SAP Authorizations & Compliance
Sanna Oinonen, Process Owner, Finance Authorizations, Microsoft Mobile
September 9, 2014
Agenda
• SAP Authorization Concept
• SAP Authorization Risk Management
• Segregation of the Duty Conflicts – Concept for Mitigation
• Summary
• About Microsoft
• Founded in 1975, Microsoft (Nasdaq "MSFT") is the worldwide leader in software, services and solutions that help people and businesses realize their full potential.
• Microsoft refers to Microsoft Corp. and its affiliates, including Microsoft Mobile Oy, a subsidiary of Microsoft. Microsoft Mobile Oy develops, manufactures and distributes Lumia, Asha and Nokia X mobile phones and other devices.
• Key figures (Fiscal Year Ending June 30, 2014):
  Head Count: 128,076
  Net Revenue (US$): $86.83B (growth 12%)
  Net Income (US$): $22.07B (growth 1%)
  Source: http://www.microsoft.com/en-us/news/inside_ms.aspx
• Important Dates:
  Sept. 3, 2013: Microsoft announces decision to acquire Nokia’s devices and services business, license Nokia’s patents and mapping service
  Oct. 17, 2013: Microsoft launches Windows 8.1
  Oct. 22, 2013: Microsoft launches Surface 2 and Surface Pro 2
  Nov. 22, 2013: Microsoft launches Xbox One
  Feb. 4, 2014: Satya Nadella named chief executive officer for Microsoft
  March 27, 2014: Microsoft launches Office for iPad
  April 25, 2014: Microsoft completes acquisition of Nokia Devices and Services business
  Source: http://www.microsoft.com/en-us/news/exec/slt.aspx
  Source: http://www.microsoft.com/en-us/news/inside_ms.aspx
SAP Authorization Concept - Principles
• The authorization concept is the foundation and needs to be well defined in order to get the most out of SAP GRC Access Control
• Principles to consider:
  • The default authorization is “no authorization”
  • Using role based authorizations gives you more visibility & control than users having individual access rights
  • Keep the concept and the authorization structure simple and easy to maintain
  • Secure all sensitive data with authorization restrictions
  • Do not allow direct table access; always use programs/transaction codes/reports to access the data
  • Include authorization checks in all programs
  • Authorizations must be continuously monitored and regularly reviewed
  • Define authorization request and maintenance processes with control points
  • Engage the business and the management
  • Define clear roles & responsibilities with named owners
Example: SAP Authorization Concept – Roles & Responsibilities in the Authorization Request Process
START: User requests authorizations
→ Line Manager approves the request (business)
→ User Group Approver approves the request (business)
→ User account creation (IT)
→ END: Assigning approved authorizations & mitigating possible risks (IT)
• When role based authorizations are used, users are able to choose the correct group based on their job profile/organization
• The User Group Approver is responsible for approving new valid users to the group, requesting the removal of users who no longer need the access, and regularly reviewing the users in the group
• The account creation and the authorization assignment should be separated (SoD) or automated by GRC
• Mitigation can be automated or done manually in SAP GRC
SAP Authorization Risk Management – Practical Tips
Set the level you want to be on! Too many rules might make a mess instead of giving you visibility
• Build your rules wisely – use the rule set provided by SAP as a starting point to build on
• Follow the processes you defined in the SAP Authorization Concept
• Engage the management
• Agree clear roles & responsibilities
• Named Risk Owners
• Train the responsible persons and set up a competent support network
Build authorization processes that support the Authorization Risk Management and follow them!
SAP Authorization Risk Management - Process
1. Risk Recognition - The starting point of the risk management process is to identify, agree and approve the risks that are applicable for the company. Nominate a risk owner for each risk. Define the risk levels (high, medium, low).
2. Rule Building and Validation - An ongoing process; regular reviews of the defined Rule Set are needed to identify possible update requirements, e.g. development projects should consider rule updates when implementing new functionalities.
3. Analysis - When the defined risks are set up in SAP GRC and validated by the business, the next phase is analysing the results. Rules might still need changes at this phase.
4. Remediation - When the analysis is completed and errors in rules are eliminated, the options for the next actions are:
   Option 1: Removal of access rights
   Option 2: Modifying the access rights
   Option 3: Access rights stay as they are - the need for a mitigation arises.
5. Mitigation - A mitigating control is used as an alternative control when a risk cannot be eliminated due to sound business reasons. Mitigating controls need to be defined and created in SAP GRC before it is possible to assign them to users.
6. Continuous Compliance - Agreed processes are followed and SAP GRC Access Control is used to ensure continuous compliance.
Continuous Compliance
6. Continuous Compliance – Agreed processes are followed and SAP GRC Access Control is used to ensure continuous compliance
Tasks included are:
• All authorization assignments and changes are done according to the defined processes – approved and simulated in SAP GRC to determine possible risks before any changes are actually done
• All authorization changes creating risks are approved (or rejected) by the named owners and mitigated in SAP GRC
• A recurring review of the rule set and mitigating controls takes place at least once in a fiscal year in order to determine whether risks and mitigating controls are up to date and still relevant
• Existing mitigating controls are renewed in SAP GRC for the users at least once a year after the review round
• Risk status is regularly monitored and analyzed in SAP GRC to detect any mistakes or process failures
SAP Authorization Risk Management - Timetable
[Timetable diagram: the fiscal year Q1–Q4, with Continuous Compliance running through every quarter]
4. Updating SAP GRC with the approved changes and taking the necessary remediation actions
5. Mitigating controls approved for the year and renewed for the users in SAP GRC
6. Continuous Compliance
SAP Authorization Risk Management – Why Should the Management Pay Attention?
Business Process: A business process or business method is a collection of related, structured activities or tasks that produce a specific service or product (serve a particular goal) for a particular customer or customers.
Chief Financial Officer: The chief financial officer (CFO) or chief financial and operating officer (CFOO) is a corporate officer primarily responsible for managing the financial risks of the corporation.
Source of the definitions: http://en.wikipedia.org/wiki/Main_Page
Thus the CFO is also ultimately responsible for the risks authorizations might cause!
On average, an ERP system contains 50,000-100,000 authorization combinations that constitute a potential segregation of duties violation, raising e.g. a risk of fraud (a result of the number of transactions, authorization objects and programs).
In Business Processes the tasks are defined, and the authorizations should reflect the process. Thus whoever owns the business process must own the authorizations and the risks arising from the process!
Building Compliant & Clever Processes
[Diagram: Business/Financial Process = Tasks/Activities + Controls + Access and Authorizations]
• Business/financial process design should include:
  • Tasks and activities to achieve a goal
  • Access and authorizations as part of the solution
  • Possible risks considered already when designing the process! This can have an impact on the process design
  • Natural control points and controls which are part of the process
• When controls are built wisely, no additional burdening and time-consuming controls need to be “invented”
• When the controls are part of the process, real automation is possible with SAP GRC Process Control
• Such controls can be used as mitigating controls when an authorization risk has been recognized and approved to be a part of the process
Good control design as part of the process enables automation with SAP GRC Process Control
Segregation of the Duty Conflicts – Concept for Mitigation
Risk: SoD1 – one named Risk Owner “Mr. Smith” in the business organization
Risk: SoD2 – one named Risk Owner “Ms. Doe” in the business organization
Example:
Risk P001: Create a fictitious vendor and initiate payment to the vendor
  Function1: Vendor Master Maintenance
  Function2: Process Vendor Invoices
Mitigating Control MC_P001: Combination of controls related to e.g.
  • Balance Sheet Verification
  • Purchase Approval & PO Creation
  • Invoice Verification & Approval
  • Vendor Master Data Maintenance
GRC: The control points that the mitigating control MC_P001 refers to are documented outside of SAP GRC in control catalogs. In the control catalog the controls are earmarked as mitigating controls.
Mitigation on Composite Role Level
• When using role based authorizations, a certain group of users has the same authorizations, e.g. the Accounting Team responsible for invoice verification in a company
• The team has a user group assigned in SAP with defined & approved access rights and approved risks
• The group can be technically set up as a composite role (= a collection of single roles) in SAP
• In SAP GRC it is possible to mitigate risks on composite role level
• The mitigations approved and assigned in SAP GRC to a certain composite role will automatically flow to the users in that group (= composite role assigned in SAP)
• All mitigations are assigned the same expiry date in SAP GRC and they are renewed all at once when approved for the fiscal year (see slide 13)
By doing this you can automate the mitigating control assignment in SAP GRC (if not using SAP GRC for access provisioning and automated mitigation)
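As an added illustration (not the presenter's material and not SAP GRC code), the following Python models the risk P001 example and the composite-role mitigation described above: functions are sets of transaction codes, a risk is a combination of functions a single user can execute, and a mitigating control assigned to a composite role flows to every user holding it until a common expiry date. The transaction codes, role names, user names and dates are constructed/assumed.

```python
from datetime import date

# Functions = sets of transaction codes (illustrative codes, assumed) matching
# the deck's Function1/Function2 of risk P001.
FUNCTIONS = {
    "Function1": {"XK01", "XK02"},  # Vendor Master Maintenance
    "Function2": {"FB60", "MIRO"},  # Process Vendor Invoices
}
# A risk is a conflicting combination of functions with a named owner and level.
RISKS = {"P001": {"functions": ("Function1", "Function2"), "level": "high",
                  "owner": "Mr. Smith"}}
# Single roles carry codes, composite roles bundle single roles, users hold
# composite roles (the deck's "user group"). All names are constructed.
SINGLE_ROLES = {"Z_AP_VENDOR": {"XK01", "XK02"}, "Z_AP_INVOICE": {"FB60", "MIRO"},
                "Z_FI_DISPLAY": {"FBL1N"}}
COMPOSITE_ROLES = {"C_ACCOUNTING_TEAM": {"Z_AP_VENDOR", "Z_AP_INVOICE"},
                   "C_FI_READ": {"Z_FI_DISPLAY"}}
USERS = {"alice": {"C_ACCOUNTING_TEAM"}, "carol": {"C_ACCOUNTING_TEAM"},
         "bob": {"C_FI_READ"}}
# MC_P001 assigned on composite-role level with one common (constructed)
# fiscal-year expiry date; after that date it must be renewed or the risk is open.
MITIGATIONS = [{"control": "MC_P001", "risk": "P001",
                "composite_role": "C_ACCOUNTING_TEAM", "valid_to": "2015-06-30"}]

def user_tcodes(user):
    """All transaction codes a user reaches via composite -> single roles."""
    return {t for c in USERS[user] for s in COMPOSITE_ROLES[c] for t in SINGLE_ROLES[s]}

def violated_risks(user):
    """Risks where the user can execute at least one code of every function."""
    tcodes = user_tcodes(user)
    return sorted(r for r, d in RISKS.items()
                  if all(tcodes & FUNCTIONS[f] for f in d["functions"]))

def mitigation_for(user, risk, today):
    """Control that flows to the user from a composite role, if still valid."""
    for m in MITIGATIONS:
        if (m["risk"] == risk and m["composite_role"] in USERS[user]
                and date.fromisoformat(m["valid_to"]) >= today):
            return m["control"]
    return None

def analyse(today="2014-09-09"):
    """Return {user: [(risk, status)]}; status is 'mitigated:<control>' or 'OPEN'."""
    day = date.fromisoformat(today)
    report = {}
    for user in USERS:
        report[user] = [(r, f"mitigated:{c}" if (c := mitigation_for(user, r, day)) else "OPEN")
                        for r in violated_risks(user)]
    return report
```

Running analyse() on the deck's date shows alice and carol mitigated by MC_P001 through their composite role and bob clean; analyse("2015-07-01") shows P001 as OPEN for both, which is why the annual renewal round matters.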
Key Points
• Define and implement an authorization concept
• Engage the business and the management
• Define clear roles & responsibilities with named owners
• Set the level you want to be on! Too many rules might make a mess instead of giving you visibility and control
• Build authorization processes that support the authorization risk management and follow them
• When designing processes, make the authorizations and controls part of the process design
• Do the rule building and remediation well ONCE and enjoy the continuous compliance with SAP GRC Access Control
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.