This article is an excerpt taken from the IDC Vendor Spotlight detailing IDC’s views summarised as 5 key business risks that access control solutions can help manage.

5 Key Business Risks

1. Financial

Financial processes must be designed to prevent fraud by those inside the business. Segregation of duties is a key technique to protect against fraud, the principle being that transactions must always require action from two or more staff, making it extremely difficult for an individual to commit fraud and more errors are likely to be picked up.

2. Reputational

Organisations must protect their reputation among customers and investors. The failure of risk management processes can have a big impact on the reputation of a business as well as direct financial losses or legal repercussions.

In Europe, a series of corporate scandals and failures have made the public aware of the fact that not all businesses meet the standards required of them, reducing trust in the business in question. This loss of trust can have a material impact on brand value and the share price of listed companies.

3. Regulatory

Applying processes that manage risk goes beyond good business practice. All businesses are legally required to comply with regulations determined by the jurisdictions in which they operate. Organisations in certain industries such as financial services and pharmaceuticals must adhere to a specific set of regulations driven by the types of products they develop and sell.

Auditors will check compliance with these regulations. Critically, it is not enough for an organisation to show that no failures occurred; regulators and auditors must see that robust processes are in place to ensure continued compliance.

4. Privacy

An example of a set of regulations that apply to all organisations in Europe are those set out in the General Data Protection Regulations (GDPR). All businesses that operate in Europe must treat personal data in line with a set of rules that control the way data is collected and consent for its use, storage, and retention is handled. There are serious penalties for organisations that breach these regulations.

5. Access Control

Processes designed to mitigate financial, reputational, and legal risks are the first part of the solution; access control is the second. The effectiveness of business processes is contingent on the correct people actioning each step of the process. Risk management is ultimately in the hands of people who must perform the role defined for them precisely. Individuals with access rights to systems that are too broad may find they are able to circumvent or compromise processes designed to protect the business.

Compliance is a Complex and Evolving Challenge

The CFO is the primary owner of risk management, answerable to the board, and holding a personal legal responsibility. In Europe, the regulatory burden has been rising as the EU in particular seeks to protect consumers and investors and reduce systemic risks in certain industries.

The financial crisis of 2008 in particular triggered a wave of new regulations. CFOs had to respond quickly and received investment to upgrade systems and processes to meet emerging requirements, but in most cases, compliance was achieved by adjusting existing systems to meet the new requirements of regulations such as MIFID, IFRS, and SOX.

Is your access control solution working for you?

It’s worth revisiting your access control processes to ensure they’re keeping up with changing regulations and best practices. Get in touch with one of Soterion’s SAP security consultants to explore how we can help solve your GRC objectives.

More about Soterion

Soterion is an international leading provider of governance, risk, and compliance solutions for organisations running SAP. Soterion’s user-friendly GRC solutions provide in-depth access risk reporting to allow organisations to effectively manage their access risk exposure.

Soterion is passionate about simplifying the governance, risk, and compliance processes, with a focus on translating this complexity into a business-friendly language to enhance better decision making and business accountability. Email info@soterion.com for more information.

Download the full IDC Vendor Spotlight

Source: IDC Vendor Spotlight, Sponsored by Soterion, Soterion: Managing Risk and Ensuring Compliance Through Application Access Management, Doc. #EUR148915922, March 2022

Original article published on Soterion’s Website

The post Mitigate 5 Key Business Risks with an Access Control Solution appeared first on InsideSAP Asia.

In this article, we look at the key challenges associated with SAP access risk management, as outlined by IDC, and how Soterion’s software can assist with overcoming these challenges.

Read or download the full IDC Spotlight

Three key challenges associated with SAP access risk management

1. SAP access management is highly complex and is difficult to maintain as business, processes, and regulations change

Managing SAP access rights is highly complex due to the vast array of process and role configurations that organisations can and do utilise within their SAP applications. As organisations evolve and adopt new applications, the burden of managing access rights only increases, leading to increased costs and risks, particularly the chance of audits identifying control weaknesses resulting from SAP access irregularities.

Staying on top of SAP access rights is a challenge due to the vast number of possible access permutations and the rate at which they must be updated to keep up with organisational change. The rate of business transformation and pace of regulatory change will only increase, so organisations must find a way of preventing increased SAP access risk becoming a product of this environment.

