SAP Security Concepts, Segregation of Duties, Sensitive Access & Mitigating Controls. Jonathan Levitt March 2015

Similar documents
Understanding ERP Architectures, Security and Risk Brandon Sprankle PwC Partner March 2015

Risk Management in Role-based Applications Segregation of Duties in Oracle

Access Governance. Delivering value. What you gain. Putting a project back on track for success

Expert Tips To Simplify And Automate Your User Access Request Process David Denson PwC

Case Study of a Segregation of Duties Project

Risk and Controls 101

Segregation of Duties

Moving your enterprise systems to the cloud? What do you need to know to manage the risks? Jamie Levitt, Director

PwC The Path Forward for Data Analysis and Continuous Auditing May 2011

Finance Effectiveness Efficiency

Auditing Standard 5- Effective and Efficient SOX Compliance

Leverage T echnology: Move Your Business Forward

Internal Controls, Fraud Detection and ERP

Using COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister

City of Berkeley. Accounts Payable Audit

SAP SECURITY CLEARING THE CONFUSION AND TAKING A HOLISTIC APPROACH

GRC TRAINING: RISK OWNERS

Continuous Monitoring: Match Your Business Needs with the Right Technique

Case Study Top-Down, Risk-Based Approach Purchase to Pay Process

S24 - Governance, Risk, and Compliance (GRC) Automation Siamak Razmazma

ORACLE APPLICATION ACCESS CONTROLS GOVERNOR FOR PEOPLESOFT

4th Annual ISACA Kettle Moraine Spring Symposium

Accounts Payable Outsourcing Audit April 2014

MEMORANDUM. Municipal Officials. From: Karen Horn, Director, Public Policy and Advocacy; and Abby Friedman, Director, Municipal Assistance Center

Welcome to the internal reconciliation topic

OFFICE OF AUDITS & ADVISORY SERVICES ACCOUNTS PAYABLE VENDOR MASTER FILE AUDIT FINAL REPORT

Accounts Payable Best Practices

Automating the Audit July 2010

Reduce Audit Time Using Automation, By Example. Jay Gohil Senior Manager

Welcome to the financial reports topic

Armanino LLP Welcomes You To Today s Webinar: GP Tips and Tricks: Using Credit Cards in GP

Office of the Auditor General. Audit of Accounts Payable. Tabled at Audit Committee November 26, 2015

Continuous Monitoring and Case Management For SAP: Prevent Errors and Fraud in your most important Business Processes

Continuous Audit and Case Management For SAP: Prevent Errors and Fraud in your most important Business Processes

MANAGEMENT AUDIT REPORT ACCOUNTS PAYABLE

Welcome to the topic on managing delivery issues with Goods Receipt POs.

Information Technology General Controls (ITGCs) 101

Internal Controls over Financial Reporting. Integrating in Business Processes & Key Lessons learned

BTS CP Business Best Practice Process Design. Carola Feind-Just Head Consumer Products MEE Business Transformation Services

Minimize Access Risk and Prevent Fraud With SAP Access Control

Oracle Role Manager. An Oracle White Paper Updated June 2009

ACL WHITEPAPER. Automating Fraud Detection: The Essential Guide. John Verver, CA, CISA, CMC, Vice President, Product Strategy & Alliances

TLS013. Supply Chain Key Performance Indicators (KPIs) and Performance Measurement Ehap Sabri, PhD, CFPIM

Chapter 15 Auditing the Expenditure Cycle


ERP For Small & Medium Enterprises. The most effective and efficient way to run your business. Version 2.0

Improve Business Efficiency by Automating Intercompany Transactions

C31: Introduction to Application Controls: SAP and JD Edwards Sarah E. Thompson and K. C. Fike, PwC

MD AOC Project Introduction to PeopleSoft

Document Information, Statuses & Exceptions in Ariba

GR5 Access Request. Process Diagram

AP Automation Best Practices and Trends Oracle E-Business Suite

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

KANSAS CITY, MISSOURI RESPONSES TO THE FISCAL YEAR 2013 AUDIT MANAGEMENT LETTER

Welcome to the Audit, Control & Security Stream. Sponsored by:

Auditing for Value in the Procure to Pay Cycle Dallas IIA Chapter. October 1, 2009

Processed on SAP Solution Manager Service Center Release EHP 1 for Solution Manager 7.0 Telephone Service Tool 701_2011_1 SP0 Fax

Table of Contents. Transmittal Letter Executive Summary Background Objectives and Approach Issues Matrix...

