ISACA After Hours Seminar January 31, 2012
Making Continuous Monitoring and Continuous Auditing Work with SAP GRC
Gerhard Wasnick
ISACA AHS; January 31, 2012
Table of Contents
Getting started, Terms and Objectives
Frameworks, Compliance Requirements
The SAP GRC Tool, Mapping
Implementation of Continuous Audit (CA) or Continuous Monitoring (CM) Scenarios
Example 1 CA: SAP Basis System Parameter
Example 2 CM: SAP Chart of Account Master Data
Other Examples
Lessons Learned, Q&A
© Riscomp GmbH / Page 2
After-Hour Seminar
Objectives
Objectives:
Provide a glimpse of the current possibilities to automate controls or perform automated monitoring
Show the continuous audit (CA) and continuous monitoring (CM) scenarios working live in the system
Out of Scope:
Complete overview of SAP GRC functions
What is continuous auditing / continuous monitoring
Continuous auditing is the independent application of automated tools to provide assurance on financial, compliance, strategic and operational data within a company. … The «continuous» aspect of continuous auditing and reporting refers to real-time.
Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organization's financial and operational environment. … Through continuous monitoring of the operations and controls, weak or poorly designed or implemented controls can be corrected or replaced, … enhancing the organization's operational risk profile.
Technical Implementation
Automatic control is the application of concepts derived from the research area of modern
control theory. Automatic control is also a technology for application of control strategies. …
Legal Requirements
Switzerland: OR 728a (Swiss Code of Obligations), data protection code
Europe: 7th directive of the European Union, transposed into local law such as BilMoG in Germany
USA: Sarbanes-Oxley Act 404 of 2002
Japan: Japan's Financial Instruments and Exchange Law (J-SOX)
Important Standards and Mapping of Standards to GRC Functionality
ISO:
- ISO 27000 ff.
- ISO 27001
- ISO 27002
- ISO 27003 ISMS
- ISO 27035 IT Security Event detection
- ISO 20000 ITIL
COBIT:
- (1) DS5 System Security
- PO 4.1 Define Processes
- AI 2.5 Configuring Application Software
- PO 6.3 IT Policy Management
- PO 9 Assess and Manage IT Risks
- ME 2.4 Control Self Assessment
- PO 4.11 Segregation of Duties
- AC 6 Transaction Authentication & Integrity
Implementation of CA / CM Scenarios
Risk based approach for continuous audit:
- Risk & control identification
- Implementation feasibility check
- Benefit valuation (qualitative)
- Implementation, test and go-live
Cost-benefit based approach for CM and efficient internal control systems:
- Stock take of control effort
- Estimation of savings
- Estimation of feasibility & effort
- Automation TOP 10 list
- Implementation and test
Automated Control and Monitoring Process Flow
Inputs: custom programs; delivered rules, queries and reports; configurable rules
Business areas: FIN, O2C, P2P, HR, IT, Fixed Assets
Control types: transaction controls, configuration controls, master data controls
Outputs: Xcelsius dashboards and analytics, Crystal Reports, auditability, root cause analysis, workflows
Steps: define data source and business rules; map to controls; test or monitor; report, analyze & remediate
(Process flow: © SAP 2011)
CA/CM Objectives of the Examples
Objective of the CA scenarios: perform the audit or control action automatically and inform users.
Flow: SAP ERP system (application customizing, Basis parameters) -> SAP GRC system (CA/CM scenario 1, CA/CM scenario 2) -> inform users
Example 1: ISO 27003 / COBIT DS5 System Security
Background: System security is driven by SAP system parameters defining the minimum length of passwords, the maximum number of log-in attempts etc.
Risk: Hostile takeover of user accounts and unauthorized access
Procedures:
ITGC Control Execution: Start the report «RSPARAM» and check that the parameter «login/min_password_lng» is set according to standards. Document the result.
Audit Procedure: ditto
Riscomp Automated Scenario: An automated scenario checks the parameter frequently. Only if the parameter is below the threshold is an issue sent to the control owner for the ICS and/or to IT Audit for audit purposes.
Example 2: COBIT AI 2.5 Configuring Application Software
Information: Systems like SAP ERP can be configured to fit the company's process and compliance needs. The configuration is stored in database tables. The configuration values determine the compliance of an SAP system.
Technical Background: Account master data is kept in SAP in two database tables: SKA1 and SKB1. The accounts are established initially during the system implementation. However, during the normal course of business individual accounts can be maintained and should be closely monitored.
Risk: The critical master data settings carrying high risk for the accuracy and reliability of financial figures should be documented and monitored closely.
Procedures:
IT Audit Procedure: During the course of a financial audit, the configuration is checked manually.
Control Execution: Frequent sampling of chart of accounts master data or data analysis of the database tables.
Riscomp Automated Scenario: The GRC system checks the critical fields in the chart of accounts, such as «automated postings allowed only», against defined thresholds.
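The two scenarios above, the Basis parameter check of Example 1 and the chart of accounts master data monitoring of Example 2, as one added Python example. This is not Riscomp's or SAP's code and it does not connect to an SAP system: the RSPARAM-style listing and the SKB1-style rows are constructed inline, the thresholds, control IDs and recipient names are assumptions, and login/fails_to_user_lock and login/password_expiration_time are SAP login parameters used here as an assumption beyond the single parameter the slide names. The «post automatically only» flag in the SKB1 rows models the «automated postings allowed only» field the slide refers to. The example makes the slide's point explicit, that an issue is raised only when a threshold is breached, and adds the check a practitioner needs with RSPARAM: the listing shows a user-defined and a default column, and the control has to judge the effective value.

```python
"""Added example (not from the Riscomp deck): a minimal evaluator for the two
continuous audit / monitoring scenarios, raising issues only on breaches."""
from dataclasses import dataclass
from typing import Callable

# ---------------------------------------------------------------- Scenario 1
# Constructed snapshot in the shape of an RSPARAM listing: parameter name,
# user-defined value (None = not set in the instance profile) and kernel
# default. login/min_password_lng is named on the slide; the other two are
# SAP login parameters used as an assumption. All values are invented.
RSPARAM_SNAPSHOT = [
    ("login/min_password_lng", None, "6"),
    ("login/fails_to_user_lock", "12", "5"),
    ("login/password_expiration_time", "60", "0"),
]


def effective_value(snapshot, name: str) -> int:
    """RSPARAM shows both columns; the control must judge the *effective*
    value: the user-defined value when present, otherwise the kernel default."""
    for param, user_val, default in snapshot:
        if param == name:
            return int(default if user_val is None else user_val)
    raise KeyError(f"parameter {name} not in snapshot")


@dataclass(frozen=True)
class ParameterRule:
    control_id: str                    # control the rule supports (assumed IDs)
    parameter: str
    compliant: Callable[[int], bool]   # True when the value meets the standard
    standard: str                      # human-readable threshold for the issue text


# Thresholds are constructed for the example, not the deck's standards.
PARAMETER_RULES = [
    ParameterRule("DS5-PW-01", "login/min_password_lng", lambda v: v >= 8, ">= 8"),
    ParameterRule("DS5-PW-02", "login/fails_to_user_lock", lambda v: 1 <= v <= 5, "1..5"),
    ParameterRule("DS5-PW-03", "login/password_expiration_time",
                  lambda v: 1 <= v <= 90, "1..90 days"),
]


@dataclass(frozen=True)
class Issue:
    control_id: str
    message: str
    recipients: tuple   # control owner for the ICS, plus IT Audit where wanted


def check_parameters(snapshot, rules=PARAMETER_RULES, audit_copy=True):
    """Scenario 1: evaluate every rule; an Issue exists only for a breach."""
    recipients = ("control-owner-ics",) + (("it-audit",) if audit_copy else ())
    issues = []
    for rule in rules:
        value = effective_value(snapshot, rule.parameter)
        if not rule.compliant(value):
            issues.append(Issue(rule.control_id,
                                f"{rule.parameter} = {value}, standard {rule.standard}",
                                recipients))
    return issues


# ---------------------------------------------------------------- Scenario 2
# Constructed rows in the shape of SKB1 (company code segment of a G/L
# account): (company code, account, post-automatically-only flag, "X" = set).
BASELINE_SKB1 = {("1000", "0000140000"): "X",    # documented critical accounts
                 ("1000", "0000160000"): "X"}
CURRENT_SKB1 = [("1000", "0000140000", ""),      # flag removed since baseline
                ("1000", "0000160000", "X"),
                ("1000", "0000400000", "")]      # ordinary account, not critical


def monitor_chart_of_accounts(baseline, current):
    """Scenario 2: compare the critical field of each documented account with
    the current master data; any deviation becomes an Issue for the owner."""
    current_flags = {(bukrs, saknr): flag for bukrs, saknr, flag in current}
    issues = []
    for (bukrs, saknr), expected in baseline.items():
        actual = current_flags.get((bukrs, saknr))
        if actual is None:
            msg = f"critical account {saknr} in company code {bukrs} no longer exists"
        elif actual != expected:
            msg = (f"account {saknr}/{bukrs}: post-automatically-only flag "
                   f"changed from {expected!r} to {actual!r}")
        else:
            continue
        issues.append(Issue("AI2.5-COA-01", msg, ("control-owner-ics",)))
    return issues


def run_scenarios():
    """Both scenarios over the constructed data; three issues are expected."""
    return (check_parameters(RSPARAM_SNAPSHOT)
            + monitor_chart_of_accounts(BASELINE_SKB1, CURRENT_SKB1))


if __name__ == "__main__":
    for issue in run_scenarios():
        print(issue.control_id, "->", ", ".join(issue.recipients), ":", issue.message)
```

With the constructed data the password length rule fails because no user-defined value is set and the default of 6 applies, the lock rule fails on the value 12, the expiration rule passes, and the one reconciliation account whose flag was cleared produces the single master data issue; a compliant snapshot yields no issues at all, which is the behaviour the slide describes.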
Further CA / CM Examples
Compliant user provisioning processes in Access Control (CM)
Integrating SoD analysis with the internal control system (CA)
Frequent analysis of users with developer keys (CA)
Users with critical profiles (SAP_ALL, SAP_NEW) (CA)
Check of manual FX rate changes (CM)
Open posting periods per company code (CM)
3-way match parameter check (CM)
Lessons Learned
Continuous monitoring and auditing works for SAP systems including Business Warehouse
The complexity of the scenarios can vary and needs upfront evaluation!
Scenarios can be amended at any time, forming a flexible framework of automated scenarios
Automated scenarios require profound GRC and ERP know-how
SAP partners providing content help to reach the break-even point faster with content life cycle management
Further Information
Various trainings:
SAP standard training GRC 100, GRC 300, GRC 330, GRC 340, WDEAC1, TZPR10 or TZAC10
Trainings with Vereon.ch
Customized trainings
SAP Press «Handbuch SAP Revision», available in English in Q4/2012
RISCOMP GmbH offers services in the IT and business consulting field. Our main focus is the automation of Governance, Risk and Compliance processes. We enable our customers to establish simple, intuitive, integrated and efficient processes to handle GRC tasks.
We provide you the combination of professional expertise in RISk and COMPliance with technical implementation know-how for SAP BO GRC solutions.
Our team brings more than 20 years' experience (working for Big 4 firms, running an ICS, implementing SAP ERP and SAP GRC based processes).
We put all necessary views together to ensure maximized added value from a GRC implementation:
Process: ICS, compliance & risk management processes
Content: Framework definition, i.e. risks, controls, automated scenarios etc.
Technology: Automation of GRC processes and integration with your ERP environment.
Riscomp GmbH presentation: Company, Competence, Approach
RISCOMP GmbH
ICS processes: best-practice processes and structures for internal control systems
- Processes to administrate the ICS (control execution confirmation, change management, …)
- Test processes (design effectiveness, self assessment, …)
- Annual ICS scoping and risk evaluation
- Policy and procedure management processes
- SAP user provisioning and role management
Automation / Implementation:
- Design and implementation of automated control and monitoring scenarios in SAP R/3 and SAP GRC (Continuous Controls Monitoring, CCM)
- Software implementation and project management
- SAP GRC software migration for Process Control 3.0 to 10 and Access Control 5.3 to 10
- Design and conducting of training sessions for SAP Education
ICS content: our content for internal control systems is bundled into products
- Catalogue of manual business process controls
- Best practice repository of semi- and fully automated business process controls
- Standard catalogue of general IT controls (security, change management and operations)
- Methodology for an efficient adjustment of segregation of duties matrices to the business requirements
- Fraud pattern analysis
All products are based on acknowledged standards like COBIT, COSO or SAP AK Rev.