SAP GRC access control and process control are automated tools to manage an internal security model, remediate compliance issues, and monitor potential business risks within an SAP system. When users have too much access in a system, they can damage the company and break compliance both by intentional misuse (e.g. using privileges to steal money or goods) and accidental misuse (e.g. by making a mistake in accounting or bypassing a quality control safeguard). By logging access, transactions and other information, GRC software addresses compliance, quality, fraud and other internal security issues.
SAP GRC access control focuses on what users can do, while SAP GRC process control focuses on what users are doing. For example, if the system allowed managers to review workers’ medical records, SAP GRC access control would detect the potential for a HIPAA violation and create an alert. If someone were actually looking through the company’s medical records improperly, process control would alert monitors.
Expert Insight: Scott Goolik, VP of Compliance and Security
Access Control and Process Control are analogous to different types of security in a bank. SAP GRC access control is like locked doors, guards and alarms — it controls who can enter and exit sensitive areas, and sounds the alarm if someone enters a room they shouldn’t. An SAP GRC Access Control tool like the ControlPanelGRC® Access Control Suite is the first step in a GRC program, allowing companies to modernize role management, Segregation of Duties (SoD), auditing and other basic compliance tasks.
SAP GRC Process Control is similar to drawer counts, reconciliation checks and identity and credit verification. It examines processes looking for signs of fraud or theft.
Why are SAP GRC Process Control and Access Control Important?
Compliance requirements like Sarbanes-Oxley (SOX), as well as industry-specific rules like 21 CFR Part 11, mandate controls to detect, mitigate and prevent misconduct. These rules are backed up by auditing and hefty noncompliance penalties, but leave many of the details of implementation up to companies.
Traditionally, companies would manually review internal records to meet regulatory compliance goals. They would compile data into audit reports, which could also be used to detect fraud, design remediation efforts and perform other compliance activities.
Unfortunately, this technique is time-consuming and inefficient; it can take hundreds of hours to compile company access logs and to create, authenticate and review reports. Manual reporting also leads to data entry errors, which can cause false positives. And by the time the information is reviewed, it’s usually at least a few months old.
This increases risks by delaying remediation. It also makes change control difficult to impossible, since there’s no practical way to check user access changes for Segregation of Duties (SoD) risks against current data. Additionally, these reports typically only sample access data, since it’s impractical to check everything by hand. Both internal fraud and external intrusions can slip by, making document-centric remediation a poor tool for both security and compliance.
Remediation efforts also tend to fail without SAP GRC access control and process control. It’s very difficult to streamline the security model and see all the possible consequences of changing a user’s role, for example. As a result, companies often end up introducing new compliance issues, building excessively complex roles that further burden SAP GRC efforts, or both.
SAP GRC access control and process control solve these problems by automating most of the work that goes into creating audit reports, as well as detecting and remediating internal compliance issues. Output is generated directly from change logs, eliminating errors and allowing a complete review of access and business processes.
The software also centralizes controls and evaluates changes before they are implemented, allowing users to remediate easily and prevent unintended consequences. Change control can also be automated, instantly detecting issues that could otherwise sit in the system for years, unnoticed.
What is SAP GRC Access Control?
Within the SAP environment, users are assigned roles, which give them particular privileges to access particular data and perform particular actions. SAP GRC access control governs these roles, handling both routine access within the system, and special permissions such as emergency access.
SoD is a key part of access control. Compliance regimes like Sarbanes-Oxley prohibit users from having certain combinations of privileges which can lead to fraud. For example, if a user is able to create and pay vendors, the user could use that ability to funnel money to collaborators, or simply steal money and hide their tracks through fake vendors. Therefore, businesses need to organize roles so that different users are responsible for entering vendors and payments.
Other types of access pose inherent security and compliance risks. For example, the ability to access credit card data or reconfigure the system could allow a user to do harm to a company, through theft, sabotage and negligence.
SAP GRC access control guards against both kinds of risks by controlling what users can do and recording what they are doing. Within ControlPanelGRC, the Risk Analyzer holds segregation of duties rules, organized in a user-friendly fashion. It examines what users can do, and automatically executes what-if analysis to determine potential compliance issues. The module generates reports and notifications, allowing managers to remediate compliance issues as they’re detected.
Risk analysis is integrated with the User and Role Management module, which ensures change management and ongoing compliance. If a user takes on a new job or moves to a different department, they need to be assigned a new role, but this can cause SoD issues if not handled properly. User and Role Management analyzes the request for potential problems before assigning it. It also automates the workflow, ensuring that risks are examined, and roles are assigned and signed off on by the proper parties.
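The SoD check and what-if analysis described above, as an added example that is not part of the original article or of any ControlPanelGRC module: a user's effective business functions are derived from assigned roles, matched against a rule set of conflicting functions, and a role request is evaluated for the risks it would newly introduce. Role names, function names and rule ids are constructed for illustration.

```python
"""Added example: SoD rule evaluation with what-if analysis for a role request."""

# Constructed role catalogue: role -> business functions it grants.
ROLES = {
    "Z_AP_VENDOR_MAINT": {"vendor_create", "vendor_change"},
    "Z_AP_PAYMENTS": {"payment_post", "payment_run"},
    "Z_AP_INVOICE_ENTRY": {"invoice_post"},
    "Z_AP_DISPLAY": {"vendor_display", "invoice_display"},
}

# Constructed SoD rules: risk id -> (conflicting functions, description).
# A risk fires only when a user holds *every* function in the conflict set.
SOD_RULES = {
    "P2P-01": ({"vendor_create", "payment_post"},
               "Create a fictitious vendor and pay it"),
    "P2P-02": ({"vendor_create", "payment_run"},
               "Create a fictitious vendor and include it in a payment run"),
    "P2P-03": ({"invoice_post", "payment_post"},
               "Post an invoice and release its payment"),
}


def effective_functions(roles):
    """Union of the functions granted by all assigned roles."""
    funcs = set()
    for role in roles:
        funcs |= ROLES[role]
    return funcs


def sod_violations(roles):
    """Sorted risk ids whose conflict set is fully covered by the roles."""
    funcs = effective_functions(roles)
    return sorted(rid for rid, (conflict, _) in SOD_RULES.items()
                  if conflict <= funcs)


def what_if(current_roles, requested_role):
    """Risks the request would *introduce*; pre-existing risks are excluded
    so the approver sees only what changes with this assignment."""
    before = set(sod_violations(current_roles))
    after = set(sod_violations(list(current_roles) + [requested_role]))
    return sorted(after - before)


if __name__ == "__main__":
    # An AP clerk who already maintains vendors requests the payments role.
    for rid in what_if(["Z_AP_VENDOR_MAINT"], "Z_AP_PAYMENTS"):
        print(rid, SOD_RULES[rid][1])
```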
In an emergency, an SAP BASIS administrator or other user might need an extraordinary amount of access in the system to fix a critical error or other issue. Within SAP GRC access control, the Emergency Access Manager handles this access, minimizing its potential risks. Users can create pre-approved authorizations to assign emergency privileges. During the emergency, everything the user does is tracked for audit purposes. Users must also indicate why they requested emergency access and what they did, providing detailed descriptions which are then routed to managers automatically for review.
HR data is a special challenge for SAP GRC access control. It must be kept accurate and up to date, but it also contains sensitive information which requires tightly restricted access. Many SAP GRC access control modules handle SoD, but don’t place extra safeguards on this data.
ControlPanelGRC takes a more secure approach with the HR Analyzer™. This tool logs access and screen views of secure data, and notifies executives immediately of any indication that HR records have been improperly accessed or viewed. Data is automatically scrambled outside of production, ensuring it can’t be compromised by system testing and other non-HR uses.
HR Analyzer also synchronizes HR changes like hiring, terminations, job reassignments and pay raises with user provisioning processes handled elsewhere in SAP GRC. This ensures HR accuracy and cuts down on the time it takes to change employee status.
What is SAP GRC Process Control?
If your audits require you to spend a lot of time recreating transactions or proving that something bad didn’t happen, a tool like the ControlPanelGRC Process Control Suite can be a huge help. Instead of focusing on user roles and privileges, SAP GRC process control focuses on the business processes themselves, monitoring them to ensure they’re handled correctly.
Process control gives businesses a second chance to catch problems that they may have missed in SAP GRC access control. For example, SAP has a configuration flag that allows you to prohibit duplicate invoices from being paid. However, if that duplicate check has been disabled or wasn’t configured properly in the first place, SAP GRC process control would still catch the resulting duplicate payments through transactional checks — that is, by inspecting the actual business transactions that occurred.
The ControlPanelGRC Process Analyzer for Procure to Pay can spot users making payments to vendors who haven’t been approved, or paying a duplicate invoice that may indicate fraud. Another module monitors Order to Cash transactions, allowing you to spot improper changes to customer credit limits, or excessive (and potentially fraudulent) returns. Both modules look for exceptions to business rules. If an issue is detected, key personnel are notified in real time, and the system provides tools for quick remediation.
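The two Procure-to-Pay exception rules just described, as an added example that is not part of the original article or of the ControlPanelGRC Process Analyzer: the checks run over the posted payment documents themselves rather than over user authorizations, so they catch a duplicate payment even when the ERP's own duplicate-invoice check was switched off. The payment records and approved-vendor list are constructed, and the duplicate key (vendor, invoice reference, amount) is an assumption; the ERP's configurable check may use other criteria.

```python
"""Added example: transactional checks for Procure-to-Pay exceptions."""
from collections import defaultdict

# Constructed sample of posted vendor payment documents.
PAYMENTS = [
    {"doc": "5100000001", "vendor": "V100", "invoice_ref": "INV-2024-001", "amount": 1250.00},
    {"doc": "5100000002", "vendor": "V100", "invoice_ref": "INV-2024-001", "amount": 1250.00},
    {"doc": "5100000003", "vendor": "V200", "invoice_ref": "INV-2024-001", "amount": 1250.00},
    {"doc": "5100000004", "vendor": "V999", "invoice_ref": "INV-7781", "amount": 480.00},
    {"doc": "5100000005", "vendor": "V200", "invoice_ref": "INV-0042", "amount": 99.90},
]

# Constructed approved-vendor list (in practice derived from vendor master status).
APPROVED_VENDORS = {"V100", "V200"}


def unapproved_vendor_payments(payments, approved):
    """One exception per payment whose vendor is not on the approved list."""
    return [{"rule": "P2P-UNAPPROVED-VENDOR", "docs": [p["doc"]], "vendor": p["vendor"]}
            for p in payments if p["vendor"] not in approved]


def duplicate_invoice_payments(payments):
    """One exception per group of payments sharing vendor, reference and amount.

    A different vendor quoting the same reference is *not* a duplicate:
    invoice numbers are only unique per issuer, so the vendor is part of the key.
    """
    groups = defaultdict(list)
    for p in payments:
        groups[(p["vendor"], p["invoice_ref"], p["amount"])].append(p["doc"])
    return [{"rule": "P2P-DUPLICATE-INVOICE", "docs": docs, "vendor": vendor,
             "invoice_ref": ref, "amount": amount}
            for (vendor, ref, amount), docs in groups.items() if len(docs) > 1]


def run_checks(payments, approved):
    """All exceptions to notify on, in the order the rules were evaluated."""
    return (unapproved_vendor_payments(payments, approved)
            + duplicate_invoice_payments(payments))


if __name__ == "__main__":
    for exc in run_checks(PAYMENTS, APPROVED_VENDORS):
        print(exc["rule"], exc["docs"])
```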
The Enterprise Risk Management (ERM) module enhances documentation, testing and execution of controls. It helps companies ensure their controls are configured and functioning properly, and aligned with compliance requirements. This makes it particularly useful for stringent compliance regimes, such as HIPAA, SOX and 21 CFR Part 11.
The AutoAuditor™ eliminates the stress and delays of compiling audits across your SAP GRC environment. It syncs with other ControlPanelGRC modules, and schedules and pushes audits to the right users. This automates execution, delivery and validation, ensuring your organization doesn’t miss an important deadline or step.
What is SAP GRC — Other Tools
Although SAP GRC access control and process control are the most important tools, certain vendor-specific products can support other areas of the GRC process. ControlPanelGRC offers a Security Acceleration Suite that automates many routine tasks in SAP security administration. For example, its User and Role Change Analyzer helps admins analyze and compare multiple role versions, document changes, alter multiple roles at once, and analyze and remediate inadvertent problems with role changes. By automating these tasks, admins can save time and understand security changes better, reducing risk and cost.
ControlPanelGRC also offers a Basis Control Suite to help manage routine SAP Basis tasks, such as transports and batch jobs — something no other GRC software vendor currently offers. For companies without outside Basis support, this reduces the amount of time and work involved in day-to-day SAP Basis administration, reducing the burden on internal IT.
It also reduces the security risks posed by the slow or lax administration common among overtaxed internal teams. Many of the most dangerous SAP vulnerabilities prey on companies whose IT departments don’t have time to perform routine patching and maintenance promptly. By automating these tasks, the Basis Control Suite virtually eliminates the most frequently exploited cyber security vulnerabilities.
Should I Outsource SAP GRC Administration?
Like anything else in IT managed services, it depends on the vendor and on your internal resources. If you have SAP GRC access control software that produces incomprehensible output, the problem probably isn’t your compliance team — it’s the software or the vendor support; if your software doesn’t provide high level overviews for executives, clear technical data for administration and multi-level access for compliance teams, switch to a product that does.
But in many cases, outsourcing SAP GRC access control and process control can save money and improve your compliance program. The right IT managed services provider can ensure your software is set up and configured properly, free your internal staff to work on more strategic projects, and provide an invaluable outside observer to prevent issues like fraud and poor change management.
Symmetry’s Security Complete PlusGRC provides total security and compliance services, taking the stress out of protecting business assets. Our highly trained consultants are experts in SAP administration, security and compliance, providing a level of protection very few organizations could afford to hire internally. Services include 24x7x365 user administration and compliance monitoring, and comprehensive reporting across all levels of your organization.
Because we offer a complete range of SAP services, we can provide as much or as little IT infrastructure support as you need. Whether you’re looking for a partner to configure, host and manage your entire SAP environment, or just some help setting up your SAP GRC program, Symmetry is the ideal managed services partner.
Contact us to learn how we can help — in GRC and beyond.