
WHITE PAPER

SAP GRC Access Control Solution

White Paper on Implementation Methodology

HCL SAP GRC Practice

January 2008
1-13
Table of Contents

Executive Summary ................................ 3
Introduction ..................................... 4
SOX, SoD and SAP ................................. 4
Functions of SAP GRC Access Control .............. 6
Implementation Methodology ....................... 7
ANNEXURE 1: Various Aspects ...................... 10
ANNEXURE 2: Roles and Responsibilities ........... 11
ANNEXURE 3: Time Lines ........................... 12
ANNEXURE 4: Challenges ........................... 12
ANNEXURE 5: SAP GRC Business Benefits ............ 13
Executive Summary

In an era of stringent corporate governance, new regulatory requirements have made tighter internal control a standard compliance expectation across the globe.

All organizations, irrespective of size, are struggling to comply with these regulations and to manage the associated risk. The cost and effort to establish, maintain and prove compliance demand both money and time that could otherwise be invested in value addition rather than value protection.

For many organizations the technology solution is to attempt automation using standard office tools such as spreadsheets which, in spite of their low-cost advantage, may become part of the problem rather than a compliance solution.

Fortunately, a newly available class of software platforms that has become known as GRC technology can help streamline this automation. This white paper pertains to one of the most accountable control automation tools, SAP GRC Access Control, and details its implementation methodology.
SAP GRC Access Control

    "He who cannot obey himself will be commanded. That is the nature of living creatures."
    - Friedrich Wilhelm Nietzsche

Evolution of Integrated GRC:

• Barings Bank – Nick Leeson's $1.2 Billion loss – Barings forced into bankruptcy.
  – Due to improper supervision and SoD violations, detection was delayed.
• Daiwa Bank – Toshihide Iguchi's $1.1 Billion loss and $340 Million fine for unauthorized trades.
  – Management tried to conceal losses by overriding controls and through SoD violations.
• Sumitomo Bank – Yasuo Hamanaka's $1.8 Billion copper position losses.
  – Maintained two sets of books for over a decade.
• NatWest U.K. – Kyriacos Papoulis concealed over $100 Million in option losses.
  – Manipulated the books.
• Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom ... Société Générale ...

Introduction

Sarbanes-Oxley compliance was a result of such scandals. Also known as the Public Company Accounting Reform and Investor Protection Act of 2002, and commonly called SOX, it is a controversial United States federal law passed in response to a number of major corporate and accounting scandals. Signed by Congress on July 30, 2002, its overall purpose is to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.

Integrated GRC is an offshoot of SOX and of such other compliance regimes existing across industries worldwide.

In itself GRC is not new. Corporate Governance, Risk management and Compliance, as individual issues, were the most fundamental concerns of business and its top leaders. What is new is Integrated GRC. It is an approach the organization practices, and the various roles the board, senior management, line management and the rest of the organization play in relation to oversight, strategy, risk management and strategy execution regarding compliance with laws and regulations and with internal policies and procedures.

SOX, SoD and SAP

To be SOX (Sarbanes-Oxley Act) compliant, the main issue arises in SoD (Segregation of Duties) management, i.e. access-related problems in organizations. For this purpose the necessity is an automated approach to implementing the rules and policies of SOX compliance.

SAP is in the process of addressing the various compliance and risk management issues across verticals with the development of automated solutions. One of the solutions they have developed is GRC Access Control, an application that handles sustainable prevention of segregation of duties violations. Implementing the automated Access Control solution enables an organization to fulfil the requirements of SOX compliance without SoD violations and the severity they entail.
SAP Definition of SoD

A primary internal control intended to prevent or decrease the risk of errors or irregularities by assigning conflicting duties to different personnel.

Segregation of Duties (SoD)

Across an enterprise there are various functions, and these functions are performed together by a set of roles/responsibilities. SoD says that this set of roles/responsibilities should be assigned in such a way that, across the enterprise, no individual has end-to-end access rights over any function.

[Figure: End to end access SoD]

Actual job titles and organizational structure may vary greatly from one organization to another, depending on the size and nature of the business. With the concept of SoD, business-critical duties can be categorized into four types of functions: authorization, custody, record keeping and reconciliation. In a perfect system, no one person should handle more than one type of function.

The roles and responsibilities for a function should be divided in such a way that one person does not have full rights over the function, so that the risk of malicious manipulation of the function is reduced. The more critical the function, the greater and clearer the Segregation of Duties should be.

Segregation of Duties deals with access controls. Access Control ensures that one individual does not have access to two or more incompatible duties. Some examples of incompatible duties are:

• Creating a vendor and initiating payment to that vendor.
• Creating invoices and modifying them.
• Processing inventory and posting payment.
• Receiving checks and writing pay-offs.

Ideally, a single individual must not have authority for creation, modification, review and deletion of any transaction, task or resource. If an individual has access rights for creation and modification, he can create an item and, after getting it reviewed, modify it to carry out fraudulent activity. Similarly, if an individual has creation and deletion rights, he can create a vendor, initiate payment and later delete any transaction logs that could track his activity.

Segregation of Duties ensures that:

• There are no errors, as SoD ensures a cross-check of roles/responsibilities.
• The risk of fraud is reduced, as fraud will then involve two or more individuals.
• There is clear separation of roles/responsibilities across the various functions of the organization.
• Segregation of Duties is performed such that it reduces the risk associated with a function/process that could be misused for fraudulent purposes.

If proper SoD does not exist in an organization, then:

• There are ineffective internal access controls.
• There is improper use of materials, money, financial assets and resources.
• The estimation of financial condition may be wrong.
• Financial documents produced for audits and review may be incorrect.

Manual Approach to SoD

Traditional approaches for identifying and preventing SoD issues are costly, time-consuming and exhaustive, with scope for errors. In the increased regulatory environment, companies cannot afford to waste time and money hoping that a manual approach will satisfy their audit requirements. Companies now seek a comprehensive, automated approach to help them quickly resolve SoD challenges without disrupting their business.

SAP Access Control

SAP GRC Access Control delivers a comprehensive, cross-enterprise set of Access Controls that enables all corporate compliance stakeholders -- including business managers, auditors, and IT security managers -- to collaboratively define and oversee proper SoD enforcement, enterprise role management, compliant provisioning, and Superuser privilege management.

Functions of SAP GRC Access Control

SAP GRC Access Control includes the Virsa Compliance Calibrator application for SAP, the Virsa Role Expert application for SAP, the Virsa Firefighter application for SAP, and the Virsa Access Enforcer application for SAP. When deployed together, they provide an end-to-end Access Control solution that addresses the following areas:

• Risk detection: SAP applications for Access Control detect even the most obscure access and authorization risks across SAP and non-SAP applications, providing protection against every potential source of risk, including segregation of duties and transaction monitoring.
• Risk remediation and mitigation: These applications for access and authorization control enable fast, efficient remediation and mitigation of access and authorization risks by automating workflows and enabling collaboration among business and technical users.
• Reporting: The applications deliver the comprehensive reports and role-based dashboards businesses need to monitor the performance of compliance initiatives and to take action as needed.
• Risk prevention: Once access and authorization risks have been remediated, only SAP applications for Access Control can prevent new risks from entering a production system. By empowering business users to check for risks in real time and automating user administration, the applications make risk prevention a continuous, proactive process.

Implementation Methodology based on SAP Best Practice

HCL has come out with an excellent approach and methodology for implementation of the SAP GRC Access Control Suite. This Suite embraces four tools:

• Access risk analysis and remediation
• Compliant user provisioning
• Role management
• Privileged user access management

This implementation methodology, when followed step by step, makes access and authorization risk management, and further its compliance adherence, an integral part of customary organizational activities. The implementation process is based on Best Practices provided by SAP and extends from the GET CLEAN phase (identify and resolve the access risk issues) to the STAY CLEAN phase (the compliant user provisioning process is channeled into an automated structure).

The implementation process starts with installation and configuration of Compliance Calibrator. In line with the SoD Management Process, Business Process Owners identify any activity subject to fraudulent or accidental corruption through access and authorization or SoD risks, and then implement the necessary mitigation controls on them. Next, during implementation of Role Expert, we design the role designation methodology of the organization through Role Designer. In the Access Enforcer implementation we define workflows, which channel the different work processes into a structured, transparent and automated form. At last, Firefighter is implemented, which endows selected users with exceptional rights. To guard against risk occurrence, all the activities of users with firefighter rights are logged and documented.
The proposed methodology for implementing SAP GRC Access Control projects has six phases:

• Implementation Readiness
• Deploy & Install GRC Access Control Tool Suite
• Risk Analysis and Remediation
• Super User Privilege Management
• Compliant User Provisioning
• Enterprise Role Management

Preparation for Implementation

We recommend that the implementation life-cycle of the GRC Access Control Tool include everything from installation and configuration of all four software components to their integration and validation. Preparation includes:

• NetWeaver installation, configured and validated, i.e. ready for application installation.
• Resource identification.
• Requirement validation: this includes review and validation of the customer's requirements against product functionality. There should be a brief analysis of the customer's business environment, including an organizational scan and a study of their business processes. The BPX, along with the implementation consultant and the BPO, will architect solutions to address requirement gaps.

Deploy & Install GRC Access Control Tool Suite

Once the preparations for implementation are done, we proceed with installation and configuration of the Access Control Tools.

The Access Control Tool Suite can be downloaded from the SAP Support Portal at SAP Service Marketplace: service.sap.com. You need to log in with your Service Marketplace ID; it will ask for your Customer Number or Installation Number.

The SAP GRC Access Control Tool Suite includes the following tools:

• Virsa Compliance Calibrator
• Virsa Access Enforcer
• Virsa Role Expert
• Virsa Firefighter for SAP

Risk Analysis and Remediation

Risk Analysis and Remediation is done by Compliance Calibrator.

Risk Analysis and Remediation provides real-time compliance around the clock and prevents security and controls violations before they occur. Once deployed, business managers can analyze real-time data, find hidden issues and help ensure the effectiveness of access and authorization controls across the enterprise.

The scope of the process includes the following key areas:

• Identification of critical access and segregation of duties
• Real-time risk assessment
• Simulation and remediation
• Documentation of mitigation controls
• Summary and drill-down reports
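To make the rule-set concepts from the Segregation of Duties and Risk Analysis sections concrete (functions built from transactions and the authorization objects behind them, risks as conflicting function pairs, object-level rules that avoid false positives, and documented mitigation controls), here is an added Python example. It is not code from the white paper or from Compliance Calibrator; the transaction/authorization-object pairings, user names and the control id are constructed sample data.

```python
"""Toy SoD risk analysis along the lines the text describes for Compliance
Calibrator: functions built from transactions (and the authorization objects
behind them), risks as conflicting function pairs, and mitigation controls per
user and risk. All data is constructed; the tcode/object pairings are simplified."""
from dataclasses import dataclass

# Function -> {transaction code: (authorization object, activity) that must also
# be granted for the tcode to be effective}. Activity 01 = create, 02 = change,
# 03 = display.
FUNCTIONS = {
    "VENDOR_MAINTENANCE": {"FK01": ("F_LFA1_APP", "01"), "FK02": ("F_LFA1_APP", "02")},
    "OUTGOING_PAYMENT": {"F110": ("F_REGU_BUK", "02"), "F-53": ("F_BKPF_BUK", "01")},
    "GOODS_RECEIPT": {"MIGO": ("M_MSEG_BWA", "01")},
    "INVOICE_ENTRY": {"MIRO": ("M_RECH_WRK", "01"), "FB60": ("F_BKPF_BUK", "01")},
}
# Risk id -> (level, function A, function B): the page's "create a vendor and pay
# him" and "process inventory and post payment" conflicts.
RISKS = {
    "P001": ("High", "VENDOR_MAINTENANCE", "OUTGOING_PAYMENT"),
    "P002": ("Medium", "GOODS_RECEIPT", "INVOICE_ENTRY"),
}

@dataclass(frozen=True)
class UserAccess:
    """Effective access of one user after role resolution."""
    user: str
    tcodes: frozenset        # transaction codes the user can start
    auths: frozenset         # (authorization object, activity) values held

def performs(access, function, object_level):
    """True if the user can execute at least one transaction of the function.
    Transaction-level rules look only at the tcode; object-level rules also
    require the authorization value that makes the tcode effective."""
    for tcode, required in FUNCTIONS[function].items():
        if tcode in access.tcodes and (not object_level or required in access.auths):
            return True
    return False

def analyze(users, mitigations, object_level=True):
    """Return (user, risk id, level, status) for each conflict; status is
    'open' or 'mitigated by <control id>' when a documented control exists."""
    findings = []
    for access in users:
        for risk_id, (level, fn_a, fn_b) in RISKS.items():
            if performs(access, fn_a, object_level) and performs(access, fn_b, object_level):
                control = mitigations.get((access.user, risk_id))
                findings.append((access.user, risk_id, level,
                                 f"mitigated by {control}" if control else "open"))
    return findings

def false_positives(users, mitigations):
    """Conflicts a transaction-level rule set reports but object-level rules clear."""
    strict = set(analyze(users, mitigations, object_level=True))
    return [f for f in analyze(users, mitigations, object_level=False) if f not in strict]

# Constructed sample users and one documented mitigation control (constructed id).
USERS = [
    UserAccess("ACLERK", frozenset({"FK01", "FK02", "F110"}),
               frozenset({("F_LFA1_APP", "01"), ("F_LFA1_APP", "02"), ("F_REGU_BUK", "02")})),
    # Holds the tcodes but only display (03) activity: a transaction-level false positive.
    UserAccess("AUDITOR", frozenset({"FK01", "F110"}),
               frozenset({("F_LFA1_APP", "03"), ("F_REGU_BUK", "03")})),
    UserAccess("WHCLERK", frozenset({"MIGO", "MIRO"}),
               frozenset({("M_MSEG_BWA", "01"), ("M_RECH_WRK", "01")})),
]
MITIGATIONS = {("WHCLERK", "P002"): "MC-0001"}

if __name__ == "__main__":
    for finding in analyze(USERS, MITIGATIONS):
        print(*finding)
    print("transaction-level false positives:", false_positives(USERS, MITIGATIONS))
```

Running it reports ACLERK's P001 as open, WHCLERK's P002 as mitigated, and AUDITOR only under transaction-level rules, which is the false-positive case Annexure 4 says object-level rule building removes.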
Super User Privilege Management

Superuser Privilege Management is done using Firefighter.

Superuser Privilege Management is a solution used for emergency situations, extensive and/or special access, and when there is no time to obtain logins and passwords. Features provided by it:

• Provides super user access control
• Compliant controls for emergency access
  – Users are assigned to specific firefighting IDs with defined authorizations and validity dates
  – A separate login is required, as well as documentation of the reason for use
  – A firefighter ID can only be used by one user at a time
• Auditable reporting
  – Logs actions without turning on SAP logging

Compliant User Provisioning

Compliant User Provisioning will be done by Access Enforcer.

Access Enforcer enables fully compliant user provisioning throughout the employee life cycle and prevents new SoD violations. Businesses can automate provisioning, test for SoD issues, streamline approvals, and reduce the workload for IT staff. The solution performs the following activities:

• Automate provisioning workflow
• Provide compliant user provisioning across the enterprise
• Identify SoD issues in real time
• Streamline approvals

Enterprise Role Management

Introduction to Role Expert

Role Expert is a role creation and management tool. This SAP GRC Access Control tool is web-enabled and can ease the overhead of creating and managing roles in an organization. Apart from creation and management of roles, it also takes care of the risks associated with different roles, Segregation of Duties, generation of the types of reports useful for management and auditors, and the mitigation of risks.

Purpose of Role Expert

Role Expert implementation serves the following purposes in an organization:

• It helps implement best practices for good role naming conventions.
• It automates the creation and maintenance of roles.
• It implements best practices for approval workflow automation for roles in the organization.
• It automates the generation of reports of various types to serve management and auditors.
• It performs automatic risk analysis at all levels, and mitigation of risks, before approving or creating the requested role.
• It provides transparency, tracking and monitoring of the creation and implementation of roles.
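The firefighter controls listed in the Super User Privilege Management section (assignment to a firefighter ID with validity dates, a mandatory reason at login, one user at a time, and a separate action log for the controller) modelled as an added Python example. This is not Firefighter's code; the ID name, users, transaction and dates are constructed.

```python
"""Toy model of the Firefighter controls the text lists: named users are
assigned to a firefighter ID with a validity window, must give a reason at
login, only one user may hold the ID at a time, and every action goes to a
separate log for the controller. Constructed example, not product code."""
from dataclasses import dataclass
from datetime import date, datetime

@dataclass
class FirefighterId:
    ff_id: str
    owner: str                         # approves who may be assigned
    controller: str                    # reviews the usage log
    valid_from: date
    valid_to: date
    assigned_users: set
    in_use_by: "str | None" = None     # enforces one user at a time

class FirefighterService:
    def __init__(self, ids):
        self.ids = {f.ff_id: f for f in ids}
        self.log = []  # kept here, independent of the target system's own logging

    def _record(self, when, ff_id, user, event, detail=""):
        self.log.append((when.isoformat(timespec="minutes"), ff_id, user, event, detail))

    def checkout(self, ff_id, user, reason, when):
        """Hand the firefighter ID to user, or return why the request is refused."""
        ff = self.ids.get(ff_id)
        if ff is None:
            return "unknown firefighter ID"
        if user not in ff.assigned_users:
            return "user not assigned to this firefighter ID"
        if not (ff.valid_from <= when.date() <= ff.valid_to):
            return "outside validity period"
        if not reason.strip():
            return "reason for use is mandatory"
        if ff.in_use_by is not None:
            return f"already in use by {ff.in_use_by}"
        ff.in_use_by = user
        self._record(when, ff_id, user, "CHECKOUT", reason)
        return "granted"

    def execute(self, ff_id, user, tcode, when):
        # Log a transaction run under the ID; refused unless this user holds it.
        if self.ids[ff_id].in_use_by != user:
            return False
        self._record(when, ff_id, user, "TCODE", tcode)
        return True

    def checkin(self, ff_id, user, when):
        """Release the ID so the next assigned user can take it."""
        if self.ids[ff_id].in_use_by != user:
            return False
        self.ids[ff_id].in_use_by = None
        self._record(when, ff_id, user, "CHECKIN")
        return True

    def controller_report(self, controller):
        """Every logged action on the IDs this controller is responsible for."""
        mine = {f.ff_id for f in self.ids.values() if f.controller == controller}
        return [entry for entry in self.log if entry[1] in mine]

def demo():
    """Constructed scenario: one ID valid for a week, two assigned users."""
    svc = FirefighterService([FirefighterId("FF_FI_01", "FI_OWNER", "FI_CONTROLLER",
                                            date(2008, 1, 14), date(2008, 1, 20), {"ALICE", "BOB"})])
    t = datetime(2008, 1, 15, 9, 0)
    results = [svc.checkout("FF_FI_01", "ALICE", "Month-end payment run blocked", t),
               svc.checkout("FF_FI_01", "BOB", "Also urgent", t),    # refused: in use
               svc.checkout("FF_FI_01", "CAROL", "Curious", t),      # refused: not assigned
               svc.checkout("FF_FI_01", "ALICE", "", t)]             # refused: no reason
    svc.execute("FF_FI_01", "ALICE", "F110", t)
    svc.checkin("FF_FI_01", "ALICE", t)
    results.append(svc.checkout("FF_FI_01", "BOB", "Urgent", datetime(2008, 1, 25, 9, 0)))
    return results, svc  # last checkout refused: outside validity period
```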
ANNEXURE 1: Various Aspects

Steps, activities involved, persons involved and duration (days):

Implementation Readiness (17 days)
Persons involved: Basis/Security Consultant; GRC AC Tool Consultant
• Hardware/software requirement analysis
• Software installation
• NetWeaver environment validation

Deploy & Install GRC Access Control Tool Suite (15 days)
Persons involved: GRC AC Tool Consultant
• Software installation as well as certain one-time initial configuration activities

Risk Analysis and Remediation (26 days)
Persons involved: GRC AC Tool Consultant; GRC Business Process Analyst; SOX Domain Consultant
• Identification of critical access and segregation of duties
• Real-time risk assessment
• Simulation and remediation
• Documentation of mitigation controls
• Summary and drill-down reports

Super User Privilege Management (4 days)
Persons involved: GRC AC Tool Consultant; GRC Business Process Analyst
The application tracks, monitors, and logs every activity a super user performs with a privileged user ID.
• Creation of Firefighter IDs
• Assignment of Firefighter roles to applicable user IDs
• Mapping Firefighter IDs to Owner, Firefighter, and Controller

Compliant User Provisioning (20 days)
Persons involved: GRC AC Tool Consultant; GRC Business Process Analyst
• Learn about Access Enforcer workflows and their components
• Define process stages and approvals
• Create test initiators, stages, and paths
• Define test users and request types
• Test initial workflows
• Define escalations and detours
• Complete workflow configuration

Enterprise Role Management (15 days)
Persons involved: GRC AC Tool Consultant; GRC Business Process Analyst
• Creation of role attributes required for any role
• Creation of role generation methodology
• Creation of naming conventions for roles
• Creation of roles in Role Expert
• Reports in Role Expert
ANNEXURE 2: Roles and Responsibilities

Role (number of persons, group) and responsibilities:

Basis/Security Consultant (1, HCL GRC)
• Hardware/software requirement analysis
• Software installation
• NetWeaver environment validation

GRC AC Tool Consultant (2, HCL GRC)
• Master data creation
• Configuration of all 4 tools
• Integration of all 4 tools
• Risk recognition, remediation, mitigation
• Rule building and maintenance
• Configuration of workflows
• Configuration of role attributes
• Configuration of role generation methodology
• Configuration of naming conventions
• Report generation

SOX Domain Consultant (1, HCL GRC)
• Risk identification
• Creation of mitigation controls
• Approve or reject already created risks and mitigation controls
• Scenario analysis and identification of format and content of reports

GRC Business Process Analyst (1, HCL GRC)
• Risk analysis and validation
• Designing alternative controls to mitigate SoD issues
• Designing workflows for user and role provisioning
• Identification of role attributes
• Identification of role generation methodology
• Identification of naming conventions
• Identification of risk and role owners and approvers

Client Technical Team (number to be decided, Client)
• Hardware/software requirement analysis
• Software installation
• NetWeaver environment validation

Client Business Team (number to be decided, Client)
• Identifying risks and/or approving controls for monitoring risks
• Approving remediation to address user access issues
• Approve or reject risks between business areas and approve mitigating controls for risks

Client Project Manager/Coordinator (number to be decided, Client)
• Managing the implementation project

Client Audit / Internal Control Team (number to be decided, Client)
• Perform risk assessments on a regular basis to identify new risks, perform periodic testing of rules and mitigating controls; act as a liaison with external auditors
ANNEXURE 3: Time Lines

Implementation activity and duration (days):

• Formation of project team*: 2
• Software installation and validation*: 5
• Requirement validation / system and user landscape study / master data creation*: 10
• Implementation Readiness: 17
• Compliance Calibrator configuration and implementation: 26
• Firefighter configuration and implementation: 4
• Role Expert configuration and implementation: 15
• Access Enforcer configuration and implementation: 20
• Roll-out / deployment / go-live: 10

Note: * These activities are performed simultaneously. The total implementation time is 56 calendar days.
ANNEXURE 4: Challenges

Challenge: Real-time alert generation and notification through mail
Solution: Alert generation and its notification through e-mail was configured not only for mitigating controls but also for risk execution and critical transaction execution.

Challenge: Setting up organizational rules and running risk analysis based on these rules
Solution: Compliance Calibrator provides a supplemental table to address organizational restrictions without having to change and maintain the entire rules database. These restrictions were configured as organizational rules.

Challenge: Integrating workflows in Compliance Calibrator for various processes
Solution: Various processes of Compliance Calibrator can be automated and structured through workflows which are created and executed through Access Enforcer. The path for connecting Compliance Calibrator to the workflows is entered in the Workflow service URL.

Challenge: Efficient handling of false positives
Solution: Rule building is done at the authorization object level to prevent false positives of SoD violations.

Challenge: Designing user-provisioning workflows and proper initiators to trigger them
Solution: User provisioning workflows are created and configured through Access Enforcer.

Challenge: Cross-application implementation
Solution: The system includes rules at both the transaction and object level that address the SAP applications for APO, Basis, CRM, EBP, SRM, FI/CO, HR / Payroll, Procure to Pay, MM/QM, Order to Cash, and Portals.

Challenge: Cross-system implementation
Solution: The Virsa Compliance Calibrator "out-of-the-box" rule set includes transaction objects and value combinations analyzing some 120,000 possible combinations of potential risk for access rights. These cover SAP: 20,000, Oracle: 20,000, PeopleSoft: 3,800, JDE: 151.

Challenge: Cross-geo implementation
Solution: A centralized monitoring system is provided by connecting the various systems across geographies.
ANNEXURE 5: SAP GRC Business Benefits

SAP helps organizations build an integrated GRC approach step by step. SAP solutions for governance, risk, and compliance help you leverage your SAP and non-SAP IT investments, and deliver the following business benefits:

Increased shareholder value – Good corporate governance is reflected in many intangibles, including brand and reputation – and it translates directly into share price premiums.

Optimized risk/return portfolios – Greater transparency and insight enable your decision makers to select or reject projects based on risk impact and probability relative to potential return.

Reduced GRC costs – Integrated corporate governance significantly reduces the number of people – and the time – required to ensure and manage compliance and risk management.

Improved business performance and predictability – SAP solutions for governance, risk, and compliance deliver enterprise-wide transparency, a systematic process for anticipating risks, and the tools to proactively determine proper actions.

Business sustainability – Using solutions delivered through automation, analytics, and alerts, businesses can more effectively mitigate risks stemming from a myriad of legislation.

Assumptions for the Duration/Days in the Annexures:

1. The minimum NetWeaver support pack is already installed and validated on the identified systems.
2. All database and memory requirements for installation of the Access Control Tools are met.
3. Hardware and memory sizing has already been performed.
4. The organization already possesses the licenses for all required Access Control Tools.
5. Person effort and time would reduce in subsequent implementations in different geographies.
6. The company would subsequently address compliance management issues across different locations.