Post on 20-May-2020
SAPINSIDER SPECIAL REPORT | MANAGING RISK, SECURITY, AND COMPLIANCE: TIPS FROM TODAY’S GRC LEADERS
Reproduced from the Oct n Nov n Dec 2015 issue of SAPinsider with permission from its publisher, WIS Publishing | SAPinsiderOnline.com S-1
If you were to plot a graph outlining the number of organizations that are beginning to form a comprehensive governance, risk, and compliance (GRC) strategy, it would likely follow a similar trajectory to the rate of regulatory proliferation. New and changing regulations such as anti-bribery and corruption (ABC) statutes are increasing regulatory pressure to unprecedented levels, and stopgap GRC activities that do not encompass a proactive approach put a company at the risk of non-compliance and business disruption. Just as important, companies that regularly rely on reactive, patchwork measures in lieu of a robust GRC strategy expose themselves to very real and potentially devastating security breaches and fraud.
The door has slammed shut on the days when quarterly, spreadsheet-based internal audits sufficed. Organizations recognize that having a truly consolidated view of GRC issues that aligns with their overall business strategy is no longer merely a nice-to-have luxury. Costs for non-compliance that include damage to the brand, loss of revenue, fines and penalties, and proprietary theft far outweigh the cost of implementing a global GRC platform. And trying to make do with a fragmented GRC environment only increases costs and complexity, as that approach introduces redundancies and fails to protect against threats on the horizon.
Companies that adopt a forward-looking, proactive approach to GRC recognize that having a global GRC platform does much more than check off the box on compliance. An increased understanding of a business’s appetite to take on risk can aid an organization in exploring new revenue streams, for example, by fully capitalizing on emerging trade agreements such as the Trans-Pacific Partnership. Other hidden benefits include identifying new opportunities, enhancing one’s brand, and increasing market access. Overall, this helps to drive improvements in operations and even streamline business processes.
3 Cornerstones of GRC Success
This backdrop serves to explain the reasons why SAP’s GRC strategy has evolved from one in which automating and centralizing data was the starting and ending point for shoring up risk factors to one that places GRC at the very center of a business strategy. There are three cornerstones to this strategy converging to provide the business with the means to make better and more informed decisions:
■ Simplify GRC
■ Gain insight from it
■ Strengthen the organization to anticipate GRC-related needs and opportunities they may create
INSIDE THIS SPECIAL REPORT
S-3 PwC and SAP: A Holistic, Enterprise-Wide View of GRC
S-5 EY and SAP: Enable Your Internal Auditors
S-6 Accenture: Effective GRC Strategies Begin with Business Alignment
S-7 Dolphin Enterprise Solutions Corporation: 7 Strategies for Preparing Your SAP Systems for Audits
S-8 Deloitte & Touche LLP: Secure, Vigilant, Resilient
S-9 ultimumIT: Integrate Business Processes into Your GRC Strategy to Discover Long-Term Value
S-10 Security Weaver: 9 Ways to Jumpstart License Compliance and Minimize Risk in Your SAP Landscape
S-11 EY: No Reward Without Risk
S-12 ERP Maestro: Increased External Audit Scrutiny Puts Spotlight on Access Controls
S-13 High Water Advisors: What Risks Are Hiding in Your SAP Landscape?
S-14 Layer Seven Security: Unlocking the Cyber Security Toolkit in SAP Solution Manager
S-15 Greenlight Technologies: Quantify the Impact of Segregation of Duties on Your Business

Empower Your Business to Confidently Navigate Risk
Kevin McCollom, Vice President and General Manager, GRC Solutions, SAP Labs, LLC
Simplify
SAP offering a global GRC platform is not new. But embedding GRC activities into underlying business processes is the key to transforming GRC from an afterthought into a true partnership with the business. Embedding GRC best practices into business processes drives simplicity in the organization by eliminating the redundancies that traditionally crop up when putting new programs in place with every new regulation or perceived threat that appears. A single, unified, SAP HANA-enabled GRC platform eliminates duplication, manual effort, and errors, and provides the real-time visibility that organizations need to proactively respond to any threat or compliance issue.
GRC is a focal point of SAP’s overarching Run Simple message because it is unique in how simplification can positively affect the landscape, and thus the business. When new threats result in new programs and processes, building siloed, redundant, and error-prone controls, policies, and technologies only serves to increase complexity, which may actually increase risk. Embedding GRC activities directly into business processes makes GRC a natural step in a business process rather than a separate process altogether. For example, complying with ABC regulations in a new jurisdiction shouldn’t require building new internal processes and controls. Leveraging existing processes and embedded controls documented in and reusable from an enterprise GRC platform saves time, prevents mistakes, and enhances compliance.
Gain Insight
When GRC is no longer an afterthought, true business impact and insights can be derived, nearly instantaneously, and leveraged to optimize business decisions. Business decisions can be projected into the future and GRC activities can be modeled accordingly, which goes hand in hand with helping an organization understand its risk appetite. With GRC embedded into business processes, companies can identify business and regulatory trends and model for different situations and outcomes, as well as detect potential business anomalies such as fraud, waste, and abuse. A global organization added millions to its bottom line by analyzing data patterns with SAP solutions for GRC to identify travel expense errors that were being constantly repeated and costing precious discounts, rebates, and tax savings.
Strengthen
Leveraging a comprehensive GRC platform not only to detect and predict business impacts and anomalies before they happen, but to explore unexpected business opportunities, helps strengthen the business in ways that just weren’t possible with a reactive approach to GRC challenges. When a business fully understands how certain regulations or trade agreements intersect with its business strategy, it can shape its response and be prepared for potential future outcomes. That might be an extreme example, but it speaks to an unprecedented level of preparation that an integrated GRC platform enables. In addition, having this platform in place demonstrates that a company has taken the reasonable care to be compliant, which is a mitigating factor that can significantly reduce the cost of enforcement actions. Enforcement has been shown to be nearly three times more costly than making the proper compliance investments would have been.1
The GRC Future Is Now
In some ways, penalties have historically been an assumed cost of doing business. Not necessarily because of deliberate malfeasance, but because technology limitations prevented corporations from bringing GRC considerations into the business decision-making process. This is not the case today, with SAP solutions for GRC, SAP HANA, and the entire state-of-the-art analytics portfolio at the forefront of technology advancements that are helping drive better business decisions in GRC. With SAP Fiori, users have a consistent, streamlined, modern user experience across the device spectrum that also helps drive insight.
As regulatory proliferation continues, SAP’s goal is to continue to invest in and evolve the GRC suite, embedding deeply into business processes. We see this today with SAP solutions for GRC already embedded into what is available on SAP Business Suite 4 SAP HANA (SAP S/4HANA), and this will hold true as GRC continues to be an integral component of additional business processes and the applications supporting them that run on SAP S/4HANA.
A truly comprehensive GRC suite is more than enterprise GRC. Security is an integral part of navigating risk by preventing large-scale data breaches affecting end customers. Because of this, SAP’s GRC strategy includes deepening the existing integration between its information security and enterprise GRC portfolios to provide unprecedented identity governance and administration capabilities.
It is no accident that SAP solutions for GRC are top of mind for new and installed SAP customers as the global market leader in the enterprise GRC space. We carefully designed and executed our strategy to build on the trust our customers put in the SAP brand. Through SAP’s unparalleled services and partner network, SAP will continue to deliver GRC and security solutions that simplify GRC, provide unique business insight, and strengthen businesses for the road ahead.
1 Ponemon Institute LLC, “The True Cost of Compliance” (2011).
A Holistic, Enterprise-Wide View of GRC
How People, Strategy, and Technology Come Together to Manage Risk
Scott Osterman, SAP Security and SAP Access Control Practice Leader, Partner, PwC
Bruce McCuaig, Director, GRC Product Marketing, SAP
Increasing risk and regulatory complexity are the biggest pressures on organizations’ governance, risk, and compliance (GRC) functions. Most businesses, however, spend their GRC focus on reactive measures, typically including security and controls improvements, without thinking proactively about setting up a holistic GRC program that can help them adjust as new regulations take form and new risks appear.
SAP market observations suggest that integrated, holistic GRC approaches where organizations are continuously and proactively monitoring risk aren’t yet prevalent among enterprises. While some companies are further along in their GRC journeys, whether that’s embracing mobile, SAP Fiori-enabled technologies or managing security around SAP HANA, many are still having trouble grasping the bigger picture. An SAP-sponsored survey of more than 1,000 executives with responsibility for GRC in their organizations found that just 17% of companies were using any continuous monitoring capabilities, meaning that the rest were relying on a combination of manual spreadsheets and disparate solutions across different organizations and groups.1
The technology is available. SAP solutions for GRC — including SAP Access Control, SAP Process Control, SAP Risk Management, SAP Fraud Management, and SAP Audit Management — provide the capabilities for companies to continuously monitor their systems and risks, allowing them to set up a GRC program that has real impact to the organization. The gap, therefore, isn’t technology; the gap is capability, motivation, and governing the future rather than the past.
This gap exists because most enterprises have taken a fragmented approach to GRC. Because professional standards and regulators do not require a holistic, integrated approach, companies often have employees tasked with monitoring controls operating separately from those who are focused on enterprise risk management at the corporate level. These functions too often work in silos; they don’t talk to each other, work together, or integrate properly to ensure that risks are mitigated. Moreover, many companies are still without risk management processes at all, and operate with a reactive approach to business changes.
Executives therefore grow frustrated with the lack of visibility, and control failure becomes the biggest organizational risk. A consistent framework is needed to guide the allocation of accountability and the integration of information. Without it, businesses not only fail to manage risk and compliance optimally, but they also fail to achieve the proper return on their GRC technology investment.
1 Loudhouse, “Managing Risk in an Age of Complexity” (2015; http://go.sap.com/docs/download/2015/07/08e10861-357c-0010-82c7-eda71af511fa.pdf).
3 Lines of Defense
A holistic approach to GRC means implementing compliance, process, audit, and risk on integrated platforms that are operated by collaborative teams that drive GRC practices into critical business activities and monitor progress at an enterprise level.
SAP developed the “three lines of defense” approach, which outlines how a business can find the best way to manage any given risk (see Figure 1). The methodology behind this concept is as follows:
1. Control risk and manage compliance in business activities. This means that the first line of defense is the business — they own the risk in their business and monitor and evaluate related controls.
2. Identify, measure, monitor, and report risk and compliance at the enterprise level. This means that the risk management function takes it to the next level, assessing and providing appropriate frameworks for operations and evaluating and taking action on risk management practices across the enterprise.
3. Provide assurance, insight, and advice. This responsibility rests with internal auditors, whose audits can confirm that the framework in place is effective, and that risks are being properly tracked and mitigated.
With this methodology, an enterprise can carry out a strategy that can handle any risk, and report back to its top executives and board regarding progress.
It also enables the organization to get the most out of its technology investment. A holistic team working with integrated data can realize the value of SAP solutions for GRC. Some companies are unsure as to how exactly to treat risks: How do you even get started assessing something as daunting as risk management across an enterprise? SAP recently released SAP GRC Strategy Selector, an iPad app that is designed to assess risks, propose a risk management strategy and primary line of defense for each risk, and also suggest the most appropriate SAP solution to enable the line of defense.2
With the right methodology and technology in place, it’s important to have the right people on board, both within the organization as well as from outside thought leadership and consultants such as PwC.
Redefine the People
A compliant environment starts in the boardroom. While a compliant environment does mean addressing some issues in a reactionary fashion, from audit findings to breaches, executives must not lose sight of the fact that there are broader risks that are pervasive across all organizations that need to be monitored and addressed.
2 For more about the app, see http://blogs.sap.com/analytics/2015/04/21grc-tuesdays-a-strategic-solution-for-the-disintegration-of-grc.
Throwing technology at risk management is only part of the solution. Simply implementing a solution that monitors a set of controls or tracks data for a given regulation, but fails to report its findings to the highest levels of management, is inadequate. The right people need to be in place to ensure the synergy between technology and strategy. One of the issues that companies face with GRC is that they fail to have someone at the C-level whose responsibility is chiefly on risk and compliance — a chief risk officer. Without someone at this level directing the GRC actions and framework, organizations will continue to manage GRC at a tactical, rather than strategic, level.
But in the absence of a chief risk officer, the C-suite executives in charge of finance, risk, compliance, operations, and audit can effectively lead and promote the three lines of defense.
Going Forward
Having a holistic GRC strategy involves putting the right people and technology in place and ensuring that they work in tandem to execute GRC processes enterprise-wide. With such a view of GRC, you can ensure your organization is headed in the right direction to combat future uncertainty and protect your data. For more, visit www.pwc.com/sap.
FIGURE 1 SAP’s “three lines of defense” methodology (figure; all three lines report to the board of directors, audit committee, and other executives)
First Line of Defense: control business operations; control risks in business activities; automation and continuous monitoring of risks and controls
Second Line of Defense: entity-level risk and compliance management; management of the frameworks for risk, control, and compliance; continuous monitoring of risk, control, and compliance requirements
Third Line of Defense: provide independent assurance; automation and continuous risk-based auditing for assurance and insight
Enable Your Internal Auditors
How SAP Audit Management Can Improve Decision Making, Lower Reaction Time, and Optimize the Audit Process
Marsha Reppy, Americas SAP Controls, Security, and GRC Leader, EY
With the global business environment changing so rapidly, driven by economic, technological, and regulatory changes, companies face increasing levels of risk. As a result, management and audit committees continue to challenge internal audit (IA) functions to be more effective, efficient, and innovative, and to help organizations address the risks they face today as well as anticipate emerging risks.
An optimal mix of processes, people, and technology is critical to achieving that goal. With technology such as SAP Audit Management — an SAP solution for governance, risk, and compliance (GRC) devoted to audit functions — businesses can optimally support the efforts of IA organizations. Let’s look at three key benefits businesses can realize with SAP Audit Management.
1. Improved Decision Making
With the volumes of data present in enterprise systems and produced in business processes, companies need to make effective and timely decisions. SAP Audit Management allows for improved decision making, enabling you to prioritize your activities on risks that matter. The solution includes automated and comprehensive monitoring of risks across the entire audit process, from the identification of a risk to its mitigation.
SAP Audit Management integrates multiple GRC processes and mandates, supporting all relevant regulatory requirements while improving collaboration and reducing duplication. These capabilities come together with embedded analytics within the planning and execution phases of IA processes, allowing organizations to focus internal audits on high-risk and unusual areas. It also allows you to manage your resources and their competencies, so the right people are performing the right tasks and the potential effects of making resource changes are revealed.
2. Lowered Reaction Time
SAP Audit Management enables you to detect risks as they occur and, in some cases, prevent risks from occurring at all. Predictive modeling and continuous monitoring also help identify trends that may be missed using traditional sampling techniques. With these capabilities, you can react to significant risks as soon as they arise, adjust your audit plan, and understand the effects of these adjustments. This reduced reaction time improves the agility of your risk management processes, allowing you to effectively respond to business needs.
3. Optimized Audit Process
Improving the efficiency of your people and the overall integrity of the audit process is essential. SAP Audit Management provides continuity and automation of previously fragmented and manual IA processes, reducing the risk of human error. It also boasts a better user experience with an intuitive interface, interactive screens, and easy audit report generation. With a better user experience, members of the IA team can become more efficient and effective.
Technology Enables Process Improvement
SAP Audit Management can help improve your IA functions, but you also need to look beyond the technology. Perform a current-state diagnostic of your processes and develop a business case, taking into account your long-term vision and objectives. Then consider GRC broadly, focusing not just on IA process optimization and resource management, but also on integration with other areas. Doing so will enable you to leverage the technology’s potential to its fullest, helping the organization improve its risk management practices and the IA function meet its goals and objectives. Learn more at www.ey.com/US/en/Services/Advisory.
Shola Oguntunde, Senior Manager, EY
James Chiu, Director, GRC Solution Management, SAP
Kush Sharma, Manager, Security Transformation, Accenture
Security concerns can seem daunting to any enterprise. With new threats always on the horizon, and business models that place a high value on networks and connectivity, traditional ways of assessing and analyzing risk are giving way to new models that focus on governance, risk, and compliance (GRC) as a comprehensive, end-to-end enterprise platform. The stakes are too high to rely on localized security measures that may have sufficed in the past, as companies are more globally focused than ever before. This global focus requires an integrated approach to get visibility into all types of threats. Only then will an organization have the ability to detect and ultimately predict critical events as well as prepare for and execute a response.
Organizations that run SAP solutions for GRC have a strong foundation for mitigating enterprise risk, but they also need to be vigilant outside of their existing technology. One key challenge for a global enterprise, for example, is to customize a solution to adhere to regulations at a regional level, which often vary greatly from region to region. With vast experience working with SAP customers, Accenture has learned the nuances of SAP solutions for GRC and how to apply this knowledge within an organization’s specific environment.
It is important to build a consensus from various stakeholders for how SAP solutions for GRC will be used to support the business. Leaders and solution owners must come to a shared view on how compliance, integration, authentication, and access management will mesh to support a holistic enterprise platform.
Think Process, Not Technology
In our experience helping global multinationals develop and design security strategies, we find an approach that puts people and process ahead of technology is one that best leads to long-term success. With this in mind, we approach SAP solutions for GRC implementations with the understanding that other pieces can assist these solutions in creating a holistic, end-to-end security framework that supports the entire business.
One interesting piece of the puzzle is the trend of more organizations turning to the cloud to host business applications. This opens an entirely new set of security concerns, and we find that many SAP customers are looking to refresh their entire security strategy. They can tackle security not through the standard approach at the application layer, but instead by adopting a broader approach that takes an integrated, enterprise view of security through all layers, including the network, operating systems, databases, and, most importantly, the business applications themselves, given how many users access SAP systems. Because of increased use of the cloud, security needs to be addressed not just internally but externally, covering data as it traverses the internet along with the access management mechanisms and data protection controls needed to secure it.
Creating this new enterprise security architecture is only half the battle. Managing and maintaining a world-class architecture demands world-class resources, and many organizations turn to Accenture’s managed security solutions to help manage growing complexity. And with mergers and acquisitions on the rise, Accenture’s team of SAP security specialists can help ensure a successful transition while meeting the requirements of two organizations.
Staying on the Leading Edge
SAP customers are making heavy investments in effective security and risk management measures. Accenture is committed to protecting this investment by staying on the leading edge in the strategy, integration, design, delivery, and management of the modern GRC platform. At the Accenture Security Labs in Virginia, an entire team is dedicated to research, development, and innovation to ensure a company’s security response is always one step ahead of the latest threat on the horizon. Accenture’s approach is aligned with what our clients and the market are asking for — a partner that helps solve business issues in an integrated way, with digital pervasive in everything we do. For more information, visit www.accenture.com/us-en/Pages/insight-cyber-security-research-report.aspx.
Process Before Technology
Effective GRC Strategies Begin with Business Alignment
Nazam Jamal, Infrastructure and Security Transformation, Accenture
7 Strategies for Preparing Your SAP Systems for Audits
Brian Shannon, Chief Strategy Officer, Dolphin Enterprise Solutions Corporation
The word “audit” often carries with it a sense of dread and foreboding. This may be because many companies are ill equipped to handle the amount of work required to prepare for fiscal, regulatory, and compliance audits such as payment card industry (PCI) and personally identifiable information (PII) audits. With the right preparation and tools, however, you can be confident that your audits will run smoothly.
Prepare Your SAP Systems for Audits
Let’s take a look at seven strategies that make it easier for organizations running SAP systems to prepare for audits.
1. Start with an Information Lifecycle Management Strategy
Align the organization’s retention policies and audit requirements with what will be needed to support them — operational changes, new technology, or a combination of both. Start with an information lifecycle management strategy to ensure that information is managed correctly over time and across the entire SAP system landscape. Remember that retention policies are essential to any audit.
2. Consider the Effects of Global Audit Requirements
Businesses with global operations must consider the effects of global audit requirements before investing in specific solutions or changing procedures. Regulations can change frequently, and some countries such as France, Luxembourg, and Brazil have especially stringent compliance requirements. Invest in flexible tools that can generate the right information in the right format at the right time.
3. Don’t Forget About Data Extraction
Ask any auditor, finance team member, or IT service provider — extracting data for audits can be a lengthy and difficult process. Think about how data will be extracted in the event of an audit and look for ways to leverage the built-in capabilities and specialized solutions that are available in your SAP landscape to ensure your organization will be able to respond quickly and easily to any audit request.
4. Adopt the Latest SAP Technologies for Audits
Even if you have SAP solutions for governance, risk, and compliance (SAP solutions for GRC) in place, you must implement the latest release to have access to the most up-to-date features for controlling risk, preventing fraud, and implementing stronger process controls. Don’t forget to consider how these new capabilities will affect data growth and data extraction.
5. Optimize Audit-Related Tasks
Due to the perceived infrequency of audits, many organizations do not optimize audit-related tasks or toolsets. However, these tools can enable quicker audit response times and reduce fines, penalties, and the overall cost of audits. Wherever possible, build audit requirements directly into process optimization efforts to minimize duplication of efforts and allow auditors to be self-sufficient.
6. Calculate the ROI of Audit Compliance
Once the proper audit controls are in place, it is important to calculate the return on investment (ROI) of audit compliance. To ensure adequate funding and support for compliance at the highest levels of the organization, assign values to fraud prevention, data privacy and protection, and more secure processes.
7. Lower the Cost of Long-Term Data Storage
Data retention periods can vary depending on the type of data and the applicable regulations. Health, academic, and other personal data must be kept for much longer periods than financial data, for example. Consider using data archiving and cloud storage to lower the cost of long-term data storage.
Learn More
For more information on preparing your SAP systems for audits, visit www.dolphin-corp.com.
Secure, Vigilant, Resilient
How Companies Can Keep Pace with the Evolving Threats of Modern Business
Jeff Lucy, Director, Deloitte & Touche LLP
Bill Smith, Senior Manager, Deloitte & Touche LLP
Despite heightened attention and an unprecedented level of security investment from organizations, the number of cyber incidents and their associated costs continue to rise. Increasingly sophisticated hackers cause some to question whether security is even possible in today’s rapidly evolving landscape of cyberattacks.
The very innovations that drive business growth and value — such as the proliferation of sensitive data and the mobile access that employees often have to it — create cyber risks that, if not checked, can outweigh the business benefits the organization is seeking. To stay secure, vigilant, and resilient in a rapidly evolving landscape of cyber threats, companies need to identify the top risks they face and develop a sound cyber risk program that includes software such as SAP solutions for governance, risk, and compliance (SAP solutions for GRC).
Secure
Traditional security controls, preventive measures, and compliance initiatives tend to consume the majority of companies’ investments in cyber risk management, and this investment will either need to continue at current levels or increase. Companies should build a business-centric access and data protection program that appropriately balances the needs for speed, scalability, and sustainability.
SAP Access Control can help companies under-
stand areas of sensitive data access, enable stronger
access controls for areas of high sensitivity, and provide
additional approval controls. SAP Process Control
can help a company manage and monitor its con-
trols environment, specifically internal controls that
handle areas of sensitive access as well as recertification
of controls. SAP Regulation Management by Greenlight,
combined with public information sources, can provide
companies with insights around what is required to be
properly secured to enhance their security profile.
Vigilant
Efforts to be vigilant start with a solid picture of what a company needs to defend against. Knowing a company’s specific business risks as well as the larger threat landscape within its industry is an important starting point. Effective cyber vigilance requires robust monitoring of infrastructure, applications, and users.

SAP Fraud Management and SAP Access Violation Management by Greenlight can detect anomalous business transactions embedded in mass amounts of activity that could indicate a potential compromise of a user’s credentials or access abuse. SAP Regulation Management by Greenlight can consolidate inputs across the technology landscape to provide consolidated perspectives on the overall vigilant posture of the organization.
Resilient
Technology teams handle many day-to-day, routine security events, but some incidents may become serious business crises. Being resilient means having the capacity, at a moment’s notice, to contain the damage and mobilize the diverse resources needed to decrease its impact, including direct costs and business disruption as well as reputation and brand damage.

SAP solutions for GRC help companies manage and expand their existing crisis management programs. With SAP Risk Management, companies can manage areas of potential impact and gain insight into risk exposure. Companies can assign hard-dollar figures to areas of risk, allowing them to better quantify the potential impact.

Learn More
To learn how Deloitte is helping organizations strengthen their cyber risk programs by incorporating the capabilities of SAP solutions for GRC, visit www.deloitte.com/sap or email us at jlucy@deloitte.com or billsmith@deloitte.com.

This publication contains general information only and is not a substitute for professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.
Compliance Beyond IT
Integrate Business Processes into Your GRC Strategy to Discover Long-Term Value
Francine Ferguson, Practice Director, ultimumIT

Many companies implement SAP solutions for governance, risk, and compliance (SAP solutions for GRC); turn on different aspects of SAP Access Control, SAP Process Control, and SAP Risk Management; and consider the job done. They may be able to, for example, check segregation of duties (SoD) violations against user access, require IT users to check out FireFighter IDs, and have a few controls established and monitored in real time via continuous control monitoring. Technically, the solutions are installed and working — but are they really providing maximum return on the company’s investment?

For continuous, long-term success, companies need to better connect their GRC solutions with their integral, enterprise-wide business processes. Without this approach, companies may face redundant, costly audit efforts; uncoordinated, inconsistent processes among different departments; and insufficient visibility into risks.

Daily Compliance Is Key
To truly capture the value of SAP solutions for GRC, companies should extend the functionality to the business and incorporate the processes into daily tasks. This is how businesses can achieve continuous compliance — by making compliance part of a company’s daily operations through constant diligence and improvement. By continuously reviewing the effectiveness of compliance activities, companies can ensure their compliance activities and business processes are truly integrated and aligned.

For example, consider how compliance can help reduce the time it takes to identify and mitigate SoD issues. When an issue arises that causes an SoD violation to occur, you can use SAP Access Control to quickly mitigate and even systematically point to the correct mitigating control. By maintaining continuous compliance, you can be sure that the mitigating control is appropriate and effective to mitigate the violation. This can save time and effort, eliminate manual errors, and ensure consistency throughout the organization.
Going Beyond the Initial Implementation
This is where ultimumIT differentiates itself: Through our robust technical implementation experience, and our governance and compliance expertise, we have established a proven methodology and approach. For example, to help organizations further hone and increase their return on investment with SAP solutions for GRC, ultimumIT has developed the following bolt-on utilities:
■ uAssist: Streamlines reporting and provides continuous compliance alerts by combining repetitive, hard-to-generate reports in a central location and providing email notifications upon termination of SAP Access Control approvers.
■ uChangeAC: Reduces the administrative overhead of SAP Access Control by allowing you to mass-replace all of the different owners in SAP Access Control (FireFighter owner, role owner, mitigation monitor, for example) from a single screen in minutes.
■ uLicense: Simplifies and automates SAP licensing processes by centralizing your SAP license reports into a single screen, identifying discrepancies within license assignments, and providing the ability to mass-change or update licenses in multiple systems.

ultimumIT offers services and tools that not only focus on the initial successful implementation of SAP solutions for GRC, but also help provide a vision for their future use, support, and scalability. It is not merely a technical implementation, but an important piece of a long-term roadmap for how IT and the business will work together to report, govern, and control one of the company’s largest capital investments and expenses — its ERP solution.

Learn More
For more information, visit www.ultimumIT.com or contact us at info@ultimumit.com.
9 Ways to Jumpstart License Compliance and Minimize Risk in Your SAP Landscape
Stephen DuBravac, Executive Vice President, Security Weaver

To optimize their SAP investments, organizations need to understand the licensing requirements for their SAP solutions, and how to ensure appropriate licensing and minimize risk. Minimizing licensing risks involves optimizing direct, indirect, and package licenses. In addition to using standard transactions USMM and SLAW, organizations seeking further assurance on compliance and optimal returns on SAP investments often complement these standard transactions with additional tools. In addition to these tools, organizations should adopt best practices focused on improving direct license allocations.

Optimizing SAP License Compliance
Below are nine ways to jumpstart managing licensing compliance for your SAP software.
1. Ensure License Ratios Sound Right
Ratios for named categories (for example, developer or full professional) for your deployed SAP licenses should make sense given your organization’s business model and employee count. When these ratios seem off, use that as a guide to locate suboptimal license allocations.

2. Combine Access Cost Management with Access Risk Management
This takes work out of the system, allows managers to make better decisions during approval and recertification activities, and enables administrators to simultaneously manage access risk and license compliance during role design and development tasks.

3. Make License Reviews Part of Business Planning
Using “what-if” simulations and trend analysis during business planning helps administrators understand how and when a growing employee population will impact licensing requirements. Simulations also enable administrators to understand how changes will affect license consumption, requirements, and costs.

4. Continuously Audit Your SAP Software Licenses
Software license audits are on the rise, and performing these audits can be disruptive to staff and budgets. Having familiar tools and processes in place that run continuously and are integrated with ongoing operations dramatically reduces disruptions.

5. Use a Ruleset for Assignments
Codifying rules for assigning named license categories eliminates confusion on why license types are assigned and reduces the costs of ongoing license management.

6. Understand Usage Data
Detailed user transaction histories showing which transactions were used, and when, enable administrators to determine if allocation rules are well defined.

7. Integrate License Management with Role Management
Role design and maintenance are often the root cause behind expensive, improperly allocated licenses. When license management and role management are integrated, administrators understand the cost effects of unused, poorly designed roles.

8. Enforce Policies and Controls for Inactive and Duplicate Users
Inactive and duplicate users are two common drivers for overspending on licenses. Controls can identify and remove these users to ensure that entitlements are only assigned to valid users, to avoid overpayments, and to free staff from tedious work.
9. Change the Frame from License Compliance to License Optimization
Investments in SAP software are intended to help people be more productive. Enterprises may be compliant, but still may overspend on license and maintenance fees because people have too much or too little access or are insufficiently trained. A license optimization mindset means organizations do more than count licenses — they review usage patterns and role assignments and seek to optimize their SAP investments.

Learn More
To learn more about additional ways to jumpstart license compliance in your SAP landscape, visit us at www.securityweaver.com.
No Reward Without Risk
3 Steps to Building a Risk-Aware Organization
Marsha Reppy, Americas SAP Controls, Security, and GRC Leader, EY
Daniel Prior, Senior Manager, EY

Operating a business requires taking risks. Organizations that identify and manage these risks well are positioned to grow and remain successful. To see how well organizations are performing in their risk management efforts, EY conducted a governance, risk, and compliance (GRC) survey of 1,196 participants around the globe and across industries.

We focused on an array of topics, including risk strategy, coordination of functions, internal audit, and technology, to gain a better understanding of how well organizations are managing risk today. Results showed that while organizations are making progress, further opportunities exist to improve the way that they identify, manage, and respond to risk.

A Comprehensive Approach
The results of the survey indicate that organizations are looking for a more comprehensive, coordinated, and innovative approach to enable them to successfully manage the opportunities and the hardships presented by risk. This requires transforming the way the organization views and capitalizes on risk — we call this building a risk-aware organization. With the knowledge that risks are a never-ending challenge and new risks will be encountered every day, companies can take a three-step approach to risk management.

Step 1: Advance Strategic Thinking
Challenge the way the organization categorizes, manages, and responds to risk by considering it in the context of business decisions and designing risk response plans to appropriately manage identified risks.

Nearly all organizations (97%) indicated that they have made progress in linking their risk management objectives and business objectives, but only 16% consider themselves to be closely linked today. While 66% of organizations indicated that risk management has limited involvement in business decision making, 90% expect to be directly involved or provide inputs within the next three years.

Step 2: Optimize Functions and Processes
Focus on what the organization is doing to optimally align functions by allocating talent and designing risk management processes to efficiently and effectively execute risk response plans across each of the lines of defense. Among respondents, 21% indicated that risk activities are well coordinated today, whereas 67% indicated that they expect risk activities to be well coordinated within three years.

Step 3: Embed Solutions
It’s important to integrate sustainable solutions throughout the organization to prevent, balance, and limit risk. This remains a significant opportunity as 46% of respondents indicated that they do not leverage GRC technology, such as SAP solutions for GRC, limiting their ability to continuously identify and monitor risks in an integrated fashion across their organization, with only 23% evaluating and adjusting their risk profile on a periodic basis.

For More Information
For the full results of the survey and our other thought leadership reports, visit www.ey.com/GRCsurvey2015. For more information on our risk services, including those focused on SAP controls, security, and GRC, email marsha.reppy@ey.com.
Increased External Audit Scrutiny Puts Spotlight on Access Controls
Jody Paterson, CEO, ERP Maestro

Controlling access to your business environment is fundamental to the security and regulatory compliance of your organization, and maintaining the necessary levels of control requires frequent reviews of who is accessing what in your systems. While external auditors have always discouraged manual approaches to managing access control reviews, 70% of companies manually monitor access controls in their ERP system, including segregation of duties (SoD), emergency access, and provisioning.[1]

Why do so many organizations choose a manual approach over using an automated solution despite the advantages of automation, such as accuracy, completeness, and continuous auditing? It is not due to a lack of awareness of the value automated tools bring, but rather the perceived high cost and complex implementation project that is involved.

While organizations have been able to get by using ad hoc field tools to manually spot-analyze their environments, external auditors are changing how they evaluate access controls. This means that organizations can no longer continue to manage controls this way and still remain compliant going forward.
What Changed?
This shift is directly influenced by the updated COSO 2013 framework for internal management controls, which is being incorporated into access control audits.[2] The updates to the framework focus on an increased reliance on IT in general, with a particular focus on completeness and accuracy of controls, including access controls.

As a result, external audit firms are reporting that the Public Corporation Accounting Oversight Board (PCAOB) is increasing pressure on them to prove their control effectiveness.[3] With tougher audits that incorporate higher expectations for controls over processes and technology, organizations will find it more difficult to demonstrate that a manual approach — exporting large datasets and running them through numerous custom queries using homegrown spreadsheets and databases — is actually complete and accurate.

[1] Gartner, “Market Guide for SoD Controls Monitoring Tools” (April 2015; www.gartner.com/doc/3039718/market-guide-sod-controls-monitoring).
[2] See www.coso.org/IC.htm.
[3] Wall Street Journal, “Fees Rise as Internal Controls Draw Auditor Focus” (May 2015; http://blogs.wsj.com/cfo/2015/05/19/fees-rise-as-internal-controls-draw-auditor-focus).
How Can Organizations Adapt?
Automated solutions can improve organizations’ ability to monitor access controls with the completeness and accuracy auditors require. However, many solutions can involve long, costly implementations that organizations simply can’t afford as 2015 audits rapidly approach.

ERP Maestro addresses the need for completeness and accuracy and can be implemented in time for 2015 audits. It is a quick and simple cloud-based solution that automates SoD, sensitive access, emergency access, and secure provisioning in SAP environments. Because it’s a software-as-a-service (SaaS) solution, it can be deployed and fully configured in 30 minutes, and flexible subscription pricing makes it easy to fit into any budget. The solution monitors all transactions in SAP systems for conflicts down to the authorization level and features a selection of audit-ready reports out of the box that follow best-practice reporting standards.

Beyond Automation
Although ERP Maestro can help organizations automate access controls quickly to reach compliance in the 2015 audit year, a fully mature governance, risk, and compliance (GRC) program is a journey of steps. As organizations’ GRC capabilities mature, they may require the functionality of SAP solutions for GRC — such as SAP Access Control, SAP Process Control, and SAP Risk Management — to build a comprehensive framework of controls for their environment. ERP Maestro supports this journey by complementing SAP solutions for GRC with transaction monitoring and advanced reporting features.

ERP Maestro is available for a free two-week trial to help organizations assess whether it can meet their access control automation needs. To learn more, visit www.erpmaestro.com.
What Risks Are Hiding in Your SAP Landscape?
Conduct a System Assessment to Uncover Issues Before They Become Trouble
Steve Biskie, Managing Director, High Water Advisors

Are you confident that your SAP system and related processes are working as intended? Is this confidence based on opinion, or is it backed by fact? Perhaps your talented SAP security team has been able to meet all of your security needs with standard SAP functionality, so you haven’t bothered to implement SAP Access Control. Your auditors rely on your manual testing procedures for compliance, so you haven’t implemented SAP Process Control. Your business users have no significant complaints, and you haven’t had a major process breakdown in several years.

These are achievements to be proud of, but they may not mean all is working as intended. Others in your position have also felt confident — until they were hit by fraud, process breakdown, or system failure resulting in public embarrassment, regulatory fines, and potentially even the loss of their job.

This fate can be avoided. An independent, in-depth SAP system assessment can help uncover issues that may be hidden from view by internal teams that are too close to the processes to be objective.

Hidden Issues in Systems
High Water Advisors regularly performs client system assessments to find these types of problems. Many organizations that we review have one key thing in common: They don’t believe they have an issue (often adamantly so). But we’ve found unexpected issues such as the following:
■ Missing information: A standard report being relied upon for monitoring a key risk area was incompletely reporting results, preventing visibility into several significant risks that not only had serious compliance implications, but had actually been exploited.
■ Overzealous contractors: A few external contractors had been giving themselves super-user privileges that had not been authorized, and were also using SAP default IDs (that should have been disabled) to perform critical business functions, unbeknownst to those in charge.
■ Misplaced trust: Poor SAP NetWeaver configuration could have allowed any person connected to the client’s network to gain administrative privileges on a system administered and hosted by a well-respected third party.
■ Generous relationships: Millions of dollars in unapplied credit memos, some of which were years old, were located. However, those same vendors were actively being paid from accounts payable (AP).
■ Configuration confusion: Incorrectly configured payment tolerances resulted in quick payment of invoices when a vendor had overcharged. However, there was no ability to recognize an invoice difference that worked in the client’s favor.
■ Potential fraud: Someone used an unmonitored back door to directly edit purchase orders at the table level.

Misplaced Comfort
These issues were not just present in one or two clients — they were widespread. This lack of knowledge of risks affecting the business is exactly why organizations should be looking to SAP solutions for governance, risk, and compliance (SAP solutions for GRC). Maybe you are in an organization that is not using SAP Access Control because you don’t think you have a security problem or you don’t have SAP Process Control because your control monitoring seems to be working fine without it. Perhaps you haven’t implemented SAP Fraud Management because you have good people. There may still be problems lurking beneath the surface that you can’t spot without focused attention.

If you want to know for sure if you need to add more robust GRC solutions to your landscape, consider an assessment by an independent expert. This review is not the same as a financial statement audit and it doesn’t need to be painful — it can be as short as a few hours or as long as a few days depending on the complexity of your SAP landscape. You will likely uncover issues that will make you glad you checked. For more information, visit www.highwateradvisors.com/content/sap-grc.
Unlocking the Cyber Security Toolkit in SAP Solution Manager
How to Implement Advanced Security Monitoring Without Third-Party Software
Aman Dhillon, SAP Security Architect, Layer Seven Security

The fear and anxiety driven by the wave of cyber attacks in recent years has led many companies to bolster their security programs. It’s also led to a stream of software solutions from third-party developers offering to solve customers’ cyber security challenges. You may have heard the sales spin, watched the demos, and even considered the proposals. But before you launch the purchase order, ask yourself: Is there an alternative? What if the tools you need to secure your SAP systems were available to you at this very moment?

The Cyber Security Toolkit in SAP Solution Manager
SAP has equipped customers with a variety of tools to protect against even the most advanced forms of cyber threats. The tools are available in SAP Solution Manager and are displayed in Figure 1. They include:
1. Configuration validation: Implement automated vulnerability checks across your entire landscape
2. System recommendations: Detect security-relevant patch day and support package notes
3. Change analysis: Analyze the root cause of changes in your managed systems
4. End-to-end (E2E) alerting: Investigate email and SMS alerts for critical security events
5. Security dashboards: Monitor the health of your systems in near real time

FIGURE 1: SAP Solution Manager provides the essential tools you need to protect your SAP landscape against cyber attacks

Other than following standard SAP Solution Manager setup procedures, including those related to technical monitoring, there are no prerequisites for using any of these tools. What’s more, since you’re leveraging standard SAP components, there’s no need to license third-party software. You can redeploy the dollars earmarked for security tools to more urgent needs, such as hiring more resources for security teams.

In addition, SAP Solution Manager provides the scalability to grow from 20 systems to 200 without worrying about sizing or licensing issues. You also have the ability to build custom security checks using fully transparent rules, enabling you to tune rules for each system, environment, or any other variable.

SAP Solution Manager also allows you to secure access to security-related information using the SAP authorization concept. This removes the concern about the proliferation of sensitive data to systems outside the SAP landscape. Finally, you benefit from the availability of detailed drill-down reports from SAP Business Warehouse, support and maintenance directly from SAP, and the reassurance of knowing you’re following an approach recommended by SAP.[1]

Learn More
Layer Seven Security enables organizations to unlock the value of SAP Solution Manager and realize the potential of SAP systems. We leverage the diagnostics infrastructure in SAP Solution Manager to build comprehensive and cost-effective vulnerability management programs. Learn more at www.layersevensecurity.com/solutions or email me at adhillon@layersevensecurity.com.

[1] For more on using SAP Solution Manager for security purposes, see page 19 of SAP’s “Secure Configuration of SAP NetWeaver Application Server Using ABAP” (January 2012; http://bit.ly/1GT2zKu) and page 33 of “Securing Remote Function Calls” (December 2014; http://bit.ly/1K0WXih).
Quantify the Impact of Segregation of Duties on Your Business
Measuring the Financial Exposure of Your Controls Environment
Susan Stapleton, VP Customer Advisory, Greenlight Technologies

Companies are at varying stages of segregation of duties (SoD) management. Some still manually analyze risk with rudimentary methods, while others have moved to solutions such as SAP Access Control to automate their SoD analysis and implement preventive checks during their user and role maintenance processes.

Regardless of where companies are in their SoD journey, the last mile is almost always the same. Eradicating all SoD violations is nearly impossible and in many cases doing so hinders business productivity. Where SoD violations cannot be removed, businesses put controls in place to mitigate risks. However, these controls are often manual and hastily implemented, which can prevent risks from being reported, and results in a time-consuming, tedious process that adds little to no value to the business.

The driver behind requiring SoD — as well as other internal controls, for that matter — is to protect the business from fraud, but manual, ineffective controls are not reliable. A compelling way not only to protect but also to engage your business is to expose SoD risk in terms that the business can clearly understand: dollar values.
Measure Your Financial Exposure from SoD
Greenlight and SAP offer a solution that helps quantify the financial impact that SoD can have on your business. The SAP Access Violation Management application by Greenlight continuously monitors SAP and non-SAP systems to identify SoD conflicts and expose violations by user, business process, and risk (see Figure 1). You can identify your highest areas of exposure and determine a clear path to course correct.

Perhaps most important, you finally have transparency into your financial exposure based on unresolved access violations, which can drive organizational change where the level of exposure may be too great, or uncover areas of internal fraud or loss of revenue due to employee error.
Automate Mitigating Controls with Exception-Based SoD Monitoring
SAP Access Violation Management provides exception-based monitoring, alerting control owners only when an actual violation has occurred. This approach reduces — and in some cases, eliminates — the manual controls that too many companies use to mitigate SoD.

This approach also provides more comprehensive controls coverage by enabling the analysis of business transactions and user activities across business applications, allowing a census-based approach that is more complete than a sample-testing approach and gives management greater confidence in the overall process.
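The distinction this section (and the earlier ultimumIT and ERP Maestro pieces) rests on is between a user who merely holds two conflicting functions and one who has actually executed both sides of the conflict. The Python below is an added, constructed illustration of that exception-based check with a dollar exposure per risk; it is not Greenlight's or SAP's code, and the ruleset, the grouping of transaction codes into functions, the user assignments and the log lines are all invented sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed SoD ruleset: risk id -> two business functions that must not
# be performed by the same person.
SOD_RULES = {
    "P001": ("VENDOR_MAINTAIN", "VENDOR_PAYMENT"),
    "P002": ("PO_CREATE", "GOODS_RECEIPT"),
}

# Business function -> transaction codes that realise it. FK01/FK02, F110,
# ME21N and MIGO are standard SAP transaction codes; grouping them into
# functions this way is a simplified, constructed mapping.
FUNCTION_TCODES = {
    "VENDOR_MAINTAIN": {"FK01", "FK02"},
    "VENDOR_PAYMENT": {"F110"},
    "PO_CREATE": {"ME21N"},
    "GOODS_RECEIPT": {"MIGO"},
}
TCODE_FUNCTION = {t: f for f, tcodes in FUNCTION_TCODES.items() for t in tcodes}


@dataclass(frozen=True)
class LogEntry:
    """One line of transaction activity (constructed sample data)."""
    user: str
    tcode: str
    doc_key: str   # business object touched: vendor number, PO number, ...
    amount: float  # document value in company currency, 0.0 if none


# Functions each user holds through role assignment (constructed).
USER_FUNCTIONS = {
    "ALICE": {"VENDOR_MAINTAIN", "VENDOR_PAYMENT"},  # holds risk P001
    "BOB": {"PO_CREATE", "GOODS_RECEIPT"},           # holds risk P002
    "CAROL": {"VENDOR_PAYMENT", "GOODS_RECEIPT"},    # no conflict
}

# Constructed activity log.
LOG = [
    LogEntry("ALICE", "FK01", "V-1001", 0.0),      # Alice creates vendor V-1001
    LogEntry("ALICE", "F110", "V-1001", 48250.0),  # ...and pays it: violation
    LogEntry("ALICE", "F110", "V-2002", 9900.0),   # vendor set up by someone else
    LogEntry("BOB", "ME21N", "PO-77", 12000.0),    # Bob creates a PO...
    LogEntry("CAROL", "MIGO", "PO-77", 12000.0),   # ...but Carol receives the goods
    LogEntry("CAROL", "F110", "V-2002", 500.0),
]


def assignment_conflicts(user_functions):
    """Assignment-level view: {user: [risk ids]} for users holding both
    functions of a rule. Bob appears here although he never exploited it."""
    conflicts = {}
    for user, funcs in user_functions.items():
        hits = [rid for rid, (a, b) in SOD_RULES.items()
                if a in funcs and b in funcs]
        if hits:
            conflicts[user] = hits
    return conflicts


def actual_violations(log):
    """Exception-based view over executed transactions.

    A violation is reported only when one user performed transactions on
    both sides of a rule against the same business object. Exposure is the
    largest document value seen on that object, so a PO that appears on
    both sides is not counted twice.
    Returns sorted (risk_id, user, doc_key, exposure) tuples.
    """
    executed = defaultdict(set)
    value = defaultdict(float)
    for entry in log:
        func = TCODE_FUNCTION.get(entry.tcode)
        if func is None:
            continue  # transaction outside the ruleset's scope
        key = (entry.user, entry.doc_key)
        executed[key].add(func)
        value[key] = max(value[key], entry.amount)
    violations = []
    for (user, doc), funcs in executed.items():
        for rid, (a, b) in SOD_RULES.items():
            if a in funcs and b in funcs:
                violations.append((rid, user, doc, value[(user, doc)]))
    return sorted(violations)


def exposure_by_risk(violations):
    """Sum the exposure of actual violations per risk id -> {risk: total}."""
    totals = defaultdict(float)
    for rid, _user, _doc, amount in violations:
        totals[rid] += amount
    return dict(totals)


if __name__ == "__main__":
    print("hold a conflict  :", assignment_conflicts(USER_FUNCTIONS))
    print("actual violations:", actual_violations(LOG))
    print("exposure by risk :", exposure_by_risk(actual_violations(LOG)))
```

Run as-is, only Alice is alerted on (she created and paid vendor V-1001), while Bob's held-but-unexercised conflict stays a candidate for role clean-up rather than an alert, and the exposure for risk P001 is the 48,250.00 she paid.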
Solutions That Scale
SAP and Greenlight solutions enable your organization to take a true enterprise approach to governing access. With more businesses investing in best-of-breed solutions and making the move to the cloud, Greenlight’s advanced integration platform ensures that you can scale as your business changes and grows. Greenlight’s ability to integrate with and correlate data across multiple business applications, coupled with powerful analytics aimed at business users, delivers enterprise visibility of risk exposure and regulatory compliance from a single platform. Learn more at www.greenlightcorp.com.

FIGURE 1: SAP Access Violation Management by Greenlight allows you to monitor access violations and assign real dollar values to them