Soterion Archives - InsideSAP Asia
https://insidesap.asia/tag/soterion/
The independent resource for SAP professionals in Asia. Feed generated Mon, 26 Jun 2023 06:07:02 +0000 (en-US).

The Evolution of SAP Security, Access Control, and IAM
https://insidesap.asia/the-evolution-of-sap-security-access-control-and-iam/
Published Thu, 22 Jun 2023 06:00:00 +0000

To identify the most suitable SAP access provisioning choice for your organisation, it is important to understand the progression of SAP security, access control, and identity access management (IAM).

In the early days of SAP (R/2), users were granted SAP access through SAP profiles. This later evolved into SAP roles built with the Profile Generator (PFCG). To improve the provisioning process and address SAP authorisation creep (users gradually accumulating additional access), SAP introduced the ability to assign SAP roles to positions in the HR Organisation Structure. Whenever a user was assigned to an HR position in SAP, they automatically received the SAP roles associated with that position.

SAP Composite Roles were introduced to improve provisioning efficiency by grouping multiple single roles within a data container. When an SAP user is assigned an SAP Composite Role, they gain access to all the individual roles included in the Composite Role.

Over time, access risk management grew considerably in importance. Granting SAP access without considering the associated risk became increasingly unsustainable, which gave rise to the development and adoption of access control solutions, such as Governance, Risk, and Compliance (GRC) systems.

At first, access control solutions primarily assessed SAP systems to detect access risk violations and ran ‘What-If’ simulations to evaluate the risk of proposed role allocations. As they matured, they added features such as User Access Reviews and role provisioning. Role provisioning was made easier by the introduction of the Business Role concept. A Business Role functions much like an SAP Composite Role: it is a data container for a group of roles, potentially drawn from multiple SAP systems. When a user is assigned a Business Role, they automatically inherit all the roles associated with it.

In most cases, a Business Role in an access control solution is more flexible than an SAP Composite Role because it allows partial assignment. For example, if an accounts payable clerk only needs 80% of the functionality offered by the ACCOUNTS PAYABLE CLERK Business Role, the role can be assigned partially. An SAP Composite Role is less flexible: once it is assigned, all the individual roles it contains become available to the user. Business Roles can also include roles from multiple SAP systems, whereas Composite Roles are limited to roles from a single SAP system.

Identity and access management (IAM) solutions were implemented to handle identity management across the whole IT environment and to streamline the Joiner-Mover-Leaver process. By enabling access provisioning for many systems and solutions, IAM solutions were expected to overcome earlier provisioning difficulties and greatly improve the efficiency of onboarding and user provisioning. IAM solutions also support Business Roles, and unlike the Business Roles of access control solutions, which are restricted to SAP systems, IAM Business Roles can encompass roles from diverse systems, including both SAP and non-SAP platforms.

Utopia? Almost, but not quite.

The integration of access control solutions and IAM solutions has posed significant challenges in practice, hindering organisations from reaping the benefits of a mutually beneficial relationship between risk management and provisioning. Consequently, organisations must decide which solution will handle the overlapping tasks and functions.

Outlined below are some of the functions that can be performed by both access control and IAM solutions:

Selection of the appropriate solution for each function is critical in attaining an organisation’s desired business objectives. Each solution presents its own set of advantages and disadvantages, influenced by factors such as business goals, system and application types, and the number of solutions involved.

For organisations with an extensive SAP footprint, effectively managing access risk and maintaining a balance between provisioning efficiency and access control are paramount. If an IAM solution is chosen to handle the overlapping activities, the desired level of access risk management may not be attained. In such cases, using the access control solution to provision SAP access is more likely to yield the desired outcome.

Conversely, if an organisation has a limited SAP footprint and does not require comprehensive SAP access risk analysis, an IAM solution might be sufficient.

The choice of solution depends on the specific needs of the organisation.

Is opting for a hybrid model the right choice?

To achieve a balance between provisioning efficiencies and effective access risk management, one possible approach is to adopt a hybrid model.

For organisations with a significant SAP footprint and a strong focus on access risk management, an access control solution can be implemented to handle all overlapping activities within SAP systems. Simultaneously, an IAM solution can be utilised for all non-SAP systems.

An alternative approach involves utilising the access control solution for designing Business Roles and then replicating them in the IAM solution for provisioning purposes. By defining Business Roles in the access control solution, it becomes possible to leverage historical usage data and access risk information to create suitable Business Roles for specific user groups.

While implementing a hybrid model has certain drawbacks, such as requiring some business users to operate in two separate systems, it can effectively address the organisation’s need for managing SAP access risks while simultaneously improving the efficiency of SAP user provisioning to an acceptable extent.

Conclusion

Every method has its advantages and disadvantages, and there isn’t a single solution that fits every situation perfectly. When deciding, it’s important to take into account your organisation’s requirements, business goals, SAP footprint, and priorities for managing risks.

For optimal decision-making, collaboration between the SAP security and cyber teams is essential. They should engage in discussions and debates for each specific scenario to determine the most suitable solution for the organisation.

A hybrid approach might be the most favourable option, striking a balance between efficient provisioning and effective management of access risks.

Soterion hosts a podcast called ‘SAP Security & GRC’, dedicated to helping organisations on their journey to effective access risk management in SAP.

Soterion’s CEO, Dudley Cartwright covers topics related to SAP security and GRC, providing insights and tips from industry experts as well as his experience over the decades. Episodes are available in audio and video formats and are between 15-40 minutes long. The podcast is available on all major platforms, such as Apple Podcasts, Spotify, Google Podcasts, etc.

Where to find the podcast:


This article is sponsored by Soterion

The post The Evolution of SAP Security, Access Control, and IAM appeared first on InsideSAP Asia.

Soterion Launches Informative SAP Security and GRC Podcast
https://insidesap.asia/soterion-launches-informative-sap-security-and-grc-podcast/
Published Sun, 02 Apr 2023 23:00:00 +0000

Soterion, an industry leader in access risk management, has recently launched a new podcast called ‘SAP Security & GRC’ focused on helping organisations achieve effective access risk management in SAP. Hosted by Dudley Cartwright, the CEO of Soterion and a renowned expert in the field, the podcast covers a wide range of topics related to SAP security, compliance, and industry news.

The podcast features interviews with experts from the SAP community who share their experiences and knowledge on topics such as identity and access management, SAP security controls, audit, and compliance. The discussions are informative, engaging, and accessible to both technical and non-technical listeners, with episodes available in audio and video formats and ranging from 15 to 40 minutes long.

One of the key features of the podcast is its focus on practical tips and solutions for SAP security and compliance. Listeners can expect real-world scenarios and actionable advice on how to address common challenges faced by SAP users.

The podcast is a valuable resource for Governance, Risk, and Compliance practitioners working in the IT or Finance departments of organisations running SAP. Whether you are a security consultant, an IT manager, or a business owner, you will find the podcast to be a valuable resource for improving your SAP security posture.

Listeners can access the podcast on all major platforms such as Apple Podcasts, Spotify, Google Podcasts, and more. To stay up to date with new episodes, visit Soterion’s website to subscribe and receive notifications. Additionally, viewers can watch the episodes on Soterion’s YouTube channel and subscribe to receive notifications of new uploads.

Soterion’s SAP Security & GRC podcast is a must-listen for anyone interested in SAP security and compliance. With its expert guests, practical advice, and insightful discussions, the podcast provides a wealth of information and knowledge that will help you stay ahead of the curve in the fast-evolving world of SAP security.

Take Me to the Podcast

  • Visit Soterion’s website and subscribe to receive notifications of new episodes: https://soterion.com/podcast/
  • Watch the episodes on Soterion’s YouTube channel and subscribe to receive notifications of new uploads.
  • Alternatively click here to find the link to the podcast on your platform of choice or type ‘SAP Security & GRC’ in your Podcast app and follow to receive notifications of new episodes.

This article is sponsored by Soterion

Mitigate 5 Key Business Risks with an Access Control Solution
https://insidesap.asia/soterion/
Published Thu, 12 Jan 2023 06:14:17 +0000

One of the key takeaways from a recent IDC Vendor Spotlight, sponsored by Soterion, is the following: access control is central to the management of key business risks.

This article is an excerpt taken from the IDC Vendor Spotlight detailing IDC’s views summarised as 5 key business risks that access control solutions can help manage.

5 Key Business Risks

  1. Financial

Financial processes must be designed to prevent fraud by those inside the business. Segregation of duties is a key technique for protecting against fraud: transactions must always require action from two or more staff, which makes it extremely difficult for an individual to commit fraud and makes it more likely that errors are picked up.

  2. Reputational

Organisations must protect their reputation among customers and investors. The failure of risk management processes can have a big impact on the reputation of a business as well as direct financial losses or legal repercussions.

In Europe, a series of corporate scandals and failures have made the public aware of the fact that not all businesses meet the standards required of them, reducing trust in the business in question. This loss of trust can have a material impact on brand value and the share price of listed companies.

  3. Regulatory

Applying processes that manage risk goes beyond good business practice. All businesses are legally required to comply with regulations determined by the jurisdictions in which they operate. Organisations in certain industries such as financial services and pharmaceuticals must adhere to a specific set of regulations driven by the types of products they develop and sell.

Auditors will check compliance with these regulations. Critically, it is not enough for an organisation to show that no failures occurred; regulators and auditors must see that robust processes are in place to ensure continued compliance.

  4. Privacy

An example of a set of regulations that applies to all organisations in Europe is the General Data Protection Regulation (GDPR). All businesses that operate in Europe must treat personal data in line with rules that govern how data is collected and how consent for its use, storage, and retention is handled. There are serious penalties for organisations that breach these regulations.

  5. Access Control

Processes designed to mitigate financial, reputational, and legal risks are the first part of the solution; access control is the second. The effectiveness of business processes is contingent on the correct people actioning each step of the process. Risk management is ultimately in the hands of people who must perform the role defined for them precisely. Individuals with access rights to systems that are too broad may find they are able to circumvent or compromise processes designed to protect the business.

Compliance is a Complex and Evolving Challenge

The CFO is the primary owner of risk management, answerable to the board, and holding a personal legal responsibility. In Europe, the regulatory burden has been rising as the EU in particular seeks to protect consumers and investors and reduce systemic risks in certain industries.

The financial crisis of 2008 in particular triggered a wave of new regulations. CFOs had to respond quickly and received investment to upgrade systems and processes to meet emerging requirements, but in most cases compliance was achieved by adjusting existing systems to meet the new requirements of regulations such as MiFID, IFRS, and SOX.

Is your access control solution working for you?

It’s worth revisiting your access control processes to ensure they’re keeping up with changing regulations and best practices. Get in touch with one of Soterion’s SAP security consultants to explore how we can help solve your GRC objectives.

More about Soterion

Soterion is an international leading provider of governance, risk, and compliance solutions for organisations running SAP. Soterion’s user-friendly GRC solutions provide in-depth access risk reporting to allow organisations to effectively manage their access risk exposure.

Soterion is passionate about simplifying the governance, risk, and compliance processes, with a focus on translating this complexity into a business-friendly language to enhance better decision making and business accountability. Email info@soterion.com for more information.

Download the full IDC Vendor Spotlight

Source: IDC Vendor Spotlight, Sponsored by Soterion, Soterion: Managing Risk and Ensuring Compliance Through Application Access Management, Doc. #EUR148915922, March 2022

Original article published on Soterion’s Website

SAP Access Risk Management: Soterion Featured as a Solutions Provider
https://insidesap.asia/sap-access-risk-management-soterion-featured-as-a-solutions-provider/
Published Sat, 08 Oct 2022 01:01:34 +0000

In a recent IDC Vendor Spotlight sponsored by Soterion, leading IT market research and advisory firm IDC outlined the benefits and challenges associated with SAP access risk management, and the actions required to drive improvement in access control.

In this article, we look at the key challenges associated with SAP access risk management, as outlined by IDC, and how Soterion’s software can assist with overcoming these challenges.

Read or download the full IDC Spotlight

Three key challenges associated with SAP access risk management

1. SAP access management is highly complex and is difficult to maintain as business, processes, and regulations change

Managing SAP access rights is highly complex due to the vast array of process and role configurations that organisations can and do utilise within their SAP applications. As organisations evolve and adopt new applications, the burden of managing access rights only increases, leading to increased costs and risks, particularly the chance of audits identifying control weaknesses resulting from SAP access irregularities.

Staying on top of SAP access rights is a challenge because of the vast number of possible access permutations and the rate at which they must be updated to keep pace with organisational change. The rate of business transformation and the pace of regulatory change will only increase, so organisations must find a way to prevent increased SAP access risk from becoming a product of this environment.

2. Poor access management can lead to compromised processes that present a business risk and audit failures

Poor access management is most likely to be identified either during a statutory or internal audit, as these audits set out to identify weaknesses in an organisation’s processes that present a risk to the organisation and its various stakeholders, customers, and suppliers.

But, as the IDC Spotlight points out, the cost of poor access management extends beyond the risk of fraud and the cost of remediation. Incorrect access rights can be the root cause of an array of process inefficiencies, where users underutilise the technology available to them as they are unable to fully capitalise on it.

Where SAP users do not have the correct access, businesses can experience downtime (end users waiting for appropriate access), because assigning new access and obtaining the necessary approvals from line managers and risk owners takes time. There is also a link between access rights and software licensing: over-allocated access can lead to paying for more licences than the organisation actually requires.

3. SAP access management is technical in nature, but access decisions are best made by risk owners and line managers

SAP ERP controls access through transaction codes, which are assigned to SAP roles. An SAP role is in turn assigned to an SAP user.

This sounds reasonable and straightforward, but the vast dimensions of typical SAP installations mean that it is not:

  • Over 140,000 transaction codes in SAP ECC
  • Thousands of users that are not easily aggregated into roles with identical or highly similar access needs
  • Often multiple legal or geographic entities with separate SAP installations and separate access management needs
  • Frequent changes in access management requirements due to reorganisations, spin-offs, consolidations, changes in business scope, etc.

Despite this technical nature, IDC says this shouldn’t be left to the technical experts alone.

Access management responsibilities must be shared between the IT function and the process owners and managers. Business process owners are best placed to determine the rights required to execute a task within the relevant compliance rules, while managers are best placed to allocate roles to the individuals they manage.

Importantly, these business owners will be able to proactively manage and maintain access rights within their domain, given the right tools. This helps move access management from an annual reactive activity toward being an exercise in continuous compliance.

Empowered business owners will be able to map processes, identify weaknesses, and implement improvements. Understanding precisely how individuals interact with SAP processes enables organisations to apply the principle of least privilege to each member of staff, reducing risk without harming productivity.

SAP access must be managed proactively, and to do this a tool is required to monitor, interpret, and optimise each user’s access as it pertains to their role.

In the IDC Vendor Spotlight, IDC profiles Soterion as an SAP access management solution that helps business managers understand, implement, and monitor access to SAP, reducing risk and improving efficiency.

Here’s what they had to say about Soterion:

“Soterion software tackles the challenge of the changing nature of SAP access rights – with an access management solution that helps business users see how users utilise their access in practice and highlights the business implications of poorly configured access rights.”

“The work that Soterion has done to convert technical access rights data into insights that business decision-makers can understand and monitor continuously will help access management become proactive, rather than something to be tackled periodically ahead of an audit.”

IDC highlighted some of the standout features of Soterion’s solutions including its:

Business-centric design

“Decisions regarding SAP access are best made by those that understand the business context in which processes and the staff who interact with them operate. Soterion’s tool helps visualise the relationship between access rights and business processes, highlighting weaknesses in a way that managers can quickly comprehend. The power of this tool is that it puts control in the hands of those best placed to make decisions.”

Reporting capabilities

“A key differentiator of Soterion is its reporting capabilities, which illustrates access risks in business process flow diagrams.”

Simplified language

“For business users that are not SAP transaction code experts, it simplifies understanding where in the business process the conflicting access resides. By converting the technical GRC language into a language the business users can understand, it can help in making better decisions and making business users more involved and accountable in the process. Ultimately, this can improve the overall capability of the organisation to manage its risk.”


Take your SAP access risk management to the next level?

Get in touch with one of Soterion’s SAP security consultants for advice or feel free to email info@soterion.com to discuss your organisation’s GRC needs.

This article is sponsored by Soterion

Driving Governance at Bridgestone with Soterion
https://insidesap.asia/driving-governance-at-bridgestone-with-soterion/
Published Wed, 13 Apr 2022 22:00:00 +0000

Discover how Bridgestone Australia uses Soterion’s GRC solution to effectively maintain segregation of duties

For Bridgestone Australia, one of the most well-known tyre manufacturers in the country, dealing with risk is a daily reality. Part of their brand promise is reducing risk for their customers who trust them to manufacture high-quality tyres to keep their families safe on the road.

But when it came to managing financial risk in their SAP system, they faced challenges. With a growing team, maintaining access controls within their SAP system had become time-consuming, inefficient and costly.

High growth and legacy ERP set-up no longer sustainable

Bridgestone Australia has used SAP since 1998 and over the years the volume of users has increased significantly. In 2008 they had a small number of SAP users due to running two systems within the company, namely SAP and iSeries. Due to the volume of users being fairly small, managing segregation of duties was relatively simple.

The turning point came in 2013/14 when all Bridgestone users needed to be migrated to SAP and many new processes were introduced.

With a large number of users and the complexity of the processes involved, the team knew that managing segregation of duties needed to move from the existing manual processes to automation.

The search for a commercial solution

Having investigated several options, Bridgestone decided that a custom solution was the way to move forward. Leading the charge for a fit-for-purpose solution was Jess Barnes, Senior Business Analyst in the SAP team at Bridgestone Australia.

Jess understood the complexity required to create a custom program that would handle the needs of the business and the plan was for her to write IT specifications for the program during the first quarter of 2015.

It was then at the Mastering SAP Conference Australia that Jess came across Soterion, and discovered their solution could do everything she needed it to do, presenting the data beautifully, and meeting budgetary requirements.

After three days of training, the Soterion team worked closely with Bridgestone’s infrastructure team to set up a Soterion server to talk to their SAP server. After a proof of concept, in 2016 Bridgestone Australia started using the Soterion solution.

“The tool is very useful to us because it gives us a clear picture and transparency of our financial risk in the business and the team is able to present the stats to the risk committee and executive team providing peace of mind to all.”


– Jess Barnes, Senior Business Analyst

Adjusting the solution makes it more powerful

Although Soterion’s solution can be used out of the box, Jess and the Bridgestone team needed to complete certain setup steps to customise it to their specific requirements and integrate it into the company’s risk and governance control policies.

1. Reviewing the rule set

The first thing the Bridgestone team did was to review the risk level and relevancy of the standard rule set. They decided to create their own Bridgestone rule set so that they could add their own set of transactions to the list.

The out-of-the-box solution classifies risks as low, medium, high or critical. Bridgestone found that certain risks marked as ‘high’ in the system were, in their view, ‘medium’; however, a relevancy checkbox allowed the team to keep oversight of all risks regardless of their level.

2. Segregation of Duties (SOD)

The second activity the team embarked on was to review all the risks that they have in the business by looking at all their users. They needed to define a mitigating control for each of them, something that the business and auditors would both agree on.

After running the SOD risk details within the Soterion solution, users who had a particular risk were highlighted together with a long description function that defined the risk. The team were then able to record a mitigating control.

Role simulation and user simulation were used on a daily basis. When creating a new role, the team could instantly check whether it introduced any segregation of duties conflict, look into the risk definition details and allocate a mitigating control, ready for audit.

Key lessons from Bridgestone’s implementation

  • Once a mitigating control has been decided on, it is a good idea to review it regularly. Bridgestone Australia does this on a yearly basis to ensure their mitigating controls are still relevant.
  • When setting up roles, ensure there are no conflicts in the same role. Revoking a role is difficult to do once the role has been set, especially with a large number of users. Setting this up correctly from the very beginning is crucial.
  • There is no need to develop a custom solution. Solutions such as Soterion’s GRC software can do everything and more, and bring with them expert knowledge built up over years.

About Soterion

Soterion is an international leading provider of governance, risk and compliance solutions for organisations running SAP. Soterion’s user-friendly GRC solutions provide in-depth access risk reporting to allow organisations to effectively manage their access risk exposure. Soterion is passionate about simplifying the governance, risk and compliance processes, with a focus on translating this complexity into a business-friendly language to enhance better decision making and business accountability.

How can Soterion Help You?

Soterion is the market leader in business-centric GRC. By converting the technical GRC language into a language the business users can understand, we facilitate business buy-in and accountability.

Feel free to email us on info@soterion.com. Let us help you take your GRC to the next level.

This article is sponsored by Soterion

Can Pablo Escobar teach us something about Risk Management?
https://insidesap.asia/can-pablo-escobar-teach-us-something-about-risk-management/
Published Sun, 13 Mar 2022 21:00:00 +0000

Pablo Escobar is one of the most infamous narco-terrorists of our time. His name is synonymous with illegal drugs, brutal murders, and a remarkable talent for avoiding capture. He is perhaps less well known as an access risk management professional.

But the truth is, mitigating risk was one of Pablo Escobar’s greatest achievements, and the way he operated provides us with some great principles that we can apply to SAP security and access risk management.

Now, I’m in no way glorifying Escobar’s antics, but the fact is that he ran a multi-billion dollar a year industry that had many moving parts – all without the help of the kind of sophisticated technology many of us have access to today. That’s no small feat.

While I’m not suggesting you go out and commit crime, there are some important lessons you can take from Escobar to help manage risk, enhance SAP security and improve access risk management in your organisation.

The three lines of defence for SAP security

Escobar’s greatest fear was to be caught and extradited to the US. So how is it possible that he was the most wanted person in the world for a period of 10 to 15 years, everyone knew the city where he resided, yet some of the most powerful government agencies could not catch him?

The answer is Escobar was brilliant at managing risk. He not only had a very clear idea what his risks were, but he implemented a strategy better than any organisation today to mitigate those risks.

Escobar appreciated and perfected the three lines of defence. In business or otherwise, you have three lines of defence when it comes to SAP security:

  • First line: Operational / Business users
  • Second line: Risk / Compliance departments
  • Third line: Audit / Assurance departments

Your first line of defence should be your strongest

Escobar implemented an exceptionally effective first line of defence.

In his city of Medellin, he was almost untouchable. He realised the importance of having many eyes and ears on the ground, so people from all walks of life fed him information whenever there was a risk. From street kids to grandmothers selling food on street corners, the moment something looked suspicious, Escobar was informed.

If a Westerner arrived at Medellin Airport, it was assumed he was a DEA agent and he would be followed and monitored. When the Colombian army made their move on Escobar, a street vendor noticed many army trucks leaving the barracks, thought that could only be for one reason, and alerted Escobar.

It could be argued that Escobar’s second line of defence was bribing the police and the army. His third line of defence was possibly his army of assassins. However, it was Escobar’s first line of defence that was his most effective in that it got him out of trouble the most often.

For organisations, this is also true: Your first line of defence should always be your strongest.

An organisation’s first line of defence is usually the employees (super / key users) who have been in the organisation for 15 to 20 years. They understand their area of the business and its processes better than anyone else.

Unfortunately, in most organisations this is typically the weakest line of defence. That’s not because those employees don’t know the risks in their area, it’s because the organisation has not implemented the correct processes and solutions to empower those users to participate in the risk management activities.

Empower your first line of defence with business-centric solutions

If you have employees who have been with your organisation either for many years and/or have an in-depth knowledge of their area of the business as well as a clear understanding of the risks – you are in a good position.

But just having these people available is not enough.

You need to empower them with the right solutions and processes to manage access risk and strengthen SAP security.

All too often organisations end up implementing complex solutions that are too technical for the business users, which results in the solutions being under-utilised or redundant. At best, these technical solutions end up being used as ‘back-end’ solutions by the IT or technical team.

When this happens, you lose your first line of defence.

Be more like Escobar (minus the drugs and deaths)

Escobar implemented a system and process where people on the ground could effectively act as the first line of defence. These first liners were educated on what was deemed a risk for Escobar. When they identified a risk, there was a clear process they could use to feed this information through to the relevant people in the organisation. Escobar empowered his first liners to raise the alarm if they noticed anything that posed a risk.

While you may not have the weapons that Escobar had, you do have a powerful weapon in risk management at your disposal – loyal and experienced operational and business users.

By enhancing business buy-in and improving your first line of defence, your organisation will become more risk aware and will be able to identify and respond more rapidly to security threats.

To give your organisation the best chance of fighting risk, you need to equip your users with the right weapons – and one of your best weapons today is a business-friendly GRC solution. By giving your people tools that they not only understand but are also not afraid to use, you empower them to effectively manage your organisation’s risk.

This article is sponsored by Soterion

The Hidden Benefits of Customising Your Organisation’s SAP Access Risk Rule Set
https://insidesap.asia/the-hidden-benefits-of-customising-your-organisations-sap-access-risk-rule-set/
Sun, 12 Dec 2021 21:00:00 +0000

At Soterion, a study was recently conducted to find out how many organisations have customised their SAP access risk rule set.

Surprisingly, it was discovered that more than half of the companies surveyed haven’t customised their rule sets and are still using the vendor’s out-the-box standard rule set. This comes as a surprise considering SAP access risk rule set customisation is a common recommendation by many of the Big 4 audit firms.

SAP access risk rule sets typically contain risks for the following categories:

  • Segregation of Duties (SOD)
  • Critical Transactions
  • Data Privacy

There are a number of benefits to customising these rule sets – and yes, some of these are obvious. But for many organisations, the advantages of customising your SAP access risk rule set aren’t immediately apparent.

Here are some reasons to customise your SAP access risk rule sets that you might already know about (and some you might not have considered).

Benefit 1: Reduce the cost and effort of managing irrelevant risks

The out-the-box rule set has been defined for all industries and chances are these are not all going to be applicable to your organisation’s needs. Every access risk in the rule set requires some level of effort (which has a cost implication) to manage.

By removing risks that are not applicable to your organisation, you will reduce the effort and costs involved in managing those risks.

Benefit 2: Get better coverage of all your processes

The out-the-box rule sets generally cover the main business processes such as Procure to Pay, Order to Cash, Finance, Materials Management, and Hire to Retire. But some of the not-so-common business processes such as IS Health, Media, Insurance, and Global Trade Services are not included in many of the out-the-box rule sets. By adding these risks to the rule set, your organisation has better coverage of all your processes.

The more common scenario when updating the rule set is adding custom functionality. Out-of-the-box rule sets do not contain any custom (Z) transaction codes, so it is important to add these to the rule set. For example, if the organisation has created a custom version of VA01 (e.g. ZVA01) that performs a similar function and allows users to create sales orders, it should be added to the rule set alongside VA01. Otherwise a rule keyed only on VA01 will not flag a user who reaches the same function through ZVA01, and the risk report will understate the organisation’s exposure.

Benefit 3: Get more business buy-in for GRC activities

As detailed above, when using an out-the-box rule set, many of the risks are not relevant to your organisation. What often happens is business users lose confidence in GRC activities because they don’t agree with the risk that they are being asked to monitor.

For those organisations who struggle to get the necessary business buy-in and participation from their business users in GRC activities, a rule set customisation exercise has significant benefits to addressing this challenge in several ways:

  • Monitoring relevant and applicable risks:
    Monitoring risks that the business believe in will enhance their participation and buy-in. This will raise the organisation’s risk awareness.
  • Building understanding of business impact:
    A big challenge for many organisations is that business users do not understand the SOD access risks, resulting in actions being taken without fully understanding the consequences or impact it will have on the business. Rule set projects are usually workshop based where business users and functional consultants discuss and analyse each risk. This is a useful educational exercise where each SOD risk is explained in detail and how fraud can potentially be committed with the conflicting combination of access. Once business users understand the SOD risk, they will have a better understanding of the impact of these risks on the organisation, and thus be able to make a more informed decisions as to whether users should have that particular access or not.
  • Defining a Standard Operating Procedure (SOP):
    As it is unlikely that the organisation can operate without any risk violations, a number of end users will have access risks. When a user requests additional access that conflicts with access they already have, it is often unclear whether the request can be approved. As a result, these types of requests often sit in the reviewer’s inbox for several days.

    It is important to define a policy per risk level, i.e. what decision applies to a simulated access request at each risk level. Defining these rules (the SOP) is part of the rule set customisation.

    An example here is:

    • If risk = Critical – access cannot be assigned
    • If risk = High – access can be assigned but with Mitigating Control
    • If Risk = Medium – access can be assigned without Mitigating Control

By defining these types of guidelines, your business users are able to make quicker decisions on whether the additional access requested can be approved. This reduces the time that SAP access change requests sit in a manager’s inbox waiting to be approved, which ultimately reduces the business downtime (end-user waiting for requested access) saving your organisation valuable time and costs.
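To make the rule-set mechanics concrete, here is a small evaluator, added to this article as a worked example; it is not Soterion’s or SAP’s code. The rule set, role contents, users and the custom transaction ZVA01 are constructed for the illustration (only the standard transaction codes are real). It shows the Benefit 2 point that a rule keyed on VA01 alone misses a user who creates sales orders through ZVA01, and applies the Critical/High/Medium SOP above to a simulated access request.

```python
"""Rule-set evaluator: SoD conflicts, critical transactions, custom tcodes and the SOP.

Added example. The functions, risks, roles and users below are constructed;
only the standard SAP transaction codes (VA01, VD01, ME21N, MIRO, ...) are real.
"""
from dataclasses import dataclass

# A function is a business activity and the transaction codes that can perform it.
FUNCTIONS = {
    "SD01 Create sales order":       {"VA01"},
    "SD02 Maintain customer master": {"VD01", "VD02", "XD01", "XD02"},
    "MM01 Create purchase order":    {"ME21N", "ME21"},
    "AP01 Maintain vendor master":   {"XK01", "XK02", "FK01", "FK02"},
    "AP02 Post vendor invoice":      {"MIRO", "FB60"},
    "BC01 User administration":      {"SU01", "PFCG"},
}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    level: str          # Critical, High or Medium
    functions: tuple    # two functions = SoD conflict, one function = critical transaction
    description: str


RISKS = [
    Risk("S001", "High", ("SD01 Create sales order", "SD02 Maintain customer master"),
         "create a fictitious customer and sell to it"),
    Risk("P001", "High", ("MM01 Create purchase order", "AP02 Post vendor invoice"),
         "raise a purchase order and post the invoice against it"),
    Risk("P002", "Critical", ("AP01 Maintain vendor master", "AP02 Post vendor invoice"),
         "create a fictitious vendor and pay it"),
    Risk("B001", "Critical", ("BC01 User administration",),
         "critical transaction: maintain users and roles"),
]
RISK_BY_ID = {r.risk_id: r for r in RISKS}
SEVERITY = {"Medium": 1, "High": 2, "Critical": 3}

# The SOP from the article: what happens to a request that introduces a risk of this level.
SOP = {
    "Critical": "reject",
    "High": "approve with mitigating control",
    "Medium": "approve",
}

# Constructed role contents and user-role assignments. ZVA01 stands in for a
# customer copy of VA01 that also creates sales orders.
ROLES = {
    "Z_SD_ORDER_ENTRY_CUSTOM": {"ZVA01", "VA03"},
    "Z_SD_CUSTOMER_MASTER":    {"VD01", "VD02"},
    "Z_MM_PO":                 {"ME21N", "ME23N"},
    "Z_AP_INVOICE":            {"MIRO", "FB03"},
    "Z_AP_VENDOR":             {"XK01", "XK02"},
    "Z_BASIS_ADMIN":           {"SU01"},
}
ASSIGNMENTS = {
    "ALICE": {"Z_SD_ORDER_ENTRY_CUSTOM", "Z_SD_CUSTOMER_MASTER"},
    "BOB":   {"Z_MM_PO"},
    "CAROL": {"Z_AP_VENDOR"},
}


def user_tcodes(user, assignments=ASSIGNMENTS, roles=ROLES):
    """All transaction codes a user reaches through the roles assigned to them."""
    return set().union(*(roles[r] for r in assignments.get(user, ())))


def evaluate(tcodes, functions=FUNCTIONS, risks=RISKS):
    """IDs of every risk whose functions can all be performed with these tcodes."""
    return sorted(r.risk_id for r in risks
                  if all(functions[f] & tcodes for f in r.functions))


def add_custom_tcodes(functions, custom):
    """Benefit 2: map Z-transactions onto the standard function they replicate."""
    updated = {f: set(t) for f, t in functions.items()}
    for ztcode, function in custom.items():
        updated[function].add(ztcode)
    return updated


def simulate_request(user, new_role, functions=FUNCTIONS, roles=ROLES,
                     assignments=ASSIGNMENTS, sop=SOP):
    """Risks a new role assignment would introduce, and the SOP decision for the worst one."""
    current = user_tcodes(user, assignments, roles)
    before = set(evaluate(current, functions))
    after = set(evaluate(current | roles[new_role], functions))
    new = sorted(after - before)
    if not new:
        return {"new_risks": [], "decision": "approve"}
    worst = max((RISK_BY_ID[i] for i in new), key=lambda r: SEVERITY[r.level])
    return {"new_risks": new, "decision": sop[worst.level]}


if __name__ == "__main__":
    custom = add_custom_tcodes(FUNCTIONS, {"ZVA01": "SD01 Create sales order"})
    print("ALICE, vendor rule set:    ", evaluate(user_tcodes("ALICE")))          # []
    print("ALICE, customised rule set:", evaluate(user_tcodes("ALICE"), custom))  # ['S001']
    for user, role in [("BOB", "Z_AP_INVOICE"), ("CAROL", "Z_AP_INVOICE"), ("BOB", "Z_BASIS_ADMIN")]:
        print(user, "requests", role, "->", simulate_request(user, role, custom))
```

A production rule set also matches on authorisation objects and field values, not only on transaction codes, and the analysis runs over the user’s combined access rather than role by role; the structure is the same as here, functions grouped into risks and a request decision driven by the most severe risk the request would newly introduce.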

Whether you need assistance with customising your out-the-box SAP access risk rule set or advice on where to start, Soterion’s team of SAP experts can assist with your unique requirements and help you implement more effective GRC.

This article is sponsored by Soterion

SAP User Access Review – Top 6 considerations for a more effective outcome
https://insidesap.asia/sap-user-access-review-top-6-considerations-for-a-more-effective-outcome/
Mon, 20 Sep 2021 22:00:00 +0000

There are a number of components and activities that make up a Governance, Risk and Compliance (GRC) solution, many of which are back-end activities performed by GRC or SAP security administrators. However, certain GRC activities have a large touch point with business users, i.e. business users are the primary users of that functionality, namely:

  • SAP Access Risk Simulations (approval / rejection done by line managers)
  • User Access Review

Organisations have been asking their business users to review SAP access change requests for quite some time now. However, even with regulations such as SOX / JSOX being in existence for almost 20 years, the requirement to perform a User Access Review is a more recent requirement for many organisations.

In this article, we will take a look at the purpose of a User Access Review and discuss six technical aspects that organisations should consider in order to make the process easier and simpler for the business users.

Why is it Becoming so Important?

The primary driver behind a User Access Review is usually audit. Audit requirements derived from regulations such as the Sarbanes-Oxley (SOX) Act and J-SOX expect listed organisations to perform a User Access Review on a periodic basis, usually annually.

Before we go any further, let’s remind ourselves of the purposes of the User Access Review:

During the course of a specific year, SAP access change requests will be simulated using an access control solution. Line Managers / Business users will be required to review these proposed changes, with approved requests being applied in SAP.

The function of the User Access Review is to check whether that SAP access is still valid at a later point in time. For example, if a person requests access to create purchase orders (ME21N) and the request is approved, the appropriate role is assigned to the user. If this assignment was done on 1 January 2020, who is to say that the access is still relevant for that user on 1 January 2021?

The User Access Review, therefore, provides the organisation with an opportunity to re-look at the user’s access to confirm whether it is still relevant and applicable (as the user may have moved to a different job function, or their role may have changed since the role assignment was done). One of the great advantages of a User Access Review is that it limits SAP authorisation creep.

The downside for many organisations is that a User Access Review is done merely to appease audit, and the value of the activity is questionable, especially when you consider the amount of effort required by the business users to carry out a User Access Review.

There is a need to shift the mindset of the business users from treating the review as an audit tick-box exercise to seeing it as a valuable activity in remediating access risk. To support this shift in thinking, organisations need to consider several process changes to support the business, and to understand the challenges facing the business users who perform the SAP User Access Review. If the business users find the process onerous or challenging, they will push back and treat it as a tick-box exercise, and the organisation will extract minimal value from the User Access Review.

How do You Facilitate This Shift in Thinking?

Besides garnering senior management support for the User Access Review, it is critical that a number of technical aspects are considered to make the process easier and simpler for the business users. Here are a few considerations:

1. Role Design

Does the organisation’s SAP role design make it difficult for the business users to know what access users have i.e. are SAP roles non-descriptive? Are SAP roles large and contain many transaction codes?

To make the User Access Review process as simple as possible for the business users, ensure that the SAP role design lends itself to making the process easy. Functional role designs typically have more descriptive role names, making it easier for business users to understand what is contained in the SAP roles being reviewed. This will allow the business users to make more informed decisions as to whether the access is appropriate or not for the user.

Updating the role design to be descriptive may in fact require a complete role redesign. As organisations move to S/4HANA, this is a good opportunity to re-examine the organisation’s security framework and consider a role redesign that is more business friendly and simpler, thereby reducing the effort required in a User Access Review.

2. Role Methodology

Unfortunately debating SAP role methodologies is like debating religion and politics. People become familiar with a role methodology and do not fully appreciate any other methodology. Most SAP security administrators understand a derived role methodology and have a limited understanding of a task and value (functional / enabler) role methodology.

A task and value role methodology splits transactional access (task roles carrying the transaction codes and their authorisation objects) from organisational-level access (value or enabler roles carrying the organisational field values such as company code or plant). This results in far fewer roles needing to be created, which also means users are assigned fewer roles. Choosing a role methodology with fewer role assignments per user reduces the effort required by the business users to carry out a User Access Review. One caveat: a task role on its own grants no usable access until a matching value role supplies the organisational values, so risk analysis and reviews must look at the user’s combined access rather than at each role in isolation.

3. Rule Set Customisation and Business Education of Access Risk

Business users performing a User Access Review are likely to pay more attention to those SAP roles assigned to their users that contribute to access risk violations. If the organisation has performed a rule set customisation project, they are likely to have defined a more appropriate and refined rule set.

The access risk rule set project serves as a great tool for educating the business users on the access risks applicable to their area. By having a better understanding of each of the access risks in the rule set, the business users can make more informed decisions during the User Access Review as to whether a risk bearing access for a particular user is acceptable or not.

4. Use a Tool to Facilitate the User Access Review Process

Performing a User Access Review in a spreadsheet often proves challenging. Although the reviewer can see the roles assigned to the users, spreadsheets usually do not include usage or risk information. The result is that roles are removed from users even though they contain transaction codes those users are actively using to carry out their job function. This causes business disruption, and most of the removed access gets assigned back to those users immediately after the User Access Review.

By using a commercial solution for the User Access Review, the business users can make more informed decisions due to having User-Transaction usage and access risk information.

A huge benefit of using a tool to facilitate the User Access Review is that it can be configured to speed up the process. As an example, a User Access Review can be created to only include roles that contribute to access risk, thus reducing the number of role assignments that need to be reviewed. Another example is to create a User Access Review that flags roles previously ‘approved’ so that the focus can be on new assignments since the last review. To get the reviewers to perform a User Access Review well, it is important for the solution to convert the technical SAP role language into a language the business users can understand.
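As an added example (not part of the original article and not Soterion’s Periodic Review Manager), the following builds the worksheet a reviewer would work from: one line per role assignment, with the transaction usage and access-risk information the paragraph above says a spreadsheet lacks, a flag for assignments approved in the previous cycle, and the two scoping options described (risk-bearing roles only, new assignments only). All inputs are constructed; the risk IDs S001 and B001 and the usage records are assumed outputs of an access-risk analysis and a workload export.

```python
"""User Access Review worksheet: role assignments enriched with usage and risk.

Added example. Role contents, assignments, usage records, risk results and
previous decisions are all constructed for the illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

ROLE_CONTENTS = {
    "Z_SD_ORDER_ENTRY":     {"VA01", "VA02", "VA03"},
    "Z_SD_CUSTOMER_MASTER": {"VD01", "VD02"},
    "Z_FI_DISPLAY":         {"FB03", "FBL1N"},
    "Z_BASIS_ADMIN":        {"SU01", "PFCG"},
}
ASSIGNMENTS = {
    "ALICE": {"Z_SD_ORDER_ENTRY", "Z_SD_CUSTOMER_MASTER", "Z_FI_DISPLAY"},
    "DAVE":  {"Z_FI_DISPLAY", "Z_BASIS_ADMIN"},
}
# Transaction usage per user, in the shape of an ST03N/STAD export: (user, tcode, date).
USAGE = [
    ("ALICE", "VA01",  date(2021, 8, 3)),
    ("ALICE", "VA03",  date(2021, 9, 1)),
    ("ALICE", "FB03",  date(2020, 6, 20)),
    ("DAVE",  "FBL1N", date(2021, 9, 14)),
]
# Assumed output of the access-risk analysis: per user, each risk ID and the
# tcodes in that user's access which contribute to it.
USER_RISKS = {
    "ALICE": {"S001": {"VA01", "VD01", "VD02"}},
    "DAVE":  {"B001": {"SU01", "PFCG"}},
}
# Decisions recorded in the previous review cycle.
PREVIOUS_DECISIONS = {
    ("ALICE", "Z_SD_ORDER_ENTRY"): "approved",
    ("ALICE", "Z_FI_DISPLAY"):     "approved",
    ("DAVE",  "Z_FI_DISPLAY"):     "approved",
}
AS_OF = date(2021, 10, 1)   # constructed review date


@dataclass(frozen=True)
class ReviewItem:
    user: str
    role: str
    risks: tuple                 # risk IDs this role contributes to for this user
    last_used: Optional[date]    # latest use of any tcode in the role by this user
    previously_approved: bool
    suggestion: str


def last_use(user, role, usage=USAGE, roles=ROLE_CONTENTS):
    """Most recent date the user ran any transaction contained in the role."""
    dates = [d for u, t, d in usage if u == user and t in roles[role]]
    return max(dates) if dates else None


def build_worksheet(user, as_of=AS_OF, lookback_days=365,
                    only_risk_bearing=False, new_assignments_only=False):
    """One line per role assignment, with the facts a reviewer needs to decide."""
    items = []
    for role in sorted(ASSIGNMENTS[user]):
        risks = tuple(sorted(rid for rid, tcodes in USER_RISKS.get(user, {}).items()
                             if tcodes & ROLE_CONTENTS[role]))
        approved = PREVIOUS_DECISIONS.get((user, role)) == "approved"
        if only_risk_bearing and not risks:
            continue    # scope the review to roles that contribute to a risk
        if new_assignments_only and approved:
            continue    # focus on assignments made since the last review
        used = last_use(user, role)
        stale = used is None or (as_of - used).days > lookback_days
        if stale:
            suggestion = "candidate for removal: no usage in the review period"
        elif risks:
            suggestion = "review: contributes to " + ", ".join(risks)
        else:
            suggestion = "confirm: in use, no access risk"
        items.append(ReviewItem(user, role, risks, used, approved, suggestion))
    return items


if __name__ == "__main__":
    for reviewed_user in ASSIGNMENTS:
        for item in build_worksheet(reviewed_user):
            print(f"{item.user:6} {item.role:22} risks={item.risks} last_used={item.last_used} "
                  f"prev_approved={item.previously_approved} -> {item.suggestion}")
```

The suggestion is only a starting point for the reviewer: an unused role that carries a risk is the strongest removal candidate, while a role in daily use that contributes to a risk is the one that needs a conscious decision and, if kept, a mitigating control.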

5. Split Reviews

If you make use of SAP Composite or Business Roles, consider splitting the review into a User Access Review and a Role Content Review.

  • Role Content Review: A role owner reviews the content of the SAP Composite or Business Role.
  • User Access Review: A line manager reviews the role assignments at the SAP Composite or Business Role level. They do not review the underlying SAP single roles – but simply whether the Composite or Business Role is appropriate for the user.

6. Iterative Reviews

Instead of having one large annual User Access Review in which all users’ access is reviewed, see whether it is possible to split this into smaller iterative reviews during the year. This can be split by:

  • Geography: User Access Review done by region.
  • Risk Level: User Access Review done by risk level.
  • SAP module: User Access Review done by SAP module.

It is important to keep in mind the challenge of certification fatigue: reviewers faced with long lists of assignments complain about the time and effort required and, in practice, tend to approve everything just to finish, which defeats the purpose of the review. Smaller, focused reviews reduce this risk.

How can Soterion Help You?

Soterion’s Periodic Review Manager allows the review to be done at the business process level, making it easier and quicker for the business users to carry out their access risk management activities. This allows the business to make more informed decisions and reduces the time it takes to complete the User Access Review, saving the organisation time and money.

This article is sponsored by Soterion

Is Your Organisation Managing SAP Access Risk Effectively?
https://insidesap.asia/is-your-organisation-managing-sap-access-risk-effectively/
Mon, 26 Jul 2021 22:00:00 +0000

Soterion’s Governance, Risk and Compliance (GRC) solutions are for organizations of any size and complexity. Soterion’s core offering is an SAP access risk tool, with a focus on converting the technical GRC language into a business-friendly language, to enhance business buy-in and accountability of access risk. This functionality enables clients to effectively manage their SAP authorization solution, by providing the necessary visibility for business accountability of SAP access risk.

Soterion’s GRC Solutions

Soterion’s solution suite enables organizations to gain visibility and effectively manage their access risk exposure. Download our brochure for more details on all of the following solutions.

  • Access Risk Manager

The Access Risk Manager includes core access risk control features to manage SAP access risk. These include identification (Identify Risk), risk remediation (Get Clean), user access change management (Stay Clean simulations), and risk mitigation (Stay in Control).

  • Elevated Rights Manager

The Elevated Rights Manager grants sensitive fire-fighting access in an automated workflow-driven process, and enables your management team to perform a structured review of any activities that were performed during the Elevated Rights Access period.

  • Periodic Review Manager

The Periodic Review Manager allows business users to review access in the context of risk and business processes, ensuring informed and effective decision making. This business-friendly process is easily managed using progress dashboards to expedite the review process. This process will significantly enhance the insight into your GRC environment, as well as being an audit and statutory requirement for many organizations.

  • Central Identity Manager

The Central Identity Manager introduces the Business Role concept to improve efficiencies in the SAP user provisioning process. Standardization of job functions across the organization reduces complexity and the effort required to manage and review SAP user access. The Central User Administration functionality further reduces the support effort and cost to manage user access across the SAP landscape, including non-productive SAP systems.

  • Data Privacy Manager

Manage personal data in SAP and monitor which SAP users have access to sensitive personal information. The Data Privacy Manager analyses all tables in SAP and highlights those that contain fields with personal or sensitive information, categorizing the data by Data Domain (such as bank details, email addresses and ID numbers) and per Data Subject (business partner, vendor, customer, employee and SAP user).

  • Password Self-Service

Soterion provides users with the ability to reset their own SAP passwords. This vastly reduces the burden on the authorization support team, saving cost and time, and reduces business down-time by empowering users to reset passwords instantly. As with any self-service reset, the requester’s identity should be verified through a factor independent of the SAP password (for example the corporate identity provider or a one-time code), otherwise the reset path itself becomes a route to account takeover.

  • Basis Review Manager

SAP Basis configurations provide system-level controls to secure an SAP system. The Basis Review Manager compares your SAP Basis configuration to an industry best-practice set of rules. Since these configurations usually form part of an annual external audit, the Basis Review Manager lets you identify and remediate gaps ahead of the audit rather than learning of them through an adverse finding.

  • SAP License Manager

The SAP License Manager identifies under-utilized and incorrectly classified SAP User accounts by monitoring user activity in SAP for effective license optimization. This ensures optimal contract management and compliance whilst reducing unplanned and excess costs.

Feel free to email us on info@soterion.com to discuss your organization’s GRC needs.

Innovation in User Experience for Automated Controls

GRC2020 Research, LLC, recognized Soterion with the 2019 GRC User Experience Award. Download the report to find out why our solutions were chosen above the rest.

About Soterion:

Soterion is a leading provider of SAP governance, risk and compliance (GRC) solutions. Soterion’s user-friendly GRC solutions provide SAP customers with in-depth access risk reporting in business-friendly language. This allows organizations to effectively understand and manage their access risk exposure. Soterion is passionate about simplifying the governance, risk and compliance processes, with a focus on supporting better decision-making and business accountability.

Soterion’s plug-and-play GRC solution is easy to learn, S/4HANA ready and boasts an award-winning user experience. Organizations running SAP can make use of Soterion’s GRC security suite either as an on-premise or a secure cloud offering.

As access risk is business risk, Soterion believes that effective GRC is measured by how well the business users can carry out their access risk management activities. Our business-friendly GRC solution enhances the organisation’s overall risk awareness by empowering business buy-in and accountability of access risk.

This page is sponsored by Soterion

Business-Centric GRC – The Future of Effective Access Risk Management
https://insidesap.asia/business-centric-grc-the-future-of-effective-access-risk-management/
Sun, 18 Jul 2021 22:00:00 +0000
An organisation’s GRC effectiveness is measured by how well the business users perform their access risk management activities.

The vast majority of organisations that have implemented a GRC or access control solution are not seeing the value they should from their GRC investment.

Why is This?

By their nature, GRC solutions are very complex and technical. They have been developed to analyse the transaction codes, authorization objects and fields available in an SAP user’s ‘user buffer’. Many of these solutions were developed from a technical audit perspective with very little consideration for their use by business users.

Generally, the more complex the solution, the less uptake from business users. Business users are at full capacity performing their daily jobs, and therefore asking them to perform onerous or cumbersome compliance tasks with complex solutions often leads to business resistance. Business users will keep pushing these activities back onto IT, with the end result being that the GRC solution will be used predominantly as a back-end solution by the security and GRC teams, with minimal business involvement.

It is important to note that access risk is business risk. An organisation cannot manage its access risk effectively without significant business involvement. Therefore, organisations need to ensure that they implement a business-centric GRC solution if they are serious about managing their SAP access risk.

What Is Business-Centric GRC?

Business-centric GRC is putting the business user at the centre of the process. It is all about enhancing business-accountability of access risk through a business-first approach to all SAP security and GRC activities.

By enhancing business accountability of risk, an organisation will become more risk-aware and more effective in their risk management activities. This can be illustrated by using the audit principle covering the three lines of defence.

The first line of defence is your business or operational user. The second line of defence is your risk and compliance department, and the third line of defence is the audit and assurance department.

The first line of defence should be the strongest. These are people who have been in your organisation for 15 – 20 years and understand your business better than anyone else. Yet this is often the organisation’s weakest line of defence – not because users do not know the risks or the processes involved, but because the current solutions and processes do not lend themselves to business users taking ownership and becoming accountable.

As mentioned, to facilitate business buy-in, it is important that the solution is business-centric. Business-centric GRC converts technical GRC language into business-friendly language, allowing the business users to not only understand the risks in their area of responsibility, but also facilitate quicker decision making. More informed and quicker decisions reduce the business downtime of SAP users waiting for SAP access requests to be approved and assigned.

Soterion is a leader in business-centric GRC solutions. All features and functionality have been developed from the perspective of the business user. Soterion also recommends that the access risk management processes are practical for business users to perform.

To illustrate this, consider the User Access Review process. This is where business users review their users’ SAP access to determine whether this access is still relevant for their job function. The review typically takes the reviewers many hours to perform. In addition to the effort required by the business to carry out the user access review, the value of the exercise often does not justify that effort.

Challenges such as non-descriptive SAP role names make it difficult for reviewers to know exactly what access and functionality users holding a role are entitled to. Soterion enables the User Access Review to be performed by business process, thus eliminating any deficiencies in the SAP role naming convention. Business users are able to perform a more effective review that has a desirable business outcome. A review will take far less time and will yield significant cost savings for the organisation.

Enhancing business accountability of access risk with the use of a business-centric GRC solution will improve the organisation’s overall risk awareness and their ability to manage their risk. Every organisation should therefore be looking to improve their first line of defence by embracing elements of business-centric GRC.

For more information, please contact us on info@soterion.com

This article is sponsored by Soterion
