Thursday 25 January 2018

SAP process control

SAP PROCESS CONTROL:


  • It deals with regulatory compliance organized by regulation, business process and organizational hierarchy.
  • In the NWBC transaction (T-code), the GRC master data tab is available; note that GRC master data is different from traditional ERP master data.



SAP Process Control enables organizations to do the following:

  • Document their control environments
  • Test and assess controls 
  • Track issues for remediation 
  • Certify and report on the state and quality of process controls
  • Manage policies
  • Perform continuous controls monitoring using a combination of data forms, automated workflows, certification, and interactive reports

Note: it also includes powerful and flexible continuous controls monitoring (CCM) capabilities. CCM can be used to measure the effectiveness of controls, to monitor compliance, and to ensure that configuration and master data settings are valid.

Policy management features cover the life cycle of policies: drafting, approval, implementation, revisions, and so on.

SAP Process Control can reconstruct past configuration and master data settings over a test time period (e.g., last quarter, last year, etc.). This guarantees that all sensitive settings can be reviewed and tested for correctness, which is a powerful feature unique to SAP Process Control.
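The point-in-time reconstruction described above is easy to see with a small model: start from the live configuration and undo every logged change that happened after the moment of interest, then replay changes inside the test period to see each value a setting held. The following is an added example written for this post, not SAP code; the company-code settings, field names, timestamps and user IDs are constructed, and the change log only mimics the old-value/new-value shape of SAP change documents.

```python
from datetime import datetime

# Constructed sample data, not real SAP tables or fields. CURRENT is the live
# configuration; CHANGE_LOG mimics SAP change documents, which record the old
# and new value of each changed field together with a timestamp and a user.
CURRENT = {
    ("CompanyCode 1000", "PaymentTolerancePct"): "5",
    ("CompanyCode 1000", "DualControlVendorMaster"): "X",
}
CHANGE_LOG = [
    ("2017-10-05T10:15", ("CompanyCode 1000", "PaymentTolerancePct"), "2", "9", "JDOE"),
    ("2017-11-20T16:40", ("CompanyCode 1000", "PaymentTolerancePct"), "9", "5", "ASMITH"),
    ("2017-12-01T08:00", ("CompanyCode 1000", "DualControlVendorMaster"), "", "X", "ASMITH"),
]


def _ts(s):
    """Timestamps are ISO strings; parse them for comparison."""
    return datetime.fromisoformat(s)


def value_at(key, as_of):
    """Reconstruct a setting as of a past moment by undoing later changes, newest first."""
    value = CURRENT.get(key)
    for ts, k, old, _new, _who in sorted(CHANGE_LOG, key=lambda c: c[0], reverse=True):
        if k == key and _ts(ts) > _ts(as_of):
            value = old
    return value


def history(key, start, end):
    """Segments (from, to, value) covering [start, end] for one setting."""
    segments = []
    cur, seg_start = value_at(key, start), start
    for ts, k, _old, new, _who in sorted(CHANGE_LOG, key=lambda c: c[0]):
        if k != key or not (_ts(start) < _ts(ts) <= _ts(end)):
            continue
        segments.append((seg_start, ts, cur))
        cur, seg_start = new, ts
    segments.append((seg_start, end, cur))
    return segments


def check_control(key, start, end, expected):
    """Return the segments of the test period in which the setting violated the control."""
    return [seg for seg in history(key, start, end) if not expected(seg[2])]


def quarter_review():
    """Two sample control tests over a constructed test period (Q4 2017)."""
    start, end = "2017-10-01T00:00", "2017-12-31T23:59"
    tolerance = ("CompanyCode 1000", "PaymentTolerancePct")
    dual_ctrl = ("CompanyCode 1000", "DualControlVendorMaster")
    return {
        # control: payment tolerance must never exceed 5 percent
        "tolerance_over_5pct": check_control(tolerance, start, end, lambda v: int(v) <= 5),
        # control: dual control on vendor master must be switched on
        "dual_control_off": check_control(dual_ctrl, start, end, lambda v: v == "X"),
    }


if __name__ == "__main__":
    for name, violations in quarter_review().items():
        print(name, violations)
```

The review lists every interval in which a setting was non-compliant, together with the value it held, which is what an auditor needs to see even when the setting is correct today.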

 This definitely reduces your cost of compliance and speeds up your auditing process.


Let’s take the Order to Cash (OTC) process and consider that we want to audit the internal controls in the Online Transactional Processing (OLTP) of the SAP ERP system. With the help of predefined SAP Process Control scenarios and hundreds of automated controls, the set of controls can be extended with custom controls and queries. This allows the business to meet these challenges and address all required internal controls in a fully automated way, and it allows users to monitor, track and escalate risk situations as necessary.

This increases everyone’s confidence and trust over the company.
 

SAP GRC DUMP DETAILS

Add-ons that need to be installed:


  • GRCFND_A – for Access Control, Risk Management and Process Control.
  • SLL-LEG – for Global Trade Services.
  • SLL-NFE – for Nota Fiscal Electronica.

Note: the combination of all three add-ons is called the SAP GRC suite. It is also possible to implement them individually.

Plug-ins:

  • GRCPINW
  • GRCPIERP

Monday 22 January 2018

SAP ACCESS CONTROL

SAP ACCESS CONTROL:

Many companies ask themselves the following questions surrounding roles and security within their organization:

  • How did they get that access, who approved, and why? 
  • Who are our users? 
  • What do they have access to? 
  • Are the extra access privileges provided to handle some extreme situations still available?


For all the above issues, proper segregation of duties (SoD) is the solution.


  • SAP Access Control is considered the foremost application to detect and address SoD issues.
  • SoD issues are among the top audit issues reported by major auditing firms.

There are some challenges and assumptions in providing employees with access, which SAP Access Control addresses:


  • First, providing access to employees is assumed to be easy and straightforward. 
  • The second challenge is that additional privileges are granted to deal with critical situations, such as meeting shipment deadlines or month-end closings. These additional privileges provided to the employee are later forgotten, and the company is exposed to risks arising from this lapse in alertness.
  • While removing the same authorizations, some may be missed; and due to the license of the SAP system, the security consultant may need to assign additional authorizations to the user.
  • Over time, the company can lose control of its data, due to access assigned to third-party persons.

Note: only auditors and IT professionals can find out errors in the SoD.







  1. Access Risk Analysis tool: whenever a missing authorization needs to be assigned to a user in SAP, the Access Risk Analysis tool, with a global rule set based on industry best practices, enables a quick-start security analysis.
  • The risk levels are classified as below:
  1. High
  2. Medium
  3. Low

    These classification values are based on the audit team's needs.




  • The Access Risk Analysis tool runs against roles, users, user groups and profiles, and reports SoD detail information on critical actions, critical permissions, and critical roles and profiles.
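To make the rule-set idea concrete, here is an added example (written for this post, not SAP's own rule set or code) of a toy access risk analysis: a rule set of conflicting functions with High/Medium/Low levels, a role catalogue, and user assignments, all constructed. The action labels look like SAP transaction codes but are used only as illustrative names. It analyzes users and roles, and simulates the effect of adding a role before it is provisioned, which is the "missing authorization" case described above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str
    level: str          # "High", "Medium" or "Low", as set by the audit team
    description: str
    functions: tuple    # conflicting functions; each is a frozenset of actions


# Constructed rule set. An SoD risk fires when one identity can perform at
# least one action from every function listed for that risk.
RULE_SET = (
    Risk("P001", "High", "Maintain vendor master and run payments",
         (frozenset({"FK01", "XK01"}), frozenset({"F110", "F-53"}))),
    Risk("S002", "Medium", "Create sales order and release delivery",
         (frozenset({"VA01"}), frozenset({"VL02N"}))),
)
# Critical actions are reported on their own, without a second conflicting function.
CRITICAL_ACTIONS = {"SU01": "High", "PFCG": "High"}

# Constructed role catalogue (role -> actions) and user assignments (user -> roles).
ROLES = {
    "Z_AP_CLERK": {"FK01", "FB60"},
    "Z_AP_PAYMENTS": {"F110"},
    "Z_SD_ORDER": {"VA01", "VA02"},
    "Z_USER_ADMIN": {"SU01"},
}
USERS = {
    "ALICE": {"Z_AP_CLERK"},
    "BOB": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},
    "CAROL": {"Z_SD_ORDER", "Z_USER_ADMIN"},
}


def actions_for(roles):
    """Flatten a set of roles into the actions they grant."""
    acts = set()
    for role in roles:
        acts |= ROLES.get(role, set())
    return acts


def analyze_actions(actions):
    """Return sorted (risk_id, level, description) findings for a set of actions."""
    findings = []
    for risk in RULE_SET:
        # A conflict exists only if at least one action from EVERY function is held.
        if all(actions & fn for fn in risk.functions):
            findings.append((risk.risk_id, risk.level, risk.description))
    for act, level in CRITICAL_ACTIONS.items():
        if act in actions:
            findings.append((f"CRIT-{act}", level, f"Critical action {act}"))
    return sorted(findings)


def analyze_user(user):
    """User-level analysis across all of the user's roles."""
    return analyze_actions(actions_for(USERS[user]))


def analyze_role(role):
    """Role-level analysis: conflicts contained inside a single role."""
    return analyze_actions(ROLES[role])


def simulate(user, extra_roles):
    """New findings that adding roles would introduce (run before provisioning)."""
    before = set(analyze_user(user))
    after = set(analyze_actions(actions_for(USERS[user] | set(extra_roles))))
    return sorted(after - before)


def summary(level=None):
    """Count findings per user, optionally filtered to one risk level."""
    out = {}
    for user in USERS:
        hits = [f for f in analyze_user(user) if level is None or f[1] == level]
        if hits:
            out[user] = len(hits)
    return out


if __name__ == "__main__":
    for user in USERS:
        print(user, analyze_user(user))
    print("ALICE + Z_AP_PAYMENTS would add:", simulate("ALICE", ["Z_AP_PAYMENTS"]))
```

The simulation result is the useful part for provisioning: ALICE is clean today, but adding the payments role would create the High vendor/payment conflict, so the request should go through mitigation or be rejected before the role is assigned.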



2. Emergency Access Management tool:

When a user performs activities beyond their daily work, for example month-end or year-end activities, that user needs extra authorization beyond what was normally assigned.

In this situation, the EAM tool provides the solution for that authorization, and the changes are documented for future risk analysis.



  • As shown in the figure above, this tool grants some extraordinary IT privileges for a specified number of days, for extraordinary situations and access issues.
  • This tool acts like a "firefighter", and supports filtering, sorting and downloading by various input values for audit purposes.
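The two properties that matter in emergency access are the time box and the audit trail: the privilege expires on its own, and everything done under it is logged in a form that can be filtered, sorted and exported for review. The following added example (not SAP's EAM code) models exactly that in Python; the firefighter ID, user names, the 30-day cap and the timestamps are all constructed.

```python
from datetime import datetime, timedelta


class EmergencyAccessManager:
    """Time-boxed 'firefighter' access with a reviewable audit trail (toy model)."""

    MAX_DAYS = 30  # assumed policy cap on a single grant (constructed value)

    def __init__(self):
        self.grants = {}      # (user, firefighter_id) -> grant record
        self.audit_log = []   # every grant, executed action and denial, in order

    def grant(self, user, ff_id, reason, approver, days, now):
        """Assign a firefighter ID to a user for a limited number of days."""
        if not 0 < days <= self.MAX_DAYS:
            raise ValueError("validity must be between 1 and %d days" % self.MAX_DAYS)
        record = {"user": user, "ff_id": ff_id, "reason": reason, "approver": approver,
                  "valid_from": now, "valid_to": now + timedelta(days=days)}
        self.grants[(user, ff_id)] = record
        self.audit_log.append({"ts": now, "user": user, "ff_id": ff_id, "event": "GRANT",
                               "detail": f"{days}d approved by {approver}: {reason}"})
        return record

    def is_active(self, user, ff_id, now):
        g = self.grants.get((user, ff_id))
        return g is not None and g["valid_from"] <= now < g["valid_to"]

    def execute(self, user, ff_id, action, now):
        """Run an action under the firefighter ID; denied once the window has expired."""
        allowed = self.is_active(user, ff_id, now)
        self.audit_log.append({"ts": now, "user": user, "ff_id": ff_id,
                               "event": "EXEC" if allowed else "DENIED", "detail": action})
        return allowed

    def review_log(self, user=None, ff_id=None, event=None, newest_first=False):
        """Filter and sort the audit trail by the usual reviewer inputs."""
        rows = [r for r in self.audit_log
                if (user is None or r["user"] == user)
                and (ff_id is None or r["ff_id"] == ff_id)
                and (event is None or r["event"] == event)]
        return sorted(rows, key=lambda r: r["ts"], reverse=newest_first)

    def export_csv(self, **filters):
        """Download-style export of the filtered log."""
        lines = ["ts,user,ff_id,event,detail"]
        for r in self.review_log(**filters):
            lines.append(",".join([r["ts"].isoformat(), r["user"], r["ff_id"],
                                   r["event"], r["detail"].replace(",", ";")]))
        return "\n".join(lines)


def demo():
    """Constructed month-end scenario: one valid action, one attempt after expiry."""
    eam = EmergencyAccessManager()
    t0 = datetime(2018, 1, 29, 9, 0)
    eam.grant("ALICE", "FF_FI_01", "month-end closing", "BOB", days=3, now=t0)
    ran = eam.execute("ALICE", "FF_FI_01", "post GL document", t0 + timedelta(hours=2))
    late = eam.execute("ALICE", "FF_FI_01", "post GL document", t0 + timedelta(days=4))
    return eam, ran, late


if __name__ == "__main__":
    eam, ran, late = demo()
    print("in window:", ran, "| after expiry:", late)
    print(eam.export_csv(user="ALICE"))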

3. Business Role Manager (BRM) tool:

  • This tool enforces a process for creating roles: when a role is created using the BRM tool, the workflow automatically involves role owners, auditors and security personnel.

4. User Access Management tool:

Right from user hire to fire, user administration is performed by this tool, with documentation and workflow (no need for third-party tools).

    





Note: the SAP GRC suite is a one-time investment; because of the return on investment during internal and external auditing, many companies are now investing in the GRC suite.




Friday 19 January 2018

Introduction to GRC


  • GRC stands for Governance, Risk and Compliance.

What is the need for SAP GRC?

  • To remove risk in managing an organization’s key operations.
  • SAP GRC can help customers to meet financial, environmental, health and safety, and sustainability regulations imposed by governments and regulatory bodies on companies and their business partners.
  • To report on all compliance-related activities for internal and external auditors.
  • Regulatory compliance is a fast-evolving challenge for companies.
  • GRC increases the efficiency of operations and reduces the risk of penalties for noncompliance during auditing.
  • SAP Risk Management helps to balance business opportunities with financial, legal and operational risks, which are identified in time to minimize the market penalties from high-impact events and are monitored continuously.
  • A few years ago, many companies performed the activities now done by GRC manually, but this was not up to the mark, in financial terms as well.

SAP GRC Suite Overview and Components:

SAP GRC provides end-to-end automation for documenting, detecting, remediating, mitigating, and preventing risks enterprise-wide, resulting in proper segregation of duties (SoDs).


The SAP GRC suite contains the following components to address compliance management:

  • SAP Access Control
  • SAP Process Control
  • SAP Risk Management
  • SAP Global Trade Services (SAP GTS)
  • SAP Nota Fiscal Electronica (SAP NFE)

Even though it’s called the SAP GRC suite, each element can be individually implemented to suit an enterprise’s need.

Value of suite as a whole:

SAP GRC is based on the ABAP application server, to strengthen the core components of SAP.

SAP GRC 10.0 supports the following core processes:


  1. Customization (IMG) functions and transport management.
  2. Object-level security.
  3. Archiving and audit tracking.
  4. Using the SAP standard workflow engine with flexible Multistage Multipath (MSMP) workflow.
  5. Business Rules Framework Plus (BRF+) rule engine, which makes flexible decision and approval workflows much easier for the user community to modify according to their needs.
  6. User maintenance and role-based authorizations.
  7. Change management and audit records.
  8. End-user friendliness.
  9. Integration with SAP ERP systems using SAP NetWeaver Process Integration (PI), with content such as the SLL-LEG and SLL-NFE add-ons for SAP GTS and SAP NFE.