Rethinking Segregation of Duties: Where Is Your Business Most Exposed?

Erin Hughes, SAP

Upload: sapinsider-events

Post on 07-Aug-2015

TRANSCRIPT

Page 1: Rethinking Segregation of Duties: Where Is Your Business Most Exposed?

Erin Hughes, SAP

Page 2: Agenda

© 2015 SAP SE or an SAP affiliate company. All rights reserved. 1

Agenda

1. The History
2. The Rule Set
3. The Mitigating Controls
4. The Benefits of Automation
5. Q&A

Page 3: First, a look at Segregation of Duties

Segregation of Duties (SoD): A basic internal control that prevents or detects errors and irregularities by assigning to separate individuals the responsibility for initiating and recording transactions and for the custody of assets*

Source: ISACA Glossary Terms

But really, SoD has “always” been an audit consideration and an important component of an internal controls program.

And internal control requirements – including SoD – are not only required for publicly held companies.

Page 4: Risk vs. Cost – The balancing act

Many companies still rely heavily on manual processes to manage SoD

[Chart: how respondents manage SoD. Categories shown: Homegrown, None, Other, ID management system, MS Excel or Word, SAP ERP security reports (SUIM). Values shown: 7%, 8%, 15%, 23%, 37%, 55%]

Source: SAPinsider “Are You Doing Enough to Prevent Access Risk and Fraud?”

Page 5: Automation is key

Gartner estimates that most organizations take one of three approaches:

Manual processes supported by spreadsheets (40% of G2000)

Advantages:
■ No visible budget startup investment
■ Smaller organizations can get away with less rigor
■ Can be cheaper if auditors accept the process as defensible

Disadvantages:
■ Real cost hidden in labor
■ Mostly inefficient processes
■ Always at risk of not passing auditor scrutiny
■ Can be considerably more expensive than other options
■ More prone to human error
■ Not continuous

Automation through commercially supported software (20% of G2000)

Advantages:
■ Can be set up as a continuous process that prevents SoD “creep” throughout the year
■ Most control for businesses to manage SoD risk while minimizing disruption
■ Potentially the most cost-efficient and defensible over the long term

Disadvantages:
■ Substantial startup costs which require budget approval

Consultant-enabled engagements (40% of G2000)

Advantages:
■ Can directly support external auditor approach and expectation
■ Consultants may leave behind software to test and prep for future audits

Disadvantages:
■ Most expensive approach
■ Least control for businesses, resulting in auditors dictating business process changes
■ Dependency on consultants for any policy changes
■ Not continuous

Source: www.gartner.com/doc/2484315/automate-segregation-duties-erp-reduce

Page 6: SAP Access Control – Manage access risk and prevent fraud

• Find and remediate SoD and critical access violations
• Monitor emergency access and transaction usage
• Certify access assignments are still warranted
• Define and maintain roles in business terms
• Automate access assignments across SAP and non-SAP systems

[Diagram; labels visible: SAP_ALL, X, Legacy]

Page 7: SAP Access Control – A little bit of (unofficial) history

April 2006: SAP acquires Virsa
• SAP Virsa Compliance Calibrator (CC)
• SAP Virsa Access Enforcer (AE)
• SAP Virsa Firefighter (FF)
• SAP Virsa Role Expert (RE)

September 2008: SAP changes the Access Control module names with version 5.3
• Risk Analysis and Remediation (RAR)
• Compliant User Provisioning (CUP)
• Superuser Privilege Management (SPM)
• Enterprise Role Management (ERM)

January 2009: SAP officially announces new names for the GRC solutions
• SAP BusinessObjects Access Control (with 4 capabilities: RAR, CUP, SPM, ERM)

June 2011: Access Control 10.0 is released
• No longer 4 capabilities: 1 harmonized solution called SAP BusinessObjects Access Control

April 2012: SAP removes the BusinessObjects branding from the GRC solutions:
• SAP Access Control

Page 8: Or in other words …

Virsa                  | SAP Access Control (until 2011)  | SAP Access Control Today
Compliance Calibrator  | Risk Analysis and Remediation    | Access Risk Analysis
Firefighter            | Superuser Privilege Mgmt.        | Emergency Access Mgmt.
Access Enforcer        | Compliant User Provisioning      | User Access Mgmt.
Role Expert            | Enterprise Role Mgmt.            | Business Role Mgmt.

Virsa | SAP Access Control (until 2011) | SAP Access Control Today
CC    | RAR                             | ARA
FF    | SPM                             | EAM
AE    | CUP                             | UAM
RE    | ERM                             | BRM


Page 10: Implementation and best practice considerations

Rule #1: Don’t cut the design phase short!

This is important whether you’re planning to:
• “Complete the AC suite”
• Upgrade to 10.x
• Leverage advanced SAP Access Control functionality
• Extend SAP Access Control beyond SAP ERP
• Integrate with Identity Management applications

Look for process improvements during the design phase

Question whether the way you’re doing things today is the “best way” or just what you’ve been doing for years

Page 11: Implementation and best practice considerations (cont.)

Do:
• Identify the right internal resources
  • Active executive participation
  • Need a good project manager
  • Need decision makers
  • Need collaboration between all parties
  • Need to know the business processes
  • Employee and company knowledge are essential
• Start when needed; don’t wait for the perfect time, or for future functionality
• Focus on priorities and methodologies
• Focus on high-risk areas, not all risks

Don’t:
• Only contractors assigned to the project
  • Leave with little knowledge transfer
  • Don’t have a relationship with the business
  • Little decision-making authority – do it like we’ve always done it
• Management believes compliance can be achieved in a few weeks or when the project ends

SAP AC: SAP Access Control
IGA: Identity, Governance, and Administration (Gartner)


Page 13: Risk definition is one of the most important tasks in your project

Step 1: Document Access Risks
• Should be done in business language
• Risk statement should clearly state the actions and the negative results that will occur if the undesired access is exploited

Step 2: Classify Access Risks
• Assess the severity of the risk to the organization if exploited
• Assign/review risk ranking (critical, high, medium, low)

Step 3: Identify Risk Owners
• Risks belong to the business; risk owners should be business personnel (not IT!)
• Assign owners to each risk

Step 4: Translate into Technical Risks
• Enlist the help of IT to assist with technical risk definitions
• Remember to include both standard and custom transactions

Step 5: Publish and Deploy Technical Risk Definitions
• Publish risk definitions
• Upload risk definitions into AC and generate rules

Page 14: Best practices for defining risks: Risk definition result

After completing the 5 steps for risk identification, you now have technical risk definitions that have been:
• Defined
• Documented
• Reviewed
• Approved

A risk is a risk is a risk
• It doesn’t matter who has the access
• Reported risks must be remediated by removing access or identifying appropriate controls

When you begin reporting actual risks for remediation, there should be no arguments about which risks are reported

Page 15: Rule set definition is not a one-time activity

Changes happen every day – make sure your rules reflect changes in your environment
• Role changes
• Custom transactions
• New business processes
• Configuration changes

Establish and document a change management process for modifying risks/rules in AC
• It’s critical that your rule change process is formally documented to provide proof to management and auditors that the rules are appropriately controlled

Identify a process for keeping your risks current

Page 16: So, when is the last time you reviewed or updated your rule set?

If you’ve upgraded (or are planning to upgrade) your AC system, was/is a rule set review part of the project?

Have you “gone live” with any new functionality in your ERP system that should be reviewed?

Have you added new systems to your landscape which are applicable for SoD or critical access?

SoD should be reviewed not just within a single system, but from a process perspective (systems shown: HCM, Ariba, T&E, CRM)

Page 17: Key considerations when updating your rule set

Functional
• What was your starting point?
• Did you deactivate any business processes or risks during your initial implementation?
  • Should they still be deactivated?
• What has changed since your last review?
  • New business units
  • New business processes
  • New business process owners
  • SoD vs. sensitive access risks

Technical
• What was your starting point?
• Did you deactivate any t-codes or authorization objects during your initial implementation?
  • Should they still be deactivated?
• What has changed since your last review?
  • New systems in the landscape
  • New authorizations or t-codes in use
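The five-step risk definition on Page 13, the change-management reminder on Page 15 and the rule set review questions on Page 17 describe one cycle: write risks in business language, rank them, give them business owners, translate them into transaction codes, generate rules, then keep checking that the rule set still covers what is in use. The following Python model of that cycle is an added example; it is not SAP Access Control code and not part of the presentation. Every risk id, owner, user, t-code assignment and the set of t-codes "in use" is constructed for illustration, the check that an owner whose first word is "IT" is not a business owner is a crude heuristic, and the Z/Y prefix used to flag custom transactions is an assumption about naming conventions.

```python
from dataclasses import dataclass
from itertools import product

# Rankings from Step 2, ordered so the highest severity sorts first
RANK_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Function:
    name: str          # business function, written in business language
    tcodes: frozenset  # standard and custom t-codes that perform it (Step 4)


@dataclass(frozen=True)
class AccessRisk:
    risk_id: str
    statement: str     # action plus the negative result if exploited (Step 1)
    ranking: str       # critical / high / medium / low (Step 2)
    owner: str         # business risk owner, not IT (Step 3)
    functions: tuple   # conflicting Functions; a single one models critical access


@dataclass(frozen=True)
class Rule:
    risk_id: str
    conflict: tuple    # one t-code per function; a user holding all of them violates


def validate_risk(risk):
    """Review checks before a risk is approved; returns a list of problems."""
    issues = []
    if not risk.statement.strip():
        issues.append("missing risk statement")
    if risk.ranking not in RANK_ORDER:
        issues.append(f"unknown ranking {risk.ranking!r}")
    owner_words = risk.owner.split()
    # Crude heuristic (assumption): an owner whose first word is "IT" is not business
    if not owner_words or owner_words[0] == "IT":
        issues.append("risk owner must be business personnel")
    if any(not f.tcodes for f in risk.functions):
        issues.append("function without technical definition")
    return issues


def generate_rules(risk):
    """Step 5: expand one risk into rules, one per combination of t-codes."""
    return [Rule(risk.risk_id, combo)
            for combo in product(*(sorted(f.tcodes) for f in risk.functions))]


def potential_violations(rules, user_tcodes):
    """A user violates a rule when authorized for every t-code in its conflict."""
    return [r for r in rules if set(r.conflict) <= set(user_tcodes)]


def uncovered_tcodes(risks, tcodes_in_use):
    """Rule set review: t-codes seen in use that no risk definition mentions."""
    covered = set().union(*(f.tcodes for r in risks for f in r.functions))
    return sorted(set(tcodes_in_use) - covered)


def build_report(risks, users, tcodes_in_use):
    """Runs the cycle: rules, per-user violations (highest ranking first), coverage."""
    rules = [rule for r in risks for rule in generate_rules(r)]
    by_id = {r.risk_id: r for r in risks}
    violations = {}
    for user, tcodes in users.items():
        hit_ids = {h.risk_id for h in potential_violations(rules, tcodes)}
        violations[user] = sorted(hit_ids, key=lambda i: (RANK_ORDER[by_id[i].ranking], i))
    uncovered = uncovered_tcodes(risks, tcodes_in_use)
    return {
        "rule_count": len(rules),
        "violations": violations,
        "uncovered_tcodes": uncovered,
        # Assumption: custom transactions are named with a Z or Y prefix
        "uncovered_custom_tcodes": [t for t in uncovered if t[0] in "ZY"],
    }


# Constructed risk definitions; t-code-to-function assignments are illustrative
RISKS = (
    AccessRisk("P2P-001",
               "A user who can maintain vendor master data and issue payments "
               "could create a fictitious vendor and pay it.",
               "critical", "Accounts Payable Manager",
               (Function("Maintain vendor master", frozenset({"FK01", "FK02", "XK01", "XK02"})),
                Function("Process vendor payments", frozenset({"F110", "F-53"})))),
    AccessRisk("P2P-002",
               "A user who can create purchase orders and post goods receipts "
               "could receive goods that were never delivered.",
               "high", "Procurement Director",
               (Function("Create purchase order", frozenset({"ME21N"})),
                Function("Post goods receipt", frozenset({"MIGO"})))),
)

# Constructed user authorizations: the t-codes each user may execute
USERS = {"JDOE": {"FK01", "F110", "ME21N"},
         "ASMITH": {"F110", "ME21N", "MIGO"},
         "BLEE": {"XK02"}}

# Constructed transaction usage: t-codes actually executed in the landscape
TCODES_IN_USE = {"FK01", "F110", "ME21N", "MIGO", "ZVEND01", "SU01"}

if __name__ == "__main__":
    for risk in RISKS:
        print(risk.risk_id, validate_risk(risk) or "ok")
    print(build_report(RISKS, USERS, TCODES_IN_USE))
```

Two design points match the slides. Rules are generated from functions rather than hand-written t-code pairs, so adding a custom transaction to a function (Step 4, Page 15) regenerates every affected rule in one place; and the coverage check turns the Page 17 question "new authorizations or t-codes in use?" into a list a reviewer can act on, with custom transactions called out because they are the ones a delivered rule set cannot know about.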

Page 18: You ran the reports and have 2,546,657 violations. Now what?

Page 19: Big Picture

Being “clean” is a relative term

The segregation of duties rules are the master data that drive the Access Control capability and ultimately are the measure of how clean you are

Like all master data within an ERP system, if it’s incorrect or incomplete, the results will not be accurate, and you may think you’re clean, but you’re not

Page 20: When access violations are found, a decision must be made

Option 1: Modify the user’s access
Option 2: Assign a mitigating control

The following questions should be addressed, but typically aren’t:
1. What is my potential financial exposure as a result of mitigating the risk or modifying the access?
2. How many labor hours will be required to execute the mitigating controls?
3. What are the chances that we will actually find violations – and potentially fraud – through a manual, sample-based approach?

Page 21: Current challenges

• Lack of visibility into bottom-line exposure due to SoD violations
• Manually intensive mitigating control processes
• Identification of issues like searching for a needle in a haystack
• Siloed approach to enterprise access governance

Page 22: Focus mitigating control execution only on actual violations – Process

1. Potential Risk Violation: Users have authorization to perform one or more transactions resulting in SoD violations
2. Risk Violations Through Transaction Usage: Users have accessed one or more transaction codes resulting in SoD violations
3. Risk Violation Without Filtering: Details of all SoD transaction events
4. Exceptions requiring review

Filtering risk data by dollar value and other transaction details can bring thousands of records down to a handful, and many times to zero

Notification only when actual SoD events occur is the most efficient process for business, compliance, and audit

Page 23: Focus mitigating control execution only on actual violations – Example

1. Potential Risk Violation: Users have authorization to maintain vendors and issue payments to those vendors
2. Risk Violations Through Transaction Usage: Users have accessed one or more transaction codes where they maintained a vendor and issued a payment
3. Risk Violation Without Filtering: Users have maintained a vendor and issued a payment over $1,000
4. Exceptions requiring review: Users maintained a vendor and issued a payment over $1,000 to the same vendor

Page 24: SAP Access Violation Management – Manage user access based on business impact

Assess the financial exposure of SoD violations
• Summarize the dollar value of actual SoD violations
• Clearly articulate the financial exposure that broad user access has on the business
• Drive change where the impact exceeds the materiality threshold

Reduce governance costs of enterprise-wide access
• Extend the capabilities of the SAP Access Control application across enterprise systems
• Enable business ownership of access governance and remediation activities

Enable exception-based monitoring
• Automate identification and review of actual SoD violations
• Alert business owners only when exceptions occur, reducing manual control efforts and eliminating false positives
• Use a comprehensive library of automated SoD controls across business processes
• Enjoy centralized tracking, investigation, and resolution of SoD violations

Page 25: Reprioritize your mitigating control efforts – Where is your business most exposed?

Before: Prioritize efforts based on processes with the highest number of SoD issues identified

After: Prioritize efforts based on processes with the highest amount of financial exposure due to executed SoD violations
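The four-stage funnel on Pages 22 and 23 (authorized, actually used, above a dollar threshold, against the same vendor) and the before/after prioritization on Page 25 are concrete enough to run over a log. The Python below is an added example, not SAP Access Violation Management code and not from the presentation. It generalizes the vendor/payment case on Page 23 to any "maintain a master record, then transact against it" risk and runs two of them: the vendor-payment risk from the slide and a customer-master/sales-order risk of the kind described in the oil and gas customer example later in the deck. The $1,000 threshold is the slide's; the risk ids, process names, users, t-code assignments and every event in the log are constructed, and the Risk and Event classes are this example's own.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str
    process: str
    maintain: frozenset  # t-codes that maintain the master record (vendor/customer)
    transact: frozenset  # t-codes that transact against that record


@dataclass(frozen=True)
class Event:
    user: str
    tcode: str
    partner: str    # vendor or customer id the transaction touched
    amount: float   # transaction value; 0.0 for master-data maintenance


REVIEW_THRESHOLD = 1_000.0  # the $1,000 filter from the slide's example


def partners_maintained(risk, events):
    """Which master records each user maintained, for this risk's maintain t-codes."""
    by_user = defaultdict(set)
    for e in events:
        if e.tcode in risk.maintain:
            by_user[e.user].add(e.partner)
    return by_user


def potential_violators(risk, authorizations):
    """Stage 1: users authorized for at least one t-code on each side of the conflict."""
    return sorted(u for u, t in authorizations.items()
                  if t & risk.maintain and t & risk.transact)


def usage_violators(risk, events):
    """Stage 2: users who actually executed both sides of the conflict."""
    maintained = partners_maintained(risk, events)
    transacted = {e.user for e in events if e.tcode in risk.transact}
    return sorted(set(maintained) & transacted)


def unfiltered_violations(risk, events, threshold=REVIEW_THRESHOLD):
    """Stage 3: transactions above the threshold by users who also maintained a record."""
    maintained = partners_maintained(risk, events)
    return [e for e in events
            if e.tcode in risk.transact and e.amount > threshold and e.user in maintained]


def exceptions_for_review(risk, events, threshold=REVIEW_THRESHOLD):
    """Stage 4: the transaction hit the very record the same user maintained."""
    maintained = partners_maintained(risk, events)
    return [e for e in unfiltered_violations(risk, events, threshold)
            if e.partner in maintained[e.user]]


def funnel(risk, authorizations, events, threshold=REVIEW_THRESHOLD):
    """All four stages for one risk, so the shrinking counts can be reported."""
    return {"potential_users": potential_violators(risk, authorizations),
            "usage_users": usage_violators(risk, events),
            "unfiltered_events": len(unfiltered_violations(risk, events, threshold)),
            "exceptions": exceptions_for_review(risk, events, threshold)}


def prioritize(risks, authorizations, events, threshold=REVIEW_THRESHOLD):
    """Before: processes ranked by count of potential issues. After: by executed exposure."""
    by_count, by_exposure = defaultdict(int), defaultdict(float)
    for r in risks:
        f = funnel(r, authorizations, events, threshold)
        by_count[r.process] += len(f["potential_users"])
        by_exposure[r.process] += sum(e.amount for e in f["exceptions"])
    return {"before": sorted(by_count, key=lambda p: -by_count[p]),
            "after": sorted(by_exposure, key=lambda p: -by_exposure[p]),
            "exposure": dict(by_exposure)}


# Constructed risks (t-code assignments illustrative)
RISKS = (Risk("P2P-001", "Procure to Pay", frozenset({"FK01", "FK02", "XK02"}), frozenset({"F110", "F-53"})),
         Risk("O2C-001", "Order to Cash", frozenset({"XD01", "XD02"}), frozenset({"VA01"})))

# Constructed authorizations: t-codes each user may execute
AUTHORIZATIONS = {"JDOE": {"FK01", "F110"}, "ASMITH": {"FK02", "F-53", "XD02", "VA01"},
                  "BLEE": {"F110"}, "CKIM": {"XD01", "VA01"}, "DPATEL": {"XD02", "VA01"}}

# Constructed transaction log
EVENTS = [Event("JDOE", "FK01", "V100", 0.0), Event("JDOE", "F110", "V100", 4_500.0),
          Event("JDOE", "F110", "V200", 800.0),            # below threshold
          Event("ASMITH", "FK02", "V300", 0.0), Event("ASMITH", "F-53", "V400", 2_000.0),  # other vendor
          Event("ASMITH", "XD02", "C100", 0.0), Event("ASMITH", "VA01", "C100", 900.0),   # below threshold
          Event("CKIM", "VA01", "C200", 25_000.0),         # never maintained a customer
          Event("DPATEL", "XD02", "C300", 0.0), Event("DPATEL", "VA01", "C300", 1_200.0),
          Event("BLEE", "F110", "V100", 9_000.0)]           # cannot maintain vendors

if __name__ == "__main__":
    for risk in RISKS:
        print(risk.risk_id, funnel(risk, AUTHORIZATIONS, EVENTS))
    print(prioritize(RISKS, AUTHORIZATIONS, EVENTS))
```

With this log the Procure to Pay risk starts with two potential violators and ends with one exception (JDOE's $4,500 payment to the vendor JDOE maintained), while Order to Cash starts with three potential violators and ends with one $1,200 exception; ranking by count puts Order to Cash first, ranking by executed exposure puts Procure to Pay first, which is the Page 25 reprioritization in miniature. Note that stage 3 deliberately keeps ASMITH's $2,000 payment to a different vendor: it is a real usage violation, just not the same-record case that needs a reviewer's eyes.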

Page 26: Demo

Page 27: Business Owner Notification

Page 28: Access Violation Summary Report by User

Page 29: Access Violations Detail

Page 30: Documentation by Business Reviewer

Page 31: Change Status of Exception to Complete the Review

Page 32: Audit Reporting – Complete Audit Trail

Page 33: Summary Reports

Page 34: SAP Access Violation Management – Customer example 1

Large Global Oil and Gas Customer

Knew it had an SoD issue with users who could maintain customer master data and process sales orders, but did not know the extent of the problem

Paid for a remote engagement in which SAP Access Violation Management identified that over 6 months, 47 users had maintained customer data and processed sales orders for those same customers with a total value of over €150 million

Page 35: SAP Access Violation Management – Customer example 2

Large U.S. Utility Customer

Knew it had an SoD issue with users who could submit purchase orders and enter goods receipts, but believed it was used very rarely and only on an emergency basis

Went live with SAP Access Violation Management and identified that one user violated this risk for over US$2.8 million in a single month

Where the dollar values are this high, accepting the risk and applying a mitigating control may not be enough – change must be driven within the business

Page 36: SAP Access Control Maturity Curve

[Chart: maturity curve running from Reactive to Proactive on one axis and from IT-Owned to Business-Owned on the other]

Page 37: Maximizing the benefits

We’re going to focus on:
1. Know what you own!
2. Leveraging end-to-end automation
3. Looking beyond ERP

Page 38: Knowing what you own might seem like a no-brainer, but …

Virsa                  | SAP Access Control (until 2011)  | SAP Access Control Today
Compliance Calibrator  | Risk Analysis and Remediation    | Access Risk Analysis
Firefighter            | Superuser Privilege Mgmt.        | Emergency Access Mgmt.
Access Enforcer        | Compliant User Provisioning      | User Access Mgmt.
Role Expert            | Enterprise Role Mgmt.            | Business Role Mgmt.

Virsa | SAP Access Control (until 2011) | SAP Access Control Today
CC    | RAR                             | ARA
FF    | SPM                             | EAM
AE    | CUP                             | UAM
RE    | ERM                             | BRM

But there’s more …

Page 39: SAP Access Control has evolved with each version

Virsa name → Corresponding AC 10.x terminology, followed by the functionality gap:

Compliance Calibrator → Access Risk Analysis
• Cross-system analysis
• Permission-level critical access analysis
• Workflow process for approving rule set changes
• Audit log of configuration changes
• Organizational rules
• Support for position-based security

Firefighter → Emergency Access Management
• Workflow process for requesting Firefighter IDs
• Workflow process for provisioning Firefighter IDs
• Workflow process for reviewing Firefighter logs
• Additional logging of Firefighting activities

Access Enforcer → User Access Management
• Flexible workflow configuration
• Automated periodic certification reviews
• Password self-service
• Provisioning to SAP Portal
• SAP Access Approver mobile app
• Support of CUA composite roles

Role Expert → Business Role Management
• Support of business roles
• Support of CUA composite roles
• Automated periodic certification reviews
• Approval workflow for role changes

Enhanced reporting options: SAP Identity Analytics, SAP Fiori Apps, SAP Smart Business

Rapid Deployment Solution

Page 40: End-to-end Automation

Where you can, let SAP Access Control do the work for you
• Automate user access management
  • Leverage simplified access request forms, templates
  • The rules engine is powerful – use it
  • Automate provisioning and deprovisioning wherever possible
• Automate user access reviews
• Automate Firefighter requests, approvals, assignments, and log reviews
• Automate role management activities where possible
  • Approvals
  • What-if simulations
• Automate mitigating controls – look at potential vs. actual SoD risk violations

Page 41: SAP Access Control and SAP Access Violation Management – Comprehensive access governance capabilities

SAP Access Control: Access Risk Analysis, User Access Management, Emergency Access Management, Business Role Management

Real-Time Cross-Enterprise Control: Discovery, Aggregation, Correlation, and Normalization

Accelerated Mitigation: Automated Mitigating Controls, Exception-based notifications, User, Role, and Risk Modeling

Financial Exposure of Access Risk: Bottom-line Dollar Value

Also shown: Reporting, Simulation, Embedded GRC Rules & Analytics, Workflow

Connected systems shown in the diagram: Cloud & SaaS Business Applications; Core SAP; Legacy/Custom Solutions; Other SAP & ERPs

Page 42: While you’re here …

Day | Time | Session | Speaker

Wed | 1:00 pm – 2:15 pm | Case study: How ConocoPhillips conducts user access reviews and monitors transaction usage in SAP GRC 10.0 | Trevor Wyatt, ConocoPhillips

Wed | 4:30 – 5:45 pm | Tools and techniques proven to unify business role management across multiple systems in SAP Access Control 10.x | James Roeske, Customer Advisory Group

Thr | 8:30 am – 9:45 am | Apply existing risk and compliance processes across both SAP and non-SAP systems with SAP Access Violation Management | Susan Stapleton, Greenlight Technologies

Thr | 1:00 pm – 2:15 pm | Choosing the best method for emergency access management (EAM) in SAP Access Control 10.x | Holly Marrs, Protiviti

Thr | 4:30 – 5:45 pm | Case study: How eBay effectively utilizes SAP GRC 10.1 to automate and streamline its periodic user certification process | Sangram Dash, eBay

Fri | 8:30 am – 9:45 am | Case study: How Tyson Foods remediated four million segregation of duties conflicts without changing its overall security design | Patrick Snodgrass, Tyson Foods

Page 43: GRC Conference Highlights

Visit the SAP GRC Solution Center (Montrachet 1) for your 1:1 discussion with an SAP solution expert or for guided tours of new GRC applications: SAP Access Control Fiori Apps and SAP Audit Management

Attend these interactive hands-on sessions:
• Tuesday 2:00 pm – 3:15 pm: Hands-on lab: An introduction to using key features in SAP Access Control 10.1
• Wednesday 1:00 pm – 2:15 pm: Hands-on lab: How to speed up audit processing with SAP Audit Management
• Wednesday 2:45 pm – 4:00 pm: Hands-on lab: An introduction to using key features in SAP Access Control 10.1
• Wednesday 4:30 pm – 5:45 pm: Hands-on lab: A practical guide to using key features in SAP Process Control 10.1
• Thursday 1:00 pm – 2:15 pm: Hands-on lab: A practical guide to using key features in SAP Process Control 10.1
• Thursday 3:00 pm – 4:15 pm: Hands-on lab: How to speed up audit processing with SAP Audit Management

Participate in these Exhibit Hall demos:
• Wednesday 12:15 pm – 12:45 pm: Live demo: How to support the audit management process with the latest SAP technology
• Wednesday 2:30 pm – 3:00 pm: Transform regulatory compliance with SAP Regulation Management by Greenlight
• Wednesday 6:00 pm – 6:30 pm: Live demo: Take your enterprise risk management program further with SAP Risk Management
• Thursday 10:30 am – 11:00 am: Live demo: See how SAP Fraud Management can enable you to detect, investigate, analyze, and prevent fraud by combining analytics with the speed of SAP HANA

Attend the 15 SAP-led general sessions and 8 customer-led case studies

Page 44: Thank you

Contact information:

Erin Hughes

[email protected]

Page 45: Legal notice

© 2015 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

Page 46: Publisher notice

Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026. Copyright © 2015 Wellesley Information Services. All rights reserved.