Table of Contents

Preface  19
  Structure of This Book  20
  Target Audience  20
  How to Use This Book  21
  Conclusion  21
Acknowledgments  23

1 SAP Governance, Risk, and Compliance Overview  25
  1.1 SAP GRC Suite Overview and Components  28
    1.1.1 Value of the Suite as a Whole  29
    1.1.2 Reasons to Implement SAP GRC  30
    1.1.3 SAP Access Control  31
    1.1.4 SAP Process Control  41
    1.1.5 SAP Risk Management  49
    1.1.6 SAP Global Trade Services and SAP Nota Fiscal Electronica  54
  1.2 Shared Master Data  66
  1.3 SAP Content Life Cycle Management  67
  1.4 SAP GRC 10.0 Architecture and Landscape  69
    1.4.1 Backend System Requirements  69
    1.4.2 Two-Tier versus Three-Tier Landscapes  72
    1.4.3 Frontend Options  73
  1.5 Summary  74

2 Planning SAP GRC Implementations  75
  2.1 Regulations and Policies in SAP GRC  76
    2.1.1 Japan's J-SOX  77
    2.1.2 Australia's CLERP-9  78
    2.1.3 Canada's C-11  78
    2.1.4 Basel II  78
  2.2 Purpose of SAP GRC Tools  79
  2.3 Business Processes and Controls  81
  2.4 Organizational Hierarchy and Local Controls  82
  2.5 User Interface and Work Center  85
  2.6 Rules  87
  2.7 Reporting  87
  2.8 Summary  90

3 SAP Access Control Overview  91
  3.1 General Assumptions during Implementation  92
    3.1.1 SAP NetWeaver Business Client as SAP Access Control User Interface  94
    3.1.2 SAP NetWeaver Business Client Use Case  96
  3.2 SAP Access Control: Post-Installation Technical Settings  98
    3.2.1 Basis Preliminary Check  99
    3.2.2 Activating BC Sets  105
    3.2.3 Activate Common Workflow  110
    3.2.4 Workflow Verification  117
    3.2.5 Troubleshooting for Task-Specific Customization  124
    3.2.6 Shared Configuration of SAP GRC Systems  130
    3.2.7 SAP Crystal Reports Features  137
    3.2.8 Activate Profile of Roles Delivered by SAP  138
    3.2.9 Creating the Initial User in the ABAP System  140
  3.3 SAP Access Control Configuration  142
  3.4 Summary  144

4 Emergency Access Management Overview  147
  4.1 Using Emergency Access Management  149
  4.2 Emergency Access Management Configuration in SAP GRC  152
    4.2.1 Configuration Parameters  152
    4.2.2 General Configuration Steps  153
    4.2.3 Email Configuration  157
  4.3 Using a Firefighter ID  159
  4.4 Reporting  161
    4.4.1 Consolidated Log Report  162
    4.4.2 Reason Code and Activity Report  165
    4.4.3 Firefighter Log Summary Report  165
    4.4.4 Invalid Emergency Access Report  166
    4.4.5 Transaction Logs and Session Detail  166
    4.4.6 SOD Conflict Report for Firefighter IDs  166
    4.4.7 Reason Code Usage Frequency  167
  4.5 Summary  168

5 Access Risk Analysis Overview  169
  5.1 Access Risk Analysis Basic Configuration  172
    5.1.1 Maintaining SAP Access Control Risk Analysis Configuration Parameters  173
    5.1.2 Adding a Connector to the AUTH Scenario  175
    5.1.3 Risk Loading and Activation  176
    5.1.4 Synchronization Jobs  183
    5.1.5 Rule Set Maintenance  184
    5.1.6 Maintain Shared Master Data  188
    5.1.7 Perform Batch Risk Analysis  190
  5.2 Access Risk Analysis Reporting  193
  5.3 Risk Remediation Process  196
    5.3.1 Role Cleanup Process with Access Risk Analysis  197
    5.3.2 Risk Mitigation as Remediation  198
  5.4 Alert Monitoring  200
  5.5 Risk Terminator  200
    5.5.1 Configuration Setup in the SAP GRC System  201
    5.5.2 Configuration Setup in the Plug-In System  201
  5.6 Access Risk Analysis 10.0: Additional Features  202
    5.6.1 Initial Access Risk Assessment  202
    5.6.2 Additional Reporting Features  202
  5.7 Summary  204

