Customer Presentation - GRC Access Control (August '08)


  • 8/6/2019 Customer Presentation - GRC Access Control (August '08)

    1/40

    SAP GRC Access Control
    Protect information and prevent fraud

    May 2008


    SAP 2008 / Page 2

    Disclaimer

    This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation.

    This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice.

    This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.

    Fragmentation
    Managing with confidence is difficult in an increasingly complex world

    [Diagram: Governance, Risk Mgmt. and Compliance labels repeated across departments (Board of Directors, Finance, Legal, Sales, Contracts, HR, Controller, IT, Policy Mgmt., Audit & Compliance, Treasury), countries (U.S., Germany, Japan, U.K., France, China, Canada, India), functions (Security, Proj. Mgmt., Doc. Mgmt., Contracts, Planning, Customers, ERP, Production, Billing) and requirements (SOX, JSOX, Credit Risk, Human Capital Risk, Segregation of Duties, FDA, ROHS, WEEE, Project Risk)]

    Integrated GRC
    Forward looking organizations are seeking a unified approach to GRC

    [Diagram: Governance, Risk Mgmt., Compliance and Segregation Of Duties labels across departments (Board of Directors, Finance, Legal, Sales, Contracts, HR, Controller, IT, Policy Mgmt., Audit & Compliance, Treasury), countries (U.S., Germany, Japan, U.K., France, China, Canada, India), functions (Security, Proj. Mgmt., Doc. Mgmt., Contracts, Planning, Customers, ERP, Production, Billing) and requirements (SOX, JSOX, Credit Risk, Human Capital Risk, Segregation Of Duties, FDA, ROHS, WEEE, Project Risk)]

    Access and Authorization Risks
    Managing access risks is everyone's job

    Human Resources: Inefficient & non-compliant employee provisioning and de-provisioning
    Finance: 5% of annual revenue lost to fraud [1]
    Internal Audit: Time and effort for audits
    Operations: Uncontrolled role management
    Information Security: No monitoring of sensitive transactions
    Executives & Managers: Responsibility for Segregation of Duties?
    IT Operations: Manual, error-prone administration
    Board, Audit Committee: Reactive approach

    [Graphic labels: SALARIES; Supply Chain; Customers & Channel]

    [1] Association of Certified Fraud Examiners, 2006 Report to the Nation on Occupational Fraud and Abuse

    Access and Authorization Management
    Overcome fragmentation, gain comprehensive access control

    Board, Audit Committee: Preventive approach
    Internal Audit: Lower cost of audit and audit-related fees
    Executives & Managers: Manage Compliance With Confidence
    IT Operations: Improve efficiency by automating core compliance/security tasks
    Finance: Vulnerability to unwanted financial activity fixed
    Human Resources: Efficient and compliant user provisioning
    Operations: Compliant, role-based access control
    Information Security: Sensitive transaction monitoring

    [Graphic labels: SALARIES; Supply Chain; Customers & Channel]

    Compliance Trends
    Gartner's 2007 Planning Guidance for Compliance

    By 2010, auditors will expect regulated organizations to detect fraud by performing transaction monitoring on a continuous basis, and 60% of regulated firms will have such an automated process in place. [1]

    The broader market for GRC products will subsume this market by 2010, and SoD controls will be offered primarily as embedded capabilities in GRC products/suites (0.8 probability). [1]

    Process owners are looking to simplify and reduce the cost of compliance. [2]

    Spending on security, segregation of duties, and other solutions that support controls monitoring and automation will increase. [2]

    [1] Gartner - MarketScope for Segregation of Duties Controls Within ERP, 2007
    [2] Gartner - The 2006 Planning Guidance for Compliance: Risk-Orientation, Standardization, and Automation, April 2006

    Governance, Risk, Compliance - required to establish Corporate Accountability

    SAP GRC Process Control: Control Monitoring for Business Processes
    SAP GRC Access Control: Secure SOD & Compliant IDM/Provisioning
    SAP GRC Global Trade Services: Streamline Trade Compliance
    SAP Environment, Health & Safety Compliance Management: Ensure EH&S Oversight
    SAP GRC Risk Management: Aggregated Detection of Risks and Control Monitoring

