Audit Within GRC Landscape


Transcript of Audit Within GRC Landscape

Page 1: Audit Within GRC Landscape

An In-Depth Analysis of What to Audit — and How — Within Your GRC Landscape

© 2012 Wellesley Information Services. All rights reserved.

James Roeske, VanRiver Consulting

In This Session …

• Hear the strategies, challenges, and technologies you need to master in order to effectively audit your SAP BusinessObjects GRC environment

• Gain a comprehensive understanding of the key auditable areas within GRC

• Walk through the latest tools and methodologies SAP now makes available to help you streamline your audit process

• Examine what areas auditors and compliance administrators should focus on

• Explore key weaknesses and errors that have been observed in over 160 GRC environments

1

Due to time restrictions and limited customer usage, ERM will not be covered in this presentation


Page 2: Audit Within GRC Landscape

What We’ll Cover …

• Auditing Access Control – What does this mean to me?

• Risk Analysis Remediation (RAR) – Audit Focus Areas

• Compliant User Provisioning (CUP) – Audit Focus Areas

• Superuser Privilege Management (SPM) – Audit Focus Areas

• Wrap-up

2

Back in the OLD Days

• When I first started in SAP security 17 years ago, an SAP Security Audit consisted of the following questions:

1. How many users have SAP_ALL and SAP_NEW assigned to them?

2. Have you reset the password for SAP?

3. Do you “save” the emails from people requesting security changes?

3

Congratulations, you just passed your Audit!

Times HAVE CHANGED. Thank goodness!


Page 3: Audit Within GRC Landscape

What Does a GRC Audit Mean to Your Company?

• The definition of a “Security or Compliance Audit” is very different across the industry

• Some auditors are familiar with the SAP BusinessObjects GRC applications and provide feedback to enhance the compliance environment through better configuration and improved processes

• Some auditors compare results from SUIM reports and SAP table extracts with reports out of GRC

4

• Some auditors use their own tools to assess security issues and will never look at the internal SAP BusinessObjects Access Control systems

Which type of Audit do you usually have? Is it different for your Internal vs. External auditors?

The Auditors Found a Problem!

• Audit Points

• Inconsistent Results

• “Deficiencies”

5


Page 4: Audit Within GRC Landscape

Fantasy of SoD Violations

• Usual Customer Reactions:

“How can this be? We have passed every audit for the last 45 years.”

“I thought we had a GRC system to point these issues out before the auditors find them?”

“The auditors are wrong, they don’t understand our business, configuration, or they don’t know SAP Security!”

“See I told you, those security people didn’t know what they were doing!”

6

RAR Review

• Does this make your auditor happy, worried, or indifferent?

7


Page 5: Audit Within GRC Landscape

What We’ll Cover …

• Auditing Access Control – What does this mean to me?

• Risk Analysis Remediation (RAR) – Audit Focus Areas

• Compliant User Provisioning (CUP) – Audit Focus Areas

• Superuser Privilege Management (SPM) – Audit Focus Areas

• Wrap-up

8

Checklist

RAR

• Rule Set Configuration

• Rule Set Change Control Process

• Mitigating Control Configuration

• Mitigating Control Enforcement

• Ownership

9


Page 6: Audit Within GRC Landscape

What Was Done During Your RAR Project?

• Six steps to help you better leverage SAP BusinessObjects Access Control SoD analysis capabilities to identify “real” risks, choose the correct remediation option, and resolve the problem long term

Get Clean and Stay Clean (diagram of the six steps): Risk Recognition, Rule Customization, Analysis and Scoping, Remediation, Mitigation, Continuous Compliance

10

RAR Review

• Do you need to be at 0 SoDs to pass an audit? NO!

11


Page 7: Audit Within GRC Landscape

Segregation of Duties Risk Management Process

Goal: Eliminate the Security Clean-Up Pendulum Effect

(Diagram of the pendulum:) Take access away to eliminate all violations, then have to give access back because the business can no longer function

12

Clicky Clicky vs. Thinky Thinky

• The “clicky clicky” is easy, but the “thinky thinky” is the hard part

• The technical configuration of the GRC was completed and modeled correctly after best practices

• But, the “thinky thinky,” regarding establishing practical ownership, compliance, and business process standards, is lacking

13


Page 8: Audit Within GRC Landscape

Phase One — Rule Building and Validation

RULE CUSTOMIZATION AND VALIDATION

• Reference best practices rules for your environment

• Validate rules

• Customize rules, then test

• Verify against test user/role cases

(Diagram of the six steps, with Rule Customization highlighted: Risk Recognition, Rule Customization, Analysis and Scoping, Remediation, Mitigation, Continuous Compliance)

14

Classic View of GRC Implementation

“If you are looking for the wrong things, then you will also get the wrong results”

Completeness and accuracy are critical in the SoD analysis process. The goal is to eliminate False Positives and False Negatives in SoD reporting.

Key items to focus on related to accuracy of the RAR rule set are:

• Custom Transaction Codes created by the customer

• Unique customization and configuration by the customer

• Correct use of “AND,” “OR,” and “NOT” logic in the rules

• Testing, testing, and more testing of the rules to make sure they are working the way you intend them to operate

15


Page 9: Audit Within GRC Landscape

“It takes a village to build a good rule set for SoD compliance”

Classic View of GRC Implementation (cont.)

Many different people need to participate in the rule definition portion of the project to provide different perspectives, priorities, and technical details to the rule set configuration

Key people that should be involved in the SoD rule set definition workshops are:

• Business Process Owners

• Audit and Compliance Representatives

• Security Administrators

• Compliance Calibrator Rule Keeper and Administrators

16

SAP GRC Rules Example

The standard delivered rule sets are now delivered in the Service Pack RTA download area

Risk ID | Function 1 ID | Function 1 | Function 2 ID | Function 2 | Description of Risk | Risk Level

S002 | SD05 | Sales Order, Agreements, or Contracts | AR03 | Clear Customer Balance | Create sales documents and immediately clear customer’s obligation | High

S003 | SD05 | Sales Order, Agreements, or Contracts | SD01 | Customer Master Maint. | Create a fictitious customer and initiate fraudulent sales document | High

S014 | SD05 | Sales Order, Agreements, or Contracts | SD02 | Delivery Processing | Cover up unauthorized shipment by creating fictitious sales documents | High

S016 | SD05 | Sales Order, Agreements, or Contracts | SD06 | Sales Pricing Maint. | Enter sales documents and lower prices for fraudulent gain | High

S020 | SD05 | Sales Order, Agreements, or Contracts | SD04 | Sales Order Release | Risk of entering and releasing sales documents by the same person | High

S027 | SD05 | Delivery Processing | AR02 | Cash Application | User can create fictitious/incorrect delivery and enter payments against these, potentially misappropriating goods | High

17
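The rule-accuracy points on the previous slide (custom transaction codes, AND/OR logic between functions, mitigated vs. unmitigated conflicts) can be made concrete with a small evaluator over the S0xx rules in the table above. This is an added example, not code from the presentation or from SAP Access Control; the function IDs and risk IDs come from the slide, while the transaction-code lists, user names and mitigating control ID are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample: which transaction codes perform each function. The
# function IDs come from the rule table above; the t-code lists are
# illustrative assumptions, not the SAP-delivered function definitions.
FUNCTIONS = {
    "SD05": {"VA01", "VA02", "VA41"},  # Sales Order, Agreements, or Contracts
    "AR03": {"F-32"},                  # Clear Customer Balance
    "SD01": {"XD01", "XD02"},          # Customer Master Maint.
    "SD02": {"VL01N", "VL02N"},        # Delivery Processing
    "SD06": {"VK11", "VK12"},          # Sales Pricing Maint.
    "SD04": {"VKM1", "VKM3"},          # Sales Order Release
}

@dataclass(frozen=True)
class Risk:
    risk_id: str
    functions: tuple        # every function must be held (AND logic)
    description: str
    level: str = "High"
    enabled: bool = True    # a deactivated rule never produces a finding

# The S0xx rules from the table above (S027 left out).
RULES = [
    Risk("S002", ("SD05", "AR03"), "Create sales documents and immediately clear customer's obligation"),
    Risk("S003", ("SD05", "SD01"), "Create a fictitious customer and initiate fraudulent sales document"),
    Risk("S014", ("SD05", "SD02"), "Cover up unauthorized shipment by creating fictitious sales documents"),
    Risk("S016", ("SD05", "SD06"), "Enter sales documents and lower prices for fraudulent gain"),
    Risk("S020", ("SD05", "SD04"), "Risk of entering and releasing sales documents by the same person"),
]

def functions_held(user_tcodes, functions=FUNCTIONS):
    """Return the function IDs a user can perform.

    A function is held when the user has any one of its t-codes (OR logic
    inside a function); a rule fires only when every function it names is
    held (AND logic between functions).
    """
    tcodes = set(user_tcodes)
    return {fid for fid, codes in functions.items() if tcodes & codes}

def analyze_user(user, user_tcodes, rules=RULES, mitigations=None,
                 functions=FUNCTIONS):
    """Evaluate one user against the rule set.

    mitigations maps (user, risk_id) -> mitigating control ID. Each finding
    carries a status an auditor can filter on:
      'violation' - conflict with no mitigating control assigned
      'mitigated' - conflict with a mitigating control on file
      'disabled'  - conflict exists but the rule is deactivated, so a
                    standard RAR report would not show it
    """
    mitigations = mitigations or {}
    held = functions_held(user_tcodes, functions)
    findings = []
    for rule in rules:
        if not all(f in held for f in rule.functions):
            continue
        if not rule.enabled:
            status = "disabled"
        elif (user, rule.risk_id) in mitigations:
            status = "mitigated"
        else:
            status = "violation"
        findings.append({"user": user, "risk": rule.risk_id, "level": rule.level,
                         "status": status,
                         "control": mitigations.get((user, rule.risk_id))})
    return findings

def with_custom_tcodes(functions, custom):
    """Extend function definitions with customer Z-transactions.

    custom maps a custom t-code to the function it belongs to, e.g.
    {"ZVA01": "SD05"}. Until this is done, a user who enters sales orders
    through ZVA01 never matches SD05: a false negative in SoD reporting.
    """
    extended = {fid: set(codes) for fid, codes in functions.items()}
    for tcode, fid in custom.items():
        extended.setdefault(fid, set()).add(tcode)
    return extended

if __name__ == "__main__":
    # Constructed sample users and a constructed mitigating control ID.
    users = {"JSMITH": {"VA01", "F-32", "XD01"}, "RLEE": {"ZVA01", "VL01N"}}
    mitigations = {("JSMITH", "S002"): "MC-SD-001"}
    for user, tcodes in users.items():
        print(user, analyze_user(user, tcodes, mitigations=mitigations))
    extended = with_custom_tcodes(FUNCTIONS, {"ZVA01": "SD05"})
    print("RLEE after mapping ZVA01 to SD05:",
          analyze_user("RLEE", users["RLEE"], functions=extended))
```

RLEE shows no conflict until the custom ZVA01 is mapped to SD05, which is exactly the false negative the slide warns about when customer transaction codes are missing from the rule set.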


Page 10: Audit Within GRC Landscape

Risk Authorization Examples for Customization

Object / field (what it restricts) | Example values

ACTVT | 01, 02, 05, 06, 77

$KOART (Account Type) | A-Asset, D-Customer, K-Vendor, M-Material, S-General ledger

M_MATE_STA (Material Views) | B-Accounting, G-Costing, K-Basic

M_MSEG_BWE (Movement types for GR) | 101-106, 122

M_MSEG_BWA (Movement types for VL trans) | 601-602

M_BEST_BSA (Order type) | EC, FO, NB

ME28 with M_EINK_FRG (Release strategies) | Not checked – Must be added based on release strategy for each company

VA01 (Sales order document types) | Critical order types can be included by supplying values for V_VBAK_AAT object

18

Auditing the Rule Set — Risk Customization

19


Page 11: Audit Within GRC Landscape

SoD Active Rules vs. Deactivated Rules

Real Customer BAD Example

Auditing the Rule Set — Risk Customization (cont.)

Area | Enabled | Disabled | Percent Disabled

Finance | 14 | 18 | 56%

Basis | 19 | 0 | 0%

HR | 21 | 0 | 0%

Materials Mgt | 2 | 12 | 70%

Procure to Pay | 44 | 23 | 34%

Rules were originally disabled based on functionality that was identified to be not used by the customer

20

Risk Authorization Examples for Customization

21


Page 12: Audit Within GRC Landscape

Risk Authorization Examples for Customization (cont.)

• Only 4 custom t-codes existed in this customer’s SoD rule set

• They are:

ZR08 – Cancel Invoice Document

ZPA30 – Maintain HR Master Data

ZPA40 – Personnel Actions

ZPA61 – Maintain Time Data

22

Auditing Critical Actions

• Are you monitoring the same critical actions as your auditors?

Stop the surprises each year and have them monitored by Access Control!

23


Page 13: Audit Within GRC Landscape

Workflow-Enabled Change Control

• Are you using Workflow change control or manual processes to manage Rule Set and Mitigation changes?

24

Management View Reports — Do Your Auditors Have Access to This?

• Graphical reporting to see the current state of your environment, and identification of key SoD violation “hot spots”

25


Page 14: Audit Within GRC Landscape

Risk Analysis Reports — Do Your Auditors Have Access to This?

• Detailed analytical reporting to focus and filter detailed SoD information

26

Risk Analysis Reports — Do Your Auditors Have Access to This? (cont.)

• Detailed reporting without having to give access to the Rule Architect or Mitigation configuration tabs

27


Page 15: Audit Within GRC Landscape

Mitigating Controls — Are They Consistent and Complete?

• Creation of a Mitigation Control in RAR

28

SoD Results with Mitigations

We just Mitigate everything and our SoD problems go AWAY!

29


Page 16: Audit Within GRC Landscape

RAR Review — Mitigations

• “Per discussion with the Director of Procurement and Materials Management, Head Buyer, and Stores and Inventory Manager, the functions of Create/Change Requisition and Automatic generation of Purchase Order are performed by the Stores Managers and Buyers as part of their standard duties. To limit exposure, the same individual cannot purchase unauthorized items and hide by not fully receiving order. Also, limit exposure to requisition an item and create a Purchase Order from that Requisition. To address the remaining risks identified by SAP GRC Access Control 5.3 SoD at the User level, we have created the following Mitigating Control.”

30

Ownership

“It takes a village to be compliant!”

(Diagram of the parties that share ownership: SoD Rule Keeper, Compliance Team, Audit, Risk Owners, Mitigation Monitors, Mitigation Approvers, Role Owners)

31


Page 17: Audit Within GRC Landscape

Getting the Right People Involved

Roles and Responsibilities

Business Process Owners

• Identify risks and/or approve risks for monitoring

• Approve remediation involving user access

• Design controls for mitigating conflicts

• Communicate access assignments or role changes

• Perform proactive continuous compliance

Senior Officers

• Approve/Reject risks between business areas

• Approve mitigating controls for selected risks

Security Administrator and Technical Liaisons

• Ownership of SAP GRC tools and security processes

• Design and maintain rules to identify risk conditions

• Customize SAP GRC roles to enforce roles and responsibilities

• Analysis and remediation of SoD conflicts at role level

Auditors & Regulators

• Perform risk assessment on a regular basis

• Provide specific requirements for audit purposes

• Perform periodic testing of rules and mitigating controls

• Act as liaison between external auditors

SoD Rule Keeper

• Responsible for SAP GRC tool configuration and administration

• Maintain controls over rules to ensure integrity

• Act as liaison between Basis and SAP GRC Support Center

Incorrect Rule Configuration Is Always the Top Priority

• The purpose of remediation is to determine alternatives for eliminating SoD violations. These alternatives should be explored in the following order:

1. Is this SoD violation caused by an incorrect rule? If yes, then modification to the rule is required to resolve the false positive.

2. Can access be removed from the role or user to resolve the SoD violation?

3. Can this SoD violation be addressed using other alternatives, such as utilizing SAP Workflow, user exits, configuration modifications, or business process change?

4. Can this access requirement be addressed using GRC Superuser Privilege Management for SAP functionality?

5. If the SoD violation is not resolved in steps 1-4, then Mitigation is required

33


Page 18: Audit Within GRC Landscape

What We’ll Cover …

• Auditing Access Control – What does this mean to me?

• Risk Analysis Remediation (RAR) – Audit Focus Areas

• Compliant User Provisioning (CUP) – Audit Focus Areas

• Superuser Privilege Management (SPM) – Audit Focus Areas

• Wrap-up

34

Checklist

CUP

• Request Audit Trails

• Workflow Design

• Stage Configuration to Support Compliance

• Administrator Access

35


Page 19: Audit Within GRC Landscape

Auditing CUP Beyond Just Audit Trails

• Auditing CUP means going beyond the standard “Audit Trail” monitoring of requests and looking at the configuration for compliance and approval loopholes

36

CUP Review

If SoD = Yes

Is your CUP system configured utilizing suggested SAP BusinessObjects GRC best practices?

Are SoD violations still able to slip into your system through user access requests?

37


Page 20: Audit Within GRC Landscape

What Type of Requests Are Being Handled by CUP?

• CUP can handle many different kinds of requests, including user access requests, FireFighter, IdM, rule set changes, etc.

• Which ones are you using?

• Which ones should you be using to address your audit requirements?

38

Initiator Configuration

• Verify if requests are going down the wrong workflow path due to incorrect Initiator configuration

39


Page 21: Audit Within GRC Landscape

CUP Configuration Critical to Staying SoD Compliant

• Verification of the Stage configuration

• CUP is a critical component for maintaining an SoD-free environment, but only if it is configured correctly

CUP Configuration Critical to Staying SoD Compliant (cont.)

• Verify whether escalation is being used to support compliance and proper approval, or just to speed up the provisioning approval process
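The initiator check on the previous slide and the stage/escalation check here can both be scripted against an export of the CUP workflow configuration. The following is an added example written for this page, not code from the presentation or from SAP: its data model is a deliberate simplification (an initiator is an AND-ed set of attribute equality conditions; a stage carries an escalation label and a risk-analysis-mandatory flag), and every initiator, stage, attribute and value in it is constructed. The point it demonstrates is that two initiators can both claim the same request unless they disagree on at least one shared attribute, and that a stage whose escalation skips the approver, or whose risk analysis is optional, weakens the approval the workflow is supposed to enforce.

```python
"""Audit checks for CUP workflow routing (added example, assumed data model)."""
from itertools import combinations

# Constructed initiator configuration (assumption; names and values are illustrative).
INITIATORS = {
    "NEW_HIRE":     {"request_type": "New Account", "functional_area": "Finance"},
    "FINANCE_ALL":  {"functional_area": "Finance"},   # also matches every NEW_HIRE request
    "CHANGE_SALES": {"request_type": "Change Account", "functional_area": "Sales"},
    "CATCH_ALL":    {},                               # no conditions: matches everything
}

# Constructed stage configuration (assumption). escalation is one of
# 'none', 'forward_alternate' (alternate approver) or 'skip_stage' (timeout bypasses the stage).
STAGES = [
    {"name": "MANAGER",    "escalation": "forward_alternate", "risk_analysis_mandatory": True},
    {"name": "ROLE_OWNER", "escalation": "skip_stage",        "risk_analysis_mandatory": False},
    {"name": "SECURITY",   "escalation": "none",              "risk_analysis_mandatory": True},
]


def matches(conditions, request):
    """An initiator fires when every one of its conditions matches the request attributes."""
    return all(request.get(k) == v for k, v in conditions.items())


def matching_initiators(request, initiators=INITIATORS):
    """All initiators that would claim this request; more than one means routing is ambiguous."""
    return sorted(n for n, c in initiators.items() if matches(c, request))


def overlapping_initiators(initiators=INITIATORS):
    """Pairs of initiators that can both fire for some request.

    With AND-ed equality conditions, two initiators overlap unless they
    disagree on the value of at least one attribute they both test.
    """
    pairs = []
    for (a, ca), (b, cb) in combinations(initiators.items(), 2):
        shared = set(ca) & set(cb)
        if all(ca[k] == cb[k] for k in shared):
            pairs.append((a, b))
    return pairs


def stage_findings(stages=STAGES):
    """Stage settings that weaken approval or let SoD risks through unseen."""
    findings = []
    for s in stages:
        if s["escalation"] == "skip_stage":
            findings.append(f"{s['name']}: escalation skips the stage, a timed-out approver is bypassed")
        if not s["risk_analysis_mandatory"]:
            findings.append(f"{s['name']}: risk analysis optional, approval possible without SoD results")
    return findings


if __name__ == "__main__":
    req = {"request_type": "New Account", "functional_area": "Finance"}   # constructed request
    print("initiators claiming request:", matching_initiators(req))
    print("overlapping initiator pairs:", overlapping_initiators())
    for finding in stage_findings():
        print("finding:", finding)
```

Run against a real export, replace the two dictionaries with the initiators and stages from the system under review; any request for which `matching_initiators` returns more than one name is a candidate for the "wrong workflow path" finding on the slide, and a catch-all initiator shows up as overlapping with everything.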


Page 22: Audit Within GRC Landscape

CUP and RAR Integration Configured for Compliance

• Validation of the CUP configuration for RAR integration to close SoD loopholes during the provisioning process

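The loophole this slide (and the "can SoD violations still slip in" question on the CUP Review slide) points at is an integration that risk-analyses only the roles in the request instead of the access the user would end up with. The following added example, written for this page and not taken from the presentation or from SAP's RAR engine, shows the difference on a constructed rule set: a function is a set of transactions, a risk is a pair of functions, and `analyse_request` runs the same check in request-only and cumulative scope. Role names, risk IDs and function membership are assumptions; the transaction codes are standard SAP ones chosen for illustration.

```python
"""Request-time SoD check: request-only versus cumulative scope (added example)."""

# Constructed rule set (assumption). Function members are real SAP transaction
# codes used only for illustration; function and risk IDs are made up.
FUNCTIONS = {
    "AP01_MAINTAIN_VENDOR": {"XK01", "XK02", "FK01", "FK02"},
    "AP02_PROCESS_PAYMENT": {"F110", "F-53"},
    "PR01_CREATE_PO":       {"ME21N", "ME22N"},
    "PR02_GOODS_RECEIPT":   {"MIGO", "MB01"},
}
RISKS = {
    "P001": ("AP01_MAINTAIN_VENDOR", "AP02_PROCESS_PAYMENT"),   # create a vendor and pay it
    "P002": ("PR01_CREATE_PO", "PR02_GOODS_RECEIPT"),           # order goods and receive them
}
# Constructed role catalogue (assumption).
ROLES = {
    "Z_AP_VENDOR_MASTER": {"XK01", "XK02"},
    "Z_AP_PAYMENT_RUN":   {"F110"},
    "Z_MM_BUYER":         {"ME21N", "ME22N"},
    "Z_MM_RECEIVING":     {"MIGO"},
}


def transactions_for(roles):
    """Union of the transactions granted by a set of roles."""
    return set().union(*(ROLES.get(r, set()) for r in roles))


def functions_hit(tcodes):
    """Functions the user can perform: holding any one member transaction is enough."""
    return {f for f, members in FUNCTIONS.items() if members & tcodes}


def violations(roles):
    """Risk IDs for which both conflicting functions are reachable from these roles."""
    hit = functions_hit(transactions_for(roles))
    return sorted(r for r, (f1, f2) in RISKS.items() if f1 in hit and f2 in hit)


def analyse_request(existing_roles, requested_roles):
    """Run the check in both scopes a CUP-to-RAR integration can be configured with.

    request_only: the requested roles in isolation. This is the loophole: a
                  single requested role rarely conflicts with itself.
    cumulative:   existing plus requested roles, which is what the approver needs.
    new:          risks this request would introduce (not already present).
    """
    request_only = violations(requested_roles)
    before = violations(existing_roles)
    cumulative = violations(set(existing_roles) | set(requested_roles))
    return {
        "request_only": request_only,
        "cumulative": cumulative,
        "new": sorted(set(cumulative) - set(before)),
    }


if __name__ == "__main__":
    # Constructed request: an AP clerk who already maintains vendors asks for the payment run.
    print(analyse_request({"Z_AP_VENDOR_MASTER"}, {"Z_AP_PAYMENT_RUN"}))
```

In the constructed case the request-only analysis comes back clean while the cumulative one reports P001; an approver who only sees the first result approves an SoD violation into production, which is exactly what the audit should be testing for.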

Request Administration — Can Be Used for Good and Evil

• Who has Request Administration access? They can approve ANY request in the system!

• But their name will be listed in the Audit Trail


Page 23: Audit Within GRC Landscape

What We’ll Cover …

• Auditing Access Control – What does this mean to me?
• Risk Analysis Remediation (RAR) – Audit Focus Areas
• Compliant User Provisioning (CUP) – Audit Focus Areas
• Superuser Privilege Management (SPM) – Audit Focus Areas
• Wrap-up

Checklist

FireFighter
• Appropriate Use of SPM
• Log Analysis
• Activity Monitoring
• Owner and Controller Accountability
• SPM Maintenance


Page 24: Audit Within GRC Landscape

FireFighter Concept — It Has a Purpose and Should Not Be Abused

[Slide diagram: a user's normal role set (“Access to do my everyday activities”) alongside a separate FireFighter ID (“Special access to be used when I need it”), shown for Basis Support, Finance Support, and Sales Support]

SPM Abuse

• Validation that the SPM access is being used for the right purposes

• “I log into FireFighter at 8:00 am and sign out at 5:00 pm. That way I never have security problems.” WRONG!


Page 25: Audit Within GRC Landscape

SPM Reason and Activity Documentation Enforcement

• “Reason and Activity” is one of the most important components to SPM

SPM “Owner and Controller” Accountability and Configuration

• Verification that Owners and Controllers are configured properly and actually participate in the process

• They are NOT in the example shown on the slide!


Page 26: Audit Within GRC Landscape

Findings from an SPM Structure Review

• Validate if the system is being maintained properly

• Findings from an actual SPM customer:
  168 FireFighters exist in the current SAP PRD system
  33 belong to users already deleted
  4 FF IDs have the same access as the user they are assigned to
  36 FF IDs have never logged on, or have not logged on within the last 180 days
  4 FF IDs have expired assignments to users (non-operational)
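The findings above, together with the all-day FireFighter session on the SPM Abuse slide, are the kind of checks worth running on every review rather than once. The following is an added example written for this page, not code from the presentation or from SAP's SPM tables: it takes a FireFighter assignment list, a user master with last-logon dates, role assignments and an SPM session log (all constructed here, with made-up IDs, dates and roles), reproduces the four structural findings on the slide, and flags sessions that run far longer than an incident should or carry a reason too thin to reconstruct what was done. The review date, the 180-day dormancy window, the 4-hour session ceiling and the "fewer than three words" reason test are assumptions stated in the code.

```python
"""FireFighter (SPM) structure and usage review (added example, constructed data)."""
from datetime import date, datetime, timedelta

REVIEW_DATE = date(2012, 3, 1)   # assumption: date the review is run
DORMANT_DAYS = 180               # window used on the slide
MAX_SESSION_HOURS = 4            # assumption: anything longer looks like all-day use
MIN_REASON_WORDS = 3             # assumption: shorter reasons cannot be reconciled later

# Constructed FF assignments: ff_id -> (assigned user, assignment valid-to date).
FF_ASSIGNMENTS = {
    "FF_BASIS_01": ("JSMITH",   date(2013, 12, 31)),
    "FF_FIN_01":   ("AMILLER",  date(2011, 6, 30)),    # assignment already expired
    "FF_FIN_02":   ("RDELETED", date(2013, 12, 31)),   # user no longer exists
    "FF_SALES_01": ("KLEE",     date(2013, 12, 31)),
}
# Constructed user master: user -> last logon date (None = never). FF IDs are users too.
USERS = {
    "JSMITH": date(2012, 2, 28), "AMILLER": date(2012, 2, 27), "KLEE": date(2012, 2, 20),
    "FF_BASIS_01": date(2012, 2, 29), "FF_FIN_01": date(2011, 5, 1),
    "FF_FIN_02": None, "FF_SALES_01": date(2012, 2, 21),
}
# Constructed role assignments: user -> set of roles.
ROLES = {
    "JSMITH": {"Z_BASIS_DISPLAY"}, "FF_BASIS_01": {"Z_BASIS_ADMIN"},
    "AMILLER": {"Z_FI_CLERK"},     "FF_FIN_01": {"Z_FI_ADMIN"},
    "FF_FIN_02": {"Z_FI_ADMIN"},
    "KLEE": {"Z_SD_ADMIN"},        "FF_SALES_01": {"Z_SD_ADMIN"},   # FF grants nothing extra
}
# Constructed SPM session log: (ff_id, user, login, logout, reason).
SESSIONS = [
    ("FF_BASIS_01", "JSMITH", datetime(2012, 2, 29, 8, 2),  datetime(2012, 2, 29, 17, 1), "support"),
    ("FF_BASIS_01", "JSMITH", datetime(2012, 2, 27, 14, 0), datetime(2012, 2, 27, 15, 10), "Fix transport TR123 per INC-4411"),
    ("FF_SALES_01", "KLEE",   datetime(2012, 2, 21, 9, 0),  datetime(2012, 2, 21, 9, 45), ""),
]


def structure_findings(review_date=REVIEW_DATE):
    """Structural hygiene checks matching the four findings listed on the slide."""
    f = {"deleted_user": [], "same_access": [], "dormant": [], "expired": []}
    for ff, (user, valid_to) in FF_ASSIGNMENTS.items():
        if user not in USERS:
            f["deleted_user"].append(ff)
        elif ROLES.get(ff) == ROLES.get(user):
            f["same_access"].append(ff)      # FF adds no privilege: it is a standing-access smell
        last = USERS.get(ff)
        if last is None or (review_date - last).days > DORMANT_DAYS:
            f["dormant"].append(ff)
        if valid_to < review_date:
            f["expired"].append(ff)
    return f


def usage_findings(sessions=SESSIONS, max_hours=MAX_SESSION_HOURS, min_words=MIN_REASON_WORDS):
    """Sessions that look like all-day use or that cannot be tied to a concrete activity."""
    out = []
    for ff, user, login, logout, reason in sessions:
        hours = (logout - login) / timedelta(hours=1)
        if hours > max_hours:
            out.append((ff, user, f"session of {hours:.1f}h exceeds {max_hours}h"))
        if len(reason.split()) < min_words:
            out.append((ff, user, f"reason too vague: {reason!r}"))
    return out


if __name__ == "__main__":
    for kind, ids in structure_findings().items():
        print(f"{kind}: {ids}")
    for row in usage_findings():
        print("usage:", row)
```

Against the constructed data the structure review reports one FF ID owned by a deleted user, one that duplicates its owner's access, two dormant and one expired; the usage review flags the nine-hour "support" session and the empty reason. Feeding it real exports means replacing the four constructed tables and tuning the two thresholds to the organisation's FireFighter policy.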

What We’ll Cover …

• Auditing Access Control – What does this mean to me?
• Risk Analysis Remediation (RAR) – Audit Focus Areas
• Compliant User Provisioning (CUP) – Audit Focus Areas
• Superuser Privilege Management (SPM) – Audit Focus Areas
• Wrap-up


Page 27: Audit Within GRC Landscape

Additional Resources

• SAP BusinessObjects Governance, Risk, and Compliance Solutions

www.sap.com/solutions/sapbusinessobjects/large/governance-risk-compliance/index.epx

• Reference documents and blogs
www.customeradvisory.com/blog.html

• SAP Solutions for Governance, Risk, and Compliance (GRC)
http://help.sap.com/grc

Access Control Documentation 5.3 – http://help.sap.com/grc-ac53
Access Control Documentation 10.0 – http://help.sap.com/grc-ac

7 Key Points to Take Home

• A good audit does not just look at security data, but also analyzes how your compliance tools are configured!

• GRC configuration: If you look for the wrong stuff, you’re going to get the wrong results

• Has your SAP BusinessObjects Access Control system been configured to reflect your business requirements, risk, and audit priorities?

• Having strong security and compliance business practices is critical to support a configured compliance application

• Get your auditors to participate and partner in the processes and sustainment decisions around your GRC application configuration

• Auditors need to become more familiar and comfortable using and reviewing customers’ SAP BusinessObjects GRC systems

• Auditors are your friend … please be nice to us! ☺


Page 28: Audit Within GRC Landscape

Your Turn!

Continue the conversation! Post your questions on Insider Learning Network’s Forums

*bit.ly/FinancialsGRCForums

Disclaimer
SAP, R/3, mySAP, mySAP.com, SAP NetWeaver®, Duet®, PartnerEdge, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP.


Page 29: Audit Within GRC Landscape

Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026

Copyright © 2012 Wellesley Information Services. All rights reserved.