Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2016 Wellesley Information Services. All rights reserved. Tips to Help You Improve the Way You Create Custom Reports in SAP GRC 10.1 Prateek Jain EY


In This Session

• Get an overview of SAP Access Control (AC) processes

• Discuss reporting challenges and issues that companies typically face while using reports for SAP AC

• Discuss reporting features available within AC v10.x

• Learn how to overcome challenges that GRC users come across while reviewing standard reports

• Learn how to build custom reports that assist GRC administrators, auditors, and compliance groups in order to improve visibility of risks and manage compliance


What We’ll Cover

• Overview of SAP AC processes

• Reporting challenges and issues

• Reporting options within SAP GRC

• Where is data stored?

• Building custom reports

• Wrap-up


SAP Access Control Processes

• Identifying applicable AC processes is a critical step in defining an overall reporting strategy

[Diagram: Access management process areas, with each activity labeled by the AC module that supports it]

Policies and procedures; Control frameworks

Application access management

User provisioning: New user access; Modify existing access; Terminate existing access; Access approval; Preventative segregation of duties (SoD) check

Emergency access provisioning; Emergency access monitoring and review

Role management: Create new role; Modify existing role; Disable existing role; Role approval and governance

Compliance and monitoring: Periodic SoD review; Periodic sensitive access (SA) review; Remediation; Mitigating controls; Periodic access reviews

Module labels: Access Risk Management (ARM), Emergency Access Management (EAM), Business Role Management (BRM), Access Risk Analysis (ARA)


Typical SAP GRC Reporting Challenges


SAP Access Control Reporting – Issues Observed

• Lack of an enterprise-wide reporting strategy for managing AC risk.

• Report ownership is not clearly defined, which can lead to a considerable amount of overlap among reporting functions.

• Native compliance reporting in SAP can be difficult to obtain, usually requiring reformatting and manual compilation.

• Even while using Access Control, manual reporting techniques are needed for executing, distributing, and analyzing reports.

• Report selection and output are not appropriately customized to reviewer requirements.

• Appropriate guidance or training may not be available for interpreting or reviewing reports.

• Lack of an evaluation and analysis framework makes it difficult to consistently apply remediation and take follow-up actions.


Building Blocks – SAP Access Control Reporting

• Establish a reporting strategy linked to regulatory controls requirements (i.e., Sarbanes-Oxley [SOX] report review frequency) and access control processes

• While selecting a reporting strategy, consider the following:

Top-down (dashboard and analytical reporting driven)

Maturity of the access control processes (manual, automated, integrated)

Organizational structure (centralized, decentralized)

• Consider including reporting as a key component of your overall GRC implementation/rollout strategy


What Can an Effective Reporting Strategy Do for You?

• An effective reporting strategy can improve access risk management by:

Providing near-real-time visibility to risks, bottlenecks, and issues

Detecting inadvertent or deliberate errors in a timely manner

Defining consistent guidelines for remediation and follow-up actions

Providing audit-ready, detailed reporting

Improving overall efficiency of risk management process, freeing compliance and IT resources for more value-added initiatives

Maximizing the effectiveness of reporting to increase acceptance of Access Control as a risk management tool


Identify Reporting Options

Source: SAP

Integration with SAP Business Warehouse (BW)


GRC Standard Reports

• GRC 10.1 provides a number of standard reports for all AC modules

Access analysis reports: Provide details on access rules, mitigation controls, and SoD and SA violations

Emergency access management reports: Firefighter log report, transaction log, and session details

Role management reports: View details related to role management

Access request reports: Provide details related to access requests

• Reports are available within each standard work center to align with transactional activities


GRC Standard Reports (cont.)

Dashboard reporting – Standard dashboards can be used for high-level reporting.

Ad hoc reporting – Standard reports for AC modules can be used for detailed reporting.


Personalize View of GRC Standard Report

Personalize report columns, sorts and filters by user


SAP GRC 10.1 GRC Tables

• Using transaction code SE16, you can access GRC tables:

GRC Foundation (GRFN)*

Access Control (AC)*:

ARA

EAM

BRM

Access request

Process Control (PC)*

• Limit your search using “*” within the GRC system for relevant data stored within the system


Key Tables in Access Risk Analysis

Rule set:

GRACSOD*

GRACFUNC*

Mitigating controls:

GRACMIT*

Batch risk analysis:

GRACUSERPRMVL

GRACUSERCRPVL

GRACMGRISKD


Key Tables in Emergency Access Management

Firefighter log:

GRACFFLOG

GRACREASONSYS

Firefighter ownership:

GRACFFUSER

GRACFFOWNER

GRACFFCTRL

Firefighter ID or role assignment:

GRACFFUSERT


Key Tables in Business Role Management

Role details:

GRACROLE

GRACROLERELAT

GRACROLEACT

Role ownership:

GRACROLEAPPRVR

Reporting:

GRACROLEREQ

GRACROLEACTVL


Key Tables in Access Request

Firefighter log:

GRACFFLOG

GRACREASONSYS

Firefighter ownership:

GRACFFUSER

GRACFFOWNER

GRACFFCTRL

Firefighter ID or role assignment:

GRACFFUSERT


Why There Is a Need to Create Custom Reports

• Issues observed

Periodic reporting of outstanding requests

Multiple steps to obtain visibility into an access request to determine the approver (i.e., with whom the request is pending)

• Resolution

Develop custom report by joining back-end GRC tables

Ability to access information quickly without the need for filters or several drill-downs

Every organization has some uniqueness in the way it manages its GRC operations and has different reporting requirements


Building Custom Reports

• Custom reports can be developed through queries within SAP ABAP (Advanced Business Application Programming) systems:

Using transaction codes SQ01, SQ02, and SQVI

SQ02 – Create InfoSet by joining tables

SQ01 – Create queries

SQVI – Query viewer


Publish Custom Report

• Use transaction code LPD_CUST to publish queries to SAP Business Client (BC)


Custom Report Example

• Example custom reports:

GRC pending access requests by approver

GRC request detail

• Tables used to create the above custom reports:

Table name         Table description
GRFNMWRTDATLG      GRC request approval status
GRFNMWRTINST       GRC request instance details
GRACREQPROVLOG     GRC request provisioning logs
GRACREQPROVITEM    GRC request line item details
GRACROLE           Role
GRACROLEAPPRVR     Role approver


Sample Report – Design

Table 1 – GRFNMWRTDATLG

Table fields        Field description
INSTANCE_ID         MSMP (Instance_ID)
STATUS_CHANGE_BY    Approver user

Table 2 – GRFNMWRTINST

Table fields        Field description
INSTANCE_ID         MSMP (Instance_ID)
EXTERNAL_KEY        External key (Req_ID)
EXTERNAL_KEY_DIS    External key for display
APPROVAL_STATUS     Instance approval status

Table 3 – GRACREQPROVITEM

Table fields        Field description
REQ_ID              Request ID
PROV_ITEM_TYPE      Line item type
APPROVAL_STATUS     Line item approval status

Tables 1 and 2: table join using common field Instance_ID

Tables 2 and 3: table join using common field Req_ID


Sample Report – Launch

• Custom reports that you develop can be placed into the customized launchpad, which can be secured using standard SAP security

Customized launchpad


Sample Report – Execution

• The selection screen below shows that you can enter the request number or approval status to see pending approvals within the access request

Enter the request number

Enter status as Pending


Sample Report – Results

• You will be able to view a report with details of the request such as:

Request number

Instance status

Requestor

Approver


Sample Report – Results (cont.)

• Line Item Approval Status column shows the approval status of each specific role within the request. The blank fields represent roles that have not been processed.

Role status (approved/rejected/blank [pending approval])
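
The three-table join from the design slide, modeled outside SAP as an added example that is not part of the original presentation: it loads constructed rows into an in-memory SQLite database and builds the requests-by-approver view, reporting blank line-item statuses as not processed. Table and field names are from the slides; the IDs, status values, function names, and the assumption that the log table can repeat a row for the same instance are illustrative.

```python
import sqlite3
from collections import defaultdict

# Constructed sample rows. Column names are the ones on the design slide;
# the IDs and status values are placeholders, not real GRC codes.
DATLG = [("I1", "APPROVER_A"), ("I1", "APPROVER_A"),  # repeated log row
         ("I2", "APPROVER_B"), ("I3", "APPROVER_A")]
INST = [("I1", "R100", "100", "PENDING"),
        ("I2", "R200", "200", "PENDING"),
        ("I3", "R300", "300", "APPROVED")]
ITEMS = [("R100", "ROLE", "APPROVED"), ("R100", "ROLE", ""),
         ("R200", "ROLE", ""), ("R300", "ROLE", "APPROVED")]

JOIN_SQL = """
SELECT d.STATUS_CHANGE_BY, i.EXTERNAL_KEY_DIS, p.APPROVAL_STATUS
FROM (SELECT DISTINCT INSTANCE_ID, STATUS_CHANGE_BY FROM GRFNMWRTDATLG) AS d
JOIN GRFNMWRTINST    AS i ON i.INSTANCE_ID = d.INSTANCE_ID  -- Table 1 to 2
JOIN GRACREQPROVITEM AS p ON p.REQ_ID = i.EXTERNAL_KEY      -- Table 2 to 3
WHERE i.APPROVAL_STATUS = ?
ORDER BY d.STATUS_CHANGE_BY, i.EXTERNAL_KEY_DIS, p.rowid
"""

def build_db():
    """Load the three constructed tables into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE GRFNMWRTDATLG (INSTANCE_ID TEXT, STATUS_CHANGE_BY TEXT);
        CREATE TABLE GRFNMWRTINST (INSTANCE_ID TEXT, EXTERNAL_KEY TEXT,
                                   EXTERNAL_KEY_DIS TEXT, APPROVAL_STATUS TEXT);
        CREATE TABLE GRACREQPROVITEM (REQ_ID TEXT, PROV_ITEM_TYPE TEXT,
                                      APPROVAL_STATUS TEXT);
    """)
    conn.executemany("INSERT INTO GRFNMWRTDATLG VALUES (?, ?)", DATLG)
    conn.executemany("INSERT INTO GRFNMWRTINST VALUES (?, ?, ?, ?)", INST)
    conn.executemany("INSERT INTO GRACREQPROVITEM VALUES (?, ?, ?)", ITEMS)
    return conn

def requests_by_approver(conn, instance_status="PENDING"):
    """Return {approver: [(request, line_item_status), ...]} for one status.
    A blank line-item status is reported as 'not processed'."""
    report = defaultdict(list)
    rows = conn.execute(JOIN_SQL, (instance_status,))
    for approver, request, line_status in rows:
        report[approver].append((request, line_status or "not processed"))
    return dict(report)

def unprocessed_counts(report):
    """Count line items still awaiting a decision, per approver."""
    return {approver: sum(1 for _, s in rows if s == "not processed")
            for approver, rows in report.items()}

if __name__ == "__main__":
    result = requests_by_approver(build_db())
    for approver, rows in result.items():
        print(approver, rows)
    print(unprocessed_counts(result))
```

The DISTINCT subquery keeps a repeated log row from multiplying the line items in the output, which is the usual fan-out risk when a log table sits on one side of a join.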


Where to Find More Information

• Mark Polak and Marsha Reppy, “Build a Powerful, Effective Business Case for Your GRC Solution Implementation” (SAPinsider, October/November/December 2013).

GRC Thought Leadership Publication

www.ey.com/Publication/vwLUAssets/10-2012_GRC/$FILE/10-2012_GRC_Ernst&Young.pdf

• SAP (Official), “A Detailed Guide to the Available Reporting Options with SAP Governance, Risk, and Compliance 10.0 Solutions” (SCN, October 2012).

www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/a051ae87-bdb3-2f10-8b9a-e941e7f49326


7 Key Points to Take Home

• Establish a process-based access control reporting strategy as part of your GRC implementation/rollout program

• While selecting a reporting strategy, consider the top-down approach

• Define clear ownership of roles and responsibilities between the business, IT and compliance for each report category

• Leverage standard dashboards, reports, workflow and security capabilities provided by SAP AC

• Advanced analytics can be used as a powerful tool to complement standard GRC reports

• Store GRC back-end system data in transparent tables

• Secure custom reports by leveraging the SAP standard security
