ISACA After Hours Seminar, January 31, 2012

Making Continuous Monitoring and Continuous Auditing Work with SAP GRC

Gerhard Wasnick, Riscomp GmbH

Table of Contents

- Getting started, terms and objectives
- Frameworks, compliance requirements
- The SAP GRC tool, mapping
- Implementation of Continuous Audit (CA) or Continuous Monitoring (CM) scenarios
- Example 1 CA: SAP Basis system parameter
- Example 2 CM: SAP chart of accounts master data
- Other examples
- Lessons learned, Q&A

© Riscomp GmbH / Page 2

Objectives

- Provide a glimpse of the current possibilities to automate controls or perform automated monitoring
- Show the continuous audit (CA) and continuous monitoring (CM) scenarios, working live in the system

Out of scope:

- Complete overview of SAP GRC functions

What is continuous auditing / continuous monitoring?

Continuous auditing is the independent application of automated tools to provide assurance on financial, compliance, strategic and operational data within a company. … The «continuous» aspect of continuous auditing and reporting refers to real-time.

Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organization's financial and operational environment. … Through continuous monitoring of the operations and controls, weak or poorly designed or implemented controls can be corrected or replaced, … enhancing the organization's operational risk profile.

Technical Implementation

Automatic control is the application of concepts derived from the research area of modern control theory. Automatic control is also a technology for the application of control strategies. …

Legal Requirements

- Switzerland: OR 728a, Swiss Code of Obligations; data protection legislation
- Europe: 7th directive of the European Union, transposed into local law such as BilMoG in Germany
- USA: Sarbanes-Oxley Act of 2002, Section 404
- Japan: Japan's Financial Instruments and Exchange Law (J-SOX)

Important Standards

- ISO 27000 ff.: ISO 27001, ISO 27002, ISO 27003 ISMS, ISO 27035 IT security event detection
- ISO 20000 / ITIL
- COBIT: PO 4.1 Define Processes; PO 4.11 Segregation of Duties; PO 6.3 IT Policy Management; PO 9 Assess and Manage IT Risks; AI 2.5 Configuring Application Software; DS5 System Security; ME 2.4 Control Self Assessment; AC 6 Transaction Authentication & Integrity

SAP Governance, Risk and Compliance (GRC)

Mapping of Standards and GRC Functionality

The same standards are mapped onto the GRC functionality:

- ISO 27003 ISMS
- ISO 27035 IT security event detection
- ISO 20000 / ITIL
- COBIT: (1) DS5 System Security; PO 4.1 Define Processes; AI 2.5 Configuring Application Software; PO 6.3 IT Policy Management; PO 9 Assess and Manage IT Risks; ME 2.4 Control Self Assessment; PO 4.11 Segregation of Duties; AC 6 Transaction Authentication & Integrity

Implementation of CA / CM Scenarios

Risk based approach for continuous audit

- Risk & control identification
- Implementation feasibility check
- Benefit valuation (qualitative)
- Implementation, test and go-live

Cost-benefit based approach for CM and efficient internal control systems

- Stock take of control effort
- Estimation of savings
- Estimation of feasibility & effort
- Automation TOP 10 list
- Implementation and test

Automated Control and Monitoring Process Flow

Rule sources: custom programs; delivered rules, queries and reports; configurable rules.

Business areas covered: FIN, O2C, P2P, HR, IT, Fixed Assets.

Control types: transaction controls, configuration controls, master data controls.

Process steps:

- Define data source and business rules
- Map to controls
- Test or monitor
- Report, analyze & remediate

Outputs: Xcelsius dashboards and analytics, Crystal Reports, auditability, root cause analysis, workflows.

© SAP 2011

CA/CM Objectives of the Examples

Objective of the CA scenarios: perform the audit or control action automatically and inform users.

Set-up of the examples: the SAP ERP system supplies the data (application, customizing, Basis parameters); the SAP GRC system runs CA/CM Scenario 1 and CA/CM Scenario 2 against it and informs the users.

Example 1: ISO 27003 / COBIT DS5 System Security

Background: System security is driven by SAP system parameters defining the minimum length of passwords, the maximum number of log-in attempts etc.

Risk: Hostile takeover of user accounts and unauthorized access.

Procedures:

ITGC control execution: Start the report «RSPARAM» and check that the parameter «login/min_password_lng» is set according to the standard. Document the result. RSPARAM lists the user-defined value next to the kernel default, so an unset parameter has to be judged by its default; the values shown are those of the application server instance the report runs on, so where instance profiles differ each instance has to be checked.

Audit procedure: ditto.

Riscomp automated scenario: An automated scenario checks the parameter frequently. Only if the parameter falls below the threshold is an issue sent to the control owner of the ICS and/or to IT audit for audit purposes.
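As an added example, not code from the presentation and not an SAP GRC rule (Process Control rules are configured in the GRC system, not written in Python), the following sketch shows the logic of the automated scenario: parse a dump in the shape of an RSPARAM export, take the user-defined value where one is set and the kernel default otherwise, evaluate a rule set, and raise issues only for rules that fail. The parameter names are the real SAP profile parameters; the dump contents, the instance name and the thresholds are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample, NOT a real RSPARAM export. One row per parameter:
# parameter | user-defined value | system default value
# An empty user-defined value means the parameter is not set in any profile.
SAMPLE_DUMP = """\
login/min_password_lng|6|6
login/fails_to_user_lock|12|5
login/password_expiration_time||0
login/fails_to_session_end|3|3
"""


@dataclass(frozen=True)
class Rule:
    """One parameter and the condition its effective value has to satisfy."""
    parameter: str
    check: Callable[[int], bool]
    standard: str  # human-readable expectation, used in the issue text


# Hypothetical internal standard: the thresholds are assumptions for this
# example, not values taken from the presentation.
RULES = [
    Rule("login/min_password_lng", lambda v: v >= 8, ">= 8"),
    Rule("login/fails_to_user_lock", lambda v: 1 <= v <= 5, "between 1 and 5"),
    Rule("login/password_expiration_time", lambda v: 1 <= v <= 90, "between 1 and 90 days"),
]


def parse_dump(text: str) -> Dict[str, int]:
    """Effective value per parameter: the user-defined value if one is set,
    otherwise the kernel default (a default that is too weak is still a finding)."""
    effective: Dict[str, int] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, user_value, default = (field.strip() for field in line.split("|"))
        effective[name] = int(user_value if user_value else default)
    return effective


def evaluate(dump: str, rules: List[Rule] = RULES) -> List[str]:
    """Return one issue string per failed rule. A parameter absent from the dump
    is reported as well: a check that passes silently on missing data is no control."""
    values = parse_dump(dump)
    issues = []
    for rule in rules:
        if rule.parameter not in values:
            issues.append(f"{rule.parameter}: not found in dump")
            continue
        value = values[rule.parameter]
        if not rule.check(value):
            issues.append(f"{rule.parameter}={value} (expected {rule.standard})")
    return issues


def evaluate_instances(dumps: Dict[str, str], rules: List[Rule] = RULES) -> Dict[str, List[str]]:
    """Run the rules per application server instance and keep only instances
    with findings, so nothing is sent to the control owner when all is well."""
    findings = {}
    for instance, dump in dumps.items():
        issues = evaluate(dump, rules)
        if issues:
            findings[instance] = issues
    return findings


if __name__ == "__main__":
    # Instance name is a constructed example.
    for instance, issues in evaluate_instances({"PRD_DVEBMGS00": SAMPLE_DUMP}).items():
        for issue in issues:
            print(f"ISSUE on {instance}: {issue}")
```

Returning an empty result when every rule passes mirrors the scenario's "only if the parameter is below a threshold" behaviour; reporting a missing parameter and checking each instance separately are the two guards that keep the automated check from passing by accident.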


Example 2: COBIT AI 2.5 Configuring Application Software

Information: Systems like SAP ERP can be configured to fit a company's process and compliance needs. The configuration is stored in database tables, and the configuration values determine the compliance of an SAP system.

Technical background: G/L account master data is kept in SAP in two database tables: SKA1 (chart of accounts segment) and SKB1 (company code segment). The accounts are established initially during the system implementation. However, during the normal course of business individual accounts can be maintained, and such changes should be closely monitored.

Risk: The critical master data settings that carry a high risk for the accuracy and reliability of financial figures should be documented and monitored closely.

Procedures:

IT audit procedure: During the course of a financial audit, the configuration is checked manually.

Control execution: Frequent sampling of chart of accounts master data, or data analysis of the database tables.

Riscomp automated scenario: The GRC system checks the critical fields in the chart of accounts, like «automated postings allowed only», against defined thresholds.
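As an added example, not Riscomp's scenario and not SAP code, the following sketch shows the two checks a monitoring rule over the company code segment (SKB1) can make: a delta check of critical fields against an approved baseline, and a standing rule that named accounts stay «post automatically only». The field names XINTB, XSPEB and MITKZ are the real SKB1 columns; the account numbers, the baseline, the current snapshot and the watch list are constructed assumptions.

```python
from typing import Dict, List, Set, Tuple

# Key of a company-code segment row: (BUKRS company code, SAKNR G/L account).
Key = Tuple[str, str]
Row = Dict[str, str]

# Real SKB1 field names; which of them count as critical is the control
# owner's decision and an assumption here.
#   XINTB  post automatically only
#   XSPEB  blocked for posting
#   MITKZ  reconciliation account for account type (D customers, K vendors, A assets)
CRITICAL_FIELDS = ("XINTB", "XSPEB", "MITKZ")

# Approved baseline, constructed sample data (account numbers are illustrative).
BASELINE: Dict[Key, Row] = {
    ("1000", "0000113100"): {"XINTB": "", "XSPEB": "", "MITKZ": ""},   # bank clearing
    ("1000", "0000140000"): {"XINTB": "", "XSPEB": "", "MITKZ": "D"},  # customer reconciliation
    ("1000", "0000191100"): {"XINTB": "X", "XSPEB": "", "MITKZ": ""},  # GR/IR clearing
}

# Current snapshot, constructed: the GR/IR clearing account has lost its
# "post automatically only" flag and an account was created without approval.
CURRENT: Dict[Key, Row] = {
    ("1000", "0000113100"): {"XINTB": "", "XSPEB": "", "MITKZ": ""},
    ("1000", "0000140000"): {"XINTB": "", "XSPEB": "", "MITKZ": "D"},
    ("1000", "0000191100"): {"XINTB": "", "XSPEB": "", "MITKZ": ""},
    ("1000", "0000476000"): {"XINTB": "", "XSPEB": "", "MITKZ": ""},
}

# Accounts the control owner has declared automatic-posting-only (assumption).
AUTO_POST_ONLY: Set[Key] = {("1000", "0000191100")}


def find_deviations(baseline: Dict[Key, Row], current: Dict[Key, Row]) -> List[str]:
    """Delta check: every critical field that differs from the approved baseline
    is an issue, in either direction, and so is any account added or removed."""
    issues = []
    for key in sorted(set(baseline) | set(current)):
        label = f"{key[0]}/{key[1]}"
        if key not in current:
            issues.append(f"{label}: account missing from current snapshot")
        elif key not in baseline:
            issues.append(f"{label}: new account, not in approved baseline")
        else:
            for field in CRITICAL_FIELDS:
                old, new = baseline[key].get(field, ""), current[key].get(field, "")
                if old != new:
                    issues.append(f"{label}: {field} changed {old!r} -> {new!r}")
    return issues


def auto_post_only_violations(current: Dict[Key, Row],
                              watched: Set[Key] = AUTO_POST_ONLY) -> List[Key]:
    """Standing rule, independent of any baseline: a watched account without
    XINTB = 'X' accepts manual postings and is reported. A watched account that
    no longer exists is reported too rather than silently passing."""
    return sorted(key for key in watched if current.get(key, {}).get("XINTB") != "X")


if __name__ == "__main__":
    for issue in find_deviations(BASELINE, CURRENT):
        print("DEVIATION:", issue)
    for bukrs, saknr in auto_post_only_violations(CURRENT):
        print(f"MANUAL POSTING POSSIBLE: {bukrs}/{saknr}")
```

The delta check is what makes the scenario a monitoring control rather than a one-off audit query: the baseline is the documented state the risk statement asks for, and every run compares against it, so a flag that is removed and later restored still leaves an issue behind.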


Further CA / CM Examples

- Compliant user provisioning processes in Access Control (CM)
- Integrating SoD analysis with the internal control system (CA)
- Frequent analysis of users with developer keys (CA)
- Users with critical profiles (SAP_ALL, SAP_NEW) (CA)
- Check of manual FX rate changes (CM)
- Open posting periods per company code (CM)
- 3-way match parameter check (CM)

Lessons Learned

- Continuous monitoring and auditing works for SAP systems, including Business Warehouse
- The complexity of the scenarios can vary and needs upfront evaluation!
- Scenarios can be amended at any time, forming a flexible framework of automated scenarios
- Automated scenarios require profound GRC and ERP know-how
- SAP partners providing content help to reach the break-even point faster with content life cycle management

Questions?

Further Information

Various trainings:

- SAP standard training GRC 100, GRC 300, GRC 330, GRC 340, WDEAC1, TZPR10 or TZAC10
- Trainings with Vereon.ch
- Customized trainings

SAP Press «Handbuch SAP Revision», English edition available in Q4/2012

Presentation Riscomp GmbH

Company: RISCOMP GmbH offers services in the IT and business consulting field. Our main focus is the automation of Governance, Risk and Compliance processes. We enable our customers to establish simple, intuitive, integrated and efficient processes to handle GRC tasks.

Competence: We provide you the combination of professional expertise in RISk and COMPliance with technical implementation know-how for SAP BO GRC solutions. Our team brings more than 20 years' experience (working for Big 4 firms, running ICS, implementing SAP ERP and SAP GRC based processes).

Approach: We put all necessary views together to ensure maximized added value from a GRC implementation.

- Process: ICS, compliance & risk management processes
- Content: Framework definition, i.e. risks, controls, automated scenarios etc.
- Technology: Automation of GRC processes and integration with your ERP environment

RISCOMP GmbH

ICS processes: Best-practice processes and structures for internal control systems

- Processes to administrate the ICS (control execution confirmation, change management, …)
- Test processes (design effectiveness, self assessment, …)
- Annual ICS scoping and risk evaluation
- Policy and procedure management processes
- SAP user provisioning and role management

Automation: Design and implementation of automated control and monitoring scenarios in SAP R/3 and SAP GRC (Continuous Controls Monitoring, CCM)

Implementation: Software implementation and project management; SAP GRC software migration for Process Control 3.0 > 10 and Access Control 5.3 > 10; design and conducting of training sessions for SAP Education

ICS content: Our content for internal control systems is bundled into products

- Catalogue of manual business process controls
- Best practice repository of semi- and fully automated business process controls
- Standard catalogue of general IT controls (security, change management and operation)
- Methodology for an efficient adjustment of segregation of duties matrices to the business requirements
- Fraud pattern analysis

All products are based on acknowledged standards like COBIT, COSO or SAP AK Rev.