book

SAP® GRC For Dummies®

Name: SAP® GRC For Dummies®
ISBN: 9780470333174

by Denise Vu Broady, Holly A. Roland

May 2008

Beginner to intermediate

342 pages

9h 3m

English

For Dummies

Read now

Unlock full access

Copyright
About the Authors
Authors' Acknowledgments
Introduction
About This BookFoolish AssumptionsHow This Book Is OrganizedPart I: Governance, Risk, and Compliance DemystifiedPart II: Diving into GRCPart III: Going GreenPart IV: Managing the Flow of InformationPart V: The Part of TensGlossaryIcons Used in This BookWhere to Go from Here
I. Governance, Risk, and Compliance Demystified
1. The ABCs of GRC
1.1. Getting to Know GRC1.2. Getting in the Business Drivers' Seat1.3. Getting Motivated to Make the Most of GRC1.3.1. Complying with financial regulations1.3.2. Failing an audit1.3.3. Experiencing a rude awakening1.3.4. Going from private to public1.3.5. Managing growth1.3.6. Taking out an insurance policy1.3.7. Managing risk1.3.8. Reducing costs1.3.9. Struggling with the high volume of compliance1.4. Introducing the GRC Stakeholders1.4.1. GRC stakeholders inside a company1.4.2. GRC stakeholders outside a company1.5. Understanding GRC by the Letters1.5.1. Governance1.5.2. Risk1.5.3. Compliance1.6. C Is for Compliance: Playing by the Rules1.6.1. Controls: Mechanisms of compliance1.6.2. Domains of compliance1.6.2.1. Financial compliance1.6.2.2. Trade management compliance1.6.2.3. Environment, health, and safety compliance1.6.2.4. Risk management compliance1.6.2.5. Data privacy and security compliance1.6.2.6. Sustainability reporting1.7. R Is for Risk: Creating Opportunity1.8. G Is for Governance: Keeping Focused and Current1.9. Hitting the Audit Trail1.10. Designing Your Approach to GRC1.10.1. After the rush to clean up1.10.2. Stages of GRC adoption1.11. What GRC Solutions Provide
2. Risky Business: Turning Risks into Opportunities
2.1. Discovering Enterprise Risk Management2.2. Defining Risk2.3. Ignoring Risk (At Your Peril)2.4. Sorting Through the Approaches to Risk Management2.4.1. The ad hoc approach2.4.2. The fragmented approach2.4.3. The risk manager's job approach2.4.4. The systematic, enterprise-wide approach2.4.5. A cultural approach2.5. Identifying the Critical Components of a Successful Risk Management Framework2.5.1. A culture that takes risk seriously, from the C-suite down2.5.2. A risk management organization: Distributing responsibility throughout the culture2.5.3. A systematic framework in place2.5.4. Technology that creates a risk picture2.6. Taking the Four Steps to Enterprise Risk Management2.6.1. Risk planning2.6.2. Risk identification and analysis2.6.3. Risk response2.6.4. Risk monitoring2.7. Analyzing What Went Wrong: When Risk Becomes Reality2.8. Automating the Risk Management Cycle2.9. Taking the SAP Approach: SAP GRC Risk Management2.9.1. SAP GRC risk management and key risk indicators2.9.2. Monitoring risks and key risk indicators with SAP GRC Risk Management2.10. Using SAP GRC Risk Management: A Fictional Case Study2.10.1. Where should we produce?2.10.1.1. Considering China2.10.1.2. Considering Romania2.11. Using SAP Risk Management: An SAP Case Study2.12. Gleaning the Benefits of SAP GRC Risk Management
3. Governance: GRC in Action
3.1. Getting to Know Governance3.2. Gleaning the Benefits of Good Governance3.3. Drafting Governance Blueprints3.4. Creating a Framework for Great Governance3.5. Evaluating Your Governance Framework3.5.1. From a strategic and operational perspective3.5.2. From a legal and regulatory compliance perspective3.6. Hurdles to Instituting and Maintaining a Good Framework3.6.1. Avoiding GRC silos3.6.2. Making GRC strategic3.6.3. Justifying the cost of GRC3.6.4. Applying GRC too narrowly3.6.5. Setting up checks and balances3.7. Making the Argument for Automation3.8. The SAP Approach: Integrated Holistic IT for GRC3.9. Coming to Grips with Governance
II. Diving into GRC
4. How Sarbanes and Oxley Changed Our Lives
4.1. Figuring Out Whether SOX Applies to You4.2. Discovering Why SOX Became Necessary4.3. Who Are Sarbanes and Oxley, Anyway?4.4. Breaking Down SOX to the Basics4.4.1. Sections 302 and 906: Threatening management with a big stick4.4.2. Section 404: Ensuring a healthy immune system4.4.3. What does Section 404 mean for business?4.5. Information Technology: SOX in a Box4.5.1. IT frameworks: Your template for compliance4.5.2. COSO's control framework4.5.3. The SOX ripple effect4.6. Paying Up: What's SOX Going to Cost You?4.6.1. SOX Costs Then4.6.2. SOX Costs Now4.7. Setting the Record Straight4.8. Other Laws You Need to Know About4.9. We're All In This Together: Convergence4.9.1. Japan's J-SOX4.9.2. Australia's CLERP-94.9.3. Canada's C-114.9.4. Basel II4.10. Sorting Out the Benefits of SOX