    Provides a unified, business-user focused approach
    Organizes all compliance requirements
    Creates a common method to measure risks
    Ensures strategy considers risks
    Implements and monitors controls in business processes
    Detects and alerts to exceptions for risks and controls
    Promotes sustainable operations

    SAP GRC Access Control
    Control Access and Authorizations Across Your Enterprise

    [Diagram labels: Analyze and Remediate; Model and Control; Embed and Execute; Document and Audit; Enterprise role management; Analyze and remediate risk; Compliant user provisioning; Superuser privilege management; Identity Management; Automate Reviews; SoD Rules & Regulations; Corporate Policies; Best Practices; Embed cross-platform; Embed cross-function (FIN, SCM, SRM, MFG, HR); Manage by exception; Collaborate across functions; Provide proof; Streamline audits]

    Protect information and prevent fraud
      Automatically eliminate access and authorization risks with out-of-the-box rules
      Enforce segregation of duties across applications and departments
      Prevent improper access instead of reacting to problems

    Optimize operations
      Automate segregation of duties management
      Automate access management
      Promote IT and Line of Business collaboration
      Enforce accountability with review and approval processes

    Ease compliance and avoid authorization risk
      Minimize time and cost for financial compliance
      Provide proof and reliability with control tests and audit trail for SOD controls
      Report and review key risk indicators for system access

    SAP GRC Access Control
    Sustainable prevention of segregation of duties violations

    Minimal Time To Compliance (Get Clean)
      Risk Analysis and Remediation: Rapid, cost-effective and comprehensive initial clean-up

    Continuous Access Management (Stay Clean)
      Enterprise Role Management: Enforce SoD compliance at design time
      Compliant User Provisioning: Prevent SoD violations at run time
      Superuser Privilege Management: Close #1 audit issue with temporary emergency access

    Effective Management Oversight and Audit (Stay in Control)
      Periodic Access Review and Audit: Focus on remaining challenges during recurring audits

    Risk analysis, remediation and prevention services
    Cross-enterprise library of best practice segregation of duties rules

    SAP GRC Access Control
    Minimal time to compliance

    Get Clean: Risk Analysis and Remediation

    SAP GRC Access Control
    Continuous access management

    Stay Clean: Enterprise Role Management; Compliant User Provisioning; Superuser Privilege Management
    Get Clean: Risk Analysis and Remediation

    SAP GRC Access Control
    Effective management oversight and audit

    Stay in Control: Management Oversight; Internal Audit
    Stay Clean: Enterprise Role Management; Compliant User Provisioning; Superuser Privilege Management
    Get Clean: Risk Analysis and Remediation

    Risk Analysis, Remediation, and Prevention Services
    Deliver 24/7, real-time compliance by stopping security and controls violations before they occur

    [Diagram labels: Access Risks Services (Reporting, Risk Identification, Elimination, Prevention); Rules; Access Risks Library]

    "SAP GRC Access Control, with its comprehensive preconfigured ruleset, reflected deep expertise within SAP that would have taken us a very long time to replicate."
    Deepak Mehrotra, SOX Compliance Manager, Synopsys Inc.

    Real-time SOD Risk Analysis
    Critical Transaction Monitoring
    Cross-Application Integration
    Remediation Management
    Mitigation Management

    Common services across all SAP GRC Access Control capabilities
    Alerts Framework
    Reporting
    Real-time Simulation
    Mandatory Prevention
    Cross-Enterprise Rules Database
    Cross-Enterprise Rules Architect

    Risk Analysis and Remediation
    Getting Clean

    Initial Risk Analysis and Remediation

    [Diagram labels: Risk Identification; Risk Elimination; Reporting; Prevention]

    "The cleanup process has brought a tremendous degree of discipline to the way we think about and manage user access and authorizations."
    Deepak Mehrotra, SOX Compliance Manager, Synopsys Inc.

