SAP GRC & SOD/SOX Management

1 Introduction

The modern risk landscape is continually shifting and evolving.

It is not only companies, individuals or groups that are affected; entire nations can suddenly find their compliance regime under attack. That is one side of where compliance comes under threat.

The other side is technical: as cloud solutions and intelligent technologies continue to evolve, cybercrime, data breaches and fraud become increasingly complex threats.

In this environment of heightened risk and uncertainty, businesses need to leverage, and simplify, every tool available to anticipate and manage risk. Achieving business objectives while maintaining strong compliance and governance standards is a growing challenge for every organization. The best businesses meet this challenge with a people-first approach and an ongoing commitment to training and supporting their teams, from the top down, so that they can leverage new technologies and develop responsive GRC strategies.

Without functioning user administration, your employees cannot work in your SAP systems. Maintaining user profiles and the roles assigned to them is time-consuming without the right technical support. Compliance and complete documentation ensure that legal requirements are met and that your departments and IT are well prepared for internal and external audits.

We offer solutions for the administration of your SAP users. They make it easy to administer users, their access rights and the associated approval processes. Process automation and easy-to-use web-based tools minimize manual effort and give your employees the support they need.

2 Strategic Reasons for Optimal SAP GRC and SOD/SOX Management

Some of the key strategic reasons for companies to focus on SAP GRC compliance and on best-practice SOD and SOX compliance come from the rising cost of running audits. The following four points highlight the need for good SAP governance:

• SOD/SOX audit hours continue to increase year on year – increasing costs

• Co-sourcing relationships are on the rise – increasing complexity

• Control counts continue to go up – increasing volume of work

• External auditors continue to ask for more documentation from each audit – increasing demand

So how can CIOs running complex SAP landscapes improve the efficiency of their SAP governance to support SOD/SOX compliance, stay within budget and accommodate the latest industry regulations and standards? And how can CIOs help audit teams free up time and resources so that they can focus on adding more value to their organizations?

We look at three strategies:

• Leverage technology to improve the audit workflow

• Reduce the count of key controls

• Staff recertification on SAP solutions

Incorporating just one of these three strategies will yield improved results and assist audit teams in reducing costs and increasing the value of their delivery.

Strategy 1: Leverage Technology

Microsoft Excel and e-mail are the two staples of every audit function.

Microsoft Excel was released in 1987, and since then the lowly spreadsheet has evolved into far more than a bookkeeping tool. It has become a workflow staple for every auditor, due in part to its ability to link data across documents and automate basic workflow tasks. At the same time, modern audit projects require more attributes and details about a control than in past years. Whether it is documenting the completeness and accuracy of evidence or validating the integrity of a key report, auditing procedures have evolved beyond simple attribute ticking and tying. The spreadsheet can represent this more demanding process, but it lacks speed, efficiency and consistency.

Nevertheless, to keep up with the ever-growing list of audit requirements, audit teams have accepted MS Excel as the cornerstone of their approach. The result is an ever-increasing number of spreadsheets floating through the organization, shared network folders or cloud-based collaboration tools used to coordinate the audit information and organize audit staff responsibilities. On top of this, version-control problems become dramatically more complicated and far more time-consuming to resolve.

As any audit manager can attest, if one member of the team fails to make a timely edit or forgets to apply an update across all audit sheets, the downstream ripple effect can cost managers hours of clean-up. Unfortunately, this painstaking clean-up often goes unreported to the client, and the client's audit costs increase unnecessarily.

This is not an effective approach.

So why are teams still using the spreadsheet? The answer: familiarity.

Given the complex nature of modern audit programs, audit data points often have a many-to-many relationship when it comes to risk and control mapping. Some examples include risks that appear across multiple processes or business units, audit issues that impact multiple controls or processes, and COSO principles mapping to many controls.

The good news is that this uncontrolled spreadsheet sprawl, which stifles innovation as much as it buries deep knowledge about compliance and authorization topics, can be stopped. VOQUZ Labs provides its customers with a tool that centrally ensures compliance in SAP systems, continuously uncovers compliance gaps and, at the same time, lets everyone involved keep working in the systems undisturbed. The familiar Excel spreadsheet becomes superfluous and serves only as a presentation format for results. The real work and verification take place directly in SAP, in the setQ software, at one central location. This makes all work in the authorization area transparent across all systems and makes SAP compliance easier to establish and maintain. All data is monitored in the background, merged and made available for evaluation, without slowing down any employee or introducing time-consuming additional processes that inhibit productive operation.

Central authorization management should be the basis for all authorization and compliance tasks in SAP: a faithful guardian and a smart tool. It is precisely with such central management tools that the rising tide of controls, measures and new processes can be stopped. We go into more detail about this below.

Strategy 2: Reduce the Count of Key Controls

Organizations running SAP face countless risks every day. Audit teams often address these risks with a brute-force approach, simply creating a new control whenever a new risk is identified. Each new control is then, often inadvertently, classified as "key" without a true risk assessment, which contributes to the ever-increasing control count. By understanding the difference between key and non-key controls, internal audit teams can effectively combat rising control counts and "scope creep."

Non-key vs. Key:

Non-key control: A control is deemed non-key if the potential impact on the financial statements upon its failure is deemed immaterial and if that failure cannot cause the entire process to fail.

Key control: A key control addresses a risk of material misstatement or another high risk, and typically maps to both a control objective and a financial-statement assertion. These controls must operate effectively to provide reasonable assurance that material errors will be prevented or detected in a timely manner.

To keep things simple, the quickest method to differentiate between non-key vs. key control is to refer to the level of risk being addressed. Is the control mitigating a low or high risk?

As prescribed by the PCAOB's Auditing Standard No. 5 (AS5, since recodified as AS 2201), a risk-based audit approach requires companies and their auditors to focus on high-risk areas. As a best practice, audit teams should plan and perform a recurring risk assessment and exercise control rationalization at least once per year. The most important step is then to record the resulting risk level for each control in the SAP GRC solution in use. If this process is kept simple, the downstream impact at every audit is reduced, and the entire audit process becomes more efficient across the organization.

To summarize: an approach based on a specific SAP GRC application is critical to keeping each control accurate, up to date and adjustable.

Strategy 3: Staff Recertification for SAP

With many changes taking place across almost all business areas, affecting business processes and their inherent risks and controls, staff are often left behind when it comes to keeping their SAP certification and knowledge up to date for audit purposes.

Keeping track of who has attended which training, and whether they are qualified to operate particular functionality across the SAP landscape, is key to good governance and compliance.

The previous two strategic pillars also play a role here. Technology enables the process of managing and controlling recertification, and moving away from Excel workbooks to a system with active versioning saves companies time and money.

3 Optimize the Administration of SAP Authorizations Using Central Working Tools

It is time to explain the main functions that a central SAP authorization management urgently needs. Because the field of SAP authorization management is very broad, each important area should have its own workspace, so that no important point is lost from view.

But here are a few examples of how centrally controlled authorization management can help in the SAP compliance check or in everyday authorization confusion.

Where are the biggest pain points when you look at the whole of SAP governance, risk management and compliance, SAP GRC for short?

SAP security, the SAP role set and SoD conflicts are the cost drivers, and this is precisely where centralized management must come in. Take all the work around the SAP authorization concept: it must be set up once according to verifiable SAP compliance guidelines and then implemented under the same guidelines.

Reality shows that, across industries, many activities in SAP are very similar. A base of reusable role segments would be a great relief in daily work and would also make SAP compliance easier to establish and maintain.

If you can provide such standard roles, adapted to the respective company, you not only simplify daily work but can always draw on segments that have already been checked for compliance. New authorization concepts can also be created much more quickly.

Once the concept has been created or revised, it must be distributed in line with SAP compliance and SAP security requirements.

This is the next area of SAP authorization management that must take over clearly separated, important functions.

For example, updates or the exchange of active roles should be done in such a way that the daily workflow in the company remains unaffected. Any conflicts that arise must therefore be monitored centrally by the SAP authorization management. Work must not be impeded, and only when there is definitive certainty that the new or updated role can be used without errors should the exchange take place, silently. This is the only way that daily SAP use and SAP compliance in authorization management really work well together.

The same applies later in the cycle, whenever the concept is updated or changed: the changes are made centrally, checked, and then distributed or exchanged without conflict.

In this way the necessary SAP compliance and SAP security activities are reduced and staff resources are saved, while compliance is increased at the same time.

SAP GRC in particular gains transparency from central control, transparency that will stand up to any SAP security audit. SAP compliance conflicts should be detected immediately and flagged as uncertainties or compliance violations. Such conflicts are not always preventable; in those cases the conflict must be described and, where necessary, the exception documented and stored transparently. This again is an area of authorization management that should be clearly defined and kept separate.

Another area with high personnel costs and great danger for SAP GRC is the whole set of request and approval processes for authorizations, which often consume huge resources and open up SAP compliance holes.

Here, a central SAP authorization management can and should simplify the processes so that the "dual control principle" is not violated, the complete request and approval takes place in the business department, and the distribution processes run fully automatically and in line with SAP compliance in the background.

This makes central authorization management across all SAP systems an indispensable SAP GRC tool that covers the entire SAP GRC area centrally and transparently.

4 Solutions for Transparent SAP User Administration

The managers that administer your SAP users' compliance, including SOD/SOX

Here, some of the most important and necessary functions are presented in detail, as examples of how the individual managers should ensure SAP compliance and SAP security in practice while minimizing effort.

Identity Management

Identity Management automates and simplifies the recording, control and administration of users and of the associated access rights and approval processes. With Identity Management you administer and document all SAP system accounts and authorizations of your users centrally. It should be a central working tool rather than something that lives separately in each SAP system.

Emergency Management

Emergency Management stands for SAP security. Comprehensive security can only be achieved if it is also guaranteed in emergency and exceptional situations, and Emergency Management ensures that you remain in control even then.

Example: In every company there are exceptional situations in which employees have to perform activities that are not part of their daily duties. Critical combinations easily arise here and become an SAP security risk. With this manager it is possible to counteract these dangers concretely: use of a critical combination can result in the immediate loss of the exception, all activities are logged unalterably, and the time limit enables an automatic return to regular operation.
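The following is an added illustration, not part of this page and not setQ code: a minimal Python model of such an emergency session. The user, transaction codes, the two critical pairs and the timestamps are constructed for the example. It shows the three properties just described: a hard time limit after which the exception is gone, immediate revocation when the session reaches a critical combination, and an append-only log whose entries are hash-chained so that editing or deleting one is detectable.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib
import json

# Constructed critical transaction pairs (hypothetical; a real rule set comes from
# the company's SoD matrix). Using both sides of a pair in one emergency session
# revokes the exception immediately.
CRITICAL_COMBINATIONS = {
    frozenset({"FK01", "F110"}),  # create vendor master + run payment program
    frozenset({"XK02", "FB60"}),  # change vendor bank data + post vendor invoice
}
GENESIS = "0" * 64  # previous-hash value for the first log entry


@dataclass
class EmergencySession:
    """Temporary elevated access for one user with a hard expiry and an append-only log."""
    user: str
    reason: str
    granted_at: datetime
    duration: timedelta
    revoked: bool = False
    used: set = field(default_factory=set)   # transactions executed so far
    log: list = field(default_factory=list)  # hash-chained entries

    def expires_at(self) -> datetime:
        return self.granted_at + self.duration

    def active(self, now: datetime) -> bool:
        return not self.revoked and now < self.expires_at()

    def _append(self, now: datetime, event: dict) -> None:
        """Append an entry whose hash covers its content and the previous entry's hash."""
        prev = self.log[-1]["hash"] if self.log else GENESIS
        entry = {"ts": now.isoformat(), "user": self.user, "event": event, "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.log.append(entry)

    def execute(self, tcode: str, now: datetime) -> bool:
        """Attempt a transaction under the exception; returns True if it was allowed."""
        if not self.active(now):
            self._append(now, {"tcode": tcode, "result": "denied", "why": "expired_or_revoked"})
            return False
        conflict = next((c for c in CRITICAL_COMBINATIONS
                         if tcode in c and (c - {tcode}) <= self.used), None)
        if conflict is not None:
            # Critical combination: the exception is lost at once, and the attempt is recorded.
            self.revoked = True
            self._append(now, {"tcode": tcode, "result": "denied", "why": "critical_combination",
                               "with": sorted(conflict - {tcode})})
            return False
        self.used.add(tcode)
        self._append(now, {"tcode": tcode, "result": "executed"})
        return True


def verify_log(log: list) -> bool:
    """Recompute the chain; an edited, reordered or removed entry makes this return False."""
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev:
            return False
        body = {k: v for k, v in entry.items() if k != "hash"}
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def demo():
    """Constructed month-end scenario: vendor creation, then a payment run in the same session."""
    t0 = datetime(2021, 6, 1, 9, 0, tzinfo=timezone.utc)
    s = EmergencySession("jdoe", "payment run blocked at month end", t0, timedelta(hours=2))
    results = (
        s.execute("FK01", t0 + timedelta(minutes=5)),   # allowed
        s.execute("F110", t0 + timedelta(minutes=10)),  # critical with FK01: denied, exception revoked
        s.execute("FB03", t0 + timedelta(minutes=11)),  # denied, session already revoked
    )
    return s, results


def expiry_demo():
    """Constructed: a one-hour exception; the second call is at the expiry time and is denied."""
    t0 = datetime(2021, 6, 1, 9, 0, tzinfo=timezone.utc)
    s = EmergencySession("auditor1", "read-only check", t0, timedelta(hours=1))
    return s.execute("FB03", t0 + timedelta(minutes=30)), s.execute("FB03", t0 + timedelta(hours=1))


if __name__ == "__main__":
    session, outcome = demo()
    print(outcome, "revoked:", session.revoked, "log intact:", verify_log(session.log))
```

The denied attempts are logged as well as the executed ones, because for an audit the attempt to reach a critical combination is exactly the event worth reviewing. A hash chain on its own only proves that the log was not edited after the fact; in production the chain head would also be written somewhere the emergency user cannot reach (a separate log system or a signed checkpoint), otherwise a user with enough rights could simply rewrite the whole chain.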

Compliance Management

Compliance Management should support you in closing compliance gaps in your SAP system and mitigating compliance risks. It should analyze the SAP GRC authorization concept for weaknesses, risks and violations of laws and law-like regulations.

Example: Compliance Management should visualize where compliance violations exist and how many there are. Suppose a person has to be given temporary authorizations that conflict with the authorizations of their daily work; a compliance gap now exists. The Compliance Manager can be used to check who is responsible for the exception and to view the associated documents, and if the exception does not meet the company-specific conditions, countermeasures can be initiated to rectify the situation.

Compliance Reference Management

Compliance Reference Management is an extension of Compliance Management that adds audit queries. These templates are integrated once into your SAP system landscape and can later be extended to meet your country-, industry- and organization-specific audit queries.

Example: Your company has defined audit processes that must be followed. With Reference Management, the important, recurring audit queries that correspond to internal company processes are available at any time: they are predefined but can also be adapted whenever needed.

These audit queries should be managed centrally, so that you have a functioning SAP audit management in the shortest possible time.

Mitigation Management

With Mitigation Management, unavoidable audit conflicts can be mitigated. Mitigation Management should automatically create compensating controls, based on previously defined rules, whenever audit conflicts arise.

Example: Again, take the case where it is occasionally necessary to deviate from SAP compliance and SAP security in order to keep certain company processes running. This is sometimes unavoidable, and especially in larger companies such activities quickly get lost in the general flow of operations, where the resulting gaps can be exploited unnoticed. This is where Mitigation Management should take action and, where necessary, inform the previously defined responsible persons that such an SAP compliance violation has just occurred. Responsible persons can also be reminded periodically to fulfil their control obligation, which counteracts SoD conflicts.

Recertification Management

Recertification Management should be a central cockpit through which recurring decisions are monitored, analyzed and managed across systems. The validity of users, roles or assignments can be managed easily and centrally. Access should work via SAP GUI, web or mobile devices. The business department should be able to validate previously assigned authorizations for roles and jobs. All follow-ups should be clearly displayed in a cockpit for processing, and freely definable escalation procedures should ensure that decisions are processed correctly. Finally, it should keep a permanent eye on the validity of special users such as consultants or auditors.

Authorization process as web application

A request for authorizations in SAP rests on at least two pillars. First, the functional requirements that enable the employee to work in SAP. Second, these requirements must be translated into roles and authorizations so that SAP compliance and SAP security are not violated. The first part is handled by the business department, while the second part is in the hands of system administrators, who often know little about the business requirements.

With a Web Manager, transparency can be introduced into the entire request and approval process, the request processes are accelerated, and the workload shrinks considerably.

Example: Approvers have been defined in the Web Manager. Each approver's authority is limited so that they can only approve what falls within their area of responsibility (for example, a ward physician who may only assign authorizations to staff of their own ward). The rest works automatically. In the Web Manager, the approver can see which authorizations the person currently has, and SAP compliance violations are displayed immediately if a requested assignment would create an unauthorized combination. Procedures for such violations can be stored and documented, or such combinations can be excluded entirely. System administration is involved once, in the initial definition; after that, regular operation runs without their intervention, and only the role of "trouble shooter" remains to maintain SAP security within SAP GRC.
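To make the three mechanisms above concrete, the Compliance Management view of open versus documented violations, the Mitigation Management requirement that an exception has an owner and an expiry, and the Web Manager's scoped approval that simulates a request before it is granted, here is an added Python example. It is not setQ code and not from this page; the rule set, roles, users, approver scopes and the documented exception are constructed sample data, and the function and field names (`SOD_RULES`, `valid_mitigation`, `approve_request`, `valid_until`) are this example's own. A real implementation would read roles and assignments from the SAP systems rather than from the dictionaries below.

```python
from datetime import date

# Constructed SoD rule set (hypothetical): each rule names two sides of a duty that one
# person must not be able to perform both of. A real rule set comes from the company's
# SoD matrix and is owned by the compliance function, not by the developer.
SOD_RULES = {
    "VENDOR_PAYMENT": ({"FK01", "XK02"}, {"F110"}),  # maintain vendor master vs. run payment program
    "PO_GOODS_RECEIPT": ({"ME21N"}, {"MIGO"}),      # create purchase order vs. post goods receipt
}
# Constructed roles -> transaction codes (in SAP this would come from the role menus).
ROLES = {
    "Z_AP_CLERK": {"FB60", "FK01"},
    "Z_AP_PAYMENT": {"F110"},
    "Z_PURCHASER": {"ME21N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_DISPLAY": {"FB03"},
}
# Constructed users, approver scopes (org units they may approve for) and documented exceptions.
ASSIGNMENTS = {
    "clerk_a": ["Z_AP_CLERK", "Z_AP_PAYMENT"],  # holds both sides of VENDOR_PAYMENT
    "buyer_b": ["Z_PURCHASER"],
    "nurse_c": ["Z_DISPLAY"],
}
APPROVERS = {"ap_manager": {"FINANCE"}, "ward_chief": {"WARD_3"}}
MITIGATIONS = [
    {"user": "clerk_a", "rule": "VENDOR_PAYMENT", "owner": "ap_manager",
     "control": "monthly review of payment log against vendor master changes",
     "valid_until": date(2021, 12, 31)},
]

def effective_tcodes(roles):
    """All transactions a user can reach through the given roles."""
    return set().union(*(ROLES[r] for r in roles))

def sod_violations(roles):
    """Return {rule_id: (tcodes on side A, tcodes on side B)} for every rule the roles violate."""
    have = effective_tcodes(roles)
    found = {}
    for rule_id, (side_a, side_b) in SOD_RULES.items():
        a, b = have & side_a, have & side_b
        if a and b:
            found[rule_id] = (sorted(a), sorted(b))
    return found

def valid_mitigation(mitigations, user, rule_id, today):
    """A documented exception counts only if it names an owner and has not expired."""
    return next((m for m in mitigations
                 if m["user"] == user and m["rule"] == rule_id
                 and m.get("owner") and m["valid_until"] >= today), None)

def compliance_report(assignments, mitigations, today):
    """Per user: violations split into 'mitigated' (valid, owned control) and 'open'."""
    report = {}
    for user, roles in assignments.items():
        mitigated, open_ = {}, {}
        for rule_id, detail in sod_violations(roles).items():
            m = valid_mitigation(mitigations, user, rule_id, today)
            (mitigated if m else open_)[rule_id] = m or detail
        report[user] = {"mitigated": mitigated, "open": open_}
    return report

def approve_request(approver, requester, requester_org, current_roles, requested_role,
                    mitigations, today):
    """Scoped approval: the approver may act only for their own org unit, and the request is
    simulated against the SoD rules before it is granted. Returns (granted, reason, new_violations)."""
    if requester_org not in APPROVERS.get(approver, set()):
        return False, "approver_out_of_scope", {}
    if requested_role not in ROLES:
        return False, "unknown_role", {}
    before = sod_violations(current_roles)
    after = sod_violations(set(current_roles) | {requested_role})
    new_viols = {k: v for k, v in after.items() if k not in before}
    if not new_viols:
        return True, "ok", {}
    if all(valid_mitigation(mitigations, requester, r, today) for r in new_viols):
        return True, "ok_with_documented_exception", new_viols
    return False, "sod_violation_unmitigated", new_viols

def demo(today=date(2021, 7, 1)):
    """Constructed run: the report, plus buyer_b asking for the warehouse role
    (which would combine PO creation with goods receipt and has no documented exception)."""
    report = compliance_report(ASSIGNMENTS, MITIGATIONS, today)
    decision = approve_request("ap_manager", "buyer_b", "FINANCE", ASSIGNMENTS["buyer_b"],
                               "Z_WAREHOUSE", MITIGATIONS, today)
    return report, decision

def expired_demo():
    """Same data on a date after clerk_a's documented exception has expired."""
    return compliance_report(ASSIGNMENTS, MITIGATIONS, date(2022, 1, 1))
```

Two design points matter more than the rule format. First, the approval step checks the combination the requester would have after the grant, not the requested role in isolation; a role that is harmless on its own becomes a violation in combination with what the person already holds. Second, an exception without an owner or past its `valid_until` is treated as open, so the compliance report and the approval step both fail closed when a mitigation lapses, which is the behaviour the Mitigation Management reminders described above exist to prevent.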

5 Summary

SAP GRC, SAP compliance, SAP security and, ultimately, transparency about SoD conflicts are important, but they cost a lot of time, are complicated to track and, when performed manually, deliver the desired results less and less often. That is the reason setQ exists: its various managers greatly simplify day-to-day business, automate the points described above, and thereby ensure compliance and security in SAP.