Enabling access management with SAP GRC
Turning risk into results
What we are seeing in the market
Primarily driven by the Sarbanes-Oxley Act of 2002, the last 10 years have seen a considerable increase in efforts around resolving audit issues associated with segregation of duties (SoD) and sensitive and excessive access. As a result, many companies implemented GRC access management solutions such as SAP GRC Access Control. However, many of these companies focused on the short-term goal of audit remediation and so did not achieve the full value of a GRC access management solution.
This is the right time to learn about opportunities to transform your access management program. Enabling an SAP GRC Access Control solution can help:
• Lower the cost of access management and related audit activities through centralization and automation
• Improve sustainability by centralizing and standardizing methodologies, processes and components
• Increase effectiveness of access processes through integration with other SAP GRC modules and focus on critical foundational components such as role design and organizational alignment
What are the opportunities at your company?
Our recent EY global information security survey of more than 1,700 senior information security and IT leaders found that 46% of respondents ranked internal threats as a significant concern. Fully deploying SAP GRC Access Control while focusing on improving access management fundamentals will help address that risk while reducing cost and improving value.
Typical current state → Mature state
• Increasing complexity → Simplified
• Reactive → Proactive
• Consistent failures → Compliant
• Cost pressures → Cost-efficient
• Inconsistent approach → Consistent
• Multiple and manual access management processes → Significant workflow automation in user access processes; integration with SAP GRC Process Control
• Fragmented, manual and ad hoc reporting; limited visibility to risks → Mandatory SoD checks in the request process; dashboard-level reporting on the user access process, firefighter usage logs and real-time SoD reports, analytics and trending
• High instances of access violations → Compliant SAP role design and standardized user access management processes; ability to improve audit activities
• Manual and inconsistent processes lead to higher IT costs; significant impact on business → IT security operational efficiencies via SAP GRC automation and standardization; automation of access provisioning activities
• Inconsistent role design approach across business processes → Globally standard roles across business processes and standard user access management processes for application systems
SAP GRC Access Control can enable your risk agenda
Improve controls and processes
• Better aligned risk coverage, including the identification of stronger, more pervasive controls
• Reduced level of effort associated with performing and testing controls
• Increased control and process efficiencies enabled through automation and continuous monitoring
• Improved control mix that addresses key business risks while driving process efficiencies
Embed risk management
• Comprehensive and continuous risk management and monitoring
• Central management of financial, operational and compliance risks and controls across the organization
Enhance risk strategy
• Improved alignment to the objectives and strategy of the business
• Improved visibility to risks that matter most to the organization
• Proactive identification of risks
• Enhanced decision-making
Optimize risk management functions
• Elimination of duplicate and fragmented risk management activities
• Increased integration and coordination among business, IT and compliance
• Sustainability of risk management process
• Effective top-down and bottom-up reporting
Together, these four areas (enhance risk strategy, embed risk management, optimize risk management functions, improve controls and processes) form the risk agenda for turning risk into results.
Resulting in the following benefits:
• Increased integration and coordination among business, IT and compliance
• Real-time notification of potential access issues based on established business rules
• Sustainability of access management process
• User-friendly reporting
• Reduced audit costs due to a reliable and automated access management environment
• Cost avoidance associated with audit failure
• Efficiencies associated with preparation and analysis of SoD reports
• Reduction in the number of manual controls required to be designed and operated to mitigate access-related issues
• Elimination of redundant and excessive access management procedures
• Streamlined access approval process
• Identification of access anomalies indicating possible fraudulent activities through alerts
• Continuous access control and SoD management and monitoring
• Enhanced visibility to access-related risk exposure at the enterprise level (i.e., cross-application, cross-business process)
• Super-user access management
• Early detection of potential access issues through scenario analysis before performing changes to user and role access
Next steps to improve your risk management landscape
EY SAP GRC Accelerated Analytics Workbench: a tool that presents SoD conflicts in a business-friendly format and helps identify key risks and pain points and determine initial remediation.
SAP role design benchmarking: key metrics enabling an organization to compare its SAP role design against other companies and leading practices.
SAP GRC demo environment: demo environment for all the latest versions of software, including SAP GRC 10.0 for Access Control, Process Control, Risk Management and Global Trade Services.
EY RiskUniverse®: industry-specific risk universes, process-normative models and key business risks linked to application-specific controls that can be used to customize SAP GRC demos.
Page 1 Proprietary & Confidential – not for use or disclosure outside Industrial Client All Rights Reserved – Ernst & Young 2010
DRAFT – FOR DISCUSSION ONLY
Leading practice role design methodology: the four-tier model (and typical number of roles in General Accounting)
• Basic role (1): transactions to which everyone in the organization will have access (i.e., printing functions, export/import functions)
• Departmental role (1-2): transactions to which everyone in the department will have access (i.e., includes display-only roles)
• Functional role (8-12): transactions which represent the execution of the job function (minimum overlap of t-codes between roles)
• Special access role (4-8): transactions restricted to a specific user (i.e., process interface exceptions, mass updates)
Roles are built as parent (template) roles with children/derived roles.
Company A current state: General Accounting roles (and number of “Z:FI” roles)
• General role (1): General User Role (Z:ABC_GENERAL_USER)
• Display role (14): A/R Reporting; A/R Customer Master Displaying; G/L Journal Entry Displaying; Financial Reporting General Display; Display Role (FLB1N); G/L Account Displaying …
• Job/function role (58): A/P Processing; A/P Processing – Additional; A/R Credit Management Override Executing; A/R Credit Management Override Executing without VKM1, VKM2; Invoice IDOC Processing; Invoice IDOC Processing – For Project CC and Plants; Invoice IDOC Processing – For Stable CC and Plants; Post Park Journal Entries; Park Journal Entries – For Project CC and Plants; Park Journal Entries – For Stable CC and Plants…
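The mandatory SoD check in the request process and the pre-change scenario analysis listed among the benefits above, together with the four-tier model's requirement of minimum t-code overlap between functional roles, can be illustrated with a small simulation. The following Python is an added example, not EY's tool or SAP GRC's own rule engine; the role names, rule ids and user assignments are constructed, and the sample t-codes are standard SAP transactions used only to make the rules readable:

```python
"""Scenario analysis for SAP access requests: SoD simulation and role overlap.

Constructed, self-contained example. Role names, rule ids and assignments are
hypothetical; the t-codes are standard SAP transaction codes used here only to
make the sample rules readable.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Role:
    name: str
    tier: str            # "basic", "departmental", "functional" or "special"
    tcodes: frozenset    # transaction codes granted by the role


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    description: str
    func_a: frozenset    # t-codes that realise business function A
    func_b: frozenset    # t-codes that realise business function B


# Constructed role catalogue following the four-tier model described above.
ROLES = {
    "Z:GENERAL_USER": Role("Z:GENERAL_USER", "basic", frozenset({"SP01", "SU3"})),
    "Z:FI_DISPLAY": Role("Z:FI_DISPLAY", "departmental", frozenset({"FBL1N", "FK03"})),
    "Z:AP_PROCESSING": Role("Z:AP_PROCESSING", "functional", frozenset({"FB60", "MIRO", "FBL1N"})),
    "Z:AP_PAYMENTS": Role("Z:AP_PAYMENTS", "functional", frozenset({"F110", "FBL1N"})),
    "Z:VENDOR_MASTER": Role("Z:VENDOR_MASTER", "functional", frozenset({"XK01", "XK02", "FK03"})),
    "Z:MASS_VENDOR_UPDATE": Role("Z:MASS_VENDOR_UPDATE", "special", frozenset({"XK99"})),
}

# Constructed SoD rules: each pairs two business functions that one person
# should not be able to perform end to end.
RULES = [
    SodRule("P2P-01", "Maintain vendor master vs. post vendor invoice",
            frozenset({"XK01", "XK02", "XK99"}), frozenset({"FB60", "MIRO"})),
    SodRule("P2P-02", "Maintain vendor master vs. run payments",
            frozenset({"XK01", "XK02", "XK99"}), frozenset({"F110"})),
    SodRule("P2P-03", "Post vendor invoice vs. run payments",
            frozenset({"FB60", "MIRO"}), frozenset({"F110"})),
]


def effective_tcodes(role_names, roles=ROLES):
    """Union of transaction codes granted by a set of roles."""
    out = set()
    for name in role_names:
        out |= roles[name].tcodes
    return out


def sod_conflicts(tcodes, rules=RULES):
    """Sorted rule ids violated by a user who can execute all of `tcodes`.

    A rule fires when the user holds at least one t-code on each side of it.
    """
    return sorted(r.rule_id for r in rules if (tcodes & r.func_a) and (tcodes & r.func_b))


def simulate_request(current_roles, requested_roles, roles=ROLES, rules=RULES):
    """Scenario analysis: which SoD conflicts would the request introduce?

    Returns (existing_conflicts, new_conflicts). Only the new ones are caused
    by the request; existing ones need a mitigating control either way.
    """
    before = set(sod_conflicts(effective_tcodes(current_roles, roles), rules))
    combined = set(current_roles) | set(requested_roles)
    after = set(sod_conflicts(effective_tcodes(combined, roles), rules))
    return sorted(before), sorted(after - before)


def functional_role_overlap(roles=ROLES, threshold=0.5):
    """Pairs of functional roles whose t-code sets overlap at or above `threshold`.

    Overlap is the Jaccard index of the two t-code sets. The four-tier model
    asks for minimum overlap between functional roles, so high values flag
    candidates for rationalisation.
    """
    functional = [r for r in roles.values() if r.tier == "functional"]
    flagged = []
    for a, b in combinations(functional, 2):
        jaccard = len(a.tcodes & b.tcodes) / len(a.tcodes | b.tcodes)
        if jaccard >= threshold:
            flagged.append((a.name, b.name, round(jaccard, 2)))
    return flagged


if __name__ == "__main__":
    existing, new = simulate_request({"Z:GENERAL_USER", "Z:AP_PROCESSING"}, {"Z:AP_PAYMENTS"})
    print("existing conflicts:", existing)
    print("conflicts introduced by request:", new)
    print("overlapping functional roles:", functional_role_overlap(threshold=0.2))
```

Running the module as a script simulates an A/P clerk requesting the payments role: the clerk has no conflicts today, but the request would introduce rule P2P-03, which is exactly the finding a mandatory SoD check in the request workflow should surface before approval. The overlap report lists functional role pairs sharing t-codes, which is the input a role rationalisation exercise needs.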
Roles should be standardized and rationalized to better align with Industrial Client’s business process design and organizational structure
[Chart: Comparison of SAP roles against initial design and similar organizations. Y-axis: Number of Parent/Template Roles (0 to 160). Categories: Human Resources "HR" roles; Procure to Pay "MM" roles; Order to Cash "SD" roles; Supply Chain "IM/WM/PP" roles; General Accounting "FI/CO/AM/TR" roles. Series: Industrial Client SAP Roles (mapped to job functions document); Industrial Client SAP Roles (not mapped to job functions document); Roles in comparable organizations. Annotations: "Design vs. Actual" SAP Roles Gap; Industrial Client vs. Leading Practice Gap. Plotted values as extracted: 10, 12, 22, 24, 20, 12, 22, 22, 43, 107; 29, 25, 15, 8, 7.]
Rapid SAP access diagnostic provides accelerated current state assessment of your SAP access processes and technology, allowing you to identify realizable value and develop a future state road map to achieve it.
SAP GRC demo facilitates mapping of business requirements to SAP GRC functionality and could be used to develop an initial business case for implementing SAP GRC.
Why EY?
• Global and flexible approach with a focus on SAP GRC
• Knowledgeable team with practical experience in process, risk and technology disciplines
• Industry-specific content and enablers
• Leading-practice assessment diagnostics and leverage models
• Service delivery model design and key performance indicators
Our services
• Rapid GRC technology diagnostic
• GRC technology vendor selection
• GRC technology implementation and assessments
• Risk transformation enabled by GRC technology
EY | Assurance | Tax | Transactions | Advisory
About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
© 2014 EYGM Limited. All Rights Reserved.
EYG/OC/FEA no. XX0000
1403-1222661 EC
ED 0115
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.
ey.com