Overview of Automated Monitoring Scenarios Using SAP Process Control 10.x
Tracy Levine & Brian Merkel
Session 3897
KEY LEARNING POINTS
The session will provide an overview of the basic concepts around Continuous Monitoring:
• Exception-based monitoring of policies, business rules and built-in application controls
• Inner-workings of Continuous Monitoring
• Remediation and Issue Management
• Reporting, dashboards and analytics
• Workflow - alerts, reviews, approvals and other process automation needs
WHAT WE’LL COVER
• Overview of GRC Process Control 10.x
• What is Continuous Monitoring?
• Application of Continuous Monitoring
• Continuous Monitoring Scenarios
• Wrap-up
THE WORLD AT AN INFLECTION POINT
New risks are continuously introduced by way of:
– Expansion into new locations
– Mergers and acquisitions
– New processes
– New technologies
Process bloat, among other things, requires regular process-optimization reviews
PROCESS OPTIMIZATION
Business value drivers: change and new risk, process optimization, balancing cost and flexibility.
Continuous Monitoring business value outcomes: increased risk coverage, minimized business effort.
STRIKING A BALANCE
• Increase business flexibility
• Reduce cost
GRC PROCESS CONTROL 10.X
• Document controls and policies centrally; map to key regulations and impacted organizations
• Perform periodic risk assessments to determine scope and test strategies
• Perform automated, exception-based monitoring of ERP systems
• Support decisions and promote accountability with insightful analytics and sign-off
OVERVIEW OF CONTINUOUS MONITORING
Data sources such as SAP ECC instances, APO and the SAP BW platform feed SAP GRC Continuous Monitoring, which applies business rules, metrics (KPIs), trend analysis and exception-based management.
Collect
Automatically gather new and updated data from multiple disparate data sources across the organisation's system landscape.
Standardize
Build a consolidated set of business rules for each business process (including key “controls”) to enable sophisticated analysis and comparison.
Analyze
Apply business rules and data analytics within and across business processes to identify compliance violations and/or processing errors.
Route & Collaborate
Route new information and exceptions to the appropriate business units. Escalate or divert outstanding exceptions.
Act & Refine
Improve compliance and business processes. Validate corrections. Learn from user actions. Improve understanding of expected and unexpected behaviour.
USING CM EFFECTIVELY
Organization
- What organization/group will own PC 10 automated monitoring?
- How are automated/configurable controls owned in the organization?
Process
- How will control failures be documented as issues and remediated?
- How will controls be scheduled for automated testing?
- How will automated business rules be designed to adequately assess the effectiveness of a control?
Personnel
- Who will maintain the automated rules library?
- Who will schedule automated rules for testing?
- Who will review exception reports and delegate the remediation?
- Who will remediate issues?
Documentation & Education
- How will the owners have the technical & accounting knowledge to design automated rules?
- How will issue owners assess the business & technical impact of a control failure?
Stakeholder Communications (Internal & External)
RETURN ON INVESTMENT
• Decreased Cost
• Increased Effectiveness
• Broader Visibility
• Competitive Edge
TEN ESSENTIAL PRACTICES
Ten Essential Practices to Analyze, Improve and Transform SAP Security and GRC Strategies
STAKEHOLDER CHALLENGES
Typical Stakeholder: Typical Challenges
• CFO: Lack of ROI quantification, other investment priorities
• CIO: Lack of clear business mandate – there is no “head of GRC” to face off to
• CISO: Competing security-specific investment
• Internal Audit: Gets the value, typically only influences the sale
• IT Transformation Program: Has the funding, but often under-appreciates the enterprise value of GRC
• Application Security Admin.: Well versed in the access management slice of GRC, but does not see the enterprise story
• Risk and Compliance function: Gets the enterprise value of GRC, but challenged to organize the process and people side
GRC ROADMAP
Illustrative GRC Roadmap Development Plan: Current State Review, Future State Planning, Transformational Roadmap
• Stakeholders, business process owner identification and project planning
• Review the current state: application architecture, data integration, risk registers/control frameworks, current access roles and implementations, application open issues analysis
• Review documents; conduct interviews/workshops to gather and clarify requirements and priorities
• Understand the key areas for process automation
• Incorporate feedback and reprioritize as appropriate
• Define the GRC transformation roadmap (prioritization of capabilities, technologies), governance and support model, and methodology for future implementations with templates (use case, detailed design, test strategy, etc.)
• Review the roadmap with the client for refinement; realign the roadmap and priorities
Deliverables: Project Plan and Identified Stakeholders; Interview Notes and Documents; Transformation Roadmap Document
AUTOMATED CONTROLS: MANAGE BY EXCEPTION
Monitoring is about looking at your business processes, transactions, and master data, and asserting your expectations of how it should be.
• Data Source
• Business Rule
• Business Rule-to-Control Mapping
• Job Scheduled
CONTINUOUS MONITORING SCENARIOS
Continuous Monitoring covers four scenario types: Configuration Monitoring, Master Data Monitoring, Access Monitoring and Transaction Monitoring.
Example Continuous Transaction monitoring controls:
1. Detect unusual number of journal postings made to one-time vendors.
2. Identify all purchase orders made to one-time vendors and calculate their percentage with respect to the total amount of purchase orders created at the company code level.
Example Continuous Access monitoring controls:
1. Detect users with the ability to maintain vendor master data and initiate payment to vendors (segregation of duties violations).
Example Continuous Configuration monitoring controls:
1. Detect changes to tolerance limits for invoice verification.
2. Detect changes to Duplicate Invoice settings.
Example Continuous Master Data monitoring controls:
1. Detect vendor master data with identical bank account details.
2. Detect changes to 3-way match configuration settings at the vendor master data level.
CONFIGURATION MONITORING: CHANGES TO TOLERANCE LIMITS
Risk: Three-way match is not configured appropriately allowing high level of deviations between PO/GR/Invoices.
Continuous monitoring of changes made to tolerance limits settings for invoice verification.
Control Objective: Changes to tolerance limits for invoice verification are investigated and reviewed for appropriateness.
Changes to tolerance limits for invoice verification are continuously monitored and deviations from established policies and procedures will be flagged as exceptions
Business Rule: Detect changes to tolerance limits for invoice verification. Report on vendors which have similar bank details captured in the company code view of master data.
Information in SAP: Duplicate Invoice Settings (i.e. Tolerance Key, % Tolerance Limit, Value Tolerance Limit, Company Code, Changed By/On)
Business Benefits: Automated tracking of changes to tolerance limits for invoice verification resulting in enhanced assurance that the 3 way match control is operating effectively during purchasing activities.
Produces exception reports out of GRC based on ERP information.
CONFIGURATION MONITORING – SAMPLE OUTPUT
Details such as the date and time on which the change was made, and the user who made the change, are populated to assist in investigation.
Severity of deficiency is based on logic in the business rules.
Change type (Insert, Update or Delete) and change details are identified as part of automated reporting of exceptions.
MASTER DATA MONITORING: DUPLICATE BANK DETAILS
Risk: Erroneous and/or fraudulent purchasing transactions made to vendors
Continuous monitoring of duplicate bank account details in vendor master data.
Control Objective: Duplicate vendor bank details are investigated and reviewed for appropriateness.
Instances of multiple vendors with duplicate bank details are continuously monitored and deviations from established policies and procedures will be flagged as exceptions.
Business Rule: Detect instances of multiple vendors with the same bank details. Report on vendors which have similar bank details captured in the company code view of master data.
Information in SAP: Duplicate Vendor Bank Details (i.e. bank acct. #, bank country key, bank control key, vendor number, vendor name and details).
Business Benefits: Automated tracking of duplicate vendor bank details resulting in benefits for the master data teams, shared service centres, etc. & in enhanced quality of master data within the ERP systems.
Produces exception reports out of GRC based on ERP information.
MASTER DATA MONITORING – SAMPLE OUTPUT
Three instances identified where multiple vendors have the same bank details.
Severity of deficiency updated based on logic defined in the business rule.
Duplicate bank info (bank account number, country key and bank key).
Displays number of vendors detected with identical bank info.
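As an added illustration (not code from the slides or from SAP Process Control), the duplicate bank detail rule above implemented in Python over constructed vendor master records: vendors are grouped on (bank country key, bank key, account number), and each group shared by two or more vendors becomes an exception carrying the vendor count and a severity. The field names, the account-number normalization and the severity thresholds are assumptions.

```python
from collections import defaultdict

# Constructed vendor master records (not real SAP data). The field names are
# assumptions modelled on the bank details the slide lists: bank account number,
# bank country key, bank key, vendor number and vendor name.
VENDOR_BANK_RECORDS = [
    {"vendor": "0000100001", "name": "Acme Supplies",    "bank_ctry": "US", "bank_key": "021000021", "bank_acct": "123456789"},
    {"vendor": "0000100002", "name": "ACME Supply Co",   "bank_ctry": "US", "bank_key": "021000021", "bank_acct": "0123456789"},
    {"vendor": "0000100003", "name": "Northwind Ltd",    "bank_ctry": "GB", "bank_key": "400515",    "bank_acct": "55512345"},
    {"vendor": "0000100004", "name": "Contoso GmbH",     "bank_ctry": "DE", "bank_key": "37040044",  "bank_acct": "0532013000"},
    {"vendor": "0000100005", "name": "Contoso Services", "bank_ctry": "DE", "bank_key": "37040044",  "bank_acct": "0532013000"},
    {"vendor": "0000100006", "name": "Contoso Logistik", "bank_ctry": "de", "bank_key": "37040044",  "bank_acct": "532 013 000"},
]

def normalize_key(rec):
    """Comparison key (bank country key, bank key, account number).
    Assumption: case, embedded spaces and leading zeros are formatting noise,
    so they are removed to catch 'similar' as well as byte-identical details."""
    acct = rec["bank_acct"].replace(" ", "").lstrip("0")
    return (rec["bank_ctry"].upper(), rec["bank_key"].strip(), acct)

def severity(vendor_count):
    """Assumed business-rule logic: the more vendors share an account, the higher the severity."""
    return "High" if vendor_count >= 3 else "Medium"

def detect_duplicate_bank_details(records):
    """Return one exception per bank account shared by two or more vendors,
    with the vendor count and the vendors involved, for the reviewer."""
    groups = defaultdict(list)
    for rec in records:
        groups[normalize_key(rec)].append(rec)
    exceptions = []
    for (ctry, bank_key, acct), recs in sorted(groups.items()):
        if len(recs) < 2:
            continue                      # unique bank details are not an exception
        exceptions.append({
            "bank_ctry": ctry, "bank_key": bank_key, "bank_acct": acct,
            "vendor_count": len(recs),
            "vendors": sorted((r["vendor"], r["name"]) for r in recs),
            "severity": severity(len(recs)),
        })
    return exceptions

if __name__ == "__main__":
    for exc in detect_duplicate_bank_details(VENDOR_BANK_RECORDS):
        print(f"{exc['severity']:6} {exc['bank_ctry']}/{exc['bank_key']}/{exc['bank_acct']}: "
              f"{exc['vendor_count']} vendors {exc['vendors']}")
```

On the constructed records the rule reports two exceptions: three German vendors sharing one account (High) and two US vendors whose account numbers differ only by a leading zero (Medium).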
TRANSACTION MONITORING: VENDOR PAYMENTS
Risk: Fictitious or inappropriate payments are made resulting in financial loss
Continuous monitoring of number of payments made to one-time vendors.
Control Objective: Multiple payments to one-time vendors are investigated and reviewed for appropriateness.
Instances of multiple payments to one-time vendors over a certain amount will be continuously monitored and deviations from established policies and procedures will be flagged as exceptions.
Business Rule: Detect instances of multiple payments to one-time vendors. Report on vendors which have similar bank details captured in the company code view of master data.
Information in SAP: Payment Settings (i.e. one-time vendor indicator, number of payments, monetary amount of payments, created/changed by date and person).
Business Benefits: Automated tracking of unusual/high volume of payments made to one-time vendor resulting in enhanced management of vendor’s contractual agreements.
Produces exception reports out of GRC based on ERP information.
TRANSACTION MONITORING – SAMPLE OUTPUT
Severity of deficiency updated based on the logic defined in the business rules.
Eight postings made to this one-time vendor.
Details such as account number, posting key and accounting document number will assist with investigation.
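As an added illustration (not code from the slides or from SAP Process Control), the one-time vendor payment rule above implemented in Python over constructed payment line items: postings flagged with the one-time vendor indicator are grouped per company code and vendor, and a group exceeding either a posting count or a cumulative amount becomes an exception that carries the document numbers, posting keys and users needed for the investigation. The field names, thresholds and severity logic are assumptions.

```python
from collections import defaultdict

# Constructed payment line items (not real SAP data). Field names are assumptions
# modelled on the slide's "Information in SAP": one-time vendor indicator, company
# code, vendor account, amount, accounting document number, posting key, user, date.
PAYMENTS = [
    {"doc": f"15000001{i:02d}", "cocd": "1000", "vendor": "CPD01", "one_time": True,
     "amount": 500.00, "pstky": "31", "user": "JDOE", "date": f"2013-03-{4 + i:02d}"}
    for i in range(8)                                  # eight small postings, one payee
] + [
    {"doc": "1500000201", "cocd": "1000", "vendor": "CPD02", "one_time": True,
     "amount": 6000.00, "pstky": "31", "user": "ASMITH", "date": "2013-03-10"},
    {"doc": "1500000202", "cocd": "1000", "vendor": "CPD02", "one_time": True,
     "amount": 6000.00, "pstky": "31", "user": "ASMITH", "date": "2013-03-11"},
    {"doc": "1500000301", "cocd": "2000", "vendor": "CPD03", "one_time": True,
     "amount": 2000.00, "pstky": "31", "user": "JDOE", "date": "2013-03-12"},
] + [
    {"doc": f"15000004{i:02d}", "cocd": "1000", "vendor": "0000100001", "one_time": False,
     "amount": 900.00, "pstky": "31", "user": "BATCH", "date": "2013-03-12"}
    for i in range(10)                                 # regular vendor: out of scope
]

# Assumed business-rule thresholds for the review period.
MAX_POSTINGS = 3        # more postings than this to one one-time vendor is unusual
MAX_TOTAL = 10000.00    # or a cumulative amount above this

def severity(count, total):
    """Assumed severity logic: High when either threshold is exceeded twofold."""
    return "High" if count > 2 * MAX_POSTINGS or total > 2 * MAX_TOTAL else "Medium"

def detect_one_time_vendor_payments(payments, max_postings=MAX_POSTINGS, max_total=MAX_TOTAL):
    """Group one-time vendor postings per company code and vendor; return an
    exception for each group over either threshold, with the document numbers,
    posting keys and users the reviewer needs for the investigation."""
    by_vendor = defaultdict(list)
    for p in payments:
        if p["one_time"]:
            by_vendor[(p["cocd"], p["vendor"])].append(p)
    exceptions = []
    for (cocd, vendor), items in sorted(by_vendor.items()):
        count, total = len(items), round(sum(p["amount"] for p in items), 2)
        if count <= max_postings and total <= max_total:
            continue
        exceptions.append({
            "cocd": cocd, "vendor": vendor, "postings": count, "total": total,
            "severity": severity(count, total),
            "documents": [(p["doc"], p["pstky"], p["user"], p["date"]) for p in items],
        })
    return exceptions
```

The constructed data yields the two cases the rule is meant to separate: many small postings to one payee (count threshold, High) and two large postings whose total exceeds the amount threshold (Medium), while the regular vendor with ten postings is never considered.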
ACCESS MONITORING: SEGREGATION OF DUTIES
Risk: Ability to create fictitious vendors and initiate unauthorised payments.
Continuous monitoring of users with segregation of duties violations in Purchasing processes.
Control Objective: Incompatible purchasing activities should not be assigned to the same user within the ERP system.
Users with the ability to maintain vendor master data and initiate payment to vendors will be continuously monitored and deviations from established policies and procedures will be flagged as exceptions.
Business Rule: Detect users with the ability to maintain vendor master data and initiate payment to vendors. Report on segregation of duties violations.
Business Benefits: Automated tracking of un-mitigated users resulting in timely detection and mitigation of segregation of duties violations in the ERP system.
Produces exception reports out of GRC based on ERP information.
ACCESS MONITORING – SAMPLE OUTPUT
Multiple Access Risk reports generated in SAP GRC Access Control during the risk analysis can be displayed.
Risk analysis results with detailed information about user ID, Risk ID and transaction codes.
Ability to assign mitigating controls.
ISSUE TRACKING AND REMEDIATION
• Identify issues quickly using automated or manual controls
• Report ad hoc issues across GRC with handling by Issue Administrator
• Track Issues through to timely closure with full audit trail and reporting
• Continually improve processes with optional CAPA routing
MANAGING SAP SECURITY & GRC IS A CHALLENGE
SAP Security Programs are faced with:
• Complex and rapidly evolving SAP landscape
• In-demand and expensive resources
• Pressure to reduce cost
SAP Security Programs Must:
• Manage Risk
• Meet compliance and regulatory requirements
• Safeguard critical data
• Be responsive to the business
CONCLUSION
Key Points to Take Home
• Key business benefits to implementing Continuous Monitoring
• Four key configuration steps to setting up an automated business rule:
  – Data Source
  – Business Rule
  – Assignment of Business Rule
  – Schedule Job
• Understanding of various compliance monitoring scenarios
• Best practices for establishing a commitment to GRC programs and implementing PC (CM)
CONTACT US
How To Contact Us:
Tracy Levine
Email: [email protected]
@TracyLevine
Website: Tracy-Levine.com
Brian Merkel
Email: [email protected]
MORE INFORMATION
• www.tracy-levine.com
• “Continuous Monitoring: Match Your Business Needs with the Right Techniques,” Levitt and Risinger; https://www.isaca.org/chapters7/Orange-County/Events/Documents/Event%20Presentations/2012-2013/2012-09-11%20-%20SAP%20Continuous%20Monitoring.pdf
• http://rahulurs.com/sap/process-controls/
• http://help.sap.com
• Follow Financial Management SAP Process Control 10.1
• “SAP Business Objects Process Control 10.0 Automated Monitoring Overview,” Sudhalkar; http://a248.g.akamai.net/n/248/420835/18c4944d9b5c0a1c75600f0c42b2f693241ac4d02abf7f9e618a717905fbe3bd/sapasset.download.akamai.com/420835/sapcom/docs/2011/12/f0d0e87e-557c-0010-82c7-eda71af511fa.pdf
FOLLOW US
Thank you for your time
Follow us at @ASUG365