It’s now been 17 years since the passage of the Sarbanes-Oxley Act (SOX), which was…
Segregation of Duties (SoD) Conflicts Happen
Today’s fast changing business and regulatory climate puts a significant burden on organizations as they work to streamline and transform their businesses to stay competitive. They face significant governance, risk and compliance (GRC) challenges as their SAP environments struggle to adapt. This is particularly true when managing SoD and sensitive authorization risks across multiple lines of business and departments. Change is constant as reorganizations or mergers and acquisitions take place. Locations are opened and closed, employees are shifted, new hires onboarded, and others depart.
This dynamic ebb and flow creates situations where SoD conflicts occur, such as a small purchasing department where the person creating the vendor master list may also be issuing purchase orders. The situation might be due to staffing shortages or restructuring. And it is most likely happening in multiple instances across the business.
Within the SAP GRC framework, once this SoD conflict risk is identified it must be addressed using mitigating controls, such as having the plant controller review change documents to the vendor master list to make sure no unauthorized vendor payments are being made. In practice, the control often rests on the hope that the reviewer will run the report regularly to look for potential compliance violations. Hope is not a viable control, and relying on it increases risk.
The risk is made worse by the fact that SAP GRC mitigating controls management is often a manual, document-centric process without any systematic risk and usage analysis, or real-time alerts of potential compliance violations. There is no consistent and timely generation of compliance reports for review and sign off and an incident might go unnoticed for weeks or months.
Multiply this by the number of users and roles across the organization, with an almost unlimited number of potential SoD conflicts, and the security and compliance problem can spiral out of control. It becomes not only a burden for the IT and security staff to manage but a significant risk for the business and an auditor’s nightmare.
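The problem described above, as an added worked example that is not code from the original post or from Symmetry: a small rule-based SoD analysis that resolves each user's functions through their role assignments, flags users holding both functions of a risk, checks usage data to see whether the conflict is actually being exercised, and treats an expired mitigating control as no control at all. The function-to-transaction grouping, the risk identifiers (P001, P002), the control identifiers and all sample data are constructed for illustration; real rulesets are far larger and site-specific.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed ruleset (assumed for illustration, not a product ruleset):
# business functions are sets of SAP transaction codes, and each SoD risk
# names two functions that one person should not be able to perform together.
FUNCTIONS = {
    "VENDOR_MASTER_MAINTAIN": {"XK01", "XK02", "FK01", "FK02"},
    "PURCHASE_ORDER_CREATE": {"ME21N", "ME21"},
    "INVOICE_POST": {"MIRO", "FB60"},
}
RISKS = {
    "P001": ("VENDOR_MASTER_MAINTAIN", "PURCHASE_ORDER_CREATE"),
    "P002": ("VENDOR_MASTER_MAINTAIN", "INVOICE_POST"),
}


@dataclass
class Finding:
    risk_id: str
    user: str
    functions: tuple
    exercised: bool   # both conflicting functions were actually run in the window
    mitigated: bool   # an unexpired mitigating control covers this user/risk


def user_functions(user, user_roles, role_tcodes):
    """Functions a user can perform, resolved through role -> transaction code."""
    tcodes = set()
    for role in user_roles.get(user, ()):
        tcodes |= role_tcodes.get(role, set())
    return {f for f, codes in FUNCTIONS.items() if tcodes & codes}


def recently_used(user, function, usage, as_of, window_days):
    """True if the user executed any transaction of the function inside the window."""
    cutoff = as_of - timedelta(days=window_days)
    return any(u == user and t in FUNCTIONS[function] and cutoff <= d <= as_of
               for u, t, d in usage)


def analyze(user_roles, role_tcodes, usage, controls, as_of, window_days=90):
    """Return SoD findings; unmitigated conflicts that are exercised come first."""
    findings = []
    for user in user_roles:
        held = user_functions(user, user_roles, role_tcodes)
        for risk_id, (f1, f2) in RISKS.items():
            if f1 in held and f2 in held:
                exercised = (recently_used(user, f1, usage, as_of, window_days)
                             and recently_used(user, f2, usage, as_of, window_days))
                ctl = controls.get((user, risk_id))
                # A control whose validity has lapsed is treated as absent.
                mitigated = ctl is not None and ctl[1] >= as_of
                findings.append(Finding(risk_id, user, (f1, f2), exercised, mitigated))
    return sorted(findings, key=lambda f: (f.mitigated, not f.exercised, f.user))


# Constructed sample data: role contents, role assignments, usage log, controls.
SAMPLE_ROLE_TCODES = {
    "PURCHASING_CLERK": {"ME21N", "ME23N"},
    "VENDOR_ADMIN": {"XK01", "XK02"},
    "AP_CLERK": {"MIRO"},
}
SAMPLE_USER_ROLES = {
    "jdoe": ["PURCHASING_CLERK", "VENDOR_ADMIN"],   # the short-staffed purchaser
    "asmith": ["PURCHASING_CLERK"],
    "bwong": ["VENDOR_ADMIN", "AP_CLERK"],
}
SAMPLE_USAGE = [  # (user, transaction code, execution date)
    ("jdoe", "XK01", date(2024, 3, 2)),
    ("jdoe", "ME21N", date(2024, 3, 10)),
    ("bwong", "XK02", date(2023, 10, 1)),   # older than the 90-day window
    ("bwong", "MIRO", date(2024, 3, 5)),
]
SAMPLE_CONTROLS = {  # (user, risk id) -> (control id, valid-until date)
    ("jdoe", "P001"): ("MC-017", date(2024, 12, 31)),
    ("bwong", "P002"): ("MC-022", date(2024, 1, 31)),  # expired before as_of
}

if __name__ == "__main__":
    for f in analyze(SAMPLE_USER_ROLES, SAMPLE_ROLE_TCODES, SAMPLE_USAGE,
                     SAMPLE_CONTROLS, as_of=date(2024, 3, 15)):
        print(f"{f.risk_id} {f.user:7} {'/'.join(f.functions)} "
              f"exercised={f.exercised} mitigated={f.mitigated}")
```

Run as of 2024-03-15, the analysis reports two conflicts: jdoe holds and actively uses both vendor maintenance and purchase order creation but is covered by a valid control, while bwong's vendor-maintenance/invoice-posting conflict is unexercised in the window yet surfaces first because its control has lapsed. The ordering is the point: a review that exists only on paper, or that has expired, is not treated as a mitigation.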
GRC Automation – Take the Risk out of Developing and Enforcing Mitigating Controls
Managing SoD conflicts with mitigating controls does not have to be a burden. GRC software automates risk detection and remediation. Therefore, choosing the right software is critical. It can make or break your GRC automation efforts. Ideally the software should help you reduce your SoD conflicts, and when you cannot, it must enable you to define important conflicts through accurate SAP GRC access risk analysis and alert staff to risks in real-time.
The software must also provide real-time alerts to compliance violations along with reports that have the necessary information to drill down to the cause and provide the controls to fix the issue. The software should provide workflow automation to speed up compliance reports for review and sign off, so mitigation controls are properly enforced and not based on the assumption that the reviewer will run a report. The reports must also be easy to understand, and users must be able to find what they need quickly.
ControlPanelGRC – A Powerful Tool for Automating SAP GRC Mitigating Controls
Symmetry’s ControlPanelGRC solves security and compliance challenges and can help your organization completely revamp its SAP security model. A powerful set of tools ensures you can analyze risks, reduce SoD conflicts, remediate conflicts or assign mitigating controls directly, and track compliance with timely reports.
ControlPanelGRC’s Risk Analyzer is a powerful solution for managing SoD and sensitive authorizations in real-time. Risk Analyzer reports provide all the necessary information to make judgements on appropriate mitigation options. Its drill-down capabilities provide the details of each risk: its description, severity, conflicting functions and authorization object details, along with direct access to the user’s master records.
Risk Analyzer works hand-in-glove with ControlPanelGRC’s Usage Analyzer to provide information on the last time transactions were run. Immediate action can be taken to remediate or mitigate directly with the Risk Analyzer interface.
Risk Analyzer’s monitoring capability helps you enforce ongoing compliance by automatically generating critical reports or conflicting transaction notifications and routing them for review while maintaining a documented audit trail. Risk Analyzer is integrated with ControlPanelGRC’s AutoAuditor, which empowers compliance owners across the enterprise to better manage risks within their departments.
For example, in the case of the short-staffed purchasing department, AutoAuditor’s self-documenting workflow feature can generate a list of any changes to the vendor master list and push it to the plant controller for review and sign off. These actions are documented, freeing IT staff from the hassle of chasing documentation and letting auditors breathe a sigh of relief. No more hoping a report will be pulled and reviewed.
The Symmetry Difference – Above and Beyond
Beyond the powerful features and capabilities of ControlPanelGRC, Symmetry delivers fast deployment backed with unparalleled support and managed services. Our industry-leading Net Promoter Score and 22 years of managing SAP systems mean that your ControlPanelGRC implementation will not only be successful, but that your time to value will be greatly accelerated.
SoD conflicts do happen, and the GRC mitigating controls to manage them don’t have to increase your compliance risk and put a burden on your staff. ControlPanelGRC gives customers peace of mind by automating GRC functions, reducing SoD conflicts and ensuring audit readiness, enabling them to streamline business operations and successfully meet the challenges of a rapidly changing business environment.
Talk to Symmetry to learn more about how ControlPanelGRC can help you turn managing SoD conflicts from a burden into a strategic asset.