2. Poor access management can lead to compromised processes that present a business risk and audit failures

Poor access management is most likely to be identified either during a statutory or internal audit, as these audits set out to identify weaknesses in an organisation’s processes that present a risk to the organisation and its various stakeholders, customers, and suppliers.

But, as the IDC Spotlight points out, the cost of poor access management extends beyond the risk of fraud and the cost of remediation. Incorrect access rights can be the root cause of an array of process inefficiencies, where users underutilise the technology available to them as they are unable to fully capitalise on it.

Where SAP users do not have the correct access, businesses can experience downtime (end-user waiting for appropriate access) as assigning new access and getting the necessary approvals from line managers and risk owners can take time. There is also a link between access rights and software licensing. Over-allocated access can lead to paying for more licenses than what is required by the organisation.

3. SAP access management is technical in nature, but access decisions are best made by risk owners and line managers

SAP ERP manages access via the transaction code, which is assigned to an SAP role. The SAP role in turn is assigned to the SAP user.

This sounds reasonable and straight-forward, but vast dimensions of typical SAP installations mean that it is not:

• Over 140,000 transaction codes in SAP ECC
• Thousands of users that are not easily aggregated into roles with identical or highly similar access needs
• Often multiple legal or geographic entities with separate SAP installations and separate access management needs
• Frequent changes in access management requirements due to reorganisations, spin-offs, consolidations, changes in business scope, etc.

Despite this technical nature, IDC says this shouldn’t be left to the technical experts alone.

Access management responsibilities must be shared between the IT function and the process owners and managers. Business process owners are best placed to determine the rights required to execute a task within the relevant compliance rules, while managers are best placed to allocate roles to the individuals they manage.

Importantly, these business owners will be able to proactively manage and maintain access rights within their domain, given the right tools. This helps move access management from an annual reactive activity toward being an exercise in continuous compliance.

Empowered business owners will be able to map processes, identify weaknesses, and implement improvements. Understanding precisely how individuals interact with SAP processes enables organisations to apply the principle of least privilege to each member of staff, reducing risk without harming productivity.

SAP access must be managed proactively, and to do this a tool is required to monitor, interpret, and optimise each user’s access as it pertains to their role.

In the IDC Vendor Spotlight, IDC profiles Soterion as an SAP access management solution that helps business managers understand, implement, and monitor access to SAP, reducing risk and improving efficiency.

Here’s what they had to say about Soterion:

“Soterion software tackles the challenge of the changing nature of SAP access rights – with an access management solution that helps business users see how users utilise their access in practice and highlights the business implications of poorly configured access rights.”

“The work that Soterion has done to convert technical access rights data into insights that business decision-makers can understand and monitor continuously will help access management become proactive, rather than something to be tackled periodically ahead of an audit.”

IDC highlighted some of the standout features of Soterion’s solutions including its:

Business-centric design

“Decisions regarding SAP access are best made by those that understand the business context in which processes and the staff who interact with them operate. Soterion’s tool helps visualise the relationship between access rights and business processes, highlighting weaknesses in a way that managers can quickly comprehend. The power of this tool is that it puts control in the hands of those best placed to make decisions.”

Reporting capabilities

“A key differentiator of Soterion is its reporting capabilities, which illustrates access risks in business process flow diagrams.”

Simplified language

“For business users that are not SAP transaction code experts, it simplifies understanding where in the business process the conflicting access resides. By converting the technical GRC language into a language the business users can understand, can help in making better decisions and making business users more involved and accountable in the process. Ultimately, this can improve the overall capability of the organisation to manage its risk.”

Take your SAP access risk management to the next level?

Get in touch with one of Soterion’s SAP security consultants for advice or feel free to email info@soterion.com to discuss your organisation’s GRC needs.

This article is sponsored by Soterion

The post SAP Access Risk Management: Soterion Featured as a Solutions Provider appeared first on InsideSAP Asia.

Qlik Gold Client helps you improve the availability, security and quality of data in your non-production SAP environments, thereby increasing developer productivity while maintaining referential data integrity and reducing storage requirements.

• Streamline test data management
• Powerful data masking
• Impressive data subsetting
• Use with BW or BW on HANA
• Support data privacy compliance
• Facilitate business divestitures
• Enable SAP HANA modernization

About Qlik

This page is sponsored by Qlik

The post Streamline your SAP test data management and SAP modernization initiatives appeared first on InsideSAP Asia.

