SAP GRC

Page 1: SAP GRC

• GRC Introduction - day1

• Access Controls 5.x and 10.0 - day1

• Access Risk Analysis - day2

• Emergency Access Management - day2

• Access Request Management - day3

• Business Role Management - day3

• AC 10 implementation process and Sample Project - day4

• Rule set and SoD analysis - day5

• GRC assessments - day5

Page 2: SAP GRC

GRC – Governance, Risk & Compliance

Page 3: SAP GRC

GRC Categories and Vendors

Columns: Category / Business View / Representative Vendors

Category: Finance Management GRC
Business View: Management, workflow, documentation and reporting associated with financial controls
Representative Vendors: Axentis, Certus, IBM, Movaris, OpenPages, Oracle, Paisley Consulting, Qumas, SAP

Category: Audit Management
Business View: Internal audit work papers, task management and workflow
Representative Vendors: PricewaterhouseCoopers, Paisley Consulting

Category: Audit Data Extraction and Analysis
Business View: Tools for extracting data from business applications and running ad hoc analysis or template queries
Representative Vendors: ACL, IDEA (CaseWare)

Category: Segregation of Duties
Business View: Ensuring that personnel do not have access to data in a way that creates the potential for fraud
Representative Vendors: Approva, Oversight Systems, Virsa Systems (SAP)

Category: Business Rule Management
Business View: Monitoring transactional data in accordance with business rules established as controls
Representative Vendors: 170 Systems, Infogix, webMethods

Sarbanes–Oxley Section 404: Assessment of internal control

The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting (ICOFR). This is the most costly aspect of the legislation for companies to implement, as documenting and testing important financial manual and automated controls requires enormous effort.

Page 4: SAP GRC

SAP GRC

• Access risk management (AC) – Confidently manage and reduce access risk across the enterprise with a single solution to manage a centralized strategy for governance, risk, and compliance.

• Enterprise GRC (PC & RM) – Automate risk management, compliance, and monitoring activities and minimize the associated cost and effort required.

• Global trade services (GTS) – Minimize global trade violations with a single, integrated platform to meet complex and ever-changing global trade compliance requirements.

• Environment, health, and safety management – Empower your organization to address regulatory compliance; integrate the management of operational risks related to environment, health, and safety; and address corporate sustainability initiatives.

• Sustainability performance management (SuPM) – Help your organization track and communicate sustainability performance, set goals and objectives, manage risks, and monitor activities.

Page 5: SAP GRC

Access Controls – Manage Access & Authorizations

SAP Governance, Risk, and Compliance (GRC) Access Control provides end-to-end automation for documenting, detecting, remediating, mitigating, and preventing access and authorization risk enterprise wide, resulting in proper segregation of duties, lower costs, reduced risk, and better business performance.

Access Control includes the following capabilities:

• Access Risk Analysis, which supports real-time compliance to detect, remove, and prevent access and authorization risks by preventing security and control violations before they occur.

• Access Request Management, which automates provisioning, tests for segregation of duties (SoD) risks, and streamlines approvals by the appropriate business approvers to unburden IT staff and provide a complete history of user access.

• Business Role Management, which standardizes and centralizes role creation and maintenance.

• Emergency Access Management, which enables users to perform emergency activities outside their roles as privileged users in a controlled and auditable environment.

Page 6: SAP GRC

End-To-End Compliance with SAP GRC Access Controls

Page 7: SAP GRC

Architecture – GRC 10

[Architecture diagram; components recovered from the slide:]

SAP GRC 10.0 on SAP NetWeaver AS ABAP 7.02:

• AC, PC & RM (Software Component: GRCFND_A)

• GTS (Software Component: SLL-LEG)

• Nota Fiscal Eletronica (Software Component: SLL-NFE)

• Content Lifecycle Management (CLM)

Back-end systems:

• SAP ERP (4.6C – 7.1) with NW Function Modules (Plug-in: GRCPINW), HR Function Modules / PC Automated Controls (Plug-in: GRCPIERP) and the GTS Plug-in (Plug-in: SLL-PI)

• Non-SAP Business Applications (via Adapter)

Optional and supporting components:

• SAP NW Portal 7.01 – GRC Portal Content (optional)

• SAP NW BW 7.02, BI Content 7.06 – GRC BW Content (optional)

• Identity Management Solutions (SAP or Non-SAP) (optional)

• SAP NetWeaver 7.02 Search/Classification – GRC Search (recommended for GTS/SPL)

• SAP NW Java 7.01 Adobe Document Services (required for RM and GTS)

• SAP NetWeaver PI Nota Fiscal Content (required for Nota Fiscal E.)

Front End Client: SAP GUI 7.10, Web Browser, Adobe Flash Player, CRA*

Connections shown in the diagram: RFC, http, DIAG, web services.

*Crystal Reports Adapter and Active Component Framework – needed for viewing GRC Crystal Reports

Page 8: SAP GRC

AC 5.3 Dashboard

Page 9: SAP GRC

AC 10 Dashboard

Page 10: SAP GRC

SPRO Settings

Page 11: SAP GRC

Configuration

Common Settings

• User Roles

• BC Sets

• AC Parameters

• Connector and Connector Settings

• Plug-in Customizing

Components Configuration

• ARA

• EAM

• ARM

• BRM

Page 12: SAP GRC

AC Roles

• Admin Users: SAP_GRAC_SETUP, SAP_GRAC_RULE_SETUP

• Risk Analysis: SAP_GRAC_RISK_ANALYSIS, SAP_GRAC_RISK_OWNER

• MSMP: SAP_GRC_MSMP_WF_ADMIN_ALL, SAP_GRC_MSMP_CONFIG_ALL

• Role Mgt: SAP_GRAC_ROLE_MGMT_ADMIN, SAP_GRAC_ROLE_MGMT_DESIGNER

• Super User Admin: SAP_GRAC_SUPER_USER_MGMT_ADMIN, SAP_GRAC_SUPER_USER_MGMT_OWNER, SAP_GRAC_SUPER_USER_MGMT_CNTLR

• End Users: SAP_GRAC_NWBC, SAP_GRAC_BASE

• Access Request Roles: SAP_GRAC_ACCESS_REQUESTER, SAP_GRAC_ACCESS_APPROVER, SAP_GRAC_ACCESS_REQUEST_ADMIN

Page 13: SAP GRC

BC Sets

The following BC Sets need to be activated for Access Control to work by default:

• GRAC_RA_RULESET_COMMON and the respective back-end rule set(s), e.g. GRAC_RA_RULESET_SAP_R3 for R/3

• GRAC_ACCESS_REQUEST_REQ_TYPE

• GRAC_ACCESS_REQUEST_EUP

• GRAC_ACCESS_REQUEST_APPL_MAPPING

• GRAC_ACCESS_REQUEST_PRIORITY

• GRAC_ROLE_MGMT_SENTIVITY

• GRAC_ROLE_MGMT_METHODOLOGY

• GRAC_ROLE_MGMT_ROLE_STATUS

• GRAC_ROLE_MGMT_PRE_REQ_TYPE

• GRAC_SPM_CRITICALITY_LEVEL

• GRC_MSMP_CONFIGURATION

Page 14: SAP GRC

Connectors

Integration Framework settings include:

• Create Connectors

• Maintain Connectors and Connection Types

• Maintain Connection Settings

• Maintain Service Providers and Consumer Proxies in SOA Manager

• Event-Based Monitoring

Page 15: SAP GRC

Configuration Parameters - 1

Page 16: SAP GRC

Configuration Parameters - 2

Page 17: SAP GRC

Plug-in Settings

• Plug-in Connector (pointing to the ERP itself)

• GRC connector (pointing to the AC server & client, logical name)

• Rule set (which rule set to use in AC)

• HR Triggers Activation

• The Risk Terminator settings

Page 18: SAP GRC

Access Risk Analysis

• Ruleset setup

• Mitigation Controls Setup

• Repository Sync

• User/ Roles/ Profiles Sync

• Authorization Sync

• Batch Risk Analysis

• Reviewing risk analysis reports

• Performing user/ role/ profile level analysis

• User/ role Simulation
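As an added illustration (not part of the original slides or of SAP's own code), the following Python sketches the SoD check behind the risk analysis and simulation steps above: a rule set maps each risk to its conflicting functions and each function to the actions (transaction codes) that enable it; user-level analysis resolves user to roles to actions, and simulation re-runs the check with a role added before it is provisioned. All rule, function, role and user data are constructed samples; the transaction codes are illustrative only.

```python
# Constructed rule set: risk id -> (description, conflicting function ids)
RULESET = {
    "P001": ("Maintain vendor master and post vendor payments", ("AP01", "AP02")),
    "S001": ("Create sales orders and release billing", ("SD01", "SD02")),
}
# Constructed function definitions: function id -> actions (tcodes) enabling it
FUNCTIONS = {
    "AP01": {"FK01", "FK02", "XK01"},   # vendor master maintenance
    "AP02": {"F-53", "F110"},           # outgoing payments
    "SD01": {"VA01", "VA02"},           # sales order maintenance
    "SD02": {"VF01", "VF04"},           # billing
}
# Constructed snapshot of what the user/role/authorization sync would load
ROLES = {
    "Z_AP_VENDOR_MAINT": {"FK01", "FK02", "FK03"},
    "Z_AP_PAYMENTS": {"F-53", "FB03"},
    "Z_SD_ORDERS": {"VA01", "VA03"},
    "Z_SD_BILLING": {"VF01"},
}
USERS = {
    "JSMITH": ["Z_AP_VENDOR_MAINT", "Z_SD_ORDERS"],
    "ASINGH": ["Z_AP_VENDOR_MAINT", "Z_AP_PAYMENTS"],
}

def actions_for(roles):
    """Union of all actions granted by a list of roles."""
    return set().union(*(ROLES[r] for r in roles))

def risks_for_actions(actions):
    """A risk fires only when every one of its conflicting functions is reachable."""
    enabled = {f for f, acts in FUNCTIONS.items() if acts & actions}
    return sorted(r for r, (_, funcs) in RULESET.items() if set(funcs) <= enabled)

def analyze_role(role):
    """Role-level analysis: conflicts contained within a single role."""
    return risks_for_actions(ROLES[role])

def analyze_user(user):
    """User-level analysis: conflicts arising from the combination of assigned roles."""
    return risks_for_actions(actions_for(USERS[user]))

def simulate_user(user, extra_roles):
    """What-if simulation: risks if extra_roles were added, without changing the assignment."""
    return risks_for_actions(actions_for(USERS[user] + list(extra_roles)))

def batch_analysis():
    """Batch risk analysis over every user in the repository snapshot."""
    return {u: analyze_user(u) for u in USERS}
```

Note that JSMITH is clean today but would pick up S001 if Z_SD_BILLING were granted, which is exactly what the simulation step is meant to surface before a request is approved.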

Page 19: SAP GRC

Emergency Access Management

• FFID Creation

• FFID Owners

• FFID Controllers

• Reason Codes creation

• Firefighter assignment

• FFID activity log sync

• Using EAM - GRAC_SPM / GRAC_EAM

Page 20: SAP GRC

Access Request Management

• Number ranges creation

• Request Type configuration

• Provisioning Settings

• BRF+ rule creation

• MSMP configuration

  • Process ID

  • Maintaining rules

  • Maintaining agents

  • Notification settings

  • Path creation

  • Routing setup

  • Activation

• Access request creation/ review/ approval

Page 21: SAP GRC

Business Role Management

• Role attributes creation

• Naming conventions

• BRF rules for methodology and role approvers

• Methodology setup

• Organization creation

• Condition groups

• Role Creation/ review and approval

• Mass Role Maintenance

• Role import

• Mass role derivation