SAP: How Risk Savvy Are You?
Presentation to the SAP User Group, New South Wales Public Sector Special Interest Group
Audit Office of New South Wales
5 March 2013
Why is this important?
Session Objectives
The Big Picture
Overview of Audit Issues Raised
[Chart: Issues Identified in 2011 and 2012. X axis: Year (2011, 2012); Y axis: Number of Issues Identified (scale 0 to 400). Legend (Status): Repeat/Partial Repeat Issues; New issues. Data labels visible on the chart: 155, 234, 72, 137 (which label belongs to which year and series is not recoverable from the extracted text).]
Risk Area: SAP User Access Management
General user accounts management: creation, modification & termination
Generic user accounts management: access types; custodianship management
Default user accounts management: access types; custodianship management
Users with access capability to: perform table maintenance; SAP_ALL & SAP_NEW equivalent access; administrative capabilities (including the capability to create user accounts)
Risk Area: Segregation of Duties (SoD)
• Security Access Baselines which identify key functions and processes for which access should be segregated were often undefined.
• Inadequate design of SoD prior to business re-organisation and system implementation/upgrades
• SoD was often left as an after-thought, resulting in high costs, inefficiencies and exposure to financial and reputational risk.
• Lack of formal periodic SoD reviews.
• Reviews often fell short of required level of detail and only focused on whether terminated employee access had been disabled.
• Access was often not assigned in accordance with the users’ defined role, and in some cases resulted in access to conflicting duties.
• Several agencies identified system developers had unrestricted access to commit changes in the production system.
Awareness
• Agencies showed a lack of awareness with regards to designing and implementing appropriate Segregation of Duties controls and processes.
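The user access management and SoD checks on the two slides above, worked as an added example. This is not code from the presentation or from the Audit Office; it is a Python script written here that analyses exports of the SAP tables UST04 (user to profile), USR02 (logon data), AGR_USERS (user to role) and AGR_1251 (role authorization values). Every row is constructed sample data, the SoD rule pairs are illustrative rather than an agreed security access baseline, and the lock-flag meanings and transaction codes used are assumptions recorded in the comments.

```python
"""Added example: privileged-access and SoD checks over constructed SAP table exports.

The rows mimic the columns of the real tables UST04, USR02, AGR_USERS and AGR_1251,
but all data below is constructed for this example.
"""
from collections import defaultdict

# UST04: user -> profile.  SAP_ALL / SAP_NEW are the composite "do everything" profiles.
UST04 = [("BASIS01", "SAP_ALL"), ("SAP*", "SAP_ALL"), ("JSMITH", "Z_FINANCE_AP")]

# USR02: logon data.  USTYP A = dialog, B = system.  UFLAG (assumed meanings):
# 0 = not locked, 64 = locked by administrator, 128 = locked after failed logons.
USR02 = [("SAP*", "A", 0), ("DDIC", "A", 64), ("BASIS01", "A", 0),
         ("JSMITH", "A", 0), ("DEV01", "A", 0), ("RFC_BATCH", "B", 0)]

# AGR_USERS: user -> single role.
AGR_USERS = [("JSMITH", "Z_AP_CLERK"), ("JSMITH", "Z_AP_PAYMENTS"),
             ("DEV01", "Z_DEVELOPER"), ("BASIS01", "Z_BASIS")]

# AGR_1251: role -> authorization object / field / value.
AGR_1251 = [
    ("Z_AP_CLERK", "S_TCODE", "TCD", "XK01"),      # create vendor master
    ("Z_AP_CLERK", "S_TCODE", "TCD", "FB60"),      # enter vendor invoice
    ("Z_AP_PAYMENTS", "S_TCODE", "TCD", "F110"),   # automatic payment run
    ("Z_DEVELOPER", "S_DEVELOP", "ACTVT", "02"),   # change repository objects
    ("Z_DEVELOPER", "S_TCODE", "TCD", "SE38"),
    ("Z_BASIS", "S_TABU_DIS", "ACTVT", "02"),      # change tables (DICBERCLS narrows which ones)
    ("Z_BASIS", "S_USER_GRP", "ACTVT", "01"),      # create users
    ("Z_BASIS", "S_TCODE", "TCD", "SU01"),
    ("Z_BASIS", "S_TCODE", "TCD", "PFCG"),
]

# SAP-delivered accounts that every audit asks about.
DEFAULT_ACCOUNTS = ("SAP*", "DDIC", "EARLYWATCH", "SAPCPIC", "TMSADM")

# Illustrative SoD rules: pairs of transaction sets one person should not hold.
# A real security access baseline is agreed with the business and is much longer.
SOD_RULES = {
    "vendor master vs. vendor payment": ({"XK01", "FK01"}, {"F110", "F-53"}),
    "user admin vs. role admin": ({"SU01"}, {"PFCG"}),
}


def roles_with_auth(agr_1251, obj, field, value):
    """Roles granting OBJECT/FIELD = value (a '*' value matches everything)."""
    return {role for role, o, f, low in agr_1251
            if o == obj and f == field and low in (value, "*")}


def users_with_auth(agr_users, agr_1251, obj, field, value):
    roles = roles_with_auth(agr_1251, obj, field, value)
    return sorted({user for user, role in agr_users if role in roles})


def user_tcodes(agr_users, agr_1251):
    """Effective transaction codes per user, resolved through role assignments."""
    role_tcodes = defaultdict(set)
    for role, obj, field, low in agr_1251:
        if obj == "S_TCODE" and field == "TCD":
            role_tcodes[role].add(low)
    users = defaultdict(set)
    for user, role in agr_users:
        users[user] |= role_tcodes[role]
    return users


def privileged_access_findings(ust04, usr02, agr_users, agr_1251, production=True):
    """User access management checks: SAP_ALL/SAP_NEW, default accounts,
    table maintenance, user creation and (in production) developer change access."""
    status = {name: (utype, uflag) for name, utype, uflag in usr02}
    findings = []
    for user, profile in ust04:
        if profile in ("SAP_ALL", "SAP_NEW"):
            locked = status.get(user, ("?", 0))[1] != 0
            findings.append(f"{user}: profile {profile} assigned (locked={locked})")
    for user in DEFAULT_ACCOUNTS:
        if user in status and status[user][1] == 0:
            findings.append(f"{user}: default account exists and is not locked")
    for user in users_with_auth(agr_users, agr_1251, "S_TABU_DIS", "ACTVT", "02"):
        findings.append(f"{user}: can maintain tables (S_TABU_DIS ACTVT 02)")
    for user in users_with_auth(agr_users, agr_1251, "S_USER_GRP", "ACTVT", "01"):
        findings.append(f"{user}: can create user accounts (S_USER_GRP ACTVT 01)")
    if production:
        for user in users_with_auth(agr_users, agr_1251, "S_DEVELOP", "ACTVT", "02"):
            findings.append(f"{user}: developer change authorisation in production (S_DEVELOP ACTVT 02)")
    return findings


def sod_conflicts(agr_users, agr_1251, rules=SOD_RULES):
    """Users whose combined roles put them on both sides of an SoD rule."""
    findings = []
    for user, tcodes in sorted(user_tcodes(agr_users, agr_1251).items()):
        for rule, (side_a, side_b) in rules.items():
            if tcodes & side_a and tcodes & side_b:
                findings.append((user, rule))
    return findings


if __name__ == "__main__":
    for line in privileged_access_findings(UST04, USR02, AGR_USERS, AGR_1251):
        print("ACCESS:", line)
    for user, rule in sod_conflicts(AGR_USERS, AGR_1251):
        print("SoD   :", user, "-", rule)
```

In practice the tables are exported from SE16 or read over RFC, and the resolution from role to authorization also has to follow composite roles and generated profiles. Locked users and system or communication users are still reported on purpose: the auditor wants to see every assignment, not only the ones that are usable today.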
Risk Area: SAP Security Management
Configuration management: production client; password parameters; workflow; SAP built-in configuration settings; users with capabilities to perform all types of configuration management
Audit logging: configuration; reviews; escalation & follow up
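The password-parameter, audit-logging and production-client checks listed above, as an added example that is not part of the presentation: a Python check, written here, that parses an instance profile fragment, fills in kernel defaults for parameters that are not set, compares the result with a baseline, and separately checks the SCC4 client change options of a production client. The parameter names are real SAP profile parameters; the profile fragments and client dictionaries are constructed, and the baseline thresholds and the listed kernel defaults are assumptions for this example (confirm defaults in RZ11 for the release in use).

```python
"""Added example: SAP profile parameters and production-client settings versus a baseline."""

# Constructed instance profile fragments in the on-disk format ("name = value", '#' comments).
WEAK_PROFILE = """
# as-installed values: short passwords, no expiry, lenient lockout, no audit log
login/min_password_lng = 6
login/password_expiration_time = 0
login/fails_to_user_lock = 12
rsau/enable = 0
"""

HARDENED_PROFILE = """
login/min_password_lng = 10
login/password_expiration_time = 90
login/fails_to_user_lock = 5
login/no_automatic_user_sapstar = 1
rsau/enable = 1
rdisp/gui_auto_logout = 900
"""

# Kernel defaults that apply when a parameter is absent from the profile
# (assumed for this example; confirm against RZ11 for your release).
KERNEL_DEFAULTS = {
    "login/min_password_lng": 6,
    "login/password_expiration_time": 0,
    "login/fails_to_user_lock": 5,
    "login/no_automatic_user_sapstar": 0,
    "rsau/enable": 0,
    "rdisp/gui_auto_logout": 0,
}

# Illustrative baseline: parameter -> (comparison, expected).  Thresholds are
# assumptions for this example, not figures from the presentation.
BASELINE = {
    "login/min_password_lng": ("min", 8),
    "login/password_expiration_time": ("range", (1, 90)),
    "login/fails_to_user_lock": ("range", (1, 5)),
    "login/no_automatic_user_sapstar": ("eq", 1),   # no auto-created SAP* with default password
    "rsau/enable": ("eq", 1),                       # security audit log switched on
    "rdisp/gui_auto_logout": ("range", (1, 1800)),  # idle GUI sessions are dropped
}


def parse_profile(text):
    """Parse 'name = value' lines; integer values are returned as int."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = int(value) if value.lstrip("-").isdigit() else value
    return params


def _meets(rule, expected, actual):
    if not isinstance(actual, int):
        return False
    if rule == "min":
        return actual >= expected
    if rule == "eq":
        return actual == expected
    low, high = expected
    return low <= actual <= high


def check_profile(text, baseline=BASELINE, defaults=KERNEL_DEFAULTS):
    """Return (parameter, effective value, rule) for every baseline deviation.
    A parameter missing from the profile is judged on its kernel default."""
    params = parse_profile(text)
    deviations = []
    for name, (rule, expected) in baseline.items():
        actual = params.get(name, defaults.get(name))
        if not _meets(rule, expected, actual):
            deviations.append((name, actual, f"{rule} {expected}"))
    return deviations


# Client settings as displayed in SCC4 (constructed, one dictionary per client).
PRODUCTION_CLIENT_OK = {"client": "100", "role": "Production",
                        "client_changes": "No changes allowed",
                        "cross_client": "No changes to Repository and cross-client Customizing objects"}
PRODUCTION_CLIENT_BAD = {"client": "100", "role": "Production",
                         "client_changes": "Automatic recording of changes",
                         "cross_client": "Changes to Repository and cross-client Customizing allowed"}


def check_client(settings):
    """A production client should be closed to direct changes; everything arrives by transport."""
    findings = []
    if settings["role"] != "Production":
        return findings
    if settings["client_changes"] != "No changes allowed":
        findings.append(f"client {settings['client']}: client-specific changes set to "
                        f"'{settings['client_changes']}'")
    if not settings["cross_client"].startswith("No changes"):
        findings.append(f"client {settings['client']}: cross-client/Repository changes allowed")
    return findings


if __name__ == "__main__":
    for dev in check_profile(WEAK_PROFILE):
        print("PROFILE:", dev)
    for finding in check_client(PRODUCTION_CLIENT_BAD):
        print("CLIENT :", finding)
```

The weak profile produces six deviations and the hardened one none; two of the six come from parameters that were never set, which is why the check evaluates kernel defaults rather than only what the profile states. Profile values can also be changed at runtime (RZ11), so the running value in RSPFPAR should be compared with the file as well.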
Risk Area: Change Management
Application changes: documented types of application changes made in the financial year; approvals; testing; comparison of approved request forms & changes in SAP
Transport management: users with capability to perform transports; transport path
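The comparison of approved request forms with changes in SAP, the question of who performs transports, and the transport path from the slide above, as an added example (not code from the presentation): a Python reconciliation, written here, of a constructed STMS-style import history and E070-style request headers against a constructed change register. System names, user IDs, transport numbers and dates are invented for the example, and the rule that every request must pass through QAS before PRD is an assumed transport path.

```python
"""Added example: reconcile production imports against the transport path, the
authorised transport operators and the approved change register."""
from collections import defaultdict

# Constructed import history in the shape of STMS import records:
# (transport request, target system, import date, importing user).
IMPORTS = [
    ("DEVK900123", "QAS", "2012-03-02", "BASISADM"),
    ("DEVK900123", "PRD", "2012-03-05", "BASISADM"),
    ("DEVK900130", "PRD", "2012-03-06", "BASISADM"),   # went straight to PRD, skipping QAS
    ("DEVK900141", "QAS", "2012-03-10", "BASISADM"),
    ("DEVK900141", "PRD", "2012-03-11", "DEV01"),      # imported by a developer
    ("DEVK900150", "QAS", "2012-03-12", "BASISADM"),
    ("DEVK900150", "PRD", "2012-03-12", "BASISADM"),   # approved only the next day
]

# Constructed request headers in the shape of E070: transport -> (owner, function);
# function K = workbench request, W = customizing request.
E070 = {
    "DEVK900123": ("DEV01", "K"),
    "DEVK900130": ("DEV02", "W"),
    "DEVK900141": ("DEV01", "K"),
    "DEVK900150": ("DEV02", "K"),
}

# Constructed change register (the "approved request forms"):
# (change id, transport, approver, approval date).  DEVK900130 has no entry at all.
APPROVALS = [
    ("CHG-1001", "DEVK900123", "FINMGR", "2012-03-04"),
    ("CHG-1002", "DEVK900141", "FINMGR", "2012-03-10"),
    ("CHG-1003", "DEVK900150", "DEV02", "2012-03-13"),  # owner approved their own change
]

TRANSPORT_OPERATORS = {"BASISADM"}      # the only accounts meant to run imports (assumed)
TRANSPORT_PATH = ["DEV", "QAS", "PRD"]  # assumed path: QAS before PRD, no exceptions


def reconcile(imports, e070, approvals, operators, path):
    """Return (transport, issue) pairs for every production import that breaks a control."""
    approved = {t: (cid, approver, date) for cid, t, approver, date in approvals}
    hops = defaultdict(dict)           # transport -> {system: (date, user)}
    for t, system, date, user in imports:
        hops[t][system] = (date, user)
    prod = path[-1]
    findings = []
    for t, systems in hops.items():
        if prod not in systems:
            continue                   # never reached production; outside this check
        prod_date, prod_user = systems[prod]
        owner = e070.get(t, ("<unknown>", "?"))[0]
        for stage in path[1:-1]:       # intermediate systems on the agreed path
            if stage not in systems:
                findings.append((t, f"imported into {prod} without passing through {stage}"))
        if prod_user not in operators:
            findings.append((t, f"imported into {prod} by {prod_user}, not an authorised transport operator"))
        if t not in approved:
            findings.append((t, f"no approved change request covers the {prod} import"))
            continue
        cid, approver, approved_date = approved[t]
        if approved_date > prod_date:  # ISO-8601 dates compare correctly as strings
            findings.append((t, f"{cid} approved on {approved_date}, after the {prod} import on {prod_date}"))
        if approver == owner:
            findings.append((t, f"{cid} approved by {approver}, who also owns the transport"))
    return findings


if __name__ == "__main__":
    for transport, issue in reconcile(IMPORTS, E070, APPROVALS, TRANSPORT_OPERATORS, TRANSPORT_PATH):
        print(f"{transport}: {issue}")
```

Against the constructed data, DEVK900123 is clean and the other three requests raise five findings between them. The same join, run over a whole financial year, is what turns "comparison of approved request forms & changes in SAP" from a sample-based test into a complete one; the list of authorised operators should itself be derived from who holds S_TRANSPRT and S_CTS_ADMI in production rather than from a spreadsheet.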
Risk Area: Disaster Recovery Management
Issues Raised by Audit Office of NSW (for 2011 & 2012):
[Chart: Disaster Recovery Planning and Testing Across Agencies. X axis: Year (2011, 2012); Y axis: Number of Agencies (scale 0 to 120). Legend (DRP Status): DRP, Fully Tested; DRP, Partially tested; DRP, Not tested; No DRP. No data values survive in the extracted text.]
Risk Area: SAP Projects
Many organisations see business transformation or process change as unnecessary during SAP implementations or major upgrades; the work is typically viewed as just a technical upgrade.
Security is usually an after-thought, or is overlooked altogether, during SAP implementations or major upgrades.
Automated configurations are not fully explored as criteria for SAP implementations or major upgrades.
As a result, manual workarounds or costly changes are typically seen, together with increased risk, unauthorised transactions and fraud.
So What Can You Do? (An Auditor's Perspective)
Establish or extend the organisation's risk management practices to cover the management of SAP.
Design and implement controls that address the high-risk areas, common audit issues, common SAP weaknesses and any regulatory or compliance requirements.
Establish a program that tests the effectiveness of the controls over time (and not just at implementation).
Helpful Tools and Resources
Tools: GRC; Firefighter
NSW government resources: DFS guidelines; M2012-15: Digital Information Security Policy (http://www.dpc.nsw.gov.au/announcements/ministerial_memoranda/2012/m2012-15_digital_information_security_policy)
Audit guides: ISACA Security, Audit and Control Features of SAP ERP, 3rd Edition; ANAO Better Practice Guides
Q&A