5. Fraud, Negligence, and Entropy: What Can Go Wrong and How to Prevent It
5.1. Defining Fraud5.1.1. Motivations for fraud5.1.2. Sowing the seeds of fraud5.1.3. Some common examples of fraud5.1.4. The Barings Bank scandal: Operations risk extraordinaire5.2. Negligence: More Likely Than Fraud5.3. Entropy: Errors, Omissions, and Inefficiencies5.4. Cleaning Up: The Mop-Up Operation5.4.1. Thinking like an auditor5.4.2. Making the computer your auditor
6. Access Control and the Role of Roles
6.1. Understanding Access Control and Roles6.2. Getting a Handle on Access Control6.2.1. Users and permissions6.2.2. The roles revolution6.3. How Access Control Got Messy6.3.1. Every user is different6.3.2. Virtual things are hard to track6.3.3. IT and business don't speak the same language6.3.4. Exceptional circumstances dictate exceptional access6.3.5. Large scale increases complexity6.4. Getting Clean6.4.1. Figuring out where you stand6.4.1.1. Starting the conversation6.4.1.2. Examining the org chart6.4.1.3. Defining auditable roles6.4.1.4. Mapping the business roles to technical roles6.4.1.5. When you can't segregate duties6.5. Staying Clean6.6. Managing Exceptional Access6.7. The SAP Approach: SAP GRC Access Control6.8. Where Do You Go from Here?
7. Taking Steps toward Better Internal Controls
7.1. Understanding Internal Controls7.2. Exploring the Benefits of Better Controls7.2.1. Benefit one: Business process improvement7.2.2. Benefit two: Management by exception7.2.3. Benefit three: Real-time monitoring7.2.4. Benefit four: Mindset changes7.3. Seeing How Automating Controls Makes Things Easier7.4. Taking Five Steps to Better Internal Controls7.4.1. Documentation: The mapping exercise7.4.2. Testing: Real-time and historical7.4.3. Remediation: Fixing the problem7.4.4. Analysis: Reports for management7.4.5. Optimization: Barring risk7.5. Getting to Know the SAP Approach: SAP GRC Process Control7.5.1. Single system of record7.5.2. Continuous monitoring7.5.3. Out-of-the-box monitoring7.5.4. End-to-end internal controls
8. It's a Small World: Effectively Managing Global Trade
8.1. Understanding Four Reasons Why Global Trade Is So Complex8.1.1. Long supply chains8.1.2. New regulations and security initiatives8.1.3. Modernization of government IT systems8.1.4. Increasing complexity of regulations8.2. Figuring Out the Complexities of Importing8.2.1. Classifying an item: What is it?8.2.2. Making way for the goods: Pre-clearance8.2.3. Making it through: Clearing Customs8.2.4. Reconciling value: The step most often missed8.2.5. Getting the lead out: Brand protection8.3. Making Sure You're Complying with All 19,391 Exporting Restrictions8.3.1. Knowing who you're dealing with8.3.2. Obtaining the right export licenses8.3.3. Knowing how the product will be used8.4. Taking Advantage of the System: Trade Preference Management8.5. Discovering the Different Ways to Manage Global Trade8.6. Using the SAP Approach: SAP GRC Global Trade Services
III. Going Green
9. Making Your Company Environmentally Friendly
9.1. Discovering the Three Ps of Going Green: People, Processes, and Products9.2. Going Green: It's Not Just for Tree-Huggers Anymore9.3. Understanding Why Your Company Should Go Green9.4. Going Green Is Good Business9.4.1. Enhance your image9.4.1.1. Hewlett Packard9.4.1.2. Wal-Mart9.4.1.3. Sun Microsystems9.4.1.4. Timberland9.4.1.5. DHL9.4.1.6. IBM9.4.2. Build trust with regulatory authorities9.4.3. Influence future events9.5. Implementing Green Practices9.5.1. Trees matter9.5.2. Let there be (green) light!9.5.3. Water: To bottle or not to bottle?9.5.4. Reduce your risk9.6. Going Green Is also the Law9.6.1. Compliance9.6.2. Risks of noncompliance: Fines and public relations nightmares9.7. A Final Word About Going Green
10. Keeping Employees Healthy and Safe
