SAP Solutions for Governance, Risk and Compliance August 6, 2015

August 6, 2015 - The Anfield Group, theanfieldgroup.com/wp-content/uploads/2015/08/SAP-GRC...


Page 2

©  2015 SAP AG. All rights reserved. 2 Confidential

Agenda

• SAP Solutions for GRC Overview
• SAP Solutions for GRC
  • SAP Access Control
  • SAP Process Control
  • SAP Risk Management
• SAP Regulation Management by Greenlight
• Wrap up

Page 3

SAP solutions for governance, risk and compliance: Simplify, gain insight and strengthen

(Slide graphic: product landscape grouped by area)

GRC Core
• SAP Access Control
• SAP Process Control
• SAP Risk Management

Native HANA Applications
• SAP Audit Management
• SAP Fraud Management

SAP Solution Extensions
• SAP Access Violation Management by Greenlight
• SAP Regulation Management by Greenlight
• SAP Dynamic Authorization Management by NextLabs

Security
• SAP Identity Management
• SAP Single Sign-On
• SAP Enterprise Threat Detection

Page 4

A Unified Platform…

(Slide graphic comparing a Single Unified Platform with Multiple Solutions. Elements shown: SAP GRC (Access Control, Process Control, Risk Management) on SAP NetWeaver; Monitored Systems (SAP Systems, Non-SAP Systems); Access Risk, Control Effectiveness and Enterprise Risk as separate solutions; Business Intelligence Layer; Enterprise View.)

Legend: Delivered Integration; Integration Enabled by Solution Extension

Notes
(a) No cross GRC application integration
(b) Indirect path to enterprise view
(c) Multiple integration touch points

Page 5

SAP Access Control: Manage access risk and prevent fraud

• Find and remediate SoD and critical access violations
• Automate access assignments across SAP and non-SAP systems
• Define and maintain roles in business terms
• Certify access assignments are still warranted
• Monitor emergency access and transaction usage

(Slide graphic labels: SAP_ALL, Legacy)

Page 6

SAP Access Control: Visibility of Application Access Risk

Page 7

SAP Access Control – Benefits: Sample before/after scenarios

Before
• Reliance on manual or third party efforts to identify conflicts
• Manual process for managing access rights to system. Costly and repetitive clean-up efforts of SoD conflicts
• Lengthy and manual process between IT and the Business to approve user access requests, including email and/or hard-copy forms
• No visibility of SoD risks prior to effecting changes to roles or provisioning users
• Costly and extensive internal/external audit efforts

After
• Implemented a process to identify and remediate SoD conflicts at a granular level; example of initial risk-level violations found: 580K+ (typical)
• Reduction in SoD violations by 99.4% and ability to preserve clean-up effort through risk analysis simulations during role management and provisioning
• Reduction in time to get new users on board from 14 days to 1.42 days, with over 92% of requests being automated
• Workflow approval and risk analysis simulation built into role management and user provisioning
• Experienced 90% faster internal audit and 50% faster external audit revision time

Page 8

SAP Process Control: Ensure effective controls and on-going compliance

• Document controls and policies centrally; map to key regulations and impacted organizations
• Perform periodic risk assessments to determine scope and test strategies
• Evaluate control design and effectiveness; raise and remediate issues
• Perform automated, exception-based monitoring of ERP and other systems
• Support decisions and promote accountability with insightful analytics and sign-off

Page 9

Automated control testing and monitoring for SAP and non-SAP systems
Identify issues sooner while reducing effort and cost

Key Benefits
• Accurately identify and analyze control exceptions across SAP and non-SAP business applications
• Route exceptions via workflow to ensure timely investigation, documentation and remediation
• Use configurable rules, existing queries, SAP reports, and best practice content to create the monitoring you need without programming

Page 10

SAP Process Control – Benefits: Sample before/after scenarios

Before
• No single repository of risks and controls; exist in various spreadsheets or separate tools
• Lack of resources to execute internal and external audit/compliance testing – high number of manual controls
• Limited visibility of compliance / testing status and remediation efforts
• Lack of scheduling and assignment capabilities for control owners
• Lack of a structured and automated certification/sign-off process
• Limited to no automated policy management capabilities

After
• One common, shared repository of process risks and controls across all areas including finance, operations, and regulation specific, allowing for 25% less time spent on compliance activities and less time preparing for audits
• Optimization of limited resources through reduced duplication of controls (up to 30%) and increase in automated testing (automation of 160+ controls)
• Improved reporting for compliance managers, top-level management, and external stakeholders/auditors
• Scheduling and assignment tracking ensures accountability
• Structured, electronic sign-off ensures completeness and auditability
• Automated policy management lifecycle ensures proper tone set within organization

Page 11

SAP Risk Management: Preserve and grow value

• Plan risk management within the context of value to the organization
• Link risks, risk drivers, risk indicators, impacts and responses
• Analyze risk via scenarios, modeling, & other factors to understand exposure
• Design and manage risk mitigation strategies
• Monitor thresholds, effectiveness of risk responses, and corrective actions

Page 12

SAP Risk Management: Visibility of Enterprise Risks

Page 13

SAP Risk Management – Benefits: Sample before/after scenarios

Before
• No formal solution to plan, identify, analyze, respond, and monitor risks
• Risk management function performed in silos with manual tools by each business unit
• Loss events not captured, advanced modeling not performed
• Effective responses not put in place to reduce incidents and exposure over time
• Risk management is reactionary, no real-time visibility into risk status

After
• Implemented the SAP Risk Management solution based on COSO’s risk management framework to help formalize and solidify a more mature risk management function
• A unified approach to enterprise risk management allows for adoption of a common methodology and aggregation from lower-level to high-level risks
• Loss events are captured, and advanced modeling capabilities such as “Monte Carlo scenario modeling” are performed
• Risk responses put in place and monitored for effectiveness over time
• Key risk indicators established to monitor real-time risks and prevent loss events from materializing

Page 14

Agenda (repeated from page 2)

Page 15

SAP Solutions for Governance, Risk and Compliance: 3 Takeaways

1. SAP enables a flexible, scalable unified approach to GRC initiatives
2. Our solution extends beyond SAP applications to provide a unified view of the “state of compliance”
3. SAP enables unparalleled automation and efficiency to streamline your compliance initiatives

Page 16

Thank you!

Page 17

© 2015 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.