SAP: How Risk Savvy Are You?
5 March 2013
SAP User Group – NSW Public Sector Special Interest Group
Why is this important?
Session Objectives
The Big Picture
Overview of Audit Issues Raised
[Chart: Issues Identified in 2011 and 2012. X axis: Year (2011, 2012); Y axis: Number of Issues Identified (0 to 400). Series by Status: Repeat/Partial Repeat Issues, New issues. Data labels as extracted from the chart: 155, 234, 72, 137.]
Risk Area: SAP User Access Management
• General User Accounts Management
  - Creation, modification & termination
• Generic user accounts management
  - Access types
  - Custodianship management
• Default user accounts management
  - Access types
  - Custodianship management
• Users with access capability to:
  - Perform table maintenance
  - SAP_ALL & SAP_NEW equivalent
  - Administrative capabilities (including creation of user accounts capability)
Risk Area: Segregation of Duties (SoD)
• Security Access Baselines which identify key functions and processes for which access should be segregated were often undefined.
• Inadequate design of SoD prior to business re-organisation and system implementation/upgrades.
• SoD was often left as an after-thought, resulting in high costs, inefficiencies and exposure to financial and reputational risk.
• Lack of formal periodic SoD reviews.
• Reviews often fell short of the required level of detail and only focused on whether terminated employee access had been disabled.
• Access was often not assigned in accordance with the users’ defined role, and in some cases resulted in access to conflicting duties.
• Several agencies identified system developers had unrestricted access to commit changes in the production system.
Awareness
• Agencies showed a lack of awareness with regards to designing and implementing appropriate Segregation of Duties controls and processes.
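The user access and SoD findings above come down to three checks an agency can automate: does any user hold conflicting functions, does any user hold SAP_ALL/SAP_NEW-equivalent, table-maintenance or user-administration capability, and would a proposed role assignment introduce a conflict. The script below is an added example (not code from the presentation or the Audit Office) that runs those checks over a constructed user-to-role-to-transaction export; the baseline, SoD matrix, roles and users are all made up for illustration, and the grouping of standard transaction codes into functions is an illustrative choice rather than a real organisation's baseline.

```python
"""SoD and privileged-access review over a constructed SAP access export (added example)."""
from __future__ import annotations

# --- Constructed Security Access Baseline --------------------------------
# Business functions defined as sets of transaction codes. The tcodes are
# standard SAP ones; grouping them into these functions is an illustrative
# choice for this example, not an organisation's real baseline.
FUNCTIONS = {
    "VENDOR_MASTER":    {"FK01", "FK02", "XK01", "XK02"},
    "VENDOR_INVOICE":   {"FB60", "MIRO"},
    "PAYMENT_RUN":      {"F110"},
    "USER_ADMIN":       {"SU01", "PFCG"},
    "TABLE_MAINT":      {"SM30", "SE16N"},
    "ABAP_DEV":         {"SE38", "SE80"},
    "TRANSPORT_IMPORT": {"STMS"},
}

# Constructed SoD matrix: function pairs that one user must not hold together.
CONFLICTS = {
    frozenset({"VENDOR_MASTER", "VENDOR_INVOICE"}),
    frozenset({"VENDOR_MASTER", "PAYMENT_RUN"}),
    frozenset({"VENDOR_INVOICE", "PAYMENT_RUN"}),
    # A developer who can also import transports can commit their own changes
    # to production, the finding the presentation reports for several agencies.
    frozenset({"ABAP_DEV", "TRANSPORT_IMPORT"}),
}

# Profiles treated as SAP_ALL-equivalent whatever transactions they contain.
ALL_EQUIVALENT = {"SAP_ALL", "SAP_NEW"}

# Constructed exports: role -> tcodes and user -> roles (production client).
ROLE_TCODES = {
    "Z_AP_CLERK":  {"FB60", "MIRO", "FK03"},
    "Z_AP_MASTER": {"FK01", "FK02"},
    "Z_TREASURY":  {"F110"},
    "Z_DEVELOPER": {"SE38", "SE80"},
    "Z_BASIS":     {"SU01", "PFCG", "SM30", "STMS"},
}
USER_ROLES = {
    "ALICE":      {"Z_AP_CLERK"},
    "BOB":        {"Z_AP_CLERK", "Z_AP_MASTER"},
    "CAROL":      {"Z_TREASURY"},
    "DAVE":       {"Z_DEVELOPER", "Z_BASIS"},
    "FIREFIGHT1": {"SAP_ALL"},
}


def functions_for_roles(roles: set[str]) -> set[str]:
    """Map a set of roles to the business functions their transactions enable."""
    tcodes: set[str] = set()
    for role in roles:
        tcodes |= ROLE_TCODES.get(role, set())
    return {fn for fn, codes in FUNCTIONS.items() if tcodes & codes}


def sod_conflicts(roles: set[str]) -> list[tuple[str, str]]:
    """Conflicting function pairs held together by a role set, sorted for stable output."""
    fns = functions_for_roles(roles)
    return sorted(tuple(sorted(pair)) for pair in CONFLICTS if pair <= fns)


def privileged_flags(roles: set[str]) -> set[str]:
    """Flag the high-privilege capabilities the user access findings single out."""
    flags = set()
    if roles & ALL_EQUIVALENT:
        flags.add("SAP_ALL_EQUIVALENT")
    fns = functions_for_roles(roles)
    if "TABLE_MAINT" in fns:
        flags.add("TABLE_MAINTENANCE")
    if "USER_ADMIN" in fns:
        flags.add("USER_ADMIN")
    return flags


def new_conflicts_if_assigned(user: str, role: str) -> list[tuple[str, str]]:
    """Preventive check: conflicts a proposed role assignment would introduce."""
    current = USER_ROLES.get(user, set())
    before = set(sod_conflicts(current))
    after = sod_conflicts(current | {role})
    return [c for c in after if c not in before]


def access_review() -> dict[str, dict]:
    """Periodic review: one record per user with any SoD conflict or privileged flag."""
    report = {}
    for user, roles in sorted(USER_ROLES.items()):
        conflicts = sod_conflicts(roles)
        flags = privileged_flags(roles)
        if conflicts or flags:
            report[user] = {"sod_conflicts": conflicts, "privileged": sorted(flags)}
    return report


if __name__ == "__main__":
    for user, finding in access_review().items():
        print(user, finding)
    print("ALICE + Z_AP_MASTER ->", new_conflicts_if_assigned("ALICE", "Z_AP_MASTER"))
```

The same review run against a real export will only be as good as the baseline it is given, which is exactly why the first finding above (undefined Security Access Baselines) matters most.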
Risk Area: SAP Security Management
• Configuration Management
  - Production client
  - Password parameters
  - Workflow
  - SAP built-in configuration settings
  - Users with capabilities to perform all types of configuration management
• Audit Logging
  - Configuration
  - Reviews
  - Escalation & follow up
Risk Area: Change Management
• Application Changes
  - Documented types of application changes made in the financial year
  - Approvals
  - Testing
  - Comparison of approved request forms & changes in SAP
• Transport management
  - Users with capability to perform transports
  - Transport path
Risk Area: Disaster Recovery Management
Issues Raised by Audit Office of NSW (for 2011 & 2012):
[Chart: Disaster Recovery Planning and Testing Across Agencies. X axis: Year (2011, 2012); Y axis: Number of Agencies (0 to 120). Series by DRP Status: DRP, Fully Tested; DRP, Partially tested; DRP, Not tested; No DRP.]
Risk Area: SAP Projects
Many organisations see business transformation or process change as unnecessary for SAP implementations or major upgrades; typically the project is viewed as just a technical upgrade.
Security is usually an after-thought, or overlooked entirely, during SAP implementations or major upgrades.
Automated configurations are not fully explored as a criterion for SAP implementations or major upgrades.
The typical result is manual workarounds or costly changes, together with increased risk, unauthorised transactions and fraud.
So What Can You Do?
(An Auditor’s Perspective)
Establish or extend the organisation’s risk management practices for managing SAP.
Design and implement controls that address the high-risk areas, common audit issues, common SAP weakness pitfalls and any compliance/regulatory requirements.
Establish a program to assess the effectiveness of the controls over a period of time (not just at the implementation stage).
Helpful Tools and Resources
Tools:
• GRC
• Firefighter
NSW government resources:
• DFS guidelines
• M2012-15: Digital Information Security Policy (http://www.dpc.nsw.gov.au/announcements/ministerial_memoranda/2012/m2012-15_digital_information_security_policy)
Audit guides:
• ISACA Security, Audit and Control Features of SAP ERP 3rd Edition
• ANAO Better Practice Guides
Q&A