CASE STUDIES
Periodic user access review (SAP ERP)
SAP authorisation periodic review and decision implementation in practice. A case study of smartGRC implementation in a retail company.
Introduction
Conducting periodic authorisation reviews of IT systems is becoming an increasingly common control mechanism in environments where large ERP systems underpin operations. This is often driven by a desire to implement good practice, or results from a recommendation following a completed audit of financial statements. Securing business processes through well-built and well-assigned user permissions is an important preventive control that reduces the risk of redundant access, and it reinforces the company’s internal control system. It is worth asking why, in practice, still so few companies implement this control effectively and base their management of redundant-privilege risk on it. The purpose of this case study is to detail the practical experience gained after implementing the tool and such a process in a global US-European retail organisation.
Challenge
Following the financial auditor’s recommendation that a periodic authorisation review should be implemented, the company’s management appointed the IT Director as responsible for supporting the authorisation review process from the tooling side, since it was clear from the outset that the scale of business operations did not allow the process to be carried out manually, without system support. The Audit Director also decided to contribute from his perspective and prepared a list of key assumptions and risks in this area to guide the further design and implementation of the authorisation review process. The company’s management had no detailed concept for implementing this project, and there were no procedures or policies in place to define how such a process should be run. It was clear from the outset that there was no point in reinventing the wheel, so the company searched the market for off-the-shelf practices and a technical solution to address the following challenges:
- Distributed data: Authorisation information was stored in two ERP systems with a total of more than 1,000 users
- International reach: Users worked in the ERP system in more than a dozen countries across Europe and beyond and used English for daily communication
- Numerous participants: Approximately 100 business verifiers were involved in the authorisation review process
- Time pressure/limited time for implementation: The company had only 3 weeks to carry out the entire authorisation review process and approximately 7 weeks to prepare and launch the entire process
- Unclear user role descriptions: Roles were described in technical language, without dedicated business descriptions, which made them incomprehensible to verifiers without technical knowledge
- Large number of SoD risks: A total of 1518 risks of redundant rights (SoD – segregation of duties) were identified in dialog user authorisations
To summarise these challenges from a time perspective, a solution was needed that would support the organisation both technically and organisationally, with the whole thing up and running in less than three months. In addition, as if this list of challenges were too short and the task too easy, the Audit Director identified the following risks and requirements that had to be met in the very first review of ERP user authorisations:
- Completeness: All high-level redundant-privilege risks, as well as critical and sensitive user access from a business perspective (master data, bank accounts, payments, etc.) and from an IT perspective (technical access – editing tables, running programs, etc.), must be included in the process
- Accuracy: Any active dialog user (may be locked due to a wrong password, but must be valid) who has at least 1 medium or high risk must be on the statement, together with all of their authorisations that generate risks. The SAP ECC ERP and SAP HR systems are to be considered first; in subsequent years, also domain systems, a dedicated sales system, a purchasing portal, etc.
- Transparency: At the end of the review, the administrator must be able to prepare a statement in which the list of users and risks can be proven to be complete, so that he or she can be certain that the above-mentioned requirements have been met
- Timeliness: The progress (e.g. percentage) of the review is visible during the review. Verifiers who do not take action receive notifications – an important aspect is the timeliness of the completion of the review. The review administrator, once the deadline has passed, is to complete and report all business authorisations that have not been accepted for revocation
- Usability: The business user – verifier has an overview of the description and level of the risk, can see if transactions related to the risk have been used or are only available in the authorisations. The review must be easy to perform, one verifier must not spend more than 3-4h on analysing the privileges of his users. Information on user triggered transactions with their business description is to be available on request to the verifier. In subsequent reviews, information is to be included on decisions made in the previous review
- Follow-up for business decisions: The IT team has approximately 1 month after the review to implement the decision, the implementation of the decision (risk reduction) is a more important process than the verifiers’ decision itself – the status of the progress of the implementation of the business decisions must be monitored
- Review management: During the course of the review, it may happen that the original verifier is out of the office or on leave – in such a situation, the Review Administrator should be able to change the person performing the review while it is in progress, e.g. by defining a delegation or delegating to another person from the organisation
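The accuracy, completeness, transparency, timeliness and review-management requirements above describe checkable properties of the review statement. The following is an added example, not code from the case study or from smartGRC, showing how a review administrator could implement them against an authorisation extract: a small SoD and critical-access analyser that builds the statement (valid dialog users with at least one medium or high risk, listing every risky authorisation), recomputes the expected population independently to prove the statement complete, reports progress and reassigns an absent verifier's users. The SoD rules, critical transactions, risk levels, user records and usage data are all constructed sample data and are not the company's actual rule set.

```python
"""Added example (not smartGRC's code): a minimal SoD / critical-access analyser
that builds the review statement described in the requirements and proves it complete.
All users, transaction codes, SoD rules and risk levels below are constructed samples."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed SoD rule set: a user holding a transaction from BOTH sides carries the risk.
SOD_RULES = [
    ("Create vendor + pay vendor", "HIGH", {"XK01"}, {"F-53", "F110"}),
    ("Maintain bank master + pay", "HIGH", {"FI01"}, {"F-53", "F110"}),
    ("Create PO + release PO", "MEDIUM", {"ME21N"}, {"ME29N"}),
]
# Constructed critical single accesses (IT perspective: editing tables, running programs).
CRITICAL = {"SE16N": ("Direct table maintenance", "HIGH"),
            "SE38": ("Execute ABAP programs", "HIGH"),
            "SU01": ("User maintenance", "MEDIUM")}


@dataclass
class User:
    uid: str
    user_type: str        # "DIALOG", "SYSTEM", ...
    valid: bool           # inside validity dates
    locked: bool          # wrong-password lock: still in scope per the accuracy rule
    tcodes: Set[str]      # transactions available through assigned roles
    used: Set[str]        # transactions actually executed (from usage statistics)
    verifier: str         # business verifier responsible for this user


@dataclass
class Finding:
    risk: str
    level: str
    tcodes: Tuple[str, ...]
    used: bool            # were the risky transactions actually executed, or only available?


def in_scope(u: User) -> bool:
    """Accuracy rule: any valid dialog user, even one locked by a wrong password."""
    return u.user_type == "DIALOG" and u.valid


def find_risks(u: User) -> List[Finding]:
    """Evaluate SoD conflicts and critical single accesses for one user."""
    found: List[Finding] = []
    for name, level, side_a, side_b in SOD_RULES:
        a, b = u.tcodes & side_a, u.tcodes & side_b
        if a and b:
            found.append(Finding(name, level, tuple(sorted(a | b)), bool(u.used & (a | b))))
    for tcode, (name, level) in CRITICAL.items():
        if tcode in u.tcodes:
            found.append(Finding(name, level, (tcode,), tcode in u.used))
    return found


def build_statement(users: List[User]) -> Dict[str, List[Finding]]:
    """Review statement: in-scope users with at least one MEDIUM or HIGH finding,
    listing every finding that generates a risk, not only the worst one."""
    statement: Dict[str, List[Finding]] = {}
    for u in users:
        if not in_scope(u):
            continue
        findings = [f for f in find_risks(u) if LEVELS[f.level] >= LEVELS["MEDIUM"]]
        if findings:
            statement[u.uid] = findings
    return statement


def completeness_check(users: List[User], statement: Dict[str, List[Finding]]):
    """Transparency rule: recompute who must appear and reconcile with the statement.
    Returns (ok, users missing from the statement, users that should not be on it)."""
    expected = {u.uid for u in users if in_scope(u)
                and any(LEVELS[f.level] >= LEVELS["MEDIUM"] for f in find_risks(u))}
    missing, extra = expected - set(statement), set(statement) - expected
    return (not missing and not extra, sorted(missing), sorted(extra))


def progress(statement: Dict[str, List[Finding]], decisions: Dict[str, str]) -> float:
    """Timeliness rule: percentage of statement users with a recorded KEEP/REVOKE decision
    (simplified to one decision per user; a real tool records one per finding)."""
    done = sum(1 for uid in statement if decisions.get(uid) in ("KEEP", "REVOKE"))
    return round(100.0 * done / len(statement), 1) if statement else 100.0


def delegate(users: List[User], absent: str, substitute: str) -> int:
    """Review-management rule: reassign every user of an absent verifier; returns the count."""
    moved = [u for u in users if u.verifier == absent]
    for u in moved:
        u.verifier = substitute
    return len(moved)


# Constructed sample extract (hypothetical user IDs and verifiers).
SAMPLE_USERS = [
    User("JSMITH", "DIALOG", True, False, {"XK01", "F110", "ME21N"}, {"XK01"}, "cfo.eu"),
    User("AKOWALSKI", "DIALOG", True, True, {"SE16N", "FB60"}, set(), "it.lead"),    # locked, in scope
    User("BATCHJOB", "SYSTEM", True, False, {"F110", "XK01"}, {"F110"}, "it.lead"),   # system user, out
    User("MMUELLER", "DIALOG", False, False, {"XK01", "F-53"}, set(), "cfo.eu"),      # expired, out
    User("PNOVAK", "DIALOG", True, False, {"ME21N", "FB60"}, {"ME21N"}, "purch.lead"),  # no conflict
]

if __name__ == "__main__":
    stmt = build_statement(SAMPLE_USERS)
    for uid, findings in stmt.items():
        for f in findings:
            print(uid, f.level, f.risk, f.tcodes, "used" if f.used else "available only")
    print("complete:", completeness_check(SAMPLE_USERS, stmt))
```

Two design points matter for the audit: the completeness check must not reuse the statement it is checking, so it recomputes the expected population from the raw extract and reconciles the two sets, and a locked-but-valid dialog user (AKOWALSKI above) stays in scope, while the system user and the expired user do not. The `used` flag is what lets a verifier distinguish a risk that was actually exercised from one that is merely available.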