
SAP Solution in Detail
SAP BusinessObjects Governance, Risk, and Compliance Solutions
SAP BusinessObjects Access Control

Confidently Control Access and Prevent Fraud

SAP BusinessObjects Access Control

Executives today struggle to address compliance initiatives for an ever-increasing number of regulatory requirements. At the same time, business partners and customers expect a more efficient exchange of information from businesses, which must establish an open IT infrastructure in response. Ensuring proper segregation-of-duties policies to manage access adds a burden for IT stakeholders in these organizations. The SAP BusinessObjects Access Control application helps business managers, IT security, and auditors collaborate in controlling access and preventing fraud across the enterprise while minimizing audit time and audit-related costs.

Content

Challenges to Efficient Compliance Management  4
  Fragmented Approach Increases Risk  4
  Inefficient Compliance Processes  4
  Lack of Real-Time Oversight  4
Reduced Access Risk Across the Enterprise  6
  Enterprise-Wide Risk Analysis  6
  Risk Mitigation  6
Streamlined Compliance Processes  8
  Enterprise Role Management  8
  Compliant User Provisioning  9
  Superuser Privilege Management  10
Real-Time Oversight  11
  Management Oversight for Business Owner Accountability  11
  Minimized Audit Time and Audit-Related Costs  12
  Integrated Solutions to Build Business Effectiveness  12
SAP BusinessObjects Governance, Risk, and Compliance Solutions  13
  Obtain Complete Insight, Greater Efficiency, and Improved Flexibility  13
  Complete Insight  13
  Greater Efficiency  13
  Improved Flexibility  13
Find Out More  13

Challenges to Efficient Compliance Management


Fragmented Approach Due to Complex Regulatory Environment

The regulatory environment for public and nonprofit organizations has become increasingly complex. Companies must address not only horizontal mandates in such areas as financial reporting, security, privacy, records retention, import-export regulations, environmental standards, occupational safety, and credit risk exposure but also vertical mandates for their industry-specific areas. The growing number of regulatory requirements often results in a fragmented approach across the enterprise, in which each department or business unit is independently tasked with implementing policies, identifying and measuring risks, and supporting regulatory mandates.

Inefficient Compliance Processes


In this approach, risk and compliance initiatives are generally defined and measured at the local level and supported by local departmental IT systems. The local decision makers responsible for their initiative are often unaware of the interdependencies between their mandates and those in other departments. Complicating the matter, each departmental IT system may use its own metrics, standards, and methodologies for analyzing the risk and compliance information for the initiative it supports. As a result, data aggregation becomes a complex and time-consuming task and often results in a limited or false view of enterprise risk. Such an inefficient approach can lead to duplication of controls, inconsistent policies, and difficulty in predicting risk. Transparency is lost, while the cost of preventing critical access risk and managing compliance rises significantly.

While the visibility continues to improve, the access to sensitive data by current and former employees continues to be a key risk element.
2010 Global State of Information Security Survey by CIO, CSO, and PricewaterhouseCoopers

Fragmented Approach Increases Risk


This fragmentation greatly impacts access control management, one of the key controls for effective compliance, which can only be addressed enterprise-wide. Administrators are faced with thousands of users, roles, and processes that require access evaluation, testing, and remediation. Without proper segregation of duties (SoD) controls, mistakes and fraud due to overreaching system-access privileges can significantly impact the performance and reputation of any organization. The cost in money and resources to implement SoD controls and prevent critical access risk on an ongoing basis can be overwhelming for many companies.

Lack of Real-Time Oversight


Recently, there has been an increasing number of incidents of corporate fraud in news headlines. Many of the fraudulent actions were executed in part using improper access to corporate systems, e-mail accounts, and proprietary information. Over the past three years, companies have lost US$8.2 million each year on average, an increase of 22% over the same figure from the previous year's survey (Kroll Global Fraud Report, Issue 8, March 2009). Challenging economic conditions tend to lead to increased fraud as companies are pressured to achieve financial results. Increases in fraud can also occur in public or private organizations through theft of company information as employees are forced to work harder with reduced resources and experience salary reductions and layoffs. What is needed is an automated, enterprise-wide system for access control that enables IT executives to address regulatory requirements, maintain an open infrastructure to support business needs, and put controls in place to reduce risk and prevent fraud.


The SAP BusinessObjects Access Control application helps organizations overcome these challenges so that they can confidently control access and prevent fraud. The application enables business managers, IT security, and auditors to:
- Reduce SoD violations and critical access risk across the enterprise
- Streamline compliance processes
- Deliver real-time oversight of the current risk situation

By supporting the creation of compliant business processes, SAP BusinessObjects Access Control enables business-owner accountability and minimizes audit time and audit-related costs.

The Security Executive Council Survey reported more than 40% increases in theft, fraud, and requests for support to HR relative to layoffs in fiscal year 2008-09.
2009 Security Budget Research Report: Impact of the Economic Downturn, April 2009, Security Executive Council


Reduced Access Risk Across the Enterprise


Minimized Time to Comply with Regulatory Requirements

For companies struggling to manage multiple compliance initiatives, SoD can be one of the most difficult controls to deploy. Keeping pace with constantly changing business requirements and role definitions, layering new access on to old access, and testing access authorizations for thousands of employees across various systems presents an overwhelming challenge to preventing critical access risk. To take control of user access in their organization, compliance groups should start by conducting an initial cleanup, which involves three steps. First, an enterprise-wide risk analysis must be conducted to uncover existing access violations. Next, the violations or risks uncovered must be reviewed. The final step is to mitigate the risk associated with the access in question or remove the access. To perform a comprehensive cleanup rapidly and cost-effectively, best-run companies require software engineered with this purpose in mind.

Enterprise-Wide Risk Analysis

SAP BusinessObjects Access Control delivers risk analysis and remediation functionality that enables businesses to analyze critical access risk rapidly and identify SoD conflicts based on real-time data. The application identifies potential access risks using a robust database of SoD rules that are based on best practices. The rule set leverages SAP expertise in business processes and the company's years of experience assisting industry-leading customers with SoD implementations.

The rule set includes rules for the most common business functions and associated risks, which is requisite for identifying SoD violations and critical access risks. The rules database is compatible with SAP and non-SAP software, including Oracle, PeopleSoft, and JD Edwards products as well as legacy software and applications not classified as enterprise resource planning (ERP) software. This comprehensive integration enables the mapping of functions and associated risk across all these software solutions to establish a consistent policy and prevent duplication of effort.

Risk Mitigation

Upon identifying SoD violations and critical access risks, business managers can then review issues found during the initial risk analysis. Robust reporting functionality in SAP BusinessObjects Access Control allows business managers to sort the SoD violations by role, by business process, and by user and to review the root cause of the violation. The software also indicates the severity level of any violation. With this level of detailed reporting, stakeholders are able to resolve issues found during the analysis and prevent risk. An example of preventing an SoD violation is when it is discovered that employees are authorized both to create new vendors and to make payments to those vendors. That opens up the possibility of fraud, because the employees can pay money into accounts they themselves have configured. Authorization for this combination of business functions represents an SoD violation. To prevent the risk, the manager must decide how to mitigate the violation. One way is to rescind employees' authorization to perform one of the business functions. If both functions are required, the manager can choose an appropriate mitigating control and assign a monitor to oversee that the mitigating control is carried out. After the initial cleanup, managers can conduct regular risk analyses of user access requests and role definitions to sustain SoD control and prevent critical access risks on an ongoing basis.

Votorantim Celulose e Papel S.A., one of Brazil's largest pulp and paper producers, reduced access conflicts by 91% with SAP BusinessObjects Access Control.
Celso Yao, Risk Manager, Votorantim Celulose e Papel S.A.

SAP BusinessObjects Access Control reduces SoD violations and critical access risks across the enterprise, thereby streamlining compliance with regulatory requirements. In addition to helping eliminate existing access risks, the application helps prevent the addition of new risks by supporting compliant business processes during, for example, role creation and role provisioning. The software leverages rule sets that are packaged with it and that were developed by SAP over a period of 12 years based on best practices.
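The mechanics this section describes (business functions grouped into SoD rules, violations reported with their root-cause roles and severity, a mitigating control with an assigned monitor, and the user-level and role-level what-if simulations discussed later under Enterprise Role Management), as an added Python example that is not SAP code; every function, action, rule, role, user, and control name below is constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed sample content (hypothetical names standing in for a packaged rule set).
# A business function groups the actions (transaction codes) that accomplish it.
FUNCTIONS: Dict[str, Set[str]] = {
    "CREATE_VENDOR": {"vendor.create", "vendor.change"},
    "PAY_VENDOR": {"payment.run", "payment.post"},
    "MAINTAIN_BANK": {"vendor.bank.maintain"},
}

@dataclass(frozen=True)
class Risk:
    """An SoD rule: a user violates it only by holding ALL of the listed functions."""
    risk_id: str
    description: str
    functions: FrozenSet[str]
    severity: str

RULES: List[Risk] = [
    Risk("P001", "Create a vendor and pay that vendor",
         frozenset({"CREATE_VENDOR", "PAY_VENDOR"}), "High"),
    Risk("P002", "Maintain vendor bank data and pay vendor",
         frozenset({"MAINTAIN_BANK", "PAY_VENDOR"}), "Medium"),
]

ROLES: Dict[str, Set[str]] = {  # roles grant actions; users hold roles
    "AP_CLERK": {"payment.run", "payment.post"},
    "VENDOR_MASTER": {"vendor.create", "vendor.change"},
    "BANK_ADMIN": {"vendor.bank.maintain"},
    "AP_SUPERUSER": {"vendor.create", "payment.run"},  # non-compliant by design
}
USERS: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK"},
    "bob": {"VENDOR_MASTER", "AP_CLERK"},  # the branch-office manager case from the text
    "carol": {"VENDOR_MASTER"},
}

@dataclass(frozen=True)
class Mitigation:
    control_id: str
    description: str
    monitor: str  # person assigned to oversee that the control is carried out

# Mitigating controls assigned per (user, risk) after management review.
MITIGATIONS: Dict[Tuple[str, str], Mitigation] = {
    ("bob", "P001"): Mitigation("MC-017", "Monthly review of payments to newly created vendors", "dana"),
}

@dataclass(frozen=True)
class Violation:
    user: str
    risk_id: str
    severity: str
    root_cause: Tuple[Tuple[str, Tuple[str, ...]], ...]  # (function, roles granting it) pairs
    mitigation: Optional[Mitigation]

    @property
    def mitigated(self) -> bool:
        return self.mitigation is not None

def functions_by_role(role_names: Set[str]) -> Dict[str, Set[str]]:
    """Map each business function to the roles in `role_names` granting any of its actions."""
    held: Dict[str, Set[str]] = {}
    for role in role_names:
        for fn, fn_actions in FUNCTIONS.items():
            if ROLES[role] & fn_actions:
                held.setdefault(fn, set()).add(role)
    return held

def evaluate(user: str, role_names: Set[str]) -> List[Violation]:
    """Run every SoD rule against a (possibly hypothetical) set of roles for one user."""
    held = functions_by_role(role_names)
    found = []
    for risk in RULES:
        if risk.functions.issubset(held):
            cause = tuple(sorted((fn, tuple(sorted(held[fn]))) for fn in risk.functions))
            found.append(Violation(user, risk.risk_id, risk.severity, cause,
                                   MITIGATIONS.get((user, risk.risk_id))))
    return found

def analyze_user(user: str) -> List[Violation]:
    return evaluate(user, USERS[user])

def analyze_enterprise() -> Dict[str, List[Violation]]:
    """Cleanup step 1: every user's violations, ready for management review (step 2)."""
    return {user: analyze_user(user) for user in USERS}

def unmitigated(violations: List[Violation]) -> List[Violation]:
    """Step 3 backlog: violations still needing access removal or a mitigating control."""
    return [v for v in violations if not v.mitigated]

def analyze_role(role: str) -> List[str]:
    """Role-design check: risk ids a single role violates by itself (empty for a compliant role)."""
    return [v.risk_id for v in evaluate(f"<role {role}>", {role})]

def simulate_add_role(user: str, role: str) -> List[Violation]:
    """What-if simulation for an access request: violations that would be NEW if `role` were granted."""
    before = {v.risk_id for v in analyze_user(user)}
    return [v for v in evaluate(user, USERS[user] | {role}) if v.risk_id not in before]
```

Running `analyze_enterprise()` flags only bob (P001, mitigated by MC-017 with dana as monitor), `analyze_role("AP_SUPERUSER")` rejects that role at design time, and `simulate_add_role("alice", "BANK_ADMIN")` shows the request would introduce P002 before anything is provisioned.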


Streamlined Compliance Processes

Continuous Access Management

The cost in money and resources to enforce access control, SoD, and compliant user provisioning on a continual basis can be overwhelming for many companies. Even after conducting an initial cleanup, new access control risks may arise on a daily basis as user roles and business needs change and new regulations are introduced. SAP BusinessObjects Access Control helps organizations introduce continuous access management. The solution automates all aspects of access management, including enterprise role management, compliant user provisioning, and emergency privilege management, to increase efficiency and reduce the resources and time required for compliance.

Enterprise Role Management

A key challenge to creating compliant enterprise role management is the lack of effective collaboration between IT teams and business managers. Business managers own the responsibility for managing SoD and critical access risk. They may conduct periodic access reviews and prepare for and respond to more stringent audits; however, they are often most concerned with simply obtaining the necessary access to make their employees productive and less concerned with the potential risks posed to SoD in the process. IT has the technical expertise to put proper system and application access controls in place. However, IT security often builds roles independent of SoD controls, and this can lead to SoD violations. New roles are often tested for whether the user can perform the tasks required by their role but not tested for compliance. When SoD violations are revealed during user acceptance testing, IT is required to return to the development phase and recreate the role. This process is not only inefficient, but it also creates risk for the company for the time during which the improper privileges are assigned to a role.

SAP BusinessObjects Access Control translates technical access risks into common business language, facilitating improved collaboration between IT and business owners. By incorporating SoD rules into the role design and role creation process, the application allows you to define compliant roles proactively. The flexible role-building methodology in the application guides you through a step-by-step process of building new roles. The application also offers you functionality to perform preventive simulations, with which you can see what impact access changes will have before they are introduced into a production environment. Simulations can be performed at the user level, role level, or position level to test for any SoD violations. You can also perform automated risk assessment, track changes, and perform role maintenance, which increases the consistency of user access and lowers IT costs. As a single authoritative source for enterprise role definition, SAP BusinessObjects Access Control enforces best-practice methodologies while eliminating offline, manual processes such as updating Microsoft Excel sheets, actions that can escape automated, software-supported SoD rules. Its approval workflow can serve as a record for documentation and audit purposes. With this centralized tool, technical and business owners are able to use the same, consistent terms to document role definitions. Business users are empowered with automated change management, single-click automatic role creation, and role comparison features. By automating enterprise role management, SAP BusinessObjects Access Control enables businesses to reduce the cost of role maintenance, eliminate manual errors, and enforce best practices.

Figure 1: Reduce Cost with Automated Enterprise Role Management (diagram: centralized role management in the SAP BusinessObjects Access Control application, with enterprise rules and an audit log, producing compliant enterprise roles across SAP, Oracle, PeopleSoft, and legacy applications)

Compliant User Provisioning


Many organizations use inefficient processes in their attempt to maintain ongoing access control compliance. These processes include such tools as e-mail, spreadsheets, and filed paper copies, each of which involves multiple manual steps. Transitioning end users to a new assignment or hiring new employees and granting them access can take weeks away from productive work. This type of approach often leaves out risk analysis altogether. As organizations grant and rescind access to enterprise systems, the employees who perform the work often overlook how these changes can impact SoD and critical access risk. And there is often little or no automated workflow to provide a record of changes, leaving that work to be performed manually by compiling forms, e-mail messages, and paper files.

SAP BusinessObjects Access Control enables fully automated and compliant user provisioning throughout the employee lifecycle to prevent SoD violations. Employees can request access using a structured dialog of self-service workflows that specify business processes and roles, reducing the IT resources required. Managers receive an e-mail notification of an employee's request. The application automatically tests for SoD issues, removes SoD or critical access risks, and implements mitigating controls prior to approval. With this functionality, the application prevents SoD violations from being introduced into the production environment. Additionally, its dynamic workflow provides end-to-end automation for user provisioning in multiple applications. The application also offers expanded automated provisioning through integration with standards-based identity management software. Requests can be automatically integrated with user identity information from a Lightweight Directory Access Protocol (LDAP) directory or other human resources databases so that managers can approve requests via e-mail. With compliance embedded in business processes, organizations can take a preventive approach, helping restrict management from granting access to an employee in a manner that might create an SoD violation. However, if a unique situation requires high-risk access privileges to be granted, such as when a small branch office manager must be able to both create and pay vendors, the application enables the creation of mitigating controls, which can be assigned as required. Integrated, real-time risk analysis can be conducted before access is granted.

Finally we have just one place to look for all our compliance rule sets, violations, mitigation controls, checks and balances, and so forth. That winds up saving us quite a bit of money.
Dina Dayal, Director of Security and Quality Assurance, Newell Rubbermaid

In addition, SAP BusinessObjects Access Control creates a more efficient internal audit process with business-friendly reporting and features such as audit logs for detailed tracking, customizable reporting, and process-efficiency statistics. Instead of trying to find forms, e-mail messages, and relevant files, change logs are readily available electronically, thereby minimizing audit time and audit-related costs. By automating compliant user provisioning, your organization can increase productivity and reduce the overall cost of compliance.


Figure 2: Prevent Risk with Compliant User Provisioning (diagram of compliant provisioning with dynamic workflow: an HR event such as an employee being hired or retired triggers fully automated request generation; the workflow path is chosen based on request type and user attributes, with manager approval via e-mail and escalation workflows; risk analysis with one-click preventive simulation; then fully automated provisioning into SAP, Oracle, PeopleSoft, and legacy systems)

Excessive access rights was the top internal/external audit finding over the past 12 months.
Protecting What Matters, The 6th Annual Global Security Survey, February 16, 2009, Deloitte

Superuser Privilege Management


Granting emergency access to enterprise systems leads to one of the most common audit issues companies experience today. You may have additional accounting personnel who need to post payments during the month-end close or a sales manager who requires approval on a pricing discount in order to close a deal when his manager is on vacation. If system access is too severely restricted, costly and unproductive delays can occur as the approving manager is contacted, new access privileges are created, and emergency access is approved and granted. Frequently, existing access rights are shared to circumvent the controls, introducing regulatory violations and leaving auditors without a valid trail of who did what.

In situations such as these, SAP BusinessObjects Access Control enables rapid response with functionality that authorizes users to perform activities outside their role using firefighter login IDs with superuser privileges in a controlled, auditable environment. No longer will you have to wait or wake up supervisors in the middle of the night to get approvals for privileged access. The application efficiently creates emergency access for any user and allows companies to quickly resolve this common audit issue, significantly reducing the time required to perform critical tasks. With this functionality, the application also delivers the necessary audit reporting to prevent regulatory violations. It tracks, monitors, and logs every activity a user performs while logged in with the privileged user ID.

Standard reports, including notifications of usage and detailed activity logs, are sent automatically to supervisors for increased visibility. Activity logs track input down to the field value level and allow you to filter, sort, and download input information. Audit time is minimal, because detailed logs are available for auditors immediately and can be reviewed and signed off in advance of the official audit report. SAP BusinessObjects Access Control automates SoD and access management controls and facilitates improved collaboration between IT and business users. Automated reporting embedded in business processes reduces the time and cost for audits. The solution streamlines compliance processes for enterprise role management, compliant user provisioning, and emergency privilege management, so you can maintain continuous compliance during role design, in daily operations, and even during urgent situations.


Real-Time Oversight

Immediate Visibility of Current Risk Situation

Once organizations have completed the initial analysis and implemented controls to mitigate SoD violations and prevent critical access risk, it is imperative to have real-time visibility into the daily events that could impact ongoing compliance. As the needs of a business evolve, role definitions change, employees are promoted, and access privileges are modified constantly. Management cannot obtain a clear view across the enterprise to assess current risk exposure from reports based on periodic data downloads. What is needed is software that analyzes and compares rules and detects potential risks based on real-time data. Without this support, it is difficult for business owners to be truly accountable for preventing risk. If business managers cannot accurately review and track access control changes and associated problems, and if they cannot provide complete records to auditors, audit costs increase. Internal auditors who are faced with spreadsheets listing the access and authorizations of all employees can perform only a very limited audit. Even if they do capture the status quo at one point in time during an annual audit, changes to roles or business processes can render those roles or processes noncompliant at any time thereafter. SAP BusinessObjects Access Control offers management real-time access-risk analysis, reporting, and dashboards for increased accuracy. Managers can perform what-if simulations to prevent access violations. The solution provides functionality allowing management to take responsibility for effective oversight of SoD and critical access risk. The application includes real-time detection controls and transaction-usage monitoring to give auditors the tools they need to stay in control of access compliance.

Figure 3: Continuous Monitoring of Compliance and Access Risk

Management Oversight for Business Owner Accountability


Managers must conduct user access reviews periodically to ensure SoD mitigations are effective. SAP BusinessObjects Access Control allows management to leverage automated, prebuilt reporting to improve visibility in five key access control areas:
- User provisioning reports display all user access reaffirmations and access approvals
- Potential risk reports highlight users with SoD conflicts who have the potential to make mistakes or commit fraud
- Actual risk reports monitor transactions to detect when users executed transactions that constitute an SoD violation
- Policy reporting reviews the SoD rules library and allows management to make updates and changes to business processes as required by changes in the regulatory environment, with management also able to review mitigation controls and assess their effectiveness
- Emergency access reports show which employees have used superuser privileges and what tasks were performed using that access


With SAP BusinessObjects Access Control, GRUMA is able to achieve 90% faster resolution of auditor observations.
Juan Carlos Vola, CIO, GRUMA S.A.B. de C.V.

SAP BusinessObjects Access Control automates user access reviews, enabling you to review the potential risks in your organization and work toward rapid resolution. For example, you can perform a risk analysis by user and discover any unmitigated risk that requires attention. You can also review mitigating controls and the employees assigned to monitor them. The application alerts the appropriate manager when the monitor assigned to run a mitigation report does not perform the duties assigned within the specified time period. Actual usage and role usage reports reveal when a violation occurs, for example, when an employee performs conflicting functions, such as creating a new vendor and paying a vendor. The alert system allows managers to focus on high-priority items and exceptions. Reports provide comprehensive evidence for auditors that mitigation measures are effective. This robust reporting gives you the transparency that is required by regulators and auditors, and it gives the confidence essential for successful business management. It offers the flexibility to innovate business processes and improves the productivity of managers, thereby significantly lowering the overall cost of compliance.

Minimized Audit Time and Audit-Related Costs

SAP BusinessObjects Access Control enables internal and external auditors to complete comprehensive and efficient testing to make sure all access is properly authorized and that controls are in place and regularly tested to mitigate all SoD risks. The automation built into the application simplifies the investigation process and delivers standard, audit-ready reporting to confirm that all access to systems was properly authorized, including user access approval as well as role approval. Instead of trying to find manual forms, spreadsheets, and files, approval workflows and a role-change history automatically provide an audit trail. Notifications of emergency privilege usage and detailed activity logs are also available for auditors to track this type of usage. Auditors can use the application to test for mitigation effectiveness, especially for those users who have SoD conflicts. Auditors can test whether risk descriptions and mitigation controls match and whether the mitigation is actually executed. SAP BusinessObjects Access Control delivers immediate visibility of the current risk situation for both management and internal audit personnel. The application offers improved accuracy with real-time reporting and enables business-owner accountability with built-in review and approval processes.

Integrated Solutions to Build Business Effectiveness

The SAP BusinessObjects solution portfolio includes world-leading solutions for business intelligence, information management, enterprise performance management, and governance, risk, and compliance. Together, these solutions provide a preventative, real-time approach to governance, risk, and compliance across heterogeneous environments, enabling complete insight, greater efficiency, and improved flexibility.

SAP BusinessObjects Governance, Risk, and Compliance Solutions


Proactively Balance Risk and Opportunity Across Your Business Process

Obtain Complete Insight, Greater Efficiency, and Improved Flexibility


SAP BusinessObjects Access Control is part of the SAP BusinessObjects governance, risk, and compliance (GRC) solutions. These solutions provide organizations with a preventative, real-time approach to GRC across heterogeneous environments. The solutions provide complete insight into risk and compliance initiatives, enable resources to be used more effectively, and allow for a faster response to changing business conditions.

Complete Insight

SAP BusinessObjects GRC solutions enable complete insight by providing a common approach to risk and compliance initiatives and continuously monitoring them so that business conditions can be understood, risks managed, and decisions improved.

Greater Efficiency

SAP BusinessObjects GRC solutions are designed to efficiently support the documentation and implementation of automated controls for any framework. Automation of manual risk and compliance activities, compliance rationalization, and prepopulated line-of-business and industry-specific content enables costs to be reduced and resources to be used more effectively. This leads to a much more efficient compliance environment.

Improved Flexibility

Working together, SAP BusinessObjects GRC solutions provide a preventative, real-time approach for your heterogeneous environment. Performance indicators across fragmented control environments are aggregated to deliver a common, system-wide view and unify management of strategic, financial, operational, and compliance-related risks across the organization. Having a single strategy for internal policy and external regulation enables faster response to changing business conditions.

Find Out More


The SAP BusinessObjects Access Control application enables you to confidently control access and prevent fraud across your enterprise while minimizing the time and cost of compliance. To find out more about how this and other SAP BusinessObjects GRC solutions can benefit your business, please contact your SAP representative or visit us on the Web at www.sap.com/sapbusinessobjects/grc.


Quick Facts

www.sap.com/contactsap

Summary
The SAP BusinessObjects Access Control application enables business managers, IT security, and auditors to collaborate in controlling access and preventing fraud across the enterprise. The software helps streamline processes and establish controls to maintain segregation of duties (SoD), minimize critical access risk, and assign compliant user access, while minimizing audit time and audit-related costs.

Business Challenges
- Manage diverse, applicable regulatory requirements
- Reduce audit and compliance costs caused by manual processes
- Maintain an open IT infrastructure while mitigating SoD risks
- Improve collaboration between IT and business managers

Key Features
- SoD rules library: leverage best practices and SAP expertise in business processes
- Automated workflows: increase efficiency and collaboration between IT and business owners
- What-if simulations: define compliant roles proactively using preventive simulations
- Reporting: improve visibility of user provisioning, potential and actual risk, policy reporting, and superuser access

Business Benefits
- Reduced risk of fraud by supporting the creation of compliant business processes
- Reduced SoD violations and critical access risk across SAP and non-SAP software through visibility of the current risk situation based on real-time data
- Minimized time to comply with regulatory requirements by automating the detection of access risk
- Minimized audit time and audit-related costs through automated audit trails, real-time detection controls, and transaction monitoring
- Improved visibility of current risk situation through real-time reporting

For More Information
To find out more about how SAP BusinessObjects Access Control and other SAP BusinessObjects governance, risk, and compliance solutions can benefit your business, please contact your SAP representative or visit us at www.sap.com/sapbusinessobjects/grc.

50 098 921 (10/04) 2010 SAP AG. All rights reserved. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, Clear Enterprise, SAP BusinessObjects Explorer, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP France in the United States and in other countries. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
