Sap Solutions For Governance Risk And Compliance And Grc Access Control 3 doc


Document information

SAP ERP Financials
SAP Solutions for Governance, Risk, and Compliance and SAP GRC Access Control

Rainer Salaw, CPA, SAP Deutschland AG & Co KG, Regional Solution Sales GRC EMEA
Barbara Mayer, Enterprise Risk Management, SAP Consulting

AGENDA
  • GRC as part of SAP Financials
  • Challenge for GRC
  • GRC-Suite in detail
  • Value proposition

© SAP AG 2007, SAP Skills Knowledge The Fast Track to SAP 2007 Conference / G3 /

Gartner “Strong Positive”
Rating: Strong Negative / Caution / Promising / Positive / Strong Positive

About SAP GRC Access Control
  • SAP is the only vendor with a “Gartner recommends” rating in all technique categories (Static analysis, provisioning support, integrated provisioning workflow, transaction monitoring and emergency access)
  • “… offers one of the strongest product sets in our analysis, comprehensively addressing all SoD issues across multiple SAP instances”
  • “…capable of running on multiple ERP platforms…”
Gartner - MarketScope for Segregation of Duties Controls Within ERP, 2007

mySAP ERP Financials
  • Corporate Performance Management (CPM): Strategy Management (Balanced Scorecard), Consolidation, Planning
  • Accounting & Finance Transformation: FI, FI-AA, FI-AR/AP, NewGL, CO, PCA
  • Financial Supply Chain Management (FSCM): Credit Mgmt., Collections Mgmt, Dispute Mgmt, FI-CA, Biller direct, In-house Cash
  • Governance, Risk, and Compliance (GRC): Internal regulations / ethical standards, strategic/operative Risks, External regulations / compliance to laws

AGENDA
  • GRC as part of SAP Financials
  • Challenge for GRC
  • GRC-Suite in detail
  • Value proposition

Business Case: „…the True Information Age“
„In 2010 the need for fast, accurate and reliable information will be increased significantly. In four areas the demand will be raised most.“ Two of them are:
  • Risk Management
  • Governance

Fragmented Processes and Systems: A Risky Situation !
  • Supervisory board, internal audit: almost manual, sample based, not error free controls
  • Management: no overview about risk portfolio
  • Compliance / Risk Office: high level risks, not proactive
  • IT: IT Security; SOD management, Fraud
  • Purchasing: Supplier rating & “embargo lists”
  • Supply Chain
  • Finance: complex, international Compliance requirements (e.g. Revenue recognition)
  • Human Resource: environmental health & safety
  • Sales: Credit risks, Customer ratings
  • Customers & Channel

Gain Confidence by Proactive Transparency with SAP GRC
  • Supervisory board, internal audit: documented decisions, audit trail
  • Compliance / Risk Office: Real time risk analysis, integrated view
  • IT: highly secured IT systems
  • Purchasing: transparent rating, compliance to trace regulations
  • Supply Chain
  • Management: Transparency about risks => max confidence !
  • Finance: Compliance in group reporting processes
  • Human Resource: compliance to environmental standards
  • Sales: transparent customer solvency
  • Customers & Channel

Continuous Compliance: What Is Access Enforcer?
Access Enforcer is an automated user request, approval, and compliant provisioning solution that is web-based and workflow configurable with proactive SoD compliance checking.

[Figure: ACCESS ENFORCER PROCESS OVERVIEW. Labels: User Provisioning to SAP systems; Human Resources System; User Role Requests; Financial System; CRM System; Payroll System; Access Enforcer]

Access Enforcer – Real Time Risk Simulation Results

Workflow Results
What can be accomplished after a workflow is finished:
  • Create User in SAP
  • Assign Roles in SAP
  • Change Role Assignment
  • Lock User in SAP
  • Unlock User in SAP
  • Delete User in SAP
  • Create and Assign Mitigation
  • Send Notifications
If the auto-provisioning feature is configured to “yes,” the first six items can be automatically completed by AE. Otherwise the security approver must complete the provisioning in SAP manually.

AGENDA
  • The Access Control Suite: An Overview
  • SAP CC: The SOD Management Process
  • Project Organization

Interdependencies GRC Access Controls
[Figure: interdependencies between the components. Labels: Firefighter; Risk Analysis for simulation; Critical Transactions; SoD Analysis; Compliance Calibrator with Risk Terminator; Risk Analysis; Work Flows; Access Enforcer; Role Expert; Role Information; Workflow Engine for role approval]

Best Practice Road Map GRC Access Controls
Installation
  • Installation and configuration Compliance Calibrator and Risk Manager
  • Firefighter comes with the RTAs, (+BC Sets)
  • Later install and configure Access Enforcer and Role Expert
Implementation
  • Firefighter
  • Compliance Calibrator with Risk Terminator
  • Access Enforcer
  • Role Expert
This Road Map ensures fastest implementation, while optimal change management

Service Levels
SAP Consulting offers the following scenarios of service:
  • Basic service – The customer nominates and empowers a project manager and an implementation team of his own. As the project manager is qualified but lacks experience in implementing the GRC system, a project management assistance (PMA) of SAP Consulting ensures via checks on pre-defined focus topics at pre-defined project stages that the GRC Access Controls project is delivered on time and in budget according to defined scope.
  • Extended service – Based on scoping workshops, Mainova can order extended service.
  • Full service – As the customer lacks resources, a full service can be ordered. Individual effort estimation required.

