Turning risk into results: Enabling access management with SAP GRC
What we are seeing in the market

Primarily driven by the Sarbanes-Oxley Act of 2002, the last 10 years have seen a considerable increase in efforts around resolving audit issues associated with segregation of duties (SoD) and sensitive and excessive access. As a result, many companies implemented GRC access management solutions such as SAP GRC Access Control. However, many of them focused on the short-term goal of audit remediation and so never achieved the full value of a GRC access management solution. This is the right time to learn about opportunities to transform your access management program.

Enabling an SAP GRC Access Control solution can help:
• Lower the cost of access management and related audit activities through centralization and automation
• Improve sustainability by centralizing and standardizing methodologies, processes and components
• Increase the effectiveness of access processes through integration with other SAP GRC modules and a focus on critical foundational components such as role design and organizational alignment

Our recent EY Global Information Security Survey of more than 1,700 senior information security and IT leaders found that 46% of respondents ranked internal threats as a significant concern. Fully deploying SAP GRC Access Control while improving access management fundamentals helps address that risk while reducing cost and improving value.
What are the opportunities at your company?

Typical current state
• Increasing complexity: multiple and manual access management processes; fragmented, manual and ad hoc reporting
• Reactive: limited visibility to risks; high instances of access violations
• Consistent failures: significant impact on the business
• Cost pressures: manual and inconsistent processes lead to higher IT costs
• Inconsistent approach: inconsistent role design approach across business processes

Mature state
• Simplified: significant workflow automation in user access processes; integration with SAP GRC Process Control
• Proactive: mandatory SoD checks in the request process; dashboard-level reporting on the user access process, firefighter usage logs and real-time SoD reports, analytics and trending
• Compliant: compliant SAP role design and standardized user access management processes; ability to improve audit activities
• Cost-efficient: IT security operational efficiencies via SAP GRC automation and standardization; automation of access provisioning activities
• Consistent: globally standard roles across business processes and standard user access management processes for application systems
SAP GRC Access Control can enable your risk agenda

The risk agenda ("Turning risk into results") has four elements: enhance risk strategy, embed risk management, improve controls and processes, and optimize risk management functions.

Enhance risk strategy and embed risk management
• Improved alignment to the objectives and strategy of the business
• Comprehensive and continuous risk management and monitoring
• Improved visibility to the risks that matter most to the organization
• Proactive identification of risks
• Enhanced decision-making

Improve controls and processes
• Better aligned risk coverage, including the identification of stronger, more pervasive controls
• Central management of financial, operational and compliance risks and controls across the organization

Optimize risk management functions
• Elimination of duplicate and fragmented risk management activities
• Increased integration and coordination among business, IT and compliance
• Reduced level of effort associated with performing and testing controls
• Increased control and process efficiencies enabled through automation and continuous monitoring
• Sustainability of the risk management process
• Effective top-down and bottom-up reporting
• Improved control mix that addresses key business risks while driving process efficiencies
Resulting in the following benefits (across risk, value and cost):
• Increased integration and coordination among business, IT and compliance
• Reduced audit costs due to a reliable and automated access management environment
• Identification of access anomalies indicating possible fraudulent activity through alerts
• Cost avoidance associated with audit failure
• Continuous access control and SoD management and monitoring
• Sustainability of the access management process
• Efficiencies in the preparation and analysis of SoD reports
• User-friendly reporting
• Reduction in the number of manual controls that must be designed and operated to mitigate access-related issues
• Enhanced visibility to access-related risk exposure across the enterprise (i.e., cross-application, cross-business process)
• Real-time notification of potential access issues based on established business rules
• Elimination of redundant and excessive access management procedures
• Streamlined access approval process
• Super-user access management
• Early detection of potential access issues through scenario analysis before changes are made to user and role access
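The "mandatory SoD checks in the request process" and "scenario analysis before performing changes to user and role access" mentioned above amount to a what-if risk analysis: take the user's current transaction codes, add the requested role, and report which SoD rules the combination would newly violate before anything is provisioned. The following is an added example written for this page; it is not from the brochure and not SAP GRC code. The business functions, SoD rules (P001-P003), role names and the user are constructed sample data. Real GRC rule sets also evaluate authorization objects at the permission level, not only transaction codes.

```python
"""
Added example (not from the EY brochure, not SAP GRC code): a minimal what-if
SoD risk analysis of an access request. FUNCTIONS, SOD_RULES and ROLES are
constructed sample data; rule IDs and role names are hypothetical.
"""
from dataclasses import dataclass

# Business functions as sets of SAP transaction codes (constructed sample).
FUNCTIONS = {
    "AP01_MAINTAIN_VENDOR": {"FK01", "FK02", "XK01", "XK02"},
    "AP02_POST_VENDOR_INVOICE": {"FB60", "MIRO"},
    "AP03_RUN_PAYMENT": {"F110"},
    "GL01_POST_JOURNAL": {"FB50", "F-02"},
    "GL02_DISPLAY_JOURNAL": {"FB03"},
}

# SoD rules: two functions one person must not hold together, with a risk level.
SOD_RULES = {
    "P001": ("AP01_MAINTAIN_VENDOR", "AP02_POST_VENDOR_INVOICE", "High"),
    "P002": ("AP01_MAINTAIN_VENDOR", "AP03_RUN_PAYMENT", "Critical"),
    "P003": ("AP02_POST_VENDOR_INVOICE", "AP03_RUN_PAYMENT", "High"),
}

# Roles -> transaction codes (constructed; "Z:" is the customer namespace).
ROLES = {
    "Z:AP_VENDOR_MASTER": {"FK01", "FK02", "FK03"},
    "Z:AP_INVOICE_PROC": {"FB60", "MIRO", "FB03"},
    "Z:AP_PAYMENT_RUN": {"F110", "FBL1N"},
    "Z:FI_DISPLAY": {"FB03", "FK03", "FBL1N"},
}


@dataclass(frozen=True)
class Violation:
    rule_id: str
    risk_level: str
    function_a: str
    function_b: str
    via_tcodes: frozenset  # the user's t-codes that make both functions executable


def tcodes_for(role_names):
    """Effective transaction codes: the union over all assigned roles."""
    codes = set()
    for name in role_names:
        codes |= ROLES[name]
    return codes


def analyze(tcodes):
    """Every SoD rule whose two functions are both executable with `tcodes`.
    A function counts as executable if the user holds at least one of its t-codes."""
    enabled = {f: FUNCTIONS[f] & tcodes for f in FUNCTIONS if FUNCTIONS[f] & tcodes}
    return [
        Violation(rule_id, level, fa, fb, frozenset(enabled[fa] | enabled[fb]))
        for rule_id, (fa, fb, level) in SOD_RULES.items()
        if fa in enabled and fb in enabled
    ]


def simulate_request(current_roles, requested_roles, mitigated_rules=frozenset()):
    """What-if analysis run before provisioning. Violations the request would
    introduce are split into those without and those with an assigned mitigating
    control; violations that already exist today are returned separately so the
    request is not blamed for them.
    Returns (new_unmitigated, new_mitigated, pre_existing_rule_ids)."""
    before = {v.rule_id for v in analyze(tcodes_for(current_roles))}
    after = analyze(tcodes_for(set(current_roles) | set(requested_roles)))
    new = [v for v in after if v.rule_id not in before]
    unmitigated = [v for v in new if v.rule_id not in mitigated_rules]
    mitigated = [v for v in new if v.rule_id in mitigated_rules]
    return unmitigated, mitigated, sorted(before)


def decide(new_unmitigated):
    """Workflow decision: block Critical conflicts outright; anything else left
    unmitigated goes to the risk owner for a mitigating control or a redesign."""
    if any(v.risk_level == "Critical" for v in new_unmitigated):
        return "REJECT"
    return "APPROVE" if not new_unmitigated else "ESCALATE_FOR_MITIGATION"


if __name__ == "__main__":
    current = {"Z:AP_VENDOR_MASTER", "Z:FI_DISPLAY"}
    for requested in (["Z:AP_INVOICE_PROC"], ["Z:AP_PAYMENT_RUN"]):
        unmitigated, mitigated, existing = simulate_request(current, requested)
        print(requested, decide(unmitigated),
              [(v.rule_id, v.risk_level, sorted(v.via_tcodes)) for v in unmitigated])
```

The split between new and pre-existing violations matters in practice: a request that adds only display access to a user who already holds a conflict should not be rejected for that conflict, but the pre-existing conflict should still surface in the access review rather than being silently carried forward.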
Next steps to improve your risk management landscape

Rapid SAP access diagnostic: provides an accelerated current-state assessment of your SAP access processes and technology, allowing you to identify realizable value and develop a future-state road map to achieve it.
SAP GRC demo: facilitates mapping of business requirements to SAP GRC functionality and can be used to develop an initial business case for implementing SAP GRC.
EY SAP GRC Accelerated Analytics Workbench: a tool that presents SoD conflicts in a business-friendly format and helps identify key risks and pain points and determine initial remediation.
SAP GRC demo environment: demo environment for all the latest versions of software, including SAP GRC 10.0 for Access Control, Process Control, Risk Management and Global Trade Services.
SAP role design benchmarking: key metrics enabling an organization to compare its SAP role design against other companies and leading practices. (Sample finding from the benchmarking exhibit below: roles should be standardized and rationalized to better align with the client's business process design and organizational structure.)
EY RiskUniverse®: industry-specific risk universes, process-normative models and key business risks linked to application-specific controls that can be used to customize SAP GRC demos.
[Exhibit: Comparison of SAP roles against initial design and similar organizations. Sample EY role design benchmarking output; footer reads "Proprietary & Confidential – not for use or disclosure outside Industrial Client. All Rights Reserved – Ernst & Young 2010. DRAFT – FOR DISCUSSION ONLY". "Industrial Client" is the anonymized sample client.]

Panel 1, "Industrial Client vs. Leading Practice Gap": bar chart of the number of parent/template roles per module (General Accounting "FI/CO/AM/TR", Supply Chain "IM/WM/PP", Order to Cash "SD", Procure to Pay "MM", Human Resources "HR"). Series: Industrial Client SAP roles (mapped to job functions document), Industrial Client SAP roles (not mapped to job functions document), roles in comparable organizations. Axis: Number of Parent/Template Roles, 0 to 160.

Panel 2, "Design vs. Actual SAP Roles Gap": Company A current-state General Accounting roles (and number of "Z:FI" roles) by type: job/function roles (58), display roles (14), basic role (1).

Panel 3, "Leading practice role design methodology (and typical number of roles in General Accounting)": a 4-tier model of parent roles, each with children/derived roles:
• Special access role (4-8): transactions restricted to a specific user (i.e., process interface exceptions, mass updates)
• Functional role (8-12): transactions which represent the execution of the job function (minimum overlap of t-codes between roles)
• Departmental role (1-2): transactions which everyone in the department will have access to (i.e., includes display-only roles)
• General role (1): transactions which everyone in the organization will have access to (i.e., printing functions, export/import functions)

Example role names shown in the exhibit: A/P Processing; A/P Processing – Additional; A/R Credit Management Override Executing; A/R Credit Management Override Executing without VKM1, VKM2; A/R Invoice IDOC Processing; Invoice IDOC Processing – For Project CC and Plants; Invoice IDOC Processing – For Stable CC and Plants; Park Journal Entries; Park Journal Entries – For Project CC and Plants; Park Journal Entries – For Stable CC and Plants…; A/R Reporting; A/R Customer Master Displaying; G/L Journal Entry Displaying; Financial Reporting General Display; Display Role (FLB1N); G/L Account Displaying…; General User Role (Z:ABC_GENERAL_USER).
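The exhibit's 4-tier model gives a target count of parent roles per tier for General Accounting and asks for "minimum overlap of t-codes between roles" at the functional tier. Both are measurable from a role export, which is what a "design vs. actual" gap assessment does. The following is an added example written for this page, not EY's benchmarking tool and not from the brochure; the role inventory is constructed sample data, the role names are hypothetical, and the leading-practice ranges are the ones printed in the exhibit.

```python
"""
Added example (not from the EY brochure or its benchmarking tool): check a
role inventory against the exhibit's four-tier parent-role model and measure
t-code overlap between functional roles. INVENTORY is constructed sample data;
the role names are hypothetical.
"""
from itertools import combinations

# Typical number of parent roles per tier for General Accounting, from the exhibit.
LEADING_PRACTICE = {
    "special": (4, 8),
    "functional": (8, 12),
    "departmental": (1, 2),
    "general": (1, 1),
}

# Constructed inventory: role name -> (tier, set of transaction codes).
INVENTORY = {
    "Z:FI_GL_POST":       ("functional",   {"FB50", "F-02", "FB03", "FBL3N"}),
    "Z:FI_GL_POST_PARK":  ("functional",   {"FB50", "FV50", "FB03", "FBL3N"}),
    "Z:FI_AP_INVOICE":    ("functional",   {"FB60", "MIRO", "FB03"}),
    "Z:FI_MASS_UPLOAD":   ("special",      {"LSMW", "SE38"}),
    "Z:FI_DISPLAY":       ("departmental", {"FB03", "FBL3N", "FK03"}),
    "Z:ABC_GENERAL_USER": ("general",      {"SU3", "SP01", "SP02"}),
}


def tier_gap(inventory, practice=LEADING_PRACTICE):
    """Count parent roles per tier and classify each count as below, within or
    above the leading-practice range. Returns {tier: (actual, low, high, status)}."""
    counts = {}
    for tier, _ in inventory.values():
        counts[tier] = counts.get(tier, 0) + 1
    result = {}
    for tier, (low, high) in practice.items():
        n = counts.get(tier, 0)
        status = "below" if n < low else "above" if n > high else "within"
        result[tier] = (n, low, high, status)
    return result


def jaccard(a, b):
    """Share of t-codes two roles have in common (0 = disjoint, 1 = identical)."""
    return len(a & b) / len(a | b) if a | b else 0.0


def functional_overlap(inventory, threshold=0.5):
    """Pairs of functional roles whose t-code sets overlap by more than `threshold`
    (Jaccard): candidates for consolidation into one parent role with derived
    children, which is how the 4-tier model handles org-level variants."""
    functional = {r: t for r, (tier, t) in inventory.items() if tier == "functional"}
    pairs = []
    for (r1, t1), (r2, t2) in combinations(sorted(functional.items()), 2):
        score = jaccard(t1, t2)
        if score > threshold:
            pairs.append((r1, r2, round(score, 2)))
    return sorted(pairs, key=lambda p: -p[2])


if __name__ == "__main__":
    for tier, (n, low, high, status) in tier_gap(INVENTORY).items():
        print(f"{tier:12s} actual={n:2d} leading practice={low}-{high} -> {status}")
    for r1, r2, score in functional_overlap(INVENTORY):
        print(f"overlap {score:.2f}: {r1} <-> {r2} (consolidation candidate)")
```

On a real export the interesting output is usually the functional tier being well above range while many pairs score high on overlap, which is the pattern the exhibit describes: dozens of near-identical job roles that the model would collapse into a handful of parents plus derived children.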
Why EY?
• Global and flexible approach with a focus on SAP GRC
• Knowledgeable team with practical experience in process, risk and technology disciplines
• Industry-specific content and enablers
• Leading-practice assessment diagnostics and leverage models
• Service delivery model design and key performance indicators
EY | Assurance | Tax | Transactions | Advisory
© 2014 EYGM Limited. All Rights Reserved.
About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EYG/OC/FEA no. XX0000
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
Our services
• Rapid GRC technology diagnostic
• GRC technology vendor selection
• GRC technology implementation and assessments
• Risk transformation enabled by GRC technology
1403-1222661
EC ED 0115

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.
ey.com