The document discusses SAP's GRC (Governance, Risk, and Compliance) software solutions. It summarizes key capabilities like integrated risk management, access control, role management, and provisioning. These capabilities help organizations comply with regulations, automate manual processes, and prevent security risks through continuous monitoring and access controls.
Governance, Risk & Compliance SAP Live and Local Webcast Tour ‘08 5 June, 2008
2.
Fragmentation Managing with confidence is difficult in an increasingly complex world (Diagram labels: Board of Directors, Finance, Legal, Sales, Contracts, HR, Controller, IT, Policy Mgmt., Audit & Compliance, Treasury; Australia, U.S.A, Japan, U.K., France, China, Germany, India; Compliance, Governance, Risk Mgmt.; Security, Proj. Mgmt., Doc. Mgmt., Contracts, Planning, Customers, ERP, Production, Billing; ASX Principle 7, CLERP 9, Credit Risk, Human Capital Risk, Segregation of duties, SOX, ROHS, WEEE, Project Risk)
3.
Integrated GRC Forward-looking organizations are seeking a unified approach to GRC (Diagram labels: Australia, U.S.A, Japan, U.K., France, China, Germany, India; Compliance, Governance, Risk Mgmt.; Security, Proj. Mgmt., Doc. Mgmt., Contracts, Planning, Customers, ERP, Production, Billing; Board of Directors, Finance, Legal, Sales, Contracts, HR, Controller, IT, Policy Mgmt., Audit & Compliance, Treasury; ASX Principle 7, CLERP 9, Credit Risk, Human Capital Risk, SOX, ROHS, WEEE, Project Risk, Segregation Of Duties)
4.
SAP Solutions for GRC A unified solution for GRC management Transparency to balanced global risk profile Standardization on common GRC content and rules Automates and embeds GRC into business processes Business Process Platform Cross-Industry GRC Risk Management Risk Management Business Applications Compliance & Controls Industry-Specific GRC GRC Repository Environment Access Control Global Trade Process Control Life Sciences High Tech Chemicals Oil & Gas Banking Business Process
5.
SAP GRC Access Control Sustainable prevention of segregation of duties violations Cross-enterprise library of best practice segregation of duties rules Compliant User Provisioning Prevent SoD violations at run time Superuser Privilege Management Close #1 audit issue with temporary emergency access Periodic Access Review and Audit Focus on remaining challenges during recurring audits (Stay in Control) (Stay Clean) Risk analysis, remediation and prevention services Enterprise Role Management Enforce SoD compliance at design time Risk Identification and Remediation Rapid, cost-effective and comprehensive initial clean-up (Get Clean) Minimal Time To Compliance Continuous Access Management Effective Management Oversight and Audit
6.
Risk Analysis, Remediation and Prevention Services Delivers 24/7, real-time compliance by stopping security and controls violations before they occur Alerts Framework Reporting Reporting Real-time Simulation Mitigation Management Remediation Management Critical Transaction Monitoring Real-time SoD Risk Analysis Cross-Application Integration Risk Identification Elimination Prevention Mandatory Prevention Access Risks Services Cross-Enterprise Rules Architect Cross-Enterprise Rules Database Rules Access Risks Library Common services across all SAP GRC Access Control capabilities “SAP GRC Access Control, with its comprehensive preconfigured rule set, reflected deep expertise within SAP that would have taken us a very long time to replicate.” Synopsys Inc.
7.
Risk Analysis and Remediation Getting clean Reporting Risk Elimination Risk Identification Prevention End-to-End Automation Initial Risk Analysis and Remediation Facilitates collaboration between Business and IT to clean up access risks “The clean-up process has brought a tremendous degree of discipline to the way we think about and manage user access and authorizations.” Synopsys Inc.
8.
Enterprise Role Definition Enables enterprise role definition and maintenance in a single location Centralized Role Management Across applications Enterprise Rules Audit log SAP GRC Access Control Reduce cost of role maintenance Ease compliance and avoid authorization risk Eliminate errors and enforce best practices Assure audit-ready traceability and security checks 28% time savings in role management Customer Survey, 3/2006 Compliant enterprise roles Role … Role Role Role Role Role Role Role Role Role
9.
SAP GRC Access Control Superuser Access Management Key Functionality Alert Framework Date Restrictions ID Administration Audit Logs Security Notification Reporting Reporting The only compliance-focused emergency access solution Compliant Superuser Access Privileged Access Firecall ID SD Firecall ID MM Firecall ID FICO Firecall ID . . . New Session New Session New Session New Session Superuser Pre-assigned firecall IDs Access restrictions Validity dates Field-level changes tracked in audit log Log-in Restrictions Single User per ID Specific Authorization Access Log Log Log Log
10.
SAP GRC Access Control Compliant Provisioning Enables Compliant End-to-End Provisioning “hire to retire” Current Approach—Inefficient, Not Compliant email email spreadsheets, paper forms spreadsheets, paper forms Access Request Manager Approval Role Owner IT Security Manual Provisioning
11.
GRC Access Control Compliant Provisioning Compliant Provisioning with Dynamic Workflow Path Workflow—based on request type and user attributes Escalation Workflow Exception Workflow 100% Automated HR Event Employee Hired/Retired Via e-mail 1 “Click” Preventive Simulation 100% Automated Embed cross-enterprise preventive compliance into business process Reduce cost of user administration Improve productivity of end users Auditable tracking for auditors “We reduced provisioning from 2 weeks to 2 days” – Web Seminar Rockwell Collins, 3/2005 Request Generated Automated Provisioning Mgr Approval Risk Analysis … … …
12.
Key Solution Capabilities and Benefits Identifies and prevents access and authorization risks in cross-enterprise IT systems to prevent fraud and reduce the cost of continuous compliance and control Provides end-to-end automation for detecting, remediating, mitigating, and preventing access and authorisation risk across the enterprise Allows for true cross-enterprise SoD risk mitigation by integrating into SAP and non-SAP systems Common Customer Challenges Addressed Need to comply with SOX regulations for section 404, or similar regulations Weak support for the audit process to ensure the right measures are in place to prevent fraud Manual or people-intensive compliance processes involving emails, spreadsheets and/or paper Costly, manual remediation Uncontrolled role management Excessive super-user access Inefficient and un-auditable user provisioning Reactive vs. preventative Value Proposition Establish approach and process to manage risk rules Gain alerts on potential violations Identify business functions which produce risks when executed by same individual Focus on prevention vs. “a point in time” detection Simplify compliant enterprise level role administration Enforce compliant security for Privileged Access Increase visibility through timely notification Deliver audit ready, detailed reporting Lower risk and save money through proactive compliance GRC Access Controls
13.
Our offer to you The Two Faces of Risk: Cultivating Risk Intelligence for Competitive Advantage Deloitte Review