SoX Compliance with GRC Access Control - The Alpro case
Transcript of SoX Compliance with GRC Access Control - The Alpro case
SAPience.be User Day ’13, March 21, 2013
The monitoring of SOX Compliance with SAP GRC Access Control 10.0
Eric Lagrange, Alpro
Chris Walravens, Expertum
Agenda
Key Facts about Alpro
Key Facts about Expertum
SOX Compliance @ Alpro
SAP GRC Access Control
Position Based Security
Preventative Simulation
Operational Processes
Risk Mitigation
Root Cause Analysis
Reporting
Benefits
Key facts and figures about Alpro
Alpro founded in 1980 and acquired by Dean Foods mid 2009
Part of The WhiteWave Foods Company since mid 2012 NYSE
Grown to € 286 million in revenues in 2012 (US GAAP) (€ 304 mio IFRS)
European market leader in non-dairy plant-based products
2 power brands: Alpro® and Provamel®
6 product categories
3 channels
4 wholly-owned commercial organisations in BE, NL, UK and GE and more than 30 commercial partnerships in all other primary European markets
4 plants in BE, FR, UK and NL
~850 employees
Alpro mission anchored in sustainable development
“We create delicious
naturally-healthy
plant-based foods
for the maximum wellbeing of everyone
and with the utmost respect for our planet”
Alpro driving innovation in 3 dimensions
Innovations in 2012
Vegetal alternatives are 5 to 10 times more efficient than animal products on key SD KPIs
[Chart: efficiency multipliers (x2.5 up to x45) for cow’s milk vs soy and cow’s meat vs soy on land, water, air, energy and CO2. Source: Ecofys]
Evidence shows that healthy and sustainable foods go hand in hand
Source: Barilla Centre for Food Nutrition
Introduction Expertum
Facts
• Founded in April 2006 by 2 ex-SAP Belux employees
• Team of 50+ SAP Experts and Project Managers
• Partnerships
Mission
• Exceed client expectations by providing top-quality expertise
• Provide our people a safe environment for personal and professional growth
Strength
• Highly skilled & experienced SAP consultants in all SAP areas, combined with a wide industry knowledge in several domains
• First (and still only) IT services provider on the Belgian market to receive the coveted SAP certificate for quality management (AQM)
Expertum Competence Areas
• Knowledge Management - Product & Service Development
• Project Management (PM)
• Supply Chain Management (SCM)
• Product Lifecycle Management (PLM)
• Application Lifecycle Management (SolMan + NW)
• Governance, Risk, and Compliance (GRC)
• Business Intelligence (BI: BW + BO)
• Finance & Controlling (FI/CO)
Focus GRC team
• SAP Authorization Health Check
• SAP Authorization Concept (re)Design
• SOD conflict Remediation
• SAP Security Framework design
• SAP GRC Toolbox - GRC RDS Certified
• SAP IDM
• Day to Day support
SOX-Compliance @ Alpro
Achieved SOX-compliance successfully (2010 / 2011 / 2012)
Resulted in enhanced business controls and authorizations
Provided Alpro management extra comfort on the main business processes and its impact on the financial reporting
For SAP authorizations, 2 controls applied:
• Internally built tool used during operational processes
• Periodic query runs of external auditor
Major gaps between the two controls existed:
• Internal tool only checked on transaction code level
• No alignment of monitored functionality between the two tools / rule sets
SAP GRC Access Control
Alignment of rule set
Preventative simulation
Embed risk analysis in the operational processes
Document risk mitigation
Facilitate root cause analysis
Enhance reporting
Emergency Access Management (EAM)
Provision & Manage Users (PMU)
Business Role Management (BRM)
Analyze & Manage Risks (AMR)
Position Based Security
Position based security
• Use of the HR organizational structure
• Role assignments to positions
2-layered concept
• Composite roles for positions or functions
• Single & derived roles for functionality (at sub-process level)
Approval process
• Approvals of role assignments are done on position level
• Risk mitigations are approved on position level
Preventative Simulation
Rule set
• Contains critical functionality & SOD queries
• Works on transaction code and detailed object level
• Aligned with SOX controls applied by external auditor
Simulation functionality
Operational Processes
Scenarios:
• New user / Existing position
• Existing user / Change position
• New user / New position
• Existing user / Multiple positions
• Changes in roles
Simulation to run:
• No simulation required
• Run user simulation
• Run position simulation
• Run position simulation
Risk Mitigation
Mitigation decision on position level (Corporate Controller)
Mitigation documentation both on position & user level
• New / Changed position
  • Decision and documentation on position level
  • Apply the position mitigations to the users
• New user
  • Apply mitigations of assigned position on user level
• Changed user
  • Remove all mitigations of previous position on user level
  • Apply mitigations of new position on user level
Root Cause Analysis
SOD rule: Maintain AP Payment run vs Maintain Vendor MD
Technical roles: XP3..FIAP_PAYRUN_FULL + XP3..VENDMD_FULL =
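The Position Based Security, Preventative Simulation, Operational Processes, Risk Mitigation and Root Cause Analysis slides describe one workflow: expand a position's composite roles into single roles, check the resulting transaction codes against the SOD rule set before anything reaches production, record which technical roles cause each hit, and carry position-level mitigations down to the users holding that position. The script below is an added example that reproduces that workflow in miniature; it is not Alpro's tool and not SAP GRC Access Control code. The rule set, transaction codes, composite roles, positions and the mitigating control are all constructed, and the single-role names only follow the pattern shown on the Root Cause Analysis slide. It analyses on transaction-code level only, whereas the rule set on the Preventative Simulation slide also checks detailed authorization objects.

```python
# Toy position-based SOD risk analysis (added example, not Alpro's or SAP GRC code).
# Everything below is constructed sample data; role names only mimic the slide's
# XP3..FIAP_PAYRUN_FULL / XP3..VENDMD_FULL naming pattern.

# Rule set on transaction-code level: business function -> tcodes that perform it.
FUNCTIONS = {
    "AP_PAYMENT_RUN": {"F110"},
    "VENDOR_MD_MAINTAIN": {"XK01", "XK02", "FK01", "FK02"},
}
# SOD rules: risk id -> pair of functions one person must not hold together.
SOD_RULES = {"P001": ("AP_PAYMENT_RUN", "VENDOR_MD_MAINTAIN")}

# Two-layered concept: single roles carry tcodes, composite roles group single
# roles, positions (from the HR organisational structure) carry composite roles.
SINGLE_ROLES = {
    "XP3..FIAP_PAYRUN_FULL": {"F110", "FBL1N"},
    "XP3..VENDMD_FULL": {"XK01", "XK02", "XK03"},
    "XP3..VENDMD_DISPLAY": {"XK03"},
}
COMPOSITE_ROLES = {
    "C_AP_ACCOUNTANT": {"XP3..FIAP_PAYRUN_FULL", "XP3..VENDMD_DISPLAY"},
    "C_VENDOR_CLERK": {"XP3..VENDMD_FULL"},
}
POSITIONS = {
    "POS_AP_ACCOUNTANT": {"C_AP_ACCOUNTANT"},
    "POS_VENDOR_CLERK": {"C_VENDOR_CLERK"},
    "POS_FINANCE_ALLROUNDER": {"C_AP_ACCOUNTANT", "C_VENDOR_CLERK"},
}
# Mitigating controls, decided and documented on position level (constructed).
POSITION_MITIGATIONS = {
    "POS_FINANCE_ALLROUNDER": {"P001": "monthly payment-run review by corporate controller"},
}


def single_roles_of(position):
    """Expand a position's composite roles into the single roles they contain."""
    return set().union(*(COMPOSITE_ROLES[c] for c in POSITIONS[position]))


def roles_enabling(function, single_roles):
    """Single roles granting at least one tcode of the function: the root cause."""
    return {r for r in single_roles if SINGLE_ROLES[r] & FUNCTIONS[function]}


def analyze(single_roles):
    """Risk analysis: {risk_id: (roles enabling function A, roles enabling function B)}
    for every SOD rule where the role set enables both sides of the conflict."""
    findings = {}
    for risk_id, (fa, fb) in SOD_RULES.items():
        ra, rb = roles_enabling(fa, single_roles), roles_enabling(fb, single_roles)
        if ra and rb:
            findings[risk_id] = (ra, rb)
    return findings


def simulate_position(position, add_composites=()):
    """Position simulation: risks the position would carry after a proposed role change."""
    singles = single_roles_of(position)
    for composite in add_composites:
        singles |= COMPOSITE_ROLES[composite]
    return analyze(singles)


def simulate_user(positions):
    """User simulation: risks across every position a user holds."""
    singles = set().union(*(single_roles_of(p) for p in positions))
    return analyze(singles)


def change_position(user, new_position):
    """Move a user to a position: mitigations of the previous position are removed,
    those documented for the new position are applied on user level."""
    user["position"] = new_position
    user["mitigations"] = dict(POSITION_MITIGATIONS.get(new_position, {}))
    return user


def unmitigated_risks(user):
    """Risks of the user's position that no documented mitigation covers."""
    findings = simulate_user([user["position"]])
    return {rid: f for rid, f in findings.items() if rid not in user["mitigations"]}


if __name__ == "__main__":
    # Preventative check: what happens if the vendor-clerk role is added to an AP accountant position?
    for risk_id, (ra, rb) in simulate_position("POS_AP_ACCOUNTANT", ["C_VENDOR_CLERK"]).items():
        print(f"{risk_id}: {' + '.join(sorted(ra))} + {' + '.join(sorted(rb))}")
    user = change_position({"position": None, "mitigations": {}}, "POS_FINANCE_ALLROUNDER")
    print("open risks after position change:", unmitigated_risks(user))
```

Run as a script it prints the root cause of the one hit (which single role supplies the payment run and which supplies vendor master maintenance) and shows that a user moved into the mitigated position has no open risk, while the same position without a documented mitigation would still report it.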
Reporting
Benefits
Rule set fully in line with SOX requirements
Full preventative mode: no authorization change goes into production without preventative checking against the rule set
Risk analysis fully embedded in the operational processes
Risk mitigations are fully documented during the operational processes
Root cause analysis is facilitated, making day-to-day maintenance easier
Thank you!
Get Inspired.Stay Connected.
Achieve Business Agility.