Enabling access management with SAP GRC - EY - United States

Turning risk into results Enabling access management with SAP GRC...

4 downloads 705 Views 2MB Size
Turning risk into results Enabling access management with SAP GRC

What we are seeing in the market Primarily driven by the Sarbanes-Oxley Act of 2002, the last 10 years have seen a considerable increase in efforts around resolving audit issues associated with segregation of duties (SoD) and sensitive and excessive access. As a result, many companies implemented GRC access management solutions such as SAP GRC Access Control. However, a lot of companies focused on the short-term goal of audit remediation, so they were not able to achieve the full value of a GRC access management solution. This is the right time to learn about opportunities to transform your access management program. Enabling an SAP GRC Access Control solution can help: • Lower the cost of access management and related audit activities through centralization and automation • Improve sustainability by centralizing and standardizing methodologies, processes and components • Increase effectiveness of access processes through integration with other SAP GRC modules and focus on critical foundational components such as role design and organizational alignment Our recent EY global information security survey of more than 1,700 senior information security and IT leaders found that 46% of respondents ranked internal threats as a significant concern. Fully deploying SAP GRC Access Control while focusing on improving access management fundamentals will help address that risk while reducing cost and improving value.

What are the opportunities at your company? Typical current state Increasing complexity

Reactive

Consistent failures

Cost pressures

Inconsistent approach

Multiple and manual access management processes

Fragmented, manual and ad hoc reporting Limited visibility to risks

High instances of access violations

Manual and inconsistent processes lead to higher IT costs Significant impact on business

Inconsistent role design approach across business processes

Mature state Simplified

Significant workflow automation in user access processes Integration with SAP GRC Process Control

Proactive

Mandatory SoD checks in the request process Dashboard-level reporting on user access process, firefighter usage logs and realtime SoD reports analytics and trending

Compliant

Compliant SAP role design and standardized user access management processes Ability to improve audit activities

Costefficient

Consistent

IT security operational efficiencies via SAP GRC automation and standardization Automation of access provisioning activities Globally standard roles across business processes and standard user access management processes for application systems

SAP GRC Access Control can enable your risk agenda

Enhance risk strategy

Embed risk management

 Improved alignment to the objectives and strategy of the business

 Comprehensive and continuous risk management and monitoring

 Improved visibility to risks that matter most to the organization  Proactive identification of risks  Enhanced decision-making

Risk agenda Enhance risk strategy

Embed risk management

Turning risk into results

Improve controls and processes  Better aligned risk coverage, including the identification of stronger, more pervasive controls

 Central management of financial, operational and compliance risks and controls across organization

Optimize risk management functions

Improve controls and processes

Optimize risk management functions  Elimination of duplicate and fragmented risk management activities  Increased integration and coordination among business, IT and compliance

 Reduced level of effort associated with performing and testing controls  Increased control and process efficiencies enabled through automation and continuous monitoring

 Sustainability of risk management process  Effective top-down and bottomup reporting

 Improved control mix that addresses key business risks while driving process efficiencies

Resulting in the following benefits:

Risk

Value Cost

• Increased integration and coordination among business, IT and compliance

Risk

Value Cost

Risk

Value

Cost

• Reduced audit costs due to a reliable and automated access management environment

• Identification of access anomalies indicating possible fraudulent activities through alerts

• Cost avoidance associated with audit failure

• Continuous access control and SoD management and monitoring

• Sustainability of access management process

• Efficiencies associated with preparation and analysis of SoD reports

• User-friendly reporting

• Reduction in the number of manual controls required to be designed and operated to mitigate access-related issues

• Enhanced visibility to access-related risk exposure at the enterprise (i.e., cross-application, cross-business process)

• Real-time notification of potential access issues based on established business rules

• Elimination of redundant and excessive access management procedures • Streamlined access approval process

• Super-user access management • Early detection of potential access issues through scenario analysis before performing changes to user and role access

Next steps to improve your risk management landscape Rapid SAP access diagnostic provides accelerated current state assessment of your SAP access processes and technology, allowing you to identify realizable value and develop a future state road map to achieve it.

