EW Consultants Private Limited. Private & Confidential.
Contents
❯ Challenges with User Access in SAP ERP System
❯ Need for Automated Access Controls tools
❯ About Us
❯ Our Team
❯ About XsXprt
❯ Product Overview
❯ Key Features
❯ Value Added Features
❯ Value Delivered
❯ Annexures
Challenges with User Access in SAP ERP System
❯ Difficulty in identifying who (users) has what (access)
❯ How to provide assurance to the auditors that user access controls are in place?
❯ SUIM report is unable to provide a holistic view of segregation of duties (SOD) conflicts
❯ How to ensure the security of data and prevent fraud from happening in SAP?
❯ How to ensure that users are getting authorizations based on their roles & responsibilities?
❯ How to check that an addition or modification in authorizations will not lead to SOD conflicts?
❯ Difficulty in managing access change requests and getting appropriate approvals for them
❯ Are user licenses efficiently managed to save the company from paying penalties due to SAP EULA violations?
❯ SAP Administration team wasting productive time and effort in building reports every month/quarter
Need for Automated Access Controls tools
❯ 2013 Sarbanes-Oxley Compliance Survey, conducted by Protiviti
❯ ‘Are You Doing Enough to Prevent Access Risk and Fraud?’ A study on SAP Customers conducted by insiderPROFILES
Compliances impacting User Access Controls
There is more than one reason for the management of small, medium and large organizations to look for automation of user access controls. Below are some of the compliance requirements, besides statutory audits, that require assessment of user access controls on a periodic basis:
❯ Section 177(4)(vii) and 143(3)(i) of the Indian Companies Act 2013
❯ Sarbanes Oxley (SOX)
❯ J-SOX
❯ HIPAA
❯ PCI
❯ GLBA
❯ ISO 9004:2009
❯ ISO 19011:2011
❯ SSAE 16
❯ GS007
SAP ECC is the leading ERP system in the world with over 253,500* customers worldwide. It has a very complex application security design that requires a specialized skill set and tools to assess the strengths and weaknesses of user access at the grass-root level.
Disclaimer:
* Facts and figures obtained from SAP.com
** SAP, R/3, mySAP, NetWeaver and ABAP are legal trademarks of SAP AG, Walldorf.
About Us
EW Consultants Pvt. Ltd.
We offer a wide range of services in four major domains, i.e. People, Process, ERP Systems and IT Infrastructure. Our service offerings are classified into Risk Advisory, Consulting, Business Solutions and Training. Our Business Solutions division focuses on developing enterprise applications.
We have a team of dedicated, experienced and highly qualified advisory professionals who have worked for ‘Fortune 500’ clients across countries including US, UK, Europe, APAC, UAE and India. Our team comprises CA, MBA, CISA, ISO 9000 Auditor, Engineers and SAP Certified professionals. Our team comes from diverse Big4 backgrounds, bringing extensive delivery and project management experience for rendering risk advisory services. Along with the SAP ECC system, our team has hands-on experience working on leading audit tools such as SAP GRC Access Controls, Approva Bizright Access Controls, etc.
We are supported by our team of domain experts and business partners bringing combined experience of over 500 man-years, to help us deliver the best of our services. We are also fortunate in receiving guidance from our advisory board, a team of senior management executives such as CFOs and CIOs from various industries in India and globally.
Service offerings: Risk Advisory, Consulting, Business Solutions, Training
About Us
Our Capabilities
❯ IT Infrastructure
❯ ERP System
❯ Process
❯ People
We provide a one-stop solution for all your business needs…
Product Overview
XsXprt™ is a user access and compliance management tool designed to work with the SAP ERP system. It acts as a decision support system that allows you to identify and fix user access violations in a timely manner. XsXprt is designed to manage various internal and external compliances.
It provides deeper insight into user access through its comprehensive reports and simulators. XsXprt brings you leading industry control practices through the vast experience of our experts from diversified sectors.
Primary objectives:
❯ Identification of Segregation of Duties (SOD) violations and access to sensitive business functions
❯ Providing assurance to auditors on user access controls
❯ Building strong internal controls to prevent unauthorized access
❯ Actively monitoring usage of licenses and health check of user access
❯ Reducing cost of compliance and preparing for compliance audits such as SOX
Leveraging our years of global experience in SAP Risk Advisory, focused on user access risk management and segregation of duties controls, we bring to you an advanced automated solution for smartly managing user access controls in SAP.
