What is segregation of duties and why is it important?
If you’ve recently implemented an SAP ERP platform, congratulations! It means your company is growing and you now have a fantastic ERP tool at your disposal. Your approach to how you manage access to this platform, however, is vital. It can mean the difference between a secure, well-run organization and an enterprise that suffers fraud and material misstatements of its financials.
Many new SAP ERP administrators start out granting broad access to users in order to ensure the system can be fully utilized. But there is great risk involved in easy, broad access – the risk of fraud, accounting errors, and general mismanagement; all of which can cost millions of dollars. And when auditors come knocking, they want to see a strong balance between access and control. Auditors like to say, “trust is good, but control is cheaper.”
An important control to implement in your SAP environment is segregation of duties (SOD). SOD ensures that key processes are performed by different people to prevent fraud and financial misstatements. For example, if an employee is responsible for both creating and paying vendors, it would be easy to create fake vendors and route the payments to her own bank account. Separating these two tasks and assigning them to different people creates a natural barrier to fraud.
Establishing rules that identify SOD violations can be a complex and time-consuming process but is essential for assessing access risk and properly segregating functions. In SAP ERP environments the SOD ruleset (a.k.a. SOD matrix) must handle authorization objects and not merely look at transaction codes available to a user. Otherwise false positives will occur and make the reporting questionable.
False positives occur when a report shows SOD violations that are not really violations. For example, perhaps a user has access to two or more transaction codes that together would constitute a violation, but because the user only has the authorization objects with field values for display access for those transaction codes, the reported conflict is an error.
Often auditors have unique requirements based on a company’s unique operations, market factors, or regulations, and the ruleset must accommodate these auditor specific requirements. SOD-relevant custom transactions as well as SAP standard transactions must be accounted for by the ruleset. These complexities mean that when done manually, identifying, updating, and enforcing SOD rules can be expensive in both staff time and service fees.
Fortunately, there are tools that can eliminate much of this work. Security Weaver’s Separations Enforcer is particularly effective in helping to manage access risk in SAP. It enables rapid analysis of users across the entire SAP landscapes for both SOD conflicts and sensitive access risks, offers a function -based SOD matrix that is easily customizable and can automatically report on SOD-relevant custom transactions even if those transactions are not explicitly included in the ruleset, and provides reports that are fast, readable, comprehensive, and avoid false positives.
Security Weaver’s internationally proven and well-documented rules matrix makes it easy for organizations to rapidly implement a complete solution. Rules are easily maintained and updated and can handle complex logic at both the transaction and authorization level, and the solution can manage a wide variety of concurrent rule sets, making it adaptable for any organization structure.
Veteran managers of SAP ERP environments know they need a way to reduce access risks without causing productivity issues. Separations Enforcer is the solution to that challenge. For more information on this and other access management solutions, visit www.securityweaver.com or request a free demo here. Don’t leave the security of your new SAP ERP environment open to unnecessary and unacceptable risk. Put SOD safeguards in place today to keep your data secure, your reporting correct, your assets safe, and your auditors happy.