Turning risk into results: Enabling access management with SAP GRC

What we are seeing in the market

Primarily driven by the Sarbanes-Oxley Act of 2002, the last 10 years have seen a considerable increase in efforts around resolving audit issues associated with segregation of duties (SoD) and sensitive and excessive access. As a result, many companies implemented GRC access management solutions such as SAP GRC Access Control. However, a lot of companies focused on the short-term goal of audit remediation, so they were not able to achieve the full value of a GRC access management solution. This is the right time to learn about opportunities to transform your access management program.

Enabling an SAP GRC Access Control solution can help:
- Lower the cost of access management and related audit activities through centralization and automation
- Improve sustainability by centralizing and standardizing methodologies, processes and components
- Increase effectiveness of access processes through integration with other SAP GRC modules and focus on critical foundational components such as role design and organizational alignment

Our recent EY global information security survey of more than 1,700 senior information security and IT leaders found that 46% of respondents ranked internal threats as a significant concern.
Fully deploying SAP GRC Access Control while focusing on improving access management fundamentals will help address that risk while reducing cost and improving value.

What are the opportunities at your company?

Typical current state vs. mature state:

Increasing complexity -> Simplified
- Current: Multiple and manual access management processes; fragmented, manual and ad hoc reporting
- Mature: Significant workflow automation in user access processes; integration with SAP GRC Process Control; mandatory SoD checks in the request process

Reactive -> Proactive
- Current: Limited visibility to risks
- Mature: Dashboard-level reporting on the user access process, firefighter usage logs and real-time SoD reports; analytics and trending

Consistent failures -> Compliant
- Current: High instances of access violations and failures
- Mature: Compliant SAP role design and standardized user access management processes; ability to improve audit activities

Cost pressures -> Cost-efficient
- Current: Manual and inconsistent IT security processes lead to higher IT costs; significant impact on business activities
- Mature: IT security operational efficiencies via SAP GRC automation and standardization; automation of access provisioning

Inconsistent approach -> Consistent approach
- Current: Inconsistent role design across business processes
- Mature: Globally standard roles across business processes and standard user access management processes for application systems

SAP GRC Access Control can enable your risk agenda

Turning risk into results: the risk agenda

Enhance risk strategy
- Improved alignment to the objectives and strategy of the business
- Improved visibility to risks that matter most to the organization
- Proactive identification of risks
- Enhanced decision-making

Embed risk management
- Comprehensive and continuous risk management and monitoring
- Central management of financial, operational and compliance risks and controls across the organization

Improve controls and processes
- Better aligned risk coverage, including the identification of stronger, more pervasive controls
- Reduced level of effort associated with performing and testing controls
- Increased control and process efficiencies enabled through automation and continuous monitoring
- Improved control mix that addresses key business risks while driving process efficiencies

Optimize risk functions
- Elimination of duplicate and fragmented risk management activities
- Increased integration and coordination among business, IT and compliance
- Sustainability of the risk management process
- Effective top-down and bottom-up reporting

Resulting in the following benefits:

Value
- Increased integration and coordination among business, IT and compliance
- Real-time notification of potential access issues based on established business rules
- Sustainability of the access management process
- User-friendly reporting
- Super-user access management
- Streamlined access approval process

Cost
- Reduced audit costs due to a reliable and automated access management environment
- Cost avoidance associated with audit failure
- Efficiencies associated with preparation and analysis of SoD reports
- Reduction in the number of manual controls required to be designed and operated to mitigate access-related issues
- Elimination of redundant and excessive access management procedures

Risk
- Identification of access anomalies indicating possible fraudulent activities through alerts
- Continuous access control and SoD management and monitoring
- Enhanced visibility to access-related risk exposure at the enterprise level (e.g., cross-application, cross-business process)
- Early detection of potential access issues through scenario analysis before performing changes to user and role access

Next steps to improve your risk management landscape
- Rapid SAP access diagnostic: provides an accelerated current state assessment of your SAP access processes and technology, allowing you to identify realizable value and develop a future state road map to achieve it.
- SAP GRC demo: facilitates mapping of business requirements to SAP GRC functionality and could be used to develop an initial business case for implementing SAP GRC.
- EY SAP GRC Accelerated Analytics Workbench: a tool that presents SoD conflicts in a business-friendly format and helps identify key risks and pain points and determine initial remediation.
- SAP GRC demo environment: a demo environment for all the latest versions of software, including SAP GRC for Access Control, Process Control, Risk Management and Global Trade Services.
- SAP role design benchmarking: key metrics enabling an organization to compare its SAP role design against other companies and leading practices.
- EY RiskUniverse: industry-specific risk universes, process-normative models and key business risks linked to application-specific controls that can be used to customize SAP GRC demos.

Sample role design benchmarking deliverables (Industrial Client; Proprietary & Confidential, not for use or disclosure outside Industrial Client; All Rights Reserved Ernst & Young 2010; DRAFT FOR DISCUSSION ONLY):

Roles should be standardized and rationalized to better align with Industrial Client's business process design and organizational structure. Comparison of SAP roles against initial design and similar organizations.

Figure: Design vs. actual SAP roles gap. Leading practice role design methodology (four-tier model with minimum overlap of t-codes between roles), with the typical number of roles in General Accounting:
- Special access role (4-8): transactions restricted to a specific user (e.g., process interface exceptions, mass updates)
- Functional role (8-12): transactions which represent the execution of the job function
- Departmental role (1-2): transactions which everyone in the department will have access to (e.g., includes display-only roles)
- Basic role (1): transactions which everyone in the organization will have access to (e.g., printing functions, export/import functions)
Company A current state, General Accounting roles (number of Z:FI roles): job/function roles (58), display roles (14) and a general role (1, Z:ABC_GENERAL_USER), structured as parent roles with children/derived roles (e.g., A/P Processing, A/R Credit management with and without VKM1/VKM2, Invoice IDOC Processing and Park Journal Entries for project vs. stable cost centers and plants, A/R Customer Master Display (FLB1N), G/L Journal Entry Display and G/L Account Display).

Figure: Industrial Client vs. leading practice gap. Bar chart of the number of parent/template roles (x-axis 0 to 160) per process area: General Accounting ("FI/CO/AM/TR" roles), A/P Processing, Supply Chain ("IM/WM/PP" roles), Order to Cash ("SD" roles), Financial Reporting, Procure to Pay ("MM" roles) and Human Resources ("HR" roles). Series: Industrial Client SAP roles (mapped to job functions document), Industrial Client SAP roles (not mapped to job functions document) and roles in comparable organizations.

Why EY?
- Industry-specific content and enablers
- Global and flexible approach with a focus on SAP GRC
- Leading-practice assessment diagnostics and leverage models
- Knowledgeable team with practical experience in process, risk and technology disciplines

Our services
- Rapid GRC technology diagnostic
- GRC technology vendor selection
- Service delivery model design and key performance indicators
- GRC technology implementation and assessments
- Risk transformation enabled by GRC technology

EY | Assurance | Tax | Transactions | Advisory
2014 EYGM Limited.
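The mandatory SoD check in the request process, the scenario analysis before changing user or role access, and the "minimum overlap of t-codes between roles" principle of the tiered role model, as one added Python example that is not from the brochure and not SAP GRC Access Control's own logic. The SoD rule ids, the Z: role catalogue and the user assignments are constructed sample data; transaction codes such as FB60, F110, XK01 and VKM1 are real SAP t-codes used only as labels.

```python
from itertools import combinations

# Constructed SoD ruleset: each rule names two conflicting functions by the
# t-codes that execute them. Rule ids and pairings are sample data.
SOD_RULES = {
    "P2P-01": ({"XK01", "XK02"}, {"FB60"}),          # maintain vendor vs. post vendor invoice
    "P2P-02": ({"FB60"}, {"F110"}),                  # post vendor invoice vs. run payment program
    "O2C-01": ({"VKM1", "VKM2"}, {"XD01", "XD02"}),  # release credit block vs. maintain customer
}

# Constructed role catalogue laid out along the tiered model: t-codes per role.
ROLES = {
    "Z:ABC_GENERAL_USER": {"SP01", "SU53"},      # basic role: everyone in the organization
    "Z:FI_DISPLAY": {"FLB1N", "FB03"},           # departmental display-only role
    "Z:AP_PROCESSING": {"FB60", "MIRO"},         # functional role: executes the job function
    "Z:AP_PROCESSING_LEGACY": {"FB60", "FB03"},  # un-rationalized role overlapping the two above
    "Z:AP_PAYMENT_RUN": {"F110"},                # special access role: restricted to named users
    "Z:AR_CREDIT_MGMT": {"VKM1", "VKM2"},
    "Z:MDM_VENDOR": {"XK01", "XK02"},
}

def tcodes_of(roles):
    """Union of the t-codes granted by a list of role names."""
    return set().union(*(ROLES[r] for r in roles))

def sod_violations(tcodes):
    """Rule ids violated when a single user can execute all of `tcodes`."""
    return sorted(rid for rid, (a, b) in SOD_RULES.items() if tcodes & a and tcodes & b)

def simulate_request(current_roles, requested_roles):
    """Scenario analysis before the change: report which SoD rules the request
    would newly violate so the approver sees the risk before provisioning."""
    before = sod_violations(tcodes_of(current_roles))
    after = sod_violations(tcodes_of(current_roles) | tcodes_of(requested_roles))
    new = sorted(set(after) - set(before))
    return {"approve": not new, "new_violations": new, "existing_violations": before}

def overlapping_roles(min_shared=1):
    """Role design check for the minimum-overlap principle: pairs of roles in
    the catalogue that share at least `min_shared` t-codes."""
    pairs = []
    for a, b in combinations(sorted(ROLES), 2):
        shared = ROLES[a] & ROLES[b]
        if len(shared) >= min_shared:
            pairs.append((a, b, sorted(shared)))
    return pairs

if __name__ == "__main__":
    print(simulate_request(["Z:ABC_GENERAL_USER", "Z:AP_PROCESSING"], ["Z:AP_PAYMENT_RUN"]))
    print(overlapping_roles())
```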
All Rights Reserved.
EYG/OC/FEA no. XX0000
1403-1222661 EC
ED 0115

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.