DESCRIPTION

In order to achieve SOX compliance, one of the key components Taminco had to get under control was the user access management process and set-up. With auditors working their way through the process and documentation requirements across the Taminco business and system landscape, Taminco and Expertum addressed the authorization set-up, organization and tooling needed to acquire the required level of control over user access rights, facilitated by SAP GRC Access Control.

Page 1: Sapience be-user-day-14-presentation-taminco-reaches-sox-compliance-with-sap-grc-access-control final

Taminco reaches SOX compliance with SAP GRC Access Control

Robert Moeyens, Taminco

Chris Walravens, Expertum

SAPience.be User Day ‘14

Page 2

Agenda

The Players

Project Trigger: SOX compliance

SAP GRC Access Control

Project Phases

Project Benefits

Pitfalls / Lessons Learned


Page 3

Taminco



Page 5

Expertum

History

• Founded in April 2006 by 2 ex-SAP BeLux employees

• Partnerships

Today

• Team of 55+ SAP Experts and Project Managers

Mission

• Exceed client expectations by providing top-quality expertise

• Provide our people a safe environment for personal and professional growth

Strength

• Highly skilled & experienced SAP consultants in all SAP areas, combined with wide industry knowledge in several domains

SAPience.be TECHday’13 5

Page 6

Expertum


Knowledge Management - Product & Service Development


Page 8

Trigger – SOX Compliance


The US Sarbanes-Oxley Act of 2002, commonly called Sarbanes-Oxley or SOX, is a United States federal law enacted on July 30, 2002 in response to a number of major corporate and accounting scandals, including those affecting Enron, WorldCom, …

Applicable to all companies listed on the New York Stock Exchange

Section 302:

The CEO/CFO must certify quarterly and annually that:

• The Securities & Exchange Commission report has been reviewed by the CEO/CFO

• The report does not contain any misleading and/or untrue statements

• Significant deficiencies and material weaknesses in internal control have been disclosed to the Audit Committee and auditors, as well as any fraud (material or not) involving anyone with a significant role in internal control

• Material weaknesses must be disclosed in the annual report to shareholders

Section 404:

Defines the rules for internal control and financial reporting

• Taminco management must assess the effectiveness of the internal control structure and procedures for financial reporting


Page 10

SAP GRC Access Control


Page 11

Analyze & Manage Risk (AMR)

• Centralized definition of Critical Access & Segregation of Duties

• Common understanding between Business & IT (same rules)

• Real-time risk analysis on user, role & HR object level

• Proactive detection of SoD issues by simulation

• Continuous monitoring of access risks & user assignments

• Access violation dashboards and reports

• Documentation & assignment of mitigating controls

• Automated Access Reviews & follow-up actions


Page 12

Emergency Access (EAM)

• Centralized, automated, pre-approved cross-system emergency access

• Detailed audit trails of performed actions

• Integration with approval workflow possible



Page 14

Project Phases


1. Role Remediation

2. AMR Implementation

3. User Remediation

4. EAM Implementation

5. Change Request Process

Page 15

Preparing: Role Remediation

• Review sensitive objects / maintain access in display roles

• Remediate naming conventions of roles & profiles

• Remediate manual & changed statuses

• Remediate derived roles (naming) so that they are real derived roles

• Remediate content correspondence between master & derived roles

• Remediate differences between derived values & codification

• Analyze content of composite roles (similar composites, similar content)

• Remediate content of composite roles (similar composites, similar content)

• Remediate DEV & PRS differences (all roles on PRS need to exist on DEV with identical content)

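As an added example (not code from the deck, from Taminco or from Expertum), a Python check for two of the remediation steps above: a derived role must match its master on everything except org-level fields, and every role on PRS must exist on DEV with identical content. The role names, authorization-object contents and the org-level field list are constructed assumptions.

```python
# Constructed org-level fields that a derived role is allowed to override.
ORG_FIELDS = {"BUKRS", "WERKS", "VKORG"}

# Constructed role content: {authorization object: {field: tuple of values}}.
MASTER = {"F_BKPF_BUK": {"ACTVT": ("01", "02", "03"), "BUKRS": ("$BUKRS",)},
          "S_TCODE": {"TCD": ("FB01", "FB02", "FB03")}}
DERIVED_OK = {"F_BKPF_BUK": {"ACTVT": ("01", "02", "03"), "BUKRS": ("1000",)},
              "S_TCODE": {"TCD": ("FB01", "FB02", "FB03")}}
DERIVED_BAD = {"F_BKPF_BUK": {"ACTVT": ("01", "02", "03", "05"), "BUKRS": ("2000",)},
               "S_TCODE": {"TCD": ("FB01", "FB03")}}   # manually changed after derivation

def check_derived(master: dict, derived: dict) -> list:
    """Findings where the derived role deviates from its master on non-org-level fields."""
    findings = []
    for obj in sorted(set(master) | set(derived)):
        if obj not in master or obj not in derived:
            findings.append(f"{obj}: present in only one of the two roles")
            continue
        for fld in sorted(set(master[obj]) | set(derived[obj])):
            if fld in ORG_FIELDS:
                continue   # org-level values legitimately differ per derived role
            if master[obj].get(fld) != derived[obj].get(fld):
                findings.append(f"{obj}/{fld}: {master[obj].get(fld)} vs {derived[obj].get(fld)}")
    return findings

def check_prs_vs_dev(prs: dict, dev: dict) -> list:
    """Every role on PRS must exist on DEV with identical content."""
    findings = []
    for name, content in sorted(prs.items()):
        if name not in dev:
            findings.append(f"{name}: missing on DEV")
        elif dev[name] != content:
            findings.append(f"{name}: content differs between DEV and PRS")
    return findings

# Constructed snapshots of the role sets on the two systems.
PRS = {"Z_FI_AP_CLERK_1000": DERIVED_OK, "Z_FI_AP_CLERK_2000": DERIVED_BAD}
DEV = {"Z_FI_AP_CLERK_1000": DERIVED_OK}

if __name__ == "__main__":
    for line in check_derived(MASTER, DERIVED_BAD) + check_prs_vs_dev(PRS, DEV):
        print(line)
```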

Page 16

Implement SAP GRC

SAP GRC Access Control implemented on the same box as Solution Manager (2-tier)

Configured to run on:

• ECC production

• Solution Manager production

• GRC production

Implemented modules:

• Analyze & Manage Risk (AMR)

• Emergency Access Management (EAM)


Page 17

Implement AMR

Establish the SOX rule set:

• Based on the rules used by the external auditor, complemented by risks identified in the Risk & Control Matrix (RCM)

• Translated into a GRC rule set (actions & permissions)

• Risk types:

  • Critical Access

  • Segregation of Duties

• Severity (High, Medium, Low) determined based on:

  • Direct impact on financial statements

  • Materiality

  • Likelihood of fraud

• Added custom transaction codes where needed


Page 18

The Rule Set


Page 19

User Remediation (1)

AMR supports remediation activities through extensive root cause analysis functionality

Critical Access

• Comprehensive exercise with the key users to identify who needed to keep the critical access (and who needed to lose it)

• Some users, of course, need to keep such access

• Best to tackle this first, as too much critical access will also “explode” your SOD results


Page 20

User Remediation (2)

Segregation of Duties

• Again, a comprehensive exercise with the key users to identify who needed to keep the left / right side of the conflict

• Because of organizational issues, a small portion of the potential SOD conflicts needed to remain assigned to the users

• For these remaining SOD risks, the compensating / mitigating controls from the RCM were used

• These mitigations are also documented in GRC Access Control


Page 21

User Remediation - Report


Page 22

Implement EAM

A fairly large share of the risks were caused by IT support people having broad maintenance access on production

For IT support people the EAM module was implemented

This allowed Taminco to:

• Reduce the permanent access of IT people to “display” only

• Allow them to use broad access (not SAP_ALL!) when they need it, but in a fully controlled and monitored process

• Have activity logs reviewed and validated, allowing corrective action in case the firefighter is misused

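The log review step above, as an added Python example that is not part of the deck or of the SAP GRC product: each firefighter session is tied to the ticket it was opened for, and the review flags transactions outside the ticket's declared scope and any use of a critical transaction. The log layout, the tickets and the transaction codes are constructed assumptions, not the real GRC log format.

```python
import csv
from io import StringIO

# Constructed firefighter log export: one row per transaction executed in a session.
FF_LOG = """session,firefighter,ticket,tcode,timestamp
S1,ff_basis_01,CHG-1041,SM37,2014-03-02T08:10
S1,ff_basis_01,CHG-1041,SM50,2014-03-02T08:12
S2,ff_fi_02,CHG-1050,FB02,2014-03-02T09:00
S2,ff_fi_02,CHG-1050,SU01,2014-03-02T09:05
S3,ff_fi_02,,F110,2014-03-02T10:30
"""

# Constructed change tickets: the transactions each ticket justifies.
TICKETS = {"CHG-1041": {"SM37", "SM50", "SM51"}, "CHG-1050": {"FB02", "FB03"}}
# Constructed critical-access list (user/role administration and client settings).
CRITICAL = {"SU01", "PFCG", "SCC4"}

def review(log_text: str) -> dict:
    """Return {session: [findings]} for every session that needs follow-up."""
    findings = {}
    for row in csv.DictReader(StringIO(log_text)):
        notes = []
        scope = TICKETS.get(row["ticket"])
        if scope is None:
            notes.append("no valid ticket")          # session opened without justification
        elif row["tcode"] not in scope:
            notes.append(f"{row['tcode']} outside scope of {row['ticket']}")
        if row["tcode"] in CRITICAL:
            notes.append(f"{row['tcode']} is a critical transaction")
        if notes:
            findings.setdefault(row["session"], []).extend(notes)
    return findings

if __name__ == "__main__":
    for session, notes in review(FF_LOG).items():
        print(session, notes)
```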

Page 23

Change Request Process

As from the beginning of the year, the change request procedure includes a mandatory risk simulation step

The AMR module contains functionality to simulate the combination of the current situation and the requested additions

This allows checking whether the change would introduce risks before it reaches production

If risks occur, the CFO needs to either reject the change (or request a modification of the change) or approve the request with the assignment of a mitigating control

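An added Python example, not from the deck or from SAP, of the AMR workflow described on pages 11, 17 and 23: a rule set of critical-access and segregation-of-duties risks with a severity, risk analysis on user level with mitigating controls from the RCM, and the change-request simulation that compares the current situation with the requested additions. Risk ids, transaction codes, roles, users and control ids are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Risk:
    rid: str
    severity: str                     # High / Medium / Low
    left: frozenset                   # actions on one side of the conflict
    right: frozenset = field(default_factory=frozenset)  # empty: critical-access risk

# Constructed rule set: one critical-access risk and one segregation-of-duties risk.
RULESET = [
    Risk("CA01", "High", frozenset({"SU01", "PFCG"})),                                 # user/role admin
    Risk("SD01", "High", frozenset({"XK01", "XK02"}), frozenset({"F-53", "F110"})),  # maintain + pay vendor
]
# Constructed roles: role name -> transactions (actions) the role grants.
ROLES = {
    "Z_AP_VENDOR_MAINT": {"XK01", "XK02", "XK03"},
    "Z_AP_PAYMENT": {"F-53", "F110", "FBL1N"},
    "Z_DISPLAY_ONLY": {"XK03", "FBL1N"},
    "Z_BASIS_ADMIN": {"SU01", "PFCG"},
}
# Constructed mitigating controls from the RCM, assigned per (user, risk).
MITIGATIONS = {("jsmith", "SD01"): "RCM-AP-07"}

def actions_of(roles):
    """All actions a set of roles grants."""
    return set().union(*(ROLES[r] for r in roles))

def analyze(user, roles):
    """Risk analysis on user level: {risk id: 'open' | 'mitigated'}."""
    acts = actions_of(roles)
    result = {}
    for r in RULESET:
        hit = bool(acts & r.left) and (not r.right or bool(acts & r.right))
        if hit:
            result[r.rid] = "mitigated" if (user, r.rid) in MITIGATIONS else "open"
    return result

def simulate_change(user, current, requested):
    """Simulate current + requested roles; return only the risks the change would introduce."""
    before = analyze(user, current)
    after = analyze(user, current | requested)
    return {rid: status for rid, status in after.items() if rid not in before}

if __name__ == "__main__":
    # A new open risk means the CFO must reject, ask for a modification, or approve
    # with a mitigating control assigned.
    print(simulate_change("aly", {"Z_AP_VENDOR_MAINT"}, {"Z_AP_PAYMENT"}))  # {'SD01': 'open'}
```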



Page 26

Project Benefits

We came from more than 20,000 SOD conflicts to roughly 1,000 mitigated risks.

We saw increasing insight into the authorization processes among the key players.

Permanent access for IT reduced to display only. The other accesses are received through firefighter.

A controlled role assignment process is implemented.

SOX compliance will be achieved (authorizations part).




Page 29

Pitfalls / Lessons Learned

The quality of your authorization concept largely determines your remediation effort.

It is not always easy to determine exactly who needs what. Key users really need to know every detailed flow in the organization.

Taking away access is never easy.

Authorization remediation is closely linked with business controls (mitigating controls).


Page 30

Thank you!


Robert Moeyens, Global Application Manager, Taminco
+32 2 238 46 72, [email protected], www.nationale-loterij.be

Chris Walravens, GRC Community Lead, Expertum
+32 474 475 983, [email protected], www.expertum.net