Securing The Largest Global Implementation Of SAP S/4HANA

Transcription

Securing the Largest Global Implementation of SAP S/4HANA
Fiona Williams, Partner, Deloitte & Touche LLP
ASUG84484
May 7 – 9, 2019

About the Speakers

Fiona Williams, Partner, Deloitte & Touche LLP
- 25 years of experience designing, developing, and implementing SAP security, controls, and governance, risk, and compliance (GRC) solutions
- Deputy CIO and CISO at Deloitte responsible for the internal S/4HANA implementation
- An Adult Third Culture Kid (ATCK)

David Jayne, Senior Manager, Deloitte & Touche LLP
- 15 years of experience designing, developing, and implementing SAP security, controls, and GRC solutions
- Lead for the SAP security, controls, and GRC workstreams on the S/4HANA implementation
- Has royal ancestry (according to research on Ancestry.com)

Agenda
- Deloitte’s Global S/4HANA Journey
- Globalization Impacts And Resolutions
- GRC Approach
- Security Approach
- Controls Approach
- Key Takeaways

Deloitte’s global S/4HANA journey

The case for change
Deloitte has achieved significant growth over the past 20 years, and as a result, we evolved to support our changing businesses on a global scale.

Evolving Business Model: Enable a more flexible financial system and processes to support our evolving global business and new revenue models.
Systems Modernization: Modernize our systems to handle anticipated increases in business transaction volumes.
Quickly adapt to the perpetually evolving regulatory environment, including Federal guidelines and accounting …
… talent development opportunities for our finance workforce by offering a chance to design, build, and use cutting-edge tools and technology.
Market Reputation: Implement innovative technologies and build client confidence in Deloitte capabilities in the Finance Transformation space.

Introduction to SWIFT
SWIFT is transforming Deloitte’s Finance processes, technology, and organization.
SWIFT: Strategic, World-Class, Innovative, and Forward-Thinking

SWIFT Features (SAP S/4HANA) and SWIFT Outcomes:
- End-to-End Integration
- Global Platform
- Data-Driven Insights
- Local Needs
- Latest Technology
- Refreshed Revenue Recognition
- Scalability
- Focus on Profit
- Optimize Efficiency
- Consistent Project Management

Inaugural Member Firms: United States, Canada, United Kingdom, Australia

SWIFT process scope and timeline
SWIFT is a multi-year program that will impact nine key functional areas across the Deloitte finance organization.

In-Scope Processes: Tax; Asset Management; Client to Cash; Procure to Pay; Planning & Forecasting; Treasury & Capital Management; Record to Report; Reporting & Analytics; Time

Timeline:
- Summer 2016: Global SWIFT Program Established
- Winter 2017: Wave 1 Go-Live
- Fall 2018: Wave 2 Go-Live

SWIFT technology landscape
SAP technologies at center stage for the SWIFT finance transformation:
- SAP S/4HANA
- Business Planning and Consolidation (BPC)
- Fiori
- Master Data Governance (MDG)
- SAP HANA Sidecar
- Financial Supply Chain Management (FSCM)
- SAP Ariba
- Cross Application Time Sheet (CATS)
- Commercial Project Management (CPM)
- GRC

SWIFT key impacts
Changes were far-reaching and aimed to benefit a large part of our organization.
- Refreshed Project Financial Management: Deliver intelligence to enhance engagement economics [first major organization to work with SAP in implementing CPM 2.0 on HANA]
- Modern User Experience: Teams can quickly access relevant real-time information through an intuitive and user-friendly interface (i.e., visual dashboard)
- Global Chart of Accounts: Single global ledger with intuitive and logical account groupings that are scalable
- Consistent KPIs: Centralized global KPIs across the Deloitte network of member firms to uniformly measure the health of the business

Globalization requirements

Globalization requirements
We deployed our security, controls, and GRC solution to address these requirements:
- Confidentiality: The need to protect client data requires a robust security strategy
- Global Governance: With the inclusion of the different member firms, governance over the systems and solution needed to be established
- Fit/gap: Differences in the local processes need to be addressed
- Harmonization: The global solution presents an opportunity to harmonize support
- Change Management: Establishing global change management is critical to success

Globalization requirements solution
We leveraged SAP GRC to help us address the globalization requirements.

Impact: Confidentiality
Resolution:
- Secure Provisioning: Identify appropriate approvers of confidential access and route all requests to them.
- Sensitive user access review: Enforce reviews of confidential access on a semi-annual basis.

Impact: Fit/Gap
Resolution:
- Control Repository: Build a complete listing of controls and clearly identify member firm relevance.
- Central point to manage risk: Set up one global GRC instance to manage access, business process, and IT risks.

Impact: Change Management
Resolution:
- Role change approval: Enable workflow approval of all business and single role creation or changes.
- Control Monitoring: Design rules in Process Control to identify changes in key configuration.

Impact: Harmonization
Resolution:
- GRC governance model: The GRC solution is serving as a model for the overall establishment of a global governance foundation.

GRC approach

GRC global deployment solution
GRC Access Control (AC) was deployed and Process Control (PC) was implemented as part of the cornerstone of the global governance solution.

Access Control goals:
- Enable business ownership of role content and role access
- Develop a global segregation of duties (SOD) framework to streamline access management and drive visibility into access violations
- Enforce emergency access management to require appropriate approval and drive accountability
- Establish a global user access review process to refresh security access

Access Control functionality: User Access Management; Emergency Access Management; Access Risk Analysis; Business Role Management; User Access Review

GRC global deployment solution

Process Control goals:
- Enable automated compliance as part of the foundation of the global design
- Leverage monitoring functionality to bring an integrated compliance view
- Standardize the control frameworks and drive control ownership

Process Control functionality: Continuous Control Monitoring; Control Surveys

Application security approach

Guiding principles
Established guidelines are important to maintain a flexible security design.
- No transaction code duplication: Transaction codes will not be assigned to multiple task-based roles (except based on restriction requirements).
- Security roles are SOD-free: All roles are free of SOD conflicts. This eliminates the possibility that users are assigned SOD conflicts by receiving one business role.
- Only GRC business roles are assigned to end users: All derived roles are mapped to business roles, which can be assigned to end users. No roles will be designed to bypass business role assignment.

SWIFT security model
The global solution required a scalable, flexible role security design.
- The SWIFT security model is designed utilizing a task-based security approach.
- The individual activities performed in a business process are identified and the associated business transactions are grouped into business activities.
- The organizational restrictions for the business activities are applied by creating geographical derivatives called derived roles.

Model layers: Jobs/Positions; Business Role; Business Activities/Tasks; Master Roles/Derived Roles; Business Transactions; SAP Transactions; Authorization Restrictions

Security design approach
The “least privilege access” concept was used when assigning access to users.

Integration of technical roles with business roles
The diagram below shows how the S/4HANA roles are integrated with the Fiori roles using GRC business roles.

Diagram components:
- GRC Business Role
- S/4HANA Composite Role: General End User Task Role; Transaction Task Role; Reporting Task Role; Fiori Task Role
- Gateway Composite Role: General End User Task Role; Launchpad Task Role; Task Role with catalog and groups

Segregation of duties (SOD) approach

SOD ruleset Fiori additions
Fiori permission checks were embedded in the SOD ruleset.
01. Fiori security only checks for oData service and authorization object access.
02. As a result, the SAP ruleset must include Fiori app permission-level checks.
03. For adding Fiori apps to the SOD ruleset, no transaction code information is available.
04. We leveraged the dummy t-code concept and corresponding permissions in the SOD ruleset.

SOD ruleset: t-code vs. Fiori differences
We identified different steps to determine authorization objects.

SOD rule for a t-code: Transaction Code → USOBT_C → Relevant Auth Objects
SOD rule for a Fiori app: oData Service → USOBHASH → Hash Code of Service → USOBT_C → Relevant Auth Objects

Key tables:
- USOBHASH provides the mapping of an oData service to its corresponding hash code.
- USOBT_C provides the mapping of authorization objects relevant for the corresponding t-code or Fiori-specific hash code.
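The two resolution paths above and the permission-level check from the previous slide, as an added Python example that is not part of the presentation and not SAP code: it models USOBHASH and USOBT_C with constructed rows, builds one SOD rule whose bank-maintenance function carries both the real t-code and a dummy t-code for the Fiori app, and shows that a t-code-only rule misses a user who reaches the function through the app. The service name, hash, risk functions and field values are placeholders; S_TCODE/TCD and S_SERVICE/SRV_NAME are the standard start-authorization fields, the remaining object/value pairs are illustrative.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Perm = Tuple[str, str, str]  # (authorization object, field, value)

# Constructed sample rows standing in for the two key tables; the service name,
# hash and field values are placeholders, not exported from a real system.
USOBHASH: Dict[str, str] = {"ZBANK_ACCOUNT_SRV_0001": "0123456789ABCDEF0123456789ABCDEF"}
USOBT_C: Dict[Tuple[str, str], FrozenSet[Perm]] = {  # (name, type): proposals
    ("FI12", "TR"): frozenset({("F_BNKA_MAN", "ACTVT", "02")}),  # TR = transaction
    ("0123456789ABCDEF0123456789ABCDEF", "HT"): frozenset({("F_BNKA_MAN", "ACTVT", "02")}),  # HT = hash
    ("F110", "TR"): frozenset({("F_REGU_BUK", "FBTCH", "21")}),
}

@dataclass(frozen=True)
class Action:
    name: str               # real t-code, or the dummy t-code standing in for a Fiori app
    start: Perm             # start check: S_TCODE for a t-code, S_SERVICE for an OData service
    perms: FrozenSet[Perm]  # permission-level checks proposed by USOBT_C

def tcode_action(tcode: str) -> Action:
    """Resolution path for a t-code: transaction code -> USOBT_C -> auth objects."""
    return Action(tcode, ("S_TCODE", "TCD", tcode), USOBT_C[(tcode, "TR")])

def fiori_action(dummy_tcode: str, service: str) -> Action:
    """Dummy t-code concept: OData service -> USOBHASH -> hash -> USOBT_C -> auth objects."""
    h = USOBHASH[service]
    return Action(dummy_tcode, ("S_SERVICE", "SRV_NAME", h), USOBT_C[(h, "HT")])

def can_perform(user: FrozenSet[Perm], action: Action) -> bool:
    """Permission level: the user needs the start authorization and every proposed value."""
    return action.start in user and action.perms <= user

def violates(user: FrozenSet[Perm], function_a: List[Action], function_b: List[Action]) -> bool:
    """An SOD risk fires when the user can perform an action of both conflicting functions."""
    return (any(can_perform(user, a) for a in function_a)
            and any(can_perform(user, b) for b in function_b))

# Constructed rule: maintain bank master (function A) vs. run payments (function B).
TCODE_ONLY_A = [tcode_action("FI12")]
FIORI_AWARE_A = [tcode_action("FI12"), fiori_action("ZFIORI_BANK", "ZBANK_ACCOUNT_SRV_0001")]
FUNCTION_B = [tcode_action("F110")]

# Constructed user: bank maintenance only through the Fiori app, plus the payment run.
FIORI_USER: FrozenSet[Perm] = frozenset({
    ("S_SERVICE", "SRV_NAME", "0123456789ABCDEF0123456789ABCDEF"),
    ("F_BNKA_MAN", "ACTVT", "02"),
    ("S_TCODE", "TCD", "F110"),
    ("F_REGU_BUK", "FBTCH", "21"),
})
```

`violates(FIORI_USER, TCODE_ONLY_A, FUNCTION_B)` is False while `violates(FIORI_USER, FIORI_AWARE_A, FUNCTION_B)` is True, which is the gap the dummy t-code entries close.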

Controls approach

S/4HANA capabilities and control drivers
The global solution provides many opportunities but also presents controls challenges that need to be addressed.
- Appendix Ledgers: Integration of Finance (FI) and Controlling (CO) still allows flexibility with appendix ledgers (e.g., manual G/L postings in an appendix ledger while the base ledger is closed to postings)
- Real-time Close: Reduction in batch close processes, processes designed for real-time operations, and availability of reporting on demand
- Universal Journal: A true single source of truth for all accounting components – no more reconciliation
- Central Finance: Pre-built SLT libraries and data transformation capabilities enable rapid deployment of SFIN as a central financial platform

Business process control impact overview
S/4HANA introduces new functionality which was previously not available in older versions. Along with the new functionality, there are changes in the existing functionality as well. These changes require review of business process controls, broadly classified in two areas:

New Functionality
Example: Traditional controls focused on maintenance of bank master: “Bank master data maintenance is accurate, complete, and performed in a timely manner.”
In S/4HANA, bank account workflows can be used for opening, closing, sensitive attribute change, etc., for enhanced control. The new control objective in this scenario would be: “SAP is configured with a workflow that requires opening, closing, and sensitive data field changes in bank accounts to be approved prior to being effective.”

Changed Functionality
Example: The traditional control for reviewing cash position referenced old t-codes: “The liquidity forecast report (transaction FF7B) is generated and reviewed on a daily basis to check the cash position.”
In S/4HANA, this functionality has moved to a Fiori application. Old transactions like FF7B do not work in SFIN. The new control objective in this scenario would be: “The liquidity forecast report (via Fiori application Cash Position) is generated and reviewed on a daily basis to check the cash position.”

S/4HANA control impact example: Universal Journal
Universal Journal: A true single source of truth for all accounting components — no more reconciliation; a simple and holistic data model allows for flexible reporting and dynamic hierarchies pulling from line item detail in real time.

Control Impact
- SAP has introduced a new table named ‘ACDOCA’ for the Universal Journal. It allows bringing data from General Ledger, Asset Accounting, Material Ledger, and Controlling (including coding block & CO-PA) into one journal.
- As a result, the traditional control requirement for reconciliations between sub-ledgers and general ledgers is no longer needed.
- Example of new control description: SAP S/4HANA automatically posts data from General Ledger, Asset Accounting, Material Ledger, and Controlling into a universal journal (table ACDOCA), which eliminates the need for reconciliation of these accounts.
- Additionally, table ACDOCA (universal journal) replaced all the aggregate and index tables such as FAGLFLEXA (General Ledger Line Item table).

S/4HANA control impact example: Appendix Ledgers
Appendix Ledgers: Integration of FI and CO still allows flexibility with appendix ledgers (e.g., manual G/L postings in an appendix ledger while the base ledger is closed to postings); no reconciliation required.

Control Impact
- SAP has overcome the need for reconciliation (FI & CO) and the need for settlement (all cost elements, including secondary cost elements, are G/L accounts).
- As a result, the traditional control requirement for FI & CO reconciliation and cost element settlement is no longer needed.
- Example of new control description: SAP S/4HANA automatically posts data from General Ledger, Asset Accounting, Material Ledger, and Controlling into a universal journal (table ACDOCA), which eliminates the need for reconciliation of these accounts.

S/4HANA control impact example: Real-time Close
Real-time Close: Reduction in batch close processes, processes designed for real-time operations, and availability of reporting on demand enables the transition to a continuous (soft) close.

Control Impact
- The functionality of the standard closing cockpit is not available in S/4HANA. Transaction codes CLOCO, CLOCOC, CLOCOS, and CLOCOT are eliminated.
- As a result, the traditional control requirements for closing activities checklist and monitoring can be removed.
  – SAP S/4HANA is configured to automatically post the approved write-off amount to bad debt expense and hence systematically close the invoice within the system.
  – SAP S/4HANA is configured to automatically update the fixed asset plan values in real time with every master data change and every asset transaction.

S/4HANA control impact example: Central Finance
Central Finance: Pre-built SLT libraries and data transformation capabilities enable rapid deployment of SFIN as a central financial platform.

Control Impact
- Business Partner (BP) is now capable of centrally managing master data for business partners, customers, and vendors. BP is the single point of entry to create, edit, and display master data for business partners, customers, and vendors.
- The (mandatory) target approach in SAP S/4HANA is the Business Partner approach (Custome
