Enabling access management with SAP GRC

Turning risk into results

Page 2

What we are seeing in the market

Primarily driven by the Sarbanes-Oxley Act of 2002, the last 10 years have seen a considerable increase in efforts around resolving audit issues associated with segregation of duties (SoD) and sensitive and excessive access. As a result, many companies implemented GRC access management solutions such as SAP GRC Access Control. However, a lot of companies focused on the short-term goal of audit remediation, so they were not able to achieve the full value of a GRC access management solution.

This is the right time to learn about opportunities to transform your access management program. Enabling an SAP GRC Access Control solution can help:

• Lower the cost of access management and related audit activities through centralization and automation

• Improve sustainability by centralizing and standardizing methodologies, processes and components

• Increase effectiveness of access processes through integration with other SAP GRC modules and focus on critical foundational components such as role design and organizational alignment

What are the opportunities at your company?

Our recent EY global information security survey of more than 1,700 senior information security and IT leaders found that 46% of respondents ranked internal threats as a significant concern. Fully deploying SAP GRC Access Control while focusing on improving access management fundamentals will help address that risk while reducing cost and improving value.

Typical current state compared with the mature state:

• Increasing complexity to simplified. Current: multiple and manual access management processes. Mature: significant workflow automation in user access processes; integration with SAP GRC Process Control.

• Reactive to proactive. Current: fragmented, manual and ad hoc reporting; limited visibility to risks. Mature: mandatory SoD checks in the request process; dashboard-level reporting on the user access process, firefighter usage logs and real-time SoD reports, analytics and trending.

• Consistent failures to compliant. Current: high instances of access violations. Mature: compliant SAP role design and standardized user access management processes; ability to improve audit activities.

• Cost pressures to cost-efficient. Current: manual and inconsistent processes lead to higher IT costs; significant impact on business. Mature: IT security operational efficiencies via SAP GRC automation and standardization; automation of access provisioning activities.

• Inconsistent approach to consistent. Current: inconsistent role design approach across business processes. Mature: globally standard roles across business processes and standard user access management processes for application systems.

Page 3

SAP GRC Access Control can enable your risk agenda

Improve controls and processes

• Better aligned risk coverage, including the identification of stronger, more pervasive controls

• Reduced level of effort associated with performing and testing controls

• Increased control and process efficiencies enabled through automation and continuous monitoring

• Improved control mix that addresses key business risks while driving process efficiencies

Embed risk management

• Comprehensive and continuous risk management and monitoring

• Central management of financial, operational and compliance risks and controls across the organization

Enhance risk strategy

• Improved alignment to the objectives and strategy of the business

• Improved visibility to risks that matter most to the organization

• Proactive identification of risks

• Enhanced decision-making

Optimize risk management functions

• Elimination of duplicate and fragmented risk management activities

• Increased integration and coordination among business, IT and compliance

• Sustainability of risk management process

• Effective top-down and bottom-up reporting

[Figure: "Turning risk into results" risk agenda diagram with four quadrants: enhance risk strategy, embed risk management, optimize risk management functions, improve controls and processes]

Resulting in the following benefits:

• Increased integration and coordination among business, IT and compliance

• Real-time notification of potential access issues based on established business rules

• Sustainability of access management process

• User-friendly reporting

• Reduced audit costs due to a reliable and automated access management environment

• Cost avoidance associated with audit failure

• Efficiencies associated with preparation and analysis of SoD reports

• Reduction in the number of manual controls required to be designed and operated to mitigate access-related issues

• Elimination of redundant and excessive access management procedures

• Streamlined access approval process

• Identification of access anomalies indicating possible fraudulent activities through alerts

• Continuous access control and SoD management and monitoring

• Enhanced visibility to access-related risk exposure at the enterprise level (i.e., cross-application and cross-business-process)

• Super-user access management

• Early detection of potential access issues through scenario analysis before performing changes to user and role access
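As an added example (not EY's or SAP's code), the following Python sketches the two checks the list above describes: an SoD rule analysis over a user's roles, and a what-if simulation of an access request so a conflicting role is caught before it is provisioned. The role names, t-code mappings, the single SoD rule and the mitigation entry are constructed sample data; the park/post journal entry pair mirrors the roles named in the role design slide.

```python
"""Minimal SoD analysis with what-if simulation of an access request.
Constructed sample data throughout (not from the EY material or SAP GRC)."""

# Role -> transaction codes (t-codes). The two Z:FI roles stand in for the
# "Park Journal Entries" / "Post Journal Entries" roles mentioned in the slide.
ROLE_TCODES = {
    "Z:ABC_GENERAL_USER": {"SU53", "SP01"},   # basic tier: everyone holds it
    "Z:FI_GL_DISPLAY": {"FB03", "FS10N"},     # display-only tier
    "Z:FI_PARK_JE": {"FV50"},                 # park G/L journal entries
    "Z:FI_POST_JE": {"FB50", "FBV0"},         # post G/L / parked documents
}

# Business functions expressed as t-code sets, and the SoD rules naming the
# two functions one person must not hold together (with a risk rating).
FUNCTIONS = {
    "PARK_JE": {"FV50"},
    "POST_JE": {"FB50", "FBV0"},
    "DISPLAY_GL": {"FB03", "FS10N"},
}
SOD_RULES = {"F001": ("PARK_JE", "POST_JE", "High")}

# Mitigating controls a risk owner has already accepted, keyed by (user, rule).
MITIGATIONS = {("jdoe", "F001")}


def functions_held(roles):
    """Resolve roles -> t-codes -> business functions the user can execute."""
    tcodes = set().union(*(ROLE_TCODES[r] for r in roles))
    return {f for f, needed in FUNCTIONS.items() if needed & tcodes}


def analyze(user, roles):
    """Return {rule_id: mitigated?} for every SoD rule this role set violates."""
    held = functions_held(roles)
    return {rid: (user, rid) in MITIGATIONS
            for rid, (f1, f2, _risk) in SOD_RULES.items() if {f1, f2} <= held}


def simulate_request(user, current_roles, requested_roles):
    """What-if check run before provisioning: which violations would be new,
    and may the request be auto-approved (no new, unmitigated violation)?"""
    before = analyze(user, current_roles)
    after = analyze(user, list(current_roles) + list(requested_roles))
    new = {rid: mit for rid, mit in after.items() if rid not in before}
    return {"new_conflicts": new, "auto_approve": all(new.values())}


if __name__ == "__main__":
    # asmith already parks journal entries and now requests the posting role.
    print(simulate_request("asmith", ["Z:ABC_GENERAL_USER", "Z:FI_PARK_JE"],
                           ["Z:FI_POST_JE"]))
```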

[Figure: Risk, Cost and Value diagram]

Page 4

Next steps to improve your risk management landscape

EY SAP GRC Accelerated Analytics Workbench: a tool that presents SoD conflicts in a business-friendly format and helps identify key risks and pain points and determine initial remediation.

SAP role design benchmarking: key metrics enabling an organization to compare its SAP role design against other companies and leading practices.

SAP GRC demo environment: demo environment for all the latest versions of software, including SAP GRC 10.0 for Access Control, Process Control, Risk Management and Global Trade Services.

EY RiskUniverse®: industry-specific risk universes, process-normative models and key business risks linked to application-specific controls that can be used to customize SAP GRC demos.

Page 1 Proprietary & Confidential – not for use or disclosure outside Industrial Client All Rights Reserved – Ernst & Young 2010

DRAFT – FOR DISCUSSION ONLY

Company A current state General Accounting roles (and number of “Z:FI” roles), shown as parent roles with children/derived roles:

• General role (1): General User Role (Z:ABC_GENERAL_USER)

• Display role (14): A/R Reporting; A/R Customer Master Displaying; G/L Journal Entry Displaying; Financial Reporting General Display; Display Role (FLB1N); G/L Account Displaying; …

• Job/function role (58): A/P Processing; A/P Processing – Additional; A/R Credit Management Override Executing; A/R Credit Management Override Executing without VKM1, VKM2; Invoice IDOC Processing; Invoice IDOC Processing – For Project CC and Plants; Invoice IDOC Processing – For Stable CC and Plants; Post Park Journal Entries; Park Journal Entries – For Project CC and Plants; Park Journal Entries – For Stable CC and Plants; …

Leading practice role design methodology (and typical number of roles in General Accounting), a 4-tier model of parent roles with children/derived roles:

• Basic role (1): transactions to which everyone in the organization will have access (i.e., printing functions, export/import functions)

• Departmental role (1-2): transactions to which everyone in the department will have access (i.e., includes display-only roles)

• Functional role (8-12): transactions which represent the execution of the job function (minimum overlap of t-codes between roles)

• Special access role (4-8): transactions restricted to a specific user (i.e., process interface exceptions, mass updates)


Roles should be standardized and rationalized to better align with Industrial Client’s business process design and organizational structure

[Chart: Comparison of SAP roles against initial design and similar organizations. Categories: Human Resources "HR" roles; Procure to Pay "MM" roles; Order to Cash "SD" roles; Supply Chain "IM/WM/PP" roles; General Accounting "FI/CO/AM/TR" roles. Series: Industrial Client SAP Roles (mapped to job functions document); Industrial Client SAP Roles (not mapped to job functions document); Roles in comparable organizations; “Design vs. Actual” SAP Roles Gap; Industrial Client vs. Leading Practice Gap. Axis: Number of Parent/Template Roles (0 to 160).]

Rapid SAP access diagnostic provides accelerated current state assessment of your SAP access processes and technology, allowing you to identify realizable value and develop a future state road map to achieve it.

SAP GRC demo facilitates mapping of business requirements to SAP GRC functionality and could be used to develop an initial business case for implementing SAP GRC.

Why EY?

• Global and flexible approach with a focus on SAP GRC

• Knowledgeable team with practical experience in process, risk and technology disciplines

• Industry-specific content and enablers

• Leading-practice assessment diagnostics and leverage models

• Service delivery model design and key performance indicators

Our services

• Rapid GRC technology diagnostic

• GRC technology vendor selection

• GRC technology implementation and assessments

• Risk transformation enabled by GRC technology

EY | Assurance | Tax | Transactions | Advisory

About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2014 EYGM Limited. All Rights Reserved.

EYG/OC/FEA no. XX0000

1403-1222661 EC

ED 0115

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

ey.com