SoX Compliance with GRC Access Control - The Alpro case


The monitoring of SOX Compliance with SAP GRC Access Control 10.0: the Alpro case

To ensure SOX compliance of their authorizations, Alpro decided to implement the Analyze & Manage Risk (AMR) module of SAP GRC Access Control 10.0 to perform risk analyses on the same level as the external auditors do, to facilitate clean-up of unwanted access rights, to document the mitigation of SOX critical accesses that are needed both at user and at HR position levels, and to run dashboard and detailed reports in order to increase the business understanding and involvement in the authorizations processes.

SAPience User Day, March 21, 2013


SoX Compliance with GRC Access Control - The Alpro case

  1. User Day ’13, March 21, 2013. The monitoring of SOX Compliance with SAP GRC Access Control 10.0. Eric Lagrange, Alpro; Chris Walravens, Expertum.
  2. Agenda: Key Facts about Alpro; Key Facts about Expertum; SOX Compliance @ Alpro; SAP GRC Access Control; Position Based Security; Preventative Simulation; Operational Processes; Risk Mitigation; Root Cause Analysis; Reporting; Benefits.
  3. Key facts and figures about Alpro
     • Alpro founded in 1980 and acquired by Dean Foods mid 2009
     • Part of The WhiteWave Foods Company (NYSE) since mid 2012
     • Grown to € 286 million in revenues in 2012 (US GAAP) (€ 304 mio IFRS)
     • European market leader in non-dairy plant-based products
     • 2 power brands: Alpro® and Provamel®
     • 6 product categories, 3 channels
     • 4 wholly-owned commercial organisations in BE, NL, UK and GE and more than 30 commercial partnerships in all other primary European markets
     • 4 plants in BE, FR, UK and NL
     • ~850 employees
  4. Alpro mission anchored in sustainable development: “We create delicious naturally-healthy plant-based foods for the maximum wellbeing of everyone and with the utmost respect for our planet”
  5. Innovation: Alpro driving innovation in 3 dimensions
  6. Innovations 2012
  7. Innovations in 2012
  8. Vegetal alternatives are 5 to 10 times more efficient than animal products on key SD KPIs (cow’s milk vs soy / cow’s meat vs soy):
     • Land: x3 / x45
     • Water: x2,5 / x20
     • Air (CO2): x5 / x10
     • Energy
     Source: Ecofys
  9. Evidence shows that healthy and sustainable foods go hand in hand. Source: Barilla Centre for Food Nutrition
  10. Introduction Expertum
     Facts
     • Founded in April 2006 by 2 ex-SAP Belux employees
     • Team of 50+ SAP Experts and Project Managers
     • Partnerships: Gold
     Mission
     • Exceed client expectations by providing top-quality expertise
     • Provide our people a safe environment for personal and professional growth
     Strength
     • Highly skilled & experienced SAP consultants in all SAP areas, combined with a wide industry knowledge in several domains
     • First (and still only) IT services provider on the Belgian market to receive the coveted SAP certificate for quality management (AQM)
  11. Expertum Competence Areas: Project Management (PM); Finance & Controlling (FI/CO); Supply Chain Management (SCM); Knowledge Management - Business Intelligence (BI: BW + BO); Product & Service Lifecycle Management (PLM); Product Development; Governance, Risk, and Compliance (GRC); Application Lifecycle Management (SolMan + NW)
     Focus GRC team
     • SAP Authorization Health Check
     • SAP Authorization Concept (re)Design
     • SOD conflict Remediation
     • SAP Security Framework design
     • SAP GRC Toolbox - GRC RDS Certified
     • SAP IDM
     • Day to Day support
  12. SOX-Compliance @ Alpro
     • Achieved SOX-compliance successfully (2010 / 2011 / 2012)
     • Resulted in enhanced business controls and authorizations
     • Provided Alpro management extra comfort on the main business processes and their impact on the financial reporting
     • For SAP authorizations, 2 controls applied:
       • Internally built tool used during operational processes
       • Periodic query runs of external auditor
     • Major gaps between the two controls existed:
       • Internal tool only checked on transaction code level
       • No alignment of monitored functionality between the two tools / rule sets
  13. SAP GRC Access Control: Analyze & Manage Risks (AMR), Emergency Access Management (EAM), Business Role Management (BRM), Provision & Manage Users (PMU)
     • Alignment of rule set
     • Preventative simulation
     • Embed risk analysis in the operational processes
     • Document risk mitigation
     • Facilitate root cause analysis
     • Enhance reporting
  14. Position Based Security
     Position based security
     • Use of the HR organizational structure
     • Role assignments to positions
     2-layered concept
     • Composite roles for positions or functions
     • Single & derived roles for functionality (at sub-process level)
     Approval process
     • Approvals of role assignments are done on position level
     • Risk mitigations are approved on position level
  15. Preventative Simulation
     Rule set
     • Contains critical functionality & SOD queries
     • Works on transaction code and detailed object level
     • Aligned with SOX controls applied by external auditor
     Simulation functionality
  16. Operational Processes
     • New user / Existing position: No simulation required
     • Existing user / Change position; New user / New position: Run position simulation
     • Existing user / multiple positions: Run user simulation
     • Changes in roles: Run position simulation
  17. Risk Mitigation
     Mitigation decision on position level (Corporate Controller)
     Mitigation documentation both on position & user level
     • New / Changed position
       • Decision and documentation on position level
       • Apply the position mitigations to the users
     • New user
       • Apply mitigations of assigned position on user level
     • Changed user
       • Remove all mitigations of previous position on user level
       • Apply mitigations of new position on user level
  18. Root Cause Analysis
     SOD Rule: Maintain AP Payment run vs Maintain Vendor MD
     Technical Roles: XP3..FIAP_PAYRUN_FULL + XP3..VENDMD_FULL
  19. Reporting
  20. Benefits
     • Rule set fully in line with SOX requirements
     • Full preventative mode: no authorization change goes into production without preventative checking against the rule set
     • Risk analysis fully embedded in the operational processes
     • Risk mitigations are fully documented during the operational processes
     • Root cause analysis is facilitated, making day-to-day maintenance easier
  21. Get Inspired. Stay Connected. Achieve Business Agility. Thank you!
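Added example, not code from the deck or from Alpro, Expertum or SAP GRC: a small Python model of the position-based SoD analysis described on the Position Based Security, Operational Processes, Risk Mitigation and Root Cause Analysis slides, showing why a user holding several positions needs a user-level simulation even when each position is clean, and how position-level mitigations follow a user across a position change. The SoD rule and the two technical role names are those on the Root Cause Analysis slide; composite role, position and control names are constructed.

```python
# Added toy model of position-based SoD analysis, not code from the Alpro/Expertum
# deck. Composite role, position and control names are constructed; the SoD rule
# and the two technical roles are those shown on the Root Cause Analysis slide.
FUNCTION_ROLES = {  # technical (single/derived) roles granting each business function
    "Maintain AP Payment run": {"XP3..FIAP_PAYRUN_FULL"},
    "Maintain Vendor MD": {"XP3..VENDMD_FULL"},
}
SOD_RULES = [("Maintain AP Payment run", "Maintain Vendor MD")]  # conflicting pairs
# 2-layered concept: positions carry composite roles, composites bundle single roles.
COMPOSITE_ROLES = {
    "Z_COMP_AP_PAYMENTS": {"XP3..FIAP_PAYRUN_FULL"},
    "Z_COMP_VENDOR_MASTER": {"XP3..VENDMD_FULL"},
}
POSITIONS = {
    "AP_ACCOUNTANT": {"Z_COMP_AP_PAYMENTS"},
    "VENDOR_CLERK": {"Z_COMP_VENDOR_MASTER"},
    "CORP_CONTROLLER": {"Z_COMP_AP_PAYMENTS", "Z_COMP_VENDOR_MASTER"},
}
# Mitigations are decided and documented per position as (rule, control id).
POSITION_MITIGATIONS = {"CORP_CONTROLLER": {(SOD_RULES[0], "CTRL-AP-01")}}

def position_roles(position):
    """Effective technical roles of a position, resolved through its composites."""
    return set().union(*(COMPOSITE_ROLES[c] for c in POSITIONS[position]))

def sod_violations(roles):
    """Root cause analysis: map each violated SoD rule to the roles that cause it."""
    found = {}
    for f1, f2 in SOD_RULES:
        hit1, hit2 = roles & FUNCTION_ROLES[f1], roles & FUNCTION_ROLES[f2]
        if hit1 and hit2:
            found[(f1, f2)] = hit1 | hit2
    return found

def simulate_user(positions):
    """User simulation: a user holding several positions is checked on the union."""
    return sod_violations(set().union(*(position_roles(p) for p in positions)))

def change_position(user_mitigations, old_position, new_position):
    """Changed user: drop the old position's mitigations, apply the new position's."""
    kept = user_mitigations - POSITION_MITIGATIONS.get(old_position, set())
    return kept | POSITION_MITIGATIONS.get(new_position, set())

def unmitigated(violations, user_mitigations):
    """Violated rules with no documented control: what the auditor would flag."""
    return {r for r in violations if not any(m[0] == r for m in user_mitigations)}
```

Running `unmitigated(simulate_user([...]), mitigations)` for a user with the positions AP_ACCOUNTANT and VENDOR_CLERK reports the AP Payment run vs Vendor MD rule, although each position on its own passes its position simulation.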