Learn how you can automate continuous delivery of real-time, analytics-ready data into AWS Data Warehouses or Data Lakes and make it easily accessible through a governed catalogue. Request a demo and talk with our solution experts, and learn how you can do more with Qlik and AWS, including:

• Real-time data for analytics in AWS
• Automated SAP data analytics in AWS
• Mainframe modernization with AWS
• Agile data warehouse automation for Redshift
• Data Lake ingestion and automation
• Analyse Data in AWS with Qlik Sense

See Qlik and AWS In Action

About Qlik

VINCI Energies: Using Qlik Gold Client to Carry Out a Large-Scale Migration Project

In 2018, VINCI Energies carried out one of the most significant Global S/4HANA migrations. The project was recognized by SAP as one of the most innovative projects of 2018. VINCI Energies also received an SAP Innovation trophy in 2019. Watch this video to find out how this leading company has developed a clear strategy with Gold Client, to carry out a large-scale migration project.

Data is the new Gold for Lenovo’s Strategic Advantage

Learn how Qlik enables Lenovo to discover insights faster and helps sales and operations teams deepen customer relationships.

This page is sponsored by Qlik

The post See Qlik Data Integration and Analytics in Action with AWS appeared first on InsideSAP Asia.

SAP cloud solutions have been instrumental in accelerating the German multinational’s cloud strategy, as evidenced by the company’s Q4 2021 and full-year financial report. According to SAP CEO and Executive Board Member Christian Klein’s earlier statement, the increasing number of organisations banking on SAP products and services to achieve a holistic business transformation and successful cloud migration is a testament to the company’s commitment to accelerating the use of cloud. 

The enterprise software giant has not only exceeded the top end of the group’s forecast for software and cloud earnings but has also seen massive support for its complete enterprise resource planning (ERP) system, SAP S/4HANA Cloud, which was propelled by RISE with SAP following its release in January last year. Since its launch, the BTaaS product has helped organisations from across different industries worldwide — ranging from sports to automatic vehicles and energy power companies. Aside from harnessing the power of cloud ERP, the comprehensive solution also provides analytics, business process intelligence (BPI), and SAP Business Technology Platform (SAP BTP) capabilities to transform customers into sustainable, intelligent enterprises and help them achieve meaningful business outcomes.

With industry-specific solutions that leverage innovative technologies such as artificial intelligence (AI), machine learning (ML), the Internet of Things (IoT), and advanced analytics, SAP has continuously assisted organisations across the globe in running their businesses more efficiently. During the SAP Japan Customer Awards 2021, numerous customers were recognised for their efforts to embark on a transformational journey. These include SOLIZE Corporation, Mitsubishi Electric Corporation, and Shiseido Co., Ltd., all of which began their breakthrough digital transformation in 2021 by utilising SAP’s wide range of cloud software applications and services.

Marubeni, Human Holdings Among the Latest SAP Cloud Customers in Japan

This month, Japanese companies Marubeni Corporation, a major integrated investment and trading business conglomerate, and Human Holdings Co., Ltd., a firm engaged in education, nursing care, and human resources-related businesses, have teamed up with SAP to scale their operational expansion and further expedite business process transformation. Implementing the signature offering RISE with SAP, both projects involving the new additions to the SAP cloud customer list will be centered on SAP’s next-generation ERP, SAP S/4HANA Cloud.

According to Marubeni Corporation, it has become increasingly difficult for its SAP ERP system to expand and upgrade its functionalities because of repeated add-on extensions since its inception in 2000. (InsideSAP Asia often references articles from websites in other languages to bring you as much information as possible.) With this, SAP S/4HANA Cloud was chosen by the company’s Information Planning Department in order to digitise its entire business operations, enable further innovation, and develop a stable platform for the future. RISE with SAP is now the core system platform for the group’s subsidiaries abroad.

Moreover, Marubeni intends to speed up and simplify the data migration and data management processes with the help of tools provided by SAP Partners Syniti and Tricentis. The organisation’s information subsidiary Marubeni IT Solutions Co., Ltd. is in charge of system introduction projects using the Fit to Standard approach and leveraging Syniti’s SAP Advanced Data Migration tools and Tricentis’ SAP Application Testing Solutions.

Meanwhile, Human Holdings Co., Ltd. has also deployed RISE with SAP to address the company’s mission-critical requirements of adding value to existing businesses, and creating new opportunities by aggregating, analysing, and utilising a wide range of management data. (InsideSAP Asia often references articles from websites in other languages to bring you as much information as possible.) It has partnered with Focus Systems to implement SAP’s comprehensive solution, taking into account its extensive proposal-making experience, which includes expertise in public cloud-based ERP and business flow enhancements.

