Rethinking Segregation of Duties: Where Is
Your Business Most Exposed?
Erin Hughes
SAP
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 1
Agenda
1 The History
2 The Rule Set
3 The Mitigating Controls
4 The Benefits of Automation
5 Q&A
First, a look at Segregation of Duties
Segregation of Duties (SoD): A basic internal control that prevents or detects errors
and irregularities by assigning to separate individuals the responsibility for initiating
and recording transactions and for the custody of assets*
* Source: ISACA Glossary Terms
But really, SoD has “always” been an audit consideration and an important component of
an internal controls program
And internal control requirements, including SoD, are not only required for publicly held
companies
Risk vs. Cost – The balancing act
Many companies still rely heavily on manual processes to manage SoD
(Chart: how respondents manage SoD today)
SAP ERP security reports (SUIM): 55%
MS Excel or Word: 37%
ID management system: 23%
Other: 15%
None: 8%
Homegrown: 7%
Source: SAPinsider “Are You Doing Enough to Prevent Access Risk and Fraud?”
Automation is key
Gartner estimates that most organizations take one of three approaches:
Source: www.gartner.com/doc/2484315/automate-segregation-duties-erp-reduce

1. Manual processes supported by spreadsheets (40% of G2000)
Advantages:
■ No visible budget startup investment
■ Smaller organizations can get away with less rigor
■ Can be cheaper if auditors accept the process as defensible
Disadvantages:
■ Real cost hidden in labor
■ Mostly inefficient processes
■ Always at risk of not passing auditor scrutiny
■ Can be considerably more expensive than other options
■ More prone to human error
■ Not continuous

2. Consultant-enabled engagements (40% of G2000)
Advantages:
■ Can directly support external auditor approach and expectation
■ Consultants may leave behind software to test and prep for future audits
Disadvantages:
■ Most expensive approach
■ Least control for businesses, resulting in auditors dictating business process changes
■ Dependency on consultants for any policy changes
■ Not continuous

3. Automation through commercially supported software (20% of G2000)
Advantages:
■ Can be set up as a continuous process that prevents SoD “creep” throughout the year
■ Most control for businesses to manage SoD risk while minimizing disruption
■ Potentially the most cost-efficient and defensible over the long term
Disadvantages:
■ Substantial startup costs which require budget approval
SAP Access Control
Manage access risk and prevent fraud
• Find and remediate SoD and critical access violations
• Automate access assignments across SAP and non-SAP systems
• Define and maintain roles in business terms
• Certify access assignments are still warranted
• Monitor emergency access and transaction usage
(Graphic: SAP_ALL crossed out; SAP and legacy systems connected to SAP Access Control)
SAP Access Control – A little bit of (unofficial) history
April 2006: SAP acquires Virsa
• SAP Virsa Compliance Calibrator (CC)
• SAP Virsa Access Enforcer (AE)
• SAP Virsa Firefighter (FF)
• SAP Virsa Role Expert (RE)
September 2008: SAP changes the Access Control module names with version 5.3
• Risk Analysis and Remediation (RAR)
• Compliant User Provisioning (CUP)
• Superuser Privilege Management (SPM)
• Enterprise Role Management (ERM)
January 2009: SAP officially announces new names for the GRC solutions
• SAP BusinessObjects Access Control (with 4 capabilities: RAR, CUP, SPM, ERM)
June 2011: Access Control 10.0 is released
• No longer 4 capabilities: 1 harmonized solution called SAP BusinessObjects Access Control
April 2012: SAP removes the BusinessObjects branding from the GRC solutions:
• SAP Access Control
Or in other words …
Virsa | SAP Access Control (until 2011) | SAP Access Control Today
Compliance Calibrator (CC) | Risk Analysis and Remediation (RAR) | Access Risk Analysis (ARA)
Firefighter (FF) | Superuser Privilege Mgmt. (SPM) | Emergency Access Mgmt. (EAM)
Access Enforcer (AE) | Compliant User Provisioning (CUP) | User Access Mgmt. (UAM)
Role Expert (RE) | Enterprise Role Mgmt. (ERM) | Business Role Mgmt. (BRM)
Implementation and best practice considerations
Rule #1: Don’t cut the design phase short!
This is important whether you’re planning to:
• “Complete the AC suite”
• Upgrade to 10.x
• Leverage advanced SAP Access Control functionality
• Extend SAP Access Control beyond SAP ERP
• Integrate with Identity Management applications
Look for process improvements during the design phase
Question whether the way you’re doing things today is the “best way” or just what you’ve been doing
for years
Implementation and best practice considerations (cont.)
Do:
• Identify the right internal resources
  • Active executive participation
  • Need a good project manager
  • Need decision makers
  • Need collaboration between all parties
  • Need to know the business processes
  • Employee and company knowledge are essential
• Start when needed; don’t wait for the perfect time, or for future functionality
• Focus on priorities and methodologies
• Focus on high-risk areas, not all risks
Don’t:
• Assign only contractors to the project
  • They leave with little knowledge transfer
  • They don’t have a relationship with the business
  • They have little decision-making authority – “do it like we’ve always done it”
• Let management believe compliance can be achieved in a few weeks or when the project ends
SAP AC: SAP Access Control
IGA: Identity, Governance, and Administration (Gartner)
Risk definition is one of the most important tasks in your project
Step 1: Document Access Risks
• Should be done in business language
• Risk statement should clearly state the actions and the negative results that will occur if the undesired access is exploited
Step 2: Classify Access Risks
• Assess the severity of the risk to the organization if exploited
• Assign/review risk ranking (critical, high, medium, low)
Step 3: Identify Risk Owners
• Risks belong to the business; risk owners should be business personnel (not IT!)
• Assign owners to each risk
Step 4: Translate into Technical Risks
• Enlist the help of IT to assist with technical risk definitions
• Remember to include both standard and custom transactions
Step 5: Publish and Deploy Technical Risk Definitions
• Publish risk definitions
• Upload risk definitions into AC and generate rules
Best practices for defining risks: Risk definition result
After completing the 5 steps for risk identification, you now have technical risk definitions that have been:
• Defined
• Documented
• Reviewed
• Approved
A risk is a risk is a risk
• It doesn’t matter who has the access
• Reported risks must be remediated by removing access or identifying appropriate controls
When you begin reporting actual risks for remediation, there should be no arguments about which risks are reported
Rule set definition is not a one-time activity
Changes happen every day – make sure your rules reflect changes in your environment
• Role changes
• Custom transactions
• New business processes
• Configuration changes
Establish and document a change management process for modifying risks/rules in AC
• It’s critical that your rule change process is formally documented to provide proof to management and auditors
that the rules are appropriately controlled
Identify a process for keeping your risks current
So, when is the last time you reviewed or updated your rule set?
If you’ve upgraded (or are planning to)
upgrade your AC system, was/is a rule set
review part of the project?
Have you “gone live” with any new
functionality in your ERP system that should
be reviewed?
Have you added new systems to your
landscape which are applicable for SoD or
critical access?
SoD should be reviewed not just within a single system, but from a process perspective
(for example across HCM, Ariba, T&E, and CRM)
Key considerations when updating your rule set
Functional
• What was your starting point?
• Did you deactivate any business processes,
risks during your initial implementation?
• Should they still be deactivated?
• What has changed since your last review?
• New business units
• New business processes
• New business process owners
• SoD vs. sensitive access risks
Technical
• What was your starting point?
• Did you deactivate any t-codes, authorization
objects during your initial implementation?
• Should they still be deactivated?
• What has changed since your last review?
• New systems in the landscape
• New authorizations or t-codes in use
You ran the reports and have 2,546,657 violations. Now what?
Big Picture
Being “clean” is a relative term
The segregation of duties rules are the master data that drive the Access Control capability and
ultimately are the measure of how clean you are
Like all master data within an ERP system, if it’s incorrect or incomplete, the results will not be
accurate, and you may think you’re clean, but you’re not
When access violations are found, a decision must be made
Option 1: Modify the user’s access
Option 2: Assign a mitigating control
The following questions should be addressed, but typically aren’t:
1. What is my potential financial exposure as a result of mitigating the risk or modifying the access?
2. How many labor hours will be required to execute the mitigating controls?
3. What are the chances that we will actually find violations – and potentially fraud – through a manual, sample-based approach?
Current challenges
• Lack of visibility into bottom-line exposure due to SoD violations
• Manually intensive mitigating control processes
• Identification of issues is like searching for a needle in a haystack
• Siloed approach to enterprise access governance
Focus mitigating control execution only on actual violations – Process
The funnel narrows in four stages:
1. Potential risk violation: users have authorization to perform one or more transactions resulting in SoD violations
2. Risk violations through transaction usage: users have accessed one or more transaction codes resulting in SoD violations
3. Risk violation without filtering: details of all SoD transaction events
4. Exceptions requiring review
Filtering risk data by dollar value and other transaction details can bring thousands of records down to a handful, and many times to zero
Notification only when actual SoD events occur is the most efficient process for business, compliance, and audit
Focus mitigating control execution only on actual violations – Example
1. Potential risk violation: users have authorization to maintain vendors and issue payments to those vendors
2. Risk violations through transaction usage: users have accessed one or more transaction codes where they maintained a vendor and issued a payment
3. Risk violation without filtering: users have maintained a vendor and issued a payment over $1,000
4. Exceptions requiring review: users maintained a vendor and issued a payment over $1,000 to the same vendor
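The four-stage funnel from the two preceding slides, worked through as an added Python example (this is not code from SAP Access Control or SAP Access Violation Management, which implement the same idea through their own rule sets, usage extracts and reports). A technical risk is modelled as a pair of conflicting functions, each a set of transaction codes; stage 1 is computed from role assignments, stage 2 from an executed-transaction log, and stages 3 and 4 by applying the dollar threshold and the same-vendor correlation. The rule ID P001, the function and role names, the users, the custom transaction ZVEND01 and the event log are constructed sample data; the standard t-codes (XK01/XK02/FK01/FK02 for vendor master maintenance, F110/F-53/F-58 for payments) are used for illustration only, and a real rule set would carry authorization-object level detail as well.

```python
"""SoD rule evaluation: potential -> actual -> filtered -> exceptions.

Added illustration; not SAP Access Control / Access Violation Management code.
Rule, roles, users, ZVEND01 and the event log are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

# Step 4 of risk definition: a technical risk is a pair of conflicting
# functions, each a set of transaction codes (standard and custom).
FUNCTIONS = {
    "AP01_MAINTAIN_VENDOR": {"XK01", "XK02", "FK01", "FK02", "ZVEND01"},
    "AP02_PAY_VENDOR": {"F110", "F-53", "F-58"},
}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    functions: tuple  # (function_a, function_b); access to both = SoD conflict
    ranking: str      # critical / high / medium / low (step 2)
    owner: str        # business owner, not IT (step 3)


RULES = [
    Risk("P001", "Maintain vendor master data and issue payments to the same vendor",
         ("AP01_MAINTAIN_VENDOR", "AP02_PAY_VENDOR"), "high", "AP Manager"),
]

# Constructed role -> t-code and user -> role assignments (the authorization view).
ROLES = {
    "Z_AP_CLERK": {"FK01", "FK02", "FB60"},
    "Z_AP_PAYMENT": {"F110", "F-53"},
    "Z_AP_DISPLAY": {"FK03", "FBL1N"},
}
USER_ROLES = {
    "ALICE": {"Z_AP_CLERK", "Z_AP_PAYMENT"},    # can do both functions
    "BOB": {"Z_AP_CLERK"},                      # maintain only
    "CAROL": {"Z_AP_PAYMENT", "Z_AP_DISPLAY"},  # pay only
    "DAVE": {"Z_AP_CLERK", "Z_AP_PAYMENT"},     # can do both, never used both
}


@dataclass(frozen=True)
class Event:
    user: str
    tcode: str
    vendor: str
    amount: float  # 0.0 for master-data changes


# Constructed executed-transaction log (the usage view).
LOG = [
    Event("ALICE", "FK02", "V100", 0.0),
    Event("ALICE", "F110", "V100", 25_000.0),  # pays the vendor she maintained
    Event("ALICE", "F110", "V200", 900.0),     # other vendor, under threshold
    Event("DAVE", "F110", "V300", 40_000.0),   # paid, but never maintained V300
    Event("BOB", "FK01", "V400", 0.0),
]


def _conflicts(tcodes, risk):
    """True if the t-code set touches both functions of the risk."""
    a, b = risk.functions
    return bool(tcodes & FUNCTIONS[a]) and bool(tcodes & FUNCTIONS[b])


def potential_violations(user_roles=USER_ROLES, rules=RULES):
    """Stage 1: users whose authorizations cover both functions of a rule."""
    hits = []
    for user, roles in user_roles.items():
        tcodes = set().union(*(ROLES[r] for r in roles))
        hits += [(user, r.risk_id) for r in rules if _conflicts(tcodes, r)]
    return hits


def actual_violations(log=LOG, rules=RULES):
    """Stage 2: users who executed a t-code from each function of a rule."""
    used = defaultdict(set)
    for ev in log:
        used[ev.user].add(ev.tcode)
    return [(u, r.risk_id) for u, tc in used.items() for r in rules if _conflicts(tc, r)]


def exceptions(log=LOG, risk=RULES[0], threshold=1000.0):
    """Stages 3-4: payments over `threshold` to a vendor the same user maintained.
    Function A events are master-data changes; function B events carry the amount."""
    fn_a, fn_b = risk.functions
    maintained = defaultdict(set)  # user -> vendors changed via function A
    for ev in log:
        if ev.tcode in FUNCTIONS[fn_a]:
            maintained[ev.user].add(ev.vendor)
    return [(ev.user, ev.vendor, ev.amount) for ev in log
            if ev.tcode in FUNCTIONS[fn_b] and ev.amount > threshold
            and ev.vendor in maintained.get(ev.user, set())]


def exposure_by_user(exception_list):
    """Financial exposure: total amount of exception payments per user."""
    total = defaultdict(float)
    for user, _vendor, amount in exception_list:
        total[user] += amount
    return dict(total)


if __name__ == "__main__":
    print("potential:", potential_violations())   # ALICE and DAVE
    print("actual:   ", actual_violations())      # ALICE only
    exc = exceptions()
    print("exceptions:", exc)                     # ALICE, V100, 25000.0
    print("exposure: ", exposure_by_user(exc))
```

Two users (ALICE, DAVE) are potential violators, one (ALICE) actually executed both sides, and after the threshold and same-vendor filter a single payment remains for the business owner to review. DAVE's large payment drops out because he never maintained that vendor; that is exactly the false positive a usage-based, correlated check removes and a pure authorization report cannot.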
SAP Access Violation Management
Manage user access based on business impact
Assess the financial exposure of SoD violations
• Summarize the dollar value of actual SoD violations
• Clearly articulate the financial exposure that broad user access has on the business
• Drive change where the impact exceeds the materiality threshold
Reduce governance costs of enterprise-wide access
• Extend the capabilities of the SAP Access Control application across enterprise systems
• Enable business ownership of access governance and remediation activities
Enable exception-based monitoring
• Automate identification and review of actual SoD violations
• Alert business owners only when exceptions occur, reducing manual control efforts and eliminating false positives
• Use a comprehensive library of automated SoD controls across business processes
• Enjoy centralized tracking, investigation, and resolution of SoD violations
Reprioritize your mitigating control efforts
Where is your business most exposed?
Before
Prioritize efforts based on processes with the
highest number of SoD issues identified
After
Prioritize efforts based on processes with highest
amount of financial exposure due to executed
SoD violations
Demo (screenshots)
• Business Owner Notification
• Access Violation Summary Report by User
• Access Violations Detail
• Documentation by Business Reviewer
• Change Status of Exception to Complete the Review
• Audit Reporting – Complete Audit Trail
• Summary Reports
SAP Access Violation Management
Customer example 1
Large global oil and gas customer
• Knew it had an SoD issue with users who could maintain customer master data and process
sales orders, but did not know the extent of the problem
• Paid for a remote engagement in which SAP Access Violation Management identified that over 6
months, 47 users had maintained customer data and processed sales orders for those same
customers with a total value of over €150 million
SAP Access Violation Management
Customer example 2
Large U.S. utility customer
• Knew it had an SoD issue with users who could submit purchase orders and enter goods
receipts, but believed it was used very rarely and only on an emergency basis
• Went live with SAP Access Violation Management and identified that one user violated this risk
for over US$2.8 million in a single month
Where the dollar values are this high, accepting the risk and applying a
mitigating control may not be enough – change must be driven within the
business
SAP Access Control Maturity Curve
(Graphic: maturity moves from Reactive to Proactive and from IT-Owned to Business-Owned)
Maximizing the benefits
We’re going to focus on:
1. Know what you own!
2. Leveraging end-to-end automation
3. Looking beyond ERP
Knowing what you own might seem like a no brainer, but …
(The Virsa / SAP Access Control (until 2011) / SAP Access Control Today naming table from earlier applies: CC → RAR → ARA, FF → SPM → EAM, AE → CUP → UAM, RE → ERM → BRM)
But there’s more …
SAP Access Control has evolved with each version
Virsa name | Corresponding AC 10.x terminology | Functionality gap (capabilities the Virsa product lacked)
Compliance Calibrator | Access Risk Analysis | Cross-system analysis; permission-level critical access analysis; workflow process for approving rule set changes; audit log of configuration changes; organizational rules; support for position-based security
Firefighter | Emergency Access Management | Workflow process for requesting Firefighter IDs; workflow process for provisioning Firefighter IDs; workflow process for reviewing Firefighter logs; additional logging of Firefighting activities
Access Enforcer | User Access Management | Flexible workflow configuration; automated periodic certification reviews; password self-service; provisioning to SAP Portal; SAP Access Approver mobile app; support of CUA composite roles
Role Expert | Business Role Management | Support of business roles; support of CUA composite roles; automated periodic certification reviews; approval workflow for role changes
Enhanced reporting options: SAP Identity Analytics, SAP Fiori Apps, SAP Smart Business; Rapid Deployment Solution
End-to-end Automation
Where you can, let SAP Access Control do the work for you
• Automate user access management
• Leverage simplified access request forms, templates
• The rules engine is powerful – use it
• Automate provisioning and deprovisioning wherever possible
• Automate user access reviews
• Automate Firefighter requests, approvals, assignments, and log reviews
• Automate role management activities where possible
• Approvals
• What-if simulations
• Automate mitigating controls – look at potential vs. actual SoD risk violations
SAP Access Control and SAP Access Violation Management
Comprehensive access governance capabilities
(Architecture graphic; capability blocks shown:)
• SAP Access Control: Access Risk Analysis, User Access Management, Emergency Access Management, Business Role Management
• Embedded GRC: Rules & Analytics, Workflow, Simulation, Reporting
• Real-Time Cross-Enterprise Control: Discovery, Aggregation, Correlation, and Normalization
• Accelerated Mitigation: Automated Mitigating Controls, Exception-based notifications, User, Role, and Risk Modeling
• Financial Exposure of Access Risk: Bottom-line Dollar Value
• Connected systems: Core SAP, Other SAP & ERPs, Legacy/Custom Solutions, Cloud & SaaS Business Applications
While you’re here …
Day | Time | Session | Speaker
Wed | 1:00 pm – 2:15 pm | Case study: How ConocoPhillips conducts user access reviews and monitors transaction usage in SAP GRC 10.0 | Trevor Wyatt, ConocoPhillips
Wed | 4:30 pm – 5:45 pm | Tools and techniques proven to unify business role management across multiple systems in SAP Access Control 10.x | James Roeske, Customer Advisory Group
Thu | 8:30 am – 9:45 am | Apply existing risk and compliance processes across both SAP and non-SAP systems with SAP Access Violation Management | Susan Stapleton, Greenlight Technologies
Thu | 1:00 pm – 2:15 pm | Choosing the best method for emergency access management (EAM) in SAP Access Control 10.x | Holly Marrs, Protiviti
Thu | 4:30 pm – 5:45 pm | Case study: How eBay effectively utilizes SAP GRC 10.1 to automate and streamline its periodic user certification process | Sangram Dash, eBay
Fri | 8:30 am – 9:45 am | Case study: How Tyson Foods remediated four million segregation of duties conflicts without changing its overall security design | Patrick Snodgrass, Tyson Foods
GRC Conference Highlights
Visit the SAP GRC Solution Center (Montrachet 1)
For your 1:1 discussion with an SAP solution expert or for guided tours of new GRC applications:
SAP Access Control Fiori Apps and SAP Audit Management
Attend these interactive hands-on sessions:
Tuesday 2:00 pm – 3:15 pm Hands-on lab: An introduction to using key features in SAP Access Control 10.1
Wednesday 1:00 pm – 2:15 pm Hands-on lab: How to speed up audit processing with SAP Audit Management
Wednesday 2:45 pm – 4:00 pm Hands-on lab: An introduction to using key features in SAP Access Control 10.1
Wednesday 4:30 pm – 5:45 pm Hands-on lab: A practical guide to using key features in SAP Process Control 10.1
Thursday 1:00 pm – 2:15 pm Hands-on lab: A practical guide to using key features in SAP Process Control 10.1
Thursday 3:00 pm – 4:15 pm Hands-on lab: How to speed up audit processing with SAP Audit Management
Participate in these Exhibit Hall demos:
Wednesday 12:15 pm – 12:45 pm Live demo: How to support the audit management process with the latest SAP technology
Wednesday 2:30 pm – 3:00 pm Transform regulatory compliance with SAP Regulation Management by Greenlight
Wednesday 6:00 pm – 6:30 pm Live demo: Take your enterprise risk management program further with SAP Risk Management
Thursday 10:30 am – 11:00 am Live demo: See how SAP Fraud Management can enable you to detect, investigate, analyze, and prevent fraud by
combining analytics with the speed of SAP HANA
Attend the 15 SAP-led general sessions and
8 customer-led case studies
Thank you
Contact information:
Erin Hughes
Erin.hughes@sap.com
Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026
Copyright © 2015 Wellesley Information Services. All rights reserved.

EU GDPR: The role of the data protection officer EU GDPR: The role of the data protection officer
EU GDPR: The role of the data protection officer IT Governance Ltd
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questionssumitmsn2
 

Viewers also liked (20)

Government and SOX Compliance for ERP Systems
Government and SOX Compliance for ERP SystemsGovernment and SOX Compliance for ERP Systems
Government and SOX Compliance for ERP Systems
 
Effective Segregation of Duties for PeopleSoft 2011-02-23
Effective Segregation of Duties for PeopleSoft 2011-02-23Effective Segregation of Duties for PeopleSoft 2011-02-23
Effective Segregation of Duties for PeopleSoft 2011-02-23
 
Customer Identity Builds Digital Trust - London Identity Summit
Customer Identity Builds Digital Trust - London Identity SummitCustomer Identity Builds Digital Trust - London Identity Summit
Customer Identity Builds Digital Trust - London Identity Summit
 
SOX- IT Perspective
SOX- IT PerspectiveSOX- IT Perspective
SOX- IT Perspective
 
Sox Compliance Solution
Sox Compliance SolutionSox Compliance Solution
Sox Compliance Solution
 
Sox In Telecom Industry
Sox In Telecom IndustrySox In Telecom Industry
Sox In Telecom Industry
 
Sox Compliance Presentation
Sox Compliance PresentationSox Compliance Presentation
Sox Compliance Presentation
 
Command Query Responsibility Segregation
Command Query Responsibility SegregationCommand Query Responsibility Segregation
Command Query Responsibility Segregation
 
eTOM - Foundation
eTOM - FoundationeTOM - Foundation
eTOM - Foundation
 
S O X In Telecom Industry
S O X In  Telecom  IndustryS O X In  Telecom  Industry
S O X In Telecom Industry
 
GDPR: Requirements for Cloud Providers
GDPR: Requirements for Cloud ProvidersGDPR: Requirements for Cloud Providers
GDPR: Requirements for Cloud Providers
 
EU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketingEU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketing
 
Revising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPRRevising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPR
 
CyNation: 7 Things You Should Know about EU GDPR
CyNation: 7 Things You Should Know about EU GDPRCyNation: 7 Things You Should Know about EU GDPR
CyNation: 7 Things You Should Know about EU GDPR
 
GDPR in practice
GDPR in practiceGDPR in practice
GDPR in practice
 
DevOps vs GDPR: How to Comply and Stay Agile
DevOps vs GDPR: How to Comply and Stay AgileDevOps vs GDPR: How to Comply and Stay Agile
DevOps vs GDPR: How to Comply and Stay Agile
 
Enhancement packages for sap erp what's new in logistics and operations
Enhancement packages for sap erp what's new in logistics and operationsEnhancement packages for sap erp what's new in logistics and operations
Enhancement packages for sap erp what's new in logistics and operations
 
What is GDPR and why does it matter to me?
What is GDPR and why does it matter to me? What is GDPR and why does it matter to me?
What is GDPR and why does it matter to me?
 
EU GDPR: The role of the data protection officer
EU GDPR: The role of the data protection officer EU GDPR: The role of the data protection officer
EU GDPR: The role of the data protection officer
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questions
 

Similar to Rethinking Segregation of Duties: Where Is Your Business Most Exposed

Gain business insight with Continuous Controls Monitoring
Gain business insight with Continuous Controls MonitoringGain business insight with Continuous Controls Monitoring
Gain business insight with Continuous Controls MonitoringEmma Kelly
 
Mann-India_SAP_Service-Offering_GRC
Mann-India_SAP_Service-Offering_GRCMann-India_SAP_Service-Offering_GRC
Mann-India_SAP_Service-Offering_GRCMann-India
 
Deflate Workload Pressure in Complex SAP® Environments
Deflate Workload Pressure in Complex SAP® EnvironmentsDeflate Workload Pressure in Complex SAP® Environments
Deflate Workload Pressure in Complex SAP® EnvironmentsCA Technologies
 
HOW TO OVERCOME TECHNICAL LIMITATIONS TO SCALE UP AUTOMATION
 HOW TO OVERCOME TECHNICAL LIMITATIONS TO SCALE UP AUTOMATION HOW TO OVERCOME TECHNICAL LIMITATIONS TO SCALE UP AUTOMATION
HOW TO OVERCOME TECHNICAL LIMITATIONS TO SCALE UP AUTOMATIONMohit Sharma (GAICD)
 
Intelligent Business Operations for Utilities, powered by SAP HANA
Intelligent Business Operations for Utilities, powered by SAP HANAIntelligent Business Operations for Utilities, powered by SAP HANA
Intelligent Business Operations for Utilities, powered by SAP HANAHarsh Jegadeesan
 
10TH ANNUAL CFO ​LEADERSHIP CONFERENCE: Most Common RPA Implementation Pitfalls
10TH ANNUAL CFO ​LEADERSHIP CONFERENCE: Most Common RPA Implementation Pitfalls10TH ANNUAL CFO ​LEADERSHIP CONFERENCE: Most Common RPA Implementation Pitfalls
10TH ANNUAL CFO ​LEADERSHIP CONFERENCE: Most Common RPA Implementation PitfallsAuxis Consulting & Outsourcing
 
Symantec, Facebook and Navillus - a comprehensive approach to securing & moni...
Symantec, Facebook and Navillus - a comprehensive approach to securing & moni...Symantec, Facebook and Navillus - a comprehensive approach to securing & moni...
Symantec, Facebook and Navillus - a comprehensive approach to securing & moni...Oracle
 
SAP TechEd 2018 OPP103 – An Introduction to DevOps
SAP TechEd 2018 OPP103 – An Introduction to DevOpsSAP TechEd 2018 OPP103 – An Introduction to DevOps
SAP TechEd 2018 OPP103 – An Introduction to DevOpsSAP Cloud Platform
 
Blinde la seguridad de su empresa
Blinde la seguridad de su empresaBlinde la seguridad de su empresa
Blinde la seguridad de su empresaSAP Latinoamérica
 
Agile Capitalization For Greater Business Value
Agile Capitalization For Greater Business ValueAgile Capitalization For Greater Business Value
Agile Capitalization For Greater Business ValueCA Technologies
 
SAP Managed Services Best Practices and Implementation Strategies
SAP Managed Services Best Practices and Implementation StrategiesSAP Managed Services Best Practices and Implementation Strategies
SAP Managed Services Best Practices and Implementation StrategiesSkillmine Technology Consulting
 
iGrafx | Business Process Management Solution Provider | ProServ UAE
iGrafx | Business Process Management Solution Provider | ProServ UAEiGrafx | Business Process Management Solution Provider | ProServ UAE
iGrafx | Business Process Management Solution Provider | ProServ UAEProServ
 
SAP GRC PROCESS CONTROL OVERVIEW AND APPROCH
SAP GRC PROCESS CONTROL OVERVIEW AND APPROCHSAP GRC PROCESS CONTROL OVERVIEW AND APPROCH
SAP GRC PROCESS CONTROL OVERVIEW AND APPROCHAMITTIWARI620759
 
34514_Process_Control_e-book_interactive
34514_Process_Control_e-book_interactive34514_Process_Control_e-book_interactive
34514_Process_Control_e-book_interactiveROMI Associates
 
Brochure Auditing Erp System V2
Brochure   Auditing Erp System V2Brochure   Auditing Erp System V2
Brochure Auditing Erp System V2agc infotech
 
FCB Partners Course Preview: Process Owners in Action
FCB Partners Course Preview:  Process Owners in ActionFCB Partners Course Preview:  Process Owners in Action
FCB Partners Course Preview: Process Owners in ActionFCBPartners
 
SAP Governance, Risk and Compliance (GRC)
SAP Governance, Risk and Compliance (GRC)SAP Governance, Risk and Compliance (GRC)
SAP Governance, Risk and Compliance (GRC)SAP Latinoamérica
 

Similar to Rethinking Segregation of Duties: Where Is Your Business Most Exposed (20)

Gain business insight with Continuous Controls Monitoring
Gain business insight with Continuous Controls MonitoringGain business insight with Continuous Controls Monitoring
Gain business insight with Continuous Controls Monitoring
 
Mann-India_SAP_Service-Offering_GRC
Mann-India_SAP_Service-Offering_GRCMann-India_SAP_Service-Offering_GRC
Mann-India_SAP_Service-Offering_GRC
 
Final presentation getting rpa right in 2021
Final presentation  getting rpa right in 2021Final presentation  getting rpa right in 2021
Final presentation getting rpa right in 2021
 
Deflate Workload Pressure in Complex SAP® Environments
Deflate Workload Pressure in Complex SAP® EnvironmentsDeflate Workload Pressure in Complex SAP® Environments
Deflate Workload Pressure in Complex SAP® Environments
 
HOW TO OVERCOME TECHNICAL LIMITATIONS TO SCALE UP AUTOMATION
 HOW TO OVERCOME TECHNICAL LIMITATIONS TO SCALE UP AUTOMATION HOW TO OVERCOME TECHNICAL LIMITATIONS TO SCALE UP AUTOMATION
HOW TO OVERCOME TECHNICAL LIMITATIONS TO SCALE UP AUTOMATION
 
Intelligent Business Operations for Utilities, powered by SAP HANA
Intelligent Business Operations for Utilities, powered by SAP HANAIntelligent Business Operations for Utilities, powered by SAP HANA
Intelligent Business Operations for Utilities, powered by SAP HANA
 
What Does it Take To Scale Your Automation Program?
What Does it Take To Scale Your Automation Program?What Does it Take To Scale Your Automation Program?
What Does it Take To Scale Your Automation Program?
 
10TH ANNUAL CFO ​LEADERSHIP CONFERENCE: Most Common RPA Implementation Pitfalls
10TH ANNUAL CFO ​LEADERSHIP CONFERENCE: Most Common RPA Implementation Pitfalls10TH ANNUAL CFO ​LEADERSHIP CONFERENCE: Most Common RPA Implementation Pitfalls
10TH ANNUAL CFO ​LEADERSHIP CONFERENCE: Most Common RPA Implementation Pitfalls
 
GRC
GRCGRC
GRC
 
Symantec, Facebook and Navillus - a comprehensive approach to securing & moni...
Symantec, Facebook and Navillus - a comprehensive approach to securing & moni...Symantec, Facebook and Navillus - a comprehensive approach to securing & moni...
Symantec, Facebook and Navillus - a comprehensive approach to securing & moni...
 
SAP TechEd 2018 OPP103 – An Introduction to DevOps
SAP TechEd 2018 OPP103 – An Introduction to DevOpsSAP TechEd 2018 OPP103 – An Introduction to DevOps
SAP TechEd 2018 OPP103 – An Introduction to DevOps
 
Blinde la seguridad de su empresa
Blinde la seguridad de su empresaBlinde la seguridad de su empresa
Blinde la seguridad de su empresa
 
Agile Capitalization For Greater Business Value
Agile Capitalization For Greater Business ValueAgile Capitalization For Greater Business Value
Agile Capitalization For Greater Business Value
 
SAP Managed Services Best Practices and Implementation Strategies
SAP Managed Services Best Practices and Implementation StrategiesSAP Managed Services Best Practices and Implementation Strategies
SAP Managed Services Best Practices and Implementation Strategies
 
iGrafx | Business Process Management Solution Provider | ProServ UAE
iGrafx | Business Process Management Solution Provider | ProServ UAEiGrafx | Business Process Management Solution Provider | ProServ UAE
iGrafx | Business Process Management Solution Provider | ProServ UAE
 
SAP GRC PROCESS CONTROL OVERVIEW AND APPROCH
SAP GRC PROCESS CONTROL OVERVIEW AND APPROCHSAP GRC PROCESS CONTROL OVERVIEW AND APPROCH
SAP GRC PROCESS CONTROL OVERVIEW AND APPROCH
 
34514_Process_Control_e-book_interactive
34514_Process_Control_e-book_interactive34514_Process_Control_e-book_interactive
34514_Process_Control_e-book_interactive
 
Brochure Auditing Erp System V2
Brochure   Auditing Erp System V2Brochure   Auditing Erp System V2
Brochure Auditing Erp System V2
 
FCB Partners Course Preview: Process Owners in Action
FCB Partners Course Preview:  Process Owners in ActionFCB Partners Course Preview:  Process Owners in Action
FCB Partners Course Preview: Process Owners in Action
 
SAP Governance, Risk and Compliance (GRC)
SAP Governance, Risk and Compliance (GRC)SAP Governance, Risk and Compliance (GRC)
SAP Governance, Risk and Compliance (GRC)
 

More from SAPinsider Events

Best Practices for Managing a Large-Scale SAP System Consolidation Project
Best Practices for Managing a Large-Scale SAP System Consolidation ProjectBest Practices for Managing a Large-Scale SAP System Consolidation Project
Best Practices for Managing a Large-Scale SAP System Consolidation ProjectSAPinsider Events
 
The Future of Learning: Embracing Emerging Trends and Technology Advances to ...
The Future of Learning: Embracing Emerging Trends and Technology Advances to ...The Future of Learning: Embracing Emerging Trends and Technology Advances to ...
The Future of Learning: Embracing Emerging Trends and Technology Advances to ...SAPinsider Events
 
Case Study: Lessons from Newell Rubbermaid's SAP HANA Proof of Concept
Case Study: Lessons from Newell Rubbermaid's SAP HANA Proof of ConceptCase Study: Lessons from Newell Rubbermaid's SAP HANA Proof of Concept
Case Study: Lessons from Newell Rubbermaid's SAP HANA Proof of ConceptSAPinsider Events
 
A Comprehensive Guide to SAP's Cloud Analytics Roadmap
A Comprehensive Guide to SAP's Cloud Analytics RoadmapA Comprehensive Guide to SAP's Cloud Analytics Roadmap
A Comprehensive Guide to SAP's Cloud Analytics RoadmapSAPinsider Events
 
The 2015 Guide to New SAP Solutions That Support End-to-End Logistics and Ord...
The 2015 Guide to New SAP Solutions That Support End-to-End Logistics and Ord...The 2015 Guide to New SAP Solutions That Support End-to-End Logistics and Ord...
The 2015 Guide to New SAP Solutions That Support End-to-End Logistics and Ord...SAPinsider Events
 
Overcoming the Top 7 Intercompany Accounting Challenges in SAP ERP Financials
Overcoming the Top 7 Intercompany Accounting Challenges in SAP ERP FinancialsOvercoming the Top 7 Intercompany Accounting Challenges in SAP ERP Financials
Overcoming the Top 7 Intercompany Accounting Challenges in SAP ERP FinancialsSAPinsider Events
 
A Strategic and Technical Guide to the Most Up-to-Date SAP BI Roadmap
A Strategic and Technical Guide to the Most Up-to-Date SAP BI RoadmapA Strategic and Technical Guide to the Most Up-to-Date SAP BI Roadmap
A Strategic and Technical Guide to the Most Up-to-Date SAP BI RoadmapSAPinsider Events
 
Best Practices to Administer, Operate, and Monitor an SAP HANA System
Best Practices to Administer, Operate, and Monitor an SAP HANA SystemBest Practices to Administer, Operate, and Monitor an SAP HANA System
Best Practices to Administer, Operate, and Monitor an SAP HANA SystemSAPinsider Events
 
Latest Enhancements in SAP ERP HCM Self-Services: HR Renewal, SAP Fiori, and ...
Latest Enhancements in SAP ERP HCM Self-Services: HR Renewal, SAP Fiori, and ...Latest Enhancements in SAP ERP HCM Self-Services: HR Renewal, SAP Fiori, and ...
Latest Enhancements in SAP ERP HCM Self-Services: HR Renewal, SAP Fiori, and ...SAPinsider Events
 

More from SAPinsider Events (9)

Best Practices for Managing a Large-Scale SAP System Consolidation Project
Best Practices for Managing a Large-Scale SAP System Consolidation ProjectBest Practices for Managing a Large-Scale SAP System Consolidation Project
Best Practices for Managing a Large-Scale SAP System Consolidation Project
 
The Future of Learning: Embracing Emerging Trends and Technology Advances to ...
The Future of Learning: Embracing Emerging Trends and Technology Advances to ...The Future of Learning: Embracing Emerging Trends and Technology Advances to ...
The Future of Learning: Embracing Emerging Trends and Technology Advances to ...
 
Case Study: Lessons from Newell Rubbermaid's SAP HANA Proof of Concept
Case Study: Lessons from Newell Rubbermaid's SAP HANA Proof of ConceptCase Study: Lessons from Newell Rubbermaid's SAP HANA Proof of Concept
Case Study: Lessons from Newell Rubbermaid's SAP HANA Proof of Concept
 
A Comprehensive Guide to SAP's Cloud Analytics Roadmap
A Comprehensive Guide to SAP's Cloud Analytics RoadmapA Comprehensive Guide to SAP's Cloud Analytics Roadmap
A Comprehensive Guide to SAP's Cloud Analytics Roadmap
 
The 2015 Guide to New SAP Solutions That Support End-to-End Logistics and Ord...
The 2015 Guide to New SAP Solutions That Support End-to-End Logistics and Ord...The 2015 Guide to New SAP Solutions That Support End-to-End Logistics and Ord...
The 2015 Guide to New SAP Solutions That Support End-to-End Logistics and Ord...
 
Overcoming the Top 7 Intercompany Accounting Challenges in SAP ERP Financials
Overcoming the Top 7 Intercompany Accounting Challenges in SAP ERP FinancialsOvercoming the Top 7 Intercompany Accounting Challenges in SAP ERP Financials
Overcoming the Top 7 Intercompany Accounting Challenges in SAP ERP Financials
 
A Strategic and Technical Guide to the Most Up-to-Date SAP BI Roadmap
A Strategic and Technical Guide to the Most Up-to-Date SAP BI RoadmapA Strategic and Technical Guide to the Most Up-to-Date SAP BI Roadmap
A Strategic and Technical Guide to the Most Up-to-Date SAP BI Roadmap
 
Best Practices to Administer, Operate, and Monitor an SAP HANA System
Best Practices to Administer, Operate, and Monitor an SAP HANA SystemBest Practices to Administer, Operate, and Monitor an SAP HANA System
Best Practices to Administer, Operate, and Monitor an SAP HANA System
 
Latest Enhancements in SAP ERP HCM Self-Services: HR Renewal, SAP Fiori, and ...
Latest Enhancements in SAP ERP HCM Self-Services: HR Renewal, SAP Fiori, and ...Latest Enhancements in SAP ERP HCM Self-Services: HR Renewal, SAP Fiori, and ...
Latest Enhancements in SAP ERP HCM Self-Services: HR Renewal, SAP Fiori, and ...
 

Recently uploaded

"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 

Recently uploaded (20)

"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 

Rethinking Segregation of Duties: Where Is Your Business Most Exposed

  • 5. Automation is key
Gartner estimates that most organizations take one of three approaches (source: www.gartner.com/doc/2484315/automate-segregation-duties-erp-reduce):
  - Manual processes supported by spreadsheets (40% of G2000)
  - Consultant-enabled engagements (40% of G2000)
  - Automation through commercially supported software (20% of G2000)

Manual processes supported by spreadsheets
Advantages:
■ No visible budget startup investment
■ Smaller organizations can get away with less rigor
■ Can be cheaper if auditors accept the process as defensible
Disadvantages:
■ Real cost hidden in labor
■ Mostly inefficient processes
■ Always at risk of not passing auditor scrutiny
■ Can be considerably more expensive than other options
■ More prone to human error
■ Not continuous

Automation through commercially supported software
Advantages:
■ Can be set up as a continuous process that prevents SoD “creep” throughout the year
■ Most control for businesses to manage SoD risk while minimizing disruption
■ Potentially the most cost-efficient and defensible over the long term
Disadvantages:
■ Substantial startup costs, which require budget approval

Consultant-enabled engagements
Advantages:
■ Can directly support the external auditor’s approach and expectations
■ Consultants may leave behind software to test and prep for future audits
Disadvantages:
■ Most expensive approach
■ Least control for businesses, resulting in auditors dictating business process changes
■ Dependency on consultants for any policy changes
■ Not continuous
  • 6. SAP Access Control
Manage access risk and prevent fraud:
  - Monitor emergency access and transaction usage
  - Certify access assignments are still warranted
  - Define and maintain roles in business terms
  - Automate access assignments across SAP and non-SAP systems
  - Find and remediate SoD and critical access violations
(Diagram labels: SAP_ALL X, Legacy)
  • 7. SAP Access Control – A little bit of (unofficial) history
  April 2006: SAP acquires Virsa
    • SAP Virsa Compliance Calibrator (CC)
    • SAP Virsa Access Enforcer (AE)
    • SAP Virsa Firefighter (FF)
    • SAP Virsa Role Expert (RE)
  September 2008: SAP changes the Access Control module names with version 5.3
    • Risk Analysis and Remediation (RAR)
    • Compliant User Provisioning (CUP)
    • Superuser Privilege Management (SPM)
    • Enterprise Role Management (ERM)
  January 2009: SAP officially announces new names for the GRC solutions
    • SAP BusinessObjects Access Control (with 4 capabilities: RAR, CUP, SPM, ERM)
  June 2011: Access Control 10.0 is released
    • No longer 4 capabilities: 1 harmonized solution called SAP BusinessObjects Access Control
  April 2012: SAP removes the BusinessObjects branding from the GRC solutions
    • SAP Access Control
  • 8. Or in other words …
  Virsa                 | SAP Access Control (until 2011) | SAP Access Control Today
  Compliance Calibrator | Risk Analysis and Remediation   | Access Risk Analysis
  Firefighter           | Superuser Privilege Mgmt.       | Emergency Access Mgmt.
  Access Enforcer       | Compliant User Provisioning     | User Access Mgmt.
  Role Expert           | Enterprise Role Mgmt.           | Business Role Mgmt.
  Abbreviations: CC → RAR → ARA; FF → SPM → EAM; AE → CUP → UAM; RE → ERM → BRM
  • 10. Implementation and best practice considerations
  Rule #1: Don’t cut the design phase short!
  This is important whether you’re planning to:
    • “Complete the AC suite”
    • Upgrade to 10.x
    • Leverage advanced SAP Access Control functionality
    • Extend SAP Access Control beyond SAP ERP
    • Integrate with Identity Management applications
  Look for process improvements during the design phase. Question whether the way you’re doing things today is the “best way” or just what you’ve been doing for years.
  • 11. Implementation and best practice considerations (cont.)
  Do:
    Identifying the right internal resources
    • Active executive participation
    • Need a good project manager
    • Need decision makers
    • Need collaboration between all parties
    • Need to know the business processes
    • Employee and company knowledge are essential
    Start when needed; don’t wait for the perfect time, or for future functionality
    Focus on priorities and methodologies
    Focus on high-risk areas, not all risks
  Don’t:
    Only contractors assigned to the project
    • Leave with little knowledge transfer
    • Don’t have a relationship with the business
    • Little decision-making authority – do it like we’ve always done it
    Management believes compliance can be achieved in a few weeks or when the project ends
  Abbreviations: SAP AC: SAP Access Control; IGA: Identity, Governance, and Administration (Gartner)
  • 13. Risk definition is one of the most important tasks in your project
  Step 1: Document Access Risks
    • Should be done in business language
    • Risk statement should clearly state the actions and the negative results that will occur if the undesired access is exploited
  Step 2: Classify Access Risks
    • Assess the severity of the risk to the organization if exploited
    • Assign/review risk ranking (critical, high, medium, low)
  Step 3: Identify Risk Owners
    • Risks belong to the business; risk owners should be business personnel (not IT!)
    • Assign owners to each risk
  Step 4: Translate into Technical Risks
    • Enlist the help of IT to assist with technical risk definitions
    • Remember to include both standard and custom transactions
  Step 5: Publish and Deploy Technical Risk Definitions
    • Publish risk definitions
    • Upload risk definitions into AC and generate rules
  • 14. Best practices for defining risks: Risk definition result
  After completing the 5 steps for risk identification, you now have technical risk definitions that have been:
    • Defined
    • Documented
    • Reviewed
    • Approved
  A risk is a risk is a risk
    • It doesn’t matter who has the access
    • Reported risks must be remediated by removing access or identifying appropriate controls
  When you begin reporting actual risks for remediation, there should be no arguments about which risks are reported.
  • 15. Rule set definition is not a one-time activity
  Changes happen every day – make sure your rules reflect changes in your environment:
    • Role changes
    • Custom transactions
    • New business processes
    • Configuration changes
  Identify a process for keeping your risks current. Establish and document a change management process for modifying risks/rules in AC.
    • It’s critical that your rule change process is formally documented to provide proof to management and auditors that the rules are appropriately controlled
  • 16. So, when is the last time you reviewed or updated your rule set?
    • If you’ve upgraded (or are planning to upgrade) your AC system, was/is a rule set review part of the project?
    • Have you “gone live” with any new functionality in your ERP system that should be reviewed?
    • Have you added new systems to your landscape which are applicable for SoD or critical access?
  SoD should be reviewed not just within a single system, but from a process perspective (figure labels: HCM, Ariba, T&E, CRM).
  • 17. Key considerations when updating your rule set
  Functional
    • What was your starting point?
    • Did you deactivate any business processes or risks during your initial implementation? Should they still be deactivated?
    • What has changed since your last review?
      • New business units
      • New business processes
      • New business process owners
      • SoD vs. sensitive access risks
  Technical
    • What was your starting point?
    • Did you deactivate any t-codes or authorization objects during your initial implementation? Should they still be deactivated?
    • What has changed since your last review?
      • New systems in the landscape
      • New authorizations or t-codes in use
  • 18. You ran the reports and have 2,546,657 violations. Now what?
  • 19. Big Picture
  Being “clean” is a relative term. The segregation of duties rules are the master data that drive the Access Control capability and ultimately are the measure of how clean you are. Like all master data within an ERP system, if it’s incorrect or incomplete, the results will not be accurate, and you may think you’re clean, but you’re not.
  • 20. When access violations are found, a decision must be made
    1. Modify the user’s access
    2. Assign a mitigating control
  The following questions should be addressed, but typically aren’t:
    1. What is my potential financial exposure as a result of mitigating the risk or modifying the access?
    2. How many labor hours will be required to execute the mitigating controls?
    3. What are the chances that we will actually find violations – and potentially fraud – through a manual, sample-based approach?
  • 21. Current challenges
    • Lack of visibility into bottom-line exposure due to SoD violations
    • Manually intensive mitigating control processes
    • Identification of issues like searching for a needle in a haystack
    • Siloed approach to enterprise access governance
  • 22. Focus mitigating control execution only on actual violations – Process
  Potential Risk Violation: Users have authorization to perform one or more transactions resulting in SoD violations
  Risk Violations Through Transaction Usage: Users have accessed one or more transaction codes resulting in SoD violations
  Risk Violation Without Filtering: Details of all SoD transaction events
  Exceptions requiring review: Filtering risk data, by dollar value and other transaction details, can bring thousands of records down to a handful, and many times to zero
  Notification only when actual SoD events occur is the most efficient process for business, compliance, and audit.
  • 23. Focus mitigating control execution only on actual violations – Example
  Potential Risk Violation: Users have authorization to maintain vendors and issue payments to those vendors
  Risk Violations Through Transaction Usage: Users have accessed one or more transaction codes where they maintained a vendor and issued a payment
  Risk Violation Without Filtering: Users have maintained a vendor and issued a payment over $1,000
  Exceptions requiring review: Users maintained a vendor and issued a payment over $1,000 to the same vendor
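The four-stage funnel from slides 22 and 23, applied to the kind of technical risk definition slide 13 describes, as an added example that is not part of the original deck and not SAP's own code; the functions, t-codes, users, vendors and amounts are constructed placeholders, and the log rows stand in for the transaction usage an ERP system would record:

```python
"""Added example, not from the SAP deck: the potential -> usage -> filtered ->
exception funnel from the slides, run over constructed sample data.
Function names, t-codes, users and vendors are hypothetical placeholders."""
from collections import defaultdict

# Step 4 of the deck's risk definition: the business risk translated into
# technical terms (conflicting functions, each mapped to t-codes). Hypothetical.
RISK = {
    "id": "P001",
    "description": "Maintain vendor master and issue payments to that vendor",
    "functions": ("VENDOR_MAINTAIN", "PAYMENT_ISSUE"),
}
FUNCTION_TCODES = {
    "VENDOR_MAINTAIN": {"ZVEND01", "ZVEND02"},
    "PAYMENT_ISSUE": {"ZPAY01"},
}
THRESHOLD = 1000.00  # the $1,000 dollar filter used on the slide

# Constructed authorizations: user -> t-codes the user may execute.
AUTHORIZATIONS = {
    "alice": {"ZVEND01", "ZPAY01"},
    "bob": {"ZVEND02", "ZPAY01"},
    "carol": {"ZVEND01"},           # no payment authorization: no conflict
    "dave": {"ZVEND01", "ZPAY01"},
    "erin": {"ZVEND01", "ZPAY01"},  # authorized for both, never used both
}

# Constructed transaction log entries: (user, tcode, vendor, amount).
TRANSACTION_LOG = [
    ("alice", "ZVEND01", "V100", 0.0),
    ("alice", "ZPAY01", "V100", 2500.0),  # over threshold, same vendor
    ("bob", "ZVEND02", "V200", 0.0),
    ("bob", "ZPAY01", "V300", 5000.0),    # over threshold, different vendor
    ("dave", "ZVEND01", "V400", 0.0),
    ("dave", "ZPAY01", "V400", 400.0),    # same vendor, under threshold
    ("erin", "ZVEND01", "V500", 0.0),
]


def potential_violations(auths=AUTHORIZATIONS, risk=RISK):
    """Stage 1: users authorized for a t-code of every function in the risk."""
    return sorted(u for u, tcodes in auths.items()
                  if all(tcodes & FUNCTION_TCODES[f] for f in risk["functions"]))


def usage_violations(log=TRANSACTION_LOG, risk=RISK):
    """Stage 2: users who actually executed every function (any vendor/amount)."""
    used = defaultdict(set)
    for user, tcode, _vendor, _amount in log:
        used[user].update(f for f in risk["functions"] if tcode in FUNCTION_TCODES[f])
    return sorted(u for u, funcs in used.items() if funcs == set(risk["functions"]))


def _large_payments(log, threshold):
    """Payment events above the threshold, as (user, vendor, amount)."""
    return [(u, v, a) for u, t, v, a in log
            if t in FUNCTION_TCODES["PAYMENT_ISSUE"] and a > threshold]


def unfiltered_violations(log=TRANSACTION_LOG, threshold=THRESHOLD):
    """Stage 3: usage violators with at least one payment over the threshold."""
    violators = set(usage_violations(log))
    return sorted({u for u, _v, _a in _large_payments(log, threshold) if u in violators})


def exceptions_for_review(log=TRANSACTION_LOG, threshold=THRESHOLD):
    """Stage 4: large payments to a vendor the same user maintained."""
    maintained = defaultdict(set)
    for user, tcode, vendor, _amount in log:
        if tcode in FUNCTION_TCODES["VENDOR_MAINTAIN"]:
            maintained[user].add(vendor)
    return sorted((u, v, a) for u, v, a in _large_payments(log, threshold)
                  if v in maintained[u])


def funnel_counts(auths=AUTHORIZATIONS, log=TRANSACTION_LOG, threshold=THRESHOLD):
    """Record count per stage; only the last stage reaches the business reviewer."""
    return {"potential": len(potential_violations(auths)),
            "usage": len(usage_violations(log)),
            "unfiltered": len(unfiltered_violations(log, threshold)),
            "exceptions": len(exceptions_for_review(log, threshold))}
```

On this sample the counts drop 4 → 3 → 2 → 1, and lowering the threshold brings dave's same-vendor payment back into the review queue, which is the lever the slide's "dollar value and other transaction details" filter gives the control owner.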
  • 24. SAP Access Violation Management – Manage user access based on business impact
  Assess the financial exposure of SoD violations
    • Summarize the dollar value of actual SoD violations
    • Clearly articulate the financial exposure that broad user access has on the business
    • Drive change where the impact exceeds the materiality threshold
  Reduce governance costs of enterprise-wide access
    • Extend the capabilities of the SAP Access Control application across enterprise systems
    • Enable business ownership of access governance and remediation activities
  Enable exception-based monitoring
    • Automate identification and review of actual SoD violations
    • Alert business owners only when exceptions occur, reducing manual control efforts and eliminating false positives
    • Use a comprehensive library of automated SoD controls across business processes
    • Enjoy centralized tracking, investigation, and resolution of SoD violations
  • 25. Reprioritize your mitigating control efforts – Where is your business most exposed?
  Before: Prioritize efforts based on processes with the highest number of SoD issues identified
  After: Prioritize efforts based on processes with the highest amount of financial exposure due to executed SoD violations
  • 26. Demo
  • 27. Business Owner Notification
  • 28. Access Violation Summary Report by User
  • 29. Access Violations Detail
  • 30. Documentation by Business Reviewer
  • 31. Change Status of Exception to Complete the Review
  • 32. Audit Reporting – Complete Audit Trail
  • 33. Summary Reports
  • 34. SAP Access Violation Management – Customer example 1
  Large Global Oil and Gas Customer
    • Knew it had an SoD issue with users who could maintain customer master data and process sales orders, but did not know the extent of the problem
    • Paid for a remote engagement in which SAP Access Violation Management identified that over 6 months, 47 users had maintained customer data and processed sales orders for those same customers with a total value of over €150 million
  • 35. SAP Access Violation Management – Customer example 2
  Large U.S. Utility Customer
    • Knew it had an SoD issue with users who could submit purchase orders and enter goods receipts, but believed it was used very rarely and only on an emergency basis
    • Went live with SAP Access Violation Management and identified that one user violated this risk for over US$2.8 million in a single month
  Where the dollar values are this high, accepting the risk and applying a mitigating control may not be enough – change must be driven within the business.
  • 36. SAP Access Control Maturity Curve (figure axes: Reactive → Proactive; IT-Owned → Business-Owned)
  • 37. Maximizing the benefits
  We’re going to focus on:
    1. Know what you own!
    2. Leveraging end-to-end automation
    3. Looking beyond ERP
  • 38. Knowing what you own might seem like a no-brainer, but …
  (Same Virsa → SAP Access Control naming table as slide 8: CC → RAR → ARA; FF → SPM → EAM; AE → CUP → UAM; RE → ERM → BRM.)
  But there’s more …
  • 39. SAP Access Control has evolved with each version
  Virsa name → Corresponding AC 10.x terminology; Functionality Gap
  Compliance Calibrator → Access Risk Analysis
    • Cross-system analysis
    • Permission level critical access analysis
    • Workflow process for approving rule set changes
    • Audit log of configuration changes
    • Organizational rules
    • Support for position-based security
  Firefighter → Emergency Access Management
    • Workflow process for requesting Firefighter IDs
    • Workflow process for provisioning Firefighter IDs
    • Workflow process for reviewing Firefighter logs
    • Additional logging of Firefighting activities
  Access Enforcer → User Access Management
    • Flexible workflow configuration
    • Automated periodic certification reviews
    • Password self-service
    • Provisioning to SAP Portal
    • SAP Access Approver mobile app
    • Support of CUA composite roles
  Role Expert → Business Role Management
    • Support of business roles
    • Support of CUA composite roles
    • Automated periodic certification reviews
    • Approval workflow for role changes
  Enhanced Reporting Options: SAP Identity Analytics, SAP Fiori Apps, SAP Smart Business Rapid Deployment Solution
  • 40. End-to-end Automation
  Where you can, let SAP Access Control do the work for you:
    • Automate user access management
      • Leverage simplified access request forms, templates
      • The rules engine is powerful – use it
      • Automate provisioning and deprovisioning wherever possible
    • Automate user access reviews
    • Automate Firefighter requests, approvals, assignments, and log reviews
    • Automate role management activities where possible
      • Approvals
      • What-if simulations
    • Automate mitigating controls – look at potential vs. actual SoD risk violations
  • 41. SAP Access Control and SAP Access Violation Management – Comprehensive access governance capabilities
  (Architecture figure.) SAP Access Control: Access Risk Analysis, User Access Management, Emergency Access Management, Business Role Management. Real-Time Cross-Enterprise Control: Discovery, Aggregation, Correlation, and Normalization. Accelerated Mitigation: Automated Mitigating Controls, Exception-based notifications; User, Role, and Risk Modeling. Embedded GRC Rules & Analytics: Reporting, Simulation, Workflow. Financial Exposure of Access Risk: Bottom-line Dollar Value. Covered systems: Cloud & SaaS Business Applications, Core SAP, Legacy/Custom Solutions, Other SAP & ERPs.
  • 42. While you’re here …
  Day | Time | Session
  Wed | 1:00 pm – 2:15 pm | Case study: How ConocoPhillips conducts user access reviews and monitors transaction usage in SAP GRC 10.0 – Trevor Wyatt, ConocoPhillips
  Wed | 4:30 pm – 5:45 pm | Tools and techniques proven to unify business role management across multiple systems in SAP Access Control 10.x – James Roeske, Customer Advisory Group
  Thr | 8:30 am – 9:45 am | Apply existing risk and compliance processes across both SAP and non-SAP systems with SAP Access Violation Management – Susan Stapleton, Greenlight Technologies
  Thr | 1:00 pm – 2:15 pm | Choosing the best method for emergency access management (EAM) in SAP Access Control 10.x – Holly Marrs, Protiviti
  Thr | 4:30 pm – 5:45 pm | Case study: How eBay effectively utilizes SAP GRC 10.1 to automate and streamline its periodic user certification process – Sangram Dash, eBay
  Fri | 8:30 am – 9:45 am | Case study: How Tyson Foods remediated four million segregation of duties conflicts without changing its overall security design – Patrick Snodgrass, Tyson Foods
  • 43. GRC Conference Highlights
  Visit the SAP GRC Solution Center (Montrachet 1) for your 1:1 discussion with an SAP solution expert or for guided tours of new GRC applications: SAP Access Control Fiori Apps and SAP Audit Management
  Attend these interactive hands-on sessions:
    • Tuesday 2:00 pm – 3:15 pm: Hands-on lab: An introduction to using key features in SAP Access Control 10.1
    • Wednesday 1:00 pm – 2:15 pm: Hands-on lab: How to speed up audit processing with SAP Audit Management
    • Wednesday 2:45 pm – 4:00 pm: Hands-on lab: An introduction to using key features in SAP Access Control 10.1
    • Wednesday 4:30 pm – 5:45 pm: Hands-on lab: A practical guide to using key features in SAP Process Control 10.1
    • Thursday 1:00 pm – 2:15 pm: Hands-on lab: A practical guide to using key features in SAP Process Control 10.1
    • Thursday 3:00 pm – 4:15 pm: Hands-on lab: How to speed up audit processing with SAP Audit Management
  Participate in these Exhibit Hall demos:
    • Wednesday 12:15 pm – 12:45 pm: Live demo: How to support the audit management process with the latest SAP technology
    • Wednesday 2:30 pm – 3:00 pm: Transform regulatory compliance with SAP Regulation Management by Greenlight
    • Wednesday 6:00 pm – 6:30 pm: Live demo: Take your enterprise risk management program further with SAP Risk Management
    • Thursday 10:30 am – 11:00 am: Live demo: See how SAP Fraud Management can enable you to detect, investigate, analyze, and prevent fraud by combining analytics with the speed of SAP HANA
  Attend the 15 SAP-led general sessions and 8 customer-led case studies
  • 44. Thank you
  Contact information: Erin Hughes, Erin.hughes@sap.com
  • 45. © 2015 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
  • 46. Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026 Copyright © 2015 Wellesley Information Services. All rights reserved.