Packaged Solutions Model Access Controls
Packaged Solutions Step Packaged Solution Brief Value proposition Project Team Effort Duration GRC Assessment GRC Risk Analysis Entry AS-IS Analysis and Evaluation Risk Analysis based on standard rules Identification of strategic GRC focus areas based on risk potential Identification of improvement potential Text Client Focus for roadmap Haptic Approach Text Client GRC Compliance Calibrator Basic Implementation GRC Compliance Calibrator Cost efficient way to implement GRC CC – using implementation expertise of SAP as Project Management Guidance Text Client SAP SAP SAP days Consulting *) d Tech Cons.+1 d Cons *) 12 d Cons + d Tech Cons*) > weeks week > weeks *) + Client effort Basic Analysis/ Entry Risk Assessment Deliverables Management Letter Review Roadmap Entry Business Case Risk Analysis Workshop License GRC Access Controls Risk Analysis based on standard SODMatrix Installation on one Development and one Quality System Risk Report by User/Roles Recommendations Basic Configuration Know-How Transfer (Coaching) for System Administrator Project Management Coach for GRC CC Implementation

Packaged Solutions Model Access Controls
Based on Step the following Packages can be implemented
Packaged Solution GRC Firefighter GRC Firefighter enablement Brief Value proposition Project Team Effort Duration GRC Access Enforcer GRC Access Enforcer enablement Fast and cost efficient way to implement GRC Firefighter, the compliant answer to SAP_ALL and other emergency accesses Text SAP Client Fast and cost efficient way to implement audit-proofed access granting Building up in-house expertise using SAP expertise SAP Text Client d Tech Cons.+ d Cons *) d Tech Cons.+ 10 d Consulting *) > week > weeks *) + Client effort Installation Firefighter on one Development and one Quality Assurance System Basic Configuration Deliverables Installation Access Enforcer on one Development and one Quality Assurance System Basic Configuration Know-How Transfer (Coaching) Template FF Recommendations Know-How Transfer (Coaching) Audit proofed Workflow Design (max WF) Create/Change/Delete Test users

Project Plan – Full Service
[Figure: project plan. Labels: UAT and Review / Documentation Remediation & Mitigation Analysis Project Closing Go-Live Rule Building and Validation Risk Recognition Project Setup Installation Architecture Training on the Job / Coaching / Testing Start Full Support Go-live Support Exemplary]

Project Organization – Full Service
[Figure: project organization chart. Labels: Steering Committee; Project Managers; PM(A) SAP; PM Customer; Business Process Owners; Key Users; Audit]

Required Availability of Resources
Project role: Required availability
  • Project Executive Sponsor: Sponsorship + steering
  • Project Steering Committee: Once per month
  • Customer Project Manager: High
  • Business Process Owner: Min
  • Business Process Team Member (key user): Medium
  • Technical Team: High
Min = On requirement
Medium = 1- days per week
High = 3-4 days per week

Questions?
Copyright 2007 SAP AG. All Rights Reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, System i, System i5, System p, System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected.

SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.
... Conference / G3 / 37 Q1 2008 (AC 5.3) SAP GRC Access Control 5.3 SAP GRC Access Control branding and single launchpad for all access control capabilities Risk analysis and remediation (formerly known...

... & D [Figure: grid of risk rules, up to Risk Rule 18 and Risk Rule “n”] SAP GRC Access Control Risk Analysis and Remediation Functionality © SAP AG 2007, SAP Skills 2007 Conference / G3 / 28 SAP GRC Access Control Risk

Date posted: 05/03/2014, 19:20


Table of contents

  • SAP ERP Financials SAP Solutions for Governance, Risk, and Compliance and SAP GRC Access Control

  • SAP ERP Financials SAP Solutions for Governance, Risk, and Compliance and SAP GRC Access Control

  • Slide number 3

  • Slide number 4

  • Gartner “Strong Positive”

  • mySAP ERP Financials

  • Slide number 7

  • Business Case: „…the True Information Age“

  • Fragmented Processes and Systems: A Risky Situation !

  • Gain Confidence by Proactive Transparency with SAP GRC

  • Fragmentation vs. Holistic Approach to GRC

  • GRC Suite Functions for All Process Orientated Risks and Regulations

  • GRC Suite Functions for All Process Orientated Risks and Regulations

  • SAP Solutions for GRC Framework for an integrated GRC-Solution

  • GRC Repository Central System of Record Drives Governance, Increases Transparency

  • Slide number 16

  • How Does GRC Supports You?

  • How Does GRC Supports You?

  • SAP GRC Access Control Sustainable Prevention of Segregation of Duties Violations

  • Risk Analysis and Remediation Getting Clean