The post SAP Cloud Customer List in Japan Adds Marubeni, Human Holdings appeared first on InsideSAP Asia.

Soterion’s GRC Solutions

Soterion’s solution suite enables organizations to gain visibility and effectively manage their access risk exposure. Download our brochure for more details on all of the following solutions.

• Access Risk Manager

The Access Risk Manager includes core access risk control features to manage SAP access risk. These include identification (Identify Risk), risk remediation (Get Clean), user access change management (Stay Clean simulations), and risk mitigation (Stay in Control).

• Elevated Rights Manager

The Elevated Rights Manager grants sensitive fire-fighting access in an automated workflow-driven process, and enables your management team to perform a structured review of any activities that were performed during the Elevated Rights Access period.

• Periodic Review Manager

The Periodic Review Manager allows business users to review access in the context of risk and business processes, ensuring informed and effective decision making. This business-friendly process is easily managed using progress dashboards to expedite the review process. This process will significantly enhance the insight into your GRC environment, as well as being an audit and statutory requirement for many organizations.

• Central Identity Manager

The Central Identity Manager introduces the Business Role concept to improve efficiencies in the SAP user provisioning process. Standardization of job functions across the organization reduces complexity and the effort required to manage and review SAP user access. The Central User Administration functionality further reduces the support effort and cost to manage user access across the SAP landscape, including non-productive SAP systems.

• Data Privacy Manager

Manage personal data in SAP and monitor which SAP users have access to sensitive personal information. The Data Privacy Manager analyses all tables in SAP and highlights those that contain fields with personal or sensitive information, categorizing the data by Data Domain (such as bank details, email addresses and ID numbers) and per Data Subject (business partner, vendor, customer, employee and SAP user).

• Password Self-Service

Soterion provides users with the ability to reset their SAP passwords. This vastly reduces the burden on the authorization support team, saving cost and time. The self-service functionality reduces business down-time by empowering users to reset passwords instantly.

• Basis Review Manager

SAP Basis Configurations provide system-level controls to secure an SAP system. The Basis Review Manager compares your SAP Basis configuration to an industry best-practice set of rules. Since these configurations usually form part of an annual external audit, our Basis Review Manager will allow you to be prepared, and will establish complete compliance to avoid adverse audit findings.

• SAP License Manager

The SAP License Manager identifies under-utilized and incorrectly classified SAP User accounts by monitoring user activity in SAP for effective license optimization. This ensures optimal contract management and compliance whilst reducing unplanned and excess costs.

Feel free to email us on info@soterion.com to discuss your organization’s GRC needs.

Soterion SOD Risk Trends Graph

Soterion SOD Risk Detail Business-Friendly Reporting

Soterion SAP Access Change Request Simulation

Soterion Dashboard

Innovation in User Experience for Automated Controls

GRC2020 Research, LLC, recognized Soterion with the 2019 GRC User Experience Award. Download the report to find out why our solutions were chosen above the rest.

About Soterion:

Soterion is a leading provider of SAP governance, risk and compliance (GRC) solutions. Soterion’s user-friendly GRC solutions provide SAP customers with in-depth access risk reporting in business-friendly language. This allows organizations to effectively understand and manage their access risk exposure. Soterion is passionate about simplifying the governance, risk and compliance processes, with a focus on enhancing better decision making and business accountability.  

Soterion’s plug-and-play GRC solution is easy to learn, S/4HANA ready and boasts an award-winning user experience. Organizations running SAP can make use of Soterion’s GRC security suite either as an on-premise or a secure cloud offering.

As access risk is business risk, Soterion believes that effective GRC is measured by how well the business users can carry out their access risk management activities. Our business-friendly GRC solution enhances the organisation’s overall risk awareness by empowering business buy-in and accountability of access risk.

This page is sponsored by Soterion

The post Is Your Organisation Managing SAP Access Risk Effectively? appeared first on InsideSAP Asia.

In this report, you’ll learn:

• The information, analytics and enabling technology capabilities of AP top performers
• The skills, training and automation technology that best enable workers at top-performing companies
• How top performing companies use technology to enable organization and governance, service partnering and service design
• A checklist of service delivery objectives for maturing as an AP organization

Approaching the future with flexibility and maintaining a competitive edge requires a comprehensive approach to AP-focused P2P automation. Use this report to develop your future-proof strategy.