10.1. Keeping Your Employees Safe and Healthy: The Big Picture10.1.1. Enabling and maintaining good health10.1.2. Avoiding accidents10.1.3. Healthy benefits equal employee recruitment retention10.2. Moving Down the Road to Zero Accidents10.2.1. Organizing and managing a comprehensive health and safety program10.2.2. Assessing risks10.2.3. Standardizing your procedures10.2.4. Managing accidents10.2.5. Inspecting your sites and creating new safety measures10.2.6. Educating your employees10.3. Making the Case for Automation and Integration10.4. Taking the SAP Approach to Employee Health and Safety10.4.1. The Occupational Health module10.4.2. The Industrial Hygiene and Safety module10.4.2.1. Risk assessment10.4.2.2. Standard operating procedures10.4.2.3. Accident management10.4.2.4. Site inspections10.4.2.5. Safety briefing and worker qualification
11. Making Your Business Processes Environmentally Friendly
11.1. Discovering Ways in which All Companies Can Go Green11.2. Reducing Your Energy Use and Costs11.3. Building, Renovating, and Cleaning with Sustainable Resources and Materials11.3.1. Begin at the beginning with green design11.3.2. Pick the right spot11.3.3. Crunch your numbers11.3.4. Make friends with your site plan11.3.5. Reduce unnecessary strains on your HVAC11.3.6. Exploit the advantages of technology11.3.7. Command the water11.3.8. Use green and recycled building materials11.3.9. Build smart, build green11.3.10. Renovate green11.3.11. Clean green11.3.12. Recycle11.3.13. Reducing travel11.4. Getting LEED Certified11.5. Assessing Your Environmental Risks11.6. Greening Manufacturing11.6.1. Green legislation11.6.2. EPA Clean Air Act11.6.3. EPA Clean Water Act11.6.4. Waste Electrical and Electronic Equipment (WEEE)11.7. Adopting Green Practices for Manufacturing11.7.1. Establish an energy management program11.7.2. Reduce emissions11.7.3. Reduce waste11.7.4. Deal with hazardous substances11.7.5. Optimize occupational health11.7.6. Promote industrial hygiene and safety11.7.7. Ensure product safety11.8. Taking the SAP Approach to Making Your Processes Environmentally Friendly11.8.1. SAP Environmental Compliance11.8.1.1. Building emissions models and analyzing emissions11.8.1.2. Managing compliance11.8.1.3. Creating reports and documentation11.8.1.4. Controlling trading and collaboration11.8.2. SAP Waste Management: A core component of SAP Environment, Health, and Safety
12. Making Your Products Environmentally Friendly
12.1. Discovering What It Takes to Make Products Environmentally Friendly12.2. Figuring Out What Your Materials Are and What They Do12.2.1. Defining hazardous materials12.2.2. Defining dangerous goods12.3. Realizing the Benefits of Compliance12.3.1. The benefits of complying12.3.2. The risks of failing to comply12.4. Using Hazardous Materials Responsibly12.4.1. Customer compliance management12.4.2. Supplier compliance management12.4.3. Compliance reporting12.4.4. Comprehensive task management12.5. Working with Hazardous Materials12.5.1. Packing12.5.2. Materials communications12.5.3. Transporting materials12.6. Keeping Up with Materials Legislation12.6.1. Toxic Substances Control Act (TSCA)12.6.2. Registration, Evaluation, Authorization of Chemicals (REACH)12.6.2.1. What REACH says12.6.2.2. Who REACH affects12.6.3. Reduction of Hazardous Substances (RoHS)12.7. Exploring the SAP Approach to Product Compliance12.7.1. Compliance for Products by TechniData (CfP)12.7.2. SAP EH&S12.7.2.1. Substance volume tracking12.7.2.2. Document management and shipping12.7.2.3. Bill of materials transfer12.7.2.4. Specification information system12.7.2.5. Phrase management
IV. Managing the Flow of Information
13. Sustainability and Corporate Social Responsibility
