3897 presentation

Post on 08-Jul-2016


Overview of Automated Monitoring Scenarios Using SAP Process Control 10.x

Tracy Levine & Brian Merkel

3897

KEY LEARNING POINTS

The session will provide an overview of the basic concepts around Continuous Monitoring:

• Exception-based monitoring of policies, business rules and built-in application controls

• Inner-workings of Continuous Monitoring

• Remediation and Issue Management

• Reporting, dashboards and analytics

• Workflow - alerts, reviews, approvals and other process automation needs

WHAT WE’LL COVER

• Overview of GRC Process Control 10.x

• What is Continuous Monitoring?

• Application of Continuous Monitoring

• Continuous Monitoring Scenarios

• Wrap-up

THE WORLD AT AN INFLECTION POINT

New risks are continuously introduced by way of:

– Expansion into new locations

– Mergers and acquisitions

– New processes

– New technologies

Process bloat, among other things, requires regular process-optimization reviews

PROCESS OPTIMIZATION

[Diagram: Business Value Drivers: Change, New Risk, Process Optimization, Balance Cost and Flexibility, Continuous Monitoring. Business Value Outcomes: Increase Risk Coverage, Minimize Business Effort]

STRIKING A BALANCE

[Diagram: Increase Business Flexibility balanced against Reduce Cost]

GRC PROCESS CONTROL 10.X

• Support decisions and promote accountability with insightful analytics and sign-off

• Perform automated, exception-based monitoring of ERP systems

• Perform periodic risk assessments to determine scope and test strategies

• Document controls and policies centrally; map to key regulations and impacted organizations

WHAT WE’LL COVER

• Overview of GRC Process Control 10.x

• What is Continuous Monitoring?

• Application of Continuous Monitoring

• Continuous Monitoring Scenarios

• Wrap-up

OVERVIEW OF CONTINUOUS MONITORING

[Diagram: Business Rules, Metrics (KPI), Trend Analysis and Exception-Based Mgmt, applied by SAP GRC Continuous Monitoring over source systems such as an SAP ECC Instance, APO and the SAP BW Platform]

Collect: Automatically gather new and updated data from multiple disparate data sources across the organisation's system landscape.

Standardize: Build a consolidated set of business rules for each business process (including key “controls”) to enable sophisticated analysis and comparison.

Analyze: Apply business rules and data analytics within and across business processes to identify compliance violations and/or processing errors.

Route & Collaborate: Route new information/exceptions to the appropriate business units. Escalate or divert outstanding exceptions.

Act & Refine: Improve compliance and business processes. Validate corrections. Learn from user actions. Improve understanding of expected and unexpected behaviour.

USING CM EFFECTIVELY

Organization

- What organization/group will own PC 10 automated monitoring?

- How are automated/configurable controls owned in the organization?

Process

- How will control failures be documented as issues and remediated?

- How will controls be scheduled for automated testing?

- How will automated business rules be designed to adequately assess the effectiveness of a control?

Personnel

- Who will maintain the automated rules library?

- Who will schedule automated rules for testing?

- Who will review exception reports and delegate the remediation?

- Who will remediate issues?

Documentation & Education

- How will the owners have the technical & accounting knowledge to design automated rules?

- How will issue owners assess the business & technical impact of a control failure?

[Diagram: the four areas above (1 Organization, 2 Process, 3 Personnel, 4 Documentation & Education) alongside Stakeholder Communications (Internal & External)]

RETURN ON INVESTMENT

[Diagram: ROI = Decreased Cost, Increased Effectiveness, Broader Visibility, Competitive Edge]

WHAT WE’LL COVER

• Overview of GRC Process Control 10.x

• What is Continuous Monitoring?

• Application of Continuous Monitoring

• Continuous Monitoring Scenarios

• Wrap-up

TEN ESSENTIAL PRACTICES

Ten Essential Practices to Analyze, Improve and Transform SAP Security and GRC Strategies

STAKEHOLDER CHALLENGES

Typical Stakeholder             Typical Challenges

CFO                             Lack of ROI quantification, other investment priorities

CIO                             Lack of clear business mandate – there is no “head of GRC” to face off to

CISO                            Competing security-specific investment

Internal Audit                  Gets the value, typically only influences the sale

IT Transformation Program       Has the funding, but often under-appreciates the enterprise value of GRC

Application Security Admin.     Well versed in the access management slice of GRC, but does not see the enterprise story

Risk and Compliance function    Gets the enterprise value of GRC, but challenged to organize the process and people side

GRC ROADMAP

[Diagram: Current State Review, Future State Planning, Transformational Roadmap]

Illustrative GRC Roadmap Development Plan

• Stakeholders, business process owner identification and project planning

• Review the current state: application architecture, data integration, risk registers/control frameworks, current access roles and implementations, application open issues analysis

• Review documents

• Conduct interviews / workshops to gather and clarify requirements and priorities

• Understand the key areas for process automation

• Incorporate feedback and reprioritize as appropriate

• Define the GRC transformation roadmap (prioritization of capabilities, technologies), the governance and support model, and the methodology for future implementations with templates (use case, detailed design, test strategy, etc.)

• Review the roadmap with the client for refinement; realign the roadmap and priorities

Deliverables: Project Plan and Identified Stakeholders; Interview Notes and Documents; Transformation Roadmap Document

WHAT WE’LL COVER

• Overview of GRC Process Control 10.x

• What is Continuous Monitoring?

• Application of Continuous Monitoring

• Continuous Monitoring Scenarios

• Wrap-up

AUTOMATED CONTROLS: MANAGE BY EXCEPTION

Monitoring is about looking at your business processes, transactions, and master data, and asserting your expectations of how it should be.

[Diagram: four configuration steps: Data Source, Business Rule, Business Rule-to-Control Mapping, Job Scheduled]

CONTINUOUS MONITORING SCENARIOS

[Diagram: Continuous Monitoring branches into Configuration Monitoring, Master Data Monitoring, Access Monitoring and Transaction Monitoring]

Example Continuous Transaction monitoring controls:

1. Detect unusual number of journal postings made to one-time vendors.

2. Identify all purchase orders made to one-time vendors and calculate their percentage with respect to the total amount of purchase orders created at the company code level.

Example Continuous Access monitoring controls:

1. Detect users with the ability to maintain vendor master data and initiate payment to vendors (Segregation of duties violations).

Example Continuous Configuration monitoring controls:

1. Detect changes to tolerance limits for invoice verification.

2. Detect changes to Duplicate Invoice settings.

Example Continuous Master Data monitoring controls:

1. Detect vendor master data with identical bank account details.

2. Detect changes to 3-way match configuration settings at the vendor master data level.

CONFIGURATION MONITORING: CHANGES TO TOLERANCE LIMITS

[Diagram: SAP GRC Process Control monitoring the SAP ERP System]

Risk: Three-way match is not configured appropriately, allowing a high level of deviations between PO/GR/Invoices.

Continuous monitoring of changes made to tolerance limit settings for invoice verification.

Control Objective: Changes to tolerance limits for invoice verification are investigated and reviewed for appropriateness.

Changes to tolerance limits for invoice verification are continuously monitored, and deviations from established policies and procedures will be flagged as exceptions.

Business Rule: Detect changes to tolerance limits for invoice verification. Report on vendors which have similar bank details captured in the company code view of master data.

Information in SAP: Duplicate Invoice Settings (i.e. Tolerance Key, % Tolerance Limit, Value Tolerance Limit, Company Code, Change By/On)

Business Benefits: Automated tracking of changes to tolerance limits for invoice verification, resulting in enhanced assurance that the 3-way match control is operating effectively during purchasing activities.

Produces exception reports out of GRC based on ERP information.

CONFIGURATION MONITORING – SAMPLE OUTPUT

• Details such as the date and time on which the change was made, and the user who made the change, are populated to assist in investigation

• Severity of deficiency is based on logic in the business rules

• Change type (Insert, Update or Delete) and change details are identified as part of automated reporting of exceptions
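As an added example (not code from the presentation, and not SAP Process Control's own rule engine), the following Python shows how a configuration-monitoring rule of this shape can be evaluated over change-log records: each entry carries the change indicator, the old and new limit, and the changed-by/on audit fields; the rule classifies the change type as Insert, Update or Delete and rates a severity. The record field names, the tolerance keys in the constructed sample log, the reporting window and the deficiency logic are all assumptions made for the example.

```python
"""Configuration-monitoring rule over invoice-verification tolerance limit
change-log entries (example code; field names and severity logic assumed)."""
from dataclasses import dataclass
from typing import List, Optional

# Change indicator as recorded in the change log -> change type in the report.
CHANGE_TYPES = {"I": "Insert", "U": "Update", "D": "Delete"}


@dataclass(frozen=True)
class ChangeLogEntry:
    company_code: str
    tolerance_key: str              # e.g. "PP" (constructed sample values)
    field: str                      # "pct_limit" or "value_limit"
    old_value: Optional[float]      # None for an Insert
    new_value: Optional[float]      # None for a Delete
    change_indicator: str           # "I", "U" or "D"
    changed_by: str
    changed_on: str                 # "YYYY-MM-DD"


@dataclass(frozen=True)
class ConfigException:
    company_code: str
    tolerance_key: str
    change_type: str
    severity: str
    detail: str
    changed_by: str
    changed_on: str


def rate_severity(entry: ChangeLogEntry) -> str:
    """Assumed deficiency logic: deleting a limit or raising it loosens the
    three-way match (High); a brand-new limit needs review (Medium);
    tightening an existing limit is Low."""
    if entry.change_indicator == "D":
        return "High"
    if entry.change_indicator == "I":
        return "Medium"
    if (entry.old_value is not None and entry.new_value is not None
            and entry.new_value > entry.old_value):
        return "High"
    return "Low"


def describe(entry: ChangeLogEntry) -> str:
    """Human-readable change detail, e.g. 'pct_limit: 5 -> 25'."""
    old = "-" if entry.old_value is None else f"{entry.old_value:g}"
    new = "-" if entry.new_value is None else f"{entry.new_value:g}"
    return f"{entry.field}: {old} -> {new}"


def detect_tolerance_changes(log: List[ChangeLogEntry], since: str) -> List[ConfigException]:
    """Business rule: every tolerance-limit change on or after `since` is an
    exception, reported with change type, severity and who/when."""
    hits = []
    ordered = sorted(log, key=lambda e: (e.changed_on, e.company_code, e.tolerance_key))
    for e in ordered:
        if e.changed_on < since or e.change_indicator not in CHANGE_TYPES:
            continue
        hits.append(ConfigException(e.company_code, e.tolerance_key,
                                    CHANGE_TYPES[e.change_indicator], rate_severity(e),
                                    describe(e), e.changed_by, e.changed_on))
    return hits


# Constructed sample change log (not real data).
SAMPLE_LOG = [
    ChangeLogEntry("1000", "PP", "pct_limit", 5.0, 25.0, "U", "JDOE", "2016-06-02"),
    ChangeLogEntry("1000", "PP", "value_limit", 100.0, 50.0, "U", "JDOE", "2016-06-02"),
    ChangeLogEntry("2000", "DQ", "value_limit", None, 500.0, "I", "ASMITH", "2016-06-10"),
    ChangeLogEntry("2000", "BD", "pct_limit", 10.0, None, "D", "ASMITH", "2016-06-15"),
    ChangeLogEntry("1000", "PP", "pct_limit", 4.0, 5.0, "U", "JDOE", "2016-01-20"),  # outside window
]

if __name__ == "__main__":
    for x in detect_tolerance_changes(SAMPLE_LOG, since="2016-06-01"):
        print(f"{x.severity:6} {x.change_type:6} {x.company_code}/{x.tolerance_key} "
              f"{x.detail} by {x.changed_by} on {x.changed_on}")
```

The window filter stands in for the job schedule: a scheduled run passes the timestamp of the previous run as `since`, so each run reports only changes made since the last one.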

MASTER DATA MONITORING: DUPLICATE BANK DETAILS

[Diagram: SAP GRC Process Control monitoring the SAP ERP System]

Risk: Erroneous and/or fraudulent purchasing transactions made to vendors.

Continuous monitoring of duplicate bank account details in vendor master data.

Control Objective: Duplicate vendor bank details are investigated and reviewed for appropriateness.

Instances of multiple vendors with duplicate bank details are continuously monitored, and deviations from established policies and procedures will be flagged as exceptions.

Business Rule: Detect instances of multiple vendors with the same bank details. Report on vendors which have similar bank details captured in the company code view of master data.

Information in SAP: Duplicate Vendor Bank Details (i.e. bank acct. #, bank country key, bank control key, vendor number, vendor name and details).

Business Benefits: Automated tracking of duplicate vendor bank details, resulting in benefits for the master data teams, shared service centres, etc., and in enhanced quality of master data within the ERP systems.

Produces exception reports out of GRC based on ERP information.

MASTER DATA MONITORING – SAMPLE OUTPUT

• Three instances identified where multiple vendors have the same bank details

• Severity of deficiency updated based on logic defined in the business rule

• Duplicate bank info (bank account number, country key and bank key)

• Displays the number of vendors detected with identical bank info

TRANSACTION MONITORING: VENDOR PAYMENTS

[Diagram: SAP GRC Process Control monitoring the SAP ERP System]

Risk: Fictitious or inappropriate payments are made, resulting in financial loss.

Continuous monitoring of the number of payments made to one-time vendors.

Control Objective: Multiple payments to one-time vendors are investigated and reviewed for appropriateness.

Instances of multiple payments to one-time vendors over a certain amount will be continuously monitored, and deviations from established policies and procedures will be flagged as exceptions.

Business Rule: Detect instances of multiple payments to one-time vendors. Report on vendors which have similar bank details captured in the company code view of master data.

Information in SAP: Payment Settings (i.e. one-time vendor indicator, number of payments, monetary amount of payments, create/change by date and person).

Business Benefits: Automated tracking of an unusual/high volume of payments made to one-time vendors, resulting in enhanced management of vendors' contractual agreements.

Produces exception reports out of GRC based on ERP information.

TRANSACTION MONITORING – SAMPLE OUTPUT

• Severity of deficiency updated based on the logic defined in the business rules

• Eight postings made to this one-time vendor

• Details such as account number, posting key and accounting document number will assist with investigation
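The master data scenario (duplicate vendor bank details) and the transaction scenario (multiple payments to one-time vendors) are both exception-based rules over grouped ERP records, so one added example covers both. This is example code, not the presentation's or SAP Process Control's: the extract field names, the severity thresholds, and the constructed vendor and payment records are assumptions. Note the edge case in the first rule: the same vendor number carrying the same bank details in two company codes is not a duplicate, so the rule counts distinct vendor numbers per bank key.

```python
"""Two exception-based monitoring rules over constructed ERP extracts
(example code; field set, thresholds and severity logic assumed)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class VendorBank:
    """Company-code view of vendor master bank details."""
    company_code: str
    vendor: str
    vendor_name: str
    bank_country: str   # bank country key
    bank_key: str
    bank_account: str


@dataclass(frozen=True)
class Payment:
    """One vendor payment posting."""
    company_code: str
    vendor: str
    one_time_vendor: bool
    amount: float
    doc_number: str     # accounting document number
    posted_on: str      # "YYYY-MM-DD"


@dataclass(frozen=True)
class MonitoringException:
    rule: str
    subject: str        # the shared bank key, or the one-time vendor account
    count: int
    severity: str
    detail: str


def severity_by_count(n: int, medium_at: int, high_at: int) -> str:
    """Assumed deficiency logic: severity grows with the number of hits."""
    if n >= high_at:
        return "High"
    if n >= medium_at:
        return "Medium"
    return "Low"


def duplicate_bank_details(master: List[VendorBank]) -> List[MonitoringException]:
    """Group by (country key, bank key, account number); a group is an
    exception when it spans more than one distinct vendor number."""
    groups: Dict[Tuple[str, str, str], List[VendorBank]] = defaultdict(list)
    for row in master:
        groups[(row.bank_country, row.bank_key, row.bank_account)].append(row)
    hits = []
    for key, rows in sorted(groups.items()):
        names = {r.vendor: r.vendor_name for r in rows}   # distinct vendors only
        vendors = sorted(names)
        if len(vendors) < 2:
            continue
        hits.append(MonitoringException(
            rule="Duplicate vendor bank details", subject="/".join(key),
            count=len(vendors), severity=severity_by_count(len(vendors), 2, 3),
            detail=", ".join(f"{v} ({names[v]})" for v in vendors)))
    return hits


def multiple_one_time_payments(payments: List[Payment], min_postings: int,
                               min_total: float) -> List[MonitoringException]:
    """Flag one-time vendor accounts with at least `min_postings` payments
    adding up to at least `min_total` (both thresholds assumed)."""
    per_vendor: Dict[str, List[Payment]] = defaultdict(list)
    for p in payments:
        if p.one_time_vendor:
            per_vendor[p.vendor].append(p)
    hits = []
    for vendor, docs in sorted(per_vendor.items()):
        total = sum(p.amount for p in docs)
        if len(docs) < min_postings or total < min_total:
            continue
        hits.append(MonitoringException(
            rule="Multiple payments to one-time vendor", subject=vendor,
            count=len(docs), severity=severity_by_count(len(docs), min_postings, 2 * min_postings),
            detail=f"total {total:.2f}; documents " + ", ".join(p.doc_number for p in docs)))
    return hits


# Constructed sample data (not real vendors, banks or documents).
SAMPLE_MASTER = [
    VendorBank("1000", "V1", "Acme Ltd", "DE", "10020030", "1234567"),
    VendorBank("2000", "V1", "Acme Ltd", "DE", "10020030", "1234567"),   # same vendor, 2nd company code
    VendorBank("1000", "V2", "Acme Supplies", "DE", "10020030", "1234567"),
    VendorBank("1000", "V3", "J. Doe Consulting", "DE", "10020030", "1234567"),
    VendorBank("1000", "V4", "Northwind", "US", "021000021", "987654"),
    VendorBank("1000", "V5", "Northwind Services", "US", "021000021", "987654"),
    VendorBank("1000", "V6", "Unique Co", "GB", "400515", "55551111"),
]
SAMPLE_PAYMENTS = [
    Payment("1000", "CPD1", True, 400.0, "1500000001", "2016-06-01"),
    Payment("1000", "CPD1", True, 350.0, "1500000002", "2016-06-03"),
    Payment("1000", "CPD1", True, 600.0, "1500000003", "2016-06-07"),
    Payment("1000", "CPD1", True, 275.0, "1500000004", "2016-06-09"),
    Payment("1000", "CPD2", True, 900.0, "1500000005", "2016-06-02"),
    Payment("1000", "CPD2", True, 800.0, "1500000006", "2016-06-04"),
    Payment("1000", "V1", False, 5000.0, "1500000007", "2016-06-05"),   # regular vendor, ignored
]

if __name__ == "__main__":
    for x in duplicate_bank_details(SAMPLE_MASTER) + multiple_one_time_payments(SAMPLE_PAYMENTS, 3, 1000.0):
        print(f"{x.severity:6} {x.rule}: {x.subject} ({x.count}) {x.detail}")
```

Each exception carries the count the sample-output slides show (number of vendors sharing the bank details, number of postings to the one-time vendor) and the detail an issue owner needs to start investigating, which is what the issue-management workflow routes to the control owner.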

ACCESS MONITORING: SEGREGATION OF DUTIES

[Diagram: SAP GRC Process Control monitoring the SAP ERP System]

Risk: Ability to create fictitious vendors and initiate unauthorised payments.

Continuous monitoring of users with segregation of duties violations in purchasing processes.

Control Objective: Incompatible purchasing activities should not be assigned to the same user within the ERP system.

Users with the ability to maintain vendor master data and initiate payment to vendors will be continuously monitored, and deviations from established policies and procedures will be flagged as exceptions.

Business Rule: Detect users with the ability to maintain vendor master data and initiate payment to vendors. Report on segregation of duties violations.

Business Benefits: Automated tracking of unmitigated users, resulting in timely detection and mitigation of segregation of duties violations in the ERP system.

Produces exception reports out of GRC based on ERP information.

ACCESS MONITORING – SAMPLE OUTPUT

• Ability to generate multiple Access Risk reports that have been generated in SAP GRC Access Control during the risk analysis

• Risk analysis results with detailed information about user ID, Risk ID and transaction codes

• Ability to assign mitigating controls
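As an added example (not the presentation's code, and not how SAP GRC Access Control implements its rule set), here is the shape of the segregation-of-duties check behind this scenario in Python: resolve each user's transaction codes through their roles, flag users holding at least one code on each side of a conflicting function pair, and report user ID, Risk ID and transaction codes, with a mitigating-control assignment suppressing the violation from the unmitigated-user exception report. The role names, user IDs, risk ID and mitigating control ID are constructed; the transaction codes are standard SAP codes chosen for illustration, and a real rule set would cover far more than one pair.

```python
"""Access-monitoring rule: segregation-of-duties analysis over role
assignments (example code; role, user, risk and control IDs are constructed)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class SodRisk:
    risk_id: str
    description: str
    function_a: FrozenSet[str]   # transaction codes that grant function A
    function_b: FrozenSet[str]   # transaction codes that grant function B


@dataclass(frozen=True)
class SodViolation:
    user_id: str
    risk_id: str
    tcodes_a: Tuple[str, ...]    # the user's codes on side A of the conflict
    tcodes_b: Tuple[str, ...]    # the user's codes on side B
    mitigating_control: str      # "" when no control is assigned

    @property
    def mitigated(self) -> bool:
        return bool(self.mitigating_control)


def user_tcodes(roles_of_user: Dict[str, List[str]],
                role_tcodes: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Resolve each user's effective transaction codes through their roles."""
    return {user: set().union(*(role_tcodes.get(r, set()) for r in roles))
            for user, roles in roles_of_user.items()}


def analyze_sod(roles_of_user: Dict[str, List[str]], role_tcodes: Dict[str, Set[str]],
                risks: List[SodRisk],
                mitigations: Dict[Tuple[str, str], str]) -> List[SodViolation]:
    """A user violates a risk when they hold at least one tcode from each of
    its conflicting functions. Mitigations are keyed by (user, risk_id)."""
    violations = []
    for user, tcodes in sorted(user_tcodes(roles_of_user, role_tcodes).items()):
        for risk in risks:
            a = tuple(sorted(tcodes & risk.function_a))
            b = tuple(sorted(tcodes & risk.function_b))
            if a and b:
                violations.append(SodViolation(user, risk.risk_id, a, b,
                                               mitigations.get((user, risk.risk_id), "")))
    return violations


def unmitigated(violations: List[SodViolation]) -> List[SodViolation]:
    """Exception report: violations with no mitigating control assigned."""
    return [v for v in violations if not v.mitigated]


# Constructed sample: roles, users and the risk definition are assumed.
ROLE_TCODES = {
    "Z_VENDOR_MAINT": {"XK01", "XK02", "FK02"},   # create/change vendor master
    "Z_AP_PAYMENTS": {"F110", "F-53"},            # payment run / post outgoing payment
    "Z_AP_DISPLAY": {"FK03", "FBL1N"},            # display only, no conflict
}
ROLES_OF_USER = {
    "ALICE": ["Z_VENDOR_MAINT", "Z_AP_PAYMENTS"],
    "BOB": ["Z_AP_PAYMENTS", "Z_AP_DISPLAY"],
    "CAROL": ["Z_VENDOR_MAINT", "Z_AP_PAYMENTS"],
}
RISKS = [SodRisk("P001", "Maintain vendor master data and initiate vendor payments",
                 frozenset({"XK01", "XK02", "FK01", "FK02"}),
                 frozenset({"F110", "F-53", "F-58"}))]
MITIGATIONS = {("CAROL", "P001"): "MC-AP-001"}   # control assigned to CAROL for P001

if __name__ == "__main__":
    for v in analyze_sod(ROLES_OF_USER, ROLE_TCODES, RISKS, MITIGATIONS):
        status = f"mitigated by {v.mitigating_control}" if v.mitigated else "UNMITIGATED"
        print(f"{v.user_id} {v.risk_id} {v.tcodes_a} x {v.tcodes_b}: {status}")
```

Keeping the full violation list separate from the unmitigated subset matters for the audit trail: the mitigated violation is still a violation and should still appear in the risk analysis results, while only the unmitigated ones are routed as exceptions for remediation.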

ISSUE TRACKING AND REMEDIATION

• Identify issues quickly using automated or manual controls

• Report ad hoc issues across GRC with handling by Issue Administrator

• Track Issues through to timely closure with full audit trail and reporting

• Continually improve processes with optional CAPA routing

WHAT WE’LL COVER

• Overview of GRC Process Control 10.x

• What is Continuous Monitoring?

• Application of Continuous Monitoring

• Continuous Monitoring Scenarios

• Wrap-up

MANAGING SAP SECURITY & GRC IS A CHALLENGE

SAP Security Programs are faced with:

• Complex and rapidly evolving SAP landscape

• In-demand and expensive resources

• Pressure to reduce cost

SAP Security Programs must:

• Manage risk

• Meet compliance and regulatory requirements

• Safeguard critical data

• Be responsive to the business

Key Points to Take Home

• Key business benefits to implementing Continuous Monitoring

• Four key configuration steps to setting up automated business rule:

• Data Source

• Business Rule

• Assignment of Business Rule

• Schedule Job

• Understanding of various compliance monitoring scenarios

• Best practices for establishing a commitment to GRC programs and Implementing PC (CM)

CONCLUSION

How To Contact Us:

Tracy Levine: Email tmlevine@us.ibm.com, Twitter @TracyLevine, Website Tracy-Levine.com

Brian Merkel: Email bmerkel@us.ibm.com

CONTACT US

• www.tracy-levine.com

• “Continuous Monitoring: Match Your Business Needs with the Right Techniques,” Levitt and Risinger; https://www.isaca.org/chapters7/Orange-County/Events/Documents/Event%20Presentations/2012-2013/2012-09-11%20-%20SAP%20Continuous%20Monitoring.pdf

• http://rahulurs.com/sap/process-controls/

• http://help.sap.com

• Follow Financial Management SAP Process Control 10.1

• “SAP Business Objects Process Control 10.0 Automated Monitoring Overview,” Sudhalkar; http://a248.g.akamai.net/n/248/420835/18c4944d9b5c0a1c75600f0c42b2f693241ac4d02abf7f9e618a717905fbe3bd/sapasset.download.akamai.com/420835/sapcom/docs/2011/12/f0d0e87e-557c-0010-82c7-eda71af511fa.pdf

MORE INFORMATION

FOLLOW US

Thank you for your time

Follow us at @ASUG365