6 Business Role Manager Overview  205
  6.1 Business Role Manager Configuration  207
    6.1.1 Activation of BC Sets  208
    6.1.2 Verifying Default Configuration Parameters  209
    6.1.3 Maintain Role Type Settings  212
    6.1.4 Specify Naming Conventions  213
    6.1.5 Standard Role Methodology  217
    6.1.6 MSMP Workflow Configuration  219
    6.1.7 Creating Role Owners  222
  6.2 Business Role Manager Use: Creating a New Single Role  223
    6.2.1 Assigning Authorizations to the New Role  224
    6.2.2 Analyzing Access Risks and Remediation  226
    6.2.3 Request Approval  227
    6.2.4 Role Generation  227
    6.2.5 Testing the Role  228
  6.3 Role Maintenance and Reporting  229
  6.4 Summary  230

7 User Access Management Overview  231
  7.1 Different User Roles in User Access Management  234
    7.1.1 General Users  234
    7.1.2 Requestors  235
    7.1.3 Approvers  235
    7.1.4 Administrators  236
    7.1.5 Auditors  236
  7.2 Maintenance of Users  237
  7.3 User Access Management Configuration  237
    7.3.1 Basic Requirements  238
    7.3.2 Activation of Business Configuration (BC) Sets  239
    7.3.3 Configuration Parameters  240
    7.3.4 Maintain Connector Settings  241
    7.3.5 Maintain Data Sources Configuration  245
    7.3.6 Define Request Type  247
    7.3.7 Maintain Number Range Intervals for Provisioning Requests  248
    7.3.8 Define Number Range for Provisioning Requests  249
    7.3.9 Maintain End User Personalization  249
    7.3.10 Maintain Provisioning Settings  251
    7.3.11 Maintain User Defaults  253
    7.3.12 Activate End User Logon  253
  7.4 Configure the MSMP Workflow  255
  7.5 Process Details: Change/Create Access Request  259
    7.5.1 Role Availability for Provisioning  261
    7.5.2 Access Request Process Steps  262
  7.6 Password Self-Service  263
    7.6.1 Maintain Password Self-Service  263
  7.7 User Access Management Reporting  265
  7.8 Summary  268

8 SAP Access Control Advanced Topics  269
  8.1 Multistage Multipath (MSMP) Workflow  270
    8.1.1 Configure Process and Global Setting  271
    8.1.2 Maintain Rules and Rule Results  274
    8.1.3 Maintain Agents  278
    8.1.4 Variables and Templates  281
    8.1.5 Maintain Paths and Assign Stages to Path  282
    8.1.6 Maintain Stages  284
    8.1.7 Maintain Stage Task Settings  286
    8.1.8 Notification Settings  289
    8.1.9 Maintain Route Mapping  290
    8.1.10 Generate Versions  291
  8.2 Debugging MSMP  293
  8.3 Business Rule Framework Plus (BRF+)  295
    8.3.1 BRF+ Use Case in SAP Access Control  296
    8.3.2 Chaining Routing Rules Using a Function Module and BRF+  305
    8.3.3 BRF+ Function in Business Role Manager  306
  8.4 Workflow Notification Maintenance in MSMP  310
    8.4.1 Available Notification Templates  310
    8.4.2 Notification Variables  317
  8.5 Customizing Workflow Processes: Email Notifications  320
    8.5.1 Creation of Custom Document Objects  320
    8.5.2 Associate Custom Document Object with Message Class  321
  8.6 Select Notification Templates and Recipients  323
  8.7 Setting Up Email Reminders  325
  8.8 Periodic Reviews  326
    8.8.1 Configuration for SoD Review  328
    8.8.2 Maintain Reviewers and Coordinators  330
    8.8.3 Generate Data for SoD Review  332
  8.9 HR Triggers  338
  8.10 Summary  340