13.1. Discovering the Great Power and Responsibility of Big Companies13.2. Getting the Lowdown on Sustainability13.3. Discovering Why Sustainability Is Good Business13.3.1. Managers recognize sustainability as a top priority13.3.2. Stakeholders exert pressure13.3.3. Sustainable businesses have better access to capital13.3.4. Government regulations increasingly require it13.3.5. Sustainability helps you manage risk13.3.6. CSR protects your brand image13.3.7. It helps you attract and keep the best employees13.3.8. CSR is ethical13.3.9. It helps business planning and innovation13.3.10. CSR increases profits13.4. Discovering the Possible Downside of CSR13.5. Managing Sustainability Performance13.5.1. The current reporting process is a mess13.5.2. New tactics are required13.6. Discovering Why an Automated Solution Is Needed13.6.1. Sustainability reporting is a recurring problem13.6.2. Huge amounts of data are involved13.6.3. Integration is a plus13.6.4. Automation creates supply chain transparency13.6.5. Automation means auditability13.6.6. Automation yields analytics and benchmarks13.6.7. An IT solution speeds distribution of data
14. IT GRC
14.1. Getting a Handle on What IT GRC Is14.2. Understanding IT Governance in Terms of Risk and Compliance14.2.1. In terms of risk14.2.2. In terms of compliance14.2.2.1. COBIT14.2.2.2. COSO14.2.3. Keeping up with the pace of change14.3. Securing Your Software Applications14.3.1. Taking basic application security measures14.3.2. Consolidating security solutions14.3.3. Making friends with the IT department14.4. Keeping the Kimono Closed: Data Privacy14.5. Protecting Key Corporate Assets: Intellectual Property14.5.1. Cinching up the kimono14.5.2. Leveraging the network14.5.3. Other ways data can walk away14.5.4. Protecting IT assets14.5.5. Communication
15. Turning On the Lights with GRC and CPM
15.1. Turning On the Lights with CPM15.2. Making the Case for CPM and GRC Integration15.2.1. Understanding obstacles to integration15.2.2. Instrumenting the enterprise15.2.3. Collecting the payoff from CPM and GRC integration15.2.4. Supplier concentration15.2.5. Loan processing15.3. Seeing CPM and GRC Integration in Practice15.3.1. The intersection of actuals15.3.2. Strategy, risk, and planning15.3.3. Governance and strategy15.4. Discovering the Reusable Technology of GRC15.4.1. Repository15.4.2. Document management15.4.3. Case management15.4.4. Workflow15.4.5. Process modeling15.4.6. Policy engine15.4.7. Rule engine15.4.8. Controls15.4.9. Reporting15.4.10. Standardized interfaces to components15.4.11. Composite apps on the platform
V. The Part of Tens
16. Top Ten GRC Strategies
16.1. Evaluate Which of the Most Prevalent GRC Issues Apply to You16.2. Adopt Best Practices16.3. Implement Key GRC Strategies16.4. Set Yourself Up for Success16.5. Watch Out for Danger Signs16.6. Define GRC Roles and Responsibilities16.7. Shake Down the People Who Know16.8. Move to Strategic Adoption of Automated Controls16.9. Adopt Strategies for Cleaning Up Access Control16.10. Getting Your GRC Project Going and Keeping It Going
17. Ten Best Practices in Global Trade
17.1. Automate or Else17.2. Don't Go to Pieces17.3. Make Sure You Can Trust Your Partners17.4. Avoid Importing Delays17.5. Get On Board with the Government's High-Tech Documenting Processes17.6. Know Who Is Allowed at the Party17.7. Know Who You're Shipping to17.8. Get the Right Licenses17.9. Take the Free Money17.10. Leave a Paper Trail
18. Ten Groups of GRC Thought Leadership Resources
18.1. GRC Resources18.1.1. Web sites18.1.2. Blogs18.1.3. Online journals18.2. Risk Resources18.2.1. Web sites18.2.2. Blogs18.2.3. Books18.3. SOX Resources18.3.1. Web sites and forums18.3.2. Books18.4. Financial Compliance Resources18.4.1. J-SOX18.4.2. Basel II18.4.3. Foreign Corrupt Practices Act18.5. Access Control and Process Control Resources18.5.1. Web sites18.5.2. Articles18.5.3. Wikis18.6. IT GRC Resources18.6.1. Blogs18.7. Global Trade Resources18.7.1. Web sites18.7.2. Blogs18.8. Employee Health and Safety Resources18.8.1. Web sites and online journals18.8.2. Blogs18.8.3. Articles18.9. Going Green Resources18.9.1. Web sites18.9.2. Wikis18.9.3. Articles18.9.4. Blogs18.9.5. Books18.10. Sustainability Resources18.10.1. Web sites18.10.2. Articles18.10.3. Blogs and books
Glossary

