Description
With fewer staff covering more job functions, small to medium businesses (SMBs) are faced with frequent segregation of duties conflicts. Even if your company is not subject to Sarbanes-Oxley (SOX) governance, adopting a SOX-conscious culture can greatly reduce the risk of unauthorized access and the potential for fraud. Join us for this free webinar to find out about the state of SOX compliance in 2010 and how SMBs can go about implementing SOX-like controls. Learn the theory, then see it in practice. Learn three key strategies that you can put into action today to strengthen controls at your organization:
- Reduce sensitive authorizations
- Establish security change controls and documentation
- Establish change controls for correction transports
Professional Solutions for Compliance Automation
www.ControlPanelGRC.com
SAP Security and Controls Best Practices for Sarbanes-Oxley
Scott Goolik, Chief Technology Officer, SymSoft Corporation
Jamison Tomasek, Internal Audit Director, Courier Corporation
Agenda
- About Courier Corporation & SymSoft
- Sarbanes-Oxley 2010 Overview
- Three Ways to Strengthen Your Controls
  1. Reduce sensitive authorizations
  2. Establish security change controls and documentation
  3. Establish change controls for correction transports
- Questions
About SymSoft Corporation
- Makers of Governance, Risk and Compliance (GRC) solutions for SAP environments
- Sister company to Milwaukee-based Symmetry Corporation
  - 15 years of technical implementation solutions for the SAP and Enterprise Security marketplace
  - One of the largest dedicated SAP Basis/security consulting organizations in the U.S.
  - 10 years of software development and marketing experience
  - Previous reseller of Virsa (now SAP GRC)
  - 200 SAP implementations
  - 90 outsourcing customers
  - SAP Certified Hosting Partner
Your Presenters
Scott Goolik, Chief Technology Officer, SymSoft Corporation
- 14 years in SAP security and controls, including Big 4 auditing firms
- Lead architect of the ControlPanelGRC solution
Jamison Tomasek, CPA, Internal Audit Director, Courier Corporation
- Five years with Courier Corporation
- Worked as a Sarbanes-Oxley consultant
- Ten years: Progress Software, Deloitte & Touche LLP
About Courier Corporation
- Founded 1824
- Headquarters: North Chelmsford, MA
- Employees: 1,600
- $250 million in sales
- 6 printing plants & 3 publishing companies, all running SAP
- Over 10,000 titles in print, over 700 titles per year
[Slide images: $12M Man Roland press; publishing imprints Creative Homeowner, REA, Dover]
About Courier Corporation
- SAP installation: 4 subsidiaries using SAP, 95 SAP users
- Using FI/CO, SD, MM, and WM
- Publishing IT staff of 4 supporting SAP and most other publishing applications
- Basis support is outsourced to Symmetry Corporation
Sarbanes-Oxley 2010 Overview
- SEC requirements around reporting of internal control effectiveness, design, and documentation
- Management accountability for internal controls
- Applies to companies traded on U.S. stock exchanges
  - There are others, like those with public debt
  - Some other countries have similar requirements (JSOX)
- Requires the CEO and CFO to confirm the design and effectiveness of internal controls, and the auditor to issue an opinion
Sarbanes-Oxley 2010 Overview
- SAP has a significant number of built-in controls
  - Many are more applicable to larger shops
  - Some require a great deal of expertise
- Audit firms have significant knowledge of SAP
  - This means SAP gets a great deal of scrutiny
  - Companies can leverage that knowledge
- Smaller companies often struggle
  - Segregation of Duties
  - Need for compensating manual controls
  - Lack of expertise
Sarbanes-Oxley 2010 Overview
Excerpt applicable to today's discussion: IT

Sarbanes-Oxley 2010 Overview
Excerpt applicable to today's discussion: Business Process
Sarbanes-Oxley 2010 Overview
Recent changes in Sarbanes-Oxley
- Companies now able to use a risk-based auditing approach
  - Quest to move to automated controls
  - Overall reduction in the number of controls
- External audit also able to use a risk-based approach
  - Greater reliance on the client's (internal audit's) work
  - Better guidance on auditing client controls
Sarbanes-Oxley 2010 Overview: Controls Review
- Manual: anything that involves a human; can still involve an automated process
- Automated: controls that occur without humans; the best type of control
- Compensating: controls that are relied upon when key controls are not working; prevalent in SMEs in the early stages of compliance
- Preventative and detective
  - Preventative controls prevent errors: authorizations, configuration
  - Detective controls allow for corrective action: alerts, periodic reporting, system monitoring
Sarbanes-Oxley 2010 Overview
Why Should You Care About SOX Compliance?
- Documentation
  - Documented business processes work better
  - Provides training materials
  - Increases efficiency by identifying the processes required for control objectives
  - Improved understanding of business processes
- Better IT integration with the business is good
  - SOX can be used as a tool by IT
- Segregation of Duties is really fraud prevention
- Prepares you for other compliance regulation: PCI, data privacy, customer requirements
Three Ways to Strengthen Your Controls
1. Reduce sensitive authorizations
2. Establish security change controls and documentation
3. Establish change controls for correction transports
1. Reduce Sensitive Authorizations
- Primary control intended to prevent or decrease the risk of errors or irregularities
- Authorization to sensitive transactions, or authorizations that are not required for the normal job function
- Authorization to sensitive system functions that could impact data confidentiality, availability, and integrity
- Generally permit data modification
1. Reduce Sensitive Authorizations
- Remove SAP_ALL from all Dialog or Service users
  - Watch out for generic logons!
  - Implement emergency procedures for emergency access
    - The old envelope containing a password stored in a safe
    - SAP GRC Access Control: SuperUser Privilege Management
    - ControlPanelGRC Emergency Access Manager
- Ensure logons used for background processing are of the System type
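As an added example (not from the slides and not ControlPanelGRC code), a Python check that runs the three tests on this slide over a constructed user export: SAP_ALL on Dialog or Service users, batch-job step users that are not of the System type, and generic (shared) logons. The row layout borrows the USR02 user-type code and the UST04 profile list, but the export itself, the `batch_step_user` flag and the no-person heuristic for generic logons are assumptions.

```python
# Added example, not ControlPanelGRC code. The export format is an assumption.
from dataclasses import dataclass, field

# USR02-USTYP codes: A=Dialog, B=System, C=Communication, S=Service, L=Reference
DIALOG_LIKE = {"A", "S"}          # user types that can log on interactively
SYSTEM = "B"

@dataclass
class SapUser:
    name: str
    ustyp: str
    profiles: set = field(default_factory=set)   # profiles as in UST04
    person: str = ""               # linked person; blank on shared logons (assumed field)
    batch_step_user: bool = False  # named as step user of a scheduled job (assumed flag)

# Constructed sample export (not real users)
SAMPLE = [
    SapUser("JSMITH",    "A", {"SAP_ALL", "SAP_NEW"}, person="J. Smith"),
    SapUser("SVC_PRINT", "S", {"SAP_ALL"}),
    SapUser("WF-BATCH",  "B", {"Z_BATCH"}, batch_step_user=True),
    SapUser("BATCHADM",  "A", {"Z_BATCH"}, person="B. Admin", batch_step_user=True),
    SapUser("RFC_PI",    "C", {"Z_RFC"}),
    SapUser("WAREHOUSE", "A", {"Z_WM_CLERK"}),    # shared floor logon, no person
    SapUser("FIRE01",    "A", {"Z_FIRECALL"}, person="J. Smith"),
]

def sap_all_on_dialog(users):
    """SAP_ALL must not sit on any Dialog or Service user (preventive control)."""
    return sorted(u.name for u in users
                  if u.ustyp in DIALOG_LIKE and "SAP_ALL" in u.profiles)

def batch_users_not_system(users):
    """Background processing should run under System-type users only."""
    return sorted(u.name for u in users if u.batch_step_user and u.ustyp != SYSTEM)

def generic_logon_candidates(users):
    """Heuristic: an interactive user with no person behind it is a shared logon."""
    return sorted(u.name for u in users if u.ustyp in DIALOG_LIKE and not u.person)

def review(users):
    """Findings keyed by control, ready for the periodic review report."""
    return {
        "SAP_ALL on dialog/service users": sap_all_on_dialog(users),
        "batch step users not of type System": batch_users_not_system(users),
        "generic logon candidates": generic_logon_candidates(users),
    }

if __name__ == "__main__":
    for control, names in review(SAMPLE).items():
        print(f"{control}: {', '.join(names) or 'none'}")
```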
1. Reduce Sensitive Authorizations
- Once you've tackled sensitive authorizations, move on to Segregation of Duties!
- Confused?! Sensitive authorizations, excessive access, and segregation of duties are very complex, but many companies are happy to help via products and services!
  - ControlPanelGRC Risk Analyzer
  - ControlPanelGRC Emergency Access Manager
1. Reduce Sensitive Authorizations
Courier Control Problem
- Courier SAP development team needed access to numerous production transactions
  - IT needed to support business users due to a shortage of super users
  - Some mass updates could only be performed by IT
  - Time-pressure situations around order fixes
- Business users needed to have access to fill a broad range of responsibilities
  - Supervisor coverage
  - Back-up support
1. Reduce Sensitive Authorizations
- Our solution: implement a third-party emergency-access application to grant and track sensitive access on a temporary basis (ControlPanelGRC Emergency Access Manager)
1. Reduce Sensitive Authorizations
- We created special transactions to grant access to sensitive roles
- We gave IT users access to the Firecall roles
  - This allows IT to run the special transactions for access
1. Reduce Sensitive Authorizations
- When an IT user (with the correct role) invokes a special-access transaction, they are prompted to document their purpose
- An alert email is sent to IT management & the audit group
- The IT user's transactions are logged until they sign off
- A completion email is sent to the same groups
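A model of the emergency-access control described on this slide, as an added example (not ControlPanelGRC code and not Courier's transactions): a session opens only with a documented purpose, IT management and audit are alerted, every transaction is logged until sign-off, and a completion notice closes the record. The recipient addresses, the user, role, order and ticket in the demo session are constructed placeholders, and `notify` is a callback so the example runs offline.

```python
# Added example, not ControlPanelGRC code. Recipients and the demo data are placeholders.
from datetime import datetime, timezone

ALERT_RECIPIENTS = ("it-mgmt@example.invalid", "audit@example.invalid")  # placeholders

class FirecallSession:
    def __init__(self, user, firecall_role, purpose, notify):
        if not purpose.strip():
            raise ValueError("purpose must be documented before access is granted")
        self.user, self.role, self.purpose = user, firecall_role, purpose.strip()
        self.notify = notify
        self.opened = datetime.now(timezone.utc)
        self.closed = None
        self.activity = []   # (timestamp, transaction code, detail)
        notify(ALERT_RECIPIENTS,
               f"Emergency access OPENED: {user} via {firecall_role}: {self.purpose}")

    def record(self, tcode, detail=""):
        """Log a transaction run under the firecall role; refused after sign-off."""
        if self.closed is not None:
            raise RuntimeError("session is signed off; activity can no longer be logged")
        self.activity.append((datetime.now(timezone.utc), tcode, detail))

    def sign_off(self):
        """Close the session, send the completion email, return the audit record."""
        if self.closed is None:
            self.closed = datetime.now(timezone.utc)
            self.notify(ALERT_RECIPIENTS,
                        f"Emergency access CLOSED: {self.user} via {self.role}, "
                        f"{len(self.activity)} transactions logged")
        return self.audit_record()

    def audit_record(self):
        return {
            "user": self.user, "role": self.role, "purpose": self.purpose,
            "opened": self.opened.isoformat(),
            "closed": self.closed.isoformat() if self.closed else None,
            "transactions": [(t, d) for _, t, d in self.activity],
        }

def demo(sent):
    """Walk one constructed session; `sent` collects the emails for inspection."""
    s = FirecallSession("JSMITH", "Z_FIRECALL_SD", "Fix stuck order 4711 (ticket T-0099)",
                        lambda to, msg: sent.append((to, msg)))
    s.record("VA02", "released delivery block")
    s.record("VL02N", "corrected delivery date")
    return s.sign_off()
```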
1. Reduce Sensitive Authorizations
- We maintain a complete history of sensitive authorizations, with documentation
- There are multiple reports and dashboards for analysis of usage
Three Ways to Strengthen Your Controls
1. Reduce sensitive authorizations
2. Establish security change controls and documentation
3. Establish change controls for correction transports
2. Security Change Controls & Documentation
- Ensure that security changes are restricted to the security team in all clients and systems!
  - Reduces the risk of unauthorized changes
  - Role maintenance restricted to the security team in the development system
  - Security team provided display-only access to Roles in production
  - Tip: Authorization issues when attempting to assign Roles in production with these restrictions? Add this entry to PRGN_CUST to change the authority-check for Role assignments!
- User maintenance tasks are restricted to the security team
- Implement segregation of duty/excessive access checks, if possible
2. Security Change Controls & Documentation
- Record Role definitions
  - Text description of the Role
  - Store definitions in Microsoft Excel or Profile Generator (Description tab)
- All Roles that will be assigned in production need an owner to approve and validate changes
- Document security change processes
  - Process for receiving and validating requests from Role owners
  - Request was approved: was it approved by the correct person?
  - Transporting changes from development to quality assurance
  - Approval from Role owner to send (tested) change to production
2. Security Change Controls & Documentation
- Definition of Role testing processes
  - Positive and negative testing of critical transactions in each Role
  - Document testing (if necessary) for audit purposes
- Make testing as easy as possible for the Role owner
  - Assign permanent test logons to each Role to ensure testing can occur anytime
  - Include Common or Display Roles provided to all users (if relevant)
  - Make the password easy to remember, unless the test environment contains sensitive data
  - Note: passwords don't expire and can't be changed on Service users
2. Security Change Controls & Documentation
- Periodic review of Role assignments and transactions by Role owners
  - Verification of current Role users, transactions, definitions
  - Verification of Role changes over the previous period
- Sample Role definition reports generated by ControlPanelGRC Access Certification Manager
2. Security Change Controls & Documentation
- Periodic review of Role assignments and transactions by Role owners
- Sample Role Matrix (Transactions, Organizational Levels, Users)
2. Security Change Controls & Documentation
Seem like a big process to manage?
- ControlPanelGRC User and Role Manager
- ControlPanelGRC User and Role Change Analyzer
- ControlPanelGRC Security Quality Assurance
- ControlPanelGRC Access Certification Manager
2. Security Change Controls & Documentation
Courier's approach so far:
- Clearly defined Role create/change approval process
  - Audit trail by email chain
- Planned: defined process flow through a third-party application (ControlPanelGRC User & Role Manager)
  - Automated workflow for user role assignment
  - Pre-defined business approvers who can review transactions and related users
  - Documented approvals
  - Automated role assignment within 15 minutes of final approval
2. Security Change Controls & Documentation
Sample for role change testing (4 company versions), new transactions
[Slide image callouts: "Random testing only"; "Test all T-codes, highlight issues"]
Three Ways to Strengthen Your Controls
1. Reduce sensitive authorizations
2. Establish security change controls and documentation
3. Establish change controls for correction transports
Correction Transport Change Controls
Courier Control Problem A
- Courier internal audit needed to have excellent recordkeeping around all transports for control testing purposes
  - Started with e-mail scavenger hunts
  - Moved to a better intranet-based (but still e-mail) solution
  - Still issues around this solution
  - Needed a more automated approach
Correction Transport Change Controls
Control Problem B
- Courier in-house Basis administrators needed access to development and production to do transports
  - Problem seemed insolvable
  - Required compensating controls
  - Outsourced Basis administration did not solve the problem
  - Was an ongoing annual (and ultimately last) deficiency in Sarbanes-Oxley testing
    - Management concern
    - Audit Committee concern
3. Correction Transport Change Controls
- Change management is always a big challenge in SAP environments
  - Untested changes are a risk to the business
  - Sequence of transports causes issues during migration
  - Auditors are asking for more and more documentation
  - Basis team is unnecessarily involved in the clerical task of importing changes and validating approvals
- A change review board concept can be used to ensure all business owners are aware of pending changes
- Workflow (SAP-based or non-SAP) can help route requests around for approval
3. Correction Transport Change Controls
Seem like a big process to manage?
- ControlPanelGRC Transport Manager
3. Correction Transport Change Controls
Courier's challenges around change control management:
- Ensuring and documenting approvals for management & audit
  - Email responses strung together and saved as PDFs
- Engaging business users for testing and approvals
  - Begging, cajoling, nagging, reminding, candy
- Basis staff availability to execute transports
- Visibility of error reports
- Documentation of work done, issues, related work
  - Great notes, but can't be found 2 weeks later
- Sequencing of multiple transports
- Tracking transports done by consultants
3. Correction Transport Change Controls
Our main workflow for transports within ControlPanelGRC Transport Manager
Sample Workflow for Managing Change Transports
[Workflow diagram. Systems: DEV gold, DEV test, QAS 100, Production. Swim lanes: IT developer, Business Users, IT Sr. Mgmt, IT Project Mgr, ControlPanelGRC app. Legend: transport(s); email notification from Control Panel.]
Phases: 10 Initial Request; 20 Document & Approve; 25 QAS Migration; 27 IT Validation; 30 User Val. & Approve; 37 Final IT Prep; 40 PM Approval; 50 Prod Approval; 55 Prod Migration; 57 Prod Validation; 90 Task Complete
Activities shown in the lanes: Release transport; Doc desc, problem, testing & forward; Doc tests, choose testers & forward; SCC1; Finish implement. tasks; Review & forward or reject; User(s) test chgs; Validate chgs & save; Document release reqs & forward; Test chgs, prep test data; Lead user doc testing & forward or reject
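A gate for the phase codes in the sample workflow above, as an added example (not ControlPanelGRC code): a change request moves through the codes in order, an approval phase needs a documented note from the lane that owns it, a reviewer may "forward or reject", and the scheduled production import is refused unless every approval is on record. The phase codes and names are the slide's; which lane owns each phase, and that a rejected request restarts at 10, are assumptions.

```python
# Added example, not ControlPanelGRC code. Phase codes and names come from the
# slide; the lane that owns each phase and the rework target are assumptions.
PHASES = [  # (code, name, lane that completes it)
    (10, "Initial Request",     "IT Developer"),
    (20, "Document & Approve",  "IT Sr. Mgmt"),
    (25, "QAS Migration",       "ControlPanelGRC app"),
    (27, "IT Validation",       "IT Developer"),
    (30, "User Val. & Approve", "Business Users"),
    (37, "Final IT Prep",       "IT Developer"),
    (40, "PM Approval",         "IT Project Mgr"),
    (50, "Prod Approval",       "IT Sr. Mgmt"),
    (55, "Prod Migration",      "ControlPanelGRC app"),
    (57, "Prod Validation",     "IT Developer"),
    (90, "Task Complete",       "ControlPanelGRC app"),
]
CODES = [c for c, _, _ in PHASES]
LANE = {c: lane for c, _, lane in PHASES}
APPROVALS = {20, 30, 40, 50}     # phases that need a documented decision

class ChangeRequest:
    def __init__(self, transport, description):
        self.transport, self.description = transport, description
        self.phase = CODES[0]
        self.history = []        # (phase completed, lane, note)

    def advance(self, lane, note=""):
        """Complete the current phase; only its owning lane may do so."""
        if self.phase == 90:
            raise RuntimeError(f"{self.transport} is already complete")
        if lane != LANE[self.phase]:
            raise PermissionError(f"phase {self.phase} belongs to {LANE[self.phase]}, not {lane}")
        if self.phase in APPROVALS and not note.strip():
            raise ValueError(f"approval at phase {self.phase} needs a documented note")
        self.history.append((self.phase, lane, note.strip() or "done"))
        self.phase = CODES[CODES.index(self.phase) + 1]
        return self.phase

    def reject(self, lane, reason):
        """'Review & forward or reject': the owning lane of an approval phase may reject."""
        if self.phase not in APPROVALS or lane != LANE[self.phase]:
            raise PermissionError(f"{lane} cannot reject at phase {self.phase}")
        self.history.append((self.phase, lane, "REJECTED: " + reason))
        self.phase = 10          # rework target (assumed): start over
        return self.phase

    def approvals_on_record(self):
        approved = set()         # approvals since the last rejection; a rejection voids earlier ones
        for phase, _, note in self.history:
            if note.startswith("REJECTED"):
                approved.clear()
            elif phase in APPROVALS:
                approved.add(phase)
        return approved

def migrate_to_production(cr):
    """The scheduled batch import: refused unless the request sits at 55 with all approvals."""
    if cr.phase != 55 or cr.approvals_on_record() != APPROVALS:
        raise RuntimeError(f"{cr.transport} is not cleared for production")
    return cr.advance("ControlPanelGRC app", "imported by scheduled batch job")
```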
3. Correction Transport Change Controls
Transports done within workflows:
- Transports from DEV to QA to PRO done by scheduled batch jobs
  - Basis staff no longer involved in standard transports
  - Predictable & controllable transport times
  - Basis staff freed up for other tasks
- Transport errors highlighted with error codes, too
3. Correction Transport Change Controls
Every change request has full documentation
3. Correction Transport Change Controls
Documentation, continued
- All changes, all approvals, all issues, all in one place
3. Correction Transport Change Controls
Unexpected benefits!
- The IT staff have more time because their work is more organized
- The business users have been very willing to join the workflow, because it's easier than writing up email approvals
- The Basis team has more time as they no longer have to move transports, or create or maintain users & their roles
- And of course, the auditors are happy.
Key Learnings
Smaller companies subject to SEC requirements and other regulated enterprises face special challenges in addressing audit and compliance concerns; however, these challenges can be met and conquered.
Creativity and newly available solutions can reduce the cost and complexity of compliance.
Preparing for audits can be made more efficient and less intrusive, all while yielding more complete results.
Thank You!
For ControlPanelGRC case studies, articles, and archived webinars, please visit www.controlpanelgrc.com