Dec 18, 2015
ISC framework in the ERP environment
- Entity level controls
- Automated application controls
- Manual and semi-automated business process controls
- Authorizations and access protection (confidentiality, integrity)
- IT General controls (change management, operation, security)
- Automated testing and monitoring of business processes, KPIs, etc.
[Diagram (flattened in extraction): Errors & Fraud; Risks (arise through Business Processes; contained / minimized by controls, with the control bullets left blank on the worksheet); Business Processes; Balance Sheet, P & L, Notes (Assertions must be observed / achieved in them); External Financial Reporting regulations, Other Regulations (FDA etc.), Organization's Objectives & Policies, Performance & Policies; Value / Benefits.]
Procurement at GBI
[Diagram: Customers, Suppliers, Marketing / Sales, Supply Chain, Finance / HR, Payment]
Procure to Pay Process
• Common Risks
– – – – – – –
• Common Controls
– – – – – – –
Order to Cash at GBI
[Diagram: Customers, Suppliers, Marketing / Sales, Supply Chain, Finance / HR]
Order to Cash Process
• Common Risks
– – – – – – –
• Common Controls
– – – – – – –
Environment Favorable to Fraud
Framework for spotting high-risk situations
[Diagram: Fraud Triangle, with Fraud at the center and the three corner labels left blank on the worksheet]
• _________________________ (____________________ _________)
_____________________ _____________________
• ________________________ (____________________ _________)
_____________________ _____________________ _____________________ _____________________
• ______________________ (____________________ _________)
_____________________ _____________________
Inventory: Record Accuracy
• Does ______________ match __________________?
Check:
– _______________
– _______________
– _______________
Physical Counting
Cycle Counting
Typical SAP Landscape
Development System
Type of Users:---
Type of Work:---
Quality-Assurance System
Type of Users:---
Type of Work:---
Production System
Type of Users:---
Type of Work:---
Client Dependent vs. Independent
Dev 100: Master (Gold)
- ________ Data
- ________ Data
- ________ Data
Dev 110: Dev Test
- …
- …
- …
Dev 180: Data Conversion
- …
- …
- …
Dev 900: Sandbox
- …
- …
- …
Client Independent: _____________ > Repository Objects (Client Independent Config _____________ - _____________, _____________ _____________ - _____________ _____________ > _____________
Client Dependent: System/Instance
SAP Change Management
• SAP Transports are: ____________________________________________
They contain: _________________________________________________
SAP Change Management Recommendations
• Risk: _____________________________________________
Control: _____________________________________________
• Risk: _____________________________________________
Control: _____________________________________________
• Risk: _____________________________________________
Control: _____________________________________________
• Risk: _____________________________________________
Control: _____________________________________________
System (Server) / Client Parameters
• Risk: _____________________________________________
Control: _____________________________________________
• Risk: _____________________________________________
Control: _____________________________________________
• Risk: _____________________________________________
Control: _____________________________________________
• Risk: _____________________________________________
Control: _____________________________________________
• Risk: _____________________________________________
Control: _____________________________________________
Table Security
Tables are an integral part of the SAP application. Different types of tables:
_________________ _________________ _________________ _________________
SAP is customized using thousands of ____________ tables through the _________________ (SPRO)
Table and Information Security
• Risk: _____________________________________________
Control: _____________________________________________
• Risk: _____________________________________________
Control: _____________________________________________
• Risk: _____________________________________________
Control: _____________________________________________
• Risk: _____________________________________________
Control: _____________________________________________
• Risk: _____________________________________________
Control: _____________________________________________
Program & Development Security
• Good Development Practices
– _________________________________________
– _________________________________________
– _________________________________________
– _________________________________________
• Control Concerns: Development, Data Dictionary
– _________________________________________
– _________________________________________
– _________________________________________
– _________________________________________
Powerful IDs and Profiles
• List a few SAP-supplied powerful IDs and profiles that need to be 'caged':
– _________________________________________
– _________________________________________
– _________________________________________
• Risks and Control Recommendations for Powerful ID’s / Profiles
– Risk: _____________________________________________
Control: _____________________________________________
– Risk: _____________________________________________
Control: _____________________________________________
– Risk: _____________________________________________
Control: _____________________________________________
Firefighter / Emergency User
• Valid Scenarios, Situations for Firefighter Use
– _________________________________________
– _________________________________________
– _________________________________________
– _________________________________________
• Key differences of Firefighter vs. Regular ECC access:
– Audit of reason and transactions used
– Emergency vs. routine use
• Firefighter Best Practices
– _________________________________________
– _________________________________________
– _________________________________________
– _________________________________________
GRC & Other SAP Module Security
• GRC (G___________, R____, & C__________________) Module
• Beyond ERP / ECC and GRC: What is another SAP module
– What is another SAP module: _________________________________________
– What does the module do: _______________________________________
______________________________________________________________
– How is Security Administered: ____________________________________
______________________________________________________________
GRC v 10.0 Module Function / Reason for Being
Segregation of Duties
Goal: __________________
Definition
'__________________________________'
The person who ______________ should not be the person who ______________.
An individual should only have one of the following responsibilities / privileges:
A_____________ R_____________ C_____________
Finance
• Common Risks
– – – – –
• Common Controls
– – – – –
Inventory Control
• Common Risks
– – – – –
• Common Controls
– – – – –