SAP GRC - Governance Risk and Compliance
Following the financial scandals of the early 2000s (e.g. Enron, Parmalat), and the skepticism towards the market that they generated, governments decided to define regulations in order to protect investors.
Listed companies have many compliance duties to follow. Among these are, for example, the accountability of systems, the definition of internal control systems, and Segregation of Duties principles. Read more on SoD (Segregation of Duties) here.
This is why SAP decided, starting from around 2006, to create a specific solution aimed at managing company risks and compliance with anti-fraud regulations.
However, even before 2006 there were specific tools used for systems compliance, in particular for the Sarbanes-Oxley Act. One of these was VIRSA, by the company VIRSA Systems. Below you can see how the company website looked back in 2006.
As shown above, SAP decided to acquire the company in order to develop and evolve the VIRSA tool, defining a business unit within SAP for building governance and compliance systems, one that would later fall under the Governance, Risk and Compliance solutions label.
SAP GRC is an acronym for Governance, Risk and Compliance. The acronym covers various SAP application solutions.
Not all of these solutions are dedicated strictly to the management of internal controls and access management. Here are the main systems in the GRC area:
- SAP GRC Access Control
- SAP GRC Process Control
- SAP GRC Risk Management
- SAP GRC GTS Global Trade Services
- SAP Audit Management
- SAP BIS Business Integrity Screening
- SAP ETD Enterprise Threat Detection
- SAP Cloud Identity Access Governance
SAP GRC Access Control
This is one of the most widely installed and best-known GRC systems. The component is made up of four modules:
- Access Risk Analysis (ARA)
- Emergency Access Management (EAM)
- Business Role Management (BRM)
- Access Request Management (ARQ)
Once it is installed, usually on a separate machine, the other GRC components are contained in the same installation: Process Control and GRC Risk Management, which however have to be licensed before they can be used.
In the past this solution was developed in ABAP (by VIRSA); after the acquisition by SAP it was completely rewritten in Java (from release 5.x onwards). From release 10 onwards, up to the latest version (now v.12), SAP has completely rewritten the application in ABAP (Web Dynpro).
Given the history of the product, the names of the various components have also changed over time. Here are the terms that help identify which version is being discussed when looking at documentation:
- (ARA) Access Risk Analysis (10.x, 12.x)
  - (RAR) Risk Analysis and Remediation (5.x)
  - (CC) Compliance Calibrator (4.x)
  - Risk Terminator (this sub-component has never changed its name)
- (EAM) Emergency Access Management (10.x, 12.x)
  - (SPM) Super User Privilege Management (5.x)
  - (FF) Firefighter (4.x)
- (BRM) Business Role Management (10.x, 12.x)
  - Enterprise Role Management (5.x)
  - (RE) Role Expert (4.x)
- (ARQ) Access Request Management (10.x, 12.x)
  - (CUP) Compliance User Provisioning (5.x)
  - (AE) Access Enforcer (4.x)
Here is what each component allows:
- Access Risk Analysis. It makes it possible to analyze all accesses (Access Risk Analysis) based on a risk matrix. An existing matrix can be used as a starting point, or an ad hoc one can be defined. The tool can run this analysis on SAP and non-SAP systems, taking into account the peculiarities of SAP systems: organizational-level analysis, authorization objects, and any mitigating controls loaded in the tool. How many risks should an SoD matrix have?
- Emergency Access Management. It makes it possible to manage privileged access used during daily activities by users, mainly ICT staff or administrators. Read more here about the management of SAP super users.
- Business Role Management. It makes it possible to define a methodology for creating technical roles in the system. It adds a series of functions not present in the SAP profile generator (transaction PFCG), for example naming conventions, approval workflows, and preventive risk analysis.
- Access Request Management. It makes it possible to define a workflow for access management, for example new users, user changes, and user locking. This component can be linked to the company LDAP or to an SAP HR system. It also makes it possible to define workflows on the ARA, EAM, or BRM components: management and approval of changes to the SoD matrix, approval of super user requests, or approval of changes to authorization roles.
SAP GRC Process Control
Unlike SAP GRC Access Control, which provides control over access management, Process Control makes it possible to manage master data of organizational controls. Generally speaking, it allows defining an ICS (Internal Control System) based on international frameworks, for example COSO (Committee of Sponsoring Organizations of the Treadway Commission).
How many controls are there in a company? There can be many, for various reasons:
- Internal policies
- Certifications
- Regulatory reasons, e.g. the Sarbanes-Oxley Act, Basel, Regulation 679/2016 (GDPR), etc.
Using a spreadsheet that defines a risk matrix (Risk Control Matrix) is hardly the most manageable approach, especially in a scenario with many regulations to comply with, across many systems and in many countries.
The Process Control tool therefore makes it possible to do the following:
- Define control master data, with the risks present in the company, classified by organizational process
- Define periodic control processes such as Self Assessments, Design Controls or Testing Controls, and Sign-Off. These are real workflows that automatically start, manage and check the phases of internal control.
- Run automatic controls. With the Automated Monitoring sub-module it is possible to write controls, or call existing ones in the systems, in order to automate their testing
If you have already defined mitigating controls, particularly in SAP, you can call them or reuse them in the GRC Process Control tool.
Defining compensating and mitigating controls requires deep knowledge of the processes involved and the technical identification of the tables and fields involved in order to reveal a specific risk situation. The example below shows an extraction of tables from a compensating control for an access risk, "Maintain Posting Periods" against "Post Journal Entry".
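To make the risk-matrix analysis described under Access Risk Analysis concrete, and to show how a mitigating control assignment like the one above changes a finding, here is an added example (not code from the page, from SAP, or from Aglea) modelling the analysis at transaction level only. It uses the "Maintain Posting Periods" against "Post Journal Entry" conflict cited above; the transaction codes, user IDs and the control ID are constructed samples, and authorization-object level checks are not modelled.

```python
# Added example: a minimal model of SoD risk analysis against a risk matrix.
# A risk is a pair of conflicting functions; a function is a set of actions
# (here transaction codes). A user hits a risk when their access contains at
# least one action of each function. All values below are constructed samples.

FUNCTIONS = {
    "MAINTAIN_POSTING_PERIODS": {"OB52"},          # sample action set
    "POST_JOURNAL_ENTRY": {"FB01", "FB50"},        # sample action set
    "MAINTAIN_VENDOR": {"XK01", "XK02"},
    "PAY_VENDOR": {"F110"},
}

# Risk matrix: risk id -> the two functions that must not be held together.
RISKS = {
    "F001": ("MAINTAIN_POSTING_PERIODS", "POST_JOURNAL_ENTRY"),
    "P002": ("MAINTAIN_VENDOR", "PAY_VENDOR"),
}

# Mitigating control assignments (user, risk id) -> control id. A mitigated
# finding is still reported, but its status changes from open to mitigated.
MITIGATIONS = {("jdoe", "F001"): "MC-FI-01"}

# Constructed user access: user -> transaction codes the user can execute.
SAMPLE_ACCESS = {
    "jdoe": {"OB52", "FB50", "XK01"},   # F001 hit, mitigated by MC-FI-01
    "asmith": {"OB52", "FB01"},         # F001 hit, no mitigation
    "bjones": {"XK02", "SE16"},         # only one side of P002: no risk
    "cwhite": {"XK01", "F110"},         # P002 hit, no mitigation
}


def has_function(tcodes, function):
    """True if the user can execute at least one action of the function."""
    return bool(FUNCTIONS[function] & tcodes)


def analyze(user_access, mitigations=MITIGATIONS):
    """Return {user: [(risk_id, status, control_id)]} for every risk hit."""
    findings = {}
    for user, tcodes in user_access.items():
        for risk_id, (f1, f2) in RISKS.items():
            if has_function(tcodes, f1) and has_function(tcodes, f2):
                control = mitigations.get((user, risk_id))
                status = "mitigated" if control else "open"
                findings.setdefault(user, []).append((risk_id, status, control))
    return findings


def open_findings(user_access, mitigations=MITIGATIONS):
    """(user, risk_id) pairs that still need remediation or a control."""
    return sorted((u, r) for u, hits in analyze(user_access, mitigations).items()
                  for r, status, _ in hits if status == "open")
```

Running `analyze(SAMPLE_ACCESS)` reports jdoe's F001 as mitigated by MC-FI-01, while `open_findings(SAMPLE_ACCESS)` lists asmith/F001 and cwhite/P002 as the remaining open conflicts.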
SAP GRC Risk Management
It is the tool that SAP offers for Enterprise Risk Management (ERM). An organization has to define the objectives it intends to reach. These objectives can be:
- New clients
- Revenue increase
- Improve cost management
- Increase client satisfaction
The business model defines how to reach the defined objectives, for example those mentioned above. Clearly these objectives have to be related to regulatory constraints defined by governments or decided by the company itself (for example through the company's voluntary participation in programs).
In every business there will inevitably be obstacles to overcome or to control in order to meet the defined strategic objectives. SAP Risk Management focuses on this: identifying and evaluating these risks.
- Is there a risk management methodology in the company?
- Has an organizational risk policy been defined?
The tool allows controlling the various risk management phases:
- Risk Planning
- Risk Identification
- Risk Analysis
- Risk Response
- Risk Monitoring
SAP Business Integrity Screening
It is one of the new product areas that SAP has released:
- SAP Audit Management
- SAP BIS Business Integrity Screening (before known as Fraud Management)
It is also worth mentioning SAP Enterprise Threat Detection, even though it is not linked with SAP BIS.
SAP Audit Management is the tool designed to execute internal audits on the company systems, and it improves the management of these phases:
- Audit Planning
- Audit Preparation
- Audit Execution
- Audit Reporting
- Audit Follow-up
The main objectives of SAP BIS are the following:
- Identify fraud before the actual damage occurs
- Manage company fraud, in other words have a tool that governs its entire lifecycle, putting in place the needed compensating actions.
- Prevent fraud and estimate the likelihood of it happening
The phases of the fraud management process include:
- Design
- Setup
- Detection
- Investigation
- Performance Analysis
SAP Fraud Management (SAP BIS), like Audit Management, can be integrated with SAP GRC Process Control. Both solutions are based on SAP HANA.
How can Aglea help you define and improve the process of SAP systems governance?
We have carried out more than 30 installations of SAP GRC Access Control, as well as of Process Control and Risk Management, even though the latter are still not widely used, at least in Italy.
- Which architecture should you adopt? Especially with heterogeneous systems.
- Some functions that SAP GRC provides have to be configured for specific cases. An incorrect configuration of the tool can lead to many false positives or even false negatives, especially in the access control suite.
- How close is your company's control structure to the model defined by SAP GRC Process Control?
- How long do the implementation and, above all, the ordinary maintenance of the tools take?
- How should you start? Every tool right away, or a gradual approach? In which order?
Do you think GRC Access Control fixes all user profiling problems? This is not always true, and it is important to know the limits of this tool.