SAP GRC Access Control @ ULg
Pierre Blauwart – Project Manager
HERUG
BvD-it Confidential

Agenda
- ULg in a nutshell
- Context
- Definitions
- Methodology & Roadmap
- Project status
ULg – an all-round university
- 17,000 students, 3,800 foreign students, 80 nationalities, 3,200 graduates a year
- Budget: 269 million euros, of which 50% is allocated to research
- 3,400 employees, of which 2,200 are teachers and researchers
- 3,000 employed at the University Hospital Centre (CHU)
- Around 1,500 jobs at the Liège Science Park (60 businesses)
- 900 jobs in spin-offs resulting from scientific research
- Just 60 minutes away from Brussels, the Grand Duchy of Luxembourg and France, 30 minutes away from Germany and the Netherlands, the University of Liège is at the heart of Europe.
Speaker note: funding comes from grant funds.

ULg – SAP implementation
- SAP for Finance & Logistics: MM, SD, EP, CATS, PS, RRB, PCA, BI, PI, GRC
- 600 users – 1,000 roles
- HR not in SAP, SLCM not in SAP
Speaker note: funding comes from grant funds; the funds bring more and more control, including audits on segregation of duties (FP6).
www.ulg.ac.be
Context
Trends in the ULg ecosystem: growing pressure to control the exposure to fraud and data tampering
- External: more and more controls from public grantors, with concerns about the access procedure. This has resulted in audits driven by some of them and focused on segregation of duties.
- Internal concern as well.
Segregation of duties
- SoD is a primary internal control intended to prevent, or decrease the risk of, errors or irregularities, identify problems and ensure corrective action is taken.
- Principle: no single individual has control over all phases of a business process.
- Example: modify vendor bank account + vendor payment.
- Remediation: incompatible duties are divided, or segregated, among different people to reduce the risk of error or inappropriate actions.
Grantors want more and more to control their funds and expenses, with concerns about the access procedure.

Solution selection: SAP GRC Access Control
GRC: Governance, Risk & Compliance
- Governance: manages the strategic directives a company wants to follow
- Risk: management assesses the areas of exposure and potential impacts
- Compliance: tactical action to mitigate risk
SAP GRC Access Control monitors, tests and enforces access and authorization controls across the enterprise.
Solutions assessed:
- Set up a GRC tool
- Use detection solutions that operate on downloaded (extracted) data
Solution adopted: install SAP GRC Access Control
The essential feature of segregation of duties is that no single person should have responsibility for controls over an entire transaction.
Mitigation
Scope of the project : Access Control
Scope of the project: Phase 1 = Compliance Calibrator + Firefighter
- Compliance Calibrator: risk analysis and remediation solution for access and authorization controls
- Firefighter: super-user access control solution; enables compliance-focused emergency access for SAP
- Role Expert: role definition and management solution; allows role owners to document role definitions, perform automated risk assessments, track change control and facilitate maintenance; enables enterprise role definition (and maintenance) in a single location
- Access Enforcer: preventive, compliant provisioning at run time; automates the user access request and approval process with embedded risk analysis

Project roadmap – Step 1: Project preparation
- GRC installation: version 5.2, connected to the ECC instance
- Proof of concept: first risk assessment, about 300,000 violations
- First action: drastically reduce SAP_ALL and SAP_NEW
- Scoping of phase 1: risks have been grouped by BPO: FLC (Financial & Closing), OTC (Order to Cash), P2P (Procure to Pay), I2P (Idea to Project); Basis component out of scope
Roadmap steps: 1 Project preparation (proof of concept) – 2 Risk assessment – 3 Remediation – 4 Implementation cycles 1, 2, 3 – 5 Go Live & Support
Speaker note: check with Vincent on which machine GRC is installed (RFC ...).
Risks per business process (SoD risks)
Business process | SoD risks
Finance & PS | 32
Material Management | 14
Purchasing | 67
Customer (& grantors) invoicing | 29
Basis – technical | 19
EC-CS Consolidation | 14
HR & payroll | 21
APO | 16
CRM | 20
EBP & SRM | 24

Step 2: Risk assessment
Workshops: adapt the standard SoD matrix
- Are the risks proposed in the standard matrix relevant?
- Do we have to add some risks?
- Do we have to consider additional transactions (custom Z* transactions)?
- Adapt the GRC standard risk levels: Critical, High, Medium & Low
Design (update) the SoD matrix in the SAP GRC system
Run the risk assessment
Perform the analysis
GRC screens – CC (Compliance Calibrator screenshots, slides 12–15, not reproduced in text; slide 15 dated 10/06/2009) Pg.: 12 | 19/11/2004
Risk assessment results
- 98% (516 out of 525) of the SAP users have SoD risks
- SoD violations even on "display" roles!
Recommendations on naming convention
- The name of the role gives information on the underlying business process
- Use simple roles; aggregate simple roles in composite roles
- Identify the different roles quickly: simple roles "Z:xxx", composite roles "ZC:xxx", display roles "Z:xxx_V"
- Create one specific role dedicated per critical risk
Remark on traceability: the system keeps the history of the violations related to each risk assessment, so perform the first analysis in the acceptance system rather than in production.

Step 3: in progress
- Remediation: no role may contain a SoD violation
- Mitigation: accept the risk for a given user and enforce a mitigating control on it
- Use Firefighter to track the actions performed by super users during a given period (the closing period, for example)
- Integration with SAP EP (Enterprise Portal)
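The analysis logic behind Steps 2 and 3, as an added example that is not part of the slides and not SAP GRC's own code: a small Python model of a SoD rule set (functions built from transactions, risks built from pairs of conflicting functions), the role-level check used for remediation, the user-level check with accepted mitigations, and a comparison of action-level versus permission-level analysis, which is what produces the "violations on display roles" finding on the results slide. The transaction codes are real SAP t-codes, but the role names, user IDs, risk IDs, the mitigating-control reference and the ACTVT mapping are constructed for illustration.

```python
"""Added example, not from the ULg slides or SAP GRC itself: a toy SoD risk
analysis. Transaction codes are real SAP t-codes; role names, users, risk IDs,
the mitigating control and the ACTVT mapping are constructed for illustration."""
from dataclasses import dataclass, field

# ACTVT values on SAP authorization objects: 01 = create, 02 = change, 03 = display.
# A function is a business capability: transaction -> ACTVT values that make it a change.
FUNCTIONS = {
    "VENDOR_MASTER_MAINT": {"XK02": {"02"}, "FK02": {"02"}},
    "VENDOR_PAYMENT":      {"F110": {"01", "02"}, "F-53": {"01"}},
    "PO_CREATE":           {"ME21N": {"01"}},
    "GOODS_RECEIPT":       {"MIGO": {"01"}},
}

# A risk is a pair of functions one person must not hold together, plus a risk level.
RISKS = {
    "P001": ("VENDOR_MASTER_MAINT", "VENDOR_PAYMENT", "High"),  # change bank account + pay
    "P002": ("PO_CREATE", "GOODS_RECEIPT", "Medium"),
}


@dataclass
class Role:
    name: str
    auths: dict = field(default_factory=dict)    # transaction -> ACTVT values granted
    members: list = field(default_factory=list)  # simple roles inside a composite role


ROLES = {  # constructed roles following the Z: / ZC: / _V naming convention
    "Z:FI_VENDOR_MAINT": Role("Z:FI_VENDOR_MAINT", {"XK02": {"02", "03"}, "FK02": {"02", "03"}}),
    "Z:FI_PAYMENT":      Role("Z:FI_PAYMENT", {"F110": {"01", "02", "03"}, "F-53": {"01", "03"}}),
    "Z:FI_VENDOR_V":     Role("Z:FI_VENDOR_V", {"XK02": {"03"}, "F110": {"03"}}),  # display only
    "Z:MM_PO":           Role("Z:MM_PO", {"ME21N": {"01", "03"}}),
    "Z:MM_GR":           Role("Z:MM_GR", {"MIGO": {"01", "03"}}),
    # Composite role bundling two conflicting simple roles: a remediation target.
    "ZC:FI_ALL":         Role("ZC:FI_ALL", members=["Z:FI_VENDOR_MAINT", "Z:FI_PAYMENT"]),
}

USERS = {  # constructed user -> role assignments
    "jdoe":   ["ZC:FI_ALL"],
    "asmith": ["Z:FI_VENDOR_MAINT", "Z:FI_VENDOR_V"],
    "bbrown": ["Z:FI_VENDOR_V", "Z:MM_PO", "Z:MM_GR"],
}

# Accepted risks: (user, risk) -> reference of the compensating control that is enforced.
MITIGATIONS = {("jdoe", "P001"): "CTRL-042 monthly review of vendor bank changes vs payments"}


def effective_auths(role_names, roles=ROLES):
    """Flatten composite roles into one transaction -> ACTVT map for the holder."""
    out = {}
    for name in role_names:
        role = roles[name]
        for tcode, acts in role.auths.items():
            out.setdefault(tcode, set()).update(acts)
        for tcode, acts in effective_auths(role.members, roles).items():
            out.setdefault(tcode, set()).update(acts)
    return out


def has_function(auths, func, permission_level):
    """Action level: holding any transaction of the function counts.
    Permission level: the transaction must also carry a changing ACTVT value,
    so a display-only grant (ACTVT 03) does not count."""
    for tcode, change_acts in FUNCTIONS[func].items():
        if tcode in auths and (not permission_level or auths[tcode] & change_acts):
            return True
    return False


def violations(auths, permission_level=True):
    """Risk IDs whose two functions are both held in the given authorizations."""
    return sorted(rid for rid, (f1, f2, _level) in RISKS.items()
                  if has_function(auths, f1, permission_level)
                  and has_function(auths, f2, permission_level))


def role_violations(permission_level=True):
    """Remediation view: roles that carry a whole conflict by themselves."""
    report = {}
    for name in ROLES:
        found = violations(effective_auths([name]), permission_level)
        if found:
            report[name] = found
    return report


def user_violations(permission_level=True):
    """Mitigation view: per-user conflicts, marking risks accepted under a control."""
    report = {}
    for user, role_names in USERS.items():
        for rid in violations(effective_auths(role_names), permission_level):
            status = "mitigated" if (user, rid) in MITIGATIONS else "OPEN"
            report.setdefault(user, []).append((rid, RISKS[rid][2], status))
    return report


if __name__ == "__main__":
    for label, flag in (("action level", False), ("permission level", True)):
        print(f"== {label} ==")
        print("roles:", role_violations(flag))
        print("users:", user_violations(flag))
```

At action level the display-only role Z:FI_VENDOR_V is flagged for P001 because it merely contains XK02 and F110, reproducing the "violations on display roles" observation; at permission level it disappears because it grants only ACTVT 03. The composite ZC:FI_ALL stays flagged at both levels, which is the remediation case (split the composite), while jdoe's P001 is reported as mitigated under the constructed control and bbrown's P002 remains open.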
Questions?
Send a mail to our CFO: Anne Girin anne.girin@ulg.ac.be