
Sarbanes-Oxley: SAP R/3 security perspective

ASUG Annual Conference October 2003 Dallas, Texas


Mark Russo, CPA
Jan Smolders, CISA
CSI Belgium 2003

Agenda

- 30 introduction
- Sarbanes-Oxley regulation and requirements
- Some root causes for non compliance
- How a proven SAP R/3 authorisation concept can foster Sarbanes-Oxley compliance
- CSI framework for Sarbanes-Oxley relevance determination
- Questions and answers

30 introduction


Sarbanes-Oxley regulation and requirements


Sarbanes-Oxley overview

Section 302 - Quarterly certification of internal controls by CEO / CFO
Has the CEO / CFO on a quarterly basis:
- reviewed the SEC filings and certified the financial statements;
- established, implemented and maintained disclosure controls and procedures;
- reported any material deficiencies and/or material changes in internal controls and/or fraud to the Audit Committee and the auditors.

Section 404 - Management assertion on the effectiveness of internal controls
On an annual basis management must:
- issue an internal control report that states management's responsibility for establishing and maintaining internal controls and procedures for financial reporting;
- assess the internal controls and procedures as they relate to financial reporting.
External auditors must certify these reports.

Sarbanes-Oxley overview

Section 401(b) - Rules on pro forma figures
Pro forma information may not contain any untrue statement of a material fact or be misleading, and must be reconciled with GAAP.

Section 409 - Real-time disclosure of material changes
A company must disclose, on a real-time basis, any material changes in its financial condition or operations.

SAP Control Environment

- Manual controls
- Configurable controls, business process: 3-way match, allowances, required fields, tolerances, sequential documents, etc.
- Configurable controls, security: restricting access functionally and organizationally, segregation of duties

SAP Security & SOX

- Define critical SAP functionality: group transactions and authorization objects
- Assign a rating based on SOX relevance
- Develop a method: COSO and COBIT
- Review access to ensure that only authorized users have access to SOX-critical functionality
- Ensure users do not have conflicting access: develop a segregation of duties (SoD) matrix based on the critical SAP functionality
- Continuous monitoring: develop SAP reporting and security monitoring tools

Some root causes for non compliance


Some root causes for non compliance

- Integration of applications
- Integration of business processes
- Distributed systems
- Change management
- User empowerment
- Control environment
- Integration of SAP and BPR projects
- Business environment impact on internal control

How a proven SAP R/3 authorisation concept can foster Sarbanes-Oxley Compliance


Types of controls

- Inherent controls are hard-coded into the system and rarely changed.
- Configurable controls can be split into two main categories:
  - Business process control features are designed into the standard system but have to be configured during implementation and maintained during normal operations.
  - Access security control features are designed into the standard system but have to be configured during implementation and maintained during normal operations.
- Manual and reporting controls should be used when a combination of the above controls does not ensure a satisfactory control environment, or when those controls are, given the size and/or nature of the business, less efficient or effective.

SAP R/3 Security

(Diagram: how a transaction is started in R/3 and which authority checks apply on the way to the data)

- Entry points to a transaction: Menu, Command field, Parameter Tcode, Reporting Tree (SERP / SARP). About 52,000 Tcodes exist.
- S_TCODE (= authorization object): the check occurs only for the initial transaction started; other Tcodes reached from within it are not covered by this check.
- TSTCA (= table; = 1 additional authority check per transaction): checked for every transaction called.
- SE38 / SA38 -> ABAP programs; Z Tcode -> Z ABAP (custom code). Authority check on what? Whether an object is checked at all depends on the check indicators in USOBX (USOBX_C for the customer version) and on objects switched off globally in TOBJ_OFF.
- SE16 / SE17 / SM30 / SM31 -> DATA (tables): direct access to table contents, outside the business transaction. Relevant information criteria: Confidentiality, Integrity, Availability.

Assess change drivers...

- Organizational: new users, functions, tasks -> authorizations
- Functional: Enjoy transactions, menu, EP, ...
- Technical: PFCG, roles, LDAP, number of issues

Maintainability is key to security.

Do not exaggerate: implement the strictly needed business requirements.

Function - Task concept

Departments / Modules -> Users -> Functions -> Tasks -> Authorizations (authorization object fields)

- Users and functions: easy to manage
- Tasks and authorizations: very complex but stable (if the organizational levels in SAP are stable!)

Function Task Concept

Organizational -> Organizational / Technical -> Technical

USERS -> (assignment, driven by business requirements) -> FUNCTIONS -> (grouping) -> DERIVED TASKS -> MASTER TASKS -> TCODES

Functions: grouping with homogeneous content
- Functional
- Authorization objects
- Process split (SoD)

Derived tasks: establish the SoD basis
- Central / Decentral
- Org levels / other fields (codification document)
- Restriction levels (naming convention)

CSI framework for SarbanesOxley relevance determination


CSI framework

What it is and does:
- Uses COSO and CobiT as reference
- Just a framework
- Gives guidance, structures thinking
- Helps prioritising actions and resources
- Generic
- Flexible to adapt to specific requirements
- Easy to use and understand

What it isn't and doesn't:
- An exact measuring tool
- A roadmap to Sarbanes-Oxley compliance

Starting point 1: COSO

COSO definition of internal control:
Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations

(Figure: COSO cube, with the objective categories set against Business unit 1, Business unit 2, Business unit 3)

Key concepts:
- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control is effected by people. It is not merely policy manuals and forms, but people at every level of an organization.
- Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
- Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.


Starting point 2: CobiT


Starting point 2: CobiT

Control Objective Delivery and Support 5 (DS5): Ensure system security
Control over the IT process of ensuring systems security that satisfies the business requirement to safeguard information against unauthorised use, disclosure or modification, damage or loss is enabled by logical access controls which ensure that access to systems, data and programmes is restricted to authorised users, and takes into consideration: confidentiality and privacy requirements; authorisation, authentication and access control; user identification and authorisation profiles; need-to-have and need-to-know; cryptographic key management; incident handling, reporting and follow-up; virus prevention and detection; firewalls; centralised security administration; user training; tools for monitoring compliance, intrusion testing and reporting.

Starting point 2: CobiT

DS5: Ensure system security - information criteria

Effectiveness     (blank)
Efficiency        (blank)
Reliability       S
Compliance        S
Confidentiality   P
Integrity         P
Availability      S

Legend:
P = Primary: the defined control objective directly impacts the information criterion concerned.
S = Secondary: the defined control objective satisfies the information criterion concerned only to a lesser extent or indirectly.
Blank: could be applicable; however, the requirements are more appropriately satisfied by another criterion in this process and/or by another process.

Starting point 2: CobiT

Control Objective Delivery and Support 11 (DS11): Manage data
Control over the IT process of managing data that satisfies the business requirement to ensure that data remains complete, accurate and valid during its input, update and storage is enabled by an effective combination of application and general IT controls over the IT operations, and takes into consideration: form design; source document controls; input, processing and output controls; media identification, movement and library management; data back-up and recovery; authentication and integrity; data ownership; data administration policies; data models and data representation standards; integration and consistency across platforms; legal and regulatory requirements.

Starting point 2: CobiT

DS11: Manage data - information criteria

Effectiveness     (blank)
Efficiency        (blank)
Reliability       P
Compliance        (blank)
Confidentiality   (blank)
Integrity         P
Availability      (blank)

Legend:
P = Primary: the defined control objective directly impacts the information criterion concerned.
S = Secondary: the defined control objective satisfies the information criterion concerned only to a lesser extent or indirectly.
Blank: could be applicable; however, the requirements are more appropriately satisfied by another criterion in this process and/or by another process.

SOX definition of Internal Control

SOX defines "internal control over financial reporting" as:
A process designed by, or under the supervision of, the registrant's principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
(1) Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant;
(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant; and
(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets that could have a material effect on the financial statements.

Risk factors, rating and ranking

Inherent risk ranking
Inherent risk of granting the underlying functionality to a user in an SAP R/3 production system (5 = critical; 3 = medium; 1 = low).

Access to customizing/Development   5   Should not occur in the production environment; where it cannot be avoided, strict controls should be in place. Changes to customizing may impact the configurable controls embedded in the system.
Access to system functionality      4   Should be strictly controlled in the production environment, but cannot be avoided.
Access to Master Data               3   Changes to master data impact multiple transactions; even if small, the impact may be boosted by the volume.
Access to Transaction Data          2   Impact of a single transaction is mostly not significant.
Access to Reporting/Display         1   No ability to change data in the system.

This ranking does not aim at quantifying the risk; it only serves to obtain a ranking list of tasks from critical to low risk.

Risk factors, rating and ranking

Information criteria impact rating (CobiT DS5 - Ensure system security)
Quantifies the risk for each access type / information criteria combination.

Access type                Reliability (S)  Compliance (S)  Confidentiality (P)  Integrity (P)  Availability (S)
Customizing/Development          5                5                 1                  5               5
System                           4                4                 3                  4               5
Master Data                      5                4                 5                  5               4
Transaction Data                 4                3                 5                  4               2
Reporting/Display                1                1                 5                  1               1

According to CobiT DS5 - Ensure system security, the information criteria Effectiveness (B) and Efficiency (B) are not considered relevant; consequently they are not rated in this analysis.
P = Primary = 5, S = Secondary = 3, B = Blank = not rated.

Risk factors, rating and ranking

Information criteria impact rating (CobiT DS11 - Manage data)
Quantifies the risk for each access type / information criteria combination.

Access type                Reliability (P)  Integrity (P)
Customizing/Development          5                5
System                           4                4
Master Data                      5                5
Transaction Data                 4                4
Reporting/Display                1                1

According to CobiT DS11 - Manage data, only the information criteria Reliability and Integrity are considered relevant; Effectiveness, Efficiency, Compliance, Confidentiality and Availability are blank (B) and not rated.
P = Primary = 5, S = Secondary = 3, B = Blank = not rated.

Risk factors, rating and ranking

Module risk rating
Risk based on the proximity of a transaction to the financial statements and the internal control environment.

5   Basis Component, WAS
4   Financial Accounting, Controlling, Project Systems, Asset Accounting
3   Materials Management, Sales and Distribution, Human Resources, Cross-module Master Data
2   Quality Management, Warehouse Management, Production Planning, Plant Maintenance
1   Business Warehouse

Sarbanes-Oxley classification

Calibration

Score > 1200        SOX - Critical
Score 800 - 1199    SOX - High
Score 400 - 799     SOX - Medium
Score < 400         SOX - Low

- Calibration reflects the professional judgement of CSI
- To be adjusted by the professional judgement of the organisation

The theoretical maximum score is 2000; however, once the score for a task is over 1200 we consider it critical from a Sarbanes-Oxley perspective.

Sarbanes-Oxley classification

Results when applied to the CSI master task concept: 723 master tasks covering 12,000+ SAP R/3 transactions.

Number of master tasks     Critical  High  Medium  Low  Total
Asset Accounting                  1     4       6    4     15
Business Warehouse                0     0       0    1      1
Production Planning               0     0      31   39     70
Project Systems                   1     5      10    7     23
Financial Accounting              5    50      72   30    157
Plant Maintenance                 0     0      11   11     22
Controlling                       4    19      37   20     80
Warehouse Management              0     0       2   13     15
Materials Management              0     3      35   64    102
Human Resources                   0     4      13   52     69
Quality Management                0     0       8   18     26
Basis Component                  63     0       0   11     74
Sales and Distribution            0     5      16   41     62
Cross Module                      0     0       4    3      7
TOTAL                            74    90     245  314    723
Share of total               10.2 %  12.5 %  33.9 %  43.4 %

SOX classification: users and functions

SOX relevance of a function/user is driven by the highest risk ranking on task level.

USER A
  Function 1 (SOX_C): Task a (SOX_C), Task b (SOX_H)
  Function 2 (SOX_L): Task c (SOX_L)
  Function 3 (SOX_M): Task d (SOX_M)

SoD = Segregation of duties

SOX classification: segregation of duties

SOX relevance of a function/user is driven by the highest risk ranking on task level, corrected for SoD risks.

USER B
  Function 1 (SOX_M): Task e (SOX_M), Task f (SOX_M)
  Function 2 (SOX_L): Task c (SOX_L)
  Function 3 (SOX_M): Task d (SOX_M)
Tasks e and f contain no SoD risks, so Function 1 is ranked SOX_M. Functions 1, 2 and 3 contain no SoD risks, so User B is ranked SOX_M.

USER C
  Function 1 (SOX_M): Task e (SOX_M), Task f (SOX_M)
  Function 2 (SOX_L): Task c (SOX_L)
  Function 4 (SOX_M): Task g (SOX_M)
Tasks e and g contain SoD risks. Functions 1 and 4 are still ranked SOX_M (the conflict is across functions), but User C is ranked SOX_H.

USER D
  Function 5 (SOX_H): Task e (SOX_M), Task h (SOX_M)
  Function 6 (SOX_H): Task g (SOX_H)
  Function 3 (SOX_M): Task d (SOX_M)
Tasks e and h contain SoD risks, so Function 5 is ranked SOX_H. Functions 5 and 6 contain SoD risks, so User D is ranked SOX_C.

SOX classification: business process

A business process is a relay of tasks/functions.
Fewer relays required => increased collusion risk => increased SOX relevance.

(Diagram: Step 1, Step 2 and Step 3 of a process mapped onto Functions 1 to 7, which in turn are made up of Tasks 1 to 12)

SOX assessment overview

- Identify the business processes supported by the SAP environments end-to-end, including mySAP components
- Identify the functions per business process
- Identify the tasks and task content (T-codes) per function
- Review the general framework and adjust it for industry-specific risks, documenting the changes made
- Rank tasks according to the framework characteristics
- Apply professional judgement and document the changes made
- Rank functions/users according to the framework characteristics, taking segregation of duties risks into account
- List the critical users/functions
- Review the existence and operation of compensating controls for critical users and functions
- Identify the residual risk and define an action plan

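The roll-up rules of the two classification slides (function = highest task class, user = highest function class, each raised one step when segregation of duties conflicts appear) and the ranking steps of the assessment overview, as an added Python example. It is not part of the original presentation or of CSI's own tooling. Task ranks, the conflict pairs and the Function/User names are constructed to follow the slides' users B, C and D; the scoring formula behind a task rank is not on the slides, so only the calibration table is modelled, and how the exact boundary values 400, 800 and 1200 are treated is an assumption.

```python
"""Added example (not part of the CSI/ASUG slides): a model of the SOX
classification roll-up from task -> function -> user, with SoD escalation.
Sample data is constructed to follow the slides' users B, C and D."""
from itertools import combinations

# Classes from lowest to highest relevance, as used on the slides.
LEVELS = ("SOX_L", "SOX_M", "SOX_H", "SOX_C")


def classify_score(score):
    """Calibration table from the slides (theoretical maximum 2000):
    > 1200 critical, 800-1199 high, 400-799 medium, < 400 low.
    Assumption: a score exactly on 400, 800 or 1200 falls in the lower class."""
    if score > 1200:
        return "SOX_C"
    if score > 800:
        return "SOX_H"
    if score > 400:
        return "SOX_M"
    return "SOX_L"


def escalate(level):
    """Raise a class by one step; SOX_C cannot go higher."""
    return LEVELS[min(LEVELS.index(level) + 1, len(LEVELS) - 1)]


def highest(levels):
    """Highest class among an iterable of classes."""
    return max(levels, key=LEVELS.index)


def sod_pairs_within(task_ids, conflicts):
    """Conflicting task pairs that are both present in one task set."""
    present = set(task_ids)
    return [pair for pair in conflicts if pair <= present]


def rank_function(task_ids, task_level, conflicts):
    """Function class = highest task class, raised one step if the function
    itself combines two conflicting tasks (slide: Function 5, tasks e and h)."""
    level = highest(task_level[t] for t in task_ids)
    if sod_pairs_within(task_ids, conflicts):
        level = escalate(level)
    return level


def sod_pairs_across(function_ids, functions, conflicts):
    """Conflicting task pairs whose two tasks sit in two *different* functions
    of the same user (slide: User C, tasks e and g). Conflicts inside a single
    function are already counted in rank_function and are not repeated here."""
    found = []
    for f1, f2 in combinations(function_ids, 2):
        for pair in conflicts:
            a, b = tuple(pair)
            if (a in functions[f1] and b in functions[f2]) or \
               (b in functions[f1] and a in functions[f2]):
                found.append((f1, f2, pair))
    return found


def rank_user(function_ids, functions, task_level, conflicts):
    """User class = highest function class, raised one step if the user's
    functions together create an SoD conflict none of them has on its own."""
    level = highest(rank_function(functions[f], task_level, conflicts)
                    for f in function_ids)
    if sod_pairs_across(function_ids, functions, conflicts):
        level = escalate(level)
    return level


# Constructed sample data (assumptions chosen to reproduce the slide's outcome).
TASK_LEVEL = {"e": "SOX_M", "f": "SOX_M", "c": "SOX_L",
              "d": "SOX_M", "g": "SOX_M", "h": "SOX_M"}
SOD_CONFLICTS = [frozenset({"e", "g"}), frozenset({"e", "h"})]
FUNCTIONS = {"Function 1": ["e", "f"], "Function 2": ["c"], "Function 3": ["d"],
             "Function 4": ["g"], "Function 5": ["e", "h"], "Function 6": ["g"]}
USERS = {"User B": ["Function 1", "Function 2", "Function 3"],
         "User C": ["Function 1", "Function 2", "Function 4"],
         "User D": ["Function 5", "Function 6", "Function 3"]}


def assess(users=USERS, functions=FUNCTIONS, task_level=TASK_LEVEL,
           conflicts=SOD_CONFLICTS):
    """Return {user: class}; the critical/high entries are the list that feeds
    the compensating-control review in the assessment overview."""
    return {u: rank_user(fs, functions, task_level, conflicts)
            for u, fs in users.items()}


if __name__ == "__main__":
    for name, tasks in FUNCTIONS.items():
        print(name, rank_function(tasks, TASK_LEVEL, SOD_CONFLICTS))
    for user, level in assess().items():
        print(user, level)
```

With this data Function 5 comes out SOX_H and users B, C and D come out SOX_M, SOX_H and SOX_C, matching the slide. The one design decision worth noting is that a conflict is counted once, at the lowest level where both tasks meet: inside a function it raises the function, across two functions it raises the user, so a single conflicting pair never escalates twice.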

Questions and Answers

With compliments

Jan Smolders, Sr. Consultant, CSI-BE
Cell: +32-494-51 51 21
Office: +32-16 29 53 51
Home office: +32-3 321 23 43
e-mail: jsmolders@be-csi.com

Mark Russo, Managing Consultant, CSI-US
Cell: +1-(212)-581-09-98
Office: +1-(917)-541-04-10
e-mail: mrusso@us-csi.com