
SAP GRC Access Controls

Constant Change Pressures GRC and Business Operations

Today's organizations are constantly changing. Gone are the days of a static environment that slowly evolves. The digital economy demands rapid business transformation just to keep up, let alone get ahead. This transformation includes employee turnover, new business models, business expansion and increasing regulation in areas such as data protection and privacy. Constant change increases the pressure on organizations to keep their SAP systems secure and compliant, because every joiner, mover, leaver and reorganization changes who holds which access. Access and process controls must be managed in the context of this dynamic business environment. Organizations are wrestling with changing governance, risk and compliance (GRC) functions and nonstop pressure to establish consistent operations across their businesses while maintaining the agility they need to adapt and grow.

Manual Processes Are Still Used to Manage Control and Access in the SAP Environment

Despite these dynamic and fast-moving challenges, many businesses still use manual processes and documents to manage control of their SAP environment. The pervasive use of email, spreadsheets and documents is inefficient and ineffective, and it reduces an organization's flexibility. Considerable time and money are spent running reports, compiling information and integrating that information into documents and spreadsheets that are sent out via email for review.

This approach is not only slow and costly, it also lacks a structure of accountability: there is no clear workflow and no audit trail, so things fall through the cracks. It is made worse by the complex, interrelated web of different SAP instances across the business, and it exposes the organization to risk and non-compliance. Issues with Segregation of Duties (SoD), inherited rights (for example, access granted indirectly through composite roles), process controls, configuration, critical and super-user access, transaction controls and changes to roles and access cannot be managed effectively with a manual approach. Organizations need to automate their GRC functions and embed risk analysis and mitigation into access and process management to avoid risk, reduce cost and cut the time required to maintain compliance.

Access Control is at the Heart of GRC Automation

While there are many areas within the SAP GRC environment that benefit from automation, such as process control, security configuration and basis controls, access control is where the need is historically greatest, especially with today’s fast changing regulatory and audit pressures.  A recent Gartner paper points out six key access control factors, with the focus on SoD, when considering automation tools.  SoD risk analysis, compliant user provisioning, emergency access management, access certification, role management and transaction monitoring all work together to ensure organizations have the controls needed to increase the reliability of transactions, improve auditor trust and increase the effectiveness of anti-fraud controls.

Automating access control functions is challenging because of the complexity involved and the need for an integrated, harmonized end-to-end approach. SoD risk analysis applies a predefined rule set (pairs of business functions that one person must not be able to perform together, each mapped to the transactions that implement them) to users and the roles assigned to them in the SAP environment. Once risks have been clearly identified, access privileges must be provisioned carefully for new users, with the same rules run against the requested access before it is granted, to avoid reintroducing those risks. When emergencies occur, and they do, users must be allowed temporary access to take on tasks outside their normal job functions; that access must be time-limited and fully logged so that it can be reviewed afterwards. Roles must be reviewed periodically for unauthorized modifications or "access creep," and an access certification workflow is necessary to ensure users hold only the privileges required to do their jobs. Continuous monitoring is necessary to detect privilege conflicts and prevent unauthorized transactions. All these functions must be tied together seamlessly for SAP GRC access control automation to be valuable to the organization. Automation tools must be user friendly and generate reports that can be understood and used by non-technical users.
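To make the SoD risk analysis and compliant provisioning steps above concrete, here is an added, stand-alone example in Python. It is not code from the original post and not part of ControlPanelGRC or any SAP product. The rule set, the function-to-transaction mappings, the roles and the users are all constructed for illustration (the transaction codes are standard SAP FI/MM codes, but the rules and risk ratings are assumptions, not a vendor rule set). The example flattens composite roles so inherited rights are analyzed, reports each violation with the transactions and roles that cause it, and runs the same rules against a pending access request so that a new assignment is rejected before it reintroduces a known risk.

```python
"""SoD risk analysis with a preventive pre-provisioning check (added example)."""
from dataclasses import dataclass

# Business functions mapped to the SAP transaction codes that implement them.
# Constructed for illustration; a real rule set is far larger and also covers
# authorization objects, not just transaction codes.
FUNCTIONS = {
    "VENDOR_MASTER": {"XK01", "XK02", "FK01", "FK02"},
    "VENDOR_PAYMENT": {"F110", "F-53", "F-58"},
    "PURCHASE_ORDER": {"ME21N", "ME22N"},
    "GOODS_RECEIPT": {"MIGO", "MB01"},
    "INVOICE_VERIFY": {"MIRO", "FB60"},
}

# SoD rules: (rule id, function A, function B, risk rating). Assumed ratings.
SOD_RULES = [
    ("P001", "VENDOR_MASTER", "VENDOR_PAYMENT", "High"),
    ("P002", "PURCHASE_ORDER", "GOODS_RECEIPT", "High"),
    ("P003", "GOODS_RECEIPT", "INVOICE_VERIFY", "Medium"),
    ("P004", "INVOICE_VERIFY", "VENDOR_PAYMENT", "Medium"),
]

# Single roles grant transactions; composite roles bundle single roles.
SINGLE_ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO"},
    "Z_AP_PAYMENT": {"F110", "F-53"},
    "Z_VENDOR_MAINT": {"XK01", "XK02"},
    "Z_BUYER": {"ME21N", "ME22N"},
    "Z_WAREHOUSE": {"MIGO"},
}
COMPOSITE_ROLES = {"Z_C_PROCUREMENT": ["Z_BUYER", "Z_WAREHOUSE"]}

# Constructed user-to-role assignments.
USER_ROLES = {
    "jdoe": ["Z_AP_CLERK", "Z_AP_PAYMENT"],
    "asmith": ["Z_C_PROCUREMENT"],
    "mlee": ["Z_VENDOR_MAINT"],
}


@dataclass(frozen=True)
class Violation:
    user: str
    rule_id: str
    risk: str
    func_a: str
    func_b: str
    evidence: tuple  # sorted (tcode, granting single role) pairs


def expand_roles(roles):
    """Flatten composite roles (recursively) into the single roles they contain."""
    single, seen, stack = [], set(), list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        if role in COMPOSITE_ROLES:
            stack.extend(COMPOSITE_ROLES[role])
        else:
            single.append(role)
    return sorted(single)


def tcode_sources(roles):
    """Map every transaction the user can run to the single roles granting it."""
    sources = {}
    for role in expand_roles(roles):
        for tcode in SINGLE_ROLES.get(role, ()):
            sources.setdefault(tcode, set()).add(role)
    return sources


def analyze(user, roles):
    """Apply every SoD rule to one user's effective access; return violations."""
    sources = tcode_sources(roles)
    held = set(sources)
    found = []
    for rule_id, func_a, func_b, risk in SOD_RULES:
        hits_a = FUNCTIONS[func_a] & held
        hits_b = FUNCTIONS[func_b] & held
        if hits_a and hits_b:  # user can perform both sides of the conflict
            evidence = tuple(sorted((t, r) for t in hits_a | hits_b for r in sources[t]))
            found.append(Violation(user, rule_id, risk, func_a, func_b, evidence))
    return found


def analyze_all(user_roles=USER_ROLES):
    """Detective control: full SoD run over every user."""
    return {user: analyze(user, roles) for user, roles in user_roles.items()}


def simulate_provisioning(user, requested_roles, user_roles=USER_ROLES):
    """Preventive control: violations a request would newly introduce.

    Rules the user already violates are reported by analyze_all() and are
    expected to carry a documented mitigating control; only new ones block
    the request.
    """
    current = user_roles.get(user, [])
    existing = {v.rule_id for v in analyze(user, current)}
    after = analyze(user, list(current) + list(requested_roles))
    return [v for v in after if v.rule_id not in existing]


if __name__ == "__main__":
    for user, violations in analyze_all().items():
        for v in violations:
            print(f"{v.user}: {v.rule_id} [{v.risk}] {v.func_a} vs {v.func_b} via {v.evidence}")
    blocked = simulate_provisioning("mlee", ["Z_AP_PAYMENT"])
    print("request for mlee blocked by:", [v.rule_id for v in blocked])
```

Running the file reports asmith's P002 conflict even though neither offending transaction is assigned directly (both arrive through the composite role), and the provisioning check refuses to give mlee payment authority on top of vendor master maintenance. In a real SAP system the analysis must also consider authorization objects and field values (a role can contain a transaction without the objects needed to execute it, and vice versa), which is one reason a dedicated tool rather than a spreadsheet is needed.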

The complexity and the requirement of an integrated, end-to-end approach, including analytics and reporting, leave many GRC tools lacking, as do difficult implementations and licensing challenges.  Many tools are not only difficult to deploy, but also lack user interfaces and reports that are easy to understand by non-technical users.  These factors often cause businesses to abandon their GRC automation efforts.

ControlPanelGRC – A Better Solution for SAP GRC Access Control

Symmetry's ControlPanelGRC meets these challenges with its Access Controls Suite, which includes an intuitive user interface and easy-to-read reports. The Access Controls Suite delivers the integrated approach necessary to identify and assess control failures, potential failures and SoD conflicts, and to prevent individuals from accumulating access beyond what their role requires. The Access Controls Suite provides continuous monitoring of access risk and SoD violations.

User access and transactions are reviewed regularly to streamline access rights, prevent excessive access and manage and mitigate the cost of SAP licensing. This enables the organization not only to manage SAP licensing, but also to handle compensating controls: when an SoD conflict cannot be removed (for example, in a small team where one person must hold both functions), the conflict is documented, a mitigating control is assigned and the affected access is monitored. The Access Controls Suite also provides emergency access management (EAM) by logging and tracking every activity each user performs during an SAP fire call (firefighter) session, so that elevated access can be reviewed after the fact.

SAP user and role administration is streamlined by allowing the organization to manage and process requests for new users and requests for changes to existing user access. SoD checks are run against the access being provisioned and against the documented role definitions, and reports are generated for acceptance and sign-off. The organization is then in a continual state of audit readiness through the automation and validation of SAP audit reports, which provide assurance that controls are operating.

The Symmetry Difference – Above and Beyond

Beyond the powerful features and capabilities of ControlPanelGRC, Symmetry delivers fast deployment backed with unparalleled support and managed services.  Our industry leading Net Promoter Score and 22 years of managing SAP systems means that your ControlPanelGRC implementation will not only be successful, but that your time to value will be greatly accelerated.  ControlPanelGRC has given our customers peace of mind by automating their GRC functions and streamlining their business operations to successfully meet the challenges of a rapidly changing business environment.

Talk to Symmetry to learn more about ControlPanelGRC and how the Access Controls Suite can turn GRC from a chore to a strategic asset.

Scott Goolik - VP, Compliance and Security Services

Scott Goolik is VP of Compliance and Security Services at Symmetry. A recognized expert in the field of SAP security and compliance, Scott has over 20 years of expertise in SAP security and is a regular presenter at SAP industry tradeshows and ASUG events. His experience includes working for one of the Big Four accounting firms and developing auditing tools, including those for segregation of duties (SOD). Scott is also responsible for architecting the ControlPanelGRC® solution which provides audit automation and acceleration of security and control processes.