SAP Security and Controls Best Practices for Sarbanes-Oxley

Scott Goolik, Chief Technology Officer – SymSoft Corporation
Jamison Tomasek, Internal Audit Director – Courier Corporation
Professional Solutions for Compliance Automation, www.ControlPanelGRC.com


DESCRIPTION

With fewer staff covering more job functions, small to medium businesses (SMBs) are faced with frequent segregation of duties conflicts. Even if your company is not subject to Sarbanes-Oxley (SOX) governance, adopting a SOX-conscious culture can greatly reduce the risk of unauthorized access and the potential for fraud. Join us for this free webinar to find out about the state of SOX compliance in 2010 and how SMBs can go about implementing SOX-like controls. Learn the theory, then see it in practice. Learn three key strategies that you can put into action today to strengthen controls at your organization:
- Reduce sensitive authorizations
- Establish security change controls and documentation
- Establish change controls for correction transports



  • Agenda

    About Courier Corporation & SymSoft
    Sarbanes-Oxley 2010 Overview
    Three Ways to Strengthen Your Controls
      1. Reduce sensitive authorizations
      2. Establish security change controls and documentation
      3. Establish change controls for correction transports
    Questions

  • About SymSoft Corporation

    Makers of Governance, Risk and Compliance (GRC) solutions for SAP environments
    Sister company to Milwaukee-based Symmetry Corporation
      15 years of technical implementation solutions for the SAP and Enterprise Security marketplace
      One of the largest dedicated SAP Basis/security consulting organizations in the U.S.
      10 years of software development and marketing experience
      Previous reseller of Virsa (now SAP GRC)
      200 SAP implementations
      90 outsourcing customers
      SAP Certified Hosting Partner

  • Your Presenters

    Scott Goolik, Chief Technology Officer - SymSoft Corporation
      14 years in SAP security and controls, including Big 4 auditing firms
      Lead architect of the ControlPanelGRC solution

    Jamison Tomasek, CPA, Internal Audit Director - Courier Corporation
      Five years with Courier Corporation
      Worked as Sarbanes-Oxley consultant
      Ten years Progress Software
      Deloitte & Touche LLP

  • About Courier Corporation

    Founded 1824
    Headquarters: North Chelmsford, MA
    Employees: 1,600
    $250 million in sales
    6 printing plants & 3 publishing companies, all running SAP
    Over 10,000 titles in print, over 700 titles per year
    $12M Man Roland Press
    Creative Homeowner, REA, Dover

  • About Courier Corporation

    SAP installation
      4 subsidiaries using SAP
      95 SAP users
      Using FI/CO, SD, MM, and WM
    Publishing IT staff of 4 supporting SAP and most other publishing applications
    Basis support is outsourced to Symmetry Corporation

  • Sarbanes-Oxley 2010 Overview

    SEC requirements around reporting of internal control effectiveness, design, and documentation
    Management accountability for internal controls
    Companies traded on U.S. stock exchanges
      There are others, like those with public debt
      Some other countries have similar requirements (JSOX)
    Requires CEO, CFO to confirm the design and effectiveness of internal controls and for the auditor to issue an opinion

  • Sarbanes-Oxley 2010 Overview

    SAP has a significant number of built-in controls
      Many are more applicable to larger shops
      Some require a great deal of expertise
    Audit firms have significant knowledge of SAP
      This means SAP gets a great deal of scrutiny
      Companies can leverage that knowledge
    Smaller companies often struggle
      Segregation of Duties
      Need for compensating manual controls
      Lack of expertise

  • Sarbanes-Oxley 2010 Overview

    Excerpt applicable to today's discussion: IT

  • Sarbanes-Oxley 2010 Overview

    Excerpt applicable to today's discussion: Business Process

  • Sarbanes-Oxley 2010 Overview: Recent changes in Sarbanes-Oxley

    Companies now able to use a risk-based auditing approach
      Quest to move to automated controls
      Overall reduction in the number of controls
    External audit also able to use a risk-based approach
      Greater reliance on the client's (internal audit's) work
      Better guidance on auditing client controls

  • Sarbanes-Oxley 2010 Overview: Controls Review

    Manual: anything that involves a human
      Can still involve an automated process
    Automated: controls that occur without humans
      Best type of control
    Compensating: controls that are relied upon when key controls are not working
      In early stages of compliance; prevalent in SMEs
    Preventative and detective
      Preventative controls prevent errors: authorizations, configuration
      Detective controls allow for corrective action: alerts, periodic reporting, system monitoring

  • Sarbanes-Oxley 2010 Overview: Why Should You Care About SOX Compliance?

    Documentation
      Documented business processes work better
      Provides training materials
      Increases efficiency by identifying processes required for control objectives
      Improved understanding of business processes
    Better IT integration with the business is good
      SOX can be used as a tool by IT
    Segregation of Duties is really fraud prevention
    Prepares you for other compliance regulation
      PCI, Data Privacy, Customer Requirements

  • Three Ways to Strengthen your Controls

    1. Reduce sensitive authorizations
    2. Establish security change controls and documentation
    3. Establish change controls for correction transports

  • 1. Reduce Sensitive Authorizations

    Primary control intended to prevent or decrease the risk of errors or irregularities
    Authorization to sensitive transactions or authorizations that are not required for normal job function
    Authorization to sensitive system functions that could impact data confidentiality, availability, and integrity
    Generally permit data modification

  • 1. Reduce Sensitive Authorizations

    Remove SAP_ALL from all dialog or service users
      Watch out for generic logons!
    Implement emergency procedures for emergency access
      The old envelope containing a password stored in a safe
      SAP GRC Access Controls: SuperUser Privilege Management
      ControlPanelGRC Emergency Access Manager
    Ensure logons used for background processing are of the System type
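As an added example (not from the deck or the ControlPanelGRC product), the two checks on this slide run against a constructed user export. The USR02-USTYP type codes and the UST04/TBTCO field names are real; every user, profile list and job owner below is made up.

```python
"""Audit a user export for the two checks on this slide: SAP_ALL held by
dialog or service users, and background-job logons that are not System users."""
from dataclasses import dataclass, field

# USR02-USTYP user type codes: A dialog, B system, C communication, L reference, S service
DIALOG, SYSTEM, COMMUNICATION, REFERENCE, SERVICE = "A", "B", "C", "L", "S"
INTERACTIVE_TYPES = {DIALOG, SERVICE}   # a person can log on interactively with these


@dataclass
class SapUser:
    name: str
    ustyp: str                                   # USR02-USTYP
    profiles: set = field(default_factory=set)   # profile assignments (UST04)


@dataclass(frozen=True)
class Finding:
    user: str
    check: str
    detail: str


def audit_users(users, job_owners):
    """Return a list of Finding objects; an empty list means both checks pass."""
    findings = []
    by_name = {u.name: u for u in users}
    # Check 1: SAP_ALL on a logon a person can use interactively
    for u in users:
        if "SAP_ALL" in u.profiles and u.ustyp in INTERACTIVE_TYPES:
            findings.append(Finding(u.name, "SAP_ALL_INTERACTIVE",
                                    f"user type {u.ustyp} holds SAP_ALL"))
    # Check 2: every background-job owner must be a System (type B) user
    for owner in sorted(set(job_owners)):
        u = by_name.get(owner)
        if u is None:
            findings.append(Finding(owner, "JOB_OWNER_UNKNOWN",
                                    "job owner not present in user export"))
        elif u.ustyp != SYSTEM:
            findings.append(Finding(owner, "JOB_OWNER_NOT_SYSTEM",
                                    f"jobs run under user type {u.ustyp}"))
    return findings


# Constructed sample export (not real users)
SAMPLE_USERS = [
    SapUser("JSMITH",   DIALOG,        {"SAP_ALL", "SAP_NEW"}),  # finding
    SapUser("BATCHADM", SYSTEM,        {"SAP_ALL"}),             # outside this slide's check
    SapUser("WF-BATCH", SYSTEM,        {"Z_WF_BATCH"}),
    SapUser("HELPDESK", SERVICE,       {"SAP_ALL"}),             # finding: generic logon
    SapUser("RFCUSER",  COMMUNICATION, {"Z_RFC"}),
    SapUser("DEVEL01",  DIALOG,        {"Z_DEVELOPER"}),
]
# Constructed job-owner column (TBTCO-AUTHCKNAM in a real export)
SAMPLE_JOB_OWNERS = ["WF-BATCH", "DEVEL01", "DEVEL01", "BATCHADM"]

if __name__ == "__main__":
    for f in audit_users(SAMPLE_USERS, SAMPLE_JOB_OWNERS):
        print(f"{f.check:22} {f.user:10} {f.detail}")
```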

  • 1. Reduce Sensitive Authorizations

    Once you've tackled Sensitive Authorizations, move on to Segregation of Duties!
    Confused?! Sensitive authorizations, excessive access, and segregation of duties are very complex, but many companies are happy to help via products and services!
      ControlPanelGRC Risk Analyzer
      ControlPanelGRC Emergency Access Manager

  • 1. Reduce Sensitive Authorizations

    Courier Control Problem
    Courier SAP development team needed access to numerous production transactions
      IT needed to support business users due to shortage of super users
      Some mass updates could only be performed by IT
      Time pressure situations around order fixes
    Business users needed to have access to fill a broad range of responsibilities
      Supervisor coverage
      Back up support

  • 1. Reduce Sensitive Authorizations

    Our solution: implement a third-party emergency-access application to grant and track sensitive access on a temporary basis
      ControlPanelGRC Emergency Access Manager

  • 1. Reduce Sensitive Authorizations

    We created special transactions to grant access to sensitive roles
    We gave IT users access to the Firecall roles
      This allows IT to run the special transactions for access

  • 1. Reduce Sensitive Authorizations

    When an IT user (with the correct role) invokes a special-access transaction, they are prompted to document their purpose
    An alert e-mail is sent to IT management & the audit group
    The IT user's transactions are logged until they sign off
    A completion e-mail is sent to the same groups

  • 1. Reduce Sensitive Authorizations

    We maintain a complete history of sensitive authorizations, with documentation
    There are multiple reports and dashboards for analysis of usage
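The three previous slides describe the emergency-access flow (documented purpose, logged transactions, sign-off). As an added example that is not the product's own code or log format, the reconciliation below reads constructed session log lines in an assumed format and flags the gaps an auditor would look for: sessions with no purpose, activity outside a session, and sessions never signed off.

```python
"""Reconcile constructed firecall session log lines against the documented flow:
documented purpose at START, logged TX lines, and an END (sign-off) per session."""
import re
from collections import defaultdict

# Assumed log format (constructed for this example, not the product's own):
#   <date> <time> <START|TX|END> user=<id> [purpose="..."] [tcode=<transaction>]
LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<event>START|TX|END) user=(?P<user>\S+)'
                     r'(?: purpose="(?P<purpose>[^"]*)")?(?: tcode=(?P<tcode>\S+))?$')

SAMPLE_LOG = """\
2010-03-02 09:15:02 START user=DEVEL01 purpose="Fix blocked sales order 4711"
2010-03-02 09:16:40 TX user=DEVEL01 tcode=VA02
2010-03-02 09:31:05 TX user=DEVEL01 tcode=SE16
2010-03-02 09:40:00 END user=DEVEL01
2010-03-02 10:02:11 TX user=DEVEL01 tcode=SE38
2010-03-02 13:00:00 START user=DEVEL02 purpose=""
2010-03-02 13:05:30 TX user=DEVEL02 tcode=SM30
""".splitlines()


def parse(lines):
    """Turn log lines into dicts; an unparseable line is an error, not silently skipped."""
    events = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: unparseable: {line!r}")
        events.append(m.groupdict())
    return events


def reconcile(lines):
    """Return ({user: [session dicts]}, [(user, issue, detail), ...])."""
    sessions = defaultdict(list)
    findings = []
    for ev in parse(lines):
        user, kind = ev["user"], ev["event"]
        last = sessions[user][-1] if sessions[user] else None
        current = last if last and not last["closed"] else None   # open session, if any
        if kind == "START":
            if current:
                findings.append((user, "NESTED_START", f"new session at {ev['ts']} before sign-off"))
            if not ev["purpose"]:
                findings.append((user, "NO_PURPOSE", f"session at {ev['ts']} has empty purpose"))
            sessions[user].append({"start": ev["ts"], "purpose": ev["purpose"],
                                   "tcodes": [], "closed": False})
        elif kind == "TX":
            if current is None:
                findings.append((user, "TX_OUTSIDE_SESSION", f"{ev['tcode']} at {ev['ts']}"))
            else:
                current["tcodes"].append(ev["tcode"])
        elif kind == "END":
            if current is None:
                findings.append((user, "END_WITHOUT_START", ev["ts"]))
            else:
                current["closed"] = True
    for user, sess in sessions.items():
        for s in sess:
            if not s["closed"]:
                findings.append((user, "NO_SIGNOFF", f"session from {s['start']} still open"))
    return dict(sessions), findings


if __name__ == "__main__":
    for user, issue, detail in reconcile(SAMPLE_LOG)[1]:
        print(f"{user:8} {issue:20} {detail}")
```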

  • Three Ways to Strengthen your Controls

    1. Reduce sensitive authorizations
    2. Establish security change controls and documentation
    3. Establish change controls for correction transports

  • 2. Security Change Controls & Documentation

    Ensure that security changes are restricted to the security team in all clients and systems!
      Reduces the risk of unauthorized changes
      Role maintenance restricted to security team in development system
      Security team provided display-only access to Roles in production
    Tip: Authorization issues when attempting to assign Roles in production with these restrictions? Add this entry to PRGN_CUST to change the authority-check for Role assignments!
    User maintenance tasks are restricted to the security team
      Implement segregation of duty/excessive access checks, if possible

  • 2. Security Change Controls & Documentation

    Record Role definitions
      Text description of the Role
      Store definitions in Microsoft Excel, Profile Generator (Description tab)
    All Roles that will be assigned in production need an owner to approve and validate changes
    Document security change processes
      Process for receiving and validating requests from Role owners
      Request was approved: was it approved by the correct person?
      Transporting changes from development to quality assurance
      Approval from Role owner to send (tested) change to production

  • 2. Security Change Controls & Documentation

    Definition of Role testing processes
      Positive and negative testing of critical transactions in each Role
      Document testing (if necessary) for audit purposes
    Make testing as easy as possible for the Role owner
      Assign permanent test logons to each Role to ensure testing can occur anytime
      Include Common or Display Roles provided to all users (if relevant)
      Make the password easy to remember, unless the test environment contains sensitive data
    Note: Passwords don't expire and can't be changed on service users

  • 2. Security Change Controls & Documentation

    Periodic review of Role assignments and transactions by Role owners
      Verification of current Role users, transactions, definitions
      Verification of Role changes over the previous period
    Sample Role definition reports generated by ControlPanelGRC Access Certification Manager

  • 2. Security Change Controls & Documentation

    Periodic review of Role assignments and transactions by Role owners
    Sample Role Matrix (Transactions, Organizational Levels, Users)

  • 2. Security Change Controls & Documentation

    Seem like a big process to manage?
      ControlPanelGRC User and Role Manager
      ControlPanelGRC User and Role Change Analyzer
      ControlPanelGRC Security Quality Assurance
      ControlPanelGRC Access Certification Manager

  • 2. Security Change Controls & Documentation

    Courier's approach so far:
    Clearly defined Role create/change approval process
      Audit trail by email chain
    Planned: defined process flow through third-party application (ControlPanelGRC User & Role Manager)
      Automated workflow for user role assignment
      Pre-defined business approvers who can review transactions and related users
      Documented approvals
      Automated role assignment within 15 minutes of final approval

  • 2. Security Change Controls & Documentation

    Sample for role change testing (4 company versions), new transactions
    [Screenshot; captions: "Random testing only" and "Test all T-codes, highlight issues"]

  • Three Ways to Strengthen your Controls

    1. Reduce sensitive authorizations
    2. Establish security change controls and documentation
    3. Establish change controls for correction transports

  • Correction Transport Change Controls

    Courier Control Problem A
    Courier internal audit needed to have excellent recordkeeping around all transports for control testing purposes
      Started with e-mail scavenger hunts
      Moved to a better intranet-based (but still e-mail) solution
      Still issues around this solution
      Needed a more automated approach

  • Correction Transport Change Controls

    Courier Control Problem B
    Courier in-house Basis administrators needed access to development and production to do transports
      Problem seemed insolvable
      Required compensating controls
      Outsourced Basis administration did not solve the problem
      Was an ongoing annual (and ultimately last) deficiency in Sarbanes-Oxley testing
        Management concern
        Audit Committee concern

  • 3. Correction Transport Change Controls

    Change management is always a big challenge in SAP environments
      Untested changes are a risk to the business
      Sequence of transports causes issues during migration
      Auditors are asking for more and more documentation
      Basis team is unnecessarily involved for the clerical task of importing changes and validating approvals
    Change review board concept can be used to ensure all business owners are aware of pending changes
    Workflow (SAP-based or non-SAP) can help route requests around for approval

  • 3. Correction Transport Change Controls

    Seem like a big process to manage?
      ControlPanelGRC Transport Manager

  • 3. Correction Transport Change Controls

    Courier's challenges around change control management:
    Ensuring and documenting approvals for management & audit
      Email responses strung together and saved as PDFs
    Engage business users for testing and approvals
      Begging, cajoling, nagging, reminding, candy
    Basis staff availability to execute transports
    Visibility of error reports
    Documentation of work done, issues, related work
      Great notes, but can't be found 2 weeks later
    Sequencing of multiple transports
    Tracking transports done by consultants

  • 3. Correction Transport Change Controls

    Our main workflow for transports within ControlPanelGRC Transport Manager

  • Sample Workflow for Managing Change Transports

    [Swimlane diagram. Systems: DEV gold, DEV test, QAS 100, Production. Legend: arrows represent transport(s); envelopes represent email notification from Control Panel. Lanes: IT developer, Business Users, IT Sr. Mgmt, IT Project Mgr, ControlPanelGRC app.]

    Phases:
      10 Initial Request
      20 Document & Approve
      25 QAS Migration
      27 IT Validation
      30 User Val. & Approve
      37 Final IT Prep
      40 PM Approval
      50 Prod Approval
      55 Prod Migration
      57 Prod Validation
      90 Task Complete

    Step labels in the diagram: Release Transport; Doc desc, problem, testing & forward; Doc tests, choose testers & forward; SCC1; Finish implement. tasks; Review & forward or reject; User(s) test chgs; Validate chgs & save; Document release reqs & forward; Test chgs, prep test data; Lead user doc testing & forward or reject.
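The workflow above can be expressed as a state machine that refuses to skip a phase, to let the wrong lane perform a step, or to let a requester approve their own transport. This is an added example, not the Transport Manager's code: the phase numbers and names are the slide's, but which lane performs each phase is assumed from the diagram, and the transport and user ids are made up.

```python
"""Phase-sequence, lane and approver-separation checks for the transport workflow."""
from dataclasses import dataclass, field

# (phase, name, lane allowed to perform it); the lane column is an assumption
PHASES = [
    (10, "Initial Request",     "developer"),
    (20, "Document & Approve",  "developer"),
    (25, "QAS Migration",       "app"),          # scheduled batch job, no Basis person
    (27, "IT Validation",       "developer"),
    (30, "User Val. & Approve", "business"),
    (37, "Final IT Prep",       "developer"),
    (40, "PM Approval",         "project_mgr"),
    (50, "Prod Approval",       "sr_mgmt"),
    (55, "Prod Migration",      "app"),
    (57, "Prod Validation",     "developer"),
    (90, "Task Complete",       "developer"),
]
ORDER = [p[0] for p in PHASES]
LANE = {p[0]: p[2] for p in PHASES}
APPROVALS = {30, 40, 50}   # someone other than the requester must sign off here


class WorkflowError(Exception):
    pass


@dataclass
class TransportRequest:
    transport: str
    requester: str
    phase: int = 10
    history: list = field(default_factory=list)   # (phase, actor, lane, comment) trail

    def advance(self, actor, lane, comment=""):
        """Move to the next phase; raise WorkflowError rather than skip a control."""
        idx = ORDER.index(self.phase)
        if idx + 1 == len(ORDER):
            raise WorkflowError(f"{self.transport} is already at phase 90")
        nxt = ORDER[idx + 1]
        if lane != LANE[nxt]:
            raise WorkflowError(f"phase {nxt} needs lane {LANE[nxt]}, not {lane}")
        if nxt in APPROVALS and actor == self.requester:
            raise WorkflowError(f"{actor} cannot approve own transport (phase {nxt})")
        if nxt in APPROVALS and not comment:
            raise WorkflowError(f"phase {nxt} requires a documented approval")
        self.history.append((nxt, actor, lane, comment))
        self.phase = nxt
        return nxt


def run_happy_path(transport="DEVK900123", requester="DEVEL01"):
    """Drive a constructed request from phase 10 to 90 and return it with its trail."""
    req = TransportRequest(transport, requester)
    steps = [(requester, "developer", ""), ("CPGRC", "app", ""), (requester, "developer", ""),
             ("BUSER1", "business", "tested in QAS 100, OK"), (requester, "developer", ""),
             ("PMGR1", "project_mgr", "approved"), ("CIO", "sr_mgmt", "approved"),
             ("CPGRC", "app", ""), (requester, "developer", ""), (requester, "developer", "")]
    for actor, lane, comment in steps:
        req.advance(actor, lane, comment)
    return req


def self_approval_blocked(requester="DEVEL01"):
    """True when the requester is refused at the business-approval phase."""
    req = TransportRequest("DEVK900124", requester)
    for actor, lane in [(requester, "developer"), ("CPGRC", "app"), (requester, "developer")]:
        req.advance(actor, lane)
    try:
        req.advance(requester, "business", "looks fine")
    except WorkflowError:
        return True
    return False
```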

  • 3. Correction Transport Change Controls

    Transports done within workflows:
      Transports from DEV to QA to PRO done by scheduled batch jobs
      BASIS staff no longer involved in standard transports
      Predictable & controllable transport times
      BASIS staff freed up for other tasks
    Transport errors highlighted with error codes, too

  • 3. Correction Transport Change Controls

    Every change request has full documentation

  • 3. Correction Transport Change Controls

    Documentation, continued
    All changes, all approvals, all issues: all in one place

  • 3. Correction Transport Change Controls

    Unexpected benefits!
      The IT staff have more time because their work is more organized
      The business users have been very willing to join the workflow, because it's easier than writing up email approvals
      The Basis team has more time as they no longer have to move transports, create or maintain users & their roles
      And of course, the auditors are happy.

  • Key Learnings

    Smaller companies subject to SEC requirements and other regulated enterprises face special challenges in addressing audit and compliance concerns; however, these challenges can be met and conquered.
    Creativity and newly available solutions can reduce the cost and complexity of compliance.
    Preparing for audits can be made more efficient and less intrusive, all while yielding more complete results.

  • Thank You!

    For ControlPanelGRC case studies, articles, and archived webinars please visit www.controlpanelgrc.com