Audit of the City s Master Vendor File

1. Introduction to the Automated Accounts Payable Development Process Flows of Purchase Orders, Goods Receipts and Invoice Queries...

Accounts Payable and Payments Policy

Leveraging Your ERP System to Enhance Internal Controls

Audit of the Enterprise Resource Planning System Implementation

Accounts Payable. Cash Projections Reports - 3-tiered Pay on Dates show what is due in the next 30/60/90 days.

Connecting the dots: IT to Business

How To Improve Your Business

Supporting Compliance Management with Technology

Maximo ITSM Product Suite. Francois Marais

NetSuite Essentials. Course Description. Key Objectives

Ensure Effective Controls and Ongoing Compliance

IT28 GOING PAPERLESS WITH MICROSOFT DYNAMICS NAV Tom Taylor, Microsoft

Article: Control Systems and Controls Testing: General Review

LGMA Qld Governance and Corporate Planning Village Forum

New, changed, or deprecated features

Continuous Controls Monitoring ISACA, Houston Chapter. August 17, 2006

Process Control Optimisation with SAP

The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act*

Product Brief. Intacct Financials & Accounting. Intacct General Ledger

Compliance & Internal Audit Collaboration

{Governmental Client Training} June 20, 2016

The Basics of Internal Controls

Toronto Maintenance Management System Application Review. the exercise to harmonize business practices is completed;

State of Oregon. State of Oregon 1

Anti-Fraud Management Example In Accounts Payable. Michael Heckner October 12, 2012

EDUCATION, LEARNING AND TEACHING. I have never let my schooling interfere with my education. Mark Twain ( ) American writer.

AGA Kansas City Chapter Data Analytics & Continuous Monitoring

Fraud Control Theory

Accounts Payable Outsourcing

IDS for SAP. Application Based IDS Reporting in the ERP system SAP R/3

ACCOUNTS PAYABLE VOUCHER ADJUSTMENT

PwC Approach to Benefits Management

Oracle Fusion Applications Security Guide. 11g Release 5 (11.1.5) Part Number E

Easy Flow-Based Reporting Procure to Pay, Order to Cash etc.

General Ledger Auditing. Presented By: Jim Lee

Steve Shofner, Moss Adams IT Consultant Debra Mallette, Senior Process Consultant/Specialist, Kaiser Permanente Core Competencies C31

Work Instruction. Reverse Check Payment 11/05/07

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Welcome to the topic on purchasing items.

AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING THAT IS INTEGRATED WITH AN AUDIT OF FINANCIAL STATEMENTS:

Transcription:

SAP Security Concepts, Segregation of Duties, Sensitive Access & Mitigating Controls Jonathan Levitt

Agenda 1. Introduction 2. SAP Security Design Overview 3. The SAP Authorization Concept 4. Approaches to SAP Security 5. Segregation of Duties & Sensitive Access 6. Mitigating Controls 7. Questions 2

Objectives At the end of the session, the participant will: Gain an understanding of the SAP security environment and why security is important to the audit; Define and understand what a segregation of duties conflict in SAP is, and how to monitor/address it; and Define and understand mitigating controls. 3

SAP Security Design Overview 4

SAP Security Design Overview Introduction What is SAP Security Design? At its most fundamental level, SAP Security Design refers to the architectural structure of SAP security roles. However, effective security design is achieved via the convergence of role architecture: 1. SAP Security Organizational Structure & Governance - Ownership, Policies, and Accountability 2. SAP Security Processes - User Provisioning, Role Change Management, Emergency Access 3. Ongoing Management & Monitoring of the Security Environment - KPIs, Recertification, Get Clean & Stay Clean 5

SAP Security Design Overview Introduction Security & Provisioning Processes Org Structure & Governance SAP Security Architecture Monitoring M Effective SAP Security Design Management 6

SAP Security Design Overview SAP Security Design Challenges User provisioning process with insufficient automation & information Role Change Mgmt lacks risk and quality controls Inefficient emergency support process Security & Provisioning Processes Org Structure & Governance Misalignment of IT vs Business Objectives Lack of Strategic Security Design Decisions No Role or Security Design Ownership Management KPIs for Security Design are not established Lack of automation for ongoing monitoring & recertification procedures Insufficient SoD and/or Mitigating control frameworks M SAP Security Architecture Effective SAP Security Design Overly Complex Security Design Lacks flexibility to respond to ongoing changes Lacks scalability to grow with organization Inefficient Role Build Approach No Documentation of Security Control Points Inherent Segregation of Duties Risk Monitoring Management 7