    Access Risk Identification
    Access Risk Elimination
    Reporting
    Prevention

    End-to-End Automation
    Facilitates collaboration between Business and IT to clean up access risks

    Enterprise Role Definition
    Enables enterprise role definition and maintenance in a single location

    Centralized Role Management
    Across applications

    [Diagram labels: SAP GRC Access Control; Enterprise Rules; Role (repeated); Audit log]

    28% time savings in role management - Customer Survey, 3/2006

    Compliant enterprise roles
    Reduce cost of role maintenance
    Ease compliance and avoid authorization risk
    Eliminate errors and enforce best practices
    Assure audit-ready traceability and security checks
    New role mapping of business roles to technical roles with SAP GRC Access Control 5.3

    Compliant User Provisioning
    Problem: Inefficient and unauditable user provisioning

    Current approach inefficient, not compliant

    [Diagram labels: Access request; Manager approval; Role owner; IT security; Manual provisioning; handoffs labelled e-mail and spreadsheets, paper forms]

    Compliant User Provisioning
    Enables compliant end-to-end provisioning - hire to retire

    Compliant provisioning with dynamic workflow

    [Diagram labels: HR event (Employee hired/retired); Request generated; Mgr approval; Risk analysis; Automated provisioning; 100% automated; Via e-mail; One-click preventive simulation; Path workflow based on request type and user attributes; Escalation workflow; Exception workflow]

    "We reduced provisioning from 2 weeks to 2 days" - Web Seminar Rockwell Collins, 3/2005

    Embed cross-enterprise preventive compliance in business process
    Reduce cost of user administration
    Improve productivity of end users
    Provide auditable tracking for auditors

    Superuser Privilege Management
    Enables compliance-focused emergency access for SAP ERP

    Compliant super user access

    [Diagram labels: Superuser; New session (x4); Firecall ID (x4); SAP_ALL; FICO; MM; SD; Log (x4)]

    Preassigned FireFighter IDs
    Access restrictions
    Validity dates
    Field-level changes tracked in audit log

    "Super users and auditors love it" - Web Seminar Lincoln Electric, 3/2006

    Close #1 open audit issue
    Avoid business obstructions with faster emergency response
    Reduce audit time
    Reduce time to perform critical tasks

    Management Oversight and Audits
    Periodic reviews; comprehensive and efficient audits

    Review User Provisioning
    Review Potential Risks
    Review Actual Risks
    Review Policy
    Review Emergency Access
    Management

    1) Validate via sampling that changes to access were appropriately authorized
    2) Validate that segregation of duties risks are appropriately mitigated on a sample basis
    Internal Audit

    Equips internal and external auditors to complete comprehensive and efficient testing
    Saves audit and audit-related fees
    Management by exception
    Automated, pre-built access controls reporting
    Review of roles, users and mitigation controls

    Comprehensive Access Controls
    Enables business managers, auditors, and IT security to collaborate

    Key Areas and SAP Benefits
      Collaboration Business and IT: Enabling business to take accountability for access
      Access Risk Identification and Elimination: Identification and elimination of potential access risks (e.g. segregation of duties violations) and actual risks (e.g. sensitive transaction monitoring); real-time detective and preventive controls cross-enterprise
      Role Design And Management: SoD-compliant role-design and management to address the root of the problem
      Periodic Access Review: Automated, pre-built access controls reporting; review of roles, users and mitigation controls
      Audit Cycle Management: Provide documentation to help validate that the business team is following the control process
      Privileged User Access: Efficient and effective superuser privilege management, with tracking of all activity
      Compliant User Provisioning: Efficient and SoD-compliant user provisioning and de-provisioning from hire to retire

    [Other labels: Owner; IT Security; Business Users; Management Oversight; Internal Audit]

    GRC Management by Exception
    Turning regulatory requirements into strategic advantage

    [Chart labels: COST; GRC Spend; Today; Tomorrow; Savings for Innovation; Multiple Tools; Manual Efforts; Compliance Management by Exception; Embedded Compliance; Common Foundation]

    Increase transparency
    Gain flexibility and speed
    Lower cost of audit and audit-related fees
    Achieve higher confidence

    Cross-Enterprise Solution
    Identify and remediate conflicts across functions and applications

