SAP GRC Risk Identification and Remediation


September 26, 2007
English

SAP GRC Risk Identification and Remediation
Business Scenario Script for Discovery System version 3

SAP AG
Neurottstr. 16
69190 Walldorf
Germany

Contents

Introduction ... 3
Statistical Overview ... 3
Initial Segregation of Duties Clean-up Process (Get Clean) ... 6
Prevention through Simulation ... 10
Stay Clean: Prepare for an Audit ... 12
Overview Mitigation Controls ... 14
Create Controls ... 14
Executive-Level View ... 17

SAP AG Page 2 of 17

Introduction

SAP GRC Access Control delivers a comprehensive, cross-enterprise set of access controls that enables all corporate compliance stakeholders, including business managers, auditors, and IT security managers, to collaboratively define and oversee proper Segregation of Duties (SoD) enforcement. SoD can be quite challenging to achieve in a small operation, as it is not always possible to have enough staff to properly segregate duties. In those cases, management needs to take a more active role to achieve separation of duties, by reviewing the transactions performed by other users or by using other mitigating controls.

Risk Identification and Remediation (formerly known as Compliance Calibrator) software helps automate all SoD-related activities. Risk Identification and Remediation detects even the most obscure access and authorization risks across SAP and non-SAP applications, providing protection against every potential source of risk, including segregation of duties and transaction monitoring. These applications for access and authorization control enable fast, efficient remediation and mitigation of access and authorization risks by automating workflows and enabling collaboration among business and technical users. Risk Identification and Remediation provides the ability to perform several major functions.

Statistical Overview

By logging in to SAP GRC Access Control as an Internal Auditor or Chief Compliance Officer, you can look at the overall risk across the entire organization, ensure compliance, and prepare for an external audit.

1. Log into the Compliance Calibrator demo server: http://sapdiscoverysystem:51000/webdynpro/dispatcher/virsa/ccappcomp/compliancecalibrator
   USER: Mbond
   PASSWORD: sarbanes1

2. Select the Informer tab (should be the default view on logon).
3. Select Risk Violations (left-hand table).
4. Select PR (Business Risks) on the Dashboard under the bar graph.
   Note: These are all the Procure to Pay risks found in the SAP system.
5. Click on the number of violations to display the users for risk P001 (7,730). These are the users who are in violation of this risk.
6. Select the back icon to go back to the SoD Violations by Process: Procure to Pay screen.
7. Click on P001 to see the Risk Description. It is easy for business users to define new rules by just combining two conflicting functions; Compliance Calibrator adds all the appropriate transactions and authorization objects.
8. Select AP02: AP02 - Process Vendor Invoices.
9. The Function Information screen appears.
   NOTE: Compliance Calibrator automatically knows which SAP actions and permissions (authorization objects) are part of this function. There are 28 different transactions in SAP to Process Vendor Invoices and another 185 authorization object values; all come pre-configured out of the box.
10. Select the back icon to go back.
11. Select PR01: PR01 - Vendor Master Maintenance.
12. Select the Permissions tab.
13. Open an action (FK01).
14. Open an Auth Object to show field values.
   Note: Compliance Calibrator has an out-of-the-box library of more than 100,000 different authorization object combinations in SAP that can cause risk; this best-practices database gets you up and running quickly. Because these authorization objects come pre-configured, customers tell us this can save up to 400 hours of time during implementation.
15. Select Log off.

Initial Segregation of Duties Clean-up Process (Get Clean)

When an organization applies enterprise-wide segregation of duties rules for the first time, there is usually an initial clean-up project required. Through the central risk analysis and remediation capability of SAP GRC Access Control (formerly known as Virsa Compliance Calibrator), internal audit can not only review the current status of this project, but also help business owner teams to work through their remediation issues. Business owners like Fox Wilson can be given complete reports of deficiencies. They can drill down to the specific system and to the specific role that is causing the violation. Now Fox Wilson can tackle, for example, the risks of one of his direct reports, Brent Bailo. He can work on Brent's risks one at a time and resolve them. Compliance Calibrator can even find transactions embedded in custom code or user exits; ONLY a real-time solution inside SAP can perform this type of risk analysis.

1. Log into the Compliance Calibrator demo server: http://sapdiscoverysystem:51000/webdynpro/dispatcher/virsa/ccappcomp/compliancecalibrator
   USER: Fwilson
   PASSWORD: sarbanes1
2. Select the Informer tab (should be the default view on logon).
3. Select Risk Analysis, then User Level.
4. Enter User: BBAILO
5. Select Report Type: Permission Level
6. Select Report Format: Detail
7. Click Execute.
8. Click the Risk Description ID F00500M01 text "Maintain bank account and post a payment from it".

Mitigate the Risk

9. The risk F00500M: Maintain bank account and post a payment from it already has Mitigate selected.
10. Click Continue.
   NOTE: Choose an appropriate mitigating control from the approved mitigation list. It is important to have control around mitigations to make sure they are meaningful. This is a very important step and not available in other solutions. When your auditor arrives 6 months down the road and sees that Brent Bailo has SoD risk in his authorizations, they will notice that you have assigned a mitigating control; in addition, they will see that you have even documented that control. GREAT, better than most companies. Now the mitigating control suggests that the Corporate Accountant will run a report on a weekly basis; the auditor will ask, "Can you prove to me that this report was actually run and reviewed?" The mitigation monitor is an individual who will get an e-mail if the payment detail report is not run on a weekly basis, and they will follow up with the Corporate Accountant to help ensure control effectiveness.
11. Search for Mitigation Control.
12. Select Mitigation Control: FI_002790

13. Enter Control Valid To: (current date)
14. Select a Monitor ID: HASSELT
15. Save.

Remediation through Access Removal

16. Select Remove Access from the User (vs. Mitigate the Risk, which was the default).
17. Click Continue.
   NOTE: If this user had been running transactions, from here you can see exactly how many times the user has performed the transaction since the time the user got access to the system. Many users do not even know they have access. SAP GRC Access Control allows business users to collaborate with technical users on risk resolution. The business user is the correct person to make the risk tradeoff of whether BBAILO should have this access or not, BUT they are probably not the right person to decide whether to remove this transaction from the role (which will affect other users); this is a technical tradeoff. SAP GRC Access Control sends a workflow ticket off to a technical user to implement the remediation.
18. Click Cancel.

Delimit Access for the User

Delimit will allow you to specify a certain time period for which the user's access will remain before the workflow ticket is sent off for resolution.

19. Select Delimit access for the user.
20. Click Continue.
21. Enter a comment: Please investigate removing role from Brent or transaction from the role
22. Click Cancel.
23. Click User Level (left-hand table).

Prevention through Simulation

If Fox needs to make any changes to the privileges granted to any of his users, he can see the implications before he makes any changes. Fox can simulate those changes BEFORE implementing them in production. The simulation can take place at the user, role or position level. For example, Fox Wilson can check what will happen if he grants Brent Bailo additional access rights.

1. Select the following fields:
   Field    Value
   System   ERP-Discovery
   User     BBAILO
2. Select Simulation.
3. Set Type: Role
4. Click Value: Drilldown

5. Enter VS::FI_VM* in Role.
6. Click Search.
7. Select the Role (enter Select).
8. Set Risks from Simulation Only to Yes.
9. Click Simulate.
   Note: By performing simulation we are implementing a PREVENTIVE control that avoids risk before it is introduced into the production environment.
10. Click the Details icon (in the upper right-hand corner) to see which roles the conflicts come from.
11. Log off Fox Wilson.
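The analysis the demo drives through the UI in the Statistical Overview, Get Clean and Simulation sections, reduced to a small model as an added example that is not part of the original script or of SAP's software: a risk is two conflicting functions, each function is a set of transactions, and a user violates the risk when their roles reach both sides; mitigation hides a risk from the report, and simulation reports only the risks a new role would introduce. All function, role, user and transaction data is constructed; only the IDs P001, F00500M01, AP02, PR01, BBAILO, HASSELT and FI_002790 are taken from the demo.

```python
# Toy model of the SoD risk analysis the demo walks through. Added
# illustration, not SAP code; every transaction list, role and user
# assignment below is constructed and far smaller than the real library.

# Function ID -> transactions (actions). AP02/PR01 are the demo's IDs;
# FI05/AP05 and all transaction lists are constructed for this example.
FUNCTIONS = {
    "AP02": {"FB60", "MIRO"},          # Process Vendor Invoices
    "PR01": {"FK01", "FK02", "XK01"},  # Vendor Master Maintenance
    "FI05": {"FI12"},                  # Maintain bank account (constructed)
    "AP05": {"F110"},                  # Post a payment (constructed)
}
RISKS = {"P001": ("PR01", "AP02"), "F00500M01": ("FI05", "AP05")}  # demo IDs
# Roles grant transactions; users hold roles (all constructed).
ROLES = {
    "VS::AP_CLERK": {"FB60", "MIRO"},
    "VS::FI_VM_MAINT": {"FK01", "FK02"},
    "VS::FI_BANK": {"FI12", "F110"},
}
USERS = {"BBAILO": ["VS::AP_CLERK", "VS::FI_BANK"], "HASSELT": ["VS::AP_CLERK"]}
MITIGATIONS = {}  # (user, risk) -> {"control": ..., "monitor": ...}

def analyze(roles):
    """Return {risk: {function: {role: matching transactions}}} for every
    risk whose two conflicting functions are BOTH reachable via roles."""
    found = {}
    for risk, pair in RISKS.items():
        hits = {}
        for func in pair:
            per_role = {r: ROLES[r] & FUNCTIONS[func] for r in roles if ROLES[r] & FUNCTIONS[func]}
            if not per_role:      # one side unreachable -> no conflict
                break
            hits[func] = per_role
        else:                     # both functions reachable
            found[risk] = hits
    return found

def user_violations(user, include_mitigated=False):
    risks = analyze(USERS[user])
    if not include_mitigated:     # the report hides mitigated risks
        risks = {k: v for k, v in risks.items() if (user, k) not in MITIGATIONS}
    return risks

def mitigate(user, risk, control_id, monitor):
    """Assign an approved control plus a monitor, as in steps 11-15."""
    if risk not in analyze(USERS[user]):
        raise ValueError(f"{user} does not carry risk {risk}")
    MITIGATIONS[(user, risk)] = {"control": control_id, "monitor": monitor}

def simulate_add_role(user, role):
    """Preventive check: which NEW risks would granting `role` introduce?"""
    before = analyze(USERS[user])
    after = analyze(USERS[user] + [role])
    return sorted(set(after) - set(before))
```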

Stay Clean: Prepare for an Audit

After the initial clean-up, and going forward at regular intervals (quarterly, semi-annually or at least annually), internal audit needs to get ready for an external audit.

12. Log into the Compliance Calibrator demo server: http://sapdiscoverysystem:51000/webdynpro/dispatcher/virsa/ccappcomp/compliancecalibrator
   USER: mbond
   PASSWORD: sarbanes1
13. Select Risk Analysis.
14. Click User Level.
15. Narrow the review down to:
   Field              Value
   System             ERP-Discovery
   User Group         SUPER
   Risks by Process   Finance
   Risk Level         High
16. Click Execute to see what
   NOTE: The execution will take some time.
17. To save this query, click Save Variant.
18. Enter SUPER in SAP -xx, where xx is your initials.

19. Select User Level.
20. Select Search Variant.
21. Select the variant you just created. Notice that the settings you created are now defaulted.
22. Select the Mitigation tab (found at the top of the page).

Overview Mitigation Controls

1. Use the pie chart and review the mitigation controls defined.
2. Use the graph and review the mitigation controls for each of the controls by process.
3. Log off Maria Bond.

Create Controls

Previously we showed how Fox assigned mitigating control XXX with control monitor JMurphy to mitigate a high risk that Brent Bailo had. In order for Fox to select a mitigating control, he previously had to create appropriate controls for his area of responsibility. Let's take a quick look at how Fox created the mitigating control.

1. Log into the Compliance Calibrator demo server: http://sapdiscoverysystem:51000/webdynpro/dispatcher/virsa/ccappcomp/compliancecalibrator
   USER: Fwilson
   PASSWORD: sarbanes1
2. Select the Mitigation tab.
3. Click Mitigation Controls.
4. Click Create.
5. Set Mitigation Control ID: FI_0009
6. Enter the Description: Reports Display Critical Vendor Changes (S_ALR_87010040) and Vendor List (S_ALR_87010036) are reviewed by the Master Data Manager.
7. Set Business Unit: CORP FINANCE
8. Set Management Approval: MBOND
9. Click the plus sign to add a risk.
10. Select the
11. Search for P001.
12. Select P001.

13. Select the Monitors tab.
14. Select the plus sign to add a monitor ID.
15. Set Monitor ID: APPROCESS
16. Click the plus sign to add another monitor ID.
17. Set Monitor ID: JMURPHY
18. Select the Reports tab.

19. Click the plus sign to add a report.
20. Set System: ERP - Discovery
21. Set Action: S_ALR_87010040
22. Set Monitor: JMURPHY
23. Set Frequency to 1.
24. Click the plus sign to add another report.
25. Set System: ERP - Discovery
26. Set Action: S_ALR_87010036
27. Set Monitor: JMURPHY
28. Set Frequency to 1.
29. Click Save.
30. Log off Fox Wilson.

Let's take a quick look at the Mitigation Control that Fox created.

31. Log into the Compliance Calibrator demo server: http://sapdiscoverysystem:51000/webdynpro/dispatcher/virsa/ccappcomp/compliancecalibrator
   USER: Fwilson
   PASSWORD: sarbanes1
32. Select the Mitigation tab.
33. Click Mitigation Controls.
34. Click Search.
35. Set Mitigation Control ID: FI_0009
   Fox can now verify that the mitigation control was created.
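The control Fox creates above, expressed as data together with the check its monitor relies on (the "was the report actually run?" question the auditor asks in the Mitigate the Risk note), as an added example that is not part of the original script or of SAP's software. The control ID, actions and monitors are the demo's; the execution log is constructed, and reading "Frequency 1" as "once per week" is an assumption made for this example.

```python
# Control-effectiveness check for a mitigation control in the shape the
# demo enters for FI_0009. Added illustration, not SAP code: the control
# ID, actions and monitors are the demo's; the execution log is
# constructed, and "frequency" is taken to mean "every N weeks".
from datetime import date, timedelta

CONTROLS = {
    "FI_0009": {
        "business_unit": "CORP FINANCE",
        "approver": "MBOND",
        "risks": ["P001"],
        "monitors": ["APPROCESS", "JMURPHY"],
        "reports": [
            {"system": "ERP-Discovery", "action": "S_ALR_87010040",
             "monitor": "JMURPHY", "frequency_weeks": 1},
            {"system": "ERP-Discovery", "action": "S_ALR_87010036",
             "monitor": "JMURPHY", "frequency_weeks": 1},
        ],
    }
}

# Constructed log of the last execution of each report, keyed by
# (system, action). S_ALR_87010036 is deliberately absent (never run).
LAST_RUN = {("ERP-Discovery", "S_ALR_87010040"): date(2007, 9, 24)}

def overdue_reports(control_id, today):
    """Return [(action, monitor, days_overdue)] for every report attached
    to the control that was not run within its frequency window.
    days_overdue is None when the report has never been run at all."""
    overdue = []
    for rep in CONTROLS[control_id]["reports"]:
        window = timedelta(weeks=rep["frequency_weeks"])
        last = LAST_RUN.get((rep["system"], rep["action"]))
        if last is None:
            overdue.append((rep["action"], rep["monitor"], None))
        elif today - last > window:
            overdue.append((rep["action"], rep["monitor"],
                            (today - last - window).days))
    return overdue

def notifications(control_id, today):
    """Group overdue reports by the monitor who gets the follow-up e-mail."""
    out = {}
    for action, monitor, _ in overdue_reports(control_id, today):
        out.setdefault(monitor, []).append(action)
    return out
```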

Executive-Level View

Executive progress tracking: interaction with management. If not already logged on, log on as Fox Wilson.

36. Log into the Compliance Calibrator demo server: http://sapdiscoverysystem:51000/webdynpro/dispatcher/virsa/ccappcomp/compliancecalibrator
   USER: Fwilson
   PASSWORD: sarbanes1
37. Select the Informer tab.
38. Click Management View.