Not what you were looking for? Try The Outperformer’s Guide to Total Financial Process Domination!

The post A Checklist for Developing a Future-Proof AP Organization appeared first on InsideSAP Asia.

Download this comprehensive whitepaper – Managing an S/4HANA migration with Rev-Trac – to discover:

• Why automating your SAP change management processes is crucial
• How Rev-Trac Platinum can help you to successfully manage dual SAP environments
• What key Rev-Trac Platinum features help to minimize unscheduled downtime

Run without interruption during your S/4HANA migration –

Download the report below.

By completing this form, you will be sending your details to RSC in accordance with their privacy policy

Summary of Rev-Trac 

A Revelation Software Concepts (RSC) technology that automates SAP change management processes to massively reduce the time, effort, and cost to deliver change. Automate SAP change management for faster, more frequent, and low-risk change and respond to business demands quickly. Rev-Trac Platinum eliminates error-prone manual SAP change processes and provides the control and governance to achieve agile, DevOps, and continuous delivery objectives.

This page is sponsored by RSC

The post Rev-Trac Platinum appeared first on InsideSAP Asia.

This huge architectural change has meant that the application can be redesigned to simplify processing steps. For example, the SAP ECC Finance module relied on many different tables to separate headers, line item details and supporting master data attributes, which made for a very complex data model. 

With SAP S/4 HANA, the database is able to cope with greater data volumes and complexity within single tables or views. So the volume of tables and structures are simplified. This should therefore make reporting easier, and as such increase the transparency of information. This simplifies the landscape options, as it means that there is the opportunity to consolidate the system landscape. 

Now there is no need for separate SAP Advanced Planning and Optimisation (APO) or Business Warehouse systems, as you have the HANA database. Also, by mandating SAP HANA as the database, you’ll further reduce the complexity of your deployment options, while presenting a cost saving opportunity through the removal of separately licensed third-party databases. 

Despite this code base change, there are familiar aspects to SAP S/4 HANA. The table structure is flatter, but the majority of the standard SAP ECC tables still exist. From the user interface perspective, there is still an ABAP user interface, which looks and behaves in a very similar manner to SAP ECC. However, this is intended for use by administrators only. For end users, the intention is to use the SAP Fiori user interface. 

With S/4 HANA, SAP has also recognised that customers are expecting more agile deployment approaches, so they have also offered different implementation scenarios to align more with a cloud deployment model. As such, SAP S/4 HANA is available as a traditional on-premise solution but there is also a version available as a public cloud option. There is also a managed cloud option to provide the middle ground

SAP S/4 HANA has been designed with simplicity in mind, although that is generally intended for the end-users, rather than implementers, systems integrators or administrators. From a security perspective, you can expect significant involvement in an SAP S/4 HANA implementation, as there are some fundamental changes to the way in which these simple processes are delivered to users.

Download the rest of this guide to gain a practical understanding of the new security considerations that come with implementing SAP S/4 HANA – helping you side-step the mistakes of the previous ERP implementations.

This article is sponsored by Turnkey Consulting

The post Understanding the Differences Between SAP ECC and SAP S/4HANA appeared first on InsideSAP Asia.

However, when supporting SAP implementations, some systems integrators (SI’s) don’t consider security highly enough – focusing too much on the functional aspects of the project in order to get the project over the line as efficiently as possible.

This is unsurprising as today, whilst having great functional experience, few systems integrators have the skills to safeguard SAP effectively. But not doing so at the point of implementation can have considerable consequences:

1. Overspent budgets

Projects often go over budget due to avoidable and costly retrospective security remediation. 

2. Missed deadlines

Retrospective remediation doesn’t only cost money, it costs time – often resulting in missed project deadlines.

3. Auditor rejection

When it comes to the project being approved, either by auditors or internal teams, if the appropriate security measures haven’t been implemented it’s unlikely to get the go-ahead.

4. Business downtime

If left unchecked, poor security controls can result downtime – restricting user access to your business-critical application.

Often a more effective approach to implementation is to employ an SAP security specialist to work alongside an SI – bringing together great functional experience with the right security expertise. But how does this work in reality? How can SAP security specialists work alongside SIs?

Find the answers in the next part of Turnkey’s 7-part video series – where Turnkey’s global management team met to address some of the biggest challenges facing SAP security professionals today.

The post Why you can’t rely on systems integrators for SAP security appeared first on InsideSAP Asia.