Implementing SAP Governance, Risk, and Compliance - Asokkumar Christian, Rajen Iyer, Atul Sudhalkar

Book | Hardcover
600 pages
2014
SAP Press (publisher)
978-1-59229-881-5 (ISBN)
79,95 incl. VAT
  • Title is unfortunately out of print;
    no new edition
  • Effectively implement and configure the entire GRC 10.0 suite
  • Proactively manage regulatory change, meet business needs, and direct corporate compliance
  • Quickly identify and manage risk with a single unified view of your entire GRC process
  • Written for GRC 10.0 and 10.1

Learn how to navigate the wild waters and changing tides of corporate compliance and governance. With this comprehensive guide to SAP's GRC suite, develop a strategy that is both reactive and adaptive to regulatory pressures, changing corporate policies, and unanticipated risk. Written for GRC consultants, project managers, and analysts, this book will explore the core components of the GRC module (Access Control, Process Control, Global Trade Services, and Risk Management) and their implementation. Plot your course for a successful GRC implementation.

  • The Building Blocks of GRC: Filled with best practices and practical scenarios, learn how to configure and implement the necessary dimensions, master data, and rules setup for each component.
  • Business Process Alignment: Review the regulations that can impact a business and explore the SAP tools that can support compliance.
  • Streamlined GRC Integration: Explore the unique implementation and configuration processes for each component and learn how to operate these resources side by side.
  • Role Management: Ensure that your users are reducing risk with appropriate role management and monitoring.
  • Monitoring and Reporting: Design a monitoring schedule that supports your business with clear monitoring rules with the help of Process Control and Continuous Control Monitoring.

Asokkumar Christian has worked as an SAP consultant for 15 years in various roles as technical consultant, techno-functional consultant, solution architect, GRC Suite implementation consultant, and security architect. He has worked at SAP Labs as a senior consultant in the Regional Implementation Group (RIG) and helped more than a handful of ramp-up customers implement their GRC Access Control and Process Control solutions successfully. He has extensive experience in Solution Management and Production Development for GRC as well.

D. Rajen Iyer has more than 16 years' experience in supply chain management applications and implementations. He has worked in the software consulting, apparel, aerospace, high-tech, manufacturing, and trading industries. Rajen has more than 10 years' experience with SAP, including work on Global Trade Services, Sales and Distribution, Pricing, and Materials Management. A certified Project Management Professional, Rajen is currently leading an SAP practice with KRYAA, which focuses on GTS, Solution Extensions, and xApps.

Atul Sudhalkar is the senior director at SAP Labs for GRC, where he defines product strategy, vision, and product specifications for SAP's Governance, Risk, and Compliance products.


Preface
Structure of This Book
Target Audience
How to Use This Book
Conclusion

Acknowledgments

1. SAP Governance, Risk, and Compliance Overview

1.1 SAP GRC Suite Overview and Components
1.2 Shared Master Data
1.3 SAP Content Life Cycle Management
1.4 SAP GRC 10.0 Architecture and Landscape
1.5 Summary

2. Planning SAP GRC Implementations

2.1 Regulations and Policies in SAP GRC
2.2 Purpose of SAP GRC Tools
2.3 Business Processes and Controls
2.4 Organizational Hierarchy and Local Controls
2.5 User Interface and Work Center
2.6 Rules
2.7 Reporting
2.8 Summary

3. SAP Access Control Overview

3.1 General Assumptions during Implementation
3.2 SAP Access Control--Post-Installation Technical Settings
3.3 SAP Access Control Configuration
3.4 Summary

4. Emergency Access Management Overview

4.1 Using Emergency Access Management
4.2 Emergency Access Management Configuration in SAP GRC
4.3 Using a Firefighter ID
4.4 Reporting
4.5 Summary

5. Access Risk Analysis Overview

5.1 Access Risk Analysis Basic Configuration
5.2 Access Risk Analysis Reporting
5.3 Risk Remediation Process
5.4 Alert Monitoring
5.5 Risk Terminator
5.6 Access Risk Analysis 10.0: Additional Features
5.7 Summary

6. Business Role Manager Overview

6.1 Business Role Manager Configuration
6.2 Business Role Manager Use: Creating a New Single Role
6.3 Role Maintenance and Reporting
6.4 Summary