    [Diagram labels: Cross-Enterprise GRC; Cross-Functional; Cross-Application; Hire-to-Retire; Reconcile-to-Report; Procure-to-Pay; Order-to-Cash; Production-to-Delivery]

    Cross-Enterprise Capabilities
    SAP GRC Access Control delivers best practice SoD rules library

    Platforms: JD Edwards, PeopleSoft, Oracle, SAP

    Rule areas (four lists, in page order):
      HR/Payroll; Procure to Pay; Order to Cash; Finance; General Accounting; Consolidations
      HR; Procure to Pay; Order to Cash; Finance; General Accounting; Fixed Assets; System Administration
      HR; Procure to Pay; Order to Cash; Finance; General Accounting; Project Systems; Fixed Assets; System Administration
      HR; Procure to Pay; Order to Cash; Finance; General Accounting; Project Systems; Fixed Assets; Basis, Security and System Administration; Materials Management; APO; SRM; CRM; Consolidations

    Business and IT Collaboration
    Enabling Business to Take Accountability for Access

    Business: Make decisions
    IT: Enable decisions

    SAP GRC Access Control enables crucial collaboration
    Business owns the responsibility for Segregation of Duties
    IT understands the technology to grant or revoke user access

    Business-Driven Identity Management

    CFO: Business Controls
    CIO: Systems Access

    SAP GRC Access Control
    Identity Management

    Additional user provisioning
    Identity synchronization and virtualization
    Privilege management for applications and resources

    User provisioning
    Risk analysis
    Audit and compliance, including audit repository
    Approval workflows
    Privilege management for business transactions

    SAP will offer an integrated solution
    SAP addresses compliance issues across the organization

    SAP GRC Access Control 5.3
    Identity management integration

    SAP GRC Access Control approach to Identity management:

    [Diagram labels: SAP GRC Access Control (Enterprise role management; Risk analysis and remediation; Compliant user provisioning; Superuser privilege management; SAP_ALL); Identity Management Applications (SAP Netweaver IdM, IBM, SUN); HR; HR authoritative source; Self-service; Authoritative source; Auditing and review]

    What our customers say
    SAP GRC Access Control delivers value

    Effective and Efficient
    "The SAP applications not only help to ensure good governance and compliance, they also reduce the effort involved so that our people can focus on the business."

    Preventive
    "A key internal control in any organization is segregation of duties (SoD), which is arduous to achieve manually with all the different transactional access available in SAP software. SAP GRC Access Control automated this function and enabled us to change our process and implement a preventive solution for future ongoing compliance."

    Easy
    "SAP GRC Access Control is easy to implement, and easy to use, and most importantly gives us the ability to ensure we meet regulatory requirements with minimal impact on our staff and business operations."

    Proactive
    "We used to be in a reaction mode - with SAP GRC Access Control we are now in a proactive mode."

    Automated
    "We clearly would not have been as successful without this application, in terms of our external reporting requirements for the SEC and the Public Company Accounting Oversight Board."

    Proven results for customers
    Customers report significant reductions in compliance cost and labor

    [Bar chart: Average value reported (axis 0% to 45%). Categories: Reduction in time spent making changes to users and roles; Reduction in time required to clean up audit report findings for security; Reduction in time spent on external/internal audit; Reduction in time spent managing authorization risk; Reduction in internal/external audit costs; Reduction in costs for managing user authorization risk. Values shown: 30%, 25%, 32%, 28%, 28%, 31%]

    Source: Customer Survey, March 2006 (Number of responses = 130)

    Gartner Strong Positive
    SAP GRC Access Control receives highest rating from Gartner [1]

    About SAP GRC Access Control
      SAP is the only vendor with a Gartner recommends rating in all technique categories (Static analysis, provisioning support, integrated provisioning workflow, transaction monitoring and emergency access)
      offers one of the strongest product sets in our analysis, comprehensively addressing all SoD issues across multiple SAP instances.
      capable of running on multiple ERP platforms

    Rating: Strong Positive, Positive, Promising, Caution, Strong Negative

    [1] Gartner - MarketScope for Segregation of Duties Controls Within ERP, 2007

    References
    Delivering real world value to our customers

    Real-World Value

    Saved time and costs, with single, integrated system
    Faster approval of access and authorization requests
    Created a highly responsive audit environment that enables rapid response and remediation to SOD issues
    Established audit response processes to minimize audit time and cost
    Improved strategy for resolving SOD conflict problems
    Achieved ROI in less than 3 months through productivity improvements and reduced audit costs
    Enforce key SOD control at lowest total cost of ownership
    89% reduction in administrative costs due to self-service workflow
    GTS and Access Control part of a large solution selected over Oracle / Hyperion

    Synopsys, Inc.

