WHITE PAPER

SAP GRC Access Control Solution

White paper on Implementation Methodology

HCL SAP GRC Practice

January 2008

Table of Contents

Executive Summary
Introduction
SOX, SoD and SAP
Functions of SAP GRC Access Control
Implementation Methodology
Annexure 1: Various Aspects
Annexure 2: Roles and Responsibilities
Annexure 3: Time Lines
Annexure 4: Challenges
Annexure 5: SAP GRC Business Benefits

Executive Summary

In an era of stringent corporate governance, new regulatory requirements have made tighter internal control a standard compliance expectation across the globe.

Organizations of every size are struggling to comply with these regulations and to manage the associated risk. The cost and effort of establishing, maintaining and proving compliance demand money and time that could otherwise be invested in adding value rather than protecting it.

For many organizations the technology answer has been to attempt automation with standard office tools such as spreadsheets, which, despite their low cost, can become part of the problem rather than a compliance solution.

Fortunately, a newly available class of software platforms, now known as GRC technology, can help streamline this automation. This white paper covers one of the principal control automation tools, SAP GRC Access Control, and details its implementation methodology.

SAP GRC Access Control

"He who cannot obey himself will be commanded. That is the nature of living creatures."
- Friedrich Wilhelm Nietzsche

Integrated GRC is an offshoot of SOX and of the other such compliance regimes that exist across industries worldwide.

In itself GRC is not new. Corporate Governance, Risk management and Compliance, as individual issues, were always among the most fundamental concerns of a business and its top leaders. What is new is Integrated GRC: an approach the organization practices, and the various roles that the board, senior management, line management and the rest of the organization play, in relation to oversight, strategy, risk management and strategy execution regarding compliance with laws, regulations and internal policies and procedures.

Evolution of Integrated GRC:

- Barings Bank: Nick Leeson's $1.2 billion loss forced Barings into bankruptcy. Improper supervision and SoD violations delayed detection.
- Daiwa Bank: Toshihide Iguchi's $1.1 billion loss and a $340 million fine for unauthorized trades. Management tried to conceal the losses by overriding controls and violating SoD.
- Sumitomo Bank: Yasuo Hamanaka's $1.8 billion copper position losses. He maintained two sets of books for over a decade.
- NatWest, U.K.: Kyriacos Papouis concealed over $100 million in option losses by manipulating the books.
- Enron, Tyco International, Adelphia, Peregrine Systems, WorldCom and Société Générale.

Introduction

Sarbanes-Oxley compliance was a result of such scandals. Also known as the Public Company Accounting Reform and Investor Protection Act of 2002, and commonly called SOX, it is a controversial United States federal law passed in response to a number of major corporate and accounting scandals. Signed into law on July 30, 2002, its overall purpose is to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.

SOX, SoD and SAP

For an organization that must be SOX (Sarbanes-Oxley Act) compliant, the main difficulty arises in managing SoD (Segregation of Duties), that is, in access-related problems within the organization. This calls for an automated approach to implementing the rules and policies that SOX compliance requires.

SAP has been addressing the various compliance and risk management issues across industry verticals by developing automated solutions. One of these is GRC Access Control, an application for the sustainable prevention of segregation-of-duties violations. Implementing this automated access control solution enables an organization to meet the SoD-related requirements of SOX compliance, and to detect and remove SoD violations according to their severity.

SAP Definition of SoD

A primary internal control intended to prevent or decrease the risk of errors or irregularities by assigning conflicting duties to different personnel.

Segregation of Duties (SoD)

Across an enterprise there are various functions, and each function is performed by a set of roles and responsibilities working together. SoD requires that these roles and responsibilities be assigned so that no individual holds end-to-end access rights over any function.

(Figure: end-to-end access versus access split under SoD)

Actual job titles and organizational structure vary greatly from one organization to another, depending on the size and nature of the business. Under SoD, business-critical duties can be categorized into four types of function: authorization, custody, record keeping and reconciliation. In a perfect system, no one person should handle more than one type of function.

The roles and responsibilities for a function should be divided so that no one person has full rights over the function; this reduces the risk that the function is manipulated maliciously. The more critical the function, the greater and clearer the segregation of duties should be.

Segregation of Duties is enforced through access controls. Access control ensures that one individual does not hold access to two or more incompatible duties. Some examples of incompatible duties are:

- Creating a vendor and initiating payment to that vendor.
- Creating invoices and modifying them.
- Processing inventory and posting payment.
- Receiving cheques and writing pay-offs.

Ideally, a single individual must not hold the authority to create, modify, review and delete any transaction, task or resource. If an individual has both creation and modification rights, he can create a record, have it reviewed, and then modify it for fraudulent purposes. Similarly, if an individual has both creation and deletion rights, he can create a vendor, initiate a payment, and later delete any transaction logs that could trace his activity.

Segregation of Duties ensures that:

- Errors are caught, because SoD builds a cross-check between roles and responsibilities.
- The risk of fraud is reduced, since fraud would require the collusion of two or more individuals.
- Roles and responsibilities are clearly separated across the various functions of the organization.

Segregation of Duties must be applied so that it reduces the risk associated with any function or process that could be abused for fraudulent purposes. If proper SoD does not exist in an organization, then:

- Internal access controls are ineffective.
- Materials, money, financial assets and resources may be misused.
- The organization's estimate of its financial condition may be wrong.
- Financial documents produced for audits and reviews may be incorrect.

Manual Approach for SoD

Traditional approaches to identifying and preventing SoD issues are costly, time-consuming and exhausting, with plenty of scope for error. In today's regulatory environment, companies cannot afford to waste time and money hoping that a manual approach will satisfy their audit requirements. Companies now seek a comprehensive, automated approach that helps them resolve their SoD challenges quickly without disrupting the business.

SAP Access Control

SAP GRC Access Control delivers a comprehensive, cross-enterprise set of access controls that enables all corporate compliance stakeholders, including business managers, auditors and IT security managers, to collaboratively define and oversee proper SoD enforcement, enterprise role management, compliant provisioning and superuser privilege management.

Functions of SAP GRC Access Control

SAP GRC Access Control includes the Virsa Compliance Calibrator application for SAP, the Virsa Role Expert application for SAP, the Virsa Firefighter application for SAP and the Virsa Access Enforcer application for SAP. Deployed together, they provide an end-to-end access control solution that addresses the following areas:

Risk detection: the SAP applications for Access Control detect even the most obscure access and authorization risks across SAP and non-SAP applications, covering every potential source of risk, including segregation of duties and transaction monitoring.

Risk remediation and mitigation: these applications for access and authorization control enable fast, efficient remediation and mitigation of access and authorization risks by automating workflows and enabling collaboration between business and technical users.

Reporting: the applications deliver the comprehensive reports and role-based dashboards that businesses need to monitor the performance of compliance initiatives and to take action as needed.

Risk prevention: once access and authorization risks have been remediated, the SAP applications for Access Control can then prevent new risks from entering a production system. By empowering business users to check for risks in real time and by automating user administration, the applications make risk prevention a continuous, proactive process.

Implementation Methodology based on SAP Best Practice

This implementation methodology, when followed step by step, makes access and authorization risk management, and with it compliance adherence, an integral part of everyday organizational activity. The implementation process is based on the Best Practices provided by SAP and extends from the GET CLEAN phase (identify and resolve the access risk issues) to the STAY CLEAN phase (channel the compliant user provisioning process into an automated structure).

The implementation process starts with installation and configuration of Compliance Calibrator. In line with the SoD management process, business process owners identify the activities exposed to fraudulent or accidental corruption, that is, to access and authorization or SoD risks, and then implement the necessary mitigating controls on them. Next, during implementation of Role Expert, the organization's role design methodology is defined through Role Designer. In the Access Enforcer implementation, workflows are defined; workflows channel the different work processes into a structured, transparent and automated form. Finally, Firefighter is implemented, which endows selected users with exceptional rights. So that any risk realized through such access can be traced, all activities of users holding firefighter rights are logged and documented.

HCL has developed an approach and methodology for implementing the SAP GRC Access Control suite. The suite embraces four capabilities:

- Access risk analysis and remediation
- Compliant user provisioning
- Role management
- Privileged user access management

The proposed methodology for implementing SAP GRC Access Control projects has six phases:

- Implementation Readiness
- Deploy & Install GRC Access Control Tool Suite
- Risk Analysis and Remediation
- Super User Privilege Management
- Compliant User Provisioning
- Enterprise Role Management

Preparation of Implementation

We recommend that the implementation life-cycle of the GRC Access Control tools cover everything from installation and configuration of all four products to their integration and validation. Preparation includes:

- NetWeaver installation configured and validated, i.e. ready for application installation.
- Resource identification.
- Requirement validation: review and validation of the customer's requirements against product functionality. This should include a brief analysis of the customer's business environment, covering an organizational scan and a study of their business processes. The BPX (business process expert), together with the implementation consultant and the BPO (business process owner), will architect solutions to address any requirement gaps.

Deploy & Install GRC Access Control Tool Suite

Once the preparations for implementation are done, we proceed to installation and configuration of the Access Control tools. The Access Control tool suite can be downloaded from the SAP Support Portal on the SAP Service Marketplace at service.sap.com. You need to log in with your Service Marketplace ID, and you will be asked for your Customer Number or Installation Number.

The SAP GRC Access Control tool suite includes the following tools:

- Virsa Compliance Calibrator
- Virsa Access Enforcer
- Virsa Role Expert
- Virsa Firefighter for SAP

Risk Analysis and Remediation

Risk Analysis and Remediation is done by Compliance Calibrator.

Risk Analysis and Remediation provides real-time compliance around the clock and prevents security and control violations before they occur. Once deployed, business managers can analyze real-time data, find hidden issues and help ensure the effectiveness of access and authorization controls across the enterprise.

The scope of the process includes the following key areas:

- Identification of critical access and segregation of duties
- Real-time risk assessment
- Simulation and remediation
- Documentation of mitigating controls
- Summary and drill-down reports

Super User Privilege Management

Superuser Privilege Management is done using Firefighter.

Superuser Privilege Management is a solution for emergency situations, for extensive and/or special access, and for cases when there is no time to obtain regular logins and passwords. Its features are:

- Provides superuser access control.
- Compliant controls for emergency access.
- Users are assigned to specific firefighting IDs with defined authorizations and validity dates.
- A separate login is required, along with documentation of the reason for use.
- A firefighter ID can be used by only one user at a time.
- Auditable reporting.
- Logs actions without turning on SAP logging.

Compliant User Provisioning

Compliant User Provisioning is done by Access Enforcer.

Access Enforcer enables fully compliant user provisioning throughout the employee life cycle and prevents new SoD violations. Businesses can automate provisioning, test for SoD issues, streamline approvals and reduce the workload on IT staff. The solution performs the following activities:

- Automates the provisioning workflow
- Provides compliant user provisioning across the enterprise
- Identifies SoD issues in real time
- Streamlines approvals

Enterprise Role Management

Introduction to Role Expert

Role Expert is a role creation and management tool. This SAP GRC Access Control tool is web-enabled and eases the overhead of creating and managing roles in an organization. Besides creation and management of roles, it also handles the risks associated with different roles, segregation of duties, the generation of the types of reports useful to management and auditors, and the mitigation of risks.

Purpose of Role Expert

A Role Expert implementation serves the following purposes in an organization:

- Helps implement best practices for role naming conventions.
- Automates the creation and maintenance of roles.
- Implements best-practice approval workflow automation for roles in the organization.
- Automates the generation of reports of various types for management and auditors.
- Performs automatic risk analysis at all levels, and mitigation of risks, before the requested role is approved or created.
- Provides transparency, tracking and monitoring of the creation and implementation of roles.

ANNEXURE 1: Various Aspects

| Steps | Activities Involved | Persons Involved | Duration/Days |
|---|---|---|---|
| Implementation Readiness | Hardware/software requirement analysis; software installation; NetWeaver environment validation | Basis/Security Consultant; GRC AC Tool Consultant | 17 |
| Deploy & Install GRC Access Control Tool Suite | Software installation as well as certain one-time initial configuration activities | GRC AC Tool Consultant | 15 |
| Risk Analysis and Remediation | Identification of critical access and segregation of duties; real-time risk assessment; simulation and remediation; documentation of mitigating controls; summary and drill-down reports | GRC AC Tool Consultant; GRC Business Process Analyst; SOX Domain Consultant | 26 |
| Super User Privilege Management | The application tracks, monitors and logs every activity a superuser performs with a privileged user ID. Creation of Firefighter IDs; assignment of Firefighter roles to applicable user IDs; mapping Firefighter IDs to Owner, Firefighter and Controller | GRC AC Tool Consultant; GRC Business Process Analyst | |
| Compliant User Provisioning | Learn about Access Enforcer workflows and their components; define process stages and approvals; create test initiators, stages and paths; define test users and request types; test initial workflows; define escalations and detours; complete workflow configuration | GRC AC Tool Consultant; GRC Business Process Analyst | 20 |
| Enterprise Role Management | Creation of role attributes required for any role; creation of role generation methodology; creation of naming conventions for roles; creation of roles in Role Expert; reports in Role Expert | GRC AC Tool Consultant; GRC Business Process Analyst | 15 |

ANNEXURE 2: Roles and Responsibilities

| Role | Number | Group | Responsibility |
|---|---|---|---|
| Basis/Security Consultant | | HCL GRC | Hardware/software requirement analysis; software installation; NetWeaver environment validation |
| GRC AC Tool Consultant | | HCL GRC | Master data creation; configuration of all four tools; integration of all four tools; risk recognition, remediation and mitigation; rule building and maintenance; configuration of workflows; configuration of role attributes; configuration of role generation methodology; configuration of naming conventions; report generation |
| SOX Domain Consultant | | HCL GRC | Risk identification; creation of mitigating controls; approve or reject already created risks and mitigating controls; scenario analysis and identification of format and content of reports |
| GRC Business Process Analyst | | HCL GRC | Risk analysis and validation; designing alternative controls to mitigate SoD issues; designing workflows for user and role provisioning; identification of role attributes; identification of role generation methodology; identification of naming conventions; identification of risk and role owners and approvers |
| Client Technical Team | To be decided | Client | Hardware/software requirement analysis; software installation; NetWeaver environment validation |
| Client Business Team | To be decided | Client | Identifying risks and/or approving controls for monitoring risks; approving remediation to address user access issues; approving or rejecting risks between business areas and approving mitigating controls for risks |
| Client Project Manager/Coordinator | To be decided | Client | Managing the implementation project |
| Client Audit / Internal Control Team | To be decided | Client | Perform risk assessments on a regular basis to identify new risks; perform periodic testing of rules and mitigating controls; act as liaison with external auditors |

ANNEXURE 3: Time Lines

| Implementation Activity | Duration/Days |
|---|---|
| Formation of project team* | 2 |
| Software installation and validation* | 5 |
| Requirement validation / system and user landscape study / master data creation* | 10 |
| Implementation Readiness | 17 |
| Compliance Calibrator configuration and implementation | 26 |
| Firefighter configuration and implementation | 4 |
| Role Expert configuration and implementation | 15 |
| Access Enforcer configuration and implementation | 20 |
| Roll-out / deployment / go-live | 10 |

Note: * These activities are performed simultaneously. The total implementation time is 56 calendar days.

ANNEXURE 4: Challenges

| Challenge | Solution |
|---|---|
| Real-time alert generation and notification through mail | Alert generation and e-mail notification were configured not only for mitigating controls but also for risk execution and critical transaction execution. |
| Setting up organizational rules and running risk analysis based on these rules | Compliance Calibrator provides a supplemental table for organizational restrictions, so the entire rules database does not have to be changed and maintained. These restrictions were configured as organizational rules. |
| Integrating workflows in Compliance Calibrator for various processes | Various Compliance Calibrator processes can be automated and structured through workflows, which are created and executed in Access Enforcer. The path connecting Compliance Calibrator to the workflows is entered in the Workflow Service URL. |
| Efficient handling of false positives | Rules are built at the authorization-object level rather than at the transaction level alone, so that a user who can start a transaction but lacks the authorization values needed to complete the conflicting activity is not reported as an SoD violation. |
| Designing user-provisioning workflows and proper initiators to trigger them | User provisioning workflows are created and configured in Access Enforcer. |
| Cross-application implementation | The system includes rules at both the transaction and the object level for the SAP applications APO, Basis, CRM, EBP, SRM, FI/CO, HR/Payroll, Procure to Pay, MM/QM, Order to Cash and Portals. |
| Cross-system implementation | The Virsa Compliance Calibrator out-of-the-box rule set includes transaction, object and value combinations analyzing some 120,000 possible combinations of potential access-rights risk. These cover SAP: 20,000; Oracle: 20,000; PeopleSoft: 3,800; JDE: 151. |
| Cross-geo implementation | A centralized monitoring system is provided by connecting the various systems across geographies. |
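The following is an added example, not code from this white paper and not SAP's or Virsa's own implementation. It ties together the SoD concepts from the Segregation of Duties section (incompatible duty pairs such as creating a vendor and paying that vendor) with the rule-building points in this annexure: rules at the authorization-object level to suppress transaction-level false positives, organizational rules that scope a conflict to a shared company code, and mitigating controls that are reported rather than silently dropped. Every user, role, risk ID and control ID below is constructed; the transaction codes and authorization objects (XK01, F-53, F_LFA1_APP, F_BKPF_BUK, ACTVT) borrow SAP names for realism but are simplified stand-ins, not the delivered Compliance Calibrator rule set.

```python
"""Simplified SoD risk analysis (added example; not code from the white paper or SAP).
Rule model: a Function is a set of transactions plus the authorization values that
actually enable it; a Risk is a pair of conflicting Functions. A user is analysed at
transaction ("action") or authorization-object ("permission") level, with an
organizational (company code) rule and mitigating controls. All data is constructed."""
from collections import namedtuple
from datetime import date

# Perm = authorization object / field / value plus organizational level (company
# code, "*" = all), e.g. Perm("F_LFA1_APP", "ACTVT", "01") = create vendor master.
Perm = namedtuple("Perm", "obj fld val bukrs", defaults=["*"])
Role = namedtuple("Role", "name tcodes perms")           # sets of tcodes and Perms
Function = namedtuple("Function", "fid tcodes perms")    # perms: values required
Risk = namedtuple("Risk", "rid f1 f2")                   # two conflicting functions
Control = namedtuple("Control", "cid user rid valid_to")  # mitigating control

def enabled_in(fn, tcodes, perms):
    """Company codes in which the user can really perform fn: one of its transactions
    AND a matching authorization value. Checking transactions alone is what produces
    the false positives the annexure mentions."""
    if not fn.tcodes & tcodes:
        return set()
    return {p.bukrs for p in perms
            if any((p.obj, p.fld, p.val) == (n.obj, n.fld, n.val) for n in fn.perms)}

def org_overlap(a, b):
    """Organizational rule: a conflict is real only in company codes both sides share;
    "*" on one side overlaps with whatever the other side has."""
    if not a or not b:
        return set()
    if "*" in a:
        return set(b)
    return set(a) if "*" in b else a & b

def analyze(user, roles, risks, controls, level="permission", today=date(2008, 1, 15)):
    """Return [(risk id, sorted company codes, status)] for one user."""
    tcodes = set().union(*(r.tcodes for r in roles))
    perms = set().union(*(r.perms for r in roles))
    findings = []
    for rk in risks:
        if level == "action":   # transaction level only: noisy
            hit = bool(rk.f1.tcodes & tcodes) and bool(rk.f2.tcodes & tcodes)
            where = {"*"} if hit else set()
        else:                   # authorization-object level plus organizational rule
            where = org_overlap(enabled_in(rk.f1, tcodes, perms),
                                enabled_in(rk.f2, tcodes, perms))
        if not where:
            continue
        mit = [c for c in controls
               if c.user == user and c.rid == rk.rid and c.valid_to >= today]
        findings.append((rk.rid, sorted(where), f"mitigated by {mit[0].cid}" if mit else "open"))
    return findings

# Constructed rule set built from the page's own examples (vendor creation vs.
# payment, invoice creation vs. modification); object and field values simplified.
VENDOR_CREATE = Function("VENDOR_CREATE", {"XK01", "FK01"}, {Perm("F_LFA1_APP", "ACTVT", "01")})
PAY_VENDOR = Function("PAY_VENDOR", {"F-53", "F110"}, {Perm("F_BKPF_BUK", "ACTVT", "01")})
INVOICE_CREATE = Function("INVOICE_CREATE", {"FB60", "MIRO"}, {Perm("F_BKPF_BUK", "ACTVT", "01")})
INVOICE_CHANGE = Function("INVOICE_CHANGE", {"FB02"}, {Perm("F_BKPF_BUK", "ACTVT", "02")})
RISKS = [Risk("P001", VENDOR_CREATE, PAY_VENDOR), Risk("P002", INVOICE_CREATE, INVOICE_CHANGE)]

# Constructed roles. Z_AP_VENDOR_DISPLAY still lists XK01 in its menu but grants
# display (03) only: the classic transaction-level false positive.
VENDOR_MAINT = Role("Z_AP_VENDOR_MAINT", {"XK01"}, {Perm("F_LFA1_APP", "ACTVT", "01", "1000")})
VENDOR_DISPLAY = Role("Z_AP_VENDOR_DISPLAY", {"XK01", "XK03"}, {Perm("F_LFA1_APP", "ACTVT", "03", "1000")})
PAY_1000 = Role("Z_AP_PAY_1000", {"F-53"}, {Perm("F_BKPF_BUK", "ACTVT", "01", "1000")})
PAY_2000 = Role("Z_AP_PAY_2000", {"F-53"}, {Perm("F_BKPF_BUK", "ACTVT", "01", "2000")})
CONTROLS = [Control("MC-017", "dave", "P001", date(2008, 12, 31))]  # constructed
USERS = {  # constructed users
    "alice": [VENDOR_MAINT, PAY_1000],    # genuine conflict in company code 1000
    "bob":   [VENDOR_DISPLAY, PAY_1000],  # flagged at action level only
    "carol": [VENDOR_MAINT, PAY_2000],    # cleared by the organizational rule
    "dave":  [VENDOR_MAINT, PAY_1000],    # same as alice, but mitigated
}

if __name__ == "__main__":
    for u, roles in USERS.items():
        print(u, "action:", analyze(u, roles, RISKS, CONTROLS, level="action"))
        print(u, "permission:", analyze(u, roles, RISKS, CONTROLS))
```

Running the block prints both analyses for each constructed user. bob and carol appear only in the action-level output, which is exactly the false-positive gap that object-level rules and organizational rules close; dave's finding is reported as mitigated rather than suppressed, so it still surfaces in audit reporting with the control ID attached, and it reverts to open once the control's validity date passes.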

ANNEXURE 5: SAP GRC Business Benefits

SAP helps organizations build an integrated GRC approach step by step. SAP solutions for governance, risk and compliance help you leverage your SAP and non-SAP IT investments and deliver the following business benefits:

- Increased shareholder value: good corporate governance is reflected in many intangibles, including brand and reputation, and it translates directly into share price premiums.
- Optimized risk/return portfolios: greater transparency and insight enable decision makers to select or reject projects based on risk impact and probability relative to potential return.
- Reduced GRC costs: integrated corporate governance significantly reduces the number of people and the time required to ensure and manage compliance and risk management.
- Improved business performance and predictability: SAP solutions for governance, risk and compliance deliver enterprise-wide transparency, a systematic process for anticipating risks, and the tools to determine proper actions proactively.
- Business sustainability: using solutions delivered through automation, analytics and alerts, businesses can more effectively mitigate the risks stemming from a myriad of legislation.

Assumptions for the Duration/Days in the Annexures:

1. The minimum NetWeaver Support Package is already installed and validated on the identified systems.
2. All database and memory requirements for installation of the Access Control tools are met.
3. Hardware and memory sizing has already been performed.
4. The organization already possesses licenses for all required Access Control tools.
5. Person effort and time will keep reducing in subsequent implementations in different geographies.
6. The company will go on to address compliance management issues subsequently across different locations.