9 SAP Process Control Overview  341
  9.1 The Evolution of SAP Process Control  342
  9.2 SAP Process Control Features  342
    9.2.1 Date Validity  343
    9.2.2 Views  344
  9.3 Architecture  344
    9.3.1 Installation and Setup  346
  9.4 Configuration and Basic Settings  347
    9.4.1 General Settings  349
    9.4.2 Shared Master Data Settings  356
    9.4.3 SAP Process Control Reporting  357
    9.4.4 Common Component Settings for SAP Process Control  358
  9.5 Implementation Overview of SAP Process Control  360
    9.5.1 Setting Business Goals  361
    9.5.2 Phased Approaches  361
    9.5.3 Master Data Collection  363
    9.5.4 Process Control Users and Roles  363
  9.6 Overview of SAP Process Control Usage  364
    9.6.1 Documenting  365
    9.6.2 Scope  365
    9.6.3 Evaluation  366
    9.6.4 Monitoring and Remediation  366
    9.6.5 Reporting  367
    9.6.6 Certification  368
    9.6.7 Policy Management  369
  9.7 Summary  369

10 SAP Process Control Master Data  371
  10.1 Organizations  374
    10.1.1 Multiple Hierarchies  376
    10.1.2 Validity Dates and Time Frames in the Organization Structure  377
  10.2 Business Process Models  378
  10.3 Regulations  382
  10.4 Policies  384
  10.5 Accounts and Account Groups  385
  10.6 Master Data Content Management and Transport  387
    10.6.1 Master Data Upload Generator  388
    10.6.2 Content Lifecycle Management  391
    10.6.3 CLM versus MDUG  393
  10.7 Summary  394

11 Continuous Controls Monitoring  397
  11.1 Continuous Monitoring Architecture  398
  11.2 Configuring Continuous Control Monitoring  402
  11.3 Creating Data Sources  409
    11.3.1 Adding Data Source Information  411
    11.3.2 Defining the Technical Details  413
    11.3.3 Pointing to a Connector  415
    11.3.4 Adding Documentation  417
  11.4 Creating Business Rules  418
    11.4.1 Basic Information  421
    11.4.2 Filter Criteria  422
    11.4.3 Deficiency Criteria  423
    11.4.4 Conditions and Calculations  425
    11.4.5 Technical Settings and Monitoring Rule Behavior  426
    11.4.6 Ad Hoc Query  426
  11.5 Data Source Types and Related Rules  427
  11.6 Assigning Rules to Controls  430
  11.7 Scheduling Monitoring Rules  431
  11.8 Structured Approach to Continuous Controls Monitoring  434
    11.8.1 The Nature of ERP Controls  435
    11.8.2 The Goal of Monitoring  436
    11.8.3 Effective Monitoring  437
    11.8.4 The Importance of Proper Configurations and Master Data Settings  438
    11.8.5 Transactions  439
    11.8.6 Reports and Analytics  440
  11.9 Summary  441

12 Continuous Controls Monitoring: Data Source Types  443
  12.1 Configurable Data Sources and Rules  444
    12.1.1 Configurable Data Sources  445
    12.1.2 Configurable Business Rules  449
    12.1.3 Limitations of Configurable Data Sources and Rules  450
  12.2 Change Log Check Rules  452
    12.2.1 Change Tracking: Logs versus Polling  453
    12.2.2 Defining Change Log Rules  454
  12.3 Other Data Source Types and Rules  459
    12.3.1 ABAP Reports  459
    12.3.2 Segregation of Duty Integration  460
    12.3.3 SAP NetWeaver BW Query  460
    12.3.4 Event-Driven Data Sources  461
    12.3.5 SAP NetWeaver Process Integration  462
    12.3.6 External Partner Data Sources  464
    12.3.7 ABAP Program Data Sources  464
  12.4 Performance Considerations with Change Logging  465
  12.5 Summary  465

13 Continuous Controls Monitoring: Advanced Topics  467
  13.1 Operational Data Provider (ODP) Rules  468
  13.2 SAP HANA  468
  13.3 Using SAP NetWeaver BRF+ to Build Advanced Rules  471
    13.3.1 Using BRF+ Rules in SAP Process Control Business Rules  471
    13.3.2 Additional Features of BRF+ and SAP Process Control  476
  13.4 Advanced Rule Logic: Grouping, Aggregation, and Currency Conversion  477
  13.5 Using the BRF+ Workbench  484
  13.6 Continuous Control Monitoring: Content Export/Import  496
  13.7 Summary  501

