Taminco reaches SOX compliance
with SAP GRC Access Control
Robert Moeyens
Taminco
Chris Walravens
Expertum
SAPience.be User Day ‘14
Agenda
The Players
Project Trigger: SOX compliance
SAP GRC Access Control
Project Phases
Project Benefits
Pitfalls / Lessons Learned
Taminco
Expertum
History
• Founded in April 2006 by 2 ex-SAP BeLux employees
• Partnerships
Today
• Team of 55+ SAP Experts and Project Managers
Mission
• Exceed client expectations by providing top-quality expertise
• Provide our people a safe environment for personal and professional growth
Strength
• Highly skilled & experienced SAP consultants in all SAP areas, combined with wide industry knowledge in several domains
SAPience.be TECHday’13
Expertum
(Diagram: Knowledge Management; Product & Service Development)
Trigger – SOX Compliance
The US Sarbanes-Oxley Act of 2002, commonly called Sarbanes-Oxley or SOX, is a United States federal law enacted on July 30, 2002 in response to a number of major corporate and accounting scandals, including those affecting Enron, WorldCom, …
Applicable to all companies listed on the New York Stock Exchange
Section 302:
The CEO/CFO must certify quarterly and annually that:
• The Securities & Exchange Commission report has been reviewed by the CEO/CFO
• The report does not contain any misleading and/or untrue statements
• Significant deficiencies and material weaknesses in internal control have been disclosed to the Audit Committee and auditors, as well as any fraud (material or not) involving anyone with a significant role in internal control
• Material weaknesses must be disclosed in the annual report to shareholders
Section 404:
Defines the rules for internal control and financial reporting
• Taminco management must assess the effectiveness of the internal control structure and procedures for financial reporting
SAP GRC Access Control
Analyze & Manage Risk (AMR)
Centralized definition of Critical Access & Segregation of Duties
Common understanding between Business & IT (same rules)
Real-time risk analysis on user, role & HR object level
Proactive detection of SoD issues by simulation
Continuous monitoring of access risks & user assignments
Access violation dashboards and reports
Documentation & assignment of mitigating controls
Automated Access Reviews & follow-up actions
Emergency Access (EAM)
Centralized, automated, pre-approved cross-system emergency access
Detailed audit trails of performed actions
Integration with approval workflow possible
Project Phases
Role Remediation
AMR Implementation
User Remediation
EAM Implementation
Change Request Proc.
Preparing: Role Remediation
Review sensitive objects / maintain access in display roles
Remediate naming conventions of roles & profiles
Remediate manual & changed statuses
Remediate derived roles (naming) so that they are real derived roles
Remediate content correspondence between master & derived roles
Remediate differences between derived values & codification
Analyze content of composite roles (similar composites, similar content)
Remediate content of composite roles (similar composites, similar content)
Remediate DEV & PRS differences (all roles on PRS need to exist on DEV with identical content)
Implement SAP GRC
SAP GRC Access Control implemented on the same box as Solution Manager (2-tier)
Configured to run on:
• ECC production
• Solution Manager production
• GRC production
Implemented modules:
• Analyze & Manage Risk (AMR)
• Emergency Access Management (EAM)
Implement AMR
Establish the SOX rule set:
• Based on the rules used by the external auditor, complemented by risks identified in the Risk & Control Matrix (RCM)
• Translated into a GRC rule set (actions & permissions)
• Risk types:
  • Critical Access
  • Segregation of Duties
• Severity (High, Medium, Low) determined based on:
  • Direct impact on financial statements
  • Materiality
  • Likelihood of fraud
• Added custom transaction codes where needed
The Rule Set
User Remediation (1)
AMR supports remediation activities through extensive root cause analysis functionality
Critical Access
• Comprehensive exercise with the key users to identify who needed to keep the critical access (and who needed to lose it)
• Some users, of course, need to keep such access
• Best to tackle this first, as too much critical access will also “explode” your SoD results
User Remediation (2)
Segregation of Duties
• Again, a comprehensive exercise with the key users to identify who needed to keep the left / right side of the conflict
• Because of organizational issues, a small portion of the potential SoD conflicts needed to remain assigned to the users
• For these remaining SoD risks, the compensating / mitigating controls from the RCM were used
• These mitigations are also documented in GRC Access Control
User Remediation - Report
Implement EAM
A fairly large share of the risks were caused by IT support people having broad maintenance access on production
For IT support people the EAM module was implemented
This allowed Taminco to:
• Reduce the permanent access of IT people to « display » only
• Allow them to use broad access (not SAP_ALL!) when they need it, but in a fully controlled and monitored process
• Activity logs need to be reviewed and validated, allowing corrective action in case of misuse of the firefighter
Change Request Process
Since the beginning of the year, the change request procedure includes a mandatory risk simulation step
The AMR module contains functionality to simulate the combination of the current situation and the requested additions
This makes it possible to check whether the change would introduce risks before it reaches production
If risks occur, the CFO needs to either reject the change (or request a modification of the change) or approve the request with the assignment of a mitigating control
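As an added illustration (a constructed example, not Taminco's configuration and not SAP GRC code), the rule-set structure from the "Implement AMR" slide and the change-request risk simulation described above, modelled in Python: a change is evaluated by comparing the risks of the user's current access with the risks of current plus requested access, and the outcome follows the CFO decision rule above. All role names, transaction codes, risk ids and mitigation ids are assumptions.

```python
# Constructed toy model of the AMR rule set and the change-request risk
# simulation described on these slides. Not SAP GRC code; all role names,
# transaction codes, risk ids and mitigation ids are invented.

# Rule-set functions: groups of transaction codes (actions) enabling one activity.
FUNCTIONS = {
    "VENDOR_MAINT": {"XK01", "XK02", "FK01"},  # create / change vendor master
    "PAY_RUN":      {"F110"},                  # automatic payment run
    "INVOICE_POST": {"FB60", "MIRO"},          # post vendor invoices
    "USER_ADMIN":   {"SU01", "PFCG"},          # user & role maintenance
}
# SoD risk: two conflicting functions; critical-access risk: one sensitive function.
SOD_RULES = {"P001": ("VENDOR_MAINT", "PAY_RUN", "High"),
             "P002": ("VENDOR_MAINT", "INVOICE_POST", "Medium")}
CRITICAL_RULES = {"B001": ("USER_ADMIN", "High")}
# Constructed single roles and the transaction codes they grant.
ROLES = {"Z_AP_CLERK": {"FB60", "MIRO", "FB03"}, "Z_VENDOR_MD": {"XK01", "XK02"},
         "Z_TREASURY": {"F110"}, "Z_DISPLAY": {"XK03", "FB03"}}


def tcodes_of(roles):
    """Union of transaction codes granted by a set of roles."""
    return set().union(*(ROLES[r] for r in roles))


def risks_for(tcodes):
    """Return {risk_id: severity} for every rule violated by this access."""
    funcs = {f for f, codes in FUNCTIONS.items() if codes & tcodes}
    hits = {rid: sev for rid, (f, sev) in CRITICAL_RULES.items() if f in funcs}
    hits.update({rid: sev for rid, (a, b, sev) in SOD_RULES.items()
                 if a in funcs and b in funcs})
    return hits


def simulate_change(current_roles, added_roles):
    """Risk simulation step of the change request: risks the proposed
    assignment would add on top of what the user already carries."""
    before = risks_for(tcodes_of(current_roles))
    after = risks_for(tcodes_of(set(current_roles) | set(added_roles)))
    return {rid: sev for rid, sev in after.items() if rid not in before}


def decide(new_risks, mitigations):
    """Workflow outcome: no new risk -> approve; every new risk covered by an
    RCM mitigating control -> approve with mitigation; otherwise reject."""
    if not new_risks:
        return "APPROVED"
    if all(rid in mitigations for rid in new_risks):
        return "APPROVED_WITH_MITIGATION"
    return "REJECTED"
```

A real rule set also evaluates authorization objects and field values (permissions), not only transaction codes, so the same request can still be rejected at permission level even when the action-level check is clean.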
Project Benefits
We came from more than 20.000 SoD conflicts to approximately 1.000 mitigated risks.
We saw increasing insight into the authorization processes by the key players.
Permanent access for IT reduced to display only. The other accesses are obtained through firefighter.
A controlled role assignment process is implemented.
SOX compliance will be achieved (authorizations part).
Pitfalls / Lessons Learned
The quality of your authorization concept largely determines your remediation effort.
It is not always easy to determine exactly who needs what. Key users really need to know every detailed flow in the organization.
Taking away access is never easy.
Authorization remediation is closely linked with business controls (mitigating controls).
Thank you!
Robert Moeyens, Global Application Manager, Taminco
+32 2 238 46 72, [email protected], www.nationale-loterij.be
Chris Walravens, GRC Community Lead, Expertum
+32 474 475 983, [email protected], www.expertum.net