Sap GRC Overview PDF
www.oJAYo.com 1
What is SAP?
Introduction
SAP Company
Started in 1972
More than 70% of Fortune 100 companies
Largest business software company by revenue
More than a quarter million customers
More than 100 countries
More than 55,000 employees in 130+ countries
A 40-year innovation history
What is SAP
A German multinational company
Offers ERP and other enterprise IT solutions
SAP = Systems, Applications and Products in Data Processing
Leader in enterprise resource planning
More than 50% of ERP market share
Popular products = ECC (Enterprise Core Component), BI (Business Intelligence), HANA (High-performance Analytical Appliance)
ERP definition
ERP = Enterprise resource planning
ERP = any enterprise software that fulfills more than two functions in a company.
Enables many of the key critical IT functions of a company.
Key processes in any given company can be segregated into 10 main areas:
Customer Strategy & Relationships (Marketing)
Employee Development & Satisfaction
Quality, Process Improvement & Change Management
Financial Analysis, Reporting & Capital Management
Management Responsibility
Customer Acquisition (Sales)
Product Development
Product/Service Delivery
Accounting Management
Technology Management
Sub processes
SAP Advantages
Minimal integration
Support for multi-language, multi-currency
Central updates
Real-time information
Reduces redundant errors
State-of-the-art features
Higher efficiency and speed of operation
Customization is minimal
Use of best industry practices
SAP disadvantages
Single-vendor reliance, and so slightly higher prices
High switching costs
High implementation costs
Slow ROI (return on investment)
SAP modules
ECC 6.0: Finance (AP, AR, GL), Controlling, Consolidation; Purchasing, Material management, Inventory; Master data management
BI/BW: Business intelligence regarding sales, operations, fulfillment, inventory. How do you keep current with
Portal: Knowledge management system
GTS: Global trading system
HANA
SAP Security is complex: thousands of users, hundreds of roles, thousands of transactions and authorization objects.
Diagram: Users - SAP Role - T-code - Objects
What is GRC?
GRC stands for Governance, Risk and Compliance. SAP offers a suite of products under the GRC umbrella which help the organization identify risks and effectively eliminate or mitigate them.
SAP GRC product versions
Function                         GRC 4.0 (Virsa)             GRC 5.1                               GRC 10.0
Emergency privilege management   FF: Firefighter             SPM: Superuser Privilege Management   Emergency Access Management
Risk analysis                    CC: Compliance Calibrator   RAR: Risk Analysis and Remediation    Access Risk Analysis
SAP GRC Firefighter/SPM
Addresses the greatest audit concern: assignment of SAP_ALL.
Firefighter is a tool by which superuser access is granted to a user for troubleshooting an issue for a temporary period.
All actions and activities of the user are logged.
At the end of the session, the activity log is reviewed by the controller of the risk.
Risk Analysis & Remediation
RAR is a tool to identify the risk associated with a role or a user.
A simple example of risk is a user having access to the following process combinations:
Create vendor & make payments
Create purchase orders and create a vendor
Assign roles/profiles to self
Access to modify programs in the production system
Access to execute reports
SAP GRC Access Enforcer
This is the third product in the GRC suite. It enables automatic role assignments, user creation and user modification with an inbuilt approval workflow.
Various entities participate in the workflow, such as the user, the requestor, the security administrator, the user's manager and the role approver.
There is an approval trail and an assignment proof.
This reduces the risk of fraudulent user assignments, as more than one set of eyes is involved in managing users.
GRC Role Expert
Role Expert is used to manage the SAP role lifecycle.
Role administration involves a lot of administrative checks and lacks transparency for managers.
Role Expert is one of the most efficient ways available to manage the entire role build/modify lifecycle with complete transparency, inbuilt SOX checks, and the least administration overhead.
What is Risk?
Risk to an organization is defined as any activity that poses a threat to the organization's ability to function day to day.
To elaborate, a financial fraud in a company is a threat. Unavailability of a system for any reason is a threat.
What is SOX?
SOX or SARBOX stands for Sarbanes-Oxley, a United States federal securities law sponsored by two government officials:
U.S. Senator Paul Sarbanes
U.S. Representative Michael G. Oxley
The law was implemented after a series of large-scale accounting scandals that hit Enron, WorldCom, Tyco and Peregrine Systems.
The scandals eroded the public's confidence and companies' stock prices, and the public in general lost a lot of invested funds.
Sarbanes & Oxley
SOX Law highlights
The law holds a company's top management (CEO/CFO) accountable for the accounting statements of the company.
1.) A new government organization came into existence, called the Public Company Accounting Oversight Board (PCAOB). PCAOB oversees the accounting practices of public accounting audit firms.
2.) External auditor independence, auditor partner rotation, auditor approval and selection process, auditor reporting requirements.
3.) The CEO/CFO of the company must take ownership of the accuracy and completeness of their financial statements.
The Sarbanes-Oxley Act of 2002 is a federal law designed to help reduce financial statement fraud and accounting irregularities.
FORM 10-K
SOX - Consequences of negligence
Internal control deficiencies can lead to a significant deficiency and/or a material weakness.
Internal control primer
COSO Framework:
Recognized by the SEC as an effective framework to satisfy the internal control evaluation and disclosure requirements of SOX.
Internal Control:
A process, effected by an entity's Board of Directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in Operations, Financial Reporting, and Regulatory Compliance.
Categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
Types of controls
Preventative versus Detective
Preventative - Designed to deter undesirable events from occurring
Detective - Designed to discover undesirable events that have already occurred and correct them
Internal control - examples
Access Security: Logical and Physical
Change Control: Application and Infrastructure
Computer Operations: Batch Processing; Backup & Recovery and Incident Management
Program Development: Project management methodology
SOX Deficiency
Definition
A deficiency in internal controls which could adversely affect the company's ability to deliver accurate financial reporting. A design deficiency exists when a necessary control is missing or an existing control is not properly designed, so that even when the control is operating as designed the control objective is not always met. An operating deficiency exists when a properly designed control is not operating as designed, or the person performing a control does not possess the necessary authority or qualifications to perform the control effectively.
Severity
Impact: magnitude of the potential misstatement if not mitigated
Likelihood: inherent risk prior to mitigation
Categories
Deficiency: reported to senior management
Significant deficiency: reported to senior management and the Audit Committee
Material weakness: reported to senior management and the Audit Committee, and results in an adverse opinion on internal controls reported in the 10-K filing
Next: Segregation of duties
SAP GRC
What is SOD?
This is one of the key control principles in an enterprise. The principle recommends using more than one person to carry out an important task in the business.
This aligns with the four-eyes / two-signature principle and helps to reduce the chances of financial frauds and irregularities.
This principle gains further importance in a SOX system.
Segregation of duties
Segregation of duties is the concept of having two or more persons involved in the execution of a critical task. The objective is to reduce the possibility of fraud in a company and to have better control over the organization's day-to-day operations.
To give a simple example, imagine a user who is able to post payments and also receive goods. This would be a risk to the organization, as he is now able to post payments on the company's behalf and receive goods: he now has the authority to execute a fraudulent payment and receive the goods.
So in an organization all sensitive end-to-end functions are identified and the associated tasks are distributed to one or more persons.
Segregation of duties is a key concept of internal controls.
To summarize, a company's critical processes must be segregated to prevent frauds and errors.
The pattern to minimize risk is:
The three steps to managing risk are to identify, divide and segregate functions.
Identify critical processes and associated risks. The GRC solution from SAP assists in the identification of these functions and risks. Identify the SAP transactions and authorization objects associated with those critical processes and business functions.
Divide critical business functions into sub-processes to apply segregation of duties in the organization.
Assign each sub-process to a different person or team.
Segregate the following functions, i.e. do not combine roles such as:
receiving checks (payment on account) and approving write-offs.
depositing cash and reconciling bank statements.
approving time cards and having custody of pay checks.
receiving goods and making payments.
creating roles and assigning the roles in a system.
Categories of segregation
IT security function: assign vs. create roles.
Recording function, e.g. preparing source documents or code or performance reports.
Splitting one security key into two (or more) parts between responsible persons.
Custody of an asset, whether directly or indirectly, e.g. receiving checks in the mail or implementing source code or database changes.
Reconciliation or audit.
SOD governance
In a perfect IT governance world, no one person should handle more than one sub-process.
The challenge comes because of the size of the company, the complexity of processes and employees' acceptance of changes in process, to name a few.
Thank you
SAP GRC
Audit needs addressed
Audit needs and risk identification
Audit needs being addressed
What is risk and categories of risk.
How is risk represented in SAP GRC.
Examples of risk.
Audit needs fulfilled
Emergency Access Management (EAM):
SAP_ALL (keys to the kingdom) is not assigned.
Access is module specific and limited compared to SAP_ALL.
A detailed log is available for review at any given time.
Access Risk Analysis (ARA):
Continuous compliance.
Simulation of the user before actual assignment.
Mitigating controls exist.
SOD / sensitive access is monitored.
Risk: the possibility of an FI or material deficiency or a system risk, and thereby a threat.
How a risk is represented (diagram):
Risk = PO * GR
Business function PO: actions ME21, ME22; permissions: Doc type, Org values
Business function GR: actions MIGO, MB01; permissions: Movement type, Org values
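The rule structure on this slide (a risk made of two business functions, each defined by its actions/t-codes and the permissions behind them) can be exercised as a small analysis engine that also shows the difference between a transaction-level and an object-level check and the simulation of an assignment before it is made, which the later slides demonstrate with screenshots. This is an added illustration, not SAP's RAR code: the risk id P001, the role contents, the user Pouser and the mapping of the PO/GR permissions to the authorization objects M_BEST_BSA, M_BEST_EKO, M_MSEG_BWA and M_MSEG_WMB are constructed sample data, while Riskyuser and ZROLE_WITH_RISK are the names the later slides use.

```python
"""Toy SoD risk analysis in the shape of the GRC rule shown above: a risk is a
conflict between business functions (PO * GR), each function being a set of
actions (t-codes) plus the permissions (authorization objects) needed to use
them. Added example with constructed sample data, not SAP's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Function:
    name: str
    actions: frozenset      # transaction codes that perform the function
    permissions: frozenset  # authorization objects that must also be granted


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    functions: tuple        # conflicting functions; all must be reachable


# Rule set: the single PO * GR risk from the slide (id and object mapping assumed).
PO = Function("PO", frozenset({"ME21", "ME22"}), frozenset({"M_BEST_BSA", "M_BEST_EKO"}))
GR = Function("GR", frozenset({"MIGO", "MB01"}), frozenset({"M_MSEG_BWA", "M_MSEG_WMB"}))
RULESET = (Risk("P001", "Create purchase orders and receive goods", (PO, GR)),)

# Roles as (t-codes, authorization objects). Constructed sample roles.
ROLES = {
    "ZROLE_WITH_RISK": ({"ME21", "ME22", "MIGO"},
                        {"M_BEST_BSA", "M_BEST_EKO", "M_MSEG_BWA", "M_MSEG_WMB"}),
    "ZROLE_PO_ONLY": ({"ME21", "ME22"}, {"M_BEST_BSA", "M_BEST_EKO"}),
    # t-code granted without the goods-movement objects: cannot post a receipt
    "ZROLE_GR_DISPLAY": ({"MIGO"}, set()),
}
USERS = {"Riskyuser": ["ZROLE_WITH_RISK"], "Pouser": ["ZROLE_PO_ONLY"]}


def effective_access(role_names):
    """Union of t-codes and authorization objects over a set of roles."""
    tcodes, objects = set(), set()
    for name in role_names:
        t, o = ROLES[name]
        tcodes |= t
        objects |= o
    return tcodes, objects


def function_reachable(fn, tcodes, objects, level):
    """Transaction level: any action t-code is enough (more false positives).
    Object level is stricter: the t-code and every permission object are needed."""
    if not fn.actions & tcodes:
        return False
    return level == "transaction" or fn.permissions <= objects


def analyze_roles(role_names, level="object", mitigated=frozenset()):
    """Ids of risks whose functions are all reachable and that are not mitigated."""
    tcodes, objects = effective_access(role_names)
    return [r.risk_id for r in RULESET
            if r.risk_id not in mitigated
            and all(function_reachable(f, tcodes, objects, level) for f in r.functions)]


def analyze_user(user, level="object", mitigated=frozenset()):
    """User-level analysis over the union of the user's roles."""
    return analyze_roles(USERS[user], level, mitigated)


def simulate_assignment(user, new_role, level="object"):
    """Risk analysis of a proposed assignment before it is made (the simulate step)."""
    return analyze_roles(USERS[user] + [new_role], level)


if __name__ == "__main__":
    print("Riskyuser:", analyze_user("Riskyuser"))
    print("Pouser + GR display, t-code level:",
          simulate_assignment("Pouser", "ZROLE_GR_DISPLAY", "transaction"))
    print("Pouser + GR display, object level:",
          simulate_assignment("Pouser", "ZROLE_GR_DISPLAY"))
```

The transaction-level run flags the display-only role as a conflict while the object-level run does not, which is why the object-level check is the better selection for a final analysis and why a mitigating control is recorded against a risk id rather than against a t-code.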
Summary - Audit pain points addressed
Superuser Privilege Management: allow superuser access; monitor and report the actions performed.
Risk Analysis and Remediation: identify and remove SOD issues; mitigation controls.
Compliant User Provisioning: SAP access provisioning with approval workflow; centralised creation of new users.
Reporting: visibility across the landscape of risks, violations and mitigation.
Starting RAR: /n/Virsa/Zvrat
Select SAP R/3 and role Auditor
SAP GRC Dashboard / cockpit
Select global rule set
Role build
Transactions included
Authorization objects included
User = Riskyuser
Role = ZROLE_WITH_RISK
Role type = single
Scenario = role check analysis
I. Risk analysis: role, high level, object level
Result: SOX check
II. Risk analysis: role, all level, auth. object
Result: SOX check
III. Risk analysis: role, all level, transaction check
Result: SOX check, transaction level
How to simulate
Risk analysis check by simulation
Risk analysis by simulation: total
Types of report views
I. Summary view
II. Detail view
III. Technical view
IV. Business view
Best selection for risk analysis
Risk analysis: user, high level, object level
Risk analysis: user level
Conclusions
SAP GRC Mitigation
Role Mitigation
User Mitigation
Mitigation structure
Creating a Business unit in SAP
Step 2: Identify Monitor & Controller
Monitor = MitMonitor
Controller = MitControl
Mitigation Monitor
Mitigation Controller
Mitigation Approver
Step 2: Create Approver & Monitor
Step 3
Step 4: Create Mitigation control
Management reports and Alerts
Rule Architect
Business processes
Business process - create
II. Function - display, change
Function - create
III. Risk - display, change
Risk - create
Rules: conflicting transactions
Rules: conflicting objects
Critical transactions - maintain
Existing entries
New entries
Upload critical transactions
Download existing critical Tx. entries
Output of table
II. Critical roles - maintain
New entry
GRC table entries via transports
Critical roles upload/download
III. Critical profiles
Rule matrix modify
Rule Architect: maintain org. rules
Transporting rule sets
Configurator
SAP GRC Access Management
SAP GRC CUP
Actions in workflow
Access Enforcer / CUP
Access Enforcer is an end-to-end workflow for user provisioning.
Any user can request a role in Access Manager. A request number is auto-generated and forwarded to the user's manager as step 1.
On approval from the user's manager, the request is forwarded to the individual role owners for their respective role approvals.
Final review is by the security team, to ensure that the request does not cause any security gaps.
After obtaining all the necessary approvals, the role gets auto-assigned to the user.
CUP automated workflow
1. A user joins the company and her manager requests SAP account access for her. The request needs to be approved by the manager first.
2. The automated request goes to the role owner for approval.
3. The request is reviewed by security for completeness, and on confirmation the user gets created with the right roles.
Access Enforcer request view
Access Enforcer request details
Access Enforcer modules
Requestor: end users can request access to SAP and non-SAP systems. This access is generally available to all.
Approvers: approvers approve the request once they receive it from requestors. There are two types of approvers: 1.) role approvers, 2.) security administrator approvers.
Informer: the reporting cockpit is represented by Informer. This module can be used by teams like audit, compliance and helpdesk to monitor the requests.
Configuration: this is the administrator's cockpit for configuration of workflows, connectors and other attributes for managing this tool.
Access Manager admin. cockpit
Standard approvers in CUP
Three levels of approval are standard in GRC CUP. Additional workflow approvers can be added or subtracted based on your organization's requirements.
1. Manager - the manager is usually the requestor's superior.
2. Role owner - role owners are sent approval requests to get their buy-in for role assignments.
3. Security - too much automation can be dangerous, hence it is always good to have someone watching the whole process. Security provides the final blessing before the role gets auto-assigned to the users.
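The three approval levels, the auto-generated request number, the approval trail and the auto-assignment described on the CUP slides above, modelled in plain Python as an added example (not SAP's code or workflow configuration); the users alice and bob, the approvers ap_owner, mm_owner and sec_admin, and the role names Z_AP_CLERK and Z_MM_BUYER are constructed sample data.

```python
"""Toy model of the three-stage CUP approval workflow described above:
manager -> owner of every requested role -> security, then auto-assignment.
Added example, not SAP's code; people, role names and request numbers are
constructed sample data."""
from itertools import count

ROLE_OWNERS = {"Z_AP_CLERK": "ap_owner", "Z_MM_BUYER": "mm_owner"}  # role -> owner
MANAGERS = {"alice": "bob"}                                         # user -> manager
SECURITY_TEAM = {"sec_admin"}
_request_numbers = count(1000)                                      # auto-generated ids


class AccessRequest:
    def __init__(self, user, roles):
        self.number = next(_request_numbers)
        self.user = user
        self.roles = list(roles)
        self.stage = "manager"             # manager -> role_owner -> security -> done
        self.pending_roles = set(roles)    # role-owner approvals still outstanding
        self.trail = []                    # approval trail: (stage, actor, action, detail)
        self.assigned = []                 # assignment proof, filled at the end

    def _log(self, actor, action, detail=""):
        self.trail.append((self.stage, actor, action, detail))

    def expected_approvers(self):
        """Who may act at the current stage; nobody can skip ahead."""
        if self.stage == "manager":
            return {MANAGERS[self.user]}
        if self.stage == "role_owner":
            return {ROLE_OWNERS[r] for r in self.pending_roles}
        if self.stage == "security":
            return set(SECURITY_TEAM)
        return set()

    def can_act(self, actor):
        return actor in self.expected_approvers()

    def approve(self, actor, role=None):
        """Record one approval and return the stage the request is in afterwards."""
        if not self.can_act(actor):
            raise PermissionError(f"{actor} cannot act on request {self.number} at {self.stage}")
        if self.stage == "manager":
            self._log(actor, "approved")
            self.stage = "role_owner"
        elif self.stage == "role_owner":
            if role not in self.pending_roles or ROLE_OWNERS[role] != actor:
                raise PermissionError(f"{actor} does not own pending role {role}")
            self._log(actor, "approved", role)
            self.pending_roles.discard(role)
            if not self.pending_roles:         # every role owner has given buy-in
                self.stage = "security"
        else:                                  # security: final review, then auto-assign
            self._log(actor, "approved")
            self.assigned = list(self.roles)
            self.stage = "done"
        return self.stage

    def reject(self, actor, reason):
        """Any approver at the current stage can stop the request."""
        if not self.can_act(actor):
            raise PermissionError(f"{actor} cannot act on request {self.number}")
        self._log(actor, "rejected", reason)
        self.stage = "rejected"
        return self.stage


def run_happy_path():
    """A two-role request walked through all three approval levels."""
    req = AccessRequest("alice", ["Z_AP_CLERK", "Z_MM_BUYER"])
    req.approve("bob")                      # 1. manager
    req.approve("ap_owner", "Z_AP_CLERK")   # 2. each role owner, for its own role only
    req.approve("mm_owner", "Z_MM_BUYER")
    req.approve("sec_admin")                # 3. security, then auto-assignment
    return req
```

The trail records which stage each actor signed off, so the assignment proof can be reviewed later by audit or helpdesk through the Informer-style reporting the slides mention.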
GRC RAR SPM
Steps for demo
Steps:
1.) SU01: created a user account Firefight01 with type "service" and the password deactivated.
2.) Kickstart the firefighter transaction.
3.) Assign Owner: the person who owns the firefighter account, i.e. the person who owns the risk and responsibility for that emergency account.
4.) Assign Controller: the person who is informed about the activities and usage of the firefighter account. Owner and controller can be the same person in a small organization. In a larger organization the owner can delegate the controller responsibility to another person.
5.) Assign the firefighter account to the support user account: the support user who will use the firefighter account for business support activities, troubleshooting work or project support.
GRC SPM/Firefighter 5.3
Introduction
The need for emergency access
Emergency elevated access may be needed in the following situations:
Accessing critical functions in SAP which are sensitive and critical business functions, for example opening/closing clients, modifying number ranges, changing entries in a custom table, changing a minor configuration in SPRO.
Supporting a project go-live / cutover process.
Troubleshooting an issue in the production system.
Life before SPM
The old method of providing elevated access involved directly assigning a very powerful SAP profile such as SAP_ALL, or something similar, to the user. There were multiple problems with this approach:
A huge audit red flag due to lack of process visibility.
It was difficult to obtain a detailed user activity log.
The activity log had to be generated manually.
The log had to be sent manually to the controller of the FFID.
Possibility of manual error, as a lot of processes had user tasks.
Lack of automation, and hence more chances of causing a financial irregularity or destabilizing a business function.
Assigning SAP_ALL was like giving the user the keys to the kingdom. Giving so much process power to a single user was a risk by itself.
SAP GRC SPM advantages
Elevated emergency access, but still restricted module-wise; much more limited compared to SAP_ALL.
Detailed logging, with field activity and value visibility in the logs.
Enhanced automation in the overall process.
On-demand availability of the firefighter log.
Workflow for the log approval process.
Entities involved in the SPM process
User
Requestor
Owner
Controller
SPM administrator
SPM technical consultant
SPM process
SPM entities & process
Firefighter: users have limited access as per their roles in the organization. Suddenly they come across a business problem where they need elevated access to resolve the issue, so they request emergency access.
FF owner: the firefighter request is received by the security team, who then request approval from the firefighter owner. The firefighter owner then provides their approval.
Security admin: on receipt of the approval, the security admin assigns the firefighter ID to the firefighter user.
SPM cockpit
Firefighter 1: /n/virsa/vfat
The transaction to kickstart a firefighter session, for both the firefighter and the firefighter administrator, is /n/Virsa/VFAT.
Firefighter 2: Log on to the SAP SPM cockpit
Firefighter 3: Reason code (document reason and activity)
Firefighter 4: Complete activity
Controller gets the log
Firefighter admin: log generation on demand
GRC implementation steps
Risk identification and assessment
Planning for implementation
Upgrade requirements analysis
Testing
Configuration
Go live
GRC ERM
Role management challenges
Conventional role build cycle
New role build/modify request received.
Take approval from the role owner by email. Manual step.
Check whether the change will cause any SOX issues for the role or its users. Manual step.
Coordinate with the role owner if there are any SOX issues. Manual step.
Tie the role modification or creation to a ticket. Manual step.
Build the role in development.
Attach proof of unit test / functional test in dev. Manual.
Transport the change to the test system.
Represent the change in change management. Extract and maintain data manually to present the change.
Once approved, the role gets transported to production.
Validate with the user that the change is accurately reflected in production. Manual.
Thanks to the GRC ERM tool, all these activities can be well orchestrated.
A bulk of the manual steps can either be automated or eliminated completely using the well-integrated ERM tool.
Additionally, the tool eliminates manual error and brings in built-in best practices.
Robust audit logs to track changes
Maintain systems with ease, instead of an unstable manual mode at all times
Automate risk assessments
1. Define Role
Provide a detailed description of the activities involved in the role, as shown below.
Primary function area
Select the right primary & alternate approvers
Include any custom attributes / customization if needed.
Inclusion of transactions:
Transaction view
Include authorizations
Include org. values
Derived roles
Approvals
SOX check
Add review comments
Role generation
Delta features of GRC Role Expert
GRC 10.0
What is new in GRC 10.0
The major changes are as follows. Risk Management, Access Control and Process Control get integrated.
Access Control includes the firefighter and user provisioning components.
Also, because of the integration, each of the tools works seamlessly in the studio.
Shared information is common for business processes, controls in organizations and workflows.
Process Control brings in the ability to document internal controls and manage risks better.
A central internal control catalogue needs to be created once and then shared between all.
Impact analysis: risk analysis for a role now shows the possible impact for users. This is an enhancement.
Crystal Reports: integrated Crystal Reports now enhance the reporting functionality.
Mass mitigation for users/roles is not possible.
User assignment now mimics the classic SAP user master.
Business users can now review roles being created or modified.
Role assignments for a user can be reviewed by business owners at any given point.
Conclusion
Next steps
You can get a lot of information on:
www.SAP.com
SCN.SAP.com
www54.sap.com
scn.sap.com/community/grc