Agenda
- 30 introduction
- Sarbanes-Oxley regulation and requirements
- Some root causes for non-compliance
- How a proven SAP R/3 authorisation concept can foster Sarbanes-Oxley compliance
- CSI framework for Sarbanes-Oxley relevance determination
- Questions and answers
CSI Belgium 2003
30 introduction
Sarbanes-Oxley overview
Section 302 - Quarterly certification of internal controls by CEO / CFO. Has the CEO / CFO on a quarterly basis:
- reviewed the SEC filings and certified the financial statements;
- established, implemented and maintained disclosure controls and procedures;
- reported any material deficiencies and/or material changes in internal controls and/or fraud to the Audit Committee and the auditors.
Section 404 - Management assertion on the effectiveness of internal controls. On an annual basis management must:
- establish an internal control report that states management's responsibility for establishing and maintaining internal controls and procedures for financial reporting;
- assess internal controls and procedures as they relate to financial reporting.
External auditors must certify these reports.
Sarbanes-Oxley overview
Section 401(b) - Rules on pro forma figures:
- may not contain any untrue statement of material fact or misleading information;
- pro forma information must be reconciled with GAAP.
- Review access to ensure only authorized users have access to SOX-critical functionality
- Ensure users do not have conflicting access
- Develop SoD based on critical SAP functionality
- Continuous monitoring
- Develop SAP reporting / security monitoring tools
How a proven SAP R/3 authorisation concept can foster Sarbanes-Oxley Compliance
Types of controls
- Inherent controls are hard-coded into the system and rarely changed.
- Configurable controls fall into two main categories:
  - Business process control features are standard features designed into the system, but they need to be configured during implementation and maintained during normal operations.
  - Access security control features are likewise standard features designed into the system that need to be configured during implementation and maintained during normal operations.
- Manual and reporting controls should be used when a combination of the above controls does not ensure a satisfactory control environment, or when those controls are, given the size and/or nature of the business, less efficient or effective.
[Diagram: SAP R/3 authority-check flow]
- Transaction codes (parameter Tcodes, reporting tree, other Tcodes): about 52 000 Tcodes in total.
- TSTCA (table, one additional authority check): checked for every transaction called.
- ABAP programs run via SE38 / SA38; customer Z Tcodes and Z ABAP programs: authority check on what?
- USOBX check table; TOBJ_OFF / (USOBX_C).
- Data (tables), reachable via SE16 / SE17 / SM30 / SM31.
- Criteria shown: Confidentiality, Integrity, Availability.
Authorizations
- Functional: Enjoy, Menu, EP, ...
- Technical: PFCG, Roles, LDAP, # issues
Maintainability is key to security (E E C I A C R: the CobiT information criteria Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability).
Do not exaggerate: STRICTLY NEEDED BUSINESS REQUIREMENTS.
[Diagram: CSI master task concept]
- Layers: USERS - FUNCTIONS - TASKS (DERIVED TASKS, derived from MASTER TASKS that cover the TCODES).
- Users and functions: easy to manage. Tasks: very complex but stable (if the organizational levels in SAP are stable!).
- Assignment: functions to users. Grouping: tasks into functions.
- Establish the SoD basis: central / decentral; org levels / other fields (codification document); restriction levels (naming convention).
- Master tasks are driven by business requirements.
CSI framework
What it is and does:
- Uses COSO and CobiT as reference
- Just a framework: gives guidance, structures thinking
- Helps prioritising actions and resources
- Generic, flexible to adapt to specific requirements
- Easy to use and understand
Key concepts:
- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control is effected by people. It's not merely policy manuals and forms, but people at every level of an organization.
- Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
- Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
[Table: CobiT information criteria (rows, weighted P = 5 / S = 3) against task categories such as "No ability to change data in the system" and "Access to Reporting/Display"; the cell scores did not survive extraction]
- P = Primary (= 5): the degree to which the defined control objective directly impacts the information criterion concerned.
- S = Secondary (= 3): the degree to which the defined control objective satisfies the information criterion concerned only to a lesser extent or indirectly.
- Blank (B = not rated): could be applicable; however, requirements are more appropriately satisfied by another criterion in this process and/or by another process.
- Changes to master data impact multiple transactions; even if each change is small, the impact may be boosted by the volume.
- This ranking does not aim at quantifying the risk; it only serves to obtain a ranked list of tasks from critical to low risk (5 = critical; 3 = medium; 1 = low).
- According to CobiT DS05 - Ensure system security, the information criteria Effectiveness and Efficiency are not considered relevant; consequently they are not included in this analysis.
- According to CobiT DS11 - Manage data, only the information criteria Reliability and Integrity are considered relevant.
Sarbanes-Oxley classification
Calibration:
  Score > 1200    SOX - Critical
  800 - 1199      SOX - High
  400 - 799       SOX - Medium
  Score < 400     SOX - Low
Sarbanes-Oxley classification
Results when applied on the CSI master task concept
723 master tasks covering 12.000+ SAP R/3 transactions
Number of master tasks per module and ranking:

  Module                  Critical   High   Medium   Low
  Asset accounting               1      4        6     4
  Business Warehouse             0      0        0     1
  Production Planning            0      0       31    39
  Project Systems                1      5       10     7
  Financial Accounting           5     50       72    30
  Plant Maintenance              0      0       11    11
  Controlling                    4     19       37    20
  Warehouse management           0      0        2    13
  Materials Management           0      3       35    64
  Human Resources                0      4       13    52
  Quality Management             0      0        8    18
  Basis Component               63      0        0    11
  Sales and Distribution         0      5       16    41
  Cross Module                   0      0        4     3
  TOTAL                         74     90      245   314
  Share of the 723 tasks     10.2 %  12.5 %  33.9 %  43.4 %
Task rankings in the worked example (the four lists as shown on the slide):
- Task a SOX_C, Task b SOX_H, Task c SOX_L, Task d SOX_M, Task e SOX_M, Task f SOX_M
- Task c SOX_L, Task d SOX_M, Task e SOX_M, Task f SOX_M
- Task c SOX_L, Task g SOX_M, Task e SOX_M, Task h SOX_M
- Task g SOX_H, Task d SOX_M
Roll-up from tasks to functions to users:
- Tasks e and f contain no SoD risks; Function 1 is SOX_M ranked; Functions 1, 2 and 3 contain no SoD risks; User B is ranked SOX_M.
- Tasks e and g contain SoD risks; Functions 1 and 4 are still SOX_M ranked; User C is ranked SOX_H.
- Tasks e and h contain SoD risks; Function 5 is SOX_H ranked; Functions 5 and 6 contain SoD risks; User D is ranked SOX_C.
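Added example, not code from the CSI slides or their authors: the calibration thresholds and the task / function / user roll-up from the three user scenarios, in Python. The escalation rule (user rank = highest function rank, raised one level when the user's combined tasks contain an SoD conflict) is my reading of those scenarios, and which tasks sit in which function is assumed, since the slides only name the functions.

```python
# Added example, not from the CSI slides: the calibration thresholds and the
# task -> function -> user roll-up inferred from the slide's three user scenarios.
from itertools import combinations

LEVELS = ["SOX_L", "SOX_M", "SOX_H", "SOX_C"]  # lowest to highest

def classify(score: int) -> str:
    """Calibration table: >1200 critical, 800-1199 high, 400-799 medium, <400 low."""
    if score > 1200:
        return "SOX_C"
    if score >= 800:
        return "SOX_H"
    if score >= 400:
        return "SOX_M"
    return "SOX_L"

def escalate(level: str) -> str:
    """Raise a ranking one step; SOX_C is already the top."""
    return LEVELS[min(LEVELS.index(level) + 1, len(LEVELS) - 1)]

def has_sod_conflict(tasks, conflicts) -> bool:
    """True if any two of the given tasks form a listed SoD conflict pair."""
    pairs = {frozenset(p) for p in conflicts}
    return any(frozenset(p) in pairs for p in combinations(set(tasks), 2))

def rank_function(tasks, task_rank, conflicts) -> str:
    """Highest task rank; one step higher if the function itself mixes conflicting tasks."""
    level = max((task_rank[t] for t in tasks), key=LEVELS.index)
    return escalate(level) if has_sod_conflict(tasks, conflicts) else level

def rank_user(functions, task_rank, conflicts):
    """functions: {function name: [tasks]}. Returns (user rank, {function: rank})."""
    func_rank = {f: rank_function(ts, task_rank, conflicts) for f, ts in functions.items()}
    level = max(func_rank.values(), key=LEVELS.index)
    all_tasks = [t for ts in functions.values() for t in ts]
    if has_sod_conflict(all_tasks, conflicts):  # conflict across functions raises the user
        level = escalate(level)
    return level, func_rank

# Constructed data: task ranks follow the slide; the task-to-function placement is assumed.
TASK_RANK = {"a": "SOX_C", "b": "SOX_H", "c": "SOX_L", "d": "SOX_M",
             "e": "SOX_M", "f": "SOX_M", "g": "SOX_M", "h": "SOX_M"}
SOD_CONFLICTS = [("e", "g"), ("e", "h")]  # task pairs one person must not hold together
USER_B = {"Function 1": ["e", "f"], "Function 2": ["c"], "Function 3": ["d"]}
USER_C = {"Function 1": ["e"], "Function 4": ["g"], "Function 2": ["c"]}
USER_D = {"Function 5": ["e", "b"], "Function 6": ["h", "d"]}
```

Running `rank_user` on USER_B, USER_C and USER_D reproduces the slide's SOX_M, SOX_H and SOX_C rankings, with Functions 1 and 4 staying SOX_M for User C.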
With compliments
Jan Smolders, Sr. Consultant, CSI-BE
  Cell: +32-494-51 51 21
  Office: +32-16 29 53 51
  Home office: +32-3 321 23 43
  e-mail: jsmolders@be-csi.com
Mark Russo, Managing Consultant, CSI-US
  Cell: +1-(212)-581-09-98
  Office: +1-(917)-541-04-10
  e-mail: mrusso@us-csi.com