It is that time of the year for many companies: everybody is nervous and stressed as the auditors are in, requesting countless documents you may or may not have.
External auditors are breathing down my neck…
I need to get them on-time, accurate reports.
Many hours are spent digging into data, producing reports and generating data dumps for the auditors. Once they get the information, countless more man-hours are spent providing additional information because the sampling did not produce what the auditors were looking for.
Monitoring SoD security is tedious and reactive.
Most companies struggle with or fail their audits because of the following challenges:
- too many SoD violations
- change control issues moving program changes to production that should not be there
- the usage of your Emergency IDs is not documented properly
- User provisioning is done in a formal way
- No accountability for changing user access due to lack of role ownership
- Roles with conflicting transactions cause SoD issues
- System Administrators and SAP Security staff have too much access
- Manual methods are very time-consuming and require dedicated resources to pull reports.
- Manually extracting data out of enterprise software products is complex and prone to errors.
- Manual methods hurt the quality of the audit — often producing results with false positives, creating re-dos and more work for auditors.
- Risks are managed mostly during the periodic audits and not proactively
These are just a few. The most important issue, however, is that many companies have not kept their SAP Security architecture up to date, for the following reasons:
- SAP was rolled out and the implementer left the project without a proper hand-over
- Company has merged or business has been divested without considering SAP Security properly
- Using a one-size-fits-all resource to handle SAP Security, Basis and other chores at the same time
- Business has changed and SAP Security has been patched as the original design doesn’t meet the new requirements
- Users have changed position and their access has not been re-certified; new roles have simply been added to those of the previous job description
- User access has been copied from user to user rather than redefined during the on-boarding process
We are here to help you make sense of your SAP Security landscape. Let us schedule a free discovery call to find out what your issues are and discuss what your options are.
We are now asking you to help us so that we can help you! As simple as that.
Our goal is to offer affordable solutions to SAP customers that do not have the luxury of a big SAP Security / Basis team. Sometimes small changes to your daily activities can free up more time for your team to perform tasks that are business critical and help them focus on what is important.
If your main issue is the lack of a GRC solution to perform regular SoD analysis, including a proactive SoD analysis before access is granted, and/or to manage your Emergency Requests, you may want to consider our state-of-the-art, subscription-based solution.
Identify Segregation of Duties Access Conflicts in Minutes
Having the proper Segregation of Duties (SoD) policies in place is only one small piece of the compliance puzzle. Reporting and auditing on SoD access in SAP® is a large, virtually impossible undertaking without the proper reporting tool. Meanwhile, identifying potential access conflicts is required as part of the auditing process – and is even the law for public companies subject to Sarbanes-Oxley (SOX) legislation.
Segregation of Duties Analysis is a central feature of ERP Maestro’s online reporting service. The Conflict Risk Overview and User Conflict Matrix are two key reports that use 100% of SAP user data to provide business process owners (BPOs) with all the visual intelligence they need to:
- Quickly identify all potential access conflicts – not just a sample
- Break down conflicts by risk level
- Pinpoint conflicts from overused or underused access
- Begin the remediation process immediately
Did this article trigger some interest? If yes, feel free to contact me and let me know how we can help you.