
Company ABC

SAP GRC & Authorisation


Implementation and Support

January 2018

May 2016
Contents
1. Executive Summary

2. Approach And Methodology

• Stage 1 (Get Visibility): Deploy Deloitte SoD Analysis Dashboard

• Stage 2 (Review Controls & Get Clean): Review Current Ruleset & Develop SAP Compliant Roles

• Stage 3 (Stay in Control): Deploy Continuous Compliance User Access Management Processes

3. Project Timeline

4. Project Deliverables

5. Our Experienced Team & Detailed Resume

6. Standard Business Terms

@2018 Deloitte Enterprise Risk Services Pte Ltd. All rights reserved. 2
Executive Summary

Deloitte & Touche Enterprise Risk Services Pte Ltd


(“Deloitte”) is pleased to present this proposal to provide Access
Control Framework and Compliance Tools services to Company
ABC.

Our value propositions to Company ABC are as follows:


• Introduction of the extensive Deloitte SAP Access Control library (Deloitte SAP GRC
Access Control Best Practice), which identifies SoD and Sensitive/Critical Access
risks and applies standardised governance, risk and compliance processes to address
these risks and issues

• Extensive experience in performing role design and controls review, delivered by
professionals who have years of experience in handling SAP authorizations and
security.

• Deep technical skills to enable compliance of SAP security roles in the SAP core
system through a sophisticated role implementation methodology and approach.

• Among SAP vendors in South East Asia (SEA), Deloitte has successfully delivered many
large projects with strong credentials in governance, risk and compliance, especially
in role compliance and segregation of duties assessment and remediation services.

Our Understanding of your Requirements
We have carefully reviewed your requirements and we are confident that we will be able to fulfil them with our strong
expertise and experienced core team.

Background & Context

Company ABC is seeking assistance with the assessment of its role design for Segregation of Duties (SoD)
gaps, and with ensuring compliance of the SAP security roles in the SAP core ERP system. The purpose is to
improve the security role compliance status and facilitate the effective implementation of the Access
Control Governance Framework within the organisation using SAP GRC 10.

Scope of Work

Stage 1: Quick Wins – Deploy Deloitte SoD Analysis Dashboard


1.1 Development & implementation of Deloitte SoD Analysis Dashboard

Stage 2: Review Current Ruleset & Develop SAP Compliant Roles


2.1 Deloitte independent review of Company ABC SoD & CA ruleset
2.2 Deploy SAP Access Risk Analysis via SAP GRC
2.3 Perform user and role level access risk analysis
2.4 Ensure compliant roles to remediate / mitigate user SoD
2.5 Create/update authorization matrix and rollout to all users
Stage 3: Deploy Continuous Compliance User Access Management Processes
3.1 Refreshing/updating current Company ABC SAP Security document
3.2 GRC AC features enablement (Emergency Access Management/Firefighter IDs, User Access Review, User Access Management, Access
Risk Analysis)
3.3 Integration with ServiceNow
Stage 1 (Get Visibility):
Deploy Deloitte SoD Analysis
Dashboard

Deloitte SoD Analysis Dashboard
As a value-added service, we will provide Company ABC with our latest dashboards, designed for
executive management. These dashboards give management insight into the compliance status for
business planning and decision making.

Deloitte SoD Analysis Dashboard
Steps to success:

1. Identify visualisation tool
• Power BI, QlikSense, Tableau, etc.

2. Identify input files
• Can data be live?
• What data extract is required?
• How to extract it?

3. Implement dashboard
• Deloitte will manage the whole process
• Implement dashboard template
• Customisation according to Company ABC requirements

Reporting development to Company ABC management

Deloitte SoD Analysis Dashboard
Sample Walkthrough

Executive Summary

• Showcases critical statistics
• Makes it easy for management to identify which area to focus on
• Provides insights for business planning and decision making to clean up the access risks

Deloitte SoD Analysis Dashboard
Sample Walkthrough

Risk Response

• Overview of Company ABC’s response to the SoD risks identified
• Summarises the amount of work that needs to be done

Deloitte SoD Analysis Dashboard
Sample Walkthrough

Root Cause Analysis

• Overview of the root cause analysis performed on the SoD report
• Summarises what is causing these SoDs and where they are coming from

Deloitte SoD Analysis Dashboard
Sample Walkthrough

Remediation Strategy Planning

• Overview of the remediation plan undertaken by IT
• The whole screen can be customised as per the plan

Deloitte SoD Analysis Dashboard
Sample Walkthrough

User Action Analysis

• A detailed analysis of how many users are actually executing the t-codes that violate SoD rules
• Easy to identify which departments need function segregation, etc.

Stage 2
(Review Controls & Get Clean):
Review Current Ruleset & Develop
SAP Compliant Roles

Company ABC Access Control Ruleset Review

Ruleset Review Methodology

• A detailed analysis of the existing Company ABC Access Control Ruleset

• Business alignment workshop through Deloitte’s Greenhouse approach with the company’s
business process owners to identify business modules.

• Ensure existing SoD risks are up-to-date, e.g. custom t-codes are updated in the ruleset.

• Ensure new SoD risks are updated into the ruleset.

Company ABC Access Control Ruleset Review
Example of finalized ruleset

Segregation of Duties (SoD) assessment
Key factors in remediating SoD violations & ensuring SoD compliant roles
A successful implementation of SAP compliant roles requires key guiding principles to be adhered to during development:

• Remediated risks should address audit requirements
• Embed SoD controls
• Embed critical access controls
• Acceptable excessive access (< 10%)
• Roles are designed based on business processes and organisational positions
• Roles are tied to a position’s job scope
• Roles are assigned to end users according to the user’s position and business job scope
• Compliance is verified by negative testing

Segregation of Duties (SoD) assessment
Identify root cause analysis and remediation plan
Identify Risk & Analyse Root Cause → Plan Remediation & Mitigation

Inputs to the Deloitte Access Risk Assessment:
• Business Process: what the user is supposed to do
• SAP User Action Log: what the user is doing
• SAP Authorization Setting: what the user can do
• Company ABC AC Ruleset (SoD Rules, Sensitive / Critical Access): what the user should not do

Risks identified:
• Excessive access
• SoD risk
• Sensitive / critical access

Remediation & mitigation actions:
• Fix role design defect
• Adjust role assignment
• Enhance system configuration control
• Set up mitigation control

Output: User/Role Remediation & Mitigation Plan

Segregation of Duties (SoD) assessment
Typical Compliant Role deployment actions

Various information will be taken into consideration. Key information such as the “SAP user action log” will be integrated with the
root cause analysis. Once the access risks and control gaps are identified, Deloitte will recommend the required remediation actions.

Common root causes:

• Excessive access
• Inherited risk from business process
• Lack of resources in the organisation
• SAP configuration control gap

Outcome of the remediation plan (common remediation & mitigation plan):

• Adjust user role assignment
• Fix role design defect
• Reduce excessive access
• Define mitigation control
• Improve business process or organisation structure

Segregation of Duties (SoD) assessment
Risk response approach
Various information will be taken into consideration. Key information will be integrated with the root cause analysis; the flow below
shows how we perform the risk remediation / mitigation to address user access risks.

Risk Identified → Risk Response

SoD risk (inherited risk from business process):
• Remediation
• Mitigation

Critical Access (CA) risk:
• Review

Remediation – Technical Side
• Fix single role design defect
• Fix composite role design defect
• Adjust user to role assignment
• Enhance system configuration control

Remediation – Business Side
• Communication with business users
• Re-training
• Adjust user to role assignment

Mitigation
• Design mitigating control
• Apply mitigating control at role level
• Apply mitigating control at user level

Protection (CA)
• Review user access
• Restrict to authorised users
Segregation of Duties (SoD) assessment
Business Workshops
Deloitte will participate in and help conduct business alignment sessions to address business and IT rationalisation together, with the
support of the Company ABC functional and IT teams. This ensures a clear message that the remediation and mitigation recommendations
are applicable and accepted by the business.

Accepted changes on business processes or roles & responsibilities → Business remediation actions and required mitigation controls

Accepted changes on SAP roles & user access → SAP role remediation actions and required mitigation controls

Segregation of Duties (SoD) assessment
Sample of Risk Response Approach

Stage 1 – Access Risk Analysis (ARA)
• Outcome: generate Risk Analysis Report for SAP users

Stage 2 – Analyse ARA Report
• Scenario 1: SoD due to conflicting roles → determine function split; if a role is excessive, recommend removing it from the user
• Scenario 2: SoD due to a risky role assigned to the user → determine role split to ensure SoD compliant roles
• Scenario 3: no SoD
• Solution: compile and communicate any access lost from role reassignment and any new t-codes introduced

Stage 3 – Workshops
• Workshop with IT/Business to discuss Deloitte’s recommendation (remediate / mitigate)
• Outcome: role matrix for user role build and assignment

Stage 3 (Stay in Control):
Deploy Continuous
Compliance User Access
Management Processes

Continuous Compliance User Access Management Processes
Keys to continuous compliance
Enhance Existing Governance

• Who is the ruleset owner?
• Frequency of periodic SoD checks?
• How will the ruleset get updated?

Deloitte will provide support on Security Approach Documents

• Refresh and update existing Company ABC security documents (role mapping process, security user guide, etc.)
• Advise on best practice for governance

Continuous Compliance User Access Management Processes
Security Approach Document
Security processes, authorization concept, role template and ruleset will be documented in
a Security Approach document.
• It is important to document the security approach in Company ABC
• This document will describe processes such as User Access Provisioning, User Access Review,
Role Management, Emergency Access Management (EAM), Change Management, etc.

Continuous Compliance User Access Management Processes
Example of Recommended Processes
User access request management process and function features

1. Self-service access request (end user)
• Scenario based request template
• New / Change / Terminate account
• Dynamic guide for end user role selection
• Online end user guide

2. Access risk analysis
• Reject high risk request
• Highlight mid / low risk for approver
• Suggest mitigation control to approver

3. Online management approval (managers)
• Fully / partially approve
• Approve with mitigation control
• Online approver guide
• End-to-end audit trail

Provisioning to SAP systems (ERP, BI, EP…) and to non-SAP systems

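The analysis steps described in the Stage 1 User Action Analysis slide, the Stage 2 root cause scenarios (Scenario 1: conflicting roles, Scenario 2: a risky role) and the Stage 3 access request risk check, as one added worked example in Python. This is not Deloitte’s or SAP GRC’s code: the ruleset, roles, users and action log are constructed, the t-code and function names are placeholders, and a real GRC Access Control ruleset also evaluates authorization objects (permission level), not only transaction codes.

```python
"""Constructed SoD analysis engine: role/user-level risk analysis with root cause,
user action analysis, and an access-request risk check. All sample data is made up."""
from collections import defaultdict

# Constructed ruleset: business function -> t-codes that enable it (placeholders).
FUNCTIONS = {
    "PR01_CREATE_PO": {"ME21N", "ME22N"},
    "PR02_RELEASE_PO": {"ME29N"},
    "AP01_MAINTAIN_VENDOR": {"XK01", "XK02"},
    "AP02_POST_INVOICE": {"FB60", "MIRO"},
}
# Risk id -> (function A, function B, risk level). Holding both functions is a violation.
SOD_RISKS = {
    "P001": ("PR01_CREATE_PO", "PR02_RELEASE_PO", "High"),
    "P002": ("AP01_MAINTAIN_VENDOR", "AP02_POST_INVOICE", "High"),
    "P003": ("PR01_CREATE_PO", "AP02_POST_INVOICE", "Medium"),
}
# Constructed single roles (role -> t-codes) and user-to-role assignments.
ROLES = {
    "Z_PUR_BUYER": {"ME21N", "ME22N", "ME23N"},
    "Z_PUR_RELEASE": {"ME29N"},
    "Z_AP_CLERK": {"FB60", "MIRO", "XK01"},  # conflict built into one role
    "Z_AP_INVOICE": {"FB60", "MIRO"},
    "Z_PUR_DISPLAY": {"ME23N"},
}
USER_ROLES = {
    "ALICE": {"Z_PUR_BUYER", "Z_PUR_RELEASE"},
    "BOB": {"Z_AP_CLERK"},
    "CAROL": {"Z_PUR_BUYER"},
}
# Constructed user action log: (user, t-code executed), as a usage statistics extract.
USAGE_LOG = [("ALICE", "ME21N"), ("ALICE", "ME29N"), ("BOB", "MIRO"), ("CAROL", "ME21N")]


def functions_of(tcodes):
    """Business functions enabled by a set of t-codes."""
    return {f for f, codes in FUNCTIONS.items() if codes & tcodes}


def analyse_roles(roles):
    """Risks carried by a set of roles, with root cause: which roles supply each side.
    scenario 2 = one role carries both sides (role design defect: fix the role);
    scenario 1 = the conflict only arises from the combination (adjust assignment)."""
    provider = defaultdict(set)  # function -> roles in this set that grant it
    for role in roles:
        for f in functions_of(ROLES[role]):
            provider[f].add(role)
    findings = {}
    for risk, (a, b, level) in SOD_RISKS.items():
        if a in provider and b in provider:
            findings[risk] = {
                "level": level,
                "scenario": 2 if provider[a] & provider[b] else 1,
                "roles": {a: sorted(provider[a]), b: sorted(provider[b])},
            }
    return findings


def role_level_risks(role):
    """Role-level gap analysis: risks a single role carries on its own."""
    return sorted(analyse_roles({role}))


def user_level_risks(user):
    """User-level gap analysis across all roles assigned to the user."""
    return analyse_roles(USER_ROLES.get(user, set()))


def exercised(user, risk):
    """User action analysis: did the user execute t-codes on both sides of the risk?"""
    a, b, _ = SOD_RISKS[risk]
    used = {t for u, t in USAGE_LOG if u == user}
    return bool(used & FUNCTIONS[a]) and bool(used & FUNCTIONS[b])


def preview_request(user, requested_roles):
    """Access request risk check: (decision, new risks) if the roles were added."""
    current = USER_ROLES.get(user, set())
    before = analyse_roles(current)
    new = {r: v for r, v in analyse_roles(current | set(requested_roles)).items()
           if r not in before}
    if any(v["level"] == "High" for v in new.values()):
        decision = "reject"  # high risk: reject the request outright
    elif new:
        decision = "approve_with_mitigation"  # mid/low risk: approver assigns a control
    else:
        decision = "approve"
    return decision, sorted(new)


if __name__ == "__main__":
    for user in USER_ROLES:
        for risk, f in user_level_risks(user).items():
            print(user, risk, f["level"], "scenario", f["scenario"], f["roles"],
                  "exercised" if exercised(user, risk) else "not exercised")
    print("CAROL + Z_PUR_RELEASE ->", preview_request("CAROL", ["Z_PUR_RELEASE"]))
```

Running the block reports ALICE’s P001 as a Scenario 1 conflict (two separate roles, and she has actually executed both sides, so it ranks ahead of a never-exercised violation) and BOB’s P002 as a Scenario 2 defect inside Z_AP_CLERK, which no reassignment can fix without splitting the role. The request preview reuses the same engine so the approver sees only the risks the request would introduce, not the ones the user already carries.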
Continuous Compliance User Access Management Processes
Example of Recommended Processes
User access review process and function features

1. User access review self-service (users)
• Self-review of role assignment with t-code usage information
• Keep required roles
• Reject unnecessary roles
• Online manager guide

2. Manager review and confirm (managers)
• Review user – role assignment with t-code usage information
• Keep required roles
• Reject unnecessary roles
• Online manager guide

3. IT security admin review
• Review the decisions from managers
• Adjust if needed

4. Remove unnecessary roles in SAP systems (ERP, BW, EP…) and in non-SAP systems (E-Expense, …)

Continuous Compliance User Access Management Processes
Example of Recommended Processes
Emergency Access Management process and function features

1. Firefighter: request Firefighter access
2. Firefighter owner: approve / reject the request
3. Firefighter: use Firefighter access (logon, complete the Firefighter session, logoff)
4. IT security: generate the Firefighter (FF) action log
5. Security: review the FF action log, then close the case or escalate for further investigation

Continuous Compliance User Access Management Processes
Example of Recommended Processes
Business Role Management process and function features

Role Designer → Role Designer → Risk Analysis → Role Approver → Role Generation / Role Testing
• Request new role creation and define new roles
• Develop and derive roles
• Check against the role baseline matrix
• Approve role creation

Role Maintenance consists of the following procedures:

• Defining roles – create and maintain attributes for various role types. The role types are categorised as either
technical roles or business roles.
• Maintaining authorizations – technical concept
• Completing single roles – technical concept
• Deriving roles (if needed, completed in the backend system through a Deloitte enhancement)
• Analysing access risks and checking against the role baseline matrix – identify access risks from the
authorizations assigned to the role, and also analyse the impact on other roles
• Approving roles – approve the role maintenance request based on the information collected in prior stages
• Generating roles – technical concept
• Maintaining test cases – document test results for any testing done for the role

Continuous Compliance User Access Management Processes
Example of Security Approach Document

Continuous Compliance User Access Management Processes
Keys to continuous compliance

GRC AC features enablement & Integration with ServiceNow

Project Timeline
Detailed Project Timeline

Detailed Timeline
January 2019 to July 2019 (Month 1 to Month 7)

Stage 1: Deploy Dashboard
• Dashboard conceptual workshop
• Dashboard design & implementation

Stage 2: Risk Assessment
• Ruleset alignment workshop
• Update Access Control ruleset
• SoD Root Cause Analysis
• Business Remediation Workshop
• Compliant Roles Redesign (Release 1, Release 2)
• User Authorization Matrix

Stage 3: Continuous Compliance
• Security Approach Document
• GRC AC Tools Enablement & Integration with ServiceNow
• Business Roles Design
Project Deliverables

Project Deliverables
Key Deliverables – Stage 1 - (Get Visibility): Quick Wins – Dashboard & Ruleset Review

1. Preparation
― Project charter & team structure
― Project detailed scope and plan
― Kickoff

2. Development & implementation of Deloitte Access Control Management Dashboard


― Dashboard conceptual workshops
― Dashboard input files
― Deloitte Access Control Management Dashboard implementation

3. Deloitte independent review of Company ABC SoD & CA ruleset


― Ruleset alignment workshops with business processes owners from:
― Finance
― Procurement
― Warehouse management
― Production
― Sales
― HR and others
― Company ABC access control ruleset

Project Deliverables
Key Deliverables – Stage 2 - (Review Controls & Get Clean): Segregation of Duties (SoD) assessment

1. Deloitte independent review of Company ABC SoD & CA ruleset


― Ruleset alignment workshops with business processes owners from:
― Finance
― Procurement
― Warehouse management
― Production
― Sales
― HR and others
― Company ABC access control ruleset

2. SoD Analysis Report


― GRC SoD report based on new ruleset
― Root cause analysis
― Role level gap analysis
― User level gap analysis

3. SoD alignment workshops with business


― SOD alignment workshops with business processes owners from:
― Finance
― Procurement
― Warehouse management
― Production
― Sales
― HR and others
Project Deliverables
Key Deliverables – Stage 2 - (Review Controls & Get Clean): Segregation of Duties (SoD) assessment

4. Remediation & Mitigation


― Remediation & mitigation plan documentation
― Final Authorization matrix design
― Compliant roles build file
― Handover workshop with IT

Project Deliverables
Key Deliverables – Stage 3 - (Stay in Control): Continuous Compliance Operation Processes

1. Company ABC user access management operation processes


― Access Risk Analysis
― Access Request Management
― Business Role Management
― Emergency Access Management
― User Access Review

2. Integration with ServiceNow


― Requirements for integration
― Technical build file for integration
― Incorporation of all processes from ServiceNow with SAP GRC AC

3. Business Roles Design


― Develop compliant roles
― Position Standardization
― Compliant role design approach
― Compliant role assignment

Our experienced team

Providing you a trusted Team

Steering Committee: Company ABC – Project Sponsor; Deloitte – Engagement Partner (Tang Ke)
Key roles:
• Make key decisions, sign-off on major deliverables and act on recommendations
• Identify and assign appropriate resources to the project
• Provide overall ownership and management of the project team

Project Advisor: Steve Junsay
Deloitte Project Manager: Tang Ke
Company ABC Project Management: Business Internal Control Process Owner
Key roles:
• Lead end-to-end delivery of the engagement and its associated deliverables to quality, time and budget, and manage on-going communications
• Ensure objectives are met within the timing and scope outlined by the engagement contract
• Manage day-to-day activities and coordinate specialist inputs

GRC Solution & Access Control Lead: Allen Wong
Key roles:
• Conduct workshops and advise on best practice controls
• Perform analysis
• Design compliant roles
• Perform remediation and provide mitigation recommendations
• Provide support on the authorization matrix

Back Office Support: SAP Access Control Consultant, SAP Access Control Consultant, SAP ERP functional consultant
Company ABC: IT Functional Team, IT Security Team

The resumes of the key engagement team members are set out in the following pages.
Detailed Resume (1/5)

Tank Tang – Partner, Risk Advisory

Profile summary
Tank is a Director and SAP GRC Lead with the Risk Consulting Services practice of Deloitte. He is responsible for SAP GRC
engagements, including SAP GRC deployment, Security & Authorization Management and Process Control implementation for SOX
compliance, with extensive full project lifecycle experience in several global and regional organizations.

Prior to joining Deloitte, Tank worked with two international consulting firms as an SME (subject matter expert) in GRC areas.
Tank has worked in the SAP Advisory and GRC Product team, focusing on SAP internal control automation and SAP compliance cost
reduction, and was involved in different projects to provide value add-ons to their business and resolve tough problems.

Professional experience: 10+ years
Position in firm: Partner
Skills:
• SAP GRC AC, PC
• SAP SD
• SAP Mitigation Controls Design

Qualifications & professional affiliations
• Master of Software Engineering
• Bachelor of Business Insurance, Economics
• SAP Certified Solution Consultant
• Oracle GRC Certified Trainee
• Archer eGRC Certified Solution Administrator

Detailed Resume (2/5)

Allen Wong – Senior Consultant, Risk Advisory

Profile summary
Allen is a Senior Consultant with the Risk Advisory practice of Deloitte. He specialises in SAP Enterprise Role Management,
GRC Access Control and HANA authorisation as well as SAP FICO implementation.

He has extensive experience in the implementation of SAP Authorisation & GRC 10 solutions for global organizations, in all
phases of a project lifecycle from requirement gathering all the way to production support. He has strong proficiency in the
design of SAP HANA, ECC, SRM, SCM and BW authorisation through experience in designing compliant roles and setting up mitigation
controls, role owners and SoD approvers to mitigate business operation risks. He also has broad knowledge of SAP processes
(certified in SAP FI) with a focus on fulfilling controls / audit requirements.

He has served as the GRC Application Owner and HANA Authorisation IP (Intellectual Property) Owner for one of the four
supermajor Oil & Gas companies. He has also served as a consultant for the execution of various ERP authorisation rollouts &
SoD reviews at predominantly multinational organizations in various industries, including Public Sector, Manufacturing and
Financial Institutions in Singapore.

Professional experience: 5 years
Position in firm: Senior Consultant
Skills:
• SAP GRC AC, PC
• SAP FICO
• SAP Authorization for ECC 6 & 7
• Data Analytics – QlikSense, Tableau, Power BI

Qualifications & professional affiliations
• Bachelor (Honours) of Information Communications Technology, Majoring in Software Engineering
• SAP Certified Application Consultant
• Awaiting CISA Accreditation

Detailed Resume (3/5)

Allen Wong – Senior Consultant, Risk Advisory

Experience and role on major engagements

• Led and conducted the full implementation of the Deloitte SAP Access Risk solution for a major SEA beverage conglomerate to
comply with regulatory mandates such as Sarbanes-Oxley. He designed new security processes including user access management,
change management and ruleset governance, and also designed enhancement updates to the client’s IT Policies & SOP documents to
ensure continuous compliance and governance. Also conducted more than 10 training workshops for both business users & the
operations team on the current situation & remediation, security approach, authorization concepts, tools usage, governance
process and future project implementation guides. Also built a management dashboard which transforms raw data into meaningful
visualization for management monitoring.

• Led, designed and implemented the SAP HANA Global Role Template and Security Processes (User Access Provisioning, Emergency
User Management, Auditing) for a global supermajor oil and gas company. Performed analysis of existing controls in SAP systems
and business processes and translated them into a HANA landscape. Also led and implemented the SAP ECC Authorisation portion of
the migration.

• Led a global enhancement factory working on a major oil company’s lubricant business’ security enhancements. Designed & built
SoD compliant roles, identified present business & security risks and proposed solutions to mitigate or resolve them. Also led
the conversations with other functional modules to gather information and security impact and design the subsequent SoD rules
according to the company’s finance principles.

• Led and conducted full testing for a Poland & Russia lubricant business for the SAP implementation of the SAP FICO module.
Also designed functional specs, configured and tested the SAP Finance customizing configurations for SAP interfacing to external
systems such as E-Expense & DOLPHIN.

• Served as a consultant for a FICO Configuration project in Benelux (Belgium, Netherlands, Luxembourg) for a British oil and gas
company, with extensive experience in dunning & correspondence requirements. Also served as a between the company and its third
party vendors for FICO enhancements throughout Europe & CIS.

• Served as Access Control specialist to perform SAP Access Rights Analysis and Review for a public board of Singapore to provide
assurance on information security & reduce the risk of fraudulent activities. Also built a management dashboard which transforms
raw data into meaningful visualization for management monitoring.

• Served as a consultant for a German lubricant business’ SAP implementation rollout with over 150 change requests designed in
the SAP Security sphere.

Detailed Resume (4/5)

Chaiwat Singkarintr – Senior Consultant, Risk Advisory

Profile summary
Chaiwat Singkarintr is a Senior Consultant with Deloitte & Touche Risk Advisory at the Singapore office. He is responsible for
SAP security, SAP authorization and SAP Basis. He also has a background in project management and IT auditing.

He has 10 years of professional experience in implementation and rollout projects at SCCC group, Thai Airways, PTT group, SCG
Ceramic, Airport of Thailand, Port Authority of Thailand and Siemens.

His working experience includes SAP hardware sizing, landscape design, installation, authorization concept and user management.
His industry experience spans oil & gas, chemicals, airlines and transportation.

Professional experience: 10 years
Position in firm: Senior Consultant
Skills:
• SAP Authorization, SoD management
• SAP Basis
• SAP MM and Ariba On-Premise
• PMO
• IT Audit

Qualifications & professional affiliations
• Master of Business Administration
• Bachelor of Science, IT
• IT Infrastructure Library Certification Program (ITIL)

Detailed Resume (5/5)

Chaiwat Singkarintr – Senior Consultant, Risk Advisory

Experience and role on major engagements

Chemical client – Bangladesh, Sri Lanka, Cambodia and Vietnam
Worked as SAP Authorization Team Lead and Member
- Understand the As-Is authorization concept for SAP ECC, HCM and Fiori
- Design an authorization approach that reduces the number of production issues, is reusable and maximizes resource utilization
- Create the project work plan
- Track the project work plan and create status reports for senior management
- Estimate effort and resources for each project
- Manage workload within the team (parallel projects) to complete project tasks within the timeline
- Identify risks / issues that might impact the project timeline and escalate to management level

Oil and Gas client – Thailand
Worked as SAP Basis and Authorization Team Member and Ariba Data Conversion Lead
- Designed processes for Basis and procurement areas, and the data conversion approach that extracted data from SAP to Ariba On-Premise
- Coordinated with other module teams within the project (FI, CO, SD, MM, LO, IS-Oil, PM, WM, HR, SRM, CLM, PPM, MDM, GRC, PI, BI and ABAP)
- SAP ECC6, SAP Enterprise Portal, SAP SRM, SAP CLM, SAP MDM, SAP PPM, PI and SAP Web Dispatcher installation
- Hardware sizing and landscape design
- Implemented SSL connections between SAP systems
- Designed and implemented the authorization concept and authorization design
- Evaluated SoD and audited SAP system settings

Airlines client – Thailand
Worked as PMO
- Identify gaps between As-Is and To-Be processes
- Set up meetings with the client and 3rd parties to clarify and confirm requirements against the project objective
- Track the project plan, highlight project status and ensure that critical issues, risks and CRs are managed in a timely manner

IT Audit
- Evaluate and document the design and operating effectiveness of controls
- Advise clients on business and technology risks, controls which mitigate those risks, and related opportunities for control improvement

Standard Business Terms
Standard Business Terms
1. Contract and Parties.

(a) The engagement letter and any appendices (“Engagement Letter”) issued by Deloitte & Touche Enterprise Risk Services Pte Ltd with registered business address at 6 Shenton Way, OUE
Downtown 2, #33-00, Singapore 068809 (“Deloitte”) and addressed to the Client and these General Business Terms (together the “Contract”) constitute the whole agreement between the
Client and Deloitte in relation to the services, and work product (including Advice as defined below) described in the Contract to be provided by Deloitte (the “Services”) and Deloitte’s
responsibilities for providing the Services. Capitalized terms not defined in these General Business Terms shall have the meaning given to them in the Engagement Letter.

(b) This Contract is between the Client and Deloitte.

(c) Deloitte may subcontract any Services under this Contract to any other Deloitte Entity and/or to any other third party (collectively “Subcontractor”). Client’s relationship is solely with
Deloitte as the entity contracting to provide the Services. Each party is an independent contractor and neither party is, nor shall be considered to be, the other’s agent, distributor, partner,
fiduciary, joint venturer, co-owner, or representative.

(d) Deloitte remains responsible to the Client for all of the Services performed or to be performed under this Contract, including Services performed by its Subcontractors. Accordingly, to the
fullest extent possible under applicable law, (i) none of the Deloitte Entities (except Deloitte) will have any liability to the Client; (ii) the Client will not bring any claim or proceedings of any
nature (whether in contract, tort, breach of statutory duty or otherwise, and including, but not limited to, a claim for negligence) in any way in respect of or in connection with this Contract
against any of the Deloitte Entities (except Deloitte); and (iii) the Client will also ensure that no other member of the Client Group which is not a party to the Contract brings any claim or
proceedings of any nature (whether in contract, tort, breach of statutory duty or otherwise, and including, but not limited to, a claim for negligence) in any way in respect of or in connection with
this Contract against any of the Deloitte Entities.

(e) For the purposes of this Contract:

“Advice” shall mean all advice, opinions, reports, recommendations and other work product in any form (including Deliverables) provided by or on behalf of Deloitte and/or its Subcontractors as
part of the Services.

“Affiliates” means in relation to the Client any company, partnership or other legal entity (other than a natural person) which from time to time directly or indirectly Controls, is Controlled by or
is under common Control with, the Client.

“Client” shall mean the entity specified in the Engagement Letter and, if applicable, shall include such of the Client’s subsidiaries and/or Affiliates as identified in the Engagement Letter (together
with the Client, “Client Group”), and references to the Client shall include the other members of the Client Group unless the context requires otherwise. The Client represents and warrants that it
has the power and authority (i) to sign the Contract, and (ii) to bind itself and the members of the Client Group, as the case may be.

“Control” means that the Client has the legal power to direct, or cause the direction, of the general management of the company, partnership or other legal entity.

“Deliverables” means any and all tangible work outputs of the Services to be delivered by Deloitte as part of the Services, including written returns, reports, documents and other materials.

“Deloitte Entities” and individually “Deloitte Entity” means Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its member firms and their respective subsidiaries and affiliates or
sub-licensees (including Deloitte), their predecessors, successors and assignees, and all partners, principals, members, owners, directors, employees, subcontractors (including the Subcontractors) and agents of all such
entities. Neither DTTL nor, except as expressly provided herein, any member firm of DTTL has any liability for each other’s acts or omissions. Each member firm of DTTL is a separate and independent legal entity
operating under the names “Deloitte”, “Deloitte & Touche”, “Deloitte Touche Tohmatsu” or other related names; and services are provided by member firms or their subsidiaries or affiliates and not by DTTL.

2. Responsibilities of the Client and of Deloitte.

(a) Responsibilities of the Client

(i) The Client shall cooperate with Deloitte and its Subcontractors in connection with the performance of the Services, including, without limitation, providing Deloitte and its Subcontractors with reasonable facilities and
timely access to data, information and personnel of the Client or Client Group (as the case may be). The Client shall be responsible for the performance of its personnel, agents and third parties retained by the Client,
for the timeliness, accuracy and completeness of all data and information provided to Deloitte and its Subcontractors by or on behalf of the Client for the purpose of the performance of the Services under this Contract.
Deloitte and its Subcontractors may use and rely on information and data furnished by the Client or others without verification. The performance of the Services is dependent upon the timely performance of the
Client’s responsibilities under the Contract and timely decisions and approvals of the Client in connection with the Services. Deloitte and its Subcontractors shall be entitled to rely on all decisions and approvals of the
Client.

(ii) The Client shall be solely responsible for, among other things: (A) making all management decisions and performing all management functions; (B) designating one or more individuals who possess suitable skill,
knowledge, and/or experience, preferably within senior management to oversee the Services; (C) evaluating the adequacy and results of the Services; (D) accepting responsibility for implementing the results of the
Services; and (E) establishing and maintaining internal controls, including, without limitation, monitoring ongoing activities.

(b) Responsibilities of Deloitte

(i) The Services provided are not binding on governmental or regulatory authorities and do not constitute a representation, warranty, or guarantee that any regulatory authorities will concur with any Advice. Any
Services provided by or on behalf of Deloitte will be based upon the applicable law and regulations. Subsequent changes in or to the foregoing (for which Deloitte shall have no responsibility to advise Client) may result
in the Services provided by or on behalf of Deloitte being rendered invalid.

(ii) In formulating any Advice as part of the Services, Deloitte may discuss ideas with the Client orally or show the Client drafts of such Advice. To the extent that the content of drafts or oral Advice is expected to be
finalized and confirmed to the Client in writing, such confirmed Advice shall supersede any previous drafts or oral Advice. Deloitte shall not be responsible if the Client or others choose to rely on, act or refrain from
acting on the basis of any drafts or oral Advice.

(iii) Deloitte will use its reasonable endeavours acting in a commercially prudent manner to carry out the Services in accordance with any timetable specified in the Contract. However, it is agreed that any dates
specified in the Contract for the performance of any part of the Services, including delivery of any Advice, are estimated dates for planning purposes only. Deloitte will notify the Client promptly if it expects or
encounters any significant delays which will materially affect achievement of any timetable for delivery of the Services.

3. Approval of Deliverables

(a) Client shall approve each Deliverable that conforms in all material respects with the specifications therefor set forth in the Engagement Letter or as otherwise agreed by the parties in writing
(“Specifications”). Within ten (10) days (or such other period agreed upon in the Engagement Letter) from its receipt of a Deliverable, Client shall provide Deloitte with (i) written approval of
such Deliverable or (ii) a written statement that identifies in reasonable detail, with references to the applicable Specifications, all of the deficiencies preventing approval (the “Deficiencies”).

(b) Deloitte shall have thirty (30) days (or such other period agreed upon in the Engagement Letter) from the date it receives the notice of Deficiencies to complete corrective actions in order for
such Deliverable to conform in all material respects to the applicable Specifications. Client shall complete its review of the corrected Deliverable and notify Deloitte in writing of acceptance or
rejection in accordance with the foregoing provisions of this Section.

(c) Notwithstanding the foregoing provisions of this Section, approval of a Deliverable shall be deemed given by Client if Client has not delivered to Deloitte a notice of Deficiencies for such
Deliverable prior to the expiration of any period for Client review thereof as set forth in this Section, or if Client uses the Deliverable in production.

(d) To the extent that any Deliverable has been approved by Client at any stage of Deloitte’s performance under the Engagement Letter, Deloitte shall be entitled to rely on such approval for
purposes of all subsequent stages of Deloitte’s performance under the Engagement Letter. Client agrees that, in the event an approved Deliverable differs from the Specifications for such
Deliverable, the Specifications shall be deemed modified to conform to such approved Deliverable.

(e) If Deloitte is unable to correct the Deficiencies in a Deliverable within the period of time set forth above, Client shall be entitled, at its option, to a refund or credit of professional fees paid to
Deloitte hereunder with respect to the Services giving rise to such Deliverable, and this shall be Client’s sole and exclusive remedy, and Deloitte’s sole and exclusive obligation, with respect to any
claim that the Deliverables do not conform to the requirements of these terms or the Engagement Letter.

4. Payment of Invoices.

Deloitte’s invoices are due and payable by the Client upon presentation. If payment of an invoice is not received within 30 days of the invoice date (“Due Date”), Deloitte reserves the right to
charge interest at the rate of one and a half percent (1½%) per month. Without limiting its other rights or remedies, Deloitte shall have the right to suspend or terminate the Services
entirely or in part if payment is not received by the Due Date. The Client shall be responsible for all taxes, such as VAT, GST, sales and use tax, gross receipts tax, withholding tax, and any
similar tax, imposed on or in connection with the Services, other than Deloitte’s income and property taxes.

5. Term.

(a) Unless otherwise provided, this Contract shall terminate once the Services have been completed and performed.

(b) This Contract may be terminated by either party at any time, without cause, by giving written notice to the other party not less than 30 days before the effective date of termination.

(c) Either party may terminate this Contract by written notice to the other on or at any time after the occurrence of any of the following events: (i) a material breach by the other party of an obligation under the
Contract and, if the breach is capable of remedy, the defaulting party failing to remedy the breach within 30 days of receipt of notice of such breach; (ii) the other party becomes insolvent or goes into liquidation; (iii)
the other party has a resolution passed or a petition presented for its winding-up or dissolution (other than for the purpose of a solvent amalgamation or reconstruction); (iv) the making of an administration order in
relation to the other party, or the appointment of a receiver over, or an encumbrancer taking possession of or selling, an asset of the other party; (v) the other party making an arrangement or composition with its
creditors generally or making an application to a court of competent jurisdiction for protection from its creditors generally; or (vi) any event analogous to those set out in (ii) to (v) in any relevant jurisdiction.

(d) Deloitte may terminate this Contract in whole or in part, with immediate effect upon written notice to the Client if Deloitte determines that (i) a governmental, regulatory, or professional entity, or other entity
having the force of law has introduced a new, or modified an existing, law, rule, regulation, interpretation, or decision, the result of which would render Deloitte’s performance of any part of the Contract illegal or
otherwise unlawful or in conflict with independence or professional rules; or (ii) circumstances change (including, without limitation, changes in ownership of the Client or of its affiliates) so that Deloitte’s performance
of any part of the Contract would be illegal or otherwise unlawful or in conflict with independence or professional rules.

(e) Upon termination of the Contract, for any reason (as stated above), the Client will compensate Deloitte in accordance with the terms of the Contract for the Services performed and expenses incurred through the
effective date of termination.

6. Ownership of Deloitte Property & Work Products.

(a) To the extent that any property (whether tangible or intangible) of any Deloitte Entity is used or developed in connection with this Contract, such property, including work papers, shall remain the property of the
relevant Deloitte Entity. Subject to payment of all of Deloitte’s fees due in connection with the Services and this Contract, the tangible items specified as a Deliverable will become property of Client. Any intellectual
property and other proprietary rights in the material and data provided by the Client for performing the Services shall remain the property of the Client.

(b) To the extent that Deloitte utilises any of its property (including, without limitation, the Deloitte Technology or any hardware or software of Deloitte) in connection with the performance of services hereunder, such
property will remain the property of Deloitte and Client will acquire no right or interest in such property. Notwithstanding anything in this Agreement to the contrary, the parties acknowledge and agree that (i) Deloitte
will own all right, title, and interest, including, without limitation, all rights under all copyright, patent, and other intellectual property laws, in and to the Deloitte Technology; and (ii) Deloitte may employ, modify,
disclose, and otherwise exploit the Deloitte Technology (including, without limitation, providing services or creating programming or materials for other clients). Deloitte does not agree to any terms that may be
construed as precluding or limiting in any way its right to (aa) provide accounting, auditing, tax, consulting, or other services of any kind or nature whatsoever to any person or entity as Deloitte in its sole discretion
deems appropriate or (bb) develop for itself, or for others, materials that are competitive with those produced as a result of the services provided hereunder, irrespective of their similarity to the Deliverables.

(c) The Client acknowledges that Deloitte and its Subcontractors, in connection with performing the Services, may develop or acquire general experience, skills, knowledge, and ideas. The Client acknowledges and
agrees that, any Deloitte Entity may use and disclose such experiences, skills, knowledge and ideas subject to the obligations of confidentiality set out in Paragraph 11.

(d) “Deloitte Technology or Technologies” means all know-how and software, system interfaces, templates, models, methodologies, ideas, concepts, techniques, tools, processes, and technologies, including web-based
technologies and algorithms owned by, licensed to or developed by any Deloitte Entity and used by Deloitte and its Subcontractors in performing the Services or its other obligations, and the generalised features of the
structure, sequence and organisation of the software, user interfaces and screen designs, general purpose consulting and software tools, utilities and routines, logic, coherence and methods of operations of systems.

7. Limitations on Damages.

(a) The total liability of Deloitte, its Subcontractors and their respective personnel for any claims, liabilities, losses, damages, costs or expenses arising under or in connection with this Contract or the Services
provided or to be provided under this Contract (“Claims”) shall not in aggregate exceed three times the fees paid under this Contract for that part of the Services giving rise to the Claim.

(b) In no event shall any Deloitte Entity (including Deloitte and its Subcontractors) and their respective personnel be liable whether in contract, tort or otherwise for any losses incurred as a result of loss of use,
contracts, data, goodwill, revenues or profits (whether or not deemed to constitute direct Claims) or any consequential, special, indirect, incidental, punitive or exemplary loss, damage, or expense arising under or in
connection with the Contract.

(c) In circumstances where all or any portion of the provisions of this Paragraph 7 are finally determined to be unenforceable, the aggregate liability of Deloitte, any other Deloitte Entity (including Subcontractors) and
their respective personnel for any Claim shall not exceed an amount which is proportional to the relative fault that their conduct bears to all other conduct giving rise to such Claim.

(d) Deloitte’s responsibility for the Services is solely towards the Client and not towards any other members of the Client Group. If more than one member of the Client Group is a party to the Contract, Deloitte’s
responsibility is solely towards the respective members of the Client Group for which the Services were provided.

(e) The liability cap in Paragraph 7(a) applies in aggregate to each and all Claims which from time to time arise under or in connection with the Contract and the Services, whether such Claims are made at the same or
different times or by one or more members of the Client Group and/or other persons. The liability cap in Paragraph 7(a) also applies to any and all Claims against any other Deloitte Entities, including the
Subcontractors, if and only to the extent that it is judicially determined that any of them have any liability under or in connection with the Contract or the Services.

(f) If the liability exclusion for other Deloitte Entities provided in Paragraph 1(d) is for any reason not effective, then the limitations on liability provided for in this Paragraph 7 shall apply to the other Deloitte Entities
(including Subcontractors) as if they were named therein.

(g) The provisions of Paragraph 7(a) shall not apply to fraud and intentional misconduct as finally determined, or any liability which by the governing law of the Contract is unlawful to limit or exclude.

8. Limitation on Warranties.

This is a services agreement. Deloitte warrants that it shall perform the Services in good faith and with reasonable skill and care and in accordance with generally accepted professional
standards.

The express warranties, representations and obligations of Deloitte in this Contract are made expressly in place of and to the exclusion (to the fullest extent permitted by law) of all other
representations, warranties, terms and conditions, express or implied, statutory or otherwise, relating to anything supplied or to be supplied and services provided or to be provided by or on
behalf of Deloitte under or in connection with this Contract and the Services.

9. Force Majeure.

Neither party shall be liable for any delays or non-performance resulting from circumstances or causes beyond its reasonable control, including, without limitation, acts or omissions or the failure
to cooperate by the other party (including, without limitation, entities or individuals under its control, or any of their respective officers, directors, employees, other personnel and agents), fire or
other casualty, act of God, epidemic, strike or labour dispute, war or other violence, or any law, order, or requirement of any governmental agency or authority.

10. Limitation on Actions.

No action, regardless of form, relating to the Contract or the Services, may be brought by either party more than one year after the cause of action has accrued under applicable law, except for
an action for non-payment of professional fees and expenses which may be brought at any time after the expiration of the said one year period.

11. Confidentiality.

11A Confidentiality. Client agrees that all services hereunder and Deliverables will be solely for Client’s informational purposes and internal use and without limitation shall not, without
Deloitte’s prior written consent, use any Deliverables or Advice in connection with any business decisions of any third party or for advertisement purposes. Client further agrees that such
services and Deliverables will not, unless considered by Client to be reasonably necessary for the carrying on of its business, be used by, or circulated, quoted, disclosed, or distributed to,
nor will reference to such services or Deliverables be made to, any person or entity other than Client.

11B To the extent that, in connection with this engagement, either party (each, the “receiving party”) comes into possession of any trade secrets or other proprietary or confidential information
of the other (the “disclosing party”), it will not disclose such information to any third party without the disclosing party’s written consent. Notwithstanding the above, the disclosing party
hereby consents to the receiving party disclosing such information:

(1) In the case of Deloitte being the receiving party, to its subcontractors, whether located within or outside of Deloitte & Touche Enterprise Risk Services Pte Ltd, that are providing
Services in connection with this engagement and that have agreed to be bound by confidentiality obligations similar to those in this paragraph;

(2) As may be required by law, regulation, judicial or administrative process, or in accordance with applicable professional standards or rules, or in connection with litigation pertaining
hereto provided, to the extent permitted by law, prompt written notice is provided to the disclosing party hereto and the receiving party cooperates with the disclosing party hereto in
efforts to limit the extent of information disclosed or otherwise contest any such disclosure;

(3) To the extent such information (i) shall have otherwise become publicly available (including, without limitation, any information filed with any governmental agency and available to the
public) other than as the result of a disclosure in breach hereof, (ii) becomes available to the receiving party on a non-confidential basis from a source other than the disclosing party that
the receiving party believes is not prohibited from disclosing such information to the receiving party by obligation to the disclosing party, (iii) is known by the receiving party prior to its
receipt from the disclosing party without any obligation of confidentiality with respect thereto, or (iv) is developed by the receiving party independently of any disclosures made by the
disclosing party to the receiving party of such information.

In satisfying its obligations under this paragraph (3), each party shall maintain the other’s trade secrets and proprietary or confidential information in confidence using at least the same
degree of care as it employs in maintaining in confidence its own trade secrets and proprietary or confidential information, but in no event less than a reasonable degree of care. Nothing in
this paragraph shall alter the Client’s obligations under paragraph 11A. Notwithstanding anything to the contrary herein, the Client acknowledges that Deloitte, in connection with
performing the Services, may develop or acquire experience, skills, knowledge, and ideas that are retained in the unaided memory of its personnel. The Client acknowledges and agrees
that Deloitte may use and disclose such experience, skills, knowledge, and ideas.

(4) The Client shall not disclose to any third party any Advice without the express written consent of Deloitte, except (i) disclosure may be made to the extent mandatory laws, applicable
regulations, rules and professional obligations prohibit limitations on disclosure, (ii) the Client may disclose the Advice on a need to know basis to any Affiliate that is not identified in the
Contract for information purposes only, provided that the Client ensures and the recipient undertakes to keep such Advice confidential and not to bring any claim of any kind against any
Deloitte Entity in relation to the Advice or the Services, and (iii) the Client may disclose the Advice on a need to know basis to statutory auditors of the Client Group in their capacity as
such.

(5) Unless otherwise agreed, all Services are intended only for the benefit of the Client entitled to rely on the Advice or Deliverable. The mere receipt of any Advice or Deliverable, (or any
information derived therefrom) by any other persons is not intended to create any duty of care, professional relationship or any present or future liability of any kind between those persons
and Deloitte.

12. Assignment.

Neither party may assign or otherwise transfer this Contract without the prior express written consent of the other, except that Deloitte may assign any of its rights or obligations hereunder to
any other Deloitte Entity and to any successor to its business. Neither party will directly or indirectly agree to assign or transfer to a third party any Claim against the other party arising out of
this Contract.

13. Indemnification.

The Client shall indemnify and hold harmless Deloitte and any other Deloitte Entity from all third party Claims except to the extent finally determined to have resulted primarily from fraud or
intentional misconduct of Deloitte, or any other Deloitte Entity. In circumstances where all or any portion of the provisions of this paragraph are finally determined to be unavailable, the
aggregate liability of Deloitte, and all other Deloitte Entities (including their respective personnel) for any Claim shall not exceed an amount which is proportional to the relative fault that their
conduct bears to all other conduct giving rise to such Claim.

The limitation of liability and indemnification provisions herein shall apply to the fullest extent of the law, whether in contract, statute, tort (including negligence) or otherwise.

14. Electronic Communications.

(a) Except as instructed otherwise in writing, Deloitte Entities and the Client Group are authorized to use properly addressed fax, email (including emails exchanged via Internet media) and
voicemail communication for both sensitive and non-sensitive documents and other communications concerning this Contract, as well as other means of communication used or accepted by the
other. Deloitte Entities may also communicate electronically with tax and other authorities.

(b) It is recognized that the internet is inherently insecure and that data can become corrupted, communications are not always delivered promptly (or at all), and that other methods of
communication may be appropriate. Electronic communications are also prone to contamination by viruses. Each party will be responsible for protecting its own systems and interests and, to
the fullest extent permitted by law, will not be responsible to the other on any basis (contract, tort or otherwise) for any loss, damage or omission in any way arising from the use of the internet
or from access by any Deloitte Entity personnel to networks, applications, electronic data or other systems of the Client.

15. Other Clients.

Nothing in this Contract will prevent or restrict any Deloitte Entity, including Deloitte, from providing services to other clients (including services which are the same or similar to the Services) or
using or sharing for any purpose any knowledge, experience or skills used in, gained or arising from performing the Services subject to the obligations of confidentiality set out in Paragraph 11
even if those other clients’ interests are in competition with the Client. Also, to the extent that Deloitte possesses information obtained under an obligation of confidentiality to another client or
other third party, Deloitte is not obliged to disclose it to the Client, or use it for the benefit of the Client, however relevant it may be to the Services.

16. Staff.

Deloitte and the Client each agree not to directly or indirectly solicit, employ or engage any personnel of the other party who within 12 months of such action has been involved directly with the
provision of the Services or otherwise directly connected with this Contract, except where an individual responds directly to a general recruitment campaign. In the event that a party
breaches this provision, the breaching party shall be liable to the aggrieved party for an amount equal to thirty percent (30%) of the annual base compensation of the relevant personnel in his
or her new position. Although such payment shall be the aggrieved party’s exclusive means of monetary recovery from the breaching party for breach of this provision, the aggrieved party shall
be entitled to seek injunctive or other equitable relief. This provision shall not restrict the right of either party to solicit or recruit generally in the media.

17. Destruction of Working Papers.

Deloitte may retain copies of documents and files provided by the Client or on the Client’s behalf in connection with the Services for purposes of compliance with professional standards and
internal retention policies. Any documents and files retained by Deloitte on completion of the Services (including documents legally belonging to the Client) may routinely be destroyed in
accordance with Deloitte Entities’ policies applying from time to time.

18. Marketing Material & Use of Name.

Neither Deloitte Entities nor Client shall use the other’s trademarks, service marks, logos, and/or branding in external publicity material without such other party’s prior written consent.
However Deloitte Entities may refer to the name of the Client and the performance of the Services in (a) marketing and publicity materials, as an indication of its experience, and (b) in
internal data systems.

19. Spreadsheets, Models and Tools.

In the course of providing the Services, Deloitte may make reference to spreadsheets, models or tools (together “Models”) that the Client provides to Deloitte or requests Deloitte to rely upon
(“Client Models”) or that Deloitte otherwise uses in connection with the Services (“Deloitte Models”). All Models have limitations and may not produce valid results for all possible
combinations of input data with the result that actual and potential errors are not detected. Unless otherwise expressly agreed in the Contract: (a) Deloitte will not be responsible for
reviewing, testing or detecting any errors in any Client Models; (b) no Deloitte Model will be provided or treated as Advice; and (c) where Deloitte provides any Deloitte Model by way of
explanation or illustration of any Advice, Deloitte makes no representation, warranty or undertaking (express or implied) of any kind about the accuracy, suitability or adequacy of any such
Deloitte Model for the Client’s own needs.

20. Data Protection.

(a) Each party shall comply with its respective obligations under the applicable data protection laws to the extent that, in connection with this Contract and the Services, it stores, processes and
transfers any personal data to which data protection laws apply (“Personal Data”). In relation to any Client Group or third party Personal Data which is processed by Deloitte as part of the
Services, Deloitte as data processor will (i) process such Personal Data only in accordance with lawful and reasonable instructions of the Client; and (ii) comply with the legally required
security obligations applicable to a data processor.

(b) The Client confirms that it has obtained all legally required authorizations to transfer any Personal Data to Deloitte and to contractors providing administrative, infrastructure and other
support services to Deloitte as well as to any Deloitte Entity (including any Subcontractors) and their respective personnel, and to any subcontractor, including across borders.

21. Anti-corruption.

Deloitte understands that the Client may be subject to laws that prohibit bribery and/or providing anything of value to government officials with the intent to influence that person’s actions in
respect of the Client. Deloitte may be subject to similar laws and codes of professional conduct and has its own internal policies and procedures which prohibit illegal or unethical behaviours.
In providing the Services, Deloitte undertakes not to offer, promise or give a financial or other advantage to another person with the intention of inducing a person to perform improperly or to
reward improper behaviour for the benefit of the Client.

22. Counterparts and Language.

This Contract may be signed in any number of counterparts (whether such counterparts are original or fax or in the form of a pdf attachment to an email). Each signed counterpart shall be
deemed to be an original thereof, but all the counterparts shall together constitute one and the same instrument. Where there are versions of the Contract in the English language and another
language, in the event of any discrepancies between versions, the English language version shall prevail.

23. Entire Agreement, Modification and Effectiveness.

Nothing discussed prior to execution of the Contract induced, nor forms part of, the Contract except to the extent repeated in this Contract. This Contract supersedes any previous agreement,
understanding or communication, written or oral, relating to its subject matter. No variation to the Contract shall be effective unless it is documented in writing and signed by authorized
representatives of both parties, provided, however, that the scope of the Services may be changed by agreement of the parties in writing, including by e-mail or fax. If Deloitte has already
started work (e.g., by gathering information, project planning or giving initial advice) at the request of the Client then the Client agrees that this Contract is effective from the start of such work.

24. Survival and Interpretation and Third Party Beneficiary.

(a) Any provisions of the Contract which either expressly or by their nature extend beyond the expiration or termination of this Contract shall survive such expiration or termination, including,
without limitation, Paragraphs 1(d), 3, 5, 6, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24 and 25.

(b) If any provision of this Contract is found by a court of competent jurisdiction or other competent authorities to be unenforceable, in whole or in part, such provision or the affected part shall
not affect the other provisions, but such unenforceable provision shall be deemed modified to the extent necessary to render it enforceable, preserving to the fullest extent permissible the intent
of the parties set forth herein. The provisions of Paragraphs 1, 5, 6, 7, 8, 10, 12, 14, 15, 16, 18 and 20 hereof shall apply to the fullest extent of the law, whether in contract, statute, tort
(including without limitation negligence), or otherwise, notwithstanding the failure of the essential purpose of any remedy.

(c) Deloitte Entities are intended third-party beneficiaries of the Contract. Each such Deloitte Entity may in its own right enforce such terms, agreements and undertakings.

(d) Unless otherwise provided in this Contract, any person who is not a party to this Contract shall not have any rights to enforce any of the terms herein under the provisions of the Contracts
(Rights of Third Parties) Act (Cap 53B).

25. Governing Law.

This Contract, and all matters relating to it (including non-contractual obligations), shall be governed by, and construed in accordance with, the laws of Singapore (without giving effect to the
choice of law principles thereof).

26. Dispute Resolution.

The parties agree to attempt in good faith to resolve any dispute or claim arising out of or in connection with the Contract promptly through negotiations between senior management. If the
matter is not resolved through negotiation, then the claim or dispute including any question relating to its existence, validity or termination will be finally resolved by arbitration in accordance
with the rules of the Singapore International Arbitration Centre for the time being in force, which rules are deemed to be incorporated by reference in this clause which decision shall be final and
binding on the Parties. The language of the arbitration shall be English.

27. Quality of Services.

(a) If, at any time, you believe the service by us to you could be improved, or if you are dissatisfied with any aspect of the Services, you should raise the matter with the partner responsible for
providing the Services to you. If you would prefer to discuss the matter with someone other than that partner, or if you wish to make a complaint, please write to Janson Yap, Regional
Managing Partner Enterprise Risk Services, Southeast Asia, at jansonyap@deloitte.com.

(b) We will investigate all matters that are brought to our attention in a timely manner and contact you to discuss and try and resolve the matter.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of
member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also
referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of
DTTL and its member firms.
This communication is for internal distribution and use only among personnel of Deloitte Touche Tohmatsu Limited, its member firms, and
their related entities (collectively, the “Deloitte network”). None of the Deloitte network shall be responsible for any loss whatsoever
sustained by any person who relies on this communication.
About Deloitte Singapore
In Singapore, services are provided by Deloitte & Touche LLP and its subsidiaries and affiliates.

© 2018 Deloitte & Touche Enterprise Risk Services Pte Ltd
