August 6, 2015 - The Anfield Group (theanfieldgroup.com/wp-content/uploads/2015/08/SAP-GRC...)
SAP Solutions for Governance, Risk and Compliance August 6, 2015
© 2015 SAP AG. All rights reserved. 2 Confidential
Agenda
SAP Solutions for GRC Overview
SAP Solutions for GRC: SAP Access Control, SAP Process Control, SAP Risk Management
SAP Regulation Management by Greenlight
Wrap up
SAP solutions for governance, risk and compliance: simplify, gain insight and strengthen

GRC Core: SAP Access Control, SAP Process Control, SAP Risk Management
Native HANA Applications: SAP Audit Management, SAP Fraud Management
SAP Solution Extensions: SAP Access Violation Management by Greenlight, SAP Regulation Management by Greenlight, SAP Dynamic Authorization Management by NextLabs
Security: SAP Identity Management, SAP Single Sign-On, SAP Enterprise Threat Detection
A Unified Platform…
[Diagram: "Single Unified Platform" versus "Multiple Solutions". Left: SAP GRC (Access Control, Process Control, Risk Management) on SAP NetWeaver, connected to monitored SAP and non-SAP systems and presenting a single Enterprise View. Right: separate Access Risk, Control Effectiveness and Enterprise Risk tools, each connected on its own to monitored SAP and non-SAP systems, reaching an Enterprise View only through a Business Intelligence Layer.]
Legend: Delivered Integration; Integration Enabled by Solution Extension
Notes: (a) No cross-GRC application integration; (b) Indirect path to enterprise view; (c) Multiple integration touch points
SAP Access Control – Manage access risk and prevent fraud
• Find and remediate SoD and critical access violations
• Automate access assignments across SAP and non-SAP systems
• Define and maintain roles in business terms
• Certify that access assignments are still warranted
• Monitor emergency access and transaction usage
SAP Access Control – Visibility of Application Access Risk
SAP Access Control – Benefits: sample before/after scenarios

Before
• Reliance on manual or third-party efforts to identify conflicts
• Manual process for managing access rights to systems; costly and repetitive clean-up efforts for SoD conflicts
• Lengthy, manual process between IT and the business to approve user access requests, including email and/or hard-copy forms
• No visibility of SoD risks prior to effecting changes to roles or provisioning users
• Costly and extensive internal/external audit efforts

After
• Implemented a process to identify and remediate SoD conflicts at a granular level; example of initial risk-level violations found: 580K+ (typical)
• Reduction in SoD violations by 99.4%, and the ability to preserve the clean-up effort through risk analysis simulations during role management and provisioning
• Reduction in time to get new users on board from 14 days to 1.42 days, with over 92% of requests automated
• Workflow approval and risk analysis simulation built into role management and user provisioning
• 90% faster internal audit and 50% faster external audit revision time
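The SoD risk analysis and pre-provisioning simulation described above, as an added example that is not SAP code and not part of the original deck. The business functions, risk IDs (P001 to P003, C001), role names (Z_*), users and transaction-code groupings are all constructed for illustration; a real SAP Access Control rule set maps risks to functions and functions to authorization objects and field values, not only to transaction codes.

```python
"""Segregation-of-duties (SoD) risk analysis with pre-provisioning simulation.

Added example; not SAP Access Control code. Functions, risks, roles and users
are constructed for illustration and the tcode groupings are simplified.
"""

# Business functions as sets of transaction codes (constructed sample).
FUNCTIONS = {
    "VENDOR_MAINTAIN": {"XK01", "XK02"},  # create / change vendor master
    "INVOICE_ENTRY": {"FB60", "MIRO"},    # post vendor invoices
    "PAYMENT_RUN": {"F110"},              # execute the payment run
    "PO_CREATE": {"ME21N"},               # create purchase orders
    "GOODS_RECEIPT": {"MIGO"},            # post goods receipts
}

# SoD risks: pairs of functions one person must not hold together (constructed IDs).
RISKS = {
    "P001": ("VENDOR_MAINTAIN", "PAYMENT_RUN"),  # create a vendor, then pay it
    "P002": ("INVOICE_ENTRY", "PAYMENT_RUN"),    # post an invoice, then pay it
    "P003": ("PO_CREATE", "GOODS_RECEIPT"),      # order goods, then receive them
}

# Critical access: single transactions that are a finding on their own.
CRITICAL = {"C001": "F110"}

# Roles -> transaction codes (constructed). Z_SUPERUSER stands in for a
# broad legacy profile that grants every function.
ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO"},
    "Z_AP_PAY": {"F110"},
    "Z_MDM_VENDOR": {"XK01", "XK02"},
    "Z_BUYER": {"ME21N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_SUPERUSER": set().union(*FUNCTIONS.values()),
}

USER_ROLES = {
    "alice": {"Z_AP_CLERK"},
    "bob": {"Z_BUYER", "Z_WAREHOUSE"},
    "root_legacy": {"Z_SUPERUSER"},
}


def tcodes_for(roles):
    """Union of transaction codes granted by a set of roles."""
    return set().union(*(ROLES[r] for r in roles)) if roles else set()


def functions_for(tcodes):
    """Functions a user can perform: one tcode of the function is enough."""
    return {name for name, codes in FUNCTIONS.items() if codes & tcodes}


def analyze(roles):
    """Violations for a role set: (rule_id, func1, func2, evidence tcodes)."""
    tcodes = tcodes_for(roles)
    held = functions_for(tcodes)
    findings = []
    for risk_id, (f1, f2) in RISKS.items():
        if f1 in held and f2 in held:
            evidence = tuple(sorted((FUNCTIONS[f1] | FUNCTIONS[f2]) & tcodes))
            findings.append((risk_id, f1, f2, evidence))
    for rule_id, tcode in CRITICAL.items():
        if tcode in tcodes:
            findings.append((rule_id, tcode, "", (tcode,)))
    return sorted(findings)


def simulate(user, new_roles):
    """Violations that granting new_roles to user would newly introduce.

    This is the check to run on an access request before provisioning:
    findings the user already carries are not blamed on the new request.
    """
    current = USER_ROLES.get(user, set())
    before = set(analyze(current))
    after = set(analyze(current | set(new_roles)))
    return sorted(after - before)


def report():
    """Risk analysis across all users; users without findings are omitted."""
    return {u: analyze(r) for u, r in USER_ROLES.items() if analyze(r)}


if __name__ == "__main__":
    for user, findings in report().items():
        for rule_id, f1, f2, evidence in findings:
            print(f"{user}: {rule_id} {f1} {f2} via {', '.join(evidence)}")
    print("request alice += Z_AP_PAY ->", simulate("alice", ["Z_AP_PAY"]))
    print("request alice += Z_MDM_VENDOR ->", simulate("alice", ["Z_MDM_VENDOR"]))
```

The simulation step is what gives "visibility of SoD risks prior to effecting changes": the request for alice to receive Z_AP_PAY is rejected or routed for mitigation because it would combine invoice entry with the payment run, while the request for Z_MDM_VENDOR introduces no new conflict under this rule set and can be auto-approved. The legacy all-functions profile trips every rule, which is why clean-up typically starts with such profiles.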
SAP Process Control – Ensure effective controls and on-going compliance
• Document controls and policies centrally; map them to key regulations and impacted organizations
• Perform periodic risk assessments to determine scope and test strategies
• Evaluate control design and effectiveness; raise and remediate issues
• Perform automated, exception-based monitoring of ERP and other systems
• Support decisions and promote accountability with insightful analytics and sign-off
Automated control testing and monitoring for SAP and non-SAP systems
Identify issues sooner while reducing effort and cost
Key Benefits
Accurately identify and analyze control exceptions across SAP and non-SAP business applications
Route exceptions via workflow to ensure timely investigation, documentation and remediation
Use configurable rules, existing queries, SAP reports, and best practice content to create the monitoring you need without programming
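Exception-based control monitoring of the kind described above, as an added example that is not SAP Process Control code. The three rules, control IDs (C-AP-*), owners, thresholds and the vendor-change, invoice and payment records are all constructed; a real deployment would read these from ERP extracts, queries or reports and hand the exceptions to a workflow engine rather than a dict.

```python
"""Exception-based control monitoring driven by configurable rules.

Added example; not SAP Process Control code. Rules, control IDs, owners and
the ERP-style records are constructed for illustration.
"""
from collections import defaultdict
from datetime import date

# Constructed sample extracts in the shape of accounts-payable data.
VENDOR_CHANGES = [  # bank-detail changes on the vendor master
    {"vendor": "V100", "field": "IBAN", "user": "carol", "date": date(2015, 7, 1)},
    {"vendor": "V200", "field": "IBAN", "user": "dave", "date": date(2015, 7, 3)},
]
INVOICES = [
    {"doc": "INV1", "vendor": "V100", "ref": "A-1", "amount": 12000.0, "po": None},
    {"doc": "INV2", "vendor": "V100", "ref": "A-1", "amount": 12000.0, "po": None},
    {"doc": "INV3", "vendor": "V300", "ref": "B-7", "amount": 800.0, "po": None},
    {"doc": "INV4", "vendor": "V200", "ref": "C-2", "amount": 50000.0, "po": "PO77"},
]
PAYMENTS = [
    {"doc": "PAY1", "vendor": "V100", "amount": 12000.0, "user": "carol", "date": date(2015, 7, 4)},
    {"doc": "PAY2", "vendor": "V200", "amount": 50000.0, "user": "frank", "date": date(2015, 7, 20)},
]
DATA = {"vendor_changes": VENDOR_CHANGES, "invoices": INVOICES, "payments": PAYMENTS}


def rule_invoice_without_po(data, threshold):
    """Invoices at or above threshold that reference no purchase order."""
    return [f"{i['doc']}: {i['amount']:.2f} to {i['vendor']} without PO"
            for i in data["invoices"] if i["po"] is None and i["amount"] >= threshold]


def rule_duplicate_invoice(data):
    """Same vendor, reference and amount posted more than once."""
    seen = defaultdict(list)
    for i in data["invoices"]:
        seen[(i["vendor"], i["ref"], i["amount"])].append(i["doc"])
    return [f"duplicate invoice {ref} for {vendor}: {', '.join(docs)}"
            for (vendor, ref, _), docs in seen.items() if len(docs) > 1]


def rule_bank_change_then_payment(data, window_days):
    """One user changes a vendor's bank details and pays that vendor within the window."""
    findings = []
    for c in data["vendor_changes"]:
        for p in data["payments"]:
            same_actor = p["vendor"] == c["vendor"] and p["user"] == c["user"]
            if same_actor and 0 <= (p["date"] - c["date"]).days <= window_days:
                findings.append(f"{p['user']} changed {c['field']} of {c['vendor']} "
                                f"on {c['date']} and posted {p['doc']} on {p['date']}")
    return findings


# Rule configuration: which check, with which parameters, maps to which control and owner.
RULES = [
    {"id": "R01", "control": "C-AP-01", "owner": "ap.manager",
     "check": rule_invoice_without_po, "params": {"threshold": 10000}},
    {"id": "R02", "control": "C-AP-02", "owner": "ap.manager",
     "check": rule_duplicate_invoice, "params": {}},
    {"id": "R03", "control": "C-AP-03", "owner": "treasury.lead",
     "check": rule_bank_change_then_payment, "params": {"window_days": 7}},
]


def run_monitoring(data, rules=RULES):
    """Evaluate every rule; return exception records ready for workflow routing."""
    exceptions = []
    for rule in rules:
        for detail in rule["check"](data, **rule["params"]):
            exceptions.append({"rule": rule["id"], "control": rule["control"],
                               "owner": rule["owner"], "detail": detail, "status": "open"})
    return exceptions


def worklist(exceptions):
    """Open exceptions grouped by control owner, i.e. each owner's queue."""
    queues = defaultdict(list)
    for e in exceptions:
        if e["status"] == "open":
            queues[e["owner"]].append(e)
    return dict(queues)


if __name__ == "__main__":
    for owner, items in worklist(run_monitoring(DATA)).items():
        print(owner)
        for e in items:
            print(f"  [{e['rule']}/{e['control']}] {e['detail']}")
```

Rules are data rather than code paths, so adding a control or changing a threshold or time window means editing the RULES list, not the monitor; each exception carries the control it evidences and the owner it is routed to, which is what a workflow needs to track investigation and remediation.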
SAP Process Control – Benefits: sample before/after scenarios

Before
• No single repository of risks and controls; they exist in various spreadsheets or separate tools
• Lack of resources to execute internal and external audit/compliance testing; high number of manual controls
• Limited visibility of compliance/testing status and remediation efforts
• Lack of scheduling and assignment capabilities for control owners
• Lack of a structured and automated certification/sign-off process
• Limited to no automated policy management capabilities

After
• One common, shared repository of process risks and controls across all areas, including finance, operations and regulation-specific controls, allowing 25% less time spent on compliance activities and less time preparing for audits
• Optimization of limited resources through reduced duplication of controls (up to 30%) and an increase in automated testing (automation of 160+ controls)
• Improved reporting for compliance managers, top-level management, and external stakeholders/auditors
• Scheduling and assignment tracking ensures accountability
• Structured, electronic sign-off ensures completeness and auditability
• An automated policy management lifecycle ensures the proper tone is set within the organization
SAP Risk Management – Preserve and grow value
• Plan risk management within the context of value to the organization
• Link risks, risk drivers, risk indicators, impacts and responses
• Analyze risk via scenarios, modeling and other factors to understand exposure
• Design and manage risk mitigation strategies
• Monitor thresholds, effectiveness of risk responses, and corrective actions
SAP Risk Management – Visibility of Enterprise Risks
SAP Risk Management – Benefits: sample before/after scenarios

Before
• No formal solution to plan, identify, analyze, respond to, and monitor risks
• Risk management function performed in silos with manual tools by each business unit
• Loss events not captured; advanced modeling not performed
• Effective responses not put in place to reduce incidents and exposure over time
• Risk management is reactionary, with no real-time visibility into risk status

After
• Implemented the SAP Risk Management solution based on COSO's risk management framework to help formalize and solidify a more mature risk management function
• A unified approach to enterprise risk management allows adoption of a common methodology and aggregation from lower-level to high-level risks
• Loss events are captured, and advanced modeling capabilities such as Monte Carlo scenario modeling are performed
• Risk responses put in place and monitored for effectiveness over time
• Key risk indicators established to monitor real-time risks and prevent loss events from materializing
SAP Solutions for Governance, Risk and Compliance – 3 Takeaways
• SAP enables a flexible, scalable, unified approach to GRC initiatives
• The solution extends beyond SAP applications to provide a unified view of the "state of compliance"
• SAP enables unparalleled automation and efficiency to streamline your compliance initiatives
Thank you!
© 2015 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.