7. User Access Management Overview

7.1 Different User Roles in User Access Management
7.2 Maintenance of Users
7.3 User Access Management Configuration
7.4 Configure the MSMP Workflow
7.5 Process Details: Change/Create Access Request
7.6 Password Self-Service
7.7 User Access Management Reporting
7.8 Summary

8. SAP Access Control Advanced Topics

8.1 Multistage Multipath (MSMP) Workflow
8.2 Debugging MSMP
8.3 Business Rule Framework Plus (BRF+)
8.4 Workflow Notification Maintenance in MSMP
8.5 Customizing Workflow Processes: Email Notifications
8.6 Select Notification Templates and Recipients
8.7 Setting Up Email Reminders
8.8 Periodic Reviews
8.9 HR Triggers
8.10 Summary

9. SAP Process Control Overview

9.1 The Evolution of SAP Process Control
9.2 SAP Process Control Features
9.3 Architecture
9.4 Configuration and Basic Settings
9.5 Implementation Overview of SAP Process Control
9.6 Overview of SAP Process Control Usage
9.7 Summary

10. SAP Process Control Master Data

10.1 Organizations
10.2 Business Process Models
10.3 Regulations
10.4 Policies
10.5 Accounts and Account Groups
10.6 Master Data Content Management and Transport
10.7 Summary

11. Continuous Controls Monitoring

11.1 Continuous Monitoring Architecture
11.2 Configuring Continuous Control Monitoring
11.3 Creating Data Sources
11.4 Creating Business Rules
11.5 Data Source Types and Related Rules
11.6 Assigning Rules to Controls
11.7 Scheduling Monitoring Rules
11.8 Structured Approach to Continuous Controls Monitoring
11.9 Summary

12. Continuous Controls Monitoring: Data Source Types

12.1 Configurable Data Sources and Rules
12.2 Change Log Check Rules
12.3 Other Data Source Types and Rules
12.4 Performance Considerations with Change Logging
12.5 Summary

13. Continuous Controls Monitoring: Advanced Topics

13.1 Operational Data Provider (ODP) Rules
13.2 SAP HANA
13.3 Using SAP NetWeaver BRF+ to Build Advanced Rules
13.4 Advanced Rule Logic: Grouping, Aggregation, and Currency Conversion
13.5 Using the BRF+ Workbench
13.6 Continuous Control Monitoring: Content Export/Import
13.7 Summary

14. Continuous Controls Monitoring: Miscellaneous Topics

14.1 Efficiently Managing Continuous Controls Monitoring Content
14.2 CCM Data Security
14.3 Summary

15. SAP Risk Management Implementation

15.1 Enterprise Risk Management Overview
15.2 Enterprise Risk Management Scenario
15.3 Operational Risk Management Overview
15.4 Operational Risk Management Scenario
15.5 Summary

16. Trade Compliance and Financial Risk

16.1 Global Trade Key Functions
16.2 SAP ERP Setup for Trade Preference Processing
16.3 SAP Global Trade Services Setup
16.4 SAP Risk Management General Settings
16.5 SAP GTS Benefits
16.6 Summary

17. Compliance with Environment, Health, and Safety Management

17.1 Integration of SAP EHS Management and SAP Global Trade Services
17.2 Visualization Features with SAP GTS 10
17.3 Sanctioned Party List Screening Configuration
17.4 SAP Global Trade Services Deployment and Reporting
17.5 Summary

18. Supply Chain Compliance

18.1 Import Filing to Reduce Compliance Costs
18.2 Import Processes within SAP ERP
18.3 SAP Global Trade Services Declarations
18.4 Customs Import Process Configuration with SAP ERP
18.5 SAP Global Trade Services Configuration
18.6 Configuration Settings for SAP Customs Management
18.7 Summary

19. Conclusion

19.1 Chapter Review
19.2 Business Benefits of the GRC Suite
19.3 GRC Suite and their Value
19.4 SAP GRC Future Outlook

The Authors

Index

Publication date (per publisher): 30.1.2014
Series: SAP PRESS English
Place of publication: Maryland
Language: English
Dimensions: 175 x 228 mm
Subject area: Mathematics / Computer Science > Computer Science > Networks
Computer Science > Other Topics > SAP
Keywords: Access Control (AC) • Access risk analysis • Case Management • GRC suite overview • Master Data • Organization structure • Process Control (PC) • Risk Management (RM) • roles • Rules setup and monitoring • SAP GRC
ISBN-10: 1-59229-881-8 / 1592298818
ISBN-13: 978-1-59229-881-5 / 9781592298815
Condition: New