SAP ERP Financials
SAP Solutions for Governance, Risk, and Compliance and SAP GRC Access Control
Rainer Salaw, CPA, SAP Deutschland AG & Co KG, Regional Solution Sales GRC EMEA
Barbara Mayer, Enterprise Risk Management, SAP Consulting
© SAP AG 2007, SAP Skills 2007 Conference / G3 / 3
AGENDA
– GRC as part of SAP Financials
– Challenge for GRC
– GRC-Suite in detail
– Value proposition
The Fast Track to SAP Knowledge
Gartner "Strong Positive" about SAP GRC Access Control [1]
SAP is the only vendor with a "Gartner recommends" rating in all technique categories (static analysis, provisioning support, integrated provisioning workflow, transaction monitoring and emergency access).
"... offers one of the strongest product sets in our analysis, comprehensively addressing all SoD issues across multiple SAP instances."
"... capable of running on multiple ERP platforms ..."
[1] Gartner, MarketScope for Segregation of Duties Controls Within ERP, 2007
(Rating scale shown: Strong Negative, Caution, Promising, Positive, Strong Positive; SAP is rated Strong Positive)
mySAP ERP Financials (overview diagram)
– Corporate Performance Management (CPM): Strategy Management (Balanced Scorecard), Consolidation, Planning
– Accounting & Finance Transformation: FI, FI-AA, FI-AR/AP, NewGL, CO, PCA
– Financial Supply Chain Management (FSCM): Credit Mgmt., Collections Mgmt., Dispute Mgmt., FI-CA, Biller Direct, In-house Cash
– Governance, Risk, and Compliance (GRC): internal regulations / ethical standards; strategic/operative risks; external regulations / compliance to laws
Business Case: "... the True Information Age"
"In 2010 the need for fast, accurate and reliable information will be increased significantly. In four areas the demand will be raised most. Two of them are: Risk Management and Governance."
Fragmented Processes and Systems: A Risky Situation! (diagram of business areas and their risk situation)
– Finance: complex, international compliance requirements (e.g. revenue recognition)
– Compliance / Risk Office: high-level risks, not proactive
– Sales: credit risks, customer ratings
– Purchasing: supplier rating & "embargo lists"
– Management: no overview of the risk portfolio
– IT: IT security; SoD management; fraud
– Supervisory board, internal audit: almost manual, sample-based, not error-free controls
(Further areas shown without detail: Supply Chain, Customers & Channel, Human Resource, Environmental Health & Safety, Salaries)
Gain Confidence by Proactive Transparency with SAP GRC (diagram of the same business areas after introducing GRC)
– Supervisory board, internal audit: documented decisions, audit trail
– Compliance / Risk Office: real-time risk analysis, integrated view
– Management: transparency about risks => max. confidence!
– IT: highly secured IT systems
– Purchasing: transparent rating, compliance to trade regulations
– Finance: compliance in group reporting processes
– Human Resource: compliance to environmental standards
– Sales: transparent customer solvency
(Further areas shown without detail: Supply Chain, Customers & Channel, Salaries)
Fragmentation vs. Holistic Approach to GRC (diagram)
From fragmented risk & compliance: Information Security, SOX Compliance, Risk Mgmt and Internal Audit each handled separately on top of the business applications ...
... to holistic GRC: SAP Solutions for GRC on the Business Process Platform
– Cross-Industry GRC: Access Controls, Global Trade, Environment, Process Controls, Risk Management
– GRC Repository: Documentation and Monitoring
– Industry-Specific GRC
– Business Applications
GRC Suite: Functions for All Process-Orientated Risks and Regulations (diagram)
– Cross-industry solution: Access Control (Compliance Calibrator, Role Expert, Access Enforcer, Fire Fighter), Risk Management, Process Control
– Industry-specific solutions: Global Trade Services (GTS), Environment, Health & Safety (EH&S), ... more solutions
GRC Suite (diagram, now with the GRC-Repository and the SAP GRC Access Control component names)
– Cross-industry solution: Access Control (SAP GRC Access Control: Risk Analysis and Remediation, Enterprise Role Management, Compliant User Provisioning, Super User Privilege Management), Risk Management, Process Control, GRC-Repository
– Industry-specific solutions: Global Trade Services (GTS), Environment, Health & Safety (EH&S), ... more solutions
Functions for All Process-Orientated Risks and Regulations
SAP Solutions for GRC: Framework for an integrated GRC solution (diagram: Business Process Platform, Business Applications, Business Process, SAP GRC Access Controls)
– GRC as an integrated part of all business processes
– Leverage integration through high automation (e.g. automatic controls)
– Group-wide utilization, open architecture (usage of SAP's technology platform → no limitation to SAP ERP systems)
GRC Repository: Central System of Record Drives Governance, Increases Transparency
Sources feeding the GRC Repository (diagram): Performance Measures & Benchmarks; Regulations & Industry Mandates; Risk & Control Libraries; Corporate Policies & Procedures; BOD & Committee Minutes; Best Practices; Control Frameworks (COSO, COBIT); Advisory Services (Auditors, Attorneys); Internal Policies; Governmental Agencies; Influence Councils
– Enforces governance for the entire enterprise: regional regulations; multiple frameworks for each department; pre-built control & risk libraries
– Complete body of evidence for compliance
– Centralized knowledge base for all GRC-relevant information → beyond fragmentation
– Single source of truth for reporting
How Does GRC Support You?
Identification of all kinds of risks (group wide):
– Access Controls: segregation of duties risks; fraud; risky system authorizations; misuse of rights
– Process Controls: compliance of processing; stick to governance; focus on operational business risks; quality of processes
– Risk Management: focus on non-operative risks; opportunity management; decision support
Transparency and Remediation:
– Define appropriate actions for identified risks
– Eliminate risks by segregation of duties (→ remove authorizations, redesign processes)
– Minimize risks by defining appropriate mitigation controls
– Maximize risk awareness (→ transparency, continuous monitoring, escalation, mitigation, remediation)
Governance & Compliance:
– e.g. Sarbanes-Oxley Act (SOX), KonTraG, etc.
– Rules of Business Conduct, ethical standards, governance rules
(Legend: automation / manual activity)
Access Controls in detail: Risk Analysis and Remediation; Enterprise Role Management; Superuser Privilege Management; Compliant User Provisioning
SAP GRC Access Control: Sustainable Prevention of Segregation of Duties Violations
Foundation: cross-enterprise library of best-practice segregation of duties rules; risk analysis, remediation and prevention services.
– Get Clean → minimal time to compliance: Risk Analysis and Remediation (rapid, cost-effective and comprehensive initial clean-up)
– Stay Clean → continuous access management: Enterprise Role Management (enforce SoD compliance at design time); Compliant User Provisioning (prevent SoD violations at run time)
– Stay in Control → effective management oversight and audit: Superuser Privilege Management (close #1 audit issue with temporary emergency access); Periodic Access Review and Audit (focus on remaining challenges during recurring audits)
Risk Analysis and Remediation: Getting Clean
Initial Risk Analysis and Remediation (cycle diagram: Risk Identification, Risk Elimination, Prevention, Reporting; end-to-end automation): facilitates collaboration between Business and IT to clean up access risks.
"The clean-up process has brought a tremendous degree of discipline to the way we think about and manage user access and authorizations." Deepak Mehrotra, SOX Compliance Manager, Synopsys Inc.
Cross-System Risk Analysis (diagram)
Heterogeneous IT landscape: Legacy, Custom, Financials and Accounting, and Inventory and Purchasing systems.
The authorization "Maintain vendor master data" combined with the authorization "Initiate payment to vendor", held across the systems of this landscape → RISK! The conflict is detected by the VIRSA cross-enterprise rule set.
How Does it Work? → Compliance Calibrator (diagram)
– Business applications (e.g. ERP 2005), each connected through an RTA (real-time agent), feed the risk analysis function, which evaluates access against the SoD matrix.
– The compliance officer requests a risk analysis for user "Maier" and receives the identified risks.
– PLAN (the intended authorizations) is compared with ACTUAL (the authorizations in the systems), and the result is issued as a risk report.
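Worked example, added here and not code from the slides or from SAP GRC Access Control: a small Python model of the Compliance Calibrator flow above and of the cross-system risk analysis slide, combining one user's authorizations from several systems, checking them against a rule set, and comparing PLAN against ACTUAL. The two conflicting functions are the ones the slides name (maintain vendor master data vs. initiate payment to vendor); the rule set, system names, authorization codes, risk IDs and mitigation control ID are constructed placeholders.

```python
# Constructed cross-enterprise SoD rule set: each risk ID (placeholder, not
# SAP-delivered content) names two business functions one person must not hold.
SOD_RULES = {
    "R01": ("Maintain vendor master data", "Initiate payment to vendor"),
    "R02": ("Create purchase order", "Post goods receipt"),
}

# Constructed map from (system, authorization) to business function. System
# names and authorization codes are placeholders, not SAP authorization objects.
AUTH_TO_FUNCTION = {
    ("LEGACY", "VEND_MAINT"): "Maintain vendor master data",
    ("FIN", "VEND_MAINT"): "Maintain vendor master data",
    ("FIN", "PAY_RUN"): "Initiate payment to vendor",
    ("INV", "PO_CREATE"): "Create purchase order",
    ("INV", "GR_POST"): "Post goods receipt",
}

# Constructed mitigation assignments: (user, risk) -> control ID (placeholder).
MITIGATIONS = {("MAIER", "R02"): "CTRL-PLACEHOLDER"}


def functions_of(auths):
    """Collapse authorizations from all systems into the business functions they grant."""
    return {AUTH_TO_FUNCTION[a] for a in auths if a in AUTH_TO_FUNCTION}


def analyze(auths):
    """Return sorted risk IDs whose two functions are both reachable from these authorizations."""
    funcs = functions_of(auths)
    return sorted(rid for rid, (f1, f2) in SOD_RULES.items() if f1 in funcs and f2 in funcs)


def simulate(user, actual, requested):
    """Compare PLAN (actual + requested) with ACTUAL and classify the resulting risks."""
    before = set(analyze(actual))
    after = set(analyze(set(actual) | set(requested)))
    new = after - before
    return {
        "existing": sorted(before),
        "new_mitigated": sorted(r for r in new if (user, r) in MITIGATIONS),
        "new_unmitigated": sorted(r for r in new if (user, r) not in MITIGATIONS),
    }


if __name__ == "__main__":
    # Constructed sample: Maier maintains vendors in the legacy system and
    # creates purchase orders; the request adds a payment run in FIN.
    maier_actual = {("LEGACY", "VEND_MAINT"), ("INV", "PO_CREATE")}
    request = {("FIN", "PAY_RUN"), ("INV", "GR_POST")}
    print(simulate("MAIER", maier_actual, request))
```

The vendor-maintenance right sits in LEGACY and the payment right in FIN, so R01 only appears when both systems are analysed together; R02 is reported separately because a mitigation control is assigned for it.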
SAP GRC Access Control: Risk Analysis and Remediation Functionality
GRC Access Control content covers more than 200 risks.
Risk analysis and remediation functionality:
– Risk analysis, detection and remediation of SoD violations in access control and authorization management
– critical transaction or authorization objects