© Copyright BvD-it Services 2004 SAP GRC access control @ ULg Pierre Blauwart – Project Manager HERUG

Page 1: SAP GRC access control @ ULg

© Copyright BvD-it Services 2004

SAP GRC access control @ ULg

Pierre Blauwart – Project Manager

HERUG

Page 2

Pg.: 2 | 19/11/2004

Agenda

ULg in a nutshell

Context

Definitions

Methodology & Roadmap

Project status

Page 3

ULg – an all-round university

- 17,000 students
- 3,800 foreign students
- 80 nationalities
- 3,200 graduates a year

- Budget: 269 million Euros, of which 50 % is allocated to research
- 3,400 employees, of which 2,200 are teachers and researchers
- 3,000 employed at the University Hospital Centre (CHU)
- Around 1,500 jobs at the Liège Science Park (60 businesses)
- 900 jobs in spin-offs resulting from scientific research

Page 4

ULg – SAP Implementation

- SAP for Finance & Logistics: MM, SD, EP, CATS, PS, RRB, PCA, BI, PI, GRC
- 600 users – 1,000 roles
- HR: non-SAP; SLCM: non-SAP

www.ulg.ac.be

Page 5

Context

Trends in the ULg ecosystem: growing pressure to control the exposure to fraud and data tampering
- External: more and more controls from public grantors, with concerns about the access procedure. This has resulted in audits driven by some of them, focused on segregation of duties.
- Internal concern as well

Segregation of duties:
- SoDs are a primary internal control intended to prevent, or decrease the risk of, errors or irregularities, identify problems and ensure corrective action is taken.
- Principle: this is achieved by ensuring that no single individual has control over all phases of a business process. Example: modify vendor bank account + vendor payment
- Remediation: incompatible duties are divided, or segregated, among different people to reduce the risk of error or inappropriate actions.

Page 6

Solution selection: SAP GRC Access Control

GRC: Governance, Risk & Compliance
- Governance: manages the strategic directives a company wants to follow
- Risk: management assesses the areas of exposure and potential impacts
- Compliance: tactical action to mitigate risk

SAP GRC Access Control monitors, tests, and enforces access and authorization controls across the enterprise.

Solutions assessed:
- Set up a GRC tool
- Use detection solutions that operate on downloaded data

Solution adopted: install SAP GRC Access Control

Page 7

Scope of the project: Access Control

Page 8

Scope of the project: Phase 1

Compliance Calibrator, Firefighter

Page 9

GRC installation
- Version 5.2
- Connected to the ECC instance

Proof-of-concept: first risk assessment
- About 300,000 violations
- First action: drastically reduce SAP_ALL and SAP_NEW

Scoping of phase 1
- Risks have been grouped by BPO: FLC (Financial & Closing), OTC (Order to Cash), P2P (Procure to Pay), I2P (Idea to Project)
- Basis component: out of scope

Project roadmap (diagram, steps 1 to 5): Step 1 Project Preparation (RFC, proof of concept), Step 2 Risk assessment, Step 3 Remediation, Step 4 Go Live & Support, Step 5 ...; Implementation Cycle 1, Implementation Cycle 2, Implementation Cycle 3.

Page 10

Risks per Business Process (SoD risks)

- BP Finance & PS: 32 SoD risks
- BP Material Management: 14 SoD risks
- BP Purchasing: 67 SoD risks
- BP Customer (& grantors) invoicing: 29 SoD risks
- BP Basis – technical: 19 SoD risks
- BP EC-CS Consolidation: 14 SoD risks
- BP HR & payroll: 21 SoD risks
- BP APO: 16 SoD risks
- BP CRM: 20 SoD risks
- BP EBP & SRM: 24 SoD risks

Page 11

Step 2: Risk Assessment

1. Workshops: adapt the standard SoD matrix
   - Are the risks proposed in the standard matrix relevant?
   - Do we have to add some risks?
   - Do we have to consider additional (custom Z*) transactions?
   - Adapt the GRC standard risk levels: Critical, High, Medium & Low
2. Design (update) the SoD matrix in the SAP GRC system
3. Run the risk assessment
4. Perform the analysis

Page 12

GRC screens - Compliance Calibrator (CC)

Page 13

GRC screens - Compliance Calibrator (CC)

Page 14

GRC screens - Compliance Calibrator (CC)

Page 15

Pg.: 15 | 10/06/2009

GRC screens - Compliance Calibrator (CC)

Page 16

Risk assessment

Results:
- 98 % (516 out of 525) of the SAP users have SoD risks
- SoD violations on "display" roles!

Recommendations on naming convention:
- The name of the role gives information on the underlying business process
- Use simple roles
- Aggregate simple roles in composite roles
- Identify the different roles quickly: simple roles "Z:xxx", composite roles "ZC:xxx", display roles "Z:xxx_V"
- Create one specific role dedicated to each critical risk

Remark on traceability: the system keeps the history of the violations related to each risk assessment, so perform the first analysis in the acceptance system.

Page 17

Step 3: in progress

- Remediation: no role may contain an SoD violation
- Mitigation: accept the risk for certain users and enforce a control on them
- Use Firefighter to track actions performed by super users during a given period of time (closing period, for example)
- Integration with SAP EP
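As an added illustration of the checks described on the context slide (SoD principle, vendor master change + vendor payment) and in Step 3 (role-level remediation, user-level mitigation), the following toy SoD analyser is example code, not ULg's project code or SAP Compliance Calibrator itself. The function names, role names, transaction codes and mitigation control are constructed for the example and follow the deck's Z:/ZC:/_V naming convention.

```python
"""Toy segregation-of-duties (SoD) analyser: a risk is a pair of conflicting
functions, a function is the set of transactions that perform a duty.
Added example; role names, tcodes and controls are constructed, not ULg data."""

FUNCTIONS = {
    "VENDOR_MASTER_CHANGE": {"FK02", "XK02"},  # modify vendor bank account
    "VENDOR_PAYMENT": {"F110", "F-53"},        # vendor payment
    "VENDOR_MASTER_DISPLAY": {"FK03"},         # display only, no SoD conflict
}
# risk id -> (level: Critical/High/Medium/Low, conflicting functions)
RISKS = {"P001": ("High", ("VENDOR_MASTER_CHANGE", "VENDOR_PAYMENT"))}

# Simple roles Z:xxx carry transactions; composite roles ZC:xxx aggregate
# simple roles; display roles end in _V (naming convention from the deck).
SIMPLE_ROLES = {
    "Z:AP_VENDOR_MAINT": {"FK02", "XK02"},
    "Z:AP_PAYMENT": {"F110", "F-53"},
    "Z:AP_VENDOR_V": {"FK03"},
}
COMPOSITE_ROLES = {"ZC:AP_CLERK": {"Z:AP_VENDOR_MAINT", "Z:AP_PAYMENT"}}

def role_tcodes(role):
    """Transactions granted by a role, expanding composite roles."""
    if role in COMPOSITE_ROLES:
        return set().union(*(SIMPLE_ROLES[r] for r in COMPOSITE_ROLES[role]))
    return set(SIMPLE_ROLES[role])

def risks_in(tcodes):
    """Risk ids for which every conflicting function is reachable from tcodes."""
    return sorted(rid for rid, (_level, funcs) in RISKS.items()
                  if all(FUNCTIONS[f] & tcodes for f in funcs))

def role_violations():
    """Remediation rule from Step 3: no single role may contain an SoD risk."""
    found = {}
    for role in list(SIMPLE_ROLES) + list(COMPOSITE_ROLES):
        hits = risks_in(role_tcodes(role))
        if hits:
            found[role] = hits
    return found

def user_violations(user_roles, mitigations):
    """Per user: risks across all assigned roles, split into open risks and
    risks accepted under a mitigating control assigned to that user."""
    report = {}
    for user, roles in user_roles.items():
        hits = risks_in(set().union(*(role_tcodes(r) for r in roles)))
        accepted = mitigations.get(user, {})
        report[user] = {"open": [r for r in hits if r not in accepted],
                        "mitigated": {r: accepted[r] for r in hits if r in accepted}}
    return report
```

A display-only role such as Z:AP_VENDOR_V never contributes to a risk here, which is the behaviour the deck's "violations on display roles" finding says a real matrix must be tuned to achieve.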

Page 18

Questions ?

Send a mail to our CFO : Anne Girin

[email protected]