SAP Security Design Overview Audit Issues & Complexity Poor security can lead to audit issues When access controls are not in place, it impact the amount of reliance audit can place on reports coming from SAP Segregation of Duties is a key underlying principle of internal controls, and is the concept of having more than one person required to complete a task. Security can have a detrimental impact on this control (to be discussed in greater detail later in presentation). It is sometimes difficult for auditors to dig deep into SAP because security is complex: In SAP ERP 6.0 o o 108,000 transaction codes 2,600 authorization objects Several transaction codes can perform similar tasks 8

The SAP Authorization Concept 9

The SAP Authorization Concept Introduction Security & Provisioning Processes Org Structure & Governance SAP Security Architecture Monitoring M Effective SAP Security Design Management 10

The SAP Authorization Concept Introduction (continued) SAP Security Architecture Security within the SAP application is achieved through the authorization concept. The authorization concept is to help establish maximum security, sufficient privileges for end users to fulfil their job duties, and easy user maintenance. 11

The SAP Authorization Concept Three levels of security in SAP User master record User requires valid user-id and password 1 T-code check User requires an authorization for transactions 2 Authority check User requires an authorization for underlying authorization objects and field values 3 12

The SAP Authorization Concept The Components SAP User Master Record Master data for SAP users Roles Contains transaction codes, authorizations (mapped to one profile) and user assignments Profiles Container of authorizations Authority Check Performed by SAP to help establish that a user has the correct authorization to execute a particular task. Authorization Object: Template for security that contains fields with blank values Authorization (Field Values): Authorization object with completed fields 13

The SAP Authorization Concept Bringing it together Let s make an analogy the Lock and the Key To open the lock, the proper key must be cut specifically for a certain lock 14

The SAP Authorization Concept User Types SAP Authorization Structure User Type Dialog System Communication Service Reference A B C S L User Role Profile Authorization 15

The SAP Authorization Concept Authorization Structure SAP Authorization Structure User Role Authorization is not the same as transaction. Why? Profile Authorization In SAP, you can perform the same function with different transactions. 16

The SAP Authorization Concept Authorization Structure (continued) SAP Authorization Structure SAP Program Access Elements User Role SAP is delivered with about 1500 authorization objects An object is a structure provided by SAP to grant access to a data element or a task in a specific content. Profile Authorization Authorization Object Authorization Field Values Authorization Object Fields 17

The SAP Authorization Concept Authorization Structure (continued) SAP Authorization Structure SAP Authorization Structure SAP Program Access Elements User Role Menu Items Profile USOBT_C USOBX_C (SU24) Authorization Authorization Object Authorization Data Authorization Field Values Authorization Object Fields 18

The SAP Authorization Concept Why are authorization objects required? In SAP, you can perform the same function with different transactions: Transaction Code MK01 FK01 XK01 Conventional approach protection via menu/function Create Vendor SAP approach protection once via authorization 19

The SAP Authorization Concept The Authority Check Transaction Code check: Object S_TCODE Start T Code Field 1 TCD Start T Code FB03 Authorization check: Object F_BKPF_BUK Display posting Field 1 ACTVT Display 03 Field 2 BUKRS Company Code 1000 20

Approaches to SAP Security 21

SAP Security Approaches Task Based vs. Job Based Security Design Job Based: Security is built based on positions/jobs within the organization, such as AR credit associate. Provisioning access is based on job responsibilities. Smaller number of roles per user increased risk for granting functionality more than once. Transaction codes and authorizations typically duplicated in many roles. Users may be granted more access than necessary as a result of additional job or backup responsibilities. Appropriate for static organizations. Task Based: Security is built based on small, definable tasks, executed by the user, such as process cash receipts. Larger number of roles per user decreased risk of duplicate access. Transaction codes in one roles with minimal exceptions User assignment flexibility simple to grant additional access to only the tasks necessary. Supports future growth and sustainability role modification decreased as a result of functionality improvements and rollouts. Appropriate for dynamic organizations. 22

SAP Security Approaches Job Based Security Design Security roles are built based on positions/jobs for a group of users (e.g. Accounts Payable Clerk). A single role contains the access to perform a job. Transaction codes and authorizations typically duplicated in many roles. AP Supervisor AP Clerk AP Manager 23

