
THE MARKET LEADER IN ACCESS ORCHESTRATION

© Pathlock. All rights reserved.

DynamicsCon 2021

Make SOX Compliance A Breeze with Cross App Superpowers

Today’s Presenters

• Kevin Dunne, President, Pathlock
• Anand Kotti, Director of Customer Solutions, Pathlock


Our Customers

Trusted by the world's leading enterprises, governments, and auditors.

The market leading platform for Access Orchestration.

Our Integrations: + 140 others

COMPANY OVERVIEW

• Users governed for our customers: Millions
• Business activities monitored for our customers: Billions
• Employees around the world: 130+
• Typical ROI achieved by customers through automation, reduced costs, and minimized risk exposure: 4-7x

SOX 404 and 302 compliance requires …

• Management-driven formal assessment of internal controls
• Executive officer responsibility for financial reporting and internal controls
• External audit on effectiveness of ICFR and financial statements
• Remediation for any issues or weaknesses that are discovered

SOX Compliance and Financial Control Programs Cost Big Money…

| Cost Center | Annual Cost |
| --- | --- |
| Generating, reviewing, documenting User Access Reviews (UARs) | $250k |
| Productivity lost due to manual access provisioning | $600k |
| Internal sample testing of controls | $1.4M |
| Tooling to gather data for audits (IGA, PAM, audit, data analytics) | $1.0M |
| External audit costs to document and retest controls | $500k |
| Single occurrence of fraud | $1.5M |
| Cost of a failed audit | $3M |
| Loss due to inefficiencies in business processes (POs overpaid, invoices duplicated, supplied goods not invoiced, time wasted) | $50M |
| TOTAL ANNUAL SPEND | $58.5M |

But these compliance programs aren't very effective…

• Average enterprise loses 5% of annual revenue due to fraud. (ACFE)
• ~20% disclose material weaknesses or significant deficiencies every quarter. (Pathlock)
• Half of all fraud cases involve internal control weaknesses. (Center for Audit Quality)

| Company | Impact | Cause | Control area |
| --- | --- | --- | --- |
| F100 Retailer | Market drop: $3.5B | Poor privileged access controls led to material weakness | IT General Controls |
| F500 Food Service | Loss: 6.7% | Material weaknesses required prior year's restatement | ICFR |
| F500 Machinery | Loss: $103M | Lack of oversight allowed ethics officer to embezzle | Fraud |
| F1000 CPG | Cost to resolve: $54M | Poor controls caused lack of visibility into inventory | Multiple ERPs |

Secure your users, applications and data, and prove it to the world. Automate Segregation of Duties (SoD) and Data Security policies across 100s of cloud and on-premise systems.

• Connect to Applications (ALL APPLICATIONS): real-time connection to ERP, Cloud, Legacy and Enterprise Systems
• Govern User Access (ALL USERS), "Can Do" analysis: Access Analysis, User Access Review, Access Management, Emergency Access
• Monitor Business Transactions (ALL ACTIVITY), "Did Do" analysis: Segregation of Duties, Business Processes, IT General Controls, Data Security & Privacy
• Prioritize by Impact (ALL RISKS), Quantify Risk: Financial Reporting, Information Technology, Industry Requirements, Anomalous Activity
• ALL THE TIME

PLATFORM

User Access Reviews
• Better: comprehensive view of all entitlements, allowing for real time risk analysis and centralized user access review flow
• Cheaper: decrease user access review labor by 90%+

Segregation of Duties
• Better: simulate and quantify risk of any separation of duties conflicts in real time
• Cheaper: decrease risk from roles by 50%+

Configuration Management
• Better: identify and track changes to application configuration or master data
• Cheaper: decrease preventable data loss by 30%+, while increasing compliance

Continuous Controls Monitoring
• Better: complete, real time view of all transactions across all financially relevant systems
• Cheaper: decrease controls testing labor by 95%+

Emergency Access Management
• Better: complete audit reporting for all user elevations and termination of suspicious sessions
• Cheaper: reduce manual provisioning and audit labor by 80%+

Compliant Provisioning
• Better: automatically provision down to the privilege level with no delay
• Cheaper: decrease onboarding delays and zombie accounts by 95%+

Solution Overview


• Business Roles, Single Roles, Derived Roles, Composite Roles, Enabler Roles, Custom Roles (Z*), Authorization Objects
• Roles, Duties, Privileges, Permissions

The number of software apps deployed by large firms across all industries world-wide has increased 68% over the past four years, reaching an average of 129 apps per company.

"Performing periodic SOD analysis is time-consuming. Cross-platform SOD is not feasible without automation. We know we are risking compliance failure and we do not have a choice." – Head of Internal Audit

"The rise in the use of the Privileged Access functionality is causing our organization to see a huge spike in unaudited logs, and they go unchecked." – Firefighter Controller

"When employees move departments, new roles are added and old roles are removed. When internal audit questions the audit trail, it turns out to be a nightmare when we are dealing with thousands of users across platforms." – Director of Business Applications


SOD Analysis

Inputs
• Identity Sync from the User Attribute Source: user identity attributes (Location, Project, Business Unit, Position, … N)
• Repository Sync from the connected applications (+ 140 more apps): user security attributes per App #1-N (Entitlements, Roles, Functions)
• SOD rule sets: OOTB SOD Risks and Custom SOD Risks

Analysis, run by an Admin/Campaign Owner
• SOD Analysis (Ad Hoc)
• SOD Analysis (Campaign)

Remediate
• Trigger a workflow within the Pathlock Platform to deprovision
• Create a ticket in an external ticketing system
• Send an alert to the app owner to analyze the risk and deprovision within the Pathlock Platform
• Reporting to support internal and external auditors, showing the security posture of the app

Mitigate
• Accept the risk with a reason code
• Enable continuous control monitoring
• Detailed reporting of access violations: who, what, when and how
• Reporting to support internal and external auditors, showing the security posture of the app
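The SOD analysis above translates each application's entitlements into business functions and then evaluates conflict rules across every connected app. The following Python is an added example, not Pathlock's code or product logic: it assumes synced entitlements flattened into (user, app, entitlement) records, a constructed mapping table from entitlement to business function, and a constructed rule set; every user, app, entitlement name, risk ID and reason code is made up for illustration. It covers the cross-application case (the two halves of a conflict granted by different systems), risk acceptance with a reason code, and entitlements the mapping does not cover.

```python
"""Cross-application segregation-of-duties (SoD) analysis.

Added example, not Pathlock code. Assumptions: each connected app's
entitlement export has been flattened into (user, app, entitlement)
records (the "repository sync"), a mapping table translates app-specific
entitlements into business functions, and an SoD rule set names pairs of
conflicting functions. Every name and value below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    user: str
    app: str
    entitlement: str


@dataclass
class Violation:
    user: str
    risk_id: str
    severity: str
    left: List[Grant]          # grants that provide the first conflicting function
    right: List[Grant]         # grants that provide the second conflicting function
    cross_app: bool            # True when the two sides come from different apps
    mitigated_by: Optional[str] = None  # reason code if the risk was accepted


# Constructed sample: entitlements synced from three apps.
GRANTS = [
    Grant("alice", "dynamics365", "Vendor Maintainer"),
    Grant("alice", "sap_ecc", "Z_AP_PAYMENT_RUN"),
    Grant("bob", "sap_ecc", "Z_MM_PO_CREATE"),
    Grant("bob", "sap_ecc", "Z_MM_PO_RELEASE"),
    Grant("carol", "sap_ecc", "Z_MM_PO_CREATE"),
    Grant("carol", "warehouse", "WH_GOODS_RECEIPT"),
    Grant("dave", "dynamics365", "AP Clerk"),
    Grant("dave", "dynamics365", "Report Viewer"),   # deliberately left unmapped
]

# Constructed mapping from (app, entitlement) to a business function.
FUNCTION_MAP: Dict[Tuple[str, str], str] = {
    ("dynamics365", "Vendor Maintainer"): "Maintain Vendor Master",
    ("dynamics365", "AP Clerk"): "Process Vendor Payments",
    ("sap_ecc", "Z_AP_PAYMENT_RUN"): "Process Vendor Payments",
    ("sap_ecc", "Z_MM_PO_CREATE"): "Create Purchase Order",
    ("sap_ecc", "Z_MM_PO_RELEASE"): "Approve Purchase Order",
    ("warehouse", "WH_GOODS_RECEIPT"): "Receive Goods",
}

# Constructed SoD rule set: (risk id, severity, function A, function B).
SOD_RULES = [
    ("SOD-001", "High", "Maintain Vendor Master", "Process Vendor Payments"),
    ("SOD-002", "High", "Create Purchase Order", "Approve Purchase Order"),
    ("SOD-003", "Medium", "Create Purchase Order", "Receive Goods"),
]

# Constructed risk acceptances: (user, risk id) -> reason code.
ACCEPTED_RISKS = {("carol", "SOD-003"): "RC-04 compensating control: monthly GR/PO reconciliation"}


def functions_by_user(grants):
    """Translate every grant into a business function, keeping the grants as evidence."""
    funcs = defaultdict(lambda: defaultdict(list))
    for g in grants:
        func = FUNCTION_MAP.get((g.app, g.entitlement))
        if func is not None:
            funcs[g.user][func].append(g)
    return funcs


def unmapped_entitlements(grants):
    """Entitlements with no function mapping are invisible to the rules, so report them."""
    return [g for g in grants if (g.app, g.entitlement) not in FUNCTION_MAP]


def analyze_sod(grants, rules=SOD_RULES, accepted=ACCEPTED_RISKS):
    """Evaluate each rule per user; a conflict may be granted across different apps."""
    findings = []
    for user, funcs in sorted(functions_by_user(grants).items()):
        for risk_id, severity, fa, fb in rules:
            if fa in funcs and fb in funcs:
                left, right = funcs[fa], funcs[fb]
                cross = any(a.app != b.app for a, b in product(left, right))
                findings.append(Violation(user, risk_id, severity, left, right, cross,
                                          accepted.get((user, risk_id))))
    return findings


def open_findings(findings):
    """Violations still needing remediation (not accepted with a reason code)."""
    return [v for v in findings if v.mitigated_by is None]


if __name__ == "__main__":
    for v in analyze_sod(GRANTS):
        status = "MITIGATED" if v.mitigated_by else "OPEN"
        scope = "cross-app" if v.cross_app else "single-app"
        print(f"{status} {v.risk_id} ({v.severity}, {scope}) {v.user}: "
              f"{[g.entitlement for g in v.left]} x {[g.entitlement for g in v.right]}")
    for g in unmapped_entitlements(GRANTS):
        print(f"UNMAPPED {g.user} {g.app}/{g.entitlement}")
```

The unmapped-entitlement report is the part worth keeping in a real programme: an entitlement with no function mapping can never trigger a rule, so the coverage of the mapping table is itself a control to review during each campaign.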


Workflow: Privileged Access Management

Inputs
• Identity Sync from the User Attribute Source: user identity attributes (Location, Project, Business Unit, Position, … N)
• Repository Sync from the connected applications (+ 140 more apps): user security attributes per App #1-N (Entitlements, Roles, Functions)
• Access model: ID Based or Role Based, administered by an Admin/Campaign Owner

Provision
• Assign or provision time-bound privileged access to an enrolled asset
• Set up a deprovisioning policy for violations

Approve
• Ability to handle requests from 3rd-party apps
• Support any business app for provisioning
• Prevent any fraudulent activity

Monitor

Prevent
• Set up an alert policy

Audit
• On-demand self-service audits on all activities performed using this access


Workflow: UAR (User Access Reviews)

Inputs
• Identity Sync from the User Attribute Source: user identity attributes (Location, Project, Business Unit, Position, … N)
• Repository Sync from the connected applications (+ 140 more apps): user security attributes per App #1-N (Entitlements, Roles, Functions)
• Review scope: Business Roles (UAR by Business Role) or Technical Roles (UAR by Technical Role), run by an Admin/Campaign Owner

Revoke
• Trigger a workflow in the Pathlock Platform to deprovision
• Create a ticket in an external ticketing system
• Send an alert to the app owner to analyze the risk and deprovision within the Pathlock Platform
• Reporting to support internal and external auditors, showing why the access is revoked

Approve
• Detailed user attribute information available to make the decision process seamless: who, what, when and how
• Approve and certify the access
• Audit reporting to support internal and external auditors, showing why the access is approved


Analyze

Inputs
• Identity Sync from the User Attribute Source: user identity attributes (Location, Project, Business Unit, Position, Manager, … N)
• Repository Sync from the connected applications (+ 140 more apps): user security attributes per App #1-N (Entitlements, Roles, Functions, … N)
• Real-time sync of user activity

Security Automation & Access Enforcement, operated by a Security Analyst: Extract → Analyze → Respond

Security Controls
• Multiple login failures
• Cross-platform login attempts
• Location
• Downloads
• Dormant accounts
• Amount (AP)
• Encryption
• … N

Respond
• Alert notifications
• Audit reports
• Incident investigation
• Access enforcement
• Third-party integrations
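The Analyze stage above lists controls evaluated over a real-time sync of user activity (multiple login failures, cross-platform login attempts, dormant accounts, AP amounts). The following Python is an added example, not Pathlock's code: it assumes each app's activity has been normalised into dicts with ts, app, user and type fields, and the events, account list, thresholds and evaluation time are all constructed. It shows why a cross-application feed matters for these controls: alice's failed logins are split across two apps, so neither app alone reaches the threshold that the combined feed does, and a dormant-account check needs activity from every app, not just the one being reviewed.

```python
"""Continuous activity monitoring over a cross-application user-activity feed.

Added example, not Pathlock code. Assumptions: activity from each connected
app is normalised into a dict with ts (ISO 8601), app, user, type and
rule-specific fields; the events, accounts and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime.fromisoformat("2021-10-01T12:00:00")   # constructed evaluation time

# Constructed activity feed from three apps (sorted order is not assumed).
EVENTS = [
    {"ts": "2021-10-01T08:55:00", "app": "dynamics365", "user": "alice", "type": "login", "location": "US"},
    {"ts": "2021-10-01T09:00:00", "app": "dynamics365", "user": "alice", "type": "login_failed", "location": "US"},
    {"ts": "2021-10-01T09:01:00", "app": "sap_ecc", "user": "alice", "type": "login_failed", "location": "US"},
    {"ts": "2021-10-01T09:02:00", "app": "dynamics365", "user": "alice", "type": "login_failed", "location": "US"},
    {"ts": "2021-10-01T09:03:00", "app": "sap_ecc", "user": "alice", "type": "login_failed", "location": "US"},
    {"ts": "2021-10-01T09:04:00", "app": "dynamics365", "user": "alice", "type": "login_failed", "location": "US"},
    {"ts": "2021-10-01T09:05:00", "app": "sap_ecc", "user": "alice", "type": "login_failed", "location": "US"},
    {"ts": "2021-10-01T09:30:00", "app": "sap_ecc", "user": "bob", "type": "login", "location": "US"},
    {"ts": "2021-10-01T09:40:00", "app": "dynamics365", "user": "bob", "type": "login", "location": "DE"},
    {"ts": "2021-10-01T10:00:00", "app": "dynamics365", "user": "carol", "type": "ap_payment", "amount": 250000.0},
    {"ts": "2021-06-01T08:00:00", "app": "sap_ecc", "user": "dave", "type": "login", "location": "US"},
]
# Constructed identity repository: account -> status.
ACCOUNTS = {"alice": "enabled", "bob": "enabled", "carol": "enabled",
            "dave": "enabled", "erin": "enabled", "frank": "disabled"}


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def _by_user(events, types):
    """Group events of the given types per user, sorted by time, across all apps."""
    groups = defaultdict(list)
    for ev in events:
        if ev["type"] in types:
            groups[ev["user"]].append(ev)
    return {u: sorted(evs, key=_ts) for u, evs in groups.items()}


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Multiple login failures: >= threshold failures in a sliding window, counted across apps."""
    alerts = []
    for user, evs in _by_user(events, {"login_failed"}).items():
        best, start = 0, 0
        for end in range(len(evs)):
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"rule": "multiple_login_failures", "user": user, "count": best,
                           "apps": sorted({e["app"] for e in evs})})
    return alerts


def cross_platform_login_anomalies(events, window=timedelta(hours=1)):
    """Cross-platform login attempts: consecutive logins on different apps from different locations."""
    alerts = []
    for user, evs in _by_user(events, {"login"}).items():
        for prev, cur in zip(evs, evs[1:]):
            if (_ts(cur) - _ts(prev) <= window and cur["app"] != prev["app"]
                    and cur["location"] != prev["location"]):
                alerts.append({"rule": "cross_platform_login", "user": user,
                               "apps": [prev["app"], cur["app"]],
                               "locations": [prev["location"], cur["location"]]})
    return alerts


def dormant_accounts(accounts, events, now, days=90):
    """Dormant accounts: enabled accounts with no successful activity in any app for `days`."""
    last_seen = {}
    for ev in events:
        if ev["type"] != "login_failed":          # failed attempts do not count as activity
            last_seen[ev["user"]] = max(last_seen.get(ev["user"], _ts(ev)), _ts(ev))
    cutoff = now - timedelta(days=days)
    return [{"rule": "dormant_account", "user": u, "last_seen": last_seen.get(u)}
            for u, status in sorted(accounts.items())
            if status == "enabled" and (u not in last_seen or last_seen[u] < cutoff)]


def high_value_payments(events, limit=100_000):
    """Amount (AP): payment postings above a threshold."""
    return [{"rule": "ap_amount_threshold", "user": ev["user"], "app": ev["app"], "amount": ev["amount"]}
            for ev in events if ev["type"] == "ap_payment" and ev.get("amount", 0) > limit]


def run_all(events, accounts, now):
    """Evaluate every control and return the combined alert list for the Respond stage."""
    return (failed_login_bursts(events) + cross_platform_login_anomalies(events)
            + dormant_accounts(accounts, events, now) + high_value_payments(events))


if __name__ == "__main__":
    for alert in run_all(EVENTS, ACCOUNTS, NOW):
        print(alert)
```

Each function returns plain dicts so that the Respond stage (alert notification, ticket, access enforcement) can consume them uniformly; thresholds are parameters so the same rule can be tuned per application or population.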


Pathlock can automate SOX Compliance saving $ and preventing risk:

| Cost Center | Without Pathlock | With Pathlock | How Pathlock Helps |
| --- | --- | --- | --- |
| Generating, reviewing, documenting User Access Reviews (UARs) | $250k | $25k | Automated, easy-to-consume reviews surface exceptions |
| Productivity lost due to manual access provisioning | $600k | $0 | Instant, "what-if" provisioning streamlines access checks at point of provisioning |
| Internal sample testing of controls | $1.4M | $0 | Testing is automated and continuous |
| Tooling to gather data for audits (IGA, PAM, audit, data analytics) | $1.0M | $250k | All systems are integrated and data is aggregated for a complete picture |
| External audit costs to document and retest controls | $500k | $250k | Evidence and documentation are already complete |
| Single occurrence of fraud | $1.5M | $300k | Risk of insider fraud is greatly reduced |
| Cost of a failed audit | $3M | $0 | Risk of audit failure is eliminated |
| Loss due to inefficiencies in business processes (POs overpaid, invoices duplicated, supplied goods not invoiced, time wasted) | $50M | $25M | Processes are more efficient and cash is preserved |
| TOTAL | $58.5M | $25.8M | |


Comparing Pathlock with Other MSFT Dynamics Solutions:

| Capabilities | Built in to Dynamics365 | Other Solutions | Pathlock |
| --- | --- | --- | --- |
| Compliant Provisioning | Limited to Dynamics365 | Limited to Dynamics365 | Provision with specific privileges automatically, across systems; direct integration to IGA (Azure AD, Sailpoint, etc.) |
| Segregation of Duties | Access level conflicts only; limited to Dynamics365 | Limited to Dynamics365 + small number of applications | Privilege level conflict management along with risk quantification; cross application SOD rule set, supporting 140+ applications |
| User Access Reviews | Single application; no ability to deprovision directly; no workflow management | Limited to Dynamics365 + small number of applications; no ability to deprovision directly | Automate workflow on ad-hoc and scheduled cross app UAR; deprovision directly upon UAR |
| Emergency Access Management | N/A | No monitoring or logging of user activity; no ability to terminate suspicious sessions | Monitor and log all user activity in privileged user sessions; rules to auto-terminate suspicious sessions |
| Continuous Controls Monitoring | N/A | No ability to monitor non-SOD transactions | Identify and quantify actual violations of SOD risks; monitor business processes and find trapped cash and ITGCs |
| Configuration Management | Only available at object level | Only available at object level | Audit trail of all configuration and master data changes; real-time alerts on suspicious behavior |


Fortune 1000 Apparel company leverages Pathlock to provide cross application governance in a heterogeneous environment

Background
• Fortune 1000 Manufacturer, USA
• Industry: Apparel
• Products and Services: Sportswear
• Employees: 8,900
• Revenue: $2.8B USD (2019)
• Systems: SAP ECC, MSFT Dynamics365, Manhattan Warehouse System
• 10+ financially relevant business applications

Key Criteria
• Implement a cost-effective, cloud-based solution that will minimize complexity in their digital landscape as they continue to connect a diverse set of applications
• Integrated with existing technology investments like SAP Access Control to minimize time to value and maximize ROI
• Sustainable: compliance that grows with the business
• Transform a fragmented approach and siloed processes for access governance into a centralized and standardized enterprise model
• Replace a mostly manual control environment to improve audit and compliance efficiency through increased automation and a single pane of glass for access risk, compliant provisioning, user access reviews, and emergency access
• Monitor all transactions for internal control failures, and improve visibility and exposure to areas of key risk to facilitate audit reporting and documentation

Feedback

Pathlock was selected over other solutions for the breadth of integrations available (only vendor to support Manhattan Warehouse) and the depth and volume of use cases (SOD, ICFR, ITGC) across all financially relevant applications.


Want to learn more?

Head to pathlock.com


In summary, Pathlock can automate SOX Compliance, saving $ and preventing risk; the cost comparison is the same with/without Pathlock table shown above.
