Homepage for SAP Professionals

Category: SAP GRC

Business Process: the high-level process areas against which risk analysis is reported. Examples of business processes are Finance, Sales and Distribution, Production Planning and Human Resources.

Function: a grouping of one or more actions that are related to each other. Example functions are Maintain Vendor Master and Maintain Material Master; each function holds all the transactions relevant to that piece of master data.

Risk: a material or physical loss, fraud, disruption or production loss that could occur when an individual is able to take advantage of the situation. Risks arise from conflicting functions. An example risk is "Maintain fictitious G/L account and hide activity via postings".

Action: an activity performed in the system in order to accomplish a specific function. Examples of actions are Create Vendor Master, Create Customer Master and Approve Payments.

Permission: an authorization that allows a user to perform a particular activity in the system, for example Mass Update Material Master.

System: the system in which the analysis is performed, for example SAP ECC, SAP SRM or SAP CRM.

OneAccess-UserManager also helps you manage the complex documenting, testing, process control, and sign-off requirements mandated by Sarbanes-Oxley sections 302, 404, and 409

Selva Kumar

Vice President- SAP Practice

OneAccess-UserManager for SAP

SAP Certified-Powered by Netweaver

http://www.softsquare.biz/oneaccess/

selva@softsquare.biz

Phone: 1 877 717 5487

Automate and Meditate


There are two main types of reporting in SAP GRC: one focused on risk analysis and remediation, the other on management reporting. All the tools have alerts built in.

Access Control Reports:

There are two types of report: one focuses on users, the other on roles. Both provide detailed risk analysis for remediation. The audit log report details the changes that happened in the system.

Compliant user Provisioning Reports:

This tool has reports on the user provisioning process. These reports mainly deal with approvals, problems in approvals, process progress, hold-ups in approvals and approval turnaround time. The management reports include pie charts that give the overall progress by organization.

Super user Privileges:

Here the reports are geared towards who is using the transactions, with detailed logs of the activities in the system.

Administrator:

The administrator needs technical details on roles, users, controls and alerts.


Running SOD Reports for Users at Authorization Object Level

This enables the user to run reports on roles or users to investigate whether there are segregation of duties conflicts within a composite role, single role or user in the system. This report has to be run daily in the background to check whether any new risks have been introduced into the system.

Running Simulation Reports

The training teaches the user to run this report when making changes to a single role, composite role or user. This is a preventive report that identifies segregation of duties conflicts before the change to the user or role is made.

Running Reports by Risk ID

In this report the user learns to look for a particular risk, for example a very sensitive risk that they want to monitor closely.

Running Mitigating Control reports

The user learns to look for all the mitigating controls that are in place on the users and roles in the system.

Running Reports in the Background

The user learns to schedule and monitor reports in the background. The user is also advised to monitor for errors and for how long the report runs. The SOD report can be scheduled to run daily in the background so that the auditor can monitor any changes in risks or mitigating controls.

Management Report

The user should be made aware of these reports, which give upper management an overall status of the system from a risk and mitigation perspective. The report shows the overall status of risks, mitigating controls and any unmitigated risks in the system.

Privileged User Access Management

This involves training the user to run the reports that show which users used the firefighter ID and which transactions they used. They should also be able to see the reasons given for accessing the privileged user management tool.

Maintaining Super IDs

This training involves teaching the user how to enable a user to access the privileged user management system for a particular time frame.


Emergency access in production is used when configuration changes need to take place in the system immediately, in response to a crisis. Most of the time these are true emergencies, but sometimes many regular changes are also slipped into the system by labelling them as emergencies. The best way to control this misuse is to involve the SAP functional team and the audit team.

The audit team should be involved in the following activities:

Approval of the emergency change request: the audit group should be involved in approving requests to perform emergency changes in production. They should analyze whether the request is really an emergency.

Monitoring of the activity logs: the SAP GRC tool provides logs of the activities performed during the emergency change process. The audit team should review the logs and compare them with the intent of the change and the documentation provided with the change request.

Defining the process: the audit team should define the process for requesting emergency access. The process should list functional team approval, change management team approval and the justification documentation to be provided before the change is made.

Frequently used transactions: the audit team should review the transactions used and check whether they are used frequently. If they are, recommendations should be made to the functional team to add those transactions to an existing or new role.
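The two log-review activities above (comparing the activity log against the documented intent of the change, and spotting transactions that recur across emergency sessions) as an added example; this is not the GRC tool's own code, and the CSV layout, session IDs, firefighter IDs and transaction codes are constructed for illustration.

```python
import csv
import io

# Constructed firefighter activity log in a simple CSV layout (not the GRC
# tool's native log format). Session and user IDs and transaction codes are
# illustrative only.
LOG = """\
session,ff_id,tcode
EA-1001,FF_FIN01,SM30
EA-1001,FF_FIN01,SE16
EA-1001,FF_FIN01,SU01
EA-1002,FF_FIN01,SM30
EA-1003,FF_SD01,SM30
EA-1003,FF_SD01,VA02
"""

# Constructed change requests: the transactions each emergency session was
# approved and documented for.
REQUESTS = {
    "EA-1001": {"SM30", "SE16"},
    "EA-1002": {"SM30"},
    "EA-1003": {"VA02"},
}

def parse_log(text):
    """Read the log into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))

def out_of_scope(entries, requests):
    """Per session, transactions executed that the approved request did not
    cover: the mismatch between the log and the stated intent of the change."""
    findings = {}
    for e in entries:
        approved = requests.get(e["session"], set())
        if e["tcode"] not in approved:
            findings.setdefault(e["session"], set()).add(e["tcode"])
    return findings

def frequent_tcodes(entries, min_sessions=2):
    """Transactions used in at least min_sessions distinct emergency sessions:
    candidates to move into a regular role instead of repeated emergency use."""
    sessions = {}
    for e in entries:
        sessions.setdefault(e["tcode"], set()).add(e["session"])
    return sorted(t for t, s in sessions.items() if len(s) >= min_sessions)
```

With the constructed data, sessions EA-1001 and EA-1003 each ran one transaction outside their approved scope, and SM30 recurs in three sessions, so it would be raised with the functional team as a candidate for a regular role.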


A stage is a step at which the request stops for approval. The following options are available when you configure a stage:

Risk analysis:

Risk analysis can be forced. The request can then only move on from the stage once risk analysis has been performed.

Request Content:

Edit Request: this option makes the request editable. If editing is enabled, the approver can add or remove roles.

Approve Entire Request: this option lets the approver approve or reject the entire request. The option can instead be set so that the approver can approve part of the request.

Group Email: with this option the approver can send the approval details to a group email list.

Comment: with this option comment entry can be made mandatory.

Rerouting: with this option the approver can forward (re-route) the request to another approver.

Security Approval:

Determines whether the approver must reaffirm their user identity when performing an operation on the request.


Risk acknowledgment: identify all the sensitive and high-risk transactions in the system. Then classify the transactions by risk as low, medium or high. Segregate the transactions that need to be centrally maintained (material master, customer master, vendor master). Also define the process for assigning and approving access for users who use the high-risk and master data transactions. Disable risks that are not relevant to your business.

Rule structure and substantiation: look at the rule set that comes out of the box. Most companies will be able to use the standard rule set from SAP GRC. The rule set needs to be updated with custom transaction codes. If the standard rule set does not satisfy the requirement, a custom rule set can be built.

Examination: estimate the amount of work needed to become compliant. Review the remediation effort to fix roles and users. Modify the SOD rules if any rules are missing.

Remediation / Mitigation: determine the alternatives for changing the roles. Create a project plan to fix the transactions or object values in the roles. Include time for testing and acceptance. Propose mitigation where remediation is not an option.

Continuous compliance: implement alerts for any risk introduced into the system. Put a change control process in place to prevent new risks being introduced. Establish a process for always simulating risks in roles and users before changes are made.


Your company may want to adopt a custom SOD matrix for analyzing SAP roles because the standard SAP matrix is too restrictive or too broad.

The following steps can be used to create your own custom SOD matrix in Compliance Calibrator.

  1. Group all similar transactions into functions. For example, if you have customer-related transactions, group them into one function:

     XD01  Create Customer (Centrally)
     XD02  Change Customer (Centrally)
     XD04  Customer Changes (Centrally)
     XD05  Block Customer (Centrally)
     XD06  Mark Customer for Deletion (Centr.)
     XD07  Change Customer Account Group
     XD99  Customer Master Mass Maintenance

  2. Group all the other similar transactions into functions in the same way. Once the groupings are done, generate risks based on the combinations of the functions.
  3. Once the combinations are identified, the conflicting transaction combinations and the object values are extracted from the SU24 settings.
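The glossary at the top of this archive (functions, actions, risks, permissions) and the three steps above describe the same data model, so here is one added example that builds a small custom SOD matrix at transaction level and runs both the user/role risk analysis and the preventive simulation report on it. This is illustrative code, not Compliance Calibrator's own; the XD* codes are those listed above, while the sales, vendor and payment codes, the role names and the risk IDs are assumptions constructed for the example (object-level values from SU24 are out of scope here).

```python
from itertools import combinations

# Constructed example data, not from the article. Functions group related
# transaction codes (step 1); the XD* codes are the ones listed on the page,
# the sales and vendor/payment codes are assumed for illustration.
FUNCTIONS = {
    "CUST_MAINT": {"XD01", "XD02", "XD04", "XD05", "XD06", "XD07", "XD99"},
    "SALES_ORDER": {"VA01", "VA02"},
    "VEND_MAINT": {"XK01", "XK02"},
    "PAYMENTS": {"F110"},
}

def candidate_risks():
    """Step 2: every pair of functions is a candidate risk to review."""
    return list(combinations(sorted(FUNCTIONS), 2))

# The pairs the business confirmed as conflicting, with constructed risk IDs.
RISKS = {
    "R001": ("CUST_MAINT", "SALES_ORDER"),  # create a customer and sell to it
    "R002": ("VEND_MAINT", "PAYMENTS"),     # create a vendor and pay it
}

# Constructed single roles; a composite role or a user is the union of them.
ROLES = {
    "Z_CUST_MAINT": {"XD01", "XD02", "XD99"},
    "Z_SALES": {"VA01", "VA02"},
    "Z_AP_CLERK": {"XK01", "F110"},
}

def role_tcodes(role_names):
    """Transaction codes reachable through a set of single roles."""
    return set().union(*(ROLES[r] for r in role_names))

def functions_of(tcodes):
    """Functions covered by a set of executable transaction codes."""
    return {f for f, codes in FUNCTIONS.items() if codes & set(tcodes)}

def analyze(tcodes, mitigated=()):
    """Risk IDs violated by the tcode set, minus those with a mitigating control."""
    covered = functions_of(tcodes)
    return sorted(r for r, (f1, f2) in RISKS.items()
                  if f1 in covered and f2 in covered and r not in mitigated)

def simulate(current_tcodes, added_tcodes):
    """Preventive check: risks newly introduced by adding roles or tcodes."""
    before = set(analyze(current_tcodes))
    after = set(analyze(set(current_tcodes) | set(added_tcodes)))
    return sorted(after - before)
```

Note that a single role can carry a risk on its own (Z_AP_CLERK here covers both conflicting functions of R002), which is why the page asks for the report at the single-role level as well as for composite roles and users.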

