Learn how to:
Centralize risk-based controls
SAP GRC to simplify compliance
Streamline access certifications
Monitor with red flags analytics
Manage segregation of duties rulesets
Balancing SAP Security: Access, Protection, Authorization
2. Agenda
Centralize risk-based controls
SAP GRC to simplify compliance
Streamline access certifications
Monitor with red flags analytics
Manage segregation of duties rulesets
3. The centralization of processes is a prerequisite for cost saving and digitalization efforts in response to the COVID-19 crisis
4. GRPC_STR_CHANGE: Update and simplify the hierarchy of SAP processes and sub-processes
GRPCRTA_PC: Centralize local control catalogs with harmonized multi-compliance frameworks
ASGN-TSTER: Change the schedule of controls with problematic workflows
SURVEY: Align control surveys to yes/no confirmations with comments and attachments
5. The detection and investigation of suspicious fraudulent activity is critical during the operational adjustments triggered by COVID-19
7. SAP Business Partner Screening: Ongoing due diligence on third parties
SAP Business Integrity Screening: Notifications on fraud red flags
SAP Tax Compliance: Prevent fines and disputes
SAP Risk Management: Develop exit plans to address continuity risks
8. SAP Risk Management: Monte Carlo Simulations
• cash-flow analysis
• delays in supply
• delays in orders
• budgeting
• insurance
• price calculation
• bidding
9. User access reviews
• Update process owners
• Compare changes in the most used roles
• Evaluate recent changes for terminations and contractors
• Sample some reviews to audit the full process
11. SAP Business Integrity Screening: Exception reporting and management
• Duplicated payments
• Split orders
• Invoice before reception
• Inaccurate master data
• Unusual discounts
12. SAP Segregation of Duties Ruleset
• Review changes in the access control attributes
• Leverage checks based on pre-configured SAP Best Practices for industry
• Continue improving the rules for display rights
• Simplify roles for the new normal
14. Leading analysts on information security in the era of digital transformation
@kuppingercole
info@kuppingercole.com
Editor's notes
security and governance done right
- How to centralize risk-based controls in SAP GRC to simplify compliance
- Tips to streamline access certifications and monitoring with red flags analytics
- How to manage segregation of duties rulesets
Hierarchy (GRPC_STR_DISPLAY): derive the reporting needs from the C-level organization and the hierarchy of regulations; inconsistent processes cannot be centralized; review their relevance with the process owners; reassess the processes to focus the resources.
Centralization: many control frameworks; follow group policies; assess the justification for having different controls in some entities; centralize the delegation of tasks for other users' access rights. Cover SAP and non-SAP applications. Use generic test plans for the corporate, financial, IT and industry-specific control clusters.
Schedule: evaluate the frequency of control testing; test shared controls through shared service centers; look for recurrent escalations of issues and for rejected or pending items.
SAP GRC to simplify compliance: fraud, and more risks from working from home.
How can we reduce the risks from business partners (business integrity of partners)?
Standard risk management should be done better (e.g. Credit Suisse dismissing the CRO).
There is a need for real management of risks: update and audit action plans, and prevent risks from being hidden.
Scenario analysis using Monte Carlo enables you to select a list of risks, assign them to a random distribution, and decide on a distribution method for the number of losses involved (frequency). In this way, the system estimates the total aggregated loss (the sum) at risk for your simulation.
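As an added illustration, not SAP Risk Management's own implementation, the scenario analysis described above in plain Python: each risk is given a Poisson frequency distribution and a lognormal severity distribution (both assumed here), the simulation sums the losses of every period, and the sorted totals give the expected loss and the loss at a chosen percentile; the sample risks are constructed.

```python
import math
import random
from dataclasses import dataclass
from typing import List

@dataclass
class Risk:
    name: str
    frequency: float     # expected occurrences per period (Poisson mean)
    median_loss: float   # median loss per occurrence (lognormal severity)
    sigma: float         # spread of the severity distribution (log scale)

def poisson(rng: random.Random, lam: float) -> int:
    """Sample an occurrence count from Poisson(lam) (Knuth's method, fine for small lam)."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_aggregate_loss(risks: List[Risk], iterations: int, seed: int = 0) -> List[float]:
    """Return the total loss of each simulated period, sorted ascending."""
    rng = random.Random(seed)
    totals = []
    for _ in range(iterations):
        total = 0.0
        for r in risks:
            count = poisson(rng, r.frequency)  # how many times this risk materialises
            for _ in range(count):             # how much each occurrence costs
                total += rng.lognormvariate(math.log(r.median_loss), r.sigma)
        totals.append(total)
    totals.sort()
    return totals

def loss_at_percentile(sorted_losses: List[float], pct: float) -> float:
    """Aggregated loss not exceeded in pct percent of the simulated periods (e.g. 95)."""
    idx = min(len(sorted_losses) - 1, int(len(sorted_losses) * pct / 100))
    return sorted_losses[idx]

# Constructed sample risks for the demonstration, not figures from the presentation.
SAMPLE_RISKS = [
    Risk("supply delay", frequency=2.0, median_loss=20_000, sigma=0.8),
    Risk("order delay", frequency=1.0, median_loss=50_000, sigma=1.0),
    Risk("cash-flow shortfall", frequency=0.3, median_loss=200_000, sigma=0.5),
]
```

Calling simulate_aggregate_loss(SAMPLE_RISKS, 20_000) and then loss_at_percentile(losses, 95) gives the aggregated loss that is exceeded in only one period out of twenty, which is the figure an exit or continuity plan is sized against.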
Detect changes in usage to update the SoD and Sensitive Access rulesets: unreversed temporary rules, conflicts from COVID operations, improper change processes.
Changes in the handling of hybrid roles that blend duties; changes in sub-contractors and also in administrators.
Sample some reviews to check the details of the certification: need to know, understanding, incompatibilities, and review the removal of accesses.
Duplicated payments: errors and fraud.
Split orders: orders split into smaller-value POs to avoid additional approval checks.
Inaccurate client, vendor or bank master data: clean up the data and provide training; incomplete or inaccurate sets of data.
Goods received after invoice date: goods receipts were posted after the date of the invoices. Lack of resources in the warehouse is the main cause of late inventory accounting updates.
Attribute-Based Access Controls (ABAC) enable the use of “attributes” in authorization decisions. These attributes can be anything from user details such as role, department, nationality, or even a user’s security clearance level. You can consider additional contextual attributes such as IP address, location, time, device, and transaction history. And most importantly, for SoD, you can now use data attributes in authorization logic. This means that field-level values within SAP can be used to determine whether to block or allow a transaction, and these details can further be used in reporting activities.
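An added, illustrative ABAC policy evaluator (not SAP's authorization engine) showing how user, context and data attributes, including field-level values such as amount and company code, decide whether a vendor payment is blocked, and how the rules that fired are returned for reporting; the rule names, attribute keys and sample values are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]
# A rule denies the transaction when its predicate over (user, context, data) is true.
Predicate = Callable[[Attrs, Attrs, Attrs], bool]

@dataclass
class Rule:
    name: str
    transaction: str      # transaction the rule governs
    deny_if: Predicate

# Constructed ruleset for a vendor-payment transaction (illustrative, not SAP's own).
RULES: List[Rule] = [
    # SoD through a data attribute: whoever created the vendor master record cannot pay it
    Rule("sod_vendor_create_vs_pay", "PAY_VENDOR",
         lambda u, c, d: d["vendor_created_by"] == u["id"]),
    # Field-level value: large amounts require the approver role
    Rule("high_value_needs_approver", "PAY_VENDOR",
         lambda u, c, d: d["amount"] > 10_000 and "APPROVER" not in u["roles"]),
    # User attribute against data attribute: company code must be in the user's scope
    Rule("company_code_out_of_scope", "PAY_VENDOR",
         lambda u, c, d: d["company_code"] not in u["company_codes"]),
    # Context attributes: payments only from the corporate network during office hours
    Rule("outside_office_hours_or_network", "PAY_VENDOR",
         lambda u, c, d: not (8 <= c["hour"] < 18 and c["network"] == "corporate")),
]

def decide(transaction: str, user: Attrs, context: Attrs, data: Attrs,
           rules: List[Rule] = RULES) -> Tuple[str, List[str]]:
    """Evaluate every rule that applies to the transaction; deny if any fires and
    return the names of the firing rules so the decision can be reported and audited."""
    fired = [r.name for r in rules
             if r.transaction == transaction and r.deny_if(user, context, data)]
    return ("DENY" if fired else "ALLOW", fired)

# Constructed sample request, not data from the presentation.
SAMPLE_USER = {"id": "jdoe", "department": "AP", "roles": {"AP_CLERK"},
               "company_codes": {"1000", "2000"}}
SAMPLE_CONTEXT = {"hour": 10, "network": "corporate"}
SAMPLE_DATA = {"vendor": "V-4711", "vendor_created_by": "jdoe",
               "amount": 25_000, "company_code": "3000"}
```

decide("PAY_VENDOR", SAMPLE_USER, SAMPLE_CONTEXT, SAMPLE_DATA) returns a DENY with three rule names, which is the detail a red-flag report needs in place of a bare block.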