000, Oracle: 20,000, PeopleSoft: 3,800, JDE 151. A centralized monitoring system is provided by connecting various systems across geo. Note: *These activities are performed simultaneously.The total implementation time is 56 calendar days. ANNEXURE 4: Challenges 12-13
  • 13. ANNEXURE: 5 SAP GRC Business Benefits: SAP helps organizations build an integrated GRC approach in a step-by-step approach. SAP solutions for governance, risk,and compliance help you leverage your SAP and non-SAP IT investments,and deliver the following business benefits: Increased shareholder value – Good corporate governance is reflected in many intangibles, including brand and reputation – and it translates directly into share price premiums. Optimized risk/return portfolios – Greater transparency and insight enables your decision makers to select or reject projects based on risk impact and probability relative to potential return. Reduced GRC costs – Integrated corporate governance significantly reduces the number of people – and time – required to ensure and manage compliance and risk management. Improved business performance and predictability – SAP solutions for governance,risk,and compliance deliver enterprise wide transparency,a systematic process for anticipating risks,and the tools to proactively determine proper actions. Business sustainability – Using solutions delivered through automation, analytics, and alerts, businesses can more effectively mitigate risks stemming from myriads of legislations. Assumptions for the Duration/Days inAnnexure: 1. Minimum NetWeaver support Pack is already installed and validated on identified systems. 2. All the database and memory requirements for installation ofAccess ControlTools are met. 3. Hardware and memory sizing is already performed. 4. Organization already possesses the license for all requiredAccess ControlTool. 5. Person efforts and time would go on reducing in subsequent implementation in different geographies 6. The company would go for addressing compliance management issues subsequently across different locations. 13-13