Content preview from SAP® GRC For Dummies®

Chapter 6. Access Control and the Role of Roles

In Chapter 5, we discuss how fraud can occur where duties are not clearly segregated. To minimize fraud, companies need to wisely segregate the duties of employees. And to segregate duties, companies rely on roles and access control.

The concepts behind these terms are simple. Everyone in the company should have a well-defined role that minimizes the opportunity for fraud. And when an employee needs to access a computer system, access controls need to be in place that allow the employee to access only what he needs to do to perform his job: nothing more, nothing less. In this chapter, we look at these concepts in-depth. We also discuss how roles can wind up being much more complicated and difficult to manage than you might expect. We also take a look at the SAP solutions for access control.

Understanding Access Control and Roles

Employees perform their duties once they are logged into the system, but it's also vital to monitor how they get there. Most companies have thousands of users. Each user has one or more role. Each role has access to a certain number of transactions in the system. Many companies have more than one system to which users have access. Each of these systems have hundreds of screens, with multiple transactions. All this adds up to a massive number of places where segregation of duties violations can occur — hundreds of thousands, in fact.

Access control is a gatekeeper function that patrols system access, ensuring that ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9780470333174Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

SAP® GRC For Dummies®

by Denise Vu Broady, Holly A. Roland

Chapter 6. Access Control and the Role of Roles

Understanding Access Control and Roles

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.