Welcome to the Audit, Control & Security Stream
Realizing the Value of your Controls Platform
Gerald West, Manager, Security and Controls Assurance, Serco
Agenda
- Introduction
- Strategies (the CURE)
- Summary

Introduction
- Background
- Controls
- Value Realization
- Controls Platform
Background
Serco
- 5bn global services company, over 40 countries, 120,000 employees
- Serving many sectors (defense, security, health, facilities management, transport, BPO etc.)
- Over 700 contracts that run like independent companies
SAP Journey
- Implemented SAP for Finance and Procurement from 2006 (250+ systems => 1 SAP)
- Also have SAP HR and Payroll components plus supporting systems (BW, CRM, SRM, PI etc.)
- Grown from 6,000 to 50,000 users in 6 years; projected to exceed 100,000 users by 2015
My (GW) Journey
- 15 years SAP experience, mainly in Security and Controls
- 6 years in Serco (S&A => CSI => SAP Mgmt => VR => S&C Strategy)
- Driving SAP Value Realization since 2011
Controls: Simple Definition
- Ensuring the right things happen, and the wrong things don't
- Controls are ultimately about adding value
Types of Controls
1. Access Controls
2. Process Controls
3. Contract Controls
Value Realization: Unlocking the value of your IT asset
- User Adoption and Productivity
- Data Management and Insight
- Process and Controls Efficiency
- Technology Optimization and Innovation
CSI Operating Model (diagram)
Engagement: CSI Clinics; Controls & Security Improvement Forum; CSI Reviews
Strategy: Audit Support; Design & Assessments; Project & CR Delivery; Roadmap; Risk Management
Themes: Management; External Scanning; Controlling; Reporting & Analytics
Monitoring & Investigations: Access Reviews; Alerts/Controls Reviews; DAM Reviews
Access Controls: Role Management; Exceptional Access; Data Restriction; Segregation-of-Duties
Process Controls: Master Data Controls; Transaction Data Controls; Configuration Controls
Delegated Authorities: Workflow Mechanisms; Organizational Structures; Approval Levels; Cost Object Owners
Controls Platform Maintenance; Security Platform Maintenance; Identity Platform Maintenance; Improvements & Innovation
Governance: Audit; Policies; Organizing; Protecting; Serving
Operation: User Provisioning; Password Management; Issue Resolution; Licence Management; Role Maintenance
CSI Data Management: Audit Log Processing*; CSI Report Maintenance*
Standards: Security & Controls Board; Design Authority (Sign-Off)
Controls Platform (Security Weaver)
Access Controls
1. Separations Enforcer (SE)
2. Secure Provisioning (SP)
3. Emergency Repair (ER)
4. Role Deriver (RD)
5. Reset Password (RP)
Process Controls
6. Process Auditor (PA)
Contract Controls
7. Licence Management (LM)
8. Transaction Archive (TA)
9. Risk Visualizer (RV)
Serco Purchased
10. Secure Enterprise (EN)
Strategies: the CURE
- Controls
- Usability
- Reporting
- Engagement
Controls... is ensuring the right things happen and the wrong things don't.

Controls: Make the most of your controls
- Requirements
- Functionality
- Governance
- Innovation
Controls: Requirements
Understand your requirements. Examples:
- Audit compliance (predictability and standardization)
- Segregation-of-Duties (SoD) management (online and real-time)
- Reporting flexibility (to fit with a highly-developed user reporting environment)
Understand your challenges/features. Examples:
- Complex organizational structure (mass role build; hierarchy roles)
- Comprehensive (complex) user process
Controls: Functionality (Exploit)
Explore and exploit the platform:
- Functionality. Example: Separations Enforcer (critical access; role simulation)
- Efficiency. Example: Role Deriver (role build time cut from 4 hours to 20 minutes for a full set of hierarchy roles)
- Integration. Example: Process Auditor with Separations Enforcer (new SoD conflicts; new critical authorizations)
- Sustainability. Example: Emergency Repair (review of logs)
Controls: Functionality (Extend)
Extend the platform:
- Workbench. Examples: Separations Enforcer (custom SoD functions and conflicts); Process Auditor (custom controls, e.g. a duplicate invoices control: c. 35k saving in less than 3 months)
- User exits. Examples: Secure Provisioning (additional fields from SU01); Process Auditor (duplicate payment control, going from detective to preventive)
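The duplicate invoice / duplicate payment control above, as an added illustration in Python rather than Security Weaver's Process Auditor code or Serco's own control logic: the same matching rule is run first as a detective sweep over posted invoices, then as a pre-posting check, which is the detective-to-preventive move the slide describes for the user-exit version. The invoice records, vendor ids, reference formats and the 30-day amount window are constructed assumptions.

```python
"""Added illustration of a duplicate invoice / duplicate payment control of
the kind the slide describes as a custom Process Auditor control. Not
Security Weaver or Serco code; every invoice, vendor id and threshold below
is constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from itertools import combinations
import re


@dataclass(frozen=True)
class Invoice:
    doc_no: str         # accounting document number
    vendor: str         # vendor account
    reference: str      # vendor's invoice number as keyed in by the clerk
    amount_cents: int   # integer minor units, so equality is exact
    inv_date: date


def normalise_ref(ref: str) -> str:
    """Canonical form of a keyed reference: drop separators and case and
    strip leading zeros from each digit run ('inv 1', 'INV-0001' -> 'INV1')."""
    compact = re.sub(r"[^A-Za-z0-9]", "", ref).upper()
    return re.sub(r"(?<!\d)0+(?=\d)", "", compact)


def match_reason(a: Invoice, b: Invoice, window_days: int = 30):
    """Why two invoices look like duplicates, or None.
    REF: same vendor and same normalised reference (high confidence).
    AMT_DATE: same vendor and amount within window_days (needs review)."""
    if a.vendor != b.vendor or a.doc_no == b.doc_no:
        return None
    if normalise_ref(a.reference) == normalise_ref(b.reference):
        return "REF"
    if a.amount_cents == b.amount_cents and abs((a.inv_date - b.inv_date).days) <= window_days:
        return "AMT_DATE"
    return None


def find_duplicates(invoices, window_days: int = 30):
    """Detective control: sweep posted invoices and report suspect pairs.
    Pairwise comparison is fine for a sample; a production sweep indexes by vendor."""
    hits = []
    for a, b in combinations(invoices, 2):
        reason = match_reason(a, b, window_days)
        if reason:
            hits.append((a.doc_no, b.doc_no, reason))
    return hits


def check_before_post(candidate: Invoice, posted, window_days: int = 30):
    """Preventive control (the user-exit version): called before the new
    document is posted. Returns (allowed, reason, matching_doc_no)."""
    for existing in posted:
        reason = match_reason(candidate, existing, window_days)
        if reason:
            return (False, reason, existing.doc_no)
    return (True, None, None)


# Constructed sample ledger: doc 5100002 re-keys 5100001's reference with
# different punctuation; 5100003 repeats the amount within the window.
SAMPLE_INVOICES = [
    Invoice("5100001", "V100", "INV-0001", 125000, date(2013, 3, 1)),
    Invoice("5100002", "V100", "inv 1", 125000, date(2013, 3, 3)),
    Invoice("5100003", "V100", "INV-0002", 125000, date(2013, 3, 5)),
    Invoice("5100004", "V200", "INV-0001", 125000, date(2013, 3, 1)),
    Invoice("5100005", "V100", "INV-0009", 98000, date(2013, 6, 1)),
]
# Constructed candidates for the preventive check.
CANDIDATE_DUP = Invoice("5100006", "V100", "INV#1", 125000, date(2013, 3, 20))
CANDIDATE_CLEAN = Invoice("5100007", "V300", "A-17", 10000, date(2013, 3, 20))


if __name__ == "__main__":
    for hit in find_duplicates(SAMPLE_INVOICES):
        print("suspect pair", hit)
    print("post CANDIDATE_DUP:", check_before_post(CANDIDATE_DUP, SAMPLE_INVOICES))
    print("post CANDIDATE_CLEAN:", check_before_post(CANDIDATE_CLEAN, SAMPLE_INVOICES))
```

The reference match is the high-confidence rule; the amount-within-window rule is deliberately looser and is reported with its own reason code so a reviewer can treat the two differently. Whatever the matching rule, the point of the preventive variant is that the same function is invoked before the document exists, so a hit blocks the posting instead of producing a finding to chase later.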
Controls: Governance
Implement good governance:
- Data quality (data policy and standards; alerts)
- Change control (approval process; audit log)
- Ownership (controls owners, conflict owners etc.)
- Periodic reviews (deactivated conflicts; mitigating controls etc.)
"Your controls are only as good as your data."
Integrate with existing governance. Example: Controls & Security Improvement Forum, Process Improvement Forums.
Controls: Innovation
Upgrade: upgrade to benefit from new features and improvements. Example: Separations Enforcer (mitigating controls role; multiple mitigating controls per conflict)
Innovate: capture and submit improvement ideas/enhancements. Example: Emergency Repair (reviewer verdict, not just "Reviewed"; auto-review option)
Explore new ways of using the platform. Examples: Process Auditor (use as a data governance tool); Transaction Archive (use also for process compliance, training needs analysis and general support, as well as licence optimization and forensic investigations)
Usability... is making it easy to do the right thing.

Usability
- Simplicity: make it easy to do the right thing (data structures, processes etc.)
- Clarity: make it crystal-clear (naming conventions, processes etc.)
- Access: make it accessible securely (SW roles/transactions, launch-pad, cloud version etc.)
- Mobility: make it mobile (mobile apps, SAP by email etc.)
Reporting... is being able to see what is happening.

Reporting
Standard reports
- Executing real-time standard reports
- Scheduling standard reports
Extending existing reports
- Adding controls platform (Security Weaver) data into existing custom reports
- Drilling down to controls platform (Security Weaver) reports
External reports
- Leveraging Business Intelligence (e.g. Business Objects) / Business Warehouse
- Using controls platform dashboards/analytics (e.g. Risk Visualizer)
New reports
- SAP Query/ABAP reporting (for controls data in SAP)
- Controls platform enhancements (report requests)
Reporting Standard Reports (Example)
Reporting: Drilldown (Example)
Reporting: External Reports (Example)
Reporting: New Reports (Example)
Engagement... is getting the right people on the bus.

Engagement: Key Stakeholders
Business
- Process and Controls Owners
- Divisional Representatives (User Owners)
- Senior Management
IT Teams
- Security & Authorizations Team
- Technical and Functional Teams
Auditors
- Internal Audit
- External Audit
Controls Platform Community
- Vendor (e.g. Security Weaver)
- User Groups (SWUG, SUG etc.)

Summary: the CURE
- Controls
- Usability
- Reporting
- Engagement
Controls Strategy Framework
ENABLE (dimensions: People, Process)
- Define: define and optimise processes, policies and standards
- Engage: engage and educate the controls community
- Simplify: make it easy to do the right thing
- Know: identify and manage risks and control mechanisms
EXECUTE (dimensions: Technology, Data)
- Control: implement and maintain effective controls
- Assure: establish robust assurance, audit and testing processes
- Report: transform controls reporting and insight
Summary: Key Ideas
- Controls are about adding value, not just about preventing the wrong things happening
- Choose your controls platform to fit your needs and capabilities, and make sure you get the value from it
- Make the most of your controls platform by being clear about your requirements, challenges and features; exploring, exploiting and extending the functionality; implementing good governance; and embracing innovation
- Maximise the usability of your controls platform by making it simple, clear, accessible and mobile
- Mine your controls platform for insight using standard and custom reporting
- Make sure you engage the right stakeholders: ultimately, controls are about people
- Recognise the value you get from your controls platform and capture the benefits
Thank you! SAP 2007 / Page 35
Questions gerald.west@serco.com
Appendices
Segregation of Duties
Roles to enable duties
- Necessary and required access with controlled authorizations
- Process- and position-based role combinations
- Processes to audit and support exceptions, with mitigations where required
Exceptions and conflicts
- Clearly visible conflicts and exceptions
- Mitigations are assignable, auditable and monitored
- On-demand self-service analysis by Process Owners and Business Heads
- Insights into new process designs and controls: individual processes, process combinations, background activities, manual activities
Process Controls and the Serco Approach
Process audit and control
- Processes should be standardized and repeatable
- It should be possible to monitor and report exceptions
- Exception definitions should be flexible and adaptable
- Process exceptions should be captured in real time for approval
Segregation of Duties
Technology: Security Weaver's Separations Enforcer
- Natural integration into SAP
- Low TCO
- Flexibility to weave SoD management across roles and background authorisations
- On-demand, self-service SoD visibility
- Complete auditability
Roadmap
- Further enhancement and awareness
- Combine visibility with manual authorisations and multiple applications
Winning factors
- Sponsorship
- Strong definition of requirements
- Quick results: from complete lack of visibility to on-demand visibility in 4 months
- Simplifies a complex subject
- Strong financial benefits
- Strong partner knowledge and support
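The SoD analysis described on the Separations Enforcer functionality slide (critical access, role simulation, new conflicts and critical authorizations surfaced by integration, multiple mitigating controls per conflict) and in this appendix, as an added illustration in Python rather than Security Weaver's own code: business functions are expressed as sets of transaction codes, rules as pairs of functions, and a proposed role assignment is simulated before it is granted so that only the conflicts it would introduce are reported. The rule ids, roles, transaction codes, users and the mitigating control are constructed; a real rule set also keys on authorization objects and field values, not transaction codes alone.

```python
"""Added illustration of SoD rule-set analysis, role-assignment simulation and
critical-access checks of the kind a tool such as Separations Enforcer
performs. Not Security Weaver code; every rule, role, transaction code, user
and mitigating control below is constructed sample data."""
from __future__ import annotations

# Business functions as sets of SAP transaction codes (constructed). A real
# rule set also keys on authorization objects and field values.
FUNCTIONS = {
    "VENDOR_MASTER": {"XK01", "XK02", "FK01", "FK02"},
    "INVOICE_ENTRY": {"FB60", "MIRO"},
    "PAYMENT_RUN":   {"F110"},
    "PO_CREATE":     {"ME21N"},
    "PO_RELEASE":    {"ME29N"},
}

# SoD rules: risk id -> (function A, function B, description). Constructed.
RULES = {
    "P2P-01": ("VENDOR_MASTER", "PAYMENT_RUN", "Create a vendor and pay it"),
    "P2P-02": ("INVOICE_ENTRY", "PAYMENT_RUN", "Post an invoice and pay it"),
    "P2P-03": ("PO_CREATE", "PO_RELEASE", "Release own purchase order"),
}

# Transactions treated as critical on their own, regardless of combination (constructed list).
CRITICAL_TCODES = {"SU01", "PFCG", "SE16", "SCC4"}

# Roles -> transaction codes and users -> roles (constructed sample assignments).
ROLES = {
    "Z_AP_CLERK":     {"FB60", "MIRO", "FB03"},
    "Z_AP_PAYMENTS":  {"F110", "FBL1N"},
    "Z_VENDOR_MAINT": {"XK01", "XK02"},
    "Z_BUYER":        {"ME21N", "ME23N"},
    "Z_PO_APPROVER":  {"ME29N"},
    "Z_BASIS":        {"SU01", "PFCG"},
}
USERS = {
    "jsmith": ["Z_AP_CLERK", "Z_AP_PAYMENTS"],
    "akhan":  ["Z_BUYER"],
    "basis1": ["Z_BASIS"],
}

# Mitigating controls assigned per (user, risk). More than one control may
# mitigate the same conflict, hence a list per key. Constructed.
MITIGATIONS = {
    ("jsmith", "P2P-02"): ["MC-017 monthly review of F110 payment proposals by AP manager"],
}


def transactions_for(roles):
    """Union of the transaction codes granted by a list of roles."""
    tcodes = set()
    for role in roles:
        tcodes |= ROLES[role]
    return tcodes


def functions_held(tcodes):
    """Business functions reachable with the given transaction codes."""
    return {f for f, needed in FUNCTIONS.items() if tcodes & needed}


def conflicts_for(roles):
    """Risk ids whose two functions are both reachable from the given roles.
    Conflicts inside a single role are found the same way as cross-role ones."""
    held = functions_held(transactions_for(roles))
    return {risk for risk, (a, b, _) in RULES.items() if a in held and b in held}


def analyse_user(user, roles=None):
    """Conflicts, mitigation status and critical access for one user."""
    roles = USERS[user] if roles is None else roles
    conflicts = conflicts_for(roles)
    mitigated = {r for r in conflicts if MITIGATIONS.get((user, r))}
    return {
        "conflicts": conflicts,
        "mitigated": mitigated,
        "unmitigated": conflicts - mitigated,
        "critical": transactions_for(roles) & CRITICAL_TCODES,
    }


def simulate_assignment(user, new_role):
    """Role simulation: the conflicts that adding new_role would introduce,
    i.e. those not already present on the user's current assignment."""
    before = conflicts_for(USERS[user])
    after = conflicts_for(USERS[user] + [new_role])
    return sorted(after - before)


if __name__ == "__main__":
    for u in USERS:
        print(u, analyse_user(u))
    print("akhan + Z_PO_APPROVER ->", simulate_assignment("akhan", "Z_PO_APPROVER"))
    print("jsmith + Z_VENDOR_MAINT ->", simulate_assignment("jsmith", "Z_VENDOR_MAINT"))
```

Reporting only the difference between the pre- and post-assignment conflict sets is what makes simulation usable in a provisioning workflow: an approver sees the risk the request adds, not the user's whole history. The separate "unmitigated" set is the figure that the periodic reviews of deactivated conflicts and mitigating controls on the governance slide are meant to keep at zero.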
Process Controls
Technology: Security Weaver's Process Auditor
- Natural integration into SAP
- Low TCO
- Flexibility to weave across multiple processes
- Case management
- Out-of-the-box controls with customisable logic
- Complete auditability and visibility
- Reportability
Roadmap
- Continuous enhancement and awareness
- Real-time intervention
- Route information for approvals through workflows
- Integrate the controls backward and forward
- Weave process controls across multiple systems
Winning factors
- Sponsorship
- Strong definition of requirements and roadmap
- Ability to leverage resources
- Strong financial benefits
- Strong partner knowledge and support
Engagement Example (Process Controls): Key Stakeholders & Objectives
Objective: managed processes to drive compliance and savings and reduce risk.
Focus areas across the process lifecycle: process deployment; process execution and compliance; process output; traceability and reporting.
Process and Controls Head: "How do I minimize risk and maximize cost savings?"
- Framework of risk visibility
- Controls assurance
- Risk/cost trade-off
- Maximize resources to control risk
Process Owners: "How do I ensure processes are complied with and efficient?"
- Exception framework and visibility
- Awareness of consequences
- Flexibility to redesign, simulate, deploy and measure productivity
- Continuous monitoring of efficiency
Business Heads: "Does the process work, and how do I ensure compliance?"
- Amount and percentage of savings
- Data and KPIs to represent efficiency savings
- Learning framework to encourage compliance
- Benchmarking and best practices
Shared Service Centre: "How do I utilize the tools and identify exceptions?"
- Tools to monitor and identify potential exceptions
- Tools to deal with exceptions and report
- Report on results
- Mechanism to feed back improvements
Auditors: "How do I audit and ensure compliance with rules/policies?"
- Case management and documentation
- Audit logs and reports
- Remediation actions and documentation
- Consistent process with flexibility for iteration
Controls Platform (Security Weaver)
Selection
- Weighted scoring against 9 key criteria for 3 market leaders (2010)
- Security Weaver stood out on 3 criteria (Total Cost of Ownership, Performance, Flexibility)
Implementation
- Two waves: technical (2010), business (2013)
Scope