ISACA After Hours Seminar January 31, 2012
Making Continuous Monitoring and Continuous Auditing Work with SAP GRC
Gerhard Wasnick
-
ISACA AHS; January 31, 2012
Table of Contents
Getting started, Terms and Objectives
Frameworks, Compliance Requirements
The SAP GRC Tool, Mapping
Implementation of Continuous Audit (CA) or Continuous Monitoring (CM) Scenarios
Example 1 CA: SAP Basis System Parameter
Example 2 CM: SAP Chart of Account Master Data
Other Examples
Lessons Learned, Q&A
Riscomp GmbH / Page 2
-
After-Hour Seminar
Objectives
Objectives:
- Provide a glimpse of the current possibilities to automate controls or perform automated monitoring
- Show the continuous audit (CA) and continuous monitoring (CM) scenarios working live in the system
Out of Scope:
- Complete overview of SAP GRC functions
-
What is continuous auditing / continuous monitoring?
Continuous auditing is the independent application of automated tools to provide assurance on financial, compliance, strategic and operational data within a company. The continuous aspect of continuous auditing and reporting refers to real time.
Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organization's financial and operational environment. Through continuous monitoring of operations and controls, weak, poorly designed or poorly implemented controls can be corrected or replaced, enhancing the organization's operational risk profile.
-
Technical Implementation
Automatic control is the application of concepts derived from the research area of modern control theory. Automatic control is also a technology for the application of control strategies.
-
Legal Requirements
Switzerland: OR 728a (Swiss Code of Obligations), code of data protection
Europe: 7th directive of the European Union, transposed into local law like BilMoG in Germany
USA: Sarbanes-Oxley Act of 2002, Section 404
Japan: Japan's Financial Instruments and Exchange Law (J-SOX)
-
Important Standards
- ISO 27000 ff.: ISO 27001, ISO 27002, ISO 27003 (ISMS), ISO 27035 (IT security event detection)
- ISO 20000 / ITIL
- COBIT: DS5 System Security; PO 4.1 Define Processes; AI 2.5 Configuring Application Software; PO 6.3 IT Policy Management; PO 9 Assess and Manage IT Risks; ME 2.4 Control Self Assessment; PO 4.11 Segregation of Duties; AC 6 Transaction Authentication & Integrity
-
SAP Governance, Risk and Compliance (GRC)
-
Mapping of Standards and GRC Functionality
- ISO 27003 ISMS; ISO 27035 IT security event detection; ISO 20000 / ITIL
- COBIT: (1) DS5 System Security; PO 4.1 Define Processes; AI 2.5 Configuring Application Software; PO 6.3 IT Policy Management; PO 9 Assess and Manage IT Risks; ME 2.4 Control Self Assessment; PO 4.11 Segregation of Duties; AC 6 Transaction Authentication & Integrity
-
Implementation of CA / CM Scenarios
Risk based approach for continuous audit:
Risk & control identification -> Implementation feasibility check -> Benefit valuation (qualitative) -> Implementation, test and go-live

Cost-benefit based approach for CM and efficient internal control systems:
Stock take of control effort -> Estimation of savings -> Estimation of feasibility & effort -> Automation TOP 10 list -> Implementation and test
-
Automated Control and Monitoring Process Flow (SAP 2011)
Rule sources: custom programs; delivered rules, queries and reports; configurable rules
Business areas: FIN, O2C, P2P, HR, IT, Fixed Assets
Control types: transaction controls, configuration controls, master data controls
Steps: Define data source and business rules -> Map to controls -> Test or monitor -> Report, analyze & remediate
Outputs: Xcelsius dashboards and analytics, Crystal Reports, auditability, root cause analysis, workflows
-
CA/CM Objectives of the Examples
Objective of the CA scenarios: perform the audit or control action automatically and inform users
SAP ERP System (application, customizing) -> SAP GRC System (CA/CM Scenario 1, CA/CM Scenario 2, basis parameter) -> Inform users
-
Example 1: ISO 27003 / COBIT DS5 System Security
Background: System security is driven by SAP system parameters defining the minimum length of passwords, the maximum number of log-in attempts, etc.
Risk: Hostile acquisition of user accounts and unauthorized access
Procedures:
ITGC Control Execution: Start the report RSPARAM and check that the parameter login/min_password_lng is set according to standards. Document the result.
Audit Procedure: ditto
Riscomp Automated Scenario: An automated scenario checks the parameter frequently. Only if the parameter is below the threshold is an issue sent to the control owner for ICS and/or to IT audit for audit purposes.
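One way to implement the automated scenario above, as an added example that is not Riscomp's or SAP's code: a Python rule that parses a constructed, simplified RSPARAM-style listing and raises an issue only for parameters outside their threshold. The listing layout, the thresholds, the sample values and the extra parameters login/fails_to_user_lock and login/password_expiration_time are assumptions standing in for a company's standard.

```python
"""Continuous-audit rule for SAP profile parameters (Example 1 scenario).
Added illustration, not Riscomp's or SAP's code; listing format, extra
parameters and thresholds are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample in a simplified RSPARAM layout: parameter, user-defined
# value, system default. No user-defined value means the default applies.
RSPARAM_SAMPLE = """\
login/min_password_lng          6     6
login/fails_to_user_lock              5
login/password_expiration_time  90    0
"""
# Assumed standard: "min" -> value must be >= threshold, "max" -> <= threshold.
RULES = {
    "login/min_password_lng": ("min", 8),
    "login/fails_to_user_lock": ("max", 3),
    "login/password_expiration_time": ("max", 90),
}

@dataclass
class Issue:
    parameter: str
    actual: Optional[int]   # None when the parameter is missing from the listing
    expected: str
    recipients: tuple

def parse_rsparam(text):
    """Return {parameter: effective integer value} from the listing."""
    values = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        # Three columns: user-defined value is effective; two: only the default.
        values[parts[0]] = int(parts[1] if len(parts) >= 3 else parts[-1])
    return values

def evaluate(values, rules=RULES, recipients=("ICS control owner", "IT audit")):
    """Raise an issue only for parameters that miss the standard or are absent."""
    issues = []
    for name, (mode, threshold) in rules.items():
        actual = values.get(name)
        compliant = actual is not None and (
            actual >= threshold if mode == "min" else actual <= threshold)
        if not compliant:
            expected = f"{'>=' if mode == 'min' else '<='} {threshold}"
            issues.append(Issue(name, actual, expected, recipients))
    return issues
```

A compliant run returns an empty list, so nothing is sent to the control owner; a missing parameter is reported with actual None rather than silently passing.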
ISACA AHS; January 31, 2012
Example 2: COBIT AI 2.5 Configuring Application Software
Information: Systems like SAP ERP can be configured to fit the company's process and compliance needs. The configuration is stored in database tables, and the configuration values determine the compliance of an SAP system.
Technical Background: Account master data is kept in SAP in two database tables, SKA1 and SKB1. The accounts are established initially during the system implementation. However, during the normal course of business individual accounts can be maintained and should be closely monitored.
-
Example 2: COBIT AI 2.5 Configuring Application Software
Risk: The critical master data settings carrying a high risk for the accuracy and reliability of financial figures should be documented and monitored closely.
Procedures:
IT Audit Procedure: During the course of a financial audit, the configuration is checked manually.
Control Execution: Frequent sampling of chart of accounts master data or data analysis of the database tables.
Riscomp Automated Scenario: The GRC system checks the critical fields in the chart of accounts, such as "automated postings allowed only", against defined thresholds.
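The master-data check above, as an added example that is not Riscomp's or SAP's code: a Python comparison of a constructed extract of the SKB1 company-code segment against an approved baseline, raising a finding for every account whose "post automatically only" indicator differs from the approved value, and, going slightly beyond the slide, for accounts that appear or disappear. The field names BUKRS, SAKNR and XINTB, the account numbers and the baseline are assumptions.

```python
"""Continuous-monitoring check on G/L account master data (Example 2 scenario).
Added illustration, not Riscomp's or SAP's code; field names, account numbers
and the approved baseline are assumptions / constructed data."""
from dataclasses import dataclass

# Approved baseline of the company-code segment (SAP table SKB1 per the slide):
# key (BUKRS company code, SAKNR account), value XINTB "post automatically only"
# indicator: "X" = automatic postings only, "" = manual postings allowed.
BASELINE = {
    ("1000", "0000140000"): "X",   # customer reconciliation account
    ("1000", "0000160000"): "X",   # vendor reconciliation account
    ("1000", "0000476000"): "",    # office supplies expense
}

# Constructed current extract of SKB1 rows (BUKRS, SAKNR, XINTB).
CURRENT_SKB1 = [
    ("1000", "0000140000", "X"),
    ("1000", "0000160000", ""),    # indicator cleared: manual postings now possible
    ("1000", "0000476000", ""),
    ("1000", "0000999000", "X"),   # account missing from the approved baseline
]

@dataclass(frozen=True)
class Finding:
    company_code: str
    account: str
    kind: str          # "changed", "new" or "missing"
    approved: str
    actual: str

def check_chart_of_accounts(current_rows, baseline=BASELINE):
    """Return findings for the control owner: every deviation from the baseline."""
    current = {(bukrs, saknr): xintb for bukrs, saknr, xintb in current_rows}
    findings = []
    for key, approved in baseline.items():
        if key not in current:
            findings.append(Finding(*key, "missing", approved, ""))
        elif current[key] != approved:
            findings.append(Finding(*key, "changed", approved, current[key]))
    for key, actual in current.items():
        if key not in baseline:          # unapproved account appeared
            findings.append(Finding(*key, "new", "", actual))
    return findings
```

Once a change is reviewed and accepted, the baseline is updated so the same deviation is not reported again on the next run.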
-
Further CA / CM Examples
- Compliant user provisioning processes in Access Control (CM)
- Integrating SOD analysis with the internal control system (CA)
- Frequent analysis of users with developer keys (CA)
- Users with critical profiles (SAP_ALL, SAP_NEW) (CA)
- Check of manual FX-rate changes (CM)
- Open posting periods per company code (CM)
- 3-way match parameter check (CM)
-
Lessons Learned
- Continuous monitoring and auditing works for SAP systems, including Business Warehouse
- The complexity of the scenarios can vary and needs upfront evaluation!
- Scenarios can be amended at any time, forming a flexible framework of automated scenarios
- Automated scenarios require profound GRC and ERP know-how
- SAP partners providing content help to reach the break-even point faster with content life cycle management
-
Questions?
-
Further Information
Various trainings:
- SAP standard training GRC 100, GRC 300, 330, GRC340, WDEAC1, TZPR10 or TZAC10
- Trainings with Vereon.ch
- Customized trainings
SAP Press "Handbuch SAP Revision", English edition available in Q4/2012
-
RISCOMP GmbH offers services in the IT and business consulting field. Our main focus is the automation of Governance, Risk and Compliance processes. We enable our customers to establish simple, intuitive, integrated and efficient processes to handle GRC tasks.
We provide the combination of professional expertise in RISk and COMPliance with technical implementation know-how for SAP BO GRC solutions.
Our team brings more than 20 years' experience (working for Big 4 firms, running ICS, implementing SAP ERP and SAP GRC based processes).
We put all necessary views together to ensure maximized added value from a GRC implementation:
- Process: ICS, compliance & risk management processes
- Content: framework definition, i.e. risks, controls, automated scenarios etc.
- Technology: automation of GRC processes and integration with your ERP environment.
-
RISCOMP GmbH
Best-practice processes and structures for internal control systems
- Processes to administrate the ICS (control execution confirmation, change management, ...)
- Test processes (design effectiveness, self assessment, ...)
- Annual ICS scoping and risk evaluation
- Policy and procedure management processes
- SAP user provisioning and role management
Design and implementation of automated control and monitoring scenarios in SAP R/3 and SAP GRC (Continuous Controls Monitoring, CCM)
Software implementation and project management
SAP GRC software migration for Process Controls 3.0 > 10 and Access Controls 5.3 > 10
Design and conducting of training sessions for SAP Education
Our content for internal control systems is bundled into products:
- Catalogue of manual business process controls
- Best-practice repository of semi- and fully automated business process controls
- Standard catalogue of general IT controls (security, change management and operations)
- Methodology for an efficient adjustment of segregation of duties matrices to the business requirements
- Fraud pattern analysis
All products are based on acknowledged standards like COBIT, COSO or SAP AK Rev.