SAP GRC Risk Identification And Remediation


SAP Best Practices
SAP GRC Risk Identification and Remediation
September 26, 2007
English

SAP GRC Risk Identification and Remediation
Business Scenario Script for Discovery System version 3

SAP AG
Neurottstr. 16
69190 Walldorf
Germany

Contents
Introduction ........................................................ 3
Statistical Overview ................................................ 3
Initial Segregation of Duties Clean-up Process (Get Clean) .......... 6
Prevention through Simulation ...................................... 10
Stay Clean – Prepare for an Audit .................................. 12
Overview Mitigation Controls ....................................... 14
Create Controls .................................................... 14
Executive-Level View ............................................... 17

SAP AG Page 2 of 17

Introduction

SAP GRC Access Control delivers a comprehensive, cross-enterprise set of access controls that enables all corporate compliance stakeholders – including business managers, auditors, and IT security managers – to collaboratively define and oversee proper Segregation of Duties (SoD) enforcement. SoD can be quite challenging to achieve in a small operation, as it is not always possible to have enough staff to properly segregate duties. In those cases, management needs to take a more active role to achieve separation of duties, by reviewing the transactions performed by other users, or by using other Mitigation Controls.

Risk Identification and Remediation (formerly known as Compliance Calibrator) software helps automate all SoD-related activities. Risk Identification and Remediation detects even the most obscure access and authorization risks across SAP and non-SAP applications, providing protection against every potential source of risk, including segregation of duties and transaction monitoring. These applications for access and authorization control enable fast, efficient remediation and mitigation of access and authorization risks by automating workflows and enabling collaboration among business and technical users. Risk Identification and Remediation provides the ability to perform several major functions.

Statistical Overview

By logging in to SAP GRC Access Control as an Internal Auditor or Chief Compliance Officer, you can look at the overall risk across the entire organization, ensure compliance, and prepare for an external audit.

1. Log into the Compliance Calibrator demo: ispatcher/virsa/ccappcomp/ComplianceCalibrator
   USER: Mbond
   PASSWORD: sarbanes1

2. Select the Informer Tab (should be the default view on logon).
3. Select Risk Violations (left hand table).
4. Select "PR" (Business Risks) on the Dashboard under the bar graph.
   Note: These are all the Procure to Pay risks found in the SAP system.
5. Click on "no. of violations" to display the users for the P001 risk (7,730). These are the users who are in violation of this risk.
6. Select the [icon] to go back to the "SOD Violations by Process Procure to Pay" screen.
7. Click on "P001" to see the Risk Description.
   It is easy for business users to define new rules by just combining 2 conflicting functions, and Compliance Calibrator adds all the appropriate transactions and authorization objects.
8. Select "AP02: AP02 - Process Vendor Invoices".
9. The Function Information screen appears.
   NOTE: Compliance Calibrator automatically knows which SAP actions and permissions or "authorization objects" are parts of this function. There are 28 different transactions in SAP to Process Vendor Invoices and another 185 authorization object values – all come pre-configured out of the box.
10. Select the [icon] to go back.
11. Select "PR01: PR01 - Vendor Master Maintenance".
12. Select the "Permissions" tab.
13. Open an action (FK01).
14. Open an Auth Object to show field values.
    Note: Compliance Calibrator has an out-of-the-box library of 100,000 different authorization object combinations in SAP that can cause risk – this best practices database gets you up and running quickly. Because these authorization objects come pre-configured, customers tell us this can save up to 400 hours of time during implementation.
15. Select Log off.

Initial Segregation of Duties Clean-up Process (Get Clean)

When an organization applies enterprise-wide segregation of duties rules for the first time, there is usually an initial "clean-up" project required.

Through the central risk analysis and remediation capability of SAP GRC Access Control (formerly known as "Virsa Compliance Calibrator"), internal audit can not only review the current status of this project, but also help business owner teams to work through their remediation issues.

Business owners like Fox Wilson can be given complete reports of deficiencies. They can drill down to a specific system and to specifically what role is causing the violation. Now Fox Wilson can tackle, for example, the risks of one of his direct reports, Brent Bailo. He can work on Brent's risks one at a time and resolve them.

Compliance Calibrator can even find transactions embedded in custom code or user exits – ONLY a real-time solution inside SAP can perform this type of risk analysis.

1. Log into the Compliance Calibrator demo.
   USER: Fwilson
   PASSWORD: sarbanes1
2. Select the Informer Tab (should be the default view on logon).
3. Select Risk Analysis, then "User Level".
4. Enter User: BBAILO
5. Select Report Type: Permission Level
6. Select Report Format: Detail
7. Click "Execute".
8. Click Risk Description ID F00500M01 text "Maintain bank account and post a payment from it."

Mitigate the Risk

9. The risk "F00500M: Maintain bank account and post a payment from it" already has Mitigate selected.
10. Click Continue.
    NOTE: Choose an appropriate mitigating control from the approved mitigation list. It is important to have "control" around mitigations to make sure they are meaningful.
    This is a very important step and not available in other solutions. When your auditor arrives 6 months down the road and sees that Brent Bailo has SoD risk in his authorizations, they will notice that you have assigned a mitigating control – in addition they will see that you have even documented that control – GREAT, better than most companies. Now the mitigating control suggests that the Corporate Accountant will run a report on a weekly basis – the auditor will ask, "Can you prove to me that this report was actually run and reviewed?" The "mitigation monitor" is an individual who will get an e-mail if the payment detail report is not run on a weekly basis, and they will follow up with the Corporate Accountant to help ensure control effectiveness.
11. Search for Mitigation Control.
12. Select Mitigation Control: FI 002790

13. Enter Control Valid to: (current date)
14. Select a Monitor ID: HASSELT
15. Save.

Remediation through "Access Removal"

16. Select "Remove Access from the User" (vs. Mitigate the Risk, which was the default).
17. Click "Continue".
    NOTE: If this user had been running transactions, from here you can see exactly how many times the user has performed the transaction since the time the user got access to the system.
    Many users do not even know they have access. SAP GRC Access Control allows business users to collaborate with technical users on risk resolution. The business user is the correct person to make the risk tradeoff of whether BBAILO should have this access or not, BUT they are probably not the right person to decide to remove this transaction from the role (which will affect other users); this is a technical tradeoff. SAP GRC Access Control sends a workflow ticket off to a technical user to implement the remediation.
18. Click "Cancel".

Delimit access for the user

Delimit will allow you to specify a certain time period during which the user's access will remain before the workflow ticket is sent off for resolution.

19. Select "delimit access for the user".
20. Click Continue.
21. Enter a comment: "Please investigate removing role from Brent or transaction from the role".
22. Click Cancel.
23. Click "User Level" (left hand table).

Prevention through Simulation

If Fox needs to make any changes to the privileges granted to any of his users, he can see the implications before he makes any changes.

Fox can simulate those changes BEFORE implementing them in production. The simulation can take place at the user level, role level or position.

For example, Fox Wilson can check what will happen if he grants Brent Bailo additional access rights.

1. Select the following fields:
   Field    Value
   System   ERP-Discovery
   User     BBAILO
2. Select "Simulation".
3. Set "Type": Role
4. Click "Value": Drilldown

5. Enter "VS::FI VM*" in Role.
6. Click Search.
7. Select the Role (enter Select).
8. Set "Risks from Simulation Only" to Yes.
9. Click "Simulate".
   Note: By performing simulation we are implementing a PREVENTIVE control that avoids risk before it is introduced into the production environment.
10. Click the Details icon (on the upper right hand corner) to see which roles the conflicts come from.
11. Log off Fox Wilson.
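The two ideas the script relies on, rules built from conflicting functions whose actions carry authorization object values (Statistical Overview, steps 7 to 14) and a simulation that shows the risks a role grant would introduce before it happens (this section), fit in a few dozen lines. The following is an added Python example, not code from the SAP script or product. The function and risk ids AP02, PR01 and P001 and the transaction FK01 are taken from the script; the risk text, which transactions and authorization objects make up each function, the Z_* roles, and the user's role assignment are constructed for illustration.

```python
"""Minimal segregation-of-duties engine shaped like the rule structure the
script describes: a function is a set of actions (transactions) plus the
permissions (authorization object field values) needed to really use them,
a risk is a combination of conflicting functions, and a user holds a
function only if one of his roles grants both action and permission.
Added example, not SAP code; rule details and roles are constructed."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Permission:
    obj: str       # authorization object name
    fields: tuple  # ((field, required value), ...)


@dataclass
class Function:
    fid: str
    name: str
    actions: dict  # transaction -> tuple of Permission required alongside it


@dataclass
class Risk:
    rid: str
    description: str
    functions: tuple  # conflicting function ids; the risk exists when all are held


@dataclass
class Role:
    name: str
    actions: frozenset  # transactions the role can start
    auths: dict         # obj -> list of {field: granted value, '*' allowed}


def role_grants(role, action, perms, level):
    """Action level: the role only needs the transaction. Permission level
    (the script's 'Report Type: Permission Level'): every required field
    value must also be covered by one of the role's authorizations."""
    if action not in role.actions:
        return False
    if level == "action":
        return True
    for p in perms:
        granted = role.auths.get(p.obj, [])
        if not any(all(fnmatchcase(value, g.get(fld, "")) for fld, value in p.fields)
                   for g in granted):
            return False
    return True


def functions_held(roles, functions, level):
    """function id -> {action: [roles that grant it]}"""
    held = {}
    for fn in functions:
        for action, perms in fn.actions.items():
            via = sorted(r.name for r in roles if role_grants(r, action, perms, level))
            if via:
                held.setdefault(fn.fid, {})[action] = via
    return held


def analyze(roles, functions, risks, level="permission"):
    """Violations for one user: [(risk id, {function id: {action: roles}})].
    The inner mapping is what the Details icon shows: where conflicts come from."""
    held = functions_held(roles, functions, level)
    return [(risk.rid, {fid: held[fid] for fid in risk.functions})
            for risk in risks if all(fid in held for fid in risk.functions)]


def simulate(current_roles, added_roles, functions, risks, new_only=True):
    """Preventive check before a role is granted. new_only mirrors
    'Risks from Simulation Only': report just the risks the change introduces."""
    before = {rid for rid, _ in analyze(current_roles, functions, risks)}
    after = analyze(list(current_roles) + list(added_roles), functions, risks)
    return [v for v in after if not (new_only and v[0] in before)]


# Constructed rule set: ids from the script, transaction/object mapping assumed.
FUNCTIONS = [
    Function("AP02", "Process Vendor Invoices", {
        "FB60": (Permission("F_BKPF_BUK", (("ACTVT", "01"), ("BUKRS", "1000"))),),
    }),
    Function("PR01", "Vendor Master Maintenance", {
        "FK01": (Permission("F_LFA1_APP", (("ACTVT", "01"),)),),
    }),
]
RISKS = [Risk("P001", "Maintain vendor master and post invoices (constructed text)",
              ("PR01", "AP02"))]

# Constructed roles: the display role has FK01 in its menu but only display
# activity, the classic false positive an action-level analysis would raise.
ROLES = {
    "Z_AP_CLERK": Role("Z_AP_CLERK", frozenset({"FB60"}),
                       {"F_BKPF_BUK": [{"ACTVT": "01", "BUKRS": "1000"}]}),
    "Z_VENDOR_DISPLAY": Role("Z_VENDOR_DISPLAY", frozenset({"FK01", "FK03"}),
                             {"F_LFA1_APP": [{"ACTVT": "03"}]}),
    "Z_VENDOR_MASTER": Role("Z_VENDOR_MASTER", frozenset({"FK01"}),
                            {"F_LFA1_APP": [{"ACTVT": "*"}]}),
}
BBAILO_ROLES = [ROLES["Z_AP_CLERK"], ROLES["Z_VENDOR_DISPLAY"]]

if __name__ == "__main__":
    print("permission level:", analyze(BBAILO_ROLES, FUNCTIONS, RISKS))
    print("action level:", analyze(BBAILO_ROLES, FUNCTIONS, RISKS, level="action"))
    print("after adding Z_VENDOR_MASTER:",
          simulate(BBAILO_ROLES, [ROLES["Z_VENDOR_MASTER"]], FUNCTIONS, RISKS))
```

Run as a script it reports no P001 violation for the constructed user at permission level, one at action level (the display-only FK01 role), and one new P001 violation when Z_VENDOR_MASTER is simulated, with the two roles the conflict comes from. The difference between the first two results is why the script selects Permission Level as the report type: an action-level analysis flags everyone with the transaction in a role menu, a permission-level one only those who can actually perform the change.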

Stay Clean – Prepare for an Audit

After the initial clean-up, and going forward at regular intervals (quarterly, semi-annually or at least annually), internal audit needs to get ready for an external audit.

12. Log into the Compliance Calibrator demo.
    USER: mbond
    PASSWORD: sarbanes1
13. Select "Risk Analysis".
14. Click "User Level".
15. Narrow the review down to:
    Field              Value
    System             ERP-Discovery
    User Group         SUPER
    Risks by Process   Finance
    Risk Level         High
16. Click "Execute" to see what
    NOTE: The execution will take some time.
17. Save this query by clicking "Save Variant".
18. Enter "SUPER in SAP - xx", where xx is your initials.

19. Select "User Level".
20. Select "Search Variant".
21. Select the variant you just created. Notice the settings you created are now defaulted.
22. Select the "Mitigation" tab (found on the top of the page).

Overview Mitigation Controls

1. Use the Pie Chart and review the Mitigation controls defined.
2. Use the Graph and review the mitigation controls for each of the controls by process.
3. Log off Maria Bond.

Create Controls

Previously we had shown how Fox had assigned mitigating control "XXX" with control monitor JMurphy to mitigate a high risk that Brent Bailo had. In order for Fox to select a mitigating control, he previously had to create appropriate controls for his area of responsibility.

Let's take a quick look at how Fox has created the mitigating control.

1. Log into the Compliance Calibrator demo.
   USER: Fwilson
   PASSWORD: sarbanes1
2. Select the "Mitigation" tab.
3. Click "Mitigation Controls".
4. Click "Create".
5. Set Mitigation Control ID: FI 0009
6. Enter the Description: Reports "Display Critical Vendor Changes" (S_ALR_87010040) and "Vendor List" (S_ALR_87010036) are reviewed by the Master Data Manager.
7. Set Business Unit: CORP FINANCE
8. Set Management Approval: MBOND
9. Click the plus sign to add a risk.
10. Select the [icon].
11. Search for P001.
12. Select P001.

13. Select the "Monitors" tab.
14. Select the plus sign to add a monitor ID.
15. Set Monitor ID: "APPROCESS"
16. Click the plus sign to add another monitor ID.
17. Set Monitor ID: "JMURPHY"
18. Select the "Reports" tab.

19. Click the plus sign to add a report.
20. Set System: ERP - Discovery
21. Set Action: S_ALR_87010040
22. Set Monitor: JMURPHY
23. Set Frequency to "1".
24. Click the plus sign to add another report.
25. Set System: ERP - Discovery
26. Set Action: S_ALR_87010036
27. Set Monitor: JMURPHY
28. Set Frequency to "1".
29. Click "Save".
30. Log off Fox Wilson.

Let's take a quick look at the Mitigation Control that Fox had created.

31. Log into the Compliance Calibrator demo.
    USER: Fwilson
    PASSWORD: sarbanes1
32. Select the "Mitigation" tab.
33. Click "Mitigation Controls".
34. Click "Search".
35. Set Mitigation Control ID: FI 0009
    Fox can now verify that the mitigation control was created.
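A mitigating control like FI 0009 only counts for an auditor while it is valid and its reports are actually being run, which is what the "mitigation monitor" described in the Mitigate the Risk section is there to check. The following added Python example, not code from the SAP script or product, models the control as created in steps 5 to 28 (id, description, the two S_ALR reports with monitor JMURPHY and frequency 1) and checks it against an execution log. The log entries, the validity date, and the reading of frequency "1" as once a week (the script's narrative speaks of a weekly report) are assumptions.

```python
"""Effectiveness check for a mitigating control of the kind the script
creates: the control lists reports, each with a monitor and a frequency, and
the monitor is told when a report has not been run on time. Added example,
not SAP code; the log, the validity date and the reading of frequency "1"
as weekly are assumptions."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta


@dataclass(frozen=True)
class ReportCheck:
    system: str
    action: str           # report transaction that must be executed
    monitor: str          # user who is notified when it is overdue
    frequency_weeks: int  # assumed unit for the script's frequency "1"


@dataclass(frozen=True)
class MitigationControl:
    cid: str
    description: str
    valid_to: date        # the script's "Control Valid to"
    reports: tuple


def last_run(log, system, action, now):
    """Most recent execution of `action` in `system` at or before `now`, else None.
    Runs in another system do not count: the report is defined per system."""
    runs = [ts for sys, act, _user, ts in log
            if sys == system and act == action and ts <= now]
    return max(runs) if runs else None


def overdue_reports(control, log, now):
    """[(action, monitor, last run or None)] for every report not executed
    within its frequency window. Each entry is one e-mail to the monitor."""
    alerts = []
    for rc in control.reports:
        ts = last_run(log, rc.system, rc.action, now)
        if ts is None or now - ts > timedelta(weeks=rc.frequency_weeks):
            alerts.append((rc.action, rc.monitor, ts))
    return alerts


def control_effective(control, log, now):
    """A control only mitigates a risk while it is still valid and all of its
    reports are being run on schedule; that is the evidence an auditor asks for."""
    return control.valid_to >= now.date() and not overdue_reports(control, log, now)


# Control FI 0009 as the script defines it; the validity date is assumed.
FI_0009 = MitigationControl(
    "FI 0009",
    'Reports "Display Critical Vendor Changes" (S_ALR_87010040) and "Vendor List" '
    '(S_ALR_87010036) are reviewed by the Master Data Manager.',
    date(2007, 12, 31),
    (ReportCheck("ERP-Discovery", "S_ALR_87010040", "JMURPHY", 1),
     ReportCheck("ERP-Discovery", "S_ALR_87010036", "JMURPHY", 1)),
)

# Constructed execution log: (system, transaction, user, timestamp).
# The third entry ran in a different system and must not satisfy the control.
EXEC_LOG = [
    ("ERP-Discovery", "S_ALR_87010040", "APPROCESS", datetime(2007, 9, 27, 9, 15)),
    ("ERP-Discovery", "S_ALR_87010036", "APPROCESS", datetime(2007, 9, 10, 8, 0)),
    ("ERP-Other", "S_ALR_87010036", "APPROCESS", datetime(2007, 9, 30, 8, 0)),
]
NOW = datetime(2007, 10, 1, 12, 0)

if __name__ == "__main__":
    for action, monitor, ts in overdue_reports(FI_0009, EXEC_LOG, NOW):
        print(f"to {monitor}: {action} overdue for {FI_0009.cid}, last run {ts}")
    print("control effective:", control_effective(FI_0009, EXEC_LOG, NOW))
```

With the constructed log the vendor list report S_ALR_87010036 was last run three weeks before the check date in ERP-Discovery, so the monitor JMURPHY gets one notification and the control is reported as not effective; adding a run inside the window makes it effective again, and a check date past "Control Valid to" makes it ineffective regardless of the reports.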

Executive-Level View

Executive Progress Tracking – interaction with management.

If not already logged on, log on as Fox Wilson.

36. Log into the Compliance Calibrator demo.
    USER: Fwilson
    PASSWORD: sarbanes1
37. Select the "Informer" tab.
38. Click "Management View".

