
SoX Compliance with GRC Access Control - The Alpro case


The monitoring of SOX Compliance with SAP GRC Access Control 10.0: the Alpro case To ensure SOX compliance of their authorizations, Alpro decided to implement the Analyze & Manage Risk (AMR) module of SAP GRC Access Control 10.0 to perform risk analyses on the same level as the external auditors do, to facilitate clean-up of unwanted access rights, to document the mitigation of SOX critical accesses that are needed both at user and at HR position levels, and to run dashboard and detailed reports in order to increase the business understanding and involvement in the authorizations processes. SAPience User Day, March 21, 2013


Page 1: SoX Compliance with GRC Access Control - The Alpro case

SAPience.be User Day ’13, March 21, 2013

The monitoring of SOX Compliance with SAP GRC Access Control 10.0

Eric Lagrange, Alpro
Chris Walravens, Expertum

Page 2: Agenda

• Key Facts about Alpro
• Key Facts about Expertum
• SOX Compliance @ Alpro
• SAP GRC Access Control
• Position Based Security
• Preventative Simulation
• Operational Processes
• Risk Mitigation
• Root Cause Analysis
• Reporting
• Benefits

Page 3: Key facts and figures about Alpro

• Alpro founded in 1980 and acquired by Dean Foods mid 2009
• Part of The WhiteWave Foods Company (NYSE) since mid 2012
• Grown to € 286 million in revenues in 2012 (US GAAP) (€ 304 million IFRS)
• European market leader in non-dairy plant-based products
• 2 power brands: Alpro® and Provamel®
• 6 product categories
• 3 channels
• 4 wholly-owned commercial organisations in BE, NL, UK and GE and more than 30 commercial partnerships in all other primary European markets
• 4 plants in BE, FR, UK and NL
• ~850 employees

Page 4: Alpro mission anchored in sustainable development

“We create delicious naturally-healthy plant-based foods for the maximum wellbeing of everyone and with the utmost respect for our planet”

Page 6: Innovations 2012

Page 7: Innovations in 2012

Page 8: Vegetal alternatives are 5 to 10 times more efficient than animal products on key SD KPIs

[Chart: efficiency multipliers (x2,5 to x45) for cow’s milk vs soy and cow’s meat vs soy on the KPIs land, water, air, energy and CO2. Source: Ecofys]

Page 9: Evidence shows that healthy and sustainable foods go hand in hand

Source: Barilla Centre for Food Nutrition

Page 10: Introduction Expertum

Facts
• Founded in April 2006 by 2 ex-SAP Belux employees
• Team of 50+ SAP Experts and Project Managers
• Partnerships

Mission
• Exceed client expectations by providing top-quality expertise
• Provide our people a safe environment for personal and professional growth

Strength
• Highly skilled & experienced SAP consultants in all SAP areas, combined with a wide industry knowledge in several domains
• First (and still only) IT services provider on the Belgian market to receive the coveted SAP certificate for quality management (AQM)

Page 11: Expertum Competence Areas

• Knowledge Management - Product & Service Development
• Project Management (PM)
• Supply Chain Management (SCM)
• Product Lifecycle Management (PLM)
• Application Lifecycle Management (SolMan + NW)
• Governance, Risk, and Compliance (GRC)
• Business Intelligence (BI: BW + BO)
• Finance & Controlling (FI/CO)

Focus GRC team
• SAP Authorization Health Check
• SAP Authorization Concept (re)Design
• SOD conflict Remediation
• SAP Security Framework design
• SAP GRC Toolbox - GRC RDS Certified
• SAP IDM
• Day to Day support

Page 12: SOX-Compliance @ Alpro

• Achieved SOX-compliance successfully (2010 / 2011 / 2012)
• Resulted in enhanced business controls and authorizations
• Provided Alpro management extra comfort on the main business processes and their impact on the financial reporting

For SAP authorizations, 2 controls were applied:
• Internally built tool used during the operational processes
• Periodic query runs by the external auditor

Major gaps between the two controls existed:
• The internal tool only checked on transaction code level (not on authorization object level)
• No alignment of monitored functionality between the two tools / rule sets

Page 13: SAP GRC Access Control

Objectives
• Alignment of rule set
• Preventative simulation
• Embed risk analysis in the operational processes
• Document risk mitigation
• Facilitate root cause analysis
• Enhance reporting

Components of SAP GRC Access Control 10.0
• Emergency Access Management (EAM)
• Provision & Manage Users (PMU)
• Business Role Management (BRM)
• Analyze & Manage Risks (AMR)

Page 14: Position Based Security

Position based security
• Use of the HR organizational structure
• Role assignments to positions

2-layered concept
• Composite roles for positions or functions
• Single & derived roles for functionality (at sub-process level)

Approval process
• Approvals of role assignments are done on position level
• Risk mitigations are approved on position level

Page 15: Preventative Simulation

Rule set
• Contains critical functionality & SOD queries
• Works on transaction code and detailed authorization object level
• Aligned with the SOX controls applied by the external auditor

Simulation functionality

Page 16: Operational Processes

Processes in which the risk analysis is embedded:
• New user / Existing position
• Existing user / Change position
• New user / New position
• Existing user / Multiple positions
• Changes in roles

Required check per process (mapped to the processes on the slide):
• No simulation required
• Run user simulation
• Run position simulation

Page 17: Risk Mitigation

Mitigation decision on position level (Corporate Controller)

Mitigation documentation both on position & user level
• New / Changed position
  • Decision and documentation on position level
  • Apply the position mitigations to the users
• New user
  • Apply mitigations of the assigned position on user level
• Changed user
  • Remove all mitigations of the previous position on user level
  • Apply mitigations of the new position on user level

Page 18: Root Cause Analysis

SOD Rule: Maintain AP Payment run vs Maintain Vendor MD

Technical Roles: XP3..FIAP_PAYRUN_FULL + XP3..VENDMD_FULL = SOD conflict
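The following Python example is added here to make the mechanics of slides 15 to 18 concrete; it is not code from the Alpro/Expertum presentation and not SAP GRC's own risk engine, which evaluates its rule set with more nuance than this model. It shows one SOD rule (the payment run vs vendor master rule from slide 18) evaluated at transaction-code level and at authorization-object level, a preventative simulation of a proposed role assignment, root-cause attribution of each side of the conflict to the role that brings it, and mitigations inherited by a user from the positions held. The role names are taken verbatim from slide 18; their authorization contents, the third role, the positions, and the object/field values in the rule are constructed for the example and are not SAP's delivered rule set.

```python
"""Simplified SoD risk analysis in the style of slides 15 to 18: a rule set
evaluated at transaction-code and authorization-object level, preventative
simulation, root-cause attribution to roles, and mitigations inherited from
positions. This is an illustrative model, not SAP GRC's own engine."""

# Rule set: risk id -> function -> list of actions. An action is a transaction
# code plus the authorization-object field values the transaction needs.
# The object/field values below are illustrative, not SAP's delivered rule set.
RULESET = {
    "AP_PAYRUN_VS_VENDOR_MD": {
        "AP_PAYRUN": [("F110", {"F_REGU_BUK": {"FBTCH": "11"}})],   # run the payment program
        "VENDOR_MD": [("FK02", {"F_LFA1_APP": {"ACTVT": "02"}}),    # change vendor (FI view)
                      ("XK02", {"F_LFA1_APP": {"ACTVT": "02"}})],   # change vendor (central)
    },
}

# Roles: name -> list of authorization instances (object, {field: granted values}).
# Role names follow slide 18; their contents are constructed for this example.
ROLES = {
    "XP3..FIAP_PAYRUN_FULL": [
        ("S_TCODE", {"TCD": {"F110"}}),
        ("F_REGU_BUK", {"BUKRS": {"*"}, "FBTCH": {"02", "11"}}),
    ],
    "XP3..VENDMD_FULL": [
        ("S_TCODE", {"TCD": {"FK01", "FK02", "XK01", "XK02"}}),
        ("F_LFA1_APP", {"APPKZ": {"F"}, "ACTVT": {"01", "02", "03"}}),
    ],
    # Constructed: FK02 can be started, but only display activity is granted,
    # so a transaction-code-only check reports a false positive.
    "XP3..VENDMD_DISPLAY": [
        ("S_TCODE", {"TCD": {"FK02", "FK03"}}),
        ("F_LFA1_APP", {"APPKZ": {"F"}, "ACTVT": {"03"}}),
    ],
}


def value_matches(granted, required):
    """SAP-style value check: '*' matches anything, 'ABC*' is a prefix, else exact."""
    return any(g == "*" or g == required or (g.endswith("*") and required.startswith(g[:-1]))
               for g in granted)


def instance_satisfies(auth, obj, needed):
    """All required fields must be met by ONE authorization instance of `obj`."""
    o, fields = auth
    return o == obj and all(f in fields and value_matches(fields[f], v) for f, v in needed.items())


def roles_enabling(action, user_roles, roles, level):
    """Roles that contribute to the ability to perform `action` (empty set if it is
    not possible). level='tcode' checks S_TCODE only; 'object' also checks the
    required authorization objects, which is what removes the false positives."""
    tcode, objects = action
    checks = [("S_TCODE", {"TCD": tcode})] + (list(objects.items()) if level == "object" else [])
    contributors = set()
    for obj, fields in checks:
        hits = {r for r in user_roles for a in roles[r] if instance_satisfies(a, obj, fields)}
        if not hits:
            return set()
        contributors |= hits
    return contributors


def analyze(user_roles, roles, level="object"):
    """{risk_id: {function: contributing roles}} for each risk whose functions are
    all enabled. The inner mapping is the root cause: which role brings which side."""
    violations = {}
    for risk_id, functions in RULESET.items():
        cause = {}
        for fn, actions in functions.items():
            enabling = set().union(*(roles_enabling(a, user_roles, roles, level) for a in actions))
            if not enabling:
                break
            cause[fn] = enabling
        else:
            violations[risk_id] = cause
    return violations


def simulate(current_roles, added_roles, roles, level="object"):
    """Preventative simulation: risks that a proposed role assignment would introduce."""
    before = analyze(current_roles, roles, level)
    after = analyze(current_roles | added_roles, roles, level)
    return {k: v for k, v in after.items() if k not in before}


def open_risks(user_positions, position_roles, position_mitigations, roles):
    """Risks of a user derived from all positions held, minus the mitigations documented
    on those positions. Recomputing from the current positions implements slide 17's
    'remove previous position's mitigations, apply the new ones' without dropping a
    mitigation that another still-held position provides."""
    user_roles = set().union(*(position_roles[p] for p in user_positions))
    mitigated = set().union(*(position_mitigations.get(p, set()) for p in user_positions))
    return {k: v for k, v in analyze(user_roles, roles).items() if k not in mitigated}


if __name__ == "__main__":
    ap = {"XP3..FIAP_PAYRUN_FULL", "XP3..VENDMD_FULL"}
    print("root cause:", analyze(ap, ROLES))
    disp = {"XP3..FIAP_PAYRUN_FULL", "XP3..VENDMD_DISPLAY"}
    print("tcode level:", analyze(disp, ROLES, level="tcode"), "object level:", analyze(disp, ROLES))
    print("simulation:", simulate({"XP3..FIAP_PAYRUN_FULL"}, {"XP3..VENDMD_FULL"}, ROLES))
```

The combination of the two full roles is reported as a conflict at both levels, with each function attributed to the role that enables it, which is the root-cause view of slide 18. The display-only role trips the transaction-code check but not the object-level check, which is the gap slide 12 describes between the internal tool and the auditor's queries. `simulate` is run before a role is assigned to a position so that the conflict is caught preventively, and `open_risks` derives a user's open risks and mitigations from the positions currently held rather than editing user-level mitigations one by one.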

Page 19: Reporting

Page 20: Benefits

• Rule set fully in line with the SOX requirements
• Full preventative mode: no authorization change goes into production without a preventative check against the rule set
• Risk analysis fully embedded in the operational processes
• Risk mitigations are fully documented during the operational processes
• Root cause analysis is facilitated, making day-to-day maintenance easier

Page 21: Thank you!

Get Inspired. Stay Connected. Achieve Business Agility.