
Empower Your Business to Confidently Navigate Risk

SAPINSIDER SPECIAL REPORT | MANAGING RISK, SECURITY, AND COMPLIANCE: TIPS FROM TODAY’S GRC LEADERS

Reproduced from the Oct/Nov/Dec 2015 issue of SAPinsider with permission from its publisher, WIS Publishing | SAPinsiderOnline.com S-1

Kevin McCollom, Vice President and General Manager, GRC Solutions, SAP Labs, LLC

If you were to plot a graph outlining the number of organizations that are beginning to form a comprehensive governance, risk, and compliance (GRC) strategy, it would likely follow a similar trajectory to the rate of regulatory proliferation. New and changing regulations such as anti-bribery and corruption (ABC) statutes are increasing regulatory pressure to unprecedented levels, and stopgap GRC activities that do not encompass a proactive approach put a company at the risk of non-compliance and business disruption. Just as important, companies that regularly rely on reactive, patchwork measures in lieu of a robust GRC strategy expose themselves to very real and potentially devastating security breaches and fraud.

The door has slammed shut to the days when quarterly, spreadsheet-based internal audits sufficed. Organizations recognize that having a truly consolidated view of GRC issues that aligns with their overall business strategy is no longer merely a nice-to-have luxury. Costs for non-compliance that include damage to the brand, loss of revenue, fines and penalties, and proprietary theft far outweigh the cost of implementing a global GRC platform. And trying to make do with a fragmented GRC environment only increases costs and complexity as that approach introduces redundancies and fails to protect against threats on the horizon.

Companies that adopt a forward-looking, proactive approach to GRC recognize that having a global GRC platform does much more than check off the box on compliance. An increased understanding of a business’s appetite to take on risk can aid an organization in exploring new revenue streams, for example, by fully capitalizing on emerging trade agreements such as the Trans-Pacific Partnership. Other hidden benefits include identifying new opportunities, enhancing one’s brand, and increasing market access. Overall, this helps to drive improvements in operations and even streamline business processes.

3 Cornerstones of GRC Success

This backdrop serves to explain the reasons why SAP’s GRC strategy has evolved from one in which automating and centralizing data was the starting and ending point for shoring up risk factors to one that places GRC at the very center of a business strategy. There are three cornerstones to this strategy converging to provide the business with the means to make better and more informed decisions:

■ Simplify GRC
■ Gain insight from it
■ Strengthen the organization to anticipate GRC-related needs and opportunities they may create

INSIDE THIS SPECIAL REPORT

Empower Your Business to Confidently Navigate Risk
S-3 PwC and SAP: A Holistic, Enterprise-Wide View of GRC
S-5 EY and SAP: Enable Your Internal Auditors
S-6 Accenture: Effective GRC Strategies Begin with Business Alignment
S-7 Dolphin Enterprise Solutions Corporation: 7 Strategies for Preparing Your SAP Systems for Audits
S-8 Deloitte & Touche LLP: Secure, Vigilant, Resilient
S-9 ultimumIT: Integrate Business Processes into Your GRC Strategy to Discover Long-Term Value
S-10 Security Weaver: 9 Ways to Jumpstart License Compliance and Minimize Risk in Your SAP Landscape
S-11 EY: No Reward Without Risk
S-12 ERP Maestro: Increased External Audit Scrutiny Puts Spotlight on Access Controls
S-13 High Water Advisors: What Risks Are Hiding in Your SAP Landscape?
S-14 Layer Seven Security: Unlocking the Cyber Security Toolkit in SAP Solution Manager
S-15 Greenlight Technologies: Quantify the Impact of Segregation of Duties on Your Business


Simplify

SAP offering a global GRC platform is not new. But embedding GRC activities into underlying business processes is the key to transforming GRC from an afterthought into a true partnership with the business. Embedding GRC best practices into business processes drives simplicity in the organization by eliminating the redundancies that traditionally crop up when putting new programs in place with every new regulation or perceived threat that appears. A single, unified, SAP HANA-enabled GRC platform eliminates duplication, manual effort, and errors, and provides the real-time visibility that organizations need to proactively respond to any threat or compliance issue.

GRC is a focal point of SAP’s overarching Run Simple message because it is unique in how simplification can positively affect the landscape, and thus the business. When new threats result in new programs and processes, building siloed, redundant, and error-prone controls, policies, and technologies only serves to increase complexity, which may actually increase risk. Embedding GRC activities directly into business processes makes GRC a natural step in a business process rather than a separate process altogether. For example, complying with ABC regulations in a new jurisdiction shouldn’t require building new internal processes and controls. Leveraging existing processes and embedded controls documented in and reusable from an enterprise GRC platform saves time, prevents mistakes, and enhances compliance.

Gain Insight

When GRC is no longer an afterthought, true business impact and insights can be derived, nearly instantaneously, and leveraged to optimize business decisions. Business decisions can be projected into the future and GRC activities can be modeled accordingly, which goes hand in hand with helping an organization understand its risk appetite. With GRC embedded into business processes, companies can identify business and regulatory trends and model for different situations and outcomes, as well as detect potential business anomalies such as fraud, waste, and abuse. A global organization added millions to its bottom line by analyzing data patterns with SAP solutions for GRC to identify travel expense errors that were being constantly repeated and costing precious discounts, rebates, and tax savings.

Strengthen

Leveraging a comprehensive GRC platform not only to detect and predict business impacts and anomalies before they happen, but to explore unexpected business opportunities helps strengthen the business in ways that just weren’t possible with a reactive approach to GRC challenges. When a business fully understands how certain regulations or trade agreements intersect with its business strategy, it can shape its response and be prepared for potential future outcomes. That might be an extreme example, but it speaks to an unprecedented level of preparation that an integrated GRC platform enables. In addition, having this platform in place demonstrates that a company has taken the reasonable care to be compliant, which is a mitigating factor that can significantly reduce the cost of enforcement actions. Enforcement has been shown to be nearly three times more costly than had an organization made the proper compliance investments.[1]

The GRC Future Is Now

In some ways, penalties have historically been an assumed cost of doing business. Not necessarily because of deliberate malfeasance, but because technology limitations prevented corporations from bringing GRC considerations into the business decision-making process. This is not the case today, with SAP solutions for GRC, SAP HANA, and the entire state-of-the-art analytics portfolio at the forefront of technology advancements that are helping drive better business decisions in GRC. With SAP Fiori, users have a consistent, streamlined, modern user experience across the device spectrum that also helps drive insight.

As regulatory proliferation continues, SAP’s goal is to continue to invest in and evolve the GRC suite, embedding deeply into business processes. We see this today with SAP solutions for GRC already embedded into what is available on SAP Business Suite 4 SAP HANA (SAP S/4HANA), and this will hold true as GRC continues to be an integral component of additional business processes and the applications supporting them that run on SAP S/4HANA.

A truly comprehensive GRC suite is more than enterprise GRC. Security is an integral part of navigating risk by preventing large-scale data breaches affecting end customers. Because of this, SAP’s GRC strategy includes deepening the existing integration between its information security and enterprise GRC portfolios to provide unprecedented identity governance and administration capabilities.

It is no accident that SAP solutions for GRC are top of mind for new and installed SAP customers as the global market leader in the enterprise GRC space. We carefully designed and executed our strategy to build on the trust our customers put in the SAP brand. Through SAP’s unparalleled services and partner network, SAP will continue to deliver GRC and security solutions that simplify GRC, provide unique business insight, and strengthen businesses for the road ahead.

[1] Ponemon Institute LLC, “The True Cost of Compliance” (2011).


A Holistic, Enterprise-Wide View of GRC
How People, Strategy, and Technology Come Together to Manage Risk

Scott Osterman, SAP Security and SAP Access Control Practice Leader, Partner, PwC
Bruce McCuaig, Director, GRC Product Marketing, SAP

Increasing risk and regulatory complexity are the biggest pressures on organizations’ governance, risk, and compliance (GRC) functions. Most businesses, however, spend their GRC focus on reactive measures, typically including security and controls improvements, without thinking proactively about setting up a holistic GRC program that can help them adjust as new regulations take form and new risks appear.

SAP market observations suggest that integrated, holistic GRC approaches where organizations are continuously and proactively monitoring risk aren’t yet prevalent among enterprises. While some companies are further along in their GRC journeys, whether that’s embracing mobile, SAP Fiori-enabled technologies or managing security around SAP HANA, many are still having trouble grasping the bigger picture. An SAP-sponsored survey of more than 1,000 executives with responsibility for GRC in their organizations found that just 17% of companies were using any continuous monitoring capabilities, meaning that the rest were relying on a combination of manual spreadsheets and disparate solutions across different organizations and groups.[1]

The technology is available. SAP solutions for GRC — including SAP Access Control, SAP Process Control, SAP Risk Management, SAP Fraud Management, and SAP Audit Management — provide the capabilities for companies to continuously monitor their systems and risks, allowing them to set up a GRC program that has real impact to the organization. The gap, therefore, isn’t technology; the gap is capability, motivation, and governing the future rather than the past.

This gap exists because most enterprises have taken a fragmented approach to GRC. Because professional standards and regulators do not require a holistic, integrated approach, companies often have employees tasked with monitoring controls operating separately from those who are focused on enterprise risk management at the corporate level. These functions too often work in silos; they don’t talk to each other, work together, or integrate properly to ensure that risks are mitigated. Moreover, many companies are still without risk management processes at all, and operate with a reactive approach to business changes. Executives therefore grow frustrated with the lack of visibility, and control failure becomes the biggest organizational risk. A consistent framework is needed to guide the allocation of accountability and the integration of information. Without it, businesses not only fail to manage risk and compliance optimally, but they also fail to achieve the proper return on their GRC technology investment.

3 Lines of Defense

A holistic approach to GRC means implementing compliance, process, audit, and risk on integrated platforms that are operated by collaborative teams that drive GRC practices into critical business activities and monitor progress at an enterprise level.

SAP developed the “three lines of defense” approach, which outlines how a business can find the best way to manage any given risk (see Figure 1 on the next page). The methodology behind this concept is as follows:

1. Control risk and manage compliance in business activities. This means that the first line of defense is the business — they own the risk in their business and monitor and evaluate related controls.

2. Identify, measure, monitor, and report risk and compliance at the enterprise level. This means that the risk management function takes it to the next level, assessing and providing appropriate frameworks for operations and evaluating and taking action on risk management practices across the enterprise.

3. Provide assurance, insight, and advice. This responsibility rests with internal auditors, whose audits can confirm that the framework in place is effective, and that risks are being properly tracked and mitigated.

[1] Loudhouse, “Managing Risk in an Age of Complexity” (2015; http://go.sap.com/docs/download/2015/07/08e10861-357c-0010-82c7-eda71af511fa.pdf).


With this methodology, an enterprise can carry out a strategy that can handle any risk, and report back to its top executives and board regarding progress.

It also enables the organization to get the most out of its technology investment. A holistic team working with integrated data can realize the value of SAP solutions for GRC. Some companies are unsure as to how exactly to treat risks: How do you even get started assessing something as daunting as risk management across an enterprise? SAP recently released SAP GRC Strategy Selector, an iPad app that is designed to assess risks, propose a risk management strategy and primary line of defense for each risk, and also suggest the most appropriate SAP solution to enable the line of defense.[2]

With the right methodology and technology in place, it’s important to have the right people on board, both within the organization as well as from outside thought leadership and consultants such as PwC.

Redefine the People

A compliant environment starts in the boardroom. While a compliant environment does mean addressing some issues in a reactionary fashion, from audit findings to breaches, executives must not lose sight of the fact that there are broader risks that are pervasive across all organizations that need to be monitored and addressed.

Throwing technology at risk management is only part of the solution. Simply implementing a solution that monitors a set of controls or tracks data for a given regulation, but fails to report its findings to the highest levels of management, is inadequate. The right people need to be in place to ensure the synergy between technology and strategy. One of the issues that companies face with GRC is that they fail to have someone at the C-level whose responsibility is chiefly on risk and compliance — a chief risk officer. Without someone at this level directing the GRC actions and framework, organizations will continue to manage GRC at a tactical, rather than strategic, level.

But in the absence of a chief risk officer, the C-suite executives in charge of finance, risk, compliance, operations, and audit can effectively lead and promote the three lines of defense.

Going Forward

Having a holistic GRC strategy involves putting the right people and technology in place, and ensuring that they work in tandem for an enterprise-wide execution of GRC processes. With such a view of GRC, you can ensure your organization is headed in the right direction to combat future uncertainty and protect your data. For more, visit www.pwc.com/sap.

[2] For more about the app, see http://blogs.sap.com/analytics/2015/04/21grc-tuesdays-a-strategic-solution-for-the-disintegration-of-grc.

FIGURE 1: SAP’s “three lines of defense” methodology (figure content, reconstructed from the extracted labels; oversight by the board of directors, audit committee, and other executives spans all three lines)

First Line of Defense: Control business operations; control risks in business activities; automation and continuous monitoring of risks and controls
Second Line of Defense: Entity-level risk and compliance management; management of the frameworks for risk, control, and compliance; continuous monitoring of risk, control, and compliance requirements
Third Line of Defense: Provide independent assurance; automation and continuous risk-based auditing for assurance and insight


Enable Your Internal Auditors
How SAP Audit Management Can Improve Decision Making, Lower Reaction Time, and Optimize the Audit Process

Marsha Reppy, Americas SAP Controls, Security, and GRC Leader, EY
Shola Oguntunde, Senior Manager, EY
James Chiu, Director, GRC Solution Management, SAP

With the global business environment changing so rapidly, driven by economic, technological, and regulatory changes, companies face increasing levels of risk. As a result, management and audit committees continue to challenge internal audit (IA) functions to be more effective, efficient, and innovative, and to help organizations address the risks they face today as well as anticipate emerging risks.

An optimal mix of processes, people, and technology is critical to achieving that goal. With technology such as SAP Audit Management — an SAP solution for governance, risk, and compliance (GRC) devoted to audit functions — businesses can optimally support the efforts of IA organizations. Let’s look at three key benefits businesses can realize with SAP Audit Management.

1. Improved Decision Making

With the volumes of data present in enterprise systems and produced in business processes, companies need to make effective and timely decisions. SAP Audit Management allows for improved decision making, enabling you to prioritize your activities on risks that matter. The solution includes automated and comprehensive monitoring of risks across the entire audit process, from the identification of a risk to its mitigation.

SAP Audit Management integrates multiple GRC processes and mandates, supporting all relevant regulatory requirements while improving collaboration and reducing duplication. These capabilities come together with embedded analytics within the planning and execution phases of IA processes, allowing organizations to focus internal audits on high-risk and unusual areas. It also allows you to manage your resources and their competencies, so the right people are performing the right tasks and the potential effects of making resource changes are revealed.

2. Lowered Reaction Time

SAP Audit Management enables you to detect risks as they occur and, in some cases, prevent risks from occurring at all. Predictive modeling and continuous monitoring also help identify trends that may be missed using traditional sampling techniques. With these capabilities, you can react to significant risks as soon as they arise, adjust your audit plan, and understand the effects of these adjustments. This reduced reaction time improves the agility of your risk management processes, allowing you to effectively respond to business needs.

3. Optimized Audit Process

Improving the efficiency of your people and the overall integrity of the audit process is essential. SAP Audit Management provides continuity and automation of previously fragmented and manual IA processes, reducing the risk of human error. It also boasts a better user experience with an intuitive interface, interactive screens, and easy audit report generation. With a better user experience, members of the IA team can become more efficient and effective.

Technology Enables Process Improvement

SAP Audit Management can help improve your IA functions, but you also need to look beyond the technology. Perform a current-state diagnostic of your processes and develop a business case, taking into account your long-term vision and objectives. Then consider GRC broadly, focusing not just on IA process optimization and resource management, but also on integration with other areas. Doing so will enable you to leverage the technology’s potential to its fullest, helping the organization improve its risk management practices and the IA function meet its goals and objectives. Learn more at www.ey.com/US/en/Services/Advisory.


Process Before Technology
Effective GRC Strategies Begin with Business Alignment

Kush Sharma, Manager, Security Transformation, Accenture
Nazam Jamal, Infrastructure and Security Transformation, Accenture

Security concerns can seem daunting to any enterprise. With new threats always on the horizon, and business models that place a high value on networks and connectivity, traditional ways of assessing and analyzing risk are giving way to new models that focus on governance, risk, and compliance (GRC) as a comprehensive, end-to-end enterprise platform. The stakes are too high to rely on localized security measures that may have sufficed in the past, as companies are more globally focused than ever before. This global focus requires an integrated approach to get visibility into all types of threats. Only then will an organization have the ability to detect and ultimately predict critical events as well as prepare for and execute a response.

Organizations that run SAP solutions for GRC have a strong foundation for mitigating enterprise risk, but they also need to be vigilant outside of their existing technology. One key challenge for a global enterprise, for example, is to customize a solution to adhere to regulations at a regional level, which often vary greatly from region to region. With vast experience working with SAP customers, Accenture has learned the nuances of SAP solutions for GRC and how to apply this knowledge within an organization’s specific environment.

It is important to build a consensus from various stakeholders for how SAP solutions for GRC will be used to support the business. Leaders and solution owners must come to a shared view on how compliance, integration, authentication, and access management will mesh to support a holistic enterprise platform.

Think Process, Not Technology

In our experience helping global multinationals develop and design security strategies, we find an approach that puts people and process ahead of technology is one that best leads to long-term success. With this in mind, we approach SAP solutions for GRC implementations with the understanding that other pieces can assist these solutions in creating a holistic, end-to-end security framework that supports the entire business.

One interesting piece of the puzzle is the trend of more organizations turning to the cloud to host business applications. This opens an entirely new set of security concerns, and we find that many SAP customers are looking to refresh their entire security strategy. They can tackle security not through the standard approach at the application layer, but instead by adopting a broader approach that takes an integrated, enterprise view of security through all layers, including the network, operating systems, databases, and, most importantly, the business applications themselves, given how many users access SAP systems. Because of increased use of the cloud, security needs to be addressed not just internally but externally, as data traverses the internet and the access management mechanisms and data protection controls needed to secure it.

Creating this new enterprise security architecture is only half the battle. Managing and maintaining a world-class architecture demands world-class resources, and many organizations turn to Accenture’s managed security solutions to help manage growing complexity. And with mergers and acquisitions on the rise, Accenture’s team of SAP security specialists can help ensure a successful transition while meeting the requirements of two organizations.

Staying on the Leading Edge

SAP customers are making heavy investments in effective security and risk management measures. Accenture is committed to protecting this investment by staying on the leading edge in the strategy, integration, design, delivery, and management of the modern GRC platform. At the Accenture Security Labs in Virginia, an entire team is dedicated to research, development, and innovation to ensure a company’s security response is always one step ahead of the latest threat on the horizon. Accenture’s approach is aligned with what our clients and the market are asking for — a partner that helps solve business issues in an integrated way, with digital pervasive in everything we do. For more information, visit www.accenture.com/us-en/Pages/insight-cyber-security-research-report.aspx.


7 Strategies for Preparing Your SAP Systems for Audits
Brian Shannon, Chief Strategy Officer, Dolphin Enterprise Solutions Corporation

The word “audit” often carries with it a sense of dread and foreboding. This may be because many companies are ill equipped to handle the amount of work required to prepare for fiscal, regulatory, and compliance audits such as payment card industry (PCI) and personally identifiable information (PII) audits. With the right preparation and tools, however, you can be confident that your audits will run smoothly.

Prepare Your SAP Systems for Audits

Let’s take a look at seven strategies that make it easier for organizations running SAP systems to prepare for audits.

1. Start with an Information Lifecycle Management Strategy

Align the organization’s retention policies and audit requirements with what will be needed to support them — operational changes, new technology, or a combination of both. Start with an information lifecycle management strategy to ensure that information is managed correctly over time and across the entire SAP system landscape. Remember that retention policies are essential to any audit.

2. Consider the Effects of Global Audit Requirements

Businesses with global operations must consider the effects of global audit requirements before investing in specific solutions or changing procedures. Regulations can change frequently, and some countries such as France, Luxembourg, and Brazil have especially stringent compliance requirements. Invest in flexible tools that can generate the right information in the right format at the right time.

3. Don’t Forget About Data Extraction

Ask any auditor, finance team member, or IT service provider — extracting data for audits can be a lengthy and difficult process. Think about how data will be extracted in the event of an audit and look for ways to leverage the built-in capabilities and specialized solutions that are available in your SAP landscape to ensure your organization will be able to respond quickly and easily to any audit request.

4. Adopt the Latest SAP Technologies for Audits

Even if you have SAP solutions for governance, risk, and compliance (SAP solutions for GRC) in place, you must implement the latest release to have access to the most up-to-date features for controlling risk, preventing fraud, and implementing stronger process controls. Don’t forget to consider how these new capabilities will affect data growth and data extraction.

5. Optimize Audit-Related Tasks

Due to the perceived infrequency of audits, many organizations do not optimize audit-related tasks or toolsets. However, these tools can enable quicker audit response times and reduce fines, penalties, and the overall cost of audits. Wherever possible, build audit requirements directly into process optimization efforts to minimize duplication of efforts and allow auditors to be self-sufficient.

6. Calculate the ROI of Audit Compliance

Once the proper audit controls are in place, it is important to calculate the return on investment (ROI) of audit compliance. To ensure adequate funding and support for compliance at the highest levels of the organization, assign values to fraud prevention, data privacy and protection, and more secure processes.

7. Lower the Cost of Long-Term Data Storage

Data retention periods can vary depending on the type of data and the applicable regulations. Health, academic, and other personal data must be kept for much longer periods than financial data, for example. Consider using data archiving and cloud storage to lower the cost of long-term data storage.

Learn More

For more information on preparing your SAP systems for audits, visit www.dolphin-corp.com.


Secure, Vigilant, Resilient
How Companies Can Keep Pace with the Evolving Threats of Modern Business
Jeff Lucy, Director, Deloitte & Touche LLP
Bill Smith, Senior Manager, Deloitte & Touche LLP

Despite heightened attention and an unprecedented level of security investment from organizations, the number of cyber incidents and their associated costs continue to rise. Increasingly sophisticated hackers cause some to question whether security is even possible in today’s rapidly evolving landscape of cyberattacks.

The very innovations that drive business growth and value — such as the proliferation of sensitive data and the mobile access that employees often have to it — create cyber risks that, if not checked, can outweigh the business benefits the organization is seeking. To stay secure, vigilant, and resilient in a rapidly evolving landscape of cyber threats, companies need to identify the top risks they face and develop a sound cyber risk program that includes software such as SAP solutions for governance, risk, and compliance (SAP solutions for GRC).

Secure

Traditional security controls, preventive measures, and compliance initiatives tend to consume the majority of companies’ investments in cyber risk management, and this investment will either need to continue at current levels or increase. Companies should build a business-centric access and data protection program that appropriately balances the needs for speed, scalability, and sustainability.

SAP Access Control can help companies understand areas of sensitive data access, enable stronger access controls for areas of high sensitivity, and provide additional approval controls. SAP Process Control can help a company manage and monitor its controls environment, specifically internal controls that handle areas of sensitive access as well as recertification of controls. SAP Regulation Management by Greenlight, combined with public information sources, can provide companies with insights around what is required to be properly secured to enhance their security profile.

Vigilant

Efforts to be vigilant start with a solid picture of what a company needs to defend against. Knowing a company’s specific business risks as well as the larger threat landscape within its industry is an important starting point. Effective cyber vigilance requires robust monitoring of infrastructure, applications, and users.

SAP Fraud Management and SAP Access Violation Management by Greenlight can detect anomalous business transactions embedded in mass amounts of activity that could indicate a potential compromise of a user’s credentials or access abuse. SAP Regulation Management by Greenlight can consolidate inputs across the technology landscape to provide consolidated perspectives on the overall vigilant posture of the organization.

Resilient

Technology teams handle many day-to-day, routine security events, but some incidents may become serious business crises. Being resilient means having the capacity, at a moment’s notice, to contain the damage and mobilize the diverse resources needed to decrease its impact, including direct costs and business disruption as well as reputation and brand damage.

SAP solutions for GRC help companies manage and expand their existing crisis management programs. With SAP Risk Management, companies can manage areas of potential impact and gain insight into risk exposure. Companies can assign hard-dollar figures to areas of risk, allowing them to better quantify the potential impact.

Learn More

To learn how Deloitte is helping organizations strengthen their cyber risk programs by incorporating the capabilities of SAP solutions for GRC, visit www.deloitte.com/sap or email us at [email protected] or [email protected].

This publication contains general information only and is not a substitute for professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.


Many companies implement SAP solutions for governance, risk, and compliance (SAP solutions for GRC); turn on different aspects of SAP Access Control, SAP Process Control, and SAP Risk Management; and consider the job done. They may be able to, for example, check segregation of duties (SoD) violations against user access, require IT users to check out FireFighter IDs, and have a few controls established and monitored in real time via continuous control monitoring. Technically, the solutions are installed and working — but are they really providing maximum return on the company’s investment?

For continuous, long-term success, companies need to better connect their GRC solutions with their integral, enterprise-wide business processes. Without this approach, companies may face redundant, costly audit efforts; uncoordinated, inconsistent processes among different departments; and insufficient visibility into risks.

Daily Compliance Is Key

To truly capture the value of SAP solutions for GRC, companies should extend the functionality to the business and incorporate the processes into daily tasks. This is how businesses can achieve continuous compliance — by making compliance part of a company’s daily operations through constant diligence and improvement. By continuously reviewing the effectiveness of compliance activities, companies can ensure their compliance activities and business processes are truly integrated and aligned.

For example, consider how compliance can help reduce the time it takes to identify and mitigate SoD issues. When an issue arises that causes an SoD violation to occur, you can use SAP Access Control to quickly mitigate and even systematically point to the correct mitigating control. By maintaining continuous compliance, you can be sure that the mitigating control is appropriate and effective to mitigate the violation. This can save time and effort, eliminate manual errors, and ensure consistency throughout the organization.
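The SoD check described in this paragraph, together with the "check SoD violations against user access" capability named at the start of this article, as an added example that is not code from the article, from ultimumIT or from SAP Access Control. It resolves each user's roles to authorization objects, tests which conflicting business functions the user can actually execute, and separates violations that already carry a mitigating control from those still open. The ruleset, role contents, user assignments, mitigation ids and the authorization field values are constructed for illustration; the object names (S_TCODE, F_LFA1_APP, F_BKPF_KOA, F_REGU_BUK) are standard SAP authorization objects, but the rules here are not SAP's delivered ruleset.

```python
"""Segregation-of-duties check at the authorization level.

Added example; not code from the article, ultimumIT or SAP. Ruleset, roles,
users and mitigations below are constructed for illustration only.
"""

# A business function is held only when a user has ALL authorizations needed
# to execute it (transaction start plus the object/activity pair), which is
# what checking "down to the authorization level" means in practice.
# Authorization = (object, field value). Constructed; not SAP's ruleset.
FUNCTIONS = {
    "Maintain vendor master": {("S_TCODE", "XK02"), ("F_LFA1_APP", "02")},
    "Post vendor invoice":    {("S_TCODE", "FB60"), ("F_BKPF_KOA", "01")},
    "Run payment run":        {("S_TCODE", "F110"), ("F_REGU_BUK", "21")},
}

# Conflict rules: risk id -> pair of functions one person must not hold together.
CONFLICTS = {
    "P001": ("Maintain vendor master", "Post vendor invoice"),
    "P002": ("Post vendor invoice", "Run payment run"),
}

# Role -> authorizations (constructed role contents).
ROLES = {
    "Z_AP_CLERK":    {("S_TCODE", "FB60"), ("F_BKPF_KOA", "01"), ("S_TCODE", "XK03")},
    "Z_VENDOR_ADM":  {("S_TCODE", "XK02"), ("F_LFA1_APP", "02")},
    "Z_PAYMENTS":    {("S_TCODE", "F110"), ("F_REGU_BUK", "21")},
    "Z_VENDOR_DISP": {("S_TCODE", "XK03"), ("F_LFA1_APP", "03")},
}

# User -> assigned roles (constructed).
USER_ROLES = {
    "ALICE": ["Z_AP_CLERK", "Z_VENDOR_ADM"],   # P001: two harmless roles combine into a conflict
    "BOB":   ["Z_AP_CLERK", "Z_PAYMENTS"],     # P002: conflict, but a mitigating control exists
    "CAROL": ["Z_AP_CLERK", "Z_VENDOR_DISP"],  # display-only vendor access: no conflict
}

# Mitigating controls already assigned: (user, risk id) -> control (constructed).
MITIGATIONS = {("BOB", "P002"): "MC-017 payment proposal reviewed by treasury"}


def effective_auths(user):
    """Union of the authorizations carried by every role assigned to the user."""
    auths = set()
    for role in USER_ROLES.get(user, []):
        auths |= ROLES.get(role, set())
    return auths


def functions_held(user):
    """Business functions the user can fully execute, not merely start."""
    auths = effective_auths(user)
    return {name for name, needed in FUNCTIONS.items() if needed <= auths}


def sod_violations(user):
    """List of (risk_id, mitigation or None) for every conflict the user holds."""
    held = functions_held(user)
    found = []
    for risk, (f1, f2) in CONFLICTS.items():
        if f1 in held and f2 in held:
            found.append((risk, MITIGATIONS.get((user, risk))))
    return found


def unmitigated_report(users=USER_ROLES):
    """User -> open risks (no mitigating control assigned); users with none are omitted."""
    report = {}
    for user in users:
        open_risks = [risk for risk, control in sod_violations(user) if control is None]
        if open_risks:
            report[user] = open_risks
    return report


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, sorted(functions_held(user)), sod_violations(user))
    print("open:", unmitigated_report())
```

The distinction between a role that merely contains a transaction code and one that also carries the object/activity pair needed to complete the function is what keeps the report from flagging display-only access (CAROL) while still catching ALICE, whose conflict arises only from the combination of two individually harmless roles; BOB's violation is reported but not listed as open because a control is already mapped to it.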

Compliance Beyond IT
Integrate Business Processes into Your GRC Strategy to Discover Long-Term Value
Francine Ferguson, Practice Director, ultimumIT

Going Beyond the Initial Implementation

This is where ultimumIT differentiates itself: through our robust technical implementation experience, and our governance and compliance expertise, we have established a proven methodology and approach. For example, to help organizations further hone and increase their return on investment with SAP solutions for GRC, ultimumIT has developed the following bolt-on utilities:

■ uAssist: Streamlines reporting and provides continuous compliance alerts by combining repetitive, hard-to-generate reports in a central location and providing email notifications upon termination of SAP Access Control approvers.

■ uChangeAC: Reduces the administrative overhead of SAP Access Control by allowing you to mass-replace all of the different owners in SAP Access Control (FireFighter owner, role owner, mitigation monitor, for example) from a single screen in minutes.

■ uLicense: Simplifies and automates SAP licensing processes by centralizing your SAP license reports into a single screen, identifying discrepancies within license assignments, and providing the ability to mass-change or update licenses in multiple systems.

ultimumIT offers services and tools that not only focus on the initial successful implementation of SAP solutions for GRC, but also help provide a vision for their future use, support, and scalability. It is not merely a technical implementation, but an important piece of a long-term roadmap for how IT and the business will work together to report, govern, and control one of the company’s largest capital investments and expenses — its ERP solution.

Learn More

For more information, visit www.ultimumIT.com or contact us at [email protected].


9 Ways to Jumpstart License Compliance and Minimize Risk in Your SAP Landscape
Stephen DuBravac, Executive Vice President, Security Weaver

To optimize their SAP investments, organizations need to understand the licensing requirements for their SAP solutions, and how to ensure appropriate licensing and minimize risk. Minimizing licensing risks involves optimizing direct, indirect, and package licenses. In addition to using standard transactions USMM and SLAW, organizations seeking further assurance on compliance and optimal returns on SAP investments often complement these standard transactions with additional tools. In addition to these tools, organizations should adopt best practices focused on improving direct license allocations.

Optimizing SAP License Compliance

Below are nine ways to jumpstart managing licensing compliance for your SAP software.

1. Ensure License Ratios Sound Right

Ratios for named categories (for example, developer or full professional) for your deployed SAP licenses should make sense given your organization’s business model and employee count. When these ratios seem off, use that as a guide to locate suboptimal license allocations.

2. Combine Access Cost Management with Access Risk Management

This takes work out of the system, allows managers to make better decisions during approval and recertification activities, and enables administrators to simultaneously manage access risk and license compliance during role design and development tasks.

3. Make License Reviews Part of Business Planning

Using “what-if” simulations and trend analysis during business planning helps administrators understand how and when a growing employee population will impact licensing requirements. Simulations also enable administrators to understand how changes will affect license consumption, requirements, and costs.

4. Continuously Audit Your SAP Software Licenses

Software license audits are on the rise, and performing these audits can be disruptive to staff and budgets. Having familiar tools and processes in place that run continuously and are integrated with ongoing operations dramatically reduces disruptions.

5. Use a Ruleset for Assignments

Codifying rules for assigning named license categories eliminates confusion on why license types are assigned and reduces the costs of ongoing license management.

6. Understand Usage Data

Detailed user transaction histories showing which transactions were used, and when, enable administrators to determine if allocation rules are well defined.

7. Integrate License Management with Role Management

Role design and maintenance are often the root cause behind expensive, improperly allocated licenses. When license management and role management are integrated, administrators understand the cost effects of unused, poorly designed roles.

8. Enforce Policies and Controls for Inactive and Duplicate Users

Inactive and duplicate users are two common drivers for overspending on licenses. Controls can identify and remove these users to ensure that entitlements are only assigned to valid users, to avoid overpayments, and to free staff from tedious work.

9. Change the Frame from License Compliance to License Optimization

Investments in SAP software are intended to help people be more productive. Enterprises may be compliant, but still may overspend on license and maintenance fees because people have too much or too little access or are insufficiently trained. A license optimization mindset means organizations do more than count licenses — they review usage patterns and role assignments and seek to optimize their SAP investments.
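Items 1, 5, 6 and 8 above, as one added example that is not code from the article, from Security Weaver or from SAP: a codified assignment ruleset applied to transaction-usage history, followed by the inactive-user, duplicate-user and category-ratio checks that the list describes. The category names, thresholds, transaction groupings and every user and usage record are constructed for illustration; the example does not reproduce SAP's contractual license categories or the USMM/SLAW measurement the article mentions.

```python
"""License-category ruleset, usage review and inactive/duplicate user checks.

Added example; not code from the article, Security Weaver or SAP. Categories,
rule thresholds, transaction groupings, users and usage are all constructed.
"""
from datetime import date, timedelta

# Item 5: codified assignment rules, evaluated top to bottom, first match wins.
# Transaction groupings are constructed, not SAP's category definitions.
DEVELOPER_TCODES = {"SE38", "SE80", "SE11"}
CHANGE_TCODES = {"ME21N", "FB60", "VA01", "XK02"}
RULES = [
    ("Developer",    lambda used: bool(used & DEVELOPER_TCODES)),
    ("Professional", lambda used: bool(used & CHANGE_TCODES)),
    ("Limited",      lambda used: bool(used)),   # display-only activity
    ("Inactive",     lambda used: True),         # catch-all: no activity at all
]

# Constructed user master records: user id, person identifier, system, last logon.
TODAY = date(2015, 10, 1)  # fixed reference date so the example is deterministic
USERS = [
    {"user": "JSMITH",  "email": "j.smith@example.com", "sys": "PRD", "last_logon": date(2015, 9, 28)},
    {"user": "JSMITH2", "email": "j.smith@example.com", "sys": "PRD", "last_logon": date(2015, 9, 30)},
    {"user": "ALEE",    "email": "a.lee@example.com",   "sys": "PRD", "last_logon": date(2015, 3, 2)},
    {"user": "MROSS",   "email": "m.ross@example.com",  "sys": "PRD", "last_logon": date(2015, 9, 29)},
    {"user": "DEVBOT",  "email": "dev@example.com",     "sys": "DEV", "last_logon": date(2015, 9, 29)},
]

# Item 6: constructed transaction history (user, transaction code, date used).
USAGE = [
    ("JSMITH",  "ME21N", date(2015, 9, 28)),
    ("JSMITH",  "ME23N", date(2015, 9, 28)),
    ("JSMITH2", "ME23N", date(2015, 9, 30)),
    ("MROSS",   "SE38",  date(2015, 9, 29)),
    ("MROSS",   "ME21N", date(2015, 9, 29)),
    ("DEVBOT",  "SE80",  date(2015, 9, 29)),
]

INACTIVE_AFTER = timedelta(days=90)  # constructed policy threshold


def transactions_by_user(usage=USAGE):
    """User id -> set of transaction codes actually executed."""
    used = {}
    for user, tcode, _when in usage:
        used.setdefault(user, set()).add(tcode)
    return used


def assign_category(used_tcodes):
    """Apply the ruleset; the catch-all rule guarantees a result."""
    for name, matches in RULES:
        if matches(used_tcodes):
            return name
    raise AssertionError("ruleset must end with a catch-all rule")


def allocate(users=USERS, usage=USAGE):
    """User id -> license category derived from real usage, not from role names."""
    used = transactions_by_user(usage)
    return {u["user"]: assign_category(used.get(u["user"], set())) for u in users}


def inactive_users(users=USERS, today=TODAY):
    """Item 8: accounts with no logon inside the inactivity window."""
    return sorted(u["user"] for u in users if today - u["last_logon"] > INACTIVE_AFTER)


def duplicate_users(users=USERS):
    """Item 8: several user ids on the same system tied to one person."""
    by_person = {}
    for u in users:
        by_person.setdefault((u["email"], u["sys"]), []).append(u["user"])
    return {key: sorted(ids) for key, ids in by_person.items() if len(ids) > 1}


def category_ratios(users=USERS, usage=USAGE):
    """Item 1: share of each category, to sanity-check against headcount."""
    allocation = allocate(users, usage)
    counts = {}
    for category in allocation.values():
        counts[category] = counts.get(category, 0) + 1
    return {category: round(n / len(allocation), 2) for category, n in counts.items()}


if __name__ == "__main__":
    print(allocate())
    print("inactive:", inactive_users())
    print("duplicates:", duplicate_users())
    print("ratios:", category_ratios())
```

Because categories are derived from executed transactions rather than from role names, a user who only ever displays documents (JSMITH2) lands in the cheaper category even if a change-capable role is assigned, and the ratio output makes a 40% developer share visible as something to question against headcount; the duplicate check ties JSMITH and JSMITH2 to one person so only one entitlement is justified.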

Learn More

To learn more about additional ways to jumpstart license compliance in your SAP landscape, visit us at www.securityweaver.com.


No Reward Without Risk
3 Steps to Building a Risk-Aware Organization
Marsha Reppy, Americas SAP Controls, Security, and GRC Leader, EY

Operating a business requires taking risks. Organizations that identify and manage these risks well are positioned to grow and remain successful. To see how well organizations are performing in their risk management efforts, EY conducted a governance, risk, and compliance (GRC) survey of 1,196 participants around the globe and across industries.

We focused on an array of topics, including risk strategy, coordination of functions, internal audit, and technology, to gain a better understanding of how well organizations are managing risk today. Results showed that while organizations are making progress, further opportunities exist to improve the way that they identify, manage, and respond to risk.

A Comprehensive Approach

The results of the survey indicate that organizations are looking for a more comprehensive, coordinated, and innovative approach to enable them to successfully manage the opportunities and the hardships presented by risk. This requires transforming the way the organization views and capitalizes on risk — we call this building a risk-aware organization. With the knowledge that risks are a never-ending challenge and new risks will be encountered every day, companies can take a three-step approach to risk management.

Step 1: Advance Strategic Thinking

Challenge the way the organization categorizes, manages, and responds to risk by considering it in the context of business decisions and designing risk response plans to appropriately manage identified risks.

Nearly all organizations (97%) indicated that they have made progress in linking their risk management objectives and business objectives, but only 16% consider themselves to be closely linked today. While 66% of organizations indicated that risk management has limited involvement in business decision making, 90% expect to be directly involved or provide inputs within the next three years.

Step 2: Optimize Functions and Processes

Focus on what the organization is doing to optimally align functions by allocating talent and designing risk management processes to efficiently and effectively execute risk response plans across each of the lines of defense. Among respondents, 21% indicated that risk activities are well coordinated today, whereas 67% indicated that they expect risk activities to be well coordinated within three years.

Step 3: Embed Solutions

It’s important to integrate sustainable solutions throughout the organization to prevent, balance, and limit risk. This remains a significant opportunity as 46% of respondents indicated that they do not leverage GRC technology, such as SAP solutions for GRC, limiting their ability to continuously identify and monitor risks in an integrated fashion across their organization, with only 23% evaluating and adjusting their risk profile on a periodic basis.

For More Information

For the full results of the survey and our other thought leadership reports, visit www.ey.com/GRCsurvey2015. For more information on our risk services, including those focused on SAP controls, security, and GRC, email [email protected].


Daniel Prior, Senior Manager, EY


Increased External Audit Scrutiny Puts Spotlight on Access Controls
Jody Paterson, CEO, ERP Maestro

Controlling access to your business environment is fundamental to the security and regulatory compliance of your organization, and maintaining the necessary levels of control requires frequent reviews of who is accessing what in your systems. While external auditors have always discouraged manual approaches to managing access control reviews, 70% of companies manually monitor access controls in their ERP system, including segregation of duties (SoD), emergency access, and provisioning.1

Why do so many organizations choose a manual approach over using an automated solution despite the advantages of automation, such as accuracy, completeness, and continuous auditing? It is not due to a lack of awareness of the value automated tools bring, but rather the perceived high cost and complex implementation project that is involved.

While organizations have been able to get by using ad hoc field tools to manually spot-analyze their environments, external auditors are changing how they evaluate access controls. This means that organizations can no longer continue to manage controls this way and still remain compliant going forward.

What Changed?

This shift is directly influenced by the updated COSO 2013 framework for internal management controls, which is being incorporated into access control audits.2 The updates to the framework focus on an increased reliance on IT in general, with a particular focus on completeness and accuracy of controls, including access controls.

As a result, external audit firms are reporting that the Public Company Accounting Oversight Board (PCAOB) is increasing pressure on them to prove their control effectiveness.3 With tougher audits that incorporate higher expectations for controls over processes and technology, organizations will find it more difficult to demonstrate that a manual approach — exporting large datasets and running them through numerous custom queries using homegrown spreadsheets and databases — is actually complete and accurate.

1 Gartner, “Market Guide for SoD Controls Monitoring Tools” (April 2015; www.gartner.com/doc/3039718/market-guide-sod-controls-monitoring).
2 See www.coso.org/IC.htm.
3 Wall Street Journal, “Fees Rise as Internal Controls Draw Auditor Focus” (May 2015; http://blogs.wsj.com/cfo/2015/05/19/fees-rise-as-internal-controls-draw-auditor-focus).

How Can Organizations Adapt?

Automated solutions can improve organizations’ ability to monitor access controls with the completeness and accuracy auditors require. However, many solutions can involve long, costly implementations that organizations simply can’t afford as 2015 audits rapidly approach.

ERP Maestro addresses the need for completeness and accuracy and can be implemented in time for 2015 audits. It is a quick and simple cloud-based solution that automates SoD, sensitive access, emergency access, and secure provisioning in SAP environments. Because it’s a software-as-a-service (SaaS) solution, it can be deployed and fully configured in 30 minutes, and flexible subscription pricing makes it easy to fit into any budget. The solution monitors all transactions in SAP systems for conflicts down to the authorization level and features a selection of audit-ready reports out of the box that follow best-practice reporting standards.

Beyond Automation

Although ERP Maestro can help organizations automate access controls quickly to reach compliance in the 2015 audit year, a fully mature governance, risk, and compliance (GRC) program is a journey of steps. As organizations’ GRC capabilities mature, they may require the functionality of SAP solutions for GRC — such as SAP Access Control, SAP Process Control, and SAP Risk Management — to build a comprehensive framework of controls for their environment. ERP Maestro supports this journey by complementing SAP solutions for GRC with transaction monitoring and advanced reporting features.

ERP Maestro is available for a free two-week trial to help organizations assess whether it can meet their access control automation needs. To learn more, visit www.erpmaestro.com.

With tougher audits that incorporate higher expectations for controls, organizations will find it more difficult to demonstrate that a manual approach is accurate.


Are you confident that your SAP system and related processes are working as intended? Is this confidence based on opinion, or is it backed by fact?

Perhaps your talented SAP security team has been able to meet all of your security needs with standard SAP functionality, so you haven’t bothered to implement SAP Access Control. Your auditors rely on your manual testing procedures for compliance, so you haven’t implemented SAP Process Control. Your business users have no significant complaints, and you haven’t had a major process breakdown in several years.

These are achievements to be proud of, but they may not mean all is working as intended. Others in your position have also felt confident — until they were hit by fraud, process breakdown, or system failure resulting in public embarrassment, regulatory fines, and potentially even the loss of their job.

This fate can be avoided. An independent, in-depth SAP system assessment can help uncover issues that may be hidden from view by internal teams that are too close to the processes to be objective.

Hidden Issues in Systems

High Water Advisors regularly performs client system assessments to find these types of problems. Many organizations that we review have one key thing in common: They don’t believe they have an issue (often adamantly so). But we’ve found unexpected issues such as the following:

■ Missing information: A standard report being relied upon for monitoring a key risk area was incompletely reporting results, preventing visibility into several significant risks that not only had serious compliance implications, but had actually been exploited.

■ Overzealous contractors: A few external contractors had been giving themselves super-user privileges that had not been authorized, and were also using SAP default IDs (that should have been disabled) to perform critical business functions, unbeknownst to those in charge.

■ Misplaced trust: Poor SAP NetWeaver configuration could have allowed any person connected to the client’s network to gain administrative privileges on a system administered and hosted by a well-respected third party.

■ Generous relationships: Millions of dollars in unapplied credit memos, some of which were years old, were located. However, those same vendors were actively being paid from accounts payable (AP).

■ Configuration confusion: Incorrectly configured payment tolerances resulted in quick payment of invoices when a vendor had overcharged. However, there was no ability to recognize an invoice difference that worked in the client’s favor.

■ Potential fraud: Someone used an unmonitored back door to directly edit purchase orders at the table level.

Misplaced Comfort

These issues were not just present in one or two clients — they were widespread. This lack of knowledge of risks affecting the business is exactly why organizations should be looking to SAP solutions for governance, risk, and compliance (SAP solutions for GRC). Maybe you are in an organization that is not using SAP Access Control because you don’t think you have a security problem or you don’t have SAP Process Control because your control monitoring seems to be working fine without it. Perhaps you haven’t implemented SAP Fraud Management because you have good people. There may still be problems lurking beneath the surface that you can’t spot without focused attention.

If you want to know for sure if you need to add more robust GRC solutions to your landscape, consider an assessment by an independent expert. This review is not the same as a financial statement audit and it doesn’t need to be painful — it can be as short as a few hours or as long as a few days depending on the complexity of your SAP landscape. You will likely uncover issues that will make you glad you checked. For more information, visit www.highwateradvisors.com/content/sap-grc.

What Risks Are Hiding in Your SAP Landscape?
Conduct a System Assessment to Uncover Issues Before They Become Trouble
Steve Biskie, Managing Director, High Water Advisors


FIGURE 1 SAP Solution Manager provides the essential tools you need to protect your SAP landscape against cyber attacks

The fear and anxiety driven by the wave of cyber attacks in recent years have led many companies to bolster their security programs. They have also led to a stream of software solutions from third-party developers offering to solve customers’ cyber security challenges. You may have heard the sales spin, watched the demos, and even considered the proposals. But before you launch the purchase order, ask yourself: Is there an alternative?

What if the tools you need to secure your SAP systems were available to you at this very moment?

The Cyber Security Toolkit in SAP Solution Manager

SAP has equipped customers with a variety of tools to protect against a wide range of cyber threats. The tools are available in SAP Solution Manager and are displayed in Figure 1. They include:

1. Configuration validation: Implement automated vulnerability checks across your entire landscape
2. System recommendations: Detect security-relevant patch day and support package notes
3. Change analysis: Analyze the root cause of changes in your managed systems
4. End-to-end (E2E) alerting: Investigate email and SMS alerts for critical security events
5. Security dashboards: Monitor the health of your systems in near real time

Other than following standard SAP Solution Manager setup procedures, including those related to technical monitoring, there are no prerequisites for using any of these tools. What’s more, since you’re leveraging standard SAP components, there’s no need to license third-party software. You can redeploy the dollars earmarked for security tools to more urgent needs, such as hiring more resources for security teams.

In addition, SAP Solution Manager provides the scalability to grow from 20 managed systems to 200 without worrying about licensing issues, provided the SAP Solution Manager instance itself is sized for the larger landscape. You also have the ability to build custom security checks using fully transparent rules, enabling you to tune rules for each system, environment, or any other variable.

SAP Solution Manager also allows you to secure access to security-related information using the SAP authorization concept, so findings do not have to be exported to systems outside the SAP landscape. The corollary is that SAP Solution Manager itself, which holds the configuration data of every managed system and connects to each of them via RFC, must be hardened and access-restricted at least as carefully as the systems it monitors. Finally, you benefit from the availability of detailed drill-down reports from SAP Business Warehouse, support and maintenance directly from SAP, and the reassurance of knowing you’re following an approach recommended by SAP.1
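The configuration validation tool (item 1 in the list above) and the custom, transparent rules tuned per system or environment amount to a rule set evaluated against the settings collected from each managed system. The following is an added example, not SAP code and not part of the original article, of what such a rule set looks like in Python: it parses a profile extract, applies per-environment overrides, and reports findings. The parameter names are real SAP NetWeaver AS ABAP profile parameters; the target values, the DEV/PRD overrides and the two sample profiles are assumptions constructed for illustration, not SAP’s published recommendations, so replace them with your own baseline.

```python
"""Added example (not SAP's code): a transparent configuration-validation rule
set of the kind SAP Solution Manager's configuration validation applies to
profile parameters collected from managed systems. The parameter names are
real SAP NetWeaver AS ABAP profile parameters; the target values, the
environment overrides and the sample profiles are constructed for
illustration and are not SAP's published recommendations."""

import operator
from dataclasses import dataclass, field

OPS = {"eq": operator.eq, "ge": operator.ge, "le": operator.le}


@dataclass
class Rule:
    param: str
    op: str                                        # one of OPS
    target: int                                    # landscape-wide target value
    overrides: dict = field(default_factory=dict)  # environment -> stricter target

    def target_for(self, env):
        return self.overrides.get(env, self.target)


# Illustrative baseline (constructed thresholds; PRD is held to a tighter standard).
RULES = [
    Rule("login/no_automatic_user_sapstar", "eq", 1),
    Rule("login/min_password_lng", "ge", 8, {"PRD": 12}),
    Rule("login/fails_to_user_lock", "le", 5),
    Rule("login/password_expiration_time", "le", 90, {"PRD": 60}),
    Rule("rdisp/gui_auto_logout", "le", 3600),
]


def parse_profile(text):
    """Parse 'name = value' lines of an SAP profile extract; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params


def validate(params, env, rules=RULES):
    """Return (parameter, observed, expected) findings; an empty list is compliant.
    A parameter absent from the extract is reported too: the kernel default then
    applies, and the rule cannot confirm that it meets the target."""
    findings = []
    for rule in rules:
        want = rule.target_for(env)
        expected = f"{rule.op} {want}"
        raw = params.get(rule.param)
        if raw is None:
            findings.append((rule.param, "missing", expected))
            continue
        try:
            have = int(raw)
        except ValueError:
            findings.append((rule.param, raw, "non-numeric value"))
            continue
        if not OPS[rule.op](have, want):
            findings.append((rule.param, have, expected))
    return findings


def check_landscape(profiles):
    """profiles: {SID: (environment, profile text)} -> {SID: findings}."""
    return {sid: validate(parse_profile(text), env) for sid, (env, text) in profiles.items()}


# Constructed extracts: PRD leaves the automatic SAP* user enabled, is judged
# against the stricter PRD overrides, and does not set the auto-logout parameter.
DEV_PROFILE = """
# DEV instance profile (constructed)
login/no_automatic_user_sapstar = 1
login/min_password_lng = 8
login/fails_to_user_lock = 5
login/password_expiration_time = 90
rdisp/gui_auto_logout = 3600
"""

PRD_PROFILE = """
# PRD instance profile (constructed)
login/no_automatic_user_sapstar = 0
login/min_password_lng = 8
login/fails_to_user_lock = 5
login/password_expiration_time = 90
"""

if __name__ == "__main__":
    for sid, findings in check_landscape({"DEV": ("DEV", DEV_PROFILE),
                                          "PRD": ("PRD", PRD_PROFILE)}).items():
        print(sid, "compliant" if not findings else findings)
```

Run as a script, DEV passes and PRD reports four findings: the SAP* setting, the two stricter production password targets, and the unset auto-logout parameter. In SAP Solution Manager the observed values come from the configuration data collected from each managed system rather than from a profile file, but the rule logic, and the need to keep the thresholds readable by the people who own them, is the same.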

Learn More

Layer Seven Security enables organizations to unlock the value of SAP Solution Manager and realize the potential of SAP systems. We leverage the diagnostics infrastructure in SAP Solution Manager to build comprehensive and cost-effective vulnerability management programs. Learn more at www.layersevensecurity.com/solutions or email me at [email protected].

1 For more on using SAP Solution Manager for security purposes, see page 19 of SAP’s “Secure Configuration of SAP NetWeaver Application Server Using ABAP” (January 2012; http://bit.ly/1GT2zKu) and page 33 of “Securing Remote Function Calls” (December 2014; http://bit.ly/1K0WXih).

SAP Solution Manager includes several standard tools to secure systems from cyber risks.

Unlocking the Cyber Security Toolkit in SAP Solution Manager
How to Implement Advanced Security Monitoring Without Third-Party Software

Aman Dhillon, SAP Security Architect, Layer Seven Security


Quantify the Impact of Segregation of Duties on Your Business
Measuring the Financial Exposure of Your Controls Environment

Susan Stapleton, VP Customer Advisory, Greenlight Technologies

Companies are at varying stages of segregation of duties (SoD) management. Some still manually analyze risk with rudimentary methods, while others have moved to solutions such as SAP Access Control to automate their SoD analysis and implement preventive checks during their user and role maintenance processes.

Regardless of where companies are in their SoD journey, the last mile is almost always the same. Eradicating all SoD violations is nearly impossible, and in many cases doing so hinders business productivity. Where SoD violations cannot be removed, businesses put controls in place to mitigate the risks. However, these controls are often manual and hastily implemented, which can prevent risks from being reported and results in a time-consuming, tedious process that adds little to no value to the business.

The driver behind requiring SoD, as well as other internal controls for that matter, is to protect the business from fraud, but manual, ineffective controls are not reliable. A compelling way not only to protect but also to engage your business is to expose SoD risk in terms that the business can clearly understand: dollar values.

Measure Your Financial Exposure from SoD

Greenlight and SAP offer a solution that helps quantify the financial impact that SoD violations can have on your business. The SAP Access Violation Management application by Greenlight continuously monitors SAP and non-SAP systems to identify SoD conflicts and expose violations by user, business process, and risk (see Figure 1). You can identify your highest areas of exposure and determine a clear path to course correct. Perhaps most important, you finally have transparency into your financial exposure based on unresolved access violations, which can drive organizational change where the level of exposure may be too great, or uncover areas of internal fraud or loss of revenue due to employee error.

Automate Mitigating Controls with Exception-Based SoD Monitoring

SAP Access Violation Management provides exception-based monitoring, alerting control owners only when an actual violation has occurred, that is, when a user has exercised conflicting access rather than merely been granted it. This approach reduces, and in some cases eliminates, the manual controls that too many companies use to mitigate SoD. It also provides more comprehensive controls coverage by enabling the analysis of business transactions and user activities across business applications, allowing a census-based approach that is more complete than a sample-testing approach and gives management greater confidence in the overall process.
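To make the two preceding sections concrete, here is an added example in Python (not Greenlight’s or SAP’s code, and not part of the original article) that contrasts access-level SoD conflicts, where a user’s roles grant both sides of a rule, with actual violations, where the same user executed both sides on the same business object, and rolls the amounts of those violations up into dollar exposure by risk and by user. The rule IDs, roles, users, the two source systems and the activity feed are constructed for illustration.

```python
"""Added example (not Greenlight's or SAP's code): the difference between an SoD
conflict that exists on paper (a user's roles grant both sides of a rule) and an
actual violation (the same user executed both sides on the same business object),
with the dollar exposure of each actual violation. Rule IDs, roles, users,
systems and the activity feed are constructed for illustration."""

from collections import defaultdict

# Each SoD rule names two conflicting business functions; the second one carries
# the money, so its amounts are what we count as exposure.
SOD_RULES = {
    "P2P-01": ("create_vendor", "pay_vendor"),        # create a vendor, then pay it
    "P2P-02": ("change_bank_details", "pay_vendor"),  # redirect a payment, then release it
}

ROLE_FUNCTIONS = {
    "Z_AP_CLERK": {"create_vendor", "change_bank_details"},
    "Z_AP_PAYMENTS": {"pay_vendor"},
    "Z_PURCHASER": {"create_po"},
}

USER_ROLES = {
    "jsmith": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},  # conflicting access, and uses it
    "mlee": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},    # conflicting access, never exercised
    "rkim": {"Z_PURCHASER"},                    # no conflict
}

# Constructed activity feed correlated across two applications:
# (system, user, function, business object, amount)
ACTIVITY_LOG = [
    ("ERP", "jsmith", "create_vendor", "V1001", 0.0),
    ("BANKPORTAL", "jsmith", "pay_vendor", "V1001", 12500.00),
    ("BANKPORTAL", "jsmith", "pay_vendor", "V1001", 8000.00),
    ("ERP", "mlee", "create_vendor", "V2002", 0.0),
    ("BANKPORTAL", "sjones", "pay_vendor", "V2002", 4300.00),  # a second user paid
    ("ERP", "jsmith", "change_bank_details", "V3003", 0.0),
    ("BANKPORTAL", "mlee", "pay_vendor", "V3003", 900.00),     # a second user paid
]


def user_functions(user):
    """Business functions a user can perform, derived from role assignments."""
    return set().union(*(ROLE_FUNCTIONS[r] for r in USER_ROLES.get(user, ())))


def access_conflicts():
    """Static (access-level) SoD analysis: who *could* violate each rule."""
    conflicts = {}
    for user in USER_ROLES:
        funcs = user_functions(user)
        risks = sorted(rid for rid, (a, b) in SOD_RULES.items() if a in funcs and b in funcs)
        if risks:
            conflicts[user] = risks
    return conflicts


def actual_violations(log):
    """Exception-based analysis: the same user executed both sides of a rule on the
    same business object, whichever systems the two actions happened in.
    Returns (risk, user, object, exposure) tuples; these are the alerts a control
    owner should receive, and nothing else."""
    amounts = defaultdict(lambda: defaultdict(float))  # (user, object) -> function -> total
    for _system, user, func, obj, amount in log:
        amounts[(user, obj)][func] += amount
    violations = []
    for (user, obj), funcs in amounts.items():
        for rid, (a, b) in SOD_RULES.items():
            if a in funcs and b in funcs:
                violations.append((rid, user, obj, funcs[b]))
    return violations


def exposure_report(violations):
    """Roll exposure up by risk and by user: the dollar figures the business reads."""
    by_risk, by_user = defaultdict(float), defaultdict(float)
    for rid, user, _obj, amount in violations:
        by_risk[rid] += amount
        by_user[user] += amount
    return dict(by_risk), dict(by_user)


if __name__ == "__main__":
    print("conflicts by access:", access_conflicts())
    found = actual_violations(ACTIVITY_LOG)
    print("actual violations:", found)
    print("exposure by risk / by user:", exposure_report(found))
```

Two users hold the same conflicting roles, but only one of them ever exercised the conflict, so only one alert goes to a control owner, and the exposure figure is the total that user paid to a vendor he created. Because the feed is keyed on user and business object rather than on system, a vendor created in the ERP and paid through a separate banking application still correlates, which is the cross-application census the text describes; a sample-based review of payments would find this only if the sample happened to include V1001.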

Solutions That Scale

SAP and Greenlight solutions enable your organization to take a true enterprise approach to governing access. With more businesses investing in best-of-breed solutions and making the move to the cloud, Greenlight’s advanced integration platform ensures that you can scale as your business changes and grows. Greenlight’s ability to integrate with and correlate data across multiple business applications, coupled with powerful analytics aimed at business users, delivers enterprise visibility of risk exposure and regulatory compliance from a single platform. Learn more at www.greenlightcorp.com.

FIGURE 1 SAP Access Violation Management by Greenlight allows you to monitor access violations and assign real dollar values to them