    Canadian Pacific Railway

    Canadian Pacific Railway

    Bacardi

    Printronix

    "Virsa Compliance Calibrator is easy to implement and easy to use, and most importantly gives us the ability to ensure we meet regulatory requirements with minimal impact on our staff and business operations."
    Kate Squyres, Manager, IT Compliance, Printronix

    Company: Printronix
    Products/Services: Global enterprise printing solutions for industrial manufacturing and distribution supply chain
    SAP Solutions and Services: Virsa Compliance Calibrator
    Revenue: $128 million
    Employees: 785
    Location: Irvine, California
    Industry: High Tech
    Web Site: www.printronix.com

    Challenges and Opportunities
      Ensure the company has the internal control environment for financial statements to be in compliance with latest regulatory disclosure requirements
      Minimize time and cost of annual audits

    Objectives
      Enable compliance that is easy to implement and readily accepted by the audit community
      Implement a solution that is easy to use by business process owners and has minimal impact on IT resources

    Implementation Highlights
      Implementation was completed on time and within budget; total time to completion was less than six months and met end-of-year audit requirements

    Why SAP
      Virsa Compliance Calibrator is integrated to SAP ERP, enabling streamlined, real-time review of security set-up
      Depth of functionality and ease of use

    Benefits
      Established readily accepted, audit response processes that have minimized audit time and cost
      Created a highly responsive audit environment that enables rapid response and remediation to Segregation of Duty (SoD) violations

    Xerox Europe

    Wolverine

    Challenges and Opportunities
      Difficulty documenting Segregation of Duties (SoD) controls
      Assessing & monitoring internal controls takes significant time
      Home-grown solutions are inconsistent and not comprehensive
      Compliance requires high level of change management

    Objectives
      Segregation of duty capabilities
      Sarbanes-Oxley Section 302/404 Compliance
      Risk management
      Real-time detection of violations

    Implementation Highlights
      Compliance Calibrator implemented in two weeks

    Why SAP
      Integration with SAP applications helps speed implementation
      SAP GRC solutions give Wolverine compliance managers the ability to identify conflicts
      Satisfies compliance audit requirements
      Alleviates concerns about data integrity

    Benefits
      Simplified compliance with Sarbanes-Oxley
      Reduced consulting and audit effort and cost
      Reduced time needed to make user profile changes
      Improved ability to develop strategy for resolving SoD conflict problems
      Enabled implementation of governance best practices
      Reduced internal efforts to maintain, control and perform analysis
      Ability to run simulations by user role

    "The SAP application has given the security team a method to quickly identify risks within the system. The simulation feature has been a significant tool to aid in conflict mitigation."
    Kiki Lown, Director of Compliance & Administration, Wolverine World Wide, Inc.

    Company: Wolverine World Wide, Inc.
    Products/Services: Apparel and accessories
    SAP Solutions and Services: SAP Solutions for Governance, Risk and Compliance; Virsa Compliance Calibrator
    Revenue: $1 Billion
    Employees: 4,500
    Location: Rockford, Michigan
    Industry: Consumer Products
    Partner: PricewaterhouseCoopers
    Web Site: www.wolverineworldwide.com

    Resources

    www.sap.com/GRC - Solutions for automated end-to-end GRC Processes
    www.sap.com/solutions/grc/accessandauthorization/index.epx - SAP GRC Access Control
    www.sap.com/solutions/grc/brochures/index.epx - SAP Solutions for GRC: Brochures & whitepapers
    www.sap.com/solutions/grc/demos/index.epx - SAP Solutions for GRC: Demos

    SAP Solutions for Governance, Risk, and Compliance