SAP GRC demo facilitates mapping of business requirements to SAP GRC functionality and could be used to develop an initial business case for implementing SAP GRC.

EY SAP GRC Accelerated Analytics Workbench: a tool that presents SoD conflicts in a business-friendly format and helps identify key risks and pain points and determine initial remediation.

SAP GRC demo environment: demo environment for all the latest versions of software, including SAP GRC 10.0 for Access Control, Process Control, Risk Management and Global Trade Services.

SAP role design benchmarking: key metrics enabling an organization to compare its SAP role design against other companies and leading Roles should be standardized and rationalized to better align with Industrial Client’s business process design and organizational structure practices.

EY RiskUniverse®: industry-specific risk universes, process-normative models and key business risks linked to application-specific controls that can be used to customize SAP GRC demos.

Comparison of SAP roles against initial design and similar organizations Leading practice role design methodology (and typical number of roles in General Accounting)

Children/derived roles

Children/derived roles

General Accounting "FI/CO/AM/TR" roles

Job/function role (58)

Transactions restricted to a specific user (i.e., process interface exceptions, mass updates)

Functional role (8-12) Transactions which represent the execution of the job function (minimum overlap of t-codes between roles)

A/P Processing Processing A/P A/P Processing Processing –– Additional Additional A/P A/R Credit Credit Management Management Override Override Executing Executing A/R A/R Credit Credit Management Management Override Override Executing Executing without without VKM1, VKM1, VKM2 VKM2 A/R Invoice IDOC IDOC Processing Processing Invoice Invoice IDOC IDOC Processing Processing –– For For Project Project CC CC and and Plants Plants Invoice Invoice IDOC IDOC Processing Processing –– For For Stable Stable CC CC and and Plants Plants Invoice Post Park Journal Entries Post Park Journal Entries Park Journal Entries – For Project CC and Plants Park Journal Entries – For Project CC and Plants Park Journal Entries – For Stable CC and Plants… Park Journal Entries – For Stable CC and Plants…

Supply Chain "IM/WM/PP" roles

20

Industrial Client vs. Leading Practice Gap

43

25 24

22

15

Order to Cash "SD" roles

22

Display role (14)

Departmental role (1-2) Transactions which everyone in the department will have access (i.e., includes display only roles)

A/R Reporting A/R Customer Master Displaying G/L Journal Entry Displaying

Basic role (1)

Financial Reporting General Display Display Role (FLB1N) G/L Account Displaying …

Procure to Pay "MM" roles

8

General User Role (Z:ABC_GENERAL_USER)

7

Human Resources "HR" roles

12

10 0

20

40

60

80

100

120

140

160

Number of Parent/Template Roles

Proprietary & Confidential – not for use or disclosure outside Industrial Client All Rights Reserved – Ernst & Young 2010 DRAFT – FOR DISCUSSION ONLY

Page 2

22

12

General role (1)

Transactions which which everyone everyone Transactions in the the organization organization will will have have access access (i.e., (i.e., printing printing functions, functions, in export/import functions)

Page 1

107

29

Parent role

Parent role

Special access role (4-8)

4 – tier model

“Design vs. Actual” SAP Roles Gap

Company A current state General Accounting roles (and number of “Z:FI” roles)

Industrial Client SAP Roles (mapped to job functions document) Industrial Client SAP Roles (not mapped to job functions document) Roles in comparable organizations

Proprietary & Confidential – not for use or disclosure outside Industrial Client All Rights Reserved – Ernst & Young 2010 DRAFT – FOR DISCUSSION ONLY

Why EY? • Global and flexible approach with a focus on SAP GRC • Knowledgeable team with practical experience in process, risk and technology disciplines

• Industry-specific content and enablers • Leading-practice assessment diagnostics and leverage models • Service delivery model design and key performance indicators

EY | Assurance | Tax | Transactions | Advisory

© 2014 EYGM Limited. All Rights Reserved.

About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EYG/OC/FEA no. XX0000

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Our services • Rapid GRC technology diagnostic • GRC technology vendor selection • GRC technology implementation and assessments • Risk transformation enabled by GRC technology

1403-1222661 EC ED 0115 This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

ey.com