14 Continuous Controls Monitoring: Miscellaneous Topics  503
  14.1 Efficiently Managing Continuous Controls Monitoring Content  504
    14.1.1 Data Sources  504
    14.1.2 Business Rules  505
    14.1.3 Organization-Level System Parameters (OLSP)  507
    14.1.4 OLSP and Business Rule Filter Conditions Combine  511
    14.1.5 Runtime Binding of Date Ranges  512
    14.1.6 Decoupling Test Schedule from Test Period  513
  14.2 CCM Data Security  515
    14.2.1 Guiding Principles  516
    14.2.2 Analysis  516
    14.2.3 The Goal  518
    14.2.4 The Solution  519
    14.2.5 CCM Data Security Model  521
  14.3 Summary  521

15 SAP Risk Management Implementation  523
  15.1 Enterprise Risk Management Overview  524
  15.2 Enterprise Risk Management Scenario  526
    15.2.1 Business Blueprint  529
    15.2.2 Solution Configuration  529
    15.2.3 Data Conversion and Master Data Setup  532
    15.2.4 Authorization Concept and Roles  552
    15.2.5 Workflows  556
    15.2.6 Reporting  559
  15.3 Operational Risk Management Overview  560
  15.4 Operational Risk Management Scenario  563
    15.4.1 Business Blueprint  565
    15.4.2 Solution Configuration  566
    15.4.3 Master Data Setup  566
    15.4.4 Loss Event Management Workflow and Upload  576
    15.4.5 Reporting  579
  15.5 Summary  580

16 Trade Compliance and Financial Risk  583
  16.1 Global Trade Key Functions  585
    16.1.1 SAP Compliance Management  586
    16.1.2 SAP Customs Management  589
    16.1.3 SAP Risk Management  593
  16.2 SAP ERP Setup for Trade Preference Processing  598
    16.2.1 Set Up Communication from SAP ERP to SAP GTS  598
    16.2.2 Set Up Document Transfer in SAP ERP  600
    16.2.3 Maintain BOM Transfer Settings  601
    16.2.4 Define a Worklist for Vendor-Based Long-Term Vendor Declarations  602
  16.3 SAP Global Trade Services Setup  604
    16.3.1 Define Basic Settings in SAP GTS  604
    16.3.2 Set Up System Communication in SAP GTS  606
    16.3.3 Number Range Configuration within SAP GTS  606
    16.3.4 Define and Assign Organizational Parameters  607
    16.3.5 Define the Country Group  609
    16.3.6 Define and Activate a Legal Regulation  610
  16.4 SAP Risk Management General Settings  612
    16.4.1 Activate the Document Type and Item Category  612
    16.4.2 Define an Organizational Structure  613
    16.4.3 Activate the Preference Agreement  614
    16.4.4 Define and Assign the Rule Set  616
    16.4.5 Set Control Settings for the Data Scope in Vendor Declarations  617
  16.5 SAP GTS Benefits  620
  16.6 Summary  623

17 Compliance with Environment, Health, and Safety Management  625
  17.1 Integration of SAP EHS Management and SAP Global Trade Services  626
    17.1.1 SAP EHS Management Configuration  628
    17.1.2 SAP Global Trade Services Configuration  636
  17.2 Visualization Features with SAP GTS 10  642
    17.2.1 Accessing the New User Interface  643
    17.2.2 SAP NetWeaver Business Client (NWBC)  644
  17.3 Sanctioned Party List Screening Configuration  645
  17.4 SAP Global Trade Services Deployment and Reporting  647
    17.4.1 Deployment Options  648
    17.4.2 Reporting  649
  17.5 Summary  656

18 Supply Chain Compliance  657
  18.1 Import Filing to Reduce Compliance Costs  658
  18.2 Import Processes within SAP ERP  658
  18.3 SAP Global Trade Services Declarations  660
    18.3.1 Customs Document Review  661
  18.4 Customs Import Process Configuration with SAP ERP  668
  18.5 SAP Global Trade Services Configuration  673
  18.6 Configuration Settings for SAP Customs Management  681
  18.7 Summary  694

19 Conclusion  695
  19.1 Chapter Review  696
  19.2 Business Benefits of the GRC Suite  697
  19.3 GRC Suite and their Value  698
  19.4 SAP GRC Future Outlook  699

The Authors  701
Index  703