Key Features
❯ Risk Management
  ❯ Quickly identify access risks such as super user access and SOD violations that may lead to fraud or misreporting
❯ Compliance reporting
  ❯ Adhere to the current and future compliance requirements of the regulatory bodies, using our comprehensive reports
❯ Auditor Assurance
  ❯ Provide assurance to your internal and external auditors by providing real-time audit data per their requirements
❯ Business specific rules and matrices
  ❯ Design your own custom rule books from our huge repository of SOD rules and assess the state of your user access
❯ User access provisioning
  ❯ Be proactive and check possible ‘what-if’ violation scenarios using our dynamic simulators before assigning new authorizations
❯ License cost management
  ❯ Take control of your SAP user license utilization to manage license cost and SAP license audits
Value Added Features
❯ Rule enhancement
  ❯ Our innovation to automatically manage rules in the rulebooks with dynamically changing user access
❯ Dynamic workflow
  ❯ A comprehensive and customizable workflow with high security and email alerts to ensure the approval process can be automated
❯ Statistical measures
  ❯ Statistically computed risk scores to help categorize the users into groups per their risk levels
❯ Infographic dashboard
  ❯ Infographic view of the user access issues to provide a bird's-eye view for the management to devise an action plan
❯ In-memory processing
  ❯ Built with in-memory capabilities to provide you faster processing and scalability (tested on data of 9000+ users)
❯ User-friendly design
  ❯ Interface designed to provide user comfort for any technical / functional user to work with ease
Value Delivered
Administrator:
❯ In-built rule-set repository to assist in evaluation of gaps
❯ Reduction in effort for managing user access and change requests
❯ Get real-time state of user access and violations using smart reports
❯ High speed in-memory data processing to save time and optimize resource utilization
❯ SAP Certified Integration to ensure safety of data
Management:
❯ Infographic dashboard and variety of reports to provide a bird's-eye view of access to SAP
❯ Audit and compliance readiness
❯ Reduction in cost of compliance
❯ No need to spend on expensive IT infrastructure and implementation projects
❯ Improved assurance on user access controls
Process Owners:
❯ Simplified process for requesting and reviewing access
❯ Take ownership of user access based on defined roles & responsibilities
Auditors:
❯ Quick and accurate assessment of gaps using detailed reports
❯ Increased reliability on audit data as compared to traditional methods
Case Study
Background:
HDFC Standard Life Insurance Company Limited (HDFC Life) is one of the leading private life insurance companies in India. HDFC Life implemented SAP in December 2009 with over 1700 users.
Challenges:
Since the implementation of SAP at HDFC Life, they were facing challenges in managing their user access based on their roles and responsibilities:
❯ Continuously changing access requirements of the business users
❯ Extensive employee movements: new joiners, transfers, terminations, etc.
❯ Managing change requests w.r.t. 2000+ roles assigned to 1700+ users in SAP
❯ Difficulty in maintaining segregation of duties and access to sensitive business transactions
❯ Pressure from management and external auditors to ensure user access compliance, and many more…
Solution:
❯ Identifying gaps
❯ Suggesting solution for remediation
❯ Redesigning existing roles
❯ Realigning user access provisioning process
Result of the exercise:
As a result of the project, there were visible improvements in the user access and the process also got streamlined. However, managing this process manually was still a challenge.
The user access optimization exercise was able to provide them immediate resolution of issues; however, managing user access in the long run required more than spreadsheets. To manage this activity on a continuous basis they required an automated solution: a tool that can help them perform preventive checks before granting access to users, based on this new SOD matrix.
Implementation of XsXprt:
Considering this challenge, we suggested that they leverage our user access and compliance management tool, ‘XsXprt’.
XsXprt is an advanced tool capable of performing both what-if simulations and providing conflict reports within the SAP user access. It provides deeper insight into user access on a near real-time basis. It can help identify and remediate gaps affecting user access in SAP.
How XsXprt helped:
❯ Reducing their overall time and effort in managing access
❯ Enabling daily check for possible SOD conflicts
❯ Acting on issues related to user access, licensing and overall health-check, using detailed reports
❯ High speed data processing and silent data extraction using seamless integration with SAP
Application Prerequisites
Software:
❯ Operating System: Windows Server 2008 onwards
❯ Database: Microsoft SQL Server 2008 R2 onwards
❯ IIS: Version 7.0 onwards
❯ ASP.Net Framework: version 4.0 onwards
❯ Xtract IS
Hardware:
❯ Storage: 40-50 GB
❯ Memory: 6-8 GB RAM
Deployment:
❯ Time required: 2-3 days
❯ Custom Rule-set development: 12-15 days (optional)
Thank You.
Gourav Ladha
MBA, SAP Certified
Director
Mobile : +91-971-295-2955
Email: [email protected]
www.ewcindia.co.in +91-79-65444107
G-402, Titanium City Centre, Anand Nagar 100 Feet Road, Satellite, Ahmedabad - 380015
EW Consultants Private Limited