SAP GRC Access Control Solution
A White Paper on Implementation Methodology
HCL SAP GRC Practice, January 2008
Table of Contents
Executive Summary
Introduction
SOX, SoD and SAP
Functions of SAP GRC Access Control
Implementation Methodology
ANNEXURE 1: Various Aspects
ANNEXURE 2: Role and Responsibilities
ANNEXURE 3: Time Lines
ANNEXURE 4: Challenges
ANNEXURE 5: SAP GRC Business Benefits
Executive Summary

In the era of stringent corporate governance, new regulatory requirements have made tighter internal control a standard of compliance across the globe. All organizations, irrespective of size, are struggling to comply with these regulations and to manage the risk. The cost and effort to establish, maintain and prove compliance demand both money and time that could instead be invested in value addition rather than value protection.

For many organizations the technology solution is to attempt automation using standard office tools such as spreadsheets, which in spite of their low-cost advantage may become part of the problem rather than a compliance solution.

Fortunately, newly available software platforms that have become known as GRC technology can help streamline this automation. This white paper pertains to one of the most accountable control automation tools, SAP GRC Access Control, and details its implementation methodology.
SAP GRC Access Control

"He who cannot obey himself will be commanded. That is the nature of living creatures." - Friedrich Wilhelm Nietzsche

Integrated GRC is an offshoot of SOX and such other compliance regimes existing across industries worldwide.

In itself GRC is not new. Corporate Governance, Risk Management and Compliance as individual issues were the most fundamental concerns of business and its top leaders. What is new is Integrated GRC. It is an approach the organization practices, and the various roles the board, senior management, line management and the rest of the organization play in relation to oversight, strategy, risk management and strategy execution regarding compliance with laws and regulations and internal policies and procedures.

Evolution of Integrated GRC:
• Barings Bank – Nick Leeson's $1.2 Billion loss – Barings forced into bankruptcy. Improper supervision and SoD violations delayed detection.
• Daiwa Bank – Toshihide Iguchi's $1.1 Billion loss and $340 Million fine for unauthorized trades. Management tried to conceal losses by overriding controls and SoD violations.
• Sumitomo Bank – Yasuo Hamanaka's $1.8 Billion copper position losses. Maintained two sets of books for over a decade.
• NatWest U.K. – Kyriacos Papoulis concealed over $100 Million in option losses. Manipulated the books.
• Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom … Société Générale …
Introduction

Sarbanes-Oxley compliance was a result of such scandals. Also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX, it is a controversial United States federal law passed in response to a number of major corporate and accounting scandals. Signed by Congress on July 30, 2002, its overall purpose is to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.

SOX, SoD and SAP

To be SOX (Sarbanes-Oxley Act) compliant, the main issue that arises is SoD (Segregation of Duties) management, i.e. access-related problems in organizations. For this purpose the necessity is an automated approach to implementing the rules and policies of SOX compliance.

SAP is in the process of addressing the various compliance and risk management issues across verticals with the development of automated solutions. One of the solutions they have developed is GRC Access Control, an application that handles sustainable prevention of segregation of duties violations. Implementing the automated Access Control solution enables an organization to fulfill the requirements of SOX compliance without SoD violations of any severity.
Segregation of Duties (SoD)

SAP definition of SoD: A primary internal control intended to prevent or decrease the risk of errors or irregularities by assigning conflicting duties to different personnel.

Segregation of Duties deals with access controls. Access Control ensures that one individual should not have access to two or more incompatible duties. Some examples of incompatible duties are:
• Creating a vendor and initiating payment to him.
• Creating invoices and modifying them.
• Processing inventory and posting payment.
• Receiving checks and writing pay-offs.

Across an enterprise there are various functions, and these functions are performed together by a set of roles/responsibilities. SoD says that this set of roles/responsibilities should be assigned in such a way that, across the enterprise, no individual has end-to-end access rights over any function. Ideally, a single individual must not have authority for creation, modification, review and deletion of any transaction, task or resource. If an individual has access rights for creation and modification, he can create an item and, after getting it reviewed, modify it for fraudulent purposes. Similarly, if an individual has creation and deletion rights, he can create, initiate payment and later delete any transaction logs that could track his activity.

[Figure: end-to-end access versus SoD]

Actual job titles and organizational structure may vary greatly from one organization to another, depending on the size and nature of the business. With the concept of SoD, business-critical duties can be categorized into four types of functions: authorization, custody, record keeping and reconciliation. In a perfect system, no one person should handle more than one type of function.

The roles and responsibilities for a function should be divided in such a way that one person does not have full rights over the function, so that the risk of malicious manipulation of the function is reduced. The more critical the function, the greater and clearer the Segregation of Duties should be.

Segregation of Duties ensures that:
• There are no errors, as SoD ensures a cross-check of roles/responsibilities.
• The risk of fraud is reduced, as fraud would have to involve two or more individuals.
• There is clear separation of roles/responsibilities across the various functions in the organization.

Segregation of Duties must be performed so that it reduces the risk associated with a function/process that could be misused for fraudulent purposes. If proper SoD does not exist in an organization, then:
• Internal access controls are ineffective.
• There is improper use of materials, money, financial assets and resources.
• The estimate of financial condition may be wrong.
• Financial documents produced for audits and review may be incorrect.
Manual Approach for SoD

Traditional approaches for identifying and preventing SoD issues are costly, time-consuming and exhaustive, with scope for errors. In the increased regulatory environment, companies cannot afford to waste time and money hoping that a manual approach will satisfy their audit requirements. Companies now seek a comprehensive, automated approach to help them quickly resolve the SoD challenges without disrupting their business.

SAP Access Control

SAP GRC Access Control delivers a comprehensive, cross-enterprise set of access controls that enables all corporate compliance stakeholders, including business managers, auditors and IT security managers, to collaboratively define and oversee proper SoD enforcement, enterprise role management, compliant provisioning and superuser privilege management.

Functions of SAP GRC Access Control

SAP GRC Access Control includes the Virsa Compliance Calibrator application for SAP, the Virsa Role Expert application for SAP, the Virsa Firefighter application for SAP, and the Virsa Access Enforcer application for SAP. When deployed together, they provide an end-to-end Access Control solution that addresses the following areas:
• Risk detection: SAP applications for Access Control detect even the most obscure access and authorization risks across SAP and non-SAP applications, providing protection against every potential source of risk, including segregation of duties and transaction monitoring.
• Risk remediation and mitigation: These applications for access and authorization control enable fast, efficient remediation and mitigation of access and authorization risks by automating workflows and enabling collaboration among business and technical users.
• Reporting: The applications deliver the comprehensive reports and role-based dashboards businesses need to monitor the performance of compliance initiatives and to take action as needed.
• Risk prevention: Once access and authorization risks have been remediated, only SAP applications for Access Control can prevent new risks from entering a production system. By empowering business users to check for risks in real time and automating user administration, the applications make risk prevention a continuous, proactive process.

Implementation Methodology based on SAP Best Practice

This implementation methodology, when followed step by step, makes access and authorization risk management, and thereby compliance adherence, an integral part of customary organizational activities. The implementation process is based on best practices provided by SAP and extends from the GET CLEAN phase (identify and resolve the access risk issues) to the STAY CLEAN phase (the compliant user provisioning process is channeled into an automated structure).

The implementation process starts with installation and configuration of Compliance Calibrator. In line with the SoD management process, Business Process Owners identify any fraudulent or accidental corruption activity that is subject to access and authorization or SoD risks, and then implement the necessary mitigation controls on them. Next, during implementation of Role Expert, the role designation methodology of the organization is designed through Role Designer. In the Access Enforcer implementation, workflows are defined. Workflows are meant for channeling the different work processes into a structured, transparent and automated form. Finally, Firefighter is implemented, which endows selected users with exceptional rights. So that any risk occurrence can be traced, all activities of users with Firefighter rights are logged and documented.

HCL has come out with an approach and methodology for implementation of the SAP GRC Access Control Suite. This suite embraces four tools:
• Access risk analysis and remediation
• Compliant user provisioning
• Role management
• Privileged user access management

The proposed methodology, which helps in implementing SAP GRC Access Control projects, has six phases:
• Implementation Readiness
• Deploy & Install GRC Access Control Tool Suite
• Risk Analysis and Remediation
• Super User Privilege Management
• Compliance User Provisioning
• Enterprise Role Management

Preparation of Implementation

We recommend that the implementation life cycle of the GRC Access Control Tool include everything from installation and configuration of all four applications to their integration and validation. Preparation includes:
• NetWeaver installation configured and validated, i.e. ready for application installation.
• Resource identification.
• Requirement validation: this includes review and validation of the customer's requirements against product functionality. There should be a brief analysis of the customer's business environment, including an organizational scan and study of their business processes. The BPX, together with the implementation consultant and the BPO, will architect solutions to address requirement gaps.

Deploy & Install GRC Access Control Tool Suite

Once the preparations for implementation are done, we proceed to installation and configuration of the Access Control tools. The Access Control Tool Suite can be downloaded from the SAP Support Portal at SAP Service Marketplace (service.sap.com). You need to log in with your Service Marketplace ID; it will ask for your Customer Number or Installation Number. The SAP GRC Access Control Tool Suite includes the following tools:
• Virsa Compliance Calibrator
• Virsa Access Enforcer
• Virsa Role Expert
• Virsa Firefighter for SAP

Risk Analysis and Remediation

Risk Analysis and Remediation is done by Compliance Calibrator. It provides real-time compliance around the clock and prevents security and control violations before they occur. Once deployed, business managers can analyze real-time data, find hidden issues and help ensure the effectiveness of access and authorization controls across the enterprise. The scope of the process includes the following key areas:
• Identification of critical access and segregation of duties
• Real-time risk assessment
• Simulation and remediation
• Documentation of mitigation controls
• Summary and drill-down reports
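The following is an added example, not HCL's or SAP's code, showing the Risk Analysis and Remediation scope above as working logic: conflicting functions are identified from the roles a user holds, a proposed role assignment is simulated before it is made, a mitigation control is documented against an accepted risk, and a summary with role-level drill-down is produced. The function catalogue, rule ids, role names, transaction codes, users and the mitigation control id MC-017 are all constructed for illustration and are not Compliance Calibrator's rule set.

```python
"""Added example, not HCL's or SAP's code: a minimal SoD risk analysis.
Function names, rule ids, roles, transaction codes, users and the
mitigation control id are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed function catalogue: a business function is the set of
# transactions that grant it (codes only resemble SAP transaction codes).
FUNCTIONS: Dict[str, set] = {
    "VENDOR_MAINT": {"XK01", "XK02"},      # create/change vendor master
    "VENDOR_PAYMENT": {"F110"},            # run payments to vendors
    "INVOICE_CREATE": {"FB60"},            # enter vendor invoice
    "INVOICE_CHANGE": {"FB02"},            # change a posted document
}

# Constructed SoD rules: two conflicting functions plus a risk rating. They
# mirror the incompatible-duty examples given earlier in the paper
# (create vendor + pay vendor, create invoice + modify invoice).
RULES: Dict[str, Tuple[str, str, str]] = {
    "P001": ("VENDOR_MAINT", "VENDOR_PAYMENT", "High"),
    "P002": ("INVOICE_CREATE", "INVOICE_CHANGE", "Medium"),
}

# Constructed roles: role name -> transactions it grants.
ROLES: Dict[str, set] = {
    "Z_AP_CLERK": {"FB60", "XK01"},
    "Z_AP_PAYRUN": {"F110"},
    "Z_AP_INVOICE_CORR": {"FB02"},
}


@dataclass
class Violation:
    user: str
    risk_id: str
    rating: str
    functions: Tuple[str, str]
    roles: Tuple[str, ...]              # drill-down: which roles cause it
    mitigated_by: Optional[str] = None  # documented mitigation control id


def functions_granted(tcodes: set) -> set:
    """Which business functions does this set of transactions grant?"""
    return {f for f, needed in FUNCTIONS.items() if needed & tcodes}


def analyze(user: str, user_roles: List[str], mitigations: Dict) -> List[Violation]:
    """Risk assessment for one user: every rule whose two functions are both granted."""
    tcodes: set = set()
    for r in user_roles:
        tcodes |= ROLES[r]
    have = functions_granted(tcodes)
    found = []
    for risk_id, (f1, f2, rating) in RULES.items():
        if f1 in have and f2 in have:
            conflict_tcodes = FUNCTIONS[f1] | FUNCTIONS[f2]
            roles_involved = tuple(sorted(r for r in user_roles if ROLES[r] & conflict_tcodes))
            found.append(Violation(user, risk_id, rating, (f1, f2), roles_involved,
                                   mitigations.get((user, risk_id))))
    return found


def simulate(user: str, user_roles: List[str], extra_role: str, mitigations: Dict) -> List[Violation]:
    """What-if: only the new risks that assigning extra_role would introduce."""
    before = {v.risk_id for v in analyze(user, user_roles, mitigations)}
    after = analyze(user, list(user_roles) + [extra_role], mitigations)
    return [v for v in after if v.risk_id not in before]


def summary(violations: List[Violation]) -> Dict[Tuple[str, str], int]:
    """Summary report: number of violations per (rating, open|mitigated)."""
    counts: Dict[Tuple[str, str], int] = {}
    for v in violations:
        key = (v.rating, "mitigated" if v.mitigated_by else "open")
        counts[key] = counts.get(key, 0) + 1
    return counts


def run_report() -> Dict:
    """Run the analysis over constructed users and return the findings."""
    users = {"jdoe": ["Z_AP_CLERK", "Z_AP_PAYRUN"], "asmith": ["Z_AP_CLERK"]}
    # Documented mitigation control (constructed id MC-017): an independent
    # review of each payment run covers jdoe's accepted P001 conflict.
    mitigations = {("jdoe", "P001"): "MC-017"}
    all_violations = [v for u, roles in users.items() for v in analyze(u, roles, mitigations)]
    whatif = simulate("asmith", users["asmith"], "Z_AP_INVOICE_CORR", mitigations)
    return {
        "violations": all_violations,
        "summary": summary(all_violations),
        "new_risks_if_asmith_gets_invoice_corr": [v.risk_id for v in whatif],
    }


if __name__ == "__main__":
    for finding in run_report()["violations"]:
        print(finding)
```

The simulation step is the "get clean, stay clean" hinge: asmith is currently clean, and the what-if shows that adding the invoice-correction role would introduce P002, so the request can be refused or routed for a mitigation control before provisioning rather than being cleaned up afterwards.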
Super User Privilege Management

Superuser Privilege Management is done using Firefighter. It is a solution used for emergency situations, for extensive and/or special access, and when there is no time to obtain logins and passwords. Features provided by it:
• Provides superuser access control
• Compliant controls for emergency access
• Users are assigned to specific firefighting IDs with defined authorizations and validity dates
• A separate login is required, as well as documentation of the reason for use
• Can only be used by one user at a time
• Auditable reporting
• Logs actions without turning on SAP logging

Compliant User Provisioning

Compliant User Provisioning is done by Access Enforcer. Access Enforcer enables fully compliant user provisioning throughout the employee life cycle and prevents new SoD violations. Businesses can automate provisioning, test for SoD issues, streamline approvals and reduce the workload for IT staff. The solution performs the following activities:
• Identify SoD issues in real time
• Streamline approvals
• Automate the provisioning workflow
• Provide compliant user provisioning across the enterprise

Enterprise Role Management

Introduction to Role Expert

Role Expert is a role creation and management tool. This SAP GRC Access Control tool is web-enabled and eases the overhead of creating and managing roles in an organization. Apart from creation and management of roles, it also takes care of the risks associated with different roles, Segregation of Duties, generation of the types of reports useful for management and auditors, and mitigation of risks.

Purpose of Role Expert

Role Expert implementation serves the following purposes in an organization:
• Helps implement best practices for good role naming conventions.
• Automates the creation and maintenance of roles.
• Implements best practices for approval workflow automation for roles in the organization.
• Automates the generation of reports of various types to serve management and auditors.
• Performs automatic risk analysis at all levels, and mitigation of risks, before approving or creating the requested role.
• Provides transparency, tracking and monitoring of the creation and implementation of roles.
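The following is an added example, not HCL's or SAP's code, that models the Firefighter controls listed under Super User Privilege Management above: a firefighter ID with a validity period and a fixed set of assigned users, a mandatory documented reason at check-out, exclusive use by one user at a time, an action log kept by the tool itself rather than by system logging, and a report the controller reviews after use. The firefighter ID, owner, controller, users, dates, reasons and logged actions are all constructed for illustration.

```python
"""Added example, not HCL's or SAP's code: a small model of firefighter ID
check-out, exclusive use, action logging and controller review.
IDs, users, dates, reasons and actions are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class FirefighterId:
    ff_id: str
    owner: str             # approves who may use the ID
    controller: str        # reviews the log after each use
    valid_from: datetime
    valid_to: datetime
    assigned_users: Set[str] = field(default_factory=set)
    checked_out_by: Optional[str] = None


@dataclass
class Session:
    ff_id: str
    user: str
    reason: str
    started: datetime
    actions: List[Tuple[datetime, str]] = field(default_factory=list)
    ended: Optional[datetime] = None


class FirefighterLog:
    """Check-out/check-in of firefighter IDs plus the audit trail."""

    def __init__(self) -> None:
        self.sessions: List[Session] = []

    def checkout(self, ff: FirefighterId, user: str, reason: str, now: datetime) -> Session:
        if user not in ff.assigned_users:
            raise PermissionError(f"{user} is not assigned to {ff.ff_id}")
        if not (ff.valid_from <= now <= ff.valid_to):
            raise PermissionError(f"{ff.ff_id} is outside its validity period")
        if not reason.strip():
            raise ValueError("a reason for use must be documented")
        if ff.checked_out_by is not None:
            raise RuntimeError(f"{ff.ff_id} is already in use by {ff.checked_out_by}")
        ff.checked_out_by = user
        session = Session(ff.ff_id, user, reason, now)
        self.sessions.append(session)
        return session

    def record(self, session: Session, action: str, now: datetime) -> None:
        """Every action taken under the firefighter ID is logged by the tool."""
        if session.ended is not None:
            raise RuntimeError("session already closed")
        session.actions.append((now, action))

    def checkin(self, ff: FirefighterId, session: Session, now: datetime) -> None:
        ff.checked_out_by = None
        session.ended = now

    def controller_report(self, ff: FirefighterId) -> List[Dict]:
        """What the controller reviews: one entry per session with its actions."""
        return [{"user": s.user, "reason": s.reason, "started": s.started,
                 "ended": s.ended, "actions": list(s.actions)}
                for s in self.sessions if s.ff_id == ff.ff_id]


def demo() -> Dict:
    """Exercise the controls on constructed data and return the outcomes."""
    ff = FirefighterId("FF_FI_01", owner="fi.owner", controller="fi.controller",
                       valid_from=datetime(2008, 1, 1), valid_to=datetime(2008, 1, 31),
                       assigned_users={"jdoe", "asmith"})
    log = FirefighterLog()
    t0 = datetime(2008, 1, 15, 9, 0)
    s1 = log.checkout(ff, "jdoe", "INC-1042: rerun stuck payment proposal", t0)
    log.record(s1, "F110 payment proposal deleted", t0 + timedelta(minutes=3))
    log.record(s1, "F110 payment run scheduled", t0 + timedelta(minutes=10))
    try:                       # second user while the ID is in use -> refused
        log.checkout(ff, "asmith", "INC-1043: open posting period", t0 + timedelta(minutes=5))
        concurrent_blocked = False
    except RuntimeError:
        concurrent_blocked = True
    log.checkin(ff, s1, t0 + timedelta(minutes=15))
    s2 = log.checkout(ff, "asmith", "INC-1043: open posting period", t0 + timedelta(minutes=20))
    log.checkin(ff, s2, t0 + timedelta(minutes=25))
    try:                       # no documented reason -> refused
        log.checkout(ff, "jdoe", "   ", t0 + timedelta(minutes=30))
        blank_reason_blocked = False
    except ValueError:
        blank_reason_blocked = True
    try:                       # use after valid_to -> refused
        log.checkout(ff, "jdoe", "late request", datetime(2008, 2, 2))
        expired_blocked = False
    except PermissionError:
        expired_blocked = True
    return {"concurrent_blocked": concurrent_blocked, "expired_blocked": expired_blocked,
            "blank_reason_blocked": blank_reason_blocked, "report": log.controller_report(ff)}
```

The point of keeping the log inside the tool is that the controller's evidence does not depend on whether system-level logging was switched on during the emergency; the report lists who held the ID, why, for how long, and each action taken, which is what the Annexure 1 "Owner, Firefighter, and Controller" mapping exists to review.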
ANNEXURE 1: Various Aspects

Step: Implementation Readiness
  Activities Involved: • Hardware/Software requirement analysis • Software Installation • NetWeaver Environment Validation
  Person Involved: Basis/Security Consultant; GRC AC Tool Consultant
  Duration/Days: 17

Step: Deploy & Install GRC Access Control Tool Suite
  Activities Involved: • Software installation as well as certain one-time initial configuration activities
  Person Involved: GRC AC Tool Consultant
  Duration/Days: 15

Step: Risk Analysis and Remediation
  Activities Involved: • Identification of critical access and segregation of duties • Real-time risk assessment • Simulation and remediation • Documentation of mitigation controls • Summary and drill-down reports
  Person Involved: GRC AC Tool Consultant; GRC Business Process Analyst; SOX Domain Consultant
  Duration/Days: 26

Step: Super User Privilege Management
  Activities Involved: The application tracks, monitors, and logs every activity a super user performs with a privileged user ID. • Creation of Firefighter IDs • Assignment of Firefighter roles to applicable User IDs • Mapping Firefighter IDs to Owner, Firefighter, and Controller
  Person Involved: GRC AC Tool Consultant; GRC Business Process Analyst
  Duration/Days: 4

Step: Compliance User Provisioning
  Activities Involved: • Learn about Access Enforcer workflows and their components • Define process stages and approvals • Create test initiators, stages, and paths • Define test users and request types • Test initial workflows • Define escalations and detours • Complete workflow configuration
  Person Involved: GRC AC Tool Consultant; GRC Business Process Analyst
  Duration/Days: 20

Step: Enterprise Role Management
  Activities Involved: • Creation of Role Attributes required for any Role • Creation of Role Generation Methodology • Creation of Naming Conventions for Roles • Creation of Role in Role Expert • Reports in Role Expert
  Person Involved: GRC AC Tool Consultant; GRC Business Process Analyst
  Duration/Days: 15
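The following is an added example, not HCL's or SAP's code, that models the Access Enforcer workflow elements named in the Compliance User Provisioning step above: request types, an initiator that selects the approval path, stages with approvers, a real-time risk check that detours a risky request through a security stage requiring a mitigation control, and escalation of a stage that has sat idle beyond its SLA. The stage names, approvers, request types, role names, conflicting role pair, mitigation id and timings are all constructed for illustration.

```python
"""Added example, not HCL's or SAP's code: a small model of a compliant
user provisioning workflow with initiator, stages, path, detour and
escalation. All names, conflicts and timings are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed conflicting role pair; stands in for the real-time SoD check.
CONFLICTS = [frozenset({"Z_AP_CLERK", "Z_AP_PAYRUN"})]


def risk_check(roles: List[str]) -> List[List[str]]:
    """Return every conflicting pair fully contained in the role list."""
    return [sorted(p) for p in CONFLICTS if p <= set(roles)]


@dataclass(frozen=True)
class Stage:
    name: str
    approver: str
    escalate_to: str      # who may act once the stage is overdue
    sla: timedelta


# Constructed stages.
MANAGER = Stage("MANAGER", "line.manager", "dept.head", timedelta(days=2))
ROLE_OWNER = Stage("ROLE_OWNER", "role.owner", "grc.lead", timedelta(days=2))
SECURITY = Stage("SECURITY", "sec.officer", "ciso", timedelta(days=1))


@dataclass
class Request:
    req_id: str
    request_type: str          # constructed types: NEW_USER, CHANGE_ACCESS
    user: str
    roles_requested: List[str]
    roles_current: List[str]
    path: List[Stage] = field(default_factory=list)
    stage_index: int = 0
    stage_entered: Optional[datetime] = None
    history: List[Tuple[datetime, str, str]] = field(default_factory=list)
    status: str = "OPEN"


def initiate(req: Request, now: datetime) -> Request:
    """Initiator: the request type picks the path; a risk finding adds a detour."""
    req.path = [MANAGER, ROLE_OWNER] if req.request_type == "NEW_USER" else [ROLE_OWNER]
    risks = risk_check(req.roles_current + req.roles_requested)
    if risks:
        req.path.append(SECURITY)    # detour: security signs off with a mitigation
        req.history.append((now, "DETOUR", f"SoD risk {risks}"))
    req.history.append((now, "SUBMIT", req.request_type))
    req.stage_entered = now
    return req


def current_stage(req: Request) -> Stage:
    if req.status != "OPEN":
        raise RuntimeError(f"request {req.req_id} is {req.status}")
    return req.path[req.stage_index]


def pending_approvers(req: Request, now: datetime) -> Set[str]:
    """Who may act now: the stage approver, plus the escalation target once overdue."""
    st = current_stage(req)
    overdue = now - req.stage_entered > st.sla
    return {st.approver} | ({st.escalate_to} if overdue else set())


def approve(req: Request, approver: str, now: datetime, mitigation: Optional[str] = None) -> str:
    st = current_stage(req)
    if approver not in pending_approvers(req, now):
        raise PermissionError(f"{approver} may not approve stage {st.name} now")
    if st == SECURITY and not mitigation:
        raise ValueError("security stage requires a mitigation control id")
    note = f"{st.name} by {approver}" + (f", mitigation {mitigation}" if mitigation else "")
    req.history.append((now, "APPROVE", note))
    req.stage_index += 1
    req.stage_entered = now
    if req.stage_index == len(req.path):
        req.status = "PROVISIONED"   # last stage passed: roles are assigned
    return req.status


def reject(req: Request, approver: str, now: datetime, comment: str) -> str:
    st = current_stage(req)
    if approver not in pending_approvers(req, now):
        raise PermissionError(f"{approver} may not reject stage {st.name} now")
    req.history.append((now, "REJECT", f"{st.name} by {approver}: {comment}"))
    req.status = "REJECTED"
    return req.status


def demo() -> Dict:
    t0 = datetime(2008, 1, 15, 9, 0)
    risky = initiate(Request("REQ-1", "NEW_USER", "jdoe", ["Z_AP_PAYRUN"], ["Z_AP_CLERK"]), t0)
    approve(risky, "line.manager", t0 + timedelta(hours=1))
    # role owner idle for almost four days: the escalation target may act instead
    approve(risky, "grc.lead", t0 + timedelta(days=4))
    try:
        approve(risky, "sec.officer", t0 + timedelta(days=4, hours=1))
        mitigation_enforced = False
    except ValueError:
        mitigation_enforced = True
    approve(risky, "sec.officer", t0 + timedelta(days=4, hours=1), mitigation="MC-017")
    clean = initiate(Request("REQ-2", "CHANGE_ACCESS", "asmith", ["Z_AP_CLERK"], []), t0)
    approve(clean, "role.owner", t0 + timedelta(hours=2))
    return {"risky": risky, "clean": clean, "mitigation_enforced": mitigation_enforced}
```

Two design points worth noting: the risk check runs at initiation, so the approver sees the SoD finding before acting rather than after provisioning; and escalation widens who may act instead of silently auto-approving, so an idle stage never becomes a way around the control.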
ANNEXURE 2: Role and Responsibilities

Role: Basis/Security Consultant
  Number: 1
  Group: HCL GRC
  Responsibility: • Hardware/Software requirement analysis • Software Installation • NetWeaver Environment Validation

Role: GRC AC Tool Consultant
  Number: 2
  Group: HCL GRC
  Responsibility: • Master Data Creation • Configuration of all 4 tools • Integration of all 4 tools • Risk Recognition, Remediation, Mitigation • Rule Building and their Maintenance • Configuration of workflows • Configuration of Role Attributes • Configuration of Role Generation Methodology • Configuration of Naming Conventions • Report Generation

Role: SOX Domain Consultant
  Number: 1
  Group: HCL GRC
  Responsibility: • Risk identification • Creation of Mitigation Controls • Approve or Reject already created Risks and Mitigation Controls • Scenario Analysis and Identification of Format & Content of Reports

Role: GRC Business Process Analyst
  Number: 1
  Group: HCL GRC
  Responsibility: • Risk Analysis and Validation • Designing alternative controls to mitigate SoD issues • Designing workflows for user and role provisioning • Identification of Role Attributes • Identification of Role Generation Methodology • Identification of Naming Conventions • Identification of risk & role owners and approvers

Role: Client Technical Team
  Number: To be decided
  Group: Client
  Responsibility: • Hardware/Software requirement analysis • Software Installation • NetWeaver Environment Validation

Role: Client Business Team
  Number: To be decided
  Group: Client
  Responsibility: • Identifying risk and/or approving controls for monitoring risks • Approving remediation to address user access issues • Approve or reject risks between business areas and approve mitigating controls for risks

Role: Client Project Manager/Coordinator
  Number: To be decided
  Group: Client
  Responsibility: • Managing the implementation project

Role: Client Audit / Internal Control Team
  Number: To be decided
  Group: Client
  Responsibility: • Perform risk assessments on a regular basis to identify new risks, perform periodic testing of rules and mitigating controls; act as a liaison with external auditors
ANNEXURE 3: Time Lines

Implementation Activity: Duration/Days
• Formation of project team*: 2
• Software Installation and Validation*: 5
• Requirement Validation/System and User Landscape Study/Master Data Creation*: 10
• Implementation Readiness: 17
• Compliance Calibrator Configuration and Implementation: 26
• Firefighter Configuration and Implementation: 4
• Role Expert Configuration and Implementation: 15
• Access Enforcer Configuration and Implementation: 20
• Roll-Out/Deployment/Go-Live: 10

Note: * These activities are performed simultaneously. The total implementation time is 56 calendar days.
ANNEXURE 4: Challenges

Challenge: Real-time alert generation and notification through mail
Solution: Alert generation and its notification through e-mail was configured not only for mitigating controls but also for risk execution and critical transaction execution.

Challenge: Setting up organizational rules and running risk analysis based on these rules
Solution: Compliance Calibrator provides a supplemental table to address organizational restrictions without having to change and maintain the entire rules database. These restrictions were configured as organizational rules.

Challenge: Integrating workflows in Compliance Calibrator for various processes
Solution: Various processes of Compliance Calibrator can be automated and structured through workflows, which are created and executed through Access Enforcer. The path for connecting Compliance Calibrator to the workflows is entered in the Workflow Service URL.

Challenge: Efficient handling of false positives
Solution: Rule building is done at the authorization object level to prevent false positives of SoD violations.

Challenge: Designing user-provisioning workflows and proper initiators to trigger them
Solution: User provisioning workflows are created and configured through Access Enforcer.

Challenge: Cross-application implementation
Solution: The system includes rules at both the transaction and object level that address the SAP applications for APO, Basis, CRM, EBP, SRM, FI/CO, HR/Payroll, Procure to Pay, MM/QM, Order to Cash, and Portals.

Challenge: Cross-system implementation
Solution: The Virsa Compliance Calibrator "out-of-the-box" rule set includes transaction objects and value combinations analyzing some 120,000 possible combinations of potential risk for access rights. These cover SAP: 20,000, Oracle: 20,000, PeopleSoft: 3,800, JDE: 151.

Challenge: Cross-geo implementation
Solution: A centralized monitoring system is provided by connecting the various systems across geographies.
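The following is an added example, not HCL's or SAP's code, illustrating the "Efficient handling of false positives" row above: the same vendor-maintenance/payment conflict is written once as a transaction-level rule and once as an authorization-object-level rule, and a display-only role that happens to carry a maintenance transaction in its menu is flagged by the first but correctly cleared by the second. Role names, transaction codes and the object names OBJ_VENDOR and OBJ_PAYMENT are constructed; only the field name ACTVT and its values 01 (create), 02 (change) and 03 (display) follow real SAP conventions.

```python
"""Added example, not HCL's or SAP's code: transaction-level versus
authorization-object-level SoD rules and the false positive the latter
removes. Roles, transaction codes and object names are constructed."""
from typing import Dict, List, Set, Tuple

AuthKey = Tuple[str, str]   # (authorization object, field)

# Constructed roles: transactions started plus object values granted.
ROLES: Dict[str, Dict] = {
    # Display-only role: XK02 sits in the menu, but the vendor object only
    # allows display (03), so the holder cannot actually change a vendor.
    "Z_VENDOR_DISPLAY": {"tcodes": {"XK03", "XK02"},
                         "auths": {("OBJ_VENDOR", "ACTVT"): {"03"}}},
    "Z_VENDOR_MAINT": {"tcodes": {"XK01", "XK02"},
                       "auths": {("OBJ_VENDOR", "ACTVT"): {"01", "02", "03"}}},
    "Z_PAYMENT_RUN": {"tcodes": {"F110"},
                      "auths": {("OBJ_PAYMENT", "ACTVT"): {"01", "02", "03"}}},
}

# Rule at transaction level: any transaction of each function is enough.
TCODE_RULE = {"id": "P001-T", "functions": [{"XK01", "XK02"}, {"F110"}]}

# Rule at object level: the transaction AND a changing activity value on
# the object behind it are both required for the function to count.
OBJECT_RULE = {
    "id": "P001-O",
    "functions": [
        {"tcodes": {"XK01", "XK02"}, "requires": {("OBJ_VENDOR", "ACTVT"): {"01", "02"}}},
        {"tcodes": {"F110"}, "requires": {("OBJ_PAYMENT", "ACTVT"): {"01", "02"}}},
    ],
}


def user_access(role_names: List[str]) -> Dict:
    """Merge the transactions and object values of all roles a user holds."""
    tcodes: Set[str] = set()
    auths: Dict[AuthKey, Set[str]] = {}
    for name in role_names:
        tcodes |= ROLES[name]["tcodes"]
        for key, values in ROLES[name]["auths"].items():
            auths.setdefault(key, set()).update(values)
    return {"tcodes": tcodes, "auths": auths}


def tcode_rule_hit(access: Dict, rule: Dict) -> bool:
    return all(access["tcodes"] & f for f in rule["functions"])


def object_rule_hit(access: Dict, rule: Dict) -> bool:
    def has_function(func: Dict) -> bool:
        if not access["tcodes"] & func["tcodes"]:
            return False
        return all(access["auths"].get(key, set()) & values
                   for key, values in func["requires"].items())
    return all(has_function(f) for f in rule["functions"])


def evaluate(role_names: List[str]) -> Dict[str, bool]:
    """Evaluate both formulations of the rule for one user's roles."""
    access = user_access(role_names)
    return {"tcode_rule": tcode_rule_hit(access, TCODE_RULE),
            "object_rule": object_rule_hit(access, OBJECT_RULE)}


def false_positives(users: Dict[str, List[str]]) -> List[str]:
    """Users the transaction-level rule flags but the object-level rule clears."""
    return [u for u, roles in users.items()
            if evaluate(roles)["tcode_rule"] and not evaluate(roles)["object_rule"]]
```

The object-level rule is stricter in the right direction: it still flags the user who holds both real maintenance and payment authority, while the display-only user drops out of the violation list, so reviewers spend their time on conflicts that can actually be exercised.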
ANNEXURE 5: SAP GRC Business Benefits

SAP helps organizations build an integrated GRC approach step by step. SAP solutions for governance, risk, and compliance help you leverage your SAP and non-SAP IT investments, and deliver the following business benefits:
• Increased shareholder value – Good corporate governance is reflected in many intangibles, including brand and reputation – and it translates directly into share price premiums.
• Optimized risk/return portfolios – Greater transparency and insight enable your decision makers to select or reject projects based on risk impact and probability relative to potential return.
• Reduced GRC costs – Integrated corporate governance significantly reduces the number of people – and the time – required to ensure and manage compliance and risk management.
• Improved business performance and predictability – SAP solutions for governance, risk, and compliance deliver enterprise-wide transparency, a systematic process for anticipating risks, and the tools to proactively determine proper actions.
• Business sustainability – Using solutions delivered through automation, analytics, and alerts, businesses can more effectively mitigate risks stemming from myriad legislations.

Assumptions for the Duration/Days in the Annexures:
1. The minimum NetWeaver support pack is already installed and validated on the identified systems.
2. All database and memory requirements for installation of the Access Control tools are met.
3. Hardware and memory sizing is already performed.
4. The organization already possesses the license for all required Access Control tools.
5. Person effort and time will keep reducing in subsequent implementations in different geographies.
6. The company will subsequently address compliance management issues across different locations.