SAP Security Approaches Task Based Security Design A task-based design begins by bucketing transactions into one of 4 access tiers: General, Display, Functional and Control Point. Task-based roles contain access to only one of these tiers. What Contract Maintenance AP AR Common Display USER PROFILE User General Process Billing FI Common Display Vendor Master Maintenance TIER 1: GENERAL ACCESS General access is provisioned via one single role made up of tasks common to users such as printing, inbox, SU53, etc. TIER 2: DISPLAY ACCESS Display access is provisioned via a set of roles defined by functional area that allow display and reporting access intended to compliment the functional roles of the users. TIER 3: FUNCTIONAL ACCESS Functional access is provisioned via multiple single task based roles. Role grouping of activities that are the lowest common denominator of tasks and permission components to suit the needs of the end-users. These groupings usually are SoD free and part of a sub-process such as Invoice Processing or Material Master Maintenance. Where Organizational Grouping - A Organizational Grouping - B TIER 4: CONTROL POINTS Roles that provide additional control point access or granularity needed by Tiers 1-3 such as Company Code, Plant, etc. 24

SAP Security Approaches Task Based Security Design (continued) Security roles are built based on positions/jobs for a group of users (e.g. Accounts Payable Clerk). User assigned to the tasks needed to perform his/her job (not a job-based role) User receives multiple single roles Flexibility to each individual user s role assignments AP Clerk User General AP Common Display Process Billing Organizational Grouping - A 25

Segregation of Duties & Sensitive Access 26

Segregation of Duties & Sensitive Access Introduction Segregation of Duties A segregation of duties risk is when a combination of abilities that when assigned to a backend user constitutes a risk. Objective of this risk is to facilitate the appropriate division of responsibilities. Sensitive or Critical Access A sensitive or critical access risk is where the direct assignment of an ability to a backend user constitutes a risk. Objective of this risk is to help establish that access is restricted to the appropriate individuals. 27

Segregation of Duties & Sensitive Access Introduction (continued) Segregation of Duties Example risk: Maintain Accounting Periods vs. Post Accounting Document in GL Allow a user to inappropriately open accounting periods previously closed and fraudulently post documents to that period after month end. Sensitive or Critical Access Example risk: Post Accounting Document in GL Should be restricted to authorized users to thereby decrease the risk of fraudulent, malicious of erroneous journal entries being posted. 28

Segregation of Duties & Sensitive Access Examples Finance: Maintenance of accounting periods should be segregated from the posting of financial transactions in the wrong period. Inventory: The receipt/maintenance of inventory should be segregated from order and invoicing activities. Accounts Payable: Reconciling and releasing blocked vendor invoices should be segregated from daily processing and posting activities. Procurement: Maintenance of contracts and terms should be segregated from payment and billing document changes. 29

Segregation of Duties Walkthrough 30

Segregation of Duties Walkthrough 31

Segregation of Duties & Sensitive Access How to monitor? Companies have many different ways to monitor segregation of duties and sensitive access: SAP GRC Access Control Other access control systems (Approva, ControlPannel, SecurityWeaver, ACL, etc.) or homegrown monitoring tools Reporting transaction code SUIM. 32

Mitigating Controls 33

Mitigating Controls Introduction Defining and applying Mitigating Controls If violating access cannot be remediated as there is a legitimate business purpose for access then mitigation is going to be required. Mitigating controls are designed to cover the residual risk of a user having that access. For example, if a business unit is too small to segregate duties in the purchasing department and users must have the ability to create and approve purchase orders for the business to function, the business may choose to establish a mitigating control to analyze transactions by users with access to both sides of the SOD conflict to mitigate the risk: Risk: A user can create and approve a fictitious PO. Key Control: The ability to release (approve) and create purchase orders is segregated. Mitigating Control: Location supervisor analyze purchase orders entered into SAP by the two Purchasing Clerks from the business unit 34

Mitigating Controls Considerations Is the risk truly a risk for compliance requirement? Yes No Determine the controls in place that mitigate Deactivate or Switch to Low Risk Preventive Detective Scenario 1: No intent to grant access. Scenario 2: Some Users Require Access Scenario 3: Remediation of Access Occurring Scenario 4: Detective Controls Management does not intend that any users receive access to the risk. No mitigating controls should be created. The SOD is enforced partially in the environment, most users do not have the access, however some need it. Detective controls (mitigating) are put in place for these users. Management intends to enforce the SOD however most users currently have access as the business processes require redesign and/or the access remediation. Detective controls (mitigating) are put in place while remediation occurs. Management has detective controls in place that mitigate the associated risk. Management does not intend to segregate the access in the system to mitigate the risk in a preventive manner. Mitigation Process 35

Questions? This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. 2015 PricewaterhouseCoopers LLP. All rights reserved. In this document, refers to PricewaterhouseCoopers LLP which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information