Access Violation Management in REMEDYNE: An Introduction

When setting up your SAP authorization concept, you follow two rules:

  1. minimize access (in particular to very risky transactions/data)
  2. avoid combinations of access authorizations that are risky, like creating a vendor and posting an invoice for the same vendor.

REMEDYNE has built-in controls for several SOD use cases, like SOD risks that you will find in the SOD matrix of SAP GRC Access Controls. But you can set up your own, new rules very easily. Here we explain a few basics that you should understand when you start your journey.

Where does SAP save information about who created or changed an SAP Business Object?

When a user creates a vendor in the SAP system, the username is saved together with the vendor master data in table LFA1, in field LFA1-ERNAM (created by).
When a user later changes data for the vendor, the changes are logged in SAP change documents. Change documents exist for more than 1,500 business objects in SAP ERP and S/4HANA, and customers can also define their own change document objects. A change document is a small, fixed data set that records which object was changed, by whom (username), when, and the details of the change (old value/new value). All change documents are stored in the tables CDHDR (the header: object, user, date, time and transaction) and CDPOS (the items: table, field, old value and new value).

How can you make use of the data?

Take the example above of creating or changing a vendor and posting or changing an invoice: there are four combinations you need to check if you want to cover all of the risk in this scenario:

  1. user creates vendor and posts invoice
  2. user creates vendor and changes invoice
  3. user changes vendor and posts invoice
  4. user changes vendor and changes invoice

In all cases, the user might try to set up a bogus vendor/invoice or change bank details and divert a payment.

So in order to cover all four scenarios, you need four queries that read data from different sources, compare the usernames, and make sure the invoice belongs to the same vendor:

  1. user creates vendor and posts invoice: table – table
  2. user creates vendor and changes invoice: table – change document (type BELEG _or_ INCOMINGINVOICE)
  3. user changes vendor and posts invoice: change document – table
  4. user changes vendor and changes invoice: change document – change document

The tables involved are LFA1 and BKPF for vendor and invoice respectively, and the change document types are KRED (for the vendor), and BELEG (accounting document) or INCOMINGINVOICE (for MM invoices).

Because scenarios 2 and 4 each have to be checked against both BELEG and INCOMINGINVOICE, this simple example already needs six (!) data-source combinations in order to detect all possible cases.

Because reading data from a table and reading data from a change document work differently, different methods and tools are required.

How REMEDYNE helps to access and correlate the data

We have developed three tools that make life easier and allow you to detect all cases where a user executes a high-risk transaction or changes critical data, or executes a high-risk combination of transactions or data changes.
For single transactions that are considered high risk, you can use the Single Action Tool: it lets you define which business object and change document object you want to monitor, and even which field you consider critical, e.g. monitor only changes to vendor bank details.
For combinations of transactions, you can use the SOD Tool and/or the SAP standard Query Viewer (SQVI) together with our mapping tool. The SOD Tool gives access to data in change documents and automatically correlates only change documents that "belong together", such as invoices from the same vendor that was changed. The SAP standard transaction SQVI lets you create and run analyses of data in tables.

These 3 tools are our framework for Access Violation Management and can be set up by users without coding.

We have examples in our Knowledge Base on how to set up SOD controls using these tools.
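To make the correlation concrete, here is an added, runnable illustration of the four vendor/invoice scenarios from the previous section and of a "bank details only" field filter of the kind the Single Action Tool applies. This is example code written for this page, not REMEDYNE's tools or SQVI output: the logic is plain SQL over in-memory copies of the tables involved, driven from Python. Table and field names are SAP standard (LFA1-ERNAM, BKPF-USNAM, BSEG-LIFNR, CDHDR, CDPOS, change document objects KRED and BELEG, bank fields in LFBK), but every row is constructed test data, and the INCOMINGINVOICE variants of scenarios 2 and 4 are left out; they would be the same query against object class INCOMINGINVOICE and the RBKP keys.

```python
import sqlite3

# Constructed test data (not real SAP records). Field names follow the SAP standard tables.
LFA1 = [  # vendor master: LIFNR, ERNAM (created by)
    ("0000100001", "ALICE"),
    ("0000100002", "BOB"),
]
BKPF = [  # accounting document header: BUKRS, BELNR, GJAHR, USNAM (posted by)
    ("1000", "1900000001", "2024", "ALICE"),  # Alice posts an invoice for the vendor she created
    ("1000", "1900000002", "2024", "CAROL"),
    ("1000", "1900000003", "2024", "DAVE"),
]
BSEG = [  # vendor line item of the document: BUKRS, BELNR, GJAHR, LIFNR
    ("1000", "1900000001", "2024", "0000100001"),
    ("1000", "1900000002", "2024", "0000100002"),
    ("1000", "1900000003", "2024", "0000100002"),
]
CDHDR = [  # change document header: OBJECTCLAS, OBJECTID, CHANGENR, USERNAME
    ("KRED",  "0000100002",         "0000000001", "DAVE"),   # Dave changes vendor 100002 ...
    ("BELEG", "100019000000032024", "0000000002", "DAVE"),   # ... and changes an invoice of that vendor
    ("BELEG", "100019000000022024", "0000000003", "BOB"),    # Bob changes an invoice of the vendor he created
    ("KRED",  "0000100002",         "0000000004", "CAROL"),  # Carol changes vendor 100002 too ...
]
CDPOS = [  # change document item: OBJECTCLAS, OBJECTID, CHANGENR, TABNAME, FNAME
    ("KRED",  "0000100002",         "0000000001", "LFBK", "BANKN"),  # bank account number
    ("BELEG", "100019000000032024", "0000000002", "BSEG", "ZLSPR"),  # payment block
    ("BELEG", "100019000000022024", "0000000003", "BSEG", "ZLSPR"),
    ("KRED",  "0000100002",         "0000000004", "LFA1", "TELF1"),  # ... but only the phone number
]
# "Bank details only" filter: a vendor change counts only if one of these fields was touched.
CRITICAL_VENDOR_FIELDS = {("LFBK", "BANKL"), ("LFBK", "BANKN")}

SCHEMA = """
CREATE TABLE LFA1  (LIFNR, ERNAM);
CREATE TABLE BKPF  (BUKRS, BELNR, GJAHR, USNAM);
CREATE TABLE BSEG  (BUKRS, BELNR, GJAHR, LIFNR);
CREATE TABLE CDHDR (OBJECTCLAS, OBJECTID, CHANGENR, USERNAME);
CREATE TABLE CDPOS (OBJECTCLAS, OBJECTID, CHANGENR, TABNAME, FNAME);
"""


def load() -> sqlite3.Connection:
    """Create the in-memory tables and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in (("LFA1", LFA1), ("BKPF", BKPF), ("BSEG", BSEG),
                        ("CDHDR", CDHDR), ("CDPOS", CDPOS)):
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def find_sod_violations(conn, critical_fields=None):
    """Return a set of (scenario, user, vendor, invoice) for the four create/change pairings.

    Scenarios 1 and 3 read the posting user from the table (BKPF-USNAM); scenarios 2 and 4
    read the changing user from the BELEG change document. Vendor changes come from KRED
    change documents, optionally restricted to critical fields via CDPOS (TABNAME, FNAME).
    """
    field_filter, params = "", []
    if critical_fields:
        clauses = " OR ".join("(p.TABNAME = ? AND p.FNAME = ?)" for _ in critical_fields)
        field_filter = f" AND ({clauses})"
        params = [part for pair in sorted(critical_fields) for part in pair]
    sql = f"""
    WITH invoices AS (          -- header joined to its vendor line; OBJECTID is the CDHDR key of a BELEG
        SELECT k.BELNR, k.USNAM, s.LIFNR, k.BUKRS || k.BELNR || k.GJAHR AS OBJECTID
        FROM BKPF k JOIN BSEG s ON s.BUKRS = k.BUKRS AND s.BELNR = k.BELNR AND s.GJAHR = k.GJAHR),
    vendor_changes AS (         -- who changed which vendor (KRED), one row per user and vendor
        SELECT DISTINCT h.USERNAME, h.OBJECTID AS LIFNR
        FROM CDHDR h JOIN CDPOS p ON p.OBJECTCLAS = h.OBJECTCLAS
                                 AND p.OBJECTID = h.OBJECTID AND p.CHANGENR = h.CHANGENR
        WHERE h.OBJECTCLAS = 'KRED'{field_filter}),
    invoice_changes AS (        -- who changed which accounting document (BELEG)
        SELECT DISTINCT USERNAME, OBJECTID FROM CDHDR WHERE OBJECTCLAS = 'BELEG')
    SELECT 'create_vendor+post_invoice', l.ERNAM, l.LIFNR, i.BELNR
      FROM LFA1 l JOIN invoices i ON i.LIFNR = l.LIFNR AND i.USNAM = l.ERNAM
    UNION
    SELECT 'create_vendor+change_invoice', l.ERNAM, l.LIFNR, i.BELNR
      FROM LFA1 l JOIN invoices i ON i.LIFNR = l.LIFNR
      JOIN invoice_changes c ON c.OBJECTID = i.OBJECTID AND c.USERNAME = l.ERNAM
    UNION
    SELECT 'change_vendor+post_invoice', v.USERNAME, v.LIFNR, i.BELNR
      FROM vendor_changes v JOIN invoices i ON i.LIFNR = v.LIFNR AND i.USNAM = v.USERNAME
    UNION
    SELECT 'change_vendor+change_invoice', v.USERNAME, v.LIFNR, i.BELNR
      FROM vendor_changes v JOIN invoices i ON i.LIFNR = v.LIFNR
      JOIN invoice_changes c ON c.OBJECTID = i.OBJECTID AND c.USERNAME = v.USERNAME
    """
    return set(conn.execute(sql, params).fetchall())


if __name__ == "__main__":
    conn = load()
    print("any vendor change:", len(find_sod_violations(conn)), "hits")
    for hit in sorted(find_sod_violations(conn, CRITICAL_VENDOR_FIELDS)):
        print("bank details only:", *hit)
```

Without the field filter the constructed data yields five hits, including Carol, who only changed a phone number and then posted an invoice for the same vendor; with the bank-field filter that hit disappears and four remain. The point of the filter is exactly this: it keeps the alert volume down to the changes that can actually divert a payment.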

From risk to mitigation

Access risks such as those in the SAP GRC Access Controls SoD matrix can in some cases be avoided by changing SAP authorization roles, or by assigning different roles to users when reorganizing work and processes. In many cases, however, organizations cannot avoid granting high-risk combinations of authorizations, simply because they have too few users to separate the duties. In that case you end up with residual risks in SAP GRC Access Controls and accept them. REMEDYNE's Access Violation Management allows you to set up a control for each residual risk you have in SAP GRC and to monitor all activities related to it. You can then review the activities and have compensating controls for those risks.

Easy SoD — Segregation of Duties Rules in SAP ERP

Segregation of Duties (SoD) is a major element of SAP authorization concepts: user authorizations should be minimal, i.e. you restrict access to critical functions (single actions), and you try to avoid granting access to critical combinations of activities (SoD), such as one user creating vendors and maintaining their bank data while also entering invoices for the same vendors or initiating payments. This would violate the four-eyes principle and create process risks that open up opportunities for errors and fraud.

SAP systems log a lot of useful information that can be used to mitigate risks, but it is sometimes hard to find, access and use. Changes to business objects can be in tables or in change documents, and for SoD analysis you have to combine data from these different sources.

SoD analysis in SAP is a cumbersome process: it usually requires a separate installation of SAP GRC Access Controls or another third-party system that reads the data from your SAP system and lets you check the results there.

SAP GRC requires additional implementation in order to be used by clients.

However, these statements aren’t entirely true.

Let us explain why.

REMEDYNE has been on the market for quite a while; it is a mature product with a lot to offer its clients.

On top of that, it is an add-on to your existing SAP installation and does not require installing any software on new hardware or on a cloud server.

With a simple transport request REMEDYNE is imported to your SAP environment.

And now comes the easy part.

With the transport request our clients receive more than 100 predefined checks, pre-configured based on SAP best practices, plus a handful of tools that let you create your own SoD checks without any coding knowledge.

Users are expected to be familiar with the standard SAP tables and to have a general understanding of SAP change objects.

Let us dig a bit deeper into how one can create SoD checks without any coding skills.

First and foremost, you need to know what you want to achieve.

Second you need to know where this information is stored.

And finally how this information will be retrieved and displayed in a user friendly format.

What?

You have been in contact with your external auditors, usually a Big 4 firm, and more or less all of them work with the same SoD matrices. Their SoD checks are run only once a year during the audit, unless you run SAP GRC or another tool that checks continuously. Each rule in such a matrix describes a combination of actions that a single user must not be able to perform. These SoD matrices are a great starting point!

Where?

As mentioned previously, all data in SAP is stored in tables. SAP uses a pair of tables for documents: the header table holds the main information of the document (posting date, who posted it, document type, and so on), and the item table holds the detailed lines (material number, posting keys, item values, quantities, etc.). For accounting documents, for example, the pair is BKPF (header) and BSEG (items).

The other source of information is change objects.

For those of you unfamiliar with change objects: for every business object that has a change document object defined, SAP logs each change as a change document. Changes can be viewed either with a separate transaction or with an option within the data maintenance transaction. A change document contains all the relevant information: the changed object and data set, old and new values, date and time of the change, and the user who made it.

How?

REMEDYNE has created a couple of tools that make the "what" and the "where" usable inside REMEDYNE; we introduced them in a previous post on this website:

· SoD tool, which correlates two different change objects;

· Single Action tool, which analyzes one change object, table or field;

· QV2CHECK, which uses the power of SQVI to combine the results of the Single Action tool with any combination of SAP tables.

Find out how you set up controls in our Knowledge Base article on our website.

REMEDYNE has built-in checks, and users can easily create new controls from hard-to-access data, allowing them to monitor critical activities and mitigate the residual risks left by SAP roles and authorizations.

Time for an Update – Many Changes in recent Releases

We have been neglecting this blog in the last 2 years or so, but we have been very busy working on the product and with customers. Here comes a short overview of important updates since release 3.0.

UI5 App

Customers can use our new UI5 app to access alerts from almost any device.

Preview of a REMEDYNE alert in the UI5 app

Action!

REMEDYNE alerts can now trigger a wide range of actions, such as sending emails, blocking a vendor or a financial document, releasing a block, or stopping a payment. These auto-reaction methods (actions) are easy to set up from a dropdown menu and increase the effectiveness of the controls.

Alerts and user activities can trigger automated actions in the SAP system

SAP GRC Process Controls Integration

REMEDYNE alerts can be accessed from SAP GRC Process Controls through the SAP Query method. Based on alert type, company code, etc., an alert can be assigned via the risk-control matrix to an owner, who can assign a mitigation plan or close the alert.

Integration with SAP GRC Process Controls or other workflow tools.

Access Violation Management

Segregation-of-duties (SoD) conflicts and access to critical functions are a major issue in SAP ERP security. We have a new tool with patent-pending technology that allows users to track critical actions or executed SoD transaction combinations, and that offers a risk mitigation for issues the SAP authorization concept cannot cover.

Easy configuration of the Access Violation Management: users can select objects to monitor from a list, and even add filters (e.g. you do not want to see all changes to vendor master data, but only to bank data).

If you use a tool such as SAP GRC Access Controls, you can now mitigate residual risks that cannot be covered by the SAP authorization concept:

Each SoD Risk in SAP GRC Access Controls or a similar tool can be monitored by REMEDYNE.

Risks in the Access Controls/SoD matrix can be monitored with REMEDYNE Access Violation Management.

Sanction List Screening, Business Partner Screening

We have teamed up with our friends at sanctions.io to provide integrated screening against the most important sanction lists (from the US/OFAC, UN, UK, and EU). This screening is built in to the standard REMEDYNE tool and available at no additional costs!

Create Custom REMEDYNE Checks in Minutes using the SAP standard Query Viewer SQVI

Any query you have defined in the SAP Query Viewer (transaction SQVI) can easily be converted into a REMEDYNE check. This way you can create new controls for your continuous monitoring or continuous auditing in minutes; our next blog post will explain how, so stay tuned!

Sanctioned Party List Screening: Ensure Compliance in Trade

A sanctioned party list contains persons and companies with whom trade is prohibited by law. Sanctioned party lists are issued by government agencies and are binding for all traders. Failure to comply with financial or trade sanctions is a criminal offence in many countries.
During sanctioned party list screening, you compare your business partner addresses with the addresses on the relevant sanctioned party lists. When you export goods, for example, you can automatically compare the consignees’ addresses with the sanctioned party list.
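The matching step is where screening implementations differ most, because a verbatim comparison misses reordered name parts, diacritics and legal-form suffixes. As an added illustration (example code written for this page, not sanctions.io's or REMEDYNE's implementation), the following Python screens a business partner name against a small constructed list. The list entries, aliases and the 0.85 threshold are invented for the example; real screening also compares addresses, dates of birth and identifiers, and the threshold is tuned against the false-positive volume a compliance team can review.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sanction list for this example: (list id, listed name, known aliases).
# These are invented entries, not taken from any real list.
SANCTION_LIST = [
    ("SDN-0001", "Nordwind Handelsgesellschaft mbH", ["Nordwind Trading GmbH"]),
    ("EU-0042", "Jana Nováková", []),
    ("UK-0007", "Blue Harbour Shipping Limited", []),
]

# Legal-form words carry no identity and are dropped before comparing.
LEGAL_FORMS = {"gmbh", "mbh", "ltd", "limited", "llc", "inc", "ag", "sa", "plc", "co", "corp"}


def normalize(name: str) -> list:
    """Strip diacritics and punctuation, case-fold, drop legal forms, sort the tokens.

    Sorting makes 'Nováková, Jana' and 'Jana Novakova' compare equal.
    """
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", ascii_name.casefold())
    return sorted(t for t in tokens if t not in LEGAL_FORMS)


def similarity(a: str, b: str) -> float:
    """Best of token overlap (Jaccard) and character similarity of the normalized names."""
    ta, tb = normalize(a), normalize(b)
    if not ta or not tb:
        return 0.0
    jaccard = len(set(ta) & set(tb)) / len(set(ta) | set(tb))
    chars = SequenceMatcher(None, " ".join(ta), " ".join(tb)).ratio()
    return max(jaccard, chars)


def exact_match(partner_name: str) -> bool:
    """Naive screening: verbatim comparison only. Kept here to show what it misses."""
    return any(partner_name == n
               for _, primary, aliases in SANCTION_LIST for n in [primary, *aliases])


def screen(partner_name: str, threshold: float = 0.85) -> list:
    """Return [(list id, listed name, score)] for every entry at or above the threshold."""
    hits = []
    for list_id, primary, aliases in SANCTION_LIST:
        best = max(similarity(partner_name, n) for n in [primary, *aliases])
        if best >= threshold:
            hits.append((list_id, primary, round(best, 2)))
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    for partner in ["Novakova, Jana", "Blue Harbor Shipping Ltd.",
                    "Nordwind Trading GmbH", "Green Valley Foods"]:
        print(f"{partner!r}: exact={exact_match(partner)} fuzzy={screen(partner)}")
```

"Novakova, Jana" is not found by the exact comparison but scores 1.0 after normalization, and the US spelling "Blue Harbor Shipping Ltd." still scores above 0.9 on character similarity. Keeping aliases on the list entry (rather than trying to make the scorer bridge "Handelsgesellschaft" and "Trading") is the usual way to handle translated company names.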

Lists that might be relevant to you:
Consolidated United Nations Security Council Sanctions List – UN
Consolidated list of persons, groups and entities subject to EU financial sanctions (CFSP) – EU
Consolidated list of targets – HM Treasury, UK
Denied Persons List (DPL) – US Bureau of Industry and Security
ITAR Debarred (DTC) – US State Department
Entity List (EL) – US Bureau of Industry and Security
Foreign Sanctions Evaders (FSE) – US Treasury Department
Non-SDN Iranian Sanctions Act List (NS-ISA) – US Treasury Department
Nonproliferation Sanctions (ISN) – US State Department
Part 561 List (561) – US Treasury Department
Palestinian Legislative Council List (PLC) – US Treasury Department
Specially Designated Nationals (SDN) – US Treasury Department
Sectoral Sanctions Identifications List (SSI) – US Treasury Department
Unverified List (UVL) – US Bureau of Industry and Security
List of the State Secretariat for Economic Affairs (SECO) – Switzerland

We have set up a new service at sanctions.io where we offer easy access to a consolidated database of sanction lists either through our website or using our API in your own application. REMEDYNE will provide out of the box sanction lists scans for SAP applications with its new product release REMEDYNE Continuous Monitoring 2.0 (planned release date is early 2017).

Privacy Compliant Continuous Monitoring

ERP systems lawfully collect and store data for the purpose of executing a company's regular business processes. Privacy law permits investigating, on a case-by-case basis, concrete indications of e.g. an error or a criminal offense. This exemption, however, does not cover continuous analysis of audit data and screening for evidence of fraud. (Source: "Privacy Compliant Internal Fraud Screening" by Ulrich Flegel, http://link.springer.com/chapter/10.1007%2F978-3-8348-9788-6_19)
REMEDYNE Continuous Monitoring also has checks delivered by REMEDYNE that use personal data as defined by law in the EU and countries world-wide (for example, user IDs; see e.g. http://ec.europa.eu/justice/data-protection/).
To stay compliant with applicable law in your country, you can deactivate checks that use personal data.
Furthermore REMEDYNE has a built-in data protection mode that can be switched on easily and that will remove all personal data from alerts that REMEDYNE will create.

New Features in REMEDYNE Fraud Prevention

We have released version 1.4 of our SAP ERP add-on that helps detect and resolve fraud, errors and operational inefficiencies. With this release we have focused on making the software even easier to use.

Drill down
Users who investigate alerts in the tool now have direct access to detailed information on master data, accounting documents, and so on. A double-click on the data in our case management transaction drills down to the related SAP transaction and immediately displays the specific information. This lets investigators quickly access all the information they need to reach a conclusion.

Workflows
In addition to the built-in and ready to use workflow to approve/reject alerts created by the system and send emails, customers can now configure workflows with complex logic, several approval steps and full activity trace. Users can also upload supporting documentation.

For more information on REMEDYNE Fraud Prevention download our white paper:
https://remedyne.de/public_html/wp-content/uploads/2015/03/REMEDYNE140_overview.pdf

REMEDYNE Fraud Prevention now SAP Certified

SAP AG has certified that REMEDYNE Fraud Prevention integrates with SAP applications. REMEDYNE's fraud detection intelligence for ERP and the UI5 component using NetWeaver Gateway have been tested and passed certification. Both components are add-ons to SAP NetWeaver AS ABAP. REMEDYNE is a fully integrated add-on to SAP ERP that detects and prevents fraud and errors and supports an effective case management process to quickly resolve any issues detected. Read our press release here.

REMEDYNE – Fraud Prevention

REMEDYNE helps companies to detect, investigate, and prevent fraud and errors. The software continuously analyzes business partner and transaction data with proven analytics, and enables managers and experts to conduct an effective investigation and quickly decide on each alert and take action.
With REMEDYNE, financial losses can be prevented, and operational efficiency increased. Customers can add own checks to address specific risks.

Some key features:
– Many pre-defined checks that are based on extensive research and experience in forensics and audit
– Access to alerts anytime, anywhere, with mobile device support (UI5)
– Workflow support to investigate alerts and take action
– Easy to deploy (SAP add-on), customize, add own checks
– Pricing based on company size, no limit on number of users

WHO is the user, WHAT can he do, and can you PROVE it? – How REMEDYNE fits into the security portfolio.

These questions are the business perspective on information security. IT can deploy various solutions (tools and processes) to address these questions.
One simple taxonomy for these solutions in the SAP space is this:
– Solutions that provide a trustworthy computing environment: security patches; secure ABAP code (secure coding practices, code reviews/scans); secure system configuration (implement SAP’s security guides, use Solution Manager’s Configuration Validation); the change management process
– Authentication mechanisms (WHO?): strong passwords or, better, strong, i.e. multi-factor, authentication
– Access rights, segregation of duties (WHAT?): SAP authorizations
– Confidentiality, integrity: includes all of the above, plus encryption of communication and protection of your SAP database and backups
– Monitoring (PROVE?): SAP table logging, change documents, logs
There is another layer around these levels that consists of supporting tools. Examples include SAP GRC Access Controls, Identity Management, and Single Sign-On. Essentially, they make IT's and users' lives easier and help save money through automation.

The security controls listed above aim to provide a secure environment so that nothing bad can happen. They establish security bottom-up.
REMEDYNE and other transaction monitoring solutions are not in the list because I want to highlight their special nature, complementing your controls already in place:
REMEDYNE analyzes WHAT users actually do (not what they can do, like e.g. SAP GRC AC does) in a definitive way (PROVE). And it directly shows the impact on your business.

Fraud Prevention Solutions for SAP

SAP Fraud Management/Financial Crime Platform, Oversight, REMEDYNE. This list is not exhaustive, but those are the products that we have listed on our own website. How do they compare to each other?
SAP Fraud Management/Financial Crime Platform: big data tool, helps customers to investigate fraud patterns that are uncommon and hidden in huge numbers of transactions. Leverages SAP HANA.
Oversight: strong analytical capabilities when data from different sources has to be combined, e.g. SAP and credit card data, and comes with pre-defined checks for travel expenses and other employee expenses.
REMEDYNE: continuous audit/transaction monitoring for SAP. Checks for procurement, accounting, inventory, order-to-cash, …

Take action and fight fraud now!

Every organization is exposed to fraud and loses a significant share of its revenue to errors and fraud. REMEDYNE helps you drive down this number and increase operational efficiency.

Get in touch with us to learn more and for a demo!

Configuration Validation

SAP’s Frank Buchholz gave a highly interesting presentation at TechEd that is available for download here: https://saptechedhandson.sap.com/demo.sap.com~vi~web/content/SIS262.pdf.
I like the configuration validation feature in Solution Manager, really useful for e.g. RFC and gateway security.