Day14
GRC 10.1/12.0 Governance Risk & Compliance Access Control
Business Challenge – Authorization Risk
• Without proper controls, accidental and intentional activities due to excessive access and privileges can impact performance and reputation.
• Addressing regulatory mandates with manual activities and fragmented processes increases cost and complexity.
• Complexity impacts access and authorization management, making it inefficient.
• Consequently, risks are not identified and managed in time, and no proper remediation or mitigation is possible.
• Managers cannot own the responsibility for segregation of duties in the fragmented model.
Solution – Comprehensive Risk Based Approach
• Overcome the fragmented authorization management processes.
• Effective and efficient cleanup of SOD conflicts and excessive authorizations.
• Prevent future violations via a risk based approval process for new authorizations within the organization.
• Everything is monitored in a risk based approach (who can access the data, what kind of authorization do we need to assign, are all risks properly mitigated).
GOVERNANCE
• Corporate governance ensures ethical corporate behavior together with management practices in the creation of wealth for all stakeholders.
• Spells out the rules and procedures for making decisions about corporate affairs.
• IT governance helps to ensure alignment of IT and enterprise objectives so that IT resources are used responsibly and their risks are properly managed.
Risk Management
• Risk management identifies, classifies, documents, and reduces risks to an acceptable level.
• Risk is a result of three different parameters:
  – Existence of a threat for a business process
  – Likelihood of occurrence
  – Impact on the business process
COMPLIANCE
• Corporate policies represent the corporation's philosophy and strategic thinking at a high level.
• Low-level policies focus on the operational layer.
• Policies need to be in sync with the overall business strategy and legal requirements.
Fragmentation / Integration Approach
• Organizational fragmentation resulting from disconnected departmental activities can result in inconsistent policies, duplication of effort and difficulty predicting risk.
• An integrated approach helps the organization move towards excellence, reduces cost, and simplifies governance, risk and compliance.
HARMONIZATION OF ACCESS CONTROL
• Avoid SOD violations
• Compliance with SOX
• Manage various types of business risk

ACCESS RISK ANALYSIS
• A fully automated security audit and SOD (Segregation of Duties) analysis tool.
• Designed to solve all audit issues related to regulatory compliance.

ACCESS REQUEST MANAGEMENT
• Automate the process.
• Automates and expedites user provisioning throughout an employee's life cycle.

Business Role Management
• Role Definition
• Role Development
• Role Testing
• Role Maintenance

Emergency Access Management
• Tracks, monitors and logs the activity performed by a superuser.
• For emergency or extraordinary situations.
• Enables a user to perform tasks outside their role.

Analyze & Reports
• User reports
• SOD's
• AUDITS
NWBC VS PORTAL
• GRC 5.3 is based on Java Web Dynpro
• GRC 10.X is based on ABAP Web Dynpro
NWBC Customizing
Go to SPRO –> Governance, Risk and Compliance –> Configure LaunchPad for Menus
https://blogs.sap.com/2014/04/26/customizng-nwbc-for-new-menus-with-our-own-transactions-reports-and-accessing-sap-backend-systems-from-nwbc/
Work Center
• Work Centers provide a central point for GRC 10.0 functionality.
• They are organized based on what the customer is licensed to operate.
• Access work centers in two ways: NWBC or Portal.
• An administrator can customize the work centers to support the organization's structure.
My Home Work Center
My Home provides a central location to view and act on your assigned tasks and accessible objects:
• View, access, and perform workflow tasks assigned to you
• View completed reports that you scheduled
• Perform document search across all documents and content for which you have authorization
• View application help
• View and process your user data
Setup Work Center
Access Management Work Center
Reports and Analytics Work Center
Master Data Work Center
Rule Setup Work Center – Rule Setup includes the work sets seen in the Setup Work Center.
Authorization Risk – Purchase-To-Pay
• ME21 for creating a purchase order
• MIGO for posting a goods receipt
• MIRO for posting an invoice
Excessive Authorization – Purchase-To-Pay
• Create a fraudulent vendor with a private account (XK01)
• Create a purchase order (ME21N) and enter an invoice for the purchase order (MIRO)
• Hide the missing goods receipt by maintaining a GR/IR clearing account (MR11) and setting the delivery complete flag (ME22N)
• Release the invoice, which has been blocked because of the quantity difference (MRBR)
• Execute the payment run (F110)
5 Critical Conflicts of SOD (P2P)
• Vendor Master Data Maintenance + Vendor Master Data Confirmation: Fictitious vendors can be created, or bank account information can be changed to redirect payments to a different account. As a compensating control, the "Master Data Change Protocol" should be checked before every payment run. We can examine the protocol using transaction "FK04". It is necessary to check whether the same user has both maintained the master data and confirmed the change to it. This check should be carried out by a person who does not have authorization to maintain master data.
• Purchase Order Maintenance + Purchase Order Release: The combination of both authorizations, that is for the maintenance of the purchase order and for its release, might lead to the issuing of unauthorized purchase orders.
• Purchase Order Maintenance + Goods Receipt Posting: Purchase orders with the corresponding users can be found in the "EKKO" table in the "ERNAM" field. We can find the user responsible for posting the goods receipt in the "MKPF" table in the "USNAM" field. It is necessary to check whether users created a purchase order and also posted the goods receipt for it.
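The EKKO.ERNAM / MKPF.USNAM comparison described above is a detective control that can be run as a query. The following is an added example, not part of the original notes and not SAP-delivered code: it loads constructed sample rows into an in-memory SQLite database and joins purchase order headers to material document headers to list every case where the PO creator also posted the goods receipt. The page names only EKKO and MKPF; the link between a material document and its purchase order is assumed here to go through the item table MSEG (field EBELN), and all rows, user IDs and document numbers are constructed for illustration.

```python
import sqlite3

# Constructed sample rows (not from a real system). Only the columns the check
# needs are modelled; the real tables carry many more fields.
EKKO_ROWS = [  # purchase order header: EBELN = PO number, ERNAM = creating user
    ("4500000001", "JSMITH"),
    ("4500000002", "AMILLER"),
    ("4500000003", "JSMITH"),
]
MKPF_ROWS = [  # material document header: MBLNR = document number, USNAM = posting user
    ("5000000001", "JSMITH"),
    ("5000000002", "BKHAN"),
    ("5000000003", "AMILLER"),
    ("5000000004", "AMILLER"),
]
MSEG_ROWS = [  # material document item (assumed link): MBLNR -> EBELN of the PO received
    ("5000000001", "4500000001"),
    ("5000000002", "4500000002"),
    ("5000000003", "4500000003"),
    ("5000000004", "4500000002"),
]

# One row per (PO, goods receipt) pair where the same user did both steps.
SOD_QUERY = """
SELECT DISTINCT e.EBELN, e.ERNAM, m.MBLNR, m.USNAM
FROM EKKO e
JOIN MSEG s ON s.EBELN = e.EBELN
JOIN MKPF m ON m.MBLNR = s.MBLNR
WHERE e.ERNAM = m.USNAM
ORDER BY e.EBELN, m.MBLNR
"""


def build_db():
    """Create the three tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE EKKO (EBELN TEXT PRIMARY KEY, ERNAM TEXT NOT NULL);
        CREATE TABLE MKPF (MBLNR TEXT PRIMARY KEY, USNAM TEXT NOT NULL);
        CREATE TABLE MSEG (MBLNR TEXT NOT NULL, EBELN TEXT NOT NULL);
    """)
    conn.executemany("INSERT INTO EKKO VALUES (?, ?)", EKKO_ROWS)
    conn.executemany("INSERT INTO MKPF VALUES (?, ?)", MKPF_ROWS)
    conn.executemany("INSERT INTO MSEG VALUES (?, ?)", MSEG_ROWS)
    return conn


def find_po_gr_conflicts(conn):
    """Return (EBELN, ERNAM, MBLNR, USNAM) tuples where PO creator == GR poster."""
    return conn.execute(SOD_QUERY).fetchall()


def conflicts_by_user(conflicts):
    """Count conflicting PO/GR pairs per user, for the follow-up review."""
    counts = {}
    for _, user, _, _ in conflicts:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_po_gr_conflicts(build_db())
    for ebeln, creator, mblnr, poster in hits:
        print(f"PO {ebeln} created by {creator}; GR {mblnr} posted by {poster}")
    print("per user:", conflicts_by_user(hits))
```

The query flags transactions that already happened, so it belongs with the detective controls: the output is the worklist for a reviewer who does not hold purchasing or goods receipt authorization, in the same spirit as the FK04 check for vendor master changes.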
• O2C: Customer Master Data Maintenance + Entry of/Changes to Sales Orders: Users with the authorizations to maintain customer master data and sales orders could create fictitious customers with fake bank information. There is a possibility to post a credit and subsequently redirect payments to one's own account.
• P2P: Purchase Order Maintenance + Payment Run Execution: When performing the "MIRO" transaction, for example, the bank data of a one-time vendor can be changed. If users are also authorized to execute payment runs, this may lead to unapproved invoices being paid unnoticed by the company. Executing the "MIRO" (invoice posting) or "FB01" (GL posting) transactions and also executing payment runs, e.g. with transaction "F110", is another indicator of a possible SoD conflict.
Payroll Risks
The payroll process contains the following steps, which need to be separated from each other:
• Run payroll simulation (HR)
• Release payroll (HR)
• Run productive payroll (FI)
• Prepare bank transfer using the preliminary program (FI)
• Use the payment media workbench to create a payment file for the final bank transfer
Authorization Risk
• Modify payroll master data, such as salary information (PA30), and then process the payroll (PA03, PAUX).
• Change the employee HR benefits (HREBEN0083), then process payroll (PA03, PAUX) to improve their own financial situation.
• Modify time data (PA63) and process payroll (PA03, PAUX), resulting in fraudulent payments.
• Enter false time data (PA71) and perform payroll maintenance.
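The P2P and payroll risks listed above are the kind of conflicting function combinations that an Access Risk Analysis rule set encodes and that a preventive check evaluates before access is granted. As an added example (not from the original notes and not SAP's delivered rule set), the following script builds a small rule set from the transactions named on this page, derives each user's effective transactions from constructed role assignments, reports every risk whose functions are all covered, marks violations that already carry a mitigating control, and lists the roles whose removal would remediate each violation. Function names, risk IDs, role names, user IDs and the mitigating control ID are all constructed for illustration.

```python
from collections import defaultdict

# Constructed rule set: a function is a set of transactions that perform one business
# action; a risk is a set of functions that must not be held by the same user.
FUNCTIONS = {
    "PO_MAINTAIN":     {"ME21", "ME21N", "ME22N"},
    "GR_POST":         {"MIGO"},
    "INVOICE_POST":    {"MIRO", "FB01"},
    "VENDOR_MAINTAIN": {"XK01"},
    "PAYMENT_RUN":     {"F110"},
    "PAYROLL_MASTER":  {"PA30"},
    "PAYROLL_RUN":     {"PA03", "PAUX"},
    "TIME_DATA":       {"PA63", "PA71"},
}
RISKS = [  # (risk id, level, conflicting functions, description)
    ("P2P001", "High",     ("PO_MAINTAIN", "GR_POST"),      "Maintain PO and post goods receipt"),
    ("P2P002", "Critical", ("PO_MAINTAIN", "PAYMENT_RUN"),  "Maintain PO and execute payment run"),
    ("P2P003", "Critical", ("VENDOR_MAINTAIN", "PO_MAINTAIN", "INVOICE_POST"),
                                                             "Create vendor, PO and invoice"),
    ("HR001",  "High",     ("PAYROLL_MASTER", "PAYROLL_RUN"), "Change payroll master data and run payroll"),
    ("HR002",  "Medium",   ("TIME_DATA", "PAYROLL_RUN"),     "Enter time data and run payroll"),
]

# Constructed role catalogue and user assignments (hypothetical Z-roles).
ROLES = {
    "Z_PURCHASER":  {"ME21N", "ME22N", "ME23N"},
    "Z_WAREHOUSE":  {"MIGO", "MB51"},
    "Z_AP_CLERK":   {"MIRO", "FB01", "FK03"},
    "Z_TREASURY":   {"F110"},
    "Z_VENDOR_MDM": {"XK01", "XK02"},
    "Z_HR_ADMIN":   {"PA30", "PA63"},
    "Z_PAYROLL":    {"PA03", "PAUX"},
}
USERS = {
    "JSMITH":  ["Z_PURCHASER", "Z_WAREHOUSE"],
    "AMILLER": ["Z_VENDOR_MDM", "Z_PURCHASER", "Z_AP_CLERK", "Z_TREASURY"],
    "BKHAN":   ["Z_HR_ADMIN", "Z_PAYROLL"],
    "CLOPEZ":  ["Z_AP_CLERK"],
}
# (user, risk id) -> mitigating control id; a mitigated risk is reported, not hidden.
MITIGATIONS = {("BKHAN", "HR001"): "MC-HR-01"}


def effective_tcodes(user):
    """Map each transaction the user can run to the roles that grant it."""
    grants = defaultdict(set)
    for role in USERS[user]:
        for tcode in ROLES[role]:
            grants[tcode].add(role)
    return grants


def analyze_user(user):
    """Return the risks violated by the user's combined role assignments."""
    grants = effective_tcodes(user)
    violations = []
    for risk_id, level, functions, text in RISKS:
        providers = {}  # function -> roles that grant at least one of its transactions
        for func in functions:
            roles = set()
            for tcode in FUNCTIONS[func] & set(grants):
                roles |= grants[tcode]
            if not roles:
                break  # one function is not held, so this risk is not violated
            providers[func] = roles
        else:
            # Removing a role that is the only provider of some function clears the risk.
            candidates = {r for roles in providers.values() if len(roles) == 1 for r in roles}
            violations.append({
                "risk_id": risk_id, "level": level, "description": text,
                "mitigated_by": MITIGATIONS.get((user, risk_id)),
                "remediation_roles": sorted(candidates),
            })
    return violations


def run_analysis():
    """User-level risk report for every user in the constructed assignment list."""
    return {user: analyze_user(user) for user in USERS}


if __name__ == "__main__":
    for user, viols in run_analysis().items():
        for v in viols:
            state = f"mitigated by {v['mitigated_by']}" if v["mitigated_by"] else "OPEN"
            print(f"{user}: {v['risk_id']} ({v['level']}) {v['description']} - {state}; "
                  f"remediate by removing one of {v['remediation_roles']}")
```

The same evaluation applies at role level (analyze a single role's transactions) and at request time (analyze the user's current roles plus the requested one), which is how a risk based approval process prevents new conflicts instead of cleaning them up afterwards.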
Types of Controls
• Business Controls
• Internal Controls
• Financial Controls
Business Controls
1. Visual controls. These include checklists, dashboards, scorecards, budgets, etc. They let you SEE that the right things are happening, or if not, they raise a flag that lets you focus on fixing the situation.
2. Procedural controls. These include things like having two unrelated parties internally check or be involved in the flow of money, your standard review process for all new hires, and the standardized sales concessions you empower your sales team to use. Procedural controls establish a known pathway to a consistently secure result.
3. Embedded controls. These are the controls that work without someone having to remember to do something out of the way to use them. They include things like your standardized contracts, automated data backups, and intentionally designed financial controls that work automatically in the background to protect your business from poor decisions or behaviour.
Internal Controls
• Detective Internal Controls: controls that are used after the fact of a discretionary event.
• Preventative Internal Controls: controls put in place to avert a negative event from occurring. For example, most applications have checks and balances built in to avoid or minimize entering incorrect information.
• Corrective Internal Controls: typically controls put in place after the detective internal controls discover a problem. These controls could include disciplinary action, reports filed, software patches or modifications.
Financial Controls
• Balance Sheet
• Assets
• Income Statement
• Cash Flow Statement
• Operating Expense
• Sales / Revenue
Managing Risks by Segregating Duties • SAP has developed a three-phase approach to risk management
REMEDIATION
This is the process of removing the risk from the roles/users.
Key Users
Key Terminology
FUNCTIONS
Rule Set
VIRSA (SAP Compliance Calibrator by Virsa Systems)
• VIRSA Compliance Calibrator provides real-time compliance monitoring and controls, integrated within your SAP deployment.
• VIRSA Access Enforcer provides tools for assigning, enforcing, and logging access (cross-system).
• VIRSA Role Expert provides tools to create, manage, and define access permissions, either individual access controls or groups of access controls.
• VIRSA Firefighter provides flexible controls that allow you to assign special permissions for emergency access.
• SAP acquired VIRSA for its compliance capabilities.
• It is installed as a VIRSA plug-in in the SAP system.
Naming Convention (GRC 5.3 –> GRC 10)
• SAP GRC Business Objects Access Control –> SAP Access Control (from May 2012)
• Risk Analysis & Remediation –> Access Risk Analysis
• Super User Privilege Management –> Emergency Access Management
• Compliant User Provisioning –> Access Request Management
• Enterprise Role Management –> Business Role Management
• Installation: Java Stack (JSPM) –> ABAP Stack (SAINT)
• End user access: any browser –> NWBC or Portal
• GRC patch installation / GRC patches: VIRCC00_0.SCA (Risk Analysis and Remediation), VIRAE00_0.SCA (Compliant User Provisioning), VIRRE00_0.SCA (Enterprise Role Manager), VIRFF00_0.SCA (Superuser Privilege Management), VIRACLP00_0.SCA (Launch Pad), VIREPRTA00_0.SCA (Enterprise Portal) –> GRCFND_A
• Real Time Agents: VIRSANH, VIRSAHR –> GRCPINW (Non HR), GRCPIERP (HR)
GRC 10.1
The look and feel of GRC Access Control 10.1 is almost the same as version 10.0, except for a few additional options that SAP has included based on customer feedback. The new changes predominantly focus on HANA integration, access requests, rule set creation and an enhanced remediation process. Kindly note: Fiori apps for GRC 10.1 require the SAP component UIGRC001 in the front end and GRCFND_A in the back end. According to SAP Note 2678236, SAP has modified the S/4HANA and Fiori standard rule set with GRC 10.1 SP22 and GRC 12.0 SP03.
• Disable link functionality in attachments & links
• HANA database connection type: GRC AC 10.1 can use HANA as the database to store master data. GRC can even do user management for a HANA system in the same way as for any other SAP system. If SAP HANA is used as the database, make sure that the plug-in "SAP GRC 10.1 Plug-In SAP HANA" is installed.
• Maintain Firefighter ID role name per connector: GRC AC 10.1 introduces this new feature to maintain the Firefighter ID role name per system/connector. Instead of maintaining the SPM role in a configuration parameter, we can use the new option to map the FF ID role per connector.
• Organization rule creation wizard: You can create an org rule using this wizard and can also download it and upload it into another system. There is no need to worry about the org fields or values used to create the org rule.
• Configure attributes for role search criteria in access requests: With this new feature we can customize the search criteria screen and make only the important search criteria visible in the request, so that the requester can fill in the details and search for roles.
• Risk Analysis: Run risk analysis on the role selected for provisioning; the system can even suggest mitigation.
• Risk analysis on SU01 attributes: Sometimes the business wants to perform risk analysis on the SU01 attributes of a user, for example function, department or parameters. GRC AC 10 has this functionality, but at most at the user group level. With this enhanced feature in GRC AC 10.1 we can create a custom group based on SU01 attributes, as shown below, and perform risk analysis on the users belonging to those attributes.
Remediation View
• The main task in implementing GRC AC is to make all users SOD free, i.e. clean. For this we have to download the user-level detailed report and then analyse the root cause to see whether we can remediate or mitigate. The business spends a lot of time analysing the report and deciding on the solution.
• GRC AC 10.1 now provides a remediation view report in which the business itself can analyse all aspects of a risk and decide how to become clean. This saves the business a lot of time and effectively guides it to a decision on becoming SOD clean.
• Risk Analysis Report: We can mitigate the user on the risk and rule directly from this screen, or else remove the role by selecting the Remove Role option.
System Architecture
GRC BOX
• GRCFND_A (Access Control, Process Control and Risk Management in one ABAP add-on)
• SLL-LEG (Global Trade Services)
• SLL-NFE (Nota Fiscal Electronics)
Business System
• GRCPIERP (Process Control automated controls and HR-relevant functions)
• GRCPINW (GRC NW plug-in in the business client)
SAP GRC 12.0 – IMPROVED USER INTERFACE
• The biggest benefit of SAP GRC 12.0 is an improved user experience, which has been significantly improved from GRC 10.1.
• SAP has now included GRC in its broader strategy of moving towards mobile devices, so we can now access the functionality and features of 12.0 through the Fiori Launchpad. SAP GRC will have a Fiori-like front end (users can still keep on using NWBC if preferable).
• GRC 12.0 navigation is based on SAP Personas. For better navigation and to enhance data quality, classic screens are replaced with simpler screens.
SAP Note 2638578 – What's new in GRC Access Control 12.0
Components: GRCFND_A V1200, GRCPIERP V1200_S4, GRCPINW V1200_750