Sabine Schöler, Liane Will, Marc O. Schäfer

CobiT and the Sarbanes-Oxley Act

The SOX Guide for SAP Operations

Bonn, Boston


Contents

Foreword .... 9
Acknowledgements .... 11
1 Introduction .... 13
1.1 Overview of CobiT .... 13
1.2 COSO .... 18
1.3 Overview of the Sarbanes-Oxley Act .... 19
1.4 Connection Between CobiT and Other Standards of Best Practices .... 23
1.5 SAP IT Service & Application Management .... 25
2 Central SAP Tools .... 29
2.1 SAP Solutions for Governance, Risk, and Compliance .... 29
2.2 SAP Solution Manager: The SAP Platform for Application Management and Cooperation .... 35
3 CobiT Domain: Plan and Organize .... 41
3.1 PO1: Defining a Strategic IT Plan .... 42
3.2 PO2: Defining the Information Architecture .... 45
3.3 PO3: Determining the Technological Direction .... 52
3.4 PO4: Defining the IT Processes, Organization, and Relationships .... 53
3.5 PO5: Managing the IT Investment .... 61
3.6 PO6: Communicating Management Aims and Direction .... 62
3.7 PO7: Managing IT Human Resources .... 64
3.8 PO8: Managing Quality .... 68
3.9 PO9: Assessing and Managing IT Risks .... 71
3.10 PO10: Managing Projects .... 75
4 CobiT Domain: Acquire and Implement .... 79
4.1 AI1: Identifying Automated Solutions .... 80
4.2 AI2: Acquiring and Maintaining Application Software .... 83
4.3 AI3: Acquiring and Maintaining Technology Infrastructure .... 90
4.4 AI4: Enabling Operation and Use .... 97
4.5 AI5: Procuring IT Resources .... 101
4.6 AI6: Managing Changes .... 102
4.7 AI7: Installing and Accrediting Solutions and Changes .... 104
5 CobiT Domain: Deliver and Support .... 109
5.1 DS1: Defining and Managing Service Levels .... 111
5.2 DS2: Managing Third-Party Services .... 118
5.3 DS3: Managing Performance and Capacity .... 123
5.4 DS4: Ensuring Continuous Operation .... 125
5.5 DS5: Ensuring Systems Security .... 127
5.6 DS6: Identifying and Allocating Costs .... 135
5.7 DS7: Educating and Training Users .... 136
5.8 DS8: Managing the Service Desk and Incidents .... 138
5.9 DS9: Managing the Configuration .... 141
5.10 DS10: Managing Problems .... 143
5.11 DS11: Managing Data .... 146
5.12 DS12: Managing the Physical Environment .... 149
5.13 DS13: Managing Operations .... 150
6 CobiT Domain: Monitor and Evaluate .... 155
6.1 ME1: Monitoring and Evaluating IT Performance .... 156
6.2 ME2: Monitoring and Evaluating Internal Controls .... 159
6.3 ME3: Ensuring Compliance with Specifications .... 163
6.4 ME4: Ensuring IT Governance .... 164
7 Relevance of CobiT and COSO for Fulfilling SOX .... 167
8 Outlook .... 175
A CobiT Controls .... 179
B Literature .... 191
Index .... 193

Foreword

Enhancing growth and expanding competitive advantage are the goals of many enterprises as they use IT to help increase efficiency, flexibility, and innovation. The basic prerequisite for such a strategy is a high-quality IT concept. Implementing the Control Objectives for Information and Related Technology (CobiT) framework makes it possible to harmonize the goals of a company and its information technology. CobiT provides measurement categories and models with which to judge stages of maturity in order to quantify achievements and identify responsibilities in business and IT.

Moreover, these issues are enforced by initiatives such as corporate governance, risk, and compliance management, which evolved as a response to new legislation, increasing pressure from capital markets, and higher expectations among shareholders.

This SAP Pocket Guide gives you an overview of CobiT and explains how the tool and service portfolio of SAP can support you in implementing CobiT. The guide highlights the new products and applications offered by SAP Governance, Risk, and Compliance.

This guide describes how IT investments can be used proactively to manage business processes. This helps reduce compliance cost and create more efficient and effective operational business process management, leading to higher shareholder value.

February 2007

Amit Chatterjee
Senior Vice President, Governance, Risk and Compliance Business Unit, SAP AG

6 CobiT Domain: Monitor and Evaluate

CobiT and ITIL work on process classification with regard to the levels non-existent, initial, repeatable, defined, controlled and measurable, and optimized. This applies to all IT governance processes. To classify the IT processes and identify optimization potential, the processes must be monitored and measured continually. Suitable quality criteria, such as performance and compliance, must be defined with statutory and other specifications. Only then can quality improvement be included in the life cycle of IT processes as a continuous process.

CobiT Domain | CobiT Process | Control | ITSAM Process
ME | 1 | Monitor and evaluate IT performance | All ITSAM processes
ME | 2 | Monitor and evaluate internal controls | All ITSAM processes
ME | 3 | Ensure regulatory compliance | Configuration Management, Release Management, Change Management, IT Service Continuity Management
ME | 4 | Provide IT governance | All ITSAM processes

Table 6.1 Overview of CobiT Processes in ME and ITSAM

6.1 ME1: Monitoring and Evaluating IT Performance

Permanent monitoring ensures that IT services are effectively monitored. The relevant service indicators must be integrated into systematic, real-time reporting.

When evaluating the IT services, you should consider the following questions:

- To what extent is the processing of the business processes supported by the provision of the IT service?
- What contribution does the IT service make towards achieving the strategic business plan and the IT plan?
- Does the delivery of the IT service comply with statutory and company regulations?
- How does the delivery of the IT services affect internal and external customer satisfaction?
- What are the main IT services for which management reporting is to be performed?
- What future investments can be derived?
- Do new technologies have to be implemented?
- Are investments to be made in new infrastructures or staff training?

In addition, if measured figures deviate from targets, are corrective measures to be introduced? Monitoring is necessary to ensure that the correct measures have been taken and that they comply with the specified statutory and company regulations.

Tools

The implementation of standard SAP applications in mySAP ERP, mySAP CRM, SAP NetWeaver Business Intelligence, and Strategic Enterprise Management enables you to map IT management and the delivery of IT services. The IT services have been defined as products. The transfer prices for the IT services have been calculated and stored. Open interfaces enable you to determine the actual quantities ordered. By evaluating this information, you can use management reporting to map the adherence to service contracts and service plans.

IT Management Reporting

Along with IT Management Reporting for business, you also should establish technically oriented IT Management Reporting. One particularly relevant figure is adherence to Service Level Agreements (SLAs). Based on the SAP EarlyWatch Alert evaluations and additional data from the available technical monitoring in SAP Solution Manager, you can call up reporting for the applications and the affected business processes.

SAP GRC Access Control

In order to limit risk, SAP GRC Access Control products ensure that IT staff members are provided with appropriate authorization profiles, enabling them to operate the IT infrastructure needed to run the business processes. At the same time, SAP GRC Access Control eliminates the risks involved in granting authorizations that violate segregation of duties.

SAP GRC Process Control

SAP GRC Process Control is used to document and deploy internal controls. A pool of controls to be checked is distributed to the persons responsible, and any discrepancies are removed by means of remediation cases. One example would be safeguarding purchasing processes for IT resources. Among other things, SAP GRC Process Control can be used to determine whether the supplier's bank data has been changed, or whether an invoice has been settled more than once. It is also possible to check, for example, whether three quotations were obtained from different suppliers before a supplier was selected.

In case of a deficiency or non-adherence to a control, remediation cases are automatically created, assigned priorities, and assigned to the relevant process owners. With this risk-based approach, the deficiencies in the control system are assigned priorities, and cases are monitored until the deficiencies are removed.

6.2 ME2: Monitoring and Evaluating Internal Controls

An important area of monitoring is the use of suitable tools and measures in order to provide targeted management reporting of deviations from the internal controls. The deviations can be disclosed by standard reports, self-evaluation, or reviews by third parties. Monitoring is used mainly to safeguard IT operation effectively and efficiently.

The core features of monitoring are:

- Compliance with laws and regulations
- The performance of IT processes
- Information security
- Adherence to checkpoints for Change Management
- Adherence to SLAs

The result is that the corresponding correction measures are introduced for all the deviations reported, and their success is monitored.

Tools

SAP GRC Process Control

SAP GRC Process Control is integrated into the control documentation of the SAP GRC Repository. The GRC Repository contains all regulations, risks and controls, test plans, and results, regardless of source system. The SAP GRC Repository provides tools for monitoring and managing controls and risks throughout the enterprise.

SAP GRC Process Control provides managers with a Global Control Risk Heat Map to uniquely identify risks and infractions of the internal control system, making it easier for management and auditors to prioritize and introduce corrective measures, and to prevent weak points from developing in the control environment. Figure 6.1 shows an example of the Global Control Risk Heat Map. The regions in a geographical overview are highlighted in various colors to indicate their risk levels. You can choose a region and branch to the next level of detail. On the most detailed level, you get a statistical overview of the financial transactions in a single location: Atlanta in the example. In this case, the total exceeds the defined limit and is therefore highlighted in red.

The checking and remediation activities are transferred to the persons responsible by means of a workflow. The check can be performed manually or automatically. A manual check could specify, for example, that an auditor has to check 15 listed documents, following the dual-control principle. The checking operation is then documented in SAP GRC Process Control.

Figure 6.1 Global Control Risk Heat Map

Automatic tests can also be performed. The evaluation of the application-specific controls can determine, for example, whether critical supplier data such as upper limits for orders or payment methods have been changed. SAP GRC Process Control enables automated control monitoring for SAP and non-SAP business applications.
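As an added example (not code from the book, nor from SAP GRC Process Control), the three automated control tests named in the ME1 Process Control paragraph and in the automatic-tests paragraph above, run over constructed purchasing records; each deficiency becomes a prioritised remediation case assigned to a process owner, as the text describes. Vendor ids, user names, owners, field names and amounts are invented.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data: vendor ids, users, owners and amounts are invented.
VENDOR_CHANGE_LOG = [
    # (vendor_id, field, old_value, new_value, changed_by)
    ("V100", "bank_account", "DE11 1111", "DE99 9999", "jsmith"),
    ("V200", "payment_terms", "30 days", "45 days", "mlee"),
]
PAYMENTS = [
    # (invoice_no, vendor_id, amount)
    ("INV-1", "V100", 1200.0),
    ("INV-2", "V300", 800.0),
    ("INV-1", "V100", 1200.0),  # the same invoice settled a second time
]
VENDOR_SELECTIONS = [
    # (purchase_order, chosen_vendor, vendors that submitted a quotation)
    ("PO-7", "V300", {"V300", "V400", "V500"}),
    ("PO-8", "V200", {"V200"}),
]
PROCESS_OWNER = {"V100": "ap.manager", "V200": "purchasing.lead",
                 "V300": "ap.manager"}
CRITICAL_VENDOR_FIELDS = {"bank_account", "payment_method", "order_limit"}


@dataclass
class RemediationCase:
    control: str
    subject: str
    priority: str  # "high" or "medium"
    owner: str
    status: str = "open"


def check_bank_data_changes(log=VENDOR_CHANGE_LOG):
    """Flag changes to critical supplier master data (bank account, payment
    method, order limit); a changed payment term is not a finding here."""
    return [RemediationCase("vendor-master-change", vendor, "high",
                            PROCESS_OWNER.get(vendor, "unassigned"))
            for vendor, fld, _old, _new, _who in log
            if fld in CRITICAL_VENDOR_FIELDS]


def check_duplicate_settlement(payments=PAYMENTS):
    """Flag an invoice number settled more than once for the same vendor."""
    seen = defaultdict(int)
    for inv, vendor, _amt in payments:
        seen[(inv, vendor)] += 1
    return [RemediationCase("duplicate-payment", f"{inv}/{vendor}", "high",
                            PROCESS_OWNER.get(vendor, "unassigned"))
            for (inv, vendor), n in seen.items() if n > 1]


def check_three_quotations(selections=VENDOR_SELECTIONS, minimum=3):
    """Flag a supplier selection made with fewer than three distinct quotations."""
    return [RemediationCase("three-quotations", po, "medium",
                            PROCESS_OWNER.get(chosen, "unassigned"))
            for po, chosen, quotes in selections if len(quotes) < minimum]


def run_control_tests():
    """Run all tests and return the open cases, highest priority first, the
    way a remediation work list would present them to process owners."""
    cases = (check_bank_data_changes() + check_duplicate_settlement()
             + check_three_quotations())
    rank = {"high": 0, "medium": 1}
    return sorted(cases, key=lambda c: rank[c.priority])


if __name__ == "__main__":
    for case in run_control_tests():
        print(f"[{case.priority}] {case.control}: {case.subject} -> {case.owner}")
```

In a real deployment the change log and payment run would come from the source system's audit tables rather than inline lists; the case objects are what the workflow would route to the owners.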

SAP's collaboration with Cisco allows you to set up automatic controls on the network level. You can thus intercept e-mails containing sensitive information before they leave the confines of the company, for example. This protects private information about customers (such as Social Security or other social insurance information), and can also be used to ensure that business figures are not sent out of the company by e-mail before the quarterly figures are published. Cisco also extends the reach of SAP GRC Process Control to include data exchange among all participants in your company's value chain, including suppliers and customers.

Service Level Reporting

Service Level Reporting in SAP Solution Manager is based on the SAP EarlyWatch Alert (EWA) data and can be enhanced by adding data from monitoring. It forms the interface between IT departments and the business-process owner. By incorporating Business Process Monitoring, you can include business process alerts in Service Level Reporting. In this case, Service Level Reporting provides not only technical information, but also information as to whether technical problems have affected business processes. System-availability reporting is also possible, as well as reporting on system performance, query performance, and database performance, to name just a few possibilities.

Change Request Management

Change Request Management enables you to centrally control, from within SAP Solution Manager, that only approved change requests are implemented, and that they are transported through the system landscape in line with the company-specific schedules and guidelines.

Services

Identity and Access Management Strategy Evaluation

Identity and Access Management Strategy primarily involves analyzing requirements with regard to user registration and access management. The requirements are compared with the quotation from SAP and partner solutions. Alternative solutions are presented and evaluated. Finally, an implementation plan is presented.

Technical Risk Assessment

The result of this service shows the most important technical risks of an implemented SAP landscape and the connected internet-based scenarios. Recommendations for risk removal and minimization are made.

6.3 ME3: Ensuring Compliance with Specifications

An independent review process ensures compliance with laws and regulations. An audit charter is created and the process of engaging an independent auditor is assured. The first step is to identify the applicable laws and regulations that directly affect IT operations. To do so, the requirements for IT service delivery must be considered, including the services of third parties and the effects on the IT organization and its processes and infrastructure. In addition, the laws and regulations relating to electronic data processing, data protection, internal checkpoints, financial reporting, industry-specific regulations, intellectual property and copyright, and even work safety must be evaluated.

Tools

SAP GRC Repository

All regulations and laws, as well as the internal control system derived from them, are stored in the SAP GRC Repository. One type of control documented in the GRC Repository is the check on the segregation of duties, which also can be performed with SAP GRC Access Control. All application-related and IT-related checks are grouped and managed centrally in the SAP GRC Repository. This central storage reduces the costs involved in the audit process, and also makes it possible to immediately identify and remove redundant controls.
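As an added example (not the book's code, nor SAP GRC Access Control's), a segregation-of-duties check of the kind the paragraph above and the ME1 Access Control paragraph attribute to SAP GRC Access Control: a rule set of conflicting business functions is applied to role and user assignments, both detectively over all users and preventively before a role is granted. The rule set, role names, function names and users are constructed for the example.

```python
# Constructed rule set: pairs of business functions one person must not hold,
# with the risk level an SoD rule book would attach to the conflict.
SOD_RULES = {
    ("create_vendor", "post_vendor_payment"): "high",
    ("create_purchase_order", "approve_purchase_order"): "high",
    ("maintain_user", "assign_role"): "medium",
}
# Constructed role catalogue: which functions each (invented) role grants.
ROLE_FUNCTIONS = {
    "Z_AP_CLERK": {"post_vendor_payment"},
    "Z_VENDOR_MASTER": {"create_vendor"},
    "Z_BUYER": {"create_purchase_order"},
    "Z_PO_APPROVER": {"approve_purchase_order"},
    "Z_USER_ADMIN": {"maintain_user", "assign_role"},
}
# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": {"Z_AP_CLERK", "Z_VENDOR_MASTER"},  # conflict across two roles
    "bob": {"Z_BUYER"},
    "carol": {"Z_USER_ADMIN"},                   # conflict inside one role
}


def functions_of(user, extra_roles=()):
    """Flatten a user's roles (plus any roles under consideration) into the
    set of business functions the user could perform."""
    funcs = set()
    for role in set(USER_ROLES.get(user, ())) | set(extra_roles):
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def violations_for(funcs):
    """Rules broken by a set of functions, as (function_a, function_b, risk)."""
    return sorted((a, b, risk) for (a, b), risk in SOD_RULES.items()
                  if a in funcs and b in funcs)


def sod_violations(user):
    """Detective check: the rules a user currently breaks."""
    return violations_for(functions_of(user))


def would_violate(user, new_role):
    """Preventive check run before a role is granted: only the violations the
    new role would introduce, beyond those already on record for the user."""
    before = set(sod_violations(user))
    after = set(violations_for(functions_of(user, [new_role])))
    return sorted(after - before)


def sod_report():
    """Detective run over all users, listing only users with findings."""
    return {u: sod_violations(u) for u in USER_ROLES if sod_violations(u)}


if __name__ == "__main__":
    for user, hits in sod_report().items():
        print(user, hits)
    print("bob + Z_PO_APPROVER:", would_violate("bob", "Z_PO_APPROVER"))
```

The carol case shows why the check has to flatten roles to functions: a single role can itself bundle two conflicting functions, which a check on role pairs alone would miss.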

Services

SAP Authorization Strategy Concept for SOX Compliance

The result of the SAP Authorization Strategy Concept for SOX Compliance service is the identification of all important security deficiencies in the implemented SAP authorization concept. Changes are suggested, and an implementation plan is formulated to remedy these deficiencies.

6.4 ME4: Ensuring IT Governance

The goal of this control is to create reporting that transparently shows whether and how the IT plan was implemented. The most important decision makers from the IT and business fields must be informed whether the planned value potentials have been achieved. In addition, the IT risk after the implementation must be evaluated. A competent assessment must be made as to whether the technical limits have been achieved or even exceeded. The most important goal is to prevent loss of business through IT system failures. Therefore, all the persons responsible must have transparent information as to which IT infrastructure and IT applications can provide stable, failure-free operation for the most important business processes.

Tools

SAP GRC Repository

The SAP GRC Repository centrally documents and stores the information related to all statutory, risk-related, and compliance topics. It manages all GRC content, including frameworks, regulations, processes, and controls, thus ensuring that company regulations and their related infrastructure are mapped consistently, effectively, and efficiently.

Services

SAP Solution Management Assessment

SAP provides the Solution Management Assessment service as part of the Premium Engagements, to identify and evaluate availability requirements. In this process, the solution landscape and the most important core business processes are analyzed. The result is a description and a technical evaluation of the risks to stability, as well as the availability and safety of the core business processes.


SAP PRESS Extract: CobiT and the Sarbanes-Oxley Act, by Sabine Schöler, Liane Will, Marc O. Schäfer. Contents of this extract: Foreword; Chapter 6: CobiT Domain: Monitor and Evaluate (6.1 ME1: Monitoring and Evaluating IT Performance; 6.2 ME2: Monitoring and Evaluating Internal Controls; 6.3 ME3: Ensuring Compliance with Specifications; 6.4 ME4: Ensuring IT Governance); Index.

www.sap-press.de, (c) Galileo Press GmbH 2007
