
SAP Security and Controls Best Practices for Sarbanes-Oxley

Scott Goolik, Chief Technology Officer, SymSoft Corporation
Jamison Tomasek, Internal Audit Director, Courier Corporation

Professional Solutions for Compliance Automation www.ControlPanelGRC.com


Agenda
About Courier Corporation & SymSoft
Sarbanes-Oxley 2010 Overview
Three Ways to Strengthen Your Controls
  1. Reduce sensitive authorizations
  2. Establish security change controls and documentation
  3. Establish change controls for correction transports

Questions

About SymSoft Corporation


Makers of Governance, Risk and Compliance (GRC) solutions for SAP environments
Sister company to Milwaukee-based Symmetry Corporation
  15 years of technical implementation solutions for the SAP and enterprise security marketplace
  One of the largest dedicated SAP Basis/security consulting organizations in the U.S.
  10 years of software development and marketing experience
  Previous reseller of Virsa (now SAP GRC)
  200 SAP implementations
  90 outsourcing customers
  SAP Certified Hosting Partner

Your Presenters

Scott Goolik, Chief Technology Officer, SymSoft Corporation
  14 years in SAP security and controls, including Big 4 auditing firms
  Lead architect of the ControlPanelGRC solution

Jamison Tomasek, CPA, Internal Audit Director, Courier Corporation
  Five years with Courier Corporation
  Worked as a Sarbanes-Oxley consultant
  Ten years at Progress Software
  Deloitte & Touche LLP

About Courier Corporation


Founded 1824
Headquarters: North Chelmsford, MA
Employees: 1,600
$250 million in sales
6 printing plants & 3 publishing companies, all running SAP
Over 10,000 titles in print, over 700 titles per year
(Slide images, not reproduced: $12M Man Roland press; Dover, REA, Creative Homeowner)


About Courier Corporation


SAP installation
  4 subsidiaries using SAP
  95 SAP users
  Using FI/CO, SD, MM, and WM
  Publishing IT staff of 4 supporting SAP and most other publishing applications
  Basis support is outsourced to Symmetry Corporation


Sarbanes-Oxley 2010 Overview


SEC requirements around reporting of internal control effectiveness, design, and documentation
Management accountability for internal controls
Applies to companies traded on U.S. stock exchanges
  There are others, like those with public debt
  Some other countries have similar requirements (J-SOX)
Requires the CEO and CFO to confirm the design and effectiveness of internal controls, and the auditor to issue an opinion

Sarbanes-Oxley 2010 Overview


SAP has a significant number of built-in controls
  Many are more applicable to larger shops
  Some require a great deal of expertise
Audit firms have significant knowledge of SAP
  This means SAP gets a great deal of scrutiny
  Companies can leverage that knowledge
Smaller companies often struggle
  Segregation of duties
  Need for compensating manual controls
  Lack of expertise


Sarbanes-Oxley 2010 Overview

Excerpt applicable to today's discussion: IT (the excerpt is an image in the original slide; not reproduced)


Sarbanes-Oxley 2010 Overview


Excerpt applicable to today's discussion: Business Process (the excerpt is an image in the original slide; not reproduced)


Sarbanes-Oxley 2010 Overview


Recent changes in Sarbanes-Oxley
  Companies are now able to use a risk-based auditing approach
    Quest to move to automated controls
    Overall reduction in the number of controls
  External audit is also able to use a risk-based approach
    Greater reliance on the client's (internal audit's) work
    Better guidance on auditing client controls


Sarbanes-Oxley 2010 Overview


Controls Review
  Manual: anything that involves a human; can still involve an automated process
  Automated: controls that occur without humans; the best type of control
  Compensating: controls that are relied upon when key controls are not working; prevalent in SMEs in the early stages of compliance
  Preventative and detective
    Preventative controls prevent errors: authorizations, configuration
    Detective controls allow for corrective action: alerts, periodic reporting, system monitoring


Sarbanes-Oxley 2010 Overview


Why Should You Care About SOX Compliance?
  Documentation
    Documented business processes work better
    Provides training materials
    Increases efficiency by identifying the processes required for control objectives
  Improved understanding of business processes
  Better IT integration with the business is good; SOX can be used as a tool by IT
  Segregation of duties is really fraud prevention
  Prepares you for other compliance regulation: PCI, data privacy, customer requirements

Three Ways to Strengthen your Controls


1. Reduce sensitive authorizations
2. Establish security change controls and documentation
3. Establish change controls for correction transports


1. Reduce Sensitive Authorizations


Primary control intended to prevent or decrease the risk of errors or irregularities. Sensitive authorizations are:
  Authorization to sensitive transactions, or authorizations that are not required for the normal job function
  Authorization to sensitive system functions that could impact data confidentiality, integrity, and availability
  Generally, authorizations that permit data modification


1. Reduce Sensitive Authorizations


Remove SAP_ALL from all dialog or service users
  Watch out for generic logons! A shared account with broad access hides who actually used it.
  Check: report RSUSR002 (transaction SUIM, users by complex selection criteria) lists users by profile, e.g. SAP_ALL, and by user type.
Implement emergency procedures for emergency access
  The old envelope containing a password stored in a safe
  SAP GRC Access Control: SuperUser Privilege Management
  ControlPanelGRC Emergency Access Manager
Ensure logons used for background processing are of the System type
  A System-type user cannot log on interactively and is not subject to the password-change rules, so it is the right type for a job user. A job that runs under a person's dialog logon is both an exposure of that person's credentials and a job that breaks when the person leaves or changes roles.
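The two checks on this slide (SAP_ALL or SAP_NEW on dialog or service users, and background jobs whose step user is not a System-type user), as an added example that is not part of the original presentation and not ControlPanelGRC code. It runs over constructed extracts of three SAP tables; the table and column names are SAP's own (USR02.USTYP for user type, UST04 for profile assignments, TBTCO with AUTHCKNAM as the job's step user), while the rows, the emergency-access user list, and the severity labels are assumptions made for the example.

```python
"""Flag sensitive-authorization findings in constructed SAP user extracts.

Added example; not code from the presentation or from ControlPanelGRC.
Table/column names follow the SAP data dictionary; the rows, the
emergency-user list and the severity labels are constructed assumptions.
"""
from collections import defaultdict

# Profiles that grant effectively unrestricted access.
SENSITIVE_PROFILES = {"SAP_ALL", "SAP_NEW"}

# USR02.USTYP codes.  Dialog (A) and Service (S) users can log on
# interactively and are the ones the deck says must not hold SAP_ALL;
# System (B) is the type background jobs should run under.
USER_TYPE_NAMES = {"A": "Dialog", "B": "System", "C": "Communication",
                   "L": "Reference", "S": "Service"}
INTERACTIVE_TYPES = {"A", "S"}

# Users governed by the emergency-access (firecall) process.  Assumption.
EMERGENCY_USERS = {"FF_FIN01"}

# Constructed extracts: (BNAME, USTYP), (BNAME, PROFILE), (JOBNAME, AUTHCKNAM).
USR02 = [("JSMITH", "A"), ("WEBSVC", "S"), ("BATCH_FI", "B"),
         ("RFC_PI", "C"), ("FF_FIN01", "A"), ("MMILLER", "A")]
UST04 = [("JSMITH", "SAP_ALL"), ("JSMITH", "Z_FI_CLERK"),
         ("WEBSVC", "SAP_NEW"), ("BATCH_FI", "SAP_ALL"),
         ("FF_FIN01", "SAP_ALL"), ("MMILLER", "Z_SD_ORDER")]
TBTCO = [("FI_PERIOD_CLOSE", "BATCH_FI"), ("SD_BILLING_NIGHTLY", "JSMITH"),
         ("MM_MRP_RUN", "WEBSVC"), ("PI_INBOUND_POLL", "RFC_PI")]


def user_types(usr02):
    """Map user name -> USTYP code."""
    return dict(usr02)


def sensitive_profile_findings(usr02, ust04):
    """Return sorted (severity, user, detail) for holders of sensitive profiles.

    HIGH   : interactive user outside the emergency-access process
    REVIEW : everyone else (emergency users and system/communication users
             still need an owner, a reason and, for firecall, active logging)
    """
    types = user_types(usr02)
    findings = []
    for user, profile in ust04:
        if profile not in SENSITIVE_PROFILES:
            continue
        ustyp = types.get(user, "?")
        kind = USER_TYPE_NAMES.get(ustyp, "Unknown")
        if user in EMERGENCY_USERS:
            findings.append(("REVIEW", user, f"{profile} on emergency-access "
                             f"{kind} user; confirm firecall logging is active"))
        elif ustyp in INTERACTIVE_TYPES:
            findings.append(("HIGH", user, f"{profile} assigned to {kind} user"))
        else:
            findings.append(("REVIEW", user, f"{profile} assigned to {kind} "
                             "user; replace with the profiles the jobs need"))
    return sorted(findings)


def background_user_findings(usr02, tbtco):
    """Flag background jobs whose step user is not of type System (B)."""
    types = user_types(usr02)
    jobs_by_user = defaultdict(list)
    for job, step_user in tbtco:
        jobs_by_user[step_user].append(job)
    findings = []
    for user, jobs in sorted(jobs_by_user.items()):
        ustyp = types.get(user, "?")
        if ustyp != "B":
            kind = USER_TYPE_NAMES.get(ustyp, "Unknown")
            findings.append(("HIGH", user, f"{kind} user is the step user of "
                             f"background job(s): {', '.join(sorted(jobs))}"))
    return findings


def all_findings():
    """Both checks over the constructed extracts."""
    return (sensitive_profile_findings(USR02, UST04)
            + background_user_findings(USR02, TBTCO))


if __name__ == "__main__":
    for severity, user, detail in all_findings():
        print(f"{severity:6} {user:10} {detail}")
```

Against a real system the three lists would be replaced by table downloads (SE16 or a report such as RSUSR002 exported to a file); the logic stays the same. The REVIEW class exists because a SAP_ALL holder in the emergency process is acceptable only while its sessions are logged and reviewed, which is the point of the firecall slides that follow.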

1. Reduce Sensitive Authorizations


Once you've tackled sensitive authorizations, move on to segregation of duties! Confused?!
Sensitive authorizations, excessive access, and segregation of duties are very complex, but many companies are happy to help via products and services:
  ControlPanelGRC Risk Analyzer
  ControlPanelGRC Emergency Access Manager


1. Reduce Sensitive Authorizations


Courier Control Problem
  Courier's SAP development team needed access to numerous production transactions
    IT needed to support business users due to a shortage of super users
    Some mass updates could only be performed by IT
    Time-pressure situations around order fixes
  Business users needed access to fill a broad range of responsibilities
    Supervisor coverage
    Backup support


1. Reduce Sensitive Authorizations


Our solution: implement a third-party emergency-access application to grant and track sensitive access on a temporary basis
  ControlPanelGRC Emergency Access Manager


1. Reduce Sensitive Authorizations


We created special transactions to grant access to sensitive roles
We gave IT users access to the Firecall roles; this allows IT to run the special transactions for access

1. Reduce Sensitive Authorizations


When an IT user (with the correct role) invokes a special-access transaction, they are prompted to document their purpose
An alert e-mail is sent to IT management and the audit group
The IT user's transactions are logged until they sign off
A completion e-mail is sent to the same groups


1. Reduce Sensitive Authorizations


We maintain a complete history of sensitive authorizations, with documentation
There are multiple reports and dashboards for analysis of usage

Three Ways to Strengthen your Controls


1. Reduce sensitive authorizations
2. Establish security change controls and documentation
3. Establish change controls for correction transports


2. Security Change Controls & Documentation


Ensure that security changes are restricted to the security team in all clients and systems!
  Reduces the risk of unauthorized changes
  Role maintenance restricted to the security team in the development system
  Security team provided display-only access to roles in production

Tip: authorization errors when attempting to assign roles in production with these restrictions? Add the PRGN_CUST entry shown on the slide to change the authority check for role assignments. (The screenshot is not reproduced here; the parameter in question is ASSIGN_ROLE_AUTH, which with the value ASSIGN makes SU01/PFCG check S_USER_AGR activity 22 (assign) instead of activity 02 (change) when a role is assigned, so display-only role access plus assign authority is enough.)

User maintenance tasks are restricted to the security team
Implement segregation-of-duty / excessive-access checks, if possible


2. Security Change Controls & Documentation


Record role definitions
  Text description of the role
  Store definitions in Microsoft Excel or in the Profile Generator (Description tab)
All roles that will be assigned in production need an owner to approve and validate changes
Document security change processes
  Process for receiving and validating requests from role owners
    Request was approved: was it approved by the correct person?
  Transporting changes from development to quality assurance
  Approval from the role owner to send the (tested) change to production

2. Security Change Controls & Documentation


Definition of role testing processes
  Positive and negative testing of critical transactions in each role
  Document testing (if necessary) for audit purposes
  Make testing as easy as possible for the role owner
  Assign permanent test logons to each role to ensure testing can occur at any time
    Include common or display roles provided to all users (if relevant)
    Make the password easy to remember, unless the test environment contains sensitive data

Note: passwords don't expire and can't be changed by the user on Service-type users, which is what makes them suitable as permanent test logons. Those logons are standing accounts carrying business roles, so keep them in the test systems only and include them in the periodic role-assignment review.

2. Security Change Controls & Documentation


Periodic review of role assignments and transactions by role owners
  Verification of current role users, transactions, definitions
  Verification of role changes over the previous period
  Sample role definition reports generated by ControlPanelGRC Access Certification Manager (screenshots in the original slide; not reproduced)


2. Security Change Controls & Documentation


Periodic review of role assignments and transactions by role owners
  Sample role matrix (transactions, organizational levels, users); screenshot in the original slide, not reproduced


2. Security Change Controls & Documentation


Seem like a big process to manage?
  ControlPanelGRC User and Role Manager
  ControlPanelGRC User and Role Change Analyzer
  ControlPanelGRC Security Quality Assurance
  ControlPanelGRC Access Certification Manager


2. Security Change Controls & Documentation


Courier's approach so far:
  Clearly defined role create/change approval process
    Audit trail by e-mail chain
    Planned: defined process flow through a third-party application (ControlPanelGRC User & Role Manager)
  Automated workflow for user role assignment
    Pre-defined business approvers who can review transactions and related users
    Documented approvals
    Automated role assignment within 15 minutes of final approval


2. Security Change Controls & Documentation


Sample spreadsheet for role change testing (4 company versions): new transactions are all tested, other T-codes are tested at random, and the test sheet highlights only issues. (Screenshot in the original slide; not reproduced.)


Three Ways to Strengthen your Controls


1. Reduce sensitive authorizations
2. Establish security change controls and documentation
3. Establish change controls for correction transports


3. Correction Transport Change Controls


Courier Control Problem A
  Courier internal audit needed excellent record-keeping around all transports for control testing purposes
    Started with e-mail scavenger hunts
    Moved to a better intranet-based (but still e-mail) solution
  Still issues around this solution
  Needed a more automated approach


3. Correction Transport Change Controls


Courier Control Problem B
  Courier's in-house Basis administrators needed access to both development and production to do transports
  Problem seemed unsolvable
  Required compensating controls
  Outsourced Basis administration did not solve the problem
  Was an ongoing annual (and ultimately the last) deficiency in Sarbanes-Oxley testing
    Management concern
    Audit Committee concern


3. Correction Transport Change Controls


Change management is always a big challenge in SAP environments
  Untested changes are a risk to the business
  The sequence of transports causes issues during migration (an older transport imported after a newer one overwrites the newer versions of the objects it contains)
  Auditors are asking for more and more documentation
  The Basis team is unnecessarily involved in the clerical task of importing changes and validating approvals
A change review board concept can be used to ensure all business owners are aware of pending changes
Workflow (SAP-based or non-SAP) can help route requests around for approval

3. Correction Transport Change Controls


Seem like a big process to manage?
ControlPanelGRC Transport Manager


3. Correction Transport Change Controls


Courier's challenges around change control management:
  Ensuring and documenting approvals for management & audit
    E-mail responses strung together and saved as PDFs
  Engaging business users for testing and approvals
    Begging, cajoling, nagging, reminding, candy
  Basis staff availability to execute transports
  Visibility of error reports
  Documentation of work done, issues, related work
    Great notes, but can't be found 2 weeks later
  Sequencing of multiple transports
  Tracking transports done by consultants



3. Correction Transport Change Controls


Our main workflow for transports within ControlPanelGRC Transport Manager (screenshot in the original slide; not reproduced)


Sample Workflow for Managing Change Transports

(Swimlane diagram in the original slide, reconstructed as text. Columns across the top are the systems a change moves through: the ControlPanelGRC app., the DEV gold client (copied to the DEV test client with SCC1), QAS client 100, and Production. Icons in the diagram mark where transport(s) move and where an e-mail notification is sent from Control Panel.)

Phases:
  10 Initial Request
  20 Document & Approve
  25 QAS Migration
  27 IT Validation
  30 User Val. & Approve
  37 Final IT Prep
  40 PM Approval
  50 Prod Approval
  55 Prod Migration
  57 Prod Validation
  90 Task Complete

Swimlanes and their tasks, in order:
  IT Sr. Mgmt: review & forward or reject
  IT Project Mgr: review & forward or reject
  Business Users: user(s) test changes; lead user documents testing & forwards or rejects
  IT developer: release transport; document description, problem, testing & forward; test changes, prepare test data; document tests, choose testers & forward; document release requirements & forward; finish implementation tasks; validate changes & save
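The control behind the workflow above, as an added example that is not part of the original presentation and is not ControlPanelGRC Transport Manager code: a small Python workflow engine that refuses a step completed by the wrong swimlane, refuses a step without documentation, refuses a production approval by the request's own developer, and refuses a production import that would put transports into production in a different order than they reached QAS. The step numbers and names are the deck's; the role-to-step mapping, the user and role names, the transport numbers DEVK9001xx, and the separation-of-duties rule at step 50 are assumptions made for the example.

```python
"""Approval-sequence enforcement for a transport change workflow.

Added example; not code from the presentation or from ControlPanelGRC.
Step numbers/names are the deck's sample workflow; the role mapping, the
own-change approval ban and the QAS/PRD order check are assumptions.
"""
from dataclasses import dataclass, field

STEPS = [10, 20, 25, 27, 30, 37, 40, 50, 55, 57, 90]
STEP_NAMES = {10: "Initial Request", 20: "Document & Approve", 25: "QAS Migration",
              27: "IT Validation", 30: "User Val. & Approve", 37: "Final IT Prep",
              40: "PM Approval", 50: "Prod Approval", 55: "Prod Migration",
              57: "Prod Validation", 90: "Task Complete"}
# Swimlane that owns each step (assumption based on the deck's diagram).
STEP_ROLE = {10: "developer", 20: "developer", 25: "system", 27: "developer",
             30: "business", 37: "developer", 40: "project_manager",
             50: "it_senior_mgmt", 55: "system", 57: "developer", 90: "system"}


class WorkflowError(Exception):
    """A transition the control refuses."""


@dataclass
class ChangeRequest:
    transport: str          # transport request number (constructed, DEVK9001xx)
    developer: str          # who raised step 10
    step: int = 10
    history: list = field(default_factory=list)   # (step, actor, note)


class TransportWorkflow:
    def __init__(self, users):
        self.users = {u: set(r) for u, r in users.items()}   # user -> roles
        self.qas_order = []   # transports in the order they were imported to QAS
        self.prd_order = []   # transports in the order they were imported to PRD

    def advance(self, cr, actor, note):
        """Complete cr.step as `actor`, recording `note` as its documentation."""
        step = cr.step
        if step == 90:
            raise WorkflowError(f"{cr.transport}: already complete")
        if STEP_ROLE[step] not in self.users.get(actor, set()):
            raise WorkflowError(f"{cr.transport} step {step} ({STEP_NAMES[step]}): "
                                f"{actor} lacks role {STEP_ROLE[step]}")
        if not note.strip():
            raise WorkflowError(f"{cr.transport} step {step}: documentation required")
        if step == 50 and actor == cr.developer:       # separation of duties
            raise WorkflowError(f"{cr.transport}: developer {actor} cannot approve "
                                "own change for production")
        if step == 25:
            self.qas_order.append(cr.transport)
        if step == 55:
            self._check_sequence(cr.transport)
            self.prd_order.append(cr.transport)
        cr.history.append((step, actor, note))
        cr.step = STEPS[STEPS.index(step) + 1]
        return cr.step

    def _check_sequence(self, transport):
        """Production imports must follow QAS import order; never go backwards."""
        if transport not in self.qas_order:
            raise WorkflowError(f"{transport}: never imported to QAS")
        if self.prd_order:
            last = self.prd_order[-1]
            if self.qas_order.index(transport) < self.qas_order.index(last):
                raise WorkflowError(f"{transport}: reached QAS before {last}, which is "
                                    "already in production; importing it now would "
                                    "overwrite newer object versions")


def run_sample():
    """Drive three constructed requests through the workflow; return outcomes."""
    wf = TransportWorkflow({"dev1": {"developer"}, "dev2": {"developer"},
                            "batch_tms": {"system"}, "lead_user": {"business"},
                            "pm": {"project_manager"},
                            "cio": {"it_senior_mgmt", "developer"}})
    default_actor = {"system": "batch_tms", "business": "lead_user",
                     "project_manager": "pm", "it_senior_mgmt": "cio"}

    def drive(cr, upto):          # developer steps are done by the request's developer
        while cr.step != upto:
            actor = default_actor.get(STEP_ROLE[cr.step], cr.developer)
            wf.advance(cr, actor, f"{STEP_NAMES[cr.step]} recorded")

    t1 = ChangeRequest("DEVK900101", "dev1")
    t2 = ChangeRequest("DEVK900102", "dev2")
    t3 = ChangeRequest("DEVK900103", "cio")   # a manager developing their own change
    for cr in (t1, t2, t3):
        drive(cr, 50)                          # all three reach Prod Approval
    rejected = []
    for attempt in (lambda: wf.advance(t2, "lead_user", "looks fine"),  # wrong swimlane
                    lambda: drive(t3, 90),                               # approves own change
                    lambda: drive(t2, 90),                               # goes through
                    lambda: drive(t1, 90)):                              # out of sequence
        try:
            attempt()
        except WorkflowError as err:
            rejected.append(str(err))
    return {"steps": {cr.transport: cr.step for cr in (t1, t2, t3)},
            "qas_order": wf.qas_order, "prd_order": wf.prd_order,
            "rejected": rejected}


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

The sequencing rule is deliberately simple: production imports must be a subsequence of the QAS import order, which catches the case the deck warns about (an older transport landing on top of a newer one). A real implementation would key the check on the objects each transport contains rather than on the whole transport, but the shape of the control, and the fact that it is enforced by the system rather than remembered by the Basis administrator, is the same.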

3. Correction Transport Change Controls


Transports done within workflows:
  Transports from DEV to QA to PRO are done by scheduled batch jobs; Basis staff are no longer involved in standard transports
    Predictable & controllable transport times
    Basis staff freed up for other tasks
  Transport errors are highlighted with error codes, too
  The batch job's user is now the account that imports into production, so it should be a System-type user and part of the sensitive-authorization review from section 1

3. Correction Transport Change Controls


Every change request has full documentation (screenshot in the original slide; not reproduced)


3. Correction Transport Change Controls

Documentation, continued
  All changes, all approvals, all issues: all in one place


3. Correction Transport Change Controls


Unexpected benefits!
  The IT staff have more time because their work is more organized
  The business users have been very willing to join the workflow, because it's easier than writing up e-mail approvals
  The Basis team has more time, as they no longer have to move transports or create and maintain users and their roles
  And of course, the auditors are happy.


Key Learnings
Smaller companies subject to SEC requirements, and other regulated enterprises, face special challenges in addressing audit and compliance concerns; however, these challenges can be met and conquered. Creativity and newly available solutions can reduce the cost and complexity of compliance. Preparing for audits can be made more efficient and less intrusive, all while yielding more complete results.

For ControlPanelGRC case studies, articles, and archived webinars please visit www.controlpanelgrc.com

Thank You!
