There are many areas which should be monitored to ensure your SAP Security model is both controlled and maintained.
One such area is to design a robust Segregation of Duties (SoD) Management Process to support the organisation's internal controls methodology. This provides assurance that no single individual has the physical and system access to control end-to-end phases of a business process or transaction, thereby reducing the associated risk of fraud and error. For example:
For companies registered on the U.S. stock exchange, it is a legal requirement to be compliant with the Sarbanes–Oxley Act (SOX).
The act, passed by the U.S. Congress in 2002, protects investors from the possibility of fraudulent accounting activities by corporations. It mandated strict reforms to improve financial disclosures from corporations and prevent accounting fraud. The requirement for Segregation of Duties falls under SOX Section 404 (Assessment of Internal Control).
Strong SoD controls are equally relevant to U.K.-based companies, to ensure that both Internal Controls and External Auditors are satisfied.
Below is a high-level overview of a manual approach to identifying risks and conflicts that may be present within business processes. However, a dedicated solution such as SAP Governance, Risk, and Compliance (commonly referred to as SAP GRC) is recommended.
The first phase is to establish a list of applicable SoD conflicts which can either permit fraud or generate significant risk. This is achieved by identifying the objective of the organisation together with its hierarchy and nature. Liaise with the Business to understand the business processes and who performs each role within the organisation. The desired result is to determine the potential risks and categorise them as high, medium or low. Each risk can then be managed by implementing remediation and mitigating processes.
(simple example of a risk)
Build a technical rule set or Transaction Matrix against user and/or role assignments based on the risks identified.
Analyse the risks against the rule set to identify conflicts. Any conflicts should be highlighted and recommendations escalated to the appropriate department, such as Internal Controls/Finance. This may require further interaction with the Business to identify a suitable solution to eliminate risk.
Pursue a solution within the organisational structure: identify ways of segregating duties within the business process in the department concerned. If this can be achieved, review the SAP Security Model and implement the required change to either the conflicting role or the role assignment.
Where it has not been possible to remediate existing conflicts because of organisational constraints, consider recommending an appropriate control to mitigate the risk. This requires liaising with the business to identify additional monitoring procedures that compensate for the risk.
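As an added illustration (example code, not from the article or from Edenhouse), the manual process above in Python: a constructed rule set of conflicting business functions, a sample mapping of those functions to SAP transaction codes, sample role and user assignments, and an analysis that reports each conflict as open or covered by an approved mitigating control, plus a check of a proposed role assignment against the matrix before it is granted. All users, roles, transaction lists, risk ratings and the control reference are constructed sample data.

```python
# Constructed SoD rule set for this example (not from the article): pairs of
# conflicting business functions with the risk rating the business assigned.
SOD_RULES = {
    ("Maintain vendor master", "Post vendor invoice"): "high",
    ("Post vendor invoice", "Execute payment run"): "high",
    ("Create purchase order", "Post goods receipt"): "medium",
}
# Sample mapping of each function to the SAP transaction codes that enable it.
FUNCTION_TCODES = {
    "Maintain vendor master": {"FK01", "FK02", "XK01", "XK02"},
    "Post vendor invoice": {"FB60", "MIRO"},
    "Execute payment run": {"F110"},
    "Create purchase order": {"ME21N"},
    "Post goods receipt": {"MIGO"},
}
# Constructed role -> transaction and user -> role assignments (sample data).
ROLE_TCODES = {
    "Z_AP_CLERK": {"FB60", "MIRO", "FBL1N"},
    "Z_VENDOR_MAINT": {"FK01", "FK02"},
    "Z_TREASURY": {"F110"},
    "Z_BUYER": {"ME21N", "ME23N"},
    "Z_WAREHOUSE": {"MIGO"},
}
USER_ROLES = {
    "JSMITH": {"Z_AP_CLERK", "Z_VENDOR_MAINT"},
    "APATEL": {"Z_AP_CLERK", "Z_TREASURY"},
    "LCHEN": {"Z_BUYER"},
}
# Approved mitigating controls keyed by (user, rule); the control id is a placeholder.
MITIGATIONS = {("APATEL", ("Post vendor invoice", "Execute payment run")): "CTRL-PLACEHOLDER monthly payment run review"}

def functions_for(roles):
    # Business functions a set of roles enables, via the transactions they grant.
    tcodes = set().union(*(ROLE_TCODES[r] for r in roles))
    return {f for f, needed in FUNCTION_TCODES.items() if tcodes & needed}

def analyse(user, roles=None):
    # Return (rule, risk, status) for every SoD rule the user's access violates.
    funcs = functions_for(USER_ROLES[user] if roles is None else roles)
    findings = []
    for rule, risk in SOD_RULES.items():
        if set(rule) <= funcs:
            status = "mitigated" if (user, rule) in MITIGATIONS else "open"
            findings.append((rule, risk, status))
    return findings

def conflicts_introduced(user, new_role):
    # Pre-assignment check: rules a proposed role would newly violate for this user.
    before = {rule for rule, _, _ in analyse(user)}
    return [f for f in analyse(user, USER_ROLES[user] | {new_role}) if f[0] not in before]
```

This simplified check works at transaction-code level only; a production rule set such as the one evaluated by SAP GRC Access Control also considers authorisation objects and field values, so a transaction a user can start but not actually execute is not counted as a conflict.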
It's imperative that a continuous process is in place to review all new access requests and changes to the SAP Security model against the SoD conflict matrix; this should be performed prior to:
Thanks for taking the time to read this; as previously mentioned, it is just a high-level overview. If you have any SoD issues or concerns, the Edenhouse SAP Security & Governance team can assist, so please contact us.
Written by: Darrell Yates, SAP Support Manager
SAP Support Manager Darrell Yates has over 15 years' experience working with SAP. Prior to becoming SAP Security Support Lead in his previous role, he worked on many global projects as an SAP Security Consultant, travelling to countries such as Nigeria, Egypt, Spain and UK&I. Based in Birmingham, Darrell has worked for us for just over two years.
Speak to Edenhouse, the market leaders in SAP solutions.