Reduce Access Risks While Decreasing Costs

Charlie Singh Sr. Manager, Compliance American Water

We are American Water Greater than 99 percent compliance rate meeting state and federal drinking water and wastewater standards

Treat and deliver more than 1 billion gallons of water a day

Manage and maintain more than 100 wastewater treatment plants

Invest approximately $900 million annually in our systems

Serve over 15 million people

Approx 7,000 employees

Serve 1,100 communities in 30 states

46,000 miles of pipeline

Approximately 89 percent of our operations are regulated utilities

First U.S. water utility named to the Dow Jones Sustainability North America Index 2

American Water Footprint – HQ in Voorhees, NJ

3

American Water’s Business - The Integrated Water Cycle

Our goal is to consistently provide customers with safe, high quality drinking water and reliable water and wastewater services

4

AW Business Transformation Project – SAP SCOPE Release 2 – EAM /CIS Go-live in Q2 and Q3, 2013

Release 1 Go-live August 1st, 2012

EAM

ERP Hire to Retire

Record to Report

Procure to Pay

Plan to Build

(HTR)

(RTR)

(PTP)

(PTB)

CIS Request to Complete

Order to Cash (OTC)

(RTC) • Organization Management

• Develop Plan & Budget

• Identify needs (Goods & Services)

• Develop Asset Strategy & Plan

• Plan Work

• Talent Management

• Develop & File Rates

• Source Supplier

• Initiate Work

• HR Service & Administration

• Close Subsidiary General Ledgers

• Optimize Investments & Budgets

• HR Operations & Support

• Consolidate Financial Statements • Report to Internal Parties • Report to External Parties • Support Close

• Purchase Goods & Services • Receive Goods & Services

• Manage Resources

• Pay Supplier

• Execute Work

• Manage Items • Classify Items • Move Material • Manage Inventory Accuracy

• Manage Work

• Receive Inquiry • Design/ Estimate/ Final Approval • Schedule Work • Assign Work • Execute Work

• Establish Customer Account • Collect Meter Reads • Edit and Pull Data for Billing • Billing • Post Charges

• Close Work

• Monitor Receivables

• Manage Complaints & Issues

• Credits & Collections

• Manage Supplier Returns • Vendor Managed Inventory

ECC, BI/BW, SRM, SAP Portal, Nakisa, SuccessFactors

CRM, KRONOS GIS, Click Mobile/Scheduling 5

Business Transformation (BT) Project Questions that had to be answered • How to embed proper security controls during the project

• How to utilize existing infrastructure and resources • How and where should the SOD rule set and mitigating controls reside… considering desire to avoid duplicate control repositories, documentation, and responses • How do we manage emergency access management (FireFighters) • How do we manage enterprise role management • How do we standardize and automate the user provisioning process • How do we ensure compliance and provide automated tools to evaluate security risk and mitigate exceptions • Future integration with IdM / IAM

6

SAP Access Control and SAP Process Control 10.0 A Clear Choice for BT Implementation SAP Access Control and SAP Process Control aligned with American Water’s Business Transformation strategic objectives by increasing cross-function accountability and standardization, increasing visibility across risk and compliance initiatives, along with reducing total cost of ownership. The result is an expanded ability to monitor strategic, financial, compliance, and operational risks and controls.

Current Future 7

SAP Access Control benefits to American Water Reduce access risk across SAP application modules  Robust database of validated segregation of duties (SoD) rules  Risk analysis of user access request and role definition Streamline compliance process  Automated user access review and collaboration; Conduct user access and role recertification  Ability to provide automated self-service user access request and approval Obtain real-time oversight  Real time access risks analysis and reporting dashboards  Emergency access privileges with integrated monitoring

SAP Process Control benefits to American Water Repository of SOX and non-SOX controls to support compliance and other regulatory activities  Dynamic electronic catalog of controls Continuous monitoring of key controls  Efficient audit process for external and internal audits  Management and assignment of testing and mitigating controls  Evaluate and manage organizational process and control changes through questionnaires and remediation plans Increase sustainability of processes and controls through policy life-cycle management

8

Benefits SAP Access Control and existing IAM integration was easy

9

Benefits Tie-in of SAP Access Control to existing IT Processes Control Frameworks

Policies and Procedures Password Management

Application Access Management User Provisioning

IT Access Management Process

New User Access

Emergency and Privileged Access Modify Existing Access

Terminate Existing Access

Emergency Access Provisioning

Emergency Access Monitoring and Review

Periodic User Recertification

Access Approval Preventative SoD Check

Role Management Create New Role

Modify Existing Role

Disable Existing Role

Periodic Role Recertification

Compliance and Monitoring Periodic Segregation of Duties Review

User Access Provisioning

Periodic Sensitive Access Review

Access Risk Analysis

Remediation

Business Role Management

Mitigating Controls

Emergency Access Management

10

Benefits - SAP Access Control and SAP Process Control integration with SAP was straightforward Plan / Analyze

Design

Build

04/01/2011

09/30/11

Internal Controls – SOD focus

SoD & SA Risk Definition

BT Security

BT Change Management

BT SMEs

Internal Controls - PC focus

ITS

Design SOD & SA Rules

Role Design Methodology

Business Role Definition

12/31/11

Build SOD Rules

GRC Reqs.

GRC AC Team

Deployment

Test

04/15/12

08/01/12 GRC AC Support

Build GRC (Risk Analysis, Role Management, Emergency Access Mgmt, User Provisioning)

Role SOD Check

Business Role SOD Check

Transaction to Role Mapping

Business Role Mapping

User SOD Remediation & Mitigation

User SOD Check

Build Business Roles

Build Master Roles

Go-Live

Assign Users To Roles

Role-User Mapping

User Training

Input to Role Definition , Controls Design, Job Design, SOD Remediation

Controls Definition

Controls Design

GRC Install

Controls Build

SAP Process Control Deployment, ARIS & Mitigation SoD Linkage, SOX Reporting

Provide Technical Support (GRC installation, Other key linkages) GRC Activity

Controls Activity

BT Activity

GRC Maintenance Strategy 11

11

Benefits of having implemented SAP Access Control and SAP Process Control in conjunction with BT Project Utilized same resources from SAP ERP go-live to gain efficiencies  System Implementer; AW Subject Matter Experts; AW Security and Compliance teams

SAP Access Control and SAP Process Control run on same platform as SAP ECC  Netweaver Platform  Standard and ABAP Reports

AW reduced costs as workshops, meetings and compliance activity discussions included GRC topics along with the ERP scope.  Requirements workshops  Compliance meetings

Unified Master Data (SAP Access Control / SAP Process Control integration benefits)  Common and shared organization hierarchy, process and sub-process definition  Provides consistent data to enable analysis & reporting for access/controls management

Mitigation Control library hosted and shared from SAP Process Control  Common controls repository and shared with SAP Access Control for SOD mitigation controls

External Audit’s review of GRC solutions occurred along with SAP pre-imp audit  SOD rule set engine and SAP Configuration/Workflow review

12

Charlie Singh Sr. Manager - Compliance Email: [email protected]

13