
SAP Security and Governance: Segregation of Duties (SoD)

8th August, 2017 Written By Edenhouse Solutions

There are many areas which should be monitored to ensure your SAP Security model is both controlled and maintained.

One such area is the design of a robust Segregation of Duties (SoD) management process to support the organisation’s internal controls methodology. This provides assurance that no one individual has the physical and system access to control the end-to-end phases of a business process or transaction, effectively reducing the associated risk of fraud and error. For example:

  • Creating invoices and adjusting them
  • Creating a vendor and initiating payment
  • Processing inventory with posting payment authorisation

For companies registered on the U.S. stock exchange, it is a legal requirement to be compliant with the Sarbanes–Oxley Act (SOX).

The act, passed in 2002 by the U.S. Congress, protects investors from the possibility of fraudulent accounting activities by corporations. The SOX Act mandated strict reforms to improve financial disclosures from corporations and prevent accounting fraud. The requirement for Segregation of Duties can be found within SOX control 404 – Assessment of internal control.

Possessing strong SoD controls is also applicable to U.K.-based companies, to ensure both Internal Controls and External Auditors are equally satisfied.

Below is a high-level overview of a manual approach to identifying risks and conflicts which may be present within business processes. However, it is recommended to implement a dedicated solution, such as SAP Governance, Risk, and Compliance, commonly referred to as SAP GRC.

Identifying Risks

The first phase is to ascertain a list of applicable SoD conflicts which can either permit fraud or generate significant risks. This can be achieved by identifying the objective of the organisation together with its hierarchy and nature. Liaise with the Business to understand the business processes and who performs which roles within the organisation. The desired result for your business is to determine potential risks and categorise them as either high, medium or low. The risk can then be managed by implementing remediation and mitigating processes.

[Figure: a simple example of a risk]

Rule Set/Transaction Matrix Creation

Build a technical rule set or Transaction Matrix against user and/or role assignments based on the risks identified.

Risk Analysis

Analyse the risks against the rule set to identify conflicts. Any conflicts should be highlighted and recommendations escalated to the appropriate department, such as Internal Controls/Finance. This may require further interaction with the Business to identify a suitable solution to eliminate risk.

Remediation

Pursue a solution within the organisation structure to identify ways of applying segregation of duties to the business process within the department. If this can be achieved, then a review of the SAP Security Model should be undertaken to implement the required change to either a conflicting role or a role assignment.

Mitigation

Where it has not been possible to remediate the existing conflicts due to organisational constraints, consider recommending an appropriate control to mitigate the risk. This would require liaising with the business to identify additional monitoring procedures to compensate for the risk.

Continuous Monitoring and Compliance

It’s imperative that a continuous process is in place to review all new access requests and changes to the SAP Security model against the SoD conflict matrix. This should be performed prior to:

  • Individual access assignment
  • Changes to roles before being promoted to the Production environment
  • Newly defined processes
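
The manual process above (rule set, risk analysis, mitigation and the pre-assignment check) can be sketched as a small script; this is an added example, not Edenhouse or SAP code. The role names, user IDs, risk IDs and mitigating control are constructed sample data, the transaction codes are standard SAP codes used illustratively, and the check works at transaction-code level only, ignoring authorisation objects.

```python
# Constructed rule set: each risk pairs two business functions that
# one individual must not hold together, with a high/medium/low rating.
FUNCTIONS = {
    "maintain_vendor": {"XK01", "FK01"},
    "process_payment": {"F110", "F-53"},
    "process_inventory": {"MIGO"},
}
RISKS = {
    "R001": ("maintain_vendor", "process_payment", "high"),
    "R002": ("process_inventory", "process_payment", "medium"),
}
# Constructed extract of the security model: role -> tcodes, user -> roles.
ROLE_TCODES = {
    "Z_AP_VENDOR_MAINT": {"XK01", "FK01", "XK03"},
    "Z_AP_PAYMENTS": {"F110", "F-53"},
    "Z_WAREHOUSE_CLERK": {"MIGO", "MB52"},
}
USER_ROLES = {"ASMITH": {"Z_AP_VENDOR_MAINT", "Z_AP_PAYMENTS"},
              "BJONES": {"Z_WAREHOUSE_CLERK"}}
# Hypothetical mitigating control accepted for a conflict that stays in place.
MITIGATED = {("ASMITH", "R001"): "Monthly review of vendor master changes"}

def tcodes_for(roles):
    """Union of the transaction codes granted by a set of roles."""
    return set().union(*(ROLE_TCODES[r] for r in roles))

def analyse(user, roles):
    """Risk analysis: SoD conflicts the user holds with the given roles."""
    held = tcodes_for(roles)
    findings = []
    for risk_id, (f1, f2, level) in sorted(RISKS.items()):
        left, right = held & FUNCTIONS[f1], held & FUNCTIONS[f2]
        if left and right:  # user can perform both sides of the risk
            findings.append({"user": user, "risk": risk_id, "level": level,
                             "tcodes": (sorted(left), sorted(right)),
                             "control": MITIGATED.get((user, risk_id))})
    return findings

def simulate_request(user, requested_role):
    """Pre-assignment check: conflicts the request would newly introduce."""
    current = USER_ROLES.get(user, set())
    before = {f["risk"] for f in analyse(user, current)}
    after = analyse(user, current | {requested_role})
    return [f for f in after if f["risk"] not in before]
```

Findings whose `control` is `None` are the unmitigated conflicts to escalate; `simulate_request` is the check to run before an individual access assignment.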

Thanks for taking the time to read this. As previously mentioned, this is just a high-level overview. The Edenhouse SAP Security & Governance team is able to assist with any SoD issues or concerns, so please contact us.

Written by SAP Support Manager, Darrell Yates

SAP Support Manager, Darrell Yates has over 15 years’ experience working with SAP. Prior to becoming SAP Security Support Lead in his previous role, he worked on many global projects as an SAP Security Consultant, travelling to countries such as Nigeria, Egypt, Spain and UK&I. Based in Birmingham, Darrell has worked for us for just over two years.
