PwC Advisory
Governance, Risk and Compliance

Segregation of duties and access control
Leveraging SAP GRC to meet the challenges

Gr c 2009 Segregation Access Control


7/28/2019 Gr c 2009 Segregation Access Control

http://slidepdf.com/reader/full/gr-c-2009-segregation-access-control 1/6


Are you worried about unauthorised access to critical systems and confidential information?

Are you able to identify and address segregation of duties (SoD) conflicts effectively?

Is access control technology really beneficial and necessary?

Why segregation of duties and access control?

With the heightened focus on corporate governance and internal controls in today's business environment, organisations need to implement effective measures for achieving regulatory compliance and meeting a variety of stakeholder demands – among them the demand for a better and more effective Governance, Risk management and Compliance (GRC) programme.

Implementing effective and efficient internal controls is an important aspect of a GRC programme. Internal controls are mechanisms that help organisations achieve their business objectives while containing risks which may lead to financial, operational and reputational losses. Effective and efficient internal controls are directly correlated with an organisation's ability to execute business transactions and to ensure productivity, profitability and sustainability.

Internal controls in a business environment are often enforced through segregation of duties in business processes. Different roles and responsibilities are assigned to each individual to provide a check-and-balance environment appropriate to the risk level of the business. Segregation of duties is naturally embedded in the hierarchical and compartmentalised structure of any business organisation.

However, there is often a blind spot: access to computer systems. With the advent of computer systems in almost every aspect of business, organisations are increasingly reliant on technology-based access control to enforce segregation of duties. Without proper and adequate access control, organisations may find out the hard way that segregation of duties has been bypassed and the controls no longer work.

Addressing the key issues

Many organisations have difficulties managing segregation of duties and access controls. These realisations often arise through inspections and audits or, in some cases, fraud investigations. The three common issues are:

• How to identify SoD conflicts, and what level of segregation is adequate
• How to balance the inconvenience of access controls against productivity
• How to monitor the use of powerful system functions and unauthorised access to confidential information on a continuous basis

These three issues cannot be addressed effectively without the support of access control technology.

SAP GRC Access Control enables you to achieve:

• Minimal time for compliance – by setting up the right access controls using a comprehensive library of SoD rules, which allows you to go live quickly and achieve a cost-effective clean-up of initial controls to stop future violations.

• Continuous access management – by enforcing SoD compliance from the start with enterprise-wide role design, documentation and maintenance that eliminate manual errors and enforce best practices. This prevents the reintroduction of SoD violations and allows business users to perform emergency activities using superuser privilege in a controlled manner.

• Effective management oversight and audit – by giving managers effective and comprehensive oversight through user access reaffirmations and reviews of access risk, SoD rules, mitigating controls and roles. There are also audit trails for role provisioning, user provisioning, emergency access and more. Auditors can more easily and comprehensively validate proper management oversight, ensuring the business complies with all policies by making sure that all access is properly authorised and that SoD risks are appropriately mitigated.

The importance of a holistic GRC approach

Building and implementing segregation of duties and access control requires a holistic approach that is woven into the fabric of the organisation, often viewed as part of a larger GRC programme. Under this view, an effective governance structure is put in place, and roles and responsibilities are clearly defined. Risk identification, assessment and mitigation are closely tied to the achievement of the organisation's business objectives. Executives and management have ready access to timely, accurate and relevant information about controls and their impact on risk exposure. In other words, segregation of duties and access control are not the responsibility of one or two departments; they are a concerted effort of everyone in the organisation, from the Board right down to the staff on the ground.


PwC is the specialist in SoD and access control

As one of the largest and most experienced global providers of GRC services, PwC has been working closely with technology providers such as SAP to help organisations create integrated, sustainable GRC programmes.

PwC's proven methodology and approach ensure that organisations implement and operate SAP GRC Access Control using proper Strategy, Structure, Process, People and Technology.

Our approach recognises that technology is not a solution but an enabler: a tool to efficiently gather and analyse data and to support people and processes. With one of the largest available global resource pools in SAP GRC technologies, we work with organisations to address a wide range of GRC issues. We can help you:

• Define the strategic vision for an integrated GRC programme at the most appropriate level – enterprise, regional or divisional – to ensure you remain within your risk tolerance
• Conduct a current state assessment of GRC capabilities and identify gaps and requirements for key risks and controls, probably in areas such as training, monitoring and project risk reviews
• Implement and integrate the solution in accordance with the strategic vision
• Customise the SAP GRC solution to specific organisation needs and requirements
• Leverage templates, tools and standard industry practices to "fast track" implementation
• Support solution implementation with knowledge and experience in key GRC-related areas, such as information security, data management and sourcing
• Design and configure reporting to help meet client regulatory, compliance and risk management needs
• Conduct testing, remediation and training activities to maintain the effectiveness of the GRC programme, personnel and policies

PwC GRC Programme (diagram)

• Strategy: Adopt a holistic GRC approach that involves all key stakeholders
• Structure: Align to strategy with a control framework, clear governance structure, and well-defined security roles, responsibilities and procedures
• Process: Implement effective and efficient processes to ensure continuity of controls
• People: Align the human elements of the business with proper skills, competency, training, and clearly defined performance measures
• Technology: Provide a consistent platform to achieve sustainability, consistency, transparency and efficiency

The effect of tightening SoD and access controls

Organisations that have gone through this exercise typically experience the following:

• A more clearly defined set of SoD rules
• Significantly fewer transaction codes assigned to each user. In the example below, originally 45% of users had more than 500 transaction codes each. After the exercise, 90% of users had fewer than 300 codes each.
• Workflow for user provisioning
• Remediation of SoD conflicts

[Chart: No. of transaction codes per user, before and after the exercise (sample size: 220 users). Buckets: < 100, 100-300, 300-500, > 500; vertical axis: percentage (%) of users, 0 to 50.]
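As an added example (not PwC's or SAP's code), the following Python shows the two analyses the brochure refers to: a rule-library check for SoD conflicts over user transaction-code assignments, as in the "Minimal time for compliance" capability above, and the bucketed transaction-codes-per-user distribution shown in the chart. The transaction codes are standard SAP ones; the grouping of codes into business functions, the rule ids and the user assignments are constructed for illustration, and values on a bucket boundary are assigned to the lower bucket (an assumption, since the chart does not say).

```python
from collections import Counter
# Business functions as sets of SAP transaction codes. The codes are standard
# SAP ones; the grouping into functions is constructed for this example.
FUNCTIONS = {
    "VENDOR_MAINTAIN": {"XK01", "XK02", "FK01"},  # create/change vendor master
    "INVOICE_POST": {"FB60", "MIRO"},             # post vendor invoices
    "PAYMENT_RUN": {"F110"},                      # run payments
    "PO_CREATE": {"ME21N", "ME22N"},              # create/change purchase orders
    "GOODS_RECEIPT": {"MIGO"},                    # post goods receipts
}
# SoD rule library (constructed ids): function pairs no single user may hold.
SOD_RULES = {
    "P001": ("VENDOR_MAINTAIN", "PAYMENT_RUN"),   # pay a vendor you created
    "P002": ("VENDOR_MAINTAIN", "INVOICE_POST"),  # invoice a vendor you created
    "P003": ("PO_CREATE", "GOODS_RECEIPT"),       # order and receive the goods
}
BUCKETS = ("< 100", "100-300", "300-500", "> 500")

def functions_held(tcodes):
    """A user holds a function if any one of its transaction codes is assigned."""
    tcodes = set(tcodes)
    return {f for f, codes in FUNCTIONS.items() if codes & tcodes}

def sod_conflicts(users):
    """Return {user: [violated rule ids]} for users with at least one conflict."""
    report = {}
    for user, tcodes in users.items():
        held = functions_held(tcodes)
        hits = [r for r, (a, b) in SOD_RULES.items() if a in held and b in held]
        if hits:
            report[user] = sorted(hits)
    return report

def tcode_distribution(users):
    """Percentage of users per transaction-code-count bucket, as in the chart.
    Boundary counts (100, 300, 500) go to the lower bucket (assumption)."""
    def bucket(n):
        return BUCKETS[0] if n < 100 else BUCKETS[1] if n <= 300 else BUCKETS[2] if n <= 500 else BUCKETS[3]
    counts = Counter(bucket(len(set(t))) for t in users.values())
    return {b: round(100.0 * counts[b] / max(len(users), 1), 1) for b in BUCKETS}

# Constructed user assignments; Zxxx are placeholder custom codes to pad counts.
USERS = {
    "ap_clerk": {"FB60", "MIRO"},
    "ap_super": {"XK01", "FB60", "F110"},
    "buyer": {"ME21N", "MIGO"} | {f"Z{i:03d}" for i in range(600)},
    "auditor": {f"Z{i:03d}" for i in range(150)},
}

if __name__ == "__main__":
    print(sod_conflicts(USERS))       # {'ap_super': ['P001', 'P002'], 'buyer': ['P003']}
    print(tcode_distribution(USERS))  # {'< 100': 50.0, '100-300': 25.0, '300-500': 0.0, '> 500': 25.0}
```

In practice the risk analysis would also consider the authorisation objects behind each transaction code, not just the code itself; this example keeps to the transaction-code level the brochure's chart uses.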


Segregation of duties and access control management: overcome fragmentation, gain comprehensive access control (stakeholder diagram)

• Board, Audit Committee: Preventive approach
• Internal Audit: Lower cost of audit and audit-related fees
• IT Operations: Improve efficiency by automating core compliance/security tasks
• Information Security: Sensitive transaction monitoring
• Supply Chain, Customers & Channel, Operations: Compliant, role-based access control
• Human Resources: Efficient and compliant user provisioning
• Finance: Vulnerability to unwanted financial activity fixed
• Executives & Managers: Manage compliance with confidence

PwC's GRC Access Control implementation approach (diagram)

PwC: Risk analysis, remediation and prevention services; cross-enterprise library of best practice segregation of duties rules

SAP GRC Access Control components, by phase:

• Get clean (Minimal Time To Compliance): Risk Analysis and Remediation – rapid, cost-effective and comprehensive initial clean-up
• Stay clean (Continuous Access Management): Enterprise Role Management – enforce SoD compliance at design time; Compliant User Provisioning – prevent SoD violations at run time; Superuser Privilege Management – close the #1 audit issue with temporary emergency access
• Stay in control (Effective Management Oversight and Audit): Periodic Access Review and Audit – focus on remaining challenges during recurring audits

SAP GRC Access Framework

Advise on and facilitate the setting up of a GRC Access Framework, and implement both SAP GRC Compliant User Provisioning (CUP) and Superuser Privilege Management (SPM) to sustain SAP access compliance.

Outcome and benefits:
• A structured SAP GRC Framework is set up
• Controlled and secured user provisioning is put in place with Compliant User Provisioning and Superuser Privilege Management
• Sustainability is achieved

Role Remediation

Facilitate role remediation workshops to 'clean up' roles with two best-in-class offerings working together:
• PwC's SAP Role Redesign Methodology and Risks Library
• SAP GRC Enterprise Role Management (ERM)

Outcome and benefits:
• SAP authorisation is standardised and roles are clearly designed using Enterprise Role Management

Risk Analysis

Prepare, plan and facilitate risk workshops to identify SoD and access control rules, and implement SAP GRC Risk Analysis and Remediation (RAR).

Outcome and benefits:
• SoD and access control rules are identified, with clearly documented remediation and mitigating controls


Contacts:

Chan Hiang Tiak

+65 6236 3338

[email protected]

Tan Shong Ye

+65 6236 3262

[email protected]

Charles Loh

+65 6236 4479

[email protected]

Keith Stephenson

+65 6236 3358

[email protected]

For general enquiries, please email to [email protected]

The information contained in this brochure is of a general nature only. It is not meant to be comprehensive and does not constitute the rendering of legal, accounting, tax or other professional advice or service by PricewaterhouseCoopers. Before taking any action, please ensure that you obtain advice specific to your circumstances.


pwc.com/sg

© 2009 PricewaterhouseCoopers LLP. All rights reserved. "PricewaterhouseCoopers LLP" is part of the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.