Compliance Trends and Techniques in Higher Education
Sherry Amos
Director, Industry Strategy, SAP
Craig Kennedy
Executive Solution Engineer, SAP
Craig Weisiger
SAP Security Analyst, Baylor College of Medicine
Governance, Risk, and Compliance Trends
Sherry Amos
Director, Industry Strategy, SAP
GRC in Detail
Craig Kennedy
Solution Engineer, SAP
Context: What does SAP do?
SAP ERP
Student Lifecycle
Financials
Human Capital Management
Supply Chain
Facilities
Analytics
SAP NetWeaver™ (slide figure: People Integration, multi-channel access, Composite Application Framework, automated processes)
Multi channel access: SAP NetWeaver provides SAP ERP with a …
SAP solutions for GRC (slide figure: Enterprise Risk Management spanning business applications and IT infrastructure, with risk embedded in processes)
Access Control
Process Control
Repository
Global Trade Services
Applications for EH&S Compliance Management
Risk Management
Questions
SAP GRC Access Control
Sustainable prevention of segregation of duties violations
Effective Time To Compliance (Get Clean)
• Risk Identification and Remediation – rapid, cost-effective and comprehensive initial clean-up
Minimal Continuous Access Management (Stay Clean)
• Enterprise Role Management – enforce SoD compliance at design time
• Compliant User Provisioning – prevent SoD violations at run time
• Superuser Privilege Management – close #1 audit issue with temporary emergency access
Management Oversight and Audit (Stay in Control)
• Periodic Access Review and Audit – focus on remaining challenges during recurring audits
(Slide figure: sample SoD risk matrix linking transaction codes FB05, MIGO, MB1A, SU01, F-29, FK01, MB21, MB01 and FK02 and authorization objects F_BKPF_GSB, F_BKPF_BUP, M_MSEG_BWA, M_MSEG_LGO, S_TCODE, M_MSEG_BWE, F_BKPF_BUK, M_MRES_BWA and F_BKPF_KOA to risk ids S1–S5 and C1–C3)
Access Control: Risk Elimination, End-to-End Automation, Reporting, Prevention
“The clean-up process has brought a tremendous degree of discipline to the way we think about and manage user access and authorizations.”
Synopsys Inc.
Compliant user provisioning workflow (slide figure): HR event (employee hired/retired) → request generated → approval path based on request type and user attributes → manager approval via e-mail, with escalation workflow → risk analysis (one-click preventive simulation) → exception workflow → automated provisioning. 100% automated preventive workflow.
• Embed cross-enterprise compliance in business process
• Reduce cost of user administration
• Improve productivity of end users
• Provide auditable tracking for auditors
Periodic access review and audit (slide figure): review user provisioning, review emergency access, management review, review potential risks, review policy; Internal Audit: 1) validate via sampling that changes to access were appropriately authorized. 100% automated.
• Management by exception
• Automated, pre-built access controls reporting
• Review of roles, users and mitigation controls
• Equips internal and external auditors to complete comprehensive and efficient testing
• Saves audit and audit-related fees
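As an added example (not code from the slides or from SAP's product), the SoD logic the Access Control slides describe, reduced to a small script: "get clean" finds a user's existing violations, "stay clean" simulates a role request before provisioning, and mitigation controls record accepted risks. The transaction codes are those on the slide; the function names, risk ids, roles and mitigations are constructed.

```python
"""SoD risk analysis and preventive simulation (constructed example).

A risk is a pair of conflicting business functions; a function is a set of
transaction codes (tcodes); a user violates a risk when the union of their
roles grants at least one tcode from each side. Mitigation controls record
accepted risks. Tcodes are those shown on the slide; function names, risk
ids, roles and mitigations are made up for this example.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

FUNCTIONS: Dict[str, FrozenSet[str]] = {      # business function -> tcodes
    "VENDOR_MASTER": frozenset({"FK01", "FK02"}),
    "PAYMENTS": frozenset({"F-29", "FB05"}),
    "GOODS_MOVEMENT": frozenset({"MIGO", "MB1A"}),
    "USER_ADMIN": frozenset({"SU01"}),
}
RISKS: Dict[str, Tuple[str, str]] = {         # risk id -> conflicting functions
    "S1": ("VENDOR_MASTER", "PAYMENTS"),      # create a vendor and pay it
    "S2": ("GOODS_MOVEMENT", "PAYMENTS"),     # book a receipt and pay for it
    "C1": ("USER_ADMIN", "PAYMENTS"),         # grant oneself payment access
}
ROLES: Dict[str, Set[str]] = {                # role -> tcodes (constructed)
    "AP_CLERK": {"F-29", "FB05"},
    "VENDOR_MAINT": {"FK01", "FK02"},
    "WAREHOUSE": {"MIGO", "MB1A"},
    "BASIS_ADMIN": {"SU01"},
}

def effective_tcodes(roles: List[str]) -> Set[str]:
    """Flatten a user's role list into the tcodes it grants."""
    return set().union(*(ROLES[r] for r in roles))

def violations(roles: List[str], mitigated: Set[str] = frozenset()) -> List[str]:
    """'Get clean': risk ids the user violates, minus those with a mitigation control."""
    tcodes = effective_tcodes(roles)
    hits = [rid for rid, (a, b) in RISKS.items()
            if tcodes & FUNCTIONS[a] and tcodes & FUNCTIONS[b]]
    return sorted(r for r in hits if r not in mitigated)

def simulate(roles: List[str], new_role: str, mitigated: Set[str] = frozenset()) -> List[str]:
    """'Stay clean': risks that provisioning new_role would newly introduce."""
    before = set(violations(roles, mitigated))
    after = set(violations(roles + [new_role], mitigated))
    return sorted(after - before)

if __name__ == "__main__":
    print(violations(["AP_CLERK", "VENDOR_MAINT"]))          # ['S1']
    print(violations(["AP_CLERK", "VENDOR_MAINT"], {"S1"}))  # [] once mitigated
    print(simulate(["AP_CLERK"], "BASIS_ADMIN"))             # ['C1']
```

A real deployment evaluates authorization objects and field values rather than bare tcodes, but the conflict check is the same set intersection.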
Craig Weisiger
SAP Security Analyst
Baylor College of Medicine
Background and General Info
Users – 14000
R/3 Roles – 5200
Main Roles – 417
Composite Roles – 45
Derived Roles – 2897
Portal Roles – 10
Assigned to users – 4
Communications or Support Roles – 6
FireFighter
– Widely used with SME and Audit
– Use a one-to-one Firefighter account to user
– Special Roles for Viewing Reports
Compliance Calibrator
– In place during 3 external audits
– Audit has found no issues with roles
– Assignment issues with users
  – Mitigation controls moved responsibility to Business Units
Role Expert
– Have elected not to use at this time due to our role design
– Would recommend Role Expert for new installations
Reporting capabilities
– Real Time
– Distributed to appropriate Managers
Process Control
SAP GRC Process Control (slide figure: control monitoring and certification cycle; readable labels: Monitor, effectiveness of controls, Certify and Sign-off (302, Designs, …), Process-Control-Objective-Risk)
• Supports end-to-end enterprise control management with single solution
• Enables management by exception
Global Trade Services
SAP Global Trade Services (SAP GTS)
(Slide figure: Increased Productivity and Business Insight; Integrate Systems, Data and Business Partners)
Applications: ERP, SCM/CRM, SRM, Legacy
Data: HTS, ECCN, Duty Rates, SPL, Rules of Origin, etc.
Business Partners: Customer & Supplier, Freight Forwarder, Customs Agencies, Data Banks
Key Compliance Issues for Higher Education
“Deemed” Exports
The US Department of State, Office of Defense Trade Controls (ODTC), is responsible for items and
information inherently military in design, purpose, or use. Referred to as "defense articles," such items
are found on the US Munitions List, 22 CFR 121 (linked above). Spacecraft and satellites, even if not for
military use, are on the Munitions List, along with their associated systems and related equipment.
Information related to Defense Articles is referred to as "technical data."
The US Department of Commerce, Bureau of Industry and Security (BIS), has export jurisdiction over
everything in the United States, although BIS does not require a license for every export. BIS controls
goods and information having both civilian and military uses by including them on the Commerce Control
List, 15 CFR 774. This is also known as the "Dual Use List" (linked above). BIS uses the term
"technology" when referring to information about the goods on the Commerce Control List.
The US Department of the Treasury oversees US trade embargoes through its Office of Foreign Assets
Control (OFAC). Empowered by the Trading with the Enemy Act and the International Emergency
Economic Powers Act, OFAC enforces anti-terrorism sanctions at our borders and through Customs.
Concerned with the giving of "assistance" to the enemy, the pertinent regulations provide OFAC with
broad authority to interdict vaguely defined "prohibited transactions" involving persons from sanctioned
countries.
How GTS manages Deemed Exports
Universities screen…
Visitor Entrance to Facilities – Screens visitors in real time through a badging or visitor management system; no extra steps needed. Centralizes a global audit trail of all visitor screening and results of sanctioned party matching, with alerts triggered if a match is found.
Foreign National Students and Researchers – Screens all students and researchers against sanctioned parties lists as well as EAR/ITAR controls. Manages the licensing and exception/exemption requirements.
Human Resources Systems – Reviews all business partners, including current employees, external consultants and applicants, against name, address, country of citizenship and project classification to ensure compliance with US EAR deemed export regulations.
Web Download Transactions – Reviews web download transactions in real time against sanctioned parties, US EAR, US ITAR and OGA regulations.
Travel Itineraries – Screens all travel requests, itineraries and existing trips.
(Slide figure: back-end systems for Sales, HR, Visit, Download, Travel and Ad Hoc Reps feed SAP Solutions for GRC through SAP NetWeaver integration and workflow, with alerts, business intelligence and management reporting)
Applications for EH&S Compliance Management
Environment, Health & Safety
Enables Environmental Execution and Legal Compliance
• Product Safety *
• Hazardous Substance Management **
• Dangerous Goods Management
• Global Label Management
• Industrial Hygiene and Safety
• Occupational Health
• Waste Management
• Basic Data & Tools
• EH&S Analytics & Reporting
(Slide figure labels: Substances, Work areas, Employee)
* for producers of hazardous substances (regulatory)
** for users of hazardous substances (regulatory)
One solution for all industries
The World of SAP EH&S
(Slide figure: SAP ERP – Human Capital Management, Enterprise Asset Management, Financials/Accounting, Research, Procurement, AR – with business process integration to EH&S)
Increase Efficiency
Seamless integration with SAP ERP
Flexible and easy reuse of master data from SAP ERP
“We are now going to integrate EHS business processes such as product safety, dangerous
goods and waste management and industrial health and safety into the existing SAP R/3
environment. This integration is the real power of EH&S and will reduce EHS and other costs
significantly.”
Aventis
SAP Environmental Compliance
(Slide figure: SAP EH&S modules OH, IHS, HSM, PS, DG and WM at the product compliance and environmental compliance levels, alongside REACH and CfP; environmental compliance covers management of exceptions and limit tracking)
• Support legally and corporate defined environmental processes - air and water emissions and wastes - compliance reporting and permit management
SAP Public Services, Inc., Washington, DC
Baylor College of Medicine, Houston, TX
SAP Public Services, Inc., Newtown Square, PA