
Course agenda
GRC Introduction - day 1
Access Controls 5.x and 10.0 - day 1
Access Risk Analysis - day 2
Emergency Access Management - day 2
Access Request Management - day 3
Business Role Management - day 3
AC 10 implementation process and Sample Project - day 4
Rule set and SoD analysis - day 5
GRC assessments - day 5

GRC Governance Risk & Compliance

GRC Categories and Vendors


Sarbanes-Oxley Section 404: Assessment of internal control
The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting (ICOFR). This is the most costly aspect of the legislation for companies to implement, because documenting and testing the important financial controls, both manual and automated, requires enormous effort.
Category / Business View / Representative Vendors

Category: Finance Management GRC
Business view: Management, workflow, documentation and reporting associated with financial controls
Representative vendors: Axentis, Certus, IBM, Movaris, OpenPages, Oracle, Paisley Consulting, Qumas, SAP

Category: Audit Management
Business view: Internal audit work papers, task management and workflow
Representative vendors: PricewaterhouseCoopers, Paisley Consulting

Category: Audit Data Extraction and Analysis
Business view: Tools for extracting data from business applications and running ad hoc analysis or template queries
Representative vendors: ACL, IDEA (CaseWare)

Category: Segregation of Duties
Business view: Ensuring that personnel do not have access to data in a way that creates the potential for fraud
Representative vendors: Approva, Oversight Systems, Virsa Systems (SAP)

Category: Business Rule Management
Business view: Monitoring transactional data in accordance with business rules established as controls
Representative vendors: 170 Systems, Infogix, webMethods

SAP GRC
Access risk management (AC): Confidently manage and reduce access risk across the enterprise with a single solution to manage a centralized strategy for governance, risk, and compliance.
Enterprise GRC (PC & RM): Automate risk management, compliance, and monitoring activities and minimize the associated cost and effort required.
Global trade services (GTS): Minimize global trade violations with a single, integrated platform to meet complex and ever-changing global trade compliance requirements.
Environment, health, and safety management: Empower your organization to address regulatory compliance; integrate the management of operational risks related to environment, health, and safety; and address corporate sustainability initiatives.
Sustainability performance management (SuPM): Help your organization track and communicate sustainability performance, set goals and objectives, manage risks, and monitor activities.

Access Control: Manage Access & Authorizations

SAP Governance, Risk, and Compliance (GRC) Access Control provides end-to-end automation for documenting, detecting, remediating, mitigating, and preventing access and authorization risk enterprise-wide, resulting in proper segregation of duties, lower costs, reduced risk, and better business performance.
Access Control includes the following capabilities:
Access Risk Analysis, which supports real-time compliance by detecting, removing, and preventing access and authorization risks so that security and control violations are stopped before they occur.
Access Request Management, which automates provisioning, tests for segregation of duties (SoD) risks, and streamlines approvals by the appropriate business approvers to unburden IT staff and provide a complete history of user access.
Business Role Management, which standardizes and centralizes role creation and maintenance.
Emergency Access Management, which enables users to perform emergency activities outside their roles as privileged users in a controlled and auditable environment.

End-To-End Compliance with SAP GRC Access Controls

Architecture GRC 10 (architecture diagram; only the component labels and connection types shown on the slide are recoverable, listed here)

Front End Client: SAP GUI, Web Browser, Adobe Flash Player 7.10; *Crystal Reports Adapter (CRA) and Active Component Framework needed for viewing GRC Crystal Reports. Connections to the server side: DIAG and HTTP.
SAP NW Portal 7.01 (optional, recommended for GTS/SPL): GRC Portal Content; HTTP connection.
SAP NetWeaver AS ABAP 7.02 / SAP NetWeaver 7.02: SAP GRC 10.0 (Software Component: GRCFND_A) with AC, PC & RM; GRC Search with Search/Classification; Content Lifecycle Management (CLM); Nota Fiscal Content; GTS (Software Component: SLL-LEG).
SAP ERP (4.6C to 7.1), connected by RFC: NW Function Modules (Plug-in: GRCPINW); HR Function Modules and PC Automated Controls (Plug-in: GRCPIERP); GTS Plug-in (Plug-in: SLL-PI); Nota Fiscal Eletronica (Software Component: SLL-NFE), required for Nota Fiscal E.
SAP NW BW 7.02 (optional), connected by RFC: BI Content 7.06, GRC BW Content.
SAP NW Java 7.01: Adobe Document Services, required for RM and GTS.
SAP NetWeaver PI (optional): adapter to Non-SAP Business Applications.
Identity Management Solutions (SAP or Non-SAP), optional, connected via web services.
AC 5.3 Dashboard

AC 10 Dashboard

SPRO Settings

Configuration
Common Settings
User Roles
BC Sets
AC Parameters
Connector and Connector Settings
Plug-in Customizing
Components Configuration
ARA
EAM
ARM
BRM

AC Roles
Admin Users: SAP_GRAC_SETUP, SAP_GRAC_RULE_SETUP
Risk Analysis: SAP_GRAC_RISK_ANALYSIS, SAP_GRAC_RISK_OWNER
MSMP: SAP_GRC_MSMP_WF_ADMIN_ALL, SAP_GRC_MSMP_CONFIG_ALL
Role Mgt: SAP_GRAC_ROLE_MGMT_ADMIN, SAP_GRAC_ROLE_MGMT_DESIGNER
Super User Admin: SAP_GRAC_SUPER_USER_MGMT_ADMIN, SAP_GRAC_SUPER_USER_MGMT_OWNER, SAP_GRAC_SUPER_USER_MGMT_CNTLR
End Users: SAP_GRAC_NWBC, SAP_GRAC_BASE
Access Request Roles: SAP_GRAC_ACCESS_REQUESTER, SAP_GRAC_ACCESS_APPROVER, SAP_GRAC_ACCESS_REQUEST_ADMIN

BC Sets
The following BC Sets need to be activated for Access Control to work by default:
GRAC_RA_RULESET_COMMON and the respective back-end rule set(s), e.g. GRAC_RA_RULESET_SAP_R3 for R/3
GRAC_ACCESS_REQUEST_REQ_TYPE
GRAC_ACCESS_REQUEST_EUP
GRAC_ACCESS_REQUEST_APPL_MAPPING
GRAC_ACCESS_REQUEST_PRIORITY
GRAC_ROLE_MGMT_SENTIVITY
GRAC_ROLE_MGMT_METHODOLOGY
GRAC_ROLE_MGMT_ROLE_STATUS
GRAC_ROLE_MGMT_PRE_REQ_TYPE
GRAC_SPM_CRITICALITY_LEVEL
GRC_MSMP_CONFIGURATION

Connectors
Integration Framework settings include:
Create Connectors
Maintain Connectors and Connection Types
Maintain Connection Settings
Maintain Service Providers and Consumer Proxies in SOA Manager
Event-Based Monitoring

Configuration Parameters - 1

Configuration Parameters - 2

Plug-in Settings
Plug-in connector (pointing to the ERP system itself)
GRC connector (pointing to the AC server and client, by logical name)
Rule set (which rule set to use in AC)
HR Triggers activation
Risk Terminator settings

Access Risk Analysis


Ruleset setup
Mitigation Controls Setup
Repository Sync
User/ Roles/ Profiles Sync
Authorization Sync
Batch Risk Analysis
Reviewing risk analysis reports
Performing user/ role/ profile level analysis
User/ role Simulation
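The Access Risk Analysis steps above (rule set, mitigating controls, user/role level analysis, simulation) are easier to reason about with a small model of what the analysis engine actually computes. The following is an added example, not code from the training deck or from SAP; it uses the Access Control rule-set vocabulary (actions grouped into functions, risks defined as combinations of conflicting functions, violations that can be mitigated by a control) but every function ID, risk ID, role, transaction code, user and mitigating-control ID is constructed sample data.

```python
"""
Added example: a minimal SoD risk-analysis engine in the style of
Access Control's Access Risk Analysis. All IDs and sample data are constructed.
"""
from itertools import product

# Function = business activity, defined by the actions (transactions) that enable it.
FUNCTIONS = {
    "AP01": {"FK01", "FK02"},    # maintain vendor master (constructed)
    "AP02": {"F-53", "F110"},    # post vendor payments (constructed)
    "MM01": {"ME21N", "ME22N"},  # create/change purchase order (constructed)
}
# Risk = set of functions that one user must not be able to execute together.
RISKS = {
    "P001": {"functions": ("AP01", "AP02"), "level": "High"},
    "P002": {"functions": ("MM01", "AP02"), "level": "Medium"},
}
# Roles map to the actions they grant (constructed, single-system view).
ROLES = {
    "Z_AP_VENDOR_MAINT": {"FK01", "FK02"},
    "Z_AP_PAYMENTS": {"F-53", "F110"},
    "Z_PUR_BUYER": {"ME21N"},
    "Z_DISPLAY": {"FK03"},
    "Z_AP_CLERK_ALL": {"FK01", "F110"},  # a role that conflicts with itself
}
USERS = {
    "JSMITH": ["Z_AP_VENDOR_MAINT", "Z_DISPLAY"],
    "AKUMAR": ["Z_AP_VENDOR_MAINT", "Z_AP_PAYMENTS"],
    "LCHEN": ["Z_PUR_BUYER", "Z_AP_PAYMENTS"],
}
# Mitigating controls assigned per (user, risk); constructed control ID.
MITIGATIONS = {("AKUMAR", "P001"): "MC-AP-001"}


def actions_for_roles(role_names):
    """Union of the actions granted by a list of roles."""
    actions = set()
    for name in role_names:
        actions |= ROLES[name]
    return actions


def analyze_actions(actions):
    """Evaluate the rule set against a set of actions.

    A function is enabled when at least one of its actions is held; a risk is
    violated when every function of the risk is enabled. Each combination of
    one held action per function is reported as one concrete rule hit.
    """
    violations = {}
    for risk_id, risk in RISKS.items():
        held = [sorted(FUNCTIONS[f] & actions) for f in risk["functions"]]
        if all(held):
            violations[risk_id] = {
                "level": risk["level"],
                "action_combinations": [tuple(c) for c in product(*held)],
            }
    return violations


def analyze_user(user, extra_roles=()):
    """User-level analysis over the user's roles plus any simulated extra roles."""
    roles = list(USERS.get(user, [])) + list(extra_roles)
    report = []
    for risk_id, v in analyze_actions(actions_for_roles(roles)).items():
        report.append({
            "user": user,
            "risk": risk_id,
            "level": v["level"],
            "action_combinations": v["action_combinations"],
            "mitigating_control": MITIGATIONS.get((user, risk_id)),
        })
    return report


def analyze_role(role):
    """Role-level analysis: risks contained within a single role."""
    return sorted(analyze_actions(ROLES[role]))


def simulate_user(user, add_roles):
    """Simulation showing only the risks that granting add_roles would introduce."""
    before = {r["risk"] for r in analyze_user(user)}
    return [r for r in analyze_user(user, extra_roles=add_roles)
            if r["risk"] not in before]


def batch_risk_analysis():
    """Batch analysis: open (unmitigated) violations for every user."""
    return {u: [r for r in analyze_user(u) if r["mitigating_control"] is None]
            for u in USERS}


if __name__ == "__main__":
    for user, hits in batch_risk_analysis().items():
        print(user, [(h["risk"], h["level"]) for h in hits])
    print("simulate JSMITH + Z_AP_PAYMENTS:",
          [h["risk"] for h in simulate_user("JSMITH", ["Z_AP_PAYMENTS"])])
```

The model makes two points visible that the list of steps alone does not: a mitigated violation still exists and still shows up in user-level analysis (the batch report only filters it out of the open items), and simulation has to diff against the user's current violations, otherwise every request would re-report risks the user already carries.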

Emergency Access Management


FFID Creation
FFID Owners
FFID Controllers
Reason Codes creation
Firefighter assignment
FFID activity log sync

Using EAM - GRAC_SPM / GRAC_EAM

Access Request Management


Number ranges creation
Request Type configuration
Provisioning Settings
BRF+ rule creation
MSMP configuration
Process ID
Maintaining rules
Maintaining agents
Notification settings
Path creation
Routing setup
Activation
Access request creation/ review/ approval

Business Role Management


Role attributes creation
Naming conventions
BRF rules for methodology and role approvers
Methodology setup
Organization creation
Condition groups
Role Creation/ review and approval
Mass Role Maintenance
Role import
Mass role derivation
