Ok, so here’s the deal:
1. We’ve got a “clean slate.” Our roles are “SoD free” or compensating controls (manual or automated) have been implemented for unavoidable risks.
2. Documented policies and procedures have been put in place for user administration and role remediation activities.
3. Roles are being managed based on functional business processes.
What we need now is to start thinking ahead of the curve. Channel Steve Jobs, Al Gore, Martin Luther King. Forward motion, my friends. We are all in need of a scalable system that can handle growth and will aid the organization in compliance efforts long-term. Stage 1 and Stage 2 will get you through your audit, but they won’t help you survive the next one or the one after that. As for scalability, no one ever implemented a software solution such as SAP without the intention or will to grow (last time I checked, money doesn’t grow on trees and ERP costs a pretty penny).
Stage 3 provides the organization with the tools and strategies to aid in securing vital business data and upholding system stability and compliance long-term.
For organizations that do not deploy GRC, it is essential to have a central repository to manage approvals and changes that have been executed in the SAP landscape. A repository can be used as an in-house audit tool to track change logs or actions that have been taken against mitigating controls. However, risk-monitoring methods are only valuable if companies have been able to appropriately assess not only risk priority levels but also the effectiveness of controls that are in place.
Another growing concern for savvy organizations is the need for information in real time. Many companies have employed detective controls, which do not allow for a proactive approach to SAP security risks. Detective controls are valuable with regard to reporting and analytics, but with the onset of competition in the environment via cloud and mobility comes an increased need for preventive measures and risk-monitoring efforts.
Through the use of GRC access controls, organizations can preemptively identify risk events by integrating mandatory SoD analysis into the automated workflow process. The same functionality also applies to business role management, when modifying an existing role or creating a new role that may carry inherent violations. Emergency Access Management securely provisions “firefighter” capabilities to users via an automated workflow, complete with audit trails. Furthermore, user access review functionality dictates the periodic review of user security and puts the responsibility for user access back into the hands of the business. All of the above allow for easier collaboration between business and IT and make all parties key stakeholders within the process.
The most critical aspect of surviving SAP Security Audits is the following: Take ownership of your SAP Security Landscape. No one should be losing sleep over an SAP security audit, but a lack of transparency can lead to uncertainties surrounding the business. The greatest concern, understandably, is a need for increased visibility into the cumulative nature of a user’s access in business terms. All big businesses have unavoidable risks; the key is being able to demonstrate knowledge in this realm and articulate the action plan which minimizes the reintroduction of risk exposure.
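To make the preemptive SoD check described above concrete, here is an added example (not code from this post or from any SAP or GRC product): a small Python routine that evaluates a proposed role assignment against a user’s cumulative access and a mitigating-control register, and checks a role on its own for inherent conflicts. The rule ids, role names, action names, user ids and control ids are all constructed for illustration.

```python
# Added example: preemptive SoD analysis for a role request workflow.
# Every rule, role, user and control id below is constructed, not real SAP data.

# SoD rule set: pairs of actions that one person should not hold together.
SOD_RULES = {
    "P01": ("CREATE_VENDOR", "POST_VENDOR_PAYMENT"),
    "P02": ("MAINTAIN_USER", "ASSIGN_ROLE"),
}

# Role content: which actions each role grants (stand-in for SAP role design).
ROLE_ACTIONS = {
    "Z_AP_CLERK": {"CREATE_VENDOR", "MAINTAIN_VENDOR"},
    "Z_AP_PAYMENTS": {"POST_VENDOR_PAYMENT"},
    "Z_BASIS_USER_ADMIN": {"MAINTAIN_USER", "ASSIGN_ROLE"},
}

# Current assignments and the register of approved mitigating controls.
USER_ROLES = {"jdoe": {"Z_AP_CLERK"}, "basis1": {"Z_BASIS_USER_ADMIN"}}
MITIGATIONS = {("basis1", "P02"): "MC-017"}  # (user, rule) -> control id


def cumulative_actions(roles):
    """Union of actions across all roles: the user's access in business terms."""
    return set().union(*(ROLE_ACTIONS.get(r, set()) for r in roles))


def sod_violations(actions):
    """Rule ids whose two conflicting actions are both present."""
    return sorted(rid for rid, (a, b) in SOD_RULES.items()
                  if a in actions and b in actions)


def role_inherent_violations(role):
    """Conflicts a single role carries on its own (role remediation check)."""
    return sod_violations(ROLE_ACTIONS.get(role, set()))


def evaluate_request(user, new_role):
    """Decide a request to add new_role to user before it is provisioned.

    Returns (decision, unmitigated, mitigated): BLOCK if any conflict in the
    user's resulting cumulative access lacks a registered mitigating control.
    """
    proposed = USER_ROLES.get(user, set()) | {new_role}
    hits = sod_violations(cumulative_actions(proposed))
    mitigated = [r for r in hits if (user, r) in MITIGATIONS]
    unmitigated = [r for r in hits if (user, r) not in MITIGATIONS]
    return ("BLOCK" if unmitigated else "APPROVE"), unmitigated, mitigated


if __name__ == "__main__":
    print(evaluate_request("jdoe", "Z_AP_PAYMENTS"))   # cross-role conflict, blocked
    print(evaluate_request("basis1", "Z_AP_CLERK"))    # conflict covered by MC-017
    print(role_inherent_violations("Z_BASIS_USER_ADMIN"))
```

The cross-role case is the one a single-role review misses: neither Z_AP_CLERK nor Z_AP_PAYMENTS violates P01 alone, only the user holding both does.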
The above information is not comprehensive, but rather a brief overview of the general approach to surviving an SAP Audit. For questions, comments or knowledge on how we can make this a reality for your organization, please reach out to me directly… firstname.lastname@example.org
Living the dream,